Firewall drops traffic
Hello!
I have a problem with a VPN 100 appliance here. It's set up as a VPN endpoint for users, as well as 2 other branch offices.
The VPN is working fine, as far as I can tell, but some computers at the main site get their outgoing traffic dropped by the firewall. This applies only to WAN traffic. LAN is working fine.
The device is set up behind a primary router with the VPN 100 as an exposed host. All devices are in the same subnet 192.168.11.x
WAN is 11.8 with GW 11.1 and LAN is 11.7. The clients use 11.7 as the GW. The physical ports are in LAN1.
The policies look as follows:
By my understanding this should work. Why do some clients get this?
What am I overlooking? Can anyone help?
Thanks.
Tech0815
P.S.: Funny enough, some clients can access the internet after pinging the WAN and LAN IP of the VPN 100. 🤔
All Replies
-
1
-
Welcome to Zyxel Community. 😎
It looks like Wan and Lan are in the same IP subnet.
Can you post your network topology with IP subnet.(You can mask IP if it have public IP)
0 -
Hello!
Sorry, I don't have a map ready. All local devices are in the same subnet. The 2 branch offices have different subnets.
Main Office: 192.168.11.x Branch 1: 192.168.10.x Branch 2: 192.168.12.x
Main Router (11.1) -> VPN100 WAN (11.8) -> VPN100 LAN1 (11.7) -> Dumb Switch -> Rest of network
There is no separation, all devices are reachable from any machine. The clients get their IPs from the DHCP in the VPN100. GW for the clients is 11.7, DNS is the server (11.10). The VPN100 is set up as an exposed host in the main router. There's switches, a server and WLAN-APs behind the VPN100. The branch offices are connected via a VPN tunnel and have their own servers.
Does this help, or do I need to make a map?
Thanks
Tech0815
0 -
Any reason that WAN and LAN need to be in the same IP subnet(11.X/24) ?
That will be issue if VPN100 is acting as a router.
0 -
Ease of setup and the main router is running fax services and needs to be reachable from the clients.
What issues are we talking about?
0 -
The arp learning of VPN100 will not working as expected.
I suggest to configure VPN100 like this,
(1) LAN as network 192.168.11.128/25 (you can have 125 hosts IP under LAN)
(2) Configure proxy-arp on wan1 for 192.168.11.128/25
(3) Disable WAN Trunk default SNAT
0 -
Hi lan31, Thanks for the instruction. the device is running as routing mode.🙂
Hi @Technician0815 , You can follow lan31's instruction to set up VPN100.
Feel free to let us know if you have any issue.
0 -
Well... i should change whole WAN1 subnet in any case (main router and VPN100 should be the devices affected
Clients could still reach the fax server (main server) with appropriate policy rules and a subtle change of the ip address on clients (you could also take the opportunity to migrate from ip address to hostname, easier to manage and change)
0
Categories
- All Categories
- 415 Beta Program
- 2.3K Nebula
- 141 Nebula Ideas
- 94 Nebula Status and Incidents
- 5.5K Security
- 216 USG FLEX H Series
- 262 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1K Wireless
- 39 Wireless Ideas
- 6.3K Consumer Product
- 243 Service & License
- 382 News and Release
- 81 Security Advisories
- 27 Education Center
- 8 [Campaign] Zyxel Network Detective
- 3K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 71 Security Highlight