Firewall drops traffic

Technician0815
Technician0815 Posts: 3  Freshman Member
edited April 2021 in Security

Hello!

I have a problem with a VPN 100 appliance here. It's set up as a VPN endpoint for users, as well as 2 other branch offices.

The VPN is working fine, as far as I can tell, but some computers at the main site get their outgoing traffic dropped by the firewall. This applies only to WAN traffic. LAN is working fine.

The device is set up behind a primary router with the VPN 100 as an exposed host. All devices are in the same subnet, 192.168.11.x.

WAN is 11.8 with GW 11.1 and LAN is 11.7. The clients use 11.7 as the GW. The physical ports are in LAN1.

The policies look as follows:

By my understanding this should work. Why do some clients get this?

What am I overlooking? Can anyone help?

Thanks.

Tech0815

P.S.: Funny enough, some clients can access the internet after pinging the WAN and LAN IP of the VPN 100. 🤔

All Replies

  • Ian31
    Ian31 Posts: 174  Master Member

    Hi @Technician0815,

    If you can provide a topology, that will help to understand the case.

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee

    Hi @Technician0815

    Welcome to Zyxel Community. 😎

    It looks like WAN and LAN are in the same IP subnet.

    Can you post your network topology with IP subnets? (You can mask the IP if it has a public IP.)

  • Technician0815
    Technician0815 Posts: 3  Freshman Member

    Hello!

    Sorry, I don't have a map ready. All local devices are in the same subnet. The 2 branch offices have different subnets.

    Main Office: 192.168.11.x
    Branch 1: 192.168.10.x
    Branch 2: 192.168.12.x

    Main Router (11.1) -> VPN100 WAN (11.8) -> VPN100 LAN1 (11.7) -> Dumb Switch -> Rest of network

    There is no separation, all devices are reachable from any machine. The clients get their IPs from the DHCP in the VPN100. GW for the clients is 11.7, DNS is the server (11.10). The VPN100 is set up as an exposed host in the main router. There are switches, a server and WLAN APs behind the VPN100. The branch offices are connected via a VPN tunnel and have their own servers.

    Does this help, or do I need to make a map?

    Thanks

    Tech0815

  • Ian31
    Ian31 Posts: 174  Master Member

    Any reason that WAN and LAN need to be in the same IP subnet (11.X/24)?

    That will be an issue if the VPN100 is acting as a router.

  • Technician0815
    Technician0815 Posts: 3  Freshman Member

    Ease of setup, and the main router is running fax services and needs to be reachable from the clients.

    What issues are we talking about?

  • Ian31
    Ian31 Posts: 174  Master Member
    edited August 2019

    The ARP learning of the VPN100 will not work as expected.

    I suggest configuring the VPN100 like this:

    (1) LAN as network 192.168.11.128/25 (you can have 125 hosts IP under LAN)

    (2) Configure proxy-arp on wan1 for 192.168.11.128/25

    (3) Disable WAN Trunk default SNAT
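
As an added illustration (not part of Ian31's post or of any Zyxel tool), a short Python model of why the /25 carve-out matters: with WAN and LAN both on 192.168.11.0/24 the VPN100 holds two equally specific connected routes for every local destination and cannot decide which port to ARP on, while a /25 LAN gives it a longest-prefix match. The VPN100 LAN address 192.168.11.129 is an assumption.

```python
import ipaddress

# Constructed from the thread: WAN and LAN of the VPN100 both sit in 192.168.11.0/24.
ORIGINAL = {
    "wan1": ipaddress.ip_interface("192.168.11.8/24"),
    "lan1": ipaddress.ip_interface("192.168.11.7/24"),
}
# Ian31's proposal: LAN becomes 192.168.11.128/25 (VPN100 LAN IP .129 is assumed).
PROPOSED = {
    "wan1": ipaddress.ip_interface("192.168.11.8/24"),
    "lan1": ipaddress.ip_interface("192.168.11.129/25"),
}


def egress_interfaces(ifaces, dst):
    """Longest-prefix match over the connected routes.
    Returns the interface names whose network is the most specific match
    for dst; more than one name means the router has no unique answer for
    which port to ARP and forward on."""
    dst = ipaddress.ip_address(dst)
    matches = [(name, i.network.prefixlen) for name, i in ifaces.items() if dst in i.network]
    if not matches:
        return []
    best = max(plen for _, plen in matches)
    return sorted(name for name, plen in matches if plen == best)


def usable_client_addresses(iface):
    """Host addresses in the interface's network, minus the device's own IP."""
    return sum(1 for h in iface.network.hosts() if h != iface.ip)


def proxy_arp_needed(ifaces, lan="lan1", wan="wan1"):
    """The main router still believes the whole /24 is on its own segment, so
    the VPN100 must answer ARP on wan1 for a LAN range nested inside it."""
    return ifaces[lan].network.subnet_of(ifaces[wan].network)


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("proposed", PROPOSED)):
        print(label, "-> 192.168.11.1 via", egress_interfaces(cfg, "192.168.11.1"),
              "| 192.168.11.200 via", egress_interfaces(cfg, "192.168.11.200"))
    print("client addresses on proposed LAN:", usable_client_addresses(PROPOSED["lan1"]))
    print("proxy-ARP on wan1 required:", proxy_arp_needed(PROPOSED))
```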

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee

    Hi Ian31, thanks for the instruction. The device is running in routing mode. 🙂

    Hi @Technician0815, you can follow Ian31's instructions to set up the VPN100.

    Feel free to let us know if you have any issue.

  • mMontana
    mMontana Posts: 1,380  Guru Member
    edited August 2019

    Well... I should change the whole WAN1 subnet in any case (the main router and the VPN100 should be the devices affected).

    Clients could still reach the fax server (main server) with appropriate policy rules and a subtle change of the IP address on the clients (you could also take the opportunity to migrate from IP address to hostname, which is easier to manage and change).
