FLEX 100H firewall zone bug

p4_greg

We ran into some odd behavior that appears to be a bug on a FLEX 100H running latest 1.32 firmware.

We have a firewall rule which blocks NetBIOS packets from ANY-to-WAN, and another rule which allows all packets from LAN-to-IPSec. For some reason, the ANY-to-WAN rule is blocking packets that are supposed to be sent over the VPN.

We can work around this issue if we reverse the order of these rules so the IPSec rule is above the ANY-to-WAN rule.

Why is the ANY-to-WAN rule blocking destination IPs which should be in the IPSec zone?

See screenshots below.

PeterUK

Have seem this too

Incorrect zone use by remote access VPN — Zyxel Community

Zyxel_Melen

Hi @p4_greg

Could you enable the Zyxel support access for this site on Nebula and share an account for us to check this issue? I will send you a private message for the account info.

https://community.zyxel.com/en/discussion/14234/nebula-how-to-turn-on-zyxel-support-access

I did a local test that my policy rules are same as yours, but didn't see this issue.

p4_greg

https://community.zyxel.com/en/discussion/comment/78435#Comment_78435

@Zyxel_Melen Is your test using Policy-based IPSec VPN or Route-based(VTI)?

We have seen this same issue on 2 different networks/routers using FLEX 100H on both sides of a Policy-based VPN.

These routers/networks are in production at our client's locations, so if you truly cannot re-create this issue in your lab I will likely have to set up some test units for you to look at.

PeterUK

Can confirm this is still a issue

tested on two different subnets with both being /28

If I disable the NetBIOS block rule 1 it connects fine then when enabled blocks NetBIOS but its for to WAN2 which is not true as it is going down the VPN not out ge2 WAN2