VPN site-to-site from Nebula device to another ORG
Hello everyone,
I have some needs when I need to send all the traffic from a Nebula device to another ORG:
- I need to set a VPN from Nebula to another site (Nebula or not…).
- I need to set NAT Traversal in Non-Nebula VPN parameters
- I need to establish a full tunnel VPN
I have different devices, security routers and firewalls, but it seems to me that there are some missing options (except newest FlexH series…).
FlexH has some more pages on Nebula like this one:
1. Let me come back to my problem: take SCR50AXE for example.
I found this:
and this: https://support.zyxel.eu/hc/it/articles/15366638605714-SCR50AXE-Router-sicuro-gestito-dal-cloud-Configurazione-in-Nebula-e-Guida-introduttiva#h_01HG8FKQCTA7RRXNMTXDQWFFVV
So I went here:
And I see this section where it seems that I can start a VPN to another site:
2. But here I cannot tell Nebula that the VPN has to go via NAT Traversal, because I have another router in front of the Nebula device.
The Nebula device is in a DMZ, but to establish a VPN I have to declare that somewhere, like I did when using VPN Orchestrator:
Is there something that I'm missing?
3. Apart from FlexH:
it seems that I cannot route all the traffic from a Nebula device to another site VPN.
Please tell me if I did not find some Zyxel documentation regarding this request.
All Replies
Hi @GiuseppeR
Sorry for the wait.
- Non-Nebula VPN (which is called auto-link VPN) doesn't support NAT-Traversal. So, you will need to set the port forwarding for these protocols, UDP 500 & 4500, on the uplink router.
- The NAT-Traversal is only for Nebula VPN scenario.
- May I know the scope of the all traffic? All LAN's traffic? Or also device's traffic?
Zyxel Melen
Hello @Zyxel_Melen
- Setting the Nebula device (firewall/router) in DMZ tells the uplink router that all the incoming connections have to go to the Nebula device itself: do I have to add the port forwarding rule too? I ask this because I always set the Nebula device in DMZ (when I'm forced to use another router from the ISP in front of the Nebula device); usually I have all ports open on the uplink router because of the DMZ, and I need only to open specific ports on the Nebula device (to operate with some server's services). In this scenario it seems strange to me to add a specific port forwarding rule (to the uplink router) to enable the VPN to a Nebula device.
- OK, so NAT Traversal is only for Nebula VPN Orchestrator.
- The scope to manage the full tunnel is to install a Nebula device (basic firewall or sec. router) to an employee, where the employee could attach notebook/desktop/printer forcing all the traffic inside the tunnel avoiding filters/DNS that could be used by the employee's ISP
See you soon,
GiuseppeR
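The exchange above comes down to one question: does IKE traffic on UDP 500 and UDP 4500 actually reach the Nebula device's WAN address through the uplink router, whether via a DMZ-host setting or via explicit port forwards? The following is an added illustration, not code from the thread or from Zyxel: a small offline checker that models an uplink router's forwarding decision (explicit port-forward rules take precedence; anything else goes to the DMZ host, if one is set) and reports which IKE ports would not arrive at the Nebula device. The `UplinkRouter` and `ForwardRule` classes and the sample rule sets are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# The two UDP ports the reply says must reach the Nebula device for a
# non-Nebula (auto-link) IPsec VPN: IKE (500) and IKE/NAT-T (4500).
IKE_PORTS = (("udp", 500), ("udp", 4500))


@dataclass
class ForwardRule:
    """One explicit port-forward entry on the uplink router (constructed model)."""
    proto: str   # "udp" or "tcp"
    port: int    # external port
    target: str  # internal address the router forwards to


@dataclass
class UplinkRouter:
    """Simplified forwarding model of a consumer/ISP router (constructed):
    explicit forwards win; everything else goes to the DMZ host, or is
    kept by the router itself (None) when no DMZ host is configured."""
    forwards: List[ForwardRule] = field(default_factory=list)
    dmz_host: Optional[str] = None

    def destination(self, proto: str, port: int) -> Optional[str]:
        for rule in self.forwards:
            if rule.proto == proto and rule.port == port:
                return rule.target
        return self.dmz_host


def missing_ike_forwards(router: UplinkRouter, nebula_wan: str) -> List[str]:
    """Return the IKE ports (as 'proto/port') that would NOT be delivered to
    the Nebula device's WAN address by this uplink router."""
    return [
        f"{proto}/{port}"
        for proto, port in IKE_PORTS
        if router.destination(proto, port) != nebula_wan
    ]


if __name__ == "__main__":
    nebula = "192.168.1.2"  # constructed: Nebula device WAN address behind the uplink router

    # Case 1: Nebula device set as DMZ host, no explicit forwards -> both ports arrive.
    dmz_only = UplinkRouter(dmz_host=nebula)
    print("DMZ host only:", missing_ike_forwards(dmz_only, nebula))

    # Case 2: no DMZ host, only UDP 500 forwarded -> UDP 4500 never arrives.
    partial = UplinkRouter(forwards=[ForwardRule("udp", 500, nebula)])
    print("Only 500 forwarded:", missing_ike_forwards(partial, nebula))

    # Case 3: DMZ host set, but a stale explicit rule sends UDP 500 elsewhere;
    # the explicit rule overrides the DMZ catch-all, so IKE silently breaks.
    stale = UplinkRouter(forwards=[ForwardRule("udp", 500, "192.168.1.50")], dmz_host=nebula)
    print("DMZ plus stale rule:", missing_ike_forwards(stale, nebula))
```

Case 3 is the one worth keeping in mind when a DMZ host seems to make explicit forwards unnecessary: on most routers an explicit port-forward entry is matched before the DMZ catch-all, so an old rule for UDP 500 or 4500 pointing at another host will quietly divert the IKE exchange even though "everything" is supposedly going to the DMZ device. Checking the router's forward table against the Nebula device's WAN address is cheaper than debugging a tunnel that never gets past phase 1.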