No Internet after L2TP behind NAT Configuration

  • Spielkultur_1

    Hmm, ok, but the bigger problem is that the firewall is currently unable to connect to the internet since I did the configuration for the L2TP connection behind NAT, but the clients on the network have normal internet if I set the DNS server to 8.8.8.8 in the LAN1 interface instead of "Zywall" and deactivate the SSL inspection.

    I made the configuration from the link exactly according to the instructions. Others must have had this problem too, that they suddenly have no Internet access after following this guide. The firewall is not yet configured in a complicated way; much is still on default. I had a working internet connection with working SSL Inspection before this. And now, as I said, the clients only have working internet with that change, and the USG no longer reaches its servers...

  • PeterUK

    In VPN > L2TP VPN, set a DNS server to 8.8.8.8

  • Spielkultur_1
    edited September 2019

    Hello PeterUK,

    thanks for your answer, it worked!!

    But the USG still can't connect to the Internet...

    Would you have an idea what it could be? As I said, it has to be somehow related to the L2TP behind NAT configuration?

    Unfortunately that did not help...

  • Spielkultur_1
    edited September 2019, Answer ✓

    Hello everyone,

    finally I found the solution in this topic...

    https://businessforum.zyxel.com/discussion/2519/no-default-dns-for-wan1-on-usg40/p2

    Set the local policy of the IPsec VPN to 0.0.0.0

    and disable the NAT 1:1 (from ISP-Router Public -> ZyXEL_WAN)

  • mMontana

    Sorry for bugging you

    Image came from the article...

    I don't know if your ISP blocks access to 8.8.8.8 (it should not), and I don't know if you have one, two or more ISPs, but you can add more Domain Zone Forwarders, which could be the ones that the ISP gave to you, and you should correctly choose the interface for faster query resolution (you can't use the DNS of one ISP from the other one, for example).

    Also, the sorting of the forwarders can change the behaviour a lot: for instance, if you query via a dial-up PPP connection which goes into standby, the response time could be much higher than on a busier connection which is constantly connected.

    Also, using the (eventual) backup connection, which should always be online, can lead to problems if for any reason it goes offline.
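The forwarder ordering mMontana describes above can be measured rather than guessed. The script below is an added example, not part of this thread or of Zyxel's firmware: it builds a raw DNS A query, sends it to each forwarder, checks that the reply is a real response for the same transaction ID (a mismatched ID or an RCODE error counts as a failure, as does a timeout), and ranks the forwarders by round-trip time. The server list, the probe name, and the constructed reply bytes used for the offline self-check are assumptions.

```python
"""Rank DNS forwarders by measured response time (added example, not from the thread)."""
import random
import socket
import struct
import time
from typing import Callable, List, Optional, Tuple

DNS_PORT = 53


def build_query(name: str, txid: int) -> bytes:
    """Standard recursive query for an A record: 12-byte header, QNAME, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD set
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def _read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) name; return it and the offset just past it."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            offset += 1
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_a_records(msg: bytes, expected_txid: int) -> List[str]:
    """Validate a reply for our transaction and return its A-record addresses."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    offset = 12
    for _ in range(qdcount):           # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4
    addrs = []
    for _ in range(ancount):
        _, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return addrs


def time_forwarder(server: str, name: str, timeout: float = 2.0) -> Optional[float]:
    """Seconds until a valid answer arrives, or None on timeout / bad reply."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.monotonic()
        sock.sendto(build_query(name, txid), (server, DNS_PORT))
        try:
            data, _ = sock.recvfrom(512)
            parse_a_records(data, txid)
        except (socket.timeout, OSError, ValueError):
            return None
        return time.monotonic() - start


def rank_forwarders(servers: List[str], name: str = "example.com",
                    probe: Callable[..., Optional[float]] = time_forwarder
                    ) -> List[Tuple[str, Optional[float]]]:
    """Fastest first; forwarders that failed the probe go to the end."""
    results = [(srv, probe(srv, name)) for srv in servers]
    return sorted(results, key=lambda r: (r[1] is None, r[1] or 0.0))


# Constructed reply used for the offline self-check (assumption, not captured traffic):
# response to example.com/A with txid 0x1234, one answer 192.0.2.1, compression pointer to QNAME.
SAMPLE_TXID = 0x1234
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", SAMPLE_TXID, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("192.0.2.1")
)

if __name__ == "__main__":
    # Forwarder list is an assumption; replace with the ISP's servers and 8.8.8.8.
    for server, rtt in rank_forwarders(["192.168.120.1", "8.8.8.8"]):
        print(server, "unreachable" if rtt is None else "%.1f ms" % (rtt * 1000))
```

Run it once from the LAN and once from the firewall's own shell, if the platform offers one: a forwarder that answers for clients but times out for the firewall points at a routing or policy problem for the firewall's self-originated traffic rather than at the DNS server.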

  • Spielkultur_1

    Hi mMontana,

    I only have one ISP, but I could change the DNS in the USG back to 192.168.1.1 after the changes in the solution.

  • mMontana

    Which device is using 192.168.1.1 in your network?

  • Spielkultur_1

    Sorry, I meant 192.168.120.1...

    It is the router which is connected in front of the USG.

  • mMontana

    Did your ISP also provide DNS servers? You can try to add them and put them at a higher priority in the forwarder list.

  • Spielkultur_1

    I think yes, but why should I do it if everything works great?
