1.37 uOS - error DNS rule myrouter.local

GiuseppeR

Hello everyone,

I moved a firewall from a test site to a production site, I updated it to 1.37

So I went to check its DNS rule and I see:

This is the default internal subnet, while the firewall has different LANs:

Why Nebula still thinks that the firewall is reachable on 192.168.168.1 ?

Zyxel_Barry

Hi @GiuseppeR,

The issue you're encountering with the DNS rule showing myrouter.local resolving to 192.168.168.1 after moving your USG FLEX H Series firewall to a new site and updating it to uOS 1.37 is likely related to how Nebula assigns default subnets and handles initial configurations.

Here's a step-by-step guide to address this:

• Understand the Default Subnet: For USG FLEX H Series firewalls, Nebula VPN typically starts assigning subnets from 192.168.168.0/24. The IP 192.168.168.1 is the default gateway for this subnet, often used during initial setup or when the firewall is onboarded to Nebula.
• Verify Nebula Status: First, ensure your firewall has proper cloud connectivity. You can check the Nebula status on the local GUI by navigating to Maintenance > Diagnostics > Network Tool > Nebula Status. This will indicate if there are any connectivity issues between your firewall and NCC.
• Check DNS Resolution within the Firewall: You can use the CLI command cmd diagnostics nslookup domain-name-or-ip myrouter.local to see how the firewall itself resolves this domain.
• Modify DNS Records in Nebula: If the myrouter.local entry is causing issues and is not reflecting your current LAN configuration, you should be able to modify or remove this DNS record within the Nebula interface. Navigate to Site-wide > Configure > Firewall > Firewall settings to manage DNS Address Records. You would typically add an Address Record here if you want to resolve a specific hostname to an IP address within your network.
• Re-evaluate LAN Interface Configuration: Double-check your LAN interface configurations in Nebula (Site-wide > Configure > Firewall > Interface) to ensure they correctly reflect your production site's IP addressing scheme and are not conflicting with the 192.168.168.x range if it's not intended for your LANs.

To help us further investigate and provide a more tailored solution, please provide the following information:

• Nebula Organization and Site Name: This will allow Zyxel support to access your cloud environment for direct troubleshooting.
• Enable Zyxel Support Access: Please enable Zyxel Support Access via Help > Support Request in your Nebula console. This authorizes the Zyxel support team to directly view your cloud environment configuration, significantly shortening troubleshooting time.
• Screenshots: If possible, provide additional screenshots of your current DNS settings in Nebula, specifically showing any default or system-generated entries.
• Network Topology Map: A simple diagram of your network setup, including how the firewall is connected and the IP subnets in use.

PeterUK

It can be changed it is not auto linked to update its just a normal entry.

Zyxel_Melen

Hi @GiuseppeR

I checked on local GUI, the A record also does not auto update when changing Lan1/ge3 interface IP. I'm discussing with our team, and I will update you once I got further info.