DNS query via vti
Dear all,
I have a problem with DNS queries via UDP to the VPN destination.
The Zyxel system is always forwarding DNS queries with the WAN IP for the vti interface instead of the local IP. For TCP traffic it is working fine and there is no communication issue (TCP uses the local Zywall IP).
Any idea how I can change it (SNAT)? It looks like a bug in the Zyxel firmware.
The solution would be to overwrite
Does anyone have the same experience?
All Replies
-
Hi,
I had a similar case in the past, but the scenario was a Site-to-Site IPSec VPN; the issue was solved by a policy route. How about creating a policy route, assigning the next hop as the VTI, then doing the SNAT?
-
The VTI IPSec is a route-based IPSec VPN.
So the easiest way is just to add a static route to the destination through that VTI interface.
For example,
if the remote DNS server IP address is 192.168.10.10,
then add a static route 192.168.10.10/255.255.255.255, interface: the vti interface.
-
Hi,
I have an IPSec Site-to-Site VPN with exactly such a policy route and a static route working (without VTI interface).
If I try a policy route like that for the IPSec vti tunnel it is not working.
Option 1 (SNAT_not allowed):
Zywall (Incoming), WAN IP (Source), destination network, Service (DNS_UDP:53), NextHop (vti1), SNAT not allowed via WebGui, with CLI yes but no effect.
Option 2 (SNAT_allowed no effect):
any, WAN IP (Source), destination network, Service (DNS_UDP:53), NextHop (vti1), SNAT not allowed via WebGui, with CLI yes but no effect.
When I add the rule you mentioned I get the following error:
CLI Number: 8
Warning Number: 31001
Warning Message: 'Invalid gateway. Default route will not be added.'
If I do a Wireshark capture I clearly see that the DNS request is coming from the local IP like 192.168.1.1 and the Zywall is answering via the wan1 interface and Public IP -> 192.168.1.1. Completely wrong...
If I do the same for SSH from 192.168.1.1 to my local network it is correctly routed.
Issue 1:
vti is not correctly implemented, given that it is working via IPSec with a policy route
Issue 2:
DNS UDP via vti
Blue box is my WAN IP
Remark:
I opened a ticket (USG60W - IPSec VPN to VTI - Ticket #30062-163488) already with Zyxel, but the only answer I got is that they need the whole configuration from both end points to be able to simulate the issue.
I provided all configs that are required to set up the tunnel and the routing, but still no support.
-
Dear Sebastian,
If you have time today I will give you a quick call.
I hope that we can solve the issue for you.
Kind regards,
Mark
ZYXEL Support Campus
-
Please check your PN.
-
That looks like the policy route for traffic going out from the device has some issue.
Here is a workaround you can try:
On the policy route, select the next-hop: auto.
auto means that once traffic hits this policy route it goes on to check the main routing table only.
Then it will hit the static routing entry in the main routing table.
-
Hello,
In this scenario,
you need to add DNS on the local USG (USG A) and a NAT rule on the remote device (USG B) to redirect the session to the DNS server.
Here is an example:
1. Configure the NAT rule on USG B
Original: 10.0.1.10
Mapping: 192.168.10.33
Service: port 53
2. Set the DNS and static route on USG A
Thanks
Charlie
-
It's really strange that you need to set the DNAT on the peer.
If there is a static route entry on USG A to reach 192.168.10.33, then the packet can reach the peer, right?
-
Dear,
I have set up a workaround via a Raspberry Pi and the unbound tool. The problem is that the answer from the Zywall is always using my wan1 (Public IP) when I'm using UDP traffic.
For TCP traffic it is working fine.
Workaround: use a DNS proxy and forward every UDP DNS query via TCP to the DNS destination.
Best regards,
Sebastian
-
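The workaround in the post above (a DNS proxy that accepts the LAN's UDP queries and forwards them to the remote resolver over TCP, so the Zywall only ever sees TCP DNS through the tunnel) written out as an added example. This is not the poster's unbound setup and not Zyxel code; the listen port and the upstream resolver address are assumptions. It applies the RFC 1035 TCP framing (2-byte length prefix), checks that the reply's transaction ID matches the query before relaying it, and truncates replies that would not fit a 512-byte datagram by setting the TC bit, which makes a standards-conforming client retry over TCP itself.

```python
"""UDP-to-TCP DNS relay (added example, not code from the forum thread)."""
import socket
import struct

UPSTREAM = ("192.168.10.10", 53)   # assumed remote DNS server behind the VTI tunnel
LISTEN = ("0.0.0.0", 5353)         # assumed local UDP listener for LAN clients
MAX_UDP = 512                      # classic UDP payload limit from RFC 1035


def frame_tcp(message: bytes) -> bytes:
    """Prefix a DNS message with its 2-byte big-endian length for TCP transport."""
    if len(message) > 0xFFFF:
        raise ValueError("DNS message too large for TCP framing")
    return struct.pack("!H", len(message)) + message


def unframe_tcp(stream: bytes):
    """Split one length-prefixed message off a TCP byte stream.
    Returns (message, remainder); raises ValueError if the stream is incomplete."""
    if len(stream) < 2:
        raise ValueError("incomplete length prefix")
    (length,) = struct.unpack("!H", stream[:2])
    if len(stream) < 2 + length:
        raise ValueError("incomplete message body")
    return stream[2:2 + length], stream[2 + length:]


def skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        if offset >= len(data):
            raise ValueError("name runs past end of message")
        length = data[offset]
        if length == 0:                 # root label terminates the name
            return offset + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            return offset + 2
        offset += 1 + length


def question_end(message: bytes) -> int:
    """Offset where the question section ends (header plus every QNAME/QTYPE/QCLASS)."""
    (qdcount,) = struct.unpack("!H", message[4:6])
    offset = 12
    for _ in range(qdcount):
        offset = skip_name(message, offset) + 4
    return offset


def fit_for_udp(response: bytes, max_size: int = MAX_UDP) -> bytes:
    """Return the response unchanged if it fits in one datagram; otherwise keep only
    header plus question, zero the answer/authority/additional counts and set TC."""
    if len(response) <= max_size:
        return response
    (flags,) = struct.unpack("!H", response[2:4])
    header = response[:2] + struct.pack("!H", flags | 0x0200) + response[4:6] + b"\x00" * 6
    return header + response[12:question_end(response)]


def relay_query(query: bytes, upstream=UPSTREAM, timeout: float = 3.0) -> bytes:
    """Send one DNS query to the upstream resolver over TCP and return the raw reply."""
    with socket.create_connection(upstream, timeout=timeout) as tcp:
        tcp.sendall(frame_tcp(query))
        buf = b""
        while True:
            chunk = tcp.recv(4096)
            if not chunk:
                raise ConnectionError("upstream closed before a full reply")
            buf += chunk
            try:
                reply, _ = unframe_tcp(buf)
                return reply
            except ValueError:          # need more bytes for a complete message
                continue


def serve(listen=LISTEN, upstream=UPSTREAM):
    """Main loop: UDP in from the LAN, TCP out through the tunnel, UDP back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.bind(listen)
        while True:
            query, client = udp.recvfrom(4096)
            if len(query) < 12:             # too short to carry a DNS header
                continue
            try:
                reply = relay_query(query, upstream)
            except (OSError, ValueError):
                continue
            if reply[:2] != query[:2]:      # transaction ID mismatch: do not relay
                continue
            udp.sendto(fit_for_udp(reply), client)


if __name__ == "__main__":
    serve()
```

Pointing the LAN clients at this relay keeps all DNS towards the remote site on TCP, which is the path the thread reports as working through the VTI. unbound can be configured to do the same forwarding with `tcp-upstream: yes` in its server section, which is the simpler choice when a full caching resolver is wanted on the Raspberry Pi.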
Hello Sebastian,
We want to reproduce your case locally, so please share your topology and PM the configuration for our further checking.
Charlie