Synology VPN

cpg_juraj
cpg_juraj Posts: 19  Freshman Member
First Comment Fourth Anniversary
edited April 2021 in Security

Hi.

We have IPSec between two offices with two Zywall USG 100.

  1. zywall 192.168.50.1-245
  2. zywall 192.168.53.1-245

Our synology is in .50 network. It also runs a VPN server. When a user connects via Synology VPN it is able to talk to .50 network, but unable to reach .53 network. What rule do I need to create and where to allow the communication?

Thank you for your help.

Juraj.

All Replies

  • mMontana
    mMontana Posts: 1,389  Guru Member
    50 Answers 1000 Comments Friend Collector Fifth Anniversary

    You should ask to Synology Forum, IMVHO. This is part of routing table of your NAS (if availble).

    Otherwise you can use L2TP VPN to allow a user to connect only to Synology AND .53 network.

  • LAURAM
    LAURAM Posts: 13  Freshman Member
    First Comment First Answer Friend Collector Fourth Anniversary

    If you have NAS in your topology, check your NAS and Zywall USG100 .50 routing table first if it has .53 routing in it.

    IF not,you can add policy route on both your NAS and Zywall USG .50 routing table to make the communication success.

  • cpg_juraj
    cpg_juraj Posts: 19  Freshman Member
    First Comment Fourth Anniversary

    Hello and thank you for taking the time to look into my "issue." I have been working with zywall for very short time. I already have some routing created. Is this what you mean? My goal here is to have the user that is in .53 network, connect via synology vpn from outside and then RDC to his PC.


  • lalaland
    lalaland Posts: 91  Ally Member
    First Answer First Comment Friend Collector Sixth Anniversary

    @cpg_juraj What is the PC's IP when it connects to synology by VPN?

  • cpg_juraj
    cpg_juraj Posts: 19  Freshman Member
    First Comment Fourth Anniversary

    Synology VPN is set to assign IP addresses in a range 10.0.8.10 - 10.0.8.20. I tried to add a rule to allow traffic from a created object for this specific range to .53 network. I might be missing something or not doing it correctly.

  • jasailafan
    jasailafan Posts: 193  Master Member
    5 Answers First Comment Friend Collector Sixth Anniversary

    Your scenario is similar to this FAQ.

    https://businessforum.zyxel.com/discussion/2764/how-to-forward-traffic-to-branch-site-server-after-client-established-vpn-tunnel


    At the site .53 network, create a policy route.

    Incoming: any, Source: any, Destination: 10.0.8.10 - 10.0.8.20, next-hop: VPN tunnel


    At the site .50 network, create a static route.

    Destination IP: 10.0.8.0

    Subnet Mask: <the subnet mask of 10.0.8.10 - 10.0.8.20>

    Next Hop: 192.168.50.x (Synology's IP)

    Create a policy route.

    Incoming: any, Source: any, Destination: 192.168.53.0/24, next-hop: VPN tunnel

  • cpg_juraj
    cpg_juraj Posts: 19  Freshman Member
    First Comment Fourth Anniversary

    Awesome, that`s what I was looking for. I will apply the settings and will post back the results. Thank you.

Security Highlight