Not having split tunnel VPN is a deal breaker
Freshman Member
Overall, I've been happy with the Nebula lineup but the lack of a split tunnel VPN client is driving me away from using the Gateway. It's a shame because the single pane of glass management has been fantastic. Please reconsider this crucial omission.
1
Comments
-
Hello @JCKelly
I assume you're using L2TP tunnel and you wanna traffic can pass through to the tunnel when access to the remote LAN site and can go through via local interface card directly when access to the internet? Please correct me if I'm wrong.1 -
yes, that is correct.
An SSL VPN setup would be even better1 -
This is also a deal breaker for us. We must be able to force split tunneling.0
-
We are using split tunnelling with USG and ATP devices and would really like the option on the NSG line up too!
+10 -
@FrankIversen and @TAPTech,May I know both of your scenario is using L2TP over IPSec? If it is the case then the routing behavior is actually relevant to the end device, uncheck "default gateway on remote network" (in the advanced of ) then add the routing in Windows manuall, for instance "route add <LAN IP in peer> mask <submask> <Your L2TP IP in this host>" should work.In TCP/IPv4 properties>Advanced
Add the route manually
0 -
I'm using L2TP/IPSec. It's adding the route that is the problem. With USG and ATP devices we do not need to add this route. We can push a script to many endpoints using our RMM tool and the VPN works great on USG and ATP. For the NSG units, we need to keep the box checked and route all traffic over the VPN. This is an issue if the VPN network has limited bandwidth.0
-
We need to force this behavior centrally.There is situation at customer site, f.ex when they are using external people to connect to their servers. They do not want the person who connects to the vpn to be able to use full tunnelig since they have a lot of polices which depens on the wan-adress. If people outside the organization which uses vpn get browse with this WAN ip, they can be able to bypass other security lines.Please create a ticket/policy in Nebula (on user level) which says the connection will be split-tunneling or not. We can do this with most other firewalls, f.ex the free Pfsense.0
-
Thanks for your input and understood for the request, we'll put it in our feature queue.
0 -
This has been a never ending question for all vendors and the answer seems to be always the same:
https://documentation.meraki.com/MX/Client_VPN/Configuring_Split_Tunnel_Client_VPN
https://forum.netgate.com/topic/104711/split-tunnel-with-l2tp-over-ipsec-in-pfsense/2
https://community.ui.com/questions/Split-tunnel-VPN/98043267-96c5-4eac-877c-fa54eff13b9c
L2TP remote VPN split tunneling are up to client settings as the routes need to be configured, and cannot be 'forced' by the firewall device.
There are other ways to avoid the issue of having internet traffic through VPN and maybe include this on Nebula will be fantastic, such as creating a script/bat file that configures the routes and can be run in the client devices.
Alternatively, it will be useful to have an option to automatically create firewall rules to allow VPN network access to LAN only, denying other traffic. This can be manually done now but a little automation will be nicer. I know this means the client will not have internet access at all while connected but then users need to be instructed on what to do in their devices.
"You will never walk along"0
Zyxel Employee
Master Member
Ally Member
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 144 Nebula Ideas
- 94 Nebula Status and Incidents
- 5.6K Security
- 237 USG FLEX H Series
- 267 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.3K Consumer Product
- 247 Service & License
- 384 News and Release
- 83 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.2K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 71 Security Highlight
