Overlap IP for VPN solution.
Kiattikorn
Posts: 12 Freshman Member
Dear Nebula Team,
VPN Solution.
HQ > USG
LAN IP: 192.168.0.0/24
BR1 > NSG
LAN IP: 192.168.1.0/24
BR2 > NSG
LAN IP: 192.168.2.0/24
:
:
BRn > NSG
LAN IP: 192.168.n.0/24
When we design a VPN solution with hub and spoke, we use HQ to distribute traffic to each branch.
For example, BR1 can communicate with BR2 by using the same VPN tunnel that is connected to HQ.
In USG we can configure an overlapping subnet (192.168.0.0/16) to route all traffic in this subnet to HQ first, then pass it through to BR2.
For the NSG configuration I can't add a private subnet that overlaps with the local IP.
Please help to improve this.
Thank you.
0
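To make the routing behind this request concrete: a spoke such as BR1 holds its own /24 as a connected route and the 192.168.0.0/16 summary as a tunnel route, so longest-prefix match keeps 192.168.1.x local while sending 192.168.2.x into the tunnel to HQ, where a per-branch route hairpins it to BR2. The /16 necessarily overlaps the spoke's own LAN, which is exactly what an overlap check rejects, whereas listing each remote branch /24 explicitly passes such a check. The following is an added example written for this thread, not Zyxel code; the site names, route tables and the `VPN_TO_<site>` next-hop labels are constructed for illustration.

```python
import ipaddress

# Constructed routing tables modelling the hub-and-spoke design in the thread.
# Next hops: "LAN" (deliver locally), "WAN" (default), "VPN_TO_<site>" (tunnel).
SITES = {
    # Spoke BR1: local /24 plus the /16 summary route pointing at HQ.
    "BR1": [
        ("192.168.1.0/24", "LAN"),
        ("192.168.0.0/16", "VPN_TO_HQ"),
        ("0.0.0.0/0", "WAN"),
    ],
    # Hub HQ: local /24 plus one specific route per branch tunnel.
    "HQ": [
        ("192.168.0.0/24", "LAN"),
        ("192.168.1.0/24", "VPN_TO_BR1"),
        ("192.168.2.0/24", "VPN_TO_BR2"),
        ("0.0.0.0/0", "WAN"),
    ],
    # Spoke BR2: same shape as BR1.
    "BR2": [
        ("192.168.2.0/24", "LAN"),
        ("192.168.0.0/16", "VPN_TO_HQ"),
        ("0.0.0.0/0", "WAN"),
    ],
}


def lookup(routes, dst):
    """Longest-prefix match: the most specific prefix containing dst wins."""
    dst_ip = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, nexthop
    return best_hop


def trace(start_site, dst, max_hops=8):
    """Follow tunnel next hops site by site until traffic is delivered locally."""
    path, site = [start_site], start_site
    for _ in range(max_hops):
        hop = lookup(SITES[site], dst)
        if hop == "LAN":
            return path
        if hop is None or not hop.startswith("VPN_TO_"):
            return path + [hop]          # left the VPN (e.g. WAN) or unroutable
        site = hop[len("VPN_TO_"):]
        path.append(site)
    return path + ["LOOP"]               # defensive: route loop detected


def overlapping_remote_subnets(local_lan, remote_subnets):
    """Return the remote subnets that overlap the local LAN.

    This mirrors the kind of check the thread reports the NSG applying: the
    /16 summary overlaps the spoke's own /24, while explicit remote /24s do not.
    """
    lan = ipaddress.ip_network(local_lan)
    return [s for s in remote_subnets if ipaddress.ip_network(s).overlaps(lan)]


if __name__ == "__main__":
    print(trace("BR1", "192.168.2.10"))   # spoke -> hub -> spoke
    print(trace("BR1", "192.168.1.10"))   # stays local
    print(overlapping_remote_subnets("192.168.1.0/24", ["192.168.0.0/16"]))
    print(overlapping_remote_subnets("192.168.1.0/24",
                                     ["192.168.0.0/24", "192.168.2.0/24"]))
```

Two things the model shows: the /16 summary only works because the spoke's own /24 is more specific and wins, so the "overlap" is harmless for forwarding; and an overlap check that looks at containment alone, rather than at longest-prefix precedence, will always reject a summary route that covers the local LAN.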
Comments
Hi @kiattikorn
I am glad to see you here!
If you want to set the same private subnet in each non-Nebula VPN peer, you should select "This Site" in the Availability dropdown list, or it will have a routing problem on the site.
Please remember your private subnet cannot duplicate the NSG LAN IP in this site.
Here is a link for you to understand the difference between All Network and This Site for the Availability configuration on NCC.
https://businessforum.zyxel.com/discussion/715/what-is-the-difference-between-all-network-and-this-site-for-availability-configuration/p1?new=1
0 -
Hi Irene,
Thank you for your information, but it's a different solution from the one I mentioned before.
Here is the VPN solution that we designed.
The requirement is that Client A from site A needs to communicate with other branches, such as branch B and branch n, by using the same tunnel that we connected to the non-Nebula device.
We can't create tunnels between branches because all of the NSGs are behind NAT.
The question is how we can configure the NSG to support this solution.
0 -
Hi @kiattikorn
At this moment, when all NSGs are under one organization and you enable Site-to-Site VPN, all branches (Site A/B/C..) can communicate with each other through the Nebula-to-Nebula tunnel (traffic will go through the orange line).
Then, according to your scenario, I consider that communication between branches should go through HQ (red line in your reply), not the direct path, but an overlapping subnet IP cannot be configured on NCC due to routing problems, and we will have an enhancement for the flexibility of the VPN function in the future.
0