Why does my USG200 take the wrong route to the other network

CodeNinja Posts: 1
edited April 2021 in Security
Hello,
I have some trouble with routing traffic between 2 networks. A bit of context may be required to understand my situation. I joined a company where I'm fully responsible for everything that comes to IT, as the previous employee left. As the network is old-fashioned and outdated (hardware, software and configuration), we decided to upgrade the whole network by replacing it with a new one. To avoid having to do a "big bang", I will create the new network in parallel to the current/old one. The idea is that the old and the new network are connected/routed to each other so devices in the new network can reach devices in the old network and vice versa. We have 2 WAN connections in the building, so each network gets its own WAN connection until the migration is finished. I made a sketch of the situation I already built, including which connections are working and which connections don't. When I log in to my USG200 CLI and do a tracepath to 192.168.222.2, this is the result:


I created a route policy on the Zyxel USG200:

And a static route (which I suppose should not be required, as the route policy covers this route, but with the route policy only I have the same problem):

When I do a tracepath from the USG200 to 192.168.222.2 or 10.128.10.1, these are the results:



1. ---------------------------
If I understand this correctly, the route to 192.168.222.2 looks correct, but the route to 10.x is routed to the public IP, so WAN. I do not understand why this happens, as I configured a static route and route policy for the 10.x network.

2. ---------------------------
Another thing is that when I ping 192.168.222.2 I would expect to get a response (as pfSense allows ICMP on the 192.168.222.2 interface), but I get this:

--- 192.168.222.2 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2013ms

When I trace the packets on that interface on the pfSense side, no packets arrive at all. Also, no firewall logs are written for the interface concerned (usually pfSense logs all blocked traffic).

3. ---------------------------
What I also don't understand is that I can ping 192.168.222.0 and 192.168.104.0 devices from pfSense but not from devices behind it. I think this is blocked by the Zyxel, as pfSense allows all outgoing traffic for the 10.128.10.0 network.

---------------- GENERAL NOTES and information ---------------- 
I also have a connection from 10.128.10.0/24 to 10.128.11.0/24 configured on the pfSense with the same firewall rules as for 10.128.10.0 to 192.168.104.0 and 10.128.10.0 to 192.168.222.0, and those routings/connections work fine. This is one of the reasons I think that pfSense is configured correctly. Also, the logs on pfSense look fine (they have no entries, so nothing is blocked). The routes on the pfSense side also look good.

I asked this question over the last few days from different angles on the pfSense forum and Stack Exchange as well, and looked into this with an ex-colleague (network specialist), and everything I could figure out points to issues on the Zyxel side. As I'm really out of ideas, I hope someone can help me out or at least point me in the right direction.

The Stack Exchange question may contain interesting information about this problem as well:
https://networkengineering.stackexchange.com/posts/68009/edit


All Replies

  • Zyxel_Stanley Posts: 1,366  Zyxel Employee
    The routing you set up is a policy route, and your configuration is only for “forwarding” traffic.
    You tested the route path from the USG itself, so you also have to add an additional rule for “local-out” traffic whose incoming is “ZyWALL”.
    Otherwise the traffic will pass by the default route (WAN interface).
    Of course the pfSense device has to have corresponding rules and firewall rules set up for this traffic.
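The distinction in this reply, as an added illustration (not Zyxel firmware code and not from the thread): a simplified first-match policy-route lookup in which packets the firewall generates itself carry incoming “ZyWALL”, so a rule written only for a LAN zone never matches them and they fall through to the WAN default route. The interface names, the rule names and the 192.168.222.2 next hop are assumptions.

```python
import ipaddress

# Simplified model of the ZyWALL/USG policy-route decision described in the
# reply (added illustration, not Zyxel firmware code). Policy routes are
# evaluated first-match and carry an "incoming" criterion. Traffic that the
# firewall itself generates (ping or tracepath from the CLI) is "local-out"
# and has incoming "ZyWALL", not a LAN zone; if no policy route matches, the
# packet falls through to the default route on the WAN interface.
# Interface names, the 192.168.222.2 next hop and the rule names are assumed.

DEFAULT_ROUTE = ("wan1", "default route")

def next_hop(dst, incoming, policy_routes):
    """Return (next_hop, matched_rule_name) for one packet."""
    addr = ipaddress.ip_address(dst)
    for rule in policy_routes:
        if rule["incoming"] not in ("any", incoming):
            continue
        if addr in ipaddress.ip_network(rule["destination"]):
            return rule["next_hop"], rule["name"]
    return DEFAULT_ROUTE

# Rule as the original poster had it: only forwarded traffic from lan1 matches.
RULES_BEFORE = [
    {"name": "to-new-lan", "incoming": "lan1",
     "destination": "10.128.10.0/24", "next_hop": "192.168.222.2"},
]

# With the extra "local-out" rule suggested in the reply (incoming "ZyWALL").
RULES_AFTER = RULES_BEFORE + [
    {"name": "to-new-lan-local", "incoming": "ZyWALL",
     "destination": "10.128.10.0/24", "next_hop": "192.168.222.2"},
]

def compare(dst="10.128.10.1"):
    """Show where a forwarded packet and a firewall-originated packet go."""
    return {
        "forwarded/before": next_hop(dst, "lan1", RULES_BEFORE),
        "local-out/before": next_hop(dst, "ZyWALL", RULES_BEFORE),
        "local-out/after": next_hop(dst, "ZyWALL", RULES_AFTER),
    }

if __name__ == "__main__":
    for label, (hop, rule) in compare().items():
        print(f"{label:18} -> {hop} via {rule}")
```

Forwarded traffic from the LAN is steered to 192.168.222.2 in both rule sets, while a tracepath from the USG itself only leaves the WAN default route once the “ZyWALL” rule exists.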
