Force outgoing SMTP traffic to specific WAN without blocking SSL VPN local LAN

DavidM
edited April 2021 in Security
I have two WANs with two different static IPs. One is for mail and the other one for everything else. I have set up NAT and policy rules to control incoming traffic correctly. Now I also want to control outgoing traffic so that SMTP goes out via WAN2 and all other traffic is forced to WAN1. WAN1 and WAN2 belong to a "Least Load First" trunk, but I will not use the load balancing in this case. I have learned this can be done with a "Policy Route" (SNAT), and I have set up one for SMTP traffic. I believe it works as intended (see picture below).

Now I also want to force all other traffic through WAN1 (otherwise the firewall will balance outgoing traffic between WAN1 and WAN2, and I don't want that), but if I activate the rule below my SSL VPN stops working. By that I mean I can connect to the VPN but can't ping any device on my LAN1 subnet anymore. The policy route screws up the VPN route.

Any suggestions on how to solve that? I tried setting up a third route for SSL_VPN, but I don't know how to do it properly.



Address config:
WAN1: x.x.x.1
WAN2: x.x.x.2
LAN1_subnet: 10.0.0.0/255.255.0.0
LAN1_interface: 10.0.0.1
VPN_POOL: 192.168.202.50-192.168.202.100
SSL VPN Extension local IP: 192.168.202.1

SSL VPN config:
Zone: SSL_VPN
Enable network extension (full tunnel mode): Yes
Force all client traffic to enter SSL VPN tunnel: No
NetBIOS broadcast over SSL VPN Tunnel: No
Assign IP pool: VPN_POOL (RANGE 192.168.202.50-192.168.202.100)
DNS Server 1: ZyWALL
Network list: LAN1_subnet

Policy control:
SSL_VPN_to_Device: From SSL_VPN to ZyWALL (any any any any)
SSL_VPN_Outgoing: From SSL_VPN to Any (excl. ZyWALL) (any any any any)
WAN_to_Device: From WAN to ZyWALL (any any "default_allow_wan" any)

Screenshots (not reproduced here): NAT, SSL VPN, Policy route.

Comments

  • Ian31
    Please disable "Use IPv4 Policy Route to Overwrite Direct Route" on the policy route page.

  • DavidM
    Ian31 said:
    Please disable "Use IPv4 Policy Route to Overwrite Direct Route" on the policy route page.

    Thanks, that did the trick! It also magically solved a NAT loopback problem I've been troubleshooting all day (accessing a local server via its public IP from the LAN side).
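Why the fix works, as an added example that is not part of the thread and not Zyxel's code: the script below is a small model of the ZyWALL route lookup. In the default order a packet whose destination is on a directly connected subnet (LAN1, the SSL VPN network extension) takes the direct route before any policy route is consulted; enabling "Use IPv4 Policy Route to Overwrite Direct Route" consults the policy routes first, so the catch-all "everything to WAN1" rule also captures VPN-to-LAN traffic (and, assuming the virtual-server DNAT is applied before routing, NAT-loopback traffic that has just been translated to an internal address). The public addresses, the interface names, the DNAT entry and the exact precedence rules are assumptions of this model, stood in for the x.x.x.1 / x.x.x.2 placeholders and screenshots of the original post; the lint at the end flags every policy route whose destination scope overlaps a non-WAN directly connected subnet, which is the general condition behind the OP's problem.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Optional

# Constructed model of the thread's layout. The post only gives x.x.x.1 and
# x.x.x.2 for the WAN addresses, so documentation ranges stand in for them.
DIRECT_SUBNETS = {
    "lan1":    ip_network("10.0.0.0/16"),        # LAN1_subnet
    "ssl_vpn": ip_network("192.168.202.0/24"),   # network extension, pool .50-.100
    "wan1":    ip_network("203.0.113.0/30"),     # assumed
    "wan2":    ip_network("203.0.113.4/30"),     # assumed
}
WAN1_PUBLIC = ip_address("203.0.113.1")          # assumed stand-in for x.x.x.1
ANY = ip_network("0.0.0.0/0")
DEFAULT_TRUNK = "wan1/wan2 (least load first)"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class PolicyRoute:
    name: str
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]   # None = any service
    next_hop: str          # egress interface
    snat: bool = True

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and (self.dport is None or self.dport == p.dport))


# The two policy routes from the post: SMTP out WAN2, everything else out WAN1.
POLICY_ROUTES = [
    PolicyRoute("SMTP_out_WAN2", ANY, ANY, 25, "wan2"),
    PolicyRoute("All_out_WAN1", ANY, ANY, None, "wan1"),   # the rule that broke the VPN
]

# Assumed virtual-server entry: WAN1 public IP:443 -> internal web server.
DNAT = {(str(WAN1_PUBLIC), 443): "10.0.0.20"}


def direct_route(dst: str) -> Optional[str]:
    """Interface whose connected subnet contains dst, or None."""
    a = ip_address(dst)
    for ifname, net in DIRECT_SUBNETS.items():
        if a in net:
            return ifname
    return None


def route(p: Packet, overwrite_direct: bool) -> str:
    """Egress interface chosen by the model for packet p."""
    # Model assumption: virtual-server DNAT happens before the route lookup,
    # so loopback traffic to the public IP is already LAN-bound when routed.
    translated = DNAT.get((p.dst, p.dport))
    if translated:
        p = Packet(p.src, translated, p.dport, p.proto)
    direct = direct_route(p.dst)
    # Default order: a directly connected destination wins outright.
    if direct and not overwrite_direct:
        return direct
    # "Overwrite direct route" enabled (or no direct route): policy routes first.
    for pr in POLICY_ROUTES:
        if pr.matches(p):
            return pr.next_hop
    return direct or DEFAULT_TRUNK


def policy_routes_capturing_direct_subnets() -> list:
    """Lint: policy routes whose destination overlaps a non-WAN connected subnet.
    With 'overwrite direct route' enabled each of these pulls LAN/VPN-bound
    traffic out of a WAN interface instead."""
    hits = []
    for pr in POLICY_ROUTES:
        for ifname, net in DIRECT_SUBNETS.items():
            if not ifname.startswith("wan") and pr.dst.overlaps(net):
                hits.append(f"{pr.name} captures {ifname} ({net})")
    return hits


if __name__ == "__main__":
    flows = [
        Packet("192.168.202.50", "10.0.0.5", 445),        # VPN client -> LAN share
        Packet("10.0.0.5", "198.51.100.7", 443),          # LAN -> Internet
        Packet("10.0.0.10", "198.51.100.25", 25),         # mail server -> remote MX
        Packet("10.0.0.5", str(WAN1_PUBLIC), 443),        # NAT loopback from LAN
    ]
    for flag in (True, False):
        print(f"overwrite direct route = {flag}")
        for p in flows:
            print(f"  {p.src} -> {p.dst}:{p.dport}  via {route(p, flag)}")
    for hit in policy_routes_capturing_direct_subnets():
        print("warning:", hit)
```

With the flag on, the VPN-to-LAN and loopback flows leave via wan1 and never reach the LAN host; with it off they take lan1, while Internet-bound and SMTP flows are unaffected either way. The lint reports both catch-all rules, which is the practical check to run before enabling the overwrite option on a box that also terminates VPNs.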
