Issue with VPN Connecting to Internal Devices from WAN Failover to LAN1

dcgtechnologies, edited August 2022 in Security
Hello. I have a ZyWall 110, and about a couple of weeks ago I got a second ISP for WAN2, so now I have WAN failover enabled. Before I added that I was able to establish a successful VPN connection and access all my devices on LAN1 over WAN1, and now it is not working at all, including over the WAN failover. I get access block errors in the log pointing to the actual device I want to access on LAN1. I am not able to access anything, but I can VPN in successfully with no issues. The error in the logs is below:

Match default rule, DNAT Packet, DROP [count=2] - 166.x.x.x 192.x.x.x - Access Block 

I am doing this from a client device, and the source is the client device IP and the destination is the IP address of the device I want to access. Is there a special setting in the Policy Route that I need to enable to make sure that the VPN can see my internal devices when connecting from the client device over the WAN failover to LAN1? I hope this helps. If you have an idea I would love to get this working ASAP. Thank you.
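As an added example (not from the thread or from Zyxel), here is a small Python triage script that parses drop messages in the shape the post quotes and tallies default-rule drops whose source is in the remote-access client pool and whose destination is on LAN1. The sample log lines, the client pool 166.0.0.0/24 and the LAN range 192.168.1.0/24 are constructed for illustration; the regex covers only the fields visible in the quoted line and skips any ZyWALL log variant it does not recognise rather than guessing at it.

```python
"""Triage ZyWALL policy-control drop messages from a VPN debugging session.

Added example, not part of the forum thread or of Zyxel's tooling. The log
lines below are constructed to mirror the shape of the message quoted in the
post; the address ranges are assumptions the reader replaces with their own.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log (addresses made up). The first two lines have the
# shape of the message in the post: default rule, DNAT, DROP, count, src dst.
SAMPLE_LOG = """\
Match default rule, DNAT Packet, DROP [count=2] - 166.0.0.10 192.168.1.20 - Access Block
Match default rule, DNAT Packet, DROP [count=5] - 166.0.0.10 192.168.1.30 - Access Block
Match default rule, DROP [count=1] - 203.0.113.7 192.168.1.20 - Access Block
Match rule 3, ACCEPT - 192.168.1.20 192.168.1.1
"""

# Only the fields visible in the quoted message; other ZyWALL log variants
# may not match and are skipped rather than guessed at.
LOG_RE = re.compile(
    r"^Match (?P<rule>default rule|rule \d+),\s*"
    r"(?:(?P<nat>DNAT Packet|SNAT Packet),\s*)?"
    r"(?P<action>DROP|ACCEPT|REJECT)"
    r"(?:\s*\[count=(?P<count>\d+)\])?\s*-\s*"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_log(text):
    """Return one dict per recognised line; unrecognised lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["count"] = int(rec["count"] or 1)  # no [count=N] means one hit
        records.append(rec)
    return records


def default_rule_drops(records, client_pool, lan_net):
    """Tally default-rule DROPs from the VPN client pool into the LAN.

    Returns a Counter keyed by (src, dst). A non-empty result means VPN
    client traffic is matching none of the configured policy rules and is
    falling through to the default drop, so the thing to check is which
    rule that traffic is expected to hit (and the VPN settings that decide
    it), not a blanket WAN -> LAN1 allow.
    """
    pool = ipaddress.ip_network(client_pool)
    lan = ipaddress.ip_network(lan_net)
    hits = Counter()
    for rec in records:
        if rec["rule"] != "default rule" or rec["action"] != "DROP":
            continue
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        if src in pool and dst in lan:
            hits[(rec["src"], rec["dst"])] += rec["count"]
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    # Assumed ranges: 166.0.0.0/24 stands in for the VPN client addresses,
    # 192.168.1.0/24 for LAN1. Replace with your own.
    drops = default_rule_drops(recs, "166.0.0.0/24", "192.168.1.0/24")
    for (src, dst), n in drops.items():
        print(f"{src} -> {dst}: {n} default-rule drops")
```

Run it against the exported log with your own client pool and LAN range; the tally shows exactly which client-to-LAN flows are reaching the default rule, which is the evidence to bring to the rule order and VPN connection settings rather than opening WAN to LAN1 broadly.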

Accepted Solution

  • dcgtechnologies, edited August 2022, Answer ✓
    So I fixed it. It turns out that under "VPN Connection" the checkbox next to "Use Policy Route to control dynamic IPSec rules" was checked. I unchecked it and everything started working as usual. That was causing all the traffic to be blocked. Thank you for the help, and sorry for the confusion.

All Replies

  • PeterUK, edited August 2022

    Sounds like you have many issues... so if WAN2 is not connected, does everything work? I'm guessing not? So you look to need a firewall rule to allow from WAN to LAN1.

    DNAT Packet is for a NAT Virtual Server, which has nothing to do with a VPN.

  • dcgtechnologies, edited August 2022
    PeterUK said:

    Sounds like you have many issues... so if WAN2 is not connected, does everything work? I'm guessing not? So you look to need a firewall rule to allow from WAN to LAN1.

    DNAT Packet is for a NAT Virtual Server, which has nothing to do with a VPN.

    Hi Peter. You are correct, nothing is working on the VPN, but if you are not on the VPN everything else works as expected. So I would need a policy route or an actual firewall rule? I would not say many issues, just not being able to connect to internal devices on LAN1 through the VPN: I am able to authenticate successfully with no issues, but I cannot reach any devices over the VPN. Just an FYI, all my default rules under Policy Control are there and have not been modified. I am trying to figure out what could be missing for the VPN traffic from WAN to LAN1, whether in Policy Route or Policy Control, since all my default rules are there. If I put a blanket firewall rule from WAN to LAN1 then it opens up all external traffic to my internal network (not a good practice). I want VPN traffic from WAN to LAN1 to be able to access all internal devices, and NOT just any external traffic. Thank you.
  • PeterUK

    You say “Before I added that I was able to establish a successful VPN connection and access all my devices on LAN1 over WAN1” so if you disconnect WAN2 does it work?


  • dcgtechnologies, edited August 2022
    PeterUK said:

    You say “Before I added that I was able to establish a successful VPN connection and access all my devices on LAN1 over WAN1” so if you disconnect WAN2 does it work?


    Yes, it worked before, but I am able to establish the connection just fine with no issues; after authentication is successful I am not able to access the devices on the internal network (LAN1) using the VPN connection. Everything works when you are on the internal LAN as expected, but not when using the VPN from another client device externally over the WAN. Let's take the WAN failover out of this. The Policy Control or the Policy Route is blocking the traffic somewhere, as that is what the logs I mentioned in the first post are saying. I hope this makes sense. This is a VPN issue only, and something is blocking the traffic from the VPN side to the LAN1 side.
  • PeterUK

    Saying it worked before, maybe it stopped working before you added WAN2 and you then think it was that. I don't see how adding WAN2 breaks the VPN setup with WAN1, so I just want to make sure that adding WAN2 is the real reason it's not working, only for you to find out that without WAN2 it doesn't work either.


  • PeterUK, edited August 2022
    What VPN setup are you using on the Zywall, Site-to-site or Remote Access (Server Role)? Is the client using the Windows default VPN or ZyWALL SecuExtender?
  • dcgtechnologies
    PeterUK said:

    Saying it worked before, maybe it stopped working before you added WAN2 and you then think it was that. I don't see how adding WAN2 breaks the VPN setup with WAN1, so I just want to make sure that adding WAN2 is the real reason it's not working, only for you to find out that without WAN2 it doesn't work either.


    I took the WAN failover out of it and it isn't working at all now. So I get your point.
  • dcgtechnologies
    PeterUK said:
    What VPN setup are you using on the Zywall, Site-to-site or Remote Access (Server Role)? Is the client using the Windows default VPN or ZyWALL SecuExtender?
    I am using remote access with the Windows client. It sounds like a Policy Control issue that is knocking down the traffic. It is really confusing.
  • PeterUK, edited August 2022

    So that will be L2TP over IPSec? Can you check whether the VPN connection you made in Windows has “Use default gateway on remote network” checked?

    Control Panel\Network and Internet\Network Connections
  • PeterUK, edited August 2022
    Normally you just need a Policy Control rule from IPSec_VPN to LAN1.
