Issue with VPN Connecting to Internal Devices from WAN Failover to LAN1
Match default rule, DNAT Packet, DROP [count=2] - 166.x.x.x 192.x.x.x - Access Block
I am doing this from a client device and the Source is the client device IP and the destination is the IP address of the device I want to access. Is there a special setting in the Policy Route that I need to enable to make sure that the VPN can see my internal devices connecting from the client device over the WAN Failover to the LAN1? I hope this helps. If you have any ideas, I would love to get this working ASAP. Thank you.
Accepted Solution
So I fixed it. It turns out that under "VPN Connection", the checkbox next to "Use Policy Route to control dynamic IPSec rules" was checked. I unchecked it and everything started working as usual. That was causing all the traffic to be blocked. Thank you for the help and sorry for the confusion.
All Replies
Sounds like you have many issues... so if WAN2 is not connected, does everything work? I'm guessing not? So it looks like you need a firewall rule to allow from WAN to LAN1.
DNAT Packet is for a NAT Virtual Server, which has nothing to do with a VPN.
You say “Before I added that I was able to establish a successful VPN connection and access all my devices on LAN1 over WAN1”, so if you disconnect WAN2, does it work?
Saying it worked before, maybe it stopped working before you added the WAN2 and then you think it was that. I don't see how adding WAN2 would break the VPN setup with WAN1, so I just want to make sure that adding WAN2 is the real reason it's not working, only for you to find out that without WAN2 it doesn't work.
What VPN setup are you using on the ZyWALL: Site-to-site or Remote Access (Server Role)? Is the client using the Windows default VPN or ZyWALL SecuExtender?
So that will be L2TP over IPSec? Can you check that the VPN you made in Windows has “Use default gateway on remote network” checked?
Control Panel\Network and Internet\Network Connections
Normally you just need a Policy Control rule, like from IPSec_VPN to LAN1.