SNAT Nebula

Ray00731
Ray00731 Posts: 11
edited March 14 in Nebula

Hello,

I am going to replace the USG60W with a USGFLEX 200 at various sites, and I have a test setup at home that mirrors the conditions of a branch office.

As part of this I would also like to move everything over to Nebula, and I am once again stuck on one thing.

Our merchandise management vendor supplies us with a Fortigate that establishes a VPN tunnel to the server.

Zyxel network (VLAN) - 192.168.99.0
Fortigate IP: 192.168.99.200

Ping, tracert - everything works. After a lengthy analysis with a support engineer from the server provider, he sees my request arrive but gets the message that the client (i.e. me) rejects the data. The support engineer says that it is down to the source NATting.

Indeed, in one branch I have set up a policy route, and now the question is: how do I get that done in Nebula?

Many thanks in advance

Regards

Matthias Lagenstein

All Replies

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,320
     Zyxel Employee

    Hi @Ray00731,

    Please configure the SNAT from outgoing-interface to None in the policy route.

  • Ray00731
    Ray00731 Posts: 11

    Hello,

    Thank you for your answer.

    The configuration on the screen works, so I mustn't change it.

    I am looking for the function in Nebula, because there the connection with the external Fortigate doesn't work.

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,320
     Zyxel Employee

    Hi @Ray00731,

    You can add a static route in Nebula for routing traffic to the Fortigate.

  • Ray00731
    Ray00731 Posts: 11

    Hi @Zyxel_Cooldia

    In the “old” configuration interface I must set the policy & static route. Without the policy route it doesn't work.

    So I must apply the same configuration in Nebula with the SNAT option, and I don't know how.

    When I set a route on the Windows machine via cmd (“route /add….”), it works.

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,320
     Zyxel Employee

    Hi @Ray00731 ,

    Can you provide a brief network topology with the interface IPs marked, for troubleshooting?

  • zyman2008
    zyman2008 Posts: 184
     Master Member
    edited March 9

    Here is what I think the root cause of the issue is.

    Triangle route issue (without SNAT to 192.168.99.1)

    No triangle route (with SNAT)

    So either having the Zyxel firewall allow asymmetric routes or doing SNAT can solve the issue.

  • mMontana
    mMontana Posts: 1,249
     Guru Member

    IMVHO the Fortigate should have the Fritzbox as WAN, and a simple PPTP VPN might be the route between 10.97.0.0/16 and 192.168.99.0/24.

  • Ray00731
    Ray00731 Posts: 11

    Hello,

    Yes, the provider of the server & Fortigate thinks the same: that SNAT is missing. Without Nebula the connection worked. With Nebula it does not. So I think the feature is missing.

    In 4 locations the configuration without Nebula works fine with the policy & static route. The provider of the server & Fortigate will not change his standard config. They use the internal network as the primary gateway for the VPN and the WAN only as backup.

    Greeting
    Matthias

  • mMontana
    mMontana Posts: 1,249
     Guru Member

    I can see some advantages in Nebula, but not enough to consider it the option for managing Zyxel firewalls.
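
A simplified model of the triangle route described in zyman2008's reply, added here as an illustration and not code from any poster or from Zyxel. It assumes the client sits in 192.168.99.0/24 with the Zyxel (192.168.99.1) as its default gateway and that the firewall drops a TCP ACK whose SYN-ACK it never saw; the client address 192.168.99.10 and server address 10.97.0.5 are constructed.

```python
from ipaddress import ip_address as ip, ip_network as net

# 192.168.99.1 / .200 and 10.97.0.0/16 appear in the thread; CLIENT and
# SERVER are constructed sample addresses (assumptions).
ZYXEL, FORTI = ip("192.168.99.1"), ip("192.168.99.200")
CLIENT, SERVER = ip("192.168.99.10"), ip("10.97.0.5")
LAN, REMOTE, DEFAULT = net("192.168.99.0/24"), net("10.97.0.0/16"), net("0.0.0.0/0")

def next_hop(routes, dst):
    """Longest-prefix match; a gateway of None means dst is on-link."""
    _, gateway = max((r for r in routes if dst in r[0]),
                     key=lambda r: r[0].prefixlen)
    return dst if gateway is None else gateway

def send(flag, start, dst, routes, fw, snat, allow_asymmetric):
    """Walk one TCP segment hop by hop; return (delivered, hops)."""
    node, hops = start, [start]
    while True:
        if node == ZYXEL:
            if snat and dst == ZYXEL:
                dst = CLIENT                  # undo the SNAT mapping
            if flag == "ACK" and "SYN-ACK" not in fw and not allow_asymmetric:
                return False, hops            # reply never seen: out of state
            fw.add(flag)
        if node == dst:
            return True, hops
        node = next_hop(routes[node], dst)
        hops.append(node)

def handshake(snat, client_host_route=False, allow_asymmetric=False):
    """Return (result, whether the SYN-ACK passed through the Zyxel)."""
    routes = {
        CLIENT: [(LAN, None), (DEFAULT, ZYXEL)],
        ZYXEL: [(LAN, None), (REMOTE, FORTI)],
        FORTI: [(LAN, None), (REMOTE, SERVER)],   # VPN tunnel modelled as one hop
    }
    if client_host_route:                         # manual route on the PC
        routes[CLIENT].append((REMOTE, FORTI))
    fw = set()                                    # TCP flags the Zyxel has seen
    _, out = send("SYN", CLIENT, SERVER, routes, fw, snat, allow_asymmetric)
    reply_to = ZYXEL if snat and ZYXEL in out else CLIENT
    _, back = send("SYN-ACK", FORTI, reply_to, routes, fw, snat, allow_asymmetric)
    ok, _ = send("ACK", CLIENT, SERVER, routes, fw, snat, allow_asymmetric)
    return ("established" if ok else "dropped at Zyxel"), ZYXEL in back

if __name__ == "__main__":
    for kw in ({"snat": False}, {"snat": True}):
        print(kw, handshake(**kw))
```

Without SNAT the Fortigate answers the client directly on the shared subnet, so the Zyxel only ever sees one direction of the flow; SNAT to 192.168.99.1, a host route on the client, or permitting asymmetric routes each remove that mismatch in this model.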
