SNAT Nebula

Ray00731
Ray00731 Posts: 13
edited March 2023 in Nebula

Hello,

I am going to replace the USG60W with a USGFLEX 200 at several sites, and at home I have a test setup that mirrors the conditions of a branch office.

As part of this I would also like to move everything to Nebula, and I am now stuck on one thing again.

Our merchandise management software vendor supplies us with a Fortigate that establishes a VPN tunnel to the server.

Zyxel network (VLAN) - 192.168.99.0
Fortigate IP: 192.168.99.200

Ping, tracert - everything works. After a lengthy analysis with a support engineer from the server provider, he sees my request coming in but gets the message that the client (that is, me) rejects the data. The support engineer thinks that this is due to source NATting.

Indeed, I have set up a policy route at one branch, and now the question: how do I get this done in Nebula?

Many thanks in advance

Regards

Matthias Lagenstein

Accepted Solution

  • Ray00731
    Ray00731 Posts: 13
    Answer ✓

    Hello,

    I have now installed the Zyxel router with Nebula in our network and the problem is fixed.

    This was the solution:

    Asymmetrical route:
    SSH > Login
    configure terminal
    secure-policy asymmetrical-route activate
    exit
    write
    exit

    Thanks to the mail support!

    Best regards
    Ray00731


All Replies

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,426  Zyxel Employee

    Hi @Ray00731,

    Please change the SNAT setting from outgoing-interface to None in the policy route.

  • Hello,

    thank you for your answer.

    The configuration on the screen works, so I mustn't change it.

    I am looking for the function in Nebula, because there the connection with the external Fortigate doesn't work.

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,426  Zyxel Employee

    Hi @Ray00731,

    You can add a static route in Nebula for routing traffic to the Fortigate.

  • Ray00731
    Ray00731 Posts: 13

    Hi @Zyxel_Cooldia

    In the “old” configuration interface I must set the policy & static route. Without the policy route it doesn't work.

    So I must apply the same configuration in Nebula with the SNAT option, and I don't know how.

    When I set a route on the Windows machine via cmd, “route /add….”, it works.

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,426  Zyxel Employee

    Hi @Ray00731 ,

    Can you provide a brief network topology with the interface IPs marked, for troubleshooting?

  • zyman2008
    zyman2008 Posts: 197  Master Member
    edited March 2023

    Here is what I think is the root cause of the issue.

    Triangle route issue (without SNAT to 192.168.99.1)

    No triangle route (with SNAT)

    So either having the Zyxel firewall allow asymmetric routes or doing SNAT can solve the issue.
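
The triangle route described in this thread, as an added example that is not part of any poster's message: a simplified Python model of a stateful firewall that tracks only the handshake packets passing through it. 192.168.99.1 and 192.168.99.200 come from the thread; the client and server addresses and all class and function names are constructed for illustration, and the state check is a simplification, not Zyxel's implementation.

```python
"""Simplified model of the triangle route discussed in this thread."""
ZYXEL = "192.168.99.1"        # LAN gateway (from the thread)
FORTIGATE = "192.168.99.200"  # VPN gateway on the same LAN (from the thread)
CLIENT = "192.168.99.50"      # constructed sample host
SERVER = "10.97.0.10"         # constructed sample host behind the tunnel

class StatefulFirewall:
    """Tracks only the TCP handshake steps that actually pass through it."""

    def __init__(self, snat=False, allow_asymmetric=False):
        self.snat = snat
        self.allow_asymmetric = allow_asymmetric
        self.seen = {}  # (client, server) -> last handshake flag observed

    def outbound(self, src, dst, flag):
        """Client-to-server packet. Returns forwarded source IP, None if dropped."""
        last = self.seen.get((src, dst))
        in_order = (flag, last) in {("SYN", None), ("ACK", "SYN-ACK")}
        if not in_order and not self.allow_asymmetric:
            return None
        self.seen[(src, dst)] = flag
        return ZYXEL if self.snat else src

    def inbound(self, client, server, flag):
        """Reply packet; reaches the firewall only when addressed to it (SNAT)."""
        self.seen[(client, server)] = flag

def handshake(fw):
    """Walk one TCP handshake from CLIENT to SERVER; return (outcome, path)."""
    src = fw.outbound(CLIENT, SERVER, "SYN")
    path = [f"SYN     {CLIENT} -> {ZYXEL} -> {FORTIGATE} (source {src})"]
    # The Fortigate returns the reply to the source address it saw.
    if src == ZYXEL:
        fw.inbound(CLIENT, SERVER, "SYN-ACK")
        path.append(f"SYN-ACK {FORTIGATE} -> {ZYXEL} -> {CLIENT}")
    else:
        path.append(f"SYN-ACK {FORTIGATE} -> {CLIENT} directly, bypassing {ZYXEL}")
    if fw.outbound(CLIENT, SERVER, "ACK") is None:
        path.append("ACK     dropped: firewall never saw the SYN-ACK")
        return "dropped", path
    path.append("ACK     forwarded")
    return "established", path

if __name__ == "__main__":
    for name, fw in [("no SNAT", StatefulFirewall()),
                     ("SNAT to 192.168.99.1", StatefulFirewall(snat=True)),
                     ("asymmetric route allowed", StatefulFirewall(allow_asymmetric=True))]:
        outcome, path = handshake(fw)
        print(f"{name}: {outcome}", *path, sep="\n  ")
```

In the model, allowing asymmetric routes makes the connection work only because the firewall forwards a packet whose session it could not validate, whereas SNAT keeps both directions inside the firewall's state tracking.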

  • mMontana
    mMontana Posts: 1,298  Guru Member

    IMVHO the Fortigate should have the Fritzbox as WAN, and a simple PPTP VPN might be the route between 10.97.0.0/16 and 192.168.99.0/24.

  • Ray00731
    Ray00731 Posts: 13

    Hello,

    Yes, the provider of the server & Fortigate thinks the same: that SNAT is missing. Without Nebula the connection worked. With Nebula it does not. So I think the feature is missing.

    In 4 locations the configuration without Nebula works fine with policy & static route. The provider of the server & Fortigate will not change his standard config. They use the internal network as primary gateway for VPN and WAN only as backup.

    Greeting
    Matthias

  • mMontana
    mMontana Posts: 1,298  Guru Member

    I can see some advantages in Nebula, but not enough to consider it the option for managing Zyxel firewalls.
