Routing all internet traffic through a VPN S2S Tunnel

CWoznik
CWoznik Posts: 2
First Comment
edited April 2023 in Security

We have an ATP200 at our main office and want to introduce several UGS Flex 50 for branch office / home office locations. We have set up the VPN tunnels successfully, static routing is working as expected.
However, as the UGS Flex 50 are limited in the protective functionality, we want to route all the internet traffic via the ATP200 and thus the main office.

I thought I should be able to set it up in the policy control, but I just can not figure it out.

Any help would be greatly appreciated.

Best
Christian

Edit:
Ok. Obviously, I should use policy routing. But it still does not work. I followed the article below, but I am unable to reach the internet. Tracert just says connection timeout:

tracert 8.8.8.8

Routenverfolgung zu dns.google [8.8.8.8]
über maximal 30 Hops:

1 1 ms <1 ms <1 ms myrouter.local [192.168.11.1]
2 * * * Zeitüberschreitung der Anforderung.
3 * * * Zeitüberschreitung der Anforderung.
4 * * * Zeitüberschreitung der Anforderung.
5 * * * Zeitüberschreitung der Anforderung.
https://support.zyxel.eu/hc/en-us/articles/360001440613-Policy-Routes-USG-VPN-ATP-Different-scenario-usages-configurations#two

Accepted Solution

  • Zyxel_James
    Zyxel_James Posts: 663  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate 100 Answers
    Answer ✓

    Hello @CWoznik,
    I would give the suggestion like @peterUK
    You need two policies
    One is to route the traffic from the subnet of office/home to the VPN tunnel. (At USG FLEX 50)
    Another is to route the traffic which comes through the VPN tunnel from the subnet of office/home to WAN. (At ATP200)

    On ATP200
    -Site-to-Site VPN
    Local policy: 0.0.0.0/0
    Remote policy: the subnet of office/home
    -Policy Route
    From: remote subnet of office/home
    To: any
    Next-Hop: WAN

    On USG FLEX 50
    -Site-to-Site VPN
    Local policy: the subnet of office/home
    Remote policy: 0.0.0.0/0
    -Policy Route
    From: remote subnet of office/home
    To: any
    Next-Hop: VPN tunnel

All Replies

  • PeterUK
    PeterUK Posts: 3,361  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited April 2023

    Not sure why you need static route?

    A setup one I have done should work for you but speed will be limited going down the tunnel.

    At flex 50 end change the tunnel remote policy to subnet 0.0.0.0/0

    make a routing rule incoming LAN1 next hop VPN Tunnel your tunnel.

    At ATP 200 end change the tunnel local policy to subnet 0.0.0.0/0

    make a routing rule incoming tunnel you tunnel next hop WAN

    You might need to make a rule above this for from LAN1 flex 50 to LAN1 ATP 200 subnet.

    You then also need to make policy control rules

  • CWoznik
    CWoznik Posts: 2
    First Comment

    Ok I am doing something wrong then.

    This is what I have now:
    ATP200 side:

    UGS Flex 50:

    However this still does not allow me to get a working internet connection. Sure I can access the other network, but thats it. Even a ping to 1.1.1.1 fails.

  • PeterUK
    PeterUK Posts: 3,361  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited April 2023

    On ATP you need routing rule

    Incoming tunnel your tunnel

    no need for source/destination

    next hop WAN

    SNAT outgoing-interface

  • Zyxel_James
    Zyxel_James Posts: 663  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate 100 Answers
    Answer ✓

    Hello @CWoznik,
    I would give the suggestion like @peterUK
    You need two policies
    One is to route the traffic from the subnet of office/home to the VPN tunnel. (At USG FLEX 50)
    Another is to route the traffic which comes through the VPN tunnel from the subnet of office/home to WAN. (At ATP200)

    On ATP200
    -Site-to-Site VPN
    Local policy: 0.0.0.0/0
    Remote policy: the subnet of office/home
    -Policy Route
    From: remote subnet of office/home
    To: any
    Next-Hop: WAN

    On USG FLEX 50
    -Site-to-Site VPN
    Local policy: the subnet of office/home
    Remote policy: 0.0.0.0/0
    -Policy Route
    From: remote subnet of office/home
    To: any
    Next-Hop: VPN tunnel

Security Highlight