FLEX 500H NAT - VPN problem

ZdenekB Posts: 8
First Anniversary First Comment
edited May 17 in USG FLEX H Series

I create NAT rule ( and rule works OK ):

but now when i use VPN conection ( windows vpn client ) and try connect to web in my LAN ( for example on IP ) all my web traffic end on ip When I turn NAT rule off all works fine.

All Replies

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,113  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @ZdenekB

    What is the firmware version you are using? What is the VPN client's IP range? Do you have any Policy Route or static route settings? Thanks.

  • ZdenekB
    ZdenekB Posts: 8
    First Anniversary First Comment

    firmware: V1.20(ABZH.0)

    client IP :

    no policy or static route


  • PeterUK
    PeterUK Posts: 2,906  Guru Member
    Community MVP First Anniversary 10 Comments Friend Collector
    edited May 17

    Slightly different setting like WAN3 and LAN subnets but not able to create your problem other then wrong zone for VPN in logs and able to do WAN3 to LAN for VPN traffic

  • SI_Solutions
    SI_Solutions Posts: 6
    First Anniversary First Comment
    edited May 30

    I ran into this exact Problem yesterday.

    If i set up a NAT-Rule from WAN to LAN, for Example for Port 443, all 443 Traffic trough an IPSec Tunnel lands there as well

    Interface: ge1
    Source-IP: any
    External IP: any
    Internal IP: [IP-of-Webserver]
    Port Mapping Type: Service
    External/Internal Service: https

    If we have multiple internal Servers that run a service on 443, All traffic trough the IPSec-VPN Tunnel will be redirected to the one set by the NAT Rule

    The IPSec Tunnel is assigned to the default IPSec_VPN Zone

    Traffic trough the IPSEC VPN Tunnel might be treated as traffic from ge1, but assigned a different Zone, and since NAT Rules work on interfaces, not Zones this might be where the issue stems from.

    I just made a workaround by changing the access from the internet to 4433 → forward to 443 since it's not used by the public, only for external access by workers from anywhere

    If this was something that should be publicly available from anywhere, that would be a bigger issue for us.