FLEX 500H NAT - VPN problem

ZdenekB
edited May 17 in USG FLEX H Series

I created a NAT rule (and the rule works OK):

But now, when I use a VPN connection (Windows VPN client) and try to connect to a web server in my LAN (for example on IP 192.168.0.7), all my web traffic ends up on IP 192.168.100.210. When I turn the NAT rule off, everything works fine.

All Replies

  • Zyxel_Jeff (Zyxel Employee)

    Hi @ZdenekB

    What is the firmware version you are using? What is the VPN client's IP range? Do you have any Policy Route or static route settings? Thanks.


  • ZdenekB

    Hi,
    firmware: V1.20(ABZH.0)

    client IP :

    no policy or static routes

    Thanks

  • PeterUK
    edited May 17

    Slightly different settings, like WAN3 and LAN subnets, but not able to recreate your problem, other than the wrong zone for VPN in the logs, and able to do WAN3 to LAN for VPN traffic.

  • SI_Solutions
    edited May 30

    I ran into this exact problem yesterday.

    If I set up a NAT rule from WAN to LAN, for example for port 443, all 443 traffic through an IPSec tunnel lands there as well:

    Interface: ge1
    Source-IP: any
    External IP: any
    Internal IP: [IP-of-Webserver]
    Port Mapping Type: Service
    External/Internal Service: https

    If we have multiple internal servers that run a service on 443, all traffic through the IPSec VPN tunnel will be redirected to the one set by the NAT rule.

    The IPSec tunnel is assigned to the default IPSec_VPN zone.

    Traffic through the IPSec VPN tunnel might be treated as traffic from ge1 but assigned a different zone, and since NAT rules work on interfaces, not zones, this might be where the issue stems from.

    I just made a workaround by changing the access from the internet to 4433 → forward to 443, since it's not used by the public, only for external access by workers from anywhere.

    If this were something that should be publicly available from anywhere, that would be a bigger issue for us.
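The following is an added example and not code from the thread or from Zyxel. It is a small Python model of NAT rule matching, constructed to illustrate the hypothesis in the post above: if decapsulated IPsec traffic is matched against NAT rules as if it arrived on ge1, and the rule's External IP is "any", a WAN-to-LAN rule for port 443 rewrites every HTTPS flow on that interface, including a VPN client's connection to another LAN host. The three rules are the one from the thread, the poster's port 4433 workaround, and a tighter variant that restricts External IP to the WAN address; whether the device lets you express that third rule, and whether it fixes the symptom, is an assumption to verify, not something the thread confirms. The WAN address, Internet client and VPN client addresses are constructed; the two LAN hosts are the ones named in the thread.

```python
# Added example (not from the thread or Zyxel): a small model of NAT rule
# matching, constructed to show why a WAN-to-LAN rule with External IP "any"
# also rewrites HTTPS traffic that arrives through the IPsec tunnel.
from dataclasses import dataclass, replace
from typing import Dict


@dataclass(frozen=True)
class Packet:
    ingress: str       # interface the packet is matched on
    via_tunnel: bool   # True when the packet was carried inside the IPsec SA
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class NatRule:
    interface: str
    external_ip: str   # "any" or one address
    external_port: int
    internal_ip: str
    internal_port: int


# Addresses: the two LAN hosts are the ones named in the thread; the WAN,
# Internet client and VPN client addresses are constructed for this example.
WEBSERVER = "192.168.100.210"
OTHER_LAN_HOST = "192.168.0.7"
WAN_IP = "203.0.113.10"
INTERNET_CLIENT = "198.51.100.25"
VPN_CLIENT = "10.10.10.5"

# The rule from the thread, the poster's port workaround, and a tighter
# alternative (assumption: the firewall lets External IP be the WAN address
# and that this is enough to exclude tunnel traffic).
BROAD_RULE = NatRule("ge1", "any", 443, WEBSERVER, 443)
PORT_WORKAROUND = NatRule("ge1", "any", 4433, WEBSERVER, 443)
WAN_IP_ONLY = NatRule("ge1", WAN_IP, 443, WEBSERVER, 443)


def apply_nat(rule: NatRule, pkt: Packet) -> Packet:
    """Rewrite the destination if the rule matches.

    Model assumption (the hypothesis in the thread, not documented Zyxel
    behaviour): decapsulated tunnel traffic is matched as if it arrived on
    the tunnel's underlying interface, and the rule looks only at interface,
    external IP and port, so an "any" external IP also matches LAN destinations.
    """
    if pkt.ingress != rule.interface:
        return pkt
    if rule.external_ip != "any" and pkt.dst != rule.external_ip:
        return pkt
    if pkt.dport != rule.external_port:
        return pkt
    return replace(pkt, dst=rule.internal_ip, dport=rule.internal_port)


def simulate(rule: NatRule) -> Dict[str, str]:
    """Return where two flows end up under the rule: an Internet client
    hitting the WAN IP on the rule's external port, and a VPN client hitting
    OTHER_LAN_HOST:443 through the tunnel."""
    from_internet = Packet("ge1", False, INTERNET_CLIENT, WAN_IP, rule.external_port)
    from_vpn = Packet("ge1", True, VPN_CLIENT, OTHER_LAN_HOST, 443)
    return {
        "internet": apply_nat(rule, from_internet).dst,
        "vpn": apply_nat(rule, from_vpn).dst,
    }


def vpn_traffic_hijacked(rule: NatRule) -> bool:
    """True when the VPN flow to OTHER_LAN_HOST is diverted to the web server."""
    return simulate(rule)["vpn"] != OTHER_LAN_HOST


if __name__ == "__main__":
    for name, rule in [("broad", BROAD_RULE),
                       ("port 4433", PORT_WORKAROUND),
                       ("WAN IP only", WAN_IP_ONLY)]:
        print(f"{name:12s} {simulate(rule)}  hijacked={vpn_traffic_hijacked(rule)}")
```

On the real device the equivalent check is simply to connect from a VPN client to a second LAN host on port 443 while the rule is enabled and confirm which server answers; the model only makes explicit which rule fields are doing the matching, so you know which one to tighten.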