Next Hop: VPN Tunnel Flex 100H
Freshman Member
I am looking to upgrade my home VPNs from Zywall USG 110s to Flex XXXH(P) - I had upgraded one of them this summer - and realized that I could not define a VPN tunnel as a next hop. Zyxel Customer Service then replied to a message that would be a feature supported in the October firmware - it does not seem to exist in the 1.3 release however either. What I am trying to support is this: I have SSIDs (VLANS) in each home that represent a specific country - so SSID.NET would be US, SSID.AT for Austria, SSID.ID for Indonesia and SSID.IN for India. So if you were for example on SSID.AT in a home in the US, the traffic would be routed to a home in Austria and go on the public internet there. Truthfully mainly used for streaming content - but it's sometimes useful for specific country content.
Questions:
1, Did I miss anything in 1.3 (running on a Flex 100H) where that feature has been added.
2, If it has been dropped from 1.3 - when is it coming now?
3, Is there another way to accomplish what I am trying to do
Accepted Solution
-
Hi @amateur_netops ,
As we mentioned above, you can establish a Route-based VPN (VTI) by following the instructions in this article, and then you can see the VPN option in Interface next-hop type.
Here is the screenshot of the H series:
Share your feedback through our survey, make your voice heard, and win a WiFi 7 AP!
0
Zyxel Employee
All Replies
-
Due to changes in the product roadmap, there was no feature enabling VPN tunnels as next-hop with firmware version 1.30 for H series firewalls.
We are still evaluating this feature. When it becomes available, we will make an official announcement in the Firewall News & Releases section. Please follow this section to stay updated on new features and enhancements.
For your scenario, we can suggest following the guide to configure Site-to-Site VPN between ZLD (USG, USG FLEX) and uOS (USG FLEX H) using Route-based VPN.
Please let us know if we can be of any help.
Share your feedback through our survey, make your voice heard, and win a WiFi 7 AP!
0 -
Hmm - disappointing that the feature has not been added as previously stated by Zyxel support - it is the only reason I bought another Flex H for another home.
I don't see how the guide helps me since traffic to the internet will not go through the tunnel.
Here is a simplified scenario:
Site A has two networks - 192.168.100.X and 192.168.101.X
Site B has two networks - 192.168.110.X and 192.168.111.X
Devices on 192.168.100.X and 192.168.110.X need to communicate together - OK - Site to Site deals with that just fine
Devices on 192.168.101.X should use the public internet on Site B
Devices on 192.168.111.X should use the public internet on Site A
A site to site doesn't do much here - in my old configuration - all traffic from 192.168.101.X would be sent to 192.168.110.X - where all traffic from 101.X would go to WAN - and all traffic for 101.X would be forced back into the VPN from 110.X-101.X
How does a site to site without an ability to force traffic there help me?
0 -
Hi @amateur_netops ,
As of now, you can establish a Route-based VPN (VTI) by following the instructions in the article above. Once configured, follow these steps to add policy routes to adapt your requirement.
Site A: LAN = 192.168.101.X/24
Need to create one policy route to force redirect traffic to site B from site A.
src = 192.168.101.X
dst = any
next hop = VPN => Choose Tunnel name
Site B: LAN = 192.168.111.x/24
Need to create two policy routes:
Policy route 1: is for SNAT to Internet when the source is site A subnet 101.X
src=192.168.101.X
dst = any
next hop = WAN1 or WAN2
SNAT = outgoing interface
Policy route 2: is for routing back the subnet 101.x traffic from Internet.
src = any
dst = 192.168.101.X
next hop= VPN => Choose Tunnel name
SNAT => None
Share your feedback through our survey, make your voice heard, and win a WiFi 7 AP!
0 -
But there is no next hop=VPN - that was what I as whining about and was initially told we would get in October.
The options on the Flex are: Auto, Interface, gateway,, gateway-ip and trunk - VPN is not an option
0 -
Hi @amateur_netops ,
As we mentioned above, you can establish a Route-based VPN (VTI) by following the instructions in this article, and then you can see the VPN option in Interface next-hop type.
Here is the screenshot of the H series:
Share your feedback through our survey, make your voice heard, and win a WiFi 7 AP!
0 -
OK - got this to work - thank you. I had to delete the other connections between other subnets on those sites and also manually route them. Then I had to change MTU to 1300 on the WAN port since tracert would work but http or https did not - somewhat odd - and a little slower than I would have expected. But got it working now
0 -
Oh - is there a way to rename those vti-wizzard something things to something more meaningful. Will be a pain to keep track if I have several
0 -
Hi @amateur_netops ,
Under the current uOS design, VTI interface names cannot be modified. However, we have implemented a description field in both the interface and static route configurations that allows users to add custom identifiers for easier reference.
Share your feedback through our survey, make your voice heard, and win a WiFi 7 AP!
0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 144 Nebula Ideas
- 94 Nebula Status and Incidents
- 5.6K Security
- 237 USG FLEX H Series
- 267 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.3K Consumer Product
- 247 Service & License
- 384 News and Release
- 83 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.2K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 71 Security Highlight
