Strange behaviour on USG Flex 100v2

Xydocq
edited December 9 in Security

Something strange is going on with the DNS settings on my USG Flex 100v2.

When I set the DNS on WAN to my ISP's DNS, one of my computers will not connect to the internet. Well, it will connect but then it won't, so it's back and forth. Sometimes it works, sometimes it doesn't. No other computer is affected by that.

Sadly it's the one computer I use to work on.

When I set the DNS to Google's DNS, everything seems to be working well. At least I haven't noticed any connection loss.

Another strange thing that is happening:

I run my own website on my own server. The server is also located behind the USG Flex. So I used the built-in DNS to point to the internal IP, to allow people on the internal network to access the website too. Well, at first this worked great, but lately something weird is going on. No device is able to connect to the website when using Edge. It works perfectly fine with Firefox. I tried and added a fantasy URL to point to the USG's own internal IP. Guess what? This fantasy URL works perfectly fine on Edge or any other browser. It always leads to the login page of the USG.

So, does anyone have an idea of what could be going on?

cheers

Accepted Solution

  • Zyxel_Judy
    Zyxel_Judy Posts: 1,627  Zyxel Employee
    Answer ✓

    Hi @Xydocq ,

    Thank you for your remote session information.

    As per our private message, on your remote laptop we found that the Edge browser does not follow the system DNS settings.
    It works after disabling this option. (Find the option here: edge://settings/privacy)

    Moreover, we found that your scenario is about "NAT loopback". With the NAT loopback feature you will be able to access the virtual server's WAN address instead of the private address.
    So the solution we applied was to bind the public address instead of "Any", as in Rule 2. NAT loopback won't work with public IP "Any", as in Rule 1.

    All devices can access the website using Microsoft Edge now without needing to disable the DNS option mentioned above manually.

    Judy

    See how you've made an impact in Zyxel Community this year! https://bit.ly/Your2024Moments_Community
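
An added diagnostic sketch (not part of the thread and not Zyxel tooling) for the situation in the accepted answer: it compares what the system resolver returns for a hostname with what a public DNS-over-HTTPS resolver returns, which is what a browser with secure DNS enabled would see. The function names, the use of Google's `dns.google/resolve` JSON endpoint and the sample addresses are assumptions made for this example.

```python
import ipaddress, json, socket, sys
import urllib.parse, urllib.request

# RFC 1918 ranges. ipaddress.is_private is avoided because it also flags
# documentation ranges such as 203.0.113.0/24 (used as the constructed sample).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def system_lookup(host):
    """A records from the OS resolver (sees the firewall's local DNS entry)."""
    try:
        infos = socket.getaddrinfo(host, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({i[4][0] for i in infos})

def doh_lookup(host, endpoint="https://dns.google/resolve"):
    """A records from a public resolver over HTTPS (bypasses local DNS)."""
    url = endpoint + "?" + urllib.parse.urlencode({"name": host, "type": "A"})
    with urllib.request.urlopen(url, timeout=5) as resp:
        answers = json.load(resp).get("Answer", [])
    return sorted(a["data"] for a in answers if a.get("type") == 1)

def classify(system_ips, public_ips):
    """Say which path a LAN client depends on, given both answer sets."""
    if not system_ips:
        return "unresolved"
    sys_int = any(is_internal(ip) for ip in system_ips)
    pub_int = any(is_internal(ip) for ip in public_ips)
    if sys_int and not public_ips:
        return "local-only-name"      # exists only on the local resolver
    if sys_int and not pub_int:
        return "needs-nat-loopback"   # secure-DNS browsers get the WAN address
    if not sys_int:
        return "loopback-for-all"     # every LAN client hits the WAN address
    return "consistent"

if __name__ == "__main__":
    if len(sys.argv) > 1:             # live check: python check.py <hostname>
        host = sys.argv[1]
        print(host, classify(system_lookup(host), doh_lookup(host)))
    else:                             # constructed sample, runs offline
        print(classify(["192.168.1.10"], ["203.0.113.10"]))
```

A result of `needs-nat-loopback` means clients that use the local DNS entry reach the server directly, while clients whose browser resolves over DoH only work if the firewall's NAT loopback rule matches.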

All Replies

  • Zyxel_Judy
    Zyxel_Judy Posts: 1,627  Zyxel Employee

    Hi @Xydocq ,

    Regarding the first issue, it appears that your ISP's DNS service is unstable. We recommend continuing to use a reliable DNS service like Google DNS, as you have already implemented.

    Regarding the second issue, to provide better support, we would like to have WAN access to your firewall to investigate the problem. Instructions for granting WAN access will be sent to your community inbox. Please check your messages.

    Judy


  • Xydocq
    Xydocq Posts: 22  Freshman Member

    Hello @Zyxel_Judy

    I got the message. But we might have a little problem here.

    The instructions are for on-premise, I am using NCC. There's no local settings page here for me.

  • Zyxel_Judy
    Zyxel_Judy Posts: 1,627  Zyxel Employee

    Hi @Xydocq ,

    Since only users on the internal network can access the website from their laptops, we'd like to schedule a remote support session. We've sent you a private message via the Zyxel Community inbox.

    Please respond through the Community inbox directly. Do not reply to system emails from Zyxel.Business_Forum@zyxel.com.tw.

    Judy


  • Xydocq
    Xydocq Posts: 22  Freshman Member
    edited December 13

    Hello @Zyxel_Judy

    Now access to the website from the internet is broken.

    I reversed the settings on the firewall. It is key that the website is accessible from the internet. Local access isn't the main priority. I'll leave the settings on Edge as they are. For the Windows machines, I'll edit the hosts file on each of them. The smartphones will have to disconnect from LAN to access the website.

    I can't say if this is a true Zyxel-problem? Maybe this question can be answered in the future.

    Thank you for the kind support and the time invested.

  • Zyxel_Judy
    Zyxel_Judy Posts: 1,627  Zyxel Employee

    Hi there,

    We noticed that Zyxel Support access is currently disabled in your Nebula settings. To help us troubleshoot and review your configuration, could you please enable Zyxel support access to your site?

    Judy


  • Xydocq
    Xydocq Posts: 22  Freshman Member

    Hi @Zyxel_Judy

    I disabled the support access and I am not going to enable it again in this case.

    I am not sure what information could be helpful to solve the problem now, as I deleted the DNS entry on the USG Flex.

    I tried a different private DNS and it showed the same result.

    The situation as it is, is unpleasant, but it's something I can deal with. My network isn't huge. It only contains 4 Windows computers, one Windows laptop and 3 phones. The workaround with the Windows hosts file works for me.

    The one strange thing to me is that it worked well with other routers I used in the past: D-Link, TP-Link and Meraki Go. On the TP-Link and Meraki Go, I had to use a private DNS server because they didn't offer the option for hairpinning.

    It might be a problem caused by the USG Flex, but more likely it is a problem caused by the browsers and the fact that only HTTPS connections are allowed to access the website. I could be wrong in that belief, but turning off the secure DNS setting on each browser worked and supposedly solved the issue. So who knows?

    Thanks again for the help. It is much appreciated.

  • Zyxel_Judy
    Zyxel_Judy Posts: 1,627  Zyxel Employee

    Hi @Xydocq ,

    Thank you for sharing the detailed information.

    Currently, we can't access your Nebula Org/Site. Please let us know once you enable it again.

    Judy

