Flex 100H DNS over VPN Tunnel

P4Colin
P4Colin Posts: 30  Freshman Member

We have a new client site set up and are trying to utilize a Flex 100H, but DNS forwarders do not seem to be going over the tunnel the way we have configured these in the past.

For background, we have a Flex 200 on one end and a Flex 100H on the other. We have set up the VPN using both Route (VTI) and Policy based. In both cases, we are able to ping from a device on the 100H side to the DC/DNS Server, and vice versa. However, we are never able to ping from the 100H to the DC/DNS Server. From the Flex 200, I am able to ping a computer over the tunnel without issues.

Ultimately, we would like to be able to set up the Domain Zone Forwarder to go over the VPN tunnel and query where the domain is. When trying to set this up, there is an option to query over the VTI, but not an Auto option like there is under the Global options.

Is there a way to set this up so we do not need to have all DNS traffic sent over the VPN tunnel?

Accepted Solution

  • PeterUK
    PeterUK Posts: 4,146  Guru Member
    edited January 30 Answer ✓

    OK, I think I have found what you have done, so you will need to remove the VTI and everything for the VTI and start over. Not sure if this is a bug or not on FLEX H.

    So when setting up the VTI, DO NOT change the following for Policy, and yes, you MUST start over.

    Screenshot 2025-01-30 014855.png

All Replies

  • p4_greg
    p4_greg Posts: 31  Freshman Member

    To further summarize this, it appears that packets sourced from the 100H router do not get routed over the VPN tunnel.

    Trying to ping an IP on the other side of the tunnel from the 'diagnostics' screen on the 100H fails, and the DNS requests from the DNS forwarder on the 100H do not get sent down the tunnel.

    We have no issues with this on the FLEX series routers.

    Is some other configuration needed to make this work on the H series?

  • Zyxel_Melen
    Zyxel_Melen Posts: 3,990  Guru Member

    Hi @P4Colin & @p4_greg,

    Let me summarize:

    Your topology:

    DNS server —- USG FLEX 200 ===route-based VPN=== USG FLEX 100H

    Your purpose:

    Clients under 100H can resolve domains from your DNS server.

    Your issue:

    DNS packets won't be sent to USG FLEX 200 via the VPN tunnel.

    My question:

    1. In route-based VPN configuration, have you tried to set a policy route rule to let the DNS traffic be sent to the VPN tunnel?
    2. Could you send the configuration of USG FLEX 100H to me via a private message?
    Zyxel Melen


  • PeterUK
    PeterUK Posts: 4,146  Guru Member

    Is this what you want?

    Screenshot 2025-01-29 105302.png
  • P4Colin
    P4Colin Posts: 30  Freshman Member

    @Zyxel_Melen Correction to this - we want to set the DNS server on the client side to the 100H. The 100H has a Domain Zone Forwarder, so it should be able to send only needed DNS queries for this domain over the tunnel to the DNS server. Computers behind the 100H can communicate with the server, communication from the 100H to the server is the issue.

    We have tried a Policy Route, but this did not seem to work and should not be needed as the Static Route should allow this traffic. On non-H series routers, we have used static routes, and this allows the routers to communicate to devices over a VTI without issues.

    image.png

    At this point, we cannot even ping the server from the 100H; we are using the built-in Network Tool to see if pings from the 100H are able to go over the VPN, but this does not seem to work no matter what interface we ping from or Security Policies we put in place. Even tried adding a 'from any - to any' Security Policy with only a destination address of the server across the tunnel, this got 0 hits during testing.

    image.png

    Computers behind the 100H can ping the server, and there are no firewall rules on the server blocking pings.

    @PeterUK This is exactly what we have, and have used on other non-H series routers without issues in prior setups. Not sure why the 100H is not sending this traffic over the VTI.

    image.png
  • PeterUK
    PeterUK Posts: 4,146  Guru Member

    Are the clients' DNS set to the ZyWALL?

    What does nslookup show from a client?

  • P4Colin
    P4Colin Posts: 30  Freshman Member

    Yes, we had the DNS server set to the router. Any nslookups to the domain name just time out.
    Pinging from the 100H's Network Tool page does not get through to the server. Computers are able to ping the server by IP, so the tunnel is working appropriately for clients.

  • PeterUK
    PeterUK Posts: 4,146  Guru Member

    Your ping test is wrong: you set the interface to ge3, it needs to be the VTI.

    Clients need to use the LAN gateway IP for DNS; if they use anything else it will not work.

  • P4Colin
    P4Colin Posts: 30  Freshman Member
    edited January 29

    As stated, it does not matter what I set the interface to, the pings do not succeed:

    image.png

    DNS is set to the router for this interface:

    image.png

    Resolving against the router (in this case 192.168.15.1) does not succeed as the router does not seem to be able to send any traffic over the VTI.

  • PeterUK
    PeterUK Posts: 4,146  Guru Member
    edited January 29

    Testing here seems to be working fine; packet capture on the server.

    Is the 10.22.30.1 subnet in use other than for the VTI?

  • P4Colin
    P4Colin Posts: 30  Freshman Member

    I completely recreated this using a 200H in our office, and cannot get any traffic from the 200H to a Flex 200 router. Note the traffic from computers behind the routers traverses the VPN without issue; the issue only lies with traffic sourced FROM the router. Setup below:

    Remote site LAN - 192.168.2.0/24, VTI IP - 10.20.30.2/30, Static Route sending anything destined for 10.10.1.0/24 to the VTI

    Main site LAN - 10.10.1.0/24, VTI IP - 10.20.30.1/30, Static Route sending anything destined for 192.168.2.0/24 to the VTI

    Both sites have Policy Controls allowing any traffic from LAN to IPSec, IPSec to LAN, and IPSec to ZyWALL.

    When pinging the server from the Remote site router and doing a packet capture, we see traffic trying to go over the VTI:

    image.png

    When capturing traffic on the Main site router during this same time, the capture is empty.

    Any other thoughts on what could be going on here?
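To separate "the static routes are wrong" from "the firewall does not forward its own traffic", it helps to model the two sites' routing tables offline and run the forward and return lookups for a router-sourced ping. The script below is an added example, not Zyxel firmware logic or anything from the posters; it uses the LAN, VTI and static-route addressing P4Colin listed for the 200H / Flex 200 test, and the two WAN (ge3) addresses are constructed placeholders the thread never states. It shows that the posted static routes are symmetric for a ping sourced from the LAN or VTI address, and that the only router-sourced case with no return route at the peer is one sourced from the WAN interface, which is the mistake PeterUK pointed at. It also runs the sanity checks a practitioner would do first: both VTI endpoints in one /30, the VTI subnet not overlapping a LAN, and a static route to the peer LAN via the VTI at each end.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Addressing as P4Colin posted it for the 200H <-> Flex 200 test. The "wan"
# addresses are constructed placeholders (RFC 5737 ranges); the thread never
# states the ge3 addresses.
SITES = {
    "remote": {
        "lan": "192.168.2.1/24",
        "vti": "10.20.30.2/30",
        "wan": "203.0.113.2/24",              # placeholder
        "static": {"10.10.1.0/24": "vti"},    # peer LAN via the VTI
    },
    "main": {
        "lan": "10.10.1.1/24",
        "vti": "10.20.30.1/30",
        "wan": "198.51.100.2/24",             # placeholder
        "static": {"192.168.2.0/24": "vti"},  # peer LAN via the VTI
    },
}


def routing_table(site):
    """Connected interface subnets plus static routes, as (network, iface) pairs."""
    table = [(ip_interface(site[iface]).network, iface) for iface in ("lan", "vti", "wan")]
    table += [(ip_network(prefix), iface) for prefix, iface in site["static"].items()]
    return table


def lookup(site, dst):
    """Longest-prefix match against the site's table; returns egress iface or None."""
    dst = ip_address(dst)
    best = None
    for net, iface in routing_table(site):
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def ping_path(src_site, src_iface, dst_site, dst):
    """Model a router-sourced ping: the source address is the address of the
    interface the ping is sent from. Returns (egress iface at the source site,
    return iface at the destination site); a None return iface means the reply
    has nowhere to go, so the ping times out even if the request arrived."""
    src_ip = ip_interface(SITES[src_site][src_iface]).ip
    return lookup(SITES[src_site], dst), lookup(SITES[dst_site], src_ip)


def config_findings(sites):
    """Sanity checks for a two-site VTI pair. An empty list means consistent."""
    findings = []
    (name_a, a), (name_b, b) = sites.items()
    vti_a, vti_b = ip_interface(a["vti"]), ip_interface(b["vti"])
    # 1. Both tunnel endpoints must sit in the same point-to-point subnet.
    if vti_a.network != vti_b.network:
        findings.append(f"VTI endpoints in different subnets: {vti_a.network} / {vti_b.network}")
    # 2. The VTI subnet must not also be used by a LAN (PeterUK's 10.22.30.1 question).
    for name, site in sites.items():
        lan = ip_interface(site["lan"]).network
        if lan.overlaps(vti_a.network):
            findings.append(f"{name}: LAN {lan} overlaps the VTI subnet {vti_a.network}")
    # 3. Each site needs a route to the peer LAN that points at the VTI.
    for name, peer in ((name_a, name_b), (name_b, name_a)):
        peer_lan = ip_interface(sites[peer]["lan"]).network
        if lookup(sites[name], peer_lan.network_address) != "vti":
            findings.append(f"{name}: no route to {peer_lan} via the VTI")
    return findings


if __name__ == "__main__":
    print("findings:", config_findings(SITES) or "none")
    for iface in ("lan", "vti", "wan"):
        print(f"ping from remote {iface:>3} to 10.10.1.10 ->", ping_path("remote", iface, "main", "10.10.1.10"))
```

With the posted addressing the checks come back clean and both the LAN-sourced and VTI-sourced pings have a route in each direction, so a capture that shows the request leaving the remote VTI but nothing arriving at the main site (the symptom in this post) is not explained by the static routes themselves; it points at what the device does with self-originated traffic, which is what the accepted answer ended up addressing by rebuilding the VTI.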