Nebula Policy Route malfunction with VPN Orchestrator

Options
GiuseppeR
GiuseppeR Posts: 688 image  Guru Member
Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Engineer Level 1 - Nebula 5 Answers First Comment
edited April 8 in Nebula

Hello everyone,

I went to this section:

immagine.png

to route a pair of specific LAN devices via wan2 internet connection.

I have 2x wans on that site but I need that both of those LAN devices go on the internet ONLY via wan2. No backup via wan1.

The problem is that I have also a VPN (VPN that is working via wan2 only too) on that ORG:

immagine.png

So when those rules are enabled I am NOT able to use internal VPN to reach those devices. Neither ping or smb connection.

In my opinion VPN is an internal LANs connection, so routing policies via wan2 should NOT affect LAN traffic.

How can I solve that?

All Replies

  • Zyxel_Melen
    Zyxel_Melen Posts: 4,687 image  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate

    Hi @GiuseppeR ,

    The issue occurs because your current Policy Routes use "Any" as the destination and the policy route has higher priority than site-to-site VPN in routing flow. Since the VPN subnets are technically "Any" destination, the firewall prioritizes the Policy Route and pushes that traffic out through WAN2 instead of routing it through the VPN tunnel.

    Please allow me to take some time to find the solution for you.

    Zyxel Melen


  • Zyxel_Melen
    Zyxel_Melen Posts: 4,687 image  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate

    Hi @GiuseppeR

    I checked the priority of routing flow can't be modified. It seems like you have some reason for using policy route rather than setup the WAN Load Balancing? May you share the reason and your scenario's detail? With these information, we can help to figure the solution.

    Zyxel Melen


  • GiuseppeR
    GiuseppeR Posts: 688 image  Guru Member
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Engineer Level 1 - Nebula 5 Answers First Comment

    Hi @Zyxel_Melen

    I need to use wan2 for redundant backup and VoIP purposes.

    VoIP PBX is set to be aligned to a specific IP that is working only via wan2, a part from this wan1 is made on a radio ISP connection so it has more latency and instability with bad weather.

    Redundant backup has to go via wan2 because it has to avoid any conflict with traffic usage via wan1. In this scenario I’m sure that wan1 is used for the rest of the ORG traffic, avoiding the backup to use that bandwith too. Using only wan2 could lead to a little bit longer backup, but a smoother working time for the rest of the ORG

Categories

Nebula Tips & Tricks


    Read more

    Nebula Help Center

    EnglishTiếng ViệtРусскийไทย中文(台灣)