Firewall drops traffic

Options
Technician0815
Technician0815 Posts: 3
First Anniversary First Comment
edited April 2021 in Security

Hello!

I have a problem with a VPN 100 appliance here. It's set up as a VPN endpoint for users, as well as 2 other branch offices.

The VPN is working fine, as far as I can tell, but some computers at the main site get their outgoing traffic dropped by the firewall. This applies only to WAN traffic. LAN is working fine.

The device is set up behind a primary router with the VPN 100 as an exposed host. All devices are in the same subnet 192.168.11.x

WAN is 11.8 with GW 11.1 and LAN is 11.7. The clients use 11.7 as the GW. The physical ports are in LAN1.

The policies look as follows:

By my understanding this should work. Why do some clients get this?

What am I overlooking? Can anyone help?

Thanks.


Tech0815

P.S.: Funny enough, some clients can access the internet after pinging the WAN and LAN IP of the VPN 100. 🤔

All Replies

  • Ian31
    Ian31 Posts: 174  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Hi @Technician0815,

    If you can provide a topology.

    That will help to understand the case.

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,462  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Hi @Technician0815

    Welcome to Zyxel Community. 😎

    It looks like Wan and Lan are in the same IP subnet.

    Can you post your network topology with IP subnet.(You can mask IP if it have public IP)

  • Technician0815
    Options

    Hello!

    Sorry, I don't have a map ready. All local devices are in the same subnet. The 2 branch offices have different subnets.

    Main Office: 192.168.11.x Branch 1: 192.168.10.x Branch 2: 192.168.12.x

    Main Router (11.1) -> VPN100 WAN (11.8) -> VPN100 LAN1 (11.7) -> Dumb Switch -> Rest of network

    There is no separation, all devices are reachable from any machine. The clients get their IPs from the DHCP in the VPN100. GW for the clients is 11.7, DNS is the server (11.10). The VPN100 is set up as an exposed host in the main router. There's switches, a server and WLAN-APs behind the VPN100. The branch offices are connected via a VPN tunnel and have their own servers.

    Does this help, or do I need to make a map?

    Thanks

    Tech0815

  • Ian31
    Ian31 Posts: 174  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Any reason that WAN and LAN need to be in the same IP subnet(11.X/24) ?

    That will be issue if VPN100 is acting as a router.

  • Technician0815
    Options

    Ease of setup and the main router is running fax services and needs to be reachable from the clients.

    What issues are we talking about?

  • Ian31
    Ian31 Posts: 174  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited August 2019
    Options

    The arp learning of VPN100 will not working as expected.

    I suggest to configure VPN100 like this,

    (1) LAN as network 192.168.11.128/25 (you can have 125 hosts IP under LAN)

    (2) Configure proxy-arp on wan1 for 192.168.11.128/25

    (3) Disable WAN Trunk default SNAT

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,462  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Hi lan31, Thanks for the instruction. the device is running as routing mode.🙂

    Hi @Technician0815 , You can follow lan31's instruction to set up VPN100.

    Feel free to let us know if you have any issue.

  • mMontana
    mMontana Posts: 1,342  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited August 2019
    Options

    Well... i should change whole WAN1 subnet in any case (main router and VPN100 should be the devices affected

    Clients could still reach the fax server (main server) with appropriate policy rules and a subtle change of the ip address on clients (you could also take the opportunity to migrate from ip address to hostname, easier to manage and change)

Security Highlight