PeterUK  Guru Member

Comments

  • Slightly different setting like WAN3 and LAN subnets, but not able to create your problem other than wrong zone for VPN in logs, and able to do WAN3 to LAN for VPN traffic
  • Yes, make a routing rule with incoming LAN, source address 12.34.56.58, nexthop WAN, SNAT none
  • DNS servers go wrong sometimes. Like for me, I run my own bind DNS and found it didn't forward nebula.zyxel.com IPs to the client; it was getting the answer but not replying to the client. A restart of bind fixed it but I'm not sure why…. Try changing to like 1.1.1.1, 8.8.8.8 or 9.9.9.9
  • Would you need to set DNS Filter too on that rule? You can do top rule block DNS LAN to WAN, then a rule below LAN to WAN DNS Filter and Web Filter and LAN to Zywall DNS Filter
  • Ok I suggest you get another unmanaged switch but other make I'm sure you will run into the same problem
  • Anyone? EE have started to change IP more, which means the session and port change to not make this happen as much, but it's just happened again. My next theory is it's to do with the LAG, whereby a session comes in on one port and is not expected to change to the other port, which causes the bridged LAG not to forward the UDP…
  • The DNS Filter works from LAN to WAN as well as LAN to Zywall; you can choose to block DNS LAN to WAN if you want
  • Yes, you can't use set to Domain Name; it gives you “policy match error” on the VPN client. If you quickly set to a Domain Name and click on the client VPN it works, but that's likely because the changeover was not made; then next connection “policy match error”. Only setting to interface is stable
  • Now I would be curious to know why the routing from computers on 192.168.1.0/24 subnet doesn't work. Because the other end is expecting 10.9.230.145 – 10.9.230.150, when it sees 192.168.1.0/24 it will get to its gateway and not down the tunnel. So we now know 10.9.230.146 works, so with SNAT by the VPN tunnel should work
  • Here are settings that work for my Android 12 that are different to what you have. Local policy IP 0.0.0.0; Phase 1: Encryption AES128, authentication SHA256, DH14; Phase 2: Encryption AES128, authentication SHA256, PFS DH2. For certificate the built-in VPN client may not work; use strongswan VPN client
  • Update: It seems the FLEX H does not like Domain Name, so use IP or interface, but good news is behind NAT when using interface works. If you use Domain Name you run into “policy match error”, so if you want to use a DDNS you have to set to Domain Name, download the setup Configuration, then change back to interface and for Auto…
  • Update: I went back to V1.10(ABWV.0)b9s3 and it tested fine for Domain Name, then booted to V1.20(ABWV.0)ITS-m4447 and now it's fine…. So maybe a reboot was needed and the settings are not updating in the Flex?
  • The interface is external VLAN443 to which you have the interface ping to no-ip.org and bounceme.net which you will fail then allow by other firewall. The way in which the routing ping check is not blocked when you fail interface ping check to interface of other firewall (albeit that's not how my setup works as I NAT ICMP…