zyman2008 · Master Member

Comments

  • Hi @valerio_vanni, I just tested on my sites to simulate the case. I found that a different setting of the policy route on site B, for the return traffic from C via B to A, will affect the route result. (1) Incoming: interface vti(B-C), src.: SUBNET-C, dst.: SUBNET-A, next-hop: Tunnel A-B. It does not work. (route traces show…
    Section: Source NAT through vpn tunnels Comment by zyman2008 08:43
  • Hi @valerio_vanni, it goes to C with SNAT, it comes back to B but then it runs away on B's WAN1 interface instead of going towards tunnel A-B. Are A and B using a policy-based IPsec VPN? What is the local/remote policy? If the local/remote of rule A-B doesn't include subnet C, then you need another policy route on B, to…
    Section: Source NAT through vpn tunnels Comment by zyman2008 21 Dec
  • Hi @valerio_vanni, since the policy-based VPN of the Zyxel firewall only allows one SNAT rule for outbound (B to C), I think maybe try another way: 1. Create a route-based VPN connection rule for B-C, then you get a VTI interface to C. But you need to use the CLI to modify the local/remote policy from any to the address objects B, C…
    Section: Source NAT through vpn tunnels Comment by zyman2008 20 Dec
  • Hi @valerio_vanni, "Could it be that the return traffic rule is implicit, and Inbound Destination NAT is only needed for something that starts from the other side?" The firewall handles traffic before sending it out entirely based on the session that was initiated. Once the initial traffic goes out, the SNAT session is created in the session table. And…
    Section: Destination NAT on VPN Comment by zyman2008 19 Dec
  • Hi @Miky, I don't think it can be done. As far as I know, the Zyxel firewall does not support acting as an IPsec client that requests an IP address from a VPN server. It supports site-to-site and VPN server only.
    Section: ATP-100 Surfshark VPN Comment by zyman2008 23 Oct
  • Hi @Gel, change the next-hop of this policy route to the new Trunk. Note: you need to enable and set up a connectivity check on the primary interface. What valerio_vanni mentioned is also a solution. My preference is to use a trunk to set it up. It makes the policy route table cleaner. Too many rules often make it difficult for me…
    Section: Trunk configuration Comment by zyman2008 19 Oct
  • Hi @Gel, just set up a Trunk and set it as default. 1. Create a new Trunk. Set the primary link as active mode and the backup link as passive mode. 2. Select this Trunk as default.
    Section: Trunk configuration Comment by zyman2008 18 Oct
  • I don't think it is a good approach to add the IP address into Geo/Country in this case, from the security operation point of view. Adding another security policy with an address group object is the right way to fit that. (1) The full set of rules is more visible on the same security policy page. (2) You can identify firewall logging…
    Section: Whitelisted IPs Comment by zyman2008 27 Sep
  • Hi @ST1, I found a way to add proxy ARP via the CLI. Let's get back to your original setting for the L2TP/IPsec client. VPN client pool: 192.168.171.50 - 192.168.171.99. SSH to your firewall and use the following CLI to add proxy ARP for the IPs of the VPN clients. Router# configure terminal Router(config)# interface lan1…
  • Hi @ST1, if both site-to-site VPN devices are Zyxel firewalls, then create a policy route to enforce the route from the IPs of the VPN clients to the remote site. Also, on the remote site create a policy route to enforce the route from the remote resources to the IPs of the VPN clients. Here is an example: Site 1 LAN1: 192.168.171.0/24 VPN Client IP:…
  • Hi @ST1, change the IP pool for the VPN clients to a subnet other than 192.168.171.0/24. Zyxel firewall IPsec VPN does not support proxy ARP of the VPN clients' IP addresses onto the LAN.
  • Hi @EMMEGI, check the settings of the opt-wan2 interface. Make sure: (1) the type is external, (2) the zone is WAN, (3) a gateway is set if the IP address is static.
    Section: Routing LAN1 to WAN1 LAN2 to WAN2 Comment by zyman2008 5 Aug
  • Hi @EMMEGI, 1. Keep the current WAN Trunk setting. 2. Go to Routing > Policy Route and just add a policy route for LAN2 to WAN2.
    Section: Routing LAN1 to WAN1 LAN2 to WAN2 Comment by zyman2008 2 Aug
  • Hi @EMMEGI, to clarify the scenario, is this what you want? LAN1 uses WAN1 by default if WAN1 is alive. If WAN1 has a problem, then LAN1 can use WAN2 as a backup link. LAN2 uses WAN2 by default if WAN2 is alive. If WAN2 has a problem, then LAN2 can use WAN1 as a backup link.
    Section: Routing LAN1 to WAN1 LAN2 to WAN2 Comment by zyman2008 2 Aug
  • Hi @LPAPP, Topology: ZyWALL → Duo Proxy → RADIUS Server. Here is the example.
    [radius_client]
    host=<IP of your RADIUS server>
    secret=xxxxxxxx
    port=<RADIUS Auth. port of your RADIUS server. Default is 1812.>
    pass_through_all=true
    [radius_server_auto]
    ikey=********************
    skey=****************************************…
    Section: Cisco DUO for 2FA Comment by zyman2008 17 Jul
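A fuller Duo Authentication Proxy configuration for the topology outlined in the comment above (ZyWALL → Duo Proxy → RADIUS Server), added here as an example and not taken from zyman2008's post. All addresses, shared secrets and the Duo API host are placeholders; `radius_ip_1` is assumed to be the ZyWALL's address as seen by the proxy, and both `port` values are assumptions that simply match the RADIUS default.

```ini
; authproxy.cfg (added example; every value is a placeholder)

[radius_client]
; Upstream RADIUS server that performs the primary (password) check.
host=10.0.0.20
secret=primary-radius-shared-secret
port=1812
; Forward every attribute the upstream server returns in its Access-Accept,
; e.g. the group attribute the ZyWALL uses for user-group mapping.
; Without this only the bare accept/reject reaches the ZyWALL.
pass_through_all=true

[radius_server_auto]
; Integration credentials of the Duo "RADIUS" application (Duo Admin Panel).
ikey=DIXXXXXXXXXXXXXXXXXX
skey=placeholder-secret-key
api_host=api-XXXXXXXX.duosecurity.com
; The ZyWALL: its source address and the shared secret entered in its
; AAA server (RADIUS) entry. Add radius_ip_2/radius_secret_2 for a second firewall.
radius_ip_1=10.0.0.1
radius_secret_1=zywall-to-proxy-shared-secret
; Hand the primary authentication to the [radius_client] section above.
client=radius_client
; Port the proxy listens on; the ZyWALL's AAA entry must point at this port.
port=1812
; "safe" lets users in when Duo is unreachable, "secure" denies them.
; Use "secure" when this RADIUS source protects administrative access.
failmode=secure
```

The ZyWALL's RADIUS server entry points at the proxy host and `port` from `[radius_server_auto]` with `radius_secret_1`, never at the primary RADIUS server directly; the primary server in turn must list the proxy's address as a RADIUS client with the `[radius_client]` secret, otherwise the first factor fails before Duo is ever contacted.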