Comments
-
Hi @valerio_vanni, I just tested on my sites to simulate the case. I found that a different setting of the policy route on site B, for the return traffic from C via B to A, will impact the route result. (1) Incoming - interface vti(B-C), src.: SUBNET-C, dst.: SUBNET-A, next-hop: Tunnel A-B. It does not work. (route traces show…
-
Hi @valerio_vanni, it goes to C with SNAT, it comes back to B but then it runs away on the B WAN1 interface instead of going towards tunnel A-B. Are A and B using policy-based IPSec VPN? What's the local/remote policy? If the local/remote of rule A-B doesn't include subnet C, then you need another policy route on B, to…
-
Hi @valerio_vanni, Since the policy-based VPN of the Zyxel firewall only allows one SNAT rule for outbound (B to C), I think maybe try another way: 1. Create a route-based VPN Connection rule for B - C, then you get a VTI interface to C. But you need to use the CLI to modify the local/remote policy from any to the address object B, C…
-
Hi @valerio_vanni, Could it be that the return traffic rule is implicit, and Inbound Destination NAT is only needed for something that starts from the other side? How the firewall handles traffic before sending it out is all based on the session initiated. Once the initial traffic goes out, the SNAT session is created in the session table. And…
-
Hi @Miky, I don't think it can be done. As far as I know, the Zyxel firewall does not support acting as an IPsec client to request an IP address from a VPN server. It supports site-to-site and VPN server only.
-
Hi @Gel, Change the next-hop of this policy route to the new Trunk. Note: you need to enable and setup connectivity check in the primary interface. What valerio_vanni mentioned is also a solution. My preference is to use trunk to set up. It makes the policy route table cleaner. Too many rules often make it difficult for me…
-
Hi @Gel, Just set up a Trunk and set it as default. 1. Create a new Trunk. Set the primary link as active mode and the backup link as passive mode. 2. Select this Trunk as default.
-
I think it is not a good approach to add the IP address into Geo/Country in this case. From the security operation point of view, adding another security policy with an address group object is the right way to fit that. (1) The full rules are more visible on the same security policy page. (2) You can identify firewall logging…
-
Hi @ST1, I found a way to add proxy ARP via CLI. Let's get back to your original setting for the L2TP/IPSec client. VPN client Pool: 192.168.171.50 - 192.168.171.99 SSH to your firewall and use the following CLI to add proxy ARP for the IPs of VPN clients. Router# configure terminal Router(config)# interface lan1…
-
Hi @ST1, If both site-to-site VPN devices are Zyxel firewalls, then create a policy route to enforce the route from the IP of the VPN client to the remote site. Also, on the remote site, create a policy route to enforce remote resources to the IP of VPN clients. Here is an example: Site 1 LAN1: 192.168.171.0/24 VPN Client IP:…
-
Hi @ST1, Change the IP pool for VPN clients to another subnet other than 192.168.171.0/24. The Zyxel firewall IPSec VPN does not support proxy ARP of the VPN client's IP address to the LAN.
-
Hi @EMMEGI, Check the settings of the opt-wan2 interface. Make sure: (1) The type is external. (2) The ZONE is WAN. (3) It has a Gateway setting if the IP address is static.
-
Hi @EMMEGI, 1. Keep the current WAN Trunk setting. 2. Go to Routing > Policy Route and just add a policy route for LAN2 to WAN2.
-
Hi @EMMEGI, To clarify the scenario, is this what you want? LAN1 uses WAN1 by default, if WAN1 is alive. If WAN1 has a problem, then LAN1 can use WAN2 as the backup link. LAN2 uses WAN2 by default, if WAN2 is alive. If WAN2 has a problem, then LAN2 can use WAN1 as the backup link.
-
Hi @LPAPP, Topology: ZyWALL → Duo Proxy → RADIUS Server Here is the example. [radius_client] host=<IP of your RADIUS server> secret=xxxxxxxx port=<RADIUS Auth. port of your RADIUS server. Default is 1812.> pass_through_all=true [radius_server_auto] ikey=******************** skey=****************************************…