Firewall drops traffic

Technician0815Technician0815 Member Posts: 3
edited August 6, 2019 8:43PM in ZyWALL VPN Series


I have a problem with a VPN 100 appliance here. It's set up as a VPN endpoint for users, as well as 2 other branch offices.

The VPN is working fine, as far as I can tell, but some computers at the main site get their outgoing traffic dropped by the firewall. This applies only to WAN traffic. LAN is working fine.

The device is set up behind a primary router with the VPN 100 as an exposed host. All devices are in the same subnet 192.168.11.x

WAN is 11.8 with GW 11.1 and LAN is 11.7. The clients use 11.7 as the GW. The physical ports are in LAN1.

The policies look as follows:

By my understanding this should work. Why do some clients get this?

What am I overlooking? Can anyone help?



P.S.: Funny enough, some clients can access the internet after pinging the WAN and LAN IP of the VPN 100. 🤔

All Replies

  • Ian31Ian31 Member Posts: 138  Ally Member

    Hi @Technician0815,

    If you can provide a topology.

    That will help to understand the case.

  • Zyxel_CooldiaZyxel_Cooldia Moderator, Zyxel Offical Agent Posts: 698  mod

    Hi @Technician0815

    Welcome to Zyxel Community. 😎

    It looks like Wan and Lan are in the same IP subnet.

    Can you post your network topology with IP subnet.(You can mask IP if it have public IP)

  • Hello!

    Sorry, I don't have a map ready. All local devices are in the same subnet. The 2 branch offices have different subnets.

    Main Office: 192.168.11.x Branch 1: 192.168.10.x Branch 2: 192.168.12.x

    Main Router (11.1) -> VPN100 WAN (11.8) -> VPN100 LAN1 (11.7) -> Dumb Switch -> Rest of network

    There is no separation, all devices are reachable from any machine. The clients get their IPs from the DHCP in the VPN100. GW for the clients is 11.7, DNS is the server (11.10). The VPN100 is set up as an exposed host in the main router. There's switches, a server and WLAN-APs behind the VPN100. The branch offices are connected via a VPN tunnel and have their own servers.

    Does this help, or do I need to make a map?



  • Ian31Ian31 Member Posts: 138  Ally Member

    Any reason that WAN and LAN need to be in the same IP subnet(11.X/24) ?

    That will be issue if VPN100 is acting as a router.

  • Ease of setup and the main router is running fax services and needs to be reachable from the clients.

    What issues are we talking about?

  • Ian31Ian31 Member Posts: 138  Ally Member
    edited August 12, 2019 1:00PM

    The arp learning of VPN100 will not working as expected.

    I suggest to configure VPN100 like this,

    (1) LAN as network (you can have 125 hosts IP under LAN)

    (2) Configure proxy-arp on wan1 for

    (3) Disable WAN Trunk default SNAT

  • Zyxel_CooldiaZyxel_Cooldia Moderator, Zyxel Offical Agent Posts: 698  mod

    Hi lan31, Thanks for the instruction. the device is running as routing mode.🙂

    Hi @Technician0815 , You can follow lan31's instruction to set up VPN100.

    Feel free to let us know if you have any issue.

  • mMontanamMontana Member Posts: 89  Ally Member
    edited August 13, 2019 5:29PM

    Well... i should change whole WAN1 subnet in any case (main router and VPN100 should be the devices affected

    Clients could still reach the fax server (main server) with appropriate policy rules and a subtle change of the ip address on clients (you could also take the opportunity to migrate from ip address to hostname, easier to manage and change)

Sign In to comment.