Synology VPN

cpg_juraj
cpg_juraj Posts: 19  Freshman Member
First Anniversary 10 Comments
edited April 2021 in Security

Hi.

We have IPSec between two offices with two Zywall USG 100.

  1. zywall 192.168.50.1-245
  2. zywall 192.168.53.1-245

Our Synology is in the .50 network. It also runs a VPN server. When a user connects via Synology VPN, they are able to talk to the .50 network but unable to reach the .53 network. What rule do I need to create, and where, to allow the communication?

Thank you for your help.

Juraj.

All Replies

  • mMontana
    mMontana Posts: 1,298  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer

    You should ask on the Synology forum, IMVHO. This is part of the routing table of your NAS (if available).

    Otherwise you can use L2TP VPN to allow a user to connect only to Synology AND .53 network.

  • LAURAM
    LAURAM Posts: 13  Freshman Member
    First Anniversary 10 Comments Friend Collector First Answer

    If you have a NAS in your topology, check your NAS and Zywall USG100 .50 routing tables first to see if they have a .53 route in them.

    If not, you can add a policy route on both your NAS and Zywall USG .50 routing tables to make the communication succeed.

  • cpg_juraj
    cpg_juraj Posts: 19  Freshman Member
    First Anniversary 10 Comments

    Hello and thank you for taking the time to look into my "issue." I have been working with Zywall for a very short time. I already have some routing created. Is this what you mean? My goal here is to have a user who is in the .53 network connect via Synology VPN from outside and then RDC to his PC.


  • lalaland
    lalaland Posts: 90  Ally Member
    First Anniversary 10 Comments Friend Collector First Answer

    @cpg_juraj What is the PC's IP when it connects to synology by VPN?

  • cpg_juraj
    cpg_juraj Posts: 19  Freshman Member
    First Anniversary 10 Comments

    Synology VPN is set to assign IP addresses in the range 10.0.8.10 - 10.0.8.20. I tried to add a rule to allow traffic from a created object for this specific range to the .53 network. I might be missing something or not doing it correctly.

  • jasailafan
    jasailafan Posts: 189  Master Member
    First Anniversary 10 Comments Friend Collector First Answer

    Your scenario is similar to this FAQ.

    https://businessforum.zyxel.com/discussion/2764/how-to-forward-traffic-to-branch-site-server-after-client-established-vpn-tunnel


    At the site .53 network, create a policy route.

    Incoming: any, Source: any, Destination: 10.0.8.10 - 10.0.8.20, next-hop: VPN tunnel


    At the site .50 network, create a static route.

    Destination IP: 10.0.8.0

    Subnet Mask: <the subnet mask of 10.0.8.10 - 10.0.8.20>

    Next Hop: 192.168.50.x (Synology's IP)

    Create a policy route.

    Incoming: any, Source: any, Destination: 192.168.53.0/24, next-hop: VPN tunnel
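
The reason the .53 site needs its own policy route is that the reply packets must find their way back to the VPN client pool; the forward path alone is not enough. The following is an added example, not part of the reply above or of any Zyxel or Synology software: a small longest-prefix-match routing simulation that traces a packet from a VPN client to a PC at the .53 site and then traces the reply, with and without the two routes the reply describes. The device names, the sample addresses 10.0.8.15 and 192.168.53.20, the default routes toward an "internet" hop, and the choice of 10.0.8.0/27 as the smallest prefix covering the 10.0.8.10 - 10.0.8.20 pool are all assumptions made for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# A route is (destination prefix, next hop). The next hop "deliver" means the prefix is
# directly attached to that device; any other value names the device the packet goes to.
Route = Tuple[ipaddress.IPv4Network, str]
Tables = Dict[str, List[Route]]


def covering_prefix(first: str, last: str) -> ipaddress.IPv4Network:
    """Smallest single prefix containing every address from first to last, inclusive.
    Used to turn a client pool such as 10.0.8.10 - 10.0.8.20 into a routable prefix."""
    a, b = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    for plen in range(32, -1, -1):                      # widen until the last address fits
        net = ipaddress.ip_network(f"{a}/{plen}", strict=False)
        if b in net:
            return net
    raise ValueError("no covering prefix")              # cannot happen for valid IPv4 input


def lookup(table: List[Route], dst: ipaddress.IPv4Address) -> Optional[str]:
    """Longest-prefix match; returns the next hop, or None when the table has no route."""
    best: Optional[Route] = None
    for net, next_hop in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def trace(tables: Tables, start: str, dst: str, max_hops: int = 8) -> List[str]:
    """Forward a packet device by device. The path ends in 'delivered', 'blackhole' or 'loop'."""
    addr = ipaddress.IPv4Address(dst)
    path, device = [start], start
    for _ in range(max_hops):
        next_hop = lookup(tables[device], addr)
        if next_hop is None:
            return path + ["blackhole"]
        if next_hop == "deliver":
            return path + ["delivered"]
        path.append(next_hop)
        device = next_hop
    return path + ["loop"]


def build_tables(static_route_at_50: bool, policy_route_at_53: bool) -> Tables:
    """Routing tables for the three devices in the thread (constructed for this example)."""
    N = ipaddress.ip_network
    vpn_pool = covering_prefix("10.0.8.10", "10.0.8.20")    # 10.0.8.0/27, an assumption
    zywall50: List[Route] = [
        (N("192.168.50.0/24"), "deliver"),                  # head-office LAN
        (N("192.168.53.0/24"), "zywall53"),                 # policy route: next-hop VPN tunnel
        (N("0.0.0.0/0"), "internet"),                       # default route (assumed)
    ]
    if static_route_at_50:
        zywall50.append((vpn_pool, "synology"))             # static route: next-hop Synology
    zywall53: List[Route] = [
        (N("192.168.53.0/24"), "deliver"),                  # branch LAN
        (N("192.168.50.0/24"), "zywall50"),                 # existing site-to-site route
        (N("0.0.0.0/0"), "internet"),                       # default route (assumed)
    ]
    if policy_route_at_53:
        zywall53.append((vpn_pool, "zywall50"))             # policy route: next-hop VPN tunnel
    return {
        "synology": [
            (N("192.168.50.0/24"), "deliver"),              # LAN the NAS sits on
            (vpn_pool, "deliver"),                          # its own VPN clients
            (N("0.0.0.0/0"), "zywall50"),                   # default gateway
        ],
        "zywall50": zywall50,
        "zywall53": zywall53,
        "internet": [],                                     # private addresses die here
    }


def client_reaches_branch(static_route_at_50: bool, policy_route_at_53: bool) -> Tuple[List[str], List[str]]:
    """Trace the forward path (VPN client -> branch PC) and the reply path (branch PC -> client)."""
    tables = build_tables(static_route_at_50, policy_route_at_53)
    client, branch_pc = "10.0.8.15", "192.168.53.20"       # constructed sample addresses
    forward = trace(tables, "synology", branch_pc)         # client traffic enters at the NAS
    reply = trace(tables, "zywall53", client)              # the PC's reply enters at its gateway
    return forward, reply


if __name__ == "__main__":
    for s50, p53 in [(True, True), (True, False), (False, True)]:
        fwd, rep = client_reaches_branch(s50, p53)
        print(f"static@50={s50} policy@53={p53}: forward={fwd} reply={rep}")
```

In every case the forward path succeeds, which is why the problem looks like a one-way firewall rule; it is the reply that is lost. Without the policy route at the .53 site the reply follows the default route out toward the ISP, and without the static route at the .50 site the reply reaches the head office but is then sent to the internet instead of the NAS. The simulation does not model IPsec traffic selectors: on a policy-based tunnel the client pool must also be included in the tunnel's local and remote policy, or the packets are dropped at the tunnel even with the routes in place.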

  • cpg_juraj
    cpg_juraj Posts: 19  Freshman Member
    First Anniversary 10 Comments

    Awesome, that's what I was looking for. I will apply the settings and will post back the results. Thank you.
