USG60. No access to one device in local network via VPN
Hello,
My current configuration:
WAN1 x.x.x.x on port P1
WAN2 y.y.y.y on port P2
LAN1 192.168.1.0/24 on P3, P4, P5 ports.
I have a telephone exchange on 192.168.1.10 and a VoIP card in this device on 192.168.1.11. I created a group called "Grupa_centrala" with those two addresses.
I also created two trunks:
WAN1_Trunk - WAN1 active, WAN2 passive.
WAN2_Trunk - WAN2 passive, WAN2 active.
WAN2_Trunk is as "user configured Trunk".
In Policy Route I have one rule:
user: any
schedule: none
any (Excluding ZyWall)
source: Grupa_centrala
destination: any
dscp code: any
service: any
source port: any
Next-hop: WAN1_Trunk
dscp marking: preserve
SNAT: outgoing-interface
This rule makes all 'telephone traffic' go out via WAN1, and all other traffic go out via WAN2. And this works.
I have also configured SSL_VPN:
name: SSL_VPN
zone: SSL_VPN
user/group: VPN_users (with two users)
enable network extension (full tunnel mode): yes/active
assign ip pool: VPN_range (192.168.200.100-120)
DNS: ZyWALL (192.168.200.1)
network list: LAN1_SUBNET
SecuExtender connects perfectly. I get a correct IP (from VPN_Range). But I cannot access the telephone exchange via VPN (192.168.1.10 and 192.168.1.11). I can access other devices from the local network (192.168.1.0/24). But those two unfortunately not... When I disable the one rule in Policy Routing, it works.
How should this rule look? I tried a lot of configurations but without any effect...
Could you help me?
Comments
Do you enable the option "Use IPv4 Policy Route to Override Direct Route" on policy route page ?
Disable it.
Hello,
I have disabled "Use IPv4 Policy Route to Override Direct Route" and my problem was fixed... I didn't try it before. So... Problem was solved. Thank you lan31!
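To show why the suggested setting matters, here is an added model (not Zyxel code, not from this thread) of the forwarding decision on the poster's USG60. It assumes, as lan31's comment implies, that with "Use IPv4 Policy Route to Override Direct Route" enabled the policy route is consulted before connected and VPN routes, and that with it disabled those routes win; the VPN client pool is modelled as 192.168.200.0/24 and the client address 192.168.200.105 is constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the thread's setup (addresses from the post).
GRUPA_CENTRALA = {ip_address("192.168.1.10"), ip_address("192.168.1.11")}
DIRECT_ROUTES = {  # connected LAN1 and the SSL VPN client pool (assumed /24)
    ip_network("192.168.1.0/24"): "LAN1",
    ip_network("192.168.200.0/24"): "SSL_VPN",
}
# The single policy route: source Grupa_centrala, destination any -> WAN1_Trunk
POLICY_ROUTE = {"source": GRUPA_CENTRALA, "next_hop": "WAN1_Trunk"}
DEFAULT_ROUTE = "WAN2_Trunk"  # everything else leaves via WAN2


def direct_route(dst):
    """Interface for a destination on a connected/VPN network, else None."""
    for net, iface in DIRECT_ROUTES.items():
        if dst in net:
            return iface
    return None


def policy_route(src):
    """Next hop from the policy route if the source matches, else None."""
    if src in POLICY_ROUTE["source"]:
        return POLICY_ROUTE["next_hop"]
    return None


def next_hop(src, dst, override_direct):
    """Assumed precedence: policy route first only when the override is on."""
    src, dst = ip_address(src), ip_address(dst)
    lookups = [lambda: policy_route(src), lambda: direct_route(dst)]
    if not override_direct:
        lookups.reverse()  # direct routes beat the policy route
    for lookup in lookups:
        hop = lookup()
        if hop:
            return hop
    return DEFAULT_ROUTE


def vpn_reply_reachable(override_direct):
    """Does the PBX's reply to a SecuExtender client go back into the tunnel?"""
    return next_hop("192.168.1.10", "192.168.200.105", override_direct) == "SSL_VPN"
```

With the override enabled, the PBX's replies to the VPN client match the "destination: any" rule and are pushed out WAN1, which is the symptom in the post; with it disabled the reply follows the VPN route while Internet-bound PBX traffic still uses WAN1.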