USG110 - SSL VPN over OPT Interface

mipa Posts: 1
edited April 2021 in Security

Hi.

We actually have two Internet lines, connected to WAN1 and WAN2, and a WAN trunk with WRR.

Now I would like to configure a third Internet line, connected to the OPT interface, that is reserved for SSL VPN traffic. The SSL VPN should be configured in a way that all the client traffic goes through the VPN tunnel, so Internet traffic incoming through SSL VPN -> OPT should then be routed over WAN1/2.

I was not able to set up this configuration without adding the OPT interface to the WAN group and so to the WAN trunk, but this is not the right solution for us because we have external services bound to the public IP addresses of WAN1/2.

Any solution to this?

Accepted Solution

  • Zyxel_Cooldia Posts: 1,426  Zyxel Employee
    Answer ✓

    Hi @mipa

    Welcome to Zyxel Community.

    In this scenario, you can set it up as below:

    1) Create a customized trunk with the wan1 and wan2 interfaces.

    “CONFIGURATION > Network > Interface > Trunk”

    2) Leave the default trunk as SYSTEM_DEFAULT_WAN_TRUNK.

    “CONFIGURATION > Network > Interface > Trunk > Default WAN Trunk”

    3) Create a policy route for routing SSL VPN tunnel traffic to wan2/1.

    “CONFIGURATION > Network > routing > Policy Route”

    Incoming = SSL VPN

    Next-Hop type = interface

    Interface = wan2

    4) Create a policy route for LAN-to-WAN traffic; the next hop is the trunk (wan1 and wan2 only, without opt).

    “CONFIGURATION > Network > routing > Policy Route”

    Incoming = Interface

    Member = lan1

    Next hop type = trunk

    Select the trunk you created in step 1.

    After completing the settings above, opt is for the SSL VPN connection, and it will route to the Internet via interface WAN 2. For intranet hosts, outgoing traffic only goes to the customized trunk (cus_trunk), wan 1 and wan 2.
