Barry_Was

@caiway.nl

USG in DMZ, ping ok, but no other traffic

Hi All,

Until recently I had my ZyWALL as router and all was fine.
The IPsec tunnel worked for about a year without fail.

Because I got a fast internet connection (150 Mbit) the ZyWALL USG 100 became a bottleneck, and I placed a new router in front of the ZyWALL.

It's an Asus RT-N66U, where I placed the ZyWALL in the DMZ.

The tunnel comes up and I can ping, but I cannot connect to the remote router's NAS etc.

Since I changed nothing on the VPN configuration this is OK.
But since I can ping I am not sure what routing is missing.

Local network:

Asus router: 192.168.1.254 / 255.255.255.0
DMZ -> 192.168.1.249

ZyWALL USG 100:

LAN: 192.168.1.1 / 255.255.255.0, gateway 192.168.1.254
WAN: 192.168.1.249 / 255.255.255.0, gateway 192.168.1.254

Remote network:

192.168.2.254 (ZyWALL 5) / 255.255.255.0

I currently cannot check what is possible on the other side.

What could cause this problem?

Thanks!

Barry



Brano

Because you've added the Asus router, the ZyWALL is behind NAT (and does not have a public IP).
Make sure on the ZyWALL you have NAT-T (NAT Traversal) open in the firewall and configured in the VPN Gateway rules.

In addition, the Asus LAN and the ZyWALL LAN can't be the same. From what you've posted both seem to be 192.168.1.0/24. Renumber the Asus LAN to something that's not used on the primary or remote side, e.g. 192.168.254.0/24.

On the Asus make sure you have VPN pass-through enabled (since the ZyWALL is in the DMZ you don't need to forward ports, I guess, as DMZ really means default forwarding host).



Barry_Was

@caiway.nl

Thank you for your reply!

NAT-T I have in my VPN and in my firewall.
Yes, the DMZ means direct forwarding.

I have configured the local SN in the VPN as 192.168.1.0/24 and 192.168.2.0/24 as the remote SN.

You're correct, the WAN and LAN are in the same subnet now.

If I change the LAN (Asus and ZyWALL) to 192.168.0.0/24, how can I handle the routing, since I have 192.168.1.0/24 configured in the VPN?

I hope you can help me.

thanks!

Barry



Brano

Change only the Asus LAN. Each subnet must be unique; you don't want to have any two subnets the same.
You could change the ZyWALL LAN and keep the Asus LAN, but that would require changes to your local and remote VPN policies, so changing the Asus LAN is a much simpler solution.

As for routing, policy routes are the answer.
Manual and support notes here »ftp://ftp.zyxel.com/ZYWALL_USG_100/

...post back if you run into issues.



Barry_was

@caiway.nl

Thanks again for your help.

I am still struggling to get it working.
I have changed the Asus LAN to 192.168.0.0/24 as you suggested.

So now on the ZyWALL:
Site 1
LAN: 192.168.1.1/24
WAN: 192.168.0.249

Site 2
192.168.2.0/24

On the Asus:
LAN: 192.168.0.0/24
DMZ: 192.168.0.248

The VPN is up and functional as long as I have an IP in the 192.168.1.0/24 range.

I added a route on the Asus:

192.168.2.0/24 -> 192.168.1.1

It seems to me this needs to be done, however the Asus cannot reach this IP.
I checked this with tracert and I can see it goes out the WAN port.

How can I solve this?

How should the cabling be? I have plugged one cable from my Asus network into the WAN port of the ZyWALL.
Should I connect another to the LAN ports of the ZyWALL, but then with the 192.168.1.0/24 subnet?

Then I can add a policy route from the ZyWALL through the tunnel.
Now the traffic from my LAN does not end up on the ZyWALL.

I hope you can help me!

Thanks

Barry



Anav

Well, you have the ZyXEL on .249 for the WAN port, but the Asus DMZ is .248. Were they not supposed to be the same?



Brano
reply to Barry_was

I'm pretty sure you have to add a route on the Asus to direct your VPN traffic through the USG.



Barry_Was

@caiway.nl

Thank you for your help.

Although I must be close, I still have problems getting it working correctly.

After changing the subnet on the Asus the ping stopped working.

ZyWALL:
WAN: 192.168.0.249/24
LAN: 192.168.1.1/24
And a policy route:
incoming: Any, source: Asus SN -> destination: remote SN -> next hop: IPsec VPN

I checked the firewall log and it is empty.

Asus (my local LAN):
WAN: (external IP)
LAN: 192.168.0.0/24
DMZ: 192.168.0.249

Static route:
192.168.2.0/24 -> 192.168.1.249

When I do a tracert 192.168.2.254 (the remote router) I get this:

1 2 ms 1 ms 1 ms 192.168.0.254
2 2 ms 1 ms 1 ms 192.168.0.249
3 * * * Request timed out.

So the Asus is doing the static route, and since the VPN is up the DMZ is OK as well.

For me it is not clear whether the WAN port of the ZyWALL can route the traffic into the tunnel.
The policy route I made is not working.
From my LAN network on the Asus I cannot reach the LAN network on the ZyWALL, so I need to point to the WAN port on the Asus.

At this moment there is only one cable connected to the ZyWALL (the WAN cable).

I hope you can help me.

Thanks!

Barry
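The three things this thread turns on (whether the LAN subnets overlap, where the Asus actually sends a packet for 192.168.2.0/24 when the static route's next hop is not on-link, and whether a packet from the Asus LAN is even covered by the tunnel's phase-2 selectors) can be checked with a small model. This is an added example written for this page, not code from the thread or from ZyXEL or Asus. The LAN, DMZ and VPN subnet values are the ones posted above; the Asus WAN address (203.0.113.10/24) and its upstream gateway (203.0.113.1) are constructed placeholders from the RFC 5737 documentation range, and the single default route is an assumed simplification of the Asus routing table.

```python
# Added example (not from the thread): model the Asus/ZyWALL topology with the
# standard-library ipaddress module. LAN/VPN addresses are the ones posted;
# the Asus WAN address and upstream gateway are constructed placeholders.
from ipaddress import ip_address, ip_interface, ip_network

# (1) Subnets that must be distinct because they are routed across the tunnel.
LANS_ORIGINAL = {"asus_lan": "192.168.1.0/24", "zywall_lan": "192.168.1.0/24",
                 "remote_lan": "192.168.2.0/24"}
LANS_RENUMBERED = {"asus_lan": "192.168.0.0/24", "zywall_lan": "192.168.1.0/24",
                   "remote_lan": "192.168.2.0/24"}

# (2) Asus after renumbering. The WAN side is a constructed placeholder.
ASUS_CONNECTED = {"asus_lan": "192.168.0.254/24", "asus_wan": "203.0.113.10/24"}
ASUS_ROUTES = [("0.0.0.0/0", "203.0.113.1")]          # assumed default route

# (3) Phase-2 selectors as configured on the USG (local SN / remote SN).
VPN_POLICY = {"local": "192.168.1.0/24", "remote": "192.168.2.0/24"}


def overlapping_subnets(lans):
    """Return every pair of named subnets that overlap; an empty list is the goal."""
    nets = [(name, ip_network(cidr)) for name, cidr in lans.items()]
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]


def resolve(routes, connected, dst, _depth=0):
    """Longest-prefix match for dst, then resolve the gateway to an egress port.

    Returns (matched_prefix, gateway, egress_iface, gateway_on_link).
    A gateway that is not on any connected subnet is itself looked up in the
    table, which is why a route via an unreachable next hop silently follows
    the default route out of the WAN port.
    """
    if _depth > 2:                      # guard against gateway loops
        return None
    dst = ip_address(dst)
    for iface, addr in connected.items():
        net = ip_interface(addr).network
        if dst in net:                  # directly connected: no gateway needed
            return (str(net), None, iface, True)
    matches = [(ip_network(p), gw) for p, gw in routes if dst in ip_network(p)]
    if not matches:
        return None
    prefix, gw = max(matches, key=lambda m: m[0].prefixlen)
    via = resolve(routes, connected, gw, _depth + 1)
    if via is None:
        return None
    return (str(prefix), gw, via[2], via[1] is None)


def selector_matches(policy, src, dst):
    """True if a src->dst packet is covered by the tunnel's phase-2 selectors."""
    return (ip_address(src) in ip_network(policy["local"])
            and ip_address(dst) in ip_network(policy["remote"]))


def asus_route_for_remote_lan(next_hop):
    """Where the Asus sends traffic for the remote LAN with the given static route."""
    static = ("192.168.2.0/24", next_hop)
    return resolve(ASUS_ROUTES + [static], ASUS_CONNECTED, "192.168.2.254")


if __name__ == "__main__":
    print("overlap before renumbering:", overlapping_subnets(LANS_ORIGINAL))
    print("overlap after renumbering: ", overlapping_subnets(LANS_RENUMBERED))
    # The route from the thread: next hop is the USG LAN address, not on-link.
    print("via 192.168.1.1:  ", asus_route_for_remote_lan("192.168.1.1"))
    # Next hop is the USG WAN address on the Asus LAN: on-link, egress is LAN.
    print("via 192.168.0.249:", asus_route_for_remote_lan("192.168.0.249"))
    # Even once the packet reaches the USG, a 192.168.0.x source is outside
    # the phase-2 selectors and will not be sent into the tunnel.
    for src in ("192.168.0.10", "192.168.1.10"):
        print(src, "-> 192.168.2.254 in selectors:",
              selector_matches(VPN_POLICY, src, "192.168.2.254"))
```

The first route reproduces the tracert observation: a next hop of 192.168.1.1 is not on any Asus-connected subnet once the Asus LAN is 192.168.0.0/24, so the lookup falls through to the default route and leaves via the WAN port. Pointing the route at the USG WAN address on the Asus LAN (192.168.0.249) is on-link and reaches the USG, which matches hop 2 in the trace. The selector check is the caveat for the "change only the Asus LAN" approach: an IPsec SA only carries traffic inside its negotiated local/remote selectors, so a packet sourced from 192.168.0.x is not sent into a tunnel whose local subnet is 192.168.1.0/24 unless the VPN policy on both ends is widened to include it.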



Brano

Hmm, I just realized that you actually won't be able to accomplish what you need with the current setup (I didn't pay close attention to the one-cable remark).

What you need is to create a separate LAN on the Asus that is going to be used as the USG WAN (now you just have a DMZ host on one LAN).

- create a new LAN1 on the Asus and connect it to the WAN on the USG
- connect the original Asus LAN to the USG LAN with an additional cable (use the same subnet on the USG LAN as the Asus LAN)

---
On a separate topic, you're saying that you have a 150 Mbps connection; the USG 100 should be able to handle 110 Mbps throughput ... is all this trouble worth it for you? Perhaps just leaving the USG 100 only would be much easier to manage. ... just a thought



Barry_Was

@caiway.nl

Thank you for your help.

I have returned to the ZyWALL as the router.
However, the specs you give are optimistic.
I get 60 Mbit down and only 40 up (wired) on the WAN port.

It's a shame to lose 90 Mbit (even though I never really need it).



Brano

I was going by the specs; for the USG 100 ZyXEL is saying 225 Mbps firewall throughput (half one way is 110 Mbps), specs here »USG series FW 3.00 Comparison

I have a USG 200 and when I did the speed test the FW throughput was not that bad, see »USG200 speed tests #3
Mind you, this was on the 2.x FW revision; the 3.x should be better (the specs in the first link are from the FW 3.0 datasheets).