nerdbomber

join:2013-06-30

ZyWall 192.168.1.1 access from vpn

Ok, so I have searched high and low, and if I am posting a redundant topic, I apologize; however I have seen nothing that solves my issue in the many posts I have gone through.

Thank you everyone for working so hard to make this forum such a great go-to place!

Here is my issue: I have L2TP IPSEC working from a Windows 7 remote client to the ZyWall. The address pool is working, DNS is working, WINS is working, and I can connect to all of my internal resources via DNS name and local IP (servers, file shares, etc.). However, when I try to connect to my ZyWall via 192.168.1.1 (from another wifi network), it brings up that local router's web configuration login. It seems that it is resolving that IP to whatever network my laptop is currently connected to. If I do an nslookup for the IP, it shows it on my internal network going through my DNS server.

I am sure this is something simple, and probably a routing/firewall rule. I have configured my L2TP as Brano so kindly laid out for us, and I can access the configuration page from my WAN IP, so that part works.

The reason I am saying anything is because I would really like to close that hole and not allow WAN access to the ZyWall, but instead do it either from inside my network, or from VPN when I am away.

I would appreciate any help if someone else has come across this issue.

Thank you all!


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:11

Check the screenshots here and compare to yours: »Re: USG 200 No Internet over L2TP VPN
And this »Secure your USG - quick how-to (mainly #5)

nerdbomber

join:2013-06-30
I will take a look, and report back. I'm flying out of town today, so it may be a few days. Thank you!

nerdbomber

join:2013-06-30
My Firewall Configuration
My Routing Configuration
Ok, so I am back from vacation, and have caught up on other tasks. I did look at my configuration, and I believe my firewall is set up accordingly. The only thing I see with your routing that may apply to me is #8; however I am not sure what your next hop is configured to for that route?

I am attaching snips of my firewall and routing. The routing is configured based on other posts I have seen, including another one of your how-tos... it may have unnecessary routes, and I will be honest in saying that determining sources, destinations, hops, etc. is not my strong point with the ZyWALL.

I have tested from multiple routers (while on vacation, work, etc.), and as long as the router my laptop is connected to does not use the same internal IP as my ZyWALL, there is no problem and I can remote into the ZyWALL. If the router I am connected to has the same internal IP, it tries connecting to it instead of MY local IP. That is annoying!

Another thing I have started experiencing is when logging into the ZyWALL USG 50, I will click the Monitor tab, and then when I click Interface Status, it freezes up the web interface. I have to close my browser altogether and reopen. I haven't tried rebooting the ZyWALL; however I don't suspect that will resolve the issue. Either way, that is small potatoes right now!

nerdbomber

join:2013-06-30
Anyone? I notice that all my previous posts regarding this topic have diminished into thin air. Briefly, I can easily connect to VPN, and the tunnel seems solid. All local resources are accessible as if I was at home. The only issue is that when I try to access 192.168.1.1 via IE in the tunnel, it takes me to the wireless router my computer is connected to, instead of my ZyWall. I cannot configure my ZyWall, or access it, via VPN with the same IP that I use at home, unless the public router I am connected to has a different IP.


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:11
The only workaround I can suggest is to re-number your home network to something you're unlikely to encounter in the wild, i.e. 192.168.10.x.

nerdbomber

join:2013-06-30
reply to nerdbomber
Brano, thank you for taking the time to review, and all that you have contributed. I contemplated that; however I have multiple servers configured, and I have not yet decided if that is worth the hassle! For now, external access will suffice.
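
Added example, not part of any post in this thread: a small Python model of route selection on the VPN client, showing why 192.168.1.1 is answered by the local Wi-Fi router when both networks use the same subnet, and why renumbering the home LAN avoids it. The /24 masks, metrics, interface names and the assumption that the VPN installs only a default route are constructed for illustration.

```python
import ipaddress

def pick_route(routes, dest):
    """Select a route the way an IP stack does: longest prefix, then lowest metric."""
    ip = ipaddress.ip_address(dest)
    matches = [r for r in routes if ip in ipaddress.ip_network(r[0])]
    return max(matches, key=lambda r: (ipaddress.ip_network(r[0]).prefixlen, -r[2]))

def client_routes(wifi_lan):
    """Constructed routing table for a laptop on `wifi_lan` with the VPN up.
    Assumption: the VPN adds only a default route, preferred by a lower metric."""
    return [
        ("0.0.0.0/0", "vpn", 10),   # default route through the tunnel
        ("0.0.0.0/0", "wifi", 50),  # default route through the Wi-Fi router
        (wifi_lan, "wifi", 20),     # on-link route for the Wi-Fi subnet
    ]

def egress(wifi_lan, dest):
    """Interface the client uses to reach `dest` while on `wifi_lan`."""
    return pick_route(client_routes(wifi_lan), dest)[1]

def collides(home_lan, wifi_lan):
    """Pre-connection check: does the remote Wi-Fi subnet overlap the home LAN?"""
    return ipaddress.ip_network(home_lan).overlaps(ipaddress.ip_network(wifi_lan))

if __name__ == "__main__":
    cases = [
        ("192.168.1.0/24", "192.168.1.1"),   # same subnet as home: shadowed
        ("10.0.0.0/24", "192.168.1.1"),      # different subnet: goes via tunnel
        ("192.168.1.0/24", "192.168.10.1"),  # home renumbered to 192.168.10.x
    ]
    for wifi_lan, dest in cases:
        print(f"on {wifi_lan}: {dest} leaves via {egress(wifi_lan, dest)}")
```

The on-link /24 route for the Wi-Fi subnet is more specific than the tunnel's default route, so it wins regardless of metric; DNS resolving correctly does not change which interface the packet leaves on.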