ZyWall 110 IPsec VPN, can't see entire remote network from client?

Hi there! Just got VPN set up on a new ZyWall 110, and I can connect without any hassle. The problem is that I can't see everything from the client, see this:

10.0.0.1 - internal IP of firewall - OK
10.0.0.2 - OS X server - OK
10.0.0.3 - Windows server - no access at all
10.0.0.4 - Windows server - no access at all
10.0.0.11 - SBS 2007 - no access at all
10.0.0.39 - iMac - OK
10.0.0.114 - NAS box running Windows Server - OK
10.0.0.238 - printer - OK

There are a lot of other computers accessible (just don't want to type in all IP addresses!), so to me it seems as if there is a part of the internal network that can't be accessed, starting from 10.0.0.3 to at least 10.0.0.11. I've tried various VPN setups, and all have this error. I had a ZyWall 35 before this, and that VPN setup did not have this "flaw", and I'm 100% positive that it is not the servers rejecting the VPN client, mostly because it worked before, and I can't even ping the addresses, I just get a timeout.

Anyone know what could be the problem with my setup?

Thanks in advance,
Tommy
That's an IPsec VPN you set up there? So just how exactly can't you "see" these computers? Ping? Windows shares? Are you trying by IP address or NetBIOS name?
My initial 00000010 bits
Regards
I managed to find out that the devices I can't do anything to / about are the ones I have a 1:1 NAT on. When I'm connected via VPN, I can't ping, can't see shares - it's like the machines are not there... If I set those 1:1 NATs to Virtual Servers instead, it works, except for the fact that they do not appear as their own public IPs when sending mail etc., but use the IP of WAN1?
/Tommy
to tomlar1977
....so what exactly is different, config-wise, between 1:1 NAT and virtual?
I'm guessing, for 1:1 NAT, it's something like:
- x.x.x.x (your public address) : 10.0.0.3
- x.x.x.y (your public address) : 10.0.0.4
Don't know if there's any way to dump the config... or if any Zyxel experts know what needs to be pulled from the GUI to review...
Regards
In the config, all I can see different is:

    ip virtual-server Mailserver interface wan1 original-ip 87.54.49.118 map-to 10.0.0.xx map-type any nat-loopback nat-1-1-map
    ip virtual-server IC interface wan1 original-ip 87.54.49.115 map-to 10.0.0.xx map-type any nat-loopback

Basically, the last "nat-1-1-map" part is all there is. I also tried disabling NAT loopback on one of the 1:1 NAT'ed hosts, but still that host cannot be seen from a VPN client. There must be some setting for this somewhere, just need to find it.
/Tommy
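The correlation Tommy did by hand (which unreachable hosts are the ones carrying `nat-1-1-map`) can be scripted against a config dump. The following is an added example, not code from the thread or from Zyxel: it parses `ip virtual-server` lines in the shape shown above and matches them against a table of VPN-client ping results. The public IPs and keywords come from the config quoted in the thread; the rule names, the `map-to` addresses (the thread only shows `10.0.0.xx`) and the ping results are constructed for illustration.

```python
"""Correlate ZyWALL 'ip virtual-server' rules with VPN-client reachability.

Added example for the thread above; not the poster's or Zyxel's code. It reads
config lines of the form shown in the thread (interface/original-ip/map-to/
map-type, optional nat-loopback and nat-1-1-map keywords) and reports which
hosts unreachable from a VPN client sit behind a 1:1 NAT rule.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample config. Public IPs and keywords are taken from the thread;
# the 'Ftp' rule and the concrete internal addresses are assumptions.
SAMPLE_CONFIG = """\
ip virtual-server Mailserver interface wan1 original-ip 87.54.49.118 map-to 10.0.0.3 map-type any nat-loopback nat-1-1-map
ip virtual-server IC interface wan1 original-ip 87.54.49.115 map-to 10.0.0.4 map-type any nat-loopback
ip virtual-server Ftp interface wan1 original-ip 87.54.49.116 map-to 10.0.0.11 map-type any nat-1-1-map
"""

# Constructed ping results seen from a VPN client (True = reply, False = timeout).
SAMPLE_PINGS = {
    "10.0.0.1": True, "10.0.0.2": True, "10.0.0.3": False,
    "10.0.0.4": True, "10.0.0.11": False, "10.0.0.39": True,
}

RULE_RE = re.compile(
    r"^ip virtual-server (?P<name>\S+) interface (?P<iface>\S+) "
    r"original-ip (?P<orig>\S+) map-to (?P<internal>\S+) map-type (?P<mtype>\S+)"
    r"(?P<rest>.*)$"
)


@dataclass(frozen=True)
class VirtualServer:
    name: str
    interface: str
    public_ip: str
    internal_ip: str
    map_type: str
    nat_loopback: bool
    one_to_one: bool  # 'nat-1-1-map' keyword present on the rule


def parse_virtual_servers(config_text: str) -> list[VirtualServer]:
    """Extract every 'ip virtual-server' rule; other config lines are ignored."""
    rules: list[VirtualServer] = []
    for line in config_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        trailing = m.group("rest").split()  # optional keywords after map-type
        rules.append(VirtualServer(
            name=m.group("name"),
            interface=m.group("iface"),
            public_ip=m.group("orig"),
            internal_ip=m.group("internal"),
            map_type=m.group("mtype"),
            nat_loopback="nat-loopback" in trailing,
            one_to_one="nat-1-1-map" in trailing,
        ))
    return rules


def correlate(rules: list[VirtualServer], pings: dict[str, bool]):
    """Split the ping table into (unreachable and 1:1 NAT'ed, unreachable other,
    reachable but 1:1 NAT'ed). A non-empty third list would disprove the theory
    that 1:1 NAT alone is what hides a host from the VPN."""
    one_to_one_hosts = {r.internal_ip for r in rules if r.one_to_one}
    by_addr = ipaddress.ip_address  # sort numerically, not lexically
    unreachable_1to1 = sorted((ip for ip, ok in pings.items()
                               if not ok and ip in one_to_one_hosts), key=by_addr)
    unreachable_other = sorted((ip for ip, ok in pings.items()
                                if not ok and ip not in one_to_one_hosts), key=by_addr)
    reachable_1to1 = sorted((ip for ip, ok in pings.items()
                             if ok and ip in one_to_one_hosts), key=by_addr)
    return unreachable_1to1, unreachable_other, reachable_1to1


if __name__ == "__main__":
    parsed = parse_virtual_servers(SAMPLE_CONFIG)
    for r in parsed:
        print(f"{r.name:12} {r.public_ip:15} -> {r.internal_ip:12} "
              f"1:1={r.one_to_one} loopback={r.nat_loopback}")
    bad_1to1, bad_other, ok_1to1 = correlate(parsed, SAMPLE_PINGS)
    print("unreachable, behind nat-1-1-map:", bad_1to1)
    print("unreachable, no 1:1 rule        :", bad_other)
    print("reachable despite nat-1-1-map   :", ok_1to1)
```

Feed it the real `show running-config` output and the real ping table; if every timeout lands in the first list and the third list stays empty, the 1:1 NAT rules are the common factor, as Tommy found.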
Anav (Premium Member, joined 2001-07-16, Dartmouth, NS)
to tomlar1977
The question becomes, do you need public IPs for this to work?
Unless you have two of the same kind of server, it all can be run from your standard one WAN IP.
Of course, it could be a load thing and that throughput is an issue.
If you can do the standard WAN IP thingy, then you will need both virtual server (port forwarding) rules and firewall (Security Policy) rules.
I use policy routes due to the fact that I have two WAN ISPs and I force any email traffic to go to my secondary WAN IP (primary runs all the time and secondary only used in a failover type scenario). It's followed by a policy route that states all other traffic will go through my trunk rule (which is wan1 all the time).
So is the problem in a nutshell that you cannot VPN into the router using the standard router IP address and access devices on the public IPs?
The problem is that I cannot access devices using their internal IPs - i.e. I need to access a share on my FTP server using \\10.0.0.xx and have control of the files from there. I am of course not interested in opening for this on the public IP, but it is allowed internally. I have more than one server running HTTP, and I still like the ability to have each machine using its own public IP - it also worked on my old ZyWall 35; from that one I could do everything from VPN clients, even though I also used 1:1 NAT!
Anav, 2014-Oct-14 11:28 am
Yes, weird that it worked on the ZyWall 35 but not on the 110. The devices, if on a public IP, do not have an internal IP; that's why it's called one-to-one mapping. Well, besides the ONE IP you assigned to the device that maps to the public IP. Did you try creating a VPN tunnel over the public IP itself? It seems the question is how do you access one-to-one mapped servers using a VPN tunnel to the main router (main WAN IP).
I think there is some setting which NATs the internal IP to the public IP, which then again makes it inaccessible from the VPN. One thing I can see, not sure if it makes any difference, but on the old VPN I think I got an IP assigned which was one of the 10.0.0.x addresses, but in the VPN setup on the 110 I can't find any setting for such a pool of addresses, and need to set it up manually in the client. In these, it must NOT be a 10.0.0.x address, but e.g. a 192.168.0.x address is OK...?
Anav
to tomlar1977
Maybe it's a zone thing, in terms of being in the same zone??
Beats me, haven't been able to figure it out, but I'll keep digging. In 3 weeks I'm back at the company, and will try to boot up the old firewall and check the setup of that one; even though the GUI is way different, it might help.