Half of the internet blocked

Hi,
I've got a few ZyWALL 110s. They're all IPsec VPN connected. LAN (192.168.6.x) should go over the VPN (to the SBS server, 192.168.2.x).
On the PCs behind this ZyWALL 110, half of the internet is not working; even a ping to dslreports is not working.
These are a few of the DROPPED lines in my logs:
35 2015-03-28 17:40:00 192.168.6.160:60445 212.79.84.37:443 error ipsec IPSec SPI: 0x0 (0) SEQ: 0x0 (0) No rule found, Dropping TCP packet [count=3]
60 2015-03-28 17:40:27 192.168.6.160:60448 204.79.197.203:80 error ipsec IPSec SPI: 0x0 (0) SEQ: 0x0 (0) No rule found, Dropping TCP packet [count=3]
63 2015-03-28 17:40:31 192.168.6.160 208.73.211.70 error ipsec IPSec SPI: 0x0 (0) SEQ: 0x0 (0) No rule found, Dropping ICMP(8:0) packet [count=3]
What am I doing wrong? What other info do you guys need?
Brano (MVM)
2015-Mar-28 1:10 pm
Which half is not working? Left or right?
Was this ever working before? Is the WAN PPPoE? Did you check the MTU?
...post more details about the setup; with this info it is impossible to advise.
It was working before, but it's getting worse every day.
For my MTU, I did it like this; not sure why the actual ping is blocked.
C:\Users\sbs-adminperk>ping www.dsl-reports.com -f -l 1472

Pingen naar www.dsl-reports.com [208.73.211.70] met 1472 bytes aan gegevens:
Time-out bij opdracht.

Ping-statistieken voor 208.73.211.70:
    Pakketten: verzonden = 1, ontvangen = 0, verloren = 1 (100% verlies).
Control-C
^C
C:\Users\sbs-adminperk>ping www.dsl-reports.com -f -l 1473

Pingen naar www.dsl-reports.com [208.73.211.70] met 1473 bytes aan gegevens:
Pakket moet worden gefragmenteerd, maar DF is ingesteld.
Pakket moet worden gefragmenteerd, maar DF is ingesteld.

Ping-statistieken voor 208.73.211.70:
    Pakketten: verzonden = 2, ontvangen = 0, verloren = 2 (100% verlies).
Control-C
^C
Anav (Premium Member)
2015-Mar-28 1:41 pm
Call Belgium tech support.
Brano (MVM)
to oliware
Seems to be an incorrect MTU setting. What MTU is set on your internet wanX_ppp interface?
MTU for WAN is 1472
stefaanE (Premium Member)
2015-Mar-29 11:01 am
Why 1472? If your Internet connection is through PPPoE, I would expect an MTU of 1492. Who is your provider, and how are you connected? Do you have a 'real' IP address on your router, or is your ISP NAT'ing you?
Do you have the same behaviour on PCs not connected via a VPN (i.e. those connected through the router that assures the connection with the Internet)?
It would be useful to see a tracepath (or traceroute/tracert if you don't have a box with tracepath) from a PC connected through a VLAN, and a PC connected to the Internet router.
Take care,
Stefaan
stefaanE
to Brano
said by Brano: Which half is not working? Left or right?
What about the top or bottom half?
Brano (MVM)
to oliware
Test your MTU. You need to figure out the minimal size that is getting through. PPPoE overhead is 8 bytes, thus 1500 - 8 = 1492 is the typical MTU on PPPoE.
1) Set your WAN MTU to 1492 on the USG.
2) Do the ping -f test to establish the actual MTU size.
3) Then set the MTU on your WAN interface to the one you've discovered. ...best would be to call your ISP and find out what MTU to set.
4) Also, on VPN tunnels check the "Ignore "Don't Fragment" setting in IP header" option.
Via the DMZ port, I can do whatever I want. Via the LAN1 port, I can't even ping www.dslreports.com. Enclosed is a printscreen of my policies.
Brano (MVM)
2015-Apr-3 7:35 am
Post also your Policy routes.
F*ck, I can see there is only 1 rule; everything has to go via the VPN_IPSEC. I think internet traffic has to go via WAN1, not the VPN. Thanks for the hint.
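As an added example (not from the thread or from Zyxel), a small Python triage of the "No rule found, Dropping" records quoted in the first post: it parses each record and flags destinations that lie outside the tunnel's remote LAN, which is exactly the pattern a catch-all policy route into VPN_IPSEC produces for internet traffic. The /24 prefix for the remote LAN is an assumption; the thread only gives 192.168.2.x.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the three "No rule found" drops quoted in the first post,
# one ZyWALL 110 log record per line.
SAMPLE_LOG = """\
35 2015-03-28 17:40:00 192.168.6.160:60445 212.79.84.37:443 error ipsec IPSec SPI: 0x0 (0) SEQ: 0x0 (0) No rule found, Dropping TCP packet [count=3]
60 2015-03-28 17:40:27 192.168.6.160:60448 204.79.197.203:80 error ipsec IPSec SPI: 0x0 (0) SEQ: 0x0 (0) No rule found, Dropping TCP packet [count=3]
63 2015-03-28 17:40:31 192.168.6.160 208.73.211.70 error ipsec IPSec SPI: 0x0 (0) SEQ: 0x0 (0) No rule found, Dropping ICMP(8:0) packet [count=3]
"""

# Fields: index, date, time, src[:port], dst[:port], then the IPsec drop message.
LINE_RE = re.compile(
    r"^(?P<idx>\d+)\s+(?P<date>\S+)\s+(?P<time>\S+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s+"
    r"error ipsec IPSec .*No rule found, Dropping (?P<proto>\S+) packet"
    r"(?: \[count=(?P<count>\d+)\])?$"
)

# Remote side of the tunnel from the thread (SBS at 192.168.2.x).
# The /24 prefix is an assumption; the post gives only the first three octets.
REMOTE_LAN = ipaddress.ip_network("192.168.2.0/24")

def parse_drops(log_text):
    """Return one dict per 'No rule found' record; lines that do not match are skipped."""
    drops = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["count"] = int(d["count"] or 1)  # [count=N] is absent for a single hit
        d["dst_in_tunnel"] = ipaddress.ip_address(d["dst"]) in REMOTE_LAN
        drops.append(d)
    return drops

def triage(drops):
    """Sum dropped packets per destination, split by whether the tunnel should carry them."""
    # A destination outside REMOTE_LAN matches no IPsec policy ('No rule found'): that
    # is what a catch-all policy route into VPN_IPSEC produces for internet traffic.
    buckets = {"misrouted": Counter(), "expected": Counter()}
    for d in drops:
        kind = "expected" if d["dst_in_tunnel"] else "misrouted"
        buckets[kind][f"{d['dst']}/{d['proto']}"] += d["count"]
    return {k: dict(v) for k, v in buckets.items()}

if __name__ == "__main__":
    print(triage(parse_drops(SAMPLE_LOG)))
```

A non-empty "misrouted" bucket with an empty "expected" bucket is the signature of the single catch-all route the last post describes; once internet traffic is routed via WAN1, only 192.168.2.x destinations should ever reach the IPsec module.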