January 7, 2013 at 5:54 pm #43537 zgypa (Member)
Is this a bug, or is it a configuration issue? After I updated to 2.0RC2, keeping the same configuration from 2.0RC1, I was not able to access LAN services from the internet. I had granted access with Net Balancer. Maybe there is a better way to do this than to use Balancing Rules?
Why does the below described configuration work with 2.0RC1, and not with 2.0RC2?
* LAN2LAN and HOST2LAN OpenVPN time out when trying to connect from remote site.
* Connections time out when I try to access websites and ssh hosted inside the LAN from outside the LAN.
* Clients inside LAN access outgoing internet without problems through FO.
* I found 10.1.1.166 server was accessing internet through FO as well, until I disabled HTTP Proxy/HAVP.
What I discovered by running tcpdump and analyzing packets for incoming OpenVPN connections is that SYN packets correctly are received and replied to by ZS, but they go through the incorrect router. In other words, SYN come in from ADSL, and SYN,ACK go out through FO (see diagram).
So for now, what I did was disable the FO router in the Net Balancer, forcing therefore ALL traffic through ADSL.
I am running a stick (one-armed) router inside a VM. I permanently use the CD iso image to boot ZS, then I have Profiles stored on /dev/sda. I find this configuration particularly appealing because when it’s time to upgrade all I have to do is point the Virtual Machine to the new CD iso image, and ZS boots and finds the old profiles. No need to back up and restore profiles.
The ZS stick router in question is on the bottom left of the diagram.
Here are the rules I have set up with Balancing Rules:
* all traffic for 10.1.1.80 and .166 needs to go back out through the ADSL connection (because it’s the only one with a public IP address).
* all traffic to and from OpenVPN ports needs to go through the ADSL connection (because it’s the only one with a public IP address).
* all other traffic needs to go through FO, since it has more bandwidth.