Good day.
I seriously need to get some help understanding how the traffic and firewall works on RUT241, because this just blows my mind.
The scenario:
Site A is one computer. Let's say it has 10.220.36.206.
Site A uses a RUT241 that’s behind NAT (behind another router). The RUT has 10.220.36.1 and let's say the WAN-side of the RUT is 172.22.2.35.
Site B is a virtual machine in our datacenter. For this scenario, it has 192.168.0.174.
Site B has a ZyXEL firewall with public IP.
The VPN tunnel is set up on Site B as “Dynamic Peer”, so it waits for the RUT to connect.
Now … From Site B, I can ping the computer on Site A. From Site B I can connect to the RUT241 web interface as well.
From Site A I can connect to a service running on the Site B server. No problem.
So traffic works both ways, but the frustrating part is PING only works one way (from B to A).
If I make any change on the RUT, like adding a forward firewall rule from LAN to WAN, the PING from Site A to Site B (from 10.220.36.206 to 192.168.0.174) starts working.
If I reboot the RUT, this will stop working.
The PING going from Site B to site A (from 192.168.0.174 to 10.220.36.206) will resume at the point the tunnel is re-established after reboot. Site A can also access the services on Site B’s server, but NO PING!
Then I make a change in the RUT again, like deleting the LAN to WAN rule, and the ping starts working again… From A to B. B to A has always worked.
Now, I reboot again, and the PING from A to B stops working, but B to A resumes after reboot is complete.
A can still access services on B, but no PING from A to B although B can ping A.
Let’s do another change on the RUT, like trying “Force encapsulated” on the IPSec … Since we did a change, the PING from A to B starts working again.
We do a new reboot to lock in changes and … no. B resumes ping to A, but A cannot ping B. A can still access services on B – BUT WHY THE h#"¤%# does it need a CHANGE in the configuration before A can ping B?
I really don’t get this!
And it doesn’t matter what change it is either. First time setup I didn’t have masquerade on for the LAN to WAN, but PING worked until rebooting.
Then I activated masquerading and ping started working again – until a reboot.
So even though the VPN is established and the necessary traffic goes fine from A to B, and B can do ANYTHING towards A (even ping) … Ping from A to B doesn’t work – unless something changes in the configuration and NO REBOOT!