【NGAF】Branch Fails to Access HQ Server Through Sangfor VPN
Issue Description
A branch-side PC fails to access the HQ FTP server. The user ran a packet capture on the FTP server and found that the branch-side PC uses the VPN interface IP to access the FTP server.
Handling Process
- Telnet from the HQ firewall to the FTP server. The connection succeeds.
- Ping the FTP server from a PC on the branch side. The ping succeeds.
- Capture packets on both the branch and HQ sides. The captures show the PC's IP being NATed to the VPN interface IP.
- Check the interface and zone settings. The vpntun interface has been added to the WAN zone.
- Because the WAN zone is used for SNAT of LAN > WAN traffic, the source IP is NATed to the VPN interface IP when an internal PC accesses HQ.
- Remove vpntun from the WAN zone. The PC then uses its own IP to access the FTP server.
Root Cause
The vpntun interface was added to the WAN zone. Because the WAN zone is used for SNAT of LAN > WAN traffic, the source IP of VPN-bound traffic was NATed to the VPN interface IP.
Solution
Remove vpntun from the WAN zone.
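
Added example (not part of the original article and not Sangfor code): a simplified Python model of zone-based SNAT showing why the FTP server sees the VPN interface IP while vpntun is in the WAN zone, plus an audit check for that condition. The zone layout, the eth1/eth2 interface names, all addresses and the function names are assumptions made for illustration; only vpntun and the LAN > WAN SNAT rule come from the article.

```python
# Simplified model of zone-based source NAT. Zone names, interface names other
# than vpntun, and all addresses are constructed; this is not NGAF's config format.
from ipaddress import ip_address, ip_network

def zone_of(interface, zones):
    """Return the zone an interface belongs to, or None if it is in no zone."""
    return next((z for z, members in zones.items() if interface in members), None)

def egress_interface(dst_ip, routes):
    """Longest-prefix match over (prefix, interface) routes."""
    hits = [(ip_network(p), ifc) for p, ifc in routes if ip_address(dst_ip) in ip_network(p)]
    if not hits:
        raise LookupError(f"no route to {dst_ip}")
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def source_seen_by_server(src_ip, in_if, dst_ip, zones, routes, snat_rules, if_addr):
    """Source address the destination sees after zone-based SNAT is evaluated."""
    out_if = egress_interface(dst_ip, routes)
    pair = (zone_of(in_if, zones), zone_of(out_if, zones))
    # A (src_zone, dst_zone) rule rewrites the source to the egress interface IP.
    return if_addr[out_if] if pair in snat_rules else src_ip

def tunnels_exposed_to_snat(zones, snat_rules, tunnel_ifs):
    """Audit: tunnel interfaces sitting in a zone that is an SNAT destination."""
    snat_dst = {dst for _, dst in snat_rules}
    return sorted(i for i in tunnel_ifs if zone_of(i, zones) in snat_dst)

# Constructed branch-side sample data.
ROUTES = [("0.0.0.0/0", "eth2"), ("172.16.1.0/24", "vpntun")]
IF_ADDR = {"eth2": "203.0.113.10", "vpntun": "10.254.254.1"}
SNAT_RULES = {("LAN", "WAN")}
ZONES_BROKEN = {"LAN": {"eth1"}, "WAN": {"eth2", "vpntun"}}   # misconfiguration
ZONES_FIXED = {"LAN": {"eth1"}, "WAN": {"eth2"}}              # vpntun removed
PC, FTP = "192.168.10.50", "172.16.1.20"

def demo():
    """Return (source seen by FTP server, audit findings) for each zone layout."""
    out = {}
    for name, zones in (("broken", ZONES_BROKEN), ("fixed", ZONES_FIXED)):
        seen = source_seen_by_server(PC, "eth1", FTP, zones, ROUTES, SNAT_RULES, IF_ADDR)
        out[name] = (seen, tunnels_exposed_to_snat(zones, SNAT_RULES, ["vpntun"]))
    return out

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In this model, Internet-bound traffic is still NATed to the WAN interface address after the fix, so removing vpntun from the zone only changes the VPN path.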