Work vpn (zscaler) not connecting

Hello,

I had a non-OpenWrt router until a month back, with an IPv4-only network, and my work PC was connecting to work fine using the company-configured Zscaler.

A month back I changed to OpenWrt 24.10.4, which also enabled IPv6 (when I go to https://whatismyipaddress.com/, I get both an IPv4 and an IPv6 address).

Everything works on personal devices, including WireGuard VPNs to other sites etc.
But my work PC is not able to connect to the office network using Zscaler.

Could this be an OpenWrt router configuration or ISP-side issue that's causing this?

Something more to add:
With the same laptop, if I use a mobile hotspot instead of this home router, everything works.
With the same laptop, if I use my OpenWrt router at another home in another city, on another ISP, everything works.

Thanks.

Ask your support. OpenWrt does not interfere with, inspect, or block connections/protocols at random.


But what do you see locally, on your router?
I guess you have a public (GUA) IPv6 address on wan6, but what address do you see on your wan? You don't need to hide the address if it belongs to private address space.

What's the result of nslookup gateway.zscaler.net on the client PC?

When the client PC is connected to the home network,

nslookup gateway.zscaler.net
DNS request timed out
    timeout was 2 seconds.
Server: Unknown
Address: 192.168.1.1

DNS request timed oit
    timeout was 2 seconds.
DNS request timed oit
    timeout was 2 seconds.
DNS request timed oit
    timeout was 2 seconds.
DNS request timed oit
    timeout was 2 seconds.
*** Request to Uknown timed-out

When the client PC is connected to a mobile hotspot,

nslookup gateway.zscaler.net
Server: Unknown
Address: 127.0.0.1

Dns reqeust timed out
     timeout was 2 seconds.
Non-authorititave answer:
Name: gateway.zscaler.net
Address: 165.2xx.xxx.14

You need to solve your DNS issue.

Please avoid using pictures.


From my other PC on the same home network,

nslookup gateway.zscaler.net
Server:  OpenWrtTcr.lan
Address:  fd12:e137:9401::1

Non-authoritative answer:
Name:    gateway.zscaler.net
Address:  16X.1XX.1XX.20

Great, so you know what you should achieve on your PC that runs Zscaler.

Yes, that name needs to resolve.
Why would it not resolve on the work PC alone, when the same 192.168.1.1 is being used by both PCs?

This is not the case; look at the nslookup output you provided.
You can direct the DNS request on the 2nd PC to another IP by running nslookup gateway.zscaler.net 192.168.1.1

FYI:

  • Zscaler intercepts DNS requests (on the client level)
  • You should only see the Zscaler IP in a Public IP lookup if your employer runs Internet Security (or VPN)
  • What does the connectivity screen in the app say for PIA, Internet Security and Digital Experience?
  • Indicates not OpenWrt, or IPv6 :wink:
  • Does your second location/ISP have IPv6?

From the second PC, which is connected to the same home network, it's now not resolving when I use 192.168.1.1:

C:\Users\sim_t>nslookup gateway.zscaler.net 192.168.1.1
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.1.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

C:\Users\sim_t>

and nslookup OpenWrtTcr.lan shows:

C:\Users\sim_t>nslookup OpenWrtTcr.lan
Server:  OpenWrtTcr.lan
Address:  fd12:e137:9401::1

Name:    OpenWrtTcr.lan
Addresses:  fd12:e137:9401::1
          192.168.1.1

So it got 192.168.1.1 and fd12:e137:9401::1, and it is with fd12:e137:9401::1 that it earlier used to resolve.

In fact nothing on the home network resolves using 192.168.1.1:

C:\Users\sim_t>nslookup google.com 192.168.1.1
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.1.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

So that is what I believe I need to fix.

That's a good point, I forgot about this. At the same time, I would expect name resolution to be working before Zscaler is up and running. BTW, I do not see a timeout myself; it's some dummy response.


@lleachii @AndrewZ
Yes, my second location/ISP has IPv6 too.
There I could correctly resolve google.com as well as gateway.zscaler.net using 192.168.0.2 (which is my OpenWrt router address at the second location).

At the current site where I have this problem, DNS is not working for any website using 192.168.1.1 (which is my current site's OpenWrt router address).
What troubleshooting approach can I take to solve it?

Basically, at the problem site DNS resolution works only over IPv6 (Server: OpenWrtTcr.lan, Address: fd12:e137:9401::1) and not with 192.168.1.1. And my work PC has only IPv4.

Please show the output of netstat -tulpn on the router.

root@OpenWrtTcr:~# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.20.10:53        0.0.0.0:*               LISTEN      22764/dnsmasq
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN      1894/uhttpd
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      22764/dnsmasq
tcp        2      0 192.168.1.1:53          0.0.0.0:*               LISTEN      22764/dnsmasq
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      1894/uhttpd
tcp        0      0 117.xxxx.xx.35:53       0.0.0.0:*               LISTEN      22764/dnsmasq
tcp        0      0 0.0.0.0:868             0.0.0.0:*               LISTEN      1148/dropbear
tcp        0      0 :::8443                 :::*                    LISTEN      1894/uhttpd
tcp        0      0 2001:xx:xx:9xx:b4d5:4756:fc79:c99c:53 :::*                    LISTEN      22764/dnsmasq
tcp        0      0 2001:xxx:xx:9f53::1:53 :::*                    LISTEN      22764/dnsmasq
tcp        0      0 ::1:53                  :::*                    LISTEN      22764/dnsmasq
tcp        0      0 fe80::224c:3ff:fe8e:e5e:53 :::*                    LISTEN      22764/dnsmasq
tcp        0      0 fe80::224c:3ff:fe8e:e5e:53 :::*                    LISTEN      22764/dnsmasq
tcp        0      0 fe80::224c:3ff:fe8e:e5e:53 :::*                    LISTEN      22764/dnsmasq
tcp        0      0 :::9100                 :::*                    LISTEN      2466/node_exporter
tcp        0      0 :::8080                 :::*                    LISTEN      1894/uhttpd
tcp        0      0 :::868                  :::*                    LISTEN      1148/dropbear
tcp        0      0 fd12:e137:9401::1:53    :::*                    LISTEN      22764/dnsmasq
tcp        0      0 fe80::b4d5:4756:fc79:c99c:53 :::*                    LISTEN      22764/dnsmasq
udp        0      0 127.0.0.1:53            0.0.0.0:*                           22764/dnsmasq
udp        0      0 192.168.20.10:53        0.0.0.0:*                           22764/dnsmasq
udp        0      0 192.168.1.1:53          0.0.0.0:*                           22764/dnsmasq
udp        0      0 117.xxx.xxx.35:53       0.0.0.0:*                           22764/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           22764/dnsmasq
udp        0      0 :::546                  :::*                                4054/odhcp6c
udp        0      0 :::546                  :::*                                3188/odhcp6c
udp        0      0 :::547                  :::*                                1658/odhcpd
udp        0      0 ::1:53                  :::*                                22764/dnsmasq
udp        0      0 fe80::224c:3ff:fe8e:e5e:53 :::*                                22764/dnsmasq
udp        0      0 fe80::224c:3ff:fe8e:e5e:53 :::*                                22764/dnsmasq
udp        0      0 2001:xxx:xxx:9f53::1:53 :::*                                22764/dnsmasq
udp        0      0 fd12:e137:9401::1:53    :::*                                22764/dnsmasq
udp        0      0 fe80::224c:3ff:fe8e:e5e:53 :::*                                22764/dnsmasq
udp        0      0 2001:xxx:xxx:9f53:b4d5:4756:fc79:c99c:53 :::*                                22764/dnsmasq
udp        0      0 fe80::b4d5:4756:fc79:c99c:53 :::*                                22764/dnsmasq

dnsmasq is listening on that IPv4 address,
so now it's probably time to check the output of cat /etc/config/firewall

root@OpenWrtTcr:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'modem'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option src 'wan'
        option dest '*'
        option name 'test-icmp'
        list proto 'icmp'
        option target 'ACCEPT'
        option family 'ipv6'
        list icmp_type 'bad-header'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        option limit '1000/second'

config rule
        option src 'wan'
        option dest 'lan'
        option family 'ipv6'
        list proto 'tcp'
        option dest_port '22'
        option target 'ACCEPT'
        option name 'test-iperf-ipv6'
        list dest_ip '::90/-64'

config rule
        option src 'wan'
        option dest 'lan'
        option family 'ipv6'
        list proto 'tcp'
        option dest_port '80'
        option target 'ACCEPT'
        option name 'web-80'
        list dest_ip '::90/-64'

config rule
        option src 'wan'
        option dest 'lan'
        option family 'ipv6'
        list proto 'tcp'
        option dest_port '443'
        option target 'ACCEPT'
        option name 'web-443'
        list dest_ip '::90/-64'

config rule
        option src 'wan'
        option dest 'lan'
        option family 'ipv6'
        option dest_port '51820'
        option target 'ACCEPT'
        option name 'wireguard'
        list dest_ip '::90/-64'
        list proto 'udp'

config rule
        option src 'wan'
        option family 'ipv6'
        option dest_port '9100'
        option target 'ACCEPT'
        option name 'node_exporter'
        list proto 'tcp'
        list dest_ip '::1/-64'

config rule
        option src 'wan'
        option family 'ipv6'
        option dest_port '8443'
        option target 'ACCEPT'
        option name 'router_remote_access'
        list proto 'tcp'
        list src_ip '2xxx:xxxx:xxxx:xxxx:e5b7:529c:3e43:5bff'

config rule
        option src 'wan'
        option family 'ipv6'
        option dest_port '868'
        option target 'ACCEPT'
        option name 'router_remote_access_shell'
        list proto 'tcp'
        list src_ip '2xxx:xxxx:xxxx:xxxx:e5b7:529c:3e43:5bff'

config rule
        option src 'wan'
        option dest '*'
        option name 'test-iperf-ipv4'
        option family 'ipv4'
        list proto 'tcp'
        option target 'ACCEPT'
        option dest_port '5201'
        option enabled '0'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'test-iperf-ipv4'
        option src 'wan'
        option src_dport '85'
        option dest_ip '192.168.1.90'
        option dest_port '85'
        option family 'ipv4'
        list proto 'tcp'
        option enabled '0'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'web-80'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.1.90'
        option dest_port '80'
        list proto 'tcp'
        option family 'ipv4'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'web-443'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.1.90'
        option dest_port '443'
        list proto 'tcp'
        option family 'ipv4'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'wireguard'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '192.168.1.90'
        option dest_port '51820'
        list proto 'udp'

config ipset
        option name 'trusted_remote'
        option family 'ipv6'
        option match 'src_ip'

config redirect
        option name 'tor_dns'
        option src 'lan'
        option proto 'udp'
        option src_dport '53'
        option target 'DNAT'
        option dest_ip '127.0.0.1'
        option dest_port '9053'

Remove this completely.


:slight_smile: Thank you. I removed the rule and restarted the firewall, and now:

C:\Users\sim_t>nslookup gateway.zscaler.net 192.168.1.1
Server:  OpenWrtTcr.lan
Address:  192.168.1.1

Non-authoritative answer:
Name:    gateway.zscaler.net
Address:  167.103.133.20

Also, my work PC got connected to Zscaler successfully.

I was experimenting with Tor earlier today and had placed that rule without knowing that it would break other stuff.

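As an added example, not code from the thread or from OpenWrt itself, here is a small Python checker that parses /etc/config/firewall syntax and flags any redirect that DNATs LAN-originated port-53 traffic, the shape of the tor_dns rule that broke IPv4 resolution above. The inline sample config is constructed for the demonstration.

```python
import re

# Constructed sample in /etc/config/firewall (UCI) syntax, modelled on the
# thread's tor_dns redirect; not copied from a real router.
SAMPLE_FIREWALL = """
config redirect
        option name 'tor_dns'
        option src 'lan'
        option proto 'udp'
        option src_dport '53'
        option target 'DNAT'
        option dest_ip '127.0.0.1'
        option dest_port '9053'
"""

# config <type> [name] / option <key> '<value>' / list <key> '<value>'
UCI_LINE = re.compile(r"^(config|option|list)\s+(\S+)(?:\s+(?:'([^']*)'|(\S+)))?$")

def parse_uci(text):
    """Parse UCI text into [(section_type, {key: [values]})] in file order."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = UCI_LINE.match(line)
        if not m:
            raise ValueError(f"unparsed UCI line: {raw!r}")
        kw, key = m.group(1), m.group(2)
        val = m.group(3) if m.group(3) is not None else m.group(4)
        if kw == "config":
            sections.append((key, {}))  # 'config redirect' opens a section
        else:
            sections[-1][1].setdefault(key, []).append(val)  # 'list' repeats
    return sections

def find_dns_hijacks(text):
    """Names of enabled redirects that DNAT LAN-originated port-53 traffic.
    Such a rule diverts queries before they reach dnsmasq's socket, so a
    netstat listener on 192.168.1.1:53 proves nothing about reachability."""
    hits = []
    for stype, o in parse_uci(text):
        if stype != "redirect" or "lan" not in o.get("src", []):
            continue
        if o.get("target", ["DNAT"])[0].upper() != "DNAT":  # DNAT is the default
            continue
        if "53" in o.get("src_dport", []) and o.get("enabled", ["1"])[0] != "0":
            hits.append(o.get("name", ["<unnamed>"])[0])
    return hits
```

Run it against a copy of the router's firewall file after any experiment that touched DNS; a rule with `option enabled '0'` is ignored, as it would be by the firewall.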
