Can IKEv2 Mobile VPN Connection be used to connect VLAN to LAN?
Sorry if this is a stupid question, but here is the scenario. Our last firewall was M370 running ver 10.2.3. We had a VLAN on the box that connected to our WiFi Access Points, for clients to have internet. They could not access our LAN. Our users work remote 2 days a week, and therefore have an IKEv2 connection to the firewall so that they can access LAN servers. This connection pointed to our WAN IP address. Here's the weird part. For 5 years, our users were also able to use the IKEv2 connection WHILE IN THE OFFICE, so that they didn't need to plug in via Ethernet. They could access the local LAN and also had internet. In thinking about it (and also from supports answer), I feel this should have never worked due to the "firewall u-turn scenario", but it did...for 5 years. Now, we upgraded to an M390 and this setup works, but very intermittently. Some times when our local user connects to the VPN using our Wi-Fi, the VPN connects, but then the user loses internet, but CAN access LAN servers. Sometimes it works fine. I can't replicate the issue EVERY TIME. Now, please don't waste time on this if there is no way this should even work. Just tell me to stop wasting my time! 
Thanks so much,
James
PS....about 7 years ago, we used a Cisco ASA 5505 and I remember setting up a user or 2 with TWO VPN connections. One to use from home, and one pointing to an internal address to work off the WiFi with no wired connection to the LAN, for LAN server access. I'm told that WatchGuard does not support this...
Answers
What do you see in Traffic Monitor for local users who loose Internet access?
Absolutely nothing. Shows traffic goes through.
and I can ping and nslookup google.ca
Properly being NATed to the public IP addr?
will need to replicate to double-check that. I will report back when I can duplicate. Thanks! PS...do you feel it should not be able to go out to the WAN IP and then back in again?
I have done so in the past.
I'll try testing again later today
Thanks so much. It is so strange. Hard to tell users that they have to plug in via ethernet now..since it worked for so long. I was thinking of trying to add the internal address in the IKEv2 config area, along side the WAN address. Hoping to test on the old unit tomorrow.
So, still intermittant. Outlook said "Disconnected" but I had internet. disconnected VPN and reconnected. Outlook came back saying "Connected" but VPN icon showed "No Internet" as per screen grab. Very strange behaviour.
On the old firebox, I added local LAN Interface IP to the list of addresses in IKEv2 config page, and it "Seemed" to work if I created a new VPN connection on the client PC pointing to the internal address, but will need to test this "Live" to be sure it works.