diff --git a/pkg/switch/network.go b/pkg/switch/network.go
index 4bc6a02..c64dfca 100755
--- a/pkg/switch/network.go
+++ b/pkg/switch/network.go
@@ -677,6 +677,7 @@ func (w *WorkerImpl) forwardZone(input string) {
 if w.table == 0 {
 return
 }
+ w.out.Debug("WorkerImpl.forwardZone %s", input)
 w.fire.Raw.Pre.AddRule(cn.IPRule{
 Input: input,
@@ -690,6 +691,12 @@ func (w *WorkerImpl) forwardZone(input string) {
 Zone: uint32(w.table),
 Comment: "Goto private zone",
 })
+ w.fire.Raw.Out.AddRule(cn.IPRule{
+ Output: input,
+ Jump: cn.CCT,
+ Zone: uint32(w.table),
+ Comment: "Goto private zone",
+ })
 }
 func (w *WorkerImpl) forwardVPN() {
@@ -699,9 +706,6 @@ func (w *WorkerImpl) forwardVPN() {
 }
 devName := vpn.Device
-
- w.forwardZone(devName)
-
 _, port := libol.GetHostPort(vpn.Listen)
 if vpn.Protocol == "udp" {
 w.openPort("udp", port, "Open VPN")
@@ -709,6 +713,8 @@ func (w *WorkerImpl) forwardVPN() {
 w.openPort("tcp", port, "Open VPN")
 }
+ w.forwardZone(devName)
+
 // Enable MASQUERADE, and FORWARD it.
 w.toRelated(devName, "Accept related")
 w.toACL(cfg.Acl, devName)
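Review bot: The new `w.out.Debug` line sits after the `w.table == 0` early return, so the one case that matters operationally — a device for which no CT zone rule is installed at all — leaves nothing in the log. Moving the debug call above the check, or adding `w.out.Debug("WorkerImpl.forwardZone %s: table is 0, skip", input)` inside the early-return branch, makes a missing zone rule diagnosable from the log instead of from `iptables -t raw -S`. The Pre rule literal that starts at the end of this hunk continues outside it.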
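Review bot: The added raw OUTPUT rule has no visible counterpart in whatever tears rules down, and that path is not in this diff; if teardown replays a fixed chain list on stop or reload, `w.fire.Raw.Out` must be included there as well, otherwise the zone rule for locally originated traffic outlives the PREROUTING one it is meant to pair with. This is a check to confirm rather than a defect I can see. The `Jump`/`Zone`/`Comment` fields repeat the Pre rule above verbatim; if that rule (whose middle lies between the two hunks) carries no other fields, building one `cn.IPRule` and setting only `Input` or `Output` before each `AddRule` keeps the two zone rules from drifting apart.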
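Review bot: Nothing in the hunk says why `w.forwardZone(devName)` now has to run after `openPort` rather than before, and since forwardZone writes to the raw table while openPort presumably targets a different one, the order is not obviously a packet-matching requirement, so the next tidy-up may move it back. A one-line comment above the call stating the actual motivation for the ordering would protect the change. forwardVPN's body starts and ends outside this hunk.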