diff --git a/logic/acls.go b/logic/acls.go
index 0bbb2bdf0..81b1f0b45 100644
--- a/logic/acls.go
+++ b/logic/acls.go
@@ -292,7 +292,7 @@ func GetDefaultPolicy(netID models.NetworkID, ruleType models.AclPolicyType) (mo
 }
 if policy.RuleType == ruleType {
 dstMap := convAclTagToValueMap(policy.Dst)
- srcMap := convAclTagToValueMap(policy.Dst)
+ srcMap := convAclTagToValueMap(policy.Src)
 if _, ok := srcMap["*"]; ok {
 if _, ok := dstMap["*"]; ok {
 return policy, nil
diff --git a/pro/logic/user_mgmt.go b/pro/logic/user_mgmt.go
index 289d751d6..08836224a 100644
--- a/pro/logic/user_mgmt.go
+++ b/pro/logic/user_mgmt.go
@@ -640,6 +640,7 @@ func GetUserNetworkRolesWithRemoteVPNAccess(user models.User) (gwAccess map[mode
 }
 if _, ok := user.NetworkRoles[models.AllNetworks]; ok {
 gwAccess[models.NetworkID("*")] = make(map[models.RsrcID]models.RsrcPermissionScope)
+ return
 }
 if len(user.UserGroups) > 0 {
 for gID := range user.UserGroups {
@@ -647,6 +648,10 @@ func GetUserNetworkRolesWithRemoteVPNAccess(user models.User) (gwAccess map[mode
 if err != nil {
 continue
 }
+ if _, ok := userG.NetworkRoles[models.AllNetworks]; ok {
+ gwAccess[models.NetworkID("*")] = make(map[models.RsrcID]models.RsrcPermissionScope)
+ return
+ }
 for netID, roleMap := range userG.NetworkRoles {
 for roleID := range roleMap {
 role, err := logic.GetRole(roleID)
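Review bot: No test accompanies the `srcMap` fix in GetDefaultPolicy (logic/acls.go), at least none on this page, and the bug it corrects affected access control. With both maps built from `policy.Dst`, any policy of the matching rule type whose destination contained `*` passed the default-policy check whatever its source was. A table-driven test that feeds a policy with a restricted `Src` and a `Dst` of `*`, and asserts it is not returned as the default, would stop the copy-paste from coming back. The function starts and ends outside the hunk, so how a non-matching policy is handled afterwards cannot be judged from here.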
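Review bot: The `return` added after the `user.NetworkRoles[models.AllNetworks]` check in GetUserNetworkRolesWithRemoteVPNAccess (pro/logic/user_mgmt.go, first hunk) is a naked return that relies on the named result `gwAccess`. In a function of this length `return gwAccess` shows what leaves the function, and the same applies to the `return` added in the second hunk. A short why-comment above it would record the reason the group loop is skipped, for example `// all-networks role: the "*" entry already covers every network, group roles are not consulted`, if that is the intended meaning of the `*` key. The function starts and ends outside the hunk.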
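Review bot: The new group check in the second user_mgmt.go hunk grants the `*` entry on key presence alone. `userG.NetworkRoles[models.AllNetworks]` may exist with an empty role map, or with roles that carry no remote-access permission, and the group still yields access to every network. The per-network loop just below resolves each role with `logic.GetRole(roleID)`, presumably to inspect its permissions (that part is outside the hunk), so the shortcut looks less strict than the path it bypasses. At minimum require a non-empty map, `if roles, ok := userG.NetworkRoles[models.AllNetworks]; ok && len(roles) > 0 {`, or run the all-networks roles through the same role check before returning. Because the return fires mid-loop, entries collected from groups visited earlier stay in `gwAccess`, so the returned map's contents depend on iteration order if `UserGroups` is a map.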