mrtom

join:2012-01-05

Port opening on Zywall USG100

I need to access a security module behind LAN1 with a specific program that is supposed to communicate with the module over port 9000. I have given the module a static IP and it's connected to a GS2200 switch.
On the USG I have created two address objects, one for the WAN1 interface public IP and a second for the LAN1 host module static IP. I also added a service SECURITY, TCP, starting port 9000, ending port 9000.
Then I created a NAT rule: interface WAN1, original IP the WAN1 address object and destination the LAN1 address object, port mapping type service, and selected the service I created, Security. Then I added a firewall rule from WAN1 to LAN1 allowing the same service. Did I do something wrong, or do I have to set up something else, possibly on the switch, or does it have something to do with SNAT now?


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:3

To recap,
you have the module as an address object .xxx on your LAN.
you created a service for the unique port
you created a firewall rule for that service to that port.

Not sure why you created a WAN object, should be no need.

In the NAT tab, choose Virtual Server port mapping type.
incoming interface is WANx (if you have dual WAN)
original and mapped IP are your address object
port mapping type service,
put in your defined service for original and mapped
don't enable NAT loopback.

should work.
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment


mrtom

join:2012-01-05

Ok, do I get it right: on the NAT rule the original and mapped IP should be this module's LAN address? Changed this; I had my public IP as the original IP before. Cleared loopback. But still no luck. When I check with a port checking program it says not able to ping router, port is closed.
Is there a setting for making the router pingable?



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:3

Do you have a firewall rule for that service as well?


mrtom

join:2012-01-05

Yes, I have a firewall rule for the service: source WAN1 port and destination the module LAN IP.



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:3

User and source should be ANY for your firewall rule, unless there is a specific WAN IP or range of WAN IPs accessing the server.


ZW_Joe

join:2005-10-08
San Anselmo, CA

reply to Anav

said by Anav:

original and mapped IP are your address object

Where would you put the Public WAN IP, if not as the Original IP?

ZW_Joe

join:2005-10-08
San Anselmo, CA

I'm assuming the OP has multiple WAN IPs like me.



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:3

said by ZW_SmartAs err Joe:

I'm assuming the OP has multiple WAN IPs like me.

Okay in the virtual server NAT setup, one delineates the incoming interface ie WANX. Straightforward.

As for original IP, I quote from the help file:
"Specify the destination IP address of the packets received by this NAT rule's specified incoming interface."

Mapped IP: "Select to which translated destination IP address this NAT rule forwards packets."

In our case both original and Mapped IP are the same. We want incoming traffic to go to that Lan IP over a specific Port(s)-Service.

There is no need to create an extra object here of WAN1 interface public IP.

I am assuming he doesn't mean the security module is assigned a WAN public IP (transparent or bridge type scenario). I am assuming that he does not have a package of WAN public IPs, one of which he is dedicating as a one-to-one mapping to that security module.

I am assuming he has one WAN IP and he's assigning the security module a private IP behind the router in the LAN.
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:3

reply to mrtom
Hah, and you thought I would leave it at that. My ZW, I have a gun in my hand, hey Joe--

The only difference a different WAN would make in the equation is to identify the interface as WAN Y in the virtual server NAT rule, and in the firewall rule no change; it seems to be happy to accept any WAN X or Y as input.


mrtom

join:2012-01-05


reply to Anav
I am assuming he has one WAN IP and he's assigning the security module a private IP behind the router in the LAN.

Yes, I have one WAN IP and the security module has been assigned a private IP behind the router in the LAN.
The NAT rule is virtual server, original and mapped IP are the same as the security module's. Port mapping type is service, and the pre-created service with parameters host TCP port 9000 is chosen.
The firewall rule is from WAN1 to LAN1, allow any for this service.

And it's not working. I have no clue what I have configured wrong here.



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:3

Hi Tom,

quoting you from the first post
"On USG I have created two address objects one for WAN1-interface-public ip.......
Then I created NAT rule interface WAN1, original ip WAN1 address object and destination LAN1 address"


My response to that information was......
Not sure why you created a wan object, should be no need

In other words, remove the WAN object you created (obliterate it) and simply use WANX or WAN from the pulldown menu in the virtual NAT selections. Also, you should not have used that object for the firewall rule (if you have obliterated it as per instructions it will no longer be available).

Try that and see if it works.
I am assuming you have confirmed access from a PC on the LAN by simply typing in the LANIP of the security module.
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment


ZW_Joe

join:2005-10-08
San Anselmo, CA

reply to Anav
Thank you.

It's starting to sink in.

To reiterate my gun's firewall doesn't care what WAN IP the request is going to because my gun's NAT rule will pick up the WAN IP and route it to the appropriate IP and port?

WGIH_ZW_Joe



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:3

I have no idea about your gun etc. as this is a separate thread. What I can say is that the port forwarding doesn't care what WAN IP the traffic is coming in on; it just receives the traffic, recognizes it's a service that is permitted and routes to the correct LAN IP. The firewall rule does the same thing basically, plus looks a bit deeper at the packet level and as well adds restrictive input caveats (such as specific incoming WAN IPs) (and one can add scheduling) etc.....
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment



Metoo

@frontiernet.net

I have spent two days trying to do the same thing, but I need two ports opened for both TCP and UDP. I did all the same steps here, but am using WAN1 to LAN IP, and while a port scan says the port is open, I cannot access the security DVR. Note that I easily forwarded two ports with a Netgear router and it works fine, but I need everything behind just a Zywall USG50. I have followed steps in the user guide and from posts on the net, step by step, to no avail.
The unit says to open two ports, but looking at logs from the Netgear, it looks like it also passes traffic on a different set of ports, too, though again I only opened two ports on the Netgear.



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:3

Okay Metoo. Let's get it working.
I will assume the Zyxel is replacing the Netgear and thus we do not have to worry about two routers and double NAT.

As to opening up other ports, typically a program or input request originated on the WAN side (and why we open the ports) will start an initial negotiation with your client application etc. Thus further traffic back and forth could occur on a multitude of ports because your client is going outbound to the WAN with the requests and the router then knows what to do with the return inbound traffic (in other words, if comms originate behind the router on the LAN we don't have to use port forwarding).

So in your setup you need to do two things:
a. port forwarding rules
b. matching firewall rules

Doesn't sound like you did b. yet.
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment
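As an added illustration of the two requirements Anav lists (a Virtual Server port-forwarding rule plus a matching firewall rule) and of the earlier advice that the firewall rule's source be ANY and that the WAN address object not be used in it, here is a constructed Python model of the rule path; it is not ZyWALL code, and the NAT-then-firewall order, the field names and all addresses are assumptions made for the example.

```python
"""Toy model of the ZyWALL USG Virtual Server path discussed in this thread.
Constructed example, not ZyWALL code: the NAT rule rewrites the destination
first, then the WAN -> LAN1 firewall rule is matched against the translated
packet. Rule order and field semantics are a simplifying assumption; all
addresses are made up (TEST-NET and RFC 1918 ranges)."""
from collections import namedtuple

ANY = "any"
WAN_IP, MODULE_IP, CLIENT_IP = "203.0.113.10", "192.168.1.50", "198.51.100.7"

# Packet as seen on the incoming interface.
Packet = namedtuple("Packet", "iface src_ip dst_ip proto dst_port")
# Virtual Server rule: original (WAN-side) destination -> mapped LAN destination.
NatRule = namedtuple("NatRule", "iface original_ip mapped_ip proto port")
# Zone firewall rule; destination is checked after NAT, so it is the LAN address.
FwRule = namedtuple("FwRule", "from_zone to_zone source destination proto port")

def apply_nat(pkt, rules):
    """Return the translated packet, or None if no Virtual Server rule matches."""
    for r in rules:
        if ((r.iface, r.proto, r.port) == (pkt.iface, pkt.proto, pkt.dst_port)
                and r.original_ip in (ANY, pkt.dst_ip)):
            return pkt._replace(dst_ip=r.mapped_ip)
    return None

def firewall_allows(pkt, rules):
    """Default deny: only an explicit WAN -> LAN1 match lets the packet through."""
    return any(r.from_zone == "wan" and r.to_zone == "lan1"
               and r.source in (ANY, pkt.src_ip)
               and r.destination in (ANY, pkt.dst_ip)
               and (r.proto, r.port) == (pkt.proto, pkt.dst_port) for r in rules)

def forwarded_to(pkt, nat_rules, fw_rules):
    """LAN IP the packet reaches, or None if NAT misses or the firewall drops it."""
    t = apply_nat(pkt, nat_rules)
    return t.dst_ip if t and firewall_allows(t, fw_rules) else None

# Constructed probe: an outside client connecting to the WAN address on TCP 9000,
# the SECURITY service from the first post.
PROBE = Packet("wan1", CLIENT_IP, WAN_IP, "tcp", 9000)
NAT = [NatRule("wan1", ANY, MODULE_IP, "tcp", 9000)]
FW_OK = [FwRule("wan", "lan1", ANY, MODULE_IP, "tcp", 9000)]          # source: any
FW_SRC_WAN = [FwRule("wan", "lan1", WAN_IP, MODULE_IP, "tcp", 9000)]  # source = WAN object
FW_DST_WAN = [FwRule("wan", "lan1", ANY, WAN_IP, "tcp", 9000)]        # destination = WAN object

if __name__ == "__main__":
    print("correct rules       ->", forwarded_to(PROBE, NAT, FW_OK))
    print("no firewall rule    ->", forwarded_to(PROBE, NAT, []))
    print("source = WAN object ->", forwarded_to(PROBE, NAT, FW_SRC_WAN))
    print("dest = WAN object   ->", forwarded_to(PROBE, NAT, FW_DST_WAN))
```

Only the first case reaches the module; the other three reproduce the misconfigurations discussed above, where the NAT rule matches but the firewall rule never does.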



Metoo

@frontiernet.net

Hi
Yes, I created the firewall rule, too.
Priority: 1, From: WAN, To: LAN1, Schedule: none, User: any, Source: (any or external IP range, neither works so far), Destination: Internal DVR IP, Service: DVR_GROUP (sub groups DVR_PN1_UDP, DVR_PN1_TCP, DVR_PN2_UDP, DVR_PN2_TCP), Access: allow.
Note the sub service groups are just tcp/udp for each of the two ports.

My NAT:
NAT_DVR_PN1, MapType: Virtual Server, Interface: wan1_ppp, Original IP: any (should this be different?), Mapped IP: Internal DVR_IP, Protocol: any (though I also set up 4 NAT rules, one for each port and type, still didn't work), Original Port: PN1 (have one for each rule, though as stated, tried one for each port and rule, didn't work), Mapped Port: same as Original port.

I really need this to work, this equipment is exactly what I have needed for so long, I absolutely love all the features, control, logging, etc. Tired of dealing with hackers, etc.
Thank you so much for your time!
Looking forward to getting everything else working, just need to get a forward working, and everything else should be great!



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:3

Hi Metoo..

Seems like you have everything correct...
On the firewall, you have identified the DVR IP on LAN1 as the destination. You're using the service DVR Group, which is all the ports and types (TCP, UDP etc.) that you had to create separate port forwarding rules for (since you can't group those).

There is a log feature to turn on there that might help see what is going on. How do you test these, by the way?
Do you get a friend to try and enter?

Okay, on the virtual server side, can you confirm that the original and mapped IP is the DVR IP?
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment



Metoo

@frontiernet.net

My last post never posted for some reason.
I connect via a browser, but not to port 80, and it works fine from Netgear.
Here is the rest of the post that didn't post:

Even though a port scan from grc.com shows open, I tried to connect to the DVR via web the same as works for the Netgear router, and it not only doesn't connect, but there is nothing in the firewall or other logs. As for the original IP, I thought that was external, but setting it to the same as the DVR doesn't work still.

This is just so strange. When I got this unit, there were a bunch of ports opened that I closed, etc. While I am fairly certain I didn't turn off anything I shouldn't have, I suppose I am not certain. It might be helpful to see the list of default settings for this unit, but everything else seems to work OK.
Thanks again!



Metoo

@frontiernet.net

reply to Anav
Even though a port scan from grc.com shows open, I tried to connect to the DVR via web the same as works for the Netgear router, and it not only doesn't connect, but there is nothing in the firewall or other logs. As for the original IP, I thought that was external, but setting it to the same as the DVR doesn't work still.

