lefring
Anon, @bredband2.com
Zywall 5 Full Feature NAT routing DMZ issue

Pulling my hair to understand what’s missing in my firewall configuration. Am I blind or stupid? I have tried to narrow down the configuration to make the scenario simpler, here goes:

- 16 public IP’s available from ISP
- Zyxel Zywall 5 with FW 4.04
- WAN1 IP is static and public (217.x.x.59)
- LAN IP is private (192.x.x.1)
- DMZ IP is private (172.x.x.1)
- Firewall is OFF (for now)
- One server sitting on the DMZ (IP 172.x.x.30, GW 172.x.x.1, Primary DNS 172.x.x.1, Secondary DNS pointing to ISP DNS)
- One computer sitting on the LAN, served with DHCP from the Zywall.

The main goal is to reach the .30 server in DMZ on the public IP 217.x.x.60 (i.e. an IP different to the WAN1 public IP)

When running the Zywall in SUA mode with a port 80 forwarding rule to the .30 server in the DMZ, everything works like a charm, i.e. the server responds to port 80 requests from the internet (on public IP .59), and it is possible to reach the internet from the .30 server. But as we want the server on public IP .60, and as SUA limits the number of servers reachable on port 80 in the DMZ (there will be more), we want to use Full Feature NAT.

Now then, when switching the Zywall to Full Feature NAT, things break. Here’s the continued setup:

- Adding a mapping rule (as rule #1) to bind public IP 217.x.x.60 to DMZ private IP 172.x.x.30
- Leaving the default mapping rules #2 and #3 unchanged, see mapping table:

#  Local Start IP   Local End IP     Global Start IP  Global End IP  Type
1  172.x.x.30       N/A              217.x.x.60       N/A            1-1
2  0.0.0.0          255.255.255.255  0.0.0.0          N/A            M-1
3  N/A              N/A              0.0.0.0          N/A            Server

Which leaves the system in the following state:
- The .30 server cannot reach the internet
- The .30 server cannot be reached from the internet
- The .30 server CAN be reached from the LAN on public IP .60
- The computer on the LAN can reach the internet

Let me know if any vital parameter is missing in order to point to the errors in the configuration. I have tried all kind of variants for altering the mapping table based on a bunch of articles found on this forum, but nothing works. It would be great to understand what the correct settings are in order to determine if it’s a problem with the Zywall or just a config error. Any input is greatly appreciated, I have no more hair to pull!

With kind regards
Nils Lefring
Stockholm, Sweden
OZO
Premium Member, join:2003-01-17
I'm running a couple of servers (with 1-1 rules) from the LAN without problems 1 and 2, and your settings look fine to me. The only difference is that my servers are on the LAN, while yours is on the DMZ. If that's the only reason for the router's malfunction, it's a bug that should be fixed.

Make sure that you run the latest firmware from Zyxel.

Brano
MVM, join:2002-06-25, Burlington, ON
to lefring
A few things:
1) The NAT rules are evaluated from top to bottom ... keep that in mind.
2) I believe your NAT rules should look like this (you need to test it, as I don't have a Z5 anymore). In Full Feature NAT mode:
#1 172.x.x.30 N/A 217.x.x.60 N/A 1-1
#2 192.x.x.1 192.x.x.255 217.x.x.59 N/A M-1
#3 N/A N/A 0.0.0.0 N/A Server

3) Ensure your default firewall rules and specific ports are opened accordingly (try with any/all first).

I'd also check with your ISP how they're routing to you. I'm guessing your ISP gave you a /28 subnet, which would be 14 usable IP addresses + subnet ID + broadcast (16 IPs; the first and last are special).
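The rule table and the two points above (top-to-bottom evaluation, and the /28 arithmetic), as an added example that is not code from the thread or from Zyxel: a small Python model of a Zywall-style address-mapping table in which the first matching rule wins. The semantics given to the 1-1, M-1 and Server types are assumptions about the device, not Zyxel documentation, and the model does not claim to reproduce ZyNOS internals or to explain why the original table failed. All addresses are constructed stand-ins: the RFC 5737 documentation block 203.0.113.0/24 replaces the elided 217.x.x.0 range, and RFC 1918 addresses replace the elided LAN and DMZ subnets.

```python
"""Toy model of a Zywall-style NAT address-mapping table (added example).

Assumed rule semantics (not Zyxel documentation):
  1-1    : one local IP <-> one global IP, both directions, all ports
  M-1    : a local range is masqueraded behind one global IP (outbound only)
  Server : inbound traffic to a global IP (0.0.0.0 = the WAN interface IP)
           is dispatched through a separate port-forwarding table
The table is evaluated top to bottom and the first match wins.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address
from typing import Optional

# Constructed addresses: the thread elides the real ISP octets, so the
# RFC 5737 documentation range 203.0.113.0/24 stands in for 217.x.x.0/28.
WAN_IP  = ip_address("203.0.113.59")   # stands in for 217.x.x.59 (WAN1)
DMZ_PUB = ip_address("203.0.113.60")   # stands in for 217.x.x.60
SERVER  = ip_address("172.16.1.30")    # stands in for 172.x.x.30 (DMZ host)
LAN_PC  = ip_address("192.168.1.50")   # a DHCP client on the LAN
ANY     = ip_address("0.0.0.0")        # "0.0.0.0" in the Global column = WAN IP


@dataclass(frozen=True)
class Rule:
    kind: str                           # "1-1", "M-1" or "Server"
    local_start: Optional[IPv4Address]  # None == "N/A"
    local_end: Optional[IPv4Address]    # None == single address
    global_ip: IPv4Address


def R(kind, local_start, local_end, global_ip):
    """Build a Rule from the GUI's string columns; 'N/A' becomes None."""
    def conv(s):
        return None if s == "N/A" else ip_address(s)
    return Rule(kind, conv(local_start), conv(local_end), ip_address(global_ip))


def _matches_local(rule, ip):
    if rule.local_start is None:
        return False
    if rule.local_end is None:
        return ip == rule.local_start
    return rule.local_start <= ip <= rule.local_end


def outbound(table, src):
    """Return (rule number, global source IP) chosen for a packet from src."""
    for n, rule in enumerate(table, start=1):
        if rule.kind == "Server":
            continue                    # Server rules describe inbound only
        if _matches_local(rule, src):
            g = WAN_IP if rule.global_ip == ANY else rule.global_ip
            return n, g
    return None                         # no rule matched: not translated


def inbound(table, dst, dport, port_forwards=()):
    """Return (private IP, port) for a packet to dst:dport, or None."""
    for rule in table:
        g = WAN_IP if rule.global_ip == ANY else rule.global_ip
        if rule.kind == "1-1" and g == dst:
            return rule.local_start, dport          # static, every port
        if rule.kind == "Server" and g == dst:
            for port, inside in port_forwards:      # "Port Forwarding" page
                if port == dport:
                    return inside, dport
    return None


# The corrected table from this post: the LAN is masqueraded behind .59
# explicitly and the DMZ host keeps its own 1-1 public address.
FIXED = [
    R("1-1",    "172.16.1.30", "N/A",           "203.0.113.60"),
    R("M-1",    "192.168.1.1", "192.168.1.255", "203.0.113.59"),
    R("Server", "N/A",         "N/A",           "0.0.0.0"),
]

# Same rules with the 1-1 entry placed after a catch-all M-1: because the
# table is read top to bottom, the DMZ host now leaves behind the WAN IP.
MISORDERED = [
    R("M-1",    "0.0.0.0",     "255.255.255.255", "0.0.0.0"),
    R("1-1",    "172.16.1.30", "N/A",             "203.0.113.60"),
    R("Server", "N/A",         "N/A",             "0.0.0.0"),
]


def usable_hosts(cidr):
    """(host count, network address, broadcast) for a block such as a /28."""
    net = IPv4Network(cidr)
    return net.num_addresses - 2, net.network_address, net.broadcast_address


if __name__ == "__main__":
    print("DMZ host outbound:      ", outbound(FIXED, SERVER))
    print("LAN client outbound:    ", outbound(FIXED, LAN_PC))
    print("inbound to .60:443:     ", inbound(FIXED, DMZ_PUB, 443))
    print("inbound to .59:80 (fwd):", inbound(FIXED, WAN_IP, 80, [(80, SERVER)]))
    print("misordered, DMZ host:   ", outbound(MISORDERED, SERVER))
    print("/28 block:              ", usable_hosts("203.0.113.48/28"))
```

Running it shows the DMZ host leaving on .60 and the LAN client on .59 under the corrected table, inbound .60 landing on the DMZ host on every port, a port-forward entry on the WAN IP still reaching the same host, and the misordered table silently masquerading the DMZ host behind .59, which is the ordering pitfall point 1 warns about.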

lefring
Anon, @telia.com
to lefring
Brano, you are my hero. I changed the second NAT rule and everything started working. I've also managed to strangle the server access with firewall rules, so now we're good to go! And you're guessing right with regards to the IP range given to us by our ISP.

Thanks a million for your quick and accurate response.
Best
/Nils
OZO
Premium Member
to Brano
I'm glad to hear that the OP has resolved the issue :)

Now, theoretical question (and I'm almost certain it should work, but anyway, asking for confirmation). Will M-1 rule work for DMZ too?
#1 172.x.x.0 172.x.x.255 217.x.x.60 N/A M-1
#2 192.x.x.1 192.x.x.255 217.x.x.59 N/A M-1
#3 0.0.0.0 255.255.255.255 0.0.0.0 N/A M-1
#4 N/A N/A 0.0.0.0 N/A Server
 

Brano
MVM
Yes, it should.
OZO
Premium Member
Thank you. Any idea how to forward ports in the DMZ?

I wouldn't ask that question if I saw where to put the WAN IP mapped to the DMZ segment in the "Port Forwarding" page...

Brano
MVM
Don't know, I've never tried that.
But try entering them on the port forwarding screen; if the system is smart enough, it will apply the NAT rules first and then use the port forwarding entries. ...if you ever try it, please report back the result.
Also check CLI, there may be some specific command to do port forwarding with WAN IP specified.

Anav
Premium Member, join:2001-07-16, Dartmouth, NS
If the entire DMZ is mapped to a different external public WAN IP, then port forwarding will not work. My thinking is that port forwarding is functional for the IP associated with the router (and thus the primary LAN; but if the DMZ is strictly used as a separate LAN utilizing the same public IP associated with the router, it should work).

Brano
MVM
You're probably right, but it's worth a test.
OZO
Premium Member
to Brano
Unfortunately, at this point I can't test it. So the question remains purely theoretical at this time. But when I do it, I'll return to this thread to report.

After a bit of contemplation about the problem (in the "Port Forwarding" page there is no "Global IP"), I think the developers could do port forwarding correctly based on the "Server IP Address" field in the page. If the server IP belongs to the DMZ, they know that forwarding should be done from IP 217.x.x.60. If that record points to a LAN IP, they should use the default WAN IP 217.x.x.59. In this case I don't see any contradictions here so far. Whether they implemented it or not still remains the question, though...

lefring
Anon, @bredband2.com
to Brano
I have now tested the scenario of forwarding ports to the DMZ in combination with NAT rules, i.e. having a server in the DMZ respond to requests from the internet on a designated public IP through Full Feature NAT, as well as respond to requests from the internet via the WAN1 public IP through Port Forwarding Rules. It works: the server responds to requests on both public IPs, so the router seems to be able to blend NAT rules with Port Forwarding Rules. Config was done through the GUI. I have _not_ tested this with the M-1 rule for the DMZ, only using my setup with the 1-1 rule for the DMZ.

Brano
MVM
The port forwarding is going to work on single M-1 rule, but the question really is whether you can do port forwarding on multiple M-1 rules i.e. for LAN and DMZ.