lefring
Anon
2013-Jan-23 8:35 am
Zywall 5 Full Feature NAT routing DMZ issue
Pulling my hair out trying to understand what's missing in my firewall configuration. Am I blind or stupid? I have tried to narrow down the configuration to make the scenario simpler, here goes:
- 16 public IPs available from ISP
- Zyxel Zywall 5 with FW 4.04
- WAN1 IP is static and public (217.x.x.59)
- LAN IP is private (192.x.x.1)
- DMZ IP is private (172.x.x.1)
- Firewall is OFF (for now)
- One server sitting on the DMZ (IP 172.x.x.30, GW 172.x.x.1, Primary DNS 172.x.x.1, Secondary DNS pointing to ISP DNS)
- One computer sitting on the LAN, served with DHCP from the Zywall.
The main goal is to reach the .30 server in DMZ on the public IP 217.x.x.60 (i.e. an IP different to the WAN1 public IP)
When running the Zywall in SUA mode with a port 80 forwarding rule to the .30 server in the DMZ, everything works like a charm, i.e. the server responds to port 80 requests from the internet (on public IP .59), and it is possible to reach the internet from the .30 server. But as we want the server on public IP .60, and as SUA limits the number of servers reachable on port 80 in the DMZ (there will be more), we want to use Full Feature NAT.
Now then, when switching the Zywall to Full Feature NAT, things break. Here's the continued setup:
- Adding a mapping rule (as rule #1) to bind public IP 217.x.x.60 to DMZ private IP 172.x.x.30
- Leaving the default mapping rules #2 and #3 unchanged, see mapping table:
#  Local Start IP  Local End IP     Global Start IP  Global End IP  Type
1  172.x.x.30      N/A              217.x.x.60       N/A            1-1
2  0.0.0.0         255.255.255.255  0.0.0.0          N/A            M-1
3  N/A             N/A              0.0.0.0          N/A            Server
Which leaves the system in the following state:
- The .30 server cannot reach the internet
- The .30 server cannot be reached from the internet
- The .30 server CAN be reached from the LAN on public IP .60
- The computer on the LAN can reach the internet
Let me know if any vital parameter is missing in order to point to the errors in the configuration. I have tried all kinds of variants for altering the mapping table based on a bunch of articles found on this forum, but nothing works. It would be great to understand what the correct settings are in order to determine if it's a problem with the Zywall or just a config error. Any input is greatly appreciated, I have no more hair to pull!
With kind regards, Nils Lefring, Stockholm, Sweden
OZO
Premium Member
2013-Jan-23 2:36 pm
I'm running a couple of servers (with 1-1 rules) from the LAN without problems 1 and 2, and your settings look fine to me. The only difference is that my servers are on LAN, while yours is on DMZ. If that's the only reason for the malfunction of the router, it's a bug that should be fixed.
Make sure that you run the latest firmware from Zyxel.
Brano
MVM
to lefring
A few things:
1) The NAT rules are evaluated from top to bottom ... keep that in mind.
2) I believe your NAT rules should look like this (you need to test it as I don't have a Z5 anymore). In full NAT mode:
#1 172.x.x.30 N/A 217.x.x.60 N/A 1-1
#2 192.x.x.1 192.x.x.255 217.x.x.59 N/A M-1
#3 N/A N/A 0.0.0.0 N/A Server
3) Ensure your default firewall rules and specific ports are opened accordingly (try with and/all first).
I'd also check with your ISP how they're routing to you. I'm guessing your ISP gave you a /28 subnet, which would be 14 usable IP addresses + subnet ID + broadcast (16 IPs, first and last are special).
lefring
Anon
2013-Jan-24 3:07 pm
to lefring
Brano, you are my hero. I changed the second NAT rule and everything started working. I've also managed to strangle the server access with firewall rules, so now we're good to go! And you're guessing right with regards to the IP range given to us by our ISP.
Thanks a million for your quick and accurate response. Best /Nils
OZO
Premium Member
2013-Jan-24 3:30 pm
to Brano
I'm glad to hear that OP has resolved the issue :) Now, a theoretical question (and I'm almost certain it should work, but anyway, asking for confirmation). Will an M-1 rule work for DMZ too?
#1 172.x.x.0 172.x.x.255 217.x.x.60 N/A M-1
#2 192.x.x.1 192.x.x.255 217.x.x.59 N/A M-1
#3 0.0.0.0 255.255.255.255 0.0.0.0 N/A M-1
#4 N/A N/A 0.0.0.0 N/A Server
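As an added example, not code from the thread or from Zyxel: a small Python model of the two mapping tables discussed (Brano's 1-1 table for the DMZ host, and the all-M-1 variant in this post), read top to bottom with the first match winning as Brano describes, plus a check that every global IP sits inside the ISP's /28 and is not its network or broadcast address. Addresses are constructed RFC 5737/1918 stand-ins for the thread's x.x values, and treating a Global IP of 0.0.0.0 as "the WAN IP" is an assumption.

```python
import ipaddress as ip

# Constructed stand-ins: a /28 from the ISP (.48 network, .63 broadcast), WAN1 on .59, DMZ server on .60.
ISP_BLOCK = ip.ip_network("203.0.113.48/28")
WAN1 = ip.ip_address("203.0.113.59")
ANY = ip.ip_address("0.0.0.0")  # assumption: 0.0.0.0 as Global IP means "use the WAN IP"

def rule(local_start, local_end, global_ip, kind):
    """One row of the mapping table; an 'N/A' local range (Server rows) matches no outbound source."""
    lo = None if local_start == "N/A" else ip.ip_address(local_start)
    hi = lo if local_end == "N/A" else ip.ip_address(local_end)
    return {"lo": lo, "hi": hi, "global": ip.ip_address(global_ip), "kind": kind}

def translate(table, src):
    """Top to bottom, first match wins: the public IP traffic from src leaves on, or None."""
    src = ip.ip_address(src)
    for r in table:
        if r["lo"] is not None and r["lo"] <= src <= r["hi"]:
            return WAN1 if r["global"] == ANY else r["global"]
    return None

def lint(table):
    """Pre-deployment checks: globals inside the ISP block, not net/bcast, no row shadowed by an earlier one."""
    findings = []
    for i, r in enumerate(table, 1):
        g = r["global"]
        if g != ANY and g not in ISP_BLOCK:
            findings.append(f"rule {i}: {g} is outside the ISP block {ISP_BLOCK}")
        elif g in (ISP_BLOCK.network_address, ISP_BLOCK.broadcast_address):
            findings.append(f"rule {i}: {g} is the network or broadcast address")
        if r["lo"] is None:
            continue
        # a row is dead if an earlier row's local range already covers all of its own
        for j, e in enumerate(table[: i - 1], 1):
            if e["lo"] is not None and e["lo"] <= r["lo"] and r["hi"] <= e["hi"]:
                findings.append(f"rule {i} is shadowed by rule {j}")
                break
    return findings

# Brano's suggested table: DMZ host 1-1 on .60, LAN M-1 on WAN1, default Server row.
BRANO = [rule("172.16.1.30", "N/A", "203.0.113.60", "1-1"),
         rule("192.168.1.1", "192.168.1.255", "203.0.113.59", "M-1"),
         rule("N/A", "N/A", "0.0.0.0", "Server")]
# OZO's variant: whole DMZ M-1 on .60, LAN M-1 on .59, catch-all M-1 on the WAN IP, Server row.
OZO = [rule("172.16.1.0", "172.16.1.255", "203.0.113.60", "M-1"),
       rule("192.168.1.1", "192.168.1.255", "203.0.113.59", "M-1"),
       rule("0.0.0.0", "255.255.255.255", "0.0.0.0", "M-1"),
       rule("N/A", "N/A", "0.0.0.0", "Server")]
# The same rows with the catch-all moved to the top: it now swallows DMZ and LAN traffic.
MISORDERED = [OZO[2], OZO[0], OZO[1], OZO[3]]
```

Running `lint(MISORDERED)` reports rules 2 and 3 as shadowed by rule 1, which is the ordering mistake Brano's first point warns about.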
Brano
MVM
2013-Jan-24 9:07 pm
Yes, it should.
OZO
Premium Member
2013-Jan-24 9:31 pm
Thank you. Any idea how to forward ports in DMZ?
I wouldn't ask that question if I could see where to put the WAN IP mapped to the DMZ segment in the "Port Forwarding" page...
Brano
MVM
2013-Jan-24 9:37 pm
Don't know, I've never tried that. But try entering them on the port forwarding screen; if the system is smart enough it will apply the NAT rules first and then use the port forwarding entries. ...if you ever try it, please report back the result. Also check the CLI, there may be some specific command to do port forwarding with the WAN IP specified.
Anav
Premium Member
2013-Jan-24 9:46 pm
If the entire DMZ is mapped to a different external public WAN IP then port forwarding will not work. My thinking is that port forwarding is functional for the IP associated with the router (and thus the primary LAN - but if the DMZ is strictly used as a separate LAN utilizing the same public IP associated with the router it should work).
Brano
MVM
2013-Jan-24 9:49 pm
You're probably right, but it's worth a test.
OZO
Premium Member
2013-Jan-24 11:27 pm
to Brano
Unfortunately at this point I can't test it. So, the question remains purely theoretical at this time. But when I do it, I'll return to this thread to report.
After a bit of contemplation about the problem (in the "Port Forwarding" page there is no "Global IP"), I think the developers could do port forwarding correctly based on the "Server IP Address" field in the page. If the server IP belongs to the DMZ, they know that forwarding should be done from IP 217.x.x.60. If that record points to a LAN IP, they should use the default WAN IP 217.x.x.59. In this case I don't see any contradictions here so far. Whether they implemented it or not still remains the question though...
lefring
Anon
2013-Jan-25 6:27 am
to Brano
I have now tested the scenario of forwarding ports to the DMZ in combination with NAT rules, i.e. having a server in the DMZ respond to requests from the internet on a designated public IP through Full Feature NAT, as well as respond to requests from the internet via the WAN1 public IP through Port Forwarding rules. It works, the server responds to requests on both public IPs, so the router seems to be able to blend NAT rules with Port Forwarding rules. Config was done through the GUI. I have _not_ tested this with the M-1 rule for the DMZ, only using my setup with a 1-1 rule for the DMZ.
Brano
MVM
2013-Jan-25 6:59 am
Port forwarding is going to work on a single M-1 rule, but the question really is whether you can do port forwarding on multiple M-1 rules, i.e. for LAN and DMZ.