Brano (MVM, join:2002-06-25, Burlington, ON) to lefring

Re: Zywall 5 Full Feature NAT routing DMZ issue

A few things:
1) The NAT rules are evaluated from top to bottom ... keep that in mind.
2) I believe your NAT rules should look like this (you need to test it as I don't have a Z5 anymore). In full NAT mode:
#1 172.x.x.30 N/A 217.x.x.60 N/A 1-1
#2 192.x.x.1 192.x.x.255 217.x.x.59 N/A M-1
#3 N/A N/A 0.0.0.0 N/A Server

3) Ensure your default firewall rules and specific ports are opened accordingly (try with any/all first).

I'd also check with your ISP how they're routing to you. I'm guessing your ISP gave you a /28 subnet, which would be 14 usable IP addresses + subnet ID + broadcast (16 IPs, first and last are special).
OZO (Premium Member, join:2003-01-17)
I'm glad to hear that the OP has resolved the issue :)

Now, a theoretical question (and I'm almost certain it should work, but anyway, asking for confirmation). Will the M-1 rule work for the DMZ too?
#1 172.x.x.0 172.x.x.255 217.x.x.60 N/A M-1
#2 192.x.x.1 192.x.x.255 217.x.x.59 N/A M-1
#3 0.0.0.0 255.255.255.255 0.0.0.0 N/A M-1
#4 N/A N/A 0.0.0.0 N/A Server
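
As an added illustration (not code from this thread or from ZyXEL), here is a small Python model of the top-to-bottom, first-match evaluation that Brano's point 1) describes, applied to both rule tables above. The addresses are constructed stand-ins for the thread's 172.x.x.x / 192.x.x.x / 217.x.x.x, the 1-1 offset mapping and the treatment of "Server" rows as inbound-only are assumptions, and the point it makes is that the 0.0.0.0-255.255.255.255 catch-all row must sit below the DMZ and LAN rows or it swallows them.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NatRule:
    """One row of the ZyWALL address-mapping table (None stands for the GUI's N/A)."""
    local_start: Optional[str]
    local_end: Optional[str]
    global_start: Optional[str]
    global_end: Optional[str]
    kind: str  # "1-1", "M-1" or "Server"


def translate(rules: List[NatRule], src_ip: str) -> Optional[Tuple[int, str]]:
    """Walk the table top to bottom; return (row number, global IP) of the first
    outbound row whose local range contains src_ip, or None if nothing matches."""
    src = ipaddress.ip_address(src_ip)
    for row, r in enumerate(rules, start=1):
        if r.kind == "Server" or r.local_start is None:
            continue  # assumed: Server rows describe inbound mappings, not source NAT
        lo = ipaddress.ip_address(r.local_start)
        hi = ipaddress.ip_address(r.local_end) if r.local_end else lo
        if not (lo <= src <= hi):
            continue
        if r.kind == "1-1":
            # assumed 1-1 semantics: n-th local address maps to n-th global address
            return row, str(ipaddress.ip_address(r.global_start) + (int(src) - int(lo)))
        return row, r.global_start  # M-1: the whole local range shares one global IP


# Constructed sample addresses (documentation range) standing in for the thread's.
DMZ_IP, WAN_IP, WAN_ANY = "203.0.113.60", "203.0.113.59", "0.0.0.0"

BRANO_RULES = [  # first post: one DMZ host on its own public IP, then LAN as M-1
    NatRule("172.16.1.30", None, DMZ_IP, None, "1-1"),
    NatRule("192.168.1.1", "192.168.1.255", WAN_IP, None, "M-1"),
    NatRule(None, None, WAN_ANY, None, "Server"),
]
OZO_RULES = [  # follow-up: whole DMZ subnet as M-1, plus a catch-all row
    NatRule("172.16.1.0", "172.16.1.255", DMZ_IP, None, "M-1"),
    NatRule("192.168.1.1", "192.168.1.255", WAN_IP, None, "M-1"),
    NatRule("0.0.0.0", "255.255.255.255", WAN_ANY, None, "M-1"),
    NatRule(None, None, WAN_ANY, None, "Server"),
]


def catch_all_first(rules: List[NatRule]) -> List[NatRule]:
    """Same table with any 0.0.0.0-255.255.255.255 row moved to the top (the misordering)."""
    wide = [r for r in rules if r.local_start == "0.0.0.0" and r.local_end == "255.255.255.255"]
    return wide + [r for r in rules if r not in wide]
```

Running `translate(OZO_RULES, "172.16.1.30")` selects row 1 and the DMZ public IP, while the same host against `catch_all_first(OZO_RULES)` hits the catch-all row instead, which is exactly the ordering problem the thread warns about.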

Brano (MVM, join:2002-06-25, Burlington, ON)
Yes, it should.
OZO (Premium Member, join:2003-01-17)
Thank you. Any idea how to forward ports in the DMZ?

I wouldn't ask that question if I saw where to put the WAN IP mapped to the DMZ segment on the "Port Forwarding" page...

Brano (MVM, join:2002-06-25, Burlington, ON)
Don't know, I've never tried that.
But try entering them on the port forwarding screen; if the system is smart enough it will apply the NAT rules first and then use the port forwarding entries. If you ever try it, report back the result please.
Also check the CLI; there may be some specific command to do port forwarding with the WAN IP specified.

Anav (Premium Member, join:2001-07-16, Dartmouth, NS)
If the entire DMZ is mapped to a different external public WAN IP then port forwarding will not work. My thinking is that port forwarding is functional for the IP associated with the router (and thus the primary LAN), but if the DMZ is strictly used as a separate LAN utilizing the same public IP associated with the router, it should work.

Brano (MVM, join:2002-06-25, Burlington, ON)
You're probably right, but it's worth a test.
OZO (Premium Member, join:2003-01-17) to Brano
Unfortunately at this point I can't test it. So, the question remains purely theoretical at this time. But when I do it, I'll return to this thread to report.

After a bit of contemplation about the problem (on the "Port Forwarding" page there is no "Global IP"), I think the developers could do port forwarding correctly based on the "Server IP Address" field on that page. If the server IP belongs to the DMZ, they know that forwarding should be done from IP 217.x.x.60. If that record points to a LAN IP, they should use the default WAN IP 217.x.x.59. In this case I don't see any contradictions here so far. Whether they implemented it or not still remains the question though...

lefring (Anon, @bredband2.com) to Brano
I have now tested the scenario of forwarding ports to the DMZ in combination with NAT rules, i.e., having a server in the DMZ respond to requests from the internet on a designated public IP through Full Feature NAT, as well as respond to requests from the internet via the WAN1 public IP through Port Forwarding Rules. It works: the server responds to requests on both public IPs, so the router seems to be able to blend NAT rules with Port Forwarding Rules. Config was done through the GUI. I have _not_ tested this with the M-1 rule for the DMZ, only using my setup with the 1-1 rule for the DMZ.

Brano (MVM, join:2002-06-25, Burlington, ON)
The port forwarding is going to work on a single M-1 rule, but the question really is whether you can do port forwarding on multiple M-1 rules, i.e., for LAN and DMZ.