USG 20 DNS domain zone forwarding issue with static LAN IPs
I am replacing an old ZyWall 5 with USG 20. Currently there is less than ten computers in LAN which gets the IPs from DHCP. I have also configured a custom content filter for DHCP clients, so that they can only access a few business related sites and software updates. Moreover, there are also some computers that have manually assigned static IPs.
Static IPs are used so that those computers have full access to Internet, bypassing the content filter. Primary DNS server for every
computer, those using DHCP and also those with static IPs, is the ZyWall 5. And everything works that way, ZyWall 5 is acting as a DNS relay as it should be.
Now here's the problem. With the USG 20 configured the exact same way, those static IP clients cant resolve DNS queries. Actually it seems like I can't even connect to USG 20 with a manually assigned static IP. However, if I use IP/MAC binding then everything works, including Internet. I guess it's OK, but to me that just seems unnecessary and causes extra work if new computers are added to non-restricted zone.
What could be the problem? I noticed that the ISP's DNS server IPs are actually LAN IPs but that shouldn't be it because ZyWall 5 works fine. USG 20 firmware version is 3.00(BDQ.4). Both firewalls are behind a bridged DSL router.
Any help appreciated.
BranoI hate VogonsPremium,MVM
You don't need to use IP/MAC binding, you've miss-configured something.
|reply to Spessu |
Did you mean that your IP's DNS server's IP addresses are in the same subnet as your LAN subnet? If so, then you might try changing your LAN address range to some other subnet (that your network mask would differentiate) and see what happens.
Alright thanks, I will try to find out what's wrong.
No, they are not in the same subnet. I use 192.168.1.x and ISP's DNS was something like 193.x.x.x. And now I also realized that they aren't private network addresses as I thought at first.
Anyways, thanks for the help. I need to check the config again carefully.
I too am interested in the response to this. I have a USG50, and mine exhibits the same procedure. If I get my IP using the built in DHCP function of the USG50, everything is golden. If I assign a static IP, using the same gateway/dns servers I got using DHCP, then the client has no internet access. I can't ping the ZyWall, can't resolve DNS, etc. Flip the client back to DHCP and everything is fine.
|reply to Spessu |
At the risk of incorrectly solving the ambiguity in the messages above, one path leads to the following:
Computers on a LAN for which one has assigned a static address must have an address that is within the scope of the LAN's gateway address considering the network mask (default 255.255.255.0). Using the default setup, LAN 1 port on the USG has the address of 192.168.1.1. Normally, everything attached to that port has to have an address in the range of 192.168.1.2 to 192.168.1.254.
An exception is that devices could live in a VLAN (established by the USG) that is assigned to that port, e.g., VLAN 99 would have a port address of 192.168.99.1. In the latter case, the port becomes a trunk and has to connect to a trunk port on a managed switch that can separate the VLAN associated device ports from the default VLAN 1 ports connected devices that think they are connected to LAN 1 of the USG.
So, I don't think that establishing downstream devices with static addresses outside of the range of the LAN 1 port address will work as you expect them to unless somehow the LAN 1 port is bridged from the WAN.
I use IP/MAC binding to ensure that no innocent passerby device steals an IP address, but as Brano points out above, it should be sufficient to set the desired address inside a device and have it work. But, the paragraph 2 requirement still holds.
If this helps somone,
I lost quiet a lot of time with the DNS issue and devices with fixed IP addresses... on my Zywall USG 100.
It seems that you have to go to "Configuration + Network + IP/MAC Binding", and put the MAC address + Fixed IP Address of your device, and only then your device will be able to get a reply to the DNS requests from the Zywall ! Very unlogical as this was not necessary on previous the Zywall UTM 35.
Headhach, but resolved thanks to your above posts. Thanks !
AnavSarcastic Llama? Naw, Just AcerbicPremium
Thanks toysoft, excellent observation to throw into this thread!!
By the way, I love your line I lost quiet time.
The way I see it
You lost quite a lot of time AND.....
You also lost quiet time (peace of mind perhaps and all that cursing and yelling and screaming LOL).
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"
Thanks for the wording fix ;o))), after the USG parameter fixing.