dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
3718
share rss forum feed

Spessu

join:2013-03-10
finland

2 edits

USG 20 DNS domain zone forwarding issue with static LAN IPs

Hi!

I am replacing an old ZyWall 5 with USG 20. Currently there is less than ten computers in LAN which gets the IPs from DHCP. I have also configured a custom content filter for DHCP clients, so that they can only access a few business related sites and software updates. Moreover, there are also some computers that have manually assigned static IPs.

Static IPs are used so that those computers have full access to Internet, bypassing the content filter. Primary DNS server for every
computer, those using DHCP and also those with static IPs, is the ZyWall 5. And everything works that way, ZyWall 5 is acting as a DNS relay as it should be.

Now here's the problem. With the USG 20 configured the exact same way, those static IP clients cant resolve DNS queries. Actually it seems like I can't even connect to USG 20 with a manually assigned static IP. However, if I use IP/MAC binding then everything works, including Internet. I guess it's OK, but to me that just seems unnecessary and causes extra work if new computers are added to non-restricted zone.

What could be the problem? I noticed that the ISP's DNS server IPs are actually LAN IPs but that shouldn't be it because ZyWall 5 works fine. USG 20 firmware version is 3.00(BDQ.4). Both firewalls are behind a bridged DSL router.

Any help appreciated.



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10

You don't need to use IP/MAC binding, you've miss-configured something.


Kirby Smith

join:2001-01-26
Derry, NH
Reviews:
·Fairpoint Commun..
reply to Spessu

Spessu:

Did you mean that your IP's DNS server's IP addresses are in the same subnet as your LAN subnet? If so, then you might try changing your LAN address range to some other subnet (that your network mask would differentiate) and see what happens.

kirby


Spessu

join:2013-03-10
finland

Brano:
Alright thanks, I will try to find out what's wrong.

Kirby Smith:
No, they are not in the same subnet. I use 192.168.1.x and ISP's DNS was something like 193.x.x.x. And now I also realized that they aren't private network addresses as I thought at first.

Anyways, thanks for the help. I need to check the config again carefully.



Confused USG

@sbcglobal.net

I too am interested in the response to this. I have a USG50, and mine exhibits the same procedure. If I get my IP using the built in DHCP function of the USG50, everything is golden. If I assign a static IP, using the same gateway/dns servers I got using DHCP, then the client has no internet access. I can't ping the ZyWall, can't resolve DNS, etc. Flip the client back to DHCP and everything is fine.


Kirby Smith

join:2001-01-26
Derry, NH
Reviews:
·Fairpoint Commun..
reply to Spessu

At the risk of incorrectly solving the ambiguity in the messages above, one path leads to the following:

Computers on a LAN for which one has assigned a static address must have an address that is within the scope of the LAN's gateway address considering the network mask (default 255.255.255.0). Using the default setup, LAN 1 port on the USG has the address of 192.168.1.1. Normally, everything attached to that port has to have an address in the range of 192.168.1.2 to 192.168.1.254.

An exception is that devices could live in a VLAN (established by the USG) that is assigned to that port, e.g., VLAN 99 would have a port address of 192.168.99.1. In the latter case, the port becomes a trunk and has to connect to a trunk port on a managed switch that can separate the VLAN associated device ports from the default VLAN 1 ports connected devices that think they are connected to LAN 1 of the USG.

So, I don't think that establishing downstream devices with static addresses outside of the range of the LAN 1 port address will work as you expect them to unless somehow the LAN 1 port is bridged from the WAN.

I use IP/MAC binding to ensure that no innocent passerby device steals an IP address, but as Brano points out above, it should be sufficient to set the desired address inside a device and have it work. But, the paragraph 2 requirement still holds.

kirby


toysoft

join:2008-07-24

If this helps somone,

I lost quiet a lot of time with the DNS issue and devices with fixed IP addresses... on my Zywall USG 100.

It seems that you have to go to "Configuration + Network + IP/MAC Binding", and put the MAC address + Fixed IP Address of your device, and only then your device will be able to get a reply to the DNS requests from the Zywall ! Very unlogical as this was not necessary on previous the Zywall UTM 35.

Headhach, but resolved thanks to your above posts. Thanks !

TS



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5

Thanks toysoft, excellent observation to throw into this thread!!

By the way, I love your line I lost quiet time.
The way I see it
You lost quite a lot of time AND.....
You also lost quiet time (peace of mind perhaps and all that cursing and yelling and screaming LOL).
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment


toysoft

join:2008-07-24

Thanks for the wording fix ;o))), after the USG parameter fixing.

TS