GogNav

join:2010-08-02

Zyxel USG 20 / Multiple public ip addresses

Hello everyone,

I know many forums talk about this, but I have honestly spent quite some time configuring my Zywall USG 20 (first time I'm having a look at one of these), and now I'm so confused, I need your help.

Here is the setup I'm trying to do :



For now, my 3 local addresses 192.168.x.x go through the default wan address (109.xxx.xxx.2).

I would like to configure my zywall so that I can add two other public IPs, so that networks 192.168.2.x and 192.168.3.x are accessible from outside using addresses 109.xxx.xxx.3 and 109.xxx.xxx.4 with NAT & firewall rules.

From what I have read, I thought that by creating two VLANs, using the zone WAN and setting an external IP on each, I would then create two bridges to link vlan1 to my lan1 and vlan2 to my lan2.

But whatever I do, either it doesn't work, or it crashes my zywall.

Any help would be really appreciated



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4

Interesting scenario.
I would suspect you need to either create two additional policy routing rules in addition to the current one, or create 1-to-1 SNAT rules.
(under NETWORK - NAT)

Instead of virtual server, select 1:1 NAT.

Will need corresponding FW rules.
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment


GogNav

join:2010-08-02
reply to GogNav

Here is the default setup :



I have reset the Zywall and disabled the firewall.

Now what am I supposed to do? (so I have removed the vlans, the bridges, ...) :

NAT or not ? ^^



Policy route (need help for the data to enter) :



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10
reply to GogNav

I've never done this, but if I had multiple IPs I'd create virtual interfaces on wan1 interface, one for each additional WAN IP and then I'd add routing rules for each LAN to WAN interface as desired.



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4

reply to GogNav

To recap
The USG 20 is assigned ISP 109..........2
You have two more IPs you can assign .3 and .4

LAN1 falls under the router per se and thus is fed from the .2 IP
and here both firewalls and virtual servers (PAT) apply.

LAN2 falls under public IP .3 and firewall rules apply

DMZ falls under public IP .4 and firewall rules apply.

It has always been my understanding that the router will only apply PAT (virtual servers) on the IP associated with the router.

One uses policy routes to ensure the users on the networks can reach the internet.

I don't think that VLANs are required at all.

The question is how to assign the other IPs to the other LAN subnets (LAN2 and DMZ).

______________________________
Set up policy route for LAN1
Basically incoming interface is lan1
source address is lan1 subnet
destination any
source any
next hop Wan1 .2 IP address
SNAT outgoing interface.

I believe the routing above is generated automatically, but I'm not sure.

Setup policy routes for other IPs.

description: LAN2toWANIP3
user: any
incoming: any (excluding zywall)
dest: LAN2 Subnet
dspcode:any
Sched: none
service: any
next hop: auto
AddressTranslation (create address object for .3 public IP)

Do the same for the other IP.

description: DMZtoWANIP4
user: any
incoming: any (excluding zywall)
dest: DMZ Subnet
dspcode:any
Sched: none
service: any
next hop: auto
AddressTranslation (create address object for .4 public IP)

Ethernet wise you probably need to set up all three LANs (lan1, lan2 and dmz).
I am just not sure how you assign the three IPs to the single external interface?


GogNav

join:2010-08-02

Thank you Anav, you put me on the right track!

You were right: there is no reason to create vlans, I just didn't see where I could create virtual interfaces:



Once created, I added 4 policy routes for my 4 public IPs:



And it worked!!!!

But I don't understand one thing: why is the destination address my lan2_subset and my translation address my wan 3? For me, I would have done the opposite: anything from lan 2 goes to wan 2 (you said that the policy route is to configure the local network to be able to connect to the internet). I would appreciate your explanation.

And now I can add my NAT & Firewall rules... and I have a last big issue and I'm finally set! Great forum!



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4

Awesomeness, I might even treat myself to easter bunny chocolate.
I didn't know about virtual interfaces so I am happy as well. I was trying to figure out how you applied Static IPs.

I am not convinced you need four policy routes however.
In fact I think you can get away with two, as the primary one, which includes the WAN IP for the router and LAN1, has one automatically assigned by the router in the background.

This would match up with your wan1:1 for lan1 and your wan1:2 for dmz. Why you called them that is funny; I would have named them WAN1:2, WAN1:D

Why do you have TWO DMZ policy routes and TWO LAN2 policy routes? You only need one of each.

user: any
schedule: none
incoming: wan1:2
source: LAN2 subnet
destination: any
dscp
service: any
source port: any
next hop: auto
dscp marking:
snat: outgoing-interface

Substitute WAN1:D and DMZ subnet, for dmz policy route.

Crossing my fingers, legs and toes.


GogNav

join:2010-08-02

Well, I have actually 5 public ips I could use.

So I created 4 virtual interfaces (1 public IP is for the firewall), and I thought I could associate 2 public IPs for lan2 and 2 for dmz.

This way, I could have a NAT rule 109.xxx.xxx.3:80 -> 192.168.2.2 and 109.xxx.xxx.4:80 -> 192.168.2.3.

Isn't this possible? If not, how can I use more than 3 public IPs (the firewall, lan2 and the dmz)?

But now nothing is working anymore. I have a fiber modem and I wanted to configure it in bridge mode. So I had to activate the pppoe on my firewall instead of my modem... and now everything is f%ç"* up



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4
reply to GogNav

I'm not sure about how PE and the like are put in as a primary interface, but the virtual interfaces probably need to point to it vice the general WAN heading. I know in my list of interfaces under system status interface status there is a separate subset line under the primary wan interface for the pppoe interface.

As far as extra IPs and how they are applied, I think you cannot apply two IPs to the same LAN. If you need to apply a public IP direct to a private IP (ie like to a server) then you would use the 1 to 1 NAT feature. You can however create a LAN3 and a LAN4 and use those for your two other IPs as per the DMZ. You can call them whatever you wish but really they are all the same. The only reason however to create extra LANs is if you had a useful purpose to segregate them to some degree and use firewall rules to allow specific access either way.

In other words it may not be necessary to have to use those available IPs.

I believe the limit on the number of LANs you create is really physical, as in the number of physical ports you can connect to different LANs is your limitation.


GogNav

join:2010-08-02

said by Anav:

IM not sure about how PE and the like are put in as a primary interface but the virtual interfaces probably need to point to it vice the general WAN heading.

What do you mean by "PE"? And I don't understand what you mean.

said by Anav:

As far as extra IPs and how they are applied I think you cannot apply two IPs to the same LAN. If you need to apply a Public IP direct to a private IP (ie like to a server) then you would use the 1 to 1 NAT feature.

I agree, but let's suppose I have two physical web servers (among other machines) that I would like to configure in the DMZ (192.168.3.x subset). How can I access them from outside other than by having the following two NAT rules:

109.xxx.xxx.3:80 -> 192.168.3.2
109.xxx.xxx.4:80 -> 192.168.3.3

But I would also like to be able to have the following NAT:

109.xxx.xxx.3:22 -> 192.168.3.4

said by Anav:

YOu can however create a LAN3 and a LAN4 and use those for your two other IPs as per the DMZ. YOu can call them whatever you wish but really they are all the same.

How? This time by creating virtual lans?

said by Anav:

The only reason however to create extra LANS is if you had a useful purpose to segragate them to some degree and use firewall rules to allow specific access either way.

I have all these public IPs available. I certainly don't need them all today, but who knows about tomorrow? I would like to setup the most flexible possible network.

said by Anav:

I believe the limit on the number of LANS you create is really physical as in the number of physical ports you can connect to different LANs is your limitation.

Not sure I understand. The USG 20 has 4 physical ports, but I can only set them up as part of either lan1, lan2 or dmz; in other words one subnet will have two ports. Aren't you contradicting yourself with what you said higher up, to create a lan3 and lan4?


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4

Well I am using the USG300 right now which may be part of the problem, I have more LANs available than I know what to do with LOL. They call them gre which probably means general interface or something.

As to the other points.
I meant PPE or PPPoE, not PE.
As for the physical servers that are on a LAN inside the router and not mapped one to one to a public IP. GOOD QUESTION.
I think it's doable...
I will assume that at a minimum you will need a firewall rule from WAN to LAN1 or LAN2 or DMZ to permit the incoming traffic.
If the servers are on the main LAN you will also need to create a virtual server rule. I am not sure, but you may also have to create virtual server rules on the other LANs as well, because at least on the USG300 you can identify the incoming interface (in this case use your virtual interface).

Again my apologies if you cannot create a LAN3 or LAN4.
I would need a snapshot of the NETWORK Interface ethernet configuration tab.



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4
reply to GogNav

Okay let's take a different fresh approach.
With the primary LAN setup and main wanip nothing is different.

For the other LAN2 and DMZ, remove virtual interfaces, not sure what they are for but let's say for now they don't apply.

Create an address object for WAN1:2 call it w12
Create an address object for WAN1:D call it w1d
Simply create two policy routes.

User: any
Schedule: schedule none
Incoming: LAN2 Subnet
Source: any
Destination: any
DSCP: any
Service: any
Source: any
Next Hop: WAN
DSCP: preserve
SNAT: w12

User: any
Schedule: schedule none
Incoming: DMZ Subnet
Source: any
Destination: any
DSCP: any
Service: any
Source: any
Next Hop: WAN
DSCP: preserve
SNAT: w1d

Then make virtual server rules for any servers behind those other LAN2 or DMZ (and corresponding fw rule).

Under NETWORK - NAT
name: serverL2
mapping type: virtual server
Interface(incoming): w12
Original IP: any
mapped IP: lan2 ip address of serverL2
---------------------------------
Port mapping Type: Port
Protocol: any
Port original: xxxx
Port mapped: xxxx
or
Port mapping Type: Service
original service:
mapped service:

Under NETWORK - NAT
name: serverDMZ
mapping type: virtual server
Interface(incoming): w1d
Original IP: any
mapped IP: dmz ip address of serverDMZ
---------------------------------
Port mapping Type: Port
Protocol: any
Port original: xxxx
Port mapped: xxxx
or
Port mapping Type: Service
original service:
mapped service:

If you are unable to create any more LANs (stuck at 3 for the USG 20), then you will not be able to create more LANs, but you could use the extra IPs for direct links to existing servers using 1:1 Mapping in the NAT area.

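The two halves of the setup Anav lays out above (an outbound policy route per internal subnet, each SNATing to its own public address, and inbound virtual-server rules keyed on public IP and port) can be modelled as two small lookup tables. The following is an added example, not Zyxel's code and not from anyone in the thread; the 109.0.0.x and 192.168.x.0/24 addresses are constructed stand-ins for the masked 109.xxx.xxx.x block and the poster's LANs, and the interface names lan1, lan2, dmz and wan1 are assumed. It also answers GogNav's question about two web servers in the same DMZ: because the virtual-server table is keyed on (public IP, protocol, port), .3:80 and .4:80 can land on different DMZ hosts while .3:22 goes to a third, and each mapping only passes if a matching WAN-to-DMZ firewall allow rule exists.

```python
"""Toy model of ordered policy routes with SNAT and of virtual-server (DNAT)
rules gated by firewall allow rules. Added illustration; not Zyxel firmware
behaviour and not the thread's own configuration. All addresses below are
constructed placeholders."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the thread's masked 109.xxx.xxx.x addresses.
WAN_IP = "109.0.0.2"   # the router's own address; lan1 uses it by default
WAN_IP3 = "109.0.0.3"  # the thread's virtual interface wan1:2 (address object w12)
WAN_IP4 = "109.0.0.4"  # the thread's virtual interface wan1:D (address object w1d)


@dataclass(frozen=True)
class PolicyRoute:
    incoming: str                   # interface the packet arrives on
    source: ipaddress.IPv4Network   # subnet the source address must be in
    next_hop: str                   # outgoing interface
    snat: str                       # address the source is rewritten to


# Ordered like the USG's policy-route table: the first match wins.
POLICY_ROUTES = [
    PolicyRoute("lan1", ipaddress.ip_network("192.168.1.0/24"), "wan1", WAN_IP),
    PolicyRoute("lan2", ipaddress.ip_network("192.168.2.0/24"), "wan1", WAN_IP3),
    PolicyRoute("dmz", ipaddress.ip_network("192.168.3.0/24"), "wan1", WAN_IP4),
]


def outbound(incoming: str, src: str) -> Optional[tuple[str, str]]:
    """Return (outgoing interface, translated source) for the first matching
    policy route, or None when nothing matches. Matching on both the incoming
    interface and the source subnet means a packet arriving on lan2 with a dmz
    source address is not forwarded under the dmz route."""
    addr = ipaddress.ip_address(src)
    for route in POLICY_ROUTES:
        if route.incoming == incoming and addr in route.source:
            return (route.next_hop, route.snat)
    return None


# Virtual-server (DNAT) table keyed on (public IP, protocol, port). This is
# what lets two public IPs front two hosts in the same DMZ subnet, and one
# public IP front a third host on a different port.
VIRTUAL_SERVERS = {
    (WAN_IP3, "tcp", 80): ("192.168.3.2", 80),
    (WAN_IP4, "tcp", 80): ("192.168.3.3", 80),
    (WAN_IP3, "tcp", 22): ("192.168.3.4", 22),
}

# WAN-to-DMZ firewall allow rules on the mapped address. The entry for
# 192.168.3.4:22 is deliberately left out to show that a virtual server
# without its corresponding firewall rule is dropped (default deny).
FIREWALL_ALLOW = {
    ("192.168.3.2", "tcp", 80),
    ("192.168.3.3", "tcp", 80),
}


def inbound(dst_ip: str, proto: str, dport: int) -> Optional[tuple[str, int]]:
    """Resolve an inbound connection: DNAT lookup first, then the firewall
    check on the mapped private address. Returns (private ip, port) when the
    connection is delivered, or None when it is dropped."""
    mapped = VIRTUAL_SERVERS.get((dst_ip, proto, dport))
    if mapped is None:
        return None
    if (mapped[0], proto, mapped[1]) not in FIREWALL_ALLOW:
        return None
    return mapped


def unused_public_ips(public_ips: list[str]) -> list[str]:
    """Audit helper: public addresses that no virtual server references.
    Keeping this list short makes it obvious which addresses are reachable
    and which are held in reserve."""
    referenced = {key[0] for key in VIRTUAL_SERVERS}
    return [ip for ip in public_ips if ip not in referenced]


if __name__ == "__main__":
    print(outbound("lan2", "192.168.2.10"))         # ('wan1', '109.0.0.3')
    print(outbound("dmz", "192.168.3.5"))           # ('wan1', '109.0.0.4')
    print(inbound(WAN_IP3, "tcp", 80))              # ('192.168.3.2', 80)
    print(inbound(WAN_IP3, "tcp", 22))              # None: no firewall rule
    print(unused_public_ips([WAN_IP, WAN_IP3, WAN_IP4, "109.0.0.5"]))
```

Each outbound route pairs an incoming interface with its subnet and an SNAT address, which is why the working configuration names the LAN subnet on the route and the public address in the translation field. Inbound, the lookup is per public address and port, so the number of reachable services is bounded by the virtual-server and firewall tables, not by the number of LANs.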


Algis

join:2013-06-05
NA
reply to GogNav

I'm trying to do something very similar to your situation, but it's missing "wanX" to be selected in SNAT column... How did you get them in there?


stewsutton

join:2013-07-22
Irvine, CA

There is a good (short) tutorial posted as a PDF file here: »www.zyxel.se/upload/doc/support/···rver.pdf