Route through specific public IP

I'm trying to have a machine use a specific external\public IP address.

I found the following article but I can't get it to work.
https://community.zyxel.com/en/discussion/2325/force-public-ip-address

Device is ZyWALL 110 v4.65

Trying to have machine1 use x.x.x.83 and machine2 use x.x.x.84 for example. When I try the steps from above and I check the public IP from machine2 it still shows .83

All Replies

  • PeterUK
    PeterUK Posts: 2,716  Guru Member
    edited November 2021
    Have you been given a subnet?

    Can we see the routeing rule you made?
  • Costas
    PeterUK - I'm assuming you mean a public block and yes we have a /28

    Followed the example from the link I provided and have the following policy.

  • PeterUK
    PeterUK Posts: 2,716  Guru Member
    edited November 2021

    If you run a ping -t 1.1.1.1 on the VMhost and do a capture on the WAN do you see 1.1.1.1 going out or ARP from x.x.x.84 to gateway IP?

    Try disabling Default SNAT in network > interface > trunk > advance.


  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,450  Zyxel Employee
    Hi @Costas,
    Can you see the corresponding policy route and SNAT rule shown in Packet Flow Explorer?
    Assume we create a policy route to tell the firewall that SRC 192.168.1.55 needs to SNAT to 10.214.48.192 to the Internet. It is supposed to have both rules as below.

    MAINTENANCE > Packet Flow Explorer  > Routing status

    MAINTENANCE > Packet Flow Explorer  > SNAT status

  • Costas
    @Cooldia

    This is currently the only one I'm trying to test, but there will be a few that I'd like to behave this way. With the policy in place, when I go to myipaddress.com it still shows the gateway address of .82. I can come in on any of them, .83 or .84 etc., and it sends me to the correct machine. Outbound, everyone shows .82.
  • zyman2008
    zyman2008 Posts: 199  Master Member
    For Zyxel USG or ZyWALL:
    If you want a specific machine mapped to a specific public IP,
    then I suggest you use 1:1 NAT instead of policy route with SNAT.

    The difference between 1:1 NAT and policy route SNAT:
    1:1 NAT,
    (1) 1:1 NAT auto create the reverse SNAT mapping. (internal machine IP to public IP)
    (2) Create a virtual interface on the WAN side with the specific public IP, so that the firewall will reply with the MAC address of the WAN port to the ARP query for the specific public IP from the ISP.

    Policy route with SNAT,
    (1) Matched traffic will translate internal source IP to another public IP set in the rule.
    (2) The firewall will not reply to ARP queries for the public IP.


    The new Zyxel USG FLEX and ATP support proxy ARP settings on the WAN interface,
    so besides 1:1 NAT, it can be achieved by policy route with SNAT + proxy ARP setting.
    But this is not supported on USG/ZyWALL firewalls.

  • Costas
    @zyman2008 - I have a 1:1 NAT for port forwarding RDP. I changed it to Any but it still reports back as the router IP (.82). There still is a policy in place as restricted external access. As for creating a virtual interface I'm afraid I would need more information on that process.

    @PeterUK - Sorry, didn't get back to you. If I disable Default SNAT I lose connection to the outside. There must be more to that, such as creating replacements?

  • PeterUK
    PeterUK Posts: 2,716  Guru Member
    edited November 2021

    When you disable Default SNAT you will need to make a routing rule below your other rule for SNAT .84 so other traffic SNAT off .83.

    It might be your ISP doesn't allow IPs off a single MAC? If you connect a switch off your modem and connect WAN1 and WAN2 to it, do you get two WAN IPs?

    For the virtual interface (not that I see why you need it), select WAN1, then virtual interface for .84.

  • zyman2008
    zyman2008 Posts: 199  Master Member
    First, make sure you have 2 1:1 NAT rules:
    (1) External IP: x.x.x.83, Internal IP: internal IP of machine, Port Mapping Type: any
    (2) External IP: x.x.x.84, Internal IP: internal IP of machine 2, Port Mapping Type: any

    Second, no policy route.

    Third, log in to your ZyWALL via SSH or serial console.
    Do a simple test to make sure the ISP side is aware of these IPs. (ARP table is right on ISP gateway)
    Ping the WAN gateway IP address with the specific public IP address.
    Router> ping w.x.y.z source x.x.x.83
    Router> ping w.x.y.z source x.x.x.84

  • Costas
    Ok, finally got back to this plus waiting for a Sunday.

    The issue was me, of course. To recap and make it easier to understand...

    x.x.x.82 is the router itself
    x.x.x.83 VMHost1
    x.x.x.84 ServerAD
    etc

    Network\NAT - 1:1NAT
    Source:Any ; Ext:Ext_IP_VMHost1 ; Int:VMHost1 ; Type:Any
    Source:Any ; Ext:Ext_IP_ServerAD ; Int:ServerAD ; Type:Any
    etc

    Of course I have Object\Address created for Ext & Int names.

    So why was it resolving to .82 when I checked the public IP? Because when I was testing I was doing it from VMHost1. The machine has multiple NICs and one was getting an IP from our DHCP server, so the router saw both the static (routing to the int address) and one from our internal pool. I assume it defaulted when it saw both. When I connect to, say, ServerAD and check its public IP, it traces back to .84.

    Fortunately for me it isn't an issue that the VMHost1 machine doesn't trace back. Policies allow for source and port traffic.

    Thanks all for the help with this.
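
A quick way to spot the multi-NIC situation from the final post on the host itself, as an added example that is not part of the thread: it lists each NIC's IPv4 address and asks the OS which source address it would pick for Internet-bound traffic. Assumptions: the host runs Windows with the NetTCPIP cmdlets, and 192.168.1.55 is a placeholder for the internal address in your own 1:1 NAT rule.

```powershell
# Added example, not from the thread. Read-only: nothing is sent or changed.
# Assumption: the internal address used in the firewall's 1:1 NAT rule (placeholder).
$NatInternalIp = '192.168.1.55'
# Any Internet destination; only the local routing table is consulted.
$ProbeAddress  = '1.1.1.1'

# 1. Every IPv4 address on the host and how it was assigned.
#    PrefixOrigin 'Manual' = static, 'Dhcp' = lease from a DHCP server.
$addresses = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -ne '127.0.0.1' } |
    Sort-Object InterfaceAlias
$addresses |
    Format-Table InterfaceAlias, IPAddress, PrefixLength, PrefixOrigin -AutoSize |
    Out-Host

# 2. Ask the stack which local address it would use to reach the probe address.
#    Find-NetRoute returns the chosen source address object and the matching route;
#    only the address object has an IPAddress property.
$selected = Find-NetRoute -RemoteIPAddress $ProbeAddress |
    Where-Object { $_.IPAddress } |
    Select-Object -First 1

if (-not $selected) {
    Write-Warning "No route to $ProbeAddress from this host."
    return
}

# 3. Compare with the address the 1:1 NAT rule expects.
if ($addresses.IPAddress -notcontains $NatInternalIp) {
    Write-Warning "$NatInternalIp is not configured on any NIC of this host."
}
elseif ($selected.IPAddress -eq $NatInternalIp) {
    "Outbound traffic leaves from $NatInternalIp on '$($selected.InterfaceAlias)'; the 1:1 NAT rule will match."
}
else {
    Write-Warning ("Outbound traffic leaves from $($selected.IPAddress) on " +
        "'$($selected.InterfaceAlias)' (origin: $($selected.PrefixOrigin)), not $NatInternalIp. " +
        "The 1:1 NAT rule for $NatInternalIp will not match this traffic.")
}
```

A warning in step 3 on a host with both a static and a DHCP-assigned NIC matches the symptom in the thread, where the public IP check showed .82 instead of the mapped address.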
