Route through specific public IP

I'm trying to have a machine use a specific external\public IP address.

I found the following article but I can't get it to work.
https://community.zyxel.com/en/discussion/2325/force-public-ip-address

Device is ZyWALL 110 v4.65

Trying to have machine1 use x.x.x.83 and machine2 use x.x.x.84 for example. When I try the steps from above and I check the public IP from machine2 it still shows .83

All Replies

  • PeterUK
    PeterUK Posts: 2,702  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited November 2021
    have you been given a subnet?

    Can we see the routeing rule you made?
  • PeterUK - I'm assuming you mean a public block and yes we have a /28

    Followed the example from link I provided and have the following policy.

  • PeterUK
    PeterUK Posts: 2,702  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited November 2021

    If you run a ping -t 1.1.1.1 on the VMhost and do a capture on the WAN do you see 1.1.1.1 going out or ARP from x.x.x.84 to gateway IP?

    try disable Default SNAT in network>interface > trunk >advance


  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,444  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Hi @Costas,
    Can you see corresponding policy route and SNAT rule show on Packet Flow explorer?
    Assume we create a policy route to tell firewall that SRC 192.168.1.55 need to SNAT to 10.214.48.192 to Internet. it supposed to have both rules as below.

    MAINTENANCE > Packet Flow Explorer  > Routing status

    MAINTENANCE > Packet Flow Explorer  > SNAT status

  • @Cooldia




    This is currently only the one I'm trying to test but there will be a few that I'd like to behave this way. With policy in place and I go to myipaddress.com it still shows the gateway address of .82. I can come in on any of them, .83 or .84 etc, and sends me to the correct machine. Outbound everyone shows .82
  • zyman2008
    zyman2008 Posts: 199  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    For Zyxel USG or ZyWALL.
    If you want specific machine mapping to specific public IP.
    Then I suggest you to use 1:1 NAT instead of policy route with SNAT.

    The different of 1:1 NAT and policy route route SNAT,
    1:1 NAT,
    (1) 1:1 NAT auto create the reverse SNAT mapping. (internal machine IP to public IP)
    (2) Create a virtual interface on wan side with specific public IP. So that firewall will reply MAC address of WAN port for the ARP query of the specific public from ISP.

    Policy route with SNAT,
    (1) Matched traffic will translate internal source IP to another public IP set in the rule.
    (2) Firewall will not reply ARP query for the public IP.


    The new Zyxel USG FLEX and ATP support proxy arp settings on wan interface.
    So that beside 1:1 NAT. It can be archive by policy route with SNAT + proxy arp setting.
    But this is not support on USG/ZyWALL firewall.

  • @zyman2008 - I have a 1:1 NAT for port forwarding RDP. I changed it to Any but it still reports back as the router IP (.82). There still is a policy in place as restricted external access. As for creating a virtual interface I'm afraid I would need more information on that process.

    @PeterUK - Sorry didn't get back to you. If I disable Default SNAT I loose connection to the outside. There must be more to that such as creating replacements?

  • PeterUK
    PeterUK Posts: 2,702  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited November 2021

    When you disable Default SNAT you will need to make a routing rule below your other rule for SNAT .84 so other traffic SNAT off .83.

    It might be your ISP don't allow IP's off a single MAC? If you connect a switch off your modem and connect to WAN1 and WAN2 to it do you get two WAN IP's?

    For virtual interface not that I see why you need it select the WAN1 then virtual interface for .84

  • zyman2008
    zyman2008 Posts: 199  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    First, make sure you has 2 1:1 NAT rules, 
    (1)External IP: x.x.x.83, Internal IP: internal IP of machine, Port Mapping Type: any
    (2)external IP: x.x.x.84, Internal IP: internal IP of machine 2, Port Mapping Type: any

    Second, no policy route

    Third, Login your ZyWALL via SSH or serial console. 
    Doing a simple test to make sure the ISP side aware this IPs. (ARP table is right on ISP gateway)
    ping wan gateway IP address with specific public IP address.
    Router> ping w.x.y.z source x.x.x.83
    Router> ping w.x.y.z source x.x.x.84

  • Ok, finally got back to this plus waiting for a Sunday.

    The issue was me, of course. To recap and make it easier to understand...

    x.x.x.82 is the router itself
    x.x.x.83 VMHost1
    x.x.x.84 ServerAD
    etc

    Network\NAT - 1:1NAT
    Source:Any ; Ext:Ext_IP_VMHost1 ; Int:VMHost1 ; Type:Any
    Source:Any ; Ext:Ext_IP_ServerAD ; Int:ServerAD ; Type:Any
    etc

    Of course I have Object\Address created for Ext & Int names.

    So why was it resolving to .82 when I checked the public IP? Because when I was testing I was doing it from VMHost1. Machine has multiple NICs and one was getting an IP from our DHCP server so the router saw both the static (routing to the int address) and one from our internal pool. I assume defaulted when it saw both. When I connect to say ServerAD and check its public IP it traces back to .84

    Fortunately for me it isn't an issue that the VMHost1 machine doesn't trace back. Policies allow for source and port traffic.

    Thanks all for the help with this.

Security Highlight