howto define private IP range on USG interface

13»

All Replies

  • Fred_77
    Fred_77 Posts: 120  Ally Member
    5 Answers First Comment Friend Collector Fourth Anniversary
    Hi NoE
    my screenshoot was about route policy. 
    (Obviously also security policies are needed).

    Try to go 
    Configuration > Objects > Address
    and add 2 obj. as Interface Subnet: one for LAN1 and one for BR1
    then 
    Configuration > Network > Routing > Policy Route

    and add at least a couple of rules to define routes 

    Source: LAN1subnet > Dest: BR1 subnet > next hop "Auto"
    ...
    LAN1subnet > Other Zones/subnets if you have another > next hop "Auto"
    ...
    ...
    Source: LAN1subnet >  Dest: any > next hop "Interface" > "wan1"

    Fred
  • NoE
    NoE Posts: 30  Freshman Member
    First Comment Friend Collector First Anniversary
    Thanks @Fred_77
    I will try that, obviously something is missing there ;-)
    NoE

  • Zyxel_James
    Zyxel_James Posts: 663  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate 100 Answers
    Hello @NoE
    According to your request, I think a WAN bridge could achieve it.
    You may refer to this KB to set up the WAN bridge. 

    Moreover, I saw you mention the main WAN stops after the WAN bridge is set up. Could you provide some screenshots of your setting including the routing policy?
    Thank you.

    James
  • zyman2008
    zyman2008 Posts: 223  Master Member
    25 Answers First Comment Friend Collector Seventh Anniversary
    NoE said:
    192.168.94.X must use its GW only - i.e. for the Internet it should use ISP2 only. This network uses some services reachable via GW 192.168.94.1 which are legally strictly defined and it is not desirable to send related packets via public Internet - i.e. not over main ISP1. This is the situation for 192.168.94.X network as of now, so I want to keep it by - very simply said :) :
    1. having the GW 192.168.94.1 connected into ge12
    2. having 192.168.94.X switch connected into ge11
    The background - our organization used 192.168.94.X only. However we have been tasked to get another ISP for all the Internet communication except few PCs etc. which would be kept inside 192.168.94.x network. 
    However, some of the PC shares and Synology data storage from 192.168.94.X network (i.e in our premises) should be accessible to other subnets defined on USG which use ISP1 only.
    Hi @NoE ,
    Then, what I told is matching this case exactly.

  • NoE
    NoE Posts: 30  Freshman Member
    First Comment Friend Collector First Anniversary
    edited May 2022
    thank you for the KB article. I think I have understood the point, however - one question:
    The port 3 for LAN1 has IP 192.168.1.1 all the time.
    But - in my case (WAN GW 192.168.94.1, IP range for our special PCs:192.168.94.(2-254 )) - the switch with those WAN2 addresses (192.168.94.0/24) will be plugged into USG port 3 in the KB example while GW 192.168.94.1 will be plugged into port 1 in your example.
    So what intrigues me is the static IP defined there - 192.168.1.1 - is it correct?

    Regarding routing policy - I did not define any, I used the default USG FLEX 700 setup in this case, I have setup just the Zones and Secure Policies for them. Perhaps this was the point - having no routes defined the USG operated correctly only on the bridge proposed by @Fred_77 and for all the rest - i.e. for the main ISP connectivity, the USG did not know what to do.....

    Cheers,
    NoE
  • NoE
    NoE Posts: 30  Freshman Member
    First Comment Friend Collector First Anniversary
    zyman2008 said:
    NoE said:
    192.168.94.X must use its GW only - i.e. for the Internet it should use ISP2 only. This network uses some services reachable via GW 192.168.94.1 which are legally strictly defined and it is not desirable to send related packets via public Internet - i.e. not over main ISP1. This is the situation for 192.168.94.X network as of now, so I want to keep it by - very simply said :) :
    1. having the GW 192.168.94.1 connected into ge12
    2. having 192.168.94.X switch connected into ge11
    The background - our organization used 192.168.94.X only. However we have been tasked to get another ISP for all the Internet communication except few PCs etc. which would be kept inside 192.168.94.x network. 
    However, some of the PC shares and Synology data storage from 192.168.94.X network (i.e in our premises) should be accessible to other subnets defined on USG which use ISP1 only.
    Hi @NoE ,
    Then, what I told is matching this case exactly.



    I have another downtime agreed next Monday, I will try your proposal and of course....wil let you know.
    Thanks a lot for your inputs and assistance
    Cheers,
    NoE
  • NoE
    NoE Posts: 30  Freshman Member
    First Comment Friend Collector First Anniversary
    edited May 2022

    I have just followed your setup proposal, but what I needed to add was the bridge according KB article proposed by @Fred_77 and mentioned by @Zyxel_James - as the clients within 192.168.94.x network are IP-address-fixed, I could not used DHCP, so that is why the bridge.
    Now everything goes very nice :smile:


    Here is my config
    Related Interfaces:



    Zones:

    Security Policy:

    Route Policy:

    Trunk:

    Bridge:

    Thank you all, guys.
    Internet access via main ISP works as before, without any problem.
    Internet access via 2nd ISP within special WAN/LAN works without any problem too, Internet included.
    I need to finish the access to shared stuff and ISP2 admin, but I think this is solid base :-)
    Thanks to all.

    Cheers,
    Dusan

Categories

Security Highlight


Read more

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)