Small interface type bug with general on boot up to SNAT traffic

PeterUK
PeterUK Posts: 2,702  Guru Member
edited July 2022 in Security

V4.72(AAAA.0)ITS-22WK28-r104687

In order for the Zyxel devices to connect to the internet they must use VLAN443 and SNAT to OPT.

Normally the VLAN443 would be set to external but changed to general for testing DHCP.

On rebooting the USG40 and Zywall 110, I found the service license refresh failed on the USG40 but was fine on the Zywall 110. When I changed the interface type for VLAN443 to external on the Zywall 110, the USG40 could get the service license refresh. I then changed it back to general and it still worked, so this only happens on a reboot.

Here is a cut down setup


All Replies

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,444  Zyxel Employee
    Hi @PeterUK,
    Can you help check whether the routing information from the CLI command Router> debug system ip route show table default-wan-trunk is the same after device reboot?
  • PeterUK
    PeterUK Posts: 2,702  Guru Member
    After reboot, when the issue happened with VLAN443 set to general:
    Router# debug system ip route show table default-wan-trunk
    default mpath LLF-total
            nexthop via 192.168.44.2  dev vlan443 weight 1
            nexthop via xxx.173.xxx.1  dev eth2 weight 1

    Then changed to external, and working:
    Router# debug system ip route show table default-wan-trunk
    default mpath LLF-total
            nexthop via 192.168.44.2  dev vlan443 weight 1
            nexthop via xxx.173.xxx.1  dev eth2 weight 1
  • PeterUK
    PeterUK Posts: 2,702  Guru Member

    With some testing help from Zyxel_Cooldia, the reason was that the DHCP setting is not set up (set to none) on the Zywall 110 but Enable IP/MAC Binding was checked, so on a reboot for some reason it blocks the traffic; changing the interface type, or unchecking Enable IP/MAC Binding, allows traffic.

