[Tips & Tricks] See how Zyxel resolves the WAN / LAN subnet conflict

zyxel_Lin
zyxel_Lin Posts: 73  Zyxel Employee
Friend Collector Third Anniversary
edited September 2022 in Security Highlight
The typical network topology looks like the image below when we install a firewall into the network. Users directly connect the WAN port of the firewall to an external ISP router using an Ethernet cable.


What causes subnet conflicts?

In cases of using the Zyxel USG FLEX/ATP firewall series, the default setting of the WAN interface is DHCP. This means it acquires an IP address from the ISP router, and the default setting of the LAN interface, which is 192.168.1.1/24. On some occasions, the ISP router assigns an IP address belonging to the subnet 192.168.1.0/24 to the WAN interface of the firewall. The result is WAN / LAN subnet conflict, and it will cause problems whenever the firewall or the client attempting to connect to the Internet, due to a routing table loop or IP addresses conflict.

See How Zyxel can help

To help our customers tackle the subnet conflict easily, we added a mechanism to automatically resolve the subnet conflict after ZLD5.31. If there is a subnet conflict between the WAN and LAN interface, the mechanism will change the LAN interface subnet automatically.

l  LAN1: 192.168.1.1/24 -> 192.168.10.1/24

l  LAN2: 192.168.2.1/24 -> 192.168.11.1/24

l  LAN3: 192.168.3.1/24 -> 192.168.12.1/24

l  LAN4: 192.168.5.1/24 -> 192.168.13.1/24

(The solution supports both on-premise firewalls and Nebula-managed firewalls.)


Comments

  • mMontana
    mMontana Posts: 1,425  Guru Member
    Zyxel Certified Network Administrator - Switch 50 Answers 1000 Comments Friend Collector
    .... poor network designe is a "Security Highlight" more than the advisories?
    Moreover: assuming than...
    0: I have a USG100 flex with port4 configured as WAN2
    1: my Lan1 interface is configured for 192.168.1.1, Port 2.
    2: my new ISP provides me a new CPE, configured to 192.168.1.1
    3: I connect the CPE to WAN2/Port4 of the USG100 Flex
     
    What it's gonna happen? The firewall automatically will change LAN1 address to 192.168.10.1?
    I seriously hope that's not the scenario...
  • Zulgrib
    Zulgrib Posts: 27  Freshman Member
    First Comment Friend Collector Third Anniversary
    If the conflict doesn't prevent me from reaching the USG, I would rather lose internet and reconfigure the ISP provided equipment. Changing LAN settings that way will break networks where static IP are configured on client's NIC.

Categories

Label

EnglishTiếng ViệtРусскийไทย中文(台灣)