[Tips & Tricks] See how Zyxel resolves the WAN / LAN subnet conflict

zyxel_Lin
edited September 15 in Security Highlight
The typical network topology looks like the image below when we install a firewall into the network. Users directly connect the WAN port of the firewall to an external ISP router using an Ethernet cable.


What causes subnet conflicts?

In cases of using the Zyxel USG FLEX/ATP firewall series, the default setting of the WAN interface is DHCP, which means it acquires an IP address from the ISP router, and the default setting of the LAN interface is 192.168.1.1/24. On some occasions, the ISP router assigns an IP address belonging to the subnet 192.168.1.0/24 to the WAN interface of the firewall. The result is a WAN / LAN subnet conflict, and it will cause problems whenever the firewall or a client attempts to connect to the Internet, due to a routing table loop or an IP address conflict.

See How Zyxel can help

To help our customers tackle the subnet conflict easily, we added a mechanism to automatically resolve the subnet conflict after ZLD5.31. If there is a subnet conflict between the WAN and LAN interfaces, the mechanism will change the LAN interface subnet automatically.

• LAN1: 192.168.1.1/24 -> 192.168.10.1/24
• LAN2: 192.168.2.1/24 -> 192.168.11.1/24
• LAN3: 192.168.3.1/24 -> 192.168.12.1/24
• LAN4: 192.168.5.1/24 -> 192.168.13.1/24

(The solution supports both on-premise firewalls and Nebula-managed firewalls.)
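
An added example, not part of the original post and not Zyxel's code: a Python check an administrator could run before cabling a new ISP router. It flags WAN/LAN overlaps, looks up the remapped LAN address in the table above, and lists statically addressed clients that would end up outside the new subnet. The interface names, DHCP lease and host addresses are constructed, and treating any overlap of the two networks as a conflict is an assumption, since the post does not say how the firmware decides.

```python
import ipaddress

# Default LAN address -> address after the automatic change, as listed in the post.
POST_REMAP = {
    "192.168.1.1/24": "192.168.10.1/24",
    "192.168.2.1/24": "192.168.11.1/24",
    "192.168.3.1/24": "192.168.12.1/24",
    "192.168.5.1/24": "192.168.13.1/24",
}


def find_conflicts(wan, lan):
    """Return (wan_name, lan_name) pairs whose IP networks overlap (assumed rule)."""
    pairs = []
    for wname, waddr in wan.items():
        wnet = ipaddress.ip_interface(waddr).network
        for lname, laddr in lan.items():
            if wnet.overlaps(ipaddress.ip_interface(laddr).network):
                pairs.append((wname, lname))
    return pairs


def remap_impact(wan, lan, static_hosts):
    """For each conflicting LAN, report the new address from the post's table
    (None when the LAN is not at a listed default) and the statically
    addressed hosts that would fall outside the remapped subnet."""
    report = {}
    for _, lname in find_conflicts(wan, lan):
        old_net = ipaddress.ip_interface(lan[lname]).network
        new = POST_REMAP.get(lan[lname])
        stranded = []
        if new is not None:
            new_net = ipaddress.ip_interface(new).network
            stranded = sorted(
                host for host, ip in static_hosts.items()
                if ipaddress.ip_address(ip) in old_net
                and ipaddress.ip_address(ip) not in new_net
            )
        report[lname] = {"new_address": new, "stranded_static_hosts": stranded}
    return report


# Constructed sample: DHCP lease on the WAN port, LAN defaults, static clients.
WAN = {"wan1": "192.168.1.33/24"}
LAN = {"lan1": "192.168.1.1/24", "lan2": "192.168.2.1/24"}
STATIC_HOSTS = {"printer": "192.168.1.50", "nas": "192.168.2.20"}

if __name__ == "__main__":
    for lan_name, info in remap_impact(WAN, LAN, STATIC_HOSTS).items():
        print(lan_name, info)
```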


Comments

  • mMontana
    .... poor network design is a "Security Highlight" more than the advisories?
    Moreover: assuming that...
    0: I have a USG100 flex with port4 configured as WAN2
    1: my Lan1 interface is configured for 192.168.1.1, Port 2.
    2: my new ISP provides me a new CPE, configured to 192.168.1.1
    3: I connect the CPE to WAN2/Port4 of the USG100 Flex
     
    What's gonna happen? The firewall will automatically change the LAN1 address to 192.168.10.1?
    I seriously hope that's not the scenario...
  • If the conflict doesn't prevent me from reaching the USG, I would rather lose internet and reconfigure the ISP-provided equipment. Changing LAN settings that way will break networks where static IPs are configured on clients' NICs.