2 Internet connections, 1 ZyWall 310, 2 Different paths based on FW rules.

SyLvEsTeR_AFS
edited January 2023 in Security
Hello All,
I am new to Zyxel products and not fully briefed on what is and is not possible in general on most firewalls.  I know how I would like it to work, but thus far after a couple of days doing the Google thing, I am still stuck.

We have just had a second internet connection installed in our office, a Fiber.  We have a VDSL line already and that is working fine over PPPoE from ZyWall 310 to a Draytek Modem.

We do not want to switch everything over to the Fiber, we only want to assign specific tasks to it, like VPN.

Currently ge1 is connected to VDSL modem, ge2 is for the Fiber.

I went to Network -> Interface -> Ethernet -> ge2 and defined the: - 
Interface Type as External
IP, subnet and Gateway

Now I am stuck at Zone.  The current VDSL is assigned to WAN.
If I go to Object -> Zone and look at System Default. WAN Zone has ge1_ppp,ge1 and vdsl_vlan7 as members. All good!

This is where I am stuck, you see, I do not want to do any kind of fancy load balancing between the two lines, I simply want to define which traffic goes over each WAN connection.

I thought to myself, Zone names are really just that, a name, WAN or LAN1, LAN2, DMZ etc. don't matter, it is just a matter of defining what goes where under Security Policy -> Policy Control.

So, I assigned LAN2 to Zone in the Interface -> Ethernet -> ge2 (because it has nothing referencing it in Object -> Zone menu).

I figured the easiest way to test this would be to change our guest VLAN to use the fiber.  So I changed all Security Policies for the guest VLAN in Policy control to point at LAN2 instead of WAN.  

I assume you have all figured out that this has not worked...
or are surprised that it has not worked...

And now I am here to ask for help please.
I am humble and thick skinned, so I do not mind being teased, just try and help me too ;-)

Thank you!

All Replies

  • PeterUK
    edited January 2023 Answer ✓

    Zones for Security Policy don't say where the traffic goes.

    You can set Ge2 to ZONE OPT

    For control over where traffic goes you need a routing rule in network > routeing

    incoming Interface

    member like LAN1

    source address if needed

    next hop interface

    interface OPT

    This will stop the load balancing


  • SyLvEsTeR_AFS
    Thanks for the answer Peter.
    To follow up, do I need to setup load balancing first too regardless?
    What about outgoing traffic, why is it that guest network does not work in my current setup, is it because there is no route out?

    I am sorry to sound dense, it is only because I am. :-P
  • PeterUK
    Answer ✓

    You should not need to set up the load balancing; the default should be fine.

    Once you understand the routing you need in place for Ge2 to Zone OPT and Ge1 to Zone WAN, along with a Security Policy for LAN to WAN or OPT, it should start working.


  • SyLvEsTeR_AFS
    Thank you Peter.
    I continued to use LAN2 for my Zone and added a new route for the vlan and the next hop for the interface and it started working like a charm.

    Thank you for pointing me in the right direction!

    Have a nice evening mate.  TTFN
  • Zyxel_Kevin
    Answer ✓
    Hi @SyLvEsTeR_AFS
    As PeterUK said, zones for Security Policy don't say where the traffic goes.
    Please kindly see the diagram to understand the routing flow.

    The default WAN Trunk will be used when the path does not match a "Policy Route" or "Static-Dynamic Route".
    So, you have to create a "Policy Route" or "Static Route" for the traffic to hit first, to prevent it going into the "WAN Trunk".

    (Note: You can find the Trunk setting at "Network -> Interface -> Trunk". By default, the ZyWall will take all your outgoing interfaces as members of load-balancing.)

    Thank you
    Kevin
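
The point made in the answers above, as an added example that is not part of the original thread and is not Zyxel's own logic: routing (policy route, then static route, then the default WAN trunk) picks the egress interface, and the zone-based security policy only allows or drops the result. The interface name `vlan_guest`, the addresses, and the guest policy are constructed assumptions based on the setup described in the question.

```python
# Simplified model (an assumption, not Zyxel firmware logic): routing picks the
# egress interface, the security policy then allows or drops by zone pair.
from ipaddress import ip_address, ip_network

# Constructed sample topology based on the thread: ge1_ppp = VDSL, ge2 = fiber.
ZONE_OF = {"ge1_ppp": "WAN", "ge2": "LAN2", "vlan_guest": "GUEST"}
WAN_TRUNK = ["ge1_ppp", "ge2"]          # default trunk: all outgoing interfaces
STATIC_ROUTES = []                      # (destination network, egress interface)


def possible_egress(in_if, src, dst, policy_routes):
    """Return the interfaces a new session may leave through."""
    for rule in policy_routes:          # 1. policy routes, first match wins
        if rule["incoming"] == in_if and ip_address(src) in ip_network(rule["source"]):
            return [rule["next_hop_if"]]
    for net, out_if in STATIC_ROUTES:   # 2. static routes
        if ip_address(dst) in ip_network(net):
            return [out_if]
    return list(WAN_TRUNK)              # 3. otherwise the WAN trunk decides


def verdicts(in_if, src, dst, policy_routes, allowed_zone_pairs):
    """Map each possible egress interface to allow (True) or drop (False)."""
    return {
        out_if: (ZONE_OF[in_if], ZONE_OF[out_if]) in allowed_zone_pairs
        for out_if in possible_egress(in_if, src, dst, policy_routes)
    }


# Security policy after the change in the question: guest may only reach zone LAN2.
GUEST_POLICY = {("GUEST", "LAN2")}
# Policy route of the kind described in the answers (values are constructed).
GUEST_VIA_FIBER = [{"incoming": "vlan_guest", "source": "192.168.50.0/24",
                    "next_hop_if": "ge2"}]

if __name__ == "__main__":
    # No policy route: the trunk may pick ge1_ppp, which the policy drops.
    print(verdicts("vlan_guest", "192.168.50.10", "203.0.113.5", [], GUEST_POLICY))
    # With the policy route: egress is pinned to ge2 and the policy allows it.
    print(verdicts("vlan_guest", "192.168.50.10", "203.0.113.5",
                   GUEST_VIA_FIBER, GUEST_POLICY))
```
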

