Forward multiple Public IP through DMZ to VMs directly

Ckat1212
Ckat1212 Posts: 5
edited March 2023 in Security

Hello all,

We run several virtual routers behind NAT currently. We have to VPN into the device and then NAT over to the internal IP. We are seeing a huge drop in speeds because of the slow SSL VPN (IPsec is not possible for various reasons).

We want the virtual routers to be exposed via DMZ and have a public IP. There is a firewall in place on the virtual routers. I have multiple public IPs, and want to pass the /26 range over to them (it runs on a separate physical network).

Plan is that each router will be manually (via scripts) assigned a Public IP and then I expect that to be reachable via DMZ right after.

I believe I need Bridge Mode for this, but in my Zywall 110 I can only bridge 1 IP at a time. How do I pass a whole range of IPs over (essentially I expect it to work as if it's connected to a dumb switch)?

So, two questions:

  1. How do I do the above?
  2. Should I be doing this differently for better security?

All Replies

  • Ckat1212
    Ckat1212 Posts: 5
    edited March 2023

    For clarification, this is the post where I saw one IP at a time: https://kb.zyxel.com/KB/searchArticle!viewDetail.action?articleOid=015541&lang=EN

    Also note that the switch has its own IP, and the pass-through public IPs are different. So I don't want to put the entire Zywall 110 in bridge mode; just one port of it will pass through (and they are wired on a different switch and server NIC).

  • PeterUK
    PeterUK Posts: 2,705  Guru Member
    edited March 2023

    One way is your ISP gives you an IP on WAN different to your subnet and you put your subnet on LAN1, then do a routing rule LAN1 to WAN with SNAT none.

  • Ckat1212
    Ckat1212 Posts: 5

    Thanks Peter.

    Just so I understand correctly, and to put it in terms of what I have:

    I have 1 line currently going to the WAN1 port; this carries my SSL, IPsec etc. for the core (LAN1).

    Could I do it such that I use my P7 (LAN2) port to separate out my public traffic, i.e. I do the LAN2 to WAN1 SNAT None?

    Will that work the same way? Or if I use WAN1 to LAN2, will it also take the LAN1 dedicated IPs? (I have multiple blocks of IPs, so I want to use block 1 for LAN1, which I manually NAT, and LAN2, which is the direct public IP attached to the virtual routers.)

    The switch is in a data center, so I am trying to come up with a plan of action before I go there!

    Thanks in advance!

  • PeterUK
    PeterUK Posts: 2,705  Guru Member
    edited March 2023

    Do you know what IP is on the WAN currently? If it is different to your WAN block of IPs, then set up LAN2 with something like 5.0.0.1/26; your devices will get WAN IPs on LAN2, then SNAT none route LAN2 to WAN. Any incoming traffic should be forwarded by the provider to the WAN IP/MAC of the Zywall and routed to LAN2.

  • Ckat1212
    Ckat1212 Posts: 5

    Yes, I know the WAN IP currently (don't want to post it publicly); let's call it 64.60.100.10/28 (LAN1).

    The other block is (fake) 64.55.100.10/26 (LAN2)

    I will leave the original alone, and do LAN2 for 64.55.100.10/26 and SNAT none route LAN2 to WAN.
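As an added check (not written by any poster in this thread), the following Python script validates the addressing plan discussed above: that the WAN block and the routed LAN2 block do not overlap, which address the firewall itself holds on LAN2 (the gateway the virtual routers will point at), and that a scripted list of per-router public IP assignments has no duplicates and does not collide with the gateway, network or broadcast address. The CIDR values are the fake ones quoted in the thread; the function names are my own.

```python
import ipaddress


def plan_routed_subnet(wan_cidr: str, lan2_cidr: str) -> dict:
    """Validate the addressing for a routed (SNAT none) public subnet on LAN2.

    wan_cidr  - the firewall's WAN interface address, e.g. "64.60.100.10/28"
    lan2_cidr - the address the firewall itself will hold on LAN2,
                e.g. "64.55.100.10/26"
    Returns the LAN2 network, the firewall's LAN2 address (the gateway the
    virtual routers must use) and the host addresses left for the routers.
    """
    wan = ipaddress.ip_interface(wan_cidr)
    lan2 = ipaddress.ip_interface(lan2_cidr)
    # A block that overlaps the WAN block cannot be routed unambiguously.
    if wan.network.overlaps(lan2.network):
        raise ValueError(f"{wan.network} overlaps {lan2.network}")
    gateway = lan2.ip
    # hosts() already excludes the network and broadcast addresses.
    usable = [h for h in lan2.network.hosts() if h != gateway]
    return {"lan2_network": lan2.network, "gateway": gateway, "usable": usable}


def check_assignments(plan: dict, assigned: list[str]) -> list[str]:
    """Return the problems found in a proposed router -> public IP list.

    Catches duplicates, addresses outside the LAN2 block, and addresses that
    collide with the gateway, network or broadcast address.
    """
    problems = []
    seen = set()
    usable = set(plan["usable"])
    for entry in assigned:
        addr = ipaddress.ip_address(entry)
        if addr in seen:
            problems.append(f"{addr} assigned twice")
        seen.add(addr)
        if addr == plan["gateway"]:
            problems.append(f"{addr} is the firewall's own LAN2 address")
        elif addr not in usable:
            problems.append(f"{addr} is not a usable host in {plan['lan2_network']}")
    return problems


if __name__ == "__main__":
    # Constructed example values matching the (fake) blocks quoted in the thread.
    plan = plan_routed_subnet("64.60.100.10/28", "64.55.100.10/26")
    print(f"LAN2 {plan['lan2_network']}, gateway {plan['gateway']}, "
          f"{len(plan['usable'])} addresses available for virtual routers")
    # A deliberately flawed assignment list: a duplicate, the gateway, and the broadcast.
    candidates = ["64.55.100.11", "64.55.100.11", "64.55.100.10", "64.55.100.63"]
    for problem in check_assignments(plan, candidates):
        print("problem:", problem)
```

Run it before the data-center visit; the same two functions can be called from whatever script hands addresses to the virtual routers, so a bad address is rejected before it ever appears on LAN2.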

  • Zyxel_James
    Zyxel_James Posts: 614  Zyxel Employee

    Hello @Ckat1212,
    According to your request, how about connecting the virtual routers to the DMZ and setting up static public IPs on the virtual routers? Then allow WAN to DMZ if you want to access them from the internet.

    James
