ZyWALL 110: Why are pfw's for WAN1 active on WAN2 as well? (2 different IP's, same ISP)

Options
jwladd
jwladd Posts: 6
First Anniversary First Comment
edited April 2021 in Security
Have different static IP's (from same ISP) assigned to WAN1 & WAN2. Have a few NAT rules for virtual servers specifying WAN1 only. When accessing WAN2's IP from offsite, same ports are forwarded as those for WAN1's IP.  Since firewall policies don't differentiate between WAN1 & WAN2 (just WAN zone), is there somewhere else I need to config to have no incoming ports open for WAN2? (this for PCI compliance)

Best Answers

  • jwladd
    jwladd Posts: 6
    First Anniversary First Comment
    Answer ✓
    Options
    You're the best! Specifed external IP as WAN1 IP (instead of 'any'), works like a champ! Is this happening this way because IP's are both from the same block of IP's from ISP?

All Replies

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,376  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Hi @jwladd

    The NAT rule seems only forwarding the traffic from specific WAN interface which you configured.

    Could you provide configuration to me by private message or take a screenshot of your NAT rules?


    Share yours now! https://bit.ly/4aO0BMF

    Stanley

  • jwladd
    Options

  • jwladd
    Options
    Have Exch svr & RDS svr on LAN1 accessible by WAN1 IP. Want to use WAN2->LAN2 for credit card terminal only (PCI compliance). If I access WAN2 IP, ports 80, 4085 & 443 all are forwarded to LAN1, even though NAT rules specify WAN1. Btw, all rules/policies setup via GUI, none from CLI.
  • ChrisGer
    ChrisGer Posts: 205  Ally Member
    First Anniversary Friend Collector First Answer First Comment
    Options

    jwladd

    Where is a NAT rule from Interface WAN2 to your destination in the DMZ area ?

    Regards
    Christian

  • jwladd
    Options
    I currently have nothing in DMZ... is that what I need to do to stop pfw's (that specify WAN1) from being active when accessing WAN2 IP? My goal is to have no open ports/pfw's incoming on WAN2, so I never saw reason to NAT WAN2 to DMZ. FYI: credit card terminal (requiring PCI compliance scans) is on LAN2.
  • jwladd
    jwladd Posts: 6
    First Anniversary First Comment
    Answer ✓
    Options
    You're the best! Specifed external IP as WAN1 IP (instead of 'any'), works like a champ! Is this happening this way because IP's are both from the same block of IP's from ISP?
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,376  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Hi @jwladd

    It is because your NAT rule is setup as “any”.

    So both of WAN will “listen” the traffic from ISP.

    If there is request from Internet, then will forward traffic to internal server.

    Share yours now! https://bit.ly/4aO0BMF

    Stanley

Security Highlight