ZyWALL 110: Why are pfw's for WAN1 active on WAN2 as well? (2 different IP's, same ISP)

jwladd
jwladd Posts: 6  Freshman Member
First Comment Third Anniversary
edited April 2021 in Security
Have different static IP's (from same ISP) assigned to WAN1 & WAN2. Have a few NAT rules for virtual servers specifying WAN1 only. When accessing WAN2's IP from offsite, same ports are forwarded as those for WAN1's IP.  Since firewall policies don't differentiate between WAN1 & WAN2 (just WAN zone), is there somewhere else I need to config to have no incoming ports open for WAN2? (this for PCI compliance)

Best Answers

  • jwladd
    jwladd Posts: 6  Freshman Member
    First Comment Third Anniversary
    Answer ✓
    You're the best! Specifed external IP as WAN1 IP (instead of 'any'), works like a champ! Is this happening this way because IP's are both from the same block of IP's from ISP?

All Replies

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,386  Zyxel Employee
    100 Answers 1000 Comments Friend Collector Seventh Anniversary

    Hi @jwladd

    The NAT rule seems only forwarding the traffic from specific WAN interface which you configured.

    Could you provide configuration to me by private message or take a screenshot of your NAT rules?


  • jwladd
    jwladd Posts: 6  Freshman Member
    First Comment Third Anniversary

  • jwladd
    jwladd Posts: 6  Freshman Member
    First Comment Third Anniversary
    Have Exch svr & RDS svr on LAN1 accessible by WAN1 IP. Want to use WAN2->LAN2 for credit card terminal only (PCI compliance). If I access WAN2 IP, ports 80, 4085 & 443 all are forwarded to LAN1, even though NAT rules specify WAN1. Btw, all rules/policies setup via GUI, none from CLI.
  • ChrisGer
    ChrisGer Posts: 206  Ally Member
    Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - WLAN Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Nebula

    jwladd

    Where is a NAT rule from Interface WAN2 to your destination in the DMZ area ?

    Regards
    Christian

  • jwladd
    jwladd Posts: 6  Freshman Member
    First Comment Third Anniversary
    I currently have nothing in DMZ... is that what I need to do to stop pfw's (that specify WAN1) from being active when accessing WAN2 IP? My goal is to have no open ports/pfw's incoming on WAN2, so I never saw reason to NAT WAN2 to DMZ. FYI: credit card terminal (requiring PCI compliance scans) is on LAN2.
  • jwladd
    jwladd Posts: 6  Freshman Member
    First Comment Third Anniversary
    Answer ✓
    You're the best! Specifed external IP as WAN1 IP (instead of 'any'), works like a champ! Is this happening this way because IP's are both from the same block of IP's from ISP?
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,386  Zyxel Employee
    100 Answers 1000 Comments Friend Collector Seventh Anniversary

    Hi @jwladd

    It is because your NAT rule is setup as “any”.

    So both of WAN will “listen” the traffic from ISP.

    If there is request from Internet, then will forward traffic to internal server.

Categories

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)