For Zyxel USG60 unified security gateway, how can we set it to have private LAN & public IPs in DMZ

Mammad
Mammad Posts: 4  Freshman Member
edited April 2021 in Security

Hi, we have a firewall: a Zyxel USG60 unified security gateway.

Currently, we use the USG60 firewall (as a router) by creating only LAN IPs (192.168.0.xxx) on ports N. 3 & 4 as a private network (and protecting this one), and by means of an external interface (for example, WAN2, port N. 2) we make a connection to the internet.

In short, for example, we have:

A router CISCO with IP address: 172.10.1.1 (as a gateway);

A Zyxel USG60 as firewall, with an external interface, WAN2, IP: 172.10.1.80 (on port N. 2) connected, by means of a switch, to the CISCO router for the internet connection. Our private LAN1 is connected to port N. 3 with IPs 192…..

We would like to create a DMZ interface (for example, on port N. 6), with IP 172.10.1.13, to put our machines with public IPs, such as DNS1 & DNS2 servers (IP: 172.10.1.100 & 172.10.1.10), mail & www server (172.10.1.77), E-Learning platform (172.10.1.22), etc., in this zone, and go to the internet by means of IP 172.10.1.8 of WAN1 (port N. 1). How can we set up our USG60 firewall? It is important that the DMZ interface passes to the internet the original public IP of every machine put in this zone. For example, when I go to the http://www.speedtest.net web site from a machine with IP 172.10.1.22, I can see the same IP (172.10.1.22) identified by that server.

Thanks   

All Replies

  • Mammad
    Mammad Posts: 4  Freshman Member

    I tried to make a BRIDGE as following suggestions found in the Zyxel forum:

    How to route multiple public IPs to devices behind a Zyxel router, where the device behind the Zyxel holds a public IP.  Typically this method is used when routers are connected behind the Zywall.

    Method 1:  Use this method to provide "no NAT" to the device behind the Zyxel.  This method only works when there is a router in front of the Zyxel so that both the Zyxel and the device behind the Zyxel can use the same gateway.

    *Go to Network>Interface>Bridge

    *Set Interface type to: external

    *Interface name: br1

    *Zone: WAN

    *Members: WAN1,dmz

    *Go to Network>Interface>Trunk and create a new Trunk Group with "br1" as the primary member

    *Go to Object>Address and add a host for each usable public static IP

    *If the device behind the Zyxel is a router, Go to Security Policy > Session Control and disable the session limits

    *Configure the device behind the Zyxel with a usable public static IP and point it to the same gateway that Zyxel is using.

    *Plug device behind the Zyxel into a DMZ port.

    *Add a route in the Zyxel that states: Incoming > Interface: DMZ > Source Address: Object_Address_PublicIP > Destination: Any > Next hop: Interface br1 > SNAT: Object_Address_PublicIP.

    I made the following:

    Internet <-------> Gateway(172.10.1.1) <-----------> (WAN1, P1)USG(DMZ, P6) <-------> IP-to-Public (172.10.1.xxx)

    When I go to add a route as: Network > Routing > Policy Route, have the following error:

    CLI Number: 11
    Warning Number: 28005
    Warning Message: 'Invalid gateway from Next-Hop interface. Policy route rule will not work
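    The Method 1 bridged "no NAT" DMZ quoted above is easy to get wrong on paper before anything is entered in the GUI. The following Python script is an added example, not from this thread or from Zyxel: it takes the address plan from the opening post, checks that every DMZ host can actually share the CISCO gateway (same subnet, no private-LAN address, no address reused), and emits the per-host policy-route entries of Method 1 plus the explicit WAN>DMZ allow rules each publicly addressed host needs once nothing hides it behind NAT. The /24 mask and the per-host service list are assumptions.

```python
import ipaddress

# Address plan from the opening post, as a constructed sample. The /24 mask is
# an assumption: the thread gives gateway 172.10.1.1 but never the mask.
GATEWAY = "172.10.1.1"
WAN_NET = "172.10.1.0/24"
PRIVATE_LAN = "192.168.0.0/24"
WAN_IFACES = {"wan1": "172.10.1.8", "wan2": "172.10.1.80"}
DMZ_HOSTS = {"dns1": "172.10.1.100", "dns2": "172.10.1.10",
             "mail-www": "172.10.1.77", "elearning": "172.10.1.22"}
# Services each host must accept from the WAN zone (hypothetical mapping).
DMZ_SERVICES = {"dns1": ["DNS"], "dns2": ["DNS"],
                "mail-www": ["SMTP", "HTTP", "HTTPS"], "elearning": ["HTTPS"]}


def check_plan(dmz_hosts, wan_ifaces, gateway, wan_net, private_lan, services):
    """Return (problems, policy_routes, wan_to_dmz_rules) for a bridged no-NAT DMZ."""
    net = ipaddress.ip_network(wan_net)
    lan = ipaddress.ip_network(private_lan)
    gw = ipaddress.ip_address(gateway)
    problems, routes, rules = [], [], []
    # Addresses already taken by the gateway and the USG's own WAN interfaces.
    owner = {gw: "gateway"}
    owner.update({ipaddress.ip_address(a): n for n, a in wan_ifaces.items()})
    for name, addr in dmz_hosts.items():
        ip = ipaddress.ip_address(addr)
        if ip in owner:
            problems.append(f"{name}: {ip} already used by {owner[ip]}")
        elif ip in lan:
            problems.append(f"{name}: {ip} is a private LAN address, unusable on the bridge")
        elif ip not in net:
            problems.append(f"{name}: {ip} cannot share gateway {gw} (outside {net})")
        else:
            owner[ip] = name
            # No NAT: the host's own public IP is what the Internet sees, so the
            # policy route sends its traffic to br1 with SNAT set to itself.
            routes.append({"incoming": "dmz", "source": str(ip), "destination": "any",
                           "next_hop": "br1", "snat": str(ip)})
            # The host is directly reachable: nothing gets in unless WAN>DMZ allows it.
            for svc in services.get(name, []):
                rules.append({"from": "WAN", "to": "DMZ", "destination": str(ip),
                              "service": svc, "action": "allow"})
    for name in services:
        if name not in dmz_hosts:
            problems.append(f"{name}: services listed but host is not in the DMZ plan")
    return problems, routes, rules
```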


  • Zyxel_Emily
    Zyxel_Emily Posts: 1,376  Zyxel Employee

    Follow the example to set the interface type and zone.
    There is no error message when you create the policy route.
    Since it might be a configuration issue, I need to check your configuration file to see what the problem is. I will send you a private message later.




  • Mammad
    Mammad Posts: 4  Freshman Member
    Hi Zyxel_Emily, thanks for your suggestion.
    I will try this one as soon as possible and will send you a comment.
  • Mammad
    Mammad Posts: 4  Freshman Member
    Hi Zyxel_Emily, thanks for your reply.
    As you suggested, we set up our network as follows:

    WAN2 (P2) ----> with a static IP, Net-Mask & GW. 
    LAN1 (P3, P4, P5) ---->192........ 
    WAN1 ----> P1, DMZ ----> P6. 
    WAN1 (No IP, NM & GW) + DMZ (No IP, NM & GW) ----> BR1 (No IP, NM & GW). 
    It is OK now. So, we have all PCs with public IPs in the DMZ zone.
    Now, I would like to know if the PCs in the DMZ zone are protected by the firewall.
    Also, I would like to ask you if it is possible to share some disks/folders/files in the LAN1 zone with the PCs in the DMZ zone.
    You can find some screenshots of the configuration of our network in the attached file.
    Thanks again,
    Mammad  
  • Zyxel_Emily
    Zyxel_Emily Posts: 1,376  Zyxel Employee
    After the DMZ joins the bridge interface, it becomes a "port", not an interface. It still keeps its original zone, so it is protected by the firewall.
    The bridge is only used for management.
    In your scenario, it is suggested to set the interface type as external and the zone as WAN.
    Attached is the guide with detailed configuration steps for sharing disks/folders/files in the LAN1 zone with the PCs in the DMZ zone.
  • virtualware
    virtualware Posts: 4  Freshman Member
    edited January 2019
    Hello,
    My configuration:
    1 OVH xDSL Zyxel VMG8924_B10D in bridge mode with 1 public IP and an additional IPv4 /29 block, connected to WAN1 of a USG 100.
    I have several virtual machines (DNS server, web server, mail server, SQL server, ...) that currently work on the DMZ leg in NAT on the main IPv4 address of the OVH box.

    My question
    Is it possible, or rather how, to assign my IPv4 /29 block (6 IPv4 addresses) directly on the DMZ leg, to assign them to my different virtual machines without doing NAT?

    Thank you for your help
    Sebastian


  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    @virtualware
    You can follow @Zyxel_Emily's attached SOP in the previous post, and you also need to add one more rule in the security policy "WAN > DMZ" with the requested service that the virtual server is using.
    Or did you face some issue during operation?
    Charlie
  • virtualware
    virtualware Posts: 4  Freshman Member
    Hello,
    I would like to know if I definitely have to put the VMG8924_B10D in bridge mode, because I have 2 phone lines attached to my xDSL subscription, and when I'm in bridge mode I no longer have those phone lines.
    Thank you

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    @virtualware
    Regarding your description,
    do you want to configure the VMG in routing mode, and is your purpose to remotely manage your local servers?
    If so, you need to create the NAT rule (port forwarding) on the VMG and the USG.
    Please send your configuration. I will private message you later.
    Charlie 
