Static routes can't access the internet

ewing Posts: 17  Freshman Member
edited April 2021 in Security
Hi, I migrated to a USG1100 from a 310. I have two LANs, 192.168.50.0 and 172.16.0.0, behind a MikroTik router that is not doing masquerade, only routing to 192.168.1.1 (Zyxel). I made the static routes on the Zyxel:

Destination IP 172.16.0.0/24
Gateway IP 192.168.1.2 (mikrotik)

Destination IP 192.168.50.0/24
Gateway IP 192.168.1.2 (mikrotik)

With the old 310 I only make static routes and everything works.
Am I missing something?

All Replies

  • Alfonso
    Alfonso Posts: 257  Master Member
    Is the USG1100 NATing the traffic to the internet?
    Do the servers ping the USG1100?

    I think more information is needed to solve the issue.
  • ewing
    ewing Posts: 17  Freshman Member
    Yes, the 1100 is NATing. The servers with an IP in the same LAN as the Zyxel can access the internet; the servers in a different LAN cannot. I made the routes but they don't work.
    What information do you need?

    NOTE
    I have this problem with the 310 with firmware 4.31, but with firmware 4.25 everything works.
  • Zyxel_Vic
    Zyxel_Vic Posts: 281  Zyxel Employee
    Hi @ewing
    Have you configured any policy route on your USG1100 that may cover your static route? Policy routes have higher priority than static routes.
  • ewing
    ewing Posts: 17  Freshman Member
    I disabled all the SNAT rules for testing, and the NAT rules, with the same results.
  • Zyxel_Emily
    Zyxel_Emily Posts: 1,296  Zyxel Employee

    Hi @ewing,

    "I have this problem with the 310 with firmware 4.31, but with firmware 4.25 everything works."

    Do you have the backup configuration file with firmware 4.25 version?

    We need the configuration file to check the root cause, so I will send you what information we need in the private message.


  • ewing
    ewing Posts: 17  Freshman Member
    I'm putting this video because maybe someone can give me some clue.

    https://youtu.be/o1LSem_6g5w
  • Zyxel_Vic
    Zyxel_Vic Posts: 281  Zyxel Employee
    Hi @ewing
    It's difficult to identify what's going on and the root cause in your device based on the video. It would be more helpful if you could provide us the config files (both config files, on 4.25 and 4.31), so that we can check directly using our device.
  • ewing
    ewing Posts: 17  Freshman Member
    Zyxel_Vic said:
    Hi @ewing
    It's difficult to identify what's going on and the root cause in your device based on the video. It would be more helpful if you could provide us the config files (both config files, on 4.25 and 4.31), so that we can check directly using our device.
    I send you the files.
  • Zyxel_Emily
    Zyxel_Emily Posts: 1,296  Zyxel Employee
    edited November 2018

    Hi @ewing,

    I followed your topology and set up a router to run the test.

    Router: NBG-419N v2

    NAT is disabled on the router.


    Topology

    ISP----(ge1: 10.214.48.25)USG310(lan: 192.168.99.4)----(wan: 192.168.99.5)Router(lan: 172.16.0.1)----PC(172.16.0.2)

    Apply config_usg_1100_v4.31_AAPK1.conf to USG310.

    USG310 is running with firmware 4.31(AAPJ.0).

    In the configuration file, the next hop of static route is modified because the router gets IP 192.168.99.5.

    Change the IP of ge1.

    Other settings remain the same as yours.


    PC(172.16.0.2) ping 8.8.8.8 and 192.168.99.4 successfully.

    There is no problem with the static route with firmware 4.31(AAPJ.0) and 4.25.

    If PC is still unable to ping 8.8.8.8, we need further information such as remote access to find out the root cause.


  • ewing
    ewing Posts: 17  Freshman Member
    edited November 2018
    After doing so many tests, I finally found the solution: I first assigned the public IPs to the interface, removed it, then made the 1:1 NAT rule, and it's working.
    What happens if I have 100 IPs? This time it was only 3.
