Opening Ports for external access on ZyWall USG20W

PerA

Hi,

I have tried to follow both videos and tips on those forums how to get access from internet to a server located on my LAN- without success....

My IP according to www.whatsmyip.com is 83.209.29.154 and I want to connect to the device that has a fixed IP of 192.168.0.10.

The access is from a mobile phone with 4G data and I can set whatever port to be used and it should be mapped on the inside to 8080

What the heck am I doing wrong?

Line2

your ZyWALL wan1 IP address is a private (RFC1918) address. Is the ZyWALL behind another router which is also doing NAT?

PeterUK

Your WAN IP is not set to 83.209.29.154 its 172.16.0.168 going by your NAT rule so your behind another router? Can it be changed to modem mode or bridge mode? Or your ISP blocks you from forwarding ports?

Zyxel_Emily

Hi @PerA,

 

If there are double/multiple NAT in your topology, you need to configure NAT and firewall rules on not only USG20W but also the routers which are placed ahead of USG20W.

You can follow the guide in the following discussion thread.

USG60 - NAS conecntion from Home to Office

PerA

Hi,

No - it is my ISP directly into the USG20W and behind it I have a LAN1 and a LAN2. Looking at some cases at YouTube there seems to be many suggested ways to configure that and I have to admit that I get lost.

If I do it in the following sequence I see step 1, 2 and 3 as understandable:

Step 1 - I define a service rule named AVH that is TCP and port 8080

Step 2 - I define an address object for the AVH where TYPE is HOST and I use the fixed IP address 192.168.0.10

Step 3 - add a FW rule stating from WAN and to LAN1 (where the system 192.168.0.10 is). Source ANY, destination AVH and service AVH

The comes the tricky thing where I loost contrul/understanding and that is the NAT rule where I cant select WAN as incoming interface - only WAN1...

I set original IP as ANY, mapped IP as defined AVH, and then port mapping type SERVICE with both following defined av AVH

PLEASE NOTE - I have changed so the outbound port from mobile device now is 8080 exactly as the port I want to access on AVH - PLEASE NOTE

Any suggestions welcome/Per-Arne

PS - my ISP states that they block no ports at all - DS

PerA

Zyxel_Emily said:

Hi @PerA,

 

If there are double/multiple NAT in your topology, you need to configure NAT and firewall rules on not only USG20W but also the routers which are placed ahead of USG20W.

You can follow the guide in the following discussion thread.

USG60 - NAS conecntion from Home to Office

Hi,

No - it is my ISP directly into the USG20W and behind it I have a LAN1 and a LAN2. Looking at some cases at YouTube there seems to be many suggested ways to configure that and I have to admit that I get lost.

If I do it in the following sequence I see step 1, 2 and 3 as understandable:

Step 1 - I define a service rule named AVH that is TCP and port 8080

Step 2 - I define an address object for the AVH where TYPE is HOST and I use the fixed IP address 192.168.0.10

Step 3 - add a FW rule stating from WAN and to LAN1 (where the system 192.168.0.10 is). Source ANY, destination AVH and service AVH

The comes the tricky thing where I loost contrul/understanding and that is the NAT rule where I cant select WAN as incoming interface - only WAN1...

I set original IP as ANY, mapped IP as defined AVH, and then port mapping type SERVICE with both following defined av AVH

PLEASE NOTE - I have changed so the outbound port from mobile device now is 8080 exactly as the port I want to access on AVH - PLEASE NOTE

Any suggestions welcome/Per-Arne

PS - my ISP states that they block no ports at all - DS

PeterUK

Sorry but No you have another router upstream from the USG20W if you was directly connected your WAN1 on the USG20W would show 83.209.29.154 which it does not and shows 172.16.0.168

Zyxel_Emily

Hi @PerA,

 

"it is my ISP directly into the USG20W and behind it I have a LAN1 and a LAN2."

Could you share the topology with us?

For example, is there a xDSL router provided by the ISP?

ISP----xDSL router------(wan)USG20W

 

Please confirm with ISP if they provide public IP address to you.

In your screen shot, wan1 is 172.16.0.168 which is private IP address.

If the ISP gives you private IP address, or there is a xDSL router in your topology, you need to configure firewall rule or NAT rule on the router if it is allowed for configuration.

Alfonso

Hi @PerA

I suppose your ISP is lacking public IPv4 address and it is giving internal ip address like 172.16.0.168, and then it "nats" using a CGNAT router in the network.

In this scenario, the only way to what you want is talking to your ISP provider.