Two independent network connections

artit
artit Posts: 10  Freshman Member
First Comment Friend Collector
edited April 2021 in Security
I have got Zyxel USG 310. On port GE1 I have got first public address x.x.x.230, on port GE2 I have got second public address x.x.x.229. Port GE1 and GE2 work in failover mode. On port GE3 I have got third public address x.x.x.228. Port GE4 is internal port to subnet 192.168.2.0/24. Port GE5 is internal port to subnet 192.168.5.1.
I would like to connect port GE1 and 2 to port GE4, and port GE3 to port GE5 (independent). 
Who can help me?

All Replies

  • Alfonso
    Alfonso Posts: 257  Master Member
    5 Answers First Comment Friend Collector Second Anniversary
    What does "connect port GE1 and 2 to port GE4" mean?

    There could be diverse interpretations of what you want to do.

    Can you explain what you want more deeply?
  • alexey
    alexey Posts: 188  Master Member
    First Comment Friend Collector Fifth Anniversary
    You want, that subnet 192.168.2.0/24 goes to internet via GE 1+2, and subnet 192.168.5.0/24 via GE3?
    If yes, you must create 2 policy routes.
    1 like.
    Incoming - interface GE4, source - any, destination - any.
    Next-hop - trunk and select created trunk GE1+GE2.
    SNAT - outgoing-interface.
    2 like.
    Incoming - interface GE5, source - any, destination - any.
    Next-hop - interface GE3
    SNAT - outgoing-interface.

  • Ian31
    Ian31 Posts: 174  Master Member
    5 Answers First Comment Friend Collector Sixth Anniversary
    USG does not support VRF(virtual routing & forwarding). 
    Do not connect multiple wan ports to the same IP subnet.
    The packet might go in/out different wan ports because of the ARP leaning and reply.
    For example,
    GE1, GE2, GE3 has the same default gateway.
    So which ports will the packets go out to the default gateway ? 

    So that the workaround is binding multiple wan IPs on the same base interface.
    Please create virtual interfaces on the same base interface.
    For example,
    GE1 : x.x.x.230
    GE1:1 : x.x.x.229
    GE1:2 : x.x.x.228

    Then create wan ip address objects,
    WAN_IP_POOL1: IP range, x.x.x_229 - x.x.x._230
    WAN_IP_POOL2: Host, x.x.x.228

    Then create two policy route rules,
    (1) Incoming: GE4, next-hop: GE1, SNAT: WAN_IP_POOL1
    (2) Incoming: GE5, next-hop: GE1, SNAT: WAN_IP_POOL2

  • artit
    artit Posts: 10  Freshman Member
    First Comment Friend Collector
    edited November 2018
    Thank you all for your interest.
    @alexey, almost yes ;)
    In fact, I would like the traffic coming out of the 2.0/24 network to come out of the GE 1+2 interface, and out of the 5.0/25 network by GE3. I would also like the traffic (e.g. https) coming to GE3 to GE5 interface and GE1+2 to GE4.



Categories

Security Highlight


Read more

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)