Help with setup testing of type 2 real DMZ

PeterUK (Guru Member)
edited January 15 in USG FLEX H Series

I have found a type 3 setup of real DMZ that works fine, which has made me happy, but it means more hardware to set up, so I wanted to see if this type 2 could be made to work better.

So it's looking like my 1st type real DMZ will no longer be supported on newer models (I might be wrong, but that's what I think) due to the asymmetrical way traffic comes in on the bridge. So I have done it another way which somewhat works but has problems that need looking into. Here is the setup for type 2.

And for testing, the team can ask for a TeamViewer session and log in to the FLEX200H to double-check my findings as to the problem and whether it can be fixed; if not, then type 3 will work and I will go with that.

The test PC I remote in on is by bridge DMZ to WAN1 with the WAN IP on the FLEX200H; the PC by VirtualBox is on VLAN47 to the FLEX200H, out GE2 WAN2.

First problem needing to be looked at: needing to ACL drop the RST TCP flag (speed test by port 8080 by bridge PC, look on ge2) and slow, unstable speed, and ICMP Destination Unreachable (YouTube QUIC by bridge PC, look on ge2).

By VLAN47 everything is fine when doing a https://www.speedtest.net/: traffic goes out Ge2, comes in on Ge2, and the bridge side blocks traffic that does not match. But when you do a https://www.speedtest.net/ on the PC by bridge, traffic goes in on DMZ, out ge1 bridge, comes in on bridge Ge1, out DMZ, but also in on ge2, which you would think just drops the traffic for no match, but instead it floods a load of TCP RST and ICMP Destination Unreachable, which is why the Cisco switch drops them from Flex200H ge2, and it works but causes a speed slowdown.

Second problem: the bridge is not truly isolated, as in traffic sessions don't stay to just the bridge, like VLAN47 can ping out ge2 to 8.8.8.8 but receives an extra ping reply, same with TCP SYN, ACK, which is how type 1 real DMZ would work, but in this case it stops after the first reply and then ping goes as normal.

Thanks if you can do some testing and see if the FLEX200H can be made to work with this setup, as I'd be interested in buying the next-gen models with 10Gb in years down the line.
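A way to check the ge2 symptom described in this post from a capture (an added example, not code from the thread or from Zyxel): it counts TCP RST and ICMP unreachable packets per second in a `tcpdump -n -i ge2` text dump and lists the packets that belong to flows the bridge-side capture already showed, i.e. traffic that should never have appeared on ge2. The sample tcpdump lines, the addresses and the bridge flow set are all constructed for this example.

```python
import re
from collections import Counter

# Constructed sample of "tcpdump -n -i ge2" output (RFC 5737 documentation
# addresses; not a capture from the thread). 192.0.2.2 plays the speed test
# server, 203.0.113.10 the bridge PC's WAN IP, 198.51.100.5 the WAN2 IP.
GE2_CAPTURE = """\
12:00:01.000100 IP 192.0.2.2.8080 > 203.0.113.10.51234: Flags [S.], seq 0, ack 1, win 65535, length 0
12:00:01.000200 IP 203.0.113.10.51234 > 192.0.2.2.8080: Flags [R], seq 1, win 0, length 0
12:00:01.000300 IP 192.0.2.2.8080 > 203.0.113.10.51234: Flags [S.], seq 0, ack 1, win 65535, length 0
12:00:01.000400 IP 203.0.113.10.51234 > 192.0.2.2.8080: Flags [R], seq 1, win 0, length 0
12:00:01.000500 IP 198.51.100.5 > 192.0.2.3: ICMP 198.51.100.5 udp port 443 unreachable, length 36
12:00:02.000100 IP 198.51.100.5.40000 > 192.0.2.4.443: Flags [P.], seq 1:100, ack 1, win 501, length 99
12:00:02.000200 IP 192.0.2.4.443 > 198.51.100.5.40000: Flags [.], ack 100, win 501, length 0
"""

# Flows the bridge-side capture (DMZ <-> ge1) showed, as (src, sport, dst, dport).
# Anything matching one of them on ge2 has leaked off the bridge path. Constructed.
BRIDGE_FLOWS = {("203.0.113.10", 51234, "192.0.2.2", 8080)}

TCP_RE = re.compile(r"^(\d\d:\d\d:\d\d)\.\d+ IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")
ICMP_RE = re.compile(r"^(\d\d:\d\d:\d\d)\.\d+ IP (\S+) > (\S+): ICMP .* unreachable")

def analyse(capture, bridge_flows):
    """Return (per-second count of TCP RST + ICMP unreachable, lines that
    belong to a bridge flow in either direction) for one interface's dump."""
    resets = Counter()
    leaked = []
    for line in capture.splitlines():
        m = TCP_RE.match(line)
        if m:
            sec, src, sport, dst, dport, flags = m.groups()
            forward = (src, int(sport), dst, int(dport))
            reverse = (dst, int(dport), src, int(sport))
            if forward in bridge_flows or reverse in bridge_flows:
                leaked.append(line)
            if "R" in flags:          # tcpdump prints R for the RST flag
                resets[sec] += 1
            continue
        m = ICMP_RE.match(line)
        if m:
            resets[m.group(1)] += 1
    return resets, leaked

def flood_seconds(resets, threshold):
    """Seconds in which the interface emitted at least `threshold` RST/unreachable."""
    return sorted(sec for sec, n in resets.items() if n >= threshold)

if __name__ == "__main__":
    counts, leaked = analyse(GE2_CAPTURE, BRIDGE_FLOWS)
    print("RST/ICMP-unreachable per second:", dict(counts))
    print("bridge-flow packets seen on ge2:", len(leaked))
    print("busy seconds:", flood_seconds(counts, 3))
```

Feed it the real ge2 dump and the flows from the bridge-side dump to see whether the RSTs line up with bridge sessions, which is what separates a leak of the bridge path from ordinary unsolicited WAN2 noise.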

All Replies

  • Zyxel_James (Zyxel Employee)

    Please provide TeamViewer of the bridge PC for further checking if your DMZ scenario works with USGFLEX200H.

  • PeterUK (Guru Member)
    edited January 13

    So I guess, James, you got busy on something more important that needed looking into?

    Anyway, an update on this: with V1.10(ABWV.1)ITS-rc9300b15, which I have been given, the speed is now more stable, but the FLEX is still sending RST when I do a speed test with port 8080, which, had I not blocked it with a switch, would cause problems.

    Edit: the speed seems more stable, but at times it stalls; the speed seemed fine when I tested, but now it's not.

    Is there a way to turn off this generating of TCP RST and ICMP Destination Unreachable that is happening from the interface itself?

    Thanks