Help with setup testing of type 2 real DMZ

PeterUK
PeterUK Posts: 3,461  Guru Member
edited January 15 in USG FLEX H Series

I have found a type 3 setup of real DMZ that works fine and has made me happy, but it means more hardware to set up, so I wanted to see if this type 2 could be made to work better.

So it's looking like my 1st type real DMZ will no longer be supported on newer models (I might be wrong, but that's what I think) due to the asymmetrical way traffic comes in on the bridge... So I have done it another way which somewhat works but has problems that need looking into. Here is the setup for type 2.

And for testing, the team can ask for a TeamViewer session and log in to the FLEX200H to double-check my finding as to the problem, and whether it can be fixed; if not, then type 3 will work and I'll go with that.

The test PC I remote in on is on the bridge DMZ to WAN1 with a WAN IP on the FLEX200H; the PC in VirtualBox is on VLAN47 to the FLEX200H, out GE2 WAN2.

First problem needing to be looked at: needing an ACL to drop the TCP RST flag. Speed test by port 8080 from the bridge PC, look on ge2: slow, unstable speed. And ICMP Destination Unreachable with YouTube QUIC from the bridge PC, look on ge2.

By VLAN47 everything is fine: when doing a https://www.speedtest.net/ test, traffic goes out Ge2 and comes in on Ge2, and the bridge side blocks traffic that does not match. But when you do a https://www.speedtest.net/ test on the PC by the bridge, traffic goes in on DMZ, out ge1 bridge, comes in on bridge Ge1, out DMZ, but also in on ge2, which you would think would just drop the traffic for no match, but instead it floods a load of TCP RST and ICMP Destination Unreachable, which is why the Cisco switch drops them from Flex200H ge2; it works but causes a speed slow down.

Second problem: the bridge is not truly isolated, as in traffic sessions don't stay to just the bridge; for example VLAN47 can ping out ge2 to 8.8.8.8 but receives an extra ping reply, same with TCP SYN, ACK, which is how type 1 real DMZ would work, but in this case it stops after the first reply and then ping goes as normal.

Thanks if you can do some testing and see if the FLEX200H can be made to work with this setup, as I'd be interested in buying the next gen models with 10Gb years down the line.
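As an added illustration that is not part of this thread or of Zyxel's software: a small Python checker that takes constructed packet summaries like the ones described in the post, reports which flows appear on more than one FLEX200H interface (the asymmetric path), and counts the TCP RST and ICMP Destination Unreachable packets per interface (the flood the switch ACL was dropping). The interface names, addresses and packet list are assumptions made up for the example.

```python
from collections import Counter, defaultdict

# Constructed packet summaries, not a real capture from the thread:
# (interface, proto, src, sport, dst, dport, tcp_flags_or_icmp_type)
PACKETS = [
    ("ge1", "tcp", "203.0.113.10", 51000, "198.51.100.5", 8080, "S"),   # SYN out via bridge
    ("ge1", "tcp", "198.51.100.5", 8080, "203.0.113.10", 51000, "SA"),  # SYN/ACK back on bridge
    ("ge2", "tcp", "198.51.100.5", 8080, "203.0.113.10", 51000, "SA"),  # same reply also seen on WAN2
    ("ge2", "tcp", "203.0.113.10", 51000, "198.51.100.5", 8080, "R"),   # firewall resets the unmatched copy
    ("ge2", "tcp", "203.0.113.10", 51000, "198.51.100.5", 8080, "R"),
    ("ge1", "tcp", "203.0.113.10", 51000, "198.51.100.5", 8080, "A"),
    ("ge2", "udp", "203.0.113.10", 443, "203.0.113.20", 44300, ""),     # QUIC reply landing on WAN2
    ("ge2", "icmp", "192.0.2.1", 0, "203.0.113.10", 0, "3"),            # ICMP type 3: dest unreachable
    ("ge2", "udp", "203.0.113.30", 40000, "198.51.100.9", 53, ""),      # normal VLAN47 traffic
    ("ge2", "udp", "198.51.100.9", 53, "203.0.113.30", 40000, ""),
]

def flow_key(pkt):
    """Direction-independent 5-tuple so both halves of a session map to one key."""
    _, proto, src, sport, dst, dport, _ = pkt
    return (proto,) + tuple(sorted([(src, sport), (dst, dport)]))

def flows_by_interface(packets):
    """Map each flow to the set of interfaces its packets were seen on."""
    seen = defaultdict(set)
    for p in packets:
        seen[flow_key(p)].add(p[0])
    return seen

def asymmetric_flows(packets):
    """Flows whose packets appear on more than one interface: the type 2 symptom."""
    return {k: sorted(v) for k, v in flows_by_interface(packets).items() if len(v) > 1}

def reject_counts(packets):
    """Count TCP RST and ICMP unreachable per interface; a burst here is the flood to look for."""
    counts = Counter()
    for iface, proto, *_, tail in packets:
        if proto == "tcp" and "R" in tail:
            counts[(iface, "tcp-rst")] += 1
        elif proto == "icmp" and tail == "3":
            counts[(iface, "icmp-unreach")] += 1
    return counts

if __name__ == "__main__":
    for flow, ifaces in asymmetric_flows(PACKETS).items():
        print("asymmetric:", flow, "seen on", ifaces)
    for (iface, kind), n in sorted(reject_counts(PACKETS).items()):
        print(f"{iface}: {n} x {kind}")
```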

All Replies

  • Zyxel_James
    Zyxel_James Posts: 663  Zyxel Employee

    Please provide TeamViewer access to the bridge PC for further checking if your DMZ scenario works with the USGFLEX200H.

  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    edited January 13

    So I guess, James, you got busy on something more important that needed looking into?

    Anyway, an update on this: with V1.10(ABWV.1)ITS-rc9300b15 that I have been given, the speed is now more stable, but the FLEX is still sending RST when I do a speed test with port 8080, which, had I not blocked it with a switch, would cause problems.

    Edit: the speed seems more stable, but at times it stalls; the speed seemed fine when I tested, but now it's not.

    Is there a way to turn off this generating of TCP RST and ICMP Destination Unreachable that is happening from the interface itself?

    Thanks

  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    edited August 23

    V1.21(ABWV.0)ITS-24WK35-0813-240800592

    In testing this again I found you had in fact turned off this generating of TCP RST and ICMP Destination Unreachable, and now the speed test for port 8080 is fast and there is no more ICMP Destination Unreachable for UDP.

    I was talking with Jan in support about another issue to do with NAT port mapping over a bridge, which was solved, but with this setup it causes a slow down for inbound TCP traffic.

    I do know of a tested way, which I call type 3 of this setup, that works but needs more hardware, so I'm not sure if this can be relooked at to have the inbound speed fixed; outbound seems fine as type 2 currently is.

  • PeterUK
    PeterUK Posts: 3,461  Guru Member

    Update

    Now type 2.1

    I found a way to stop the slow down for TCP inbound with the Cisco switch: with the above setup I now add an ACL rule to drop TCP SYN on port 7, which means inbound TCP on the WAN1 (P1) bridge now only sees the SYN and WAN2 (P2) does not, which is fine and does what I need it to do.

    Or maybe it can be fixed without needing to do this?

  • PeterUK
    PeterUK Posts: 3,461  Guru Member

    OK, so I found out the reason the setup works was due to another problem that needs to be looked into: this setup type 2.1 works only because the User-Defined Trunk does not have WAN2 in it, which makes the setup work; when I add WAN2 to the trunk, then it starts doing RST and ICMP Destination Unreachable.