Connection between LANs without Gateway

RichRD

I have the following network setup:

Device B needs to connect to Device A, but no other device from either switch may connect to any of the devices on the other switch.

Device A and Device B are on completely separate networks with their own firewalls/gateways.

I can connect a USG20 device to both switches, LAN1 to Switch 1, LAN2 to Switch 2.

If I change the gateways of Device A and Device B to the IPs of the USG20, the connection from Device B to Device A works.

However I am not allowed to change those gateway IPs nor am I able to change any settings in FW1 and FW2.

So my solution would be to let Device B connect to the LAN2 IP of the USG20. The USG20 configures a Virtual Server and forwards the traffic to its LAN1 IP. Now this works, too. The missing part is how I add another forward from the USG20 LAN1 to Device A?

I have added another Virtual Server from USG20 LAN1 to Device A which works on its own, too. Is there a way to chain those two Virtual Servers?

Or is there maybe a simpler solution to this problem?

Accepted Solution

  • PeterUK
    edited January 24 Answer ✓

    There is a way, which I do in my setup with no gateway. The problem happens when you NAT device B: it still has its IP 192.168.50.2, which device A will use its gateway to send to 20.10.0.1 and not send back to the USG20-VPN.

    To solve this you NAT then SNAT, so that device B looks to come from 20.10.0.50.

    NAT rule

    • LAN2
    • External 192.168.50.5
    • Internal 20.10.0.11

    Routing rule

    • Incoming LAN2
    • Destination 20.10.0.11
    • Next hop LAN1
    • SNAT outgoing-interface

    Then do the same in reverse, but note: be careful, you can still access the USG.
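
Added example, not part of the thread and not Zyxel configuration: a small Python trace of the return path described in the accepted answer, showing why the NAT rule alone loses the reply and why adding SNAT fixes it. The IP addresses are the ones quoted in the answer; the /24 prefix length, the reading of 192.168.50.5 and 20.10.0.50 as the USG's LAN2 and LAN1 addresses, and all function names are assumptions made for illustration.

```python
import ipaddress

# Addresses from the thread; the /24 prefix length is an assumption.
LAN1 = ipaddress.ip_network("20.10.0.0/24")
DEVICE_A, A_GATEWAY = "20.10.0.11", "20.10.0.1"
DEVICE_B = "192.168.50.2"
# Assumed to be the USG's own interface addresses (LAN2 / LAN1).
USG_LAN2, USG_LAN1 = "192.168.50.5", "20.10.0.50"


def usg_forward(src, dst, snat):
    """Apply the NAT rule (DNAT) and, optionally, SNAT on the USG.

    Returns the rewritten (src, dst) plus the state needed to undo the
    translation on the reply, or None if no NAT rule matches.
    """
    if dst != USG_LAN2:
        return None
    new_src = USG_LAN1 if snat else src
    entry = {"reply_src": DEVICE_A, "reply_dst": new_src,
             "restore_src": USG_LAN2, "restore_dst": src}
    return (new_src, DEVICE_A), entry


def device_a_next_hop(dst):
    """Device A's routing: on-link hosts directly, the rest via its gateway."""
    return dst if ipaddress.ip_address(dst) in LAN1 else A_GATEWAY


def round_trip(snat, client=DEVICE_B):
    """Trace one request and its reply; report where the reply ends up."""
    fwd = usg_forward(client, USG_LAN2, snat)
    if fwd is None:
        return "no NAT rule matched"
    (src, dst), entry = fwd
    # Device A answers the source address it saw on the request.
    hop = device_a_next_hop(src)
    if hop != USG_LAN1:
        return f"reply sent to {hop}, never returns through the USG"
    # The reply reaches the USG, which reverses both translations.
    assert (dst, src) == (entry["reply_src"], entry["reply_dst"])
    return f"reply {entry['restore_src']} -> {entry['restore_dst']} delivered"


if __name__ == "__main__":
    print("DNAT only  :", round_trip(snat=False))
    print("DNAT + SNAT:", round_trip(snat=True))
```

With SNAT in place, Device A sees every forwarded connection as coming from 20.10.0.50, so restricting access to Device B alone has to be enforced on the USG rather than by source address on Device A.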

All Replies

  • smb_corp_user

    Not sure what the simpler solution could be, but I assume you would need firewall rules on the USG20 to allow traffic between the devices.

    LAN1 → Device 2 (allow traffic to device 2 from device 1 IP)

    LAN2 → Device 1 (allow traffic to device 1 from device 2 IP)

    Other than that, I hope some of the other Zyxel gurus will offer some useful advice.

  • RichRD

    Thank you!

    I have the standard policies enabled, so there shouldn't be any traffic limitations between devices from LAN1 and LAN2 yet.

    My thought is that for the second Virtual Server Rule to take effect, the first Virtual Server Rule not just needs to route the traffic to the LAN1 IP but also change the destination address to the LAN1 IP.

    Is this correct? Can it be done?

  • smb_corp_user

    Well, I am currently not using any active Zyxel USG although I used to manage a USG60.

    I would very much like for someone from the ZyXEL team to try to answer your question. I do not have enough experience with your scenario to be certain about what to do.

    My ignorant approach would be to apply double rules, just to make sure all traffic paths are open.

  • smb_corp_user

    Maybe. I do not have a testing scenario available. It sounds correct to me, route the traffic to a specific IP address instead of the whole LAN subnet of the target device. You would want to experiment with multiple settings and test which of the settings work as intended.

  • RichRD
    edited January 26

    Thank you, Peter, this solved the problem!

    I want to add that for the Next Hop of the routing rule I couldn't choose the interface.

    However selecting

    • Type: Gateway
    • Gateway: Target IP

    worked.
