USG FLEX 50 (USG20-VPN) Internet works, WAN is not accessible from outside
Hello,
I have a problem with a freshly installed (replaced older Zyxel) device. I had here older Zyxel and it was ok, WAN was accessible with similar rules (nearly identical), but the new configuration was done from scratch.
Everything works fine…BUT I can't reach to the https (or any) port on my public IP from outside. Device is not accessible from internet, but it should be, previous device was accessible.
What i did:
1. I put the HTTPS+ICMP ports to the Default_Allow_WAN_To_ZyWALL rulle.
2. I changed default rule to ALLOW, add TEST_WTF rule to Allow, there is no block rulle
3. I can reach my management WAN IP from inside, but not from outside.
4. I put another switch infront of Zyxel, so WAN lead to testing computer and the new Zyxel, I can reach any port or service of this testing computer from new Zyxel, but testing computer cant reach nothing (no HTTP, HTTPS, SSH, ICMP) on new Zyxel…
I can connect to anything on the WAN-NB, but no port is open on the USG.
Im diging in it almost whole day.
- When I put there original GW, it is accessible from Internet and NB, I can also ping it.
- The test computer is literally next to the gateway, with the firewall turned off, every online port scanner shows that no port is accessible.
- I restored the original configuration and recreated the rulers four times.
- I tested many of the security policies I found, but without any change.
- I turned off every deny rulle.
- I walked through the new and older configuration and it looks similar. I don't see any violations or stinky settings.
It is the same for all services, here I did a try with SSH:
For instance this howto for SSH, It is not the HTTPS, but it is the same problem.
https://support.zyxel.eu/hc/en-us/articles/4403947447186-USG-USG-FLEX-ATP-VPN-How-to-allow-HTTPS-Web-GUI-Access-from-WAN
- enable SSH
- created rulle + FW
- it is working from inside but not from outside :-(
But no luck….
Thanks for any advice…
Accepted Solution
-
Here is the solution:
It was necessary to download the firmware package to the computer, extract it, take the configuration file and upload it to the Zyxel.WHAT I DID WRONG:
The firmware inside the device was old and I ran a clean update, then did the configuration.
What is the problem? The configuration file remains original and can become problematic..
CORRECT WAY:
Start the device, update the device, download firmware package from the internet and upload STARTUP and DEFAULT configuration from the FIRMWARE PACKAGE to the device. Do not skip this step or it will makes your live harder.0
All Replies
-
If you still got the old USG get its WAN MAC and put on new FLEX WAN port
Do a packet capture on WAN by FLEX and scan for the port by web site and check
0 -
The ISP has already changed the MAC and the old MAC is no longer functional, this was the first step. The test computer and the new Zyxel are now connected by my own switch.
I've been doing some more digging. I've put it on the table and am trying to get to any port on the Zyxel WAN directly on the table, but no luck. I have done many reboots and tests, but the Zyxel only connects outward and refuses any external connection going inward.
It works perfectly…just something (with higher priority) is blocking connections from outside.
By the way, I saw the rules I made in the configuration file. They are just ignored or there is something else… I will try my luck with packet sniffer.
It will be something stupid - for example a corrupted default configuration file or something else.
I'll check the startup log...bah...I hate digging like this when I don't have time.0 -
Here is the solution:
It was necessary to download the firmware package to the computer, extract it, take the configuration file and upload it to the Zyxel.WHAT I DID WRONG:
The firmware inside the device was old and I ran a clean update, then did the configuration.
What is the problem? The configuration file remains original and can become problematic..
CORRECT WAY:
Start the device, update the device, download firmware package from the internet and upload STARTUP and DEFAULT configuration from the FIRMWARE PACKAGE to the device. Do not skip this step or it will makes your live harder.0
Guru Member
Categories
- All Categories
- 398 Beta Program
- 2.1K Nebula
- 117 Nebula Ideas
- 83 Nebula Status and Incidents
- 5.2K Security
- 99 USG FLEX H Series
- 247 Security Ideas
- 1.3K Switch
- 69 Switch Ideas
- 923 WirelessLAN
- 35 WLAN Ideas
- 5.9K Consumer Product
- 212 Service & License
- 337 News and Release
- 71 Security Advisories
- 21 Education Center
- 5 [Campaign] Zyxel Network Detective
- 2.1K FAQ
- 1K Nebula FAQ
- 445 Security FAQ
- 238 Switch FAQ
- 213 WirelessLAN FAQ
- 47 Consumer Product FAQ
- 142 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 72 About Community
- 62 Security Highlight
