Trouble with Virtual Server NAT problems

PeterUK
PeterUK Posts: 3,387  Guru Member
100 Answers 2500 Comments Friend Collector Seventh Anniversary
edited May 3 in USG FLEX H Series

USG FLEX 200H V1.20(ABWV.0)ITS-m4447

USG60W

WAN link to internet

LAN2 192.168.254.9 255.255.255.248

NAT rules for port 80 and 443 to 192.168.254.10

Flex200H

ge3 WAN3 DHCP 192.168.254.10 / 255.255.255.248

ge4 VLAN47 192.168.255.39 / 255.255.255.240

two Virtual Server NAT at rule number 22 and 23

test server on VLAN47 192.168.255.40

Incoming Interface ge3 WAN3

Source IP any

External IP INTERFACE IP, ge3

Internal IP 192.168.255.40

port

TCP 80 and the other rule 443

Enable NAT Loopback off

Problem 1

If the above rules on Flex are disabled on reboot the rules are disabled as expected but when you enable them the rules don't work then you reboot then they work.

Problem 2

On a bootup with the rules enabled all works then on USG60W you IP/MAC Binding the Flex200H WAN3 to IP 192.168.254.14 along with the NAT rules to that IP on USG60W wait on a short lease time to have the Flex change IP and test all works then disable the NAT rules on the Flex test again and the rules still work when it shouldn't.

All Replies

  • Mk88_it
    Mk88_it Posts: 20  Freshman Member
    First Comment Friend Collector Second Anniversary
    edited May 7

    "Problem1" Yes, we are experiencing the same with Flex500H

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,396  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments

    Hi @PeterUK & @Mk88_it,

    Thanks for reporting this issue, We will run some tests to check the symptom and update the result to you later.

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,396  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments

    Hi @PeterUK & @Mk88_it,

    I just run the test of Problem 1.
    If the above rules on Flex are disabled on reboot the rules are disabled as expected but when you enable them the rules don't work then you reboot then they work.

    I just run the test with the follwing steps.
    Internet----(10.214.48.46)USG60W----(DHCP: 192.168.254.10)USG FLEX 200H----(DHCP: 192.168.255.40)ZyWALL

    Step 1. Disable NAT rules on USG FLEX 200H.Step 2. Reboot USG FLEX 200H. Enable NAT rules on USG FLEX 200H again.

    Test Result 1:Failed to access ZyWALL GUI because the ZyWALL's IP becomes 192.168.255.41 after USG FLEX 200H reboots.

    Test Result 2:
    If I set static IP 192.168.255.40 on ZyWALL, NAT rule is still working after USG FLEX 200H reboots.

  • Mk88_it
    Mk88_it Posts: 20  Freshman Member
    First Comment Friend Collector Second Anniversary
    edited May 27

    Hi Emily,

    thanks for your tests but i think your lab configuration is not the same as our beacuse you are testing with only one nat rule.

    In my 500h this issue appeared after some rules (5, if i remember right) and currently i have the problem active, for every new nat rule i have to reboot the firewall otherwise it doesn't work.

  • JPElectron
    JPElectron Posts: 8
    First Comment

    I can't even access the NAT page via the GUI anymore, all I get is spinny circle and it never loads, tried latest firmware 1.20ADWV.2 still doesn't work, I have 6 rules, I can see them via SSH, but can't figure out how to delete them via command line.

    Also GUI pages for VPN > IPSec VPN > Remote Access VPN have no apply button so can't actually change anything

  • Mk88_it
    Mk88_it Posts: 20  Freshman Member
    First Comment Friend Collector Second Anniversary
    edited June 19

    Hello @Zyxel_Emily,

    i'm still here! I just installed the new firmware versione V1.20(ABZH.2) on my 500 FlexH

    I created a new Nat rule (virtualserver number 14), it didn't work.

    I rebooted the device and it started to work!

    Do you have any news for me/us?

    Thank you

  • ccanales
    ccanales Posts: 4
    First Comment
    edited July 30

    Hola, tengo el mismo problema con el equipo 500H, he creado la regla de NAT para acceder al puerto 90 de una PC con el IIS activo, pero no me resuelve la conexión. Hice la comparación con el diseño creado con mi antiguo equipo USG310 y en el apartado de IP de origen tengo la opción de INTERFACE GATEWAY, pero en el equipo 500H no viene esta opción, es la única diferencia que he encontrado entre ambos equipos. Actualmente la conexión y el NAT con el equipo USG310 si está funcionando, pero he tratado de configurar el NAT en el equipo 500H y no funciona.

    Necesito apoyo para solventar este problema.

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,404  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate

    Hi @ccanales,

    Could you share your configuration for me to check?

    ¿Podrías compartir tu configuración para que la revise?