Configure wan-interface with IPoe

KMP
KMP Posts: 17  Freshman Member
edited April 2021 in Security
Hi,

We need to configure our Zywall310. We have received a new configuration from our ISP to setup the wan-interface with static IP over a "numbered link".

- IP public subnet: 77.60.xx.xxx/29
- Encapsulation type: IPoe
- numbered link: 145.54.xxx.xxx/30
- gateway: 145.54.xxx.xxx

The problem is that our provider (NL KPN) does not have any guidance available for configuration except for Cisco routers. This is an example for Cisco:

!
Interface GigabitEthernet1/0
 description connection to internal network
 ip address 77.60.xx.xxx 255.255.255.248
 no cdp enable
 ip verify unicast reverse-path
 no ip redirects
 speed 1000
 duplex full
 no shutdown
!
Interface GigabitEthernet0/0
 description connection to KPN / CapID : CIN60629
 ip address 145.54.xxx.xxx 255.255.255.252
 no cdp enable
 no ip directed-broadcast
 speed 1000
 duplex full
 no shutdown
!
no service finger
no service udp-small-servers
no service tcp-small-servers
no ip source-route
ip subnet-zero
ip classless
ip cef
ip name-server 194.151.228.18
ip name-server 194.151.228.34
!
ip route 0.0.0.0 0.0.0.0 145.54.xxx.xxx


Can anyone help us with a working config for our Zywall 310?


All Replies

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    @KMP
    Regarding your description, I would like to clarify the configuration you want to set.
    On the WAN interface, do the two public IPs (145.54.X.X/30, 77.60.xx.xxx/29) connect to one WAN interface, or to two WAN interfaces separately?
    Charlie


  • KMP
    KMP Posts: 17  Freshman Member
    Hi Charlie,

    There is only 1 physical link from the wan-port of the Zywall to the ISP-gateway (fiber switch). The IP 145.54.x.x is only a "numbered link" the ISP uses to NAT our public subnet 77.60.x.x/29 they say..

    So only 1 interface should be used I think. The funny thing is, if you look at the provided Cisco example there are 2 interfaces in use, but how are they linked?

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    edited April 2019

    @KMP
    Regarding your description, you may follow the configuration below.
    Wan interface: 145.54.X.X/30 and Gateway Ip is 145.54.xxx.xxx, Lan interface: 77.60.xx.xxx/29

    Disable Default SNAT on Wan Trunk. DNS1:194.151.228.18, and DNS2: 194.151.228.34

    The steps below are for your reference.
    Go to configuration>Network>Interface>Ethernet> Create the Wan

    and then Create lan interface 

    Disable Default SNAT on Wan Trunk and press apply



    Go to configuration>System>DNS

    Charlie


  • KMP
    KMP Posts: 17  Freshman Member
    Thanks for the info Charlie. Will test the setup this way.
    There is one more issue: The Zywall is connected to the fiber-switch from isp (Alcatel OS6250-8m)
    This switch has 2 combo 1000baseT ports, one is connected to the Zywall to provide 500mb up/down internet-connection. The Zywall only shows a link speed of 100mb while it should be 1000mb.
    I have read we cannot force the connection speed to 1000m, it should auto-negotiate. What could be the problem?
  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    edited April 2019
    @KMP
    I modified the configuration in my previous post, so please recheck it.
    Regarding link speed, can you double-check whether the Ethernet cable or switch supports 1000mb? USG auto-negotiation is 1000mb.
    Charlie
  • KMP
    KMP Posts: 17  Freshman Member
    Hello (Charlie), the configuration has been working for the past few weeks now. With a slight change in config. There also was a policy route necessary for outgoing traffic. But that's not why I'm asking for help. Main problems we currently have are:

    1) Incoming outbound (DNAT-rule) traffic to a specific device (NAS-ftp service) is now somehow recognized in the NAS as traffic originating from our (configured) external IP. How is this possible? It used to display the originating IP from the remote host , now somehow it gets translated as our own public IP.

    2) Maybe the most important issue.. the only solution is to reboot via CLI every time it happens..
    The Zywall has not been responding to the web-interface since the new configuration for a few times now. When trying to access by browser we are able to provide credentials and login however then the message "loading" is displayed continuously:


    What could be the issue?

    I hope you could help me with this.
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,072  Zyxel Employee

    Hi @KMP

    What firmware version is running on your USG310?

    Regarding the source IP address question, can you share a screenshot of the NAT and policy route rules?

    And can you describe the traffic direction when a user accesses the NAS service? (Is it coming from an Internet user or a local user?)

  • KMP
    KMP Posts: 17  Freshman Member
    Hi Charlie,

    1) It is running v4.33 firmware.
    2) I will make the screenshots for you later. 
    3) I see it mentioned outbound traffic, but of course it is inbound traffic.. So all traffic coming from internet, via Dnat rule forwarded to NAS at tcp 8080



  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,072  Zyxel Employee
    Hi @KMP
    Can you send your configuration by private message so we can check your question in more detail?
  • KMP
    KMP Posts: 17  Freshman Member
    KMP said:
    Hello (Charlie), the configuration has been working for the past few weeks now. With a slight change in config. There also was a policy route necessary for outgoing traffic. But that's not why I'm asking for help. Main problems we currently have are:

    1) Incoming outbound (DNAT-rule) traffic to a specific device (NAS-ftp service) is now somehow recognized in the NAS as traffic originating from our (configured) external IP. How is this possible? It used to display the originating IP from the remote host , now somehow it gets translated as our own public IP.

    2) Maybe the most important issue.. the only solution is to reboot via CLI every time it happens..
    The Zywall has not been responding to the web-interface since the new configuration for a few times now. When trying to access by browser we are able to provide credentials and login however then the message "loading" is displayed continuously:


    What could be the issue?

    I hope you could help me with this.

    Above issue nr1: has been solved by creating a Policy Route specifically for the NAT rules created for port forwarding. The default Policy route is in use for outbound traffic SNAT and caused that traffic to be translated with our own Public IP.

    Maybe @Zyxel_Stanley can clarify further?
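
A check for the symptom described in issue 1, as an added example that is not part of the original thread: it counts how many entries in a NAS connection log carry the firewall's own public address as their source, which is what inbound port-forwarded traffic looks like once SNAT has rewritten it. The log format, the documentation-range addresses standing in for the masked subnets, and the function names are all assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed stand-ins: the thread masks the real subnets, so documentation
# and private ranges are used here. Replace them with your own values.
OWN_PUBLIC_NET = ipaddress.ip_network("203.0.113.0/29")  # routed public /29
LAN_NET = ipaddress.ip_network("192.168.1.0/24")         # internal clients

# Constructed sample of NAS connection-log lines (hypothetical format).
SAMPLE_LOG = """\
2019-05-02 09:14:01 ftp login ok user=backup src=203.0.113.1
2019-05-02 09:15:40 ftp login failed user=admin src=203.0.113.1
2019-05-02 09:15:44 ftp login failed user=root src=203.0.113.1
2019-05-02 09:20:12 ftp login ok user=alice src=192.168.1.25
2019-05-02 09:31:07 ftp login failed user=admin src=198.51.100.77
"""

SRC_RE = re.compile(r"\bsrc=(\S+)")

def classify_sources(log_text, own_net=OWN_PUBLIC_NET, lan_net=LAN_NET):
    """Count log entries by origin: own public subnet, LAN, or remote host."""
    counts = Counter()
    for line in log_text.splitlines():
        match = SRC_RE.search(line)
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            counts["unparsed"] += 1
            continue
        if ip in own_net:
            counts["own_public"] += 1
        elif ip in lan_net:
            counts["lan"] += 1
        else:
            counts["remote"] += 1
    return counts

def snat_masking_suspected(counts, threshold=0.5):
    """True when most non-LAN entries carry our own public address."""
    external = counts["own_public"] + counts["remote"]
    return external > 0 and counts["own_public"] / external >= threshold

if __name__ == "__main__":
    result = classify_sources(SAMPLE_LOG)
    print(dict(result), "masking suspected:", snat_masking_suspected(result))
```

When the check fires, per-client attribution in the NAS log is lost: the failed logins in the sample cannot be tied to a remote host until the port-forwarding traffic is excluded from SNAT.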
