Configure wan-interface with IPoe

KMP

Hi,

We need to configure our Zywall310. We have received a new configuration from our ISP to setup the wan-interface with static IP over a "numbered link".

- IP public subnet: 77.60.xx.xxx/29
- Encapsulation type: IPoe
- numbered link: 145.54.xxx.xxx/30
- gateway: 145.54.xxx.xxx

The problem is that our provider (NL KPN) does not have any guidance available for configuration exept for Cisco routers. This is an example for Cisco:

!

Interface GigabitEthernet1/0

description connection to internal network

ip address 77.60.xx.xxx 255.255.255.248

no cdp enable

ip verify unicast reverse-path

no ip redirects

speed 1000

duplex full

no shutdown

!

Interface GigabitEthernet0/0

description connection to KPN / CapID : CIN60629

ip address 145.54.xxx.xxx 255.255.255.252

no cdp enable

no ip directed-broadcast

speed 1000

duplex full

no shutdown

!

no service finger

no service udp-small-servers

no service tcp-small-servers

no ip source-route

ip subnet-zero

ip classless

ip cef

ip name-server 194.151.228.18

ip name-server 194.151.228.34

!

ip route 0.0.0.0 0.0.0.0 145.54.xxx.xxx

Can anyone help us with a working config for our Zywall 310?

Zyxel_Stanley

Hi @KMP

The reason is because incoming traffic hits rule#4. So source IP address is replaced as 77.60.XX.XX

You can add an additional rule to NAS server for incoming traffic. Then source IP address will not replace as interface IP.
e.g. Source: any, Destination: NAS server, Service: any, SNAT: none

Zyxel_Charlie

@KMP
Regarding to your description, I would like to clarify the configuration which you want to set .
On Wan interface, do the two public IP(145.54.X.X/30,77.60.xx.xxx/29) connect with one Wan Interface? or two  Wan Interface separately?
Charlie

KMP

Hi Charlie,

There is only 1 physical link from the wan-port of the Zywall to the ISP-gateway (fiber switch). The IP 145.54.x.x is only a "numbered link" the ISP uses to NAT our public subnet 77.60.x.x/29 they say..

So only 1 interface should be used i think. The funny thing is, if you look at the provided Cisco example there are 2 interfaces in use, but how are they linked?

Zyxel_Charlie

@KMP
Regarding to your description, you may follow the configuration as below
Wan interface: 145.54.X.X/30 and Gateway Ip is 145.54.xxx.xxx, Lan interface: 77.60.xx.xxx/29

Disable Default SNAT on Wan Trunk. DNS1:194.151.228.18, and DNS2: 194.151.228.34

The below Steps as your reference.
Go to configuration>Network>Interface>Ethernet> Create the Wan

and then Create lan interface 

Disable Default SNAT on Wan Trunk and press apply

Go to configuration>System>DNS

Charlie

KMP

Thanks for the info Charlie. Will test the setup this way.
There is one more issue: The Zywall is connected to the fiber-switch from isp (Alcatel OS6250-8m)
This switch has 2 combo 1000baseT ports, one is connected to te Zywall to provide 500mb up/down internet-connection. The Zywall only shows a link speed of 100mb while it should be 1000mb.
I have read we cannot force the connection speed to 1000m, it should auto-negotiate. What could be the problem?

Zyxel_Charlie

@KMP
I modified the configuration on previous post, so please recheck it.
Regarding to link speed, can you double check the Ethernet cable or Switch support 1000mb? since USG auto-negotiation is 1000mb. 
Charlie

KMP

Hello (Charlie), the configuration has been working for the past few weeks now. With a slight change in config. There also was a policy route necessary for outgoing trafic. But that's not why i'm asking for help. Main problems we currently have are:

1) Incoming outbound (DNAT-rule) traffic to a specific device (NAS-ftp service) is now somehow recognized in the NAS as traffic originating from our (configured) external IP. How is this possible? It used to display the originating IP from the remote host , now somehow it gets translated as our own public IP.

2) Maybe the most important issue.. the only solution is to reboot via CLI every time it happens..
The Zywall has not been responding to the web-interface since the new configuration for a few times now. When trying to access by browser we are able to provide credentials and login however then the message "loading" is displayed continuously:

What could be the issue?

I hope you could help me with this.

Zyxel_Stanley

Hi @KMP

What firmware version is working on your USG310?

According source IP address question, can you share screen shot on NAT and policy route rule?

And can you describe traffic direction when user accessing to NAS service? (Is coming from Internet user? Or Local user?)

KMP

Hi Charlie,

1) It is running v4.33 firmware.
2) I will make the screenshots for you later. 
3) I see it mentioned outbound traffic, but of course it is inbound traffic.. So all traffic coming from internet, via Dnat rule forwarded to NAS at tcp 8080

Zyxel_Stanley

Hi @KMP
Can you send your configuration by private message for check your question more detail?

KMP

KMP said:

Hello (Charlie), the configuration has been working for the past few weeks now. With a slight change in config. There also was a policy route necessary for outgoing trafic. But that's not why i'm asking for help. Main problems we currently have are:

1) Incoming outbound (DNAT-rule) traffic to a specific device (NAS-ftp service) is now somehow recognized in the NAS as traffic originating from our (configured) external IP. How is this possible? It used to display the originating IP from the remote host , now somehow it gets translated as our own public IP.

2) Maybe the most important issue.. the only solution is to reboot via CLI every time it happens..
The Zywall has not been responding to the web-interface since the new configuration for a few times now. When trying to access by browser we are able to provide credentials and login however then the message "loading" is displayed continuously:

What could be the issue?

I hope you could help me with this.

Above issue nr1: has been solved by creating a Policy Route specifically for the NAT rules created for port forwarding. The default Policy route is in use for outbound traffic SNAT and caused to translate that traffic with our own Public IP.

Maybe @Zyxel_Stanley can clarify further?