Static routes not working in this setup unless

PeterUK
PeterUK Posts: 3,388  Guru Member
100 Answers 2500 Comments Friend Collector Seventh Anniversary
edited October 22 in USG FLEX H Series

USG FLEX 200H V1.30(ABWV.0)

So, due to real DMZ not quite working in V1.30, I wanted to redirect traffic for the WLAN to FLEX200 from FLEX200H, so I did this and it now works, but the rules needed for FLEX200H (in red): should they be needed?

It was the case that WLAN on port 6 of the FLEX200H would have SNAT'd out the WAN2 port 2, and the static routes were needed and work, but not for this setup, which needs the extra routing rule.

So here's my thinking:
192.168.253.1 on AP goes to gateway 192.168.252.1 (USG60W),
routes out WAN1, SNAT none.
FLEX200H on routing for 192.168.254.0/23 to gateway 192.168.255.237, SNAT none.
FLEX200 on routing for 192.168.254.0/23 to gateway, with SNAT to internet.
Then the reply:
Static routes on FLEX200 for 192.168.254.0/23 to gateway 192.168.255.235,
and then it gets to the FLEX200H, where I would think static routes 192.168.254.0/23 to gateway 192.168.254.2 would send the reply, but it didn't unless I add the routing rules in red.

Accepted Solution

  • Zyxel_Kay
    Zyxel_Kay Posts: 1,103  Zyxel Employee
    Zyxel Certified Network Engineer Level 2 - Nebula Zyxel Certified Network Engineer Level 2 - WLAN Zyxel Certified Network Engineer Level 2 - Switch Zyxel Certified Network Engineer Level 2 - Security
    Answer ✓

    Hi @PeterUK

    Based on your current configuration, everything appears to be correct, and the overall flow is set to NAT first, then routing. At the moment, we can’t think of any further issues that might arise.

    If possible, please also capture packets on ge6 interface.

    Kay

    Share your feedback through our survey, make your voice heard, and win a WiFi 7 AP! https://bit.ly/2024_Survey_Community


All Replies

  • Zyxel_Kay
    Zyxel_Kay Posts: 1,103  Zyxel Employee

    Hi @PeterUK

    FLEX200H on routing for 192.168.254.0/23 to gateway 192.168.255.237 SNAT none

    Could you provide additional details about your setup? The source packet should be 253.1, and there’s no SNAT.

    If possible, please capture the entire packet flow for us to investigate further.

    Kay


  • PeterUK
    PeterUK Posts: 3,388  Guru Member

    Hi Kay thanks for your interest

I'm not sure if it's a normal thing or a FLEX200H thing. Like I said, the setup works; I'm just not sure why I needed the routing rule when I think static routes should work, or if it's because I have many hops when routing SNAT none two times.

So the idea is I have device 192.168.253.1 on USG60W, which then goes to FLEX200H, but I don't want to SNAT outgoing WAN, so it's none. Then, when it gets to FLEX200H, I need to send it to FLEX200, again without SNAT outgoing, so it's SNAT none. When it gets to FLEX200 I then SNAT outgoing WAN, but now I have to static-route this traffic back: from FLEX200, 192.168.254.0/23 gateway 192.168.255.237 to FLEX200H, then from FLEX200H, 192.168.254.0/23 gateway 192.168.254.2, and then it gets to USG60W.

  • Zyxel_Kay
    Zyxel_Kay Posts: 1,103  Zyxel Employee

    Hi @PeterUK

    Based on our understanding, here’s the suspected traffic flow for your setup:

    Outgoing Traffic:

    • AP: 192.168.253.1/23 -> Internet (no SNAT)
    • (200H): 192.168.253.1 -> Internet (no SNAT)
    • (USG60): SNAT -> Internet

    Return Traffic:

    • (USG60): Internet -> 192.168.253.1
    • (200H): Internet -> 192.168.253.1
    • (200): Internet -> AP.

    If this reflects your setup accurately, then based on the configuration you shared, everything appears to be in order.

    FLEX200H on routing for 192.168.254.0/23 to gateway 192.168.255.237 SNAT none
    FLEX200 on router for 192.168.254.0/23 to gateway with SNAT to internet

    A few questions to clarify:

    1. Could you confirm if the 192.168.254.0/23 reference is accurate? Since FLEX200 is not performing SNAT, we would expect the incoming IP to be 192.168.253.1. Was this possibly a typo?
    2. Please verify if the traffic flow we outlined aligns with your current setup.

    Additionally, to assist with further investigation, could you provide the following?

    • Packet captures on FLEX200H, specifically on Port 4 and Port 6 when the issue arises.
    • Results of the “show ipv4-routes” command.
    • Confirmation that Internal is selected as the interface type on FLEX200H’s ge4 and ge6 interfaces, as this setting is optimal for your application.

    Kay


  • PeterUK
    PeterUK Posts: 3,388  Guru Member
    edited October 29

It's more like:

    Outgoing Traffic:

    • AP: 192.168.252.1/23 -> Internet (no SNAT) USG60W
    • (200H): device from AP 192.168.253.1 -> Internet (no SNAT)
    • FLEX200 SNAT -> Internet

    Return Traffic:

    • FLEX200: Internet -> 192.168.253.1
    • (200H): Internet -> 192.168.253.1
    • (USG60W): Internet -> AP to device 192.168.253.1

The subnets on the USG60W are 192.168.250.1/23 and 192.168.252.1/23.

    login as: admin
    Keyboard-interactive authentication prompts from server:
    | Password:
    End of keyboard-interactive prompts from server
    0> show ipv4-routes
    Codes: K - kernel route, C - connected, S - static, R - RIP,
    O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
    T - Table, A - Babel, F - PBR, f - OpenFabric,
    > - selected route, * - FIB route, q - queued, r - rejected, b - backup
    t - trapped, o - offload failure

    K>* 0.0.0.0/0 [0/0] via 192.168.44.2, VLAN443, 00:00:05
    S 0.0.0.0/0 [1/0] via 92.239.64.1, ge2, weight 1, 00:34:54
    via 192.168.254.9, ge3, weight 1, 00:34:54
    C>* 92.239.64.0/20 is directly connected, ge2, 1d00h48m
    C>* 192.168.44.0/28 is directly connected, VLAN443, 1d00h51m
    C>* 192.168.44.16/28 is directly connected, VLAN444, 1d00h51m
    C>* 192.168.53.0/27 is directly connected, VLAN53, 1d00h51m
    C>* 192.168.138.0/28 is directly connected, LAN_138, 1d00h51m
    K>* 192.168.250.0/23 [0/0] via 192.168.254.2, WLAN, 1d00h49m
    K>* 192.168.252.0/23 [0/0] via 192.168.254.2, WLAN, 1d00h49m
    C>* 192.168.254.0/29 is directly connected, WLAN, 1d00h51m
    C>* 192.168.254.8/29 is directly connected, ge3, 1d00h48m
    K>* 192.168.254.32/29 [0/0] via 192.168.44.5, VLAN443, 1d00h49m
    K>* 192.168.254.48/29 [0/0] via 192.168.44.30, VLAN444, 1d00h49m
    C>* 192.168.255.32/28 is directly connected, VLAN47, 1d00h50m
    C>* 192.168.255.192/26 is directly connected, ge4, 1d00h51m

The issue is not that the setup doesn't work (it does); it's just that routing rules (in red above, for the topology in the 1st post) were needed on the FLEX200H, which I thought static routes would deal with.

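Added example (not code from the thread, Zyxel, or the poster): a small model of the lookup order being argued about in this thread, a first-match policy-route list consulted before a longest-prefix-match routing table, fed with the FLEX200H "show ipv4-routes" output pasted above (the parser reads the FRR-style lines verbatim, including the `>`/`*` selected/FIB markers from the legend). It shows what the static/kernel table alone does with the return traffic to 192.168.253.1, and how a policy route, when present, is matched ahead of that table. The policy route `WLAN_TO_FLEX200` is an assumption modelled on the forward-direction rule in the first post, with 192.168.252.0/23 taken as the source prefix; NAT is not modelled, and the constructed addresses 203.0.113.5 and 198.51.100.1 stand in for Internet hosts.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# "show ipv4-routes" output from the post above, transcribed verbatim.
SHOW_IPV4_ROUTES = """\
K>* 0.0.0.0/0 [0/0] via 192.168.44.2, VLAN443, 00:00:05
S 0.0.0.0/0 [1/0] via 92.239.64.1, ge2, weight 1, 00:34:54
via 192.168.254.9, ge3, weight 1, 00:34:54
C>* 92.239.64.0/20 is directly connected, ge2, 1d00h48m
C>* 192.168.44.0/28 is directly connected, VLAN443, 1d00h51m
C>* 192.168.44.16/28 is directly connected, VLAN444, 1d00h51m
C>* 192.168.53.0/27 is directly connected, VLAN53, 1d00h51m
C>* 192.168.138.0/28 is directly connected, LAN_138, 1d00h51m
K>* 192.168.250.0/23 [0/0] via 192.168.254.2, WLAN, 1d00h49m
K>* 192.168.252.0/23 [0/0] via 192.168.254.2, WLAN, 1d00h49m
C>* 192.168.254.0/29 is directly connected, WLAN, 1d00h51m
C>* 192.168.254.8/29 is directly connected, ge3, 1d00h48m
K>* 192.168.254.32/29 [0/0] via 192.168.44.5, VLAN443, 1d00h49m
K>* 192.168.254.48/29 [0/0] via 192.168.44.30, VLAN444, 1d00h49m
C>* 192.168.255.32/28 is directly connected, VLAN47, 1d00h50m
C>* 192.168.255.192/26 is directly connected, ge4, 1d00h51m
"""

# One FRR-style route line: code, optional ">" (selected) and "*" (in FIB),
# prefix, optional [admin/metric], then either a next hop or "directly connected".
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z])(?P<sel>>)?(?P<fib>\*)?\s+"
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)"
    r"(?:\s+\[\d+/\d+\])?\s+"
    r"(?:via (?P<nh>[^,\s]+), (?P<via_if>[^,\s]+)"
    r"|is directly connected, (?P<conn_if>[^,\s]+))"
)


@dataclass(frozen=True)
class Route:
    code: str                       # C connected, S static, K kernel, ...
    selected: bool                  # ">" in the output: eligible for forwarding
    prefix: ipaddress.IPv4Network
    nexthop: Optional[str]          # None for directly connected prefixes
    iface: str


@dataclass(frozen=True)
class PolicyRoute:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    nexthop: str
    iface: str


def parse_routes(text: str) -> List[Route]:
    """Parse route lines; ECMP continuation lines ("via ...") and the legend are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        routes.append(Route(
            code=m.group("code"),
            selected=bool(m.group("sel")),
            prefix=ipaddress.ip_network(m.group("prefix"), strict=False),
            nexthop=m.group("nh"),
            iface=m.group("via_if") or m.group("conn_if"),
        ))
    return routes


def lookup(routes: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match over the selected routes only (the unselected S default is ignored)."""
    candidates = [r for r in routes if r.selected and dst in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen) if candidates else None


def forward(src: str, dst: str, policy_routes: List[PolicyRoute],
            routes: List[Route]) -> Tuple[str, Optional[str], Optional[str]]:
    """Policy routes first (ordered, first match wins), then the routing table."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for pr in policy_routes:
        if s in pr.src and d in pr.dst:
            return ("policy", pr.nexthop, pr.iface)
    r = lookup(routes, d)
    if r is None:
        return ("drop", None, None)
    return (f"table {r.code} {r.prefix}", r.nexthop, r.iface)


FLEX200H_ROUTES = parse_routes(SHOW_IPV4_ROUTES)

# Assumed policy route (not from the thread): WLAN clients to anywhere go to
# FLEX200 at 192.168.255.237 on ge4, ahead of the kernel default route.
WLAN_TO_FLEX200 = PolicyRoute(
    src=ipaddress.ip_network("192.168.252.0/23"),
    dst=ipaddress.ip_network("0.0.0.0/0"),
    nexthop="192.168.255.237",
    iface="ge4",
)

if __name__ == "__main__":
    # Return traffic for the WLAN client: the K>* 192.168.252.0/23 entry wins.
    print(forward("203.0.113.5", "192.168.253.1", [], FLEX200H_ROUTES))
    # Forward traffic with and without the assumed policy route.
    print(forward("192.168.253.1", "198.51.100.1", [], FLEX200H_ROUTES))
    print(forward("192.168.253.1", "198.51.100.1", [WLAN_TO_FLEX200], FLEX200H_ROUTES))
```

Running it shows the table alone already sends anything destined to 192.168.253.1 via 192.168.254.2 on WLAN, which is the behaviour the poster expects from the static route; a policy route only changes the outcome for packets it matches, so comparing `forward(...)` with and without a rule is a quick way to see whether a given rule is doing anything the table does not.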
  • Zyxel_Kay
    Zyxel_Kay Posts: 1,103  Zyxel Employee

    Hi @PeterUK

    I appreciate your feedback on the flow.

    1. Regarding the static routing table on the 200H, it appears to be correct, but I'd like to point out that the IP information and port details provided in the diagram are incorrect. The routing segment shown is 192.168.255.237/26, while the table lists 192.168.254.9, which doesn’t match. The port information is also inaccurate.
    2. For the USG60W, the configuration seems off. The return IP is 192.168.253.1, but the USG60W is using the subnet 192.168.252.1/23. This means the routing table for the USG60W will include the entry:

    C: 192.168.252.0/23 directly GEX

    This could cause the return traffic to be routed directly through the connected route.

    Assuming that the policy route is set to overwrite connected routes, the return flow appears to be functioning correctly:

    • USG60W -> 192.168.253.1 (next hop to 200H)
    • 200H -> 192.168.253.1 (next hop to Flex200)
    K>* 192.168.252.0/23 [0/0] via 192.168.254.2, WLAN, 1d00h49m
    

    So, to summarize:

    1. The routing seems fine overall. Could you please provide the interface type for the Flex200H? This information is crucial for understanding NAT functionality.
    2. Additionally, please share the configuration for the USG60W.

    Kay


  • PeterUK
    PeterUK Posts: 3,388  Guru Member

    The diagram is correct Kay

  • Zyxel_Kay
    Zyxel_Kay Posts: 1,103  Zyxel Employee

    Hi @PeterUK

    To avoid potential NAT issues, we recommend setting the role of all ports except the ISP-connected port to "internal" (which is also the default setting).

    Kay


  • PeterUK
    PeterUK Posts: 3,388  Guru Member

    That causes more of a problem because the rule in red now only works when next hop is set to auto.

  • Zyxel_Kay
    Zyxel_Kay Posts: 1,103  Zyxel Employee

    Hi @PeterUK

    Based on the current information, it's challenging for us to fully understand the details of your setup. Could you please provide us with HTTPS WAN access for your devices or the startup-config.conf files of your firewalls?

    Due to privacy concerns, please share this information with us via private message.

    Kay


  • PeterUK
    PeterUK Posts: 3,388  Guru Member

Just to be clear, the WLAN traffic works to route to FLEX200; it's just that when traffic comes back to FLEX200H, my thinking is a static route would take care of the traffic going to USG60W and not need a routing rule to and from.

Anyway, the setup is temporary, due to V1.30 breaking what would normally be a one-hop and static route.