NAT rule structure for PPPoE pass-through connection?

Finglow

I've used Zyxel routers/firewalls for 20+ years and still when I go to a new model this seems to cause problems!

USG Flex 100 H with dual WAN.

WAN1 (P1) is a Zen full fibre connection, which uses PPPoEpass-through to connect, so has a child PPP1 i/f object

WAN2 (P2) is a Virgin cable connection. The Business Hub doesn't support modem mode so WAN2 is in a private subnet of the hub, but is mapped as a DMZ target so all traffic hits it unfiltered.

I'm trying to allow access to internal services via either WAN i/f

Security Policy is configured for WAN > LAN, with appropriate host and port restrictions.

NAT rule for WAN2 (ge2) allows the connection straight through as it should.

NAT rule for WAN1 (ge1 OR ppp1) configured the same causes the packet to be dropped with a "Match default rule DNAT Packet, DROP" in the event log.

I've obviously missed something, and have gone through all the options I've previously had to use with Prestige, USG, NSG and other models to no avail.

Both WAN interfaces are up and carrying traffic.

What have I missed?

Zyxel_Melen

Hi @Finglow,

Could you share your configuration file and the issue event log with detailed information with us? So, we can investigate if there's anything missed.

I will send you a private message for these files. Thanks~

Finglow

Thank you, I will do so

Zyxel_Melen

Hi @Finglow,

After checking, this issue seems like your NAT rule is misconfigured. Please change the External IP (a.k.a original-ip) from "any" to PPPoE interface (PPP1) object.

Zyxel_Melen

Update:

The issue has been addressed and will be fixed in the next firmware release.