Nat rule creation issue on our 500H





Hello,
Firmware: V1.32(ABZH.0)ITS-0423-250300903
I'm here again... I don't know what exactly is going on with our 500H, and sincerely I don't have the time to waste on this.... but…
This is the third NAT rule I created that froze the device, and I had to reboot it.
To summarize
action made: Create a new NAT rule
What happened after:
Log setting section broken, display "page loading"
Lost connectivity from some vlans
DHCP not working on some vlans
Tried switching to the secondary HA device, with the same symptoms
Tried to collect the logs from the GUI, aborted after a long waiting time (more than 10 mins)
Tried to collect the logs from SSH, same as from the GUI
Accepted Solution
-
For users encountering a similar issue, here is a summary of our findings and a suggested workaround:
Symptom
When modifying the NAT rule, certain VLANs are unable to access the internet.
Root Cause
ARP entry disappears after NAT rule change
After a NAT rule is modified, we observed that the ARP entry disappears from the firewall. This causes return packets to fail, leading to interrupted connectivity.
Special ISP configuration: PPP bind /32 with a different gateway subnet
Upon further inspection, we found that the WAN interface is using a /32 PPPoE IP address with a gateway outside of the same subnet. This setup is common with some Italian ISPs, and may require specific handling.
In such scenarios, we’ve seen unexpected behaviors — such as HA being affected, or the issue only appearing after NAT changes. These are likely due to the current firmware not fully supporting this kind of routing setup. A feature request addressing this was previously submitted, and it may be included in a future release. Please kindly follow our Security Gateway News and Release to stay updated on the latest information.
Workaround
To ensure return traffic is properly routed, we recommend manually adding the WAN secondary IPs.
Zyxel Tina
1
All Replies
-
Hi @Mk88_it,
Could you please provide us with your current configuration and the third NAT rule you intend to apply?
We'll contact you through private message.
Zyxel Tina
0 -