Routing between Lan1 and Lan2

tsteele
tsteele Posts: 12  Freshman Member

Hi, I have a USG200; I appreciate it's an old, unsupported product, but it's at hand, so hopefully I can use it to do what I need.

I have 2 networks, LAN1 172.16.20.0/24 and LAN2 192.168.50.0/24, and have set ports 4 and 5 to LAN1 and ports 6 and 7 to LAN2.

LAN2 comes from a broadband router; its gateway is 192.168.50.1.

LAN1 is a separate network with IP cameras that has no internet connectivity currently.

The aim is to get the cameras to have internet access by using the USG200 as a simple router between the two networks.

To get the two networks to talk to each other, I had to add a policy route between the LAN1 subnet and the LAN2 subnet with SNAT set to outgoing interface. That lets me ping from LAN1 devices to LAN2 devices, but the cameras on LAN1 are still unable to access the internet provided by the broadband router through LAN2.

Plugging my laptop into the LAN1 port P5, I cannot ping any internet addresses such as 1.1.1.1, nor can I ping the broadband router on 192.168.50.1.

Plugging the laptop into port 7, which is in the LAN2 192.168.50.0 network, I am able to ping 1.1.1.1 fine.

So it looks like the USG is routing between the two LANs fine, but not routing packets outside the two LANs destined for the internet through the gateway address of the broadband router.

Can anyone offer any suggestions on how I make this work? It's purely for home use and I do not need any kind of firewall between the two networks, as that will all be done in the broadband router.

Accepted Solution

  • PeterUK
    PeterUK Posts: 3,873  Guru Member
    edited July 10 Answer ✓

    I see… well, that's not going to work; you need to use a WAN port to your ISP router normally.

    I'm not sure if you can use an internal port as a gateway… guess you can try.

    Make the following routing rule:

    incoming: LAN of cameras
    next hop: gateway, your ISP router gateway IP 192.168.50.1
    SNAT: outgoing-interface

    Policy firewall rule if needed: LAN1 to LAN2

    As for pings between the two networks: your laptop gateway is 192.168.50.1, so when you ping IP 172.16.20.10 it goes to your ISP router, but you can ping from LAN1 to LAN2 by your routing rule
    incoming LAN1
    next hop LAN2
    SNAT outgoing-interface

    because a ping from 172.16.20.10 will SNAT from 192.168.50.222 to the laptop IP, but you can't ping from the laptop to the cameras unless your ISP does a static route for 172.16.20.0/24 to gateway 192.168.50.222 or your laptop gateway IP is 192.168.50.222.
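To see why the accepted rule gives the cameras internet access and why the laptop-to-camera direction still fails without a static route or a changed laptop gateway, here is an added Python model of the thread's topology (my own example, not code from the forum, Zyxel or the USG). It assumes the USG's LAN2 address 192.168.50.222 from the reply above, a stateless SNAT, and that direct routes win over policy routes unless "Use Policy Route to Override Direct Route" is enabled; the node names "usg" and "isp" are mine.

```python
import ipaddress as ipa

# Constructed model of the thread's topology (added example, not the forum's or Zyxel's code).
LAN1 = ipa.ip_network("172.16.20.0/24")      # camera network on USG lan1
LAN2 = ipa.ip_network("192.168.50.0/24")     # broadband router network on USG lan2
ANY = ipa.ip_network("0.0.0.0/0")
USG_LAN2 = ipa.ip_address("192.168.50.222")  # USG's lan2 address, as given in PeterUK's reply

# Policy routes as (incoming_net, dest_net, next_hop_node, snat). CAMERA_RULE is the accepted
# answer: incoming lan1, next-hop the ISP router gateway, SNAT outgoing-interface.
CAMERA_RULE = [(LAN1, ANY, "isp", True)]
LAN1_TO_LAN2_RULE = [(LAN1, LAN2, "deliver", True)]   # the rule from the original post

def forward(node, src, dst, policy, static, override_direct):
    """One forwarding hop: returns (next node, source address as the packet leaves)."""
    if node == "usg":
        connected = dst in LAN1 or dst in LAN2
        # By default direct routes win; "Use Policy Route to Override Direct Route" flips that.
        if connected and not override_direct:
            return "deliver", src
        for inc, dest, nh, snat in policy:
            if src in inc and dst in dest:
                return nh, (USG_LAN2 if snat else src)
        return ("deliver", src) if connected else (None, src)  # the USG has no default route
    if node == "isp":  # broadband router: LAN2 connected, optional statics, default = internet
        for net, nh in static:
            if dst in net:
                return nh, src
        if dst in LAN2:
            return "deliver", src
        return (None, src) if dst.is_private else ("deliver", src)  # RFC1918 dies upstream
    return None, src

def trace(src, dst, policy=CAMERA_RULE, static=(), laptop_gw="isp", override_direct=False):
    """Follow one packet hop by hop; returns (delivered, source address seen by dst)."""
    src, dst = ipa.ip_address(src), ipa.ip_address(dst)
    if src in LAN1:    node = "deliver" if dst in LAN1 else "usg"        # cameras use the USG
    elif src in LAN2:  node = "deliver" if dst in LAN2 else laptop_gw   # laptop: "isp" or "usg"
    else:              node = "isp"   # anything from the internet arrives via the ISP router
    for _ in range(4):                # hop limit
        if node in ("deliver", None):
            break
        node, src = forward(node, src, dst, policy, static, override_direct)
    return node == "deliver", src

def ping_ok(src, dst, **kw):
    """Echo succeeds only if the request arrives AND the reply (to the SNATed source) returns."""
    delivered, seen_src = trace(src, dst, **kw)
    return delivered and trace(dst, seen_src, **kw)[0]
```

Try `ping_ok("192.168.50.100", "172.16.20.10", static=((LAN1, "usg"),))` against the same call without `static` to see the asymmetry the reply describes.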

All Replies

  • Zyxel_Tina
    Zyxel_Tina Posts: 50  Zyxel Employee

    Hi @tsteele,

    To better assist you, please provide us with your topology and configuration file. This will help us understand your problem more accurately and investigate further. Thank you!

    For instructions on how to collect your configuration, please:

    1. Access the local Web GUI.
    2. Navigate to Maintenance > File Manager > Configuration File.
    3. Click on startup-config.conf and then click the Download button.

    Zyxel Tina

  • PeterUK
    PeterUK Posts: 3,873  Guru Member
    edited July 10

    You should not need a policy route between the LAN1 subnet and LAN2, and you might have enabled “Use Policy Route to Override Direct Route”? Which might explain why there is no internet if the policy route has Destination any, which would cause the default trunk not to SNAT out the WAN port.

    When using “Use Policy Route to Override Direct Route” you must be mindful of how it overrides direct routes by rules.

  • tsteele
    tsteele Posts: 12  Freshman Member

    PeterUK, I have removed the policy route, so now I just have the two LANs configured; everything else is default after a factory reset.

    I have LAN1 on P4 and P5 and LAN2 on P6 and P7, IP addresses as in the first post. I'm able to ping from the 172.16.20.0 network to the 192.168.50.0 network both ways, but still have no internet access from the 172.16.20 network.

    P6 is connected back to the ISP router on the 192.168.50.0 network, 192.168.50.1 being its gateway. I can plug into the second LAN2 port (P7), also on the 192.168.50 network, and ping internet IPs fine, but not from the 172.16.20 network using P4 or P5 on the USG.

    Looks like a gateway issue perhaps, but where?

    I'll draw up a diagram this evening and post my config as Tina requested in the first reply when I get home tonight.

  • tsteele
    tsteele Posts: 12  Freshman Member

    @PeterUK, apologies: having removed the policy route I DO NOT get pings between the two networks. I DO when the policy route between LAN1 and LAN2 is active, but LAN1 cannot ping internet IPs, 1.1.1.1 for example.

    [Attached image: USG Test.JPG]

    This is what I am trying to achieve: essentially getting the two cameras on the 172.16.20 network NATed to the 192.168.50.0 network to provide internet access for them to be remotely configured / monitored.

    I wish to keep the IP addresses for the cameras different from the main network to make management easier.

    I appreciate that a switch supporting VLANs would be the best bet, but at the moment I don't have one; I do have a spare USG lying around, hence trying to get it to work with what I have to hand.

    The startup-config is attached too.

  • Zyxel_Tina
    Zyxel_Tina Posts: 50  Zyxel Employee

    Hi @tsteele,

    Based on your setup and goals, you need to slightly adjust how your USG200 is connected to the broadband router, simplifying the routing to get internet access working for your LAN1 devices.

    Suggested Approach:

    1. Move the broadband router connection to the USG’s WAN interface: Instead of connecting your broadband router to LAN2, connect it to the WAN port of the USG200. This way, the router becomes a proper upstream gateway for internet access.
    2. Reconfigure LAN2 to act as an internal subnet: Since the broadband router is now connected via the WAN port, the LAN2 subnet should be changed to a different IP range (not 192.168.50.x) to avoid IP conflict or routing issues.
    3. Enable DHCP on LAN2: Previously, devices on LAN2 may have received IP addresses from the broadband router. Now that the router is no longer directly connected to LAN2, you'll need to enable the DHCP server on the USG for LAN2 so that devices like your laptop can receive an IP address automatically.

    After making these changes, devices on LAN1 and LAN2 should be able to obtain IP addresses from the USG and route traffic through the WAN port, ultimately reaching the internet via your broadband router.

    Zyxel Tina

  • tsteele
    tsteele Posts: 12  Freshman Member
    edited July 12

    @Zyxel Tina, thank you for the reply; sadly I cannot use the WAN port as I need two ports for each network, hence using it as I have in the drawing. It does work fine using the WAN port as the uplink to the ISP router, but I do need a second port on the ISP network, and I am unable to assign another port to the WAN.

    @PeterUK, I made the changes that you suggested and it works perfectly; the camera network (172.16.20.0) can access the internet and gets the correct time now from online NTP servers.

    Thank you both for the replies and especially @PeterUK for his solution to get this working.