NAT to SNAT broken in 4.35(AAAA.3)

PeterUK
PeterUK Posts: 2,699  Guru Member
First Anniversary 10 Comments Friend Collector First Answer
edited April 2021 in Security

Not sure how far back this goes but V4.35(AAAA.0)ITS-WK46-r90773 works fine.

Heres the setup

ZyWALL 110

OPT WAN IP

LAN2 192.168.138.1\255.255.255.240

SERVER PC connected to LAN2 with 192.168.138.2 (no gateway set)

NAT rule

routing SNAT rule

So what should happen when working is:

80.0.253.70 > WAN IP:25 > NAT and routeing SNAT > 192.168.138.1 > 192.168.138.2:25

traffic back to sender

192.168.138.2:25 > 192.168.138.1 > NAT and routeing SNAT >WAN IP:25 >80.0.253.70

«1

Comments

  • PeterUK
    PeterUK Posts: 2,699  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer

    Ok after doing some reboots the issue happens with V4.35(AAAA.0)ITS-WK46-r90773 and I have found that its trying to go out of VLAN443 with WAN IP to target IP I think this has same thing to do with this issue.

    https://businessforum.zyxel.com/discussion/3047/ping-request-gose-in-on-opt-the-reply-out-vlan443/p1

    even with the rules its broken

    https://businessforum.zyxel.com/discussion/comment/9552/#Comment_9552

    But the workaround of set to SYSTEM_DEFAULT_WAN_TRUNK then back to my vlan443andopt trunk works.

  • PeterUK
    PeterUK Posts: 2,699  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer

    So after many reboots and switching between firmwares I can't re-create the issue maybe caused be incoming packets hitting the Zywall when booting up but thats a guess.

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,052  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @PeterUK

    This symptom we do not met on V4.35(AAAA.0)ITS-WK46-r90773.

    Can you share your configuration and topology for us?

  • PeterUK
    PeterUK Posts: 2,699  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer

    like I say a I can't re-create the issue if it happen again by upgrading the firmware I update this post.

  • PeterUK
    PeterUK Posts: 2,699  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited May 2020

    So its happened again on a reboot on V4.38(AAAA.0) and I leave it for a bit but likely a reboot will fix it or the workaround I said above.

    So here is whats going on when the problem happens for both SMTP and DNS.

    OPT


    LAN2 it then correctly sends by NAT to SNAT from 192.168.138.1 to 192.168.138.2


    VLAN443 and for some reason it does not go out OPT but out VLAN443


  • PeterUK
    PeterUK Posts: 2,699  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,052  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @PeterUK


    I would like to know if it happens every time the firmware upgrade is done.

    Or it only happened on the specific firmware upgrade?

    Can you share with us which firmware do you upgrade from?


  • PeterUK
    PeterUK Posts: 2,699  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited May 2020

    This time it did not happen when I did a upgrade it happened just when doing a reboot of V4.38(AAAA.0) and it does not happen all the time.

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,052  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

     Hi @PeterUK

     I’ve tried to set up the configuration you provided for us, however the symptom do not happened after reboot device many times,

    Can you share the remote access via private message to us when the symptoms occurred?


  • PeterUK
    PeterUK Posts: 2,699  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited June 2020

    Like I said its a hard bug to happen and does not happen all the time.

    The ZyWALL 110 is not something I what for you to remote access too but if I want this fixed I guess I have no choice.

    luckily I have not rebooted or done the workaround to fix the issue.  

Security Highlight