USG60W - forward http(s) from WAN1 to local LAN/vLANs?

ChrisGer Posts: 205  Ally Member
edited April 2021 in Security
Hello Community,
I've upgraded to FW 4.39 right now - that works fine, but I've two questions about routing from WAN1 to internal (v)LANs. Here is a simple ASCII scenario of what I'm trying, but I can't play on the USG because the device is in productive use at my HomeOffice :'(

My requirement
The USG60W is the Office to DMZ Firewall in my requirement. The next Firewall is the INAC (InterNetAccessConnect) Firewall from my ISP. SSL VPN is working well, but how to forward http/s traffic from the ISP Firewall to a (v)LAN behind the USG60W?

Mainly the USG60W is using 443 for HTTPS connect from WAN1 - in my scenario the USG should forward http/s to the (v)LAN behind the WAN1 port (LAN1/2/DMZ Zone). Routing is already configured to get http/s requests to the WAN1 port.

How to disable HTTPS and HTTP redirect only on the WAN1 port and not for Management on LAN1?

SSLVPN-INAC Firewall --------> HTTP/HTTPS -----> USG -----> (v)LAN1/2/xxxx ?

Thanks and regards
Christian

All Replies

  • PeterUK Posts: 3,388  Guru Member

    See workaround

    https://businessforum.zyxel.com/discussion/comment/14529/#Comment_14529

    With the ports in a group, go to NAT and use Virtual Server

    Incoming interface WAN1

    source IP any

    external IP any

    Internal IP the server IP

    port mapping type Service-Group

    external service HTTP and HTTPS group

    Make a firewall rule from WAN1 to LAN1


  • ChrisGer Posts: 205  Ally Member
    In my case the USG is routing but does no S/DNAT on the WAN1 interface, and I remember that if there is a connection from WAN1 back to LAN1, the USG admin interface is listening and responding with the authentication window :/

    Regards
    Christian
