ZyWall USG 1100 routing

alexey Posts: 188  Master Member
edited April 2021 in Security
Hi all. I have a problem with the configuration of a USG 1100.
I configured 2 local nets: 172.20.0.0/16 with gw 172.20.0.5 (ZyWall) and 172.21.0.0/16 with gw 172.21.0.99.
I added a route to a 3rd net, 192.168.0.0/16, via gw 172.20.0.99.
From the 2 local nets everything goes well to the 3rd net. From 192.168.0.0/16 to 172.21.0.0/16 all is good too, but in 172.20.0.0/16 only ping works well. RDP connections are lost every 5-10 sec after connecting; DNS and SMB don't work. Logs are clear.
If I manually add a route to 192.168.0.0/16 via gw 172.20.0.99 on the server in net 172.20.0.0/16, so that it goes directly to the gw without the ZyWall, all works fine.
Disabling the firewall doesn't change anything. Help please.

Comments

  • PeterUK Posts: 3,331  Guru Member
    edited October 2017

    Does setting the gateway IPs to .1 help?

    What are the IPs of the RDP client/server?

  • alexey Posts: 188  Master Member
    PeterUK said:

    Does setting the gateway IPs to .1 help?

    Sorry, I don't understand. You mean set the gw to 172.20.0.1, etc.?

    The client and server IPs are different.

    Like 192.168.4.38 as the client and 172.20.0.45 as the server.

  • zyman2008 Posts: 219  Master Member
    If you can provide a topology of your network, it will help to understand the possible issue.

  • Jeremylin Posts: 166  Master Member
    edited October 2017
    Curious about your exact topology: what is the topology and IP addressing in this case?
  • alexey Posts: 188  Master Member
    edited October 2017
    local LAN 172.20.0.0/16 with gw 172.20.0.5 on the Zyxel
    provider VPN 172.21.0.0/16 with gw 172.21.0.99 on the Zyxel
    second provider VPN 192.168.0.0/16 with gw 172.20.0.99 on the provider's router
    ZyWall LAN 172.20.0.5 & 172.20.0.99 are in 1 switch
    in the ZyWall I added a route to the 192.168.0.0/16 network via 172.20.0.99

    from 172.20 to 172.21 all good, and the reverse too.
    from 172.20 & 172.21 to 192.168 all good.
    from 192.168 to 172.21 perfect
    from 192.168 to 172.20 bad

  • zyman2008 Posts: 219  Master Member
    OK, so it's a triangle route case.
    You need to check the firewall settings on both the USG and the provider's router.

    On USG,
    1. Go to Security Policy > Policy Control and enable the "Allow Asymmetrical Route" option
    2. Add a static route: 192.168.0.0/16, next-hop 172.20.0.99

    On the provider router you also need to find the related settings to modify.
    What's the model of the provider's router?
    Maybe I can find a related technical article for your reference.
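
    As an added illustration of the triangle route described here (example code, not from this thread or from Zyxel): a small Python model of the topology alexey posted that traces both directions of a flow and flags the case where the ZyWall forwards 172.20 -> 192.168 traffic back out the interface it arrived on and the replies go from 172.20.0.99 straight to the host, so the firewall sees only one direction; it also shows why a host route on the server to 192.168.0.0/16 via 172.20.0.99 makes the flow consistent again (neither direction touches the firewall). The provider router's 192.168.0.1 address, its return route to 172.21.0.0/16 and the 172.21.0.10 host are assumptions.

```python
import ipaddress
# Constructed model of the topology alexey posted (every network is a /16).
# Each node: the addresses it owns, one per directly connected /16, plus its
# routing table as (prefix, next hop) pairs; hosts carry only a default route.
# Assumed, not in the thread: provider's 192.168.0.1, its route to 172.21/16, host 172.21.0.10.
NODES = {
    "zywall":   (["172.20.0.5", "172.21.0.99"], [("192.168.0.0/16", "172.20.0.99")]),
    "provider": (["172.20.0.99", "192.168.0.1"], [("172.21.0.0/16", "172.20.0.5")]),
    "server":   (["172.20.0.45"], [("0.0.0.0/0", "172.20.0.5")]),
    "vpnhost":  (["172.21.0.10"], [("0.0.0.0/0", "172.21.0.99")]),
    "client":   (["192.168.4.38"], [("0.0.0.0/0", "192.168.0.1")]),
}
FIREWALL = "zywall"  # the only stateful inspection point in the model

def owner(ip):
    """Name of the node that owns address ip."""
    return next(name for name, (addrs, _) in NODES.items() if ip in addrs)

def next_hop(node, dst):
    """Longest-prefix match on node's table; None means dst is on-link."""
    d = ipaddress.ip_address(dst)
    if any(d in ipaddress.ip_interface(a + "/16").network for a in NODES[node][0]):
        return None
    matches = [(p, gw) for p, gw in NODES[node][1] if d in ipaddress.ip_network(p)]
    if not matches:
        raise LookupError(f"{node}: no route to {dst}")
    return max(matches, key=lambda m: ipaddress.ip_network(m[0]).prefixlen)[1]

def trace(src, dst):
    """Nodes a packet from src to dst passes through, endpoints included."""
    node, path = owner(src), [owner(src)]
    while True:
        gw = next_hop(node, dst)
        if gw is None:                     # delivered on-link
            return path + [owner(dst)]
        node = owner(gw)
        path.append(node)
        if len(path) > 8:
            raise RuntimeError("routing loop")

def firewall_view(a, b):
    """Trace both directions of a<->b; 'triangle' is True when the firewall
    forwards one direction but never sees the other (no complete handshake)."""
    fwd, rev = trace(a, b), trace(b, a)
    return {"forward": fwd, "reverse": rev, "triangle": (FIREWALL in fwd) != (FIREWALL in rev)}

def add_route(node, prefix, gw):
    """Static route on a node, e.g. alexey's route on the server to 192.168.0.0/16."""
    NODES[node][1].append((prefix, gw))
```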

  • alexey Posts: 188  Master Member
    edited October 2017
    1. Asymmetrical route is enabled
    2. The static route is already added; without it the ZyWall doesn't see LAN 192.168

    I don't think it's the firewall. 172.21 & 172.20 are in the same zone, lan1. And if the firewall is disabled, the problem remains.

    The provider router is a D-Link DES-1210-10/ME, and I have no access to it. I'm trying to contact the provider's engineers, but they are silent at the moment ((

    And with a static route 192.168.0.0/16 via 172.20.0.99 on the server in the 172.20 zone, 192.168 works perfectly with 172.20. The server starts answering via 172.20.0.99, not via the ZyWall with the 1st gw 172.20.0.5, which then only redirects to 172.20.0.99. May the problem be with SNAT?

  • zyman2008 Posts: 219  Master Member
    You cannot do SNAT on the USG for the traffic to 192.168.0.0/16.
    Do you have any policy route on the USG that will do the SNAT?

  • alexey Posts: 188  Master Member
    edited October 2017

    Yes. Around 40 policies throw global IPs to all 3 nets.

    Yes, 3 policies throw net 172.20 to 192.168, 172.21 and the internet via 3 different gws.

  • zyman2008 Posts: 219  Master Member
    Then on the policy for 172.20 to 192.168,
    the SNAT setting should be: none.
