ZyWall USG 1100 routing
Hi all. I have a problem with the configuration of a USG 1100.
I am configuring 2 local nets: 172.20.0.0/16 with gw 172.20.0.5 (ZyWall) and 172.21.0.0/16 with gw 172.21.0.99.
I added a route to a 3rd net, 192.168.0.0/16, via gw 172.20.0.99.
From the 2 local nets everything goes well to the 3rd net. From 192.168.0.0/16 to 172.21.0.0/16 all is good too, but in 172.20.0.0/16 only ping works well. RDP connections are lost every 5-10 sec after connecting; DNS and SMB don't work. Logs are clear.
If I manually add a route to 192.168.0.0/16 via gw 172.20.0.99 on the server in net 172.20.0.0/16, so that it goes directly to the gw without the ZyWall, all works fine.
Disabling the firewall doesn't change anything. Help please.
Comments
-
Does setting the gateway IP to .1 help?
What are the IPs of the RDP client/server?
-
If you can provide a topology of your network, it will help to understand the possible issue.
-
Curious about your exact topology: what is the topology and IP addressing in this case?
-
local LAN 172.20.0.0/16 with gw 172.20.0.5 on the Zyxel
provider VPN 172.21.0.0/16 with gw 172.21.0.99 on the Zyxel
second provider VPN 192.168.0.0/16 with gw 172.20.0.99 on the provider's router
ZyWall LAN 172.20.0.5 & 172.20.0.99 are in 1 switch
in the ZyWall I added a route to the 192.168.0.0/16 network via 172.20.0.99
from 172.20. to 172.21 all good. Reverse too.
from 172.20 & 172.21 to 192.168 all good.
from 192.168. to 172.21 perfect
from 192.168 to 172.20 bad
-
OK, so it's a triangle route case.
You need to check the firewall settings on both the USG and the provider's router.
On the USG:
1. Go to Security Policy > Policy Control and enable the "allow Asymmetrical Route" option
2. Add a static route: 192.168.0.0/16, next-hop 172.20.0.99
On the provider router you also need to find out the related settings to modify.
What's the model of the provider's router?
Maybe I can find the related technical article for your reference.
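An added illustration (not from this thread or from Zyxel) of why the triangle route described above lets ping through but breaks TCP sessions: a simplified stateful-inspection model that only ever sees the client-to-server half of each connection, because the server's replies return through the provider router on the same LAN. Host addresses are constructed, and the behaviour of Zyxel's real "allow Asymmetrical Route" check is assumed to be analogous to the `allow_asymmetric` flag here.

```python
from dataclasses import dataclass

# Constructed addresses matching the topology in the thread (host octets assumed).
CLIENT, SERVER = "172.20.0.10", "192.168.10.20"
ZYWALL, PROVIDER_GW = "172.20.0.5", "172.20.0.99"

@dataclass
class Pkt:
    src: str
    dst: str
    proto: str        # "tcp" or "icmp"
    flags: str = ""   # TCP flags: "S", "SA", "A", "PA"

class StatefulFirewall:
    """Minimal session table: a TCP session is 'established' only after the
    firewall has seen both the SYN and the returning SYN-ACK, unless
    asymmetric routing is explicitly allowed (hypothetical model)."""
    def __init__(self, allow_asymmetric: bool):
        self.allow_asymmetric = allow_asymmetric
        self.sessions = {}  # (src, dst, proto) -> state

    def inspect(self, p: Pkt) -> str:
        key, rkey = (p.src, p.dst, p.proto), (p.dst, p.src, p.proto)
        if p.proto == "icmp":
            return "pass"                      # an echo request needs no prior state
        if p.flags == "S":
            self.sessions[key] = "syn_sent"    # first packet opens a half session
            return "pass"
        if p.flags == "SA" and self.sessions.get(rkey) == "syn_sent":
            self.sessions[rkey] = "established"
            return "pass"
        if "established" in (self.sessions.get(key), self.sessions.get(rkey)):
            return "pass"
        # Mid-flow packet of a session this box never saw complete.
        return "pass" if self.allow_asymmetric else "drop"

def triangle_route(fw: StatefulFirewall) -> dict:
    # The client's default gateway is the ZyWall, so client->server packets cross it;
    # the server answers via PROVIDER_GW straight to the client, bypassing the ZyWall.
    seen_by_zywall = [Pkt(CLIENT, SERVER, "icmp"),
                      Pkt(CLIENT, SERVER, "tcp", "S"),
                      # Pkt(SERVER, CLIENT, "tcp", "SA") takes the direct path: never seen
                      Pkt(CLIENT, SERVER, "tcp", "A"),
                      Pkt(CLIENT, SERVER, "tcp", "PA")]
    return {p.proto + p.flags: fw.inspect(p) for p in seen_by_zywall}

def symmetric_route(fw: StatefulFirewall) -> dict:
    # Same exchange when both directions pass the ZyWall (e.g. a host route on the server).
    both_ways = [Pkt(CLIENT, SERVER, "icmp"), Pkt(CLIENT, SERVER, "tcp", "S"),
                 Pkt(SERVER, CLIENT, "tcp", "SA"), Pkt(CLIENT, SERVER, "tcp", "A"),
                 Pkt(CLIENT, SERVER, "tcp", "PA")]
    return {p.proto + p.flags: fw.inspect(p) for p in both_ways}
```

With strict inspection only the ICMP echo and the initial SYN pass on the triangle route, while every later client packet is dropped; allowing asymmetric routes or making the path symmetric lets the whole session through.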
-
1. Asymmetrical route enabled
2. Static route already added; without it the ZyWall doesn't see LAN 192.168
I don't think it's the firewall. 172.21 & 172.20 are in the same zone, lan1. And if the firewall is disabled, the problem remains.
The provider's router is a D-Link DES-1210-10/ME, and I don't have access to it. I am trying to contact the provider's engineers, but they are silent at the moment((
And with the static route 192.168.0.0/16 via 172.20.0.99 on the server in the 172.20 zone, 192.168. works perfectly with 172.20. The servers start answering via 172.20.0.99, not via the ZyWall with the 1st gw 172.20.0.5, which then only redirects to 172.20.0.99. May the problem be with SNAT?
-
You cannot do SNAT on the USG for the traffic to 192.168.0.0/16.
Do you have any policy route on the USG that will do the SNAT?
-
Yes. Around 40 policies throw global IPs to all 3 nets.
Yes, 3 policies throw net 172.20. to 192.168., 172.21 and the internet via 3 different gws.
-
Then on the policy for 172.20 to 192.168,
the SNAT setting should be: none