VMG8924-B10A cannot nat additional subnets

palfreman Posts: 3  Freshman Member
edited December 2019 in Smart Home Product
Hi. I've got a VMG8924-B10A running the latest 1.00(AAKL.28)C0 firmware.

This is my layout, with "=" being interfaces

global ip=[Zyxel]=[]-------[OpenBSD router]=[]------

* The OpenBSD router has firewall disabled, and only a default gateway of the Zyxel.
* The server has only the default gateway of its local router.
* The Zyxel router has a static route to via, the BSD router's other IP. This is set on the br0 interface in the web gui.

So, servers inside can ping servers inside, and vice versa, clearly relying on the static route on the Zyxel.

BUT - nothing on can ping the address of the Zyxel router, nor make any kind of connection to the Internet.

AND the Zyxel router cannot ping anything inside, including the address of that network's router. But it can ping the address of the same router.

I don't get it. It's like there is a firewall setting on the router that I've missed somewhere, that only allows traffic from network it is configured to sit on and do DHCP for. So it is happy to route traffic to and from the subnet, but not accept the traffic itself or for NATting.

Any ideas?


Accepted Solution

  • palfreman
    palfreman Posts: 3  Freshman Member
    Accepted Answer
    I've fixed it. I've added this ACL rule:

    I was thinking about what you said about the topology and disagreeing, as the Zyxel does know about the network topology and can route to it using its static route, as long as the traffic isn't for itself or the Internet - devices that don't know about the subnet are able to get there via the Zyxel.

    So it had to be a missing ACL. And it was!  Found it in the Firewalls section. Seems to be a stateful ACL as it doesn't seem to need a rule back in the other direction.

    Happy new year and thanks for your help!
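To make the diagnosis concrete, here is an added Python model (not the Zyxel firmware and not from the original post) of the behaviour the thread observes: transit via the static route works for any source, while traffic addressed to the router itself or entering the NAT/WAN path is accepted only from a directly connected subnet or one an explicit ACL rule allows. All addresses are constructed documentation-range values (the thread's real ones were stripped); the LAN is a /27 and the DMZ a /24, matching the masks shown on vio0 and vio1.

```python
import ipaddress

# Constructed addresses standing in for the thread's (stripped) real ones.
LAN = ipaddress.ip_network("192.0.2.0/27")          # Zyxel-connected subnet (vio0 side)
DMZ = ipaddress.ip_network("198.51.100.0/24")       # subnet behind the OpenBSD router (vio1 side)
ROUTER_LAN_IP = ipaddress.ip_address("192.0.2.1")   # Zyxel br0 address
BSD_LAN_IP = ipaddress.ip_address("192.0.2.2")      # OpenBSD vio0, next hop of the static route
WAN_TEST = ipaddress.ip_address("203.0.113.8")      # stands in for an Internet host


class ZyxelModel:
    """Model of the observed forwarding / local-delivery / NAT decisions."""

    def __init__(self, acl_allow=()):
        self.connected = [LAN]
        self.static_routes = {DMZ: BSD_LAN_IP}
        # Source subnets permitted by Firewall > ACL rules (empty before the fix).
        self.acl_allow = [ipaddress.ip_network(n) for n in acl_allow]

    def _source_permitted(self, src):
        # Local delivery and the NAT path only accept connected or ACL-allowed sources.
        return any(src in n for n in self.connected + self.acl_allow)

    def handle(self, src, dst):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dst == ROUTER_LAN_IP:
            return "accept-local" if self._source_permitted(src) else "drop-local"
        for net, next_hop in self.static_routes.items():
            if dst in net:
                return f"forward via {next_hop}"   # pure transit: ACL not consulted
        if any(dst in n for n in self.connected):
            return "forward connected"
        # Anything else follows the default route to the WAN, which needs NAT.
        return "nat-to-wan" if self._source_permitted(src) else "drop-nat"


def reachability(model):
    """Reproduce the thread's ping matrix for a given router configuration."""
    return {
        "lan->dmz": model.handle("192.0.2.20", "198.51.100.10"),
        "dmz->lan": model.handle("198.51.100.10", "192.0.2.20"),
        "dmz->router": model.handle("198.51.100.10", str(ROUTER_LAN_IP)),
        "dmz->wan": model.handle("198.51.100.10", str(WAN_TEST)),
        "bsd->wan": model.handle(str(BSD_LAN_IP), str(WAN_TEST)),
    }


if __name__ == "__main__":
    print("before ACL:", reachability(ZyxelModel()))
    print("after ACL: ", reachability(ZyxelModel(acl_allow=["198.51.100.0/24"])))
```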

All Replies

  • Hummel
    Hummel Posts: 212  Master Member
    Do you mind taking screenshots for related settings on your VMG8924-B10A device and OpenBSD router so that we could have a clearer picture of your current topology? What is your purpose to use 2 routers and 2 subnets?
    Is there a NAT setting in OpenBSD router too for the subnet?
    Can the OpenBSD router ping successfully?
  • palfreman
    palfreman Posts: 3  Freshman Member
    There aren't many settings on an OpenBSD router - just the network interfaces and enabling routing. The purpose of the second network is to be a DMZ, although there are no services yet, and no firewall.  The OpenBSD router doesn't NAT.

    This shows the two main network interfaces of the OpenBSD router:
    $ ifconfig vio0; ifconfig vio1
    vio0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 08:00:27:9a:8b:29
        index 1 priority 0 llprio 3
        groups: egress
        media: Ethernet autoselect
        status: active
        inet netmask 0xffffffe0 broadcast
    vio1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 08:00:27:dd:0d:37
        index 2 priority 0 llprio 3
        media: Ethernet autoselect
        status: active
        inet netmask 0xffffff00 broadcast

    This setting makes it a router:
    $ sysctl -a | grep ip.forward

    Firewall on OpenBSD router is disabled. NAT is also disabled, as is the PF firewall:
    # pfctl -d     
    pf disabled

    OpenBSD router is able to ping Zyxel router and Internet sites, in this case the Google DNS server:
    $ ping    
    PING ( 56 data bytes
    64 bytes from icmp_seq=0 ttl=64 time=1.332 ms

    $ ping -c1
    PING ( 56 data bytes
    64 bytes from icmp_seq=0 ttl=55 time=13.156 ms

    I'm confident the OpenBSD router is working as it should be. I can ping and connect to things inside its subnet from the network directly connected to the Zyxel router (e.g. my laptop). Servers inside can connect back (in this instance, test server that uses as default gateway).

    My laptop has only its Zyxel-supplied default route set up, but it is able to get to due to the static route set up on the Zyxel router:

    My laptop routing table: $ ip r
    default via dev wlp2s0 proto dhcp metric 600
    dev wlp2s0 proto kernel scope link src metric 600
    dev wlp2s0 scope link metric 1000

    From my laptop: $ ping -c1
    PING ( 56(84) bytes of data.
    64 bytes from icmp_seq=1 ttl=254 time=3.57 ms

    From to my laptop:
    $ ping -c1
    PING ( 56 data bytes
    64 bytes from icmp_seq=0 ttl=63 time=3.451 ms

    BUT - from that same server, it CANNOT ping or connect to the Zyxel router or Internet sites:

    From to Zyxel router: $ ping -c1
    PING ( 56 data bytes
    --- ping statistics ---
    1 packets transmitted, 0 packets received, 100.0% packet loss

    $ ping -c1   
    PING ( 56 data bytes
    --- ping statistics ---
    1 packets transmitted, 0 packets received, 100.0% packet loss

    Looking at the Zyxel router itself:

    skipped some irrelevant DNS and IPv6 settings
    Static route:

    Firewall settings - vague IMO. Setting to "low" made no difference. Protocol, Access Control and DoS tabs are all empty.

    I'm convinced something on the Zyxel router is blocking the subnet. It has to be some setting I've missed somewhere, that means that it is only NATing and accepting traffic from its directly connected subnet. Because the static route *is* working, as long as the packet isn't going to the Zyxel router or WAN.
  • Hummel
    Hummel Posts: 212  Master Member
    Your OpenBSD router is able to access the Internet via VMG8924-B10A in your test, so basically there is no problem for VMG8924-B10A to connect to the Internet. Because is the local side of the OpenBSD router, for me, I think it is normal that it doesn't work in such a topology. In your topology, how could VMG8924-B10A know where is and pass the traffic to the subnet if your OpenBSD doesn't enable NAT and forward traffic to manage the network?
    If your purpose is a DMZ, how about trying the DMZ feature in VMG8924-B10A to set and enable NAT in the OpenBSD router, and also set port forwarding rules for the servers at the LAN side of the OpenBSD router? Just think of VMG8924-B10A as being at the WAN of your OpenBSD router.