Multiple public ip addresses used in source NAT, in a ZyWall usg2000, how does it actually work

hansjalbertsson Posts: 34  Freshman Member
edited April 2021 in Security
I found that in my usg2000 I can use a pool of addresses rather than just the out-going interface WAN address.
However, the information on how this pool of addresses is actually used is scant.

Can I configure how the next address to be used is found, like round-robin, hashed-address or random, and can I configure when a particular pool address translation is released?

And will the ZyWall do NAT translation overload with addresses in a pool like with a single WAN ip address?

Comments

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    Hello hansjalbertsson,
    As for your description:
    configuration of load-balancing (trunk) is based on port, so you cannot configure the pool address on a trunk.
    Secondly, for NAT, select Many 1:1 NAT and you can set the pool address for the original IP.

    Charlie
  • hansjalbertsson
    hansjalbertsson Posts: 34  Freshman Member
    edited December 2017
    I forgot to say "in configuring SNAT under policy route or in the SNAT part of an interface's configuration panels".
    The help facility in the USG300 and USG2000 describes how you can use an address object containing a range of publicly known addresses and have the USG do NAT to that range rather than to a single address.
    I'm sure I'll have to set up virtual interfaces in the ZyWall, have my ISP route that range via my ZyWall's WAN port, and possibly set up some routing information.

    Or am I being too optimistic.
  • Jeremylin
    Jeremylin Posts: 166  Master Member
    you can try the policy route.
    ex: Range of Public IP: 8.222.222.220~8.222.222.223, range of client IP: 192.168.2.22~192.168.2.33
    Create the object for range of public IP and range of client IP and each public IP.
    Go to policy route: Source Address "Range of client IP", Destination Address "Range of Public IP", Next Hop: Type "Interface", Interface "WAN interface", Address Translation: select one of the public IPs.
    You need to create three policy-routing profiles, one for each public IP in Address Translation.
  • hansjalbertsson
    hansjalbertsson Posts: 34  Freshman Member
    edited December 2017
    Jeremylin: what I want to find out are the rules followed by the ZyWall in doing SNAT using multiple public ip addresses, and, also, what else I need to do to enable internet traffic to reach the addresses in that pool.

    So, I have 3 questions:
    1st: when a second, new client in my private net connects to the internet, how does the ZyWall determine which public address to use for that client? Can this be configured?

    2nd: when all the public ip addresses used for SNAT are already in use, what happens when the next private net client tries to connect? And, can this be configured?

    3rd: I presume my ISP must route traffic for all of my assigned public addresses to my WAN connection(s), but what must I do in my usg2000 to enable the ZyWall to pick up that traffic and route it properly?

    P.S. My ZyWall usg2000 is running what I think is the very latest patch to the 3.30(AQW.7) ZLD FW.
  • Jeremylin
    Jeremylin Posts: 166  Master Member
    edited December 2017
    If you want to configure client "A" to access the network via public IP "A", you need to set routing on the USG.

    Moreover, the clients will route to the same public IP, however with different ports on that public IP.
    Please set up and test the configuration I mentioned in my previous message in your environment to see the result.
    The 3.30(AQW.7) is the latest firmware for sure, but as far as I know the USG 2000 is an old model in the USG series.
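To make the terms the thread is asking about concrete (round-robin versus hashed address selection, overload onto different ports of one public IP as Jeremylin describes above, and what happens when the pool is used up), here is an added Python model. It is not Zyxel code and not a statement of what ZLD actually does, which the thread leaves open; it only shows the two allocation rules a firewall could apply to Jeremylin's policy-route setup, the per-address port overload, the reverse lookup needed for replies once the ISP routes the range back to the WAN, and the exhaustion case. The public and client addresses are the constructed ones from Jeremylin's example; the class and function names and the 1024-65535 translation port range are assumptions of this model.

```python
import hashlib
from typing import Dict, List, Optional, Set, Tuple

Flow = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)
Translation = Tuple[str, int]      # (public_ip, public_port)

# Constructed sample pool: the public range used in the post above.
PUBLIC_POOL = ["8.222.222.220", "8.222.222.221", "8.222.222.222", "8.222.222.223"]


class PoolExhausted(Exception):
    """Every public IP in the pool has run out of translation ports."""


class SnatPool:
    """Model (not Zyxel's implementation) of SNAT onto a pool of public IPs with
    port overload (PAT) on each IP; mode is "round-robin" or "hash" (client pinned)."""

    def __init__(self, pool: List[str], mode: str = "hash",
                 ports: Tuple[int, int] = (1024, 65535)) -> None:
        self.pool = list(pool)
        self.mode = mode
        self.port_lo, self.port_hi = ports
        self._rr_next = 0
        self.table: Dict[Flow, Translation] = {}        # outbound: private flow -> public
        self.reverse: Dict[Translation, Flow] = {}      # inbound: public -> private flow
        self.used_ports: Dict[str, Set[int]] = {ip: set() for ip in self.pool}
        self.client_ip: Dict[str, str] = {}             # private IP -> pinned public IP

    def _pick_ip(self, src_ip: str) -> str:
        if src_ip in self.client_ip:                    # known client keeps its IP
            return self.client_ip[src_ip]
        if self.mode == "round-robin":                  # next new client, next IP
            ip = self.pool[self._rr_next % len(self.pool)]
            self._rr_next += 1
        else:                                           # hash of private IP picks the IP
            digest = hashlib.sha256(src_ip.encode()).digest()
            ip = self.pool[int.from_bytes(digest[:4], "big") % len(self.pool)]
        self.client_ip[src_ip] = ip
        return ip

    def _free_port(self, pub_ip: str, want: int) -> Optional[int]:
        """Prefer the client's own source port, else the lowest free one on pub_ip."""
        used = self.used_ports[pub_ip]
        if self.port_lo <= want <= self.port_hi and want not in used:
            return want
        for p in range(self.port_lo, self.port_hi + 1):
            if p not in used:
                return p
        return None

    def translate(self, flow: Flow) -> Translation:
        """Outbound packet: return the (public_ip, public_port) it leaves with."""
        if flow in self.table:                          # existing connection: reuse
            return self.table[flow]
        src_ip, src_port, _, _ = flow
        first = self._pick_ip(src_ip)
        # Overload the chosen IP first; spill to other pool members only when its
        # ports are gone; refuse only when the whole pool is full.
        for pub_ip in [first] + [ip for ip in self.pool if ip != first]:
            port = self._free_port(pub_ip, src_port)
            if port is not None:
                self.used_ports[pub_ip].add(port)
                self.table[flow] = (pub_ip, port)
                self.reverse[(pub_ip, port)] = flow
                return pub_ip, port
        raise PoolExhausted(f"no free port on any of {len(self.pool)} pool addresses")

    def untranslate(self, pub_ip: str, pub_port: int) -> Optional[Flow]:
        return self.reverse.get((pub_ip, pub_port))     # inbound reply -> private flow

    def release(self, flow: Flow) -> None:
        """Connection closed or timed out: give the public port back to the pool."""
        pub_ip, port = self.table.pop(flow)
        del self.reverse[(pub_ip, port)]
        self.used_ports[pub_ip].discard(port)


def demo() -> dict:
    """Run both modes on constructed flows (clients 192.168.2.22-26 from the post)."""
    rr = SnatPool(PUBLIC_POOL, mode="round-robin")
    rr_ips = [rr.translate((f"192.168.2.{h}", 50000, "203.0.113.10", 443))[0]
              for h in (22, 23, 24, 25, 26)]
    hashed = SnatPool(PUBLIC_POOL, mode="hash")
    a = hashed.translate(("192.168.2.22", 40000, "203.0.113.10", 443))
    b = hashed.translate(("192.168.2.22", 40000, "203.0.113.11", 443))
    return {"round_robin": rr_ips, "hash_pinned": a[0] == b[0], "ports": (a[1], b[1]),
            "reply_for_a": hashed.untranslate(*a)}


def exhaustion_demo() -> Tuple[bool, Translation]:
    """Fill a tiny pool, show the next client is refused, free one slot, retry."""
    small = SnatPool(PUBLIC_POOL, mode="round-robin", ports=(1024, 1025))
    flows = [(f"192.168.2.{h}", 50000, "203.0.113.10", 80) for h in range(22, 31)]
    for f in flows[:8]:                                 # 4 IPs x 2 ports = 8 slots
        small.translate(f)
    try:
        small.translate(flows[8])
        refused = False
    except PoolExhausted:
        refused = True
    small.release(flows[0])                             # first connection closes
    return refused, small.translate(flows[8])
```

In hash mode a client keeps one public address for all of its connections, which matters for services that expect a stable source IP; in round-robin mode consecutive new clients spread across the pool. Either way each public IP is overloaded on ports, so the pool is exhausted only when every port on every address is in use, and a slot comes back only when a translation is released.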
  • electsystech
    electsystech Posts: 41  Freshman Member
    Update. If your router is running firmware 4.35, please note that the NAT configuration looks a bit different. Here's an update:

    This applies in cases where the devices behind the Zyxel hold private IPs because they require firewall protection. Typically this method is used when servers are connected behind the Zyxel.

    Method 1 is 1:1 NAT and is used if firewall functionality is desired. This method only works when there is a router in front of the Zyxel so that both the Zyxel and the device behind the Zyxel can use the same gateway.

    *Go to Object > Address and add a host for each public static IP

    *Go to NAT and add a rule that says: 1:1 NAT Type > Interface WAN1 > Source IP = any > External IP = Public Address > Internal IP = Private IP of the device you're NATing to
