Zywall 310 can not reach public dns itself System/DNS??

KMP · February 2021

Hi we have a Zywall 310 running the latest firmware 4.62(AAAB.0)

The device itself can not reach public internet, for example i would like to upgrade the security IDP services, but it seems the device can not reacht the license server (portal.zyxel.com)

I have tried setting de System/DNS settings to 8.8.8.8 and tried without.

When running diagnostics and opening nslookupv4 it won't reach dns servers.

What could be the problem? Our infrastructure behind the Zywall will reach internet fine. No problems.

PeterUK · February 2021

Do you have a external interface to the internet?

do you have a bridge setup?

From the Zywall diagnostics use TRACEROUTE IPv4 to 8.8.8.8 and see what you get.

KMP · February 2021

Hi PeterUK,

Yes, an external interface is connected: ISP Fiber -> BaseT switch.
IPoE setup on WAN2 interface of Zywall with fixed IP.

A traceroute. It seems it does route via the ISP gateway. Then at hob 30 it stops.

Image: https://us.v-cdn.net/6029482/uploads/editor/iu/zgdo6m7sh623.png

KMP · February 2021

No Bridge setup.

PeterUK · February 2021

So do you SNAT on a single WAN IP or do you have a subnet of WAN IP's?

KMP · February 2021

Hi, Yes we do SNAT on multiple WAN IP's. Using policy route

PeterUK · February 2021

But have you tried SNAT the WAN IP the interface is on not your other WAN IP's by outgoing-interface ? I think the issue is you can't use that IP for internet and the Zywall is trying that IP and fails.

My setup has some what the same problem but different so what I think might work is if you make another port external zone OPT with a IP of the of your LAN subnet to its gateway connect it to your switch for that LAN so that it becomes a client and SNAT out your set WAN IP then setup a trunk with that interface at the top. If this works like I hope the Zywall will use that interface to make connections for DNS and such.