USG 20 (WAN) behind USG 60 (DMZ) - Best practice - advice needed

WvandeHoef
WvandeHoef Posts: 22  Freshman Member
First Comment Fourth Anniversary
edited April 2021 in Security
I am asked to setup our network so that an extra internal network will be created that is filtered/firewalled on both incoming and outgoing traffic and where only http/https/ftp/printer is allowed from that network.

As we have an USG 60 operational, where all outgoing ports and networks are already used and VLAN is not an option, my idea is to use an old USG 20 we have lying around and use that to separate and setup the new network. As the users on the LAN1 network behind the USG 20 will need to print on the multifunction that is on the DMZ of the USG 60 my guess is I need to fix the WAN port of the USG 20 to 192.168.3.10 and disable the DMZ (and LAN2) on the USG 20 to prevent conflicts. With this setting I indeed can access the printer and web pages of the devices in the USG 60 DMZ, but I have issues with the http/https traffic from the computers behind the USG 20.

As I am not very familiar with the Zyxel USG I expect I need to change some NAT settings on either the USG 20 or the USG 60, or setup fixed routing rules.

Can someone advise me on this and recommend their best practice for this situation?

Graphical overview of the intended network: 



Cheers,
Wouter

Accepted Solution

  • WvandeHoef
    WvandeHoef Posts: 22  Freshman Member
    First Comment Fourth Anniversary
    Answer ✓
    Hi Peter,

    Just to let you know this was the most valued comment I received in years! Thanks big time!

    I now have reworked our networks and it took some time over the weekend, but I am sure it is way better this way. For the additional requested functionality I now do not need the extra USG, the existing one is sufficient :-)

    Kind regards,
    Wouter

All Replies

  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited August 2020

    Doing a VLAN for servers and printers would make this easier but as thats not a option here is another way by routeing/static route and Asymmetrical Route.

    On the USG60 make a static route for

    destination IP 192.168.11.0

    subnet 255.255.255.0

    Gateway IP the USG20 WAN IP 192.168.3.10 

    On the USG60 in Policy Control enable Asymmetrical Route and make a rule for

    from DMZ

    to DMZ

    allow

    On the USG20 make a routing rule for

    incoming interface

    member LAN1

    next hop

    type gateway

    gateway USG60 gateway IP 192.168.3.1 ?

    source network address translation none


  • WvandeHoef
    WvandeHoef Posts: 22  Freshman Member
    First Comment Fourth Anniversary
    Thanks Peter,

    I will follow your instructions and add the routing.

    As explanation for a VLAN not being an option is that sofar I have been unable to setup Security Policy Rules on VLAN level. The lowest I got is on Interface level, so the rule would apply to all vlans on that interface and that is not wanted here.

    Out of curiosity: I was expecting instructions to setup a VPN between USG20 and USG60, or instructions to setup SNAT on the USG20.

    My initial expectation was that SNAT on the USG20 would have been enough to make this work as no-one on the USG60 WAN, LAN1, LAN2 or DMZ should be able to connect to any machine behind the USG20. 

    The machines behind the USG20 only are allowed to pass the USG20 firewall with the aforementioned ports/services. 

    In what way is setting up Routing tables conflicting with our targets? Are we exposing more than we actually want? 
  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited August 2020

    As explanation for a VLAN not being an option is that sofar I have been unable to setup Security Policy Rules on VLAN level. The lowest I got is on Interface level, so the rule would apply to all vlans on that interface and that is not wanted here.

    you can make a Zone so that a VLAN based on DMZ is not in the same zone as DMZ, to make zone in settings > object > Zone 


    ...or instructions to setup SNAT on the USG20.

    Yes you can do that I just don't like double NAT and showed you a  advanced other way of doing it but should that way not work out then its simple to do SNAT on the USG20.
  • WvandeHoef
    WvandeHoef Posts: 22  Freshman Member
    First Comment Fourth Anniversary
    you can make a Zone so that a VLAN based on DMZ is not in the same zone as DMZ

    Thanks a lot Peter, I was unaware of that option, but it opens a lot of new possibilities to explore!
  • WvandeHoef
    WvandeHoef Posts: 22  Freshman Member
    First Comment Fourth Anniversary
    Answer ✓
    Hi Peter,

    Just to let you know this was the most valued comment I received in years! Thanks big time!

    I now have reworked our networks and it took some time over the weekend, but I am sure it is way better this way. For the additional requested functionality I now do not need the extra USG, the existing one is sufficient :-)

    Kind regards,
    Wouter

Security Highlight