USG 20 (WAN) behind USG 60 (DMZ) - Best practice - advice needed
As we have a USG 60 operational, where all outgoing ports and networks are already used and VLAN is not an option, my idea is to use an old USG 20 we have lying around and use that to separate and set up the new network. As the users on the LAN1 network behind the USG 20 will need to print on the multifunction that is on the DMZ of the USG 60, my guess is I need to fix the WAN port of the USG 20 to 192.168.3.10 and disable the DMZ (and LAN2) on the USG 20 to prevent conflicts. With this setting I indeed can access the printer and web pages of the devices in the USG 60 DMZ, but I have issues with the http/https traffic from the computers behind the USG 20.
As I am not very familiar with the Zyxel USG I expect I need to change some NAT settings on either the USG 20 or the USG 60, or setup fixed routing rules.
Can someone advise me on this and recommend their best practice for this situation?
Graphical overview of the intended network:
Cheers,
Wouter
Accepted Solution
Hi Peter,
Just to let you know this was the most valued comment I received in years! Thanks big time!
I now have reworked our networks and it took some time over the weekend, but I am sure it is way better this way. For the additional requested functionality I now do not need the extra USG, the existing one is sufficient :-)
Kind regards,
Wouter
All Replies
Doing a VLAN for servers and printers would make this easier, but as that's not an option, here is another way by routing/static route and Asymmetrical Route.
On the USG60 make a static route for:
- destination IP 192.168.11.0
- subnet 255.255.255.0
- gateway IP: the USG20 WAN IP 192.168.3.10
On the USG60 in Policy Control enable Asymmetrical Route and make a rule for:
- from DMZ
- to DMZ
- allow
On the USG20 make a routing rule for:
- incoming: interface, member LAN1
- next hop type: gateway, gateway USG60 gateway IP 192.168.3.1 ?
- source network address translation: none
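Why the static route and the DMZ-to-DMZ rule are needed can be seen by tracing the printer's reply: without SNAT, the USG20 delivers LAN1 traffic to the printer directly over the DMZ segment, so the USG60 only ever sees the printer's replies to 192.168.11.x, which it must send back out of the same DMZ interface toward 192.168.3.10 (the asymmetric, or triangle, route). The following longest-prefix-match model is an added example, not configuration from the thread or Zyxel's own code; it takes 192.168.3.1, 192.168.3.10 and 192.168.11.0/24 from the replies above and assumes a printer at 192.168.3.20, a LAN1 client 192.168.11.5 and an ISP next hop 203.0.113.1.

```python
from ipaddress import ip_address, ip_network

# USG60 routing table as (prefix, next hop or None if on-link, egress interface).
USG60_ROUTES = [
    ("192.168.3.0/24", None, "dmz"),          # DMZ, USG60 address 192.168.3.1
    ("0.0.0.0/0", "203.0.113.1", "wan"),      # constructed ISP next hop
]
STATIC_ROUTE = ("192.168.11.0/24", "192.168.3.10", "dmz")  # route from the reply above
PRINTER_NET = "192.168.3.0/24"                # the printer sits in the USG60 DMZ

def lookup(table, dst):
    """Longest-prefix match; returns (next_hop, egress_interface)."""
    dst = ip_address(dst)
    matches = [r for r in table if dst in ip_network(r[0])]
    if not matches:
        raise LookupError(f"no route to {dst}")
    prefix, next_hop, iface = max(matches, key=lambda r: ip_network(r[0]).prefixlen)
    return (next_hop or str(dst), iface)

def printer_reply_path(table, reply_dst):
    """Trace the printer's reply toward reply_dst (the source address the printer saw).
    A same-subnet reply goes straight over the DMZ switch and never touches the USG60;
    anything else goes to the printer's default gateway, the USG60, which routes it."""
    if ip_address(reply_dst) in ip_network(PRINTER_NET):
        return {"via_usg60": False, "egress": "dmz", "hairpin": False}
    next_hop, egress = lookup(table, reply_dst)
    # Entering and leaving on the same DMZ interface, for a session whose forward
    # packets the USG60 never saw, is the case the DMZ->DMZ policy with
    # Asymmetrical Route enabled has to permit.
    return {"via_usg60": True, "next_hop": next_hop, "egress": egress,
            "hairpin": egress == "dmz"}

# The three setups discussed in the thread, with a constructed LAN1 client 192.168.11.5.
no_route = printer_reply_path(USG60_ROUTES, "192.168.11.5")
with_route = printer_reply_path(USG60_ROUTES + [STATIC_ROUTE], "192.168.11.5")
with_snat = printer_reply_path(USG60_ROUTES, "192.168.3.10")  # USG20 SNATs to its WAN IP

if __name__ == "__main__":
    for name, path in [("no static route", no_route), ("static route", with_route),
                       ("SNAT on USG20", with_snat)]:
        print(f"{name:16}: {path}")
```

With no static route the reply follows the default route out of the WAN and the session breaks; with the static route it hairpins on the DMZ; with SNAT the printer answers 192.168.3.10 on-link and the USG60 is not involved at all, which is the double-NAT trade-off mentioned later in the thread.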
Thanks Peter,
I will follow your instructions and add the routing.
As explanation for a VLAN not being an option is that so far I have been unable to set up Security Policy Rules on VLAN level. The lowest I got is on Interface level, so the rule would apply to all VLANs on that interface and that is not wanted here.
Out of curiosity: I was expecting instructions to set up a VPN between USG20 and USG60, or instructions to set up SNAT on the USG20.
My initial expectation was that SNAT on the USG20 would have been enough to make this work, as no one on the USG60 WAN, LAN1, LAN2 or DMZ should be able to connect to any machine behind the USG20.
The machines behind the USG20 only are allowed to pass the USG20 firewall with the aforementioned ports/services.
In what way is setting up routing tables conflicting with our targets? Are we exposing more than we actually want?
> As explanation for a VLAN not being an option is that so far I have been unable to set up Security Policy Rules on VLAN level. The lowest I got is on Interface level, so the rule would apply to all VLANs on that interface and that is not wanted here.
You can make a Zone so that a VLAN based on DMZ is not in the same zone as DMZ; to make a zone, go to settings > object > Zone.
> ...or instructions to set up SNAT on the USG20.
Yes, you can do that. I just don't like double NAT and showed you an advanced other way of doing it, but should that way not work out, then it's simple to do SNAT on the USG20.
> you can make a Zone so that a VLAN based on DMZ is not in the same zone as DMZ
Thanks a lot Peter, I was unaware of that option, but it opens a lot of new possibilities to explore!