LAN 1 - LAN2 : USG Flex 200

dupstech Posts: 3
edited April 2021 in Security

This is my first time using a Zyxel FW appliance and I need a little assistance.

I have two physical LANs in office, LAN1 - (P4) and LAN2 - (P5), and I need them to talk to each other.
No DHCP on either ports (LAN1 managed by inhouse domain controller, LAN2 no DHCP)
LAN1(P4) => office network switch
LAN2(P5) => 3rd party Cisco router w/4 active switch ports (gateway for LAN2)

I am able to ping from the USG appliance to all (ping-able) devices on either LAN but I am unable to ping/access anything from one LAN to another.

I have setup FW rules to allow traffic flow both ways but I have had no luck. Policies below:
LAN1 - LAN2 - any - any - any - any - allow
 - any - any - any - any - allow

Is there something I am missing? I have used SonicWALL and Sophos appliances before and this is how I would normally have achieved my desired goal. I am not using VLANs.

Any help would be appreciated and I am happy to provide additional info if needed.


Best Answers

  • dupstech
    dupstech Posts: 3
    Answer ✓
    zyman2008 said:
    It could be related to routing settings.
    What's the gateway address of clients on LAN1 and LAN2?

    Thanks for this, I set up a policy route on the USG from LAN1 to LAN2 with SNAT of the outgoing interface P5 ( and it's working great.

All Replies

  • zyman2008, thanks for your quick input.

    LAN1 gw is the USG -
    LAN2 gw is the Cisco router -

    USG is connected to the Cisco with IP Both networks can ping this interface but traffic is not going any further.

    Should the Cisco be configured with a route to the network? Could I setup NAT/Masquerading on this LAN2 port? Getting any assistance from the 3rd party who manage the Cisco router is tricky at the best of times...
  • zyman2008
    zyman2008 Posts: 184
    Master Member
    The best practice is routing between USG FLEX and Cisco router without any NAT/Masquerading.
    If you can add a static route entry, next-hop:
    And enable "Allow Asymmetric Route" in Security Policy > Policy Control page.
    Then you don't need to add the policy route on USG FLEX for NAT/Masquerading the LAN1 client.

    But in case it's not easy to set up the Cisco router in time:
    what your current setup gives is a work-around for LAN1 to LAN2.
    But what you lose is LAN2 to all LAN1 services.
    You can only set NAT port forwarding for LAN2 to access a specific service in LAN1 via IP address.

    For example, map to
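To make the two return-path situations discussed in this thread concrete, here is an added hop-by-hop routing model; it is not code from the thread, from Zyxel or from Cisco. All addresses are constructed for the example: LAN1 is 10.1.0.0/24 behind USG port P4 (10.1.0.1), LAN2 is 192.168.2.0/24 with the USG's P5 at 192.168.2.2 and the Cisco at 192.168.2.1, and the Cisco has only a default route towards a WAN link. It traces both directions under the original setup, under the Cisco static route zyman2008 recommends, and under the SNAT policy route dupstech applied, and so shows why replies die at the Cisco in the original setup and why LAN2-initiated traffic is lost in the SNAT case.

```python
"""Hop-by-hop routing model of the LAN1/LAN2 problem from the thread.

Constructed addressing (not from the thread): LAN1 = 10.1.0.0/24 behind USG
port P4 (10.1.0.1); LAN2 = 192.168.2.0/24 on USG port P5 (192.168.2.2) and on
the Cisco router (192.168.2.1); the Cisco's default route points at a WAN link.
"""
import ipaddress


class Node:
    """A host or router: interfaces (name -> (link, addr/prefix)), static routes, SNAT."""

    def __init__(self, name, ifaces, routes=(), snat=None):
        self.name = name
        self.ifaces = {n: (link, ipaddress.ip_interface(a)) for n, (link, a) in ifaces.items()}
        self.routes = [(ipaddress.ip_network(n), ipaddress.ip_address(gw), i) for n, gw, i in routes]
        self.snat = {i: ipaddress.ip_address(a) for i, a in (snat or {}).items()}

    def owns(self, ip):
        return any(itf.ip == ip for _, itf in self.ifaces.values())

    def next_hop(self, dst):
        """Longest-prefix match over connected networks and static routes -> (iface, next hop)."""
        best = None
        for iface, (_, itf) in self.ifaces.items():
            if dst in itf.network and (best is None or itf.network.prefixlen > best[0]):
                best = (itf.network.prefixlen, iface, dst)  # on-link: next hop is the destination
        for net, gw, iface in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, iface, gw)
        return None if best is None else best[1:]


class Topology:
    def __init__(self, nodes):
        self.by_ip = {(link, itf.ip): n for n in nodes for link, itf in n.ifaces.values()}

    def trace(self, start, src, dst, nat=None):
        """Forward one packet. Returns (status, path, last node, source as seen, NAT state)."""
        node, path = start, [start.name]
        for _ in range(16):  # TTL guard against loops
            if nat and node is nat[0] and dst == nat[2]:
                dst = nat[1]  # reply addressed to the masquerade IP: restore original source
            if node.owns(dst):
                return "delivered", path, node, src, nat
            hop = node.next_hop(dst)
            if hop is None:
                return f"no route at {node.name}", path, node, src, nat
            iface, nh = hop
            if iface in node.snat:  # SNAT on egress: remember the mapping, rewrite the source
                nat, src = (node, src, node.snat[iface]), node.snat[iface]
            prev, node = node, self.by_ip.get((node.ifaces[iface][0], nh))
            if node is None:  # next hop is not on any modelled link (e.g. the Cisco's WAN)
                return f"blackholed via {prev.name}:{iface}", path, None, src, nat
            path.append(node.name)
        return "ttl exceeded", path, node, src, nat

    def round_trip(self, client, server_ip):
        """Client sends to server_ip; the server replies to whatever source address it saw."""
        client_ip = next(itf.ip for _, itf in client.ifaces.values())
        fwd, path, server, seen_src, nat = self.trace(client, client_ip, ipaddress.ip_address(server_ip))
        if fwd != "delivered":
            return {"forward": fwd, "reply": "n/a", "path": path}
        rev, rpath, _, _, _ = self.trace(server, ipaddress.ip_address(server_ip), seen_src, nat)
        return {"forward": fwd, "reply": rev, "path": path, "reply_path": rpath}


def build(cisco_route_to_lan1=False, usg_snat_on_p5=False):
    """The thread's topology under the two fixes discussed (constructed addresses)."""
    host1 = Node("host1", {"eth0": ("lan1", "10.1.0.10/24")}, [("0.0.0.0/0", "10.1.0.1", "eth0")])
    usg = Node("usg", {"P4": ("lan1", "10.1.0.1/24"), "P5": ("lan2", "192.168.2.2/24")},
               snat={"P5": "192.168.2.2"} if usg_snat_on_p5 else None)
    cisco_routes = [("0.0.0.0/0", "203.0.113.1", "wan")]
    if cisco_route_to_lan1:  # the static route zyman2008 suggests: LAN1 via the USG's P5 address
        cisco_routes.append(("10.1.0.0/24", "192.168.2.2", "lan"))
    cisco = Node("cisco", {"lan": ("lan2", "192.168.2.1/24"), "wan": ("wan", "203.0.113.2/30")},
                 cisco_routes)
    host2 = Node("host2", {"eth0": ("lan2", "192.168.2.10/24")}, [("0.0.0.0/0", "192.168.2.1", "eth0")])
    return Topology([host1, usg, cisco, host2]), host1, host2


def scenarios():
    """Both directions under: original setup, Cisco static route, USG policy route with SNAT."""
    out = {}
    for label, kw in [("original", {}), ("cisco_static_route", {"cisco_route_to_lan1": True}),
                      ("usg_snat", {"usg_snat_on_p5": True})]:
        topo, h1, h2 = build(**kw)
        out[label] = {"lan1_to_lan2": topo.round_trip(h1, "192.168.2.10"),
                      "lan2_to_lan1": topo.round_trip(h2, "10.1.0.10")}
    return out


if __name__ == "__main__":
    for label, res in scenarios().items():
        print(label)
        for direction, r in res.items():
            print(f"  {direction}: forward={r['forward']}, reply={r['reply']}, path={' > '.join(r['path'])}")
```

Running it shows the three states the thread describes: in the original setup LAN1 packets reach LAN2 hosts but the replies go to the Cisco, which only has a default route, so they are blackholed towards the WAN; with the static route on the Cisco both directions work, and the LAN1-to-LAN2 reply comes back host2 > cisco > usg > host1 while the request went host1 > usg > host2, which is the asymmetric path that the "Allow Asymmetric Route" setting zyman2008 mentions has to tolerate; with SNAT on P5 the reply is addressed to the USG's own P5 address and never needs the Cisco, but a LAN2 host trying to open a connection to LAN1 still sends it to the Cisco and loses it.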
