VMG8924-B10A cannot nat additional subnets

palfreman
edited December 2019 in Smart Home Product
Hi. I've got a VMG8924-B10A running the latest 1.00(AAKL.28)C0 firmware.

This is my layout, with "=" being interfaces

global ip=[Zyxel]=10.0.1.30------[10.0.1.0/27]-------10.0.1.2=[OpenBSD router]=10.0.2.254------[10.0.2.0/24]------10.0.2.1=server

* The OpenBSD router has its firewall disabled, and only a default gateway of the Zyxel.
* The server 10.0.2.1 has only the default gateway of its local router, 10.0.2.254
* The Zyxel router has a static route to 10.0.2.0/24 via 10.0.1.2, the BSD router's other IP. This is set on the br0 interface in the web gui.

So, servers inside 10.0.1.0/27 can ping servers inside 10.0.2.0/24, and vice versa, clearly relying on the static route on the Zyxel.

BUT - nothing on 10.0.2.0/24 can ping the 10.0.1.30 address of the Zyxel router, nor make any kind of connection to the Internet

AND the Zyxel router cannot ping anything inside 10.0.2.0/24, including the 10.0.2.254 address of that network's router. But it can ping the 10.0.1.2 address of the same router.

I don't get it. It's like there is a firewall setting on the router that I've missed somewhere, that only allows traffic from 10.0.1.0/27 network it is configured to sit on and do DHCP for. So it is happy to route traffic to and from the 10.0.2.0/24 subnet, but not accept the traffic itself or for NATting.

Any ideas?



Accepted Solution

  • palfreman (Answer ✓)
    I've fixed it. I've added this ACL rule:

    [screenshot not reproduced]

    I was thinking about what you said about the topology and disagreeing, as the Zyxel does know about the network topology and can route to it using its static route, as long as the traffic isn't for itself or the Internet - devices that don't know about the 10.0.2.0/24 subnet are able to get there via the Zyxel.

    So it had to be a missing ACL. And it was!  Found it in the Firewalls section. Seems to be a stateful ACL as it doesn't seem to need a rule back in the other direction.

    Happy new year and thanks for your help!

All Replies

  • Hummel
    @palfreman,
    Do you mind taking screenshots for related settings on your VMG8924-B10A device and OpenBSD router so that we could have a clearer picture of your current topology? What is your purpose to use 2 routers and 2 subnets?
    Is there a NAT setting in OpenBSD router too for the 10.0.2.0/24 subnet?
    Can the OpenBSD router (10.0.1.2) ping 10.0.1.30 successfully?
  • palfreman
    There aren't many settings on an OpenBSD router - just the network interfaces and enabling routing. The purpose of the second network is to be a DMZ, although there are no services yet, and no firewall.  The OpenBSD router doesn't NAT.

    This shows the two main network interfaces of the OpenBSD router:
    $ ifconfig vio0; ifconfig vio1
    vio0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 08:00:27:9a:8b:29
        index 1 priority 0 llprio 3
        groups: egress
        media: Ethernet autoselect
        status: active
        inet 10.0.1.2 netmask 0xffffffe0 broadcast 10.0.1.31
    vio1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 08:00:27:dd:0d:37
        index 2 priority 0 llprio 3
        media: Ethernet autoselect
        status: active
        inet 10.0.2.254 netmask 0xffffff00 broadcast 10.0.2.255

    This setting makes it a router:
    $ sysctl -a | grep ip.forward
    net.inet.ip.forwarding=1

    The firewall on the OpenBSD router is disabled. NAT is also disabled, as is the PF firewall:
    # pfctl -d     
    pf disabled

    OpenBSD router is able to ping Zyxel router and Internet sites, in this case the 8.8.8.8 Google DNS server:
    $ ping 10.0.1.30    
    PING 10.0.1.30 (10.0.1.30): 56 data bytes
    64 bytes from 10.0.1.30: icmp_seq=0 ttl=64 time=1.332 ms

    $ ping -c1 8.8.8.8
    PING 8.8.8.8 (8.8.8.8): 56 data bytes
    64 bytes from 8.8.8.8: icmp_seq=0 ttl=55 time=13.156 ms

    I'm confident the OpenBSD router is working as it should be. I can ping and connect to things inside its 10.0.2.0/24 subnet from the network directly connected to the Zyxel router (eg my laptop). Servers inside 10.0.2.0/24 can connect back (in this instance, test server 10.0.2.1 that uses 10.0.2.254 as default gateway)

    My laptop has only its Zyxel-supplied default route set up, but it is able to get to 10.0.2.1 due to the static route set up on the Zyxel router:

    My laptop routing table: $ ip r
    default via 10.0.1.30 dev wlp2s0 proto dhcp metric 600
    10.0.1.0/27 dev wlp2s0 proto kernel scope link src 10.0.1.12 metric 600
    169.254.0.0/16 dev wlp2s0 scope link metric 1000

    From my laptop: $ ping -c1 10.0.2.1
    PING 10.0.2.1 (10.0.2.1) 56(84) bytes of data.
    64 bytes from 10.0.2.1: icmp_seq=1 ttl=254 time=3.57 ms

    From 10.0.2.1 to my laptop:
    $ ping -c1 10.0.1.12
    PING 10.0.1.12 (10.0.1.12): 56 data bytes
    64 bytes from 10.0.1.12: icmp_seq=0 ttl=63 time=3.451 ms

    BUT - from that same server, it CANNOT ping or connect to the Zyxel router or Internet sites:

    From 10.0.2.1 to Zyxel router: $ ping -c1 10.0.1.30
    PING 10.0.1.30 (10.0.1.30): 56 data bytes
    --- 10.0.1.30 ping statistics ---
    1 packets transmitted, 0 packets received, 100.0% packet loss

    $ ping -c1 8.8.8.8   
    PING 8.8.8.8 (8.8.8.8): 56 data bytes
    --- 8.8.8.8 ping statistics ---
    1 packets transmitted, 0 packets received, 100.0% packet loss

    Looking at the Zyxel router itself:

    [screenshots not reproduced; skipped some irrelevant DNS and IPv6 settings]

    Static route:

    [screenshot not reproduced]

    Firewall settings - vague IMO. Setting to "low" made no difference. Protocol, Access Control and DoS tabs are all empty.

    I'm convinced something on the Zyxel router is blocking the 10.0.2.0/24 subnet. It has to be some setting I've missed somewhere, that means that it is only NATing and accepting traffic from its directly connected subnet. Because the static route *is* working, as long as the packet isn't going to the Zyxel router or WAN.
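The OpenBSD box in the post above runs with pf disabled, so the "DMZ" segment is only a routed subnet: once a host in 10.0.2.0/24 is compromised, nothing on the router stops it from reaching the LAN, the laptop, or the Zyxel's management address at 10.0.1.30. The following /etc/pf.conf is an added example, not the poster's configuration and not a Zyxel setting. It takes the interface names and addresses from the ifconfig output above; the published web server on 10.0.2.1 (ports 80/443) and the SSH-from-LAN management rule are assumptions for illustration. NAT is still done by the Zyxel, as in the thread; this file only filters.

```pf
# Added example: /etc/pf.conf for the OpenBSD router sitting between
# 10.0.1.0/27 (Zyxel side) and the 10.0.2.0/24 DMZ.
# Interface names and addresses are from the ifconfig output in the thread;
# the web server and the SSH rule are assumptions, not from the thread.

lan_if  = "vio0"            # 10.0.1.2/27, towards the Zyxel (10.0.1.30)
dmz_if  = "vio1"            # 10.0.2.254/24, the DMZ
lan_net = "10.0.1.0/27"
dmz_net = "10.0.2.0/24"
web_srv = "10.0.2.1"        # assumed DMZ web server

set skip on lo

# Default deny, logged, in both directions on both interfaces.
# Every "pass" below keeps state (pf's default), so return traffic
# needs no reverse rule, exactly like the stateful ACL on the Zyxel.
block log all

# The router itself may originate traffic (the ping tests in the thread,
# DNS, NTP, package fetches).
pass out quick inet from self

# Anyone may ping the router's own addresses; useful for the kind of
# debugging done in this thread, and nothing else is opened by it.
pass in quick inet proto icmp icmp-type echoreq to self

# DMZ hosts get no other access to the router's own addresses.
block in quick on $dmz_if inet from $dmz_net to self

# Manage the router over SSH from the LAN side only.
pass in on $lan_if inet proto tcp from $lan_net to self port ssh

# LAN -> DMZ: the laptop may reach DMZ hosts for testing and administration.
pass in on $lan_if inet from $lan_net to $dmz_net

# DMZ -> Internet only. Anything from the DMZ whose destination is not in
# the LAN (which covers the Zyxel at 10.0.1.30 and the laptop) is forwarded
# to the default gateway; DMZ-initiated connections into the LAN are dropped
# by "block log all".
pass in on $dmz_if inet from $dmz_net to ! $lan_net

# Published service: the Zyxel's port forwards for 80/443 land here with
# the original public source address, so no source restriction is possible.
pass in on $lan_if inet proto tcp to $web_srv port { 80 443 }
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -ef /etc/pf.conf`; `net.inet.ip.forwarding=1` stays as shown above. Note that this ruleset deliberately breaks the "From 10.0.2.1 to my laptop" ping that the post shows working: a DMZ host answering the laptop is allowed through state, but a DMZ host initiating towards the LAN is not. It does not change anything about the Zyxel's own ACL, which still has to permit 10.0.2.0/24 for NAT and for traffic addressed to the Zyxel itself.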
  • Hummel
    @palfreman,
    Your OpenBSD router (10.0.1.2) is able to access the Internet via VMG8924-B10A in your test, so basically there is no problem for VMG8924-B10A to connect to the Internet. Because 10.0.2.0/24 is the local side of the OpenBSD router, for me, I think it is normal that it doesn't work in such a topology. In your topology, how could VMG8924-B10A know where 10.0.2.0/24 is and pass the traffic to the subnet (10.0.2.0/24) if your OpenBSD doesn't enable NAT and forward traffic to manage the network?
    If your purpose is a DMZ, how about trying the DMZ feature in VMG8924-B10A to set 10.0.1.2, enabling NAT in the OpenBSD router, and also setting port forwarding rules for the servers at the LAN side of the OpenBSD router? Just think of VMG8924-B10A as being at the WAN of your OpenBSD router.
