How to connect & Configure my Zyxel USG20 VPN firewall with ONT Router of my ISP

Hi, I have a Zyxel USG20 VPN Firewall. Recently, I migrated to a new ISP who provides a fiber connection. So I got an ONT Router on premises provided by the ISP with a static IP configured. When requested to configure the router in bridged mode (I wanted it in bridged mode, so I can configure the Zyxel with the same static IP assigned to the router), they did and now the internet doesn’t work. The ISP says the internet will only work after configuring the static IP in our firewall, which I did, but it still doesn’t work.

 

I have two queries:

1) Does the internet connectivity have something to do with the bridged mode? But my internet doesn’t work even when the firewall is not connected and when I connect a client device directly to the router.

2) How do I properly configure the Zyxel USG 20 VPN Firewall with the ONT Router (and vice versa) to have my network connectivity up and running?



All Replies

  • jasailafan
    jasailafan Posts: 193  Master Member
    Seems the scenario is similar to the following examples. Try to add a bridge interface just like the suggestion in the posts.
  • Ian31
    Ian31 Posts: 174  Master Member
    1) Does the internet connectivity have something to do with the bridged mode? But my internet doesn’t work even when the firewall is not connected and when I connect a client device directly to the router.
    This is what you need to solve first with help from your ISP before connecting your USG20 VPN firewall.

  • Seems the scenario is similar to the following examples. Try to add a bridge interface just like the suggestion in the posts.
    Hi Jasailfan,

    The examples are not exactly similar. We have one static IP provided by our ISP (150.160.70.X) with DG & DNS addresses. The ISP ONT Router is configured in bridged mode by the ISP. The Router LAN IP is 192.168.100.1 & the LAN port is connected to the USG20 Firewall WAN Port. The USG LAN is set to the same subnet, with IP 192.168.100.10. So, now how do I configure my Firewall to access the ONT Router through which internet would be connected to my LAN network?


  • Ian31 said:
    1) Does the internet connectivity have something to do with the bridged mode? But my internet doesn’t work even when the firewall is not connected and when I connect a client device directly to the router.
    This is what you need to solve first with help from your ISP before connecting your USG20 VPN firewall.

    Hello Lan31,

    I checked with the ISP. They said, when the router goes on to a bridged mode, the static IP should be configured in the Firewall and the router shall only be used to allow traffic through it. They also said internet would only be accessible via the firewall and no clients can be connected to the ONT Router directly for internet access.

    So my scenario is:

    We have one static IP provided by our ISP (150.160.70.X) with DG & DNS addresses. The ISP ONT Router is configured in bridged mode by the ISP. The Router LAN IP is 192.168.100.1 & the LAN port is connected to the USG20 Firewall WAN Port. The USG LAN is set to the same subnet, with IP 192.168.100.10. So, now how do I configure my USG20 Firewall to access the ONT Router through which internet would be connected to my LAN network?


  • Ian31
    Ian31 Posts: 174  Master Member
    Hi @RAV_ZYXEL,
    There are two types of topology:
    1. ISP DG --- ONT(bridge) --- Firewall(bridge mode) --- Clients(public IPs)
    In case the ISP offers a block of public IPs for clients & firewall
    (1) You need to configure the USG20 in bridge mode
    (2) All clients set up a static public IP, and the DG is the DG of the ISP

    2. ISP DG --- ONT(bridge) --- (public IP)Firewall(NAT mode) --- Clients(private IPs)
    In case the ISP offers only one public IP
    (1) Set up the ISP public IP and DG on the WAN of the USG20
    (2) You cannot configure the LAN of the USG20 with the same IP subnet as the WAN port.
    You can use the default 192.168.1.1/24
    (3) On the USG20, go to System > DNS > add Zone Forwarder to the ISP DNS server

    (4)USG20 as DHCP server for LAN clients
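
A pre-flight check for topology 2 above, added here as an illustration (not code from the thread or from Zyxel): it validates a planned WAN/LAN addressing scheme with Python's `ipaddress` module before the values are typed into the firewall. The function name, the 203.0.113.x WAN values (a documentation range standing in for the ISP's static IP and DG) and the extra check against the ONT's management subnet are assumptions of this example; 192.168.100.x and 192.168.1.1/24 are the private addresses mentioned in the thread.

```python
import ipaddress

# RFC 1918 private ranges: LAN clients behind NAT should live in one of these.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_nat_plan(wan_if, wan_gw, lan_if, ont_mgmt_if=None):
    """Return a list of problems for a one-public-IP (NAT mode) plan.

    wan_if, lan_if, ont_mgmt_if: "address/prefix" strings.
    wan_gw: the ISP default gateway (DG) address.
    An empty list means no addressing conflict was found.
    """
    wan = ipaddress.ip_interface(wan_if)
    lan = ipaddress.ip_interface(lan_if)
    gw = ipaddress.ip_address(wan_gw)
    problems = []

    # The DG must be on-link for the WAN interface, and not the firewall itself.
    if gw not in wan.network or gw == wan.ip:
        problems.append(f"DG {gw} is not a usable next hop on {wan.network}")

    # Step (2) of topology 2: LAN and WAN must be different subnets.
    if lan.network.overlaps(wan.network):
        problems.append(f"LAN {lan.network} overlaps WAN {wan.network}")

    if not any(lan.network.subnet_of(n) for n in RFC1918):
        problems.append(f"LAN {lan.network} is not RFC 1918 private space")

    # Assumption of this example: the bridged ONT keeps a management address.
    # If the firewall LAN reuses that subnet, LAN hosts treat the ONT address
    # as on-link and can never reach it through the firewall.
    if ont_mgmt_if is not None:
        ont = ipaddress.ip_interface(ont_mgmt_if)
        if lan.network.overlaps(ont.network):
            problems.append(f"LAN {lan.network} overlaps ONT subnet {ont.network}")

    return problems


if __name__ == "__main__":
    # Constructed WAN values; private values taken from the thread.
    for lan in ("192.168.100.10/24", "192.168.1.1/24"):
        found = check_nat_plan("203.0.113.10/29", "203.0.113.9", lan,
                               ont_mgmt_if="192.168.100.1/24")
        print(lan, "->", found or "OK")
```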



  • RAV_ZYXEL
    RAV_ZYXEL Posts: 15
    edited January 2022
    Ian31 said:
    Hi @RAV_ZYXEL,
    There are two types of topology:
    1. ISP DG --- ONT(bridge) --- Firewall(bridge mode) --- Clients(public IPs)
    In case the ISP offers a block of public IPs for clients & firewall
    (1) You need to configure the USG20 in bridge mode
    (2) All clients set up a static public IP, and the DG is the DG of the ISP

    2. ISP DG --- ONT(bridge) --- (public IP)Firewall(NAT mode) --- Clients(private IPs)
    In case the ISP offers only one public IP
    (1) Set up the ISP public IP and DG on the WAN of the USG20
    (2) You cannot configure the LAN of the USG20 with the same IP subnet as the WAN port.
    You can use the default 192.168.1.1/24
    (3) On the USG20, go to System > DNS > add Zone Forwarder to the ISP DNS server

    (4)USG20 as DHCP server for LAN clients




    Hello @lan31,

    I followed your steps as mentioned for topology 2, which best suits our connection. The ONT ISP Router LAN has a separate subnet private IP. The ONT LAN port eth0 is connected to the WAN port of the USG Firewall, which is assigned the Public Static IP provided by the ISP. DHCP is enabled in the firewall and clients are connected through the LAN port of the firewall.
    I also added the DNS Server IP addresses provided by the ISP under System > DNS > Add DNS Zone Forwarder > Public DNS Server.
    But still I can't get internet working. In the USG Dashboard, only the static IP is shown; the DNS is not shown even after adding it in DNS Forwarder. Please refer to the image below.
    Am I missing anything? I have not added any Route or NAT rules so far. Should I create a bridge interface in the USG?
    Sorry for the trouble, could you please throw in your expertise and guide me?

  • WJS
    WJS Posts: 155  Master Member

    Very weird. Since it is bridge mode for the ISP router, the router's LAN connects to the FW WAN.
    Then the router's LAN should not be set to an IP address (or it should be set to a Bridge interface instead of "LAN"), and the FW's WAN is set to the public IP directly.
    Next, I think you should disable the router's LAN or check with the ISP whether there is a correct Bridge setting on the router.

  • Ian31
    Ian31 Posts: 174  Master Member
    Hi @RAV_ZYXEL,

    You can go to the Expert mode GUI to run a diagnostic test:
    (1) Ping the DG


    (2) If the ping to the DG is OK, then do a traceroute


  • Ian31 said:
    Hi @RAV_ZYXEL,

    You can go to the Expert mode GUI to run a diagnostic test:
    (1) Ping the DG


    (2) If the ping to the DG is OK, then do a traceroute


    Hi @lan31, I tried them and they were not reachable. I have requested the ISP to come over to verify the modem config as it seems weird. Will keep you posted.

  • WJS said:

    Very weird. Since it is bridge mode for the ISP router, the router's LAN connects to the FW WAN.
    Then the router's LAN should not be set to an IP address (or it should be set to a Bridge interface instead of "LAN"), and the FW's WAN is set to the public IP directly.
    Next, I think you should disable the router's LAN or check with the ISP whether there is a correct Bridge setting on the router.


    Hi @WJS, when I meant the router's LAN, it's not the eth0 port IP, but the LAN IP of the modem that we used to connect the router. If that is disabled, how do we access the modem? I have also requested the ISP to come over to verify the modem config as it seems weird. Will keep you posted.
