howto define private IP range on USG interface

Options
2

All Replies

  • NoE
    NoE Posts: 30  Freshman Member
    First Anniversary 10 Comments Friend Collector
    Options
    I have tried the solution you have proposed just a while ago:
    1) The traffic for the computers within 192.168.94.0/24 went nicely
    2) The traffic for the main network ceased to access the internet.....and seemed really slow while recognizing it.
    :-(
    NoE
  • Fred_77
    Fred_77 Posts: 115  Ally Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Hi @NoE

    here a recap of what i did with an old USG40 i have on my desk for tests...


    ...



    ...



    ...



    Last picture is the result of a trace route on a client in LAN2 subnet.
    Traffic is routed out via wan2

    br1 subnet (192.168.1.xxx) is reachable for shared stuff 

    ... it should be similar to your configuration, right?

    Fred

  • osake_li_09
    osake_li_09 Posts: 9
    First Anniversary Friend Collector First Comment
    Options
    NoE said:
    I have tried the solution you have proposed just a while ago:
    1) The traffic for the computers within 192.168.94.0/24 went nicely
    2) The traffic for the main network ceased to access the internet.....and seemed really slow while recognizing it.
    :-(
    NoE
    Hi @NoE,
    Once the bridge WAN is set up, the main WAN stopped to access the internet? 
    The main WAN should not be added to the bridge member I think, you may check on your routing policy setting also.
  • NoE
    NoE Posts: 30  Freshman Member
    First Anniversary 10 Comments Friend Collector
    Options
    thanks for the screenshots shared.
    there are two lines in your Policy Route screenshot.
    The 2nd line for optics has defined the "next hop" - I do not have such hop defined for main ISP WAN connection. Instead, I have rules like
    1. for main IPS (optics)
      LAN_to_Device .... any
      WAN_to_Device ... any
      LAN_Outgoing ... any
      .....
    2. for special "192.168.94.0" WAN
      I had the solution you have outlined
    As I have written, your solution worked nicely for the 192.168.94.0 network, however for the rest of the networks managed by USG, all the traffic seemed to work except the Internet access.

    Perhaps I need to define some exception for all the rest (i.e. except 192.168.94.0 subnet) to not try to use GW 192.168.94.1 etc. ....perhaps this had happened somehow, that all other subnets were trying to use this GW, but I am not sure, it is pure speculation.....


  • NoE
    NoE Posts: 30  Freshman Member
    First Anniversary 10 Comments Friend Collector
    Options
    zyman2008 said:


    4. Setup WAN trunk for company PCs go to Internet through main ISP link
    (1)Go to Network > Interface > Trunk.
    (2)Add user configuration trunk, name as "MAIN-ISP" for example.

    (3)select the trunk as default WAN trunk






    I will try your solution as well....could you please elaborate more on point 4?
    Does the trunk force all the packets - 192.168.94.0 included - via main ISP? 

    Best regards,
    NoE

  • NoE
    NoE Posts: 30  Freshman Member
    First Anniversary 10 Comments Friend Collector
    edited May 2022
    Options
    osake_li_09 said:

    Hi @NoE,
    Once the bridge WAN is set up, the main WAN stopped to access the internet? 
    The main WAN should not be added to the bridge member I think, you may check on your routing policy setting also.
    Yes, exactly. The Internet was ok for bridge WAN (i.e. 192.168.94.0/24 network). All other subnets defined on the USG stopped accessing the internet.
    No, the bridge WAN has its own policies, the main WAN is not within it. The main WAN has its own Security Policies.
    But I think like following.....I have set up security policies for bridged WAN very similar to main WAN and perhaps this is the problem because of the word "any".
    You know I have set up bridged WAN policy like "from any to bridged WAN", "from bridged WAN to any", "from any IP of 192.168.94.0 LAN to bridged one" .... perhaps for USG "any" means literally any packet - i.e. any packet flowing through USG - i.e. also the packets from subnets defined to use main WAN. That is why I guess some routing and/or policy exception(s) need to be defined for both WANs.
    Cheers,
    NoE


  • Fred_77
    Fred_77 Posts: 115  Ally Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    NoE said:

    The 2nd line for optics has defined the "next hop" - I do not have such hop defined for main ISP WAN connection. Instead, I have rules like
    1. for main IPS (optics)
      LAN_to_Device .... any
      WAN_to_Device ... any
      LAN_Outgoing ... anyHi NoE
    what you write sounds to me a secuity policy, not a route policy;
    please correct me if i'm wrong. 

  • zyman2008
    zyman2008 Posts: 199  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited May 2022
    Options
    I will try your solution as well....could you please elaborate more on point 4?
    Does the trunk force all the packets - 192.168.94.0 included - via main ISP? 
    Hi @NoE
    First, you need to know the Zyxel firewall routing priority,
    direct route > policy route > static route > Trunk > default route

    In step 3, the policy route will "force"
    192.168.94.X to any destination not direct connect, goes through ISP2. And does not translate IP(SNAT). 
    The policy route take before Trunk. So that it will not go to Trunk - main ISP.

    Just let me know what's you want for internal LAN and 192.168.94.X can go out through main ISP or ISP2. I can guide you what routing need to setup.
  • NoE
    NoE Posts: 30  Freshman Member
    First Anniversary 10 Comments Friend Collector
    Options
    Fred_77 said:

    NoE said:

    The 2nd line for optics has defined the "next hop" - I do not have such hop defined for main ISP WAN connection. Instead, I have rules like
    1. for main IPS (optics)
      LAN_to_Device .... any
      WAN_to_Device ... any
      LAN_Outgoing ... anyHi NoE
    what you write sounds to me a secuity policy, not a route policy;
    please correct me if i'm wrong. 


    Yes, it is security policy.
  • NoE
    NoE Posts: 30  Freshman Member
    First Anniversary 10 Comments Friend Collector
    edited May 2022
    Options
    zyman2008 said:
    I will try your solution as well....could you please elaborate more on point 4?
    Does the trunk force all the packets - 192.168.94.0 included - via main ISP? 
    First, you need to know the Zyxel firewall routing priority,
    direct route > policy route > static route > Trunk > default route

    In step 3, the policy route will "force"
    192.168.94.X to any destination not direct connect, goes through ISP2. And does not translate IP(SNAT). 
    The policy route take before Trunk. So that it will not go to Trunk - main ISP.

    Just let me know what's you want for internal LAN and 192.168.94.X can go out through main ISP or ISP2. I can guide you what routing need to setup.


    192.168.94.X must use its GW only - i.e. for the Internet it should use ISP2 only. This network uses some services reachable via GW 192.168.94.1 which are legally strictly defined and it is not desirable to send related packets via public Internet - i.e. not over main ISP1. This is the situation for 192.168.94.X network as of now, so I want to keep it by - very simply said :) :
    1. having the GW 192.168.94.1 connected into ge12
    2. having 192.168.94.X switch connected into ge11
    The background - our organization used 192.168.94.X only. However we have been tasked to get another ISP for all the Internet communication except few PCs etc. which would be kept inside 192.168.94.x network. 
    However, some of the PC shares and Synology data storage from 192.168.94.X network (i.e in our premises) should be accessible to other subnets defined on USG which use ISP1 only.

Categories

Security Highlight


Read more

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)