How to define private IP range on USG interface
All Replies
Hi @NoE
Here is a recap of what I did with an old USG40 I have on my desk for tests...
[screenshots]
Last picture is the result of a trace route on a client in LAN2 subnet.
Traffic is routed out via wan2
br1 subnet (192.168.1.xxx) is reachable for shared stuff
... it should be similar to your configuration, right?
Fred
NoE said:
Hi @Fred_77,
I have tried the solution you have proposed just a while ago:
1) The traffic for the computers within 192.168.94.0/24 went nicely
2) The traffic for the main network ceased to access the internet..... and seemed really slow while recognizing it. :-(
NoE

Hi @NoE,
Once the bridge WAN is set up, the main WAN stopped to access the internet?
The main WAN should not be added to the bridge member I think, you may check on your routing policy setting also.
Hi @Fred_77
Thanks for the screenshots shared.
There are two lines in your Policy Route screenshot. The 2nd line for optics has defined the "next hop" - I do not have such a hop defined for the main ISP WAN connection. Instead, I have rules like
- for main ISP (optics)
LAN_to_Device .... any
WAN_to_Device ... any
LAN_Outgoing ... any
..... - for special "192.168.94.0" WAN
I had the solution you have outlined.
As I have written, your solution worked nicely for the 192.168.94.0 network, however for the rest of the networks managed by USG, all the traffic seemed to work except the Internet access. Perhaps I need to define some exception for all the rest (i.e. except the 192.168.94.0 subnet) to not try to use GW 192.168.94.1 etc. .... Perhaps this had happened somehow, that all other subnets were trying to use this GW, but I am not sure, it is pure speculation.....
zyman2008 said:
4. Setup WAN trunk for company PCs go to Internet through main ISP link
(1) Go to Network > Interface > Trunk.
(2) Add user configuration trunk, name as "MAIN-ISP" for example.
(3) Select the trunk as default WAN trunk

Hi @zyman2008
I will try your solution as well.... could you please elaborate more on point 4?
Does the trunk force all the packets - 192.168.94.0 included - via main ISP?
Best regards,
NoE
osake_li_09 said:
Hi @NoE,
Once the bridge WAN is set up, the main WAN stopped to access the internet?
The main WAN should not be added to the bridge member I think, you may check on your routing policy setting also.

Yes, exactly. The Internet was OK for the bridge WAN (i.e. the 192.168.94.0/24 network). All other subnets defined on the USG stopped accessing the internet.
No, the bridge WAN has its own policies, the main WAN is not within it. The main WAN has its own Security Policies.
But I think like the following..... I have set up security policies for the bridged WAN very similar to the main WAN and perhaps this is the problem because of the word "any".
You know I have set up the bridged WAN policy like "from any to bridged WAN", "from bridged WAN to any", "from any IP of 192.168.94.0 LAN to bridged one" .... perhaps for USG "any" means literally any packet - i.e. any packet flowing through USG - i.e. also the packets from subnets defined to use main WAN. That is why I guess some routing and/or policy exception(s) need to be defined for both WANs.
Cheers,
NoE
NoE said:
The 2nd line for optics has defined the "next hop" - I do not have such a hop defined for the main ISP WAN connection. Instead, I have rules like
- for main ISP (optics)
LAN_to_Device .... any
WAN_to_Device ... any
LAN_Outgoing ... any

Hi NoE
please correct me if I'm wrong.
I will try your solution as well.... could you please elaborate more on point 4? Does the trunk force all the packets - 192.168.94.0 included - via main ISP?

First, you need to know the Zyxel firewall routing priority:
direct route > policy route > static route > Trunk > default route
In step 3, the policy route will "force" 192.168.94.X, to any destination that is not directly connected, to go through ISP2, and does not translate the IP (SNAT).
The policy route takes effect before the Trunk, so it will not go to the Trunk (main ISP).
Just let me know what you want: whether the internal LAN and 192.168.94.X should go out through the main ISP or ISP2. I can guide you on what routing needs to be set up.
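The routing order quoted above, worked through as an added example (this is not code from the thread or from Zyxel): a toy Python model of the USG lookup, direct > policy > static > trunk, showing why a policy route scoped to 192.168.94.0/24 keeps only that subnet on its own gateway, while a policy route with source "any" pulls every LAN through 192.168.94.1 and reproduces the "other subnets lost Internet" symptom. The interface names, the 192.168.1.0/24 main LAN and the SNAT behaviour of static routes are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (assumption, loosely following the thread): br1 is the
# main LAN 192.168.1.0/24 behind ISP1 (trunk MAIN-ISP), and 192.168.94.0/24 is
# the bridged subnet whose gateway 192.168.94.1 sits on ISP2.
DIRECT = {"br1": ip_network("192.168.1.0/24"),
          "br_wan2": ip_network("192.168.94.0/24")}
TRUNK = "MAIN-ISP"  # default WAN trunk, ISP1; traffic leaving here is SNATed


def lookup(src, dst, policy_routes, static_routes=()):
    """Return (egress, snat) for one packet using the USG priority order:
    direct > policy > static > trunk (the default route sits behind the trunk)."""
    s, d = ip_address(src), ip_address(dst)
    for name, net in DIRECT.items():            # 1. directly connected subnet
        if d in net:                            #    (covers the shared NAS case)
            return name, False
    for pr in policy_routes:                    # 2. first matching policy route
        if pr["src"] == "any" or s in pr["src"]:
            return pr["next_hop"], pr["snat"]
    for net, via in static_routes:              # 3. static route (SNAT assumed)
        if d in net:
            return via, True
    return TRUNK, True                          # 4. trunk, i.e. main ISP


# Corrected rule: only the special subnet is pinned to its own gateway, no SNAT,
# so the other LANs fall through to the MAIN-ISP trunk.
GOOD = [{"src": ip_network("192.168.94.0/24"),
         "next_hop": "192.168.94.1", "snat": False}]
# Weak rule: a source of "any" matches every LAN, which reproduces the symptom
# described in the thread (all other subnets lose Internet via ISP1).
BAD = [{"src": "any", "next_hop": "192.168.94.1", "snat": False}]

if __name__ == "__main__":
    for label, rules in (("good", GOOD), ("bad", BAD)):
        print(label, lookup("192.168.94.10", "8.8.8.8", rules))      # ISP2 gateway
        print(label, lookup("192.168.1.10", "8.8.8.8", rules))       # MAIN-ISP vs hijacked
        print(label, lookup("192.168.94.10", "192.168.1.5", rules))  # direct, shared stuff
```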
Fred_77 said:
NoE said:
The 2nd line for optics has defined the "next hop" - I do not have such a hop defined for the main ISP WAN connection. Instead, I have rules like
- for main ISP (optics)
LAN_to_Device .... any
WAN_to_Device ... any
LAN_Outgoing ... any
Hi NoE
please correct me if I'm wrong.

Yes, it is security policy.
zyman2008 said:
I will try your solution as well.... could you please elaborate more on point 4? Does the trunk force all the packets - 192.168.94.0 included - via main ISP?
direct route > policy route > static route > Trunk > default route
In step 3, the policy route will "force" 192.168.94.X, to any destination that is not directly connected, to go through ISP2, and does not translate the IP (SNAT).
The policy route takes effect before the Trunk, so it will not go to the Trunk (main ISP).
Just let me know what you want: whether the internal LAN and 192.168.94.X should go out through the main ISP or ISP2. I can guide you on what routing needs to be set up.

192.168.94.X must use its GW only - i.e. for the Internet it should use ISP2 only. This network uses some services reachable via GW 192.168.94.1 which are legally strictly defined and it is not desirable to send related packets via the public Internet - i.e. not over main ISP1. This is the situation for the 192.168.94.X network as of now, so I want to keep it by - very simply said:
- having the GW 192.168.94.1 connected into ge12
- having the 192.168.94.X switch connected into ge11
The background - our organization used 192.168.94.X only. However we have been tasked to get another ISP for all the Internet communication except a few PCs etc. which would be kept inside the 192.168.94.x network. However, some of the PC shares and Synology data storage from the 192.168.94.X network (i.e. in our premises) should be accessible to other subnets defined on USG which use ISP1 only.