2 Internet connections, 1 ZyWall 310, 2 Different paths based on FW rules.
I am new to Zyxel products and not fully briefed on what is and is not possible in general on most firewalls. I know how I would like it to work, but thus far after a couple of days doing the Google thing, I am still stuck.
We have just had a second internet connection installed in our office, a Fiber. We have a VDSL line already and that is working fine over PPPoE from ZyWall 310 to a Draytek Modem.
We do not want to switch everything over to the Fiber, we only want to assign specific tasks to it, like VPN.
Currently ge1 is connected to VDSL modem, ge2 is for the Fiber.
I went to Network -> Interface -> Ethernet -> ge2 and defined the: -
Interface Type as External
IP, subnet and Gateway
Now I am stuck at Zone. The current VDSL is assigned to WAN.
If I go to Object -> Zone and look at System Default. WAN Zone has ge1_ppp,ge1 and vdsl_vlan7 as members. All good!
This is where I am stuck, you see, I do not want to do any kind of fancy load balancing between the two lines, I simply want to define which traffic goes over each WAN connection.
I thought to myself, Zone names are really just that, a name, WAN or LAN1, LAN2, DMZ etc. don't matter, it is just a matter of defining what goes where under Security Policy -> Policy Control.
So, I assigned LAN2 to Zone in the Interface -> Ethernet -> ge2 (because it has nothing referencing it in Object -> Zone menu).
I figured the easiest way to test this would be to change our guest VLAN to use the fiber. So I changed all Security Policies for the guest VLAN in Policy control to point at LAN2 instead of WAN.
I assume you have all figured out that this has not worked...
or are surprised that it has not worked...
And now I am here to ask for help please.
I am humble and thick skinned, so I do not mind being teased, just try and help me too ;-)
Thank you!
All Replies
-
Zones for Security Policy don't say where the traffic goes.
You can set Ge2 to ZONE OPT
For control over where traffic goes you need a routing rule in network > routeing
incoming Interface
member like LAN1
source address if needed
next hop interface
interface OPT
This will stop the load balancing
0 -
Thanks for the answer Peter.
To follow up, do I need to set up load balancing first too regardless?
What about outgoing traffic, why is it that guest network does not work in my current setup, is it because there is no route out?
I am sorry to sound dense, it is only because I am. :-P
0 -
You should not need to set up the load balancing; the default should be fine.
Once you understand the routing you need in place for Ge2 to Zone OPT and Ge1 Zone WAN, along with Security Policy for LAN to WAN or OPT, it should start working.
0 -
Thank you Peter.
I continued to use LAN2 for my Zone and added a new route for the vlan and the next hop for the interface and it started working like a charm.
Thank you for pointing me in the right direction!
Have a nice evening mate. TTFN
0 -
Hi @SyLvEsTeR_AFS,
As PeterUK said, zones for Security Policy don't say where the traffic goes.
Please kindly see the diagram to understand routing flow.
The default WAN Trunk will be used when the path matches no "Policy Route" or "Static-Dynamic Route".
So you have to create a "Policy Route" or "Static Route" for the traffic to hit first, to prevent it going into the "WAN Trunk".
(Note: You can find the Trunk setting at "Network -> Interface -> Trunk". By default, the ZyWALL will take all your outgoing interfaces as members of load balancing.)
Thank you
Kevin
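
The point made in the replies above, as an added example that is not part of the original thread and is not Zyxel code: a simplified Python model in which routing picks the egress interface (policy route, then static route, then the default WAN trunk) and the security policy is only checked against the zone of the interface routing chose. The interface name `vlan_guest`, the `GUEST` zone, the addresses and the policy-before-static ordering are assumptions made for the sketch.

```python
import ipaddress

# Constructed sample data; interface, zone and subnet names are assumptions.
ZONE_OF = {"ge1_ppp": "WAN", "ge2": "LAN2"}   # a zone is only a label on an interface
WAN_TRUNK = ["ge1_ppp", "ge2"]                # default trunk: all outgoing interfaces
ALLOW = {("GUEST", "LAN2")}                   # security policy: (from-zone, to-zone)

def egress(in_if, src, dst, policy_routes, static_routes):
    """Return (stage, candidate egress interfaces) in the order the thread describes."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. Policy routes: first match on incoming interface (and source, if set) wins.
    for in_match, src_net, next_hop_if in policy_routes:
        if in_match == in_if and (src_net is None
                                  or src_ip in ipaddress.ip_network(src_net)):
            return "policy-route", [next_hop_if]
    # 2. Static routes: longest matching destination prefix.
    hits = [(ipaddress.ip_network(d), nh) for d, nh in static_routes
            if dst_ip in ipaddress.ip_network(d)]
    if hits:
        return "static-route", [max(hits, key=lambda h: h[0].prefixlen)[1]]
    # 3. Nothing matched: the default WAN trunk balances across its members.
    return "wan-trunk", list(WAN_TRUNK)

def verdicts(from_zone, candidates):
    """Security policy is evaluated against the zone of the interface routing chose."""
    return {i: (from_zone, ZONE_OF[i]) in ALLOW for i in candidates}

def trace(policy_routes):
    """Follow one guest packet (constructed addresses) through routing, then policy."""
    stage, ifs = egress("vlan_guest", "192.168.50.20", "203.0.113.10",
                        policy_routes, [])
    return stage, verdicts("GUEST", ifs)

if __name__ == "__main__":
    # No policy route: the zone change alone does not steer guest traffic to ge2.
    print(trace([]))
    # With a policy route for the guest VLAN, next hop interface ge2.
    print(trace([("vlan_guest", "192.168.50.0/24", "ge2")]))
```

Without the policy route the guest packet falls through to the trunk, where any flow balanced onto `ge1_ppp` is in zone WAN and no longer matches the GUEST-to-LAN2 policy; with the route in place it leaves only via `ge2`.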