two USG Flex 50 connection between LAN1 and LAN2
Hello all,
I am writing as I have a "problem" in the network configuration of two Zyxel USG Flex 50 firewalls purchased for a customer.
The customer needs two separate LANs with the two firewalls in "cascade", but such that one can communicate with the other. I did not consider configuring VLANs because I would like to understand the functioning of the LAN1 and LAN2 defaults on the Zyxel firewall.
I set the first firewall with address 192.168.1.1 on the LAN1 interface and as DHCP server.
On LAN2 I gave it address 192.168.2.2 and no DHCP server.
On this firewall I put a policy route that says all the packets from Any (Excluding ZyWALL) with source subnet 192.168.1.0/24 and destined for LAN2 192.168.2.0/24 have Firewall 192.168.2.1 as next-hop (I created an address object "Firewall n.2" and put 192.168.2.1 as IP host).
The second firewall has LAN1 address 192.168.1.2, not as DHCP server.
On LAN2, on the other hand, it has address 192.168.2.1 and is DHCP server.
On this firewall I put a policy route that says all the packets coming from Any (Excluding ZyWALL) with source subnet 192.168.2.0/24 and destined for LAN1 192.168.1.0/24 have Firewall 192.168.1 as next-hop (I created an address object "Firewall n.1" and put IP host 192.168.1 as IP host).
In the middle there is a switch (not Zyxel) whose ports allow the passage of packets of all kinds, in trunk, and I state that I have already replaced the switch and the problem is not it.
The two firewalls are then connected to the switch and so far everything works.
If I connect a client to LAN1 192.168.1.x and ping Firewall 1 (192.168.1.1) and Firewall 2 (192.168.1.2), the ping succeeds.
If with the same client I ping LAN2, firewall 1 (192.168.2.2) replies while 192.168.2.1 does NOT.
From LAN1, therefore, basically apart from its own gateway (192.168.1.1 on LAN1 and 192.168.2.2 on LAN2) I can't reach LAN2.
From LAN2, with the static route cited above, connecting a client that takes an IP address in 192.168.2.0/24 I can ping the devices connected to LAN1 but I still cannot ping 192.168.2.2 (the other firewall).
Initially, trying to understand if it was some blocking policy, I removed the tick from Enable Policy Control.
How do I make LAN1 and LAN2 of the two firewalls talk, and then manage the rules later?
All Replies
It will be clearer if you turn these descriptions into a topology and mark each device with its IP address.
Also, having 192.168.1.0 as "main LAN"/LAN1 for both firewalls might not be the greatest idea.
Why is it necessary to have "dependent" firewalls among the networks? I mean... for "simply" two LANs, only 1 USG Flex 50 might be enough (unless these are two companies).
If this is what I think the setup is, there are problems and ways around this to make it work.
To be clear, the second firewall's WAN1 needs to have 192.168.1.2 (LAN1 of the second firewall: 192.168.1.2). So on the first firewall you need to set up a static route with:
destination 192.168.2.0
subnet mask 255.255.255.0
gateway IP 192.168.1.2
On the second firewall, in Routing > Advanced, check "Use IPv4 Policy Route to Overwrite Direct Route" and have a routing rule LAN2 to next-hop gateway 192.168.1.1, SNAT none.
Then some policy rules like LAN1 to LAN2 and LAN1 to LAN1 rules, and that should work.
Hello, thanks for the reply:
This is the topology of the network.
On Firewall N.1 I have a policy route:
Send every packet of LAN1 to gateway LAN2 (192.168.2.1)
But if I connect a client on LAN1, it acquires an IP address (for example 192.168.1.49) and I can:
PING 192.168.1.1
PING 192.168.1.2
PING 192.168.2.2
CANNOT PING 192.168.2.1
CANNOT PING other devices connected to LAN2
This is the policy rule:
Otherwise,
in Firewall N.2 I have a static route that sends all the packets of LAN2 destined for LAN1 to Firewall N.1 192.168.1.1.
So,
if I connect a client on LAN2, for example 192.168.2.34, I:
PING 192.168.2.1
CANNOT PING 192.168.2.2
PING 192.168.1.1
PING 192.168.1.2
PING other devices connected to LAN1
It seems that LAN2 can communicate.
Hi @Novaufficio
You can make sure what the client's IP gateway address is first, before clarifying your questions.
(1) When the PC is connected to LAN1, the PC's IP address was offered by FW#1. And the switch is connected to Port3 (LAN1 interface) of both firewalls. So there is no problem communicating in the 192.168.1.0/24 IP segment between both firewalls.
But when accessing 192.168.2.1 & 192.168.2.2:
The PC's IP gateway is 192.168.1.1, so the ICMP request packet is passed to 192.168.1.1 first, and FW#1 sends an ARP request for 192.168.2.1 & 192.168.2.2 on the LAN2 interface (routed by the direct route).
Since Port5 (LAN2 interface) is not connected to any switch, 192.168.2.1 of FW#2 is unavailable.
(2) When the PC is connected to LAN2 (I guess the PC was connected to Port5 of FW#2):
The PC's IP gateway is 192.168.2.1. And it can also access the 192.168.1.0/24 IP segment without problem. It is because the switch is connected to Port3 (LAN1 interface) on both firewalls.
But when sending traffic to 192.168.2.2, the packet will not be passed to "192.168.1.1" via the switch. It is because 192.168.2.2 belongs to the LAN2 subnet of FW#2. So FW#2 will send an ARP request on LAN2 for 192.168.2.2. And that is the reason why the PC cannot reach LAN2 of FW#1.
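To make the forwarding decision described in this reply concrete, here is an added Python model that is not part of the thread and not Zyxel firmware code. It assumes a simplified rule (a directly connected subnet beats a policy route unless "Use IPv4 Policy Route to Overwrite Direct Route" is enabled) and a constructed link state taken from the thread: only the LAN1 ports are wired to the switch, while Port5/LAN2 of FW#1 has no link.

```python
import ipaddress
from copy import deepcopy

# Added illustration, not Zyxel firmware logic. Assumed simplification: a
# directly connected subnet beats a policy route unless "override" is set.
# Link state is constructed from the thread: only LAN1 of each box is wired
# to the switch; LAN2 (Port5) of FW#1 has no link.
FW1 = {
    "interfaces": {  # name -> (address/mask, link up?)
        "lan1": (ipaddress.ip_interface("192.168.1.1/24"), True),
        "lan2": (ipaddress.ip_interface("192.168.2.2/24"), False),
    },
    # the poster's policy route: LAN2 traffic via next hop 192.168.2.1
    "policy_routes": [(ipaddress.ip_network("192.168.2.0/24"), "192.168.2.1")],
}

def connected_interface(fw, ip):
    """Interface whose subnet contains ip, or None (where ARP would be sent)."""
    ip = ipaddress.ip_address(ip)
    for name, (addr, _) in fw["interfaces"].items():
        if ip in addr.network:
            return name
    return None

def forward(fw, dst, override_direct=False):
    """Return (egress interface, next hop, can the frame leave on a live link?)."""
    direct = connected_interface(fw, dst)
    if direct and not override_direct:
        # Direct route wins: the firewall ARPs for dst on that interface itself.
        return direct, dst, fw["interfaces"][direct][1]
    for net, hop in fw["policy_routes"]:
        if ipaddress.ip_address(dst) in net:
            egress = connected_interface(fw, hop)   # next hop must be on-link
            return egress, hop, bool(egress) and fw["interfaces"][egress][1]
    if direct:  # override set but no policy route matched: fall back to direct
        return direct, dst, fw["interfaces"][direct][1]
    return None, None, False

def with_policy_route(fw, net, hop):
    """Copy of fw with its policy routes replaced by a single net -> hop."""
    new = deepcopy(fw)
    new["policy_routes"] = [(ipaddress.ip_network(net), hop)]
    return new

if __name__ == "__main__":
    # Original config: 192.168.2.1 is looked up on the unlinked LAN2 port.
    print(forward(FW1, "192.168.2.1"))
    # Next hop 192.168.1.2 (FW#2 on the switch) instead: frame leaves on lan1.
    fixed = with_policy_route(FW1, "192.168.2.0/24", "192.168.1.2")
    print(forward(fixed, "192.168.2.1", override_direct=True))
```

Run it to see that the poster's next hop 192.168.2.1 never leaves the box regardless of the override setting, while a next hop on the switched LAN1 segment does once the direct route is overridden.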
So the way I said above will work, just that you don't use WAN on the second firewall.
Thanks all for the answers; now I will try the solution of @Zyxel_Stanley.
I must keep two WANs, because the customer's business will be divided into two companies, so with two different WANs.
I have done the setup you need; see my post.
https://community.zyxel.com/en/discussion/comment/49460/#Comment_49460