Forward multiple Public IP through DMZ to VMs directly
Hello all,
We run several virtual routers behind NAT currently. We have to VPN into the device and then NAT over to the internal IP. We are seeing a huge drop in speeds because of slow SSL VPN (IPsec is not possible for various reasons).
We want the virtual routers to be exposed via DMZ and have public IPs. There is a firewall in place on the virtual routers. I have multiple public IPs, and want to pass the /26 range over to them (it runs on a separate physical network).
Plan is that each router will be manually (via scripts) assigned a Public IP and then I expect that to be reachable via DMZ right after.
I believe I need Bridge Mode for this, but in my Zywall 110 I can only bridge 1 IP at a time. How do I pass a whole range of IPs over (essentially I expect it to work as if it's connected to a dumb switch)?
So two questions
- How do I do the above?
- Should I be doing this differently for better security?
All Replies
For clarification - this is the post where I saw one IP at a time - https://kb.zyxel.com/KB/searchArticle!viewDetail.action?articleOid=015541&lang=EN
Also note that the switch has its own IP, and the pass-through public IPs are different. So I don't want to put the entire Zywall 110 in bridge mode; just one port of it will pass through (and they are wired on a different switch and server NIC).
0 -
One way is your ISP gives you an IP on WAN different to your subnet and you put your subnet on LAN1, then do a routing rule LAN1 to WAN, SNAT none.
0 -
Thanks Peter -
Just so I understand correctly, and to put it in terms of what I have -
I have 1 line currently going to the WAN1 port - this carries my SSL, IPsec etc. for the core (LAN1).
Could I do it such that I use my P7 (LAN2) port to separate out my public traffic - I do the LAN2 to WAN1 SNAT none?
Will that work the same way? Or if I use WAN1 to LAN2 will it also take the LAN1 dedicated IPs? (I have multiple blocks of IPs - so I want to use block 1 for LAN1, which I manually NAT, and LAN2, which is the direct public IP attached to the virtual routers.)
The switch is in a data center, so I am trying to come up with a plan of action before I go there!
Thanks in advance!
0 -
Do you know what IP is on the WAN currently? If it is different to your WAN block of IPs, then set up LAN2 with something like 5.0.0.1/26; your devices will get WAN IPs on LAN2, then SNAT none route LAN2 to WAN. Any incoming traffic should be forwarded by the provider to the WAN IP/MAC of the Zywall and routed to LAN2.
0 -
Yes, I know the WAN IP currently (don't want to post publicly) - let's call it 64.60.100.10/28 (LAN1).
The other block is (fake) 64.55.100.10/26 (LAN2).
I will leave the original alone, and do the LAN2 for 64.55.100.10/26 and SNAT none route LAN2 to WAN.
0 -
Hello @Ckat1212,
According to your request, how about connecting the virtual routers to the DMZ and setting up static public IPs on the virtual routers? Then allow WAN to DMZ if you want to access them from the internet.
James
0
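A pre-trip sanity check for the plan agreed in this thread (routed /26 on LAN2 with SNAT none, each virtual router exposed on its own public IP). This is an added example, not from the thread or from Zyxel: the addresses are the fake ones quoted above, and the firewall-rule dictionaries are a constructed placeholder format, not the Zywall's own config syntax.

```python
"""Constructed example: validate the addressing plan and the WAN->LAN2 policy
before touching the Zywall. Not Zyxel code; rule format is hypothetical."""
import ipaddress

WAN1 = ipaddress.ip_interface("64.60.100.10/28")   # existing WAN1 IP (fake, from thread)
LAN2 = ipaddress.ip_interface("64.55.100.10/26")   # routed public block on LAN2 (fake)

# Constructed assignment of block addresses to the virtual routers.
ROUTERS = {"vr1": "64.55.100.11", "vr2": "64.55.100.12"}

# Constructed WAN->LAN2 policy, evaluated top to bottom (hypothetical format).
RULES = [
    {"id": 1, "from": "WAN", "to": "LAN2", "dst": "64.55.100.11", "port": 443,   "action": "allow"},
    {"id": 2, "from": "WAN", "to": "LAN2", "dst": "any",          "port": 22,    "action": "allow"},
    {"id": 3, "from": "WAN", "to": "LAN2", "dst": "any",          "port": "any", "action": "deny"},
]


def check_addressing(wan, lan2, routers):
    """Return problems with the plan (empty list means OK). The routed block
    must not overlap the WAN transit subnet, and each router needs a unique,
    usable host address inside the LAN2 block (not the LAN2 gateway IP)."""
    problems = []
    if wan.network.overlaps(lan2.network):
        problems.append(f"{lan2.network} overlaps WAN subnet {wan.network}")
    used = {lan2.ip}                                   # gateway address is taken
    for name, addr in routers.items():
        ip = ipaddress.ip_address(addr)
        if ip not in lan2.network.hosts():
            problems.append(f"{name}: {addr} is not a usable host in {lan2.network}")
        elif ip in used:
            problems.append(f"{name}: {addr} is already in use")
        used.add(ip)
    return problems


def check_policy(rules):
    """Flag WAN->LAN2 allows that open every host or every port, and require
    an explicit final deny so each router is exposed only where intended."""
    problems = []
    wan_to_lan2 = [r for r in rules if r["from"] == "WAN" and r["to"] == "LAN2"]
    for r in wan_to_lan2[:-1]:
        if r["action"] == "allow" and "any" in (r["dst"], r["port"]):
            problems.append(f"rule {r['id']}: allows WAN to LAN2 for any host/port")
    last = wan_to_lan2[-1] if wan_to_lan2 else None
    if not last or (last["action"], last["dst"], last["port"]) != ("deny", "any", "any"):
        problems.append("no final WAN to LAN2 deny-all rule")
    return problems


if __name__ == "__main__":
    print(check_addressing(WAN1, LAN2, ROUTERS) or "addressing OK")
    print(check_policy(RULES) or "policy OK")
```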