USG40 - routing traffic between two networks
I have two networks in our office: one for general office traffic (192.168.2.x - P1/lan1), and one for a control system (machine automation, PLCs, etc.) (192.168.15.x - P4/DMZ). I need to keep the control network isolated so it doesn't get bogged down by heavy office traffic. However, I want to be able to access specific nodes on the .15.x control network from the office network. Can anyone point me to the right way to do that? Thanks!
Accepted Solution
So you can do a rule
from LAN1
to DMZ
source any
destination group of control devices
service if you know it
The office PCs will make the connection into DMZ and get the reply back, and DMZ cannot make connections to LAN1 unless you make a rule to do so.
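The accepted solution relies on two properties of a zone-based firewall: a single LAN1-to-DMZ rule scoped to an address group, and connection state that lets replies back without a DMZ-to-LAN1 rule. The following is an added example, not Zyxel firmware or anything from the thread: a small stateful zone-policy evaluator in Python that models that rule set. The subnets follow the thread; the three control-device addresses, the office PC address, the ports and the service (Modbus TCP, 502) are constructed samples, and the rule and object names are assumed.

```python
"""Stateful zone-policy evaluator (added example, not Zyxel firmware).

Models the accepted solution: one policy rule LAN1 -> DMZ, source any,
destination = the address group of control devices, one service. Replies are
matched by connection state; anything DMZ-initiated toward LAN1 has no rule
and hits the implicit deny. Addresses and ports below are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address
from typing import Optional

# Zones keyed by the subnet bound to each interface (subnets as in the thread).
ZONES = {
    IPv4Network("192.168.2.0/24"): "LAN1",   # P1 / office network
    IPv4Network("192.168.15.0/24"): "DMZ",   # P4 / control network
}

# Address object group "ControlDevices": three PLC/HMI hosts (constructed).
ADDRESS_GROUPS = {
    "ControlDevices": {ip_address("192.168.15.10"),
                       ip_address("192.168.15.11"),
                       ip_address("192.168.15.12")},
}


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str      # "tcp", "udp" or "icmp"
    sport: int
    dport: int


@dataclass
class Rule:
    from_zone: str
    to_zone: str
    src: str            # "any" or an address-group name
    dst: str            # "any" or an address-group name
    service: tuple      # (proto, dport), or ("any", 0) for any service
    action: str         # "allow" or "deny"


def zone_of(addr: IPv4Address) -> Optional[str]:
    """Map an address to the zone of the interface its subnet is bound to."""
    for net, zone in ZONES.items():
        if addr in net:
            return zone
    return None


def matches_object(addr: IPv4Address, obj: str) -> bool:
    return obj == "any" or addr in ADDRESS_GROUPS.get(obj, set())


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.sessions: set = set()   # established 5-tuples (src, dst, proto, sport, dport)

    @staticmethod
    def _key(p: Packet) -> tuple:
        return (p.src, p.dst, p.proto, p.sport, p.dport)

    @staticmethod
    def _reply_key(p: Packet) -> tuple:
        # The 5-tuple of the session this packet would be a reply to.
        return (p.dst, p.src, p.proto, p.dport, p.sport)

    def evaluate(self, p: Packet) -> str:
        # 1. Reply to an established session: allowed without a rule lookup.
        if self._reply_key(p) in self.sessions:
            return "allow (established)"
        # 2. First packet of a session: zone-to-zone rule lookup, first match wins.
        fz, tz = zone_of(p.src), zone_of(p.dst)
        for r in self.rules:
            if r.from_zone != fz or r.to_zone != tz:
                continue
            if not (matches_object(p.src, r.src) and matches_object(p.dst, r.dst)):
                continue
            sproto, sport = r.service
            if sproto != "any" and (sproto, sport) != (p.proto, p.dport):
                continue
            if r.action == "allow":
                self.sessions.add(self._key(p))
            return r.action
        # 3. No rule matched: implicit deny between zones.
        return "deny (no rule)"


def demo() -> dict:
    """Run the four cases a practitioner would check against the one-rule policy."""
    fw = Firewall([
        Rule("LAN1", "DMZ", "any", "ControlDevices", ("tcp", 502), "allow"),
    ])
    pc = ip_address("192.168.2.50")       # office PC (constructed)
    plc = ip_address("192.168.15.10")     # control device in the group (constructed)
    other = ip_address("192.168.15.99")   # control host NOT in the group (constructed)
    return {
        "office_to_plc": fw.evaluate(Packet(pc, plc, "tcp", 51000, 502)),
        "plc_reply": fw.evaluate(Packet(plc, pc, "tcp", 502, 51000)),
        "plc_to_office_new": fw.evaluate(Packet(plc, pc, "tcp", 40000, 445)),
        "office_to_ungrouped": fw.evaluate(Packet(pc, other, "tcp", 51001, 502)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

The four cases are the ones worth checking on the real box too: the office-initiated connection is allowed by the rule, its reply is allowed by state alone, a connection the control side initiates toward LAN1 has no rule and is dropped, and a control host that is not in the address group stays unreachable from the office even though it sits on the same subnet as the allowed devices.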
All Replies
Depending on the zones you used, it would be a LAN1 to DMZ policy rule; you can add source/destination IP and service. What you can't do is allow broadcast traffic between subnets.
Thanks for the reply! Since many office PCs will want to access three control network devices, is there an easy way to open access from all office PCs to three individual control devices, without allowing broadcast traffic? What if I had three rules allowing "from any" on LAN1 to a specific IP on DMZ? Is that safe to do? And in doing this, I'd be exposing specific 192.168.15.x devices to the office network, and they would be accessed from the office network via that same IP (.15.x), right? (Sorry if my novice-ness is showing!)
So you can do a rule
from LAN1
to DMZ
source any
destination group of control devices
service if you know it
The office PCs will make the connection into DMZ and get the reply back, and DMZ cannot make connections to LAN1 unless you make a rule to do so.
Many thanks, Peter. Worked like a charm. Created the group of control devices, added the policy rule, and added a route on my desktop PC, and voila! Connected!
@PeterUK Hi, Peter. So this seemed to work at the time, but having made some changes in various places, seems to not work now! I've even restored the config to a previous version and still no luck. Very frustrated!
Just to clarify the current objective:
Using a USG40. (I have moved from DMZ to OPT port for the control network since my previous post.) LAN1 network IP is 192.168.2.x. OPT network IP is 192.168.15.x. I want traffic on LAN1 addressed to 192.168.15.x to simply be routed to the OPT network.
I have created security policies that allow traffic from LAN1 to OPT and vice-versa, unconditionally.
Rule 1: LAN1_to_ControlNetwork; from: LAN1; to: OPT; IPv4 source: any; IPv4 destination: any; service: any; user: any; schedule: none; action: allow; log: no.
Rule 2: ControlNetwork_to_LAN1; from: OPT; to: LAN1; IPv4 source: any; IPv4 destination: any; service: any; user: any; schedule: none; action: allow; log: no.
I created a route between the two networks:
Policy route 1: user: any; schedule: none; incoming: LAN1; source: any; destination: ControlDevices; DSCP code: any; service: any; source port: any; next-hop: auto; DSCP marking: preserve; SNAT: none.
That's incoming: LAN1, source: any, destination: ControlDevices (a group of IP addresses), Next-Hop: auto (I've tried different options), SNAT: none.
If I test this with the built-in ZyXel Network Tools, I can ping the devices when directing it to the Control network (OPT), but can't ping them when directing to LAN1.
I must have something very basic wrong, I hope!
Thanks so much in advance.
You do not need a route rule; you can delete it.
Is "Use IPv4 Policy Route to Overwrite Direct Route" unchecked?
Is OPT set to internal, and with what zone?
Thanks for the quick reply.
OPT is set to internal and zone OPT.
LAN1 is set to internal and zone LAN1 (that's fixed, I guess)
"Use IPv4 Policy Route to Overwrite Direct Route" is NOT checked.
Also, if I ping one of the devices on the control network, I get this. Not a timeout, but "unreachable".
The problem with ping is whether the device allows itself to be pinged.
I don't understand why it's not working for OPT from DMZ. Is the IP of DMZ changed to something else now?
You can do a packet capture on OPT for ICMP as you ping from LAN1 to see if it makes it.