USG FLEX 500 - lan1 to lan 2 and lan2 to lan1

Smartmob
Smartmob Posts: 5  Freshman Member

Hello, I have a USG FLEX 500 firewall with lan 1 (192.168.0.0, GW 192.168.0.230) and lan 2 (192.168.33.0, GW 192.168.33.230). For both LANs the GW is the firewall itself.


I need to make the two LANs, and consequently the clients, talk to each other by enabling ips control.
I can ping the firewall from both subnets, e.g. 192.168.0.190 --> 192.168.33.230, but I can't ping client to client, 192.168.0.190 --> 192.168.33.100.
I have tried static route and policy route, but to no effect. What am I missing?

All Replies

  • valerio_vanni
    valerio_vanni Posts: 104  Ally Member

    You don't need to add routes, those destinations are included in "direct route".

    You could look at the logs, to see if some other firewall rule blocks traffic.

  • Smartmob
    Smartmob Posts: 5  Freshman Member

    I see nothing from the firewall logs.
    Only if I enter a policy control (lan1 to lan2) can I see the ICMP pass as accepted, even though I still receive unreachable from the client.

  • valerio_vanni
    valerio_vanni Posts: 104  Ally Member

    It could be the remote device that doesn't respond.

    What kind of device are you unable to ping? PC, printer, etc…

  • PeterUK
    PeterUK Posts: 3,443  Guru Member
    edited October 23

    Likely a firewall on the end device.

    Unless you have enabled "Use IPv4 Policy Route to Overwrite Direct Route" with a routing rule like LAN1 next hop WAN?

  • Smartmob
    Smartmob Posts: 5  Freshman Member

    It is a server with dual ports: 1) with the subnet 192.168.0.179, 2) with the subnet 192.168.33.100.
    And I am trying to ping the second port from a client under subnet 192.168.0.x.

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,526  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate

    Hi @Smartmob,

    It seems like your client is using Windows OS. Have you disabled the Windows firewall before testing?

    And can 192.168.33.230 ping 192.168.33.100?

    Zyxel Melen


  • Smartmob
    Smartmob Posts: 5  Freshman Member

    Yes, the firewall is deactivated.
    Indeed, it seems that from 192.168.33.230 I cannot ping the .100,
    but I simply set a static IP.

  • valerio_vanni
    valerio_vanni Posts: 104  Ally Member

    Inside the 192.168.33.x LAN, do you have only that host (.100)?

    Don't you have something else to ping?
