Configure wan-interface with IPoe
We need to configure our Zywall310. We have received a new configuration from our ISP to set up the wan-interface with static IP over a "numbered link".
- IP public subnet: 77.60.xx.xxx/29
- Encapsulation type: IPoe
- numbered link: 145.54.xxx.xxx/30
- gateway: 145.54.xxx.xxx
The problem is that our provider (NL KPN) does not have any guidance available for configuration except for Cisco routers. This is an example for Cisco:
!
Interface GigabitEthernet1/0
 description connection to internal network
 ip address 77.60.xx.xxx 255.255.255.248
 no cdp enable
 ip verify unicast reverse-path
 no ip redirects
 speed 1000
 duplex full
 no shutdown
!
Interface GigabitEthernet0/0
 description connection to KPN / CapID : CIN60629
 ip address 145.54.xxx.xxx 255.255.255.252
 no cdp enable
 no ip directed-broadcast
 speed 1000
 duplex full
 no shutdown
!
no service finger
no service udp-small-servers
no service tcp-small-servers
no ip source-route
ip subnet-zero
ip classless
ip cef
ip name-server 194.151.228.18
ip name-server 194.151.228.34
!
ip route 0.0.0.0 0.0.0.0 145.54.xxx.xxx
Can anyone help us with a working config for our Zywall 310?
Accepted Solution
-
Hi @KMP
The reason is that incoming traffic hits rule #4, so the source IP address is replaced with 77.60.XX.XX.
You can add an additional rule for incoming traffic to the NAS server. Then the source IP address will not be replaced with the interface IP.
e.g. Source: any, Destination: NAS server, Service: any, SNAT: none
5
All Replies
-
@KMP
Regarding your description, I would like to clarify the configuration you want to set.
On the WAN interface, do the two public IPs (145.54.X.X/30, 77.60.xx.xxx/29) connect to one WAN interface, or to two WAN interfaces separately?
Charlie
0 -
Hi Charlie,
There is only 1 physical link from the wan-port of the Zywall to the ISP-gateway (fiber switch). The IP 145.54.x.x is only a "numbered link" the ISP uses to NAT our public subnet 77.60.x.x/29 they say..
So only 1 interface should be used, I think. The funny thing is, if you look at the provided Cisco example there are 2 interfaces in use, but how are they linked?
0 -
@KMP
Regarding your description, you may follow the configuration below.
- WAN interface: 145.54.X.X/30, gateway IP 145.54.xxx.xxx
- LAN interface: 77.60.xx.xxx/29
- Disable Default SNAT on the WAN trunk.
- DNS1: 194.151.228.18, DNS2: 194.151.228.34
The steps below are for your reference.
Go to configuration > Network > Interface > Ethernet, create the WAN interface, and then create the LAN interface.
Disable Default SNAT on the WAN trunk and press Apply.
Go to configuration > System > DNS.
Charlie
0 -
Thanks for the info Charlie. Will test the setup this way.
There is one more issue: The Zywall is connected to the fiber-switch from isp (Alcatel OS6250-8m)
This switch has 2 combo 1000baseT ports, one is connected to the Zywall to provide 500mb up/down internet-connection. The Zywall only shows a link speed of 100mb while it should be 1000mb.
I have read we cannot force the connection speed to 1000m, it should auto-negotiate. What could be the problem?
0 -
@KMP
I modified the configuration in my previous post, so please recheck it.
Regarding link speed, can you double-check whether the Ethernet cable or switch supports 1000mb? The USG auto-negotiation is 1000mb.
Charlie
0 -
Hello (Charlie), the configuration has been working for the past few weeks now. With a slight change in config. There also was a policy route necessary for outgoing traffic. But that's not why I'm asking for help. Main problems we currently have are:
1) Incoming outbound (DNAT-rule) traffic to a specific device (NAS-ftp service) is now somehow recognized in the NAS as traffic originating from our (configured) external IP. How is this possible? It used to display the originating IP from the remote host , now somehow it gets translated as our own public IP.
2) Maybe the most important issue.. the only solution is to reboot via CLI every time it happens..
The Zywall has not been responding to the web-interface since the new configuration for a few times now. When trying to access by browser we are able to provide credentials and login however then the message "loading" is displayed continuously:
What could be the issue?
I hope you could help me with this.
0 -
Hi @KMP
What firmware version is running on your USG310?
Regarding the source IP address question, can you share screenshots of the NAT and policy route rules?
And can you describe the traffic direction when a user accesses the NAS service? (Is it coming from an Internet user or a local user?)
0 -
Hi Charlie,
1) It is running v4.33 firmware.
2) I will make the screenshots for you later.
3) I see it mentioned outbound traffic, but of course it is inbound traffic.. So all traffic coming from internet, via Dnat rule forwarded to NAS at tcp 8080
0 -
Hi @KMP
Can you send your configuration by private message to check your question in more detail?
0 -
KMP said:
Hello (Charlie), the configuration has been working for the past few weeks now. With a slight change in config. There also was a policy route necessary for outgoing traffic. But that's not why I'm asking for help. Main problems we currently have are:
1) Incoming outbound (DNAT-rule) traffic to a specific device (NAS-ftp service) is now somehow recognized in the NAS as traffic originating from our (configured) external IP. How is this possible? It used to display the originating IP from the remote host , now somehow it gets translated as our own public IP.
2) Maybe the most important issue.. the only solution is to reboot via CLI every time it happens..
The Zywall has not been responding to the web-interface since the new configuration for a few times now. When trying to access by browser we are able to provide credentials and login however then the message "loading" is displayed continuously:
What could be the issue?
I hope you could help me with this.
Above issue nr1: has been solved by creating a Policy Route specifically for the NAT rules created for port forwarding. The default Policy route is in use for outbound traffic SNAT and caused that traffic to be translated with our own Public IP.
Maybe @Zyxel_Stanley can clarify further?
0
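An added example, not part of the thread and not Zyxel's code: a simplified first-match model of the behaviour described in the accepted solution and in the last post, showing why a catch-all SNAT rule hides the real client address from the NAS logs and why the "SNAT: none" rule must sit above it. It assumes rules are evaluated top-down against the post-DNAT destination; all addresses and rule names are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# All addresses are constructed (RFC 5737 documentation ranges), not the poster's.
WAN_IP = "203.0.113.2"    # stands in for the firewall's public address
NAS_IP = "192.0.2.10"     # NAS behind the firewall (the DNAT target)
REMOTE = "198.51.100.77"  # Internet client connecting to the NAS

@dataclass
class PolicyRoute:
    name: str
    source: str           # CIDR or "any"
    destination: str      # CIDR or "any"
    snat: Optional[str]   # address the source is rewritten to; None = "SNAT: none"

def _match(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def source_seen_by_destination(rules, src: str, dst: str) -> tuple:
    """First matching rule wins; return (rule name, source IP the destination sees)."""
    for rule in rules:
        if _match(rule.source, src) and _match(rule.destination, dst):
            return rule.name, (rule.snat or src)
    return "no-match", src

# Catch-all rule meant for outbound traffic; it also matches forwarded inbound flows.
catch_all = PolicyRoute("outbound-snat", "any", "any", WAN_IP)
# The additional rule from the accepted answer: Source any, Destination NAS, SNAT none.
nas_rule = PolicyRoute("inbound-to-nas", "any", NAS_IP + "/32", None)

def audit(rules):
    """Report whether the NAS would log the real client address for an inbound flow."""
    name, seen = source_seen_by_destination(rules, REMOTE, NAS_IP)
    return {"rule": name, "nas_logs": seen, "client_ip_preserved": seen == REMOTE}

if __name__ == "__main__":
    print("catch-all only:  ", audit([catch_all]))
    print("NAS rule on top: ", audit([nas_rule, catch_all]))
    # Order matters: placed below the catch-all, the NAS rule never matches.
    print("NAS rule below:  ", audit([catch_all, nas_rule]))
```

Preserving the client address matters beyond cosmetics: access logs, rate limiting and IP-based blocking on the NAS are only meaningful when it sees the remote host rather than the firewall's own address.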