H Series - Virtual Server NAT loopback bug?

Alex_91

Hello everyone,
is it only me, or does the loopback in the virtual server not work on H firewalls?

I followed this guide to avoid making mistakes.

To keep the IPs in your example: from the internet I can correctly reach the internal web servers (Net → 192.168.168.31:80 works).

If I open a browser from an internal IP to the web server, this does not work (from 192.168.168.22 → 192.168.168.31:80 DOES NOT WORK).

Ideas?

PS: if I change the Virtual Server to 1:1 NAT, nothing apparently changes.

Accepted Solution

  • Alex_91
    edited May 6 Answer ✓
    immagine.png

    This option is not present in the H Series.

    I hope I solved it in the best way.
    I created 2 NATs, one with loopback, setting the public IP as the External IP.
    In the other NAT I put (in External IP) the WAN IP (interface WAN 10.x.x.150) without loop; it seems to work.
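
A simplified model of why the two-rule setup in the accepted solution works, added here as an illustration; it is not Zyxel's implementation or code from the thread. The addresses 203.0.113.200 and 10.0.0.150 are constructed stand-ins for the elided 93.x.x.200 and 10.x.x.150, and the firewall LAN address 192.168.168.1, the internet client 198.51.100.7, the `NatRule` fields and the matching logic are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the thread's elided addresses (assumptions).
PUBLIC_IP = "203.0.113.200"   # stands for 93.x.x.200, held by the upstream router
FW_WAN_IP = "10.0.0.150"      # stands for 10.x.x.150, the firewall's WAN interface
FW_LAN_IP = "192.168.168.1"   # assumed firewall LAN address (not given in the thread)
SERVER = "192.168.168.31"
LAN = ip_network("192.168.168.0/24")

@dataclass
class NatRule:              # hypothetical model of one virtual-server rule
    external_ip: str        # destination address the rule matches on
    internal_ip: str        # server the traffic is forwarded to
    port: int
    loopback: bool          # whether LAN-originated traffic may match

def translate(rules, src, dst, port):
    """Return (new_src, new_dst) after NAT, or None when no rule matches."""
    from_lan = ip_address(src) in LAN
    for r in rules:
        if dst != r.external_ip or port != r.port:
            continue        # the rule only fires for its own External IP
        if from_lan and not r.loopback:
            continue
        # Hairpin case: client and server share the LAN, so the source is
        # rewritten as well. Otherwise the server answers the client directly
        # and the client drops a reply from an address it never contacted.
        return (FW_LAN_IP if from_lan else src), r.internal_ip
    return None             # unmatched: forwarded unchanged to the upstream router

def reachability(rules):
    return {
        # The upstream router's DMZ has already rewritten the destination
        # from the public IP to the firewall's WAN address.
        "internet": translate(rules, "198.51.100.7", FW_WAN_IP, 80),
        # A LAN client still addresses the public IP.
        "lan": translate(rules, "192.168.168.22", PUBLIC_IP, 80),
    }

# One rule bound to the WAN interface address: loopback never matches.
single_rule = [NatRule(FW_WAN_IP, SERVER, 80, loopback=True)]
# The accepted solution: one loopback rule on the public IP, one plain rule
# on the WAN interface address.
two_rules = [NatRule(PUBLIC_IP, SERVER, 80, loopback=True),
             NatRule(FW_WAN_IP, SERVER, 80, loopback=False)]

if __name__ == "__main__":
    print("single rule:", reachability(single_rule))
    print("two rules:  ", reachability(two_rules))
```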

All Replies

  • PeterUK
    edited May 5

    NAT loopback only works if the FLEX has the WAN IP. Local IP to local IP (remote IP not WAN) should work, so if your server and client are in 192.168.168.0/24 it will be at the switch layer; if you have another LAN subnet like 192.168.1.0/24 it will be routed by the FLEX, zone to zone, per the firewall rule.

  • Alex_91

    But I'm trying from 192.168.168.22 (opening a web browser with address 93.x.x.200:80).

    Obviously if I open 192.168.168.31:80 it works. Same problem from 192.168.168.31 (opening a web browser with address 93.x.x.200:80): not working (clearly, from 168.31, opening 127.0.0.1:80 works).

  • PeterUK

    Does the Zyxel WAN interface have IP 93.x.x.200?

  • Alex_91

    No, the firewall is under the DMZ of the router.

    So WAN 93.x.x.200 is NATted; the firewall WAN interface has 10.x.x.150 - GW: 10.x.x.1 (router).

    Traffic from the net is all NATted to 10.x.x.150.

  • PeterUK
    edited May 6

    Then NAT loopback is nothing to do with the Zyxel; it is down to the router WITH the WAN IP, because that's how it works, and it works that way on any other router.

    When you connect from 192.168.168.22 > 93.x.x.200, because the Zyxel does not have 93.x.x.200 it will not NAT loopback; only when it goes to the router with 93.x.x.200 does NAT loopback apply.

    Now, some ISP routers don't support NAT loopback, which means you're out of luck, or if you can't put the ISP router in bridge mode.

    But is there a way to do NAT loopback with this limitation? Yes, but it has to be written, because no one I know has done it.

    It will look something like this.

    Screenshot 2025-05-06 172429.png

    This way, when 192.168.168.22 > 93.x.x.200 and 93.x.x.200 is the IP for bridgemode.bounceme.net, it will NAT loopback to 192.168.255.193 even if the Zyxel does not have 93.x.x.200.

    This might be an interesting read:

    Nat Loopback not Working — Zyxel Community
