Заметки сисадмина (Sysadmin's Notes) » Zyxel ZyWall: How to route multiple public static IPs


Zyxel ZyWall: How to route multiple public static IPs

How to route multiple public IPs to devices behind a Zyxel router, where the device behind the Zyxel holds a public IP. Typically this method is used when routers are connected behind the ZyWall.

Method 1:

Use this method to provide "no NAT" to the device behind the Zyxel. This method only works when there is a router in front of the Zyxel, so that both the Zyxel and the device behind the Zyxel can use the same gateway.
Go to Network > Interface > Bridge and create a bridge interface:

  1. Set Interface type to: external
  2. Interface name: br1
  3. Zone: WAN
  4. Members: WAN1,dmz
  5. Go to Network>Interface>Trunk and create a new Trunk Group with “br1” as the primary member
  6. Go to Object>Address and add a host for each usable public static IP
  7. If the device behind the Zyxel is a router, go to Security Policy > Session Control and disable the session limits.
  8. Configure the device behind the Zyxel with a usable public static IP and point it to the same gateway that the Zyxel is using.
  9. Plug the device behind the Zyxel into a DMZ port.
  10. Add a route in the Zyxel that states: Incoming > Interface: DMZ > Source Address: Object_Address_PublicIP > Destination: Any > Next hop: Interface br1 > SNAT: Object_Address_PublicIP

Method 2:

This is the same as Method 1, but with a modem in front of the Zyxel instead of a router. In this case the Zyxel has to act as the gateway for both itself and the devices behind it.

  1. Go to Network>Interface>Bridge
  2. Set Interface type to: external
  3. Interface name: br1
  4. Zone: WAN
  5. Members: WAN1,dmz
  6. Set the IP to automatic if the public static IP is obtained via DHCP (note that the MAC address used will not be the MAC of WAN1 even when interface WAN1 is used).
  7. Go to Network > Interface > Bridge and click "Create Virtual Interface" > enter the first usable public IP address and subnet mask and leave the gateway blank.
  8. Go to Network > Interface > Trunk and create a new Trunk Group with "br1" as the primary member, then set the new Trunk Group as the system default trunk.
  9. Go to Network > Interface > Port Role and set one of the ports as DMZ.
  10. Plug a device or switch into the DMZ port, enter the second usable public IP into the device and set the Virtual Interface IP as its gateway.
  11. Make sure the firewall policy allows Any to DMZ and DMZ to Any.
  12. Go to Network > Zone and make sure that inter-zone blocking for both WAN and DMZ is set to "no".
  13. The router is now running in dual mode: LAN1 is NATed and DMZ is not.

The following methods cover cases where the devices behind the Zyxel hold private IPs because they require firewall protection. Typically this is used when servers are connected behind the Zyxel.

Method 1:

This is 1:1 NAT and is used if firewall functionality is desired. This method only works when there is a router in front of the Zyxel, so that both the Zyxel and the device behind the Zyxel can use the same gateway.

  1. Go to Object > Address and add a host for each public static IP.
  2. Go to NAT and add a rule that says: 1:1 NAT Type > Interface WAN1 > Original IP = public address > Mapped IP = private IP of the device.

Method 2:

This is the same as Method 1, but with a modem in front of the Zyxel instead of a router. In this case the Zyxel has to act as the gateway for both itself and the devices behind it for the second block of IPs.

  1. Have the cable provider bind the MAC address of the WAN to the public static IP they provide.
  2. Have the cable provider route the second block of IPs to the public static IP held by the Zyxel WAN.
  3. Add a virtual interface to the WAN and assign it the first usable IP of the second IP block. For example, if the carrier provides the block 1.2.3.88/29, the virtual interface would be 1.2.3.89 255.255.255.248 (leave the gateway blank).
  4. Go to Network > Object Address and add an Address Host Object for each remaining public IP address of the second block.
  5. Also add Host Objects for each device behind the Zyxel that you will be NATing public IPs to.
  6. Go to Network > Routing and add a route for each device behind the Zyxel and the public IP it is supposed to route out on: Incoming = LAN1 > Source = DeviceBehindZyxel > Destination = any > Service = any > Next Hop = WAN (don't use the virtual interface) > SNAT = one of the public IPs.
     The check box "Use Policy Route to Override Direct Route" can stay off.
  7. Go to Security Policy > Policy Control > From = WAN > To = LAN1 > Source = any > Destination = device behind Zyxel > Service = define the service > allow.
  8. Go to Network > NAT > Classification = 1:1 NAT > Incoming = WAN interface > Original IP = the public IP being NATed to the device > Mapped IP = device behind Zyxel > Service = define the service > Loopback = off.
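The address arithmetic behind steps 3 to 8 is where most mistakes happen: assigning the network or broadcast address of the /29, reusing the virtual-interface IP for a device, or (in the no-NAT bridge method) giving the device a gateway outside the Zyxel's own WAN subnet. The script below is an added example, not code from the original page or from Zyxel. It takes the routed block, splits it into the virtual-interface IP and the remaining usable addresses, pairs each private device with a public IP and emits the field values for the policy route and the 1:1 NAT rule as the steps above list them, and checks the "same gateway" precondition of the bridge method. All IPs, device names and rule names are constructed sample values.

```python
# Added example (not from the original page or from Zyxel): address planning
# for the routed-second-block 1:1 NAT method and a precondition check for the
# no-NAT bridge method.  All IPs below are constructed sample values; device
# names and the "lan1"/"wan1" interface labels are illustrative.
import ipaddress
from typing import Dict, List


def plan_block(block: str) -> Dict[str, object]:
    """Split a routed public block into the roles the how-to assigns.

    For 1.2.3.88/29: .88 is the network address and .95 the broadcast
    (neither is assignable), .89 goes on the WAN virtual interface and is
    the gateway for devices behind the Zyxel, and .90-.94 are the remaining
    usable addresses that each get an Address Host object.
    """
    net = ipaddress.ip_network(block, strict=True)  # rejects e.g. 1.2.3.89/29
    hosts = list(net.hosts())
    if len(hosts) < 2:
        raise ValueError("block must hold a gateway plus at least one usable IP")
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "virtual_interface": str(hosts[0]),
        "usable": [str(h) for h in hosts[1:]],
    }


def plan_one_to_one(block: str, devices: Dict[str, str]) -> List[Dict[str, object]]:
    """Pair each private device with one remaining usable public IP and emit the
    field values for the policy route (step 6) and the 1:1 NAT rule (step 8).

    devices maps a hypothetical device name to its private IP.  Public IPs are
    handed out in order, so the first device gets the first IP after the gateway.
    """
    plan = plan_block(block)
    if len(devices) > len(plan["usable"]):
        raise ValueError(
            f"{len(devices)} devices but only {len(plan['usable'])} usable IPs in {block}"
        )
    rules = []
    for public, (name, private) in zip(plan["usable"], devices.items()):
        if not ipaddress.ip_address(private).is_private:
            raise ValueError(f"{name}: {private} is not a private (RFC 1918) address")
        rules.append({
            "device": name,
            "policy_route": {        # Network > Routing
                "incoming": "lan1",
                "source": private,
                "destination": "any",
                "next_hop": "wan1",  # the physical WAN, not the virtual interface
                "snat": public,
            },
            "nat_1to1": {            # Network > NAT, Classification = 1:1 NAT
                "incoming": "wan1",
                "original_ip": public,
                "mapped_ip": private,
                "loopback": False,
            },
        })
    return rules


def shares_gateway(device_ip: str, device_mask: str, gateway: str, zyxel_wan_ip: str) -> bool:
    """Precondition of the no-NAT bridge method with a router in front: the
    device behind the Zyxel, the Zyxel's WAN address and the gateway must all
    sit in one public subnet, and the three addresses must be distinct."""
    subnet = ipaddress.ip_interface(f"{device_ip}/{device_mask}").network
    dev, gw, wan = (ipaddress.ip_address(a) for a in (device_ip, gateway, zyxel_wan_ip))
    in_subnet = gw in subnet and wan in subnet
    no_clash = len({dev, gw, wan}) == 3
    return in_subnet and no_clash


if __name__ == "__main__":
    print(plan_block("1.2.3.88/29"))
    for rule in plan_one_to_one("1.2.3.88/29", {"web": "192.168.1.10", "mail": "192.168.1.11"}):
        print(rule)
    # Bridge method check: device .10/29, gateway .9, Zyxel WAN .11 (constructed)
    print(shares_gateway("203.0.113.10", "255.255.255.248", "203.0.113.9", "203.0.113.11"))
```

`plan_block` uses `strict=True` so a block typed with host bits set (a common slip when copying the first usable address instead of the network address from the carrier's paperwork) fails immediately rather than silently producing a wrong virtual-interface IP. The output of `plan_one_to_one` is a checklist to type into the GUI, one entry per device, and it refuses to map a device that is not on a private address.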

A single block of 5 usable addresses should be fine. If you want to assign a public static IP to .9, .10 and .11 respectively, follow the 1:1 NAT method above (Method 1 for devices with private IPs): go to Object > Address and add a host for each public static IP, then go to NAT and add a rule for each one that says: 1:1 NAT Type > Interface WAN1 > Original IP = public address > Mapped IP = private IP of the device.
