Best network configuration for LAN and VPN, 1 static IP + router + firewall

Posted on 2008-10-26
Medium Priority
Last Modified: 2012-05-05
Hello people, please help me with this network configuration...
I have to set up a small LAN with one kind of VPN connection.

Situation is:
1 static IP address from my ISP
1 router D-Link DI-624 (only to establish the connection)
1 firewall ZyXEL USG 100 (to manage VPN, web auth, backup line... and so on)
1 DHCP and DNS server (on an internal HP server, DC with Windows 2003 R2)

I cannot establish an L2TP connection from outside (on the ZyXEL), and I cannot use the D-Link web remote interface (on the D-Link).
Now the router has the ISP IP information on the WAN interface
and on the LAN side address.
On the DMZ I put
So the firewall has on the WAN interface address (this to obtain VPN and firewall administration remotely) and on the LAN side (inner 10 clients and 2 servers on this network).
But something is missing... maybe a static route or port forwarding between router and firewall.

These are the questions.
1) I suppose I can put the D-Link as a bridge instead of using a DMZ, and the firewall in this condition has the ISP IP on the WAN side.
Is this better than using the D-Link with DMZ, like above? Can you explain it that way?
2) Why can't I see the firewall from outside? Does the D-Link need a static route to route traffic to the firewall? Is DMZ not enough?
3) Remote HTTP management is enabled, with "*" in the IP field, on port 8080, but from outside it doesn't work. Because of the DMZ?

I would like information on configuring router + firewall in the best way, using some of the ZyXEL abilities (first of all, a reliable VPN. I was talking about L2TP because SSL has only 2 licenses).
Ask me for details; I have the router and firewall manuals available.
Question by: Mattia Minervini

Expert Comment

ID: 22807788
L2TP typically uses port 1701. Try opening that port on the router and pointing it to the firewall's IP.

You can put the router to forward ALL traffic to your firewall as well.  That should do the trick.

If you're not planning on putting computers in the DMZ then either bridge the router so your firewall has the public IP or forward all traffic from the router to the firewall.  

See if that works and let me know if I haven't answered all your questions.

Hope this helps!


Author Comment

by:Mattia Minervini
ID: 22807901
Only to learn:
OK, but is DMZ not enough? All traffic should be directed to the firewall, shouldn't it?
So what layer is DMZ? Why do I also have to add a specific route?
Real case:
I think in a couple of days I could try to manage the D-Link.
Under "static route configuration", "virtual server" or "port redirection" (if it's there)?
In a few words, what are the differences between DMZ and the last three?
Thanks a lot, Ltxda

Author Comment

by:Mattia Minervini
ID: 22849486
Nothing doing...
The router has LAN IP
It has in DMZ the firewall WAN1 IP,

I thought this was enough, but from an external PC I cannot reach the firewall.

So I added the virtual server feature on the router, passing port UDP/TCP 1701 + UDP 500 for IKE + UDP 4500 to IP

Expert Comment

ID: 22849644
-  Need to make sure that the WAN/outside IP of your router (not firewall) is something other than 192. or 172. or 10. Let's make sure your ISP isn't NATting and firewalling you from the beginning.

-  Can you ping from within your router at

-  Can you pass ALL traffic from the router to the firewall to see if that works and if it does we'll go from there.
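The two checks the expert asks for here, the "is the router's WAN address really public" test and "are all the L2TP/IPsec ports from the author's virtual-server list (UDP 500, 4500, 1701) forwarded to the firewall's WAN1", can be scripted as a small diagnostic. This is an added example, not code from the thread or from D-Link/ZyXEL; the addresses in it are constructed placeholders (documentation ranges), and it treats carrier-grade NAT space (100.64.0.0/10) as non-public in addition to the RFC 1918 ranges the expert names.

```python
import ipaddress

# Ports an L2TP/IPsec client must reach on the firewall through the router,
# as listed in the author's virtual-server entry: IKE (UDP/500),
# NAT-Traversal (UDP/4500) and L2TP itself (UDP/1701).
REQUIRED_FORWARDS = {("udp", 500), ("udp", 4500), ("udp", 1701)}

# Address ranges that mean the ISP is NATting the router itself, so no
# inbound VPN can ever arrive: RFC 1918 private space plus RFC 6598 CGNAT space.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def wan_ip_is_public(wan_ip: str) -> bool:
    """True if the router's WAN address can in principle be reached from the Internet.
    Note that only 172.16.0.0-172.31.255.255 is private, not every 172.x address."""
    addr = ipaddress.ip_address(wan_ip)
    return not any(addr in net for net in NON_PUBLIC)


def check_forwards(rules, firewall_wan_ip):
    """rules: list of (proto, port, target_ip) virtual-server entries as typed into
    the router. Returns the required (proto, port) pairs NOT forwarded to the
    firewall's WAN address; an empty set means the VPN ports are all covered."""
    present = {(proto.lower(), int(port))
               for proto, port, target in rules if target == firewall_wan_ip}
    return REQUIRED_FORWARDS - present


# Constructed sample: firewall WAN1 is the placeholder 192.0.2.240, and the
# L2TP rule was entered as TCP instead of UDP, a typical slip on these routers.
SAMPLE_RULES = [
    ("udp", 500, "192.0.2.240"),
    ("udp", 4500, "192.0.2.240"),
    ("tcp", 1701, "192.0.2.240"),
]

if __name__ == "__main__":
    print("router WAN is public:", wan_ip_is_public("203.0.113.5"))
    print("missing forwards:", check_forwards(SAMPLE_RULES, "192.0.2.240"))
```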

Accepted Solution

Mattia Minervini earned 0 total points
ID: 22851522
WAN router
LAN router (.240 in DMZ)
WAN1 firewall
LAN1 firewall

My router WAN IP is
This is a PPPoA connection with my ISP, stable since 2004.

Only to test, I put a PC with directly connected on the LAN side of the router (it has 4 ports).
Surfing the Internet is OK, and I can open the web interface of the router (.241) and the web interface of the firewall (.240). I cannot try ping now, but it's OK for me.

I cannot pass ALL traffic from .241 (LAN router) to .240 (WAN firewall) because my D-Link router has only DMZ or VIRTUAL SERVER options. I can't find a STATIC ROUTE option.
So I tried with DMZ and VIRTUAL SERVER to .240 for the 1701/4500/500 UDP ports and the 1710 TCP port.

Another strange thing.
The router has a WEB MANAGEMENT MODE to control the interface from outside.
This function is enabled, accepting all IPs on port 8080.
But from outside, typing (in a browser of a PC using another Internet connection), nothing doing, it doesn't go.


Author Comment

by:Mattia Minervini
ID: 25446742
I need to close this question!!!! I need to ask another thing.... You cannot do this! Abandoned for 14 days, there's no solution, no one helped me. I changed hardware and technologies to solve my problem. In the alert box I can see this question should have been closed yesterday. Please help me...
