best network configuration for lan and vpn, 1 static Ip + Router + Firewall

hello people,please help me with this network configuration...
I have to setup a small lan with one kind of vpn connection.

Situation is:
1 ip static address from my Isp
1 router dlink DI624 (only to establish connection)
1 firewall Zyxel Usg 100 (to manage vpn, web auth, backup line...and so on)
1 dhcp and dns server (on internal hp server ,Dc with Windows 2003R2)

I cannot establish an l2tp connection from outside (on Zyxel),and i cannot use dlink wer femote interface (on Dlink).
Now router has on wan interface the isp ip information
and on the lan side address.
On dmz i put
So firewall has on the wan interface address (this to obtain vpn and firewall administration remoting) and on the lan side (inner 10 clients and 2 servers on this network)
But something miss...maybe static router or port forwarding between router and firewall.

These are the question.
1)i suppose i can put dlink like a bridge instead of using a dmz, and firewall in this condition has on wan side the Isp Ip.
This is better than use dlink with dmz, like above?Can u explain in that way?
2)Why i cannot see from outside the firewall? dlink needs static route to route traffic to firewall?dmz is not enough?
3)remote http management of's enabled , wit " * " in the ip field, on 8080 port. but from outside it doesn't work.because of Dmz?

I would information to configuring router+firewall in the best way,using some of the zyxell ability (first of all, a reliable vpn.I was talking of 2lpt cause of Ssl has only 2 license)
Ask me for details, i have router and firewall manual available.
Mattia MinerviniAsked:
Who is Participating?
Mattia MinerviniConnect With a Mentor Author Commented:
wan router
lan router .240 in dmz)
wan1 firewall
lan1 firewall

My router wan ip is
This is a PPoA connection with my Isp, stable since 2004.

Only to test, i put a pc with directly connected on lan side of router (it has 4 port).
Surfing internet is ok , and i can open web interface of router (.241) and web interface of firewall (.240).I cannot try ping now, but it's ok for me.

I cannot pass ALL traffic to .241(lan router) to .240(wan firewall)  because of my dlink router has only DMZ, or VIRTUAL SERVER options.i can't find STATIC ROUTE option.
So i tried with DMZ and VIRTUAL SERVER to .240 for 1701/4500/500 UDP port and 1710 TCP port.

Another strange thing.
Router has WEB MANAGEMENT MODE to control interface from outside.
This function is enabled accepting all ip on 8080 port.
But from outside,typing (in a browser of a pc using another internet connection)  nothing to do,doesn't go.

L2TP typically uses port 1701.  Try opening that port on the router and pointing it to the firewalls IP.

You can put the router to forward ALL traffic to your firewall as well.  That should do the trick.

If you're not planning on putting computers in the DMZ then either bridge the router so your firewall has the public IP or forward all traffic from the router to the firewall.  

See if that works and let me know if I haven't answered all your questions.

Hope this helps!

Mattia MinerviniAuthor Commented:
Only to learn:
Ok, but Dmz is not enough? all traffic should be directed to firewall,isn't it?
So what layer is dmz? why i have to add also a specific route.
Real case:
I think in a couple of days i could try to manage dlink.
Under "static route configuration" ,"virtual server" or "port redirection"(i it there's)?
In a few words, what are the differences between dmz and the last three?
Thanks a lot Ltxda
We Need Your Input!

WatchGuard is currently running a beta program for our new macOS Host Sensor for our Threat Detection and Response service. We're looking for more macOS users to help provide insight and feedback to help us make the product even better. Please sign up for our beta program today!

Mattia MinerviniAuthor Commented:
nothing to do...
router has lan ip
it has in dmz firewall wan1 ip,

I thought this was enough, but from external pc i cannot reach firewall.

So i added virtual server feature on router, passing port udp/tcp 1701 + udp 500 for ike + udp 4500 to ip
-  Need to make sure that the WAN/outside IP of your router (not firewall) is something other than 192. or 172. or 10.  Let's make sure your ISP isn't natting and firewalling you from the beginning.

-  Can you ping from within your router at

-  Can you pass ALL traffic from the router to the firewall to see if that works and if it does we'll go from there.
Mattia MinerviniAuthor Commented:
I need to close this question!!!! I need to ask another thing....u cannot do this! abandoned from 14 days, there 's no a solution , no one help me. I changed hardware and technologies to solve my problem. in the alert box i can see this question should be closed yesterday.Please help me...
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.