wohenben asked:

Zyxel router Access Control log stops access

This is a P-660HW-D1.

I have enabled multi-nat, and mapped an external address to an internal one (1:1).  The internal address has a server set to respond to SSH (port 22).  A firewall rule permits any WAN address access.

From the outside, I can connect to this service, no problem.

The firewall log feature has an "Access Control" option.  If I turn this on, the above access is blocked.  Turn logging off again, it works fine.  What on earth is going on?
ccomley

I've used lots of Zyxel routers - I don't have access to one right this minute - and I can't visualise the Access Control option you speak of - can you say which menu it's on? What does the "help" page say it's for?

One "trick" you may find helpful, it used to be important on earlier firmware, though these days doesn't appear necessary, but it can't hurt to try. When you switch from SUA to Full Nat Control, as well as setting up the 1:1 you need for your server and a 1:Many for the rest of your LAN, set up a 1:1 between the router WAN address and the router LAN address.  So you have a plan something like this:-

210.121.126.1  <1:1> 192.168.1.1 (the router)
210.121.126.2  <1:1> 192.168.1.2 (your server)
210.121.126.3  <1:Many> 192.168.1.33 to 192.168.1.66 (your DHCP range)

wohenben (ASKER)

Thanks for the tip.  I'd already found out the first bit the hard way!
When setting a 1:1 for a server, do you also need a Server entry?  It wasn't clear from the docs if I just needed 1:1, Server, or both.

The Access Control is a check box in the log settings.  The manual doesn't say what it's for, but it seems to log matches (or mismatches) on the access control rules.

In fact I've found the problems go deeper than that.  Making even the slightest change to the address mapping rules if doing remote admin disconnects me, then I have to wait for the timeout before logging in again.
ASKER CERTIFIED SOLUTION
wohenben

This solution is only available to members.