Solved

Zyxel Router multi-nat

Posted on 2009-05-18
Last Modified: 2012-05-07
I have a P-660HW-D1
Firmware V3.40(AGL.6) | 04/24/2009

I've set up full feature NAT, and have a block of 8 external addresses (5 usable).

There are several problems, but the first is that response to external access is intermittent (and the rules I have to set seem strange).

1. First, if I map (IP changed for security reasons)
  External A.B.C.117 to Internal 10.0.0.5
then hit the external address, the log reports "access denied" to A.B.C.117 (not 10.0.0.5).
2. Fair enough, I add a firewall rule to permit access WAN to WAN/Router A.B.C.117
then my attempt shows "Access Permitted".  However, it's pot luck whether I actually do get access, sometimes yes, sometimes no.  Occasionally, the connection drops, and I just can't get in again.
3. There is a similar problem with remote management.  When I do occasionally manage to login remotely, virtually any addition to the address mapping or firewall rules disconnects me.  Extremely irritating. It can then be minutes or hours before I can login again.

Anyone actually managed to get multi-nat on these routers to work?
Question by:wohenben
17 Comments
 
LVL 22

Expert Comment

by:mutahir
ID: 24415700
Does your Zyxel router offer the 2nd Subnet option as they do in DrayTek routers? You can specify that block of addresses in 2nd Subnet and one IP address from the public range will be consumed by your router apart from the private IP.
Your problem more likely seems to be a firmware corruption issue, as I have recently faced something similar on a WatchGuard that was denying access even though the filter was there, and re-flashing the firewall resolved it.
I would suggest doing a proper firmware flash which erases everything and installs the firmware to factory defaults.
Then create your topology; once you are up and running with the internet connecting fine, then create a port redirection or open port to a PC behind your router and see if that works fine (http://canyouseeme.org/). Use this website to see if the ports are visible. Once your router is responding and acting as it should, then add your 2nd block of public addresses and it should be fine.
Also, don't forget to change the HTTP and HTTPS port on your router if you want to use those ports behind your router on any other server/device.
Hope this helps
 

Author Comment

by:wohenben
ID: 24417328
Yes, I'm beginning to suspect a firmware problem.  Looking at the logs, this is what seems to be happening:

External A.B.C.D1 is NAT'd to 10.0.0.4  (https service)
External A.B.C.D2 is NAT'd to 10.0.0.5  (nothing yet)

So I connect from the outside to A.B.C.D1, which correctly takes me to the service on 10.0.0.4.  All goes fine for a while, then the connection drops.  Attempts to reconnect fail. Then I look at the logs and see that my external source IP is trying to connect to 10.0.0.5!
 
LVL 22

Expert Comment

by:mutahir
ID: 24419325
Try a firmware reflash and see if it persists
 
LVL 16

Assisted Solution

by:ccomley
ccomley earned 200 total points
ID: 24419412
Have used hundreds of Zyxel Prestige routers and Zywall firewalls, all fine once you get your head around it.

> 1. First, if I map (IP changed for security reasons)
>  External A.B.C.117 to Internal 10.0.0.5
> then hit the external address, the log reports "access denied" to A.B.C.117 (not 10.0.0.5).

Indeed - creating the NAT mapping does NOT create a PERMIT firewall rule, you have to do both.

> 2. Fair enough, I add a firewall rule to permit access WAN to WAN/Router A.B.C.117

Your "destination" address should be 10.0.0.5 not the .117 public address. I assume you've also selected appropriate services (ports) for that access rule, and created it in the WAN-to-LAN rule group.

> 3. There is a similar problem with remote management.  When I do occasionally manage to login remotely, virtually any addition to the address mapping or firewall rules disconnects me.  Extremely irritating. It can then be minutes or hours before I can
> login again.

I never use the Remote Management config page, I just create a WAN-to-WAN/Router rule which Permits the sort of access I want (e.g. HTTP) from my office address space. Actually, I usually permit ANY-TCP/ANY-UDP from my office space.

Here's a few general notes on "full nat" on Zyxel.

Note that when you take it off SUA you have no auto default, you have to create a complete map.
This means that as well as your 1:1 mapping you need to create a 1:Many mapping for the rest of your private range, if you want them to see out. And if your 1:1 mapping isn't at one end of the local range, you may need two 1:Many rules, e.g.

123.1.1.2 - 1:Many - 192.168.1.2 to 192.168.1.99
123.1.1.3 - 1:1  - 192.168.1.100
123.1.1.4 - 1:Many - 192.168.1.101 to 192.168.1.254

FINALLY note that you MAY need to create a hard map between the router's own wan address and its lan address. This used to be required, later firmware has removed the requirement but it can't hurt to try it to see if it helps, e.g.

123.1.1.1 - 1:1 - 192.168.1.1 (Where 123.1.1.1 is your first assigned address and the router WAN address, and 192.168.1.1 is the router LAN address.)

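An added example, not from the thread or from Zyxel, that works out the map ccomley's notes call for: given the LAN range, the router's LAN address, the 1:1 maps already decided on and a pool of spare public addresses (all assumed inputs), it returns the complete map, cutting the 1:Many range wherever a 1:1 host or the router itself sits in the middle, and optionally emits the router WAN-to-LAN hard map.

```python
import ipaddress

def plan_full_nat(lan_cidr, router_lan, one_to_one, spare_public, router_wan=None):
    """Build the complete address map needed once SUA is switched off.

    lan_cidr     - private range, e.g. "192.168.1.0/24"
    router_lan   - the router's own LAN address (never inside a 1:Many range)
    one_to_one   - {public: private} 1:1 maps already decided on
    spare_public - public addresses free for 1:Many rules, consumed in order
    router_wan   - optional: also emit the router WAN<->LAN hard map
    Returns (public, kind, first_private, last_private) tuples.
    """
    net = ipaddress.ip_network(lan_cidr)
    fixed = {ipaddress.ip_address(p) for p in one_to_one.values()}
    rules = []
    if router_wan:
        rules.append((router_wan, "1:1", router_lan, router_lan))
    rules += [(pub, "1:1", priv, priv) for pub, priv in one_to_one.items()]
    spare = list(spare_public)
    run = []  # consecutive hosts with no 1:1 map, waiting for a 1:Many rule

    def flush():
        if run:
            if not spare:
                raise ValueError("ran out of public addresses for 1:Many rules")
            rules.append((spare.pop(0), "1:Many", str(run[0]), str(run[-1])))
            run.clear()

    for host in net.hosts():
        if str(host) == router_lan or host in fixed:
            flush()  # a hard-mapped host in the middle ends the current 1:Many range
        else:
            run.append(host)
    flush()
    return rules

if __name__ == "__main__":
    # ccomley's own example: one 1:1 host at .100 forces two 1:Many rules
    for rule in plan_full_nat("192.168.1.0/24", "192.168.1.1",
                              {"123.1.1.3": "192.168.1.100"},
                              ["123.1.1.2", "123.1.1.4"], router_wan="123.1.1.1"):
        print("%s - %s - %s to %s" % rule)
```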
 

Author Comment

by:wohenben
ID: 24431989
> Have used hundreds of Zyxel Prestige routers and Zywall firewalls, all fine once you get your head around it.

Thanks for the reply

>> 1. First, if I map (IP changed for security reasons)
>>  External A.B.C.117 to Internal 10.0.0.5
>> then hit the external address, the log reports "access denied" to A.B.C.117 (not 10.0.0.5).

> Indeed - creating the NAT mapping does NOT create a PERMIT firewall rule, you have to do both.

>> 2. Fair enough, I add a firewall rule to permit access WAN to WAN/Router A.B.C.117

> Your "destination" address should be 10.0.0.5 not the .117 public address. I assume you've also selected appropriate services (ports) for that access rule, and created it in the WAN-to-LAN rule group.

This confused me.  On other routers/firewalls I've used, from Cisco to Netgear, the firewall rule is External -> Internal.  Yet here, the logs complained that access was refused because there was no permit External -> External.  This suggests to me that the NAT was not working.  [I presume for incoming traffic, NAT is done before applying the rules?]

>> 3. There is a similar problem with remote management.  When I do occasionally manage to login remotely, virtually any addition to the address mapping or firewall rules disconnects me.  Extremely irritating. It can then be minutes or hours before I can
>> login again.

> I never use the Remote Management config page, I just create a WAN-to-WAN/Router rule which Permits the sort of access I want (e.g. HTTP) from my office address space. Actually, I usually permit ANY-TCP/ANY-UDP from my office space.

Yes, that's what I've done, but it doesn't work.  I don't get anything in the logs.

> Here's a few general notes on on "full nat" on Zyxel.

> Note that when you take it off SUA you have no auto default, you have to create a complete map.
This means that as well as your 1:1 mapping you need to create a 1:Many mapping for the rest of your private range, if you want them to see out. And if your 1:1 mapping isn't at one end of the local range, you may need two 1:Many rules, e.g.

> 123.1.1.2 - 1:Many - 192.168.1.2 to 192.168.1.99
> 123.1.1.3 - 1:1  - 192.168.1.100
> 123.1.1.4 - 1:Many - 192.168.1.101 to 192.168.1.254

> FINALLY note that you MAY need to create a hard map between the router's own wan address and its lan address. This used to be required, later firmware has removed the requirement but it can't hurt to try it to see if it helps, e.g.

Yes, I do seem to have to do this

> 123.1.1.1 - 1:1 - 192.168.1.1 (Where 123.1.1.1 is your first assigned address and the router WAN address, and 192.168.1.1 is the router LAN address.)

Well, you have confirmed most of what I'd worked out, but it's great to have confirmation from someone who's used these boxes before, so I'm now going to try a complete re-flash with the last but one firmware (currently running the latest) to see if that works better. My gut feeling at the moment is that the NAT tables are getting scrambled somehow.  Though it could be a RAM fault I suppose ...

 
LVL 16

Expert Comment

by:ccomley
ID: 24432171
> This confused me.  On other routers/firewalls I've used, from Cisco to Netgear, the firewall rule is External -> Internal.  Yet here, the logs complained that access was refused because there was no permit External -> External.  This suggests to me that the NAT was not working.  [I presume for incoming traffic, NAT is done before applying the rules?]

I don't follow that but if there isn't a rule, it won't work, so don't worry about what the log says, create the rule!! :-)

Zywall rules are grouped, you need to make sure you're in the right group. Which in this case is definitely "WAN to LAN". You should see this has a default "deny" at the top, so you just add "permit" rules to it.

(The odd quirk is the "WAN to WAN/Router" rule group, which is only used to set up VPNs and remote access to the router *itself*.)

Still, sounds like you have the config you should have, so yes, a start-over with a clean config is probably the next thing to try.

Note when you flash it, you get a binary file with the firmware AND a file with a blank config in - in this case it's probably as well to upload both to be on the safe side!!

 

Author Comment

by:wohenben
ID: 24433805
Right, done that, still have the same problems.  So, did the following simple tests. A.B.C.x is in my group of external IPs.  D.E.F.G is a client on a completely separate WAN for testing. 10.0.0.0/8 is my LAN range.

1. Created 1:1 NAT  A.B.C.117 to 10.0.0.5  [this has ssh port 22 running]
2. Created 1:1 NAT A.B.C.118 to 10.0.0.222 [an internal client with fixed IP]
3. Firewall rule Permit D.E.F.G to any LAN IP, any port
4. Now, from my test external client D.E.F.G, run ssh to A.B.C.117
5. This gives the log entry
       05/20/2009 17:07:55 Firewall rule match: TCP (W to L, rule:1) D.E.F.G:43595      10.0.0.5:22      ACCESS PERMITTED

Fine.  So I login, do some tests, logout

6. Wait a bit, then try again - no luck this time.  Check the logs and I see:

  05/20/2009 17:08:39      Firewall default policy: TCP (W to W/PRESTIGE)      D.E.F.G:43596      A.B.C.117:22      ACCESS DROPPED

So now it's looking for a WAN to WAN rule (which isn't there) and failing.

7. Now the truly horrible bit.  Wait a bit longer, then try again

05/20/2009 17:22:07      Firewall rule match: TCP (W to L, rule:1)      D.E.F.G:42171      10.0.0.222:22      ACCESS PERMITTED

So now the NAT is mapping the outside IP to my other internal IP(!!!), permitting access (though there is no ssh there to respond).

Is it just me or is this box broken?

On a hunch, I'm going to try this again with the default LAN settings. Failing that, there is an open window close by ...
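An added example, not from the thread or from Zyxel, of the check wohenben did by hand above: it parses firewall log lines in the shape he posted and, knowing the 1:1 map and that the test client only ever targets one public address, flags both symptoms seen in his test: a W-to-W/PRESTIGE drop naming a mapped public address (NAT not applied at all) and a W-to-L match landing on the wrong internal host (NAT mis-mapped). The sample lines are constructed, keeping the thread's A.B.C.x / D.E.F.G placeholders, and the log format is assumed to be stable across entries.

```python
import re

# Constructed sample lines in the shape wohenben posted (placeholders kept;
# the spacing between fields on the real box may be tabs or runs of spaces).
LOG = """\
05/20/2009 17:07:55 Firewall rule match: TCP (W to L, rule:1) D.E.F.G:43595   10.0.0.5:22   ACCESS PERMITTED
05/20/2009 17:08:39 Firewall default policy: TCP (W to W/PRESTIGE)   D.E.F.G:43596   A.B.C.117:22   ACCESS DROPPED
05/20/2009 17:22:07 Firewall rule match: TCP (W to L, rule:1)   D.E.F.G:42171   10.0.0.222:22   ACCESS PERMITTED
"""

LINE = re.compile(
    r"^(\S+ \S+)\s+Firewall (?:rule match|default policy): (\w+) "
    r"\((W to [\w/]+)(?:, rule:\d+)?\)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+ACCESS (\w+)$")

def parse(text):
    """Turn the Zyxel firewall log lines into dicts; unrecognised lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts, proto, direction, src, sport, dst, dport, verdict = m.groups()
            entries.append(dict(ts=ts, proto=proto, direction=direction, src=src,
                                dst=dst, dport=int(dport), verdict=verdict))
    return entries

def audit(entries, one_to_one, client, target_public):
    """Flag entries from `client` (which only ever connects to `target_public`)
    whose logged destination disagrees with the 1:1 map `one_to_one`."""
    expected = one_to_one[target_public]
    findings = []
    for e in entries:
        if e["src"] != client:
            continue
        if e["direction"].startswith("W to W") and e["dst"] in one_to_one:
            # the public address reached the firewall untranslated, so the
            # WAN-to-LAN permit rule never had a chance to match
            findings.append((e["ts"], "NAT not applied: %s hit the router untranslated" % e["dst"]))
        elif e["direction"] == "W to L" and e["dst"] != expected:
            findings.append((e["ts"], "NAT mis-mapped: %s went to %s, expected %s"
                             % (target_public, e["dst"], expected)))
    return findings

if __name__ == "__main__":
    nat = {"A.B.C.117": "10.0.0.5", "A.B.C.118": "10.0.0.222"}
    for ts, msg in audit(parse(LOG), nat, "D.E.F.G", "A.B.C.117"):
        print(ts, msg)
```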
 
LVL 16

Expert Comment

by:ccomley
ID: 24433968
Sounds like a broken box, I've never seen anything like that. Well worth contacting Zyxel coz it's just about weird enough I would hope they would want to see it back to see if they can see what happened. (The "normal" things to go wrong with these boxes (and you have to have sold thousands like we have to see any regular pattern!) is blown power supplies or blown switch ports.)

Actually, I see you're in the UK, who did you get it from? We're on v good terms with the main UK disti so if you can't get any luck via your purchase channel give me a yell and I'll see if they have any interest in talking to you. Alternatively, ignore it, just get 'em to swap it out for a new one. (Is it new? 2 year warranty remember.)


Author Comment

by:wohenben
ID: 24434405
Yes, I think it's a return to sender coming up.  It's only a week old.  The distributor was a company called Ballicom who I think are UK only.  But I'll have a chat with Zyxel first.
Thanks for the offer of help - let's see how I get on.
 
LVL 22

Expert Comment

by:mutahir
ID: 24436663
Return it and get a DrayTek, just a thought
www.draytek.co.uk their distributors are www.seg.co.uk
Have you tried a firmware reflash? Also try just some basic settings, as you have mentioned the default LAN thing.
I had a similar problem recently with a WatchGuard; it rebooted and then never let me RDP in to the server even though the rule was specified.
 
LVL 16

Expert Comment

by:ccomley
ID: 24438891
No no - return it and get a *working* Zyxel - far superior to Drayteks. Yes, I've used both...

 

Author Comment

by:wohenben
ID: 24439721
Will be a few days before I can get back to this - will update with the results
 

Author Comment

by:wohenben
ID: 24488376
Zyxel tech support have confirmed there's a problem.  Just waiting to hear if it's hardware (1 unit) or firmware - widespread :)
 
LVL 16

Expert Comment

by:ccomley
ID: 24491096
I suspect the former - unless it's a bug in a recent f/w release that can be fixed by rolling back or rushing on to the next version!! I've never seen anything like it and we move a LOT of zyxel routers. :-)  www.wizards.co.uk
 

Author Comment

by:wohenben
ID: 24569992
Received a replacement router today.  Will update in a couple of days with the good (or bad) news.
 

Accepted Solution

by:wohenben
wohenben earned 0 total points
ID: 24643501
OK, finally got to testing the replacement.  It immediately had a better "feel" to it - just seemed to respond quicker during the config.  And so far, so stable.  So, looks like I simply had a rogue box after all.

Thanks everyone for your responses.  My faith in Zyxel is being restored.
 

Author Comment

by:wohenben
ID: 26157880
Thought I should post an update to this in case anyone else encounters the same problem.  Recently, I updated the firmware on the working replacement router and the NAT issue resurfaced.  This time, Zyxel admitted that there *is* a software problem and issued a fix for me.  At the time of writing, this fix is not available on their FTP site, but if you come across this error, contact their support people and they should be able to help out.

To summarise, the problem occurs when you define NAT for incoming traffic;  the tables get scrambled so that the external connection is mapped to the wrong internal IP.  The effect seems random, so sometimes it works correctly, other times it fails.