Lloyd Charlier

Configure ZyWALL Firewall/Router to work with Cox CIDR and WAN IP

I have a small business network (~20 workstations and a few dozen VM-based servers) that is served by Cox Business.  All machines on our LAN have private IP addresses (192.168.1.xx) although some have a 1:1 NAT mapping to static public IPs.  Historically, we have paid Cox to provide us with a small number (~10) static IPs and configuring the network was a no-brainer.  Having now moved to a new office however, Cox initially provided us with five (5) static IPs but has now informed us that they are taking away four (4) of the five (5) static IPs and replacing them with a CIDR block (in an entirely different subnet).  I have read postings from others (both here on EE and elsewhere) who, like me, were confused as to how to configure their hardware to work with CIDR, but their specific cases were slightly different than mine (and they used different hardware).  While I am happy that Cox has assigned me what appears to be a much larger pool of usable public addresses (29), I am unsure how to take advantage of them!

My particulars are as follows (IPs changed slightly from actuals):

Router/Firewall: ZyXEL ZyWALL 110 (part of the ZyWALL 100/200/300 family)
WAN Address:
WAN Network Mask:
WAN Gateway:

Customer Network:
Suggested Default Gateway:
Customer Netmask:
Usable CIDR IPs: -
Broadcast IP:

I would like to keep all of my machines on the same private network and, where necessary, provide either 1:1 NATing or port mapping as needed.

Can someone please:


Explain the difference between my old approach (with dedicated static IPs, all in the same subnet) and the new CIDR approach with a block of IPs (in a different subnet from the assigned WAN IP).


Educate me on how best to configure my specific firewall/router to work with this new approach.

Thanks in advance for any-and-all assistance!
Routers, Hardware Firewalls, Network Architecture

Last Comment
Lloyd Charlier

8/22/2022 - Mon

Just add the CIDR range to the WAN interface as a secondary range.
Select the right WAN interface (e.g. wan1), then create a virtual interface on it.
(You will then get: wan1:1 ..) and fill out the fields with IP address & netmask.

Also adjust the firewall rules accordingly (in case an interface is mentioned, e.g. wan1 is not equal to wan1:1).
Then use those addresses for NAT.
Lloyd Charlier


Thanks for the quick reply.  Your directions sound simple enough however I don't see any place to specify a range/block in the ZyWALL configuration screens:

[Screenshot: ZyWALL 110 - Create Virtual Interface]
In addition to the ZyXEL forums, I have searched the ZyWALL 110 User's Guide and Application Note docs but cannot find any reference to "secondary range" or "CIDR".  Perhaps they call it something else?  Do I have to create Virtual Interfaces for each-and-every IP address in the CIDR block instead?  Also where would I specify the CIDR default gateway and broadcast IP params?

OK, you have the IP address & netmask field.
CIDR is a different netmask spec.

/32 =
/30 = 252 = (128 + 64 + 32 + 16 + 8 + 4)
/28 = 240 = (128 + 64 + 32 + 16)
/26 = 192 = (128 + 64)
/24 =
/16 =
/8 =
/0 =
Lloyd Charlier


Again, much appreciate the reply.

Per your last response, I understand how a netmask is derived.  That said, it is still unclear to me where I can enter the CIDR information (in its entirety) as it was supplied to me by Cox:

The range of CIDR addresses:
The default gateway associated with the above CIDR block:
The netmask associated with the above CIDR block:
The broadcast IP associated with the above CIDR block:

Does the ZyWALL 110 device even have a facility for specifying a range?  If so, I don't see it.  If not, if I want to take advantage of all of the available usable IPs in the CIDR block ( -, do I need to explicitly define a Virtual Interface for each-and-every IP (i.e. 29 Virtual Interfaces - wan1:1-wan1:29)?

FWIW, I tried creating a Virtual Interface for one of the IPs ( but it didn't appear to work (could not ping machine 1:1 NATed to IP):
[Screenshot: Virtual Interface - wan1:1]
Sorry if I'm being dense.  Please feel free to point out my stupidity... <grin>  Thanks.

Now did you get the block as a replacement for the current address or in addition to the one WAN address...
(What happens is that your provider has set up your entire block as being routed over the original WAN link.)

(Additional CIDR Block)
If you have 1 address on WAN and a 2nd CIDR block on a virtual interface, then normally only the WAN default gateway applies for ALL routes. In some cases you can also use the Broadcast & Base address as an address.

If it is a replacement then the old addresses apparently are dropped, then you don't need the virtual interface, but modify the WAN. (BTW, this is not what I read from your original Q.)

Virtual addresses should not be created per address.
A NAT routing entry should be created for that. (And obviously a firewall rule to allow the traffic to that address on the WAN.) Also a WAN -> ZyWALL rule would be needed including that CIDR address range to respond to ping.
And you may need specific routing rules specifying outgoing NAT settings for traffic. (A 1:1 NAT rule would do that for you.)
Lloyd Charlier


Per your question, our ISP is routing the CIDR block over the original WAN IP.  That said, from your last posting, it appears that we need to create one Virtual Interface on WAN1.  Not to beat this to death, but the Virtual Interface dialog doesn't appear to accept IP address ranges - just discrete IPs (see image from previous post).  How do I specify the CIDR range?  In your post, you state "In some cases you can also use the Broadcast & Base address as an address".  In lieu of specifying the CIDR range, are you suggesting I try using one of these two addresses in the Virtual Interface instead?  I'll give it a try...

With respect to the ping testing, I already created firewall/routing rules to enable pinging a public IP and having it return an echo if the corresponding 1:1 mapped private IP is up-and-running.  I was already doing this without problems when I was using plain old static IPs in the same subnet as my WAN IP.

I will try re-configuring the Virtual Interface again using either the broadcast IP or base address and see if this fixes things.

Thanks again!

IP address =
Netmask =
The description that this is the X/Y/Z Address range provided by... [ if you want to ]
And possibly bandwidth settings.

(the first two define the range from - [ inclusive ]. )
nothing else.
Lloyd Charlier

Sorry for the long delay in responding.  I have been dealing with a major health issue that arose in December of last year...

Per your last post, I was never able to configure my specific firewall device (ZyWALL 110) according to your recommendations and get it to work.  I reached out multiple times to ZyXEL (via voice-mails, CSR ticket submissions and forum postings - no response).  Needless to say, I am less than impressed with their customer service... <grrr>

Lloyd Charlier


While I still cannot find any place in the 110's UI or their documentation that addresses specifying a CIDR block range, you have bent over backwards trying to help me and I won't string you along any further.  I finally made contact with ZyXEL Support asking them the same questions posed here and they seem to be just as much in the dark as I am (not very reassuring).  Regardless, I will continue to bang on them until they figure it out.

Thanks again for sticking with the thread as long as you did!

Well CIDR ranges need to be transposed to their netmask equivalences...

/1 =
/2 =
/3 =
/4 =
/5 =
/6 =
/7 =
/8 =
/16 =
/24 =
/32 =
Lloyd Charlier

FWIW, this is the response I just received from ZyXEL (sounds like they're admitting that the ZyWALL 110 does not natively support CIDR block addressing):


Unfortunately our devices are limited and we cannot accommodate the addresses with their suggested gateway. You would have to input each address under 1:1 NAT so you can map them to internal devices.

Please call our support center to better assist you at:

1-800-255-4101 Opt. 5
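
The following is an added example, not part of the thread or of ZyXEL's documentation. It derives the netmask, broadcast and usable range of a routed block, shows that such a block is not on-link with the WAN subnet (the difference from the old same-subnet static IPs), and validates a per-address 1:1 NAT plan before it is entered on the firewall. All addresses are constructed from documentation ranges; the /27 is an assumption chosen because it leaves 29 usable addresses once a gateway is reserved, and the function names are hypothetical.

```python
import ipaddress

def describe_block(cidr, gateway):
    """Netmask, broadcast and the addresses left for 1:1 NAT in a routed block."""
    net = ipaddress.ip_network(cidr)          # raises if host bits are set
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        raise ValueError(f"gateway {gw} is outside {net}")
    usable = [h for h in net.hosts() if h != gw]
    return {"netmask": str(net.netmask), "broadcast": str(net.broadcast_address),
            "first": str(usable[0]), "last": str(usable[-1]), "count": len(usable)}

def is_on_link(wan_ip, wan_mask, cidr):
    """True if the block sits inside the WAN subnet (the old static-IP layout)."""
    wan_net = ipaddress.ip_interface(f"{wan_ip}/{wan_mask}").network
    return ipaddress.ip_network(cidr).subnet_of(wan_net)

def check_nat_plan(cidr, gateway, lan_cidr, plan):
    """Return a list of problems in a list of (public, private) 1:1 NAT pairs."""
    net, lan = ipaddress.ip_network(cidr), ipaddress.ip_network(lan_cidr)
    # Follows the ISP sheet: base, gateway and broadcast are not "usable".
    reserved = {net.network_address, net.broadcast_address,
                ipaddress.ip_address(gateway)}
    problems, seen_pub, seen_priv = [], set(), set()
    for pub_s, priv_s in plan:
        pub, priv = ipaddress.ip_address(pub_s), ipaddress.ip_address(priv_s)
        if pub not in net:
            problems.append(f"{pub}: not in routed block {net}")
        elif pub in reserved:
            problems.append(f"{pub}: reserved (base, gateway or broadcast)")
        if priv not in lan:
            problems.append(f"{priv}: not on LAN {lan}")
        if pub in seen_pub:
            problems.append(f"{pub}: public address mapped twice")
        if priv in seen_priv:
            problems.append(f"{priv}: private host mapped twice")
        seen_pub.add(pub)
        seen_priv.add(priv)
    return problems

# Constructed sample values (RFC 5737 documentation ranges, not the poster's).
WAN_IP, WAN_MASK = "198.51.100.10", "255.255.255.0"
BLOCK, BLOCK_GW, LAN = "203.0.113.32/27", "203.0.113.33", "192.168.1.0/24"
PLAN = [("203.0.113.34", "192.168.1.10"),   # fine
        ("203.0.113.33", "192.168.1.11"),   # collides with the block gateway
        ("203.0.113.70", "192.168.1.12"),   # outside the /27
        ("203.0.113.35", "192.168.1.10")]   # second mapping for one host

if __name__ == "__main__":
    print(describe_block(BLOCK, BLOCK_GW))
    print("on-link with WAN subnet:", is_on_link(WAN_IP, WAN_MASK, BLOCK))
    for problem in check_nat_plan(BLOCK, BLOCK_GW, LAN, PLAN):
        print("PROBLEM:", problem)
```

Each 1:1 NAT entry that passes the check still needs its own WAN-to-LAN firewall rule, scoped to the services that host is meant to publish.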