Re: Zyxel ZyWall 10 router MADNESS

From: MC (daven(delete_this)_at_miraclecatDELETETHISTOO.com)
Date: 09/11/04


Date: Sat, 11 Sep 2004 19:14:11 GMT

Hi,

Here is exactly what is going on.
First off, there is no ISP involved here. All systems get pre-configured in
a staging network whereby equipment can be evaluated
to see if it will work as advertised.

The WAN IP port is STATIC and set to 192.168.1.1 255.255.255.0 (e.g.
internal class C)
The LAN IP port is STATIC and set to 192.168.0.1 255.255.255.0 (e.g.
internal class C)
DHCP is turned off.
Firewall is turned off (temporarily, for testing connections, of course).

3 machines on the LAN side are configured mapped MANY-TO-ONE OVERLOAD
192.168.0.10-12 LAN mapped to IPs 192.168.1.10-12 WAN

No static routes are configured.
No port forwarding is configured (you don't need it if you are mapping
internal IPs directly to external IPs on a 1-1 basis).

I have a computer on the WAN side (my laptop) that is set to 192.168.1.42, from
which I do the WAN-side testing.
There is a router on the network at 192.168.1.2 for outside access (but
taking it out of the loop has no effect on this issue).

My problem is that as soon as I switch from "SUA-Only" to "Full Feature"
mode, ALL WAN access to the router is completely disabled (no pinging, no
telnetting, no HTTP, nada! - completely shut down). For example, pinging
192.168.1.1 no longer generates a response after making the switch.
REMEMBER the FIREWALL IS STILL OFF!
Just in case the unit mysteriously turned the firewall back on, I went in
the LAN side and telnetted in to 192.168.0.1 and verified with 100%
certainty, that the firewall was indeed turned off. I also went in and
verified with 100% certainty that remote management was still enabled.
For kicks, I made certain that the packets on all interface directions (WAN
to LAN, etc.) were set to being forwarded and not dropped.

To make sure that it was the switching of modes that caused the blockage of
192.168.1.1, I switched the mode back to "SUA Only" from "Full Feature" and
remote access to the router was restored (e.g. I can ping 192.168.1.1 again).

Once again: The WAN address is NOT being forwarded (why on Earth would
anyone do that anyway?)
The FIREWALL is TURNED OFF (turning on the firewall does not fix the problem
and only would add another variable to this insanity).

I cannot use SUA because there are 4 websites with 4 separate IPs on the
same NIC interface on the same computer all needing port 80. I could just
set the router to not use NAT at all, but the extra layer of security NAT
provides is very desirable especially with automated worms, also I may wish
to set up an additional rule sharing a single outside IP with many inside
boxes.

As far as remote management, when this is put in place it will be managed
via the serial port connected to an outside power controller box with
terminal abilities via HTTPS (pretty neat actually) - 2 levels of security
there and all SSL. The power controller owns its own WAN IP so that the
router can be rebooted remotely (as most routers need to be every now and
then).

Anyway, it makes no sense whatsoever that the WAN port becomes inaccessible
when switching modes, so I think that I have a defective unit, unless there
is a SECRET MAGICAL METHOD of getting it to work As Advertised.

"shopping.nowthor.com" <nospam@shopping.nowthor.com> wrote in message
news:j7t4k01a51dhbesfk673uu2lhegk9oso3q@4ax.com...
> On Sat, 11 Sep 2004 01:51:38 GMT, "MC"
> <daven(delete_this)@miraclecatDELETETHISTOO.com> wrote:
> >
> >Has anyone had much luck in configuring a Zywall firewall router?
> >
>
> Yes, absolutely!
>
> >
> >Every time I set the NAT to "Full Feature", remote access is turned off
> >(the unit can no longer be managed via the WAN port) and the unit locks me
> >out, regardless of whether the firewall is turned on or off.
> >
>
> First, make sure the firewall is always on. There is no point in
> buying a firewall and then disable it.
>
> Second, do you have more than one public IP address? If the answer is
> no then you don't need "Full Feature". "SUA Only" is the way to go.
>
> Are you trying to connect to the ZyWALL from the WAN side using the
> WAN IP address? If yes, have you created a firewall rule to allow HTTP
> access to the ZyWALL?
>
> Or, if you are using Multi-NAT and created forward rules, make sure
> you aren't forwarding (WAN IP address/port 80) to some other device.
>
> BTW, it's not a very good idea to remotely configure a ZyWALL over
> HTTP. It's better to create an IPsec tunnel first.
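The check suggested in the reply (is anything forwarding the router's own WAN address, port 80, to some other device?) can be applied to the mapping table described in the post. The following is an added example, not Zyxel code or anything from the thread; it is a simplified model of one-to-one mappings plus port forwards, using the post's addresses (WAN 192.168.1.1, LAN hosts 192.168.0.10-12 mapped to 192.168.1.10-12), and its lookup order is an assumption, not the ZyWALL's documented behaviour.

```python
import ipaddress
from dataclasses import dataclass

# Addresses taken from the post; the rule semantics below are a constructed model.
ROUTER_WAN_IP = ipaddress.ip_address("192.168.1.1")


def ip(s):
    return ipaddress.ip_address(s)


@dataclass
class OneToOne:
    """A block of `count` LAN addresses mapped 1-1 onto a block of WAN addresses."""
    lan_start: ipaddress.IPv4Address
    wan_start: ipaddress.IPv4Address
    count: int


@dataclass
class Forward:
    """A single (WAN IP, port) forwarded to one inside host."""
    wan_ip: ipaddress.IPv4Address
    port: int
    lan_ip: ipaddress.IPv4Address


# The poster's table: 192.168.0.10-12 <-> 192.168.1.10-12, no port forwards.
POST_RULES = [OneToOne(ip("192.168.0.10"), ip("192.168.1.10"), 3)]


def resolve_inbound(rules, dst_ip, dst_port):
    """Where an inbound WAN packet lands: an inside address, "router", or None (dropped)."""
    for r in rules:  # assumption: explicit port forwards win over address mappings
        if isinstance(r, Forward) and r.wan_ip == dst_ip and r.port == dst_port:
            return r.lan_ip
    for r in rules:
        if isinstance(r, OneToOne):
            offset = int(dst_ip) - int(r.wan_start)
            if 0 <= offset < r.count:
                return r.lan_start + offset
    if dst_ip == ROUTER_WAN_IP:
        return "router"  # nothing captured it, so the router itself answers
    return None


def management_captured(rules, mgmt_ports=(80, 23)):
    """List (port, inside host) pairs that would steal management traffic for the WAN IP."""
    hits = []
    for port in mgmt_ports:
        target = resolve_inbound(rules, ROUTER_WAN_IP, port)
        if target not in ("router", None):
            hits.append((port, str(target)))
    return hits
```

With the post's table, `management_captured(POST_RULES)` is empty, so a rule overlap does not explain the lockout described; adding a forward of 192.168.1.1:80 to an inside host is the case the reply warns about.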


