Re: Zyxel ZyWall 10 router MADNESS

From: MC (daven(delete_this)
Date: 09/11/04

Date: Sat, 11 Sep 2004 19:14:11 GMT


Here is exactly what is going on.
First off, there is no ISP involved here. All systems get pre-configured in
a staging network whereby equipment can be evaluated
to see if it will work as advertised.

The WAN IP port is STATIC and set to (e.g.
internal class C)
The LAN IP port is STATIC and set to (e.g.
internal class C)
DHCP is turned off.
Firewall is turned off (temporarily, for testing connections, of course).

3 machines on the LAN side are configured mapped MANY-TO-ONE OVERLOAD LAN mapped to IPs WAN

No static routes are configured.
No port forwarding is configured (you don't need it if you are mapping
internal IPs directly to external IPs on a 1-1 basis).

I have a computer on the WAN side (my laptop) that is set to of
which I do the WAN-side testing.
There is a router on the network at for outside access (but
taking it out of the loop has no effect on this issue).

My problem is that as soon as I switch from "SUA-Only" to "Full Feature"
mode, ALL WAN access to the router is completely disabled (no pinging, no
telnetting, no HTTP, nada! - completely shut down). For example, pinging no longer generates a response after making the switch.
Just in case the unit mysteriously turned the firewall back on, I went in
the LAN side and telnetted in to and verified with 100%
certainty, that the firewall was indeed turned off. I also went in and
verified with 100% certainty that remote management was still enabled.
For kicks, I made certain that the packets on all interface directions (Wan
to Lan, etc) were set to being forwarded and not dropped.

To make sure that it was the switching of modes that caused the blockage of, I switched the mode back to "SUA Only" from "Full Feature" and
remote access to the router was restored (e.g. I can ping again).

Once again: The WAN address is NOT being forwarded (why on Earth would
anyone do that anyway?)
The FIREWALL is TURNED OFF (turning on the firewall does not fix the problem
and only would add another variable to this insanity).

I cannot use SUA because there are 4 websites with 4 separate IPs on the
same NIC interface on the same computer all needing port 80. I could just
set the router to not use NAT at all, but the extra layer of security NAT
provides is very desirable especially with automated worms, also I may wish
to set up an additional rule sharing a single outside IP with many inside

As far as remote management, when this is put in place it will be managed
via the serial port connected to an outside power controller box with
terminal abilities via HTTPS (pretty neat actually) - 2 levels of security
there and all SSL. The power controller owning its own WAN IP so that the
router can be rebooted remotely (as most routers need to be every now and

Anyway, it makes no sense whatsoever that the WAN port becomes inaccessible
when switching modes, so I think that I have a defective unit, unless there
is a SECRET MAGICAL METHOD of getting it to work As Advertised.

"" <> wrote in message
> On Sat, 11 Sep 2004 01:51:38 GMT, "MC"
> <daven(delete_this)> wrote:
> >
> >Has anyone had much luck in configuring a Zywall firewall router?
> >
> Yes, absolutely!
> >
> >Every time I set the the NAT to "Full Feature", remote access is turned
> >(the unit can no longer be managed via the WAN port) and the unit locks
> >out, regardless of whether the firewall is turned on or off.
> >
> First, make sure the firewall is always on. There is no point in
> buying a firewall and then disabling it.
> Second, do you have more than one public IP address? If the answer is
> no then you don't need "Full Feature". "SUA Only" is the way to go.
> Are you trying to connect to the ZyWALL from the WAN side using the
> WAN IP address? If yes, have you created a firewall rule to allow HTTP
> access to the ZyWALL?
> Or, if you are using Multi-NAT and created forward rules, make sure
> you aren't forwarding (WAN IP address/port 80) to some other device.
> BTW, it's not a very good idea to remotely configure a ZyWALL over
> HTTP. It's better to create an IPsec tunnel first.
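Added example, not part of the thread above and not a ZyWALL configuration: the same layout MC describes (three LAN hosts each mapped 1:1 to their own public address, the rest of the LAN sharing one public address, the router's own WAN address left out of every NAT rule so management traffic terminates on the router) rendered as an nftables ruleset for a Linux router, with the firewall kept on and management opened to a single outside host as the reply recommends. All addresses (RFC 5737 documentation ranges), interface names and the management host are assumptions. The script only prints the ruleset unless invoked with "apply"; the check function confirms the WAN address is never the target of a dnat or snat rule, which is the mistake the reply warns about (forwarding the WAN IP to another device).

```shell
#!/bin/sh
# Added example, not from the original post or from Zyxel: 1:1 NAT for three
# hosts plus many-to-one overload for the rest, with the router's own WAN
# address untouched so remote management of the router keeps working.
# Assumed values: RFC 5737 documentation addresses and invented interface names.

WAN_IF=eth0
LAN_IF=eth1
WAN_IP=203.0.113.1          # router's own WAN address (management target)
OVERLOAD_IP=203.0.113.10    # shared public address for the rest of the LAN
LAN_NET=192.168.1.0/24
MGMT_HOST=198.51.100.5      # the one outside host allowed to manage the router

# "private public" pairs for the 1:1 mappings (assumed addresses)
ONE_TO_ONE="192.168.1.11 203.0.113.11
192.168.1.12 203.0.113.12
192.168.1.13 203.0.113.13"

# Print the nftables ruleset on stdout. Pipe into `nft -f -` to apply.
nat_ruleset() {
    echo 'flush ruleset'
    echo 'table ip nat {'
    echo '    chain prerouting {'
    echo '        type nat hook prerouting priority -100; policy accept;'
    # Inbound: only the extra public addresses are rewritten. Packets for
    # WAN_IP match nothing here and are delivered to the router itself.
    echo "$ONE_TO_ONE" | while read -r priv pub; do
        echo "        iifname \"$WAN_IF\" ip daddr $pub dnat to $priv"
    done
    echo '    }'
    echo '    chain postrouting {'
    echo '        type nat hook postrouting priority 100; policy accept;'
    # Outbound: 1:1 hosts keep their dedicated address. snat is terminal, so
    # these rules must precede the catch-all overload rule for the LAN.
    echo "$ONE_TO_ONE" | while read -r priv pub; do
        echo "        oifname \"$WAN_IF\" ip saddr $priv snat to $pub"
    done
    echo "        oifname \"$WAN_IF\" ip saddr $LAN_NET snat to $OVERLOAD_IP"
    echo '    }'
    echo '}'
    # Firewall stays on: management of the router only from MGMT_HOST,
    # LAN may go out, the 1:1 hosts may be reached on port 80 (the web sites).
    echo 'table ip filter {'
    echo '    chain input {'
    echo '        type filter hook input priority 0; policy drop;'
    echo '        ct state established,related accept'
    echo "        iifname \"$LAN_IF\" accept"
    echo "        iifname \"$WAN_IF\" ip saddr $MGMT_HOST ip daddr $WAN_IP tcp dport { 22, 443 } accept"
    echo '    }'
    echo '    chain forward {'
    echo '        type filter hook forward priority 0; policy drop;'
    echo '        ct state established,related accept'
    echo "        iifname \"$LAN_IF\" oifname \"$WAN_IF\" accept"
    echo "$ONE_TO_ONE" | while read -r priv pub; do
        echo "        iifname \"$WAN_IF\" ip daddr $priv tcp dport 80 accept"
    done
    echo '    }'
    echo '}'
}

# Sanity check: the router's own WAN address must not be the object of any
# NAT rule, otherwise management packets get rewritten away from the router.
# -w keeps 203.0.113.1 from matching inside 203.0.113.11 etc.
wan_ip_is_untouched() {
    ! nat_ruleset | grep -E 'dnat to|snat to' | grep -qwF "$WAN_IP"
}

if [ "${1:-}" = apply ]; then
    nat_ruleset | nft -f -      # needs root and nftables on the router
else
    nat_ruleset
fi
```

Run it as root with "apply" on the router to load the rules; without arguments it just prints the ruleset for review.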