Re: Zyxel ZyWall 10 router MADNESS
From: MC (daven(delete_this)_at_miraclecatDELETETHISTOO.com)
Date: Sat, 11 Sep 2004 21:24:40 GMT
I meant to say that the 3 machines are configured to
"Many to One No Overload" rather than "Many to One Overload"
"MC" <daven(delete_this)@miraclecatDELETETHISTOO.com> wrote in message
> Here is exactly what is going on.
> First off, there is no ISP involved here. All systems get pre-configured
> a staging network whereby equipment can be evaluated
> to see if it will work as advertised.
> The WAN IP port is STATIC and set to 192.168.1.1 255.255.255.0 (e.g.
> internal class C)
> The LAN IP port is STATIC and set to 192.168.0.1 255.255.255.0 (e.g.
> internal class C)
> DHCP is turned off.
> Firewall is turned off (temporarily, for testing connections, of course).
> 3 machines on the LAN side are configured mapped MANY-TO-ONE OVERLOAD
> 192.168.0.10-12 LAN mapped to IPs 192.168.1.10-12 WAN
> No static routes are configured.
> No port forwarding is configured (you don't need it if you are mapping
> internal IPs directly to external IPs on a 1-1 basis).
> I have a computer on the WAN side (my laptop) that is set to 192.168.1.42
> which I do the WAN-side testing.
> There is a router on the network at 192.168.1.2 for outside access (but
> taking it out of the loop has no effect on this issue).
> My problem is that as soon as I switch from "SUA-Only" to "Full Feature"
> mode, ALL WAN access to the router is completely disabled (no pinging, no
> telnetting, no HTTP, nada! - completely shut down). For example, pinging
> 192.168.1.1 no longer generates a response after making the switch.
> REMEMBER the FIREWALL IS STILL OFF!
> Just in case the unit mysteriously turned the firewall back on, I went in
> the LAN side and telnetted in to 192.168.0.1 and verified with 100%
> certainty, that the firewall was indeed turned off. I also went in and
> verified with 100% certainty that remote management was still enabled.
> For kicks, I made certain that the packets on all interface directions
> to Lan, etc) were set to being forwarded and not dropped.
> To make sure that it was the switching of modes that caused the blockage
> 192.168.1.1, I switched the mode back to "SUA Only" from "Full Feature" and
> remote access to the router was restored. (e.g. I can ping 192.168.1.1
> Once again: The WAN address is NOT being forwarded (why on Earth would
> anyone do that anyway?)
> The FIREWALL is TURNED OFF (turning on the firewall does not fix the
> and only would add another variable to this insanity).
> I cannot use SUA because there are 4 websites with 4 separate IPs on the
> same NIC interface on the same computer all needing port 80. I could just
> set the router to not use NAT at all, but the extra layer of security NAT
> provides is very desirable especially with automated worms, also I may
> to set up an additional rule sharing a single outside IP with many inside
> As far as remote management, when this is put in place it will be managed
> via the serial port connected to an outside power controller box with
> terminal abilities via HTTPS (pretty neat actually) - 2 levels of security
> there and all SSL. The power controller owning its own WAN IP so that the
> router can be rebooted remotely (as most routers need to be every now and
> Anyway, it makes no sense whatsoever that the WAN port becomes in
> when switching modes, so I think that I have a defective unit, unless
> is a SECRET MAGICAL METHOD of getting it to work As Advertised.
> "shopping.nowthor.com" <email@example.com> wrote in message
> > On Sat, 11 Sep 2004 01:51:38 GMT, "MC"
> > <daven(delete_this)@miraclecatDELETETHISTOO.com> wrote:
> > >
> > >Has anyone had much luck in configuring a Zywall firewall router?
> > >
> > Yes, absolutely!
> > >
> > >Every time I set the NAT to "Full Feature", remote access is turned
> > >(the unit can no longer be managed via the WAN port) and the unit locks
> > >out, regardless of whether the firewall is turned on or off.
> > >
> > First, make sure the firewall is always on. There is no point in
> > buying a firewall and then disabling it.
> > Second, do you have more than one public IP address? If the answer is
> > no then you don't need "Full Feature". "SUA Only" is the way to go.
> > Are you trying to connect to the ZyWALL from the WAN side using the
> > WAN IP address? If yes, have you created a firewall rule to allow HTTP
> > access to the ZyWALL?
> > Or, if you are using Multi-NAT and created forward rules, make sure
> > you aren't forwarding (WAN IP address/port 80) to some other device.
> > BTW, it's not a very good idea to remotely configure a ZyWALL over
> > HTTP. It's better to create an IPsec tunnel first.
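As an added illustration of the point MC makes about the four port-80 servers (a constructed model, not ZyWALL firmware or the poster's configuration): a 1:1 IP mapping lets each outside address identify one inside host, while an overload (SUA) mapping shares one outside address, so a given port can only be forwarded to a single host.

```python
"""Constructed model of the two ZyWALL NAT mapping styles discussed above.
Illustration only; not ZyWALL code and not the poster's actual configuration."""
from dataclasses import dataclass, field


@dataclass
class NatBox:
    mode: str                                     # "no_overload" (1:1 IP map) or "overload" (SUA / PAT)
    wan_ip: str = "192.168.1.1"                   # the single shared address used in overload mode
    ip_map: dict = field(default_factory=dict)    # inside IP -> outside IP, 1:1 (no overload)
    forwards: dict = field(default_factory=dict)  # outside port -> inside IP (overload mode)

    def inbound(self, dst_ip: str, dst_port: int):
        """Where an unsolicited inbound packet to dst_ip:dst_port is delivered, or None."""
        if self.mode == "no_overload":
            # Each outside IP stands for exactly one inside host, so the port
            # number never has to disambiguate between servers.
            for inside, outside in self.ip_map.items():
                if outside == dst_ip:
                    return (inside, dst_port)
            return None
        # Overload: every host shares wan_ip, so each outside port can be
        # forwarded to at most one inside host.
        if dst_ip != self.wan_ip:
            return None
        target = self.forwards.get(dst_port)
        return (target, dst_port) if target else None


# Three LAN hosts as in the thread: 192.168.0.10-12 mapped to 192.168.1.10-12.
INSIDE = ["192.168.0.10", "192.168.0.11", "192.168.0.12"]
OUTSIDE = ["192.168.1.10", "192.168.1.11", "192.168.1.12"]


def port80_reachable(mode: str) -> set:
    """Set of inside hosts an outside client can reach on TCP/80 in the given mode."""
    if mode == "no_overload":
        box = NatBox(mode, ip_map=dict(zip(INSIDE, OUTSIDE)))
        probes = OUTSIDE
    else:
        # With overload only one forward for port 80 can exist; pick the first host.
        box = NatBox(mode, forwards={80: INSIDE[0]})
        probes = OUTSIDE + [box.wan_ip]
    hits = set()
    for ip in probes:
        delivered = box.inbound(ip, 80)
        if delivered:
            hits.add(delivered[0])
    return hits


if __name__ == "__main__":
    print("no overload:", sorted(port80_reachable("no_overload")))  # all three hosts
    print("overload:   ", sorted(port80_reachable("overload")))     # only one host
```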