Re: Zyxel ZyWall 10 router MADNESS

From: MC (daven(delete_this)_at_miraclecatDELETETHISTOO.com)
Date: 09/11/04

    Date: Sat, 11 Sep 2004 21:24:40 GMT
    
    

    I meant to say that the 3 machines are configured to
    "Many to One No Overload" rather than "Many to One Overload"

    "MC" <daven(delete_this)@miraclecatDELETETHISTOO.com> wrote in message
    news:78I0d.174619$mD.52778@attbi_s02...
    > Hi,
    >
    > Here is exactly what is going on.
    > First off, there is no ISP involved here. All systems get pre-configured in
    > a staging network whereby equipment can be evaluated
    > to see if it will work as advertised.
    >
    > The WAN IP port is STATIC and set to 192.168.1.1 255.255.255.0 (e.g.
    > internal class C)
    > The LAN IP port is STATIC and set to 192.168.0.1 255.255.255.0 (e.g.
    > internal class C)
    > DHCP is turned off.
    > Firewall is turned off (temporarily, for testing connections, of course).
    >
    > 3 machines on the LAN side are configured mapped MANY-TO-ONE OVERLOAD
    > 192.168.0.10-12 LAN mapped to IPs 192.168.1.10-12 WAN
    >
    > No static routes are configured.
    > No port forwarding is configured (you don't need it if you are mapping
    > internal IPs directly to external IPs on a 1-1 basis).
    >
    > I have a computer on the WAN side (my laptop) that is set to 192.168.1.42 of
    > which I do the WAN-side testing.
    > There is a router on the network at 192.168.1.2 for outside access (but
    > taking it out of the loop has no effect on this issue).
    >
    > My problem is that as soon as I switch from "SUA-Only" to "Full Feature"
    > mode, ALL WAN access to the router is completely disabled (no pinging, no
    > telnetting, no HTTP, nada! - completely shut down). For example, pinging
    > 192.168.1.1 no longer generates a response after making the switch.
    > REMEMBER the FIREWALL IS STILL OFF!
    > Just in case the unit mysteriously turned the firewall back on, I went in
    > the LAN side and telnetted in to 192.168.0.1 and verified with 100%
    > certainty, that the firewall was indeed turned off. I also went in and
    > verified with 100% certainty that remote management was still enabled.
    > For kicks, I made certain that the packets on all interface directions (Wan
    > to Lan, etc) were set to being forwarded and not dropped.
    >
    > To make sure that it was the switching of modes that caused the blockage of
    > 192.168.1.1, I switch the mode back to "SUA Only" from "Full Feature" and
    > remote access to the router was restored. (eg I can ping 192.168.1.1 again).
    >
    > Once again: The WAN address is NOT being forwarded (why on Earth would
    > anyone do that anyway?)
    > The FIREWALL is TURNED OFF (turning on the firewall does not fix the problem
    > and only would add another variable to this insanity).
    >
    > I cannot use SUA because there are 4 websites with 4 separate IPs on the
    > same NIC interface on the same computer all needing port 80. I could just
    > set the router to not use NAT at all, but the extra layer of security NAT
    > provides is very desirable especially with automated worms, also I may wish
    > to set up an additional rule sharing a single outside IP with many inside
    > boxes.
    >
    > As far as remote management, when this is put in place it will be managed
    > via the serial port connected to an outside power controller box with
    > terminal abilities via HTTPS (pretty neat actually) - 2 levels of security
    > there and all SSL. The power controller owning its own WAN IP so that the
    > router can be rebooted remotely (as most routers need to be every now and
    > then).
    >
    > Anyway, it makes no sense whatsoever that the WAN port becomes inaccessible
    > when switching modes, so I think that I have a defective unit, unless there
    > is a SECRET MAGICAL METHOD of getting it to work As Advertised.
    >
    > "shopping.nowthor.com" <nospam@shopping.nowthor.com> wrote in message
    > news:j7t4k01a51dhbesfk673uu2lhegk9oso3q@4ax.com...
    > > On Sat, 11 Sep 2004 01:51:38 GMT, "MC"
    > > <daven(delete_this)@miraclecatDELETETHISTOO.com> wrote:
    > > >
    > > >Has anyone had much luck in configuring a Zywall firewall router?
    > > >
    > >
    > > Yes, absolutely!
    > >
    > > >
    > > >Every time I set the NAT to "Full Feature", remote access is turned off
    > > >(the unit can no longer be managed via the WAN port) and the unit locks me
    > > >out, regardless of whether the firewall is turned on or off.
    > > >
    > >
    > > First, make sure the firewall is always on. There is no point in
    > > buying a firewall and then disabling it.
    > >
    > > Second, do you have more than one public IP address? If the answer is
    > > no then you don't need "Full Feature". "SUA Only" is the way to go.
    > >
    > > Are you trying to connect to the ZyWALL from the WAN side using the
    > > WAN IP address? If yes, have you created a firewall rule to allow HTTP
    > > access to the ZyWALL?
    > >
    > > Or, if you are using Multi-NAT and created forward rules, make sure
    > > you aren't forwarding (WAN IP address/port 80) to some other device.
    > >
    > > BTW, it's not a very good idea to remotely configure a ZyWALL over
    > > HTTP. It's better to create an IPsec tunnel first.
    >
    >

