ZyXEL Forum

[slacri]

Hello, I have a question! Is it possible to route traffic (or traffic on specific ports) to a different device on a different DSL?

Normally a client contacts a server a on a specific port on a the public address:
In my example:

CLIENT -----> ZYWALL (88.58.231.x) ---> nat-----> SERVER

Now I need to move the server to a different location but the clients need to continue to call the same public IP (88.58.231.x):

The new scenario would then be:

CLIENT -----> ZYWALL1 (88.58.2321.x) ------> ZYWALL2 (79.53.122.x)----->nat-----> SERVER

Of course there's no relathionship or vpn between the two dsl.
I'm afraid I cannot do that. What do you think?
Thanks everybody
Simone

[bbarrera]

What is the server?

Normally this problem is solved by changing a DNS record, then client will stop sending traffic to old IP and use the new IP. Are your clients hard-coded to use a single public IP address instead of FQDN?

[superataru]

What is the server?

Normally this problem is solved by changing a DNS record, then client will stop sending traffic to old IP and use the new IP. Are your clients hard-coded to use a single public IP address instead of FQDN?

And also there would be a loss of speed.

[slacri]

Exactly. The clients hard-coded to use a single public IP address and not a FQDN. Do you think it could work?
Thanks
Simone

[bbarrera]

It may or may not work, depending on the protocol. You may need special software to act as a proxy. Its hard to say because you haven't mentioned the protocol used by the server. If the public IP is hard-coded into the client and the client insists on talking with only that IP then you would likely need to NAT packets on the first ZyWALL and then route to the second ZyWALL for a 2nd NAT and handling by the server, and the server would send back via zw2 then zw1 then client. This assumes that the server is using a NAT friendly protocol, and the ZyWALL can be configured to NAT and route to 2nd ZyWALL.

[slacri]

Thanks for your replies.
The server listens on custom ports, tcp 1000 and 1001.
My doubt is that the definition of next-hop in the static route section is:

This is the IP address of the next-hop gateway or the interface through which the traffic is routed. The gateway is a router or switch on the same segment as your ZyWALL's interface(s). The gateway helps forward packets to their destinations.

Basically you can forward traffic to a gateway not to a public IP

Do you think it is possible to nat directly to a second Zywall using its public IP address? this is what I understand In the last reply by bbarrera.
Thanks
Simone

[bbarrera]

I don't know if it is possible. The USG series is very flexible device, and if possible, you will need to look in Policy Route section.

Policy Routes allow you to apply NAT and specify next hop.

[slacri]

Hello, I have news. I made it! I didn't configure any routing rule, just a 'virtual server' server. As a 'User-Defined Mapped IP' I used th public IP of the device that I wanted to forward traffic to! I did'nt know I could use a public IP address in a virtual server rule.
So, if 1.1.1.1 is my USG300 and 2.2.2.2 is the remote IP i want to forward to, I can forward smtp traffic from 1.1.1.1 to 2.2.2.2
"telnet 1.1.1.1. 25" is now the same as "telnet 2.2.2.2 25"
Nevertheless at the moment I haven't been able to reproduce this situation elsewhere. I don't if this setting has to work or not. Does it have to work or not?
Let me you know what you think!
thanks everyone!
Simone

[superataru]

Hello, I have news. I made it! I didn't configure any routing rule, just a 'virtual server' server. As a 'User-Defined Mapped IP' I used th public IP of the device that I wanted to forward traffic to! I did'nt know I could use a public IP address in a virtual server rule.
So, if 1.1.1.1 is my USG300 and 2.2.2.2 is the remote IP i want to forward to, I can forward smtp traffic from 1.1.1.1 to 2.2.2.2
"telnet 1.1.1.1. 25" is now the same as "telnet 2.2.2.2 25"
Nevertheless at the moment I haven't been able to reproduce this situation elsewhere. I don't if this setting has to work or not. Does it have to work or not?
Let me you know what you think!
thanks everyone!
Simone

Cool. That seems such a kind of evolution of what i wrote some months ago.
Make a fake virtual server, create an object with one of you public IP addresses not involved in a trunk, ad you can nat/route traffic to a public IP of your pool that, with standard setting, would be unused whit the USG. Policy routing is required, anyway.
Please explain with a scheme your results.

[slacri]

I've been able to reproduce this configuration!
Let me summarize:

I want redirect traffic to a public IP in the Internet (whatever public IP):

I have a USG300 with IP address 88.X.X.200 (ge2)

* Create an object with the destination IP address, for example, 89.X.X.133
* Create an object with one of your IP address in your range, for example 88.X.X.201
* Unflag "Block Intra-zone Traffic" on the WAN zone
* Create a 'virtual server' rule setting the object for 88.X.X.201 in your 'Original IP' and the object for 89.X.X.133 in your 'Mapped IP'. Then specify the service, for example SMTP (both 'Original Service' and 'Mapped Service')
* Create a routing rule with 'source' 'any', 'destination' the object for 89.X.X.133, 'next hop' 'ge2', SNAT 'outgoing-interface'.

Now, typing "telnet 88.X.X.201 25" has the the same effect as "telnet 89.X.X.133 25" !

Try it yourself, it takes 5 minutes!

My Zyxel support, though, at the moment, did not confirm this is a feature of USG products. But it works!
What do you think?
Thanks
Simone