V4.32 NAT port 80 and 443 not allowed


All Replies

  • PeterUK
    PeterUK Posts: 2,723  Guru Member
    edited July 2019

    Just to bring that back: it's still an issue on firmware V4.33(AAAA.0)ITS-WK19-r88384.

    This is when connecting to LAN1, so it should not conflict.

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,450  Zyxel Employee

    Hi @PeterUK

    My test procedure is as below:

    - USG OPT interface IP is 10.214.48.21

    - opt_ip is 10.214.48.21

    - opt_ip_2 is 10.214.48.22

    The NAT rule will check whether the external IP conflicts with the interface IP.

    1) External IP is another IP => No error, because it's a different IP.

    2) External IP is the same as the OPT interface IP => Error is shown, and the user cannot click "OK" to save this rule. This is expected behavior, assuming it's the same IP.

    Is the device address object "OPTIP" the same as the interface IP?

  • PeterUK
    PeterUK Posts: 2,723  Guru Member

    But what if you have one WAN IP? For years the USG/ZyWALL has been able to have port 80 or 443 from external to a LAN IP with the GUI on ports 80 and 443, with no conflict when connecting to the GUI from LAN. That's the point I am making.

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,450  Zyxel Employee

    Hi @PeterUK

    In that case, there will be no warning message if the rule existed before the firmware was updated to V4.33WK19.

    However, if you delete the original NAT rule (port 80, 443) and add it back, the warning message will still show up.

  • PeterUK
    PeterUK Posts: 2,723  Guru Member

    So in the next firmware, will we be able to have ports 80 and 443 from external to a LAN IP and have those ports for the GUI?

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,450  Zyxel Employee

    Hi @PeterUK ,

    If there's a port conflict, the device is not allowed to add this setting. You can change the device's HTTP/HTTPS ports to different ones (e.g. 80 to 8080, 443 to 4433) so that the NAT virtual server on port 80/443 won't be rejected.

    The WWW port setting is at "CONFIGURATION > System > WWW > Service Control".
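
The check and the workaround described in the replies above, modelled as an added example (not Zyxel's code and not part of the original posts): a rule conflicts only when its external IP is one of the device's interface IPs and its external port range covers a port the web GUI listens on. The `VirtualServer` model, the rule names and the internal address 192.168.1.10 are assumptions made for illustration; the other addresses and ports come from the thread.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VirtualServer:
    """One NAT virtual-server rule (hypothetical model, not Zyxel's schema)."""
    name: str
    external_ip: str
    first_port: int
    last_port: int
    internal_ip: str


def conflicting_ports(rule, interface_ips, gui_ports):
    """Ports on which `rule` would shadow the device's own web GUI.

    A conflict exists only when the rule's external IP is one of the
    device's interface IPs AND its port range covers a GUI port.
    """
    external = ipaddress.ip_address(rule.external_ip)
    owned = {ipaddress.ip_address(ip) for ip in interface_ips}
    if external not in owned:
        return []
    return sorted(p for p in gui_ports if rule.first_port <= p <= rule.last_port)


def audit(rules, interface_ips, gui_ports):
    """Map rule name -> conflicting ports, listing only rules that conflict."""
    report = {}
    for rule in rules:
        hits = conflicting_ports(rule, interface_ips, gui_ports)
        if hits:
            report[rule.name] = hits
    return report


# Interface and external IPs are from the thread; everything else is constructed.
INTERFACE_IPS = ["10.214.48.21"]
RULES = [
    VirtualServer("web_on_opt_ip_2", "10.214.48.22", 443, 443, "192.168.1.10"),
    VirtualServer("web_on_opt_ip", "10.214.48.21", 443, 443, "192.168.1.10"),
    VirtualServer("http_on_opt_ip", "10.214.48.21", 80, 80, "192.168.1.10"),
]

if __name__ == "__main__":
    print(audit(RULES, INTERFACE_IPS, gui_ports={80, 443}))     # default GUI ports
    print(audit(RULES, INTERFACE_IPS, gui_ports={8080, 4433}))  # GUI moved per the workaround
```
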


  • PeterUK
    PeterUK Posts: 2,723  Guru Member
    edited July 2019

    There's no conflict! For years! Years!! I and everyone have been able to have ports 80 and 443 from external to a LAN IP and have those ports for the GUI on ONE WAN IP. Yes, I get that doing that means you can't get to the GUI from external, BUT it does not matter as you can get to the GUI from internal.

    So to that end, why not add a check box override, or even a check of how the GUI is being accessed (a smarter check), to know the user can still log in after the rule?

    The good thing that you can do is edit the config to force the change.

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,450  Zyxel Employee

    Hi @PeterUK

    Thanks for the suggestion. I would like to move this topic to the idea section.

    Feel free to add comments here.

    https://businessforum.zyxel.com/discussion/2932/v4-32-nat-port-80-and-443-not-allowed#latest
