For Zyxel USG60 unified security gateway, how can we set it to have private LAN & pubblic IPs in DMZ

Hi, We have a firewall: Zyxel USG60 unified security gateway.

Currently, we use the USG60 firewall (as a router), by creating, only, LAN IPs (, on port N. 3 &4, as a private network (and do protect this one) & by means of an external interface (for example, WAN2 port N. 2) make a connection to the internet.

In short, for example, we have:

A router CISCO with IP address: (as a gateway);

A Zyxel USG60 as firewall, with an external interface, WAN2, IP: (on port N. 2) connected, by means of a switch, to the CISCO router for the internet connection. Our private LAN1 is connected to port N. 3 with IPs 192…..

We would like to create a DMZ interface (for example, on port N. 6), with IP:, to put our machine with public IPs, such as: DNS1&2 server (IP: &, mail & www server (, E-Learning platform (, etc.. in this zone & go to the internet by means of IP of WAN1 (port N. 1). How can we set our USG60 firewall? It is important to define the DMZ interface to transfer, to the internet, the original public IP of the every machine putted in this zone. For example, when I go to web site, from a machine with IP:, I can see the same IP ( identified by that server.



  • I tried to make a BRIDGE as following suggestions found in the Zyxel forum:

    How to route multiple public IPs to devices behind a Zyxel router, where the device behind the Zyxel holds a public IP.  Typically this method is used when routers are connected behind the Zywall.

    Method 1:  Use this method to provide "no NAT" to the device behind the Zyxel.  This method only works when their is a router in front of the Zyxel so that both the Zyxel and the device behind the Zyxel can use the same gateway.

    *Go to Network>Interface>Bridge

    *Set Interface type to: external

    *Interface name: br1

    *Zone: WAN

    *Members: WAN1,dmz

    *Go to Network>Interface>Trunk and create a new Trunk Group with "br1" as the primary member

    *Go to Object>Address and add a host for each usable public static IP

    *If the device behind the Zyxel is a router, Go to Security Policy > Session Control and disable the session limits

    *Configure the device behind the Zyxel with a usable public static IP and point it to the same gateway that Zyxel is using.

    *Plug device behind the Zyxel into a DMZ port.

    *Add a route in the Zyxel that states: Incoming > Interface: DMZ > Source Address: Object_Address_PublicIP > Destination: Any > Next hop: Interface br1 > SNAT: Object_Address_PublicIP.

    I made the following:

    Internet <-------> Gateway( <-----------> (WAN1, P1)USG(DMZ, P6) <-------> IP-to-Pulic (

    When I go to add a route as: Network > Routing > Policy Route, have the following error:

    CLI Number: 11
    Warning Number: 28005
    Warning Message: 'Invalid gateway from Next-Hop interface. Policy route rule will not work

  • Zyxel_EmilyZyxel_Emily Zyxel Official Agent Posts: 269  mod

    Follow the example to set interface type and zone. 
    There is no error message when you create the policy route.
    Since it might be configuration issue, I need to check your configuration file to see what the problem is. I will send you private message later.

  • Hi Zyxel_Emily, thanks for your suggestion.
    I will try this one as soon as possible and will send you a comment.
  • Hi Zyxel_Emily, thanks for your reply.
    As your suggestion we set our network with the following:

    WAN2 (P2) ----> with a static IP, Net-Mask & GW. 
    LAN1 (P3, P4, P5) ---->192........ 
    WAN1 ----> P1, DMZ ----> P6. 
    WAN1 (No IP, NM & GW) + DMZ (No IP, NM & GW) ----> BR1 (No IP, NM & GW). 
    It is ok now. So, we have all PC with public IP in DMZ zone .
    Now, I would like to know, if the PCs, in DMZ zone are protected by firewall?
    Also, I would like to ask you, If it is possible to share some disk/folder/files in LAN1 zone with the PCs in DMZ zone?
    You can found some screenshots of configuration of our network, as attached file.
    Thanks again,
  • Zyxel_EmilyZyxel_Emily Zyxel Official Agent Posts: 269  mod
    After DMZ joins bridge interface, it becomes a "port", not interface. It still keeps its original zone, so it is protected by firewall.
    The bridge is only used for management.
    In your scenario, it is suggested to set interface type as external and set zone as WAN.
    Attached is the guide with detailed configuration steps for sharing disk/folder/files in LAN1 zone with the PCs in DMZ zone.  
  • virtualwarevirtualware Member Posts: 4
    edited January 10, 2019 5:18AM
    My configuration:
    1 OVH XDSL Zyxel VMG8924_B10D in bridge mode with 1 IP public and an additional ipv4 / 29 block that is connected to the WAN1 of a USG 100.
    I have several virtual machines (DNS server, WEB server, MAIL server, SQL server .....) that currently works on the DMZ leg in NAT on the main IPV4 address of the OVH box.

    My question
    Is it possible or rather how to assign my block IPV4 / 29 (6 ipv4) directly on the DMZ leg to assign them to my different virtual machines without doing NAT.

    Thank you for your help

  • Zyxel_CharlieZyxel_Charlie Zyxel Official Agent Posts: 686  mod
    You can follow @Zyxel_Emily 's attached SOP on previous post, and also you need to add one more rule on security policy "Wan >DMZ" with requested service which virtual server using
    Or did you face some issue during operation?
  • Hello,
    I would like to know if I should definitely put VMG8924_B10D in bridge mode because I have 2 phone lines attached to my xdsl subscription, and when I'm in bridge mode I'm no longer those phone lines.
    Thank you
  • Zyxel_CharlieZyxel_Charlie Zyxel Official Agent Posts: 686  mod
    Regarding to your description,
    do you want to configure the VMG as routing mode? and your purpose is that you would like to remote management to you local servers?
    If so, you need to create the NAT rule(port forwarding) on VMG and USG.
    Please send your configuration. I will private message you later.

Sign In to comment.