Opening Ports for external access on ZyWall USG20W

PerA
PerA Posts: 3
edited April 2021 in Security
Hi,

I have tried to follow both videos and tips on these forums on how to get access from the internet to a server located on my LAN, without success...

My IP according to www.whatsmyip.com is 83.209.29.154 and I want to connect to the device that has a fixed IP of 192.168.0.10.

The access is from a mobile phone with 4G data, and I can set whatever port is to be used; it should be mapped on the inside to 8080.

What the heck am I doing wrong?




Comments

  • Line2
    Line2 Posts: 40  Freshman Member
    Your ZyWALL wan1 IP address is a private (RFC1918) address. Is the ZyWALL behind another router which is also doing NAT?
  • PeterUK
    PeterUK Posts: 2,653  Guru Member

    Your WAN IP is not set to 83.209.29.154; it's 172.16.0.168 going by your NAT rule, so you're behind another router? Can it be changed to modem mode or bridge mode? Or does your ISP block you from forwarding ports?


  • Zyxel_Emily
    Zyxel_Emily Posts: 1,278  Zyxel Employee

    Hi @PerA,

     

    If there is double/multiple NAT in your topology, you need to configure NAT and firewall rules not only on the USG20W but also on the routers which are placed ahead of the USG20W.

    You can follow the guide in the following discussion thread.

    USG60 - NAS conecntion from Home to Office

  • PerA
    PerA Posts: 3
    Hi,
    No - it is my ISP directly into the USG20W and behind it I have a LAN1 and a LAN2. Looking at some cases on YouTube, there seem to be many suggested ways to configure that and I have to admit that I get lost.
    If I do it in the following sequence I see step 1, 2 and 3 as understandable:

    Step 1 - I define a service rule named AVH that is TCP and port 8080

    Step 2 - I define an address object for the AVH where TYPE is HOST and I use the fixed IP address 192.168.0.10

    Step 3 - add a FW rule stating from WAN and to LAN1 (where the system 192.168.0.10 is). Source ANY, destination AVH and service AVH

    Then comes the tricky thing where I lose control/understanding, and that is the NAT rule where I can't select WAN as incoming interface - only WAN1...
    I set original IP as ANY, mapped IP as defined AVH, and then port mapping type SERVICE with both following defined as AVH

    PLEASE NOTE - I have changed so the outbound port from mobile device now is 8080 exactly as the port I want to access on AVH - PLEASE NOTE

    Any suggestions welcome/Per-Arne

    PS - my ISP states that they block no ports at all - DS


  • PeterUK
    PeterUK Posts: 2,653  Guru Member

    Sorry, but no, you have another router upstream from the USG20W. If you were directly connected, your WAN1 on the USG20W would show 83.209.29.154, which it does not; it shows 172.16.0.168.


  • Zyxel_Emily
    Zyxel_Emily Posts: 1,278  Zyxel Employee

    Hi @PerA,

     

    "it is my ISP directly into the USG20W and behind it I have a LAN1 and a LAN2."

    Could you share the topology with us?

    For example, is there an xDSL router provided by the ISP?

    ISP----xDSL router------(wan)USG20W

     

    Please confirm with your ISP whether they provide a public IP address to you.

    In your screenshot, wan1 is 172.16.0.168, which is a private IP address.

    If the ISP gives you a private IP address, or there is an xDSL router in your topology, you need to configure a firewall rule or NAT rule on the router if it is allowed for configuration.

  • Alfonso
    Alfonso Posts: 257  Master Member
    Hi @PerA

    I suppose your ISP is lacking public IPv4 addresses and is giving out internal IP addresses like 172.16.0.168, and then it "NATs" using a CGNAT router in the network.

    In this scenario, the only way to do what you want is talking to your ISP.
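
The check the replies above make by eye (WAN interface address versus the address the Internet sees), as an added example that is not part of the thread and not Zyxel code. The function names are hypothetical; the two sample addresses are the ones quoted in the thread, and the 100.64.0.0/10 test goes slightly beyond it by also covering the RFC 6598 shared space that CGNAT deployments commonly use.

```python
import ipaddress

# Blocks that can never be the Internet-facing address of a port forward.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC6598_CGNAT = ipaddress.ip_network("100.64.0.0/10")  # carrier-grade NAT shared space


def classify_wan(addr):
    """Classify the address configured on the firewall's WAN interface."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in RFC6598_CGNAT:
        return "cgnat-shared"
    if ip.is_global:
        return "public"
    return "other-non-routable"  # link-local, loopback, reserved, ...


def diagnose(wan_ip, observed_public_ip):
    """Compare the WAN interface address with the address the Internet sees."""
    kind = classify_wan(wan_ip)
    same = ipaddress.ip_address(wan_ip) == ipaddress.ip_address(observed_public_ip)
    if kind == "public" and same:
        return {"wan_class": kind, "upstream_nat": False,
                "advice": "NAT and firewall rules on this device are sufficient"}
    if kind == "public":
        return {"wan_class": kind, "upstream_nat": True,
                "advice": "WAN is public but differs from the observed address; "
                          "check for a second WAN path or upstream translation"}
    return {"wan_class": kind, "upstream_nat": True,
            "advice": "an upstream device translates this address; forward the "
                      "port there as well, bridge it, or ask the ISP for a public IP"}


if __name__ == "__main__":
    # Values taken from the thread: wan1 address and the whatsmyip result.
    print(diagnose("172.16.0.168", "83.209.29.154"))
```

When `upstream_nat` is true, no combination of service, address, firewall and NAT objects on the USG alone will make port 8080 reachable from the mobile network.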
