Issue with virtual server / NAT when using multiple public static IPs

OneZyUser
edited April 2021 in Security
Background:
 Our ISP provides us a WAN connection with 5 (consecutive) static IPs. 

When I try to add a NAT rule as follows, I get the error listed below. I am unable to figure out where the problem is. I'm using a Zywall 1100.

Mapping Type: Virtual Server
Interface: ge1
External IP: <static_ip_4>
Internal IP: <server_ip>
Service: https

Error: The port is conflicting with a port of zyxel device. Please fill-in a different port number or change the service port to a different one.


What I tried:
In system->www, added an admin service control to deny all addresses of WAN zone to access the admin page (forced admin users to go through VPN).

I remember this method worked in the previous versions, but am having issues in the latest version (for some reason, the device suddenly froze and reset to factory default after I updated the SSL certificate and am now having to restore all settings back. It refuses to restore the settings from my backup and so am doing it manually).

All Replies

  • OneZyUser
    I was able to add it via CLI. Still don't understand why I cannot add it via GUI/Web interface though. So, leaving this thread open in case someone can explain.

    The CLI command I used was:
    configure terminal
    ip virtual-server <rule_name> interface wan1 original-ip WAN4 map-to <server_host_ip_object> map-type port protocol tcp original-port 443 mapped-port 443 nat-loopback


  • PeterUK
    edited February 2019

    Same issue here

    https://businessforum.zyxel.com/discussion/1678/v4-32-nat-port-80-and-443-not-allowed

    It's to stop people making a rule that locks you out of the GUI, which I think was a bad move, but as you have done, you have worked around it. If you now check your NAT rule in the GUI you will see a warning on the port.

    What you're meant to do is change the GUI ports, but you shouldn't have to.

    There is said to be an update for checking where you log in from so that you can NAT those ports without locking you out of the GUI.


  • Jeremylin
    HTTPS is already used by the unit, so you cannot configure the https service on a NAT rule.
    Therefore, just modify the port number for accessing the GUI on the WWW page first.
  • PeterUK

    Nope, you don't have to; you can configure the NAT to use 80 and 443 without conflict if you know what you're doing.


  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    @PeterUK @OneZyUser
    Regarding this case, the solution will be included in the next patch firmware, released by the end of Feb.
    @OneZyUser
    For the device's freeze issue, can I know what firmware version you used? And was the certificate you uploaded one you generated yourself?
    I will private message you for details.
    Charlie
