Zyxel zywall usg-20w

Draax

Hello!

I'm busting my head against the wall right now :confused: A client of mine has a ZyXEL ZyWALL USG-20W and an HTML server behind that firewall.
Basically they need to access the html website from their office location and outside the office location.

  • It works perfectly and is accessible from outside the office.

  • Inside the office (behind the firewall) once a client tries to access the html via domain.com they get to the login page of the firewall.

  • If they use the server IP 192.168.0.200 they get to the login page of the firewall.


  • Using the server IP or localhost from the server itself will work flawlessly.

I have no idea why the firewall is redirecting me to the login page of the firewall every single time I try to access any website of the HTML server.

Any input would be highly appreciated!
And sorry for my English, it's not my native tongue.
 
It is a feature called "loop back"....which the router is possibly not able to support.
Basically it is not allowing traffic from "within" the network to travel outside..do a 180..and come back inside using the external e-mail address.

Now I haven't played with a Netgear/Zyxel UTM in quite a while...but with many firewalls, by default they may not support loopback properly, but with some extra settings, or....by doing an "advanced" port forward rule....you can get loopback to work.
An example...my preferred biz firewall is Untangle. Doing the default easy peasy hand holding port forward wizard did not let loopback work (because it assumed destination was "local"), but doing the port forward in advanced mode...which allows you to provide details for the "destination address"...the external WAN IP (assuming the public DNS FQDN was properly set to that)....would allow loopback to work properly.
 
I've got a few customers with ZyXEL's USG-20Ws and USG-50s. They're pretty capable budget firewalls. Not the most intuitive of interfaces, but they work well and have been very reliable. They can certainly do what you require; I know, I've done it. But they do take a bit of configuring. I would check the loopback first, as Stonecat suggested, which they do support.

This is a screenshot taken from a working configuration. You can see the loopback option bottom-left:

xn634kc.jpg


If that doesn't work, post back and I'll have a look at what other relevant firewall/NAT rules I added to make it work.
 
Ahh great screenie, Moltuae

Is that on by default?
It is actually but, unless the "original IP" has been specified it will likely be turned off, for this reason:

fSie2dP.jpg



Just curious..can you post a screenie of that Firewall page?
The interface sorta reminds me of a Sonicwall setup.

With pleasure :)

This shot was taken from the very same model the OP mentioned, a USG 20w:

MLwX2Xc.jpg



This is the one I took the NAT config shot from, a USG 50, but functionally both models are identical:

6VOf4MY.jpg



I've worked quite a bit with ZyXEL units. They're not the easiest of firewalls/routers to learn, but they're very configurable and super reliable. I'm probably tempting fate by saying this now, but the 2 units that the screenshots are from have been running for maybe 5 years or so, without a single issue. These two are mainly being used to establish a VPN site-to-site tunnel, which they do very well. I'm fairly familiar with ZyXELs now, but I remember pulling quite a few hairs out back then trying to get that VPN to work right. But once you figure out how they do things, they're not too bad to work with.
 
Thanks a lot for this input! I definitely have a lot of things to check tomorrow :)
Also, you say that the ZyXELs are quite hard to learn. If I may ask, what firewall within a reasonable price range would you recommend?

Thanks a lot for your input. I know I've seen this option before but never really realized what it does.
 
As was mentioned, you need to specify the original IP for Loopback to work. You'll first need to create an object for the WAN_IP and then use that as the original IP for the loopback to work.
I've set up a few USG60Ws this way.
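
A simplified model of the NAT loopback (hairpin NAT) decision discussed in this thread, added here as an illustration; it is not ZyXEL's implementation and was not posted by any participant. The WAN address 203.0.113.10, the firewall LAN address 192.168.0.1, the interface names and the `forward` function are assumptions; only 192.168.0.200 comes from the thread.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed values: WAN_IP is a documentation-range stand-in, FW_LAN_IP is an
# assumed firewall LAN address. SERVER is the web server named in the thread.
WAN_IP, FW_LAN_IP, SERVER = "203.0.113.10", "192.168.0.1", "192.168.0.200"

@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrives on ("wan1" or "lan1")
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class VirtualServer:
    in_iface: str               # incoming interface of the port forward
    original_ip: Optional[str]  # None models an unspecified ("any") original IP
    mapped_ip: str
    port: int
    loopback: bool

def forward(pkt: Packet, rule: VirtualServer):
    """Return (who answers, source after NAT, destination after NAT)."""
    port_ok = pkt.dport == rule.port
    # Ordinary inbound forward: the packet arrives on the rule's interface.
    if port_ok and pkt.in_iface == rule.in_iface and rule.original_ip in (None, pkt.dst):
        return ("server", pkt.src, rule.mapped_ip)
    # Loopback: the packet arrives on some other interface, so the only thing
    # that ties it to the rule is an explicit original IP equal to its destination.
    if port_ok and rule.loopback and rule.original_ip == pkt.dst:
        # The source is rewritten to the firewall so the server's reply goes
        # back through it rather than straight to the LAN client.
        return ("server", FW_LAN_IP, rule.mapped_ip)
    # No rule matched and the destination is the firewall itself: its own web
    # interface answers, which is the login page seen from inside the office.
    if pkt.dst in (WAN_IP, FW_LAN_IP):
        return ("firewall-login", pkt.src, pkt.dst)
    return ("routed", pkt.src, pkt.dst)

if __name__ == "__main__":
    inside = Packet("lan1", "192.168.0.50", WAN_IP, 80)  # constructed LAN client
    for orig, loop in ((None, False), (None, True), (WAN_IP, True)):
        print(orig, loop, forward(inside, VirtualServer("wan1", orig, SERVER, 80, loop)))
```
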
 
As far as low budget firewalls go, from a configurability and reliability point of view at least, ZyWalls are hard to beat. So I would still recommend them but with the caveat that you need to spend a little time getting to know them. Now that I've gained a better understanding of how they do things, I've grown quite fond of them.

They're quite 'object orientated', as tek9 mentions, which is a good thing. Create objects for each host, service, IP, subnet, interface, etc, etc first, then use these in your rules.

If you can't get it to work, post some screen shots of your firewall and NAT rules and I'll check them against my known-working configs.
 
Are the ZyXELs more/less difficult to set up than the Ubiquiti products?
 
Thank Moltuae...he hooked you up. I start figured it was the Loopback thing..but he posted screenies with your exact model on how to do it.

Either way you put in effort and I appreciate that :)

Thanks in advance, I might get back to you :)
 
NAT loopback, create object called wan link to wan1, recreate rule.

USG20s are very underpowered.
 
I haven't got around to trying Ubiquiti's networking products yet, but I do intend to. So far I've only worked with their WAPs and CCTV stuff. Comparing brands, I would say that ZyXel's products (or the USGs at least) are very old school. All of the Ubiquiti products I've dealt with so far have had much more modern (new school?) interfaces. Ubiquiti products tend to simplify things a lot (perhaps too much sometimes), with wizards and drag-and-drop type interfaces that make it possible to configure them with almost no technical knowledge. By comparison, for anything more than a basic setup, ZyXel's USGs require a good knowledge of networking terminology (including some proprietary terminology). Configuration pages tend to contain a lot of advanced settings that'll have you studying and searching for information at each step and, being highly configurable and not as wide-spread as some alternative products, if you're attempting anything a little unusual it can be difficult to find the relevant information. They can be rewarding to work with though, especially if you have a good knowledge of networking or enjoy a challenge.

To give you an example, this is a video I found back when I was trying to get site-to-site VPN working (between 2 USGs) 4 or 5 years ago. I don't sprechen a word of deutsch, but that was the best info I could find at the time. As you can probably see from the video, it's not a simple matter of clicking through a few wizards, but it's not super difficult either, at least for a fairly regular/documented setup.
 
I use and enjoy working with these firewalls. I don't have anything smaller than a USG40 though. They are pretty capable little UTMs, and they have a built-in WiFi controller which I really like.

Also, to keep in mind: they have SIP ALG and two other goofy SIP options enabled, which of course, don't help SIP traffic at all. So make sure to uncheck those if you have IP phones behind the box!
 