Port forwarding and NAT loopback on Zyxel USG20

The Zyxel USG20 is a complicated router.  As I mentioned here, it is a wonderful router for a highly connected household if you want content filtering and bandwidth management. But this router isn’t for the faint of heart.

Port forwarding on a traditional consumer router is as simple as assigning a static internal IP address to a device, then forwarding ports to that IP address.  (A few routers can actually forward ports to a hostname, which doesn’t require setting that static internal IP address.)  But on the USG20 there are far more steps:

  1. Define the static internal IP address for a device.
  2. Create a HOST object for that device.
  3. Define the service and the port that the service will use.
  4. Allow it through the firewall.
  5. Create the virtual server.

Yeah, it takes that many steps, and if you have a dynamic DNS hostname then you’ll want to enable NAT loopback, which takes an additional step.

Step 1 – Define the static internal IP address for a device

Go to the Network menu, click Interface and then the Ethernet tab. Select your LAN1 or LAN2 connection (I use LAN1 for almost everything) and click Edit.

(Screenshot 1: Network > Interface > Ethernet, editing LAN1)

Under the DHCP setting section there is a table used for IP reservations based on MAC address.  Get the MAC address of the device that will receive the static internal IP address, then click Add, select an IP address and give it a name.  (One thing to keep in mind here is that you don’t need to use an IP address normally given out in your IP pool.  My pool starts at 192.168.1.33 and all of my DHCP reservations are below .33.  As long as your reservations are in the same subnet, you’ll be fine.)

(Screenshot 2: DHCP reservation table)

Step 2 – Create a HOST object for that device

Go to the Object menu, select Address and click the Add button.  Give the object a name that is recognizable to you, enter its IP address, and select HOST as the Address Type.

(Screenshot 3: Object > Address, new HOST object)

Step 3 – Define the service and port

Go to the Object menu and click Service. There are many services already defined here, but you will likely need to add an entry for your specific service. Click the Add button at the top, type a name for your service, select the IP Protocol and enter the port. If it is a single port, just enter it in the “Starting Port” box.  If it is a range, define the ending port in the “Ending Port” box. See my screen capture below for port forwarding the Windows Remote Desktop service.

(Screenshot 4: Object > Service, service object for Windows Remote Desktop)

Step 4 – Allow it through the firewall

If you are used to consumer routers, then this step seems redundant: usually defining the service and port is enough to allow traffic through that port. On the Zyxel, however, we have only been defining objects so far. We haven’t actually changed the operation of the router yet, so we still need to allow this service through the firewall.

Click on the Firewall menu. Assuming that you have the Firewall enabled, click the Add button. Depending on your configuration, From and To may need to be modified, but for simple port forwarding I set them both to “any”. Scroll down and set Source to “any” and Destination to the HOST object that you created in Step 2. Then under the Service menu, select the service that you created in Step 3.

(Screenshot 5: Firewall rule allowing the service to the HOST object)

Step 5 – Create the virtual server

With the Zyxel, it isn’t enough just to punch a hole through your firewall. You still have to define the virtual server mapping. Click the Network menu, then NAT. Click Add. Define the name, select wan1 as the incoming interface, set original IP to any, and set mapped IP to the HOST object that you created. Set the port mapping type to “service”; then you’ll be able to set both the original service and the mapped service to the service that you created.  Uncheck Enable NAT loopback and you’re done.

Now my screen capture below doesn’t exactly match what I described above. Read on to understand why.

(Screenshot 6: Network > NAT virtual server rule)

Optional Step 6 – NAT Loopback

NAT loopback is a feature that allows your dynamic hostname* to work inside your network. I use dyn.com, which works perfectly outside my network but doesn’t work on the inside.  For example, I can’t use my hostname to connect to my Remote Desktop service if I’m connected to my own network.  NAT loopback allows this to happen.  Unfortunately you can’t just tick the “Enable NAT Loopback” box to make this work.  (The router won’t allow you to do this.)

To make NAT loopback work, you’ll need to create a new Object of type Address. (Click Object, select Address; or, if you are still on the NAT page, you can create the new object from the drop-down menu at the top.) The object name will be something like “WAN_IP”, the Address Type will be Interface IP, and the interface is wan1.

Now when you select the Original IP in Step 5, instead of choosing “any”, choose the object that you just defined. (In my case it is WAN_IP.) Now you can enable the NAT loopback box at the bottom, and you’ll be able to use your dynamic hostname inside your network!  You will need to check this box and select WAN_IP as the original IP for each NAT rule that you define.
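Because the six steps each create an object that the next step refers to by name, a forward silently fails when one link in that chain is missing (no reservation, no firewall rule, or loopback enabled against an original IP of “any”). The script below is an added example, not code from this post or from Zyxel: it models the GUI objects from Steps 1 to 6 as plain Python classes (assumed names and fields, not the device’s own data model or CLI) and checks one NAT rule against the rest of the configuration. The sample configuration at the bottom is constructed to mirror the Remote Desktop example above.

```python
"""Consistency check for the chain of objects behind one USG20 port forward.

Added example, not code from the post or from Zyxel. The classes are a
simplified model of the GUI objects in Steps 1 to 6 (assumed names/fields);
the sample configuration is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Union


@dataclass
class HostObject:            # Step 2: Object > Address, Address Type HOST
    name: str
    ip: str

@dataclass
class InterfaceIpObject:     # Step 6: Object > Address, Address Type Interface IP
    name: str
    interface: str

@dataclass
class ServiceObject:         # Step 3: Object > Service
    name: str
    protocol: str
    start_port: int
    end_port: Optional[int] = None

@dataclass
class FirewallRule:          # Step 4: "any" or an object name for source/destination
    source: str
    destination: str
    service: str

@dataclass
class NatRule:               # Steps 5 and 6: Network > NAT virtual server
    name: str
    incoming_interface: str
    original_ip: str         # "any" or an address object name
    mapped_ip: str           # HOST object name
    original_service: str
    mapped_service: str
    nat_loopback: bool = False

@dataclass
class Config:
    lan_subnet: str
    reservations: Dict[str, str]                                # Step 1: name -> IP
    addresses: Dict[str, Union[HostObject, InterfaceIpObject]]
    services: Dict[str, ServiceObject]
    firewall: List[FirewallRule]
    nat: List[NatRule]


def validate_forward(cfg: Config, nat_name: str) -> List[str]:
    """Return the problems found for one NAT rule; an empty list means it is consistent."""
    problems: List[str] = []
    rule = next((r for r in cfg.nat if r.name == nat_name), None)
    if rule is None:
        return [f"no NAT rule named {nat_name!r}"]
    net = ipaddress.ip_network(cfg.lan_subnet, strict=False)

    # Steps 1 and 2: mapped IP is a HOST object whose address is reserved in DHCP
    # and lies inside the LAN subnet (outside the DHCP pool is fine, as the post notes).
    host = cfg.addresses.get(rule.mapped_ip)
    if not isinstance(host, HostObject):
        problems.append(f"mapped IP {rule.mapped_ip!r} is not a HOST address object")
    else:
        if ipaddress.ip_address(host.ip) not in net:
            problems.append(f"{host.name} ({host.ip}) is outside {cfg.lan_subnet}")
        if host.ip not in cfg.reservations.values():
            problems.append(f"{host.ip} has no DHCP reservation, so it may change")

    # Step 3: both service references must exist.
    for svc in (rule.original_service, rule.mapped_service):
        if svc not in cfg.services:
            problems.append(f"service object {svc!r} is not defined")

    # Step 4: some firewall rule must admit that service to the host (or to any).
    if not any(fw.service == rule.mapped_service and fw.destination in ("any", rule.mapped_ip)
               for fw in cfg.firewall):
        problems.append(f"no firewall rule allows {rule.mapped_service} to {rule.mapped_ip}")

    # Step 6: loopback only works when original IP is the Interface IP object
    # of the incoming interface, never "any".
    if rule.nat_loopback:
        orig = cfg.addresses.get(rule.original_ip)
        if not isinstance(orig, InterfaceIpObject) or orig.interface != rule.incoming_interface:
            problems.append(f"NAT loopback needs original IP = Interface IP object for "
                            f"{rule.incoming_interface}, got {rule.original_ip!r}")
    elif rule.original_ip != "any" and rule.original_ip not in cfg.addresses:
        problems.append(f"original IP {rule.original_ip!r} is not an address object")
    return problems


def sample_config() -> Config:
    """Constructed configuration mirroring the post's Remote Desktop example."""
    return Config(
        lan_subnet="192.168.1.0/24",
        reservations={"desktop": "192.168.1.20"},
        addresses={"Desktop_PC": HostObject("Desktop_PC", "192.168.1.20"),
                   "WAN_IP": InterfaceIpObject("WAN_IP", "wan1")},
        services={"RDP": ServiceObject("RDP", "TCP", 3389)},
        firewall=[FirewallRule("any", "Desktop_PC", "RDP")],
        nat=[NatRule("RDP_forward", "wan1", "WAN_IP", "Desktop_PC", "RDP", "RDP", nat_loopback=True)],
    )


if __name__ == "__main__":
    print(validate_forward(sample_config(), "RDP_forward") or "RDP_forward: all six steps are consistent")
```

Flipping the sample rule’s original IP back to “any” while leaving loopback enabled reproduces the exact mismatch the post warns about, and the checker reports it as a single problem.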

* Once you have a dynamic hostname account, the Zyxel can keep it updated for you. Click on Network, then DDNS, and add a profile.
