SPI Firewall
andremta @ 28th Sep 12:50PM:
SPI Firewall
Using ZyWall USG 300
I'm trying to connect from 192.168.1.10: to the WAN 1.1.1.1:1515 which seems OK!
However, after my connection initialisation, the server answers from 1.1.1.1:35710 to my 192.168.1.10, and this is where the problem begins. The server could not reach my local IP.
The SPI firewall is not detecting the source LAN IP?
I want it to forward to my LAN_IP and not WAN_IP.
nwrickert @ 28th Sep 01:39PM:
Re: SPI Firewall
It is strange for the server to be responding with a different port. That's likely to cause problems with any NAT router, with or without SPI.
--
AT&T dsl; Speedstream 5100b modem; Zyxel NBG334W router; openSuSE 11.0; firefox 3.0.14
andremta @ 29th Sep 09:42AM:
Re: SPI Firewall
This problem is driving me nuts!
Is there anything I can do to bypass this?
Might adding a routing rule help?
Bwuutje @ 29th Sep 02:59PM:
Re: SPI Firewall
This has nothing to do with Firewall or SPI. This is because of the NAT form used. There are several implementations of NAT possible, but not all of them are secure and each has its pros and cons. See e.g.: »en.wikipedia.org/wiki/Network_ad···s_of_NAT
The one you propose is not secure. Think about it: you want to connect to a certain port on a server on the internet and want to give that server "permission" to access your PC from other ports to other ports on your PC.
Suppose I make a "nice" website, you browse to my site and I can access your PC on all ports I want, which you probably would not want....
Bwuutje.
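The filtering behaviour discussed in this thread, as an added example that is not part of any post: a small model of a NAT mapping table under the three inbound filtering policies named in RFC 4787. The client source port, the public port range and the third-party address 203.0.113.9 are constructed, and the model assumes the server's packet from port 35710 is addressed to the client's existing mapping.

```python
from dataclasses import dataclass, field

# Inbound filtering policies, named as in RFC 4787.
ENDPOINT_INDEPENDENT = "endpoint-independent"              # "full cone"
ADDRESS_DEPENDENT = "address-dependent"                    # "restricted cone"
ADDRESS_AND_PORT_DEPENDENT = "address-and-port-dependent"  # "port-restricted"

@dataclass
class Nat:
    policy: str
    table: dict = field(default_factory=dict)  # public port -> (LAN endpoint, remote peers)
    next_port: int = 50000                     # constructed public port range

    def outbound(self, lan, remote):
        """Record a LAN->WAN flow and return the public port mapped to `lan`."""
        for port, (owner, peers) in self.table.items():
            if owner == lan:
                peers.add(remote)
                return port
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = (lan, {remote})
        return port

    def inbound(self, remote, public_port):
        """Return the LAN endpoint a WAN packet is forwarded to, or None if dropped."""
        if public_port not in self.table:
            return None
        lan, peers = self.table[public_port]
        if self.policy == ENDPOINT_INDEPENDENT:
            allowed = True                                  # anyone may use the mapping
        elif self.policy == ADDRESS_DEPENDENT:
            allowed = remote[0] in {ip for ip, _ in peers}  # same remote IP, any port
        else:
            allowed = remote in peers                       # exact remote IP and port
        return lan if allowed else None

def run(policy):
    """Replay the thread's flow; True means the packet reaches the LAN host."""
    nat = Nat(policy)
    client = ("192.168.1.10", 40000)  # source port constructed; the post does not give it
    port = nat.outbound(client, ("1.1.1.1", 1515))
    probes = {"reply_from_1515": ("1.1.1.1", 1515),
              "reply_from_35710": ("1.1.1.1", 35710),
              "unrelated_host": ("203.0.113.9", 80)}  # constructed third party
    return {name: nat.inbound(src, port) == client for name, src in probes.items()}

if __name__ == "__main__":
    for p in (ADDRESS_AND_PORT_DEPENDENT, ADDRESS_DEPENDENT, ENDPOINT_INDEPENDENT):
        print(f"{p:28} {run(p)}")
```

Only the endpoint-independent policy forwards the packet from the unrelated host, while the address-dependent policy already admits the reply from port 35710 without opening the mapping to other hosts.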
andremta @ 29th Sep 05:39PM:
Re: SPI Firewall
Guys, I made some progress!
I created a firewall rule to allow WAN_SERVER to ANY and a Virtual Server rule from WAN_SERVER to 192.168.1.10, so I'm able to connect with no problem!
The problem is... If I want to access it also from 192.168.1.11, I have to manually change the router's Virtual Server IP (192.168.1.10 --> 192.168.1.11).
I'm sure ZyWall USG 300 has some port triggering feature, I'll try to read the manual for it. This shall solve my problem.