This article will show you how to configure and the differences between Virtual Server, 1:1 NAT, Many 1:1 NAT and Virtual Server Load Balancer when you want to forward a port to a internal server. NAT menu in the USG FLEX / ATP / VPN is used to make internal devices reachable from the internet.

Table of Content

Differences between Virtual server, 1:1 NAT and Many 1:1 NAT

1) Configure Port Forwarding

1.1 Create the Virtual server rule

1.1.1 Mapping rule for Virtual Server

1.1.2 Create objects to insert into the NAT rule

1.2 Add a Firewall rule to allow the NAT (Port Forwarding)

1.2.1 Create a new service object

1.2.2 Add the firewall rule

1.3 Test the result

1.4 Configure 1:1 NAT

1.4.2 Use-case scenario for 1:1 NAT vs. Virtual Server

2) Configure Many 1:1 NAT

2.1 Create the Many 1:1 NAT rule

2.1.1 Mapping Rule for Many 1:1 NAT

3) Configure Virtual Server Load Balancer

3.1 How does the Virtual Server Load Balancer work?

3.1.1 The Load Balancing Process

3.1.2 Load Balancing rules to follow

3.1.3 Virtual Server Load Balancing Algorithms

3.2 Virtual Server Rule Mapping

Differences between Virtual server, 1:1 NAT and Many 1:1 NAT

Virtual Server makes computers on a private network behind the firewall available to a public network outside the firewall (like the internet).

1:1 NAT is used if the internal server will initiate sessions to outside clients. Then select this to have the firewall translate the source IP address of the server's outgoing traffic to the same public IP address that the outside clients use to access the server.

Many 1:1 NAT is used if you have a range of internal servers that will initiate sessions to the outside clients and that have a range of public IP addresses. One many 1:1 NAT rule works like multiple 1:1 NAT rules, but it eases configuration effort since you only create one rule. Select this to have the firewall translate the source IP address of each server's outgoing traffic to the same as the public IP addresses that the outside clients use to access the server.

1) Configure Port Forwarding

Virtual server is most commonly used and is used when you want to make the internal server available to a public network outside the Zyxel Device (like, but not limited to, the internet).

For a more detailed description please see our video:

1.1 Create the Virtual server rule

First start by log in to the device to start the configuration and navigate to Configuration > Network > NAT and create a new rule by clicking on the "Add" button

Then create a rule name and select the port mapping type to "virtual server" and also select your incoming interface to WAN

1.1.1 Mapping rule for Virtual Server

Incoming interface - the interface that the traffic is coming from

Source IP - From where the users are connecting from (e.g. trusted IPs)

External IP - the IP Address of the WAN interface

Internal IP - The IP address of the server where you want to forward the ports to

Port Mapping Type

any -all traffic on will be forwarded

Service - Select a service-object (a protocol)

Service-Group - Select a service-group object (a group of protocols)

Port- Select a port that needs to be forwarded

Ports- Select a port range that needs to be forwarded

1.1.1.1 External vs. Internal ports

The external port is the port that the external user is using to get to the firewall on WAN

The internal port is the port that is forwarded internally on LAN

This can both be a 1:1 translation (port 443 to 443) or port 4433 to 443 for example

1.1.2 Create objects to insert into the NAT rule

1.1.2.1 Add two new objects by clicking on"create new object" > "address"

1.1.2.2 Add your WAN and NAS IP

1.1.2.3 Set the created objects as external and internal IP

1.1.2.4 Set the port mapping type

Set the port mapping type to port and configure them (i.e. port 50000 - please see video for reference)

1.1.2.5 NAT loopback

NAT loopback is used inside the network to reach the internal server using the public IP. Check if NAT loopback is enabled and click OK (allows users connected to any interface to use the NAT rule too)

1.2 Add a Firewall rule to allow the NAT (Port Forwarding)

1.2.1 Add the Firewall Rule to Allow the NAT

Note! You need to allow the internal port and not the external port. Because it's the internal port that is forwarded to the LAN interface of your firewall and needs to be allowed.

Navigate to Configuration > Security Policy > Policy Control and add a new rule:

Then click on "Create new Object" to create a new service object by navigating to Configuration > Object > Service.

Add the port you want to forward (in this example: 50000) and name it as desired:

Then save the rule and now if possible, test the NAT rule from a different remote network.

From: WAN to LAN, Destination: NAS IP, Service: HTTP_NAS Action: allow

You should have access to your NAS via WAN.

1.3 Test the result

Open a browser and type in the WAN IP of your USG and the configured port. Now the NAS is behind the USG and reachable through port forwarding.

Example for our WAN IP https://[yourWAN-IP]:50000

1.4 Configure 1:1 NAT

To configure 1:1 NAT, please follow the same guide above but choose the 1:1 NAT in the "Add NAT" menu shown below:

1.4.1 Mapping rule for 1:1 NAT

Incoming interface - the interface that the traffic is coming from

Source IP - From where the users are connecting from (e.g. trusted IPs)

External IP - the IP Address of your WAN / outgoing interface of your firewall

Internal IP - The IP address of the server where you want to forward the ports to

Port Mapping Type

any -all traffic on will be forwarded

Service - Select a service-object (a protocol)

Service-Group - Select a service-group object (a group of protocols)

Port- Select a port that needs to be forwarded

Ports- Select a port range that needs to be forwarded

1.4.2 Use-case scenario for 1:1 NAT vs. Virtual Server

Question

I would like to publish an internal server for external users, so I created a NAT rule for it.But I can decide between Virtual Server and 1:1 NAT.Which one should I choose?What's the difference between Virtual Server and 1:1 NAT?

Answer

The Virtual Server and 1:1 NAT are able to publish internal servers to the internet.But the difference between Virtual Server and 1:1NAT is: 1:1 NAT has an additional SNAT (source NAT), which virtual server hasn't.

e.g. when set as 1:1 NAT

Original IP: 10.214.30.188, Mapped IP: 192.168.1.33.

Then the outgoing interface for the server 192.168.1.33, will use 10.214.30.188 to access Internet.

In the packet flow explore, you can find the SNAT status.

The source IP 192.168.1.33 access the internet with a SNAT routing.

Then outgoing address will be replaced by Original IP.

2) Configure Many 1:1 NAT

Note! The private and public ranges must have the same number of IP addresses.

The many 1:1 NAT are used to forward all traffic from many external IPs (public IP) to many internal IPs (private IPs) that is in a range. Note that you cannot select ports, but all ports are forwarded in the Many 1:1 NAT function.

2.1 Create the Many 1:1 NAT rule

First log in to the device and navigate to Configuration -> Network -> NAT and click "Add" button to add a new rule

2.1.1 Mapping Rule for Many 1:1 NAT

Incoming interface - the interface that the traffic is coming from (usually wan1 (or wan1_PPPoE))

Source IP - From where the users are connecting from (e.g. trusted IPs)

External IP Subnet/Range - the range of IP addresses of your WAN / outgoing interface of your firewall (Only Ranges and Subnets allowed - not host objects)

Internal IP Subnet/Range - The IP addresses of the server where you want to forward the public IP addresses to

Port Mapping Type

any -all traffic on will be forwarded (note that the Many 1:1 NAT function will only forward "ALL traffic"

NAT Loopback - NAT loopback enables users to connect to the public IPs when they are behind the firewall.

3) Configure Virtual Server Load Balancer

The virtual server load balancer screen is used to distribute local user connections over multiple servers, in order to reduce each serve's workload and to decrease overall response times.

3.1 How does the Virtual Server Load Balancer work?

3.1.1 The Load Balancing Process

1. A client initiates a connection to the virtual server on a specific port

2. The firewall matches the request to a set of servers (Server 1/2/3 in example above), and determines which server will handle the request using a user-specified load balancing algorithm

3. The firewall forwards the request to the chosen server using NAT

4. The server processes the request and then replies back to the firewall

5. The firewall forwards the reply to the client using SNAT

3.1.2 Load Balancing rules to follow

1. One real server can belong to multiple load balancing rules

2. You can only add one interface, IP address, and port to each load balancing rule

3. Virtual servers and real servers only support IPv4 addresses

3.1.3 Virtual Server Load Balancing Algorithms

Round-Robin - Last in, first out rule, all servers are divided equally (e.g. Server A, B and C will be divided CBACBACBA)

Weighted Round Robin - Assigns servers based on specified weight. Servers with a higher weight are assigned before servers with lower weight. (e.g. 4:1 on server 1 & 2 weight means 75% load on server 1 and 25% on server 2).

Least-Connection - Assigns the connection to the server with least number of current connections

Source Hashing - Assigns the connection based on a static has table

e.g. Server A (weight 1) and Server B (weight 2) are mapped like this:

3.2 Virtual Server Rule Mapping

Incoming interface - the interface that the traffic is coming from (usually wan1 (or wan1_PPPoE))

External IP - the IP Address of your WAN / outgoing interface of your firewall

Service - Select a service-object (a protocol)

External Service - The external service (protocol) wanting to be forwarded internally

Port - Select a port that needs to be forwarded

Protocol Type - Choose between the TCP or UDP port for the port
External Port - The external port (number) wanting to be forwarded internally

Healthy Check Method - The system will perform a connectivity check to see if the NAT rule and load balancer is working properly. Here you can choose between ping, HTTP(S) request, SMTP Helo, DNS Query and TCP connection depending on what connection type is used to reach the server from the outside

Comments

2 comments

Alexandr Bodnari

August 13, 2019 15:43
Hi, my request was to configure PPTP-VPN software on old Apple server in the local network behind Zyfirewall....before reading article I have already done everything years ago and have a working configuration on Zywall 2Plus model. something is not clear in that moment when port 1723 is opened, do i need also PPTP Tunnel ? and combine them in a group? maybe problem is in Policy Control? thanks for attention
0
Rudolf Bargholz

March 11, 2022 20:21

Edited
Every tutorial I have seen tells you to use wan1 as the incoming interface value for the NAT. In our case we had to use wan1_ppp as the incoming source, and then everything works as expected. In the Dashboard you will see the Interface Status Summary, and see the wan1 with a small plus sign. Open the tree list object, and use that object that is associated with the external IP address of the router as the incoming interface of the NAT.

NAT
- Incoming interface: wan1_ppp
- Source IP: any
- External IP: WAN_IP (an ip address object pointing to INTERFACE IP wan1)
- Internal IP: an ip address object of type HOST to the internal IP that the NAT is to be routed to
- Port Mapping Type: Port
- Protocol: any
- External port_ 38080
- Internal Port: 38080
Security Policy 1 Allow
- From: WAN
- To: LAN1
- Source: a group ip object for the allowed fixed IP addresses that can use this policy
- Destination: an ip address object of type HOST to the internal IP that the NAT is to be routed to
- Service: a service object that identifies the port that will be routed
- Action: allow
Security Policy 2 Deny
- From: WAN
- To: LAN1
- Source: any
- Destination: any
- Service: a service object that identifies the port that will be routed
- Action: deny
The first policy will only allow a NAT from the allowed source IP addresses

The second policy, which must be after the first object in the policy list, will explicitly deny any access to the port from a non-allowed IP address.
0