This step-by-step guide shows how to let the NXC controller act as a router, like a USG.
Introduction
The NXC series normally works solely as a WiFi controller, which means no outbound routing rules are configured on the NXC. This matters because when you route traffic out of the device, you have to make sure that proper Source Network Address Translation (S-NAT) is applied to the route.
But sometimes you might need to set up your NXC so that it works as a router. In this case, setting up an outbound routing rule with S-NAT is crucial for functionality. How can you do so on an NXC2500? We will tackle this setup in this article.
Procedure
The interfaces of the NXC by default are defined by VLANs, which are set on top of the physical Ethernet interfaces. The physical interfaces are then linked to the VLAN as a member. This membership, however, can be deactivated, so that we can use the physical interface properly, decoupled from VLAN settings. This is our first important step to take when setting this up.
We choose GE1 as the "WAN" port of the NXC.
Make sure that you are connected via a different port than P1; otherwise, you will lock yourself out of the unit while setting this up.
- Log on to the NXC using the admin credentials (by default, username = admin; password = 1234). The default IP should be 192.168.1.1.
- Navigate to Configuration > Network > Interface > VLAN (tab), double-click VLAN0 (which by default has all Ethernet ports set as untagged members), remove ge1's membership and click "OK".
- You have now decoupled the physical interface ge1 from VLAN0. Navigate to Configuration > Network > Interface > Ethernet (tab), double-click ge1 to edit it, set it up as an external interface and set the IP address either statically or dynamically, as needed within your setup:
- ge1 is now set up far enough that it can act as a WAN port. However, we still haven't taken care of the initial problem: packets sent out of ge1 must have their source address changed to ge1's IP address, the so-called S-NAT. Navigate to Configuration > Network > Routing > Policy Route (tab), add a new route and set it up according to your criteria. In this example, we simply send anything coming from VLAN0 out towards the ge1 interface (see screenshot below).
- Let's recap for a moment. The special thing about the NXC is that, by default, policy routes show no S-NAT settings. If you set up the route in a hurry, it will still not work, because S-NAT is set to None. This means that traffic sent out via the route is not changed: its source address is kept (in this case, an address from VLAN0). As a result, when the reply tries to find its way back, the packet will not be accepted by ge1, because WAN and LAN are separate broadcast domains. ge1 considers the packet to belong not to itself but to the other client, and the gateway router of ge1 will drop the packet, because no device considers itself responsible for it.
- To change the S-NAT settings of the NXC, go to the top of the "Edit" page and click the "Advanced Settings" button. Scroll to the very bottom, where the S-NAT behavior can be defined, and change it to "outgoing-interface". This changes the source address of packets leaving ge1 to ge1's actual IP address, which in turn makes ge1 "feel" responsible for the replies coming back to these packets.
  See the screenshot below for reference:
- That's basically all there is to it; the process as such is done! Congratulations!
Afterthoughts
If we recap the situation, there might be two very important things to consider:
Firstly, the NXC is not designed to be a high-performance router! The maximum traffic that can be pushed through the NXC is quite limited, about 100 - 200 Mbps at most.
Also, there are no firewall rules in place, so running the NXC as a fully capable firewall is a very tedious task, since you have to add all the firewall rules in question manually.
Also, if you check the route we just created, you might think that we have now interrupted internal traffic between VLAN0 clients, since we forward all traffic from VLAN0 out of the ge1 interface.
But do not fear: most Zyxel devices, such as USGs, NXCs and others, have so-called Direct Routes, which the unit processes before the Policy Routes. The direct routes determine that, as soon as internal traffic crosses the NXC, this traffic is forwarded first.
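The following Python model is an added example, not Zyxel code or part of the original article. It traces the two behaviours described above: direct routes are matched before the policy route, and a reply only comes back when S-NAT is set to "outgoing-interface". The WAN subnet, ge1's address, the client and remote addresses, and the assumption that the upstream gateway has no route to VLAN0 are all constructed for illustration.

```python
import ipaddress as ip

# Constructed addressing (assumptions, not taken from the article's screenshots).
VLAN0 = ip.ip_network("192.168.1.0/24")    # LAN side (the NXC default subnet)
WAN = ip.ip_network("203.0.113.0/24")      # subnet between ge1 and its gateway
GE1_IP = ip.ip_address("203.0.113.10")     # address assigned to ge1

DIRECT_ROUTES = {VLAN0: "vlan0", WAN: "ge1"}          # connected networks
POLICY_ROUTES = [{"src": VLAN0, "next_hop": "ge1"}]   # the rule from the guide


def route(src, dst):
    """Pick the egress interface: direct routes are checked before policy routes."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    for net, iface in DIRECT_ROUTES.items():
        if dst in net:
            return iface, "direct"
    for rule in POLICY_ROUTES:
        if src in rule["src"]:
            return rule["next_hop"], "policy"
    return None, "no-route"


def forward(src, dst, snat, nat_table):
    """Send one packet; return the source address seen upstream of ge1."""
    iface, _ = route(src, dst)
    if iface != "ge1":
        return None                          # never leaves via the WAN port
    if snat == "outgoing-interface":
        # Simplified state table; real NAT also tracks protocol and ports.
        nat_table[(str(GE1_IP), dst)] = src
        return str(GE1_IP)
    return src                               # snat "none": source is kept


def reply_delivered(seen_src, remote, nat_table):
    """Return the client that gets the reply, or None if it is dropped upstream."""
    if ip.ip_address(seen_src) not in WAN:
        return None      # assumed: the gateway has no path back to VLAN0 addresses
    return nat_table.get((seen_src, remote))  # NXC reverses the translation


if __name__ == "__main__":
    for mode in ("none", "outgoing-interface"):
        table = {}
        seen = forward("192.168.1.50", "198.51.100.7", mode, table)
        print(mode, "->", seen, "| reply reaches:",
              reply_delivered(seen, "198.51.100.7", table))
```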
Enjoy your new setup! If any issues pop up, do not hesitate to contact our support team.
Also interesting:
Do you want to take a look at one of our test devices directly? Have a look here in our Virtual Lab:
Virtual Lab - NXC Professional WiFi Solution
KB-00320
