Firewall with Lan to Lan, with a twist!!


    Hello All….

    Here’s what we’re doing this time.

    We will have 2 ZS boxes, call them ZS1 and ZS2, each with ETH00 as internal (lan) side and eth01 as the outside.

    ZS1 will have a VPN to ZS2 for lan to lan connectivity. That’s easy, and we have that running.

    The catch is on ZS2. It will be replacing a firewall with 2 outside IP addresses. One of the addresses will be for the VPN to connect to. The other address on the outside of ZS2 will be used to take smtp, HTTPS, and 3389 traffic to forward into an internal server. We would like people to be able to NAT out to the internet and use the 2nd address on this device.

    The firewall in ZS is complete Greek to a Windows junkie and a self expressed Linux Noob. (No offense to the actual Greek members in the forum…love the gyros!)

    So…how does one configure the static entries on the outside addresses to react differently?

    To be more exact…let’s say that the outside addresses of ZS2 will be and We’ll have the VPN from ZS1 to connect to and we would like inbound SMTP, inbound https, inbound 3389 to respond on the address and be forwarded to an internal lan ip of let’s say Plus…how does one direct internal traffic from users to go out (NAT) and use the address?

    Here’s the interesting part….how does one prevent the address HTTPS from interfering with the remote https administration that I would like to have respond on

    That about sums it up.

    Thanks for everyone’s help

    Tom P


    It is not that hard. If you have static IPs on the 2 ZS it is easier. On the interface of ZS2 add only one static route for the ZS1 WAN interface. On the interface assign the default gateway. On the virtual servers section add the ports to be forwarded on the only! NAT only on the interface, the other one works with the tunnel. Regarding the http administration you may block the interfaces that you don’t want to listen to. There is the https menu on the administration page.
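
The layout discussed in this thread, written out as plain Linux netfilter rules. This is an added example, not part of either post and not Zeroshell's own configuration. Every address is a constructed placeholder (the thread's real addresses are not shown), and the script only prints the rules; it applies nothing.

```shell
#!/bin/sh
# Added example: prints (does not apply) NAT rules for a gateway with two
# outside addresses. All addresses below are constructed placeholders.
VPN_IP="203.0.113.10"        # outside address for the tunnel and HTTPS admin;
                             # deliberately appears in no rule below
SVC_IP="203.0.113.11"        # second outside address: published services + NAT
SERVER="192.168.2.50"        # internal server (assumed)
LAN_NET="192.168.2.0/24"     # LAN behind ZS2 (assumed)
REMOTE_NET="192.168.1.0/24"  # LAN behind ZS1, reached via the tunnel (assumed)
WAN_IF="ETH01"               # outside interface, named as in the post

gen_rules() {
    # Inbound: match the destination ADDRESS as well as the port, so 443 on
    # $VPN_IP is never rewritten and stays with the admin interface.
    for port in 25 443 3389; do
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $SVC_IP -p tcp --dport $port -j DNAT --to-destination $SERVER:$port"
        echo "iptables -A FORWARD -i $WAN_IF -d $SERVER -p tcp --dport $port -j ACCEPT"
    done
    # Outbound: exempt LAN-to-LAN traffic from NAT first (required when the
    # tunnel is policy-based IPsec), then source-NAT everything else leaving
    # the outside interface to the second address.
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -d $REMOTE_NET -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $SVC_IP"
}

gen_rules
```

The FORWARD lines assume the ruleset already accepts ESTABLISHED,RELATED return traffic. Restricting who may reach the HTTPS admin page on the first address is a separate INPUT-side setting, which the reply says lives in the https menu of the administration page.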
