Centro Business PSB4212N (IP passthrough) + ZyWALL USG 300

Scenario:

- Subscription: MY PME OFFICE L + Option: Fixed IP

- Centro Business PSB4212N

FW Version: 7.10.10

WAN Connection: WAN-VDSL-PPP
WAN Mode & Profile: VDSL2, Profile 17a, PTM Mode

- ZyXEL ZyWALL USG 300

FW Version: 3.30(AQE.7)C0

-----

Hello, I had a Business Internet Light + Fixed IP + SME Office 4* subscription with a ZyXEL P870 bridge modem with an ISDN Multi-line and a ZyWALL USG 300 router/firewall to manage everything else (VPNs, PPPoE connection, etc.). The Bluewin TV was on another Centro Grande router and on a second line.

Currently, I have just migrated to “ALL IP” with My PME Office L + Fixed IP, and I only have a Centro Business to manage IP telephony, Bluewin TV, PPPoE connection, etc. The only problem is that I can’t set the ZyWALL USG 300 firewall to manage VPNs and have access to the Centro Business IP (192.168.1.1) for other reasons. Bridge or PPPoE Passthrough mode works for VPNs and to manage the PPPoE connection, but then there is no more access to the Centro Business router (192.168.1.1).

I then saw that we can create a DMZ, that is to say, activate IP passthrough (Local security gateway) on LAN1. I tried to do it but without success; on the ZyWALL USG 300, I configured the WAN port as follows (according to the help of the Swisscom hotline and the documentation):

WAN Interface (ge7)

IP: 172.31.255.6
SUBNET MASK: 255.255.255.252
GATEWAY: 172.31.255.5
DNS1: 195.186.1.162
DNS2: 195.186.4.162

-----

LAN Interface (ge1)

IP: 192.168.10.1

SUBNET MASK: 255.255.255.0
DHCP: 192.168.10.33 - 192.168.10.50

-----

With this config I cannot see (ping) the Centro Business on IP 192.168.1.1, nor do I have Internet on a client PC in the subnet 192.168.10.0/24. On the other hand, if I directly connect the cable from LAN1 (Centro Business side) to a PC network card and enter the same configs as for the WAN port, that is to say:

IP: 172.31.255.6
SUBNET MASK: 255.255.255.252
GATEWAY: 172.31.255.5
DNS1: 195.186.1.162
DNS2: 195.186.4.162

I have the Internet working and I can ping 192.168.1.1, so everything works as I want, but that doesn’t solve my problem with the ZyWALL USG 300.

Can you help me please?

Thank you in advance for your response,

Best regards.


Hello Xtreme66, for your case you must have the subscription MY PME OFFICE + Option: Fixed IP, it seems to me, but my problem is more complex. I just had Swisscom technicians connected remotely, but they have not yet found the solution…


@Suissinho

Before switching to All IP, I’m getting my hands on this Centro Business coupled with a Zywall USG 40, as I’m still with a Business Internet Light + Fixed IP + PME Office ****.

Currently, Centro Business is local, no internet access. The line is only available on weekends.

That being said, using your settings, I see that I can ping and trace the Centro Business (192.168.1.1) from a PC (192.168.110.XXX) which is behind the Zywall USG 40 (192.168.110.2).

Lan1 (Centro Business) -> Wan (Zywall USG 40)

NB: I have not yet been able to test, for the reasons already mentioned, whether internet access is possible for the network behind the Zywall USG 40.

Good evening everyone

[image: 1.jpg]

[image: 2.jpg]


Thanks Xtreme66, but if you have not activated the option “IP passthrough (Local security gateway) on LAN1” in the Centro Business, you cannot have done the same test as me… or else show me the configs on the ZyWALL WAN port and the Centro Business configs in “Settings > Router”.

I was told that for my case it is necessary to create a static route in the ZyWALL towards the WAN port with the Swisscom IP, but I do not yet know how to do it… I am still looking…

[image: img1.png]

[image: img.png]

THANKS,

Greetings


Suisso wrote: if you did not activate the option in the Centro Business “IP passthrough (Local security gateway) on LAN1” you cannot have done the same test as me…

[image: ip.jpg]

This option is naturally activated (“IP passthrough (Local security gateway) on LAN1”).

In the device (Centro Business), the IP of the Zywall USG 40 is static (IP: 172.31.255.6).

For your static routing, maybe this document can help you.

I’ll give you a printscreen as soon as I have a moment….


[image: 40-3.jpg]

[image: 40-2.jpg]

With this configuration, I access Centro Business from my PC (192.168.1.1)

I still have to check if internet access is possible with this configuration. We’ll see all that at the end of the week.

[image: IMG_20151117_201311.JPG]


Thank you very much for this information, I will seriously have to re-test!

Can you send me printscreens of the following settings of your ZyWALL USG40 please:

- “Configuration > Routing > Routing rules”

- “Configuration > Routing > Static routing”

- “Configuration > Firewall”

- “Configuration > Interface > Ethernet > lan1”

Thanks in advance,

Best regards.


Good evening,

I started from a basic configuration at the Zywall level, so after a hard reset. The same goes for Centro Business.

No changes have been made to routing rules, static routing, or the firewall.

For lan1, I simply modified the IP address of lan1 and its DHCP range.

For Wan, the modifications are those available above.

I added my user/pass on wan1_ppp for access to the Swisscom server with the fixed IP information.

At the Centro Business level, I added the Zywall USG 40 IP as a static IP.

For the rest, I need to have the VDSL2 line to check that everything works.

I hope you can find the solution…


@Suissinho

Hi,

a possible solution:

You keep your Centro Business configuration, LAN port 1 in IP Passthrough mode to the WAN port of your USG.
This will give you a public IP on your USG and you will therefore have your VPN management.

On your USG 300, if you have free Ethernet ports on the LAN side, take a port, put it in the DMZ Zone.
Then you configure it with these parameters on the DMZ ethernet interface:

IP 192.168.1.2 (of course if you don’t use it for anything else, and it must be outside the DHCP of the Swisscom router)
Mask 255.255.255.0
No DHCP.

Once done you go to Configuration => Routing => Static route => add

You put this:

[image: static route to Centro business.PNG]

You put an Ethernet cable between your DMZ port and one of the 3 remaining ports of the Centro Business, and you should be able to ping your history.

If that doesn’t work, simply go to Configuration => Interface => Port role and put your port (P1-5) in the same zone as you (LAN1 if your personal network is in LAN1).

Test and let me know.

Jimmy


Hello Jim1926, thank you for your response.

I tested as you said but I managed to make it simpler.

Here are my configs and the solution:

Centro Business PSB4212N

[image: 1.png]

IPv4 settings:

Source | Status  | Enable | IP address  | Subnet mask
Static | Enabled | true   | 192.168.1.1 | 255.255.255.0

Main FW Version: 7.10.10
xDSL Version: A2pv6C038q.d24j

-----

LAN IPv4: 192.168.1.1
LAN IPv6: fe80::ea74:e6ff:fe70:e955
WAN Connection: WAN-VDSL-PPP
WAN Mode & Profile: VDSL2, Profile 17a, PTM Mode, Showtime

-----

Routing:

[image: routing_table.png]

ARP:

[image: arp.png]

[image: img.png]

ZyWALL USG 300

[image: 2.png]

Interface Properties

Interface Type: external
Interface Name: ge7
Area: WAN

IP Address Assignment
Use Fixed IP Address:
IP Address: 172.31.255.6

Subnet Mask: 255.255.255.252
Gateway: 172.31.255.5

[image: 3.png]

Interface Properties

Interface Type: internal
Interface Name: ge1
Area: LAN1

IP Address Assignment

IP Address: 192.168.10.1
Subnet Mask: 255.255.255.0

[image: 6.png]

The problem I had was the following (from a .pdf):

Before Firmware version 2.20, SNAT operated via the Policy Route. From version 2.20 a new function “Default SNAT” is implemented; with this new function the Policy Routes for SNAT are no longer necessary. After a Firmware update all USG interfaces are by default defined with the “general” type. In order to use the “Default SNAT” the interfaces must be changed to the “internal” or “external” type. All interfaces which belong to the local network (LAN zone, DMZ, WLAN, etc.) must be defined with the type “internal”, and all interfaces which connect for example to the Internet (WAN zone) must be defined with the type “external”. The “Default SNAT” only passes between an “internal” interface and an “external” interface.

A little diagram:

[image: schema.jpg]

Best regards
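The “Default SNAT” note above is the kind of thing that is easy to check offline before opening a ticket. The following script is an added example written for this thread, not code from the poster, Swisscom or ZyXEL: it models the posted topology (Centro Business LAN1 in IP passthrough feeding USG ge7, clients on ge1) with Python’s standard `ipaddress` module, works out which USG interface a packet to 192.168.1.1 leaves by, and reports whether Default SNAT will apply to it. The interface table and the `retype` helper are constructed for the example; the interface-type rule (internal -> external only) is taken from the quoted PDF text.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed model of the setup posted in this thread: Centro Business LAN1 in
# IP passthrough mode feeding the ZyWALL USG WAN port (ge7), LAN clients on ge1.
# The "type" values are the ones the "Default SNAT" note requires.
INTERFACES: Dict[str, dict] = {
    "ge7": {"zone": "WAN", "type": "external",
            "addr": ipaddress.ip_interface("172.31.255.6/30")},
    "ge1": {"zone": "LAN1", "type": "internal",
            "addr": ipaddress.ip_interface("192.168.10.1/24")},
}
DEFAULT_GATEWAY = ipaddress.ip_address("172.31.255.5")  # Centro Business, passthrough side
CENTRO_MGMT = ipaddress.ip_address("192.168.1.1")       # Centro Business web UI


def directly_connected(interfaces: Dict[str, dict],
                       dst: ipaddress.IPv4Address) -> Optional[str]:
    """Name of the interface whose own subnet contains dst (longest prefix wins), else None."""
    best = None
    for name, iface in interfaces.items():
        net = iface["addr"].network
        if dst in net and (best is None
                           or net.prefixlen > interfaces[best]["addr"].network.prefixlen):
            best = name
    return best


def egress_interface(interfaces: Dict[str, dict], dst: ipaddress.IPv4Address,
                     gateway: ipaddress.IPv4Address) -> Optional[str]:
    """Connected route first; otherwise the default route, which leaves by whichever
    interface can reach the gateway. None means there is no path at all."""
    return directly_connected(interfaces, dst) or directly_connected(interfaces, gateway)


def default_snat_applies(interfaces: Dict[str, dict], ingress: str, egress: str) -> bool:
    """Default SNAT (USG firmware 2.20 and later) only translates internal -> external.
    An interface left as "general" after a firmware upgrade gets no SNAT at all."""
    return (interfaces[ingress]["type"] == "internal"
            and interfaces[egress]["type"] == "external")


def retype(interfaces: Dict[str, dict], name: str, new_type: str) -> Dict[str, dict]:
    """Copy of the table with one interface's type changed, for what-if checks."""
    copied = {n: dict(i) for n, i in interfaces.items()}
    copied[name]["type"] = new_type
    return copied


def check_passthrough(interfaces: Dict[str, dict], gateway: ipaddress.IPv4Address,
                      ingress: str, client_dst: ipaddress.IPv4Address) -> List[str]:
    """Sanity checks for the passthrough WAN config; an empty list means all clear."""
    findings: List[str] = []
    if directly_connected(interfaces, gateway) is None:
        findings.append(f"gateway {gateway} is not inside any interface subnet")
    nets = [i["addr"].network for i in interfaces.values()]
    for a in range(len(nets)):
        for b in range(a + 1, len(nets)):
            if nets[a].overlaps(nets[b]):
                findings.append(f"overlapping subnets {nets[a]} and {nets[b]}")
    out = egress_interface(interfaces, client_dst, gateway)
    if out is None:
        findings.append(f"no route from {ingress} to {client_dst}")
    elif not default_snat_applies(interfaces, ingress, out):
        findings.append(f"{ingress} -> {out} traffic will not be source-NATed: interface "
                        f"types are {interfaces[ingress]['type']}/{interfaces[out]['type']}")
    return findings


if __name__ == "__main__":
    print("working config:", check_passthrough(INTERFACES, DEFAULT_GATEWAY, "ge1", CENTRO_MGMT))
    # The post-upgrade state described in the quoted PDF: ge7 still typed "general".
    after_upgrade = retype(INTERFACES, "ge7", "general")
    print("after upgrade:", check_passthrough(after_upgrade, DEFAULT_GATEWAY, "ge1", CENTRO_MGMT))
```

Run as is it prints an empty finding list for the posted config and a single SNAT finding once ge7 is set back to “general”, which is the symptom the thread describes: the route exists, the gateway is reachable, but LAN clients still get no Internet because their private source addresses are never translated.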


@Suisso Thank you for your feedback,

I didn’t understand what IP passthrough was, so my solution was not suitable.
It’s a funny solution that Swisscom is proposing… With their history you therefore have no public IP on your USG.

I now understand why it didn’t work and this might help me.

Impec, that’s good to know.

Greetings


@Xtreme66 You’re welcome 🙂

@Jim1926 Exactly, it’s not a real DMZ, so I didn’t have the public IP on the WAN, as we could do before on Netopia (Motorola) with the “IP Transparency” function. According to the information I have had, to have access to the “Public DMZ” function with Centro Business you need at least a range of 4 Fixed IPs (20.–/month). Info here.

[image: dmz.png]

For the moment, the IP Passthrough solution with 1 Fixed IP suits me.


@Suisso

I was finally able to test the configuration that I described previously (Centro Business (IP Passthrough) + Zywall USG 40), everything works perfectly. The internet connection works perfectly for all users.

I have a quick question for Zywall USG users and @Suisso: with your Zywall, have you already performed the GRC test (ShieldsUP!)?

Usually all ports are Stealth with my old Zywalls, but in the case of Zywall USG 40, port 1 is Closed and not Stealth.

Port: 1

Name: tcpmux

Purpose: TCP Port Service Multiplexer

And what about at your end?

@+


@Xtreme66 here are my results:

[image: grc.png]

[image: grc1.png]

Just to complete, I did scans with NMAP:

Nmap scan report for XXX.XXX.XXX.XXX.static.wline.lns.sme.cust.swisscom.ch (XXX.XXX.XXX.XXX)

PORT STATE SERVICE
53/tcp open domain

-----

Nmap scan report for 172.31.255.5

PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain

-----

Nmap scan report for 172.31.255.6

PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
443/tcp open https

-----

Nmap scan report for 192.168.1.1

PORT STATE SERVICE
53/tcp open domain
80/tcp open http
443/tcp open https

-----

Nmap scan report for 192.168.10.1

PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
443/tcp open https

-----

Best regards
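The scan output above is worth reading against the interface zones, because the interesting result is not the closed ports but the management services (22, 80, 443) answering on 172.31.255.6, which is the USG’s WAN-zone interface ge7. The script below is an added example written for this thread, not the poster’s tooling: it parses the posted `Nmap scan report` lines (copied here as a constructed sample, public address masked exactly as the poster masked it), groups open ports per host, and flags management ports on any host mapped to an untrusted zone. The `ZONES` mapping is an assumption built from the interface listing earlier in the thread; whether those ports are really reachable from the Internet depends on where the scan was run from, which the post does not say, so the script only raises them for review.

```python
import re
from collections import namedtuple
from typing import Dict, Iterable, List, Set

# Constructed copy of the nmap report lines posted in the thread (public
# address masked by the poster as XXX.XXX.XXX.XXX).
NMAP_OUTPUT = """\
Nmap scan report for XXX.XXX.XXX.XXX.static.wline.lns.sme.cust.swisscom.ch (XXX.XXX.XXX.XXX)

PORT STATE SERVICE
53/tcp open domain

Nmap scan report for 172.31.255.5

PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain

Nmap scan report for 172.31.255.6

PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
443/tcp open https

Nmap scan report for 192.168.1.1

PORT STATE SERVICE
53/tcp open domain
80/tcp open http
443/tcp open https

Nmap scan report for 192.168.10.1

PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
443/tcp open https
"""

# Assumed zone of each scanned address, from the interface listing in the thread:
# ge7 = WAN, ge1 = LAN1; the .5 and 192.168.1.1 addresses belong to the Centro Business.
ZONES: Dict[str, str] = {
    "XXX.XXX.XXX.XXX": "Internet",
    "172.31.255.5": "ISP-router",
    "172.31.255.6": "WAN",
    "192.168.1.1": "ISP-router",
    "192.168.10.1": "LAN1",
}
MANAGEMENT_PORTS: Set[int] = {22, 80, 443}   # SSH and the USG web UI

Port = namedtuple("Port", "number proto state service")

# "Nmap scan report for <host>" optionally followed by " (<ip>)"
HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?$")
# "<port>/<proto> <state> <service>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*$")


def parse_nmap(text: str) -> Dict[str, List[Port]]:
    """Group the port lines of a normal-format nmap report under their host.
    The key is the address in parentheses when present, else the bare host token."""
    hosts: Dict[str, List[Port]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            current = m.group(2) or m.group(1)
            hosts[current] = []
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            hosts[current].append(Port(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return hosts


def exposed_management(hosts: Dict[str, List[Port]], zones: Dict[str, str],
                       untrusted: Iterable[str] = ("WAN", "Internet"),
                       mgmt: Set[int] = MANAGEMENT_PORTS) -> Dict[str, Set[int]]:
    """Hosts in an untrusted zone that have a management port open (review list)."""
    flagged: Dict[str, Set[int]] = {}
    for host, ports in hosts.items():
        if zones.get(host) not in untrusted:
            continue
        open_mgmt = {p.number for p in ports if p.state == "open" and p.number in mgmt}
        if open_mgmt:
            flagged[host] = open_mgmt
    return flagged


if __name__ == "__main__":
    parsed = parse_nmap(NMAP_OUTPUT)
    for host, ports in parsed.items():
        print(f"{host:16} {ZONES.get(host, '?'):10} open: {[p.number for p in ports]}")
    print("management ports to review:", exposed_management(parsed, ZONES))
```

For the posted output this lists all five hosts and flags only 172.31.255.6 with {22, 80, 443}. On the USG the fix is the usual one: restrict the management services (`Configuration > System`) and the WAN-zone firewall rules so that SSH and the web UI are reachable from the LAN zone only, then re-run the scan from the passthrough side to confirm.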
