How-to guide on connecting two sites using a Zyxel Zywall product.

The purpose of this guide is to demonstrate the proper setup for a point-to-point link between two sites using the Zyxel Zywall product line. This configuration is only recommended when a dedicated link connects the two sites. In this example we are using a Zyxel Zywall USG 50 on both ends. Here is the logical layout of the scenario:

Dual_Site_Config

The objective in this case is to allow the subnet at SITE A to communicate with the subnet at SITE B. This scenario works when each site has its own internet connection. We want to take this one step further and demonstrate the ability to use a single internet connection for both sites. This also applies to situations where there is a server at one site and you would like to access its services from the second site.

We will start with the configuration for SITE A. Here is a screenshot for the interfaces on SITE A router:

ZyxelUSG50_Interface

The inside interface, or office network, for SITE A is lan1. The point-to-point connection is plugged into the DMZ interface with IP address 192.168.3.1. The same applies for SITE B. The inside interface, or office network, is lan1. The opposite end of the point-to-point connection is plugged into the DMZ with IP address 192.168.3.2. Now that we have this configured, we need to create our routes:

ZyxelUSG50_staticRoute

In the above screenshot we create a Static Route so that the Zywall knows that any traffic that is destined for the SITE B subnet, 192.168.88.0/24, is routed to the Next-Hop 192.168.3.2. The IP address 192.168.3.2 is the DMZ interface for the router at SITE B. Once the route is in place, we need to create the firewall rules to allow the traffic to pass through:

ZyxelUSG50_FirewallRules

In the above screenshot, the only rules we’ve added are the top two. The first rule allows traffic from SITE A, destined for SITE B, to travel across the DMZ. The second rule allows traffic coming from SITE B, destined for SITE A, to come from the DMZ.

To program the router at SITE B, follow the above steps again. The difference is that the local subnet and remote subnet need to be reversed. The Next-Hop will also be the remote DMZ, which has an IP address of 192.168.3.1. Here is a recap:

SITE A:

  • lan1 interface = 10.100.1.0/24
  • dmz interface = 192.168.3.1
  • route = Destination:192.168.88.0/24 — Next-Hop:192.168.3.2
  • Firewall Rule 1 = FROM:lan1 TO:DMZ SOURCE:lan1_subnet DESTINATION:Remote_lan1
  • Firewall Rule 2 = FROM:DMZ TO:lan1 SOURCE:Remote_lan1 DESTINATION:lan1_subnet

SITE B:

  • lan1 interface = 192.168.88.0/24
  • dmz interface = 192.168.3.2
  • route = Destination:10.100.1.0/24 — Next-Hop:192.168.3.1
  • Firewall Rule 1 = FROM:lan1 TO:DMZ SOURCE:lan1_subnet DESTINATION:Remote_lan1
  • Firewall Rule 2 = FROM:DMZ TO:lan1 SOURCE:Remote_lan1 DESTINATION:lan1_subnet

The final step in the whole process is to use the internet connection at one site for both locations. In this example we are going to use the internet connection at SITE A to provide internet access at SITE B. The only addition needed to make this work is one Static Route on the SITE B router:

ZyxelUSG50_Internet

On the SITE B router we add a static route with a destination of 0.0.0.0 (the default route) and the Next-Hop 192.168.3.1, which is the DMZ address of the router at SITE A.
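As an added example that is not part of the original guide, the following Python model encodes the recap for both routers and walks a packet through each site's static routes and the two firewall rules, so a mismatched subnet or next hop shows up before it is typed into the Zywall. It assumes the DMZ link is 192.168.3.0/24 and that the firewall is default-deny; neither is shown in the screenshots.

```python
import ipaddress as ip

# Constructed model of the recap above (example code, not a ZyWALL export).
# Assumption: the DMZ link is 192.168.3.0/24; the guide gives only the two host addresses.
DMZ_LINK = ip.ip_network("192.168.3.0/24")
SITES = {
    "A": {"lan1": ip.ip_network("10.100.1.0/24"), "dmz": ip.ip_address("192.168.3.1"),
          "remote": ip.ip_network("192.168.88.0/24"),
          "routes": [(ip.ip_network("192.168.88.0/24"), ip.ip_address("192.168.3.2"))]},
    "B": {"lan1": ip.ip_network("192.168.88.0/24"), "dmz": ip.ip_address("192.168.3.2"),
          "remote": ip.ip_network("10.100.1.0/24"),
          "routes": [(ip.ip_network("10.100.1.0/24"), ip.ip_address("192.168.3.1")),
                     (ip.ip_network("0.0.0.0/0"), ip.ip_address("192.168.3.1"))]},
}

def next_hop(site, dst):
    """Longest-prefix match over the connected networks and the site's static routes."""
    dst, cfg = ip.ip_address(dst), SITES[site]
    candidates = [(cfg["lan1"], "connected:lan1"), (DMZ_LINK, "connected:dmz")]
    candidates += [(net, str(gw)) for net, gw in cfg["routes"]]
    matches = [(net.prefixlen, hop) for net, hop in candidates if dst in net]
    return max(matches)[1] if matches else None

def permitted(site, from_zone, to_zone, src, dst):
    """The two allow rules from the recap; anything else falls to default deny (assumed)."""
    cfg, src, dst = SITES[site], ip.ip_address(src), ip.ip_address(dst)
    rules = [("lan1", "DMZ", cfg["lan1"], cfg["remote"]),   # Firewall Rule 1
             ("DMZ", "lan1", cfg["remote"], cfg["lan1"])]   # Firewall Rule 2
    return any(f == from_zone and t == to_zone and src in s and dst in d
               for f, t, s, d in rules)

def trace(src, dst):
    """Walk a lan1-to-lan1 packet through both routers; returns (ok, reason)."""
    here = next((s for s, c in SITES.items() if ip.ip_address(src) in c["lan1"]), None)
    if here is None:
        return False, "source is not on either lan1 subnet"
    if not permitted(here, "lan1", "DMZ", src, dst):
        return False, f"site {here}: lan1->DMZ denied"
    hop = next_hop(here, dst)
    there = next((s for s, c in SITES.items() if str(c["dmz"]) == hop), None)
    if there is None:
        return False, f"site {here}: next hop {hop} is not the peer DMZ address"
    if not permitted(there, "DMZ", "lan1", src, dst):
        return False, f"site {there}: DMZ->lan1 denied"
    return True, f"{here} -> {hop} -> {there} lan1"

if __name__ == "__main__":
    print(trace("10.100.1.20", "192.168.88.30"))   # site-to-site, A to B
    print(trace("192.168.88.30", "10.100.1.20"))   # site-to-site, B to A
    print(next_hop("B", "8.8.8.8"))                # SITE B internet via SITE A's DMZ address
```

Swapping the two subnets on SITE B (the mistake the recap warns about) makes the A-to-B trace fail at the SITE B DMZ->lan1 rule, which is exactly the symptom seen on a half-configured pair.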