ZyXEL Port forwarding

Hi,

Has anyone got any idea how to port forward properly on a ZyXEL router please?

I have read a few guides and they all say do it through NAT and enter the port and the IP of the machine you want to forward it to but it never works.

I'm just looking to be able to run a public internet service from another machine so the service can be accessed using http://my.internet.ip.address:port but port forwarding never helps.

Any ideas please?

Thanks,
Craig.
 
You have to set up a NAT rule to forward the appropriate port to the correct IP address and you also have to set up a firewall rule to allow that traffic through! Took me months to work this out... seems a very stupid way of doing it and the manual didn't really explain it very well.
 
Back when I got a ZyXEL (652H) it took me a while to get port forwarding working. Not that I couldn't forward the ports, I was quite happy with that. It took me a while to realise that it wasn't running local loopback. This was pretty much essential since it didn't have a local dns server I could use.

A bit of research and I found you can enable local loopback, which will allow you to access internal services from the WAN address. However, with the 652H (and presumably most others) to get this working required editing of config files by Telnet to the router, which was the source of much frustration (the text editor within the Telnet session had not very helpful documentation). At one stage I thought I had bricked it, and had to reflash it via Hyperterminal from the console port. Anywho point is if it's important to you, it's possible to enable nat loopback. I can't remember exactly how, but could have a look. It was something similar to adding 'nat loopback 1' to the console file - not that I can remember the name of it.

HTH, null :)
 
Right, I dug out the manual and tried to remember what it is.

To get to a command line on it, make sure Telnet is enabled (through the web interface). Then click start>run and type in telnet 192.168.1.1 or whatever the router's IP is. Login.

Press 24, enter for the system maintenance menu and then 8, enter for the command interpreter. Just type in "ip nat loopback on" and hit enter, nat loopback is now on. Test it out by opening the web server's WAN address from a LAN client.

Problem is, that's not all of it :( When I did it, I thought wow that wasn't so bad. However, just doing that, nat loopback is no longer enabled the next time the router restarts since it isn't actually stored in the config anywhere, and that's the tricky bit. To add nat loopback to the config you have to edit the file autoexec.net, and add ip nat loopback on the last line (well any line will do but meh). The big difficulty with this is that the text editor, like I said, was not very intuitive.

The command to edit autoexec.net is "sys edit autoexec.net". However it's so long since I did so I just can't remember how to use the editor so you'll have to work it out for yourself. To quote something I found on Google while searching as a memory aid:
had a few typing problems ("pilot error") while editing autoexec.net, so I started over by reloading the firmware. I highly recommend using the serial port connection between the PC and router when doing firmware upgrades. The only issue with the serial connection is strange cursor behavior on menu 24.10 (but this menu works fine using the Telnet interface).
That's pretty much the same as what happened to me, though I didn't realise immediately that I could upload a new firmware via the serial port. But I don't really see any point in me explaining how to do this, since I can't remember anyway you may as well just look at the manual:

ftp://ftp.zyxel.dk/P650_series/document/P650_series_v3-40_UsersGuide.pdf

That's the one for my 652H because I know for a fact that it tells you how to restore the firmware. It should be the same procedure for yours. Don't forget that you of course need a firmware to upload to it, so it might be worth downloading one before editing autoexec.net just in case it does go wrong ;)

And, I think, that's just about it. Finally, have you considered remapping the WebGUI's port to 8080? Then you could run your web service thing on port 80, saving having to specify 8080 every time, unless that's what you want... :)

HTH, null :)
 
Thanks very much :)

Are there any risks in doing the "ip nat loopback on" thing normally (when it doesn't get stored)?

[Edit]
Right, I did it and it works :)

I'll look in to storing it like that some other time.

I've managed to port forward port 8080 properly and I can access it all fine. Am I safe if I have a firewall on the computer I've forwarded port 8080 to or can people now get through on port 8080 ?

Also, where do I type in sys edit autoexec.bat ?

Thanks,
Craig.
 
sys edit autoexec.net in the command interpreter, same as the original nat loopback enabling
Press 24, enter for the system maintenance menu and then 8, enter for the command interpreter.
Craig321 said:
Am I safe if I have a firewall on the computer I've forwarded port 8080 to or can people now get through on port 8080 ?
If the firewall on the computer is set up to allow traffic on port 8080/allow incoming requests to the web server process (which may be the case with Windows XP SP2 firewall) then it should work fine. However, using basic NAT as you are, you shouldn't need a firewall if you can trust all the PCs on the LAN. Just makes things easier to configure. Not a bad idea at all to run one either though :)

HTH, null :)
 
tolien said:
I'm not denying that - but you were asking about the need for a firewall :p

Yeah was just wondering as if I've got port 8080 forwarded to an unfirewalled PC then surely people can hack through port 8080 ?

Or does that all depend on the software I'm using?

Craig.
 
Unless the firewall's doing some kind of intrusion prevention (ie scanning every packet with some kind of signature), it isn't going to do you any good (since most firewalls are blocking based on port or IP address).

You're more or less dependent on the server not having any (exploitable) vulnerabilities.
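
Added example (not part of the thread, and not ZyXEL code): a small Python check an owner can run against their own WAN address after setting up the forward, to confirm that only the intended port answers and to see which server software is exposed and therefore has to be kept patched. The function names and the local demo server standing in for the forwarded machine are assumptions made for this example.

```python
import http.client
import socket
import socketserver
import threading
from http.server import BaseHTTPRequestHandler

def probe(host, port, timeout=2.0):
    """Classify a TCP port as 'open', 'closed' (refused) or 'filtered' (no answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeouts, unreachable host, etc.
        return "filtered"

def server_header(host, port, timeout=2.0):
    """Return the HTTP Server header: the software that is actually exposed."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Server")
    finally:
        conn.close()

def audit_exposure(host, intended, candidates, timeout=2.0):
    """Compare what answers on `host` with the ports you meant to forward."""
    intended = set(intended)
    results = {p: probe(host, p, timeout) for p in sorted(intended | set(candidates))}
    reachable = {p for p, state in results.items() if state == "open"}
    return {
        "results": results,
        "missing": sorted(intended - reachable),     # NAT or firewall rule not working
        "unexpected": sorted(reachable - intended),  # exposed without being intended
    }

class _DemoHandler(BaseHTTPRequestHandler):
    def do_HEAD(self):
        self.send_response(200)
        self.end_headers()
    def log_message(self, *args):  # keep the demo quiet
        pass

def start_demo_server():
    """Constructed stand-in for the forwarded machine: local HTTP server on a free port."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

if __name__ == "__main__":
    srv, port = start_demo_server()
    print(audit_exposure("127.0.0.1", intended=[port], candidates=[port]))
    print("Server:", server_header("127.0.0.1", port))
    srv.shutdown()
```

Run from outside the LAN, a port listed under "missing" points at the NAT rule or the router firewall rule; run from inside, it only works once NAT loopback is on.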
 