UCM routing on multi ip public


hi, everybody,

I have to activate a UCM 6208 at a customer having a special situation with a package of public ip (as an example), I wanted to ask you for advice as in queue there will be a firewall with other public ip…
This is the scenario/guide of Draytek 2862 example + its link (imagine having a Zyxel Firewall instead of the server in the figure)

Referring to the scheme and the link posted, I have to tell the Router that uses the range of public ips
so the example router will have local ip with DHCP off and public ip and public gw
UCM and gw (UCM imagine it instead of the pc in the top left corner of the photo)
Firewall Wan Zyxel - Local firewall Lan (the then sets their example computer, of course all network infrastructure behind the firewall will have the Firewall LAN as gw

I hope I have explained myself well and above all I hope I have understood well what I must do.

Do you think there are any mistakes in my project?
Could the firewall class be or should it be different from Drytek 2862? (if the same would be better so PCs can reach UCM for LDAP etc…)
Does the QoS on the Draytek also affect the Zyxel Firewall? (being upstream)

I imagine that at this point all that concerns ip public only concerns the Draytek and instead ip public only the Firewall Zyxel (with its rules towards the Lan).

Advice and variations are welcome :slight_smile:


I think you are after hairpin nat, and assigning a public ip to an internal nic… should be able to program it on the router if noy replace it with something that can


Without knowing more about the Zyxel, why two routers? I assume the Zyxel is there because it is a USG or other high-end security device?
On which network will the phones be located?
Are both the 192.168.X.X and the on the same LAN cable?

You shouldn’t place the Draytek behind the Zyxel, This is double NATting and it will compromise the messaging.


Good pickup Larry… I thought it was only 1…

Damiano, you would have to change to one firewall only… double nat is bad…


I apologize is a messed up situation for me too, with the screen below I hope to make the idea and add:

  • I am aware that in VoIP there must be no double NAT (UCM is connected in fact on the Draytek and comes before the Firewall Zyxel)
  • the double NAT is probably in the infrastructure after the Zyxel Firewall, and not being there VoIP in that area does not cause me problems at the UCM.


My questions still remain. Why 2 routers? Phones on 192. Network? One LAN cable or two? The diagram does not show a switch, leaving the implication two completely different networks/cables.

The Draytek can handle multiple WAN IPs using the alias function and if the Zxyel is not a home version, it too can handle multiple IPs via their virtual interface function.


Unfortunately, the current Zyxell firewall is managed by the client’s IT system, which does not want to remove it, so I have to find a solution.
The zyxel does not manage the QoS (at least it does not manage it properly), so I have to find a solution that suits everyone, the 2862 only manages the Voip part (then UCM and its phones), and the zyxel only the PC network, etc. … the customer (I changed the screen above)



yes, unfortunately the QoS of Zyxel is not even comparable to that of the Draytek, impiaga us about 3 seconds to “wake up” and in the VoIP is not available, however I do not manage the Zyxel (fortunately), so I only look for a solution that can make the 2 parts agree :slight_smile:


Ok, but my question still remains -

Is the output from each router physically separate all the way to the endpoints or do they share a common cable?


I think that as I intend to do it the Draytek manages its own local network “192” (VoIP only) and public ip “1”, the firewall manages a local network “10” and public ip “2”, I imagine that being able to see the local class “192” with the local network “10” will be done on the Draytek, but I do not think I will be interested in doing it


Well, however you end up doing it, good luck.


should my project be working?


Don’t know.

Using the IP routed subnet is not an issue, but the way you made it seem is that the client IT company does not want anything to do with you and vice versa. I am wondering how they will take the idea of all streams being dependent on the Draytek that only you control? It is more of a hypothetical question and maybe they have no concerns at all.


this is not a problem, my question is only if my project will work, I asked several engineers who have told me yes, but I have doubts.


It will work if you set up according to the Draytek KB which you posted. If in doubt set-up a test using two Drayteks in your office.


my doubt is the Zyxel, I don’t know him, I don’t have any at my disposal and I absolutely don’t like him, however I thank you