The topology is as follows: the AR28 dials PPPoE to obtain the public IP address, the USG50 works in routing mode, and the terminal PC accesses the network through an L2 switch. The terminal PC can ping the public IP address but cannot access web pages.
1. The public network IP address can be pinged, so routing is not the problem; the fault may lie with DNS. Setting the DNS server manually did not help. Pinging WWW.BAIDU.COM showed that the domain name could not be resolved even though the DNS address could be pinged, that is, the request being sent did not reach the public network. The session table of the USG50 shows the outgoing request message but no response message, so the firewall is not the problem.
2. Remove the firewall, connect the PC directly, and configure its address in the same network segment as the inbound interface of the AR28: the PC can access the external network. Reconnect the firewall and configure NAT on it to translate the source address to the outbound address of the firewall: the PC can again access the external network. Checking the NAT configuration of the AR28 shows that the ACL permits only source addresses in the network segment of the USG50 outbound interface address. The internal network uses an address in another network segment, so it cannot be translated to the public network IP address and cannot access the external network.
The network segment configured on the AR28 for NAT translation is that of the USG50 outbound interface address, not the internal network's segment. When a data packet reaches the router, its source address does not match the ACL associated with NAT, so the router does not translate it. The terminal PC therefore cannot access the external network, although it can ping the IP address of the public network.
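
The mismatch described above can be checked offline by evaluating source addresses against the ACL bound to NAT. The following Python script is an added example, not part of the original case; the ACL number, rule IDs and all addresses are constructed placeholders, and the corrected ACL is one assumed fix (permitting the internal segment) alongside the firewall-side NAT the case also tested.

```python
import ipaddress
import re

# Constructed sample configuration: the addresses are placeholders, not taken
# from the case. 10.1.1.0/24 stands for the USG50 outbound segment,
# 192.168.1.0/24 for the internal network behind the firewall.
ACL_AS_FOUND = """
acl number 2000
 rule 0 permit source 10.1.1.0 0.0.0.255
"""
ACL_CORRECTED = """
acl number 2000
 rule 0 permit source 10.1.1.0 0.0.0.255
 rule 5 permit source 192.168.1.0 0.0.0.255
"""

RULE_RE = re.compile(r"rule\s+(\d+)\s+(permit|deny)\s+source\s+(\S+)\s+(\S+)")

def parse_acl(text):
    """Return [(rule_id, action, address, wildcard)] sorted by rule ID."""
    rules = []
    for m in RULE_RE.finditer(text):
        rules.append((int(m.group(1)), m.group(2),
                      int(ipaddress.IPv4Address(m.group(3))),
                      int(ipaddress.IPv4Address(m.group(4)))))
    return sorted(rules)

def is_translated(rules, src):
    """First matching rule decides; a source matching no rule is not translated."""
    ip = int(ipaddress.IPv4Address(src))
    for _, action, addr, wildcard in rules:
        care = ~wildcard & 0xFFFFFFFF  # wildcard bits set to 1 are ignored
        if ip & care == addr & care:
            return action == "permit"
    return False

def untranslated(acl_text, sources):
    """List the source addresses the NAT ACL would leave untranslated."""
    rules = parse_acl(acl_text)
    return [s for s in sources if not is_translated(rules, s)]

if __name__ == "__main__":
    sources = ["10.1.1.2", "192.168.1.10"]  # firewall interface, internal PC
    print("as found :", untranslated(ACL_AS_FOUND, sources))
    print("corrected:", untranslated(ACL_CORRECTED, sources))
```

Any internal source address that the script reports as untranslated leaves the router with its private address and gets no reply from the public network, which is the symptom seen in the case.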