{{ $t('productDocDetail.updateTime') }}: 2025-12-29

In route mode, the device functions as a router. The device is typically deployed at the egress of the intranet or behind a router to implement Internet access for the LAN. The following figure shows a typical deployment scenario.

Example: The customer's network covers L3—the device functions as a gateway to implement Internet access for intranet users. A public network line (fiber) is available and assigned a fixed IP address.

1. Configure the device and log in to the device by using the default IP address. For example, to log in by using the LAN interface, whose default IP address is 10.251.251.251/24, configure an IP address on this network segment on the PC and log in to the device by accessing https://10.251.251.251. The default login username and password are both admins.

2. Navigate to System > Network > Deployment. On the Deployment pane on the right, click Settings. Then, select Route Mode and click Next.

3. Define a LAN interface and a WAN interface. Specifically, select an idle network interface and click Add to move it to the corresponding network interface list.

LAN interface list: A network interface added to the LAN interface list serves as an internal network interface and needs to be connected to the internal network.

WAN interface list: A network interface added to the WAN interface list serves as a WAN interface and needs to be connected to the external network. If multiple WAN interfaces are required, apply for multi-line authorization.

DMZ interface list: A network interface added to the DMZ interface list serves as an internal network interface. Important servers can be connected to the DMZ, and the firewall settings on the device can restrict the access of intranet users, thereby ensuring the security of the servers.

The default LAN interface is eth0, the default DMZ interface is eth1, and the default WAN interface is eth2. It is recommended that the positions of these network interfaces not be modified and conform to the device panel.

Other idle network interfaces can be added to any interface list.

4. Click Next and configure the IP address of the LAN interface.

In this example, set the IP address of LAN interface eth0 to 192.168.20.1/255.255.255.0.

The current IAG version is compatible with IPv6. Therefore, IPv6 addresses can be configured for the network interfaces, gateway, and DNS. The following is an example of configuring IPv4 addresses.

If virtual local area networks (VLANs) are divided on the switch, and the LAN interface of the device is a trunk interface, VLAN needs to be enabled. In this example, an L3 switch is used, and therefore VLAN does not need to be enabled.

In IP Address, enter the ID and IP address of each VLAN. The IP address assigned to a VLAN must be idle. If VLAN 2 exists and resides on network segment 10.10.0.0/255.255.0.0, and the IP address

10.10.0.1 is not used on the intranet, 2/10.10.0.1/255.255.0.0 can be entered in the IP address list. Add information about other VLANs one by one on different rows.

5. Configure WAN interface eth2.

The WAN interface supports Auto assigned, Specified, and PPPoE modes. In this example, the public network line is an optical fiber and assigned a fixed public network IP address. Therefore, select Specified.

If the public network IP address is automatically obtained over DHCP, select Auto assign. In this example, the public network IP address has been assigned. Therefore, enter the assigned public network IP address, gateway address, and DNS address.

If PPPoE is employed, connect the WAN interface to a modem. If Enable is selected in Auto Dial-up, automatic dialup will be performed after the connection line is disconnected abnormally or the device is restarted. Enter the dialup account and password.

6. Configure DMZ interface eth1. Set the IP address and subnet mask.

7. Configure IPv4 SNAT rules. When the device functions as a gateway and directly connects to the public network line, proxy settings must be completed to implement Internet access for intranet users. Set the proxy network segment and select a WAN interface, which can be set to a single or all network interface in the WAN interface list.

A proxy rule is added in NAT on the page displayed after choosing System > Firewall > IPv4 SNAT. The rule name and IP address to which a source address is translated cannot be modified here. They can be modified on the IPv4 SNAT page. If Internet access needs to be achieved for users on another network segment through a proxy, add another IPv4 SNAT rule on IPv4 SNAT.

8. Confirm the configuration information and click OK[A243].

Restart the device for the configurations to take effect. Click Yes in the dialog box that asks for your confirmation.

9. In this example, the LAN interface and the intranet are not on the same network segment. Therefore, a system route from the device to the intranet needs to be added. Navigate to Network > Static Routes. Click Add to add routes on the Static Routes pane on the right. If the intranet covers multiple network segments, add multiple system routes.

10. Add a user or user group or add a user authentication policy on the Authentication Policy to avoid Internet access failures caused by the lack of identity authentication.
11. Connect the device to the network. Specifically, connect the WAN interface to the public network line and the LAN interface to the intranet switch. Then, configure the route of the intranet switch to direct to the LAN interface of the device.