Configuring a USG to Enable Internal Users to Access the Internet via WAN
This guide details the step‑by‑step configuration of a Huawei USG firewall, including WAN interface setup, static routing, NAT and security policies, and LAN DHCP and zone settings, to allow a trusted internal network to reach the untrusted Internet.
Business requirement: The ISP provides an interface IP of 100.100.1.2/30 with gateway 100.100.1.1; internal users must access the external network through the USG.
Network planning: Connect the WAN port (GE1) to the ISP, assign the LAN to the 192.168.1.0/24 subnet, use DHCP for internal hosts, place the LAN in the trust zone and the WAN in the untrust zone.
WAN side configuration
1. Configure the static IP address on the WAN interface and add the interface to the untrust zone (an interface that belongs to no zone does not forward traffic on a USG):
[USG] interface gigabitethernet 0/0/1
[USG-GigabitEthernet0/0/1] ip address 100.100.1.2 255.255.255.252
[USG-GigabitEthernet0/0/1] quit
[USG] firewall zone untrust
[USG-zone-untrust] add interface gigabitethernet 0/0/1
[USG-zone-untrust] quit
2. Add a default route whose next hop is the ISP gateway (100.100.1.1 lies inside the connected /30, so the route is resolvable):
[USG] ip route-static 0.0.0.0 0.0.0.0 100.100.1.1
3. Create a source NAT policy for trust-to-untrust traffic. easy-ip translates the source address of matching packets to the address of the WAN interface itself, which is the right choice when the ISP hands out a single address:
[USG] nat-policy interzone trust untrust outbound
[USG-nat-policy-interzone-trust-untrust-outbound] policy 1
[USG-nat-policy-interzone-trust-untrust-outbound-1] action source-nat
[USG-nat-policy-interzone-trust-untrust-outbound-1] easy-ip gigabitethernet 0/0/1
[USG-nat-policy-interzone-trust-untrust-outbound-1] quit
[USG-nat-policy-interzone-trust-untrust-outbound] quit
4. Define a security policy that permits traffic from trust to untrust. NAT alone does not allow the traffic; the interzone policy is what the forwarding decision checks:
[USG] policy interzone trust untrust outbound
[USG-policy-interzone-trust-untrust-outbound] policy 1
[USG-policy-interzone-trust-untrust-outbound-1] action permit
[USG-policy-interzone-trust-untrust-outbound-1] quit
[USG-policy-interzone-trust-untrust-outbound] quit
As written, rule 1 permits any source in trust to any destination in untrust. For anything beyond a lab, narrow the rule to the LAN subnet (192.168.1.0/24) and to the services the users actually need, so that a device plugged into a spare LAN port does not automatically get unrestricted egress.
LAN side configuration
Enable DHCP and configure the internal interface (either VLANIF or a Layer‑3 port):
[USG] dhcp enable
[USG] interface vlanif 1
[USG-Vlanif1] ip address 192.168.1.1 255.255.255.0
[USG-Vlanif1] dhcp select interface
[USG-Vlanif1] dhcp server dns-list 114.114.114.114
[USG-Vlanif1] quit
[USG] firewall zone trust
[USG-zone-trust] add interface vlanif 1
[USG-zone-trust] return
dhcp select interface serves addresses from the interface's own subnet and advertises the interface address (192.168.1.1) as the default gateway; dhcp server dns-list supplies the resolver the clients will use, here the public resolver 114.114.114.114, which you should replace with your own or your ISP's resolver if you prefer not to send LAN DNS queries to a third party.
If a Layer-3 interface (GE2) is used instead of VLANIF, configure it directly:
[USG] dhcp enable
[USG] interface gigabitethernet 0/0/2
[USG-GigabitEthernet0/0/2] ip address 192.168.1.1 255.255.255.0
[USG-GigabitEthernet0/0/2] dhcp select interface
[USG-GigabitEthernet0/0/2] dhcp server dns-list 114.114.114.114
[USG-GigabitEthernet0/0/2] quit
[USG] firewall zone trust
[USG-zone-trust] add interface gigabitethernet 0/0/2
[USG-zone-trust] return
After completing these steps, internal hosts in the trust zone obtain addresses via DHCP and reach external resources through the NAT and security policies defined on the USG. Verify from a LAN host with a ping to an Internet address and by confirming on the USG that a session for that host appears in the firewall session table with its source translated to 100.100.1.2.
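The mistakes that break this design are usually consistency errors between the steps (an interface forgotten from its zone, a default route next hop that is not on the WAN subnet, easy-ip bound to the wrong interface, a NAT policy with no matching security policy, or a permit rule left wide open). The following script is an added example, not Huawei code or part of the original page: it parses the handful of V1-style USG commands used above and audits them for exactly those problems. The constructed sample input is the page's own command set with the CLI prompts and quit lines removed; the `policy source <net> <wildcard>` command it recognises as a rule restriction is an assumption about the V1 syntax, and the check names and message wording are the author's.

```python
"""Offline consistency audit for the Huawei USG 'LAN to Internet via NAT' design.

Added example (not Huawei code): parses the V1-style USG commands shown on the
page and flags the classic misconfigurations of this design.
"""
import ipaddress
import re

# Constructed input: the page's commands, CLI prompts and 'quit' lines dropped.
PAGE_CONFIG = """
interface gigabitethernet 0/0/1
 ip address 100.100.1.2 255.255.255.252
firewall zone untrust
 add interface gigabitethernet 0/0/1
ip route-static 0.0.0.0 0.0.0.0 100.100.1.1
nat-policy interzone trust untrust outbound
 policy 1
  action source-nat
  easy-ip gigabitethernet 0/0/1
policy interzone trust untrust outbound
 policy 1
  action permit
dhcp enable
interface vlanif 1
 ip address 192.168.1.1 255.255.255.0
 dhcp select interface
 dhcp server dns-list 114.114.114.114
firewall zone trust
 add interface vlanif 1
"""

PROMPT = re.compile(r"^\[[^\]]*\]\s*")  # strips a leading "[USG-...]" prompt if present


def parse_usg(text):
    """Return interfaces, zones, static routes, NAT policies and security policies."""
    cfg = {"interfaces": {}, "zones": {}, "routes": [], "nat": [], "sec": [],
           "dhcp_enabled": False}
    kind, obj = None, None  # the configuration view the last command entered
    for raw in text.splitlines():
        tok = PROMPT.sub("", raw).split()
        if not tok:
            continue
        if tok[0] == "interface":
            name = " ".join(tok[1:]).lower()
            kind, obj = "iface", cfg["interfaces"].setdefault(name, {"ip": None, "dhcp": False})
        elif tok[:2] == ["firewall", "zone"]:
            kind, obj = "zone", cfg["zones"].setdefault(tok[2], [])
        elif tok[:2] == ["ip", "route-static"]:
            cfg["routes"].append((ipaddress.ip_network(f"{tok[2]}/{tok[3]}"),
                                  ipaddress.ip_address(tok[4])))
        elif tok[0] in ("nat-policy", "policy") and tok[1:2] == ["interzone"]:
            pol = {"src_zone": tok[2], "dst_zone": tok[3], "rules": []}
            cfg["nat" if tok[0] == "nat-policy" else "sec"].append(pol)
            kind, obj = "pol", pol
        elif tok[0] == "policy" and kind == "pol" and tok[1].isdigit():
            obj["rules"].append({"id": int(tok[1]), "action": None, "easy_ip": None, "source": None})
        elif tok[0] == "action" and kind == "pol":
            obj["rules"][-1]["action"] = tok[1]
        elif tok[0] == "easy-ip" and kind == "pol":
            obj["rules"][-1]["easy_ip"] = " ".join(tok[1:]).lower()
        elif tok[:2] == ["policy", "source"] and kind == "pol":
            obj["rules"][-1]["source"] = " ".join(tok[2:])  # assumed V1 syntax: policy source <net> <wildcard>
        elif tok[:2] == ["ip", "address"] and kind == "iface":
            obj["ip"] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")  # dotted mask accepted
        elif tok[:3] == ["dhcp", "select", "interface"] and kind == "iface":
            obj["dhcp"] = True
        elif tok[:2] == ["dhcp", "enable"]:
            cfg["dhcp_enabled"] = True
        elif tok[:2] == ["add", "interface"] and kind == "zone":
            obj.append(" ".join(tok[2:]).lower())
        # quit/return and commands the audit does not need (dns-list) are ignored
    return cfg


def audit(cfg):
    """Return a list of (severity, message); an empty list means the design is consistent."""
    out = []
    zone_of = lambda iface: next((z for z, m in cfg["zones"].items() if iface in m), None)
    l3 = {n: i["ip"] for n, i in cfg["interfaces"].items() if i["ip"]}
    for name in l3:  # a zoneless interface silently drops everything
        if zone_of(name) is None:
            out.append(("error", f"{name} has an address but belongs to no security zone"))
    for dst, nh in cfg["routes"]:  # next hop must sit on a connected subnet
        if not any(nh in ip.network for ip in l3.values()):
            out.append(("error", f"route {dst}: next hop {nh} is not on any connected subnet"))
    sec_pairs = {(p["src_zone"], p["dst_zone"]) for p in cfg["sec"]}
    for pol in cfg["nat"]:
        if (pol["src_zone"], pol["dst_zone"]) not in sec_pairs:
            out.append(("error", f"NAT {pol['src_zone']}->{pol['dst_zone']} has no security policy"))
        for r in pol["rules"]:
            if r["action"] == "source-nat" and r["easy_ip"] and zone_of(r["easy_ip"]) != pol["dst_zone"]:
                out.append(("error", f"easy-ip interface {r['easy_ip']} is not in zone {pol['dst_zone']}"))
    for pol in cfg["sec"]:
        permits = [r for r in pol["rules"] if r["action"] == "permit"]
        if not permits:
            out.append(("error", f"no permit rule for {pol['src_zone']}->{pol['dst_zone']}"))
        for r in permits:
            if r["source"] is None:
                out.append(("warning", f"rule {r['id']} {pol['src_zone']}->{pol['dst_zone']} permits any source; restrict it to the LAN subnet"))
    for name, i in cfg["interfaces"].items():
        if i["dhcp"] and not cfg["dhcp_enabled"]:
            out.append(("error", f"{name} uses 'dhcp select interface' but 'dhcp enable' is missing"))
    return out


if __name__ == "__main__":
    for severity, message in audit(parse_usg(PAGE_CONFIG)):
        print(f"{severity.upper():8} {message}")
```

Run against the page's configuration the audit reports no errors and a single warning, the unrestricted permit rule from step 4; adding a `policy source 192.168.1.0 0.0.0.255` line to that rule clears it. Breaking any one step (for instance, changing the default route's next hop to an address outside 100.100.1.0/30, or omitting the `add interface vlanif 1` line) produces an error that names the step.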