Channel: ZyXEL forum - dslreports.com

New USG policy control question

I was talking to Zyxel support on some advice of setting up App Patrol. Misc question got us to me asking about how I saw the new Zyxel videos and how they had stuff set up with the UTM icons on Lan1_outgoing factory setting. I put my UTM policies there too. I surfed some malware sites and got a couple of hits 6 to 8 total on the AV, and 8 or so IDS hits. I brought up where I had the UTM policy on the Lan1 outgoing and the Zyxel guy said all I am doing is scanning outbound and that would mean my computer is very infected. Can't be it, is a newly imaged Mac with AV that scans for PC malware and I scan with on-demand Dr Web too. The stuff I caught was PC based and Zyxel's Kaspersky has 22 Mac signatures that never hit. The Zyxel guy said I would need to make a rule from WAN to Lan1 and add the AV and IDS to that for incoming. But then why did I catch incoming stuff when I only had the UTM policy on Lan1 outgoing? Then that would mean I would have to add just the Cyren content filter and App Patrol to Lan1 outgoing and make a rule Wan to Lan1 for AV and IDS?? What is the proper way to set up?

Firewall Rule - USG40W

Guys, this is driving me nuts, I'm sure I've done it correctly! I'm trying to write a rule that allows traffic from the WAN to access a server on the lan1 - the server is correctly configured as I can access it from the inside of my lan. I've created the object, with the IP of the lan server - please have a look at the screen shot. I've stuck this rule at the top of the list (1)

VPN l2tp ipsec configured - How do I connect with my lan

Guys, I've managed to successfully set up a vpn with the help of excellent support from this forum. I can vpn in and use the internet from the wan of the USG, how do I connect with my nas (qnap)? My lan settings are on the 192.168.0.0 network and my vpn has been configured to the 192.168.0.5.0 network. So they are both within the same class c range, just on different network address segments - is there some sort of routing/vlan to do within the USG?

Zyxel usg 100 Ooma DMZ

I have recently purchased a USG 100 and I would like to set up my Ooma Telo on the DMZ port. I have used the IP/MAC binding, and the 100 shows that it has successfully bound. I have a link light, however the Ooma device shows no connection to the internet. I have also attempted to insert a new rule into the firewall that allows DMZ to WAN for any which did not exist previously. I am obviously a Noob, and any help would be appreciated. Thank you BAK

How important is idp?

Hi guys, I'm just having a think with regards to my network security, currently running 1 workstation, couple laptops, a Qnap NAS drive and various iPads etc. Enabling the trial idp in the USG40W has obviously slowed down my throughput from 80/20 to about 45/18. How important would it be to have idp, is it worth the extra investment in upgrading to the USG60W and getting a licence? Like to hear your thoughts guys

"Network Risk" NAG SCREEN

I will switch on the "Network Risk" NAG SCREEN Warning. The system-default.conf doesn't bring it back. I think I have read about a CLI command, but I can't find it.

Zywall USG 50 throughput gradually slows until rebooted

Hi, I have a Zywall USG 50 and apparently lack the necessary knowledge or skills to troubleshoot it. I have a 20/1 DSL connection which normally tests at about 16Mbps. I have a static IP address. Every couple of days, my internet connection slows to the 4Mbps range. If I connect a computer directly to the modem, the speed is back to the 16Mbps range, and if I reboot the Zywall, it returns to normal speeds (for a couple days). My impression is that this did not happen before I was assigned the static IP address. However, the fault is definitely in the router and not the modem. I'm not sure what to post here to aid troubleshooting. Configuration files? http://pastebin.com/xpXVgHqh Logs? http://pastebin.com/J6qers5k Nothing on the "dashboard" seems amiss. Few sessions (less than 100), average CPU and memory use. All the security services, except for the firewall, are disabled. There's no extra logging or tracking enabled. My DSL regularly loses internet connectivity, requiring a power cycle of the modem. The static IP was issued to me as an attempt (not successful) to fix this problem. I suspect I'll be switching to cable soon as while I'm very happy with my ISP in general, they've been unable to solve the occasional drops I'm experiencing. However, I want to make sure my router isn't causing any other problems. Thanks in advance for any help.

USG50 firewall rules

Hi! I cannot for the life of me allow any incoming connection from WAN to LAN1 (or anything for that matter) on a zyxel USG50, it will always catch the default rule, and block it.

notice Firewall Match default rule, DROP [count=2] 81.240.92.189:52715 80.201.175.91:21 ACCESS BLOCK

here's the rules, from ssh (show firewall any any):

firewall rule: 1
  description:
  user: any, schedule: none
  from: WAN, to: LAN1
  source IP: any, source port: any
  destination IP: PC1, service: FTP
  log: log, action: allow, status: yes
  connection match: no
firewall rule: 2
  description:
  user: any, schedule: none
  from: LAN1, to: any
  source IP: any, source port: any
  destination IP: any, service: any
  log: no, action: allow, status: yes
  connection match: no
firewall rule: 3
  description:
  user: any, schedule: none
  from: LAN2, to: any
  source IP: any, source port: any
  destination IP: any, service: any
  log: no, action: allow, status: yes
  connection match: no
firewall rule: 4
  description:
  user: any, schedule: none
  from: DMZ, to: WAN
  source IP: any, source port: any
  destination IP: any, service: any
  log: no, action: allow, status: yes
  connection match: no
firewall rule: 5
  description:
  user: any, schedule: none
  from: IPSec_VPN, to: any
  source IP: any, source port: any
  destination IP: any, service: any
  log: no, action: allow, status: yes
  connection match: no
firewall rule: 6
  description:
  user: any, schedule: none
  from: SSL_VPN, to: any
  source IP: any, source port: any
  destination IP: any, service: any
  log: no, action: allow, status: yes
  connection match: no
firewall rule: 7
  description:
  user: any, schedule: none
  from: TUNNEL, to: any
  source IP: any, source port: any
  destination IP: any, service: any
  log: no, action: allow, status: yes
  connection match: no
firewall rule: 8
  description:
  user: any, schedule: none
  from: LAN1, to: ZyWALL
  source IP: any, source port: any
  destination IP: any, service: any
  log: no, action: allow, status: yes
  connection match: no
firewall rule: 9
  description:
  user: any, schedule: none
  from: LAN2, to: ZyWALL
  source IP: any, source port: any
  destination IP: any, service: any
  log: no, action: allow, status: yes
  connection match: no
firewall rule: 10
  description:
  user: any, schedule: none
  from: DMZ, to: ZyWALL
  source IP: any, source port: any
  destination IP: any, service: Default_Allow_DMZ_To_ZyWALL
  log: no, action: allow, status: yes
  connection match: no
firewall rule: 11
  description:
  user: any, schedule: none
  from: WAN, to: ZyWALL
  source IP: any, source port: any
  destination IP: any, service: Default_Allow_WAN_To_ZyWALL
  log: no, action: allow, status: yes
  connection match: no
firewall rule: 12
  description:
  user: any, schedule: none
  from: IPSec_VPN, to: ZyWALL
  source IP: any, source port: any
  destination IP: any, service: any
  log: no, action: allow, status: yes
  connection match: no
firewall rule: 13
  description:
  user: any, schedule: none
  from: SSL_VPN, to: ZyWALL
  source IP: any, source port: any
  destination IP: any, service: any
  log: no, action: allow, status: yes
  connection match: no
firewall rule: 14
  description:
  user: any, schedule: none
  from: TUNNEL, to: ZyWALL
  source IP: any, source port: any
  destination IP: any, service: any
  log: no, action: allow, status: yes
  connection match: no

USG 20 - NAT multiple LAN IPs to second WAN IP? (VPN Problem)

I'll start off with the question and add the details below for those that don't want to wade through it. Let's say that I have a block of WAN IPs: 100.1.1.0/29 and my LAN is 192.168.1.0/24. The WAN of the Zywall is configured as 100.1.1.1/29 with a gateway of .6. Can I make it so that by default, all LAN IPs are NATed to 100.1.1.1 except a block of 5 IPs (say 192.168.1.10 through 192.168.1.14) are NATed to 100.1.1.2? 1:1 and Many1:1 NAT seem to be 1 LAN to 1 WAN IP. I was hoping to NAT multiple LAN to a second WAN IP. Now the details: Our customer has 2 VPNs and is adding a 3rd shortly. The first is a site-to-site VPN to a branch office with another USG 20. The second is a client to site hosted by one of their vendors. They use a software client (Shrew) to connect. This periodically gets dropped and they have to reconnect. The site-to-site stays up no problems. The logs indicate that periodically, the Zyxel is responding to the VPN traffic rather than passing it through. I removed IKE and NATT from the Default_Allow_WAN__To_Zywall service group. They aren't dropping as regularly, but it still happens a couple times a day. In the course of writing this post, I noticed that I did not remove ESP from the group. Should this be removed? Will it affect the site-to-site? In the meantime, I figured I might save some trouble by just routing the 5 computers that use the VPN client to use a different, unused IP address in their block. There's only 2 free. Can I NAT one of those IPs to those 5, or does it need to be 1 WAN to 1 LAN? Will this even solve my problem? Please let me know if you need any more information.

USG50 L2TP/IPSEC VPN almost working (I think)

hello all, I am really close (I think) to getting my L2TP/IPSEC VPN working. I can connect using the Win7 client. I can't ping or see any computers on the network. IPConfig shows:

PPP Adapter ConnectToOffice:
  DHCP Enabled: No
  Autoconfiguration Enabled: Yes
  IPv4 Address: 192.168.55.2(Preferred)
  Subnet Mask: 255.255.255.255
  Default Gateway:
  DNS Servers: 192.168.55.200
  NetBIOS over TCPip: Enabled

Is this right? Where is this IP coming from? Why is the subnet mask 255.255.255.255? Won't that block the whole subnet? Why isn't there a Gateway listed? Also, if I look in the logs of the USG50, I see a lot of this error:

error IPSEC SPI: 0x0 (0) SEQ: 0x0 (0) No rule found, Dropping UDP packet Source:(the Zyxel LAN IP) Destination:(there are a few. None seem to match known IPs)

Zyxel LAN IP: 192.168.55.1
Win7 machine's LAN IP: 192.168.1.67

thanks, -John

I have a USG50 with 3.30(BDS.5) firmware.

Zywall 110 and Internet access while VPN'd

Read through as many related posts as I could find on here, but nothing jumping out at me as the solution. I've set up my Zywall 110 VPN following instructions cobbled together from here and elsewhere... It's working - I can VPN back in to my home network while on remote connections, etc. However, all I can do is access local network resources by IP address (192.168.1.x). My remote computer is getting an address assigned in the 192.168.250.x range. My two issues: 1.) I am unable to browse the Internet ... and no DNS is resolving. I'd like to be able to VPN to my home network and then hit the Internet outbound from there. and 2.) I would have thought that with all traffic tunneled that I would be able to browse on my Mac local network resources (such as Share Screen of another Mac, AFP, etc.) but doesn't seem to show up like it does when I am sitting on the local network. Attached a screenshot of my firewall rule setup... Thanks in advance for any help/ideas... Cheers SpaceLeeB

USG110/210 questions

Do the new USGs have the Endpoint Security feature (EPS) that is in the USG100/200? This is where the USG checks the version of Windows for patches and antivirus before allowing on network? I really wanted to use this feature on the USG200 I have but it's implemented poorly. Doesn't support 64bit OS. Anyone know if they improved this for the new USGs? Also, if using the UTM capabilities, is the antivirus database better than the paltry database they had for the older USGs? Thanks

Zywall USG 20 and the Liftmaster 828LM Gateway

I'm trying to get a LiftMaster 828LM Internet Gateway working with my Zyxel 20, and for some reason it just repeats the DHCP cycle over and over - request IP, assign IP, confirm IP, wash, rinse, repeat. The Chamberlain support tech suggested that I increase UDP timeout to 180 seconds, which I have done, and make sure the firewall isn't blocking UDP Port 80. I fixed the timeout via the CLI, but I am not sure what needs to be changed to assure that UDP 80 is open through the firewall. Has anyone used that Liftmaster gateway? Any thoughts on that UDP port 80? Thanks!

Zywall 110 has new 3.20 FW

ftp://ftp.zyxel.com/ZyWALL_110/firmware/

Thoughts on USG210 versus Watchguard XTM330

Yes, I know this is a Zyxel forum. That said, I know some here have also used other products. In looking at the new USG210, and in comparing to the XTM330, they are priced very similar. Yes, Watchguard charges $100/year for support to keep getting firmware but when using their UTM security, it's included. And from what I can tell their UTM AV seems more robust. They've been inspecting HTTPS for a long time now. And they claim the UTM AV database has 2.5 million signatures. Also, looking at their Windows management tool, it looks like some slick reporting can be created. Any thoughts?

Writing a Rule that allows ISP multicast

Hi Guys, I'm writing a rule that allows Multicast (224.0.0.1) from the ISP to my router, as it's always coming up blocked. Can someone guide me through? Destination - Local Multicast 224.0.0.1 Source - ISP Multicast 217.32.145.225 Service - Multicast Set to allow and log, but it keeps dropping it, Access Block

USG 20: Site-Site & L2TP Enabled At The Same Time?

Hi Everyone, I have successfully set up a site-to-site connection and an L2TP connection. My goal is to link two offices and then be able to dial into the main office using the USG 20 for administrative purposes. In order to do that I need to be able to establish a client connection with my laptop. I am able to get my L2TP connection to work with my Site-To-Site settings disabled but not with them enabled. I'm at a loss as to why as they both work with the other disabled but never with both enabled. I was under the assumption that the USG 20 supported up to 2 VPN connections at the same time. Should this work, or am I missing something?

ARP table

Hi all, My client has a very weird problem where their server hosting partner's ip-address is in the ARP-table causing all internal traffic to be routed to the gateway itself. How that got there from the beginning is unknown and very strange, but for now we want to have this deleted.

Router(config)# show arp-table
Address HWtype HWaddress Flags Mask Iface
81.XXX.215.11 * MP wan1

If I have understood correctly, flag MP means permanent published and it does not help to have the gateway rebooted because it's still there. I've also tried to run 'arp-table flush', but that only removes the C-flags (completed). I also tried removing the ARP-entry using 'no arp'.

Router(config)# no arp 81.XXX.215.11
% Manipulate ARP Cache has failed: err:65280. No ARP entry for 81.XXX.215.11

Vendor: Zyxel
Model: USG 20W
Boot module: 1.17
Current Version: 3.30(BDR.2)
Released date: 2013-10-17 15:43:41

Thanks for helping!

USG 20 Site-To-Site Tunnel Established but can't ping.

I'm in a bit of a bind. I can't for the life of me figure out why this isn't working. The title pretty much says it. I have a working site to site VPN tunnel using two USG 20 routers. Each has a static IP and I am able to build a tunnel between them. I cannot ping any machine on either network from either side though. I figured it was a routing issue and started creating routing policies but no matter what I tried I couldn't get any results. I'm uploading screenshots of each office's configuration.

Zyxel Switches

Greetings- Anyone using the gs1910-48hp? I have one in my company's office and it seems pretty good for the slim price -- here's the dilemma: I need to get a 48 port POE (for 10 VoIP) for a small radiology center and can't decide between a Cisco and Zyxel switch. I see similar prices on Cisco 200 series and gs1910-48hp. Also was interested in gs1900-48hp but Zyxel can't seem to get them in US (I like the GUI/Wizard). I have a few USG20W in the field and they work great so I figured I'd give the switches a try.