Also remember that electronics have a high failure rate 2 weeks to 2 months after a nearby lightning strike. You will most likely see more equipment failures in the future. But maybe not.
Baffling network issue after storm
We took a devastating amount of lightning damage a week or so ago at work (I was on vacation). The guys at work took care of all the audio related gear, but left the networking mess up to me.
I am completely baffled, and I don't know how to proceed:
A large number of computers cannot get on the internet. They CAN see every computer in the building, can connect to network resources, and can even do local file transfers...
But they CAN'T ping the gateway (a ZyXel USG 200 at 192.168.1.1).
I have bypassed switches. I have plugged two of these machines' network cables into my laptop, and it works just fine. I have disabled the onboard NICs and tried a different NIC. I have even taken one computer and done a factory restore out of desperation, in case of some weird software corruption. All to no avail.
I have replaced our router (I had a spare).
Everything seems to point to some internal damage to all these computers, but other than no internet, they show no obvious signs of trouble. I have seen many a network card get blown up in my day, but never a computer "damaged" in such a way that throwing a new NIC in doesn't help.
I am about to try a second new NIC in the event the first new one I used was bad. Grasping at straws here, but I am open to suggestions...
-Alan
↧
Setting Up ZyWall USG 20 for group of servers using /20 public IP
Hello,
I just purchased this firewall to use in my shared hosting service network. I'm lost trying to get it set up.
I have several shared hosting servers (all with multiple IP addresses), all using my own public IP address block, which is a full Class 20 (i.e. x.x.144.0/20 or x.x.144.0-x.x.159) group of IP addresses.
All my servers are in a datacenter, and I have managed to set up the USG20 by assigning an IP address from my pool (x.x.144.1) to the WAN - I can access the device from the Internet right now from home. I just have the WAN port plugged directly into my switch.
Obviously I want to set it up so that I can plug my datacenter feed into the WAN port and bridge the traffic back to my switch (the switch also connects to all my servers) ... I want to be able to use the firewall and bandwidth tools to manage the traffic to my servers (open only needed ports/services to specific servers or IPs, control SMTP traffic, etc.), but I am lost as to how to proceed with setup. I tried to set up bridging, but both attempts froze the thing up. I see in Address Objects the /20 subnet that is named WIZ_LAN_SUBNET, type INTERFACE SUBNET - wan1-x.x.144.0/20, that could be useful ... but I have no clue. I am totally lost about what to do next.
I apologize for my ignorance. This is very different from the firewall tools I have used in the past. Could someone please provide me with an outline or a step-by-step guide for a solution? I gave up working directly at the datacenter -- but I left it set up there, and hoped I could get some good information here to help me set it up from the home access I currently have. If so, I could get it going correctly and just have the datacenter remote hands 'switch the cables', if you know what I mean.
Many thanks. -KB
↧
GRE over IPSec
How do I configure GRE over an IPSec tunnel on a ZyWALL 110?
↧
ZyWALL USG-110 Unboxing
↧
Zyxel NBG-416N firmware recovery via RS232?
Hello,
My NBG-416N got bricked when flashing the latest firmware.
I can't upload root.bin to it; I have tried for hours and hours.
Is there a possibility to create an RS232 connection?
I can't find anything on the mainboard!
Thanks for the help.
↧
Detailed review of the ZyWall 110 - 10 months in (warning: it's a long read)
This is a long overdue review of the ZyXel ZyWall 110. I've posted a lot of these comments in various threads, but thought I'd consolidate in one massive review (I was bored while writing this). So here it goes:
------
I wanted to love this little router, I really did, but found a host of issues that have yet to be fixed. On paper, the router seems superb - great specs, fast VPN, nice overall design (and look). But after using this router since September 2013, I can safely say that there is much to be desired. Let me start with the things I liked about the router:
POSITIVES:
1) Fairly quick initial setup - I was able to plug the router in and get up and running in 20 minutes or so. Well, almost. My first unit had a defective gigabit Ethernet port that would revert to 10/100 speeds after 3 hours of usage. This didn't impact initial connectivity, however, and a replacement unit fixed this issue (see negatives). The VPN setup is also a bit complicated (somewhat unnecessarily, IMHO - 3 disparate screens just to get the VPN configured, not including user management). But ZyXel tech support was very helpful and even remotely logged into my router and set the VPN up for me. Thanks! Which brings me to my next positive:
2) Free telephone tech support - ZyXel's support staff are based in the US, and their support engineers have been very helpful (to the extent they are able to help, especially given the router's limitations). However, the design engineers are all in Taiwan, while the telephone support staff is in the USA, so I'm not sure how often the two parties communicate.
3) GUI chock full of options - You can configure most (all?) of the router's features using the GUI. This is particularly useful if you're not familiar with CLI configuration (not my case, but worth mentioning). There are a lot of options, and I mean a lot. Not for the faint of heart, but spend enough time and even novices would get used to it. While the interface has a lot of features, there definitely could be some more thought put into the layout. I've often found myself having to click through various disconnected menu options to perform one simple task. But I'm listing this as a positive, since the options are there, and you can call tech support if you're really stuck.
4) Good router performance - at least when it works. I've tested the router using QoS, and it does a good job. Much better load balancing than my previous router. While I haven't maxed out the router's throughput, it hasn't choked on my 75 megabit connection. SmallNetBuilder did test the router, however, and found the router throughput to be ~half the rated speed of 1 Gbps. I don't have that kind of connection yet, and by the time I do, hopefully the issue will be rectified by a firmware update.
5) Load balancing WAN with fallback - while I never tried this feature, it seems like a nice option to have. But honestly, I think the target demographic (SMBs, homes?) would rarely use this feature, if ever. Regardless, +1 for effort.
6) Multiple configurable Ethernet ports for DMZ, VLANs, etc. - Again, a feature I'm not currently utilizing, but nice to have. But given that companies are moving their servers to the cloud, and layer 3 switches do a better job with VLANs and intra-office routing, I'm not sure how beneficial these ports will ultimately be.
NEGATIVES:
1) Interface crashes - Seriously. Three times in the past 7 months. The router interface froze on me and locked me out of accessing the VPN, router configuration, or communicating directly with the router in any manner whatsoever. Oddly enough, internet access through the router wasn't impacted, just access to the router itself. I needed to physically reboot the router to restore access. This can be problematic if you're at a remote location (my situation). I had to buy a remote reboot switch that periodically pings the router to avoid this from happening. Totally unacceptable, IMHO.
2) Frequent VPN disconnections - I've found the router frequently disconnects me from the L2TP VPN connection. This is especially apparent during peak times. I've read that these issues aren't unique to ZyXel, but other router manufacturers have been able to mitigate these problems somehow. The disconnect issue is particularly bothersome as once you're disconnected, the previous state is locked for a few minutes and you can't log back in until the router drops the connection. This is incredibly frustrating, especially once it starts happening more than two times in an hour.
3) No support for multiple remote IPsec VPN clients behind a single public IP address - To be fair, this issue also isn't unique to ZyXel (something to do with the encrypted connection), but other manufacturers have been able to mitigate this limitation as well. In addition, if a remote user is logged into the VPN, another remote user with the same IP address as the VPN user is completely locked out from accessing the router services - VPN, configuration, etc. This is especially frustrating if you need to remotely modify router settings, and another user from your local LAN (assuming you're sharing public IPs) is logged into the VPN. Here's what I mean:
Imagine two remote users behind the same public IP address, and the ZyWall 110 at a different location, with both IPsec VPN and router configuration access enabled over the WAN side. One remote user decides to log into the ZyWall 110 using the IPsec VPN. All is good. Then, the second user, using a different computer, decides to access the ZyWall 110 configuration page through the public IP address (not VPN). Denied! Even though the web interface uses a different port (SSL - 443) than the IPsec VPN, the ZyWall can't differentiate the traffic. The same thing happens if two users behind the same IP address try to use the VPN simultaneously.
4) Proprietary 2-step verification - You'll need to use ZyXel's silly offering; no support for 3rd-party tools such as Google Authenticator. Really? Come on ZyXel. Other router manufacturers are on top of this, why aren't you? ZyXel's solution is pricey (you need a dongle) and cumbersome, given that Google's app is free and runs on most smartphones. The free price range also probably best fits the target market of ZyXel's customers - SMBs with limited budgets. I mean, if I wanted faux-enterprise security with a silly little dongle, I'd call Cisco and RSA (or is that the NSA?).
5) No support for OpenVPN, GRE routing, multicast tunnel, etc. - It's not as though the router and its fast processor couldn't handle these tasks. OpenVPN is great since it's highly secure and you can specify a port (unlike IPsec). Certain WiFi hotspots block most ports aside from 80 and a few others, and only OpenVPN allows for custom port numbers to sidestep this limitation. Multicast routing and GRE tunnels have been available on other ZyXel routers in the past, but not with the 110. It's a guessing game when (if?) these features will ever make it to the 110. The Ubiquiti Edge Router is only $100, and seems to support these aforementioned features, so why can't ZyXel?
6) Infrequent firmware updates - I can't fathom this, especially since the router has some serious bugs. The latest router firmware (as of this writing) was dated June 2014. Prior to that, it was Sept. 2013. Seriously, almost a year between firmware updates? Come on! It may be because ZyXel's design engineers are in Taiwan and they might not be reading the forums, or have infrequent communication with the tech support staff based in the USA. Whatever the case, one year is too long of a wait.
7) Weird IP address sorting scheme - i.e. if you click on Sort Ascending (or vice versa), you'll see x.x.x.1, x.x.x.101, x.x.x.2, etc. WTF? Since when did 101 come before 2? So silly. Who came up with that logic?
8) No mounting holes underneath case - The manual indicates there are wall mounting holes (one of the reasons I initially bought the router), but that was a pipe dream. There are no mounting holes, at least for my unit (manufactured July 2013). Just a solid back. I guess somebody forgot to tell the factory. Silly factory.
9) Fan noise - Okay, it's not as loud as a laser printer, but it's still loud. Mind you, I have the router in a fairly quiet bedroom where you can actually hear the noise. What I can't figure out is why the fan was needed in the first place: the unit runs fairly cool (at least for the apps I run), and given the ridiculously spacious housing (you could cut off the left 1/3 of the router, it's just air), I'm sure lowering the fan speed, or ditching the fan altogether, wouldn't be much of an issue.
10) Faulty Gigabit Ethernet port - I bought my unit in September 2013, and several times my gigabit connection would drop to 10/100 speeds. I tried various cables to no avail. This may have been a manufacturing issue. I replaced my unit and the problem went away, but there are reports of other people having the same issue. Caveat emptor.
11) Power brick - As I mentioned before, the router has a lot of empty space. So why ZyXel didn't incorporate the external power supply inside the unit is beyond me, but it certainly wasn't for a lack of space. Now I have to keep track of yet another power brick (especially frustrating when moving), and since my unit is rack mounted I now also need to find a place to mount the brick - the dinky 2.5mm connector won't support the brick's weight.
12) Abysmal logs and reporting statistics - A serious item of contention for me, especially since other SMB router manufacturers (along with DD-WRT, Tomato, etc.) have much better graphical offerings. I found the ZyWall's traffic reports to be confusing, and mostly unusable. Let me elaborate:
Limited traffic statistic visibility - You can only see a limited subset of current traffic going through the router (20 biggest, or last 20), yet there is a drop-down menu that shows 50, 100, 200 as selectable options. I had to read through the fine print of the manual to realize that 20 is the limit. WTF? Why even present a drop-down option then?
Limited charts or statistics data - Looking for charts to identify the biggest bandwidth users, sites most frequently visited, traffic by interface, period, etc.? Ha! Good luck. The only solution I found was to upload the data to a syslog server and use that software to analyze your traffic.
Limitations on DHCP IP address bindings - Want to see what addresses have been assigned through DHCP, or which static IP addresses are active on the LAN side? Well, you can only do that if you enable IP address binding, which will block any devices with static IP addresses (unless you manually add them to the MAC table). Even then you won't see which devices are transmitting using static IPs on the LAN. Why this silly limitation? I have no clue. ZyXel, care to comment?
Log file format - While you can upload a plethora of data to a syslog server, you need additional software to parse through the log(s), which only come in CIF or a proprietary VRPT format. These packages cost money, and most off-the-shelf CIF packages I encountered didn't support the ZyXel. ZyXel makes its own report analyzer, but that's another piece of software to buy just to get some basic summary data. Plus, it's overkill for most users. Come on ZyXel!
CONCLUSION:
All in all, the router has good performance when it works, but given all these limitations, there's a lot to be desired. I paid $360 for this router, but considering its limitations and the issues I encountered, I feel it's overpriced. This is especially true when you consider offerings from the competition, particularly Ubiquiti's Edge Router, which sells for $100.
Granted, the Edge Router lacks the multiple Ethernet ports, load balancing capability, and the GUI configurability, but its CLI configuration gives it options and flexibility that the ZyWall 110 can't match. The Ubiquiti router seems to mitigate a bulk of my issues above, and it has better performance (firewall throughput, VPN) to boot (according to Small Net Builder)!
If there are any workarounds for the issues I mentioned above, I'd love to get any of your thoughts. I'm by no means an expert with the router and would love to hear other people's input on what I'm doing wrong.
I'll give an update once I spend a few months playing around with the Ubiquiti router. Hope you enjoyed the read. It's just my $0.02. For whatever it's worth.
Cheers!
↧
USG40/40W/60/60W - Port down / Port Up
I think it's better if you translate it yourself:
http://www.zyxel.ch/de/support/knowledgebase/detail/3554
I see it with my Western Digital My Net N750 for a few seconds once a day.
↧
Finally Did It - Locked Out of USG20
Well, one of our 'techs' in their infinite wisdom decided to set up an AP - I guess they had problems and ended up changing all port roles to LAN2.
Guess what? They didn't check with me and didn't check the router itself, so they missed the fact that I had configured the USG to DENY login ability from LAN2!
I had already set up one port role as LAN2 for just that (a separate AP).
He missed that also :o and for some reason decided to change all port roles to LAN2. :mad:
And they also missed that I had setup a FW rule to DENY access to LAN1 from LAN2 (not that it mattered after the first snafu).
I had thought there was a sticky on how to regain access without having to reset the entire router (HORRORS). Did I miss it or imagine it? Maybe it was a thread where someone else somehow locked themselves out?
My very first time getting locked out of a Zywall, so I never ran into this and didn't need to deal with it. Guess I've been just plain lucky?!
Needless to say, any help would be appreciated. Thank you very much!
↧
ZyWALL USG 50: VPN to access LAN, local connection to internet
I have configured the ZyWALL VPN with the help of this great forum.
Everything works when I connect from my Windows 8 PC at home to the ZyWALL at my work. I can access the work PCs by IP and I can browse through the VPN connection.
Here is also my question. My internet at home is faster than the internet at my work. Is it possible to configure the VPN to only be used to access my work LAN, and use my own connection for internet?
Local ip range: 192.168.2.xxx
Work ip range: 192.168.1.xxx
VPN ip range: 192.168.5.xxx
Policy Route:
1 any none any any vpn_range any any any VPN_GW preserver none 0
2 any none any any lan1_subnet any any any Wam_trunk preserver none 0
3 any none any any vpn_range any any any Wam_trunk preserver none 0
When I uncheck the default gateway on the remote network of the VPN connection, it can't find the work LAN range. Probably because it is missing a route on the Windows 8 client. Is there a way to enable this?
Is it possible to use the names of the PCs at work instead of the IP addresses?
We don't use a domain server.
↧
Zyxel NBG-416N access point problem
I have a Zyxel NBG-416N router and I want to use it as an access point. The problem is, it works fine for an hour or two, and then it just says limited connection; then I have to turn the router off and on, and it works fine for about an hour, and then the same thing again. Please help.
↧
Downloading issue on ZyWALL USG 100 while content filter is on
Hi,
We are facing an issue with the ZyWALL USG 100. When we download any file from the web or install any software like Skype that uses an online installer, the download gets stuck in the middle. It also gets stuck while installing or updating Android device applications. I can download files if I use IDM.
Downloading works normally if I disable the content filter service.
Any suggestions?
↧
Open firewall and port forward to different ports
I want to come in through public IP 123.123.123.123 port 99 and have that redirected to the internal LAN host 192.168.100.70 port 80.
This is on a ZyXEL USG 50
I have this:
NAT
Virtual server
Incoming server: wan1
Original IP: any
Mapped IP: The object related to the IP
Port mapped type: Service
Original Service: The object related to the port
Original Service: Same as above
NAT Loopback: Disabled
Firewall
Schedule: none
User: any
Source: any
Destination: The object related to the IP
Service: The object related to the port
Access: allow
Log: no
What do I need to do differently to get this to work coming in from public WAN on a different port?
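The interaction the post is asking about, as an added example (not the poster's configuration and not ZyXEL code): a minimal model of a port-translating Virtual Server rule followed by a firewall rule. It assumes, as in the ZyWALL USG packet flow, that the firewall rule is evaluated after destination NAT, so it has to match the mapped address and port; the hypothetical 99-to-99 rule shows what happens when the mapped service is left the same as the original.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

@dataclass(frozen=True)
class VirtualServer:
    """NAT > Virtual Server rule with 'Port mapped type: Service'."""
    incoming_iface: str
    original_ip: str      # public address on the WAN side
    mapped_ip: str        # internal server address
    original_port: int    # 'Original Service': the port clients connect to
    mapped_port: int      # 'Mapped Service': the port the server listens on

@dataclass(frozen=True)
class FirewallRule:
    destination: str      # matched against the packet AFTER NAT (assumption)
    port: int
    allow: bool = True

def apply_dnat(pkt, rules):
    """Rewrite destination address/port per the first matching virtual server."""
    for r in rules:
        if pkt.dst_ip == r.original_ip and pkt.dst_port == r.original_port:
            return replace(pkt, dst_ip=r.mapped_ip, dst_port=r.mapped_port)
    return pkt

def firewall_verdict(pkt, rules, default_allow=False):
    """First matching rule decides; WAN-to-LAN defaults to deny."""
    for r in rules:
        if pkt.dst_ip == r.destination and pkt.dst_port == r.port:
            return r.allow
    return default_allow

def process(pkt, nat_rules, fw_rules):
    """Return (translated packet, allowed?) for one inbound packet."""
    translated = apply_dnat(pkt, nat_rules)
    return translated, firewall_verdict(translated, fw_rules)

# Values from the post: public 123.123.123.123:99 -> 192.168.100.70:80
NAT = [VirtualServer("wan1", "123.123.123.123", "192.168.100.70", 99, 80)]
# Hypothetical mistake: mapped service left 'same as above' (99 -> 99)
NAT_SAME = [VirtualServer("wan1", "123.123.123.123", "192.168.100.70", 99, 99)]
# Firewall rule keyed on the original WAN port: never matches post-NAT traffic
FW_WRONG = [FirewallRule("192.168.100.70", 99)]
# Firewall rule keyed on the mapped port: matches the translated packet
FW_RIGHT = [FirewallRule("192.168.100.70", 80)]

if __name__ == "__main__":
    inbound = Packet("203.0.113.5", "123.123.123.123", 99)  # constructed client
    print("rule on port 99:", process(inbound, NAT, FW_WRONG))
    print("rule on port 80:", process(inbound, NAT, FW_RIGHT))
    print("99 mapped to 99:", process(inbound, NAT_SAME, FW_RIGHT))
```

The second case is the one the post needs: the packet arrives at the firewall already rewritten to 192.168.100.70:80, so the firewall's service object has to be the mapped port, not 99.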
↧
SSL VPN ZyXEL USG 100 PLUS - Help Meeeee
Hello everyone !
I am writing because I have a problem with the Zyxel USG 100 Plus firewall.
I installed the firewall and made some small basic configurations; clients get to the internet and the network works.
But now ...
I ... need to connect a PC via SSL VPN (the firewall offers 2 free connection licenses).
I followed this step by step guide on YouTube:
https://www.youtube.com/watch?v=SXHg_ivu6zc
but unfortunately, when I visit the public IP the firewall is connected to from a client external to my network, the login page does not appear ... just "The page cannot be displayed".
---------------------------------------------
I configured the router and the Zyxel like so:
Zyxel ---> WAN1 port with static IP 192.168.1.6
Router ---> DMZ from the public IP to 192.168.1.6
Router ---> I opened port 443 to 192.168.1.6
So far so good?
---------------------------------------
On the Zyxel, interface LAN1 -----> IP 192.168.30.1
DHCP server assigns the active clients connected to the firewall IPs from 192.168.30.2 - 192.168.30.254.
---------------------------------------
I am asking for help configuring the SSL VPN connection so I don't do anything stupid.
How do I proceed to configure the Zyxel?
Is there something I forgot to do?
↧
Strange Inbound Traffic From ISP USG 20
My network logs keep telling me my firewall is blocking broadcast packets coming from an IP held by my ISP:
ISP IP :53090 - > 255.255.255.255:10019 (gets blocked) (UDP)
ISP IP :53090 - > 255.255.255.255:10007 (gets blocked) (UDP)
My log is full of these; I'm not sure what to make of them. Does anyone know if these types of packets are common? Should I talk to my ISP about it?
↧
USG200 IPSec VPN stops working
Hello and thanks for reading. I hope you can enlighten me!
Two days ago we configured an IPsec VPN tunnel between our office (ZyWALL USG200) and one of our partners (MikroTik router).
Yesterday when I arrived at the office, my colleague told me that the VPN connection was not working. I entered the USG and saw that the VPN connection was up... but I noticed that I couldn't ping the other router... so something strange is happening. I disabled the firewall for a moment, enabled it again, and everything was working again... Today we've had the very same situation; it looks like there is a timeout or something that stops the traffic.
The nailed-up option is checked, and I don't know what could be happening.
Do any of you have an idea of what is happening?
Thank you very much!
Jud
↧
Multiple subnets over IPSec-tunnel
Hi all,
I have a problem where I want to establish an IPsec VPN tunnel on which I have multiple local subnets. When creating a VPN Connection (VPN > IPSec VPN) I get stuck on the "Local policy" definition. This option only allows me to specify one address object rather than multiple. This may be by design, but then I would like some guidance on how to proceed.
Here's some information about the endpoints and their subnets.
[HQ] (USG 20W)
192.168.0.0/24
10.151.4.0/22
[Cloud Partner]
10.151.12.0/22
As seen, the "Remote subnet" can be defined in an address object. However, how would you define the "Local subnet" address object? Or is there any other way?
↧
Policy Routing issue
Hi all,
I have a problem where I can't both have full connectivity between the dial-in VPN (L2TP over IPsec) and our VPN tunnel to Microsoft Azure, and at the same time allow external traffic to be routed to the dial-in VPN clients. The problem seems to be how Policy Routing is configured.
Early in the configuration process, before the tunnel to Azure was established, I created the following Policy Routing rule to allow external traffic to be routed. It worked perfectly fine. Users connected via L2TP were able to reach internal and external resources over the tunnel.
Status: Activated
User: Any
Incoming: NET-VPN-DIALIN (10.151.3.0/24)
Source: Any
Destination: Any
DSCP Code: Any
Service: Any
Source port: Any
Next-hop: Auto
DSCP Marking: preserve
SNAT: outgoing-interface
However, when I created the Windows Azure IPsec tunnel (10.151.12.0/22) I noticed that no traffic was routed between the dial-in clients and the Azure subnets. I thought this was a firewalling issue, but after a while realized that it was the above Policy Route rule.
When disabling it, the traffic between these subnets works just fine - but then external traffic stops working.
Now, how would you configure a Policy Route to both allow and route
a) Traffic between the dial-in subnet (10.151.3.0/24) and Windows Azure (10.151.12.0/22).
b) Route external traffic to dial-in users.
Thanks in advance!
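First-match evaluation of the post's policy route table beside a corrected one, as an added example (not from the post and not ZyXEL code). It assumes rules are evaluated top-down with the first match winning, that SNAT to the outgoing interface rewrites the dial-in source so it no longer fits the Azure tunnel's local policy, and it uses VPN_AZURE as an assumed name for the tunnel next-hop object.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class PolicyRoute:
    name: str
    incoming: str        # source subnet the rule applies to ("any" or CIDR)
    destination: str     # "any" or CIDR
    next_hop: str        # "auto", a tunnel name, or an interface/trunk
    snat: str            # "none" or "outgoing-interface"

def _in_net(cidr, ip):
    return cidr == "any" or ip_address(ip) in ip_network(cidr)

def matches(rule, src, dst):
    return _in_net(rule.incoming, src) and _in_net(rule.destination, dst)

def route(table, src, dst):
    """Return (rule name, next hop, snat) for the first matching rule, or
    the implicit default (main routing table, no SNAT) when none matches."""
    for r in table:
        if matches(r, src, dst):
            return r.name, r.next_hop, r.snat
    return "default", "main-table", "none"

DIALIN = "10.151.3.0/24"     # L2TP/IPsec dial-in clients (from the post)
AZURE = "10.151.12.0/22"     # Azure site-to-site tunnel subnet (from the post)

# The post's single rule: everything from dial-in goes out the WAN, SNATed.
# Azure-bound traffic also matches it, so its source is rewritten to the
# WAN address and the tunnel policy no longer covers it (assumed cause).
ORIGINAL = [
    PolicyRoute("dialin-out", DIALIN, "any", "auto", "outgoing-interface"),
]

# Corrected order: the specific Azure rule sits ABOVE the catch-all.
FIXED = [
    PolicyRoute("dialin-to-azure", DIALIN, AZURE, "VPN_AZURE", "none"),
    PolicyRoute("dialin-out", DIALIN, "any", "auto", "outgoing-interface"),
]

if __name__ == "__main__":
    for label, table in (("original", ORIGINAL), ("fixed", FIXED)):
        # constructed hosts: one Azure server, one external web server
        print(label, "-> azure   :", route(table, "10.151.3.20", "10.151.13.7"))
        print(label, "-> internet:", route(table, "10.151.3.20", "203.0.113.10"))
```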
↧
help on Zywall USG210
We have a USG210 with two WAN ports running (two different ISPs). We need short, simple steps describing how to make sure that all Internet-related traffic of one specific host (192.168.16.210) goes through WAN2 only.
Note: You will not have access to any device of ours at all. You will have to write a simple manual (email, DOC, etc) describing the steps to be performed.
↧
Failing PCI Scans on USG 200 Due to Man in the Middle Vulnerability
Failed our latest PCI scan due to the OpenSSL ChangeCipherSpec Man-in-the-Middle Vulnerability. Contacted Zyxel for a fix and the OpenSSL version.
According to the email I received, the current OpenSSL version is 0.9.7, and as for the fix, this was the response: at this time there are no plans to change the OpenSSL version on the ZyWALL.
They did provide two workarounds to try, which I will this weekend, but I find it a little unnerving that they have no plans to fix the vulnerability.