Setting up a new USG40 at home, 4.10(AALA.0)C0 firmware.
I set up a test content filter using the trial to block porn on a specific test IP address object, no schedule, LAN1 to any (exc device).
After that rule I placed a timed rule that denies all traffic from that same object, LAN1 to any (exc device).
The content filter works, but the block fails unless I move it before the content rule. The plan is to apply the rules to the younger kids in the house.
Is this a bug or as designed?
thanks.
edit: I also tried the block rule without a schedule and it does not work.
usg40 with content filter rule ignores timed access rule after it.
ZyWALL USG 50: L2TP VPN without need for "Send all traffic"
Following Brano's excellent guide on how to setup an L2TP VPN on a ZyWALL USG, my clients are able to successfully connect and access all machines on our subnet. :D
Unfortunately, for this to work the "Send all traffic over VPN connection" feature must be checked on the client, as the L2TP pool (i.e. 10.0.6.0/24) is obviously not part of the local network (i.e. 10.0.7.0/24). Changing the L2TP pool to an address range (e.g. 10.0.7.200 to 10.0.7.219) seems to be the wrong approach, as no traffic ever comes back through the VPN connection.
This is a ZyWALL USG 50 with firmware version 3.30(BDS.5).
It's important that the client's internet traffic does not flow through the ZyWALL while the VPN connection is active. I would be very grateful for any help.
Has the USG100-PLUS been EOL'ed?
Hi folks -- apologies for having been silent for several years, but my career has taken a different turn and I've been almost inactive in the small network arena (and very busy with family and grandchildren).
The title says it all -- I can get hold of a USG100-PLUS bundle (the device plus a year's worth of IDP, anti-virus, content filtering and anti-spam) for a really low price. I currently have a USG100 (a legacy from when I was self-employed), and even though it is rock-solid and handling IPv6 as a true champ, it is not exactly a spring chicken, and doesn't support fibre speeds, especially when using multiple subnets (peaking at 225Mb/s, routing between interfaces isn't exactly wire-speed).
Hence the interest in the 100-PLUS with its 600Mb/s firewall throughput, but if it's EOLed as shown in the latest German price-list, it might not be the excellent, reliable and long-living investment my USG100 still is.
The screenshot is from ZyXEL Germany's September 2014 price-list ( http://www.zyxel.de/upload/partnerbereich/Preislisten/ZyXEL_Preisliste_Endkunde.pdf ). This section is the only one that mentions the USG100-PLUS. Does this mean just the bundle is EOL'ed, or the device itself, and if so, how long can we expect firmware updates and service licenses to remain available?
Take care,
Stefaan
--
"Technically, Windows is an 'operating system,' which means that it supplies your computer with the basic commands that it needs to suddenly, with no warning whatsoever, stop operating." -Dave Barry
USG100 Firewall Problem
Hi Folks
I could do with some help please. I have set up my mapping under NAT. The problem I am having is with a firewall rule. It's the last rule at the bottom of the firewall rules and it's stopping my SIP rules. My SIP rules are 1 & 2.
If I disable WAN -> any (excluding ZyXEL), then my PBX receives calls. Am I safe to just disable this rule?
Thanks
Rich
USG20 image filesystem usage reaches 97% alert?
What does this alert mean?
98 2014-09-17 16:10:53
alert system App Watch Dog
image filesystem usage reaches 97%
--
Jim Anderson
New firmware released for ZyWall 110 - 4.10 AAAA.1 (9-18-14)
I just noticed that a new firmware was recently released for the 110 series router. Has anybody tried this build yet?
New firmware for 40/40W/60/60W 4.10(AAxx.1)
40 ftp://ftp.zyxel.com/USG40/firmware/
40W ftp://ftp.zyxel.com/USG40W/firmware/
60 ftp://ftp.zyxel.com/USG60/firmware/
60W ftp://ftp.zyxel.com/USG60W/firmware/
The Release Notes don't say much, however:
quote: Modifications in V4.10(AALA.1)C0 - 2014/09/04
In this release, we align it with 4.10 patch0 MB model.
ZyWALL USG 50: Force specific WAN for certain local addresses
For a mail server on my local network, I need to route all Internet-bound traffic through the first WAN instead of allowing the default WAN trunk to handle it with the load balancing algorithm.
To that end I've set up the following policy route:
Incoming: any (Excluding ZyWALL)
Source Address: Servers (Object / Address / RANGE / 10.0.7.10 to 10.0.7.19)
Destination Address: any
Service: any
Next-Hop: Interface / SDSL
Still some mail is sent through the other WAN connection. Is it not possible to override the behavior of SYSTEM_DEFAULT_WAN_TRUNK this way?
ZyXel Prestige P-871H interoperability issue
I bought several ZyXel Prestige P-871H VDSL modem-routers and wanted to use them with a personal Planet VC-820M DSLAM.
I just discovered that (according to Zyxel's Web site) the Prestige can be used with ZyXel VES-1616 DSLAMs only, while the vendor Web site presented it as a standard VDSL modem.
Does anybody know why the Prestige does not behave as a standard VDSL modem?
Do the Prestige and the VES-1616 support a specific VDSL profile that most DSLAMs do not support?
Many thanks.
USG20w or 40w? Which Wireless Extender for a Warehouse and Barcode Scanners?
Hey guys,
One of my customers is expanding their warehouse and I need to make a decision on changing their current ZyXEL router, so I need a little help in making that decision.
I was thinking of offering them the USG20w I'm using in my home office and getting the new USG40w.
On another note, here's the customer's setup:
The head office is in Montreal with 5 users, one of them is a Motorola MC55 handheld scanner for receiving inventory (we're currently using a well-rated NetGear consumer router as access point with an older generation ZyXEL wired router). The handheld drops wireless while scanning barcodes outside of the warehouse in the 40 foot containers; this causes havoc and needs to be addressed.
We also have the Florida office, which is running off of a ZyXEL 2WG, has 2 wired users, 2 wireless, of which one is a barcode scanner; this office is connected to the Montreal office via VPN. A software called Fishbowl Inventory runs on the server in Montreal, which clients from Florida connect to (one or two users at a time along with a barcode scanner). Although only the connections to this particular software freeze regularly while the VPN connection is still up, we're wondering if the current hardware might be the cause.
In summary, would the USG20w be a good option for the Montreal office, knowing we have a few users connecting to it from a remote location along with a few locally? The Montreal office is about 60 x 60 feet; when a container is received outside we need to take into consideration another 40 feet. What type of wireless repeater would you recommend?
Sorry for the long post, thank you in advance.
Zywall110, how to open port 80
Hello,
How do I get port 80 going to a different IP than itself?
I tried and I couldn't get to the Zywall110 interface externally anymore.
I unchecked port 80 in the GUI and left 443.
It froze up when I added port 80 on the NAT side with a different IP.
Also, on a side note, is the Zywall110 smart enough to do vhosts or something?
So if I want to go to domain1.com it goes to 192.x.x.1, and if I want to go to domain2.com it goes to 192.x.x.2.
--
http://www.RestartYourComputer.net
Need help Configure my Zywall USG 300, Firewall, VPN, Load Balancer
Good day fellows,
I need help configuring my Zywall USG 300, if possible a step-by-step guide, answers to questions and guidance through a process which can solve my problem. I am an IT person from an NGO company; my Head purchased two Zywall USG 300 and a couple of USG 20. The USG 300 will be used in our Central office and our USG 20 in our field offices. I've been wondering how to configure them and asking for any technical help; I've been on the Zyxel technical site but for many days they didn't respond. I am new to this kind of technology but I am willing to learn. Any help will be so much appreciated.
i thank you in advance,
mel
Zywall 110 Site-to-Site VPN Not Able to Ping Remote LAN
This Zywall site-to-site VPN lack-of-ping issue comes up in other posts and I have read each of them. Either the posts do not describe the ultimate resolution or the recommendations do not resolve my issue.
I am testing a site-to-site VPN using two Zywall 110 Firewall Appliances. The network diagram and screen captures of each Zywall 110 are shown. This is an isolated test bed and is not connected to the Internet and there is no DNS. I changed the default settings on the Zywall to respond to a ping on the WAN zone. The IpSec tunnel is connected. I can ping each remote Zywall WAN IP from the respective PC. I can PING the LAN address of the remote Zywall from each respective PC confirming that the tunnel is connected. I can also administer the remote Zywall over https:// confirming that the tunnel is open. The log also confirms that the tunnel does connect. The VPN traffic statistics do show active traffic when there is a remote admin session. I am using the default site-to-site VPN config created by the VPN wizard.
I have set a symmetric policy route in each Zywall to route traffic destined for the remote LAN over the tunnel. The VPN wizard does not create this route. Without this route a PING to the remote LAN returns an "unroutable" error. With the route, the PING to the remote LAN is merely unanswered.
I have upgraded each Zywall to the latest firmware dated September 2014.
Brano suggested that the "Ignore Don't Fragment Header IPV4" be checked on the VPN Connection Screen. You can see from the screen captures that this is checked. This setting does not affect the issue.
The security policy is set to the factory default. There is an existing rule that all traffic and all services can pass in the VPN_IPsec_Zone. However, my issue persists when the security policies are disabled. This disable test would indicate that the Security Settings do not affect the issue.
I have tested each PC and it does respond to a ping when another PC is connected to the local LAN.
Some posters have mentioned that this issue can be resolved by some adjustments to SNAT. However, none of the Zywall factory application notes mention anything about SNAT adjustments in the context of a site-to-site VPN. I tried some experiments with SNAT settings based upon other posts but did not make any progress. SNAT is set to the factory default in the screen captures.
Other posters report that site-to-site VPN works reliably, so I am overlooking something.
Please reply if you have any suggestions to help resolve this issue.
Orlofsky
Zywall 100 VPN Failover Unstable IPsec Connections
I don't see a lot of posts about Zywall VPN Failover/Failback. There are a couple of posts but they do not raise my issue.
I am testing an application for the Zywall 100 in a private network where a VPN is used between two locations over DSL. Recently, we have installed a radio link between the two locations. When the DSL fails we want to shift the traffic automatically to the Radio Link. The radio link is significantly lower bandwidth than the DSL but sufficient for essential operations. When the DSL returns we want the traffic to shift back to the DSL automatically. The Zywall 110 appears to be able to perform this functionality on paper.
I have been guided by a Zyxel Application Note for the USG series Version 4.1 Dated May 2014. Scenario 6 is what I am testing. See the network configuration diagram of the testbed.
At one level the system is working, but at a deeper level I have noticed that the VPN connections are not stable. The primary IPSec DSL_VPN_CONN lives for about 5 seconds and then disconnects. The RADIO_VPN_CONN then connects for about a second. The RADIO_VPN_CONN then disconnects and the DSL_VPN_CONN connects. The cycle repeats. See the screen capture of the log to confirm this interpretation. In my opinion this is not a satisfactory operation and I would not be willing to put this configuration into production, even though most of the time I can ping end-to-end.
I have verified that the underlying IPSec Site-to-Site connections are stable without the GRE Trunk overlays that implement the monitoring of the link health.
My initial diagnosis was that I had messed up the configuration of the GRE Tunnels and the IPSec connectivity checks but I have checked these against the application notes carefully. I can post the GRE tunnel and trunk screens if that is helpful.
I am using the latest Firmware from September 2014.
Please reply if you have any suggestion on how to better diagnose or correct the configuration so that the tunnels are stable and don't switch unless there is a failure.
Orlofsky
ZyWall 35
Hi forum,
Sorry for my English. I'm in deep trouble, and I need help :,(.
Well, that's my situation:
I have a VPN tunnel established between 3 cities.
Area1: Zyxel35; in this place are the server and the VoIP Server.
Area2: Zyxel ZyWall 2, connects the VPN tunnel to Area1 correctly.
Area3: P661H-D1, was working fine until yesterday. There were no changes in the configuration, but I can't connect it to Area1 via the VPN tunnel.
I've deactivated (down) the firewall in Area 1 and Area 3, but when I try to "call/connect", there is a message saying the connection has failed.
I open the log and I see the same message all the time: "IKE PACKET RETRANSMIT".
Then I opened port 500, but I still can't connect.
Configurations; remember that it was working fine 2 days ago and there were no changes.
ZYXEL35:
-------------------------
IPSec Proposal: Tunnel, ESP, DES, MD5, 28800, NONE (PFS)
Gateway Policy: PreSharedKey (the same on both sides) > IKE PROPOSAL: Main, DES, MD5, 28800, DH1.
P661H-D1
-------------------------
IPSec Setup: IKE, Main, Tunnel, DNS Server set to 0.0.0.0.
Security Protocol: ESP, Pre-Shared Key, DES, MD5
thanks!!
Bash bug. Non-ZyNOS affected?
http://www.theverge.com/2014/9/25/6843669/bash-shellshock-network-worm-could-cause-internet-meltdown
Anyone know if the newer ZyWALL routers that don't run ZyNOS are affected? At minimum, it seems advisable to shut down access to the web server from the WAN zones. Yet another example of why this is an ATROCIOUS thing to have enabled by default.
Zywall "Test Connectivity" Button. What is trick with this button?
In some recent testing of a Zywall 110, I noticed there is a button on some screens titled "Test Connectivity". I presume this button appears on other Zywall models. The pop-up form takes an IP address as its argument. Enter an IP address and click OK, and an hourglass-type animation appears for about 15 seconds. Presumably this pop-up form is triggering a PING command. Regardless of the IP address I type, the test always reports that there is no connectivity. However, I know independently that there is connectivity to that IP address.
Between browser certificate issues and Java issues I have not tested the underlying PING command available in the CLI using the GUI console.
Is there some trick in the security policy or elsewhere in the configuration to make this button work as expected? Have others gotten useful results from this button?
Orlofsky
ZyWALL 110 IPSec VPN without L2TP/IPSec
Is there any way to set up an IPsec VPN to let an iPhone or Android phone connect to the ZyWALL without the use of L2TP/IPSec?
Disabling Internet access to connected PCs
Hi,
I'm kinda new to ZyXel and I would like to ask you how I could block user PCs from connecting to the internet?
Thanks in advance