Channel: ZyXEL forum - dslreports.com

Can't NAT on the 2nd WAN connection

I have two internet connections configured on my USG 60W. NAT on the first WAN connection is working fine, but when I type the public address of the 2nd WAN connection, I always see the login page of the Zywall, instead of my OwnCloud server. My WAN2 connection goes through a PPPoE modem (192.168.18.1) and you can see my configuration in the 2nd screenshot. NAT is working between my modem and my Zywall (because I see the Zywall login page)... Is there anything else I'm supposed to configure?

LAN access by L2TP_IPSEC

Hello, I want to create an L2TP_IPSEC tunnel between WIN 7 Pro and a Zywall USG20. The goal is to access the LAN remotely with all its resources (to see the NAS, printer and PC as if I was there) and browse the internet with the Zywall's IP. I did all the steps of Brano's "L2TP VPN on USG - quick how-to". The tunnel was created, and the thing is that I can only access the internet, but I can't see lan1. The IPSEC pool subnet is different from lan1, could that be the problem? I did try with the same subnet but it's not working. Can you please help? Thank you

New ZyWALL/USG Firmware 4.11(AAxx.0) released

Currently only available from ftp2.zyxel.com? From the ZyWALL 110 release notes:

Modifications in V4.11(AAAA.0)C0 - 2015/03/12

1. [ENHANCEMENT] Management feature enhancement:
   1. ZON Utility Support (Device Discovery, Change Admin Password, Firmware Upgrade, Reboot Device, Web GUI Link)
   2. Smart Connect Support (Device Discovery, Web GUI Link)
2. [ENHANCEMENT] Connectivity feature enhancement:
   1. AP Controller Technology 1.9
   2. LTE dongle support
   3. VLAN 802.1P marking support
3. [ENHANCEMENT] Security feature enhancement:
   1. Antivirus white/black list
   2. Support ADP scan IPv6 traffic
   3. ADP block time period
   4. DNS security option control
   5. SNMPv3
   6. Add Reject Option in Security Policy
   7. Add AV EICAR Detect Option
   8. Add Action for untrusted cert chain of SSL Inspection
   9. SSL Inspection certificate support cloud update
   10. UTM Performance Tuning #eITS141100375, 150100136, 150100251, 150200495
4. [ENHANCEMENT] Usability enhancement
   1. Wireless Initial Installation Wizard
   2. Network Diagnostic tools on GUI
   3. Security Policy Rules Filter & Clone
   4. UTM Profile Viewer
   5. Policy Route Rule Filter
   6. NAT rule support service group
   7. Dual image enhancement
   8. Multi-Lingual GUI
5. [ENHANCEMENT] VPN Feature Enhancement:
   1. L2TP/IPsec behind NAT.
6. [ENHANCEMENT] eITS#141100032 Certificate support space character in the following field: Organizational Unit, Organization, Town, State (Province), Country.
7. [ENHANCEMENT] eITS#141000153 Support GUI check box “Use Static-Dynamic Route to Control 1-1 NAT Route” to change routing order. Static-Dynamic Route has higher priority to 1-1 NAT Route when it is enabled.
8. [ENHANCEMENT] Patches for CVE-2015-0235, GHOST Vulnerability of glibc.
9. [FEATURE CHANGE] SPR#141007503 AP Controller default configuration changed from “Always Accept” to “Manual” setting.
10. [FEATURE CHANGE]
    WAS: AV, CF, AS black and white list and IDP custom signature DO NOT work without license.
    IS: AV, CF, AS black and white list and IDP custom signature DO work even without license.
11. [FEATURE CHANGE] Enlarge Log Entry Size by each model
    WAS:
      For USG110/210/310/ and ZyWALL110/310: 512
      For USG1100/1900 and ZyWALL 1100: 512
    IS:
      For USG110/210/310/ and ZyWALL110/310: 1024
      For USG1100/1900 and ZyWALL 1100: 2048
    USG40/40W/60/60W keep log entry size as 512.
12. [BUG FIX] eITS#150200052 Dynu DDNS cannot work
13. [BUG FIX] eITS#150100468, 140900136 Not connected to ZySH daemon due to deadlock by sshipsecpm connectivity_check.
14. [BUG FIX] eITS#141200823 DUT cannot connect to SSO agent and output CLI command as below:
      Router# show sso agent status
      % connect failed
      % SSO: domain socket fial!
      ZySSO Primary Agent: offline
      ZySSO Secondary Agent: offline
15. [BUG FIX] eITS#150100588 Apply configuration failed in the following steps:
    1. reset the device back to default
    2. Modify the WWW HTTPs port from 443 to 447, and some NAT and policy route rules.
    3. Download the startup.conf which with HTTPs port as 447.
    4. Change the startup.conf name as test_www and upload it.
    5. Apply test_www config.
    6. After device bootup, the device will fall back to default.
16. [BUG FIX] eITS#141100503 Strange behavior when ZyWALL is in DNS proxy role.
    [Condition]
    1. Add zone forwarder 8.8.8.8 for zone * via WAN interface
    2. Add A-record for domain ftp.zanolari.net, IP 192.168.200.3
    3. On PC, ping www.zanolari.net
    4. Run CLI 'show ip dns server cache' and check www.zanolari.net is in DNS cache
    5. Capture packets on device for WAN interface and port 53 (DNS)
    6. On PC, run command 'ipconfig /flushdns' to flush DNS cache on PC, and then ping www.zanolari.net again
    7. From captured packets you will find device sends DNS query for www.zanolari.net even if it is found in device's DNS cache.
17. [BUG FIX] eITS#141200186 After enabling AS, the throughput is low.
18. [BUG FIX] eITS#141200341, 141200033 Move the log “App ID has been changed from 83886594 to 83886855” to debug log.
19. [BUG FIX] eITS#141001029 User cannot be configured in security policy rule with zone to zone rule from WAN to ZyWALL.
20. [BUG FIX] eITS#141100574 After rebooting, WAN gateway will disappear.
21. [BUG FIX] eITS#141100745 Management IP will carry dynamic MAC.
22. [BUG FIX] eITS#141000415 The tunnel shows to be up in VPN Connections in both sides. However, no traffic can pass the tunnel and the log shows IPsec error with "no rule found, Dropping ESP packet".
23. [BUG FIX] eITS#141100945 Device HA failed to synchronize backup device with master device.
24. [BUG FIX] eITS#141200132 The IP pool size cannot be varied with the changing of IP pool start address on GUI.
    [Condition]
    1. Default "IP Address" is 192.168.1.1 and "IP Pool Start Address" is 192.168.1.33. The maximum pool size value is 223.
    2. Change the "IP Pool Start Address" to 192.168.1.60, the pool size should be 196 but it is still 223.
25. [BUG FIX] eITS#141100753 Signature release date didn't display based on different time zone.
26. [BUG FIX] eITS#141100849 Changing the firewall rule to deny traffic to ZyWALL but not take effect immediately.
27. [BUG FIX] eITS#141100177 Building IPsec VPN tunnel with FortiGate, VPN tunnel cannot build after rekeying.
28. [BUG FIX] eITS#140800319 Download files may get stuck when UTM is activated.
29. [BUG FIX] eITS#141100097 Validation result of my certificate is failed.
30. [BUG FIX] eITS#141100402 Packets are sending out in the wrong interface.
31. [BUG FIX] eITS#141001052 Device has wrong or missing DNS cache record.
32. [BUG FIX] eITS#141000951 When using for SHA256 as intermediate certificate, the certificate path will show “incomplete path”.
33. [BUG FIX] eITS#141000870, 141100240 Rename a zone which has been used in Policy Control Rules will cause the zone field of these policy control rules cannot be changed or modified to other zones.
34. [BUG FIX] eITS#140900955 [RIP] When setting RIP redistribute OSPF as metric=3, reboot DUT will show error message and cause applying startup configuration failed.
35. [BUG FIX] eITS#140926122 [DHCPv6] When LAN interface set DHCPv6 client, it cannot send NS Packet.
36. [BUG FIX] eITS#140900251, SPR#140922847 [File Manager] Rename configuration file to 64 characters will fail with wrong CLI command.
37. [BUG FIX] eITS#141000516 [File Manager] Trying to download a file from download.microsoft.com or using the windows update service, in USG logs, IDP blocks the access
38. [BUG FIX] eITS#140900051 Route packets from a bridge interface according to the NAT result.
39. [BUG FIX] eITS#140900272 Ge3 is configured as IP/MAC binding enabled. Disable interface any one of ge4 ~ ge8. The DHCP client of ge3 is unable to ping the default gateway anymore.
40. [BUG FIX] eITS#141100569 [Interface] Routing didn't change even connective check failed.
41. [BUG FIX] eITS#150100603 IPsec VPN daemon causes high memory usage (99%).

Wan1 access

Hello to all! I have a USG100 firewall with an ADSL modem in bridge mode, a ZyXEL AMG1001. All is working fine, also the L2TP VPN. My question is: is it possible to access the web interface of the modem when I'm connected in my LAN? I want this to check the ADSL line parameters sometimes; now I can only do it if I plug the modem directly into my PC. The configuration is: Zywall 192.168.1.1, modem 10.0.0.1. Thanks to everyone. Pierantonio

L2TP IPSec always failing phase2 "local policy mismatch/no proposal chosen"

Trying to establish a tunnel to my USG60W with laptop/smartphone/tablet; have created the configs over and over again as per Brano's guide (thanks!). Phase 1 is always passing, even with certificates and xauth, but phase 2 is failing. I have tried all various proposals, even the most insecure ones (DES/MD5 etc.) and even single proposals, but I always end up like in the screenshot. (The IPs are both public; the USG is sitting behind a cable modem but receives a public IP.) The red alerts in the screenshots are forwards, no drops. Any ideas?

ZONES on USG40

It seems I am unable to add zones. We get a default group only to deal with. I would like to create a LAN zone but they have it split into lan1 and lan2 etc..... Is it possible to unlock more capability via CLI??

Programming USG for Multicast??

Dare I say it, trying to emulate something apparently an edgerouter can do. No smirking there Brano!! Here is the info the person is doing. The USG40 can do most of the VLAN stuff and with latest firmware can assign 802.1p values as well. The problem is I have no clue IF and HOW to do some of the stuff noted in this note...

I’ve had the Internet and IPTV working flawlessly without the ActionTec for a few months now. I’m using an Ubiquiti EdgeRouter PoE (The “Lite” version would be just as effective). I have 2 IPTV receivers running on the same LAN subnet as my other devices. The FibreOP Remote App is working as well (including remote control capabilities). As far as I know, all IPTV features are fully functional. Here’s a basic overview of the configuration.

WAN Port

I recommend cloning the ActionTec’s MAC address. I haven’t verified whether this is necessary for either the HSI or IPTV interfaces, but it’ll save a lot of headaches when switching back and forth between the ActionTec and the other router. Aliant won’t send an offer to a different MAC address until the existing lease either expires or is released. While the HSI leases expire every 20 minutes, the IPTV leases are good for 19 hours.

VIF 34 (IPTV)
    egress QoS map "0:4 1:4 2:4 3:4 4:4 5:4 6:4 7:4"
    DHCP enabled
    default route disabled
    ignore the name servers

VIF 35 (Internet)
    DHCP enabled
    default route enabled
    name servers enabled

Create a static route for the IPTV traffic.

    10.236.0.0/15 via 10.195.128.1

I don’t know if this is the same for everyone. You should see the route on the ActionTec’s routing table. It’s also available in the DHCP offer if you send the “classless-static-routes” dhcp-option.

Use igmpproxy to forward the IPTV multicast traffic. Warning: The IPTV Multicast traffic can kill your WIFI. Be sure to block this traffic from your WIFI interface(s).

igmpproxy.conf snippet

Code:

    phyint eth1.34 upstream ratelimit 0 threshold 1
        altnet 10.236.0.0/15
    phyint switch0 downstream ratelimit 0 threshold 1

The IPTV receivers will acquire an IP from your LAN’s DHCP server. I recommend using static DHCP addresses for the IPTV receivers as the Remote App had some trouble once when the IP of the receiver changed.

-- Ain't nuthin but the blues! "Albert Collins". Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner" LlamaWorks Equipment

Half of the internet blocked

Hi, I've got a few ZyWALL 110. They're all IPSEC VPN connected. LAN (192.168.6.x) should go over the VPN (to the SBS server 192.168.2.x). On the PCs behind this ZyWALL 110, half of the internet is not working, even ping to dslreports is not working. These are a few of the DROPPED lines in my logs:

35 2015-03-28 17:40:00 192.168.6.160:60445 212.79.84.37:443 error ipsec IPSec SPI: 0x0 (0) SEQ: 0x0 (0) No rule found, Dropping TCP packet [count=3] SPI: 0x0 (0) SEQ: 0x0 (0) No rule found, Dropping TCP packet [count=3]
60 2015-03-28 17:40:27 192.168.6.160:60448 204.79.197.203:80 error ipsec IPSec SPI: 0x0 (0) SEQ: 0x0 (0) No rule found, Dropping TCP packet [count=3]
63 2015-03-28 17:40:31 192.168.6.160 208.73.211.70 error ipsec IPSec SPI: 0x0 (0) SEQ: 0x0 (0) No rule found, Dropping ICMP(8:0) packet [count=3]

What am I doing wrong? What other info do you guys need?

Couple of questions for my new Zyxel USG60

Just got my USG60 on Friday and spent a few hours getting everything programmed up and put the USG into use Saturday night. Works great so far. I am really impressed with the way things are working. It is handling both WAN connections like a champ. I do have a question that I can't seem to find an answer for. Is there any way to see the active devices that have obtained IP addresses? I set up DHCP reservations for all my devices but I like to keep an eye out for anything that may have received a different IP address (whether I fat fingered the MAC in the table or what-not). Also, how do I configure it so any device not handed an IP by DHCP can't access the WAN ports? What software package do you guys recommend setting up to track usage per device? I want to be able to pull hourly/daily/monthly reports for bandwidth usage. I have a Winblows 2012 server and have an Ubuntu VM set up on it as well. Would Cacti be something to configure or maybe you all can give me some better options. I used to use a Netflow Analyzer when I had a Cisco router but since Netflow is for Cisco I need something for the Zyxel. Thanks in advance!

Does the USG support iPhone / iPAD IPSec VPN connection?

Hi, Does the USG support iPhone / iPAD IPSec VPN connection (not L2TP)?

Does the USG L2TP over IPSec support 2 or more users from the same public IP

Hi all, I have a problem with L2TP over IPSec VPN. I cannot connect more than 1 user from the same public IP. E.g.: 2 or more home workers have the same public IP 1.1.1.1. They want to connect to their office over L2TP over IPSec, but only 1 user is able to connect. Is there any restriction regarding this? Thank you in advance, Best Regards,

real "L2TP/IPsec behind NAT" with 4.11?

I can't find any difference. There is no additional option to choose and it doesn't work like 3.30 to 4.10. Any other information?

USG40W and firmware 4.11

Yesterday I upgraded one of 4 USG40W devices to firmware version USG40W_4.11(AALB.0)C0. This is a heads-up: this update has massive changes --- it will take significant time and effort to understand all the changes. The current documentation is NOT helpful --- so why release something that is not properly documented ---- grrrrrrrrr

I initially believed the update failed ---- BUT --- in actual fact the update did succeed; I was using a MacBook Air [OS-X 10.10.2] and did the update using Safari. The update started but the update notice would not complete [30 minutes later] and Safari just hung on LOADING --- however everything seemed to work -- all devices were communicating; I went home and logged in remotely using IE11 and successfully logged in but IE was like Safari stuck on the Loading Screen .... grrrrrrr .... so I went to sleep --- a very long day

In the morning I decided to use Firefox to login and that worked ---- no LOADING screens. So I cleared the IE11 CACHE and then tried the login again and this time it worked. What a relief ..... :)

Strongly recommend that before you upgrade to 4.11 READ everything you can that ZyXEL provides for this update [regardless of its adequacy] .... very significant changes made with this update.

-- David Mozer IT-Expert on Call Information Technology for Home and Busines

USG/Zywall 4.11 firmware withdrawn

It's no longer available... what happened?

Z5 throughput

Hi Guys, I have a Z5 running firmware V4.04(XD.9) | 01/26/2011. I was under the impression that the Z5 max throughput with firewall on was about 5M symmetric. I got the following result from the new speed test from Justin: http://www.dslreports.com/speedtest/236940 Is that accurate, or too high? Thanks, -jig. -- Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum immane mittam.

PPPoE + VLAN + IPv6

Does anybody run this combination on a USG? I have a "dual stack". PPPoE IPv4 plus IPv6 works fine on the wan1_ppp interface. But I can't get it to run on a VLAN interface. If I use PPPoE + VLAN + IPv6:
- IPv4 is working,
- the router gets a SLAAC IPv6 address,
- but I don't get a prefix!

Logging to 2 SNMP receivers

I would like to send the USG50 firewall logs to one computer running the following SNMP receivers:
- LinkLogger on UDP port 514
- Kiwi on UDP port 162
The USG50 GUI allows up to 4 remote server profiles where destination addresses are defined by the Admin but not the destination port. How can I define the remote server port in the CLI?

IPv6 and ICMP

This is the result at http://ipv6-test.com/ with the "Policy Control" default "IPv6 Configuration". I played a little with additional IPv6 Policy Control but without success. Is there a solution or must I live with this? Maybe it has nothing to do with the USG.

Communication between branch office and individual L2TP clients

Hi guys, I have a ZyWALL USG 50 at the main office (10.0.7.0/24) that is connected via IPSec VPN to a ZyWALL 2 Plus at the branch office (10.0.8.0/24). This works fine, the main office's network can communicate with the branch office and vice versa. Individual VPN clients (10.0.6.0/24) connect via L2TP over IPSec to the USG 50 and can access services on the main office's network but NOT on the branch office's network. I need for example an L2TP client with IP address 10.0.6.1 to be able to communicate with a server in the branch office using IP address 10.0.8.10.

My policy routes are:

#1: Incoming: any (Excluding ZyWALL), Source: any, Destination: branch_subnet, Next Hop: branch_vpn_connection
#2: Same as #1 with incoming set to ZyWALL
#3: Incoming: l2tp_vpn_connection, Source: l2tp_subnet, Destination: any, Next Hop: SYSTEM_DEFAULT_WAN_TRUNK
#4: Incoming: any (Excluding ZyWALL), Source: any, Destination: l2tp_subnet, Next Hop: l2tp_vpn_connection
#5: Same as #4 with incoming set to ZyWALL

I added a static route to the branch server (10.0.8.10) using:

    route -n add 10.0.6.0/24 10.0.7.1

While the main server (10.0.7.10) is able to ping both 10.0.6.1 and 10.0.8.10 successfully, neither 10.0.6.1 nor 10.0.8.10 can ping each other. 10.0.6.1's attempts to ping 10.0.8.10 simply time out, while pinging 10.0.6.1 from 10.0.8.10 additionally shows the error message "ping: sendto: Network is unreachable". Please help. Thanks in advance.

IPSEC Draytek to Zywall - connection dropping a LOT!

Hi, I've recently had to set up a site to site connection between a Draytek and a Zyxel 310, but it keeps dropping every 2-3 mins. I have a number of other IPSEC connections which are rock solid but this new one keeps dropping. I've tried changing a few things and the SA Life on phase 1 and 2 but no joy. Can anyone offer any suggestions please because I'm stumped! (some details below)

Zywall
Phase 1
    IKEv1
    LifeTime = 86400
    Neg - Main
    AES128 SHA1
Phase 2
    LifeTime = 3600 (was 86400 made no difference)
    ESP Tunnel
    AES192 SHA1
    PFS - none

Draytek
Phase 1
    Ikev1
    LifeTime = 86400
    Neg - Main
    AES128_SHA1_G1
Phase 2
    LifeTime = 3600
    IPSEC security - High(ESP) AES with auth
    AES192_SHA1
RIP - Disable