Hi,
Anybody have an idea for my post?
https://www.dslreports.com/forum/r30903513-VLAN-over-VPN-with-Zywall-Can-ping-gateway-but-nothing-else
At this moment, I can ping my server in VLAN30 from my second Zywall (Zywall USG 20). I can connect with an RDP connection, but when I'm in my server, I cannot access the internet.
"Access Internet" is shown in the bottom right.
Thanks in advance
Zywall USG site to site VPN with VLAN
USG v4.20 New Features Summary
USG v4.20 may be released at the end of Aug.
New Features Summary:
- Fixed USG low throughput issue
- Content Filter Enhancement
- Geo IP blocking
- HTTPS / SSL Enhancement
- Device HA Pro
- Hotspot Enhancement
- Easy Mode Wizard
- WEB GUI Speed Enhancement
- Dashboard loading time improvements
- AD / LDAP Enhancement
- X-Auth Enhancement
- IKE v2 Enhancement
- IPSec VPN Virtual Tunnel Interface
- SSO 2.0 fully implemented, with Windows 10 and Server 2012 R2 support
- Cloud helper new firmware online download
- New 3G/4G dongles: WAH3004 / UML295 / AT&T Beam / Netgear341U
- Link Aggregation feature (balance, 802.3ad, active-passive)
- Android N L2TP Support
- Interface subnet mask can now be set to 0.0.0.0
IPsec setup
I am trying to set up a VPN tunnel from a static WAN IP (no router, just a cloud remote desktop server with a static IP) to a USG with a static IP. I need the RDP server to have the IP of the router instead of its own WAN IP, so I am trying to create a client (RDP server) to site (USG) VPN, and then have all remote clients outside the USG, when they remote into the IP of the USG, connect to the RDP server. (I know it's convoluted.) I can't seem to get it to work. Basically all traffic on the RDP server will pass through the USG IP. There are no local clients on the USG. Any help or ideas would be greatly appreciated.
Several VLANs/subnets via single physical interface on USG100?
Hi guys,
I've got a question and hope that someone can help me. I've got a USG100 which now has two internal interfaces configured for two networks (say guest and production). On the network switches (managed HP ProCurve 1800) both subnets are encapsulated within their own VLANs, and I extract/untag both VLANs on two different ports within the switch and go with separate cables to p3 and p4 on the USG100, so that the USG100 is actually unaware of the VLAN config. This is working fine.
Now I would need to implement two more subnets. But instead of dedicating one physical cable/port to each subnet, I would like to go via a single port on the USG100 with VLANs enabled there. Could you please help me configure two VLANs on a single port?
Let's say the two new subnets are s3 and s4 with IPs 192.168.32.0/24 and 192.168.33.0/24.
Gateways should be 192.168.32.1 and 192.168.33.1.
The production network s1, which is 192.168.30.0/24, must see all devices from all networks, so a route must be set within s1 to s3 and s4, right?
Many thanks in advance.
Next Gen USG 4.20 Firmware Thoughts
Have upgraded a few of our USG40s and USG20-VPNs to the v4.20 firmware. So far we've had no problems. But you definitely have to do a couple of things once you upgrade.... Also noted a couple of CPU overload bugs that were fixed in the release notes (though tagged against the 60 and 110). Hoping they fixed that for the 40s as part of that, as we've seen it happen off and on across most of our clients.
So you upgraded to v4.20...
1) The cloud firmware update has a license tied to it. Go to Licensing -> Registration -> Service tab and do a refresh. This SHOULD get your Firmware License activated.
2) Go to Maintenance -> Firmware Management and it should auto sync to the Cloud. If not, click Check Now. Once that's done, you can do cloud updates.
3) Content Filter 2.0: you have to enable the HTTPS domain checking if you want it! Also, there is an SSLv3 block that's enabled by default; disable it if you have ancient SSL devices (hopefully not).
4) GeoIP: AWESOME. Not intuitive at first, but then makes perfect sense. Go to Object -> Address -> GeoIP and click Update Now to get the latest database. IP blocks don't change countries very often, so lack of an auto update is likely not a huge deal. Bet they add it soon.
5) So let's say you want to block access to all but US IP addresses. Go to Object -> Address -> Add and call it UnitedStates_IPv4_IPs (if you use IPv6 you'll need to create another object and group them). Select GEOGRAPHY type and select United States. If you have other countries that need access, create objects for them and group them.
6) Now go to your WAN->LAN security rules and set the Geographic Address or Address Group you want to allow as the source (instead of 'any'). Make sure you do it for your WAN->Zywall rule as well!
If you upgrade a USG20(W)-VPN! They've added ADP (I'd give ANYTHING if they tossed out Anti-Spam and added App Patrol instead; then the 20 becomes an IDEAL high end residential gateway MSPs could sell like hotcakes). Anyway, ADP is *not* configured at all. Go to Security Policy -> ADP -> Profile tab -> Add. Name it ADP_PROFILE and select all. Then click the General tab and Add. Select WAN as From and select the Profile you just created. Activate it and Apply.
Think that's it so far...
can I set Zyxel USG60 to block certain *file types*?
I'd like to use the Zyxel USG60 to prevent users from accessing/downloading files with certain extensions, such as .BAT or .SCR files.
Is there a way to do this using the Content Filter's Blocked URL Keywords or something like that? I tried using the patterns */*.bat and *.bat.
The first one doesn't work at all. The second one also blocks domains such as www.batteries.com.
Is there a way to do this so it blocks the portion of the url *after* the domain so that we *can* still access e.g. www.batteries.com and www.scrwhatever.com but block www.domain.com/something.bat or domain.com/something/something.scr?
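As an added example (my code, not the poster's and not Zyxel's), the two matching behaviours in Python. A keyword such as `.bat` applied to the whole URL is the substring match that hits www.batteries.com; the second function takes the extension from the last path segment only, after decoding percent-escapes and ignoring the query string, which is the match the poster is after. The blocked-extension set and the scheme-less URL handling are assumptions for the example; the URLs are the ones from the post plus a few constructed edge cases.

```python
from urllib.parse import urlsplit, unquote

# Extensions the poster wants to block (assumed list for this example).
BLOCKED_EXTENSIONS = {".bat", ".scr"}


def naive_keyword_match(url: str, keyword: str) -> bool:
    """Plain substring match over the whole URL, i.e. what a keyword such as
    '.bat' does: it also hits host names like www.batteries.com."""
    return keyword.lower() in url.lower()


def path_extension(url: str) -> str:
    """Lower-cased extension of the last path segment only.

    Host name, port, query string and fragment are ignored, percent-escapes
    are decoded first (so 'evil%2Ebat' is seen as 'evil.bat') and a trailing
    slash is tolerated. Returns '' when the path has no file name."""
    if "://" not in url:
        url = "http://" + url          # the poster writes URLs without a scheme
    parts = urlsplit(url)
    last = unquote(parts.path).rstrip("/").rsplit("/", 1)[-1]
    if "." not in last:
        return ""
    return "." + last.rsplit(".", 1)[-1].lower()


def blocked_by_extension(url: str, blocked=BLOCKED_EXTENSIONS) -> bool:
    """True when the requested file, not the domain, carries a blocked extension."""
    return path_extension(url) in blocked


if __name__ == "__main__":
    for u in ("www.batteries.com", "www.scrwhatever.com",
              "www.domain.com/something.bat", "domain.com/something/something.scr"):
        print(f"{u:40} keyword '.bat': {naive_keyword_match(u, '.bat')!s:5} "
              f"extension rule: {blocked_by_extension(u)}")
```

One caveat: for HTTPS the filter only sees the host name (from SNI or the certificate) unless HTTPS inspection is enabled, so a path-based rule cannot apply to those downloads.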
USG 50/20w site-to-site - No rule found, Dropping ESP packet
I've been having this problem for a while with a site-to-site connection between a USG50 and a USG20W. Both are on 3.30(B*S.7). The connection works great without any errors or alarming log entries. After about 24 hours the tunnel disconnects. After logging in to one of the USGs and manually disconnecting/connecting, the tunnel gets successfully built again. However, after the tunnel is rebuilt there are a lot of [NOTIFY:R_U_THERE_ACK] and WAN to ZyWALL, UDP, service VPN_IPSEC, ACCEPT entries getting logged. Rebooting the USG20W seems to get rid of those. It's as if once the SA lifetime is reached they can no longer negotiate correctly until a reboot occurs on one of the USGs. Both ends are nailed up and have dead peer detection enabled. I guess I can up the SA lifetime to verify it only occurs after the time is reached. Any leads to a resolution greatly appreciated. I'm not sure where to start looking when the issue only occurs after a day goes by.
Once the disconnect occurs the usg20w continuously logs the following line:
SPI: 0xdd23fc36 (3710123062) SEQ: 0x626 (1574) No rule found, Dropping ESP packet
On the USG50 at around the same time the following is logged.
No.  Time                 Priority  Category  Message | Source -> Destination | Note
469  2016-08-22 00:26:27  error     IPSec     SPI: 0x1e12458d (504513933) SEQ: 0x9 (9) No rule found, Dropping ESP packet | xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx | ipsec
470  2016-08-22 00:26:26  error     IPSec     SPI: 0x1e12458d (504513933) SEQ: 0x8 (8) No rule found, Dropping ESP packet | xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx | ipsec
471  2016-08-22 00:26:26  error     IPSec     SPI: 0x1e12458d (504513933) SEQ: 0x7 (7) No rule found, Dropping ESP packet | xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx | ipsec
472  2016-08-22 00:26:25  error     IPSec     SPI: 0x1e12458d (504513933) SEQ: 0x6 (6) No rule found, Dropping ESP packet | xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx | ipsec
473  2016-08-22 00:26:24  info      IKE       Send:[HASH][NOTIFY:R_U_THERE_ACK] [count=2] | xxx.xxx.xxx.xxx:500 -> xxx.xxx.xxx.xxx:500 | IKE_LOG
474  2016-08-22 00:26:24  info      IKE       Recv:[HASH][NOTIFY:R_U_THERE] [count=2] | xxx.xxx.xxx.xxx:500 -> xxx.xxx.xxx.xxx:500 | IKE_LOG
475  2016-08-22 00:26:24  info      IKE       Phase 1 IKE SA process done | xxx.xxx.xxx.xxx:500 -> xxx.xxx.xxx.xxx:500 | IKE_LOG
476  2016-08-22 00:26:24  info      IKE       Send:[ID][HASH] | xxx.xxx.xxx.xxx:500 -> xxx.xxx.xxx.xxx:500 | IKE_LOG
477  2016-08-22 00:26:24  info      IKE       Recv:[ID][HASH] | xxx.xxx.xxx.xxx:500 -> xxx.xxx.xxx.xxx:500 | IKE_LOG
478  2016-08-22 00:26:24  info      IKE       Send:[KE][NONCE][PRV][PRV] | xxx.xxx.xxx.xxx:500 -> xxx.xxx.xxx.xxx:500 | IKE_LOG
479  2016-08-22 00:26:24  info      IKE       Recv:[KE][NONCE][PRV][PRV] | xxx.xxx.xxx.xxx:500 -> xxx.xxx.xxx.xxx:500 | IKE_LOG
480  2016-08-22 00:26:24  error     IPSec     SPI: 0x1e12458d (504513933) SEQ: 0x5 (5) No rule found, Dropping ESP packet | xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx | ipsec
481  2016-08-22 00:26:24  info      IKE       Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID] | xxx.xxx.xxx.xxx:500 -> xxx.xxx.xxx.xxx:500 | IKE_LOG
482  2016-08-22 00:26:24  info      IKE       The cookie pair is : 0x9819afac32b79274 / 0x085ef8815455b88e [count=6] | xxx.xxx.xxx.xxx:500 -> xxx.xxx.xxx.xxx:500 | IKE_LOG
483  2016-08-22 00:26:24  info      IPSec     recv sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1 PRF, HMAC-SHA1-96, 768 bit MODP; [1] protocol = IKE (1), A [count=3] | | IPSEC_LOG
484  2016-08-22 00:26:24  info      IKE       Recv:[SA][VID][VID][VID][VID][VID][VID][VID][VID] | xxx.xxx.xxx.xxx:500 -> xxx.xxx.xxx.xxx:500 | IKE_LOG
485  2016-08-22 00:26:24  info      IKE       The cookie pair is : 0x085ef8815455b88e / 0x9819afac32b79274 [count=5] | xxx.xxx.xxx.xxx:500 -> xxx.xxx.xxx.xxx:500 | IKE_LOG
486  2016-08-22 00:26:24  info      IKE       Recv Main Mode request from [xxx.xxx.xxx.xxx] | xxx.xxx.xxx.xxx:500 -> xxx.xxx.xxx.xxx:500 | IKE_LOG
487  2016-08-22 00:26:24  info      IKE       The cookie pair is : 0x9819afac32b79274 / 0x0000000000000000 | xxx.xxx.xxx.xxx:500 -> xxx.xxx.xxx.xxx:500 | IKE_LOG
488  2016-08-22 00:26:23  error     IPSec     SPI: 0x1e12458d (504513933) SEQ: 0x4 (4) No rule found, Dropping ESP packet | xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx | ipsec
489  2016-08-22 00:26:23  notice    Firewall  priority:6, from WAN to ZyWALL, service VPN_IPSEC, ACCEPT | xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx | ACCESS FORWARD
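As an added example (my code, not the poster's or Zyxel's), a small Python parser over the USG50 entries from the post, re-typed one per line as "number time priority category message", that groups the "No rule found, Dropping ESP packet" messages by SPI and relates them to the ESP sequence numbers and to the IKE phase 1 rebuild in the same log. The line layout assumed in LINE is that of the re-typed entries; adjust it if your export differs.

```python
import re
from collections import defaultdict
from datetime import datetime

# The USG50 entries from the post, re-typed one per line as
# "number time priority category message". Addresses were already masked in the post.
SAMPLE_LOG = """\
469 2016-08-22 00:26:27 error IPSec SPI: 0x1e12458d (504513933) SEQ: 0x9 (9) No rule found, Dropping ESP packet
470 2016-08-22 00:26:26 error IPSec SPI: 0x1e12458d (504513933) SEQ: 0x8 (8) No rule found, Dropping ESP packet
471 2016-08-22 00:26:26 error IPSec SPI: 0x1e12458d (504513933) SEQ: 0x7 (7) No rule found, Dropping ESP packet
472 2016-08-22 00:26:25 error IPSec SPI: 0x1e12458d (504513933) SEQ: 0x6 (6) No rule found, Dropping ESP packet
473 2016-08-22 00:26:24 info IKE Send:[HASH][NOTIFY:R_U_THERE_ACK] [count=2]
474 2016-08-22 00:26:24 info IKE Recv:[HASH][NOTIFY:R_U_THERE] [count=2]
475 2016-08-22 00:26:24 info IKE Phase 1 IKE SA process done
480 2016-08-22 00:26:24 error IPSec SPI: 0x1e12458d (504513933) SEQ: 0x5 (5) No rule found, Dropping ESP packet
486 2016-08-22 00:26:24 info IKE Recv Main Mode request from [xxx.xxx.xxx.xxx]
488 2016-08-22 00:26:23 error IPSec SPI: 0x1e12458d (504513933) SEQ: 0x4 (4) No rule found, Dropping ESP packet
489 2016-08-22 00:26:23 notice Firewall priority:6, from WAN to ZyWALL, service VPN_IPSEC, ACCEPT
"""

LINE = re.compile(r"^(?P<no>\d+)\s+(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
                  r"(?P<prio>\w+)\s+(?P<cat>\w+)\s+(?P<msg>.*)$")
DROP = re.compile(r"SPI: (?P<spi>0x[0-9a-fA-F]+) \(\d+\) SEQ: (?P<seq>0x[0-9a-fA-F]+) \(\d+\) "
                  r"No rule found, Dropping ESP packet")


def parse_log(text):
    """Return entries oldest first. The USG numbers entries newest-first, so
    within one second the higher number is the older entry."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            entries.append({"no": int(m["no"]),
                            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                            "prio": m["prio"], "cat": m["cat"], "msg": m["msg"]})
    return sorted(entries, key=lambda e: (e["ts"], -e["no"]))


def analyse(text):
    """Per SPI: number of dropped ESP packets, ESP sequence range, whether the
    sequence climbs steadily (one sender, no replay), and how many drops came
    after the last 'Phase 1 IKE SA process done', i.e. after IKE was rebuilt."""
    drops = defaultdict(list)
    phase1_done = []
    dpd_seen = False
    for e in parse_log(text):
        m = DROP.search(e["msg"])
        if m:
            drops[m["spi"].lower()].append((e["ts"], int(m["seq"], 16)))
        elif "Phase 1 IKE SA process done" in e["msg"]:
            phase1_done.append(e["ts"])
        elif "R_U_THERE" in e["msg"]:
            dpd_seen = True
    last_p1 = max(phase1_done) if phase1_done else None
    report = {}
    for spi, items in drops.items():
        seqs = [s for _, s in items]
        report[spi] = {
            "drops": len(items),
            "first": items[0][0], "last": items[-1][0],
            "seq_range": (min(seqs), max(seqs)),
            "seq_monotonic": seqs == sorted(seqs),
            "drops_after_phase1": sum(1 for t, _ in items if last_p1 and t > last_p1),
            "dpd_seen": dpd_seen,
        }
    return report


def summarise(report):
    """One human-readable line per SPI."""
    lines = []
    for spi, r in report.items():
        fresh = " (low counter: sender's SA is new)" if r["seq_range"][0] < 16 else ""
        lines.append(f"{spi}: {r['drops']} ESP packets dropped {r['first']:%H:%M:%S}-{r['last']:%H:%M:%S}, "
                     f"seq {r['seq_range'][0]}..{r['seq_range'][1]}{fresh}, "
                     f"{r['drops_after_phase1']} after phase 1 rebuilt, "
                     f"DPD {'active' if r['dpd_seen'] else 'not seen'}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarise(analyse(SAMPLE_LOG))))
```

On the posted entries it reports one SPI, 0x1e12458d, six drops with ESP sequence numbers 4 to 9 climbing by one, four of them after "Phase 1 IKE SA process done". Sequence numbers that low mean the peer's child SA is freshly created, while "No rule found" means this end has no inbound SA for that SPI, so the two ends disagree about which child SA is live, and within the seconds shown the phase 1 rebuild does not change that. The SA lists on both ends at that moment are what to compare; the DPD exchange itself is succeeding.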
Strange wireless issue
Has anyone ever seen this issue?
I have a cellphone (Moto X 2nd Gen) that suddenly won't connect to my USG40W wireless.
The logs show this:
"STA is blocked by pre-Auth Failed. MAC [cellphone MAC address]"
Can't find any reference to that. All other wireless devices connect just fine...
Sometimes I'll get "STA is blocked by Band Select" as well, even though band select is set to disabled (the USG40W is single band anyway).
IPv6 WAN Configuration - /56 block
I'm finally getting around to doing some IPv6 testing on our USGs, and by default TWC will hand out /64 blocks (which you aren't supposed to 'split' across subnets). In order to have VLANs and subnets, you need a /56 block to split.
By sending a 'prefix-hint' to TWC, you supposedly can request a /56 block. But I can't see anywhere in the configurations to set this. SLAAC seems to have a prefix length field, but not sure that's what we want.
The DHCPv6 prefix delegation object is auto set when the ISP assigns your IP block...
Anyone gone through this yet? Searched documentation up and down but have yet to come up with anything.
Or is the 'better' option to use prefix delegation entries to request /64s for each internal network interface (LAN2, DMZ, VLANs)?
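As an added example (not from the post), Python's ipaddress module makes the sizing argument concrete: a /56 delegation carves into 256 /64s, one per internal interface, while a /64 cannot be split further because SLAAC needs all 64 host bits, so the function refuses rather than handing out /65s. The delegated prefix is a documentation-range placeholder and the interface names are illustrative.

```python
import ipaddress


def prefix_capacity(prefixlen: int, per_interface_len: int = 64) -> int:
    """Number of per-interface prefixes (default /64) a delegation of the given length holds.
    A delegation longer than the per-interface length yields none: it must not be split."""
    if prefixlen > per_interface_len:
        return 0
    return 2 ** (per_interface_len - prefixlen)


def carve_prefixes(delegated: str, interfaces, per_interface_len: int = 64) -> dict:
    """Assign one /64 out of the delegated prefix to each named interface, in order.

    Raises ValueError when the delegation has host bits set (not on a prefix
    boundary), is smaller than a /64, or holds fewer /64s than interfaces requested.
    """
    net = ipaddress.IPv6Network(delegated, strict=True)
    capacity = prefix_capacity(net.prefixlen, per_interface_len)
    if capacity == 0:
        raise ValueError(f"{delegated} is smaller than a /{per_interface_len} and cannot be split")
    if len(interfaces) > capacity:
        raise ValueError(f"{delegated} provides only {capacity} /{per_interface_len} prefix(es), "
                         f"{len(interfaces)} requested")
    subnets = net.subnets(new_prefix=per_interface_len)
    return {name: str(next(subnets)) for name in interfaces}


if __name__ == "__main__":
    # Placeholder delegation (documentation range); a real ISP hands out a global prefix.
    for name, prefix in carve_prefixes("2001:db8:abcd:1200::/56",
                                       ["lan1", "lan2", "dmz", "vlan30"]).items():
        print(f"{name:7} {prefix}")
```

With a /56 the interface prefixes differ only in the last byte of the fourth hextet (1200, 1201, 1202, ...), which is the prefix-id field the USG's DHCPv6 prefix delegation object fills per interface; with a /64 there is exactly one, so every extra internal network needs its own delegation request.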
ZyXEL ZyWALL USG 20W + Synology DS112J = No Connectivity
I have a ZyWALL as my primary Wi-Fi router and I simply would like my NAS to get along with my ZyWALL. Everything on my router (ZyWALL) is at default. Do I have to bridge the two? The NAS (Synology DS112J) is on my LAN2. Everything seems to work fine on my Wi-Fi side, but whenever I try typing the LAN2 address in the URL bar, it just redirects me back to my ZyWALL. If anyone can help me, I'd deeply appreciate it. Many thanks!
Zywall 110 + Strongswan IPSEC VPN Issues
Hi folks:
Is there anyone out there with experience running a VPN between a Zyxel 110, or similar model, and the Strongswan VPN software package that's used on Linux? I have an IPSEC VPN connection between those two that works 99% of the time, but every once in a while something happens, I suspect during key exchanges, that causes the VPN connection to hang and the only way to fix it is to inactivate and reactivate the gateway settings on the Zyxel (resetting Strongswan or rebooting the Linux machine won't fix anything once it's gotten into this state).
I'm using IKEv2 with a preshared key, as I had some issues with IKEv1. Originally I had two SAs under one gateway policy, but that appears to cause the problem more often than having multiple gateway policies each with only one SA. I've tried various combinations of settings, and I'm having some modest success with putting all the rekeying and rebuilding settings (e.g. dead peer detection, reauth/rekey interval etc.) on the Strongswan side, as I suspect this situation is triggered when both sides are trying to re-establish a failed session or rekey one at the same time. However, it doesn't look like I can entirely shut off all that stuff on the Zyxel side, as placing a zero in some of the timing fields is not allowed.
Lastly, is there any way to run some sort of command line script that issues commands to the Zyxel? I can detect the situation in software, and if I could inactivate and reactivate the gateway policy on the Zywall 110 through a script I could circumvent this problem. Right now I have to do it manually, which is a pain.
Suggestions welcome.
HTTP Redirect
This feature seems designed to facilitate a proxy server.
Considering the ransomware out there,
would use of a proxy server with HTTP redirect be helpful or useless?
Other steps taken:
(1) use of OpenDNS servers for all outgoing traffic, as set up on the router
(should I also hardcode all PCs to use the same servers?)
(2) blocked all ports/services from LAN to WAN except HTTP, HTTPS, SMTP, POP3.
Too cheap to buy services for IDP/ADP etc.
Could consider white lists perhaps?
Zyxel P-661HNU-DI-F1 lost default password
Hello from Finland. I have a Zyxel P-661HNU-DI-F1 router and after I reset it, I can't access it anymore. It's working, as you can see, but I can't change the password etc. I kept the reset switch pushed for over 10 seconds when switching the power on. I wonder if that's some kind of Deep Master Reset or something. I can't access the router using admin / 1234 or the previous password. I tried accessing with the MAC address as the password, but no use either. The WPA2_PSK key didn't work. I tested all of these too: hjVi7cli#u6 and all of these: http://setuprouter.com/router/zyxel/passwords.htm
Zywall 110 - separate two networks
Hi
I'm not a network expert, that's why I am asking this question to you guys in here :)
I have a Zywall 110 router and two switches. I have two LANs configured:
Port 4: 192.168.1.x
Port 5: 192.168.2.x
These ports are connected to each switch. Everything is working OK!
I want to separate the two networks, so computers on each subnet can't communicate with each other. One of the subnets is for "private" use, the other for "work" use (guests, conference rooms etc.).
As far as I can see, it can be done by adding the two LANs to the membership of "Layer 2 Isolation" or by adding rules in "Policy Control". The rules in "Policy Control" are set up to deny traffic from LAN1 to LAN2 and from LAN2 to LAN1. Is this the right way to do it? Both methods seem to work.
Which one is the best and most secure?
What are the differences?
Thank you!
BR Jesper
vpn ipsec USG300 - USG100 connected but no data
Hello,
Since today I have an IPsec VPN between 2 sites, one using a USG300 (ADSL) and the other a USG100 (ADSL).
It works fine.
Now I want to use a new SDSL connection from the USG300, but I have a special issue with this new VPN.
The VPN is connected but no data goes through the tunnel.
I have a policy route for the VPN like before.
i.e. before, ping worked; now ping doesn't work.
Only the connection changed, ADSL to SDSL.
I tried setting MSS to 1350: no change.
"Don't fragment" .... is checked.
One thing to know on the USG300:
ge1: LAN
ge2: ADSL (web, mail...)
ge3: ADSL (VPN)
ge4: Wi-Fi (VPN)
ge5: SDSL (VoIP)
ge6: SDSL (VPN) ------> this line makes me crazy
ge7: nothing
Can someone help me solve this issue?
THX
[USG 40W] VPN to VPN routing
Hello,
I've successfully set up 2 IPsec VPNs on my USG box:
One site-to-site, "peer_VPN", strategy LAN1_SUBNET -> PEER_SUBNET
One inbound (server role), "my_VPN", strategy LAN1_SUBNET
I needed the following routes to make them work:
my_VPN -> LAN1_SUBNET, nexthop auto
peer_VPN -> LAN1_SUBNET, nexthop auto
lan1 -> PEER_SUBNET, nexthop peer_VPN
Now I want to access PEER_SUBNET directly from a my_VPN client.
I tried to set a route my_VPN -> PEER_SUBNET, nexthop peer_VPN, but of course it doesn't work.
Any help would be appreciated !
Franck
[Zywall USG 100 Plus] L2TP VPN with Active Directory does not work
I want to use a L2TP VPN connection with Active Directory users
When testing the Configuration Validation with a user, it says: OK.
The same goes for the AAA Server / AD part. It says the same.
When I try to establish a VPN connection with the AD user, it says: "User has been denied from L2TP service. (Incorrect Username or Password)"
How does this come about? I've allowed the ext-group-user to use the AD. Is there a policy missing?
L2TP VPN works perfectly when logging in with a local user account.
FW: V3.30(AACV.7). This should be the most recent one.
USG-20W l2tp/ipsec drop connection after 10 minutes
Hi, thanks to your guide I successfully set up L2TP over IPsec on my Zywall.
The tunnel builds correctly from my iPhone, Win 10 notebook, Win 7 notebook etc...
But all have this common problem: after 9-11 minutes the connection gets stuck for a second (and probably loses some packets) and our software running on the server closes the session (of the program itself). I tried staying connected over RDP from my notebook to my server behind the tunnel; the connection stays up but freezes for some seconds (RDP rejoins the session by itself).
Here is a log; I cannot see anything else in the log of the Zywall... please help me debug! Thanks in advance, cheers.
zywall USG 100 dual wan - can't access 1 from outside
Hi,
I'm trying to achieve external access to a web server on my LAN from both WAN 1 and WAN 2.
WAN 1 is a DSL line with 5 static public IPs, and external access is working fine via 1:1 NATs and firewall rules (from WAN to LAN1).
WAN 2 is a PPP wireless connection with more bandwidth.
I've created a custom trunk with WAN 2 active and WAN 1 passive in case WAN 2 goes down, and chose WRR for load balancing (members are wan1, wan2 and wan2_ppp).
WAN 2 has 1 static IP; I've configured the wan2 PPPoE account and set it to receive the IP automatically.
The WAN 2 interface is set to DHCP.
I've also set up a DDNS that is pointing to my WAN 2 IP.
So basically... I'm trying to have the web server responding on WAN 2 as it is doing on WAN 1.
Ports 80 and 443 of the web server were previously open on the firewall, so I tried to create in the NAT a virtual server or a 1:1 NAT from the public IP of WAN 2 to the web server IP on LAN1, but the web server isn't responding outside the LAN. In the "from" interface of the NAT I tried both wan2 and wan2_ppp.
If I watch the monitor log I see connections pass through the firewall and go to the LAN1 IP, but from outside the web server is not responding.
On the LAN side the web server is working as expected.
What am I missing?
glad if someone can help me
ty
bye
Matteo
How to enable UPnP on Zywall USG 100?
Hi guys,
anyone know how to enable UPnP on the Zywall USG 100 and is there a minimum firmware version that supports it? I can't find this anywhere in the menus... Thanks in advance for any feedback!