Since upgrading to v4.30 I notice that I am no longer able to rename an Interface Name in the "Configuration \ Ethernet \ Edit \ Interface Properties \ Interface Name:" textbox. For example, if I attempt to rename aaa1 to bbb1, I get a popup informing me that this Interface will conflict with the ip address of "aaa1". It is almost like it is interpreting the rename as an "add", and not a rename.
This used to work under the previous firmware version.
Is it possible to do this under the CLI commands?
Thanks
Bob
↧
Can Not Rename Interface Name on USG40
↧
Problems with an internet access on USG 100
Guys, I’ve got some problems configuring USG 100 ... I used to have a USG 200 and had no problems configuring it, and now, doing more or less the same for USG 100 – I’m getting some problems. The problem is that not all of my devices in my home network can get an access to the internet if IP - MAC binding is enabled.
E.g. I’ve got a NAS in the network and if I allocate a fixed IP to it using MAC binding on USG – I get no internet access on the NAS (no problems with accessing NAS inside the network). If I remove the rule so NAS gets an IP via DHCP – it has an access to the internet. The same for a windows laptop – no internet access unless it gets IP automatically. At the same time, iMac has no problems with internet access with fixed IP (using MAC binding on USG).
Similar problem with accessing my home network from outside via IPSec VPN. My phone gets an access to home network (can see and access all network devices, such as NAS etc), but has no access to the internet while connected to the home network.
What can be the problem? SNAT is of course enabled …
P.S. Answering my previous question regarding the config files transfer between USG 200 and USG 100 – it does not work :(
↧
USG/UTM to ensure an ethernet line connects only to a specified IP
I have a junk WiFi Arris router that came with my ISP a few years ago. It can handle basic connections, for the most part, day to day. It ignores outbound access control directives that I set up. The bridge in the back of that box has four outlets, one of which has a VPN on ethernet that I want to ensure is always pointed to one and only one IP.
I was planning to build a Linux box to sit immediately adjacent to the Arris, between it and the rest of the line that connects to the equipment down the way. Knowing almost nothing about UTM gateways, my plan is to run one short ethernet line from the back of the Arris router to a piece of USG hardware--where I plan to set up an outbound IP access table for the ethernet. Am I on the right track?
Thank you for any help.
↧
SSL Mismatch or Certificate - USG40?
How to remedy this?
If I disable http but leave https admin [web] access it seems to lock me out. For now, I leave http enabled.
I'm the only person w/ physical access to the usg. I can live with error\warning but would like to only use https.
Happens on XP, W7 w/ all browsers (at this time, I don't have a linux box up to test).
Device is used but in excellent condition. Same thing happens with older usg20.
Saw Brano's fantastic info on securing usg but am more than a bit lost. :(
↧
SSL VPN using USG20-VPN
I need help and I only have a week to figure this out.
I'm currently in the Philippines where my ISP has all my ports blocked. I need to be able to access my network here from my home network in the USA. The reason, I am only in the Philippines once a year and would like to be able to access my network from the USA to see my cameras in my house. I have access to my home in the USA through remote access. So I can test whatever changes I make to see if the VPN will work.
This is sort of what my network looks like. Forgive me but I am very limited on setting up a network. I am just learning how to use the USG20-VPN. I can do remote desktop just fine, port forwarding just fine. But not setting up a SSL VPN.
NOTE: there is an error in my map it says "Smart Wi-Fi" under the ZyXel USG20. It does not have Wi-Fi.
I have tried following YouTube videos I found on the internet on setting up SSL VPN for . But something is not right.
First question: If I am doing remote access to my home in the USA and I try running ZyWall VPN client would it let me? Would the remote desktop block any attempt to VPN?
Second question: Can the Cisco DCP3825 be blocking it somehow? It has WIFi not that that matters. But I saw somewhere that it had VPN in it. It also has some form of firewall.
Third question: Since the Cisco DCP3825 is a router, do I have to do any port forwarding to the USG20 since the WAN address for the USG20 is from the Cisco DCP3825?
Fourth question: I can not access the ZyXel USG20-VPN using remote management. Any thoughts on why I can not see it? I think this is related to the Cisco DCP3825.
Any help would be appreciated. Thank you.
↧
How to block any incoming traffic by default from certain countries?
Is there any easy way to block any incoming traffic by default from certain countries on a USG40?
It seems that ZyXEL maps IP to country in the log.
↧
Zyxel USG 100 IPv6 PD
Hi,
I have set up the IPv6 Prefix Delegation on my Zyxel USG 100. From my ISP, I get a /62 network prefix. On my USG via RA, I hand out a /64 prefix via DHCPv6.
I receive global unicast IPV6 addresses on my LAN1 Clients and I can ping the IPv6 addresses of LAN1 but I am neither able to ping the IPv6 address of WAN1 nor any IPv6 address on the Internet such as the Google DNS Servers. I disabled the FW already for testing purposes but that did not help…
Please find below my current config in the screenshots.
Any Idea what could be the issue?
KR
Chris
↧
USG-50 limiting the bandwidth on a LAN
Hello,
A few days ago we changed our ISP and are currently paying for 300mb. When testing the internet speed behind the Zywall USG-50 we get a speed of 150 only. If I bypass the USG-50 I get up to 300mb. I'm not sure why the USG-50 is limiting the bandwidth on our LAN. Any idea where I can look or how I can set the USG-50 to be able to take advantage of the full bandwidth I'm paying for?
↧
USG40 new firmware?
Looks like there is an update for the USG40 to 4.31(AALA.0)
Doing it now but it looks like it might be hung :(
↧
Antivirus changed from kaspersky to bitdefender?
With latest firmware update for my USG60 I noticed from changelog that AV signatures are now coming from Bitdefender. I don't have active AV subscription right now but can someone with subscription confirm if the maximum signature number is still somewhere 600-700k and signature release interval takes as long as three days? These were two reasons why I didn't renew my AV subscription.
↧
Zyxel USG 100 Hardware Specifications
I could not find this information available online through searches, or via communication with Zyxel. I have included it here so it could be found by anyone looking.
I had to open up one of our units to obtain this information. I provided pics of the motherboard as well.
Note: There is a mystery button between the Console and Aux ports on the board.
The Zyxel Zywall USG 100 has the following:
Vitesse VSC7388XYU - Ethernet IC
NXP USA Inc MPC8343EVRAGDB 400/266 MHZ (info from digikey - PowerPC e300 Microprocessor IC MPC83xx 1 Core, 32-Bit 400MHz 620-PBGA (29x29) )
2 x Hynix H5PS1G63EFR Y5C 212AK - I was unable to determine the amount of RAM. It is DDR2.
↧
PK5001z WiFi not working
PK5001z, CenturyLink ADSL2+, WiFi was working fine until two days ago, then quit. SSID is not showing up.
Tried rebooting, hard reboot, toggle wifi on & off, change from auto channel to 1, 6, or 11. Seeing "zero" packets passed.
Any other tricks I can try?
↧
USG20W-VPN scheduled shutdown of wireless network
I have a USG20W-VPN that I use at home. Like many of us here I use the content filtering for my kids, which works well, but I need to cut them off the wireless SSID that I have set up for them at night so they won't play silly flash games all night long. I see the unit has a schedule option but it does not appear to have any option on what to do with that schedule. Does anyone have any ideas on how I might shut down the one kids SSID network for a daily time frame?
Thanks
↧
ZyWall 310 and Gigabit WAN (Fibre via media converter, PPPoE) speeds?
I have my new service hooked up to my 310, it's a gigabit fibre connection I'm using a media converter to hook up to the 310, authenticate via PPPoE and using a VLAN interface to tag the traffic.
Everything works fine, but my speed tests are inconsistent. Speed swings up and down and usually settles in at 800-850 Mbps at best and sometimes lower (just tested to 750). Direct speed testing with the ISP equipment not involving the Zywall were 1100 Mbps. Which I don't expect through an ethernet interface, obviously, but I should be consistently seeing 900-950 Mbps.
I'm only using the Zywall for SPI, none of the subscription services are active and my rule set is not large or complicated. CPU use during the test runs never goes above 30% so I'm at a loss as to what it might be. Using the same PC on the LAN I'm able to transfer files from NAS at the full gigabit link speed so it's not a cabling issue.
Is the Zywall terrible at PPPoE? Should I stop attempting to implement the vlan tagging on the Zywall and instead do it at my switch?
Humm... interesting, the speed test results are much more erratic (and slower results) when using Chrome compared to Edge or Firefox.
↧
Old Z2+ acting funny
I gave my old Z2+ to a friend and they are having internet problems so they asked me to check it out. I went to check it out and I could not log in to it. Not that the log in failed, it just sat there and did nothing. I tried power cycling it and when it came back up it looked like it was going to work but then it just timed out again. No failure for having the wrong password or anything, just timed out sitting there doing nothing.
Any ideas?
↧
IPSec VPN disconnects
Dear experts
We have a Zyxel ZyWall USG 1000 device in Location A.
We have configured an IPSec VPN Tunnel between Location A and Location B (Location B is a partner of us.)
Location A --> FW A --> Public IP A --> Subnet A
Location B --> FW B --> Public IP B --> Subnet B
The IPSec VPN Tunnel is not the usual setup because for Phase 2 we are using the following specific configuration:
- For the local Subnet instead of Subnet A we are using the Public IP A /32
- For the remote Subnet we are using the Subnet B
The tunnel is connecting and for a short period of time it's possible to communicate from Subnet A with the Systems from Subnet B.
Now after this very short time the tunnel will disconnect.
The partner B is assuming that the NAT is not working, or that there is a mismatch (the partner said that not all Subnets from Location B were configured on FW A, which is not the case).
The Firewall log:
"[COOKIE] Invalid cookie, no sa found [count=2]"
Any idea what might be wrong ?
Best regards
Imbalance
↧
USG, how to limit traffic on WAN2 to a predefined value of GB/month?
Hi!
I would like to use the second WAN port where I connect a 4G modem with, at the moment, 400 GB/month available (but in the future I could buy an unlimited plan). Is there a way to limit the traffic inbound/outbound at 400GB/month?
I don't need to limit the inbound/outbound speed but only the traffic per month that could be done in CELLULAR section but only for USB dongles.... A RJ45-to-USB converter could do the trick?
↧
IPSec VTI issues USG40
Hi Guys,
I am configuring an IKEv2 IPSec tunnel (w/ VTI), and have attached a schema to help you guys understand the setup.
The remote server is running strongswan. Both IPsec phases pass successfully, and the VTI interface is created and UP on both ends.
However, I had an issue whereby tunnel traffic on the USG ends up getting lost somewhere.
When I ping the USG's VTI from the server, the USG gets the response, replies to it but it never reaches the server (confirmed via a packet capture on the USG).
There are Tx hits but no Rx hits for the server VTI, however the USG VTI has both Rx and Tx hits.
The FW is behind a nat, and I am doing NAT-T. I am running the latest firmware. Below is my strongswan config:
conn swiss1
    type=tunnel
    ike=3des-md5-modp2048
    esp=3des-md5
    keyexchange=ikev2
    authby=secret
    forceencaps=yes
    mark=100
    leftupdown="/usr/local/sbin/ipsec-int-updown.sh --sourceip 10.0.51.1/24 --mtu 1370"
    leftsourceip=10.0.51.1/24
    left=95.183.52.144
    leftsubnet=0.0.0.0/0
    right=%
    rightsubnet=10.0.48.0/22
    auto=start
Just really puzzled with this one. I should be able to ping each VTI endpoint at the very least, but the USG is losing the traffic somewhere.
Any advice ?
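Added example, not part of the original post: a small Python check that parses ipsec.conf-style conn sections and flags legacy algorithms in the ike/esp proposals, such as the 3des-md5 proposals in the config quoted above. The WEAK token list and the "hardened" section are assumptions made for this example, and any replacement proposal has to be supported by both peers.

```python
# First section: proposal lines copied from the post. Second section: constructed for comparison.
SAMPLE_CONF = """\
conn swiss1
    ike=3des-md5-modp2048
    esp=3des-md5

conn hardened
    ike=aes256-sha256-modp2048
    esp=aes256-sha256
"""

# Assumed policy for this example (not from the post): tokens treated as legacy.
WEAK = {
    "3des": "64-bit block cipher",
    "md5": "MD5-based integrity/PRF",
    "modp768": "768-bit DH group",
    "modp1024": "1024-bit DH group",
}

def parse_conns(text):
    """Return {name: {option: value}} for each 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and indentation
        if not line:
            continue
        words = line.split()
        if words[0] in ("conn", "config", "ca") and "=" not in line:
            is_conn = words[0] == "conn" and len(words) > 1
            current = conns.setdefault(words[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def audit_proposals(text):
    """Return (conn, option, token, reason) for every legacy token found."""
    findings = []
    for name, opts in parse_conns(text).items():
        for opt in ("ike", "esp", "ah"):
            # A trailing '!' marks a strict proposal list; proposals are comma-separated.
            for proposal in opts.get(opt, "").rstrip("!").split(","):
                for token in proposal.strip().lower().split("-"):
                    if token in WEAK:
                        findings.append((name, opt, token, WEAK[token]))
    return findings

if __name__ == "__main__":
    for finding in audit_proposals(SAMPLE_CONF):
        print("%s: %s uses %s (%s)" % finding)
```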
↧
ZyWALL 110 - password expired, and could not be changed
Just for your information (might be useful to others): I suddenly had a hell of a time trying to log-in into the web interface of my ZyWALL 110.
When logging in I got the message "As a security precaution, it is required to change your password".
Apparently this is a new feature since the latest firmware update, that has been enabled and set to come up after 180 days by default.
So it must have been 180 days since I updated the firmware.
This is a good security measure in itself, but it would be better if this was communicated more clear: at least I was not aware of this change.
Anyhow, the problems started when I tried to change the password through the login screen: the new password was not accepted, and I got the message "Invalid username or password".
I am 100% sure that this new password was in accordance with the complexity rules as defined in the ZyXEL manual.
But I tried it several times with different new passwords, all of which should fulfill the password complexity rules, but got the same message every time, and after five attempts I was locked out.
So I was already afraid I had to reset my Z110 and start from scratch.
But then I tried to log-in via a CLI connection, and luckily I was able to log-in (still using the old password).
So I created a new admin user through the CLI, using these commands:
Router> configure terminal
Router(config)# username password user-type admin
With this new user I could log-in into the web interface, and modify the password of the old admin user via "Object -> User/Group".
After that I also could log-in again with the old user.
So all fine in the end, but it was a frustrating experience...
↧
help me diagnose instability of Zyxel C3000Z connection
I have Centurylink VDSL2 with 60down\5up. When it is working it works great, and speed test is showing good results. I've had a problem that about every 2-3 days, some devices on the network can no longer get HTTP traffic (other ports like ping are still working). It isn't the same devices every time either. Power cycle the modem has always solved the problem.
I previously disabled wifi on the C3000Z and moved the wifi \ ethernet traffic to a separate router to reduce some of the load on this box, such as local LAN traffic - there are only 2 devices connecting to the C3000Z which is the separate router and my VOIP OBI box. However, when I do experience this web connectivity problem - I find that resetting the C3000Z modem (not the downstream router) is actually what fixes the problem.
Any suggestions what I can do to fix or at least troubleshoot this?
↧