Comments
-
Hi @p4_greg,
edit running
system network-stack arp-seal enabled false
system network-stack ipv4 arp-ignore check-interface-and-subnet
commit
-
https://community.zyxel.com/en/discussion/32391/usg-flex-h-series-mac-binding Hi @MarkoK, It's a different feature name on USG FLEX H. https://community.zyxel.com/en/discussion/26842/usg-flex-h-series-source-ip-spoofing-prevention
-
Hi @rcd, Yes, 192.168.5.1 is allowed by the VPN. Since the VPN tunnel already encrypts the traffic, HTTP in the VPN tunnel is secured and is quicker than HTTPS.
-
Hi @rcd, To narrow the attack surface, USG FLEX H does not allow opening the 2FA page from the Internet. It can only be accessed within the tunnel. You need to set the link IP to the LAN interface IP. In my case, the LAN interface is 192.168.5.1. And make sure it's in the local networks list if using split tunnel.
-
https://community.zyxel.com/en/discussion/comment/81326#Comment_81326 Hi @nielsscheldeman, It's in the AD server, not the LDAPS server.
-
I think one option is to enable LACP on the firewall and switch. At least it restricts peers to those having LACP functionality in order to connect, which is generally not the case for user computers or switches without specific configuration. Supporting layer 2 encryption like MACsec would be perfect, but it needs a specific hardware chip…
-
https://community.zyxel.com/en/discussion/31035/radius-server-on-zyxel-flex-h-with-ssl-vpn Why not use LDAPS (TCP 636) instead of RADIUS/NPS? https://support.zyxel.eu/hc/en-us/articles/27386297086610-Zyxel-Firewall-Windows-Server-2025-Active-Directory-and-Zyxel-Firewall-ZLD-5-40-uOS-1-32#h_01JZHX2DD5SSH07E4PTVETGT9J
-
Hi @IWAT, Put the commands in a text file, then run plink with the CLI file. CLI file example:
configure terminal
hostname ABC
address-object AAA 1.1.1.1
write
exit
exit
Then run:
plink -ssh -no-antispoof admin@192.168.1.1 -pw mypassword < cli.txt
-
Hi @Ich, You can try this CLI. In this case the client is under LAN interface ge3, with IP address 192.168.168.100 and MAC address 00:11:22:33:44:55:
> edit running
# / vrf main interface ethernet ge3 ipv4 neighbor 192.168.168.100 link-layer-address 00:11:22:33:44:55
# commit
# copy running startup
# show arp-table
-
Hi @SunglassesGuy , See if this post helps. https://community.zyxel.com/en/discussion/3000/using-a-zyxel-usg-as-a-radius-server-to-authenticate-users-on-a-gs-series-switch-with-802-1x
-
Hi @LukeArchbold, It needs to be set up via CLI. Take interface ge1 as an example:
> edit running
running config# / vrf main interface ethernet ge1 ipv4 dhcp dhcp-client-identifier-ascii 12345678@skydsl
running config# commit
running config# copy running startup
-
Hi @Username_is_reserved, Create an internal type bridge interface and add both the lan2 and sfp interfaces as members. This groups the ports of the two interfaces like a virtual software switch. The only drawback is that traffic between the ports is not wire speed as on a hardware switch.
-
Hi @AdminSys, To work with Windows 2025 authentication, the LDAP connection needs to use TLS. Change the port to TCP 636 and enable "Use SSL" in the AD server setting page.
-
Hi markracing, "I'm at home, I connect to the VPN, but I want my internet traffic to continue using my home public IP." This is what split tunnel does. With split tunnel, the VPN server (USG FLEX 100H) will not provide you a default route, so the default gateway is the router at your home, and you go to the Internet with your public…
-
Hi @markracing, Use split tunnel instead of full tunnel.