Best Of

Re: Odd 2FA Security Issue With The USG40

I would guess, that maybe the former session/s get cached and since it's the same client/machine the credentials are still valid? Or the 2FA has a general grace period per user/machine?

Are the links you receive maybe even the same?

I would try logging in, clicking the 2FA, logging out immediately, logging in, compare the links.

Next I would try different clients and see if the 2FA can be skipped with those too.

If it just applies to the same client, the real world implications would exist, but the chances of exploiting this are very slim.

StefanZ

1

Re: Odd 2FA Security Issue With The USG40

Hi @JCE,

Can you test again and check if the IP shows up in twofa-ipsec-ip? It should be listed in twofa-ipsec-ip before clicking the authorization email.
Once you click the authorization email, it will be delisted from twofa-ipsec-ip.

Here are the steps:

Connect the VPN client.
Type the CLI command "debug system ipset" to check if the VPN client's IP address is listed in twofa-ipsec-ip."

e.g.
Name: twofa-ipsec-ip
Type: hash:ip
Revision: 3
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16496
References: 2
Members:
X.X.X.X <= You should be able to see the IP address in the member list before clicking the authorization email

Zyxel_Cooldia

1

Re: SMS 2FA On Usg 40 (Latest FW) Question For UK Based Unit

Hi @JCE ,

You can use ClickSend to send SMS for 2FA. Please refer to the link below for instructions on how to configure two-factor authentication (2FA).

https://kb.zyxel.com/KB/searchArticle!viewDetail.action?articleOid=018012&lang=EN

Zyxel_Cooldia

1

Re: USG Flex 100 L2TP VPN not letting me access shared folders of the LAN

https://community.zyxel.com/en/discussion/comment/49707#Comment_49707

windows firewall

mMontana

1

Re: Trunking port on GS1200-5/GS1200-8?

The configuration I posted in september 2019 needed only minor changes to the GS1900-24E setup (as shown in the included image here).

Since I changed it to the following settings, everything works now as I wanted to.

I have 2 separated VLANS for all wired connections and two WIFI networks, one for VLAN1 and the other one for VLAN 100.

So far I was very happy with this.

zebra1220

1

Re: GS1200-8 802.1Q VLAN: Must all ports be connected to VLAN 1?

Not sure if you got this worked out.

Think of Tagged also as Trunked. PC's cannot tag, so a PC will always be untagged (switch port Access) and the PVID should match the VLAN. It would only share another VLAN on the same port if it were an IP phone, which does have the capability to TAG if programed to do so. SO, a trunk / uplink will be tagged for all vlans. PVID should have no relevance.

As for security, VLANS are LAYER 2 protocol not LAYER 3. The router would be set up for .1q trunking, and any cross over of VLAN traffic only occurs at that layer (3), .1q, also known as "Router on a Stick". This is known as inter vlan routing and must have firewall rules in place to block that crossover traffic. VLAN's have no relationship with any IP address / subnet you created so firewall rules will be IP based rules.

To sum it up. Ports should not be assigned multiple VLANS where all are untagged.

Tagged ports are trunk ports for uplink

or

a port used for multi device connection such as an IP Phone in say Voice VLAN 10 (TAGGED) with the data VLAN 20 untagged with PVID 20

One important thing. PC's do have a capability in the NIC to modify, change, add vlan info for tagging. It is set to NO by default on every machine out there. Under no circumstances should you EVER change that, unless you enjoy punishing yourself.

You can always buy a Cisco CCNA study guide and learn everything you wanted know about VLANS. It is a good read. Become a CCNA today.

Cheers.

DustMite

1

Re: NWA50AX & NWA55AXE Email Log option disappeared

Hi @NickU ,

You can download the full CLI-reference manual for the NWA/WAC/WAX Series here.

By the way, you also can download other materials at Zyxel Download Library

Zyxel_Judy

1