Best Of

Re: ddns

For No-IP I use User custom

https

your no-ip user name

password

Your domain like bounceme.bounceme.net

the interface

update with public IP if interface is not direct with WAN

DYNDNS server dynupdate.no-ip.com

URL /nic/update?system=dyndns&hostname=bounceme.bounceme.net

check public IP URL if needed http://ip1.dynupdate.no-ip.com/

PeterUK

Re: Help getting vlan working

If your devices are not tagged on NIC they can never see the USG.

Set ports on VLAN1 to not member 1-10

Your want USG connected to a port on the switch as tagged port 1 this port PVID does not need to be set to 70 (but is fine as 70) you then need to set ports 2-10 as untagged with the PVID as 70 devices on port 2-10 will then go out port 1 as tagged 70 to USG

PeterUK

Re: voip on a ugs20vpn router

Do you have an on premise system that connects to the server, or just a phone that connects to a server in the cloud?

Do you see any entries in the log showing a blocked connection attempt from the phone provider?
That is found at Monitor > Log. Clear the log first, then make a call and see if it shows in the log as a DROP.

Have you run a packet capture during a call to catch both WAN and LAN1 (or whichever you are using) ports? That can be done at Maintenance > Diagnostics > Packet Capture > Capture.

Do you know how to use Wireshark to look at the packet capture (PCAP)? If so, you should see first the signaling from the phone/phone system using Session Initiation Protocol (SIP), then the audio using Real-time Transport Protocol (RTP).

If you have an on premise system, it also matters whether it connects via registration or not. If it does not register to the server (unregistered SIP trunk), then you will need port forwarding, or Network Address Translation (NAT), rules in place.

But, I like to start with the packet capture to see what is coming in to the WAN and whether or not it is going out to the LAN.

DeanH

Spread the love and win big! Take product survey and enter to win free coupons (May 2023 Closed)

📣 Attention all Zyxel product users, we want to hear from you!

Share your experience with our products by taking our Zyxel Products Satisfaction Survey and you could win free $10 coupons to use on Zyxel Marketplace. Don't miss out on this chance to give us your valuable feedback and win big. The survey runs from April 6th to May 5th, 2023. All you need to do is leave your email address at the end of the survey and you will be entered into a random giveaway. Please note that the discount coupons will be awarded in accordance with the terms and conditions stated in the giveaway rules.

So, what are you waiting for? Seize this opportunity to win and share your valuable feedback with us. Let's get started and make our products even better together.

Zyxel_JudyH

Re: USG FLEX 50W Configuration Files Cleanup

The Zyxel device automatically creates .conf files beginning with ez_ for settings used in Easy Mode, this file creation takes place in Expert Mode. You should not or can not delete those files.
User Guide chapter 4.1.1 Objects and Rules — page 89.

Regarding startup-config-bad.conf, see page 827, chapter 33.2 The Configuration Screen :

if there is a file named startup-config.conf and an error happens during boot, your Zyxel device creates a log and copies startup-config.conf to startup-config-bad.conf . See your User Guide for the remaining description.

TrondBKSuleimanCo

Re: Policy Control in USG FLEX 100

This works for me to block VLAN10 (users) from accessing VLAN1000 (admin).

VLAN1000 can still access VLAN10 – if you want it to be mutual, you need a second, reversed policy.

Source objects would be Hosts – but generally I would just put those hosts on seperate VLANs or Zones.
In your case a host could just chose another IP to be allowed again. With MAC/DHCP enforcement the host could still spoof its' MAC… and so on.

If you generally want to isolate all hosts on that subnet from each other, you want "Layer-2-Isolation" as a concept.

Bildschirmfoto 2023-02-25 um 12.28.57.png

StefanZ

Re: Policy Control in USG FLEX 100

Computers on the same subnet or LAN1 can't blocked due to a switch or if you port role LAN ports to LAN1 which is still a switch before it gets to the Policy Control.

Two way to block is to have the computers on different subnets which the Policy Control can see or with a VLAN set to general with proxy arp and a managed switch with Send the packet to the egress port with ARP out the port to USG which you make a LAN to LAN Policy Control rules to limit what computers can connect to each other on the same subnet.

PeterUK

My experience on 5.32 firmware starting from scratch (on premises)

As 2022 is... quite few years that i use Zyxel firewalls. My first experience was Zywall 5, and now on a USG Flex 50 maybe is the 50/60th device I use/configure/manage.

Latest experience was USG Flex 100 starting from scratch at the beginning of the year, but starting "as new" give me some more insights about the "new default" (by my perspective) proposed by zyxel.

Take your time, something nice to sip, a bit of ease.

I loved the automatic update at latest released firmware at second login.
At the first one I had to change the password (pro tip: write down some notes, as first the definitive password), but at the second login the device looked for and updated the firmware. It's so gamechanger to avoid vulnerabilities. On the other hand, this approach make really difficult the "bootup" of a new instance without internet access. IMHO this can lead to some hiccups in specific environments (like mac-locked ISP access: i cannot use the connection unless the MAC Address of my adapter is not the one allowed by the next hop).
I am not a Nebula fan, so i found naggy to specify twice that I wanted to take "on premises" route. At reboot with new login, the default password has already been changed and Nebula was already refused: why keep nagging the tech guy? If the path were Nebula, it could be chosen at step 1 or at reset

I still find coercive pretend the registration of the device to allow the configuration: this forced path lead to help request on this forum or through Zyxel representatives for moving, if necessary, the device from one account to another, Nebula or myZyxel. For myZyxel portal... meh. For Nebula, maybe a "tech access" for the major "firm account" might be helpful: tech access can login, add devices, create or retrieve configuration, then test it, then deliver it to the premises, without messing around with other devices/templates for the firm.

After registration, the wizards are strict. A lot. For a non experienced tech it's quite tough to create unwise remote access to the device and the configuration, and that's really good, because leaving open doors it's way, way difficult and "tricky" to do. It's a longer job for me allowing the access that i need (L2TP, IKE/NATT, SSLVPN, Remote admin).

So... Update done. Registration done, remote access sealed up. What's next?Objects.
Especially if you are replacing an old device (zyxel or other firewalls doesn't matter), creating all needed objects as first task will be really useful for being a fast deployer. CLI commands are really useful, you can script the creation of all bells an whistles needed for have your "stuff" ready to kick in any other part of the device:IPSec tunnels, L2TP access, SSLVPN, services (default and custom) users. It will take, at the beginning, 30 to 40% of the time, but after it will save you more than 50%. Of course: if you already know what you will need.
The only thing that will be a bit trickier is the creation of VPN gateways/IKE Phase 1, because most of that is not object-enabled.
But for:
VPN connections/IKE phase 2
SSL VPN
L2TP
security policies
routing
AP profiles
and something more
having all the "gizmos" ready to deploy will boost substancially your setup. If you're scared about "too many useless objects", don't worry: after the deployment, the test and eventual adjustments of the setup, you can still have report about where and how many times objects are used into the configuration; in few clics the cleanup is done.
I did not enjoy that much the DHCP from CSV import. I can understand why the wiping of present table, but I don't agree: should be an option or a button/command to clear the reservation list. I find the option useful but needs refinement.

The option for check for updated firmware: I may not want an automatic upgrade, but the automatic check should be enabled by default, after the mandatory connection to a Zyxel Portal account.

Hints for beginners: design your firewall "on paper". Managing firewalls can be done like jamsession, following the flow and the groove, but you need at least how to pinch the strings or make the reed sing. If you're a newbie or you're installing in a new kind of environment, create something "working on paper" will save you time and headaches for solving issue. When in doubt, keep the port shut, check the log, make your brain work. ;-)

Don't forget some TCP/IP notes close, and keep looking at two wonderful tools/charts:
Routing Flow
Snat Flow
they will tell you all the steps packages take from inside to outside (and the other way around)