Best Of
Re: ddns
For No-IP I use User Custom:
https
your No-IP user name
password
your domain, like bounceme.bounceme.net
the interface
update with public IP if the interface is not directly connected to the WAN
DYNDNS server: dynupdate.no-ip.com
URL: /nic/update?system=dyndns&hostname=bounceme.bounceme.net
check public IP URL, if needed: http://ip1.dynupdate.no-ip.com/
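What the "User Custom" entry above actually sends, as an added example (not code from the original post or from Zyxel): the DynDNS2-style request to No-IP with HTTP Basic authentication, the optional public-IP lookup the post mentions for interfaces that are not directly on the WAN, and how the reply codes should be treated. dynupdate.no-ip.com, /nic/update, system=dyndns and ip1.dynupdate.no-ip.com are the values from the post; the credentials, the User-Agent string and the fake transport used to exercise it offline are assumptions. The update is sent over HTTPS only, because the Basic token is just base64 of user:password and would otherwise cross the wire in clear; the IP-check URL returns only a plain-text address, so the post's http:// there is acceptable.

```python
"""No-IP update over the DynDNS2-style endpoint from the post above.

Added example, not from the original post or from Zyxel. Host names and
the URL path come from the post; credentials, User-Agent and the injectable
`fetch` transport (so the module runs offline) are assumptions.
"""
import base64
import ipaddress
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

UPDATE_HOST = "dynupdate.no-ip.com"
IP_CHECK_URL = "http://ip1.dynupdate.no-ip.com/"  # plain-text body: the public IP

# DynDNS2 reply codes -> (safe to retry later?, what to do)
RESPONSE_CODES = {
    "good": (True, "update accepted"),
    "nochg": (True, "address unchanged; do not hammer the server"),
    "nohost": (False, "hostname is not in this account: fix the hostname"),
    "badauth": (False, "credentials rejected: stop and fix them"),
    "badagent": (False, "client blocked: send a descriptive User-Agent"),
    "abuse": (False, "account blocked for abuse: stop retrying"),
    "911": (True, "server-side fault: back off for at least 30 minutes"),
}

Fetcher = Callable[[urllib.request.Request], str]


def default_fetch(req: urllib.request.Request) -> str:
    """Real transport: one HTTP(S) round trip, body returned as text."""
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")


def build_update_request(user: str, password: str, hostname: str,
                         myip: Optional[str] = None) -> urllib.request.Request:
    """GET https://dynupdate.no-ip.com/nic/update?... with HTTP Basic auth.

    Always HTTPS: the Basic token is only base64(user:password), so over
    plain HTTP the No-IP account password would be readable on the wire.
    """
    url = f"https://{UPDATE_HOST}/nic/update?system=dyndns&hostname={hostname}"
    if myip is not None:
        ipaddress.ip_address(myip)  # raise on junk before it reaches the URL
        url += f"&myip={myip}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(url, headers={
        "Authorization": f"Basic {token}",
        "User-Agent": "ddns-example/1.0 contact@example.com",  # assumed value
    })


@dataclass
class UpdateResult:
    code: str
    ip: Optional[str]
    retry_allowed: bool
    action: str


def parse_response(body: str) -> UpdateResult:
    """Reply is '<code>' or '<code> <ip>', e.g. 'good 203.0.113.7'."""
    parts = body.split()
    code = parts[0] if parts else ""
    ip = parts[1] if len(parts) > 1 else None
    retry, action = RESPONSE_CODES.get(code, (False, f"unrecognised reply {body!r}"))
    return UpdateResult(code, ip, retry, action)


def public_ip(fetch: Fetcher = default_fetch) -> str:
    """What the router does when its own interface does not hold the public address."""
    body = fetch(urllib.request.Request(IP_CHECK_URL))
    return str(ipaddress.ip_address(body.strip()))


def update(user: str, password: str, hostname: str,
           behind_nat: bool = True, fetch: Fetcher = default_fetch) -> UpdateResult:
    """Full cycle: look up the public IP if needed, send the update, parse the reply."""
    myip = public_ip(fetch) if behind_nat else None
    return parse_response(fetch(build_update_request(user, password, hostname, myip)))


if __name__ == "__main__":
    # Real call; replace with your own No-IP account and hostname.
    print(update("your-no-ip-user", "password", "bounceme.bounceme.net"))
```

The one thing worth checking on the router afterwards is how it reacts to `badauth`, `nohost` and `abuse`: those are permanent until you change something, and a client that keeps retrying them is what gets an account blocked.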

Re: Help getting vlan working
If your devices are not tagged on the NIC they can never see the USG.
On VLAN1, set ports 1-10 to Not Member.
You want the USG connected to a port on the switch as a tagged port (port 1); this port's PVID does not need to be set to 70 (but 70 is fine). You then need to set ports 2-10 as untagged with PVID 70; devices on ports 2-10 will then go out port 1 tagged 70 to the USG.
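The port layout in that reply, replayed on a simplified 802.1Q switch model so the PVID/tagged/untagged rules can be checked rather than guessed. This is an added example, not code from the original post or from Zyxel's switch firmware: port numbers and VLAN 70 are the reply's; the USG is modelled only as an interface that accepts frames carrying tag 70, and the "broken" layout (client ports left in VLAN 1) is an assumed misconfiguration used for contrast.

```python
"""802.1Q port model for the switch layout in the reply above.

Added example, not from the original post or from Zyxel. It applies the
ingress (PVID) and egress (tagged/untagged membership) rules of a plain
802.1Q switch to the recommended configuration and to a common mistake.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

USG_VLAN = 70
USG_PORT = 1
CLIENT_PORTS = range(2, 11)   # ports 2-10


@dataclass
class Port:
    pvid: int                                         # VLAN given to untagged ingress frames
    tagged: Set[int] = field(default_factory=set)     # egress keeps the 802.1Q tag
    untagged: Set[int] = field(default_factory=set)   # egress strips the tag

    def is_member(self, vid: int) -> bool:
        return vid in self.tagged or vid in self.untagged


Switch = Dict[int, Port]


def classify(port: Port, wire_vid: Optional[int]) -> Optional[int]:
    """Ingress: untagged frames take the PVID; tagged frames need port membership."""
    if wire_vid is None:
        return port.pvid
    return wire_vid if port.is_member(wire_vid) else None


def forward(switch: Switch, in_port: int, wire_vid: Optional[int]) -> Dict[int, Optional[int]]:
    """Flood one frame; maps each egress port to the tag on the wire (None = untagged)."""
    vid = classify(switch[in_port], wire_vid)
    if vid is None:
        return {}                                     # unknown tag: dropped at ingress
    out: Dict[int, Optional[int]] = {}
    for num, port in switch.items():
        if num == in_port or not port.is_member(vid):
            continue
        out[num] = vid if vid in port.tagged else None
    return out


def usg_accepts(wire_vid: Optional[int]) -> bool:
    """The USG's VLAN-70 sub-interface only sees frames that carry tag 70 (assumed model)."""
    return wire_vid == USG_VLAN


def recommended_switch() -> Switch:
    """Ports 1-10 out of VLAN 1; port 1 tagged in 70; ports 2-10 untagged in 70 with PVID 70."""
    switch: Switch = {USG_PORT: Port(pvid=USG_VLAN, tagged={USG_VLAN})}
    for p in CLIENT_PORTS:
        switch[p] = Port(pvid=USG_VLAN, untagged={USG_VLAN})
    return switch


def broken_switch() -> Switch:
    """Assumed mistake: client ports left in VLAN 1 with PVID 1, so nothing enters VLAN 70."""
    switch: Switch = {USG_PORT: Port(pvid=USG_VLAN, tagged={USG_VLAN})}
    for p in CLIENT_PORTS:
        switch[p] = Port(pvid=1, untagged={1})
    return switch


def client_reaches_usg(switch: Switch, client_port: int) -> bool:
    """Does an untagged frame from a client port reach the USG carrying tag 70?"""
    out = forward(switch, client_port, None)
    return USG_PORT in out and usg_accepts(out[USG_PORT])


if __name__ == "__main__":
    for name, sw in (("recommended", recommended_switch()), ("broken", broken_switch())):
        print(name, "port 2 -> USG ok:", client_reaches_usg(sw, 2), forward(sw, 2, None))
```

Two things the model makes visible: a frame from the USG tagged with a VLAN no port is a member of is dropped at ingress (so removing ports 1-10 from VLAN 1 is harmless for VLAN 70 traffic), and a client port with PVID 1 floods only to the other VLAN 1 ports, never to the USG.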

Re: voip on a ugs20vpn router
Do you have an on premise system that connects to the server, or just a phone that connects to a server in the cloud?
Do you see any entries in the log showing a blocked connection attempt from the phone provider?
That is found at Monitor > Log. Clear the log first, then make a call and see if it shows in the log as a DROP.
Have you run a packet capture during a call to catch both WAN and LAN1 (or whichever you are using) ports? That can be done at Maintenance > Diagnostics > Packet Capture > Capture.
Do you know how to use Wireshark to look at the packet capture (PCAP)? If so, you should see first the signaling from the phone/phone system using Session Initiation Protocol (SIP), then the audio using Real-time Transport Protocol (RTP).
If you have an on premise system, it also matters whether it connects via registration or not. If it does not register to the server (unregistered SIP trunk), then you will need port forwarding, or Network Address Translation (NAT), rules in place.
But, I like to start with the packet capture to see what is coming in to the WAN and whether or not it is going out to the LAN.

Spread the love and win big! Take product survey and enter to win free coupons (May 2023 Closed)
📣 Attention all Zyxel product users, we want to hear from you!
Share your experience with our products by taking our Zyxel Products Satisfaction Survey and you could win free $10 coupons to use on Zyxel Marketplace. Don't miss out on this chance to give us your valuable feedback and win big. The survey runs from April 6th to May 5th, 2023. All you need to do is leave your email address at the end of the survey and you will be entered into a random giveaway. Please note that the discount coupons will be awarded in accordance with the terms and conditions stated in the giveaway rules.
So, what are you waiting for? Seize this opportunity to win and share your valuable feedback with us. Let's get started and make our products even better together.
Re: USG FLEX 50W Configuration Files Cleanup
The Zyxel device automatically creates .conf files beginning with ez_ for settings used in Easy Mode; this file creation takes place in Expert Mode. You should not, or cannot, delete those files.
User Guide chapter 4.1.1 Objects and Rules, page 89.
Regarding startup-config-bad.conf, see page 827, chapter 33.2 The Configuration Screen: if there is a file named startup-config.conf and an error happens during boot, your Zyxel device creates a log and copies startup-config.conf to startup-config-bad.conf. See your User Guide for the remaining description.
Re: Policy Control in USG FLEX 100
This works for me to block VLAN10 (users) from accessing VLAN1000 (admin).
VLAN1000 can still access VLAN10 – if you want it to be mutual, you need a second, reversed policy.
Source objects would be Hosts, but generally I would just put those hosts on separate VLANs or Zones.
In your case a host could just choose another IP to be allowed again. With MAC/DHCP enforcement the host could still spoof its MAC, and so on.
If you generally want to isolate all hosts on that subnet from each other, you want "Layer-2-Isolation" as a concept.

Re: Policy Control in USG FLEX 100
Computers on the same subnet or LAN1 can't be blocked because of the switch, or if you port-role LAN ports to LAN1, which is still a switch before traffic gets to the Policy Control.
Two ways to block are to have the computers on different subnets, which the Policy Control can see, or with a VLAN set to General with proxy ARP and a managed switch that sends the packet to the egress port, with ARP out the port to the USG, for which you make LAN to LAN Policy Control rules to limit what computers can connect to each other on the same subnet.

My experience on 5.32 firmware starting from scratch (on premises)
At the first login I had to change the password (pro tip: write down some notes, as the first one is the definitive password), but at the second login the device looked for and updated the firmware. It's such a game changer for avoiding vulnerabilities. On the other hand, this approach makes the "bootup" of a new instance without internet access really difficult. IMHO this can lead to some hiccups in specific environments (like MAC-locked ISP access: I cannot use the connection unless the MAC address of my adapter is the one allowed by the next hop).
I am not a Nebula fan, so I found it naggy to have to specify twice that I wanted to take the "on premises" route. At reboot with the new login, the default password had already been changed and Nebula was already refused: why keep nagging the tech guy? If the path were Nebula, it could be chosen at step 1 or at reset.

Especially if you are replacing an old device (Zyxel or other firewalls, it doesn't matter), creating all needed objects as the first task will be really useful for being a fast deployer. CLI commands are really useful: you can script the creation of all the bells and whistles needed to have your "stuff" ready to kick in in any other part of the device: IPSec tunnels, L2TP access, SSL VPN, services (default and custom), users. It will take, at the beginning, 30 to 40% of the time, but afterwards it will save you more than 50%. Of course, only if you already know what you will need.
The only thing that will be a bit trickier is the creation of VPN gateways/IKE Phase 1, because most of that is not object-enabled.
But for:
VPN connections/IKE phase 2
SSL VPN
L2TP
security policies
routing
AP profiles
and something more
having all the "gizmos" ready to deploy will boost your setup substantially. If you're scared about "too many useless objects", don't worry: after the deployment, the test and any adjustments of the setup, you can still get a report about where and how many times objects are used in the configuration; in a few clicks the cleanup is done.
I did not enjoy the DHCP import from CSV that much. I can understand why it wipes the present table, but I don't agree: it should be an option, or a button/command to clear the reservation list. I find the option useful but it needs refinement.
Routing Flow
SNAT Flow
These will tell you all the steps packets take from inside to outside (and the other way around).

Re: Error Nebula VPN L2TP
Re: IPSec VPN. How to create connection with multiple local and remote networks
172.31.99.0/24
