Best Of
Re: NR2101 IP Pass-through
FYI I've opened a ticket for this issue as well since it seems more of a bug than a config issue. I will report back on any progress.
Happy new year 🚀🌈
Source/Destination "External"
It would be convenient if we had the option to add an "External" entry to the Source and/or Destination fields under security policy. Basically, I would like to allow traffic to all WAN/Internet resources, but not to any internal subnets or VLANs.
Combine On Premise and Cloud Mode
Let us configure everything on premise and use Nebula to have insights on usage and stats, DHCP-Leases, Data-Usage, Application, VPN-Connections...
Re: Tommy
Maybe I am reading too much into this, but for your question to be answered, you may have to provide more information or be more specific in describing the scenario.
If your intention is to keep your units powered when power is removed, I can only suggest using some form of UPS to power those units by battery cells when power is down.
Failing that, if your post means to describe a situation where all the Configuration of said unit is lost when power is removed, then please confirm if this is the case. In that case, I refer to ZyXel Support or the power users in this forum to post their answers to you, given that they have enough information to know your actual issue.
Thank you for your continued interest.
specify an onsite NTP host
In situations where all the traffic needs to be routed through a proxy and only specific protocols are allowed it'd be helpful to be able to specify an onsite NTP host
Add an option to "only allow IP/MAC listed" in "Static DHCP Table"
This discussion was created from comments split from: Enable IP/MAC Binding and DHCP Enforcement
Description:
Add an option to "only allow IP/MAC listed" in "Static DHCP Table"
Click like if you think the feature is useful and beneficial.
GS1200 series need the MAC table for monitor
Dear community,
We created this feature request based on this post; again, anyone who likes this idea please feel free to leave your comment or click vote.
Re: FLEX500: Match default rule DNAT Packet, DROP
https://community.zyxel.com/en/discussion/3993/match-default-rule-dnat-packet-drop
Not sure how much it helps, but at least it can give you a little bit of insight to what the parts can be. You may also want to review the list of rules to see if any of them affect the NAT behaviour.
My experience on 5.32 firmware starting from scratch (on premises)
As of 2022 it's been... quite a few years that I've used Zyxel firewalls. My first experience was a ZyWALL 5, and now on a USG Flex 50, this is maybe the 50th/60th device I use/configure/manage.
My latest experience was a USG Flex 100 starting from scratch at the beginning of the year, but starting "as new" gave me some more insights about the "new default" (from my perspective) proposed by Zyxel.
Take your time, something nice to sip, a bit of ease.
I loved the automatic update at latest released firmware at second login.
At the first one I had to change the password (pro tip: write down some notes, and set the definitive password first), but at the second login the device looked for and updated the firmware. It's such a game changer for avoiding vulnerabilities. On the other hand, this approach makes the "bootup" of a new instance without internet access really difficult. IMHO this can lead to some hiccups in specific environments (like MAC-locked ISP access: I cannot use the connection unless the MAC address of my adapter is the one allowed by the next hop).
I am not a Nebula fan, so I found it naggy to specify twice that I wanted to take the "on premises" route. At reboot with the new login, the default password had already been changed and Nebula had already been refused: why keep nagging the tech guy? If the path were Nebula, it could be chosen at step 1 or at reset.
I still find it coercive to require registration of the device to allow configuration: this forced path leads to help requests on this forum or through Zyxel representatives for moving, if necessary, the device from one account to another, Nebula or myZyxel. For the myZyxel portal... meh. For Nebula, maybe a "tech access" for the major "firm account" might be helpful: tech access can log in, add devices, create or retrieve configuration, then test it, then deliver it to the premises, without messing around with other devices/templates for the firm.
After registration, the wizards are strict. A lot. For a non-experienced tech it's quite tough to create unwise remote access to the device and the configuration, and that's really good, because leaving open doors is way, way more difficult and "tricky" to do. It's a longer job for me to allow the access that I need (L2TP, IKE/NAT-T, SSL VPN, remote admin).
So... Update done. Registration done, remote access sealed up. What's next? Objects.
Especially if you are replacing an old device (Zyxel or other firewalls, it doesn't matter), creating all needed objects as the first task will be really useful for being a fast deployer. CLI commands are really useful: you can script the creation of all the bells and whistles needed to have your "stuff" ready to kick in any other part of the device: IPSec tunnels, L2TP access, SSL VPN, services (default and custom), users. It will take, at the beginning, 30 to 40% of the time, but afterwards it will save you more than 50%. Of course: if you already know what you will need.
The only thing that will be a bit trickier is the creation of VPN gateways/IKE Phase 1, because most of that is not object-enabled.
But for:
VPN connections/IKE phase 2
SSL VPN
L2TP
security policies
routing
AP profiles
and something more
having all the "gizmos" ready to deploy will boost your setup substantially. If you're scared about "too many useless objects", don't worry: after the deployment, the test and eventual adjustments of the setup, you can still get a report about where and how many times objects are used in the configuration; in a few clicks the cleanup is done.
I did not enjoy the DHCP import from CSV that much. I can understand why it wipes the present table, but I don't agree: there should be an option or a button/command to clear the reservation list. I find the option useful but it needs refinement.
The option to check for updated firmware: I may not want an automatic upgrade, but the automatic check should be enabled by default, after the mandatory connection to a Zyxel portal account.
Hints for beginners: design your firewall "on paper". Managing firewalls can be done like a jam session, following the flow and the groove, but you need at least to know how to pluck the strings or make the reed sing. If you're a newbie or you're installing in a new kind of environment, creating something "working on paper" will save you time and headaches when solving issues. When in doubt, keep the port shut, check the log, make your brain work. ;-)
Keep some TCP/IP notes close, and keep looking at two wonderful tools/charts:
Routing Flow
Snat Flow
they will tell you all the steps packets take from inside to outside (and the other way around).
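As an added example (not code from any of the posts above or from Zyxel), the following Python script shows the two ideas raised in this thread together: scripting the bulk creation of objects via the CLI before touching the rest of the configuration, and building the address group an "allow Internet, deny internal subnets" policy needs in the absence of a built-in "External" destination (a deny rule to all RFC 1918 ranges placed above an allow-to-any rule). The object names and subnets are a constructed inventory, and the `address-object` / `service-object` / `object-group address` / `secure-policy` command forms are written from memory of the ZyWALL/USG FLEX CLI reference; treat them as assumptions and check them against the CLI reference for your firmware before pasting the output into a console session.

```python
"""Generate ZyWALL/USG FLEX CLI lines that pre-create firewall objects.

Run it, review the printed script, then paste it into the CLI (or feed it
over SSH).  Everything below is an added example: object names, subnets and
the exact command spellings are assumptions, not taken from the forum post.
"""
import ipaddress
import re

# Constructed sample inventory (hypothetical names and subnets).
SUBNETS = {
    "LAN_USERS": "192.168.10.0/24",
    "LAN_SERVERS": "192.168.20.0/24",
    "VLAN_GUEST": "172.16.5.0/24",
}
HOSTS = {"NTP_ONSITE": "192.168.20.5"}          # e.g. the on-site NTP host
SERVICES = {                                     # (protocol, port)
    "SVC_L2TP": ("udp", 1701),
    "SVC_IKE": ("udp", 500),
    "SVC_NATT": ("udp", 4500),
    "SVC_SSLVPN": ("tcp", 443),
}
# RFC 1918 private ranges: the "internal" side of an External/Internet split.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Conservative object-name policy (assumed: letters, digits, '_' and '-').
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]{0,30}$")


def check_name(name: str) -> str:
    """Reject names that would be rejected (or mangled) by the CLI."""
    if not NAME_RE.match(name):
        raise ValueError(f"bad object name: {name!r}")
    return name


def address_object(name: str, cidr: str) -> str:
    """One address-object line; a /32 is emitted as a plain host address."""
    net = ipaddress.ip_network(cidr, strict=False)   # validates the input
    if net.num_addresses == 1:
        return f"address-object {check_name(name)} {net.network_address}"
    return f"address-object {check_name(name)} {net.with_prefixlen}"


def service_object(name: str, proto: str, port: int) -> str:
    """One service-object line for a single TCP or UDP port."""
    if proto not in ("tcp", "udp") or not 0 < port < 65536:
        raise ValueError(f"bad service {name}: {proto}/{port}")
    return f"service-object {check_name(name)} {proto} eq {port}"


def address_group(name: str, members: list) -> list:
    """object-group block listing existing address objects as members."""
    lines = [f"object-group address {check_name(name)}"]
    lines += [f" address-object {check_name(m)}" for m in members]
    lines.append(" exit")
    return lines


def deny_internal_policy(from_zone: str, group: str) -> list:
    """Deny rule from a zone to the RFC1918 group; must sit ABOVE the
    allow-any rule so LAN clients reach the Internet but no other subnet.
    (secure-policy sub-command spellings are assumed; verify on the box.)"""
    return [
        "secure-policy insert 1",
        f" name DENY_{from_zone}_TO_INTERNAL",
        f" from {from_zone}",
        " to any",
        f" destinationip {group}",
        " action deny",
        " log",
        " activate",
        " exit",
    ]


def covers_internal(dst_ip: str) -> bool:
    """Would this destination match the RFC1918 group (and so be denied)?"""
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in ipaddress.ip_network(c) for c in RFC1918)


def render_script() -> list:
    """Full CLI script: objects first, then the group, then the policy."""
    lines = ["configure terminal"]
    lines += [address_object(n, c) for n, c in SUBNETS.items()]
    lines += [address_object(n, h) for n, h in HOSTS.items()]
    lines += [service_object(n, p, port) for n, (p, port) in SERVICES.items()]
    rfc_names = [f"RFC1918_{i}" for i in range(1, len(RFC1918) + 1)]
    lines += [address_object(n, c) for n, c in zip(rfc_names, RFC1918)]
    lines += address_group("RFC1918_ALL", rfc_names)
    lines += deny_internal_policy("VLAN_GUEST", "RFC1918_ALL")
    lines.append("write")                     # persist the running config
    return lines


if __name__ == "__main__":
    print("\n".join(render_script()))
```

The order matters: the generator emits address objects before the group that references them and the group before the policy that references it, because the CLI rejects a reference to an object that does not exist yet. The `covers_internal` helper is a quick sanity check of the deny rule's reach before you commit; once applied, confirm from the device log that a guest-VLAN client is denied to, say, `192.168.20.5` but still reaches public addresses.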