usg40's - vpn tunnel not working - no change in config in 12 months

we have two usg40's that allow access to internet but also have a vpn tunnel between them.  This allows our two shops a common intranet server for invoices and pricing.  As of Monday morning, both shops can still access the internet but, traffic from 192.168.2.1 subnet cannot get to 192.168.1.1.   It looks one sided.  From .1.1 I can web into .2.1 router and look at it's settings....the vpn tunnel says it is up.  From 2.1 side of the network, I cannot look into the .1.1 router.  I almost want to say that the router at .2.1 is defective but we also have a camera system there that can be accessed through the web as normal, etc.   This morning while troubleshooting I did upgrade the firmware on both routers.  It had been about a 16 months since that was last checked and performed.  How do I tell who/which one is the issue?

Accepted Solution

  • SimplyRem
    SimplyRem Posts: 3
    Answer ✓
    @zigandzag, this seems like a compromise on zyxel routers, please remove unknown user accounts and ssl vpn settings and change all password and remove the routes pointing to any and disable HTTPS access. This has happened to a couple of our customers routers. Zyxel needs to patch this ASAP!

All Replies

  • Blabababa
    Blabababa Posts: 142  Ally Member
    Turn off the https service on WAN or limit the accessible IP addresses 
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,139  Zyxel Employee
    edited June 2021

    We’re aware of the situation and have been working our best to investigate and resolve it.

    In the interim, here’s a list of currently known to be the most effective ways to mitigate the impact:”

     

    Scenario#1

    If you allow traffic from Internet to your device with WebGUI and SSL VPN tunnel, you can follow these steps to protect your device.

    1.    Add IP address object(s) to trusted addresses or trusted countries.

    (Configuration > Object > Address/GeoIP)


    2.    Allow trusted IP addresses and Deny others traffic from Internet

    (Configuration > Security Policy > Policy Control)

    #1. You can allow trusted IP addresses and WebGUI/SSL service ports from WAN side for access.

    #2. Deny other IP addresses that you do not trust to access your WebGUI.

     

    3.    Change HTTPS connection port from the default 443 to another port (without conflicting with other services) and make sure that this port is added in policy control rule #1.

    (Configuration > System > WWW)

    Change HTTPS connection port. e.g 17443


    After changing HTTPS Service port, you must reconnect to your device using the new port. If you would like to use SSL VPN tunnel to access your device, make sure that the public IP address of your PC is added in your Trusted IP List. While connecting to your device, make sure to enter the correct port in SecuExtender.



    Scenario#2

    If there is no WebGUI/SSL VPN tunnel required, you can move the default rule (WAN_to_Device) as the first rule and keep the last rule as “deny”.

    (Allowed services are for IPSec VPN/VRRP/GRE)

    Make sure there is no HTTP/HTTPS WebGUI service port in service group.


    We also suggest to change the admin password.

    In addition, you can refer to our latest document “Best Practice to Secure a Distributed Network Infrastructure” to design and secure your network.

Security Highlight