USG 110 - VPN - Geo ip blocking.
firerabbit
Posts: 6
in Security
Hi,
Having a VPN connection using L2TP over IPSec with a pre-shared password. Latest firmware installed.
I would very much appreciate if someone could help me with the setup of blocking access to my VPN from all other countries than my home country.
Some time ago when I loged into the USG110 I was suggested to use a wizzard to setup the geo blocking of all other countries than my home contry. I did that but it seems not to work. I have meanwhile tested it from other countries and I can login and use the VPN to connect to my home LAN.
I am not happy about that as I can see in the logfile that the VPN is under heavy attrack from countries around the world now and then. I know - none of those that try - have anything to do here as the VPN only is going to be used by my child.
Many thanks in advance.
Some time ago when I loged into the USG110 I was suggested to use a wizzard to setup the geo blocking of all other countries than my home contry. I did that but it seems not to work. I have meanwhile tested it from other countries and I can login and use the VPN to connect to my home LAN.
I am not happy about that as I can see in the logfile that the VPN is under heavy attrack from countries around the world now and then. I know - none of those that try - have anything to do here as the VPN only is going to be used by my child.
Many thanks in advance.
0
Accepted Solution
-
Hi firerabbit,
1. First, create a country address object.
(1) Go to Object > Address/Geo IP > Address.
(2) Click Add, in the pop-up window give a name for the object. Ex. US, DE, NL ...
(3) Address type select GEOGRAPHY. And region select your country.
2. Edit the default WAN to ZyWALL Security policy, change the Source Address from "any" to the country address object created in previous step.
(1) Go to Security Policy > Policy Control. Select the rule Name "WAN_to_Device" and click Edit.
(2) Change source from "any" to the country address object.
0
Master Member
All Replies
-
Hi firerabbit,
1. First, create a country address object.
(1) Go to Object > Address/Geo IP > Address.
(2) Click Add, in the pop-up window give a name for the object. Ex. US, DE, NL ...
(3) Address type select GEOGRAPHY. And region select your country.
2. Edit the default WAN to ZyWALL Security policy, change the Source Address from "any" to the country address object created in previous step.
(1) Go to Security Policy > Policy Control. Select the rule Name "WAN_to_Device" and click Edit.
(2) Change source from "any" to the country address object.
0 -
Hi zyman2008,Thank you very much for your help but unfortunately I could not get it to work.The VPN request from remote uses port 4500 on my side.Have created the address object described in step 1 - "My_country".I now have in the Policy Control:Name: WAN_to_DeviceFrom: WANTo: ZyWALLSource: My_countryDestination: anyService: Default_Allow_WAN_To_ZyWALLUser: anySchedule: noneAction: allowLog matched traffic: logI can see in the logfile that there still are category IKE traffic from outside.Any suggestions?Thanks.
0 -
Hi @firerabbit,
My USG110 4.73 works fine with the GeoIP settings.
Maybe you can using filter in Policy control page to check if any other rule allow the UDP 500, 4500 traffic to your USG.
1 -
Hi zyman2008,found another rule by using the filtering you suggested.Now it works !!Thank you so much for your time and help. Highly appreciated.
0
Categories
- All Categories
- 388 Beta Program
- 2.1K Nebula
- 116 Nebula Ideas
- 78 Nebula Status and Incidents
- 5.1K Security
- 51 USG FLEX H Series
- 247 Security Ideas
- 1.3K Switch
- 69 Switch Ideas
- 914 WirelessLAN
- 34 WLAN Ideas
- 5.9K Consumer Product
- 210 Service & License
- 330 News and Release
- 71 Security Advisories
- 21 Education Center
- 5 [Campaign] Zyxel Network Detective
- 1.9K FAQ
- 875 Nebula FAQ
- 414 Security FAQ
- 220 Switch FAQ
- 193 WirelessLAN FAQ
- 46 Consumer Product FAQ
- 137 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 72 About Community
- 61 Security Highlight
