zyman2008 (Master Member)

Comments

  • Hi @Zolik, the Zyxel firewall doesn't support multiple subnets in the same IPSec rule. You need to set it up in separate VPN connection rules but with the same gateway. StrongSwan setting: conn office authby=secret left=%defaultroute leftid=xxxxx leftsubnet=10.1.4.0/24 right=xxxxx rightsubnet=10.54.0.0/22…
  • I think it's not an easy task to DIY. First, you need to know how to set up the Microsoft NPS + NPS extension to integrate with Microsoft MFA. Better to consult a certified Microsoft service company first.
  • Hi @Datamail, yes, that's my understanding. My setup on USG FLEX 50 (firmware version 5.38) is using a domain user account on Domain Authentication for MSChap. By default, AD domain user members have the privilege to add computers into the AD (Join Domain). My IKEv2 VPN with EAP-CHAPv2 authentication works without issue.
  • Hi @Datamail, no administrator privileges are required. A user with read privilege for AD is enough. By default, domain users have the AD read privilege.
  • Here is the string mapping between Windows and USG. Windows: MD596 to USG: MD5; Windows: SHA196 to USG: SHA1; Windows: SHA256128 to USG: SHA256.
  • Hi @AntonK, use PowerShell commands to change the phase 1 & phase 2 proposal. 1. Show the phase 1 & phase 2 proposal of the VPN connection: Get-VpnConnection -name "YourConnectionName" | Select-Object -ExpandProperty IPsecCustomPolicy 2. Set the phase 1 & phase 2 proposal of the VPN connection: Set-VpnConnectionIPsecConfiguration…
  • Hi @bav, the answer to the first question can be found in the Packet Flow Explorer. Go to MAINTENANCE > Packet Flow Explorer. It shows the routing priority of the Zyxel firewall. Once you set up the local/remote policy in the wizard, the route rule is set into the S2S VPN route table. The second answer: yes. You can…
  • Hi @bav, there're two types of IPSec S2S VPN: policy based and route based. The setup via the wizard is policy based, and the VPN routing depends on the local/remote subnet settings. In your case, the network address of each site is Site A: 192.168.1.0/24, Site B: 192.168.2.0/24, Site C: 192.168.3.0/24. Site A, B, C network is…
  • Hi @FelixSchneider, try disabling "Redirect HTTP to HTTPS" in the System > WWW page.
  • Hi @cmanley, if you want to control that only the LAN of FLEX 700 can route to the LAN of ATP800, then a policy route is better than a static route. You need to add a policy route on both FLEX 700 and ATP800. On FLEX 700, add a policy route: source: LAN of FLEX 700, destination: LAN of ATP800, next-hop: IP address of port 10 of ATP800. On…
  • @QuiteSmart I found the discussion here about the Samsung apps with this behavior: https://www.reddit.com/r/pihole/comments/hi1s69/is/ I didn't try the NetGuard app (donate 7.50 EUR to get pro features), so I don't know whether that's true or not, just FYI.
  • Hi @QuiteSmart, I found a Samsung mobile phone with this DNS query behavior once WiFi is switched on. There're 3 weird DNS domains queried: *google.com www.goooooooooooooooooooooooooooooooooooooooooooooooooooooooooogle.com google.com.onion. Checking VirusTotal, they look safe so far. I think the workaround is to block the DNS query…
  • Hi @NoE, if the web services need to be public to the Internet, the FLEX firewall just controls access to the web service. If there are vulnerabilities in the web application (web code) itself, that's the only potential risk, and FLEX cannot help with that. To narrow the attack surface of your web services, you need to well…
  • Hi @kawer83, it's better to post the topology, so that it's easier to give you comments on the settings based on best practice. Is it like this? VPN client — Internet — Fritzbox — USG — RDP target. First scenario: VPN client (IPSec client) → USG (IPSec VPN server) → RDP target. Second scenario: VPN client (WireGuard…