valerio_vanni  Ally Member

I changed the subject, since it comes from another thread, and perhaps it was not clear that I was talking about 2FA with Google Authenticator.

>When using manual configuration, the script will be generated automatically but won't be visible in >the local GUI. And it is reachable in other ways? ssh, ftp… Or is it hidden forever?

I always use manual config, I don't remember any script appearing after config… perhaps I didn't noticed it. Now I have another, more important, question: is 2FA supposed to work on L2TP vpn? I did some test and it didn't work. The tunnel goes up, and traffic starts to flow. Even if the user doesn't go through 2FA process.

Non va neanche nella maniera più classica? Impostazione manuale (la più "manuale" che trovi)→ creazione della porta tcp/ip → scelta del driver

Aggiorna il firmware, è uscito il 5.39(ABUI.1). Dalla sede remota riesci a raggiungere l'interfaccia web della stampante? Mi pare di aver capito di sì. In che maniera stai provando a installarla?

I try to explain better. You said: >Once the VPN is configured on the firewall, you should be able to directly click "Get from Server" to >retrieve the script. Ok, I understand that with "get from server" I can retrieve the script. But what script do I retrieve? Is it a script previously uploaded on firewall?

Have you tried to set the url in "when tunnel is opened" script?

From your link: *************************************************************** Initial Access The Truesec CSIRT have primarily observed the Helldown ransomware group obtaining initial access through Zyxel firewalls. More specifically, one investigation showed that the TA would access the victim’s environment directly from…

Or, at least, LAN IP of Fritz. Even if it's likely the same, since I don't think there are other devices between Fritz and VPN100. For sure it cannot work the way is set now.

He suggests to test if the first step (forward from Fritz to VPN100) works. Looking at your screenshots, I don't understand why are you setting "Plex Synology WAN IP" as WAN IP of VPN100. When Fritz forwards port, connection that reaches VPN100 WAN has Fritz IP as source address, not WAN IP of VPN100.

I read here that H version doesn't support FQDN objects: Really? Such a basic function? Does it drop back to pre-USG (Zywall2 etc)? It seems a beta release, not a production one. From "new version of X", one expects at least functions of X. Enhancements could be delayed, not basic functions.

Could you please clarify - are you trying to modify the downloaded VPN script from server (firewall) and upload these changes back to change the server's configuration? I'm not trying anything, I config client by hand. But I'd like to understand how this thing works (let's say a day I decide to use it…) You said that…

Inside 192.168.33.x LAN you have only that host (.100)? Don't you have something other to ping?

Ok, I can "Get from server", and for sure I'll get phase1 and phase2 parameters, but if I can download a script the script need to be on the server. And how do I upload the script to server?

I am on latest firmware too. My issue was that users had "guest" type instead of "user", and on that type you cannot enable Google Authenticator options. Your menu is different because your user is admin. On admin users mine is identical to yours.