Setting up a ZyXel USG40W security appliance

Hi Folks:

I am somewhat familiar with working with the Zyxel USG line of products, but have not done things like having multiple LAN segments, VLANs and setting bandwidth rules. I am setting up a ZyXEL USG40W for a client and need to accomplish the following:

Setup requirements:

1) Set up for Cable modem in bridged mode - This is DONE

2) Have separate LANs for computers and VOIP phones - computers on LAN1 and VOIP phones on LAN2 (I have two separate unmanaged switches (D-Link), one for phones and one for the computers).

     - I have done this by setting P2 to LAN 1 and P3 to LAN 2 under "Interface > Port Role" and then under "Interface > Ethernet" setting the IP address for LAN2 to be 192.168.2.1 as opposed to 192.168.1.1 for LAN1. I assume this is the correct way to handle this issue. (Confirmation?)


3) Create bandwidth management rules to guarantee LAN2 a minimum amount of bandwidth over the WAN (in and out) - essentially anything on LAN2 is VOIP and needs QoS.

     - Not sure how to accomplish this. Should it be done by setting the Egress and Ingress bandwidths under the "Interface > Ethernet" settings for each LAN (given that the VOIP phones and computers are on separate unmanaged switches)? Or do I still need to enable BWM and set rules?

4) Set up wireless so that devices connect on separate VLAN for purposes of possible bandwidth management - but possibly allow specific wireless users access to LAN1 for connection to the network server - i.e. mobile devices cannot connect to LAN1 but a Laptop computer could connect to network server.

     - Partially accomplished. I have found a document detailing setting up Guest Wifi so that it is on a VLAN such as 192.168.40.x. I have noted that under the "default" settings for the wireless, my laptop receives an IP address on LAN2, which is NOT what I want. Presumably I would simply set up two VLANs - one for guests and one for the users, but see the note above about allowing laptops to connect to LAN1 for purposes of accessing the Windows Server, while keeping mobile devices such as phones separate.

5) Create a separate GUEST wireless access for internet purposes - I believe I have accomplished this - but what security rules prevent guest access to any other LAN or VLAN, i.e. internet access only?

6) Set up VPN access to reach LAN1 for remote desktop access to individual systems, using authentication from AD on the Windows Server box.

     - I have a sample for setting up a VPN, but it requires users to be entered into the ZyXel USG40W for authentication. Can I use authentication from the Windows Server 2016 using AD? Note: the Zyxel USG40 is handling DHCP, NOT the Windows Server.

Any assistance would be greatly appreciated. If possible "step by step" through the menus on the USG40W as they are extensive and easy to get lost in!

Best regards, Dave Melnyk
noci (Software Engineer) commented:
@1 OK
@2 OK

3) Create bandwidth management rules to guarantee LAN2 a minimum amount of bandwidth over the WAN (in and out) - essentially anything on LAN2 is VOIP and needs QoS.

    - Not sure how to accomplish this. Should it be done by setting the Egress and Ingress bandwidths under the "Interface > Ethernet" settings for each LAN (given that the VOIP phones and computers are on separate unmanaged switches)? Or do I still need to enable BWM and set rules?

Well, you can set up egress limitation; ingress is harder to control. Ingress control could be done by limiting the amount of traffic from WAN -> LAN1 + WIRELESS. It is a property of IP that you can control transmission, but only AFTER you receive data (and have processed it) do you know where it should go... so dropping is really wasted bandwidth & CPU and won't help the preferred service.


4) Set up wireless so that devices connect on a separate VLAN for purposes of possible bandwidth management - but possibly allow specific wireless users access to LAN1 for connection to the network server - i.e. mobile devices cannot connect to LAN1 but a laptop computer could connect to the network server.

     - Partially accomplished. I have found a document detailing setting up Guest Wifi so that it is on a VLAN such as 192.168.40.x. I have noted that under the "default" settings for the wireless, my laptop receives an IP address on LAN2, which is NOT what I want. Presumably I would simply set up two VLANs - one for guests and one for the users, but see the note above about allowing laptops to connect to LAN1 for purposes of accessing the Windows Server, while keeping mobile devices such as phones separate.

You need to set up 2 SSIDs and assign them to zones. (Also add the [V]LANs to those zones if needed.)
I have no access to a ZyWALL with WL atm. ...


5) Create a separate GUEST wireless access for internet purposes - I believe I have accomplished this - but what security rules prevent guest access to any other LAN or VLAN, i.e. internet access only?

You can set up rules in the Firewall (Security Policy / Policy Control) which only allow traffic from the GUEST ZONE -> WAN ZONE and nothing else. (Obviously you need to disable rules that allow the opposite later in the list.)


6) Set up VPN access to reach LAN1 for remote desktop access to individual systems, using authentication from AD on the Windows Server box.

     - I have a sample for setting up a VPN, but it requires users to be entered into the ZyXel USG40W for authentication. Can I use authentication from the Windows Server 2016 using AD? Note: the Zyxel USG40 is handling DHCP, NOT the Windows Server.

Easiest is to start out with L2TP; that should accomplish EVERYTHING you want in that department, including filtering based on user group, e.g. to allow dial-in users access to specific objects.
See: http://onesecurity.zyxel.com/img/uploads/ZyWALL_L2TP_VPN_Setup.pdf
Now they claim DO NOT change security settings..., BUT modern devices might need AES-256 + SHA1 to be able to connect,
and DES could be dropped to support that. Plain DES is considered broken anyway.
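The "guest zone reaches only the WAN zone, and nothing later in the list may undo that" point above is easiest to check with a small first-match model of a zone-based policy list. This is an added example, not code from the thread or from Zyxel; the zone names (GUEST, LAN1, LAN2, WAN) and the rule lists are constructed to mirror the setup discussed, and the evaluator assumes top-down first-match semantics.

```python
from dataclasses import dataclass
from typing import List

# Zone names are assumptions mirroring the thread's setup (guest SSID zone, LAN1, LAN2, WAN).
GUEST, LAN1, LAN2, WAN = "GUEST", "LAN1", "LAN2", "WAN"
ZONES = [GUEST, LAN1, LAN2, WAN]


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str   # "any" matches every zone
    dst_zone: str
    action: str     # "allow" or "deny"


def first_match(rules: List[Rule], src: str, dst: str, default: str = "deny") -> str:
    """Evaluate an ordered policy list top-down; the first matching rule decides."""
    for r in rules:
        if r.src_zone in ("any", src) and r.dst_zone in ("any", dst):
            return r.action
    return default


def reachable_internal_zones(rules: List[Rule], guest: str = GUEST, wan: str = WAN) -> List[str]:
    """Audit helper: internal zones a guest client could still reach under this list.
    An internet-only guest zone must return an empty list."""
    return [z for z in ZONES if z not in (guest, wan) and first_match(rules, guest, z) == "allow"]


# Constructed list in the spirit of the answer: one allow for GUEST -> WAN, then a
# catch-all deny for GUEST placed BEFORE any broader allow rules.
POLICY = [
    Rule("guest-to-internet", GUEST, WAN, "allow"),
    Rule("guest-block-rest", GUEST, "any", "deny"),
    Rule("lan1-out", LAN1, "any", "allow"),
    Rule("lan2-out", LAN2, WAN, "allow"),
]

# Same intent, but a leftover broad allow sits above the guest deny and shadows it.
MISORDERED = [
    Rule("guest-to-internet", GUEST, WAN, "allow"),
    Rule("leftover-allow-any", "any", "any", "allow"),
    Rule("guest-block-rest", GUEST, "any", "deny"),
]

if __name__ == "__main__":
    print("POLICY guest leaks:", reachable_internal_zones(POLICY))        # []
    print("MISORDERED guest leaks:", reachable_internal_zones(MISORDERED))  # ['LAN1', 'LAN2']
```

Running the audit helper against an exported rule list is a quick way to confirm that the guest SSID really is internet-only after any later edits to the policy list.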
d_melnyk (Author) commented:
Thanks for the reply ... did get some input from ZyXel on VOIP issue as well ... seems to be working phones and systems all happy.