Setting up a ZyXel USG40W security appliance
Posted on 2017-06-18
I am somewhat familiar with working with the Zyxel USG line of products, but have not done things like having multiple LAN segments, VLANs and setting bandwidth rules. I am setting up a ZyXEL USG40W for a client and need to accomplish the following:
1) Set up for Cable modem in bridged mode - This is DONE
2) Have separate LANs for computers and VOIP phones - Computers on LAN1 and VOIP phones on LAN2 (have two separate unmanaged switches (D-LINK) - one for phones and one for the computers).
- I have done this by setting P2 to LAN1 and P3 to LAN2 under "Interface > Port Role" and then under "Interface > Ethernet" setting the IP address for LAN2 to be 192.168.2.1 as opposed to 192.168.1.1 for LAN1. I assume this is the correct way to handle this issue. (Confirmation?)
3) Create bandwidth management rules to guarantee LAN2 a minimum amount of bandwidth over the WAN (in and out) - essentially anything on LAN2 is VOIP and needs QoS.
- Not sure how to accomplish this. Should it be done by setting the Egress and Ingress bandwidths under the "Interface > Ethernet" settings for each LAN (given that the VOIP phones and computers are on separate unmanaged switches)? Or do I still need to enable BWM and set rules?
4) Set up wireless so that devices connect on a separate VLAN for purposes of possible bandwidth management - but possibly allow specific wireless users access to LAN1 for connection to the network server - i.e. mobile devices cannot connect to LAN1 but a laptop computer could connect to the network server.
- Partially accomplished. I have found a document detailing setting up Guest WiFi so that it is on a VLAN such as 192.168.40.x. I have noted that under the "default" settings for the wireless, my laptop receives an IP address on LAN2, which is NOT what I want. Presumably I would simply set up two VLANs - one for guests and one for the users, but see note above about allowing laptops to connect to LAN1 for purposes of accessing the Windows Server, but keeping mobile devices such as phones separate.
5) Create a separate GUEST wireless access for internet purposes - believe I have accomplished this - but what security rules are needed to prevent guest access to any other LAN or VLAN ... i.e. internet access only.
6) Set up VPN access to reach LAN1 for remote desktop access to individual systems using authentication from AD on the Windows Server box.
- I have a sample for setting up a VPN, but it requires users to be entered into the ZyXEL USG40W for authentication. Can I use authentication from the Windows Server 2016 using AD? Note: the ZyXEL USG40W is handling DHCP, NOT the Windows Server.
Any assistance would be greatly appreciated. If possible, "step by step" through the menus on the USG40W, as they are extensive and easy to get lost in!
Best regards, Dave Melnyk