Setting up a ZyXel USG40W security appliance

Posted on 2017-06-18
Last Modified: 2017-06-22
Hi Folks:

     I am somewhat familiar with working with the Zyxel USG line of products, but have not done things like having multiple LAN segments, VLANS and setting bandwidth rules. I am setting up a ZyXEL USG40W for a client and need to accomplish the following:

Setup requirements:

1) Set up for Cable modem in bridged mode - This is DONE

2) Have separate LANs for computers and VOIP phones - Computers on LAN1 and VOIP phones on LAN2 (Have two separate unmanaged switches (D-LINK), one for phones and one for the computers).

     -  I have done this by setting P2 to LAN 1 and P3 to LAN 2 under "Interface > Port Role" and then under "Interface > Ethernet" setting the IP Address for LAN2 to be 192.168.2.1 as opposed to 192.168.1.1 for LAN1. I assume this is the correct way to handle this issue. (Confirmation?)


3) Create bandwidth management rules to guarantee LAN2 a minimum amount of bandwidth over the WAN (in and out) - essentially anything on LAN2 is VOIP and needs QoS.

     - not sure how to accomplish this. Should it be done by setting the Egress and Ingress bandwidths under the "Interface > Ethernet" settings for each LAN (given that the VOIP phones and Computers are on separate unmanaged switches)? Or do I still need to enable BWM and set rules?

4) Set up wireless so that devices connect on separate VLAN for purposes of possible bandwidth management - but possibly allow specific wireless users access to LAN1 for connection to the network server - i.e. mobile devices cannot connect to LAN1 but a Laptop computer could connect to network server.

     - partially accomplished. I have found a document detailing setting up Guest Wifi so that it is on a VLAN such as 192.168.40.x. I have noted that under the "default" settings for the wireless, my laptop receives an IP address on LAN2 which is NOT what I want. Presumably I would simply set up two VLANs - one for guests and one for the users, but see note above about allowing laptops to connect to LAN1 for purposes of accessing the Windows Server, but keeping mobile devices such as phones separate.

5) create a separate GUEST wireless access for internet purposes - believe I have accomplished this - but what security rules to prevent guest access to any other LAN or VLAN ... i.e. internet access only.

6) set up VPN access to reach lan1 for remote desktop access to individual systems using authentication from AD on the windows server box.
            - I have a sample for setting up a VPN, but it requires users to be entered into the ZyXel USG40W for authentication. Can I use authentication from the Windows Server 2016 using AD? Note: the Zyxel USG40 is handling DHCP, NOT the Windows Server.

Any assistance would be greatly appreciated. If possible "step by step" through the menus on the USG40W as they are extensive and easy to get lost in!

Best regards, Dave Melnyk
Question by:d_melnyk

Expert Comment

by:noci
ID: 42183734
@1 OK
@2 OK

3) Create bandwidth management rules to guarantee LAN2 a minimum amount of bandwidth over the WAN (in and out) - essentially anything on LAN2 is VOIP and needs QoS.

    - not sure how to accomplish this. Should it be done by setting the Egress and Ingress bandwidths under the "Interface > Ethernet" settings for each LAN (given that the VOIP phones and Computers are on separate unmanaged switches)? Or do I still need to enable BWM and set rules?

Well, you can set up Egress limitation; ingress is harder to control. Ingress control could be done by limiting the amount of traffic from WAN -> LAN1 + WIRELESS. It is a property of IP that you can control transmission, but only AFTER you receive data (and have processed it) do you know where it should go... so dropping is really wasted bandwidth & CPU and won't help the preferred service.


4) Set up wireless so that devices connect on separate VLAN for purposes of possible bandwidth management - but possibly allow specific wireless users access to LAN1 for connection to the network server - i.e. mobile devices cannot connect to LAN1 but a Laptop computer could connect to network server.

     - partially accomplished. I have found a document detailing setting up Guest Wifi so that it is on a VLAN such as 192.168.40.x. I have noted that under the "default" settings for the wireless, my laptop receives an IP address on LAN2 which is NOT what I want. Presumably I would simply set up two VLANs - one for guests and one for the users, but see note above about allowing laptops to connect to LAN1 for purposes of accessing the Windows Server, but keeping mobile devices such as phones separate.

You need to set up two SSIDs and assign them to zones. (Also add the [V]LANs to those zones if needed.)
I have no access to a ZyWALL with WLAN at the moment...


5) create a separate GUEST wireless access for internet purposes - believe I have accomplished this - but what security rules to prevent guest access to any other LAN or VLAN ... i.e. internet access only.

You can set up rules in the Firewall (Policy / Security Policy, Policy Control) which only allow traffic from the GUEST ZONE -> WAN ZONE and nothing else. (Obviously you need to disallow rules that allow the opposite later in the list.)


6) set up VPN access to reach lan1 for remote desktop access to individual systems using authentication from AD on the windows server box.
            - I have a sample for setting up a VPN, but requires users to be entered into the ZyXel USG40W for authentication. Can I use authentication from the windows Server 2016 using AD? Note: the Zyxel USG40 is handling DHCP NOT the Windows Server.

Easiest is to start out with L2TP; that should accomplish EVERYTHING you want in that department, including filtering based on user group, e.g. to allow dial-in users access to specific objects.
See: http://onesecurity.zyxel.com/img/uploads/ZyWALL_L2TP_VPN_Setup.pdf
Now they claim DO NOT change security settings..., BUT modern devices might need AES-256 + SHA1 to be able to connect,
and DES could be dropped to support that. Plain DES is considered broken anyway.
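The point in the answer to (5) is that the USG's security policies are an ordered, first-match list: the "GUEST -> WAN allow" rule only isolates guests if no earlier rule already allows GUEST to reach LAN1 or LAN2. The following is an added example, written for this page and not Zyxel code or anything from the thread: a small simulator of zone-based first-match policies, with a check that the guest zone is isolated and a check for rules that are shadowed by an earlier, broader rule. The zone names, subnets (LAN1 192.168.1.0/24, LAN2 192.168.2.0/24, guest 192.168.40.0/24, anything else treated as WAN) and the two rule lists are assumptions chosen to match the setup described above.

```python
"""
Zone-based, first-match security policy simulator for a guest WLAN.

Added illustration, not code from the original post and not Zyxel's own
policy engine.  Zone names, subnets and rule lists are assumptions modelled
on the thread (LAN1, LAN2, GUEST, WAN).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed zone -> subnet mapping; any address outside these is treated as WAN.
ZONES = {
    "LAN1": ip_network("192.168.1.0/24"),
    "LAN2": ip_network("192.168.2.0/24"),
    "GUEST": ip_network("192.168.40.0/24"),
}


def zone_of(addr: str) -> str:
    """Map an IP address to its zone name, defaulting to WAN."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "WAN"


@dataclass(frozen=True)
class Rule:
    src_zone: str   # "any" matches every zone
    dst_zone: str
    action: str     # "allow" or "deny"


def evaluate(rules, src: str, dst: str, default: str = "deny") -> str:
    """Return the action of the FIRST rule whose zones match (first match wins)."""
    s, d = zone_of(src), zone_of(dst)
    for r in rules:
        if r.src_zone in ("any", s) and r.dst_zone in ("any", d):
            return r.action
    return default


# Correct ordering: the explicit GUEST deny sits above any broad allow,
# so guest hosts can only reach the WAN.
GUEST_FIRST = [
    Rule("GUEST", "WAN", "allow"),
    Rule("GUEST", "any", "deny"),
    Rule("any", "any", "allow"),   # assumed permissive rule for the other zones
]

# Same rules with the broad allow on top: it matches first, the GUEST rules
# below it are dead, and guests can reach LAN1/LAN2.
ALLOW_FIRST = [
    Rule("any", "any", "allow"),
    Rule("GUEST", "WAN", "allow"),
    Rule("GUEST", "any", "deny"),
]


def guest_is_isolated(rules) -> bool:
    """True if a guest host reaches the WAN but neither LAN1 nor LAN2."""
    guest = "192.168.40.50"                      # constructed guest client
    reaches_wan = evaluate(rules, guest, "8.8.8.8") == "allow"
    reaches_internal = any(
        evaluate(rules, guest, host) == "allow"
        for host in ("192.168.1.10", "192.168.2.10")  # constructed LAN1/LAN2 hosts
    )
    return reaches_wan and not reaches_internal


def shadowed_rules(rules):
    """Indexes of rules that can never match because an earlier rule covers them."""
    dead = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.src_zone in ("any", r.src_zone)
                    and earlier.dst_zone in ("any", r.dst_zone)):
                dead.append(i)
                break
    return dead


if __name__ == "__main__":
    print("guest-first isolated:", guest_is_isolated(GUEST_FIRST))
    print("allow-first isolated:", guest_is_isolated(ALLOW_FIRST))
    print("shadowed rules in allow-first:", shadowed_rules(ALLOW_FIRST))
```

The shadowing check is the one worth carrying over to the real policy list: any rule that reports as shadowed is one the appliance will never evaluate, which is exactly the failure mode the answer warns about when a permissive rule is left above the guest restrictions.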
