Setting up a ZyXel USG40W security appliance

Posted on 2017-06-18
Last Modified: 2017-07-06
Hi Folks:

     I am somewhat familiar with working with the Zyxel USG line of products, but have not done things like having multiple LAN segments, VLANs and setting bandwidth rules. I am setting up a ZyXEL USG40W for a client and need to accomplish the following:

Setup requirements:

1) Set up for Cable modem in bridged mode - This is DONE

2) Have separate LANs for computers and VOIP phones - Computers on LAN1 and VOIP phones on LAN2. (I have two separate unmanaged D-Link switches, one for phones and one for the computers.)

     - I have done this by setting P2 to LAN 1 and P3 to LAN 2 under "Interface > Port Role" and then under "Interface > Ethernet" setting the IP Address for LAN2 to be 192.168.2.1 as opposed to 192.168.1.1 for LAN1. I assume this is the correct way to handle this issue. (Confirmation?)


3) Create bandwidth management rules to guarantee LAN2 a minimum amount of bandwidth over the WAN (in and out) - essentially anything on LAN2 is VOIP and needs QoS.

     - Not sure how to accomplish this. Should it be done by setting the Egress and Ingress bandwidths under the "Interface > Ethernet" settings for each LAN (given that the VOIP phones and computers are on separate unmanaged switches)? Or do I still need to enable BWM and set rules?

4) Set up wireless so that devices connect on separate VLAN for purposes of possible bandwidth management - but possibly allow specific wireless users access to LAN1 for connection to the network server - i.e. mobile devices cannot connect to LAN1 but a Laptop computer could connect to network server.

     - partially accomplished. I have found a document detailing setting up Guest Wifi so that it is on a VLAN such as 192.168.40.x. I have noted that under the "default" settings for the wireless, my laptop receives an IP address on LAN2 which is NOT what I want. Presumably I would simply set up two VLANs - one for guests and one for the users , but see note above about allowing laptops to connect to LAN1 for purposes of accessing the Windows Server, but keeping mobile devices such as phones separate.

5) Create a separate GUEST wireless access for internet purposes - believe I have accomplished this - but what security rules prevent guest access to any other LAN or VLAN ... i.e. internet access only?

6) Set up VPN access to reach LAN1 for remote desktop access to individual systems using authentication from AD on the Windows Server box.

     - I have a sample for setting up a VPN, but it requires users to be entered into the ZyXel USG40W for authentication. Can I use authentication from the Windows Server 2016 using AD? Note: the Zyxel USG40 is handling DHCP, NOT the Windows Server.

Any assistance would be greatly appreciated. If possible "step by step" through the menus on the USG40W as they are extensive and easy to get lost in!

Best regards, Dave Melnyk
Question by: d_melnyk

Accepted Solution by: noci (ID: 42183734)
@1 OK
@2 OK

3) Create bandwidth management rules to guarantee LAN2 a minimum amount of bandwidth over the WAN (in and out) - essentially anything on LAN2 is VOIP and needs QoS.

    - Not sure how to accomplish this. Should it be done by setting the Egress and Ingress bandwidths under the "Interface > Ethernet" settings for each LAN (given that the VOIP phones and computers are on separate unmanaged switches)? Or do I still need to enable BWM and set rules?

Well, you can set up egress limitation; ingress is harder to control. Ingress control could be done by limiting the amount of traffic from WAN -> LAN1 + WIRELESS. It is a property of IP where you can control transmission, but only AFTER you receive data (and have processed it) do you know where it should go... so dropping is really wasted bandwidth & CPU and won't help the preferred service.


4) Set up wireless so that devices connect on separate VLAN for purposes of possible bandwidth management - but possibly allow specific wireless users access to LAN1 for connection to the network server - i.e. mobile devices cannot connect to LAN1 but a Laptop computer could connect to network server.

     - Partially accomplished. I have found a document detailing setting up Guest Wifi so that it is on a VLAN such as 192.168.40.x. I have noted that under the "default" settings for the wireless, my laptop receives an IP address on LAN2, which is NOT what I want. Presumably I would simply set up two VLANs - one for guests and one for the users, but see note above about allowing laptops to connect to LAN1 for purposes of accessing the Windows Server, but keeping mobile devices such as phones separate.

You need to set up 2 SSIDs and assign them to zones. (Also add the [V]LANs to those zones if needed.)
I have no access to a ZyWALL with WL atm. ...


5) Create a separate GUEST wireless access for internet purposes - believe I have accomplished this - but what security rules prevent guest access to any other LAN or VLAN ... i.e. internet access only?

You can set up rules in the Firewall (Policy / Security Policies, Policy Control) which only allow traffic from the GUEST ZONE -> WAN ZONE and nothing else. (Obviously you need to disallow rules that allow the opposite later in the list.)


6) Set up VPN access to reach LAN1 for remote desktop access to individual systems using authentication from AD on the Windows Server box.

     - I have a sample for setting up a VPN, but it requires users to be entered into the ZyXel USG40W for authentication. Can I use authentication from the Windows Server 2016 using AD? Note: the Zyxel USG40 is handling DHCP, NOT the Windows Server.

Easiest is to start out with L2TP; that should accomplish EVERYTHING you want in that department, including filtering based on user group, for example to allow dial-in users access to specific objects.
See: http://onesecurity.zyxel.com/img/uploads/ZyWALL_L2TP_VPN_Setup.pdf
Now they claim DO NOT change security settings...., BUT modern devices might need AES-256 + SHA1 to be able to connect,
and DES could be dropped to support that. Plain DES is considered broken anyway.
Author Closing Comment by: d_melnyk (ID: 42206402)
Thanks for the reply ... did get some input from ZyXel on the VOIP issue as well ... seems to be working; phones and systems all happy.