Solved

Setting up a ZyXel USG40W security appliance

Posted on 2017-06-18
71 Views
Last Modified: 2017-07-06
Hi Folks:

I am somewhat familiar with working with the Zyxel USG line of products, but have not done things like having multiple LAN segments, VLANs and setting bandwidth rules. I am setting up a ZyXEL USG40W for a client and need to accomplish the following:

Setup requirements:

1) Set up for Cable modem in bridged mode - This is DONE

2) Have separate LANs for computers and VOIP phones - computers on LAN1 and VOIP phones on LAN2. (I have two separate unmanaged D-Link switches, one for the phones and one for the computers.)

     - I have done this by setting P2 to LAN1 and P3 to LAN2 under "Interface > Port Role" and then, under "Interface > Ethernet", setting the IP address for LAN2 to be 192.168.2.1 as opposed to 192.168.1.1 for LAN1. I assume this is the correct way to handle this issue. (Confirmation?)


3) Create bandwidth management rules to guarantee LAN2 a minimum amount of bandwidth over the WAN (in and out) - essentially anything on LAN2 is VOIP and needs QoS.

     - Not sure how to accomplish this. Should it be done by setting the Egress and Ingress bandwidths under the "Interface > Ethernet" settings for each LAN (given that the VOIP phones and computers are on separate unmanaged switches)? Or do I still need to enable BWM and set rules?

4) Set up wireless so that devices connect on separate VLAN for purposes of possible bandwidth management - but possibly allow specific wireless users access to LAN1 for connection to the network server - i.e. mobile devices cannot connect to LAN1 but a Laptop computer could connect to network server.

     - Partially accomplished. I have found a document detailing setting up Guest Wifi so that it is on a VLAN such as 192.168.40.x. I have noted that under the "default" settings for the wireless, my laptop receives an IP address on LAN2, which is NOT what I want. Presumably I would simply set up two VLANs - one for guests and one for the users - but see the note above about allowing laptops to connect to LAN1 for purposes of accessing the Windows Server, while keeping mobile devices such as phones separate.

5) Create a separate GUEST wireless access for internet purposes - I believe I have accomplished this - but what security rules prevent guest access to any other LAN or VLAN, i.e. internet access only?

6) Set up VPN access to reach LAN1 for remote desktop access to individual systems, using authentication from AD on the Windows Server box.

     - I have a sample for setting up a VPN, but it requires users to be entered into the ZyXel USG40W for authentication. Can I use authentication from the Windows Server 2016 using AD? Note: the Zyxel USG40 is handling DHCP, NOT the Windows Server.

Any assistance would be greatly appreciated. If possible "step by step" through the menus on the USG40W as they are extensive and easy to get lost in!

Best regards, Dave Melnyk
Question by: d_melnyk
2 Comments
 
LVL 40

Accepted Solution

by: noci (earned 2000 total points)
ID: 42183734
@1 OK
@2 OK

3) Create bandwidth management rules to guarantee LAN2 a minimum amount of bandwidth over the WAN (in and out) - essentially anything on LAN2 is VOIP and needs QoS.

    - Not sure how to accomplish this. Should it be done by setting the Egress and Ingress bandwidths under the "Interface > Ethernet" settings for each LAN (given that the VOIP phones and computers are on separate unmanaged switches)? Or do I still need to enable BWM and set rules?

Well, you can set up egress limitation; ingress is harder to control. Ingress control could be done by limiting the amount of traffic from WAN -> LAN1 + WIRELESS. It is a property of IP that you can control transmission, but only AFTER you receive data (and have processed it) do you know where it should go... so dropping is really wasted bandwidth & CPU and won't help the preferred service.


4) Set up wireless so that devices connect on separate VLAN for purposes of possible bandwidth management - but possibly allow specific wireless users access to LAN1 for connection to the network server - i.e. mobile devices cannot connect to LAN1 but a Laptop computer could connect to network server.

     - Partially accomplished. I have found a document detailing setting up Guest Wifi so that it is on a VLAN such as 192.168.40.x. I have noted that under the "default" settings for the wireless, my laptop receives an IP address on LAN2, which is NOT what I want. Presumably I would simply set up two VLANs - one for guests and one for the users - but see the note above about allowing laptops to connect to LAN1 for purposes of accessing the Windows Server, while keeping mobile devices such as phones separate.

You need to set up 2 SSIDs and assign them to zones. (Also add the [V]LANs to those zones if needed.)
I have no access to a ZyWALL with WL atm. ...


5) Create a separate GUEST wireless access for internet purposes - I believe I have accomplished this - but what security rules prevent guest access to any other LAN or VLAN, i.e. internet access only?

You can set up rules in the Firewall (Policy / Security Policies, Policy Control) which only allow traffic from the GUEST ZONE -> WAN ZONE and nothing else. (Obviously you need to disallow rules that allow the opposite later in the list.)


6) Set up VPN access to reach LAN1 for remote desktop access to individual systems, using authentication from AD on the Windows Server box.

     - I have a sample for setting up a VPN, but it requires users to be entered into the ZyXel USG40W for authentication. Can I use authentication from the Windows Server 2016 using AD? Note: the Zyxel USG40 is handling DHCP, NOT the Windows Server.

Easiest is to start out with L2TP; that should accomplish EVERYTHING you want in that department, including filtering based on user group, e.g. to allow dial-in users access to specific objects.
See: http://onesecurity.zyxel.com/img/uploads/ZyWALL_L2TP_VPN_Setup.pdf
Now they claim DO NOT change security settings..., BUT modern devices might need AES-256 + SHA1 to be able to connect,
and DES could be dropped to support that. Plain DES is considered broken anyway.
0
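The ordering point in the answer to item 5 (an allow GUEST -> WAN rule only helps if no later, broader rule lets guest traffic through) is easy to get wrong in a long policy list. The following is an added example, not the appliance's own code or anything from the thread: a small first-match zone-policy model in Python that classifies addresses into zones, walks an ordered rule list the way a zone-based firewall does, and audits which zones a guest host can reach. The zone subnets (192.168.1.0/24 for LAN1, 192.168.2.0/24 for LAN2, 192.168.40.0/24 for the guest VLAN) are assumed from the addresses mentioned in the question; the sample hosts and rule names are constructed.

```python
"""First-match zone policy model (added example; constructed zones, hosts and rule names)."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str   # "any" matches every source zone
    to_zone: str     # "any" matches every destination zone
    action: str      # "allow" or "deny"


# Assumed zone subnets, taken from the addresses discussed in the thread.
ZONES = {
    "LAN1": ip_network("192.168.1.0/24"),
    "LAN2": ip_network("192.168.2.0/24"),
    "GUEST": ip_network("192.168.40.0/24"),
}

# One constructed representative host per zone, used by the audit below.
SAMPLE_HOSTS = {
    "LAN1": "192.168.1.10",
    "LAN2": "192.168.2.10",
    "GUEST": "192.168.40.7",
    "WAN": "203.0.113.10",   # documentation range standing in for "the Internet"
}


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside the local subnets is treated as WAN."""
    ip = ip_address(addr)
    for zone, net in ZONES.items():
        if ip in net:
            return zone
    return "WAN"


def evaluate(rules: list[Rule], src: str, dst: str) -> tuple[str, Optional[str]]:
    """Walk the list top-down; the first rule whose zones match decides.

    Returns (action, rule name). If nothing matches, the implicit default at the
    end of the list is deny, which is how the audit treats unmatched traffic.
    """
    sz, dz = zone_of(src), zone_of(dst)
    for r in rules:
        if r.from_zone in ("any", sz) and r.to_zone in ("any", dz):
            return r.action, r.name
    return "deny", None


def reachable_from(rules: list[Rule], src_zone: str) -> set[str]:
    """Audit helper: the set of zones a representative host in src_zone may reach."""
    src = SAMPLE_HOSTS[src_zone]
    return {dz for dz, dst in SAMPLE_HOSTS.items() if evaluate(rules, src, dst)[0] == "allow"}


# A policy that looks right at the top but leaks: the permissive catch-all lower
# down matches GUEST -> LAN1 because nothing above it denies that pair.
LEAKY_POLICY = [
    Rule("guest-to-internet", "GUEST", "WAN", "allow"),
    Rule("catch-all", "any", "any", "allow"),
]

# The fix the answer describes: after the single GUEST -> WAN allow, deny GUEST to
# everything else *before* any broader allow rule can match.
TIGHT_POLICY = [
    Rule("guest-to-internet", "GUEST", "WAN", "allow"),
    Rule("guest-block", "GUEST", "any", "deny"),
    Rule("catch-all", "any", "any", "allow"),
]

# The same rules in the wrong order: the deny now shadows the allow, so guests get nothing.
BLOCK_FIRST_POLICY = [TIGHT_POLICY[1], TIGHT_POLICY[0], TIGHT_POLICY[2]]


if __name__ == "__main__":
    for label, policy in (("leaky", LEAKY_POLICY), ("tight", TIGHT_POLICY), ("block-first", BLOCK_FIRST_POLICY)):
        print(f"{label:12s} GUEST can reach: {sorted(reachable_from(policy, 'GUEST'))}")
```

Running the script shows the leaky list letting the guest host into LAN1 and LAN2 through the catch-all, the tight list limiting it to WAN while LAN1 keeps full access, and the block-first list cutting guests off entirely; the same reachability audit, run against a policy export, is a cheap regression check after any rule change.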
 

Author Closing Comment

by: d_melnyk
ID: 42206402
Thanks for the reply ... did get some input from ZyXel on the VOIP issue as well ... seems to be working; phones and systems all happy.
