
Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4

1 recommendation

2013 USG SHOULD ADD FUNCTIONALITY

Presumably Zyxel will add some beef to the lean cuisine of Zyxel CPU prowess (let's admit they are underpowered with regard to the services they want all to pay extra for). Not content with more brawn, what more brain power can be added to the lineup? That Italian Hippie has given me pause for thought to start up a list of highly ESSENTIAL new functionality the USG should acquire (so at least the stuff they have matches the bugs they never fix).

Don't know if these are actually plausible but here goes:
(1) Ability to bridge layer 2 traffic
(2) Ability to tag packets with 802.1p at layer 2
(3) Ability to turn off permanently the update popup
(4) Allow URLs in rules vice simply IP addresses.
(5) Actually auto-update dyndns type services
(6) Ability to group Schedules for rules (like other objects damnit).
(7) Ability to ENFORCE schedule rules so that when it hits a block time the cache-tables whatever are flushed and the rules actually in place
(8) Ability to have both UDP and TCP in rules (especially so as to not have to create extra virtual server rules).
(9) Better control of DNS and specifically if only want OPEN DNS available so users cant get thru on ISP.
(10) Ability to put group service rules into Virtual Server.
(11) packet trace test tool like as in CISCO ASDM (and shhh dont tell Hellfire)

Your turn!!
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment


u475700
Premium
join:2004-02-16

The ZyWALL USG 20 phones home daily to ZyXEL supposedly to verify the status of any supplemental licensed products even when there were never any installed or currently registered. I don't know if the other models mimic this "feature" but there is no provision to disable it.

Technical Support suggested that ZyXEL wants to monitor the status of the devices for unspecified reasons but could not identify what information is actually sent. Nevertheless, I certainly don't want ZyXEL to covertly monitor my equipment especially under the pretext that this somehow benefits me!


u475700
Premium
join:2004-02-16
reply to Anav

Another issue that I want addressed is the inaccessible hard-coded addresses for DNS and NTP servers, which Brano previously cited here:
»Re: ZyWALL USG 20 Phones Home Daily to ZyXEL


Kirby Smith

join:2001-01-26
Derry, NH

1 recommendation

reply to Anav

The only additional ones I can think of at the moment are

o GUI button to flush the state/session tables faster than rebooting
o Access (under some advanced tab) to see and change all the netfilter state table timeout values that can be changed in the CLI. Presently the GUI exposes a single UDP timeout. Probably a reset button to default values or at least a listing of them nearby might help the hapless recover from misguided tweaking.
o IDS without AV (as the AV never seems to detect anything). AV may be helpful to systems running mail servers, but my ISPs pretty much remove stuff that the AV would catch.
o While the links in some menus to other related relevant menus are helpful, a table of contents tab with links to functions would be nice so when the path to a menu item has been forgotten one doesn't have to spend a lot of time digging into the menu structure to rediscover it.

Anav: In at least one menu that I have recently used, the selection is TCP/UDP/ALL. I don't remember ALL being there when I originally wrote firewall rules. Since most other common protocols don't use ports, ALL is pretty much TCP + UDP. (If they really just meant both, then it should read BOTH.)

kirby



superataru

join:2004-12-07
Kearny, NJ

1 recommendation

reply to Anav

I was thinking to ...

-) One valid device-certificate for SSL connections;
-) Remove WAN Zone constraints also in USG 50, 100 and 200;
-) "NAT-T if required" option in VPN Policy Gateway;
-) Logging: customizable SMTP port, not only SMTP 25 TCP;
-) More customizable WEB Login page for remote UserAware/SSL VPN users;
-) Allow some grouped functions (say "Activate/ Deactivate log for all firewall/AppPatr rules" or add allow/deny action for selected rows in AppPatr);
-) Reverse proxy RDP support for other Browsers, not only IE.


lorennerol
Premium
join:2003-10-29
Seattle, WA

1 recommendation

reply to Anav

1. Stop leaving HTTPS/443 open in the default WAN/ZyWALL rule. Bad, bad idea that we've already seen exploited.



superataru

join:2004-12-07
Kearny, NJ

Maybe also
ZONE WAN - Address ANY Deny
in Web management ADMIN settings


JPedroT

join:2005-02-18
kudos:1

1 recommendation

reply to Anav

Will somebody summarise and send it to ZyXEL?



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4

I would be more than willing to, but only if I can understand what each issue addresses and means; many are zing, over my head.
In addition, my desire would be to prioritize which ones should be addressed before others. I have no sense of that. Maybe once we have a long list, we can
a. put them in priority list.
b. provide brief description (for the not so simple ones)



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4
reply to Anav

Working on a spreadsheet of sorts....... ??? means I don't know what it means or its utility.

JPedroT

join:2005-02-18
kudos:1

Firewall rules with URLs? You know what that is? That's DPI!



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4

1 edit

So you're saying it's not a reasonable issue. Asking too much? Not practical?
Cisco Systems is now on their second iteration of DPI enabled routers, with their announcement of the CISCO IGR S2 router


Blueshoes

join:2010-10-02
Minneapolis, MN
reply to Anav

Addition of a better anti-virus, from this developer--- SurfRight - Hitman Pro UTM Anti-Virus.

SurfRight is looking for new vendors to add their cloud based Linux module anti-virus in the cloud.

»www.surfright.nl/en/hitmanpro/utm

Here is European-only router manufacturer Sitecom's video on this service.

»www.youtube.com/watch?v=2HGWRvMXLEY



Kirby Smith

join:2001-01-26
Derry, NH
reply to Anav

Row 5 was by someone else.

Row 6 was by someone else.

Row 24: I need to check my CLI manual at home, but I think the topic is explained in section 48. The utility of this feature is shortening the time that broken sessions tie up space in the state table (conn_track).

Row 25. Flushing the session table eliminates the list of all sessions momentarily; live existing sessions will reestablish, dead sessions will remain removed. Avoids having to wait until all sessions age out to find specific or new connections within hundreds or thousands that may be listed. Xincom 502 could do this through its GUI. I don't know what was done in its guts, though. Conceptually, it would be as if Linux (of some flavor) were happily sending and receiving information and suddenly the contents of the net filter conn_track file evaporated in one jiffy without anything else being done. Somehow the conn_track file would be more or less immediately reconstructed for the live sessions.

My insight here is very shallow.

kirby



superataru

join:2004-12-07
Kearny, NJ

2 edits
reply to Anav

Hi all.
Anav is right (I presume; it takes me 30 mins before I can have a little idea about what he's asking me ...)

-) One valid device-certificate for SSL connections;

It would be nice to have a not self-signed certificate for SSL connections. (Too expensive?)

L

-) Remove WAN Zone constraints also in USG 50, 100 and 200;

All Ethernet ports become similar. I can move and manage them, and Zones, as I prefer. Like in USG 300 or higher. No distinction required between "WAN and the rest", with the little exception for the OPT in the USG200.

M

-) "NAT-T if required" option in VPN Policy Gateway;

Device can establish, if and when, to turn from a NAT-T to a non-NAT-T IPsec Gateway policy.

H

-) Logging: customizable SMTP port, not only SMTP 25 TCP;

no more to say.

H

-) More customizable WEB Login page for remote UserAware/SSL VPN users;

Allow to add links and more text in the login page.

L

-) Allow some grouped functions (say "Activate/ Deactivate log for all firewall/AppPatr rules" or add allow/deny action for selected rows in AppPatr);

Aggregate functions. Disable/Enable logs for all firewall/APatrol rules, or selected ones. Change default rule for all or selected ones Apatrol rules. And so on.

L

-) Reverse proxy RDP support for other Browsers, not only IE.

Have RDP plugins or related for RDP connections, that could work not only with IE6 -> 9 in SSL-VPN connections.
This to allow RDP connections, without full-tunnel and also from different browsers, just with a click on the icon on the page.
Maybe Windows-free?

H



superataru

join:2004-12-07
Kearny, NJ
reply to Anav

I'd like to have OPEN DNS user authentication page.
Maybe too much for ZyXEL, without a partnership.



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4
reply to Kirby Smith

Hmm Kirby, not sure how I attributed those to you, will have to find where I sourced them. Thanks for the flushing bit.


lorennerol
Premium
join:2003-10-29
Seattle, WA

1 recommendation

reply to Anav

Bidirectional BWM/QoS for SIP that actually works. The current "Check the box and hope for the best" system is worthless, in my experience.



superataru

join:2004-12-07
Kearny, NJ
reply to Anav

me?


JPedroT

join:2005-02-18
kudos:1

1 recommendation

reply to Anav

said by Anav:

So you're saying it's not a reasonable issue. Asking too much? Not practical?
Cisco Systems is now on their second iteration of DPI enabled routers, with their announcement of the CISCO IGR S2 router

It really has nothing to do with firewall settings, since you are looking elsewhere in the packets, IMHO.

Also it needs more CPU to do and would require a bunch of RAM to do. For instance if you do *anav.com* => DROP/Allow in your rule set, you need to scan every packet for *anav.com*, or do a DNS lookup and find all IPs which resolve to *anav.com*, or a reverse lookup of DNS.

Now if you use *anav.com* as a src IP thingy for your Firewall, you'll get PWND.

If you use *anav.com* as a dst IP, then you need to make sure your LAN hosts keep updating the DNS server that the Firewall uses AND that the TTL is very low. Or just use a static IP and then no need for the URL anyway.
--
"Perl is executable line noise, Python is executable pseudo-code."
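Added example (editor's, not JPedroT's or ZyXEL's code) of the two failure modes described above. A wildcard such as *anav.com* cannot be enumerated by lookup, so the rule is installed with a concrete name; the zone data, the 300 s TTL, the address change at t=300 and the attacker-controlled PTR record are all constructed. A destination rule resolved once at install time stops matching as soon as the site's address changes, unless the firewall re-resolves when the TTL expires; a source rule keyed on reverse DNS admits anyone who controls the PTR for their own address.

```python
from fnmatch import fnmatch
from typing import Dict, List, Set, Tuple

# Constructed DNS data for the walk-through (RFC 5737 documentation addresses).
# "www.anav.com" follows JPedroT's example name; records and TTL are assumptions.
TTL = 300
ZONE: Dict[str, List[Tuple[int, str]]] = {
    # name -> [(valid_from_seconds, address), ...]; the site moves hosts at t=300
    "www.anav.com": [(0, "203.0.113.10"), (300, "203.0.113.20")],
}
# PTR records are controlled by the owner of the address space, not the firewall admin.
PTR: Dict[str, str] = {
    "203.0.113.10": "www.anav.com",
    "198.51.100.7": "cdn.anav.com",   # attacker-owned address with a self-chosen PTR
}


def resolve(name: str, now: int) -> Tuple[str, int]:
    """Forward lookup against the constructed zone as it stands at time `now`."""
    for valid_from, addr in reversed(ZONE[name]):
        if now >= valid_from:
            return addr, TTL
    raise KeyError(name)


class DstHostnameRule:
    """A DROP rule keyed on destination FQDNs, stored internally as the addresses
    those names resolved to when the rule was (last) loaded."""

    def __init__(self, names: List[str], now: int) -> None:
        self.names = names
        self.addrs: Set[str] = set()
        self.expires = 0
        self.refresh(now)

    def refresh(self, now: int) -> None:
        self.addrs = set()
        ttl_min = None
        for name in self.names:
            addr, ttl = resolve(name, now)
            self.addrs.add(addr)
            ttl_min = ttl if ttl_min is None else min(ttl_min, ttl)
        self.expires = now + (ttl_min or 0)

    def drops(self, dst: str, now: int, refresh_on_expiry: bool) -> bool:
        if refresh_on_expiry and now >= self.expires:
            self.refresh(now)
        return dst in self.addrs


def client_visit(now: int, refresh_on_expiry: bool) -> bool:
    """Is a LAN client that does its own lookup at time `now` actually dropped?"""
    rule = DstHostnameRule(["www.anav.com"], now=0)   # rule installed once at t=0
    dst, _ = resolve("www.anav.com", now)             # what the client's lookup returns
    return rule.drops(dst, now, refresh_on_expiry)


def src_allowed_by_ptr(src_ip: str, pattern: str) -> bool:
    """An ALLOW rule that trusts the reverse lookup of the source address."""
    return fnmatch(PTR.get(src_ip, ""), pattern)


if __name__ == "__main__":
    print("t=100, static rule :", client_visit(100, False))
    print("t=350, static rule :", client_visit(350, False))
    print("t=350, re-resolving:", client_visit(350, True))
    print("attacker src by PTR:", src_allowed_by_ptr("198.51.100.7", "*.anav.com"))
```

At t=100 both variants drop the traffic; at t=350 the statically resolved rule lets the new address through while the re-resolving one still drops it, and the PTR-based source rule admits the attacker's address outright.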

JPedroT

join:2005-02-18
kudos:1

1 edit

1 recommendation

reply to lorennerol

said by lorennerol:

Bidirectional BWM/QoS for SIP that actually works. The current "Check the box and hope for the best" system is worthless, in my experience.

How should it just work? In general it's hard to QoS/BWM incoming traffic from upstream, i.e. down to you, since it's the upstream node that really is the only one that can do it "right". At your point it can always only be best effort, since the SIP traffic might have been delayed/dropped before it gets to your Firewall anyway.

It should be done on the CMTS, DSLAM, OLT or Switch that you are connected to. But that only helps if the ISP's MAN actually has enough bandwidth; if not, the QoS/BWM needs to be applied to all nodes in the ISP MAN. And then we have the variables that is the Internet; the same issue in regards to bandwidth applies for each node the traffic flows through there.
--
"Perl is executable line noise, Python is executable pseudo-code."

JPedroT

join:2005-02-18
kudos:1
reply to Anav

said by Anav:

Presumably Zyxel will add some beef to the lean cuisine of Zyxel CPU prowess (let's admit they are underpowered with regard to the services they want all to pay extra for). Not content with more brawn, what more brain power can be added to the lineup? That Italian Hippie has given me pause for thought to start up a list of highly ESSENTIAL new functionality the USG should acquire (so at least the stuff they have matches the bugs they never fix).

Don't know if these are actually plausible but here goes:
(1) Ability to bridge layer 2 traffic
(2) Ability to tag packets with 802.1p at layer 2
(3) Ability to turn off permanently the update popup
(4) Allow URLs in rules vice simply IP addresses.
(5) Actually auto-update dyndns type services
(6) Ability to group Schedules for rules (like other objects damnit).
(7) Ability to ENFORCE schedule rules so that when it hits a block time the cache-tables whatever are flushed and the rules actually in place
(8) Ability to have both UDP and TCP in rules (especially so as to not have to create extra virtual server rules).
(9) Better control of DNS and specifically if only want OPEN DNS available so users cant get thru on ISP.
(10) Ability to put group service rules into Virtual Server.
(11) packet trace test tool like as in CISCO ASDM (and shhh dont tell Hellfire)

Your turn!!

Quick feedback/reply

2. You should clarify this by writing frames, since it's not packets that get 802.1p settings. (BTW doesn't the USG support DSCP -> 802.1p translation in the QoS?)
4. See other posts
--
"Perl is executable line noise, Python is executable pseudo-code."


mozerd
Light Will Pierce The Darkness
Premium,MVM
join:2004-04-23
Nepean, ON

3 edits

1 recommendation

reply to lorennerol

said by lorennerol:

Bidirectional BWM/QoS for SIP that actually works. The current "Check the box and hope for the best" system is worthless, in my experience.

When configuring BWM for VoIP I found that following the Video example provided by ZyXEL in the USG Manual titled ZYWALL USG 100_v3-00_Ed1 Page 51 was very helpful.

It's not just "Check the box and hope for the best" --- it's only step 1; "you" have to follow with additional steps to prioritize other traffic classes to be effective. I also dedicate one zone to VoIP traffic exclusively, then apply Policies that manage what all other Zones can do with their allocated bandwidth. I do not use the SIP ALG. Check out the Video example --- it's a good tutorial as a starting point.

[EDIT to correct reference] Then check the same guide, specifically Managing Traffic on page 104, section 5.1.1 titled Bandwidth Allocation Example, which discusses a 10 person office and 7 classes of traffic. I found this to be very appropriate and it works great for me in every instance I've applied it.
--
David Mozer
IT-Expert on Call
Information Technology for Home and Business

lorennerol
Premium
join:2003-10-29
Seattle, WA

said by mozerd:

said by lorennerol:

Bidirectional BWM/QoS for SIP that actually works. The current "Check the box and hope for the best" system is worthless, in my experience.

When configuring BWM for VoIP I found that following the Video example provided by ZyXEL in the USG Manual titled ZYWALL USG 100_v3-00_Ed1 Page 51 was very helpful.

It's not just "Check the box and hope for the best" --- it's only step 1; "you" have to follow with additional steps to prioritize other traffic classes to be effective. I also dedicate one zone to VoIP traffic exclusively, then apply Policies that manage what all other Zones can do with their allocated bandwidth. I do not use the SIP ALG. Check out the Video example --- it's a good tutorial as a starting point.

[EDIT to correct reference] Then check the same guide, specifically Managing Traffic on page 104, section 5.1.1 titled Bandwidth Allocation Example, which discusses a 10 person office and 7 classes of traffic. I found this to be very appropriate and it works great for me in every instance I've applied it.

I called tech support and set it up per their instructions. First on a ZyWALL 5, then on a USG 100. Spent hours over months working on it and finally threw in the towel and switched to a PRI. Tech support told me, "That's the best we can do."

My understanding is that there is a way to control downstream by delaying ACKs on incoming packets. I haven't seen it work, but others say it does.

My item #3: Add a way to permanently turn off the nag to purchase filtering services; the 'remind every 30 days' setting is typical of cheap, Linksys-grade consumer gear, not $1000 business-class routers.

Kirby Smith

join:2001-01-26
Derry, NH
reply to Anav

The CLI section for timeouts is section 40.

k


JPedroT

join:2005-02-18
kudos:1
reply to lorennerol

said by lorennerol:

My understanding is that there is a way to control downstream by delaying ACKs on incoming packets. I haven't seen it work, but others say it does.

Maybe it could have worked, IF all packets needed to be ACK'ed. Which for instance UDP doesn't, so if your pipe is filled with UDP traffic, delaying ACKs on incoming packets will have no effect whatsoever.

Once again, it's the point upstream from you that needs to do the QoS if you want it to work correctly.
--
"Perl is executable line noise, Python is executable pseudo-code."

lorennerol
Premium
join:2003-10-29
Seattle, WA
reply to mozerd

said by mozerd:

said by lorennerol:

Bidirectional BWM/QoS for SIP that actually works. The current "Check the box and hope for the best" system is worthless, in my experience.

When configuring BWM for VoIP I found that following the Video example provided by ZyXEL in the USG Manual titled ZYWALL USG 100_v3-00_Ed1 Page 51 was very helpful.

It's not just "Check the box and hope for the best" --- it's only step 1; "you" have to follow with additional steps to prioritize other traffic classes to be effective. I also dedicate one zone to VoIP traffic exclusively, then apply Policies that manage what all other Zones can do with their allocated bandwidth. I do not use the SIP ALG. Check out the Video example --- it's a good tutorial as a starting point.

[EDIT to correct reference] Then check the same guide, specifically Managing Traffic on page 104, section 5.1.1 titled Bandwidth Allocation Example, which discusses a 10 person office and 7 classes of traffic. I found this to be very appropriate and it works great for me in every instance I've applied it.

Since I'm now digging back into this, here is what the manual says right above the SIP BWM config example (Section 5.1.4), in section 5.1.3:

"The most effective way to ensure the quality of SIP calls is to go to the Configuration > BWM screen and enable BWM and select Enable Highest Bandwidth Priority for SIP Traffic. See the following section if you prefer to configure specific bandwidth management rules for SIP instead."

This seems quite clear to me. And I haven't found it to be effective at all.

Section 5.1.2 discusses setting the egress speed on WAN1 (equivalent to upstream Internet). Ingress is listed in the UI and 'for future use'.


imanon

@comcast.net
reply to Anav

(Spreadsheet, row 7) DNS Server Control, Originator U475700, Ability to have finite control over router and user access to any DNS server
...how is this an issue? I'm doing it...
Rule 1) From:LAN1, To:WAN, Source:(your internal DNS server) Destination:Any, UDP 53 = allow
Rule 2) From:LAN1, To:WAN, Source:Any Destination:Any, UDP 53 = deny
Rule 3) From:LAN1, To:WAN, Source:Any Destination:Any, UDP 5353 = deny
...result is no clients inside the LAN can reach any outside DNS server except that which is specified in the first rule.
Granted, the licensing 'checks' to ZyXEL are annoying and not appreciated, but I'm pretty sure such traffic is not simply DNS traffic to a hard-coded source, nor does it affect clients behind the firewall.

(This post, listed 4) Allow URLs in rules vice simply IP addresses.
...this can be done under Content Filter > General + Filter Profile > Custom Service, Forbidden Websites
It will do HTTP traffic inspection on any of the ports specified (default of 3128, 80, 8080) so it is not really limited to just websites but any software making an HTTP request.
It works without any additional licensing, although the pages are worded kind of strangely to suggest it does.
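Added example (editor's code, not imanon's or ZyXEL's) that walks imanon's three rules through a first-match evaluator of the kind the USG's LAN1->WAN zone rules use, with an "allow" zone-pair default when nothing matches. The addresses are constructed. Besides the rules as posted, it evaluates the same set with the deny placed above the allow (to show why order matters) and a variant using the TCP/UDP/ALL selector Kirby mentioned, because the posted rules are UDP-only and a client can still reach an outside resolver over TCP/53.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed addresses for the walk-through; not from the original post.
INTERNAL_DNS = "192.168.1.10"   # assumed: the LAN's own resolver (e.g. an AD DC)
CLIENT = "192.168.1.50"         # assumed: an ordinary LAN1 host
OUTSIDE_DNS = "8.8.8.8"         # any resolver on the WAN side


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src: str               # IP, CIDR, or "any"
    dst: str               # IP, CIDR, or "any"
    proto: str             # "tcp", "udp", or "any" (the TCP/UDP/ALL selector)
    dport: Optional[int]   # None matches every port
    action: str            # "allow" or "deny"


def _addr_matches(pattern: str, addr: str) -> bool:
    return pattern == "any" or ip_address(addr) in ip_network(pattern, strict=False)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (_addr_matches(rule.src, flow.src)
            and _addr_matches(rule.dst, flow.dst)
            and rule.proto in ("any", flow.proto)
            and rule.dport in (None, flow.dport))


def evaluate(rules: List[Rule], flow: Flow, default: str = "allow") -> Tuple[str, str]:
    """First-match evaluation, top to bottom; `default` models the zone-pair
    default action that applies when no rule matches."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action, rule.name
    return default, "zone-pair default"


# imanon's three rules, UDP only, in the order they were posted.
AS_POSTED = [
    Rule("1 allow internal resolver", INTERNAL_DNS, "any", "udp", 53, "allow"),
    Rule("2 deny other DNS", "any", "any", "udp", 53, "deny"),
    Rule("3 deny UDP 5353", "any", "any", "udp", 5353, "deny"),
]

# Same intent with the TCP/UDP/ALL selector, so DNS over TCP is covered too.
WITH_TCP = [
    Rule("1 allow internal resolver", INTERNAL_DNS, "any", "any", 53, "allow"),
    Rule("2 deny other DNS", "any", "any", "any", 53, "deny"),
    Rule("3 deny UDP 5353", "any", "any", "udp", 5353, "deny"),
]

# The posted rules with the deny moved above the allow: the resolver is cut off too.
MISORDERED = [AS_POSTED[1], AS_POSTED[0], AS_POSTED[2]]


def demo() -> dict:
    """Verdict of each rule set for a handful of constructed LAN1->WAN flows."""
    flows = {
        "resolver udp53": Flow(INTERNAL_DNS, OUTSIDE_DNS, "udp", 53),
        "client udp53": Flow(CLIENT, OUTSIDE_DNS, "udp", 53),
        "client tcp53": Flow(CLIENT, OUTSIDE_DNS, "tcp", 53),
        "client udp5353": Flow(CLIENT, "224.0.0.251", "udp", 5353),
        "client tcp443": Flow(CLIENT, OUTSIDE_DNS, "tcp", 443),
    }
    return {
        name: {"as_posted": evaluate(AS_POSTED, f)[0],
               "with_tcp": evaluate(WITH_TCP, f)[0],
               "misordered": evaluate(MISORDERED, f)[0]}
        for name, f in flows.items()
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:15s} {verdicts}")
```

The interesting rows are "client tcp53", which the posted set lets through on the zone default and only the TCP/UDP/ALL variant denies, and "resolver udp53", which the misordered set denies because the blanket deny is hit first.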



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:4

thanks imanon,
two points.

a. What is the default DNS setting by the router, and if the one you made in rule one is not available, what happens? I was under the impression that the router will go down your DNS list to find the next one that works, including down to the default. I believe the entry was aimed at stopping the default one being used by the router in lieu of any other. I believe we cannot control this.

As for the second point perhaps I was not clear: URLs in NAT and firewall rules. This is removed in an update (thanks to JP) I'm working on, because it is only possible in enterprise gear of much higher cost due to the processing power and fidelity required.
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment



imanon

@comcast.net

a. It's true that the ZyXEL USG series will pull the ISP (WAN interfaces) DNS servers by default (if obtained through DHCP or PPPoE) and use them, but you can simply change the LAN1/LAN2/DMZ interfaces to use whatever DNS server IP you specify (rather than the router itself, which forwards on to whatever it got from WAN) and then restrict these interfaces to only allow UDP port 53 to the IPs you specify. This restriction works regardless of whether the DNS server is internal to the LAN (like an Active Directory domain controller) or external (such as OpenDNS, NortonDNS, etc.). Personally, I would never let the router act as a forwarding DNS server (by handing itself out as the DNS server to clients behind the LAN1/LAN2/DMZ interfaces), but that's neither here nor there. I think that's where this "request" really comes from. Now if you put such a restriction in place, which I assure you works great, what I'm not confident about is whether the router itself (for time update and licensing checks) will disregard what DNS servers you specified in there and continue to use some built-in/secret DNS server; that remains to be sniffed out with Wireshark, and I do not have a spare USG to play with at the moment.

b. URLs in NAT. I concur that this is more of a DPI kind of thing, but such a feature is not normally found under the firewall ruleset even in those more expensive enterprise devices that offer it. What I'm pointing out is that the USG series can in fact do it (basically DPI) when configured through the Custom Service, Forbidden Websites ruleset, as what's really going on there is an inspection and rewrite of any URL passing through the device (so long as it's on one of the ports indicated). The only limitation is that any URL "found" to match can only be configured as "rewritten" to 1 location, and it can't "peek" inside of any HTTPS URLs (as it shouldn't, because those are supposed to be secured). I remembered where I found how I learned about this, it's here: »dnsredirector.com/sample/Zyxel/
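Added example (editor's code, not imanon's, ZyXEL's or dnsredirector.com's) of what a Forbidden-Websites style filter can and cannot see. It inspects client-to-server payloads only on the post's default ports 80, 8080 and 3128, extracts the requested host from either a proxy-style absolute URI or the Host header, and answers a match with a 302 to one fixed location. The blocklist, redirect target and sample requests are constructed. A TLS ClientHello on 443 is never inspected, and the same bytes arriving on an inspected port are not parseable HTTP, so an HTTPS URL passes through untouched either way.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed configuration, not taken from any USG. The ports are the post's defaults.
INSPECTED_PORTS = {80, 8080, 3128}
FORBIDDEN_SITES = {"ads.example.net", "tracker.example.org"}   # assumed blocklist
REDIRECT_TO = "http://blocked.lan/denied"                       # assumed single target


def request_host(payload: bytes) -> Optional[str]:
    """Pull the requested host out of a plaintext HTTP request: the absolute URI of a
    proxy-style request line if present, else the Host header (port stripped).
    Returns None for anything that is not parseable HTTP (TLS records, binary, junk)."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return None
    target = parts[1]
    if target.lower().startswith("http://"):
        host = urlsplit(target).hostname
        return host.lower() if host else None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip().rsplit(":", 1)[0].lower() or None
    return None


def is_forbidden(host: str) -> bool:
    """Exact match or any subdomain of a listed site."""
    return any(host == site or host.endswith("." + site) for site in FORBIDDEN_SITES)


def inspect(dport: int, payload: bytes) -> Tuple[str, str]:
    """Decide what the filter does with one client->server payload."""
    if dport not in INSPECTED_PORTS:
        return "pass", "port not inspected"
    host = request_host(payload)
    if host is None:
        return "pass", "not plaintext HTTP (e.g. TLS), URL not visible"
    if is_forbidden(host):
        return "redirect", REDIRECT_TO
    return "pass", f"host {host} permitted"


def redirect_response(location: str) -> bytes:
    """The rewrite sent back to the client in place of the real page."""
    return (f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n"
            f"Content-Length: 0\r\nConnection: close\r\n\r\n").encode("ascii")


# Constructed sample payloads.
PLAIN_GET = b"GET /banner.js HTTP/1.1\r\nHost: ads.example.net\r\nUser-Agent: x\r\n\r\n"
PROXY_GET = (b"GET http://www.tracker.example.org:8080/p.gif HTTP/1.1\r\n"
             b"Host: www.tracker.example.org\r\n\r\n")
OK_GET = b"GET / HTTP/1.1\r\nHost: intranet.lan:8080\r\n\r\n"
TLS_HELLO = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32  # ClientHello prefix

if __name__ == "__main__":
    for port, data in [(80, PLAIN_GET), (3128, PROXY_GET), (8080, OK_GET),
                       (443, TLS_HELLO), (8080, TLS_HELLO)]:
        print(port, inspect(port, data))
```

Because the decision hangs entirely on the plaintext request line and Host header, the filter is only as strong as the client's willingness to speak plain HTTP on an inspected port; it is a content filter, not a substitute for a firewall rule.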