
mozerd
Light Will Pierce The Darkness
Premium,MVM
join:2004-04-23
Nepean, ON

1 recommendation

reply to JPedroT

Re: 2013 USG SHOULD ADD FUNCTIONALITY

said by JPedroT:

said by Anav:

Is this a guess JP or gleaned from conversations?

Guesstimate

1. ALL the Services must perform at close to 80% of wire speed and cost for the service needs to be reasonable -- currently not so.
2. Performance is EVERYTHING and when performance suffers beyond the 80% threshold with ALL services .... no tickie no washee!
--
David Mozer
IT-Expert on Call
Information Technology for Home and Business

AndreSt

join:2013-02-05

1 recommendation

reply to Kirby Smith
said by Kirby Smith:

As Avav implies, the point of a unified security gateway is unified security, so boosting firewall rates without boosting UTM rates is missing the point of the device.

Yes, that's correct of course. I have to admit that I don't use any of the UTM services of my USG 50.

Who will be buying this new ZyWALL USG 100-Plus? Zyxel is going to have hard times ahead. Cisco Small Business has released some interesting competition products. Their ISA570 is a quite interesting product. But does it really do what it is advertised for?

»www.cisco.com/en/US/prod/collate···997.html


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
Yes it very much looks like an emulation of zyxel offerings.


bbarrera
Premium,MVM
join:2000-10-23
Sacramento, CA
kudos:1
reply to AndreSt
said by AndreSt:

Cisco Small Business has released some interesting competition products. Their ISA570 is a quite interesting product. But does it really do what it is advertised for?

Looks interesting, it's missing some features like "ip helper" -- if it had that I would buy today.

lorennerol
Premium
join:2003-10-29
Seattle, WA
reply to AndreSt
said by AndreSt:

Cisco Small Business has released some interesting competition products.

If Cisco has proven anything in the last ten years, it's that they have ZERO ability to create and support viable products for SOHO and SMB segments. You want a $5000 router to go with your $3000 switch? Cisco all the way. You want a Flip video camera or a Linksys router? Oops.

That said, ZyXEL needs to step it up. Users don't want to pay $800 to get a router that keeps up with their $100/month 100/20 Comcast Internet service, especially to then be told it maxes out at 5 megabit over VPN connections (as I was today).

Kirby Smith

join:2001-01-26
Derry, NH
Reviews:
·Fairpoint Commun..
reply to bbarrera
I learn something new here almost everyday. A little digging reveals that ip helper == DHCP relay; first time I had seen the ip-helper term, although it seems to be popular with Cisco CLI.

bb, your network must be pretty complex if the USG's ability to do DHCP for all its LANs and VLANs isn't sufficient.

kirby


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
Does not the USG do relay, or something anyway?

JPedroT

join:2005-02-18
kudos:1
reply to bbarrera
said by bbarrera:

said by AndreSt:

Cisco Small Business has released some interesting competition products. Their ISA570 is a quite interesting product. But does it really do what it is advertised for?

Looks interesting, it's missing some features like "ip helper" -- if it had that I would buy today.

We both know that is just because they do not want to sell that product into that segment.
And maybe even avoid getting extra support when it might get used out of its comfort zone?

--
"Perl is executable line noise, Python is executable pseudo-code."

JPedroT

join:2005-02-18
kudos:1

1 recommendation

reply to Anav
When it comes to new products, except for retail stuff, you tailor the product for certain projects. And then you also release it into the rest of the channels.

Which I am betting that ZyXEL is doing with the 100-Plus, I have no inside info on this, just an educated guess.
--
"Perl is executable line noise, Python is executable pseudo-code."


Gork
Ou812ic

join:2001-10-06
Bountiful, UT
reply to JPedroT
said by JPedroT:

I thought that WoL used Broadcast? The way it was done on ZyNOS was to forward the WoL port to .255 to send it to all devices on LAN.

Broadcast from WAN to LAN to .255 did work on ZyNOS but it does not work on the USG series. We've had discussions here about it in the past, and setting up a static ARP entry in the router for specific computers to use with WoL seemed to solve the problem for a while. But even that doesn't work anymore.

JPedroT

join:2005-02-18
kudos:1

1 edit
said by Gork:

said by JPedroT:

I thought that WoL used Broadcast? The way it was done on ZyNOS was to forward the WoL port to .255 to send it to all devices on LAN.

Broadcast from WAN to LAN to .255 did work on ZyNOS but it does not work on the USG series. We've had discussions here about it in the past, and setting up a static ARP entry in the router for specific computers to use with WoL seemed to solve the problem for a while. But even that doesn't work anymore.

Problem in general is that the magic packet is magic :)
But what you want is a proxy/gw for WoL packets then.

Shouldn't be too hard to fix, since it looks like it's just a line in iptables and a static ARP entry.

»calvinsohk.blogspot.no/2011/05/i···oxy.html

sudo iptables -t nat -A PREROUTING -p udp --dport 7 -j DNAT --to-destination <UNUSED_IP>
sudo ip neigh add <UNUSED_IP> lladdr ff:ff:ff:ff:ff:ff nud permanent dev eth0

But if that was what was done before on the USG, it might be some smurf attack protection that now blocks it. See if you can disable dos protection etc on the USG.

--
"Perl is executable line noise, Python is executable pseudo-code."


mozerd
Light Will Pierce The Darkness
Premium,MVM
join:2004-04-23
Nepean, ON

1 recommendation

reply to AndreSt
said by AndreSt:

Cisco Small Business has released some interesting competition products. Their ISA570 is a quite interesting product. But does it really do what it is advertised for?

»www.cisco.com/en/US/prod/collate···997.html

I'm impressed with the ISA570 .... no question in my mind that it will be on my shopping list next and will probably knock out ZyXEL from my list of vendors.

CISCO are finally learning that VALUE PROPOSITIONS matter ... on the other hand ZyXEL seems to be going the other way.
--
David Mozer
IT-Expert on Call
Information Technology for Home and Business

JPedroT

join:2005-02-18
kudos:1
Anybody tried the new Cisco and measured what happens when all services are enabled?
--
"Perl is executable line noise, Python is executable pseudo-code."

Kirby Smith

join:2001-01-26
Derry, NH
Reviews:
·Fairpoint Commun..
A good point given that Provantage seems to only provide prices for combination service packages along with the physical unit. Most who pay for the entire lot will use the entire lot. Also, the naked unit cost is not obvious to compare with the ZyXEL price, and who knows what the renewal cost of the service packs will be. I don't think we can compare costs yet with just the info I found.

kirby


Gork
Ou812ic

join:2001-10-06
Bountiful, UT

2 edits
reply to JPedroT
said by JPedroT:

But if that was what was done before on the USG, it might be some smurf attack protection that now blocks it. See if you can disable dos protection etc on the USG.

I have a NAT entry (& firewall rule) set up to forward WoL packets to the WAN (Internet in my case) address on port 9 to the computer I want to awaken. I also have an ARP entry in the USG (using the arp command via the CLI) relating the IP address of the computer I want to awaken to its MAC address. I have verified this entry still exists in the running configuration. This seemed to work for a few months but stopped for some reason I have yet to figure out. The log in the USG indicates the WoL packet is received and passed on. The only ADP settings in the USG I have set to block packets are related to flood protection. Blocked packets are set to be logged and there is nothing in the log indicating these ADP rules were initiated.

It would just be nice if ZyXEL would offer the capability to multicast from WAN to LAN as an option to users since, whether it's "correct" or not, much cheaper routers will do this.


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:11
Reviews:
·TekSavvy DSL
·Bell Fibe

3 edits

2 recommendations

I think this thread is good for venting, but otherwise moot.
But hey, let's be a sport and vent with the crowds

It's been a while since I stopped recommending ZyXel routers for home users; instead I recommend a decent open-wrt / dd-wrt compatible router (whatever has good specs at the time). In Europe I've installed a couple of Draytek Vigor 2130s (integrated VoIP, IPSec acceleration, WiFi, IPv6 and more), which actually run Draytek's open-wrt customization, but you get full root access and can modify/fix anything you like. Too bad you can't easily get Draytek in NA.

For small-medium business routers I'm actually leaning towards open-source router distros or open-wrt on dedicated HW. And I've just looked up the mentioned Cisco ISA570 and like it very much.

For larger business there's only one answer in my mind ... business class Cisco router.

ZyXel is not listening to the customer. And the number of bug-fixes (some really serious) in each FW release amazes me ... where the heck is your QA ZyXel???

...ok, I feel better now


Gork
Ou812ic

join:2001-10-06
Bountiful, UT

1 recommendation

Been thinking along the same lines, sadly... I'm stuck with what I have for now, but someday I'll have money again. SOMEDAY...

JPedroT

join:2005-02-18
kudos:1
reply to Brano
said by Brano:

ZyXel is not listening to the customer. And the number of bug-fixes (some really serious) in each FW release amazes me ... where the heck is your QA ZyXel???

...ok, I feel better now, uf

I have a theory about what happened....
--
"Perl is executable line noise, Python is executable pseudo-code."


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
I believe I have heard that theory before..........
»www.google.ca/url?q=http://www.y···emhj1vBA

JPedroT

join:2005-02-18
kudos:1
said by Anav:

I believe I have heard that theory before..........
»www.google.ca/url?q=http://www.y···emhj1vBA

Copyright infringement?
--
"Perl is executable line noise, Python is executable pseudo-code."

JPedroT

join:2005-02-18
kudos:1
reply to Gork
said by Gork:

It would just be nice if ZyXEL would offer the capability to multicast from WAN to LAN as an option to users since, whether it's "correct" or not, much cheaper routers will do this.

I do not understand how Multicast will fix your problem here? Could you please explain?
--
"Perl is executable line noise, Python is executable pseudo-code."


Gork
Ou812ic

join:2001-10-06
Bountiful, UT
It is customary (basically necessary) to send WoL "magic packets" to x.x.x.255 which as I understand it is also known as the multicast address. The USG will not allow you to do this through different interfaces, such as WAN to LAN.

JPedroT

join:2005-02-18
kudos:1
said by Gork:

It is customary (basically necessary) to send WoL "magic packets" to x.x.x.255 which as I understand it is also known as the multicast address. The USG will not allow you to do this through different interfaces, such as WAN to LAN.

Ahhh okay, now I understand, but that is not correct. The .255 address, if your subnet is a /24 (255.255.255.0) is the broadcast address.
Which is basically how a smurf attack works, which might be the reason they do not allow it.

»en.wikipedia.org/wiki/Smurf_attack
--
"Perl is executable line noise, Python is executable pseudo-code."


Gork
Ou812ic

join:2001-10-06
Bountiful, UT
If you look at a subnet calculator (»www.subnet-calculator.com/ for instance) it shows that class C addresses 192.168.0.1/24 (subnet mask 255.255.255.0) use an IP address of 192.168.0.255 as their broadcast address.

JPedroT

join:2005-02-18
kudos:1
Yes, but x.x.x.255 = 192.168.0.255 or 172.16.16.255 or 10.0.0.255 if you use a /24.

The multicast addresses are in the range
224.0.0.0 through 239.255.255.255.

»www.iana.org/assignments/multica···sses.xml

That is for v4 and L3, now if we are talking L2 multicasting then look at this to see mapping from L2 to L3.

»technet.microsoft.com/en-us/libr···928.aspx

So I still do not understand what WoL needs Multicast for? Especially since the protocol is designed to be sent as broadcast, if I remember correctly.
--
"Perl is executable line noise, Python is executable pseudo-code."


Gork
Ou812ic

join:2001-10-06
Bountiful, UT

1 edit
I am perhaps using incorrect terms. Instead of multicast please replace whatever the correct term is to send to all addresses in a given part of a network. I think the correct term may be "broadcast packet." ?? Using 192.168.1.1/24 on my LAN I would like to be able to send a magic packet over the Internet from work by forwarding it through the router to 192.168.1.255 so that it will wake any computer connected to the 192.168.1.1/24 interface addressed by the MAC address in the magic packet. That will not work on the USG, but it used to work with ZyNOS.

JPedroT

join:2005-02-18
kudos:1
said by Gork:

I am perhaps using incorrect terms. Instead of multicast please replace whatever the correct term is to send to all addresses in a given part of a network. I think the correct term may be "broadcast packet." ?? Using 192.168.1.1/24 on my LAN I would like to be able to send a magic packet over the Internet from work by forwarding it through the router to 192.168.1.255 so that it will wake any computer addressed by the MAC address in the magic packet. That will not work on the USG, but it used to work with ZyNOS.

That is the broadcast address again.

So the question then comes down to, how to reverse what is in #2 in this link: »en.wikipedia.org/wiki/Smurf_attack

That is the question you need to pose to ZyXEL; you can do it with a Cisco, the command is "ip directed-broadcast". It allows sending packets to broadcast addresses, like you did with ZyNOS.

Now ZyNOS is an old OS, i.e. older than 1999 (well technically ZyNOS was released after/aroundish 1999, but its roots are older), so it allowed it. USG uses ZLD which is a more updated OS; by default it does not allow it.

So ping off to ZyXEL how to enable directed broadcast on ZLD devices. That should allow you to forward to the broadcast address of your subnet again.

You probably should also configure hosts that should not be awakened by WoL to not respond to directed broadcast packets.

You are walking in limbo space here, you want to do something that is basically seen as allowing an exploit on the IP stack. So the "smart" guys decided to not allow it by default.

But everybody should have the choice to shoot themselves in the foot if you ask me ;P As long as you are aware of what the implications of what you are doing, it should be ok.
--
"Perl is executable line noise, Python is executable pseudo-code."


Gork
Ou812ic

join:2001-10-06
Bountiful, UT

4 edits
Yup, now you know what I'm trying to say. That is what I'd like enabled in the router, subnet directed broadcasts. It would be an easy thing for the end user to either (as you say) disable devices from waking to the call of a magic packet if you didn't want them to, or moving devices you wanted to wake to a magic packet to a different subnet or the like. If Cisco allows it (even if not by default) then I don't see why ZyXEL shouldn't be allowing it.

Here's another page which talks about unicast vs subnet directed broadcasts, and it even mentions the DDoS "smurf attack" you referred to: »technet.microsoft.com/en-us/libr···911.aspx. It may be a silly thing to implement at this juncture due to its incompatibility with looming IPv6 though. But as I have mentioned, I am unable to get magic packets via unicast directed broadcasts to work with my setup any longer.

I don't see the harm in allowing this traffic to users who should understand the associated hazards. Were I running a business I'd be more concerned with this approach. But I run a personal network with a small personal web server and other web applications. If someone wants to spend the time infiltrating my setup, well, that's just silly. And I can easily block them anyway.

Thanks for sticking with me through my improper use of terms. I wish people could understand what I MEAN instead of only what I SAY/type.

Kirby Smith

join:2001-01-26
Derry, NH
Reviews:
·Fairpoint Commun..
How about the hard way (to quote the mariachi).

Attach one port of a minimalist computer with two Ethernet ports to the DMZ, which is blocked from everything except your work address. When some appropriately crafted message gets to this computer, it generates a WOL on its second port. This port is connected to and is part of LAN1 (or whatever LAN the sleepy computer is on).

I doubt I'm knowledgeable enough to set this up without a lot of study, but I don't see why it wouldn't work.

kirby
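Kirby's two-NIC relay above, and JPedroT's earlier point that "the magic packet is magic", sketched in Python as an added example (not code from the thread or from ZyXEL): the relay host checks that an incoming UDP datagram really is a WoL magic packet (6 bytes of 0xFF followed by the target MAC repeated 16 times), and only re-broadcasts it on the LAN side when the MAC is on an allow list, so the DMZ side never becomes a generic directed-broadcast forwarder. The addresses, port and allow list are assumptions.

```python
import socket

# WoL magic packet layout: 6 sync bytes of 0xFF, then the target MAC repeated
# 16 times (102 bytes total); an optional SecureOn password may trail it.
SYNC = b"\xff" * 6
MAC_REPEATS = 16
PAYLOAD_LEN = len(SYNC) + 6 * MAC_REPEATS


def build_magic_packet(mac: str) -> bytes:
    """Build a magic packet for a MAC written as aa:bb:cc:dd:ee:ff or aa-bb-...."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be exactly 6 bytes")
    return SYNC + raw * MAC_REPEATS


def parse_magic_packet(data: bytes):
    """Return the target MAC (lower-case, colon-separated) if data is a
    well-formed magic packet, otherwise None."""
    if len(data) < PAYLOAD_LEN or data[:6] != SYNC:
        return None
    mac = data[6:12]
    # Every one of the 16 repetitions must match the first copy.
    if data[6:PAYLOAD_LEN] != mac * MAC_REPEATS:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def relay_decision(data: bytes, allowed_macs):
    """Return the MAC to wake if the datagram should be relayed, else None."""
    mac = parse_magic_packet(data)
    if mac is None or mac not in {m.lower() for m in allowed_macs}:
        return None
    return mac


def run_relay(listen_addr: str, lan_broadcast: str, allowed_macs, port: int = 9):
    """Listen on the DMZ-facing address; re-broadcast valid, allow-listed
    magic packets to the LAN-facing subnet broadcast address."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind((listen_addr, port))
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    while True:
        data, src = rx.recvfrom(512)
        mac = relay_decision(data, allowed_macs)
        if mac is None:
            print(f"dropped {len(data)}-byte datagram from {src[0]}")
            continue
        tx.sendto(data, (lan_broadcast, port))
        print(f"relayed WoL for {mac} from {src[0]} to {lan_broadcast}:{port}")


if __name__ == "__main__":
    # Hypothetical relay-host addresses and allow list; replace with your own.
    run_relay("192.0.2.10", "192.168.1.255", ["aa:bb:cc:dd:ee:ff"])
```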


Gork
Ou812ic

join:2001-10-06
Bountiful, UT
I currently VPN to my network with my laptop, RDP to a server I try to keep running 24x7, then send a WoL packet from there. It works, but it's a pain in the rear. If I understood routing better, I might could send the packet directly from the laptop after the VPN is established. Anyway, the biggest problem is that I'm hosed if that server computer goes down. It'd be much easier to work it as I did before... Log on to BBR and send a magic packet. DONE.