
ur2punk

join:2002-12-01
united state

USG20W VLAN setup

Greetings.

Finally received a USG20W for home office. I've set up the four ports to be LAN1, assigned different STATIC 10.x.x.1 range addresses to LAN1, LAN2 & DMZ; WAN is DHCP.

Inactivated the default wlan-1-1 (zyxel SSID) while adding & activating wlan-1-2 (home SSID) and wlan-1-3 (guest SSID).

The wlan-1-2 and lan1 are members of LAN1 zone. wlan-1-3 and wlan-1-1 (inactive) are members of WLAN zone.

I'm having difficulties with how to set this up so that LAN1 (wlan-1-2 and the lan1 ports) is not visible nor reachable from the wlan-1-3 (guest SSID). I think I need to set up VLAN but having a little trouble. Are there any documents out there that show these exact steps? Is there anything else that needs to be modified other than VLANs, or are the firewall rules created automatically when VLANs are created?

Thank you for your help!



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5

I will never figure out what you want to do with an explanation of a solution that is convoluted.

If you can state what you want to accomplish and do not use the words, router, vlan, switch, SSID etc. In other words functionality in terms of access, control, tasks, whom etc.........
(the requirement)



superataru

join:2004-12-07
Kearny, NJ
reply to ur2punk

Why VLAN?


ur2punk

join:2002-12-01
united state

Sorry, I think I put the horse before the cart because I was playing with the device so much without luck.

Basically I want to have the following on the USG20W:

1. Gbit ports are Home;
2. SSID for Home;
3. SSID for Guest;
4. Guest don't see resources on Home (they only need to get to the Internet)



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10
Reviews:
·TekSavvy DSL
·Bell Fibe

1 edit

1 recommendation

Here's VLAN solution for inspiration »VLAN to SSID help but you don't really need to do that.

Just create two home networks, LAN1 and wlan-1-1 and put them into same zone i.e. LAN1 ... this will be HOME.
Then create wlan-1-2 and put it into separate zone (create a custom zone) GUEST ... this will be GUEST.
Create appropriate routing and firewall rules for each zone and you're done.

Alternatively you can bridge LAN1 and wlan-1-1 to have the flat HOME lan (search this forum on how to bridge wireless and lan interfaces ... been posted several times).


ur2punk

join:2002-12-01
united state
reply to superataru

Sorry, I think I put the horse before the cart because I was playing with the device so much without luck.

Basically I want to have the following on the USG20W:

1. Gbit ports are Home;
2. SSID for Home;
3. SSID for Guest;
4. Guest don't see resources on Home (they only need to get to the Internet)


ur2punk

join:2002-12-01
united state
reply to Brano

Brano,

Oops, looks like I hit the submit button twice by mistake. Anyways, thank you for the tips - I will search the forum for bridging lan-to-wlan. I have a question: so having them in different 'zones' is not enough - i.e. we need to add rules in the firewall of USG20W to keep them separate?



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10
Reviews:
·TekSavvy DSL
·Bell Fibe

said by ur2punk:

so having them in different 'zones' is not enough - i.e. we need to add rules in the firewall of USG20W to keep them separate?

It all depends on your existing firewall rules and default rule.
Under "normal" circumstances you would not need anything else, but "normal" varies from implementation to implementation. ...just review your FW rules to ensure you're safe

Some additional tips »Secure your USG - quick how-to

ur2punk

join:2002-12-01
united state

Thank you for the 'quick how-to' link - I'm learning so I need to reread it (and reread it again).

Using your input I created the WLAN-Guest zone with a sole member. Then using the default FW rules as my guide for now:

1) after WLAN WAN default rule, created WLAN-Guest WAN rule of ALLOW ANY;

2) right before the last default rule of DENY ANY ANY, created WLAN-Guest LAN1 rule of DENY ANY;

3) after WLAN ZyWALL default rule, created WLAN-Guest ZyWALL rule of ALLOW ANY.

Am I doing okay thus far?

For #3 above I couldn't mimic the 'Service' parameter that says "Default_Allow_WLAN_To_ZyWALL" as similar entry for WLAN-Guest was not in the drop down list so I instead used ANY in the Services parameter.

I think I have segregated the WLAN-Guest from the rest but my next thing is to figure out a rule so that WLAN-Guest does not get to the mgmt portal.

After that I need to jump into the abyss of enabling VPN ... scary ... but learning!


ur2punk

join:2002-12-01
united state

*update*

Found out what I was doing wrong above. Deleted the WLAN-Guest Zyxel rule so they don't get to mgmt portal. Then found out that on the WLAN-Guest WAN settings there was a DNS setting at the bottom. Once I changed the DNS setting from the default Zyxel to ISP's 1st server, it started working fine.

Also found out that there is a wizard for creating IPSec rule so trying that.


ur2punk

join:2002-12-01
united state
reply to ur2punk

*update*

Found out what I was doing wrong above. Deleted the WLAN-Guest Zyxel rule so they don't get to mgmt portal. Then found out that on the WLAN-Guest WAN settings there was a DNS setting at the bottom. Once I changed the DNS setting from the default Zyxel to ISP's 1st server, it started working fine.

Also found out that there is a wizard for creating IPSec rule so trying that.



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5

You need to delete your twin.


ur2punk

join:2002-12-01
united state

Indeed! And my stupid typos are double-posted too! I just noticed that I've been typing Zyxel when I should've typed ZyWALL - duh! I've been reading post after post - great stuff in the forums!



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10

For WLAN-Guest if you want to use ZyWall DNS proxy, you need to create WLAN-Guest to ZyWall Allow rule for DNS.

In regards to management access, you can create WLAN-Guest deny rule in WWW management access setup.


ur2punk

join:2002-12-01
united state

By trial-and-error I set the "First DNS server (optional)" entry to "from ISP" & "wan1 1st DNS server" for wlan-1-3 which is the WLAN-Guest zone. Is this the same as the ZyWall DNS proxy instructions you gave above?

For mgmt I currently have DENY rule for WLAN-Guest to ZyWALL. Rather, should I be following your instructions regarding WWW mgmt access setup (I'm guessing this is adding admin or user ACL where I select "All, WLAN-Guest, Deny")?



Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:10
Reviews:
·TekSavvy DSL
·Bell Fibe

1 edit

ISP servers are queried directly through WAN, that's why they're working when you have WLAN-Guest to ZyWall Deny all.

You can disable router admin access either way, depends on your other needs. ...if the setup is working for you then leave it.
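
An added example, not written by any poster and not ZyWALL configuration: a small first-match model of the zone rules discussed in this thread, showing which guest flows each rule table permits and why the default rule matters. The rule tables, service names, sample flows and the implicit final deny are constructed assumptions.

```python
# Added illustration: first-match zone firewall model (not ZyWALL code).
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str      # source zone or "any"
    dst: str      # destination zone or "any"
    service: str  # service name or "any"
    action: str   # "allow" or "deny"

def evaluate(rules, src, dst, service):
    """Return the action of the first rule that matches, scanning top-down."""
    for r in rules:
        if (r.src in ("any", src) and r.dst in ("any", dst)
                and r.service in ("any", service)):
            return r.action
    return "deny"  # assumption: nothing matched means the flow is dropped

# Constructed rule tables using the zone names from the thread.
FIRST_ATTEMPT = [
    Rule("WLAN-Guest", "WAN", "any", "allow"),
    Rule("WLAN-Guest", "ZyWALL", "any", "allow"),  # step 3: ANY service
    Rule("WLAN-Guest", "LAN1", "any", "deny"),
    Rule("any", "any", "any", "deny"),             # default rule
]
# The update: guest-to-ZyWALL rule deleted.
AFTER_UPDATE = [r for r in FIRST_ATTEMPT if r.dst != "ZyWALL"]
# DNS-proxy variant: allow only DNS from guests to the device itself.
DNS_PROXY = [Rule("WLAN-Guest", "ZyWALL", "DNS", "allow")] + AFTER_UPDATE
# Same as AFTER_UPDATE but with a permissive default rule.
DEFAULT_ALLOW = AFTER_UPDATE[:-1] + [Rule("any", "any", "any", "allow")]

FLOWS = {  # constructed sample flows from a guest client
    "guest->LAN1": ("WLAN-Guest", "LAN1", "HTTP"),
    "guest->mgmt": ("WLAN-Guest", "ZyWALL", "HTTPS"),
    "guest->ZyWALL DNS": ("WLAN-Guest", "ZyWALL", "DNS"),
    "guest->ISP DNS": ("WLAN-Guest", "WAN", "DNS"),
}

def audit(rules):
    """Map each sample flow to the action the rule table gives it."""
    return {name: evaluate(rules, *flow) for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for label, table in [("first attempt", FIRST_ATTEMPT),
                         ("after update", AFTER_UPDATE),
                         ("DNS proxy rule", DNS_PROXY),
                         ("default allow", DEFAULT_ALLOW)]:
        print(f"{label:15}", audit(table))
```

With a permissive default rule, the same table that looked isolated lets guests reach the management interface, which is why the existing rules and the default rule need reviewing alongside the zone assignment.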


ur2punk

join:2002-12-01
united state

1 edit

Okay, thank you. Don't fix what is not broken sounds good!

I do have another question: for simple use of USG20W where I want to protect my home office network, have the capability to VPN to my home office from outside (not site-site) to reach my network resources and the option to manage the USG20W, is using their QuickSetup sufficient? EDIT: I mean Quick Setup for the VPN portion?