superataru
join:2004-12-07
Kearny, NJ

superataru to ur2punk

Member

to ur2punk

Re: USG20W VLAN setup

Why VLAN?
ur2punk
join:2002-12-01
united state

ur2punk

Member

Sorry, I think I put the horse before the cart because I was playing with the device so much without luck.

Basically I want to have the following on the USG20W:

1. Gbit ports are Home;
2. SSID for Home;
3. SSID for Guest;
4. Guests don't see resources on Home (they only need to get to the Internet)

Brano
I hate Vogons
MVM
join:2002-06-25
Burlington, ON
(Software) OPNsense
Ubiquiti UniFi UAP-AC-PRO
Ubiquiti NanoBeam M5 16

1 edit

1 recommendation

Brano

MVM

Here's a VLAN solution for inspiration »VLAN to SSID help, but you don't really need to do that.

Just create two home networks, LAN1 and wlan-1-1, and put them into the same zone, i.e. LAN1 ... this will be HOME.
Then create wlan-1-2 and put it into a separate zone (create a custom zone), GUEST ... this will be GUEST.
Create appropriate routing and firewall rules for each zone and you're done.

Alternatively you can bridge LAN1 and wlan-1-1 to have a flat HOME LAN (search this forum on how to bridge wireless and LAN interfaces ... been posted several times).
ur2punk

ur2punk to Brano

Member

to Brano
Brano,

Oops, looks like I hit the submit button twice by mistake. Anyways, thank you for the tips - I will search the forum for bridging LAN-to-WLAN. I have a question: so having them in different 'zones' is not enough - i.e. we need to add rules in the firewall of the USG20W to keep them separate?

Brano
I hate Vogons
MVM
join:2002-06-25
Burlington, ON
(Software) OPNsense
Ubiquiti UniFi UAP-AC-PRO
Ubiquiti NanoBeam M5 16

Brano

MVM

said by ur2punk:

so having them in different 'zones' are not enough - i.e. we need to add rules in the firewall of USG20W to keep them separate?

It all depends on your existing firewall rules and default rule.
Under "normal" circumstances you would not need anything else, but "normal" varies from implementation to implementation. ...just review your FW rules to ensure you're safe

Some additional tips »Secure your USG - quick how-to
ur2punk
join:2002-12-01
united state

ur2punk

Member

Thank you for the 'quick how-to' link - I'm learning so I need to reread it (and reread it again).

Using your input I created the WLAN-Guest zone with a sole member. Then using the default FW rules as my guide for now:

1) after WLAN WAN default rule, created WLAN-Guest WAN rule of ALLOW ANY;

2) right before the last default rule of DENY ANY ANY, created WLAN-Guest LAN1 rule of DENY ANY;

3) after WLAN ZyWALL default rule, created WLAN-GuestZyWALL rule of ALLOW ANY.

Am I doing okay thus far?

For #3 above I couldn't mimic the 'Service' parameter that says "Default_Allow_WLAN_To_ZyWALL" as similar entry for WLAN-Guest was not in the drop down list so I instead used ANY in the Services parameter.

I think I have segregated the WLAN-Guest from the rest but my next thing is to figure out a rule so that WLAN-Guest does not get to the mgmt portal.

After that I need to jump into the abyss of enabling VPN ... scary ... but learning!
ur2punk

ur2punk

Member

*update*

Found out what I was doing wrong above. Deleted the WLAN-Guest Zyxel rule so they don't get to mgmt portal. Then found out that on the WLAN-Guest WAN settings there was a DNS setting at the bottom. Once I changed the DNS setting from the default Zyxel to ISP's 1st server, it started working fine.

Also found out that there is a wizard for creating IPSec rule so trying that.

Anav
Sarcastic Llama? Naw, Just Acerbic
Premium Member
join:2001-07-16
Dartmouth, NS

Anav

Premium Member

You need to delete your twin.
ur2punk
join:2002-12-01
united state

ur2punk

Member

Indeed! And my stupid typos are double-posted too! I just noticed that I've been typing Zyxel when I should've typed ZyWALL - duh! I've been reading posts after posts - great stuff in the forums!

Brano
I hate Vogons
MVM
join:2002-06-25
Burlington, ON

Brano

MVM

For WLAN-Guest, if you want to use the ZyWALL DNS proxy, you need to create a WLAN-Guest to ZyWALL Allow rule for DNS.

In regards to management access, you can create a WLAN-Guest deny rule in the WWW management access setup.
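The rule set ur2punk built a few posts up (guest-to-WAN allow, guest-to-LAN1 deny placed just before the final DENY ANY ANY, and a separate decision about guest-to-ZyWALL) and Brano's point that a DNS-only allow rule is needed if guests use the device's DNS proxy both come down to first-match evaluation of an ordered zone table. The Python below is an added illustration for this thread, not Zyxel code and not ZyWALL syntax: it models that evaluation, checks the isolation properties the thread is after, and flags a rule that can never fire because an earlier, broader rule shadows it. Zone names follow the thread; the service names (DNS, HTTPS, SMB) and the helper functions are constructed for the example.

```python
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Rule:
    """One row of a zone-based firewall policy (constructed model, not ZyWALL syntax)."""
    from_zone: str   # "any" matches every source zone
    to_zone: str     # "any" matches every destination zone
    service: str     # "any" or a named service such as "DNS", "HTTPS", "SMB"
    action: str      # "allow" or "deny"

    def matches(self, from_zone: str, to_zone: str, service: str) -> bool:
        return (self.from_zone in ("any", from_zone)
                and self.to_zone in ("any", to_zone)
                and self.service in ("any", service))

    def covers(self, other: "Rule") -> bool:
        """True when every flow matched by `other` is also matched by this rule."""
        return all(a == "any" or a == b for a, b in (
            (self.from_zone, other.from_zone),
            (self.to_zone, other.to_zone),
            (self.service, other.service)))


def evaluate(rules: Iterable[Rule], from_zone: str, to_zone: str, service: str) -> str:
    """First matching rule wins; with no match the implicit final rule is deny."""
    for r in rules:
        if r.matches(from_zone, to_zone, service):
            return r.action
    return "deny"


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that an earlier rule fully covers, so they can never fire."""
    return [i for i, r in enumerate(rules)
            if any(earlier.covers(r) for earlier in rules[:i])]


# Policy modelled on the thread. Zones: LAN1 (home wired), WLAN (home SSID),
# WLAN-Guest (custom zone whose only member is the guest SSID), WAN, and
# ZyWALL, which is the device itself (management portal and DNS proxy).
POLICY = [
    Rule("LAN1", "any", "any", "allow"),
    Rule("WLAN", "any", "any", "allow"),
    Rule("WLAN-Guest", "WAN", "any", "allow"),      # guests reach the Internet
    Rule("WLAN-Guest", "ZyWALL", "DNS", "allow"),   # only needed if guests use the ZyWALL DNS proxy
    Rule("WLAN-Guest", "LAN1", "any", "deny"),      # sits before the catch-all, as in the thread
    Rule("any", "any", "any", "deny"),              # explicit DENY ANY ANY
]

# Same intent, wrong order: a broad guest allow placed first shadows the LAN1 deny.
BAD_POLICY = [
    Rule("WLAN-Guest", "any", "any", "allow"),
    Rule("WLAN-Guest", "LAN1", "any", "deny"),
    Rule("any", "any", "any", "deny"),
]


def isolation_report(policy: List[Rule]) -> dict:
    """The flows a home/guest split should allow or block, decided by the policy."""
    return {
        "guest_to_internet": evaluate(policy, "WLAN-Guest", "WAN", "HTTPS"),
        "guest_to_home_lan": evaluate(policy, "WLAN-Guest", "LAN1", "SMB"),
        "guest_to_home_wlan": evaluate(policy, "WLAN-Guest", "WLAN", "SMB"),
        "guest_to_mgmt": evaluate(policy, "WLAN-Guest", "ZyWALL", "HTTPS"),
        "guest_to_dns_proxy": evaluate(policy, "WLAN-Guest", "ZyWALL", "DNS"),
        "home_to_mgmt": evaluate(policy, "LAN1", "ZyWALL", "HTTPS"),
    }


if __name__ == "__main__":
    for name, verdict in isolation_report(POLICY).items():
        print(f"{name:20s} {verdict}")
    print("shadowed rules in POLICY:", shadowed_rules(POLICY))
    print("shadowed rules in BAD_POLICY:", shadowed_rules(BAD_POLICY))
```

Two things the run shows that the thread states only in passing: guest-to-WLAN (the home SSID) is blocked without a dedicated rule because it falls through to the catch-all deny, and the guest-to-ZyWALL DNS allow is the only reason the guest zone can use the device's DNS proxy while still being denied the management portal. The shadow check is the sanity test to run after any reordering; a deny that lands below a broader allow is silently dead.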
ur2punk
join:2002-12-01
united state

ur2punk

Member

By trial-and-error I set the "First DNS server (optional)" entry to "from ISP" & "wan1 1st DNS server" for wlan-1-3, which is the WLAN-Guest zone. Is this the same as the ZyWALL DNS proxy instructions you gave above?

For mgmt I currently have DENY rule for WLAN-Guest to ZyWALL. Rather, should I be following your instructions regarding WWW mgmt access setup (I'm guessing this is adding admin or user ACL where I select "All, WLAN-Guest, Deny")?

Brano
I hate Vogons
MVM
join:2002-06-25
Burlington, ON
(Software) OPNsense
Ubiquiti UniFi UAP-AC-PRO
Ubiquiti NanoBeam M5 16

1 edit

Brano

MVM

ISP servers are queried directly through WAN, that's why they're working when you have WLAN-Guest to ZyWall Deny all.

You can disable router admin access either way, depends on your other needs. ...if the setup is working for you then leave it.
ur2punk
join:2002-12-01
united state

1 edit

ur2punk

Member

Okay, thank you. Don't fix what is not broken sounds good!

I do have another question: for simple use of USG20W where I want to protect my home office network, have the capability to VPN to my home office from outside (not site-site) to reach my network resources and the option to manage the USG20W, is using their QuickSetup sufficient? EDIT: I mean Quick Setup for the VPN portion?