NPB


ZyWALL USG 20W Setup

Hi all,

I have a new USG 20W that I need to configure to replace an existing consumer level cisco wireless router, in order to implement a VPN tunnel. Unfortunately, as tech capable as I am, I'm completely stumped at the documentation and setup!

I have a static WAN IP
I have three static LAN IP's for very simple intranet services (NAS, Printer etc)
I have a half dozen DHCP WLAN users who I want to be on the same subnet as the LAN users (for file sharing etc).

I have 3-4 users who will need to VPN into the LAN, no special routing or rules or anything, just a simple VPN tunnel to all LAN devices and services.

So far I can't even get the LAN/WLAN bridge to work. I know I'm doing something wrong, because the documentation is so fragmented, that instructions I can find for one part of the setup do not reference the other parts in any useful order.

As of now, four hours of hair pulling have gotten me nothing but a locked up web management interface that forces me to factory reset the device every time. It happens as soon as I try to set up the LAN/WLAN bridge, which I must be doing wrong.

Thanks!!!


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
Okay so please confirm - I will assume that you got your WAN IP and internet access going just fine.

Now for the rest.

A. Static LAN IPs, best to ensure they are within the subnet and outside the subnet pool.
Ex. subnet pool starts at 192.168.x.33
put server 1 at .5
server 2 at .10
server 3 at .15.

Go to configure IP/MAC Binding and add them to the list (will need MAC address).

If you would rather not and they have already been assigned an IP address by the DHCP service, you can go to the dashboard and scroll down to System Status and DHCP Table, and then click on the numbers to the right, find the server and click the Reserve box.

B. It is not clear if all WLAN users should be on the same LAN subnet. Personally I would ignore the WLAN of the USG and use my own wifi unit and simply plug that into one of the ports designated as LAN.

I am not sure there is a way to make the WLAN part of the LAN if using the WiFi on the router, but here are my suggestions.

(1) have a common storage server on the LAN. Create firewall rule for users or range of users to be able to access the storage server for common files. (one way if you want them to be able to pull or two way if both push and pull).

Assuming it's one to one access and not common storage.

(2) If you have more that do need than don't need access.
- create WLAN to LAN Rule any any allow
- create WLAN to LAN rule (wlanip or wlanip range) to any DENY
- create LAN to WLAN rule any any allow
- create Lan to WLAN rule any (to wlanip or wlanip range) DENY

(3) If you have minority that need access.
- default rules are deny both ways
- create WLAN to LAN rules for few IPs or small range
- create LAN to WLAN rules for few IPs or small range

Let's not worry about VPN until we get the above sorted.
--
Ain't nuthin but the blues! "Albert Collins".
Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"

LlamaWorks Equipment
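As an added illustration (not from the thread or from ZyXEL), here is a small Python model of the rule sets in options (2) and (3), evaluated top-down first-match, which is assumed here to be how the USG reads its firewall list; the guest range and host addresses are constructed. It shows that entering option (2) in the order listed leaves the DENY rule shadowed by the ALLOW above it, so the deny should sit above the blanket allow.

```python
"""Added illustration: a tiny first-match model of the WLAN/LAN1 zone rules
from options (2) and (3) above.  Assumption: the USG reads its firewall rule
list top-down and applies the first match, else the zone default.  All IP
ranges here are constructed for the example, not taken from the thread."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    from_zone: str
    to_zone: str
    src: str      # "any" or a CIDR such as "10.1.1.64/27"
    dst: str      # "any" or a CIDR
    action: str   # "allow" or "deny"

    def matches(self, from_zone, to_zone, src_ip, dst_ip):
        def hit(spec, ip):
            return spec == "any" or ip_address(ip) in ip_network(spec)
        return (self.from_zone == from_zone and self.to_zone == to_zone
                and hit(self.src, src_ip) and hit(self.dst, dst_ip))


def decide(rules, from_zone, to_zone, src_ip, dst_ip, default="deny"):
    """Action of the first matching rule, or the zone-pair default."""
    for r in rules:
        if r.matches(from_zone, to_zone, src_ip, dst_ip):
            return r.action
    return default


def shadowed(rules):
    """Indices of rules that can never fire: an earlier rule for the same zone
    pair already covers every source and destination they would match."""
    def covers(broad, narrow):
        if broad == "any":
            return True
        return narrow != "any" and ip_network(narrow).subnet_of(ip_network(broad))
    out = []
    for j, r in enumerate(rules):
        for e in rules[:j]:
            if ((e.from_zone, e.to_zone) == (r.from_zone, r.to_zone)
                    and covers(e.src, r.src) and covers(e.dst, r.dst)):
                out.append(j)
                break
    return out


# Option (2) typed in the order listed: blanket allow first, then the deny
# for the guests (constructed range 10.1.1.64/27).  The deny is shadowed.
OPTION2_AS_LISTED = [
    Rule("WLAN", "LAN1", "any", "any", "allow"),
    Rule("WLAN", "LAN1", "10.1.1.64/27", "any", "deny"),
]
# Same two rules with the specific deny moved above the blanket allow.
OPTION2_REORDERED = list(reversed(OPTION2_AS_LISTED))

# Option (3): leave the default at deny and open one laptop to the NAS only.
OPTION3 = [Rule("WLAN", "LAN1", "10.1.1.10/32", "192.168.1.5/32", "allow")]

if __name__ == "__main__":
    guest, nas = "10.1.1.70", "192.168.1.5"
    print("as listed:", decide(OPTION2_AS_LISTED, "WLAN", "LAN1", guest, nas),
          "shadowed:", shadowed(OPTION2_AS_LISTED))
    print("reordered:", decide(OPTION2_REORDERED, "WLAN", "LAN1", guest, nas),
          "shadowed:", shadowed(OPTION2_REORDERED))
```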


Anav
reply to NPB
Note in this example. Folks in WLAN can all access the FTP server IP address in LAN1. I could have narrowed it down to FTP service as well and only to certain times of the day.
Note I could have narrowed down any on the WLAN to a single WLAN IP or a range of WLAN IPs and similarly on the destination side.

What is not clear to me, and what I hope others can clarify is that members on the WLAN with this rule could see and pull information (Copy) from that server but could not PUSH data onto the server. I believe that would require a LAN to WLAN rule. ???????????

Note that after this rule all access follows the default of DENY any to any, all.

NPB

join:2013-06-05
San Diego, CA
reply to Anav
Thanks. Let me give you more information.

WAN setup no problem.

I'm having trouble at the moment getting the LAN and WLAN to bridge. I followed the instructions provided in this post exactly,

»Basic Config help sought: Zywall 20w

and the 20W freezes up as soon as I try to save the bridge settings every time.

LAN subnet 192.168.1.xxx DHCP
WLAN subnet 10.1.1.xxx DHCP
Bridge subnet 10.1.100.xxx DHCP

I'm sure there are more details that matter, but I'm sure the problem is that I'm not understanding something critical in the instructions provided...

NPB
reply to NPB
Okay I'm confused at your replies...I'm not sure how they apply to my needs.

My WAN works fine. My LAN works fine. My WLAN works fine. But I cannot get the WLAN to connect to the LAN.

That's problem number one, and I'm missing some very important piece of information as to how this works.

Why does the bridge need DHCP? It's just a bridge. The LAN should be issuing the DHCP addresses yes?


Anav
I will read that post and see.


Anav
reply to NPB
Okay it seems Jonatan (possibly a tech drive by LOL) provided a working solution as follows........
Hi.
I noticed that you have had some trouble with the USG 20W.
I suggest that you try the following:
(you will find a guide with pictures attached.)
---
ZyWALL USG-20W
Guideline to create a bridge between LAN and WLAN subnet.

This guideline describes how to set up ZyWALL USG-20W to bridge between LAN and WLAN, so the wireless network is on the same network as LAN1.

1. Select Network->Interface menu. Select the Bridge tab. Click Add.

2. Enable Interface. Select an Interface Name (br1) and select LAN1 as Zone.

3. Select the lan1 and wlan-1-1 interfaces as members.

4. Click the Show Advanced Settings button.

5. Type an Interface IP-address within a new subnet.

6. Set DHCP as DHCP-Server and type an IP Pool Start Address and Pool Size.

7. Set ZyWALL as First DNS Server. Click OK.

To allow traffic from the Bridge interface to the Internet, we need to create an address object and a policy route.

8. Go to Object->Address menu, and click Add.

9. Type a name for the address object. Select Interface Subnet as Address Type, and select the bridge interface.

Now we will complete the last steps by creating a policy route.

10. Go to Network->Routing menu. Select Policy Route tab, and click Add.

11. Enable Interface.

12. Set Source Address as your bridge interface. Set Service Type as Any.

13. Set Next-Hop as Trunk, and select the SYSTEM_DEFAULT_WAN_TRUNK.

14. Select Outgoing-interface as Source Network Address Translation. Click OK.

Configuration is now complete. Clients on LAN and WLAN are now on the same subnet and are able to communicate through NetBIOS. All clients are also able to connect to the Internet.
---

NPB
reply to Anav
Thanks!

I have to start from scratch again. The minute I try to set up a bridge the device freezes up completely and I have to do a factory reset. This will be the seventh time today.

NPB
reply to Anav
Sorry but that's either not a complete solution, or there is an error in my understanding. That process leaves me with a frozen device at step 7. I input those exact settings, hit apply, and the device freezes up.

NPB
reply to NPB
Never mind. Thanks for the attempt at helping.

I'm returning it. I can't waste my time with obtuse interfaces, poor technical support, and buggy software. It's already cost me a day of my life that could have been spent on something productive.


Gork
Ou812ic

join:2001-10-06
Bountiful, UT

reply to NPB
I can understand your negative descriptions, I agree. But I have exactly what you're referring to working through my 20W and it was a fairly easy setup. I don't have the "disadvantage" of having already worked with more professional routers, so that may have been why it was easier for me. (I don't have any bridges in place - my setup is simplistic in comparison to what's been described above. I also combine guest access for most WLAN users for no LAN access with specified static DHCP users with full LAN access.)


Anav
reply to NPB
Would concur that there is something missing in those instructions or the order is wrong or something......

polarisdb

join:2004-07-12
USA
reply to Anav
said by Anav:

ZyWALL USG-20W
Guideline to create a bridge between LAN and WLAN subnet.

This guideline describes how to set up ZyWALL USG-20W to bridge between LAN and WLAN, so the wireless network is on the same network as LAN1.

1. Select Network->Interface menu. Select the Bridge tab. Click Add.

2. Enable Interface. Select an Interface Name (br1) and select LAN1 as Zone.

3. Select the lan1 and wlan-1-1 interfaces as members.

4. Click the Show Advanced Settings button.

5. Type an Interface IP-address within a new subnet.

6. Set DHCP as DHCP-Server and type an IP Pool Start Address and Pool Size.

7. Set ZyWALL as First DNS Server. Click OK.

To allow traffic from the Bridge interface to the Internet, we need to create an address object and a policy route.

8. Go to Object->Address menu, and click Add.

9. Type a name for the address object. Select Interface Subnet as Address Type, and select the bridge interface.

Now we will complete the last steps by creating a policy route.

10. Go to Network->Routing menu. Select Policy Route tab, and click Add.

11. Enable Interface.

12. Set Source Address as your bridge interface. Set Service Type as Any.

13. Set Next-Hop as Trunk, and select the SYSTEM_DEFAULT_WAN_TRUNK.

14. Select Outgoing-interface as Source Network Address Translation. Click OK.

This is pretty much the procedure I used on my parents' USG20w with firmware version BDR.4. I wonder if OP got a bad unit if the GUI keeps locking up when configuring the bridge?


Anav
I suspect the bridge is hanging things up.

Polaris can you shed light on step...
When it says type an interface IP address with new subnet...

What does that mean ...... that we're creating a brand new subnet and IP structure......... such as 192.168.20.1 ???
The data to be filled in this step including subnet^^ are not clear.

I suspect it's this step that is buggering up the router.

polarisdb
said by Anav:

I suspect the bridge is hanging things up.

Polaris can you shed light on step...
When it says type an interface IP address with new subnet...

What does that mean ...... that we're creating a brand new subnet and IP structure......... such as 192.168.20.1 ???
The data to be filled in this step including subnet^^ are not clear.

I suspect it's this step that is buggering up the router.

For step #5, the Interface IP-address within a new subnet is just the IP of the USG20w you want the bridge to use, in the case of your example 192.168.20.1. With the bridge in place everything is accessible in the 192.168.20.0 network instead of segregated into 192.168.1.0 for LAN1 and 10.59.1.0 for WLAN. There is a guide with the GUI screens here, although their example uses network 192.168.100.0 for the bridge.


Anav
Thanks, I will try that on my non-working USG. I also froze up the other day playing with the bridge. I got the CLI error of death. Whenever I get that (Major Beef), I have to physically reset the router to defaults and upload a good configuration.
Another major beef is that often I get DNS issues when I reconnect the network. It's as if various PCs can get a new IP but their DNS does not reset or work. Not sure if it's just me but it's a pain in de butt. I have resorted to using the ZyWALL as my interface DNS, vice putting in others such as DynDNS or the ISP directly.

FirebirdTN

join:2012-12-13
Brighton, TN
kudos:1
WOW! He joins two days ago, and gives up after one day???

Guess I must have some serious patience. I have come across quite a few projects that have taken me MUCH longer than a day to figure out.

Not meaning to wreck the OP's thread, but I don't think he is coming back anyway.....The ZyXEL just never ceases to amaze me. Okay, so I am easily amused. I have configured MORE than my fair share of consumer grade routers, and "dabbled" in one or two "business grade" routers. I don't know what "extras" you get by purchasing some of the expensive Ciscos or Sonicwalls, but as far as I am concerned, my USG50 is the greatest thing since sliced bread. The only bad thing is I am constantly thinking to myself "I wonder if I can do x", configure it, and it has done everything I have asked. I am not doing anything too complicated, but wow, I LOVE this thing. My *BEST* computer related purchase EVER.

-Alan


Anav
My main problem is garbage in garbage out......... ie the weak link is me LOL.

jc112203

join:2013-06-07
Cortez, CO
Hey guys, I just happened to be in the same exact boat as Anav and the OP. I have been messing around with my ZyWALL USG 20W for about 3 or so months trying to figure a bunch of things out. One thing was this whole "Bridge my WLAN with my LAN" issue. Every time I tried to make a bridge I got that CLI error and I had to reset the firewall to defaults.

I had all but given up on the project until I tried again last night and got it! I now have my LAN and WLAN bridged, pinging each other and my NAS with my desktop and my smartphones and tablets. I will write down exactly how to do this and post again. I am at work ATM and I don't have time.


Anav
JC, that's fantastic. JPEGs are great too.
Important is the order in which you were successful, and by that I mean avoided the damn CLI errors LOL.

jc112203
[Screenshots: step 1, step 2, step 3, step 4]
Okay here is how I created a virtual Bridge between my LAN1 and WLAN1 subnets. POST 1 of 2

jc112203
[Screenshots: step 5, step 6, step 7, step 8]
And here are the last steps. I also want to note that once you create the bridge your computer needs to acquire a new IP address and you need to re-connect to the ZyWALL firewall using the new default gateway address 192.168.100.1, then proceed with the screenshots. I also wanted to point out I am using Firmware version 3.00(BDR.4) / 1.17 / 2013-01-18 16:53:20


Gork
My setup is a bit different; I'm only allowing a single computer on the WLAN to access the LAN. But I didn't use bridge or anything fancy. I simply assigned a static DHCP address to that computer (IP/MAC binding) and created a WLAN to LAN1 firewall rule allowing that computer to access "all". I was surprised it worked that easily, but it does.


Anav
Hi Gork, that was my initial thought: simply create WLAN to LAN firewall rules to access resources on the LAN.

(1) Did you change any other settings (ie which zone the wlan was part of for example).

(2) Could you copy and ADD through that wlan to lan1 rule. Ie two way comms push and pull data??

Note: I would think you could pull only (copy) and not post data ie if doing ftp you could download but not upload - assuming perhaps incorrectly that one would need a lan1 to WLAN rule to be able to upload.


Anav
reply to jc112203
JC, great tutorial there.
What I do not understand is how you decide which computers will get new IPs (bridge IPs). Do you set those on the PCs statically? OR
now ALL PCs on LAN1 will no longer be in LAN1 and will get DHCP from the bridged DHCP, or will this only force WLAN users onto the bridge LAN and get new IPs?

I understand the policy routing to ensure all bridged users (new IP) have access to the internet. The only subtle change would be to use a user defined trunk vice default if needed (already in place).

The other thing on the Policy route is incoming... why not state the bridge interface instead of any (except ZyWALL). It's a routing policy for all those on the bridged interface??? Source you should be able to leave as ANY.


polarisdb
said by Anav:

JC, great tutorial there.
What I do not understand is how you decide which computers will get new IPs (bridge IPs). Do you set those on the PCs statically? OR
now ALL PCs on LAN1 will no longer be in LAN1 and will get DHCP from the bridged DHCP, or will this only force WLAN users onto the bridge LAN and get new IPs?

After I set up the bridge, LAN1 & WLAN clients all got IPs from the bridged network.

jc112203
reply to Anav
said by Anav:

JC, great tutorial there.
What I do not understand is how you decide which computers will get new IPs (bridge IPs). Do you set those on the PCs statically? OR
now ALL PCs on LAN1 will no longer be in LAN1 and will get DHCP from the bridged DHCP, or will this only force WLAN users onto the bridge LAN and get new IPs?

I understand the policy routing to ensure all bridged users (new IP) have access to the internet. The only subtle change would be to use a user defined trunk vice default if needed (already in place).

The other thing on the Policy route is incoming... why not state the bridge interface instead of any (except ZyWALL). It's a routing policy for all those on the bridged interface??? Source you should be able to leave as ANY.

Thanks,
As far as LAN and WLAN having their own separate IPs I think Zywall is referring to the physical bridge of the network, not the Logical. Think this: Zywall asking where to physically look for these clients to bridge them together, not what you logically defined as LAN and WLAN (not to be confused with changing Router Port Roles on the back of your Zywall).

As far as using a User defined Trunk yes, that is fine, except Trunking isn't really covered in my example. Setting up a working Trunk is a whole nother beast, so I simply used the one created by default in the Zywall.

I didn't set my rule as "any" because this hasn't worked for me in the past. It might be because I was doing other things wrong, but I find that when I am setting up a routing policy or a network object it is better to be more specific so that your policy/object doesn't have unintended consequences (like creating an exploit by accident). I guess I am just paranoid. (I am almost done getting my associates degree in Network Security)
said by polarisdb:

said by Anav:

JC, great tutorial there.
What I do not understand is how you decide which computers will get new IPs (bridge IPs). Do you set those on the PCs statically? OR
now ALL PCs on LAN1 will no longer be in LAN1 and will get DHCP from the bridged DHCP, or will this only force WLAN users onto the bridge LAN and get new IPs?

After I set up the bridge, LAN1 & WLAN clients all got IPs from the bridged network.

Correct, all clients will now use the bridged network's IP. This shouldn't be a problem because we want traffic to be routed to each other anyway.


Gork
reply to Anav
said by Anav:

(1) Did you change any other settings (ie which zone the wlan was part of for example).

(2) Could you copy and ADD through that wlan to lan1 rule. Ie two way comms push and pull data??

1) Not that I recall... wlan-1-1 shows in the WLAN zone and my LAN shows in the LAN1 zone... And the laptop is assigned an IP address in the wlan-1-1's range of 192.* whereas LAN1 is 10.*.

2) It's been awhile since I had my laptop at home, but I can't imagine I wouldn't have used it to upload and download information from and to the LAN (where my file server is) when it was connected through the WLAN. But I don't precisely recall for sure. I do have a LAN1 to ANY (excluding ZyWALL) rule in place though. I actually tried not to pipe up with details herein because I would have liked to completely test with my laptop before posting - just to be sure. But I couldn't keep my mouth shut.

Now that you bring it up, however, it does seem that I initially set up the WLAN on the LAN1 zone to allow for the type of activity we're discussing and it worked perfectly. (I had forgotten I did this.) From memory, it was very simple with no bridges or the like necessary. I later made the changes I did (as I've described) because I really only wanted my own laptop to be able to connect to LAN1 network resources, not anyone who wants Internet access on their own device who might be visiting.