jc112203
join:2013-06-07
Cortez, CO

jc112203 to Anav

Member

to Anav

Re: ZyWALL USG 20W Setup

[Screenshots: step 1, step 2, step 3, step 4]
Okay here is how I created a virtual Bridge between my LAN1 and WLAN1 subnets. POST 1 of 2
jc112203

jc112203

Member

[Screenshots: step 5, step 6, step 7, step 8]
And here are the last steps. I also want to note that once you create the bridge, your computer needs to acquire a new IP address and you need to re-connect to the Zywall Firewall using the new default gateway address 192.168.100.1, then proceed with the screenshots. I also wanted to point out I am using Firmware version 3.00(BDR.4) / 1.17 / 2013-01-18 16:53:20

Gork
Ou812ic
join:2001-10-06
Bountiful, UT

Gork

Member

My setup is a bit different; I'm only allowing a single computer on the WLAN to access the LAN. But I didn't use bridge or anything fancy. I simply assigned a static DHCP address to that computer (IP/MAC binding) and created a WLAN to LAN1 firewall rule allowing that computer to access "all". I was surprised it worked that easily, but it does.

Anav
Sarcastic Llama? Naw, Just Acerbic
Premium Member
join:2001-07-16
Dartmouth, NS

Anav

Premium Member

Hi Gork, that was my initial thought: simply create WLAN to LAN firewall rules to access resources on the LAN.

(1) Did you change any other settings (i.e. which zone the WLAN was part of, for example)?

(2) Could you copy and ADD through that WLAN to LAN1 rule, i.e. two-way comms, push and pull data?

Note: I would think you could pull only (copy) and not post data, i.e. if doing FTP you could download but not upload - assuming perhaps incorrectly that one would need a LAN1 to WLAN rule to be able to upload.
Anav

Anav to jc112203

Premium Member

to jc112203
JC, great tutorial there.
What I do not understand is how you decide which computers will get new IP (bridge IPs). Do you set those on the PCs statically? OR
now ALL PCs on LAN1 will no longer be in LAN1 and will get DHCP from the bridged DHCP, or will this only force WLAN users onto the bridge LAN and get new IPs?

I understand the policy routing to ensure all bridged users (new IP) have access to the internet. The only subtle change would be to use a user defined trunk vice default if needed (already in place).

The other thing on the Policy route is incoming... why not state the bridge interface instead of any (except zywall)? It's a routing policy for all those on the bridged interface? Source you should be able to leave as ANY.
polarisdb
join:2004-07-12
USA

polarisdb

Member

said by Anav:

JC, great tutorial there.
What I do not understand is how you decide which computers will get new IP (bridge IPs). Do you set those on the PCs statically? OR
now ALL PCs on LAN1 will no longer be in LAN1 and will get DHCP from the bridged DHCP, or will this only force WLAN users onto the bridge LAN and get new IPs?

After I set up the bridge, LAN1 & WLAN clients all got IPs from the bridged network.
jc112203
join:2013-06-07
Cortez, CO

jc112203 to Anav

Member

to Anav
said by Anav:

JC, great tutorial there.
What I do not understand is how you decide which computers will get new IP (bridge IPs). Do you set those on the PCs statically? OR
now ALL PCs on LAN1 will no longer be in LAN1 and will get DHCP from the bridged DHCP, or will this only force WLAN users onto the bridge LAN and get new IPs?

I understand the policy routing to ensure all bridged users (new IP) have access to the internet. The only subtle change would be to use a user defined trunk vice default if needed (already in place).

The other thing on the Policy route is incoming... why not state the bridge interface instead of any (except zywall)? It's a routing policy for all those on the bridged interface? Source you should be able to leave as ANY.

Thanks,
As far as LAN and WLAN having their own separate IPs I think Zywall is referring to the physical bridge of the network, not the Logical. Think this: Zywall asking where to physically look for these clients to bridge them together, not what you logically defined as LAN and WLAN (not to be confused with changing Router Port Roles on the back of your Zywall).

As far as using a User defined Trunk yes, that is fine, except Trunking isn't really covered in my example. Setting up a working Trunk is a whole nother beast, so I simply used the one created by default in the Zywall.

I didn't set my rule as "any" because this hasn't worked for me in the past. It might be because I was doing other things wrong, but I find that when I am setting up a routing policy or a network object it is better to be more specific so that your policy/object doesn't have unintended consequences (like creating an exploit by accident). I guess I am just paranoid. (I am almost done getting my associates degree in Network Security)
said by polarisdb:

said by Anav:

JC, great tutorial there.
What I do not understand is how you decide which computers will get new IP (bridge IPs). Do you set those on the PCs statically? OR
now ALL PCs on LAN1 will no longer be in LAN1 and will get DHCP from the bridged DHCP, or will this only force WLAN users onto the bridge LAN and get new IPs?

After I set up the bridge, LAN1 & WLAN clients all got IPs from the bridged network.

Correct, all clients will now use the Bridged network's IP. This shouldn't be a problem because we want traffic to be routed to each other anyway.

Gork
Ou812ic
join:2001-10-06
Bountiful, UT

Gork to Anav

Member

to Anav
said by Anav:

(1) Did you change any other settings (i.e. which zone the WLAN was part of, for example)?

(2) Could you copy and ADD through that WLAN to LAN1 rule, i.e. two-way comms, push and pull data?

1) Not that I recall... wlan-1-1 shows in the WLAN zone and my LAN shows in the LAN1 zone... And the laptop is assigned an IP address in the wlan-1-1's range of 192.* whereas LAN1 is 10.*.

2) It's been awhile since I had my laptop at home, but I can't imagine I wouldn't have used it to upload and download information from and to the LAN (where my file server is) when it was connected through the WLAN. But I don't precisely recall for sure. I do have a LAN1 to ANY (excluding ZyWALL) rule in place though. I actually tried not to pipe up with details herein because I would have liked to completely test with my laptop before posting - just to be sure. But I couldn't keep my mouth shut.

Now that you bring it up, however, it does seem that I initially set up the WLAN on the LAN1 zone to allow for the type of activity we're discussing and it worked perfectly. (I had forgotten I did this.) From memory, it was very simple with no bridges or the like necessary. I later made the changes I did (as I've described) because I really only wanted my own laptop to be able to connect to LAN1 network resources, not anyone who wants Internet access on their own device who might be visiting.
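
Added example, not from any poster in this thread: a toy Python model of the single-host WLAN to LAN1 rule Gork describes, assuming a connection-tracking (stateful) firewall. It is a simplified model rather than ZyWALL firmware behaviour; the addresses and ports are constructed, and the LAN1 to ANY rule Gork also mentions is left out to isolate the one rule.

```python
import ipaddress

# Constructed addressing: the thread only says WLAN is 192.* and LAN1 is 10.*.
ZONES = {"WLAN": ipaddress.ip_network("192.168.2.0/24"),
         "LAN1": ipaddress.ip_network("10.0.0.0/24")}
LAPTOP = "192.168.2.50"       # hypothetical lease pinned by IP/MAC binding
GUEST = "192.168.2.77"        # hypothetical visitor on the same WLAN
FILE_SERVER = "10.0.0.10"     # hypothetical LAN1 file server

# (from_zone, to_zone, source address or None for any, action); first match wins.
RULES = [("WLAN", "LAN1", LAPTOP, "allow")]

def zone_of(ip):
    """Map an address to its zone name, or None if it belongs to no zone."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), None)

class StatefulFirewall:
    """Toy inter-zone filter: rules match new connections, state admits replies."""
    def __init__(self, rules, default="deny"):
        self.rules, self.default = rules, default
        self.sessions = set()   # (client, server, client_port, server_port)

    def packet(self, src, dst, sport, dport):
        # Either direction of an already-permitted session passes without a rule.
        if {(src, dst, sport, dport), (dst, src, dport, sport)} & self.sessions:
            return "allow"
        for from_zone, to_zone, rule_src, action in self.rules:
            if (from_zone, to_zone) == (zone_of(src), zone_of(dst)) \
                    and rule_src in (None, src):
                if action == "allow":
                    self.sessions.add((src, dst, sport, dport))
                return action
        return self.default   # nothing matched: implicit deny

def demo():
    fw = StatefulFirewall(RULES)
    return {
        "laptop opens SMB to server": fw.packet(LAPTOP, FILE_SERVER, 50000, 445),
        "server reply to laptop": fw.packet(FILE_SERVER, LAPTOP, 445, 50000),
        "laptop sends more data (upload)": fw.packet(LAPTOP, FILE_SERVER, 50000, 445),
        "guest opens SMB to server": fw.packet(GUEST, FILE_SERVER, 50001, 445),
        "server opens new connection to laptop": fw.packet(FILE_SERVER, LAPTOP, 40000, 8080),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{verdict:5}  {case}")
```

In this model the rule direction governs who may open a session, not which way data flows inside it; the guest and the LAN1-initiated connection both fall through to the implicit deny.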