Anav
Sarcastic Llama? Naw, Just Acerbic
Premium Member
join:2001-07-16
Dartmouth, NS

Anav

Premium Member

2014 Functionality USG Should Have.

What functionality and requirements do you have that are not being met or that are not working as desired? Repeat of last year's effort, as it is overly stale.
Assuming more robust processing (aka the new 11X series)

I will start with an observation from recent posts....
(1) ADP granularity - Going through dozens of settings under each protocol type and changing the default from allow to drop is very, very slow. Anyone know of a way to change them all, or in large groups quickly?
JPedroT
Premium Member
join:2005-02-18

1 recommendation

JPedroT

Premium Member

They should just kill the whole USG thingy, go with just a firewall, imho.

Brano
I hate Vogons
MVM
join:2002-06-25
Burlington, ON

1 recommendation

Brano to Anav

MVM

to Anav
Alex, we had a thread like this at least twice from what I remember and it led to nothing. Unless we get active representation from ZyXel this is a waste of time.

Anav
Sarcastic Llama? Naw, Just Acerbic
Premium Member
join:2001-07-16
Dartmouth, NS

Anav

Premium Member

okay, sounds good.
C4Xplosive
join:2002-02-21
Vancouver, WA

C4Xplosive to Anav

Member

to Anav
The only thing they should do IMO is beef up the hardware as far as they can and keep the price low. Edge Router Lite has kind of set the standard of what you can do for just $100. ZyXel held that lower-end market for a long time (sat on it actually for 8 years) and now people are challenging them. Makes you feel like you're being ripped off @ $250 for a USG50 or $350 for a ZyWall 110.

The new ZyWall line is no longer impressive either with the ERL coming out not long after. If they cut the current ZyWall and future USG models by 50% whatever they are now or were thinking of selling them for, then we can talk.
Mainia
join:2010-10-02
Minneapolis, MN

1 edit

Mainia to JPedroT

Member

to JPedroT
As for Zyxel to drop the UTM feature from the USG series... Then that gives you the new Zywall Firewall/VPN series that the hardware has the gravitas that is needed for 2014 and beyond. As we ALL know the USG series is WAY underpowered and should be replaced ASAP by the same or more powerful processors as in the Zywall/VPN series.

By the Declaration of Conformity of the ZyWALL 110, it looks like the new UTMs will use the same hardware, as they used both the Zywall/VPN and USG series name for that hardware.

The need for Unified Threat Management Systems in small to mid sized business is what I think is needed more and more. With no on staff IT people to babysit employees willy-nilly clicking on everything while surfing on business hours, a good UTM with enterprise grade content filtering, IDS/IPS, AV, and application control is a must.

The hardware IS coming with UTM features. I talked to a high up Zyxel sales guy and he said they are coming in 2014. UTM is not dead. Most of you seem to not like it. I love UTM features. I run Zyxel as a gateway and Sophos UTM in bridge. I couldn't be happier.....Yes I could....a new Zyxel USG110 would be nice!!!

.
Mainia

Mainia to Anav

Member

to Anav
Oh yea, added features.

With the increased power, add increased AV signatures. As per Sophos UTM with Sophos gateway scanner that have 5 to 6 million sigs and for the Sophos UTM second gateway scanner Avira having 5 to 6 million sigs. When Untangle had Kaspersky it had millions of signatures, not the wimpy Zyxel 2,500 Kaspersky and 15,000 Zyxel/AhnLab AV signatures. I know gateway AV has less of an advantage than a good enterprise content filter, but hey.... 2,500/15,000 sigs vs 5 to 6 million.... No contest.

Zyxel, how about country blocking? I only let 14 countries send and receive from my network. As per Sophos UTM.

.
Mainia

Mainia to C4Xplosive

Member

to C4Xplosive
said by C4Xplosive:

The only thing they should do IMO is beef up the hardware as far as they can and keep the price low. Edge Router Lite has kind of set the standard of what you can do for just $100. ZyXel held that lower-end market for a long time (sat on it actually for 8 years) and now people are challenging them. Makes you feel like you're being ripped off @ $250 for a USG50 or $350 for a ZyWall 110.

The new ZyWall line is no longer impressive either with the ERL coming out not long after. If they cut the current ZyWall and future USG models by 50% whatever they are now or were thinking of selling them for, then we can talk.

You are asking too much for too little. Hardware is priced right after discount from MSRP, but sigs could be 20 to 25% less and add "2 year" sig discount pricing.

.

Anav
Sarcastic Llama? Naw, Just Acerbic
Premium Member
join:2001-07-16
Dartmouth, NS

Anav

Premium Member

How do you effect country blocking?
Mainia
join:2010-10-02
Minneapolis, MN

3 edits

Mainia

Member

Sophos UTM Country Blocking Screen
said by Anav:

How do you effect country blocking?

Here is an image of the screen. You have the option of All (block), Off (no block) , Inbound, and Outbound. It works great.

Here is a link, because DSL Reports is not showing it to me with above link.

»www.walleyecentral.com/f ··· id=25593

Edit: I guess it is closer to 19 countries I let in. Some of the ones I have opened COULD be blocked with no issue, but I left them open. I think I could get by with 10 to 12 or so.
Mainia

Mainia

Member

I added the Country Block screen of mine (above post) because there were none in this montage of all the different Sophos UTM backend screen shots in the below link.

»www.google.com/search?q= ··· 84%3B612

.
stascom
join:2013-12-12

stascom to Anav

Member

to Anav
Yes, country blocking would be very useful.
Also, there needs to be a way to create batch NAT records. I know there is CLI but I'm lazy to RTFM. Clicking around to create 5 Virtual Server records for each server behind USG is a PITA. Especially when you do it on a regular basis as a consultant.
If I could apply the same service group to a Virtual Server entry as I use in the Firewall rules, with incoming/outgoing port(s) defaulting to the same value, that would be fantastic.

Brano
I hate Vogons
MVM
join:2002-06-25
Burlington, ON
(Software) OPNsense
Ubiquiti UniFi UAP-AC-PRO
Ubiquiti NanoBeam M5 16

Brano

MVM

said by stascom:

I know there is CLI but I'm lazy to RTFM.

Well, don't be.
There's CLI that can do this for you, alternatively you can edit the startup-config.conf and there's a zysh script you can write and re-run as often and whenever you please.
Brano

1 recommendation

Brano to Anav

MVM

to Anav
OK, I'll pitch in with one request. Give us full root access to the device.
Almost all competitors who run devices based on open-source do that today, open-wrt based, Linux based, BSD based and Ubiquiti too.

This gives options for community to pitch in, start porting more functionality or, in worst case, try fixing bugs.

Anav
Sarcastic Llama? Naw, Just Acerbic
Premium Member
join:2001-07-16
Dartmouth, NS

Anav

Premium Member

Not a chance, see post 3 you mangy cur.

Brano
I hate Vogons
MVM
join:2002-06-25
Burlington, ON

Brano

MVM

I'm aware. But I had to say it out loud anyway.
lorennerol
Premium Member
join:2003-10-29
Seattle, WA

lorennerol to Anav

Premium Member

to Anav
Mostly I just need them to do what they do much faster. There are some UI issues and some stability/reliability issues that need to be addressed, but those are minor compared to their long-term inability to run at modern Internet connection speeds.

Oh, and don't leave port 443 open to the entire planet by default. Bad, bad choice as a default.
JPedroT
Premium Member
join:2005-02-18

JPedroT

Premium Member

said by lorennerol:

Mostly I just need them to do what they do much faster. There are some UI issues and some stability/reliability issues that need to be addressed, but those are minor compared to their long-term inability to run at modern Internet connection speeds.

Oh, and don't leave port 443 open to the entire planet by default. Bad, bad choice as a default.

That is usually based on feedback on what customer finds weird, i.e. why is not my firewall accessible from WAN on https etc. Trust me, it's how these "great" decisions are made.

As for faster, I agree, but when you average out the speeds people do have, then we are at the front end of the curve.

As for Brano's request about root access, it gets you some part of the way, but you also need the source code to fix bugs. Or at the very least the cross-compilation tool chain to actually change anything. But you would still not be able to change the ZyXEL proprietary code on it. Unless you want to dump a Linux distro of your own choice on it, but then you probably could build a cheaper device, than for the price of a decent USG.

Brano
I hate Vogons
MVM
join:2002-06-25
Burlington, ON

Brano

MVM

Yeah, I know, everything you said, but still it'll be nice to be able to use the unit for more.
Especially some automation/scripting tasks could be achieved with much lesser pain.

Anav
Sarcastic Llama? Naw, Just Acerbic
Premium Member
join:2001-07-16
Dartmouth, NS

1 edit

Anav to stascom

Premium Member

to stascom
said by stascom:

Yes, country blocking would be very useful.
Also, there needs to be a way to create batch NAT records. I know there is CLI but I'm lazy to RTFM. Clicking around to create 5 Virtual Server records for each server behind USG is a PITA. Especially when you do it on a regular basis as a consultant.
If I could apply the same service group to a Virtual Server entry as I use in the Firewall rules, with incoming/outgoing port(s) defaulting to the same value, that would be fantastic.

Stascom, just so I understand what you're saying. The functionality you desire is to be able to create GROUP objects for services and then use those groups in setting up Virtual Mapping rules. I too find it weird that one can do this for FWs but not for the Port forwarding. The only concern is not duplicating the same port range in two separate virtual server rules or for that matter within a group rule for the same virtual rule.

Is there more to your requirement??
What do you mean same ingoing, outgoing ports default etc.?
From my work, a Group object is a group object. Do your groupings in objects not at the rule........ ie per defaults.......
JPedroT
Premium Member
join:2005-02-18

JPedroT to Brano

Premium Member

to Brano
said by Brano:

Yeah, I know, everything you said, but still it'll be nice to be able to use the unit for more.
Especially some automation/scripting tasks could be achieved with much lesser pain.

Depends on how you can access the flash, on other devices it's not just a plain filesystem in the flash. But a compressed image that gets unpacked and you need to write the image to certain blocks etc. Pain in the ass, but you can usually reverse engineer it by looking at how it's done on the device. Then again, it's easy to go down the old brick lane.

Brano
I hate Vogons
MVM
join:2002-06-25
Burlington, ON

Brano

MVM

ZyXel has it as standard partition. The main system is squashfs. ...anyway, all moot point in current state.

Anav
Sarcastic Llama? Naw, Just Acerbic
Premium Member
join:2001-07-16
Dartmouth, NS

2 edits

Anav

Premium Member

1. features such as voltage, current and temperature monitoring (internal and external)

2. Better tie-in with hardware functionality of other product lines, think LACP between switch+router,

Good ideas or stupid??

3. Brano, in your construct would that give users the ability to add their own DDNS site if it wasn't on ZyXEL's provided list..... is that what you mean, do you have some better concrete examples please.

Brano
I hate Vogons
MVM
join:2002-06-25
Burlington, ON
(Software) OPNsense
Ubiquiti UniFi UAP-AC-PRO
Ubiquiti NanoBeam M5 16

Brano

MVM

Yes, with root access one could relatively easily add sensors (voltage, temp monitoring), add custom DDNS, custom FTP server, proxy server and other standard Linux packages that are available. Level of integration would vary, but some packages i.e. DDNS don't really need any integration. ...but again, all moot at this point.

janderso1
Jim
MVM
join:2000-04-15
Saint Petersburg, FL

janderso1 to Anav

MVM

to Anav
The ability to reserve DHCPv6 addresses

The ability to set DHCPv6 lease times

Add the interface ID to DHCPv6 solicit and request log entries

Include DHCPv6 in the DHCP table or separate display

Log the Zywall responses to DHCPv6 solicit and request

Anav
Sarcastic Llama? Naw, Just Acerbic
Premium Member
join:2001-07-16
Dartmouth, NS

Anav

Premium Member

Are those DHCPv6 functions that are missing (required) available on other routers? Are they possible? Do they then provide the same level of functionality as per currently available for IPv4? In others an implementation that fell short of previous functionality.

janderso1
Jim
MVM
join:2000-04-15
Saint Petersburg, FL

1 recommendation

janderso1

MVM

The Zywall uses something (my educated guess is the client DUID) to track client IPv6 addresses that it has assigned from a DHCPv6 address pool (for IPv4 it uses the client MAC address). A DHCPv6 address reservation would lock the IPv6 address to the identifier (as is done for IPv4 addresses to MAC addresses).

If you are using Linux for your DHCPv6 servers then IPv6 address reservations (and lease times) are supported.

Except for the interface ID in the log entry all I am asking for is what it already does for IPv4. The interface ID would be useful when you get hundreds of solicit and/or request log entries from a client that is unable to obtain an IPv6 address via DHCPv6.

Other than Linux I don’t know what other routers do. However, the USG series and the newer models are not $40 home routers.

Anav
Sarcastic Llama? Naw, Just Acerbic
Premium Member
join:2001-07-16
Dartmouth, NS

Anav

Premium Member

I guess what I am asking Janders, being IPv6 deficient, is what you're asking normal functionality on other business class routers and you're saying USG is like IPv6 lite???
Kirby Smith
join:2001-01-26
Derry, NH

Kirby Smith to Mainia

Member

to Mainia
said by Mainia:

I run Zyxel as a gateway and Sophos UTM in bridge.

Are we going to get a description of your setup details someday, or should I just plan on throwing away my USG50 when the new UTMs arrive?

kirby
Mainia
join:2010-10-02
Minneapolis, MN

Mainia

Member

what are you looking for????