Anav (Sarcastic Llama? Naw, Just Acerbic), Premium Member, join:2001-07-16, Dartmouth, NS
2014-Apr-5 3:27 pm
2014 Functionality USG Should Have.
What functionality and requirements do you have that are not being met or that are not working as desired? Repeat of last year's effort as it is overly stale. Assuming more robust processing (aka the new 11X series).
I will start with an observation from recent posts.... (1) ADP granularity - Going through dozens of settings under each protocol type and changing the default from allow to drop is very, very slow. Anyone know of a way to change them all, or in large groups quickly?

JPedroT, Premium Member, join:2005-02-18
1 recommendation
2014-Apr-5 5:34 pm
They should just kill the whole USG thingy, go with just a firewall, imho.

Brano (I hate Vogons), MVM, join:2002-06-25, Burlington, ON
1 recommendation
to Anav
Alex, we had a thread like this at least twice from what I remember and it led to nothing. Unless we get active representation from ZyXel this is a waste of time.

Anav, Premium Member
2014-Apr-5 7:58 pm
Okay, sounds good.

to Anav
The only thing they should do IMO is beef up the hardware as far as they can and keep the price low. Edge Router Lite has kind of set the standard of what you can do for just $100. ZyXel held that lower-end market for a long time (sat on it actually for 8 years) and now people are challenging them. Makes you feel like you're being ripped off @ $250 for a USG50 or $350 for a ZyWall 110.
The new ZyWall line is no longer impressive either with the ERL coming out not long after. If they cut the current ZyWall and future USG models by 50% whatever they are now or were thinking of selling them for, then we can talk.

Mainia, join:2010-10-02, Minneapolis, MN (1 edit)
to JPedroT
As for Zyxel to drop the UTM feature from the USG series... Then that gives you the new Zywall Firewall/VPN series that the hardware has the gravitas that is needed for 2014 and beyond. As we ALL know the USG series is WAY underpowered and should be replaced ASAP by the same or more powerful processors as in the Zywall/VPN series.
By the Declaration of Conformity of the ZyWALL 110, it looks like the new UTMs will use the same hardware as they used both the Zywall/VPN and USG series name for that hardware.
The need for Unified Threat Management Systems in small to mid-sized business is what I think is needed more and more. With no on staff IT people to babysit employees willy-nilly clicking on everything while surfing on business hours, a good UTM with enterprise grade content filtering, IDS/IPS, AV, and application control is a must.
The hardware IS coming with UTM features. I talked to a high up Zyxel sales guy and he said they are coming in 2014. UTM is not dead. Most of you seem to not like it. I love UTM features. I run Zyxel as a gateway and Sophos UTM in bridge. I couldn't be happier.....Yes I could....a new Zyxel USG110 would be nice!!!

Mainia
to Anav
Oh yea, added features.
With the increased power, add increased AV signatures. As per Sophos UTM with Sophos gateway scanner that have 5 to 6 million sigs and for the Sophos UTM second gateway scanner Avira having 5 to 6 million sigs. When Untangle had Kaspersky it had millions of signatures, Not the wimpy Zyxel 2,500 Kaspersky and 15,000 Zyxel/AhnLab AV signatures. I know gateway AV has less of an advantage than a good enterprise content filter, but hey.... 2,500/15,000 sigs vs 5 to 6 million.... No contest.
Zyxel, how about country blocking? I only let 14 countries send and receive from my network. As per Sophos UTM.

Mainia
to C4Xplosive
said by C4Xplosive:
The only thing they should do IMO is beef up the hardware as far as they can and keep the price low. Edge Router Lite has kind of set the standard of what you can do for just $100. ZyXel held that lower-end market for a long time (sat on it actually for 8 years) and now people are challenging them. Makes you feel like you're being ripped off @ $250 for a USG50 or $350 for a ZyWall 110.
The new ZyWall line is no longer impressive either with the ERL coming out not long after. If they cut the current ZyWall and future USG models by 50% whatever they are now or were thinking of selling them for, then we can talk.

You are asking too much for too little. Hardware is priced right after discount from MSRP, but sigs could be 20 to 25% less and add "2 year" sig discount pricing.

Anav, Premium Member
2014-Apr-6 8:12 pm
How do you effect country blocking?

Mainia, Member (3 edits)
2014-Apr-6 9:55 pm
Sophos UTM Country Blocking Screen
said by Anav:
How do you effect country blocking.

Here is an image of the screen. You have the option of All (block), Off (no block), Inbound, and Outbound. It works great. Here is a link, because DSL Reports is not showing it to me with above link. » www.walleyecentral.com/f ··· id=25593
Edit: I guess it is closer to 19 countries I let in. Some of the ones I have opened COULD be blocked with no issue, but I left them open. I think I could get by with 10 to 12 or so.

Mainia, Member
2014-Apr-6 10:20 pm
I added the Country Block screen of mine (above post) because there were none in this montage of all the different Sophos UTM backend screen shots in the below link. » www.google.com/search?q= ··· 84%3B612.

to Anav
Yes, country blocking would be very useful. Also, there needs to be a way to create batch NAT records. I know there is CLI but I'm lazy to RTFM. Clicking around to create 5 Virtual Server records for each server behind USG is a PITA. Especially when you do it on a regular basis as a consultant. If I could apply the same service group to a Virtual Server entry as I use in the Firewall rules, with incoming/outgoing port(s) defaulting to the same value, that would be fantastic.

Brano, MVM
2014-Apr-7 8:31 am
said by stascom:
I know there is CLI but I'm lazy to RTFM.

Well, don't be. There's CLI that can do this for you; alternatively you can edit the startup-config.conf, and there's a zysh script you can write and re-run as often and whenever you please.

Brano
1 recommendation
to Anav
OK, I'll pitch in with one request. Give us full root access to the device. Almost all competitors who run devices based on open-source do that today, open-wrt based, Linux based, BSD based and Ubiquiti too.
This gives options for community to pitch in, start porting more functionality or, in worst case, try fixing bugs.

Anav, Premium Member
2014-Apr-7 3:49 pm
Not a chance, see post 3 you mangy cur.

Brano, MVM
2014-Apr-7 4:09 pm
I'm aware. But I had to say it out loud anyway

lorennerol, Premium Member, join:2003-10-29, Seattle, WA
to Anav
Mostly I just need them to do what they do much faster. There are some UI issues and some stability/reliability issues that need to be addressed, but those are minor compared to their long-term inability to run at modern Internet connection speeds.
Oh, and don't leave port 443 open to the entire planet by default. Bad, bad choice as a default.

JPedroT, Premium Member
2014-Apr-7 5:25 pm
said by lorennerol:
Mostly I just need them to do what they do much faster. There are some UI issues and some stability/reliability issues that need to be addressed, but those are minor compared to their long-term inability to run at modern Internet connection speeds.
Oh, and don't leave port 443 open to the entire planet by default. Bad, bad choice as a default.

That is usually based on feedback on what customers find weird, i.e. why is not my firewall accessible from WAN on https etc. Trust me, it's how these "great" decisions are made.
As for faster, I agree, but when you average out the speeds people do have, then we are at the front end of the curve.
As for Brano's request about root access, it gets you some part of the way, but you also need the source code to fix bugs. Or at the very least the cross-compilation tool chain to actually change anything. But you would still not be able to change the ZyXEL proprietary code on it. Unless you want to dump a linux distro of your own choice on it, but then you probably could build a cheaper device, than for the price of a decent USG.

Brano, MVM
2014-Apr-7 5:43 pm
Yeah, I know, everything you said, but still it'll be nice to be able to use the unit for more. Especially some automation/scripting tasks could be achieved with much lesser pain.

Anav, Premium Member (1 edit)
to stascom
said by stascom:
Yes, country blocking would be very useful. Also, there needs to be a way to create batch NAT records. I know there is CLI but I'm lazy to RTFM. Clicking around to create 5 Virtual Server records for each server behind USG is a PITA. Especially when you do it on regular basis as a consultant. If I could apply the same service group to a Virtual Server entry as I use in the Firewall rules, with incoming/outgoing port(s) defaulting to the same value, that would be fantastic.

Stascom just so I understand what you're saying. The functionality you desire is to be able to create GROUP objects for services and then use those groups in setting up Virtual Mapping rules. I too find it weird that one can do this for FWs but not for the Port forwarding. The only concern is not duplicating the same port range in two separate virtual server rules or for that matter within a group rule for the same virtual rule. Is there more to your requirement?? What do you mean same ingoing, outgoing ports default etc.. From my work, a Group object is a group object. Do your groupings in objects not at the rule........ ie per defaults.......

JPedroT, Premium Member
to Brano
said by Brano:
Yeah, I know, everything you said, but still it'll be nice to be able to use the unit for more. Especially some automation/scripting tasks could be achieved with much lesser pain.

Depends on how you can access the flash, on other devices it's not just a plain filesystem in the flash. But a compressed image that gets unpacked and you need to write the image to certain blocks etc. Pain in the ass, but you can usually reverse engineer it by looking at how it's done on the device. Then again, it's easy to go down the old brick lane

Brano, MVM
2014-Apr-7 6:14 pm
ZyXel has it as standard partition. The main system is squashfs. ...anyway, all moot point in current state.

Anav, Premium Member (2 edits)
2014-Apr-7 6:40 pm
1. features such as voltage, current and temperature monitoring (internal and external)
2. Better tie-in with hardware functionality of other product lines, think LACP between switch+router,
Good ideas or stupid??
3. Brano in your construct would that give users the ability to add their own DDNS site if it wasn't on Zyxel's provided list..... is that what you mean, do you have some better concrete examples please.

Brano, MVM
2014-Apr-7 7:50 pm
Yes, with root access one could relatively easily add sensors (voltage, temp monitoring), add custom DDNS, custom FTP server, proxy server and other standard linux packages that are available. Level of integration would vary, but some packages i.e. DDNS don't really need any integration. ...but again, all moot at this point.

janderso1 (Jim), MVM, join:2000-04-15, Saint Petersburg, FL
to Anav
The ability to reserve DHCPv6 addresses
The ability to set DHCPv6 lease times
Add the interface ID to DHCPv6 solicit and request log entries
Include DHCPv6 in the DHCP table or separate display
Log the Zywall responses to DHCPv6 solicit and request

Anav, Premium Member
2014-Apr-8 12:30 pm
Are those DHCP 6 functions that are missing (required), available on other routers? Are they possible? Do they then provide the same level of functionality as per currently available for IPV4? In others an implementation that fell short of previous functionality.

janderso1, MVM
1 recommendation
The Zywall uses something (my educated guess is the client DUID) to track client IPv6 addresses that it has assigned from a DHCPv6 address pool (for IPv4 it uses the client MAC address). A DHCPv6 address reservation would lock the IPv6 address to the identifier (as is done for IPv4 addresses to MAC addresses).
If you are using Linux for your DHCPv6 servers then IPv6 address reservations (and lease times) are supported.
Except for the interface ID in the log entry all I am asking for is what it already does for IPv4. The interface ID would be useful when you get hundreds of solicit and/or request log entries from a client that is unable to obtain an IPv6 address via DHCPv6.
Other than Linux I don't know what other routers do. However, the USG series and the newer models are not $40 home routers.

Anav, Premium Member
2014-Apr-9 6:42 am
I guess what I am asking Janders, being ipv6 deficient, is what you're asking normal functionality on other business class routers and you're saying usg is like ipv6 lite???

to Mainia
said by Mainia:
I run Zyxel as a gateway and Sophos UTM in bridge.

Are we going to get a description of your setup details someday, or should I just plan on throwing away my USG50 when the new UTMs arrive?
kirby

Mainia, Member
2014-Apr-9 1:48 pm
what are you looking for????