New To ZYXEL
@173.216.243.x

New To ZYXEL

Anon

ZyXel Zywall USG 50

I have to ask some stupid questions because 1. I am stupid. 2. I have never used a real router that had to actually be set up.
I just replaced a Netgear home router at work with the ZYXEL USG 50 and because that wasn't enough I added a wireless AP to it so my techs can use their laptops in the building without connecting to the expensive connections through the wireless company. Now you have that story I can start with the stupid questions.
What are the PORTS on the front (besides connecting to the switches). DMZ? LAN1 Lan2? Why are they switchable?
I have a Dell T110 Server set up already Windows Server essentials. I cannot get it to cooperate with the router. I need to get it set up so I can access it from home but the server cannot even get the correct name or setup from the router. Says Router Unknown.
I can get to the wireless AP after I understand some of the issues understood with the main router. For now I need an idea of how to set up the main router then I can get to figuring out the AP.
Any help offered will be accepted and appreciated and you will have a friend for life. In the case you already have too many friends, you will have a silent stalker for life. Thank you.
Kirby Smith
join:2001-01-26
Derry, NH

Kirby Smith

Member

Unfortunately, I do not have time this morning to provide good instructions, but there are others here who may be able to help before I can. I will note, however, that ZyXEL has a vast literature base of user manuals that you can find at their site looking for service and firmware. You can read the literature after downloading it. While written to earlier firmware, the information can be quite helpful in understanding what is going on. Also, there is a help function within the router that can supply useful information.

Further, I recall there being a wizard that should take you through the initial steps to making the router at least the equal of a dumb router.

kirby
dual FiOS > USG-50 > Cisco SG200-26 > VLANs

Brano
I hate Vogons
MVM
join:2002-06-25
Burlington, ON
(Software) OPNsense
Ubiquiti UniFi UAP-AC-PRO
Ubiquiti NanoBeam M5 16

Brano to New To ZYXEL

MVM

to New To ZYXEL
And make sure you upgrade to latest firmware before you start anything. This will save you time chasing old known bugs.
»ftp://ftp.zyxel.com/ZyWALL_USG ··· 5)C0.zip

Manuals and support notes with examples are here: »ftp://ftp.zyxel.com/ZyWALL_USG_50/
JRiess421
Premium Member
join:2014-08-20
Nixa, MO

JRiess421

Premium Member

Ok I am doing that first. At least I know how to do something. BTW TY!

lacibaci
join:2000-04-10
Export, PA
Technicolor CGA4131
Ubiquiti EdgeRouter ERPro8
Ubiquiti UniFi UAP-AC-PRO

lacibaci to New To ZYXEL

Member

to New To ZYXEL
If you don't want to run any public facing services (web, mail server) there is very little you need to do.
Make sure firewall is on (I think by default it is).

As for your AP, set its IP outside of the router's DHCP range (192.168.1.100 for example), gateway, DNS IPs and you should be set.

Lac

Brano
I hate Vogons
MVM
join:2002-06-25
Burlington, ON

Brano to JRiess421

MVM

to JRiess421
You should give this a quick read too »Secure your USG - quick how-to

Anav
Sarcastic Llama? Naw, Just Acerbic
Premium Member
join:2001-07-16
Dartmouth, NS

Anav to New To ZYXEL

Premium Member

to New To ZYXEL
I cannot remember exactly the ports on the USG50 but.........
There are two USB ports I think, which I never used, may be able to attach a printer but not sure.
Then there are two WAN ports, if you only have one ISP ignore WAN2.
Then you have four LAN ports. They can be cold booted into any one of the three available LANs on the router. LAN1, LAN1 and DMZ. All three are identical but have those hardwired names.

The reason for the different LANs is that some people like to have different LANs within one's business or home. One can then run segregated networks but all with, if desired, access to the same Internet connection. This is done via Firewall rules. If you wish to poke small holes in the firewall, aka access a printer in another network, this can be done as well.

So you have 3 private home or business networks you can setup, each giving out different DHCP addresses.

If you are running windows server, and you want to make it available outside the router then you have to do two things.

Create an address object (IP of the server)
Create service objects (TCP, UDP, ports etc) for the services it will provide.

Make a virtual server, NAT rule to forward those service objects to the address object
Make associated firewall rules to allow those service objects to access the address object.

In both cases above you can create address objects (that are coming in on the WAN) in order to limit outside access through NAT and through the Firewall to the service objects - by only allowing those identified external addresses for both rules.

Do you have an AP or a wifi router acting as an AP?
thirdlife
join:2014-08-20
Minneapolis, MN

thirdlife

Member

I assume that all of this information would relate to a USG 100? I have a Zywall USG100 that I received this week that I am going to set up tonight, and I found this thread researching how to set it up.

Am I safe to assume all this information applies to all/most USG devices?

Anav
Sarcastic Llama? Naw, Just Acerbic
Premium Member
join:2001-07-16
Dartmouth, NS

Anav

Premium Member

Yes, there is very little difference between the USG50 and 100.
The most obvious is 5 physical LAN ports vice 4 on the USG50.
thirdlife
join:2014-08-20
Minneapolis, MN

thirdlife

Member

Thanks. I'm sure I'll have questions after I attempt my first deployment, but figure I should try it out first before worrying about it too much.
JRiess421
Premium Member
join:2014-08-20
Nixa, MO

JRiess421 to Anav

Premium Member

to Anav
The USB ports are for 3g/4g connectors.
I only have one ISP so will be ignoring the other one.

I do not want to run multiple networks so does this mean I can change to the single LAN1 or LAN2? Or simply change all three to the LAN1 or LAN2 ports? I use switches to the other parts of the building and wanted to leave room for expansion later.

The Server is intended to allow users to access popular "in" company programs that are shared throughout the organization.

I want to keep my server protected from the outside world, however I also need everyone to have internet access.

I have an NWA3160-N I need to set up for the technicians that come in and out. I am trying to use it as an AP. It has given me nothing but trouble so far. I cannot figure out how to set it up for authentication, I don't want anyone who comes in the building having access to my internet.

I also need to be able to access the Server from home so if I am not able to get in to the brick building I can still do things I have to from home.
thirdlife
join:2014-08-20
Minneapolis, MN

thirdlife

Member

I know very little about these routers, but I got my USG 100 up and running last night.

What I do know is that you can change all the ports to LAN1 or LAN2 and all your devices on your network will be on the same network.

From what I understand, these USG's come pretty locked down, but I think somewhere on this forum there is a guide explaining a few things to turn off to be even more secure.

Anav
Sarcastic Llama? Naw, Just Acerbic
Premium Member
join:2001-07-16
Dartmouth, NS

Anav to JRiess421

Premium Member

to JRiess421
said by JRiess421:

The USB ports are for 3g/4g connectors.
I only have one ISP so will be ignoring the other one.

I do not want to run multiple networks so does this mean I can change to the single LAN1 or LAN2? Or simply change all three to the LAN1 or LAN2 ports? I use switches to the other parts of the building and wanted to leave room for expansion later.

The Server is intended to allow users to access popular "in" company programs that are shared throughout the organization.

I want to keep my server protected from the outside world, however I also need everyone to have internet access.

I have an NWA3160-N I need to set up for the technicians that come in and out. I am trying to use it as an AP. It has given me nothing but trouble so far. I cannot figure out how to set it up for authentication, I don't want anyone who comes in the building having access to my internet.

I also need to be able to access the Server from home so if I am not able to get in to the brick building I can still do things I have to from home.

Yes..... You can set the ports however you wish.

By default all LANs have access to the internet, you may wish at a later date via FW rules to narrow it down but it's pretty wide open. In addition by default, WAN to LAN traffic is blocked so that outside access is not permitted.

To allow home access to your server will require you to identify your home WAN IP and add it as an address object which will be used in both a NAT rule (virtual server) and a firewall rule WAN to LAN.

As far as the AP, to set up any wifi router as an AP see the faq. »Wireless Networking Forum FAQ »Using a Wireless Router as an Access Point
As far as security, use WPA2 and provide the password to the technicians. Rotating the password at your discretion.

If you have a radius or authentication server setup, you probably can setup an alternative scheme.
JRiess421
Premium Member
join:2014-08-20
Nixa, MO

JRiess421

Premium Member

Ok I read the "Using wireless Router..." I have a wired router only ATM. I bought the NWA3160-N to add the wireless ability to the network, essentially separating the wired from the wireless. The wireless is really only for the wandering techs and maybe the wireless printers in the office and some cell phones. It will have no other purpose. Should I then plug that in to the other LAN port and use it as a wireless router or will that cause an issue with the wired network?

Anav
Sarcastic Llama? Naw, Just Acerbic
Premium Member
join:2001-07-16
Dartmouth, NS

Anav

Premium Member

I would plug it into one of the LAN type ports and reboot it as associated with your DMZ Lan. Use a different IP structure from the LAN1. Using it as a router vice an AP/switch is complicating matters unnecessarily and provides no additional security or functionality. In your Firewall Rules simply verify (probably default) that DMZ to WAN access is set to allow and DMZ to LAN, LAN to DMZ and WAN to DMZ are set to deny.

On the access point add WPA2 security and make the password available to the staff that need it. Change the password when appropriate.
JRiess421
Premium Member
join:2014-08-20
Nixa, MO

JRiess421

Premium Member

said by Anav:

I would plug it into one of the LAN type ports and reboot it as associated with your DMZ Lan. Use a different IP structure from the LAN1.

I may be mentally blocked but I do not understand what you mean by this.
I am having an issue with the NWA3160-N. When I click on the SSID tab it says "Loading" and never changes. If I refresh the page after a while it will log me out and let me in but will still do the same thing when I go back in. I cannot change the SSID.
Do I need to change the IP address of the AP?

Anav
Sarcastic Llama? Naw, Just Acerbic
Premium Member
join:2001-07-16
Dartmouth, NS

Anav

Premium Member

Okay, the first bit refers to the zyxel unit.
If you have decided to use the DMZ zone for your wifi then you need to decide which port on the zyxel unit is going to be assigned to the DMZ. Do that and I believe you have to restart the router, but not sure, it's been a while.
After that ensure that port is used to physically connect the NWA unit (over your wired network).

You have to setup the DMZ zone 192.168.10.1 for example as the DMZ zone IP and setup what IPs the router gives out on this zone. Typically it's .33-.whatever

Setup your NWA as an AP and give it an IP address of 192.168.10.10 and its gateway would be 192.168.10.1
JRiess421
Premium Member
join:2014-08-20
Nixa, MO

JRiess421

Premium Member

Ok the only way I can get the AP to work at all is to plug it in to the switch I have all the computers attached. If I try to plug it in to the Router it won't let me in to it at all. It will work through the switch and I did get it to allow me to set up the authentication, however now when I try to log in to the wireless from a client computer it has me log in with the information USER Name and Password, but then comes up with EAP-TTLS Domain/Username and Password/Token. I have no clue what this means. I understand what it is but have no idea what I am supposed to put in there.
gb5102
join:2003-10-07
Saint Paul, MN

gb5102

Member

said by JRiess421:

however now when I try to log in to the wireless from a client computer it has me log in with the information USER Name and Password, but then comes up with EAP-TTLS Domain/Username and Password/Token

Sounds like you selected WPA2-Enterprise (802.1x, requires a RADIUS server) authentication on the AP, you want 'standard' WPA2-PSK.

As for why you are unable to access it when plugged directly into router...no idea...

Anav
Sarcastic Llama? Naw, Just Acerbic
Premium Member
join:2001-07-16
Dartmouth, NS

Anav

Premium Member

Before you hook it to the switch or a router, setup the AP. It's typically not on an IP scheme that's compatible.
In other words hook directly to it from your computer or laptop.
Program it with the info needed to be reachable on your DMZ LAN (manually assign gateway IP, and LAN IP being assigned to the AP).
Then you should be able to stick it on the port on your router assigned to the DMZ. You may want to add a switch to that port, so that you can attach a computer for confirmation testing (or change another port on the router to DMZ). Confirm that you can access the control panel (login to the AP) on the DMZ from your hardwired computer. Now confirm all the wifi settings you desire. (As noted, WPA2-PSK is what you want.) Now take any device such as a smart phone and try to connect to the AP.
JRiess421
Premium Member
join:2014-08-20
Nixa, MO

JRiess421

Premium Member

I did that exact thing. I connected it to a laptop directly and when I got to the change password the admin screen disappeared and it would not let me back into the AP admin area or even close. I tried to release and renew IP, however it told me the IP could not be renewed while Media was disconnected. I tried to connect it to the USG50 port and it does the same thing, will not bring the login screen up. If I plug it directly to the switch that all the Land computers are connected I can access the AP.
JRiess421

JRiess421 to Anav

Premium Member

to Anav
I am also unsure how to manually assign IP, Gateway, LAN IP.
JRiess421

1 edit

JRiess421 to Anav

Premium Member

to Anav
Ok on the Manually assigning IP, etc. Let's say the DMZ port is set to 192.168.2.1, will that be the IP I need to set the AP on for it to work on that port? And it looks like the ports all use the same Subnets 255. (etc). Should I set the AP IP to Static or dynamic?
JRiess421

JRiess421 to Anav

Premium Member

to Anav
You have to setup the DMZ zone 192.168.10.1 for example as the DMZ zone IP and setup what IPs the router gives out on this zone. Typically it's .33-.whatever

Setup your NWA as an AP and give it an IP address of 192.168.10.10 and its gateway would be 192.168.10.1

I think you answered this part earlier. I am a bit thick headed.

Anav
Sarcastic Llama? Naw, Just Acerbic
Premium Member
join:2001-07-16
Dartmouth, NS

Anav

Premium Member

Yes, standard subnet is 255.255.255.0.
JRiess421
Premium Member
join:2014-08-20
Nixa, MO

JRiess421

Premium Member

Ok I got it! It is hooked to the USG50. Now how can I change the Authentication issue? Do I need to create a different certificate?

Brano
I hate Vogons
MVM
join:2002-06-25
Burlington, ON
(Software) OPNsense
Ubiquiti UniFi UAP-AC-PRO
Ubiquiti NanoBeam M5 16

Brano

MVM

Even though fellow colleagues are directing you towards AP on DMZ my question is, do you need it? Do you need wireless clients on separate network? Because if you don't need it, it is just going to complicate your life. If you do need it, that's fine, you can segregate the users for tiny bit of added complexity.

As for the cert, which one do you mean? As mentioned earlier, you should change WPA2 Enterprise to WPA2 Personal (also known as WPA2-PSK). The cert issue should go away.
JRiess421
Premium Member
join:2014-08-20
Nixa, MO

JRiess421

Premium Member

I do not need them on a separate network, I just need them to be able to connect. I did finally get the NWA3160-N to connect to the USG50, however now I am getting limited connection (no Internet Access). And I can't get the AP to let me back in it.

Brano
I hate Vogons
MVM
join:2002-06-25
Burlington, ON
(Software) OPNsense
Ubiquiti UniFi UAP-AC-PRO
Ubiquiti NanoBeam M5 16

Brano

MVM

said by JRiess421:

I do not need them on a separate network, I just need them to be able to connect.

In that case put the AP on same LAN as your other users and be done with it.

1) Switch all your ports to the same zone i.e. LAN
2) Connect your AP to USG or separate switch (if you have one) hanging off LAN ... I always recommend to locate the AP as high as possible.
3) If your AP has DHCP server turn it off!
4) Assign your AP static IP outside the DHCP range or create DHCP reservation outside the AP range. i.e. if your LAN subnet is 192.168.10.0/24 and DHCP range is from .50 to .200 assign the AP some IP below .50.
5) Use WPA2-PSK/AES for wireless security

EDIT: If you're using router as AP make sure you connect it to USG via LAN port. WAN port on the AP will remain unused.
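
An added example, not part of the thread or any poster's own code: a small Python check of an AP addressing plan against the steps above (static IP inside the LAN subnet but outside the DHCP pool, AP DHCP server off, WPA2-PSK unless a RADIUS server exists). The function name `check_ap_plan` is hypothetical, the gateway 192.168.10.1 is assumed from the example zone IP used earlier in the thread, and the sample plans are constructed.

```python
import ipaddress

def check_ap_plan(subnet, gateway, dhcp_start, dhcp_end, ap_ip,
                  ap_dhcp_server=False, wifi_security="WPA2-PSK/AES",
                  radius_server=None):
    """Return a list of problems found in an AP plan (empty list = plan is OK)."""
    net = ipaddress.ip_network(subnet, strict=True)
    gw, ap = ipaddress.ip_address(gateway), ipaddress.ip_address(ap_ip)
    lo, hi = ipaddress.ip_address(dhcp_start), ipaddress.ip_address(dhcp_end)
    problems = []
    if gw not in net:
        problems.append("gateway is not inside the subnet")
    if lo > hi or lo not in net or hi not in net:
        problems.append("DHCP pool is not a valid range inside the subnet")
    # An AP left on a different subnet than the router port is unreachable
    # from that port, which matches the lost admin page seen in this thread.
    if ap not in net:
        problems.append("AP address is on a different subnet than the router port")
    elif ap in (net.network_address, net.broadcast_address):
        problems.append("AP address is the network or broadcast address")
    elif ap == gw:
        problems.append("AP address collides with the gateway")
    elif lo <= ap <= hi:
        problems.append("AP address is inside the DHCP pool")
    if ap_dhcp_server:
        problems.append("AP DHCP server is on; the router should be the only one")
    # WPA2-Enterprise (802.1X) prompts clients for EAP credentials and
    # cannot authenticate anyone without a RADIUS server behind it.
    if wifi_security.upper().startswith("WPA2-ENTERPRISE") and not radius_server:
        problems.append("WPA2-Enterprise selected but no RADIUS server configured")
    return problems

# Constructed sample plans (not taken from a real device).
GOOD_PLAN = dict(subnet="192.168.10.0/24", gateway="192.168.10.1",
                 dhcp_start="192.168.10.50", dhcp_end="192.168.10.200",
                 ap_ip="192.168.10.10")
BAD_PLAN = dict(GOOD_PLAN, ap_ip="192.168.1.2", wifi_security="WPA2-Enterprise")

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        issues = check_ap_plan(**plan)
        print(name, "->", issues or "no problems found")
```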

Anav
Sarcastic Llama? Naw, Just Acerbic
Premium Member
join:2001-07-16
Dartmouth, NS

Anav to New To ZYXEL

Premium Member

to New To ZYXEL
First, being able to use the DMZ LAN is dirt simple, it's the same as the normal LAN except you setup a different IP structure.

The router will handle giving out IP addresses.
When you're changing the IP address in the NWA unit, you will lose connectivity when configuring it because your laptop now has the wrong IP assigned (different network). So change your laptop IP manually to access admin page.

It's a good security practice to put users on a separate LAN from your private or work LAN. The NWA 3160 has probably other features you may want to delve into down the line.

Is your switch a managed switch by the way??