Help with Zyxel USG40 Setup

Valhalla_tech (Member, NC)
I've just got done spending 8 hours trying to set up a Zyxel USG40 to use IPSec VPN. I've read numerous documents and it's just not clicking for me, plus I'm exhausted from the other stuff I had to do on the network. Here is the scenario:

The client moved locations. Everything was set up pretty much the way it is now, except for the ISP. They switched to FiOS from Xfinity. The setup was Modem/Router>Zyxel>Switch>Clients. Other than that, I don't know what the configuration was other than what I can see on the Zyxel web GUI. Whoever set it up didn't know what they were doing, so there are a bunch of policies set up that were probably used in trial and error cases. I've never set up VPN from scratch, so I can't decipher the garbage from the working config.

Network components:
FiOS Quantum Modem/Router: DHCP off
Zyxel USG40
16 Port Unmanaged Switch
Windows Server 2016: DHCP, DNS, AD, DC
Five desktops
One laptop
Two printers

Goal: Laptop must be able to connect through VPN to the Zyxel, using Zyxel VPN client with IKEv1

When I connect the modem directly to the P1 WAN port on the Zyxel and the P2 LAN port to the switch, I cannot access the firewall or ping it. If I connect the Zyxel P1 and P2 ports to the switch, I can access it. However, I'm not sure if this is the right way to set it up. I thought about setting up port forwarding on the router to point IPSEC queries to the Zyxel. I haven't tested that theory yet. I have to go back on-site tomorrow. Any help would be appreciated; I'm getting desperate. If I missed any pertinent info, I apologize, I'm burnt out. Also, I don't currently have screenshots, but I can provide some tomorrow.

tl;dr: I'm fudged...
 
When I connect the modem directly to the P1 WAN port on the Zyxel and the P2 LAN port to the switch, I cannot access the firewall or ping it.

Via the LAN or WAN address?

Is the modem running in bridged mode, assuming that's an option?
 
I'm assuming where it says Connection Type: Bridge, that means the LAN side is running in bridge mode. And yes, I'm trying to connect via the LAN port. When I scan with Advanced IP Scanner the LAN interface still shows up, but it can't be pinged or connected to. I'm guessing that has something to do with the IP address being stored in some table and the scanner is pulling it from that data.
 

Attachment: 2018-01-04 09_59_33-Verizon Router.jpg (38 KB)
Hey Valhalla_tech, I use ZYXEL pretty frequently, but VPN isn't as common as it once was for me. Have you tried simply giving the ZYXEL tech guys a ring? If your device is still under the 1yr support plan... they have great phone support.

Otherwise, remove all the existing VPN gateways, profiles, and security policies and start over using the Wizard. I typically use the USG60's and can't remember if the 40 has dual WAN ports or not. If it has two WAN ports, make sure you're using the correct one. I typically use WAN port 1. You should only have one LAN port plugged into your switch if you have a simple network.

Go to Configuration -> Network -> Interface and check to see which ports are assigned to what. Sounds like you may have two LAN profiles set up and it's causing confusion. Again, for simple networks, just set all of the LAN ports to LAN1 to make things easier on yourself.

Also, check to see what the WAN IP is on the ZYXEL. Hopefully you're getting the true public IP address. If it is that 192.168 type that is shown in your image, that may cause a lot of difficulty.
 

Attachment: Capture.PNG (34.8 KB)
Hey Valhalla_tech, I use ZYXEL pretty frequently, but VPN isn't as common as it once was for me. Have you tried simply giving the ZYXEL tech guys a ring? If your device is still under the 1yr support plan... they have great phone support...

Unfortunately, the device is no longer under warranty or I would have definitely given them a call. But, here is a screen cap of all the garbage that is setup for address objects. I didn't want to start deleting stuff because I'm not sure what exactly is needed.
 

Attachment: 2018-01-04 11_43_27-[ABDN-Zyxel01] (192.168.16.4) - .__ Welcome to USG40 __..jpg (72.5 KB)
It doesn't look very garbagey to me. The ZYXEL setup is a lot like a Sonicwall object-based firewall. It takes some getting used to and it certainly isn't a wiz-bang quick and easy to learn setup. It is, however, really powerful and configurable. I would leave everything in the address objects list. No reason to bother it. If you had a working setup before and all you've done is changed ISPs, it's likely that your modem is the culprit. Not being able to access the firewall management is a bit odd unless that has been disabled by a really paranoid previous tech. This is a small network, no need to make things complex.

Are you POSITIVE that the P2 port was plugged into the switch before, and not P3/4?
 
I've got the modem directly connected to the WAN port right now and, like before, it's not pingable or accessible. Perhaps I should try to connect via the console port and run the WAN wizard?
 
Can you clarify what isn't pingable? Are you trying to access the router from the LAN side or from the WAN side? Guessing you're trying to access the https management portal, right?
 
Correct. The LAN port isn't pingable, which has an address of 192.168.16.4, which is manually specified in the device's configuration. At this point, I'm not even sure what IP address the WAN port has. When both ports are connected to the switch, the LAN keeps the 192.168.16.4 and the WAN port pulls 192.168.16.40 from the DHCP server.
 
OK, so that tells me that your WAN is set up for DHCP. Does your new ISP have a static IP address? If so, you need to set that in the router. If not, good to go. Make sure that your Windows DHCP server isn't providing anyone else with 192.168.16.4. The Zyxel should reply to ping though. If you're plugging the WAN and LAN port into the same switch though... I would power cycle the router after doing that. I would imagine this would cause a loop and flood the tables or lock up the router.
 
192.168.16.4 is a reserved address on the DHCP, so it will only give it to the MAC of the LAN port. I believe the address from the ISP is dynamic. Is 192.168.40 okay to have for the WAN port address?
 
Life would be much, much easier if the WAN port address was a public IP address. Find out if there is a static IP available from the ISP, if so, set that in the router. If not, ask if you can get the modem into bridge mode where the downstream router (your zyxel) is getting the public IP address. Double NAT stinks.
 
So, to get the modem to pass the public IP to the Zyxel, I have to call Verizon for them to enable that right?
 
Usually that's the easiest way to do it. I'm not familiar with the Verizon setup. Sometimes you can do these things yourself, other times you can't.
 
If the new site LAN IP scheme is the same then all you should need to do is update the WAN interface on the router to the new public IP and update the client as well. @Valhalla_tech I noticed a public IP in the second file you uploaded? Is that the old IP or the new IP?

In the case of VZ, what are you actually hooked up to? A VZ provided device? Does the site have its own ONT? Are they using FiOS for TV as well or just Internet? If the use is Internet only you can actually dump the VZ modem and just hook the Zyxel directly to the Ethernet port on the ONT. I've had plenty of problems with those VZ devices and other real routers downstream when services are being provided from the site.
 
If the new site LAN IP scheme is the same then all you should need to do is update the WAN interface on the router to the new public IP and update the client as well.

That's the theory. However, it looks like the Verizon Modem/Router is not passing the public IP address to Zyxel when I connect the Modem/Router WAN port to the Zyxel WAN port.

@Valhalla_tech I noticed a public IP in the second file you uploaded? Is that the old IP or the new IP?

I'm not sure what you're referring to. If you're talking about the second screen cap, then those are just address objects that are setup on the Zyxel. The Zyxel has yet to pull a public IP on the WAN port. It will pull a LAN address from DHCP, if it's connected to the switch.

In the case of VZ, what are you actually hooked up to? A VZ provided device? Does the site have its own ONT? Are they using FiOS for TV as well or just Internet? If the use is Internet only you can actually dump the VZ modem and just hook the Zyxel directly to the Ethernet port on the ONT. I've had plenty of problems with those VZ devices and other real routers downstream when services are being provided from the site.

The VZ device is a Quantum Fios-G1100 modem/router. I believe they only have internet, no TV. I'm assuming there has to be an ONT for FiOS to work. I didn't think about connecting the Zyxel directly to the ONT; might be an option if the modem can't be bridged to pass the public IP address.
 
Ok, let's take a step back and look at the basics so I'm clear on your setup. You should have the below.

ONT > (coax/cat) > G1100 (coax/WAN port) > G1100 LAN port cat > Zyxel WAN port. The WAN port for the Zyxel needs to be configured for the fixed IP that VZ provided, Gateway, Mask, and DNS. Based on your description above that is all that should need to be done. But that may not all be on the same page. For example, on an ERL3 it's on three different pages.

If you have cat from the ONT to the G1100 then just leave the G1100 out of the equation, plug the cat into the WAN port on the Zyxel. If it's coax you want to log into the G1100 and turn off DHCP and firewall. Though, in theory, if you config the WAN port on the Zyxel properly it'll still work. But you want DHCP on the G1100 off for security reasons. Personally I prefer to leave the VZ device out, run a new cat to the router.

Edit: on the second file you uploaded, IP Address Configuration, you have a HOST entry with
192.88.99.1, which is a public IP. Is that the old public IP info?
 
Ok, let's take a step back and look at the basics so I'm clear on your setup. You should have the below.

If you have cat from the ONT to the G1100 then just leave the G1100 out of the equation, plug the cat into the WAN port on the Zyxel. If it's coax you want to log into the G1100 and turn off DHCP and firewall. Though, in theory, if you config the WAN port on the Zyxel properly it'll still work. But you want DHCP on the G1100 off for security reasons. Personally I prefer to leave the VZ device out, run a new cat to the router.

Diagram of network attached. Upon further thought, the G1100 cannot be left out, because the client needs Wi-Fi, which the USG40 does not provide. Currently, DHCP is disabled on the G1100; I don't think the firewall is though. When I connect the G1100 to the WAN port on the Zyxel, it will not pull the public address and everything loses internet connectivity. That's why I'm thinking the solution of enabling bridge mode on the G1100 might work, because it should pass the public IP to the USG40.

Edit: on the second file you uploaded, IP Address Configuration, you have a HOST entry with
192.88.99.1, which is a public IP. Is that the old public IP info?

That's a class C address. I didn't think anybody used class C's for public addresses. But, yes that's left over from the old configuration.
 
No diagram attached. Do they have a static or dynamic service? You do not want to be messing around with VPN on dynamic service, even with DDNS. Was VPN working before the move?

Class C has nothing to do with public or private per se. That IP, 192.88.99.1, is a public IP; it's pingable. But, most likely, it's not relevant to this as it belongs to 6to4, a tunneling mechanism between IPv6 and IPv4. The only part of Class C, 192.0.1.1 to 223.255.254.254, that is private is the 192.168.x.x range.

On the wireless. If it was me I'd tell them the wireless on the G1100 is very inferior, which is true, to low cost commercial solutions like a UniFi AP LR.
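The thread turns on two checks a practitioner would want to automate: whether the address the Zyxel's WAN port reports is actually public (the "192.168 type" address that signals double NAT behind the G1100) and whether a leftover object such as 192.88.99.1 is private or merely classful "class C". The script below is an added example, not code from the thread or from Zyxel; it uses only the Python standard library. The sample addresses are taken from the thread (192.168.16.4, 192.168.16.40, 192.88.99.1) plus constructed ones; the CGNAT (RFC 6598) case goes beyond what the thread discusses, since a 100.64.0.0/10 WAN address is another common reason a router never sees a public IP.

```python
"""Classify an IPv4 address the way the thread reasons about it:
classful letter (A-E, purely historical), then the special-purpose
block it falls in, then what that means for a VPN endpoint.

Added example; ranges are from the RFCs named, not from Zyxel docs.
"""
import ipaddress

# Special-purpose blocks checked in order; first match wins.
SPECIAL_RANGES = [
    ("rfc1918-private", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]),
    ("cgnat-shared-rfc6598", ["100.64.0.0/10"]),
    ("loopback", ["127.0.0.0/8"]),
    ("link-local", ["169.254.0.0/16"]),
    # 6to4 relay anycast, RFC 3068; deprecated by RFC 7526. Public, not RFC 1918.
    ("6to4-relay-anycast", ["192.88.99.0/24"]),
    ("documentation-rfc5737", ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]),
    ("multicast-or-reserved", ["224.0.0.0/4", "240.0.0.0/4"]),
]

# Defender-side reading of each category for a router's WAN address.
ADVICE = {
    "public": "WAN has a routable address; the VPN endpoint is reachable directly.",
    "rfc1918-private": "Double NAT: the ISP device is routing. Bridge it, or at "
                       "minimum forward IKE (UDP 500), NAT-T (UDP 4500) and ESP.",
    "cgnat-shared-rfc6598": "Carrier-grade NAT: no inbound path. Ask the ISP for a "
                            "public (static) address before building site VPN.",
    "6to4-relay-anycast": "Public but special-purpose; not a usable site address.",
}


def classful_class(ip_text):
    """Historical classful letter; has no bearing on public vs. private."""
    first_octet = int(ipaddress.IPv4Address(ip_text)) >> 24
    if first_octet < 128:
        return "A"
    if first_octet < 192:
        return "B"
    if first_octet < 224:
        return "C"
    if first_octet < 240:
        return "D"
    return "E"


def classify(ip_text):
    """Return the special-purpose category, or 'public' if none matches."""
    addr = ipaddress.ip_address(ip_text)
    if addr.version != 4:
        raise ValueError("IPv4 only: %s" % ip_text)
    for label, nets in SPECIAL_RANGES:
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return label
    return "public"


def wan_check(wan_ip):
    """Return (classful letter, category, advice) for a WAN address."""
    category = classify(wan_ip)
    advice = ADVICE.get(category, "Special-purpose block; not a valid WAN address.")
    return classful_class(wan_ip), category, advice


if __name__ == "__main__":
    # Constructed sample: addresses from the thread plus a CGNAT example.
    for sample in ["192.168.16.4", "192.168.16.40", "192.88.99.1",
                   "100.64.3.7", "192.0.1.1"]:
        letter, category, advice = wan_check(sample)
        print("%-14s class %s  %-22s %s" % (sample, letter, category, advice))
```

Running it shows the two points made in the thread side by side: 192.168.16.40 and 192.88.99.1 are both "class C", yet only the first is RFC 1918 private, and only the first means the Zyxel is sitting behind a second NAT.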
 