ZYXEL USG FLEX 50 USG20-VPN (01) PDF MANUAL

• Quick Start Guide: Shows how to connect the Zyxel Device and access the Web Configurator wizards. It also contains a connection diagram and package contents list.

• CLI Reference Guide: Explains how to use the Command-Line Interface (CLI) to configure the Zyxel Device. (Note: It is recommended you use the Web Configurator).

• Web Configurator Online Help: Click the help icon in any screen for help on configuring that screen and supplementary information.

• More Information: Go to support.zyxel.com to find other information on Zyxel Device.

Warnings and Notes:

Warnings tell you about things that could harm you or your device.

Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.

Syntax Conventions:

• All models in this series may be referred to as the “Zyxel Device” in this guide.

• Product labels, screen names, field labels and field choices are all in bold font.

• A right angle bracket (>) within a screen name denotes a mouse click. For example, Configuration > Network > Interface > Ethernet means you first click Configuration in the navigation panel, then Network, then the Interface sub menu and finally the Ethernet tab to get to that screen.

Icons Used in Figures:

Figures may use generic icons. The Zyxel Device icon is not an exact representation of your device. Common icons represent: Zyxel Device, Generic Router, Wireless Router / Access Point, Switch, Firewall, Server, Internet, Network Cloud, Smartphone, USB Dongle.

• Configuration > Content Filter > Trusted Web Sites

• Configuration > Anti-Spam/Email Security > Block/Allow List

1. Log into NCC (https://nebula.zyxel.com) with your Zyxel account. If you don’t have one, you’ll be prompted to create one.

2. After logging in, click Go under Nebula Control Center, then Let’s Start to run the NCC setup wizard. Create or select an existing organization and site.

3. Add the Zyxel Device to the site by entering its MAC address and serial number (found on the device label) or by scanning the QR code with the Nebula Mobile app.

4. Configure the WAN interface the Zyxel Device will use to connect to NCC via the Internet.

5. If possible, select Native Mode. If not available, configure the email address of the person who will manage the device via NCC. An activation email will be sent to this person.

1. Connect the WAN port (P1 or P2) of the Zyxel Device to an Ethernet port providing Internet access.

2. Connect a LAN port (P3 or P4) of the Zyxel Device to your computer. Ensure your computer obtains an IP address automatically (default setting).

3. Connect the power and turn on the Zyxel Device. Wait for the SYS LED to turn solid green.

4. (Optional but recommended) Back up your current configuration via Maintenance > File Manager > Configuration File > startup-config.conf > Download.

5. If you could not select Native Mode in the NCC Portal setup: Reset the Zyxel Device to factory defaults by pressing the Reset button until port LEDs turn off (approx. 5 seconds). This erases all previous configurations. Skip this if the device was never configured before. A reset is necessary if it doesn’t have the factory default configuration.

1. Check your mailbox (including spam folder) for an email from NCC.

2. Follow the instructions in the email. Click the activation link or copy it to your web browser. You will see a screen indicating NCC registration is in progress.

3. Wait for the confirmation screen stating NCC registration has succeeded. Management is now passed to Nebula Control Center.

1. Log into NCC (https://nebula.zyxel.com) with your Zyxel account.

2. Go to Organization-wide > License & Inventory > Devices.

3. Select the Zyxel Device you want to remove from NCC (identify by MAC address and serial number).

4. Click Remove from organization.

5. If the Zyxel Device is connected to NCC, it will automatically reset after removal. If not connected, press the reset button manually to reboot to factory defaults. All NCC configurations will be erased.

6. Log into the Zyxel Device’s web configurator. Run the Initial Setup Wizard and choose On Premises Mode.

7. (Optional) To restore a previous configuration backup: Go to Maintenance > File Manager > Configuration File. Under Upload Configuration File, browse to your saved startup-config.conf file and click Upload.

1. (Optional but recommended) Back up your current configuration in Maintenance > File Manager > Configuration File.

2. Reset the Zyxel Device to factory defaults by pushing the Reset button until the port connection LEDs turn off (about 5 seconds). The device will reboot.

3. Log into the Zyxel Device’s web configurator. Run the Initial Setup Wizard and choose Nebula Mode.

4. If prompted to choose between Native Mode or ZTP, select Native Mode.

5. Follow the steps in the Nebula Mode setup wizard (adding the device to NCC, etc.).

Registration is done at portal.myZyxel.com, Zyxel’s online services center. You need to register your device to manage subscription services (viewable in Configuration > Licensing > Registration > Service).

• Devices with firmware 4.25 or later require registration and service activation via myZyxel.com (can be done through the device interface).

• Devices upgrading to 4.25 or later can potentially skip registration/activation, but it’s highly recommended to register. Registration provides benefits like the Firmware Upgrade license (for Cloud Helper notifications), which is often free upon registration.

You’ll need a Zyxel account (create one at portal.myZyxel.com) and may need the device’s serial number and LAN MAC address (found on the label).

• Security Router: Provides security features including a Stateful Packet Inspection (SPI) firewall.

• IPv6 Routing: Supports IPv6 Ethernet, PPP, VLAN, and bridge routing. Can create IPv6 policy routes/objects and route IPv6 packets through IPv4 networks using tunneling.

• VPN Connectivity: Set up secure VPN tunnels (site-to-site, remote access for telecommuters/travelers) to access your network. Can use an external Authentication Server (AS).

• SSL VPN Network Access: Allows remote users easy VPN access via web browsers. Full tunnel mode provides a private IP address on the local subnet for seamless resource access.

• User-Authentication Access Control: Restrict access to resources based on user identity. Different users can have different access levels (e.g., Internet only, Internet + file server).

• Load Balancing: Set up multiple Internet connections (on the same or different ports, including cellular) and balance traffic loads between them.

• Web Configurator: An HTML-based interface for easy setup and management via an Internet browser (HTML5 compatible like Edge, IE11, Firefox, Chrome recommended).

• Command-Line Interface (CLI): Use text-based commands for configuration. Access via remote management (SSH, Telnet) or the physical/Web Console port.

• FTP: Use File Transfer Protocol for firmware upgrades and configuration backup/restore.

• SNMP: Monitor and/or manage the device using an SNMP manager.

• CloudCNM: Enable and configure management via a Central Network Management system (details in Configuration > Mgmt. & Analytics > Nebula).

• Nebula Control Center (NCC): Manage the device remotely via the cloud portal (requires Nebula Mode).

• Local Zyxel Device authentication

• An external RADIUS server

• An external LDAP server

• Certificates

• A compatible browser (HTML5 support, e.g., Microsoft Edge, Internet Explorer 11, Mozilla Firefox, Google Chrome).

• Web browser pop-up windows allowed from your device.

• JavaScript enabled (default).

• Java permissions enabled (default).

• Recommended minimum screen resolution: 1024 x 768 pixels.

1. Ensure hardware is properly connected (see Quick Start Guide).

2. Open your browser and go to https://192.168.1.1 or https://myrouter.local. The device defaults to HTTPS.

3. The Login screen appears.

1. On the Login screen, enter the default User Name (“admin”) and Password (“1234”).

2. Optionally, select a different display language from the drop-down list.

3. Click Login.

4. You will be immediately prompted by the Update Admin Info screen to change the default password. Enter a new password (1 to 64 characters) and confirm it.

5. Note the Password Complexity option (Configuration > Object > User/Group > Setting): If enabled, the password must be 8-64 characters and include at least one number, one lowercase letter, one uppercase letter, and one special character (e.g., !@#$%^&*()_+). You can also enforce periodic password changes here.

6. Click Apply after entering the new password.

7. A Terms of Use screen appears. Read it and click Acknowledge. (Note: May download automatically in Internet Explorer).

• Password Change Notification: This screen appears after the Terms of Use (step 7 above). It lists privileged accounts and their last password change/expiry dates. It reminds you to change passwords regularly for better security. You can select how often to see this reminder (e.g., “every time”) and click OK.

• Network Risk Warning: This screen appears next. It highlights any unregistered or disabled security services. If the device isn’t registered, it prompts you to do so. Select how often to display this screen and click OK.

Router> enable
Router# configure terminal
Router(config)# service-register_setremind every-time
Router(config)#

• Secure SSL access from the Internet to the Zyxel Device.

• Secure SSL access from the Internet to the network behind the Zyxel Device.

• The default port for IPSec VPN clients to retrieve VPN rules.

• The default port for two-factor authentication for VPN clients.

• The default HTTPS port is 443. If you change this port (e.g., to 8800), remote connections must use the new port (e.g., https://[Device_IP]:8800).

• Use the ‘Security Check for Web Interface’ screen or relevant configuration sections to specify the trusted source IP addresses or FQDNs allowed for remote management.

• Configure a new port between 1024 and 65535 that is not used by other services.

• The default SSL VPN port is 443. If you change this port on the Zyxel Device, you must make the same change in the SecuExtender SSL VPN client software.

• Configure a new port between 1024 and 65535 that is not used by other services.

• You can restrict SSL VPN access to up to 3 specific locations (IP addresses, FQDNs, or geographic regions) from the Internet using the ‘Security Check for Web Interface’ screen or relevant configuration sections.

You can change the default port (443) that IPSec VPN clients use to retrieve VPN rule settings from the Zyxel Device. Since 443 is often used for remote management and SSL VPN, changing this can avoid conflicts.

• Configure a new port between 1024 and 65535 that is not in use by other services.

• If you change the port on the Zyxel Device, you must configure the Zyxel IPSec VPN client to use the same new port.

You can change the default port used by VPN clients for two-factor authentication when accessing the network behind the Zyxel Device.

• VPN clients do not need to manually change the port number on their end; the authentication link provided (via email/SMS) will automatically include the new port number (e.g., https://[Device_Link]:8008 if changed to 8008).

• Configure a new port between 1024 and 65535 that is not in use by other services.

• This port can also be changed in Object > Auth. Method > Two-factor Authentication > VPN Access.

• Regularly check for and update firmware via Maintenance > Firmware Management.

• Change admin passwords regularly.

• Enable Password Complexity (Object > User/Group > Setting) to enforce strong passwords (at least 8 characters, including upper case, lower case, number, and special character).

• Two-Factor Authentication: Adds a second layer of security for VPN access. After username/password (first layer), users must authenticate via an authorized SMS or email address (second layer).

• Device Insight: Identify and view basic info/status of clients connected to the Zyxel Device networks (Monitor > Network Status > Device Insight). Create profiles (Configuration > Object > Device Insight) to block specific clients from accessing the Internet or the Zyxel Device.

• IPSec VPN: Create highly secure VPN connections using IKEv2 or EAP authentication for remote workers to access company resources.

• Upload Bandwidth Limit: (Requires Zyxel SecuExtender subscription and specific client versions) Set maximum upload bandwidth limits for traffic from IPSec VPN clients over their tunnels.

• A – Title bar

• B – Navigation panel

• C – Main window

Navigation Panel: Located on the left side of the Web Configurator, this panel contains menu items (like Monitor, Configuration, Maintenance) that expand to show links to various status and configuration screens. You can click the arrow on its right edge to hide/show the panel or drag to resize it.

Dashboard: The main screen displayed after login (if not intercepted by wizards or warnings). It shows widgets with general device information, system status, resource usage, licensed service status, and interface status. You can rearrange these widgets to suit your needs.

Sorting: Click a column heading to sort the table entries based on that column’s criteria. Click again to reverse the sort order.

Filtering/Grouping/Columns: Click the down arrow next to a column heading for more options:

• Sort Ascending/Descending.

• Columns: Select which columns to display or hide.

• Group By This Field: Group entries that have the same value in this column.

• Show in Groups: Toggle the display of grouped entries.

• Filters: Apply filters based on mathematical operators (<, >, =) or text search for that column.

Resizing Columns: Click and drag the right border of a column heading cell to resize the column width.

Moving Columns: Click and drag a column heading cell to a different position. A green check mark indicates a valid drop location.

Navigating Pages: Use the icons (|< < > >|) and page number fields at the bottom of the table to navigate through multiple pages of entries. Use the “Show [number] items” dropdown to change how many entries display per page.

Selecting Multiple Entries: You can often use [Shift]+click or [Ctrl]+click to select multiple entries for actions like removing, activating, or deactivating.

• Double-click an item in either list to move it to the other list.

• Select one or more items (using [Shift] or [Ctrl] keys for multiple selections) in one list.

• Click the arrow button pointing towards the other list to move the selected item(s).

1. Welcome Screen (Overview)

2. Connect to Internet (WAN): Configure primary (and optionally secondary) WAN interface settings (Encapsulation, IP assignment, etc.).

3. Date and Time Settings: Synchronize time.

4. Register Device: Register the device with myZyxel.com.

5. Activate Service: Activate licensed security services.

6. Service Settings: Enable/configure specific services like Content Filter, Anti-Spam, SecuReporter.

7. Wireless Settings (if applicable): Configure built-in AP settings (SSID, security).

8. Remote Management: Configure secure remote access settings.

• I have two ISPs: (First WAN interface screen only) Select to configure two connections; leave unchecked for one.

• VLAN Tagged: Select to enable 802.1Q tagging. Enter the VLAN ID (1-4080).

• Encapsulation: Choose Ethernet (standard), PPPoE, PPTP, or L2TP based on ISP info.

• MTU: Maximum Transmission Unit (bytes, 576-1500, usually 1500).

• WAN Interface: Shows the interface being configured (e.g., wan1, wan2).

• Zone: Security zone for this interface (usually WAN).

• IP Address Assignment: Select Auto (for DHCP) or Static (if ISP provided a fixed IP).

• DHCP Option 60: (If Auto IP is selected) Enter a Vendor Class Identifier string (up to 63 chars: a-zA-Z0-9!\”#$%&\'()*+,-./:;<=>?@\[\\\]^_`{}) if required by the ISP’s DHCP server.

If Static IP Address Assignment selected:

• IP Address: Enter the static IP address from your ISP.

• IP Subnet Mask: Enter the subnet mask from your ISP.

• Gateway IP Address: Enter the default gateway IP address from your ISP.

• First / Second DNS Server: Enter primary and secondary DNS server IP addresses. Leave as 0.0.0.0 if not configuring DNS here.

Specific Encapsulation Settings:

• PPPoE: Service Name (optional, alphanumeric+- _@$./, up to 64 chars), Authentication Type (Chap/PAP, Chap, PAP, MSCHAP, MSCHAP-V2), User Name (alphanumeric+- _@$./, up to 31 chars), Password (up to 64 ASCII, no []?), Nailed-Up (keep connection active) or Idle Timeout (seconds).

• PPTP: Authentication Type (as PPPoE), User Name, Password, Nailed-Up/Idle Timeout. Requires: Base Interface (Ethernet port), Base IP Address (static), IP Subnet Mask, Gateway IP Address, Server IP (PPTP server), Connection ID (optional, “c:id” or “n:name” format, alphanumeric+-_:, up to 31 chars).

• L2TP: Authentication Type (as PPPoE), User Name, Password, Nailed-Up/Idle Timeout. Requires: Base Interface, Base IP Address, IP Subnet Mask, Gateway IP Address, Server IP (L2TP server).

• Ensure the cable is connected to the correct WAN port on the Zyxel Device and to the modem/Internet source.

• Verify the modem/Internet source device is powered on and connected. The WAN port LED on the Zyxel Device should be lit (typically orange or green).

Specific errors:

• Ethernet (DHCP): If no IP obtained, confirm ISP uses DHCP. Check settings with ISP.

• Ethernet (Static): If IP address fails, double-check the IP, subnet mask, and gateway address provided by ISP. Re-enter exactly. Check with ISP if errors persist.

• PPPoE: Check Service Name (if used) and Authentication Type are correct. Re-enter username/password exactly. Confirm WAN settings and credentials with ISP.

• PPTP: Check Service IP, Base IP, Subnet Mask, Gateway IP, Connection ID (if used), and Authentication Type. Re-enter username/password exactly. Confirm WAN settings and credentials with ISP.

• L2TP: Check Server IP, Subnet Mask, Gateway IP, Base IP, and Authentication Type. Re-enter username/password exactly. Confirm WAN settings and credentials with ISP.

• Static IP Assignment (General): If static IP fails, re-enter IP, subnet mask, gateway, and DNS server info exactly as provided by ISP. Check with ISP if errors persist.

After making corrections, click Back to re-enter settings or use the Connection Test button on the summary screen.

• Content Filter: Enable/Disable (Recommended: Enable)

• Anti-Spam: Enable/Disable (Recommended: Enable) (Note: USG FLEX 50AX does not support anti-spam)

• SecuReporter: Enable/Disable. If enabling SecuReporter for the first time, you may need to accept the Terms of Use/GDPR policy via a checkbox.

• Server Status: Shows connection status (Connected, Timeout, Fail).

• Device Name: Enter a name for this device within SecuReporter.

• Organization:

• If you have existing organizations: Select “Select from existing organization” and choose the organization from the dropdown.

• If creating a new one: Select “Create new organization”, enter a name (up to 255 chars) and optionally a description.

• Data Protection Policy: Choose the level of data anonymization for logs sent to SecuReporter:

• Partially Anonymous: Replaces personal data (usernames, MACs, emails, hostnames) with artificial identifiers in downloaded logs. Data can be removed.

• Fully Anonymous: Replaces personal data with anonymized info in Analyzer, Reports, and logs. Data cannot be traced back.

• Non-Anonymous: Personal data is clearly identifiable. Data cannot be removed.

If the device is already added to an organization, the screen will simply display the Server Status, Device Name, and Organization.

1. Management Mode Screen: Choose “Built-in AP” to use the device’s wireless capabilities or “AP Controller” to manage external Zyxel APs (cannot do both). Click Next.

2. AP Controller Screen (if AP Controller selected): Choose Yes to enable the AP Controller feature, No otherwise. Click Next.

3. SSID & Security Screen (if Built-in AP selected):

• SSID: Enter a wireless network name (up to 32 printable characters).

• Security Mode: Select “Pre-Shared Key” for password protection or “None” for an open network.

• Pre-Shared Key: (If Security Mode is Pre-Shared Key) Enter a password (8-63 case-sensitive ASCII characters or 64 hex characters).

• Hidden SSID: Check this box to prevent the SSID from being broadcast.

• Enable Intra-BSS Traffic Blocking: Check this to prevent wireless clients on this SSID from communicating directly with each other (they can still access the wired network).

• Bridged to: (Specific models like ‘W’ versions) Select a wired interface (e.g., lan1) to bridge the wireless network to. Wireless clients will be part of the same broadcast domain as the selected wired interface.

• Allow secure remote management from WAN: Check to enable remote HTTPS access.

• Port: Set the HTTPS port (default 443, range 1-65535). Change recommended.

• Restrict access only to trusted host: Check to limit access.

• Trusted Host 1-3: Enter allowed source IP addresses or FQDNs (optional).

• Allow SSL VPN access from WAN: Check to enable remote SSL VPN access.

• Port: Set the SSL VPN port (default 443, range 1-65535). Change recommended.

• Restrict access by GeoIP: Check to limit access by country.

• Trusted Geolocation 1-3: Select allowed countries (optional).

1. Connect to Internet (WAN): Configure the primary (and optionally secondary) WAN interface that the device will use to reach NCC. Settings are similar to the On Premises wizard (Encapsulation, IP assignment, VLAN, MTU etc.).

2. Add Device / Go to Nebula: After WAN configuration, a screen appears with instructions and a QR code to add the device to your Nebula organization/site using either the Nebula web portal or the Nebula mobile app.

Using Nebula Portal:

1. Log into the Nebula portal (http://nebula.zyxel.com) with your myZyxel account.

2. Follow the portal’s wizard/instructions to create/select an organization and site.

3. Enter the device’s MAC address and serial number (S/N) found on the label when prompted.

4. Click “Go To Nebula” (or similar prompt in the portal) to finish.

Using Nebula App:

1. Download the Nebula app (App Store/Google Play).

2. Run the app and select/create a site.

3. Scan the QR code displayed in the wizard screen using the app to register the device with its MAC/Serial Number.

Click “Finish” in the Zyxel Device’s wizard screen after successfully adding the device via either method.

If you cannot access Nebula after this step, log into the device locally using the support account and use the Local GUI/Web Configurator for troubleshooting the WAN connection.

1. Ensure the device surface is clean and dry.

2. Remove the adhesive backing from the included rubber feet.

3. Attach one rubber foot to each corner on the bottom of the Zyxel Device to prevent shock/vibration and allow air circulation.

1. Determine the correct distance “X” between mounting holes for your model:

2. Drill two holes in the wall, distance “X” apart. Holes should be 3-4 mm (0.12″-0.16″) wide and 20-30 mm (0.79″-1.18″) deep. Insert the included screw anchors into the holes.

3. Screw the included screws (with 6-8 mm / 0.24″-0.31″ wide heads) into the anchors. Do NOT screw them all the way in. Leave a gap of 1-1.5 mm (0.04″-0.06″) between the screw head and the wall. Ensure screws are securely fixed and can hold the device’s weight.

4. Align the mounting holes on the bottom of the Zyxel Device with the screws in the wall and slide the device down to hang it on the screws. The gap allows cables to run behind the device.

• Web Configurator: Maintenance > Shutdown > Shutdown

• CLI command: `shutdown`

Easy Mode: Designed for simpler network environments (typically one WAN, one LAN). It provides wizards for common tasks (Initial Setup, VPN, Port Forwarding, Wi-Fi/Guest, Security Service), links to portals (MyZyxel, One Security), and basic dashboard views. Configuration changes made here automatically create corresponding objects and rules prefixed with “EZ_” in Expert Mode.

Expert Mode: Provides access to the full set of advanced configuration menus and features.

Switching: You can switch between modes. When logged in, Easy Mode shows an “Expert Mode” button/link, and Expert Mode shows an “Easy Mode” button/link. When switching to Expert Mode for the first time after login, a confirmation prompt appears asking which mode should be the default starting mode for future logins.

Note: Changes made in Expert Mode might not display correctly back in Easy Mode. Some models do not support Easy Mode (check Section 1.1).

Guest Network Note: Enabling the guest network in Easy Mode renames the OPT port (or the highest-numbered copper Ethernet port, P6 by default) to “guest” and creates a corresponding guest interface (visible in Expert Mode’s Configuration > Network > Interface > Port Role).

You generally interact with Easy Mode settings via the Easy Mode interface. If you switch to Expert Mode, you can see the “EZ_” objects and rules created by Easy Mode.

Editing/Deleting rules in Expert Mode:

Important:

• Editing EZ_ rules directly in Expert Mode might cause unexpected behavior in Easy Mode.

• You cannot delete EZ_ objects or rules if they are currently used by a policy. You must first delete the corresponding policy/configuration in Easy Mode or remove the reference in Expert Mode.

• If you delete an EZ_ object/rule in Expert Mode, the corresponding configuration in Easy Mode may stop working.

• It is generally recommended to manage Easy Mode configurations through the Easy Mode interface.

Wizards:

• Initial Setup Wizard: For first-time Internet access setup.

• VPN Wizard: For site-to-site or remote client VPN tunnels.

• Port Forwarding Wizard: To set up access to internal servers (like NAS).

• Wi-Fi and Guest Wizard: To configure wireless network name/security for normal and guest access.

• Security Service Wizard: To configure subscriptions like content filtering, IDP, anti-virus.

Links:

• MyZyxel Portal: To subscribe to security services.

• One Security Portal: For configuration walkthroughs and help on security/VPN.

• Expert Mode: To access the full advanced configuration menus.

• Create Recovery Point: Saves the current device configuration as a restore point. Use this when the configuration is known to be working correctly.

• Restore Last Recovery Point: Reverts the device configuration back to the most recently created recovery point. Use this if recent changes caused problems. All changes made after the recovery point was created will be lost.

• Restart: Reboots the Zyxel Device. Useful after firmware upgrades or for troubleshooting. Web configurator changes are saved automatically; CLI changes require the ‘write’ command before rebooting to persist.

• Shutdown: Safely prepares the device to be powered off. Writes cached data, stops processes. Does not physically turn off power. Wait for completion before removing power.

• If new firmware is available, the icon displays a red “N”.

• Clicking the icon (with or without the red “N”) checks for updates.

• If an update is found, a “What’s New” pop-up appears showing release notes.

• To upgrade directly from this pop-up, you need a Firmware Upgrade license associated with the device. If licensed, the “Upgrade Now” button is active. Click it to download and install the firmware (the device will reboot automatically).

• If unlicensed, “Upgrade Now” is grayed out.

• If the device is not registered with myZyxel, a message indicating this will appear.

• System Information: Firmware Version, System Uptime, Current Date/Time.

• Internet Status: Connection Type, WAN IP, Gateway, DNS. Includes a “Test Connection” button.

• VPN Status: Indicates if VPN rules are configured. Links to VPN Wizard if none exist.

• Security Status: Shows Firewall status (Enable/Disable) and Content Filter status (Enable/Disable, Licensed/Not Licensed). Links to Security Service Wizard.

• Network Client (LAN): Shows which ports are assigned to LAN1. Displays the number of connected clients.

• Network Client (Guest): Shows the guest network status (often N/A initially). Displays number of connected clients and guest Wi-Fi status.

• Wi-Fi / AP Status: Indicates if APs are configured. Links to Wi-Fi and Guest Wizard if none exist.

• Guest Wi-Fi / AP Status: Indicates if Guest APs are configured. Links to Wi-Fi and Guest Wizard if none exist.

• System information, such as firmware version, the length of time the Zyxel Device has been on, date and time.

• Internet information such as Internet connection type, WAN IP address and a button to test the connection.

• VPN tunnel information and a button to monitor and create VPN tunnels.

• Security information such as if the firewall is enabled and if supported security services are licensed. You will be prompted to create a secure policy when a service is licensed and you turn it on in order for the service to be used.

• Network Client information.

1. Click the settings icon to manage clients.

2. Click + to add a new network client.

3. In the pop-up screen (Add a Client Device), enter the client’s interface (LAN1 or Guest), IP Address, MAC Address and Name.

4. Click OK.

• LAN information on wired and wireless connections to the Zyxel Device

• Guest Network information on guest wired and wireless connections to the Zyxel Device

• Wi-Fi button to change Wi-Fi channel

• Guest button turn the guest wireless network off or on.

1. Connect to Internet (WAN)

2. Date and Time Setting

3. Register Device

4. Activate Service

5. Wireless LAN

• Security Service (Content Filter)

• Port Forwarding

• Guest LAN (Wired Network)

• VPN

1. Verify that your Internet access information uses PPPoE as the WAN connection type.

2. Re-enter your PPPoE user name and password exactly as provided by your ISP.

3. If the error persists, contact your ISP to confirm the correct WAN settings and user credentials.

1. Confirm that your Internet access information uses DHCP as the WAN connection type.

2. If it fails again, check with your ISP to ensure DHCP is expected and verify the correct WAN settings.

1. Double-check that you were given a specific IP address, subnet mask, and gateway address by your ISP.

2. Re-enter the IP address, subnet mask, and gateway address exactly as provided.

3. If the problem continues, contact your ISP to verify the correct IP address, subnet mask, gateway address, and any other necessary WAN settings.

1. Ensure the Zyxel Device has a working Internet connection.

2. In the ‘Date and Time Settings’ step of the wizard, click the ‘Sync. Now’ button to manually trigger synchronization with the time server.

• Receiving notifications about new firmware availability.

• Activating security service licenses (like Content Filter, IDP, Anti-Virus).

• Content Filter (to block websites by category, such as Gambling)

• IDP (Intrusion Detection & Protection, to recognize and drop traffic with attack patterns)

• Anti-Virus (to detect virus patterns in files)

• Anti-Spam (to mark or discard unsolicited commercial or junk e-mail)

1. Wait a few moments for the information to update.

2. Ensure the Zyxel Device has a working Internet connection. Try accessing the Internet from a computer connected to a LAN port on the Zyxel Device.

3. If the Internet connection is working, click “Refresh” again.

4. If you still cannot connect, check your Internet access settings on the Zyxel Device.

1. Select the “Enable Wi-Fi Network” checkbox.

2. Configure a descriptive name (SSID) for the wireless network under “Wi-Fi”. Use 1 to 32 alphanumeric characters, hyphens, or underscores (a-z A-Z 0-9 -_).

3. Set a strong “Password” (see requirements).

Note: You must change the default password to continue.

1. Select the “Enable Guest Wi-Fi Network” checkbox.

2. Configure a descriptive name (SSID) for the guest wireless network under “Guest Wi-Fi”. Use 1 to 32 alphanumeric characters, hyphens, or underscores (a-z A-Z 0-9 -_).

3. Set a strong “Password” (same requirements as the main Wi-Fi password).

Note: The Guest Wi-Fi Network allows Internet access only for a limited time (default 4 hours).

• Security Service (Content Filter, IDP, Anti Virus)

• Port Forwarding

• Guest LAN (Wired Network)

• VPN

• Site-to-site: Connecting two Zyxel Device networks securely.

• Remote client (Zyxel client): Allowing remote users with Zyxel VPN software to connect securely to your network.

• Remote client (Other): Allowing remote users with other standard VPN software (like L2TP) to connect securely.

1. Ensure the service is licensed (not grayed out). Activate it at myZyxel if necessary and click Refresh.

2. Select the “Enable Content Filter with the following contents blocked” checkbox.

3. Select the checkboxes for the website categories you wish to block.

4. Click Next.

1. From the ‘Client’ drop-down list, select the internal device (e.g., NAS server) that will receive the forwarded traffic. (Click ‘Add here’ if the client is not listed).

2. From the ‘Service List’ (Available box), select the service(s) or port(s) that the internal device provides (e.g., FTP, HTTP, HTTPS).

3. Use the right arrow button to move the selected service(s) to the ‘Member’ box.

4. Click Next.

1. Select the “Enable Guest Network (for wired clients)” checkbox.

2. Click Next.

1. Enable Guest Wi-Fi Network (in the Wi-Fi setup step or wizard).

2. Enable Guest LAN (Wired Network) (to designate the OPT/P6 port as the guest port).

• IPSec VPN Settings (for site-to-site or standard client VPNs)

• IPSec VPN Settings for Configuration Provisioning (for Zyxel VPN clients)

• VPN Settings for L2TP VPN Settings (for L2TP clients)

• Settings on both Zyxel Devices must be correct and reciprocal (e.g., local settings on one match remote settings on the other).

• The pre-shared key, negotiation mode, encryption, authentication settings, DH key group, etc., must be identical on both devices.

• Both devices must be able to communicate with each other (try pinging the remote gateway).

• Ensure no firewall in front of either Zyxel Device is blocking VPN traffic (typically UDP ports 500 and 4500, and ESP protocol).

• The Zyxel client VPN software must be installed and configured correctly on the remote computer.

• The VPN settings (pre-shared key/certificate, negotiation mode, encryption, authentication, DH group) must match between the client configuration and the Zyxel Device rule.

• The client must be able to communicate with the Zyxel Device (try pinging the Zyxel Device from the client).

• The L2TP VPN client software must be installed and configured correctly on the remote computer or device (refer to the OS/device help).

• The client must be able to communicate with the Zyxel Device (try pinging the Zyxel Device from the client).

• Ensure that L2TP traffic (typically UDP ports 500, 4500, and 1701) is allowed through the WAN on the Zyxel Device and not blocked by any intermediate firewalls.

• Express: Creates a VPN rule using default Phase 1 and Phase 2 settings, typically for connecting to another ZLD-based Zyxel Device using a pre-shared key. It simplifies the setup process.

• Advanced: Allows you to customize the Phase 1 and Phase 2 settings (like negotiation mode, encryption/authentication algorithms, key groups, lifetimes) and/or use certificates instead of a pre-shared key. It offers more flexibility for connecting to other IPSec devices or meeting specific security requirements.

• IKEv1: Supports X-Auth for authentication.

• IKEv2: Supports Extended Authentication Protocol (EAP), which is important for integrating with existing enterprise authentication systems (like RADIUS).

• Length: 1 to 31 characters.

• Allowed characters: Alphanumeric (a-z, A-Z, 0-9), underscores (_), dashes (-).

• Restriction: The first character cannot be a number.

• Case-sensitive: Yes.

• If the scenario chosen makes this field non-configurable (like Remote Access Server Role or Site-to-Site with Dynamic Peer), it will display “Any”.

• Otherwise, enter the static WAN IP address or domain name of the remote peer.

• Use 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address (applicable in the Site-to-Site scenario when the remote peer initiates).

• Both ends of the VPN tunnel must use the exact same Pre-Shared Key.

• Requirements: Up to 128 case-sensitive ASCII characters OR up to 128 pairs of hexadecimal characters (“0-9”, “A-F”).

• Hexadecimal keys must be preceded with “0x” (e.g., 0x1234ABCD…).

• Using mismatched keys will result in connection failure (PYLD_MALFORMED error).

• If the scenario chosen makes this field non-configurable (like Remote Access Server Role or Client Role), it will display “Any”.

• Otherwise, enter the IP address and subnet mask of the remote computer or subnet (e.g., 192.168.10.0 / 255.255.255.0). This must match the ‘Local Policy’ configured on the remote IPSec device.

• Rule Name

• Secure Gateway (IP address, FQDN, or Any)

• Pre-Shared Key (masked or displayed depending on context)

• Local Policy (IP/Mask)

• Remote Policy (IP/Mask or Any)

• The Phase 1 rule settings (IKE settings) appear in the VPN > IPSec VPN > VPN Gateway screen.

• The Phase 2 rule settings (IPSec policy) appear in the VPN > IPSec VPN > VPN Connection screen.

• For L2TP rules, they appear in VPN > L2TP VPN and also influence the IPSec VPN Gateway/Connection screens.

• Phase 1 (Authentication): Establishes a secure channel called the IKE SA (Security Association). This phase authenticates the peers and agrees on cryptographic parameters for securing the IKE communication itself.

• Phase 2 (Key Exchange): Uses the secure IKE SA established in Phase 1 to negotiate the parameters for the actual data tunnel, known as the IPSec SA. This defines how user data will be encrypted and authenticated.

• Main: More secure as it encrypts the identities of the communicating peers (ZyWALL/USG and remote router). However, it takes more time and message exchanges to establish the IKE SA.

• Aggressive: Faster negotiation as it exchanges more information in fewer messages. However, it does not encrypt the peer identities during the exchange, making it potentially less secure against eavesdropping.

• 3DES (Triple DES): Uses a 168-bit key. More secure than DES but slower and requires more processing power.

• AES (Advanced Encryption Standard): Offered in different key lengths:

• AES128: Uses a 128-bit key. Faster than 3DES.

• AES192: Uses a 192-bit key.

• AES256: Uses a 256-bit key. Offers the highest level of encryption strength but may impact throughput most.

• MD5 (Message Digest 5): Provides minimal security; generally considered weak and deprecated for security purposes.

• SHA1 (Secure Hash Algorithm 1): Stronger than MD5, but also has known vulnerabilities.

• SHA256 (SHA-2 family): Offers higher security than SHA1.

• SHA512 (SHA-2 family): Offers the highest security among common options.

• DH1: 768-bit random number (considered weak).

• DH2: 1024-bit (1Kb) random number (minimum recommended).

• DH5: 1536-bit random number (stronger).

• Pre-Shared Key: Both peers are configured with the same secret password (the pre-shared key). This is simpler to set up.

• Certificate: Each peer uses a digital certificate (issued by a Certificate Authority or self-signed) to authenticate. This is generally considered more secure and scalable, especially for larger deployments, but requires managing certificates.

• ESP (Encapsulating Security Payload): Provides confidentiality (encryption), data origin authentication, connectionless integrity, and anti-replay protection. ESP is compatible with NAT Traversal.

• AH (Authentication Header): Provides data origin authentication, connectionless integrity, and anti-replay protection, but does NOT provide encryption (confidentiality). AH is generally NOT compatible with NAT.

• Tunnel: Encapsulates the entire original IP packet (including header) inside a new IP packet. The new IP header has the source and destination IP addresses of the VPN gateways. Tunnel mode is required for site-to-site VPNs and is compatible with NAT.

• Transport: Only encrypts/authenticates the payload of the original IP packet, keeping the original IP header. This is typically used for end-to-end security between two hosts on the same network and is generally not compatible with NAT.

• 3DES

• AES128

• AES192

• AES256

• Null: This option specifies that no encryption should be applied. This is generally only used if confidentiality is not required or if AH protocol is used (which doesn’t support encryption).

• MD5

• SHA1

• SHA256

• SHA512

• Options involve selecting a Diffie-Hellman group (e.g., DH1, DH2, DH5) for this Phase 2 key exchange.

• DH5 is more secure than DH1 or DH2, but may slow down the Phase 2 setup.

• Disabling PFS allows faster IPSec setup but is less secure, as compromising the Phase 1 key could potentially compromise all data sent over the tunnel.

• Rule Name

• Secure Gateway

• Pre-Shared Key / Certificate Info

• My Address (interface)

• Phase 1 settings (Negotiation Mode, Encryption, Authentication, Key Group, SA Life Time, NAT-T, DPD)

• Phase 2 settings (Active Protocol, Encapsulation, Encryption, Authentication, SA Life Time, PFS)

• Policy settings (Local Policy, Remote Policy, Nailed-Up)

• Configuration for Secure Gateway script

• AH active protocol (only ESP is supported)

• NULL encryption (data must be encrypted)

• SHA512 authentication (use SHA1 or SHA256)

• A subnet or range remote policy (the client typically determines its own traffic)

• Rule Name

• Secure Gateway (will be ‘Any’)

• Pre-Shared Key

• Local Policy (IP/Mask)

• Remote Policy (will be ‘Any’)

• Rule Name: A name to identify the L2TP VPN rule.

• My Address (interface): The WAN interface on the Zyxel Device that will accept L2TP connections.

• Authentication Method (Pre-Shared Key): The secret key that both the L2TP client and the Zyxel Device must use for the initial IPSec authentication.

• Rule Name

• Secure Gateway (will be ‘Any’ as it’s a server role)

• Pre-Shared Key

• My Address (interface)

• IP Address Pool (Range or Subnet details)

1. Click Add.

2. Enter a descriptive Service Name.

3. Enter the Starting Port number (1-65535).

4. Enter the Ending Port number (1-65535). Use the same number as the starting port if forwarding a single port.

5. Click OK.

• UPnP (Universal Plug and Play) and NAT-PMP (NAT Port Mapping Protocol) are network protocols that allow devices on your local network (like game consoles, media servers, etc.) to automatically discover each other and configure network services, including automatically creating port forwarding rules on the Zyxel Device (router) without manual configuration.

1. Select the “Enable UPnP” checkbox.

2. Click Refresh to view the current UPnP Port Status (rules automatically created by devices).

3. Click Finish.

To configure Wi-Fi:

1. Check “Enable Wi-Fi Network”.

2. Set the Wi-Fi name (SSID).

3. Set the Password.

To configure Guest Wi-Fi:

1. Check “Enable Guest Wi-Fi Network”.

2. Set the Guest Wi-Fi name (SSID).

3. Set the Password.

4. Specify the access Duration (default 4 hours) or select Always.

1. Select the “Enable Guest Network (for wired clients)” checkbox.

2. Click Finish.

1. Ensure the “Enable Content Filter with following contents blocked” checkbox is selected.

2. Review the listed categories (grouped under headings like Adult Related, Leisure, Liability Concerns, etc.).

3. Select the checkboxes next to the categories you wish to block.

4. Click Next.

• To add a trusted (always allowed) site: Click Add under “Trusted Web Sites”, enter the host name (e.g., http://www.good-site.com, *.zyxel.com) without “http://&#8221;, and click OK/Save.

• To add a forbidden (always blocked) site: Click Add under “Forbidden Web Sites”, enter the host name (e.g., http://www.bad-site.com, *.malicious.com) without “http://&#8221;, and click OK/Save.

• `*zyxel.com` allows or blocks `www.zyxel.com`, `partner.zyxel.com`, `press.zyxel.com`, etc.

• `*.com` allows or blocks all `.com` domains.

1. Find the device you want to exempt in the “Client_list”.

2. Select the device.

3. Click the right arrow button (>) to move it to the “Exemption_list”.

1. Click the “Add Client Address” button.

2. In the pop-up screen, enter the client’s Name, IP Address, and MAC Address.

3. Specify the interface (e.g., LAN1).

4. Click OK.

• To enable IDP: Select the “Enable IDP” checkbox.

• To enable Anti-Virus: Select the “Enable Anti-Virus” checkbox.

1. Go to portal.myzyxel.com.

2. Create an account or sign in.

3. Follow the instructions on the portal to register your device. You may need the device’s serial number and LAN MAC address (usually found on a label on the device).

4. If you purchased subscription services (e.g., via an iCard), enter the license key(s) on the portal to activate the services for your registered device.

• An Encyclopedia: Search for virus/malware names or file hashes to view details, history, signature info, and how ZyWALL defends against them.

• Release Notes: Information about signature updates.

• Virus / Malware Information: Details on viruses and malware.

• Intrusion Detection Information: Details on network-based intrusions.

• Application Patrol Information: Details on application identification signatures.

• URL Checker: Allows you to check the categorization of a specific website URL.

• WAN Interface: Configures a WAN (Internet) connection, including ISP account settings for PPPoE/PPTP/L2TP.

• Remote Access VPN Setup: Configures VPN rules for remote clients (IKEv2 IPSec or L2TP over IPSec).

• VPN Setup: Configures general VPN rules, including site-to-site, Configuration Provisioning for Zyxel clients, and L2TP for clients.

• Wireless Setup: Configures the device as an AP Controller or manages the built-in AP (if applicable).

• Choose Ethernet if your connection uses standard Ethernet (typically with Auto/DHCP or Static IP).

• Choose PPPoE, PPTP, or L2TP if your ISP requires a dial-up type connection using one of these protocols (you’ll need credentials from your ISP).

• For dynamic IP: Select “Auto” from the “IP Address Assignment” drop-down. The device will attempt to get an IP via DHCP.

• For fixed IP: Select “Static” from the “IP Address Assignment” drop-down. You will then need to enter the IP Address, IP Subnet Mask, Gateway IP Address, and optionally DNS Server addresses provided by your ISP.

• Authentication Type (e.g., Chap/PAP)

• User Name (from ISP)

• Password (from ISP)

• Base Interface (the physical Ethernet port used)

• Server IP (the IP address of the ISP’s PPTP server)

• Authentication Type (e.g., Chap/PAP)

• User Name (from ISP)

• Password (from ISP)

• CHAP/PAP: Accepts either CHAP or PAP when requested by the remote server.

• CHAP: Accepts only CHAP (Challenge Handshake Authentication Protocol).

• PAP: Accepts only PAP (Password Authentication Protocol).

• MSCHAP: Accepts only MSCHAP.

• MSCHAP-V2: Accepts only MSCHAP-V2.

• Encapsulation (Ethernet, PPPoE, etc.)

• WAN Interface name

• Zone (usually WAN)

• IP Address Assignment (Auto or Static)

• IP Address

• IP Subnet Mask

• Gateway IP Address

• DNS Servers

• ISP Parameters (User Name, Service Name, Server IP, etc., if applicable)

• Using the Zyxel SecuExtender IPSec VPN client software.

• Using a computer or mobile operating system with built-in IKEv2 support (referred to as a non-SecuExtender VPN client).

• Windows 8 and later versions.

• iOS 14.8 and later versions.

• macOS 10.12 and later versions.

• Android 10.0 and later versions (requires installing strongSwan first).

• Windows 8 and later versions.

• iOS 13 and later versions.

• macOS 10.12.2 and later versions.

• Android 10.0 and later versions.

• Interface: Select a pre-configured physical interface (like ge2, wan1) from the drop-down list. Use this if the Zyxel Device has a static IP on that interface.

• Domain Name / IPv4: Select this if you are using DDNS to assign a dynamic IP address a domain name, or if you want to enter a static IP address directly. Enter the domain name (e.g., vpn.zyxel.com) or the static IPv4 address in the text box.

• Auto: The Zyxel Device generates a certificate automatically based on the wizard settings (recommended for simplicity).

• Manual: Select an existing certificate from the drop-down list. Ensure the certificate’s Host IP Address or Domain Name matches the Incoming Interface setting. You may need to create a suitable certificate first under Configuration > Object > Certificate > My Certificate.

• Full Tunnel: All network traffic from the remote VPN client is encrypted and sent through the VPN tunnel to the Zyxel Device. This includes traffic destined for the internal network and traffic destined for the Internet.

• Allow Client VPN Traffic Through WAN: Check this box to allow the client’s Internet traffic to exit through the Zyxel Device’s WAN connection. Clear it to block client Internet access via the tunnel.

• Split Tunnel: Only traffic destined for specific networks behind the Zyxel Device is encrypted and sent through the VPN tunnel. Select the local network interface (LAN, DMZ, guest) from the drop-down list. Traffic destined for the Internet from the remote client does not go through the Zyxel Device and is not encrypted by this VPN.

• Default Range (e.g., 192.168.50.1-192.168.50.250): Use the default range provided.

• Custom Defined: Select this to enter a specific Starting IP Address and Ending IP Address for the pool.

• First DNS Server:

• ZyWALL: The Zyxel Device acts as a DNS proxy.

• Custom Defined: Enter the IP address of a specific DNS server reachable from the network behind the Zyxel Device.

• Second DNS Server: Optionally enter a secondary DNS server IP address (checked if the first is unavailable).

1. A list of “Available” local users configured on the Zyxel Device is shown.

2. Select the user(s) you want to allow VPN access.

3. Click the right arrow button (>) to move them to the “Member” list.

• For Windows, iOS, macOS clients: Click the appropriate download link, save the script file, and send it to the remote VPN user to install/run on their device.

• For Android clients: Install strongSwan on the Android device first. Then click the download link for Android, save the script file, and send it to the user along with the Pre-Shared Key (if used) for manual configuration within strongSwan.

• Upload Bandwidth Limit

• Split Tunnel (only Full Tunnel is configured via script)

• Two-factor Authentication (like Google Authenticator)

• Pre-Shared Key: The secret key for IPSec authentication (8-128 alphanumeric or hex pairs starting with 0x).

• Incoming Interface: The WAN interface (physical like ge4 or logical like Domain Name/IPv4) that will accept the L2TP/IPSec connections.

• Local Network: Set to Full Tunnel. You can choose whether to “Allow L2TP traffic Through WAN” (allowing clients Internet access via the tunnel).

• IP Address Pool: Define the range of IP addresses assigned to clients (either the default 192.168.50.1-192.168.50.250 or a Custom Defined range).

• First DNS Server / Second DNS Server: Specify DNS servers for clients (either ZyWALL proxy or Custom Defined IPs).

1. Select allowed local users from the “Available” list.

2. Move them to the “Member” list using the arrow button.

• For Windows, iOS, macOS clients: Download the script file and send it to the user to run on their device.

• For Android and Windows 7 clients: These require manual configuration. You need to provide the user with the Pre-Shared Key and the Zyxel Device’s public IP address or domain name (from the Incoming Interface setting) so they can configure the L2TP over IPSec connection manually on their device.

• WAN Interface: Walks you through getting your device connected online.

• Remote Access VPN Setup: Allows employees anywhere to securely connect to their company’s remote LAN.

• VPN Setup: Provides a simplified process for creating secure communications between nodes.

• Wireless Setup: Walks you through getting your device connected online via Wireless LAN.

1. Select a WiFi network and click Edit, or create a new one.

2. Configure the following fields:

• Activate: Check this box to enable the WiFi network.

• Wireless Name (SSID): Enter a unique name to identify the WiFi network.

• Outgoing Interface: Select the interface the wireless network uses to transmit packets.

• Security Mode: Select WPA2 to use WPA2 security with a Pre-Shared Key. Enter the key in the Pre-Shared Key field. Select Open if you do not want security (not recommended).

3. Click OK to save the settings and return to the wizard, or click Cancel to discard changes. Click Next to proceed to the Radio settings.

• Band Mode: Select the wireless band (2.4GHz for 802.11b/g/n/ax, 5GHz for 802.11ax/ac/a/n).

• Channel Width: Select the channel bandwidth (20 MHz, 40 MHz, 80 MHz, 160 MHz, 320 MHz, or combinations like 20/40MHz). Select 20 MHz for environments with obstructions or interference, or if clients don’t support bonding. Note: The device may switch to lower bandwidth in poor SNR environments.

• Channel Selection: Choose DCS (Dynamic Channel Selection) for automatic channel selection based on interference, or Manual to specify a channel. DCS is not supported in repeater mode.

• Output Power: Set the transmission power. Higher power increases coverage but may cause interference.

Click Next to continue or Back to return to SSID settings.

1. Review your settings on the Summary screen (Figure 179).

2. Click Save to apply the changes to the Zyxel Device.

3. Click Back if you need to make further changes.

4. The Wizard Completed screen (Figure 180) confirms your changes have been saved.

5. Click Close to exit the wizard.

• System Resources: CPU Usage, Memory Usage, Flash Usage, USB Storage Usage, Active Sessions.

• Network Status: DHCP Table count, Number of Login Users, VPN Status, SSL VPN Status.

• Device Status: Virtual Device panel (front/rear panel status), Device Information (System Name, Serial Number, MAC Address, Firmware Version), System Status (Boot Status, Uptime, Date/Time), Tx/Rx Statistics, The Latest Logs.

You can rearrange, collapse, refresh, and close individual widgets. Clicking the OneSecurity icon provides guidance on configuration walkthroughs and troubleshooting.

• Ethernet Interface:

• Inactive: Interface is disabled.

• Down: Interface is enabled but not connected, or has no associated physical ports.

• Speed / Duplex: Interface is enabled and connected, showing port speed and duplex (Full or Half).

• WLAN Card: Status is ‘none’.

• Cellular Interface: See Section 10.7 for possible statuses.

• Auxiliary Interface:

• Inactive: Interface is disabled.

• Connected: Interface is enabled and connected.

• Disconnected: Interface is enabled but not connected.

• System Name: The name identifying the Zyxel Device on the network. Click the link to edit the Host Name.

• Serial Number: The unique serial number for device tracking and control.

• MAC Address Range: The MAC addresses used by the device’s physical ports.

• Firmware Version: The currently running firmware version and date. Click the link to access the Firmware Package screen for uploads.

• OK: Successful startup.

• Firmware update OK: Successful firmware update.

• Problematic configuration after firmware update: Configuration failed after firmware upgrade.

• System default configuration: Successfully applied system defaults (first start or intentional reset).

• Fallback to lastgood configuration: Failed to apply startup-config.conf, used lastgood.conf instead.

• Fallback to system default configuration: Failed to apply lastgood.conf, used system-default.conf instead.

• Booting in progress: System configuration application is ongoing.

• #: Entry rank.

• Time: Date and time the log was created.

• Priority: Severity of the log.

• Category: Type of log generated.

• Message: The actual log message text.

• Source: Source IP address (if applicable).

• Destination: Destination IP address (if applicable).

• Hover over CPU Usage or Memory Usage to see an icon; click it to view a historical usage chart (Figure 188).

• Hover over Active Sessions to see icons; click the Detail icon to go to the Session Monitor screen, or click the Show Active Sessions icon for a usage chart.

Click the number in the DHCP Table widget on the Dashboard to open the DHCP Table screen (Figure 189).

This screen (Table 31) shows IP addresses assigned to DHCP clients or reserved for specific MAC addresses. You can:

• Set a Refresh Interval for automatic updates or click Refresh Now to update immediately.

• View details: Interface, IP Address, Host Name, MAC Address, Expiration Time, Description.

• Identify static entries via the Reserve checkbox and Description field.

• Create a static entry: Select an existing dynamic entry, check the Reserve box, and click Apply.

• Remove a static entry: Select a static entry, uncheck the Reserve box, and click Apply.

• Click Cancel to close the window.

Click the link in the Number of Login Users widget on the Dashboard to open the Number of Login Users screen (Figure 190).

This screen (Table 32 & Table 44) lists currently logged-in users. You can:

• View details: User ID, Reauth/Lease Time, Session Timeout, Type (login method), IP Address, User Info (account type/group), Created Date, Accounting Status, RADIUS Profile Name.

• Force Logout: Select a user row and click the Logout icon to end their session.

• Refresh: Click the Refresh button to update the list.

• VPN Tunnel Status: Click the link in the VPN Status widget to view currently established VPN tunnels (Figure 192, Table 33). You can see the tunnel Name, Encapsulation type, and hash Algorithm. Set a Refresh Interval or click Refresh Now.

• SSL VPN Status: The SSL VPN Status widget (Figure 193) shows the current number of active SSL VPN tunnels versus the maximum allowed.

• VPN Overview (VPN Models): The VPN tab on the Dashboard (Figure 194) provides a detailed overview including:

• Connections/max per type (IPSec/L2TP/SSL).

• In/Out traffic (bps) per type.

• Number of connected tunnels per type (Site to Site/Dynamic/L2TP/SSL).

• Top 5 Logged in VPN Users (per country, per Service Type, online).

• Tunnel Health (Top 5 DPD Failures).

• Top 5 Connectivity Failures.

• Graphical tunnel statistics.

Click the Refresh icon to update this screen.

• Set the Poll Interval (1-60 seconds) and click Set Interval for automatic updates, or click Stop to halt updates.

• View statistics per port: Status (Down, Speed/Duplex), Transmitted Packets (TxPkts), Received Packets (RxPkts), Collisions, Transmission Speed (Tx B/s), Reception Speed (Rx B/s), Up Time.

• Click Switch To Graphic View to see a line graph of Tx/Rx speed over time for a selected port (Figure 196, Table 35). Set Refresh Interval or click Refresh Now on the graph view. Click Switch To Grid View to return to the table.

• Interface Status (IPv4): View Name, Port/Binding, Status (Inactive, Down, Speed/Duplex, Connected, Disconnected, Up), Zone, IP Address/Netmask, IP Assignment (Static, DHCP Client), Services provided (DHCP, DDNS, RIP, OSPF), and Actions (Renew DHCP, Connect PPPoE/PPTP).

• Tunnel Interface Status: View Name, Status (Active/Inactive icon), Zone, IP Address, My Address, Remote Gateway Address, Mode.

• IPv6 Interface Status: Similar to IPv4 status, showing IPv6 addresses and services.

• Interface Statistics: Click Refresh to update packet stats. View Status, Transmitted Packets (TxPkts), Received Packets (RxPkts), Transmission Speed (Tx B/s), Reception Speed (Rx B/s) for each interface. Click the ‘+’ icon next to an interface name to view virtual interface details if applicable.

1. Data Collection:

• Check the ‘Collect Statistics’ box and click Apply to start collecting data. The collection period will be displayed.

• Uncheck the box and click Apply to stop collection.

• Click Reset to revert to the last saved settings.

2. Statistics:

• Select the Interface to monitor.

• Choose the report type from the Sort By dropdown: Host IP Address/User, Service/Port, Web Site Hits, or Country.

• Click Refresh to update the displayed statistics report.

• Click Flush Data to discard all collected statistics for the screen and update the display.

The report shows ranked data based on the ‘Sort By’ selection, including direction (Ingress/Egress) and amount of traffic or hits. Note the limits on records, byte count, and hit count (Table 38).

• Use the View dropdown to display sessions grouped by users, services, source IP, source region, destination IP, destination region, or view all sessions individually.

• When viewing ‘all sessions’, you can filter by User, Service, Source Address, Destination Address, Source Country, and Destination Country. Enter criteria and click Search.

• View session details: User, Service (protocol), Source IP/Port/Country, Destination IP/Port/Country, Rx Bytes, Tx Bytes, Duration (seconds).

• Click Refresh to update the list.

• To terminate sessions: Select one or more sessions and click Clear, or click Clear All to terminate all displayed sessions. Terminated sessions are logged in Log > View Log.

• Filter the list by selecting an Interface and/or entering a Keyword, then click Search.

• Click Reset to clear filters.

• View lease details: Interface, IP Address, Host Name, MAC Address, Expiration Time, Last Access Time, Description, Static (Yes/No).

• Release a dynamic lease: Select the entry and click Release.

• Reserve an IP (Static DHCP): Select a dynamic entry and click Reserve.

• Unreserve an IP (Make Static Dynamic): Select a static entry and click Unreserve.

• Export the table: Select entries and click Export to save as a CSV file. This file can be imported later in Configuration > Network > Interface > Ethernet/VLAN > DCHP Setting.

• View client details: Status (Online, Offline, Blocked, CDR Blocked), MAC/IP Address, Hostname, Manufacturer, Category, OS, Type, First/Last Seen, User, Auth Method, TX/RX Rate, Connected To, Description.

• Toggle Hide/Show Advanced Settings for more/less detail.

• Edit Description: Select a client and click Edit, or double-click the entry (Figure 203, Table 42). Enter a descriptive name and click OK.

• Remove inactive client: Select a client that is no longer connected and click Remove (cannot remove blocked clients).

• Block/Unblock client: Select a client and click Add to block list or Remove from block list.

• Provide Feedback: If a client is misidentified, select it and click Feedback (Figure 204, Table 43). Correct the Category, Operating System, or Type as needed and click OK to send feedback to Zyxel.

• View user details: User ID, Reauth/Lease Time, Session Timeout, Login Type, IP Address, Country, MAC Address, User Info, Accounting Status, RADIUS Profile Name, Created Date.

• Force Logout: Select a user and click the Force Logout icon.

• Refresh: Click the Refresh button to update the list.

• View details: Group, Source IP, Incoming Interface, Packet Count, Bytes transferred, Outgoing Interface.

• Click Refresh to update the statistics.

• View status per profile: Profile Name, Domain Name, Effective IP (resolved IP), Last Update status (Successful/Updating), Last Update Time.

• Click Update next to an entry to force the Zyxel Device to attempt to resolve the IP address for that domain name and update the DDNS server.

• Click Refresh to update the displayed information.

• Select the Interface from the dropdown menu.

• View details: IP Address, Host Name, MAC Address, Last Access time, Description.

• Click Refresh to update the information.

• View basic status: Extension Slot, Connected Device model, Status (e.g., No device, No Service, Device detected, Active, Device ready, etc.), Service Provider, Cellular System type, Signal Quality.

• Click Refresh to update the status.

• For more details (requires attached/activated device), click More Information (Figure 210, Table 49). This shows Signal Strength (dBm), Device Manufacturer/Model/Firmware, IMEI/ESN, and SIM Card IMSI. Click Cancel to close the detailed view.

• View rule details: Remote Host (source IP), External Port, Protocol (TCP/UDP), Internal Port, Internal Client (IP or name), Internal Client Type, Description.

• Remove a rule: Select the entry and click Remove.

• Remove all rules: Click Delete All.

• Click Refresh to update the list.

• View information: Device Description, Usage (used/total %), File System (shows Unknown if unsupported like NTFS), Speed, Status (Ready, Unused, none), Detail (Deactivated, OutofSpace, Mounting, Removing, none).

• If Status is Ready: Click Remove Now to safely unmount the device before removing it.

• If Status is Unused (and file system is supported): Click Use It to mount the device.

• View discovered neighbor details: Local Port (on Zyxel Device), Model Name, System Name, Firmware Version, Port (first internal port on neighbor), IP Address, MAC Address.

• Click Refresh to update the information.

• View IPv4 or IPv6 cache lists separately.

• Select a configured FQDN Object from the dropdown to filter the list for related caches.

• View cache details: Name (of FQDN object), FQDN, IP Address (mapped IP), TTL (seconds remaining in cache).

• Click Refresh to update the displayed cache information.

Note: FQDN objects are configured in Configuration > Object > Address/Geo IP.

• View list of AP radios: Loading status, AP Description, Frequency Band, Channel ID, Tx Power, Station count, Rx/Tx bytes, Model, MAC Address, Radio number, Operating Mode.

• Click Refresh to update the list.

• Check ‘Enable Column Freeze’ to lock index columns while scrolling.

• Click the More Information icon for a selected radio to see detailed statistics (traffic, station count, SSID info, etc.) for the last 24 hours (Figure 216, Table 55). Click OK or Cancel to close the detailed view.

• View information per SSID: Name, Number of connected clients on 2.4GHz/5GHz/6GHz bands, SSID Profile Name, Security Mode.

• Click the number link in the 2.4GHz, 5GHz, or 6GHz column to go to the Station Info > Station List screen, filtered for that SSID and band.

• Click Refresh to update the screen.

• View connected station details: MAC Address, SSID Name, Associated AP, IP Address, Channel, Rx/Tx Rate, Signal Strength, Association Time, etc. Use Hide/Show Advanced Settings for more/less detail.

• Click Show Filter to reveal filtering options.

• Enter criteria: IP Address, SSID Name (multi-select), Security Mode (multi-select), Associated AP (multi-select), MAC Address, Band, Account, Login Type.

• Click Search to apply filters. Click Reset to clear filters.

• Click Refresh to update the list.

• Check ‘Enable Column Freeze’ to lock index columns.

• Top N Stations: Go to Monitor > Wireless > Station Info > Top N Stations (Figure 219, Table 58). Select View (Top 5 or Top 10 by Usage), Usage by (GB or MB), and Date range. The graph shows traffic usage for the top stations. Click Refresh to update.

• Single Station: Go to Monitor > Wireless > Station Info > Single Station (Figure 220, Table 59). Select the specific Station from the dropdown, Usage by (GB or MB), and Date range. The graph shows download and upload traffic for that station. Click Refresh to update.

• View active IPSec Security Associations (SAs).

• Filter the list by Name or Policy using keywords or regular expressions (see Section 7.22.1 for regex help) and click Search.

• View SA details: User (if EAP/X-auth), System Name, SA Name, Policy, My Address, Secure Gateway, Up Time, Timeout remaining, Inbound Bytes, Outbound Bytes.

• Disconnect an SA: Select the SA and click Disconnect.

• Check Connection: Select the SA and click Connection Check.

• Click Refresh to update the list.

• View active SSL VPN user connections.

• View details: User account, Access (application), Login Address, Connected Time, Inbound Bytes, Outbound Bytes.

• Terminate a connection: Select the user connection and click Disconnect. This removes the entry and deletes session information.

• Click Refresh to update the list.

• View connected L2TP VPN sessions.

• View details: User Name, Hostname, Assigned IP (tunnel IP), Public IP (user’s internet IP).

• Disconnect a session: Select the session and click Disconnect.

• Click Refresh to update the list.

• Enable Collection: On either tab, check ‘Collect Statistics’ and click Apply to start collecting data (Figure 224, 225; Table 63, 64). Collection starts from the displayed time. Statistics are erased on device restart or by clicking Flush Data.

• Update/Clear Stats: Click Refresh to update the display. Click Flush Data to discard all statistics for the current tab.

• Web Content Filter Tab (Table 63): View summary statistics like Total Web Pages Inspected, Blocked counts (by category, custom service, restricted features, forbidden sites, URL keywords), Warned count, and Passed count.

• DNS Content Filter Tab (Table 64): View summary statistics like Total DNS Inspected, Redirected count, and Passed count.

• Click Reset on either tab to return to last-saved settings.

• Summary Tab (Figure 226, Table 65):

• Enable Collection: Check ‘Collect Statistics’ and click Apply. Start time is displayed. Stats erased on restart/Flush Data.

• Update/Clear Stats: Click Refresh to update. Click Flush Data to discard stats.

• View Email Summary: Total Scanned, Safe Mails (Total, By White List), Spam Mails (Total, By Black List, By Malicious Mail, By DNSBL), Query Timeouts, Sessions Forwarded/Dropped (when threshold reached).

• View Statistics: Select Top Sender By (Sender IP or Sender Email Address) to see top spam sources and occurrence count.

• Click Reset to return to last-saved settings.

• Status Tab (Figure 227, Table 66):

• Resource Status: View Concurrent Mail Session Scanning load (current/max/historical high).

• Mail Scan Statistics: View queries, average response time, and no responses for Mail Scan and IP Reputation services.

• DNSBL Statistics: View queries, average response time, and no responses for configured DNSBL domains.

• Click Refresh to update status. Click Flush to clear DNSBL stats and the scanning historical high.

• View Logs: Regular logs display in black, alerts in red. Columns are sortable.

• Filter Logs: Click Show Filter. Select Category (All Logs, specific category, Debug Log). Optionally filter by Priority, Source/Destination Address, Source/Destination Interface, Service, Keyword, Protocol. Click Search to apply filters. Filter settings are saved if you navigate away.

• Email Logs: Click Email Log Now to send unsent logs matching configured active categories to configured email addresses.

• Refresh/Clear: Click Refresh to update the log view. Click Clear to delete the entire log.

• View Details: Time, Priority, Category, Message, Source, Destination, Note.

• MONITOR: Traffic Statistics, Wireless, VPN Monitor, Log.

• CONFIGURATION: Wireless, Network, VPN, BWM, Web Authentication, Security Policy, Object, System, Log & Report.

• MAINTENANCE: File Manager, Diagnostics, Packet Flow Explore, Shutdown/Reboot.

Note: Security services like Content Filtering, Anti-Spam, IDP, etc., require licenses.

• Register: Click the portal.myzyxel.com link (Figure 229) to register your device. Ensure the device has Internet access.

• Refresh Registration Status: After registering or making changes on the portal, click Refresh on the Registration tab (Figure 229) to update the ‘Device Registration Status’.

• View Service Status: Click the Service tab (Figure 231, Table 69) to see the Status (Activated, Expired, Not Licensed, etc.), Service Type (Standard, Trial), Expiration Date, and Count (if applicable) for your subscription services.

• Activate/Renew/Buy Licenses:

• Use the Action column on the Service tab: Click Buy to purchase a new license, or Renew to extend an expired Standard license. This usually involves going to the MyZyxel portal.

• If you have purchased an iCard (license key), register it on portal.myzyxel.com.

• After purchasing/registering, click Activate in the Action column (if available) or click the Service License Refresh button to update the license status on the device.

Note: License updates require TCP port 443 to be allowed outbound.

• General Tab (SSID Summary – Figure 232, Table 70):

• Manage SSIDs: Add, Edit, Activate, or Inactivate SSID profiles (up to 4).

• Quick Setup: Launch the Wireless Setup Wizard.

• Dynamic Channel Selection (DCS): Apply DCS to selected APs (if applicable, usually configured under Radio).

• Click Apply to save changes, Reset to discard.

• Radio Tab (Figure 234, Table 72): Configure 2.4GHz and 5GHz radio settings including 802.11 Band, Channel Width, Channel Selection (DCS/Manual), Output Power, advanced settings like Guard Interval, Aggregation, Thresholds, Beacon/DTIM intervals, Signal Thresholds, and Multicast settings.

Configure the following main settings:

• Activate: Enable or disable the profile.

• SSID: Enter the network name (up to 32 characters).

• Band Mode: Choose 2.4 GHz or 5 GHz.

• Outgoing Interface: Select the LAN interface.

• Security Mode: Choose security type (e.g., open, wpa2, wpa3). Configure relevant settings like Pre-Shared Key (for Personal modes) or RADIUS settings (for Enterprise modes).

• Optional Settings: Configure QoS, Hidden SSID, Intra-BSS blocking, U-APSD, ARP Proxy, Scheduling, MAC Authentication, MAC Filtering, etc.

• Click OK to save the profile, or Cancel to discard.

• open: No security. Allows any client to connect without authentication.

• wep: Older, less secure encryption method.

• wpa2: Standard WPA2 security. Can be used in Personal (Pre-Shared Key) or Enterprise (802.1x/RADIUS) mode.

• wpa2-mix: Allows both WPA2 and older WPA clients to connect (transitional mode).

• wpa3: Latest security standard, offering enhanced protection. Can be used in Personal or Enterprise mode.

• 802.11 Band: Select the allowed Wi-Fi standards (e.g., 11b/g/n, 11ax for 2.4GHz; 11a/n, 11ac, 11ax for 5GHz).

• Channel Width: Set the channel width (e.g., 20MHz, 20/40MHz, 20/40/80MHz).

• Channel Selection: Choose DCS (automatic) or Manual. If Manual, specify the channel(s). Configure DCS options like Client Aware, Selection Method, Deployment, Time Interval/Schedule.

• Output Power: Set the transmission power (dBm).

• Advanced Settings: Configure Guard Interval, A-MPDU/A-MSDU Aggregation limits, RTS/CTS Threshold, Beacon Interval, DTIM period.

• Signal Threshold: Enable and set thresholds for minimum connection signal and dissociation signal strength. Configure retry options.

• Multicast Settings: Configure Transmission Mode (Multicast to Unicast / Fixed Rate) and the Multicast Rate (Mbps) if fixed.

• Click Apply to save changes, Reset to discard.

• Load balancing by station number: Limits the maximum number of devices that can connect to the AP.

• Load balancing by traffic level: Limits the total bandwidth usage allowed for connected devices. Connections are allowed as long as the total usage is below the configured cap.

• Ethernet: The foundation for most network connections, bound to physical ports or port groups.

• PPP: For Point-to-Point Protocol connections like PPPoE, PPTP, L2TP, typically requiring ISP accounts.

• Cellular: For connections using a mobile broadband card.

• VLAN: Logical interfaces that receive/send tagged frames, dividing a physical network into multiple logical ones. Each VLAN is associated with one Ethernet interface.

• Bridge: Software connection merging multiple Ethernet or VLAN interfaces into a single L2 segment.

• Tunnel: For Generic Routing Encapsulation (GRE), IPv6 in IPv4, or 6to4 tunnels.

• Virtual (VTI): Used for route-based VPNs (IPSec).

• Port Group: Hardware L2 connection grouping multiple physical ports (created via Port Role/Port Group screens).

• Trunk: Manages load balancing between multiple interfaces.

• Ethernet interfaces require a physical port or port group.

• VLAN interfaces require an Ethernet interface.

• Bridge interfaces require Ethernet or VLAN interfaces.

• PPP interfaces can be built on Ethernet, VLAN, or bridge interfaces (or specific WAN/OPT ports).

• Virtual interfaces (Ethernet, VLAN, Bridge) require the corresponding base interface type.

• Trunk interfaces require Ethernet, Cellular, VLAN, bridge, or PPP interfaces.

Note: You cannot create PPP or virtual interfaces on an interface that is part of a bridge. You also cannot add an interface to a bridge if it already has a PPP or virtual interface configured on it.

• Use the radio buttons in the matrix to select the desired ZONE interface for each physical port.

• Be aware that changing the role of a port you are connected through may change its IP address, potentially requiring you to adjust your computer’s IP or reconnect using the new interface IP.

• Click Apply to save changes.

• Click Reset to revert to the last saved configuration.

Note: This feature may not be available on all models.

• Select a port entry and click Edit.

• In the Settings dropdown, choose the desired speed and duplex mode:

• Auto Negotiate (Recommended): Allows the port to automatically determine the best speed/duplex with its peer.

• Manual Settings (e.g., 1000Mbps-Full Duplex, 100Mbps-Full Duplex, 100Mbps-Half Duplex, etc.): Forces the port to use the selected mode. Ensure the peer port is configured identically if not using Auto Negotiate.

• Click OK in the edit window.

• Click Apply on the main screen to save changes.

• Click Reset to revert to the last saved configuration.

Note: Speed and duplex cannot be configured for fiber ports.

• View Interfaces: See both IPv4 (Configuration) and IPv6 (IPv6 Configuration) interfaces, their status, name, description, IP address, and mask.

• Edit: Select an interface and click Edit (or double-click) to configure its settings (IP assignment, parameters, RIP, OSPF, DHCP, etc. – see Section 10.5.1, Figure 245).

• Activate/Inactivate: Select an interface and click Activate or Inactivate to enable/disable it.

• Create Virtual Interface: Select a base Ethernet interface and click Create Virtual Interface to add a virtual interface on top of it.

• Remove Virtual Interface: Select a virtual interface (e.g., lan1:1) and click Remove.

• References: Select an interface and click References to see where it’s used in the configuration.

• Apply/Reset: Click Apply to save changes, Reset to revert.

Important Note: Ensure WAN and LAN IPv4 subnets do not conflict. The device may automatically change the default LAN subnet (e.g., 192.168.1.0/24 to 192.168.10.0/24) upon detecting a conflict with the WAN IP if the LAN is still using default settings (Figure 241, 242).

• General Settings: Enable/disable the interface.

• Interface Properties: View/set Type, Name, Port, Zone, MAC Address (Use Default, Overwrite, Clone), Description.

• IP Address Assignment:

• Get Automatically (DHCP Client): Obtain IP, subnet mask, gateway via DHCP. Can configure DHCP Option 60.

• Use Fixed IP Address: Manually assign IP Address, Subnet Mask, Gateway.

• Set Metric (routing priority, lower is preferred).

• Enable IGMP Support: Configure as IGMP Upstream or Downstream for IGMP Proxy (Section 10.5.1.1).

• Interface Parameters: Set Egress/Ingress Bandwidth limits (Kbps), MTU size (Bytes).

• Connectivity Check: Enable checks (ICMP/TCP/HTTP) to verify gateway or specified addresses are reachable. Configure Check Method, Period, Timeout, Fail Tolerance.

• RIP Setting: Enable RIP, set Direction (Send/Receive/Both), Send/Receive Versions, V2-Broadcast.

• OSPF Setting: Assign to OSPF Area, set Priority, Link Cost, Passive Interface option, Authentication.

• MAC Address Setting: Choose to use default, overwrite, or clone MAC address.

• Proxy ARP: Enable and add IP addresses for which the device should answer ARP requests.

• Related Setting: Link to configure PPPoE/PPTP if applicable.

• Click OK to save changes to the interface, then Apply on the summary screen.

General Settings:

Enable Interface: Check this box to enable the interface.

Interface Properties:

Interface Type: Set to ‘internal’.

Interface Name: e.g., lan1 (read-only for default interfaces).

Port: Displays the physical ports assigned (e.g., P3, P4, P5).

Zone: Select the security zone (e.g., LAN1).

MAC Address: Displays the interface’s MAC address (read-only).

Description: Enter an optional description.

IP Address Assignment:

IP Address: Enter the static IP address for this interface (e.g., 192.168.1.1).

Subnet Mask: Enter the subnet mask (e.g., 255.255.255.0).

Enable IGMP Support: Optionally enable IGMP proxy functions (Upstream/Downstream).

Interface Parameters:

Egress Bandwidth: Set the outgoing bandwidth limit (Kbps).

Ingress Bandwidth: Set the incoming bandwidth limit (Kbps).

MTU: Set the Maximum Transmission Unit size in bytes (e.g., 1500).

Connectivity Check (Optional):

Enable Connectivity Check: Check to enable.

Check Method: Select ‘icmp’ or ‘tcp’.

Check Period: Enter the interval in seconds (5-600).

Check Timeout: Enter the timeout in seconds (1-10).

Check Fail Tolerance: Enter the number of failures before considering the connection down (1-10).

Check These Addresses: Specify IP addresses or domain names to check.

Probe Succeeds When: Choose if ‘any one’ or ‘all’ addresses must respond.

DHCP Setting:

DHCP: Select ‘DHCP Server’.

IP Pool Start Address: Enter the starting IP address for the DHCP pool (e.g., 192.168.1.33).

Pool Size: Enter the number of addresses in the pool (e.g., 200).

First/Second/Third DNS Server: Configure DNS servers for clients (e.g., ZyWALL, None, Custom).

First/Second WINS Server (Optional): Configure WINS servers.

Default Router: Set the default gateway for clients (e.g., lan1 IP).

Lease Time: Set the DHCP lease duration (e.g., infinite, 2 days).

Extended Options (Optional): Add custom DHCP options.

PXE Server (Optional):

PXE Server: Enter the IP address of the PXE server.

PXE Boot Loader File: Enter the boot loader filename.

IP/MAC Binding (Optional):

Enable IP/MAC Binding: Check to enforce IP/MAC binding.

Enable Logs for IP/MAC Binding Violation: Check to log violations.

Static DHCP Table: Add static DHCP entries (IP, MAC, Description).

RIP Setting (Optional):

Enable RIP: Check to enable RIP.

Direction: Select BiDir, In-Only, or Out-Only.

Send/Receive Version: Select RIP version (1, 2, or 1 and 2).

V2-Broadcast: Optionally enable broadcast for RIPv2.

OSPF Setting (Optional):

Area: Select the OSPF area or ‘none’ to disable.

Priority: Set the OSPF priority (0-255).

Link Cost: Set the OSPF cost (1-65535).

Passive Interface: Check to make the interface passive.

Authentication: Configure OSPF authentication (None, Text, MD5).

Click OK to save the settings.

General Settings:

Enable Interface: Check this box.

Interface Properties:

Interface Type: ‘general’.

Interface Name: e.g., opt.

Port: Displays the physical port (e.g., P6).

Zone: Select the security zone (e.g., OPT).

MAC Address: Displays the MAC address.

Description: Optional description.

IP Address Assignment:

Get Automatically: Select this to obtain an IP via DHCP. Optionally specify DHCP Option 60.

Use Fixed IP Address: Select this to assign a static IP.

IP Address: Enter static IP (e.g., 0.0.0.0 if unused or a specific IP).

Subnet Mask: Enter static subnet mask.

Gateway: Enter static default gateway IP.

Metric: Set the metric for the gateway (0-15).

Enable IGMP Support: Optional.

Interface Parameters:

Egress/Ingress Bandwidth: Set bandwidth limits (Kbps).

MTU: Set MTU size (Bytes).

Connectivity Check (Optional): Configured similarly to the internal interface.

DHCP Setting:

DHCP: Usually set to ‘None’ for a general interface unless acting as a relay or server for a specific scenario.

Enable IP/MAC Binding: Optional.

Static DHCP Table: Optional.

RIP Setting (Optional): Configure as needed.

OSPF Setting (Optional): Configure as needed.

MAC Address Setting:

Use Default MAC Address: Use the factory default MAC.

Overwrite Default MAC Address: Manually specify a MAC or clone from a host.

Proxy ARP (Optional):

Enable Proxy ARP: Check to enable.

Add IP Address/Range: Define target IP addresses for ARP responses.

Related Settings: Optionally configure PPPoE/PPTP, WAN TRUNK, or Policy Route.

Click OK to save.

General Settings

Enable Interface: Enable or disable the interface.

General IPv6 Setting

Enable IPv6: Enable or disable IPv6 on this interface.

Interface Properties

Interface Type: Select internal, external, or general (configurable for OPT interface only). Determines automatic configuration adjustments (routing, SNAT, DHCP options).

Interface Name: Specify a unique name (alphanumeric, hyphens, underscores, up to 11 characters).

Port: Displays the physical port name (read-only).

MAC Address: Displays the interface’s MAC address (read-only).

Description: Optional description (up to 60 characters).

IP Address Assignment (IPv4)

Get Automatically: (External/General) Use DHCP to get IP configuration.

DHCP Option 60: (External/General with Get Auto) Specify Vendor Class Identifier (VCI) string for DHCP server identification.

Use Fixed IP Address: (External/General) Manually configure IP settings.

IP Address: Enter the IPv4 address.

Subnet Mask: Enter the IPv4 subnet mask.

Gateway: (External/General) Enter the default gateway IP address.

Metric: (External/General) Set the gateway priority (lower number = higher priority).

Enable IGMP Support: Enable IGMP proxy functionality.

IGMP Upstream: Enable on the interface connecting towards the multicast server.

IGMP Downstream: Enable on the interface connecting to multicast hosts.

IPv6 Address Assignment

Enable Stateless Address Auto-configuration (SLAAC): Generate IPv6 address from prefix obtained from an IPv6 router.

Link-Local Address: Displays the generated IPv6 link-local address (read-only).

IPv6 Address/Prefix Length: Enter a static IPv6 address and prefix length (optional).

Gateway: Enter the IPv6 default gateway address.

Metric: Set the IPv6 gateway priority.

Address from DHCPv6 Prefix Delegation: Configure prefix delegation.

Delegated Prefix: Select a DHCPv6 request object.

Suffix Address: Enter the suffix and prefix length to append to the delegated prefix.

Address: Displays the combined IPv6 address (read-only after saving).

DHCPv6 Setting

DHCPv6: Select N/A, Client, Server, or Relay.

DUID: Displays the DHCP Unique Identifier.

DUID as MAC: Generate DUID from default MAC address.

Customized DUID: Enter a custom DUID.

Enable Rapid Commit: Shorten DHCPv6 message exchange (requires client support).

Information Refresh Time: (Client) Seconds to wait before refreshing info.

Request Address: (Client) Request an IPv6 address from the server.

DHCPv6 Request/Lease Options: Configure options to request (Client) or offer (Server).

Relay Server: (Relay) Specify DHCPv6 server IP address.

IPv6 Router Advertisement Setting

Enable Router Advertisement: Enable periodic RA messages.

Advertised Hosts Get Network Configuration From DHCPv6: Indicate hosts should use DHCPv6 for network settings.

Advertised Hosts Get Other Configuration From DHCPv6: Indicate hosts should use DHCPv6 for DNS information.

Router Preference: Set router preference (Low, Medium, High).

MTU (IPv6): Set IPv6 Maximum Transmission Unit.

Hop Limit: Set IPv6 hop limit.

Advertised Prefix Table: Configure fixed IPv6 prefixes to advertise.

Advertised Prefix from DHCPv6 Prefix Delegation: (Internal) Configure network prefix using a delegated prefix.

Interface Parameters (IPv4/IPv6)

Egress Bandwidth: Outgoing bandwidth limit (Kbps).

Ingress Bandwidth: Incoming bandwidth limit (Kbps).

MTU: Maximum Transmission Unit (Bytes).

Connectivity Check (IPv4 – External/General)

Enable Connectivity Check: Enable the check.

Check Method: Select icmp or tcp.

Check Period: Interval in seconds (5-600).

Check Timeout: Timeout in seconds (1-10).

Check Fail Tolerance: Number of failures before marking down (1-10).

Check Default Gateway: Use the default gateway for the check.

Check this address: Specify a custom IP or domain name for the check.

Check Port: (TCP only) Specify the port number.

Check These Addresses: Specify up to two IPs or domain names.

Probe Succeeds When: Select ‘any one’ or ‘all’ for multi-address checks.

DHCP Setting (IPv4 – Internal/General)

DHCP: Select None, DHCP Relay, or DHCP Server.

Relay Server 1 / Relay Server 2: (Relay) Specify DHCP server IPs.

IP Pool Start Address: (Server) Starting IP of the pool.

Pool Size: (Server) Number of IPs in the pool.

DNS Server(s): (Server) Specify DNS servers for clients (Custom Defined, From ISP, Zyxel Device).

WINS Server(s): (Server) Specify WINS servers.

Default Router: (Server) Specify default gateway for clients (Interface IP, Custom Defined).

Lease Time: (Server) Set lease duration (infinite, days/hours/minutes).

Extended Options: (Server) Configure additional DHCP options.

PXE Server (IPv4 – Internal)

PXE Server: IP address of the PXE server.

PXE Boot Loader File: Filename of the boot loader.

IP/MAC Binding (IPv4 – Internal/General)

Enable IP/MAC Binding: Enforce static IP/MAC mapping.

Enable Logs for IP/MAC Binding Violation: Log binding violations.

Static DHCP Table: Configure static IP assignments based on MAC address.

Import/Export: Import/Export static DHCP entries via CSV.

RIP Setting (IPv4/IPv6)

Enable RIP: Enable RIP protocol.

Direction: BiDir, In-Only, Out-Only.

Send Version: RIP version for sending (1, 2, 1 and 2).

Receive Version: RIP version for receiving (1, 2, 1 and 2).

V2-Broadcast: Use broadcast instead of multicast for RIPv2.

OSPF Setting (IPv4/IPv6)

Area: OSPF area ID or ‘none’.

Priority: OSPF router priority (0-255).

Link Cost: OSPF interface cost (1-65535).

Passive Interface: Prevent sending OSPF hellos.

Authentication: Configure OSPF authentication (Same-as-Area, None, Text, MD5).

MAC Address Setting (External/General)

Use Default MAC Address: Use the factory MAC.

Overwrite Default MAC Address: Specify a custom MAC or clone from host.

Proxy ARP (IPv4 – External/General)

Enable Proxy ARP: Enable the feature.

Add: Add target IP addresses or ranges for which the device will answer ARP requests.

Related Settings

Configure PPPoE/PPTP: Link to PPPoE/PPTP configuration.

Configure WAN TRUNK: Link to WAN Trunk configuration.

Configure Policy Route: Link to Policy Route configuration.

Normally, ARP requests are broadcast only within the same subnet. If a host (Sender) on an external network (e.g., WAN Subnet A) needs the MAC address of a target IP address that resides on an internal network (e.g., LAN Subnet B) with the same network IP range, its ARP broadcast won’t reach the target because routers don’t forward these layer-2 broadcasts.

When Proxy ARP is enabled on the Zyxel Device’s external interface, and the target IP address matches an entry configured in the Proxy ARP list:

1. The Zyxel Device receives the ARP request from the Sender on its external interface.

2. Instead of forwarding the broadcast, the Zyxel Device replies to the ARP request using its own external interface’s MAC address.

3. The Sender updates its ARP table, associating the target IP address with the Zyxel Device’s external MAC address.

4. Subsequent packets from the Sender destined for the target IP address are sent to the Zyxel Device’s external MAC address.

5. The Zyxel Device receives these packets and forwards them to the actual target device on the internal network.

To configure it, you need to enable Proxy ARP on the external/general interface and add the specific internal IP addresses (or ranges/CIDR blocks) that the Zyxel Device should respond for.

Interface Name: This field shows the interface you are configuring (read-only).

Address Type: Select the type of target address:

IPv4 Address: For a single host IP.

IPv4 CIDR: For a subnet (e.g., 192.168.1.0/24).

IPv4 Range: For a range of IPs (e.g., 192.168.1.100-192.168.1.150).

Enter the target IP address information based on the selected type.

Interface Properties:

Interface Name: Automatically derived from the underlying interface (e.g., wan2:1). (Read-only)

Description: Enter an optional description.

IP Address Assignment:

IP Address: Enter the static IP address for this virtual interface.

Subnet Mask: Enter the subnet mask for this virtual interface.

Gateway: Enter the default gateway IP address (optional, must be on the same network).

Metric: Enter the priority for the gateway (0-15).

The screen typically shows:

Name (at the top): The object you selected.

#: Sequential number.

Service: The type of configuration using the object (e.g., Policy Route, Security Policy, NAT Rule). Clicking the service name often navigates to that configuration section.

Priority: The position of the item in its list, if applicable (e.g., policy route number).

Name: The specific name of the configuration item using the object (e.g., the policy route name).

Description: The description of the configuration item, if configured.

You can use the Refresh button to update the list. Click Cancel to close the References screen.

This screen is useful for understanding where an object is used before deleting or modifying it, helping to avoid unintended consequences.

Click the ‘Add’ button below the table.

The ‘Add Request Object’ (or similar) window appears.

Select one object: Choose a pre-configured DHCPv6 request or lease object from the dropdown list. You may need to create these objects beforehand (e.g., via the ‘Create new Object’ button on the main interface screen if available, or in the Object > DHCPv6 Option menu).

Click OK.

Select the entry in the table.

Click the ‘Remove’ button below the table.

Click the ‘Add’ button.

The ‘Add DHCP Option’ window appears.

Option: Select the desired DHCP option from the dropdown list (e.g., TFTP Server Name (66), VIVC (124), SIP Server (120)) or select ‘User Defined’ for custom options.

Name: Displays the standard name or allows you to enter a name for ‘User Defined’.

Code: Displays the standard option code or allows you to enter a code for ‘User Defined’.

Type: Displays the required data type (e.g., TEXT, IP, BOOLE) or allows selection for ‘User Defined’.

Value: Enter the appropriate value based on the selected option and type. For options requiring IP addresses (like TFTP Server, NTP Server, SIP Server), you can enter one or more IPs.

Click OK.

Select the option in the table.

Click the ‘Edit’ button.

Modify the values in the ‘Edit DHCP Option’ window.

Click OK.

Select the option in the table.

Click the ‘Remove’ button.

General Settings:

Enable Interface: Check to enable.

General IPv6 Setting (Optional):

Enable IPv6: Check to enable IPv6 over this PPP interface.

Interface Properties:

Interface Name: Enter a name (up to 11 characters).

Base Interface: Select the physical interface (e.g., wan1, sfp) this PPP connection runs over.

Zone: Select the security zone (e.g., WAN).

Description: Optional description.

Connectivity:

Nailed-Up: Connection is always active.

Dial-on-Demand: Connection activates only when traffic needs to pass.

ISP Setting:

Account Profile: Select the pre-configured ISP Account object.

Protocol, User Name, Service Name: Displayed from the selected profile (read-only).

IP Address Assignment (IPv4):

Get Automatically: Obtain IP address from the ISP automatically (most common).

Use Fixed IP Address: Manually specify an IP address provided by the ISP.

IP Address: (Fixed IP only) Enter the static IP.

Gateway: (Fixed IP only, Advanced) Enter gateway IP if needed (usually not required for PPP).

Metric: Set the priority for the gateway (0-15).

IPv6 Address Assignment (if IPv6 enabled):

Enable Stateless Address Auto-configuration (SLAAC): Obtain IPv6 address automatically.

Metric: Set IPv6 gateway priority (0-15).

Address from DHCPv6 Prefix Delegation (Advanced): Configure if your ISP provides a prefix via DHCPv6-PD.

DHCPv6 Setting (if IPv6 enabled):

DHCPv6: Select ‘Client’ to act as a DHCPv6 client or ‘N/A’.

DUID: Configure DUID settings (DUID as MAC / Customized DUID).

Enable Rapid Commit: Optional.

Request Address: Request an IPv6 address via DHCPv6.

DHCPv6 Request Options: Add DHCPv6 request objects.

Interface Parameters:

Egress/Ingress Bandwidth: Set bandwidth limits (Kbps).

MTU: Set Maximum Transmission Unit (Bytes, e.g., 1492 for PPPoE).

Connectivity Check (Optional):

Enable Connectivity Check: Enable the check.

Configure Method, Period, Timeout, Fail Tolerance, Check Default Gateway / Check this address similar to Ethernet interfaces.

Related Setting: Configure WAN TRUNK or Policy Route if needed.

General Settings:

Enable Interface: Check to enable.

Interface Properties:

Interface Name: Enter a name (e.g., cellular1).

Zone: Select the security zone (e.g., WAN).

Extension Slot: Displays the selected USB slot (read-only).

Connected Device: Displays the detected dongle model (read-only).

Description: Optional description.

Connectivity:

Nailed-Up: Connection is always active.

Idle timeout: Set time in seconds (0-360) before disconnecting an idle connection (0 = disabled).

ISP Settings:

Profile Selection: Choose ‘Device’ to use profiles stored on the dongle (select Profile 1 unless instructed otherwise) or ‘Custom’ to manually configure.

APN: (Custom or if not on device profile) Enter the Access Point Name provided by your carrier.

Dial String: (Custom or if not on device profile, GSM only) Enter the dial string if provided by your carrier (often includes APN).

Authentication Type: (Custom or if not on device profile) Select None, CHAP, or PAP as required by your carrier.

User Name / Password: (Custom or if not on device profile) Enter credentials if required by your carrier.

SIM Card Setting:

PIN Code: Enter the SIM card PIN if required. Enter it twice (Retype to Confirm).

Interface Parameters:

Egress/Ingress Bandwidth: Set bandwidth limits (Kbps).

MTU: Set Maximum Transmission Unit (Bytes, e.g., 1492).

Connectivity Check (Optional): Configure similarly to Ethernet interfaces.

IP Address:

Get Automatically: Obtain IP address from the carrier (most common).

Use Fixed IP Address: Manually specify a static IP if provided by the carrier.

Metric: Set the gateway priority (0-15).

Device Settings (Advanced):

Network Selection: Choose ‘auto’ or manually select network type (e.g., LTE only, WCDMA only) if supported by the dongle.

Band Selection: Choose ‘auto’ or manually select frequency bands if supported.

Budget Setup (Optional):

Enable Budget Control: Check to enable usage limits.

Time Budget: Set monthly hour limit.

Data Budget: Set monthly Mbyte limit (Download/upload/both).

Reset counters on: Select day of the month to reset counters.

Actions when over budget: Configure logging, new connection behavior (Allow/Disallow), current connection behavior (Keep/Drop).

Actions when over % budget: Configure actions when a percentage threshold is reached.

General Settings:

Enable: Check to enable the interface.

Interface Properties:

Interface Name: Enter a name (e.g., tunnel0, tunnel1…).

Zone: Select the security zone (e.g., TUNNEL, IPSEC_VPN).

Tunnel Mode: Select GRE, IPv6-in-IPv4, or 6to4.

IP Address Assignment (for GRE):

IP Address: Enter the IPv4 address for this end of the GRE tunnel.

Subnet Mask: Enter the subnet mask for the tunnel interface.

Metric: Enter the metric for routing purposes (0-15).

IPv6 Address Assignment (for IPv6-in-IPv4 or 6to4):

IPv6 Address/Prefix Length: Optionally enter a static IPv6 address and prefix length for the tunnel interface.

Metric: Enter the metric for routing purposes (0-15).

6to4 Tunnel Parameter (for 6to4):

6to4 Prefix: Enter the IPv6 prefix of the destination network.

Relay Router: Enter the IPv4 address of a 6to4 relay router.

Remote Gateway Prefix: Enter the IPv4 network address and bits of a remote 6to4 gateway.

Gateway Settings:

My Address: Select the source ‘Interface’ or specify a source ‘IP Address’ used to identify this end of the tunnel.

Remote Gateway Address: Enter the IP address or domain name of the remote tunnel endpoint. (Displays ‘Automatic’ for 6to4).

Interface Parameters:

Egress/Ingress Bandwidth: Set bandwidth limits (Kbps).

MTU: Set Maximum Transmission Unit (Bytes, e.g., 1476 for GRE).

Connectivity Check (for GRE, Optional): Configure similarly to Ethernet interfaces.

Related Setting: Configure WAN TRUNK or Policy Route if needed.

General Settings:

Enable Interface: Check to enable.

General IPv6 Setting (Optional):

Enable IPv6: Check to enable IPv6 on this VLAN.

Interface Properties:

Interface Type: Select ‘internal’, ‘external’, or ‘general’. This affects automatic routing/SNAT settings and available DHCP options.

Interface Name: Enter a name (e.g., vlan10).

Zone: Select the security zone (e.g., LAN1, DMZ, CUSTOM_ZONE).

Base Port: Select the physical Ethernet interface this VLAN runs on (e.g., ge3, sfp).

VLAN ID: Enter the VLAN tag number (1-4094).

Priority Code (Advanced): Set the 802.1p priority (0-7).

Description: Optional description.

IP Address Assignment (IPv4): Configure as ‘Get Automatically’ or ‘Use Fixed IP Address’, similar to Ethernet interfaces, depending on the Interface Type selected.

IPv6 Address Assignment (if IPv6 enabled): Configure SLAAC, static addressing, or Prefix Delegation as needed, similar to Ethernet interfaces.

DHCPv6 Setting (if IPv6 enabled): Configure as N/A, Client, Server, or Relay.

IPv6 Router Advertisement Setting (if IPv6 enabled): Configure RA settings.

Interface Parameters: Configure Egress/Ingress Bandwidth and MTU.

Connectivity Check (Optional, for external/general): Configure connectivity checks.

DHCP Setting (IPv4, for internal/general): Configure as None, DHCP Relay, or DHCP Server.

IP/MAC Binding (Optional): Configure static DHCP and IP/MAC binding.

RIP Setting (Optional): Configure RIP.

OSPF Setting (Optional): Configure OSPF.

MAC Address Setting (Optional, for external/general): Configure MAC address override.

Proxy ARP (Optional, for external/general): Configure Proxy ARP.

Related Setting: Configure WAN TRUNK or Policy Route if needed.

General Settings:

Enable Interface: Check to enable.

General IPv6 Setting (Optional):

Enable IPv6: Check to enable IPv6 on this bridge.

Interface Properties:

Interface Type: Select ‘internal’, ‘external’, or ‘general’.

Interface Name: Enter a name (e.g., br0).

Zone: Select the security zone (e.g., LAN1).

Description: Optional description.

Member Configuration:

Available: Lists interfaces that can be added to the bridge.

Member: Lists interfaces currently in the bridge.

Use the >> and << arrows to move interfaces between the Available and Member lists. Note: An interface cannot be added if it has a virtual interface or is part of another bridge. A bridge can contain at most one VLAN interface.

IP Address Assignment (IPv4): Configure as ‘Get Automatically’ or ‘Use Fixed IP Address’.

IPv6 Address Assignment (if IPv6 enabled): Configure SLAAC, static addressing, or Prefix Delegation.

DHCPv6 Setting (if IPv6 enabled): Configure as N/A, Client, Server, or Relay.

IPv6 Router Advertisement Setting (if IPv6 enabled): Configure RA settings.

Interface Parameters: Configure Egress/Ingress Bandwidth and MTU.

DHCP Setting (IPv4, for internal/general): Configure as None, DHCP Relay, or DHCP Server.

IP/MAC Binding (Optional): Configure static DHCP and IP/MAC binding.

Connectivity Check (Optional, for external/general): Configure connectivity checks.

Proxy ARP (Optional, for external/general): Configure Proxy ARP.

Related Setting: Configure WAN TRUNK or Policy Route if needed.

General Settings:

Enable: Check to enable the VTI.

Interface Properties:

Interface Name: Enter a name in vtix format (e.g., vti0).

Zone: Select the security zone (e.g., IPSec_VPN).

vpn-rule: Select the pre-configured VPN Connection rule that uses the VPN Tunnel Interface scenario.

IP Address Assignment:

IP Address: Enter the IPv4 address for this end of the VTI tunnel.

Subnet Mask: Enter the subnet mask for the VTI interface (often a /30 or /31 mask).

Metric: Enter the metric for routing purposes (0-15).

Enable IGMP Support: Optional, enable if multicast routing over VTI is needed.

Interface Parameters:

Egress/Ingress Bandwidth: Set bandwidth limits (Kbps).

RIP Setting (Optional): Configure RIP if needed for dynamic routing over the VTI.

OSPF Setting (Optional): Configure OSPF if needed for dynamic routing over the VTI.

Connectivity Check (Optional): Configure connectivity check for the tunnel endpoint if needed (appears when a vpn-rule is selected).

Related Setting: Configure WAN TRUNK or Policy Route if needed.

Name: Enter a descriptive name for the trunk (e.g., Main_Trunk, Failover_Trunk).

Load Balancing Algorithm: Select the desired method:

Least Load First: Sends new sessions to the least utilized member based on current bandwidth usage relative to configured capacity.

Weighted Round Robin: Distributes sessions based on assigned weights (requires configuring weights for members).

Spillover: Fills the first active interface up to its threshold (if set, otherwise its capacity) before sending new sessions to the next active interface.

Load Balancing Index(es) (Least Load First/Spillover): Select which traffic direction(s) the algorithm applies to (Outbound, Inbound, Outbound + Inbound). For Spillover, specify the Egress Bandwidth threshold (Kbps) for each interface before spilling over.

Click ‘Add’ in the member table section.

Member: Select a WAN interface (e.g., wan1, wan2, ppp0, cellular1) from the dropdown.

Mode: Choose ‘Active’ (interface participates in load balancing/is primary for failover) or ‘Passive’ (interface is used only if all Active members fail). Only one passive member is typically used per trunk.

Weight (Weighted Round Robin only): Assign a weight (1-10).

Bandwidth/Spillover: Displays bandwidth (for LLF) or allows setting the spillover threshold (for Spillover).

Repeat to add all desired WAN interfaces to the trunk.

Use ‘Edit’, ‘Remove’, or ‘Move’ to manage the member list. The order matters for Spillover.

Select ‘SYSTEM_DEFAULT_WAN_TRUNK’ to use the automatic trunk containing all external interfaces.

Select ‘User Configured Trunk’ and choose the trunk you created from the dropdown list to make it the default gateway for traffic not matching any policy routes.

Configuration:

Enable: Check to activate the route.

Description: Enter a descriptive name.

Criteria: Define the traffic this route applies to.

User: Select ‘any’ or a specific user/group object.

Incoming: Select the incoming interface (e.g., ‘any’, ‘lan1’, ‘ge3’). ‘any (Excluding ZyWALL)’ excludes traffic originating from the device itself.

Source Address: Select ‘any’ or an address/geoIP/FQDN object/group.

Destination Address: Select ‘any’ or an address/geoIP/FQDN object/group.

DSCP Code: Select ‘any’, ‘default’, a specific AF code, or ‘User Define’ (requires entering code in User-Defined DSCP Code field).

Schedule: Select ‘none’ for always active (if enabled) or a schedule object.

Service: Select ‘any’ or a service object/group.

Source Port (Advanced): Select ‘any’ or a service object/group for the source port.

Next-Hop: Define where matching traffic should be sent.

Type: Select the next-hop type:

Auto: Use the standard routing table.

Interface: Send out a specific interface towards a directly connected gateway.

Trunk: Send via a configured WAN Trunk.

VPN Tunnel: Send through a specific IPSec VPN tunnel (including VTI).

Gateway: Send to a specific gateway IP address (requires a HOST object for the gateway).

Specify the Interface, Trunk, VPN Tunnel, or Gateway object based on the selected Type.

Auto Destination Address (VPN Tunnel Type, Dynamic Peer): Automatically use the remote peer’s network as the destination.

DSCP Marking: Define how the DSCP value of outgoing packets is handled.

DSCP Marking: Select ‘preserve’, ‘default’, a specific AF value, or ‘User Define’ (requires entering code in User-Defined DSCP Marking field).

Address Translation (SNAT – IPv4 only): Define source NAT.

Source Network Address Translation: Select ‘none’, ‘outgoing-interface’, or a specific address object/group to use as the source IP.

Healthy Check (Optional): Configure connectivity checks for Interface or Gateway next-hop types.

Enable Connectivity Check: Enable the check.

Configure Method, Period, Timeout, Fail Tolerance, Check this address similar to interface connectivity checks.

Disable policy route automatically while Interface link down: Automatically disable this policy route if the next-hop interface or trunk goes down.

IPv4:

Destination IP: Enter the destination network address.

Subnet Mask: Enter the subnet mask for the destination network.

Select Next-Hop Type:

Gateway IP: Select this and enter the IP address of the next-hop router.

Interface: Select this and choose the outgoing interface from the dropdown.

Metric: Enter the cost metric for this route (0-127, lower is preferred).

IPv6:

Destination IP: Enter the destination IPv6 network address (use :: for default route).

Prefix Length: Enter the prefix length for the destination network (use 0 for default route).

Select Next-Hop Type:

Gateway IP: Select this and enter the IPv6 address of the next-hop router.

Interface: Select this and choose the outgoing interface from the dropdown.

Metric: Enter the cost metric for this route (0-127, lower is preferred).

Use the RIP screen (Configuration > Network > Routing > RIP) to configure the Zyxel Device to use RIP to receive and/or send routing information. Key configurations include:

Authentication: Specifies how to verify routing information. Options are None, Text (plain text password), or MD5 (most secure). Authentication is only available in RIP version 2.

Redistribute: Allows RIP to advertise routes learned from other protocols like OSPF or static routes. You must specify a Metric (cost) for these redistributed routes, typically between 0 and 16 (2 or 3 is common).

RIP uses UDP port 520.

RIP is suitable for small networks (up to 15 routers), uses hop count as its metric, and converges slowly. OSPF is suitable for large networks, uses multiple factors for its metric (bandwidth, hop count, etc.), and converges quickly.

Configuring OSPF involves several steps and screens:

1. Enable OSPF: This is typically done on the main OSPF screen.

2. Configure OSPF Router ID: Use the OSPF screen (Configuration > Network > Routing > OSPF) to set the Router ID. This can be set to ‘Default’ (uses the first available interface IP) or ‘User Defined’ (manually enter an IP address format ID).

3. Set up OSPF Areas: Use the OSPF Area Add/Edit screen (accessed from the OSPF screen) to create or edit areas. You define the Area ID (32-bit integer or IP format) and Area Type (Normal, Stub, NSSA).

4. Configure Area Authentication: Within the Area Add/Edit screen, set the default authentication (None, Text, MD5) for the area.

5. Configure Interfaces: Assign interfaces to the appropriate OSPF areas (See Section 10.5.1 in the PDF).

6. Configure Redistribution (Optional): On the OSPF screen, you can configure redistribution of routes learned from RIP into OSPF. Select ‘Active RIP’ and choose Type 1 or Type 2 metric calculation, specifying an external cost (Metric).

7. Set up Virtual Links (Optional): If an area is not directly connected to the backbone (Area 0), configure a virtual link through an intermediate Normal area on the relevant ABRs using the OSPF Area Add/Edit screen.

OSPF uses IP protocol 89.

OSPF Autonomous Systems (AS) are divided into areas:

Backbone (Area 0): The central transit area. All other areas must connect to the backbone (directly or via virtual link).

Normal Area: A standard area that has full routing information about the OSPF AS and any connected external networks.

Stub Area: Has routing information about the OSPF AS but lacks information about external networks. It uses a default route to send traffic outside the OSPF AS.

Not So Stubby Area (NSSA): Similar to a stub area but can import external routes (like those from RIP or static routes) learned by an ASBR within the NSSA. It still relies on a default route for other external destinations.

Routers in OSPF can perform different roles, and one router can have multiple roles:

Internal Router (IR): Exchanges routing information only with routers in the same area.

Area Border Router (ABR): Connects two or more areas (one of which is often the backbone Area 0). It filters, summarizes, and exchanges routing information between areas.

Autonomous System Boundary Router (ASBR): Exchanges routing information with routers outside the OSPF AS (e.g., routers running RIP or BGP). This process is called redistribution.

Backbone Router (BR): Any router with at least one interface in Area 0. All ABRs are backbone routers.

Designated Router (DR) / Backup Designated Router (BDR): Elected on multi-access network segments (like Ethernet) to reduce the amount of OSPF traffic. Routers on the segment only exchange information with the DR and BDR.

Redistribution is the process where an ASBR exchanges routing information between OSPF and another routing protocol (like RIP) or static routes. The Zyxel Device allows redistribution of RIP routes and static routes into OSPF.

From RIP to OSPF: Configured on the OSPF screen (Configuration > Network > Routing > OSPF). You enable ‘Active RIP’ and select a ‘Type’ (Type 1 or Type 2) for cost calculation and specify a ‘Metric’ (external cost). Routes learned from RIP are advertised into Normal and NSSA areas, but not Stub areas.

From OSPF to RIP: Configured on the RIP screen (Configuration > Network > Routing > RIP). You enable ‘Active OSPF’ and specify a ‘Metric’ (cost in RIP terms, 1-14). OSPF routes are advertised into the RIP network.

The table below shows which external sources can be redistributed into different OSPF area types:

A virtual link logically connects an area to the backbone (Area 0) through an intermediate “transit” area when a direct physical connection is not possible.

1. Go to the OSPF Area Add/Edit screen for the transit area (the area through which the virtual link will pass). This area must be a ‘Normal’ type area.

2. Navigate to the ‘Virtual Link’ section (this section only appears for Normal areas).

3. Click ‘Add’ to open the Virtual Link Add/Edit screen.

4. Enter the ‘Peer Router ID’ (the 32-bit Router ID of the ABR at the other end of the virtual link, which connects the area needing backbone access).

5. Configure ‘Authentication’ for the virtual link (None, Text, MD5, or Same as Area).

6. Click OK.

Note: You must configure the virtual link on the ABRs at both ends of the transit area. You cannot create a virtual link to a router in a different area.

Configuring BGP (eBGP) involves allowing BGP traffic and then setting up BGP parameters:

1. Allow BGP Packets:

Go to Configuration > Object > Service > Service Group.

Select the Default_Allow_WAN_To_ZyWALL rule and click Edit.

Move BGP from the Available list to the Member list.

Click OK.

2. Configure BGP Screen (Configuration > Network > Routing > BGP):

AS Number: Enter the Autonomous System number (1-4294967295) for the Zyxel Device. Private AS numbers are 4200000000 – 4294967294.

Router ID: Optionally, type the IP address of the interface on the Zyxel Device to use as the BGP Router ID.

Redistribute: Select ‘Connected’ to redistribute routes of directly attached devices into the BGP RIB.

Neighbors Section: Click ‘Add’ to configure peer BGP routers.

IP Address: Enter the peer BGP router’s IP address.

AS Number: Enter the peer BGP router’s AS number.

Enable EBGP Multihop (Optional): Select if the peer is not directly connected (specify max hops).

Update Source: Select the source IP for BGP sessions (Gateway IP, Interface, or None).

MD5 authentication key (Optional): Enter a shared password for MD5 authentication.

Weight (Optional): Specify a weight for routes learned from this peer (higher is preferred).

Keepalive Time: Interval for sending keepalive messages (default 60s).

Hold Time: Max time to wait for a keepalive before declaring peer dead (must be > Keepalive Time, default 180s).

Maximum Prefix (Optional): Limit the number of prefixes received from this neighbor.

Network Section: Click ‘Add’ to configure network routes (IP/mask bits) that will be announced to all BGP neighbors (up to 16).

3. Click Apply to save changes.

1. Get a DDNS Account: Sign up with a supported DDNS provider (e.g., DynDNS, Dynu, No-IP). Record your username, password, and the domain name you registered.

2. Configure the Zyxel Device:

Navigate to Configuration > Network > DDNS.

Click ‘Add’ to open the DDNS Add/Edit screen.

Check ‘Enable DDNS Profile’.

Enter a ‘Profile Name’.

Select your ‘DDNS Type’ (provider) from the list or choose ‘User custom’ for unsupported providers.

Optionally, enable ‘HTTPS’ if your provider supports it.

Enter your DDNS account ‘Username’ and ‘Password’ (retype to confirm).

Under DDNS Settings, enter the ‘Domain Name’ you registered.

Configure ‘Primary Binding Address’:

Interface: Select the WAN interface whose IP address should be associated with the domain name.

IP Address: Choose how the IP is determined: ‘Interface’ (uses the selected interface’s current IP), ‘Auto’ (DDNS server determines source IP, useful behind NAT), or ‘Custom’ (enter a static IP).

Configure ‘Backup Binding Address’ (optional) similarly, selecting an alternate interface (or ‘None’).

Configure Advanced options (Wildcard, Mail Exchanger – DynDNS only) if needed.

If using ‘User custom’, fill in ‘DYNDNS Server’, ‘URL’, and ‘Additional DDNS Options’.

3. Click OK to save the DDNS entry.

4. Click Apply on the main DDNS screen.

Note: You must have a public WAN IP address to use DDNS.

At the time of writing, the Zyxel Device supports the following DDNS service providers:

You can also use the ‘User custom’ option to configure other DDNS services.

1. Navigate to Configuration > Network > NAT.

2. Click ‘Add’ to create a new NAT rule (or select an existing rule and click ‘Edit’).

3. Check ‘Enable Rule’.

4. Enter a descriptive ‘Rule Name’.

5. Select the ‘Classification’ (Port Mapping Type):

Virtual Server: Makes internal servers accessible from the public network (most common for incoming traffic).

1:1 NAT: Maps one external IP to one internal IP for both incoming and outgoing traffic.

Many 1:1 NAT: Maps a range or subnet of external IPs to an equal-sized range or subnet of internal IPs.

6. Configure the ‘Mapping Rule’:

Incoming Interface: Select the interface where the external traffic arrives (e.g., wan1).

Source IP: Usually ‘any’, or specify allowed source IPs/objects.

External IP: The public IP address packets are sent to. Select ‘User Defined’ and enter the IP, select a host object, or choose an interface IP object. For Many 1:1 NAT, select a subnet or range object.

Internal IP: The private IP address packets should be forwarded to. Select ‘User Defined’ and enter the IP, or select a HOST address object. For Many 1:1 NAT, select a subnet or range object.

Port Mapping Type: (For Virtual Server) Select how ports are mapped: ‘Any’, ‘Port’, ‘Ports’, ‘Service’, or ‘Service-Group’.

Protocol Type: (If Port Mapping Type is Port or Ports) Select TCP, UDP, or Any.

External Port / Internal Port: (If Port Mapping Type is Port) Enter the original (external) and translated (internal) port numbers.

External/Internal Start/End Port: (If Port Mapping Type is Ports) Enter the ranges for original and translated ports (ranges must be the same size).

7. Configure ‘Related Settings’:

Enable NAT Loopback (Optional): Allows internal users to access internal servers using the external IP address.

Configure Security Policy: Click this link to create a corresponding firewall rule to allow the NAT traffic.

8. Click OK.

9. Click Apply on the main NAT screen.

Note: For SNAT (Source NAT, changing the source IP of outgoing traffic), configure this using Policy Routes (Configuration > Network > Routing > Policy Route).

Note: Consider enabling the “Use Static-Dynamic Route to Control 1-1 NAT Route” checkbox if using SiteToSite VPN and 1-1 SNAT to simplify routing.

NAT loopback allows users on an internal network (like LAN) to access a server on the same or another internal network using the server’s public (External IP) address defined in a NAT rule, instead of its private (Internal IP) address.

When NAT loopback is enabled for a NAT rule:

1. An internal user tries to connect to the server’s public IP address.

2. The Zyxel Device intercepts this traffic.

3. Instead of sending the traffic out to the Internet and back, it changes the destination IP to the server’s Internal IP address.

4. It also changes the source IP address of the traffic to the Zyxel Device’s own IP address on the user’s internal interface.

5. The server receives the traffic as if it came from the Zyxel Device’s internal interface IP and replies to that IP.

6. The Zyxel Device receives the reply, changes the source IP back to the server’s public IP, and forwards it to the original internal user.

This ensures that the connection succeeds because the reply traffic source matches the user’s original destination. Without NAT loopback, the server might reply directly to the user using its private IP, causing the user’s computer to drop the connection as the source IP doesn’t match the expected public IP.

You enable NAT Loopback in the ‘Related Settings’ section when adding or editing a NAT rule.

Port numbers identify specific services or applications on a network device. They range from 0 to 65535.

Well-known ports (0-1023): Reserved for standard, privileged services. Examples include:

• 20/21: FTP (File Transfer Protocol)
• 22: SSH (Secure Shell)
• 23: Telnet
• 25: SMTP (Simple Mail Transfer Protocol)
• 53: DNS (Domain Name System)
• 80: HTTP (Hypertext Transfer Protocol)
• 110: POP3 (Post Office Protocol version 3)
• 143: IMAP (Internet Message Access Protocol)
• 161: SNMP (Simple Network Management Protocol)
• 179: BGP (Border Gateway Protocol)
• 443: HTTPS (HTTP Secure)

Registered ports (1024-49151): Used by specific applications or services registered with IANA (Internet Assigned Numbers Authority).

Dynamic/Private ports (49152-65535): Used for temporary client-side connections.

The PDF provides a more extensive list (Table 123) of common ports.

Redirect Service forwards HTTP or SMTP traffic to a specific server (like a web proxy or dedicated SMTP server).

1. Navigate to Configuration > Network > Redirect Service.

2. Click ‘Add’ (or select an existing rule and click ‘Edit’).

3. Check ‘Enable’.

4. Select the ‘Service’ to redirect: HTTP Redirect or SMTP redirect.

5. Enter a descriptive ‘Name’ for the rule.

6. Under ‘Criteria’:

User: Select the user account or group this rule applies to (or ‘any’).

Interface: Select the incoming interface where the request must be received (or ‘any’).

Source Address: Select the source IP address object the traffic should come from (or ‘any’).

7. Under ‘Redirect Settings’:

Server: Enter the IP address of the HTTP proxy or SMTP server to redirect traffic to.

Port: Enter the service port number used by the redirect server.

8. Click OK.

9. Click Apply on the main Redirect Service screen.

Important:

You also need appropriate Security Policy rules to allow traffic from the client to the redirect server.

You typically need a Policy Route rule to allow traffic from the redirect server out to the Internet.

Redirect rules are checked before Policy Routes for the same traffic type.

ALGs help NAT-unfriendly applications (like SIP, H.323, FTP) work correctly through the Zyxel Device’s NAT and firewall by inspecting packet payloads and dynamically opening necessary ports or modifying embedded IP addresses.

1. Navigate to Configuration > Network > ALG.

2. For each protocol (SIP, H.323, FTP):

Check ‘Enable [Protocol] ALG’ to turn the ALG on or off.

Check ‘Enable [Protocol] Transformations’ if the Zyxel Device needs to modify IP addresses and port numbers embedded within the protocol’s data payload. Clear this if your end device or server handles transformations itself.

Enter the standard ‘[Protocol] Signaling Port’ (e.g., 5060 for SIP, 1720 for H.323, 21 for FTP).

Optionally, add ‘Additional [Protocol] Signaling Port for Transformations’ if the protocol uses non-standard ports.

3. For SIP ALG specifically:

Optionally, check ‘Enable Configure SIP Inactivity Timeout’ to override session timers.

Set ‘SIP Media Inactivity Timeout’ (time without voice traffic before dropping audio session).

Set ‘SIP Signaling Inactivity Timeout’ (time without signaling traffic before dropping signaling session).

Optionally, check ‘Restrict Peer to Peer Signaling Connection’ and ‘Restrict Peer to Peer Media Connection’ to only allow connections from registered IP addresses.

4. Click Apply.

Note: ALGs are generally only needed for traffic passing through NAT. You also need appropriate NAT (port forwarding) and Security Policy rules configured to allow the initial connection to internal servers.

UPnP (Universal Plug and Play) and NAT-PMP (NAT Port Mapping Protocol) allow devices on the internal network to automatically discover each other and configure port mappings on the Zyxel Device.

1. Navigate to Configuration > Network > UPnP.

2. Under ‘General Setting’:

Check ‘Enable UPnP’ to activate UPnP.

Check ‘Enable NAT-PMP’ to activate NAT-PMP.

Optionally, check ‘Allow UPnP or NAT-PMP to pass through Firewall’ to let application traffic bypass the security policy. If unchecked, security policies will block UPnP/NAT-PMP packets.

Select the ‘Outgoing WAN Interface’ (e.g., ‘ALL’ or a specific WAN interface) through which UPnP/NAT-PMP traffic should be sent.

3. Under ‘Support LAN List’:

Move the internal interfaces (e.g., lan1, lan2) on which you want to enable UPnP/NAT-PMP from the ‘Available’ list to the ‘Member’ list.

4. Click Apply.

Caution: Enabling UPnP/NAT-PMP can pose security risks as devices can automatically open ports. Disable it if not needed.

If UPnP is enabled on the Zyxel Device and your computer (Windows 7/10 examples provided):

Finding Devices:

1. Ensure Network Discovery is turned on in your Windows advanced sharing settings.

2. Open File Explorer (Windows Explorer in Win 7).

3. Click on ‘Network’ in the left pane.

4. UPnP-enabled devices, including the Zyxel Device, should appear under ‘Network Infrastructure’.

5. Right-click the Zyxel Device icon and select ‘Properties’. Click the ‘Network Device’ tab to view information like manufacturer, model, and IP address.

Accessing Web Configurator:

1. Follow steps 1-4 above to find the Zyxel Device icon in the Network view.

2. Right-click the Zyxel Device icon.

3. Select ‘View device webpage’.

4. The Zyxel Device’s web configurator login page should open in your browser, without needing to know its IP address beforehand.

IP/MAC Binding links a specific IP address to a specific MAC address on an interface, preventing other devices from using that IP address.

Enable Binding on an Interface:

1. Navigate to Configuration > Network > IP/MAC Binding.

2. Select the interface where you want to enforce binding.

3. Click ‘Edit’.

4. Check ‘Enable IP/MAC Binding’.

5. Optionally, check ‘Enable Logs for IP/MAC Binding Violation’.

Add Static Bindings (Optional but Recommended):

6. While editing the interface, go to the ‘Static DHCP Bindings’ section.

7. Click ‘Add’.

8. Enter the ‘IP Address’ you want to reserve.

9. Enter the ‘MAC Address’ of the device that should receive this IP.

10. Enter a ‘Description’.

11. Click OK.

12. Repeat steps 7-11 for all desired static bindings.

13. Click OK on the IP/MAC Binding Edit screen.

14. Click Apply on the IP/MAC Binding Summary screen.

Note: IP/MAC binding relies on the Zyxel Device’s DHCP server functionality (both dynamic leases and static bindings).

You can configure ranges of IP addresses where IP/MAC binding checks will not be applied.

1. Navigate to Configuration > Network > IP/MAC Binding.

2. Click the ‘Exempt List’ tab.

3. Click ‘Add’.

4. Enter a ‘Name’ for the exempt range.

5. Enter the ‘Start IP’ address of the range.

6. Enter the ‘End IP’ address of the range.

7. Click OK (or Apply on the main screen if adding directly there).

Layer 2 Isolation prevents devices connected to the same internal interface(s) from communicating directly with each other, except for devices specified in an Allow List.

Enable Layer 2 Isolation:

1. Navigate to Configuration > Network > Layer 2 Isolation.

2. On the ‘General’ tab, check ‘Enable Layer 2 Isolation’. (Note: Security Policy control must be enabled first).

3. In the ‘Member List’, move the internal interface(s) (e.g., lan1, Vlan10) on which you want to enable isolation from the ‘Available’ list to the ‘Member’ list.

4. Click Apply.

Configure Allow List (Optional):

5. Click the ‘Allow List’ tab.

6. Check ‘Enable Allow List’.

7. Click ‘Add’.

8. Check ‘Enable’ for the rule.

9. Enter the ‘Host IP Address’ of a device (e.g., a shared printer or server) that should be accessible by other devices on the isolated interface(s).

10. Enter an optional ‘Description’.

11. Click OK.

12. Repeat steps 7-11 for all devices to be allowed.

13. Click Apply.

Devices on an isolated interface can still access devices on non-isolated interfaces, the Zyxel Device itself, and the Internet (subject to firewall rules), and any device on the Allow List.

DNS Inbound Load Balancing allows the Zyxel Device to respond to DNS queries for a specific domain name with the IP address of the least loaded WAN interface.

1. Navigate to Configuration > Network > Inbound LB.

2. Check ‘Enable DNS Load Balancing’.

3. Click ‘Add’ under the Configuration section.

4. Check ‘Enable’ for the rule.

5. Under ‘DNS Settings’:

Enter the ‘Query Domain Name’ (e.g., http://www.example.com, *.example.com) that this rule applies to.

Set the ‘Time to Live’ (TTL) in seconds (0 means use DNS server’s TTL).

6. Under ‘Query From Settings’ (Optional):

Specify the ‘IP Address’ (source IP object) or ‘Zone’ from which queries must originate for this rule to apply (default is ‘any’).

7. Under ‘Load Balancing Member’:

Select the ‘Load Balancing Algorithm’: Weighted Round Robin, Least Connection, Least Load – Outbound, Least Load – Inbound, or Least Load – Total.

Optionally, enter a ‘Failover IP Address’ to return if all member interfaces are unavailable.

Click ‘Add’ to add a member interface.

Select the ‘Monitor Interface’ (e.g., wan1).

If using Weighted Round Robin, enter a ‘Weight’ (1-10).

Select the ‘IP Address’ to return for this interface (‘Same as Monitor Interface’ or ‘Custom’).

Click OK.

Repeat adding members for all desired WAN interfaces.

8. Click OK on the Add DNS Load Balancing screen.

9. Click Apply on the main DNS Load Balancing screen.

Note: You must also configure corresponding Security Policy and NAT rules to allow Internet users to access your internal servers via the WAN interface IPs used in the load balancing.

The Zyxel Device offers pre-defined scenarios to simplify IPSec VPN configuration:

These scenarios pre-fill certain settings in the VPN Connection and VPN Gateway configuration screens.

The VPN Connection defines the Phase 2 parameters (IPSec SA) for a VPN tunnel.

1. Navigate to Configuration > VPN > IPSec VPN > VPN Connection.

2. Click ‘Add’ (or select and ‘Edit’ an existing connection).

3. Check ‘Enable’.

4. Enter a ‘Connection Name’.

5. Select the ‘Application Scenario’ that best fits your needs.

6. Select the ‘VPN Gateway’ (Phase 1 settings) this connection will use. You might need to create this first.

7. Define the ‘Policy’:

Local Policy: Select the address object representing the network behind the Zyxel Device.

Remote Policy: Select the address object representing the network behind the remote peer.

Optionally enable ‘Policy Enforcement’ to strictly enforce traffic matching these policies.

8. Configure ‘Phase 2 Setting’:

Set the ‘SA Life Time’ (in seconds).

Select the ‘Active Protocol’ (ESP is most common).

Select ‘Encapsulation’ (Tunnel is most common).

Configure ‘Proposal(s)’: Click Add/Edit to define acceptable Encryption and Authentication algorithms (e.g., AES128/SHA256). Both sides must have at least one matching proposal.

Select ‘Perfect Forward Secrecy (PFS)’ DH group (or ‘none’ to disable).

9. Configure ‘Related Settings’:

Set the ‘Zone’ (usually IPSec_VPN).

Optionally enable ‘Connectivity Check’ to monitor tunnel status using ICMP or TCP.

10. Optionally configure ‘Inbound/Outbound traffic NAT’ if NAT is required specifically for this tunnel’s traffic.

11. Configure Advanced settings (Nailed-Up, Replay Detection, NetBIOS, MSS Adjustment, GRE, Mode Config, Configuration Payload) as needed based on scenario and peer requirements.

12. Click OK.

The VPN Gateway defines the Phase 1 parameters (IKE SA) for a VPN tunnel.

1. Navigate to Configuration > VPN > IPSec VPN > VPN Gateway.

2. Click ‘Add’ (or select and ‘Edit’ an existing gateway).

3. Check ‘Enable’.

4. Enter a ‘VPN Gateway Name’.

5. Select the ‘IKE Version’ (IKEv1 or IKEv2).

6. Configure ‘Gateway Settings’:

My Address: Select the Interface or enter the Domain Name/IP the Zyxel Device uses for this gateway.

Peer Gateway Address: Select ‘Static Address’ and enter the peer’s IP/Domain name, or select ‘Dynamic Address’ if the peer’s IP changes.

7. Configure ‘Authentication’:

Select ‘Pre-Shared Key’ and enter/confirm the key, or select ‘Certificate’ and choose the Zyxel Device’s certificate (My Certificates).

Configure ‘Local ID Type’/’Content’ and ‘Peer ID Type’/’Content’ to match the peer’s configuration.

8. Configure ‘Phase 1 Settings’:

Set the ‘SA Life Time’ (in seconds).

Select the ‘Negotiation Mode’ (Main/Aggressive for IKEv1; IKEv2 uses a standard mode).

Configure ‘Proposal(s)’: Click Add/Edit to define acceptable Encryption, Authentication algorithms, and the ‘Key Group’ (Diffie-Hellman group, e.g., DH2, DH5, DH14). Both sides must have at least one matching proposal.

Enable ‘NAT Traversal’ if NAT exists between peers (always on for IKEv2).

Enable ‘Dead Peer Detection (DPD)’ (always on for IKEv2).

9. Configure ‘X-Auth’ (IKEv1) or ‘Extended Authentication Protocol’ (IKEv2) if needed for user authentication (Server Mode or Client Mode).

10. Click OK.

A VPN Concentrator is a configuration on the Zyxel Device (acting as a hub) that combines multiple individual IPSec VPN connections (spokes) into a single logical entity. It simplifies management and routing in a hub-and-spoke topology compared to a fully-meshed setup where every site connects directly to every other site.

Instead of each spoke needing routes for every other spoke, they only need a route to the hub (concentrator). The concentrator handles routing traffic between the different spokes.

Requirements/Suggestions:

• Local policy IP addresses in the member VPN rules should not overlap.
• The concentrator needs at least one VPN rule per spoke.
• Security policies can still block VPN traffic.
• Policy Enforcement must be disabled for member VPN Connection rules.

Configure it under Configuration > VPN > IPSec VPN > Concentrator.

1. Ensure you have already configured the individual IPSec VPN Gateway and VPN Connection policies for each spoke router that will connect to this hub.

2. Important: For each VPN Connection policy that will be part of the concentrator, edit it and ensure ‘Policy Enforcement’ under the ‘Policy’ section is disabled.

3. Navigate to Configuration > VPN > IPSec VPN > Concentrator.

4. Choose ‘IPv4 Configuration’ or ‘IPv6 Configuration’.

5. Click ‘Add’.

6. Enter a ‘Name’ for the concentrator.

7. In the ‘Member’ section, select the pre-configured VPN Connection policies (from step 1) from the ‘Available’ list and move them to the ‘Member’ list using the arrow buttons.

8. Click OK.

Configuration Provisioning allows the Zyxel Device IPSec VPN Client software (installed on a user’s computer) to automatically retrieve VPN rule settings from the Zyxel Device simply by entering the Zyxel Device’s IP address.

This simplifies client setup as manual configuration is not needed.

Configure which users or groups can retrieve settings via Configuration > VPN > IPSec VPN > Configuration Provisioning.

Restrictions:

The VPN rules provisioned cannot use:

• AH active protocol
• NULL encryption
• SHA512 authentication
• A subnet or range as the remote policy

The associated VPN Gateway rules cannot use:

• IKEv2 version (for IPv4 rules)
• User-based PSK authentication (for IPv4 rules)

You must enable IPv6 in System > IPv6 on the Zyxel Device to provision IPv6 VPN rules.

This example uses Android software version 13.

1. Go to Settings, search for “VPN”, open the VPN settings screen, and then tap Add.

2. Enter a name for the VPN rule in the Name field.

3. Select IKEv2 as Type.

4. Enter the WAN IP address your Zyxel Device is currently using in the Server address field.

5. Enter the IPSec identifier. By default, it is 0.0.0.0.

6. Enter the pre-shared key in the IPSec pre-shared key field. You can find the pre-shared key on the VPN Gateway screen in the Web Configurator.

7. Tap Save to create the VPN rule.

8. Select the VPN rule you created and tap Connect.

9. To check the connection status, go to Configuration > VPN > IPSec VPN in the Web Configurator.

This example uses iOS software version 17.

1. Go to Settings, search for “VPN”, open the VPN & Device Management screen, and then tap Add VPN Configuration.

2. Select IKEv2 as Type.

3. Enter a name for the VPN rule in the Name field.

4. Enter the WAN IP address your Zyxel Device is currently using in the Server field.

5. Enter the Remote ID. By default, it is 0.0.0.0.

6. Select None as User Authentication.

7. Disable Use Certificate.

8. Enter the pre-shared key in the Password field. You can find the pre-shared key on the VPN Gateway screen in the Web Configurator.

9. Tap Done to create the VPN rule.

10. Select the VPN rule you created and tap Connect.

11. To check the connection status, go to Configuration > VPN > IPSec VPN in the Web Configurator.

Table 148 VPN Example: Matching ID Type and Content

Table 149 VPN Example: Mismatching ID Type and Content

If the Zyxel Device (Z) is behind a NAT router (N), then do the following for remote clients (C) to access the network behind the Zyxel Device (Z) using L2TP over IPv4.

1. Create an address object in Configuration > Object > Address/GEO IP > Address for the WAN IP address of the NAT router.

2. Go to Configuration > VPN > IPSec VPN > VPN Connection and click Add for IPv4 Configuration to create a new VPN connection.

3. Select Remote Access (Server Role) as the VPN scenario for the remote client.

4. Select the NAT router WAN IP address object as the Local Policy.

5. Go to Configuration > VPN > L2TP VPN and select the VPN Connection just configured.

In the following table the configured rates total less than the available bandwidth and maximize bandwidth usage is disabled, both servers get their configured rate.

Table 155 Configured Rate Effect

Here the configured rates total more than the available bandwidth. Because server A has higher priority, it gets up to its configured rate (800 kbps), leaving only 200 kbps for server B.

Table 156 Priority Effect

With maximize bandwidth usage enabled, after each server gets its configured rate, the rest of the available bandwidth is divided equally between the two. So server A gets its configured rate of 300 kbps and server B gets its configured rate of 200 kbps. Then the Zyxel Device divides the remaining bandwidth (1000 – 500 = 500) equally between the two (500 / 2 = 250 kbps for each). The priority has no effect on how much of the unused bandwidth each server gets.

So server A gets its configured rate of 300 kbps plus 250 kbps for a total of 550 kbps. Server B gets its configured rate of 200 kbps plus 250 kbps for a total of 450 kbps.

Table 157 Maximize Bandwidth Usage Effect

Server A has a configured rate that equals the total amount of available bandwidth and a higher priority. You should regard extreme over allotment of traffic with different priorities (as shown here) as a configuration error. Even though the Zyxel Device still attempts to let all traffic get through and not be lost, regardless of its priority, server B gets almost no bandwidth with this configuration.

Table 158 Priority and Over Allotment of Bandwidth Effect

Scenario: Client on LAN1 uses Teams. Goal is to prioritize Teams traffic.

Configuration Steps:

1. Go to Configuration > BWM. Click Add.

2. Set the BWM Type to Shared to apply the BWM rule to all matched traffic.

3. Under Criteria > Service Type, select Application Object, then click the Application Group field and select Teams.

4. Set Guaranteed Bandwidth (Inbound/Outbound) and Priority. For example, set Inbound and Outbound to 20000 kbps and Priority to 1 (highest).

5. Select Maximize Bandwidth Usage to allow the traffic that matches this rule borrow all unused bandwidth on the outgoing interface.

6. Click OK to save your changes.

Example Parameters (based on text and screenshot interpretation):

Open the Configuration > Web Authentication > General screen, then click the Add icon or select an entry and click the Edit icon in the Web Authentication Policy Summary section to open the Auth. Policy Add/Edit screen.

Set up user accounts in the RADIUS server. This example uses the Web Configurator. If you can export user names from the RADIUS server to a text file, then you might configure a script to create the user accounts instead.

1. Click Configuration > Object > User/Group > User. Click the Add icon.

2. Enter the same user name that is used in the RADIUS server, and set the User Type to ext-user because this user account is authenticated by an external server. Click OK.

3. Repeat this process to set up the remaining user accounts.

Set up the user groups and assign the users to the user groups.

1. Click Configuration > Object > User/Group > Group. Click the Add icon.

2. Enter the name of the group. In this example, it is “Finance”. Then, select Object/Leo and click the right arrow to move him to the Member list. This example only has one member in this group, so click OK. Of course you could add more members later.

3. Repeat this process to set up the remaining user groups.

This step sets up user authentication using the RADIUS server. First, configure the settings for the RADIUS server. Then, set up the authentication method, and configure the Zyxel Device to use the authentication method.

1. Click Configuration > Object > AAA Server > RADIUS. Double-click the radius entry. Configure the RADIUS server’s address, authentication port (1812 if you were not told otherwise), and key. Click OK.

2. Click Configuration > Object > Auth. Method. Double-click the default entry. Click the Add icon. Select group radius because the Zyxel Device should use the specified RADIUS server for authentication. Click OK.

3. Click Configuration > Web Authentication. In the Web Authentication > General screen, select Enable Web Authentication to turn on the web authentication feature and click Apply.

4. In the Web Authentication Policy Summary section, click the Add icon to set up a default policy that has priority over other policies and forces every user to log into the Zyxel Device before the Zyxel Device routes traffic for them.

5. Select Enable Policy. Enter a descriptive name, “default_policy” for example. Set the Authentication field to required, and make sure Force User Authentication is selected. Select an authentication type profile (“default-web-portal” in this example). Keep the rest of the default settings, and click OK.

Note: The users must log in at the Web Configurator login screen before they can use HTTP or MSN.

When the users try to browse the web (or use any HTTP application), the login screen appears. They have to log in using the user name and password in the RADIUS server.

The previous example showed how to have a RADIUS server authenticate individual user accounts. If the RADIUS server has different user groups distinguished by the value of a specific attribute, you can make a couple of slight changes in the configuration to have the RADIUS server authenticate groups of user accounts defined in the RADIUS server.

1. Click Configuration > Object > AAA Server > RADIUS. Double-click the radius entry. Besides configuring the RADIUS server’s address, authentication port, and key; set the Group Membership Attribute field to the attribute that the Zyxel Device is to check to determine to which group a user belongs. This example uses Class. This attribute’s value is called a group identifier; it determines to which group a user belongs. In this example the values are Finance, Engineer, Sales, and Boss.

2. Now you add ext-group-user objects to identify groups based on the group identifier values. Set up one user account for each group of user accounts in the RADIUS server. Click Configuration > Object > User/Group > User. Click the Add icon.

3. Enter a user name and set the User Type to ext-group-user. In the Group Identifier field, enter Finance, Engineer, Sales, or Boss and set the Associated AAA Server Object to radius.

4. Repeat this process to set up the remaining groups of user accounts.

These are the screens you need to configure:

• Configure the Zyxel Device to Communicate with SSO on page 563

• Enable Web Authentication on page 564

• Create a Security Policy on page 566

• Configure User Information on page 567

• Configure an Authentication Method on page 568

• Configure Active Directory on page 569

Use Configuration > Web Authentication > SSO to configure how the Zyxel Device communicates with the Single Sign-On (SSO) agent.

After you install the SSO agent, you will see an icon in the system tray (bottom right of the screen).

Right-click the SSO icon and select Configure Zyxel SSO Agent.

Configure the Agent Listening Port, AD server exactly as you have done on the Zyxel Device. Add the Zyxel Device IP address as the Gateway. Make sure the Zyxel Device and SSO agent are able to communicate with each other.

Configure the Server Address, Port, Base DN, Bind DN, Login Name Attribute and Group Membership for the AD server settings exactly as you have done on the Zyxel Device. Group Membership is called Group Identifier on the Zyxel Device.

Configure the Gateway IP address, Gateway Port and PreShareKey exactly as you have done in the Zyxel Device Configuration > Web Authentication > SSO screen. If you want to use Generate Key to have the SSO create a random password, select Check to show PreShareKey as clear Text so as to see the password, then copy and paste it to the Zyxel Device.

After all SSO agent configurations are done, right-click the SSO icon in the system tray and select Enable Zyxel SSO Agent.

Table 191 Blocking All LAN to WAN IRC Traffic Example

• The first row blocks LAN access to the IRC service on the WAN.
• The second row is the Security Policy’s default policy that allows all LAN1 to WAN traffic.

Method 1: Using CEO’s IP Address (e.g., 172.16.1.7)

Configure the policies as shown in Table 192. The first rule allows IRC traffic specifically from the CEO’s IP address. The second rule denies IRC traffic from all other LAN sources. The third rule is the default policy allowing other traffic.

Table 192 Limited LAN1 to WAN IRC Traffic Example 1

• The first row allows the LAN1 computer at IP address 172.16.1.7 to access the IRC service on the WAN.
• The second row blocks LAN1 access to the IRC service on the WAN.
• The third row is the default policy of allowing all traffic from the LAN1 to go to the WAN.

Method 2: Using CEO’s User Name (e.g., CEO)

Configure the policies as shown in Table 193. The first rule allows IRC traffic for the user “CEO” regardless of the source IP address. The second rule denies IRC traffic for all other users. The third rule is the default policy.

Table 193 Limited LAN1 to WAN IRC Traffic Example 2

• The first row allows any LAN1 computer to access the IRC service on the WAN by logging into the Zyxel Device with the CEO’s user name.
• The second row blocks LAN1 access to the IRC service on the WAN.
• The third row is the default policy of allowing allows all traffic from the LAN1 to go to the WAN.

Important Note on Policy Order: In both methods, the policy allowing the CEO’s traffic *must* come before the policy that blocks general IRC traffic. This ensures the CEO’s traffic matches the allow rule first.

Has a static IP address configured directly on the computer,

OR

You configure a static DHCP entry for it on the Zyxel Device. This makes the Zyxel Device’s DHCP server always assign the same IP address to that computer based on its MAC address.

– Set up web content filtering profiles (General screens).

– Create a common list of allowed websites (Trusted Web Sites).

– Create a common list of blocked websites (Forbidden Web Sites).

– Block specific web features like cookies or ActiveX by inspecting web pages.

– Block access to websites by inspecting the URL or Server Name Indication (SNI).

– Set up DNS content filtering profiles (General screens).

– Create a list of allowed website addresses (Allow List).

– Create a list of blocked website addresses (Block List).

– Block access even if the user is using TLS 1.3 with Encrypted SNI (ESNI), unlike the Web Content Filter.

1. A user enters a URL into their web browser.

2. The user’s computer sends a DNS query for the URL.

3. The DNS server returns an IP address for the URL.

4. The user’s web browser connects to the IP address.

5. The Web Content Filter detects an HTTP(S) connection and inspects the website requested, often using Server Name Indication (SNI) for HTTPS traffic.

6. If the website contains prohibited material according to the configured policies and profiles, the HTTP request is redirected to a block page (or the connection is dropped/handled as configured).

– Use schedule objects to define *when* to apply a content filter profile.

– Use address and/or user/group objects to define *to whose* web access the content filter profile applies.

– Apply a specific, custom-tailored content filter *profile* that defines the filtering rules (categories, features, specific sites).

– Category-based Blocking: Block access to websites based on predefined content categories (e.g., pornography, gambling).

– Restrict Web Features: Disable web proxies and block features like ActiveX controls, Java applets, and cookies.

– Customize Web Site Access: Specify particular URLs to block or, alternatively, block all URLs except specific allowed ones. You can also block URLs containing specific keywords.

– If the default policy is not set to block, the request is allowed.

– If the default policy is set to block, the request is blocked.

– The domain name/IP address is the part before the first slash (e.g., `www.zyxel.com.tw` in `www.zyxel.com.tw/news/pressroom.php`).

– The file path is the part after the first slash (e.g., `news/pressroom.php` in the same URL).

1. A user enters a URL into their web browser.

2. The user’s computer sends a DNS query for the URL (to the Zyxel Device if it’s the DNS server/forwarder).

3. The DNS Content Filter inspects the requested website domain in the DNS query packet.

4. If the website domain matches prohibited criteria, the DNS reply sent back to the user is altered to redirect the user to a block page IP address instead of the actual website’s IP.

– An address object (defining source/destination IPs or users/groups)

– A schedule object (defining when the policy applies)

– A filtering profile (defining the specific content filtering rules, categories, actions, etc.)

Access the screen by navigating to Configuration > Security Service > Content Filter > Web Content Filter > General.

Use this screen to:

– Enable overall content filtering.

– Enable specific features like HTTPS Domain Filter.

– Configure global settings like block/warn pages, redirect URLs, and denied access messages.

– Set the timeout for the category service.

– Test website categories.

– Manage (Add, Edit, Remove, Reorder) Web Content Filter profiles.

Refer to Table 194 for details on each field.

Table 194 Configuration > Security Service > Content Filter > Web Content Filter> General (Selected Fields)

1. Navigate to the Web Content Filter General screen (Configuration > Security Service > Content Filter > Web Content Filter > General).

2. In the Profile Management section, select the content filter profile you want to apply.

3. Click the icon in the Action column for that profile.

4. This will take you to the Configuration > Security Policy > Policy Control screen.

5. Find the security policy rule you want to apply the profile to (e.g., LAN1_Outgoing).

6. Edit that security policy rule.

7. In the policy rule’s settings, locate the UTM Profile section.

8. Select your desired Web Content Filter profile from the dropdown list.

9. Configure the logging option for the profile (e.g., Log: by profile).

10. Click OK to save the changes to the security policy rule.

Table 195 Configuration > Security Service > Content Filter > Action (Columns)

1. Navigate to Configuration > Security Service > Content Filter > Web Content Filter > General.

2. In the Profile Management section, click Add to create a new profile or select an existing profile and click Edit.

3. Ensure the Category Service tab is selected.

4. Configure the General Settings:

– Enter a Name and optional Description.

– Optionally enable SafeSearch for supported search engines.

– Enable Content Filter Category Service to use the external database (requires license).

– Configure logging options (Log all web pages).

– Choose the Action (Pass, Block, Warn, Log) for Managed Web Pages (categorized sites).

– Choose the Action (Pass, Block, Warn, Log) for Unrated Web Pages (uncategorized sites).

– Choose the Action (Pass, Block, Warn) when the Category Server is unavailable.

– Optionally enable Log-alert for Block/Warn actions.

5. Select Categories: Check the boxes for the website categories you want to manage (typically block).

6. Optionally test a URL against the category server.

7. Click OK to save the profile.

Refer to Table 196 for detailed descriptions of each field.

Table 196 Configuration > Security Service > Content Filter > Web Content Filter > General > Add > Category Service (Selected Fields)

– Adult Topics: Content unsuitable for children.

– Alcohol: Sites selling/promoting alcohol.

– Anonymizing Utilities: Services that hide user identity.

– Auctions Classifieds: Online bidding/selling sites.

– Blogs/Wiki: Sites with dynamic user-generated content.

– Business: Business-related information and services.

– Chat: Real-time web-based messaging rooms (includes IRC).

– Computing Internet: Computer hardware/software reviews, news.

– Consumer Protection: Sites known for cheating consumers.

– Content Server: URLs hosting images/media for other sites.

– Dating Personals: Online dating, matchmaking sites.

– Drugs: Information on illegal/recreational drugs.

– Education Reference: Academic content, school sites.

– Entertainment: Movies, music, TV, celebrity news.

– Finance Banking: Financial information, online banking access.

– Gambling: Sites allowing online betting/wagering.

– Games: Online games, cheats, game info (non-profit).

– Government Military: Official government/military sites.

– Health: Health information and services.

– Illegal UK: Specific illegal content hosted in the UK.

– Information Security: Legitimate data protection information.

– Job Search: Job listings, resume help.

– Media Sharing: Sites for uploading/sharing media files.

– Pornography: Materials intended to be sexually arousing.

– Remote Access: Sites providing remote computer access.

– Social Networking: General social interaction sites.

– Weapons: Information on buying, making, using weapons.

… and many others.

Refer to Table 197 in the PDF for the complete list and detailed descriptions of all categories.

1. Navigate to Configuration > Security Service > Content Filter > Web Content Filter > General.

2. Click Add or select a profile and click Edit.

3. Select the Custom Service tab.

4. Configure the General Settings:

– Enter a Name and optional Description.

– Select Enable Custom Service.

– Optionally, select Allow web traffic for trusted web sites only to block everything *except* sites in the Trusted list.

– Optionally, select Check Common Trusted/Forbidden List to include the global lists configured separately.

5. Configure Restricted Web Features:

– Check boxes under Block to block ActiveX, Java, Cookies, or Web Proxy access.

– Optionally, select Allow Java/ActiveX/Cookies/Web proxy to trusted web sites to permit these features only for sites in the profile’s Trusted Web Sites list.

6. Manage Trusted Web Sites:

– Click Add/Edit/Remove to manage the list of allowed websites (enter domain names like `*.example.com` or `www.good-site.com`).

7. Manage Forbidden Web Sites:

– Click Add/Edit/Remove to manage the list of blocked websites (enter domain names like `*.bad-site.com`).

8. Manage Blocked URL Keywords:

– Click Add/Edit/Remove to manage the list of keywords. URLs containing these keywords in the domain name or path will be blocked (e.g., `*keyword*`).

9. Click OK to save the profile.

Refer to Table 198 for detailed descriptions of each field.

Table 198 Configuration > Security Service > Content Filter > Web Content Filter > General > Custom Service (Selected Fields)

These lists provide a global set of allowed (Trusted) and blocked (Forbidden) websites that can be referenced by individual Content Filter profiles.

Accessing the Lists:

– Navigate to Configuration > Security Service > Content Filter > Web Content Filter > Trusted/Forbidden Web Sites.

– Click the Trusted Web Sites tab for the allowed list or the Forbidden Web Sites tab for the blocked list.

Managing Entries:

– Use the Add, Edit, and Remove buttons to manage the site entries.

– Enter host names (e.g., `www.example.com`, `*.example.com`). Do not include “http://&#8221;.

– Use “*” as a wildcard to match any string. Entries must contain at least one “.”. Maximum 127 characters, case-insensitive.

– Click Apply to save changes.

Using the Lists:

– Within a specific Web Content Filter profile (under the Custom Service tab), check the box labeled “Check Common Trusted/Forbidden List” to make that profile use these global lists in addition to its own specific lists.

Refer to Table 199 (Trusted) and Table 200 (Forbidden) for screen label details.

Table 199/200 Configuration > Security Service > Content Filter > Web Content Filter > Trusted/Forbidden Web Sites (Selected Fields)

Access the screen by navigating to Configuration > Security Service > Content Filter > DNS Content Filter > General.

Use this screen to:

– Configure the Redirect IP address (default or custom) used when a DNS query is blocked.

– Test domain name categories.

– Manage (Add, Edit, Remove, Reorder) DNS Content Filter profiles.

Refer to Table 201 for details on each field.

Table 201 Configuration > Security Service > Content Filter > DNS Content Filter> General (Selected Fields)

1. Navigate to Configuration > Security Service > Content Filter > DNS Content Filter > General.

2. In the Profile Management section, click Add or select a profile and click Edit.

3. Configure the General Settings:

– Enter a Name and optional Description.

– Select the Action (pass or redirect) for matching categories.

– Select the Log option (no, log, alert).

– Optionally enable SafeSearch and Restrict YouTube Access (Strict or Moderate).

4. Configure Scan Options:

– Optionally check Allow List and/or Block List to use the globally defined DNS Allow/Block lists.

5. Select Categories:

– Check the boxes for the website categories you want this profile’s Action to apply to.

– Optionally, Clone Categories Setting From Profile to copy settings from an existing profile.

6. Optionally test a domain name.

7. Click OK to save the profile.

Refer to Table 202 for detailed descriptions of each field.

Table 202 DNS Content Filter Add/Edit Profile (Selected Fields)

These lists provide global sets of allowed (Allow List) and blocked (Block List) domains/IPs specifically for the DNS Content Filter feature.

Accessing the Lists:

– Navigate to Configuration > Security Service > Content Filter > DNS Content Filter.

– Click the Allow List tab or the Block List tab.

Managing Entries:

– Use the Add, Edit, and Remove buttons.

– When Adding/Editing, enter the IPv4 address (Allow List) or domain/FQDN (Block List) associated with the rule.

– Use Activate and Inactivate buttons to enable or disable specific rules.

– Click Apply to save changes.

Using the Lists:

– Within a specific DNS Content Filter profile, check the boxes labeled “Check Allow List” and/or “Check Block List” to make that profile use these global lists. The Allow List check happens first, bypassing other checks if matched. The Block List check typically happens next, blocking if matched.

Refer to Table 204 (Allow List) and Table 205 (Block List) for screen label details.

Table 204/205 DNS Content Filter Allow/Block List (Selected Fields)

1. A computer behind the Zyxel Device tries to access a website.

2. The Zyxel Device first checks its local Content Filter Cache for the website’s category. If found, it applies the configured action (block, log, etc.) based on the cached category.

3. The Content Filter Cache screen allows configuration of cache duration. The cache is cleared on device restart.

4. If the website is not in the cache, the Zyxel Device queries the external content filter database AND simultaneously sends the user’s request to the web server.

5. The external content filter server responds with the category information. The Zyxel Device then blocks and/or logs access based on the profile settings for that category and stores the website’s address and category in its local cache.

This example demonstrates blocking TeamViewer, often categorized under “Remote Access”.

Step 1: Create/Edit a Content Filtering Profile

1. Go to Configuration > Security Service > Content Filter > Web Content Filter > General.

2. Click Add (or Edit an existing profile). Name it (e.g., NoRemoteAccess).

3. On the Category Service tab:

– Ensure Enable Content Filter Category Service is checked.

– Set Action for Managed Web Pages to Block.

– Select Log for Action for Managed Web Pages.

– Check the box for the Managed Category: Remote Access.

– Optionally enable Log-alert for Block/Warn action.

(See Table 206 for parameter summary)

Step 2: Add TeamViewer to Forbidden Sites/Keywords (Optional but Recommended)

1. In the same profile (NoRemoteAccess), go to the Custom Service tab.

2. Select Enable Custom Service.

3. Under Forbidden Web Sites, click Add.

4. Enter `*.*teamviewer*.*` as the keyword/site. (See Table 207)

5. Click OK to save the profile.

Step 3: Apply the Profile to Security Policy

1. Go to Configuration > Security Policy > Policy Control.

2. Select the outgoing LAN policy (e.g., LAN1_Outgoing, LAN2_Outgoing) and click Edit.

3. In the UTM Profile section, select the Web Content Filter profile you created (NoRemoteAccess).

4. Set Log to ‘by profile’.

5. Click OK.

6. Repeat for other LAN outgoing policies if necessary (e.g., LAN2_Outgoing).

Step 4: Verify

1. Check the Policy Control screen; mouse-over the UTM profile icon for the LAN_Outgoing rules to confirm NoRemoteAccess is applied.

2. Check logs in Monitor > Log > View Log for blocked attempts if LAN clients try to access TeamViewer.

Parameter Summary Tables:

Table 206 Content Filtering Profile Configuration Example

Table 207 Forbidden Web Sites Configuration Example

Table 208 Security Policy Configuration Example

– General Profile screens: Turn anti-spam on/off, manage anti-spam policies, and define actions for exceeding mail session thresholds.

– Mail Scan screen: Enable and configure specific mail scanning functions like malicious mail checking and query timeouts.

– Block/Allow List screens: Set up custom lists to explicitly identify spam (Block List) or legitimate email (Allow List) based on sender IP/email, headers, or subject.

– DNSBL screens: Configure the device to check email sender/relay IPs against external DNS Black Lists.

Access the screen by navigating to Configuration > Security Service > Anti-Spam.

Use this screen to:

– Turn the anti-spam feature on or off globally (implicitly by having active profiles and applying them).

– Select the action (Forward Session or Drop Session) the device takes when the concurrent mail session threshold is reached.

– Manage (Add, Edit, Remove, Reorder) Anti-Spam profiles.

– Check the status of your Anti-Spam service license.

Refer to Table 209 for details on each field.

Table 209 Configuration > Security Service > Anti-Spam > Profile (Selected Fields)

1. Navigate to Configuration > Security Service > Anti-Spam.

2. In the Profile Management section, click Add or select an existing profile and click Edit.

3. Configure the General Settings:

– Enter a Name and optional Description.

– Select the Log option (no, log, log alert) for events related to this profile (DNSBL timeouts, list matches).

4. Configure Scan Options:

– Check the boxes for the lists/checks you want this profile to perform: Check Allow List, Check Block List, Check Malicious Mail, Check DNSBL.

5. Configure Actions For Spam Mail:

– For SMTP, select the action: drop, forward, or forward-with-tag.

– For POP3, select the action: forward or forward-with-tag.

6. Click OK to save the profile.

Refer to Table 210 for detailed descriptions of each field.

Table 210 Configuration > Security Service > Anti-Spam > Profile > Add (Selected Fields)

Access the screen by navigating to Configuration > Security Service > Anti-Spam > Mail Scan.

Use this screen to enable and configure Mail Scan functions, which must be enabled here before they can be selected within an Anti-Spam profile.

Options:

– Enable Malicious Mail Checking: Turn on checking for malicious content.

– Define the tag (e.g., `[Malicious]`) added to the subject of detected emails.

– Define a custom X-Header name/value added to detected emails.

– Query Timeout Settings: Configure how the device handles timeouts when querying external mail scan servers (if applicable, though DNSBL timeout is separate).

– Define actions for SMTP and POP3 timeouts (drop, forward, forward with tag).