alexalexalex

VPN access to VLANs on a Zyxel USG 60

Hello everyone,

I am trying to set up a perfectly ordinary client-to-server L2TP-over-IPsec VPN on my USG 60. The VPN connection works fine, and through the VPN I can reach the Internet and my USG without any problem. I just cannot get access to my VLAN 10 and VLAN 20. I am doing something wrong here. My understanding was that I do not need any routing rules for LAN access and only need a suitable firewall rule, which for testing purposes I believe I have defined in a completely open form. It simply does not work.

With my knowledge I just cannot get it done. I think that with all the trial and error I have by now thoroughly botched my config.

I have often read great Zyxel tips here from colleagues who know these devices inside out, and I am hoping for a tip.

I have attached my anonymised config.

If anyone looking through it also spots a tip for my second problem, I would be very grateful as well. That problem is that my VoIP channels, used by my Auerswald PBX which is connected to the USG, always stop working as soon as the USG is assigned a new IP address by the ISP. I have been struggling with that for ages too...

Many thanks for any hint!


! saved at 2015-05-19 16:15:38
! model: USG60
! firmware version: 4.11(AAKY.2)
!
language German
!
hardware-watchdog-timer start
!
software-watchdog-timer 60
!
interface-name ge1 wan1
interface-name ge2 wan2
interface-name ge3 lan1
interface-name ge4 lan2
interface-name ge5 dmz
!
interface-name ppp0 ppp0
!
username admin encrypted-password xxx user-type admin
username xxx encrypted-password xxx user-type user
username xxx description xxx
username xxx logon-time-setting default
username xxx encrypted-password xxx user-type user
username xxx description xxx
username xxx logon-time-setting default
username xxx encrypted-password xxx user-type user
username xxx description xxx
username xxx logon-time-setting default
username xxx encrypted-password xxx user-type user
username xxx description xxx
username xxx logon-time-setting default
username xxx encrypted-password xxx user-type user
username xxx description xxx
username xxx logon-time-setting default
username xxx encrypted-password xxx user-type user
username xxx description xxx
username xxx logon-time-setting default
username xxx encrypted-password xxx user-type user
username xxx description xxx
username xxx logon-time-setting default
username xxx encrypted-password xxx user-type user
username xxx description xxx
username xxx logon-time-setting default
!
groupname VPN-user
user xxx
user xxx
user xxx
user xxx
user xxx
user xxx
user xxx
user xxx
user xxx
!
port-grouping lan1
port 3
!
port-grouping lan2
port 4
!
port-grouping dmz
port 6
port 5
!
account pppoe WAN1_PPPoE_ACCOUNT
user xxx
encrypted-password $xxx
authentication chap-pap
service-name 1und1
compression no
idle 0
!
account pppoe WAN2_PPPoE_ACCOUNT
user xxx
encrypted-password xxx
authentication chap-pap
service-name Vodafone
compression no
idle 0
!
account cellular CELLULAR1_ACCOUNT
profile custom
cid 1
dial-string *99#
apn web.vodafone.de
!
ip dhcp pool LAN1_POOL
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
first-dns-server 8.8.8.8
starting-address 192.168.1.2 pool-size 200
lease 2 0 0
!
ip dhcp pool DMZ_POOL
network 192.168.3.0/24
default-router 192.168.3.1
first-dns-server ZyWALL
starting-address 192.168.3.33 pool-size 200
lease 2
!
ip dhcp pool Network_Pool_VLAN10
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
first-dns-server 8.8.8.8
lease infinite
starting-address 192.168.10.2 pool-size 200
!
ip dhcp pool Network_Pool_VLAN20
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
first-dns-server 8.8.8.8
lease infinite
starting-address 192.168.20.2 pool-size 200
!
ip dhcp pool Network_Pool_VLAN30
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
first-dns-server 8.8.8.8
lease infinite
starting-address 192.168.30.2 pool-size 200
!
ip dhcp pool Static_VLAN10_0011323831F3
host 192.168.10.14
hardware-address 00:11:32:38:31:F3
description NAS
!
ip dhcp pool Static_VLAN10_080037BCBCDE
host 192.168.10.8
hardware-address 08:00:37:BC:BC:DE
description Drucker
!
ip dhcp pool Static_LAN1_4C9EFF7ADBF6
host 192.168.1.4
hardware-address 4C:9E:FF:7A:DB:F6
description AP 1
!
ip dhcp pool Static_LAN1_4C9EFF7ADCA4
host 192.168.1.5
hardware-address 4C:9E:FF:7A:DC:A4
description AP 2
!
ip dhcp pool Static_LAN1_4C9EFF7ADA64
host 192.168.1.7
hardware-address 4C:9E:FF:7A:DA:64
description AP 3
!
ip dhcp pool Static_VLAN20_00095203B9EC
host 192.168.20.2
hardware-address 00:09:52:03:B9:EC
client-name COMpact5000
description Auerswald Compact 5000
!
ip dhcp pool Static_VLAN20_7C2F8087F04B
host 192.168.20.4
hardware-address 7C:2F:80:87:F0:4B
client-name N510-IP-PRO
!
ip dhcp pool Static_VLAN20_7C2F8082AD68
host 192.168.20.3
hardware-address 7C:2F:80:82:AD:68
client-name N510-IP-PRO
!
ip dhcp pool Network_Pool_LAN2
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
starting-address 192.168.2.2 pool-size 200
first-dns-server 8.8.8.8
lease infinite
!
interface wan1
ip address dhcp metric 0
type external
upstream 10048
downstream 1048576
mtu 1500
igmp version 2
!
interface wan2
ip address dhcp metric 0
type external
upstream 1024
downstream 1048576
mtu 1500
igmp version 2
!
interface lan1
ip address 192.168.1.1 255.255.255.0
ip dhcp-pool LAN1_POOL
type internal
igmp version 2
ip dhcp-pool Static_LAN1_4C9EFF7ADBF6
ip dhcp-pool Static_LAN1_4C9EFF7ADCA4
ip dhcp-pool Static_LAN1_4C9EFF7ADA64
!
interface lan2
ip address 192.168.2.1 255.255.255.0
type internal
igmp version 2
ip dhcp-pool Network_Pool_LAN2
!
interface dmz
ip address 192.168.3.1 255.255.255.0
ip dhcp-pool DMZ_POOL
type internal
shutdown
!
interface vlan10
port lan1
vlan-id 10
description LAN VLAN
ip address 192.168.10.1 255.255.255.0
upstream 1048576
downstream 1048576
mtu 1500
type internal
ip rip send version 2
ip rip receive version 2
ip ospf priority 1
ip ospf cost 10
igmp version 2
ip dhcp-pool Network_Pool_VLAN10
ip dhcp-pool Static_VLAN10_0011323831F3
ip dhcp-pool Static_VLAN10_080037BCBCDE
!
interface vlan20
port lan2
vlan-id 20
description VOIP VLAN
ip address 192.168.20.1 255.255.255.0
upstream 1048576
downstream 1048576
mtu 1500
type internal
ip rip send version 2
ip rip receive version 2
ip ospf priority 1
ip ospf cost 10
igmp version 2
ip dhcp-pool Network_Pool_VLAN20
ip dhcp-pool Static_VLAN20_00095203B9EC
ip dhcp-pool Static_VLAN20_7C2F8087F04B
ip dhcp-pool Static_VLAN20_7C2F8082AD68
!
interface vlan30
port lan1
vlan-id 30
description Gast VLAN
ip address 192.168.30.1 255.255.255.0
upstream 1048576
downstream 1048576
mtu 1500
type internal
ip rip send version 2
ip rip receive version 2
ip ospf priority 1
ip ospf cost 10
igmp version 2
ip dhcp-pool Network_Pool_VLAN30
!
interface wan1_ppp
no shutdown
account WAN1_PPPoE_ACCOUNT
connectivity nail-up
metric 0
upstream 1048576
downstream 1048576
mtu 1492
description 1und1
bind wan1
!
interface wan2_ppp
no shutdown
account WAN2_PPPoE_ACCOUNT
bind wan2
description Vodafone
connectivity nail-up
metric 0
upstream 1048576
downstream 1048576
mtu 1492
!
interface cellular1
no shutdown
account CELLULAR1_ACCOUNT
encrypted-pin xxx
ping-check default-gateway method icmp period 30 timeout 5 fail-tolerance 5
no ping-check activate
!
address-object LAN1_SUBNET interface-subnet lan1
address-object LAN2_SUBNET interface-subnet lan2
address-object DMZ_SUBNET interface-subnet dmz
address-object IP6to4-Relay 192.88.99.1
address-object vlan10 192.168.10.0/24
address-object vlan20 192.168.20.0/24
address-object vlan30 192.168.30.0/24
address-object LAN_L2TP 192.168.11.0/24
address-object Public_IP interface-ip wan1_ppp
!
address-object RFC1918_1 10.0.0.0/8
!
address-object RFC1918_2 172.16.0.0/12
!
address-object RFC1918_3 192.168.0.0/16
!
address6-object LAN1_SUBNET_STATIC interface-subnet lan1 static
address6-object LAN1_SUBNET_SLAAC interface-subnet lan1 slaac 1
address6-object LAN1_SUBNET_DHCPv6 interface-subnet lan1 dhcpv6 1
address6-object LAN2_SUBNET_STATIC interface-subnet lan2 static
address6-object LAN2_SUBNET_SLAAC interface-subnet lan2 slaac 1
address6-object LAN2_SUBNET_DHCPv6 interface-subnet lan2 dhcpv6 1
address6-object DMZ_SUBNET_STATIC interface-subnet dmz static
address6-object DMZ_SUBNET_SLAAC interface-subnet dmz slaac 1
address6-object DMZ_SUBNET_DHCPv6 interface-subnet dmz dhcpv6 1
!
service-object Any_UDP udp range 1 65535
service-object Any_TCP tcp range 1 65535
service-object AH protocol 51
service-object AIM tcp eq 5190
service-object NEW_ICQ tcp eq 5190
service-object AUTH tcp eq 113
service-object BGP tcp eq 179
service-object BOOTP_CLIENT udp eq 68
service-object BOOTP_SERVER udp eq 67
service-object CAPWAP-CONTROL udp eq 5246
service-object CAPWAP-DATA udp eq 5247
service-object CU_SEEME_TCP1 tcp eq 7648
service-object CU_SEEME_TCP2 tcp eq 24032
service-object CU_SEEME_UDP1 udp eq 7648
service-object CU_SEEME_UDP2 udp eq 24032
service-object DNS_TCP tcp eq 53
service-object DNS_UDP udp eq 53
service-object ESP protocol 50
service-object FINGER tcp eq 79
service-object FTP tcp range 20 21
service-object FTPS tcp eq 990
service-object GRE protocol 47
service-object H323 tcp eq 1720
service-object HTTP tcp eq 80
service-object HTTPS tcp eq 443
service-object ICQ udp eq 4000
service-object IKE udp eq 500
service-object IMAP4 tcp eq 143
service-object IMAP4S tcp eq 993
service-object IP6to4 protocol 41
service-object IRC_TCP tcp eq 6667
service-object IRC_UDP udp eq 6667
service-object MSN tcp eq 1863
service-object MULTICAST protocol 2
service-object NEWS tcp eq 144
service-object NetBIOS_TCP1 tcp range 137 139
service-object NetBIOS_TCP2 tcp eq 445
service-object NetBIOS_UDP1 udp range 137 139
service-object NetBIOS_UDP2 udp eq 445
service-object NFS udp eq 2049
service-object NNTP tcp eq 119
service-object NTP udp eq 123
service-object PING icmp echo
service-object POP3 tcp eq 110
service-object POP3S tcp eq 995
service-object PPTP tcp eq 1723
service-object PPTP_TUNNEL protocol 47
service-object RCMD tcp eq 512
service-object RDP tcp eq 3389
service-object REAL-AUDIO tcp eq 7070
service-object REXEC tcp eq 514
service-object RLOGIN tcp eq 513
service-object ROADRUNNER_TCP tcp eq 1026
service-object ROADRUNNER_UDP udp eq 1026
service-object RTELNET tcp eq 107
service-object RTSP_TCP tcp eq 554
service-object RTSP_UDP udp eq 554
service-object SFTP tcp eq 115
service-object SMTP tcp eq 25
service-object SMTPS tcp eq 465
service-object SNMP_TCP tcp eq 161
service-object SNMP_UDP udp eq 161
service-object SNMP-TRAPS_TCP tcp eq 162
service-object SNMP-TRAPS_UDP udp eq 162
service-object SQL-NET tcp eq 1521
service-object SSDP udp eq 1900
service-object SSH_TCP tcp eq 22
service-object SSH_UDP udp eq 22
service-object STRMWORKS udp eq 1558
service-object SYSLOG udp eq 514
service-object TACACS udp eq 49
service-object TELNET tcp eq 23
service-object TFTP udp eq 69
service-object VDOLIVE tcp eq 7000
service-object VRRP protocol 112
service-object NATT udp eq 4500
service-object RIP udp eq 520
service-object OSPF protocol 89
service-object SIP udp range 5000 7000
service-object Kerberos-TCP tcp eq 88
service-object MS-RPC tcp eq 135
service-object LDAP-TCP tcp eq 389
service-object LPR tcp eq 515
service-object LDAPS-TCP tcp eq 636
service-object VNC5800 tcp eq 5800
service-object VNC5900 tcp eq 5900
service-object Kerberos-UDP udp eq 88
service-object LDAP-UDP udp eq 389
service-object LDAPS-UDP udp eq 636
service-object L2TP udp eq 1701
service-object RADIUS-AUTH udp eq 1812
service-object RADIUS-ACCT udp eq 1813
service-object BONJOUR udp eq 5353
service-object ICMPv6_PTB icmpv6 packet-toobig
service-object ICMPv6_RS icmpv6 router-solicitation
service-object ICMPv6_RA icmpv6 router-advertisement
service-object ICMPv6_NS icmpv6 neighbor-solicitation
service-object ICMPv6_NA icmpv6 neighbor-advertisement
service-object ICMPv6_MLD_Query icmpv6 130
service-object ICMPv6_MLD_Report icmpv6 131
service-object ICMPv6_MLD_Done icmpv6 132
service-object ICMPv6_MLD_v2 icmpv6 143
service-object DHCPv6_CLIENT udp eq 546
service-object DHCPv6_SERVER udp eq 547
service-object SSO tcp eq 2158
service-object SIP2 udp eq 5062
service-object RTP udp range 49152 49408
!
object-group service CU-SEEME
service-object CU_SEEME_TCP1
service-object CU_SEEME_TCP2
service-object CU_SEEME_UDP1
service-object CU_SEEME_UDP2
!
object-group service DNS
service-object DNS_TCP
service-object DNS_UDP
!
object-group service IRC
service-object IRC_TCP
service-object IRC_UDP
!
object-group service NetBIOS
service-object NetBIOS_TCP1
service-object NetBIOS_TCP2
service-object NetBIOS_UDP1
service-object NetBIOS_UDP2
!
object-group service ROADRUNNER
service-object ROADRUNNER_TCP
service-object ROADRUNNER_UDP
!
object-group service RTSP
service-object RTSP_TCP
service-object RTSP_UDP
!
object-group service SNMP
service-object SNMP_TCP
service-object SNMP_UDP
!
object-group service SNMP-TRAPS
service-object SNMP-TRAPS_TCP
service-object SNMP-TRAPS_UDP
!
object-group service SSH
service-object SSH_TCP
service-object SSH_UDP
!
object-group service Default_Allow_ICMPv6_Group
description Default Allow icmpv6 to ZyWALL
service-object ICMPv6_MLD_Done
service-object ICMPv6_MLD_Query
service-object ICMPv6_MLD_Report
service-object ICMPv6_MLD_v2
service-object ICMPv6_NA
service-object ICMPv6_NS
service-object ICMPv6_RA
service-object ICMPv6_RS
service-object ICMPv6_PTB
!
object-group service Default_Allow_WAN_To_ZyWALL
description System Default Allow From WAN To ZyWALL
service-object AH
service-object ESP
service-object HTTPS
service-object IKE
service-object NATT
service-object GRE
service-object VRRP
!
object-group service Default_Allow_DMZ_To_ZyWALL
description System Default Allow From DMZ To ZyWALL
object-group DNS
object-group NetBIOS
service-object SSO
!
object-group service Default_Allow_v6_WAN_To_ZyWALL
service-object AH
service-object ESP
service-object HTTPS
service-object IKE
service-object VRRP
service-object GRE
description System Default Allow IPv6 Form WAN To ZyWALL
!
object-group service Default_Allow_v6_DMZ_To_ZyWALL
description System Default Allow IPv6 From DMZ to ZyWALL
object-group DNS
object-group NetBIOS
!
object-group service DHCPv6
service-object DHCPv6_CLIENT
service-object DHCPv6_SERVER
!
object-group service Default_Allow_v6_any_to_ZyWALL
description System Default Allow IPv6 From any To ZyWALL
object-group Default_Allow_ICMPv6_Group
!
object-group service VPN_IPSEC
service-object ESP
service-object IKE
service-object NATT
!
wlan-security-profile default
mode none
!
wlan-ssid-profile default
ssid ZyXEL
qos wmm
security default
!
wlan-radio-profile default
activate
role ap
band 2.4G band-mode 11n
2g-channel 6
ch-width 20m
dtim-period 2
beacon-interval 100
ampdu
limit-ampdu 50000
rssi-dbm -76
subframe-ampdu 32
amsdu
limit-amsdu 4096
block-ack
guard-interval short
tx-mask 7
rx-mask 7
output-power -0dB
ssid-profile 1 default
!
wlan-radio-profile default2
activate
role ap
band 5G band-mode 11n
2g-channel 6
ch-width auto
dtim-period 2
beacon-interval 100
ampdu
limit-ampdu 50000
rssi-dbm -76
subframe-ampdu 32
amsdu
limit-amsdu 4096
block-ack
guard-interval short
tx-mask 7
rx-mask 7
output-power -0dB
ssid-profile 1 default
!
isakmp policy L2TP_IPSEC_DYN_GW
activate
local-ip interface wan1_ppp
peer-ip 0.0.0.0 0.0.0.0
authentication pre-share
encrypted-keystring xxx
local-id type ip 0.0.0.0
peer-id type any
fall-back-check-interval 300
lifetime 86400
group2
transform-set 3des-sha
mode main
dpd-interval 30
xauth type server default deactivate
!
crypto map VPN
activate
adjust-mss auto
ipsec-isakmp L2TP_IPSEC_DYN_GW
scenario remote-access-server
encapsulation transport
transform-set esp-aes256-sha
set security-association lifetime seconds 86400
set pfs none
local-policy Public_IP
remote-policy any
no conn-check activate
!
vpn-configuration-provision authentication default
!
interface-group WAN_Load_Balancing
algorithm wrr
loadbalancing-index total
interface 1 wan1 weight 3
interface 2 wan2 weight 1
!
system default-interface-group WAN_Load_Balancing
!
router rip
!
router ospf
!
zone LAN1
interface lan1
interface cellular1
interface vlan30
interface vlan10
crypto VPN
!
zone LAN2
interface lan2
interface vlan20
!
zone DMZ
interface dmz
!
zone WAN
interface wan1
interface wan1_ppp
interface wan2
interface wan2_ppp
!
zone SSL_VPN
!
zone IPSec_VPN
!
zone TUNNEL
!
session timeout udp-deliver 180
!
session timeout udp-connect 180
!
ip ddns profile VPN
service-type dynu-basic
username none encrypted-password xxx
host xxx.dynu.com
wan-iface wan1_ppp
ip-select iface
ip-select-backup iface
https activate
activate
!
ip dns security-options 1
name Customize
address-object-group RFC1918_1
address-object-group RFC1918_2
address-object-group RFC1918_3
!
ip dns security-options default
name Default
address-object-group any
!
ip http server
ip http server table admin rule 1 access-group ALL zone LAN1 action accept
ip http server table user rule 1 access-group ALL zone LAN1 action accept
!
ip http secure-server cert default
ip http secure-server
ip http secure-server force-redirect
ip http secure-server cipher-suite aes 3des des rc4
ip http secure-server table admin rule 1 access-group ALL zone LAN1 action accept
ip http secure-server table user rule 1 access-group ALL zone LAN1 action accept
ip http secure-server table user rule 2 access-group ALL zone LAN1 action accept
!
hostname USG60
domainname xxx
!
ip ssh server cert default
!
console baud 115200
!
ip ftp server cert default
!
ntp
clock time-zone +02
ntp server 0.pool.ntp.org
!
snmp-server version v2c
!
package site official
!
ip ip-mac-binding vlan10 activate
ip ip-mac-binding lan1 activate
ip ip-mac-binding vlan20 activate
ip ip-mac-binding vlan20 log
!
ip virtual-server UDP interface wan1 original-ip IP6to4-Relay map-to IP6to4-Relay map-type original-service Any_UDP mapped-service Any_UDP nat-loopback
ip virtual-server UDP2 interface wan2 original-ip IP6to4-Relay map-to IP6to4-Relay map-type original-service Any_UDP mapped-service Any_UDP nat-loopback
ip virtual-server TCP interface wan1 original-ip IP6to4-Relay map-to IP6to4-Relay map-type ports protocol tcp original-port-begin 30000 original-port-end 30019 mapped-port-begin 30000 nat-loopback
!
utm-manager portless activate
!
utm-manager content-filter defaultport 80
utm-manager content-filter defaultport 3128
utm-manager content-filter defaultport 8080
!
utm-manager anti-spam defaultport 25
utm-manager anti-spam defaultport 110
!
utm-manager anti-virus defaultport 80
utm-manager anti-virus defaultport 3128
utm-manager anti-virus defaultport 8080
utm-manager anti-virus defaultport 25
utm-manager anti-virus defaultport 110
utm-manager anti-virus defaultport 143
utm-manager anti-virus defaultport 21
!
session-limit activate
session-limit limit 1000
!
session-limit6 activate
session-limit6 limit 1000
!
idp signature update auto
!
idp signature update weekly sun 0
!
idp anomaly activate
!
idp anomaly ADP_PROFILE base all
!
idp anomaly rule 1
from-zone WAN
bind ADP_PROFILE
activate
!
anti-virus update auto
!
anti-virus update daily 0
!
secure-policy 1
name VPNServer2
sourceip LAN_L2TP
action allow
!
secure-policy 2
name VPNServer1
sourceip LAN_L2TP
destinationip vlan10
action allow
!
secure-policy 3
name VPN2
from TUNNEL
to ZyWALL
action allow
!
secure-policy 4
name VPN1
from WAN
to ZyWALL
action allow
!
secure-policy 5
name RDP
from WAN
service RDP
action allow
!
secure-policy 6
name RTP
from WAN
service RTP
action allow
!
secure-policy 7
name SIP2
from WAN
service SIP2
action allow
!
secure-policy 8
name SIP
from WAN
service SIP
action allow
!
secure-policy 9
name Block_vlan30_to_vlan20
from LAN1
to LAN2
sourceip vlan30
destinationip vlan20
action deny
!
secure-policy 10
name Block_vlan30_to_vlan10
from LAN1
to LAN1
sourceip vlan30
destinationip vlan10
action deny
!
secure-policy 11
from LAN1
action allow
name LAN1_Outgoing
!
secure-policy 12
from LAN2
action allow
name LAN2_Outgoing
!
secure-policy 13
from DMZ
to WAN
action allow
name DMZ_to_WAN
!
secure-policy 14
from IPSec_VPN
action allow
name IPSec_VPN_Outgoing
!
secure-policy 15
from SSL_VPN
action allow
name SSL_VPN_Outgoing
!
secure-policy 16
from TUNNEL
action allow
name TUNNEL_Outgoing
!
secure-policy 17
from LAN1
to ZyWALL
action allow
name LAN1_to_Device
!
secure-policy 18
from LAN2
to ZyWALL
action allow
name LAN2_to_Device
!
secure-policy 19
from DMZ
to ZyWALL
action allow
service Default_Allow_DMZ_To_ZyWALL
name DMZ_to_Device
!
secure-policy 20
from WAN
to ZyWALL
action allow
service Default_Allow_WAN_To_ZyWALL
name WAN_to_Device
!
secure-policy 21
from IPSec_VPN
to ZyWALL
action allow
name IPSec_VPN_to_Device
!
secure-policy 22
name L2TP
from TUNNEL
log
action allow
!
secure-policy 23
name L2TP2
to ZyWALL
action allow
from TUNNEL
!
secure-policy 24
from SSL_VPN
to ZyWALL
action allow
name SSL_VPN_to_Device
!
secure-policy 25
from TUNNEL
to ZyWALL
action allow
name TUNNEL_to_Device
!
secure-policy default-rule action deny log
!
secure-policy6 1
to ZyWALL
service Default_Allow_v6_any_to_ZyWALL
action allow
name Device_Default_Allow_Service
!
secure-policy6 2
from LAN1
action allow
name LAN1_Outgoing
!
secure-policy6 3
from LAN2
action allow
name LAN2_Outgoing
!
secure-policy6 4
from DMZ
to WAN
action allow
name DMZ_to_WAN
!
secure-policy6 5
from IPSec_VPN
action allow
name IPSec_VPN_Outgoing
!
secure-policy6 6
from SSL_VPN
action allow
name SSL_VPN_Outgoing
!
secure-policy6 7
from TUNNEL
action allow
name TUNNEL_Outgoing
!
secure-policy6 8
from LAN1
to ZyWALL
action allow
name LAN1_to_Device
!
secure-policy6 9
from LAN2
to ZyWALL
action allow
name LAN2_to_Device
!
secure-policy6 10
from DMZ
to ZyWALL
service Default_Allow_v6_DMZ_To_ZyWALL
action allow
name DMZ_to_Device
!
secure-policy6 11
from WAN
to ZyWALL
service Default_Allow_v6_WAN_To_ZyWALL
action allow
name WAN_to_Device
!
secure-policy6 12
from IPSec_VPN
to ZyWALL
action allow
name IPSec_VPN_to_Device
!
secure-policy6 13
from SSL_VPN
to ZyWALL
action allow
name SSL_VPN_to_Device
!
secure-policy6 14
from TUNNEL
to ZyWALL
action allow
name TUNNEL_to_Device
!
secure-policy6 default-rule action deny log
!
policy override-direct-route activate
!
policy controll-ipsec-dynamic-rules activate
!
policy 1
tunnel
dscp any
next-hop interface wan1_ppp
snat outgoing-interface
!
policy 2
description Richtlinie_vlan30
interface vlan30
source vlan30
dscp any
next-hop trunk SYSTEM_DEFAULT_WAN_TRUNK
snat outgoing-interface
!
policy 3
description Richtlinie_vlan20
interface vlan20
source vlan20
dscp any
next-hop interface wan1_ppp
snat outgoing-interface
!
policy 4
description Richtlinie_vlan10
interface vlan10
source vlan10
dscp any
next-hop trunk SYSTEM_DEFAULT_WAN_TRUNK
snat outgoing-interface
!
bwm highest sip bandwidth priority
!
bwm 1
description Richtlinie_vlan30
incoming-interface interface vlan30
outgoing-interface trunk SYSTEM_DEFAULT_WAN_TRUNK
source vlan30
!
bwm 2
description Richtlinie_vlan20
incoming-interface interface vlan20
outgoing-interface trunk SYSTEM_DEFAULT_WAN_TRUNK
source vlan20
inbound guarantee-bandwidth 10000 priority 1
outbound guarantee-bandwidth 10000 priority 1
inbound ceiling maximize-bandwidth-usage
outbound ceiling maximize-bandwidth-usage
!
bwm 3
description Richtlinie_vlan10
incoming-interface interface vlan10
outgoing-interface trunk SYSTEM_DEFAULT_WAN_TRUNK
source vlan10
inbound guarantee-bandwidth 20000 priority 2
outbound guarantee-bandwidth 100000 priority 2
inbound ceiling maximize-bandwidth-usage
outbound ceiling maximize-bandwidth-usage
!
no alg sip transformation
no alg sip inactivity-timeout
!
alg sip defaultport
port 5060
!
no alg h323 transformation
!
fallback-session-disconnect activate
!
users retry-limit
users retry-count 5
users lockout-period 30
!
users update-lease automation
!
app-watch-dog activate
!
web-auth login setting
type internal
!
web-auth exceptional-service DNS
!
web-auth default-rule authentication unnecessary no log
!
l2tp-over-ipsec crypto VPN
l2tp-over-ipsec pool LAN_L2TP
l2tp-over-ipsec first-dns-server 8.8.8.8
l2tp-over-ipsec second-dns-server wan1_ppp 2nd-dns
l2tp-over-ipsec user VPN-user
!
l2tp-over-ipsec activate
!
ip upnp
nat-pmp activate
bypass-firewall activate
listen-interface lan1
listen-interface lan2
listen-interface vlan10
listen-interface vlan20
upnp-igd activate
!
wtp-logging system-log suppression
wtp-logging system-log suppression interval 600
!
wtp-logging mail 1 category all level all
wtp-logging mail 2 category all level all
wtp-logging mail 1 authentication username xxx encrypted-password xxx
wtp-logging mail 1 address smtp.xxx
wtp-logging mail 1 subject Statusbericht Zyxel USG60
wtp-logging mail 1 from xxx
wtp-logging mail 1 send-log-to xxx
wtp-logging mail 1 send-alerts-to xxx
wtp-logging mail 1 authentication
wtp-logging mail 1 schedule weekly day mon hour 8 minute 0
wtp-logging mail 1
wtp-logging mail 2 schedule full
!
no usb-storage activate
no diag-info copy usb-storage
!
no logging usb-storage
!
logging system-log suppression
logging system-log category forward-web-sites disable
logging system-log suppression interval 600
!
logging mail 1 address smtp.xxx
logging mail 1 subject Statusbericht Zyxel USG60
logging mail 1 from xxx
logging mail 1 send-log-to xxx
logging mail 1 send-alerts-to xxx
logging mail 1 authentication
logging mail 1 authentication username xxx encrypted-password xxx
logging mail 1 schedule weekly day mon hour 8 minute 0
logging mail 1 category all level all
!
logging mail 1
!
logging mail 2 schedule full
logging mail 2 category all level all
!
vrpt send interface statistics interval 15
vrpt send system status interval 15
vrpt send device information interval 3600
!

Url: https://administrator.de/contentid/272325

Member: keine-ahnung
keine-ahnung May 19, 2015 at 15:06:20 (UTC)
Hi,
as soon as I have memorised all of that, I'll get back to you! Sure thing ... ;-)

Greetings from Bornholm, Thomas
Member: sk
Solution sk May 20, 2015 updated at 12:26:38 (UTC)
Quote from @alexalexalex:
ip virtual-server UDP interface wan1 original-ip IP6to4-Relay map-to IP6to4-Relay map-type original-service Any_UDP mapped-service Any_UDP nat-loopback
ip virtual-server UDP2 interface wan2 original-ip IP6to4-Relay map-to IP6to4-Relay map-type original-service Any_UDP mapped-service Any_UDP nat-loopback
ip virtual-server TCP interface wan1 original-ip IP6to4-Relay map-to IP6to4-Relay map-type ports protocol tcp original-port-begin 30000 original-port-end 30019 mapped-port-begin 30000 nat-loopback

Whatever this nonsense is supposed to achieve...


Quote from @alexalexalex:
policy override-direct-route activate
policy controll-ipsec-dynamic-rules activate

This causes your policy routes to take higher priority than
1) the directly connected networks
2) the routes learned for the dynamic VPN tunnels

Combined with your policy routes, the result is that the reply traffic from your VLANs is not routed back into the tunnel but out to the WAN.
So untick "Use Policy Route to Override Direct Route" (under Network > Routing > Policy Route) and "Use Policy Route to control dynamic IPSec rules" (under Network > VPN > VPN Connection)!


Quote from @alexalexalex:
I think that with all the trial and error I have by now thoroughly botched my config.

Indeed. The zone assignment, the firewall rule set and the policy routes alone give me a headache!


Quote from @alexalexalex:
That problem is that my VoIP channels, used by my Auerswald PBX which is connected to the USG, always stop working as soon as the USG is assigned a new IP address by the ISP. I have been struggling with that for ages too...

Lowering the session timeout might help. But I doubt it. Unless it can somehow be addressed on the PBX side, the problem can only be solved with fixed public IP addresses.


Regards
sk
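To make the precedence point in sk's answer concrete, here is an added example that is not part of the thread and not Zyxel code: a small Python model of the route lookup. The directly connected subnets, the policy route Richtlinie_vlan10 (incoming interface vlan10, source vlan10, no destination, next hop SYSTEM_DEFAULT_WAN_TRUNK) and the LAN_L2TP pool 192.168.11.0/24 come from the posted config; the client address 192.168.11.5, the interface label l2tp-client and the ordering logic itself are constructed to mirror the behaviour sk describes, not the firmware's actual algorithm.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SystemRoute:
    """A route the firewall holds without any policy route: a directly
    connected subnet ("direct") or the host route learned when an L2TP
    client connects ("vpn-dynamic")."""
    prefix: ipaddress.IPv4Network
    out_interface: str
    kind: str


@dataclass(frozen=True)
class PolicyRoute:
    """A policy route shaped like the ones in the posted config: match on
    incoming interface and source subnet, optional destination, next hop."""
    name: str
    incoming: str
    source: ipaddress.IPv4Network
    destination: Optional[ipaddress.IPv4Network]
    next_hop: str


# Constructed sample tables. 192.168.11.5 is a made-up client address inside
# the LAN_L2TP pool; "l2tp-client" stands for the per-client tunnel interface.
SYSTEM_ROUTES: List[SystemRoute] = [
    SystemRoute(ipaddress.ip_network("192.168.10.0/24"), "vlan10", "direct"),
    SystemRoute(ipaddress.ip_network("192.168.20.0/24"), "vlan20", "direct"),
    SystemRoute(ipaddress.ip_network("192.168.11.5/32"), "l2tp-client", "vpn-dynamic"),
]
POLICY_ROUTES: List[PolicyRoute] = [
    PolicyRoute("Richtlinie_vlan10", "vlan10", ipaddress.ip_network("192.168.10.0/24"),
                None, "SYSTEM_DEFAULT_WAN_TRUNK"),
    PolicyRoute("Richtlinie_vlan20", "vlan20", ipaddress.ip_network("192.168.20.0/24"),
                None, "wan1_ppp"),
]


def lookup_system(dst: ipaddress.IPv4Address, routes: List[SystemRoute]) -> Optional[SystemRoute]:
    """Longest-prefix match over the system routing table."""
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def lookup_policy(in_iface: str, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address,
                  policies: List[PolicyRoute]) -> Optional[PolicyRoute]:
    """Policy routes are ordered; the first matching one wins."""
    for p in policies:
        if p.incoming != in_iface or src not in p.source:
            continue
        if p.destination is not None and dst not in p.destination:
            continue
        return p
    return None


def egress(in_iface: str, src_ip: str, dst_ip: str,
           override_direct_route: bool, control_ipsec_dynamic: bool,
           system_routes: List[SystemRoute] = SYSTEM_ROUTES,
           policies: List[PolicyRoute] = POLICY_ROUTES) -> str:
    """Return the egress interface or next hop chosen for one packet.

    With both override flags off, a direct or VPN-learned route beats a
    matching policy route; with the flags on, the policy route wins even
    for reply traffic headed back to a connected VPN client."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    sys_route = lookup_system(dst, system_routes)
    policy = lookup_policy(in_iface, src, dst, policies)
    if policy is None:
        return sys_route.out_interface if sys_route else "default-route"
    if sys_route is not None:
        if sys_route.kind == "direct" and not override_direct_route:
            return sys_route.out_interface
        if sys_route.kind == "vpn-dynamic" and not control_ipsec_dynamic:
            return sys_route.out_interface
    return policy.next_hop


if __name__ == "__main__":
    # Reply from the NAS in VLAN 10 to a connected L2TP client.
    for flags in ((True, True), (False, False)):
        print(flags, egress("vlan10", "192.168.10.14", "192.168.11.5", *flags))
```

Running the block prints the WAN trunk for the reply when both overrides are active and the tunnel interface once they are cleared, which is exactly the symptom and the fix from the answer above.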
Member: alexalexalex
alexalexalex May 20, 2015 at 12:27:45 (UTC)
Thank you very much! That helped me more than enough. I have made the changes and it now works perfectly.

Now I'll tidy up my firewall rules again and I'm happy :-)