
Author Topic: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add  (Read 22149 times)

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4304

Well it's all switched over this morning, can now RDP in from my home IP only, also access the router via HTTPS also only from my home IP.

Phones and CCTV all working, still need to find out if I can close port 80 for the CCTV as the guy that deals with that has not answered my email, may even put the CCTV on a separate VLAN, but I need the admin password for that which I did have but have forgotten/can't find.

Still need to set up the VPN, also HTTPS certificates, possibly some other things.

I have the guest network set up on its own VLAN with isolate member and isolate VPN ticked, which states:

Quote
The isolate VPN configuration will isolate the wireless traffic from VPN connections and thus, wireless clients will not be able to access the VPN network under this setting.

Does that mean that if you are on the guest network I've set up you can't access the router's VPNs?
Logged
Formerly restrained by ECI and ali,  now surfing along at 550/52  ;D

d2d4j

  • Kitizen
  • ****
  • Posts: 1103

Hi ronski

Excellent news

Sorry, I may be a little (or a lot) dim, but even if on guest Wi-Fi you could reach the router VPN (you could set the VPN to only act from WAN I think), you would only end up back where you started from.

However, I would need to test but I believe guest would not be able to reach router vpn

Many thanks

John
Logged

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4304

Hi John, it's not that I want to access the VPN from the guest wi-fi, it's more a case of I'm just curious to know what it means - see the circled bits in the attached picture. I've ticked it as it sounds more secure.
Logged
Formerly restrained by ECI and ali,  now surfing along at 550/52  ;D

g3uiss

  • Kitizen
  • ****
  • Posts: 1151
  • You never too old to learn but soon I may be
    • Midas Solutions

Quote
Well it's all switched over this morning, can now RDP in from my home IP only, also access the router via HTTPS also only from my home IP

Great. Is this with rules avoiding the need for the VPN? So you have effectively sorted the problem, although I recall the other user doesn't have a fixed IP. Is dyndns an option?
Logged
Cerebus FTTP 500/70 Draytek 2927 VOXI 4G fallback.

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4304

I still need to set up the VPN for the other user. I've set up rules for my own IP which is sticky static on VM, it's never changed since I signed up last April.

I'm pleased with the router and it's fairly easy to set up, in fact my brother's probably going to buy a pair of them. I'm also impressed with Draytek's knowledge base, plenty of helpful articles which are easy to find.
« Last Edit: March 03, 2019, 08:14:12 AM by Ronski »
Logged
Formerly restrained by ECI and ali,  now surfing along at 550/52  ;D

d2d4j

  • Kitizen
  • ****
  • Posts: 1103

Hi ronski

Sorry was a little busy yesterday

The simplest way to look at isolate VPN is like isolate users. It stops access to any VPN connections already in use/newly created, so say from a VPN LAN-to-LAN or dial-in VPN user.

Your thought of guest creating a dial-in VPN made me think, as if guest could create a dial-in VPN, then they would no longer be guest.

However, for that to happen they would need to know the dial-in credentials/settings, so would not be able to create a VPN dial-in account.

I am sorry if that kinda doesn’t make sense and maybe tony could explain better

Many thanks

John
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7402
  • VM Gig1 - AAISP CF

glad you got it working ronski, indeed that interface looks a big step up from zyxel
Logged

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4304

It's a huge step up, you can even create block/allow rules for whole countries like in pfSense and I find the online help and guides easier to understand.
Logged
Formerly restrained by ECI and ali,  now surfing along at 550/52  ;D

g3uiss

  • Kitizen
  • ****
  • Posts: 1151
  • You never too old to learn but soon I may be
    • Midas Solutions

A Draytek convert  ;D
Logged
Cerebus FTTP 500/70 Draytek 2927 VOXI 4G fallback.

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4304

Just trying to set up a self-signed certificate so I don't get warnings when using HTTPS to log in to the router remotely and also for the VPN.

On the attached page it states to enable SSLv3.0, but on doing so I get a security warning that it may not be secure, and general googling seems to recommend not enabling it. Is it really required???

Logged
Formerly restrained by ECI and ali,  now surfing along at 550/52  ;D

d2d4j

  • Kitizen
  • ****
  • Posts: 1103

Hi ronski

To be honest, I rarely create self-signed as they will still give warnings.

It probably just needs SSLv3 enabled so it can create the self-signed cert and you can disable SSLv3 afterwards.

You do not need a valid/self-signed cert to use encryption and of course, you know exactly where you're connecting to, so SSL certs not really required.

Others though may disagree and prefer to have an SSL cert.

Many thanks

John
Logged

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4304

Thanks John, if it won't cause issues with the VPN then I'll probably just create an exception on the PC at home then.
Logged
Formerly restrained by ECI and ali,  now surfing along at 550/52  ;D

d2d4j

  • Kitizen
  • ****
  • Posts: 1103

Hi ronski

Many thanks

It has never caused any issues to all our setups and we access using external IP address (so we know where we are going).

VPNs do not give issues and are fully TLS encrypted.

Login to router is restricted to a few of our CIDR ranges only.

The only warning happens when you access https://router-ip, which is a correct warning but we know the IPv4 address and you cannot have an SSL cert on IP address anymore.

Many thanks

John
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7402
  • VM Gig1 - AAISP CF

You can do self-signed certs on IPs, but self-signed will still by default generate a warning because it's not trusted by the browser.

I don't know if you can import certificates on the device you have, if you can then I suggest this ronski.

On your local pfSense, go to the certificate manager and create a CA cert.
Then still in pfSense make a certificate for the device, for the common name just put something like PFSENSE in, it doesn't matter, then at the bottom you can add an IP address for the certificate and use your work IP, make sure it's sha256 (default) and I suggest 3072 bits for the RSA strength.
Export the cert you just made, the key for it and the CA cert.

Import all 3 to the zyxel device (if it lets you).

Add your CA cert to the trusted certs for your browser (chrome uses the windows CA store like IE, firefox has its own).  The advantage of this is whenever you make a new cert using the same CA then you will no longer get prompts as the CA is now trusted in your local browser, and pfSense also will store the certificates for you as well in case you need to install them again.

If you cannot import, or simply cannot be bothered, then just do as he said, add the cert and add exception for it in browser, keep sslv3 disabled for operational use as it's now obsolete.
« Last Edit: March 13, 2019, 12:33:40 AM by Chrysalis »
Logged
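The same private-CA procedure Chrysalis describes (CA cert, then a sha256/3072-bit RSA device cert with an IP address in its SAN, then verify it chains to the CA) done with the openssl CLI instead of the pfSense GUI. This is an added example, not code from the thread or from pfSense/DrayTek; 203.0.113.10 is a placeholder from the TEST-NET-3 documentation range, and WORK/ROUTER_IP are assumed environment variables.

```shell
#!/bin/sh
# Added example (not from the thread): a private CA plus a router certificate
# with an IP-address SAN, built with the openssl CLI, then verified against the
# CA. 203.0.113.10 is a placeholder (TEST-NET-3), not anyone's real router IP.
set -eu

WORK="${WORK:-$(mktemp -d)}"
ROUTER_IP="${ROUTER_IP:-203.0.113.10}"

# Extensions are supplied via -extfile so the result does not depend on the
# system openssl.cnf; "x509 -req" applies only what the file says.
make_ca() {
    openssl req -new -newkey rsa:3072 -nodes -sha256 -subj "/CN=Home Router CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.csr" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl x509 -req -sha256 -days 3650 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" >/dev/null 2>&1
}

make_router_cert() {
    # The CN is cosmetic (as the post says); the IP SAN is what the browser checks.
    openssl req -new -newkey rsa:3072 -nodes -sha256 -subj "/CN=router" \
        -keyout "$WORK/router.key" -out "$WORK/router.csr" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=IP:%s\nextendedKeyUsage=serverAuth\n' \
        "$ROUTER_IP" > "$WORK/router.ext"
    openssl x509 -req -sha256 -days 825 -in "$WORK/router.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/router.ext" -out "$WORK/router.crt" >/dev/null 2>&1
}

# Returns 0 only if router.crt chains to ca.crt AND names the expected IP in its SAN.
verify_router_cert() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/router.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$WORK/router.crt" -noout -text | grep -q "IP Address:$ROUTER_IP"
}

# What the router/pfSense GUI should report: signature algorithm and RSA key size.
router_sig_alg()  { openssl x509 -in "$WORK/router.crt" -noout -text | grep -m1 'Signature Algorithm' | awk '{print $3}'; }
router_key_bits() { openssl x509 -in "$WORK/router.crt" -noout -text | grep -m1 'Public-Key' | grep -o '[0-9][0-9]*'; }

make_ca
make_router_cert
# ca.crt goes into the browser's trust store; router.crt + router.key go onto the router.
verify_router_cert && echo "router.crt chains to ca.crt, SAN IP:$ROUTER_IP, $(router_sig_alg), $(router_key_bits)-bit"
```

Importing ca.crt (not router.crt) into the browser's trust store is what stops the prompts for every later certificate signed by the same CA.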

d2d4j

  • Kitizen
  • ****
  • Posts: 1103

Hi chrysalis

Ronski is using draytek

Drayteks can do all you suggest, including self-generated cert or create a CSR etc...

The Draytek will already have a self-signed Draytek cert installed as default.

My point is it is a known device and known IP connecting to.

Many thanks

John
Logged