Kitz ADSL Broadband Information
adsl spacer  
Support this site
Home Broadband ISPs Tech Routers Wiki Forum
 
     
   Compare ISP   Rate your ISP
   Glossary   Glossary
 
Please login or register.

Login with username, password and session length
Advanced search  

News:

Pages: 1 ... 4 5 [6] 7 8

Author Topic: Over 31,000 access attempts via RDP - how to setup Zxyel to allow only my IP add  (Read 21931 times)

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300

Thanks Chrysalis & John, I opted for the add an exception route.

I followed this guide https://www.draytek.com/support/knowledge-base/5330 to setup the VPN and now have that working, is there anything I need to add that's not in the guide?

I only enabled "SSL VPN Service", none of the others, and have used the DrayTek Smart VPN client.
Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300

I have an AP-900 which I'm setting up the other end of the building to the router, but I cant see or find out how to simply copy the routers Wi-fi settings to it. Considering the auto provisioning and management options you'd think this option would be there.
Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

d2d4j

  • Kitizen
  • ****
  • Posts: 1103

Hi ronski

I have not used one of those but I would have thought you do not copy any settings.

Once you join the AP to router, I would have thought it uses the router Wi-Fi settings

I will have to have a look later though, as I am not available until late today

Many thanks and sorry if I’m wrong, perhaps tony knows

John
Logged

d2d4j

  • Kitizen
  • ****
  • Posts: 1103

Hi Ronski

Sorry just did it quickly, and it was as I thought - see picture.  So once you have joined the AP900 to router, on AP900, you select to be central managed and all should work, as derived from router wifi settings

Many thanks

John
Logged

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300

Thanks for your time John, but that just takes the profile that's stored on the router under "Central Management >> AP >> WLAN Profile" which you have to manually enter. There seems no way to take the wireless settings that are in use on the router and use them as the auto provision profiles.

I'll manually set up the profiles, perhaps this is just an oversight by Draytek, I may even email them.
Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

atkinsong

  • Reg Member
  • ***
  • Posts: 165

I would imagine a lot of businesses use the non-wifi Draytek versions, in which case having a centralised source of wifi settings for APs perhaps makes more sense.
Logged
ISP:A&A, FTTP 160/30, Router Fritzbox 7530

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300

That's what I was thinking to.
Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300

On the Draytek router I have two wireless networks on both 2.4Ghz & 5Ghz, they are the office network and the guest network, both of these work as expected.

The guest network is separated and on a VLAN, all network ports on the router are members of this VLAN, as are the guest SSID's.

I have the same wireless networks set up on the AP-900, and the appropriate VLAN ID for the guest network.

On the AP-900 the office network functions as expected, however the guest network is not getting issued with IP addresses and DNS does not work. If I configure a laptop with a suitable static IP then I can reach sites via IP address, so do have internet access.

Any thoughts on the issue, could the VLAN ID being lost somewhere thus causing the above?

We have a Procurve 1800-24G which I believe should pass the VLAN ID tags as it's currently setup (default settings). It's possible there is a dumb switch somewhere, but I don't think there is - the cabling is a mess and not easy to follow.

Edited to add:

This is what the Procurve manual says for VLAN's, it says all ports have a VID of 1, so does that mean it won't pass a VID of say 5? But it then says "All ports can send and receive both VLAN-tagged and untagged packets (that is, they are hybrid ports)", so I'm a bit confused.

Quote
VLAN Setup

This page allows you to create up to 64 VLANs based on the 802.1Q standard.
You can also delete or modify VLANs.

Introduction to VLANs

VLANs are logical partitions of the physical LAN. You can use VLANs to
increase network performance, improve internal network security, or create
separate broadcast domains.

If the network has adequate performance and security for your current needs,
it is recommended that you leave the VLAN settings in the default
configuration. The default configuration is as follows:

• All ports are members of VLAN 1
• The switch management interface is on VLAN 1 (this cannot be
changed)
• All ports have a Port VLAN ID (PVID) of 1
• All ports can send and receive both VLAN-tagged and untagged
packets (that is, they are hybrid ports)

In the default configuration, any port is able to send traffic to any other port,
and a PC connected to any port will be able to access the management
interface. Broadcast traffic, for example, will be flooded to all ports on the
switch.

The four VLAN parameters you can configure for each port on the switch
include VLAN Aware Enabled, Ingress Filtering Enabled, Packet Type, and
PVID. Note that the ports within a trunk cannot be configured individually;
configure the trunk instead (trunks are labelled T1 to T12 for the 24 port
switch, and T1 to T4 for the 8 port switch).
« Last Edit: March 15, 2019, 12:35:39 PM by Ronski »
Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

d2d4j

  • Kitizen
  • ****
  • Posts: 1103

Hi ronski

Sorry been a hard day today

If I understand correctly, your main lan is vlan 1 and guests use vlan 2 (Wi-Fi vlan 2 that is)

Main lan works as expected

Guest network works as expected on main router but not on ap900

Procurve is still set to default vlan 1 on all ports

So to correct, you would need to make sure ap900 is set to vlan2

Main router, make sure dns is set to use same as vlan 1 for all vlans (or set dns for vlan2 separately)

Locate the lan number used on procurve for AP900 and log into procurve, set the port number to be vlan aware and set to vlan 2

You do not need to tag any vlan, so keep it simply as you just need 2 lans

Many thanks

John
Logged

d2d4j

  • Kitizen
  • ****
  • Posts: 1103

Hi ronski

Sorry if you do not trace hardware to trace lan, take a note of what ports are lit up on procurve, then unplug network cable from ap900, then check which light is not lit

Plug network cable back in ap900 and check the unlit light is now lit

Many thanks

John
Logged

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300

Hi John, thank you for your reply, you understand correctly, not sure that I do though and not sure if it will work.

Setup is like this

Draytek wireless Router
Procurve Switch
Cable to other end of building to my office. This cable is not direct and may have other equipment on route.
AP900
5 Port dumb switch for computers, voip and printer in my office.

VID 0 (untagged if understand correctly) is for the internal network, VID 5 is used for the guest WiFi.

So as I understand I need the one port on the procurve to pass both VID 0 (untagged internal lan + WiFi ) and VID 5 (guest WiFi)

Are you saying I don't need to use tagging, but how can a vlan be separate if not tagged??

Hope that makes sense, rather tired.

Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick

It gets rather confusing but switches sometimes just split all the ports into a number of subsets where the ports in each subset can talk to one another but not to other ports in other subsets, and might refer to the subsets as VLANs perhaps?
Logged

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300

In its default state the switch treats all ports the same.

But I am a bit confused as John says to use Vlan 1 and Vlan 2, but then says I do not need to tag any vlan, if it's not tagged surely its not a vlan.

I think on the AP900 the only way two differentiate between different lans is to tag them, unless you set up it to use Lan B and then I presume that traffic will only be sent to Lan B port.

https://www.draytek.com/en/faq/faq-wlan/wlan.vigorap/how-to-use-multi-ssid-vigorap-to-separate-the-network/

Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300

It gets a bit more confusing because the Procurve documentation seems to imply everything that is untagged will be tagged VID 1, any other tagged packets will be dropped.

Quote
  802.1Q VLAN Setup   
This page allows you to create up to 64 VLANs. You can also delete the VLANs or make changes to the VLAN membership and behavior of individual ports. VLANs are powerful but can be difficult to set up properly. If you are unfamiliar with VLANs please see the Introduction to VLANs. To create a VLAN, enter a VLAN ID into the VLAN ID field. After clicking the ADD button, you will be directed to the 802.1Q VLAN Group page to add port members to the VLAN. Each row of the table corresponds to one VLAN.

There are four main buttons associated with this page:
HELP - Displays this window.
ADD - Creates a VLAN with the specified VLAN ID.
MODIFY - Choose a VLAN to modify.
DELETE - Delete a VLAN from the VLAN table.
Introduction to VLANs
VLANs (or Virtual LANs) are logical partitions of the physical LAN. You can use VLANs to:

Increase network performance
Increase internal network security
Create separate broadcast domains
If the network has adequate performance and security for your current needs, it is recommended that you leave the VLAN settings in the default configuration. The default configuration is as   follows:

All ports are members of VLAN 1
The switch management interface is on VLAN 1
All ports have a Port VLAN ID (PVID) of 1
All ports can send and receive both VLAN-tagged and untagged packets (i.e. they are "hybrid" ports)
In the default configuration, any port is able to send traffic to any other port and a PC connected to any port will be able to reach the management interface. Broadcast traffic, for example, will be flooded to all ports on the switch.

There are three different parameters that can be configured for each port on the switch; VLAN IDs (VLAN   membership), PVID and Packet Type. Note that the ports within a Trunk cannot be configured individually; configure the Trunk instead (Trunks are labeled T1 to T12).


VLAN IDs
The Management VLAN is a special VLAN; it cannot be deleted and, if there is a possibility that a port could become isolated, the Web User-interface will add the port to the mamangement VLAN.
You can add up to 64 VLANs to the configuration of the switch. Each VLAN must be given a VLAN ID in the range 1-4094.
A port can be a member of up to 64 VLANs.
All packets travelling through the switch are associated with one and only one VLAN.
If a port is not a member of a VLAN, it cannot send or receive packets associated with that VLAN.
A tagged packet carries its VLAN ID in the payload of the   packet.
An untagged packet, received on a port with Packet Type set to All, is associated with the VLAN identified by the PVID.

PVID
The PVID (Port VLAN ID) is the VLAN ID that is associated with untagged, ingress packets.
It is not possible to remove a port from VLAN 1 unless its PVID has been changed to something other than 1.
Outgoing packets are tagged unless the packet's VLAN ID is the same as the PVID. When the PVID is set to "None," all outgoing pacekts are tagged.

Packet Type
PCs should be connected to ports with Packet Type set to All. PCs cannot, in general, send or receive tagged packets.
Switches should be connected to each other with Packet Type set to Tagged and PVID set to "None."
If the Packet Type is set to All, the port can accept incoming tagged and untagged packets. Untagged packets will be associated with the VLAN identified by the PVID. Tagged packets will be dropped unless the port is a member of the VLAN identified by the VLAN tag in the packet.
If the Packet Type is set to Tagged, the port will drop untagged packets and will only receive tagged packets. Tagged packets will be dropped unless the port is a member of the VLAN identified by the VLAN tag in the packet.

Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

d2d4j

  • Kitizen
  • ****
  • Posts: 1103

Hi Ronski

Sorry, reading your posts I now have a better understanding of your network. Sorry long hard day yesterday and long hard day tommorow- 700 mile round trip

In your case, yes you would need to tag vlan (both on router, and ap)

You  need to set procurve to be vlan aware

Test

If fails, then bypass the hub in your office, so ap connects directly to procurve (subject to no other mid connection hardware)

Test

Many thanks

John
Logged
Pages: 1 ... 4 5 [6] 7 8