So thank you for your good tips. I won’t write anything else here because it has nothing to do with the problem anymore.

The solution to the problem is to use a Centro Grande and not an Internet box. You have to weigh up which services you want. If you want the official IP on the firewall you need a Centro Grande. If you want all the other goodies (time control for WiFi, guest WiFi, etc.) you need an Internet box. TV 2.0 works on both routers.

10 months later

Hello

Question: Is there anything new on this question? I’m also waiting for the IP forwarding function on the InternetBox. I need this for the P-P VPN which terminates on firewalls.

Background: Currently P-P VPN with Zyxel USG, VDSL router and Centro Piccolo as well as ISDN. If ISDN is no longer available, I will probably have to switch to VoIP, then I need the InternetBox if I want to use all the functions of IP telephony, but how do I then do P-P VPN to permanently connect my two locations?

I’m looking forward to the solution.

Greetings

Neandertaler


Hello Neandertaler

There is no solution on the Internet box. Actually, we should be a business customer with this requirement.

I also use IP telephony and use a Centro Grande. As far as I know, I can do anything with it. The Grande is also available as a glass version.

Best regards

AJ

PS: I also do a VPN to two locations with USG from ZyXel.


You don’t need IP forwarding for a VPN connection.
But it sounds like a business, so I would strongly advise you to take out an SME subscription.


Hello

Thank you very much for your answers.

@a.jaeger72

I would like to use the DECT base station function of the InternetBox, e.g. for using the current HD-IP telephones, e.g. the Arosa type, which only works together with the InternetBox. In any case, Swisscom writes: “The HD-Phone Arosa only works on a landline connection (IP) with the Swisscom Internet-Box.”

As a business customer I don’t get an InternetBox, apart from that I’m a private customer. My site-to-site VPN (IPsec) is about the connection between the house and the holiday apartment.

@VTX

Are you sure that IP forwarding (1:1 NAT) is no longer needed for a permanent site-to-site VPN based on IPsec with Zyxel USG 20 and 50? Then it should work with the InternetBox, right?

Greetings

Neandertaler


Yes, the various answers are not so clear.

Just this much: The Internet box doesn’t have a bridge/IP passthrough mode and you’re apparently now using that with the old router.

I don’t know if there is another option. Perhaps another user who has implemented such a solution without a bridge/IP passthrough can answer this in detail. According to @XT it should be possible.


Hello

So in order for an IPSec VPN to be made on a ZyWall, I need the public IP on the WAN port of the ZyWall. In other words, the Internet box or the Centro Grande must be set to bridge mode. This is the only way the IPSec VPN works.

I don’t know whether you can set up a VPN in another way or not. I need to apply this so I can make a VPN to another ZyWall.

Swisscom’s 3rd level support also informed me that there will be no bridge mode for the Internet box. Even an approach from the group that takes care of the Internet box did not listen to this concern.

Now about telephony and I really don’t know much about that. I operate various telephones on my Centro Grande. They are all from the Gigaset brand, e.g. C780, C430 (IP Tel) and the 920.

9 months later

I just came across this topic.

Does this solution still work with the Centro Grande? Or are there better solutions now?

I was (unfortunately) assured by the support hotline that all my claims with DMZ had been resolved…

Which is unfortunately not the case… The firewall needs the public IP.

However, I would also like to use Swisscom TV and the telephone…

I don’t need the functions like WLAN and other things from the Swisscom IB - I do everything with my own hardware.

Greeting

Dominic

5 months later

@Dodooo Sorry, I only saw your question now, but I can assure you that P2P VPN (IPsec) still runs smoothly and stably over the old Centro Grande.

Unfortunately, the time is getting closer and closer when I will have to switch to an Internet box due to the discontinuation of ISDN. I now have two questions about this:

1. Is there any news about the timing and functions of the new Internet-Box plus? Especially of course functions like P2P VPN or IP forwarding?

2. Useful solutions for Internet Box and P2P VPN with e.g. Zyxel USG? or experience whether something like this works with the DMZ function, for example?

I am grateful for your help.

Greetings

Neandertaler


@Neandertaler wrote:

1. Is there any news about the timing and functions of the new Internet-Box plus? Especially, of course, functions such as P2P VPN or IP forwarding?-…


The Internetbox Plus has no longer been available since May. Afaik the successor IB2 will be released in November

Afaik no IP forwarding is offered until further notice…


….keep on rockin' 🤘🏼🤘🏼🤘🏼

a month later

I don’t want to tell you how things are going with my VPN solutions now that both locations are equipped with the new Internetbox2.

Site to Site VPN with IPsec (Zyxel USG 20 and USG 50)

Runs stably with the previous configuration!

Client to Site VPN with L2TP over IPsec (Zyxel USG 20 / 50)

Doesn’t run! I suspect a NAT traversal problem.

With the old Centro routers, the IP forwarding function worked without any problems. I haven’t changed anything in the config of the USG and the clients (so far). Does anyone have an idea how to get this working again?

For information again. The Zyxel USG are behind the Internetbox2. On the Internetbox2 I have directed all ports to the USG using the so-called DMZ function (the USG also gets a fixed IP address from the Internet box). Swisscom TV and guest WLAN are accessed directly on or from the Internet box. Behind the Zyxel USG is the private (protected) LAN and a DMZ. The VPNs should all terminate in the private LAN behind the USG. The IP addresses are of course different, the Internet box on the 192.168.1.1 and behind the USG are 10.0.0.1 - 10.0.50.1 and 10.2.0.1 - 10.2.50.1 networks respectively.

The public IP is published via Dyndns from the USG. The IPv6 firewall is switched off on the Internet box as a precaution. CGNAT is not activated by Swisscom, so I have a normal IPv4 address. The VPN function provided by the Internetbox2 is of no use to me, as it then terminates in front of my private network and I therefore cannot access the applications, drives, NAS,… that are in the private LAN.

Would be glad for help with L2TP issue. @Anonymous

Greetings

Neandertaler

a month later

L2TP with USG40

I have a similar constellation, but a CentroBusiness2. Maybe the following information will help:

old configuration:
Location A: upc modem/bridge mode - Zyxel USG40, telephone ISDN
Location B: upc modem/bridge mode - Zyxel USG40, analog telephone

new configuration:
Location A: upc modem/bridge mode - Zyxel USG40, telephone ISDN
Location B: Fiber optic Vivo M (Internet and telephone) - CentroBusiness2 - Zyxel USG40

The CentroBusiness2 was set up as follows:
IP Passthrough Local Security Gateway
[http://documents.swisscom.com/product/1000260-Connectivity_Geraete_/Documents/Specifications/Centro_Business2_IP_Passthrough-de.pdf](http://documents.swisscom.com/product/1000260-Connectivity_Geraete_/Documents/Specifications/Centro_Business2_IP_Passthrough-de.pdf)
dyndns on

USG40 firewall:
- wan1 connected to port 1 of CentroBusiness2
- wan1
ip address 172.31.255.6
subnet mask 255.255.255.252
gateway 172.31.255.5
- DDNS off
(USG40 no longer receives the public IP as before with upc,
this is now done by the CB2)
VPN site to site
- Leave the configuration as upc, works
L2TP
- no longer works because the CB2 no longer receives the public IP as before with the upc modem
- Telephone call with Studerus Support, recommend the following setting:
https://studerus.ch/de/support/knowledgebase/detail/115090
- doesn’t work for me, after countless tests the following finally works:
1. Create Address Object CentroBusiness2_IP with public IP
2. in VPN Connection: change local-policy from wan1 to CentroBusiness2_IP
That’s it, L2TP works again!

Now I have three questions:
1. It is unpleasant that no dyndns address (e.g. xyhome.dyndns.org) can be entered in VPN Connection, but only an IP address. If the CB2 receives a new public IP from Swisscom after a power failure/restart, the address object CentroBusiness2_IP is no longer correct and access from outside via L2TP would no longer be possible. Is there at most a solution with the dyndns address?

2. How long does it take for CB2 to notify dyndns of a new public address? In my tests, the CB2 showed a working connection to dyndns, but did not communicate the new address. Since I didn’t want to wait for further setup, I entered the new IP directly at dyn.org. With the USG40, the DDNS status can be queried; the CB2 lacks this option.

3. You write: The public IP is published via Dyndns from the USG. Does the Internetbox2 forward to the USG with DMZ activated? If that were the case, the IB2 could do more than the CB2…


@Neandertaler wrote:

I don’t want to tell you how things are going with my VPN solutions now that both locations are equipped with the new Internetbox2.

Site to Site VPN with IPsec (Zyxel USG 20 and USG 50)

Runs stably with the previous configuration!

Client to Site VPN with L2TP over IPsec (Zyxel USG 20 / 50)

Doesn’t work! I suspect a NAT traversal problem.

With the old Centro routers, the IP forwarding function worked without any problems. I haven’t changed anything in the config of the USG and the clients (so far). Does anyone have an idea how to get this working again?

For information again. The Zyxel USG are behind the Internetbox2. On the Internetbox2 I have directed all ports to the USG using the so-called DMZ function (the USG also gets a fixed IP address from the Internet box). Swisscom TV and guest WLAN are accessed directly on or from the Internet box. Behind the Zyxel USG is the private (protected) LAN and a DMZ. The VPNs should all terminate in the private LAN behind the USG. The IP addresses are of course different, the Internet box on the 192.168.1.1 and behind the USG are 10.0.0.1 - 10.0.50.1 and 10.2.0.1 - 10.2.50.1 networks respectively.

The public IP is published via Dyndns from the USG. The IPv6 firewall is switched off on the Internet box as a precaution. CGNAT is not activated by Swisscom, so I have a normal IPv4 address. The VPN function provided by the Internetbox2 is of no use to me, as it then terminates in front of my private network and I therefore cannot access the applications, drives, NAS,… that are in the private LAN.

Would be glad for help with L2TP issue. @Anonymous

Greetings

Neandertaler


@Neandertaler

I missed it. You write me with zero instead of o in Tux0ne, as is usual with the craziest of the craziest 😄

About your problem. But the VPN function on the Internet boxes is already deactivated?


Update, L2TP with USG40 behind CB2

It’s even easier: see here

[http://www.zyxelforum.de/viewtopic.php?f=318&t=11295&sid=44f42f1917bdfa091c5a73bc702cd889](http://www.zyxelforum.de/viewtopic.php?f=318&t=11295&sid=44f42f1917bdfa091c5a73bc702cd889)

USG40 firewall:

L2TP
1. Create Address Object L2TP_local_policy_Range: 0.0.0.0 to 255.255.255.255
2. in VPN Connection: change local-policy from wan1 to L2TP_local_policy_Range
That’s it, L2TP works again!

Now I have two questions:
1. How long does it take for CB2 to notify dyndns of a new public address? In my tests, the CB2 showed a working connection to dyndns, but did not communicate the new address. Since I didn’t want to wait for further setup, I entered the new IP directly at dyn.org. With the USG40, the DDNS status can be queried; the CB2 lacks this option.

2. You write: The public IP is published via Dyndns from the USG. Does the Internetbox2 forward to the USG with DMZ activated? If that were the case, the IB2 could do more than the CB2…


@retepCH

3.

You write: The public IP is published via Dyndns from the USG. Does the Internetbox2 forward to the USG with DMZ activated? If that were the case, the IB2 could do more than the CB2…

Under no circumstances does the Internet Box direct the public IP directly to an interface. The Zywall’s WAN interface remains in the private range in any case.

But there is auto transmission of the IP in the DDNS settings of the USG. This should theoretically work, but you probably know more than me.



@Tux0ne wrote:

@retepCH

Under no circumstances does the Internet Box derive the public IP directly to an interface. The Zywall’s WAN interface remains in the private range in any case.

But there is auto transmission of the IP in the DDNS settings of the USG. This should theoretically work, but you probably know more than me.



As far as I know, the USG40 can only publish its own WAN_IP via dyndns; it has no access to the public IP of the IB2 or CB2. This is different with a upc modem in bridge mode, then the public IP is directly on the WAN interface of the USG40.


Yes, the problem is reported from time to time, mainly by Zyxel users.
The problem besides Swisscom is Zyxel itself. It would be appropriate for them to be able to do the auto IP determination like the UTM used to be able to do (if it doesn’t work with auto)
It’s the same topic as with DHCP option 60, which is now being implemented in a new firmware after years 👏
So for a part that costs something, the documentation is also terrible. If Studerus didn’t do something himself there would be nothing 🙂


dyndns with Zyxel USG40 behind CB2 with IP passthrough

I have to correct myself, it comes from the USG. Help of the USG 40 says about the DDNS setting auto:

ZyXEL Help:
Auto - If the interface has a dynamic IP address, the DDNS server checks the source IP address of the packets from the ZyWALL/USG for the IP address to use for the domain name. You may want to use this if there are one or more NAT routers between the ZyWALL/USG and the DDNS server.

USG40:

DDNS Settings
Domain Name: xy.dyndns.org
Primary Binding Address
Interface: wan1

IP Address: Auto (instead of the previous interface)

Effective IP then appears in the monitor / DDNS status, which corresponds to the public IP of the CB2! And dyn.org also gets the correct IP!
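
Added example (not part of the thread and not Zyxel or Swisscom code): a small Python check that models the two points discussed above for a firewall behind an ISP router, namely which address each DDNS setting publishes and whether the VPN local-policy address object covers the public IP. The function names, the finding labels and the public address 203.0.113.10 are assumptions made for illustration; that inbound L2TP traffic has to match the public IP is inferred from the fixes reported in the thread.

```python
import ipaddress

# Address space that is never a host's Internet-facing address:
# RFC 1918 private ranges plus the RFC 6598 carrier-grade NAT block.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def behind_nat(ip):
    """True if ip cannot be reached from the Internet as written."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NON_PUBLIC)


def ddns_published(mode, wan_ip, observed_src):
    """Address a DDNS update publishes: 'interface' sends the WAN address,
    'auto' lets the DDNS server use the source address it sees."""
    if mode not in ("interface", "auto"):
        raise ValueError("mode must be 'interface' or 'auto'")
    return wan_ip if mode == "interface" else observed_src


def policy_matches(first, last, dst_ip):
    """True if dst_ip lies inside the address object first..last (inclusive)."""
    lo, hi, dst = (int(ipaddress.ip_address(x)) for x in (first, last, dst_ip))
    return lo <= dst <= hi


def diagnose(mode, wan_ip, public_ip, policy_first, policy_last):
    """Findings for a firewall behind an ISP router.
    Assumption: inbound VPN traffic is matched against the public IP."""
    findings = []
    if behind_nat(ddns_published(mode, wan_ip, public_ip)):
        findings.append("ddns-publishes-non-public-address")
    if not policy_matches(policy_first, policy_last, public_ip):
        findings.append("local-policy-does-not-cover-public-ip")
    elif policy_first != policy_last:
        findings.append("local-policy-wider-than-one-address")
    return findings


# Constructed sample values: wan1 address as quoted in the thread, public IP
# taken from the RFC 5737 documentation range (hypothetical).
WAN1, PUBLIC = "172.31.255.6", "203.0.113.10"

if __name__ == "__main__":
    print(diagnose("interface", WAN1, PUBLIC, WAN1, WAN1))
    print(diagnose("auto", WAN1, PUBLIC, PUBLIC, PUBLIC))
    print(diagnose("auto", WAN1, PUBLIC, "0.0.0.0", "255.255.255.255"))
```

A single-address policy pinned to the public IP produces no finding here but goes stale when the ISP assigns a new address; the full-range object survives that change at the cost of matching every destination.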
