Zyxel Firewall [Web authentication] - how to setup Web authentication in DMZ zone with VLAN

Web authentication is a process that captures network traffic and redirects it to a login page where users need to authenticate their connection. This ensures that all web page requests are first directed to the authentication page. Once users successfully authenticate, they can access the rest of the network or the Internet.

The authentication page is only shown once per session. Users usually won't see it again unless their session times out or they close the connection.

In this article, we will show you how to use Web authentification for guest WIFI in a "DMZ" with VLAN.

Note: Typically, the DMZ is located between the external and internal networks, with the firewall restricting access from the DMZ to both the internal network and external resources. The firewall configuration can restrict DMZ access to external networks/resources, affecting services that require access to the Internet or external servers. Strict Traffic Filtering: Firewalls apply strict traffic filtering rules to ensure security. Certain types of traffic or ports may be blocked/restricted, affecting some applications/services.

  • Log in to the web interface of your firewall and go to the section:

First, we need to add the VLAN to the Security Gateway

Configuration > Network > Interface > VLAN > Add

  • Check if "DMZ" is assigned to any port, if not it should be assigned. In our case "DMZ" is assigned to "port 7"

  • The next step is "Enable Web Authentication"
Configuration > Web Authentication > Enable Web Authentication

  • To authorize users in our example, we will use the "Session Page". To do this, check the "Enable Session Page" box and specify a convenient IP address. Keep in mind that the IP address must not overlap with any of the networks on your gateway or other devices in your network.  

Note: It is not necessary to use a "Session Page" with a specified address, because at the first attempt to access any sites, the gateway will direct the user to the authorization page.

  • Also possible to collect additional user data such as email, phone number, and others. The standard form is located on the "Customer User Agreement File" tab.

  • The next step is to add the Web "Authentication Policy Summary". The first time a user tries to access any site, this rule will redirect them to the authentication form page

In our example, we use web authentication for everyone in the "DMZ", as well as a standard form of authentication. 

  • Enable Policy
  • Create a New Object for your "vlan10"
  • Give a clear description
  • Specify the "Incoming Interface", in our case it is "vlan10"
  • The authentication field should contain -  "required"
  • Force User Authentication - "Enable"
  • Click "OK" and "Apply"

  • Note: It is in the DMZ case that we need to allow https and http services, from the DMZ to the Zywall so that the authentication page can be reached. 
Go to Configuration > Object > Service > Service Group

Make the necessary changes with the Service Group Rule named "Default_Alow_DMZ_To_Zywall"

  • The next step is to create a user under which you can authenticate to access the Internet for all members of the "DMZ" zone.

Go to Configuration > Object > User/Group > User
  • Click "Add."

  • Enter a user name that is easy to understand

  • The user type should be specified as "user"

  • Provide a secure password

  • Click "OK"

We have done all the necessary settings on the gateway side, now let's move on to the switch settings. For this example we will use a Zyxel XGS2220 switch.

  • Log in to your switch's web interface and go to the:
SWITCHING -> VLAN Setup 

Add the required VLANs, in our case it is VLAN10. For ports 5 through 10 inclusive. Port 5 will be tagged, our firewall will be connected to this port. Port 6 through 10 will be untagged, access points and PCs will be connected to it.


Save your changes and go to the "VLAN Port Setup" tab to specify the required PVID for ports 5-10. After making all the changes, save the settings.

Settings are done. For the test, we connected a Zyxel NWA110AX access point to port 6 and connected a PC to port 7.

Now all our PCs connected to the access point or ports 7-10 will be redirected to the next page at the first session when trying to go to any site:


Articles in this section

Was this article helpful?
1 out of 1 found this helpful
Share