Frequently Asked Questions about ZeroShell


General questions

  1. I have just started ZeroShell and the console displays the commands menu, but how can I connect to the web interface to configure it?
  2. I have an embedded device with no VGA output or keyboard connector, only an RS232 serial interface. Can I get a text console for ZeroShell?
  3. Having incorrectly configured the firewall or the network in general I can no longer connect via the web interface. Even rebooting the system doesn’t work. How can I resolve the problem?
  4. Once booted, a text command menu appears on the ZeroShell console. But how can I start the graphical server? How can I start a graphical application, for example a web browser?

Questions on storage configuration and storage devices

  1. ZeroShell is available as a Live CD and as a Compact Flash version for embedded devices. However, is it possible to install it on a hard disk?
  2. How can I permanently configure ZeroShell and save information on users, hosts, X.509 certificates, system logs and other objects in LDAP and Kerberos v5?
  3. Can the database be stored on a partition which already has another operating system installed on it?
  4. What happens if excess syslog server activity causes a full disk on the partition hosting the database?
  5. During the database creation phase, other than the admin password and IP address of one of the Ethernet interfaces, I must specify the Kerberos v5 realm and the LDAP base. I don’t need a Kerberos KDC and an LDAP server. What should I do?
  6. If instead of the Live CD version of ZeroShell, I use the version for Compact Flash, must I have a further storage device to store the database?
  7. I would like to upgrade to the latest ZeroShell release, but I am afraid I have to reconfigure everything. Are there any risks?
  8. I would like to increase my server reliability with a fault-tolerant disk configuration. Can ZeroShell manage mirroring or distributed parity via RAID 5?
  9. How can I start ZeroShell from Compact Flash?

Questions about network configuration

  1. I see that the Ethernet interfaces are called ETH00, ETH01, ETH02, … while I was used to other Linux distributions with names like eth0, eth1, eth2, … Why have these names been used instead of the usual ones?
  2. I would like to use ZeroShell as an ADSL router for my LAN. What types of modems are supported?
  3. My LAN connects to the Internet with a dynamic IP address that changes if the connection is closed and then reopened. I would like the web server, the mail server and a machine with the active SSH daemon that have private IP addresses on the LAN to be reachable externally via the Internet. Can I do so using ZeroShell as a router?
  4. I need to create a bridge that includes the Ethernet interface through which I am connected to the web interface. Unfortunately, when I confirm the creation of the bridge I lose the ZeroShell connection. What causes this? Can the problem be resolved?

    Virtual LAN (VLAN)

  5. What are Virtual LANs or VLANs?
  6. Terminology referring to Virtual LANs often refers to a trunk or trunking. What is it?
  7. In the 802.1Q trunking protocol, what is a Native VLAN?
  8. Does ZeroShell support IEEE 802.1Q VLANs?
  9. I configured a VLAN on a ZeroShell Ethernet port, but packets that are too big don’t reach their destination. What causes this?

Questions on Virtual Private Networks

  1. What is the difference between LAN-to-LAN (or site-to-site) VPNs and host-to-LAN VPNs?
  2. What do VPN Passthrough and IPSec NAT-T mean?

    VPN LAN-to-LAN

  3. I have noticed that ZeroShell creates LAN-to-LAN VPNs using an SSL-encrypted tunnel that encapsulates Ethernet frames instead of using the more widely known IPSec protocol. Why is this?
  4. If the ZeroShell site-to-site VPNs are in fact similar to an Ethernet connection, can I bridge one or more VPNs with one or more Ethernet interfaces?
  5. My company is composed of a head office with a very fast Internet connection and peripheral offices that connect to the Internet using slower ADSL lines. I would like the peripheral offices to connect to head office using a site-to-site VPN, but the slowness of the ADSL lines is creating a bottleneck. Could I merge multiple ADSL connections to increase the bandwidth and reliability?
  6. ZeroShell implements LAN-to-LAN Virtual Private Networks by encapsulating Ethernet frames inside an authenticated and SSL-encrypted tunnel using host X.509 certificates. However, must I use a ZeroShell box on both the VPN endpoints?
  7. I see that OpenVPN can be configured to use TUN devices or TAP devices. What are they? Which of the two devices is used by ZeroShell?

    VPN Host-to-LAN

  8. ZeroShell implements the Host-to-LAN Virtual Private Networks using the standardised L2TP/IPSec protocol. Why is OpenVPN not used in this case?
  9. I configured Windows XP to create an L2TP/IPSec VPN to a ZeroShell VPN gateway. However, when I try to activate the VPN, Windows XP gives me the message that there is no certificate to establish the IPSec connection. What causes this?

Questions on Wi-Fi Wireless network security

  1. I have a Wi-Fi network and would like to protect it from unauthorised access. Is it better to use a RADIUS server that allows me to have 802.1x authentication and protection with WPA or WPA2, or to use a Captive Portal that authenticates access via web login?

    RADIUS server, 802.1x, WPA, 802.11i (WPA2)

  2. In RADIUS terminology, with reference to Wi-Fi network protection, what do supplicant, authenticator, NAS and authentication server mean?
  3. Does the ZeroShell RADIUS server support the WPA and 802.11i (WPA2) protocols to protect wireless networks?
  4. When configuring the supplicant on my computer, I must choose the authentication method among EAP-TLS, EAP-TTLS and PEAP. What is involved?
  5. I have an Access Point that uses the Multiple SSID functionality so that different SSIDs can be configured and mapped on different VLANs. If I use ZeroShell as the RADIUS server, can I associate the Wi-Fi clients on the different VLANs based on the username used during 802.1x authentication?
  6. During configuration of the access point and the RADIUS server, I am requested to specify a Shared Secret. What is it?
  7. The ZeroShell RADIUS server can also function in proxy mode. What does it mean exactly?
  8. Does ZeroShell support WEP and WPA-PSK to protect Wi-Fi networks?

    Captive Portal

  9. The ZeroShell Captive Portal is composed of two modules: the Web Login server and the Captive Gateway. What is the advantage of such modularity?
  10. I want to create a multi-gateway structure with the ZeroShell Captive Portal. What is the maximum number of captive gateways I can have on the same web login server?
  11. What are the authentication sources used by the ZeroShell Captive Portal web login server to validate users?
  12. Can the ZeroShell Captive Portal use a RADIUS server as an authentication source?
  13. Can the ZeroShell Captive Portal simultaneously use multiple authentication sources?
  14. I am afraid that an impostor, using a spoofed IP address, can replace the web login server with a fake one and trick the gateways into authorising clients that shouldn’t be there. Is there any danger of this for ZeroShell Captive Portals?
  15. When I authenticate with the ZeroShell Captive Portal, immediately after inserting my username and password and pressing the network access button, at the same time as the popup appears to control the connection, the browser warns me that my data will not be encrypted and therefore security problems may arise. Should I be worried? Will my data be available on the network?
  16. Should an impostor capture the authenticator on the network and, without decrypting it, send it as is to the captive gateway, could he or she obtain illegal access to the network?
  17. Why shouldn’t the user close the popup control window which appears after authentication with the Captive Portal?
  18. Captive gateways can work in Routed Mode or in Bridged Mode. What does that mean?
  19. Is the ZeroShell Captive Portal able to authenticate clients by using X.509 certificates?