ZyXEL Communications 802.11g ADSL 2+ 4-Port Security Gateway HW-D Series, User Manual

Page 1: ...P 662H HW D Series 802 11g ADSL 2 4 Port Security Gateway User s Guide Version 3 40 Edition 1 7 2006 ...

Page 2: ......

Page 3: ...y ZyXEL Communications Corporation All rights reserved Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products or software described herein Neither does it convey any license under its patent rights nor the patent rights of others ZyXEL further reserves the right to make changes in any products described herein without notice This publication is subject...

Page 4: ...ful interference to radio television reception which can be determined by turning the equipment off and on the user is encouraged to try to correct the interference by one or more of the following measures Reorient or relocate the receiving antenna Increase the separation between the equipment and the receiver Connect the equipment into an outlet on a circuit different from that to which the recei...

Page 5: ...662H HW D is limited in CH1 11 from 2400 to 2483 5 MHz by specified firmware controlled in USA Viewing Certifications 1 Go to www zyxel com 2 Select your product from the drop down list box on the ZyXEL home page to go to that product s page 3 Select the certification you wish to view from this page ...

Page 6: ...e it from the power outlet Do NOT attempt to repair the power supply Contact your local vendor to order a new power supply Place connecting cables carefully so that no one will step on them or stumble over them Do NOT allow anything to rest on the power cord and do NOT locate the product where anyone can walk on the power cord If you wall mount your device make sure that no electrical gas or water...

Page 7: ...ered with damaged by an act of God or subjected to abnormal working conditions Note Repair or replacement as provided under this warranty is the exclusive remedy of the purchaser This warranty is in lieu of all other warranties express or implied including any implied warranty of merchantability or fitness for a particular use or purpose ZyXEL shall in no event be held liable for indirect or conse...

Page 8: ...ha 4 Modrany Ceská Republika info cz zyxel com 420 241 091 359 DENMARK support zyxel dk 45 39 55 07 00 www zyxel dk ZyXEL Communications A S Columbusvej 2860 Soeborg Denmark sales zyxel dk 45 39 55 07 07 FINLAND support zyxel fi 358 9 4780 8411 www zyxel fi ZyXEL Communications Oy Malminkaari 10 00700 Helsinki Finland sales zyxel fi 358 9 4780 8448 FRANCE info zyxel fr 33 4 72 52 97 97 www zyxel f...

Page 9: ...pport zyxel es 34 902 195 420 www zyxel es ZyXEL Communications Arte 21 5ª planta 28033 Madrid Spain sales zyxel es 34 913 005 345 SWEDEN support zyxel se 46 31 744 7700 www zyxel se ZyXEL Communications A S Sjöporten 4 41764 Göteborg Sweden sales zyxel se 46 31 744 7701 UKRAINE support ua zyxel com 380 44 247 69 78 www ua zyxel com ZyXEL Ukraine 13 Pimonenko Str Kiev 04050 Ukraine sales ua zyxel ...

Page 10: ...P 662H HW D Series User s Guide 10 Customer Support ...

Page 11: ...W Wireless Features 45 1 1 2 Applications for the ZyXEL Device 45 1 1 2 1 Internet Access 46 1 1 2 2 LAN to LAN Application 46 1 1 3 Firewall for Secure Broadband Internet Access 46 1 1 4 Front Panel LEDs 47 Chapter 2 Introducing the Web Configurator 49 2 1 Web Configurator Overview 49 2 2 Accessing the Web Configurator 49 2 3 Resetting the ZyXEL Device 51 2 3 1 Using the Reset Button 52 2 4 Navig...

Page 12: ...duction 79 4 2 Predefined Media Bandwidth Management Services 79 4 3 Bandwidth Management Wizard Setup 80 Chapter 5 WAN Setup 85 5 1 WAN Overview 85 5 1 1 Encapsulation 85 5 1 1 1 ENET ENCAP 85 5 1 1 2 PPP over Ethernet 85 5 1 1 3 PPPoA 86 5 1 1 4 RFC 1483 86 5 1 2 Multiplexing 86 5 1 2 1 VC based Multiplexing 86 5 1 2 2 LLC based Multiplexing 86 5 1 3 VPI and VCI 86 5 1 4 IP Address Assignment 87...

Page 13: ...view 109 6 1 1 LANs WANs and the ZyXEL Device 109 6 1 2 DHCP Setup 110 6 1 2 1 IP Pool Setup 110 6 1 3 DNS Server Address 110 6 1 4 DNS Server Address Assignment 111 6 2 LAN TCP IP 111 6 2 1 IP Address and Subnet Mask 111 6 2 1 1 Private IP Addresses 112 6 2 2 RIP Setup 112 6 2 3 Multicast 113 6 2 4 Any IP 113 6 2 4 1 How Any IP Works 114 6 3 Configuring LAN IP 115 6 3 1 Configuring Advanced LAN S...

Page 14: ...WMM QoS 141 7 8 1 WMM QoS Example 141 7 8 2 WMM QoS Priorities 141 7 8 3 Services 142 7 9 QoS Screen 144 7 9 1 ToS Type of Service and WMM QoS 144 7 9 2 Application Priority Configuration 146 7 10 Multiple SSID P 662HW D Models only 147 7 10 1 Multiple SSID Commands 148 7 10 2 Multiple SSID Example 150 Chapter 8 DMZ 151 8 1 Introduction 151 8 2 Configuring DMZ 151 8 3 DMZ Public IP Address Example...

Page 15: ...on to ZyXEL s Firewall 170 10 3 1 Denial of Service Attacks 171 10 4 Denial of Service 171 10 4 1 Basics 171 10 4 2 Types of DoS Attacks 172 10 4 2 1 ICMP Vulnerability 174 10 4 2 2 Illegal Commands NetBIOS and SMTP 174 10 4 2 3 Traceroute 175 10 5 Stateful Inspection 175 10 5 1 Stateful Inspection Process 176 10 5 2 Stateful Inspection and the ZyXEL Device 176 10 5 3 TCP Security 177 10 5 4 UDP I...

Page 16: ...obing 197 11 10 DoS Thresholds 198 11 10 1 Threshold Values 198 11 10 2 Half Open Sessions 199 11 10 2 1 TCP Maximum Incomplete and Blocking Time 199 11 10 3 Configuring Firewall Thresholds 200 Chapter 12 Anti Virus Packet Scan 203 12 1 Overview 203 12 1 1 Types of Computer Viruses 203 12 2 Signature Based Virus Scan 203 12 2 1 Computer Virus Infection and Prevention 204 12 3 Introduction to the Z...

Page 17: ...28 14 4 User Online Status 229 14 5 Content Access Control Logins 230 14 5 1 User Login 230 14 5 2 Administrator Login 231 Chapter 15 Introduction to IPSec 233 15 1 VPN Overview 233 15 1 1 IPSec 233 15 1 2 Security Association 233 15 1 3 Other Terminology 233 15 1 3 1 Encryption 233 15 1 3 2 Data Confidentiality 234 15 1 3 3 Data Integrity 234 15 1 3 4 Data Origin Authentication 234 15 1 4 VPN App...

Page 18: ...l Key Setup 257 16 14 1 Security Parameter Index SPI 257 16 15 Configuring Manual Key 257 16 16 Viewing SA Monitor 260 16 17 Configuring Global Setting 261 16 18 Telecommuter VPN IPSec Examples 262 16 18 1 Telecommuters Sharing One VPN Rule Example 262 16 18 2 Telecommuters Using Unique VPN Rules Example 263 16 19 VPN and Remote Management 264 Chapter 17 Certificates 265 17 1 Certificates Overview...

Page 19: ... 294 19 5 Scheduler 294 19 5 1 Priority based Scheduler 294 19 5 2 Fairness based Scheduler 295 19 6 Maximize Bandwidth Usage 295 19 6 1 Reserving Bandwidth for Non Bandwidth Class Traffic 295 19 6 2 Maximize Bandwidth Usage Example 296 19 6 2 1 Priority based Allotment of Unused and Unbudgeted Bandwidth 296 19 6 2 2 Fairness based Allotment of Unused and Unbudgeted Bandwidth 297 19 6 3 Bandwidth ...

Page 20: ...2 1 Introducing Universal Plug and Play 321 22 1 1 How do I know if I m using UPnP 321 22 1 2 NAT Traversal 321 22 1 3 Cautions with UPnP 322 22 2 UPnP and ZyXEL 322 22 2 1 Configuring UPnP 322 22 3 Installing UPnP in Windows Example 323 22 4 Using UPnP in Windows XP Example 326 Chapter 23 System 333 23 1 General Setup 333 23 1 1 General Setup and System Name 333 23 1 2 General Setup 333 23 2 Time...

Page 21: ...53 27 2 Problems with the LAN 353 27 3 Problems with the WAN 354 27 4 Problems Accessing the ZyXEL Device 355 27 4 1 Pop up Windows JavaScripts and Java Permissions 355 27 4 1 1 Internet Explorer Pop up Blockers 355 27 4 1 2 JavaScripts 358 27 4 1 3 Java Permissions 360 27 4 2 ActiveX Controls in Internet Explorer 362 Appendix A Product Specifications 365 Appendix B About ADSL 369 Introduction to ...

Page 22: ... 399 Fragmentation Threshold 400 Preamble Type 401 IEEE 802 11g Wireless LAN 401 IEEE 802 1x 402 RADIUS 402 Types of Authentication 403 WPA 2 405 Security Parameters Summary 407 Appendix G Importing Certificates 409 Import ZyXEL Device Certificates into Netscape Navigator 409 Importing the ZyXEL Device s Certificate into Internet Explorer 409 Enrolling and Importing SSL Client Certificates 413 Usi...

Page 23: ... Configuration Text File Format 437 Internal SPTGEN FTP Download Example 438 Internal SPTGEN FTP Upload Example 439 Command Examples 460 Appendix N Splitters and Microfilters 463 Connecting a POTS Splitter 463 Telephone Microfilters 463 ZyXEL Device With ISDN 464 Appendix O Log Descriptions 465 Log Commands 479 Log Command Example 480 Appendix P Triangle Route 481 The Ideal Setup 481 The Triangle ...

Page 24: ...P 662H HW D Series User s Guide 24 Table of Contents ...

Page 25: ...e 17 System General 62 Figure 18 Select a Mode 65 Figure 19 Wizard Welcome 66 Figure 20 Auto Detection No DSL Connection 66 Figure 21 Auto Detection Failed 67 Figure 22 Auto Detection PPPoE 67 Figure 23 Internet Access Wizard Setup ISP Parameters 68 Figure 24 Internet Connection with PPPoE 69 Figure 25 Internet Connection with RFC 1483 69 Figure 26 Internet Connection with ENET ENCAP 70 Figure 27 ...

Page 26: ...115 Figure 56 Advanced LAN Setup 116 Figure 57 DHCP Setup 117 Figure 58 LAN Client List 118 Figure 59 Physical Network Partitioned Logical Networks 120 Figure 60 LAN IP Alias 120 Figure 61 Example of a Wireless Network 123 Figure 62 Wireless LAN General 128 Figure 63 Wireless No Security 129 Figure 64 Wireless Static WEP Encryption 130 Figure 65 Wireless WPA 2 PSK 131 Figure 66 Wireless WPA 2 132 ...

Page 27: ...le Select Customized Services 194 Figure 104 Firewall Example Rules MyService 195 Figure 105 Firewall Anti Probing 197 Figure 106 Firewall Threshold 200 Figure 107 ZyXEL Device Anti virus Application 204 Figure 108 Anti Virus Packet Scan 206 Figure 109 Anti Virus Registration and Virus Information Update 208 Figure 110 Virus Scan Update in Progress 209 Figure 111 Virus Scan Update Successful 209 F...

Page 28: ...ort 269 Figure 143 My Certificate Create 270 Figure 144 My Certificate Details 273 Figure 145 Trusted CAs 276 Figure 146 Trusted CA Import 277 Figure 147 Trusted CA Details 278 Figure 148 Trusted Remote Hosts 281 Figure 149 Remote Host Certificates 282 Figure 150 Certificate Details 282 Figure 151 Trusted Remote Host Import 283 Figure 152 Trusted Remote Host Details 284 Figure 153 Directory Server...

Page 29: ...onnection Status 329 Figure 185 Network Connections 330 Figure 186 Network Connections My Network Places 331 Figure 187 Network Connections My Network Places Properties Example 331 Figure 188 System General Setup 334 Figure 189 System Time Setting 335 Figure 190 View Log 340 Figure 191 Log Settings 341 Figure 192 E mail Log Example 343 Figure 193 Firmware Upgrade 345 Figure 194 Firmware Upload In ...

Page 30: ... Devices 385 Figure 230 Red Hat 9 0 KDE Ethernet Device General 385 Figure 231 Red Hat 9 0 KDE Network Configuration DNS 386 Figure 232 Red Hat 9 0 KDE Network Configuration Activate 386 Figure 233 Red Hat 9 0 Dynamic IP Address Setting in ifconfig eth0 387 Figure 234 Red Hat 9 0 Static IP Address Setting in ifconfig eth0 387 Figure 235 Red Hat 9 0 DNS Settings in resolv conf 387 Figure 236 Red Ha...

Page 31: ...Module Commands 426 Figure 263 Configuration Text File Format Column Descriptions 437 Figure 264 Invalid Parameter Entered Command Line Example 438 Figure 265 Valid Parameter Entered Command Line Example 438 Figure 266 Internal SPTGEN FTP Download Example 439 Figure 267 Internal SPTGEN FTP Upload Example 439 Figure 268 Connecting a POTS Splitter 463 Figure 269 Connecting a Microfilter 464 Figure 2...

Page 32: ...P 662H HW D Series User s Guide 32 List of Figures ...

Page 33: ...up Wizard 2 75 Table 17 Manually assign a WPA key 76 Table 18 Manually assign a WEP key 77 Table 19 Media Bandwidth Management Setup Services 79 Table 20 Bandwidth Management Wizard General Information 81 Table 21 Bandwidth Management Wizard Configuration 82 Table 22 Internet Connection 91 Table 23 Advanced Internet Connection 93 Table 24 More Connections 95 Table 25 More Connections Edit 96 Table...

Page 34: ... Rules 166 Table 59 Edit Address Mapping Rule 167 Table 60 Common IP Ports 172 Table 61 ICMP Commands That Trigger Alerts 174 Table 62 Legal NetBIOS Commands 174 Table 63 Legal SMTP Commands 174 Table 64 Firewall General 185 Table 65 Firewall Rules 186 Table 66 Firewall Edit Rule 189 Table 67 Customized Services 190 Table 68 Firewall Configure Customized Services 191 Table 69 Predefined Services 1...

Page 35: ...Rules Example 264 Table 101 My Certificates 267 Table 102 My Certificate Import 270 Table 103 My Certificate Create 271 Table 104 My Certificate Details 274 Table 105 Trusted CAs 276 Table 106 Trusted CA Import 277 Table 107 Trusted CA Details 279 Table 108 Trusted Remote Hosts 281 Table 109 Trusted Remote Host Import 283 Table 110 Trusted Remote Host Details 285 Table 111 Directory Servers 287 Ta...

Page 36: ...43 Troubleshooting Starting Up Your ZyXEL Device 353 Table 144 Troubleshooting the LAN 353 Table 145 Troubleshooting the WAN 354 Table 146 Troubleshooting Accessing the ZyXEL Device 355 Table 147 Device 365 Table 148 Firmware 366 Table 149 Classes of IP Addresses 390 Table 150 Allowed IP Address Range By Class 390 Table 151 Natural Masks 391 Table 152 Alternative Subnet Mask Notation 391 Table 153...

Page 37: ...SMT Menu 23 459 Table 178 Menu 24 11 Remote Management Control SMT Menu 24 11 460 Table 179 Command Examples 460 Table 180 System Maintenance Logs 465 Table 181 System Error Logs 466 Table 182 Access Control Logs 466 Table 183 TCP Reset Logs 467 Table 184 Packet Filter Logs 467 Table 185 ICMP Logs 468 Table 186 CDR Logs 468 Table 187 PPP Logs 468 Table 188 UPnP Logs 469 Table 189 Content Filtering...

Page 38: ...P 662H HW D Series User s Guide 38 List of Tables ...

Page 39: ...XEL Device Not all features can be configured through all interfaces Syntax Conventions Enter means for you to type one or more characters Select or Choose means for you to use one predefined choice Mouse action sequences are denoted using a right angle bracket For example In Windows click Start Settings Control Panel means first click the Start button then point your mouse pointer to Settings and...

Page 40: ...suggestions for improvement to techwriters zyxel com tw or send regular mail to The Technical Writing Team ZyXEL Communications Corp 6 Innovation Road II Science Based Industrial Park Hsinchu 300 Taiwan Thank you Graphics Icons Key ZyXEL Device Computer Notebook computer Server DSLAM Firewall Telephone Switch Router Wireless Signal ...

Page 41: ...tionality The P 662HW Dx has an embedded mini PCI module for 802 11g Wireless LAN connectivity Note All wireless features in this guide pertain to the P 662HW Dx series only Models ending in 1 for example P 662HW D1 denote a device that works over the analog telephone system POTS Plain Old Telephone Service Models ending in 3 denote a device that works over ISDN Integrated Services Digital Network...

Page 42: ...t account user name and password is required or the ZyXEL Device cannot connect to the ISP you will be redirected to web screen s for information input or troubleshooting Any IP The Any IP feature allows a computer to access the Internet and the ZyXEL Device without changing the network settings such as IP address and subnet mask of the computer when the IP addresses of the computer and the ZyXEL ...

Page 43: ...n and or subnet You can allocate specific amounts of bandwidth capacity bandwidth budgets to different bandwidth classes Universal Plug and Play UPnP Using the standard TCP IP protocol the ZyXEL Device and other UPnP enabled devices can dynamically join a network obtain an IP address and convey its capabilities to other devices on the network PPPoE RFC2516 PPPoE Point to Point Protocol over Ethern...

Page 44: ...rtition a physical network into logical networks over the same Ethernet interface The ZyXEL Device supports three logical LAN interfaces via its single physical Ethernet interface with the ZyXEL Device itself as the gateway for each LAN network IP Policy Routing IPPR Traditionally routing is based on the destination address only and the router takes the shortest path to forward a packet IP Policy ...

Page 45: ...ast transmission rates actual speed depends on environment among Wireless g enabled access points and wireless clients Antenna The ZyXEL Device is equipped with a detachable SMA 5dBi high gain Antenna to provide clear radio signal between the wireless stations and the access points Wireless LAN MAC Address Filtering Your ZyXEL Device can check the MAC addresses of wireless stations against a list ...

Page 46: ...he ZyXEL Device allows wireless clients access to your network resources A typical Internet access application is shown below Figure 1 ZyXEL Device Internet Access Application 1 1 2 2 LAN to LAN Application You can use the ZyXEL Device to connect two geographically dispersed networks over the ADSL line A typical LAN to LAN application example for the ZyXEL Device is shown as follows Figure 2 ZyXEL...

Page 47: ...LEDs LED COLOR STATUS DESCRIPTION PWR SYS Green On The ZyXEL Device is receiving power and functioning properly Blinking The ZyXEL Device is rebooting or performing diagnostics Red On Post Power On Self Test failure or the device has malfunctioned Off The system is not receiving power LAN 1 4 Green On The ZyXEL Device has a successful 10 100Mb Ethernet connection Blinking The ZyXEL Device is sendi...

Page 48: ...ot receiving power or there is no DSL connection INTERNET Green On The ZyXEL Device is connected with no traffic detected Blinking The ZyXEL Device is sending receiving data Red On The ZyXEL Device failed to authenticate Off The DSL line is down CON AUX Green On The CON AUX switch is set to CON the CON AUX port is connected to a management computer and someone is logged into the ZyXEL Device Amber...

Page 49: ...efault in Windows XP SP Service Pack 2 JavaScripts enabled by default Java permissions enabled by default See the chapter on troubleshooting if you need to make sure these functions are allowed in Internet Explorer 2 2 Accessing the Web Configurator Note Even though you can connect to the ZyXEL Device wirelessly it is recommended that you connect your computer to a LAN port for initial configurati...

Page 50: ...min password Enter a new password between 1 and 30 characters retype it to confirm and click Apply alternatively click Ignore to proceed to the main menu if you do not want to change the password now Note If you do not change the password at least once the following screen appears every time you log in with the admin password Figure 7 Change Password at Login 7 It is highly recommended you replace...

Page 51: ...s screen Figure 9 Select a Mode Note The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires default five minutes Simply log back into the ZyXEL Device if this happens to you 2 3 Resetting the ZyXEL Device If you forget your password or cannot access the web configurator you will need to use the RESET button at the back of the ZyX...

Page 52: ...pressing the RESET button for 1 second Start OTIST by pressing the RESET button for 3 seconds 2 4 Navigating the Web Configurator We use the P 662HW D1 web screens in this guide as an example Screens vary slightly for different ZyXEL Device models 2 4 1 Navigation Panel After you enter the admin password use the sub menus on the navigation panel to configure ZyXEL Device features The following tab...

Page 53: ...settings enable Any IP and other advanced properties DHCP Setup Use this screen to configure LAN DHCP settings Client List Use this screen to view current DHCP client information and to always assign an IP address to a MAC address and host name IP Alias Use this screen to partition your LAN interface into subnets Wireless LAN Wirelessdevices only General Use this screen to configure the wireless L...

Page 54: ...onfigure each VPN tunnel Monitor Use this screen to look at the current status of each VPN tunnel VPN Global Setting Use this screen to allow NetBIOS traffic through VPN tunnels Certificates My Certificates Use this screen to generate and export self signed certificates or certification requests and import the ZyXEL Device s CA signed certificates Trusted CAs Use this screen to save CA certificate...

Page 55: ...ich IP address es users can send DNS queries to the ZyXEL Device ICMP Use this screen to change your anti probing settings UPnP Use this screen to enable UPnP on the ZyXEL Device Maintenance System General This screen contains administrative and system related information and also allows you to change your password Time Setting Use this screen to change your ZyXEL Device s time and date Logs View ...

Page 56: ... Name This is the System Name you enter in the Maintenance System General screen It is for identification purposes Model Number MAC Address This is the MAC Media Access Control or Ethernet address unique to your ZyXEL Device ZyNOS Firmware Version This is the ZyNOS Firmware version and the date created ZyNOS is ZyXEL s proprietary Network Operating System design DSL Firmware Version This is the DS...

Page 57: ...rs to the memory that is not used by ZyNOS ZyXEL Network Operating System and is thus available for running processes like NAT VPN and the firewall The bar displays what percent of the ZyXEL Device s heap memory is in use The bar turns from green to red when the maximum is being approached Memory Usage This number shows the ZyXEL Device s total heap memory in kilobytes The bar displays what percen...

Page 58: ...yXEL Device WLAN Status wireless devices only This screen displays the MAC address es of the wireless stations that are currently associating with the ZyXEL Device Bandwidth Status Use this screen to view the ZyXEL Device s bandwidth usage and allotments Packet Statistics Use this screen to view port status and packet specific statistics VPN Status Use this screen to view VPN status and settings T...

Page 59: ...ercentage of unused bandwidth and the orange color represents the percentage of bandwidth in use Figure 14 Status Bandwidth Status 2 4 6 Status VPN Status Click the VPN Status hyperlink in the Status screen The VPN Status shows the current status of any VPN tunnels the ZyXEL Device has negotiated Table 6 Status WLAN Status LABEL DESCRIPTION This is the index number of an associated wireless statio...

Page 60: ...nterval s The Poll Interval s field is configurable Table 7 Status VPN Status LABEL DESCRIPTION No This is the security association index number Name This field displays the identification name for this VPN policy Encapsulation This field displays Tunnel or Transport mode IPSec Algorithm This field displays the security protocol encryption algorithm and authentication algorithm used in each SA Dis...

Page 61: ...ream speed of your ZyXEL Device Downstream Speed This is the downstream speed of your ZyXEL Device Node Link This field displays the remote node index number and link type Link types are PPPoA ENET RFC 1483 and PPPoE Interface This field displays the type of port Status This field displays Down line is down Up line is up or connected if you re using Ethernet encapsulation and Down line is down Up ...

Page 62: ... Tx B s This field displays the number of bytes transmitted in the last second Rx B s This field displays the number of bytes received in the last second Up Time This field displays the elapsed time this port has been up Collisions This is the number of collisions on this port Poll Interval s Type the time interval for the browser to refresh system statistics Set Interval Click this button to appl...

Page 63: ...word LABEL DESCRIPTION Old Password Type the default password or the existing password you use to access the system in this field New Password Type the new password in this field Retype to Confirm Type the new password again in this field Apply Click Apply to save your changes back to the ZyXEL Device Cancel Click Cancel to begin configuring this screen afresh ...

Page 64: ...P 662H HW D Series User s Guide 64 Chapter 2 Introducing the Web Configurator ...

Page 65: ...access with the information given to you by your ISP Note See the advanced menu chapters for background information on these fields 3 2 Internet Access Wizard Setup 1 After you enter the admin password to access the web configurator select Go to Wizard setup and click Apply Otherwise click the wizard icon in the top right corner of the web configurator to display the wizard main screen Figure 18 S...

Page 66: ...n type you use If the wizard does not detect a connection type and the following screen appears see Figure 20 on page 66 check your hardware connections and click Restart the Internet Wireless Setup Wizard to have the ZyXEL Device detect your connection again Figure 20 Auto Detection No DSL Connection If the wizard still cannot detect a connection type and the following screen appears see Figure 2...

Page 67: ...t account information Enter the username password and or service name exactly as provided 2 Click Next and see Section 3 3 on page 72 for wireless connection wizard setup Figure 22 Auto Detection PPPoE 3 2 2 Manual Configuration 1 If the ZyXEL Device fails to detect your DSL connection type enter the Internet access information given to you by your ISP exactly in the wizard screen If not given lea...

Page 68: ... the Mode field select either PPPoA or RFC 1483 If you select Routing in the Mode field select PPPoA RFC 1483 ENET ENCAP or PPPoE Multiplexing Select the multiplexing method used by your ISP from the Multiplex drop down list box either VC based or LLC based Virtual Circuit ID VPI Virtual Path Identifier and VCI Virtual Channel Identifier define a virtual circuit Refer to the appendix for more info...

Page 69: ...s screen Figure 25 Internet Connection with RFC 1483 Table 11 Internet Connection with PPPoE LABEL DESCRIPTION User Name Enter the user name exactly as your ISP assigned If assigned a name in the form user domain where domain identifies a service name then enter both components exactly as given Password Enter the password associated with the user name above Service Name Type the name of your PPPoE...

Page 70: ...btain an IP Address Automatically A static IP address is a fixed IP that your ISP gives you A dynamic IP address is not fixed the ISP assigns you a different one each time you connect to the Internet Select Obtain an IP Address Automatically if you have a dynamic IP address Static IP Address A static IP address is a fixed IP that your ISP gives you A dynamic IP address is not fixed the ISP assigns...

Page 71: ...ng with the IP address and the subnet mask Second DNS Server As above Back Click Back to go back to the previous wizard screen Apply Click Apply to save your changes back to the ZyXEL Device Exit Click Exit to close the wizard screen without saving your changes Table 14 Internet Connection with PPPoA LABEL DESCRIPTION User Name Enter the login name that your ISP gives you Password Enter the passwo...

Page 72: ...tivated or click Restart the Internet Wireless Setup Wizard to verify your Internet access settings Figure 29 Connection Test Failed 2 3 3 Wireless Connection Wizard Setup After you configure the Internet access information use the following screens to set up your wireless LAN 1 Select Yes and click Next to configure wireless settings Otherwise select No and skip to Step 6 ...

Page 73: ...ies User s Guide Chapter 3 Wizard Setup for Internet Access 73 Figure 30 Connection Test Successful 2 Use this screen to activate the wireless LAN and OTIST Click Next to continue Figure 31 Wireless LAN Setup Wizard 1 ...

Page 74: ...nable OTIST if you want to transfer your ZyXEL Device s SSID and WEP or WPA PSK security settings to wireless clients that support OTIST and are within transmission range You must also activate and start OTIST on the wireless client at the same time The process takes three minutes to complete Note You can start OTIST by pressing the RESET button for 3 seconds Setup Key Type an OTIST Setup Key of u...

Page 75: ...intable 7 bit ASCII characters for the wireless LAN If you change this field on the ZyXEL Device make sure all wireless stations use the same SSID in order to access the network Channel Selection The range of radio frequencies used by IEEE 802 11b g wireless devices is called a channel Select a channel ID that is not already in use by a neighboring device Security Select Automatically assign a WPA...

Page 76: ...eters Figure 34 Manually assign a WEP key Table 17 Manually assign a WPA key LABEL DESCRIPTION Pre Shared Key Type from 8 to 63 case sensitive ASCII characters You can set up the most secure wireless connection by configuring WPA in the wireless LAN screens You need to configure an authentication server to do this Back Click Back to display the previous screen Next Click Next to proceed to the nex...

Page 77: ...to complete and save the wizard setup Table 18 Manually assign a WEP key LABEL DESCRIPTION Key The WEP keys are used to encrypt data Both the ZyXEL Device and the wireless stations must use the same WEP key for data transmission Enter any 5 13 or 29 ASCII characters or 10 26 or 58 hexadecimal characters 0 9 A F for a 64 bit 128 bit or 256 bit WEP key respectively Back Click Back to display the pre...

Page 78: ... your web browser and navigate to www zyxel com Internet access is just the beginning Refer to the rest of this guide for more detailed information on the complete range of ZyXEL Device features If you cannot access the Internet open the web configurator again to confirm that the Internet settings you configured in the wizard setup are correct ...

Page 79: ...nformation based on Hyper Text Transfer Protocol HTTP a client server protocol for the World Wide Web The Web is not synonymous with the Internet rather it is just one service on the Internet Other services on the Internet include Internet Relay Chat and Newsgroups The Web is accessed through use of a browser FTP File Transfer Program enables fast transfer of files including large files that may n...

Page 80: ...n application layer control signaling protocol that handles the setting up altering and tearing down of voice and multimedia sessions over the Internet SIP is transported primarily over UDP but can also be transported over TCP using the default port number 5060 VoIP H 323 H 323 is an umbrella recommendation from the ITU T that defines the protocols to provide audio visual communication sessions on...

Page 81: ... the label in this screen Table 20 Bandwidth Management Wizard General Information LABEL DESCRIPTION Active Select the Active check box to have the ZyXEL Device apply bandwidth management to traffic going out through the ZyXEL Device s WAN LAN or WLAN port Select Services Setup to allocate bandwidth based on the service requirements Back Click Back to display the previous screen Next Click Next to...

Page 82: ...yXEL Device use a priority for traffic that matches that service A service with High priority is given as much bandwidth as it needs If you select services as having the same priority then bandwidth is divided equally amongst those services Services not specified in bandwidth management are allocated bandwidth after all specified services receive their bandwidth requirements If the rules set up in...

Page 83: ...ck Finish to complete the wizard setup and save your configuration Figure 41 Bandwidth Management Wizard Complete Apply Click Apply to save your changes back to the ZyXEL Device Exit Click Exit to close the wizard screen without saving your changes Table 21 Bandwidth Management Wizard Configuration LABEL DESCRIPTION ...

Page 84: ...P 662H HW D Series User s Guide 84 Chapter 4 Bandwidth Management Wizard ...

Page 85: ...dress in the ENET ENCAP Gateway field in the second wizard screen You can get this information from your ISP 5 1 1 2 PPP over Ethernet PPPoE Point to Point Protocol over Ethernet provides access control and billing functionality in a manner similar to dial up services using PPP PPPoE is an IETF standard RFC 2516 specifying how a personal computer PC interacts with a broadband modem DSL cable wirel...

Page 86: ... over a separate ATM virtual circuit VC based multiplexing Please refer to the RFC for more detailed information 5 1 2 Multiplexing There are two conventions to identify what protocols the virtual circuit VC is carrying Be sure to use the multiplexing method required by your ISP 5 1 2 1 VC based Multiplexing In this case by prior mutual agreement each protocol is assigned to a specific virtual cir...

Page 87: ...or dynamic IP For a static IP you must fill in all the IP Address and ENET ENCAP Gateway fields as supplied by your ISP However for a dynamic IP the ZyXEL Device acts as a DHCP client on the WAN port and so the IP Address and ENET ENCAP Gateway fields are not applicable N A as the DHCP server assigns them to the ZyXEL Device 5 1 5 Nailed Up Connection PPP A nailed up connection is a dial up line w...

Page 88: ...traffic redirect route next In the same manner the ZyXEL Device uses the dial backup route if the traffic redirect route also fails If you want the dial backup route to take first priority over the traffic redirect route or even the normal route all you need to do is set the dial backup route s metric to 1 and the others to 2 or greater IP Policy Routing overrides the default routing behavior and ...

Page 89: ...nt CBR traffic is generally time sensitive doesn t tolerate delay CBR is used for connections that continuously require a specific amount of bandwidth A PCR is specified and if traffic exceeds this rate cells may be dropped Examples of connections that need CBR would be high resolution video and voice 5 3 1 2 Variable Bit Rate VBR The Variable Bit Rate VBR ATM traffic class is used with bursty con...

Page 90: ...le transfer 5 4 Zero Configuration Internet Access Once you turn on and connect the ZyXEL Device to a telephone jack it automatically detects the Internet connection settings such as the VCI VPI numbers and the encapsulation method from the ISP and makes the necessary configuration changes In cases where additional account information such as an Internet account user name and password is required ...

Page 91: ...by your ISP from the drop down list box Choices vary depending on the mode you select in the Mode field If you select Bridge in the Mode field select either PPPoA or RFC 1483 If you select Routing in the Mode field select PPPoA RFC 1483 ENET ENCAP or PPPoE User Name PPPoA and PPPoE only Enter the user name exactly as your ISP assigned If assigned a name in the form user domain where domain identif...

Page 92: ...ss PPPoE PPPoA and ENET ENCAP only Select this if you do not have a dynamic IP address IP Address Enter the static IP address provided by your ISP Subnet Mask ENET ENCAP only Enter the subnet mask provided by your ISP Gateway IP address ENET ENCAP only Enter the gateway IP address provided by your ISP Connection This section only appears if the Encapsulation is PPPoE and PPPoA Nailed Up Connection...

Page 93: ...ormats when receiving RIP 1 is universally supported but RIP 2 carries more information RIP 1 is probably adequate for most networks unless you have an unusual network topology Both RIP 2B and RIP 2M sends the routing data in RIP 2 format the difference being that RIP 2B uses subnet broadcasting while RIP 2M uses multicasting Multicasting can reduce the load on non router machines since they gener...

Page 94: ...licable available when you configure the ZyXEL Device to use a static WAN IP address or in bridge mode Select Yes to set the ZyXEL Device to automatically detect the Internet connection settings such as the VCI VPI numbers and the encapsulation method from the ISP and make the necessary configuration changes Select No to disable this feature You must manually configure the ZyXEL Device for Interne...

Page 95: ...the connection Select the check box to enable it Name This is the descriptive name for this connection VPI VCI This is the VPI and VCI values used for this connection Encapsulation This is the method of encapsulation used for this connection Modify The first ISP connection is read only in this screen Use the WAN Internet Connection screen to edit it Click the edit icon to go to the screen where yo...

Page 96: ...et account If you select Bridge the ZyXEL Device will forward any packet that it does not route to this remote node otherwise the packets are discarded Encapsulation Select the method of encapsulation used by your ISP from the drop down list box Choices are PPPoA RFC 1483 ENET ENCAP or PPPoE User Name PPPoA and PPPoE encapsulation only Enter the user name exactly as your ISP assigned If assigned a...

Page 97: ...he IP Address field below If you use RFC 1483 enter the IP address given by your ISP in the IP Address field Subnet Mask Enter a subnet mask in dotted decimal notation Refer to the appendices to calculate a subnet mask If you are implementing subnetting Gateway IP address Specify a gateway IP address supplied by your ISP Connection Nailed Up Connection Select Nailed Up Connection when you want you...

Page 98: ...2 Select None to disable it ATM QoS ATM QoS Type Select CBR Continuous Bit Rate to specify fixed always on bandwidth for voice or data traffic Select UBR Unspecified Bit Rate for applications that are non time sensitive such as e mail Select VBR nRT Variable Bit Rate non Real Time or VBR RT Variable Bit Rate Real Time for bursty traffic and bandwidth sharing with other applications Peak Cell Rate ...

Page 99: ...up gateway is connected to the LAN Use IP alias to configure the LAN into two or three logical networks with the ZyXEL Device itself as the gateway for each LAN network Put the protected LAN in one subnet Subnet 1 in the following figure and the backup gateway in another subnet Subnet 2 Configure filters that allow packets from the protected LAN Subnet 1 to the backup gateway Subnet 2 Apply Click ...

Page 100: ... Series User s Guide 100 Chapter 5 WAN Setup Figure 49 Traffic Redirect LAN Setup 5 8 Configuring WAN Backup To change your ZyXEL Device s WAN backup settings click WAN WAN Backup Setup The screen appears as shown ...

Page 101: ...te either traffic redirect or dial backup you must configure at least one IP address here When using a WAN backup connection the ZyXEL Device periodically pings the addresses configured here and uses the other WAN backup connection if configured if there is no response Fail Tolerance Type the number of times 2 recommended that your ZyXEL Device may ping the IP addresses configured in the Check WAN...

Page 102: ... with a minimum of 1 for directly connected networks The number must be between 1 and 15 a number greater than 15 means the link is down The smaller the number the lower the cost Backup Gateway Type the IP address of your backup gateway in dotted decimal notation The ZyXEL Device automatically forwards traffic to this IP address if the ZyXEL Device s Internet connection terminates Dial Backup Acti...

Page 103: ...the secondary phone number from the ISP for this remote node If the primary phone number is busy or does not answer your ZyXEL Device dials the secondary phone number if available Some areas require dialing the pound sign before the phone number for local calls Include a symbol at the beginning of the phone numbers as required Dial Backup Port Speed Use the drop down list box to select the speed o...

Page 104: ...t broadcasting while RIP 2M uses multicasting Multicasting can reduce the load on non router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets However if one router uses multicasting then all routers on your network must use multicasting also RIP Direction RIP Routing Information Protocol allows a router to exchange routing information...

Page 105: ...Type the amount of time in minutes that the dial backup connection can be used during the time configured in the Period field Set an amount that is less than the time period configured in the Period field If you set the Allocated Budget to 0 you will not be able to use the dial backup connection Period Type the time period in hours for how often the budget should be reset For example to allow call...

Page 106: ...p the DTR Data Terminal Ready signal after the AT Command String Drop is sent out AT Response Strings CLID Type the keyword that precedes the CLID Calling Line Identification in the AT response string This lets the ZyXEL Device capture the CLID in the AT response string that comes from the WAN device CLID is required for CLID authentication Example NMBR Called ID Type the keyword preceding the dia...

Page 107: ...yXEL Device to wait before dropping the DTR signal if it does not receive a positive disconnect confirmation Example 20 Call Back Delay Type a number of seconds for the ZyXEL Device to wait between dropping a callback request call and dialing the corresponding callback call Example 15 Back Click Back to return to the previous screen Apply Click Apply to save the changes Cancel Click Cancel to begi...

Page 108: ...P 662H HW D Series User s Guide 108 Chapter 5 WAN Setup ...

Page 109: ...e immediate area usually the same building or floor of a building The LAN screens can help you configure a LAN DHCP server and manage IP addresses See Section 6 3 on page 115 to configure the LAN screens 6 1 1 LANs WANs and the ZyXEL Device The actual physical connection determines whether the ZyXEL Device ports are LAN or WAN ports There are two separate IP networks one inside the LAN network and...

Page 110: ...first is for an ISP to tell a customer the DNS server addresses usually in the form of an information sheet when s he signs up If your ISP gives you the DNS server addresses enter them in the DNS Server fields in DHCP Setup otherwise leave them blank Some ISP s choose to pass the DNS servers using the DNS server extensions of PPP IPCP IP Control Protocol after the connection is up If your ISP did ...

Page 111: ...their instructions in selecting the IP addresses and the subnet mask If the ISP did not explicitly give you an IP network number then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established If this is the case it is recommended that you select a network number from 192 168 0 0 to 192 168 255 0 and you must enable the Network Ad...

Page 112: ...ve For more information on address assignment please refer to RFC 1597 Address Allocation for Private Internets and RFC 1466 Guidelines for Management of IP Address Space 6 2 2 RIP Setup RIP Routing Information Protocol allows a router to exchange routing information with other routers The RIP Direction field controls the sending and receiving of RIP packets When set to Both the ZyXEL Device will ...

Page 113: ...onnected networks to gather group membership After that the ZyXEL Device periodically updates this information IP multicasting can be enabled disabled on the ZyXEL Device LAN and or WAN interfaces in the web configurator LAN WAN Select None to disable IP multicasting on these interfaces 6 2 4 Any IP Traditionally you must set the IP addresses and the subnet masks of a computer and the ZyXEL Device...

Page 114: ...ecified destination The following lists out the steps taken when a computer tries to access the Internet for the first time through the ZyXEL Device 1 When a computer which is in a different subnet first attempts to access the Internet it sends packets to its default gateway which is not the ZyXEL Device by looking at the MAC address in its ARP table 2 When the computer cannot locate the default g...

Page 115: ...nced LAN Setup To edit your ZyXEL Device s advanced LAN settings click the Advanced Setup button in the LAN IP screen The screen appears as shown Table 30 LAN IP LABEL DESCRIPTION TCP IP IP Address Enter the IP address of your ZyXEL Device in dotted decimal notation for example 192 168 1 1 factory default IP Subnet Mask Type the subnet mask assigned to you by your ISP if given Apply Click Apply to...

Page 116: ...dynamic IP addresses or static IP addresses in the same subnet as the ZyXEL Device s LAN IP address can connect to the ZyXEL Device or access the Internet through the ZyXEL Device Windows Networking NetBIOS over TCP IP NetBIOS Network Basic Input Output System are TCP or UDP packets that enable a computer to connect to and communicate with a LAN For some dial up services such as PPPoE or PPTP NetB...

Page 117: ...d If set to Relay the ZyXEL Device acts as a surrogate DHCP server and relays DHCP requests and responses between the remote server and the clients Enter the IP address of the actual remote DHCP server in the Remote DHCP Server field in this case When DHCP is used the following items need to be set IP Pool Starting Address This field specifies the first of the contiguous addresses in the IP addres...

Page 118: ... Client List The screen appears as shown Figure 58 LAN Client List Primary DNS Server Secondary DNS Server This field is not available when you set DHCP to Relay Enter the IP addresses of the DNS servers The DNS servers are passed to the DHCP clients along with the IP address and the subnet mask If the fields are left as 0 0 0 0 the ZyXEL Device acts as a DNS proxy and forwards the DHCP client s D...

Page 119: ...ress of a computer on your LAN Add Click Add to add a static DHCP entry This is the index number of the static IP table entry row Status This field displays whether the client is connected to the ZyXEL Device Host Name This field displays the computer host name IP Address This field displays the IP address relative to the field listed above MAC Address The MAC Media Access Control or Ethernet addr...

Page 120: ...n Table 34 LAN IP Alias LABEL DESCRIPTION IP Alias 1 2 Select the check box to configure another LAN network for the ZyXEL Device IP Address Enter the IP address of your ZyXEL Device in dotted decimal notation Alternatively click the right mouse button to copy and or paste the IP address IP Subnet Mask Your ZyXEL Device will automatically calculate the subnet mask based on the IP address that you ...

Page 121: ... RIP packets that the ZyXEL Device sends it recognizes both formats when receiving RIP 1 is universally supported but RIP 2 carries more information RIP 1 is probably adequate for most networks unless you have an unusual network topology Both RIP 2B and RIP 2M sends the routing data in RIP 2 format the difference being that RIP 2B uses subnet broadcasting while RIP 2M uses multicasting Multicastin...

Page 122: ...P 662H HW D Series User s Guide 122 Chapter 6 LAN Setup ...

Page 123: ...n the blue circle In this wireless network devices A and B use the access point AP to interact with the other devices such as the printer or with the Internet Your ZyXEL Device is the AP Every wireless network must follow these basic guidelines Every device in the same wireless network must use the same SSID The SSID is the name of the wireless network It stands for Service Set IDentity If two wir...

Page 124: ...y written using twelve hexadecimal characters2 for example 00A0C5000002 or 00 A0 C5 00 00 02 To get the MAC address for each device in the wireless network see the device s User s Guide or other documentation You can use the MAC address filter to tell the ZyXEL Device which devices are allowed or not allowed to use the wireless network If a device is allowed to use the wireless network it still ha...

Page 125: ...yption is like a secret code If you do not know the secret code you cannot understand the message The types of encryption you can choose depend on the type of authentication See Section 7 2 3 on page 124 for information about this For example if the wireless network has a RADIUS server you can choose IEEE 802 1x IEEE 802 1x Static WEP IEEE 802 1x Dynamic WEP WPA or WPA2 If users do not log in to t...

Page 126: ... information in the wireless network The longer the key the stronger the encryption Every device in the wireless network must have the same key 7 2 5 One Touch Intelligent Security Technology OTIST With ZyXEL s OTIST you set up the SSID and the encryption WEP or WPA PSK on the ZyXEL Device Then the ZyXEL Device transfers them to the devices in the wireless networks As a result you do not have to s...

Page 127: ...lower than the default value the wireless devices must sometimes get permission to send information to the ZyXEL Device The lower the value the more often the devices must get permission If this value is greater than the fragmentation threshold value see below then wireless devices never have to get permission to send information to the ZyXEL Device Preamble A preamble affects the timing in your w...

Page 128: ...XEL Device from a computer connected to the wireless LAN and you change the ZyXEL Device s SSID or WEP settings you will lose your wireless connection when you press Apply to confirm You must then change the wireless settings of your computer to match the ZyXEL Device s new settings Hide SSID Select this check box to hide the SSID in the outgoing beacon frame so a station cannot obtain the SSID th...

Page 129: ...able describes the labels in this screen 7 5 2 WEP Encryption Screen In order to configure and enable WEP encryption click Network Wireless LAN to display the General screen Select Static WEP from the Security Mode list Table 38 Wireless No Security LABEL DESCRIPTION Security Mode Choose No Security from the drop down list box Apply Click Apply to save your changes back to the ZyXEL Device Cancel ...

Page 130: ... a Passphrase up to 32 printable characters and click Generate The ZyXEL Device automatically generates a WEP key WEP Key The WEP keys are used to encrypt data Both the ZyXEL Device and the wireless stations must use the same WEP key for data transmission If you want to manually set the WEP key enter any 5 13 or 29 characters ASCII string or 10 26 or 58 hexadecimal characters 0 9 A F for a 64 bit ...

Page 131: ... the two is that WPA 2 PSK uses a simple common password instead of user specific credentials Type a pre shared key from 8 to 63 case sensitive ASCII characters including spaces and symbols ReAuthentication Timer In Seconds Specify how often wireless stations have to resend usernames and passwords in order to stay connected Enter a time interval between 10 and 9999 seconds The default time interva...

Page 132: ...ing WPA 2 key management sends a new group key out to all clients The re keying process is the WPA 2 equivalent of automatically changing the WEP key for an AP and all stations in a WLAN on a periodic basis Setting of the Group Key Update Timer is also supported in WPA 2 PSK mode The ZyXEL Device default is 1800 seconds 30 minutes Apply Click Apply to save your changes back to the ZyXEL Device Can...

Page 133: ... changing the WEP key for an AP and all stations in a WLAN on a periodic basis Setting of the Group Key Update Timer is also supported in WPA 2 PSK mode The ZyXEL Device default is 1800 seconds 30 minutes Authentication Server IP Address Enter the IP address of the external authentication server in dotted decimal notation Port Number Enter the port number of the external authentication server The ...

Page 134: ... grayed out and the ZyXEL Device uses 4096 automatically Fragmentation Threshold It is the maximum data fragment size that can be sent Enter a value between 256 and 2432 If you select the Enable 802 11g mode checkbox this field is grayed out and the ZyXEL Device uses 4096 automatically Output Power Set the output power of the ZyXEL Device in this field This control changes the strength of the ZyXE...

Page 135: ... the ZyXEL Device Select 802 11g Only to allow only IEEE 802 11g compliant WLAN devices to associate with the ZyXEL Device Select Mixed to allow either IEEE802 11b or IEEE802 11g compliant WLAN devices to associate with the ZyXEL Device The transmission rate of your ZyXEL Device might be reduced Enable 802 11g mode Select Enable 802 11g mode checkbox to allow any ZyXEL WLAN devices that support th...

Page 136: ...ing screen displays Figure 68 OTIST The following table describes the labels in this screen Table 43 OTIST LABEL DESCRIPTION Setup Key Type an OTIST Setup Key of exactly eight ASCII characters in length The default OTIST setup key is 01234567 Note If you change the OTIST setup key here you must also make the same change on the wireless client s ...

Page 137: ... checkbox in the OTIST screen If you want OTIST to automatically generate a WPA PSK you must Change your security to No Security in the Wireless General screen Select the Yes checkbox in the OTIST screen and click Start The wireless screen displays an auto generated WPA PSK and is now in WPA PSK security mode The WPA PSK security settings are assigned to the wireless client when you start OTIST St...

Page 138: ...lick OK Figure 70 Security Key 2 This screen appears while OTIST settings are being transferred It closes when the transfer is complete In the wireless client you see this screen if it can t find an OTIST enabled AP with the same Setup key Click OK to go back to the ZyXEL utility main screen Figure 73 No AP with OTIST Found If there is more than one OTIST enabled AP within range you see a screen a...

Page 139: ...ed to run OTIST again or enter them manually in the wireless client s 5 If you configure OTIST to generate a WPA PSK key this key changes each time you run OTIST Therefore if a new wireless client joins your wireless network you need to run OTIST on the AP and ALL wireless clients again 7 7 MAC Filter The MAC filter screen allows you to configure the ZyXEL Device to give exclusive access to up to ...

Page 140: ...not listed will be allowed to access the ZyXEL Device Select Allow to permit access to the ZyXEL Device MAC addresses not listed will be denied access to the ZyXEL Device Set This is the index number of the MAC address MAC Address Enter the MAC addresses of the wireless station that are allowed or denied access to the ZyXEL Device in these address fields Enter the MAC addresses in a valid MAC addr...

Page 141: ...ent applications This prevents reductions in data transmission for applications that are sensitive 7 8 2 WMM QoS Priorities The following table describes the priorities that you can apply to traffic that the ZyXEL Device sends to the wireless network Table 45 WMM QoS Priorities PRIORITY LEVELS Highest Typically used for voice traffic or video that is especially sensitive to jitter variations in de...

Page 142: ...0 for further information about port numbers Next to the name of the service two fields appear in brackets The first field indicates the IP protocol type TCP UDP or ICMP The second field indicates the IP port number that defines the service Note that there may be more than one IP protocol type For example look at the DNS service UDP TCP 53 means UDP port 53 and TCP port 53 ...

Page 143: ...PSEC_TUNNEL AH 0 The IPSEC AH Authentication Header tunneling protocol uses this service IPSEC_TUNNEL ESP 0 The IPSEC ESP Encapsulation Security Protocol tunneling protocol uses this service IRC TCP UDP 6667 This is another popular Internet chat program MSN Messenger TCP 1863 Microsoft Networks messenger service uses this protocol MULTICAST IGMP 0 Internet Group Multicast Protocol is used when sen...

Page 144: ...ple Mail Transfer Protocol is the message exchange standard for the Internet SMTP enables you to move messages from one e mail server to another SNMP TCP UDP 161 Simple Network Management Program SNMP TRAPS TCP UDP 162 Traps for use with the SNMP RFC 1215 SQL NET TCP 1521 Structured Query Language is an interface to access data on many different types of database systems including mainframes midra...

Page 145: ...splay a table of application names services ports and priorities to which you want to apply WMM QoS This is the number of an individual application entry Name This field displays a description given to an application entry Service This field displays either FTP WWW E mail or a User Defined service to which you want to apply WMM QoS Dest Port This field displays the destination port number to which...

Page 146: ...cation Priority Configuration The following table describes the fields in this screen Apply Click Apply to save your changes back to the ZyXEL Device Cancel Click Cancel to reload the previous configuration for this screen Table 47 Wireless LAN QoS LABEL DESCRIPTION Table 48 Application Priority Configuration LABEL DESCRIPTION Application Priority Configuration Name Type a description of the appli...

Page 147: ...work to specific groups or individuals Here are some default ports for e mail POP3 port 110 IMAP port 143 SMTP port 25 HTTP port 80 WWW The World Wide Web is an Internet system to distribute graphical hyper linked information based on Hyper Text Transfer Protocol HTTP a client server protocol for the World Wide Web The Web is not synonymous with the Internet rather it is just one service on the In...

Page 148: ...nformation on the command structure and how to access the CLI Command Line Interface on the ZyXEL Device 7 10 1 Multiple SSID Commands Use the wlan mssid commands to configure multiple SSID on the ZyXEL Device The commands must be entered in the following syntax wlan mssid guestssid ssid wlan mssid mode 0 disable guestssid 1 enable guestssid 0 disable intranet blocking 1 enable intranet blocking w...

Page 149: ...cifies the security mode for the guest wireless network Type one of the following 0 to disable security on the guest wireless network 1 to enable 64 bit WEP key encryption 2 to enable 128 bit WEP key encryption 3 256 bit WEP key encryption setprivacy wepkey 1 4 Key String This command allows you to create up to four WEP keys Enter 1 2 3 or 4 to specify which WEP key you are creating followed by an...

Page 150: ...d temporarily ras wlan mssid mode 1 1 Note the wireless connection will be disconnected temporarily Enable GuestSSID GuestSSID with Intranet Blocking TFTP Client Start ras wlan mssid setprivacy type 1 Privacy Setting is WEP64 Note the wireless connection will be disconnected temporarily TFTP Client Start ras wlan mssid setprivacy wepkey 1 abcde Note the wireless connection will be disconnected tem...

Page 151: ...s can have access to host servers on the DMZ but no access to the LAN unless special filter rules allowing access were configured by the administrator or the user is an authorized remote user It is highly recommended that you connect all of your public servers to the DMZ port If you have more than one public server connect a hub to the DMZ port It is also highly recommended that you keep all sensi...

Page 152: ...te the RIP information that it receives when set to None it will not send any RIP packets and will ignore any RIP packets received Both is the default RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyXEL Device sends it recognizes both formats when receiving RIP 1 is universally supported but RIP 2 carries more information RIP 1 is pro...

Page 153: ...Select this check box to forward NetBIOS packets from the LAN to the DMZ and from the DMZ to the LAN If your firewall is enabled with the default policy set to block DMZ to LAN traffic you also need to enable the default DMZ to LAN firewall rule that forwards NetBIOS traffic Clear this check box to block all NetBIOS packets going from the LAN to the DMZ and from the DMZ to the LAN Allow between DM...

Page 154: ... and connected computers A through C use private IP addresses that are in one subnet The DMZ port and server F use private IP addresses that are in one subnet The private IP addresses of the LAN and DMZ are on separate subnets The DMZ port and connected servers D and E use public IP addresses that are in one subnet The public IP addresses of the DMZ and WAN are on separate subnets Configure both D...

Page 155: ...P 662H HW D Series User s Guide Chapter 8 DMZ 155 Figure 81 DMZ Private and Public Address Example ...

Page 156: ...P 662H HW D Series User s Guide 156 Chapter 8 DMZ ...

Page 157: ...ss refers to the IP address of a host when the packet is in the local network while the global address refers to the IP address of the host when the same packet is traveling in the WAN side Note that inside outside refers to the location of a host while global local refers to the IP address of a host used in a packet Thus an inside local address ILA is the IP address of an inside host in a packet ...

Page 158: ... the additional benefit of firewall protection With no servers defined your ZyXEL Device filters out all incoming inquiries thus preventing intruders from probing your network For more information on IP address translation refer to RFC 1631 The IP Network Address Translator NAT 9 1 3 How NAT Works Each packet has two addresses a source address and a destination address For outgoing packets the ILA...

Page 159: ...IP address to one global IP address Many to One In Many to One mode the ZyXEL Device maps multiple local IP addresses to one global IP address This is equivalent to SUA for instance PAT port address translation ZyXEL s Single User Account feature that previous ZyXEL routers supported the SUA Only option in today s routers Many to Many Overload In Many to Many Overload mode the ZyXEL Device maps th...

Page 160: ...ng mapping types as outlined in Table 53 on page 160 Choose SUA Only if you have just one public WAN IP address for your ZyXEL Device Choose Full Feature if you have multiple public WAN IP addresses for your ZyXEL Device 9 3 NAT General Setup You must create a firewall rule in addition to setting up SUA NAT to allow traffic from the WAN to be forwarded through the ZyXEL Device Click Network NAT to...

Page 161: ...plications such as file sharing applications they need to establish NAT sessions If you do not limit the number of NAT sessions a single client can establish this can result in all of the available NAT sessions being used In this case no additional NAT sessions can be established and users may not be able to access the Internet Each NAT session establishes a corresponding firewall session Use this...

Page 162: ...tion to the servers for specified services NAT supports a default server IP address A default server receives packets from ports that are not specified in this screen Note If you do not assign a Default Server IP address the ZyXEL Device discards all packets received for ports that are not specified here or in the remote management setup 9 4 2 Port Forwarding Services and Port Numbers Use the Port...

Page 163: ...signs the WAN IP address The NAT network appears as a single host on the Internet Figure 85 Multiple Servers Behind NAT Example 9 5 Configuring Port Forwarding Note The Port Forwarding screen is available only when you select SUA Only in the NAT General screen If you do not assign a Default Server IP address the ZyXEL Device discards all packets received for ports that are not specified here or in...

Page 164: ...ied here or in the remote management setup Port Forwarding Service Name Select a service from the drop down list box Server IP Address Enter the IP address of the server for the specified service Add Click this button to add a rule to the table below This is the rule index number read only Active Click this check box to enable the rule Service Name This is a service s name Start Port This is the f...

Page 165: ... 6 and 7 become new rules 4 5 and 6 To change your ZyXEL Device s address mapping settings click Network NAT Address Mapping to open the following screen Table 57 Port Forwarding Rule Setup LABEL DESCRIPTION Active Click this check box to enable the rule Service Name Enter a name to identify this port forwarding rule Start Port Enter a port number in this field To forward only one port enter the p...

Page 166: ...he ending Inside Global IP Address IGA This field is N A for One to one Many to One and Server mapping types Type 1 1 One to one mode maps one local IP address to one global IP address Note that port numbers do not change for the One to one NAT mapping type M 1 Many to One mode maps multiple local IP addresses to one global IP address This is equivalent to SUA i e PAT port address translation ZyXE...

Page 167: ...verload mode maps multiple local IP addresses to shared global IP addresses Many to Many No Overload Many to Many No Overload mode maps each local IP address to unique global IP addresses Server This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world Local Start IP This is the starting local IP address ILA Local IP addresses are N A...

Page 168: ...orwarding screen to edit a server mapping set that you have selected in the Server Mapping Set field Back Click Back to return to the previous screen Apply Click Apply to save your changes back to the ZyXEL Device Cancel Click Cancel to begin configuring this screen afresh Table 59 Edit Address Mapping Rule continued LABEL DESCRIPTION ...

Page 169: ...ld never be the only mechanism or method employed For a firewall to guard effectively you must design and deploy it appropriately This requires integrating the firewall into a broad information security policy In addition specific policies must be implemented within the firewall itself Refer to Section 11 5 on page 184 to configure default firewall settings Refer to Section 11 6 on page 185 to vie...

Page 170: ...irewalls restrict access by screening data packets against defined access rules They make access control decisions based on IP address and protocol They also inspect the session data to assure the integrity of the connection and to adapt to dynamic protocols These firewalls generally provide the best speed and transparency however they may lack the granular application level access control or cach...

Page 171: ...ed to automatically detect and thwart all known DoS attacks 10 4 1 Basics Computers share information over the Internet using a common language called TCP IP TCP IP in turn is a set of application protocols that perform specific functions An extension number called the TCP port or UDP port identifies these protocols such as HTTP Web FTP File Transfer Protocol POP3 E mail etc For example Web traffi...

Page 172: ...t Teardrop attack exploits weaknesses in the re assembly of IP packet fragments As data is transmitted through a network IP packets are often broken up into smaller chunks Each fragment looks like the original IP packet except that it contains an offset field that says for instance This fragment is carrying bytes 200 through 400 of the original non fragmented IP packet The Teardrop program creates...

Page 173: ...ack hackers flood SYN packets into the network with a spoofed source IP address of the targeted system This makes it appear as if the host computer sent the packets to itself making the system unavailable while the target system tries to respond to itself 7 A brute force attack such as a Smurf attack targets a feature in the IP specification known as directed or subnet broadcasting to quickly floo...

Page 174: ...l NetBIOS commands are the following all others are illegal All SMTP commands are illegal except for those displayed in the following tables Table 61 ICMP Commands That Trigger Alerts 5 REDIRECT 13 TIMESTAMP_REQUEST 14 TIMESTAMP_REPLY 17 ADDRESS_MASK_REQUEST 18 ADDRESS_MASK_REPLY Table 62 Legal NetBIOS Commands MESSAGE REQUEST POSITIVE VE RETARGET KEEPALIVE Table 63 Legal SMTP Commands AUTH DATA E...

Page 175: ...lowed through the router or firewall The ZyXEL Device blocks all IP Spoofing attempts 10 5 Stateful Inspection With stateful inspection fields of the packets are compared to packets that are already known to be trusted For example if you access some outside service the proxy server remembers things about your original request like the port number and source and destination addresses This rememberi...

Page 176: ...list entry that is inserted at the beginning of the WAN interface s inbound extended access list This temporary access list entry is designed to permit inbound packets of the same connection as the outbound packet just inspected 5 The outbound packet is forwarded out through the interface 6 Later an inbound packet reaches the interface This packet is part of the connection previously established w...

Page 177: ...tiation packet originates on the WAN this means that someone is trying to make a connection from the Internet into the LAN Except in a few special cases see Upper Layer Protocols shown next these packets are dropped and logged If an initiation packet originates on the LAN this means that someone is trying to make a connection from the LAN to the Internet Assuming that this is an acceptable part of...

Page 178: ...ion must be allowed to pass through even though a connection from the Internet would normally be rejected In order to achieve this the ZyXEL Device inspects the application level FTP data Specifically it searches for outgoing PORT commands and when it sees these it adds a cache entry for the anticipated data connection This can be done safely since the PORT command contains address and port inform...

Page 179: ...r Internet Explorer 3 02 or better or Netscape 3 0 or better If a web site uses a secure connection it is safe to submit information Secure web transactions are quite difficult to crack Never reveal your IP address or other system networking information to people outside your company Be careful of files e mailed to you from strangers One common way of getting BackOrifice on a system is to include ...

Page 180: ... layer The firewall performs stateful inspection It takes into account the state of connections it handles so that for example a legitimate incoming packet can be matched with the outbound request for that packet and allowed in Conversely an incoming packet masquerading as a response to a nonexistent outbound request can be blocked The firewall uses session filtering i e smart rules that enhance t...

Page 181: ...n of travel of packets to which they apply Note The LAN includes both the LAN port and the WLAN DMZ to WAN By default the ZyXEL Device s stateful packet inspection blocks packets traveling in the following directions WAN to LAN WAN to WAN Router This prevents computers on the WAN from using the ZyXEL Device as a gateway to communicate with other computers on the WAN and or managing the ZyXEL Devic...

Page 182: ...view Note Study these points carefully before configuring rules 11 3 1 Rule Checklist State the intent of the rule For example This restricts all IRC access from the LAN to the Internet Or This allows a remote Lotus Notes server to synchronize over the Internet to an inside Notes server 1 Is the intent of the rule to forward or block traffic 2 What direction of traffic does the rule apply to 3 Wha...

Page 183: ... box If the service is not listed it is necessary to first define it See Section 11 8 on page 195 for more information on predefined services 11 3 3 3 Source Address What is the connection s source address is it on the LAN or WAN Is it a single IP a range of IPs or a subnet 11 3 3 4 Destination Address What is the connection s destination address is it on the LAN or WAN Is it a single IP a range o...

Page 184: ...AN you will need to create custom rules to allow it 11 4 2 Alerts Alerts are reports on events such as attacks that you may want to know about right away You can choose to generate an alert when a rule is matched in the Edit Rule screen see Figure 97 on page 188 When an event generates an alert a message can be immediately sent to an e mail account that you specify in the Log Settings screen Refer...

Page 185: ...s problem Packet Direction This is the direction of travel of packets Firewall rules are grouped based on the direction of travel of packets to which they apply For example LAN to LAN Router means packets traveling from a computer subnet on the LAN to either another computer subnet on the LAN interface of the ZyXEL Device or the ZyXEL Device itself Default Action Use the drop down list boxes to se...

Page 186: ...lowing read only fields summarize the rules you have created that apply to traffic traveling in the selected packet direction The firewall rules that you configure summarized below take priority over the general firewall action settings in the General screen This is your firewall rule number The ordering of your rules is important as rules are applied in turn Active This field displays whether a f...

Page 187: ... No Log This field shows you whether a log is created when packets match this rule Yes or not No Modify Click the Edit icon to go to the screen where you can edit the rule Click the Remove icon to delete an existing firewall rule A window displays asking you to confirm that you want to delete the firewall rule Note that subsequent firewall rules move up by one when you take this action Order Click...

Page 188: ...P 662H HW D Series User s Guide 188 Chapter 11 Firewall Configuration Figure 97 Firewall Edit Rule ...

Page 189: ...o the Source or Destination Address box You can add multiple addresses ranges of addresses and or subnets Edit To edit an existing source or destination address select it from the box and click Edit Delete Highlight an existing source or destination address from the Source or Destination Address box above and click Delete to remove it Services Available Selected Services Please see Section 11 8 on...

Page 190: ...l Customized Services The following table describes the labels in this screen Apply Click Apply to save your customized settings and exit this screen Cancel Click Cancel to exit this screen without saving Table 66 Firewall Edit Rule continued LABEL DESCRIPTION Table 67 Customized Services LABEL DESCRIPTION No This is the number of your customized port Click a rule s number of a service to go to a ...

Page 191: ...rom the Internet 1 Click Security Firewall Rules 2 Select WAN to LAN in the Packet Direction field Table 68 Firewall Configure Customized Services LABEL DESCRIPTION Service Name Type a unique name for your custom port Service Type Choose the IP port TCP UDP or TCP UDP that defines your customized port from the drop down list box Port Configuration Type Click Single to specify one port only or Rang...

Page 192: ...s one becomes rule 8 4 Click Add to display the firewall rule configuration screen 5 In the Edit Rule screen click the Edit Customized Services link to open the Customized Service screen 6 Click an index number to display the Customized Services Config screen and configure the screen as follows and click Apply Figure 101 Edit Custom Port Example 7 Select Any in the Destination Address box and then...

Page 193: ...Example Edit Rule Destination Address 9 Use the Add and Remove buttons between Available Services and Selected Services list boxes to configure it as follows Click Apply when you are done Note Custom services show up with an before their names in the Services list box and the Rules list box ...

Page 194: ... Firewall Example Edit Rule Select Customized Services On completing the configuration procedure for this Internet firewall rule the Rules screen should look like the following Rule 1 allows a MyService connection from the WAN to IP addresses 10 0 0 10 through 10 0 0 15 on the LAN ...

Page 195: ... entries are supported Custom service ports may also be configured using the Edit Customized Services function discussed previously Table 69 Predefined Services SERVICE DESCRIPTION AIM NEW_ICQ TCP 5190 AOL s Internet Messenger service used as a listening port by ICQ AUTH TCP 113 Authentication protocol used by some servers BGP TCP 179 Border Gateway Protocol BOOTP_CLIENT UDP 68 DHCP Client BOOTP_S...

Page 196: ...test whether or not a remote host is reachable POP3 TCP 110 Post Office Protocol version 3 lets a client computer get e mail from a POP3 server through a temporary connection TCP IP or other PPTP TCP 1723 Point to Point Tunneling Protocol enables secure transfer of data over public networks This is the control channel PPTP_TUNNEL GRE 0 Point to Point Tunneling Protocol enables secure transfer of d...

Page 197: ... Probing to display the screen as shown Figure 105 Firewall Anti Probing SSDP UDP 1900 Simole Service Discovery Protocol SSDP is a discovery service searching for Universal Plug and Play devices on your home network or upstream Internet gateways using DUDP port 1900 SSH TCP UDP 22 Secure Shell Remote Login Program STRMWORKS UDP 1558 Stream Works Protocol SYSLOG UDP 514 Syslog allows you to send sy...

Page 198: ...d be reduced Table 70 Firewall Anti Probing LABEL DESCRIPTION Respond to PING on The ZyXEL Device does not respond to any incoming ping requests when Disable is selected Select the interface which you want to reply to incoming ping requests Do Not Respond to Requests for Unauthorized Services Select this option to prevent hackers from finding the ZyXEL Device by probing for unused ports If you sel...

Page 199: ... When the rate of new connection attempts rises above a threshold one minute high the ZyXEL Device starts deleting half open sessions as required to accommodate new connection requests The ZyXEL Device continues to delete half open sessions as necessary until the rate of new connection attempts drops below another threshold one minute low The rate is the number of new attempts detected in the last...

Page 200: ...deleting half open sessions The ZyXEL Device continues to delete half open sessions as necessary until the rate of new connection attempts drops below this number 80 existing half open sessions One Minute High This is the rate of new half open sessions that causes the firewall to start deleting half open sessions When the rate of new connection attempts rises above this number the ZyXEL Device del...

Page 201: ...leting half open sessions with the number of existing half open sessions drops below 80 TCP Maximum Incomplete This is the number of existing half open TCP sessions with the same destination host IP address that causes the firewall to start dropping half open sessions to that same destination host IP address Enter a number between 1 and 256 As a general rule you should choose a smaller number for ...

Page 202: ...P 662H HW D Series User s Guide 202 Chapter 11 Firewall Configuration ...

Page 203: ...ignatures for known viruses and a scanning engine Signatures are byte patterns that are unique to a particular virus These signatures are stored in a pattern file The scanning engine compares the files with the signatures in the pattern file Table 72 Common Computer Virus Types TYPE DESCRIPTION File Infector This is a small program that embeds itself in a legitimate program A file infector is able...

Page 204: ...computers can grow exponentially 5 To prevent the spread of viruses you need to install host based anti virus software on a computer or buy an anti virus system 12 3 Introduction to the ZyXEL Device Anti virus Packet Scan The ZyXEL Device has an integrated signature based anti virus packet scan Set up the ZyXEL Device between your local network and the Internet This way the ZyXEL Device can scan i...

Page 205: ...s SYN ACK and FIN the ZyXEL Device records the sequence of the packets 3 The scanning engine scans the content of the packet for virus 4 If a virus pattern is matched the ZyXEL Device cleans the virus by deleting the infected packet and alerts the intended computer user s Note Since the ZyXEL Device destroys a file by deleting the infected portion of the file content you cannot open the file 12 3 ...

Page 206: ...ing e mail content for viruses FTP Select this option to scan FTP traffic for viruses HTTP Select this option to scan HTTP traffic for viruses Default action when session overflow Select whether to allow passage of Forward Packet or silently discard Block Packet the packets of new connections when the maximum number of opened connections is reached default is 300 connections at a time Packet Scan ...

Page 207: ...configure a schedule for the ZyXEL Device to automatically update the virus pattern file in this screen Click Anti Virus Registration Virus Information Update to display the screen as shown Note The ZyXEL Device automatically restarts after the virus scan update is complete Apply Click Apply to save your changes back to the ZyXEL Device Cancel Click Cancel to return to the previously saved setting...

Page 208: ...e 496 appendix for more information Activation After you have successfully registered for the anti virus service click Activate to enable and start using the anti virus feature This also sets the ZyXEL Device to automatically update the pattern file Virus Information Update Set the fields below to configure the ZyXEL Device to automatically update the pattern file Update Schedule This drop down me...

Page 209: ... the ZyXEL Device while the virus scan update is in progress 1 In the Registration and Virus Information Update screen click Update Now An update progress screen displays as shown Figure 110 Virus Scan Update in Progress 2 After the virus scan update is successful a screen displays as shown Figure 111 Virus Scan Update Successful The ZyXEL Device automatically restarts after the virus scan update ...

Page 210: ...P 662H HW D Series User s Guide 210 Chapter 12 Anti Virus Packet Scan ...

Page 211: ...hen the ZyXEL Device performs content filtering You can also specify trusted IP addresses on the LAN for which the ZyXEL Device will not perform content filtering 13 2 Configuring Keyword Blocking Use this screen to block sites containing certain keywords in the URL For example if you enable the keyword bad the ZyXEL Device blocks all sites containing this keyword including the URL http www websit...

Page 212: ... list of all the keywords that you have configured the ZyXEL Device to block Delete Highlight a keyword in the box and click Delete to remove it Clear All Click Clear All to remove all of the keywords from the list Keyword Type a keyword in this field You may use any character up to 127 characters Wildcards are not allowed Add Keyword Click Add Keyword after you have typed a keyword Repeat this pr...

Page 213: ... box to have the content filtering to be active on the selected day Start TIme Enter the start time when you want the content filtering to take effect in hour minute format End Time Enter the end time when you want the content filtering to stop in hour minute format Apply Click Apply to save your changes Cancel Click Cancel to return to the previously saved settings Table 77 Content Filter Trusted...

Page 214: ...P 662H HW D Series User s Guide 214 Chapter 13 Content Filtering ...

Page 215: ...stem before they can gain access to the Internet 14 1 1 Content Access Control WLAN Application You can control LAN user Internet access by having an administrator configure Content Access Control on the ZyXEL Device The administrator must create user groups and accounts each person user on the network Each person must log into the system before they can gain access to the Internet Each user group...

Page 216: ...ent Access Control Select the check box to allow the LAN administrator to have control over a LAN user s Internet access Idle Timeout Type the time in minutes that elapses before the ZyXEL Device automatically terminates the Internet session The default time is 10 minutes Group List These groups are used in conjunction with content filtering to decide which web pages cannot be accessed by the user...

Page 217: ...ng using an external database You can use a trial application or register your iCard s PIN Refer to the web site s on line help for details Note Refer to the Section on page 496 appendix on more information on device and service registration You can also manage your registration status or view content filtering reports after you register this device in the service registration web site Note The we...

Page 218: ...day s that you do not want any time restrictions for user Internet access Time Budget Left Type the number of hours 0 to 23 and minutes 0 to 59 to allow Internet access of unblocked sites Note If you want to allow twenty four hour access you should select the Unlimited check box Start Time Select from the drop down list box a time during the day when a user can begin accessing unblocked sites End ...

Page 219: ... blocked according to the settings you configure in Time Scheduling screen Blocked Services This box shows all the services that you want to block during the specified time for the user group Click the button to remove a service from the box Customized Services A customized service is a service that is not available in the pre defined Available Services list and you must define using the next two ...

Page 220: ...servers BGP TCP 179 Border Gateway Protocol BOOTP_CLIENT UDP 68 DHCP Client BOOTP_SERVER UDP 67 DHCP Server CU SEEME TCP UDP 7648 24032 A popular videoconferencing solution from White Pines Software DNS UDP TCP 53 Domain Name Server a service that matches web names e g www zyxel com to IP numbers FINGER TCP 79 Finger is a UNIX or Internet related command that can be used to find out if a user is l...

Page 221: ...Login RTELNET TCP 107 Remote Telnet RTSP TCP UDP 554 The Real Time Streaming media control Protocol RTSP is a remote control for multimedia on the Internet SFTP TCP 115 Simple File Transfer Protocol SMTP TCP 25 Simple Mail Transfer Protocol is the message exchange standard for the Internet SMTP enables you to move messages from one e mail server to another SNMP TCP UDP 161 Simple Network Managemen...

Page 222: ...tent Access Control General Web Site Filter LABEL DESCRIPTION Pre defined Web Content Categories Enable Pre defined Web Content Categories to have the ZyXEL Device check an external database to find to which category a requested web page belongs The ZyXEL Device then blocks or forwards access to the web page depending on the configuration of the rest of this page Enable This field is applicable wh...

Page 223: ...aturist pages that contain pictures of nude individuals Alcohol Tobacco Selecting this category excludes pages that promote or offer the sale alcohol tobacco products or provide the means to create them It also includes pages that glorify tout or otherwise encourage the consumption of alcohol tobacco It does not include pages that sell alcohol or tobacco as a subset of other products Illegal Quest...

Page 224: ...y excludes pages sponsored by cultural institutions or those that provide information about museums galleries and theaters not movie theaters It includes groups such as 4H and the Boy Scouts of America Financial Services Selecting this category excludes pages that provide or advertise banking services online or offline or other types of financial information such as loans It does not include pages...

Page 225: ...that can be rated in other categories Personals Dating Selecting this category excludes pages that promote interpersonal relationships Reference Selecting this category excludes pages containing personal professional or educational reference including online dictionaries maps census almanacs library catalogues genealogy related pages and scientific information Chat Instant Messaging Selecting this...

Page 226: ...s fun etc This may include pages containing jokes of adult or mature nature Pages containing humorous Adult Mature content also have an Adult Mature category rating Streaming Media MP3 Selecting this category excludes pages that sell deliver or stream music or video content in any format including pages that provide downloads for such viewers Software Downloads Selecting this category excludes pag...

Page 227: ...dd a keyword to the list of keywords The list of keywords that will be inaccessible to computers on your LAN once you enable URL keyword blocking Back Click Back to return to the previous screen Apply Click Apply to save your changes back to the ZyXEL Device Cancel Click Cancel to return to the previously saved settings Table 82 Content Access Control General Web Site Filter continued LABEL DESCRI...

Page 228: ... The following table describes the labels in this screen Table 84 Content Access Control User Profiles LABEL DESCRIPTION Index This field displays the index number Username Enter the user name for this account Password Enter a password associated to the user name above Category Select a user group from the drop down list box to associate this user account to the user group The drop down list box d...

Page 229: ...lays the amount of time that you have before the ZyXEL Device logs you out and terminates your Internet access This time depends on the time allowance configured in Time Scheduling screen By using the or buttons the administrator can increase or decrease the time left in 15 minute increments without re configuring the time allowances On Line This field displays Yes if a user is currently on line T...

Page 230: ...r login name and password the ZyXEL Device checks the access profile and begins enforcing the access control restriction as defined by the administrator 4 The access privileges remain in force until you log out 5 After a successful login the system launches a small pop up window that displays the remaining budget time and a logout button Figure 124 Content Access Control User Logout Screen There a...

Page 231: ... Login The administrator can log into the system The administrator opens their browser and is directed to the ZyXEL Device user login page this is the same as the user login The administrator enters admin as the username and the system password The system administrator main menu screen opens ...

Page 232: ...P 662H HW D Series User s Guide 232 Chapter 14 Content Access Control ...

Page 233: ...ons for secure data communications across a public network like the Internet IPSec is built around a number of standardized cryptographic techniques to provide confidentiality data integrity and authentication at the IP layer 15 1 2 Security Association A Security Association SA is a contract between two parties indicating what security parameters such as keys and algorithms they will use 15 1 3 O...

Page 234: ...ollowing VPN applications Linking Two or More Private Networks Together Connect branch offices and business partners over the Internet with significant cost savings and improved performance when compared to leased lines between sites Accessing Network Resources When NAT Is Enabled When NAT is enabled remote users are not able to access hosts on the LAN unless the host is designated a public LAN se...

Page 235: ...g implementation algorithms The Encryption Algorithm describes the use of encryption techniques such as DES Data Encryption Standard and Triple DES algorithms The Authentication Algorithms HMAC MD5 RFC 2403 and HMAC SHA 1 RFC 2404 provide an authentication mechanism for the AH and ESP protocols Please see Section 16 2 on page 239for more information 15 2 2 Key Management Key management allows you ...

Page 236: ...ded forward into the IP header to verify the integrity of the entire packet by use of portions of the original IP header in the hashing process 15 3 2 Tunnel Mode Tunnel mode encapsulates the entire IP packet to transmit it securely A Tunnel mode is required for gateway services to provide access to internal systems Tunnel mode is fundamentally an IP tunnel with authentication and encryption This ...

Page 237: ...NAT in the middle so it assumes that the data has been maliciously altered IPSec using ESP in Tunnel mode encapsulates the entire original packet including headers in a new IP packet The new IP packet s source address is the outbound address of the sending VPN gateway and its destination address is the inbound address of the VPN device at the receiving end When using ESP protocol with authenticati...

Page 238: ...P 662H HW D Series User s Guide 238 Chapter 15 Introduction to IPSec ...

Page 239: ...r integrity authentication sequence integrity replay resistance and non repudiation but not for confidentiality for which the ESP was designed In applications where confidentiality is not required or not sanctioned by government encryption restrictions an AH can be employed to ensure integrity This type of implementation does not protect the information from dissemination but will allow for verifi...

Page 240: ...bit block of data MD5 default MD5 Message Digest 5 produces a 128 bit digest to authenticate packet data 3DES Triple DES 3DES is a variant of DES which iterates three times with three separate keys 3 x 56 168 bits effectively doubling the strength of DES SHA1 SHA1 Secure Hash Algorithm produces a 160 bit digest to authenticate packet data AES Advanced Encryption Standard is a newer method of data ...

Page 241: ...pdated with the remote gateway s new WAN IP address 16 4 1 Dynamic Secure Gateway Address If the remote secure gateway has a dynamic WAN IP address and does not use DDNS enter 0 0 0 0 as the secure gateway s address In this case only the remote secure gateway can initiate SAs This may be useful for telecommuters initiating a VPN tunnel to the company network see Section 16 18 on page 262 for confi...

Page 242: ...displays the identification name for this VPN policy Local Address This is the IP address es of computer s on your local network behind your ZyXEL Device The same static IP address is displayed twice when the Local Address Type field in the VPN IKE or VPN Manual Key screen is configured to Single The beginning and ending static IP addresses in a range of computers are displayed when the Local Addr...

Page 243: ...field displays 0 0 0 0 In this case only the remote IPSec router can initiate the VPN The same static IP address is displayed twice when the Remote Address Type field in the VPN IKE or VPN Manual Key screen is configured to Single The beginning and ending static IP addresses in a range of computers are displayed when the Remote Address Type field in the VPN IKE or VPN Manual Key screen is configur...

Page 244: ...IKE SA with a NAT router between the two IPSec routers because the NAT router changes the header of the IPSec packet NAT traversal solves the problem by adding a UDP port 500 header to the IPSec packet The NAT router forwards the IPSec packet with the UDP port 500 header unchanged In Figure 130 on page 244 when IPSec router A tries to establish an IKE SA IPSec router B checks the UDP port 500 head...

Page 245: ...server feature for VPN does not work with Windows 2000 or Windows XP Figure 131 VPN Host using Intranet DNS Server Example If you do not specify an Intranet DNS server on the remote network then the VPN host must use IP addresses to access the computers on the remote network 16 9 ID Type and Content With aggressive negotiation mode see Section 16 12 1 on page 253 the ZyXEL Device identifies incomi...

Page 246: ...NTENT IP Type the IP address of your computer or leave the field blank to have the ZyXEL Device automatically use its own IP address DNS Type a domain name up to 31 characters by which to identify this ZyXEL Device E mail Type an e mail address up to 31 characters by which to identify this ZyXEL Device The domain name or e mail address that you use in the Content field is used for identification p...

Page 247: ...because you have to share it with another party before you can communicate with them over a secure connection 16 11 Editing VPN Policies Click an Edit icon in the VPN Setup Screen to edit VPN policies Table 92 Matching ID Type and Content Configuration Example ZYXEL DEVICE A ZYXEL DEVICE B Local ID type E mail Local ID type IP Local ID content tom yourcompany com Local ID content 1 1 1 2 Peer ID t...

Page 248: ... this check box to activate this VPN policy This option determines whether a VPN rule is applied before a packet leaves the firewall Keep Alive Select either Yes or No from the drop down list box Select Yes to have the ZyXEL Device automatically reinitiate the SA after the SA lifetime times out even if there is no traffic The remote IPSec router must also have keep alive enabled in order for this ...

Page 249: ...igured remote IP addresses Two active SAs can have the same configured local or remote IP address but not both You can configure multiple SAs between the same local and remote IP addresses as long as only one is active at any time In order to have more than one active rule with the Secure Gateway Address field set to 0 0 0 0 the ranges of the local IP addresses cannot overlap between rules If you ...

Page 250: ...al ID Type This field is read only when Certificate is selected Select IP to identify this ZyXEL Device by its IP address Select DNS to identify this ZyXEL Device by a domain name Select E mail to identify this ZyXEL Device by an e mail address Content This field is read only when Certificate is selected When you select IP in the Local ID Type field type the IP address of your computer in the loca...

Page 251: ...f the local IP addresses cannot overlap between rules If you configure an active rule with 0 0 0 0 in the Secure Gateway Address field and the LAN s full IP address range as the local IP address then you cannot configure any other active rules with the Secure Gateway Address field set to 0 0 0 0 Security Protocol VPN Protocol Select ESP if you want to use ESP Encapsulation Security Payload The ESP...

Page 252: ...S that uses a 168 bit key As a result 3DES is more secure than DES It also requires more processing power resulting in increased latency and decreased throughput This implementation of AES uses a 128 bit key AES is faster than 3DES Select NULL to set up a tunnel without encryption When you select NULL you do not enter an encryption key Authentication Algorithm Select SHA1 or MD5 from the drop down...

Page 253: ...ere is traffic when the IPSec SA lifetime period expires The ZyXEL Device also automatically renegotiates the IPSec SA if both IPSec routers have keep alive enabled even if there is no traffic If an IPSec SA times out then the IPSec router must renegotiate the SA the next time someone attempts to send traffic 16 12 1 Negotiation Mode The phase 1 Negotiation Mode you select determines how the Secur...

Page 254: ...y is transient The key is thrown away and replaced by a brand new key using a new Diffie Hellman exchange for each new IPSec SA setup With PFS enabled if one key is compromised previous and subsequent keys are not compromised because subsequent keys are not derived from previous keys The time consuming Diffie Hellman exchange is the trade off for this extra security This may be unnecessary for dat...

Page 255: ... or select NO to disable it Local Start Port 0 is the default and signifies any port Type a port number from 0 to 65535 Some of the most common IP ports are 21 FTP 53 DNS 23 Telnet 80 HTTP 25 SMTP 110 POP3 End Enter a port number in this field to define a port range This port number must be greater than that specified in the previous field If Local Start Port is left at 0 End will also remain at 0...

Page 256: ...tion Algorithm Select SHA1 or MD5 from the drop down list box MD5 Message Digest 5 and SHA1 Secure Hash Algorithm are hash algorithms used to authenticate packet data The SHA1 algorithm is generally considered stronger than MD5 but is slower Select MD5 for minimal security and SHA 1 for maximum security SA Life Time Seconds Define the length of time before an IKE SA automatically renegotiates in t...

Page 257: ...re Hash Algorithm are hash algorithms used to authenticate packet data The SHA1 algorithm is generally considered stronger than MD5 but is slower Select MD5 for minimal security and SHA 1 for maximum security SA Life Time Seconds Define the length of time before an IKE SA automatically renegotiates in this field It may range from 60 to 3 000 000 seconds almost 35 days A short SA Life Time increase...

Page 258: ...e Type up to 32 characters to identify this VPN policy You may use any character including spaces but the ZyXEL Device drops trailing spaces IPSec Key Mode Select IKE or Manual from the drop down list box Manual is a useful option for troubleshooting if you have problems using IKE key management SPI Type a number base 10 from 1 to 999999 for the Security Parameter Index Encapsulation Mode Select T...

Page 259: ...Local Address Type field is configured to Range enter the end static IP address in a range of computers on the LAN behind your ZyXEL Device When the Local Address Type field is configured to Subnet this is a subnet mask on the LAN behind your ZyXEL Device Remote Remote IP addresses must be static and correspond to the remote IPSec router s configured local IP addresses Two active SAs cannot have t...

Page 260: ...hm and Authentication Algorithm fields described next Encryption Algorithm Select DES 3DES or NULL from the drop down list box When DES is used for data communications both sender and receiver must know the same secret key which can be used to encrypt and decrypt the message or to generate and verify a message authentication code The DES encryption algorithm uses a 56 bit key Triple DES 3DES is a ...

Page 261: ...n 16 17 Configuring Global Setting To change your ZyXEL Device s global settings click VPN and then Global Setting The screen appears as shown Figure 137 VPN Global Setting Table 97 VPN SA Monitor LABEL DESCRIPTION No This is the security association index number Name This field displays the identification name for this VPN policy Encapsulation This field displays Tunnel or Transport mode IPSec Al...

Page 262: ...ommuters do not have domain names mapped to the WAN IP addresses of their IPSec routers The telecommuters must all use the same IPSec parameters but the local IP addresses or ranges of addresses should not overlap Figure 138 Telecommuters Sharing One VPN Rule Example Table 98 VPN Global Setting LABEL DESCRIPTION Windows Networking NetBIOS over TCP IP NetBIOS Network Basic Input Output System are T...

Page 263: ...ollowing table and figure for an example where three telecommuters each use a different VPN rule for a VPN connection with a ZyXEL Device located at headquarters The ZyXEL Device at headquarters HQ in the figure identifies each incoming SA by its ID type and content and uses the appropriate VPN rule to establish the VPN connection The ZyXEL Device at headquarters can also initiate VPN connections ...

Page 264: ...om Telecommuter A telecommutera dydns org Headquarters ZyXEL Device Rule 1 Local ID Type IP Peer ID Type IP Local ID Content 192 168 2 12 Peer ID Content 192 168 2 12 Local IP Address 192 168 2 12 Secure Gateway Address telecommuter1 com Remote Address 192 168 2 12 Telecommuter B telecommuterb dydns org Headquarters ZyXEL Device Rule 2 Local ID Type DNS Peer ID Type DNS Local ID Content telecommut...

Page 265: ... key is public and can be made openly available the other key is private and must be kept secure Public key encryption in general works as follows 1 Tim wants to send a private message to Jenny Tim generates a public key pair What is encrypted with one key can only be decrypted using the other 2 Tim keeps the private key and makes the public key openly available 3 Tim uses his private key to encry...

Page 266: ... the following benefits The ZyXEL Device only has to store the certificates of the certification authorities that you decide to trust no matter how many devices you need to authenticate Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys 17 2 Self signed Certificates Until public key infrastructure becomes more mature i...

Page 267: ...ar displays the percentage of the ZyXEL Device s PKI storage space that is currently in use The bar turns from green to red when the maximum is being approached When the bar is red you should consider deleting expired or unnecessary certificates before adding more certificates Replace This button displays when the ZyXEL Device has the factory default certificate The factory default certificate is ...

Page 268: ...te that the certificate expires The text displays in red and includes an Expiring or Expired message if the certificate is about to expire or has already expired Modify Click the details icon to open a screen with an in depth list of information about the certificate Click the delete icon to remove the certificate A window displays asking you to confirm that you want to delete the certificate You ...

Page 269: ...t 17 5 1 Certificate File Formats The certification authority certificate that you want to import has to be in one of these file formats Binary X 509 This is an ITU T recommendation that defines the formats for X 509 certificates PEM Base 64 encoded X 509 This Privacy Enhanced Mail format uses 64 ASCII characters to convert a binary X 509 certificate into a printable form Binary PKCS 7 This is a s...

Page 270: ...signed certificate enroll a certificate with a certification authority or generate a certification request Figure 143 My Certificate Create Table 102 My Certificate Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it Browse Click Browse to find the certificate file you want to upload Apply Click Apply to save the certifica...

Page 271: ...ice drops trailing spaces Key Length Select a number from the drop down list box to determine how many bits the key should use 512 to 2048 The longer the key the more secure it is A longer key also uses more PKI storage space Enrollment Options These radio buttons deal with how and when the certificate is to be generated Create a self signed certificate Select Create a self signed certificate to h...

Page 272: ...evice Enrollment Protocol Select the certification authority s enrollment protocol from the drop down list box Simple Certificate Enrollment Protocol SCEP is a TCP based enrollment protocol that was developed by VeriSign and Cisco Certificate Management Protocol CMP is a TCP based enrollment protocol that was developed by the Public Key Infrastructure X 509 working group of the Internet Engineerin...

Page 273: ...P 662H HW D Series User s Guide Chapter 17 Certificates 273 Figure 144 My Certificate Details ...

Page 274: ...lay the certification path Certificate Information These read only fields display detailed information about the certificate Type This field displays general information about the certificate CA signed means that a Certification Authority signed the certificate Self signed means that the certificate s owner signed the certificate not a certification authority X 509 means that this certificate was ...

Page 275: ...uthority in the certificate s path MD5 Fingerprint This is the certificate s message digest that the ZyXEL Device calculated using the MD5 algorithm SHA1 Fingerprint This is the certificate s message digest that the ZyXEL Device calculated using the SHA1 algorithm Certificate in PEM Base 64 Encoded Format This read only text box displays the certificate or certification request in Privacy Enhanced...

Page 276: ...anizational unit or department organization or company and country With self signed certificates this is the same information as in the Subject field Valid From This field displays the date that the certificate becomes applicable The text displays in red and includes a Not Yet Valid message if the certificate has not yet become applicable Valid To This field displays the date that the certificate ...

Page 277: ...table describes the labels in this screen Import Click Import to open a screen where you can save the certificate of a certification authority that you trust from your computer to the ZyXEL Device Refresh Click this button to display the current validity status of the certificates Table 105 Trusted CAs continued LABEL DESCRIPTION Table 106 Trusted CA Import LABEL DESCRIPTION File Path Type in the ...

Page 278: ...con to open the Trusted CA Details screen Use this screen to view in depth information about the certification authority s certificate change the certificate s name and set whether or not you want the ZyXEL Device to check a certification authority s list of revoked certificates before trusting a certificate issued by the certification authority Figure 147 Trusted CA Details ...

Page 279: ...ut the certificate Type This field displays general information about the certificate CA signed means that a Certification Authority signed the certificate Self signed means that the certificate s owner signed the certificate not a certification authority X 509 means that this certificate was created and signed according to the ITU T X 509 recommendation that defines the formats for public key cer...

Page 280: ...rs with Lists of revoked certificates the issuing certification authority of this certificate makes available This field also displays the domain names or IP addresses of the servers MD5 Fingerprint This is the certificate s message digest that the ZyXEL Device calculated using the MD5 algorithm You can use this value to verify with the certification authority over the phone for example that this ...

Page 281: ...formation about the certificate s owner such as CN Common Name OU Organizational Unit or department O Organization or company and C Country It is recommended that each certificate have unique subject information Valid From This field displays the date that the certificate becomes applicable The text displays in red and includes a Not Yet Valid message if the certificate has not yet become applicab...

Page 282: ...ote Host Certificate Fingerprints A certificate s fingerprints are message digests calculated using the MD5 or SHA1 algorithms The following procedure describes how to use a certificate s fingerprint to verify that you have the remote host s actual certificate 1 Browse to where you have the remote host s certificate saved on your computer 2 Make sure that the certificate has a cer or crt file name...

Page 283: ...ou can import it Figure 151 Trusted Remote Host Import The following table describes the labels in this screen 17 14 Trusted Remote Host Certificate Details Click Security Certificates Trusted Remote Hosts to open the Trusted Remote Hosts screen Click the details icon to open the Trusted Remote Host Details screen You can use this screen to view in depth information about the trusted remote host s...

Page 284: ...P 662H HW D Series User s Guide 284 Chapter 17 Certificates Figure 152 Trusted Remote Host Details ...

Page 285: ... information that identifies the owner of the certificate such as Common Name CN Organizational Unit OU Organization O and Country C Issuer This field displays identifying information about the default self signed certificate on the ZyXEL Device that the ZyXEL Device uses to sign the trusted remote host certificates Signature Algorithm This field displays the type of algorithm that the ZyXEL Devic...

Page 286: ...SHA1 Fingerprint This is the certificate s message digest that the ZyXEL Device calculated using the SHA1 algorithm You cannot use this value to verify that this is the remote host s actual certificate because the ZyXEL Device has signed the certificate thus causing this value to be different from that of the remote hosts actual certificate See Section 17 12 on page 282 for how to verify a remote ...

Page 287: ...ng expired or unnecessary certificates before adding more certificates The index number of the directory server The servers are listed in alphabetical order Name This field displays the name used to identify this directory server Address This field displays the IP address or domain name of the directory server Port This field displays the port number that the directory server uses Protocol This fi...

Page 288: ...s in dotted decimal notation or the domain name of the directory server Server Port This field displays the default server port number of the protocol that you select in the Access Protocol field You may change the server port number if needed however you must use the same server port number that the directory server uses 389 is the default server port number for LDAP Login Setting Login The ZyXEL...

Page 289: ... beyond For instance the ZyXEL Device knows about network N2 in the following figure through remote node Router 1 However the ZyXEL Device is unable to route a packet to network N3 because it doesn t know that there is a route through the same remote node Router 1 via gateway Router 2 The static routes are for you to tell the ZyXEL Device about the networks beyond the remote nodes Figure 155 Examp...

Page 290: ...te is active Yes or not No Name This is the name that describes or identifies this route Destination This parameter specifies the IP network address of the final destination Routing is always based on network number Gateway This is the IP address of the gateway The gateway is a router or switch on the same network segment as the device s LAN or WAN port The gateway helps forward packets to their d...

Page 291: ...tion Routing is always based on network number If you need to specify a route to a single host use a subnet mask of 255 255 255 255 in the subnet mask field to force the network number to be identical to the host ID IP Subnet Mask Enter the IP subnet mask here Gateway IP Address Enter the IP address of the gateway The gateway is a router or switch on the same network segment as the device s LAN or...

Page 292: ...P 662H HW D Series User s Guide 292 Chapter 18 Static Route ...

Page 293: ...ol the bandwidth of traffic that comes into an interface Bandwidth management applies to all traffic flowing out of the router regardless of the traffic s source Traffic redirect or IP alias may cause LAN to LAN traffic to pass through the ZyXEL Device and be managed by bandwidth management The sum of the bandwidth allotments that apply to any interface must be less than or equal to the speed allo...

Page 294: ...s The ZyXEL Device has two types of scheduler fairness based and priority based 19 5 1 Priority based Scheduler With the priority based scheduler the ZyXEL Device forwards traffic from bandwidth classes according to the priorities that you assign to the bandwidth classes The larger a bandwidth class s priority number is the higher the priority Assign real time applications like those using audio o...

Page 295: ...nbudgeted or unused by the classes depending on how many bandwidth classes require more bandwidth and on their priority levels When only one class requires more bandwidth the ZyXEL Device gives extra bandwidth to that class When multiple classes require more bandwidth the ZyXEL Device gives the highest priority classes the available bandwidth first as much as they require if there is enough availa...

Page 296: ...d Unbudgeted Bandwidth The following table shows the priorities of the bandwidth classes and the amount of bandwidth that each class gets Suppose that all of the classes except for the administration class need more bandwidth Each class gets up to its budgeted bandwidth The administration class only uses 1024 kbps of its budgeted 2048 kbps The sales and marketing are first to get extra bandwidth b...

Page 297: ...can apply to traffic that the ZyXEL Device forwards out through an interface 19 7 Configuring Summary Click Advanced Bandwidth MGMT to open the screen as shown next Enable bandwidth management on an interface and set the maximum allowed bandwidth for that interface Table 118 Fairness based Allotment of Unused and Unbudgeted Bandwidth Example BANDWIDTH CLASSES AND ALLOTMENTS Root Class 10240 kbps A...

Page 298: ...nagement This appears as the bandwidth budget of the interface s root class The recommendation is to set this speed to match what the interface s connection can handle For example set the WAN interface speed to 10000 kbps if the DSL connection has an upstream speed of 10Mbps Scheduler Select either Priority Based or Fairness Based from the drop down menu to control the traffic flow Select Priority...

Page 299: ...oose High Mid or Low Bandwidtht kbps Specify the maximum bandwidth allowed for the rule in kbps The recommendation is a setting between 20 kbps and 20000 kbps for an individual rule Add Click this button to add a rule to the following table This is the number of an individual bandwidth management rule Active This displays whether the rule is enabled Select this check box to have the ZyXEL Device a...

Page 300: ...e specific amounts of bandwidth capacity bandwidth budgets to specific applications and or subnets Figure 161 Bandwidth Management Rule Configuration Modify Click the Edit icon to go to the screen where you can edit the rule Click the Remove icon to delete an existing rule Apply Click Apply to save your changes back to the ZyXEL Device Cancel Click Cancel to begin configuring this screen afresh Ta...

Page 301: ...plication you do not configure the rest of the bandwidth filter fields other than enabling or disabling the filter SIP Session Initiation Protocol is a signaling protocol used in Internet telephony instant messaging and other VoIP Voice over IP applications Select SIP from the drop down list box to configure this bandwidth filter for traffic that uses SIP File Transfer Protocol FTP is an Internet ...

Page 302: ...rce Address Refer to the appendices for more information on IP subnetting A blank source port means any source port number Source Port Enter the port number of the source See Table 123 on page 302 for some common services and port numbers Protocol Select the protocol TCP or UDP or select User defined and enter the protocol service type number ID 0 means any protocol number Back Click Back to go to...

Page 303: ...P 662H HW D Series User s Guide Chapter 19 Bandwidth Management 303 Figure 162 Bandwidth Management Monitor ...

Page 304: ...P 662H HW D Series User s Guide 304 Chapter 19 Bandwidth Management ...

Page 305: ...en if they don t know your IP address First of all you need to have registered a dynamic DNS account with www dyndns org This is for people with a dynamic IP from their ISP or DHCP server that would still like to have a domain name The Dynamic DNS service provider will give you a password or key 20 1 1 DYNDNS Wildcard Enabling the wildcard feature for your host causes yourhost dyndns org to be ali...

Page 306: ...Name Type the domain name assigned to your ZyXEL Device by your Dynamic DNS provider You can specify up to two host names in the field separated by a comma User Name Type your user name Password Type the password assigned to you Enable Wildcard Option Select the check box to enable DynDNS Wildcard Enable off line option This option is available when Custom DNS is selected in the DDNS Type field Ch...

Page 307: ...IP address of the NAT router that has a public IP address Note The DDNS server may not be able to detect the proper IP address if there is an HTTP proxy server between the ZyXEL Device and the DDNS server Use specified IP Address Type the IP address of the host name s Use this if you have a static IP address Apply Click Apply to save your changes back to the ZyXEL Device Cancel Click Cancel to beg...

Page 308: ...P 662H HW D Series User s Guide 308 Chapter 20 Dynamic DNS Setup ...

Page 309: ...on via Internet WAN only ALL LAN and WAN LAN only Neither Disable Note When you choose WAN only or LAN WAN you still need to configure a firewall rule to allow access To disable remote management of a service select Disable in the corresponding Access Status field You may only have one remote management session running at a time The ZyXEL Device automatically disconnects a remote management sessio...

Page 310: ...1 1 2 Remote Management and NAT When NAT is enabled Use the ZyXEL Device s WAN IP address when configuring from the WAN Use the ZyXEL Device s LAN IP address when configuring from the LAN 21 1 3 System Timeout There is a default system management idle timeout of five minutes three hundred seconds The ZyXEL Device automatically logs you out if the management session remains idle for longer than thi...

Page 311: ... may change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Access Status Select the interface s through which a computer may access the ZyXEL Device using this service Secured Client IP A secured client is a trusted computer that is allowed to communicate with the ZyXEL Device using this service Select All...

Page 312: ...elnet LABEL DESCRIPTION Port You may change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Access Status Select the interface s through which a computer may access the ZyXEL Device using this service Secured Client IP A secured client is a trusted computer that is allowed to communicate with the ZyXEL Devi...

Page 313: ... is only available if TCP IP is configured Table 127 Remote Management FTP LABEL DESCRIPTION Port You may change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Access Status Select the interface s through which a computer may access the ZyXEL Device using this service Secured Client IP A secured client is ...

Page 314: ...nt Information Base MIB is a collection of managed objects SNMP allows a manager and agents to communicate for the purpose of accessing these objects SNMP itself is a simple request response protocol based on the manager agent model The manager issues a request and the agent returns responses using the following protocol operations Get Allows the manager to retrieve an object variable from the age...

Page 315: ... 0 coldStart defined in RFC 1215 A trap is sent after booting power on 1 warmStart defined in RFC 1215 A trap is sent after booting software reboot 6 whyReboot defined in ZYXEL MIB A trap is sent with the reason of restart before rebooting when the system is going to restart warm start 6a For intentional reboot A trap is sent with the message System reboot by user if reboot is done intentionally f...

Page 316: ...he ZyXEL Device using this service Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service SNMP Configuration Get Community Enter the Get Community which is the password for the incoming Get and GetNext requests from the management station The default is public and allows all requests Set Community Enter the Set community which ...

Page 317: ... screen 21 8 Configuring ICMP To change your ZyXEL Device s security settings click Advanced Remote MGMT ICMP The screen appears as shown Table 130 Remote Management DNS LABEL DESCRIPTION Port The DNS service port number is 53 and cannot be changed here Access Status Select the interface s through which a computer may send DNS queries to the ZyXEL Device Secured Client IP A secured client is a tru...

Page 318: ...ply to incoming WAN Ping requests Otherwise select LAN WAN to reply to both incoming LAN and WAN Ping requests Do not respond to requests for unauthorized services Select this option to prevent hackers from finding the ZyXEL Device by probing for unused ports If you select this option the ZyXEL Device will not respond to port request s for unused ports thus leaving the unused ports and the ZyXEL D...

Page 319: ...r IP address or domain name See Table 132 on page 319for detailed descriptions of the commands Figure 172 Enabling TR 069 The following table gives a description of TR 069 commands ras wan tr069 load ras wan tr069 acsUrl a b c d Auto Configuration Server URL http a b c d ras wan tr069 periodicEnable 1 ras wan tr069 informInterval 2400 TR069 Informinterval 2400 ras wan tr069 active 1 ras wan tr069 ...

Page 320: ...lue to 1 in order for the ZyXEL Device to send information to CNM Access informInterval sec The duration in seconds of the interval for which the device MUST attempt to connect with CNM Access to send information and check for configuration updates Enter a value between 30 and 2147483647 seconds save Save the TR 069 settings to your ZyXEL Device Table 132 TR 069 Commands Root Command or Subdirecto...

Page 321: ...1 How do I know if I m using UPnP UPnP hardware is identified as an icon in the Network Connections folder Windows XP Each UPnP compatible device installed on your network will appear as a separate icon Selecting the icon of a UPnP device will allow you to access the information and properties of that device 22 1 2 NAT Traversal UPnP NAT traversal automates the process of allowing an application t...

Page 322: ...ssage For security reasons the ZyXEL Device allows multicast messages on the LAN only All UPnP enabled devices may communicate freely with each other without additional configuration Disable UPnP if this is not your intention 22 2 UPnP and ZyXEL ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum UPnP Implementers Corp UIC ZyXEL s UPnP implementation supports Internet Gate...

Page 323: ...out entering the ZyXEL Device s IP address although you must still enter the password to access the web configurator Allow users to make configuration changes through UPnP Select this check box to allow UPnP enabled applications to automatically configure the ZyXEL Device so that they can communicate through the ZyXEL Device for example by using NAT traversal UPnP applications automatically reserv...

Page 324: ...Setup Communication 3 In the Communications window select the Universal Plug and Play check box in the Components selection box Figure 175 Add Remove Programs Windows Setup Communication Components 4 Click OK to go back to the Add Remove Programs Properties window and click Next 5 Restart the computer when prompted ...

Page 325: ...ions 3 In the Network Connections window click Advanced in the main menu and select Optional Networking Components Figure 176 Network Connections 4 The Windows Optional Networking Components Wizard window displays Select Networking Service in the Components selection box and click Details Figure 177 Windows Optional Networking Components Wizard 5 In the Networking Services window select the Univer...

Page 326: ...n shows you how to use the UPnP feature in Windows XP You must already have UPnP installed in Windows XP and UPnP activated on the ZyXEL Device Make sure the computer is connected to a LAN port of the ZyXEL Device Turn on your computer and the ZyXEL Device Auto discover Your UPnP enabled Network Device 1 Click Start and Control Panel Double click Network Connections An icon displays under Internet...

Page 327: ...hapter 22 Universal Plug and Play UPnP 327 Figure 179 Network Connections 3 In the Internet Connection Properties window click Settings to see the port mappings there were automatically created Figure 180 Internet Connection Properties ...

Page 328: ...appings Figure 181 Internet Connection Properties Advanced Settings Figure 182 Internet Connection Properties Advanced Settings Add 5 When the UPnP enabled device is disconnected from your computer all port mappings will be deleted automatically 6 Select Show icon in notification area when connected option and click OK An icon displays in the system tray ...

Page 329: ... Status Web Configurator Easy Access With UPnP you can access the web based configurator on the ZyXEL Device without finding out the IP address of the ZyXEL Device first This comes helpful if you do not know the IP address of the ZyXEL Device Follow the steps below to access the web configurator 1 Click Start and then Control Panel 2 Double click Network Connections 3 Select My Network Places unde...

Page 330: ...ersal Plug and Play UPnP Figure 185 Network Connections 4 An icon with the description for each UPnP enabled device displays under Local Network 5 Right click on the icon for your ZyXEL Device and select Invoke The web configurator login screen displays ...

Page 331: ...PnP 331 Figure 186 Network Connections My Network Places 6 Right click on the icon for your ZyXEL Device and select Properties A properties window displays with basic information about the ZyXEL Device Figure 187 Network Connections My Network Places Properties Example ...

Page 332: ...P 662H HW D Series User s Guide 332 Chapter 22 Universal Plug and Play UPnP ...

Page 333: ...em Name In Windows 2000 click Start Settings Control Panel and then double click System Click the Network Identification tab and then the Properties button Note the entry for the Computer name field and enter it as the System Name In Windows XP click start My Computer View system information and then click the Computer Name tab Note the entry in the Full computer name field and enter it as the ZyX...

Page 334: ...ain name Administrator Inactivity Timer Type how many minutes a management session either via the web configurator or CLI Command Line Interpreter can be left idle before the session times out The default is 5 minutes After it times out you have to log in with your password again Very long idle timeouts may have security risks A value of 0 means a management session never times out no matter how l...

Page 335: ...n the ZyXEL Device Old Password Type the default administrator password 1234 or the existing password you use to access the system for configuring advanced features in this field New Password Type your new system password up to 30 characters Note that as you type a password the screen displays a for each character you type After you change the password use the new password to access the ZyXEL Devi...

Page 336: ... set Time and Date Setup to Manual enter the new date in this field and then click Apply Get from Time Server Select this radio button to have the ZyXEL Device get the time and date from the time server you specified below Time Protocol Select the time service protocol that your time server uses Not all time servers support all protocols so you may have to check with your ISP network administrator...

Page 337: ...me zone is one hour ahead of GMT or UTC GMT 1 End Date Configure the day and time when Daylight Saving Time ends if you selected Enable Daylight Saving The o clock field uses the 24 hour format Here are a couple of examples Daylight Saving Time ends in the United States on the last Sunday of October Each time zone in the United States stops using Daylight Saving Time at 2 A M local time So in the ...

Page 338: ...P 662H HW D Series User s Guide 338 Chapter 23 System ...

Page 339: ... of log that warrants more serious attention They include system errors attacks access control and attempted access to blocked web sites Some categories such as System Errors consist of both logs and alerts You may differentiate them by their color in the View Log screen Alerts display in red and logs display in black 24 2 Viewing the Logs Click Maintenance Logs to open the View Log screen Use the...

Page 340: ...n display in the drop down list box Select a category of logs to view select All Logs to view logs from all of the log categories that you selected in the Log Settings page Time This field displays the time the log was recorded Message This field states the reason for the log Source This field lists the source IP address and the port number of the incoming packet Destination This field lists the d...

Page 341: ...s The following table describes the fields in this screen Table 137 Log Settings LABEL DESCRIPTION E mail Log Settings Mail Server Enter the server name or the IP address of the mail server for the e mail addresses specified below If this field is left blank logs and alert messages will not be sent via E mail Mail Subject Type a title that you want to be in the subject line of the log e mail messa...

Page 342: ...u select Weekly or Daily specify a time of day when the E mail should be sent If you select Weekly then also specify which day of the week the E mail should be sent If you select When Log is Full an alert is sent when the log fills up If you select None no log messages are sent Day for Sending Log Use the drop down list box to select which day of the week to send the logs Time for Sending Log Ente...

Page 343: ...means RCPT TO fail 7 means DATA fail 8 means mail data send fail Subject Firewall Alert From ZyXEL Device Date Fri 07 Apr 2000 10 05 42 From user zyxel com To user zyxel com 1 Apr 7 00 From 192 168 1 1 To 192 168 1 255 default policy forward 09 54 03 UDP src port 00520 dest port 00520 1 00 2 Apr 7 00 From 192 168 1 131 To 192 168 1 255 default policy forward 09 54 17 UDP src port 00520 dest port 0...

Page 344: ...P 662H HW D Series User s Guide 344 Chapter 24 Logs ...

Page 345: ...o minutes After a successful upload the system will reboot Only use firmware for your device s specific model Refer to the label on the bottom of your device Click Maintenance Tools to open the Firmware screen Follow the instructions in this screen to upload firmware to your ZyXEL Device Figure 193 Firmware Upgrade The following table describes the labels in this screen Table 139 Firmware Upgrade ...

Page 346: ...ing systems you may see the following icon on your desktop Figure 195 Network Temporarily Disconnected After two minutes log in again and check your new firmware version in the Status screen If the upload was not successful the following screen will appear Click Return to go back to the Firmware screen Browse Click Browse to find the bin file you want to upload Remember that you must decompress co...

Page 347: ... 2 1 Backup Configuration Backup configuration allows you to back up save the ZyXEL Device s current configuration to a file on your computer Once your ZyXEL Device is configured and functioning properly it is highly recommended that you back up your configuration file before making configuration changes The backup configuration file will be useful in case you need to return to your previous setti...

Page 348: ... the following icon on your desktop Figure 199 Temporarily Disconnected If you uploaded the default configuration file you may need to change the IP address of your computer to be in the same subnet as that of the default ZyXEL Device IP address 192 168 1 1 See the appendix for details on how to set up your computer s IP address If the upload was not successful the following screen will appear Cli...

Page 349: ...aults You can also press the RESET button on the rear panel to reset the factory defaults of your ZyXEL Device Refer to the chapter about introducing the web configurator for more information on the RESET button 25 3 Restart System restart allows you to reboot the ZyXEL Device without turning the power off Click Maintenance Tools Restart Click Restart to have the ZyXEL Device reboot This does not ...

Page 350: ...P 662H HW D Series User s Guide 350 Chapter 25 Tools ...

Page 351: ...6 1 General Diagnostic Click Maintenance Diagnostic to open the screen shown next Figure 202 Diagnostic General The following table describes the fields in this screen Table 141 Diagnostic General LABEL DESCRIPTION TCP IP Address Type the IP address of a computer that you want to ping in order to test a connection Ping Click this button to ping the IP address that you entered ...

Page 352: ...VPIs VCIs before you begin this test The ZyXEL Device sends an OAM F5 packet to the DSLAM ATM switch and then returns it loops it back to the ZyXEL Device The ATM loopback test is useful for troubleshooting problems with the DSLAM and ATM network DSL Line Status Click this button to view the DSL port s line operating values and line bit allocation Reset ADSL Line Click this button to reinitialize ...

Page 353: ... appropriate power source Make sure that the ZyXEL Device and the power source are both turned on Turn the ZyXEL Device off and on If the error persists you may have a hardware problem In this case you should contact your vendor Table 144 Troubleshooting the LAN PROBLEM CORRECTIVE ACTION The LAN LEDs do not turn on Check your Ethernet cable connections refer to the Quick Start Guide for details Ch...

Page 354: ... Authentication may be through the user name and password the MAC address or the host name The username and password apply to PPPoE and PPPoA encapsulation only Make sure that you have entered the correct Service Type User Name and Password be sure to use the correct casing Refer to the WAN Setup chapter I cannot access the Internet Make sure the ZyXEL Device is turned on and connected to the netw...

Page 355: ...user password is user and admin password is 1234 The Password field is case sensitive Make sure that you enter the correct password using the proper case If you have changed the password and have now forgotten it you will need to upload the default configuration file This restores all of the factory defaults including the password I cannot access the web configurator Make sure that there is not a ...

Page 356: ...pop ups check box in the Pop up Blocker section of the screen This disables any web pop up blockers you may have enabled Figure 205 Internet Options 3 Click Apply to save this setting 27 4 1 1 2 Enable pop up Blockers with Exceptions Alternatively if you only want to allow pop up windows from your device see the following steps 1 In Internet Explorer select Tools Internet Options and then the Priv...

Page 357: ...oubleshooting 357 Figure 206 Internet Options 3 Type the IP address of your device the web page that you do not want to have blocked with the prefix http For example http 192 168 1 1 4 Click Add to move the IP address to the list of Allowed sites ...

Page 358: ...ngs 5 Click Close to return to the Privacy screen 6 Click Apply to save this setting 27 4 1 2 JavaScripts If pages of the web configurator do not display properly in Internet Explorer check that JavaScripts are allowed 1 In Internet Explorer click Tools Internet Options and then the Security tab ...

Page 359: ...gure 208 Internet Options 2 Click the Custom Level button 3 Scroll down to Scripting 4 Under Active scripting make sure that Enable is selected the default 5 Under Scripting of Java applets make sure that Enable is selected the default 6 Click OK to close the window ...

Page 360: ...ttings Java Scripting 27 4 1 3 Java Permissions 1 From Internet Explorer click Tools Internet Options and then the Security tab 2 Click the Custom Level button 3 Scroll down to Microsoft VM 4 Under Java permissions make sure that a safety level is selected 5 Click OK to close the window ...

Page 361: ...ng 361 Figure 210 Security Settings Java 27 4 1 3 1 JAVA Sun 1 From Internet Explorer click Tools Internet Options and then the Advanced tab 2 make sure that Use Java 2 for applet under Java Sun is selected 3 Click OK to close the window Figure 211 Java Sun ...

Page 362: ...s for Internet Explorer 6 are shown Steps may vary depending on your version of Internet Explorer 1 In Internet Explorer click Tools Internet Options and then the Security tab 2 In the Internet Options window click Custom Level Figure 212 Internet Options Security 3 Scroll down to ActiveX controls and plug ins 4 Under Download signed ActiveX controls select the Prompt radio button 5 Under Run Acti...

Page 363: ...P 662H HW D Series User s Guide Chapter 27 Troubleshooting 363 Figure 213 Security Setting ActiveX Controls ...

Page 364: ...P 662H HW D Series User s Guide 364 Chapter 27 Troubleshooting ...

Page 365: ...68 1 1 Default Subnet Mask 255 255 255 0 24 bits Default Password 1234 DHCP Pool 192 168 1 32 to 192 168 1 64 Dimensions 180 W x 128 D x 36 H mm Weight P 662HW 350g P 662H 325g Power Specification 12V AC 1A Detachable Antenna Reverse SMA 5dBi Built in Switch Four auto negotiating auto MDI MDI X 10 100 Mbps RJ 45 Ethernet ports Operation Temperature 0º C 40º C Storage Temperature 20º 60º C Operatio...

Page 366: ...mpliant auto configuration using ILMI Other Protocol Support PPP Point to Point Protocol link layer protocol Transparent bridging for unsupported network layer protocols DHCP Server Client Relay RIP I RIP II ICMP ATM QoS SNMP v1 and v2c with MIB II support RFC 1213 IP Multicasting IGMP v1 and v2 IGMP Proxy UPnP Management Embedded Multilingual Web Configurator CLI Command Line Interpreter Remote M...

Page 367: ...tabase Multiple ESSID External RADIUS server using EAP MD5 TLS TTLS Firewall Stateful Packet Inspection Prevent Denial of Service attacks such as Ping of Death SYN Flood LAND Smurf etc Real time E mail alerts Reports and logs NAT SUA Port Forwarding 1024 NAT sessions Multimedia application PPTP under NAT SUA IPSec passthrough SIP ALG passthrough VPN passthrough VPN 20 IPSec tunnels Content Filteri...

Page 368: ...P 662H HW D Series User s Guide 368 Product Specifications ...

Page 369: ...oaded than uploaded For example a simple button click in a web browser can start an extended download that includes graphics and text As data rates increase the carrying distance decreases That means that users who are beyond a certain distance from the telephone company s central office may not be able to obtain the higher speeds A DSL connection is a point to point dedicated circuit meaning that...

Page 370: ...ect at your service provider are not affected by other users With cable modems transmission speeds drop significantly as more users go on line because the line is shared 3 ADSL can be always on connected This means that there is no time wasted dialing up the service several times a day and waiting to be connected ADSL is on standby ready for use whenever you need it ...

Page 371: ...etween the centers of the holes matches what is listed in the product specifications appendix Note Be careful to avoid damaging pipes or cables located inside the wall when drilling holes for the screws 3 Do not screw the screws all the way into the wall Leave a small gap of about 0 5 cm between the heads of the screws and the wall 4 Make sure the screws are snugly fastened to the wall They need t...

Page 372: ...P 662H HW D Series User s Guide 372 Appendix C Wall mounting Instructions ...

Page 373: ... 1 requires the purchase of a third party TCP IP application package TCP IP should already be installed on computers using Windows NT 2000 XP Macintosh OS 7 and later operating systems After the appropriate TCP IP components are installed configure the TCP IP settings in order to communicate with your network If you manually assign IP information instead of using dynamic assignment make sure that ...

Page 374: ... for Microsoft Networks If you need the adapter 1 In the Network window click Add 2 Select Adapter and then click Add 3 Select the manufacturer and model of your network adapter and then click OK If you need TCP IP 1 In the Network window click Add 2 Select Protocol and then click Add 3 Select Microsoft from the list of manufacturers 4 Select TCP IP from the list of network protocols and then clic...

Page 375: ...rk adapter s TCP IP entry and click Properties 2 Click the IP Address tab If your IP address is dynamic select Obtain an IP address automatically If you have a static IP address select Specify an IP address and type your information into the IP Address and Subnet Mask fields Figure 216 Windows 95 98 Me TCP IP Properties IP Address 3 Click the DNS Configuration tab If you do not know your DNS infor...

Page 376: ...lose the TCP IP Properties window 6 Click OK to close the Network window Insert the Windows CD if prompted 7 Turn on your ZyXEL Device and restart your computer when prompted Verifying Settings 1 Click Start and then Run 2 In the Run window type winipcfg and then click OK to open the IP Configuration window 3 Select your network adapter You should see your computer s IP address subnet mask and def...

Page 377: ...omputer s IP Address 377 Figure 218 Windows XP Start Menu 2 In the Control Panel double click Network Connections Network and Dial up Connections in Windows 2000 NT Figure 219 Windows XP Control Panel 3 Right click Local Area Connection and then click Properties ...

Page 378: ... Connections Properties 4 Select Internet Protocol TCP IP under the General tab in Win XP and then click Properties Figure 221 Windows XP Local Area Connection Properties 5 The Internet Protocol TCP IP Properties window opens the General tab in Windows XP If you have a dynamic IP address click Obtain an IP address automatically ...

Page 379: ...nfigure additional IP addresses In the IP Settings tab in IP addresses click Add In TCP IP Address type an IP address in IP address and a subnet mask in Subnet mask and then click Add Repeat the above two steps for each IP address you want to add Configure additional default gateways in the IP Settings tab by clicking Add in Default gateways In TCP IP Gateway Address type the IP address of the def...

Page 380: ...ow the General tab in Windows XP Click Obtain DNS server address automatically if you do not know your DNS server IP address es If you know your DNS server IP address es click Use the following DNS server addresses and type them in the Preferred DNS server and Alternate DNS server fields If you have previously configured DNS servers click Advanced and then the DNS tab to order them ...

Page 381: ...twork Connections window Network and Dial up Connections in Windows 2000 NT 11Turn on your ZyXEL Device and restart your computer if prompted Verifying Settings 1 Click Start All Programs Accessories and then Command Prompt 2 In the Command Prompt window type ipconfig and then press ENTER You can also open Network Connections right click a network connection click Status and then click the Support...

Page 382: ...Setting up Your Computer s IP Address Figure 225 Macintosh OS 8 9 Apple Menu 2 Select Ethernet built in from the Connect via list Figure 226 Macintosh OS 8 9 TCP IP 3 For dynamically assigned settings select Using DHCP Server from the Configure list ...

Page 383: ... Click Save if prompted to save changes to your configuration 7 Turn on your ZyXEL Device and restart your computer if prompted Verifying Settings Check your TCP IP properties in the TCP IP Control Panel window Macintosh OS X 1 Click the Apple menu and click System Preferences to open the System Preferences window Figure 227 Macintosh OS X Apple Menu 2 Click Network in the icon bar Select Automati...

Page 384: ... mask in the Subnet mask box Type the IP address of your ZyXEL Device in the Router address box 5 Click Apply Now and close the window 6 Turn on your ZyXEL Device and restart your computer if prompted Verifying Settings Check your TCP IP properties in the Network window Linux This section shows you how to configure your computer s TCP IP settings in Red Hat Linux 9 0 Procedure screens and file loc...

Page 385: ...eps below to configure your computer IP address using the KDE 1 Click the Red Hat button located on the bottom left corner select System Setting and click Network Figure 229 Red Hat 9 0 KDE Network Configuration Devices 2 Double click on the profile of the network card you wish to configure The Ethernet Device General screen displays as shown Figure 230 Red Hat 9 0 KDE Ethernet Device General ...

Page 386: ...our DNS server IP address es click the DNS tab in the Network Configuration screen Enter the DNS server information in the fields provided Figure 231 Red Hat 9 0 KDE Network Configuration DNS 5 Click the Devices tab 6 Click the Activate button to apply the changes The following screen displays Click Yes to save the changes in all screens Figure 232 Red Hat 9 0 KDE Network Configuration Activate 7 ...

Page 387: ...owing example shows an example where the static IP address is 192 168 1 10 and the subnet mask is 255 255 255 0 Figure 234 Red Hat 9 0 Static IP Address Setting in ifconfig eth0 2 If you know your DNS server IP address es enter the DNS server information in the resolv conf file in the etc directory The following figure shows an example where two DNS server IP addresses are specified Figure 235 Red...

Page 388: ...tting down loopback interface OK Setting network parameters OK Bringing up loopback interface OK Bringing up interface eth0 OK root localhost ifconfig eth0 Link encap Ethernet HWaddr 00 50 BA 72 5B 44 inet addr 172 23 19 129 Bcast 172 23 19 255 Mask 255 255 255 0 UP BROADCAST RUNNING MULTICAST MTU 1500 Metric 1 RX packets 717 errors 0 dropped 0 overruns 0 frame 0 TX packets 13 errors 0 dropped 0 o...

Page 389: ...t binary number Therefore each octet has a possible range of 00000000 to 11111111 in binary or 0 to 255 in decimal There are several classes of IP addresses The first network number 192 in the above example defines the class of IP address These are defined as follows Class A 0 to 127 Class B 128 to 191 Class C 192 to 223 Class D 224 to 239 Class E 240 to 255 IP Address Classes and Hosts The class ...

Page 390: ...most bit Class B addresses have a 1 in the leftmost bit and a 0 in the next leftmost bit Class C addresses start with 1 1 0 in the first three leftmost bits Class D addresses begin with 1 1 1 0 Class D addresses are used for multicasting which is used to send information to groups of computers There is also a class E It is reserved for future use The following table shows the allowed ranges for th...

Page 391: ...to network number bits By convention subnet masks always consist of a continuous sequence of ones beginning from the leftmost bit of the mask followed by a continuous sequence of zeros for a total number of 32 bits Since the mask is always a continuous number of ones beginning from the left followed by a continuous number of zeros for the remainder of the 32 bit mask you can simply specify the num...

Page 392: ...ed last octet bit values indicate host ID bits borrowed to make network ID bits The number of borrowed host ID bits determines the number of subnets you can have The remaining number of host ID bits after borrowing determines the number of hosts you can have on each subnet 255 255 255 240 28 1111 0000 240 255 255 255 248 29 1111 1000 248 255 255 255 252 30 1111 1100 252 Table 152 Alternative Subne...

Page 393: ...you need to borrow two host ID bits to give four possible combinations 00 01 10 and 11 The subnet mask is 26 bits 11111111 11111111 11111111 11000000 or 255 255 255 192 Each subnet contains 6 host ID bits giving 26 2 or 62 hosts for each subnet all zeroes is the subnet itself all ones is the broadcast address on the subnet Subnet Address 192 168 1 0 Lowest Host ID 192 168 1 1 Broadcast Address 192...

Page 394: ...ss 192 168 1 127 Highest Host ID 192 168 1 126 Table 158 Subnet 3 IP SUBNET MASK NETWORK NUMBER LAST OCTET BIT VALUE IP Address 192 168 1 128 IP Address Binary 11000000 10101000 00000001 10000000 Subnet Mask Binary 11111111 11111111 11111111 11000000 Subnet Address 192 168 1 128 Lowest Host ID 192 168 1 129 Broadcast Address 192 168 1 191 Highest Host ID 192 168 1 190 Table 159 Subnet 4 IP SUBNET ...

Page 395: ...ID octets available for subnetting and a class A address has three host ID octets see Table 149 on page 390 available for subnetting Table 160 Eight Subnets SUBNET SUBNET ADDRESS FIRST ADDRESS LAST ADDRESS BROADCAST ADDRESS 1 0 1 30 31 2 32 33 62 63 3 64 65 94 95 4 96 97 126 127 5 128 129 158 159 6 160 161 190 191 7 192 193 222 223 8 224 225 254 255 Table 161 Class C Subnet Planning NO BORROWED HO...

Page 396: ...SUBNET 1 255 255 128 0 17 2 32766 2 255 255 192 0 18 4 16382 3 255 255 224 0 19 8 8190 4 255 255 240 0 20 16 4094 5 255 255 248 0 21 32 2046 6 255 255 252 0 22 64 1022 7 255 255 254 0 23 128 510 8 255 255 255 0 24 256 254 9 255 255 255 128 25 512 126 10 255 255 255 192 26 1024 62 11 255 255 255 224 27 2048 30 12 255 255 255 240 28 4096 14 13 255 255 255 248 29 8192 6 14 255 255 255 252 30 16384 2 ...

Page 397: ...etwork or Independent Basic Service Set IBSS The following diagram shows an example of notebook computers using wireless adapters to form an Ad hoc wireless LAN Figure 238 Peer to Peer Communication in an Ad hoc Network BSS A Basic Service Set BSS exists when all communications between wireless stations or between a wireless station and a wired network client go through one access point AP Intra B...

Page 398: ...s wired connection between APs is called a Distribution System DS This type of wireless LAN topology is called an Infrastructure WLAN The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood An ESSID ESS IDentification uniquely identifies each ESS All access points and their associated wireless stations within t...

Page 399: ...ally overlap however To avoid interference due to overlap your AP should be on a channel at least five channels away from a channel that an adjacent AP is using For example if your region has 11 channels and an adjacent AP is using channel 1 then you need to select a channel between 6 or 11 RTS CTS A hidden node occurs when two stations are within range of the same access point but are not within ...

Page 400: ... transmission It also reserves and confirms with the requesting station the time frame for the requested transmission Stations can send frames smaller than the specified RTS CTS directly to the AP without the RTS Request To Send CTS Clear to Send handshake You should only configure RTS CTS if the possibility of hidden nodes exists on your network and the cost of resending large frames is more than...

Page 401: ... long preamble However not all wireless adapters support short preamble Use long preamble if you are unsure what preamble mode the wireless adapters support to ensure interpretability between the AP and the wireless stations and to provide more reliable communication in noisy networks Select Dynamic to have the AP automatically use short preamble when all wireless stations support it otherwise the...

Page 402: ... the wireless stations RADIUS RADIUS is based on a client server model that supports authentication authorization and accounting The access point is the client and the server is the RADIUS server The RADIUS server handles the following tasks Authentication Determines the identity of the users Authorization Determines the network services available to authenticated users once they are connected to ...

Page 403: ...s appendix discusses some popular authentication types EAP MD5 EAP TLS EAP TTLS PEAP and LEAP The type of authentication you use depends on the RADIUS server or the AP Consult your network administrator for more information EAP MD5 Message Digest Algorithm 5 MD5 authentication is the simplest one way authentication method The authentication server sends a challenge to the wireless station The wire...

Page 404: ...tion thus client identity is protected For client authentication EAP TTLS supports EAP methods and legacy authentication methods such as PAP CHAP MS CHAP and MS CHAP v2 PEAP Protected EAP Like EAP TTLS server side certificate authentication is used to establish a secure connection then use simple username and password methods through the secured connection to authenticate the clients thus hiding c...

Page 405: ...rd entered into each access point wireless gateway and wireless client As long as the passwords match a wireless client will be granted access to a WLAN If the AP or the wireless clients do not support WPA2 just use WPA or WPA PSK depending on whether you have an external RADIUS server or not Select WEP only when the AP and or wireless clients do not support WPA or WPA2 WEP is less secure than WPA...

Page 406: ...S it is more difficult to decrypt data on a Wi Fi network than WEP and difficult for an intruder to break into the network The encryption mechanisms used for WPA 2 and WPA 2 PSK are the same The only difference between the two is that WPA 2 PSK uses a simple common password instead of user specific credentials The common password approach makes WPA 2 PSK susceptible to brute force password guessin...

Page 407: ...e security features Table 165 Wireless Security Relational Matrix AUTHENTICATION METHOD KEY MANAGEMENT PROTOCOL ENCRYPTION METHOD ENTER MANUAL KEY IEEE 802 1X Open None No Disable Enable without Dynamic WEP Key Open WEP No Enable with Dynamic WEP Key Yes Enable without Dynamic WEP Key Yes Disable Shared WEP No Enable with Dynamic WEP Key Yes Enable without Dynamic WEP Key Yes Disable WPA TKIP AES ...

Page 408: ...P 662H HW D Series User s Guide 408 Appendix F Wireless LANs ...

Page 409: ...creen to do this Figure 242 Security Certificate Importing the ZyXEL Device s Certificate into Internet Explorer For Internet Explorer to trust a self signed certificate from the ZyXEL Device simply import the self signed certificate into your operating system as a trusted certification authority To have Internet Explorer trust a ZyXEL Device certificate issued by a certificate authority import th...

Page 410: ...In Internet Explorer double click the lock shown in the following screen Figure 243 Login Screen 2 Click Install Certificate to open the Install Certificate wizard Figure 244 Certificate General Information before Import 3 Click Next to begin the Install Certificate wizard ...

Page 411: ...x G Importing Certificates 411 Figure 245 Certificate Import Wizard 1 4 Select where you would like to store the certificate and then click Next Figure 246 Certificate Import Wizard 2 5 Click Finish to complete the Import Certificate wizard ...

Page 412: ...62H HW D Series User s Guide 412 Appendix G Importing Certificates Figure 247 Certificate Import Wizard 3 6 Click Yes to add the ZyXEL Device certificate to the root store Figure 248 Root Certificate Store ...

Page 413: ...rtificate if Authenticate Client Certificates is selected on the ZyXEL Device You must have imported at least one trusted CA to the ZyXEL Device in order for the Authenticate Client Certificates to be active see the Certificates chapter for details Apply for a certificate from a Certification Authority CA that is trusted by the ZyXEL Device see the ZyXEL Device s Trusted CA web configurator screen...

Page 414: ...e CA s trusted certificate s your personal certificate s and a password to install the personal certificate s Installing the CA s Certificate 1 Double click the CA s trusted certificate to produce a screen similar to the one shown next Figure 251 CA Certificate Example 2 Click Install Certificate and follow the wizard as shown earlier in this appendix ...

Page 415: ...ersonal certificate given to you by the CA to produce a screen similar to the one shown next 1 Click Next to begin the wizard Figure 252 Personal Certificate Import Wizard 1 2 The file name and path of the certificate you double clicked should automatically appear in the File name text box Click Browse if you wish to import a different certificate Figure 253 Personal Certificate Import Wizard 2 3 ...

Page 416: ... Import Wizard 3 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location Figure 255 Personal Certificate Import Wizard 4 5 Click Finish to complete the wizard and begin the import process ...

Page 417: ...tificate When Accessing the ZyXEL Device Example Use the following procedure to access the ZyXEL Device via HTTPS 1 Enter https ZyXEL Device IP Address in your browser s web address field Figure 258 Access the ZyXEL Device Via HTTPS 2 When Authenticate Client Certificates is selected on the ZyXEL Device the following screen asks you to select a personal certificate to send to the ZyXEL Device This...

Page 418: ...P 662H HW D Series User s Guide 418 Appendix G Importing Certificates Figure 259 SSL Client Authentication 3 You next see the ZyXEL Device login screen Figure 260 ZyXEL Device Secure Login Screen ...

Page 419: ...he line above The symbol means or For example sys filter netbios config type on off means that you must specify the type of netbios filter and whether to turn it on or off Access via Telnet Use the following steps to telnet into your ZyXEL Device 1 Make sure that your computer is physically connected to one of the LAN ports 2 Make sure your computer IP address and the switch IP address are on the ...

Page 420: ...P 662H HW D Series User s Guide 420 Appendix H Command Interpreter ...

Page 421: ...lment name specifies a descriptive name for the generated certification request subject specifies a subject name required and alternative name required The format is subject name dn ip dns email value If the name contains spaces please put it in quotes key size specifies the key size It has to be an integer from 512 to 2048 The default is 1024 bits create scep_enroll name CA addr CA cert auth key ...

Page 422: ...riptive name is not specified for the imported certificate the certificate will adopt the descriptive name of the certification request export name Export the PEM encoded certificate to stdout for user to copy and paste name specifies the name of the certificate to be exported view name View the information of the specified local host certificate name specifies the name of the certificate to be vi...

Page 423: ...ll trusted CA certificate names and basic information rename old name new name Rename the specified trusted CA certificate old name specifies the name of the certificate to be renamed new name specifies the new name as which the certificate is to be saved crl_issuer name on off Specify whether or not the specified CA issues CRL name specifies the name of the CA certificate on off specifies whether...

Page 424: ...ssword if required The format is login password delete name Delete the specified directory service name specifies the name of the directory server to be deleted view name View the specified directory service name specifies the name of the directory server to be viewed edit name addr port login pswd Edit the specified directory service name specifies the name of the directory server to be edited ad...

Page 425: ...e ZyXEL Device boot module commands as shown in the next screen ATBAx allows you to change the console port speed The x denotes the number preceding the colon to give the console port speed following the colon in the list of numbers that follows for example ATBA3 will give a console port speed of 9 6 Kbps ATSE displays the seed that is used to generate a password to turn on the debug flag in the f...

Page 426: ... ATDUx y dump memory contents from address x for length y ATRBx display the 8 bit value of address x ATRWx display the 16 bit value of address x ATRLx display the 32 bit value of address x ATGO x run program at addr x or boot router ATGR boot router ATGT run Hardware Test Program ATRTw x y z RAM test level w from address x to y z iterations ATSH dump manufacturer related data in ROM ATDOx y downlo...

Page 427: ...ommand shows the of all the firewall settings including e mail attack and the sets rules config display firewall set set This command shows the current configuration of a set including timeout values name default permit and etc If you don t put use a number after set information about all of the sets rules appears config display firewall set set rule rule This command shows the current entries of ...

Page 428: ... e mail hour 0 23 This command sets the hour when the firewall log is sent through e mail if the ZyXEL Device is set to send it on an hourly daily or weekly basis config edit firewall e mail minute 0 59 This command sets the minute of the hour for the firewall log to be sent via e mail if the ZyXEL Device is set to send it on a hourly daily or weekly basis Attack config edit firewall attack send a...

Page 429: ... with the same destination where the ZyXEL Device starts dropping half open sessions to that destination Sets config edit firewall set set name desired name This command sets a name to identify a specified set Config edit firewall set set default permit forward block This command sets whether a packet is dropped or allowed through when it does not meet a rule within the set Config edit firewall se...

Page 430: ...r ICMP Config edit firewall set set rule rule log none match not match both This command sets the ZyXEL Device to log traffic that matches the rule doesn t match both or neither Config edit firewall set set rule rule alert yes no This command sets whether or not the ZyXEL Device sends an alert e mail when a DOS attack or a violation of a particular rule occurs config edit firewall set set rule rul...

Page 431: ...command to enter various non consecutive port numbers config edit firewall set set rule rule TCP destport range start port end port This command sets a rule to have the ZyXEL Device check for TCP traffic with a destination port in this range config edit firewall set set rule rule UDP destport single port This command sets a rule to have the ZyXEL Device check for UDP traffic with this destination ...

Page 432: ...er s Guide 432 Appendix K Firewall Commands config delete firewall set set rule rule This command removes the specified rule in a firewall configuration set Table 167 Firewall Commands continued FUNCTION COMMAND DESCRIPTION ...

Page 433: ...AN to the WAN and from the WAN to the LAN Allow or disallow the sending of NetBIOS packets from the LAN to the DMZ and from the DMZ to the LAN Allow or disallow the sending of NetBIOS packets from the WAN to the DMZ and from the DMZ to the WAN Allow or disallow the sending of NetBIOS packets through VPN connections Allow or disallow NetBIOS packets to initiate calls Display NetBIOS Filter Settings...

Page 434: ...rigger dial This field displays whether NetBIOS packets are allowed to initiate calls Disabled means that NetBIOS packets are blocked from initiating calls Disabled type Identify which NetBIOS filter numbered 0 3 to configure 0 Between LAN and WAN 1 Between LAN and DMZ 2 Between WAN and DMZ 3 IPSec packet pass through 4 Trigger Dial on off For type 0 and 1 use on to enable the filter and block Net...

Page 435: ...es User s Guide Appendix L NetBIOS Filter Commands 435 sys filter netbios config 3 on This command blocks IPSec NetBIOS packets sys filter netbios config 4 off This command stops NetBIOS commands from initiating calls ...

Page 436: ...P 662H HW D Series User s Guide 436 Appendix L NetBIOS Filter Commands ...

Page 437: ...ification number field name parameter values allowed input where input is your input conforming to parameter values allowed The figure shown next is an example of an Internal SPTGEN text file Figure 263 Configuration Text File Format Column Descriptions Note DO NOT alter or delete any field except parameters in the Input column For more text file examples refer to the Example Internal SPTGEN Scree...

Page 438: ...Example The ZyXEL Device will display the following if you enter parameter s that are valid Figure 265 Valid Parameter Entered Command Line Example Internal SPTGEN FTP Download Example 1 Launch your FTP application 2 Enter bin The command bin sets the transfer mode to binary 3 Get rom t file The command get transfers files from the ZyXEL Device to your computer The name rom t is the configuration ...

Page 439: ...Internal SPTGEN FTP Upload Example Example Internal SPTGEN Screens This section covers ZyXEL Device Internal SPTGEN screens c ftp 192 168 1 1 220 PPP FTP version 1 0 ready at Sat Jan 1 03 22 12 2000 User 192 168 1 1 none 331 Enter PASS command Password 230 Logged in ftp bin 200 Type I OK ftp get rom t ftp bye c edit rom t edit the rom t text file by a text editor and save it c ftp 192 168 1 1 220 ...

Page 440: ... No 1 Yes 1 10000006 Bridge 0 No 1 Yes 0 Table 171 Menu 3 SMT Menu 3 Menu 3 1 General Ethernet Setup SMT menu 3 1 FIN FN PVA INPUT 30100001 Input Protocol filters Set 1 2 30100002 Input Protocol filters Set 2 256 30100003 Input Protocol filters Set 3 256 30100004 Input Protocol filters Set 4 256 30100005 Input device filters Set 1 256 30100006 Input device filters Set 2 256 30100007 Input device f...

Page 441: ... Both 2 In Only 3 Out Only 0 30200011 Version 0 Rip 1 1 Rip 2B 2 Rip 2M 0 30200012 Multicast 0 IGMP v2 1 IGMP v1 2 None 2 30200013 IP Policies Set 1 1 12 256 30200014 IP Policies Set 2 1 12 256 30200015 IP Policies Set 3 1 12 256 30200016 IP Policies Set 4 1 12 256 Menu 3 2 1 IP Alias Setup SMT Menu 3 2 1 FIN FN PVA INPUT 30201001 IP Alias 1 0 No 1 Yes 0 30201002 IP Address 0 0 0 0 30201003 IP Sub...

Page 442: ...h 2 In Only 3 Out Only 0 30201018 Version 0 Rip 1 1 Rip 2B 2 Rip 2M 0 30201019 IP Alias 2 Incoming protocol filters Set 1 256 30201020 IP Alias 2 Incoming protocol filters Set 2 256 30201021 IP Alias 2 Incoming protocol filters Set 3 256 30201022 IP Alias 2 Incoming protocol filters Set 4 256 30201023 IP Alias 2 Outgoing protocol filters Set 1 256 30201024 IP Alias 2 Outgoing protocol filters Set ...

Page 443: ...1 Enable 0 MENU 3 5 1 WLAN MAC ADDRESS FILTER SMT MENU 3 5 1 FIN FN PVA INPUT 30501001 Mac Filter Active 0 No 1 Yes 0 30501002 Filter Action 0 Allow 1 Deny 0 30501003 Address 1 00 00 00 00 0 0 00 30501004 Address 2 00 00 00 00 0 0 00 30501005 Address 3 00 00 00 00 0 0 00 Continued 30501034 Address 32 00 00 00 00 0 0 00 Table 171 Menu 3 SMT Menu 3 continued Table 172 Menu 4 Internet Access Setup SM...

Page 444: ...et mask 0 40000016 ISP incoming protocol filter set 1 6 40000017 ISP incoming protocol filter set 2 256 40000018 ISP incoming protocol filter set 3 256 40000019 ISP incoming protocol filter set 4 256 40000020 ISP outgoing protocol filter set 1 256 40000021 ISP outgoing protocol filter set 2 256 40000022 ISP outgoing protocol filter set 3 256 40000023 ISP outgoing protocol filter set 4 256 40000024...

Page 445: ...0 No 1 Yes 0 Menu 12 1 2 IP Static Route Setup SMT Menu 12 1 2 FIN FN PVA INPUT 120102001 IP Static Route set 2 Name 120102002 IP Static Route set 2 Active 0 No 1 Yes 0 120102003 IP Static Route set 2 Destination IP address 0 0 0 0 120102004 IP Static Route set 2 Destination IP subnetmask 0 120102005 IP Static Route set 2 Gateway 0 0 0 0 120102006 IP Static Route set 2 Metric 0 120102007 IP Static...

Page 446: ...n IP subnetmask 0 120105005 IP Static Route set 5 Gateway 0 0 0 0 120105006 IP Static Route set 5 Metric 0 120105007 IP Static Route set 5 Private 0 No 1 Yes 0 Menu 12 1 6 IP Static Route Setup SMT Menu 12 1 6 FIN FN PVA INPUT 120106001 IP Static Route set 6 Name Str 120106002 IP Static Route set 6 Active 0 No 1 Yes 0 120106003 IP Static Route set 6 Destination IP address 0 0 0 0 120106004 IP Stat...

Page 447: ... IP Static Route set 9 Destination IP address 0 0 0 0 120109004 IP Static Route set 9 Destination IP subnetmask 0 120109005 IP Static Route set 9 Gateway 0 0 0 0 120109006 IP Static Route set 9 Metric 0 120109007 IP Static Route set 9 Private 0 No 1 Yes 0 Menu 12 1 10 IP Static Route Setup SMT Menu 12 1 10 FIN FN PVA INPUT 120110001 IP Static Route set 10 Name 120110002 IP Static Route set 10 Acti...

Page 448: ...N PVA INPUT 120113001 IP Static Route set 13 Name Str 120113002 IP Static Route set 13 Active 0 No 1 Yes 0 120113003 IP Static Route set 13 Destination IP address 0 0 0 0 120113004 IP Static Route set 13 Destination IP subnetmask 0 120113005 IP Static Route set 13 Gateway 0 0 0 0 120113006 IP Static Route set 13 Metric 0 120113007 IP Static Route set 13 Private 0 No 1 Yes 0 Menu 12 1 14 IP Static ...

Page 449: ...k 0 120116005 IP Static Route set 16 Gateway 0 0 0 0 120116006 IP Static Route set 16 Metric 0 120116007 IP Static Route set 16 Private 0 No 1 Yes 0 Table 173 Menu 12 SMT Menu 12 continued Table 174 Menu 15 SUA Server Setup SMT Menu 15 Menu 15 SUA Server Setup SMT Menu 15 FIN FN PVA INPUT 150000001 SUA Server IP address for default port 0 0 0 0 150000002 SUA Server 2 Active 0 No 1 Yes 0 150000003 ...

Page 450: ...ll 6 TCP 17 U DP 0 0 0 0 150000029 SUA Server 7 Port Start 0 150000030 SUA Server 7 Port End 0 150000031 SUA Server 7 Local IP address 0 0 0 0 150000032 SUA Server 8 Active 0 No 1 Yes 0 150000033 SUA Server 8 Protocol 0 All 6 TCP 17 U DP 0 150000034 SUA Server 8 Port Start 0 150000035 SUA Server 8 Port End 0 150000036 SUA Server 8 Local IP address 0 0 0 0 150000037 SUA Server 9 Active 0 No 1 Yes 0...

Page 451: ... 21 1 1 1 set 1 rule 1 SMT Menu 21 1 1 1 FIN FN PVA INPUT 210101001 IP Filter Set 1 Rule 1 Type 2 TCP IP 2 210101002 IP Filter Set 1 Rule 1 Active 0 No 1 Yes 1 210101003 IP Filter Set 1 Rule 1 Protocol 6 210101004 IP Filter Set 1 Rule 1 Dest IP address 0 0 0 0 210101005 IP Filter Set 1 Rule 1 Dest Subnet Mask 0 210101006 IP Filter Set 1 Rule 1 Dest Port 137 210101007 IP Filter Set 1 Rule 1 Dest Po...

Page 452: ...t equal 3 less 4 greater 0 210102013 IP Filter Set 1 Rule 2 Act Match 1 check next 2 forward 3 drop 3 210102014 IP Filter Set 1 Rule 2 Act Not Match 1 check next 2 forward 3 drop 1 Menu 21 1 1 3 set 1 rule 3 SMT Menu 21 1 1 3 FIN FN PVA INPUT 210103001 IP Filter Set 1 Rule 3 Type 2 TCP IP 2 210103002 IP Filter Set 1 Rule 3 Active 0 No 1 Yes 1 210103003 IP Filter Set 1 Rule 3 Protocol 6 210103004 I...

Page 453: ...s 0 0 0 0 210104009 IP Filter Set 1 Rule 4 Src Subnet Mask 0 210104010 IP Filter Set 1 Rule 4 Src Port 0 210104011 IP Filter Set 1 Rule 4 Src Port Comp 0 none 1 equal 2 not equal 3 less 4 greater 0 210104013 IP Filter Set 1 Rule 4 Act Match 1 check next 2 forward 3 drop 3 210104014 IP Filter Set 1 Rule 4 Act Not Match 1 check next 2 forward 3 drop 1 Menu 21 1 1 5 set 1 rule 5 SMT Menu 21 1 1 5 FIN...

Page 454: ...lter Set 1 Rule 6 Dest IP address 0 0 0 0 210106005 IP Filter Set 1 Rule 6 Dest Subnet Mask 0 210106006 IP Filter Set 1 Rule 6 Dest Port 139 210106007 IP Filter Set 1 Rule 6 Dest Port Comp 0 none 1 equal 2 not equal 3 less 4 greater 1 210106008 IP Filter Set 1 Rule 6 Src IP address 0 0 0 0 210106009 IP Filter Set 1 Rule 6 Src Subnet Mask 0 210106010 IP Filter Set 1 Rule 6 Src Port 0 210106011 IP F...

Page 455: ...ter Set 2 Rule 1 Src Port 0 210201011 IP Filter Set 2 Rule 1 Src Port Comp 0 none 1 equal 2 not equal 3 less 4 gr eater 0 210201013 IP Filter Set 2 Rule 1 Act Match 1 check next 2 forward 3 drop 3 210201014 IP Filter Set 2 Rule 1 Act Not Match 1 check next 2 forward 3 drop 1 Menu 21 1 2 2 Filter set 2 rule 2 SMT Menu 21 1 2 2 FIN FN PVA INPUT 210202001 IP Filter Set 2 Rule 2 Type 0 none 2 TCP IP 2...

Page 456: ...210203004 IP Filter Set 2 Rule 3 Dest IP address 0 0 0 0 210203005 IP Filter Set 2 Rule 3 Dest Subnet Mask 0 210203006 IP Filter Set 2 Rule 3 Dest Port 139 210203007 IP Filter Set 2 Rule 3 Dest Port Comp 0 none 1 equal 2 not equal 3 less 4 gr eater 1 210203008 IP Filter Set 2 Rule 3 Src IP address 0 0 0 0 210203009 IP Filter Set 2 Rule 3 Src Subnet Mask 0 210203010 IP Filter Set 2 Rule 3 Src Port ...

Page 457: ... gr eater 0 210204013 IP Filter Set 2 Rule 4 Act Match 1 check next 2 forward 3 drop 3 210204014 IP Filter Set 2 Rule 4 Act Not Match 1 check next 2 forward 3 drop 1 Menu 21 1 2 5 Filter set 2 rule 5 SMT Menu 21 1 2 5 FIN FN PVA INPUT 210205001 IP Filter Set 2 Rule 5 Type 0 none 2 TCP IP 2 210205002 IP Filter Set 2 Rule 5 Active 0 No 1 Yes 1 210205003 IP Filter Set 2 Rule 5 Protocol 17 210205004 I...

Page 458: ...ask 0 210206006 IP Filter Set 2 Rule 6 Dest Port 139 210206007 IP Filter Set 2 Rule 6 Dest Port Comp 0 none 1 equal 2 not equal 3 less 4 gr eater 1 210206008 IP Filter Set 2 Rule 6 Src IP address 0 0 0 0 210206009 IP Filter Set 2 Rule 6 Src Subnet Mask 0 210206010 IP Filter Set 2 Rule 6 Src Port 0 210206011 IP Filter Set 2 Rule 6 Src Port Comp 0 none 1 equal 2 not equal 3 less 4 gr eater 0 2102060...

Page 459: ...11 230200006 Accounting Server Configured 0 No 1 Yes 1 230200007 Accounting Server Active 0 No 1 Yes 1 230200008 Accounting Server IP Address 192 168 1 44 230200009 Accounting Server Port 1823 230200010 Accounting Server Shared Secret 1234 Menu 23 4 System security IEEE 802 1x SMT Menu 23 4 FIN FN PVA INPUT 230400001 Wireless Port Control 0 Authentication Required 1 No Access Allowed 2 No Authenti...

Page 460: ...1 Menu 24 11 Remote Management Control SMT Menu 24 11 FIN FN PVA INPUT 241100001 TELNET Server Port 23 241100002 TELNET Server Access 0 all 1 none 2 L an 3 Wan 0 241100003 TELNET Server Secured IP address 0 0 0 0 241100004 FTP Server Port 21 241100005 FTP Server Access 0 all 1 none 2 L an 3 Wan 0 241100006 FTP Server Secured IP address 0 0 0 0 241100007 WEB Server Port 80 241100008 WEB Server Acce...

Page 461: ...P 662H HW D Series User s Guide Appendix M Internal SPTGEN 461 FIN FN PVA INPUT 990000001 ADSL OPMD 0 etsi 1 normal 2 gdmt 3 multimo de 3 Table 179 Command Examples continued FIN FN PVA INPUT ...

Page 462: ...P 662H HW D Series User s Guide 462 Appendix M Internal SPTGEN ...

Page 463: ...ed by telephone sets Install the POTS splitter at the point where the telephone line enters your residence as shown in the following figure Figure 268 Connecting a POTS Splitter 1 Connect the side labeled Phone to your telephone 2 Connect the side labeled Modem DSL to your ZyXEL Device 3 Connect the side labeled Line to the telephone wall jack Telephone Microfilters Telephone voice transmissions t...

Page 464: ... 3 Connect another cable from the double jack end of the Y Connector to the ZyXEL Device 4 Connect the phone side of the microfilter to your telephone as shown in the following figure Figure 269 Connecting a Microfilter ZyXEL Device With ISDN This section relates to people who use their ZyXEL Device with ADSL over ISDN digital telephone service only The following is an example installation for the...

Page 465: ...ia telnet Successful FTP login Someone has logged on to the router via ftp FTP login failed Someone has failed to log on to the router via ftp NAT Session Table is Full The maximum number of NAT session table entries has been exceeded and the table is full Starting Connectivity Monitor Starting Connectivity Monitor Time initialized by Daytime Server The router got the time and date from the Daytim...

Page 466: ...interface Table 182 Access Control Logs LOG MESSAGE DESCRIPTION Firewall default policy TCP UDP IGMP ESP GRE OSPF Packet Direction Attempted TCP UDP IGMP ESP GRE OSPF access matched the default policy and was blocked or forwarded according to the default policy s setting Firewall rule NOT match TCP UDP IGMP ESP GRE OSPF Packet Direction rule d Attempted TCP UDP IGMP ESP GRE OSPF access matched or ...

Page 467: ...t 3 minutes UDP idle timeout 3 minutes TCP connection three way handshaking timeout 270 seconds TCP FIN wait timeout 2 MSL Maximum Segment Lifetime set in the TCP header TCP idle established timeout s 150 minutes TCP reset timeout 10 seconds Exceed MAX incomplete sent TCP RST The router sent a TCP reset packet when the number of incomplete connections TCP and UDP exceeded the user configured thres...

Page 468: ...n ICMP reply packet to the sender Table 186 CDR Logs LOG MESSAGE DESCRIPTION board d line d channel d call d s C01 Outgoing Call dev x ch x s The router received the setup requirements for a call call is the reference count number of the call dev is the device type 3 is for dial up 6 is for PPPoE 10 is for PPTP channel or ch is the call channel ID For example board 0 line 0 channel 0 call 3 C01 Ou...

Page 469: ...The content filter server responded that the web site is in the blocked category list but it did not return the category type s s The content filter server responded that the web site is in the blocked category list and returned the category type s cache hit The system detected that the web site is in the blocked list from the local cache but does not know the category type s s cache hit The syste...

Page 470: ...e firewall detected an ICMP echo attack For type and code details see Table 197 on page 477 syn flood TCP The firewall detected a TCP syn flood attack ports scan TCP The firewall detected a TCP port scan attack teardrop TCP The firewall detected a TCP teardrop attack teardrop UDP The firewall detected an UDP teardrop attack teardrop ICMP type d code d The firewall detected an ICMP teardrop attack ...

Page 471: ...on failed during IKE phase 2 because the router and the peer s Local Remote Addresses don t match Verifying Local ID failed The connection failed during IKE phase 2 because the router and the peer s Local Remote Addresses don t match IKE Packet Retransmit The router retransmitted the last packet sent because there was no response from the peer Failed to send IKE Packet An Ethernet error stopped th...

Page 472: ...outer s Remote Address This information conflicted with static rule d thus the connection is not allowed Phase 1 ID type mismatch This router s Peer ID Type is different from the peer IPSec router s Local ID Type Phase 1 ID content mismatch This router s Peer ID Content is different from the peer IPSec router s Local ID Content No known phase 1 ID type found The router could not find a known phase...

Page 473: ...en the router and the peer Rule d Phase 2 encapsulation mismatch The listed rule s IKE phase 2 encapsulation did not match between the router and the peer Rule d Phase 2 pfs mismatch The listed rule s IKE phase 2 perfect forward secret pfs setting did not match between the router and the peer Rule d Phase 1 ID mismatch The listed rule s IKE phase 1 ID did not match between the router and the peer ...

Page 474: ...a cert subject name The router received a certification authority certificate with subject name as recorded from the LDAP server whose IP address and port are recorded in the Source field Rcvd user cert subject name The router received a user certificate with subject name as recorded from the LDAP server whose IP address and port are recorded in the Source field Rcvd CRL size issuer name The route...

Page 475: ...TION 1 Algorithm mismatch between the certificate and the search constraints 2 Key usage mismatch between the certificate and the search constraints 3 Certificate was not valid in the time interval 4 Not used 5 Certificate is not valid 6 Certificate signature was not verified correctly 7 Certificate was revoked by a CRL 8 Certificate was not added to the cache 9 Certificate decoding failed 10 Cert...

Page 476: ...ssion expired User logout because of user deassociation The router logged out a user who ended the session User logout because of no authentication response from user The router logged out a user from which there was no authentication response User logout because of idle timeout expired The router logged out a user whose idle timeout period expired User logout because of user request A user logged...

Page 477: ...L Device ACL set for packets traveling from the WAN to the WAN or the ZyXEL Device D to D DMZ to DMZ ZyXEL Device ACL set for packets traveling from the DMZ to the DMZ or the ZyXEL Device Table 197 ICMP Notes TYPE CODE DESCRIPTION 0 Echo Reply 0 Echo reply message 3 Destination Unreachable 0 Net unreachable 1 Host unreachable 2 Protocol unreachable 3 Port unreachable 4 A packet that needed fragmen...

Page 478: ... srcPort dst dstIP dstPort msg msg note note devID mac address last three numbers cat category This message is sent by the system RAS displays as the system name if you haven t configured one when the router generates a syslog The facility is defined in the web MAIN MENU LOGS Log Settings page The severity is the log s syslog class The definition of messages and notes are defined in the various lo...

Page 479: ...tegory followed by a log category to display the parameters that are available for the category Figure 272 Displaying Log Parameters Example 4 Use sys logs category followed by a log category and a parameter to decide what to record SIG Signature NONCE Nonce NOTFY Notification DEL Delete VID Vendor ID Table 199 RFC 2408 ISAKMP Payload Types continued LOG DISPLAY PAYLOAD TYPE Copyright c 1994 2004 ...

Page 480: ... logs clear command to erase all of the ZyXEL Device s logs Log Command Example This example shows how to set the ZyXEL Device to record the access logs and alerts and then view the results ras sys logs load ras sys logs category access 3 ras sys logs save ras sys logs display access time source destination notes message 0 06 08 2004 05 58 21 172 21 4 154 224 0 1 24 ACCESS BLOCK Firewall default p...

Page 481: ...iving data packets between two Ethernet devices Some companies have more than one alternate route to one or more ISPs If the LAN and ISP s are in the same subnet the triangle route problem may occur The steps below describe the triangle route problem 1 A computer on the LAN initiates a connection by sending out a SYN packet to a receiving server on the WAN 2 The ZyXEL Device reroutes the SYN packe...

Page 482: ...s with the ZyXEL Device being the gateway for each logical network By putting your LAN and Gateway B in different subnets all returning network traffic must pass through the ZyXEL Device to your LAN The following steps describe such a scenario 1 A computer on the LAN initiates a connection by sending a SYN packet to a receiving server on the WAN 2 The ZyXEL Device reroutes the packet to Gateway B ...

Page 483: ...AN Side A second solution to the triangle route problem is to put all of your network gateways on the WAN side as the following figure shows This ensures that all incoming network traffic passes through your ZyXEL Device to your LAN Therefore your LAN is protected Figure 276 Gateways on the WAN Side ...

Page 484: ...P 662H HW D Series User s Guide 484 Appendix P Triangle Route ...

Page 485: ...i virus scan packet types 205 Any IP 42 113 How it works 114 note 114 Any IP Setup 116 AP access point 399 applicaions Internet access 46 Application level Firewalls 170 ATM Adaptation Layer 5 AAL5 86 Attack Alert 200 Attack Types 174 Authentication Header 239 Available Services 220 B Backup 347 Backup Type 101 Bandwidth Management 293 Bandwidth Manager Class Configuration 299 Bandwidth Manager Mo...

Page 486: ...trator Login 231 Application 215 configuration steps 215 Content Filtering Service 217 create user groups 216 Customize services 219 Diagnose 227 diagnose sequence 227 Idle Timeout 216 log out 230 online status 229 test web site access privileges 227 Time Left 229 Time schedule 217 Unlimited time schedule 218 User Account 228 user accounts 215 User groups 216 user groups 215 User Login 230 User Pr...

Page 487: ...umber 345 DH 254 DHCP 44 110 111 305 333 DHCP client 44 DHCP relay 44 DHCP server 44 diagnostic 351 Diffie Hellman Key Groups 254 DMZ 151 366 DNS 317 DNS Server For VPN Host 245 Domain Name 111 162 333 Domain Name System 110 DoS 171 Basics 171 Types 172 DoS Denial of Service 42 151 366 DoS attacks types of 172 DSL Digital Subscriber Line 369 DSL line reinitialize 352 DSLAM Digital Subscriber Line ...

Page 488: ...98 Extended Service Set IDentification 128 Extended wireless security 75 F Fairness based Scheduler 295 FCC 4 FCC Rules 4 Federal Communications Commission 4 File infector 203 Finger 162 Firewall Access Methods 181 Address Type 189 Alerts 184 Anti Probing 197 Creating Editing Rules 187 Custom Ports 190 Enabling 184 Firewall Vs Filters 179 Guidelines For Enhancing Security 178 Introduction 170 LAN ...

Page 489: ...ow ZyXEL Device virus scan works 205 HTTP 162 170 171 172 HTTP Hypertext Transfer Protocol 345 I IANA 112 IANA Internet Assigned Number Authority 190 IBSS 397 ICMP echo 173 ID Type and Content 245 IEEE 802 11g 45 401 IEEE 802 11i 45 IGMP 113 IKE Phases 252 Independent Basic Service Set 397 initialization vector IV 406 Inside Header 236 Install UPnP 323 Windows Me 323 Windows XP 325 Integrated Serv...

Page 490: ...signment 87 ENET ENCAP 87 PPPoA or PPPoE 87 RFC 1483 87 IP alias 44 IP Policy Routing IPPR 44 IP Pool 117 IP Pool Setup 110 IP protocol type 195 IP Spoofing 172 175 IPSec 233 IPSec Algorithms 235 239 IPSec and NAT 236 IPSec Architecture 235 IPSec standard 43 IPSec VPN Capability 43 ISDN Integrated Services Digital Network 41 K Keep Alive 243 Key Fields For Configuring Rules 183 L LAN Setup 85 109 ...

Page 491: ...lticast 113 Multiplexing 86 multiplexing 86 LLC based 86 VC based 86 Multiprotocol Encapsulation 86 My IP Address 240 N Nailed Up Connection 87 NAT 111 162 163 Address mapping rule 167 Application 159 Definitions 157 How it works 158 Mapping Types 159 What it does 158 What NAT does 158 NAT Network Address Translation 157 NAT mode 161 NAT Traversal 321 NAT traversal 244 navigating the web configura...

Page 492: ...o Point Tunneling Protocol 162 POP3 162 171 172 PPPoE 85 Benefits 85 PPPoE Point to Point Protocol over Ethernet 43 PPTP 162 Preamble Mode 401 Pre defined Web Content Categories 222 Pre Shared Key 247 Priorities 141 297 Priority 299 Priority based Scheduler 294 protocol type 220 Q Quick Start Guide 39 R RADIUS 402 Shared Secret Key 403 RADIUS Message Types 402 RADIUS Messages 402 reinitialize the ...

Page 493: ...arnings 6 Saving the State 175 Scanning engine 203 Scheduler 294 Secure Gateway Address 241 Security Association 233 Security In General 179 Security Parameter Index 257 Security Parameters 407 Security Ramifications 182 Server 159 160 336 Service 183 Service Set 128 Service Type 191 354 Services 162 Signature 203 Signature based 203 Signature based virus scan 203 SMTP 162 SMTP Error Messages 343 ...

Page 494: ...Parameter Table Generator 437 System Timeout 310 T TCP Maximum Incomplete 199 200 TCP Security 177 TCP IP 171 172 Teardrop 172 Telnet 311 Temporal Key Integrity Protocol TKIP 405 Text File Format 437 TFTP Restrictions 309 The DeMilitarized Zone DMZ 151 Three Way Handshake 172 Threshold Values 198 Traceroute 175 Traffic Redirect 99 100 Traffic redirect 99 102 traffic redirect 43 Traffic shaping 88 ...

Page 495: ...rtual Path Identifier VPI 86 Virtual Private Network 43 233 Virus attack 203 Virus life cycle 204 VPI VCI 86 VPN 233 VPN Applications 234 W WAN Wide Area Network 85 WAN backup 100 102 WAN to LAN Rules 184 Web 310 Web Configurator 49 52 178 183 web configurator screen summary 53 Web Site Filters 222 WEP Wired Equivalent Privacy 45 WEP Encryption 131 Wi Fi Multimedia QoS 141 Wi Fi Protected Access 4...

Page 496: ...W D Series User s Guide 496 Index WPA2 PSK 405 WPA PSK 405 Z Zero Configuration Internet Access 42 Zero configuration Internet access 90 ZyXEL Device anti virus packet scan 204 ZyXEL_s Firewall Introduction 170 ...