 Chapter 14 Firewall

AMG1312-T10D User’s Guide

141

can be carried out through ICMPv6. Since ICMPv6 error messages are critical for establishing and 
maintaining communications, filtering policy focuses on ICMPv6 informational messages.
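The error/informational split that this policy relies on can be read directly from the ICMPv6 type field (RFC 4443: types 0-127 are errors, 128-255 are informational). The following is an added example, not part of the User's Guide or the Device firmware; the function names, the choice to block Echo Request from the WAN, and the sample packets are assumptions made for illustration.

```python
import struct
from dataclasses import dataclass

# Neighbor Discovery messages (RS, RA, NS, NA, Redirect) are informational
# by type number, but every IPv6 link needs them to function.
ND_TYPES = frozenset(range(133, 138))


@dataclass(frozen=True)
class Icmp6Header:
    type: int
    code: int
    checksum: int


def parse_icmp6(data: bytes) -> Icmp6Header:
    """Parse the fixed 4-byte ICMPv6 header (type, code, checksum)."""
    if len(data) < 4:
        raise ValueError("ICMPv6 header needs at least 4 bytes")
    # The checksum is not verified here: that requires the IPv6 pseudo-header.
    return Icmp6Header(*struct.unpack("!BBH", data[:4]))


def is_error_message(hdr: Icmp6Header) -> bool:
    """RFC 4443: high-order bit of the type is 0 for error messages."""
    return hdr.type < 128


def decide(hdr: Icmp6Header, hop_limit: int, from_wan: bool,
           wan_blocked_info=frozenset({128})) -> str:
    """Hypothetical policy: never filter errors, filter only informational."""
    if is_error_message(hdr):
        # Packet Too Big, Destination Unreachable, etc. keep sessions working.
        return "accept"
    if hdr.type in ND_TYPES:
        # RFC 4861: ND packets must arrive with Hop Limit 255, which proves
        # they were not forwarded by a router (i.e. they are on-link).
        return "accept" if hop_limit == 255 else "drop"
    if from_wan and hdr.type in wan_blocked_info:
        return "drop"  # e.g. Echo Request (type 128) arriving from the WAN
    return "accept"


# Constructed sample packets (checksums zeroed), not captured traffic:
# (label, ICMPv6 bytes, hop limit of the carrying IPv6 packet, from WAN?)
ECHO_REQUEST = bytes.fromhex("8000000000010001")
NEIGHBOR_SOL = bytes.fromhex("8700000000000000")
SAMPLES = [
    ("packet too big from WAN", bytes.fromhex("0200000000000500"), 58, True),
    ("echo request from WAN", ECHO_REQUEST, 57, True),
    ("echo request from LAN", ECHO_REQUEST, 64, False),
    ("neighbor solicitation, on-link", NEIGHBOR_SOL, 255, True),
    ("neighbor solicitation, forwarded", NEIGHBOR_SOL, 64, True),
]


def evaluate_samples():
    """Return (label, verdict) for each constructed sample."""
    return [(label, decide(parse_icmp6(raw), hop, wan))
            for label, raw, hop, wan in SAMPLES]


if __name__ == "__main__":
    for label, verdict in evaluate_samples():
        print(f"{verdict:6}  {label}")
```

The Neighbor Discovery branch is the caveat worth noting: a rule that drops every informational message also drops the messages IPv6 needs to resolve neighbors and find routers.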

Anti-Probing

If an outside user attempts to probe an unsupported port on your Device, an ICMP response packet 
is automatically returned. This allows the outside user to know the Device exists. The Device 
supports anti-probing, which prevents the ICMP response packet from being sent. This keeps 
outsiders from discovering your Device when unsupported ports are probed. 

ICMP

Internet Control Message Protocol (ICMP) is a message control and error-reporting protocol 
between a host server and a gateway to the Internet. ICMP uses Internet Protocol (IP) datagrams, 
but the messages are processed by the TCP/IP software and directly apparent to the application 
user. 

DoS Thresholds

For DoS attacks, the Device uses thresholds to determine when to drop sessions that do not 
become fully established. These thresholds apply globally to all sessions. You can use the default 
threshold values, or you can change them to values more suitable to your security requirements.
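A model of how a global threshold on half-open sessions behaves, as an added example that is not the Device's implementation. The parameter names (`max_incomplete`, `timeout`), their values, and the event trace are assumptions; the User's Guide text above does not list the Device's actual thresholds.

```python
from collections import OrderedDict


class HalfOpenTracker:
    """Tracks sessions that have started (SYN) but not yet completed (ACK).

    One table covers all sessions, matching the "apply globally" behaviour:
    the limit is not per source address.
    """

    def __init__(self, max_incomplete=4, timeout=10.0):
        self.max_incomplete = max_incomplete  # hypothetical count threshold
        self.timeout = timeout                # hypothetical seconds to complete
        self.pending = OrderedDict()          # session key -> time SYN was seen
        self.established = set()
        self.dropped = []                     # (session key, reason)

    def _expire(self, now):
        # Oldest entries are first, so stop at the first one still in time.
        while self.pending:
            key, seen = next(iter(self.pending.items()))
            if now - seen < self.timeout:
                break
            self.pending.popitem(last=False)
            self.dropped.append((key, "timeout"))

    def on_syn(self, key, now):
        self._expire(now)
        if key in self.pending or key in self.established:
            return
        self.pending[key] = now
        # Over the threshold: drop the oldest half-open sessions first.
        while len(self.pending) > self.max_incomplete:
            old, _ = self.pending.popitem(last=False)
            self.dropped.append((old, "threshold"))

    def on_ack(self, key, now):
        """Return True if the session is (or becomes) fully established."""
        self._expire(now)
        if key in self.pending:
            del self.pending[key]
            self.established.add(key)
            return True
        return key in self.established


# Constructed event trace (time, event, session key); addresses are from the
# documentation ranges. Two clients finish the handshake; six sources send a
# SYN and never answer.
EVENTS = [
    (0.0, "syn", "192.0.2.10:50000"),
    (0.1, "ack", "192.0.2.10:50000"),
    (1.0, "syn", "198.51.100.1:1111"),
    (1.1, "syn", "198.51.100.2:1111"),
    (1.2, "syn", "198.51.100.3:1111"),
    (1.3, "syn", "198.51.100.4:1111"),
    (1.4, "syn", "198.51.100.5:1111"),
    (1.5, "syn", "198.51.100.6:1111"),
    (20.0, "syn", "192.0.2.11:50001"),
    (20.1, "ack", "192.0.2.11:50001"),
]


def replay(events, **limits):
    """Feed the trace through a tracker and summarise the outcome."""
    tracker = HalfOpenTracker(**limits)
    for now, kind, key in events:
        if kind == "syn":
            tracker.on_syn(key, now)
        else:
            tracker.on_ack(key, now)
    reasons = [reason for _, reason in tracker.dropped]
    return {
        "established": sorted(tracker.established),
        "dropped_threshold": reasons.count("threshold"),
        "dropped_timeout": reasons.count("timeout"),
        "still_pending": len(tracker.pending),
    }


if __name__ == "__main__":
    print(replay(EVENTS))
```

Raising `max_incomplete` in the replay shifts drops from the threshold to the timeout, which is the trade-off to weigh when changing the defaults: a lower threshold sheds half-open sessions sooner but can also discard slow legitimate clients during a burst.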

14.2  Firewall General Screen

Use this screen to select the firewall protection level on the Device. Click Security > Firewall > General to display the following screen.

Figure 99   Security > Firewall > General

Summary of Contents for AMG1312-T10D

Page 1: ...1312 T10D Wireless 2x2 802 11n ADSL2 4 port Gateway with USB Version 1 14 Edition 1 12 2014 Copyright 2014 ZyXEL Communications Corporation User s Guide Default Login Details LAN IP Address http 192 168 1 1 User Name admin Password 1234 ...

Page 2: ... book may differ slightly from your product due to differences in your product firmware or your computer operating system Every effort has been made to ensure that the information in this manual is accurate Related Documentation Quick Start Guide The Quick Start Guide shows how to connect the Device and get up and running right away ...

Page 3: ...51 Home Networking 75 Static Route 101 Quality of Service QoS 105 Network Address Translation NAT 117 Port Binding 125 Dynamic DNS 131 Filter 133 Firewall 139 Parental Control 155 Certificates 159 System Monitor 167 User Account 173 TR 069 Client 175 System 177 Time Setting 179 Log Setting 181 Firmware Upgrade 185 Backup Restore 187 Remote Management 191 Diagnostic 203 Troubleshooting 207 ...

Page 4: ...Contents Overview AMG1312 T10D User s Guide 4 ...

Page 5: ...on 15 1 6 The RESET Button 16 1 6 1 Using the Reset Button 16 1 7 LEDs Lights 16 Chapter 2 Introducing the Web Configurator 19 2 1 Overview 19 2 1 1 Accessing the Web Configurator 19 2 2 The Web Configurator Layout 21 2 2 1 Title Bar 22 2 2 2 Main Window 22 Chapter 3 Quick Start 25 3 1 Overview 25 3 2 Quick Start Setup 25 Chapter 4 Connection Status and System Info 27 4 1 Overview 27 4 2 The Conne...

Page 6: ...1 What You Can Do in this Chapter 51 6 1 2 Wireless Network Overview 51 6 1 3 Before You Begin 53 6 2 Wireless General Screen 53 6 2 1 No Security 55 6 2 2 Basic Static WEP Shared WEP Encryption 55 6 2 3 More Secure WPA2 PSK 56 6 2 4 WPA2 Authentication 57 6 3 More AP Screen 59 6 3 1 Edit More AP 60 6 4 MAC Authentication Screen 61 6 5 The WPS Screen 62 6 6 The WDS Screen 64 6 7 The WMM Screen 65 ...

Page 7: ... Windows Example 92 7 11 Using UPnP in Windows XP Example 95 Chapter 8 Static Route 101 8 1 Overview 101 8 1 1 What You Can Do in this Chapter 101 8 2 Configuring Static Route 102 8 2 1 Add Edit Static Route 102 8 3 IPv6 Static Route 103 8 3 1 IPv6 Static Route Edit 104 Chapter 9 Quality of Service QoS 105 9 1 Overview 105 9 1 1 What You Can Do in this Chapter 105 9 1 2 What You Need to Know 105 9...

Page 8: ... 10 6 3 How NAT Works 123 Chapter 11 Port Binding 125 11 1 Overview 125 11 2 The Port Binding Screen 126 11 2 1 Port Binding Summary Screen 126 11 2 2 The Any Port Any Service Edit Screen 128 Chapter 12 Dynamic DNS 131 12 1 Overview 131 12 1 1 What You Need To Know 131 12 2 The Dynamic DNS Screen 131 Chapter 13 Filter 133 13 1 Overview 133 13 1 1 What You Can Do in the Filter Screens 133 13 2 The ...

Page 9: ...l Control 155 15 1 Overview 155 15 2 The Parental Control Screen 155 15 2 1 Add Edit a Parental Control Rule 156 Chapter 16 Certificates 159 16 1 Overview 159 16 1 1 What You Can Do in this Chapter 159 16 1 2 What You Need to Know 159 16 1 3 Verifying a Certificate 160 16 2 Local Certificates 161 16 3 Trusted CA 163 16 4 Trusted CA Import 163 16 5 View Certificate 164 Chapter 17 System Monitor 167...

Page 10: ... 1 Overview 181 22 2 The Log Setting Screen 181 Chapter 23 Firmware Upgrade 185 23 1 Overview 185 23 2 The Firmware Upgrade Screen 185 Chapter 24 Backup Restore 187 24 1 Overview 187 24 2 The Backup Restore Screen 187 24 3 The Reboot Screen 189 Chapter 25 Remote Management 191 25 1 Overview 191 25 1 1 What You Can Do in the Remote Management Screens 191 25 1 2 What You Need to Know About Remote Ma...

Page 11: ...verview 203 26 1 1 What You Can Do in the Diagnostic Screens 203 26 2 The Ping Screen 203 26 3 The DSL Line Screen 204 Chapter 27 Troubleshooting 207 27 1 Overview 207 27 2 Power Hardware Connections and LEDs 207 27 3 Device Access and Login 208 27 4 Internet Access 209 27 5 Wireless Internet Access 211 27 6 USB Device Connection 212 27 7 UPnP 212 Appendix A Legal Information 213 Index 219 ...

Page 12: ...Table of Contents AMG1312 T10D User s Guide 12 ...

Page 13: ...less card or share files via a USB memory stick or a USB hard drive The Device can also function as a print server with an USB printer connected Only use firmware for your Device s specific model Refer to the label on the bottom of your Device 1 2 Ways to Manage the Device Use any of the following methods to manage the Device Web Configurator Use a supported web browser to manage the Device FTP fo...

Page 14: ... and filtering features on the Device for secure Internet access Set the firewall to allow responses from the Internet for traffic initiated from your network and block traffic initiated from the Internet This blocks probes from the outside to your network but lets you safely browse the Internet and download files Use the filtering feature to block access to specific web sites or Internet applicat...

Page 15: ...5 seconds The WLAN WPS LED turns off Use the WLAN WPS button to quickly set up a secure wireless connection between the Device and a WPS compatible client by adding one device at a time To activate WPS 1 With the POWER LED on steady press the WLAN WPS button for 1 second and release it 2 Within two minutes press the WPS button on a WPS enabled client within range of the Device The WPS WLAN LED sho...

Page 16: ...at you will lose all configurations that you had previously and the user name and password will be reset to the default 1 6 1 Using the Reset Button With the POWER LED on steady press the RESET button for ten seconds or until the POWER LED begins to blink and then release it When the POWER LED begins to blink the defaults have been restored and the device restarts 1 7 LEDs Lights The following gra...

Page 17: ...PS connection Off The wireless network is not activated ETHERNET 1 4 Green On The Device has a successful 100 Mbps Ethernet connection with a device on the Local Area Network LAN Blinking The Device is sending or receiving data to from the LAN at 100 Mbps Off The Device does not have an Ethernet connection with the LAN INTERNET Green On The Device has an IP connection but no traffic Your device ha...

Page 18: ...Chapter 1 Introduction AMG1312 T10D User s Guide 18 ...

Page 19: ...u need to allow Web browser pop up windows from your device Web pop up blocking is enabled by default in Windows XP SP Service Pack 2 JavaScript enabled by default Java permissions enabled by default 2 1 1 Accessing the Web Configurator 1 Make sure your Device hardware is properly connected refer to the Quick Start Guide 2 Launch your web browser 3 Type 192 168 1 1 as the URL 4 A password screen d...

Page 20: ...fault If this happens log in again 5 The following screen displays if you have not yet changed your password It is strongly recommended you change the default password Enter a new password retype it to confirm and click Apply alternatively click Skip to proceed to the main menu if you do not want to change the password now Figure 5 Change Password Screen 6 The Connection Status screen appears ...

Page 21: ...User s Guide 21 Figure 6 Connection Status 7 Click System Info to display the System Info screen where you can view the Device s interface and system information 2 2 The Web Configurator Layout Click Connection Status System Info to show the following screen ...

Page 22: ...e bar B main window C navigation panel 2 2 1 Title Bar The title bar shows the Wizard and Logout icons in the upper right corner Click the Wizard icon to configure basic initial settings Click the Logout icon to log out of the web configurator 2 2 2 Main Window The main window displays information and configuration fields It is discussed in the rest of this document B C A a b ...

Page 23: ...nnection Status screen See Chapter 4 on page 28 for more information on the System Info and Connection Status screens Click Virtual Device on the System Info screen b in Figure 7 on page 22 to display a visual graphic showing the connection status of the Device s ports The connected ports are in color and disconnected ports are gray Figure 8 Virtual Device ...

Page 24: ...Chapter 2 Introducing the Web Configurator AMG1312 T10D User s Guide 24 ...

Page 25: ...res in this chapter 3 2 Quick Start Setup 1 The Quick Start Wizard appears automatically after login Or you can click the Start icon in the top right corner of the web configurator to open the quick start screens Select the time zone of the Device s location and click Next Figure 9 Time Zone 2 Enter your Internet connection information in this screen The screen and fields to enter may vary dependi...

Page 26: ...e Selection 3 Turn the wireless LAN on or off If you keep it on record the security settings so you can configure your wireless clients to connect to the Device Click Save Figure 11 Internet Connection 4 Your Device saves your settings and attempts to connect to the Internet ...

Page 27: ...counts If you click Virtual Device on the System Info screen a visual graphic appears showing the connection status of the Device s ports See Section 2 2 2 on page 22 for more information 4 2 The Connection Status Screen Use this screen to view the network connection status of the device and its clients A warning message appears if there is a connection problem You can configure how often you want...

Page 28: ...stem Info to open this screen Figure 14 System Info Screen Each field is described in the following table Table 2 System Info Screen LABEL DESCRIPTION Refresh Interval Select how often you want the Device to update this screen from the drop down list box Device Information Host Name This field displays the Device system name It is used for identification You can change this in the Maintenance Syst...

Page 29: ...one The Device is not providing any DHCP services to the LAN IPv6 Address This is the current IPv6 address of the Device in the LAN Link local IPv6 Address This is the current LAN IPv6 link local address of the Device IPv6 Prefix This is the current IPv6 prefix length in the LAN Preferred Valid Time sec This is the Preferred Lifetime and Valid Lifetime in the LAN DHCPv6 This field displays what DH...

Page 30: ...used When this percentage is close to 100 the Device is running at full load and the throughput is not going to improve anymore If you want some applications to have more throughput you should turn off other applications DSL Up Bandwidth Usage This field displays what percentage of the Device s upstream DSL bandwidth is currently used When this percentage is close to 100 the Device is running at f...

Page 31: ...that a computer in one location can communicate with computers in other locations Figure 15 LAN and WAN 3G third generation standards for the sending and receiving of voice video and data in a mobile environment You can attach a 3G wireless adapter to the USB port and set the Device to use this 3G connection as your WAN or a backup when the wired WAN connection fails Figure 16 3G WAN Connection 5 ...

Page 32: ...teway IP address if you use the Ethernet or ENET ENCAP encapsulation method Multicast Traditionally IP packets are transmitted in one of either two ways Unicast 1 sender 1 recipient or Broadcast 1 sender everybody on the network Multicast delivers IP packets to a group of hosts on the network not everybody and not just one IGMP Devices use the IGMP Internet Group Management Protocol network layer ...

Page 33: ... inside IPv6 encapsulation packets to the ISP s Address Family Transition Router AFTR in the graphic to connect to the IPv4 Internet The local network can also use IPv6 services The Device uses it s configured IPv6 WAN IP to route IPv6 traffic to the IPv6 Internet Figure 18 Dual Stack Lite 3G 3G Third Generation is a digital packet switched wireless technology Bandwidth usage is optimized as multi...

Page 34: ...5 5 on page 48 for technical background information on WAN 5 1 3 Before You Begin You need to know your Internet access settings such as encapsulation and WAN IP address Get this information from your ISP 5 2 The Internet Connection Screen Use this screen to change your Device s WAN settings Click Network Setting Broadband Internet Connection The screen differs by the mode and encapsulation you se...

Page 35: ...Chapter 5 WAN Setup AMG1312 T10D User s Guide 35 Figure 19 Network Setting Broadband Internet Connection ...

Page 36: ...pe the name of your PPPoE service here Multiplex This displays for an ADSL virtual channel Select the method of multiplexing used by your ISP from the drop down list Choices are VC Mux or LLC IPv6 IPv4 Dual Stack This is not available if you select PPPoA in the Encapsulation field Select IPv4 to have the Device use only IPv4 Select IPv4 IPv6 to let the Device connect to IPv4 and IPv6 networks and ...

Page 37: ... None the Device does not use the DNS server entry IPv6 Address Obtain an IP Address Automatically Select this option to have the Device use the IPv6 prefix from the connected router s Router Advertisement RA to generate an IPv6 address Static IP Address When you set the Encapsulation field to ENET ENCAP select the Static IP Address option if you have a fixed IPv6 address assigned by your ISP DHCP...

Page 38: ...fier to the IPv6 address prefix to create the routable global IPv6 address Select EUI64 to use the EUI 64 format to generate an interface ID from the MAC address of the WAN interface WAN Identifier If you selected Manual enter the WAN Identifier in this field The WAN identifier should be unique and 64 bits in hexadecimal form Every 16 bit block should be separated by a colon as in XXXX XXXX XXXX X...

Page 39: ... to one computer and broadcast packets packets sent to every computer Devices use the IGMP Internet Group Management Protocol network layer protocol to establish membership in a multicast group Select IGMP v1 IGMP v2 IGMP v3 Select None to disable it MLD Proxy Select the version of MLD proxy v1 or v2 to have the Device act as for this connection This allows the Device to get subscription informati...

Page 40: ...that system default is 0 cells sec Maximum Burst Size Maximum Burst Size MBS refers to the maximum number of cells that can be sent at the peak rate Type the MBS which is less than 65535 PPPoE Passthrough If the encapsulation type is PPPoE select this to enable PPPoE Passthrough In addition to the Device s built in PPPoE client you can select this to allow hosts on the LAN to use PPPoE client soft...

Page 41: ... not This field is read only Node Name This is the name of the Internet connection VPI VCI This field displays the Virtual Path Identifier VPI and Virtual Channel Identifier VCI numbers configured for this WAN connection Encapsulation This field indicates the encapsulation method and multiplexing type the Internet connection uses Modify The first ISP connection is read only in this screen Use the ...

Page 42: ...e computers to share an Internet account If you select Bridge the Device will forward any packet that it does not route to this remote node otherwise the packets are discarded Encapsulation Select the method of encapsulation used by your ISP from the drop down list box This field is available if you select Router in the Mode field User Name PPPoA and PPPoE encapsulation only Enter the user name ex...

Page 43: ...his remote node CHAP Your Device accepts CHAP only PAP Your Device accepts PAP only VPI VCI VPI Virtual Path Identifier and VCI Virtual Channel Identifier define a virtual circuit Refer to the appendix for more information IP Address You can use these options when you set the Mode field to Router and the IPv6 IPv4 Dual Stack field to IPv4 or IPv4 IPv6 Select Obtain an IP Address Automatically if t...

Page 44: ... IPv6 Default Gateway With Static IP Address enabled enter the IPv6 address of the default gateway IPv6 DNS Server1 With Static IP Address enabled enter the primary DNS server IPv6 address for the Device IPv6 DNS Server2 With Static IP Address enabled enter the secondary DNS server IPv6 address for the Device Connection Keep Alive Select Keep Alive when you want your connection up all the time The...

Page 45: ...for each multicast group It can reduce multicast traffic significantly Select None to turn off MLD proxy ATM QoS ATM QoS Type Select CBR Continuous Bit Rate to specify fixed always on bandwidth for voice or data traffic Select UBR With PCR Unspecified Bit Rate with Peak Cell Rate for applications that are non time sensitive such as e mail Select Non Realtime VBR Variable Bit Rate non Real Time or ...

Page 46: ...g the PPPoE the encapsulation type select this to enable PPPoE passthrough In addition to the Device s built in PPPoE client this allows hosts on the LAN to use PPPoE client software on their computers to connect to the ISP through the Device Each host can have a separate account and a public WAN IP address MTU MTU The Maximum Transmission Unit MTU defines the size of the largest packet allowed on...

Page 47: ... service provider Password Type the password of up to 70 ASCII printable characters associated with the user name above PIN A PIN Personal Identification Number code is a key to a 3G card Without the PIN code you cannot use the 3G card If your ISP enabled PIN code authentication enter the 4 digit PIN code 0000 for example provided by your ISP If you enter the PIN code incorrectly the 3G card may b...

Page 48: ...ntable characters Spaces are allowed Obtain an IP Address Automatically Select this option If your ISP did not assign you a fixed IP address Use the following static IP address Select this option If the ISP assigned a fixed IP address IP Address Enter your WAN IP address in this field if you selected Use the following static IP address Obtain DNS info dynamically Select this to have the Device get...

Page 49: ...based on RFC 1483 and sends it through an ATM PVC Permanent Virtual Circuit to the Internet Service Provider s ISP DSLAM Digital Subscriber Line DSL Access Multiplexer Please refer to RFC 2364 for more information on PPPoA Refer to RFC 1661 for more information on PPP 5 5 1 4 RFC 1483 RFC 1483 describes two methods for Multiprotocol Encapsulation over ATM Adaptation Layer 5 AAL5 The first method a...

Page 50: ...assigned influences your choices for IP address and ENET ENCAP gateway IP Assignment with PPPoA or PPPoE Encapsulation If you have a dynamic IP then the IP Address and Gateway IP Address fields are not applicable N A If you have a Static IP Address assigned by your ISP then they should also assign you a Subnet Mask and a Gateway IP Address IP Assignment with RFC 1483 Encapsulation In this case the...

Page 51: ...sure quality of service in wireless networks for multimedia applications Section 6 7 on page 65 Use the Scheduling screen to schedule a time period for the wireless LAN to operate each day Section 6 8 on page 66 Use the Advanced screen to configure advanced wireless features Section 6 9 on page 67 You don t necessarily need to use all these screens to set up your wireless connection For example yo...

Page 52: ... name of the wireless network It stands for Service Set IDentifier If two wireless networks overlap they should use a different channel Like radio stations or television channels each wireless network uses a specific channel or frequency to send and receive information Every device in the same wireless network must use security compatible with the AP Security stops unauthorized devices from using ...

Page 53: ...ces support WPS and some do not you can use WPS to set up your network and then add the non WPS devices manually although this is somewhat more complicated to do What advanced options do you want to configure if any If you want to configure advanced options ensure that you know precisely what you want to do If you do not want to configure advanced options leave them alone 6 2 Wireless General Scre...

Page 54: ...associated Wireless devices associating to the access point AP must have the same SSID Enter a descriptive name up to 32 English keyboard characters for the wireless LAN Hide SSID Select this check box to hide the SSID in the outgoing beacon frame so a station cannot obtain the SSID through scanning using a site survey tool Client Isolation Select this to keep the wireless clients in this SSID fro...

Page 55: ...rom any channels used by neighboring APs as possible The channel number which the Device is currently using then displays in the Operating Channel field Scan Click this button to have the Device immediately scan for and select a channel which is not used by another device whenever the device reboots or the wireless setting is changed Operating Channel This is the channel currently being used by yo...

Page 56: ... 28 Wireless General Basic Static WEP Shared WEP The following table describes the labels in this screen 6 2 3 More Secure WPA2 PSK The WPA2 PSK security mode provides both improved data encryption and user authentication over WEP Using a Pre Shared Key PSK both the Device and the connecting client share a common Table 11 Wireless General Basic Static WEP Shared WEP LABEL DESCRIPTION Security Leve...

Page 57: ...m the drop down list box Pre Shared Key The encryption mechanisms used for WPA2 and WPA2 PSK are the same The only difference between the two is that WPA2 PSK uses a simple common password instead of user specific credentials Type a pre shared key from 8 to 63 case sensitive ASCII characters or 64 hexidecimal digits more hide more Click more to show more fields in this section Click hide more to h...

Page 58: ...mber is 1812 You need not change this value unless your network administrator instructs you to do so with additional information Shared Secret Enter a password up to 128 alphanumeric characters as the key to be shared between the external authentication server and the Device The key must be the same on the external authentication server and your Device The key is not sent over the network more hid...

Page 59: ...o enable Advanced Encryption System AES security on your wireless network AES provides superior security to TKIP If the security mode is WPA2 and WPA PSK Compatible is enabled the encryption mode also allows you to select TKIPAES MIX to allow both TKIP and AES types of security in your wireless network Table 13 Wireless General More Secure WPA2 continued LABEL DESCRIPTION Table 14 Network Settings...

Page 60: ...ssociated Wireless devices associating to the access point AP must have the same SSID Enter a descriptive name up to 32 English keyboard characters for the wireless LAN Hide SSID Select this check box to hide the SSID in the outgoing beacon frame so a station cannot obtain the SSID through scanning using a site survey tool Client Isolation Select this to keep the wireless clients in this SSID from...

Page 61: ...wireless network Wireless clients must use the same wireless security settings as the Device to connect to the wireless LAN After you select to use security additional options appears in this screen Or you can select No Security to allow any client to connect to this network without any data encryption or authentication See Section 6 2 1 on page 55 through Section 6 2 4 on page 57 for more details...

Page 62: ... click Apply to activate the WPS function Then you can configure the WPS settings in this screen Add new MAC address Click this if you want to add a new MAC address entry to the MAC filter list below Enter the MAC addresses of the wireless devices that are allowed or denied access to the Device in these address fields Enter the MAC addresses in a valid MAC address format that is six hexadecimal ch...

Page 63: ... network This button may either be a physical button on the outside of device or a menu button similar to the WPS button on this screen Note You must press the other wireless device s WPS button within two minutes of pressing this button Method 2 PIN Use this section to set up a WPS wireless network by entering the PIN Personal Identification Number of the client into the Device Register Enter the...

Page 64: ... you use WPS push button method Click the Generate New PIN button to have the Device create a new PIN Status This displays Configured when the Device has connected to a wireless network using WPS or Enable WPS is selected and wireless or wireless security settings have been changed The current wireless and wireless security settings also appear in the screen This displays Not Configured when there...

Page 65: ...n you set the security mode to WPA2 or WPA2 PSK in the Wireless General screen TKIP Select this to use TKIP Temporal Key Integrity Protocol encryption AES Select this to use AES Advanced Encryption Standard encryption This is the index number of the individual WDS link Active Select this to activate the link between the Device and the peer device to which this entry refers When you do not select t...

Page 66: ...evice to automatically give a service a priority level according to the ToS value in the IP header of packets it sends WMM QoS Wifi MultiMedia Quality of Service gives high priority to voice and video which makes them run more smoothly Apply Click Apply to save your changes Cancel Click Cancel to restore your previously saved settings Table 20 Network Setting Wireless Scheduling LABEL DESCRIPTION ...

Page 67: ... format the rule turns the wireless LAN back on Security This field indicates the security mode of the SSID profile Modify Click the Edit icon to configure the scheduling rule Click the Delete icon to remove the scheduling rule Apply Click Apply to save your changes Cancel Click Cancel to restore your previously saved settings Table 20 Network Setting Wireless Scheduling continued LABEL DESCRIPTIO...

Page 68: ...t 802 11n to allow only IEEE 802 11n compliant WLAN devices to associate with the Device Select 802 11g n to allow either IEEE 802 11g or IEEE 802 11n compliant WLAN devices to associate with the Device The transmission rate of the Device might be reduced when an 802 11g wireless client is associated with it Select 802 11b g n to allow IEEE 802 11b IEEE 802 11g or IEEE 802 11n compliant WLAN devic...

Page 69: ...l not keep a determined attacker out Other security standards are secure in themselves but can be broken if a user does not use them properly For example the WPA2 PSK security standard is very secure if you use a long key which is difficult for an attacker s software to guess for example a twenty letter long string of apparently random numbers and letters but it is not very secure if you use a sho...

Page 70: ... security is fairly weak however because there are ways for unauthorized wireless devices to get the SSID In addition unauthorized wireless devices can still see the information that is sent in the wireless network 6 10 2 2 User Authentication Authentication is the process of verifying whether a wireless device is allowed to use the wireless network You can make every user log in to the wireless n...

Page 71: ...pending on the type of wireless network login and select the WPA compatible option in the Device Many types of encryption use a key to protect the information in the wireless network The longer the key the stronger the encryption Every device in the wireless network must have the same key 6 10 3 Signal Problems Because wireless networks are radio networks their signals are subject to limitations o...

Page 72: ...ity modes to different SSIDs Wireless devices can use different BSSIDs to associate with the same AP 6 10 5 1 Notes on Multiple BSSs A maximum of eight BSSs are allowed on one AP simultaneously You must use different keys for different BSSs If two wireless devices have different BSSIDs they are in different BSSs but have the same keys they may hear each other s communications but not communicate w...

Page 73: ...owing figure illustrates how WDS link works between APs Notebook computer A is a wireless client connecting to access point AP 1 AP 1 has no wired Internet connection but it can establish a WDS link with access point AP 2 which has a wired Internet connection When AP 1 has a WDS link with AP 2 the notebook computer can access the Internet through AP 2 Figure 42 WDS Link Example WDS AP 2 AP 1 A ...

Page 74: ...Chapter 6 Wireless AMG1312 T10D User s Guide 74 ...

Page 75: ...een to assign IP addresses on the LAN to specific individual computers based on their MAC Addresses Section 7 3 on page 80 Use the IP Alias screen Section 7 4 on page 81 to configure another logical network in the physical LAN network Use the UPnP screen to enable UPnP Section 7 5 on page 82 Use the UPnP Rule screen to Use the IPv6 LAN Setup screen Section 7 6 on page 82 to configure the IPv6 sett...

Page 76: ...server addresses you enter when you set up DHCP are passed to the client machines along with the assigned IP address and subnet mask 7 1 2 2 About UPnP How do I know if I m using UPnP UPnP hardware is identified as an icon in the Network Connections folder Windows XP Each UPnP compatible device installed on your network will appear as a separate icon Selecting the icon of a UPnP device will allow ...

Page 77: ...fferent operating systems such as Windows or Linux have different file systems The file sharing feature on your Device supports FAT16 FAT32 NTFS EXT2 and EXT3 Common Internet File System The Device uses Common Internet File System CIFS protocol for its file sharing functions CIFS compatible computers can access the USB file storage devices connected to the Device CIFS protocol is supported on Micr...

Page 78: ... TCP IP ports for printing and be compatible with the RAW port 9100 protocol The following OSs support Device s printer sharing feature Microsoft Windows 95 Windows 98 SE Second Edition Windows Me Windows NT 4 0 Windows 2000 Windows XP or Macintosh OS X 7 2 The LAN Setup Screen Click Network Setting Home Networking to open the LAN Setup screen Use this screen to set the Local Area Network IP addre...

Page 79: ...d to deactivate it DHCP Server State DHCP Select Enable to have your Device assign IP addresses an IP default gateway and DNS servers to LAN computers and other devices that are DHCP clients If you select Disable you need to manually configure the IP addresses of the computers and other devices on your LAN When DHCP is used the following fields need to be set IP Addressing Values IP Pool Starting ...

Page 80: ...CRIPTION Add new static lease Click this to add a new static DHCP entry This is the index number of the entry Status This field displays whether the client is connected to the Device Host Name This field displays the client host name MAC Address The MAC Media Access Control or Ethernet address on a LAN Local Area Network is unique to your computer six pairs of hexadecimal notation A network interf...

Page 81: ... change your Device's IP alias settings. Click Network Setting > Home Networking > IP Alias to open the following screen. Figure 46 Network Setting > Home Networking > IP Alias. The following table describes the labels in this screen. Table 27 Static DHCP Add. LABEL / DESCRIPTION. MAC Address: Enter the MAC address of a computer on your LAN. IP Address: Enter the IP address that you want to assign to the computer on...

Page 82: ...able describes the labels in this screen. 7.6 The IPv6 LAN Setup Screen. Use this screen to configure the IPv6 settings for your Device's LAN interface. Subnet Mask: Your Device will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the Device. Apply: Click this to save your changes. Cancel: Click this to ...

Page 83: ...Chapter 7 Home Networking. AMG1312-T10D User's Guide, 83. Figure 48 Network Setting > Home Networking > IPv6 LAN Setup ...

Page 84: ... If you selected Manual, enter the LAN Identifier in this field. The LAN identifier should be unique and 64 bits in hexadecimal form. Every 16 bit block should be separated by a colon as in XXXX:XXXX:XXXX:XXXX where X is a hexadecimal character. Blocks of zeros can be represented with double colons as in XXXX:XXXX::XXXX. IPv6 ULA Address Type. A unique local address (ULA) is a unique IPv6 address for use i...

Page 85: ... either through router advertisements or through DHCPv6. DHCPv6. DHCPv6 Server: Use this field to Enable or Disable DHCPv6 server on the Device. DNSv6 Mode: Select the DNS role (Proxy or Relay) that you want the Device to act in the IPv6 LAN network. Alternatively, select Manual and specify the DNS servers' IPv6 address in the fields below. Primary DNS: This field is available if you choose Manual as the DNSv...

Page 86: ...rding an IPv6 packet. IPv6 routers are required to decrease the Hop Limit by 1 and to discard the IPv6 packet when the Hop Limit is 0. Possible values for this field are 0 to 255. Router Lifetime: Enter the time in seconds that hosts should consider the Device to be the default router. Possible values for this field are 0 to 9000. Router Preference: Select the router preference (Low, Medium or High) for the Device...

Page 87: ... administrator. 7.7.1 Before You Begin. Make sure the Device is connected to your network and turned on. 1. Connect the USB device to one of the Device's USB ports. Make sure the Device is connected to your network. 2. The Device detects the USB device and makes its contents available for browsing. If you are connecting a USB hard drive that comes with an external power supply, make sure it is connected to...

Page 88: ...Access Level: Select Public to allow all LAN users to access the shared folders. Select Security to allow only the users added and activated in the Account Management section below to access the shared folders. Account Management. This is the index number of the file sharing user account. Status: This shows whether or not the file sharing user account is activated. User Name: This field displays the user ...

Page 89: ...n the Device and then configuring a TCP/IP port on the computers connected to your network. Table 32 File Sharing Add/Edit. LABEL / DESCRIPTION. Active: Select this to activate the file sharing user account. User Name: Type the user name for the account. New Password: Type your new system password (up to 30 characters). Note that as you type a password, the screen displays a for each character you type. After yo...

Page 90: ...ufacturers instructions on how to install the printer software on your computer. Note: Your printer's installation instructions may ask that you connect the printer to your computer. Connect your printer to the Device instead. Use this screen to enable or disable sharing of a USB printer via your Device. To access this screen, click Network Setting > Home Networking > Printer Server. Figure 53 Network Settin...

Page 91: ... can configure the Device as a DHCP server or disable it. When configured as a server, the Device provides the TCP/IP configuration for the clients. If you turn DHCP service off, you must have another DHCP server on your LAN, or else the computer must be manually configured. IP Pool Setup: The Device is pre-configured with a pool of IP addresses for the DHCP clients (DHCP Pool). See the product specificatio...

Page 92: ...number portion of an IP address. Your Device will compute the subnet mask automatically based on the IP address that you entered. You don't need to change the subnet mask computed by the Device unless you are instructed to do otherwise. Private IP Addresses: Every machine on the Internet must have a unique address. If your networks are isolated from the Internet, for example only between your two branch...

Page 93: ... the Windows Setup tab and select Communication in the Components selection box. Click Details. Figure 55 Add/Remove Programs: Windows Setup: Communication. 3. In the Communications window, select the Universal Plug and Play check box in the Components selection box. Figure 56 Add/Remove Programs: Windows Setup: Communication: Components ...

Page 94: ...tall the UPnP in Windows XP. 1. Click Start and Control Panel. 2. Double-click Network Connections. 3. In the Network Connections window, click Advanced in the main menu and select Optional Networking Components. Figure 57 Network Connections. 4. The Windows Optional Networking Components Wizard window displays. Select Networking Service in the Components selection box and click Details. Figure 58 Windows Opt...

Page 95: ... UPnP in Windows XP Example. This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the Device. Make sure the computer is connected to a LAN port of the Device. Turn on your computer and the Device. Auto-discover Your UPnP-enabled Network Device. 1. Click Start and Control Panel. Double-click Network Connections. An icon di...

Page 96: ...Network Connections. 3. In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created. Figure 61 Internet Connection Properties. 4. You may edit or delete the port mappings or click Add to manually add port mappings ...

Page 97: ...es Advanced Settings Add. 5. When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically. 6. Select Show icon in notification area when connected option and click OK. An icon displays in the system tray. Figure 64 System Tray Icon. 7. Double-click on the icon to display your current Internet connection status ...

Page 98: ...based configurator on the Device without finding out the IP address of the Device first. This is helpful if you do not know the IP address of the Device. Follow the steps below to access the web configurator. 1. Click Start and then Control Panel. 2. Double-click Network Connections. 3. Select My Network Places under Other Places. Figure 66 Network Connections ...

Page 99: ...Right-click on the icon for your Device and select Invoke. The web configurator login screen displays. Figure 67 Network Connections: My Network Places. 6. Right-click on the icon for your Device and select Properties. A properties window displays with basic information about the Device. Figure 68 Network Connections: My Network Places: Properties: Example ...

Page 101: ...traffic from A to the Internet through the Device's default gateway (R1). You create one static route to connect to services offered by your ISP behind router R2. You create another static route to communicate with a separate network behind a router R3 connected to the LAN. Figure 69 Example of Static Routing Topology. 8.1.1 What You Can Do in this Chapter. Use the Static Route screens (Section 8.2 on pag...

Page 102: ...ew Static Route: Click this to set up a new static route on the Device. This is the number of an individual static route. Destination IP: This parameter specifies the IP network address of the final destination. Routing is always based on network number. Gateway: This is the IP address of the gateway. The gateway is a router or switch on the same network segment as the device's LAN or WAN port. The gateway...

Page 103: ...r destinations. Bound Interface: You can decide if you want to forward packets to a gateway IP address or a bound interface. If you want to configure Bound Interface, select the check box and choose an interface through which the traffic is sent. You must have the WAN interfaces already configured in the Broadband screen. Metric: Enter the cost of transmission for routing purposes. IP routing uses hop cou...

Page 104: ... Static Route Add/Edit. LABEL / DESCRIPTION. Destination IPv6 Address: This parameter specifies the IP network address of the final destination. Routing is always based on network number. If you need to specify a route to a single host, use a prefix length of 128 in the prefix length field to force the network number to be identical to the host ID. IPv6 Prefix Length: Enter the address prefix to specify how...

Page 105: ...elay such as Internet gaming, and those for which jitter alone is a problem such as Internet radio or streaming video. 9.1.1 What You Can Do in this Chapter. Use the General screen to enable QoS, set the bandwidth, and allow the Device to automatically assign priority to upstream traffic according to the IP precedence or packet length (Section 9.2 on page 106). Use the Queue Setup screen to configure QoS ...

Page 106: ...ur network performance. You can give priority to traffic that the Device forwards out through the WAN interface. Give high priority to voice and video to make them run more smoothly. Similarly, give low priority to many large file downloads so that they do not reduce the quality of other applications. Traffic priority will be automatically assigned by: Select how the Device assigns priorities to various...

Page 107: ...the index number of this entry. Status: This indicates whether the queue is active or not. A yellow bulb signifies that this queue is active. A gray bulb signifies that this queue is not active. Name: This shows the descriptive name of this queue. Interface: This shows the name of the Device's interface through which traffic in this queue passes. Priority: This shows the priority of this queue. Weight: This s...

Page 108: ...ot reduce the quality of other applications. Click Network Setting > QoS > Class Setup to open the following screen. Table 40 Queue Setup Edit. LABEL / DESCRIPTION. Active: Select to enable or disable this queue. Name: Enter the descriptive name of this queue. Interface: Select the interface of this queue. Priority: Select the priority level (from 1 to 7) of this queue. The lower the number, the higher the priority le...

Page 109: ...y bulb signifies that this classifier is not active. From Interface: If the classifier applies to traffic coming in through a specific interface, it displays here. Classification Criteria: This shows criteria specified in this classifier, for example the interface from which traffic of this class should come and the source MAC address of traffic that matches this classifier. DSCP Traffic Class Mark: This ...

Page 110: ...his screen. Table 42 Class Setup Add/Edit. LABEL / DESCRIPTION. Rule Index: Select the order number of this rule. Class Configuration. Active: Select to enable this classifier. Ether Type: Select the Ether type (IPv4, IPv6, ARP or IEEE 802.1Q) to which this rule applies. Interface: Select whether to apply this class to traffic from the LAN or from the WAN ...

Page 111: ... 00:00 and the mask to ff:ff:ff:00:00:00, a packet with a MAC address of 00:13:49:12:34:56 matches this criteria. Exclude: Select this option to exclude the packets that match the specified criteria from this classifier. Destination IP Address: Select the check box and enter the destination IP address in dotted decimal notation. A blank source IP address means any source IP address. IP Subnet Mask: Enter ...

Page 112: ...ghest. Type of Service: Select a type of service from the drop-down list box. DSCP Range 0-63: Select this option and specify a DSCP (DiffServ Code Point) number between 0 and 63 in the field provided. 802.1P: Select this option and select a priority level (between 0 and 7) from the drop-down list box. 0 is the lowest priority level and 7 is the highest. VLAN ID: Select this option and enter the source VLAN ID...

Page 113: ...y level and VLAN ID that you specify in the Ethernet Priority and VLAN ID fields. If you select Same, the Device keeps the Ethernet Priority and VLAN ID in the packets. To configure the Ethernet Priority, you can either select a priority number in the first drop-down list box (7 is the highest and 0 is the lowest priority) or select an application from the second drop-down list box, which automatically ma...

Page 114: ...n. Table 43 Network Setting > QoS > Policer Setup (continued). LABEL / DESCRIPTION. Table 44 Policer Setup Add/Edit. LABEL / DESCRIPTION. Active: Select the check box to activate this policer. Name: Enter the descriptive name of this policer. Meter Type: This shows the traffic metering algorithm used in this policer. The Simple Token Bucket algorithm uses tokens in a bucket to control when traffic can be transmitted. E...

Page 115: ...the DSCP mark value of the packets. Enter the DSCP mark value to use. Non-Conforming Action: Specify what the Device does for packets that exceed the excess burst size or peak rate and burst size (red-marked packets). Drop: Discard the packets. DSCP Mark: Change the DSCP mark value of the packets. Enter the DSCP mark value to use. The packets may be dropped if there is congestion on the network. Available Cla...

Page 116: ...ending on the code points without the need to negotiate paths or remember state information for every flow. In addition, applications do not have to request a particular service or give advanced notice of where the traffic is going. DSCP and Per-Hop Behavior: DiffServ defines a new DS (Differentiated Services) field to replace the Type of Service (TOS) field in the IP header. The DS field contains a 2-bit ...

Page 117: ...o Know. The following terms and concepts may help as you read this chapter. Inside/Outside and Global/Local: Inside/outside denotes where a host is located relative to the Device; for example, the computers of your subscribers are the inside hosts, while the web servers on the Internet are the outside hosts. Global/local denotes the IP address of a host in a packet as the packet traverses a router, for ex...

Page 118: ...oming service requests to the servers on your local network. You may enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server. The port number identifies a service; for example, web service is on port 80 and FTP on port 21. In some cases, such as for unknown services or where one server can support more than one service (for example both FTP and...

Page 119: ...lnet and SMTP server (A in the example), port 80 to another (B in the example) and assign a default server IP address of 10.0.0.35 to a third (C in the example). You assign the LAN IP addresses and the ISP assigns the WAN IP address. The NAT network appears as a single host on the Internet. Figure 83 Multiple Servers Behind NAT Example. 10.3.1 The Port Forwarding Screen. Click Network Setting > NAT to open the ...

Page 120: ...ber that identifies a service. External End Port: This is the last external port number that identifies a service. Internal Start Port: This is the first internal port number that identifies a service. Internal End Port: This is the last internal port number that identifies a service. Server IP Address: This is the server's IP address. Modify: Click the Edit icon to edit the port forwarding rule. Click the D...

Page 121: ...ange. To forward only one port, enter the port number in the External Start Port field above and then enter it again in this field. To forward a series of ports, enter the last port number in a series that begins with the port number in the External Start Port field above. Server IP Address: Enter the inside IP address of the virtual server here. Protocol: Select the protocol supported by this virtual ser...

Page 122: ...s screen. 10.6 Technical Reference. This section provides some technical background information about the topics covered in this chapter. Table 49 Network Setting > NAT > DMZ. LABEL / DESCRIPTION. WAN Interface: Select the WAN interface for which to configure a default server. Default Server Address: Enter the IP address of the default server which receives packets from ports that are not specified in the Port ...

Page 123: ... to the original inside host. Note that the IP address (either local or global) of an outside host is never changed. The global IP addresses for the inside hosts can be either static or dynamically assigned by the ISP. In addition, you can designate servers, for example, a web server and a Telnet server, on your local network and make them accessible to the outside world. If you do not define any servers, NA...

Page 124: ...have their original values restored. The following figure illustrates this. Figure 88 How NAT Works [figure: LAN hosts 192.168.1.10, 192.168.1.11, 192.168.1.12 and 192.168.1.13 behind the Device; NAT Table listing Inside Local IP Addresses 192.168.1.10, 192.168.1.11, 192.168.1.12, 192.168.1.13 against Inside Global IP Addresses IGA 1, IGA 2, IGA 3, IGA 4; source address (SA) 192.168.1.10 on the LAN side and IGA1 on the WAN side; ILA = Inside Local Address, IGA = Inside Global Address] ...

Page 125: ...ports not belonging to a port binding group, the Device forwards traffic according to the routing table. Additionally, specify ATM QoS settings for an ADSL virtual channel (PVC) to satisfy the bandwidth requirements of the traffic the PVC carries. For example, create two port binding groups on the device (R1) for two different WAN ATM PVC connections. The first PVC (PVC1) handles non-time-sensitive data traff...

Page 126: ...hen a port is assigned to a port binding group, traffic will be forwarded to the other ports in the group, but not to ports in other groups. If a port is not included in any groups, traffic will be forwarded according to the routing table. ATM VCs: Select the ATM VC (PVC) to include in the port binding group. Each ATM VC can only be bound to one group. Ethernet: Select the Ethernet (Eth) ports to include in th...

Page 127: ...Port Any Service feature, select Enable Any Port Any Service. The Device binds a LAN port with WAN interface per source MAC or DHCP options from the LAN host dynamically. You can configure up to 5 dynamic port binding groups. Figure 92 Network Setting > Port Binding > Any Port Any Service. Table 53 Network Setting > Port Binding > Port Binding Summary. LABEL / DESCRIPTION. Group ID: This field displays the group in...

Page 128: ...LABEL / DESCRIPTION. Index: This is the index number for the port binding group. Option60: This is the Vendor Class Identifier of the matched traffic. Option61: This is the device identity of the matched traffic. Option77: This is the User Class Identifier of the matched traffic. Option125: This is the vendor specific information of the matched traffic. MAC Mask: This is the source MAC address and MAC mask of t...

Page 129: ...ds in the Vendor Class Identifier configured for DHCP option 60. DHCP option61: Select this and enter the device identity of the matched traffic. IAID: Enter the Identity Association Identifier (IAID) of the device, for example, the WAN connection index number. DUID type: Select DUID-LLT (DUID Based on Link-layer Address Plus Time) to enter the hardware type, a time value and the MAC address of the device. Sele...

Page 130: ...pter 11 Port Binding. AMG1312-T10D User's Guide, 130. It is suggested to reboot the Device after you have changed the port binding settings or WAN encapsulation. Figure 94 Network Setting > Port Binding > Disable ...

Page 131: ...w your IP address. First of all, you need to have registered a dynamic DNS account with www.dyndns.org. This is for people with a dynamic IP from their ISP or DHCP server that would still like to have a domain name. The Dynamic DNS service provider will give you a password or key. 12.1.1 What You Need To Know. DYNDNS Wildcard: Enabling the wildcard feature for your host causes yourhost.dyndns.org to be a...

Page 132: ... Dynamic DNS provider. Username: Type your user name for the Dynamic DNS service provider. Password: Type your password for the Dynamic DNS service provider. Apply: Click Apply to save your changes. Cancel: Click Cancel to restore your previously saved settings. Dynamic DNS Status. User Authentication Result: This field displays the results of the Device's attempt to authenticate with the Dynamic DNS service...

Page 133: ...s. 13.1.1 What You Can Do in the Filter Screens. Use the IP/MAC Filter screen (Section 13.2 on page 133) to create IPv4/MAC filter rules. Use the IPv6/MAC Filter screen (Section 13.3 on page 135) to create IPv6/MAC filter rules. 13.2 The IP/MAC Filter Screen. Use this screen to create and apply IPv4/MAC filters. Click Security > Filter to display the screen as shown. Figure 96 Security > Filter ...

Page 134: ...t is 0.0.0.0. Subnet Mask: Enter the IP subnet mask for the destination IP address. Port Number: Enter the destination port of the packets that you wish to filter. The range of this field is 0 to 65535. This field is ignored if it is 0. Protocol: Select ICMP, TCP or UDP for the upper layer protocol. Source MAC Address: This field is only available when you select MAC in the Rule Type field. Enter the MAC addr...

Page 135: ... create a filter rule that blocks traffic. IPv6/MAC Filter Rule Editing. IPv6/MAC Filter Rule Index: Select the index number of the filter rule. Active: Use this field to enable or disable the rule. Interface: Select the interface to which to apply the filter. Direction: Apply the filter to Incoming or Outgoing traffic direction. Rule Type: Select IP to filter traffic by IP addresses. Select MAC to filter tra...

Page 136: ...t; 135: Neighbor Solicitation; 136: Neighbor Advertisement; 137: Redirect (Redirect message). Protocol: This is the upper layer protocol that defines the service to which this rule applies. By default it is ICMPv6. Source MAC Address: This field is only available when you select MAC in the Rule Type field. Enter the MAC address of the packets you wish to filter. IPv6/MAC Filter Listing. IPv6/MAC Filter Rule Index...

Page 137: ...r's Guide, 137. Delete: Click this to remove the filter rule selected in the IPv6/MAC Filter Rule Index field. Cancel: Click this to restore your previously saved settings. Table 58 Security > Filter > IPv6/MAC Filter (continued). LABEL / DESCRIPTION ...

Page 139: ...or disabled. The following figure illustrates the firewall action. User A can initiate an IM (Instant Messaging) session from the LAN to the WAN (1). Return traffic for this session is also allowed (2). However, other traffic initiated from the WAN is blocked (3 and 4). Figure 98 Default Firewall Action. 14.1.1 What You Can Do in the Firewall Screens. Use the General screen (Section 14.2 on page 141) to select the ...

Page 140: ... pre-configured to automatically detect and thwart all known DoS attacks. DDoS: A Distributed DoS (DDoS) attack is one in which multiple compromised systems attack a single target, thereby causing denial of service for users of the targeted system. LAND Attack: In a Local Area Network Denial (LAND) attack, hackers flood SYN packets into the network with a spoofed source IP address of the target system. This ...

Page 141: ...probed. ICMP: Internet Control Message Protocol (ICMP) is a message control and error-reporting protocol between a host server and a gateway to the Internet. ICMP uses Internet Protocol (IP) datagrams, but the messages are processed by the TCP/IP software and directly apparent to the application user. DoS Thresholds: For DoS attacks, the Device uses thresholds to determine when to drop sessions that do not b...

Page 142: ...t blocks anyone from the Internet from accessing any services on your local network. Low: This setting allows traffic to the Internet and also allows someone from the Internet to access services on your local network. This would be used with Port Forwarding, Default Server. Custom: This setting allows the customer to create and edit individual firewall rules. Firewall rules can be created in the Default ...

Page 143: ...wn list boxes to select the default action that the firewall is to take on packets that are traveling in the selected direction and do not match any of the firewall rules. Select Drop to silently discard the packets without sending a TCP reset packet or an ICMP destination-unreachable message to the sender. Select Reject to deny the packets and send a TCP reset packet (for a TCP packet) or an ICMP des...

Page 144: ...ank source or destination address is equivalent to Any. Destination IP Address: This column displays the destination addresses or ranges of addresses to which this firewall rule applies. Please note that a blank source or destination address is equivalent to Any. Service: This column displays the services to which this firewall rule applies. Action: This field displays whether the firewall silently disca...

Page 145: ...iscard (Drop), deny and send an ICMP destination-unreachable message to the sender of (Reject) or allow the passage of (Permit) packets that match this rule. IP Version Type: Select the IP version, IPv4 or IPv6, to apply this firewall rule to. Rate Limit: Set a maximum number of packets per second, minute, or hour to limit the throughput of traffic that matches this rule. Maximum Burst Number: Set the maximum numb...

Page 146: ...ress. Address Type: Do you want your rule to apply to packets with a particular (single) IP, a range of IP addresses (for instance, 192.168.1.10 to 192.169.1.50), a subnet or any IP address? Select an option from the drop-down list box that includes: Single Address, Range Address, Subnet Address and Any Address. Start IP Address: Enter the single IP address or the starting IP address in a range here. End IP Addre...

Page 147: ...es. LABEL / DESCRIPTION. This is the number of your customized port. Name: This is the name of your customized service. Protocol: This shows the IP protocol (TCP or UDP) that defines your customized service. Port Type: This is the port number or range that defines your customized service. Start Port: This is a single port number or the starting port number of a range that defines your customized service. End Por...

Page 148: ...es Add/Edit. LABEL / DESCRIPTION. Config. Service Name: Type a unique name for your custom port. Service Type: Choose the IP port (TCP or UDP) that defines your customized port from the drop-down list box. Port Configuration. Type: Click Single to specify one port only or Port Range to specify a span of ports that define your customized service. Port Number: Type a single port number or the range of port numbers...

Page 149: ...affic. An unusually high number (or arrival rate) of half-open sessions could indicate a DoS attack. 14.5.1.1 Threshold Values. If everything is working properly, you probably do not need to change the threshold settings, as the default threshold values should work for most small offices. Tune these parameters when you believe the Device has been receiving DoS attacks that are not recorded in the logs or ...

Page 150: ...lf-open sessions. When the rate of new connection attempts rises above this number, the Device deletes half-open sessions as required to accommodate new connection attempts. UDP Packet Count: This is the rate of new UDP half-open sessions per second that causes the firewall to start deleting half-open sessions. When the rate of new connection attempts rises above this number, the Device deletes half ope...

Page 151: ...packets traveling in the following directions. LAN to Router: These rules specify which computers on the LAN can manage the Device (remote management). Note: You can also configure the remote management settings to allow only a specific computer to manage the Device. LAN to WAN: These rules specify which computers on the LAN can access which computers or services on the WAN. By default, the Device's statefu...

Page 152: ... customized rules take precedence and override the Device's default rules. 14.6.2 Guidelines For Enhancing Security With Your Firewall. 1. Change the default password via web configurator. 2. Think about access control before you connect to the network in any way. 3. Limit who can access your router. 4. Don't enable any local service (such as telnet or FTP) that you don't use. Any enabled service could presen...

Page 153: ...l is on, your Device acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the Device to protect your LAN against attacks. Figure 108 Ideal Firewall Setup. 14.6.4.1 The Triangle Route Problem. A traffic route is a path for sending or receiving data packets between two Ethernet devices. You may have more than one ...

Page 154: ...th the Device being the gateway for each logical network. It's like having multiple LAN networks that actually use the same physical cables and ports. By putting your LAN and Gateway A in different subnets, all returning network traffic must pass through the Device to your LAN. The following steps describe such a scenario. 1. A computer on the LAN initiates a connection by sending a SYN packet to a rece...

Page 155: ...creen. Table 67 Parental Control > Parental Control. LABEL / DESCRIPTION. Parental Control: Select Enable to activate parental control. Add new PCP: Click this if you want to configure a new parental control rule. This shows the index number of the rule. Status: This indicates whether the rule is active or not. A yellow bulb signifies that this rule is active. A gray bulb signifies that this rule is not active. P...

Page 156: ... on your network from accessing certain web sites. Figure 112 Add/Edit Parental Control Rule. Website Blocked: This shows whether the website block is configured. If not, None will be shown. Modify: Click the Edit icon to go to the screen where you can edit the rule. Click the Delete icon to delete an existing rule. Add: Click Add to create a new schedule. Apply: Click Apply to save your changes back to the D...

Page 157: ... the time that the LAN user is allowed access. Network Service. Network Service Setting: If you select Block, the Device prohibits the users from viewing the Web sites with the URLs listed below. If you select Access, the Device blocks access to all URLs except ones listed below. Add new service: Click this to show a screen in which you can add a new service rule. You can configure the Service Name, Protoco...

Page 159: ...uthorities. A Certification Authority (CA) issues certificates and guarantees the identity of each certificate owner. There are commercial certification authorities like CyberTrust or VeriSign and government certification authorities. Public and Private Keys: When using public-key cryptology for authentication, each host has two keys. One key is public and can be made openly available; the other key is pri...

Page 160: ...is called PKI (public-key infrastructure). Advantages of Certificates: Certificates offer the following benefits. The Device only has to store the certificates of the certification authorities that you decide to trust, no matter how many devices you need to authenticate. Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys. Cert...

Page 161: ...he Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your situation. Possible examples would be over the telephone or through an HTTPS connection. 16.2 Local Certificates. Use this screen to view the Device's summary list of certificates and certification requests. You can import the following certificates to your Device. Web Server: This certificate secures HTTP connections...

Page 162: ... field displays the date that the certificate becomes applicable. The text displays in red and includes a Not Yet Valid message if the certificate has not yet become applicable. Valid To: This field displays the date that the certificate expires. The text displays in red and includes an Expiring or Expired message if the certificate is about to expire or has already expired. Cert: Click this button and ...

Page 163: ... from the certificate's filename before you can import the certificate. Table 70 Security > Certificates > Trusted CA (LABEL: DESCRIPTION). Import Certificate: Click this button to open a screen where you can save the certificate of a certification authority that you trust to the Device. Name: This field displays the name used to identify this certificate. Subject: This field displays information that identifie...

Page 164: ... revoked certificates before trusting a certificate issued by the certification authority. Click Security > Certificates > Trusted CA to open the Trusted CA screen. Click the View icon to open the View Certificate screen. Table 71 Security > Certificates > Trusted CA > Import (LABEL: DESCRIPTION). Certificate File Path: Type in the location of the file you want to upload in this field or click Browse to find it. Bro...

Page 165: ...ou may use any character, not including spaces. Certificate Detail: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format. PEM uses 64 ASCII characters to convert the binary certificate into a printable form. You can copy and paste the certificate into an e-mail to send to friends or colleagues, or you can copy and paste the certificate into a text...


Page 167: ...ol and attempted access to blocked web sites. Some categories, such as System Errors, consist of both logs and alerts. You may differentiate them by their color in the View Log screen. Alerts display in red and logs display in black. Syslog Overview: The syslog protocol allows devices to send event notification messages across an IP network to syslog servers that collect the event messages. A syslog-enabl...

Page 168: ...tinued (CODE: SEVERITY). Table 74 System Monitor > Log (LABEL: DESCRIPTION). Level: Select a severity level from the drop-down list box. This filters search results according to the severity level you have selected. When you select a severity, the Device searches through all logs of that severity or higher. Refresh: Click this to renew the log screen. Clear Logs: Click this to delete all the logs. Export: Click this ...

Page 169: ...received through the WAN interface of the Device Refresh Interval Specify how often you want the Device to update this screen and click Set Interval to apply the change Click Stop to halt updating of the screen Connected Interface This shows the name of the WAN interface that is currently connected Packets Sent Data This indicates the number of transmitted packets on this interface Error This indi...

Page 170: ...e screen Interface This shows the LAN or WLAN interface Bytes Sent This indicates the number of bytes transmitted on this interface Bytes Received This indicates the number of bytes received on this interface Interface This shows the LAN or WLAN interface Sent Packet Data This indicates the number of transmitted packets on this interface Error This indicates the number of frames with errors transm...

Page 171: ...y how often you want the Device to update this screen and click Set Interval to apply the change Click Stop to halt updating of the screen Device Name This shows the name of the client IP Address This shows the IP address of the client MAC Address This shows the MAC address of the client No of Open Session This shows the number of NAT sessions used by the client Total This shows the total number o...


Page 173: ...nance User Account LABEL DESCRIPTION User Name You can configure the password for the admin account Old Password Type the default password or the existing password you use to access the system in this field New Password Type your new system password up to 30 characters Note that as you type a password the screen displays a for each character you type After you change the password use the new passw...


Page 175: ...cedure Calls (RPCs) between an ACS and a client device. RPCs are sent in Extensible Markup Language (XML) format over HTTP or HTTPS. An administrator can use an ACS to remotely set up the Device, modify settings, perform firmware upgrades, as well as monitor and diagnose the Device. You have to enable the device to be managed by the ACS and specify the ACS IP address or domain name and username and password...

Page 176: ...r is the HTTP port (port 80). If you change it, make sure it does not conflict with another port on your network, and it is recommended to use a port number above 1024 (not a commonly used port). The management server should use this port to connect to the Device. You may need to alter your NAT port forwarding rules if they were already configured. Connection Request User Name: Enter the connection request u...

Page 177: ...escribes the labels in this screen. Table 80 Maintenance > System (LABEL: DESCRIPTION). Administrator Inactivity Timer: Type how many minutes a management session (either via the web configurator) can be left idle before the session times out. The default is 5 minutes. After it times out, you have to log in with your password again. Very long idle timeouts may have security risks. A value of 0 means a management...


Page 179: ...this screen to configure the Device s time based on your local time zone Figure 126 Maintenance Time Setting The following table describes the fields in this screen Table 81 Maintenance System Time Setting LABEL DESCRIPTION Current Date Time Current Time This field displays the time of your Device Current Date This field displays the date of your Device Time and Date Setup Manual Select this to en...

Page 180: ...uropean Union on the last Sunday of March All of the time zones in the European Union start using Daylight Saving Time at the same moment 1 A M GMT or UTC So in the European Union you would select Last Sunday March The time you type in the o clock field depends on your time zone In Germany for instance you would type 2 because Germany s time zone is one hour ahead of GMT or UTC GMT 1 End Date Conf...

Page 181: ...verview: You can configure where the Device sends logs and which logs and/or immediate alerts the Device records in the Log Setting screen. 22.2 The Log Setting Screen: To change your Device's log settings, click Maintenance > Log Setting. The screen appears as shown ...

Page 182: ...ct the Active check box to enable syslog logging. Mode: Select Local File to have the Device save the log file locally. Select Local File and Remote to have the Device save the log file locally and send it to an external syslog server. Syslog Server IP Address: Enter the server name or IP address of the syslog server that will log the selected categories of logs. Syslog Server UDP Port: Enter the port nu...

Page 183: ...ord associated with the user name above. Log Schedule: Specify the schedule for sending log. Specify days and times for sending logs in the following fields. Day For Sending Log: Specify the day for sending log. Time for Sending Log: Specify the time for sending log. Clear log after sending mail: Select this to delete all the logs after the Device sends an E-mail of the logs. E-mail Alarm Log Settings: Send ...


Page 185: ...o three minutes. After a successful upload, the system will reboot. Do NOT turn off the Device while firmware upload is in progress! Figure 128 Maintenance > Firmware Upgrade. The following table describes the labels in this screen. Table 83 Maintenance > Firmware Upgrade (LABEL: DESCRIPTION). Upgrade Firmware: Use these fields to upload firmware to the Device. Current Firmware Version: This is the present firmwar...

Page 186: ...cally restarts in this time causing a temporary network disconnect In some operating systems you may see the following icon on your desktop Figure 130 Network Temporarily Disconnected After two minutes log in again and check your new firmware version in the Status screen If the upload was not successful an error screen will appear Click OK to go back to the Firmware Upgrade screen Figure 131 Error...

Page 187: ...oring configuration appears in this screen, as shown next. Figure 132 Maintenance > Backup/Restore. Backup Configuration: Backup Configuration allows you to back up (save) the Device's current configuration to a file on your computer. Once your Device is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes. The backup confi...

Page 188: ...to change the IP address of your computer to be in the same subnet as that of the default device IP address (192.168.1.1). If the upload was not successful, an error screen will appear. Click OK to go back to the Configuration screen. Reset to Factory Defaults: Click the Reset button to clear all user-entered configuration information and return the Device to its factory defaults. The following warning sc...

Page 189: ... of your Device. Refer to Section 1.6 on page 16 for more information on the RESET button. 24.3 The Reboot Screen: System restart allows you to reboot the Device remotely without turning the power off. You may need to do this if the Device hangs, for example. Click Maintenance > Reboot. Click the Reboot button to have the Device reboot. This does not affect the Device's configuration ...


Page 191: ...emote location via: Internet (WAN only); LAN only; LAN and WAN; None (Disable). To disable remote management of a service, select Disable in the corresponding Service Access field. 25.1.1 What You Can Do in the Remote Management Screens: Use the WWW screen (Section 25.2 on page 192) to configure through which interfaces and from which IP addresses users can use HTTP to manage the Device. Use the Telnet screen (Se...

Page 192: ...rom which IP addresses users can use SSH to manage the Device. 25.1.2 What You Need to Know About Remote Management. Remote Management Limitations: Remote management does not work when: You have not enabled that service on the interface in the corresponding remote management screen. You have disabled that service in one of the remote management screens. The IP address in the Secured Client IP Address fi...

Page 193: ...ice. Note: It is recommended, if you are allowing WAN access (even temporarily), to change the default password in Maintenance > User Account. To allow access from the WAN, you will need to configure a WAN-to-Router firewall rule. Secured Client IP Address: A secured client is a "trusted" computer that is allowed to communicate with the Device using this service. Select All to allow any computer to access the De...

Page 194: ...his displays the service port number for accessing the Device. If the number is grayed out, it is not editable. Server Access: Select the interfaces through which a computer may access the Device using this service. Note: It is recommended, if you are allowing WAN access (even temporarily), to change the default password in Maintenance > User Account. To allow access from the WAN, you will need to configure a W...

Page 195: ...evice supports SNMP version one (SNMPv1) and version two (SNMPv2c). The next figure illustrates an SNMP management operation. Table 87 Maintenance > Remote MGMT > FTP (LABEL: DESCRIPTION). Server Port: This displays the service port number for accessing the Device. If the number is grayed out, it is not editable. Server Access: Select the interfaces through which a computer may access the Device using this service. S...

Page 196: ...administrators perform network management functions. It executes applications that control and monitor managed devices. The managed devices contain object variables (managed objects) that define each piece of information to be collected about a device. Examples of variables include the number of packets received, node port status, etc. A Management Information Base (MIB) is a collection of managed objec...

Page 197: ...gent. Choose Range to just allow the computers with an IP address in the range that you specify to access the Device using this service. Get Community: Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. The default is public and allows all requests. Set Community: Enter the Set community, which is the password for incoming Set requests fro...

Page 198: ...ice. Cancel: Click Cancel to begin configuring this screen afresh. Table 88 Maintenance > Remote MGMT > SNMP (continued) (LABEL: DESCRIPTION). Table 89 Maintenance > Remote MGMT > DNS (LABEL: DESCRIPTION). Server Port: This displays the service port number for accessing the Device. If the number is grayed out, it is not editable. Access Status: Select the interfaces through which a computer may send DNS queries to the Devi...

Page 199: ...access the Device's command line interface. Specify which interfaces allow SSH access and from which IP address the access can come. SSH is a secure communication protocol that combines authentication and data encryption to provide secure encrypted communication between two hosts over an unsecured network. Table 90 Maintenance > Remote MGMT > ICMP (LABEL: DESCRIPTION). Respond to Ping on: The Device will not ...

Page 200: ...mber for accessing the Device. If the number is grayed out, it is not editable. Server Access: Select the interfaces through which a computer may access the Device using this service. Note: It is recommended, if you are allowing WAN access (even temporarily), to change the default password in Maintenance > User Account. To allow access from the WAN, you will need to configure a WAN-to-Router firewall rule. Secur...

Page 201: ...2. A window displays, prompting you to store the host key in your computer. Click Yes to continue. 3. Enter your user name and password. 4. The command line interface displays ...


Page 203: ...view the DSL line statistics and reset the ADSL line 26 2 The Ping Screen Ping and traceroute help check availability of remote hosts and also help troubleshoot network or Internet connections Click Maintenance Diagnostic to open the Ping screen shown next Figure 145 Maintenance Diagnostic Ping The following table describes the fields in this screen Table 92 Maintenance Diagnostic Ping LABEL DESCR...

Page 204: ...DSL connections If your WAN connection is ADSL the screen is as shown next Figure 146 Maintenance Diagnostic DSL Line ADSL TracerouteV6 Click this to show the path that packets take from the system to the IPv6 address that you entered TraceRouteV4 Click this button to perform the traceroute function This determines the path a packet takes to the specified host Table 92 Maintenance Diagnostic Ping ...

Page 205: ... and then returns it loops it back to the Device The ATM loopback test is useful for troubleshooting problems with the DSLAM and ATM network DSL Line Status Click this to view statistics about the DSL connections noise margin downstream is the signal to noise ratio for the downstream part of the connection coming into the Device from the ISP It is measured in decibels The higher the number the mor...


Page 207: ...LEDs turn on 1 Make sure the Device is turned on 2 Make sure you are using the power adaptor or cord included with the Device 3 Make sure the power adaptor or cord is connected to the Device and plugged in to an appropriate power source Make sure the power source is turned on 4 Turn the Device off and on 5 If the problem continues contact the vendor One of the LEDs does not behave as expected 1 Ma...

Page 208: ...not work, you have to reset the device to its factory defaults. See Section 1.6 on page 16. I forgot the password. 1. The default admin password is 1234 and the default user password is 1234. 2. If you can't remember the password, you have to reset the device to its factory defaults. See Section 1.6 on page 16. I cannot see or access the Login screen in the web configurator. 1. Make sure you are using the cor...

Page 209: ... is admin. These fields are case-sensitive, so make sure Caps Lock is not on. 2. You cannot log in to the web configurator while someone is using Telnet to access the Device. Log out of the Device in the other session, or ask the person who is logged in to log out. 3. Turn the Device off and on. 4. If this does not work, you have to reset the device to its factory defaults. See Section 27.2 on page 207. I cann...

Page 210: ...t your ISP I cannot access the Internet anymore I had access to the Internet with the Device but my Internet connection is not available anymore 1 Check the hardware connections and make sure the LEDs are behaving as expected See the Quick Start Guide and Section 1 7 on page 16 2 Turn the Device off and on 3 If the problem continues contact your ISP The Internet connection is slow or intermittent ...

Page 211: ...s that use the Internet, especially peer-to-peer applications. If the wireless client is sending or receiving a lot of information, it may have too many programs open that use the Internet. What wireless security modes does my Device support? Wireless security is vital to your network. It protects communications between wireless stations, access points and the wired network. The available security modes i...

Page 212: ... connect your USB device to the Device 27 7 UPnP When using UPnP and the Device reboots my computer cannot detect UPnP and refresh My Network Places Local Network 1 Disconnect the Ethernet cable from the Device s LAN port or from your computer 2 Re connect the Ethernet cable The Local Area Connection icon for UPnP disappears in the screen Restart your computer I cannot open special applications su...

Page 213: ...mful interference to radio communications However there is no guarantee that interference will not occur in a particular installation If this device does cause harmful interference to radio television reception which can be determined by turning the device off and on the user is encouraged to try to correct the interference by one or more of the following measures 1 Reorient or relocate the receiv...

Page 214: ... please contact your vendor or ZyXEL Technical Support at support zyxel com tw Regulatory Information European Union The following information applies if you use the product within the European Union Declaration of Conformity with Regard to EU Directive 1999 5 EC R TTE Directive Compliance Information for Wireless Products Relevant to the EU and Other Countries Following the EU Directive 1999 5 EC...

Page 215: ...for further details. Denmark France For 2.4 GHz, the output power is restricted to 10 mW EIRP when the product is used outdoors in the band 2454-2483.5 MHz. There are no restrictions when used indoors or in other parts of the 2.4 GHz band. Check http://www.arcep.fr/ for more details. For the 2.4 GHz band, the power is limited to 10 mW EIRP for equipment used outdoors in the...

Page 216: ...us high voltage points or other risks ONLY qualified service personnel should service or disassemble this device Please contact your vendor for further information Make sure to connect the cables to the correct ports Place connecting cables carefully so that no one will step on them or stumble over them Always disconnect all cables from this device before servicing or disassembling Use ONLY an app...

Page 217: ...uring an electrical storm There may be a remote risk of electric shock from lightning Do not use the telephone to report a gas leak in the vicinity of the leak Your product is marked with this symbol which is known as the WEEE mark WEEE stands for Waste Electronics and Electrical Equipment It means that used electrical and electronic products should not be mixed with general waste Used electrical ...

Page 218: ...Appendix A Legal Information AMG1312 T10D User s Guide 218 Environmental Product Declaration ...

Page 219: ...e 72 C CA 159 CBR 39 45 certificate factory default 162 certificates 159 CA 159 replacing 162 storage space 162 thumbprint algorithms 161 thumbprints 161 trusted CAs 163 verifying fingerprints 160 Certification Authority see CA certifications 213 notices 213 viewing 214 channel scan 55 channel wireless LAN 52 CLI 13 client list 80 Command Line Interface see CLI compatibility WDS 64 configuration 9...

Page 220: ...PPPoA 49 PPPoE 49 RFC 1483 49 encryption 70 ENET ENCAP 36 42 48 Extended Service Set IDentification 54 60 F FCC interference statement 213 File Sharing 87 filters 133 IP MAC 133 135 IP MAC filter configuration 134 135 MAC address 61 firewalls 139 actions 145 address types 146 anti probing 141 customized services 146 148 DDoS 140 default action 143 DoS 140 thresholds 141 149 ICMP 141 LAND attack 14...

Page 221: ...TCP IP 91 LAND attack 140 limitations wireless LAN 71 Local Area Network see LAN login passwords 19 logout 20 automatic 20 logs 181 firewalls 145 M MAC 29 30 MAC address 62 80 filter 61 MAC authentication 61 Management Information Base MIB 196 Maximum Burst Size see MBS Maximum Transmission Unit see MTU MBS 40 45 MBSSID 72 Media Access Control see MAC Address model name 28 MTU 40 multicast 32 39 7...

Page 222: ...P 194 ICMP 199 NAT 192 TR 069 175 WWW 192 Remote Procedure Calls see RPCs 175 reset 16 188 restart 189 restoring configuration 188 RFC 1483 36 42 49 RFC 1631 117 RFC 3164 167 RIP 39 Routing Information Protocol see RIP RPPCs 175 RTS threshold 69 S scan 55 scheduling wireless LAN 66 SCR 40 45 security network 152 wireless LAN 69 Security Parameter Index see SPI Service Set 54 60 setup IP alias 81 I...

Page 223: ...m 76 security issues 76 V VBR nRT 39 45 VBR RT 39 45 VCI 36 43 50 version firmware version 29 Virtual Channel Identifier see VCI Virtual Path Identifier see VPI VPI 36 43 50 W WAN 31 ATM QoS 39 45 encapsulation 32 36 42 IGMP 32 IP address 32 44 50 mode 36 42 MTU 40 multicast 32 39 multiplexing 36 43 49 nailed up connection 38 44 NAT 44 RIP 39 setup 34 VCI 36 43 50 VPI 36 43 50 warranty 214 note 21...

Page 224: ...rver 70 RTS CTS threshold 69 scheduling 66 security 69 SSID 70 activation 59 WDS 64 72 compatibility 64 example 73 WEP 71 WPA 71 WPA PSK 71 WPS push button 15 wireless network example 51 wizard setup Internet 25 WLAN 51 auto scan channel 55 scheduling 66 see also wireless WPA 71 WPA PSK 71 WPS push button 15 ...
