P-660 Series
Contents
1. delay interval: set the delay timer for sending first PPP packet after call answered. 7 Bridge Related Command: mode <1|0>: turn on/off (1/0) LAN; related to bridge local; traffic: display local LAN traffic table; monitor on|off: turn on/off traffic monitor, default is off; set blt re-init interval; related to bridge route; disp: display brtdata brt data; reset brt data cnt; related to bridge routing statistic table; disp: display bridge route; clear: clear bridge route; stat: related to bridge packet; disp: display bridge route; clear: clear bridge route; disp: display bridge source table. 186 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes 8 WLAN Related Commands: Load WLAN configuration into buffer; Display ease WLAN; fowl abeisable hidden SSID; Fragment <Fragment threshold value>: Set threshold fragmentation value; type <none|64|128|256>: Set WEP key to 64, 128 or 256 bits; macfilter Action <allow|deny>: When action match allow or A oa this mac; Set <Set#> <MAC Address>: Set mac address by set; Clear: Clear all WLAN c; Save: Save WLAN confi
2. [Screenshot: SSH Sentinel Policy Editor, Security Policy tab, listing Pre-IPSec Filter, Secured Connections, Secured Networks, Default Response and Post-IPSec Filter (Allow all traffic). Description: a virtual private network is created when the local host establishes an IPSec protected connection to a remote private network through a security gateway.] 7 Add VPN Connection window will pop out. Press the IP button beside the Gateway Name box. Enter Prestige's LAN IP address in Gateway IP address. [Screenshot: Add VPN Connection dialog with the fields Gateway IP address, Remote network (any) and Authentication key (new preshared key)] 9 Network Editor window will pop out. Press the New button and enter ZyWALL in Network name, 192.168.1.0 in the IP address field and 0.0.0.0 in the Subnet Mask field. Then click OK to go back to the Add VPN Connection window. [Screenshot: Network Editor] Give
3. [Screenshot residue: FTP client login options (Normal, Anonymous, Double; ASCII, Binary, Auto Detect; Local Directory Filter)] 3 To upload the firmware file, we transfer the local ras file to overwrite the remote ras file. To upload the configuration file, we transfer the local rom-0 to overwrite the remote rom-0 file. [Screenshot: GlobalSCAPE CuteFTP 3.0 session to 192.168.1.1 with the ras and rom-0 files listed on the local and remote sides] 4 The Prestige reboots automatically after the uploading is finished. Please do not power off the router at this moment.
CI Command Reference
Command Syntax and General User Interface
CI has the following command syntax:
command <iface device> subcommand param
command subcommand param
command help
command subcommand help
General user interface: 1 Shows the following commands and all major sub
4. ll have an ion you wi d from corner of the room is the RF coverage area have not cover ice 1S require ded te as necessary upon complet As illustrated below 1 te survey f si 10n O ice area you nee 6 of survey on s format In less serv step d You may need more than one access point Repeat the access point to this new spot as have already determine the farthest point of the 5 When you reach the farthest point of connection mark the spot Now you move 6 Repeat step 1 5 and now you should be able to mark an RF coverage area as access point installation spot if wireless serv illustrated in above picture all the wire diagram an 7 8
5. p Min MTU Max MTU: Sweep range of sizes; <dest_addr|default> <bits>: add route; addiface <dest_addr|default> <bits>: add an entry to the; addprivate <dest_addr|default> <bits>: add private route; flush route table; lookup <addr>: find a route to the; routing statistic counters; clear: clear routing statistic counters; status: display ip statistic counters; <iface> <mss>: adjust the TCP mss of; display udp status; an entry from the RIP refuse list; enable rip merge; set RIP merge flag; refuse <gateway>: add an entry to the rip refuse list; request <addr> port: send rip request to some address and; RIP Poisoned Reverse; status: display rip statistic; enable: enable debug rip trace; rip trace mode; <iface> in mode; <iface> out mode: set rip out mode; dialin_user show|in|out|both|none: show dialin user rip direction; ceiling value: TCP maximum round trip time; floor; value: set tcp output window limit; number: Set the maximum number of TCP incomplete connection; value: TCP input MSS; <tcb>: reset tcb; tcb <interval>: display
6. 172.21.1.252 Before you continue, please note that in this document we presume that you have already completed the deployment of your Wireless LAN environment, including configuration of both your WLAN station and Prestige WLAN. If you have not completed them yet, please go back to the application notes for how to configure WLAN in Infrastructure Mode. 1. Setup Sentinel 1 From the Tool Tray of the Windows system, right-click on your SSH Sentinel icon and then choose Run Policy Editor. [Screenshot: SSH Sentinel tray menu with Run Policy Editor selected] 2 Choose Key Management, select My Keys, then press the Add button. [Screenshot: SSH Sentinel Policy Editor, Key Management. Description: the keys that are used for authenticating the local host] 3 Select Create a preshared key and press Next. [Screenshot: New Authentication Key wizard] This wizard guides you through the generation of a new authentication key What kind o
7. The packets that need to be blocked are as follows. Please configure two filter sets with 4 and 2 rules respectively, based on the following packets, in SMT menu 21.
Filter Set 1:
Rule 1: Destination port number 137 with protocol number 6 (TCP)
Rule 2: Destination port number 137 with protocol number 17 (UDP)
Rule 3: Destination port number 138 with protocol number 6 (TCP)
Rule 4: Destination port number 138 with protocol number 17 (UDP)
Rule 5: Destination port number 139 with protocol number 6 (TCP)
Rule 6: Destination port number 139 with protocol number 17 (UDP)
Filter Set 2:
Rule 1: Source port number 137, Destination port number 53 with protocol number 6 (TCP)
Rule 2: Source port number 137, Destination port number 53 with protocol number 17 (UDP)
Before starting to set the filter rules, please enter a name for each filter set in the Comments field first.
Menu 21 - Filter Set Configuration
Filter Set / Comments: 1 NetBIOS_WAN; 2 NetBIOS_LAN; 3 to 12 blank
Enter Filter Set Number to Configure: 1
Edit Comments:
Press ENTER to Confirm or ESC to Cancel
Configure the first filter set NetBIOS_WAN by selecting the Filter Set number 1.
Rule 1: Destination port number 137 with protocol number 6 (TCP)
Menu 21.1.1 TCP/IP Filter R
8. ISP. You must enter this IP address in the VPN Server dialog box for reaching the PPTP server. After the VPN link is established, you can start the network protocol application such as IP, IPX and NetBEUI. [Screenshot: Connect To dialog (User name, Password, VPN server)] 5. Using Multi-NAT. What is Multi-NAT? NAT (Network Address Translation, RFC 1631) is the translation of an Internet Protocol address used within one network to a different IP address known within another network. One network is designated the inside network and the other is the outside. Typically, a company maps its local inside network addresses to one or more global outside IP addresses and unmaps the global IP addresses on incoming packets back into local IP addresses. The IP addresses for the NAT can be either fixed or dynamically assigned by the ISP. In addition, you can designate servers, e.g. a web server and a telnet server, on your local network and make them accessible to the outside world. If you do not define any servers, NAT offers the additional benefit of firewall protection. In such case, all incoming connections to your network will be filtered out by the P-660, thus preventing intruders from probing your network. The SUA feature that the P-660 supports previously operates by mapping the private IP addresses to a global IP address. It is only one subset of the NAT. The P-660 with ZyNOS V3.40 supports the most of the f
9. Setup enif0 interface. Edit IP Alias: Toggle to Yes to enter menu 3.2.1 for setting up the second and third networks. 2 Edit the second and third networks in menu 3.2.1 by configuring the P-660's second and third LAN IP addresses.
Menu 3.2.1 - IP Alias Setup
IP Alias 1: Yes
IP Address: 192.168.2.1
IP Subnet Mask: 255.255.255.0
RIP Direction: None
Version: RIP-1
Incoming protocol filters:
Outgoing protocol filters:
IP Alias 2: Yes
IP Address: 192.168.3.1
IP Subnet Mask: 255.255.255.0
RIP Direction: None
Version: RIP-1
Incoming protocol filters:
Outgoing protocol filters:
Enter here to CONFIRM or ESC to CANCEL
Key Settings:
IP Alias 1: Toggle to Yes and enter the second LAN IP address for the P-660. This will create the second route in the enif0:0 interface.
IP Alias 2: Toggle to Yes and enter the third LAN IP address for the P-660. This will create the third route in the enif0:1 interface.
11. Using IP Policy Routing. What is IP Policy Routing (IPPR)? Traditionally, routing is based on the destination address only and the router takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior
10. command m
ip nat server edit rule protocol <TCP|UDP|ALL>: Configure the protocol to be used, TCP, UDP or ALL; it must be capital (Menu 15.2)
sys filter set index set rule: Set the index of filter set rule; you may apply this command first before you begin to configure the filter rules (Menu 21 filter sets)
sys filter set type tcpip generic: Set the type of filter rule (Menu 21 filter sets)
sys filter set enable: Enable the rule (Menu 21 filter sets)
sys filter set disable: Disable the rule (Menu 21 filter sets)
sys filter set protocol protocol: Set the protocol ID of the rule (Menu 21 filter sets)
sys filter set sourceroute yes|no: Set the sourceroute yes/no (Menu 21 filter sets)
sys filter set destip address subnet mask: Set the destination IP address and subnet mask of the rule (Menu 21 filter sets)
sys filter set name set name: Set the name of filter set
sys filter set destport port compare type: Set the destination port and compare type; compare type could be 0 (none), 1 (equal), 2 (not equal), 3 (less), 4 (greater); compare type none|equal|notequal|less|greater (Menu 21 filter sets)
sys filter set srcip address subnet mask: Set the source IP address and subnet mask (Menu 21 filter sets)
sys filter set srcpo: Set the source port and compare type (Menu 21 filter
11. > rule set to the firewall configuration; set rule <rule>: Insert a specified <set> rule in a set to the firewall configuration; cli: Display the choices of command list; disp: Display specific ACL set rule; active <yes|no>: Active firewall or deactivate; Display firewall log type and count; Clear firewall log count; Dump the 64 bytes of dropped packet by firewall; rst113: Set TCP reset sending for port 113; Display TCP reset sending setting; icmp; dos; display: Display SMTP DoS defender; ignore: Set if firewall ignore DoS in; triangle: Set if firewall ignore triangle route in lan/wan/dmz/wlan.
13 SMT Related command
sys bridge on|off: Set system bridge on/off (Menu 1)
sys routeip on|off: Set system IP routing on/off (Menu 1)
sys hostname hostname: Set system name (Menu 1)
sys display: Display hostname, routing/bridge mode information in menu 1 (Menu 1)
sys default: Load All Default Settings Except LAN and DHCP
Save all the parameters, which will include menu 1, menu 3.2 LAN, menu 4 FINE or menu 11 WAN, menu 12 static route, menu 15 NAT server set, menu 21 filter sets, menu 22 SNMP, menu 24.11 remote management and 3.5 Wireless LAN. Se
12. local rom rom-0 < upload configurations
cppwu faelinux cppwul tftp I 192.168.1.1 get ras local ras < download firmware
cppwu faelinux cppwul tftp I 192.168.1.1 put local ras ras < upload firmware
3. Using FTP to Upload the Firmware and Configuration Files
In addition to uploading the firmware and configuration file via the console port and TFTP client, you can also upload the firmware and configuration files to the Prestige using FTP. To use this feature, your workstation must have FTP client software. There are two examples as shown below: using the FTP command in a terminal, and using FTP client software.
Using FTP command in terminal
Step 1 Use an FTP client from your workstation to connect to the Prestige by entering the IP address of the Prestige.
Step 2 Press the Enter key to ignore the username, because the Prestige does not check the username.
Step 3 Enter the SMT password as the FTP login password; the default is 1234.
Step 4 Enter command bin to set the transfer type to binary.
Step 5 Use the put command to transfer the file to the Prestige.
Note: The remote file name for the firmware is ras and for the configuration file is rom-0 (rom-zero, not capital o).
Example:
C:\temp> ftp 192.168.1.1
Connected to 192.168.1.1
220 FTP version 1.0 ready at Thu Jan 1 00:02:09 1970
User 192.1
13. (means connected speed) xxxxx (means Remote Call ID); L02 Tunnel Connected (L2TP); C02 OutCall Connected xxxx (means connected speed) xxxxx (means Remote Call ID); C02 CLID call refused; L02 Call Terminated; C02 Call Terminated.
Example:
Feb 14 16:57:17 192.168.1.1 ZyXEL Communications Corp board 0 line 0 channel 0 call 18 C01 Incoming Call OK
Feb 14 17:07:18 192.168.1.1 ZyXEL Communications Corp board 0 line 0 channel 0 call 18 C02 Call Terminated
2 Packet triggered log
Format: sdcmdSyslogSend(SYSLOG_PKTTRI, SYSLOG_NOTICE, String); String: Packet trigger Protocol xx Data xxxxxxxxxx
Protocol: 1 IP, 2 IPX, 3 IPXHC, 4 BPDU, 5 ATALK, 6 IPNG
Data: We will send forty-eight hex characters to the server.
Example:
Jul 19 11:28:39 192.168.102.2 ZyXEL Communications Corp Packet Trigger Protocol 1 Data 4500003c 100100001f010004c0a866 14ca849a7b08004a5c02000 1006 162636465666768696 a6b6c6d6e6f707 1727374
Jul 19 11:28:56 192.168.102.2 ZyXEL Communications Corp Packet Trigger Protocol 1 Data 4500002c 1b014000 1 f06b50ec0a86614ca849a7b0427001700195b3e00000000600220008cd 40000020405b4
3 Filter log
This message is available when the Log is enabled in the filter rule setting. The message consists of the packet header and the log of the filter rules.
Format: sdcmdSyslogSend(SYSLOG_FILLOG, SYSLOG_NOTICE, String); Strin
14. policy <full|hourly|daily|weekly>; day <sunday|monday|tuesday|wednesday|thursday|friday|saturday>; hour <0-23>; minute <0-59>; Subject <mail
Display current entries of a rule in a set. Display all the attack alert settings in PNC. Display all the e-mail settings in PNC. Display all the available sub commands. Edit the mail server IP to send the alert. Edit the mail address for returning an email alert. Edit the mail address to send the alert. Edit email schedule when log is full or per hour, day, week. Edit the day to send the log when the email policy is set to Weekly. Edit the hour to send the log when the email policy is set to daily or weekly. Edit the minute to send to log when the email policy is set to daily or weekly. Edit the email
send alert <yes|no>; block <yes|no>; block minute <0-255>; minute high <0-255>; minute low <0-255>; max incomplete high <0-255>; max incomplete low <0-255>; tcp max incomplete <0-255>
Activate or deactivate the firewall DoS attacks notification emails. Yes: Block the traffic when exceeds the tcp max incomplete threshold. No: Delete the oldest half open sessio
15. st tink defaut to rotate; rotate; set display link rotate; link rotate sequence; set display mp start sequence; configure; compress on|off: enable/disable; compress slots fstotnum: select number of slots; idcompress on|off: enable/disable slot id compress; address on|off: set display ip one address option; atcp: apple talk feature, not anymore; history <count>: stac history count; check argv: set display stac check mode; reset <mode>: set display stac reset mode; pfc on|off: pfc flag; ipcp <iface>: the ipcp status of the given iface; ipxcp <iface>: show the ipxcp status of the given iface; ccp <iface>: the ccp status of the given iface; reset|skip|flush; mp show <iface>: show the mp status of; show <channel>: show the ppp channel; break num count: set the fsm break flag; clear the sm data; disp: display the fom log data; filter mask: set the fsm log filter; filter protocol: set fsm filter data; disp: display the fsm data; clear the fsm data; ump fsm data structure
16. 0 0; 2. 1723 1723 192.168.1.10; 3. 0 0 0.0.0.0; 4. 0 0 0.0.0.0; 5. 0 0 0.0.0.0; 6. 0 0 0.0.0.0; 7. 0 0 0.0.0.0; 8. 0 0 0.0.0.0; 9. 0 0 0.0.0.0; 10. 0 0 0.0.0.0; 11. 0 0 0.0.0.0; 12. 0 0 0.0.0.0. Press ENTER to Confirm or ESC to Cancel.
When you have finished the above settings, you can ping to the remote Win9x client from WinNT. This ping command is used to demonstrate that the remote Win9x can be reached across the Internet. If the Internet connection between two LANs is achievable, you can place a VPN call from the remote Win9x client. For example: C:\> ping 203.66.113.2
When a dial-up connection to ISP is established, a default gateway is assigned to the router traffic through that connection. Therefore, the output below shows the default gateway of the Win9x client after the dial-up connection has been established. Before making a VPN connection from the Win9x client to the NT server, you need to know the exact Internet IP address that the ISP assigns to the P-660 router in SUA mode and enter this IP address in the VPN dial-up dialog box. You can check this Internet IP address from PNC Monitor or SMT Menu 24.1. If the Internet IP address is a fixed IP address provided by ISP in SUA mode, then you can always use this IP address for reaching the VPN server. In the following example, the IP address 140.113.1.225 is dynamically assigned by
17. 0.0.0.0; Port: 0; Port Comp: None; TCP Estab: N/A; More: No; Action Matched: Drop; Action Not Matched: Forward; Log: None. Press ENTER to Confirm or ESC to Cancel.
After the first filter set is finished, you will get the complete rules summary as below.
Menu 21.2 Filter Rules Summary
Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=137, N D N
Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=137, N D N
Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=138, N D N
Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=138, N D N
Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=139, N D N
Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=139, N D F
Apply the first filter set NetBIOS_WAN to the Output Protocol Filter in the remote node setup. Configure the second filter set NetBIOS_LAN by selecting the Filter Set number 2.
Rule 1: Source port number 137, Destination port number 53 with protocol number 6 (TCP)
Menu 21.2.1 TCP/IP Filter Rule
Filter: 2,1
Filter Type: TCP/IP Filter Rule
Active: Yes
IP Protocol: 6
IP Source Route: No
Destination: IP Addr: 0.0.0.0; IP Mask: 0.0.0.0; Port: 53; Port Comp: Equal
Source: IP Addr: 0.0.0.0; IP Mask: 0.0.0.0; Port: 137; Port Comp: Equal
TCP Estab: No
More: No
Log: None
Action Matched: Drop
Action Not Matched: Check Next Rule
Press ENTER to Confirm or ESC to Cancel
Rule 2: Source port number 137, Destination port number 53 with protocol number 17 (UDP)
Menu 21.2.2 TCP/IP Filter Rul
18. 00; 15 00:00:00:00:00:00; 16 00:00:00:00:00:00; 17 00:00:00:00:00:00; 18 00:00:00:00:00:00; 19 00:00:00:00:00:00; 20 00:00:00:00:00:00; 21 00:00:00:00:00:00; 22 00:00:00:00:00:00; 23 00:00:00:00:00:00; 24 00:00:00:00:00:00; 25 00:00:00:00:00:00; 26 00:00:00:00:00:00; 27 00:00:00:00:00:00; 28 00:00:00:00:00:00; 29 00:00:00:00:00:00; 30 00:00:00:00:00:00; 31 00:00:00:00:00:00; 32 00:00:00:00:00:00. ENTER here to CONFIRM or ESC to CANCEL.
Key Settings (Option: Descriptions)
Filter Action: Allow or block association from MAC addresses contained in this list. If Allow Association is selected in this field, hosts with MAC addresses configured in this list will be allowed to associate with AP. If Deny Association is selected in this field, hosts with MAC addresses configured in this list will be blocked.
MAC Address: This field specifies those MAC Addresses that you want to add in the list.
If you use WEB configuration, the MAC Address Filter configuration is as shown below.
1 Using a web browser, log in to the AP by giving the LAN IP address of AP in the URL field. Default LAN IP is 192.168.1.1, default password to login web configurator is 1234.
2 Click Advanced and click Wireless tab on the left.
3 Click MAC Filter tab on the top and select Yes in the Active field to enable MAC Filter.
4 Select the Filter Action to allo
19. 31.7.130:80
10 11883.650 ENET0 R 0062 TCP 192.168.1.2:1109->192.31.7.130:80
P-660> sys trcd parse
<000> LAN Frame: ENET0 RECV Size: 62/62 Time: 12089.790 sec
Frame Type: TCP 192.168.1.2:1116->192.31.7.130:80
Ethernet Header:
Destination MAC Addr = 00A0C5921311
Source MAC Addr = 0080C84CEA63
Network Type = 0x0800 (TCP/IP)
IP Header:
IP Version = 4
Header Length = 20
Type of Service = 0x00 (0)
Total Length = 0x0030 (48)
Idetification = 0x330B (13067)
Flags = 0x02
Fragment Offset = 0x00
Time to Live = 0x80 (128)
Protocol = 0x06 (TCP)
Header Checksum = 0x3E71 (15985)
Source IP = 0xC0A80102 (192.168.1.2)
Destination IP = 0xC01F0782 (192.31.7.130)
TCP Header:
Source Port = 0x045C (1116)
Destination Port = 0x0050 (80)
Sequence Number = 0x00BD15A7 (12391847)
Ack Number = 0x00000000 (0)
Header Length = 28
Flags = 0x02 (S)
Window Size = 0x2000 (8192)
Checksum = 0xBEC3 (48835)
Urgent Ptr = 0x0000 (0)
Options = 0000: 02 04 05 B4 01 01 04 02
RAW DATA:
0000: 00 A0 C5 92 13 11 00 80 C8 4C EA 63 08 00 45 00
0010: 00 30 33 0B 40 00 80 06 3E 71 C0 A8 01 02 C0 1F
0020: 07 82 04 5C 00 50 00 BD 15 A7 00 00 00 00 70 02
0030: 20 00 BE C3 00 00 02 04 05 B4 01 01 04 02
20. 50 replace the source IP address of the IPSec gateway to the router's WAN IP address. However, SUA should not change the source port of the UDP packets which are used for key management. Because the remote gateway checks this source port during connections, the port thus is not allowed to be changed.
12. How do I set up my P-660 for routing IPSec packets over SUA? For outgoing IPSec tunnels, no extra setting is required. For forwarding the inbound IPSec ESP tunnel, a Default server set in menu 15.2.1 is required. It is because SUA makes your LAN appear as a single machine to the outside world. LAN users are invisible to outside users. So to make an internal server available for outside access, we must specify the service port and the LAN IP of this server in Menu 15. Thus SUA is able to forward the incoming packets to the requested service behind SUA, and the outside users access the server using the P-660's WAN IP address. So we have to configure the internal IPsec as a default server (unspecified service port) in menu 15.2.1 when it acts as a server gateway.
13. What is Traffic Shaping? Traffic Shaping is a feature in the P-660. It allocates the bandwidth to WAN dynamically and aims at boosting the efficiency of the bandwidth. If there are several VCs in the P-660 but only one VC activated at one time, the P-660 allocates all the bandwidth to the VC and the VC gets full bandwidth. If other VCs are activated later, the bandwidth is yielded to other VCs
21. ACL firewall rules in P-660. There are two default ACLs pre-configured in the P-660: one allows all connections from LAN to WAN and the other blocks all connections from WAN to LAN except the DHCP packets.
Configuration
1. How do I configure the firewall? P-660 supports an embedded web server so that you can use the web browser to configure it from any OS platform.
2. How do I prevent others from configuring my firewall? There are several ways to prevent others from touching the settings of your firewall. 1. Change the default password, since it is required when setting up the firewall using Telnet, Console or Web browser. 2. Limit who can Telnet to your router. You can enter the IP address of the secured LAN host in SMT Menu 24.11 to allow Telnet to your P-660. The default value in this field is 0.0.0.0, which means you do not care which host is trying to Telnet your P-660.
3. Can I use a browser to configure my P-660? Yes, you can use a web browser to configure the P-660.
4. Why can't I configure my router using Telnet over WAN? There are five reasons that Telnet from WAN is blocked. When the firewall is turned on, all connections from WAN to LAN are blocked by the default ACL rule. To enable Telnet from WAN, you must turn the firewall off (Menu 21.2) or create a firewall rule to allow Telnet connection from WAN. The
22. ADSL CTRLE response command; dyinggasp: Send ADSL dyinggasp; Test the ADSL F/W available ping; Download modem code but must reset first; near: Show ADSL near end noise margin; Show ADSL far end noise; Open ADSL line; opencmd: Open ADSL line with specific; opmode: Show the operational mode; perfdata: Show performance information (CRC, FEC, error); rdata start length: Read DSP CTRLE registers; reset: Reset ADSL modem and must reload the modem code; loop test; status: ADSL status (ex. up, down or wait for init); utopia: Show ADSL utopia information; cellcnt: ADSL cell counter; the counter of rate adaptive mechanism happening; rateup: Show real status that rate; rateadap on|off: Turn on/off rate adaptive; dumpcondition on|off: Turn on/off online debug information of rate adaptive mechanism; sampletime mins: Tune the sample time of rate adaptive mechanism; noisegt dB: if noise margin is 3db greater than before and rate is worse than before then system will do 1 shutdown RA3, default is 3db; this value and rate is worse than before then system will do 1 shutdown RA
23. Comments: 1 Block a client; 2 to 12 blank
Enter Filter Set Number to Configure: 0
Edit Comments:
Press ENTER to Confirm or ESC to Cancel
2 One rule for blocking all packets from this client.
Menu 21.1.1 TCP/IP Filter Rule
Filter: 1,1
Filter Type: TCP/IP Filter Rule
Active: Yes
IP Protocol: 0
IP Source Route: No
Destination: IP Addr: 0.0.0.0; IP Mask: 0.0.0.0; Port: ; Port Comp: None
Source: IP Addr: 192.168.1.5; IP Mask: 255.255.255.255; Port: ; Port Comp: None
TCP Estab: N/A
More: No
Log: None
Action Matched: Drop
Action Not Matched: Forward
Press ENTER to Confirm or ESC to Cancel
Key Settings:
Source IP addr: Enter the client IP in this field.
IP Mask: Here the IP mask is used to mask the bits of the IP address given in the Source IP Addr field; for one workstation it is 255.255.255.255.
Action Matched: Set to Drop to drop all the packets from this client.
Action Not Matched: Set to Forward to allow the packets from other clients.
3 Apply the filter set number 1 to the Output Protocol Filter Set field in the remote node setup.
A filter for blocking a specific MAC address
This configuration example shows you how to use a Generic Filter to block a specific MAC address of the LAN.
Before you Begin
24. edit type local start IP local end IP global start IP global end IP server set: the type is not inside server then the type field will still need a dummy value like. Type is 0-4: one to one, many to one, many to many overload, many to many non overload, inside server. Example: > ip nat addrmap rule 1 edit 3 192.168.1.10 192.168.1.20 192.168.10.56 192.168.1.56 0
ip nat addrmap clear map rule: Clear the selected rule of the set (Menu 15.1)
ip nat addrmap freememory: Discard Changes
ip nat addrmap disp: Display nat set information (Menu 15.1)
Save settings (Menu 15.1)
ip nat server load set: Load the server sets of NAT into buffer (Menu 15.2)
ip nat server disp 1: "disp 1" means to display the NAT server set in buffer; if parameter is omitted then it will display all the server sets (Menu 15.2)
ip nat server save: Save the NAT server set buffer into flash (Menu 15.2)
ip nat server clear set: Clear the server set; must use the save command to let it save into flash
Activate the rule; rule number is 1 to 24, the number 25-36 is for UPNP application (Menu 15.2)
ip nat server edit rule remotehost <start IP> <end IP>: host; leave it to be default value if you don't need this command
Configure the lease time; leave it to be default value if you don't want this (Menu 15.2) to be default value if you don want this
25. [Figure residue; surviving label: Stock Room with Metal Shelves]
26. Encryption Advanced About Profile filet eoe oeae Activate Configuration service Set Identifier f pono SSID Transfer Rate Auto Rate Power Saving Mode Restore Defaults cp chences Cancel Help 3 Select Ad hoc from the operation mode pull down menu fill you an SSID and select a channel you want to use than press OK to apply 4 Since there is no DHCP server to give the host IP you must first designate a static IP for your station From Windows Start select Control Panel gt Network Connection gt Wireless Network Connection 113 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes Wireless Network Connection Properties kl x General Authentication Advanced Connect using EJ EEESO2 116 WLAN PCI Card v3 0 This connection uses the following items El Client for Microsoft Networks ial File and Printer Sharing for Microsoft Networks Jal 0S Packet Scheduler ma nternet Protocol TLPYIP Inetall Description Transmission Control Protocols nternet Protocol The default Wide area network protocol that provides communication actos diverse interconnected networks Show icon in notification area when connected 5 From general tab select TCP IP and click property Internet Protocol TCP IP Properties _ General L You c
27. Server Setup not Set 1 Set 1 is used for SUA Only case Menu 15 2 2 NAT Server Setup Rule Start Port No End Port No IP Address Default Default 0 0 0 0 80 80 192 168 1 20 192 168 1 20 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Nn un hn un eS oo SS SSeS a 5 SSS SS e Press ENTER to Confirm or ESC to Cancel 4 Support Non NAT Friendly Applications Some servers providing Internet applications such as some mIRC servers do not allow users to login using the same IP address In this case it is better to use Many to Many No Overload or One to One NAT mapping types thus each user login to the server using a unique global IP address The following figure illustrates this 58 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes User 1 ILAI 192 168 1 10 Prestige User 2 ILA2 1927 166 1 11 User 3 ILA3 192 1686 112 3 ILAs lt gt 3 IGAS 3 LAs map to 3 GAs using Many to Many No Overload or One to One One rule configured for using Many to Many No Overload mapping type is shown below Menu 15 1 1 1 Rule 1 Type Many to Many No Overload Local IP Start 192 168 1 10 End 192 168 1 12 Global IP Start Enter IGA1 End Enter IGA3 Press ENTER to Confirm or ESC to Cancel The three rules configured for using One to One mapping type is shown below Menu 15 1 1 1 Rule 1 Type One to One Local IP S
28. T E E A 136 Ze Set p Prestiee VPN eresse a a 144 7 onmeure 802 Ax and WP Anena ean deueniaahetetnasaees 146 What is WPA Functionality ccccccccccsssssssseeeccecceseeeessseeeeceeenaes 146 Configuration for ACCESS POIN ccceeccecccceeceeeesseseecececeeeaaeseseeeeees 147 Coniiecuration fOr yOu PC sud castrisckaentavatussiessudencbuseaseiasmnecteustuaetwe des 148 woh 0 06 i el A AN ean erie ne oe een ears Te Dn der eRe oY eee S 153 Te LAN WAN Packet Trace sicetspetaccanatrsces vera secanaeetieteaeneuune nce aatem ancien tcetanaets 153 Jol Wis TI a cater ner teat re met mine ne E ne amine er 153 OHNE TICE eser r E 158 2 Firmware Configurations Uploading and Downloading using TFTP 159 Using TREP Chent SOM Ware ena sos ackaccabeeuatisasdsuahentantes 159 Using TFTP command on Windows NT ccccccceeeesseeeeeeeeeeeeeaes 160 Using TFTP command on UNIX ceecccecccceceeeeeseeeeeeeeeeeeeaas 161 3 Using FTP to Upload the Firmware and Configuration Files 0 162 Using FTP command in terminal cc cseeeeseeceeeceeeeeeeeeeeeeeeeeenaas 162 Using FT Pchent SoftWare ay cise dectawSenaureneniXonr acne ERREA 163 CI Command Reference vinicrcmusi ita ete tiee ade yw Ghat ee aka eye 166 lesy em Renta Commands sitsccocnisti sites dem a nce eSatae naan 166 2 Exit Related Command S mesae whould tales oitdewlalveladiol 173 3 Ethernet Related Command Sorospen enacts eee ndaehateua
29. ZyXEL P 660 series Support Notes 2 Configuring Infrastructure mode e Infrastructure Introduction e Configure wireless access point to Infrastructure mode with SMT e Configure wireless access point to Infrastructure mode with Web configurator e Configure wireless station to Infrastructure mode Infrastructure Introduction What is Infrastructure mode Infrastructure mode sometimes referred to as Access Point mode is an operating mode of an 802 1 1b W1 Fi client unit In infrastructure mode the client unit can associate with an 802 1 1b Wi Fi Access Point and communicate with other clients in infrastructure mode through that access point RF signal RF signal T S eB Wireless Station Wireless Station Wireless Station Configure Wireless Access Point to Infrastructure mode using SMT To configure Infrastructure mode of your PO60HW T I wireless AP please follow the steps below 1 From the SMT main menu enter 3 to display Menu 3 LAN Setup 2 Enter 5 to display Menu 3 5 Wireless LAN Setup Menu 3 5 Wireless LAN Setup 117 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes ESSID Wireless Hide ESSID No Channel ID CHO1 2412MHz RTS Threshold 0 Frag Threshold 2432 WEP Disable Default Key N A Keyl N A Key2 N A Key3 N A Key4 N A Edit MAC Address Filter No Press ENTER to Confirm or ESC to Cancel 3 Configure ESSID Channel ID WEP Default Key and
30. ZyXEL P 660 series Support Notes me display watchdog counts value 0 34463 promreset ff restore default romfile a a O a faces lt telnetlftplweblicmplsnmpldns gt lt value gt set server access type load load server information disp display server information ff port lt telnetlftplweblsnmp gt lt port gt lt port gt Save Save Server information pf lt telnetlftplweblicmplsnmpldns gt lt ip gt set server secure ip dump spt remote node data pop ser arp sptser data op stot dap spt stot data pf save Pf save spe data ef sie P isp ay spt recor size pf fete Pf tear spt dat po femr a O ee o o disp lt ch name gt show the connection trace of this channel clear lt ch name gt clear the connection trace of this channel cnt lt ch name gt show channel connection related counter socket display system socket information a clear clear filter statistic counter disp display filter statistic counters Pf sw fone onloff set filter status switch Ol le see display fitter rue 172 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes netbios disp EE netbios filter Status config lt 0 LAN to WAN 1 WAN to LAN config netbios filter 2 LAN to DMZ 3 IPSec passthrough Tone Dial gt lt onloff gt fo debug lt level gt enable disable ddns display lt iface name gt display ddns S ee restart lt ifac
31. address mt A virtual IF address is an address from tings the internal network Be Extended authentication The PN gateway may require IEE E Auth RADIOS or CHAF pethings Description Change Tune IKE proposal to Encryption algorithm as DES Integrity function as MDS IKE mode as main mode IKE group as MODP 768 group 1 and IPSec proposal to 141 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes Encryption algorithm as DES Integrity funciton as HMAC MDS PFS group as none Proposal Parameters Fl x rs L gt Set the prefered value of each parameter of the IKE and IF5ec proposal IKE proposal Encrption algorithm DES Integrity function MDS IKE mode main mode IKE group MODF fhe group 7 PSec proposal Encryption algorithm DES Integrity function HMAC MD5 ad IPSec mode tunnel ka PFS group Cancel Press Apply to save all of the settings BE SSH Sentinel Policy Editor EE zjx mecurity Policy Eey Management Policy E Default I BE VEN Connections z BSE 192 168 1 1 ZyWALL HB Add S E Secured Connections 7 a i H a pecured Networks HEE Default Respons H a Post IPSec Filter i Allow all traffic T Add Remove l Description 142 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes Initiate VPN con
32. attack. A Brute-force attack, such as a Smurf attack, targets a feature in the IP specification known as directed or subnet broadcasting to quickly flood the target network with useless data. A Smurf hacker floods a router with ICMP echo request packets. Since the destination IP address of each packet is the broadcast address of the network, the router will broadcast the ICMP echo request packet to all hosts on the network. If there are numerous hosts, this will create a large amount of ICMP echo request packets; the resulting ICMP traffic will not only clog up the intermediary network, but will also congest the network of the spoofed source IP address, known as the victim network. This flood of broadcast traffic consumes all available bandwidth, making communications impossible. 12. What is IP Spoofing attack? Many DoS attacks also use IP Spoofing as part of their attack. IP Spoofing may be used to break into systems, to hide the hacker's identity, or to magnify the effect of the DoS attack. IP Spoofing is a technique used to gain unauthorized access to computers by tricking a router or firewall into thinking that the communications are coming from within the trusted network. To engage in IP Spoofing, a hacker must modify the packet headers so that it appears that the packets originate from a trusted host and should be allowed through the router or firewall. 13. What are the default
33. be set to Not Match, Match or Both. The Reason column for the default permit shown in the log will be default permit <1,00> or <2,00>. Here <1,00> means the LAN to WAN default ACL set, and <2,00> means the WAN to LAN default ACL set. 2. What does the log show to us? The log supports up to 128 entries. There are 2 rows and 5 columns for each entry. Please see the example shown below. Columns: #, Time, Packet Information, Reason, Action. Entry 127: Time = Mar 15 0, 03:03:54; Packet Information = From: 192.168.1.34 To: 202.132.155.93, ICMP type:00008 code:00000; Reason = default permit <1,00>; Action = forward. Where <X,Y> stands for <Set number, Rule number>; X = 1, 2; Y = 00 to 10. There are two policy sets: set 1 for rules checking connections from LAN to WAN, and set 2 for rules checking connections from WAN to LAN. So X = 1 means set 1 and X = 2 means set 2. Y means the rule in the set. Because we can configure up to 10 rules in a set, Y can be from 1 to 10. If the rule number shows 00, it means the Default Rule. 3. How do I view the firewall log? The log keeps 128 entries; the new entries will overwrite the old entries when the log has over 128 entries. After V3.52, all logs generated in the P-660, including firewall logs, IPSec logs and system logs, are migrated to centralized logs, so you can view firewall logs in Centralized logs. Before you can vi
34. brief trace online by entering sys tred brief e Display the detailed trace online by entering sys tred parse Example P 660 gt sys trcp channel enet0 none P 660 gt sys trcp channel mpoa00 bothway P 660 gt sys trcp sw on P 660 gt sys trcl sw on P 660 gt sys tred brief 0 12367 680 MPOAO00 R 0070 UDP 202 132 155 95 520 gt 202 132 155 255 520 1 12370 980 MPOAO00 T 0062 TCP 202 132 155 97 10261 gt 192 31 7 130 80 P 660 gt sys trcd parse lt 0000 gt LAN Frame MPOAO0 RECV Size 1181 96 Time 12387 260 sec Frame Type TCP 192 31 7 130 80 gt 202 132 155 97 10270 Ethernet Header Destination MAC Addr 00A0C5921312 Source MAC Addr 004A0C5012345 Network Type 0x0800 TCP IP IP Header IP Version 4 Header Length 20 Type of Service 0x00 0 Total Length 0x048B 1163 Idetification 0xB139 45369 Flags 0x02 Fragment Offset 0x00 Time to Live OxEE 238 All contents copyright 2005 ZyXEL Communications Corporation 157 ZyXEL P 660 series Support Notes Protocol 0x06 TCP Header Checksum OxA9AB 43435 Source IP 0xC01F0782 192 31 7 130 Destination IP OxCA849B61 202 132 155 97 TCP Header Source Port 0x0050 80 Destination Port 0x281E 10270 Sequence Number 0xD3E95985 3555285381 Ack Number 0x00C18F63 12685155 Header Length 20 Flags 0x19 AP F Window Size OxFAFO 66040 Checksum 0x3
35. c 1994 2005 ZyXEL Communications Corp Prestige 660 Main Menu Getting Started Advanced Management 1 General Setup 21 Filter Set Configuration 2 WAN Backup Setup 22 SNMP Configuration 3 LAN Setup 23 System Password 4 Internet Access Setup 24 System Maintenance 25 IP Routing Policy Setup Advanced Applications 26 Schedule Setup 11 Remote Node Setup 12 Static Routing Setup 99 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes 14 Dial in User Setup 99 Exit 15 NAT Setup Enter Menu Selection Number 2 Select a Schedule Set number and give it a name Menu 26 Schedule Setup Schedule Schedule Set Name Set Name 1 ZyXEL 7 2 8 3 9 4 10 5 11 6 12 Enter Schedule Set Number to Configure 1 Edit Name ZyXEL Press ENTER to Confirm or ESC to Cancel 3 The Menu 26 1 Schedule Set Setup is as follows Menu 26 1 Schedule Set Setup Active Yes Start Date yyyy mm dd 2002 01 01 How Often Once Once Date yyyy mm dd 2002 01 01 Weekdays Sunday N A Monday N A Tuesday N A Wednesday N A Thursday N A Friday N A Saturday N A Start Time hh mm 12 00 Duration hh mm 16 00 100 All contents copyright 2005 ZyXEL Communications Corporation ZyXEC 660 series Support Notes Action Enable Dial on demand Press ENTER to Confirm or ESC to Cancel Key Settings Start date of this schedule rule It can be unmatched with wee
36. classifying packets and control when to send out the classified packets. Bandwidth Management of ZyXEL appliances operates on the IP layer. The major step to configure BWM is defining filter rules by fields of the IP header or TCP/UDP port number, then specifying the volume of bandwidth you want to allocate to the filtered traffic. Class Tree. Using BWM: Go to ADVANCED > BW MGMT > Summary and activate bandwidth management on the interface you would like to manage. We enable the BWM function on the WAN 1 interface in this example. Enter the total speed for this interface that you want to allocate using bandwidth management. This appears as the bandwidth budget of the interface's root class. Select how you want the bandwidth to be allocated. Priority-Based means bandwidth is allocated via priority, so the traffic with the highest priority is served first, then the second priority, and so on. If Fairness-Based is chosen, then the bandwidth is allocated by ratio, which means that if class A needs 300 kbps and class B needs 600 kbps, then the ratio of A's and B's actual bandwidth is 1:2. So if we get 450 kbps in total, then A would get 150 kbps and B would get 300 kbps. Key Settings: Check the box to enable BWM on the interface. Note that if you would like to manage traffic from WAN to LAN, you should apply BWM on the LAN interface. If you would like to manage traffic from WAN to DMZ, please apply BWM on the DMZ interface. Enter the total sp
37. cold boot immediately boot 2 bootModule oo mode restos ee resources E ne Pf clear P clear resources trace resources trace stdio second change terminal timeout value time hour min sec display set system time S trace onloff set display timer ae online Value starta timer a timer 170 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes ogres a o o wh io online onloff set on off trace log ee ee level level set trace level of trace ae a gp Taig ng a ee ee cc fet isp ay cal event encapmask mask set display tracelog encapsulation mask On A create lt entry gt lt size gt create packet trace buffer destroy packet trace related commands channel lt name gt lt channel nonelincomingloutgoinglbothway name gt enet0 sdsl00 frO set packet trace direction for a given e aaa switch c turn on off the OR Doo a switch onloff set tracepacket upd switch parse start_ _ start_idx end_idx end_idx parse parse packet content content view sd lt filename gt lt filename gt view a text view a text file A ne trace to other system addr lt addr gt send trace packet to remote udp address port lt port gt set tracepacket udp pone ea brief display packet content briefly version display RAS code and oo version et e 171 All contents copyright 2005 ZyXEL Communications Corporation
38. commands 2 exit Returns to SMT 1 System Related Commands ch name enetO mpoa00 Command se S adjtime retrive EE and time e Internet C a display alflu pay cbuf a all f P ee e e eee m cbuf static S a E S C ea as ge console peed Q eas O p y E E or remove lt index gt remove entry from call history clear the counters in GUI status menu C eamyeods eouneyeodey O f set cot code C ee yemon OOOO sepa dae aomsimane T C a O ins ia 166 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes enhanced return OK if commands are supported for PWC purposes errctl level set the error control level Q crash no save not in debug mode default l crash no save in debug mode 2 crash save not in debug mode 3 crash save in debug mode display display tag flags information trace display system event cae 88 o o display Savy aot trace event ___ maintain extra C numbers for outcalls lt set 1 3 gt lt 1st phone num gt 2nd phone add extra phone num numbers display display extra phone numbers node lt num gt set all extend phone number to remote node lt num gt remove lt set 1 3 gt remove extra phone rrr a ee a display ISDN firmware type hostname hostname display system hostname qe a y isr EE display interrupt service routine 167 All contents copyright 2005 ZyXEL Communications Corporation ZyXE
39. included in the package. WEP keys (secret keys) are available in two types, 64 bits and 128 bits. Many times you will see them referenced as 40 bits and 104 bits instead. The reason for this misnomer is that the WEP key (40/104 bits) is concatenated with the initialisation vector (24 bits), resulting in a 64/128-bit total key size. [Figure residue; surviving labels: Plaintext, Key Sequence, RC4, IV, k, Ciphertext, Transmitted Data] WiFi Protected Access (WPA) is the new security standard adopted by the WiFi Alliance consortium. WPA uses Temporal Key Integrity Protocol (TKIP). TKIP is designed to allow WEP to be upgraded. This means that all the main building blocks of WEP are present, but corrective measures have been added to address security problems. WPA/TKIP provides much stronger security than WEP, addressing all the weaknesses and allowing compatibility and upgrades with older equipment. 802.11 WEP uses the IV and base key to generate streaming encryption keys for data encryption; this includes weak IVs, which could be compromised by a cracker if he has collected enough transmitted data frames. TKIP uses the IV and base key to hash a new key for every packet. [Figure residue; surviving labels: Plaintext Data, Data Stream, Cipher] The length of the IV has been
40. lt 001 gt LAN Frame ENETO XMIT Size 58 58 Time 12090 020 sec Frame Type TCP 192 31 7 130 80 gt 192 168 1 2 1116 Ethernet Header Destination MAC Addr O0080C84CEA63 Source MAC Addr 0DOA0C5921311 Network Type 0x0800 TCP IP IP Header IP Version 4 Header Length 20 Type of Service 0x00 0 Total Length 0x002C 44 Idetification 0x57F3 22515 Flags 0x02 Fragment Offset 0x00 Time to Live OxED 237 Protocol 0x06 TCP Header Checksum OxAC8C 44172 Source IP 0xC0O1F0782 192 31 7 130 Destination IP 0xC0A 80102 192 168 1 2 TCP Header Source Port 0x0050 80 Destination Port 0x045C 1116 Sequence Number 0x4AD1B57F 1255257471 Ack Number 0x00BD15A8 12391848 Header Length 24 Flags 0x12 A S Window Size OxFAFO 66040 Checksum 0xF877 63607 155 All contents copyright 2005 ZyXEL Communications Corporation 4yXttCCCCC C C C C 660 series Support Notes Urgent Ptr 0x0000 0 Options 0000 02 04 05 B4 RAW DATA 0000 00 80 C8 4C EA 63 00 A0 C5 92 13 11 08 00 45 00 L c E 0010 00 2C 57 F3 40 00 ED 06 AC 8C CO 1F 07 82 CO A8 W 0020 01 02 00 50 04 5C 4A D1 B5 7F 00 BD 15 A8 60 12 PJ 0030 FA FO F8 77 00 00 02 04 05 B4 ee eee lt Q002 gt LAN Frame ENETO RECV_ Size 60 60 Time 12090 210 sec Frame Ty
41. set to the protocol filters field. Even though SMT will prevent the inconsistency from being entered in ZyNOS, it is unable to resolve the intermixing problems existing in the filter sets that were configured before. Instead, when ZyNOS translates the old configuration into the new format, it will verify the filter rules and log the inconsistencies. Please check the system log (Menu 24.3.1) before putting your device into use. In order to avoid operational problems later, the P-660 will disable its routing/bridging functions if there is an inconsistency among its filter rules. Filter Examples: 1. A filter for blocking the web service 2. A filter for blocking a specific client 3. A filter for blocking a specific MAC address 4. A filter for blocking the NetBIOS packets. A filter for blocking the web service: Configuration. Before configuring a filter, you need to know the following information: 1. The outbound packet type (protocol & port number) 2. The source IP address. Generally, the outbound packets for Web service could be as follows: a. HTTP packet, TCP (06) protocol with port number 80 b. DNS packet, TCP (06) protocol with port number 53 or c. DNS packet, UDP (17) protocol with port number 53. For all workstations on the LAN, the source IP address will be 0.0.0.0. Otherwise, you have to enter an IP Address for the workstation you want to block. See the proced
42. system is going to restart warmstart the trap will be sent with the reason of restart before rebooting 1 For intentional reboot In some cases download new files CI command sys reboot reboot is done intentionally And traps with the message System reboot by user will be sent 11 For fatal error System has to reboot for some fatal errors And traps with the message of the fatal code will be sent 86 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes Produets l poyeVariables Group pERT Variables Group pIPxVariables Group pAPTYariables Group pERSYariable Group pial Invariables Group pRemotetlodeYariables Group pRemoteUserYariables Group Zyxel Traps Figure 3 ASEL Private Mie Tree e Downloading ZyXEL s private MIB e Configure the P 660 for SNMP The SNMP related settings in P 660 are configured in menu 22 SNMP Configuration The following steps describe a simple setup procedure for configuring all SNMP settings Menu 22 SNMP Configuration SNMP 87 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes Get Community public Set Community public Trusted Host 192 168 1 33 Trap Community public Destination 192 168 1 33 Press ENTER to Confirm or ESC to Cancel Key Settings Option Descriptions Get Enter the correct Get Community This Get Community must match the Get C
43. to DNS table in the DDNS server is updated, the DNS name for your web server (i.e., www.zyxel.com.tw) is still usable. 9. When do I need DDNS service? When you want your internal server to be accessed by using a DNS name rather than the dynamic IP address, you can use the DDNS service. The DDNS server allows you to alias a dynamic IP address to a static hostname. Whenever the ISP assigns you a new IP, the P-660 sends this IP to the DDNS server for its updates. 10. What is DDNS wildcard? Does the P-660 support DDNS wildcard? Some DDNS servers support the wildcard feature, which allows the hostname *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. This feature is useful when there are multiple servers inside and you want users to be able to use things such as www.yourhost.dyndns.org and still reach your hostname. Yes, the P-660 supports the DDNS wildcard that http://www.dyndns.org supports. When using wildcard, you simply enter yourhost.dyndns.org in the Host field in Menu 1.1 Configure Dynamic DNS. 11. Can the P-660's SUA handle IPSec packets sent by the IPSec gateway? Yes, the P-660's SUA can handle IPSec ESP Tunneling mode. We know that when packets go through SUA, SUA will change the source IP address and source port for the host. To pass IPSec packets, SUA must understand the ESP packet with protocol number
44. to check this IP address. 4. What is the micro filter or splitter used for? Generally, the voice band uses the lower frequency ranging from 0 to 4KHz, while ADSL data transmission uses the higher frequency. The micro filter acts as a low-pass filter for your telephone set to ensure that ADSL transmissions do not interfere with your voice transmissions. For the details about how to connect the micro filter, please refer to the user's manual. 5. The P-660 supports Bridge and Router mode, what's the difference between them? When the ISP limits some specific computers to access Internet, that means only the traffic to/from these computers will be forwarded and the other will be filtered. In this case, we use bridge mode, which works as an ADSL modem to connect to the ISP. The ISP will generally give one Internet account and limit only one computer to access the Internet. Most Internet users who have multiple computers and want to share an Internet account for Internet access have to add another Internet sharing device, like a router. In this case, we use the router mode, which works as a general Router plus an ADSL Modem. 6. How do I know I am using PPPoE? PPPoE requires a user account to login to the provider's server. If you need to configure a user name and password on your computer to connect to the ISP, you are probably using PPP
45. wireless gateway and wireless client. As long as the passwords match, a client will be granted access to a WLAN. Here is a WPA-PSK application example for your reference. Configuration for Access Point: The IEEE 802.1x standard outlines enhanced security methods for both the authentication of wireless stations and encryption key management. Authentication can be done using a local user database internal to the P662 (authenticate up to 32 users) or an external RADIUS server for an unlimited number of users. 1. To change your P662's authentication settings, click the Wireless link under Advanced. 2. Select the 802.1x/WPA tab. 3. Choose Authentication Required from the Wireless Port Control. 4. Select WPA-PSK in the Key Management Protocol field. 5. Type the Pre-Shared Key in the Pre-Shared Key field. 6. Select TKIP in the Group Data Privacy. 7. Click Apply to finish. Configuration for your PC: 1. Double-click on your wireless utility icon (here it is Centrino on Windows XP) in your Windows task bar; the utility will pop up on your Windows screen. 2. Select the wireless card that you want to configure. 3. Select on from the Switch Radio
46. 0 IP Mask 0 0 0 0 Port 0 Port Comp None TCP Estab N A More No Log None Action Matched Check Next Rule Action Not Matched Check Next Rule Press ENTER to Confirm or ESC to Cancel Saving to ROM Please wait Protocol and device rule cannot be active together To separate the device and protocol filter categories two new menus Menu 11 5 and Menu 13 1 have been added as well as some changes made to the Menu 3 1 Menu 11 1 and Menu 13 The new fields are shown below 63 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL CC C_ 660 series Support Notes Menu 3 1 Menu 3 1 General Ethernet Setup Input Filter Sets protocol filters device filters Output Filter Sets protocol filters device filters Menu 11 1 Menu 11 1 Remote Node Profile Rem Node Name LAN Route IP Active Yes Bridge No Encapsulation PPP Edit PPP Options No Incoming Rem IP Addr Rem Login test Edit IP IPX Bridge No Rem Password 7 7 7 287 Outgoing Session Options My Login testt Edit Filter Sets Yes My Password Authen CHAP PAP Press ENTER to Confirm or ESC to Cancel Menu 11 5 Menu 11 5 Remote Node Filter Input Filter Sets protocol filters device filters Output Filter Sets protocol filters device filters SMT will also prevent you from entering a protocol filter set configured in Menu 21 to the device filters field in Menu 3 1 11 5 or entering a device filter
47. 0 series Support Notes Criteria IP Protocol 6 Type of Service Don t Care Packet length 0 Precedence Don t Care Len Comp N A Source addr start 192 168 1 2 end 192 168 1 20 port start 0 end N A Destination addr start 0 0 0 0 end N A port start 80 end 80 Action Matched Gateway addr 192 168 1 254 Log No Type of Service No Change Precedence No Change Press ENTER to Confirm or ESC to Cancel This policy example forces the Web packets originated from the clients with IP addresses from 192 168 1 2 to 192 168 1 20 be routed to the remote LAN via the gateway 192 168 1 254 4 A summary for this set is shown in menu 25 1 Menu 25 1 IP Routing Policy Setup A Criteria Action 1 Y SA 192 168 1 2 192 168 1 20 DP 80 80 P 6 IGW 192 168 1 254 2N 3N 4N SN 6N Enter Policy Rule Number 1 6 to Configure 97 All contents copyright 2005 ZyXEL Communications Corporation 4yXPb 660 series Support Notes 4 There are two interfaces to apply the policy set they are the LAN interface menu 3 2 and WAN interface menu 11 3 It depends where the gateway specified in the policy rule is located If the gateway you specified is located on the local LAN you apply the policy set in menu 3 2 LAN interface If the gateway you specified is located on the remote WAN site you apply the policy set in menu 11 3 WAN interface Menu 3 2 TCP IP and DHCP Setup DHCP Setup DHCP Server Client IP Pool Startin
48. 034 to 1023 [Figure 1 residue; surviving labels: WAN protocol input filter sets, LAN device and protocol output filter sets, Protocol Filter Sets, Device Filter Sets] Generic and TCP/IP (and IPX) filter rules are in different filter sets. The SMT will detect and prevent the mixing of different category rules within any filter set in Menu 21. In the following example, you will receive an error message "Protocol and device filter rules cannot be active together" if you try to activate a TCP/IP (or IPX) filter rule in a filter set that has already had one or more active Generic filter rules. You will receive the same error if you try to activate a Generic filter rule in a filter set that has already had one or more active TCP/IP (or IPX) filter rules. Menu 21.1.1: Menu 21.1.1 - Generic Filter Rule. Filter #: 1,1; Filter Type = Generic Filter Rule; Active = Yes; Offset = 0; Length = 0; Mask = N/A; Value = N/A; More = No; Log = None; Action Matched = Check Next Rule; Action Not Matched = Check Next Rule. Menu 21.1.2: Menu 21.1.2 - TCP/IP Filter Rule. Filter #: 1,2; Filter Type = TCP/IP Filter Rule; Active = Yes; IP Protocol = 0; IP Source Route = No; Destination: IP Addr = 0.0.0.0, IP Mask = 0.0.0.0, Port # = 0, Port # Comp = None; Source: IP Addr = 0.0.0
49. 1 - Generic Filter Rule
  Filter #: 1,1
  Filter Type = Generic Filter Rule
  Active = Yes
  Offset = 6
  Length = 6
  Mask = ffffffffffff
  Value = 0080c84cea63
  More = No
  Log = None
  Action Matched = Drop
  Action Not Matched = Forward

Key Settings:
- Generic Filter Rule: Set the Filter Type to Generic Filter Rule.
- Active: Turn Active to Yes.
- Offset (in bytes): Set to 6. Since the source MAC address starts at the 7th octet, we need to skip the leading octets of the destination MAC address.
- Length (in bytes): Set to 6, since a MAC address has 6 octets.
- Mask (in hexadecimal): Specify the value that the P-660 will logically AND with the data in the packet. Since the Length is set to 6 octets, the Mask should be 12 hexadecimal digits. In this case we set it to ffffffffffff to mask the incoming source MAC address, 00:80:c8:4c:ea:63.
- Value (in hexadecimal): Specify the MAC address (00:80:c8:4c:ea:63) that the P-660 should compare with the masked packet. If the result from the masked packet matches the Value, the packet is considered matched.
- Action Matched: Enter the action you want if the masked packet matches the Value. In this case, we will drop it.
- Action Not Matched: Enter the action you want if the masked packet does not match the Value. In this case, we will forwar
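The mask-and-compare logic of the Generic filter rule above, as an added example (not code from the ZyXEL notes). The frames, the `ROUTER` address and the prefix rule are constructed for illustration; treating a too-short frame as "not matched" and forwarding a frame that falls off the end of a filter set are assumptions of this sketch, not documented ZyNOS behaviour.

```python
"""Model of a Generic (device) filter rule: mask-and-compare on raw frame bytes."""
from dataclasses import dataclass

FORWARD = "Forward"
DROP = "Drop"
CHECK_NEXT = "Check Next Rule"


@dataclass(frozen=True)
class GenericRule:
    offset: int              # bytes to skip from the start of the frame
    length: int              # number of bytes to examine
    mask: bytes              # ANDed with the examined bytes
    value: bytes             # compared with the masked bytes
    action_matched: str
    action_not_matched: str

    @classmethod
    def from_menu(cls, offset, length, mask_hex, value_hex,
                  action_matched, action_not_matched):
        """Build a rule from the strings typed into the rule menu."""
        for name, text in (("Mask", mask_hex), ("Value", value_hex)):
            if len(text) != 2 * length:
                raise ValueError(
                    f"{name} needs {2 * length} hex digits for Length {length}")
        return cls(offset, length, bytes.fromhex(mask_hex),
                   bytes.fromhex(value_hex), action_matched, action_not_matched)

    def can_match(self) -> bool:
        """False when Value has bits set outside Mask: such a rule never fires."""
        return all(v & ~m & 0xFF == 0 for v, m in zip(self.value, self.mask))

    def matches(self, frame: bytes) -> bool:
        field = frame[self.offset:self.offset + self.length]
        if len(field) < self.length:   # assumption: short frames do not match
            return False
        return bytes(b & m for b, m in zip(field, self.mask)) == self.value

    def action(self, frame: bytes) -> str:
        return self.action_matched if self.matches(frame) else self.action_not_matched


def run_filter_set(rules, frame, default=FORWARD):
    """Apply rules in order until one yields a final action.

    Assumption: a frame that reaches the end of the set is forwarded.
    """
    for rule in rules:
        verdict = rule.action(frame)
        if verdict != CHECK_NEXT:
            return verdict
    return default


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def ethernet_frame(dst: str, src: str, ethertype: int = 0x0800,
                   payload: bytes = b"\x00" * 46) -> bytes:
    """Destination MAC (octets 1-6), source MAC (octets 7-12), EtherType, payload."""
    return mac(dst) + mac(src) + ethertype.to_bytes(2, "big") + payload


# The rule from the menu above: drop frames whose source MAC is 00:80:c8:4c:ea:63.
BLOCK_ONE_MAC = GenericRule.from_menu(6, 6, "ffffffffffff", "0080c84cea63",
                                      DROP, FORWARD)
# Hypothetical variant: a partial mask compares only the first three source octets.
BLOCK_PREFIX = GenericRule.from_menu(6, 6, "ffffff000000", "0080c8000000",
                                     DROP, CHECK_NEXT)

ROUTER = "00:a0:c5:01:23:45"  # constructed address standing in for the P-660


def demo() -> dict:
    """Verdicts of the page's rule on three constructed frames."""
    frames = {
        "from blocked MAC": ethernet_frame(ROUTER, "00:80:c8:4c:ea:63"),
        "from other MAC": ethernet_frame(ROUTER, "00:80:c8:11:22:33"),
        "to blocked MAC": ethernet_frame("00:80:c8:4c:ea:63", ROUTER),
    }
    return {name: BLOCK_ONE_MAC.action(f) for name, f in frames.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} -> {verdict}")
```

`can_match()` is worth running over any rule before activating it: a Value with bits outside the Mask can never equal the masked data, so the rule silently filters nothing.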
50. 1 Can the P 660 s SUA handle IPSec packets sent by the IPSec gateway 14 12 How do I setup my P 660 for routing IPSec packets over SUA 4 14 135 Whatis Trane SDapn 7 tess oe tue a tees ee al dessins 14 14 What do the parameters PCR SCR MBS mean ccccccccssseeeeeeeeees 15 15 Why do we perform traffic shaping in the P 660 10 0 cccecccccccceceeseeeeeeeeeees 15 741 hy Dag tbs arenes en a a a a a a 16 1 How does ADSL compare to Cable modems 0 00 0 eeeeeeseeeceeeeeaeeeeeeeeeeees 16 2 What 1S the expected thronus hput persiani 16 l All contents copyright 2005 ZyXEL Communications Corporation ZyXEL ZyXEL P660 series Support Notes Sa W hatis Ne muchO Titer used Tor eenaa i E A OE 16 4 How do I know the ADSL line is Up sssssssseenessssssssseerssssssssserressssssseeerrssssss 16 5 How does the P 660 work on a noisy ADSL seossssssssenesssssssssceresssssssseeeees 16 6 Does the VC based multiplexing perform better than the LLC based MUDIE aa E a trae TS 17 7 How do I know the details of my ADSL line statistics 0 eeeeeeeeeeeeeees 17 8 What are the possible reasons when the ADSL link is down 0 0 eee 17 9 What are the signaling pins of the ADSL connector ccccccccessseeeeeeeeees 17 Firewall FAQ For P 660 H HW Only 0 ccc eecccccccceeseeecceeeaeeeeceeeeaneees 18 CCT e I E EE eens E A A E A TAEA A IN A E E 18 l Whats a NetWOrk rewal oeaan surabina
51. See the VPN rule screen shot.

[Screenshot: VPN-IKE IPSec Setup page, with fields Active, Name, IPSec Key Mode, Negotiation Mode, Encapsulation Mode, DNS Server (for IPSec VPN); Local: Local Address Type, IP Address Start, End / Subnet Mask; Remote: Remote Address Type, IP Address Start, End / Subnet Mask; Address Information: Local ID Type, Content, My IP Address, Peer ID Type, Content, Secure Gateway Address]

Set IKE Phase 1 and Phase 2 parameters.

[Screenshot: VPN-IKE Advanced Setup page, with Protocol, Enable Replay Detection, Local Start Port / End, Remote Start Port / End; Phase 1: Negotiation Mode Main, Pre-Shared Key 12345678, Encryption Algorithm DES, Authentication Algorithm MD5, SA Life Time (Seconds) 28800, Key Group; Phase 2: Active Protocol ESP, Encryption Algori
52. 2 <-> IGA2, ILA3 <-> IGA3, ILA4 <-> IGA4, Server IP <-> IGA1, Server 2 IP <-> IGA1

16. How many network users can the SUA/NAT support?

The Prestige does not limit the number of users, but the number of sessions. The P-660 supports 1024/2048 sessions; you can use the 'ip nat iface wanif0 st' command in menu 24.8 to view the current active sessions.

17. What are Device filters and Protocol filters?

In ZyNOS, the filters have been separated into two groups. One group is called the 'device filter group', and the other is called the 'protocol filter group'. Generic filters belong to the 'device filter group'; TCP/IP and IPX filters belong to the 'protocol filter group'.

18. Why can't I configure device filters or protocol filters?

In ZyNOS, you cannot mix different filter groups in the same filter set.

19. How can I protect against IP spoofing attacks?

The Prestige's filter sets provide a means to protect against IP spoofing attacks. The basic scheme is as follows.

For the input data filter:
- Deny packets from the outside that claim to be from the inside
- Allow everything that is not spoofing us

Filter rule setup:
- Filter type = TCP/IP Filter Rule
- Active = Yes
- Source IP Addr = a.b.c.d
- Source IP Mask = w.x.y.z
- Action Matched = Drop
- Action Not Matched = Forward

W
53. 3 default is 8db when the adaptive condition is matched system will continue to monitor the time period ersisttime before doing 1 shutdown RA3 default is 30 seconds timeinterval mins when 1 shutdown RA37is done twice and still can reach the max rate which system recorded it will delay a time period that the period base time is imeinterval before starting again The time based default is 2 hrs defectcheck onloff Turn on off detect table txgain value Set the CTRLE register Oxc3 the value is from Oxfa to 0x06 targetnoise value Set the CTRLE register Oxc4 the value is from Oxfa to 0x06 maxtonelimit value Set the CTRLE register Oxc5 the value is from Oxfa to 0x06 rxgain value Set the CTRLE register Oxc6 the value is from Oxfa to 0x06 txoutputpwr value Set the CTRLE register Oxc7 the value is from Oxfa to 0x06 rxoutputpwr value Set the CTRLE register Oxc8 the value is from Oxfa to 0x06 maxoutputpwr value Set the CTRLE register Oxc9 the value is from Oxfa to 0x06 sendes Send current error second information immediately 182 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes a a dygasprecover level value By default is 100 after receiving 100 dying gasp system will reboot a dygasprecover active onloffl Turn on off this mechanism rsploss 110 Turn on means to response signal loss of CTRLE immed
54. 6. What is the difference between the log and alert?

A log entry is just added to the log inside the P-660 and e-mailed together with all other log entries at the scheduled time as configured. An alert is e-mailed immediately after an attack is detected.

General Application Notes

1. Internet Access Using P-660 under Bridge mode
- Setup your workstation
- Setup your P-660 under bridge mode

If the ISP allows only some specific computers to access the Internet, only the traffic to/from these computers will be forwarded and the rest will be filtered. In this case, we use the P-660, working as an ADSL bridge modem, to connect to the ISP. The ISP will generally give one Internet account and limit Internet access to only one computer. See the figure below for this setup.

[Figure: Internet Access Using Modem Mode (SOHO network, Prestige, Internet; cross-over Ethernet cable)]

Set up your workstation

1. Ethernet connection
To connect your computer to the P-660's LAN port, the computer must have an Ethernet adapter card installed. For connecting a single computer to the P-660, we use a cross-over Ethernet cable.

2. TCP/IP configuration
In most cases, the IP address of the computer is assigned by the ISP dynamically, so you have to configure the computer as a DHCP client which obtains the IP from the ISP using DH
55. 64 bits with characters WEP key:
  Key1 = 2e3f4
  Key2 = 5y7js
  Key3 = 24fg7
  Key4 = 98jui
64 bits with hexadecimal digits WEP key:
  Key1 = 123456789A
  Key2 = 23456789AB
  Key3 = 3456789ABC
  Key4 = 456789ABCD

5. Site Survey
- Site survey introduction
- Preparation
- Survey on site

Introduction

What is Site Survey? An RF site survey is a map of the contour of RF coverage in a particular facility. With a wireless system it is very difficult to predict the propagation of radio waves and detect the presence of interfering signals. Walls, doors, elevator shafts and other obstacles offer different degrees of attenuation. This causes the RF coverage pattern to be irregular and hard to predict. A site survey can help us overcome these problems and even provide us with a map of the RF coverage of the facility.

Preparation

Below are the steps to complete a simple site survey with simple tools.

1. First you will need to obtain a facility diagram, such as blueprints. This is for you to mark and take records on.
2. Visually inspect the facility: walk through the facility to verify the accuracy of the diagram, and mark down on the diagram any large obstacle you see that may affect the RF signal, such as a metal shelf, metal desk, etc.
3. Identify the user's area. When doing so, ask where wireless coverage is needed and where it is not, and take note on the diagram; this is informa
56. 68.1.1:(none)): <Enter>
331 Enter PASS command
Password:
ftp> put prestige.bin ras
200 Port command okay
150 Opening data connection for STOR ras
226 File received OK
ftp: 924512 bytes sent in 4.83Seconds 191.41Kbytes/sec.
ftp>

Here, prestige.bin is the local file and ras is the remote file that will be saved in the Prestige. The Prestige reboots automatically after the uploading is finished.

Using FTP client software

Step 1: Rename the local firmware and configuration files to 'ras' and 'rom-0', because we cannot specify the remote file name in the FTP client software.
Step 2: Use the FTP client from your workstation to connect to the Prestige by entering the IP address of the Prestige.
Step 3: Enter the SMT password as the FTP login password. The default is '1234'.
Step 4: Press the 'OK' key to ignore the username, because the Prestige does not check the username.

Example

1. Connect to the Prestige by entering the Prestige's IP and SMT password in the FTP software. Set the transfer type to 'Auto-Detect' or 'Binary'.

[Screenshot: FTP client 'Edit Host' dialog, with Host Type, Host Address 192.168.1.1, User ID, Password, Transfer type and directory fields]
57. 735 14133 Urgent Ptr = 0x0000 (0) TCP Data (Length = 1127, Captured = 42)

[Hex dump of the captured TCP data and the RAW DATA of the frame]

Offline Trace
- Disable the capture of the WAN packet by entering: sys trcp channel mpoa00 none
- Enable the capture of the LAN packet by entering: sys trcp channel enet0 bothway
- Enable the trace log by entering: sys trcp sw on & sys trcl sw on
- Wait for packets to pass through the Prestige over the LAN
- Disable the trace log by entering: sys trcp sw off & sys trcl sw off
- Display the trace briefly by entering: sys trcp brief
- Display specific packets by using: sys trcp parse <from_index> <to_index>

2. Firmware/Configurations Uploading and Downloading using TFTP
- Using TFTP client software
- Using TFTP com
58. 8.1.1 ZyXEL Communications Corp ppp LCP Closing
Jul 19 11:44:05 192.168.1.1 ZyXEL Communications Corp ppp IPCP Closing
Jul 19 11:44:09 192.168.1.1 ZyXEL Communications Corp ppp CCP Closing
Jul 19 11:44:14 192.168.1.1 ZyXEL Communications Corp ppp BACP Closing

10. Using IP Alias
- What is IP Alias?

In a typical environment, a LAN router is required to connect two local networks. The P-660 can connect three local networks to the ISP or a remote node; we call this function 'IP Alias'. In this case, an internal router is not required. For example, the network manager can divide the local network into three networks and connect them to the Internet using the P-660's single user account. See the figure below.

[Figure: LAN1 192.168.1.0/24, LAN2 192.168.2.0/24 and LAN3 192.168.3.0/24 connected through the Prestige to the ISP. Caption: The Prestige's IP Alias connects three local networks to the Internet]

The P-660 supports three virtual LAN interfaces via its single physical Ethernet interface. The first network can be configured in menu 3.2 as usual. The second and third networks, which we call 'IP Alias 1' and 'IP Alias 2', can be configured in menu 3.2.1 - IP Alias Setup.

There are three internal virtual LAN interfaces for the P-660 to route the packets from/to the three networks correctly. They are enif0 for the major network, enif0:0 for IP alias 1 and enif0:1 for IP alias 2. Therefore, three routes are created in the P-660 as shown below when the three networks are configured. If th
59. A F 0x33333344444455555566667777888899990000AAAABBBBCCCCDDDDFFFF
Key4 = 0x4444445555556666667777888899990000AAAABBBBCCCCDDDDEEEEFFFF

Select one of the WEP keys as the default key to encrypt wireless data transmission. The receiver will use the corresponding key to decrypt the data. For example, if the access point uses Key 3 to encrypt data, then the station will use Key 3 to decrypt data. So Key 3 of the station has to equal Key 3 of the access point. Although the access point uses Key 3 as its default key, the station can use another key as its default key to encrypt wireless data transmission.

  Access Point (encrypt data by Key 3) -> Station (decrypt data by Key 3)
  Access Point (decrypt data by Key 2) <- Station (encrypt data by Key 2)

In this case, the access point transmits data to the station encrypted with Key 3 of the access point, and the station decrypts the data with its Key 3. At the same time, the station transmits data to the access point encrypted with Key 2, and the access point decrypts the data with its Key 2.

Setting up the Access Point with Web configurator

[Screenshot: Wireless LAN page of the web configurator, with Enable Wireless LAN, ESSID, Hide ESSID, Channel ID and RTS/CTS Threshold fields]
60. Budget: the speed you would like to allocate to this class.

Priority: Enter a number between 0 and 7 to set the priority of this class. The higher the number, the higher the priority. The default setting is 3.

Borrow bandwidth from parent class: Check this box if you would like to let this class borrow bandwidth from its parents when the required bandwidth is higher than the configured amount. Do not check this if you want to limit the bandwidth of this class to the configured value. Please note that you should also disable Maximize Bandwidth Usage on the interface to meet the condition.

Enable Bandwidth Filter: Check this to specify the traffic types via IP addresses/Port numbers.

Destination IP Address: Enter the IP address of the destination that meets this class.

Destination Subnet Mask: Enter the destination subnet mask.

Destination Port: Enter the destination port number of the traffic.

Source IP Address: Enter the IP address of the source that meets this class. Note that for traffic from LAN to WAN, since BWM is before NAT, you should use the IP address before NAT processing.

Source Subnet Mask: Enter the destination subnet mask.

Source Port: Enter the source port number of the traffic.

Protocol ID: Enter the protocol number for the traffic. 1 for ICMP, 6 for TCP or 17 for UDP.

After configuring BWM, you can check the current bandwidth of the configured traffic in A
61. CP protocol. The ISP may also provide the gateway and DNS via DHCP if they are available. Otherwise, please enter the static IP addresses for all that the ISP gives to you in the network TCP/IP settings. For Windows, we check the option 'Obtain an IP address automatically' in its TCP/IP setup; please see the example shown below.

[Screenshot: Windows TCP/IP Properties dialog, IP Address tab: "An IP address can be automatically assigned to this computer. If your network does not automatically assign IP addresses, ask your network administrator for an address, and then type it in the space below."]

Setup your P-660 under bridge mode

The following procedure shows you how to configure your P-660 as an ADSL modem for bridging traffic. We will use the SMT menu to guide you through the related menus. You can use the console or Telnet to finish these configurations.

1. Configure the P-660 in bridge mode in Menu 1 General Setup.

Menu 1 - General Setup
  System Name = P-660
  Location =
  Contact Person's Name =
  Domain Name =
  Edit Dynamic DNS = No
  Route IP = No
  Bridge = Yes

2. Configure a LAN IP for the P-660 and turn off the DHCP Server in Menu 3.2 TCP/IP Ethernet Setup. We use 192.168.1.1 in this case.

Menu 3.2 - TCP/IP and DHC
62. DP TCP etc destination address and port, TOS and precedence fields in the IP header, and length. The inclusion of the length criterion is to differentiate between interactive and bulk traffic. Interactive applications, e.g. Telnet, tend to have short packets, while bulk traffic, e.g. file transfer, tends to have large packets.

The actions that can be taken include routing the packet to a different gateway (and hence the outgoing interface) and the TOS and precedence fields in the IP header.

IPPR follows the existing packet filtering facility of ZyNOS in style and in implementation. The policies are divided into sets, where related policies are grouped together. A user defines the policies before applying them to an interface or a remote node, in the same fashion as the filters. There are 12 policy sets with 6 policies in each set.

- Setup the IP Policy Routing

1. Create a routing policy set in menu 25.

Menu 25 - IP Routing Policy Setup
  Policy Set #  Name        Policy Set #  Name
  1                         7
  2                         8
  3                         9
  4                         10
  5                         11
  6                         12
  Enter Policy Set Number to Configure = 1
  Edit Name = policy1
  Press ENTER to Confirm or ESC to Cancel:

2. Edit a rule or more for this set in menu 25.1.1. See an example below.

Menu 25.1.1 - IP Routing Policy
  Policy Set Name = First
  Active = Yes
63. DVANCED > BWM MGMT > Monitor. The values in the 'Current usage (kbps)' column display the actual number.

15. Using Zero Configuration
- Zero Configuration and VC auto-hunting

The Zero Configuration feature helps customers reduce the setup effort. Whenever the ADSL link comes up, the system sends out some probing patterns, analyzes the packets returned from the ISP and decides which services the ISP may provide. Because ADSL is based on an ATM network, the system has to have a pre-configured VPI/VCI hunting pool before the auto-configure function begins to work.

The Zero Configuration feature can hunt the encapsulation and VPI/VCI value, and the system will automatically configure itself if the hunting result is successful.

This feature has two constraints:
1. It supports an ISP that provides one kind of service (PPPoE, PPPoA, etc.) only; otherwise the hunting will get confused and fail.
2. VC auto-hunting only supports a dynamic WAN IP address. If the router is set to a static WAN IP address, the VC auto-hunting function will be disabled.

Each entry of the hunting pool must contain the VPI/VCI and which kinds of hunting patterns you wish to send. Whenever the system has sent out all the probing patterns with a specific VPI/VCI, it will wait for 5-10 seconds for the response from the ISP; the response patterns will decide which kinds of ADSL services of the line will be
64. Generally, SUA makes your LAN appear as a single machine to the outside world. LAN users are invisible to outside users. However, some applications such as Cu-SeeMe and ICQ will need to connect to the local user behind the P-660. In such a case, a SUA server must be entered in menu 15.2.1 to forward the incoming packets to the true destination behind SUA. Generally, we do not need extra settings in menu 15.2.1 for an outgoing connection, but for some applications we need to configure menu 15.2.1 to make the outgoing connection work. After the required menu 15.2.1 settings are completed, the internal server or client applications can be accessed by using the P-660's WAN IP address.

SUA Supporting Table

The following are the required menu 15.2.1 settings for the various applications running in SUA mode.

ZyXEL SUA Supporting Table
  None | 80/client IP
  None | 21/client IP
  None | 23/client IP (and remove Telnet filter in WAN port)
  POP3 | None | 110/client IP
  SMTP | None | 25/client IP
  mIRC | None for Chat. For DCC, please set Default/Client IP
  Windows PPTP
  ICQ 99a
  ICQ 2000b
  ICQ Phone 2000b
  Cornell 1.1 Cu-SeeMe
  White Pine 3.1.2 Cu-SeeMe
  White Pine 4.0 Cu-SeeMe
  Microsoft NetMeeting 2.1 & 3.01
  Cisco IP/TV 2.0.0
  RealPlayer G2
  VDOLive
  Quake 067
  QuakeII 2.30
  QuakeIII 1.05 beta
  StarCraft
  Quick Time 4.0
  pcAnywhere 8.0
  IPsec (ESP tunnel
65. Global Start IP Global End IP Type ete ee ee ae a a p Action Edit select Rule 0 Press ENTER to Confirm or ESC to Cancel We will just look at the differences from the previous menu Note that this screen is not read only so we have extra Action and Select Rule fields Not also that the in the Set Name field means that this is a required field and you must enter a name for the set The description of the other fields is as described above The Type Local and Global Start End IPs are configured in Menu 15 1 1 described later and the values are displayed here Field Description Option Enter a name for this set of rules This is a required field Please Set Name a i i f Rulel note that if this field is left blank the entire set will be deleted They are 4 actions The default is Edit Edit means you want to edit a selected rule see following field Insert Before means to insert a new rule before the rule selected The rule after the selected rule will Insert Before Delete Save Set advanced one rule Save Set means to save the whole set note when Action then be moved down by one rule Delete means to delete the selected rule and then all the rules after the selected one will be you choose this action the Select Rule item will be disabled When you choose Edit Insert Before or Save Set in the previous Select Rule field the cursor jumps to this field to allow you to select the rule to 1 apply the actio
66. Keys as you desire.

Configure Wireless Access Point to Infrastructure mode using Web configurator

To configure Infrastructure mode of your P-660HW-T1 wireless AP, please follow the steps below.

1. From the web configurator main menu, click Advanced > Wireless LAN to display the Wireless LAN page.

[Screenshot: Wireless LAN page, with Enable Wireless LAN, ESSID, Hide ESSID, Channel ID, RTS/CTS Threshold, Fragmentation Threshold, WEP Encryption and Key 1 to Key 4 fields]

  64-bit WEP: Enter 5 characters or 10 hexadecimal digits ("0-9", "A-F") preceded by 0x for each Key (1-4).
  128-bit WEP: Enter 13 characters or 26 hexadecimal digits ("0-9", "A-F") preceded by 0x for each Key (1-4).
  256-bit WEP: Enter 29 characters or 58 hexadecimal digits ("0-9", "A-F") preceded by 0x for each Key (1-4).

2. Configure the desired configuration on the P-660HW-T1.
3. Finished.

Configuration Wireless Station to Infrastructure mode

To configure Infrastructure mode on your ZyAIR B-100/B-200/B-300 wireless NIC card, please follow the following steps.

1. Double click on the utility icon in
67. L P 660 series Support Notes a A E a A category access O none 1 log record the access a ee attack O none 1 log 2 alert 3 both record and alert the Oe ee display display the category ee ee ee error O none 1 log 2 alert 3 both record and alert the T ipsec O none 1 log record the access ee Tod mten 0 none 1 log record the system ee ee ea a ee upnp 0 none 1 log record upnp logs urlblocked 0 none 1 log 2 alert 3 both record and alert the ene Stings urlforward O none 1 log record web forward p ees ieee o owr display display all logs O fe S e disp clear log error i display display mail setting logAddr mail address send logs to this mail address pf I schedule display display mail schedule schedule hour 0 23 hour time to send the logs schedule minute 0 59 minute time to send schedule policy O full 1 hourly 2 daily 3 weekly 4 none All contents copyright 2005 ZyXEL Communications Corporation online turn on off error log online display load load the log setting buffer mail alertAddr mail address send alerts to this mail address the logs mail schedule policy 168 ZyXEL P 660 series Support Notes schedule week O sun 1 mon 2 tue 3 wed 4 thu 5 fri 6 sat the logs server domainName IP mail server to send the logs P stbject mail subject save save the log setting buffer a ae active 0 no 1 yes active to enable unix ae ff aispicy displa
68. N Card > IEEE802.11b WLAN Card.

2. Select the 'Encryption' tab. Select the encryption type corresponding with the access point. Set up 4 Keys which correspond with the WEP Keys of the access point, and select one WEP key as the default key to encrypt wireless data transmission.

[Screenshots: ZyAIR utility, Security tab, with Encryption (64 Bit), WEP Key Entry (Create with PassPhrase or Manual Entry), Key Type (HEX or ASCII) and Key 1 to Key 4 fields]

Key settings

The WEP Encryption type of the station has to equal that of the access point.

Check the 'ASCII' field for a characters WEP key, or uncheck the 'ASCII' field for a hexadecimal digits WEP key. Hexadecimal digits don't need to be preceded by '0x'. For example
69. P 660 Series Support Notes For P 660R H HW T1 T3 T7 P 660H D1 D3 D7 Version3 40 Sep 2005 ZyXEL Unleash Networking Power ZyXEL P 660 series Support Notes INDE X cna E E 5 TE INO PAO e T EEE AO OOE EN 5 le aye om is Zy NOS ennnen ennn EEEE 5 2 How do I access the Prestige SMT menu ssssnnesssessssseerrssssssssseersssssssseeeeees 5 3 What is the default console port baud rate Moreover how do I change it 5 4 How do I update the firmware and configuration file ee eeeeccceeeeeeeeeeeeees 5 5 How do I upload the ZyNOS firmware code via console cceeeeseeeeeeeeeees 5 6 How do I upgrade backup the ZyNOS firmware by using TFTP client program VELAN a E ee cnr eae A Oene enna Aan TD eae ner 6 7 How do I upload ROMFILE via console port ceecccccccceeeeeeeseeeeeeeeeeeeeaas 6 8 How do I restore SMT configurations by using TFTP client program via DAN Ma etardalsoteaea i eniadaiseue dat stouedituielath aiiidsasiuetialeiouasteouetanenaictuseuetaaredeuinieouetethens 6 9 What should I do 1f I forget the system password cccccccceceesseeeeseeeeseeeeaes 6 10 How tose the Reset DUTON siccdemcsuscauessvcmasessustasndswiadaeenusewsesiuomuvedsuaterhieetadeneale 7 11 Whatis SUA Whenshould Tuse SUA 2 acs tersictereeicenec NAT 7 12 What is the difference between SUA and Multi NAT oneee 7 13 Is it possible to access a server running behind SUA from the outside Internet Li possible NOW 7 ts
70. P Setup
  DHCP Setup
    DHCP = None
    Client IP Pool Starting Address = N/A
    Size of Client IP Pool = N/A
    Primary DNS Server = N/A
    Secondary DNS Server = N/A
    Remote DHCP Server = N/A
  TCP/IP Setup
    IP Address = 192.168.1.1
    IP Subnet Mask = 255.255.255.0
    RIP Direction = None
    Version = N/A
    Multicast = None
    IP Policies =
    Edit IP Alias = No

3. Configure for Internet setup in Menu 11, Remote Node Profile.

Menu 11.1 - Remote Node Profile
  Rem Node Name = Bridge
  Active = Yes
  Encapsulation = RFC 1483
  Multiplexing = LLC-based
  Service Name = N/A
  Incoming: Rem Login = N/A, Rem Password = N/A
  Outgoing: My Login = N/A, My Password = N/A, Authen = N/A
  Route = None
  Bridge = Yes
  Edit IP/Bridge = No
  Edit ATM Options = No
  Edit Advance Options = No
  Telco Option: Allocated Budget (min) = N/A, Period (hr) = N/A, Schedule Sets = N/A, Nailed-Up Connection = N/A
  Session Options: Edit Filter Sets = No, Idle Timeout (sec) = N/A

Key Settings:
  Option         Description
  Encapsulation  Select the correct Encapsulation type that your ISP supports. For example, RFC 1483.
  Multiplexing   Select the correct Multiplexing type that your ISP supports. For example, LLC.
  Route/Bridge   Disable routing mode and enable bridge mode (Bridge = Yes).

4. Configure the ATM setting in Menu 1 6 Remote Node ATM Layer Options. In Menu 11.1 setup, Edit ATM Options Y
71. P name Enable the name of wan node Menu 11 1 wan node enable Enable the wan profile Menu 11 1 wan node disable Disable the wan profile wan node encap 1483lpppoalpppoelenet wan node mux velllc Set the wan multiplex Menu 11 1 Set PPP authentication type wan node service name Set PPPoE service name Set the wan bridge mode Menu 11 1 wan node bridge onloff Set the wan IP routing mode Menu 11 1 wan node routeip onloff wan node callsch Set call schedule set set number 0 means Menu 11 1 setl set2 set3 set4 empty wan node nailedup onloff Set nailed up connection on off Menu 11 1 wan node vpi num Set the wan vpi Range 0 255 Menu 11 6 wan node vci num si Set the wan vci Range 32 65535 Menu 11 6 Set the wan QOS type to be UBR or Menu 11 6 wan node qos ubrlcbr Set the wan protocol Ls wan node pcr num Set the wan PCR value Menu 11 6 Lo wan node mbs num Set the wan MBS value Menu 11 6 197 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes wan node wanip staticldynamic Menu 11 3 Set the wan IP address address wan node remoteip address subnet Set the remote gateway IP address and Menu 11 3 mask subnet mask wan node nat off sua full address Set type wan NAT mode to be off or Menu 11 3 mapping SUA or Full feature wan node rip nonelinloutlboth l Menu 11 3 eats Set the wan RIP mode and RIP version rip Llrip2bl
72. SUA. The port number of PPTP has to be entered in SMT Menu 15 for the P-660 to forward to the appropriate private IP address of the Windows NT server.

[Figure: PPTP client, Prestige, PPTP server]

Example

The following example shows how to dial to an ISP via the P-660 and then establish a tunnel to a private network. There are three items that you need to set up for the PPTP application: the PPTP server (WinNT), the PPTP client (Win9x) and the P-660.

1. PPTP server setup (WinNT)
- Add the VPN service from Control Panel > Network
- Add a user account for the PPTP logged-on user
- Enable the RAS port
- Select the network protocols from RAS, such as IPX, TCP/IP, NetBEUI
- Set the Internet gateway to the P-660

2. PPTP client setup (Win9x)
- Add one VPN connection from Dial-Up Networking by entering the correct username & password and the IP address of the P-660's Internet IP address for logging in to the NT RAS server
- Set the Internet gateway to the router that is connecting to the ISP

3. P-660 router setup
- Before making a VPN connection from Win9x to the WinNT server, you need to connect the P-660 router to your ISP first
- Enter the IP address of the PPTP server (WinNT server) and the port number for PPTP as shown below

Menu 15.2.1 - NAT Server Setup (Used for SUA Only)
  Rule  Start Port No.  End Port No.  IP Address
  1     Default         Default       0.0
73. SUA VERSUS NA Teenringen E 43 SMEM MS zasenn E E 44 NAT SOV Se aeia a a ata atuaeme aly daudaseuaannd 50 6 About Pilter amp Fiter Example S enra E E E 60 How does ZyXEL filter Work cern EN 60 PEREMO Pee Pear nn PE ert ret One een yen en ere eTOCs ey ae 65 7 Usine the Dynamic DNS DDNS Jcesersera a a 80 8 Network Management Using SNMP uu ecceeeeecceeeceeeeeeeeeeeeeeeeeeaeeeneees 82 D NI SUVS SY SUO E EEE E E E E 88 FOO OS CUD saasr eh scns sagerne ras tutors eaten sense saguesteaetodestsaeieers tiadacaneateseass 88 UNIX SeU a a a 89 TV XE Syslog Message Format arssiierini onin an a E 89 O Usmo IPAS caa a tied eee vente tiawad tens 92 Tie A sine TP Ponty ROUN Taesenunuien un i asset herein tas 94 12 Usine CalkScheduln iinan a a 99 PS Usmo TEMOU CaS ea a a a EAS 102 14 Using Bandwidth Managemenhl cccccccsssssseccececccaeeeeseeecceeeeeeaeeesseeeeeees 104 19 sine Zero Coni eura Oee A halen auwehisehalee anual 107 Wireless Application Notes For P 660HW Only 0 cc cceeeceececeeeeeees 112 1 Configure a Wireless Client to Ad hoc mode uu ceseeeeeeeeeeeeeeeeseeeeeeeeees 112 PAGO TUE OG UCU OD sist cms sacsstic ew cctrata S 112 Configuration for Wireless Station A ssssseeessssssssseeressssssssseersssss 112 Configuration for Wireless Station Bo eseeeseseceeeceeeeeeeeeeeeeees 115 2 Contieuring Intrastructure MOde vicc sei ois atlieeid TE 117 Infrastructure Introduction siccccac
74. Subnet Mask= 0.0.0.0
My WAN Addr= 0.0.0.0
NAT= None
Address Mapping Set= N/A
Metric= 2
Private= No
RIP Direction= Both
Version= RIP-2B
Multicast= IGMP-v2
IP Policies=
Enter here to CONFIRM or ESC to CANCEL:

Key Settings
Multicast: IGMP-v1 for IGMP version 1, IGMP-v2 for IGMP version 2.

14. Using Bandwidth Management

- Why Bandwidth Management (BWM)?

Nowadays, we have many different traffic types for Internet applications. Some traffic may consume high bandwidth, such as FTP (File Transfer Protocol), if you are downloading or uploading large files. Some other traffic may not require high bandwidth, but it requires a stable supply of bandwidth, such as VoIP traffic. The VoIP quality would not be good if all of the outgoing bandwidth is occupied by FTP. Additionally, chances are that you would like to grant higher bandwidth to somebody special who is using a specific IP address in your network. All of these are reasons why we need bandwidth management.

[Figure: traffic loads toward the Internet: FTP 10 Mbps, WEB 10 Mbps, Mail 5 Mbps, VoIP 128 kbps, WEB 500 kbps, WEB 200 kbps]

- How Bandwidth Management in Prestige P662 achieves BWM by
75. TCP/IP Filter Rule
Active= Yes
IP Protocol= 6  IP Source Route= No
Destination: IP Addr= 0.0.0.0  IP Mask= 0.0.0.0  Port= 53  Port Comp= Equal
Source: IP Addr= 0.0.0.0  IP Mask= 0.0.0.0  Port=  Port Comp= None
TCP Estab= No
More= No  Log= None
Action Matched= Drop
Action Not Matched= Check Next Rule
Press ENTER to Confirm or ESC to Cancel:

4. Rule 3 for (c) DNS packet: UDP (17), port number 53

Menu 21.1.2 - TCP/IP Filter Rule
Filter: 1,3
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 17  IP Source Route= No
Destination: IP Addr= 0.0.0.0  IP Mask= 0.0.0.0  Port= 53  Port Comp= Equal
Source: IP Addr= 0.0.0.0  IP Mask= 0.0.0.0  Port=  Port Comp= None
TCP Estab= No
More= No  Log= None
Action Matched= Drop
Action Not Matched= Forward
Press ENTER to Confirm or ESC to Cancel:

5. After the three rules are completed, you will see the rule summary in Menu 21.

Menu 21.1 - Filter Rules Summary
#  A  Type  Filter Rules                              M m n
1  Y  IP    Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=80       N D N
2  Y  IP    Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=53       N D N
3  Y  IP    Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=53      N D F

6. Apply the filter set to the Output Protocol Filter Set in the remote node setup.

A filter for blocking a specific client

Configuration
1. Create a filter set in Menu 21, e.g., set 1.
Menu 21 - Filter Set Configuration
Filter Filter Set Comments Set
76. TCP statistic counters syndata onloff TCP syndata piggyback trace onloff turn on off trace for debugging window tcb TCP input window size samenet lt ifacel gt lt iface2 gt display the ifaces that in the same net Ce a S ff support I primiftfptissupport pf stats I asp tay trp stats O xparent o ec fein jon ace face group break lt iface gt break iface to leave ipxparent group antiprobe fs lt OI1 gt 1 yes O no set ip anti probe flag pfigme a a level set igmp debug level forwardall onloff turn on off igmp forward to all interfaces flag querier onloff turn on off igmp stop query flag CO emma ei timeout S interval intervais stamp avery interval 178 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes a lt iface gt leave lt group gt leave a group on iface iftce gt query send query on iface lt iface gt rsptime time set igmp response time lt iface gt stop turn off of igmp on iface _ kiface gt tt thresholds set tl threshold lt iface gt vlcompat onloff turn on off vlcompat on iface robustness lt num gt set igmp robustness variable status dump igmp status pr clear clear ip pr table counter a information disp dump ip pr table counter information switch turn on off ip pr table counter flag a a a A eo gt timeout set nat gre timeout value pf iat trimeou set nat iamt ti
77. Use Add Wizard

Filter Types and SUA

Conceptually, there are two categories of filter rules: device and protocol. The Generic filter rules belong to the device category; they act on the raw data from/to LAN and WAN. The IP and IPX filter rules belong to the protocol category; they act on the IP and IPX packets.

In order to allow users to specify the local network IP address and port number in the filter rules with SUA connections, the TCP/IP filter function has to be executed before SUA for WAN outgoing packets and after SUA for WAN incoming IP packets. But at the same time, the Generic filter rules must be applied at the point when the P-660 is receiving and sending the packets, i.e. the ISDN interface. So the execution sequence has to be changed. The logic flow of the filter is shown in Figure 1, and the sequence of the logic flow for the packet from LAN to WAN is:
- LAN device and protocol input filter sets
- WAN protocol call and output filter sets
- If SUA is enabled, SUA converts the source IP address from 192.168.1.33 to 203.205.115.6 and port number from 1023 to 4034
- WAN device output and call filter sets

The sequence of the logic flow for the packet from WAN to LAN is:
- WAN device input filter sets
- If SUA is enabled, SUA converts the destination IP address from 203.205.115.6 to 192.168.1.33 and port number from 4
78. WAN to LAN ACL summary will look as shown below.
  Source IP: Telnet host
  Destination IP: router WAN IP
  Service: TCP/23
  Action: Forward
- You have disabled Telnet service in Menu 24.11.
- Telnet service is enabled but your host IP is not the secured host entered in Menu 24.11. In this case, the error message 'Client IP is not allowed' appears on the Telnet screen.
- The default filter rule 3 (Telnet_FTP_WAN) is applied in the Input Protocol field in menu 11.5.
- The console port is in use.

5. Why can't I upload the firmware and configuration file using FTP over WAN?
- When the firewall is turned on, all connections from WAN to LAN are blocked by the default ACL rule. To enable FTP from WAN, you must turn the firewall off (Menu 21.2) or create a firewall rule to allow FTP connection from WAN. The WAN to LAN ACL summary will look as shown below.
  Source IP: FTP host
  Destination IP: P-660's WAN IP
  Service: FTP TCP/21, TCP/20
  Action: Forward
- You have disabled FTP service in Menu 24.11.
- The default filter rule 3 (Telnet_FTP_WAN) is applied in the Input Protocol field in menu 11.5.

Log and Alert

1. When does the P-660 generate the firewall log?
The P-660 generates the log immediately when the packet matches, doesn't match, or both, a firewall rule. The log for Default Permit (LAN to WAN, WAN to LAN) is generated automatically. To generate the log for custom rules, the Log option in Web Configurator must
79. After that, the system will save back the correct VPI/VCI and also the service (encapsulation) type into the profile of the WAN interface.

- Configure the VC auto-hunting preconfigured table

1. Display the auto-hunting preconfigured table by using a CI command from menu 24.8:
wan atm vchunt disp
[Screenshot: output of "wan atm vchunt disp", listing 1. Configure Buffer, 2. RemoteNode (Read Only) and 3. VC Hunt Table (User setting)]

2. Add items to the auto-hunting preconfigured table by using CI commands:
wan atm vchunt add <remoteNodeIndex> <vpi> <vci> <service bit (hex)>
wan atm vchunt save

Note:
<remote node>: input the remote node index 1-8
<vpi>: vpi value
<vci>: vci value
<service>: it's a hex value
  bit0: PPPoE/VC (1)
  bit1: PPPoE/LLC (2)
  bit2: PPPoA/VC (4)
  bit3: PPPoA/LLC (8)
  bit4: Enet/VC (16)
  bit5: Enet/LLC (32)

For example:
If you need service PPPoE/LLC and Enet/LLC, then the service bits will be 2 + 32 = 34 (decimal) = 22 (hex); you must input 22.
If you want to enable all services for VC hunting, the service bits will be 1 + 2 + 4 + 8 + 16 + 32 = 63 (decimal) = 3f (hex); you must input 3f.
You need to perform save after this command.

wan atm vchunt add i atm vchunt re Wan atm vchunt display Configure Butt
80. acket is dropped or allowed when it matches this rule.
active <yes|no> : Edit whether a rule is enabled or not.
protocol <0-255> : Edit the protocol number for a rule.
<none|match|not match|both> : Sending a log for a rule when the packet matches the rule.
Activate or deactivate the notification when a DoS attack occurs or there is a violation of any alert settings. In case of such instances, the function will send an email to the SMTP destination address and log an alert.
srcaddr single <ip address> : Select and edit a source address of a packet which complies to this rule.
srcaddr subnet <ip address> <subnet mask> : Select and edit a source address and subnet mask of a packet which complies to this rule.
srcaddr range <start ip address> <end ip address> : Select and edit a source address range of a packet which complies to this rule.
destaddr single <ip address> : Select and edit a destination address of a packet which to this
destaddr subnet <ip address> <subnet mask> : Select and edit a
destaddr range <start ip address> <end ip address>
tcp destport single <port>
tcp destport range <start port> <end
81. afterward.

14. What do the parameters (PCR, SCR, MBS) mean?

Traffic shaping parameters (PCR, SCR, MBS) can be set in Menu 4 and Menu 11.6 and are valid for both incoming and outgoing directions, since G.shdsl is symmetric.

Peak Cell Rate (PCR): The maximum bandwidth allocated to this connection. The VC connection throughput is limited by PCR.

Sustainable Cell Rate (SCR): The least guaranteed bandwidth of a VC. When there are multiple VCs on the same line, the VC throughput is guaranteed by SCR.

Maximum Burst Size (MBS): The amount of cells transmitted through this VC at the Peak Cell Rate before yielding to other VCs. The total bandwidth of the line is dedicated to a single VC if there is only one VC on the line. However, as the other VCs ask for bandwidth, the MBS defines the maximum number of cells transmitted via this VC at the Peak Cell Rate before yielding to other VCs.

The P-660 holds the parameters for shaping the traffic among its virtual channels. If you do not need traffic shaping, please set SCR = 0, MBS = 0 and PCR as the maximum value according to the line rate (for example, a 2.3 Mbps line rate will result in a PCR of 5424 cell/sec).

15. Why do we perform traffic shaping in the P-660?

The P-660 must manage traffic fairly and provide bandwidth allocation for different sorts of applications, such as voice, video and data. All applications have the
82. an get IP settings assigned automatically if your network supports this capability. Otherwise, you need to ask your network administrator for the appropriate IP settings.
[Screenshot: TCP/IP properties dialog with the options "Obtain an IP address automatically" and "Use the following IP address", IP address 192.168.1.1, Subnet mask 255.255.255.0, and the preferred and alternate DNS server fields]

6. Fill in your network IP address and subnet mask and click OK to finish.

Configuration for Wireless Station B

To configure Ad-hoc mode on your ZyAIR B-100/B-200/B-300 wireless NIC card, please follow these steps:
1. Double-click on the utility icon in your Windows task bar; the utility will pop up on your Windows screen.
2. Select the configuration tab.
[Screenshot: IEEE802.11b WLAN PCI Card Utility, Configuration tab]
3. Select Ad-hoc from the operation mode pull-down menu, fill in an SSID and select a channel you want to use, then press OK to apply.
4. Since there is no DHCP server to give the host an IP, you must first designate a static IP for your station. From Windows Start, select Cont
83. an unsuspecting system. Systems may crash, hang or reboot.

8. What is Teardrop attack?

Teardrop attack exploits weakness in the reassembly of IP packet fragments. As data is transmitted through a network, IP packets are often broken up into smaller chunks. Each fragment looks like the original packet except that it contains an offset field. The Teardrop program creates a series of IP fragments with overlapping offset fields. When these fragments are reassembled at the destination, some systems will crash, hang or reboot.

9. What is SYN Flood attack?

SYN attack floods a targeted system with a series of SYN packets. Each packet causes the targeted system to issue a SYN-ACK response. While the targeted system waits for the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on what is known as a backlog queue. SYN-ACKs are moved off the queue only when an ACK comes back or when an internal timer (which is set at relatively long intervals) terminates the TCP three-way handshake. Once the queue is full, the system will ignore all incoming SYN requests, making the system unavailable for legitimate users.

10. What is LAND attack?

In a LAND attack, hackers flood SYN packets to the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself.

11. What is Brute force
84. and alter the packet forwarding based on the policy defined by the network administrator. Policy-based routing is applied to incoming packets on a per-interface basis, prior to the normal routing.

Network administrators can use IPPR to distribute traffic among multiple paths. For example, if a network has both the Internet and remote node connections, we can route the Web packets to the Internet using one policy and route the FTP packets to the remote LAN using another policy. See the figure below.

[Figure: Use IPPR to distribute traffic among multiple paths (Prestige, Internet, Remote LAN, Router)]

- Benefits

Source-Based Routing: Network administrators can use policy-based routing to direct traffic from different users through different connections.

Quality of Service (QoS): Organizations can differentiate traffic by setting the precedence or TOS (Type of Service) values in the IP header at the periphery of the network to enable the backbone to prioritize traffic.

Cost Savings: IPPR allows organizations to distribute interactive traffic on high-bandwidth, high-cost path while using low path for batch traffic.

Load Sharing: Network administrators can use IPPR to distribute traffic among multiple paths.

- How does the IPPR work?

A policy defines the matching criteria and the action to take when a packet meets the criteria. The action is taken only when all the criteria are met. The criteria include the source address and port, IP protocol CMP U
85. asctnassnsathoeibiscs aasnncaenduanseeesseatabc tu nndeeaden EEEa 8 l4 Whenedo Tnecd M NA TAr a N a 8 15 What IP Port mapping does Multi NAT support ccccccccsssseeeeeeeeeeeeeees 8 16 How many network users can the SUA NAT support cc eeeeeeeeeeeeeeeees 9 17 What are Device filters and Protocol filters cece eccceeeeeeeeceeeeeeeeeeeeaaeees 10 18 Why can t I configure device filters or protocol filters 0 0 eee 10 19 How can I protect against IP spoofing attacks i eeeccceccceecceeesseeeeeeeeees 10 5 12 6 FAO Ra ern ar ae E O er 12 lL How can Dinanage P 600 erursan e aei 12 2 What is the default user name and password to loging web configurator 12 3 How do I know the P 660 s WAN IP address assigned by the ISP 12 4 What is the micro filter or splitter used for sseessssoennssssssssseeressssssseserrssss 12 5 The P 660 supports Bridge and Router mode what s the difference between AoE 1 E retry tree E trey Cee ere tet ore E sere eee er Erte rere oer ste tere 12 6 How do l know Lam using PPPOE iccissetsicadesetwctaraapiuctsiaresisanaiielemienaanes 13 a Wiy does my provider use PPEOE h cecccasn arate tdi en E a 13 Be Whatis DDINS 7 sicscncsensactcdecasismeeist cnsineailendente a 13 9 When do lneed DDNS SEnviCe ecsshot sishceeieaiaecesieserice rect staatabaeieaueeseereteleteeses 13 10 What is DDNS wildcard Does the P 660 support DDNS wildcard 14 1
86. ase we need to configure Address Mapping Set from Menu 15.1 - Address Mapping Sets. Therefore, we must choose the Full Feature option from the NAT field in menu 4 or menu 11.3, and assign IGA3 to P-660 WAN IP Address.

Menu 4 - Internet Access Setup
ISP's Name= CHT
Encapsulation= PPPoE
Multiplexing= LLC-based
VPI= 0
VCI= 33
ATM QoS Type= CBR
Peak Cell Rate (PCR)= 0
Sustain Cell Rate (SCR)= 0
Maximum Burst Size (MBS)= 0
My Login= N/A
My Password= N/A
ENET ENCAP Gateway= N/A
IP Address Assignment= Static
IP Address= IGA3
Network Address Translation= Full Feature
Address Mapping Set= 1
Press ENTER to Confirm or ESC to Cancel:

Step 2: Go to menu 15.1 and choose not 255 (SUA) this time, to begin configuring this new set. Enter a Set Name, choose the Edit Action and then select 1 from the Select Rule field. Press ENTER to confirm. See the following setup for the four rules in our case.

Rule 1 Setup: Select One-to-One type to map the FTP Server 1 with ILA1 (192.168.1.10) to IGA1.

Menu 15.1.1.1 - Rule 1
Type= One-to-One
Local IP: Start= 192.168.1.10  End= N/A
Global IP: Start= [Enter IGA1]  End= N/A
Press ENTER to Confirm or ESC to Cancel:

Rule 2 Setup: Selecting One-to-One type t
87. Configuring NAT

To configure NAT, enter 15 from the Main Menu to bring up the following screen.

Menu 15 - NAT Setup
1. Address Mapping Sets
2. NAT Server Sets

Address Mapping Sets and NAT Server Sets

Use the Address Mapping Sets menus and submenus to create the mapping table used to assign global addresses to LAN clients. Each remote node must specify which NAT Address Mapping Set to use. The P-660 has 8 remote nodes and so allows you to configure 8 NAT Address Mapping Sets. You can see nine NAT Address Mapping Sets in Menu 15.1. You can only configure from Set 1 to Set 8. Set 255 is used for SUA. When you select Full Feature in menu 4 or 11.3, you must enter the correct NAT Set as well. When you select SUA Only, the SMT will use Set 255.

The NAT Server Set is a list of LAN-side servers mapped to external ports. To use this set (one set for the P-660), a server rule must be set up inside the NAT Address Mapping set. Please see NAT Server Sets for further information on these menus.

Enter 1 to bring up Menu 15.1 - Address Mapping Sets.

[Menu 15.1 - Address Mapping Sets: the numbered sets up to 8, then 255. SUA (read only), with the prompt "Enter Set Number to Edit:"]

Let's first look at Option 255. Option 255 is equivalent to SUA in previous ZyXEL routers. The fields in this menu cannot be changed. Ente
88. ct WPA-PSK from the Network Authentication field.
9. Select TKIP from the Data Encryption field.
10. Type the Pre-Share Key (8-63 characters) in the Pass phrase field.
11. Click Finish to exit the Profile Wizard screen.

[Screenshot: Profile Wizard, Step 2 of 2, Security Settings]

12. After you have finished the profile settings, choose the profile you configured. Then click the Connect button to associate with the Access Point.

[Screenshot: Intel(R) PROSet, PRO/Wireless LAN 2100 3B Mini PCI Adapter, Networks tab with the profiles list]

13. Click the General option we will see the follo
89. d it. If you want to configure more rules, please select 'Check Next Rule' to start configuring the next new rule. However, please note that the Filter Type must also be Generic Filter Rule, not any other type, because the Generic and TCP/IP (IPX) filter rules must be in different filter sets.

Menu 21.1.2 - Generic Filter Rule
Filter: 1,2
Filter Type= Generic Filter Rule
Active= Yes
Offset= 6
Length= 6
Mask= ffffffffffff
Value= 0080c810234a
More= No  Log= None
Action Matched= Drop
Action Not Matched= Forward

You can now apply it to the General Ethernet Setup in Menu 3.1. Please note that the Generic Filter can only be applied to the Device Filter, not the Protocol Filter, which is used for configuring the TCP/IP and IPX filters.

Menu 3.1 - General Ethernet Setup
Input Filter Sets:
  protocol filters=
  device filters= 1
Output Filter Sets:
  protocol filters=
  device filters=

A filter for blocking the NetBIOS packets

Introduction

The NetBIOS protocol is used to share a Microsoft computer of a workgroup. For security reasons, the NetBIOS connection to an outside host is blocked by the P-660 router by factory default. Users can remove the filter sets applied to menu 3.1 and menu 4.1 to activate the NetBIOS services. The details of the filter settings are described as follows.

Configuration
90. d on the LAN for outside access. In previous ZyNOS versions that supported SUA, 'visible' servers had to be of different types. The P-660 supports NAT sets on a remote node basis. They are reusable, but only one set is allowed for each remote node. The P-660 supports 8 sets since there are 8 remote nodes. The default SUA (Read Only) Set in menu 15.1 is a convenient, pre-configured, read-only, Many-to-One mapping set, sufficient for most purposes and helpful to people already familiar with SUA in previous ZyNOS versions.

SMT Menus

Applying NAT in the SMT Menus

You apply NAT via menus 4 and 11.3 as displayed next. The next figure shows how you apply NAT for Internet access in menu 4. Enter 4 from the Main Menu to go to Menu 4 - Internet Access Setup.

Menu 4 - Internet Access Setup
ISP's Name= CHT
Encapsulation= PPPoE
Multiplexing= LLC-based
VPI= 0
VCI= 33
ATM QoS Type= CBR
Peak Cell Rate (PCR)= 0
Sustain Cell Rate (SCR)= 0
Maximum Burst Size (MBS)= 0
My Login= cso hinet net
My Password= k
Idle Timeout (sec)= 0
IP Address Assignment= Static
IP Address= 200.1.2.1
Network Address Translation= Full Feature
Address Mapping Set= 1
Press ENTER to Confirm or ESC to Cancel:

The following figure shows how you apply NAT to the remote node in menu 11.3.

Menu 11.3 - Remote Node Network Layer Options
IP Options  Bridge Options  IP Addre
91. e Filter 2 2
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 17  IP Source Route= No
Destination: IP Addr= 0.0.0.0  IP Mask= 0.0.0.0  Port= 53  Port Comp= Equal
Source: IP Addr= 0.0.0.0  IP Mask= 0.0.0.0  Port= 137  Port Comp= Equal
TCP Estab= N/A
More= No  Log= None
Action Matched= Drop
Action Not Matched= Forward
Press ENTER to Confirm or ESC to Cancel:

2. After the first filter set is finished, you will get the complete rules summary as below.

Menu 21.2 - Filter Rules Summary
#  A  Type  Filter Rules                                       M m n
1  Y  IP    Pr=6, SA=0.0.0.0, SP=137, DA=0.0.0.0, DP=53       N D N
2  Y  IP    Pr=17, SA=0.0.0.0, SP=137, DA=0.0.0.0, DP=53      N D F

3. Apply the filter set 'NetBIOS_LAN' in the Input protocol filters in the Menu 3 for blocking the packets from LAN.

Menu 3.1 - General Ethernet Setup
Input Filter Sets:
  protocol filters= 2
  device filters=
Output Filter Sets:
  protocol filters=
  device filters=

7. Using the Dynamic DNS (DDNS)

- What is DDNS?

The DDNS service, an IP Registry, provides a public central database where information such as email addresses, hostnames, IPs, etc. can be stored and retrieved. This solves the problems if your DNS server uses an IP associated with dynamic IPs.

Without DDNS, we always tell t
92. e
sys snmp get community : Set the community string of get (Menu 22, SNMP)
sys snmp set community : Set the community string of set (Menu 22, SNMP)
sys snmp trusthost IP address : Set the IP address of trusted host (Menu 22, SNMP)
sys snmp trap community community : Set the community string of trap (Menu 22, SNMP)
sys snmp trap destination IP address : Set the destination address of trap (Menu 22, SNMP)
sys snmp discard : Discard changes
Set the SNMP parameters
password : Set system password, save immediately
sys baud 1-5 : Index 1 2 3 will be 38400 19200 9600 57600 115200 bps, save immediately, console speed (Menu 24.2.2)
sys server access ftp|telnet|web access type : Set the server access type to be 0: ALL, 1: None, 2: LAN only, 3: WAN only
sys server port ftp|telnet|web port : Set the server port number
sys server secureip ftp|telnet|web address : Set the server security IP address
sys server disp 1 : Display server settings; 1 means display buffer
sys server save : Save the embedded server remote management parameters
wlan load : Load system parameters into working buffer (Menu 3.5 for Wireless LAN)
wlan disp : Display the working buffer (Menu 3.5 for Wireless LAN)
wlan essid name : Set the wireless ESSID (Menu 3.5 for Wireless LAN)
wlan hideessid on|off : Set to hide ESSID or not
wlan
93. e P-660's DHCP is also enabled, the IP pool for the clients can be any of the three networks.

Copyright (c) 1994 - 2005 ZyXEL Communications Corp.
ras> ip ro st
Dest          FF  Len  Interface  Gateway       Metric  stat  Timer  Use
192.168.3.0   00  24   enif0:1    192.168.3.1   1       041b  0      0
192.168.2.0   00  24   enif0:0    192.168.2.1   1       041b  0      0
192.168.1.0   00  24   enif0      192.168.1.1   1       041b  0      0
ras>

Two new protocol filter interfaces in menu 3.2.1 allow you to accept or deny LAN packets from/to the IP alias 1 and IP alias 2 going through the P-660. The filter set in menu 3.1 is used for the main network configured in menu 3.2.

- IP Alias Setup

1. Edit the first network in menu 3.2 by configuring the P-660's first LAN IP address.

Menu 3.2 - TCP/IP and DHCP Setup
DHCP Setup
  DHCP= Server
  Client IP Pool Starting Address= 192.168.1.33
  Size of Client IP Pool= 6
  Primary DNS Server= 168.95.1.1
  Secondary DNS Server= 168.95.192.1
  Remote DHCP Server= N/A
TCP/IP Setup
  IP Address= 192.168.1.1
  IP Subnet Mask= 255.255.255.0
  RIP Direction= Both
  Version= RIP-1
  Multicast= None
  IP Policies=
  Edit IP Alias= Yes
Press ENTER to Confirm or ESC to Cancel:

Key Settings
DHCP Setup: If the P-660's DHCP server is enabled, the IP pool for the clients can be any of the three networks.
TCP/IP: Enter the first LAN IP address for the P-660. This will create the first route in the
94. - Type the CI command 'sys stdio 0' to disable console idle timeout in Menu 24.8 and stay in Menu 24.8
- Run the TFTP client software
- To download the SMT configuration, please get the remote file 'rom-0' from the Prestige
- To upload the SMT configuration, please save the remote file as 'rom-0' in the Prestige

An example:
[Screenshot: TFTP32 client window with Host 192.168.1.1, Port 69, Local File prestige.rom, Remote File rom-0 and Binary mode]

- 192.168.1.1 is the IP address of the Prestige.
- The local file is the source file of your configuration file that is available on your hard disk.
- The remote file is the file name that will be saved in the Prestige.
- Check the port number 69 and 512-octet blocks for TFTP.
- Check Binary mode for file transferring.

Using TFTP command on Windows NT

Before you begin:
1. TELNET to your Prestige first before using the TFTP command.
2. Type the CI command 'sys stdio 0' to disable console idle timeout in Menu 24.8 and stay in Menu 24.8.

- Download ZyNOS via LAN: c:\tftp -i [PrestigeIP] get ras [localfile]
- Upload SMT configurations via LAN: c:\tftp -i [PrestigeIP] put [localfile] rom-0
- Download SMT configurations via LAN: c t
95. e name gt restart ddns logout lt iface name gt logout ddns display display CPU utilization 2 Exit Related Commands Command Description exit exit smt menu 3 Ethernet Related Commands lt ch name gt enetO mpoa00 Command Description a config display LAN configuration information pS ativer a a a a ee pf isp lt name gt display ether driver counters clear lt name gt clear ether driver counters ie lt chuname gt lt num gt send driveriface lt ch_name gt Useless in this stage lt ch_name gt display LAN hardware related registers 173 All contents copyright 2005 ZyXEL Communications Corporation P 660 series Support Notes mode 1 turn off receiving 2 receive only packets of this interface 3 mode 2 broadcast 5 mode 2 multicast 6 all packets pkttest a packet lt level gt set ether test packet display level event lt ch gt onloff turn on off ether test event a sap ch mame name send sap send sap packet si 1 DO lt ch_name gt lt ip addr gt send arp packet to ip addr mm lt addr gt lt data gt type write memory data in address test lt ch_id gt lt test_id gt arg3 do LAN test ae pneconfig lt chmame gt oo name gt do pne do pne config si mac lt src_ch gt lt dest_ch gt fake mac address lt ipaddr gt 4 IP Related Commands lt hostid gt format xxx xxx xxx xxx ip Addres
96. eatures of the NAT based on RFC 1631, and we call this feature Multi-NAT. For more information on IP address translation, please refer to RFC 1631, The IP Network Address Translator (NAT).

How NAT works

If we define the local IP addresses as the Internal Local Addresses (ILA) and the global IP addresses as the Inside Global Address (IGA), see the following figure. The term 'inside' refers to the set of networks that are subject to translation. NAT operates by mapping the ILA to the IGA required for communication with hosts on other networks. It replaces the original IP source address (and TCP or UDP source port numbers) and then forwards each packet to the Internet ISP, thus making them appear as if they had come from the NAT system itself (e.g., the P-660 router). The P-660 keeps track of the original addresses and port numbers so incoming reply packets can have their original values restored.

[Figure 1: Local/Global IP Addresses (ISP; ILA: Inside Local Addresses; IGA: Inside Global Addresses)]

NAT Mapping Types

NAT supports five types of IP/port mapping. They are:
One-to-One: In One-to-One mode, the P-660 maps one ILA to one IGA.
Many-to-One: In Many-to-One mode, the P-660 maps multiple ILA to one IGA. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previou
97. ed read-only Many-to-One mapping set, sufficient for most purposes and helpful to people already familiar with SUA in previous ZyNOS versions. 13. Is it possible to access a server running behind SUA from the outside Internet? If possible, how? Yes, it is possible, because the P-660 delivers the packet to the local server by looking it up in a SUA server table. Therefore, to make a local server accessible to outside users, the port number and the inside IP address of the server must be configured in Menu 15.2.1 NAT Server Setup. 14. When do I need Multi-NAT? • Make a local server accessible from the outside Internet: When NAT is enabled, the local computers are not accessible from outside. You can use Multi-NAT to make an internal server accessible from outside. • Support non-NAT-friendly applications: Some servers providing Internet applications, such as some mIRC servers, do not allow users to log in using the same IP address. Thus users on the same network cannot log in to the same server simultaneously. In this case it is better to use the Many-to-Many No Overload or One-to-One NAT mapping types, so that each user logs in to the server using a unique global IP address. 15. What IP/port mapping does Multi-NAT support? NAT supports five types of IP/port mapping. They are: One to One, Many to One, Many to Many Overload, Many to Many No Overload and Ser
98. eed to manage on this interface This value is the budget of the st class tree s root Choose the principle to allocate bandwidth on this interface Priority Based Scheduler allocates bandwidth via priority Fairness Based allocates bandwidth by ratio Maximize Check this box if you would like to give residuary bandwidth from Interface to the 105 All contents copyright 2005 ZyXEL Communications Corporation P 660 series Support Notes classes who need more bandwidth than configured amount Do not select this if you want to reserve bandwidth for traffic that does not match a bandwidth class or you want to limit the bandwidth of each class at the configured value Please note that to meat the second condition you should also disable bandwidth borrowing on the class Go to ADVANCED gt BW MGMT gt Class Setup select the interface on which you would like to setup the Class tree Click the radio button besides the Root Class then press Add Sub Class Class Configuration Class Name Bandwidth Budget Priority App 300 Kops b 0 7 Borrow bandwidth from parent class Filter Configuration Enable Bandwidth Filter Destination IP Address 21 ok ee Dg Destination Subnet Mask 255 255 255 D Destination Port 2121 Source IP Address 192 168 1 D Source Subnet Mask 255 255 255 0 Source Port 0 lo Protocol ID Cancel Key Settings Class Name Givetisclassa name for example
99. 4. IP Related Commands; 5. WAN Related Commands; 6. PPP Related Command; 7. Bridge Related Command; 8. WLAN Related Commands; 9. Radius Related Command; 10. 8021x Related Command; 11. Configuration Related Command; 12. Firewall Related Command; DSM Related Command. ZyNOS FAQ 1. What is ZyNOS? ZyNOS is ZyXEL's proprietary Network Operating System. It is the platform on all Prestige routers that delivers network services and applications. It is designed in a modular fashion so it is easy for developers to add new features. New ZyNOS software upgrades can be easily downloaded from our FTP sites as they become available. 2. How do I access the Prestige SMT menu? The SMT interface is a menu-driven interface which can be accessed via a RS232 console or a Telnet connection. To access the Prestige via the SMT console port, a computer equipped with communication software such as HyperTerminal must be configured with the follo
100. elow Menu 15 2 1 NAT Server Setup Used for SUA Only Rule Start Port No End Port No IP Address Default Default 0 0 0 0 21 21 192 168 1 33 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 SS SS SoS eee Se GS SS Se Ss SS Press ENTER to Confirm or ESC to Cancel 53 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL CCCC P660 series Support Notes 3 Using Multiple Global IP addresses for clients and servers One to One Many to 0ne Server Set mapping types are used General Server 192 168 120 Other Clients 192 168 1 Prestige FIP Server 1 192 168 1 10 3 IGAs Assigned by ISP FIP Server 2 192 168 1 11 Mapping Multiple GAs for clients and servers In this case we have 3 IGAs IGA1 IGA2 and IGA3 from the ISP We have two very busy internal FTP servers and also an internal general server for the web and mail In this case we want to assign the 3 IGAs by the following way using 4 NAT rules e Rule 1 One to One type to map the FTP Server 1 with ILA1 192 168 1 10 to IGAI e Rule 2 One to One type to map the FTP Server 2 with ILA2 192 168 1 11 to IGA2 e Rule 3 Many to One type to map the other clients to IGA3 e Rule 4 Server type to map a web server and mail server with ILA3 192 168 1 20 to IGA3 Type Server allows us to specify multiple servers of different types to other machines behind NAT on the LAN Step I In this c
101. er RemoteNode Read Only VPI VCI RN VPI ser setting 3 Delete items from the auto haunting preconfigured table by useing CI command wan atm vchunt remove lt remote node gt lt vpi gt lt vci gt Wan atm vchunt remove wan atm vchunt display Configure Buffer RemoteNode Read Only VPI CI RN VPI ser setting 400H 3 fH 5 The usage command argument is listed below suggest to use 3f which include all PPP possiblities Add lt remoteNodeIndex gt Add a entry to hunting pool lt vpi gt lt vci gt lt service bit hex gt lt remote node gt input the remote node index 1 8 lt vpi gt vpi value lt vci gt vci value lt service gt it s a hex value bitO PPPoE VC 1 bit PPPoE LLC 2 bit2 PPPoA VC 4 bit3 PPPoA LLC 8 109 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL Remove lt removeNodeld gt lt vpi gt lt vci gt Active lt yesIno gt display Clear Save timer Send result e Using Zero configuration P 660 series Support Notes bit4 Enet VC 16 bit5 Enet LLC 32 For examples If you need service PPPoE LLC and Enet LLC then the service bits will be 2 32 34 decimal 22 hex you must input 22 Need to perform save after this command Input remote node ID and vpi vci value to remove the specific entry System will save automatically Enable VC auto hunting featurer Display the hunt pool Clear
102. er with its own address and the source port in the TCP or UDP header with another value chosen out of a local pool. It then recomputes the appropriate header checksums and forwards the packet to the Internet as if it originated from the Prestige, using the IP address assigned by the ISP. When reply packets from the external Internet are received by the Prestige, the original IP source address and TCP/UDP source port numbers are written into the destination fields of the packet (since it is now moving in the opposite direction), the checksums are recomputed, and the packet is delivered to its true destination. This is possible because SUA keeps a table of the IP addresses and port numbers of the local systems currently using it. 12. What is the difference between SUA and Multi-NAT? SUA (Single User Account) in previous ZyNOS versions is a NAT set with 2 rules: Many-to-One and Server. The P-660 now has Full Feature NAT support to map global IP addresses to local IP addresses of clients or servers. With multiple global IP addresses, multiple servers of the same type (e.g., FTP servers) are allowed on the LAN for outside access. In previous ZyNOS versions that supported SUA, visible servers had to be of different types. The P-660 supports NAT sets on a remote node basis. They are reusable, but only one set is allowed for each remote node. The P-660 supports 8 sets since there are 8 remote nodes. The default SUA (Read Only) Set in menu 15.1.255 is a convenient pre configur
103. es to enter Menu 11 6 sub Menu Menu 11 6 Remote Node ATM Layer Options VPI 0 VCI 33 ATM QoS Type CBR Peak Cell Rate PCR 0 Sustain Cell Rate SCR 0 Maximum Burst Size MBS 0 Key Settings Option Description VPI amp VCI Specify a VPI Virtual Path Identifier and a VCI Virtual Channel Identifier number given to you by your ISP 2 Internet Access Using P 660 under Router mode For most Internet users having multiple computers want to share an Internet account for Internet access they have to install an Internet sharing device like a router In this case we use the P 660 which works as a general Router plus an ADSL Modem See the figure below for this setup SOHO Network Prestige Internet Set up your workstation 1 Ethernet connection 28 All contents copyright 2005 ZyXEL Communications Corporation 4yXftCCCCC C C C C C C 660 series Support Notes Connect the LAN ports of all computers and the P 660 to a HUB using a straight Ethernet cable 2 TCP IP configuration Since the P 660 is set to DHCP server as default so you need only to configure the workstations as the DHCP clients in the networking settings In this case the IP address of the computer is assigned by the P 660 The P 660 can also provide the DNS to the clients via DHCP if it is available For this setup in Windows we check the option Obtain an IP address automatically in its TCP IP setup Please see the example s
104. es Support Notes Y Intel R PROSet Slee File Action Tools Help Network Components PRO Wireless LAN 2100 38 Mini PCI Adapter ne 4 Networks Adapter Troubleshooting Signal Quality Go Radio switched off Network Name SSID CSOG1000 Profile Marne Mo profile Mode lt Radio off gt Security Radio off gt Speed Radio off gt Band Frequency Radio off gt Channel lt Riadio off gt 802 1 Protocol Disabled W Show the tray icon 4 choose Network option 5 Add a new wireless profile T Intel R PROSet File Action Tools Help Fl Network Components i PRO Wireless LAN 2100 3B Mini PCI Adapter Profiles list Automatically connect to available networks in specified order of the profile list Profile Hame Metwork Hame Edit Advanced Available Networks View all networks within range of your k wireless adapter acan M Show the tray icon Cancel Apply Help 149 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL 66D series Support Notes 6 Type the Profile Name and Network Name SSID in the field 7 Click Next button Profile Wizard Step 1 of General Settings T Operating Mode O Infrastructure Connect to an Access Point Ad hoc Connect directly to other computers Password protect this profile Advanced Network Settings Mandatory AP Enable Cisco Client etensions Enable Auto Inport 8 Sele
106. ew firewall logs there are two steps you need to do: 1. Enable the log function in the Centralized logs setup via either one of the following methods: • Web configuration: Advanced Logs Log Settings, check the Access Control and Attacks options depending on your real situation. • CI command: sys logs category access attack. 2. Enable the log function in the firewall default policy or in firewall rules. After the above two steps, you can view firewall logs via: 1. Web Configurator: Advanced Logs. 2. View the log by CI command: sys logs disp. You can also view Centralized logs via mail or syslog; please configure the mail server or Unix Syslog server in Advanced Logs Log Settings. 4. When does the P-660 generate the firewall alert? The P-660 generates the alert when an attack is detected by the firewall and sends it via Email. So to send the alert, you must configure the mail server and Email address using the Web Configurator. You can also specify how frequently you want to receive the alert via the Web Configurator. 5. What does the alert show to us? The alert shown in the Email is actually the events of the attack. So the Reason column shows Attack and the attack type. Please see the example shown below. Time Packet Information Reason Action 127 Mar 15 0 From 192 168 1 1 To 192 168 1 1 lattack block 103 04 54IICMP type 00008 code 00000 Iland
107. f an authentication key would you like to create Create an authentication key pair and a certificate Enroll fora certificate Create a preshared key 4 Give this preshared key a name ZYWALL And then enter the preshared key 12345678 in both Shared secret and Confirm shared secret fields Finally press Finish 137 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes Create Preshared Key Type in the shared secret Give the preshared key a name that is for your reterence only Type the shared secret twice to avoid typos Use the fingerprint to verify the secret with the other party involved in the communication without revealing the actual secret Preshared key Mame Zya LL Shared secret frm Confirm shared secret per Fingerprint SH amp 1 fc 2the 5 Press Apply in Main menu to save the above settings for latter use 5 55H Sentinel Policy Editor Security Policy Key Management H E Trusted Policy Servers Trusted Certificates cE a Certification Authorities o H Remote Hosts F a Directory Services J F My Keys host key fg checkpoint certificate em Add ee ZyWALL Ay Add Remove Properties WEW Description The keys that are used for authenticating the local host OF Cancel Ke ts 6 Switch to Security Policy tab Choose VPN connections and then press Add
108. field Default LAN IP is 192 168 1 1 default password to login web configurator is 1234 Go to Advanced gt VPN Select Negotiation Mode to Main as we configured in Sentinel Local IP Address Type is Subnet Address Start is 0 0 0 0 End Subnet Mask is 0 0 0 0 Remote IP leave the field as defalut My IP Addr is the LAN IP of Prestige Secure Gateway IP Addr is 0 0 0 0 Select Encapsulation Mode to Tunnel Check the ESP check box AH can not be used in SUA NAT case Select Encryption Algorithm to DES and Authentication Algorithm to MD5 as we configured in Sentinel Enter the key string 12345678 in the Preshared Key text box and click Apply Press Advanced button to set IKE phase 1 and phase 2 parameters Telnet or console connect to Prestige SMT menu 24 8 and then issue this command ipsec route lan on Please note that if you simply issue this command in Menu 24 8 this will be lose efficacy after rebooting to make it function all the time please save this command into Prestige by the following CI command in Menu 24 8 a please type sys edit autoexec net b press 1 then type Ipsec route lan on c press x to save the configuration 144 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL ZyXEL TOTAL INTERNET ACCESS SOLUTION Main Menu Advanced Setup C Password 2 LAN Wireless LAM WAN WAT 2 Dynamic DNS Time And Date E Firewall content Fiter e YPN
109. ftp 1 PrestigeIP get rom O localfile Using TFTP command on UNIX Before you begin 1 TELNET to your Prestige first before using TFTP command 2 Type the CI command sys stdio 0 to disable console idle timeout in Menu 24 8 and stay in Menu 24 8 Example cppwu faelinux cppwu telnet 192 168 1 1 Trying 192 168 1 1 Connected to 192 168 1 1 Escape character is J Password Copyright c 1994 2005 ZyXEL Communications Corp Prestige 660 Main Menu Getting Started Advanced Management 1 General Setup 21 Filter Set Configuration 3 Ethernet Setup 22 SNMP Configuration 4 Internet Access Setup 23 System Password 24 System Maintenance Advanced Applications 11 Remote Node Setup 12 Static Routing Setup 15 SUA Server Setup 99 Exit Enter Menu Selection Number 24 161 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes Menu 24 System Maintenance System Status System Information and Console Port Speed Log and Trace Diagnostic Backup Configuration Restore Configuration Firmware Update COs TO GN Bs Boo a a Command Interpreter Mode Enter Menu Selection Number 8 Copyright c 1994 2005 ZyXEL Communications Corp ras gt sys stdio 0 Open a new window cppwu faelinux cppwul tftp I 192 168 1 1 get rom 0 local rom lt change to binary mode lt download configurations cppwu faelinux cppwu tftp I 192 168 1 1 put
110. g IP Src xx xx xx xx Dst xx xx xx xx prot spo xxxx dpo xxxx S04 gt RO1mD IP is the packet header and SO4 gt RO1mD means filter set 4 S and rule 1 R match m drop D Src Source Address Dst Destination Address prot Protocol TCP UDP ICMP spo Source port dpo Destination port Example Jul 19 14 44 09 192 168 1 1 ZyXEL Communications Corp IP Src 202 132 154 1 Dst 192 168 1 33 UDP spo 0035 dpo 05d4 S03 gt RO1mF Jul 19 14 44 13 192 168 1 1 ZyXEL Communications Corp IP Src 192 168 1 33 Dst 202 132 154 1 ICMP SO03 gt RO1mF 4 PPP Log Format sdcmdSyslogSend SYSLOG_PPPLOG SYSLOG_NOTICE String String ppp Proto Starting ppp Proto Opening ppp Proto Closing ppp Proto Shutdown Proto LCP ATCP BACP BCP CBCP CCP CHAP PAP IPCP IPXCP Example Jul 19 11 43 25 192 168 1 1 ZyXEL Communications Corp ppp LCP Starting Jul 19 11 43 29 192 168 1 1 ZyXEL Communications Corp ppp IPCP Starting Jul 19 11 43 34 192 168 1 1 ZyXEL Communications Corp ppp CCP Starting Jul 19 11 43 38 192 168 1 1 ZyXEL Communications Corp ppp BACP Starting 91 All contents copyright 2005 ZyXEL Communications Corporation 4yXftCCCCC C C C C C 660 series Support Notes Jul 19 11 43 43 192 168 1 1 ZyXEL Communications Corp ppp IPCP Opening Jul 19 11 43 51 192 168 1 1 ZyXEL Communications Corp ppp CCP Opening Jul 19 11 43 55 192 168 1 1 ZyXEL Communications Corp ppp BACP Opening Jul 19 11 44 00 192 16
111. g Address 192 168 1 33 Size of Client IP Pool 32 Primary DNS Server 0 0 0 0 Secondary DNS Server 0 0 0 0 Remote DHCP Server N A TCP IP Setup IP Address 192 168 1 1 IP Subnet Mask 255 255 255 0 RIP Direction Both Version RIP 1 Multicast None IP Policies 1 Edit IP Alias No Press ENTER to Confirm or ESC to Cancel Menu 11 3 Remote Node Network Layer Options IP Options Bridge Options Rem IP Addr Ethernet Addr Timeout min N A Rem Subnet Mask 0 0 0 0 My WAN Addr 0 0 0 0 NAT None Address Mapping Set N A 98 All contents copyright 2005 ZyXEL Communications Corporation 4yXPb_ 660 series Support Notes Metric 2 Private No RIP Direction Both Version RIP 2B Multicast IGMP v2 IP Policies 1 Enter here to CONFIRM or ESC to CANCEL 12 Using Call Scheduling e What is Call Scheduling Call scheduling enables the mechanism for the P 660 to run the remote node connection according to the pre defined schedule This feature is just like the scheduler ina video recorder which records the program according to the specified time Users can apply at most 4 schedule sets in Menu 11 Remote Node Setup and configure each schedule in Menu 26 Schedule Setup The remote node configured with the schedule set could be Forced On Forced Down Enable Dial On Demand or Disable Dial On Demand on specified date and time e SMT Menu for Call Scheduling 1 Edit the Schedule sets in menu 26 Copyright
112. ght 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes Wireless Application Notes For P 660HW Only 1 Configure a Wireless Client to Ad hoc mode e Ad hoc Introduction e Configuration for wireless station A e Configuration for wireless station B Ad hoc Introduction What is Ad Hoc mode Ad hoc mode is a wireless network consists of a number of stations without access points Without using an access point or any connection to a wired network a client unit in Ad hoc operation mode can communicate directly to other client units just as using a cross over Ethernet cable connecting 2 host together via a NIC card for direct connection when configured in Ad hoc mode without an access point being present Ad hoc operation is ideal for small networks of no more than 2 4 computers Larger networks would require the use of one or perhaps several access points Wireless qy__ less NIC RF signal amp pn Wireless Station A Wireless Station B Configuration for Wireless Station A To configure Ad hoc mode on your ZyAIR B 100 B 200 B 300 wireless NIC card please follow the following step 1 Double click on the utility icon in your windows task bar the utility will pop up on your windows screen 112 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes 2 Select configuration tab IEEEBO 11b WLAN PCI Card Utility Link Info Configuration Site Survey
113. guration i ee Power 1 19dbm 2 18dbm Change TX power level 3 16dbm 4 15dbm 5 14dbm chg_dot1l Imode Set WLAN state to mix DO show_rxDesc Show number of Rx host P S ia 187 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes o ow Show acx run time statistics 9 Radius Related Command Command Description rads auth show current radius authentication server configuration show current radius accounting server configuration 10 8021x Related Command 8021x debug level debug level set ieee802 1x debug message D b a Le trace show all supplications in the a a a username show the specified user status in a a ee ee 11 Configuration Related Command The parameters of config are listed below edit firewal active Activate or lt yeslno deactivate the gt saved firewall settings retriev firewal Retrieve current e l saved firewall settings save firewal Save the current a ed a E displa firewal Displays all the a a Fe set Display current lt set gt entries of a set configuration including timeout values name default permit and number of rules in 188 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL rule lt rule gt lt set gt attack e mail e mail mail server lt mail server IP gt return addr lt e mail address gt e mail to lt e mail address gt
114. hcp mac table table o S e C l sam reae ipad o mame O o aO enable ans debug vame FT rae hostnames meou revolve name to ipaddr 175 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes eff tate display dns query table rere rma econ hi stats efter clear dns statistics disp display dns statistics pe ae ff aisptay dns table a a ff debug tonto sethttp debug flag _ iemp S echo onloff set icmp echo response flag O status display icmp statistic counter trace onloff turn on off trace for debugging discovery lt iface gt onloff set icmp router discovery flag ifconfig iface ipaddr broadcast configure network lt addr gt Imtu interface lt value gt Idynamic Tring fd S ost lt hostid gt lt size gt pong remote host lt time interval gt e OO aged dS t Continue to send ECHO_REQ until Ctrl C input LL d Data Data pattern The maximum length of data is 255 characters i seor ee A l Data size Datagram size in bytes with 28 bytes Header pong v TOS value Specify the value of TOS a a ee n Repeat value The number of times to re ee ee w Timeout value Specify the value of AFO TO P a S o IP address IFace To specify one IP address 176 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes or interface to be the a ee
115. he log SHOW to UsS esssssssssseeessssssssserrssssssssseresssssssses 23 3 How do view hetre wall log sinense te acaeeiies 23 4 When does the P 660 generate the firewall alert 24 5 What does the alert SHOW 10 US 7 sincsssevsdaetassieuisredeactaumevaeesaniee eee 24 6 What is the difference between the log and alert ee eeeeeee 24 General Application Notes 0000eo0eesosoeoeeeeeennesssssssssssssssseeteererersssssssssssssssesees 25 1 Internet Access Using P 660 under Bridge m0de cc ceeecccccecceeesseeeeeeeeees 25 Setup vour WOLK SLALOM ai eara e A EE iene 25 Setup your P 660 under bridge mode ssssnoeeesssssssseeerssssssssseerssssss 26 2 Internet Access Using P 660 under Router m0de cc eeecccccccecceeesseeeeeeeeees 28 Sel Up VOUF Workstation sedasi i E 28 2 All contents copyright 2005 ZyXEL Communications Corporation Del UP Ol POOO E taken O 29 3 Setup the P 660 as a DHCP Ray sesiesvevesuesesnadsasdenedsnsadedsiandenteueacinedsindersduenatiads 31 To OA NO ar T eae te 32 Tested SUA NAT Applications ccccccssssssssseeeececeeeeeesseeeeeeeeenaes 32 Configure an Internal Server Behind SUA ce cccceeseseeeeeeeees 36 Configure a PPTP server behind SUA ecccccccceeeeeeeeeeeseeeeeees 37 Da Sime IVA NA Desene tee ene teeta ania er des 4 Whats Muli NAT renano a a 4 DN Ade EADS EY OCS ashe cats ete sansa der wa arden E det emwtineuteaeccennns 42
116. he users to use the WAN IP of the P-660 to access the internal server. This is inconvenient for the users if this IP is dynamic. With DDNS supported by the P-660, you apply for a DNS name (e.g., www.zyxel.com.tw) for your server (e.g., a Web server) from a DDNS server. The outside users can always access the web server using www.zyxel.com.tw regardless of the WAN IP of the P-660. When the ISP assigns the P-660 a new IP, the P-660 must inform the DDNS server of the change of this IP so that the server can update its IP-to-DNS entry. Once the IP-to-DNS table in the DDNS server is updated, the DNS name for your web server (i.e., www.zyxel.com.tw) is still usable. The DDNS server stores password-protected email addresses with IPs and hostnames and accepts queries based on email addresses. So there must be an email entry in the P-660 menu 1. The DDNS server the P-660 currently supports is WWW.DYNDNS.ORG, where you apply for the DNS name and update the WAN IP. • Setup the DDNS: 1. Before configuring the DDNS settings in the P-660, you must first register an account with the DDNS server, such as WWW.DYNDNS.ORG. After the registration, you have a hostname for your internal server and a password used to update the IP to the DDNS server. 2. Toggle the Configure Dynamic DNS option to Yes and press ENTER to configure the settings of the DDNS in menu 1.1. Menu 1 General Setup: System Name P-660, Location, Contact Person's Name, Domain Name, Edit Dyna
117. here a.b.c.d is an IP address on your local network and w.x.y.z is your netmask. For the output data filters: • Deny bounceback packet • Allow packets that originate from us. Filter rule setup: • Filter Type: TCP/IP Filter Rule • Active: Yes • Destination IP Addr: a.b.c.d • Destination IP Mask: w.x.y.z • Action Matched: Drop • Action No Matched: Forward. Where a.b.c.d is an IP address on your local network and w.x.y.z is your netmask. General FAQ 1. How can I manage the P-660? • Menu-driven user interface for easy network management • Local and remote console management • Web configurator • Telnet remote management • TFTP (Trivial File Transfer Protocol) and FTP firmware upgrade and configuration backup and restore. 2. What is the default user name and password to log in to the web configurator? The default user name is admin and the password is 1234. You can change the password when logged in to the web configurator in the Advanced Setup > Password menu. Please record your new password whenever you change it. The system will lock you out if you have forgotten your password. 3. How do I know the P-660's WAN IP address assigned by the ISP? You can view My WAN IP <from ISP>: 200.1.1.1 shown in menu 24.1
118. here all our LAs map to one IGA assigned by the ISP See the following figure 51 All contents copyright 2005 ZyXEL Communications Corporation Client 1 ILAI Client 2 ILA2Z Client 3 ILA3 N IGA Assigned by ISP Client 4 ILA4 Internet Access Using NAT Many tc Menu 4 Internet Access Setup ISP s Name CHT Encapsulation PPPoE Multiplexing LLC based VPI 0 VCI 33 ATM QoS Type CBR Peak Cell Rate PCR 0 Sustain Cell Rate SCR 0 Maximum Burst Size MBS 0 My Login cso hinet net My Password kk Idle Timeout sec 0 IP Address Assignment Dynamic IP Address N A Network Address Translation SUA Only Address Mapping Set N A Press ENTER to Confirm or ESC to Cancel From Menu 4 shown above simply choose the SUA Only option from the NAT field This is the Many to One mapping discussed earlier The SUA read only option from the NAT field in menu 4 and 11 3 1s specifically pre configured to handle this case 52 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes 2 Internet Access with an Internal Server Client 1 ILA Client 2 ILAZ Prestige Client 3 ILA3 N IGA Assigned by ISP FTP Server ILA4 In this case we do exactly as above use the convenient pre configured SUA Only set and also go to Menu 15 2 1 NAT Server Setup Used for SUA Only to specify the Internet Server behind the NAT as shown in the NAT as shown b
119. hosts group and 224.0.0.2 is assigned to the multicast routers group. IGMP (Internet Group Management Protocol) is the protocol used to support multicast groups. The latest version is version 2 (see RFC 2236). IP hosts use IGMP to report their multicast group membership to any immediate neighbor multicast routers so the multicast routers can decide if a multicast packet needs to be forwarded. At start-up, the P-660 queries all directly connected networks to gather group membership. After that, the P-660 updates the information by periodic queries. The P-660 implementation of IGMP is also compatible with version 1. The multicast setting can be turned on or off on Ethernet and remote nodes. • IP Multicast Setup: Enable IGMP in the P-660's LAN in menu 3.2. Menu 3.2 TCP/IP and DHCP Setup. DHCP Setup: DHCP: Server; Client IP Pool Starting Address: 192.168.1.33; Size of Client IP Pool: 32; Primary DNS Server: 0.0.0.0; Secondary DNS Server: 0.0.0.0; Remote DHCP Server: N/A. TCP/IP Setup: IP Address: 192.168.1.1; IP Subnet Mask: 255.255.255.0; RIP Direction: Both; Version: RIP-1; Multicast: IGMP-v2; IP Policies; Edit IP Alias: No. Press ENTER to Confirm or ESC to Cancel. Enable IGMP in the P-660's remote node in menu 11.3. Menu 11.3 Remote Node Network Layer Options. IP Options Bridge Options Rem IP Addr Ethernet Addr Timeout min N/A Rem
120. hown below TCP IP Properties El x Bindings Advanced NetBIOS DNS Configuration Gateway WINS Configuration IP Address An F address can be automatically assigned to this computer IF your network does not automatically assign IF addresses ack your network administrator for an address and then type it in the space below Specify an IP address Set up your P 660 The following procedure shows you how to configure your P 660 as Router mode for routing traffic We will use SMT menu to guide you through the related menu You can use console or Telnet for finishing these configurations 1 Configure P 660 as router mode in Menu General Setup Menu 1 General Setup System Name P 660 Location 29 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes Contact Person s Name Domain Name Edit Dynamic DNS No Route IP Yes Bridge No 2 Configure a LAN IP for the P 660 and the DHCP settings in Menu 3 2 TCP IP Ethernet Setup The settings except of the DNS addresses shown below are the pre configured defaults Menu 3 2 TCP IP and DHCP Setup DHCP Setup DHCP Server Client IP Pool Starting Address 192 168 1 33 Size of Client IP Pool 6 Primary DNS Server 168 95 1 1 Secondary DNS Server 168 95 192 1 Remote DHCP Server N A TCP IP Setup IP Address 192 168 1 1 IP Subnet Mask 255 255 255 0 RIP Direction Both Version RIP 1 Multicast None IP Po
121. iately default is off Jam test oo fixlrandlperiodloamlloopback Generate ATM traffic hwsar disp Display hwsar packets incoming outgoing information ae i hwsar packets 6 PPP Related Command remote a a aa remote bod er Pf teset ss es resetbod status lt wan_iface gt emoet wan port bod EA C dda lt wan_ lt wan_iface gt clear wan clear wan port bod data _ bod data lt node gt lt dir gt config the statistic method for remote node bod traffic data P feeb lono show bod debug flag a ee ee ee po itisp show bod state po tear clear bod state onloff epay dial in ccp je eee acfc onloff set address control field A a a E onloff set protocol field A S 183 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes onloff set incoming call MP ae set bandwidth control anna ea lt retry_count gt Es retry count to send echo request time lt interval gt set display time interval o send echo qre __ connection on ppp interface lt iface gt show ipcp state timeout value set timeout interval when waiting for response from remote configure value eae fsm try ge failure value set display fsm try ee ee ee terminate value set display fsm try terminate idcompress set display slot id D a E address onloff set display 1 p one ee a a default show link default SE po Pf rotate
122. Before you configure the filter, you need to know the MAC address of the client first. The MAC address can be provided by the NICs. If there are LAN packets passing through the P-660, you can identify the uninteresting MAC address from the P-660's LAN packet trace. Please have a look at the following example to see the trace of the LAN packets.
ras> sys trcp channel enet0 bothway
ras> sys trcp sw on
(Now a client on the LAN is trying to ping Prestige.)
ras> sys trcp sw off
ras> sys trcp disp
TIME 37c060 enet0 RECV len 74 call 0
0000 00 a0 c5 01 23 45 00 80 c8 4c ea 63 08 00 45 00
0010 00 3c eb 0c 00 00 20 01 e3 ea ca 84 9b 5d ca 84
0020 9b 63 08 00 45 5c 03 00 05 00 61 62 63 64 65 66
0030 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76
0040 77 61 62 63 64 65 66 67 68 69
TIME 37c060 enet0 XMIT len 74 call 0
0000 00 80 c8 4c ea 63 00 a0 c5 01 23 45 08 00 45 00
0010 00 3c 00 07 00 00 fe 01 f0 ef ca 84 9b 63 ca 84
0020 9b 5d 00 00 4d 5c 03 00 05 00 61 62 63 64 65 66
0030 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76
0040 77 61 62 63 64 65 66 67 68 69
The detailed format of the Ethernet Version II frame: Ethernet Version II: Address: 00 80 C8 4C EA 63 (Source MAC) > 00 A0 C5 23 45 (Destination MAC); Ethernet II Protocol Type: IP. Internet Protocol: Version (MSB 4 bits): 4; Header length (LSB 4 bits): 5; Ser
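An added example (not part of the ZyXEL notes): a Python parser for the `sys trcp disp` dump above that pulls the Ethernet II addresses out of each frame and verifies the IPv4 header checksum, which also catches slips made when a dump is copied by hand or scanned. The function names are hypothetical; the frame bytes are the ones shown in the trace.

```python
import ipaddress
import re

# The two frames from the trace above, with scanning slips corrected
# (channel name enet0, byte 0c).
TRACE = """\
TIME 37c060 enet0 RECV len 74 call 0
0000 00 a0 c5 01 23 45 00 80 c8 4c ea 63 08 00 45 00
0010 00 3c eb 0c 00 00 20 01 e3 ea ca 84 9b 5d ca 84
0020 9b 63 08 00 45 5c 03 00 05 00 61 62 63 64 65 66
0030 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76
0040 77 61 62 63 64 65 66 67 68 69
TIME 37c060 enet0 XMIT len 74 call 0
0000 00 80 c8 4c ea 63 00 a0 c5 01 23 45 08 00 45 00
0010 00 3c 00 07 00 00 fe 01 f0 ef ca 84 9b 63 ca 84
0020 9b 5d 00 00 4d 5c 03 00 05 00 61 62 63 64 65 66
0030 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76
0040 77 61 62 63 64 65 66 67 68 69
"""

# Tolerates optional punctuation around the fields ("len:74", "enet0-RECV").
HEADER = re.compile(r"TIME\W+(\w+)\s+(\S+?)\W(RECV|XMIT)\s+len\W*(\d+)")
HEXLINE = re.compile(r"^\s*([0-9a-fA-F]{4}):?((?:\s+[0-9a-fA-F]{2})+)\s*$")


def split_frames(text):
    """Split a trace dump into frames, checking the hex offsets are contiguous."""
    frames = []
    for line in text.splitlines():
        head = HEADER.search(line)
        if head:
            frames.append({"time": head.group(1), "channel": head.group(2),
                           "direction": head.group(3),
                           "declared_len": int(head.group(4)), "data": b""})
            continue
        row = HEXLINE.match(line)
        if row and frames:
            frame = frames[-1]
            if int(row.group(1), 16) != len(frame["data"]):
                raise ValueError("offset gap: a hex line is missing or damaged")
            frame["data"] += bytes.fromhex("".join(row.group(2).split()))
    for frame in frames:
        # A capture shorter than the declared length is flagged, not rejected.
        frame["complete"] = len(frame["data"]) == frame["declared_len"]
    return frames


def header_checksum_ok(header):
    """A valid IPv4 header sums to 0xFFFF in 16-bit ones' complement."""
    total = sum(int.from_bytes(header[i:i + 2], "big")
                for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def decode(frame):
    """Decode the Ethernet II header and, for IPv4, the addresses and checksum."""
    data = frame["data"]
    if len(data) < 14:
        raise ValueError("shorter than an Ethernet II header")
    out = {"direction": frame["direction"],
           "dst_mac": fmt_mac(data[0:6]),      # destination comes first on the wire
           "src_mac": fmt_mac(data[6:12]),
           "ethertype": int.from_bytes(data[12:14], "big")}
    if out["ethertype"] == 0x0800 and len(data) >= 34:
        ihl = (data[14] & 0x0F) * 4            # header length in bytes
        if ihl >= 20 and len(data) >= 14 + ihl:
            ip = data[14:14 + ihl]
            out.update(ip_version=data[14] >> 4, protocol=ip[9],
                       src_ip=str(ipaddress.IPv4Address(ip[12:16])),
                       dst_ip=str(ipaddress.IPv4Address(ip[16:20])),
                       ip_checksum_ok=header_checksum_ok(ip))
    return out


def lan_senders(text):
    """Source MACs of frames the router received: candidates for a MAC filter."""
    return sorted({decode(f)["src_mac"] for f in split_frames(text)
                   if f["direction"] == "RECV"})


if __name__ == "__main__":
    for f in split_frames(TRACE):
        print(decode(f))
```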
123. increased from 24 bits to 48 bits. Rollover of the counter is eliminated. Reuse of keys is less likely. [Figure: Temporal Key, Phase 1 and Phase 2 key mixing, MIC key, and WEP encapsulation of the plaintext MSDU into ciphertext MPDUs] Setting up the Access Point [Figure: Wireless Stations and RF signal] Most access points and clients have the ability to hold up to 4 WEP keys simultaneously. You need to specify one of the 4 keys as the default key for data encryption. To set up the Access Point, you will need to set one of the following parameters: 64-bit WEP key (secret key) with 5 characters; 64-bit WEP key (secret key) with 10 hexadecimal digits; 128-bit WEP key (secret key) with 13 characters; 128-bit WEP key (secret key) with 26 hexadecimal digits; 256-bit WEP key (secret key) with 29 characters; 256-bit WEP key (secret key) with 58 hexadecimal digits. You can set up the Access Point by SMT or Web configurator. Setting up the Access Point from SMT Menu 3.5: the P660HW-T1 holds up to 4 WEP keys. You have to specify one of the 4 keys as the default key, which will be used to encrypt wireless data transmission. For example
124. ing mode Microsoft Messenger Service 3 0 Microsoft Messenger Service 4 6 4 7 5 0 none UPnP Net2Phone Network Time Protocol NTP Win2k Terminal Server Remote Anything P 660 series Support Notes None None for Chat For DCC please set ICQ gt preference gt connections gt firewall and set the firewall time out to 0 seconds in firewall setting None for Chat None None 7648 chient IP amp 24032 chient IP 7648 client IP amp 24032 client IP None None None None None None None 6112 chient IP None None None one client only 6901 client IP None for Chat File transfer Video and Voice None None None None 1723 chient IP Default client IP None for Chat 6701 client IP 7648 client IP Default client IP Default client IP 1720 chient IP 1503 client IP Default client IP Default client IP 563 1 client IP 5632 client IP 22 client IP Default Client 6901 client IP None for Chat File transfer Video and Voice 6701 client IP 123 server IP 3389 server IP 3996 4000 client IP 34 All contents copyright 2005 ZyXEL Communications Corporation Virtual Network Computing et Hp VNC None PREA IP 5900 client IP AIM AOL Instant Messenger None for Chat and IM None for Chat and IM e Donkey None 4661 4662 client IP A None Default client IP IVISTA 4 1 None 80 server IP Microsoft Xbox Live None N A Since SUA enables y
125. ir own natural bit rate. Large data transactions have a fluctuating natural bit rate. The P-660 is able to support variable traffic among different virtual connections. Certain traffic may be discarded if the virtual connection experiences congestion. Traffic shaping defines a set of actions taken by the P-660 to avoid congestion; traffic shaping takes measures to adapt to unpredictable fluctuations in traffic flows and other problems among virtual connections. ADSL FAQ 1. How does ADSL compare to Cable modems? ADSL provides a dedicated service over a single telephone line; cable modems offer a dedicated service over a shared media. While cable modems have greater downstream bandwidth capabilities (up to 30 Mbps), that bandwidth is shared among all users on a line, and will therefore vary, perhaps dramatically, as more users in a neighborhood get online at the same time. Cable modem upstream traffic will in many cases be slower than ADSL, either because the particular cable modem is inherently slower, or because of rate reductions caused by contention for upstream bandwidth slots. The big difference between ADSL and cable modems, however, is the number of lines available to each. There are no more than 12 million homes passed today that can support two-way cable modem transmissions, and while the figure also grows steadily, it will not catch up
126. Start Date: kday setting. For example, if Start Date is 2000-10-02 (Monday), but Monday setting in weekday can be No. How Often: If Once is selected, all weekday settings will be marked as N/A. After the rule is completely it will be deleted automatically. Forced On: The node will always keep up during the setting period. It is equivalent to disabling the idle timeout. Forced Down: The node will always keep down during the setting period. The connected remote node will be dropped. Enable Dial-On-Demand: The remote node accepts Dial-on-demand during this period. Disable Dial-On-Demand: The remote node denies any demand dial during the period. For the existing connected nodes, it will be dropped after idle timeout and no triggered up. Start Time / Duration: Start Time and Duration of this schedule. Apply the schedule to the Remote node: Multiple scheduling rules can be programmed in a Remote node and they have priority. For example, if we program the sets as 1, 2, 3, 4 in the remote node, then set 1 will override sets 2, 3, 4; set 2 will override 3, 4; and so on. Menu 11.1 - Remote Node Profile: Rem Node Name= CHT; Route= IP; Active= Yes; Bridge= No; Encapsulation= PPPoE; Edit IP/Bridge= No; Multiplexing= LLC-based; Edit ATM Options= No; Service Name= N/A; Edit Advance Options= No; Incoming: Rem Login= N/A; Rem Password= N/A; Telco Option: Allocated Budget (min)= 0; Period (hr)= 0; Schedule Sets= 1,2,3,4; Outgoing: My Login= cso hinet net; Nai
127. l IP address (IGA). If you have a dynamic IP, enter 0.0.0.0 as the Global Start IP. Global IP End: This is the ending global IP address (IGA). This field is N/A for One-to-One, Many-to-One and Server types. Examples: 0.0.0.0, 200.1.1.64. Note: For all Local and Global IPs, the End IP address must begin after the IP Start address, i.e. you cannot have an End IP address beginning before the Start IP address. NAT Server Sets: The NAT Server Set is a list of LAN-side servers mapped to external ports (similar to the old SUA menu of before). If you wish, you can make inside servers for different services, e.g. Web or FTP, visible to the outside users, even though NAT makes your network appear as a single machine to the outside world. A server is identified by the port number, e.g. Web service is on port 80 and FTP on port 21. As an example (see the following figure), if you have a Web server at 192.168.1.36 and an FTP server at 192.168.1.33, then you need to specify for port 80 (Web) the server at IP address 192.168.1.36 and for port 21 (FTP) another at IP address 192.168.1.33. [Figure: FTP Server 192.168.1.33 and Web Server 192.168.1.36 behind the global IP assigned by the ISP] Please note that a server can support more than one service, e.g. a server can provide both FTP and Mail service, while another provides only Web service. The following p
128. led Up Connection No My Password 7 Session Options Authen N/A Edit Filter Sets No Idle Timeout (sec) 0. Time Service in P-660: There is no RTC (Real Time Clock) chip, so the P-660 should launch a mechanism to get the current time and date from an external server at boot time. Time service is implemented by the Daytime protocol (RFC 867), Time protocol (RFC 868) and NTP protocol (RFC 1305). You have to assign the IP address of a time server, and then the P-660 will get the date, time and time zone information from this server. Menu 24.10 - System Maintenance - Time and Date Setting: Use Time Server when Bootup= Daytime (RFC-867); Time Server IP Address= 202.132.154.1; Current Time: 00:11:38; New Time (hh:mm:ss): 00:11:36; Current Date: 2000-01-01; New Date (yyyy-mm-dd): 2000-01-01; Time Zone= GMT 0800; Daylight Saving= No; Start Date (mm-dd): 01-00; End Date (mm-dd): 01-00. Press ENTER to Confirm or ESC to Cancel. 13. Using IP Multicast. What is IP Multicast? Traditionally, IP packets are transmitted in two ways: unicast or broadcast. Multicast is a third way to deliver IP packets to a group of hosts. Host groups are identified by class D IP addresses, i.e. those with 1110 as their higher-order bits. In dotted decimal notation, host group addresses range from 224.0.0.0 to 239.255.255.255. Among them, 224.0.0.1 is assigned to the permanent IP
129. licies= ; Edit IP Alias= No. 3. Configure for Internet setup in Menu 4 Internet Access Setup. Menu 4 - Internet Access Setup: ISP's Name= CHT; Encapsulation= PPPoE; Multiplexing= LLC-based; VPI #= 0; VCI #= 33; ATM QoS Type= CBR; Peak Cell Rate (PCR)= 0; Sustain Cell Rate (SCR)= 0; Maximum Burst Size (MBS)= 0; My Login= cso hinet net; My Password= 444; Idle Timeout (sec)= 0; IP Address Assignment= Dynamic; IP Address= N/A; Network Address Translation= SUA Only; Address Mapping Set= N/A. Press ENTER to Confirm or ESC to Cancel. Key Settings (Option: Description). Encapsulation: Select the correct Encapsulation type that your ISP supports. For example, RFC 1483. Multiplexing: Select the correct Multiplexing type that your ISP supports. For example, LLC. VPI & VCI number: Specify a VPI (Virtual Path Identifier) and a VCI (Virtual Channel Identifier) given to you by your ISP. Single User Account: Set to Yes if you only have a single IP account for sharing with local computers. IP Address Assignment: Set to Dynamic if the ISP provides the IP for the P-660 dynamically. Otherwise, set to Static and enter the IP in the following IP Address field. IP Address: This field cannot be configured if the ISP provides the IP for the P-660 dynamically. Otherwise, enter the IP that the ISP gives to you. 3 Se
130. list to allow or block association from STAs. The filter set allows users to input 12 entries in the list. If Allow Association is selected, all other STAs which are not on the list will be denied. Otherwise, if Deny Association is selected, all other STAs which are not on the list will be allowed for association. Users can choose either way to configure their filter rule. Configure the WLAN MAC Filter: The MAC Filter related settings in ZyXEL APs are configured in menu 3.5.1, WLAN MAC Address Filter Configuration. Before you configure the MAC filter, you need to know the MAC address of the client first. If you do not know what your MAC address is, please enter the command ipconfig /all at the DOS prompt to get the MAC (physical) address of your wireless client. If you use SMT management, the MAC Address Filter configurations are as shown below. Enter the MAC addresses of wireless cards in the filter set to allow or deny association from these cards. Menu 3.5.1 - WLAN MAC Address Filter: Active= Yes; Filter Action= Allowed Association; 1= 11:11:11:11:11:11; 2= 00:00:00:00:00:00; 3= 00:00:00:00:00:00; 4= 00:00:00:00:00:00; 5= 00:00:00:00:00:00; 6= 00:00:00:00:00:00; 7= 00:00:00:00:00:00; 8= 00:00:00:00:00:00; 9= 00:00:00:00:00:00; 10= 00:00:00:00:00:00; 11= 00:00:00:00:00:00; 12= 00:00:00:00:00:00; 13= 00:00:00:00:00:00; 14= 00:00:00:00:00
131. mand on Windows NT. Using TFTP command on UNIX. Using TFTP client software: Upload/download ZyNOS via LAN; Upload/download SMT configurations via LAN. Using TFTP to upload/download ZyNOS via LAN: TELNET to your Prestige first before running the TFTP software. Type the CI command sys stdio 0 to disable the console idle timeout in Menu 24.8, and stay in Menu 24.8. Run the TFTP client software. Enter the IP address of the Prestige. To upload the firmware, please save the remote file as ras to the Prestige. After the transfer is complete, the Prestige will program the upgraded firmware into FLASH ROM and reboot itself. An example: [Screenshot: TFTP32 client with Host 192.168.1.1, Port 69, Local File prestige.bin, Remote File ras, Binary mode] The 192.168.1.1 is the IP address of the Prestige. The local file is the source file of the ZyNOS firmware that is available on your hard disk. The remote file is the file name that will be saved in the Prestige. Check the port number 69 and 512-octet blocks for TFTP. Check Binary mode for file transferring. Using TFTP to upload/download SMT configurations via LAN: TELNET to your Prestige first before running the TFTP software
132. meout value generic timeout set nat generic timeout value _ reset timeout set nat reset timeout value ff ter timeout set nat tep timeout value set nat tcp other timeout value create nat system information from spSysParam iamt display nat iamt information iface lt iface gt show nat status of an interface o foda lt rule set gt set gt display nat lookup rule new lookup lt rule set gt display new nat lookup D ee loopback onloff turn on off nat loopback A a a esete lt iface gt sd reset nat table of an iface Pf server Pf itisp display nat server table 179 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes load lt set id gt load nat server information from ROM save save nat server information to ROM clear lt set id gt clear nat server information edit active lt yesIno gt set nat server edit active flag edit svrport lt start port gt end set nat server server port port edit intport lt start port gt end set nat server forward port port set nat server remote host ip ip Le edit leasetime time set nat server lease time edit rulename name set nat server rule name a E a D S E E T resetport reset all nat server table entries incikeport onloff turn on off increase ike port flag 5 WAN Related Commands ADSL ber ADSL channel data line rate Close ADSL line ADSL standard current
133. mic DNS= Yes; Route IP= Yes; Bridge= No. Menu 1.1 - Configure Dynamic DNS: Service Provider= WWW.DynDNS.ORG; Active= Yes; Host= [the local server's host name]; EMAIL= [your email address]; User Password 33; Enable Wildcard= No. Key Settings for using the DDNS function (Option: Description). Service Provider: Enter the DDNS server in this field. Currently we support WWW.DYNDNS.ORG. Active: Toggle to Yes. Host: Enter the hostname you subscribe from the above DDNS server. For example, zyxel.com.tw. EMAIL: Enter the email address you give to the DDNS server. User: Enter the user name that. Password: Enter the password that the DDNS server gives to you. Enable Wildcard: Enter the hostname for the wildcard function that WWW.DYNDNS.ORG supports. Note that the Wildcard option is available only when the provider is http://www.dyndns.org. 8. Network Management Using SNMP. SNMP Overview: The Simple Network Management Protocol (SNMP) is an application-layer protocol used to exchange management information between network devices (e.g. routers). By using SNMP, network administrators can more easily manage network performance, and find and solve network problems. SNMP is a member of the TCP/IP protocol suite; it uses UDP to exchange messages between a management Client and an Agent residing in a net
134. n in question. Note: Save Set in the Action field means to save the whole set. You must do this if you make any changes to the set, including deleting a rule. No changes to the set take place until this action is taken. Be careful when ordering your rules, as each rule is executed in turn, beginning from the first rule. Selecting Edit in the Action field and then selecting a rule brings up the following menu, Menu 15.1.1.1 Address Mapping Rule, in which you can edit an individual rule and configure the Type, Local and Global Start/End IPs displayed in Menu 15.1.1. Menu 15.1.1.1 - Rule 1: Type= One-to-One; Local IP: Start= 0.0.0.0, End= N/A; Global IP: Start= 0.0.0.0, End= N/A. Press ENTER to Confirm or ESC to Cancel. The following table describes the fields in this screen (Field: Description; Option/Example). Type: Press SPACEBAR to toggle through a total of 5 types. These are the mapping types discussed above plus a server type. Some examples follow to clarify these a little more. Options: One-to-One, Many-to-One, Many-to-Many Overload, Many-to-Many No Overload, Server. Local IP Start: This is the starting local IP address (ILA). Example: 0.0.0.0. Local IP End: This is the ending local IP address (ILA). If the rule is for all local IPs, then put the Start IP as 0.0.0.0 and the End IP as 255.255.255.255. This field is N/A for One-to-One type. Example: 255.255.255.255. Global IP Start: This is the starting globa
135. n when exceeds the tcp max incomplet e threshold Only valid when sets Block to yes The unit is minute The threshold to start to delete the old half opened sessions to minute low The threshold to stop deleting the old half opened session The threshold to start to delete the old half opened sessions to max incomplete lo W The threshold to stop deleting the half opened session The threshold to start executing the block field Edit the name for a 190 All contents copyright 2005 ZyXEL Communications Corporation default permit lt forwardlblock gt icmp timeout lt seconds gt udp idle timeout lt seconds gt connection timeout lt seconds gt fin wait timeout lt seconds gt tcp idle timeout lt seconds gt EER n P 660 series Support Notes permit lt forwardlblock gt Edit whether a packet is dropped or allowed when it does not match the default set Edit the timeout for an idle ICMP session before it is terminated Edit the timeout for an idle UDP session before it is terminated Edit the wait time for the SYN TCP sessions before it is terminated Edit the wait time for FIN in concluding a TCP session before it is terminated Edit the timeout for an idle TCP session before it is terminated PNC is allowed when yes is set even there is a rule to block PNC Switch on off sending the log for matching the default permit Edit whether a p
136. nection from Sentinel by selecting your VPN connection from the Select VPN item. Note: A. When building VPN between Sentinel and Prestige, the tunnel can't be initiated from the Prestige side. Please always initiate the tunnel from Sentinel. B. The VPN tunnel on Sentinel can't be initiated by triggered packets, such as ping, ftp, telnet, HTTP, etc. You can only initiate the VPN tunnel by choosing Select VPN from the SSH Sentinel tray. [Screenshot: SSH Sentinel tray menu, including Select Active Policy and Select VPN] NOTE: Please check your Prestige's release note. If your current firmware version doesn't support Mega Bytes as SA lifetime, you have to zero your Mega Bytes setting in SA lifetime. Switch to Security Policy; the configuration page is in <Your VPN connection> > Properties > Advanced Tab > Settings. [Screenshot: Security Association Lifetimes dialog, with IKE and IPSec security association lifetimes in minutes and in megabytes] 2. Setup Prestige VPN: Using a web browser, login to the Prestige by giving the LAN IP address of the Prestige in URL
137. networks and subnetworks custom names You can later use the names when creatine moles Defined networks IP address New Network name ZyWALL IF addres subnet mask Add YEN Connection 4 Gateway IP addyess 192 168 1 1 Remote network Z WALL z 7 Authentication key dean certificate b dean certificate g pew preshared key Diasnostics Properties c SAMHNA In SSH Sentinel Policy Editor you will get a new VPN connection 192 168 1 1 ZyWALL choose this item and then press Properties button 140 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes 8 SSH Sentinel Policy Editor e zjx security Policy Eey Management Folicy E Default Fl Pre PSec Filter E a VEN Connections So 192 168 1 1 fary 2 O AD Add E Secured Connections 7 ia Secured Networks a EE Default Response z 9 Post IPSec Filter M F Allow all traffic L Add Remove Properties p Diagnostics Description Choose Settings button in Remote endpoint section Please uncheck the boxes of Acquire virtual IP address and Extended authentication Rule Properties 3x General Advanced Remote endpoint Security gateway 1923 168 1 1 H Ea Remote network ZyWALL wf IFsec IEE proposal 2 2 gt Authentication key e new preshared key gt Proposal template normal aj Acquire virtual IF
138. o map the FTP Server 2 with ILA2 192.168.1.11 to IGA2. Menu 15.1.1.2 - Rule 2: Type= One-to-One; Local IP: Start= 192.168.1.11, End= N/A; Global IP: Start= [Enter IGA2], End= N/A. Press ENTER to Confirm or ESC to Cancel. Rule 3 Setup: Select Many-to-One type to map the other clients to IGA3. Menu 15.1.1.3 - Rule 3: Type= Many-to-One; Local IP: Start= 0.0.0.0, End= 255.255.255.255; Global IP: Start= [Enter IGA3], End= N/A. Press ENTER to Confirm or ESC to Cancel. Rule 4 Setup: Select Server type to map our web server and mail server with ILA3 192.168.1.20 to IGA3. Menu 15.1.1.4 - Rule 4: Type= Server; Local IP: Start= N/A, End= N/A; Global IP: Start= [Enter IGA3], End= N/A. Press ENTER to Confirm or ESC to Cancel. When we have configured all four rules, Menu 15.1.1 should look as follows. Menu 15.1.1 - Address Mapping Rules: Set Name= Example3. Columns: Idx, Local Start IP, Local End IP, Global Start IP, Global End IP, Type. 1: Local Start IP 192.168.1.10, Global Start IP [IGA1], Type 1-1. 2: Local Start IP 192.168.1.11, Global Start IP [IGA2], Type 1-1. 3: Local Start IP 0.0.0.0, Local End IP 255.255.255.255, Global Start IP [IGA3], Type M-1. 4: Global Start IP [IGA3], Type Server. 5 to 10: empty. Press ESC or RETURN to Exit. Step 3: Now we configure all other incoming traffic to go to our web server and mail server from Menu 15.2.2 NAT
139. oE. If you are simply connected to the Internet when you turn on your computer, you probably are not. You can also check with your ISP or the information sheet given by the ISP. Please choose PPPoE as the encapsulation type in the P-660 if the ISP uses PPPoE. 7. Why does my provider use PPPoE? PPPoE emulates a familiar Dial-Up connection. It allows your ISP to provide services using their existing network configuration over the broadband connections. Besides, PPPoE supports a broad range of existing applications and services, including authentication, accounting, secure access and configuration management. 8. What is DDNS? The Dynamic DNS service allows you to alias a dynamic IP address to a static hostname, allowing your computer to be more easily accessed from various locations on the Internet. To use the service, you must first apply for an account from one of several free Web servers such as http://www.dyndns.org. Without DDNS, we always tell the users to use the WAN IP of the P-660 to reach our internal server. It is inconvenient for the users if this IP is dynamic. With DDNS supported by the P-660, you apply for a DNS name (e.g. www.zyxel.com.tw) for your server (e.g. Web server) from a DDNS server. The outside users can always access the web server using www.zyxel.com.tw regardless of the WAN IP of the P-660. When the ISP assigns the P-660 a new IP, the P-660 updates this IP to the DDNS server so that the server can update its IP-to-DNS entry. Once the IP
140. ocol device and the filter set lan filter incomingloutgoing could be 1 12 0 means empty tcpiplgeneric set 1 set 2 set 3 Example Lan filter incoming tcpip 1000 Set DHCP mode to Menu 3 2 lan dhcp mode serverlrelaylnone be erver elay one o p gt lan dhcp server dnsserver pri dns Set primary and secondary LAN DNS Menu 3 2 sec dns server lan dhcp server pool start address Uo N Set DHCP start address and pool size num a lan dhcp server gateway IP address Set DHCP gateway Menu 3 2 lan dhcp server netmask subnet O N Set DHCP subnet mask mask 196 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes a lan dhcp server leasetime second Set DHCP lease time Tian dep server renewaltime second Set DHCP renew time Menu 32 lan dhcp server rebindtime second Set DHCP rebind time Menu 3 2 fan aep rely server IP address Set IP address of DHCP reay server Menu 32 lan display Display LAN or IP alias parameters Display Menu 3 Set the node pointer to specific wan profile If you want to set WAN profile please use this command first system wan node index 1 8 will use the index number for pointing to specific PVC remote node and for consequent commands reference if index means it ISP node Clear the parameters of the temporary Menu 11 1 wan node clear l WAN profile wan node ispname IS
141. ommunity and GetNext community requested from the NMS The default is public Set Enter the correct Set Community This Set Community must match the Community Set community requested from the NMS The default is public Enter the IP address of the NMS The P 660 will only respond to SNMP Trusted Host messages coming from this IP address If 0 0 0 0 is entered the P 660 will respond to all NMS managers Trap Enter the community name in each sent trap to the NMS This Trap Community Community must match what the NMS is expecting The default is public Trap Enter the IP address of the NMS that you wish to send the traps to If 0 0 0 0 is Destination entered the P 660 will not send trap any NMS manager 9 Using syslog e P 660 Setup e UNIX Setup e ZyXEL Syslog Message Format P 660 Setup Menu 24 3 2 System Maintenance UNIX Syslog and Accounting UNIX Syslog Active Yes Syslog IP Address 192 168 1 33 88 All contents copyright 2005 ZyXEL Communications Corporation Log Facility Local 1 Types CDR No Packet triggered No Filter log No PPP log No Configuration 1 Active use the space bar to turn on the syslog option 2 Syslog IP Address enter the IP address of the UNIX server that you wish to send the syslog 3 Log Facility use the space bar to toggle between the 7 different local options 4 Types use the space bar to toggle the logs we are going to record UNIX Setup 1 Make su
142. on operating Cu SeeMe has an IP of 192 168 1 34 then the default SUA server must be set to 192 168 1 34 The peer Cu SeeMe user can reach this workstation by using P 660 s WAN IP address which can be obtained from menu 24 1 Menu 15 2 1 NAT Server Setup Used for SUA Only Rule Start Port No End Port No IP Address 1 Default Default 192 168 1 34 35 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes 2A 0 0 0 0 0 0 z 0 0 0 0 0 0 4 0 0 0 0 0 0 5 0 0 0 0 0 0 6 0 0 0 0 0 0 T 0 0 0 0 0 0 8 0 0 0 0 0 0 2 0 0 0 0 0 0 10 0 0 0 0 0 0 Configure an Internal Server Behind SUA Prestige Remote client Web Server Introduction If you wish you can make internal servers e g Web ftp or mail server accessible for outside users even though SUA makes your LAN appear as a single machine to the outside world A service is identified by the port number Also since you need to specify the IP address of a server in the P 660 a server must have a fixed IP address and not be a DHCP client whose IP address potentially changes each time it is powered on In addition to the servers for specific services SUA supports a default server A service request that does not have a server explicitly designated for it is forwarded to the default server If the default server is not defined the service request is simply discarded Configuration To make a server visible to the outside w
143. orld specify the port number of the service and the inside address of the server in Menu 15 2 1 Multiple Server Configuration 36 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes The outside users can access the local server using the P 660 s WAN IP address which can be obtained from menu 24 1 For example Configuring an internal Web server for outside access Menu 15 2 1 NAT Server Setup Used for SUA Only Rule Start Port No End Port No IP Address 1 Default Default 0 0 0 0 2 80 80 192 168 1 10 3 0 0 0 0 0 0 4 0 0 0 0 0 0 3 0 0 0 0 0 0 6 0 0 0 0 0 0 T 0 0 0 0 0 0 8 0 0 0 0 0 0 9 0 0 0 0 0 0 10 0 0 0 0 0 0 11 0 0 0 0 0 0 12 0 0 0 0 0 0 Press ENTER to Confirm or ESC to Cancel Port numbers for some services Service Port Number FTP 21 Telnet 23 SMTP 25 DNS Domain Name Server 53 www http Web 80 Configure a PPTP server behind SUA Introduction 37 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes PPTP is a tunneling protocol defined by the PPTP forum that allows PPP packets to be encapsulated within Internet Protocol IP packets and forwarded over any IP network including the Internet itself In order to run the Windows 9x PPTP client you must be able to establish an IP connection with a tunnel server such as the Windows NT Server 4 0 Remote Access Server Windows Dial Up Net
144. our LAN to appear as a single computer to the Internet it is not possible to configure similar servers on the same LAN behind SUA Because White Pine Cu SeeMe uses dedicate ports port 7648 amp port 24032 to transmit and receive data therefore only one local Cu SeeMe is allowed within the same LAN In SUA mode only one local NetMeeting user is allowed because the outsiders can not distinguish between local users using the same internet IP Certain Quake servers do not allow multiple users to login using the same unique IP so only one Quake user will be allowed in this case Moreover when a Quake server is configured behind SUA P 660 will not be able to provide information of that server on the internet 2 Quake II has the same limitations as that of Quake I P 660 support MSN Messenger 4 6 4 7 5 0 video voice pass through NAT since new firmware version In addition for the Windows OS supported UPnP Universal Plug and Play such as Windows XP and Windows ME UPnP supported in P 660 is an alternative solution to pass through MSN Messenger video voice traffic For more detail please refer to UPnP application note P 660 support Microsoft Xbox Live since the new firmware version If your P 660 firmware is too old to support such function you may have a work around solution please refer to ZyXEL website gt Support gt Xbox Live service http www zyxel com support xbox htm Configurations For example if the workstati
145. pe TCP 192 168 1 2 1116 gt 192 31 7 130 80 Ethernet Header Destination MAC Addr 00A0C5921311 Source MAC Addr 0080C84CEA63 Network Type 0x0800 TCP IP IP Header IP Version 4 Header Length 20 Type of Service 0x00 0 Total Length 0x0028 40 Idetification 0x350B 13579 Flags 0x02 Fragment Offset 0x00 Time to Live 0x80 128 Protocol 0x06 TCP Header Checksum 0x3C79 15481 Source IP 0xC0A 80102 192 168 1 2 Destination IP 0xC01F0782 192 31 7 130 TCP Header Source Port 0x045C 1116 Destination Port 0x0050 80 Sequence Number 0x00BD15A8 12391848 Ack Number 0x4AD1B580 1255257472 Header Length 20 Flags 0x10 A Window Size 0x2238 8760 Checksum OxE8ED 59629 Urgent Ptr 0x0000 0 TCP Data Length 6 Captured 6 156 All contents copyright 2005 ZyXEL Communications Corporation 4yXPb 660 series Support Notes 0000 20 20 20 20 20 20 RAW DATA 0000 00 AO C5 92 13 11 00 80 C8 4C EA 63 08 00 45 00 Ing 0010 00 28 35 OB 40 00 80 06 3C 79 CO A8 01 02 COIF 6 lt y 0020 07 82 04 5C 00 50 00 BD 15 A8 4A D1 B5 8050 10 P J P 0030 22 38 E8 ED 00 00 20 20 20 20 20 20 Oke 2 Trace WAN packet e Disable the capture of the LAN packet by entering sys trep channel enet0 none e Enable to capture the WAN packet by entering sys trep channel mpoa00 bothway e Enable the trace log by entering sys trep sw on amp sys trel sw on e Display the
146. plementation ZyXEL currently includes SNMP support in some P-660 routers. It is implemented based on SNMPv1, so it is able to communicate with SNMPv1 NMSs. Further, users can also add ZyXEL's private MIB in the NMS to monitor and control additional system variables. The ZyXEL private MIB tree is shown in figure 3. For SNMPv1 operation, ZyXEL permits one community string, so that the router can belong to only one community, and allows trap messages to be sent to only one NMS manager. Some traps are sent to the SNMP manager when any one of the following events happens:
1 coldStart (defined in RFC 1215): If the machine coldstarts, the trap will be sent after booting.
1 warmStart (defined in RFC 1215): If the machine warmstarts, the trap will be sent after booting.
2 linkDown (defined in RFC 1215): If any link of IDSL or WAN is down, the trap will be sent with the port number. The port number is its interface index under the interface group.
3 linkUp (defined in RFC 1215): If any link of IDSL or WAN is up, the trap will be sent with the port number. The port number is its interface index under the interface group.
4 authenticationFailure (defined in RFC 1215): When receiving any SNMP get or set request with the wrong community, this trap is sent to the manager.
5 whyReboot (defined in ZYXEL-MIB): When the
147. port gt udp destport single lt port gt udp destport range lt start port gt lt end port gt destination address and subnet mask if a packet which complies to this rule Select and edit a destination address range of a packet which complies to this rule Select and edit the destination port of a packet which comply to this rule For non consecutive port numbers the user may repeat this command line to enter the multiple port numbers Select and edit a destination port range of a packet which comply to this rule Select and edit the destination port of a packet which comply to this rule For non consecutive port numbers users may repeat this command line to enter the multiple port numbers Select and edit a destination port range of a packet which comply to 193 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes Tie desport custom lt desired Type in the desired custom port name gt custom port name delete firewal e mail Remove all email l alert settings attack Reset all alert set lt set gt configuration set rule lt rule gt Remove a lt set gt specified rule in a set from the firewall configuration settings to defaults Remove a specified set from the firewall insert firewal e mail Insert email alert l settings attack Insert attack alert settings set Insert a specified lt set
149. rd describes the communication that occurs in wireless LANs. The Wired Equivalent Privacy (WEP) algorithm is used to protect wireless communication from eavesdropping. Because wireless transmissions are easier to intercept than transmissions over wired networks, and wireless is a shared medium, everything that is transmitted or received over a wireless network can be intercepted. WEP relies on a secret key that is shared between a mobile station (e.g. a laptop with a wireless Ethernet card) and an access point (i.e. a base station). The secret key is used to encrypt packets before they are transmitted, and an integrity check is used to ensure that packets are not modified in transit. The standard does not discuss how the shared key is established. In practice, most installations use a single key that is shared between all mobile stations and access points (APs). WEP employs the key encryption algorithm Ron's Code 4 Pseudo Random Number Generator (RC4 PRNG). The same key is used to encrypt and decrypt the data. [Figure: WEP encryption: Initialization Vector (IV, 24 bits), secret key k, seed, key sequence, message M, CRC, ciphertext C, transmitted] WEP has defenses against this attack. To avoid encrypting two ciphertexts with the same key stream, an Initialisation Vector (IV) is used to augment the shared WEP key (secret key) and produce a different RC4 key for each packet; the IV is also
150. re that your syslog starts with r argument r this option will enable the facility to receive message from the network using an Internet domain socket with the syslog services The default setting is not enabled 2 Edit the file etc syslog conf by adding the following line at the end of the etc syslog conf file locall var log zyxel log Where var log zyxel log is the full path of the log file 3 Restart syslogd ZyXEL Syslog Message Format CDR Call Detail Record CDR logs all data phone line activity if set to Yes Packet The first 48 bytes or octets and protocol type of the triggering packet is sent to triggered the UNIX syslog server when this field is set to Yes Filter log pe filters are logged when this field is set to ar a with the individual filter Log field set to Yes are logged when this field is set to Yes PPP log PPP events are logged when this field is set to Yes 89 All contents copyright 2005 ZyXEL Communications Corporation 1 CDR log call messages Format sdcmdSyslogSend SYSLOG_CDR SYSLOG_INFO String String board xx line xx channel xx call xx str board the hardware board ID line the WAN ID in a board channel channel ID within the WAN call the call reference number which starts from 1 and increments by 1 for each new call str COI Outgoing Call dev xx ch xx dev device No ch channel No CO1 Incoming Call xxxxBps xxxxx L2TP xxxxx means Remote Call ID CO1 Incoming Call xxxx
151. ring 255 brings up this screen Menu 15 1 255 Address Mapping Rules Set Name SUA Read Only Idx Local Start IP Local End IP Global Start IP Global End IP Type 0 0 0 0 255 255 255 255 0 0 0 0 M 1 0 0 0 0 Serve The following table explains the fields in this screen Please note that the fields in this menu are read only Field Description Option Example This is the name of the set you selected in Menu 15 1 or Set Name SUA enter the name of a new set you want to create Idx This is the index or rule number 1 Local Start o 0 0 0 0 for the This is the starting local IP address ILA IP Many to One type This is the starting local IP address ILA If the rule is for Local End IP all local IPs then the Start IP is 0 0 0 0 and the End IP is 255 255 255 255 255 255 255 255 Global Start This is the starting global IP address IGA If you have a 0 0 0 0 IP dynamic IP enter 0 0 0 0 as the Global Start IP Global End NN l IP This is the ending global IP address IGA N A Type This is the NAT mapping types Many to One and Server Please note that the fields in this menu are read only However the settings of the server set can be modified in menu 15 2 1 47 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes Now let s look at Option 1 in Menu 15 1 Enter 1 to bring up this menu Menu 15 1 1 Address Mapping Rules Set Name Idx Local Start IP Local End IP
152. rip2m wan node multicast l Menu 11 3 l l Set the wan IP multicast mode nonelgmpv 1 ligmpv2 wan node filter incomingloutgoing I l i Menu 11 5 Set WAN filter incoming or outgoing tcpipl tepiplgeneric can be specified and filter set can be 1 12 value 0 means empty set 1 set 2 set 3 set 4 Save the related parameters of WAN wan node save node l Display WAN profile configurationin Display Menu wan node display buffer 11 ip route addrom index Rule Select a Static Route index 1 16 to edit Menu 12 1 ip route addrom name Name Set Rule Name Menu 12 1 ip route addrom active onloff Set Active or Inactive Flag Menu 12 1 Z aw _ NO Set IP static route ip route addrom set dest address Example mask bits gateway metric gt ip ro addrom set 192 168 1 33 24 192 168 1 1 2 ip route addrom private yesIno Set Private Flag Menu 12 1 l l Display both working buffer and Editing Menu 12 1 ip route addrom disp Ent ntry ip route addrom freememory Discard all changes Menu 12 1 ip route addrom save Save edited settings Menu 12 1 ip route addrom clear Index Clear Static Route Index Menu 12 1 Select NAT address mapping set and set Menu 15 1 mapping set name but set name is ip nat addrmap map map set name ip nat addrmap rule rule insert Set NAT address mapping rule If Menu 15 1 19 OO All contents copyright 2005 ZyXEL Communications
153. rocedures show how to configure a server behind NAT.
Step 1: Enter 15 in the Main Menu to go to Menu 15 - NAT Setup.
Step 2: Enter 2 to go to Menu 15.2.1 - NAT Server Setup.
Step 3: Enter the service port number in the Port field and the inside IP address of the server in the IP Address field.
Step 4: Press SPACEBAR at the "Press ENTER to confirm" prompt to save your configuration after you define all the servers, or press ESC at any time to cancel.

Menu 15.2.1 - NAT Server Setup (Used for SUA Only)

  Rule   Start Port No.   End Port No.   IP Address
  1      Default          Default        0.0.0.0
  2      21               21             192.168.1.33
  3      80               80             192.168.1.36
  4      0                0              0.0.0.0
  5      0                0              0.0.0.0
  6      0                0              0.0.0.0
  7      0                0              0.0.0.0
  8      0                0              0.0.0.0
  9      0                0              0.0.0.0
  10     0                0              0.0.0.0
  11     0                0              0.0.0.0
  12     0                0              0.0.0.0

  Press ENTER to Confirm or ESC to Cancel

The most often used port numbers are shown in the following table. Please refer to RFC 1700 for further information about port numbers.

  Service                                       Port Number
  FTP                                           21
  Telnet                                        23
  SMTP                                          25
  DNS (Domain Name Server)                      53
  www-http (Web)                                80
  PPTP (Point-to-Point Tunneling Protocol)      1723

Examples:
- Internet Access Only
- Internet Access with an Internal Server
- Using Multiple Global IP addresses for clients and servers
- Support Non NAT Friendly Applications

1. Internet Access Only: In our Internet Access example we only need one rule w
154. rol Panel gt Network Connection gt Wireless Network Connection 115 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes l Wireless Network Connection Properties fx General Authentication Advanced Connect uzing Eg EEES02 116 WLAN PCI Card v3 0 Thi connection uses the following items El Client for Microsoft Networks File and Printer Sharing for Microsoft Networks a QoS Packet Scheduler Internet Protocol TCP IP Install Description Transmission Control ProtocolInternet Protocol The default Wide area network protocol that provides communication actos diverse interconnected networks Show icon in notification area when connected 5 From general tab select TCP IP and click property Internet Protocol TCP IP Properties fx f ae General You can get F settings assigned automatically if your network supports this capability Otherwise you need to ask your network administrator for the appropriate IF settings O Obtain an IF address automatically Ouse the following IP address IF address Subnet mask 255 255 255 0 Use the following ONS server addresses Preferred ONS server Saas Alternate ONS server eee 6 Fill in your network IP address and subnet mask and click OK to finish 7 Station A now are able to connect to Station B All contents copyright 2005 ZyXEL Communications Corporation 116
155. rt port compare compare type could be sets type nonelequallnot O none I1 equal 2 not equalllesslgreater i F equal 3 less l4 greater sys filter set tcpEstab yeslIno Set TCP establish option i l l Menu 21 filter sys filter set more yeslno Set the more option to yes no i sets sys filter set log type 0 3 none Set the log type it could be 0 3 none Menu 21 filter matchl notmatch both match not match both sets sys filter set actmatch type 0 2 Menu 21 filter Set the action for match checknext forward drop sets sys filter set actnomatch type 0 2 l Menu 21 filter Set the action for not match checknext forward drop sets Menu 21 it for sys filter set offset Set offset for the generic rule generic filter Menu 21 it for sys filter set length Set the length for generic rule S generic filter Menu 21 it for sys filter set mask Set the mask for generic rule a generic filter 200 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes sys filter set value depend on length l Menu 21 it for l Set the value for generic rule KS in hex generic filter sys filter set clear Clear the current filter set Lt sys filter set save Save the filter set parameters Display Filter set information W o sys filter set display set rule parameter it will display buffer information sys filter set freememory Discard Changes e
156. s lt ether addr gt format XX XX XX XX XX XX lt iface gt enifO wanifO lt gw gt gateway ip address LC E s re oaa eIPI gt PO O Set pack address C pis o fass O o eais fe o S Op p e ayap CE ea estas eer ceteris add ap information resolve lt hostid gt resolve ip addr S trop lt hostid gt hardware drop arp 174 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes dhcp lt iface gt o o Jaw o o O release release DHCP client IP Oooo o oew renew DHCP client IP o mde lt serverlrelaylnonelclient gt set dhcp mode relay server lt serverIP gt set dicp relay server E addr a rest ST reset reset dhcp table table w o OO e o probecount lt num gt set dhep probe count pf __ esee PAs set dns server ip addr winsserver lt winsIP1 gt set wins server 1p addr lt winsIP2 gt hostname lt hostname gt set hostname initialize fills in DHCP parameters and initializes for PWC purposes leasetime lt period gt set dhcp leasetime pf netmask netmask set dhep netmask pf ot lt starttP gt lt numiP gt set dhep ip pool pf _ rene waltime lt period gt set dhep renew time DE lt period gt set dhcp rebind time server lt serverIP gt set dhcp server ip for relay dnsorder routerlisp set dhcp dns order G o o a M show dhcp status Go o e e e delete lt num gt lall delete static dhcp mac table display display static d
157. s ZyNOS routers supported the SUA only option in today s routers Many to Many Overload In Many to Many Overload mode the P 660 maps the multiple ILA to shared IGA 42 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes Many to Many No Overload In Many to Many No Overload mode the P 660 maps each ILA to unique IGA Server In Server mode the P 660 maps multiple inside servers to one global IP address This allows us to specify multiple servers of different types behind the NAT for outside access Note if you want to map each server to one unique IGA please use the One to One mode The following table summarizes these types Mapping NAT T IP M ype apping Direction One to One ILA1 lt gt IGA1 Both ILA1 gt IGA 1 Many to One ILA2 gt IGA1 Out SUA PAT a utgomg ILA1 gt IGA1 ILA2 gt IGA2 Many to M O W y ii ILA3 gt IGA1 Outgoing ILA4 gt IGA2 ILA1 gt IGA1 Many to Many No ILA 2 gt IGA3 Overload T ILA3 gt IGA2 Outgoing oe ILA4 gt IGA4 Connections Server 1 Server AeA Incomin K Server 2 8 IP lt IGA 1 SUA Versus NAT SUA Single User Account in previous ZyNOS versions is a NAT set with 2 rules Many to One and Server The P 660 now has Full Feature NAT support to map global IP addresses to local IP addresses of clients or servers With multiple global IP addresses multiple severs of the same type e g FTP servers are allowe
158. s based on IP address and protocol. They also inspect the session data to assure the integrity of the connection and to adapt to dynamic protocols. The flexible nature of Stateful Inspection firewalls generally provides the best speed and transparency; however, they may lack the granular application-level access control or caching that some proxies support.
4. What kind of firewall is the P-660?
1. The P-660's firewall inspects packet contents and IP headers. It is applicable to all protocols and understands that data in the packet is intended for other layers, from the network layer up to the application layer.
2. The P-660's firewall performs stateful inspection. It takes into account the state of the connections it handles so that, for example, a legitimate incoming packet can be matched with the outbound request for that packet and allowed in. Conversely, an incoming packet masquerading as a response to a nonexistent outbound request can be blocked.
3. The P-660's firewall uses session filtering, i.e. smart rules that enhance the filtering process and control the network session rather than individual packets in a session.
4. The P-660's firewall is fast. It uses a hashing function to search the matched session cache instead of going through every individual rule for a packet.
5. The P-660's firewall provides email service to notif
159. ss Assignment Dynamic 44 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL Step 1 Enter 11 from the Main Menu Rem IP Addr 0 0 0 0 Rem Subnet Mask 0 0 0 0 My WAN Addr N A NAT Full Feature Address Mapping Set 1 Metric 2 Private No RIP Direction None Version RIP 1 Multicast None IP Policies P 660 series Support Notes Enter here to CONFIRM or ESC to CANCEL Step 2 Move the cursor to the Edit IP field press the SPACEBAR to toggle the default No to Yes then press ENTER to bring up Menu 11 3 Remote Node Network Layer Options The following table describes the options for Network Address Translation Field Options Full Feature None Network Address Translation SUA Only Description When you select this option the SMT will use Address Mapping Set 1 Menu 15 1 see later for further discussion NAT is disabled when you select this option When you select this option the SMT will use Address Mapping Set 255 Menu 15 1 see later for further discussion This option use basically Many to One Overload mapping Select Full Feature when you require other mapping types It is aconvenient pre configured read only Many to One mapping set sufficient for most purposes and helpful to people already familiar with SUA in previous ZyNOS versions Note that there is also a Server type whose IGA is 0 0 0 0 in this set Table Applying NAT in Menu 4 and Menu 11 3 45 All
160. Configure Wireless Access Point to Infrastructure mode using SMT; Configure Wireless Access Point to Infrastructure mode using Web configurator; Configuration Wireless Station to Infrastructure mode; MAC Filter Overview; ZyXEL MAC Filter Implementation; Configure the WLAN MAC Filter; 4. Setup WEP (Wired Equivalent Privacy); Setting Up the Access Point; Setting Up the Station; 5. Site Survey; 6. Using VPN over Wireless LAN
161. store the SMT configurations, use the TFTP client program to put your configuration in file rom-0 in the Prestige.
9. What should I do if I forget the system password? In case you forget the system password, you can erase the current configuration and restore factory defaults in three ways:
a. Use the Web Configurator.
b. Use the RESET button on the rear panel of the P-660 to reset the router. After the router is reset, the LAN IP address and the SMT password will be reset to 192.168.1.1 and 1234. So now you can reach the router through console port or telnet again.
c. Upload the default ROMFILE via console port to reset the SMT to factory default. After uploading the ROMFILE, the default system password is 1234.
10. How to use the Reset button?
a. Turn your Prestige off and then on. Make sure the SYS LED is on, not blinking.
b. Press the RESET button for five seconds and then release it. If the SYS LED begins to blink, the defaults have been restored and the Prestige restarts.
11. What is SUA? When should I use SUA? SUA (Single User Account) is a unique feature supported by the Prestige router which allows multiple people to access the Internet concurrently for the cost of a single user account. When the Prestige acting as SUA receives a packet from a local client destined for the outside Internet, it replaces the source address in the IP packet head
162. t of variables that each node supports is called the Management Information Base (MIB). The MIB is made up of several parts, including the Standard MIB, specified as part of SNMP, and Enterprise Specific MIBs, which are defined by different manufacturers for hardware-specific management. The current Internet standard MIB, MIB-II, is defined in RFC 1213 and contains 171 objects. These objects are grouped by protocol (including TCP, IP, UDP, SNMP) and other categories, including system and interface. The Internet Management Model is as shown in figure 1. Interactions between the NMS and managed devices can be any of four different types of commands:
Reads: Read is used to monitor the managed devices. NMSs read variables that are maintained by the devices.
Writes: Write is used to control the managed devices. NMSs write variables that are stored in the managed devices.
Traversal operations: NMSs use these operations to determine which variables a managed device supports and to sequentially gather information from variable tables (such as the IP routing table) in managed devices.
Traps: Managed devices use traps to asynchronously report certain events to NMSs.
[Figure 1: SNMP Management Model (user interface, agents, managed devices)]
SNMPv1 Operations: SNMP itself is a simple req
163. t wan backup mechanism to DSL link Menu 2 wan backup mechanism dsl icmp or ICMP _ presencia ie van backup tolerance number Set keepalve fail toleranse wan backup recovery interval sec wan backup timeout number All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes S wan backup display Display wan backup configurations wan tredir active onloff Set traffic redirect on off Menu 2 1 po wan tredir ip IP addr Set traffic redirect gateway IP address Menu 2 1 S NO a wan tredir metric number Set traffic redirect metric Save traffic redirect related parameters Menu 2 1 wan tredir save Have to apply an backup save command thereafter wan tredir display Display traffic redirect configurations Menu 2 1 O a N Select a LAN interface to edit 2 Select IP Alias 1 3 Select IP Alias 2 lan active onloff Turn on or off on IP Alias Interface Menu 3 2 1 Set LAN IP address and subnet mask lan ipaddr address subnet mask Example gt lan ipaddr 192 168 1 1 255 255 255 0 Set LAN IP RIP mode and RIP version if you choose none in the first parameter l l Menu 3 2 lan rip nonelinloutlboth rip1lrip2blrip2m l the second parameter is also necessary lan multicast noneligmpvlligmpv2 Set LAN IP multicast mode Set LAN filter to be incoming outgoing Menu 3 1 z lt S Lo Lo N N or prot
164. tart 192.168.1.10, End N/A; Global IP: Start [Enter IGA1], End N/A. Press ENTER to Confirm or ESC to Cancel.

Menu 15.1.1.2 - Rule 2
  Type: One-to-One
  Local IP: Start 192.168.1.11, End N/A
  Global IP: Start [Enter IGA2], End N/A
  Press ENTER to Confirm or ESC to Cancel

Menu 15.1.1.3 - Rule 3
  Type: One-to-One
  Local IP: Start 192.168.1.12, End N/A
  Global IP: Start [Enter IGA3], End N/A
  Press ENTER to Confirm or ESC to Cancel

6. About Filter & Filter Examples
How does ZyXEL filter work?
Filter Structure: The P-660 allows you to configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system. You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port. The following diagram illustrates the logic flow when executing a filter rule.
165. tation Threshold 24 256 2432 t NAT Dynamic DNS WEP Encryption Disable ai r Time and Date 64 bit WEP Enter 5 characters or 10 hexadecimal digits 0 9 4 F preceded by Ox for each Key 1 4 128 bit VVEP Enter 13 characters or 26 hexadecimal digits 0 9 4 F preceded by Ox for each Key 1 4 Firewall 256 bit WEP Enter 29 characters or 58 hexadecimal digits 0 9 4 F preceded by Ox for each Key 1 4 Content Fitter C Remote Management Key UPnP O Key2 Logs O Key3 O Key4 Key settings Select one WEP key as default key to encrypt wireless data transmission Setting up the Station 1 Double click on the utility icon in your windows task bar or right click the utility icon then select Show Config Utility i Exit E View Available Network About ix k 7 i The utility will pop up on your windows screen 129 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes 4 yAIR B 320 Utility Link Info Configuration Site Survey Security Advanced About Device ZyAIR 5 320 IEEE 802 116 PEI Adapter Current Channel 5 Re Connect Current Transfer Rate 44 Mbps Current Service Set Identifier MIC MAC Address on ao C5 B48C 79 Tats Frame Transmitted Received 263 255 Link ualty Excellent 66 Cancel Help Note If the utility icon doesn t exist in your task bar click Start gt Programs gt IEEE802 11b WLA
166. tents copyright 2005 ZyXEL Communications Corporation 4yXftCCCCC C C C 660 series Support Notes Menu 3 5 Wireless LAN Setup ESSID P660HW T1 Hide ESSID No Channel ID CH01 2412MHz RTS Threshold 0 Frag Threshold 2432 WEP 64 bit WEP Default Key 3 Key 1 0x123456789A Key2 0x23456789AB Key3 0x3456789ABC Key4 0x456789ABCD Edit MAC Address Filter No Key settings Hexadecimal digits have to preceded by Ox WEP Key type Example Key1l 2e3f4 64 bit WEP with 5 Key2 5y7js characters Key3 24fg7 Key4 98jui 64 bit WEP with Keyl 0x123456789A 10 hexadecimal Key2 0x23456789AB digits Key3 0x3456789ABC 0 9 A F Key4 0x456789ABCD Key 1 2e3f4w345ytre 128 bit WEP with Key2 5y7jse8r4i038 13 characters Key3 24fg700kx3fr7 Key4 98jui2wss35u4 128 bit WEP with Keyl 0x112233445566778899AABBCDEF 26 hexadecimal Key2 0x2233445566778899AABBCCDDEE digits Key3 0x3344556677889900AABBCCDDFF 0 9 A F Key4 0x44556677889900AABBCCDDEEFF Key l 2e3f4w345ytre1me56f45jh45ce34 256 bit WEP with Key2 5y7jse8r410381k7812415k9876b1 Key3 24fg700kx3fr7kjhg6vf1 2lazti nt 29 characters 127 All contents copyright 2005 ZyXEL Communications Corporation Key 98jui2wss35u456cty12k519800f5 Keyl 0x1111112222223333444455556666777788889999AAAABBBBCCCDDDEEFFF 128 bit WEP with Key2 58 hexadecimal 0x2222223333444455556666777788889999AAAABBBBCCCCDDDDEEEEFFFFF digits Key3 0 9
167. Note: If more than one access point is needed, be sure that the service areas of adjacent access points overlap one another, so that wireless stations are able to roam. For more information please refer to roaming at
6. Using VPN over Wireless LAN
1. Setup Sentinel
2. Setup Prestige VPN
You can use IPsec to improve the security of your wireless connections. This document explains how it works and how to configure VPN rules in both the Prestige and your wireless station. The following diagram depicts the scenario. We can protect the wireless connection between the laptop and the Prestige, so that all traffic between your wireless LAN station and the AP is encrypted and thus protected from eavesdropping in the wireless LAN environment. For authentication purposes, please use 802.1x, which is also provided in Prestige wireless solutions. [Diagram: IPSec tunnel; PC with SSH installed] The IP addresses we use in this example are as shown below: LAN 192.168.1.1 192.168.1.33 WAN
168. the AP you want to associate with.
6. After the client has associated with the selected AP, the linked AP's channel, current link-up rate, SSID, link quality and signal strength will show on the Link Info page. You are now successfully associated with the selected AP in Infrastructure Mode.
3. MAC Filter
- MAC Filter Overview
- ZyXEL MAC Filter Implementation
- Configure the WLAN MAC Filter
MAC Filter Overview: Users can use MAC Filter as a method to restrict unauthorized stations from accessing the APs. ZyXEL's APs provide the capability for checking the MAC address of the station before allowing it to connect to the network. This provides an additional layer of control, in that only stations with registered MAC addresses can connect. This approach requires that the list of MAC addresses be configured. [Figure: MAC Filter List, MAC Access Policy]
ZyXEL MAC Filter Implementation: ZyXEL's MAC Filter implementation allows users to define a
169. the configure buffer Save current setting into ROM file The waiting time before checking the hunting table result Send VC hunt pattern again Check the result of VC auto hunting 1 After configure the auto haunting preconfigured table You just need a PC connected to the device LAN Ethernet port with the DSL sync up 2 Open your web browser to access a Web site It should prompt and request for your username password of your ISP account if your ISP provide PPPoE or PPPoA service 3 After key in the correct info it will than test the connection If it is successful it will than close the browser and you can open a new browser to surf the Internet If the connection test fail 1t will go back to the page ask for user name and password The user name or password are incorrect You need to keyin again to retry 1 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes Basically the zero configuration only work on the VC that was preconigured in the auto haunting preconfigured table Web Configurator Microsoft Internet Explorer RB File Edit wiew Favorites Tools Help a sack F gt x B A Search SP Favorites A media 4 A Address B http 192 168 1 1 2CFgPPPOE html Enter the username and passord exactly as your ISP assigned them User Name 85111279 hinetnet SSSSSSSSSS Password eneeseee AD Internet 111 All contents copyri
170. thm DES, Authentication Algorithm MLDS, SA Life Time (Seconds) 28800, Encapsulation Tunnel, Perfect Forward Secrecy (PFS) NONE
7. Configure 802.1x and WPA
• What is the WPA Functionality
• Configuration for Access Point
• Configuration for your PC
What is WPA Functionality?
Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i security specification draft. Key differences between WPA and WEP are user authentication and improved data encryption. WPA applies IEEE 802.1x Extensible Authentication Protocol (EAP) to authenticate wireless clients using an external RADIUS database. You cannot use the 662's local user database for WPA authentication purposes, since the local user database uses MD5 EAP, which cannot generate keys.
WPA improves data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check and IEEE 802.1x. Temporal Key Integrity Protocol uses 128-bit keys that are dynamically generated and distributed by the authentication server. It includes a per-packet key mixing function, a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism.
If you do not have an external RADIUS server, you should use WPA-PSK (WPA Pre-Shared Key), which only requires a single identical password entered into each access point
171. threshold rts value Set the RTS threshold value wlan threshold fragment value Set fragment threshold Set the wep type to be none 64bit or Menu 3 5 for wlan wep type nonel641128 128bits wireless LAN wlan wep key set key set 1 4 key Menu 3 5 for Set wep key value l value wireless LAN Menu 3 5 for wlan wep key default key set 1 4 Set default key set value l wireless LAN wlan macfilter enable Enable mac filter Menu 3 5 1 for wlan macfilter disable Disable mac filter wireless LAN l Menu 3 5 1 for wlan macfilter action allowldeny Set the action type of filter l wireless LAN wlan macfilter set set 1 12 mac Menu 3 5 1 for Set the mac address of filter o Se a LAN wlanclear sid clear Clear Clear Working Buffer Buffer Save wireless MAC filter parameters 202 All contents copyright 2005 ZyXEL Communications Corporation
172. thwart Denial of Service (DoS) attacks such as Ping of Death, SYN Flood, LAND attack, IP Spoofing, etc. It also uses stateful packet inspection to determine if an inbound connection is allowed through the firewall to the private LAN. The P-660 supports Network Address Translation (NAT), which translates the private local addresses to one or multiple public addresses. This adds a level of security since the clients on the private LAN are invisible to the Internet.
3. What are the basic types of firewalls?
Conceptually, there are three types of firewalls:
1. Packet Filtering Firewall
2. Application-level Firewall
3. Stateful Inspection Firewall
Packet Filtering Firewalls generally make their decisions based on the header information in individual packets. This header information includes the source and destination addresses and ports of the packets.
Application-level Firewalls generally are hosts running proxy servers, which permit no traffic directly between networks and which perform logging and auditing of traffic passing through them. A proxy server is an application gateway or circuit-level gateway that runs on top of a general operating system such as UNIX or Windows NT. It hides valuable data by requiring users to communicate with secure systems by means of a proxy. A key drawback of this device is performance.
Stateful Inspection Firewalls restrict access by screening data packets against defined access rules. They make access control decision
173. tion is needed to determine the number of AP required 4 Determine the preliminary access point location on the facility diagram base on the service area needed obstacles power wall jack considerations Survey on Site 1 With the diagram with all information you gathered in the preparation phase Now you are ready to make the survey 2 Install an access point at the preliminary location 3 Use a notebook with wireless client installed and run it s utility An utility will provide information such as connection speed current used channel associated rate link quality signal strength and etc information as shown in utility below IEEE802 11b WLAN PCI Card Utility Link Info Configuration Site Survey Encryption Advanced About State Connected BS5SID 00 40 C5 4F FE 38 Current Channel fi Current Transter Aate A Mbps Curent Service Set identifier PKS Throughput Bytes Second Transmitted Recewed Link Quality Excellent 100 4 TTT TTT TTT Signal Strength Excellent 1002 TTT TIT TT TT TTTITTT iy L iy OF Cancel Help 4 It s always a good idea to start with putting the access point at the corner of the room and walk away from the access point in a systematic manner Record down the changes at point where transfer rate drop and the link quality and signal strength information on the diagram as you go alone 133 All contents copyright 2005 ZyXEL Communications Corporation P 660 series Su
174. tup the P 660 as a DHCP Relay What is DHCP Relay DHCP stands for Dynamic Host Configuration Protocol In addition to the DHCP server feature the P 660 supports the DHCP relay function When it is configured as DHCP server it assigns the IP addresses to the LAN clients When it is configured as DHCP relay it is responsible for forwarding the requests and responses negotiating between the DHCP clients and the server See figure 1 31 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes DHEP Server Prestige DHCP Client Figure1 Prestige as a DHCP Relay Setup the P 660 as a DHCP Client 1 Toggle the DHCP to Relay in menu 3 2 and enter the IP address of the DHCP server in the Relay Server Address field Menu 3 2 TCP IP and DHCP Ethernet Setup DHCP Setup DHCP Relay Client IP Pool Starting Address N A Size of Client IP Pool N A Primary DNS Server N A Secondary DNS Server N A Relay Server Address 192 168 1 2 TCP IP Setup IP Address 192 168 1 1 IP Subnet Mask 255 255 255 0 RIP Direction Both Version RIP 1 Multicast None IP Policies Edit IP Alias No Press ENTER to Confirm or ESC to Cancel 4 SUA Notes Tested SUA NAT Applications e g Cu SeeMe ICQ NetMeeting 32 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes Prestige Cu seeMe Player 4 Cu peeMe Player Introduction
175. ucveneadepiiaaieonitel 18 2 What makes P 060 secure Mosurniciinii n E 18 3 What are the basic types of firewalls nnnennsssssssseeresssssssserrsssss 18 4 What kind of firewall is the P 660 000 0 eccccccccccecessseeeeeeeeeeeeeees 19 5 Why do you need a firewall when your router has packet filtering ana NA POU Im aoon E a 19 6 What is Denials of Service DoS attack 0 ceccceesceeeeeeees 19 7 What is Ping of Death attack cccccccccccsssssseeceeeeceeeeeeeeeeeeeeeeenaas 20 3 Whati Teardrop Attack ionien a a iukea aie eae ee 20 9 Whats SYN Floodattack horasan ea E 20 TO What1s LAND taek xe scscnctes icecmorstns n a miata 20 11 Whats Brute 1orce attack ss isssvacceouwcissteees nce ie 20 12 What 1s IP Spoofing attack Pensassian ver eniharrasttants 21 13 What are the default ACL firewall rules in P 660 0 21 COD SU AO fee pert eee hte neater ea eee dase hime t oe a a a ene 21 1 How do I configure the firewall cc cceeeseecceeceeeeeeeeeeeeeeeeeaaas 21 2 How do I prevent others from configuring my firewall 21 3 Can I use a browser to configure my P 660 ccceeseeeeeeeeeees 21 4 Why can t I configure my router using Telnet over WAN 21 5 Why can t I upload the firmware and configuration file using FTP NV AN sare heed E aa ca E eet 22 Lor nmd Al ee E a a N antennae 22 1 When does the P 660 generate the firewall log ee 22 2 What does t
176. uest response protocol. 4 SNMPv1 operations are defined as below:
• Get: Allows the NMS to retrieve an object variable from the agent.
• GetNext: Allows the NMS to retrieve the next object variable from a table or list within an agent. In SNMPv1, when an NMS wants to retrieve all elements of a table from an agent, it initiates a Get operation followed by a series of GetNext operations.
• Set: Allows the NMS to set values for object variables within an agent.
• Trap: Used by the agent to inform the NMS of some events.
The SNMPv1 message contains two parts. The first part contains a version and a community name. The second part contains the actual SNMP protocol data unit (PDU), specifying the operation to be performed (Get, Set, and so on) and the object values involved in the operation. The following figure shows the SNMPv1 message format.
[Figure 2: SNMPv1 Message Format]
The SNMP PDU contains the following fields:
• PDU type: Specifies the type of PDU.
• Request ID: Associates requests with responses.
• Error status: Indicates an error and an error type.
• Error index: Associates the error with a particular object variable.
• Variable bindings: Associates particular objects with their values.
• ZyXEL SNMP Im
177. ule Filter 1 1 Filter Type TCP IP Filter Rule Active Yes IP Protocol 6 IP Source Route No Destination IP Addr 0 0 0 0 IP Mask 0 0 0 0 Port 137 Port Comp Equal Source IP Addr 0 0 0 0 IP Mask 0 0 0 0 Port 0 Port Comp None TCP Estab No More No Log None Action Matched Drop Action Not Matched Check Next Rule e Rule 2 Destination port number 137 with protocol number 17 UDP Menu 21 1 2 TCP IP Filter Rule Filter 1 2 Filter Type TCP IP Filter Rule Active Yes IP Protocol 17 IP Source Route No Destination IP Addr 0 0 0 0 IP Mask 0 0 0 0 Port 137 Port Comp Equal Source IP Addr 0 0 0 0 IP Mask 0 0 0 0 Port 0 Port Comp None TCP Estab N A More No Log None Action Matched Drop 75 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL 660 series Support Notes Action Not Matched Check Next Rule Press ENTER to Confirm or ESC to Cancel e Rule 3 Destination port number 138 with protocol number 6 TCP Menu 21 1 3 TCP IP Filter Rule Filter 1 3 Filter Type TCP IP Filter Rule Active Yes IP Protocol 6 IP Source Route No Destination IP Addr 0 0 0 0 IP Mask 0 0 0 0 Port 138 Port Comp Equal Source IP Addr 0 0 0 0 IP Mask 0 0 0 0 Port 0 Port Comp None TCP Estab No More No Log None Action Matched Drop Action Not Matched Check Next Rule Press ENTER to Confirm or ESC to Cancel e Rule 4 Destination port number 138
178. ure for configuring this filter below 1 Create a filter set in Menu 21 e g set 1 2 Create three filter rules in Menu 21 1 1 Menu 21 1 2 Menu 21 1 3 Rule 1 block the HTTP packet TCP 06 protocol with port number 80 Rule 2 block the DNS packet TCP 06 protocol with port number 53 Rule 3 block the DNS packet UDP 17 protocol with port number 53 oS Apply the filter set in menu 4 65 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes 1 Create a filter set in Menu 21 Menu 21 Filter Set Configuration Filter Filter Set Comments Set Comments 1 Web Request 7 2 3 4 10 5 11 6 12 Enter Filter Set Number to Configure 1 Edit Comments Press ENTER to Confirm or ESC to Cancel 2 Rule 1 for a http packet TCP 06 Port number 80 Menu 21 1 1 TCP IP Filter Rule Filter 1 1 Filter Type TCP IP Filter Rule Active Yes IP Protocol 6 IP Source Route No Destination IP Addr 0 0 0 0 IP Mask 0 0 0 0 Port 80 Port Comp Equal Source IP Addr 0 0 0 0 IP Mask 0 0 0 0 Port Port Comp None TCP Estab No More No Log None Action Matched Drop Action Not Matched Check Next Rule Press ENTER to Confirm or ESC to Cancel 3 Rule 2 for b DNS request TCP 06 Port number 53 66 All contents copyright 2005 ZyXEL Communications Corporation 4yXPb 660 series Support Notes Menu 21 1 2 TCP IP Filter Rule Filter 1 2 Filter Type
179. ure the trace first and display later The details for capturing the trace in SMT menu 24 8 are as follows Online Trace e Trace LAN packet e Trace WAN packet 1 Trace LAN packet e Disable to capture the WAN packet by entering sys trep channel mpoa00 none e Enable to capture the LAN packet by entering sys trep channel enet0 bothway e Enable the trace log by entering sys trep sw on amp sys trel sw on e Display the brief trace online by entering sys tred brief e Display the detailed trace online by entering sys tred parse Example P 660 gt sys trep channel mpoa00 none P 660 gt sys trcp channel enetO bothway 153 All contents copyright 2005 ZyXEL Communications Corporation 4yXftCCCCCC C C C C P 660 series Support Notes P 660 gt sys trcp sw on P 660 gt sys trcl sw on P 660 gt sys tred brief O 11880 160 ENETO R 0062 TCP 192 168 1 2 1108 gt 192 31 7 130 80 11883 100 ENETO R 0062 TCP 192 168 1 2 1108 gt 192 31 7 130 80 11883 330 ENETO T 0058 TCP 192 31 7 130 80 gt 192 168 1 2 1108 11883 340 ENETO R 0060 TCP 192 168 1 2 1108 gt 192 31 7 130 80 11883 340 ENETO R 0339 TCP 192 168 1 2 1108 gt 192 31 7 130 80 11883 610 ENETO T 0054 TCP 192 31 7 130 80 gt 192 168 1 2 1108 11883 620 ENETO T 0102 TCP 192 31 7 130 80 gt 192 168 1 2 1108 11883 630 ENETO T 0054 TCP 192 31 7 130 80 gt 192 168 1 2 1108 11883 630 ENETO R 0060 TCP 192 168 1 2 1108 gt 192 31 7 130 80 11883 650 ENETO R 0060 TCP 192 168 1 2 1108 gt 192
180. ver The details of the mapping between ILA and IGA are described as below Here we define the local IP addresses as the Internal Local Addresses ILA and the global IP addresses as the Inside Global Address IGA 1 One to One In One to One mode the P 660 maps one ILA to one IGA 2 Many to One In Many to One mode the P 660 maps multiple ILA to one IGA This is equivalent to SUA 1 e PAT port address translation ZyXEL s Single User Account feature that previous ZyNOS routers supported the SUA only option in today s routers All contents copyright 2005 ZyXEL Communications Corporation ZyXEL 3 Many to Many Overload P 660 series Support Notes In Many to Many Overload mode the P 660 maps the multiple ILA to shared IGA 4 Many One to One In Many One to One mode the P 660 maps each ILA to unique IGA 5 Server In Server mode the P 660 maps multiple inside servers to one global IP address This allows us to specify multiple servers of different types behind the NAT for outside access Note if you want to map each server to one unique IGA please use the One to One mode The following table summarizes these types NAT Type One to One Many to One SUA PAT Many to Many Overload Many One to One Server IP Mapping ILA1 lt gt IGA1 ILA 1 lt gt IGA1 ILA2 lt gt IGA1 ILA 1 lt gt IGA1 ILA2 lt gt IGA2 ILA3 lt gt IGA1 ILA4 lt gt IGA2 ILA 1 lt gt IGA1 ILA
181. vice type Precd Routine Delay Normal Thrput Normal Reli Normal Total length 60 Octets Fragment ID 60172 70 All contents copyright 2005 ZyXEL Communications Corporation 4yXttCCCCCC C C C C C P 6600 series Support Notes Flags May be fragmented Last fragment Offset 0 0x00 Time to live 32 seconds hops IP protocol type ICMP 0x01 Checksum OxE3EA IP address 202 132 155 93 Source IP address gt 202 132 155 99 Destination IP address No option Internet Control Message Protocol Type 8 Echo Request Code 0 Checksum 0x455C Identifier 768 Sequence Number 1280 Optional Data 32 bytes Configurations From the above first trace we know a client is trying to ping request the P 660 router And from the second trace we know the P 660 router will send a reply to the client accordingly The following sample filter will utilize the Generic Filter Rule to block the MAC address 00 80 c8 4c ea 63 1 First from the incoming LAN packet we know the uninteresting source MAC address starts at the 7th Octet TIME 37c060 enet0 RECV len 74 call 0 0000 00 a0 c5 01 23 45 00 80 c8 4c ea 63 08 00 45 00 0010 00 3c eb Oc 00 00 20 01 e3 ea ca 84 9b 5d ca 84 0020 9b 63 08 00 45 5c 03 00 05 00 61 62 63 64 65 66 0030 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 0040 77 61 62 63 64 65 66 67 68 69 2 We are now ready to configure the Generic Filter Rule as below Menu 21 1
182. w or deny association from hosts in the list 5 Enter the MAC Addresses which you may want to apply the filter to allow or block associations from 6 Click Apply to make your setting work ZyXEL TOTAL INTERNET ACCESS SOLUTION Wireless LAN MAC Filter Main Menu Active ves AAN E Action Allow Association Adwanced Setup Password l MAC Address LAN iii o0 00 00 00 00 00 Wireless LAN i i o0 00 00 00 00 00 00 00 00 00 00 00 _ WAN e NAT o0 00 00 00 00 00 o0 00 00 00 00 00 Dynamic DNS 00 00 00 00 00 00 00 00 00 00 00 00 Time one o0 00 00 00 00 00 fo0 00 00 00 00 00 Firewall _ Content Fitter E o0 00 00 00 00 00 00 00 00 00 00 00 POSENT 00 00 00 00 00 00 00 00 00 00 00 00 pe a 00 00 00 00 00 00 00 00 00 00 00 00 UPnP J 00 00 00 00 00 00 00 00 00 00 00 00 i Logs 7 fo0 00 00 00 00 00 o0 00 00 00 00 00 Lagat o0 00 00 00 00 00 00 00 00 00 00 00 o0 00 00 00 00 00 00 00 00 00 00 00 oon An Annn nn Annn annn Ane 4 4 Setup WEP Wired Equivalent Privacy e Introduction e Setting up the Access Point e Setting up the Station 123 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL CCCCCC P660 series Support Notes Introduction The 802 11 standa
183. wing information that means the PC associated and authenticated with AP successfully T Intel R PROSet File Action Tools Help E J Network Components gt PRO Wireless LAM 2100 3B Mini PCI Adapter General Metworks Adapter Troubleshooting Signal Quality g u uml Excellent lt 4 ssociated And Authenticated with E Network Name SSID BT Profile Name BT Mode Infrastructure AF Security TEIP Speed 11 Mbps Band Frequency a02 11b 2 4GHz Channel 11 802 1 Protocal Enabled Hardware radio switch On Switch radia f On M Show the tray icon cL ok Cancel Apply Help 152 All contents copyright 2005 ZyXEL Communications Corporation Support Tool 1 LAN WAN Packet Trace The Prestige packet trace records and analyzes packets running on LAN and WAN interfaces It is designed for users with technical backgrounds who are interested in the details of the packet flow on LAN or WAN end of Prestige It is also very helpful for diagnostics if you have compatibility problems with your ISP or if you want to know the details of a packet for configuring a filter rule The format of the display is as following Packet O 11880 160 ENETO R 0062 TCP 192 168 1 2 1108 gt 192 31 7 130 80 index timer second channel receive transmit length protocol sourceIP port destIP port There are two ways to dump the trace e Online Trace display the trace real time on screen e Offline Trace capt
184. wing parameters:
• VT100 terminal emulation
• 9600bps baud rate
• N81 data format (No Parity, 8 data bits, 1 stop bit)
The default console port baud rate is 9600bps; you can change it to 115200bps in Menu 24.2.2 to speed up the SMT access.
3. What is the default console port baud rate? Moreover, how do I change it?
The default console port baud rate is 9600bps. When configuring the SMT, please make sure the terminal baud rate is also 9600bps. You can change the console baud rate from 9600bps to 115200bps in SMT menu 24.2.2.
4. How do I update the firmware and configuration file?
You can upload the firmware and configuration file to the Prestige using the console port, FTP or TFTP client software. You CAN NOT upload the firmware and configuration file via Telnet because the Telnet connection will be dropped during the firmware upload. Please do not power off the router right after the FTP or TFTP upload is finished, because the router writes the firmware to its flash at this moment.
5. How do I upload the ZyNOS firmware code via console?
The procedure for uploading ZyNOS via console is as follows:
a. Enter debug mode when powering on the Prestige using a terminal emulator.
b. Enter ATUR to start the uploading.
c. Use X-modem protocol to transfer the ZyNOS code.
d. Enter ATGO to restart the Prestige.
6. How do I upgrade backup the Z
185. with protocol number 17 UDP Menu 21 1 4 TCP IP Filter Rule Filter 1 4 Filter Type TCP IP Filter Rule 76 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL 660 series Support Notes Active Yes IP Protocol 17 IP Source Route No Destination IP Addr 0 0 0 0 IP Mask 0 0 0 0 Port 138 Port Comp Equal Source IP Addr 0 0 0 0 IP Mask 0 0 0 0 Port 0 Port Comp None TCP Estab N A More No Log None Action Matched Drop Action Not Matched Check Next Rule Press ENTER to Confirm or ESC to Cancel e Rule 5 Destination port number 139 with protocol number 6 TCP Menu 21 1 5 TCP IP Filter Rule Filter 1 5 Filter Type TCP IP Filter Rule Active Yes IP Protocol 6 IP Source Route No Destination IP Addr 0 0 0 0 IP Mask 0 0 0 0 Port 139 Port Comp Equal Source IP Addr 0 0 0 0 IP Mask 0 0 0 0 Port 0 Port Comp None TCP Estab No More No Log None Action Matched Drop Action Not Matched Check Next Rule Press ENTER to Confirm or ESC to Cancel 77 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes e Rule 6 Destination port number 139 with protocol number 17 UDP Menu 21 1 6 TCP IP Filter Rule Filter 1 6 Filter Type TCP IP Filter Rule Active Yes IP Protocol 17 IP Source Route No Destination IP Addr 0 0 0 0 IP Mask 0 0 0 0 Port 139 Port Comp Equal Source IP Addr 0 0 0 0 IP Mask
186. with telephone lines for many years. Additionally, many of the older cable networks are not capable of offering a return channel; consequently, such networks will need significant upgrading before they can offer high-bandwidth services.
2. What is the expected throughput?
In our test, we can get about 1.6Mbps data rate on 15Kft using the 26AWG loop. The shorter the loop, the better the throughput. Besides, please do not stay in menu 24.1; it will slow down the throughput.
3. What is the micro filter used for?
Generally, the voice band uses the lower frequency range from 0 to 4KHz, while ADSL data transmission uses the higher frequency. The micro filter acts as a low-pass filter for your telephone set to ensure that ADSL transmissions do not interfere with your voice transmissions. For details about how to connect the micro filter, please refer to the user's manual.
4. How do I know the ADSL line is up?
The DSL LED on the P-660's front panel is on when the ADSL physical layer is up.
5. How does the P-660 work on a noisy ADSL?
Depending on the line quality, the P-660 uses Fall Back and Fall Forward to automatically adjust the data rate.
6. Does the VC-based multiplexing perform better than the LLC-based multiplexing?
Though the LLC-based multiplexing can carry multiple protocols over a single VC, it requires e
187. work node
There are two versions of SNMP: Version 1 and Version 2. ZyXEL supports SNMPv1. Most of the changes introduced in Version 2 increase SNMP's security capabilities. SNMP encompasses three main areas:
1. A small set of management operations
2. Definitions of management variables
3. Data representation
The operations allowed are Get, GetNext, Set and Trap. These functions operate on variables that exist in network nodes. Examples of variables include statistic counters, node port status, and so on. All of the SNMP management functions are carried out through these simple operations. No action operations are available, but these can be simulated by the setting of flag variables. For example, to reset a node, a counter variable named "time to reset" could be set to a value, causing the node to reset after the time had elapsed.
SNMP variables are defined using the OSI Abstract Syntax Notation One (ASN.1). ASN.1 specifies how a variable is encoded in a transmitted data frame; it is very powerful because the encoded data is self-defining. For example, the encoding of a text string includes an indication that the data unit is a string, along with its length and value. ASN.1 is a flexible way of defining protocols, especially for network management protocols where nodes may support different sets of manageable variables. The ne
188. working uses the Internet standard Point to Point PPP to provide a secure optimized multiple protocol network connection over dial up telephone lines All data sent over this connection can be encrypted and compressed and multiple network level protocols TCP IP NetBEUI and IPX can be run correctly Windows NT Domain Login level security is preserved even across the Internet RAS HT RAS wan i Client r Serer Window98 PPTP Client Internet NT RAS Server Protocol Stack PPTP appears as new modem type Virtual Private Networking Adapter that can be selected when setting up a connection in the Dial Up Networking folder The VPN Adapter type does not appear elsewhere in the system Since PPTP encapsulates its data stream in the PPP protocol the VPN requires a second dial up adapter This second dial up adapter for VPN is added during the installation phase of the Upgrade in addition to the first dial up adapter that provides PPP support for the analog or ISDN modem The PPTP is supported in Windows NT and Windows 98 already For Windows 95 it needs to be upgraded by the Dial Up Networking 1 2 upgrade 38 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes Configuration This application note explains how to establish a PPTP connection with a remote private network in the P 660 SUA case In ZyNOS all PPTP packets can be forwarded to the internal PPTP Server WinNT server behind
189. xtra header information to identify the protocol being carried on the virtual circuit (VC). The VC-based multiplexing needs a separate VC for carrying each protocol, but it does not need the extra headers. Therefore, the VC-based multiplexing is more efficient.
7. How do I know the details of my ADSL line statistics?
You can use the following CI commands to check the ADSL line statistics:
CI> wan adsl perfdata
CI> wan adsl status
CI> sys log disp
CI> wan adsl linedata far
CI> wan adsl linedata near
8. What are the possible reasons when the ADSL link is down?
The physical ADSL line may not be up if:
1. The DSLAM is not Alcatel.
2. If it is Alcatel, the firmware version should be above 3.1.
9. What are the signaling pins of the ADSL connector?
The signaling pins on the P-660's ADSL connector are pin 3 and pin 4 (the middle two pins for an RJ11 cable).
Firewall FAQ (For P-660H HW Only)
General
1. What is a network firewall?
A firewall is a system or group of systems that enforces an access control policy between two networks. It may also be defined as a mechanism used to protect a trusted network from an untrusted network. The firewall can be thought of as two mechanisms: one to block traffic and the other to permit traffic.
2. What makes P-660 secure?
The P-660 is pre-configured to automatically detect and
190. y syslog setting facility Local ID 1 7 log the messages to different files server domainName IP syslog server to send weekly time to send the logs s e disp display system mbuf q Ee e clear clear system mbuf D a O Pf tink ink list list system mbuf link mbuf link pool lt id gt type list system mbuf pool status display system mbuf Status A a memory lt address gt lt length gt display memory pe oe ie memwrite lt address gt lt len gt data list write some data to e ee aae memwl lt address gt write long word to DO ian ee memrl lt address gt read long word at S S S memutil usage e a memory allocate and heap status mqueue lt address gt lt len gt display memory Poe pes e mcell mid flu display memory cells a a ae a 169 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes msecs alflu display memory ooon o mta E lt n mcell gt start amoy test mtalloc lt size gt n aa N memory for testing fmf lt start idx gt end idx free the test memory display server model o o fpo J __ all process information stack tag display process s stack by a give TAG pstatus display process s status E a give TAG queue a maaa start end e queue by given status and range numbers ndisp qid display a queue by a given number quit quit CI command mode reboot code reboot system code 0
191. y you for routine reports and when alerts occur.
5. Why do you need a firewall when your router has packet filtering and NAT built in?
With the spectacular growth of the Internet and online access, companies that do business on the Internet face greater security threats. Although packet filtering and NAT restrict access to particular computers and networks, for other companies this security may be insufficient, because packet filters typically cannot maintain session state. Thus, for greater security, a firewall is considered.
6. What is Denial of Service (DoS) attack?
Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources. There are four types of DoS attacks:
1. Those that exploit bugs in a TCP/IP implementation, such as Ping of Death and Teardrop.
2. Those that exploit weaknesses in the TCP/IP specification, such as SYN Flood and LAND Attacks.
3. Brute force attacks that flood a network with useless data, such as Smurf attack.
4. IP Spoofing.
7. What is Ping of Death attack?
Ping of Death uses a PING utility to create an IP packet that exceeds the maximum 65535 bytes of data allowed by the IP specification. The oversize packet is then sent to
192. yNOS firmware by using TFTP client program via LAN?
The Prestige allows you to transfer the firmware to the Prestige by using a TFTP program via LAN. The procedure for uploading ZyNOS via TFTP is as follows:
a. Use the TELNET client program on your PC to log in to your Prestige.
b. Enter CI command sys stdio 0 in menu 24.8 to disable console idle timeout.
c. To upgrade firmware, use the TFTP client program to put the firmware in file ras in the Prestige. After the data transfer is finished, the Prestige will program the upgraded firmware into FLASH ROM and reboot itself.
d. To back up your firmware, use the TFTP client program to get file ras from the Prestige.
7. How do I upload ROMFILE via console port?
In some situations, such as losing the system password or needing to reset SMT to factory default, you may need to upload the ROMFILE. The procedure for uploading ROMFILE via the console port is as follows:
a. Enter debug mode when powering on the Prestige using a terminal emulator.
b. Enter ATLC to start the uploading.
c. Use X-modem protocol to transfer ROMFILE.
d. Enter ATGO to restart the Prestige.
8. How do I restore SMT configurations by using TFTP client program via LAN?
a. Use the TELNET client program on your PC to log in to your Prestige.
b. Enter CI command sys stdio 0 in menu 24.8 to disable console idle timeout.
c. To back up the SMT configurations, use the TFTP client program to get file rom-0 from the Prestige.
d. To re
193. your windows task bar the utility will pop up on your windows screen 2 Select configuration tab IEEESO 11b WLAN PCI Card Utility Link Info Configuratior Site Survey Encryption Advanced About Protile ira gt Femove crests _Aotva Configuration SSID Transfer Rate Auto Rate Channel Power Saving Mode Disabled Restore Defaults Undo Changes Apply Changes Cancel Help 3 Select Infrastructure from the operation mode pull down menu fill in an SSID or leave it as any if you wish to connect to any AP than press Apply Change to take effect 4 Click on Site Survey tab and press search all the available AP will be listed 119 All contents copyright 2005 ZyXEL Communications Corporation ZyXEL P 660 series Support Notes Z yAIR B 320 Utility Link Info Configuration Site Survey Security Advanced About The list contains available Access Points and their features To Update the list click Search button you can select a desired Access Paint from the list and click Connect button to the specified Access PaBOHYY DON S49 00 0 53 OO AD CS 010A 00 A0 c00 AREL OO ADCS O00 Wireless 00 1 3 49 98 2 kate test 00A CARAS APBOO OO ADCE BST APBOO4 OO AU CS EF 8 Wireless OO AD CS SFE AEOS 00 A0 ca 00 0 AMAA oo oe ER a od Gd a G E Ea lt ye Search Connect OK Cancel Help 5 Double click on