ZyXEL P-660HW-TX User's Manual
Contents
1. Downstream This is the downstream speed of your ZyXEL Device Speed Node Link This field displays the remote node index number and link type Link types are PPPoA ENET RFC 1483 and PPPoE Status This field displays Down line is down Up line is up or connected if you re using Ethernet encapsulation and Down line is down Up line is up or connected Idle line ppp idle Dial starting to trigger a call and Drop dropping a call if you re using PPPoE encapsulation TxPkts This field displays the number of packets transmitted on this port RxPkts This field displays the number of packets received on this port Errors This field displays the number of error packets on this port Tx B s This field displays the number of bytes transmitted in the last second Rx B s This field displays the number of bytes received in the last second Up Time This field displays the elapsed time this port has been up LAN Port Statistics Interface This field displays either Ethernet LAN ports or Wireless WLAN port Status For the LAN ports this field displays Down line is down or Up line is up or connected For the WLAN port it displays the transmission rate when WLAN is enabled or N A when WLAN is disabled TxPkts This field displays the number of packets transmitted on this interface RxPkts This field displays the number of packets received on this interface Collisions2. LABEL DESCRIPTION WLAN Information SSID This is the descriptive name used to identify the ZyXEL Device in a wireless LAN Click this to go to the screen where you can change it Channel This is the channel number used by the ZyXEL Device now Security This displays the type of security mode the ZyXEL Device is using in the wireless LAN WPS This displays whether WPS is activated Click this to go to the screen where you can configure the settings Status This displays whether WLAN is activated Security Firewall This displays whether or not the ZyXEL Device s firewall is activated Click this to go to the screen where you can change it can eni This displays whether or not the ZyXEL Device s content filtering is Filter activated Click this to go to the screen where you can change it System Status System This field displays how long the ZyXEL Device has been running since it Uptime last started up The ZyXEL Device starts up when you plug it in when you restart it Maintenance Tools Restart or when you reset it Current This field displays the current date and time in the ZyXEL Device You Date Time can change this in Maintenance gt System gt Time Setting System This displays whether the ZyXEL Device is functioning as a router or a Mode bridge CPU Usage __ This field displays what percentage of the ZyXEL Device s processing ability is currently used When this percentage is clos
3. Default User user Password Default Admin 1234 Password DHCP Server IP Pool 192 168 1 32 to 192 168 1 64 Static DHCP 10 Addresses Content Filtering Web page blocking by URL keyword Static Routes 16 Device Management Use the web configurator to easily configure the rich range of features on the ZyXEL Device Wireless Functionality wireless devices only Allow the IEEE 802 11b and or IEEE 802 11g wireless clients to connect to the ZyXEL Device wirelessly Enable wireless security WEP WPA 2 WPA 2 PSK and or MAC filtering to protect your wireless network Firmware Upgrade Download new firmware when available from the ZyXEL web site and use the web configurator an FTP or a TFTP tool to put it on the ZyXEL Device Note Only upload firmware for your specific model Configuration Backup amp Restoration Make a copy of the ZyXEL Device s configuration You can put it back on the ZyXEL Device later if you decide to revert back to an earlier configuration Network Address Translation NAT Each computer on your network must have its own unique IP address Use NAT to convert your public IP address es to multiple private IP addresses for the computers on your network Port Forwarding If you have a server mail or web server for example on your network you can use this feature to let people access it from the nternet DHCP Dynamic Host Configurat
4. Back Click this to return to the previous screen without saving Apply Click this to save your changes Cancel Click this to restore your previously saved settings P 660HW Tx v3 Series User s Guide Chapter 6 WAN Setup 6 3 The More Connections Screen The ZyXEL Device allows you to configure more than one Internet access connection To configure additional Internet access connections click Network gt WAN gt More Connections The screen differs by the encapsulation you select When you use the WAN Internet Access Setup screen to set up Internet access you are configuring the first WAN connection Figure 34 Network gt WAN gt More Connections FEUDUM Internet Connection 8 35 ENET ENCAP GR GR GR CH UH UA Ul E E E Eb E E B The following table describes the labels in this screen Table 21 Network WAN More Connections LABEL DESCRIPTION This is an index number indicating the number of the corresponding connection Active This field indicates whether the connection is active or not Clear the check box to disable the connection Select the check box to enable it Name This is the name you gave to the Internet connection VPI VCI This field displays the Virtual Path Identifier VPI and Virtual Channel Identifier VCI numbers configured for this WAN connection Encapsulation This field indicates the encapsulation method of the Internet
5. LABEL DESCRIPTION Gateway IP This option is available if you select ENET ENCAP in the address Encapsulation field Specify a gateway IP address supplied by your ISP Connection Nailed Up Connection Select Nailed Up Connection when you want your connection up all the time The ZyXEL Device will try to bring up the connection automatically if it is disconnected Connect on Demand Select Connect on Demand when you don t want the connection up all the time and specify an idle time out in the Max Idle Timeout field Max Idle Timeout Specify an idle time out in the Max Idle Timeout field when you select Connect on Demand The default setting is 0 which means the Internet session will not timeout NAT SUA only is available only when you select Routing in the Mode field Select SUA Only if you have one public IP address and want to use NAT Click Edit Detail to go to the Port Forwarding screen to edit a server mapping set Otherwise select None to disable NAT Back Click this to return to the previous screen without saving Apply Click this to save your changes Cancel Click this to restore your previously saved settings Advanced Setup Click this to display the More Connections Advanced Setup screen and edit more details of your WAN setup P 660HW Tx v3 Series User s Guide Chapter 6 WAN Setup 6 3 2 Configuring More Connections Advanced Setup Use this screen to edit yo
6. FireFTP Clear Private Data Ctrl Shift Del Tab Mix Plus Options Session Manager L Options I P 660HW Tx v3 Series User s Guide Appendix B Pop up Windows JavaScript and Java Permissions Click Content to show the screen below Select the check boxes as shown in the following screen Figure 186 Mozilla Firefox Content Security ua i3 Qa ag ww Mee Main Tabs Feeds Privacy Security Advanced w Block pop up windows Exceptions IV Load images automatically Exceptions IV Enable JavaScript Advanced IV Enable Java r Fonts amp Colors Default Font Times New Roman 7 Size 16 v Advanced Colors File Types Configure how Firefox handles certain types of Files Manage ee H Cancel Help P 660HW Tx v3 Series User s Guide 383 Appendix B Pop up Windows JavaScript and Java Permissions P 660HW Tx v3 Series User s Guide IP Addresses and Subnetting This appendix introduces IP addresses and subnet masks IP addresses identify individual devices on a network Every networking device including computers servers routers printers etc needs an IP address to communicate across the network These networking devices are also known as hosts Subnet masks determine the maximum number of possible hosts on a network You can also use subnet masks to divide one network into multiple sub net
7. ISP MTU MTU The Maximum Transmission Unit MTU defines the size of the largest packet allowed on an interface or connection Enter the MTU in this field For ENET ENCAP the MTU value is 1500 For PPPoE the MTU value is 1492 For PPPoA and RFC 1483 the MTU is 65535 Packet Filter Incoming Filter Sets P 660HW Tx v3 Series User s Guide Chapter 6 WAN Setup Table 20 Network WAN Internet Access Setup Advanced Setup continued LABEL DESCRIPTION Protocol Filter Select the protocol filter s to control incoming traffic You may choose up to 4 sets of filters You can configure packet filters in the Packet Filter screen See Chapter 12 on page 219 for more details Generic Filter Select the generic filter s to control incoming traffic You may choose up to 4 sets of filters You can configure generic filters in the Packet Filter screen See Chapter 12 on page 219 for more details Outgoing Filter Sets Protocol Filter Select the protocol filter s to control outgoing traffic You may choose up to 4 sets of filters You can configure protocol filters in the Packet Filter screen See Chapter 12 on page 219 for more details Generic Filter Select the generic filter s to control outgoing traffic You may choose up to 4 sets of filters You can configure generic filters in the Packet Filter screen See Chapter 12 on page 219 for more details
8. P 660HW Tx v3 Series User s Guide Chapter 2 Introducing the Web Configurator 6 Select Go to Wizard setup and click Apply to display the wizard main screen Otherwise select Go to Advanced setup and click Apply to display the Status screen Figure 5 Replace Factory Default Certificate Screen Please select Wizard or Advanced mode The Wizard setup walks you through the most common configuration settings We suggest you use this mode if it is the first time you are setting up your router or if you need to make basic configuration changes Note For security reasons the ZyXEL Device automatically logs you out if you do not use the web configurator for five minutes default If this happens log in again 2 2 Web Configurator Main Screen Figure 6 Main Screen Status Refresh Interval Noe v Apply Device Information System Status Host Name System Uptime 0 56 25 Model Number P 660HW T1 v3 Current Date Time 01 01 2000 00 56 34 MAC Address 00 02 cf de ee 53 System Mode Routing Bridging ZyNOS Firmware Version V3 7 A 3 CPU Usage EN 1 33 74 DSL Firmware Version DMT FwVer 3 11 2 64 A TC Memory Usage HE 54 WAN Information DSL Mode Error IP Subnet Mask 0 0 0 0 Default Gateway 0 0 0 0 VPI VCI 8 35 LAN Information 0 kbps 0 kbps IP Address 192 168 1 1 IP Subnet Mask 255 255 25
9. Current Time Current Time Current Date Time and Date Setup 9 Manual New Time hh mm ss New Date yyyy mm dd 2 Get from Time Server Time Protocol Time Server Address Time Zone Setup Time Zone L1 Daylight Savings Start Date End Date GMT Greenwich Mean Time Dublin Edinburgh Lisbon London v of 2000 01 02 at o clock of 2000 01 02 at o clock Cancel The following table describes the fields in this screen Table 88 Maintenance gt System gt Time Setting LABEL DESCRIPTION Current Time Current Time This field displays the time of your ZyXEL Device Each time you reload this page the ZyXEL Device synchronizes the time with the time server Current Date This field displays the date of your ZyXEL Device Each time you reload this page the ZyXEL Device synchronizes the date with the time server Time and Date Setup Manual Select this radio button to enter the time and date manually If you configure a new time and date Time Zone and Daylight Saving at the same time the new time and date you entered has priority and the Time Zone and Daylight Saving settings do not affect it P 660HW Tx v3 Series User s Guide Chapter 20 System Settings Table 88 Maintenance System Time Setting continued LABEL DESCRIPTION New Time This field displays the last updated time from the time server or the last time configured manually
10. More No Log None Action Match Check Next Rule Action Not Match check Next Rule Apply Cancel The following table describes the labels in this screen Table 63 Security gt Packet Filter gt Edit Protocol Filter gt Edit Rule LABEL DESCRIPTION Active Select the check box to enable the filter rule Protocol Select ICMP TCP or UDP for the upper layer protocol IP Source Select the check box to apply the filter rule to packets with an IP source Route route option The majority of IP packets do not have source route Destination Enter the destination IP address of the packet you wish to filter This Address field is ignored if it is 0 0 0 0 Destination Enter the IP subnet mask for the destination IP address Subnet Netmask Destination Enter the destination port of the packets that you wish to filter The Port range of this field is O to 65535 This field is ignored if it is O 222 P 660HW Tx v3 Series User s Guide Chapter 12 Packet Filter Table 63 Security gt Packet Filter gt Edit Protocol Filter gt Edit Rule continued LABEL DESCRIPTION Port Compare Select the comparison to apply to the destination port in the packet against the value given in the Destination Port field Options are None Equal Not Equal Less and Greater Source Address Enter the source IP address of the packet you wish to filter This field is ignore
11. Use WAN IP Address C Dynamic DNS server auto detect IP Address C Use specified IP Address 0 0 0 0 Apply Cancel The following table describes the fields in this screen Table 80 Advanced Dynamic DNS LABEL DESCRIPTION Dynamic DNS Setup Active Select this check box to use dynamic DNS Dynamic DNS Service This is the name of your Dynamic DNS service provider Provider Dynamic DNS Select the type of service that you are registered for from your Dynamic Type DNS service provider Host Name Type the domain name assigned to your ZyXEL Device by your Dynamic DNS provider You can specify up to two host names in the field separated by a comma User Name Type your user name Password Type the password assigned to you 270 P 660HW Tx v3 Series User s Guide Chapter 17 Dynamic DNS Setup Table 80 Advanced Dynamic DNS continued LABEL DESCRIPTION Enable Select the check box to enable DynDNS Wildcard Wildcard Option Enable off line option This option is available when CustomDNS is selected in the DDNS Type field Check with your Dynamic DNS service provider to have traffic redirected to a URL that you can specify while you are off line P Address Update Policy Use WAN IP Select this option to update the IP address of the host name s to the Address WAN IP address Dynamic DNS Select this option only when there are one o
12. P 660HW Tx v3 Series User s Guide Universal Plug and Play UPnP 19 1 Overview Universal Plug and Play UPnP is a distributed open networking standard that uses TCP IP for simple peer to peer network connectivity between devices A UPnP device can dynamically join a network obtain an IP address convey its capabilities and learn about other devices on the network In turn a device can leave a network smoothly and automatically when it is no longer in use 19 1 1 What You Can Do in the UPnP Screen Use the UPnP screen Section 19 2 on page 283 to enable UPnP on the ZyXEL Device and allow UPnP enabled applications to automatically configure the ZyXEL Device 19 1 2 What You Need to Know About UPnP Identifying UPnP Devices UPnP hardware is identified as an icon in the Network Connections folder Windows XP Each UPnP compatible device installed on your network will appear as a separate icon Selecting the icon of a UPnP device will allow you to access the information and properties of that device NAT Traversal UPnP NAT traversal automates the process of allowing an application to operate through NAT UPnP network devices can automatically configure network addressing announce their presence in the network to other UPnP devices and enable exchange of simple product and service descriptions NAT traversal allows the following Dynamic port mapping Learning public IP addresses Assigning lease times to mappi
13. System Name Domain Name Administrator Inactivity Timer fo minutes 0 means no timeout Password User Password New Password i Retype to confirm C L 4l Admin Password Old Password li New Password Retype to confirm A Caution Please record your new password whenever you change it The system will lock you out if you have forgotten your password Apply Cancel P 660HW Tx v3 Series User s Guide Chapter 20 System Settings The following table describes the labels in this screen Table 87 Maintenance System General LABEL DESCRIPTION System Setup System Name Choose a descriptive name for identification purposes It is recommended you enter your computer s Computer name in this field This name can be up to 30 alphanumeric characters long Spaces are not allowed but dashes and underscores are accepted Domain Name Enter the domain name if you know it here If you leave this field blank the ISP may assign a domain name via DHCP The domain name entered by you is given priority over the ISP assigned domain name The Domain Name entry is propagated to the DHCP clients on the LAN Administrator Type how many minutes a management session either via the web Inactivity configurator or telnet can be left idle before the session times out The Timer default is 5 minutes After it times out you have to log
14. ez eve E mez Apply Cancel The following table describes the labels in this screen Table 73 Advanced gt 802 1Q 1P gt Port Setting LABEL DESCRIPTION Ports This field displays the types of ports available to join the VLAN group 802 1Q PVID Assign a VLAN ID for the port The valid VID range is between 1 and 4094 The ZyXEL Device assigns the PVID to untagged frames or priority tagged frames received on this port 802 1P Priority Assign a priority for the traffic transmitted through the port Select Same if you do not want to modify the priority You may choose a priority level from 0 7 with O being the lowest level and 7 being the highest level Apply Click this to save your changes Cancel Click this to restore your previously saved settings P 660HW Tx v3 Series User s Guide Quality of Service QoS 16 1 Overview Use the QoS screens to set up your ZyXEL Device to use QoS for traffic management Quality of Service QoS refers to both a network s ability to deliver data with minimum delay and the networking methods used to control bandwidth QoS allows the ZyXEL Device to group and prioritize application traffic and fine tune network performance Without QoS all traffic data are equally likely to be dropped when the network is congested This can cause a reduction in network performance and make the network inadequate for time critical applications su
15. q Note respectively Your wireless client must match the security strength set on the router Please type exactly 5 or 13 characters MAC Filter Deny Association QoS Low Low Iv The different WEP key lengths configure different strength security 40 64 bit or 128 bit Please type exactly 10 or 26 characters using only the numbers 0 9 and the letters A F 6 Activate the wireless network groups and click Apply More AP Setup VIP WPA2 PSK BEP T Guest WEP 64Bit amp Ww ZyXELO4 None EP dj Camp een P 660HW Tx v3 Series User s Guide Chapter 4 Tutorials 4 4 Configuring the MAC Address Filter Thomas noticed that his daughter Josephine spends too much time surfing the web and downloading media files He decided to prevent Josephine from accessing the Internet so that she can concentrate on preparing for her final exams Josephine s computer connects wirelessly to the Internet through the ZyXEL Device Thomas can deny access to the wireless network using the MAC address of Josephine s computer Thomas 1 Click Network gt LAN gt Client List to open the following screen Look for the MAC address of J osephine s computer DHCP Client Table IP Address 0 0 0 0 MAC Address 00 00 00 00 00 00 UU LT AU O twpc13477 192 168 1 33 00 0F FE 32 84 12 2 Josephine PC 192 168 1 34 00 1E 52 C3 5C 1B P 660HW Tx v3 Series User s Guide Chapter 4 Tutorials
16. Control Panel Home gt System and Maintenance User Accounts Classic View Allow a program through Windows Firewall Adjust screen resolution etwork and Internet P onnect to the Internet Clock Language and Region View network status and tasks ci Change keyboards or other input ay methods Set up file sharing Change display language 3 Click Network and Sharing Center Figure 157 Windows Vista Network And Internet CION P gt Control Panel Network and Internet v 4 Search 5 File Edit View Tools Help Control Panel Home EN Network and Sharing Center System and Maintenance View network status and tasks Connect to a network Security View network computers and devices Add a device to the network Set up file sharing Network and Internet x Er tt Internet Options Connect to the Internet Change yourhomepage Manage browser add ons Programs Delete browsing history and cookies Hardware and Sound P 660HW Tx v3 Series User s Guide Appendix A Setting up Your Computer s IP Address 4 Click Manage network connections Figure 158 Windows Vista Network and Sharing Center EESEGE QU E Network and Internet Network and Sharing Center v 4 Search 5 File Edit View Tools Help e res Network and Sharing Center View computers and devices View full map Connect to a network Set up a connection or network A er d y Manage ne
17. Modify Click the Edit icon to go to the screen where you can edit the rule Click the Remove icon to delete an existing firewall rule A window displays asking you to confirm that you want to delete the firewall rule Note that subsequent firewall rules move up by one when you take this action Order Click the Move icon to display the Move the rule to field Type a number in the Move the rule to field and click the Move button to move the rule to the number that you typed The ordering of your rules is important as they are applied in order of their numbering Apply Click this to save your changes Cancel Click this to restore your previously saved settings P 660HW Tx v3 Series User s Guide 197 Chapter 10 Firewalls 10 3 1 Configuring Firewall Rules Refer to Section 10 1 2 on page 190 for more information Use this screen to configure firewall rules In the Rules screen select an index number and click Add or click a rule s Edit icon to display this screen and refer to the following table for information on the labels Figure 79 Security gt Firewall gt Rules Edit Edit Rule 2 M Active Action for Matched Packets Permit Source Address Address Type any Address 7 Start IP boso Any Address wane Add gt gt End IP ENDTE TT enm Address Era Edis Subnet Mask 0 0 0 0 Delete Destination Address Address Type Any Address z Start IP kema
18. Table 19 Network gt WAN gt Internet Access Setup LABEL DESCRIPTION Line Modulation Select the modulation supported by your ISP Use Multi Mode if you are not sure which mode to choose from The ZyXEL Device dynamically diagnoses the mode supported by the ISP and selects the best compatible one for your connection Other options are ADSL G dmt ADSL2 ADSL2 ADSL2 AnnexM ADSL2 AnnexM READSL2 Mode ANSI T1 413 and ADSL G lite General Mode Select Routing default from the drop down list box if your ISP gives you one IP address only and you want multiple computers to share an Internet account Select Bridge when your ISP provides you more than one IP address and you want the connected computers to get individual IP address from ISP s DHCP server directly If you select Bridge you cannot use Firewall DHCP server and NAT on the ZyXEL Device Encapsulation Select the method of encapsulation used by your ISP from the drop down list box Choices vary depending on the mode you select in the Mode field If you select Bridge in the Mode field select either PPPoA or RFC 1483 If you select Routing in the Mode field select PPPoA RFC 1483 ENET ENCAP or PPPoE User Name PPPoA and PPPoE encapsulation only Enter the user name exactly as your ISP assigned If assigned a name in the form user domain where domain identifies a service name then enter both components exactly as given Password PPPoA an
19. r Eu E CAPA i lO N l p Eu What You Can Do in the Static Route Screens Use the Static Route screens Section 14 2 on page 240 to view and configure P 660HW Tx v3 Series User s Guide IP static routes on the ZyXEL Device Chapter 14 Static Route 14 2 The Static Route Screen Use this screen to view the static route rules Click Advanced Static Route to open the Static Route screen Figure 101 Ad vanced Static Route Static Route Static Route Rules OQ wo Un RON b 11 12 13 14 15 Lt active Name destination Gateway subnet Mask Modify 1 z z E E Wi Up Gp GU GG GRO C QUU B E E E E B E E E E E E ED E E G Apply Cancel The following table describes the labels in this screen Table 69 Adva nced Static Route LABEL DESCRIPTION This is the number of an individual static route Active This field indicates whether the rule is active or not Clear the check box to disable the rule Select the check box to enable it Name This is the name that describes or identifies this route Destination This parameter specifies the IP network address of the final destination Routing is always based on network number Gateway This is the IP address of the gateway The gateway is a router or switch on the same network segment as the device s LAN or WAN port The gateway helps forward packets
20. Exit P 660HW Tx v3 Series User s Guide Chapter 5 Internet and Wireless Setup Wizard 3b The following screen displays if a PPPoE or PPPoA connection is detected Enter your Internet account information username password and or service name exactly as provided by your ISP Then click Next and see Section 5 3 on page 92 for wireless connection wizard setup Figure 15 Auto Detection PPPoE STEP 1 STFEP 2 fli Internet Configuration Connection Type PPP over Ethernet PPPoE ord given to you our Internet Service Provider here If enter it in the third User Name Password Service Name foptional Back Next gt Exit 3c The following screen appears if the ZyXEL device detects a connection but not the connection type Click Next and refer to Section 5 2 1 on page 86 on how to manually configure the ZyXEL Device for Internet access Figure 16 Auto Detection Failed STEP 1 STEP 2 ffi Internet Configuration Connection Type Li Note This wizard can only automatically detect PPP over Ethernet PPPoE PPP over ATM PPPoA or dynamically assigned Ethernet Internet connections Your Internet connection may use a Static IP address which cannot be detected automatically Back Next gt Exit P 660HW Tx v3 Series User s Guide Chapter 5 Internet and Wireless Setup Wizard 5 2 1 Manual Configuration If the ZyXEL Device fails to detect your DSL connection type but the physical
21. LAN IP Use this screen to configure LAN TCP IP settings enable Any IP and other advanced properties DHCP Setup Use this screen to configure LAN DHCP settings Client List Use this screen to view current DHCP client information and to always assign specific IP addresses to individual MAC addresses and host names IP Alias Use this screen to partition your LAN interface into subnets 32 P 660HW Tx v3 Series User s Guide Chapter 2 Introducing the Web Configurator Table 3 Navigation Panel Summary LINK TAB FUNCTION Wireless LAN AP Use this screen to configure the wireless LAN settings and WLAN authentication security settings More AP Use this screen to configure multiple BSSs on the ZyXEL Device WPS Use this screen to configure WPS Wi Fi Protected Setup settings WPS Station Use this screen to set up a WPS wireless network WDS Use this screen to set up Wireless Distribution System links to other access points Scheduling Use this screen to configure the dates times to enable or disable the wireless LAN NAT General Use this screen to enable NAT Port Use this screen to make your local servers visible to the outside Forwarding world ALG Use this screen to enable or disable SIP ALG Security Firewall General Use this screen to activate deactivate the firewall and the default action to take on network traffic going in specific directions Rules Th
22. The RADIUS server distributes a Pairwise Master Key PMK key to the AP that then sets up a key hierarchy and management system using the PMK to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients This all happens in the background automatically The Message Integrity Check MIC is designed to prevent an attacker from capturing data packets altering them and resending them The MIC provides a strong mathematical function in which the receiver and the transmitter each compute and then compare the MIC If they do not match it is assumed that the data has been tampered with and the packet is dropped By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism MIC with TKIP and AES it is more difficult to decrypt data on a Wi Fi network than WEP and difficult for an intruder to break into the network The encryption mechanisms used for WPA 2 and WPA 2 PSK are the same The only difference between the two is that WPA 2 PSK uses a simple common password instead of user specific credentials The common password approach makes WPA 2 PSK susceptible to brute force password guessing attacks but it s still an improvement over WEP as it employs a consistent single alphanumeric password to derive a PMK which is used to generate unique temporal encryption P 660HW Tx v3 Series User s Guide A
23. This field displays the type of algorithm that was used to generate the certificate s key pair the ZyXEL Device uses RSA encryption and the length of the key set in bits 1024 bits for example MD5 Fingerprint This is the certificate s message digest that the ZyXEL Device calculated using the MD5 algorithm You can use this value to verify with the certification authority over the phone for example that this is actually their certificate SHA1 Fingerprint This is the certificate s message digest that the ZyXEL Device calculated using the SHA1 algorithm You can use this value to verify with the certification authority over the phone for example that this is actually their certificate Certificate in PEM Base 64 Encoded Format This read only text box displays the certificate or certification request in Privacy Enhanced Mail PEM format PEM uses 64 ASCII characters to convert the binary certificate into a printable form You can copy and paste the certificate into an e mail to send to friends or colleagues or you can copy and paste the certificate into a text editor and save the file on a management computer for later distribution via floppy disk for example Back Click this to return to the previous screen without saving Export Click this and then Save in the File Download screen The Save As Screen opens browse to the location that you want to use and click Save Apply Click this to sav
24. 119 det MONIO W mM 119 7 1 1 What You Can Do in the LAN Screens aissius innnan 119 7 1 2 What You Need To Know ADout LAN 2esdiiceeeottdiec ot Disi eren DTdek ba DUE DU pre DO Dd RE ERE DUE 120 LOBON YUBO eT 121 Jat T LIMIT OTE nne EE RIS rx RES tt rorr te ba o kMR an E GU nore rane re tr torrente tt rer 121 22 4 The Advanced LAN IP Sep SOOS cue cce etate rt rpta cq pee ePr cane ehe RR prac cba a 122 Ta Ne DACP Seip Set DN MIS 124 TA Thee Lel SPN rirerire a 126 To TM EP ANE aO D 127 7 5 1 Configuring the LAN IP Alias Sereen 2s uie icecantaeui re dana edb b aic Y apr dE naa 128 hs Mere NI SHE Dich eth Us Sco cet SEEUUTTT 129 7 6 1 LANs WANS and the ZyXEL Dewees sasiaessssasvinastapsinduvasaaestenessoansieliossasieesteaneentanss 129 P 660HW Tx v3 Series User s Guide 13 Table of Contents POO SA o PT abe ia lope M 130 ZB DNS Server deli ia ctu an badiroionsiwan wad dere ipm x dead cias rade aar ta dt Foe Un KE GUN 130 pu c M pe Vll MERE Mecareenete an T3 Fee PP es T ease epa dan pb ac Recta bn binas rs cbr M Erg Mela are 132 F CSORUI PICTUS ME 132 EROS WU e 133 Chapter 8 bg LAN Sr 137 D CIE aa uisum INIMICI PUOI IU 137 8 1 1 What You Can Do in the Wireless LAN Screens sssseeseseeeennnnne 137 8 1 2 What You Need to Know About Wireles
25. Address E AUR End IP sooo TUNE Address AUG ELE Subnet Mask 0 0 0 0 Delete Service Add gt gt Remove BGP TCP 179 x IH Edit Customized Services Schedule Day to Apply M Everyday I7 sun IV Mon V Tue V wed IV Thu IV Fri IV sat Time of Day to Apply 24 Hour Format M all day Log Log Packet Detail Information Alert Send Alert Message to Administrator When Matched Source Address List Destination Address List Available Services Selected Services Staro houjO minute End o houro minute Apply Cancel P 660HW Tx v3 Series User s Guide Chapter 10 Firewalls The following table describes the labels in this screen Table 54 Security gt Firewall gt Rules Edit Matched Packet LABEL DESCRIPTION Edit Rule Active Select this option to enable this firewall rule Action for Use the drop down list box to select whether to discard Drop deny and send an ICMP destination unreachable message to the sender of Reject or allow the passage of Permit packets that match this rule Source Destination Address Address Type Do you want your rule to apply to packets with a particular single IP a range of IP addresses for instance 192 168 1 10 to 192 169 1 50 a subnet or any IP address Select an option from the drop down list box that includes Single Address Range Address Subnet Address and Any Address Start IP Address
26. Edit Custornized Services Schedule Day to Apply M Everyday ML rcd 3e Click Apply 4 6 4 Testing the DDNS Setting Now you should be able to access the ZyXEL Device from the Internet To test this 1 Open a web browser on the computer using the IP address a b c d that is connected to the Internet 2 Type http zyxelrouter dyndns org and press Enter P 660HW Tx v3 Series User s Guide Chapter 4 Tutorials 3 The ZyXEL Device s login page should appear You can then log into the ZyXEL Device and manage it 4 7 Configuring Static Route for Routing to Another Network In order to extend your Intranet and control traffic flowing directions you may connect a router to the ZyXEL Device s LAN The router may be used to separate two department networks This tutorial shows how to configure a static routing rule for two network routings In the following figure router R is connected to the ZyXEL Device s LAN R connects to two networks N1 192 168 1 x 24 and N2 192 168 10 x 24 If you want to send traffic from computer A in N1 network to computer B in N2 network the traffic is sent to the ZyXEL Device s WAN default gateway by default In this case B will never receive the traffic P 660HW Tx v3 Series User s Guide Chapter 4 Tutorials You need to specify a static routing rule on the ZyXEL Device to specify R as the router in charge of forwarding traffic to N2 In this case the
27. Ethernet p P as i o o N Channel A channel is the radio frequency ies used by wireless devices to transmit and receive data Channels available depend on your geographical area You may have a choice of channels for your region so you should use a channel different from an adjacent AP access point to reduce interference Interference occurs when radio signals from different access points overlap causing interference and degrading performance Adjacent channels partially overlap however To avoid interference due to overlap your AP should be on a channel at least five channels away from a channel that an adjacent AP is using For example if your region has 11 channels and an adjacent AP is using channel 1 then you need to select a channel between 6 or 11 RTS CTS A hidden node occurs when two stations are within range of the same access point but are not within range of each other The following figure illustrates a hidden node Both stations STA are within range of the access point AP or P 660HW Tx v3 Series User s Guide 397 Appendix D Wireless LANs wireless gateway but out of range of each other so they cannot hear each other that is they do not know if the channel is currently being used Therefore they are considered hidden from each other Figure 193 RTS CTS RTS Range Wireless AP Muni m Station m AP Data zs Y Stations cannot 2 ACK ZU m ME ensi A _ gt hear
28. Figure 45 Any IP Example 192 168 1 1 The Any IP feature does not apply to a computer using either a dynamic IP address or a static IP address that is in the same subnet as the ZyXEL Device s IP address Note You must enable NAT SUA to use the Any IP feature on the ZyXEL Device How Any IP Works Address Resolution Protocol ARP is a protocol for mapping an Internet Protocol address IP address to a physical machine address also known as a Media Access Control or MAC address on the local area network IP routing table is defined on IP Ethernet devices the ZyXEL Device to decide which hop to use to help forward data along to its specified destination The following lists out the steps taken when a computer tries to access the Internet for the first time through the ZyXEL Device When a computer which is in a different subnet first attempts to access the Internet it sends packets to its default gateway which is not the ZyXEL Device by looking at the MAC address in its ARP table When the computer cannot locate the default gateway an ARP request is broadcast on the LAN The ZyXEL Device receives the ARP request and replies to the computer with its own MAC address P 660HW Tx v3 Series User s Guide Chapter 7 LAN Setup 4 The computer updates the MAC address for the default gateway to the ARP table Once the ARP table is updated the computer is able to access the Internet through the ZyXEL Device 5 When
29. If you select OFF traffic which does not match a class is mapped to queue two Apply Click this to save your changes Cancel Click this to restore your previously saved settings 16 3 The Class Setup Screen Use this screen to add edit or delete classifiers A classifier groups traffic into data flows according to specific criteria such as the source address destination address source port number destination port number or incoming interface For example you can configure a classifier to select traffic from the same protocol port such as Telnet to form a flow Click Advanced gt QoS gt Class Setup to open the following screen Figure 113 Advanced QoS Class Setup Class Setup Class Setup Create anew Class Add CAECCA UM mmn 75808 c i 8 IV Default From LAN 2 Match any packets g 2 v exi From LAN 4 Source Address 192 168 1 99 24 g u 3 rz test From LAN 5 Service SP v S ft 4 Iv test From WLAN 3 Match any packets BW Apply Cancel P 660HW Tx v3 Series User s Guide Chapter 16 Quality of Service QoS The following table describes the labels in this screen Table 75 Advanced gt QoS gt Class Setup LABEL DESCRIPTION Create a new Class Click this to create a new classifier No This is the number of each classifier The ordering of the classifiers is important as the classifiers are applied in turn Active Sele
30. P 660HW Tx v3 Series User s Guide 357 Appendix A Setting up Your Computer s IP Address Click OK when finished Figure 153 Windows XP Advanced TCP IP Properties Advanced TCP IP Settings IP Settings DNS WINS Options IP addresses IP address Subnet mask DHCP Enabled Default gateways Gateway Metric Automatic metric 7 Inthe Internet Protocol TCP IP Properties window the General tab in Windows XP Click Obtain DNS server address automatically if you do not know your DNS server IP address es f you know your DNS server IP address es click Use the following DNS server addresses and type them in the Preferred DNS server and Alternate DNS server fields P 660HW Tx v3 Series User s Guide Appendix A Setting up Your Computer s IP Address If you have previously configured DNS servers click Advanced and then the DNS tab to order them Figure 154 Windows XP Internet Protocol TCP IP Properties Internet Protocol TCP IP Properties General Alternate Configuration You can get IP settings assigned automatically if your network supports this capability Otherwise you need to ask your network administrator for the appropriate IP settings Obtain an IP address automatically Use the following IP address Obtain DNS server address automatically Use the following DNS server addresses 8 Click OK to close the Internet Protocol TCP IP Properties
31. Rules Firewall Rules Storage Space in Use 195 od 10095 Packet Direction WAN to WAN Router z Create a new rule after rule number 1 Add FS ee ST LEE gt BOOTP_CLIENT UDP 68 v Permit No No B DN Apply Cancel The Edit Rule screen opens Configure the screen using the following settings 3a Select Active 3b Select Permit for matched packets P 660HW Tx v3 Series User s Guide Chapter 4 Tutorials 3c In the Source Address section select Single Address and enter the IP address of the computer that you allow to access the ZyXEL Device from the Internet Click Add Select Any in the Source Address List and click Delete Note If the computer gets a different IP address this firewall rule will not work 3d In the Service section select HTTP TCP 80 in the Available Services field and click Add Select Any UDP and Any TCP and click Remove one by one to not include them Edit Rule 2 IV Active Action for Matched Packets Permit a b C d Source Address Source Address List Address Type Single Address 7 Start IP Address End IP Address Subnet Mask fo 1 0 Destination Address Address Type Any Address z Start IP loso qm Address Add gt gt End IP boso ENS Address LEdites Subnet Mask fo 1 0 6 Delete Service Available Services elected e Any AID p raean D Peo Any ICMP j AIMINEW ICQ TCP 5190 AUTH TCP 113 BGP TCP 178 zl
32. Select Mark to replace the 802 1 priority field and VLAN ID with the value you set in the fields below Select Add to treat all matched traffic untagged and add a second priority queue tag and VLAN Ethernet Select a priority level between 0 and 7 from the drop down list box Priority VLAN ID Specify a VLAN ID number between 2 and 4094 Filter Use the following fields to configure the criteria for traffic Configuration classification Source Address Select the check box and enter the source IP address in dotted decimal notation A blank source IP address means any source IP address Subnet Enter the source subnet mask Refer to the appendix for more Netmask information on IP subnetting Port Select the check box and enter the port number of the source 0 means any source port number See Appendix E on page 411 for some common services and port numbers MAC Select the check box and enter the source MAC address of the packet MAC Mask Type the mask for the specified MAC address to determine which bits a packet s MAC address should match Enter f for each bit of the specified source MAC address that the traffic s MAC address should match Enter 0 for the bit s of the matched traffic s MAC address which can be of any hexadecimal character s For example if you set the MAC address to 00 13 49 00 00 00 and the mask to ff ff ff 00 00 00 a packet with a MAC address of 00 13 49 12 34 56 matches this criteria Exclude Select this o
33. The following table describes the labels in this screen Table 41 Network Wireless LAN QoS LABEL DESCRIPTION Enable Select this box to activate wireless LAN scheduling on your ZyXEL Wireless LAN Device Scheduling WLAN status Select On or Off to enable or disable the wireless LAN Day Check the day s you want to turn the wireless LAN on or off The following Specify a time frame during which the schedule would apply sss For example if you set the time range from 12 00 to 23 00 the wireless LAN will be turned on only during this time period Apply Click this to save your changes Reset Click this to restore your previously saved settings P 660HW Tx v3 Series User s Guide 155 Chapter 8 Wireless LAN 8 8 Wireless LAN Technical Reference This section discusses wireless LANs in depth For more information see the appendix 8 8 1 Wireless Network Overview Wireless networks consist of wireless clients access points and bridges A wireless client is a radio connected to a user s computer An access point is a radio with a wired connection to a network which can connect with numerous wireless clients and let them access the network A bridge is a radio that relays communications between access points and wireless clients extending a network s range Traditionally a wireless network operates in one of two ways An infrastructure type of network has one or more access points and one or mor
34. The following table lists some commonly used services and their associated protocols and port numbers Name This is a short descriptive name for the service You can use this one or create a different one if you like Protocol This is the type of IP protocol used by the service If this is TCP UDP then the service uses the same port number with TCP and UDP If this is USER DEFI NED the Port s is the IP protocol number not the port number Port s This value depends on the Protocol f the Protocol is TCP UDP or TCP UDP this is the IP port number f the Protocol is USER this is the IP protocol number Description This is a brief explanation of the applications that use this service or the situations in which this service is used P 660HW Tx v3 Series User s Guide Appendix E Services Table 135 Examples of Services NAME PROTOCOL PORT S DESCRIPTION AH User Defined 51 The IPSEC AH Authentication Header IPSEC_TUNNEL tunneling protocol uses this service AIM TCP 5190 AOL s Internet Messenger service AUTH TCP 113 Authentication protocol used by some servers BGP TCP 179 Border Gateway Protocol BOOTP CLIENT UDP 68 DHCP Client BOOTP SERVER UDP 67 DHCP Server CU SEEME TCP UDP 7648 A popular videoconferencing solution from White Pines Software TCP UDP 24032 DNS TCP UDP 53 Domain Name Server a service that ma
35. This is the index number of the rules in a filter set Active Use the check box to turn on or off a filter rule Filter Type This field displays whether the filter type is a protocol filter or generic filter Offset This field displays the offset value Length This field displays the length value Mask This field displays the mask value Value This field displays the value Modify Click the Edit icon to configure a filter rule Click the Remove icon to delete a filter rule Back Click this to return to the previous screen without saving Apply Click this to save your changes Cancel Click this to restore your previously saved settings P 660HW Tx v3 Series User s Guide Chapter 12 Packet Filter 12 2 4 Configuring Generic Packet Rules Use this screen to configure generic filter rules In the Edit Generic Filter screen click the Edit button from the Modify field to display the following screen Figure 94 Security gt Packet Filter gt Edit Generic Filter gt Edit Rule Edit Rule Active C Offset fo Length l Mask Value ai More No Log None Action Match Check Next Rule Action Not Match check Next Rule Back Apply Cancel The following table describes the labels in this screen Table 65 Security gt Packet Filter gt Edit Generic Filter gt Edit Rule LABEL DESCRIPTION Active Select the check box to enable the filter rule
36. What security options do the other wireless devices in your network support WPA PSK for example What is the strongest security option supported by all the devices in your network Do the other wireless devices in your network support WPS Wi Fi Protected Setup If so you can set up a well secured network very easily Even if some of your devices support WPS and some do not you can use WPS to set up your network and then add the non WPS devices manually although this is somewhat more complicated to do What advanced options do you want to configure if any If you want to configure advanced options such as Quality of Service ensure that you know precisely what you want to do If you do not want to configure advanced options leave them as they are 8 2 The AP Screen Use this screen to configure the wireless settings of your ZyXEL Device Click Network Wireless LAN to open the AP screen Figure 46 Network Wireless LAN AP Wireless Setup Active Wireless LAN Q Auto Scan Channel 9 Channel Selection Channel 06 2437MHz Common Setup Network Name SSID ZyXELO1 Hide ssiD Security Mode No Security a MAC Filter Deny Association QoS None None m P 660HW Tx v3 Series User s Guide Chapter 8 Wireless LAN The following table describes the labels in this screen Table 29 Network Wireless LAN AP LABEL DESCRIPTION Wireless Setup Active Click
37. dynamic IP address P 660HW Tx v3 Series User s Guide EJ Chapter 2 Introducing the Web Configurator Table 3 Navigation Panel Summary LINK TAB FUNCTION Remote WWW Use this screen to configure through which interface s and from MGMT which IP address es users can use HTTP to manage the ZyXEL Device Telnet Use this screen to configure through which interface s and from which IP address es users can use Telnet to manage the ZyXEL Device FTP Use this screen to configure through which interface s and from which IP address es users can use FTP to access the ZyXEL Device DNS Use this screen to configure through which interface s and from which IP address es users can send DNS queries to the ZyXEL Device ICMP Use this screen to set whether or not your device will respond to pings and probes for services that you have not made available UPnP General Use this screen to turn UPnP on or off Maintenance System General Use this screen to configure your device s name domain name management inactivity timeout and password Time Setting Use this screen to change your ZyXEL Device s time and date Logs View Log Use this screen to display your device s logs Log Settings Use this screen to select which logs and or immediate alerts your device is to record You can also set it to e mail the logs to you Tools Firmware Use this screen to upload firmware to your device Conf
38. g m 6 g ou Back Apply Cancel The following table describes the labels in this screen Table 62 Security gt Packet Filter gt Edit Protocol Filter LABEL DESCRIPTION This is the index number of the rules in a filter set Active Use the check box to turn a filter rule on or off Filter Type This field displays whether the filter type is a protocol filter or generic filter Protocol This field displays the upper layer protocol SA This field displays the source IP address DA This field displays the destination IP address Modify Click the Edit icon to configure a filter rule Click the Remove icon to delete a filter rule Back Click this to return to the previous screen without saving Apply Click this to save your changes Cancel Click this to restore your previously saved settings P 660HW Tx v3 Series User s Guide 221 Chapter 12 Packet Filter 12 2 2 Configuring Protocol Filter Rules Use this screen to configure protocol filter rules In the Edit Protocol Filter screen click an Edit icon to display the following screen Figure 92 Security gt Packet Filter gt Edit Protocol Filter gt Edit Rule Edit Rule Active 7 Protocol icp IP Source Route E Destination Address 0 0 0 0 Destination Subnet 0 0 0 0 Netmask Destination Port o Port Compare None Source Address 0 0 0 0 Source Subnet noon Netmask 3 0 0 0 Source Port o Port Compare None TCP Estab N A w
39. 00 v hour 00 v min off on O sat 00 v hour 00 iv min 00 v hour 00 M min off on O sun 00 iv hour 00 iv min 00 v hour 00 v min q Note P 660HW Tx v3 Series User s Guide Chapter 4 Tutorials 2 Configure the screen as follows Turn on the wireless network from Mondays to Fridays between 18 00 and 23 30 Turn on the wireless network all day on Saturdays and Sundays Click Apply Wireless LAN Scheduling V Enable wireless LAN Scheduling Sa Ths following nes 24 Hour Format off O on C Everyday o0 w hour oo v min o0 v hour oo v min off on Mon 18 v hour oo v min 23 w hour 30 v min off on Tue 18 v hour oo v min 23 v hour 30 v min O off on Wed 18 v hour 00 v min 23 v hour 20 v min O off on Thu 18 m hour 00 v min 23 v hour 20 v min Oof on Mri 18 v hour 00 v min 23 v hour 20 v min OOo Msat 00 v hour 00 v min 00 v hour 00 v min O oft 9 on v sun o0 w hour oo v min o0 v hour oo v min d oe Specify the same begin time and end time means the whole day schedule Goch e P 660HW Tx v3 Series User s Guide st Chapter 4 Tutorials 4 3 Setting Up Multiple Wireless Groups Company A wants to create different wireless network groups fo
40. 3600 In Seconds Group Key Update Timer Authentication Server IP Address Port Number Shared Secret Accounting Server optional IP Address Port Number Shared Secret 1800 In Seconds 0 0 0 0 1813 P 660HW Tx v3 Series User s Guide Chapter 8 Wireless LAN The following table describes the wireless LAN security labels in this screen Table 33 Network Wireless LAN AP WPA 2 LABEL DESCRIPTION Security Mode Choose WPA or WPA2 from the drop down list box WPA Compatible This check box is available only when you select WPA2 PSK or WPA2 in the Security Mode field Select the check box to have both WPA PSK and WPA wireless clients be able to communicate with the ZyXEL Device even when the ZyXEL Device is using WPA2 PSK or WPA2 ReAuthentication Timer Specify how often wireless stations have to resend usernames and passwords in order to stay connected Enter a time interval between 10 and 9999 seconds The default time interval is 1800 seconds 30 minutes Note If wireless station authentication is done using a RADIUS server the reauthentication timer on the RADIUS server has priority Idle Timeout The ZyXEL Device automatically disconnects a wireless station from the wired network after a period of inactivity The wireless station needs to enter the username and password again before access to the wired network is allowed The default time interval is 3
41. Apply Cancel P 660HW Tx v3 Series User s Guide Chapter 7 LAN Setup The following table describes the labels in this screen Table 25 Network gt LAN gt IP Advanced Setup LABEL DESCRIPTION RIP amp Multicast Setup RIP Direction Select the RIP direction from None Both In Only and Out Only RIP Version Select the RIP version from RI P 1 RI P 2B and RI P 2M Multicast IGMP Internet Group Multicast Protocol is a network layer protocol used to establish membership in a multicast group The ZyXEL Device supports I GMP v1 I GMP v2 and I GMP v3 Select None to disable it Any IP Setup Select the Active check box to enable the Any IP feature This allows a computer to access the Internet via the ZyXEL Device without changing the network settings such as IP address and subnet mask of the computer even when the IP addresses of the computer and the ZyXEL Device are not in the same subnet When you disable the Any IP feature only computers with dynamic IP addresses or static IP addresses in the same subnet as the ZyXEL Device s LAN IP address can connect to the ZyXEL Device or access the Internet through the ZyXEL Device Note You must enable NAT SUA in the NAT screen to use the Any IP feature on the ZyXEL Device Windows Networking NetBIOS over TCP IP NetBIOS Network Basic Input Output System are TCP or UDP packets that enable a computer to connect to and commu
42. CMP ATM QoS IP Multicasting IGMP v1 v2 and v3 IGMP Proxy 802 1Q 1P Management Embedded Web Configurator CLI Command Line Interpreter Embedded FTP TFTP Server for firmware upgrade and configuration file backup and restore Telnet for remote management Remote Management Control Telnet FTP Web and DNS Remote Firmware Upgrade Syslog TR 069 F4 F5 OAM P 660HW Tx v3 Series User s Guide Chapter 25 Product Specifications 25 3 Wireless Features Table 117 Wireless Features External Antenna The ZyXEL Device is equipped with one fixed antenna to provide a clear radio signal between the wireless stations and the access points Wireless LAN MAC Address Your device can check the MAC addresses of wireless stations Filtering against a list of allowed or denied MAC addresses WEP Encryption WEP Wired Equivalent Privacy encrypts data frames before transmitting over the wireless network to help keep network communications private Wi Fi Protected Access Wi Fi Protected Access WPA is a subset of the IEEE 802 11i security standard Key differences between WPA and WEP are user authentication and improved data encryption WPA2 WPA 2 is a wireless security standard that defines stronger encryption authentication and key management than WPA WMM QoS WMM Wi Fi MultiMedia QoS Quality of Service allows you to prioritize wireless traffic according to the delivery requirements o
43. However you must run Windows XP to use it WPA 2 with RADIUS Application Example To set up WPA 2 you need the IP address of the RADIUS server its port number default is 1812 and the RADIUS shared secret A WPA 2 application example with an external RADIUS server looks as follows A is the RADIUS server DS is the distribution system The AP passes the wireless client s authentication request to the RADIUS server The RADIUS server then checks the user s identification against its database and grants or denies network access accordingly A 256 bit Pairwise Master Key PMK is derived from the authentication process by the RADIUS server and the client P 660HW Tx v3 Series User s Guide Appendix D Wireless LANs 4 The RADIUS server distributes the PMK to the AP The AP then sets up a key hierarchy and management system using the PMK to dynamically generate unique data encryption keys The keys are used to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients Figure 194 WPA 2 with RADIUS Application Example WPA 2 PSK Application Example A WPA 2 PSK application looks as follows 1 First enter identical passwords into the AP and all wireless clients The Pre Shared Key PSK must consist of between 8 and 63 ASCII characters or 64 hexadecimal characters including spaces and symbols 2 The AP checks each wireless client s password and allows it to join the netwo
44. MAC MAC Mask Destination Address fo 0 0 0 Subnet Netmask 0 0 0 0 Port fo fo MAC MAC Mask Others Service FTP Protocol TCP M o F Exclude Packet Length o o Exclude D pscp o 0063 Exclude Ethernet Priority 0 5E z F Exclude VLAN ID 2 2 4094 Exclude Physical Port fi z Exclude Remote Node Exclude Apply Subnet Netmask 255 255 255 0 Exclude Exclude Exclude EN H Exclude Cancel P 660HW Tx v3 Series User s Guide 257 Chapter 16 Quality of Service QoS 16 2 The QoS General Screen Use this screen to enable or disable QoS and have the ZyXEL Device automatically assign priority to traffic according to the IEEE 802 1p priority level IP precedence and or packet length Click Advanced QoS to open the screen as shown next Figure 112 Advanced gt QoS gt General General Active Qos WAN Managed Bandwidth 1000 kbps Traffic priority will be automatically assigned by 1 Ethernet Priority OFF 2 IP Precedence OFF 3 Packet Length OFF Apply Cancel The following table describes the labels in this screen Table 74 Advanced gt QoS gt General LABEL DESCRIPTION Active QoS Select the check box to turn on QoS to improve your network performance You can give priority to traffic that the ZyXEL Device forwards out through the WAN interface Give high priority to voi
45. Offset Enter the starting byte of the data portion in the packet that you wish to compare The range for this field is from 0 to 255 Length Enter the byte count of the data portion in the packet that you wish to compare The range for this field is O to 8 Mask Enter the mask in hexadecimal notation to apply to the data portion before comparison Value Enter the value in hexadecimal notation to compare with the data portion More Select Yes to pass a matching packet to the next filter rule before an action is taken Select No to act upon the packet according to the action fields P 660HW Tx v3 Series User s Guide 225 Chapter 12 Packet Filter Table 65 Security gt Packet Filter gt Edit Generic Filter gt Edit Rule continued LABEL DESCRIPTION Log Select a logging option from the following None No packets will be logged Match Only packets that match the rule parameters will be logged Not Match Only packets that do not match the rule parameters will be logged Both All packets will be logged Action Match Select the action for a matching packet Options are Check Next Rule Forward and Drop Action Not Match Select the action for a packet not matching the rule Options are Check Next Rule Forward and Drop Back Click this to return to the previous screen without saving Apply Click this to save your changes Cancel Click this to restore your previously s
46. PART IV Security Firewalls 189 Content Filtering 211 Packet Filter 219 Certificates 229 187 188 Firewalls 10 1 Overview 10 1 1 This chapter shows you how to enable and configure the ZyXEL Device firewall Use these screens to enable and configure the firewall that protects your ZyXEL Device and network from attacks by hackers on the Internet and control access to it By default the firewall allows traffic that originates from your LAN computers to go to all other networks blocks traffic that originates on other networks from going to the LAN The following figure illustrates the default firewall action User A can initiate an IM Instant Messaging session from the LAN to the WAN 1 Return traffic for this session is also allowed 2 However other traffic initiated from the WAN is blocked 3 and 4 Figure 76 Default Firewall Action LAN WAN INTERNEJ What You Can Do in the Firewall Screens Use the General screen Section 10 2 on page 194 to enable firewall and or triangle route on the ZyXEL Device and set the default action that the firewall takes on packets that do not match any of the firewall rules Use the Rules screen Section 10 3 on page 196 to view the configured firewall P 660HW Tx v3 Series User s Guide rules and add edit or remove a firewall rule Chapter 10 Firewalls Usethe Threshold screen Section 10 4 on page 202 to set the thresholds that
47. Sending Log logs Time for Enter the time of the day in 24 hour format for example 23 00 equals Sending Log 11 00 pm to send the logs Clear log after Select the checkbox to delete all the logs after the ZyXEL Device sends an sending mail E mail of the logs Syslog The ZyXEL Device sends a log to an external syslog server Logging Active Click Active to enable syslog logging Syslog IP Enter the server name or IP address of the syslog server that will log the Address selected categories of logs Log Facility Select a location from the drop down list box The log facility allows you to log the messages to different files in the syslog server Refer to the syslog server manual for more information Active Log and Alert Log Select the categories of logs that you want to record P 660HW Tx v3 Series User s Guide Chapter 21 Logs Table 90 Maintenance gt Logs gt Log Settings LABEL DESCRIPTION Send Select log categories for which you want the ZyXEL Device to send E mail Immediate alerts immediately Alert Apply Click this to save your customized settings and exit this screen Cancel Click this to restore your previously saved settings 21 4 SMTP Error Messages If there are difficulties in sending e mail the following error message appears SMTP action request failed ret The are described in the following table Table 91 SMTP Error M
48. Tuesday Wednesday Thursday Friday Saturday Sunday E o ho min o ndo min r1 0 ndo min 0 bro min r o ho min o ho min O o hdo min 0 hio min 0 hdo min fo hdo min O o hdo min o hdo min L o ndo min 0 hdo min Apply Cancel P 660HW Tx v3 Series User s Guide Chapter 11 Content Filtering The following table describes the labels in this screen Table 59 Security gt Content Filter Schedule LABEL DESCRIPTION Schedule Select Block Everyday to make the content filtering active everyday Otherwise select Edit Daily to Block and configure which days of the week or everyday and which time of the day you want the content filtering to be active Active Select the check box to have the content filtering to be active on the selected day Start Tl me Enter the time when you want the content filtering to take effect in hour minute format End Time Enter the time when you want the content filtering to stop in hour minute format Apply Click this to save your changes Cancel Click this to restore your previously saved settings 11 4 The Trusted Screen Use this screen to exclude a range of users on the LAN from content filtering on your ZyXEL Device Click Security gt Content Filter gt Trusted The screen appears as shown Figure 89 Security gt Content Filter Trusted Trusted User IP Range Start IP Address 0 0 0 0 End IP Address 0 0 0
49. Use the IP Alias screen Section 7 5 on page 127 to change your ZyXEL Device s IP alias settings P 660HW Tx v3 Series User s Guide Chapter 7 LAN Setup 7 1 2 What You Need To Know About LAN IP Address IP addresses identify individual devices on a network Every networking device including computers servers routers printers etc needs an IP address to communicate across the network These networking devices are also known as hosts Subnet Mask Subnet masks determine the maximum number of possible hosts on a network You can also use subnet masks to divide one network into multiple sub networks DHCP A DHCP Dynamic Host Configuration Protocol server can assign your ZyXEL Device an IP address subnet mask DNS and other routing information when it s turned on RIP RIP Routing Information Protocol allows a router to exchange routing information with other routers Multicast Traditionally IP packets are transmitted in one of either two ways Unicast 1 sender 1 recipient or Broadcast 1 sender everybody on the network Multicast delivers IP packets to a group of hosts on the network not everybody and not just 1 IGMP IGMP Internet Group Multicast Protocol is a network layer protocol used to establish membership in a Multicast group it is not used to carry user data There are three versions of IGMP IGMP version 2 and 3 are improvements over version 1 but IGMP version 1 is still in wide us
50. hh mm ss When you set Time and Date Setup to Manual enter the new time in this field and then click Apply New Date This field displays the last updated date from the time server or the last date configured manually yyyy mm dd When you set Time and Date Setup to Manual enter the new date in this field and then click Apply Get from Time Server Select this radio button to have the ZyXEL Device get the time and date from the time server you specified below Time Protocol Select the time service protocol that your time server sends when you turn on the ZyXEL Device Not all time servers support all protocols so you may have to check with your ISP network administrator or use trial and error to find a protocol that works The main difference between them is the format Daytime RFC 867 format is day month year time zone of the server Time RFC 868 format displays a 4 byte integer giving the total number of seconds since 1970 1 1 at 0 0 0 The default NTP RFC 1305 is similar to Time RFC 868 Time Server Address Enter the IP address or URL up to 20 extended ASCII characters in length of your time server Check with your ISP network administrator if you are unsure of this information Time Zone Setup Time Zone Choose the time zone of your location This will set the time difference between your time zone and Greenwich Mean Time GMT Daylight Daylight saving is a period from late s
51. the router blocked access to a web site that the user requested Table 95 TCP Reset Logs LOG MESSAGE DESCRIPTION Under SYN flood attack sent TCP RST The router sent a TCP reset packet when a host was under a SYN flood attack the TCP incomplete count is per destination host Exceed TCP MAX incomplete sent TCP RST The router sent a TCP reset packet when the number of TCP incomplete connections exceeded the user configured threshold the TCP incomplete count is per destination host Note Refer to TCP Maximum Incomplete in the Firewall Attack Alerts screen Peer TCP state out of order sent TCP RST The router sent a TCP reset packet when a TCP connection state was out of order Note The firewall refers to RFC793 Figure 6 to check the TCP state Firewall session time out sent TCP RST The router sent a TCP reset packet when a dynamic firewall session timed out Default timeout values ICMP idle timeout s 60UDP idle timeout s 60TCP connection three way handshaking timeout s 30TCP FI N wait timeout s 60TCP idle established timeout s 3600 P 660HW Tx v3 Series User s Guide Chapter 21 Logs Table 95 TCP Reset Logs continued LOG MESSAGE DESCRIPTION Exceed MAX incomplete sent TCP RST The router sent a TCP reset packet when the number of incomplete connections TCP and UDP exceeded the user configured threshold Incomplete count i
52. x ak DRRR BEF A S BOT LZ STRE E Zi E TSHR E E T BE e RE Appendix F Legal Information ARDIEN FES ER ER SE MET BERBER PSE PILI WD FEMI aes 2H E HT Notices Changes or modifications not expressly approved by the party responsible for compliance could void the user s authority to operate the equipment This device has been designed for the WLAN 2 4 GHz network throughout the EC region and Switzerland with restrictions in France Ce produit est concu pour les bandes de fr quences 2 4 GHz et ou 5 GHz conform ment la l gislation Europ enne En France m tropolitaine suivant les d cisions n 03 908 et 03 909 de l ARCEP la puissance d mission ne devra pas d passer 10 mW 10 dB dans le cadre d une installation WiFi en ext rieur pour les fr quences comprises entre 2454 MHz et 2483 5 MHz This Class B digital apparatus complies with Canadian I CES 003 Cet appareil num rique de la classe B est conforme la norme NMB 003 du Canada Viewing Certifications 1 Goto http www zyxel com 2 Select your product on the ZyXEL home page to go to that product s page 3 Select the certification you wish to view from this page ZyXEL Limited Warranty ZyXEL warrants to the original end user purchaser that this product is free from any defects in materials or workmanship for a period of up
53. 00 00 02 Use this screen to change your ZyXEL Device s static DHCP settings Click Network gt LAN gt Client List to open the following screen Figure 41 Network LAN Client List DHCP Client Table e 2 3 e IP Address fisz 168 1 66 CS E RN ER REN Client List MAC Address AA BB CC EE EE EE Add IBM1 192 168 1 33 11 22 33 44 55 66 192 168 1 34 AA BB CC DD EE FF iv HP 192 168 1 99 AA BB CC KK FF GG Apply Cancel Refresh The following table describes the labels in this screen Table 27 Network gt LAN gt Client List LABEL DESCRIPTION IP Address Enter the IP address that you want to assign to the computer on your LAN with the MAC address that you will also specify MAC Address Enter the MAC address of a computer on your LAN Add Click this to add a static DHCP entry This is the index number of the static IP table entry row Status This field displays whether the client is connected to the ZyXEL Device Host Name This field displays the computer host name IP Address This field displays the IP address relative to the field listed above MAC Address The MAC Media Access Control or Ethernet address on a LAN Local Area Network is unique to your computer six pairs of hexadecimal notation A network interface card such as an Ethernet adapter has a hardwired address that is assigned at the factory This address follows an i
54. 105 112 117 VBR RT 105 112 117 VCI 102 109 114 Virtual Channel Identifier see VCI Virtual Local Area Network see VLAN Virtual Path Identifier see VPI VLAN 243 802 1P priority 243 252 activation 249 example 245 group settings 250 management group 249 port settings 252 PVC 244 PVID 252 tagging frames 244 251 VPI 102 109 114 W WAN 99 ATM QoS 105 112 117 DNS 103 encapsulation 99 102 109 IGMP 100 IP address 100 103 109 115 mode 102 109 modulation 102 MTU 105 112 multicast 100 105 111 multiplexing 102 109 114 nailed up connection 103 110 115 NAT 110 packet filter 105 112 RIP 104 111 setup 101 status 36 traffic shaping 116 example 116 VCI 102 109 114 VPI 102 109 114 warranty 417 note 418 WDS 153 163 compatibility 153 example 163 web configurator 23 29 login 29 passwords 29 30 WEP 142 161 key 142 Wide Area Network see WAN Wi Fi Protected Access 404 WiFi Protected Setup see WPS wireless client WPA supplicants 406 Wireless Distribution System see WDS wireless LAN 137 156 activation 140 authentication 158 160 BSS 161 example 162 channel 157 configuration 139 encryption 140 160 example 156 fragmentation threshold 146 158 P 660HW Tx v3 Series User s Guide Index limitations 161 MAC address filter 138 140 147 148 159 MBSSID 162 preamble 146 158 RADIUS server 160 RTS CTS threshold 146 158 scheduling 155 security 158 SSID 138 140 150 159 activati
55. 123 Back Apply Cancel Delete 7 Select Any in the Destination Address List box and then click Delete 8 Configure the destination address screen as follows and click Add Edit Rule 1 Active Action for Matched Packets Permit iv Source Address Source Address List Address Type Any Address M Start IP A Any Address g End IP Address Subnet Mask Destination Address Destination Address List Address Type Range Address Start IP A Start IP 10 0 0 10 End IP PEE 10 0 0 15 Subnet Mask 192 P 660HW Tx v3 Series User s Guide Chapter 10 Firewalls 9 Usethe Add gt gt and Remove buttons between Available Services and Selected Services list boxes to configure it as follows Click Apply when you are done Note Custom services show up with an before their names in the Services list box and the Rules list box Edit Rule 1 Active Action for Matched Packets Permit Source Address Source Address List Address Type Any Address peso id End IP Address Subnet Mask Destination Address s Destination Address List Address Type Range Address M Start IP s 10 0 0 10 10 0 0 15 Adress 10 0 0 10 Add 2 End IP S pilos 10 0 0 15 Subnet Mask Service Available Services Selected Services Any All MyService TCP UDP 123 Any ICMP si AIM NEW ICQ TCP 5190 AUTH TCP 113 BGP TCP 179 Edit Cu
56. 192 168 2 1 192 168 2 24 Interface C 192 168 3 1 192 168 3 24 P 660HW Tx v3 Series User s Guide 1 27 Chapter 7 LAN Setup 7 5 1 Configuring the LAN IP Alias Screen Use this screen to change your ZyXEL Device s IP alias settings Click Network gt LAN gt IP Alias to open the following screen Figure 43 Network LAN IP Alias IP Alias 1 IP Alias 1 IP Address RIP Direction RIP Version IP Alias 2 TIP Alias 2 IP Address RIP Direction RIP Version IP Subnet Mask 0 0 0 0 IP Subnet Mask 0 0 0 0 0 0 0 0 None 7 nia z Cancel The following table describes the labels in this screen Table 28 Network gt LAN gt IP Alias LABEL DESCRIPTION IP Alias 1 2 Select the check box to configure another LAN network for the ZyXEL Device IP Address Enter the IP address of your ZyXEL Device in dotted decimal notation Alternatively click the right mouse button to copy and or paste the IP address IP Subnet Mask Your ZyXEL Device will automatically calculate the subnet mask based on the IP address that you assign Unless you are implementing subnetting use the subnet mask computed by the ZyXEL Device RIP Direction RIP Routing Information Protocol RFC 1058 and RFC 1389 allows a router to exchange routing information with other routers The RIP Direction field controls the sending and receiving of RIP packets Select the RIP direction from Both
57. 2 Click Network gt Wireless LAN to open the AP screen Click the Edit button in the MAC Filter field EM More AP WPS WPS Station WDS Scheduling Wireless Setup Active Wireless LAN Auto Scan Channel 9 Channel Selection Channel 01 2412MHz v Common Setup Network Name SSID Example Chide ssib Security Mode WPA PSK Iv Pre Shared Key DoNotStealMyWirelessNetwork ReAuthentication Timer 1800 In Seconds Idle Timeout 3600 In Seconds Group Key Update Timer 1800 In Seconda MAC Filter Deny Associatio QoS None None v appv cancel Advanced Setup 3 Select Active MAC Filter and Deny Filter Action Enter the MAC address you found in the Client List screen Click Apply MAC Filter Active MAC Filter Filter Action Allow Deny 00 1E 52 C3 5C 18 00 00 00 00 00 00 2 00 00 00 00 00 00 4 00 00 00 00 00 00 6 8 poU SO 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7 on uU oU me 00 00 00 00 00 00 00 00 00 00 00 00 31 00 00 00 00 00 00 32 00 00 00 00 00 00 Josephine will no longer be able to access the Internet through the ZyXEL Device P 660HW Tx v3 Series User s Guide 57 Chapter 4 Tutorials 4 5 Setting Up NAT Port Forwarding Thomas recently received an Xbox 360 as his birthday gift His friends invited him to play online games with them on Xbox LIVE In order to communica
58. 4 10 1 Configuring Multiple PVCs and ATM QoS This section shows you how to configure two PVCs and specify a proper ATM QoS type for each PVC 1 Click Network gt WAN gt Internet Access Setup configure the settings you ISP want to provide to the subscriber for general data transmission This tutorial uses the following example settings Internet Access Setup Line Modulation Multi Mode Mode Routing Encapsulation PPPoE User Name PPPoEuser1 Password 1234 PVC LLC 0 35 Line Modulation Multi Mode x General Mode Encapsulation User Name Password Service Name Multiplexing Virtual Circuit ID IP Address Obtain an IP Address Automatically C static IP Address IP Address 0 0 0 0 DNS server First DNS Server Obtained From ISP 0 0 0 0 Second DNS Server Obtained From ISP yf 0 0 0 Third DNS Server Obtained From ISP 7 0 0 0 0 Connection C Nailed Up Connection Connect on Demand Max Idle Timeout 0 sec Cancel Advanced Setup Leave the other settings as their defaults and click Apply P 660HW Tx v3 Series User s Guide Chapter 4 Tutorials 2 Click the Advanced Setup button to display the following options Select UBR in the ATM QoS Type field RIP amp Multicast Setup RIP Direction Both x RIP Version RIP 4 7 Multicast None z ATM Qos ATM QoS Type uen 7 Peak Cell Rate 0 cell sec Sustain Cell Rate o cell sec Maximum Burst Size o cell PPPoE Passthro
59. 6 WAN Setup packet used within one network to a different IP address known within another network 6 5 Traffic Shaping Traffic Shaping is an agreement between the carrier and the subscriber to regulate the average rate and fluctuations of data transmission over an ATM network This agreement helps eliminate congestion which is important for transmission of real time data such as audio and video connections Peak Cell Rate PCR is the maximum rate at which the sender can send cells This parameter may be lower but not higher than the maximum line speed 1 ATM cell is 53 bytes 424 bits so a maximum speed of 832Kbps gives a maximum PCR of 1962 cells sec This rate is not guaranteed because it is dependent on the line speed Sustained Cell Rate SCR is the mean cell rate of each bursty traffic source It specifies the maximum average rate at which cells can be sent over the virtual connection SCR may not be greater than the PCR Maximum Burst Size MBS is the maximum number of cells that can be sent at the PCR After MBS is reached cell rates fall below SCR until cell rate averages to the SCR again At this time more cells up to the MBS can be sent at the PCR again If the PCR SCR or MBS is set to the default of 0 the system will assign a maximum value that correlates to your upstream line rate The following figure illustrates the relationship between PCR SCR and MBS Figure 37 Example of Traffic Shaping lt
60. 70 BJZ 0 b2 12 19 2008 CPU Usage i 38 62 DSL Firmware Version DMT FwVer 3 11 2 64 A TC Memory Usage 62 WAN Information DSL Mode Error IP Address 0 0 0 0 Interface Status IP Subnet Mask 0 0 0 0 Default Gateway 0 0 0 0 E veyvct 8 35 LAN Information DSL Down 0 kbps 0 kbps E IP Address 192 168 1 1 IP Subnet Mask 255 255 255 0 100M Full Duplex DHCP Server 54M WLAN Information SSID ZyXEL01 Channel 6 Security Disable Summary WPS Unconfigured Status On Client List AnyIP Table Security WLAN Status Packet Statistics Firewall Enabled Content Filter Disable P 660HW Tx v3 Series User s Guide Chapter 3 Status Screens Each field is described in the following table Table4 Status Screen LABEL DESCRIPTION Refresh Interval Select how often you want the ZyXEL Device to update this screen Apply Click this to update this screen immediately Device Information Host Name This field displays the ZyXEL Device system name It is used for identification You can change this in the Maintenance System General screen s System Name field Model This is the model name of your device Number MAC This is the MAC Media Access Control or Ethernet address unique to Address your ZyXEL Device ZyNOS This is the current version of the firmware inside the device It also Firmware shows
61. 8 3 1 SSID Normally the ZyXEL Device acts like a beacon and regularly broadcasts the SSID in the area You can hide the SSID instead in which case the ZyXEL Device does not broadcast the SSID In addition you should change the default SSID to something that is difficult to guess This type of security is fairly weak however because there are ways for unauthorized wireless devices to get the SSID In addition unauthorized wireless devices can still see the information that is sent in the wireless network 8 8 3 2 MAC Address Filter Every device that can use a wireless network has a unique identification number called a MAC address A MAC address is usually written using twelve hexadecimal characters for example 00A0C5000002 or 00 A0 C5 00 00 02 To get the MAC address for each device in the wireless network see the device s User s Guide or other documentation 1 Some wireless devices such as scanners can detect wireless networks but cannot use wireless networks These kinds of wireless devices might not have MAC addresses 2 Hexadecimal characters are 0 1 2 3 4 5 6 7 8 9 A B C D E and F P 660HW Tx v3 Series User s Guide Chapter 8 Wireless LAN You can use the MAC address filter to tell the ZyXEL Device which devices are allowed or not allowed to use the wireless network If a device is allowed to use the wireless network it still has to have the correct information SSID channel and security
62. Active Network Address Translation and SUA Only Click Apply NAT Setup Active Network Address Translation NAT 9 SUA Only Full Feature Max NAT Firewall Session Per User ut un N 3 Click Network gt NAT to open the General screen Enter the Xbox 360 s IP address in the Default Server field Click Apply Default Server Setup Default Server 192 168 1 34 Port Forwarding Service Name WWW Server IP Address 0 0 0 0 Add See cera ame er nese eee ary 4 5 2 Port Forwarding If the default server is already assigned to another server configure the ports for Xbox 360 1 Click Network gt NAT to open the General screen Select Active Network Address Translation and SUA Only Click Apply NAT Setup Active Network Address Translation NAT SUA Only O Full Feature Max NAT Firewall Session Per User 5 t N apply cancel P 660HW Tx v3 Series User s Guide Chapter 4 Tutorials 2 Click Network gt NAT gt Port Forwarding to open the following screen Select User define from the Service Name field Port Forwarding Service Name WAA WWW ERES FTP E mail SMTP E mail POP3 Telnet NetMeeting VoIP SIP TFTP General Port Forwarding ALG Default Server Setup Default Server 0 0 0 0 Server IP Address 0 0 0 0 o000 Edd a E E Hy 3 Configure the screen as follows to open TCP UDP port 53 for Xbox 360 C
63. Apply Cancel 194 P 660HW Tx v3 Series User s Guide Chapter 10 Firewalls The following table describes the labels in this screen Table 52 Security gt Firewall gt General LABEL DESCRIPTION Active Firewall Select this check box to activate the firewall The ZyXEL Device performs access control and protects against Denial of Service DoS attacks when the firewall is activated Bypass Triangle Route If an alternate gateway on the LAN has an IP address in the same subnet as the ZyXEL Device s LAN IP address return traffic may not go through the ZyXEL Device This is called an asymmetrical or triangle route This causes the ZyXEL Device to reset the connection as the connection has not been acknowledged Select this check box to have the ZyXEL Device permit the use of asymmetrical route topology on the network not reset the connection Note Allowing asymmetrical routes may let traffic from the WAN go directly to the LAN without passing through the ZyXEL Device A better solution is to use IP alias to put the ZyXEL Device and the backup gateway on separate subnets See Section 10 5 4 1 on page 208 for an example Packet Direction This is the direction of travel of packets LAN to LAN Router LAN to WAN WAN to WAN Router WAN to LAN Firewall rules are grouped based on the direction of travel of packets to which they apply For example LAN to LAN Router means packets t
64. Chapter 1 Introducing the ZyXEL Device 1 5 LEDs Lights The following graphic displays the labels of the LEDs Figure 2 LEDs on the Top of the Device ZyXEL P 600 series POWER ice 4 WPS WLAN DSL INTERNET ti L3 EH f 3 EB f LS LE L3 L_ _ None of the LEDs are on if the ZyXEL Device is not receiving power Table 1 LED Descriptions LED COLO STATUS DESCRIPTION POWER Green On The ZyXEL Device is receiving power and ready for use Blinking The ZyXEL Device is self testing Red On The ZyXEL Device detected an error while self testing or there is a device malfunction Off The ZyXEL Device is not receiving power ETHERNET Green On The ZyXEL Device has an Ethernet connection with a 1 4 device on the Local Area Network LAN Blinking The ZyXEL Device is sending receiving data to from the LAN Off The ZyXEL Device does not have an Ethernet connection with the LAN WPS Green On The wireless network is activated pon Blinking The ZyXEL Device is communicating with other wireless clients Orange Blinking The ZyXEL Device is setting up a WPS connection Off The wireless network is not activated DSL Green On The DSL line is up Blinking The ZyXEL Device is initializing the DSL line Off The DSL line is down P 660HW Tx v3 Series User s Guide Chapter 1 Introducing the ZyXEL Device T
65. Enter the single IP address or the starting IP address in a range here End IP Address Enter the ending IP address in a range here Subnet Mask Enter the subnet mask here if applicable Selected Services Add gt gt Click Add gt gt to add a new address to the Source or Destination Address box You can add multiple addresses ranges of addresses and or subnets Edit lt lt To edit an existing source or destination address select it from the box and click Edit lt lt Delete Highlight an existing source or destination address from the Source or Destination Address box above and click Delete to remove it Services Available Please see Appendix E on page 411 for more information on services available Highlight a service from the Available Services box on the left then click Add gt gt to add it to the Selected Services box on the right To remove a service highlight it in the Selected Services box on the right then click Remove Edit Customized Service Click the Edit Customized Services link to bring up the screen that you use to configure a new custom service that is not in the predefined list of services Schedule Day to Apply Select everyday or the day s of the week to apply the rule Time of Day to Apply 24 Hour Format Select All Day or enter the start and end times in the hour minute format to apply the rule Log Log Packet Detail Information
66. Firewalls 10 5 2 10 11 12 WAN to WAN Router By default the ZyXEL Device stops computers on the WAN from managing the ZyXEL Device or using the ZyXEL Device as a gateway to communicate with other computers on the WAN You could configure one of these rules to allow a WAN computer to manage the ZyXEL Device Note You also need to configure the remote management settings to allow a WAN computer to manage the ZyXEL Device You may define additional rules and sets or modify existing ones but please exercise extreme caution in doing so For example you may create rules to Block certain types of traffic such as IRC Internet Relay Chat from the LAN to the Internet Allow certain types of traffic such as Lotus Notes database synchronization from specific hosts on the Internet to specific hosts on the LAN Allow everyone except your competitors to access a web server Restrict use of certain protocols such as Telnet to authorized users on the LAN These custom rules work by comparing the source IP address destination IP address and IP protocol type of network traffic to rules set by the administrator Your customized rules take precedence and override the ZyXEL Device s default rules Guidelines For Enhancing Security With Your Firewall Change the default password via web configurator Think about access control before you connect to the network in any way Limit who can access your router Don t
67. If you have a static IP then you only need to fill in the IP Address field and not the Gateway IP Address field IP Assignment with RFC 1483 Encapsulation In this case the IP address assignment must be static IP Assignment with ENET ENCAP Encapsulation In this case you can have either a static or dynamic IP For a static IP you must fill in all the IP Address and Gateway IP Address fields as supplied by your ISP However for a dynamic IP the ZyXEL Device acts as a DHCP client on the WAN port and so the IP Address and Gateway IP Address fields are not applicable N A as the DHCP server assigns them to the ZyXEL Device 6 4 5 Nailed Up Connection PPP A nailed up connection is a dial up line where the connection is always up regardless of traffic demand The ZyXEL Device does two things when you specify a nailed up connection The first is that idle timeout is disabled The second is that the ZyXEL Device will try to bring up the connection when turned on and whenever the connection is down A nailed up connection can be very expensive for obvious reasons Do not specify a nailed up connection unless your telephone company offers flat rate service or you need a constant connection and the cost is of no concern 6 4 6 NAT NAT Network Address Translation NAT RFC 1631 is the translation of the IP address of a host in a packet for example the source address of an outgoing P 660HW Tx v3 Series User s Guide 115 Chapter
68. In Only Out Only None When set to Both or Out Only the ZyXEL Device will broadcast its routing table periodically When set to Both or In Only it will incorporate the RIP information that it receives when set to None it will not send any RIP packets and will ignore any RIP packets received P 660HW Tx v3 Series User s Guide Chapter 7 LAN Setup Table 28 Network LAN IP Alias LABEL DESCRIPTION RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyXEL Device sends it recognizes both formats when receiving RIP 1 is universally supported but RIP 2 carries more information RIP 1 is probably adequate for most networks unless you have an unusual network topology Both RIP 2B and RI P 2M sends the routing data in RIP 2 format the difference being that RI P 2B uses subnet broadcasting while RI P 2M uses multicasting Multicasting can reduce the load on non router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets However if one router uses multicasting then all routers on your network must use multicasting also By default RIP direction is set to Both and the Version set to RI P 1 Apply Click this to save your changes Cancel Click this to restore your previously saved settings 7 6 LAN Technical Reference This section provides some technical background information abou
69. In the IP Settings tab in IP addresses click Add In TCP IP Address type an IP address in IP address and a subnet mask in Subnet mask and then click Add Repeat the above two steps for each IP address you want to add Configure additional default gateways in the IP Settings tab by clicking Add in Default gateways In TCP IP Gateway Address type the IP address of the default gateway in Gateway To manually configure a default metric the number of transmission hops clear the Automatic metric check box and type a metric in Metric Click Add Repeat the previous three steps for each default gateway you want to add P 660HW Tx v3 Series User s Guide Appendix A Setting up Your Computer s IP Address Click OK when finished Figure 162 Windows Vista Advanced TCP IP Properties Advanced TCP IP Settings EAA IP Settings pns wis IP addresses IP address Subnet mask DHCP Enabled Default gateways Gateway Metric J Automatic metric EN 9 Inthe Internet Protocol Version 4 TCP IPv4 Properties window the General tab Click Obtain DNS server address automatically if you do not know your DNS server IP address es f you know your DNS server IP address es click Use the following DNS server addresses and type them in the Preferred DNS server and Alternate DNS server fields P 660HW Tx v3 Series User s Guide Appendix A Setting up Your Computer s IP Address If you have previ
70. Laye Mapper 1 0 Driver M a Link Layer Topology Discovery Responder Install Uninstall C Properties Description Transmission Control Protocol Internet Protocol The default wide area network protocol that provides communication across diverse interconnected networks l OK Cancel 7 The Internet Protocol Version 4 TCP IPv4 Properties window opens the General tab f you have a dynamic IP address click Obtain an I P address automatically f you have a static IP address click Use the following I P address and fill in the IP address Subnet mask and Default gateway fields P 660HW Tx v3 Series User s Guide Appendix A Setting up Your Computer s IP Address Click Advanced Figure 161 Windows Vista Internet Protocol Version 4 TCP IPv4 Properties Internet Protocol Version 4 TCP IPv4 Properties EAA General Alternate Configuration You can get IP settings assigned automatically if your network supports this capability Otherwise you need to ask your network administrator for the appropriate IP settings Use the following IP address Obtain DNS server address automatically Use the following DNS server addresses Advanced J cmd 8 If you do not know your gateway s IP address remove any previously installed gateways in the IP Settings tab and click OK Do one or more of the following if you want to configure additional IP addresses
71. Multicast Protocol see IGMP IP address 100 103 109 115 120 131 default server 174 176 ping 329 private 131 IP alias 127 configuration 128 NAT applications 184 IP precedence 266 L LAN 119 Any IP 123 133 example 133 client list 126 DHCP 120 125 130 DNS 120 125 130 IGMP 120 133 P address 120 121 131 IP alias 127 configuration 128 MAC address 126 multicast 120 123 132 NetBIOS 123 packet filter 123 RIP 120 123 128 132 status 36 subnet mask 120 121 131 LEDs 26 limitations FTP 317 wireless LAN 161 WPS 169 Local Area Network see LAN login 29 passwords 29 30 logs 301 alerts 301 e mail 304 error messages 305 example 305 firewalls 199 generic filters 226 protocol filters 223 schedules 304 settings 303 ARP 134 P 660HW Tx v3 Series User s Guide Index MAC address 126 148 filter 138 140 147 159 MAC address filter activation 148 management VLAN 249 mapping address 178 rules 179 types 179 180 184 Maximum Burst Size see MBS maximum incomplete 204 Maximum Transmission Unit see MTU MBS 105 112 116 MBSSID 162 MD5 fingerprint 234 monitor QoS 265 MTU 105 112 multicast 100 105 111 120 123 132 IGMPInternet Group Multicast Protocol see IGMP Multiple BSS see MBSSID multiplexing 102 109 114 LLC based 114 VC based 114 N nailed up connection 103 110 115 NAT 110 171 172 181 182 393 activation 173 address mapping 178 rules 179 types 179 180 184 ap
72. NAT that supports two types of mapping Many to One and Server The ZyXEL Device also supports Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types as outlined in Table 51 on page 185 Choose SUA Only if you have just one public WAN IP address for your ZyXEL Device Choose Full Feature if you have multiple public WAN IP addresses for your ZyXEL Device Finding Out More See Section 9 6 on page 181 for advanced technical information on NAT P 660HW Tx v3 Series User s Guide Chapter 9 Network Address Translation NAT 9 2 The NAT General Setup Screen Use this screen to activate NAT Click Network NAT to open the following screen Note You must create a firewall rule in addition to setting up SUA NAT to allow traffic from the WAN to be forwarded through the ZyXEL Device Figure 67 Network NAT General NAT Setup M Active Network Address Translation NAT sua Only C Full Feature Max NAT Firewall Session Per User 512 Apply Cancel The following table describes the labels in this screen Table 44 Network gt NAT gt General LABEL DESCRIPTION Active Network Select this check box to enable NAT Address Translation NAT SUA Only Select this radio button if you have just one public WAN IP address for your ZyXEL Device Full Feature Select this radio button if you have mul
73. Network Connections LAN or High Speed Internet Network Tasks ocal Area Connection E Create a new nabled connection standard PCI Fast Ethernet Adapte f Set up a home or small Disable office network a Disable this network 3 i device Repair EN Repair this connection Bridge Connections mij Rename this connection View status of this connection Change settings of this connection Create Shortcut 4 Select Internet Protocol TCP I P under the General tab in Win XP and then click Properties Figure 151 Windows XP Local Area Connection Properties Local Area Connection Properties General Authentication Advanced Connect using B Accton EN1207D TX PCI Fast Ethernet Adapter This connection uses the following items r2 E Client for Microsoft Networks B File and Printer Sharing for Microsoft Networks Internet Protocol TCP IP Description Transmission Control Protocol Intermet Protocol The default wide area network protocol that provides communication across diverse interconnected networks C Show icon in notification area when connected 5 Thelnternet Protocol TCP IP Properties window opens the General tab in Windows XP P 660HW Tx v3 Series User s Guide Appendix A Setting up Your Computer s IP Address f you have a dynamic IP address click Obtain an I P address automatically f you have a static IP address click
74. Nia 137 Network Address Translation XT 2 usesaasensnc esaet om Duarte Rd setae abt aa a 171 e led asy E m 187 EUIS ONT TT T er eo 189 Content FINGIN e 211 mu 50g Pentre ee ree P 219 oiv c M E 229 Lor Mem 237 end dlc t T 239 PR aper RP 243 CANE gr OFEN E A E euo E E stoma ee EE baton ka Cebu E D 253 TS UL ub Esto rpm c em 269 PRE UVES PSAP AN TIVELY m re 273 Universal Plug and Play TLE arysirna ianiai ta ut aae EE Ud 281 Ll n di 293 ISI MERCI ESI E OO OO Oo SOOO LOSS 295 LOGS pe MM 301 Hrs EEEE PAE A E HD TIC HR I HUI RUNE ronan ort ets A A E een oe MEIN 315 EI rper me E T 329 Troubleshooting and Specifications eeeeeeeeeeeeeeeeee essen ener 333 RUSS VIN e e UU T m Lm 335 P 660HW Tx v3 Series User s Guide 9 Contents Overview m lues rp eg qe 341 Appendices and Index P 660HW Tx v3 Series User s Guide Table of Contents Table of Contents FOE es OIE NI m es ere m c I I 3 Document SONY CIO INS TETTE 5 Salety WANIMI essien erai raea uS raia a Aaaa S E 7 GCOnTenis OUBIURI eio oii De oS So DD Dm eee TEAOR 9 Table OFCOM ES oco e codd ei EI UI UE M M C I ELI 11 Part I Introductio
75. P 660HW Tx v3 Series User s Guide 802 1QAP 15 1 Overview This chapter describes how to configure the 802 1Q 1P settings A Virtual Local Area Network VLAN allows a physical network to be partitioned into multiple logical networks A VLAN group can be treated as an individual device Each group can have its own rules about where and how to forward traffic You can assign any ports on the ZyXEL Device to a VLAN group and configure the settings for the group You may also set the priority level for traffic trasmitted through the ports Figure 103 802 1Q 1P 802 1Q 802 1P VLAN Groups Priority Levels 15 1 1 What You Can Do in the 802 1Q 1P Screens Use the Group Setting screen Section 15 2 on page 249 to activate 802 1Q 1P specify the management VLAN group display the VLAN groups and configure the settings for each VLAN group Use the Port Setting screen Section 15 3 on page 252 to configure the PVID and assign traffic priority for each port 15 1 2 What You Need to Know About 802 1Q 1P IEEE 802 1P Priority IEEE 802 1P specifies the user priority field and defines up to eight separate traffic types by inserting a tag into a MAC layer frame that contains bits to define class of service P 660HW Tx v3 Series User s Guide Chapter 15 802 1QAP IEEE 802 1Q Tagged VLAN Tagged VLAN uses an explicit tag VLAN ID in the MAC header to identify the VLAN member
76. Ping Click this to ping the IP address that you entered 23 3 The DSL Line Diagnostic Screen Use this screen to view the DSL line statistics and reset the ADSL line Click Maintenance gt Diagnostic gt DSL Line to open the screen shown next Figure 144 Maintenance Diagnostic DSL Line DSL Line SAR Driver Counters Display inPkts 0x00000000 inDiscards 0x00000000 outPkts 0x00000000 outDiscards Oxo0000000 inF4Pkts xOO0000000 outF4Pkts Oxoo0000000 inF5Pkts 0x00000000 outF5Pkts 0x00000000 openChan 0x00000001 closeChan 0x00000000 txRate Bps 0 rxRate Bps 0 ATM Status ATM Loopback Test DSL Line Status Reset ADSL Line Capture All Logs P 660HW Tx v3 Series User s Guide Chapter 23 Diagnostic The following table describes the fields in this screen Table 114 Maintenance gt Diagnostic gt DSL Line LABEL DESCRIPTION ATM Status Click this to view your DSL connection s Asynchronous Transfer Mode ATM statistics ATM is a networking technology that provides high speed data transfer ATM uses fixed size packets of information called cells With ATM a high QoS Quality of Service can be guaranteed The Segmentation and Reassembly SAR driver translates packets into ATM cells It also receives ATM cells and reassembles them into packets These counters are set back to zero whenever the device starts up inPkts is the number of good ATM ce
77. S ff BO New Edit Copy Delete Devices Hardware DNS Hosts Et You may configure the system s hostname domain H name servers and search domain Name servers are used to look up other hosts on the network Hostname Primary DNS Secondary DNS Tertiary DNS DNS Search Path Active Profile Common modified 5 Click the Devices tab 370 P 660HW Tx v3 Series User s Guide Appendix A Setting up Your Computer s IP Address 6 Click the Activate button to apply the changes The following screen displays Click Yes to save the changes in all screens Figure 171 Red Hat 9 0 KDE Network Configuration Activate redhat config network You have made some changes in your configuration To activate the network device ethO the changes have to be saved Do you want to continue 7 After the network card restart process is complete make sure the Status is Active in the Network Configuration screen Using Configuration Files Follow the steps below to edit the network configuration files and set your computer IP address 1 Assuming that you have only one network card on the computer locate the ifconfig etho configuration file where etho is the name of the Ethernet card Open the configuration file with any plain text editor f you have a dynamic IP address enter dhcp in the BooTPROTO field The following figure shows an example Figure 1
78. SP Service Pack 2 JavaScript enabled by default Java permissions enabled by default See Appendix B on page 375 if you need to make sure these functions are allowed in Internet Explorer 2 1 1 Accessing the Web Configurator 1 Make sure your ZyXEL Device hardware is properly connected refer to the Quick Start Guide 2 Launch your web browser 3 Type 192 168 1 1 as the URL 4 A password screen displays The ZyXEL Device has a dual login system The default non readable characters represents the user password user by default Clicking Login without entering any password brings you to the system s status screen To access the administrative web configurator and manage the P 660HW Tx v3 Series User s Guide Chapter 2 Introducing the Web Configurator ZyXEL Device type the admin password 1234 by default in the password screen and click Login Click Cancel to revert to the default user password in the password field If you have changed the password enter your password and click Login Figure 3 Password Screen 5 The following screen displays if you have not yet changed your password It is strongly recommended you change the default password Enter a new password retype it to confirm and click Apply alternatively click I gnore to proceed to the main menu if you do not want to change the password now Figure 4 Change Password Screen
79. Subnet Planning NosT ES OWED SUBNET MASK NO SUBNETS NO HOSTS PER 1 255 255 255 128 25 126 2 255 255 255 192 26 4 62 3 255 255 255 224 27 30 4 255 255 255 240 28 16 14 5 255 255 255 248 29 32 6 6 255 255 255 252 30 64 2 7 255 255 255 254 31 128 1 The following table is a summary for subnet planning on a network with a 16 bit network number Table 130 16 bit Network Number Subnet Planning NO PORROWED SUBNET MASK NO SUBNETS NOST S PER 1 255 255 128 0 17 32766 2 255 255 192 0 18 16382 3 255 255 224 0 19 8190 4 255 255 240 0 20 16 4094 5 255 255 248 0 21 32 2046 6 255 255 252 0 22 64 1022 7 255 255 254 0 23 128 510 8 255 255 255 0 24 256 254 9 255 255 255 128 25 512 126 10 255 255 255 192 26 1024 62 11 255 255 255 224 27 2048 30 12 255 255 255 240 28 4096 14 13 255 255 255 248 29 8192 6 14 255 255 255 252 30 16384 2 15 255 255 255 254 31 32768 1 Configuring IP Addresses Where you obtain your network number depends on your particular situation If the ISP or your network administrator assigns you a block of registered IP P 660HW Tx v3 Series User s Guide Appendix C IP Addresses and Subnetting addresses follow their instructions in selecting the IP addresses and the subnet mask If the ISP did not explici
80. Telnet access and from which IP address the access can 276 come Click Advanced gt Remote MGMT gt Telnet tab to display the screen as shown Figure 119 Advanced gt Remote Management gt Telnet Note Telnet Port 23 Access Status ALL v Secured Client IP Al O Selected 0 0 0 0 You may also need to create a Firewall rule P 660HW Tx v3 Series User s Guide Chapter 18 Remote Management The following table describes the labels in this screen Table 82 Advanced gt Remote Management gt Telnet LABEL DESCRIPTION Port You may change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Access Status Select the interface s through which a computer may access the ZyXEL Device using this service Secured Client IP A secured client is a trusted computer that is allowed to communicate with the ZyXEL Device using this service Select All to allow any computer to access the ZyXEL Device using this service Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service Apply Click this to save your changes Cancel Click this to restore your previously saved settings 18 4 The FTP Screen You can use FTP File Transfer Protocol to upload and download the ZyXEL Device s firmware a
81. This is the number of collisions on this interfaces Poll Interval s Type the time interval for the browser to refresh system statistics Set Interval Click this to apply the new poll interval you entered in the Poll Interval field above Stop Click this to halt the refreshing of the system statistics P 660HW Tx v3 Series User s Guide Chapter 3 Status Screens P 660HW Tx v3 Series User s Guide Tutorials 4 1 Overview This chapter shows you how to use the ZyXEL Device s various features Setting Up a Secure Wireless Network see page 43 Setting Up Multiple Wireless Groups see page 52 Configuring the MAC Address Filter see page 56 Setting Up NAT Port Forwarding see page 58 Access the ZyXEL Device Using DDNS see page 61 Configuring Static Route for Routing to Another Network see page 65 Multiple Public and Private IP Address Mappings see page 67 Multiple WAN Connections Example see page 71 Multiple PVCs with QoS see page 72 4 2 Setting Up a Secure Wireless Network Thomas wants to set up a wireless network so that he can use his notebook to access the Internet In this wireless network the ZyXEL Device serves as an access point AP and the notebook is the wireless client The wireless client can access the Internet through the AP Thomas has to configure the wireless network settings on the ZyXEL Device Then he can set up a wireless network using WPS Section 4 2 2 on pag
82. Thresholds One Minute Low so Sessions per Minute One Minute High fico Sessions per Minute Maximum Incomplete Low so Sessions Maximum Incomplete High fico Sessions TCP Maximum Incomplete Ro Sessions Action taken when TCP Maximum Incomplete reached threshold Delete the Oldest Half Open Session when New Connection Request Comes C Deny New Connection Request for fi 0 Minutes 1 255 Cancel The following table describes the labels in this screen Table 57 Security gt Firewall gt Threshold LABEL DESCRIPTION Denial of Service The ZyXEL Device measures both the total number of existing half Thresholds open sessions and the rate of session establishment attempts Both TCP and UDP half open sessions are counted in the total number and rate measurements Measurements are made once a minute One Minute Low This is the rate of new half open sessions per minute that causes the firewall to stop deleting half open sessions The ZyXEL Device continues to delete half open sessions as necessary until the rate of new connection attempts drops below this number P 660HW Tx v3 Series User s Guide Chapter 10 Firewalls Table 57 Security gt Firewall gt Threshold continued LABEL DESCRIPTION One Minute High This is the rate of new half open sessions per minute that causes the firewall to start deleting half open sessions When the rate of new connecti
83. Use the following I P Address and fill in the IP address Subnet mask and Default gateway fields Click Advanced Figure 152 Windows XP Internet Protocol TCP IP Properties Internet uendere i Properties General Altemate Configuration You can get IP settings assigned automatically if your network supports this capability Otherwise you need to ask your network administrator for the appropriate IP settings Obtain an IP address automatically Use the following IP address Obtain DNS server address automatically C Use the following DNS server addresses Advanced If you do not know your gateway s IP address remove any previously installed gateways in the IP Settings tab and click OK Do one or more of the following if you want to configure additional IP addresses In the IP Settings tab in IP addresses click Add In TCP IP Address type an IP address in IP address and a subnet mask in Subnet mask and then click Add Repeat the above two steps for each IP address you want to add Configure additional default gateways in the IP Settings tab by clicking Add in Default gateways In TCP IP Gateway Address type the IP address of the default gateway in Gateway To manually configure a default metric the number of transmission hops clear the Automatic metric check box and type a metric in Metric Click Add Repeat the previous three steps for each default gateway you want to add
84. User s Guide for how to find the WPS PIN for the ZyXEL Device see Section 8 4 on page 151 4 Enter the client s PIN in the AP s configuration interface 5 If the client device s configuration interface has an area for entering another device s PIN you can either enter the client s PIN in the AP or enter the AP s PIN in the client it does not matter which 6 Start WPS on both devices within two minutes 7 Use the configuration utility to activate WPS not the push button on the device itself 8 On a computer connected to the wireless client try to connect to the Internet If you can connect WPS was successful If you cannot connect check the list of associated wireless clients in the AP s configuration utility If you see the wireless client in the list WPS was successful P 660HW Tx v3 Series User s Guide Chapter 8 Wireless LAN The following figure shows a WPS enabled wireless client installed in a notebook computer connecting to the WPS enabled AP via the PIN method Figure 62 Example WPS Process PIN Method ENROLLEE REGISTRAR WITHIN 2 MINUTES Ww _ SSID WPA 2 PSK COMMUNICATION SN SECURE EAP TUNNEL 8 8 8 3 How WPS Works When two WPS enabled devices connect each device must assume a specific role One device acts as the registrar the device that supplies network and security settings and the other device acts as the enrollee the device that receives network and security settings Th
85. V i Service Protocol CP fo Exclude Packet Length c m fo Exclude O DscP fo 063 Exclude Ethernet Priority oE zl Exclude VLAN ID B 24094 Exclude v Physical Port 4 exclude Remote Node Exclude Apply Cancel Click Apply P 660HW Tx v3 Series User s Guide TT Chapter 4 Tutorials 3 The Class Setup screen appears Click Add to create another QoS classifier rule for general data Class Setup Create a new Class Po Active Name Interface Priority Filter Content Modify 1 iv VoIP From LAN 7 Service SIP z g ww Apply Cancel 4 Configure this rule using the following example settings Class Configuration Select Active Enter a descriptive name for this rule For example General Data Interface From LAN Priority 2 Default Routing Policy To WAN Index WAN Index 1 Filter Configuration P 660HW Tx v3 Series User s Guide Chapter 4 Tutorials Physical Port 1 3 means to exclude port 4 Calss Configuration v Active Name Interface Priority Routing Policy WAN Index Gateway Address Order Tag Configuration DSCP Value 802 1Q Tag Ethernet Priority VLAN ID Filter Configuration General Data From LAN rx 2x sme 0 53 Same 0 BE E 294094 Source Address 0 0 0 0 Subnet Netmask o 0 0 0 Port fo o MAC MAC Mask Destination Addr
86. ZyXEL Device rather than individual computers the computers on the LAN do not need PPPoE software installed P 660HW Tx v3 Series User s Guide 113 Chapter 6 WAN Setup since the ZyXEL Device does that part of the task Furthermore with NAT all of the LANs computers will have access 6 4 1 3 PPPoA PPPoA stands for Point to Point Protocol over ATM Adaptation Layer 5 AAL5 A PPPoA connection functions like a dial up Internet connection The ZyXEL Device encapsulates the PPP session based on RFC1483 and sends it through an ATM PVC Permanent Virtual Circuit to the Internet Service Provider s ISP DSLAM Digital Subscriber Line DSL Access Multiplexer Please refer to RFC 2364 for more information on PPPoA Refer to RFC 1661 for more information on PPP 6 4 1 4 RFC 1483 RFC 1483 describes two methods for Multiprotocol Encapsulation over ATM Adaptation Layer 5 AAL5 The first method allows multiplexing of multiple protocols over a single ATM virtual circuit LLC based multiplexing and the second method assumes that each protocol is carried over a separate ATM virtual circuit VC based multiplexing Please refer to RFC 1483 for more detailed information 6 4 2 Multiplexing There are two conventions to identify what protocols the virtual circuit VC is carrying Be sure to use the multiplexing method required by your ISP VC based Multiplexing In this case by prior mutual agreement each protocol is assigned to
87. ZyXEL Device checks the source IP address destination IP address and IP protocol type of network traffic against the firewall rules in the order you list them When the traffic matches a rule the ZyXEL Device takes the action specified in the rule Firewall rules are grouped based on the direction of travel of packets to which they apply LAN to LAN Router WAN to LAN LAN to WAN WAN to WAN Router Note The LAN includes both the LAN port and the WLAN By default the ZyXEL Device s stateful packet inspection allows packets traveling in the following directions LAN to LAN Router These rules specify which computers on the LAN can manage the ZyXEL Device remote management and communicate between networks or subnets connected to the LAN interface IP alias Note You can also configure the remote management settings to allow only a specific computer to manage the ZyXEL Device LAN to WAN These rules specify which computers on the LAN can access which computers or services on the WAN By default the ZyXEL Device s stateful packet inspection drops packets traveling in the following directions WAN to LAN These rules specify which computers on the WAN can access which computers or services on the LAN Note You also need to configure NAT port forwarding or full featured NAT address mapping rules to allow computers on the WAN to access devices on the LAN P 660HW Tx v3 Series User s Guide Chapter 10
88. addresses listed are allowed or denied to access the ZyXEL Device using this SSID Edit Click this to go to the MAC Filter screen to configure MAC filter settings See Section 8 2 6 on page 147 for more details QoS This shows whether QoS Quality of Service is activated or the priority level for wireless traffic with this SSID Select a priority level from the drop down list box Choices are None Default Highest High Middle and Low Select None to disable QoS Select Default to have the ZyXEL Device automatically give traffic a priority level according to the ToS value in the IP header of packets it sends WMM QoS Wifi MultiMedia Quality of Service gives high priority to voice and video which makes them run more smoothly Highest Typically used for voice or video that should be high quality High Typically used for voice or video that can be medium quality Middle Typically used for applications that do not fit into another priority For example Internet surfing Low Typically used for non critical background applications such as large file transfers and print jobs that should not affect other applications Back Click this to return to the previous screen without saving Apply Click this to save your changes Cancel Click this to restore your previously saved settings P 660HW Tx v3 Series User s Guide Chapter 8 Wireless LAN 8 4 The WPS Screen Use
89. be created per host setNetBIOSFilter calloc error The router failed to allocate memory for the NetBIOS filter settings readNetBIOSFilter calloc error The router failed to allocate memory for the NetBIOS filter settings WAN connection is down A WAN connection is down You cannot access the network through this interface P 660HW Tx v3 Series User s Guide 307 Chapter 21 Logs Table 94 Access Control Logs LOG MESSAGE DESCRIPTION Firewall default policy Packet Direction TCP UDP IGMP ESP GRE OSPF Attempted TCP UDP IGMP ESP GRE OSPF access matched the default policy and was blocked or forwarded according to the default policy s setting Firewall rule NOT match TCP UDP IGMP ESP GRE Packet Direction lt rule d gt Attempted TCP UDP IGMP ESP GRE OSPF access osPF matched or did not match a configured firewall rule denoted by its number and was blocked or forwarded according to the rule Triangle route packet forwarded TCP UDP IGMP ESP GRE OSPF The firewall allowed a triangle route session to pass through ESP GRE OSPF Packet without a NAT table entry blocked TCP UDP IGMP The router blocked a packet that didn t have a corresponding NAT table entry message TCP Router sent blocked web site The router sent a message to notify a user that
90. by grouping similar types of traffic together and treating each type as a class You can use CoS to give different priorities to different packet types CoS technologies include I EEE 802 1p layer 2 tagging and Differentiated Services DiffServ or DS IEEE 802 1p tagging makes use of three bits in the packet header while DiffServ is a new protocol and defines a new DS field which replaces the eight bit Type of Service ToS field in the IP header Tagging and Marking In a QoS class you can configure whether to add or change the DiffServ Code Point DSCP value IEEE 802 1p priority level and VLAN ID number in a matched packet When the packet passes through a compatible network the networking device such as a backbone switch can provide specific treatment or service based on the tag or marker Finding Out More See Section 16 5 on page 266 for advanced technical information on QoS 16 1 3 QoS Class Setup Example In the following figure your Internet connection has an upstream transmission speed of 50 Mbps You configure a classifier to assign the highest priority queue 6 to VoIP traffic from the LAN interface so that voice traffic would not get delayed when there is network congestion Traffic from the boss s IP address 192 168 1 23 for example is mapped to queue 5 Traffic that does not match P 660HW Tx v3 Series User s Guide Chapter 16 Quality of Service QoS these two classes are assigned priority queue based o
91. connect to the ZyXEL Device and log in Because TFTP does not have any security checks the ZyXEL Device records the IP address of the telnet client and accepts TFTP requests only from this address Enter command sys stdio 0 to disable the management idle timeout so the TFTP transfer will not be interrupted Enter command sys stdio 5 to restore the five minute management idle timeout default when the file transfer is complete Launch the TFTP client on your computer and connect to the ZyXEL Device Set the transfer mode to binary before starting data transfer Use the TFTP client see the example below to transfer files between the ZyXEL Device and the computer The file name for the configuration file is rom 0 rom zero not capital o Note that the telnet connection must be active before and during the TFTP transfer For details on TFTP commands see following example please consult the documentation of your TFTP client program For UNI X use get to transfer from the ZyXEL Device to the computer and binary to set binary transfer mode TFTP Command Configuration Backup Example The following is an example TFTP command tftp i host get rom 0 config rom where i specifies binary image transfer mode use this mode when transferring binary files host is the ZyXEL Device IP address get transfers the file source on the ZyXEL Device rom 0 name of the configuration file on the ZyXEL Device to the file dest
92. connection Modify The first ISP connection is read only in this screen Use the WAN I nternet Access Setup screen to edit it Click the Edit icon to edit the Internet connection settings Click this icon on an empty configuration to add a new Internet access setup Click the Remove icon to delete the Internet access setup from your connection list Apply Click this to save your changes Cancel Click this to restore your previously saved settings P 660HW Tx v3 Series User s Guide 1 07 Chapter 6 WAN Setup 6 3 4 More Connections Edit Use this screen to configure a connection Click the edit icon in the More Connections screen to display the following screen Figure 35 Network gt WAN gt More Connections Edit General M Active Name Mode Encapsulation User Name Password Service Name Multiplexing VPI VCI IP Address IP Address Subnet Mask Connection Max Idle time NAT None C sua Only Obtain an IP Address Automatically Static IP Address Gateway IP Address e Nailed Up Connection Connect on Demand out Edit Detail ChangeMe Routing PPPOE I sec Apply Cancel Advanced Setup The following table describes the labels in this screen Table 22 Network gt WAN gt More Connections Edit LABEL DESCRIPTION General Active Select the check box to activate or clear the check box to d
93. default when the firewall is activated all incoming traffic from the WAN to the LAN is blocked unless it is initiated from the LAN The firewall supports TCP UDP inspection DoS detection and prevention real time alerts reports and logs Content Filtering Content filtering allows you to block access to Internet web sites that contain key words that you specify in the URL You can also schedule when to perform the filtering and give trusted LAN IP addresses unfiltered Internet access QoS Quality of Service You can efficiently manage traffic on your network by reserving bandwidth and giving priority to certain types of traffic and or to particular computers Remote Management This allows you to decide whether a service HTTP or FTP traffic for example from a computer on a network LAN or WAN for example can access the ZyXEL Device Any IP The Any IP feature allows a computer to access the Internet and the ZyXEL Device without changing the network settings such as IP address and subnet mask of the computer when the IP addresses of the computer and the ZyXEL Device are not in the same subnet PPPoE Support RFC2516 PPPoE Point to Point Protocol over Ethernet emulates a dial up connection It allows your ISP to use their existing network configuration with newer broadband technologies such as ADSL The PPPoE driver on your device is transparent to the computers on the LAN which see only Ethernet a
94. devices on the network support and to provide more reliable communications in busy wireless networks Use short preamble if you are sure all wireless devices on the network support it and to provide more efficient communications Use the dynamic setting to automatically use short preamble when all wireless devices on the network support it otherwise the ZyXEL Device uses long preamble Note The wireless devices MUST use the same preamble mode in order to communicate IEEE 802 11g Wireless LAN IEEE 802 11g is fully compatible with the IEEE 802 11b standard This means an IEEE 802 11b adapter can interface directly with an IEEE 802 11g access point and vice versa at 11 Mbps or lower depending on range IEEE 802 11g has P 660HW Tx v3 Series User s Guide Appendix D Wireless LANs several intermediate rate steps between the maximum and minimum data rates The IEEE 802 11g data rate and modulation are as follows Table 131 IEEE 802 119 MBPS MODULATION 1 DBPSK Differential Binary Phase Shift Keyed 2 DQPSK Differential Quadrature Phase Shift Keying 5 5 11 CCK Complementary Code Keying 6 9 12 18 24 36 OFDM Orthogonal Frequency Division Multiplexing 48 54 Wireless Security Overview Wireless security is vital to your network to protect wireless communication between wireless clients access points and the wired network Wireless security methods available on the ZyXEL Device are dat
95. each other 7 B CTS Range They can hear the AP When station A sends data to the AP it might not know that the station B is already using the channel If these two stations send data at the same time collisions may occur when both sets of data arrive at the AP at the same time resulting in a loss of messages for both stations RTS CTS is designed to prevent collisions due to hidden nodes An RTS CTS defines the biggest size data frame you can send before an RTS Request To Send CTS Clear to Send handshake is invoked When a data frame exceeds the RTS CTS value you set between 0 to 2432 bytes the station that wants to transmit this frame must first send an RTS Request To Send message to the AP for permission to send it The AP then responds with a CTS Clear to Send message to all other stations within its range to notify them to defer their transmission It also reserves and confirms with the requesting station the time frame for the requested transmission Stations can send frames smaller than the specified RTS CTS directly to the AP without the RTS Request To Send CTS Clear to Send handshake You should only configure RTS CTS if the possibility of hidden nodes exists on your network and the cost of resending large frames is more than the extra network overhead involved in the RTS Request To Send CTS Clear to Send handshake If the RTS CTS value is greater than the Fragmentation Threshold value
96. filtering 211 activation 214 example 212 keywords 214 schedules 215 trusted IP addresses 216 URL 211 copyright 415 CoS 254 DiffServ 267 creation classifiers 260 CTS Clear to Send 398 CTS threshold 146 158 customized services 199 200 201 D data fragment threshold 146 158 default server NAT 174 176 Denials of Service see DoS DHCP 120 125 130 295 diagnostic 329 Differentiated Services see DiffServ DiffServ 267 DiffServ Code Point see DSCP disclaimer 415 DNS 103 120 125 130 278 Domain Name System see DNS DoS 190 three way handshake 202 thresholds 190 202 203 DSCP 262 264 267 P 660HW Tx v3 Series User s Guide Index DSL connections status 332 dynamic DNS 269 activation 270 wildcard 269 activation 271 Dynamic Host Configuration Protocol see DHCP dynamic WEP key exchange 404 DYNDNS wildcard 269 activation 271 E EAP Authentication 402 e mail logs 304 encapsulation 99 102 109 ENET ENCAP 113 PPPoA 114 PPPoE 113 RFC 1483 114 encryption 140 160 405 WEP 142 key 142 WPA 144 authentication 145 reauthentication 143 145 WPA PSK 143 pre shared key 143 ENET ENCAP 102 109 113 ESS 396 exporting trusted CA 234 Extended Service Set See ESS 396 F FCC interference statement 415 filters content 211 activation 214 example 212 keywords 214 schedules 215 trusted IP addresses 216 URL 211 MAC address 147 159 activation 148 packets 219 configuration 222
97. filters You can configure protocol filters in the Packet Filter screen See Chapter 12 on page 219 for more details Generic Filter Select the generic filter s to control outgoing traffic You may choose up to 4 sets of filters You can configure generic filters in the Packet Filter screen See Chapter 12 on page 219 for more details Back Click this to return to the previous screen without saving Apply Click this to save your changes Cancel Click this to restore your previously saved settings 7 3 The DHCP Setup Screen Use this screen to configure the DNS server information that the ZyXEL Device sends to the DHCP client devices on the LAN Click Network DHCP Setup to open this screen Figure 40 Network LAN DHCP Setup DHCP Setup DHCP Pool Size DNS Server DHCP Setup IP Pool Starting Address 192 168 1 33 Remote DHCP Server 0 0 0 DNS Servers Assigned by DHCP Server First DNS Server Obtained From ISP x 0 0 0 0 Second DNS Server Obtained From ISP 0 0 0 0 Third DNS Server obtained From ISP x 0 0 0 0 Cancel P 660HW Tx v3 Series User s Guide Chapter 7 LAN Setup The following table describes the labels in this screen Table 26 Network LAN DHCP Setup LABEL DESCRIPTION DHCP Setup DHCP If set to Server your ZyXEL Device can assign IP addresses an IP default gateway and DNS servers to Windows 95 Windows NT an
98. for a full list of features 1 2 Ways to Manage the ZyXEL Device Use any of the following methods to manage the ZyXEL Device Web Configurator This is recommended for everyday management of the ZyXEL Device using a supported web browser Command Line Interface Line commands are mostly used for troubleshooting by service engineers P 660HW Tx v3 Series User s Guide 23 Chapter 1 Introducing the ZyXEL Device FTP for firmware upgrades and configuration backup restore TR 069 This is an auto configuration server used to remotely configure your device 1 3 Good Habits for Managing the ZyXEL Device Do the following things regularly to make the ZyXEL Device more secure and to manage the ZyXEL Device more effectively Change the password Use a password that s not easy to guess and that consists of different types of characters such as numbers and letters Write down the password and put it in a safe place Back up the configuration and make sure you know how to restore it Restoring an earlier working configuration may be useful if the device becomes unstable or even crashes If you forget your password you will have to reset the ZyXEL Device to its factory default settings If you backed up an earlier configuration file you would not have to totally re configure the ZyXEL Device You could simply restore your last configuration 1 4 Applications for the ZyXEL Device Here are some example uses for
99. gt gt Time P 660HW Tx v3 Series User s Guide Chapter 6 WAN Setup 6 5 1 ATM Traffic Classes These are the basic ATM traffic classes defined by the ATM Forum Traffic Management 4 0 Specification Constant Bit Rate CBR Constant Bit Rate CBR provides fixed bandwidth that is always available even if no data is being sent CBR traffic is generally time sensitive doesn t tolerate delay CBR is used for connections that continuously require a specific amount of bandwidth A PCR is specified and if traffic exceeds this rate cells may be dropped Examples of connections that need CBR would be high resolution video and voice Variable Bit Rate VBR The Variable Bit Rate VBR ATM traffic class is used with bursty connections Connections that use the Variable Bit Rate VBR traffic class can be grouped into real time VBR RT or non real time VBR nRT connections The VBR RT real time Variable Bit Rate type is used with bursty connections that require closely controlled delay and delay variation It also provides a fixed amount of bandwidth a PCR is specified but is only available when data is being sent An example of an VBR RT connection would be video conferencing Video conferencing requires real time data transfers and the bandwidth requirement varies in proportion to the video image s changing dynamics The VBR nRT non real time Variable Bit Rate type is used with bursty connections that do not require closely
100. in Windows XP You must already have UPnP installed in Windows XP and UPnP activated on the ZyXEL Device Make sure the computer is connected to a LAN port of the ZyXEL Device Turn on your computer and the ZyXEL Device Auto discover Your UPnP enabled Network Device 1 Click Start and Control Panel Double click Network Connections An icon displays under Internet Gateway P 660HW Tx v3 Series User s Guide 287 Chapter 19 Universal Plug and Play UPnP 288 2 Right click the icon and select Properties 3 Network Connections File Edit View Favorites Tools Advanced Help ie BEN Pi P Search Folders Fit e Network Connections EE Internet Gateway Internet Connection nabled Internet Connection Network Tasks Create a new connection Set up a home or small office network Disable this network device Disable LANorH Status Create Shortcut i Rename this connection view status of this connection 7 Change settings of this connection E m Rename Properties In the Internet Connection Properties window click Settings to see the port mappings there were automatically created Internet Connection Properties Connect to the Internet using amp J Intenet Connection This connection allows you to connect to the Internet through a shared connection on another computer Show icon in notification area when conn
101. in order to access the network Channel Selection The range of radio frequencies used by IEEE 802 11b g wireless devices is called a channel Select a channel ID that is not already in use by a neighboring device Security Select Manually assign a WPA PSK key to configure a Pre Shared Key WPA PSK Choose this option only if your wireless clients support WPA See Section 5 3 1 on page 94 for more information Select Manually assign a WEP key to configure a WEP Key See Section 5 3 2 on page 95 for more information Select Disable wireless security to have no wireless LAN security configured and your network is accessible to any wireless networking device that is within range Back Click this to return to the previous screen without saving P 660HW Tx v3 Series User s Guide Chapter 5 Internet and Wireless Setup Wizard Table 16 Wireless LAN Setup Wizard 2 LABEL DESCRIPTION Next Click this to continue to the next wizard screen Exit Click this to close the wizard screen without saving Note The wireless stations and ZyXEL Device must use the same SSID channel ID and WEP encryption key if WEP is enabled WPA PSK if WPA PSK is enabled for wireless communication 4 This screen varies depending on the security mode you selected in the previous screen Fill in the field if available and click Next 5 3 1 Manually Assign a WPA PSK key Choose Manually assign a WPA PSK
102. in the Encapsulation field Enter a subnet mask in dotted decimal notation Gateway IP This option is available if you select ENET ENCAP in the address Encapsulation field Specify a gateway IP address supplied by your ISP DNS Server First DNS Server Select Obtained From ISP if your ISP dynamically assigns DNS server information and the ZyXEL Device s WAN IP address and you ae DNS select Obtain an IP Address Automatically erver Select User Defined if you have the IP address of a DNS server Third DNS Server Enter the DNS server s IP address in the field to the right If you chose User Defined but leave the IP address set to 0 0 0 0 User Defined changes to None after you click Apply If you set a second choice to User Defined and enter the same IP address the second User Defined changes to None after you click Apply Select None if you do not want to configure DNS servers You must have another DNS server on your LAN or else the computers must have their DNS server addresses manually configured If you do not configure a DNS server you must know the IP address of a computer in order to access it Connection PPPoA and PPPoE encapsulation only Nailed Up Select Nailed Up Connection when you want your connection up all Connection the time The ZyXEL Device will try to bring up the connection automatically if it is disconnected Connect on Select Connect on Demand when you don t want the conn
103. in with your password again Very long idle timeouts may have security risks A value of 0 means a management session never times out no matter how long it has been left idle not recommended Password User Password New Type your new user password up to 30 characters Note that as you Password type a password the screen displays a for each character you type After you change the password use the new password to access the ZyXEL Device Retype to Type the new password again for confirmation confirm Admin Password Old Type the default password or the existing password you use to access the Password system in this field New Type your new system password up to 30 characters Note that as you Password type a password the screen displays a for each character you type After you change the password use the new password to access the ZyXEL Device Retype to Type the new password again for confirmation confirm Apply Click this to save your changes Cancel Click this to restore your previously saved settings P 660HW Tx v3 Series User s Guide 297 Chapter 20 System Settings 20 3 The Time Setting Screen Use this screen to configure the ZyXEL Device s time based on your local time zone To change your ZyXEL Device s time and date click Maintenance System gt Time Setting The screen appears as shown Figure 125 Maintenance System Time Setting oor ee
104. or the wireless clients RADIUS RADIUS is based on a client server model that supports authentication authorization and accounting The access point is the client and the server is the RADIUS server The RADIUS server handles the following tasks Authentication Determines the identity of the users Authorization Determines the network services available to authenticated users once they are connected to the network Accounting Keeps track of the client s network activity RADIUS is a simple package exchange in which your AP acts as a message relay between the wireless client and the network RADIUS server Types of RADIUS Messages The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user authentication Access Request Sent by an access point requesting authentication e Access Reject Sent by a RADIUS server rejecting access Access Accept Sent by a RADIUS server allowing access P 660HW Tx v3 Series User s Guide Appendix D Wireless LANs Access Challenge Sent by a RADIUS server requesting more information in order to allow access The access point sends a proper response from the user and then sends another Access Request message The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user accounting Accounting Request Sent by the access point requesting accounting Accounting Respon
105. otineep ancanetataeeee 34 Chapter 3 SIUS SOTONE oi oro EUER V Hei in aieo ca si i leu E M ee E e El IM 35 P 660HW Tx v3 Series User s Guide Table of Contents LADEN TL C NUI T MUNI 35 Sew Eu icri REOR NT uU enon 35 RO EI IH qe a on ckleie Sa wciinds E E cade toate aed E ecaceds 38 nd WEPRPISSEUE Lieb pu percer et ans f nint Mae cb cc Seat Mt aac ony cae Rare 39 Spe p Blei per EDEN 39 ey PACS deris Ae I 40 Chapter 4 uU OUU 43 AE EE NETT TD TT TO PDT 43 4 2 Setting Up a Secure Wireless MODWOINK 2iiuuesici totis terree tamcn pae cora pn buc ss ek p Dncuk d cS EL uer Des 43 4 2 1 Configuring the Wireless Network Settings essssseeeeeenennenne 44 22 c HDsihnd PS oosssendecphtesiie i i eteuiN D ulada aD ap eeu UNE Diog dob Aet des Eme UP eCSs 45 Aa A O cH Ed 50 4 2 4 Setting Up Wireless Network Scheduling sse 50 4 3 Seating Up Multiple Wireless GODS coordinate cue Feed in Y Lg aa ted aa esas 52 4 4 Configuring the MAC Address Filter esssssesssssssseeenennne entree 56 A eine Ub NAT Port FODRFOIGE 2isssicpcidpen sous cnni canc dadas rd ea dub d Kandi eg 58 LEONIS IN uer r c E 58 4 52 POL PO WERE aspicctsiurieter Dc ebore esa yeaa ad ve PPP de pp esq nrc epp c HM mI 59 46 Access the ZyXEL Device Using DDNS iiseescicisest evddet te res aae prr Id Ic as tes didier iia
106. pop up blocking enabled by default in Windows XP SP Service Pack 2 or allow pop up blocking and create an exception for your device s IP address Disable Pop up Blockers 1 In Internet Explorer select Tools Pop up Blocker and then select Turn Off Pop up Blocker Figure 177 Pop up Blocker Mail and News Pop up Blocker Manage Add ons Synchronize Windows Update Windows Messenger Internet Options You can also check if pop up blocking is disabled in the Pop up Blocker section in the Privacy tab P 660HW Tx v3 Series User s Guide 375 Appendix B Pop up Windows JavaScript and Java Permissions 1 In Internet Explorer select Tools Internet Options Privacy 2 Clear the Block pop ups check box in the Pop up Blocker section of the screen This disables any web pop up blockers you may have enabled Figure 178 Internet Options Privacy Internet Options PIR General Security Privacy Content Connections Programs Advanced Settings Move the slider to select a privacy setting for the Internet zone Medium Blocks third party cookies that do not have a compact privacy policy Blocks third party cookies that use personally identifiable information without your implicit consent Restricts first party cookies that use personally identifiable information without implicit consent Pop up Blocker Prevent most pop up windows from appearing _ Block pop ups 3
107. real time Variable Bit Rate type for applications with bursty connections that require closely controlled delay and delay variation Select VBR nRT non real time Variable Bit Rate type for connections that do not require closely controlled delay and delay variation Peak Cell Rate Divide the DSL line rate bps by 424 the size of an ATM cell to find the Peak Cell Rate PCR This is the maximum rate at which the sender can send cells Type the PCR here Sustain Cell The Sustain Cell Rate SCR sets the average cell rate long term Rate that can be transmitted Type the SCR which must be less than the PCR Note that system default is O cells sec Maximum Maximum Burst Size MBS refers to the maximum number of cells Burst Size that can be sent at the peak rate Type the MBS which is less than 65535 PPPoE This field is available when you select PPPoE encapsulation Passthrough f now PPPoE In addition to the ZyXEL Device s built in PPPoE client you can enable encapsulation PPPoE pass through to allow up to ten hosts on the LAN to use PPPoE only client software on their computers to connect to the ISP via the ZyXEL Device Each host can have a separate account and a public WAN IP address PPPoE pass through is an alternative to NAT for application where NAT is not appropriate Disable PPPoE pass through if you do not need to allow hosts on the LAN to use PPPoE client software on their computers to connect to the
108. s configuration utility Go to the WPS settings and select the PIN method to get a PIN number Enter the PIN number in the PIN field in the Network gt Wireless LAN gt WPS Station screen on the ZyXEL Device Add Station by WPS Click the below Push Button to add WPS stations to wireless network Push Button q Note 1 The Push Button Configuration requires pressing a button on both the station and AP within 120 seconds 2 You may find the PIN number in the station s utility Click the Start buttons or the button next to the PIN field on both the wireless client utility screen and the ZyXEL Device s WPS Station screen within two minutes The ZyXEL Device authenticates the wireless client and sends the proper configuration settings to the wireless client This may take up to two minutes The wireless client is then able to communicate with the ZyXEL Device securely P 660HW Tx v3 Series User s Guide Chapter 4 Tutorials The following figure shows you how to set up a wireless network and its security on a ZyXEL Device and a wireless client by using PIN method ZyXEL Device Add Station by WPS Click the below Push Button to add WPS stations Push Button Or input station s PIN numba Ud Note aute E le Continuous Access Mode zl PIN 7 Manual Input WITHIN 2 MINUTES D Authentication by PIN nnnnnnnnnnmnnnn C SECURITY I
109. see next then the RTS Request To Send CTS Clear to Send handshake will never occur as data frames will be fragmented before they reach RTS CTS size Note Enabling the RTS Threshold causes redundant network overhead that could negatively affect the throughput performance instead of providing a remedy P 660HW Tx v3 Series User s Guide Appendix D Wireless LANs Fragmentation Threshold A Fragmentation Threshold is the maximum data fragment size between 256 and 2432 bytes that can be sent in the wireless network before the AP will fragment the packet into smaller data frames A large Fragmentation Threshold is recommended for networks not prone to interference while you should set a smaller threshold for busy networks or networks that are prone to interference If the Fragmentation Threshold value is smaller than the RTS CTS value see previously you set then the RTS Request To Send CTS Clear to Send handshake will never occur as data frames will be fragmented before they reach RTS CTS size Preamble Type Preamble is used to signal that data is coming to the receiver Short and long refer to the length of the synchronization field in a packet Short preamble increases performance as less time sending preamble means more time for sending data All IEEE 802 11 compliant wireless adapters support long preamble but not all support short preamble Use long preamble if you are unsure what preamble mode other wireless
110. stage is opening ppp IPCP The PPP connection s Internet Protocol Control Protocol stage is Starting starting ppp IPCP Opening The PPP connection s Internet Protocol Control Protocol stage is opening ppp LCP Closing The PPP connection s Link Control Protocol stage is closing ppp IPCP Closing The PPP connection s Internet Protocol Control Protocol stage is closing Table 100 UPnP Logs LOG MESSAGE DESCRIPTION UPnP pass through Firewall UPnP packets can pass through the firewall Table 101 Content Filtering Logs LOG MESSAGE DESCRIPTION s block keyword The content of a requested web page matched a user defined keyword The system forwarded web content P 660HW Tx v3 Series User s Guide oe 0 Chapter 21 Logs For type and code details see Table 105 on page 312 Table 102 Attack Logs LOG MESSAGE DESCRIPTION attack TCP UDP IGMP The firewall detected a TCP UDP I GMP ESP GRE OSPF ESP GRE OSPF attack attack ICMP type d The firewall detected an ICMP attack code d land TCP UDP IGMP The firewall detected a TCP UDP I GMP ESP GRE OSPF ESP GRE OSPF land attack land ICMP type d The firewall detected an ICMP land attack code Sd ip spoofing WAN TCP The firewall detected an IP spoofing attack on the WAN UDP IGMP ESP GRE port OSPF ip spo
111. store the certificates of the certification authorities that you decide to trust no matter how many devices you need to authenticate Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys 13 3 2 Private Public Certificates When using public key cryptology for authentication each host has two keys One key is public and can be made openly available The other key is private and must be kept secure These keys work like a handwritten signature in fact certificates are often referred to as digital signatures Only you can write your signature exactly as it should look When people know what your signature looks like they can verify whether something was signed by you or by someone else In the same way your private key writes your digital signature and your public key allows people to verify whether data was signed by you or by someone else This process works as follows P 660HW Tx v3 Series User s Guide 235 Chapter 13 Certificates Tim wants to send a message to Jenny He needs her to be sure that it comes from him and that the message content has not been altered by anyone else along the way Tim generates a public key pair one public key and one private key Tim keeps the private key and makes the public key openly available This means that anyone who receives a message seeming to come from Tim can read it and verify whether it is
112. text box above then displays the progress and results of this operation for example Start to reset ADSL Loading ADSL modem F W Reset ADSL Line Successfully Capture All Logs Click this to display information and statistics about your ZyXEL Device s ATM statistics DSL connection statistics DHCP settings firmware version WAN and gateway IP address VPI VCI and LAN IP address P 660HW Tx v3 Series User s Guide PART VII Troubleshooting Troubleshooting This chapter offers some suggestions to solve problems you might encounter The potential problems are divided into the following categories Power Hardware Connections and LEDs ZyXEL Device Access and Login nternet Access 24 1 Power Hardware Connections and LEDs The ZyXEL Device does not turn on None of the LEDs turn on 1 Make sure the ZyXEL Device is turned on 2 Make sure you are using the power adaptor or cord included with the ZyXEL Device 3 Make sure the power adaptor or cord is connected to the ZyXEL Device and plugged in to an appropriate power source Make sure the power source is turned on 4 Turn the ZyXEL Device off and on 5 Ifthe problem continues contact the vendor One of the LEDs does not behave as expected 1 Make sure you understand the normal behavior of the LED See Section 1 5 on page 26 P 660HW Tx v3 Series User s Guide 335 Chapter 24 Troubleshooting
113. the Edit icon on a new rule era Address Mapping Address Mapping Rules Local Start 1P Local End IP Global Start IP Global End TP Modify 1 z 3 p z T a 2 m lt 7 m it 4 Configure two rules for the one to one mappings Rule 1 This maps the public IP address 172 16 1 253 to the private IP address 192 168 1 2 Type One to One Local Start IP 192 168 1 2 Global Start IP 172 16 1 253 P 660HW Tx v3 Series User s Guide Chapter 4 Tutorials Rule 2 This maps the public IP address 172 16 1 254 to the private IP address 192 168 1 3 Type One to One Local Start IP 192 168 1 3 Global Start IP 172 16 1 254 Edit Address Mapping Rule2 Type One to One Local Start IP 192 168 1 3 z x N A Edit Address Mapping Rule1 Type wemoe 1 EERE Local Start IP 192 168 1 2 N A Local End IP N A 2 j Edit Details Global Start IP 172 16 1 253 Apply Cancel Global End IP N A Server Mapping Set z Edit Details Apply Cancel Click Apply on each of the screens 4 9 Multiple WAN Connections Example This example shows an application for multiple WAN connections Your ISP may configure more than one WAN connection on the ZyXEL Device to record traffic statistics or calculate service charges In Figure 11 three WAN connections are configured over the ADSL line The connection with VPI VCI 0 33 is dedicated for Media On Demand MOD service The connectio
114. the date the firmware version was created Click this to go to the Version screen where you can change it DSL This is the current version of the device s DSL modem code Firmware Version WAN Information DSL Mode This is the DSL standard that your ZyXEL Device is using IP Address This is the current IP address of the ZyXEL Device in the WAN Click this to go to the screen where you can change it IP Subnet This is the current subnet mask in the WAN Mask Default This is the IP address of the default gateway if applicable Gateway VPI VCI This is the Virtual Path Identifier and Virtual Channel Identifier that you entered in the wizard or WAN screen LAN Information IP Address This is the current IP address of the ZyXEL Device in the LAN Click this to go to the screen where you can change it IP Subnet This is the current subnet mask in the LAN Mask DHCP This field displays what DHCP services the ZyXEL Device is providing to the LAN Choices are Server The ZyXEL Device is a DHCP server in the LAN It assigns IP addresses to other computers in the LAN Relay The ZyXEL Device acts as a surrogate DHCP server and relays DHCP requests and responses between the remote server and the clients None The ZyXEL Device is not providing any DHCP services to the LAN Click this to go to the screen where you can change it P 660HW Tx v3 Series User s Guide Chapter 3 Status Screens Table4 Status Screen
115. the network number and which bits are part of the host ID using a logical AND operation The term subnet is short for sub network A subnet mask has 32 bits If a bit in the subnet mask is a 1 then the corresponding bit in the IP address is part of the network number If a bit in the subnet mask is 0 then the corresponding bit in the IP address is part of the host ID The following example shows a subnet mask identifying the network number in bold text and host ID of an IP address 192 168 1 2 in decimal Table 120 Subnet Masks 1ST 2ND 3RD ATH OCTET OCTET OCTET OCTET 192 168 1 2 IP Address Binary 11000000 10101000 00000001 00000010 Subnet Mask Binary 11111111 11111111 11111111 00000000 Network Number 11000000 10101000 00000001 Host ID 00000010 P 660HW Tx v3 Series User s Guide Appendix C IP Addresses and Subnetting By convention subnet masks always consist of a continuous sequence of ones beginning from the leftmost bit of the mask followed by a continuous sequence of zeros for a total number of 32 bits Subnet masks can be referred to by the size of the network number part the bits with a 1 value For example an 8 bit mask means that the first 8 bits of the mask are ones and the remaining 24 bits are zeroes Subnet masks are expressed in dotted decimal notation just like IP addresses The following examples show the binary and decimal no
116. this to add another WPS enabled wireless device within wireless range of the ZyXEL Device to your wireless network This button may either be a physical button on the outside of device or a menu button similar to the Push Button on this screen Note You must press the other wireless device s WPS button within two minutes of pressing this button Or input Enter the PIN of the device that you are setting up a WPS connection station s PIN with and click Start to authenticate and add the wireless device to your number wireless network You can find the PIN either on the outside of the device or by checking the device s settings Note You must also activate WPS on that device within two minutes to have it present its PIN to the ZyXEL Device 8 6 The WDS Screen An AP using the Wireless Distribution System WDS can function as a wireless network bridge allowing you to wirelessly connect two wired network segments The WDS screen allows you to configure the ZyXEL Device to connect to two or more APs wirelessly when WDS is enabled Use this screen to set up your WDS Wireless Distribution System links between the ZyXEL Device and other wireless APs You need to know the MAC address of the peer device Once the security settings of peer sides match one another the connection between devices is made Note WDS security is independent of the security settings between the ZyXEL Device and any wireless clients Note At t
117. to two years from the date of purchase During the warranty period and upon proof of purchase should the product have indications of failure due to faulty workmanship and or materials ZyXEL will at its discretion repair or replace the defective products or components without charge for either parts or labor and to whatever extent it shall deem necessary to restore the product or components to proper operating condition Any replacement will consist of a new or re manufactured functionally equivalent product of equal or higher value and will be solely at the discretion of ZyXEL This warranty shall not apply if the product has been modified misused tampered with damaged by an act of God or subjected to abnormal working conditions P 660HW Tx v3 Series User s Guide 41 7 Appendix F Legal Information Note Repair or replacement as provided under this warranty is the exclusive remedy of the purchaser This warranty is in lieu of all other warranties express or implied including any implied warranty of merchantability or fitness for a particular use or purpose ZyXEL shall in no event be held liable for indirect or consequential damages of any kind to the purchaser To obtain the services of this warranty contact ZyXEL s Service Center for your Return Material Authorization number RMA Products must be returned Postage Prepaid It is recommended that the unit be insured when shipped Any returned products without proof of pur
118. which the ZyXEL Device is well suited P 660HW Tx v3 Series User s Guide Chapter 1 Introducing the ZyXEL Device 1 4 1 Internet Access Your ZyXEL Device provides shared Internet access by connecting the DSL port to the DSL or MODEM jack on a splitter or your telephone jack Computers can connect to the ZyXEL Device s LAN ports or wirelessly Figure 1 ZyXEL Device s Router Features You can also configure firewall and content filtering on the ZyXEL Device for secure Internet access When the firewall is on all incoming traffic from the Internet to your network is blocked unless it is initiated from your network This means that probes from the outside to your network are not allowed but you can safely browse the Internet and download files Use content filtering to block access to specific web sites with URL s containing keywords that you specify You can define time periods and days during which content filtering is enabled and include or exclude particular computers on your network from content filtering For example you could block access to certain web sites for the kids Use QoS to efficiently manage traffic on your network by giving priority to certain types of traffic and or to particular computers For example you could make sure that the ZyXEL Device gives voice over Internet calls high priority and or limit bandwidth devoted to the boss s excessive file downloading P 660HW Tx v3 Series User s Guide 25
119. window 9 Click Close OK in Windows 2000 NT to close the Local Area Connection Properties window 10 Close the Network Connections window Network and Dial up Connections in Windows 2000 NT 11 Turn on your ZyXEL Device and restart your computer if prompted Verifying Settings 1 Click Start All Programs Accessories and then Command Prompt 2 Inthe Command Prompt window type ipconfig and then press ENTER You can also open Network Connections right click a network connection click Status and then click the Support tab Windows Vista This section shows screens from Windows Vista Enterprise Version 6 0 P 660HW Tx v3 Series User s Guide Appendix A Setting up Your Computer s IP Address 1 Click the Start icon Control Panel Figure 155 Windows Vista Start Menu Dr eye 7 0 Professional Connect To g Media Player Classic gt AllPrograms Help and Support bor Seorch o gt NM NL Default Pro tomize the appearance and functionality of your computer add E or remove programs and set up network connections and user accounts 2 Inthe Control Panel double click Network and Internet Figure 156 Windows Vista Control Panel GOo Control Panel vy p I p File Edit View Tools Help Get started with Windows Change account type Back up your computer gany i Appearance and Check e ANA lo Personalization Change desktop background Change the color scheme
120. your ZyXEL Device Use the instructions in this chapter to change the device s configuration file or upgrade its firmware After you configure your device you can backup the configuration file to a computer That way if you later misconfigure the device you can upload the backed up configuration file to return to your previous settings You can alternately upload the factory default configuration file if you want to return the device to the original default settings The firmware determines the device s available features and functionality You can download new firmware releases from your nearest ZyXEL FTP site or www zyxel com to use to upgrade your device s performance Only use firmware for your device s specific model Refer to the label on the bottom of your ZyXEL Device 22 1 1 What You Can Do in the Tool Screens Use the Firmware Upgrade screen Section 22 2 on page 323 to upload firmware to your device Use the Configuration screen Section 22 3 on page 325 to backup and restore device configurations You can also reset your device settings back to the factory default Use the Restart screen Section 22 4 on page 328 to restart your ZyXEL device P 660HW Tx v3 Series User s Guide 315 Chapter 22 Tools 22 1 2 What You Need To Know About Tools Filename Conventions The configuration file often called the romfile or rom 0 contains the factory default settings in the menus such as password DHCP Setup
121. 0 Apply Cancel The following table describes the labels in this screen Table 60 Security gt Content Filter Trusted LABEL DESCRIPTION Start IP Address Type the IP address of a computer or the beginning IP address of a specific range of computers on the LAN that you want to exclude from content filtering End IP Address Type the ending IP address of a specific range of users on your LAN that you want to exclude from content filtering Leave this field blank if you want to exclude an individual computer P 660HW Tx v3 Series User s Guide Chapter 11 Content Filtering Table 60 Security gt Content Filter Trusted continued LABEL DESCRIPTION Apply Click this to save your changes Cancel Click this to restore your previously saved settings P 660HW Tx v3 Series User s Guide 217 Chapter 11 Content Filtering P 660HW Tx v3 Series User s Guide Packet Filter 12 1 Overview Your ZyXEL Device uses filters to decide whether to allow passage of traffic This chapter discusses how to create and apply filters 12 1 1 What You Can Do in the Packet Filter Screen Use the Packet Filter screens Section 12 2 on page 220 to display the filter sets and configure the rules for protocol and generic filters 12 1 2 What You Need to Know About the Packet Filter Filters Your ZyXEL Device uses filters to decide whether to allow passage of a da
122. 0 or 26 hexadecimal characters 0 9 A F for a 64 bit or 128 bit WEP key respectively Back Click this to return to the previous screen without saving Next Click this to continue to the next wizard screen Exit Click this to close the wizard screen without saving 5 Click Apply to save your wireless LAN settings Figure 29 Wireless LAN Setup 3 STEP STEP2 fa Wireless LAN Please Click the Apply Button to re the W LAN settings N Note If you are currently using a Wireless PC card to access this router AND you made changes to the SSID then you will need to make the same changes to your Wireless PC card AFTER you click the Apply Button Once the changes have been made to the Wireless PC card you will be able to connect back to the router and continue the configuration process Back Apply Exit P 660HW Tx v3 Series User s Guide Chapter 5 Internet and Wireless Setup Wizard 6 Use the read only summary table to check whether what you have configured is correct Click Finish to complete and save the wizard setup Note No wireless LAN settings display if you chose not to configure wireless LAN settings Figure 30 Internet Access and WLAN Wizard Setup Complete CONGRATULATIONS The Internet Wireless Setup configuration is complete Here is your current settings Mode Routing Encapsulation ENET ENCAP Multiplexi LLC PI CI Network Name SSID ZyXELO1 Channel Se
123. 0520 xx eo 1 68 1 255 match forward port 00520 lt 1 02 gt This section provides descriptions of example log messages Table 92 System Maintenance Logs LOG MESSAGE DESCRIPTION successful Time calibration is The router has adjusted its time based on information from the time server Time calibration failed The router failed to get information from the time server WAN interface gets IP s A WAN interface got a new IP address from the DHCP PPPoE or dial up server DHCP client IP expired A DHCP client s IP address has expired DHCP server assigns s The DHCP server assigned an IP address to a client Successful WEB login Someone has logged on to the router s web configurator interface WEB login failed Someone has failed to log on to the router s web configurator interface Successful TELNET login Someone has logged on to the router via telnet TELNET login failed Someone has failed to log on to the router via telnet Successful FTP login Someone has logged on to the router via ftp P 660HW Tx v3 Series User s Guide Chapter 21 Logs Table 92 System Maintenance Logs continued LOG MESSAGE DESCRIPTION FTP login failed Someone has failed to log on to the router via ftp NAT Session Table is Full The maximum number of NAT session table entries has been exceeded and the table is full Sta
124. 181 3 ROS Class Sep EXQIUDG eain aa 254 16 2 The QoS General Sereen 1 5 eseeeceksk kc ananena XR R0 Aaa ae ad sse ERAN aaa 258 Df 3h Gliss ane gcc ED EUNT 259 163 1 The Glass Configuration SGEE quuisoacaiepeocd e repo dap E eec a a tra pora Ga 261 15 4 The COS Montor DODGE grinos a dk ikcua dnd esa co dicc sai Dua xa Dc aD E A 265 sens NE E eR S 266 1595 1 IEEE SUZ TG BRE cenis ieri ont os ee re prr da e Ve D CREE 266 165 2 IP PRS COCO iiis epia t tI iH pente um die ene ou tiet ent idTepa tue tart uod centu pM UG S ET ep PNE 266 REN s gcol Me T HR HEN 267 16 5 4 Automatic Priority Queue Assignment cease neasadekee nianu kt bua 267 Chapter 17 ii dtp CYCCOu0 I 269 ITE E c ERE UT t ce Ip 269 17 1 1 What You Can Do in the DDNS Screen sssssssssssseeeere eene 269 17 1 2 What You Need To Know About DDNS cccccccsececcceeceeeeessessseeaeceeeeeeeeseneees 269 152 The Eunamic DNG GOGGI sce acd sacs oe na docte m tete con i 270 Chapter 18 Remote MIAN AGCINO ON oiic coc secsaveccccsaytetacscanetwmscenensesuckeduetacdosncsvanicusnitay aiaa a aay a ENa aaa aas 273 jube 25 E AANE T E E EA NT AAA IE AE tro EO 273 18 1 1 What You Can Do in the Remote Management Screens ssssssss 274 18 1 2 What You Need to Know About Remote Management esses 274 Ml He UU ACU IN ussteadithn tbe irte psit is tele e
125. 189 10 1 1 What You Can Do in the Firewall Screens sssessseeen 189 10 1 2 What You Need to Know About Firewall 1 ccn temen orat nnn tte pep genes 190 101 3 Firewall Rule Setup Example eos ette geo adici oen aene aa a narra 191 10 2 The Firewall Goperal Soroen aniria S o 00S LS 194 TGS The Five Cibi er rp m 196 Qum ES eM RR S E 198 jlicpopem ior oic xc M Rm 200 10 3 3 Gonflguring a Customized Service Lausssesax i p ra Rh nr a go a UR ba 201 10 4 Ihe Firewall Threshold GEBET Lasse conii peat ai aiani a a ru band zu 202 jT MEI umor qe m 202 104 2 Goniidudbpg Firewall Thresholds 2i ande dea Re T HG M riGe d ebria RR pr EE de 203 10 5 Firewall Technical Fag M TN TS 205 105 1 Firewall Rules CUVOPVIgW oconnori aa aar aaia 205 10 5 2 Guidelines For Enhancing Security With Your Firewall sessssss 206 105 3 Security Considerations meet R 207 patr EnO RO E 207 Chapter 11 n at uli il E E E E S 211 NER Ue reme 211 11 1 1 What You Can Do in the Content Filter Screens ssesssssssee 211 11 1 2 What You Need to Know About Content Filtering sess 211 DEBES EID ER CIE o UT 211 THX 4 Content Feri EXDIIIDIB grunnserien oaa Fan Rd S ge a pta aan an ne 212 P 660HW Tx v3 Series User s Guide 15 Table of Contents Me ont ROUTE EE ai st pr prado hast dr opa aie hae ado and debo d 214 Ta Theseus OB sudsacuipiaxsbuxtibtssDibdaeta
126. 2 Check the hardware connections 3 Inspect your cables for damage Contact the vendor to replace any damaged cables 4 Turn the ZyXEL Device off and on 5 Ifthe problem continues contact the vendor 24 2 ZyXEL Device Access and Login forgot the IP address for the ZyXEL Device 1 The default IP address is 192 168 1 1 2 Ifyou changed the IP address and have forgotten it you might get the IP address of the ZyXEL Device by looking up the IP address of the default gateway for your computer To do this in most Windows computers click Start Run enter cmd and then enter ipconfig The IP address of the Default Gateway might be the IP address of the ZyXEL Device it depends on the network so enter this IP address in your Internet browser 3 If this does not work you have to reset the device to its factory defaults See Section 1 6 on page 27 forgot the password 1 The default admin password is 1234 and the default user password is user 2 If this does not work you have to reset the device to its factory defaults See Section 1 6 on page 27 cannot see or access the Login screen in the web configurator 1 Make sure you are using the correct IP address The default IP address is 192 168 1 1 P 660HW Tx v3 Series User s Guide Chapter 24 Troubleshooting f you changed the IP address Section 7 2 on page 121 use the new IP address f you changed the IP address and have forgo
127. 225 firewalls 227 generic filters 223 logs 223 226 NAT 226 protocol filters 221 structure 219 types 220 226 firewalls 189 actions 199 activation 195 address types 199 alerts 200 anti probing 190 asymmetrical routes 195 configuration 194 198 203 customized services 199 200 201 default action 195 DoS 190 thresholds 190 202 203 example 191 half open sessions 204 ICMP 190 logs 199 maximum incomplete 204 P2P 203 packet direction 195 packet filtering 227 rules 196 205 schedules 199 security 206 status 37 three way handshake 202 triangle route 195 207 208 solutions 208 firmware 316 323 upgrading 318 version 36 forwarding ports 172 174 activation 177 configuration 175 example 175 rules 177 fragmentation threshold 146 158 399 FTP 24 277 backing up configuration 320 P 660HW Tx v3 Series User s Guide Index limitations 317 QoS 264 restoring configuration 317 318 upgrading firmware 318 319 G generic filters 223 226 activation 224 length 225 logs 226 mask 225 offset 225 H half open sessions 204 hidden node 397 IANA 393 Internet Assigned Numbers Authority see IANA IBSS 395 ICMP 190 279 IEEE 802 11g 399 IGA 182 IGMP 100 120 123 133 ILA 182 importing trusted CA 231 Independent Basic Service Set See IBSS 395 initialization vector IV 405 Inside Global Address see IGA Inside Local Address see ILA Internet Control Message Protocol see ICMP Internet Group
128. 3 Series User s Guide Chapter 25 Product Specifications Table 118 Standards Supported continued STANDARD DESCRIPTION Microsoft PPTP MS PPTP Microsoft s implementation of Point to Point Tunneling Protocol MBM v2 Media Bandwidth Management v2 RFC 2383 ST2 over ATM Protocol Specification UNI 3 1 Version TR 069 TR 069 DSL Forum Standard for CPE Wan Management 1 363 5 Compliant AAL5 SAR Segmentation And Re assembly 25 4 Power Adaptor Specifications Table 119 ZyXEL Device Series Power Adaptor Specifications NORTH AMERICAN PLUG STANDARDS AC Power Adapter Model 12V 1A SOCB PA Input Power AC 120Volts 60Hz Output Power DC 12Volts 1 0A Power Consumption 7 7 Watt max Safety Standards ANSI UL 60950 1 CSA 60950 1 EUROPEAN PLUG STANDARDS AC Power Adapter Model Input Power AC 230Volts 50Hz Output Power DC 12Volts 1 0A Power Consumption 8 3 Watt max Safety Standards CE GS or TUV EN60950 1 P 660HW Tx v3 Series User s Guide 347 Chapter 25 Product Specifications P 660HW Tx v3 Series User s Guide PART VIII Appendices and Index Note The appendices provide general information Some details may not apply to your ZyXEL Device Setting up Your Computer s IP Address 351 Pop up Windows JavaScripts and Java Permissions 375 IP Addresses and Subnetting 385 Wireless LA
129. 46 for more details 8 2 1 No Security In the Network gt Wireless LAN gt AP screen select No Security from the Security Mode list to allow wireless devices to communicate with the ZyXEL Device without any data encryption or authentication Note If you do not enable any wireless security on your ZyXEL Device your network is accessible to any wireless networking device that is within range Figure 47 Network gt Wireless LAN gt AP No Security Common Setup Network Name SSID ZyXELO1 Cl Hide ss1D Security Mode No Security M The following table describes the labels in this screen Table 30 Network gt Wireless LAN gt AP No Security LABEL DESCRIPTION Security Mode Choose No Security from the drop down list box P 660HW Tx v3 Series User s Guide Chapter 8 Wireless LAN 8 2 2 WEP Encryption Use this screen to configure and enable WEP encryption Click Network gt Wireless LAN to display the AP screen Select Static WEP from the Security Mode list Note WEP is extremely insecure Its encryption can be broken by an attacker using widely available software It is strongly recommended that you use a more effective security mechanism Use the strongest security mechanism that all the wireless devices in your network support For example use WPA PSK or WPA2 PSK if all your wireless devices support it or use WPA or WPA2 if your wireless devices support it and you
130. 5 0 100M Full Duplex DHCP Server WLAN Information SSID Channel Security WPS ms Client List AnyIP Table Security WLAN Status Packet Statistics Firewall Enabled Content Filter Disable P 660HW Tx v3 Series User s Guide Chapter 2 Introducing the Web Configurator As illustrated above the main screen is divided into these parts A title bar B navigation panel C main window D status bar 2 2 1 Title Bar The title bar provides some icons in the upper right corner The icons provide the following functions Table 2 Web Configurator Icons in the Title Bar ICON DESCRIPTION Wizards Click this icon to go to the configuration wizards See Chapter 5 on page 83 for more information EJ Logout Click this icon to log out of the web configurator 2 2 2 Navigation Panel Use the menu items on the navigation panel to open screens to configure ZyXEL Device features The following tables describe each menu item Table 3 Navigation Panel Summary LINK TAB FUNCTION Status This screen shows the ZyXEL Device s general device and network status information Use this screen to access the statistics and client list Network WAN Internet Use this screen to configure ISP parameters WAN IP address Access Setup assignment DNS servers and other advanced properties More Use this screen to configure additional WAN connections Connections
131. 53 192 168 1 34 1196 En 4 p aa none UDP 192 168 1 1 53 192 168 1 34 1195 mentees does WEB Login Successfully User user The following table describes the fields in this screen Table 89 Maintenance gt Logs gt View Log LABEL DESCRIPTION Display The categories that you select in the Log Settings screen display in the drop down list box Select a category of logs to view select All Logs to view logs from all of the log categories that you selected in the Log Settings page Email Log Now Click this to send the log screen to the e mail address specified in the Log Settings page make sure that you have first filled in the E mail Log Settings fields in Log Settings Refresh Click this to renew the log screen Clear Log Click this to delete all the logs This field is a sequential value and is not associated with a specific entry Time This field displays the time the log was recorded Message This field states the reason for the log Source This field lists the source IP address and the port number of the incoming packet P 660HW Tx v3 Series User s Guide Chapter 21 Logs Table 89 Maintenance gt Logs gt View Log LABEL DESCRIPTION Destination This field lists the destination IP address and the port number of the incoming packet Notes This field displays additional information about the log entry 21 3 The Log Settings Screen U
132. 600 seconds or 1 hour Group Key Update Timer The Group Key Update Timer is the rate at which the AP if using WPA 2 PSK key management or RADI US server if using WPA 2 key management sends a new group key out to all clients The re keying process is the WPA 2 equivalent of automatically changing the WEP key for an AP and all stations in a WLAN on a periodic basis Authentication Server IP Address Enter the IP address of the external authentication server in dotted decimal notation Port Number Enter the port number of the external authentication server You need not change this value unless your network administrator instructs you to do so with additional information Shared Secret Enter a password up to 31 alphanumeric characters as the key to be shared between the external authentication server and the ZyXEL Device The key must be the same on the external authentication server and your ZyXEL Device The key is not sent over the network Accounting Server optional IP Address Enter the IP address of the external accounting server in dotted decimal notation P 660HW Tx v3 Series User s Guide Chapter 8 Wireless LAN Table 33 Network Wireless LAN AP WPA 2 LABEL DESCRIPTION Port Number Enter the port number of the external accounting server You need not change this value unless your network administrator instructs you to do so with
133. 72 31 255 255 192 168 0 0 192 168 255 255 You can obtain your IP address from the IANA from an ISP or it can be assigned from a private network If you belong to a small organization and your Internet access is through an ISP the ISP can provide you with the Internet addresses for your local networks On the other hand if you are part of a much larger organization you should consult your network administrator for the appropriate IP addresses Regardless of your particular situation do not create an arbitrary IP address always follow the guidelines above For more information on address assignment please refer to RFC 1597 Address Allocation for Private Internets and RFC 1466 Guidelines for Management of IP Address Space P 660HW Tx v3 Series User s Guide Appendix C IP Addresses and Subnetting P 660HW Tx v3 Series User s Guide Wireless LANs Wireless LAN Topologies This section discusses ad hoc and infrastructure wireless LAN topologies Ad hoc Wireless LAN Configuration BSS The simplest WLAN configuration is an independent Ad hoc WLAN that connects a set of computers with wireless adapters A B C Any time two or more wireless adapters are within range of each other they can set up an independent network which is commonly referred to as an ad hoc network or Independent Basic Service Set IBSS The following diagram shows an example of notebook computers using wireless adapters to form an ad hoc w
134. 72 Red Hat 9 0 Dynamic IP Address Setting in ifconfig ethO EVICE eth0 BOOT yes OOTPROTO dhcp SERCTL no EERDNS yes YPE Ethernet HdH udtugou P 660HW Tx v3 Series User s Guide 371 Appendix A Setting up Your Computer s IP Address f you have a static IP address enter static in the BOOTPROTO field Type IPADDR followed by the IP address in dotted decimal notation and type NETMASK followed by the subnet mask The following example shows an example where the static IP address is 192 168 1 10 and the subnet mask is 255 255 255 0 Figure 173 Red Hat 9 0 Static IP Address Setting in ifconfig ethO DEVICE eth0 ONBOOT yes BOOTPROTO static IPADDR 192 168 1 10 NETMASK 255 255 255 0 USERCTL no PEERDNS yes TYPE Ethernet 2 Ifyou know your DNS server IP address es enter the DNS server information in the resolv conf file in the etc directory The following figure shows an example where two DNS server IP addresses are specified Figure 174 Red Hat 9 0 DNS Settings in resolv conf nameserver 172 23 5 1 nameserver 172 23 5 2 3 After you edit and save the configuration files you must restart the network card Enter network restart in the etc rc d init d directory The following figure shows an example Figure 175 Red Hat 9 0 Restart Ethernet Card root localhost init d network restart Shutting down i
135. 9 4 The Address Mapping Screen 178 Note The Address Mapping screen is available only when you select Full Feature in the NAT General screen Ordering your rules is important because the ZyXEL Device applies the rules in the order that you specify When a rule matches the current packet the ZyXEL Device takes the corresponding action and the remaining rules are ignored If there are any empty rules before your new configured rule your configured rule will be pushed up by that number of empty rules For example if you have already configured rules 1 to 6 in your current set and now you configure rule number 9 In the set summary screen the new rule will be rule 7 not 9 Now if you delete rule 4 rules 5 to 7 will be pushed up by 1 rule so old rules 5 6 and 7 become new rules 4 5 and 6 To change your ZyXEL Device s address mapping settings click Network NAT gt Address Mapping to open the following screen Figure 71 Network NAT Address Mapping Address Mapping Address Mapping Rules B Local Start IP Local End IP Global StartIP Global End IP Type Modify 1 5 T R C R E R N R N EP EP E E E E ED ED E E The following table describes the fields in this screen Table 47 Network NAT Address Mapping LABEL DESCRIPTION This is the rule index number Local Start IP This is the starting Inside Local IP Address ILA Local IP addresses are N A for Server port mapp
136. Click Apply to save this setting Enable Pop up Blockers with Exceptions Alternatively if you only want to allow pop up windows from your device see the following steps 1 In Internet Explorer select Tools Internet Options and then the Privacy tab 376 P 660HW Tx v3 Series User s Guide Appendix B Pop up Windows JavaScript and Java Permissions 2 Select Settings to open the Pop up Blocker Settings screen Figure 179 Internet Options Privacy Internet Options General Security Privacy Content Connections Programs Advanced Settings Move the slider to select a privacy setting for the Internet zone Medium Blocks third party cookies that do not have a compact privacy policy Blocks third party cookies that use personally identifiable LJ information without your implicit consent Restricts first party cookies that use personally identifiable information without implicit consent Pop up Blocker Prevent most pop up windows from appearing i 3 Typethe IP address of your device the web page that you do not want to have blocked with the prefix http For example http 192 168 167 1 P 660HW Tx v3 Series User s Guide 377 378 Appendix B Pop up Windows JavaScript and Java Permissions 4 Click Add to move the IP address to the list of Allowed sites Figure 180 Pop up Blocker Settings Pop up Blocker Settings Exceptions Pop ups are currently block
137. ENDOS C usus SUE E EEUU EE E 411 Appendix F Legal idi ci CR E 415 MN A M OO O0 419 P 660HW Tx v3 Series User s Guide Table of Contents P 660HW Tx v3 Series User s Guide PART I Introduction Introducing the ZyXEL Device 23 Introducing the Web Configurator 29 Status Screens 35 Tutorials 43 Introducing the ZyXEL Device This chapter introduces the main applications and features of the ZyXEL Device It also introduces the ways you can manage the ZyXEL Device 1 1 Overview The P 660HW Tx v3 is an ADSL2 router By integrating DSL and NAT you are provided with ease of installation and high speed shared Internet access The P 660HW Tx v3 is also a complete security solution with a robust firewall and content filtering Please refer to the following description of the product name format H denotes an integrated 4 port hub switch Models ending in 1 for example P 660HW T1 denote a device that works over the analog telephone system POTS Plain Old Telephone Service Models ending in 3 denote a device that works over ISDN Integrated Services Digital Network or T ISDN UR 2 Only use firmware for your ZyXEL Device s specific model Refer to the label on the bottom of your ZyXEL Device Note All screens displayed in this user s guide are from the P 660HW T1 v3 model See the product specifications
138. ForCompanyOnly 3600 In Seconds 1800 In Seconds Click Network gt Wireless LAN gt More AP to open the following screen Click the Edit icon to configure the second wireless network group More AP More AP Setup ZyXELO2 2 F ZyXELO3 s RF ZyXEL04 IPS Station rj um Sean Modify 2 2 IY None fit None EP f None EP f r P 660HW Tx v3 Series User s Guide Chapter 4 Tutorials 3 Configure the screen using the provided parameters and click Apply Common Setup Network Name SSID L Hide ssio Security Mode WPA Compatible Pre Shared Key ReAuthentication Timer Idle Timeout Group Key Update Timer MAC Filter QoS VIP WPA2 PSK vw ForvIPOnly 1800 _ In Seconds 3600 In Seconds 1800 In Seconds Deny Association None Highest v 4 Inthe More AP screen click the Edit icon to configure the third wireless network group LAP More AP WPS WPS Station wps Scheduling More AP Setup 2 Fl 3 active ssp Security Modify 33 Fj VIP ZyXELO3 ZyXELO4 odify WPA2 PSK B t Q None None g Tj apelu canes P 660HW Tx v3 Series User s Guide Chapter 4 Tutorials 5 Configure the screen using the provided parameters and click Apply Common Setup Network Name SSID Guest Chide ssiD Security Mode Static WEP v Passphrase WEP Key Guest
139. From Internet Explorer click Tools Internet Options and then the Advanced tab 2 Make sure that Use Java 2 for applet under Java Sun is selected P 660HW Tx v3 Series User s Guide Appendix B Pop up Windows JavaScript and Java Permissions 3 Click OK to close the window Figure 184 Java Sun General Security Privacy Content Connections Programs Advanced Settings O Use inline AutoComplete O Use Passive FTP for firewall and DSL modem compatibility Use smooth scrolling s HTTP 1 1 settings v Use HTTP 1 1 O Use HTTP 1 1 through proxy connections 2 Java E d Use Java 2 141 07 fr copo equites eii 2 v1 4 1 07 for d Use Java 2 141 07 fr copo equites eii requires restart 5 Microso se Java m enabled requires restart O Java logging enabled JIT compiler for virtual machine enabled requires restart Multimedia O Always show Internet Explorer 5 0 or later Radio toolbar O Don t display online media content in the media bar Enable Automatic Image Resizing Fa gt Restore Defaults Mozilla Firefox Mozilla Firefox 2 0 screens are used here Screens for other versions may vary You can enable Java Javascript and pop ups in one screen Click Tools then click Options in the screen that appears Figure 185 Mozilla Firefox Tools gt Options IEEE Help Web Search Ctrl K Downloads Ctr J Add ons Web Developer Error Console Adblock Plus Ctrl Shift 4 Page Info
140. Help Address Local Network Network Tasks ZyXEL Prestige 650R 31 Internet Sharing Gateway Invoke gd Add a network place View network connections Set up a home or small office network 3 View workgroup computers Create Shortcut Rename Properties Other Places 6 Right click on the icon for your ZyXEL Device and select Properties A properties window displays with basic information about the ZyXEL Device ZyXEL Internet Sharing Gateway General m ZEL Internet Sharing Gateway Manufacturer ZyXEL Model Name ZyXEL Intemet Sharing Gateway Model Number Description ZyXEL Internet Sharing Gateway Device Address http 192 158 1 1 Close Cance P 660HW Tx v3 Series User s Guide PART VI Maintenance System Settings 295 Logs 301 Tools 315 Diagnostic 329 20 1 20 1 1 20 1 2 System Settings Overview This chapter shows you how to configure system related settings such as system time password name the domain name and the inactivity timeout interval What You Can Do in the System Settings Screens Use the General screen Section 20 2 on page 296 to configure system settings Use the Time Setting screen Section 20 3 on page 298 to set the system time What You Need to Know About System Settings DHCP DHCP Dynamic Host Configuration Protocol is a method of allocating IP addresses to dev
141. If a device is not allowed to use the wireless network it does not matter if it has the correct information This type of security does not protect the information that is sent in the wireless network Furthermore there are ways for unauthorized wireless devices to get the MAC address of an authorized device Then they can use that MAC address to use the wireless network 8 8 3 3 User Authentication Authentication is the process of verifying whether a wireless device is allowed to use the wireless network You can make every user log in to the wireless network before using it However every device in the wireless network has to support IEEE 802 1x to do this For wireless networks you can store the user names and passwords for each user in a RADIUS server This is a server used in businesses more than in homes If you do not have a RADIUS server you cannot set up user names and passwords for your users Unauthorized wireless devices can still see the information that is sent in the wireless network even if they cannot use the wireless network Furthermore there are ways for unauthorized wireless users to get a valid user name and password Then they can use that user name and password to use the wireless network 8 8 3 4 Encryption Wireless networks can use encryption to protect the information that is sent in the wireless network Encryption is like a secret code If you do not know the secret code you cannot understand the mess
142. LAN jv Active lt Back Next gt Exit The following table describes the labels in this screen Table 15 Wireless LAN Setup Wizard 1 LABEL DESCRIPTION Active Select the check box to turn on the wireless LAN Back Click this to return to the previous screen without saving P 660HW Tx v3 Series User s Guide Chapter 5 Internet and Wireless Setup Wizard Table 15 Wireless LAN Setup Wizard 1 LABEL DESCRIPTION Next Click this to continue to the next wizard screen Exit Click this to close the wizard screen without saving 3 Configure your wireless settings in this screen Click Next Figure 26 Wireless LAN fa Wireless LAN Network Name SSID ZyXELO1 Give your network a name You will search for this name from your wireless clients Channel Selection Channel 06 2437MHz Y can use one of channels You should use the default channel unless other tworks nearby ame channel Security Manually assign a APA PSK key option if you would prefer to create your own key WPA is stronger than WEP but not all s are compatible with WPA The following table describes the labels in this screen Table 16 Wireless LAN Setup Wizard 2 LABEL DESCRIPTION Network Name SSID Enter a descriptive name up to 32 printable 7 bit ASCII characters for the wireless LAN If you change this field on the ZyXEL Device make sure all wireless stations use the same SSID
143. LAN computers using UPnP 2 You may also need to create a Firewall rule 4 6 Access the ZyXEL Device Using DDNS If you connect your ZyXEL Device to the Internet and it uses a dynamic WAN IP address it is inconvenient for you to manage the device from the Internet The ZyXEL Device s WAN IP address changes dynamically Dynamic DNS DDNS allows you to access the ZyXEL Device using a domain name http zyxelrouter dyndns org d D E To use this feature you have to apply for DDNS service at www dyndns org This tutorial shows you how to Registering a DDNS Account on www dyndns org Configuring DDNS on Your ZyXEL Device P 660HW Tx v3 Series User s Guide Chapter 4 Tutorials Adding a Firewall Rule for Remote Management Testing the DDNS Setting Note If you have a private WAN IP address then you cannot use DDNS 4 6 1 Registering a DDNS Account on www dyndns org 1 Open a browser and type http www dyndns org 2 Apply for a user account This tutorial uses UserNamel1 and 12345 as the username and password 3 Log into www dyndns org using your account 4 Add a new DDNS host name This tutorial uses the following settings as an example Hostname zyxelrouter dyndns org Service Type Host with IP address P Address Enter the WAN IP address that your ZyXEL Device is currently using You can find the IP address on the ZyXEL Device s Web Configurator Status page Then
144. NFO 3 COMMUNICATION amp P 660HW Tx v3 Series User s Guide Chapter 4 Tutorials 4 2 3 Without WPS Use the wireless adapter s utility installed on the notebook to search for the Example SSID Then enter the DoNotStealMyWirelessNetwork pre shared key to establish an wireless Internet connection Note The ZyXEL Device supports IEEE 802 11b and IEEE 802 11g wireless clients Make sure that your notebook or computer s wireless adapter supports one of these standards 4 2 4 Setting Up Wireless Network Scheduling Thomas mostly uses his notebook to access the Internet on weekends occasionally he uses it at night on weekdays Here is how Thomas can set up a schedule to turn on the wireless network at specific time and days Click Network gt Wireless Network gt Scheduling to open the following screen Wireless LAN Scheduling Cl Enable Wireless LAN Scheduling ee The following times _ 24 Hour Format Specify the same begin time and end time means the whole day schedule off on L Everyday 00 M hour 00 iv min 00 iv hour 00 M min off on L men 00 v hour 00 v min 00 v hour 00 iv min off on O Tue 00 v hour 00 iv min 00 v hour 00 min off on L wed 00 v hour 00 v min 00 hour 00 min O oft 9 on L Thu 00 v hour 00 iv min 00 v hour 00 M min O off on O rri 00 hour 00 min
145. Network LAN IP LABEL DESCRIPTION IP Address Enter the LAN IP address you want to assign to your ZyXEL Device in dotted decimal notation for example 192 168 1 1 factory default IP Subnet Mask Type the subnet mask of your network in dotted decimal notation for example 255 255 255 0 factory default Your ZyXEL Device automatically computes the subnet mask based on the IP Address you enter so do not change this field unless you are instructed to do so Apply Click this to save your changes Cancel Click this to restore your previously saved settings Advanced Setup Click this to display the Advanced LAN Setup screen and edit more details of your LAN setup 7 2 1 The Advanced LAN IP Setup Screen Use this screen to edit your ZyXEL Device s RIP multicast Any IP and Windows Networking settings Click the Advanced Setup button in the LAN IP screen The screen appears as shown Figure 39 Network gt LAN gt IP Advanced Setup RIP Direction RIP Version Multicast Any IP Setup Active Packet Filter RIP amp Multicast Setup Windows Networking NetBIOS over TCP IP M Allow between LAN and WAN Incoming Filter Sets Protocol Filter Generic Filter Outgoing Filter Sets Protocol Filter Generic Filter None None None None None None None None None v None nene None None v None v None None
146. Ns 395 Services 411 Legal Information 415 Index 419 Setting up Your Computer s IP Address All computers must have a 10M or 100M Ethernet adapter card and TCP IP installed Windows 95 98 Me NT 2000 XP Vista Macintosh OS 7 and later operating systems and all versions of UNIX LINUX include the software components you need to install and use TCP IP on your computer Windows 3 1 requires the purchase of a third party TCP IP application package TCP IP should already be installed on computers using Windows NT 2000 XP Macintosh OS 7 and later operating systems After the appropriate TCP IP components are installed configure the TCP IP settings in order to communicate with your network If you manually assign IP information instead of using dynamic assignment make sure that your computers have IP addresses that place them in the same subnet as the ZyXEL Device s LAN port P 660HW Tx v3 Series User s Guide 351 Appendix A Setting up Your Computer s IP Address Windows 95 98 Me Click Start Settings Control Panel and double click the Network icon to open the Network window Figure 145 Windows 95 98 Me Network Configuration rk LPR for TCP IP Printing 3Com EtherLink 10 100 PCI TX NIC 39058 TX Dial Up Adapter Client for Microsoft Networks q Installing Components The Network window Configuration tab displays a list of installed components You need a network adapter the TCP IP protocol
147. P 20 21 are allowed from the Internet to the LAN Internet users may be able to connect to computers with running FTP servers Does this rule conflict with any existing rules Once these questions have been answered adding rules is simply a matter of entering the information into the correct fields in the web configurator screens Triangle Route When the firewall is on your ZyXEL Device acts as a secure gateway between your LAN and the Internet In an ideal network topology all incoming and outgoing network traffic passes through the ZyXEL Device to protect your LAN against attacks Figure 84 Ideal Firewall Setup LAN WAN INTERNE P 660HW Tx v3 Series User s Guide 207 Chapter 10 Firewalls 10 5 4 1 The Triangle Route Problem A traffic route is a path for sending or receiving data packets between two Ethernet devices You may have more than one connection to the Internet through one or more ISPs If an alternate gateway is on the LAN and its IP address is in the same subnet as the ZyXEL Device s LAN IP address the triangle route also called asymmetrical route problem may occur The steps below describe the triangle route problem A computer on the LAN initiates a connection by sending out a SYN packet to a receiving server on the WAN The ZyXEL Device reroutes the SYN packet through Gateway A on the LAN to the WAN The reply from the WAN goes directly to the computer on the LAN without going thr
148. P 660HW Tx v3 Series 802 119 Wireless ADSL2 4 port Gateway Default Login Details IP Address http 192 168 1 1 Admin 1234 Password User user Password Firmware Version 3 70 Edition 2 10 2010 ZyXEL Copyright 2010 ZyXEL Communications Corporation www zyxel com About This User s Guide About This User s Guide Intended Audience This manual is intended for people who want to configure the ZyXEL Device using the web configurator You should have at least a basic knowledge of TCP IP networking concepts and topology Related Documentation Quick Start Guide The Quick Start Guide is designed to help you get up and running right away It contains information on setting up your network and configuring for Internet access Web Configurator Online Help Embedded web help for descriptions of individual screens and supplementary information Note It is recommended you use the web configurator to configure the ZyXEL Device Support Disc Refer to the included CD for support documents ZyXEL Web Site Please refer to www zyxel com for additional support documentation and product certifications User Guide Feedback Help us help you Send all User Guide related comments questions or suggestions for improvement to the following address or use e mail instead Thank you The Technical Writing Team ZyXEL Communications Corp 6 Innovation Road II Science Based Industrial Park Hsinchu 300 Tai
149. P should work over WAN as well it is not recommended To use TFTP your computer must have both telnet and TFTP clients To transfer the firmware and the configuration file follow the procedure shown next 1 Usetelnet from your computer to connect to the device and log in Because TFTP does not have any security checks the device records the IP address of the telnet client and accepts TFTP requests only from this address 2 Enter the command sys stdio 0 to disable the management idle timeout so the TFTP transfer will not be interrupted Enter command sys stdio 5 to restore the five minute management idle timeout default when the file transfer is complete 3 Launch the TFTP client on your computer and connect to the device Set the transfer mode to binary before starting data transfer 4 Usethe TFTP client see the example below to transfer files between the device and the computer The file name for the firmware is ras Note that the telnet connection must be active and the device in CI mode before and during the TFTP transfer For details on TFTP commands see following example please consult the documentation of your TFTP client program For P 660HW Tx v3 Series User s Guide Chapter 22 Tools UNI X use get to transfer from the device to the computer put the other way around and binary to set binary transfer mode TFTP Upload Command Example The following is an example TFTP command tftp i host p
150. PS button on the registrar and the first enrollee for example then check that it successfully enrolled then set up the second device in the same way WPS works only with other WPS enabled devices However you can still add non WPS devices to a network you already set up using WPS WPS works by automatically issuing a randomly generated WPA PSK or WPA2 PSK pre shared key from the registrar device to the enrollee devices Whether the network uses WPA PSK or WPA2 PSK depends on the device You can check the configuration interface of the registrar device to discover the key the network is using if the device supports this feature Then you can enter the key into the non WPS device and join the network as normal the non WPS device must also support WPA PSK or WPA2 PSK P 660HW Tx v3 Series User s Guide Chapter 8 Wireless LAN 170 When you use the PBC method there is a short period from the moment you press the button on one device to the moment you press the button on the other device when any WPS enabled device could join the network This is because the registrar has no way of identifying the correct enrollee and cannot differentiate between your enrollee and a rogue device This is a possible way for a hacker to gain access to a network You can easily check to see if this has happened WPS works between only two devices simultaneously so if another device has enrolled your device will be unable to enroll and wil
151. PTION lt Facility 8 Severity gt Mon dd This message is sent by the system RAS hr mm ss hostname displays as the system name if you haven t src lt srcIP srcPort gt configured one when the router generates a dst lt dstIP dstPort gt syslog The facility is defined in the web MAIN msg msg note lt note gt MENU gt LOGS gt Log Settings page The severity is devID lt mac address last three the log s syslog class The definition of messages numbers cat lt category gt and notes are defined in the various log charts throughout this appendix The devi D is the last three characters of the MAC address of the router s LAN port The cat is the same as the category in the router s logs P 660HW Tx v3 Series User s Guide 313 Chapter 21 Logs The following table shows RFC 2408 ISAKMP payload types that the log displays Please refer to RFC 2408 for detailed information on each type Table 107 RFC 2408 ISAKMP Payload Types LOG DISPLAY PAYLOAD TYPE SA Security Association PROP Proposal TRANS Transform KE Key Exchange ID Identification CER Certificate CER REQ Certificate Request HASH Hash SIG Signature NONCE Nonce NOTFY Notification DEL Delete VID Vendor ID P 660HW Tx v3 Series User s Guide Tools 22 1 Overview This chapter explains how to upload new firmware manage configuration files and restart
152. S devices is unconfigured This means that it is not part of an existing network and can act as either enrollee or registrar if it supports both functions If the registrar is unconfigured the security settings it transmits to the enrollee are randomly generated Once a WPS enabled device has connected to another device using WPS it becomes configured A configured wireless client can still act as enrollee or registrar in subsequent WPS connections but a configured access point can no longer act as enrollee It will be the registrar in all subsequent WPS connections in which it is involved If you want a configured AP to act as an enrollee you must reset it to its factory defaults P 660HW Tx v3 Series User s Guide 167 Chapter 8 Wireless LAN 8 8 8 4 Example WPS Network Setup This section shows how security settings are distributed in an example WPS setup The following figure shows an example network In step 1 both AP1 and Client 1 are unconfigured When WPS is activated on both they perform the handshake In this example AP1 is the registrar and Client 1 is the enrollee The registrar randomly generates the security information to set up the network since it is unconfigured and has no existing information Figure 64 WPS Example Network Step 1 ENROLLEE REGISTRAR SECURITY INFO CLIENT 1 AP1 In step 2 you add another wireless client to the network You know that Client 1 supports registrar mode but it is
153. SUA SIP ALG 181 264 activation 181 SSID 138 140 150 159 activation 149 MBSSID 162 static route 239 activation 240 configuration 241 example 239 status 32 35 38 Any IP 39 ATM 331 DSL connections 332 firewalls 37 firmware version 36 LAN 36 packet statistics 40 WAN 36 wireless LAN 37 WLAN 39 WPS 151 SUA 172 173 subnet 385 subnet mask 120 131 386 subnetting 388 Sustain Cell Rate see SCR syntax conventions 5 system 296 backing up configuration 321 backup configuration 320 firmware 316 323 upgrading 318 version 36 LED 26 name 297 passwords 29 30 administrator 297 users 297 reset 27 restoring configuration 317 status 32 35 firewalls 37 LAN 36 WAN 36 wireless LAN 37 time 298 T tagging frames 244 251 Telnet 276 TFTP 321 backing up configuration 321 upgrading firmware 319 three way handshake 202 thresholds data fragment 146 158 DoS 190 202 203 P2P 203 RTS CTS 146 158 time 298 TR 069 24 trademarks 415 traffic priority 243 252 traffic shaping 116 example 116 triangle route 195 207 208 solutions 208 trusted CA 230 233 P 660HW Tx v3 Series User s Guide Index algorithm 234 exporting 234 importing 231 MD5 fingerprint 234 PEM 234 SHA1 fingerprint 234 U UBR 105 112 117 unicast 100 Universal Plug and Play see UPnP upgrading firmware 318 323 UPnP 281 activation 283 cautions 282 example 284 installation 284 NAT traversal 281 URL 211 V VBR 117 VBR nRT
154. Saving Time ends in the United States on the first Sunday of November Each time zone in the United States stops using Daylight Saving Time at 2 A M local time So in the United States you would select First Sunday November and type 2 in the o clock field Daylight Saving Time ends in the European Union on the last Sunday of October All of the time zones in the European Union stop using Daylight Saving Time at the same moment 1 A M GMT or UTC So in the European Union you would select Last Sunday October The time you type in the o clock field depends on your time zone In Germany for instance you would type 2 because Germany s time zone is one hour ahead of GMT or UTC GMT 1 Apply Click this to save your changes Cancel Click this to restore your previously saved settings P 660HW Tx v3 Series User s Guide 21 1 21 1 1 21 1 2 Logs Overview This chapter contains information about configuring general log settings and viewing the ZyXEL Device s logs The web configurator allows you to choose which categories of events and or alerts to have the ZyXEL Device log and then display the logs or have the ZyXEL Device send them to an administrator as e mail or to a syslog server What You Can Do in the Log Screens Use the View Log screen Section 21 2 on page 302 to see the logs for the categories that you selected in the Log Settings screen Use The Log Settings screen Section 21 3 on pag
155. Setting up Your Computer s IP Address Windows 2000 NT XP The following example figures use the default Windows XP GUI theme 1 Click start Start in Windows 2000 NT Settings Control Panel Figure 148 Windows XP Start Menu Internet Explorer e My Documents S Outlook Express V Paint 88 Files and Settings Transfer W hb ERY Command Prompt LJ My Music e My Pictures 2 My Recent Documents gt Acrobat Reader 4 0 Ws My Computer Tour Windows xP aQ Windows Movie Maker E Control Panel ka Printers and Q9 Help and Support 99 Search All Programs gt W Run P Log Off 0 Turn OFF Computer 5 untitled Paint 2 Inthe Control Panel double click Network Connections Network and Dial up Connections in Windows 2000 NT Figure 149 Windows XP Control Panel amp Control Panel Edit View Favorites Tools Help File Q 8 o B JO Search Folders Ez Address G Control Panel Vg Control Panel e Qe Switch to Category view See Also A Windows Update Game Controllers P 660HW Tx v3 Series User s Guide Appendix A Setting up Your Computer s IP Address 3 Right click Local Area Connection and then click Properties Figure 150 Windows XP Control Panel Network Connections Properties s Network Connections File Edit View Favorites Tools Advanced Help Q e amp Search lie Folders E Address
156. TCP IP Setup etc It arrives from ZyXEL with a rom filename extension Once you have customized the ZyXEL Device s settings they can be saved back to your computer under a filename of your choosing ZyNOS ZyXEL Network Operating System sometimes referred to as the ras file is the system firmware and has a bin filename extension Find this firmware at www zyxel com With many FTP and TFTP clients the filenames are similar to those seen next ftp put firmware bin ras This is a sample FTP session showing the transfer of the computer file firmware bin to the ZyXEL Device ftp get rom 0 config cfg This is a sample FTP session saving the current configuration to the computer file config cfg If your T FTP client does not allow you to have a destination filename different than the source you will need to rename them as the ZyXEL Device only recognizes rom 0 and ras Be sure you keep unaltered copies of both files for later use The following table is a summary Please note that the internal filename refers to the filename on the ZyXEL Device and the external filename refers to the filename not on the ZyXEL Device that is on your computer local network or FTP site and so the name but not the extension may vary After uploading new firmware see the Status screen to confirm that you have uploaded the correct firmware version Table 108 Filename Conventions INTERNAL NAME Configuration Rom 0 This is the co
157. The router filters packets as they pass through the router s interface according to the filter rules you designed Packet filtering is a powerful tool yet can be complex to configure and maintain especially if you need a chain of rules to filter a service Packet filtering only checks the header portion of an IP packet When To Use Filtering To block allow LAN packets by their MAC addresses To block allow special IP packets which are neither TCP nor UDP nor ICMP packets To block allow both inbound WAN to LAN and outbound LAN to WAN traffic between the specific inside host network A and outside host network B If the filter blocks the traffic from A to B it also blocks the traffic from B to A Filters cannot distinguish traffic originating from an inside host or an outside host by IP address To block allow IP trace route Firewall The firewall inspects packet contents as well as their source and destination addresses Firewalls of this type employ an inspection module applicable to all protocols that understands data in the packet is intended for other layers from the network layer IP headers up to the application layer P 660HW Tx v3 Series User s Guide 227 Chapter 12 Packet Filter The firewall performs stateful inspection It takes into account the state of connections it handles so that for example a legitimate incoming packet can be matched with the outbound request for that packet and all
158. This example shows how to configure the 802 1Q 1P settings on the ZyXEL Device P 660HW Tx DAN VolP Network Internet PPPoE E Internet PPPoE E E E LAN1 and LAN2 are connected to ATAs Analogue Telephone Adapters and used for VoIP traffic You want to create high priority for this type of traffic so you want to group these ports into one VLAN VLAN2 and then to a PVC PVC1 where the priority is set to high level of service You would start with the following steps 1 Click Advanced gt 802 1Q 1P gt Group Setting and then click the Edit button to display the following screen 2 Inthe Name field type VoIP to identify the group 3 Inthe VLAN ID field type in 2 to identify the VLAN group 4 Select PVC1 from the Default Gateway drop down list box 5 Inthe Control field select Fixed for LAN1 LAN2 and PVC1 to be permanent members of the VLAN group P 660HW Tx v3 Series User s Guide Chapter 15 802 1Q 1P 6 Click Apply cur 0 Name voIP VLAN ID fz Default Gateway ever Ports __control tx Tag LAN1 Fixed C Forbidden Tx Tagging LAN2 Fixed C Forbidden D Tx Tagging LAN3 C Fixed Forbidden Tx Tagging LAN4 C Fixed Forbidden Tx Tagging SSID1 C Fixed Forbidden I Tx Tagging SSID2 C Fixed Forbidden Tx Tagging SSID3 C Fixed Forbidden I Tx Tag
159. This field determines if a log for packets that match the rule is created or not Go to the Log Settings page and select the Access Control logs category to have the ZyXEL Device record these logs Alert P 660HW Tx v3 Series User s Guide Chapter 10 Firewalls Table 54 Security gt Firewall gt Rules Edit continued Administrator When Matched LABEL DESCRIPTION Send Alert Select the check box to have the ZyXEL Device generate an alert when Message to the rule is matched Back Click this to return to the previous screen without saving Apply Click this to save your changes Cancel Click this to restore your previously saved settings 10 3 2 Customized Services Configure customized services and port numbers not predefined by the ZyXEL Device For a comprehensive list of port numbers and services visit the ANA Internet Assigned Number Authority website See Appendix E on page 411 for some examples Click the Edit Customized Services link while editing a firewall rule to configure a custom service port This displays the following screen Figure 80 Security gt Firewall gt Rules Edit Edit Customized Services S mo i Ist je fon e deo Iro e Customized Services D Back The following table describes the labels in this screen Table 55 Security gt Firewall gt Rules Edit Edit Customized Services LABEL DESCRIPTION No This
160. WLAN is enabled or InActive when WLAN is disabled Rate For the LAN interface this displays the port speed and duplex setting For the DSL interface it displays the downstream and upstream transmission rate For the WLAN interface it displays the maximum transmission rate when WLAN is enabled or N A when WLAN is disabled Summary Client List Click this link to view current DHCP client information See Section 7 4 on page 126 AnyI P Table Click this link to view a list of IP addresses and MAC addresses of computers which are not in the same subnet as the ZyXEL Device See Section 3 3 on page 38 WLAN Status Click this link to display the MAC address es of the wireless stations that are currently associating with the ZyXEL Device See Section 3 4 on page 39 Packet Statistics Click this link to view port status and packet specific statistics See Section 3 6 on page 40 See Section 7 4 on page 126 for information on this screen P 660HW Tx v3 Series User s Guide Chapter 3 Status Screens 3 4 WLAN Status Use this screen to view the wireless stations that are currently associated to the ZyXEL Device Click Status WLAN Status to access this screen Figure 8 WLAN Status Wireless LAN Association List a 001 00 12 0e Sa bi df 04 54 10 2000 01 01 The following table describes the labels in this screen Table 5 WLAN Status LABEL DESCRIPTION This
161. XEL routers supported only Many to Many Overload Many to Many Overload mode maps multiple local IP addresses to shared global IP addresses Many to Many No Overload Many to Many No Overload mode maps each local IP address to unique global IP addresses Server This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world Local Start IP This is the starting local IP address ILA Local IP addresses are N A for Server port mapping Local End IP This is the end local IP address ILA If your rule is for all local IP addresses then enter 0 0 0 0 as the Local Start I P address and 255 255 255 255 as the Local End IP address This field is N A for One to One and Server mapping types Global Start This is the starting global IP address IGA Enter 0 0 0 0 here if you have IP a dynamic IP address from your ISP Global End IP This is the ending global IP address IGA This field is N A for One to One Many to One and Server mapping types Server Only available when Type is set to Server Mapping Set Select a number from the drop down menu to choose a port forwarding set Edit Details Click this link to go to the Port Forwarding screen to edit a port forwarding set that you have selected in the Server Mapping Set field Back Click this to return to the previous screen without saving Apply Click this to save your changes C
162. You Can Do in the Lag SCIONS erre rii raa Ri a ror cda aguanta es 301 21 1 2 What You Need To Know About LOGS iss estates so cdaa ri nta aa nada ki mda 301 21 2 The View Log DOGEN iscir eane Lectt nba b N sio ires aoe 302 21 3 The Log Seb SEO cessi e geh Ode Git Ebo od E nU ED PLE e e Ra 303 PIS SRIF EO GBS AS qussisticeiqate duque estara IURE npc Ddet tese aM e ese laa EP hee duU ier SO ERU 305 HAE NETIIUS JS xuribSo ce 305 2ko Log I e ci Me 306 Chapter 22 OU COOO OY i rm 315 come nl pe 315 22 1 1 What You Can Do inthe Tool Screens 1 rd rrr oem tr ae aa t 315 22 1 2 What You Need To Know About Tools 11 esas ttteee tian rb eee Dine Hed aian 316 221 9 Baloe TE m 317 VLA CM Tav E uec en C saautde sadesoutetaplunardesnsnsuedeialeauutesen 317 zoo WEN TRANS OE aa terrd caaece BRUM pesce laptop QR tu P IREE CE UR ER EE IA 323 223 Pe WONT SOBRE dria a a pho pct nau as pda tu eed a ub pop HR 325 2223 IHSISSI DO BE uuisnizoxsaiecbusani ias cda tadaib dauid dr on iuda rn E usd ON cau cu E 328 P 660HW Tx v3 Series User s Guide Table of Contents Chapter 23 lp n 329 EXON EEUU oU seta tise RR RT T ETIN 329 23 1 1 What You Can Do in the Diagnostig Sereng uiuos co ette e cepto Rub mtus ceu EE Rtui 329 29 8 The General DISOGOSUG SOOO uuiuss
163. ZyXEL Device routes traffic from A to R and then R routes the traffic to B This tutorial uses the following example IP settings Table 8 IP Settings in this Tutorial DEVICE COMPUTER IP ADDRESS The ZyXEL Device s WAN 172 16 1 1 The ZyXEL Device s LAN 192 168 1 1 A 192 168 1 34 R s N1 192 168 1 253 R s N2 192 168 10 2 B 192 168 10 33 To configure a static route to route traffic from N1 to N2 1 Log into the ZyXEL Device s Web Configurator in advanced mode 2 Click Advanced Static Route 3 Click Edit on a new rule in the Static Route screen Static Route Static Route Rules Fa a E A S 1 z z 2 3 P 660HW Tx v3 Series User s Guide Chapter 4 Tutorials 4 Configure the Static Route Setup screen using the following settings 4a Select Active 4b Specify a descriptive name for this routing rule 4c Type 192 168 10 0 and subnet mask 255 255 255 0 for the destination N2 4d Select Gateway Address for the gateway type 4e Type 192 168 1 253 R s N1 address in the Gateway IP Address field Static Route Setup M Active Route Name Few Destination IP Address 192 168 10 0 IP Subnet Mask 255 255 255 0 Gateway Type Gateway Address v Gateway IP Address i21681 253 Gateway Node vs el Apply Cancel 4a Click Apply Now B should be able to receive traffic from A You may need to additionally configure B s firewall settings t
164. a Only Full Feature Max NAT Firewall Session Per User 512 Apply Cancel 3 Click the Address Mapping tab and then click the Edit icon on a new rule General Address Mapping Address Mapping Rules 1 Local Start 1P Local End IP Global Start IP Global End IP Modify 2 EK ul iit a 4 Configure the rule using the following settings Type Many to Many No Overload Local IP addresses 192 168 1 2 192 168 1 3 Global IP addresses 172 16 1 253 172 16 1 254 Edit Address Mapping Rulet Type Many to Many No Overload Local Start IP 192 168 1 2 Local End IP 192 168 1 3 Global Start IP 172 16 1 253 Global End IP 172 16 1 254 Server Mapping Set 10 z Edit Details Apply Cancel Then click Apply P 660HW Tx v3 Series User s Guide Chapter 4 Tutorials 4 8 2 Full Feature NAT One to One Mapping Use this setting if your applications must use fixed public IP addresses and the applications can be initiated either from the Intranet computers A and B or the Internet computer C For example gaming application To configure this setting 1 Click Network gt NAT 2 Select Active Network Address Translation NAT and Full Feature in the General screen Click Apply General NAT Setup M Active Network Address Translation NAT C SUA Only Full Feature Max NAT Firewall Session Per User 512 Apply Cancel 3 Click the Address Mapping tab click
165. a encryption wireless client authentication restricting access by device MAC address and hiding the ZyXEL Device identity The following figure shows the relative effectiveness of these wireless security methods available on your ZyXEL Device Table 132 Wireless Security Levels SECURITY LEVEL SECURITY TYPE Least Unique SSID Default Secure Unique SSID with Hide SSID Enabled MAC Address Filtering WEP Encryption EEE802 1x EAP with RADIUS Server Authentication Wi Fi Protected Access WPA WPA2 Most Secure Note You must enable the same wireless security settings on the ZyXEL Device and on all wireless clients that you want to associate with it P 660HW Tx v3 Series User s Guide Appendix D Wireless LANs IEEE 802 1x In June 2001 the IEEE 802 1x standard was designed to extend the features of IEEE 802 11 to support extended authentication as well as providing additional accounting and control features It is supported by Windows XP and a number of network devices Some advantages of IEEE 802 1x are User based identification that allows for roaming Support for RADIUS Remote Authentication Dial In User Service RFC 2138 2139 for centralized user profile and accounting management on a network RADIUS server Support for EAP Extensible Authentication Protocol RFC 2486 that allows additional authentication methods to be deployed with no changes to the access point
166. a specific virtual circuit for example VCI carries IP etc VC based multiplexing may be dominant in environments where dynamic creation of large numbers of ATM VCs is fast and economical LLC based Multiplexing In this case one VC carries multiple protocols with protocol identifying information being contained in each packet header Despite the extra bandwidth and processing overhead this method may be advantageous if it is not practical to have a separate VC for each carried protocol for example if charging heavily depends on the number of simultaneous VCs 6 4 3 VPI and VCI Be sure to use the correct Virtual Path Identifier VPI and Virtual Channel Identifier VCI numbers assigned to you The valid range for the VPI is O to 255 P 660HW Tx v3 Series User s Guide Chapter 6 WAN Setup and for the VCI is 32 to 65535 0 to 31 is reserved for local management of ATM traffic Please see the appendix for more information 6 4 4 IP Address Assignment A static IP is a fixed IP that your ISP gives you A dynamic IP is not fixed the ISP assigns you a different one each time The Single User Account feature can be enabled or disabled if you have either a dynamic or static IP However the encapsulation method assigned influences your choices for IP address and ENET ENCAP gateway IP Assignment with PPPoA or PPPoE Encapsulation If you have a dynamic IP then the IP Address and Gateway IP Address fields are not applicable N A
167. able 1 LED Descriptions LED OR STATUS DESCRIPTION INTERNET Green On The ZyXEL Device has an IP connection but no traffic Your device has a WAN IP address either static or assigned by a DHCP server PPP negotiation was successfully completed if used and the DSL connection is up Blinking The ZyXEL Device is sending or receiving IP traffic Red On The ZyXEL Device attempted to make an IP connection but failed Possible causes are no response from a DHCP server no PPPoE response PPPoE authentication failed Off The ZyXEL Device does not have an IP connection Refer to the Quick Start Guide for information on hardware connections 1 6 The RESET Button If you forget your password or cannot access the web configurator you will need to use the RESET button at the back of the device to reload the factory default configuration file This means that you will lose all configurations that you had previously and the password will be reset to 1234 You can also use the 1 6 1 Using the Reset Button 1 Make sure the POWER LED is on not blinking 2 To set the device back to the factory default settings press the RESET button for ten seconds or until the POWER LED begins to blink and then release it When the POWER LED begins to blink the defaults have been restored and the device restarts 1 7 The WPS WLAN Button You can use the WPS WLAN ON OFF button on the back of the device to turn th
168. additional information Shared Secret Enter a password up to 31 alphanumeric characters as the key to be shared between the external accounting server and the ZyXEL Device The key must be the same on the external accounting server and your ZyXEL Device The key is not sent over the network 8 2 5 Wireless LAN Advanced Setup Use this screen to configure advanced wireless settings Click the Advanced Setup button in the AP screen The screen appears as shown See Section 8 8 2 on page 158 for detailed definitions of the terms listed in this screen Figure 51 Network gt Wireless LAN gt AP Advanced Setup Wireless Advanced Setup RTS CTS Threshold 2346 0 2432 Fragmentation Threshold 2346 Output Power Preamble 802 11 Mode Maximum e Long v Mixed vi Back Apply Cancel The following table describes the labels in this screen Table 34 Network gt Wireless LAN gt AP Advanced Setup LABEL DESCRIPTION RTS CTS Enter a value between 0 and 2432 Threshold Fragmentation This is the maximum data fragment size that can be sent Enter a value Threshold between 256 and 2432 Output Power Set the output power of the ZyXEL Device If there is a high density of APs in an area decrease the output power to reduce interference with other APs Select one of the following Maximum Middle or Minimum Preamble Select a preamble type from the drop down list menu Ch
169. age The types of encryption you can choose depend on the type of authentication See Section 8 8 3 3 on page 160 for information about this Table 43 Types of Encryption for Each Type of Authentication NO AUTHENTICATION RADIUS SERVER Weakest No Security WPA Static WEP t WPA PSK Strongest WPA2 PSK WPA2 P 660HW Tx v3 Series User s Guide Chapter 8 Wireless LAN For example if the wireless network has a RADIUS server you can choose WPA or WPA2 If users do not log in to the wireless network you can choose no encryption Static WEP WPA PSK or WPA2 PSK Usually you should set up the strongest encryption that every device in the wireless network supports For example suppose you have a wireless network with the ZyXEL Device and you do not have a RADIUS server Therefore there is no authentication Suppose the wireless network has two devices Device A only supports WEP and device B supports WEP and WPA Therefore you should set up Static WEP in the wireless network Note It is recommended that wireless networks use WPA PSK WPA or stronger encryption The other types of encryption are better than none at all but it is still possible for unauthorized wireless devices to figure out the original information pretty quickly When you select WPA2 or WPA2 PSK in your ZyXEL Device you can also select an option WPA compatible to support WPA as well In this case if some of the devices suppor
170. ags 263 266 activation 258 bandwidth 258 classifiers 259 activation 260 configuration 261 creation 260 priority 262 CoS 254 DiffServ 267 DSCP 262 264 267 example 254 FTP 264 IP precedence 266 monitor 265 priority queue 267 remote node 264 routing policy 262 SIP 264 Quality of Service see QoS R RADIUS 401 message types 401 messages 401 shared secret key 402 RADIUS server 160 reauthentication WPA 143 145 registration product 418 related documentation 3 remote management 273 DNS 278 FTP 277 ICMP 279 limitations 274 NAT 275 Telnet 276 WWW 275 remote node 264 reset 27 328 restart 328 restoring configuration 317 326 restrictions FTP 317 RFC 1483 102 109 114 RIP 104 111 120 123 128 132 Routing Information Protocol see RIP routing policy 262 RTS Request To Send 398 threshold 397 398 RTS threshold 146 158 rules port forwarding 177 S safety warnings 7 schedules content filtering 215 P 660HW Tx v3 Series User s Guide Index firewalls 199 logs 304 wireless LAN 155 SCR 105 112 116 security network 206 wireless LAN 140 158 Service Set IDentifier see SSID Session Initiation Protocol see SIP setup 325 classifiers 261 DHCP 125 firewalls 194 198 203 IP alias 128 logs 303 packet filtering 222 225 port forwarding 175 static route 241 WAN 101 wireless LAN 139 wizard 86 SHA1 fingerprint 234 shaping traffic 116 Single User Account see
171. ails Windows Optional Networking Components Wizard Windows Components You can add or remove components of Windows XP To add or remove a component click the checkbox A shaded box means that only part of the component will be installed To see what s included in a component click Details Components rx Management and Monitoring Tools eZ ina 5 i e Other Network File and Print Services Description Contains a variety of specialized network related services and protocols Total disk space required 0 0 MB Space available on disk 260 9 MB 286 P 660HW Tx v3 Series User s Guide Chapter 19 Universal Plug and Play UPnP 5 Inthe Networking Services window select the Universal Plug and Play check box Networking Services To add or remove a component click the check box amp shaded box means that only part of the component will be installed To see what s included in a component click Details Subcomponents of Networking Services C JB RIP Listener 0 0MB E A Simple TCP IP Services 0 0 MB Universal Plug and Play Description Allows your computer to discover and control Universal Plug and Play devices Total disk space required 0 0 MB Space available on disk 260 8 MB 6 Click OK to go back to the Windows Optional Networking Component Wizard window and click Next 19 4 Using UPnP in Windows XP Example This section shows you how to use the UPnP feature
172. ancel Click this to restore your previously saved settings P 660HW Tx v3 Series User s Guide Chapter 9 Network Address Translation NAT 9 5 The SIP ALG Screen Some NAT routers may include a SIP Application Layer Gateway ALG A SIP ALG allows SIP calls to pass through NAT by examining and translating IP addresses embedded in the data stream When the ZyXEL Device registers with the SIP register server the SIP ALG translates the ZyXEL Device s private IP address inside the SIP data stream to a public IP address You do not need to use STUN or an outbound proxy if your ZyXEL Device is behind a SIP ALG Use this screen to enable and disable the SIP VoIP ALG in the ZyXEL Device To access this screen click Network gt NAT gt ALG Figure 73 Network gt NAT gt ALG ALG ALG Settings Enable SIP ALG Apply Reset The following table describes the fields in this screen Table 49 Network gt NAT gt ALG LABEL DESCRIPTION Enable SIP ALG Select this to make sure SIP VoIP works correctly with port forwarding and address mapping rules Apply Click this to save your changes Reset Click this to restore your previously saved settings 9 6 NAT Technical Reference This chapter contains more information regarding NAT 9 6 1 NAT Definitions Inside outside denotes where a host is located relative to the ZyXEL Device for example the computers of your subscriber
173. and Client for Microsoft Networks If you need the adapter 1 In the Network window click Add 2 Select Adapter and then click Add 3 Select the manufacturer and model of your network adapter and then click OK If you need TCP IP 1 In the Network window click Add 2 Select Protocol and then click Add 352 P 660HW Tx v3 Series User s Guide Appendix A Setting up Your Computer s IP Address 3 Select Microsoft from the list of manufacturers 4 Select TCP IP from the list of network protocols and then click OK If you need Client for Microsoft Networks 1 Click Add 2 Select Client and then click Add 3 Select Microsoft from the list of manufacturers 4 Select Client for Microsoft Networks from the list of network clients and then click OK 5 Restart your computer so the changes you made take effect Configuring 1 Inthe Network window Configuration tab select your network adapter s TCP IP entry and click Properties 2 Click the IP Address tab f your IP address is dynamic select Obtain an IP address automatically f you have a static IP address select Specify an I P address and type your information into the IP Address and Subnet Mask fields Figure 146 Windows 95 98 Me TCP IP Properties IP Address TCP IP Properties ER 2 xi Bindings Advanced Netblos DNS Configuration Gateway WINS Configuration IP Address An IP address can be automatically assigned to this computer I
174. angs for example Click Maintenance gt Tools gt Restart Click Restart to have the ZyXEL Device reboot This does not affect the ZyXEL Device s configuration Figure 142 Maintenance gt Tools gt Restart System Reboot Click Restart to have the device perform a software restart The SYS or PWR LED blinks as the device restarts and then stays steady on if the restart is successful Wait a minute before logging into the device again Restart P 660HW Tx v3 Series User s Guide Diagnostic 23 1 Overview These read only screens display information to help you identify problems with the ZyXEL Device 23 1 1 What You Can Do in the Diagnostic Screens Use the General Diagnostic screen Section 23 2 on page 329 to ping an IP address Use the DSL Line Diagnostic screen Section 23 3 on page 330 to view the DSL line statistics and reset the ADSL line 23 2 The General Diagnostic Screen Use this screen to ping an IP address Click Maintenance Diagnostic to open the screen shown next Figure 143 Maintenance Diagnostic General General TCP IP Address Ping P 660HW Tx v3 Series User s Guide Chapter 23 Diagnostic The following table describes the fields in this screen Table 113 Maintenance gt Diagnostic gt General LABEL DESCRIPTION TCP IP Type the IP address of a computer that you want to ping in order to test a Address connection
175. ar a swimming pool Do NOT expose your device to dampness dust or corrosive liquids Do NOT store things on the device Do NOT install use or service this device during a thunderstorm There is a remote risk of electric shock from lightning Connect ONLY suitable accessories to the device Do NOT open the device or unit Opening or removing covers can expose you to dangerous high voltage points or other risks ONLY qualified service personnel should service or disassemble this device Please contact your vendor for further information Make sure to connect the cables to the correct ports Place connecting cables carefully so that no one will step on them or stumble over them Always disconnect all cables from this device before servicing or disassembling Use ONLY an appropriate power adaptor or cord for your device Connect the power adaptor or cord to the right supply voltage for example 110V AC in North America or 230V AC in Europe Do NOT allow anything to rest on the power adaptor or cord and do NOT place the product where anyone can walk on the power adaptor or cord Do NOT use the device if the power adaptor or cord is damaged as it might cause electrocution f the power adaptor or cord is damaged remove it from the device and the power source Do NOT attempt to repair the power adaptor or cord Contact your local vendor to order a new one Do not use the device outside and make sure all the
176. ard These fields are case sensitive so make sure Caps Lock is not on 3 If you are trying to access the Internet wirelessly make sure the wireless settings in the wireless client are the same as the settings in the AP 4 Disconnect all the cables from your device and follow the directions in the Quick Start Guide again 5 If the problem continues contact your ISP P 660HW Tx v3 Series User s Guide Chapter 24 Troubleshooting cannot access the Internet anymore had access to the Internet with the ZyXEL Device but my Internet connection is not available anymore 1 Check the hardware connections and make sure the LEDs are behaving as expected See the Quick Start Guide and Section 1 5 on page 26 2 Turn the ZyXEL Device off and on 3 Ifthe problem continues contact your ISP The Internet connection is slow or intermittent 1 There might be a lot of traffic on the network Look at the LEDs and check Section 1 5 on page 26 If the ZyXEL Device is sending or receiving a lot of information try closing some programs that use the Internet especially peer to peer applications 2 Check the signal strength If the signal strength is low try moving your computer closer to the ZyXEL Device if possible and look around to see if there are any devices that might be interfering with the wireless network for example microwaves other wireless networks and so on 3 Turn the ZyXEL Device off and on 4 I
177. ault time interval is 1800 seconds 30 minutes Note If wireless station authentication is done using a RADIUS server the reauthentication timer on the RADIUS server has priority P 660HW Tx v3 Series User s Guide Chapter 8 Wireless LAN Table 32 Network gt Wireless LAN gt AP WPA 2 PSK LABEL DESCRIPTION Idle Timeout The ZyXEL Device automatically disconnects a wireless station from the wired network after a period of inactivity The wireless station needs to enter the username and password again before access to the wired network is allowed The default time interval is 3600 seconds or 1 hour Group Key Update Timer The Group Key Update Timer is the rate at which the AP if using WPA 2 PSK key management or RADI US server if using WPA 2 key management sends a new group key out to all clients The re keying process is the WPA 2 equivalent of automatically changing the WEP key for an AP and all stations in a WLAN on a periodic basis 8 2 4 WPA 2 Authentication Use this screen to configure and enable WPA or WPA2 authentication Click the Wireless LAN link under Network to display the AP screen Select WPA WPA2 or WPAMixed from the Security Mode list Figure 50 Network gt Wireless LAN gt AP WPA 2 Common Setup Network Name SSID Hide ssiD Security Mode Cl wea Compatible ReAuthentication Timer Idle Timeout ZyXELO1 WPA2 v 1800 In Seconds
178. aved settings 12 3 Packet Filter Technical Reference 12 3 1 This section provides some technical background information about the topics covered in this chapter Filter Types and NAT There are two classes of filter rules generic filter rules and protocol filter rules Generic filter rules act on the raw data from to LAN and WAN Protocol filter rules act on the IP packets When NAT Network Address Translation is enabled the inside IP address and port number are replaced on a connection by connection basis which makes it impossible to know the exact address and port on the wire Therefore the ZyXEL Device applies the protocol filters to the native IP address and port number before NAT for outgoing packets and after NAT for incoming packets On the other hand the generic filters are applied to the raw packets that appear on the wire They are applied at the point when the ZyXEL Device is P 660HW Tx v3 Series User s Guide Chapter 12 Packet Filter 12 3 2 receiving and sending the packets that is the interface The interface can be an Ethernet port or any other hardware port The following diagram illustrates this Figure 95 Protocol and Generic Filter Sets Route Incoming Generic Filters Protocol Filters NAT Outgoing Firewall Versus Filters Below are some comparisons between the ZyXEL Device s filtering and firewall functions Packet Filtering
179. b based configurator on the ZyXEL Device without finding out the IP address of the ZyXEL Device first This comes helpful if you do not know the IP address of the ZyXEL Device Follow the steps below to access the web configurator 1 Click Start and then Control Panel 2 Double click Network Connections P 660HW Tx v3 Series User s Guide Chapter 19 Universal Plug and Play UPnP 3 Select My Network Places under Other Places Network Connections File Edit View Favorites Tools Advanced Help Q Back 5d J2 Search lie Folders Gz e Network Connections Network Tasks Internet Connection 5 Create a new connection Disabled Set up a home or small C m Internet Connection office network LAN or High Speed Internet See Also Local Area Connection 4 Network Troubleshooter Enabled B E a Accton EN1207D TX PCI Fast Other Places Control Panel My Network Places 1 3 My Documents 3 My Computer Details Network Connections System Folder Network Connections 4 An icon with the description for each UPnP enabled device displays under Local Network P 660HW Tx v3 Series User s Guide Chapter 19 Universal Plug and Play UPnP 5 Right click on the icon for your ZyXEL Device and select Invoke The web configurator login screen displays T My Network Places File 1 Bact 5d pe Search i Folders Ei a My Network Places Edit View Favorites Tools
180. better to use AP1 for the WPS handshake with the new client since you must connect to the access point anyway in order to use the network In this case AP1 must be the registrar since it is configured it already has security information for the network AP1 supplies the existing security information to Client 2 Figure 65 WPS Example Network Step 2 REGISTRAR EXISTING CONNECTION S CLIENT 1 P 9 AP1 v wee ENROLLEE o ye eo Ke AJ CLIENT 2 In step 3 you add another access point AP2 to your network AP2 is out of range of AP1 so you cannot use AP1 for the WPS handshake with the new access P 660HW Tx v3 Series User s Guide Chapter 8 Wireless LAN point However you know that Client 2 supports the registrar function so you use it to perform the WPS handshake instead Figure 66 WPS Example Network Step 3 EXISTING CONNECTION CLIENT 1 AP1 REGISTRAR P n AJ AS CLIENT 2 S ENROLLEE LY UR m mo Say AP2 8 8 8 5 Limitations of WPS WPS has some limitations of which you should be aware WPS works in Infrastructure networks only where an AP and a wireless client communicate It does not work in Ad Hoc networks where there is no AP When you use WPS it works between two devices only You cannot enroll multiple devices simultaneously you must enroll one after the other For instance if you have two enrollees and one registrar you must set up the first enrollee by pressing the W
181. ble mode than the ZyXEL Device does it cannot communicate with the ZyXEL Device Authentication The process of verifying whether a wireless device is allowed to use the wireless network Fragmentation A small fragmentation threshold is recommended for busy networks Threshold while a larger threshold provides faster performance if the network is not very busy 8 8 3 Wireless Security Overview By their nature radio communications are simple to intercept For wireless data networks this means that anyone within range of a wireless network without security can not only read the data passing over the airwaves but also join the network Once an unauthorized person has access to the network he or she can steal information or introduce malware malicious software intended to compromise the network For these reasons a variety of security systems have been developed to ensure that only authorized people can use a wireless data network or understand the data carried on it These security standards do two things First they authenticate This means that only people presenting the right credentials often a username and password or a key phrase can access the network Second they encrypt This means that the information sent over the air is encoded Only people with the code key can understand the information and only people who have been authenticated are given the code key P 660HW Tx v3 Series User s Guide Chapt
182. c1 B pr S Y EX MP X EE RE e SS SS SS cen r T EE ee ee m 1 5 1 2 E ET REI RUSO UR RR OR RC ER n RR ive d e Hea ee ea a a d ntn Cancel The following table describes the labels in this screen Table 71 Advanced gt 802 1Q 1P gt Group Setting LABEL DESCRIPTION 802 1Q 1P Active Select this check box to activate the 802 1P 1Q feature Management Vlan Enter the ID number of a VLAN group All interfaces ports SSIDs and ID PVCs are in the management VLAN by default If you disable the management VLAN you will not be able to access the ZyXEL Device Summary This field displays the index number of the VLAN group P 660HW Tx v3 Series User s Guide Chapter 15 802 1QAP Table 71 Advanced 802 1Q 1P Group Setting continued port is marked as T an untagged LABEL DESCRIPTION Name This field displays the name of the VLAN group VID This field displays the ID number of the VLAN group Port Number These columns display the VLAN s settings for each port A tagged participating in a VLAN are marked as port is marked as U and ports not u u Modify Click the Edit button to configure the the ports in the VLAN group Click the Remove button to delete the VLAN group Apply Click this to save your changes Cancel Click this to restore your previously saved setting
183. ce and video to make them run more smoothly Similarly give low priority to many large file downloads so that they do not reduce the quality of other applications WAN Managed Bandwidth Enter the amount of bandwidth for the WAN interface that you want to allocate using QoS The recommendation is to set this speed to match the interface s actual transmission speed For example set the WAN interface speed to 1000 kbps if your Internet connection has an upstream transmission speed of 1 Mbps You can set this number higher than the interface s actual transmission speed This will stop lower priority traffic from being sent if higher priority traffic uses all of the actual bandwidth You can also set this number lower than the interface s actual transmission speed This will cause the ZyXEL Device to not use some of the interface s available bandwidth P 660HW Tx v3 Series User s Guide Chapter 16 Quality of Service QoS Table 74 Advanced QoS General LABEL DESCRIPTION Traffic priority These fields are ignored if traffic matches a class you configured in the will be Class Setup screen automatically assigned by If you select ON and traffic does not match a class configured in the Class Setup screen the ZyXEL Device assigns priority to unmatched traffic based on the IEEE 802 1p priority level IP precedence and or packet length See Section 16 5 4 on page 267 for more information
184. cense to use However wireless networking is different from that of most traditional radio communications in that there a number of wireless networking standards available with different methods of data encryption SSID Each network must have a name referred to as the SSID Service Set IDentifier The service set is the network so the service set identifier is the network s name This helps you identify your wireless network when wireless networks coverage areas overlap and you have a variety of networks to choose from MAC Address Filter Every Ethernet device has a unique MAC Media Access Control address The MAC address consists of twelve hexadecimal characters 0 9 and A to F and it is usually written in the following format 0A A0 00 BB CC DD The MAC address filter controls access to the wireless network You can use the MAC address of each wireless client to allow or deny access to the wireless network Finding Out More See Section 8 8 on page 156 for advanced technical information on wireless networks 8 1 3 Before You Start Before you start using these screens ask yourself the following questions See Section 8 1 2 on page 138 if some of the terms used here are not familiar to you P 660HW Tx v3 Series User s Guide Chapter 8 Wireless LAN What wireless standards do the other wireless devices in your network support IEEE 802 11g for example What is the most appropriate standard to use
185. cess the web configurator select Go to Wizard setup and click Apply Otherwise click the wizard icon ad in the top right corner of the web configurator to go to the wizards Figure 12 Select a Mode P 660HW Tx v3 Series User s Guide Chapter 5 Internet and Wireless Setup Wizard 2 Click INTERNET WI RELESS SETUP to configure the system for Internet access and wireless connection Figure 13 Wizard Welcome Welcome to the ZyXEL Wizard Setup 3 Your ZyXEL device attempts to detect your DSL connection and your connection type 3a The following screen appears if a connection is not detected Check your hardware connections and click Restart the INTERNET WIRELESS SETUP Wizard to return to the wizard welcome screen If you still cannot connect click Manually configure your Internet connection Follow the directions in the wizard and enter your Internet setup information as provided to you by your ISP See Section 5 2 1 on page 86 for more details If you would like to skip your Internet setup and configure the wireless LAN settings leave Yes selected and click Next Figure 14 Auto Detection No DSL Connection STEP 1 sTEP 2 f Internet Configuration Your router has not established a DS o your local exchange e DSL light on the router will blink while if hr Restart the Internet Wireless Setup Wizard Manually confiqure your Internet connection Continue to Wireless Setup wizard Yes No Next gt
186. cessfully Drop This shows how many packets mapped to this priority queue are dropped Poll Interval s Enter the time interval for refreshing statistics in this field Set Interval Click this to apply the new poll interval you entered in the Poll I nterval s field Stop Click this to stop refreshing statistics P 660HW Tx v3 Series User s Guide Chapter 16 Quality of Service QoS 16 5 QoS Technical Reference 16 5 1 This section provides some technical background information about the topics covered in this chapter IEEE 802 1Q Tag The IEEE 802 1Q standard defines an explicit VLAN tag in the MAC header to identify the VLAN membership of a frame across bridges A VLAN tag includes the 12 bit VLAN ID and 3 bit user priority The VLAN ID associates a frame with a specific VLAN and provides the information that devices need to process the frame across the network IEEE 802 1p specifies the user priority field and defines up to eight separate traffic types The following table describes the traffic types defined in the IEEE 802 1d standard which incorporates the 802 1p Table 78 IEEE 802 1p Priority Level and Traffic Type PRIORITY LEVEL TRAFFIC TYPE Level 7 Typically used for network control traffic such as router configuration messages Level 6 Typically used for voice traffic that is especially sensitive to jitter jitter is the variations in delay Level 5 Typ
187. ch as video on demand The ZyXEL Device assigns each packet a priority and then queues the packet accordingly Packets assigned with a high priority are processed more quickly than those with low priorities if there is congestion allowing time sensitive applications to flow more smoothly Time sensitive applications include both those that require a low level of latency delay and a low level of jitter variations in delay such as Voice over IP Vol P or Internet gaming and those for which jitter alone is a problem such as Internet radio or streaming video 16 1 1 What You Can Do in the QoS Screens Use the General screen Section 16 2 on page 258 to enable QoS on the ZyXEL Device decide allowable bandwidth using QoS and configure priority mapping settings for traffic that does not match a custom class Use the Class Setup screen Section 16 3 on page 259 to set up classifiers to sort traffic into different flows and assign priority and define actions to be performed for a classified traffic flow Use the Monitor screen Section 16 4 on page 265 to view the ZyXEL Device s QoS related packet statistics P 660HW Tx v3 Series User s Guide 253 Chapter 16 Quality of Service QoS 16 1 2 What You Need to Know About QoS QoS versus Cos QoS is used to prioritize source to destination traffic flows All packets in the same flow are given the same priority Class of Service CoS is a way of managing traffic in a network
188. chase or those with an out dated warranty will be repaired or replaced at the discretion of ZyXEL and the customer will be billed for parts and labor All repaired or replaced products will be shipped by ZyXEL to the corresponding return address Postage Paid This warranty gives you specific legal rights and you may also have other rights that vary from country to country Registration Register your product online to receive e mail notices of firmware upgrades and information at www zyxel com for global products or at www us zyxel com for North American products P 660HW Tx v3 Series User s Guide Index Numerics 802 1Q 1P 243 activation 249 example 245 group settings 250 management VLAN 249 port settings 252 priority 243 252 PVC 244 PVID 252 tagging frames 244 251 A activation 802 1Q 1P 249 Any IP 123 classifiers 260 content filtering 214 dynamic DNS 270 DYNDNS wildcard 271 firewalls 195 generic filters 224 MAC address filter 148 NAT 173 port forwarding 177 protocol filters 221 QoS 258 SIP ALG 181 SSID 149 static route 240 UPnP 283 wireless LAN 140 scheduling 155 WPS 151 address mapping 178 rules 179 types 179 180 184 Address Resolution Protocol see ARP administrator password 30 297 Index alerts 301 firewalls 200 algorithm certificates 234 MD5 fingerprint 234 SHA1 fingerprint 234 alternative subnet mask notation 388 antenna directional 410 gain 409 omni directional 410 anti probi
189. computer that is connected to a ETHERNET port can see the Login screen but cannot log in to the ZyXEL Device 1 Make sure you have entered the password correctly The default admin password is 1234 and the default user password is user The field is case sensitive so make sure Caps Lock is not on 2 You cannot log in to the web configurator while someone is using Telnet to access the ZyXEL Device Log out of the ZyXEL Device in the other session or ask the person who is logged in to log out P 660HW Tx v3 Series User s Guide 337 Chapter 24 Troubleshooting 3 Turn the ZyXEL Device off and on 4 Ifthis does not work you have to reset the device to its factory defaults See Section 24 1 on page 335 cannot Telnet to the ZyXEL Device See the troubleshooting suggestions for cannot see or access the Login screen in the web configurator Ignore the suggestions about your browser cannot use FTP to upload download the configuration file cannot use FTP to upload new firmware See the troubleshooting suggestions for cannot see or access the Login screen in the web configurator Ignore the suggestions about your browser 24 3 Internet Access cannot access the Internet 1 Check the hardware connections and make sure the LEDs are behaving as expected See the Quick Start Guide and Section 1 5 on page 26 2 Make sure you entered your ISP account information correctly in the wiz
190. configure and enable WPA 2 PSK authentication Click Network gt Wireless LAN to display the AP screen Select WPA PSK or WPA2 PSK from the Security Mode list Figure 49 Network gt Wireless LAN gt AP WPA 2 PSK Common Setup Network Name SSID ZyXELO1 C hide ss1D Security Mode WPA PSK M Pre Shared Key ReAuthentication Timer 1800 In Seconds Idle Timeout 3600 In Seconds Group Key Update Timer 1800 In Seconds The following table describes the wireless LAN security labels in this screen Table 32 Network gt Wireless LAN gt AP WPA 2 PSK LABEL DESCRIPTION Security Mode Choose WPA PSK or WPA2 PSK from the drop down list box WPA Compatible This check box is available only when you select WPA2 PSK or WPA2 in the Security Mode field Select the check box to have both WPA PSK and WPA wireless clients be able to communicate with the ZyXEL Device even when the ZyXEL Device is using WPA2 PSK or WPA2 Pre Shared Key The encryption mechanisms used for WPA 2 and WPA 2 PSK are the same The only difference between the two is that WPA 2 PSK uses a simple common password instead of user specific credentials Type a pre shared key from 8 to 63 case sensitive ASCII characters including spaces and symbols ReAuthentication Specify how often wireless stations have to resend usernames and Timer passwords in order to stay connected Enter a time interval between 10 and 9999 seconds The def
191. connections are indoors There is a remote risk of electric shock from lightning Do NOT obstruct the device ventilation slots as insufficient airflow may harm your device Use only No 26 AWG American Wire Gauge or larger telecommunication line cord Antenna Warning This device meets ETSI and FCC certification requirements when using the included antenna s Only use the included antenna s This device is for indoor use only utilisation int rieure exclusivement i Ne stands for Waste Electronics and Electrical Equipment It means that used electrical w and electronic products should not be mixed with general waste Used electrical and nes electronic equipment should be treated separately Your product is marked with this symbol which is known as the WEEE mark WEEE H P 660HW Tx v3 Series User s Guide Safety Warnings P 660HW Tx v3 Series User s Guide Contents Overview Contents Overview no A5 21 nisse DINDICEUS P d 2E 29 Introduce ihe Web Configurator sossarna ani unaia a dad i OQ ap ccu rei 29 crier e E T A T E N E E S 35 TOO i E A A OA EATA 43 aaa E A 81 internet and Wireless Setup Wizard auem cc a a UB a ei ra en b Jon LR LR ODER nd 83 Lii 97 AN ec rs RU UE uU Daca ch gas 99 Erb ipe 119 QUL o B aa a A Naoee
192. controlled delay and delay variation It is commonly used for bursty traffic typical on LANs PCR and MBS define the burst levels SCR defines the minimum level An example of an VBR nRT connection would be non time sensitive data file transfers Unspecified Bit Rate UBR The Unspecified Bit Rate UBR ATM traffic class is for bursty data transfers However UBR doesn t guarantee any bandwidth and only delivers traffic when the network has spare bandwidth An example application is background file transfer P 660HW Tx v3 Series User s Guide 11 7 Chapter 6 WAN Setup P 660HW Tx v3 Series User s Guide LAN Setup 7 1 Overview A Local Area Network LAN is a shared communication system to which many networking devices are connected It is usually located in one immediate area such as a building or floor of a building Use the LAN screens to help you configure a LAN DHCP server and manage IP addresses 7 1 1 What You Can Do in the LAN Screens Use the LAN IP screen Section 7 2 on page 121 to set the LAN IP address and subnet mask of your ZyXEL device You can also edit your ZyXEL Device s RIP multicast any IP and Windows Networking settings from this screen Use the DHCP Setup screen Section 7 3 on page 124 to configure the ZyXEL Device s DHCP settings Use the Client List screen Section 7 4 on page 126 to assign IP addresses on the LAN to specific individual computers based on their MAC Addresses
193. cs about the DSL connections noise margin downstream is the signal to noise ratio for the downstream part of the connection coming into the ZyXEL Device from the ISP It is measured in decibels The higher the number the more signal and less noise there is output power upstream is the amount of power in decibels that the ZyXEL Device is using to transmit to the ISP attenuation downstream is the reduction in amplitude in decibels of the DSL signal coming into the ZyXEL Device from the ISP Discrete Multi Tone DMT modulation divides up a line s bandwidth into sub carriers sub channels of 4 3125 KHz each called tones The rest of the display is the line s bit allocation This is displayed as the number in hexadecimal format of bits transmitted for each tone This can be used to determine the quality of the connection whether a given sub carrier loop has sufficient margins to support certain ADSL transmission rates and possibly to determine whether particular specific types of interference or line attenuation exist Refer to the ITU T G 992 1 recommendation for more information on DMT The better or shorter the line the higher the number of bits transmitted for a DMT tone The maximum number of bits that can be transmitted per DMT tone is 15 There will be some tones without any bits as there has to be space between the upstream and downstream channels Reset ADSL Line Click this to reinitialize the ADSL line The large
194. ct either PPPoA or RFC 1483 If you select Routing in the Mode field select PPPoA RFC 1483 ENET ENCAP or PPPoE P 660HW Tx v3 Series User s Guide Chapter 5 Internet and Wireless Setup Wizard Table 10 Internet Access Wizard Setup ISP Parameters LABEL DESCRIPTION Multiplexing Select the multiplexing method used by your ISP from the Multiplex drop down list box either VC based or LLC based Virtual Circuit VPI Virtual Path Identifier and VCI Virtual Channel Identifier define a ID virtual circuit Refer to the appendix for more information VPI Enter the VPI assigned to you This field may already be configured VCI Enter the VCI assigned to you This field may already be configured Back Click this to return to the previous screen without saving Next Click this to continue to the next wizard screen The next wizard screen you see depends on what protocol you chose above Exit Click this to close the wizard screen without saving 2 The next wizard screen varies depending on what mode and encapsulation type you use All screens shown are with routing mode Configure the fields and click Next to continue See Section 5 3 on page 92 for wireless connection wizard setup Figure 18 Internet Connection with PPPoE fa Internet Configuration Please enter the Us ea vord given to you by your Internet Service Provider here If your ISP gave you lt ce Nam iter it in the th
195. ct the check box to enable this classifier Name This is the name of the classifier Interface This shows the interface from which traffic of this classifier should come Priority This is the priority assigned to traffic of this classifier Filter Content This shows criteria specified in this classifier Modify Click the Edit icon to go to the screen where you can edit the classifier Click the Remove icon to delete an existing classifier Apply Click this to save your changes Cancel Click this to restore your previously saved settings P 660HW Tx v3 Series User s Guide Chapter 16 Quality of Service QoS 16 3 1 The Class Configuration Screen Use this screen to configure a classifier Click the Add button or the Edit icon in the Modify field to display the following screen Figure 114 Advanced gt QoS gt Class Setup Edit Calss Configuration v Active Name Defaut Interface FromLan Priority 2 Detaut Routing Policy By Routing Table v WAN Index Gateway Address Order Tag Configuration DSCP Value Same z p 1 063 802 1Q Tag Same 7 Ethernet Priority 0 5E z VLAN ID 2 2 4094 Filter Configuration Source Address oo 0 0 Subnet Netmask 0 0 0 0 F Exclude Port o o F Exclude D mac MAC Mask F Exclude Destination Address 0 0 0 6 F exclude Port o o F Exclude m mac MAC Ma
196. d other systems that support the DHCP client If set to None the DHCP server will be disabled If set to Relay the ZyXEL Device acts as a surrogate DHCP server and relays DHCP requests and responses between the remote server and the clients Enter the IP address of the actual remote DHCP server in the Remote DHCP Server field in this case When DHCP is used the following items need to be set IP Pool Starting Address This field specifies the first of the contiguous addresses in the IP address pool Pool Size This field specifies the size or count of the IP address pool Remote DHCP Server If Relay is selected in the DHCP field above then enter the IP address of the actual remote DHCP server here DNS Server DNS Servers Assigned by DHCP Server The ZyXEL Device passes a DNS Domain Name System server IP address to the DHCP clients First DNS Server Second DNS Server Third DNS Server Select Obtained From ISP if your ISP dynamically assigns DNS server information and the ZyXEL Device s WAN IP address Select User Defined if you have the IP address of a DNS server Enter the DNS server s IP address in the field to the right If you chose User Defined but leave the IP address set to 0 0 0 0 User Defined changes to None after you click Apply If you set a second choice to User Defined and enter the same IP address the second User Defined changes to None after you click Apply Selec
197. d the highest is 192 168 1 126 Similarly the host ID range for subnet B is 192 168 1 129 to 192 168 1 254 Example Four Subnets The previous example illustrated using a 25 bit subnet mask to divide a 24 bit address into two subnets Similarly to divide a 24 bit address into four subnets you need to borrow two host ID bits to give four possible combinations 00 01 10 and 11 The subnet mask is 26 bits 11111111 11111111 11111111 11000000 or 255 255 255 192 Each subnet contains 6 host ID bits giving 29 2 or 62 hosts for each subnet a host ID of all zeroes is the subnet itself all ones is the subnet s broadcast address Table 124 Subnet 1 IP SUBNET MASK NETWORK NUMBER LAST OCTET BIT VALUE IP Address Decimal 192 168 1 0 IP Address Binary 11000000 10101000 00000001 00000000 Subnet Mask Binary 11111111 11111111 11111111 11000000 Subnet Address Lowest Host ID 192 168 1 1 192 168 1 0 Broadcast Address Highest Host ID 192 168 1 62 192 168 1 63 Table 125 Subnet 2 IP SUBNET MASK NETWORK NUMBER LAST OCTET BIT VALUE IP Address 192 168 1 64 IP Address Binary 11000000 10101000 00000001 01000000 Subnet Mask Binary 11111111 11111111 11111111 11000000 Subnet Address Lowest Host ID 192 168 1 65 192 168 1 64 Broadcast Address Highest Host ID 192 168 1 126 192 168 1 127 P 660HW Tx v3 Series User s Guide Appendix C IP Addresses and Subnet
198. d PPPoE encapsulation only Enter the password associated with the user name above Service Name PPPoE only Type the name of your PPPoE service here Multiplexing Select the method of multiplexing used by your ISP from the drop down list Choices are VC or LLC This field is not available if you set the WAN type to Ethernet Virtual Circuit ID VPI Virtual Path Identifier and VCI Virtual Channel Identifier define a virtual circuit Refer to the appendix for more information These fields are not available if you set the WAN type to Ethernet VPI The valid range for the VPI is O to 255 Enter the VPI assigned to you VCI The valid range for the VCI is 32 to 65535 0 to 31 is reserved for local management of ATM traffic Enter the VCI assigned to you P 660HW Tx v3 Series User s Guide Chapter 6 WAN Setup Table 19 Network gt WAN gt Internet Access Setup continued LABEL DESCRIPTION P Address This option is available if you select Routing in the Mode field A static IP address is a fixed IP that your ISP gives you A dynamic IP address is not fixed the ISP assigns you a different one each time you connect to the Internet Select Obtain an IP Address Automatically if you have a dynamic IP address otherwise select Static I P Address and type your ISP assigned IP address in the I P Address field below Subnet Mask This option is available if you select ENET ENCAP
199. d for Transmitting PPP Over Ethernet PPPoE RFC 2684 Multiprotocol Encapsulation over ATM Adaptation Layer 5 RFC 2766 Network Address Translation Protocol IEEE 802 11 Also known by the brand Wi Fi denotes a set of Wireless LAN WLAN standards developed by working group 11 of the IEEE LAN MAN Standards Committee IEEE 802 IEEE 802 11b Uses the 2 4 gigahertz GHz band IEEE 802 11g Uses the 2 4 gigahertz GHz band IEEE 802 11g Turbo and Super G modes IEEE 802 11d Standard for Local and Metropolitan Area Networks Media Access Control MAC Bridges IEEE 802 11x Port Based Network Access Control IEEE 802 11e QoS IEEE 802 11 e Wireless LAN for Quality of Service ANSI T1 413 Issue 2 Asymmetric Digital Subscriber Line ADSL standard G dmt G 992 1 G 992 1 Asymmetrical Digital Subscriber Line ADSL Transceivers ITU G 992 1 G DMT ITU standard for ADSL using discrete multitone modulation ITU G 992 2 G Lite ITU standard for ADSL using discrete multitone modulation ITU G 992 3 ITU standard also referred to as ADSL2 that extends the G dmt bis capability of basic ADSL in data rates ITU G 992 4 ITU standard also referred to as ADSL2 that extends the G lite bis capability of basic ADSL in data rates ITU G 992 5 ADSL2 ITU standard also referred to as ADSL2 that extends the capability of basic ADSL by doubling the number of downstream bits P 660HW Tx v
200. d if it is 0 0 0 0 Source Subnet Enter the IP subnet mask for the source IP address Netmask Source Port Enter the source port of the packets that you wish to filter The range of this field is 0 to 65535 This field is ignored if it is O Port Compare Select the comparison to apply to the source port in the packet against the value given in the Source Port field Options are None Equal Not Equal Less and Greater TCP Estab This field is only available when you select TCP in the Protocol field Select Yes to have the rule match packets that want to establish a TCP connection This field is ignored if you select No More Select Yes to pass a matching packet to the next filter rule before an action is taken Select No to act upon the packet according to the action fields Log Select a logging option from the following None No packets will be logged Match Only packets that match the rule parameters will be logged Not Match Only packets that do not match the rule parameters will be logged Both All packets will be logged Action Match Select the action for a matching packet Options are Check Next Rule Forward and Drop Action Not Select the action for a packet not matching the rule an Options are Check Next Rule Forward and Drop Back Click this to return to the previous screen without saving Apply Click this to save your changes Cancel Click this to restore your previo
201. d okay 150 Opening data connection for STOR ras 226 File received OK ftp 16384 bytes sent in 1 10Seconds 297 89Kbytes sec ftp quit Configuration Backup Using GUI based FTP Clients The following table describes some of the commands that you may see in GUI based FTP clients Table 109 General Commands for GUI based FTP Clients COMMAND DESCRIPTION Host Address Enter the address of the host server Login Type Anonymous This is when a user I D and password is automatically supplied to the server for anonymous access Anonymous logins will work only if your ISP or service administrator has enabled this option Normal The server requires a unique User ID and Password to login Transfer Type Transfer files in either ASCII plain text format or in binary mode Initial Remote Specify the default remote directory path Directory Initial Local Directory Specify the default local directory path Backup Configuration Using TFTP The ZyXEL Device supports the up downloading of the firmware and the configuration file using TFTP Trivial File Transfer Protocol over LAN Although TFTP should work over WAN as well it is not recommended To use TFTP your computer must have both telnet and TFTP clients To backup the configuration file follow the procedure shown next P 660HW Tx v3 Series User s Guide 321 Chapter 22 Tools 1 Use telnet from your computer to
202. d subnet mask There are two ways that an ISP disseminates the DNS server addresses The ISP tells you the DNS server addresses usually in the form of an information sheet when you sign up If your ISP gives you DNS server addresses enter them in the DNS Server fields in the DHCP Setup screen Some ISPs choose to disseminate the DNS server addresses using the DNS server extensions of IPCP IP Control Protocol after the connection is up If your ISP did not give you explicit DNS servers chances are the DNS servers are conveyed through IPCP negotiation The ZyXEL Device supports the IPCP DNS server extensions through the DNS proxy feature If the DNS Server fields in the DHCP Setup screen are set to DNS Relay the ZyXEL Device tells the DHCP clients that it itself is the DNS server When a computer sends a DNS query to the ZyXEL Device the ZyXEL Device acts as a DNS proxy and forwards the query to the real DNS server learned through IPCP and relays the response back to the computer Please note that DNS proxy works only when the ISP uses the IPCP DNS server extensions It does not mean you can leave the DNS servers out of the DHCP setup under all circumstances If your ISP gives you explicit DNS servers make sure that you enter their IP addresses in the DHCP Setup screen P 660HW Tx v3 Series User s Guide Chapter 7 LAN Setup 7 6 4 LAN TCP IP The ZyXEL Device has built in DHCP server capability that assigns IP addresses a
203. de servers of different services behind the NAT to be accessible to the outside world Modify Click the edit icon to go to the screen where you can edit the address mapping rule Click the delete icon to delete an existing address mapping rule Note that subsequent address mapping rules move up by one when you take this action 9 4 1 The Address Mapping Rule Edit Screen Use this screen to edit an address mapping rule Click the rule s edit icon in the Address Mapping screen to display the screen shown next Figure 72 Network NAT Address Mapping Edit Tvpe Edit Address Mapping Rule1 Local Start IP 0 0 0 0 Local End IP N A Global Start IP 0 0 0 0 Global End IP N A Server Mapping Set 2 z Edit Details One to One Apply Cancel P 660HW Tx v3 Series User s Guide 179 Chapter 9 Network Address Translation NAT The following table describes the fields in this screen Table 48 Network gt NAT gt Address Mapping Edit LABEL DESCRIPTION Type Choose the port mapping type from one of the following One to One One to One mode maps one local IP address to one global IP address Note that port numbers do not change for One to one NAT mapping type Many to One Many to One mode maps multiple local IP addresses to one global IP address This is equivalent to SUA i e PAT port address translation ZyXEL s Single User Account feature that previous Zy
204. defined application When you select a predefined application you do not configure the rest of the filter fields SIP Session Initiation Protocol is a signaling protocol used in Internet telephony instant messaging and other VoIP Voice over IP applications Select the check box and select Vol P SI P from the drop down list box to configure this classifier for traffic that uses SIP File Transfer Protocol FTP is an Internet file transfer service that operates on the Internet and over TCP IP networks A system running the FTP server accepts commands from a system running an FTP client The service allows users to send commands to the server for uploading and downloading files Select the check box and select FTP from the drop down list box to configure this classifier for FTP traffic Protocol Select this option and select the protocol TCP or UDP or select User defined and enter the protocol service type number 0 means any protocol number Packet Length Select this option and enter the minimum and maximum packet length from 28 to 1500 in the fields provided DSCP Select this option and specify a DSCP DiffServ Code Point number between 0 and 63 in the field provided Ethernet Priority Select this option and select a priority level between 0 and 7 from the drop down list box 0 is the lowest priority level and 7 is the highest VLAN ID Select this option and specify a VLAN ID number betwee
205. disabled on the ZyXEL Device LAN and or WAN interfaces in the web configurator LAN WAN Select None to disable IP multicasting on these interfaces 7 6 7 Any IP Traditionally you must set the IP addresses and the subnet masks of a computer and the ZyXEL Device to be in the same subnet to allow the computer to access the Internet through the ZyXEL Device In cases where your computer is required to use a static IP address in another network you may need to manually configure the network settings of the computer every time you want to access the Internet via the ZyXEL Device With the Any IP feature and NAT enabled the ZyXEL Device allows a computer to access the Internet without changing the network settings such as IP address and subnet mask of the computer when the IP addresses of the computer and the ZyXEL Device are not in the same subnet Whether a computer is set to use a dynamic or static fixed IP address you can simply connect the computer to the ZyXEL Device and access the Internet The following figure depicts a scenario where a computer is set to use a static private IP address in the corporate environment In a residential house where a ZyXEL Device is installed you can still use the computer to access the Internet P 660HW Tx v3 Series User s Guide 133 Chapter 7 LAN Setup 3 without changing the network settings even when the IP addresses of the computer and the ZyXEL Device are not in the same subnet
206. dress of your ZyXEL Device in the Router address box Close the TCP I P Control Panel Click Save if prompted to save changes to your configuration Turn on your ZyXEL Device and restart your computer if prompted Verifying Settings Check your TCP IP properties in the TCP IP Control Panel window P 660HW Tx v3 Series User s Guide 367 Appendix A Setting up Your Computer s IP Address Macintosh OS X 1 Click the Apple menu and click System Preferences to open the System Preferences window Figure 166 Macintosh OS X Apple Menu r1 Grab File Edit Capt About This Mac Get Mac OS X Software System Preferences SSS ee n Doc Location 2 Click Network in the icon bar Select Automatic from the Location list Select Built in Ethernet from the Show list Click the TCP IP tab 3 For dynamically assigned settings select Using DHCP from the Configure list Figure 167 Macintosh OS X Network 680 Network aog Show All Displays Network Startup Disk Location Automatic m Show Built in Ethernet AppleTalk Proxies Configure Using DHCP Domain Name Servers Optional IP Address 192 168 11 12 168 95 1 1 Provided by DHCP Server Subnet Mask 255 255 254 0 Router 192 168 10 11 Search Domains Optional DHCP Client ID Optional Example apple com earthlink net Ethernet Address 00 05 02 43 93 ff a Click the lock to prevent further chan
207. e Apply Click this to save your changes Cancel Click this to restore your previously saved settings 18 5 The DNS Screen 278 Use DNS Domain Name System to map a domain name to its corresponding IP address and vice versa Refer to Chapter 7 on page 119 for background information Use this screen to set from which IP address the ZyXEL Device will accept DNS queries and on which interface it can send them your ZyXEL Device s DNS settings This feature is not available when the ZyXEL Device is set to bridge mode Click Advanced gt Remote MGMT gt DNS to change your ZyXEL Device s DNS settings Figure 121 Advanced gt Remote Management gt DNS DNS Port Access Status ALL v Secured Client IP all O Selected 0 0 0 0 Note You may also need to create a Firewall rule P 660HW Tx v3 Series User s Guide Chapter 18 Remote Management The following table describes the labels in this screen Table 84 Advanced gt Remote Management gt DNS LABEL DESCRIPTION Port The DNS service port number is 53 and cannot be changed here Access Status Select the interface s through which a computer may send DNS queries to the ZyXEL Device Secured Client A secured client is a trusted computer that is allowed to send DNS IP queries to the ZyXEL Device Select All to allow any computer to send DNS queries to the ZyXEL Device Choose Selected to just allow the c
208. e DNS DNS Domain Name System is for mapping a domain name to its corresponding P address and vice versa The DNS server is extremely important because without it you must know the IP address of a networking device before you can access it P 660HW Tx v3 Series User s Guide Chapter 7 LAN Setup Finding Out More See Section 7 6 on page 129 for technical background information on LANs 7 1 3 Before You Begin Find out the MAC addresses of your network devices if you intend to add them to the DHCP Client List screen 7T 2 The LAN IP Screen Use this screen to set the Local Area Network IP address and subnet mask of your ZyXEL Device Click Network gt LAN to open the IP screen Follow these steps to configure your LAN settings 1 Enter an IP address into the IP Address field The IP address must be in dotted decimal notation This will become the IP address of your ZyXEL Device 2 Enter the IP subnet mask into the IP Subnet Mask field Unless instructed otherwise it is best to leave this alone the configurator will automatically compute a subnet mask based upon the IP address you entered 3 Click Apply to save your settings Figure 38 Network LAN IP LAN TCP IP IP Address 192 168 1 1 IP Subnet Mask 255 255 255 0 Apply Cancel Advanced Setup P 660HW Tx v3 Series User s Guide 121 Chapter 7 LAN Setup The following table describes the fields in this screen Table 24
209. e 303 to configure the mail server the syslog server when to send logs and what logs to send What You Need To Know About Logs Alerts An alert is a message that is enabled as soon as the event occurs They include system errors attacks access control and attempted access to blocked web sites Some categories such as System Errors consist of both logs and alerts You may differentiate them by their color in the View Log screen Alerts display in red and logs display in black Logs A log is a message about an event that occurred on your ZyXEL Device For example when someone logs in to the ZyXEL Device you can set a schedule for how often logs should be enabled or sent to a syslog server P 660HW Tx v3 Series User s Guide Chapter 21 Logs 21 2 The View Log Screen Use the View Log screen to see the logs for the categories that you selected in the Log Settings screen see Section 21 3 on page 303 Click Maintenance Logs to open the View Log screen Entries in red indicate alerts The log wraps around and deletes the old entries after it fills Click a column heading to sort the entries A triangle indicates ascending or descending sort order Figure 126 Maintenance Logs View Log Yiew Log View Logs Display At Logs Email Log Now Refresh Clear Log NETT WEB Login Successfully User admin 2 oa eono none UDP 192 168 1 1 53 192 168 1 34 1197 Pu m 3 jp weg none UDP 192 168 1 1
210. e 45 or manual configuration Section 4 2 3 on page 50 P 660HW Tx v3 Series User s Guide Chapter 4 Tutorials 4 2 1 Configuring the Wireless Network Settings This example uses the following parameters to set up a wireless network SSID Example Security Mode WPA PSK Pre Shared Key DoNotStealMyWirelessNetwork 802 11 Mode Mixed 1 Click Network gt Wireless LAN to open the AP screen Configure the screen using the provided parameters see page 44 Click Apply Wireless Setup Active Wireless LAN Auto Scan Channel 9 Channel Selection Common Setup Network Name SSID Cl hide ssib Security Mode Pre Shared Key ReAuthentication Timer 1800 In Seconds Idle Timeout 3600 In Seconds Group Key Update Timer 1800 In Seconds MAC Filter Deny Association QoS None None M Channel 01 2412MHz M Scan Example WPA PSK iv DoNotStealMyWirelessNetwork Apply Cancel Advanced Setup P 660HW Tx v3 Series User s Guide Chapter 4 Tutorials 2 Click the Advanced Setup button and select Mixed in the 802 11 Mode field Click Apply Wireless Advanced Setup RTS CTS Threshold 2346 0 2432 Fragmentation Threshold 2346 256 2432 Output Power Maximum e Preamble Long v Thomas can now use the WPS feature to establish a wireless connection between his notebook and the ZyXEL Device see Section 4 2 2 on page 45 He can also use the notebook s wireless c
211. e Section 22 1 4 on page 317 for upgrading firmware using FTP TFTP commands Do NOT turn off the ZyXEL Device while firmware upload is in progress Figure 132 Maintenance gt Tools gt Firmware Firmware Upgrade To upgrade the internal device firmware browse to the location of the binary BIN upgrade file and click Upload Upgrade files can be downloaded from website If the upgrade file is compressed ZIP file you must first extract the binary BIN file In some cases you may need to reconfigure Current Firmware Version v3 70 BJZ 0 b3 1 21 2009 File Path Browse Upload The following table describes the labels in this screen Table 111 Maintenance Tools Firmware LABEL DESCRIPTION Current This is the present Firmware version and the date created Firmware Version File Path Type in the location of the file you want to upload in this field or click Browse to find it P 660HW Tx v3 Series User s Guide 323 Chapter 22 Tools Table 111 Maintenance Tools Firmware continued LABEL DESCRIPTION Browse Click this to find the bin file you want to upload Remember that you must decompress compressed zip files before you can upload them Upload Click this to begin the upload process This process may take up to two minutes After you see the Firmware Upload in Progress screen wait two minutes before logging into the ZyXEL Dev
212. e has its own PIN Personal Identification Number This may either be static it cannot be changed or dynamic in some devices you can generate a new PIN by clicking on a button in the configuration interface Use the PIN method instead of the push button configuration PBC method if you want to ensure that the connection is established between the devices you specify not just the first two devices to activate WPS in range of each other However you need to log into the configuration interfaces of both devices to use the PIN method When you use the PIN method you must enter the PIN from one device usually the wireless client into the second device usually the Access Point or wireless router Then when WPS is activated on the first device it presents its PIN to the second device If the PIN matches one device sends the network and security information to the other allowing it to join the network P 660HW Tx v3 Series User s Guide Chapter 8 Wireless LAN Take the following steps to set up a WPS connection between an access point or wireless router referred to here as the AP and a client device using the PIN method 1 Ensure WPS is enabled on both devices 2 Access the WPS section of the AP s configuration interface See the device s User s Guide for how to do this 3 Look for the client s WPS PIN it will be displayed either on the device or in the WPS section of the client s configuration interface see the device s
213. e location of the certificate file to be imported The certificate file must be in one of the following formats e Binary X 509 e PEM Base 64 encoded X 509 File Path Back Apply Cancel The following table describes the labels in this screen Table 67 Trusted CA Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it Browse Click this to find the certificate file you want to upload Back Click this to return to the previous screen without saving Apply Click this to save the certificate on the ZyXEL Device Cancel Click this to restore your previously saved settings 232 P 660HW Tx v3 Series User s Guide Chapter 13 Certificates 13 2 2 Trusted CA Details Use this screen to view in depth information about the certification authority s certificate change the certificate s name and set whether or not you want the ZyXEL Device to check a certification authority s list of revoked certificates before trusting a certificate issued by the certification authority Click Security gt Certificates gt Trusted CAs to open the Trusted CAs screen Click the details icon to open the Trusted CA Details screen Figure 99 Trusted CA Details Certificates Trusted CAs Details Certificate Name 1 cer Certificate Informations Type Self signed X 509 Certificate Version v3 Serial Number 0 Signatu
214. e registrar creates a secure EAP Extensible Authentication Protocol tunnel and sends the network name SSID and the WPA PSK or WPA2 PSK pre shared key to the enrollee Whether WPA PSK or WPA2 PSK is used depends on the standards supported by the devices If the registrar is already part of a network it sends the existing information If not it generates the SSID and WPA 2 PSK randomly P 660HW Tx v3 Series User s Guide Chapter 8 Wireless LAN The following figure shows a WPS enabled client installed in a notebook computer connecting to a WPS enabled access point Figure 63 How WPS works ACTIVATE ACTIVATE WPS WPS WITHIN 2 MINUTES oO WPS HANDSHAKE K M J WY Ne a REGISTRAR E SECURE TUNNEL A SECURITY INFO bw COMMUNICATION AN Q 3 A The roles of registrar and enrollee last only as long as the WPS setup process is active two minutes The next time you use WPS a different device can be the registrar if necessary The WPS connection process is like a handshake only two devices participate in each WPS transaction If you want to add more devices you should repeat the process with one of the existing networked devices and the new device Note that the access point AP is not always the registrar and the wireless client is not always the enrollee All WPS certified APs can be a registrar and so can some WPS enabled wireless clients By default a WP
215. e to 10096 the ZyXEL Device is running at full load and the throughput is not going to improve anymore If you want some applications to have more throughput you should turn off other applications for example using QoS see Chapter 16 on page 253 Memory This field displays what percentage of the ZyXEL Device s memory is Usage currently used Usually this percentage should not increase much If memory usage does get close to 10096 the ZyXEL Device is probably becoming unstable and you should restart the device See Section 22 4 on page 328 or turn off the device unplug the power for a few seconds Interface Status Interface This column displays each interface the ZyXEL Device has P 660HW Tx v3 Series User s Guide Chapter 3 Status Screens 3 3 Client List Table4 Status Screen LABEL DESCRIPTION Status This field indicates whether or not the ZyXEL Device is using the interface For the DSL interface this field displays Down line is down Up line is up or connected if you re using Ethernet encapsulation and Down line is down Up line is up or connected Idle line ppp idle Dial starting to trigger a call and Drop dropping a call if you re using PPPoE encapsulation For the LAN interface this field displays Up when the ZyXEL Device is using the interface and Down when the ZyXEL Device is not using the interface For the WLAN interface it displays Active when
216. e to your security requirements Finding Out More See Section 10 1 3 on page 191 for an example of setting up a firewall See Section 10 5 on page 205 for advanced technical information on firewall P 660HW Tx v3 Series User s Guide Chapter 10 Firewalls 10 1 3 Firewall Rule Setup Example The following Internet firewall rule example allows a hypothetical MyService connection from the Internet Click Security gt Firewall gt Rules Select WAN to LAN in the Packet Direction field Lo RI Rules Firewall Rules Storage Space in Use 395 ovi 100 Packet Direction WaN to LAN 7 Create a new rule after rule number o x Add xm emm Li emi pem meret en emer Em Apply Cancel In the Rules screen select the index number after that you want to add the rule For example if you select 6 your new rule becomes number 7 and the previous rule 7 if there is one becomes rule 8 Click Add to display the firewall rule configuration screen In the Edit Rule screen click the Edit Customized Services link to open the Customized Service screen P 660HW Tx v3 Series User s Guide Chapter 10 Firewalls 6 Click an index number to display the Customized Services Config screen and configure the screen as follows and click Apply Config Service Name MyService Service Type TcPAUDP Port Configuration Type Single Port Range Port Number From 123 To
217. e two devices connect and set up a secure network by themselves P 660HW Tx v3 Series User s Guide Chapter 8 Wireless LAN 8 8 8 1 8 8 8 2 Push Button Configuration WPS Push Button Configuration PBC is initiated by pressing a button on each WPS enabled device and allowing them to connect automatically You do not need to enter any information Not every WPS enabled device has a physical WPS button Some may have a WPS PBC button in their configuration utilities instead of or in addition to the physical button Take the following steps to set up WPS using the button Ensure that the two devices you want to set up are within wireless range of one another Look for a WPS button on each device If the device does not have one log into its configuration utility and locate the button see the device s User s Guide for how to do this for the ZyXEL Device see Section 8 5 on page 152 Press the button on one of the devices it doesn t matter which For the ZyXEL Device you must press the WPS button for more than three seconds Within two minutes press the button on the other device The registrar sends the network name SSID and security key through an secure connection to the enrollee If you need to make sure that WPS worked check the list of associated wireless clients in the AP s configuration utility If you see the wireless client in the list WPS was successful PIN Configuration Each WPS enabled devic
218. e wireless LAN off or on You can also use it to activate WPS in order to quickly set up a wireless network with strong security P 660HW Tx v3 Series User s Guide Chapter 1 Introducing the ZyXEL Device 1 7 1 Turn the Wireless LAN Off or On 1 Make sure the POWER LED is on not blinking 2 Press the WPS WLAN ON OFF button for less than five seconds and release it The WLAN WPS LED should change from on to off or vice versa 1 7 2 Activate WPS 1 Make sure the POWER LED is on not blinking 2 Press the WPS WLAN ON OFF button for five to ten seconds and release it Press the WPS button on another WPS enabled device within range of the ZyXEL Device The WLAN WPS LED should flash while the ZyXEL Device sets up a WPS connection with the wireless device Note You must activate WPS in the ZyXEL Device and in another wireless device within two minutes of each other See Section 8 8 8 on page 163 for more information P 660HW Tx v3 Series User s Guide Introducing the Web Configurator 2 1 Overview The web configurator is an HTML based management interface that allows easy device setup and management via Internet browser Use Internet Explorer 6 0 and later or Netscape Navigator 7 0 and later versions The recommended screen resolution is 1024 by 768 pixels In order to use the web configurator you need to allow Web browser pop up windows from your device Web pop up blocking is enabled by default in Windows XP
219. e wireless clients The wireless clients connect to the access points An ad hoc type of network is one in which there is no access point Wireless clients connect to one another in order to exchange information The following figure provides an example of a wireless network Figure 59 Example of a Wireless Network PETT DEEI saa T7 o P 660HW Tx v3 Series User s Guide Chapter 8 Wireless LAN The wireless network is the part in the blue circle In this wireless network devices A and B use the access point AP to interact with the other devices such as the printer or with the Internet Your ZyXEL Device is the AP Every wireless network must follow these basic guidelines Every device in the same wireless network must use the same SSID The SSID is the name of the wireless network It stands for Service Set Dentifier f two wireless networks overlap they should use a different channel Like radio stations or television channels each wireless network uses a specific channel or frequency to send and receive information Every device in the same wireless network must use security compatible with the AP Security stops unauthorized devices from using the wireless network It can also protect the information that is sent in the wireless network Radio Channels In the radio spectrum there are certain frequency bands allocated for unlicensed ci
220. e your changes You can only change the name and or set whether or not you want the ZyXEL Device to check the CRL that the certification authority issues before trusting a certificate issued by the certification authority Cancel Click this to restore your previously saved settings P 660HW Tx v3 Series User s Guide Chapter 13 Certificates 13 3 Certificates Technical Reference This section provides technical background information about the topics covered in this chapter 13 3 1 Certificates Overview The ZyXEL Device can use certificates also called digital IDs to authenticate users Certificates are based on public private key pairs A certificate contains the certificate owner s identity and public key Certificates provide a way to exchange public keys for use in authentication The ZyXEL Device uses certificates based on public key cryptology to authenticate users attempting to establish a connection not to encrypt the data that you send after establishing a connection The method used to secure the data that you send through an established connection depends on the type of connection For example a VPN tunnel might use the triple DES encryption algorithm The certification authority uses its private key to sign certificates Anyone can then use the certification authority s public key to verify the certificates Advantages of Certificates Certificates offer the following benefits The ZyXEL Device only has to
221. eactivate this connection Name Enter a unique descriptive name of up to 13 ASCII characters for this connection P 660HW Tx v3 Series User s Guide Chapter 6 WAN Setup Table 22 Network gt WAN gt More Connections Edit continued LABEL DESCRIPTION Mode Select Routing from the drop down list box if your ISP allows multiple computers to share an Internet account If you select Bridge the ZyXEL Device will forward any packet that it does not route to this remote node otherwise the packets are discarded Encapsulation Select the method of encapsulation used by your ISP from the drop down list box Choices vary depending on the mode you select in the Mode field If you select Bridge in the Mode field select either PPPoA or RFC 1483 If you select Routing in the Mode field select PPPoA RFC 1483 ENET ENCAP or PPPoE User Name PPPoA and PPPoE encapsulation only Enter the user name exactly as your ISP assigned If assigned a name in the form user domain where domain identifies a service name then enter both components exactly as given Password PPPoA and PPPoE encapsulation only Enter the password associated with the user name above Service Name PPPoE only Type the name of your PPPoE service here Multiplexing Select the method of multiplexing used by your ISP from the drop down list Choices are VC or LLC By prior agreement a protocol is assigned a specific
222. ected P 660HW Tx v3 Series User s Guide Chapter 19 Universal Plug and Play UPnP 4 You may edit or delete the port mappings or click Add to manually add port mappings Advanced Settings Services Select the sarvices uninig an pour relh that Intemmel gelt cani aoo Services Ei marisa 792 168 1 658618 1660S TEF e merece 192 1581 BR 9858 2717171 UDP mamace 192 168 1 91 7281 26007 UDF Ie mme 00132 1 EB 1 20 2810 21 0711 TEP Service Settings Description of service Test Name or IP address for example 192 168 0 12 of the computer hosting this service on your network 192 168 1 11 External Port number for this service 143 TCP UDP Internal Port number for this service 143 Cancel 5 When the UPnP enabled device is disconnected from your computer all port mappings will be deleted automatically P 660HW Tx v3 Series User s Guide Chapter 19 Universal Plug and Play UPnP 6 Select Show icon in notification area when connected option and click OK An icon displays in the system tray 4 Internet Connection is now connected Click here For more information Y internet Connection Status General Internet Gateway Status Connected Duration 00 00 56 Speed 100 0 Mbps Activity Internet Internet Gateway My Computer wd j Packets Sent 8 Received 5 943 Web Configurator Easy Access With UPnP you can access the we
223. ection up Demand all the time and specify an idle time out in the Max Idle Timeout field Max Idle Timeout Specify an idle time out in the Max Idle Timeout field when you select Connect on Demand The default setting is 0 which means the Internet session will not timeout Apply Click this to save your changes Cancel Click this to restore your previously saved settings Advanced Setup Click this to display the Advanced WAN Setup screen and edit more details of your WAN setup P 660HW Tx v3 Series User s Guide Chapter 6 WAN Setup 6 2 1 Advanced Internet Access Setup Use this screen to edit your ZyXEL Device s advanced WAN settings Click the Advanced Setup button in the Internet Access Setup screen The screen appears as shown Figure 33 Network WAN Internet Access Setup Advanced Setup RIP amp Multicast Setup RIP Direction None 7 RIP Version N A z Multicast Mone ATM Qos ATM QoS Type UBR Y Peak Cell Rate o cell sec Sustain Cell Rate o cell sec Maximum Burst Size 0 cell MTU MTU 1500 Packet Filter Incoming Filter Sets Protocol Filter None None v None None Generic Filter None None None None Outgoing Filter Sets Protocol Filter None None None None z Generic Filter None Nene None None z Apply Cancel The following table describes the labels in this screen Table 20 Networ
224. ed You can allow pop ups from specific Web sites by adding the site to the list below Address of Web site to allow http 192 168 1 1 Allowed sites Notifications and Filter Level Play a sound when a pop up is blocked Show Information Bar when a pop up is blocked Filter Level Medium Block most automatic pop ups Pop up Blocker FAQ 5 Click Close to return to the Privacy screen 6 Click Apply to save this setting JavaScript If pages of the web configurator do not display properly in Internet Explorer check that JavaScript are allowed P 660HW Tx v3 Series User s Guide Appendix B Pop up Windows JavaScript and Java Permissions 1 In Internet Explorer click Tools Internet Options and then the Security tab Figure 181 Internet Options Security AE General Security Privacy Content Connections Programs Advanced Select a Web content zone to specify its security settings 4 wa o Internet Local intranet Trusted sites Restricted sites This zone contains all Web sites you BE haven t placed in other zones m Security level for this zone Move the slider to set the security level for this zone 5 Medium Safe browsing and still functional Prompts before downloading potentially unsafe content Unsigned ActiveX controls will not be downloaded Appropriate for most Internet sites C Custom Level Default Level OK Cancel Appl
225. een as shown next Figure 136 Maintenance gt Tools gt Configuration Configuration Backup Configuration Click Backup to save the current configuration to you computer Backup Restore Configuration To restore a previously saved configuration file on your computer to the Prestige please type a location for storing the configuration file or click Browse to look for one and then click Upload File Path Browse Upload Reset to Factory Default Settings Click Reset to clear all user entered configuration and return the Prestige to the factory default settings The following default settings would become effective after click Reset Password 1234 Lan IP 192 168 1 1 DHCP Server Reset P 660HW Tx v3 Series User s Guide Chapter 22 Tools Backup Configuration Backup Configuration allows you to back up save the ZyXEL Device s current configuration to a file on your computer Once your ZyXEL Device is configured and functioning properly it is highly recommended that you back up your configuration file before making configuration changes The backup configuration file will be useful in case you need to return to your previous settings Click Backup to save the ZyXEL Device s current configuration to your computer Restore Configuration Restore Configuration allows you to upload a new or previously saved configuration file from your computer to your ZyXEL Device Table 112 Rest
226. eless security changes on the ZyXEL Device or you click Release_ Configuration to remove the configured wireless and wireless security settings P 660HW Tx v3 Series User s Guide 151 Chapter 8 Wireless LAN Table 38 Network Wireless LAN WPS LABEL DESCRIPTION Release Co This button is available when the WPS status is Configured nfiguration Click this button to remove all configured wireless and wireless security settings for WPS connections on the ZyXEL Device Apply Click this to save your changes Refresh Click this to restore your previously saved settings 8 5 The WPS Station Screen Use this screen to set up a WPS wireless network using either Push Button Configuration PBC or PIN Configuration Click Network gt Wireless LAN gt WPS Station The following screen displays Figure 56 Network gt Wireless LAN gt WPS Station Add Station by WPS Click the below Push Button to add WPS stations to wireless network Or input station s PIN number q Note 1 The Push Button Configuration requires pressing a button on both the station and AP within 120 seconds 2 You may find the PIN number in the station s utility 152 P 660HW Tx v3 Series User s Guide Chapter 8 Wireless LAN The following table describes the labels in this screen Table 39 Network gt Wireless LAN gt WPS Station LABEL DESCRIPTION Push Button Click
227. emet P 660HW Tx v3 Series User s Guide Appendix A Setting up Your Computer s IP Address 2 Double click on the profile of the network card you wish to configure The Ethernet Device General screen displays as shown Figure 169 Red Hat 9 0 KDE Ethernet Device General Ethernet Device General Route Hardware Device Nickname ethO Activate device when computer starts Allow all users to enable and disable the device Automatically obtain IP address settings with dhcp DHCP Settings Hostname optional Automatically obtain DNS information from provider Statically set IP addresses Manual IP Address Settings Address Subnet Mask Default Gateway Address 3 Cancel f you have a dynamic IP address click Automatically obtain I P address settings with and select dhcp from the drop down list f you have a static IP address click Statically set IP Addresses and fill in the Address Subnet mask and Default Gateway Address fields 3 Click OK to save the changes and close the Ethernet Device General screen 4 If you know your DNS server IP address es click the DNS tab in the Network Configuration screen Enter the DNS server information in the fields provided Figure 170 Red Hat 9 0 KDE Network Configuration DNS hi Network Configuration File Profile Help S amp
228. emote MGMT to display the WWW screen Figure 118 Advanced gt Remote Management gt WWW WWW co Port 0 v r Access Status Secured Client IF AI O Selected 0 0 0 0 q Note 1 For UPnP to function normally the HTTP service must be available for LAN computers using UPnP 2 You may also need to create a Firewall rule P 660HW Tx v3 Series User s Guide 275 Chapter 18 Remote Management The following table describes the labels in this screen Table 81 Advanced gt Remote Management gt WWW LABEL DESCRIPTION Port You may change the server port number for a service if needed However you must use the same port number in order to use that service for remote management Access Status Select the interface s through which a computer may access the ZyXEL Device using this service Secured Client IP A secured client is a trusted computer that is allowed to communicate with the ZyXEL Device using this service Select All to allow any computer to access the ZyXEL Device using this service Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service Apply Click this to save your changes Cancel Click this to restore your previously saved settings 18 3 The Telnet Screen You can use Telnet to access the ZyXEL Device s command line interface Specify which interfaces allow
229. enable any local service such as telnet or FTP that you don t use Any enabled service could present a potential security risk A determined hacker might be able to find creative ways to misuse the enabled services to access the firewall or the network For local services that are enabled protect against misuse Protect by configuring the services to communicate only with specific peers and protect by configuring rules to block packets for the services at specific interfaces Protect against IP spoofing by making sure the firewall is active Keep the firewall in a secured locked room P 660HW Tx v3 Series User s Guide Chapter 10 Firewalls 10 5 3 10 5 4 Security Considerations Note Incorrectly configuring the firewall may block valid access or introduce security risks to the ZyXEL Device and your protected network Use caution when creating or deleting firewall rules and test your rules after you configure them Consider these security ramifications before creating a rule Does this rule stop LAN users from accessing critical resources on the Internet For example if IRC is blocked are there users that require this service Is it possible to modify the rule to be more specific For example if IRC is blocked for all users will a rule that blocks just certain users be more effective Does a rule that allows Internet users access to resources on the LAN create a security vulnerability For example if FTP ports TC
230. enger TCP 1863 Microsoft Networks messenger service uses this protocol NetBIOS TCP UDP 137 The Network Basic Input Output System is used for communication TCP UDP 138 between computers in a LAN TCP UDP 139 TCP UDP 445 NEW ICQ TCP 5190 An Internet chat program NEWS TCP 144 A protocol for news groups NFS UDP 2049 Network File System NFS is a client server distributed file service that provides transparent file sharing for network environments NNTP TCP 119 Network News Transport Protocol is the delivery mechanism for the USENET newsgroup service PING User Defined 1 Packet I Nternet Groper is a protocol that sends out I CMP echo requests to test whether or not a remote host is reachable POP3 TCP 110 Post Office Protocol version 3 lets a client computer get e mail from a POP3 server through a temporary connection TCP IP or other POP3S TCP 995 This is a more secure version of POP3 that runs over SSL PPTP TCP 1723 Point to Point Tunneling Protocol enables secure transfer of data over public networks This is the control channel PPTP TUNNEL User Defined 47 PPTP Point to Point Tunneling GRE Protocol enables secure transfer of data over public networks This is the data channel RCMD TCP 512 Remote Command Service REAL AUDIO TCP 7070 A streaming audio service that enables real time sound over the web REXEC TCP 514 Remote Execution Daemon RLOGIN TCP 513 Remote Login ROADRUNNER TCP UDP 1026 This is an ISP
231. entication server sends a challenge to the wireless client The wireless client proves that it knows the password by encrypting the password with the challenge and sends back the information Password is not sent in plain text P 660HW Tx v3 Series User s Guide Appendix D Wireless LANs However MD5 authentication has some weaknesses Since the authentication server needs to get the plaintext passwords the passwords must be stored Thus someone other than the authentication server may access the password file In addition it is possible to impersonate an authentication server as MD5 authentication method does not perform mutual authentication Finally MD5 authentication method does not support data encryption with dynamic session key You must configure WEP encryption keys for data encryption EAP TLS Transport Layer Security With EAP TLS digital certifications are needed by both the server and the wireless clients for mutual authentication The server presents a certificate to the client After validating the identity of the server the client sends a different certificate to the server The exchange of certificates is done in the open before a secured tunnel is created This makes user identity vulnerable to passive attacks A digital certificate is an electronic ID card that authenticates the sender s identity However to implement EAP TLS you need a Certificate Authority CA to handle certificates which imposes a management o
232. er Control Panels T Favorites Key Caps Network Browser G Recent Applications D Recent Documents cif Remote Access Status Scrapbook P Sherlock 2 Jj Speakable Items ADSL Control and Status Appearance Apple Menu Options AppleTalk ColorSync Control Strip Date amp Time DialAssist Energy Saver Extensions Manager File Exchange File Sharing General Controls Internet Keyboard Keychain Access Launcher Location Manager Memory Modem Monitors Mouse Multiple Users Numbers QuickTime Settings Remote Access Software Update Sound USB Printer Sharing P 660HW Tx v3 Series User s Guide Appendix A Setting up Your Computer s IP Address 2 Select Ethernet built in from the Connect via list Figure 165 Macintosh OS 8 9 TCP IP mE TCP IP comert via Ethernet TS Configure Using DHCP Server DHCP Client ID IP Address lt will be supplied by server 7 Setup Subnet mask lt will be supplied by server gt Router address lt will be supplied by server gt Search domans Name server addr x will be supplied by server el For dynamically assigned settings select Using DHCP Server from the Configure list For statically assigned settings do the following From the Configure box select Manually Type your IP address in the IP Address box Type your subnet mask in the Subnet mask box Type the IP ad
233. er Please check the RADIUS Server timeout expired User logout because of session The router logged out a user whose session expired P 660HW Tx v3 Series User s Guide su Chapter 21 Logs Table 103 802 1X Logs continued LOG MESSAGE DESCRIPTION authentication response from user User logout because of user The router logged out a user who ended the deassociation session User logout because of no The router logged out a user from which there was no authentication response User logout because of idle timeout expired The router logged out a user whose idle timeout period expired User logout because of user request A user logged out o response from RADIUS Pls check RADIUS Server There is no response message from the RADIUS server please check the RADIUS server Use RADIUS to authenticate user The RADIUS server is operating as the authentication server o Server to authenticate user There is no authentication server to authenticate a user Table 104 ACL Setting Notes ia DIRECTION DESCRIPTION L to W LAN to WAN ACL set for packets traveling from the LAN to the WAN W to L WAN to LAN ACL set for packets traveling from the WAN to the LAN L to L ZyXEL LAN to LAN ACL set for packets traveling from the LAN to the Device ZyXEL Device LAN or t
234. er 8 Wireless LAN These security standards vary in effectiveness Some can be broken such as the old Wired Equivalent Protocol WEP Using WEP is better than using no security at all but it will not keep a determined attacker out Other security standards are secure in themselves but can be broken if a user does not use them properly For example the WPA PSK security standard is very secure if you use a long key which is difficult for an attacker s software to guess for example a twenty letter long string of apparently random numbers and letters but it is not very secure if you use a short key which is very easy to guess for example a three letter word from the dictionary Because of the damage that can be done by a malicious attacker it s not just people who have sensitive information on their network who should use security Everybody who uses any wireless network should ensure that effective security is in place A good way to come up with effective security keys passwords and so on is to use obscure information that you personally will easily remember and to enter it in a way that appears random and does not include real words For example if your mother owns a 1970 Dodge Challenger and her favorite movie is Vanishing Point which you know was made in 1971 you could use 70dodchal71vanpoi as your security key The following sections introduce different types of wireless security you can set up in the wireless network 8
235. ess oo 0 0 Subnet Netmask 0 0 0 0 Port fo o MAC MAC Mask 00 00 00 00 00 00 Others Service FTP X I Protocol TCP Y fo M Exclude PacketLength 0 o F exclude D pscP fo 0 63 exclude Ethernet Priority oE z7 I exclude I VLAN ID B 24094 exclude IV Physical Port 4 z M Exclude Remote Node want zl F exclude Click Apply Back Apply Cancel E DH EH Exclude Exclude Exclude Exclude Exclude Exclude P 660HW Tx v3 Series User s Guide 79 Chapter 4 Tutorials 5 Click the General tab Then select Active QoS and click Apply General General M active Qos WAN Managed Bandwidth 100000 kbps Traffic priority will be automatically assigned by 1 Ethernet Priority OFF 2 IP Precedence OFF 3 Packet Length OFF Apply Cancel Now you can connect a VoIP phone to the ZyXEL Device s LAN port 4 and computers to port 1 3 The ZyXEL Device classifies and prioritizes voice traffic to optimize voice quality P 660HW Tx v3 Series User s Guide PART Il Wizard Internet and Wireless Setup Wizard 83 Internet and Wireless Setup Wizard 5 1 Overview Use the wizard setup screens to configure your system for Internet access with the information given to you by your ISP Note See the advanced menu chapters for background information on these fields 5 2 Internet Access Wizard Setup 1 After you enter the password to ac
236. essages 1 means ZyXEL Device out of socket 2 means tcp SYN fail 3 means smtp server OK fail 4 means HELO fail 5 means MAIL FROM fail 6 means RCPT TO fail 7 means DATA fail 8 means mail data send fail 21 4 1 Example E mail Log An End of Log message displays for each mail in which a complete log has been sent The following is an example of a log sent by e mail You may edit the subject title P 660HW Tx v3 Series User s Guide Chapter 21 Logs End of Log message shows that a complete log has been sent Figure 128 E mail Log Example Subject Firewall Alert From Date Fri From 128 End 21 5 Log Descriptions Apr 10 user zyxel com user zyxel com 7 254 205 00 03 UDP 00 17 UDP 00 19 UDP 00 00 UDP 00 17 UDP 00 30 UDP of Firewall Log 07 Apr 2000 10 05 42 From 192 168 1 1 Src port 00520 dest From 192 168 1 131 Src port 00520 dest From 192 168 1 6 src port 03516 dest port 00053 From 192 168 1 1 src port 00520 dest From 192 168 1 131 src port 00520 dest From 192 168 1 1 src port 00520 dest To 192 To 192 To 192 To 192 To 192 4169 142255 default policy forward port 00520 lt 1 00 gt 168 1 255 default policy forward port 00520 1 00 To 10 10 10 10 match forward 1 01 168 1 255 match forward port 00520 lt 1 02 gt 168 1 255 match forward port 0
237. etween devices is made At the time of writing WDS security is compatible with other ZyXEL access points only Refer to your other access point s documentation for details The following figure illustrates how WDS link works between APs Notebook computer A is a wireless client connecting to access point AP 1 AP 1 has no wired Internet connection but it can establish a WDS link with access point AP 2 which has a wired Internet connection When AP 1 has a WDS link with AP 2 the notebook computer can access the Internet through AP 2 Figure 61 WDS Link Example gt MS 3 l T TER i ay AP 1 AP 2 8 8 8 WiFi Protected Setup WPS Your ZyXEL Device supports WiFi Protected Setup WPS which is an easy way to set up a secure wireless network WPS is an industry standard specification defined by the WiFi Alliance WPS allows you to quickly set up a wireless network with strong security without having to configure security settings manually Each WPS connection works between two devices Both devices must support WPS check each device s documentation to make sure Depending on the devices you have you can either press a button on the device itself or in its configuration utility or enter a PIN a unique Personal Identification Number that allows one device to authenticate the other in each of the two devices When WPS is activated on a device it has two minutes to find another device that also has WPS activated Then th
238. evice Name ZyXEL P 660HW T1 v3 Internet Sharing Gateway Cl Active the Universal Plug and Play UPnP Feature Allow users to make configuration changes through UPnP Note For UPnP to function normally the HTT service must be available for LAN computers using UPnP The following table describes the fields in this screen Table 86 Advanced gt UPnP gt General LABEL DESCRIPTION Active the Universal Plug Select this check box to activate UPnP Be aware that anyone and Play UPnP Feature could use a UPnP application to open the web configurator s login screen without entering the ZyXEL Device s IP address although you must still enter the password to access the web configurator Allow users to make Select this check box to allow UPnP enabled applications to configuration changes automatically configure the ZyXEL Device so that they can through UPnP communicate through the ZyXEL Device for example by using NAT traversal UPnP applications automatically reserve a NAT forwarding port in order to communicate with another UPnP enabled device this eliminates the need to manually configure port forwarding for the UPnP enabled application Apply Click this to save your changes Cancel Click this to restore your previously saved settings P 660HW Tx v3 Series User s Guide Chapter 19 Universal Plug and Play UPnP 19 3 Installing UPnP in Windows Example This section shows how t
239. ext Click this to continue to the next wizard screen Exit Click this to close the wizard screen without saving Figure 20 Internet Connection with ENET ENCAP fi Internet Configuration ssigns you 4 dynamic DHCP IP information your IS a Obtain an IP Address Automatically O Static IP Address IP Address 0 0 0 0 Subnet Mask 0 0 0 0 First DNS Server 0 0 0 0 Gateway IP address UANAWRY Second DNS Server 0 0 0 0 P 660HW Tx v3 Series User s Guide Chapter 5 Internet and Wireless Setup Wizard The following table describes the fields in this screen Table 13 Internet Connection with ENET ENCAP LABEL DESCRIPTION Obtain an IP A static IP address is a fixed IP that your ISP gives you A dynamic IP Address address is not fixed the ISP assigns you a different one each time you Automatically connect to the Internet Select Obtain an I P Address Automatically if you have a dynamic IP address Static IP Select Static I P Address if your ISP gave you an IP address to use Address IP Address Enter your ISP assigned IP address Subnet Mask Enter a subnet mask in dotted decimal notation Refer to the appendix to calculate a subnet mask If you are implementing subnetting Gateway IP You must specify a gateway IP address supplied by your ISP when you address use ENET ENCAP in the Encapsulation field in the previous screen First DNS Enter the IP add
240. ey certificates and explains how to use them A certificate contains the certificate owner s identity and public key Certificates provide a way to exchange public keys for use in authentication Figure 96 Certificates Example Authentication E In the figure above the ZyXEL Device Z checks the identity of the notebook A using a certificate before granting it access to the network 13 1 1 What You Can Do in the Certificates Screens Use the Trusted CAs screens Section 13 2 on page 230 to save CA certificates to the ZyXEL Device 13 1 2 What You Need to Know About Certificates Certification Authority A Certification Authority CA issues certificates and guarantees the identity of each certificate owner There are commercial certification authorities like CyberTrust or VeriSign and government certification authorities You can use the ZyXEL Device to generate certification requests that contain identifying P 660HW Tx v3 Series User s Guide Chapter 13 Certificates information and public keys and then send the certification requests to a certification authority Certificate File Formats The certification authority certificate that you want to import has to be in one of these file formats Binary X 509 This is an ITU T recommendation that defines the formats for X 509 certificates PEM Base 64 encoded X 509 This Privacy Enhanced Mail format uses lowercase letters uppercase letters and numerals to c
241. eyword LABEL DESCRIPTION Active Keyword Select this check box to enable this feature Blocking Block Websites that This box contains the list of all the keywords that you have contain these keywords configured the ZyXEL Device to block in the URL Delete Highlight a keyword in the box and click this to remove it Clear All Click this to remove all of the keywords from the list Keyword Type a keyword in this field You may use any character up to 127 characters Wildcards are not allowed P 660HW Tx v3 Series User s Guide Chapter 11 Content Filtering Table 58 Security gt Content Filtering gt Keyword continued LABEL DESCRIPTION Add Keyword Click this after you have typed a keyword Repeat this procedure to add other keywords Up to 64 keywords are allowed When you try to access a web page containing a keyword you will get a message telling you that the content filter is blocking this request Apply Click this to save your changes Cancel Click this to restore your previously saved settings 11 3 The Schedule Screen Use this screen to set the days and times for the ZyXEL Device to perform content filtering Click Security gt Content Filter gt Schedule The screen appears as shown Figure 88 Security gt Content Filter gt Schedule Schedule Loos MIZLM Block Everyday Iv Edit Daily to Block SS e Monday
242. f individual services Other Wireless Features IEEE 802 11n Compliance Frequency Range 2 4 GHz ISM Band Auto channel selection Advanced Orthogonal Frequency Division Multiplexing OFDM Data Rates 54Mbps 11Mbps 5 5Mbps 2Mbps and 1 Mbps Auto Fallback WPA2 WMM IEEE 802 11i IEEE 802 11e Wired Equivalent Privacy WEP Data Encryption 64 128 256 bit WLAN bridge to LAN Up to 32 MAC Address filters IEEE 802 1x Store up to 32 built in user profiles using EAP MD5 Local User Database External RADIUS server using EAP MD5 TLS TTLS Wireless scheduling P 660HW Tx v3 Series User s Guide Chapter 25 Product Specifications The following list which is not exhaustive illustrates the standards supported in the ZyXEL Device Table 118 Standards Supported STANDARD DESCRIPTION RFC 867 Daytime Protocol RFC 868 Time Protocol RFC 1058 RIP 1 Routing Information Protocol RFC 1112 IGMP v1 RFC 1305 Network Time Protocol NTP version 3 RFC 1483 Multiprotocol Encapsulation over ATM Adaptation Layer 5 RFC 1631 IP Network Address Translator NAT RFC 1661 The Point to Point Protocol PPP RFC 1723 RIP 2 Routing Information Protocol RFC 2236 Internet Group Management Protocol Version 2 RFC 2364 PPP over AAL5 PPP over ATM over ADSL RFC 2408 Internet Security Association and Key Management Protocol ISAKMP RFC 2516 A Metho
243. f your network does not automatically assign IP addresses ask your network administrator for an address and then type it in the space below JV Detect connection to network media Cancel P 660HW Tx v3 Series User s Guide 353 Appendix A Setting up Your Computer s IP Address 3 Click the DNS Configuration tab f you do not know your DNS information select Disable DNS f you know your DNS information select Enable DNS and type the information in the fields below you may not need to fill them all in Figure 147 Windows 95 98 Me TCP IP Properties DNS Configuration Bindings Advanced NetBloS DNS Configuration Gateway WINS Configuration IP Address Cancel Click the Gateway tab f you do not know your gateway s IP address remove previously installed gateways f you have a gateway IP address type it in the New gateway field and click Add Click OK to save and close the TCP I P Properties window Click OK to close the Network window Insert the Windows CD if prompted Turn on your ZyXEL Device and restart your computer when prompted Verifying Settings Click Start and then Run In the Run window type winipcfg and then click OK to open the IP Configuration window Select your network adapter You should see your computer s IP address subnet mask and default gateway P 660HW Tx v3 Series User s Guide Appendix A
244. fferent outgoing PVCs that the traffic should go In this tutorial voice traffic sent from port 4 should be transmitted to PVC PVC for Vol P with WAN index 2 General data traffic sent from port 1 3 should be transmitted to PVC I nternet Connection with WAN index 1 Click Advanced gt QoS gt Class Setup and then click Add co ae Class Setup Create a new Class sa No Active Name interface Priority FilterContent_ Modify Apply Cancel Create a QoS classifier rule using the following example settings Class Configuration Select Active Enter a descriptive name for this rule For example Vol P Interface From LAN Priority 7 Highest Routing Policy To WAN Index WAN Index 2 Filter Configuration Service Vol P SI P Physical Port 4 P 660HW Tx v3 Series User s Guide Chapter 4 Tutorials rp Calss Configuration v Active Name vore Interface From LAN z Priority 7 Highest Routing Policy To WAN Index WAN Index 2 Gateway Address fo 0 0 0 Order fi 7 Tag Configuration DSCP Value Same 7 jo 0 63 802 19 Tag Same 7 Ethernet Priority 0E z VLAN ID E 2 4094 Filter Configuration Source Address o 0 0 0 Subnet Netmask a 0 0 0 F Exclude Port 0 Exclude M MAC MAC Mask Exclude Destination Address 0 0 0 0 Subnet Netmask o 0 0 F exclude Port F Exclude m mac MAC Mask F Exclude Others
245. ffic blocking is enabled wireless station A and B can still access the wired network but cannot communicate with each other Figure 60 Basic Service set 8 8 6 MBSSID Traditionally you need to use different APs to configure different Basic Service Sets BSSs As well as the cost of buying extra APs there is also the possibility of channel interference The ZyXEL Device s MBSSID Multiple Basic Service Set IDentifier function allows you to use one access point to provide several BSSs simultaneously You can then assign varying QoS priorities and or security modes to different SSIDs Wireless devices can use different BSSIDs to associate with the same AP 8 8 6 1 Notes on Multiple BSSs A maximum of eight BSSs are allowed on one AP simultaneously You must use different keys for different BSSs If two wireless devices have different BSSIDs they are in different BSSs but have the same keys they may hear each other s communications but not communicate with each other MBSSID should not replace but rather be used in conjunction with 802 1x security P 660HW Tx v3 Series User s Guide Chapter 8 Wireless LAN 8 8 7 Wireless Distribution System WDS The ZyXEL Device can act as a wireless network bridge and establish WDS Wireless Distribution System links with other APs You need to know the MAC addresses of the APs you want to link to Once the security settings of peer sides match one another the connection b
246. fic You may choose up to 4 sets of filters You can configure packet filters in the Packet Filter screen See Chapter 12 on page 219 for more details Generic Filter Select the generic filter s to control incoming traffic You may choose up to 4 sets of filters You can configure generic filters in the Packet Filter screen See Chapter 12 on page 219 for more details Outgoing Filter Sets Protocol Filter Select the protocol filter s to control outgoing traffic You may choose up to 4 sets of filters You can configure protocol filters in the Packet Filter screen See Chapter 12 on page 219 for more details Generic Filter Select the generic filter s to control outgoing traffic You may choose up to 4 sets of filters You can configure generic filters in the Packet Filter screen See Chapter 12 on page 219 for more details Back Click this to return to the previous screen without saving P 660HW Tx v3 Series User s Guide Chapter 6 WAN Setup Table 23 Network WAN More Connections Edit Advanced Setup continued LABEL DESCRIPTION Apply Click this to save your changes Cancel Click this to restore your previously saved settings 6 4 WAN Technical Reference This section provides some technical background information about the topics covered in this chapter 6 4 14 Encapsulation Be sure to use the encapsulation method required by your ISP The Z
247. fthe problem continues contact the network administrator or vendor or try one of the advanced suggestions Advanced Suggestions Check the settings for QoS If it is disabled you might consider activating it If it is enabled you might consider raising or lowering the priority for some applications P 660HW Tx v3 Series User s Guide Chapter 24 Troubleshooting P 660HW Tx v3 Series User s Guide Product Specifications The following tables summarize the ZyXEL Device s hardware and firmware features 25 1 Hardware Specifications Table 115 Hardware Specifications Dimensions 362 W x 200 D x 110 H mm Weight 365 g Power Specification 12VDC 1A Built in Switch Four auto negotiating auto MDI MDI X 10 100 Mbps RJ 45 Ethernet ports ADSL Port 1 RJ 11 FXS POTS port RESET Button Restores factory defaults Antenna One fixed external antenna 2dBi WPS Button 1 5 seconds turn on or off WLAN 5 10 seconds enable WPS Wi Fi Protected Setup Operation 02e C 409 C Temperature Storage Temperature 202 609 C Operation Humidity 20 90 RH Storage Humidity 20 90 RH 25 2 Firmware Specifications Table 116 Firmware Specifications Default IP Address 192 168 1 1 Default Subnet Mask 255 255 255 0 24 bits P 660HW Tx v3 Series User s Guide Chapter 25 Product Specifications Table 116 Firmware Specifications continued
248. ges 4 For statically assigned settings do the following P 660HW Tx v3 Series User s Guide Appendix A Setting up Your Computer s IP Address From the Configure box select Manually Type your IP address in the IP Address box Type your subnet mask in the Subnet mask box Type the IP address of your ZyXEL Device in the Router address box 5 Click Apply Now and close the window 6 Turn on your ZyXEL Device and restart your computer if prompted Verifying Settings Check your TCP IP properties in the Network window Linux This section shows you how to configure your computer s TCP IP settings in Red Hat Linux 9 0 Procedure screens and file location may vary depending on your Linux distribution and release version Note Make sure you are logged in as the root administrator Using the K Desktop Environment KDE Follow the steps below to configure your computer IP address using the KDE 1 Click the Red Hat button located on the bottom left corner select System Setting and click Network Figure 168 Red Hat 9 0 KDE Network Configuration Devices File Profile Help 9 44 5 89 2 New Edit Copy Delete Activate Deactivate Devices Hardware DNS Hosts jac You may configure network devices associated with 3 o physical hardware here Multiple logical devices can be T associated with a single piece of hardware Profile Status Device Nickname Type A Inactive ethO ethO Eth
249. ging SSID4 C Fixed Forbidden Tx Tagging PVC1 Fixed C Forbidden Tx Tagging P C2 C Fixed Forbidden Tx Tagging PVC3 C Fixed Forbidden Tx Tagging PVC4 C Fixed Forbidden Tx Tagging PVC5 C Fixed Forbidden Tx Tagging P YC6 C Fixed Forbidden Tx Tagging PVC7 C Fixed Forbidden Tx Tagging PVC8 C Fixed Forbidden Tx Tagging To set a high priority for VoIP traffic follow these steps 1 Click Advanced gt 802 1Q 1P gt Port Setting to display the following screen 2 Type2inthe 802 1Q PVID column for LAN1 LAN2 and PVC1 3 Select 7 from the 802 1P Priority drop down list box for LAN1 LAN2 and PVC1 P 660HW Tx v3 Series User s Guide Chapter 15 802 1Q 1P 4 Click Apply soup Setting MAUI Crer enzun pv onzi Paoa LAN1 iz zl LAN2 1 x LAN3 fr same gt LAN4 Same SSID1 It same SSID2 IE same v SSID3 I same v SSID4 same gt PVCI Hmm zl PYC2 Same v PVC3 I Same gt PYC4 Same PVC5 z Same PYC6 Same PYC7 same v PVC8 LI Same v Cancel Ports 3 and 4 are connected to desktop computers and are used for Internet traffic You want to create low priority for this type of traffic so you want to group these ports and PVC2 into one VLAN VLAN3 PVC2 priority is set to low level of service SSID1 and SSID2 are two wireless networks You want to create medium pr
250. hapter 6 WAN Setup Table 23 Network WAN More Connections Edit Advanced Setup continued LABEL DESCRIPTION ATM QoS Type Select CBR Continuous Bit Rate to specify fixed always on bandwidth for voice or data traffic Select UBR Unspecified Bit Rate for applications that are non time sensitive such as e mail Select VBR nRT Variable Bit Rate non Real Time or VBR RT Variable Bit Rate Real Time for bursty traffic and bandwidth sharing with other applications Peak Cell Rate Divide the DSL line rate bps by 424 the size of an ATM cell to find the Peak Cell Rate PCR This is the maximum rate at which the sender can send cells Type the PCR here Sustain Cell Rate The Sustain Cell Rate SCR sets the average cell rate long term that can be transmitted Type the SCR which must be less than the PCR Note that system default is O cells sec Maximum Burst Size Maximum Burst Size MBS refers to the maximum number of cells that can be sent at the peak rate Type the MBS which is less than 65535 MTU MTU The Maximum Transmission Unit MTU defines the size of the largest packet allowed on an interface or connection Enter the MTU in this field For ENET ENCAP the MTU value is 1500 For PPPoE the MTU value is 1492 For PPPoA and RFC the MTU is 65535 Packet Filter Incoming Filter Sets Protocol Filter Select the protocol filter s to control incoming traf
251. have a RADIUS server If your wireless devices support nothing stronger than WEP use the highest encryption level available Figure 48 Network gt Wireless LAN gt AP Static WEP WEP Key q Note Common Setup Network Name SSID ZyXELO1 Cl Hide ssip Security Mode Passphrase The different WEP key lengths configure different strength security 40 64 bit or 128 bit respectively Your wireless client must match the security strength set on the router Please type exactly 5 or 13 characters Please type exactly 10 or 26 characters using only the numbers 0 9 and the letters A F Static WEP Generate The following table describes the wireless LAN security labels in this screen Table 31 Network gt Wireless LAN gt AP Static WEP LABEL DESCRIPTION Security Mode Choose Static WEP from the drop down list box Passphrase Enter a passphrase up to 32 printable characters and click Generate The ZyXEL Device automatically generates a WEP key WEP Key The WEP key is used to encrypt data Both the ZyXEL Device and the wireless stations must use the same WEP key for data transmission If you want to manually set the WEP key enter any 5 or 13 characters ASCII string or 10 or 26 hexadecimal characters 0 9 A F for a 64 bit or 128 bit WEP key respectively P 660HW Tx v3 Series User s Guide Chapter 8 Wireless LAN 8 2 3 WPA 2 PSK Use this screen to
252. he specified PVC This option is available only when the WAN type is ADSL Select To Gateway Address to route the matched packets to the router or switch you specified in the Gateway Address field WAN Index Select a PVC index number Gateway Enter the IP address of the gateway which should be a router or Address switch on the same segment as the ZyXEL Device s interface s that can forward the packet to the destination Order This shows the ordering number of this classifier Select an existing number for where you want to put this classifier and click Apply to move the classifier to the number you selected For example if you select 2 the classifier you are moving becomes number 2 and the previous classifier 2 gets pushed down one Tag Configuration DSCP Value Select Same to keep the DSCP fields in the packets Select Auto to map the DSCP value to 802 1 priority level automatically Select Mark to set the DSCP field with the value you configure in the field provided P 660HW Tx v3 Series User s Guide Chapter 16 Quality of Service QoS Table 76 Advanced QoS Class Setup Edit continued LABEL DESCRIPTION 802 1Q Tag Select Same to keep the priority setting and VLAN ID of the frames Select Auto to map the 802 1 priority level to the DSCP value automatically Select Remove to delete the priority queue tag and VLAN ID of the frames
253. he ZyXEL Device W to W ZyXEL WAN to WAN ACL set for packets traveling from the WAN to the Device ZyXEL Device WAN or the ZyXEL Device Table 105 ICMP Notes TYPE CODE DESCRIPTION 0 Echo Reply 0 Echo reply message 3 Destination Unreachable 0 Net unreachable 1 Host unreachable 2 Protocol unreachable 3 Port unreachable 4 A packet that needed fragmentation was dropped because it was set to Don t Fragment DF 5 Source route failed P 660HW Tx v3 Series User s Guide Chapter 21 Logs Table 105 ICMP Notes continued TYPE CODE DESCRIPTION 4 Source Quench 0 A gateway may discard internet datagrams if it does not have the buffer space needed to queue the datagrams for output to the next network on the route to the destination network 5 Redirect 0 Redirect datagrams for the Network 1 Redirect datagrams for the Host 2 Redirect datagrams for the Type of Service and Network 3 Redirect datagrams for the Type of Service and Host 8 Echo 0 Echo message ig Time Exceeded 0 Time to live exceeded in transit 1 Fragment reassembly time exceeded 12 Parameter Problem 0 Pointer indicates the error 13 Timestamp 0 Timestamp request message 14 Timestamp Reply 0 Timestamp reply message 15 Information Request 0 Information request message 16 Information Reply 0 Information reply message Table 106 Syslog Logs LOG MESSAGE DESCRI
254. he below Push Button to add WPS stations to wireless network Or input station s PIN number q Note 1 The Push Button Configuration requires pressing a button on both the station and AP within 120 seconds 2 You may find the PIN number in the station s utility Note Your ZyXEL Device has a WPS button located on its rear panel as well as a WPS button in its configuration utility Both buttons have exactly the same function you can use one or the other Note It doesn t matter which button is pressed first You must press the second button within two minutes of pressing the first one The ZyXEL Device sends the proper configuration settings to the wireless client This may take up to two minutes The wireless client is then able to communicate with the ZyXEL Device securely P 660HW Tx v3 Series User s Guide Chapter 4 Tutorials The following figure shows you an example of how to set up a wireless network and its security by pressing a button on both ZyXEL Device and wireless client Wireless Client ZyXEL Device WITHIN 2 MINUTES D f Press and hold for more than 5 seconds SECURITY INFO nummmmmmmmmmmm COMMUNICATION K a P 660HW Tx v3 Series User s Guide Chapter 4 Tutorials PIN Configuration When you use the PIN configuration method you need to use both the ZyXEL Device s web configurator and the wireless client s utility Launch your wireless client
255. he time of writing WDS is compatible with other ZyXEL APs only Not all models support WDS links Check your other AP s documentation P 660HW Tx v3 Series User s Guide 153 Chapter 8 Wireless LAN Click Network gt Wireless LAN gt WDS The following screen displays Figure 57 Network gt Wireless LAN gt WDS Link Setup TKIP O AES ERN er ao I 2 3 4 Enable WDS Security ZyAIR Series Compatible 0 00 00 00 00 00 09010 0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 The following table describes the labels in this screen Table 40 Network gt Wireless LAN gt WDS LABEL DESCRIPTION Enable WDS Select this option and the type of the key used to encrypt data between Security APs All the wireless APs including the ZyXEL Device must use the same pre shared key for data transmission If you de select this option the data sent between APs is not encrypted Anyone can read it TKIP Select this to use TKIP Temporal Key Integrity Protocol encryption AES Select this to use AES Advanced Encryption Standard encryption This is the index number of the individual WDS link Active Select this to activate the link between the ZyXEL Device and the peer device to which this entry refers When you do not select the check box this link is down Remote Bridge MAC Address Type the MAC address of the peer device in a valid MAC address format s
256. his field blank to delete this static route Destination IP This parameter specifies the IP network address of the final destination Address Routing is always based on network number If you need to specify a route to a single host use a subnet mask of 255 255 255 255 in the subnet mask field to force the network number to be identical to the host ID IP Subnet Enter the IP subnet mask here Mask Gateway Type Use either Gateway Address or Gateway Node to configure a static route P 660HW Tx v3 Series User s Guide Chapter 14 Static Route Table 70 Advanced Static Route Edit LABEL DESCRIPTION Gateway IP This field is available when you select Gateway Address from Gateway Address Type Enter the IP address of the gateway The gateway is a router or switch on the same network segment as the device s LAN or WAN port The gateway helps forward packets to their destinations Gateway Node This field is available when you select Gateway Node from Gateway Type Select a remote node to set the static route A remote note is a connection point outside of the local area network One example of a remote node is your connection to your ISP See Section 6 3 on page 107 for details on configuring a remote node Back Click this to return to the previous screen without saving Apply Click this to save your changes Cancel Click this to restore your previously saved settings
257. iai 61 4 6 1 Registering a DDNS Account on www dyndns org eseeseeeeerenes 62 4 6 2 Configuring DDNES on Yo r ZyXEL DeVvieis ii ue iik rdbase iaaa anaana 62 4 6 3 Adding a Firewall Rule for Remote Management sese 63 ADA Testing the DONS Sa dicus andi i ona RH da rtp i dua a TAA Uds 64 4 7 Configuring Static Route for Routing to Another Network see 65 4 8 Multiple Public and Private IP Address Mappings eeeeeem 67 4 8 1 Full Feature NAT Many to Many No Overload Mapping esee 68 4 8 2 Full Feature NAT One to One Mapping eesssseseseeeeeeen nnne 70 4 9 Multiple WAN Connections EXamplg 24e eerte rra an Evers ee aan E LR ERE Ene dan 71 MIS oo uei ji ER ER TEN 72 4 10 1 Configuring Multiple PVCs and ATM Q0S sse nnns 73 4 10 2 Gonigurng Trafiie DESSENIBEB docsdaspeonset ano ket adeo dose ecd acra Rees 76 4 d r eee 81 Chapter 5 Internet and Wireless Setup Wizard eeseeeeeeeeeeeeeeee eene ee nennen nnne 83 CM RI SI eee E SOMME Te Eee DEED IS 83 52 neme Access Wizard SEUD em 83 zT Mamia Omi URGE aoa ebria aN ord oec EAE 86 12 P 660HW Tx v3 Series User s Guide Table of Contents 5 3 Wireless Connection Wizard SAUD eai erri pa rep a mani ecc a a bn d o RO agp RR e 92 5 3 1 Manually Assign a WPA PSK Key uiuis er iaside
258. ically base on the IEEE 802 1p priority level IP precedence and or packet length to assign priority to traffic which does not match a class The following table shows you the internal layer 2 and layer 3 QoS mapping on the ZyXEL Device On the ZyXEL Device traffic assigned to higher priority queues P 660HW Tx v3 Series User s Guide 267 Chapter 16 Quality of Service QoS gets through faster while traffic in lower index queues is dropped if the network is congested Table 79 Internal Layer2 and Layer3 QoS Mapping LAYER 2 LAYER 3 PRIORITY IEEE 802 1P QUEUE USER PRIORITY TOS IP DSCP IP PACKET ETHERNET PRECEDENCE LENGTH BYTE PRIORITY 0 1 0 000000 1 2 2 0 0 000000 gt 1100 3 3 1 001110 250 1100 001100 001010 001000 4 4 2 010110 010100 010010 010000 5 5 3 011110 lt 250 011100 011010 011000 6 6 4 100110 100100 100010 100000 5 101110 101000 7 7 6 110000 7 111000 P 660HW Tx v3 Series User s Guide Dynamic DNS Setup 17 1 Overview Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you in NetMeeting CU SeeMe etc You can also access your FTP server or Web site on your own computer using a domain name for instance myhost dhs org where myhost is a name of your choice that will never change instead of using an IP address that changes each time you reconnect Y
259. ically used for video that consumes high bandwidth and is sensitive to jitter Level 4 Typically used for controlled load latency sensitive traffic such as SNA Systems Network Architecture transactions Level 3 Typically used for excellent effort or better than best effort and would include important business traffic that can tolerate some delay Level 2 This is for spare bandwidth Level 1 This is typically used for non critical background traffic such as bulk transfers that are allowed but that should not affect other applications and users Level 0 Typically used for best effort traffic 16 5 2 IP Precedence Similar to IEEE 802 1p prioritization at layer 2 you can use IP precedence to prioritize packets in a layer 3 network IP precedence uses three bits of the eight bit ToS Type of Service field in the IP header There are eight classes of services ranging from zero to seven in IP precedence Zero is the lowest priority level and seven is the highest P 660HW Tx v3 Series User s Guide Chapter 16 Quality of Service QoS 16 5 3 DiffServ QoS is used to prioritize source to destination traffic flows All packets in the flow are given the same priority You can use CoS class of service to give different priorities to different packet types Differentiated Services DiffServ is a Class of Service CoS model that marks packets so that they receive specific per hop treatment at DiffServ compliant
260. ice again Figure 133 Firmware Upload In Progress Firmware Upload In Progress Do not Turn Off the Device Please Wait Please wait for the device to finish restarting PWR LED is on steady This should take about two minutes To access the device after a successful firmware upload you need to log in again Check your new firmware version in the system status menu The ZyXEL Device automatically restarts in this time causing a temporary network disconnect In some operating systems you may see the following icon on your desktop Figure 134 Network Temporarily Disconnected D Local Area Connection Network cable unplugged After two minutes log in again and check your new firmware version in the Status screen P 660HW Tx v3 Series User s Guide Chapter 22 Tools If the upload was not successful the following screen will appear Click Return to go back to the Firmware screen Figure 135 Error Message System Upload Firmware upload error The uploaded file was not accepted by the device Please return to the previous page and select a valid upgrade file Click Help for more information Return 22 3 The Configuration Screen See Section 22 1 4 on page 317 for transferring configuration files using FTP TFTP commands Click Maintenance gt Tools gt Configuration Information related to factory defaults backup configuration and restoring configuration appears in this scr
261. ices on a network from a DHCP Server Often your ISP or a router on your network performs this function LAN A LAN local area network is typically a network which covers a small area made up of computers and other devices which share resources such as Internet access printers etc P 660HW Tx v3 Series User s Guide Chapter 20 System Settings 20 2 The General Screen Use this screen to configure system settings such as the system and domain name inactivity timeout interval and system password The System Name is for identification purposes However because some ISPs check this name you should enter your computer s Computer Name Find the system name of your Windows computer by following one of the steps below n Windows 95 98 click Start Settings Control Panel Network Click the Identification tab note the entry for the Computer Name field and enter it as the System Name n Windows 2000 click Start Settings Control Panel and then double click System Click the Network Identification tab and then the Properties button Note the entry for the Computer name field and enter it as the System Name In Windows XP click start My Computer View system information and then click the Computer Name tab Note the entry in the Full computer name field and enter it as the ZyXEL Device System Name Click Maintenance System to open the General screen Figure 124 Maintenance System General System Setup
262. iguration Use this screen to backup and restore your device s configuration settings or reset the factory default settings Restart This screen allows you to reboot the ZyXEL Device without turning the power off Diagnostic General Use this screen to test the connections to other devices DSL Line These screen displays information to help you identify problems with the DSL connection 2 2 3 Main Window The main window displays information and configuration fields It is discussed in the rest of this document Right after you log in the Status screen is displayed See Chapter 3 on page 35 for more information about the Status screen 2 2 4 Status Bar Check the status bar when you click Apply or OK to verify that the configuration has been updated P 660HW Tx v3 Series User s Guide Status Screens 3 1 Overview Use the Status screens to look at the current status of the device system resources and interfaces LAN and WAN The Status screen also provides detailed information from Any IP and DHCP and statistics from bandwidth management and traffic 3 2 The Status Screen Use this screen to view the status of the ZyXEL Device Click Status to open this screen Figure 7 Status Screen Refresh Interval None v Host Name System Uptime 0 10 01 Model Number P 660HW T1 v3 Current Date Time 01 01 2000 01 13 42 MAC Address 00 02 cf de ee 53 System Mode Routing Sridging ZyNOS Firmware Version V3
263. in the General screen This is your firewall rule number The ordering of your rules is important as rules are applied in turn Active This field displays whether a firewall is turned on or not Select the check box to enable the rule Clear the check box to disable the rule Source IP This drop down list box displays the source addresses or ranges of addresses to which this firewall rule applies Please note that a blank source or destination address is equivalent to Any P 660HW Tx v3 Series User s Guide Chapter 10 Firewalls Table 53 Security gt Firewall gt Rules continued LABEL DESCRIPTION Destination IP This drop down list box displays the destination addresses or ranges of addresses to which this firewall rule applies Please note that a blank source or destination address is equivalent to Any Service This drop down list box displays the services to which this firewall rule applies See Appendix E on page 411 for more information Action This field displays whether the firewall silently discards packets Drop discards packets and sends a TCP reset packet or an CMP destination unreachable message to the sender Reject or allows the passage of packets Permit Schedule This field tells you whether a schedule is specified Yes or not No Log This field shows you whether a log is created when packets match this rule Yes or not No
264. ination on the computer and renames it config rom Configuration Backup Using GUI based TFTP Clients The following table describes some of the fields that you may see in GUI based TFTP clients Table 110 General Commands for GUI based TFTP Clients COMMAN DESCRIPTION Host Enter the IP address of the ZyXEL Device 192 168 1 1 is the ZyXEL Device s default IP address when shipped Send Use Send to upload the file to the ZyXEL Device and Fetch to back up the Fetch file on your computer Local File Enter the path and name of the firmware file bin extension or configuration file rom extension on your computer Remote This is the filename on the ZyXEL Device The filename for the firmware is File ras and for the configuration file is rom 0 P 660HW Tx v3 Series User s Guide Chapter 22 Tools Table 110 General Commands for GUI based TFTP Clients continued COMMAN DESCRIPTION Binary Transfer the file in binary mode Abort Stop transfer of the file Refer to Section 22 1 2 on page 316 to read about configurations that disallow TFTP and FTP over WAN 22 2 The Firmware Screen Click Maintenance gt Tools to open the Firmware screen Follow the instructions in this screen to upload firmware to your ZyXEL Device The upload process uses HTTP Hypertext Transfer Protocol and may take up to two minutes After a successful upload the system will reboot Se
265. ing Local End IP This is the end Inside Local IP Address ILA If the rule is for all local IP addresses then this field displays 0 0 0 0 as the Local Start IP address and 255 255 255 255 as the Local End IP address This field is N A for One to one and Server mapping types Global Start This is the starting Inside Global IP Address IGA Enter 0 0 0 0 here if IP you have a dynamic IP address from your ISP You can only do this for Many to One and Server mapping types P 660HW Tx v3 Series User s Guide Chapter 9 Network Address Translation NAT Table 47 Network NAT Address Mapping continued LABEL DESCRIPTION Global End IP This is the ending Inside Global IP Address IGA This field is N A for One to one Many to One and Server mapping types Type 1 1 One to one mode maps one local IP address to one global IP address Note that port numbers do not change for the One to one NAT mapping type M 1 Many to One mode maps multiple local IP addresses to one global IP address This is equivalent to SUA i e PAT port address translation ZyXEL s Single User Account feature that previous ZyXEL routers supported only M M Ov Overload Many to Many Overload mode maps multiple local IP addresses to shared global IP addresses MM No No Overload Many to Many No Overload mode maps each local P address to unique global IP addresses Server This type allows you to specify insi
266. ing your current computer configuration to your device since FTP is faster Please note that you must wait for the system to automatically restart after the file transfer is complete Do not interrupt the file transfer process as this may PERMANENTLY DAMAGE your device When the Restore Configuration process is complete the device automatically restarts P 660HW Tx v3 Series User s Guide 317 Chapter 22 Tools Restore Using FTP Session Example Figure 129 Restore Using FTP Session Example ftp put config rom rom 0 200 Port command okay 150 Opening data connection for STOR rom 0 226 File received OK 221 Goodbye for writing flash ftp 16384 bytes sent in 0 06Seconds 273 07Kbytes sec ftp quit Refer to Section 22 1 2 on page 316 to read about configurations that disallow TFTP and FTP over WAN FTP and TFTP Firmware and Configuration File Uploads These examples show you how to upload firmware and configuration files Do not interrupt the file transfer process as this may PERMANENTLY DAMAGE your device FTP is the preferred method for uploading the firmware and configuration To use this feature your computer must have an FTP client The following sections give examples of how to upload the firmware and the configuration files FTP File Upload Command from the DOS Prompt Example Launch the FTP client on your computer Enter open followed by a space and the IP address of your device Press ENTER
267. ion Use this feature to have the ZyXEL Device assign IP addresses an IP default gateway and DNS servers to computers on your Protocol network Your device can also act as a surrogate DHCP server DHCP Relay where it relays IP address assignment from the actual real DHCP server to the clients Dynamic DNS With Dynamic DNS Domain Name System support you can use Support a fixed URL www zyxel com for example with a dynamic IP address You must register for this service with a Dynamic DNS service provider P Multicast IP multicast is used to send traffic to a specific group of computers The ZyXEL Device supports versions 1 and 2 of IGMP Internet Group Management Protocol used to join multicast groups see RFC 2236 Time and Date Get the current time and date from an external server when you turn on your ZyXEL Device You can also set the time manually These dates and times are then used in logs Logs Use logs for troubleshooting You can send logs from the ZyXEL Device to an external syslog server P 660HW Tx v3 Series User s Guide Chapter 25 Product Specifications Table 116 Firmware Specifications continued Universal Plug and A UPnP enabled device can dynamically join a network obtain an Play UPnP IP address and convey its capabilities to other devices on the network Firewall Your device has a stateful inspection firewall with DoS Denial of Service protection By
268. iority for this type of traffic so you want to group these ports and PVC3 into one VLAN VLANA PVC3 priority is set to medium level of service P 660HW Tx v3 Series User s Guide 247 Chapter 15 802 1Q 1P Follow the same steps as in VLAN2 to configure the settings for VLAN3 and VLANA The summary screen should then display as follows Group Setting Port Setting 802 10 1P Active ri Management Vlan ID fi Summary LAN2 LAN4 1 Default 1 H M u u 2 VoIP 2 E u 3 Data 3 M 4 Wireless 4 5 6 Port Number PVC1 PYC3 PYCS PYC PYC2 PYC4 PVC6 PYC8 u u u u u u u u g T ge ii s s F gu E i ws EP w g Ou EP Ou BP ui x wf EP Ou EP ui EP u Cancel This completes the 802 1Q 1P setup P 660HW Tx v3 Series User s Guide Chapter 15 802 1Q 1P 15 2 The 802 1Q 1P Group Setting Screen Use this screen to activate 802 1Q 1P and display the VLAN groups Click Advanced 802 1Q 1P to display the following screen Figure 104 Advanced gt 802 1Q 1P gt Group Setting Group Setting Port Setting 802 10 1P Active 1 Management Vlan ID Ro Summary Port Number LANL m LANS SSID1 SSID3 I PVC1 lp PYC3 PVCS PVC7 GM LONE i SSID4 lp wc IP A TUE T ps4 Apply 1 Default Lupus B t gt w s 5 g a EEEE ed er ES P I ba a a a a ve 5 a ao F ao B ou i I2
269. ird field User Name Password Service Name optional Note Device is automatically configured to obtain an IP address automatically The ISP will assigns you a different one each time you connect to the Internet Eum P 660HW Tx v3 Series User s Guide Chapter 5 Internet and Wireless Setup Wizard The following table describes the fields in this screen Table 11 Internet Connection with PPPoE LABEL DESCRIPTION User Name Enter the user name exactly as your ISP assigned If assigned a name in the form user domain where domain identifies a service name then enter both components exactly as given Password Enter the password associated with the user name above Service Type the name of your PPPoE service here Name Back Click this to return to the previous screen without saving Apply Click this to save your changes Exit Click this to close the wizard screen without saving Figure 19 Internet Connection with RFC 1483 ffi Internet Configuration IP Address P 660HW Tx v3 Series User s Guide Chapter 5 Internet and Wireless Setup Wizard The following table describes the fields in this screen Table 12 Internet Connection with RFC 1483 LABEL DESCRIPTION IP Address This field is available if you select Routing in the Mode field Type your ISP assigned IP address in this field Back Click this to return to the previous screen without saving N
270. ireless LAN Figure 190 Peer to Peer Communication in an Ad hoc Network A Basic Service Set BSS exists when all communications between wireless clients or between a wireless client and a wired network client go through one access point AP Intra BSS traffic is traffic between wireless clients in the BSS When Intra BSS is enabled wireless client A and B can access the wired network and communicate P 660HW Tx v3 Series User s Guide Appendix D Wireless LANs with each other When Intra BSS is disabled wireless client A and B can still access the wired network but cannot communicate with each other Figure 191 Basic Service Set BSS i RG i Ff b A 1 ESS An Extended Service Set ESS consists of a series of overlapping BSSs each containing an access point with each access point connected together by a wired network This wired connection between APs is called a Distribution System DS This type of wireless LAN topology is called an Infrastructure WLAN The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood P 660HW Tx v3 Series User s Guide Appendix D Wireless LANs An ESSID ESS IDentification uniquely identifies each ESS All access points and their associated wireless clients within the same ESS must have the same ESSID in order to communicate Figure 192 Infrastructure WLAN
271. irewall rules Note the order in which the rules are listed Figure 78 Security gt Firewall gt Rules Rules owi Firewall Rules Storage Space in Use 1 Packet Direction Create a new rule after rule number o Add Active source Te Destination 1 service Action fechedula Log Modify onder 100 Jian to LAN Router Apply Cancel The following table describes the labels in this screen Table 53 Security gt Firewall gt Rules Space in Use LABEL DESCRIPTION Firewall Rules This read only bar shows how much of the ZyXEL Device s memory for Storage recording firewall rules it is currently using When you are using 80 or less of the storage space the bar is green When the amount of space used is over 80 the bar is red Packet Direction Use the drop down list box to select a direction of travel of packets for which you want to configure firewall rules Create a new rule after rule number Select an index number and click Add to add a new firewall rule after the selected index number For example if you select 6 your new rule becomes number 7 and the previous rule 7 if there is one becomes rule 8 The following read only fields summarize the rules you have created that apply to traffic traveling in the selected packet direction The firewall rules that you configure summarized below take priority over the general firewall action settings
272. is screen shows a summary of the firewall rules and allows you to edit add a firewall rule Threshold Use this screen to configure the thresholds for determining when to drop sessions that do not become fully established Content Filter Keyword Use this screen to block access to web sites containing certain keywords in the URL Schedule Use this screen to set the days and times for your device to perform content filtering Trusted Use this screen to exclude a range of users on the LAN from content filtering Packet Filter Use this screen to configure the rules for protocol and generic filter sets Certificates Trusted CAs Use this screen to save CA certificates to the ZyXEL Device Advanced Static Route Use this screen to configure IP static routes to tell your device about networks beyond the directly connected remote nodes 802 1Q 1P Group Setting Use this screen to activate 802 1Q 1P specify the management VLAN group display the VLAN groups and configure the settings for each VLAN group Port Setting Use this screen to configure the PVID and assign traffic priority for each port Qos General Use this screen to enable QoS and traffic prioritizing and configure bandwidth management on the WAN Class Setup Use this screen to define a classifier Monitor Use this screen to view each queue s statistics Dynamic DNS This screen allows you to use a static hostname alias for a
273. is the index number of an associated wireless station MAC Address This field displays the MAC Media Access Control address of an associated wireless station Association This field displays the time a wireless station first associated with the Time ZyXEL Device Refresh Click this to reload this screen 3 5 Any IP Table Click Status gt AnyIP Table to access this screen Use this screen to view the IP address and MAC address of each computer that is using the ZyXEL Device but is in a different subnet than the ZyXEL Device Figure 9 Any IP Table AnyIP Table a OO aP adaress O ERR address Refresh P 660HW Tx v3 Series User s Guide Chapter 3 Status Screens Each field is described in the following table Table 6 Any IP Table LABEL DESCRIPTION This field is a sequential value It is not associated with a specific entry IP Address This field displays the IP address of each computer that is using the ZyXEL Device but is in a different subnet than the ZyXEL Device MAC Address This field displays the MAC address of the computer that is using the ZyXEL Device but is in a different subnet than the ZyXEL Device Refresh Click this to update this screen 3 6 Packet Statistics Read only information here includes port status and packet specific statistics Also provided are system up time and poll interval s The Poll Interval s field is configu
274. is the number of your customized port Click a rule s number of a service to go to the Firewall Customized Services Config screen to configure or edit a customized service Name This is the name of your customized service Protocol This shows the IP protocol TCP UDP or TCP UDP that defines your customized service Port This is the port number or range that defines your customized service Back Click this to return to the Firewall Edit Rule screen P 660HW Tx v3 Series User s Guide Chapter 10 Firewalls 10 3 3 Configuring a Customized Service Use this screen to add a customized rule or edit an existing rule Click a rule number in the Firewall Customized Services screen to display the following screen Figure 81 Security Firewall Rules Edit Edit Customized Services Config Config Service Name Service Type Port Configuration Type Port Number Back SSS TCP UDP single Port Range From 0 To o Apply Cancel Delete The following table describes the labels in this screen Table 56 Security gt Firewall gt Rules Edit Edit Customized Services Config LABEL DESCRIPTION Config Service Type a unique name for your custom port Name Service Type Choose the IP port TCP UDP or TCP UDP that defines your customized port from the drop down list box Port Configuration Type Click Single to specify one port only or Range t
275. ity Content Filter to display the following screen Select Active Keyword Blocking In the Keyword field type keywords to identify websites to be blocked Click Add Keyword for each keyword to be entered Click Apply Keyword M Active Keyword Blocking Block Websites that contain these keywords in the URL Delete Delete Clear All Keyword hacking Add Keyword Apply Cancel Bob s son arrives home from school at four while his parents arrive later at about 7pm So keyword blocking is enabled for these times on weekdays and not on the weekend when the parents are at home Click Security gt Content Filter gt Schedule Click Edit Daily to Block and select all weekdays Under Start Time and End Time type the times for blocking to begin and end 4pm 7pm in this example P 660HW Tx v3 Series User s Guide Chapter 11 Content Filtering 4 Click Apply Schedule Block Everyday Iv Edit Daily to Block a acies st Time Monday Vv 16 ndo min i9 ndo min Tuesday Vv 16 ndo min 19 to min Wednesday iv 16 ho min i9 h0 min Thursday Vv 16 ndo min iS ho min Friday iv t6 no min 19 ndo min Saturday 1 fo ho min o ho min Sunday E 0 hdo min jo ho min Apply Cancel The children can access the family computer in the living room while only the parents use another computer in the study room So keyword blocking is only needed on the family computer and the
276. ix hexadecimal character pairs for example 12 34 56 78 9a bc PSK Enter a Pre Shared Key PSK from 8 to 63 case sensitive ASCII characters including spaces and symbols Apply Click this to save your changes Cancel Click this to restore your previously saved settings P 660HW Tx v3 Series User s Guide Chapter 8 Wireless LAN 8 7 The Scheduling Screen Use the wireless LAN scheduling to configure the days you want to enable or disable the wireless LAN Click Network gt Wireless LAN gt Scheduling The following screen displays Figure 58 Network Wireless LAN Scheduling Deen Wireless LAN Scheduling Cl Enable Wireless LAN Scheduling WLAN status Day The following times_ 24 Hour Format O oft 9 on O Everyday 00 m hour o0 fai min 00 v hour 00 m min O off on C mon 00 hour 00s min 00 hour 00 m min Oof on Cte 00 hour 00s min 00 fae hour 00 m min Oof on Owed 00 m Chour 00 at min 00 v hour 00 v min O off on O thu 00 hour 00 x min 00 fae hour 00 i min O off on O rri 00 hour 00 s min 00 hour 00 m min O off on O sat 00 at hour 00 fa min 00 hour 00 v min off on L sun 00 hour 00 min 00 hour 90 min q NUS Sjey Me ni pep aul amd nenien heda
277. k gt WAN gt Internet Access Setup Advanced Setup LABEL DESCRIPTION RIP amp Multicast This section is not available when you configure the ZyXEL Device to Setup be in bridge mode RIP Direction RIP Routing Information Protocol allows a router to exchange routing information with other routers Use this field to control how much routing information the ZyXEL Device sends and receives on the subnet Select the RIP direction from None Both In Only and Out Only RIP Version This field is not configurable if you select None in the RIP Direction field Select the RIP version from RI P 1 RI P 2B and RI P 2M P 660HW Tx v3 Series User s Guide Chapter 6 WAN Setup Table 20 Network WAN Internet Access Setup Advanced Setup continued LABEL DESCRIPTION Multicast Multicast packets are sent to a group of computers on the LAN and are an alternative to unicast packets packets sent to one computer and broadcast packets packets sent to every computer Internet Group Multicast Protocol IGMP is a network layer protocol used to establish membership in a multicast group The ZyXEL Device supports I GMP v1 I GMP v2 and IGMP v3 Select None to disable it ATM QoS ATM QoS Type Select CBR Continuous Bit Rate to specify fixed always on bandwidth for voice or data traffic Select UBR Unspecified Bit Rate for applications that are non time sensitive such as e mail Select VBR RT
278. kets to a group of hosts on the network not everybody and not just 1 132 P 660HW Tx v3 Series User s Guide Chapter 7 LAN Setup IGMP Internet Group Multicast Protocol is a network layer protocol used to establish membership in a Multicast group it is not used to carry user data IGMP version 2 RFC 2236 is an improvement over version 1 RFC 1112 but IGMP version 1 is still in wide use IGMP version 3 supports source filtering reporting or ignoring traffic from specific source address to a particular host on the network If you would like to read more detailed information about interoperability between IGMP version 2 and version 1 please see sections 4 and 5 of RFC 2236 The class D IP address is used to identify host groups and can be in the range 224 0 0 0 to 239 255 255 255 The address 224 0 0 0 is not assigned to any group and is used by IP multicast computers The address 224 0 0 1 is used for query messages and is assigned to the permanent group of all IP hosts including gateways All hosts must join the 224 0 0 1 group in order to participate in IGMP The address 224 0 0 2 is assigned to the multicast routers group The ZyXEL Device supports IGMP version 1 IGMP v1 IGMP version 2 I GMP v2 and IGMP version 3 I GMP v3 At start up the ZyXEL Device queries all directly connected networks to gather group membership After that the ZyXEL Device periodically updates this information IP multicasting can be enabled
279. key in the Wireless LAN setup screen to set up a Pre Shared Key Figure 27 Manually Assign a WPA PSK key fa Wireless LAN Pre Shared Key 12345578 Pre Shared Key to authentic made up t the password you u se Ned gt es The following table describes the labels in this screen Table 17 Manually Assign a WPA PSK key LABEL DESCRIPTION Pre Shared Type from 8 to 63 case sensitive ASCII characters You can set up the most Key secure wireless connection by configuring WPA in the wireless LAN screens You need to configure an authentication server to do this Back Click this to return to the previous screen without saving Next Click this to continue to the next wizard screen Exit Click this to close the wizard screen without saving P 660HW Tx v3 Series User s Guide Chapter 5 Internet and Wireless Setup Wizard 5 3 2 Manually Assign a WEP Key Choose Manually assign a WEP key to setup WEP Encryption parameters Figure 28 Manually Assign a WEP key On the last page of the Wireless Setup wizard you will have a chance write down this key and your network settings for safekeeping The following table describes the labels in this screen Table 18 Manually Assign a WEP key LABEL DESCRIPTION Key The WEP keys are used to encrypt data Both the ZyXEL Device and the wireless stations must use the same WEP key for data transmission Enter any 5 or 13 ASCII characters or 1
280. l not have access to the network If this happens open the access point s configuration interface and look at the list of associated clients usually displayed by MAC address It does not matter if the access point is the WPS registrar the enrollee or was not involved in the WPS handshake a rogue device must still associate with the access point to gain access to the network Check the MAC addresses of your wireless clients usually printed on a label on the bottom of the device If there is an unknown MAC address you can remove it or reset the AP P 660HW Tx v3 Series User s Guide Network Address Translation NAT 9 1 Overview This chapter discusses how to configure NAT on the ZyXEL Device NAT Network Address Translation NAT RFC 1631 is the translation of the IP address of a host in a packet for example the source address of an outgoing packet used within one network to a different IP address known within another network 9 1 1 What You Can Do in the NAT Screens Use the NAT General Setup screen Section 9 2 on page 173 to configure the NAT setup settings Use the Port Forwarding screen Section 9 3 on page 174 to configure forward incoming service requests to the server s on your local network Use the Address Mapping screen Section 9 4 on page 178 to change your ZyXEL Device s address mapping settings Use the SIP ALG screen Section 9 5 on page 181 to enable and disable the SIP VoIP ALG in the Z
281. ld displays the date that the certificate becomes applicable The text displays in red and includes a Not Yet Valid message if the certificate has not yet become applicable Valid To This field displays the date that the certificate expires The text displays in red and includes an Expiring or Expired message if the certificate is about to expire or has already expired Modify Click the Edit icon to open a screen with an in depth list of information about the certificate Click the Remove icon to remove the certificate A window displays asking you to confirm that you want to delete the certificates Note that subsequent certificates move up by one when you take this action Import Click this to open a screen where you can save the certificate of a certification authority that you trust from your computer to the ZyXEL Device Refresh Click this to display the current validity status of the certificates P 660HW Tx v3 Series User s Guide Chapter 13 Certificates 13 2 1 Trusted CA Import Follow the instructions in this screen to save a trusted certification authority s certificate to the ZyXEL Device Click Security gt Certificates to open the Trusted CAs screen and then click Import to open the Trusted CA I mport screen Note You must remove any spaces from the certificate s filename before you can import the certificate Figure 98 Trusted CA Import Import Please specify th
282. lection Security Disable wire security Press Finish button to close this wizard or click the following link to open other pages Return to Wizard Main Page Go to Advanced Setup page 7 Launch your web browser and navigate to www zyxel com Internet access is just the beginning Refer to the rest of this guide for more detailed information on the complete range of ZyXEL Device features If you cannot access the Internet open the web configurator again to confirm that the Internet settings you configured in the wizard setup are correct P 660HW Tx v3 Series User s Guide PART Ill Network WAN Setup 99 LAN Setup 119 Wireless LAN 137 Network Address Translation NAT 171 WAN Setup 6 1 Overview This chapter describes how to configure WAN settings from the WAN screens Use these screens to configure your ZyXEL Device for Internet access A WAN Wide Area Network connection is an outside connection to another network or the Internet It connects your private networks such as a LAN Local Area Network and other networks so that a computer in one location can communicate with computers in other locations Figure 31 LAN and WAN 6 1 1 What You Can Do in the WAN Screens Use the Internet Access Setup screen Section 6 2 on page 101 to configure the WAN settings on the ZyXEL Device for Internet access Use the More Connections screen Section 6 3 on page 107 to set up additional Internet acce
283. lick Apply Rule Setup v Active Service Name Start Port End Port Server IP Address Xbox 360 53 53 192 168 1 34 Back Apply cancel 4 Repeat steps 2 and 3 to open the rest of the ports for Xbox 360 The port forwarding settings you configured are listed in the Port Forwarding screen Default Server Setup Default Server Port Forwarding s s S s U N mM 0 0 0 0 Service Name Xbox 360 Xbox 360 Xbox 360 Xbox 360 Server IP Address 0 0 0 0 Add Start Port End Port Server IP Address 192 168 1 34 80 80 192 168 1 34 BG 88 88 192 168 1 34 g 3074 3074 192 168 1 34 EP d Apply cancel P 660HW Tx v3 Series User s Guide Chapter 4 Tutorials Thomas can then connect his Xbox 360 to the Internet and play online games with his friends In this tutorial all port 80 traffic is forwarded to Xbox 360 but port 80 is also the default listening port for remote management via WWW If Thomas also wants to manage the ZyXEL Device from the Internet he has to assign an unused port to WWW remote access Click Advanced gt Remote MGMT to open the WWW screen Enter an unused port in the Port field this example uses 81 Click Apply WWW Port 81 Access Status v Secured Client IP AI O Selected 0 0 0 0 Note 1 For UPn to function normally the HTTP service must be available for
284. lient to search for the ZyXEL Device see Section 4 2 3 on page 50 4 2 2 Using WPS This section shows you how to set up a wireless network using WPS It uses the ZyXEL Device as the AP and ZyXEL NWD210N as the wireless client which connects to the notebook Note The wireless client must be a WPS aware device for example a WPS USB adapter or PCMCIA card There are two WPS methods to set up the wireless client settings Push Button Configuration PBC simply press a button This is the easier of the two methods PIN Configuration configure a Personal Identification Number PIN on the ZyXEL Device A wireless client must also use the same PIN in order to download the wireless network settings from the ZyXEL Device Push Button Configuration PBC 1 Make sure that your ZyXEL Device is turned on and your notebook is within the cover range of the wireless signal 2 Make sure that you have installed the wireless client driver and utility in your notebook P 660HW Tx v3 Series User s Guide Chapter 4 Tutorials 3 In the wireless client utility go to the WPS setting page Enable WPS and press the WPS button Start or WPS button Push and hold the WPS button located on the ZyXEL Device s rear panel for more than 5 seconds Alternatively you may log into ZyXEL Device s web configurator and click the Push Button in the Network gt Wireless LAN gt WPS Station screen Add Station by WPS Click t
285. line is connected enter your Internet access information in the wizard screen exactly as your service provider gave it to you Leave the defaults in any fields for which you were not given information Figure 17 Internet Access Wizard Setup ISP Parameters ffi Internet Configuration uting default if your ISP allows multiple computers to share an Internet account select Bridge mode Encapsulation E t the encapsulation method used by your ISP Your ISP may list ENET ENCAP as Static IP 0 ynamic IP Multiplexing Select the multiplexing type used by your ISP Virtual Circuit ID VPI channel Identifier used by your ISP The The following table describes the fields in this screen Table 10 Internet Access Wizard Setup ISP Parameters LABEL DESCRIPTION Mode Select Routing default from the drop down list box if your ISP give you one IP address only and you want multiple computers to share an Internet account Select Bridge when your ISP provides you more than one IP address and you want the connected computers to get individual IP address from ISP s DHCP server directly If you select Bridge you cannot use Firewall DHCP server and NAT on the ZyXEL Device Encapsulation Select the encapsulation type your ISP uses from the Encapsulation drop down list box Choices vary depending on what you select in the Mode field If you select Bridge in the Mode field sele
286. ll be installed To see what s included in a component click Details Components dB NetMeeting y Phone Dialer 0 2 MB Universal Plug and Play 0 4 MB s Virtual Private Networking 0 0 MB Space used by installed components 42 4 MB Space required 0 0 MB Space available on disk 866 3 MB Description Universal Plug and Play enables seamless connectivity and communication between Windows and intelligent appliances Details 4 Click OK to go back to the Add Remove Programs Properties window and click Next 5 Restart the computer when prompted Installing UPnP in Windows XP Follow the steps below to install the UPnP in Windows XP 1 Click Start and Control Panel 2 Double click Network Connections P 660HW Tx v3 Series User s Guide Chapter 19 Universal Plug and Play UPnP 3 Inthe Network Connections window click Advanced in the main menu and select Optional Networking Components s Network Connections File Edit View Favorites Tools ESSE Help gt Operator Assisted Dialing Q Back PF d 2 5 Dial up Preferences Address e Network Connections Network Identification Bridge Connections Network Tasks Advanced Settings Optional Networking Components IE Aasta nau rannactian 4 The Windows Optional Networking Components Wizard window displays Select Networking Service in the Components selection box and click Det
287. lls that have been received inDiscards is the number of received ATM cells that were rejected outPkts is the number of ATM cells that have been sent outDiscards is the number of ATM cells sent that were rejected inF4Pkts is the number of ATM Operations Administration and Management OAM F4 cells that have been received See ITU recommendation 1 610 for more on OAM for ATM outF4Pkts is the number of ATM OAM F4 cells that have been sent inF5Pkts is the number of ATM OAM F5 cells that have been received outF5Pkts is the number of ATM OAM F5 cells that have been sent openChan is the number of times that the ZyXEL Device has opened a logical DSL channel closeChan is the number of times that the ZyXEL Device has closed a logical DSL channel txRate is the number of bytes transmitted per second rxRate is the number of bytes received per second ATM Loopback Test Click this to start the ATM loopback test Make sure you have configured at least one PVC with proper VPIs VCls before you begin this test The ZyXEL Device sends an OAM F5 packet to the DSLAM ATM switch and then returns it loops it back to the ZyXEL Device The ATM loopback test is useful for troubleshooting problems with the DSLAM and ATM network P 660HW Tx v3 Series User s Guide Chapter 23 Diagnostic Table 114 Maintenance Diagnostic DSL Line continued LABEL DESCRIPTION DSL Line Status Click this to view statisti
288. lobal IP address Many to One In Many to One mode the ZyXEL Device maps multiple local IP addresses to one global IP address This is equivalent to SUA for instance PAT port address translation ZyXEL s Single User Account feature that previous ZyXEL routers supported the SUA Only option in today s routers Many to Many Overload In Many to Many Overload mode the ZyXEL Device maps the multiple local IP addresses to shared global IP addresses Many to Many No Overload In Many to Many No Overload mode the ZyXEL Device maps each local IP address to a unique global IP address Server This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world P 660HW Tx v3 Series User s Guide Chapter 9 Network Address Translation NAT Port numbers do NOT change for One to One and Many to Many No Overload NAT mapping types The following table summarizes these types Table 51 NAT Mapping Types TYPE IP MAPPING One to One ILAL gt IGA1 Many to One SUA PAT ILA1 2 IGA1 ILA2 2 IGA1 Many to Many Overload ILA1 2 IGA1 ILA2 2 IGA2 ILA3 2 IGA1 ILA4 IGA2 Many to Many No Overload ILA1 2 IGA1 ILA2 2 IGA2 ILA3 2 I1GA3 Server Server 1 IP 2 IGA1 Server 2 IP 2 IGA1 Server 3 IP 2 IGA1 P 660HW Tx v3 Series User s Guide Chapter 9 Network Address Translation NAT P 660HW Tx v3 Series User s Guide
289. lowing table describes the labels in this screen Table 61 Security Packet Filter LABEL DESCRIPTION This field displays the index number of the filter set Name Enter a name for the filter set The text may consist of up to 16 letters numerals and any printable character found on a typical English language keyboard Filter Type Select Protocol Filter or Generic Filter for your filter set Protocol filter rules are used to filter IP packets while generic filter rules allow filtering of non IP packets Modify Click the Edit button to configure a filter set Click the Remove button to delete a filter set Apply Click this to save your changes Cancel Click this to restore your previously saved settings P 660HW Tx v3 Series User s Guide Chapter 12 Packet Filter 12 2 1 Editing Protocol Filters Use this screen to display a protocol filter set on your ZyXEL Device Protocol rules allow you to base the rule on the fields in the IP and the upper layer protocol for example UDP and TCP headers In the Packet Filter screen select Protocol Filter from the Filter Type field Then click the Edit button from the Modify field to display the following screen Figure 91 Security gt Packet Filter gt Edit Protocol Filter e Active Filter Type Protocol sa pa Modify 1 Iv Protocol Filter TCP 0 0 0 0 0 0 0 0 S 2 g uw 3 g dl 4 g i 5
290. lt server A default server receives packets from ports that are not specified in this screen If you do not assign a Default Server IP address the ZyXEL Device discards all packets received for ports that are not specified here or in the remote management setup Port Forwarding Service Name Select a service from the drop down list box Server IP Enter the IP address of the server for the specified service Address Add Click this button to add a rule to the table below This is the rule index number read only Active This field indicates whether the rule is active or not Clear the check box to disable the rule Select the check box to enable it Service Name This is a service s name Start Port This is the first port number that identifies a service End Port This is the last port number that identifies a service Server IP This is the server s IP address Address Modify Click the edit icon to go to the screen where you can edit the port forwarding rule Click the delete icon to delete an existing port forwarding rule Note that subsequent address mapping rules move up by one when you take this action Apply Click this to save your changes Cancel Click this to restore your previously saved settings P 660HW Tx v3 Series User s Guide Chapter 9 Network Address Translation NAT 9 3 2 The Port Forwarding Rule Edit Screen Use this screen to edit a
291. ly saved settings 8 3 1 More AP Edit Use this screen to edit an SSID profile Click the Edit icon next to an SSID in the More AP screen The following screen displays Figure 54 Network gt Wireless LAN gt More AP Edit Common Setup Hide SSID Security Mode MAC Filter QoS Network Name SSID ZyXEL02 No Security M Deny Association None None M P 660HW Tx v3 Series User s Guide Chapter 8 Wireless LAN The following table describes the fields in this screen Table 37 Network Wireless LAN More AP Edit LABEL DESCRIPTION Network Name SSID The SSID Service Set IDentity identifies the service set with which a wireless device is associated Enter a descriptive name up to 32 printable 7 bit ASCII characters for the wireless LAN Note If you are configuring the ZyXEL Device from a computer connected to the wireless LAN and you change the ZyXEL Device s SSID or security settings you will lose your wireless connection when you press Apply to confirm You must then change the wireless settings of your computer to match the ZyXEL Device s new settings Hide SSID Select this check box to hide the SSID in the outgoing beacon frame So a station cannot obtain the SSID through scanning using a site survey tool Security Mode See Section 8 2 on page 139 for more details about this field MAC Filter This shows whether the wireless devices with the MAC
292. m aat umane dH a 275 18 21 OTN the WWW GOGON carisimo r E rE aia 275 toa Mme lene SEE asas aE Ee 276 Past The FIF Soron conia a a 277 IB Ihe Es SSIBEIL iua Des D n E ene iin rit t n HP EE 278 18 6 The ICMP SGEE D a a DT 279 P 660HW Tx v3 Series User s Guide Table of Contents Chapter 19 Universal Plug and Play CUP aeniaiiat uin onna sa taPkh ble RaxaSk PME x SuUER ro raa R Ft Ru ix N PUN NAM m iPM E EUM AE EOS 281 SEE o REUS RUNE NI RT PARISIENS OD Tenet renee 281 19 1 1 What You Can Do in The UR MP SO BO iuc paccco petto PURI I onei 281 19 1 2 What You Need to Know About UPNP 12a cdusdensessusss ska sd cenas ninna 281 18s Ms UPIP SONG a ecc vh Ses tas RE EDU RD EDI QUR DRM EDI Od Det te edUU UIN PUN CE DEP CR NOR dipes EOS d npe 283 19 3 Installing UPnP in Windows Example soccer sen ione Kec a 284 19 4 Using UPnP in Windows XP Example 1 aee anrea anoa anaana a 287 Fait VE MainienaN ene eee ee eee 293 Chapter 20 ye LL is el ee UE ee eS eee ee E ee ee ee eee eee 295 CINES Jc T 295 20 1 1 What You Can Do in the System Settings Screens sss 295 20 1 2 What You Need to Know About System Settings sssssssssssssess 295 20 2 The General SOrEGN e Ra 296 20 9 The Time Soling SCIEN Ariasin nnan AA A SANE AE a 298 Chapter 21 Fr fe 301 CANC I PETS 301 21 11 What
293. n 1eeeseeeeeeeeee esee nene nnn nnnnn namen aura aua a nui 21 Chapter 1 Introd cindg the ZyXEL DEVICE sirisser RR CERE ER ERU SA PRES R Sa YE EE EE AOA TEENS 23 NES OPI ERR E UT NEC E 23 1 2 Ways to Manage fne ZyXEL Desvibs uusconesctekn e prrxua ce bed ERR ber REC Get Sp o PIE o EE URS 23 1 3 Good Habits for Managing the ZyXEL Device enn nnn sonent nn tna 24 1 4 Applications for the ZyXEL DEVICE iiu cou ko rindaae d ns casae ca c dat eoe dap cid Fat a Ra 24 Tl T Inte lel ACCESS actuetatiasdite iced ioci Dax cot ed ae cesdo Ue Feo Sob ep Etude Mise ocu a ta EE Pega 25 Te LEDS LOHE MT 26 15 Thes RESET BUDE orara a LED De esie 27 1 6 1 Using Me Roset BURON M 27 1 7 The WPS WLAN BHEEOHL 2i ene task pe temet Reza aua nua kits a at i carnea d me cob tta dc 27 dafal Turn the Wireless LAM OF or ON eee deis esee Qi pae eos deis Dee vues a EIA 28 lof Aqu UPS oot e te OR UM CDM EL C ODE MULT AE EY 28 Chapter 2 Introducing the Web Configurator eeeeeeeeee eese esee esee eene nn nnne nennen nannten nnns 29 C ILREPIME eee cu LE IUS Mu E i E 29 ZiT MOCEESING he Web TQM M E 29 2 2 Web Configurator MAN Sree ETE OO ST 31 od RROD A aaa ctatuanet anatase seosntonee uolet oese tbe tuoacen bid besos lat dsdesau n 32 CEA AVIATION PING T 32 zc TN UNICI UE quse ivexudstus EENT AIE ra dst o Fa inesd artes em E n EE Casa ap A db So 34 POBRE EVE Ric T TO T o eet eave Meant sear
294. n 2 and 4094 Physical Port Select this option and select a LAN port Remote Node Select this option and select a remote node from the drop down list box When the WAN type is Ethernet in the WAN Internet Access Setup screen you can select WAN1 only Exclude Select this option to exclude the packets that match the specified criteria from this classifier Back Click this to return to the previous screen without saving Apply Click this to save your changes Cancel Click this to restore your previously saved settings P 660HW Tx v3 Series User s Guide Chapter 16 Quality of Service QoS 16 4 The QoS Monitor Screen Use this screen to view the ZyXEL Device s QoS packet statistics Click Advanced gt QoS gt Monitor The screen appears as shown Figure 115 Advanced gt QoS gt Monitor QoS Monitor nia Queue M Ov Q1 4 une 0 bps D bps 0 bps D bps 0 bps 0 bps D bps 0 bps 3 kbps 0 bps 0 bps 0 bps 0 bps 0 bps 0 bps 0 bps s Set Interval Stop The following table describes the labels in this screen Table 77 Advanced QoS Monitor LABEL DESCRIPTION Priority Queue This shows the priority queue number Traffic assigned to higher index queues gets through faster while traffic in lower index queues is dropped if the network is congested Pass This shows how many packets mapped to this priority queue are transmitted suc
295. n the internal QoS mapping table on the ZyXEL Device Figure 107 QoS Example VoIP Queue 6 Boss Queue 5 IP 192 168 1 23 Figure 108 QoS Class Example VoIP 1 Calss Configuration V Active Name Ex vorP Interface FromLAN Priority Routing Policy WAN Index Gateway Address Order Tag Configuration P 660HW Tx v3 Series User s Guide 255 Chapter 16 Quality of Service QoS Figure 109 QoS Class Example VoIP 2 Source Address fo 0 0 0 Subnet Netmask 0 0 0 0 F Exclude Port fo o F Exclude MAC MAC Mask F exclude Destination Address 0 0 0 6 Subnet Netmask 0 0 0 0 F Exclude l Tl Port fo si Exclude 7 MAC MAC Mask Exclude Others V Service voiecsiP x I Protocol TCP o Exclude Packet Length o a Exclude O pscp o 0 63 Exclude Ethernet Priority 0 BE Exclude I VLAN ID 2 24094 Exclude Physical Port fi z Exclude Remote Node F Exclude Apply Cancel Figure 110 QoS Class Example Boss 1 Calss Configuration v Active Name Ex Boss Interface From LAN Priority outing Poncy WAN Index Gateway Address 0 0 0 6 Order 2 7 Tag Configuration P 660HW Tx v3 Series User s Guide Chapter 16 Quality of Service QoS Figure 111 QoS Class Example Boss 2 Source 192 1681 23 v Address
296. n this User s Guide Product labels screen names field labels and field choices are all in bold font A key stroke is denoted by square brackets and uppercase text for example ENTER means the enter or return key on your keyboard Enter means for you to type one or more characters and then press the ENTER key Select or choose means for you to use one of the predefined choices A right angle bracket gt within a screen name denotes a mouse click For example Maintenance gt Log gt Log Setting means you first click Maintenance in the navigation panel then the Log sub menu and finally the Log Setting tab to get to that screen Units of measurement may denote the metric value or the scientific value For example k for kilo may denote 1000 or 1024 M for mega may denote 1000000 or 1048576 and so on e e g is a shorthand for for instance and i e means that is or in other words P 660HW Tx v3 Series User s Guide 5 Document Conventions Icons Used in Figures Figures in this User s Guide may use the following generic icons The ZyXEL Device icon is not an exact representation of your device ZyXEL Device Computer Notebook computer Server Firewall Router Switch 6 P 660HW Tx v3 Series User s Guide Safety Warnings Safety Warnings Do NOT use this product near water for example in a wet basement or ne
297. n with VPI VCI 0 34 is dedicated for VoIP service P 660HW Tx v3 Series User s Guide Chapter 4 Tutorials e The connection with VPI VCI 0 35 is dedicated for general data transmission Figure 11 Example for Multiple WAN Connections Ls fact Name verver encapsulation Mody Internet Connection 0 33 ENET ENCAP Iv VoIP 0 34 ENET ENCAP Vv Data 0 35 ENET ENCAP on Ook WON GR GY GAY GAY GY CRY GY ED EP Eb E E E B Apply Cancel 4 10 Multiple PVCs with QoS This tutorial is only applicable for an ISP engineer An ISP may configure multiple PVCs for seperating different subscriber application traffic This helps to record traffic statistics or calculate service charges In addition the ISP can also apply different QoS according to the application importance and whether the application is time sensitive or not In the following figure the ZyXEL Device is configured to transmit two types of traffic VoIP using SIP and general data using 0 33 and 0 35 PVCs respectively Because voice traffic is considered to transmit continuously but not for general data this tutorial uses Constant Bit Rate CBR for VolP and Unspecified Bit Rate UBR for general data ATM QoS setting p Ld DI ens Voice mumm General Data This tutorial also dedicates the ZyXEL Device LAN port 4 for voice and ports 1 3 for general data traffic P 660HW Tx v3 Series User s Guide Chapter 4 Tutorials
298. nd DNS servers to systems that support DHCP client capability IP Address and Subnet Mask Similar to the way houses on a street share a common street name so too do computers on a LAN share one common network number Where you obtain your network number depends on your particular situation If the ISP or your network administrator assigns you a block of registered IP addresses follow their instructions in selecting the IP addresses and the subnet mask If the ISP did not explicitly give you an IP network number then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established If this is the case it is recommended that you select a network number from 192 168 0 0 to 192 168 255 0 and you must enable the Network Address Translation NAT feature of the ZyXEL Device The Internet Assigned Number Authority IANA reserved this block of addresses specifically for private use please do not use any other number unless you are told otherwise Let s say you select 192 168 1 0 as the network number which covers 254 individual addresses from 192 168 1 1 to 192 168 1 254 zero and 255 are reserved In other words the first three numbers specify the network number while the last number identifies an individual computer on that network Once you have decided on the network number pick an IP address that is easy to remember for instance 192 168 1 1 for your ZyXEL Device but make su
299. nd are not aware of PPPoE thus saving you from having to manage PPPoE clients on individual computers Other PPPoE Features PPPoE idle time out PPPoE dial on demand Multiple PVC Permanent Virtual Circuits Support Your device supports up to 8 Permanent Virtual Circuits PVCs IP Alias IP alias allows you to partition a physical network into logical networks over the same Ethernet interface Your device supports three logical LAN interfaces via its single physical Ethernet interface with the your device itself as the gateway for each LAN network Packet Filters Your device s packet filtering function allows added network security and management P 660HW Tx v3 Series User s Guide Chapter 25 Product Specifications Table 116 Firmware Specifications continued ADSL Standards ANSI T1 413 Issue 2 G dmt G 992 1 ADSL2 G dmt bis G 992 3 ADSL2 G 992 5 Reach Extended ADSL RE ADSL SRA Seamless Rate Adaptation Auto negotiating rate adaptation ADSL physical connection ATM AAL5 ATM Adaptation Layer type 5 Multi protocol over AAL5 RFC2684 1483 PPP over ATM AAL5 RFC2364 PPP over Ethernet for DSL connection RFC2516 VC based and LLC based multiplexing 1 610 F4 F5 OAM Annex L M TR 067 TR 100 Other Protocol Support PPP Point to Point Protocol link layer protocol IP routing Transparent bridging for unsupported network layer protocols RIP I RIP Il
300. nd configuration files Please see the User s Guide chapter on firmware and configuration file maintenance for details To use this feature your computer must have an FTP client Use this screen to specify which interfaces allow FTP access and from which IP address the access can come To change your ZyXEL Device s FTP settings click Advanced gt Remote MGMT gt FTP The screen appears as shown Figure 120 Advanced gt Remote Management gt FTP FIP FTP Port Note Access Status ALL v Secured Client IP You may also need to create a Firewall rule all O Selected 0 0 0 0 P 660HW Tx v3 Series User s Guide 277 Chapter 18 Remote Management The following table describes the labels in this screen Table 83 Advanced Remote Management FTP LABEL DESCRIPTION Port You may change the server port number for a service if needed However you must use the same port number in order to use that service for remote management Access Status Select the interface s through which a computer may access the ZyXEL Device using this service Secured Client A secured client is a trusted computer that is allowed to communicate IP with the ZyXEL Device using this service Select All to allow any computer to access the ZyXEL Device using this service Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this servic
301. ndustry standard that ensures no other adapter has a similar address P 660HW Tx v3 Series User s Guide Chapter 7 LAN Setup Table 27 Network LAN Client List LABEL DESCRIPTION Reserve Select the check box in the heading row to automatically select all check boxes or select the check box es in each entry to have the ZyXEL Device always assign the selected entry ies s IP address es to the corresponding MAC address es and host name s You can select up to 10 entries in this table Modify Click the modify icon to have the IP address field editable and change it Apply Click this to save your changes Cancel Click this to restore your previously saved settings Refresh Click this to reload the DHCP table 7 5 The IP Alias Screen IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface The ZyXEL Device supports three logical LAN interfaces via its single physical Ethernet interface with the ZyXEL Device itself as the gateway for each LAN network When you use IP alias you can also configure firewall rules to control access between the LAN s logical networks subnets Note Make sure that the subnets of the logical networks do not overlap The following figure shows a LAN divided into subnets A B and C Figure 42 Physical Network amp Partitioned Logical Networks A 192 168 1 1 192 168 1 24 Ethernet B
302. network devices along the route based on the application types and traffic flow Packets are marked with DiffServ Code Points DSCPs indicating the level of service desired This allows the intermediary DiffServ compliant network devices to handle the packets differently depending on the code points without the need to negotiate paths or remember state information for every flow In addition applications do not have to request a particular service or give advanced notice of where the traffic is going DSCP and Per Hop Behavior DiffServ defines a new Differentiated Services DS field to replace the Type of Service TOS field in the IP header The DS field contains a 2 bit unused field and a 6 bit DSCP field which can define up to 64 service levels The following figure illustrates the DS field DSCP is backward compatible with the three precedence bits in the ToS octet so that non DiffServ compliant ToS enabled network device will not conflict with the DSCP mapping DSCP 6 bits Unused 2 bits The DSCP value determines the forwarding behavior the PHB Per Hop Behavior that each packet gets across the DiffServ network Based on the marking rule different kinds of traffic can be marked for different kinds of forwarding Resources can then be allocated according to the DSCP values and the configured policies 16 5 4 Automatic Priority Queue Assignment If you enable QoS on the ZyXEL Device the ZyXEL Device can automat
303. nfiguration filename on the rom File ZyXEL Device Uploading the rom 0 file replaces the entire ROM file system including your ZyXEL Device configurations system related data including the default password the error log and the trace log FILE TYPE EXTERNAL NAME Doe He Firmware Ras This is the generic name for the ZyNOS bin firmware on the ZyXEL Device P 660HW Tx v3 Series User s Guide Chapter 22 Tools 22 1 3 22 1 4 FTP Restrictions FTP will not work when The firewall is active turn the firewall off or create a firewall rule to allow access from the WAN You have disabled the FTP service in the Remote Management screen The IP you entered in the Secured Client IP field does not match the client IP If it does not match the device will disallow the FTP session Before You Begin Ensure you have either created a firewall rule to allow access from the WAN or turned the firewall off otherwise the FTP will not function Make sure the FTP service has not been disabled in the Remote Management screen Tool Examples Using FTP or TFTP to Restore Configuration This example shows you how to restore a previously saved configuration Note that this function erases the current configuration before restoring a previous back up configuration please do not attempt to restore unless you have a backup configuration file stored on disk FTP is the preferred method for restor
304. ng 190 Any IP 123 133 ARP 134 example 133 status 39 AP access point 397 applications NAT 184 ARP 134 asymmetrical routes 195 Asynchronous Transfer Mode see ATM ATM 331 MBS 105 112 PCR 105 112 QoS 105 112 117 SCR 105 112 status 331 authentication 158 160 RADIUS server 160 WPA 145 backup configuration 320 321 326 bandwidth management 258 Basic Service Set See BSS 395 Basic Service Set see BSS broadcast 100 BSS 161 395 example 162 P 660HW Tx v3 Series User s Guide Index C CA 229 403 algorithm 234 trusted 230 233 CBR 105 112 117 Certificate Authority See CA certificates 229 235 advantages 235 algorithm 234 CA 229 trusted 230 233 example 229 exporting 234 formats 230 PEM 234 Certification Authority see CA certifications 415 notices 417 viewing 417 channel 397 interference 397 channel wireless LAN 157 Class of Service see CoS classifiers 259 802 1Q tags 263 activation 260 configuration 261 creation 260 DSCP 262 264 FTP 264 priority 262 remote node 264 routing policy 262 SIP 264 CLI 23 client list 126 Command Line Interface see CLI compatibility WDS 153 configuration 325 backup 320 321 326 classifiers 261 DHCP 125 file 316 firewalls 194 198 203 IP alias 128 logs 303 packet filtering 222 225 port forwarding 175 reset 328 restoring 317 326 static route 241 WAN 101 wireless LAN 139 wizard 86 connection nailed up 110 115 on demand 110 content
305. ngs P 660HW Tx v3 Series User s Guide Chapter 19 Universal Plug and Play UPnP Windows Messenger is an example of an application that supports NAT traversal and UPnP See the NAT chapter for more information on NAT Cautions with UPnP The automated nature of NAT traversal applications in establishing their own services and opening firewall ports may present network security issues Network information and configuration may also be obtained and modified by users in some network environments When a UPnP device joins a network it announces its presence with a multicast message For security reasons the ZyXEL Device allows multicast messages on the LAN only All UPnP enabled devices may communicate freely with each other without additional configuration Disable UPnP if this is not your intention UPnP and ZyXEL ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum UPnP Implementers Corp UIC ZyXEL s UPnP implementation supports Internet Gateway Device IGD 1 0 See the following sections for examples of installing and using UPnP P 660HW Tx v3 Series User s Guide Chapter 19 Universal Plug and Play UPnP 19 2 The UPnP Screen Use the following screen to configure the UPnP settings on your ZyXEL Device Click Advanced UPnP to display the screen shown next See Section 19 1 on page 281 for more information Figure 123 Advanced gt UPnP gt General UPnP Setup D
306. nicate with a LAN For some dial up services such as PPPoE or PPTP NetBIOS packets cause unwanted calls However it may sometimes be necessary to allow NetBIOS packets to pass through to the WAN in order to find a computer on the WAN Allow between LAN and WAN Select this check box to forward NetBIOS packets from the LAN to the WAN and from the WAN to the LAN If your firewall is enabled with the default policy set to block WAN to LAN traffic you also need to enable the default WAN to LAN firewall rule that forwards NetBIOS traffic Clear this check box to block all NetBIOS packets going from the LAN to the WAN and from the WAN to the LAN Packet Filter Incoming Filter Sets Protocol Filter Select the protocol filter s to control incoming traffic You may choose up to 4 sets of filters You can configure packet filters in the Packet Filter screen See Chapter 12 on page 219 for more details Generic Filter Select the generic filter s to control incoming traffic You may choose up to 4 sets of filters You can configure generic filters in the Packet Filter screen See Chapter 12 on page 219 for more details Outgoing Filter Sets P 660HW Tx v3 Series User s Guide LE Chapter 7 LAN Setup Table 25 Network gt LAN gt IP Advanced Setup LABEL DESCRIPTION Protocol Filter Select the protocol filter s to control outgoing traffic You may choose up to 4 sets of
307. nterface eth0 Shutting down loopback interface Setting network parameters Bringing up loopback interface Bringing up interface eth0 oOoOoooOo ROR ROR N 372 P 660HW Tx v3 Series User s Guide Appendix A Setting up Your Computer s IP Address Verifying Settings Enter ifconfig in a terminal screen to check your TCP IP properties Figure 176 Red Hat 9 0 Checking TCP IP Properties root localhost ifconfig eth0 Link encap Ethernet HWaddr 00 50 BA 72 5B 44 inet addr 172 23 19 129 Bcast 172 23 19 255 Mask 255 255 255 0 UP BROADCAST RUNNING MULTICAST MTU 1500 Metric 1 RX packets 717 errors 0 dropped 0 overruns 0 frame 0 TX packets 13 errors 0 dropped 0 overruns 0 carrier 0 collisions 0 txqueuelen 100 RX bytes 730412 713 2 Kb TX bytes 1570 1 5 Kb Interrupt 10 Base address 0x1000 root localhost P 660HW Tx v3 Series User s Guide 373 Appendix A Setting up Your Computer s IP Address 374 P 660HW Tx v3 Series User s Guide Pop up Windows JavaScript and Java Permissions In order to use the web configurator you need to allow Web browser pop up windows from your device JavaScript enabled by default Java permissions enabled by default Note Internet Explorer 6 screens are used here Screens for other Internet Explorer versions may vary Internet Explorer Pop up Blockers You may have to disable pop up blocking to log into your device Either disable
308. o allow specific traffic to pass through 4 8 Multiple Public and Private IP Address Mappings If your ISP gives you more than one static IP address for your Internet access you can map each IP address for a specific service This tutorial assumes you are given two static public IP addresses You want to map them to two servers A and B P 660HW Tx v3 Series User s Guide Chapter 4 Tutorials This tutorial uses the following example settings Table9 IP Settings in this Tutorial DEVICE COMPUTER IP ADDRESS The ZyXEL Device s WAN 172 16 1 253 IP 1 172 16 1 254 IP 2 The ZyXEL Device s LAN 192 168 1 1 A 192 168 1 2 B 192 168 1 3 C a b c d To do this you can use either of the following settings Full Feature NAT with many to many no overload mapping Full Feature NAT with one to one mapping 4 8 1 Full Feature NAT Many to Many No Overload Mapping Use this setting if your applications can use random public IP addresses and the applications are initiated from the Intranet computers A and B For example VoIP application See Section 4 8 2 on page 70 if it is not To configure this 1 Click Network gt NAT P 660HW Tx v3 Series User s Guide Chapter 4 Tutorials 2 Select Active Network Address Translation NAT and Full Feature in the General screen Click Apply General Address Mapping NAT Setup M Active Network Address Translation NAT C su
309. o forward incoming service requests to the server s on your local network You may enter a single port number or a range of port numbers to be forwarded and the local IP address of the desired server The port number identifies a service for example web service is on port 80 and FTP on port 21 In some cases such as for unknown services or where one server can support more than one service for example both FTP and web service it might be better to specify a range of port numbers You can allocate a server IP address that corresponds to a port or a range of ports The most often used port numbers and services are shown in Appendix E on page 411 Please refer to RFC 1700 for further information about port numbers Note Many residential broadband ISP accounts do not allow you to run any server processes such as a Web or FTP server from your location Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location If you are unsure refer to your ISP Default Server IP Address In addition to the servers for specified services NAT supports a default server IP address A default server receives packets from ports that are not specified in this screen Note If you do not assign a Default Server IP address the ZyXEL Device discards all packets received for ports that are not specified here or in the remote management setup 1 74 P 660HW Tx v3 Series User s Guide Chap
310. o go to the MAC Filter screen to configure MAC filter settings See Section 8 2 6 on page 147 for more details P 660HW Tx v3 Series User s Guide Chapter 8 Wireless LAN Table 29 Network Wireless LAN AP LABEL DESCRIPTION QoS This shows whether Quality of Service QoS is activated or the priority level for wireless traffic with this SSID Select a priority level from the drop down list box Choices are None Default Highest High Middle and Low Select None to disable QoS Select Default to have the ZyXEL Device automatically give traffic a priority level according to the ToS value in the IP header of packets it sends Wifi MultiMedia Quality of Service WMM QoS gives high priority to voice and video which makes them run more smoothly Highest Typically used for voice or video that should be high quality High Typically used for voice or video that can be medium quality Middle Typically used for applications that do not fit into another priority For example Internet surfing Low Typically used for non critical background applications such as large file transfers and print jobs that should not affect other applications Apply Click this to save your changes Cancel Click this to restore your previously saved settings Advanced Setup Click this to display the Wireless Advanced Setup screen and edit more details of your WLAN setup See Section 8 2 5 on page 1
311. o install UPnP in Windows Me and Windows XP Installing UPnP in Windows Me Follow the steps below to install the UPnP in Windows Me 1 Click Start and Control Panel Double click Add Remove Programs 2 Click on the Windows Setup tab and select Communication in the Components selection box Click Details Add Remove Programs Properties 31 xl Install Uninstall Windows Setup Startup Disk To add or remove a component select or clear the check box If the check box is shaded only part of the component will be installed To see what s included in a component click Details Components G Address Book amp Communications 5 6 MB RG Desktop Themes 0 0 MB v i Games 10 1 MB O E Multilanguage Support 0 0 MB x Space used by installed components 42 4 MB Space required 0 0 MB Space available on disk 855 3 MB Description Includes accessories to help you connect to other computers and online services 5 of 10 components selected Details Have Disk Cancel Apply P 660HW Tx v3 Series User s Guide Chapter 19 Universal Plug and Play UPnP 3 Inthe Communications window select the Universal Plug and Play check box in the Components selection box Communications x To install a component select the check box next to the component name or clear the check box if you do not want to install it amp shaded box means that only part of the component wi
312. o specify a span of ports that define your customized service Port Number Type a single port number or the range of port numbers that define your customized service Back Click this to return to the previous screen without saving Apply Click this to save your changes Cancel Click this to restore your previously saved settings Delete Click this to delete the current rule P 660HW Tx v3 Series User s Guide Chapter 10 Firewalls 10 4 The Firewall Threshold Screen 10 4 1 For DoS attacks the ZyXEL Device uses thresholds to determine when to start dropping sessions that do not become fully established half open sessions These thresholds apply globally to all sessions For TCP half open means that the session has not reached the established state the TCP three way handshake has not yet been completed Under normal circumstances the application that initiates a session sends a SYN synchronize packet to the receiving server The receiver sends back an ACK acknowledgment packet and its own SYN and then the initiator responds with an ACK acknowledgment After this handshake a connection is established Figure 82 Three Way Handshake Client Server SYN ACK ACK ium LT For UDP half open means that the firewall has detected no return traffic An unusually high number or arrival rate of half open sessions could indicate a DOS attack Threshold Values If everything is working
313. o0 00 00 00 00 00 16 p0 00 00 00 00 00 17 00 00 00 00 00 00 18 o0 00 00 00 00 00 19 p0 00 00 00 00 00 20 n0 00 00 00 00 00 21 p0 00 00 00 00 00 22 p0 00 00 00 00 00 23 00 00 00 00 00 00 24 p0 00 00 00 00 00 25 p0 00 00 00 00 00 26 o0 00 00 00 00 00 27 p0 00 00 00 00 00 28 00 00 00 00 00 00 29 p0 00 00 00 00 00 30 50 00 00 00 00 00 31 o0 00 00 00 00 00 32 o0 00 00 00 00 00 _Back Apply Cancel P 660HW Tx v3 Series User s Guide 1 47 Chapter 8 Wireless LAN The following table describes the labels in this screen Table 35 Network gt Wireless LAN gt AP MAC Address Filter LABEL DESCRIPTION Active MAC Select the check box to enable MAC address filtering Filter Filter Action Define the filter action for the list of MAC addresses in the MAC Address table Select Deny to block access to the ZyXEL Device MAC addresses not listed will be allowed to access the ZyXEL Device Select Allow to permit access to the ZyXEL Device MAC addresses not listed will be denied access to the ZyXEL Device Set This is the index number of the MAC address MAC Enter the MAC addresses of the wireless devices that are allowed or denied Address access to the ZyXEL Device in these address fields Enter the MAC addresses in a valid MAC address format that is six hexadecimal character pairs for example 12 34 56 78 9a bc Back Click this to return to the previous screen without sa
314. ofing WAN ICMP The firewall detected an ICMP IP spoofing attack on the type d code d WAN port icmp echo ICMP The firewall detected an ICMP echo attack type d code d syn flood TCP The firewall detected a TCP syn flood attack ports scan TCP The firewall detected a TCP port scan attack teardrop TCP The firewall detected a TCP teardrop attack teardrop UDP The firewall detected an UDP teardrop attack teardrop ICMP code d type Sd The firewall detected an ICMP teardrop attack illegal command TCP The firewall detected a TCP illegal command attack NetBIOS TCP The firewall detected a TCP NetBIOS attack ip spoofing no routing entry TCP UDP IGMP ESP GRE OSPF The firewall classified a packet with no source routing entry as an IP spoofing attack ip spoofing no routing entry ICMP type d code d The firewall classified an ICMP packet with no source routing entry as an IP spoofing attack vulnerability ICMP type d code d The firewall detected an ICMP vulnerability attack traceroute ICMP code d type d The firewall detected an I CMP traceroute attack Table 103 802 1X Logs LOG MESSAGE DESCRIPTION RADIUS accepts user A user was authenticated by the RADIUS Server RADIUS rejects user RADIUS Server Pls check A user was not authenticated by the RADIUS Serv
315. oices are Long Short or Dynamic The default setting is Long See the appendix for more information P 660HW Tx v3 Series User s Guide Chapter 8 Wireless LAN Table 34 Network gt Wireless LAN gt AP Advanced Setup LABEL DESCRIPTION 802 11 Mode Select 802 11b Only to allow only IEEE 802 11b compliant WLAN devices to associate with the ZyXEL Device Select 802 11g Only to allow only IEEE 802 11g compliant WLAN devices to associate with the ZyXEL Device Select Mixed to allow either IEEE 802 11b or IEEE 802 11g compliant WLAN devices to associate with the ZyXEL Device The transmission rate of your ZyXEL Device might be reduced Back Click this to return to the previous screen without saving Apply Click this to save your changes Cancel Click this to restore your previously saved settings 8 2 6 MAC Filter Use this screen to change your ZyXEL Device s MAC filter settings Click the Edit button in the AP screen The screen appears as shown Figure 52 Network gt Wireless LAN gt AP MAC Address Filter MAC Filter M Active MAC Filter Filter Action Allow Deny a 00 30 5 01 23 45 00 00 00 00 00 00 3 00 00 00 00 00 00 4 p0 00 00 00 00 00 5 p0 00 00 00 00 00 6 00 00 00 00 00 00 7 00 00 00 00 00 00 8 p0 00 00 00 00 00 9 00 00 00 00 00 00 10 p0 00 00 00 00 00 11 p0 00 00 00 00 00 12 n0 00 00 00 00 00 13 p0 00 00 00 00 00 14 p0 00 00 00 00 00 15
316. omputer with the IP address that you specify to send DNS queries to the ZyXEL Device Apply Click this to save your changes Cancel Click this to restore your previously saved settings 18 6 The ICMP Screen To change your ZyXEL Device s security settings click Advanced gt Remote MGMT gt ICMP The screen appears as shown If an outside user attempts to probe an unsupported port on your ZyXEL Device an ICMP response packet is automatically returned This allows the outside user to know the ZyXEL Device exists Your ZyXEL Device supports anti probing which prevents the ICMP response packet from being sent This keeps outsiders from discovering your ZyXEL Device when unsupported ports are probed Note If you want your device to respond to pings and requests for unauthorized services you may also need to configure the firewall anti probing settings to match Figure 122 Advanced gt Remote Management gt ICMP ICMP ICMP Respond to Ping on ALL v C Do not respond to requests for unauthorized services P 660HW Tx v3 Series User s Guide 279 Chapter 18 Remote Management The following table describes the labels in this screen Table 85 Advanced gt Remote Management gt ICMP LABEL DESCRIPTION CMP Internet Control Message Protocol is a message control and error reporting protocol between a host server and a gateway to the Internet ICMP uses Internet Protocol IP da
317. on 149 status 37 WDS 153 163 compatibility 153 example 163 WEP 142 161 key 142 wizard 92 WPA 144 161 authentication 145 reauthentication 143 145 WPA PSK 143 161 pre shared key 143 WPS 151 163 166 activation 151 adding stations 153 example 168 limitations 169 PIN 151 153 164 push button 27 153 164 status 151 wireless security 400 Wireless tutorial 45 wizard 83 configuration 86 wireless LAN 92 WLAN interference 397 security parameters 408 WPA 144 161 404 authentication 145 key caching 406 pre authentication 406 reauthentication 143 145 user authentication 406 vs WPA PSK 405 wireless client supplicant 406 with RADIUS application example 406 WPA2 404 user authentication 406 vs WPA2 PSK 405 wireless client supplicant 406 with RADIUS application example 406 WPA2 Pre Shared Key 404 WPA2 PSK 404 405 application example 407 WPA PSK 143 161 405 application example 407 pre shared key 143 WPS 151 163 166 activation 151 adding stations 153 example 168 limitations 169 PIN 151 153 164 example 166 push button 27 153 164 status 151 P 660HW Tx v3 Series User s Guide 427 Index P 660HW Tx v3 Series User s Guide
318. on address assignment please refer to RFC 1597 Address Allocation for Private Internets and RFC 1466 Guidelines for Management of IP Address Space 7 6 5 RIP Setup RIP Routing Information Protocol allows a router to exchange routing information with other routers The RIP Direction field controls the sending and receiving of RIP packets When set to Both the ZyXEL Device will broadcast its routing table periodically and incorporate the RIP information that it receives n Only the ZyXEL Device will not send any RIP packets but will accept all RIP packets received Out Only the ZyXEL Device will send out RIP packets but will not accept any RIP packets received None the ZyXEL Device will not send any RIP packets and will ignore any RIP packets received The Version field controls the format and the broadcasting method of the RIP packets that the ZyXEL Device sends it recognizes both formats when receiving RIP 1 is universally supported but RIP 2 carries more information RIP 1 is probably adequate for most networks unless you have an unusual network topology Both RIP 2B and RIP 2M sends the routing data in RIP 2 format the difference being that RIP 2B uses subnet broadcasting while RIP 2M uses multicasting 7 6 6 Multicast Traditionally IP packets are transmitted in one of either two ways Unicast 1 sender 1 recipient or Broadcast 1 sender everybody on the network Multicast delivers IP pac
319. on attempts rises above this number the ZyXEL Device deletes half open sessions as required to accommodate new connection attempts For example if you set the one minute high to 100 the ZyXEL Device starts deleting half open sessions when more than 100 session establishment attempts have been detected in the last minute It stops deleting half open sessions when the number of session establishment attempts detected in a minute goes below the number set as the one minute low Maximum Incomplete Low This is the number of existing half open sessions that causes the firewall to stop deleting half open sessions The ZyXEL Device continues to delete half open requests as necessary until the number of existing half open sessions drops below this number Maximum Incomplete High This is the number of existing half open sessions that causes the firewall to start deleting half open sessions When the number of existing half open sessions rises above this number the ZyXEL Device deletes half open sessions as required to accommodate new connection requests Do not set Maximum Incomplete High to lower than the current Maximum I ncomplete Low number For example if you set the maximum incomplete high to 100 the ZyXEL Device starts deleting half open sessions when the number of existing half open sessions rises above 100 It stops deleting half open sessions when the number of existing half open sessions drops below the number set as the ma
320. onvert a binary X 509 certificate into a printable form Finding Out More See Section 13 3 on page 235 for technical background information on certificates 13 2 The Trusted CAs Screen This screen displays a summary list of certificates of the certification authorities that you have set the ZyXEL Device to accept as trusted The ZyXEL Device accepts any valid certificate signed by a certification authority on this list as being trustworthy thus you do not need to import any certificate that is signed by one of these certification authorities Click Security gt Certificates to open the Trusted CAs screen Figure 97 Trusted CAs Trusted CAs Trusted CAs PKI Storage Space in Use 1 Trusted CA Setting a a coca P 660HW Tx v3 Series User s Guide Chapter 13 Certificates The following table describes the labels in this screen Table 66 Trusted CAs LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyXEL Device s PKI storage space that is currently in use The bar turns from blue to red when the maximum is being approached When the bar is red you should consider deleting expired or unnecessary certificates before adding more certificates This field displays the certificate index number The certificates are listed in alphabetical order Name This field displays the name used to identify this certificate Valid From This fie
321. ore Configuration LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it Browse Click this to find the file you want to upload Remember that you must decompress compressed ZIP files before you can upload them Upload Click this to begin the upload process Do not turn off the ZyXEL Device while configuration file upload is in progress After you see a restore configuration successful screen you must then wait one minute before logging into the ZyXEL Device again Figure 137 Configuration Upload Successful Restore Configuration successful The Router Is Rebooting Now Please Wait The router will now reboot As there will be no indication of when the process is complete please wait for one minute before attempting to access the router again P 660HW Tx v3 Series User s Guide Chapter 22 Tools The ZyXEL Device automatically restarts in this time causing a temporary network disconnect In some operating systems you may see the following icon on your desktop Figure 138 Network Temporarily Disconnected D Local Area Connection Network cable unplugged Y Ze 10 44 If you uploaded the default configuration file you may need to change the IP address of your computer to be in the same subnet as that of the default device IP address 192 168 1 1 See Appendix A on page 351 for details on how to set up
322. ost Protocol used for Terminal Access Controller Access Control System TELNET TCP 23 Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments It operates over TCP IP networks Its primary function is to allow users to log into remote host systems TFTP UDP 69 Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP but uses the UDP User Datagram Protocol rather than TCP Transmission Control Protocol VDOLIVE TCP UDP 7000 user defined A videoconferencing solution The UDP port number is specified in the application P 660HW Tx v3 Series User s Guide Legal Information Copyright Copyright 2010 by ZyXEL Communications Corporation The contents of this publication may not be reproduced in any part or as a whole transcribed stored in a retrieval system translated into any language or transmitted in any form or by any means electronic mechanical magnetic optical chemical photocopying manual or otherwise without the prior written permission of ZyXEL Communications Corporation Published by ZyXEL Communications Corporation All rights reserved Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products or software described herein Neither does it convey any license under its patent rights nor the patent rights of others ZyXEL fur
323. ough the ZyXEL Device As a result the ZyXEL Device resets the connection as the connection has not been acknowledged Figure 85 Triangle Route Problem LAN WAN 10 5 4 2 Solving the Triangle Route Problem If you have the ZyXEL Device allow triangle route sessions traffic from the WAN can go directly to a LAN computer without passing through the ZyXEL Device and its firewall protection Another solution is to use IP alias IP alias allows you to partition your network into logical sections over the same Ethernet interface Your ZyXEL Device supports up to three logical LAN interfaces with the ZyXEL Device being the gateway for each logical network P 660HW Tx v3 Series User s Guide Chapter 10 Firewalls It s like having multiple LAN networks that actually use the same physical cables and ports By putting your LAN and Gateway A in different subnets all returning network traffic must pass through the ZyXEL Device to your LAN The following steps describe such a scenario 1 A computer on the LAN initiates a connection by sending a SYN packet to a receiving server on the WAN 2 The ZyXEL Device reroutes the packet to Gateway A which is in Subnet 2 3 The reply from the WAN goes to the ZyXEL Device 4 The ZyXEL Device then sends it to the computer on the LAN in Subnet 1 Figure 86 IP Alias LAN Subnet 1 WAN Subnet 2 P 660HW Tx v3 Series User s Guide Chapter 10 Firewalls P 660HW Tx v3 Series U
324. our friends or relatives will always be able to call you even if they don t know your IP address First of all you need to have registered a dynamic DNS account with www dyndns org This is for people with a dynamic IP from their ISP or DHCP server that would still like to have a domain name The Dynamic DNS service provider will give you a password or key 17 1 1 What You Can Do in the DDNS Screen Use the Dynamic DNS screen Section 17 2 on page 270 to enable DDNS and configure the DDNS settings on the ZyXEL Device 17 1 2 What You Need To Know About DDNS DYNDNS Wildcard Enabling the wildcard feature for your host causes yourhost dyndns org to be aliased to the same IP address as yourhost dyndns org This feature is useful if you want to be able to use for example www yourhost dyndns org and still reach your hostname If you have a private WAN IP address then you cannot use Dynamic DNS P 660HW Tx v3 Series User s Guide Chapter 17 Dynamic DNS Setup 17 2 The Dynamic DNS Screen Use this screen to change your ZyXEL Device s DDNS Click Advanced Dynamic DNS The screen appears as shown Figure 116 Advanced gt Dynamic DNS Dynamic DNS Dynamic DNS Setup Active Dynamic DNS Service Provider WWW DynDNS ORG v Dynamic DNS Type Dynamic ONS Host Name ps User Name MEE Password S LS Enable Wildcard Option Enable off line option Only applies to custom DNS IP Address Update Policy
325. ously configured DNS servers click Advanced and then the DNS tab to order them Figure 163 Windows Vista Internet Protocol Version 4 TCP IPv4 Properties Internet Protocol Version 4 ICP IPv4 Properties Hx General Alternate Configuration You can get IP settings assigned automatically if your network supports this capability Otherwise you need to ask your network administrator For the appropriate IP settings Use the Following IP address Obtain DNS server address automatically Use the Following DNS server addresses Advanced EM 10 Click OK to close the Internet Protocol Version 4 TCP IPv4 Properties window 11 Click Close to close the Local Area Connection Properties window 12 Close the Network Connections window 13 Turn on your ZyXEL Device and restart your computer if prompted Verifying Settings Click Start All Programs Accessories and then Command Prompt In the Command Prompt window type ipconfig and then press ENTER You can also open Network Connections right click a network connection click Status and then click the Support tab P 660HW Tx v3 Series User s Guide Appendix A Setting up Your Computer s IP Address Macintosh OS 8 9 1 Click the Apple menu Control Panel and double click TCP I P to open the TCP I P Control Panel About This Computer Figure 164 Macintosh OS 8 9 Apple Menu D Apple System Profiler E calculator gt Choos
326. owed in Conversely an incoming packet masquerading as a response to a non existent outbound request can be blocked The firewall uses session filtering i e smart rules that enhance the filtering process and control the network session rather than control individual packets in a session The firewall provides e mail service to notify you of routine reports and when alerts occur When To Use The Firewall To prevent DoS attacks and prevent hackers cracking your network A range of source and destination IP addresses as well as port numbers can be specified within one firewall rule making the firewall a better choice when complex rules are required To selectively block allow inbound or outbound traffic between inside host networks and outside host networks Remember that filters cannot distinguish traffic originating from an inside host or an outside host by IP address The firewall performs better than filtering if you need to check many rules Use the firewall if you need routine e mail reports about your system or need to be alerted when attacks occur The firewall can block specific URL traffic that might occur in the future The URL can be saved in an Access Control List ACL database P 660HW Tx v3 Series User s Guide 13 1 Certificates Overview This chapter describes how your ZyXEL Device can use certificates as a means of authenticating wireless clients It gives background information about public k
327. plications 184 IP alias 184 default server IP address 174 176 example 183 global 182 IGA 182 ILA 182 inside 182 local 182 outside 182 P2P 173 packet filtering 226 port forwarding 172 174 activation 177 configuration 175 example 175 rules 177 remote management 275 SIP ALG 181 activation 181 SUA 172 173 NetBIOS 123 Network Address Translation see NAT Network Address Translation see NAT Network Basic Input Output System P P2P 173 203 packet direction 195 packet filter LAN 123 structure 219 WAN 105 112 packet filtering 219 configuration 222 225 firewalls 227 generic filters 223 NAT 226 protocol filters 221 types 220 226 packet filters logs 223 226 packet statistics 40 Pairwise Master Key PMK 405 407 passthrough PPPoE 105 passwords 29 30 administrator 297 users 297 PBC 164 PCR 105 112 116 Peak Cell Rate see PCR PEM 234 PIN WPS 151 153 164 example 166 P 660HW Tx v3 Series User s Guide Index port forwarding 172 174 activation 177 configuration 175 example 175 rules 177 PPPoA 102 109 114 PPPoE 102 109 113 passthrough 105 preamble 146 158 preamble mode 399 pre shared key 143 private IP address 131 probing firewalls 190 product registration 418 protocol filters 221 226 activation 221 logs 223 PSK 405 public private key pairs 235 push button 27 153 Push Button Configuration see PBC push button WPS 164 PVC 244 PVID 252 Q QoS 253 802 1Q t
328. port forwarding rule Click the rule s edit icon in the Port Forwarding screen to display the screen shown next Figure 70 Network gt NAT gt Port Forwarding Edit Rule Setup M Active Service Name Start Port End Port Server IP Address 10 10 1 2 WW B Eo Back Apply Cancel The following table describes the fields in this screen Table 46 Network gt NAT gt Port Forwarding Edit LABEL DESCRIPTION Active Click this check box to enable the rule Service Name Enter a name to identify this port forwarding rule Start Port Enter a port number in this field To forward only one port enter the port number again in the End Port field To forward a series of ports enter the start port number here and the end port number in the End Port field End Port Enter a port number in this field To forward only one port enter the port number again in the Start Port field above and then enter it again in this field To forward a series of ports enter the last port number in a series that begins with the port number in the Start Port field above Server IP Enter the inside IP address of the server here Address Back Click this to return to the previous screen without saving Apply Click this to save your changes Cancel Click this to restore your previously saved settings P 660HW Tx v3 Series User s Guide 177 Chapter 9 Network Address Translation NAT
329. ppendix D Wireless LANs keys This prevent all wireless devices sharing the same encryption keys a weakness of WEP User Authentication WPA and WPA2 apply IEEE 802 1x and Extensible Authentication Protocol EAP to authenticate wireless clients using an external RADIUS database WPA2 reduces the number of key exchange messages from six to four CCMP 4 way handshake and shortens the time required to connect to a network Other WPA2 authentication features that are different from WPA include key caching and pre authentication These two features are optional and may not be supported in all wireless devices Key caching allows a wireless client to store the PMK it derived through a successful authentication with an AP The wireless client uses the PMK when it tries to connect to the same AP and does not need to go with the authentication process again Pre authentication enables fast roaming by allowing the wireless client already connecting to an AP to perform IEEE 802 1x authentication with another AP before connecting to it Wireless Client WPA Supplicants A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA At the time of writing the most widely available supplicant is the WPA patch for Windows XP Funk Software s Odyssey client The Windows XP patch is a free download that adds WPA capability to Windows XP s built in Zero Configuration wireless client
330. pring to early fall when many Savings countries set their clocks ahead of normal local time by one hour to give more daytime light in the evening Select this option if you use Daylight Saving Time Start Date Configure the day and time when Daylight Saving Time starts if you selected Enable Daylight Saving The o clock field uses the 24 hour format Here are a couple of examples Daylight Saving Time starts in most parts of the United States on the second Sunday of March Each time zone in the United States starts using Daylight Saving Time at 2 A M local time So in the United States you would select Second Sunday March and type 2 in the o clock field Daylight Saving Time starts in the European Union on the last Sunday of March All of the time zones in the European Union start using Daylight Saving Time at the same moment 1 A M GMT or UTC So in the European Union you would select Last Sunday March The time you type in the o clock field depends on your time zone In Germany for instance you would type 2 because Germany s time zone is one P 660HW Tx v3 Series User s Guide hour ahead of GMT or UTC GMT 1 Chapter 20 System Settings Table 88 Maintenance System Time Setting continued LABEL DESCRIPTION End Date Configure the day and time when Daylight Saving Time ends if you selected Enable Daylight Saving The o clock field uses the 24 hour format Here are a couple of examples Daylight
331. properly you probably do not need to change the threshold settings as the default threshold values should work for most small offices Tune these parameters when you believe the ZyXEL Device has been receiving DoS attacks that are not recorded in the logs or the logs show that the ZyXEL Device is classifying normal traffic as DoS attacks Factors influencing choices for threshold values are The maximum number of opened sessions The minimum capacity of server backlog in your LAN network The CPU power of servers in your LAN network Network bandwidth P 660HW Tx v3 Series User s Guide Chapter 10 Firewalls 5 Type of traffic for certain servers Reduce the threshold values if your network is slower than average for any of these factors especially if you have servers that are slow or handle many tasks and are often busy f you often use P2P applications such as file sharing with eMule or eDonkey it s recommended that you increase the threshold values since lots of sessions will be established during a small period of time and the ZyXEL Device may classify them as DoS attacks 10 4 2 Configuring Firewall Thresholds The ZyXEL Device also sends alerts whenever TCP Maximum Incomplete is exceeded The global values specified for the threshold and timeout apply to all TCP connections Click Firewall gt Threshold to bring up the next screen Figure 83 Security Firewall Threshold Threshold Denial of Service
332. ption to exclude the packets that match the specified criteria from this classifier Destination Address Select the check box and enter the destination IP address in dotted decimal notation Subnet Enter the destination subnet mask Refer to the appendix for more Netmask information on IP subnetting Port Select the check box and enter the port number of the destination O means any source port number See Appendix E on page 411 for some common services and port numbers MAC Select the check box and enter the destination MAC address of the packet P 660HW Tx v3 Series User s Guide Chapter 16 Quality of Service QoS Table 76 Advanced QoS Class Setup Edit continued LABEL DESCRIPTION MAC Mask Type the mask for the specified MAC address to determine which bits a packet s MAC address should match Enter f for each bit of the specified destination MAC address that the traffic s MAC address should match Enter 0 for the bit s of the matched traffic s MAC address which can be of any hexadecimal character s For example if you set the MAC address to 00 13 49 00 00 00 and the mask to ff ff ff 00 00 00 a packet with a MAC address of 00 13 49 12 34 56 matches this criteria Exclude Select this option to exclude the packets that match the specified criteria from this classifier Others Service This field simplifies classifier configuration by allowing you to select a pre
333. r the inside local address to another the inside global address before forwarding the packet to the WAN side When the response comes back NAT translates the destination address the inside global address back to the inside local address before forwarding it to the original inside host Note that the IP address either local or global of an outside host is never changed The global IP addresses for the inside hosts can be either static or dynamically assigned by the ISP In addition you can designate servers for example a web server and a telnet server on your local network and make them accessible to the outside world If you do not define any servers for Many to One and Many to Many Overload mapping see Table 51 on page 185 NAT offers the additional benefit of firewall protection With no servers defined your ZyXEL Device filters out all incoming inquiries thus preventing intruders from probing your network For more information on IP address translation refer to RFC 1631 The IP Network Address Translator NAT P 660HW Tx v3 Series User s Guide Chapter 9 Network Address Translation NAT 9 6 3 How NAT Works Each packet has two addresses a source address and a destination address For outgoing packets the ILA Inside Local Address is the source address on the LAN and the IGA Inside Global Address is the source address on the WAN For incoming packets the ILA is the destination address on the LAN and the IGA i
334. r 18 Remote Management 18 1 1 18 1 2 To disable remote management of a service select Disable in the corresponding Access Status field You may only have one remote management session running at a time The ZyXEL Device automatically disconnects a remote management session of lower priority when another remote management session of higher priority starts The priorities for the different types of remote management sessions are as follows Telnet HTTP What You Can Do in the Remote Management Screens Use the WWW screen Section 18 2 on page 275 to configure through which interface s and from which IP address es users can use HTTP to manage the ZyXEL Device Use the Telnet screen Section 18 3 on page 276 to configure through which interface s and from which IP address es users can use Telnet to manage the ZyXEL Device Use the FTP screen Section 18 4 on page 277 to configure through which interface s and from which IP address es users can use FTP to access the ZyXEL Device Use the DNS screen Section 18 5 on page 278 to configure through which interface s and from which IP address es users can send DNS queries to the ZyXEL Device Use the ICMP screen Section 18 6 on page 279 to set whether or not your ZyXEL Device will respond to pings and probes for services that you have not made available What You Need to Know About Remote Management Remote Management Limitations Remote management does no
335. r different types of users as shown in the following figure Each group has its own SSID security mode and QoS control aa e e om o 97 r A 9 i I Fi Company Ne l s s I T I A i i I VIP 5 r Guest V fF V 4 s 4 sS 4 x I x jig Ld 9 gt see omm m ocm UT Employees in Company A will use a general Company wireless network group Higher management level and important visitors will use the VIP group which has the highest QoS control Visiting guests will use the Guest group which has a lower security mode and QoS control Company A will use the following parameters to set up the wireless network groups COMPANY VIP GUEST SSID Company VIP Guest Security Mode WPA2 PSK WPA2 PSK Static WEP Pre Shared Key ForCompanyOnly ForVI POnly Guest QoS Default High Low 52 P 660HW Tx v3 Series User s Guide Chapter 4 Tutorials Click Network gt Wireless LAN to open the AP screen Use this screen to set up the company s general wireless network group Configure the screen using the provided parameters and click Apply Wireless Setup Active Wireless LAN Auto Scan Channel 9 Channel Selection Common Setup Network Name SSID Chide ss10 Security Mode WPA Compatible Pre Shared Key Idle Timeout Group Key Update Timer QoS None Default v Channel01 2412MHz vw Company WPA2 PSK vw
336. r more NAT routers between server auto the ZyXEL Device and the DDNS server This feature has the DDNS detect IP server automatically detect and use the IP address of the NAT router Address that has a public IP address Note The DDNS server may not be able to detect the proper IP address if there is an HTTP proxy server between the ZyXEL Device and the DDNS server Use specified Type the IP address of the host name s Use this if you have a static IP IP Address address Apply Click this to save your changes Cancel Click this to restore your previously saved settings P 660HW Tx v3 Series User s Guide 271 Chapter 17 Dynamic DNS Setup 272 P 660HW Tx v3 Series User s Guide Remote Management 18 1 Overview Remote management allows you to determine which services protocols can access which ZyXEL Device interface if any from which computers The following figure shows remote management of the ZyXEL Device coming in from the WAN Figure 117 Remote Management From the WAN LAN WAN INTERNEJ Note When you configure remote management to allow management from the WAN you still need to configure a firewall rule to allow access You may manage your ZyXEL Device from a remote location via Internet WAN only LAN only WLAN only LAN and WAN LAN and WLAN WLAN and WAN ALL WAN LAN and WLAN None Disable P 660HW Tx v3 Series User s Guide 273 Chapte
337. rable Click Status Packet Statistics to access this screen Figure 10 Packet Statistics System Monitor System up Time 4 05 57 Current Date Time 01 01 2000 05 09 29 CPU Usage 26 22 Memory Usage 62 WAN Port Statistics Link Status Down WAN IP Address 0 0 0 0 Upstream Speed 0 kbps Downstream Speed 0 kbps ode tink stats aris ears errors 9 5 8 5 lur one 1 ENET 0 0 0 00 00 2 es 0 0 0 00 00 3 N A 0 0 0 0 0 0 00 00 ES N A 0 0 0 0 0 0 00 00 5 N A 0 0 0 0 0 0 00 00 6 N A 0 0 0 0 0 0 00 00 7 N A 0 0 0 0 0 0 00 00 8 N A 0 0 0 0 0 0 00 00 LAN Port Statistics a a a eo l conson Ethernet 100M Full Duplex 4658 2640 Wireless 54M 463 1538 r Poll Interval s EE sec Setinterval op P 660HW Tx v3 Series User s Guide Chapter 3 Status Screens The following table describes the fields in this screen Table 7 Packet Statistics LABEL DESCRIPTION System Monitor System up Time This is the elapsed time the system has been up Current Date This field displays your ZyXEL Device s present date and time Time CPU Usage This field specifies the percentage of CPU utilization Memory Usage This field specifies the percentage of memory utilization WAN Port Statistics Link Status This is the status of your WAN link WAN IP Address This is the IP address of the ZyXEL Device s WAN port Upstream Speed This is the upstream speed of your ZyXEL Device
338. raveling from a computer subnet on the LAN to either another computer subnet on the LAN interface of the ZyXEL Device or the ZyXEL Device itself Default Action Use the drop down list boxes to select the default action that the firewall is to take on packets that are traveling in the selected direction and do not match any of the firewall rules Select Drop to silently discard the packets without sending a TCP reset packet or an ICMP destination unreachable message to the sender Select Reject to deny the packets and send a TCP reset packet for a TCP packet or an ICMP destination unreachable message for a UDP packet to the sender Select Permit to allow the passage of the packets Log Select the check box to create a log when the above action is taken for packets that are traveling in the selected direction and do not match any of your customized rules Expand Click this to display more information Basic Click this to display less information Apply Click this to save your changes Cancel Click this to restore your previously saved settings P 660HW Tx v3 Series User s Guide Chapter 10 Firewalls 10 3 The Firewall Rule Screen Note The ordering of your rules is very important as rules are applied in turn Refer to Section 10 5 on page 205 for more information Click Security Firewall Rules to bring up the following screen This screen displays a list of the configured f
339. re Algorithm rsa pkcs1 md5 Valid From 2007 Jun 18th 09 20 01 GMT Valid To 2017 Jun 15th 09 20 01 GMT Key Algorithm rsaEncryption 1024 bits MD5 Fingerprint 9f f8 e2 d5 71 20 e7 03 ca df 2f 7f 1e 9e 21 46 SHA1 Fingerprint 0d 6f f2 bd e1 db 07 cb 63 79 76 60 31 14 a9 08 0b 1b 6f d3 Certificate in PEM Base 64 Encoded Format MIIDZTCCAs6g wIBAgIBADANBgkgqhkiG9SwOBAQOFADCBhDELMAKGA1UEBhMCQO4x EDAOBgNVBAgTB ppYWS5nU3UxDTALBGNVBACTBFdieGkxD jAMBgNVBAOTBVpS5WEVM HQwwCgYDVOOLEwNzdzIxEjAQBgGNVBAMTCWxvYZFsaG9zdDEiMCAGCSqGsIb3DQEJ ARYTcZVsaWShLnNibkB6eXhlbC5jbjAieFwOwNzAZMTqgwOTIwMDFaFwOxNzA2MTUw OTIvMDFaMIGEMOswCOYDVOOGEwvJDTjEOMA4GA1UECBMHSmlhbmdTdTENMASGA1UE BxMEVSV4aTEOMAwGAIUEChMFUnlYRUVXDDAKBgNVBASTA3N3MjESMBAGA1UEAxMJ hG9jYWUxob3NOMSIvIAYJKozIhvcNAOKBFhNzZzWxpbmEuc3VuQHp5eGVsLmNuMIGf MAOGCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC 2 wBNMTNYYwRrmGLz1 J3 YTZ 3OCB yOg2JtkQDflj3FFuvVTMvvLJTKTEhKuQ7F7 XKJ75iFUmwTLZvROnsUIVX3f6Z27Eh v Export Apply Cancel The following table describes the labels in this screen Table 68 Trusted CA Details LABEL DESCRIPTION Certificate Name This field displays the identifying name of this certificate If you want to change the name type up to 31 characters to identify this key certificate You may use any character not including spaces Certificate These read only fields display detailed information about the Information certificate Type This field displays general information abou
340. re that no other device on your network is using that IP address The subnet mask specifies the network number portion of an IP address Your ZyXEL Device will compute the subnet mask automatically based on the IP address that you entered You don t need to change the subnet mask computed by the ZyXEL Device unless you are instructed to do otherwise Private IP Addresses Every machine on the Internet must have a unique address If your networks are isolated from the Internet for example only between your two branch offices you can assign any IP addresses to the hosts without problems However the Internet Assigned Numbers Authority IANA has reserved the following three blocks of IP addresses specifically for private networks e 10 0 0 0 10 255 255 255 e 172 16 0 0 172 31 255 255 P 660HW Tx v3 Series User s Guide 131 Chapter 7 LAN Setup 192 168 0 0 192 168 255 255 You can obtain your IP address from the IANA from an ISP or it can be assigned from a private network If you belong to a small organization and your Internet access is through an ISP the ISP can provide you with the Internet addresses for your local networks On the other hand if you are part of a much larger organization you should consult your network administrator for the appropriate IP addresses Note Regardless of your particular situation do not create an arbitrary IP address always follow the guidelines above For more information
341. really from him or not Tim uses his private key to sign the message and sends it to Jenny Jenny receives the message and uses Tim s public key to verify it Jenny knows that the message is from Tim and that although other people may have been able to read the message no one can have altered it because they cannot re sign the message with Tim s private key Additionally Jenny uses her own private key to sign a message and Tim uses Jenny s public key to verify the message P 660HW Tx v3 Series User s Guide PART V Advanced Static Route 239 802 1Q 1P 243 Quality of Service QoS 253 Dynamic DNS Setup 269 Remote Management 273 Universal Plug and Play UPnP 281 237 Static Route 14 1 Overview 14 1 1 The ZyXEL Device usually uses the default gateway to route outbound traffic from computers on the LAN to the Internet To have the ZyXEL Device send data to devices not reachable through the default gateway use static routes For example the next figure shows a computer A connected to the ZyXEL Device s LAN interface The ZyXEL Device routes most traffic from A to the Internet through the ZyXEL Device s default gateway R1 You create one static route to connect to services offered by your ISP behind router R2 You create another static route to communicate with a separate network behind a router R3 connected to the LAN Figure 100 Example of Static Routing Topology _ o
342. resses of the DNS servers The DNS servers are passed to Server the DHCP clients along with the IP address and the subnet mask Second DNS As above Server Back Click this to return to the previous screen without saving Apply Click this to save your changes Exit Click this to close the wizard screen without saving Figure 21 Internet Connection with PPPoA STEP E STEP 2 ffi Internet Configuration Please enter the User Name and Password given to you by your Internet Service Provider here User Name Password Note Device is automatically configured to obtain an IP address automatically The ISP will assigns you a different one each time you connect to the Internet Beck aee et P 660HW Tx v3 Series User s Guide Chapter 5 Internet and Wireless Setup Wizard The following table describes the fields in this screen Table 14 Internet Connection with PPPoA LABEL DESCRIPTION User Name Enter the login name that your ISP gives you Password Enter the password associated with the user name above Back Click this to return to the previous screen without saving Apply Click this to save your changes Exit Click this to close the wizard screen without saving f the user name and or password you entered for PPPoE or PPPoA connection are not correct the screen displays as shown next Click Back to Username and Password setup to go back to the screen where you can modif
343. rk only if the password matches 3 The AP and wireless clients generate a common PMK Pairwise Master Key The key itself is not sent over the network but is derived from the PSK and the SSID P 660HW Tx v3 Series User s Guide 407 Appendix D Wireless LANs 4 The AP and wireless clients use the TKIP or AES encryption process the PMK and information exchanged in a handshake to create temporal encryption keys They use these keys to encrypt data exchanged between them Figure 195 WPA 2 PSK Authentication Security Parameters Summary Refer to this table to see what other security parameters you should configure for each authentication method or key management protocol type MAC address filters are not dependent on how you configure these security features Table 134 Wireless Security Relational Matrix AUTHENTICATION METHOD KEY ENCRYPTIO ENTER IEEE 802 1X MANAGEMENT N METHOD MANUAL KEY i PROTOCOL Open None No Disable Enable without Dynamic WEP Key Open WEP No Enable with Dynamic WEP Key Yes Enable without Dynamic WEP Key Yes Disable Shared WEP No Enable with Dynamic WEP Key Yes Enable without Dynamic WEP Key Yes Disable WPA TKI P AES No Enable WPA PSK TKI P AES Yes Disable WPA2 TKI P AES No Enable WPA2 PSK TKI P AES Yes Disable 408 P 660HW Tx v3 Series User s Guide Appendix D Wireless LANs Antenna Overview An antenna couples RF signals on
344. rotected GIU VIP isise e remet ira Neier eeiieceed 163 Chapter 9 Network Address Translation NAT ecce Leeeeeeeeeeeeee uses enne nane ansa aan aa na 171 UAE I DIC MR REMO UU UE M TNT OE 171 9 1 1 What You Can Do in the NAT Screens ccccccceeeseseccaceaececeeseeeeesseseseeseeaaceaseeeees 171 902 What You Need To Know About NAT 1e npe nima RE Ha LE er eara i epa 171 8 2 The NAT Gereral Setup SCHON uisus nu ke eope lus e Loo ode iani ner dae Fab ADR Ko n M vaga 173 93 The Fort Forwarding GOGGI R 174 P 660HW Tx v3 Series User s Guide Table of Contents 9 3 1 Configuring the Port Forwarding Screen cccccccsscecesseeeseeceeceseeeeeaaeeseeeeseeaaeeenenees 175 9 3 2 The Port Forwarding Rule Edit SOBEN i c iaesac aimer pesas neca dascra i i ada nung 177 94 The Address Mapping SOMOS m 178 9 4 1 The Address Mapping Rule Edit Screen ssnsiisisisoivisarsisierinniniininnninesnassn isian 179 CEST Da BLISS o MT 181 9 6 NAT Technical Rolaren e M 181 SUELE SM ESI ciu METTE 181 Se TRAT DOCS aan 182 Do PON MAT PROCS pia pH Rae XR MF Rn VE EE RU eR Oda nbus Ro DSSE CRI d TOR MUA 183 MLB GENET POC cisci ccne beant d upeReuU an kcx ti EY Ro cina Ei Qo daU Y ia CaL DUI Eee aDu iad neues GR MER de 184 065 NAT Mapping TYPOS eu 184 Pait IV SOCUPIY 187 Chapter 10 Firewall Soressi aA 189 TO TONOA eaa A
345. rship in a Multicast group it is not used to carry user data There are three versions of IGMP IGMP version 2 and 3 are improvements over version 1 but IGMP version 1 is still in wide use Finding Out More See Section 6 4 on page 113 for technical background information on WAN 6 1 3 Before You Begin You need to know your Internet access settings such as encapsulation and WAN IP address Get this information from your ISP P 660HW Tx v3 Series User s Guide Chapter 6 WAN Setup 6 2 The Internet Access Setup Screen Use this screen to change your ZyXEL Device s WAN settings Click Network gt WAN gt Internet Access Setup The screen differs by the WAN type and encapsulation you select Figure 32 Network gt WAN Internet Access Setup PPPoE Line Modulation General Mode Encapsulation User Name Password Service Name Multiplexing Virtual Circuit ID VPI VCI IP Address 9 Obtain an IP Address Automatically O Static IP Address IP Address DNS server First DNS Server Second DNS Server Third ONS Server Connection O Nailed Up Connection 9 Connect on Demand ADSL G lite iM Routing v PPPoE v LEELEE LLC co lJ unt Obtained From ISP m Obtained From ISP Obtained From ISP a Max Idle Timeout 0 Cancel Advanced Setup sec P 660HW Tx v3 Series User s Guide Chapter 6 WAN Setup The following table describes the labels in this screen
346. rting Connectivity Monitor Starting Connectivity Monitor Time initialized by Daytime Server The router got the time and date from the Daytime server Time initialized by Time server The router got the time and date from the time server Time initialized by NTP server The router got the time and date from the NTP server Connect to Daytime server fail The router was not able to connect to the Daytime server Connect to Time server fail The router was not able to connect to the Time server Connect to NTP server fail The router was not able to connect to the NTP server Too large ICMP packet has been dropped The router dropped an ICMP packet that was too large Configuration Change PC Ox x Task ID Ox x The router is saving configuration changes Successful SSH login Someone has logged on to the router s SSH server SSH login failed Someone has failed to log on to the router s SSH server Successful HTTPS login Someone has logged on to the router s web configurator interface using HTTPS protocol HTTPS login failed Someone has failed to log on to the router s web configurator interface using HTTPS protocol Table 93 System Error Logs LOG MESSAGE DESCRIPTION s exceeds the max number of session per host This attempt to create a NAT session exceeds the maximum number of NAT session table entries allowed to
347. s cccccccccecceceeeeeesesaeaeaesessseeeeeeeeseseees 138 H1 Boine You SIT aucuiseeu peste qiie DEMON Moa NN eee UDIN RD MIN RN 138 ANTE E NR Eu DTI 139 Ec EE epis MED E UL UM MM 141 Nb NEF IV IIT Or RO ISDEM 142 Bond WIP ALP Oly neni ium A bas SEED GR Re OR Cae OG Gp nC Kat 143 ERR Rud waP pnus MT C sands 144 8 2 5 Wireless LAN Advanced SATU ocrasce e eee leen Ee Foe LER Er ete sontes Put SE e aiaa 146 BCRNENGTHBE ucssnedasi eb i einn ne o LO en GRE R De B aim ER ER eee 147 5 3 The ere AP CHIEN e uediodisteisi iio ndteta toe ata tidie cT Er I deuten toit Nd detteomatentes 148 PaT NOG AF c pde Mer 149 om culices E BTE E A T EN EMT 151 8 5 The WPS Sialan SOFBBT onasan eaaa tid MEDIEN UE 152 sO The NDO SB aain apre DD Mud e Rb RU EMT ate 153 a e sre ve c RN T OTT 155 8 8 Wireless LAN Technical Referenge erminea ea p E cie ck EEr 156 8 8 1 Wireless Network OVSIVIBW rtt hne Er op daas trea dk n Eaa 156 8 8 2 Additional Wireless Teig scccacidiesadeceicoscdecd vondvaaduess bv vdde bbc ioddact Eo Ide dene dU dide bE Ld dat EcL UN 158 9 5 3 Wireless Doch UOUVIDM code cca dtaedader eec dea eese aule cama cid ea Een cot e bue a 158 S ga cuna PIODIBITIB s connu eh cc cob Erden ecol Rn nme mere renter mn Qc ER 161 te hho gene en ert pan Pide PPR cimo M mE E A M EE enim eii LM EL D EE AE 161 CERES cool s MT o t 162 8 8 7 Wireless Dietiibution System WDS sies dein nbl radar dava ada 163 9 85 8 WIF P
348. s 15 2 1 Editing 802 1Q 1P Group Setting Use this screen to configure the settings for each VLAN group In the 802 1Q 1P screen click the Edit button the following screen from the Modify filed to display Figure 105 Advanced gt 802 1Q 1P gt Group Setting gt Edit Name Default VLAN ID fa Default Gateway Detaut Fixed C Forbidden Tx Tagging Fixed C Forbidden I Tx Tagging Fixed C Forbidden Tx Tagging Fixed Forbidden Tx Tagging SSID1 Fixed C Forbidden F Tx Tagging i r E N SSID2 Fixed C Forbidden Tx Tagging SSID3 Fixed C Forbidden V Tx Tagging SSID4 Fixed C Forbidden T Tx Tagging PYC1 Fixed C Forbidden I Tx Tagging P C2 Fixed C Forbidden I Tx Tagging Fixed C Forbidden Tx Tagging Fixed C Forbidden Tx Tagging Fixed C Forbidden Tx Tagging Fixed C Forbidden T Tx Tagging Fixed C Forbidden Tx Tagging Fixed C Forbidden Tx Tagging Back Apply v tv c ojoj jo a eh v lt a n i v lt eo e Cancel P 660HW Tx v3 Series User s Guide Chapter 15 802 1Q 1P The following table describes the labels in this screen Table 72 Advanced 802 1Q 1P Group Setting Edit LABEL DESCRIPTION Name Enter a descriptive name for the VLAN group for identification purposes The text may consist of up to 8 letter
349. s numerals and VLAN ID Assign a VLAN ID for the VLAN group The valid VID range is between 1 and 4094 Default Select the default gateway for the VLAN group Gateway Ports This field displays the types of ports available to join the VLAN group Control Select Fixed for the port to be a permanent member of the VLAN group Select Forbidden if you want to prohibit the port from joining the VLAN group Tx Tag Select Tx Tagging if you want the port to tag all outgoing traffic trasmitted through this VLAN You select this if you want to create VLANs across different devices and not just the ZyXEL Device Back Click this to return to the previous screen without saving Apply Click this to save your changes Cancel Click this to restore your previously saved settings P 660HW Tx v3 Series User s Guide Chapter 15 802 1QAP 15 3 The 802 1Q 1P Port Setting Screen Use this screen to configure the PVID and assign traffic priority for each port Click Advanced gt 802 1Q 1P gt Port Setting to display the following screen Figure 106 Advanced gt 802 1Q 1P gt Port Setting Ports 8021 0 PVID 802 1P Priority uw fp seve zd tanz ft Same tana E Te LAN4 h 7 Same v SSID1 n Same SSID2 fi Same SSID4 Ee same gt PVC1 i Same v prez ft sel pea ft same v PVC5 I Same v PYC6 R Sme eyez
350. s the destination address on the WAN NAT maps private local IP addresses to globally unique ones required for communication with hosts on other networks It replaces the original IP source address and TCP or UDP source port numbers for Many to One and Many to Many Overload NAT mapping in each packet and then forwards it to the Internet The ZyXEL Device keeps track of the original addresses and port numbers so incoming reply packets can have their original values restored The following figure illustrates this Figure 74 How NAT Works NAT Table LAN Inside Local Inside Global IP Address IP Address WAN 192 168 1 10 IGA 1 192 168 1 13 192 168 1 11 IGA2 r 318 192 168 1 12 IGA 3 192 168 1 13 IGA 4 192 168 1 12 Y VEL 3 demum e SIN EST Inside Local Inside Global Address ILA Address IGA 192 168 1 11 195 1681 10 P 660HW Tx v3 Series User s Guide Chapter 9 Network Address Translation NAT 9 6 4 NAT Application The following figure illustrates a possible NAT application where three inside LANs logical LANs using IP alias behind the ZyXEL Device can communicate with three distinct WAN networks Figure 75 NAT Application With IP Alias A LAN1 192 168 1 X IP 1 IGA 1 192 168 1 1 IP 3 IGA 3 LAN3 192 168 3 X 9 6 5 NAT Mapping Types NAT supports five types of IP port mapping They are One to One n One to One mode the ZyXEL Device maps one local IP address to one g
351. s Guide Appendix C IP Addresses and Subnetting The following figure shows the company network before subnetting Figure 188 Subnetting Example Before Subnetting Quem m um um EM EM EM KM EM NM EM EM EN UN amp 192 168 1 0 24 am um us EE EM EM EN EE REED ED END E Um Ea You can borrow one of the host ID bits to divide the network 192 168 1 0 into two separate sub networks The subnet mask is now 25 bits 255 255 255 128 or 25 The borrowed host ID bit can have a value of either O or 1 allowing two subnets 192 168 1 0 25 and 192 168 1 128 25 The following figure shows the company network after subnetting There are now two sub networks A and B Figure 189 Subnetting Example After Subnetting ws i Hm I E x ii D E I E i B li I El I 4 192 168 1 0 25 4A 192 168 1 128 25 am um um um um um um um um PF fe m um m m m mw d P 660HW Tx v3 Series User s Guide Appendix C IP Addresses and Subnetting In a 25 bit subnet the host ID has 7 bits so each sub network has a maximum of 2 2 or 126 possible hosts a host ID of all zeroes is the subnet s address itself all ones is the subnet s broadcast address 192 168 1 0 with mask 255 255 255 128 is subnet A itself and 192 168 1 127 with mask 255 255 255 128 is its broadcast address Therefore the lowest IP address that can be assigned to an actual host for subnet A is 192 168 1 1 an
352. s are the inside hosts while the web servers on the Internet are the outside hosts Global local denotes the IP address of a host in a packet as the packet traverses a router for example the local address refers to the IP address of a host when the P 660HW Tx v3 Series User s Guide Chapter 9 Network Address Translation NAT packet is in the local network while the global address refers to the IP address of the host when the same packet is traveling in the WAN side Note that inside outside refers to the location of a host while global local refers to the IP address of a host used in a packet Thus an inside local address ILA is the IP address of an inside host in a packet when the packet is still in the local network while an inside global address IGA is the IP address of the same inside host when the packet is on the WAN side The following table summarizes this information Table 50 NAT Definitions ITEM DESCRIPTION Inside This refers to the host on the LAN Outside This refers to the host on the WAN Local This refers to the packet address source or destination as the packet travels on the LAN Global This refers to the packet address source or destination as the packet travels on the WAN NAT never changes the IP address either local or global of an outside host 9 6 2 What NAT Does In the simplest form NAT changes the source IP address in a packet received from a subscribe
353. s ecu dapes ouk bea uaa cii beca nr ad 94 5 3 2 Manually ASSIGN a WEP KEY Liiiicceccconeret emere ren becb rnnt cte e ue cr pore cpi eee dcs 95 x 14M ol lj 97 Chapter 6 p 99 SHESU S SE rr noe oR 99 8 1 1 What You Can Do in the WAN SCIeberg essere tantur ed nba e a dra nana 99 56 1 2 What You Need fo Know About WAN 1 iccciseuer cei retten reor cer er preter nk cR Ec 99 OLOBO TUBON e ET 100 6 2 The Internet Access Setup Screen sissies csceccesissacescssuseseeoesssceue ieina aiia 101 56 2 1 Advanced nemel Access SetU iiciin n e e eiaa 104 Ga The More Connections CPO ascidian asst aad s eiue don ia unian a DEANNA A ld 107 NM ane Connections Et eet ETT 108 6 3 2 Configuring More Connections Advanced Setup sse 111 6 4 WAN Technical FOIGIGNIOG iiie cesta nits cece ol nee naani en N ctun adus ec cubeis Pop R uaaE ER NUR Dubia aed 113 GEM ENGANS ATOM pe 113 ecd gus lis Tr EAE 114 pL VP SI VOL siadessussdiesintdbeetii N Let D dd S Dre PQUN Re dd 114 EM IP Address cie e tied eskareaa EaR iE 115 45 Nailed Up Connection PPPI irenismo a akea 115 BOLD aiaiga 115 o Wae SDa 8j MT T EE 116 Eo ATE E AGB T A A A deo niiu esi erede idi N E dpa aet nu sande 117 Chapter 7 ii
354. s for all TCP and UDP connections through the firewall Note When the number of incomplete connections TCP UDP gt Maximum Incomplete High the router sends TCP RST packets for TCP connections and destroys TOS firewall dynamic sessions until incomplete connections Maximum Incomplete Low Access block sent TCP RST The router sends a TCP RST packet and generates this log if you turn on the firewall TCP reset mechanism via CI command sys firewall tcprst Table 96 Packet Filter Logs LOG MESSAGE DESCRIPTION TCP UDP ICMP IGMP Generic packet filter matched set d rule d Attempted access matched a configured filter rule denoted by its set and rule number and was blocked or forwarded according to the rule For type and code details see Table 105 on page 312 Table 97 ICMP Logs LOG MESSAGE DESCRIPTION Packet Direction lt rule d gt type d lt code d gt Firewall default policy ICMP CMP access matched the default policy and was Packet Direction lt type d gt blocked or forwarded according to the user s code d gt setting Firewall rule NOT match ICMP ICMP access matched or didn t match a firewall rule denoted by its number and was blocked or forwarded according to the rule Triangle route packet forwarded ICMP The firewall allowed a triangle route session to pass through Packet withou
355. screen You may still configure and store keys but they will not be used while dynamic WEP is enabled Note EAP MD5 cannot be used with Dynamic WEP Key Exchange For added security certificate based authentications EAP TLS EAP TTLS and PEAP use dynamic keys for data encryption They are often deployed in corporate environments but for public deployment a simple user name and password pair is more practical The following table is a comparison of the features of authentication types Table 133 Comparison of EAP Authentication Types EAP MD5 EAP TLS EAP TTLS PEAP LEAP Mutual Authentication No Yes Yes Yes Yes Certificate Client No Yes Optional Optional No Certificate Server No Yes Yes Yes No Dynamic Key Exchange No Yes Yes Yes Yes Credential Integrity None Strong Strong Strong Moderate Deployment Difficulty Easy Hard Moderate Moderate Moderate Client Identity No No Yes Yes No Protection WPA and WPA2 Wi Fi Protected Access WPA is a subset of the IEEE 802 11i standard WPA2 IEEE 802 11i is a wireless security standard that defines stronger encryption authentication and key management than WPA Key differences between WPA or WPA2 and WEP are improved data encryption and user authentication If both an AP and the wireless clients support WPA2 and you have an external RADI US server use WPA2 for stronger data encryption If you don t have an external RADIUS server
356. se Sent by the RADIUS server to indicate that it has started or stopped accounting In order to ensure network security the access point and the RADIUS server use a shared secret key which is a password they both know The key is not sent over the network In addition to the shared key password information exchanged is also encrypted to protect the network from unauthorized access Types of EAP Authentication This section discusses some popular authentication types EAP MD5 EAP TLS EAP TTLS PEAP and LEAP Your wireless LAN device may not support all authentication types EAP Extensible Authentication Protocol is an authentication protocol that runs on top of the IEEE 802 1x transport mechanism in order to support multiple types of user authentication By using EAP to interact with an EAP compatible RADIUS server an access point helps a wireless station and a RADIUS server perform authentication The type of authentication you use depends on the RADIUS server and an intermediary AP s that supports IEEE 802 1x For EAP TLS authentication type you must first have a wired connection to the network and obtain the certificate s from a certificate authority CA A certificate also called digital IDs can be used to authenticate users and a CA issues certificates and guarantees the identity of each certificate owner EAP MD5 Message Digest Algorithm 5 MD5 authentication is the simplest one way authentication method The auth
357. se the Log Settings screen to configure the mail server the syslog server when to send logs and what logs to send To change your ZyXEL Device s log settings click Maintenance gt Logs gt Log Settings The screen appears as shown Alerts are e mailed as soon as they happen Logs may be e mailed as soon as the log is full Selecting many alert and or log categories especially Access Control may result in many e mails being sent Figure 127 Maintenance Logs Log Settings E mail Log Settings MailServer hutM SMTP Server Name or IP Mail Subject Send Log to E Mail Address Send Alerts to E Mail Address Log Schedule when Log is Full Day for Sending Log Monday z Time for Sending Log o hourjfo minute I Clear log after sending mail Syslog Logging Active Syslog IP Address 0 0 0 0 Server Name or IP Address Log Facility Local 1 7 Active Log and Alert Log Send Immediate Alert System Maintenance O System Errors 1 System Errors O Access Control Access Control Blocked Web Sites upnp Attacks Forward Web Sites pk T Blocked Web Sites attacks any IP NETS I 802 1x Apply Cancel P 660HW Tx v3 Series User s Guide 303 Chapter 21 Logs The following table describes the fields in this screen Table 90 Maintenance gt Logs gt Log Settings LABEL DESCRIPTION E mail Log Sett ings Mail Ser
358. ser s Guide Content Filtering 11 1 Overview Internet content filtering allows you to block web sites based on keywords in the URL See Section 11 1 4 on page 212 for an example of setting up content filtering 11 1 1 What You Can Do in the Content Filter Screens Use the Keyword screen Section 11 2 on page 214 to block web sites based on a keyword in the URL Use the Schedule screen Section 11 3 on page 215 to specify the days and times keyword blocking is active Use the Trusted screen Section 11 4 on page 216 to exclude computers and other devices on your LAN from the keyword blocking filter 11 1 2 What You Need to Know About Content Filtering URL The URL Uniform Resource Locator identifies and helps locates resources on a network On the Internet the URL is the web address that you type in the address bar of your Internet browser for example http www zyxel com 11 1 3 Before You Begin To use the Trusted screen you need the IP addresses of devices on your network See the LAN section Section 11 4 on page 216 for more information P 660HW Tx v3 Series User s Guide 29 Chapter 11 Content Filtering 11 1 4 Content Filtering Example The following shows the steps required for a parent Bob to set up content filtering on a home network in order to limit his children s access to certain web sites In the following example all URLs containing the word bad are blocked Click Secur
359. ship of a frame across bridges they are not confined to the device on which they were created The VLAN ID associates a frame with a specific VLAN and provides the information that devices need to process the frame across the network PVC A virtual circuit is a logical point to point circuit between customer sites Permanent means that the circuit is preprogrammed by the carrier as a path through the network It does not need to be set up or torn down for each session Forwarding Tagged and Untagged Frames Each port on the device is capable of passing tagged or untagged frames To forward a frame from an 802 1Q VLAN aware device to an 802 1Q VLAN unaware device the ZyXEL Device first decides where to forward the frame and then strips off the VLAN tag To forward a frame from an 802 1Q VLAN unaware device to an 802 1Q VLAN aware switch the ZyXEL Device first decides where to forward the frame and then inserts a VLAN tag reflecting the ingress port s default VID The default PVID is VLAN 1 for all ports but this can be changed Whether to tag an outgoing frame depends on the setting of the egress port on a per VLAN per port basis recall that a port can belong to multiple VLANs If the tagging on the egress port is enabled for the VID of a frame then the frame is transmitted as a tagged frame otherwise it is transmitted as an untagged frame P 660HW Tx v3 Series User s Guide Chapter 15 802 1Q 1P 15 1 3 802 1Q 1P Example
360. sk Exclude Others Service rre z Protocol TCP o i F Exclude I Packettengh p fo Exclude DscP 0 0 63 Exclude Ethernet Priority 0 5E Exclude VLAN ID E 2 4094 I Exclude Physical Port ga Exclude Remote Node F Exclude Apply Cancel P 660HW Tx v3 Series User s Guide 261 Chapter 16 Quality of Service QoS See Appendix E on page 411 for a list of commonly used services The following table describes the labels in this screen Table 76 Advanced gt QoS gt Class Setup Edit LABEL DESCRIPTION Class Configuration Active Select the check box to enable this classifier Name The text may consist of up to 20 letters numerals and any printable character found on a typical English language keyboard Interface Select from which interface traffic of this class should come Priority Select a priority level between 0 and 7 or select Auto to have the ZyXEL Device map the matched traffic to a queue according to the internal QoS mapping table See Section 16 5 4 on page 267 for more information 0 is the lowest priority level and 7 is the highest Routing Policy Select the next hop to which traffic of this class should be forwarded Select By Routing Table to have the ZyXEL Device use the routing table to find a next hop and forward the matched packets automatically Select To WAN Index to route the matched packets through t
361. ss LAN applications P 660HW Tx v3 Series User s Guide Appendix D Wireless LANs Omni directional antennas send the RF signal out in all directions on a horizontal plane The coverage area is torus shaped like a donut which makes these antennas ideal for a room environment With a wide coverage area it is possible to make circular overlapping coverage areas with multiple access points Directional antennas concentrate the RF signal in a beam like a flashlight does with the light from its bulb The angle of the beam determines the width of the coverage pattern Angles typically range from 20 degrees very directional to 120 degrees less directional Directional antennas are ideal for hallways and outdoor point to point applications Positioning Antennas In general antennas should be mounted as high as practically possible and free of obstructions In point to point application position both antennas at the same height and in a direct line of sight to each other to attain the best performance For omni directional antennas mounted on a table desk and so on point the antenna up For omni directional antennas mounted on a wall or ceiling point the antenna down For a single AP application place omni directional antennas as close to the center of the coverage area as possible For directional antennas point the antenna in the direction of the desired coverage area P 660HW Tx v3 Series User s Guide Services
362. ss connections 6 1 2 What You Need to Know About WAN Encapsulation Method Encapsulation is used to include data from an upper layer protocol into a lower layer protocol To set up a WAN connection to the Internet you need to use the same encapsulation method used by your ISP Internet Service Provider If your ISP offers a dial up Internet connection using PPPoE PPP over Ethernet or PPPoA P 660HW Tx v3 Series User s Guide Chapter 6 WAN Setup they should also provide a username and password and service name for user authentication WAN IP Address The WAN IP address is an IP address for the ZyXEL Device which makes it accessible from an outside network It is used by the ZyXEL Device to communicate with other devices in other networks It can be static fixed or dynamically assigned by the ISP each time the ZyXEL Device tries to access the Internet If your ISP assigns you a static WAN IP address they should also assign you the subnet mask and DNS server IP address es and a gateway IP address if you use the Ethernet or ENET ENCAP encapsulation method Multicast Traditionally IP packets are transmitted in one of either two ways Unicast 1 sender 1 recipient or Broadcast 1 sender everybody on the network Multicast delivers IP packets to a group of hosts on the network not everybody and not just one IGMP IGMP Internet Group Multicast Protocol is a network layer protocol used to establish membe
363. ssi reo a niri e D ae xia Red Ese Eso ER Y aa E adit 235 13 3 2 Privale Public Certificates eesinsh TES R enrian 235 xu l4 237 Chapter 14 etc BOB eoa E ER ta isc iveces REGRHI XIII E Hu PIG AEN ADR RIT DN EE 239 QE i c NN E LEM 239 14 1 1 What You Can Do in the Static Route Screens essen 239 14 2 The Static Roule SW ase css ssh eo rete te ixdego tieu de bp Thon dae dadas DUE 240 TET SIRE DONIS EIE 3 terutesupres io dad ba cis ee co a avisa beds estetico sion R dus 241 Chapter 15 BUS TID IP oet IE EMI DELL DU MM EI UE DNI UM JI ME 243 P 660HW Tx v3 Series User s Guide Table of Contents poXye HE RENE 243 15 1 1 What You Can Do in the 802 1Q 1P Screens esee eese 243 15 1 2 What You Need to Know About 802 TO IP eise etin ent eun kr eR Rbd dau Raacd 243 15 8 BO NSFP Exaile assist Eon on COH EARS Pine RC CRDA HERE Rn EA E 245 15 2 The 802 TOHP Group Seting SOSEN eei aee sessacseetcnaneeaneeccatangth bx dta sen i da ER AR 249 15 2 1 Eding 802 1011F OUP SENT eiecit ce ien anaE 250 15 9 The COZ TOE UP POR Seting SEGN auod cadera acti auxi deba adiac anode angu 252 Chapter 16 Quality of Savice 00S RTT Tn 253 AEE I E EE AEE DRE I NEN 253 16 1 1 What You Can Do in the QoS Screens o cceeceesessececceeeeeeceeesesseeaesceseeseceseseseesees 253 16 1 2 What You Need to Know About QoS sescscccccnnasssccasnnssiecedannnradcdadiubnieddinasnadedannnonds 254
364. ssoussetadoncix bob innan Race Ua radar cable uaria dr ada 329 29 3 The DSL Line Disgnastio Solet 1 oboe Rege Pe tO dist etel det Et etu oe o est dd d bt Ta dabis oe QUod denen 330 Part VII Troubleshooting and Specifications 333 Chapter 24 9 9 335 24 1 Power Hardware Connections and LEDS 1 1 esiscecesnxc en rnt era nina kr axi ki kien 335 24 2 ZYXEL Device Access and Login 2uusecu sace dtiuc u exp asninn ERR cuu Rae Ue cda 336 Ae FODUBB eie seat ipie oe E elu dI ee rtia Medi buudte docu QN ee eiui 338 Chapter 25 lit cb li O O A 7X O 341 end Hardware Oper fca lg usas abes opcra abit e boc a boD n rre a d a ra Rh 341 ems Pire opp cB IOS aoeesa tud beer ti dedi el v adab ber Un rcuta MU are Qa dd een legib d ads bes dnd DEREN 341 CIEEUIILCONI DQMI OM 345 254 Power Adspler SoBCIHOSlGNg iusucssascaceiaac ur pur kao tubth Eat suec kr sua uk Ru Eod 347 Part VIII Appendices and Index eene 349 Appendix A Setting up Your Computer s IP Address ssseeeene 351 Appendix B Pop up Windows Javascript and Java Permissions sssssssse 375 Appendix C IP Addresses and Subnetting ie ceseeieiccisie ierant etatis etri cicius 385 torch EFE 99 RR 395 Append E S
365. stomized Services Schedule Day to Apply Everyday Sun Mon _ Tue _ Wed _ Thu _ Fri _ Sat Time of Day te Apply 24 Hour Format All day Start hour minute End hour minute Log Cl Log Packet Detail Information Alert Cl Send Alert Message to Administrator When Matched P 660HW Tx v3 Series User s Guide Chapter 10 Firewalls On completing the configuration procedure for this Internet firewall rule the Rules screen should look like the following Rule 1 allows a MyService connection from the WAN to IP addresses 10 0 0 10 through 10 0 0 15 on the LAN General Ihreshold Rules Firewall Rules Storage Space in Use 395 ov i 100 Packet Direction wiaN to LAN Create a new rule after rule number fi 7 Add DTTUNCTTUTNNNCTONNN NETTE 1 v any l 100010 10 0 0415 z MyService TCP UDP 123 Permit No No E fw pN Apply Cancel 10 2 The Firewall General Screen Use this screen to configure the firewall settings Click Security gt Firewall to display the following screen Figure 77 Security gt Firewall gt General General Rules Threshold General IV Active Firewall iv Bypass Triangle Route A Caution When Bypass Triangle Route is checked all LAN to LAN and WAN to WAN packets will bypass the Firewall check WAN to LAN Drop Vv LAN to WAN Permit 2 WAN to WAN Router pop v LAN to LAN Router Permit a Basic
366. study computer can be excluded from keyword blocking Bob s home network is on the domain 192 168 1 xxx Bob gave his home computer a static IP address of 192 168 1 2 and the study computer a static IP address of 192 168 1 3 To exclude the study computer from keyword blocking he follows these steps 1 Click Security gt Content Filter gt Trusted 2 Inthe Start IP Address and End IP Address fields type 192 168 1 3 3 Click Apply Trusted User IP Range Start IP Address 192 168 1 3 End IP Address 192 168 1 3 Cancel That finishes setting up keyword blocking on the home computer P 660HW Tx v3 Series User s Guide 213 Chapter 11 Content Filtering 11 2 The Keyword Screen Use this screen to block sites containing certain keywords in the URL For example if you enable the keyword bad the ZyXEL Device blocks all sites containing this keyword including the URL http www website com bad html To have your ZyXEL Device block websites containing keywords in their URLs click Security gt Content Filter The screen appears as shown Figure 87 Security gt Content Filtering gt Keyword Keyword Keyword M Active Keyword Blocking Block Websites that contain these keywords in the URL bad Delete Clear All Keyword Add Keyword Apply Cancel The following table describes the labels in this screen Table 58 Security gt Content Filtering gt K
367. t DNS Relay to have the ZyXEL Device act as a DNS proxy only when the ISP uses IPCP DNS server extensions The ZyXEL Device s LAN IP address displays in the field to the right read only The ZyXEL Device tells the DHCP clients on the LAN that the ZyXEL Device itself is the DNS server When a computer on the LAN sends a DNS query to the ZyXEL Device the ZyXEL Device forwards the query to the real DNS server learned through I PCP and relays the response back to the computer You can only select DNS Relay for one of the three servers if you select DNS Relay for a second or third DNS server that choice changes to None after you click Apply Select None if you do not want to configure DNS servers You must have another DHCP sever on your LAN or else the computers must have their DNS server addresses manually configured If you do not configure a DNS server you must know the IP address of a computer in order to access it Apply Click this to save your changes Cancel Click this to restore your previously saved settings P 660HW Tx v3 Series User s Guide E Chapter 7 LAN Setup 7 4 The Client List Screen This table allows you to assign IP addresses on the LAN to specific individual computers based on their MAC Addresses Every Ethernet device has a unique MAC Media Access Control address The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters for example 00 A0 C5
368. t WPA and some support WPA2 you should set up WPA2 PSK or WPA2 depending on the type of wireless network login and select the WPA compatible option in the ZyXEL Device Many types of encryption use a key to protect the information in the wireless network The longer the key the stronger the encryption Every device in the wireless network must have the same key 8 8 4 Signal Problems Because wireless networks are radio networks their signals are subject to limitations of distance interference and absorption Problems with distance occur when the two radios are too far apart Problems with interference occur when other radio waves interrupt the data signal Interference may come from other radio transmissions such as military or air traffic control communications or from machines that are coincidental emitters such as electric motors or microwaves Problems with absorption occur when physical objects such as thick walls are between the two radios muffling the signal 8 8 5 BSS A Basic Service Set BSS exists when all communications between wireless stations or between a wireless station and a wired network client go through one access point AP Intra BSS traffic is traffic between wireless stations in the BSS When Intra BSS traffic blocking is disabled wireless station A and B can access the wired network P 660HW Tx v3 Series User s Guide Chapter 8 Wireless LAN and communicate with each other When Intra BSS tra
369. t a NAT table entry blocked ICMP The router blocked a packet that didn t have a corresponding NAT table entry Unsupported out of order ICMP ICMP The firewall does not support this kind of ICMP packets or the I CMP packets are out of order Router reply ICMP packet ICMP The router sent an ICMP reply packet to the sender P 660HW Tx v3 Series User s Guide Chapter 21 Logs Table 98 CDR Logs LOG MESSAGE DESCRIPTION board d line d channel d The router received the setup requirements for a call call d s C01 Outgoing Call call is the reference count number of the call dev x ch x s dev is the device type 3 is for dial up 6 is for PPPoE 10 is for PPTP channel or ch is the call channel ID For example board 0 line 0 channel 0 call 3 C01 Outgoing Call dev 6 ch 0 Means the router has dialed to the PPPoE server 3 times board d line d channel d The PPPOE PPTP or dial up call is connected call d s C02 OutCall Connected d s board d line d channel d The PPPoE PPTP or dial up call was disconnected call d s C02 Call Terminated Table 99 PPP Logs LOG MESSAGE DESCRIPTION ppp LCP Starting The PPP connection s Link Control Protocol stage has started ppp LCP Opening The PPP connection s Link Control Protocol stage is opening ppp CHAP Opening The PPP connection s Challenge Handshake Authentication Protocol
370. t the certificate CA signed means that a Certification Authority signed the certificate Self signed means that the certificate s owner signed the certificate not a certification authority X 509 means that this certificate was created and signed according to the ITU T X 509 recommendation that defines the formats for public key certificates P 660HW Tx v3 Series User s Guide Chapter 13 Certificates Table 68 Trusted CA Details continued LABEL DESCRIPTION Version This field displays the X 509 version number Serial Number This field displays the certificate s identification number given by the certification authority Signature Algorithm This field displays the type of algorithm that was used to sign the certificate Some certification authorities use rsa pkcs1 shal RSA public private key encryption algorithm and the SHA1 hash algorithm Other certification authorities may use rsa pkcs1 md5 RSA public private key encryption algorithm and the MD5 hash algorithm Valid From This field displays the date that the certificate becomes applicable The text displays in red and includes a Not Yet Valid message if the certificate has not yet become applicable Valid To This field displays the date that the certificate expires The text displays in red and includes an Expiring or Expired message if the certificate is about to expire or has already expired Key Algorithm
371. t the topics covered in this chapter 7 6 1 LANs WANs and the ZyXEL Device The actual physical connection determines whether the ZyXEL Device ports are LAN or WAN ports There are two separate IP networks one inside the LAN network and the other outside the WAN network as shown next Figure 44 LAN and WAN IP Addresses P 660HW Tx v3 Series User s Guide Chapter 7 LAN Setup 7 6 2 DHCP Setup DHCP Dynamic Host Configuration Protocol RFC 2131 and RFC 2132 allows individual clients to obtain TCP IP configuration at start up from a server You can configure the ZyXEL Device as a DHCP server or disable it When configured as a server the ZyXEL Device provides the TCP IP configuration for the clients If you turn DHCP service off you must have another DHCP server on your LAN or else the computer must be manually configured IP Pool Setup The ZyXEL Device is pre configured with a pool of IP addresses for the DHCP clients DHCP Pool See the product specifications in the appendices Do not assign static IP addresses from the DHCP pool to your LAN computers 7 6 3 DNS Server Addresses DNS Domain Name System maps a domain name to its corresponding IP address and vice versa The DNS server is extremely important because without it you must know the IP address of a computer before you can access it The DNS server addresses you enter when you set up DHCP are passed to the client machines along with the assigned IP address an
372. t up multiple wireless networks on your ZyXEL Device Use the WPS screen see Section 8 4 on page 151 to enable or disable WPS generate a security PIN Personal Identification Number and see information about the ZyXEL Device s WPS status Use the WPS Station see Section 8 5 on page 152 screen to set up WPS by pressing a button or using a PIN Use the WDS screen see Section 8 6 on page 153 to set up a Wireless Distribution System in which the ZyXEL Device acts as a bridge with other ZyXEL access points Use the Scheduling screen see Section 8 7 on page 155 to configure the dates times to enable or disable the wireless LAN P 660HW Tx v3 Series User s Guide 1 37 Chapter 8 Wireless LAN You don t necessarily need to use all these screens to set up your wireless connection For example you may just want to set up a network name a wireless radio channel and security in the AP screen 8 1 2 What You Need to Know About Wireless Wireless Basics Wireless is essentially radio communication In the same way that walkie talkie radios send and receive information over the airwaves wireless networking devices exchange information with one another A wireless networking device is just like a radio that lets your computer exchange information with radios attached to other computers Like walkie talkies most wireless networking devices operate at radio frequency bands that are open to the public and do not require a li
373. t work when You have not enabled that service on the interface in the corresponding remote management screen You have disabled that service in one of the remote management screens The IP address in the Secured Client IP field does not match the client IP address If it does not match the ZyXEL Device will disconnect the session immediately There is already another remote management session with an equal or higher priority running You may only have one remote management session running at one time 274 P 660HW Tx v3 Series User s Guide Chapter 18 Remote Management There is a firewall rule that blocks it Remote Management and NAT When NAT is enabled Use the ZyXEL Device s WAN IP address when configuring from the WAN Use the ZyXEL Device s LAN IP address when configuring from the LAN System Timeout There is a default system management idle timeout of five minutes three hundred seconds The ZyXEL Device automatically logs you out if the management session remains idle for longer than this timeout period The management session does not time out when a statistics screen is polling 18 2 The WWW Screen Use this screen to specify how to connect to the ZyXEL Device from a web browser such as Internet Explorer Note If you disable the WWW service in the Remote MGMT WWW screen then the ZyXEL Device blocks all HTTP connection attempts 18 2 1 Configuring the WWW Screen Click Advanced R
374. ta packet Filters are subdivided into generic and protocol filters Generic filter rules act on the raw data from to LAN and WAN Protocol filter rules act on IP packets Filter Structure A filter set consists of one or more filter rules The ZyXEL Device allows you to configure up to twelve filter sets with six rules in each set for a total of 72 filter rules in the system You cannot mix generic filter rules and protocol filter rules within the same set You can apply up to four filter sets to a particular port to block multiple types of packets With each filter set having up to six rules you can have a maximum of 24 rules active for a single port Finding Out More See Section 12 3 on page 226 for technical background information on packet filters P 660HW Tx v3 Series User s Guide Chapter 12 Packet Filter 12 2 The Packet Filter Screen Use this screen to set up packet filters on your ZyXEL Device Click Security gt Packet Filter to display the following screen Figure 90 Security gt Packet Filter Packet Filter Filter Sets 1 O ow O oH amp WO N E E Protocol Fiter E A ea 3 Protocol Fiter Eu 1 Protocol Fiter y m es Protocol Fiter z y neee ProtocotFter g a E uU Protoca Fiter 7A J Protocol Fiter Eu REN Frtoca Fer v m oo Praoca Fier s ya N Protocorriter Eu Bac Protocol Fiter E m ee Protocal Fiter z y Apply Cancel The fol
375. tagrams but the messages are processed by the TCP IP software and directly apparent to the application user Respond to The ZyXEL Device will not respond to any incoming Ping requests when Ping on Disable is selected Select LAN to reply to incoming LAN Ping requests Select WAN to reply to incoming WAN Ping requests Otherwise select LAN amp WAN to reply to both incoming LAN and WAN Ping requests Do not respond to requests for unauthorized services Select this option to prevent hackers from finding the ZyXEL Device by probing for unused ports If you select this option the ZyXEL Device will not respond to port request s for unused ports thus leaving the unused ports and the ZyXEL Device unseen If this option is not selected the ZyXEL Device will reply with an ICMP port unreachable packet for a port probe on its unused UDP ports and a TCP reset packet for a port probe on its unused TCP ports Note that the probing packets must first traverse the ZyXEL Device s firewall rule checks before reaching this anti probing mechanism Therefore if a firewall rule stops a probing packet the ZyXEL Device reacts based on the firewall rule to either send a TCP reset packet for a blocked TCP packet or an ICMP port unreachable packet for a blocked UDP packets or just drop the packets without sending a response packet Apply Click this to save your changes Cancel Click this to restore your previously saved settings
376. tation for 8 bit 16 bit 24 bit and 29 bit subnet masks Table 121 Subnet Masks BINARY 1ST 2ND 3RD 4TH DECIMAL OCTET OCTET OCTET OCTET 8 bit mask 11111111 00000000 00000000 00000000 255 0 0 0 16 bit 11111111 11111111 00000000 00000000 255 255 0 0 mask 24 bit 11111111 11111111 11111111 00000000 255 255 255 0 mask 29 bit 11111111 11111111 11111111 11111000 255 255 255 24 mask 8 Network Size The size of the network number determines the maximum number of possible hosts you can have on your network The larger the number of network number bits the smaller the number of remaining host ID bits An IP address with host IDs of all zeros is the IP address of the network 192 168 1 0 with a 24 bit subnet mask for example An IP address with host IDs of all ones is the broadcast address for that network 192 168 1 255 with a 24 bit subnet mask for example As these two IP addresses cannot be used for individual hosts calculate the maximum number of possible hosts in a network as follows Table 122 Maximum Host Numbers SUBNET MASK HOST ID SIZE MAIS LEON EROR 8 bits 255 0 0 0 24 bits gt 9 16777214 16 bits 255 255 0 0 16 bits 215 2 65534 24 bits 255 255 255 0 8 bits 28 2 254 29 bits 255 255 255 2 3 bits 23 2 6 48 P 660HW Tx v3 Series User s Guide 387 Appendix C IP Addresses and Subnetting Nota
377. tches web names for instance www zyxel com to IP numbers ESP User Defined 50 The IPSEC ESP Encapsulation IPSEC TUNNEL Security Protocol tunneling protocol uses this service FINGER TCP 79 Finger is a UNIX or Internet related command that can be used to find out if a user is logged on FTP TCP 20 File Transfer Protocol a program to enable fast transfer of files including TCP 21 large files that may not be possible by e mail H 323 TCP 1720 NetMeeting uses this protocol HTTP TCP 80 Hyper Text Transfer Protocol a client server protocol for the world wide web HTTPS TCP 443 HTTPS is a secured http session often used in e commerce ICMP User Defined 1 Internet Control Message Protocol is often used for diagnostic purposes ICQ UDP 4000 This is a popular Internet chat program IGMP User Defined 2 Internet Group Multicast Protocol is MULTI CAST used when sending packets to a specific group of hosts IKE UDP 500 The Internet Key Exchange algorithm is used for key distribution and management IMAP4 TCP 143 The Internet Message Access Protocol is used for e mail IMAPAS TCP 993 This is a more secure version of MAP4 that runs over SSL IRC TCP UDP 6667 This is another popular Internet chat program P 660HW Tx v3 Series User s Guide Appendix E Services Table 135 Examples of Services continued NAME PROTOCOL PORT S DESCRIPTION MSN Mess
378. te and play with other gamers on Xbox LIVE Thomas needs to configure the port settings on his ZyXEL Device Xbox 360 requires the following ports to be available in order to operate Xbox LIVE correctly TCP 53 80 3074 UDP 53 88 3074 Thomas may set up the port settings in two ways He can either set the Xbox 360 s IP address as the default server see Section 4 5 1 on page 58 or he can configure the port settings for Xbox 360 see Section 4 5 2 on page 59 4 5 1 Default Server It is much easier to set the Xbox 360 s IP address as the default server if it is not already assigned to another server There is no need to enter any port number Note Setting a device as the default server exposes the device to potential attacks Any port service trying to access the ZyXEL Device s WAN IP address will be forwarded to the default server It is recommended that you set up a firewall rule to protect the device If you are not certain about the Xbox 360 s IP address you may check it in the DHCP client table Click Network gt LAN gt Client List to open the following screen Look for the IP address for Xbox 360 DHCP Client Table IP Address 0 0 0 0 MAC Address 00 00 00 00 00 00 ee twpci3477 192 168 1 33 00 0F FE 32 84 12 2 Xbox 360 00 1E 52 C3 5C 1B Apply Cancel Refresh P 660HW Tx v3 Series User s Guide Chapter 4 Tutorials 2 Click Network gt NAT to open the General screen Select
379. ter 9 Network Address Translation NAT Configuring Servers Behind Port Forwarding Example Let s say you want to assign ports 21 25 to one FTP Telnet and SMTP server A in the example port 80 to another B in the example and assign a default server IP address of 192 168 1 35 to a third C in the example You assign the LAN IP addresses and the ISP assigns the WAN IP address The NAT network appears as a single host on the Internet Figure 68 Multiple Servers Behind NAT Example A 192 168 1 33 LAN WAN B 192 168 1 34 T rr m zy 192 168 1 1 IP Address assigned by ISP C 192 168 1 35 D 192 168 1 36 9 3 1 Configuring the Port Forwarding Screen Click Network gt NAT gt Port Forwarding to open the following screen See Appendix E on page 411 for port numbers commonly used for particular services Figure 69 Network gt NAT gt Port Forwarding Port Forwarding Default Server Setup Default Server 0 0 0 0 Port Forwarding Service Name Www z Server IP Address 0 0 0 0 Add PST rs ee 1 2 WWW 80 80 192 168 1 2 EP du Apply Cancel P 660HW Tx v3 Series User s Guide 175 Chapter 9 Network Address Translation NAT 176 The following table describes the fields in this screen Table 45 Network gt NAT gt Port Forwarding LABEL DESCRIPTION Default Server Setup Default Server In addition to the servers for specified services NAT supports a defau
380. that provides services mainly for cable modems RTELNET TCP 107 Remote Telnet RTSP TCP UDP 554 The Real Time Streaming media control Protocol RTSP is a remote Internet P 660HW Tx v3 Series User s Guide control for multimedia on the Appendix E Services Table 135 Examples of Services continued NAME PROTOCOL PORT S DESCRIPTION SFTP TCP 115 The Simple File Transfer Protocol is an old way of transferring files between computers SMTP TCP 25 Simple Mail Transfer Protocol is the message exchange standard for the Internet SMTP enables you to move messages from one e mail server to another SMTPS TCP 465 This is a more secure version of SMTP that runs over SSL SNMP TCP UDP 161 Simple Network Management Program SNMP TRAPS TCP UDP 162 Traps for use with the SNMP RFC 1215 SQL NET TCP 1521 Structured Query Language is an interface to access data on many different types of database systems including mainframes midrange systems UNIX systems and network servers SSDP UDP 1900 The Simple Service Discovery Protocol supports Universal Plug and Play UPnP SSH TCP UDP 22 Secure Shell Remote Login Program STRM WORKS UDP 1558 Stream Works Protocol SYSLOG UDP 514 Syslog allows you to send system logs to a UNIX server TACACS UDP 49 Login H
381. the ZyXEL Device receives packets from the computer it creates an entry in the IP routing table so it can properly forward packets intended for the computer After all the routing information is updated the computer can access the ZyXEL Device and the Internet as if it is in the same subnet as the ZyXEL Device P 660HW Tx v3 Series User s Guide 135 Chapter 7 LAN Setup P 660HW Tx v3 Series User s Guide Wireless LAN 8 1 Overview This chapter describes how to perform tasks related to setting up and optimizing your wireless network including the following Turning the wireless connection on or off Configuring a name wireless channel and security for the network Using WiFi Protected Setup WPS to configure your wireless network Setting up multiple wireless networks Using a MAC Media Access Control address filter to restrict access to the wireless network Setting up a Wireless Distribution System WDS Performing other performance related wireless tasks 8 1 1 What You Can Do in the Wireless LAN Screens This section describes the ZyXEL Device s Network Wireless LAN screens Use these screens to set up your ZyXEL Device s wireless connection Use the AP screen see Section 8 2 on page 139 to turn the wireless connection on or off set up wireless security configure the MAC filter and make other basic configuration changes Use the More AP screen see Section 8 3 on page 148 to se
382. the ZyXEL Device uses to determine when to start dropping sessions that do not become fully established half open sessions 10 1 2 What You Need to Know About Firewall DoS Denials of Service DoS attacks are aimed at devices and networks with a connection to the Internet Their goal is not to steal information but to disable a device or network so users no longer have access to network resources The ZyXEL Device is pre configured to automatically detect and thwart all known DoS attacks Anti Probing If an outside user attempts to probe an unsupported port on your ZyXEL Device an ICMP response packet is automatically returned This allows the outside user to know the ZyXEL Device exists The ZyXEL Device supports anti probing which prevents the ICMP response packet from being sent This keeps outsiders from discovering your ZyXEL Device when unsupported ports are probed ICMP Internet Control Message Protocol ICMP is a message control and error reporting protocol between a host server and a gateway to the Internet ICMP uses Internet Protocol IP datagrams but the messages are processed by the TCP IP software and directly apparent to the application user DoS Thresholds For DoS attacks the ZyXEL Device uses thresholds to determine when to drop sessions that do not become fully established These thresholds apply globally to all sessions You can use the default threshold values or you can change them to values more suitabl
383. the check box to activate wireless LAN Wireless LAN Auto Scan Select this option to have the ZyXEL Device automatically scan for and Channel select a channel which is not used by another device Channel Set the operating frequency channel depending on your particular region Selection Click the Scan button to list available channels and then select a channel from the drop down list box Common Setup Network Name SSID The SSID Service Set IDentity identifies the service set with which a wireless device is associated Wireless devices associating to the access point AP must have the same SSID Enter a descriptive name up to 32 printable 7 bit ASCII characters for the wireless LAN Note If you are configuring the ZyXEL Device from a computer connected to the wireless LAN and you change the ZyXEL Device s SSID or WEP settings you will lose your wireless connection when you press Apply to confirm You must then change the wireless settings of your computer to match the ZyXEL Device s new settings Hide SSID Select this check box to hide the SSID in the outgoing beacon frame so a station cannot obtain the SSID through scanning using a site survey tool Security Mode See the following sections for more details about this field MAC Filter This shows whether the wireless devices with the MAC addresses listed are allowed or denied to access the ZyXEL Device using this SSID Edit Click this t
384. ther reserves the right to make changes in any products described herein without notice This publication is subject to change without notice Trademarks ZyNOS ZyXEL Network Operating System is a registered trademark of ZyXEL Communications Inc Other trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners Certifications Federal Communications Commission FCC Interference Statement The device complies with Part 15 of FCC rules Operation is subject to the following two conditions This device may not cause harmful interference P 660HW Tx v3 Series User s Guide Appendix F Legal Information This device must accept any interference received including interference that may cause undesired operations This device has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules These limits are designed to provide reasonable protection against harmful interference in a residential installation This device generates uses and can radiate radio frequency energy and if not installed and used in accordance with the instructions may cause harmful interference to radio communications However there is no guarantee that interference will not occur in a particular installation If this device does cause harmful interference to radio television reception which can be determined by turning the de
385. this screen to configure WiFi Protected Setup WPS on your ZyXEL Device WPS allows you to quickly set up a wireless network with strong security without having to configure security settings manually Set up each WPS connection between two devices Both devices must support WPS Click Network gt Wireless LAN gt WPS The following screen displays Figure 55 Network gt Wireless LAN gt WPS WPS Setup C Enable wes PIN Number 21129674 WPS Status Status Unconfigured Ni Note If you enable WPS the UPnP service will be turned on automatically The following table describes the labels in this screen Table 38 Network gt Wireless LAN gt WPS LABEL DESCRIPTION WPS Setup Enable WPS Select the check box to activate WPS on the ZyXEL Device PIN Number This shows the PIN Personal Identification Number of the ZyXEL Device Enter this PIN in the configuration utility of the device you want to connect to using WPS The PIN is not necessary when you use WPS push button method Generate Click this to have the ZyXEL Device create a new PIN WPS Status This displays Configured when the ZyXEL Device has connected to a wireless network using WPS or Enable WPS is selected and wireless or wireless security settings have been changed The current wireless and wireless security settings also appear in the screen This displays Unconfigured if WPS is disabled and there is no wireless or wir
386. ting Table 126 Subnet 3 IP SUBNET MASK NETWORK NUMBER LAST OCTET BIT VALUE IP Address 192 168 1 128 IP Address Binary 11000000 10101000 00000001 10000000 Subnet Mask Binary 11111111 11111111 11111111 11000000 Subnet Address Lowest Host ID 192 168 1 129 192 168 1 128 Broadcast Address Highest Host ID 192 168 1 190 192 168 1 191 Table 127 Subnet 4 IP SUBNET MASK NETWORK NUMBER LAST OCTET BIT VALUE IP Address 192 168 1 192 IP Address Binary 11000000 10101000 00000001 11000000 Subnet Mask Binary 11111111 11111111 11111111 11000000 Subnet Address 192 168 1 192 Lowest Host ID 192 168 1 193 Broadcast Address 192 168 1 255 Highest Host ID 192 168 1 254 Example Eight Subnets Similarly use a 27 bit mask to create eight subnets 000 001 010 011 100 101 110 and 111 The following table shows IP address last octet values for each subnet Table 128 Eight Subnets suoner SUBMET rims aponess Meneses BRQADGAST 1 0 1 30 31 2 32 33 62 63 3 64 65 94 95 4 96 97 126 127 5 128 129 158 159 6 160 161 190 191 7 192 193 222 223 8 224 225 254 255 P 660HW Tx v3 Series User s Guide Appendix C IP Addresses and Subnetting Subnet Planning The following table is a summary for subnet planning on a network with a 24 bit network number Table 129 24 bit Network Number
387. tion Since the mask is always a continuous number of ones beginning from the left followed by a continuous number of zeros for the remainder of the 32 bit mask you can simply specify the number of ones instead of writing the value of each octet This is usually specified by writing a followed by the number of bits in the mask after the address For example 192 1 1 0 25 is equivalent to saying 192 1 1 0 with subnet mask 255 255 255 128 The following table shows some possible subnet masks using both notations Table 123 Alternative Subnet Mask Notation SUBNET ALTERNATIVE LAST OCTET LAST OCTET MASK NOTATION BINARY DECIMAL 255 255 255 0 24 0000 0000 0 255 255 255 12 25 1000 0000 128 8 255 255 255 19 26 1100 0000 192 2 255 255 255 22 27 1110 0000 224 4 255 255 255 24 28 1111 0000 240 0 255 255 255 24 29 1111 1000 248 8 255 255 255 25 30 1111 1100 252 2 Subnetting You can use subnetting to divide one network into multiple sub networks In the following example a network administrator creates two sub networks to isolate a group of servers from the rest of the company network for security reasons In this example the company network address is 192 168 1 0 The first three octets of the address 192 168 1 are the network number and the remaining octet is the host ID allowing a maximum of 28 2 or 254 possible hosts P 660HW Tx v3 Series User
388. tiple public WAN IP addresses for your ZyXEL Device Max NAT When computers use peer to peer applications such as file sharing Firewall Session applications they need to establish NAT sessions If you do not limit the Per User number of NAT sessions a single client can establish this can result in all of the available NAT sessions being used In this case no additional NAT sessions can be established and users may not be able to access the Internet Each NAT session establishes a corresponding firewall session Use this field to limit the number of NAT Firewall sessions client computers can establish through the ZyXEL Device If your network has a small number of clients using peer to peer applications you can raise this number to ensure that their performance is not degraded by the number of NAT sessions they can establish If your network has a large number of users using peer to peer applications you can lower this number to ensure no single client is exhausting all of the available NAT sessions P 660HW Tx v3 Series User s Guide 173 Chapter 9 Network Address Translation NAT Table 44 Network gt NAT gt General continued LABEL DESCRIPTION Apply Click this to save your changes Cancel Click this to restore your previously saved settings 9 3 The Port Forwarding Screen Note This screen is available only when you select SUA only in the NAT General screen Use this screen t
389. tly give you an IP network number then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established If this is the case it is recommended that you select a network number from 192 168 0 0 to 192 168 255 0 The Internet Assigned Number Authority IANA reserved this block of addresses specifically for private use please do not use any other number unless you are told otherwise You must also enable Network Address Translation NAT on the ZyXEL Device Once you have decided on the network number pick an IP address for your ZyXEL Device that is easy to remember for instance 192 168 1 1 but make sure that no other device on your network is using that IP address The subnet mask specifies the network number portion of an IP address Your ZyXEL Device will compute the subnet mask automatically based on the IP address that you entered You don t need to change the subnet mask computed by the ZyXEL Device unless you are instructed to do otherwise Private IP Addresses Every machine on the Internet must have a unique address If your networks are isolated from the Internet running only between two branch offices for example you can assign any IP addresses to the hosts without problems However the Internet Assigned Numbers Authority IANA has reserved the following three blocks of IP addresses specifically for private networks e 10 0 0 0 10 255 255 255 e 172 16 0 0 1
390. to air A transmitter within a wireless device sends an RF signal to the antenna which propagates the signal through the air The antenna also operates in reverse by capturing RF signals from the air Positioning the antennas properly increases the range and coverage area of a wireless LAN Antenna Characteristics Frequency An antenna in the frequency of 2 4GHz IEEE 802 11b and IEEE 802 119 or 5GHz IEEE 802 11a is needed to communicate efficiently in a wireless LAN Radiation Pattern A radiation pattern is a diagram that allows you to visualize the shape of the antenna s coverage area Antenna Gain Antenna gain measured in dB decibel is the increase in coverage within the RF beam width Higher antenna gain improves the range of the signal for better communications For an indoor site each 1 dB increase in antenna gain results in a range increase of approximately 2 596 For an unobstructed outdoor site each 1dB increase in gain results in a range increase of approximately 596 Actual results may vary depending on the network environment Antenna gain is sometimes specified in dBi which is how much the antenna increases the signal power compared to using an isotropic antenna An isotropic antenna is a theoretical perfect antenna that sends out radio signals equally well in all directions dBi represents the true gain that the antenna provides Types of Antennas for WLAN There are two types of antennas used for wirele
391. to their destinations Subnet Mask This parameter specifies the IP network subnet mask of the final destination Modify Click the Edit icon to go to the screen where you can set up a static route on the ZyXEL Device Click the Remove icon to remove a static route from the ZyXEL Device A window displays asking you to confirm that you want to delete the route P 660HW Tx v3 Series User s Guide Chapter 14 Static Route Table 69 Advanced gt Static Route LABEL DESCRIPTION Apply Click this to save your changes Cancel Click this to restore your previously saved settings 14 2 1 Static Route Edit Use this screen to configure the required information for a static route Select a static route index number and click Edit The screen shown next appears Figure 102 Advanced gt Static Route Edit Static Route Setup Active Route Name m Destination IP Address nono IP Subnet Mask oo 0 Gateway Type Gateway Address Gateway IP Address noo Gateway Node na Apply Cancel The following table describes the labels in this screen Table 70 Advanced gt Static Route Edit LABEL DESCRIPTION Active This field allows you to activate deactivate this static route Route Name Enter the name of the IP static route The text may consist of up to 9 letters numerals and any printable character found on a typical English language keyboard Leave t
392. tten it see the troubleshooting suggestions for forgot the IP address for the ZyXEL Device 2 Check the hardware connections and make sure the LEDs are behaving as expected See the Quick Start Guide 3 Make sure your Internet browser does not block pop up windows and has JavaScript and Java enabled See Appendix B on page 375 4 f you disabled Any IP Section 7 6 7 on page 133 make sure your computer is in the same subnet as the ZyXEL Device If you know that there are routers between your computer and the ZyXEL Device skip this step f there is a DHCP server on your network make sure your computer is using a dynamic IP address See Appendix A on page 351 Your ZyXEL Device is a DHCP server by default f there is no DHCP server on your network make sure your computer s IP address is in the same subnet as the ZyXEL Device See Appendix A on page 351 5 Reset the device to its factory defaults and try to access the ZyXEL Device with the default IP address See Section 1 6 on page 27 6 If the problem continues contact the network administrator or vendor or try one of the advanced suggestions Advanced Suggestions Try to access the ZyXEL Device using another service such as Telnet If you can access the ZyXEL Device check the remote management settings and firewall rules to find out why the ZyXEL Device does not respond to HTTP f your computer is connected to the WAN port or is connected wirelessly use a
393. twork connections TWPCS99111 Internet Diagnose and repair This computer Not connected 5 Right click Local Area Connection and then click Properties Note During this procedure click Continue whenever Windows displays a screen saying that it needs your permission to continue Figure 159 Windows Vista Network and Sharing Center TOE qe Network and Internet Network Connection File Edit View Tools Advanced Help By Organize v S Views v Disable this network device Name Status Device Name Networ LAN or High Sneed Internat 1 lcs Collapse group A em x a tee Expand all groups Collapse all groups Connectivity Left Arrow Disable Status Diagnose Bridge Connections Create Shortcut Delete Rename P 660HW Tx v3 Series User s Guide 361 Appendix A Setting up Your Computer s IP Address 6 Select Internet Protocol Version 4 TCP IPv4 and click Properties Figure 160 Windows Vista Local Area Connection Properties LLL i Local Area Connection Properties LEM Networking Connect using Intel R PRO 1000 MT Desktop Connection This connection uses the following items ivi Client for Microsoft Networks vi f Network Monitor3 Driver ivi i File and Printer Sharing for Microsoft Networks ivi amp Intemet Pretecol V ersion 5 P IPvB Internet Prot 4 TCP IP v4 i gt M i tink
394. ugh No x Back Apply Canes Click Apply 3 Click the More Connections tab and then click the Edit icon next to the entry two DEKO LL ue LLLI Ur D CrecsseqatEn Internet Connection PPPoE 9j ONANAN mE BT Er Eb El QQ YQ E B E Apply Cancel 4 Then configure the screen using the following example settings Select Active Name PVC for Vol P Mode Routing Encapsulation ENET ENCAP P 660HW Tx v3 Series User s Guide Chapter 4 Tutorials PVC LLC 0 33 IV Active Name Mode Encapsulation Multiplexing VPI VCI IP Address Static IP Address IP Address Subnet Mask Gateway IP Address NAT C None SUA Only Edit Detail PvC for voIP Routing ENET ENCAP 7 ie x B btain an IP Address Automatically Apply Cancel Advanced Setup Click Apply 5 Click the Advanced Setup button and then select CBR in the ATM QoS Type field RIP amp Multicast Setup RIP Direction RIP Version Multicast ATM Qos ATM QoS Type Peak Cell Rate Sustain Cell Rate Maximum Burst Size PPPoE Passthrough pon gt Re e None 7 cen 7 0 cell sec o cell sec o cell No x Back Apply Canes Click Apply P 660HW Tx v3 Series User s Guide 75 Chapter 4 Tutorials 4 10 2 Configuring Traffic Classifiers 2 This section shows you how to map different port traffic to the di
395. ur ZyXEL Device s advanced WAN settings Click the Advanced Setup button in the More Connections Edit screen The screen appears as shown Figure 36 Network gt WAN gt More Connections Edit Advanced Setup RIP amp Multicast Setup RIP Direction None RIP Version nia z Multicast None v ATM Qos ATM QoS Type UBR v Peak Cell Rate fo cell sec Sustain Cell Rate o cell sec Maximum Burst Size fo cell MTU MTU 1500 Packet Filter Incoming Filter Sets Protocol Filter None None None None Generic Filter None None None None Outgoing Filter Sets Protocol Filter None None None None 7 Generic Filter None None None None Apply Cancel The following table describes the labels in this screen Table 23 Network gt WAN gt More Connections Edit Advanced Setup LABEL DESCRIPTION RIP amp Multicast Setup This section is not available when you configure the ZyXEL Device to be in bridge mode RIP Direction Select the RIP direction from None Both In Only and Out Only RIP Version Select the RIP version from RI P 1 RIP 2B and RI P 2M Multicast IGMP Internet Group Multicast Protocol is a network layer protocol used to establish membership in a multicast group The ZyXEL Device supports I GMP v1 I GMP v2 and IGMP v3 Select None to disable it ATM QoS P 660HW Tx v3 Series User s Guide EU C
396. usly saved settings 12 2 3 Editing Generic Filters Use this screen to display a generic filter set on your ZyXEL Device The purpose of generic rules is to allow you to filter non IP packets For IP packets it is generally easier to use the IP rules directly For generic rules the ZyXEL Device treats a packet as a byte stream as opposed to an IP or IPX packet You specify the portion of the packet to check with the P 660HW Tx v3 Series User s Guide 223 Chapter 12 Packet Filter Offset from 0 and the Length fields both in bytes The ZyXEL Device applies the Mask bit wise ANDing to the data portion before comparing the result against the Value to determine a match The Mask and Value are specified in hexadecimal numbers Note that it takes two hexadecimal digits to represent a byte so if the length is 4 bytes the value in either field will take 8 digits for example FFFFFFFF In the Packet Filter screen select Generic Filter from the Filter Type field Then click the Edit button from the Modify field to display the following screen Figure 93 Security gt Packet Filter gt Edit Generic Filter i a TU RI Tr 1 Gerenic Filter 0 012345 B ww 2 gu 3 z g w ox g m 5 g ou z g m Back Apply Cancel The following table describes the labels in this screen Table 64 Security gt Packet Filter gt Edit Generic Filter LABEL DESCRIPTION
397. ut firmware bin ras Where i specifies binary image transfer mode use this mode when transferring binary files host is the device s IP address put transfers the file source on the computer firmware bin name of the firmware on the computer to the file destination on the remote host ras name of the firmware on the device Commands that you may see in GUI based TFTP clients are listed earlier in this chapter Using the FTP Commands to Back Up Configuration Launch the FTP client on your computer Enter open followed by a space and the IP address of your ZyXEL Device Press ENTER when prompted for a username Enter your password as requested the default is 1234 Enter bin to set transfer mode to binary Use get to transfer files from the ZyXEL Device to the computer for example get rom 0 config rom transfers the configuration file on the ZyXEL Device to your computer and renames it con ig rom See earlier in this chapter for more information on filename conventions Enter quit to exit the ftp prompt P 660HW Tx v3 Series User s Guide Chapter 22 Tools FTP Command Configuration Backup Example This figure gives an example of using FTP commands from the DOS command prompt to save your device s configuration onto your computer Figure 131 FTP Session Example 331 Enter PASS command Password 230 Logged in ftp bin 200 Type I OK ftp get rom 0 zyxel rom 200 Port comman
398. ver Enter the server name or the IP address of the mail server for the e mail addresses specified below If this field is left blank logs and alert messages will not be sent via E mail Mail Subject Type a title that you want to be in the subject line of the log e mail message that the ZyXEL Device sends Not all ZyXEL Device models have this field Send Log to The ZyXEL Device sends logs to the e mail address specified in this field If this field is left blank the ZyXEL Device does not send logs via e mail Send Alerts to Alerts are real time notifications that are sent as soon as an event such as a DoS attack system error or forbidden web access attempt occurs Enter the E mail address where the alert messages will be sent Alerts include system errors attacks and attempted access to blocked web sites If this field is left blank alert messages will not be sent via E mail Log Schedule This drop down menu is used to configure the frequency of log messages being sent as E mail Daily Weekly Hourly When Log is Full None If you select Weekly or Daily specify a time of day when the E mail should be sent If you select Weekly then also specify which day of the week the E mail should be sent If you select When Log is Full an alert is sent when the log fills up If you select None no log messages are sent Day for Use the drop down list box to select which day of the week to send the
399. verhead EAP TTLS Tunneled Transport Layer Service EAP TTLS is an extension of the EAP TLS authentication that uses certificates for only the server side authentications to establish a secure connection Client authentication is then done by sending username and password through the secure connection thus client identity is protected For client authentication EAP TTLS supports EAP methods and legacy authentication methods such as PAP CHAP MS CHAP and MS CHAP v2 PEAP Protected EAP Like EAP TTLS server side certificate authentication is used to establish a secure connection then use simple username and password methods through the secured connection to authenticate the clients thus hiding client identity However PEAP only supports EAP methods such as EAP MD5 EAP MSCHAPv2 and EAP GTC EAP Generic Token Card for client authentication EAP GTC is implemented only by Cisco LEAP LEAP Lightweight Extensible Authentication Protocol is a Cisco implementation of IEEE 802 1x P 660HW Tx v3 Series User s Guide Appendix D Wireless LANs Dynamic WEP Key Exchange The AP maps a unique key that is generated with the RADIUS server This key expires when the wireless connection times out disconnects or reauthentication times out A new WEP key is generated each time reauthentication is performed If this feature is enabled it is not necessary to configure a default encryption key in the wireless security configuration
400. vice off and on the user is encouraged to try to correct the interference by one or more of the following measures 1 Reorient or relocate the receiving antenna 2 Increase the separation between the equipment and the receiver 3 Connect the equipment into an outlet on a circuit different from that to which the receiver is connected 4 Consult the dealer or an experienced radio TV technician for help fa FCC Radiation Exposure Statement This transmitter must not be co located or operating in conjunction with any other antenna or transmitter EEE 802 11b or 802 11g operation of this product in the U S A is firmware limited to channels 1 through 11 To comply with FCC RF exposure compliance requirements a separation distance of at least 20 cm must be maintained between the antenna of this device and all persons BER BIR PERC PERPE REIS HORIE PK HUAI HARE gt SERGE AT AE RDE HH A TE JLRS E ZI AIME BHOR Ra e Mail A at RE S BTU dE Caf RAR HH THEBURIEE EEVLBIPSHI gt dte A CHIESE CHER l gt A erae gt TRIKE a ede FSR RES BIRARE SAH TR EKCLSR PEt Ree P 660HW Tx v3 Series User s Guide H
401. vilian use For the purposes of wireless networking these bands are divided into numerous channels This allows a variety of networks to exist in the same place without interfering with one another When you create a network you must select a channel to use Since the available unlicensed spectrum varies from one country to another the number of available channels also varies P 660HW Tx v3 Series User s Guide 157 Chapter 8 Wireless LAN 8 8 2 Additional Wireless Terms The following table describes some wireless network terms and acronyms used in the ZyXEL Device s Web Configurator Table 42 Additional Wireless Terms TERM DESCRIPTION RTS CTS Threshold In a wireless network which covers a large area wireless devices are sometimes not aware of each other s presence This may cause them to send information to the AP at the same time and result in information colliding and not getting through By setting this value lower than the default value the wireless devices must sometimes get permission to send information to the ZyXEL Device The lower the value the more often the devices must get permission If this value is greater than the fragmentation threshold value see below then wireless devices never have to get permission to send information to the ZyXEL Device Preamble A preamble affects the timing in your wireless network There are two preamble modes long and short If a device uses a different pream
402. ving Apply Click this to save your changes Cancel Click this to restore your previously saved settings 8 3 The More AP Screen This screen allows you to enable and configure multiple Basic Service Sets BSSs on the ZyXEL Device Click Network gt Wireless LAN gt More AP The following screen displays Figure 53 Network Wireless LAN More AP More AP Setup 1 L1 ZyXELO2 None B Ow 2 F ZyXELO3 None EP qu S3 ZyXELO4 None B P 660HW Tx v3 Series User s Guide Chapter 8 Wireless LAN The following table describes the labels in this screen Table 36 Network Wireless LAN More AP LABEL DESCRIPTION This is the index number of each SSID profile Active Select the check box to activate an SSID profile SSID An SSID profile is the set of parameters relating to one of the ZyXEL Device s BSSs The SSID Service Set Dentifier identifies the Service Set with which a wireless device is associated This field displays the name of the wireless profile on the network When a wireless client scans for an AP to associate with this is the name that is broadcast and seen in the wireless client utility Security This field indicates the security mode of the SSID profile Modify Click the Edit icon to configure the SSID profile Click the Remove icon to delete the SSID profile Apply Click this to save your changes Cancel Click this to restore your previous
403. virtual circuit for example VC1 will carry IP If you select VC specify separate VPI and VCI numbers for each protocol For LLC based multiplexing or PPP encapsulation one VC carries multiple protocols with protocol identifying information being contained in each packet header In this case only one set of VPI and VCI numbers need be specified for all protocols VPI The valid range for the VPI is 0 to 255 Enter the VPI assigned to you VCI The valid range for the VCI is 32 to 65535 0 to 31 is reserved for local management of ATM traffic Enter the VCI assigned to you IP Address This option is available if you select Routing in the Mode field A static IP address is a fixed IP that your ISP gives you A dynamic IP address is not fixed the ISP assigns you a different one each time you connect to the Internet If you use the encapsulation type except RFC 1483 select Obtain an IP Address Automatically when you have a dynamic IP address otherwise select Static I P Address and type your ISP assigned IP address in the IP Address field below If you use RFC 1483 enter the IP address given by your ISP in the IP Address field Subnet Mask This option is available if you select ENET ENCAP in the Encapsulation field Enter a subnet mask in dotted decimal notation P 660HW Tx v3 Series User s Guide Chapter 6 WAN Setup Table 22 Network gt WAN gt More Connections Edit continued
404. vl a ANRA m ur Rem das EOD ate met tide 215 1I Thes TIGSIOO DODBSSI i ER E d S Or cien ERR Sco un FaR un Erebi eontesta bienes e Ee 216 Chapter 12 xe FINE TETTE 219 LUG IE deem en E Metter SUM ener A EE DET PORE MOS IRSE TINO I NONE 219 12 1 1 What You Can Do in the Packet Filter Screen sss 219 12 1 2 What You Need to Know About the Packet Filter sss 219 12 2 The Packet Filler SCre n 1s eese esie einn iun pec ce cnn xa neun Rag A anuo MUSAE X BER A RRRK KK aga ununi mas 220 12 2 1 Eding Protocol FINIGIS e n9 221 12 2 2 Goniguring Protocol Fiter RUES saiseinanaaa a b eO ap s 222 185 3 Eging Genoe FINES nicnn eis 223 12824 Coniguniig Genero Packet RUES ciatis ini aaa 225 12 3 Packet Filter Technical Reference esses enean nnns 226 Teo Pin Tepes CHU lp ET 226 123 2 Firewall Versus FIEIS 1c box e ea er eco a vse arouses andan d Rb GC RR Land 227 Chapter 13 epp pee RE 229 DU EE uU EE mee 229 13 1 1 What You Can Do in the Certificates Screens ssssssssssssseee 229 13 1 2 What You Need to Know About Certificates cesses 229 13 2 mhe tused CAS Sorea ousscuiestm tidem ache lode laden dede ne qe M ullis CAT 230 premo ped det T SE 232 13 2 2 MEDICUS DEL REI ND Um TT 233 13 3 Certificates Technical Referent 2 rsecceaeatrsete tope kp ker REX SR RUD eh M S SEDE ERR nr ai 235 19 3 1 Gerlificates LO ViBI iu
405. wan E mail techwriters zyxel com tw P 660HW Tx v3 Series User s Guide 3 About This User s Guide Customer Support In the event of problems that cannot be solved by using this manual you should contact your vendor If you cannot contact your vendor then contact a ZyXEL office for the region in which you bought the device See http www zyxel com web contact us php for contact information Please have the following information ready when you contact an office Product model and serial number Warranty Information Date that you received your device Brief description of the problem and the steps you took to solve it Disclaimer Graphics in this book may differ slightly from the product due to differences in operating systems operating system versions or if you installed updated firmware software for your device Every effort has been made to ensure that the information in this manual is accurate 4 P 660HW Tx v3 Series User s Guide Document Conventions Document Conventions Warnings and Notes These are how warnings and notes are shown in this User s Guide Warnings tell you about things that could harm you or your device Note Notes tell you other important information for example other things you may need to configure or helpful tips or recommendations Syntax Conventions The P 660HW Tx v3 may be referred to as the ZyXEL Device the device the system or the product i
406. when prompted for a username Enter your password as requested the default is 1234 Enter bin to set transfer mode to binary Use put to transfer files from the computer to the device for example put firmware bin ras transfers the firmware on your computer firmware bin to the device and renames it ras Similarly put config rom rom O transfers the configuration file on your computer config rom to the device and renames it rom 0 Likewise get rom 0 config rom transfers the configuration file on the device to your computer and renames it config rom See earlier in this chapter for more information on filename conventions Enter quit to exit the ftp prompt P 660HW Tx v3 Series User s Guide Chapter 22 Tools FTP Session Example of Firmware File Upload Figure 130 FTP Session Example of Firmware File Upload 331 Enter PASS command Password 230 Logged in ftp bin 200 Type I OK ftp put firmware bin ras 200 Port command okay 150 Opening data connection for STOR ras 226 File received OK ftp 1103936 bytes sent in 1 10Seconds 297 89Kbytes sec ftp quit More commands found in GUI based FTP clients are listed in this chapter Refer to Section 22 1 2 on page 316 to read about configurations that disallow TFTP and FTP over WAN TFTP File Upload The device also supports the uploading of firmware files using TFTP Trivial File Transfer Protocol over LAN Although TFT
407. works Introduction to IP Addresses One part of the IP address is the network number and the other part is the host ID In the same way that houses on a street share a common street name the hosts on a network share a common network number Similarly as each house has its own house number each host on the network has its own unique identifying number the host ID Routers use the network number to send packets to the correct network while the host ID determines to which host on the network the packets are delivered Structure An IP address is made up of four parts written in dotted decimal notation for example 192 168 1 1 Each of these four parts is known as an octet An octet is an eight digit binary number for example 11000000 which is 192 in decimal notation Therefore each octet has a possible range of 00000000 to 11111111 in binary or O to 255 in decimal P 660HW Tx v3 Series User s Guide Appendix C IP Addresses and Subnetting The following figure shows an example IP address in which the first three octets 192 168 1 are the network number and the fourth octet 16 is the host ID Figure 187 Network Number and Host ID 192 168 1 16 8 i i i P a a I 1 P a P 1 i 1 P 1 a 1 s T e How much of the IP address is the network number and how much is the host ID varies according to the subnet mask Subnet Masks A subnet mask is used to determine which bits are part of
408. ximum incomplete low TCP Maximum Incomplete An unusually high number of half open sessions with the same destination host address could indicate that a DoS attack is being launched against the host Specify the number of existing half open TCP sessions with the same destination host IP address that causes the firewall to start dropping half open sessions to that same destination host IP address Enter a number between 1 and 256 As a general rule you should choose a smaller number for a smaller network a slower system or limited bandwidth The ZyXEL Device sends alerts whenever the TCP Maximum I ncomplete is exceeded Action taken Select the action that ZyXEL Device should take when the TCP when TCP maximum incomplete threshold is reached You can have the ZyXEL Maximum Device either Incomplete reached Delete the oldest half open session when a new connection request threshold comes or Deny new connection requests for the number of minutes that you specify between 1 and 255 Apply Click this to save your changes Cancel Click this to restore your previously saved settings P 660HW Tx v3 Series User s Guide Chapter 10 Firewalls 10 5 Firewall Technical Reference This section provides some technical background information about the topics covered in this chapter 10 5 1 Firewall Rules Overview Your customized rules take precedence and override the ZyXEL Device s default settings The
409. y 2 Click the Custom Level button 3 Scroll down to Scripting 4 Under Active scripting make sure that Enable is selected the default 5 Under Scripting of Java applets make sure that Enable is selected the default P 660HW Tx v3 Series User s Guide 379 Appendix B Pop up Windows JavaScript and Java Permissions 6 Click OK to close the window Security Settings Settings 5 Scripting B Active scripting Grom 3 Allow paste operations via script Q Disable 9 Enable Q Prompt E Scripting of Java applets Q Disable 9 Enable Prompt Llenar Aube nkie Sion Figure 182 Security Settings Java Scripting m Reset custom settings Reset to Medium Reset ced Java Permissions 1 From Internet Explorer click Tools Internet Options and then the Security tab 2 Click the Custom Level button 3 Scroll down to Microsoft VM 4 UnderJava permissions make sure that a safety level is selected P 660HW Tx v3 Series User s Guide Appendix B Pop up Windows JavaScript and Java Permissions 5 Click OK to close the window Figure 183 Security Settings Java Security Settings Settings Q Disable 9 Enable 3 Font download Disable 9 Enable p Prompt 3 Microsoft VM 3 Java permissions custom Qora Jav 9 High safety Q Low safety m Reset custom settings j Reset to Medium Reset TN JAVA Sun 1
410. y them Figure 22 Connection Test Failed 1 STEP 1 5 STEP 2 ffi Internet Configuration Your lo gin username an d passwor d are wron g Back to Username and Password setup Continue to Wireless Setup wizard Yes No Back Next Ea f the following screen displays check if your account is activated or click Restart the I nternet Wireless Setup Wizard to verify your Internet access settings Figure 23 Connection Test Failed 2 STEP 1 STEP 2 fil Internet Configuration Cannot at ternet plea your t tha ttings you entered int zard are correct till he ns ontact er support Restart the Internet Wireless Setup Wizard Continue to Wireless Setup wizard Q Yes Back Next gt Exit P 660HW Tx v3 Series User s Guide EE Chapter 5 Internet and Wireless Setup Wizard 5 3 Wireless Connection Wizard Setup After you configure the Internet access information use the following screens to set up your wireless LAN 1 Select Yes and click Next to configure wireless settings Otherwise select No and skip to Step 6 Figure 24 Connection Test Successful STEP 1 STEP2 fa Internet Configuration should be able to access the Internet now R Continue to Wireless Setup wizard Yes No lt Back Next gt Exit 2 Use this screen to activate the wireless LAN Click Next to continue Figure 25 Wireless LAN Setup Wizard 1 STEP T STEP2 Wireless
411. yXEL Device 9 1 2 What You Need To Know About NAT Inside Outside Inside outside denotes where a host is located relative to the ZyXEL Device for example the computers of your subscribers are the inside hosts while the web servers on the Internet are the outside hosts Global Local Global local denotes the IP address of a host in a packet as the packet traverses a router for example the local address refers to the IP address of a host when the packet is in the local network while the global address refers to the IP address of the host when the same packet is traveling in the WAN side P 660HW Tx v3 Series User s Guide 1 71 Chapter 9 Network Address Translation NAT 172 NAT In the simplest form NAT changes the source IP address in a packet received from a subscriber the inside local address to another the inside global address before forwarding the packet to the WAN side When the response comes back NAT translates the destination address the inside global address back to the inside local address before forwarding it to the original inside host Port Forwarding A port forwarding set is a list of inside behind NAT on the LAN servers for example web or FTP that you can make visible to the outside world even though NAT makes your whole inside network appear as a single computer to the outside world SUA Single User Account Versus NAT SUA Single User Account is a ZyNOS implementation of a subset of
412. yXEL Device supports the following methods 6 4 1 1 ENET ENCAP The MAC Encapsulated Routing Link Protocol ENET ENCAP is only implemented with the IP network protocol IP packets are routed between the Ethernet interface and the WAN interface and then formatted so that they can be understood in a bridged environment For instance it encapsulates routed Ethernet frames into bridged ATM cells ENET ENCAP requires that you specify a gateway IP address in the Gateway IP Address field in the wizard or WAN screen You can get this information from your ISP 6 4 1 2 PPP over Ethernet The ZyXEL Device supports PPPoE Point to Point Protocol over Ethernet PPPoE is an IETF Draft standard RFC 2516 specifying how a personal computer PC interacts with a broadband modem DSL cable wireless etc connection The PPPoE option is for a dial up connection using PPPoE For the service provider PPPoE offers an access and authentication method that works with existing access control systems for example RADIUS One of the benefits of PPPoE is the ability to let you access one of multiple network services a function known as dynamic service selection This enables the service provider to easily create and offer new IP services for individuals Operationally PPPoE saves significant effort for both you and the ISP or carrier as it requires no specific configuration of the broadband modem at the customer site By implementing PPPoE directly on the
413. you should use WPA2 PSK WPA2 Pre Shared Key that only requires a single identical password entered into each access point wireless gateway and wireless client As long as the passwords match a wireless client will be granted access to a WLAN P 660HW Tx v3 Series User s Guide Appendix D Wireless LANs If the AP or the wireless clients do not support WPA2 just use WPA or WPA PSK depending on whether you have an external RADIUS server or not Select WEP only when the AP and or wireless clients do not support WPA or WPA2 WEP is less secure than WPA or WPA2 Encryption WPA improves data encryption by using Temporal Key Integrity Protocol TKIP Message Integrity Check MIC and IEEE 802 1x WPA2 also uses TKIP when required for compatibility reasons but offers stronger encryption than TKIP with Advanced Encryption Standard AES in the Counter mode with Cipher block chaining Message authentication code Protocol CCMP TKIP uses 128 bit keys that are dynamically generated and distributed by the authentication server AES Advanced Encryption Standard is a block cipher that uses a 256 bit mathematical algorithm called Rijndael They both include a per packet key mixing function a Message Integrity Check MIC named Michael an extended initialization vector IV with sequencing rules and a re keying mechanism WPA and WPA2 regularly change and rotate the encryption keys so that the same encryption key is never used twice
414. you will need to configure the same account and host name on the ZyXEL Device later 4 6 2 Configuring DDNS on Your ZyXEL Device 1 Loginto the ZyXEL Device s advanced mode 2 Configure the following settings in the Advanced gt Dynamic DNS screen 2a Select Active Dynamic DNS 2b Select Dynamic DNS for the DDNS type 2c Type zyxelrouter dyndns org in the Host Name field 2d Enter the user name UserNamel1 and password 12345 P 660HW Tx v3 Series User s Guide Chapter 4 Tutorials 2e Select Use WAN IP Address for the IP address update policy Dynamic DNS Dynamic DNS Setup M Active Dynamic DNS Service Provider iva DynDNS ORG Dynamic DNS Type Dynamic DNS Host Name zyxelrouter dyndns org User Name Username Password Enable Wildcard Option Enable off line option Only applies to custom DNS IP Address Update Policy Use WAN IP Address C Dynamic DNS server auto detect IP Address C Use specified IP Address 0 0 0 0 Cancel 2f Click Apply 4 6 3 Adding a Firewall Rule for Remote Management 1 2 3 By default your ZyXEL Device firewall is enabled to secure your network from attacks In this tutorial you add a firewall rule that lets you manage the ZyXEL Device from the Internet Click Security gt Firewall and select Rules Select WAN to WAN Router and select the number of the last rule that has been configured on this screen Click Add
415. your computer s IP address If the upload was not successful the following screen will appear Click Return to go back to the Configuration screen Figure 139 Configuration Upload Error System Restore Restore configuration error The configuration file was not accepted by the device Please return to the previous page and select a valid configuration file Click Help for more information Return P 660HW Tx v3 Series User s Guide 327 Chapter 22 Tools Reset to Factory Defaults Click the Reset button to clear all user entered configuration information and return the ZyXEL Device to its factory defaults The following warning screen appears Figure 140 Reset Warning Message x Are you sure you want to reset the device back to the Factory defaults This will erase all of your custom configuration Figure 141 Reset In Process Message Reset to Factory Default Settings Please Wait The router will now reboot As there will be no indication of when the process is complete please wait for one minute before attempting to access the device again You can also press the RESET button on the rear panel to reset the factory defaults of your ZyXEL Device Refer to Section 1 6 on page 27 for more information on the RESET button 22 4 The Restart Screen System restart allows you to reboot the ZyXEL Device remotely without turning the power off You may need to do this if the ZyXEL Device h
Download Pdf Manuals
Related Search