        ZyXEL P-661H Series User's Manual
         Contents
AUTHENTICATION METHOD / KEY MANAGEMENT PROTOCOL | ENCRYPTION METHOD | ENTER MANUAL KEY | IEEE 802.1X
Open | None | No | Disable
Open | None | No | Enable without Dynamic WEP Key
Open | WEP | No | Enable with Dynamic WEP Key
Open | WEP | Yes | Enable without Dynamic WEP Key
Open | WEP | Yes | Disable
Shared | WEP | No | Enable with Dynamic WEP Key
Shared | WEP | Yes | Enable without Dynamic WEP Key
Shared | WEP | Yes | Disable
WPA | TKIP/AES | No | Enable
WPA-PSK | TKIP/AES | Yes | Disable
WPA2 | TKIP/AES | No | Enable
WPA2-PSK | TKIP/AES | Yes | Disable

P-661H/HW Series User's Guide

Appendix D Wireless LANs

Antenna Overview

An antenna couples RF signals onto air. A transmitter within a wireless device sends an RF signal to the antenna, which propagates the signal through the air. The antenna also operates in reverse by capturing RF signals from the air.

Positioning the antennas properly increases the range and coverage area of a wireless LAN.

Antenna Characteristics

Frequency

An antenna in the frequency of 2.4GHz (IEEE 802.11b and IEEE 802.11g) or 5GHz (IEEE 802.11a) is needed to communicate efficiently in a wireless LAN.

Radiation Pattern

A radiation pattern is a diagram that allows you to visualize the shape of the antenna's coverage area.

Antenna Gain

Antenna gain, measured in dB (decibel), is the increase in coverage within the RF beam width. Higher antenna gain improves the range of the signal for better communications.

For an indoor site, each 1 dB increase in antenna gain results i
Universal Plug and Play: 0.4 MB
Virtual Private Networking: 0.0 MB
Space used by installed components: 42.4 MB
Space required: 0.0 MB
Space available on disk: 856.3 MB
Description: Universal Plug and Play enables seamless connectivity and communication between Windows and intelligent appliances.

4 Click OK to go back to the Add/Remove Programs Properties window and click Next.
5 Restart the computer when prompted.

Installing UPnP in Windows XP

Follow the steps below to install the UPnP in Windows XP.

1 Click Start and Control Panel.
2 Double-click Network Connections.
3 In the Network Connections window, click Advanced in the main menu and select Optional Networking Components.

[Figure 136 Network Connections: the Network Connections window with the Advanced menu open, listing Operator-Assisted Dialing, Dial-up Preferences, Network Identification, Bridge Connections, Advanced Settings and Optional Networking Components.]

4 The Windows Optional Networking Components Wizard window displays. Select Networking Service in the Components selection box and click Details.

Chapter 17 Universal Plug and Play (UPnP)

[Figure 137 Windows Optional Networking Components Wizard: Windows Components]
LAN Information
  IP Address: 192.168.1.1
  IP Subnet Mask: 255.255.255.0
  DHCP: N/A

Interface Status
  Interface | Status | Rate
  DSL | Down | 0 kbps / 0 kbps
  LAN | Active | 100M Full Duplex
  WLAN | Active | 54M

WLAN Information
  SSID: ZyXEL
  Channel: 6
  WEP: Disable

Security Summary
  Firewall: Enabled
  Content Filter: Disable

Summary links: Any IP Table | WLAN Status | Bandwidth Status | VPN Status | Packet Statistics

The following table describes the labels shown in the Status screen.

Table 4 Status Screen
LABEL: DESCRIPTION
Refresh Interval: Select a number of seconds or None from the drop-down list box to refresh all screen statistics automatically at the end of every time interval, or to not refresh the screen statistics.
Apply: Click this button to refresh the status screen statistics.
Device Information
Host Name: This is the System Name you enter in the Maintenance > System > General screen. It is for identification purposes.
Model Number: This is the model name of your device.
MAC Address: This is the MAC (Media Access Control) or Ethernet address unique to your ZyXEL Device.
ZyNOS Firmware Version: This is the ZyNOS Firmware version and the date created. ZyNOS is ZyXEL's proprietary Network Operating System design.
WAN Information
DSL Mode: This is the standard that your ZyXEL Device is using.
IP Address: This is the WAN port IP address.
IP Subnet Mask: This is the WAN po
The following table describes the labels in this screen.

Table 5 Status: Any IP Table
LABEL: DESCRIPTION
#: This is the index number of the host computer.
IP Address: This field displays the IP address of the network device.

Chapter 2 Introducing the Web Configurator

Table 5 Status: Any IP Table (continued)
LABEL: DESCRIPTION
MAC Address: This field displays the MAC (Media Access Control) address of the computer with the displayed IP address. Every Ethernet device has a unique MAC address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example 00:A0:C5:00:00:02.
Refresh: Click Refresh to update this screen.

2.4.4 Status: WLAN Status (Wireless devices only)

Click WLAN Status in the Status screen to open this screen. Use this screen to view the wireless stations that are currently associated to the ZyXEL Device.

[Figure 12 Status: WLAN Status. The Wireless LAN Association List shows one entry, 00:ac:c5:01:23:45, and a Refresh button.]

The following table describes the labels in this screen.

Table 6 Status: WLAN Status
LABEL: DESCRIPTION
#: This is the index number of an associated wireless station.
MAC Address: This field displays the MAC (Media Access Control) address of an associated wireless station.
Association Time: This field displa
Multiplexing: Select the method of multiplexing used by your ISP from the drop-down list. Choices are VC or LLC. By prior agreement, a protocol is assigned a specific virtual circuit; for example, VC1 will carry IP. If you select VC, specify separate VPI and VCI numbers for each protocol. For LLC-based multiplexing or PPP encapsulation, one VC carries multiple protocols, with protocol-identifying information contained in each packet header. In this case, only one set of VPI and VCI numbers need be specified for all protocols.
VPI: The valid range for the VPI is 0 to 255. Enter the VPI assigned to you.
VCI: The valid range for the VCI is 32 to 65535 (0 to 31 is reserved for local management of ATM traffic). Enter the VCI assigned to you.
IP Address: This option is available if you select Routing in the Mode field. A static IP address is a fixed IP that your ISP gives you. A dynamic IP address is not fixed; the ISP assigns you a different one each time you connect to the Internet. If you use any encapsulation type except RFC 1483, select Obtain an IP Address Automatically when you have a dynamic IP address; otherwise select Static IP Address and type your ISP-assigned IP address in the IP Address field below. If you use RFC 1483, enter the IP address given by your ISP in the IP Address field.
Subnet Mask: Enter a subnet mask in dotted decimal notation. Refer to the appendices to calculate a subnet mask If you are implementing
Server IP Address: Enter the IP address of the server for the specified service.
Add: Click this button to add a rule to the table below.
#: This is the rule index number (read-only).
Active: Click this check box to enable the rule.
Service Name: This is a service's name.
Start Port: This is the first port number that identifies a service.
End Port: This is the last port number that identifies a service.
Server IP Address: This is the server's IP address.
Modify: Click the edit icon to go to the screen where you can edit the port forwarding rule. Click the delete icon to delete an existing port forwarding rule. Note that subsequent rules move up by one when you take this action.
Apply: Click Apply to save your changes back to the ZyXEL Device.
Cancel: Click Cancel to return to the previous configuration.

Chapter 7 Network Address Translation (NAT) Screens

7.5.1 Port Forwarding Rule Edit

To edit a port forwarding rule, click the rule's edit icon in the Port Forwarding screen to display the screen shown next.

[Figure 75 Port Forwarding Rule Setup: Rule Setup with an Active check box, Service Name (WWW), Start Port, End Port and Server IP Address fields, and Back, Apply and Cancel buttons.]

The following table describes the fields in this screen.

Table 53 Port Forwarding Rule Setup
LABEL: DESCRIPTION
Active: Click this check box to enable the rule.
5 The Internet Protocol (TCP/IP) Properties window opens (the General tab in Windows XP).
  - If you have a dynamic IP address, click Obtain an IP address automatically.
  - If you have a static IP address, click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields.
  - Click Advanced.

Appendix A Setting up Your Computer's IP Address

[Figure 172 Windows XP: Internet Protocol (TCP/IP) Properties. General and Alternate Configuration tabs. Text: "You can get IP settings assigned automatically if your network supports this capability. Otherwise, you need to ask your network administrator for the appropriate IP settings." Options: Obtain an IP address automatically / Use the following IP address; Obtain DNS server address automatically / Use the following DNS server addresses.]

6 If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK.

Do one or more of the following if you want to configure additional IP addresses:
  - In the IP Settings tab, in IP addresses, click Add.
  - In TCP/IP Address, type an IP address in IP address and a subnet mask in Subnet mask, and then click Add.
  - Repeat the above two steps for each IP address you want to add.
  - Configure additional default gateways in the IP Settings tab by clicking Add in Default gateways.
Service Name: Enter a name to identify this port forwarding rule.
Start Port: Enter a port number in this field. To forward only one port, enter the port number again in the End Port field. To forward a series of ports, enter the start port number here and the end port number in the End Port field.
End Port: Enter a port number in this field. To forward only one port, enter the port number again in the Start Port field above and then enter it again in this field. To forward a series of ports, enter the last port number in a series that begins with the port number in the Start Port field above.
Server IP Address: Enter the inside IP address of the server here.
Back: Click Back to return to the previous screen.
Apply: Click Apply to save your changes back to the ZyXEL Device.
Cancel: Click Cancel to begin configuring this screen afresh.

7.6 Address Mapping

Note: The Address Mapping screen is available only when you select Full Feature in the NAT > General screen.

Chapter 7 Network Address Translation (NAT) Screens

Ordering your rules is important because the ZyXEL Device applies the rules in the order that you specify. When a rule matches the current packet, the ZyXEL Device takes the corresponding action and the remaining rules are ignored. If there are any empty rules before your new configured rule, your configured rule will be pushed up by tha
The previous figure shows the ZyXEL Device's default firewall rules in action and demonstrates how stateful inspection works. User A can initiate a Telnet session from within the LAN, and responses to this request are allowed. However, other Telnet traffic initiated from the WAN is blocked.

8.5.1 Stateful Inspection Process

In this example, the following sequence of events occurs when a TCP packet leaves the LAN network through the firewall's WAN interface. The TCP packet is the first in a session, and the packet's application layer protocol is configured for a firewall rule inspection.

1 The packet travels from the firewall's LAN to the WAN.
2 The packet is evaluated against the interface's existing outbound access list, and the packet is permitted (a denied packet would simply be dropped at this point).
3 The packet is inspected by a firewall rule to determine and record information about the state of the packet's connection. This information is recorded in a new state table entry created for the new connection. If there is not a firewall rule for this packet and it is not an attack, then the settings in the Firewall General screen determine the action for this packet.
4 Based on the obtained state information, a firewall rule creates a temporary access list entry that is inserted at the beginning of the WAN interface's inbound extended access list. This temporary access list entry is d
This allows you to decide whether a service (HTTP or FTP traffic, for example) from a computer on a network (LAN or WAN, for example) can access the ZyXEL Device.

Chapter 23 Product Specifications

The following list, which is not exhaustive, illustrates the standards supported in the ZyXEL Device.

Table 118 Standards Supported
STANDARD: DESCRIPTION
RFC 867: Daytime Protocol
RFC 868: Time Protocol
RFC 1058: RIP-1 (Routing Information Protocol)
RFC 1112: IGMP v1
RFC 1157: SNMPv1 (Simple Network Management Protocol version 1)
RFC 1305: Network Time Protocol (NTP version 3)
RFC 1441: SNMPv2 Simple Network Management Protocol version 2
RFC 1483: Multiprotocol Encapsulation over ATM Adaptation Layer 5
RFC 1631: IP Network Address Translator (NAT)
RFC 1661: The Point-to-Point Protocol (PPP)
RFC 1723: RIP-2 (Routing Information Protocol)
RFC 1901: SNMPv2c Simple Network Management Protocol version 2c
RFC 2236: Internet Group Management Protocol, Version 2
RFC 2364: PPP over AAL5 (PPP over ATM over ADSL)
RFC 2408: Internet Security Association and Key Management Protocol (ISAKMP)
RFC 2516: A Method for Transmitting PPP Over Ethernet (PPPoE)
RFC 2684: Multiprotocol Encapsulation over ATM Adaptation Layer 5
RFC 2766: Network Address Translation - Protocol
IEEE 802.11: Also known by the brand Wi-Fi, denotes a set of Wireless LAN/WLAN
14.5 Scheduler

The scheduler divides up an interface's bandwidth among the bandwidth classes. The ZyXEL Device has two types of scheduler: fairness-based and priority-based.

14.5.1 Priority-based Scheduler

With the priority-based scheduler, the ZyXEL Device forwards traffic from bandwidth classes according to the priorities that you assign to the bandwidth classes. The larger a bandwidth class's priority number is, the higher the priority. Assign real-time applications (like those using audio or video) a higher priority number to provide smoother operation.

Chapter 14 Bandwidth Management

14.5.2 Fairness-based Scheduler

The ZyXEL Device divides bandwidth equally among bandwidth classes when using the fairness-based scheduler, thus preventing one bandwidth class from using all of the interface's bandwidth.

14.6 Maximize Bandwidth Usage

The maximize bandwidth usage option (see Figure 120 on page 216) allows the ZyXEL Device to divide up any available bandwidth on the interface (including unallocated bandwidth and any allocated bandwidth that a class is not using) among the bandwidth classes that require more bandwidth.

When you enable maximize bandwidth usage, the ZyXEL Device first makes sure that each bandwidth class gets up to its bandwidth allotment. Next, the ZyXEL Device divides up an interface's available bandwidth (bandwidth that is unbudgeted or unused by the classes) depending o
Notices

Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment.

This device has been designed for the WLAN 2.4 GHz network throughout the EC region and Switzerland, with restrictions in France.

This Class B digital apparatus complies with Canadian ICES-003.

This Class B digital apparatus complies with Canadian standard NMB-003.

Viewing Certifications

1 Go to http://www.zyxel.com.
2 Select your product on the ZyXEL home page to go to that product's page.

Appendix F Legal Information

3 Select the certification you wish to view from this page.

ZyXEL Limited Warranty

ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to proper operating condition. Any replacement will consist of a new or re-manufactured functionall
Active: This field displays whether a firewall rule is turned on or not. Select the check box to enable the rule. Clear the check box to disable the rule.
Source IP: This drop-down list box displays the source addresses or ranges of addresses to which this firewall rule applies. Please note that a blank source or destination address is equivalent to Any.
Destination IP: This drop-down list box displays the destination addresses or ranges of addresses to which this firewall rule applies. Please note that a blank source or destination address is equivalent to Any.
Service: This drop-down list box displays the services to which this firewall rule applies.
Action: This field displays whether the firewall silently discards packets (Drop), discards packets and sends a TCP reset packet or an ICMP destination-unreachable message to the sender (Reject), or allows the passage of packets (Permit).
Schedule: This field tells you whether a schedule is specified (Yes) or not (No).

Chapter 9 Firewall Configuration

Table 61 Firewall Rules (continued)
LABEL: DESCRIPTION
Log: This field shows you whether a log is created when packets match this rule (Yes) or not (No).
Modify: Click the Edit icon to go to the screen where you can edit the rule. Click the Remove icon to delete an existing firewall rule. A window displays asking you to confirm that you want to delete th
Click Advanced Setup to display the Wireless Advanced Setup screen and edit more details of your WLAN setup.

6.4.2 WEP Encryption

WEP encryption scrambles the data transmitted between the wireless clients and the access points to keep network communications private. It encrypts unicast and multicast communications in a network. Both the wireless clients and the access points must use the same WEP key.

Your ZyXEL Device allows you to configure up to four 64-bit, 128-bit or 256-bit WEP keys, but only one key can be enabled at any one time.

In order to configure and enable WEP encryption, click Network > Wireless LAN to display the General screen. Select Static WEP from the Security Mode list.

Chapter 6 Wireless LAN

[Figure 56 Wireless: Static WEP Encryption. Wireless Setup: Active Wireless LAN (checked); Network Name (SSID): ZyXEL; Hide SSID; Channel Selection: Channel 06 2437MHz. Security: Security Mode: Static WEP; WEP Key. Note shown in the screen: "The different WEP key lengths configure different strength security: 40/64-bit, 128-bit, or 256-bit respectively. Your wireless client must match the security strength set on the router. Please type exactly 5, 13, or 29 characters; or please type exactly 10, 26, or 58 characters using only the numbers 0-9 and the letters a-f or A-F." Buttons: Apply, Cancel, Advanced Setup.]

The following table describes the wireless LAN security labels
NNTP (TCP 119): Network News Transport Protocol is the delivery mechanism for the USENET newsgroup service.

Chapter 6 Wireless LAN

Table 45 Commonly Used Services
SERVICE: DESCRIPTION
PING (ICMP 0): Packet INternet Groper is a protocol that sends out ICMP echo requests to test whether or not a remote host is reachable.
POP3 (TCP 110): Post Office Protocol version 3 lets a client computer get e-mail from a POP3 server through a temporary connection (TCP/IP or other).
PPTP (TCP 1723): Point-to-Point Tunneling Protocol enables secure transfer of data over public networks. This is the control channel.
PPTP_TUNNEL (GRE 0): Point-to-Point Tunneling Protocol enables secure transfer of data over public networks. This is the data channel.
RCMD (TCP 512): Remote Command Service.
REAL_AUDIO (TCP 7070): A streaming audio service that enables real-time sound over the web.
REXEC (TCP 514): Remote Execution Daemon.
RLOGIN (TCP 513): Remote Login.
RTELNET (TCP 107): Remote Telnet.
RTSP (TCP/UDP 554): The Real Time Streaming (media control) Protocol (RTSP) is a remote control for multimedia on the Internet.
SFTP (TCP 115): Simple File Transfer Protocol.
SMTP (TCP 25): Simple Mail Transfer Protocol is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another.
SNMP (TCP/U
BANDWIDTH MANAGEMENT SETUP: Use these screens to limit bandwidth usage by application or packet size.
Logout: Click this icon to exit the web configurator.

LINK | TAB | FUNCTION
Status: Use this screen to look at the ZyXEL Device's general device, system and interface status information. You can also access the summary statistics tables.
Network
WAN | Internet Connection: Use this screen to configure ISP parameters, WAN IP address assignment, and more advanced properties.
WAN | More Connections: Use this screen to configure and place calls to a remote gateway.
WAN | WAN Backup Setup: Use this screen to configure your traffic redirect properties and WAN backup settings.
LAN | IP: Use this screen to configure LAN TCP/IP settings, enable Any IP and other advanced properties.
LAN | DHCP Setup: Use this screen to configure LAN DHCP settings.
LAN | Client List: Use this screen to view current DHCP client information and to always assign an IP address to a MAC address (and host name).
LAN | IP Alias: Use this screen to partition your LAN interface into subnets.
Wireless LAN (wireless devices only) | General: Use this screen to configure the wireless LAN settings and WLAN authentication/security settings.
Wireless LAN (wireless devices only) | OTIST: This screen allows you to assign wireless clients the ZyXEL Device's wireless security settings.
Wireless LAN (wireless devices only) | MAC Filter: Use this screen to configure the ZyXEL Device to block access to devices or block the devices from access
Phone Side

Introducing the Web Configurator

This chapter describes how to access and navigate the web configurator.

2.1 Web Configurator Overview

The web configurator is an HTML-based management interface that allows easy ZyXEL Device setup and management via Internet browser. Use Internet Explorer 6.0 and later or Netscape Navigator 7.0 and later versions. The recommended screen resolution is 1024 by 768 pixels.

In order to use the web configurator you need to allow:
  - Web browser pop-up windows from your device. Web pop-up blocking is enabled by default in Windows XP SP (Service Pack) 2.
  - JavaScripts (enabled by default).
  - Java permissions (enabled by default).

See the chapter on troubleshooting if you need to make sure these functions are allowed in Internet Explorer.

2.2 Accessing the Web Configurator

Note: Even though you can connect to the device wirelessly (wireless devices only), it is recommended that you connect your computer to a LAN port for initial configuration.

1 Make sure your ZyXEL Device hardware is properly connected (refer to the Quick Start Guide).
2 Prepare your computer/computer network to connect to the ZyXEL Device (refer to the Quick Start Guide).
3 Launch your web browser.

Chapter 2 Introducing the Web Configurator

4 Type "192.168.1.1" as the URL.
5 A window displays as shown. Enter the default admin
The appendices provide general information. Some details may not apply to your ZyXEL Device.

Setting up Your Computer's IP Address (283)
Pop-up Windows, JavaScripts and Java Permissions (305)
IP Addresses and Subnetting (313)
Wireless LANs (323)
Common Services (337)
Legal Information (341)
Customer Support (345)
Index (351)

Setting up Your Computer's IP Address

All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed.

Windows 95/98/Me/NT/2000/XP/Vista, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer. Windows 3.1 requires the purchase of a third-party TCP/IP application package.

TCP/IP should already be installed on computers using Windows NT/2000/XP, Macintosh OS 7 and later operating systems.

After the appropriate TCP/IP components are installed, configure the TCP/IP settings in order to "communicate" with your network.

If you manually assign IP information instead of using dynamic assignment, make sure that your computers have IP addresses that place them in the same subnet as the ZyXEL Device's LAN port.

Windows 95/98/Me

Click Start, Settings, Control Panel and double-click the Network icon to open the Network window.

Appendix A Setting up Your Computer's IP Address

[Figure 165 Windows 95/98/Me: Network: Configuration]
Wireless LANs

Wireless LAN Topologies

This section discusses ad-hoc and infrastructure wireless LAN topologies.

Ad-hoc Wireless LAN Configuration

The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless adapters (A, B, C). Any time two or more wireless adapters are within range of each other, they can set up an independent network, which is commonly referred to as an ad-hoc network or Independent Basic Service Set (IBSS). The following diagram shows an example of notebook computers using wireless adapters to form an ad-hoc wireless LAN.

[Figure 213 Peer-to-Peer Communication in an Ad-hoc Network]

BSS

A Basic Service Set (BSS) exists when all communications between wireless clients or between a wireless client and a wired network client go through one access point (AP).

Intra-BSS traffic is traffic between wireless clients in the BSS. When Intra-BSS is enabled, wireless clients A and B can access the wired network and communicate with each other. When Intra-BSS is disabled, wireless clients A and B can still access the wired network but cannot communicate with each other.

Appendix D Wireless LANs

[Figure 214 Basic Service Set]

ESS

An Extended Service Se
23. 5 REDIRECT; 13 TIMESTAMP REQUEST; 14 TIMESTAMP REPLY; 17 ADDRESS MASK REQUEST; 18 ADDRESS MASK REPLY

8.4.2.2 Illegal Commands (NetBIOS and SMTP)

The only legal NetBIOS commands are the following; all others are illegal.

Table 58 Legal NetBIOS Commands: MESSAGE, REQUEST, POSITIVE, NEGATIVE, RETARGET, KEEPALIVE

All SMTP commands are illegal except for those displayed in the following tables.

Table 59 Legal SMTP Commands: AUTH, DATA, EHLO, ETRN, EXPN, HELO, HELP, MAIL, NOOP, QUIT, RCPT, RSET, SAML, SEND, SOML, TURN, VRFY

8.4.2.3 Traceroute

Traceroute is a utility used to determine the path a packet takes between two endpoints. Sometimes when a packet filter firewall is configured incorrectly an attacker can traceroute the firewall, gaining knowledge of the network topology inside the firewall.

Often, many DoS attacks also employ a technique known as "IP Spoofing" as part of their attack. IP Spoofing may be used to break into systems, to hide the hacker's identity, or to magnify the effect of the DoS attack. IP Spoofing is a technique used to gain unauthorized access to computers by tricking a router or firewall into thinking that the communications are coming from within the trusted network. To engage in IP spoofing, a hacker must modify the packet headers so that it appears that the packets originate from a trusted host and should be allowed through the router or firewal
24. 7.5 Configuring Port Forwarding

Note: The Port Forwarding screen is available only when you select SUA Only in the NAT > General screen.

Note: If you do not assign a Default Server IP address, the ZyXEL Device discards all packets received for ports that are not specified here or in the remote management setup.

Click Network > NAT > Port Forwarding to open the following screen.

See Table 51 on page 128 for port numbers commonly used for particular services.

Figure 74 Port Forwarding

The following table describes the fields in this screen.

Table 52 Port Forwarding

LABEL: DESCRIPTION
Default Server Setup
Default Server: In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in this screen. If you do not assign a Default Server IP address, the ZyXEL Device discards all packets received for ports that are not specified here or in the remote management setup.
Port Forwarding
Service Name: Select a service from the drop-down list box.
25. Enable Pop-up Blockers with Exceptions

Alternatively, if you only want to allow pop-up windows from your device, see the following steps:

1 In Internet Explorer, select Tools, Internet Options and then the Privacy tab.
2 Select Settings... to open the Pop-up Blocker Settings screen.

Figure 199 Internet Options: Privacy

3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix "http://". For example, http://192.168.167.1.
4 Click Add to move the IP address to the list of Allowed sites.

Figure 200 Pop-up Blocker Settings
26. Certificate Authority, see CA; certifications 341; notices 342; viewing 342; change password at login 41; channel 325; interference 325; Channel ID 105; command interface 35; compact guide 39; Configuration 90; Configuration Upload Successful 264, 265; contact information 345; Content Filtering 171; Categories 171; Schedule 172; Trusted computers 173; URL keyword blocking 171; Content filtering 171; copyright 341; CTS (Clear to Send) 326; Custom Ports, Creating/Editing 160; customer support 345; Customized Services 160; Customized services 160

D

Data Confidentiality 176; Data Integrity 176; Data Origin Authentication 176; default LAN IP address 40; Denial of Service 138, 139, 167; Destination Address 151; device model number 261; DH 194; DHCP 90, 91, 221, 251; diagnostic 267; Diffie-Hellman Key Groups 194; dimensions 275; disclaimer 341; DNS 232; DNS Server, For VPN Host 186; Domain Name 90, 128, 251; Domain Name System 90; DoS 139, 169; Basics 139; Types 140; DoS attacks, types of 140; DSL line, reinitialize 268; DSLAM (Digital Subscriber Line Access Multiplexer) 34; Dynamic DNS 221; Dynamic Secure Gateway Address 183; dynamic WEP key exchange 331; DYNDNS Wildcard 221

E

EAP Authentication 329; ECHO 128; E-Mail 122; embedded help 43; Encapsulated Routing Link Protocol (ENET ENCAP) 73; Encapsulation 73, 177; ENET ENCAP 73; PPP over Ethernet 73; PPPoA 74; RFC 1483 74; Encaps
27. LAN-to-LAN/Router and WAN-to-WAN/Router rules apply to packets coming in on the associated interface (LAN or WAN respectively). LAN-to-LAN/Router means policies for LAN-to-ZyXEL Device (the policies for managing the ZyXEL Device through the LAN interface) and policies for LAN-to-LAN (the policies that control routing between two subnets on the LAN). Similarly, WAN-to-WAN/Router policies apply in the same way to the WAN port.

9.4.1 LAN-to-WAN Rules

The default rule for LAN-to-WAN traffic is that all users on the LAN are allowed non-restricted access to the WAN. When you configure a LAN-to-WAN rule, you in essence want to limit some or all users from accessing certain services on the WAN.

WAN-to-LAN Rules

The default rule for WAN-to-LAN traffic blocks all incoming connections (WAN-to-LAN). If you wish to allow certain WAN users to have access to your LAN, you will need to create custom rules to allow it.

9.4.2 Alerts

Alerts are reports on events, such as attacks, that you may want to know about right away. You can choose to generate an alert when a rule is matched in the Edit Rule screen (see Figure 88 on page 158). When an event generates an alert, a message can be immediately sent to an e-mail account that you specify in the Log Settings screen. Refer to the chapter on logs for details.

9.5 Triangle Route

When the firewall is on, your ZyXEL Device ac
28. Customer Support

Please have the following information ready when you contact customer support.

Required Information
• Product model and serial number.
• Warranty Information.
• Date that you received your device.
• Brief description of the problem and the steps you took to solve it.

"+" is the (prefix) number you dial to make an international telephone call.

Corporate Headquarters (Worldwide)
Support E-mail: support@zyxel.com.tw
Sales E-mail: sales@zyxel.com.tw
Telephone: +886-3-578-3942
Fax: +886-3-578-2439
Web: www.zyxel.com, www.europe.zyxel.com
FTP: ftp.zyxel.com, ftp.europe.zyxel.com
Regular Mail: ZyXEL Communications Corp., 6 Innovation Road II, Science Park, Hsinchu 300, Taiwan

Costa Rica
Support E-mail: soporte@zyxel.co.cr
Sales E-mail: sales@zyxel.co.cr
Telephone: +506-2017878
Fax: +506-2015098
Web: www.zyxel.co.cr
FTP: ftp.zyxel.co.cr
Regular Mail: ZyXEL Costa Rica, Plaza Roble Escazú, Etapa El Patio, Tercer Piso, San José, Costa Rica

Czech Republic
E-mail: info@cz.zyxel.com
Telephone: +420-241-091-350
Fax: +420-241-091-359
Web: www.zyxel.cz
Regular Mail: ZyXEL Communications, Czech s.r.o., Modřanská 621, 143 01 Praha 4 - Modřany, Česká Republika

Denmark
Support E-mail: support@zyxel.dk
Sales E-mail: sales zy
29. • Use ONLY an appropriate power adaptor or cord for your device. Connect it to the right supply voltage (for example, 110V AC in North America or 230V AC in Europe).
• Do NOT allow anything to rest on the power adaptor or cord and do NOT place the product where anyone can walk on the power adaptor or cord.
• Do NOT use the device if the power adaptor or cord is damaged as it might cause electrocution.
• If the power adaptor or cord is damaged, remove it from the device and the power source.
• Do NOT attempt to repair the power adaptor or cord. Contact your local vendor to order a new one.
• Do not use the device outside, and make sure all the connections are indoors. There is a remote risk of electric shock from lightning.
• Do NOT obstruct the device ventilation slots, as insufficient airflow may harm your device.
• Use only No. 26 AWG (American Wire Gauge) or larger telecommunication line cord.
• Antenna Warning! This device meets ETSI and FCC certification requirements when using the included antenna(s). Only use the included antenna(s).
• If you wall mount your device, make sure that no electrical lines, gas or water pipes will be damaged.
• This product is recyclable. Dispose of it properly.

Contents Overview

Getting To Know Your ZyXEL Device
30. keys. The keys are used to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients.

Figure 217 WPA(2) with RADIUS Application Example

WPA(2)-PSK Application Example

A WPA(2)-PSK application looks as follows.

1 First enter identical passwords into the AP and all wireless clients. The Pre-Shared Key (PSK) must consist of between 8 and 63 ASCII characters or 64 hexadecimal characters (including spaces and symbols).
2 The AP checks each wireless client's password and allows it to join the network only if the password matches.
3 The AP and wireless clients generate a common PMK (Pairwise Master Key). The key itself is not sent over the network, but is derived from the PSK and the SSID.
4 The AP and wireless clients use the TKIP or AES encryption process, the PMK and information exchanged in a handshake to create temporal encryption keys. They use these keys to encrypt data exchanged between them.

Figure 218 WPA(2)-PSK Authentication

Security Parameters Summary

Refer to this table to see what other security parameters you should configure for each authentication method or key management protocol type. MAC address filters are not dependent on how you configure these security features.

Table 134 Wireless Security Relational Matrix
31. pre-shared" because you have to share it with another party before you can communicate with them over a secure connection.

12.11 Editing VPN Policies

Click an Edit icon in the VPN Setup Screen to edit VPN policies.

Figure 108 Edit VPN Policies (screen sections: IPSec Setup, Local, Remote, Address Information, Security Protocol)

The following table describes the fields in this screen.

Table 78 Edit VPN Policies

LABEL: DESCRIPTION
IPSec Setup
Active: Select this check box to activate this VPN policy. This option determines whether a VPN rule is applied before a packet leaves the firewall.
Keep Alive: Select either Yes or No from the drop-down list box. Select Yes to have the ZyXEL Device automatically reinitiate the SA after the SA lifetime times out, even if there is no traffic. The remote IPSec router must also have kee
32. (Firewall Rules screen: Packet Direction; Create a new rule after rule number; Move the rule to; Apply; Cancel)

The following table describes the labels in this screen.

Table 61 Firewall Rules

LABEL: DESCRIPTION
Firewall Rules Storage Space in Use: This read-only bar shows how much of the ZyXEL Device's memory for recording firewall rules it is currently using. When you are using 80% or less of the storage space, the bar is blue. When the amount of space used is over 80%, the bar is red.
Packet Direction: Use the drop-down list box to select a direction of travel of packets for which you want to configure firewall rules.
Create a new rule after rule number: Select an index number and click Add to add a new firewall rule after the selected index number. For example, if you select "6", your new rule becomes number 7 and the previous rule 7 (if there is one) becomes rule 8.
The following read-only fields summarize the rules you have created that apply to traffic traveling in the selected packet direction. The firewall rules that you configure (summarized below) take priority over the default actions in the General screen.
This is your firewall rule number. The ordering of your rules is important as rules are applied in turn
33. Many types of encryption use a key to protect the information in the wireless network. The longer the key, the stronger the encryption. Every device in the wireless network must have the same key.

6.2.5 One-Touch Intelligent Security Technology (OTIST)

With ZyXEL's OTIST, you set up the SSID and WPA-PSK on the ZyXEL Device. Then, the ZyXEL Device transfers them to the devices in the wireless networks. As a result, you do not have to set up the SSID and encryption on every device in the wireless network.

The devices in the wireless network have to support OTIST, and they have to be in range of the ZyXEL Device when you activate it. See Section 6.5 on page 112 for more details.

6.3 Wireless Performance Overview

The following sections introduce different ways to improve the performance of the wireless network.

6.3.1 Quality of Service (QoS)

You can turn on Wi-Fi MultiMedia (WMM) QoS to improve the performance of voice and video applications in the wireless network. QoS gives high priority to voice and video, which makes them run more smoothly. Similarly, it gives low priority to many file downloads so that they do not reduce the quality of other applications.

6.4 General Wireless LAN Screen

Note: If you are configuring the ZyXEL Device from a computer connected to the wireless LAN and you change the ZyXEL Device's SSID or security settings, you will lose your wireless connection when you press Apply to confirm. You must then change
34. [OK] Setting network parameters: [OK] Bringing up loopback interface: [OK] Bringing up interface eth0: [OK]

Verifying Settings

Enter ifconfig in a terminal screen to check your TCP/IP properties.

Figure 196 Red Hat 9.0: Checking TCP/IP Properties

    [root@localhost]# ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:50:BA:72:5B:44
              inet addr:172.23.19.129  Bcast:172.23.19.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:717 errors:0 dropped:0 overruns:0 frame:0
              TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:730412 (713.2 Kb)  TX bytes:1570 (1.5 Kb)
              Interrupt:10 Base address:0x1000
    [root@localhost]#

Pop-up Windows, JavaScripts and Java Permissions

In order to use the web configurator you need to allow:

• Web browser pop-up windows from your device.
• JavaScripts (enabled by default).
• Java permissions (enabled by default).

Note: Internet Explorer 6 screens are used here. Screens for other Internet Explorer versions may vary.

Internet Explorer Pop-up Blockers

You may have to disable pop-up blocking to log into your device. Either disable pop-up blocking (enabled by default in Windows XP SP (Service Pack) 2) or
35. You can add or remove components of Windows XP.

(Windows Optional Networking Components Wizard screen: Components: Management and Monitoring Tools, Networking Services, Other Network File and Print Services)

5 In the Networking Services window, select the Universal Plug and Play check box.

Figure 138 Networking Services (Subcomponents of Networking Services: RIP Listener, Simple TCP/IP Services, Universal Plug and Play)

6 Click OK to go back to the Windows Optional Networking Component Wizard window and click Next.

17.4 Using UPnP in Windows XP Example

This section shows you how to use the UPnP featur
36. allow pop-up blocking and create an exception for your device's IP address.

Disable Pop-up Blockers

1 In Internet Explorer, select Tools, Pop-up Blocker and then select Turn Off Pop-up Blocker.

Figure 197 Pop-up Blocker

You can also check if pop-up blocking is disabled in the Pop-up Blocker section in the Privacy tab.

1 In Internet Explorer, select Tools, Internet Options, Privacy.
2 Clear the Block pop-ups check box in the Pop-up Blocker section of the screen. This disables any web pop-up blockers you may have enabled.

Figure 198 Internet Options: Privacy

3 Click Apply to save this setting.
37. behind the VPN gateway. The security protocol appears after the outer IP header and before the inside IP header.

11.4 IPSec and NAT

Read this section if you are running IPSec on a host computer behind the ZyXEL Device.

NAT is incompatible with the AH protocol in both Transport and Tunnel mode. An IPSec VPN using the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet. When using AH protocol, packet contents (the data payload) are not encrypted.

A NAT device in between the IPSec endpoints will rewrite either the source or destination address with one of its own choosing. The VPN device at the receiving end will verify the integrity of the incoming packet by computing its own hash value, and complain that the hash value appended to the received packet doesn't match. The VPN device at the receiving end doesn't know about the NAT in the middle, so it assumes that the data has been maliciously altered.

IPSec using ESP in Tunnel mode encapsulates the entire original packet (including headers) in a new IP packet. The new IP packet's source address is the outbound address of the sending VPN gateway, and its destination address is the inbound address of the VPN device at the receiving end. When using ESP protocol with authentication, the packet contents (in this case, the entire original packet) are encrypted. Th
38. (Table of Contents, partly unreadable) 242; Part V: Maintenance 249; Chapter 18 251; 18.1.1 General Setup and System Name 251; 253; Chapter 19 257; 258; Chapter 20 261; 263; 265; Chapter 21 267; 21.1 General Diagnostic 267; 268; Part VI: Troubleshooting and Specifications 269; Chapter 22 Troubleshooting 271; 22.1 Power, Hardware Connections, and LEDs 271; 22.2 ZyXEL Device Access and Login
39. 180 x 128 x 36 mm
Power: 12V AC 1A
Ethernet Ports: Auto-negotiating: 10 Mbps or 100 Mbps in either half-duplex or full-duplex mode. Auto-crossover: Use either crossover or straight-through Ethernet cables.
Operating Environment: Temperature 0°C to 40°C; Humidity 20% to 85% RH
Storage Environment: Temperature -20°C to 60°C; Humidity 20% to 90% RH
Distance between the centers of the holes (for wall-mounting) on the device's back: 108 mm
Recommended type of screws for wall-mounting: M4 Tap Screw (see Figure 164 on page 279)

Table 117 Firmware Specifications

FEATURE: DESCRIPTION
Default IP Address: 192.168.1.1
Default Subnet Mask: 255.255.255.0 (24 bits)
Default Password: Admin: 1234; User: user
DHCP Pool: 192.168.1.33 to 192.168.1.64
Device Management: Use the web configurator to easily configure the rich range of features on the ZyXEL Device.
Wireless Functionality: Allow the IEEE 802.11b and/or IEEE 802.11g wireless clients to connect to the ZyXEL Device wirelessly. Enable wireless security (WEP, WPA(2), WPA(2)-PSK) and/or MAC filtering to protect your wireless network.
Firmware Upgrade: Download new firmware (when available) from the ZyXEL web site and use the web configurator, an FTP or
40. Address Automatically
Static IP Address: Select this if you have a static (fixed) IP address, and enter the information below.
These fields appear if you select Static IP Address.
IP Address: Enter the static IP address provided by your ISP.
Subnet Mask: Enter the subnet mask provided by your ISP.
Gateway IP Address: Enter the IP address of the gateway provided by your ISP. If your ISP did not provide one, use the default value.
First DNS Server / Second DNS Server: Enter the IP address(es) of the DNS server(s) provided by your ISP. If your ISP did not provide one or both, use the default value(s).
Back: Click Back to go back to the previous screen.
Apply: Click Apply to finish manual configuration. The ZyXEL Device tries to detect the connection again. See Section 3.1 on page 54.
Exit: Click Exit to close the wizard screen without saving your changes.

This screen appears if your Internet connection uses PPPoE encapsulation.

Figure 23 Internet Setup Wizard: ISP Parameters (PPPoE) (Internet Configuration: User Name, Password, Service Name. Note: Device is automatically configured to obtain an IP address automatically. The ISP will assign you a different one each time you connect to the Internet.)

The following table describes the fields in this screen.

Table 13 Internet Setup Wizard: ISP Parameters (PPPoE)

LABEL: DESCRIPTION
User Name: Enter the user name exactly as y
41. COMMAND (ROOT OR SUBDIRECTORY) / COMMAND / DESCRIPTION
wan tr069: All TR-069 related commands must be preceded by wan tr069.
load: Start configuring TR-069 on your ZyXEL Device.
active <0 (no) | 1 (yes)>: Enable/disable TR-069 operation.
acsUrl <URL>: Set the IP address or domain name of CNM Access.
username <maxlength 15>: Username used to authenticate the device when making a connection to CNM Access. This username is set up on the server and must be provided by the CNM Access administrator.
password <maxlength 15>: Password used to authenticate the device when making a connection to CNM Access. This password is set up on the server and must be provided by the CNM Access administrator.
periodicEnable <0 (Disable) | 1 (Enable)>: Whether or not the device must periodically send information to CNM Access. It is recommended to set this value to 1 in order for the ZyXEL Device to send information to CNM Access.
informInterval <sec>: The duration in seconds of the interval for which the device MUST attempt to connect with CNM Access to send information and check for configuration updates. Enter a value between 30 and 2147483647 seconds.
save: Save the TR-069 settings to your ZyXEL Device.

Universal Plug-and-Play (UPnP)

This chapter introduces the UPnP feature in the web
42. DHCP Client Table

(DHCP Client Table screen: IP Address, MAC Address, Add; Status, Host Name, IP Address, MAC Address, Reserve; Apply, Cancel, Refresh)

The following table describes the labels in this screen.

Table 33 LAN Client List

LABEL: DESCRIPTION
IP Address: Enter the IP address that you want to assign to the computer on your LAN with the MAC address specified below. The IP address should be within the range of IP addresses you specified in the DHCP Setup for the DHCP client.
MAC Address: Enter the MAC address of a computer on your LAN.
Add: Click Add to add a static DHCP entry.
This is the index number of the static IP table entry (row).
Status: This field displays whether the client is connected to the ZyXEL Device.
Host Name: This field displays the computer host name.
IP Address: This field displays the IP address relative to the field listed above.
MAC Address: The MAC (Media Access Control) or Ethernet address on a LAN (Local Area Network) is unique to your computer (six pairs of hexadecimal notation). A network interface card such as an Ethernet adapter has a hardwired address that is assigned at the factory. This address follows an industry standard that ensures no other adapter has a similar address.
Reserve: Select the check box(es) in each entry to have the ZyXEL Device alw
43. OTIST

(OTIST screen: Setup Key 01234567; Yes: Please enhance the Wireless Security Level to WPA-PSK automatically if no WLAN security has been set. This will generate a random PSK key for your convenience; Start)

The following table describes the labels in this screen.

Table 42 OTIST

LABEL: DESCRIPTION
Setup Key: Type an OTIST Setup Key of exactly eight ASCII characters in length. The default OTIST setup key is "01234567". Note: If you change the OTIST setup key here, you must also make the same change on the wireless client(s).
Yes: If you want OTIST to automatically generate a WPA-PSK, you must: change your security to any security other than WPA-PSK in the Wireless LAN > General screen; select the Yes checkbox in the OTIST screen and click Start. The wireless screen displays an auto-generated WPA-PSK and is now in WPA-PSK security mode. The WPA-PSK security settings are assigned to the wireless client when you start OTIST. If you already have a WPA-PSK configured in the Wireless LAN > General screen, and you run OTIST with Yes selected, OTIST will use the existing WPA-PSK.
Start: Click Start to encrypt the wireless security data using the setup key and have the ZyXEL Device set the wireless client to use the same wireless settings as the ZyXEL Device. You must also activate and start OTIST on the wireless
The process takes three minutes to complete.
44. TRAFFIC WITH A LOWER PRIORITY IS DROPPED IF THE NETWORK IS CONGESTED.
High: Typically used for voice traffic or video that is especially sensitive to jitter (jitter is the variations in delay).
Mid: Typically used for "excellent effort" or better than best effort and would include important business traffic that can tolerate some delay.
Low: This is typically used for non-critical "background" traffic such as bulk transfers that are allowed but that should not affect other applications and users.

14.7 Configuring Summary

Click Advanced > Bandwidth MGMT to open the screen as shown next.

Enable bandwidth management on an interface and set the maximum allowed bandwidth for that interface.

Figure 120 Bandwidth Management: Summary (screen text: BW Manager manages the bandwidth of traffic flowing out of router on the specific interface. BW Manager can be switched on/off independently for each interface. Columns: Interface, Active, Max Bandwidth Usage, Scheduler; rows: LAN, WLAN, WAN)

The following table describes the labels in this screen.

Table 93 Media Bandwidth Management: Summary

LABEL: DESCRIPTION
Interface: These read-only labels represent the physical interfaces. Select an interface's check box to enabl
45. Chapter 5 LAN Setup

This way, the ZyXEL Device can pass the DNS servers to the computers and the computers can query the DNS server directly without the ZyXEL Device's intervention.

5.1.4 DNS Server Address Assignment

Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it.

There are two ways that an ISP disseminates the DNS server addresses:
• The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, enter them in the DNS Server fields in the DHCP Setup screen.
• The ZyXEL Device acts as a DNS proxy when the Primary and Secondary DNS Server fields are left as 0.0.0.0 in the DHCP Setup screen.

5.2 LAN TCP/IP

The ZyXEL Device has built-in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability.

5.2.1 IP Address and Subnet Mask

Similar to the way houses on a street share a common street name, so too do computers on a LAN share one common network number.

Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet
46. Chapter 19 Logs

... especially Access Control, may result in many e-mails being sent.

Figure 151 Log Settings (screen capture; sections: E-mail Log Settings with Mail Server (Outgoing SMTP Server Name or IP Address), Mail Subject, Send Log to (E-Mail Address), Send Alerts to (E-Mail Address), Enable SMTP Authentication, User Name, Password; Log Schedule with Day for Sending Log, Time for Sending Log (hour, minute), Clear log after sending mail; Syslog Logging with Active, Syslog Server IP Address 0.0.0.0 (Server Name or IP Address), Log Facility Local 1; Active Log and Alert with Log and Send Immediate Alert check boxes for System Maintenance, System Errors, Access Control, Blocked Web Sites, Forward Web Sites, Attacks, IPSec, IKE, Any IP, 802.1x, UPnP; Apply and Cancel buttons).

The following table describes the fields in this screen.

Table 111 Log Settings

E-mail Log Settings

Mail Server: Enter the server name or the IP address of the mail server for the e-mail addresses specified below. If this field is left blank, logs and alert messages will not be sent via e-mail.

Mail Subject: Type a title that you want to be in the subject line of the log e-mail message that the ZyXEL Device sends. Not all
47. Chapter 2 Introducing the Web Configurator

... is using. Heap memory refers to the memory that is not used by ZyNOS (ZyXEL Network Operating System) and is thus available for running processes like NAT, VPN and the firewall.
The bar displays what percent of the ZyXEL Device's heap memory is in use. The bar turns from blue to red when the maximum is being approached.

Memory Usage: This number shows the ZyXEL Device's total heap memory (in kilobytes).
The bar displays what percent of the ZyXEL Device's heap memory is in use. The bar turns from blue to red when the maximum is being approached.

Interface Status

Interface: This displays the ZyXEL Device port types.

Status: This field displays Down (line is down), Up (line is up or connected) if you're using Ethernet encapsulation and Down (line is down), Up (line is up or connected), Idle (line (ppp) idle), Dial (starting to trigger a call) and Drop (dropping a call) if you're using PPPoE encapsulation.
For the WLAN port, it displays Active when WLAN is enabled or Inactive when WLAN is disabled.

Table 4 Status Screen (continued)

Rate: For the LAN ports, this displays the port speed and duplex setting. Ethernet port connections can be in half-duplex or full-duplex mode. Full-duplex refers to a device's ability to send and receive simultaneously, while half-duplex indicates that traffic can flow in only one direction at
48. Chapter 18 System

... not recommended.

Password

User Password: If you log in with the user password, you can only view the ZyXEL Device status. The default user password is user.

New Password: Type your new system password (up to 30 characters). Note that as you type a password, the screen displays a (*) for each character you type. After you change the password, use the new password to access the ZyXEL Device.

Retype to Confirm: Type the new password again for confirmation.

Admin Password: In addition to the wizard setup, a user who logs in with the admin password can also view and configure the advanced features on the ZyXEL Device.

Table 108 System General Setup (continued)

Old Password: Type the default administrator password (1234) or the existing password you use to access the system for configuring advanced features in this field.

New Password: Type your new system password (up to 30 characters). Note that as you type a password, the screen displays a (*) for each character you type. After you change the password, use the new password to access the ZyXEL Device.

Retype to Confirm: Type the new password again for confirmation.

Apply: Click Apply to save your changes back to the ZyXEL Device.

Cancel: Click Cancel to begin configuring this screen afresh.

18.2 Time Setting

To change your ZyXEL Device's time and date, click Maintena
49. ... obstructions. In point-to-point application, position both antennas at the same height and in a direct line of sight to each other to attain the best performance.

For omni-directional antennas mounted on a table, desk, and so on, point the antenna up. For omni-directional antennas mounted on a wall or ceiling, point the antenna down. For a single AP application, place omni-directional antennas as close to the center of the coverage area as possible.

For directional antennas, point the antenna in the direction of the desired coverage area.

Common Services

The following table lists some commonly used services and their associated protocols and port numbers. For a comprehensive list of port numbers, ICMP type/code numbers and services, visit the IANA (Internet Assigned Number Authority) web site.

• Name: This is a short, descriptive name for the service. You can use this one or create a different one, if you like.
• Protocol: This is the type of IP protocol used by the service. If this is TCP/UDP, then the service uses the same port number with TCP and UDP. If this is USER-DEFINED, the Port(s) is the IP protocol number, not the port number.
• Port(s): This value depends on the Protocol. Please refer to RFC 1700 for further information about port numbers.
  If the Protocol is TCP, UDP, or TCP/UDP, this is the IP port number.
  If the Protocol is USER, this is the IP protocol number.
• Description: Th
50. (Table of Contents, continued)

14.2 Application-based Bandwidth Management  211
14.3 Subnet-based Bandwidth Management  211
14.4 Application and Subnet-based Bandwidth Management  212
14.5 [heading garbled]  212
14.5.1 Priority-based Scheduler  212
14.5.2 Fairness-based Scheduler  213
14.6 [heading garbled]  213
14.6.1 Reserving Bandwidth for Non-Bandwidth Class Traffic  213
14.6.2 Maximize Bandwidth Usage Example  213
14.6.3 Over Allotment of Bandwidth  215
14.6.4 Bandwidth Management Priorities  215
14.7 Configuring Summary  215
14.8 Bandwidth Management Rule Setup  217
14.8.1 [heading garbled]  218
[entry garbled]  220
Chapter 15 Dynamic DNS Setup  221
15.1 Dynamic DNS Overview  221
15.1.1 [heading garbled]  221
15.2 Configuring Dynamic DNS  221
Chapter 16 Remote Management Configura
51. Chapter 16 Remote Management Configuration

The following table describes the labels in this screen.

Table 99 Remote Management: Telnet

Port: You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.

Access Status: Select the interface(s) through which a computer may access the ZyXEL Device using this service.

Secured Client IP: A secured client is a "trusted" computer that is allowed to communicate with the ZyXEL Device using this service.
Select All to allow any computer to access the ZyXEL Device using this service.
Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service.

Apply: Click Apply to save your customized settings and exit this screen.

Cancel: Click Cancel to begin configuring this screen afresh.

16.5 Configuring FTP

You can use FTP (File Transfer Protocol) to upload and download the ZyXEL Device's firmware and configuration files. To use this feature, your computer must have an FTP client.

To change your ZyXEL Device's FTP settings, click Advanced > Remote MGMT > FTP tab. The screen appears as shown. Use this screen to specify which interfaces allow FTP access and from which IP address the access can come.

Figure 127 Remote Management: FTP (screen capture; labels visible: Note, FTP, Port, Access Sta
52. Appendix G Customer Support

(Poland, continued)
Telephone: ... 22 333 8251
Web: www.pl.zyxel.com
Regular Mail: ZyXEL Communications, ul. Okrzei 1A, 03-715 Warszawa, Poland

Russia
Support: http://zyxel.ru/support
Sales E-mail: sales@zyxel.ru
Telephone: +7 095 542 89 29
Fax: +7 095 542 89 25
Web: www.zyxel.ru
Regular Mail: ZyXEL Russia, Ostrovityanova 37a Str., Moscow 117279, Russia

Singapore
Support E-mail: support@zyxel.com.sg
Sales E-mail: sales@zyxel.com.sg
Telephone: +65 6899 6678
Fax: +65 6899 8887
Web: http://www.zyxel.com.sg
Regular Mail: ZyXEL Singapore Pte Ltd., No. 2 International Business Park, The Strategy #03-28, Singapore 609930

Spain
Support E-mail: support@zyxel.es
Sales E-mail: sales@zyxel.es
Telephone: +34 902 195 420
Fax: +34 913 005 345
Web: www.zyxel.es
Regular Mail: ZyXEL Communications, Arte 21, 5ª planta, 28033 Madrid, Spain

Sweden
Support E-mail: support@zyxel.se
Sales E-mail: sales@zyxel.se
Telephone: +46 31 744 7700
Fax: +46 31 744 7701
Web: www.zyxel.se
Regular Mail: ZyXEL Communications A/S, Sjöporten 4, 41764 Göteborg, Sweden

Thailand
Support E-mail: support@zyxel.co.th
Sales E-mail: sales@zyxel.co.th
Telephone: +662 831 5315
Fax: +662 831 5395
Web: http://www.zyxel.co.th
Regular Mail: ZyXEL Thailand Co., Ltd., 1/1 Moo 2, Ratchaphruk Road, Bangrak Noi, Muang, Nonthaburi 11000, Thailand

Ukraine
Support E-mail: support@ua.zyxel.com
Sales E-mail: sales@ua
53. Chapter 8 Firewalls

8.3.1 Denial of Service Attacks

Figure 78 ZyXEL Device Firewall Application (diagram; labels visible: LAN).

8.4 Denial of Service

Denials of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources. The ZyXEL Device is pre-configured to automatically detect and thwart all known DoS attacks.

8.4.1 Basics

Computers share information over the Internet using a common language called TCP/IP. TCP/IP, in turn, is a set of application protocols that perform specific functions. An "extension number", called the "TCP port" or "UDP port", identifies these protocols, such as HTTP (Web), FTP (File Transfer Protocol), POP3 (E-mail), etc. For example, Web traffic by default uses TCP port 80.

When computers communicate on the Internet, they are using the client/server model, where the server "listens" on a specific TCP/UDP port for information requests from remote client computers on the network. For example, a Web server typically listens on port 80. Please note that while a computer may be intended for use over a single port, such as Web on port 80, other ports are also active. If the person configuring or managing the computer is not careful, a hacker could attack it over an unprotected port.

Some of the most common IP port
54. Chapter 4 WAN Setup

Apply / Cancel

The following table describes the labels in this screen.

Table 26 More Connections

#: This is the index number of a connection.

Active: This displays whether this connection is activated. Clear the check box to disable the connection. Select the check box to enable it.

Name: This is the descriptive name for this connection.

VPI/VCI: This is the VPI and VCI values used for this connection.

Encapsulation: This is the method of encapsulation used for this connection.

Modify: The first (ISP) connection is read-only in this screen. Use the WAN > Internet Connection screen to edit it.
Click the edit icon to go to the screen where you can edit the connection.
Click the delete icon to remove an existing connection. You cannot remove the first connection.

Apply: Click Apply to save the changes.

Cancel: Click Cancel to begin configuring this screen afresh.

4.6.1 More Connections Edit

Click the edit icon in the More Connections screen to configure a connection.

Figure 41 More Connections Edit (screen capture; General section: Active, Name (ChangeMe), Mode (Routing), Encapsulation (PPPoE), User Name, Password, Service Name, Multiplexing (VC), VPI, VCI; IP Address section: Obtain an IP Address Automatically, Static IP Address, IP Address, Subnet Mask
55. Appendix A Setting up Your Computer's IP Address

Figure 184 Macintosh OS 8/9: Apple Menu (screen capture of the Apple menu, items Control Panels, Favorites, Key Caps, Network Browser, Recent Applications, Recent Documents, Remote Access Status, Scrapbook, Sherlock 2, Speakable Items, Stickies, with the Control Panels submenu open).

2 Select Ethernet built-in from the Connect via list.

Figure 185 Macintosh OS 8/9: TCP/IP (screen capture; Setup section: Connect via, Configure (Using DHCP Server), DHCP Client ID, IP Address, Subnet mask, Router address, Name server addr., Search domains, each shown as "will be supplied by server").

3 For dynamically assigned settings, select Using DHCP Server from the Configure list.

4 For statically assigned settings, do the following:
• From the Configure box, select Manually.
• Type your IP address in the IP Address box.
• T
56. Chapter 4 WAN Setup

... Device acts as a DHCP client on the WAN port and so the IP Address and ENET ENCAP Gateway fields are not applicable (N/A) as the DHCP server assigns them to the ZyXEL Device.

4.1.5 Nailed-Up Connection (PPP)

A nailed-up connection is a dial-up line where the connection is always up regardless of traffic demand. The ZyXEL Device does two things when you specify a nailed-up connection. The first is that idle timeout is disabled. The second is that the ZyXEL Device will try to bring up the connection when turned on and whenever the connection is down. A nailed-up connection can be very expensive for obvious reasons.

Do not specify a nailed-up connection unless your telephone company offers flat-rate service or you need a constant connection and the cost is of no concern.

4.1.6 NAT

NAT (Network Address Translation, RFC 1631) is the translation of the IP address of a host in a packet, for example, the source address of an outgoing packet, used within one network to a different IP address known within another network.

4.2 Metric

The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost". RIP routing uses hop count as the measurement of cost, with a minimum of "1" for directly connected networks. The number must be between "1" and "15"; a number greater than "15" means the link is down. The smaller the number, the lower the "cost".

The metric sets the prior
57. ... ESP with NAT in tunnel and transport modes is summarized in the following table.

Table 73 VPN and NAT

SECURITY PROTOCOL | MODE | NAT
AH | Transport | N
AH | Tunnel | N
ESP | Transport | Y*
ESP | Tunnel | Y*

Y* - This is supported in the ZyXEL Device if you enable NAT traversal.

12.8 Remote DNS Server

In cases where you want to use domain names to access Intranet servers on a remote network that has a DNS server, you must identify that DNS server. You cannot use DNS servers on the LAN or from the ISP since these DNS servers cannot resolve domain names to private IP addresses on the remote network.

The following figure depicts an example where three VPN tunnels are created from ZyXEL Device A; one to branch office 2, one to branch office 3 and another to headquarters. In order to access computers that use private domain names on the headquarters (HQ) network, the ZyXEL Device at branch office 1 uses the Intranet DNS server in headquarters. The DNS server feature for VPN does not work with Windows 2000 or Windows XP.

Figure 107 VPN Host using Intranet DNS Server Example (diagram; labels visible: Public DNS Servers 212.54.64.170 and 212.54.64.171; LAN DNS 212.54.64.170; HQ 10.1.1.1-200; http://info2.zyxel.com; 192.168.1.1-50; 172.16.4.1-50).

If you do not specify an Intranet DNS server on the remote net
58. Any IP Setup: Select the Active check box to enable the Any IP feature. This allows a computer to access the Internet without changing the network settings (such as IP address and subnet mask) of the computer, even when the IP addresses of the computer and the ZyXEL Device are not in the same subnet.
When you disable the Any IP feature, only computers with dynamic IP addresses or static IP addresses in the same subnet as the ZyXEL Device's LAN IP address can connect to the ZyXEL Device or access the Internet through the ZyXEL Device.

Windows Networking (NetBIOS over TCP/IP): NetBIOS (Network Basic Input/Output System) are TCP or UDP packets that enable a computer to connect to and communicate with a LAN. For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls. However it may sometimes be necessary to allow NetBIOS packets to pass through to the WAN in order to find a computer on the WAN.

Allow between LAN and WAN: Select this check box to forward NetBIOS packets from the LAN to the WAN and from the WAN to the LAN. If your firewall is enabled with the default policy set to block WAN to LAN traffic, you also need to enable the default WAN to LAN firewall rule that forwards NetBIOS traffic.
Clear this check box to block all NetBIOS packets going from the LAN to the WAN and from the WAN to the LAN.

Back: Click Back to return to the previous screen.

Apply: Click Apply to save the changes.

Cancel
59. Appendix A Setting up Your Computer's IP Address

... IP address and type your information into the IP Address and Subnet Mask fields.

Figure 166 Windows 95/98/Me: TCP/IP Properties: IP Address (screen capture; tabs: Bindings, Advanced, NetBIOS, DNS Configuration, Gateway, WINS Configuration, IP Address; text: "An IP address can be automatically assigned to this computer. If your network does not automatically assign IP addresses, ask your network administrator for an address, and then type it in the space below."; options: Specify an IP address, Detect connection to network media; OK and Cancel buttons).

3 Click the DNS Configuration tab.
• If you do not know your DNS information, select Disable DNS.
• If you know your DNS information, select Enable DNS and type the information in the fields below (you may not need to fill them all in).

Figure 167 Windows 95/98/Me: TCP/IP Properties: DNS Configuration (screen capture; tabs: Bindings, Advanced, NetBIOS, DNS Configuration, Gateway, WINS Configuration, IP Address).

4 Click the Gateway tab.
• If you do not know your gateway's IP address, remove previously installed gateways.
• If you have a gateway IP address, type it in the New gateway field and click Add.

5 Click OK to save and close the TCP/IP Properties window.

6 Click OK to close the Network window. Insert the Windows CD if prompted.

7 Turn o
60. Chapter 4 WAN Setup

... ISP.

4.1.1.2 PPP over Ethernet

PPPoE (Point-to-Point Protocol over Ethernet) provides access control and billing functionality in a manner similar to dial-up services using PPP. PPPoE is an IETF standard (RFC 2516) specifying how a personal computer (PC) interacts with a broadband modem (DSL, cable, wireless, etc.) connection.

For the service provider, PPPoE offers an access and authentication method that works with existing access control systems (for example RADIUS).

One of the benefits of PPPoE is the ability to let you access one of multiple network services, a function known as dynamic service selection. This enables the service provider to easily create and offer new IP services for individuals.

Operationally, PPPoE saves significant effort for both you and the ISP or carrier, as it requires no specific configuration of the broadband modem at the customer site.

By implementing PPPoE directly on the ZyXEL Device (rather than individual computers), the computers on the LAN do not need PPPoE software installed, since the ZyXEL Device does that part of the task. Furthermore, with NAT, all of the LAN's computers will have access.

4.1.1.3 PPPoA

PPPoA stands for Point to Point Protocol over ATM Adaptation Layer 5 (AAL5). A PPPoA connection functions like a dial-up Internet connection. The ZyXEL Device encapsulates the PPP session based on RFC1483 and sends it through an ATM PVC
61. Appendix A Setting up Your Computer's IP Address

• In TCP/IP Gateway Address, type the IP address of the default gateway in Gateway. To manually configure a default metric (the number of transmission hops), clear the Automatic metric check box and type a metric in Metric.
• Click Add.
• Repeat the previous three steps for each default gateway you want to add.
• Click OK when finished.

Figure 173 Windows XP: Advanced TCP/IP Properties (screen capture of the Advanced TCP/IP Settings window; tabs: IP Settings, DNS, WINS, Options; IP addresses list with columns IP address and Subnet mask showing DHCP Enabled; Default gateways list with columns Gateway and Metric; Automatic metric check box).

7 In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP):
• Click Obtain DNS server address automatically if you do not know your DNS server IP address(es).
• If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields.
If you have previously configured DNS servers, click Advanced and then the DNS tab to order them.

Figure 174 Windows XP: Internet Protocol (TCP/IP) Properties (screen capture; tabs: General, Alternate Configuration; text: "You can get IP settings assigned automatically if your network supports this capability. Otherwise, you need to ask your networ
62. Chapter 4 WAN Setup (page 83)

(Figure, continued: Gateway IP Address; Connection section: Nailed-Up Connection, Connect on Demand with Max Idle timeout (sec); NAT section: None, SUA Only with Edit; Apply, Cancel and Advanced Setup buttons.)

The following table describes the labels in this screen.

Table 27 More Connections Edit

Active: Select the check box to activate or clear the check box to deactivate this connection.

Name: Enter a unique, descriptive name of up to 13 ASCII characters for this connection.

Mode: Select Routing from the drop-down list box if your ISP allows multiple computers to share an Internet account.
If you select Bridge, the ZyXEL Device will forward any packet that it does not route to this remote node; otherwise, the packets are discarded.

Encapsulation: Select the method of encapsulation used by your ISP from the drop-down list box. Choices are PPPoA, RFC 1483, ENET ENCAP or PPPoE.

Table 27 More Connections Edit (continued)

User Name: (PPPoA and PPPoE encapsulation only) Enter the user name exactly as your ISP assigned. If assigned a name in the form user@domain where domain identifies a service name, then enter both components exactly as given.

Password: (PPPoA and PPPoE encapsulation only) Enter the password associated with the user name above.

Service Name: (PPPoE only) Type the name of your PPPoE service here.
63. ... MultiMedia QoS (Quality of Service) allows you to prioritize wireless traffic according to the delivery requirements of individual services.

WMM is a part of the IEEE 802.11e QoS enhancement to certified Wi-Fi wireless networks.

6.7.1 WMM QoS Example

When WMM QoS is not enabled, all traffic streams are given the same access throughput to the wireless network. If the introduction of another traffic stream creates a data transmission demand that exceeds the current network capacity, then the new traffic stream reduces the throughput of the other traffic streams.

When WMM QoS is enabled, the streams are prioritized according to the needs of the application. You can assign different priorities to different applications. This prevents reductions in data transmission for applications that are sensitive.

6.7.2 WMM QoS Priorities

The following table describes the priorities that you can apply to traffic that the ZyXEL Device sends to the wireless network.

Table 44 WMM QoS Priorities

PRIORITY LEVELS

Highest: Typically used for voice traffic or video that is especially sensitive to jitter (variations in delay). Use the highest priority to reduce latency for improved voice quality.

High: Typically used for video traffic which has some tolerance for jitter but needs to be prioritized over other data traffic.

Mid: Typically used for traffic from applications or devices that lack QoS capabilities. Use mid priority for traffic that is l
64. Chapter 11 Introduction to IPSec

Figure 102 IPSec Architecture (diagram; IPSec Algorithms: AH Protocol (RFC 2402) and ESP Protocol (RFC 2406); Authentication Algorithm: HMAC-MD5 (RFC 2403), HMAC-SHA-1 (RFC 2404); Encryption Algorithm).

11.2.1 IPSec Algorithms

The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms).

The Encryption Algorithm describes the use of encryption techniques such as DES (Data Encryption Standard) and Triple DES algorithms.

The Authentication Algorithms, HMAC-MD5 (RFC 2403) and HMAC-SHA-1 (RFC 2404), provide an authentication mechanism for the AH and ESP protocols. Please see Section 12.2 on page 181 for more information.

11.2.2 Key Management

Key management allows you to determine whether to use IKE (ISAKMP) or manual key configuration in order to set up a VPN.

11.3 Encapsulation

The two modes of operation for IPSec VPNs are Transport mode and Tunnel mode.

Figure 103 Transport and Tunnel Mode IPSec Encapsulation (diagram; Original IP Packet: IP Header, TCP Header, Data; Transport Mode Protected Packet: IP Header, IPSec Header, TCP Header, Data; Tunnel Mode Protected Pac
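To make the authentication algorithms concrete, the following added example (not code from the manual or from ZyXEL) computes and verifies the 96-bit Integrity Check Value that RFC 2403 (HMAC-MD5-96) and RFC 2404 (HMAC-SHA-1-96) specify for AH and ESP: the full HMAC is computed over the protected bytes and truncated to its first 12 bytes. The packet bytes and the 20-byte key are constructed for illustration; the one fixed known answer comes from the HMAC test vectors in RFC 2202.

```python
import hashlib
import hmac

# Constructed sample: an IPv4 header, a TCP header and a small payload.
# The bytes are illustrative only (checksums are not meant to be valid).
SAMPLE_PACKET = bytes.fromhex(
    "4500003c1c4640004006b1e6c0a80001c0a800c7"   # IPv4 header (constructed)
    "0050d43100000000000000005002200012345678"   # TCP header (constructed)
) + b"GET / HTTP/1.0\r\n\r\n"

# Constructed shared authentication key; in a real SA it comes from IKE or manual keying.
SAMPLE_KEY = b"\x0b" * 20

ICV_LEN = 12  # RFC 2403 / RFC 2404: HMAC output truncated to 96 bits

# The two authenticators the manual lists (Figure 102 / Section 11.2.1).
ALGORITHMS = {
    "HMAC-MD5-96": hashlib.md5,     # RFC 2403
    "HMAC-SHA-1-96": hashlib.sha1,  # RFC 2404
}


def compute_icv(key: bytes, data: bytes, alg: str = "HMAC-SHA-1-96") -> bytes:
    """Return the truncated (96-bit) HMAC over data, as AH/ESP carry it."""
    return hmac.new(key, data, ALGORITHMS[alg]).digest()[:ICV_LEN]


def verify_icv(key: bytes, data: bytes, icv: bytes, alg: str = "HMAC-SHA-1-96") -> bool:
    """Constant-time comparison so a forged ICV cannot be guessed byte by byte."""
    return hmac.compare_digest(compute_icv(key, data, alg), icv)


def protect(key: bytes, packet: bytes, alg: str = "HMAC-SHA-1-96") -> bytes:
    """Simplified sender side: append the ICV after the authenticated bytes."""
    return packet + compute_icv(key, packet, alg)


def unprotect(key: bytes, protected: bytes, alg: str = "HMAC-SHA-1-96"):
    """Simplified receiver side: split off the ICV, verify it, return the data.

    Returns None when the ICV does not match (wrong key or modified packet),
    which is the case a receiver must treat as a discarded packet.
    """
    if len(protected) < ICV_LEN:
        return None
    data, icv = protected[:-ICV_LEN], protected[-ICV_LEN:]
    if not verify_icv(key, data, icv, alg):
        return None
    return data


def rfc2202_known_answer() -> bool:
    """Check the HMAC primitive against RFC 2202 test case 1 (key 0x0b*20, "Hi There")."""
    full = hmac.new(b"\x0b" * 20, b"Hi There", hashlib.sha1).hexdigest()
    return full == "b617318655057264e28bc0b6fb378c8ef146be00"


if __name__ == "__main__":
    for alg in ALGORITHMS:
        wire = protect(SAMPLE_KEY, SAMPLE_PACKET, alg)
        tampered = wire[:30] + bytes([wire[30] ^ 0x01]) + wire[31:]  # flip one bit
        print(alg, "icv =", wire[-ICV_LEN:].hex(),
              "ok:", unprotect(SAMPLE_KEY, wire, alg) == SAMPLE_PACKET,
              "tampered rejected:", unprotect(SAMPLE_KEY, tampered, alg) is None)
    print("RFC 2202 known answer:", rfc2202_known_answer())
```

The truncation to 96 bits is what distinguishes the IPSec authenticators from a plain HMAC; a receiver that compares the full 20-byte SHA-1 output against a 12-byte ICV will reject every valid packet.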
65. Appendix B Pop-up Windows, JavaScripts and Java Permissions (page 307)

(Figure, continued: Play a sound when a pop-up is blocked; Show Information Bar when a pop-up is blocked; Filter Level: Medium: Block most automatic pop-ups; Pop-up Blocker FAQ; Close button.)

5 Click Close to return to the Privacy screen.

6 Click Apply to save this setting.

JavaScripts

If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed.

1 In Internet Explorer, click Tools, Internet Options and then the Security tab.

Figure 201 Internet Options: Security (screen capture; tabs: General, Security, Privacy, Content, Connections, Programs, Advanced; "Select a Web content zone to specify its security settings": Internet, Local intranet, Trusted sites, Restricted sites; Internet zone: "This zone contains all Web sites you haven't placed in other zones", Sites button; "Security level for this zone: Move the slider to set the security level for this zone"; Medium: "Safe browsing and still functional. Prompts before downloading potentially unsafe content. Unsigned ActiveX controls will not be downloaded. Appropriate for most Internet sites."; Custom Level... and Default Level buttons; OK, Cancel, Apply).

2 Click the Custom Level... button.

3 Scroll down to Scripting.

4 Under Active scripting make sure that Enable is sele

Click OK to close the window.
66. Chapter 3 Wizards

... Section 3.1 on page 54.

3.1.3 No DSL Detection

The ZyXEL Device cannot detect the DSL connection. Check your hardware connections.

Figure 26 Internet Setup Wizard: No DSL Connection (screen capture; STEP 1, STEP 2; Internet Configuration; Restart the Internet/Wireless Setup Wizard; Continue to Wireless Setup wizard: Yes / No).

Click Restart the Internet/Wireless Setup Wizard to return to the wizard main screen. Click Next to continue to the Wireless Setup Wizard (wireless devices only) or click Exit to close the wizard main screen and return to the Status screen or the main window.

3.2 Wireless Connection Wizard Setup (wireless devices only)

After you configure the Internet access information, use the following screens to set up your wireless LAN.

1 Select Yes and click Next to configure wireless settings. Otherwise, select No and skip to Step 6.

Figure 27 Connection Test Successful (screen capture; Internet Configuration; "... ess the Internet now. The Internet configuration is complete."; Continue to Wireless Setup wizard: Yes / No).

2 Use this screen to activate the wireless LAN and OTIST. Click Next to continue.

Figure 28 Wireless LAN Setup Wizard 1 (screen capture; STEP 1 > STEP 2; Wireless LAN; Active; Give your netwo
67. Series User's Guide, Chapter 5 LAN Setup
Figure 53 LAN IP Alias (screenshot: IP Alias 1 and IP Alias 2 check boxes, each with IP Address, IP Subnet Mask, RIP Direction and RIP Version fields; Cancel)
The following table describes the labels in this screen.
Table 34 LAN IP Alias
IP Alias 1, 2: Select the check box to configure another LAN network for the ZyXEL Device.
IP Address: Enter the IP address of your ZyXEL Device in dotted decimal notation. Alternatively, click the right mouse button to copy and/or paste the IP address.
IP Subnet Mask: Your ZyXEL Device will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyXEL Device.
RIP Direction: RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None. When set to Both or Out Only, the ZyXEL Device will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets
68. Setup
The following table describes the fields in this screen.
Table 30 LAN IP
TCP/IP
IP Address: Enter the IP address of your ZyXEL Device in dotted decimal notation, for example, 192.168.1.1 (factory default).
IP Subnet Mask: Type the subnet mask assigned to you by your ISP (if given).
Apply: Click Apply to save your changes back to the ZyXEL Device.
Cancel: Click Cancel to begin configuring this screen afresh.
Advanced Setup: Click this button to display the Advanced LAN Setup screen and edit more details of your LAN setup.
5.3.1 Configuring Advanced LAN Setup
To edit your ZyXEL Device's advanced LAN settings, click the Advanced Setup button in the LAN IP screen. The screen appears as shown.
Figure 49 Advanced LAN Setup (screenshot: RIP & Multicast Setup: RIP Direction Both, RIP Version RIP-1, Multicast IGMP-v1; Any IP Setup: Active; Windows Networking (NetBIOS over TCP/IP): Allow between LAN and WAN; Back, Apply, Cancel)
The following table describes the labels in this screen.
Table 31 Advanced LAN Setup
RIP & Multicast Setup
RIP Direction: RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None. When
69. Setup: ISP Parameters 55
Figure 22 Internet Setup Wizard: ISP Parameters (Ethernet) 56
Figure 23 Internet Setup Wizard: ISP Parameters (PPPoE) 57
Figure 24 Internet Setup Wizard: ISP Parameters (RFC1483, Routing Mode) 58
Figure 25 Internet Setup Wizard: ISP Parameters (PPPoA) 59
Figure 26 Internet Setup Wizard: No DSL Connection 60
Figure 27 Connection Test Successful 60
Figure 28 Wireless LAN Setup Wizard 1 61
Figure 29 Wireless LAN Setup Wizard 62
Figure 30 Manually assign a WPA Key 63
Figure 31 Manually assign a WEP Key 64
Figure 32 Wireless LAN Setup 64
Figure 33 Internet Setup Wizard: Summary Screen 65
Figure 34 Bandwidth Management Wizard: General Information 67
Figure 35 Bandwidth Management Wizard: Configuration 68
Figure 36 Bandwidth Management Wizard: Complete
70. Status: Inactive; Device: eth0; Nickname: eth0; Type: Ethernet (screenshot residue of the network device list)
2 Double-click on the profile of the network card you wish to configure. The Ethernet Device General screen displays as shown.
Figure 189 Red Hat 9.0: KDE: Ethernet Device: General (screenshot: General, Route and Hardware Device tabs; Nickname eth0; Activate device when computer starts; Allow all users to enable and disable the device; Automatically obtain IP address settings with dhcp; DHCP Settings: Hostname (optional), Automatically obtain DNS information from provider; Statically set IP addresses: Manual IP Address Settings: Address, Subnet Mask, Default Gateway Address; OK, Cancel)
Appendix A Setting up Your Computer's IP Address
If you have a dynamic IP address, click Automatically obtain IP address settings with and select dhcp from the drop-down list.
If you have a static IP address, click Statically set IP Addresses and fill in the Address, Subnet mask, and Default Gateway Address fields.
3 Click OK to save the changes and close the Ethernet Device General screen.
4 If you know your DNS server IP address(es), click the DNS tab in the Network Configuration screen. Enter the DNS server information in the fields provided.
Figure 190 Red Hat 9.0: KDE: Network Config
71. TCP/IP Printing; 3Com EtherLink 10/100 PCI TX NIC (3C905B-TX); Dial-Up Adapter; USB Fast Ethernet Adapter; TCP/IP -> 3Com EtherLink 10/100 PCI TX NIC (3C905B-T...); Client for Microsoft Networks (screenshot residue of the Network window Configuration tab)
Installing Components
The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks.
If you need the adapter:
1 In the Network window, click Add.
2 Select Adapter and then click Add.
3 Select the manufacturer and model of your network adapter and then click OK.
If you need TCP/IP:
1 In the Network window, click Add.
2 Select Protocol and then click Add.
3 Select Microsoft from the list of manufacturers.
4 Select TCP/IP from the list of network protocols and then click OK.
If you need Client for Microsoft Networks:
1 Click Add.
2 Select Client and then click Add.
3 Select Microsoft from the list of manufacturers.
4 Select Client for Microsoft Networks from the list of network clients and then click OK.
5 Restart your computer so the changes you made take effect.
Appendix A Setting up Your Computer's IP Address
Configuring
1 In the Network window Configuration tab, select your network adapter's TCP/IP entry and click Properties.
2 Click the IP Address tab.
If your IP address is dynamic, select Obtain an IP address automatically.
If you have a static IP address, select Specify an
72. The wireless client needs to enter the username and password again before access to the wired network is allowed. The default time interval is 3600 seconds (or 1 hour).
Chapter 6 Wireless LAN
Table 39 Wireless: WPA-PSK/WPA2-PSK
Group Key Update Timer (In Seconds): The Group Key Update Timer is the rate at which the AP (if using WPA-PSK/WPA2-PSK key management) or RADIUS server (if using WPA(2) key management) sends a new group key out to all clients. The re-keying process is the WPA(2) equivalent of automatically changing the WEP key for an AP and all stations in a WLAN on a periodic basis. Setting of the Group Key Update Timer is also supported in WPA-PSK/WPA2-PSK mode. The default is 1800 seconds (30 minutes).
Apply: Click Apply to save your changes back to the ZyXEL Device.
Cancel: Click Cancel to reload the previous configuration for this screen.
Advanced Setup: Click Advanced Setup to display the Wireless Advanced Setup screen and edit more details of your WLAN setup.
6.4.4 WPA/WPA2
In order to configure and enable WPA/WPA2, click the Wireless LAN link under Network to display the General screen. Select WPA or WPA2 from the Security Mode list.
Figure 58 Wireless: WPA/WPA2 (screenshot: General; Wireless Setup: Active Wireless LAN, Network Name (SSID) zxtt, Hide SSID, Channel Selection Channel 06 2437MHz; Sec
73. Tools 261; Diagnostic 267
System
Use this screen to configure the ZyXEL Device's time and date settings.
18.1 General Setup
18.1.1 General Setup and System Name
General Setup contains administrative and system related information. System Name is for identification purposes. However, because some ISPs check this name you should enter your computer's "Computer Name".
In Windows 95/98 click Start, Settings, Control Panel, Network. Click the Identification tab, note the entry for the Computer Name field and enter it as the System Name.
In Windows 2000, click Start, Settings, Control Panel and then double-click System. Click the Network Identification tab and then the Properties button. Note the entry for the Computer name field and enter it as the System Name.
In Windows XP, click start, My Computer, View system information and then click the Computer Name tab. Note the entry in the Full computer name field and enter it as the ZyXEL Device System Name.
18.1.2 General Setup
The Domain Name entry is what is propagated to the DHCP clients on the LAN. If you leave this blank, the domain name obtained by DHCP from the ISP is used. While you must enter the host name (System Name), the domain name can be assigned from the ZyXEL Device via DHCP.
Click Maintenance > System to open the General screen.
Chapter 18 System (page 251)
Figure 148 System General Setup (screenshot: System Setup; System Ma
74. Chapter 20 Tools
Figure 155 Error Message (screenshot: System Upload; Firmware upload error: "The uploaded file was not accepted by the device. Please return to the previous page and select a valid upgrade file. Click Help for more information." Return)
20.2 Configuration
Use this screen to back up or restore the configuration of the ZyXEL Device. You can also use this screen to reset the ZyXEL Device to the factory default settings. To access this screen, click Maintenance > Tools > Configuration.
Figure 156 Configuration (screenshot: Firmware and Configuration tabs. Backup Configuration: "Click Backup to save the current configuration to your computer." Backup. Restore Configuration: "To restore a previously saved configuration file on your computer to the Prestige, please type a location for storing the configuration file or click Browse to look for one, and then click Upload." File Path, Browse, Upload. Reset to Factory Default Settings: "Click Reset to clear all user entered configuration and return the Prestige to the factory default settings. The following default settings would become effective after click Reset: Password: 1234; LAN IP: 192.168.1.1; DHCP: Server." Reset)
The following table describes the labels in this screen.
Table 113 Configuration
Backup Configuration
Backup: Click this to save the ZyXEL Device's current configuration to a file
75. Chapter 20 Tools
Table 112 Firmware Upgrade (continued)
Browse...: Click Browse... to find the .bin file you want to upload. Remember that you must decompress compressed (.zip) files before you can upload them.
Upload: Click Upload to begin the upload process. This process may take up to two minutes.
Do NOT turn off the ZyXEL Device while firmware upload is in progress.
After you see the Firmware Upload in Progress screen, wait two minutes before logging into the ZyXEL Device again.
Figure 153 Firmware Upload In Progress (screenshot: "Firmware Upload In Progress. Do not Turn Off the Device. Please Wait. Please wait for the device to finish restarting (PWR LED is on steady). This should take about two minutes. To access the device after a successful firmware upload, you need to log in again. Check your new firmware version in the system status menu.")
The ZyXEL Device automatically restarts in this time causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.
Figure 154 Network Temporarily Disconnected (screenshot: Local Area Connection: Network cable unplugged)
After two minutes, log in again and check your new firmware version in the Status screen.
If the upload was not successful, the following screen will appear. Click Return to go back to the Firmware screen.
76. Yes
Credential Integrity: None, Strong, Strong, Strong, Moderate
Deployment Difficulty: Easy, Hard, Moderate, Moderate, Moderate
Client Identity Protection: No, No, Yes, Yes, No
(remaining rows of a comparison table whose column headers are not on this page)
WPA and WPA2
Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA.
Key differences between WPA or WPA2 and WEP are improved data encryption and user authentication.
If both an AP and the wireless clients support WPA2 and you have an external RADIUS server, use WPA2 for stronger data encryption. If you don't have an external RADIUS server, you should use WPA2-PSK (WPA2 Pre-Shared Key) that only requires a single (identical) password entered into each access point, wireless gateway and wireless client. As long as the passwords match, a wireless client will be granted access to a WLAN.
If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK depending on whether you have an external RADIUS server or not.
Select WEP only when the AP and/or wireless clients do not support WPA or WPA2. WEP is less secure than WPA or WPA2.
Appendix D Wireless LANs
Encryption
Both WPA and WPA2 improve data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x. WPA and WPA2 use Advanced Encryption Standard (AES) in the Counter mode
77. ZyXEL Device
The actual physical connection determines whether the ZyXEL Device ports are LAN or WAN ports. There are two separate IP networks, one inside the LAN network and the other outside the WAN network as shown next.
Figure 46 LAN and WAN IP Addresses (diagram: the interface to the LAN is Ethernet; the interface to the Internet or a remote node is the DSL port; LAN, WAN, Internet)
Chapter 5 LAN Setup
5.1.2 DHCP Setup
DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the ZyXEL Device as a DHCP server or disable it. When configured as a server, the ZyXEL Device provides the TCP/IP configuration for the clients. If you turn DHCP service off, you must have another DHCP server on your LAN, or else the computer must be manually configured.
5.1.2.1 IP Pool Setup
The ZyXEL Device is pre-configured with a pool of IP addresses for the DHCP clients (DHCP Pool). See the product specifications in the appendices. Do not assign static IP addresses from the DHCP pool to your LAN computers.
5.1.3 DNS Server Address
DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. The DNS server a
78. ZyXEL Device models have this field.
Send Log To: The ZyXEL Device sends logs to the e-mail address specified in this field. If this field is left blank, the ZyXEL Device does not send logs via e-mail.
Send Alerts To: Alerts are real-time notifications that are sent as soon as an event, such as a DoS attack, system error, or forbidden web access attempt occurs. Enter the e-mail address where the alert messages will be sent. Alerts include system errors, attacks and attempted access to blocked web sites. If this field is left blank, alert messages will not be sent via e-mail.
Enable SMTP Authentication: SMTP (Simple Mail Transfer Protocol) is the message exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another. Select the check box to activate SMTP authentication. If mail server authentication is needed but this feature is disabled, you will not receive the e-mail logs.
Chapter 19 Logs (page 259)
Table 111 Log Settings
User Name: Enter the user name (up to 31 characters), usually the user name of a mail account.
Password: Enter the password associated with the user name above.
Log Schedule: This drop-down menu is used to configure the frequency of log messages being sent as e-mail: Daily, Weekly, Hourly, When Log is Full, None. If you select Weekly or Daily, specify a time of day when the e-mail
79. a time. The Ethernet port must use the same speed or duplex mode setting as the peer Ethernet port in order to connect. Simultaneous transmissions over the same port (Full duplex) essentially double the bandwidth.
For the WAN port, it displays the downstream and upstream transmission rate. For the WLAN port, it displays the transmission rate when WLAN is enabled or N/A when WLAN is disabled.
Summary (not available if you entered the user password)
Any IP Table: Use this screen to view a list of IP addresses and MAC addresses of computers, which are not in the same subnet as the ZyXEL Device.
VPN Status: Use this screen to view the status of any VPN tunnels the ZyXEL Device has negotiated.
Bandwidth Status: Use this screen to view the ZyXEL Device's bandwidth usage and allotments.
Packet Statistics: Use this screen to view port status and packet specific statistics.
WLAN Status (wireless devices only): This screen displays the MAC address(es) of the wireless stations that are currently associating with the ZyXEL Device.
2.4.3 Status: Any IP Table
Click the Any IP Table hyperlink in the Status screen. The Any IP table shows current read-only information (including the IP address and the MAC address) of all network devices that use the Any IP feature to communicate with the ZyXEL Device.
Figure 11 Status: Any IP Table (screenshot: one entry, # 1, IP address 255.255.255.255, MAC address 11:22:33:44:55:66; Refresh)
80. a value between 0 and 2432. If you select the Enable 802.11g+ mode checkbox, this field is grayed out and the ZyXEL Device uses 4096 automatically.
Fragmentation Threshold: It is the maximum data fragment size that can be sent. Enter a value between 256 and 2432. If you select the Enable 802.11g+ mode checkbox, this field is grayed out and the ZyXEL Device uses 4096 automatically.
Output Power: Set the output power of the ZyXEL Device in this field. This control changes the strength of the ZyXEL Device's antenna gain or transmission power. Antenna gain is the increase in coverage. Higher antenna gain improves the range of the signal for better communications. If there is a high density of APs within an area, decrease the output power of the ZyXEL Device to reduce interference with other APs. The options are Maximum, Middle and Minimum.
Preamble: Select Long preamble if you are unsure what preamble mode the wireless adapters support, and to provide more reliable communications in busy wireless networks. Select Short preamble if you are sure the wireless adapters support it, and to provide more efficient communications. Select Dynamic to have the ZyXEL Device automatically use short preamble when wireless adapters support it, otherwise the ZyXEL Device uses long preamble.
802.11 Mode: Select 802.11b Only to allow only IEEE 802.11b compliant WLAN devices to associate with the ZyXEL Device. Select 802.11g Only to allow only IEEE 802.11g
81. always based on network number.
Gateway: This is the IP address of the gateway. The gateway is a router or switch on the same network segment as the device's LAN or WAN port. The gateway helps forward packets to their destinations.
Subnet Mask: This is the subnet mask of the static route.
Modify: Click the edit icon to go to the screen where you can set up a static route on the ZyXEL Device. Click the delete icon to remove a static route from the ZyXEL Device. A window displays asking you to confirm that you want to delete the route.
13.2.1 Static Route Edit
Select a static route index number and click Edit. The screen shown next appears. Use this screen to configure the required information for a static route.
Chapter 13 Static Route
Figure 118 Static Route Edit (screenshot: Static Route Setup: Active, Route Name, Destination IP Address 0.0.0.0, IP Subnet Mask 0.0.0.0, Gateway IP Address 0.0.0.0; Back, Apply, Cancel)
The following table describes the labels in this screen.
Table 86 Static Route Edit
Active: This field allows you to activate/deactivate this static route.
Route Name: Enter the name of the IP static route. Leave this field blank to delete this static route.
Destination IP Address: This parameter specifies the IP network address of the final destination. Routing is always based on network number. If
82. by default.
If there is no DHCP server on your network, make sure your computer's IP address is in the same subnet as the ZyXEL Device. See Section 5.4 on page 96.
Chapter 22 Troubleshooting (page 272)
5 Check that you have enabled web service access. If you have configured a secured client IP address, your computer's IP address must match it. See Section 16.2 on page 226.
6 Reset the device to its factory defaults, and try to access the ZyXEL Device with the default IP address. See Section 2.3 on page 42.
7 If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions.
Advanced Suggestions
If your computer is connected to the WAN port or is connected wirelessly, use a computer that is connected to an ETHERNET port.
I can see the Login screen, but I cannot log in to the ZyXEL Device.
1 Make sure you have entered the password correctly. The default user password is user and admin password is 1234. These fields are case-sensitive, so make sure [Caps Lock] is not on.
2 You cannot log in to the web configurator while someone is using the Telnet to access the ZyXEL Device. Log out of the ZyXEL Device in the other session, or ask the person who is logged in to log out.
Turn the ZyXEL Device off and on.
If this does not work, you have to reset the device to its factory defaults. See Section 22.1 on page 271.
I cannot Telnet to the ZyXEL D
83. by one or more of the following measures:
1 Reorient or relocate the receiving antenna.
2 Increase the separation between the equipment and the receiver.
3 Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
4 Consult the dealer or an experienced radio/TV technician for help.
FCC Radiation Exposure Statement
This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter.
IEEE 802.11b or 802.11g operation of this product in the U.S.A. is firmware-limited to channels 1 through 11.
To comply with FCC RF exposure compliance requirements, a separation distance of at least 20 cm must be maintained between the antenna of this device and all persons.
84. compliant WLAN devices to associate with the ZyXEL Device. Select Mixed to allow either IEEE 802.11b or IEEE 802.11g compliant WLAN devices to associate with the ZyXEL Device. The transmission rate of your ZyXEL Device might be reduced.
Chapter 6 Wireless LAN
Table 41 Wireless LAN: Advanced
Enable 802.11g+ mode: Select the Enable 802.11g+ mode checkbox to allow any ZyXEL WLAN devices that support this feature to associate with the ZyXEL Device at higher transmission speeds. This permits the ZyXEL Device to transmit at a higher speed than the 802.11g Only mode.
Max. Frame Burst: Enable Maximum Frame Burst to help eliminate collisions in mixed-mode networks (networks with both IEEE 802.11g and IEEE 802.11b traffic) and enhance the performance of both pure IEEE 802.11g and mixed IEEE 802.11b/g networks. Maximum Frame Burst sets the maximum time, in micro-seconds, that the ZyXEL Device transmits IEEE 802.11g wireless traffic only. Type the maximum frame burst between 0 and 1800 (650, 1000 or 1800 recommended). Enter 0 to disable this feature.
Back: Click Back to return to the previous screen.
Apply: Click Apply to save your changes back to the ZyXEL Device.
Cancel: Click Cancel to reload the previous configuration for this screen.
6.5 OTIST
In a wireless network, the wireless clients must have the same SSID and security settings as the acce
85. confidentiality, for which the ESP was designed.
In applications where confidentiality is not required or not sanctioned by government encryption restrictions, an AH can be employed to ensure integrity. This type of implementation does not protect the information from dissemination but will allow for verification of the integrity of the information and authentication of the originator.
12.2.2 ESP (Encapsulating Security Payload) Protocol
The ESP protocol (RFC 2406) provides encryption as well as the services offered by AH. ESP authenticating properties are limited compared to the AH due to the non-inclusion of the IP header information during the authentication process. However, ESP is sufficient if only the upper layer protocols need to be authenticated.
An added feature of the ESP is payload padding, which further protects communications by concealing the size of the packet being transmitted.
Chapter 12 VPN Screens
Table 71 AH and ESP
ENCRYPTION
ESP, DES (default): Data Encryption Standard (DES) is a widely used method of data encryption using a private (secret) key. DES applies a 56-bit key to each 64-bit block of data.
AH, MD5 (default): MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data.
ESP, 3DES: Triple DES (3DES) is a variant of DES, which iterates three times with three separate keys (3 x 56 = 168 bits), effectively doubling the strength of D
86. configurator.
17.1 Introducing Universal Plug and Play
Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities and learn about other devices on the network. In turn, a device can leave a network smoothly and automatically when it is no longer in use.
See Section 17.2.1 on page 238 for configuration instructions.
17.1.1 How do I know if I'm using UPnP?
UPnP hardware is identified as an icon in the Network Connections folder (Windows XP). Each UPnP compatible device installed on your network will appear as a separate icon. Selecting the icon of a UPnP device will allow you to access the information and properties of that device.
17.1.2 NAT Traversal
UPnP NAT traversal automates the process of allowing an application to operate through NAT. UPnP network devices can automatically configure network addressing, announce their presence in the network to other UPnP devices and enable exchange of simple product and service descriptions. NAT traversal allows the following:
Dynamic port mapping
Learning public IP addresses
Assigning lease times to mappings
Windows Messenger is an example of an application that supports NAT traversal and UPnP.
See the NAT chapter for more information on NAT.
17.1.3 Cautions with UPnP
The automated nature of NAT tr
87. describes the fields in this screen.
Table 82 VPN: Global Setting
Windows Networking (NetBIOS over TCP/IP): NetBIOS (Network Basic Input/Output System) are TCP or UDP packets that enable a computer to find other computers. It may sometimes be necessary to allow NetBIOS packets to pass through VPN tunnels in order to allow local computers to find computers on the remote network and vice versa.
Allow NetBIOS Traffic Through All IPSec Tunnels: Select this check box to send NetBIOS packets through the VPN connection.
Apply: Click Apply to save your changes back to the ZyXEL Device.
Cancel: Click Cancel to begin configuring this screen afresh.
12.18 Telecommuter VPN/IPSec Examples
The following examples show how multiple telecommuters can make VPN connections to a single ZyXEL Device at headquarters. The telecommuters use IPSec routers with dynamic WAN IP addresses. The ZyXEL Device at headquarters has a static public IP address.
12.18.1 Telecommuters Sharing One VPN Rule Example
See the following figure and table for an example configuration that allows multiple telecommuters (A, B and C in the figure) to use one VPN rule to simultaneously access a ZyXEL Device at headquarters (HQ in the figure). The telecommuters do not have domain names mapped to the WAN IP addresses of their IPSec routers. The telecommuters must all use the same IPSec parameters but the local IP addresses (or ranges of addresses) sho
88. 144
8.5.5 Upper Layer Protocols 145
8.6 Guidelines for Enhancing Security with Your Firewall 146
Packet Filtering Vs Firewall 147
Chapter 9 Firewall Configuration 149
Rule Logic 150
9.3.2 Security Ramifications 150
9.3.3 Key Fields For Configuring Rules 151
LAN to WAN Rules 152
9.5.1 The "Triangle Route" Problem 152
9.5.2 Solving the "Triangle Route" Problem 153
9.6 General Firewall Policy 154
Firewall Rules Summary 155
9.7.1 Configuring Firewall Rules 157
9.7.2 Customized Services
in this screen.

Table 38 Wireless: Static WEP Encryption
LABEL: DESCRIPTION
Security Mode: Choose Static WEP from the drop-down list box.
Passphrase: Enter a passphrase (up to 32 printable characters) and click Generate. The ZyXEL Device automatically generates a WEP key.
WEP Key: The WEP keys are used to encrypt data. Both the ZyXEL Device and the wireless clients must use the same WEP key for data transmission. If you want to manually set the WEP key, enter any 5, 13 or 29 characters (ASCII string) or 10, 26 or 58 hexadecimal characters (0-9, A-F) for a 64-bit, 128-bit or 256-bit WEP key respectively.
Apply: Click Apply to save your changes back to the ZyXEL Device.
Cancel: Click Cancel to reload the previous configuration for this screen.
Advanced Setup: Click Advanced Setup to display the Wireless Advanced Setup screen and edit more details of your WLAN setup.

6.4.3 WPA-PSK/WPA2-PSK

In order to configure and enable WPA(2)-PSK authentication, click Network > Wireless LAN to display the General screen. Select WPA-PSK or WPA2-PSK from the Security Mode list.

Figure 57 Wireless: WPA-PSK/WPA2-PSK (the screen shows Wireless Setup: Active Wireless LAN, Network Name (SSID) ZyXEL, Hide SSID, Channel Selection: Channel 06 2437MHz; Security: Security Mode WPA2-PSK, WPA Compatible, Pre-Shared Key, ReAuthentication Timer 1800 (In Se
information that is sent in the wireless network.

6.2.2 MAC Address Filter

Every device that can use a wireless network has a unique identification number, called a MAC address. A MAC address is usually written using twelve hexadecimal characters, for example 00A0C5000002 or 00:A0:C5:00:00:02. To get the MAC address for each device in the wireless network, see the device's User's Guide or other documentation.

You can use the MAC address filter to tell the ZyXEL Device which devices are allowed or not allowed to use the wireless network. If a device is allowed to use the wireless network, it still has to have the correct information (SSID, channel, and security). If a device is not allowed to use the wireless network, it does not matter if it has the correct information.

This type of security does not protect the information that is sent in the wireless network. Furthermore, there are ways for unauthorized wireless devices to get the MAC address of an authorized device. Then, they can use that MAC address to use the wireless network.

6.2.3 User Authentication

You can make every user log in to the wireless network before they can use it. This is called user authentication. However, every device in the wireless network has to support IEEE 802.1x to do this.

For wireless networks, user names and passwords can be stored in a RADIUS server. This is a server used in businesses more than in homes. If you do not have a RADIUS server, you canno
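The MAC filter described in Section 6.2.2 compares the address a client presents against a list, so the list entries and the presented address must be normalized to one form before comparison. The following Python is an added example, not code from the manual or from ZyXEL: it canonicalizes the two spellings the text shows (and dash/dot separated variants), applies an allow or deny list, and evaluates a constructed set of association attempts. The allow list and the attempt records are invented sample data.

```python
import re

# Constructed allow list for the demonstration (example values, not from the manual).
ALLOWED_MACS = ["00A0C5000002", "00:a0:c5:00:00:03", "00-A0-C5-00-00-04"]


def normalize_mac(mac: str) -> str:
    """Canonicalize a MAC address to 12 uppercase hex digits.

    Accepts 00A0C5000002, 00:A0:C5:00:00:02, 00-A0-C5-00-00-02 and
    00a0.c500.0002; anything else is rejected so that a typo in the
    filter list cannot silently admit or lock out a device.
    """
    if not re.fullmatch(r"[0-9A-Fa-f:.\- ]+", mac.strip()):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"MAC address must have 12 hex digits: {mac!r}")
    return digits.upper()


def is_valid_mac(mac: str) -> bool:
    try:
        normalize_mac(mac)
        return True
    except ValueError:
        return False


def pretty_mac(mac: str) -> str:
    """Render a MAC in the colon separated form (00:A0:C5:00:00:02)."""
    d = normalize_mac(mac)
    return ":".join(d[i:i + 2] for i in range(0, 12, 2))


class MacFilter:
    """Allow or deny wireless clients by MAC address.

    mode="allow": only listed devices may associate.
    mode="deny":  listed devices may not associate, everyone else may.
    """

    def __init__(self, macs, mode: str = "allow"):
        if mode not in ("allow", "deny"):
            raise ValueError("mode must be 'allow' or 'deny'")
        self.mode = mode
        self.macs = {normalize_mac(m) for m in macs}

    def permits(self, mac: str) -> bool:
        listed = normalize_mac(mac) in self.macs
        return listed if self.mode == "allow" else not listed


def evaluate_associations(flt: MacFilter, attempts):
    """Apply the filter to (client_mac, ssid) association attempts.

    Returns (permitted, refused) lists of colon formatted MACs. The filter
    cannot tell a listed device from one that copied its address: both land
    in 'permitted', which is the weakness the text describes.
    """
    permitted, refused = [], []
    for mac, _ssid in attempts:
        (permitted if flt.permits(mac) else refused).append(pretty_mac(mac))
    return permitted, refused


# Constructed association attempts; 00A0C5000009 is not on the list.
SAMPLE_ATTEMPTS = [("00A0C5000002", "ZyXEL"),
                   ("00:a0:c5:00:00:09", "ZyXEL"),
                   ("00-A0-C5-00-00-04", "ZyXEL")]

if __name__ == "__main__":
    print(evaluate_associations(MacFilter(ALLOWED_MACS), SAMPLE_ATTEMPTS))
```

Normalizing before comparison matters in practice because the same filter list is often copied between devices whose user interfaces print addresses differently; a mismatch in case or separators would otherwise look like a denied client.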
is a (static) IP address on the LAN behind your ZyXEL Device.
End / Subnet Mask: When the Local Address Type field is configured to Single, this field is N/A. When the Local Address Type field is configured to Range, enter the end (static) IP address, in a range of computers on the LAN behind your ZyXEL Device. When the Local Address Type field is configured to Subnet, this is a subnet mask on the LAN behind your ZyXEL Device.
Remote: Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. The remote fields do not apply when the Secure Gateway IP Address field is configured to 0.0.0.0. In this case only the remote IPSec router can initiate the VPN.
Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.
Remote Address Type: Use the drop-down menu to choose Single, Range, or Subnet. Select Single with a single IP address. Select Range for a specific range of IP addresses. Select Subnet to specify IP addresses on a network by their subnet mask.

Table 78 Edit VPN Policies (continued)
LABEL: DESCRIPTION
IP Address Start: When the Remote Address Type field is configured to Single, enter a
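The rule in Table 78 that two active SAs may share a local address or a remote address but not both is easy to violate when the same subnet is written in two ways (192.168.1.0/255.255.255.0 and 192.168.1.37/255.255.255.0 describe the same network). The following Python is an added example, not the ZyXEL Device's own validation logic: it converts each Single/Range/Subnet policy address into an integer span and reports pairs of active policies whose local and remote spans are both identical. The policy names, addresses and gateways are constructed sample data, and policies whose Secure Gateway IP Address is 0.0.0.0 (dynamic peer) are skipped because the remote fields do not apply to them.

```python
import ipaddress


def address_span(addr_type: str, start: str, end_or_mask: str = "") -> tuple:
    """Turn a Single / Range / Subnet policy address into an integer (first, last) span.

    Mirrors the screen's fields: for Single the End/Subnet Mask field is N/A,
    for Range it is the end address, for Subnet it is the subnet mask.
    """
    first = int(ipaddress.IPv4Address(start))
    if addr_type == "Single":
        return first, first
    if addr_type == "Range":
        last = int(ipaddress.IPv4Address(end_or_mask))
        if last < first:
            raise ValueError("range end precedes start")
        return first, last
    if addr_type == "Subnet":
        net = ipaddress.IPv4Network((start, end_or_mask), strict=False)
        return int(net.network_address), int(net.broadcast_address)
    raise ValueError(f"unknown address type {addr_type!r}")


class VpnPolicy:
    """One row of the VPN rule table, reduced to the fields the uniqueness rule needs."""

    def __init__(self, name, active, local, remote, secure_gateway="0.0.0.0"):
        self.name, self.active = name, active
        self.local = address_span(*local)
        self.secure_gateway = secure_gateway
        # The remote fields do not apply when the Secure Gateway IP Address is 0.0.0.0.
        self.remote = None if secure_gateway == "0.0.0.0" or remote is None else address_span(*remote)


def check_active_policies(policies):
    """Return (name_a, name_b) pairs of active policies with identical local AND remote spans.

    Inactive policies are ignored, which is what permits several rules between
    the same endpoints as long as only one is active at a time.
    """
    active = [p for p in policies if p.active and p.remote is not None]
    conflicts = []
    for i, a in enumerate(active):
        for b in active[i + 1:]:
            if a.local == b.local and a.remote == b.remote:
                conflicts.append((a.name, b.name))
    return conflicts


# Constructed sample rule set (not from the manual).
SAMPLE_POLICIES = [
    VpnPolicy("HQ-A", True, ("Subnet", "192.168.1.0", "255.255.255.0"),
              ("Single", "192.168.2.5"), "203.0.113.10"),
    # Same /24 written from a host address, same remote host: conflicts with HQ-A.
    VpnPolicy("HQ-B", True, ("Subnet", "192.168.1.37", "255.255.255.0"),
              ("Single", "192.168.2.5"), "203.0.113.11"),
    # Same local, different remote: allowed.
    VpnPolicy("HQ-C", True, ("Subnet", "192.168.1.0", "255.255.255.0"),
              ("Range", "192.168.3.1", "192.168.3.50"), "203.0.113.12"),
    # Duplicate of HQ-A but inactive: allowed.
    VpnPolicy("HQ-A-backup", False, ("Subnet", "192.168.1.0", "255.255.255.0"),
              ("Single", "192.168.2.5"), "203.0.113.10"),
    # Dynamic peers: remote fields do not apply.
    VpnPolicy("Telecommuters", True, ("Subnet", "192.168.1.0", "255.255.255.0"),
              None, "0.0.0.0"),
]

if __name__ == "__main__":
    print(check_active_policies(SAMPLE_POLICIES))
```

Comparing spans rather than the typed strings is the point: the device applies the rule to the addresses the policy actually covers, so a validator that only compared the text in the fields would miss the HQ-A/HQ-B case.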
it is more difficult to decrypt data on a Wi-Fi network than WEP and difficult for an intruder to break into the network.

The encryption mechanisms used for WPA(2) and WPA(2)-PSK are the same. The only difference between the two is that WPA(2)-PSK uses a simple common password, instead of user-specific credentials. The common-password approach makes WPA(2)-PSK susceptible to brute-force password-guessing attacks, but it is still an improvement over WEP as it employs a consistent, single, alphanumeric password to derive a PMK which is used to generate unique temporal encryption keys. This prevents all wireless devices from sharing the same encryption keys, a weakness of WEP.

User Authentication

WPA and WPA2 apply IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless clients using an external RADIUS database. WPA2 reduces the number of key exchange messages from six to four (CCMP 4-way handshake) and shortens the time required to connect to a network. Other WPA2 authentication features that are different from WPA include key caching and pre-authentication. These two features are optional and may not be supported in all wireless devices.

Key caching allows a wireless client to store the PMK it derived through a successful authentication with an AP. The wireless client uses the PMK when it tries to connect to the same AP and does not need to go through the authentication process again.

Pre-authentication enables fast roaming by allo
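The paragraph above says the pre-shared passphrase is used to derive a PMK, from which per-device temporal keys are generated. The following Python is an added example, not code from the manual or from ZyXEL, showing that derivation: the standard PMK derivation for WPA/WPA2-PSK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations and a 32-byte output (this comes from IEEE 802.11i, not from the manual). It also accepts a raw 64-hex-digit PSK, which the standard permits in place of a passphrase; that the device's Pre-Shared Key field accepts this form is an assumption. The passphrase/SSID pair "password"/"IEEE" is the published test vector for this derivation.

```python
import hashlib
import math
import re


def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PMK from a WPA/WPA2 pre-shared passphrase.

    PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    Every client that knows the passphrase ends up with this same PMK;
    the per-client temporal keys are derived later from the PMK together
    with both MAC addresses and fresh nonces, which is why devices do not
    share encryption keys the way WEP stations do.
    """
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii():
        raise ValueError("passphrase must be 8 to 63 ASCII characters")
    if not 0 < len(ssid.encode("utf-8")) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def pmk_from_preshared_key_field(value: str, ssid: str) -> bytes:
    """Interpret the Pre-Shared Key field (assumption: it accepts both forms).

    64 hex digits are taken as the raw 256-bit PSK; anything else is a
    passphrase run through PBKDF2.
    """
    if re.fullmatch(r"[0-9A-Fa-f]{64}", value):
        return bytes.fromhex(value)
    return wpa_psk_pmk(value, ssid)


def passphrase_entropy_bits(passphrase: str) -> float:
    """Rough strength estimate: log2(charset size ^ length) from the classes used.

    The SSID salt only stops precomputation across networks; the 4096
    PBKDF2 rounds make each guess costlier but do not rescue a short or
    dictionary passphrase, which is the brute-force risk the text notes.
    """
    classes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33)]
    charset = sum(size for pat, size in classes if re.search(pat, passphrase))
    return len(passphrase) * math.log2(charset) if charset else 0.0


if __name__ == "__main__":
    print(wpa_psk_pmk("password", "IEEE").hex())
```

Because the PMK depends on the SSID, renaming the network changes every client's PMK even if the passphrase is unchanged; cached PMKs are therefore invalidated by an SSID change as well as by a passphrase change.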
(List of Tables, continued)
Table 130 16-bit Network Number Subnet Planning 319
Table 132 Wireless Security Levels 328
Table 133 Comparison of EAP Authentication Types 331
Table 134 Wireless Security Relational Matrix 334
Table 135 Commonly Used Services 337

PART I
Introduction

Getting To Know Your ZyXEL Device (33)
Introducing the Web Configurator (39)
Wizards (53)

Getting To Know Your ZyXEL Device

This chapter describes the key features and applications of your ZyXEL Device.

1.1 Introducing the ZyXEL Device

The ZyXEL Device is an ADSL2+ gateway that allows super-fast, secure Internet access over analog (POTS) or digital (ISDN) telephone lines (depending on your model).

The ZyXEL Device is compatible with the ADSL/ADSL2/ADSL2+ standards. Maximum data rates attainable for each standard are shown in the next table.

Table 1 ADSL Standards
DATA RATE STANDARD | UPSTREAM | DOWNSTREAM
ADSL | 832 kbps | 8 Mbps
ADSL2 | 3.5 Mbps | 12 Mbps
ADSL2+ | 3.5 Mbps | 24 Mbps

If your ZyXEL Device does not support Annex M, the maximum ADSL2/2+ upstream data rate is 1.2 Mbps.
lower depending on range. IEEE 802.11g has several intermediate rate steps between the maximum and minimum data rates. The IEEE 802.11g data rate and modulation are as follows.

Table 131 IEEE 802.11g
DATA RATE (MBPS) | MODULATION
1 | DBPSK (Differential Binary Phase Shift Keyed)
2 | DQPSK (Differential Quadrature Phase Shift Keying)
5.5 / 11 | CCK (Complementary Code Keying)
6 / 9 / 12 / 18 / 24 / 36 / 48 / 54 | OFDM (Orthogonal Frequency Division Multiplexing)

Wireless Security Overview

Wireless security is vital to your network to protect wireless communication between wireless clients, access points and the wired network.

Wireless security methods available on the ZyXEL Device are data encryption, wireless client authentication, restricting access by device MAC address and hiding the ZyXEL Device identity.

The following figure shows the relative effectiveness of these wireless security methods available on your ZyXEL Device.

Table 132 Wireless Security Levels
SECURITY LEVEL | SECURITY TYPE
Least Secure | Unique SSID (Default)
| Unique SSID with Hide SSID Enabled
| MAC Address Filtering
| WEP Encryption
| IEEE802.1x EAP with RADIUS Server Authentication
| Wi-Fi Protected Access (WPA)
Most Secure | WPA2

Note: You must enable the same wireless security settings on the ZyXEL Device and on all wireless clients that you want
mask.

If the ISP did not explicitly give you an IP network number, then most likely you have a single-user account and the ISP will assign you a dynamic IP address when the connection is established. If this is the case, it is recommended that you select a network number from 192.168.0.0 to 192.168.255.0 and you must enable the Network Address Translation (NAT) feature of the ZyXEL Device. The Internet Assigned Number Authority (IANA) reserved this block of addresses specifically for private use; please do not use any other number unless you are told otherwise. Let's say you select 192.168.1.0 as the network number, which covers 254 individual addresses, from 192.168.1.1 to 192.168.1.254 (zero and 255 are reserved). In other words, the first three numbers specify the network number while the last number identifies an individual computer on that network.

Once you have decided on the network number, pick an IP address that is easy to remember (for instance, 192.168.1.1) for your ZyXEL Device, but make sure that no other device on your network is using that IP address.

The subnet mask specifies the network number portion of an IP address. Your ZyXEL Device will compute the subnet mask automatically based on the IP address that you entered. You don't need to change the subnet mask computed by the ZyXEL Device unless you are instructed to do otherwise.

5.2.1.1 Private IP Addresses

Every machine on the Internet must have a unique address. If your networ
option only if your wireless clients support WPA. See Section 3.2.1 on page 63 for more information.

Select Manually assign a WEP key to configure a WEP Key. See Section 3.2.2 on page 63 for more information.

Select Disable wireless security to have no wireless LAN security configured and your network is accessible to any wireless networking device that is within range.

Note: If you enable OTIST in the previous wizard screen but select Disable wireless security here, the ZyXEL Device still creates a pre-shared key (WPA-PSK) automatically.

Note: If you enable OTIST and select Manually assign a WEP key, the ZyXEL Device will replace the WEP key with a WPA-PSK.

Back: Click Back to display the previous screen.
Next: Click Next to proceed to the next screen.
Exit: Click Exit to close the wizard screen without saving.

Note: The wireless stations and ZyXEL Device must use the same SSID, channel ID and WEP encryption key (if WEP is enabled), or WPA-PSK (if WPA-PSK is enabled) for wireless communication.

4 This screen varies depending on the security mode you selected in the previous screen. Fill in the field (if available) and click Next.

3.2.1 Manually assign a WPA-PSK key

Choose Manually assign a WPA-PSK key in the Wireless LAN setup screen to set up a Pre-Shared Key.

Figure 30 Manually assign a WPA key

The following table describes the labels in t
previously configured DNS servers, click Advanced and then the DNS tab to order them.

Figure 183 Windows Vista: Internet Protocol Version 4 (TCP/IPv4) Properties (the dialog offers Use the following IP address, Obtain DNS server address automatically, Use the following DNS server addresses, and an Advanced button)

10 Click OK to close the Internet Protocol Version 4 (TCP/IPv4) Properties window.
11 Click Close to close the Local Area Connection Properties window.
12 Close the Network Connections window.
13 Turn on your ZyXEL Device and restart your computer (if prompted).

Verifying Settings
1 Click Start, All Programs, Accessories and then Command Prompt.
2 In the Command Prompt window, type "ipconfig" and then press ENTER. You can also open Network Connections, right-click a network connection, click Status and then click the Support tab.

Macintosh OS 8/9

1 Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel.

(Figure: Macintosh OS 8/9 Apple menu, showing About This Computer, Apple System Profiler, Calculator, Chooser, ...)
's source.

Traffic redirect or IP alias may cause LAN-to-LAN traffic to pass through the ZyXEL Device and be managed by bandwidth management.

The sum of the bandwidth allotments that apply to any interface must be less than or equal to the speed allocated to that interface in the Bandwidth Management Summary screen.

14.2 Application-based Bandwidth Management

You can create bandwidth classes based on individual applications (like VoIP, Web, FTP, E-mail and Video for example).

14.3 Subnet-based Bandwidth Management

You can create bandwidth classes based on subnets.

The following figure shows LAN subnets. You could configure one bandwidth class for subnet A and another for subnet B.

Figure 119 Subnet-based Bandwidth Management Example (LAN subnet A: 192.168.1.1 to 192.168.1.24; LAN subnet B: 192.168.2.1 to 192.168.2.24; WAN to the Internet)

14.4 Application and Subnet-based Bandwidth Management

You could also create bandwidth classes based on a combination of a subnet and an application. The following example table shows bandwidth allocations for application-specific traffic from separate LAN subnets.

Table 87 Application and Subnet-based Bandwidth Management Example
TRAFFIC TYPE | FROM SUBNET A | FROM SUBNET B
VoIP | 64 Kbps | 64 Kbps
Web | 64 Kbps | 64 Kbps
FTP | 64 Kbps | 64 Kbps
E-mail | 64 Kbps | 64 Kbps
Video | 64 Kbps | 64 Kbps
send an RTS (Request To Send) message to the AP for permission to send it. The AP then responds with a CTS (Clear to Send) message to all other stations within its range to notify them to defer their transmission. It also reserves and confirms with the requesting station the time frame for the requested transmission.

Stations can send frames smaller than the specified RTS/CTS directly to the AP without the RTS (Request To Send)/CTS (Clear to Send) handshake.

You should only configure RTS/CTS if the possibility of hidden nodes exists on your network and the "cost" of resending large frames is more than the extra network overhead involved in the RTS (Request To Send)/CTS (Clear to Send) handshake.

If the RTS/CTS value is greater than the Fragmentation Threshold value (see next), then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size.

Note: Enabling the RTS Threshold causes redundant network overhead that could negatively affect the throughput performance instead of providing a remedy.

Fragmentation Threshold

A Fragmentation Threshold is the maximum data fragment size (between 256 and 2432 bytes) that can be sent in the wireless network before the AP will fragment the packet into smaller data frames.

A large Fragmentation Threshold is recommended for networks not prone to interference while you should set a smaller threshold for busy networks or networks that
subnetting.
Gateway IP address: Specify a gateway IP address (supplied by your ISP).

Connection
Nailed-Up Connection: Select Nailed-Up Connection when you want your connection up all the time. The ZyXEL Device will try to bring up the connection automatically if it is disconnected.
Connect on Demand: Select Connect on Demand when you don't want the connection up all the time and specify an idle time-out in the Max Idle Timeout field.
Max Idle Timeout: Specify an idle time-out in the Max Idle Timeout field when you select Connect on Demand. The default setting is 0, which means the Internet session will not timeout.

NAT: SUA only is available only when you select Routing in the Mode field. Select SUA Only if you have one public IP address and want to use NAT. Click Edit to go to the Port Forwarding screen to edit a server mapping set. Otherwise, select None to disable NAT.
Back: Click Back to return to the previous screen.
Apply: Click Apply to save the changes.

Table 27 More Connections Edit (continued)
LABEL: DESCRIPTION
Cancel: Click Cancel to begin configuring this screen afresh.
Advanced Setup: Click this button to display the More Connections Advanced screen and edit more details of your WAN setup.

4.6.2 Configuring More Connections Advanced Setup

To edit your ZyXEL Device's advanced WAN settings, click the Adv
the ZyXEL Device's bandwidth usage and allotments, click Advanced > Bandwidth MGMT > Monitor. The screen appears as shown. Select an interface from the drop-down list box to view the bandwidth usage of its bandwidth rules.

Figure 123 Bandwidth Management: Monitor (the screen shows the selected interface, "To LAN Interface", and the usage percentage of each rule)

Dynamic DNS Setup

This chapter discusses how to configure your ZyXEL Device to use Dynamic DNS.

15.1 Dynamic DNS Overview

Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You can also access your FTP server or Web site on your own computer using a domain name (for instance myhost.dhs.org, where myhost is a name of your choice) that will never change instead of using an IP address that changes each time you reconnect. Your friends or relatives will always be able to call you even if they don't know your IP address.

First of all, you need to have registered a dynamic DNS account with www.dyndns.org. This is for people with a dynamic IP from their ISP or DHCP server that would still like to have a domain name. The Dynamic DNS service provider will give you a password or key.

15.1.1 DYNDNS Wildcard

Enabling the wildcard feature for your host causes *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. This feature is
the access point (AP) to interact with the other devices (such as the printer) or with the Internet. Your ZyXEL Device is the AP.

Every wireless network must follow these basic guidelines.

• Every device in the same wireless network must use the same SSID. The SSID is the name of the wireless network. It stands for Service Set IDentity.
• If two wireless networks overlap, they should use a different channel. Like radio stations or television channels, each wireless network uses a specific channel, or frequency, to send and receive information.
• Every device in the same wireless network must use security compatible with the ZyXEL Device. Security stops unauthorized devices from using the wireless network. It can also protect the information that is sent in the wireless network.

6.2 Wireless Security Overview

The following sections introduce different types of wireless security you can set up in the wireless network.

6.2.1 SSID

Normally, the ZyXEL Device acts like a beacon and regularly broadcasts the SSID in the area. You can hide the SSID instead, in which case the ZyXEL Device does not broadcast the SSID. In addition, you should change the default SSID to something that is difficult to guess.

This type of security is fairly weak, however, because there are ways for unauthorized wireless devices to get the SSID. In addition, unauthorized wireless devices can still see the
the fields in this screen.

Table 107 Configuring UPnP
LABEL: DESCRIPTION
Active the Universal Plug and Play (UPnP) Feature: Select this check box to activate UPnP. Be aware that anyone could use a UPnP application to open the web configurator's login screen without entering the ZyXEL Device's IP address (although you must still enter the password to access the web configurator).
Allow users to make configuration changes through UPnP: Select this check box to allow UPnP-enabled applications to automatically configure the ZyXEL Device so that they can communicate through the ZyXEL Device, for example by using NAT traversal. UPnP applications automatically reserve a NAT forwarding port in order to communicate with another UPnP-enabled device; this eliminates the need to manually configure port forwarding for the UPnP-enabled application.

Table 107 Configuring UPnP (continued)
LABEL: DESCRIPTION
Apply: Click Apply to save the setting to the ZyXEL Device.
Cancel: Click Cancel to return to the previously saved settings.

17.3 Installing UPnP in Windows Example

This section shows how to install UPnP in Windows Me and Windows XP.

Installing UPnP in Windows Me

Follow the steps below to install the UPnP in Windows Me.
1 Click Start and Control Panel. Double-click Add/Remove Programs.
2 Click on the Windows Setup tab and select
(List of Figures, continued; only the entries legible in the scan are kept)
Figure 61 Example Wireless Client OTIST Screen 114
Figure 64 OTIST in Progress 115
Figure 65 No AP with OTIST 115
Figure 68 Wireless LAN: QoS 120
Figure 69 Application Priority Configuration 121
Figure 71 NAT Application With IP Alias 125
Figure 73 Multiple Servers Behind NAT Example 129
Figure 74 Port Forwarding 130
Figure 75 Port Forwarding Rule 131
Figure 77 Edit Address Mapping Rule 133
to begin configuring this screen afresh.

16.7 Configuring DNS

Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa. Refer to the chapter on LAN for background information.

To change your ZyXEL Device's DNS settings, click Advanced > Remote MGMT > DNS. The screen appears as shown. Use this screen to set from which IP address and through which interface the ZyXEL Device will accept DNS queries.

Figure 130 Remote Management: DNS (the screen shows Port, Access Status (LAN/ALL), Secured Client IP (All or Selected, with an address field showing 0.0.0.0), a note that you may also need to create a Firewall rule, and Apply and Cancel buttons)

The following table describes the labels in this screen.

Table 104 Remote Management: DNS
LABEL: DESCRIPTION
Port: You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
Access Status: Select the interface(s) through which a computer may send DNS queries to the ZyXEL Device.
Secured Client IP: A secured client is a "trusted" computer that is allowed to send DNS queries to the ZyXEL Device. Select All to allow any computer to send DNS queries to the ZyXEL Device. Choose Selected to just allow the computer with the IP address t
used, including spaces, but trailing spaces are truncated.
Authentication Algorithm: Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA1 for maximum security.
Authentication Key: Type a unique authentication key to be used by IPSec if applicable. Enter 16 characters for MD5 authentication or 20 characters for SHA1 authentication. Any characters may be used, including spaces, but trailing spaces are truncated.
Back: Click Back to return to the previous screen.
Apply: Click Apply to save your changes back to the ZyXEL Device.
Reset: Click Reset to begin configuring this screen afresh.

12.16 Viewing SA Monitor

Click Security > VPN > Monitor to open the SA Monitor screen as shown. Use this screen to display and manage active VPN connections.

A Security Association (SA) is the group of security settings related to a specific VPN tunnel. This screen displays active VPN connections. Use Refresh to display active VPN connections. This screen is read-only. The following table describes the fields in this tab.

When there is outbound traffic but no inbound traffic, the SA times out automatically after two minutes. A tunnel with no outbound
web names (e.g. www.zyxel.com) to IP numbers.

Table 135 Commonly Used Services (continued)
SERVICE | PROTOCOL/PORT | DESCRIPTION
FINGER | TCP 79 | Finger is a UNIX or Internet related command that can be used to find out if a user is logged on.
FTP | TCP 20, 21 | File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail.
H.323 | TCP 1720 | NetMeeting uses this protocol.
HTTP | TCP 80 | Hyper Text Transfer Protocol, a client/server protocol for the world wide web.
HTTPS | TCP 443 | HTTPS is a secured http session often used in e-commerce.
ICQ | UDP 4000 | This is a popular Internet chat program.
IKE | UDP 500 | The Internet Key Exchange algorithm is used for key distribution and management.
IPSEC_TUNNEL (AH) | AH 0 | The IPSEC AH (Authentication Header) tunneling protocol uses this service.
IPSEC_TUNNEL (ESP) | ESP 0 | The IPSEC ESP (Encapsulation Security Protocol) tunneling protocol uses this service.
IRC | TCP/UDP 6667 | This is another popular Internet chat program.
MSN Messenger | TCP 1863 | Microsoft Networks' messenger service uses this protocol.
MULTICAST | IGMP 0 | Internet Group Multicast Protocol is used when sending packets to a specific group of hosts.
NEW-ICQ | TCP 5190 | An Internet chat program.
NEWS | TCP 144 | A protocol for news groups.
NFS | UDP 2049 | Network File System: NFS is a client/server distributed file service that provides transparent file sharing for network environments.
when you select PPPoE encapsulation.
PPPoE Passthrough: In addition to the ZyXEL Device's built-in PPPoE client, you can enable PPPoE Passthrough to allow up to ten hosts on the LAN to use PPPoE client software on their computers to connect to the ISP via the ZyXEL Device. Each host can have a separate account and a public WAN IP address. PPPoE pass-through is an alternative to NAT for applications where NAT is not appropriate. Disable PPPoE passthrough if you do not need to allow hosts on the LAN to use PPPoE client software on their computers to connect to the ISP.
Back: Click Back to return to the previous screen.
Apply: Click Apply to save the changes.
Cancel: Click Cancel to begin configuring this screen afresh.

4.6 Configuring More Connections

This section describes the protocol-independent parameters for a remote network. They are required for placing calls to a remote gateway and the network behind it across a WAN connection. When you use the WAN > Internet Connection screen to set up Internet access, you are configuring the first WAN connection.

Click Network > WAN > More Connections to display the screen as shown next.

Figure 40 More Connections (the table lists each connection's Active status, Name, VPI/VCI and Encapsulation; in the example the "Internet Connection" entry uses VPI/VCI 8/35 with ENET ENCAP and the "test" entry uses 0/33 with PPPoA, with Modify icons for the remaining rows)
you need to specify a route to a single host, use a subnet mask of 255.255.255.255 in the subnet mask field to force the network number to be identical to the host ID.
IP Subnet Mask: Enter the IP subnet mask here.
Gateway IP Address: Enter the IP address of the gateway. The gateway is a router or switch on the same network segment as the device's LAN or WAN port. The gateway helps forward packets to their destinations.
Back: Click Back to return to the previous screen without saving.
Apply: Click Apply to save your changes back to the ZyXEL Device.
Cancel: Click Cancel to begin configuring this screen afresh.

Bandwidth Management

This chapter contains information about configuring bandwidth management, editing rules and viewing the ZyXEL Device's bandwidth management logs.

14.1 Bandwidth Management Overview

ZyXEL's Bandwidth Management allows you to specify bandwidth management rules based on an application and/or subnet. You can allocate specific amounts of bandwidth capacity (bandwidth budgets) to different bandwidth rules.

The ZyXEL Device applies bandwidth management to traffic that it forwards out through an interface. The ZyXEL Device does not control the bandwidth of traffic that comes into an interface.

Bandwidth management applies to all traffic flowing out of the router, regardless of the traffic
zyxel.com
Telephone: +380 44 247 69 78
Fax: +380 44 494 49 32
Web: www.ua.zyxel.com
Regular Mail: ZyXEL Ukraine, 13, Pimonenko Str., Kiev 04050, Ukraine

United Kingdom
Support E-mail: support@zyxel.co.uk
Sales E-mail: sales@zyxel.co.uk
Telephone: +44 1344 303044, 08707 555779 (UK only)
Fax: +44 1344 303034
Web: www.zyxel.co.uk
FTP: ftp.zyxel.co.uk
Regular Mail: ZyXEL Communications UK Ltd., 11 The Courtyard, Eastern Road, Bracknell, Berkshire RG12 2XB, United Kingdom (UK)

Index

A
Address Assignment 90
Address Resolution Protocol (ARP) 94
ADSL standards 33
Advanced Encryption Standard, See AES
AES 332
AH 177
AH Protocol 181
alternative subnet mask notation 315
antenna: directional 335; gain 335; omni-directional 335
Antenna gain 111
Any IP 93: How it works 94; note 94
Any IP Setup 96
AP (access point) 325
Application-level Firewalls 138
applications: Internet access 34
ATM Adaptation Layer 5 (AAL5) 74
Attack Alert 168
Attack Types 142
Authentication Header 181

B
Backup Type 88
Bandwidth Management 211
Bandwidth Manager Class Configuration 217
Bandwidth Manager Monitor 220
Bandwidth Manager Summary 215
Basic Service Set, See BSS 323
Basic wireless security 63
Blocking Time 167
Brute-force Attack 141
BSS 323
BW Budget 217

C
CA 330
CBR (Continuous Bit Rate) 80, 85
... 0 (the default), then the ZyXEL Device deletes the oldest existing half-open session for the host for every new connection request to the host. This ensures that the number of half-open sessions to a given host will never exceed the threshold.

If the Blocking Time timeout is greater than 0, then the ZyXEL Device blocks all new connection requests to the host, giving the server time to handle the present connections. The ZyXEL Device continues to block all new connection requests until the Blocking Time expires.

9.10.3 Configuring Firewall Thresholds

The ZyXEL Device also sends alerts whenever TCP Maximum Incomplete is exceeded. The global values specified for the threshold and timeout apply to all TCP connections.

Click Firewall and Threshold to bring up the next screen.

Chapter 9 Firewall Configuration

Figure 97 Firewall: Threshold
  Denial of Service Thresholds
    One Minute Low: [  ] Sessions per Minute
    One Minute High: 100 Sessions per Minute
    Maximum Incomplete Low: [  ] Sessions
    Maximum Incomplete High: 100 Sessions
    TCP Maximum Incomplete: 16 Sessions
    Action taken when TCP Maximum Incomplete reached threshold:
      ( ) Delete the Oldest Half Open Session when New Connection Request Comes
      ( ) Deny New Connection Request for [  ] Minutes (1-255)
  [Apply] [Cancel]

The following table describes the labels in this screen.

Table 66 Firewall: Thre
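The two actions described above (delete the oldest half-open session when Blocking Time is 0, otherwise refuse new connection requests to the host until the Blocking Time expires) are easiest to reason about as a small state machine. The following Python model is an added example written for this edit, not ZyXEL firmware or code from the manual; the per-host counter, the constructed SYN flood it is fed, and the choice to express Blocking Time in seconds rather than the GUI's minutes are all assumptions made for illustration. Half-open sessions in this model only drain when completed() is called; the real device also ages them out.

```python
from collections import deque


class HalfOpenTracker:
    """Per-destination-host tracking of half-open TCP sessions (SYN seen, handshake unfinished).

    Models the 'TCP Maximum Incomplete' threshold described in the manual:
      blocking_time == 0 : evict the oldest half-open session to the host so the
                           count never exceeds the threshold (the default action);
      blocking_time  > 0 : refuse every new connection request to the host until
                           `blocking_time` has elapsed.
    Illustrative model only; it is not the device's implementation.
    """

    def __init__(self, tcp_max_incomplete=16, blocking_time=0):
        self.max_incomplete = tcp_max_incomplete
        self.blocking_time = blocking_time      # seconds (assumption; the GUI uses minutes)
        self.half_open = {}                     # host -> deque of (src, sport), oldest first
        self.blocked_until = {}                 # host -> time at which the block lifts
        self.dropped = 0                        # SYNs refused because the host is blocked
        self.evicted = 0                        # oldest half-open sessions deleted

    def syn(self, now, src, sport, host):
        """A new SYN from (src, sport) to `host`. Return True if it is accepted."""
        until = self.blocked_until.get(host)
        if until is not None:
            if now < until:
                self.dropped += 1
                return False
            del self.blocked_until[host]        # blocking time expired
        queue = self.half_open.setdefault(host, deque())
        if len(queue) >= self.max_incomplete:
            if self.blocking_time == 0:
                queue.popleft()                 # delete the oldest half-open session
                self.evicted += 1
            else:
                self.blocked_until[host] = now + self.blocking_time
                self.dropped += 1
                return False
        queue.append((src, sport))
        return True

    def completed(self, src, sport, host):
        """The handshake finished (or the session was torn down): no longer half-open."""
        queue = self.half_open.get(host)
        if queue and (src, sport) in queue:
            queue.remove((src, sport))

    def count(self, host):
        return len(self.half_open.get(host, ()))


def replay(events, **tracker_args):
    """Feed (time, src, sport, host) SYN events through a tracker; return (tracker, accepted)."""
    tracker = HalfOpenTracker(**tracker_args)
    accepted = sum(1 for now, src, sport, host in events if tracker.syn(now, src, sport, host))
    return tracker, accepted


# Constructed sample traffic: 20 SYNs from 20 different (spoofed) sources to one
# LAN server within two seconds, i.e. a small SYN flood. Threshold is 16 as in Figure 97.
SERVER = "192.168.1.10"
FLOOD = [(i * 0.1, f"10.0.0.{i}", 40000 + i, SERVER) for i in range(1, 21)]

if __name__ == "__main__":
    t, ok = replay(FLOOD, tcp_max_incomplete=16, blocking_time=0)
    print(f"evict mode: accepted={ok} evicted={t.evicted} half-open now={t.count(SERVER)}")
    t, ok = replay(FLOOD, tcp_max_incomplete=16, blocking_time=60)
    print(f"block mode: accepted={ok} dropped={t.dropped} blocked until t={t.blocked_until[SERVER]:.1f}s")
```

In evict mode the flood never pushes the host above 16 half-open sessions, but every eviction is a legitimate client whose handshake will now fail; in block mode the server is shielded for the whole Blocking Time, during which new legitimate clients are also refused. That trade-off is why the manual pairs the per-host threshold with the rate-based One Minute Low/High alerts.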
... 0   255.255.255.0
29-bit mask   11111111.11111111.11111111.11111000   255.255.255.248

Network Size

The size of the network number determines the maximum number of possible hosts you can have on your network. The larger the number of network number bits, the smaller the number of remaining host ID bits.

An IP address with host IDs of all zeros is the IP address of the network (192.168.1.0 with a 24-bit subnet mask, for example). An IP address with host IDs of all ones is the broadcast address for that network (192.168.1.255 with a 24-bit subnet mask, for example).

As these two IP addresses cannot be used for individual hosts, calculate the maximum number of possible hosts in a network as follows:

Table 122 Maximum Host Numbers
SUBNET MASK                HOST ID SIZE   MAXIMUM NUMBER OF HOSTS
8 bits    255.0.0.0        24 bits        2^24 - 2 = 16777214
16 bits   255.255.0.0      16 bits        2^16 - 2 = 65534
24 bits   255.255.255.0    8 bits         2^8 - 2 = 254
29 bits   255.255.255.248  3 bits         2^3 - 2 = 6

Notation

Since the mask is always a continuous number of ones beginning from the left, followed by a continuous number of zeros for the remainder of the 32-bit mask, you can simply specify the number of ones instead of writing the value of each octet. This is usually specified by writing a "/" followed by the number of bits in the mask after the address.

For example, 192.1.1.0 /25 is equivalent to saying 192.1.1.0 with subnet mask 255.255.255.
Figure (Wireless LAN: MAC Address Filter, continued): Sets 21 to 32, each with an empty MAC address field (00:00:00:00:00:00); Apply, Cancel.

The following table describes the labels in this menu.

Table 43 MAC Address Filter
LABEL   DESCRIPTION
Active MAC Filter   Select the check box to enable MAC address filtering.
Filter Action   Define the filter action for the list of MAC addresses in the MAC Address table. Select Deny to block access to the ZyXEL Device; MAC addresses not listed will be allowed to access the ZyXEL Device. Select Allow to permit access to the ZyXEL Device; MAC addresses not listed will be denied access to the ZyXEL Device.
Set   This is the index number of the MAC address.
MAC Address   Enter the MAC addresses of the wireless clients that are allowed or denied access to the ZyXEL Device in these address fields. Enter the MAC addresses in a valid MAC address format, that is, six hexadecimal character pairs, for example, 12:34:56:78:9a:bc.
Apply   Click Apply to save your changes back to the ZyXEL Device.
Cancel   Click Cancel to reload the previous configuration for this screen.

A client's MAC address is transmitted in the clear in every frame and can be changed by the client at will, so a MAC filter only deters casual association. Use it together with, not instead of, WPA or WPA2 encryption on the wireless security screen.

Chapter 6 Wireless LAN

6.7 WMM QoS

WMM (Wi-Fi
Figure 101 Encryption and Decryption: Plaintext -> Encryption -> Ciphertext -> Decryption -> Plaintext

11.1.3.2 Data Confidentiality

The IPSec sender can encrypt packets before transmitting them across a network.

11.1.3.3 Data Integrity

The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has not been altered during transmission.

11.1.3.4 Data Origin Authentication

The IPSec receiver can verify the source of IPSec packets. This service depends on the data integrity service.

11.1.4 VPN Applications

The ZyXEL Device supports the following VPN applications.

Linking Two or More Private Networks Together
Connect branch offices and business partners over the Internet with significant cost savings and improved performance when compared to leased lines between sites.

Accessing Network Resources When NAT Is Enabled
When NAT is enabled, remote users are not able to access hosts on the LAN unless the host is designated a public LAN server for that specific protocol. Since the VPN tunnel terminates inside the LAN, remote users will be able to access all computers that use private IP addresses on the LAN.

Unsupported IP Applications
A VPN tunnel may be created to add support for unsupported emerging IP applications. See the chapter on Getting to Know Your ZyXEL Device for an example of a VPN application.

11.2 IPSec Architecture

The overall IPSec architecture is shown as follows.
... 12.13 on page 195). The ID type and content act as an extra level of identification for incoming SAs.

The type of ID can be a domain name, an IP address or an e-mail address. The content is the IP address, domain name, or e-mail address.

Table 74 Local ID Type and Content Fields
LOCAL ID TYPE   CONTENT
IP   Type the IP address of your computer or leave the field blank to have the ZyXEL Device automatically use its own IP address.
DNS   Type a domain name (up to 31 characters) by which to identify this ZyXEL Device.
E-mail   Type an e-mail address (up to 31 characters) by which to identify this ZyXEL Device.
The domain name or e-mail address that you use in the Content field is used for identification purposes only and does not need to be a real domain name or e-mail address.

Table 75 Peer ID Type and Content Fields
PEER ID TYPE   CONTENT
IP   Type the IP address of the computer with which you will make the VPN connection or leave the field blank to have the ZyXEL Device automatically use the address in the Secure Gateway field.
DNS   Type a domain name (up to 31 characters) by which to identify the remote IPSec router.
E-mail   Type an e-mail address (up to 31 characters) by which to identify the remote IPSec router.
The domain name or e-mail address that you use in the Content field is used for identification purposes only and does not need to be a real domain name or e-mail address. The domain nam
128.

The following table shows some possible subnet masks using both notations.

Table 123 Alternative Subnet Mask Notation
SUBNET MASK        ALTERNATIVE NOTATION   LAST OCTET (BINARY)   LAST OCTET (DECIMAL)
255.255.255.0      /24                    0000 0000             0
255.255.255.128    /25                    1000 0000             128
255.255.255.192    /26                    1100 0000             192
255.255.255.224    /27                    1110 0000             224
255.255.255.240    /28                    1111 0000             240
255.255.255.248    /29                    1111 1000             248
255.255.255.252    /30                    1111 1100             252

Appendix C IP Addresses and Subnetting

Subnetting

You can use subnetting to divide one network into multiple sub-networks. In the following example a network administrator creates two sub-networks to isolate a group of servers from the rest of the company network for security reasons.

In this example, the company network address is 192.168.1.0. The first three octets of the address (192.168.1) are the network number, and the remaining octet is the host ID, allowing a maximum of 2^8 - 2 or 254 possible hosts.

The following figure shows the company network before subnetting.

Figure 208 Subnetting Example: Before Subnetting (the company network 192.168.1.0/24 behind a single router connected to the Internet)

You
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255

You can obtain your IP address from the IANA, from an ISP, or it can be assigned from a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks. On the other hand, if you are part of a much larger organization, you should consult your network administrator for the appropriate IP addresses.

Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets (since superseded by RFC 1918, which keeps the same three ranges), and RFC 1466, Guidelines for Management of IP Address Space.

Appendix C IP Addresses and Subnetting

IP Address Conflicts

Each device on a network must have a unique IP address. Devices with duplicate IP addresses on the same network will not be able to access the Internet or other resources. The devices may also be unreachable through the network.

Conflicting Computer IP Addresses Example

More than one device cannot use the same IP address. In the following example computer A has a static (or fixed) IP address that is the same as the IP address that a DHCP server assigns to computer B, which is a DHCP client. Neither can access the Internet. This problem can be solved by assigning a different static IP address to compu
... 192.168.1.128   Lowest Host ID: 192.168.1.129
Broadcast Address: 192.168.1.191   Highest Host ID: 192.168.1.190

Table 127 Subnet 4
                       IP / SUBNET MASK                NETWORK NUMBER   LAST OCTET BIT VALUE
IP Address             192.168.1.                      192
IP Address (Binary)    11000000.10101000.00000001.     11000000
Subnet Mask (Binary)   11111111.11111111.11111111.     11000000
Subnet Address: 192.168.1.192   Lowest Host ID: 192.168.1.193
Broadcast Address: 192.168.1.255   Highest Host ID: 192.168.1.254

Example: Eight Subnets

Similarly, use a 27-bit mask to create eight subnets (000, 001, 010, 011, 100, 101, 110 and 111).

The following table shows IP address last octet values for each subnet.

Table 128 Eight Subnets
SUBNET   SUBNET ADDRESS   FIRST ADDRESS   LAST ADDRESS   BROADCAST ADDRESS
1        0                1               30             31
2        32               33              62             63
3        64               65              94             95
4        96               97              126            127
5        128              129             158            159
6        160              161             190            191
7        192              193             222            223
8        224              225             254            255

Subnet Planning

The following table is a summary for subnet planning on a network with a 24-bit network number.

Table 129 24-bit Network Number Subnet Planning
NO. BORROWED HOST BITS   SUBNET MASK              NO. SUBNETS   NO. HOSTS PER SUBNET
1                        255.255.255.128 (/25)    2             126
... 2 Configuring Keyword Blocking

Use this screen to block sites containing certain keywords in the URL. For example, if you enable the keyword "bad", the ZyXEL Device blocks all sites containing this keyword, including the URL http://www.website.com/bad.html, even if it is not included in the Filter List.

To have your ZyXEL Device block Web sites containing keywords in their URLs, click Security > Content Filter. The screen appears as shown.

Chapter 10 Content Filtering

Figure 98 Content Filter: Keyword
  [x] Active Keyword Blocking
  Block Websites that contain these keywords in the URL: bad
  [Delete] [Clear All]
  Keyword: [        ] [Add Keyword]
  [Apply] [Cancel]

The following table describes the labels in this screen.

Table 67 Content Filter: Keyword
LABEL   DESCRIPTION
Active Keyword Blocking   Select this check box to enable this feature.
Block Websites that contain these keywords in the URL   This box contains the list of all the keywords that you have configured the ZyXEL Device to block.
Delete   Highlight a keyword in the box and click Delete to remove it.
Clear All   Click Clear All to remove all of the keywords from the list.
Keyword   Type a keyword in this field. You may use any character (up to 127 characters). Wildcards are not allowed.
Add Keyword   Click Add Keyword after you have typed a keyword. Repeat this procedure to add other keywords. U
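The manual describes keyword blocking as a plain substring match on the URL, with no wildcards. The Python below is an added example for this edit, not the device's filtering code: it models that literal match, then shows why a practitioner should not rely on it alone, by checking the same constructed URLs after case-folding and percent-decoding. Whether the ZyXEL Device itself is case-insensitive or decodes percent-escapes is not stated in the manual; both behaviours are assumptions here, and the sample URLs are made up for the demonstration.

```python
from urllib.parse import unquote, urlsplit

# The manual's own example keyword.
BLOCK_KEYWORDS = ["bad"]


def url_is_blocked(url, keywords=BLOCK_KEYWORDS):
    """Literal substring match over the whole URL, as the manual describes it."""
    return any(keyword in url for keyword in keywords)


def url_is_blocked_normalized(url, keywords=BLOCK_KEYWORDS):
    """Same keywords, but matched against a normalized view of the request.

    Host, path and query are percent-decoded and lower-cased first, so
    http://host/%62ad.html and http://host/BAD.html are caught as well.
    This is what a more robust filter would do; it is an assumption, not a
    statement about the P-661H's behaviour.
    """
    parts = urlsplit(url)
    haystack = (parts.netloc + unquote(parts.path) + "?" + unquote(parts.query)).lower()
    return any(keyword.lower() in haystack for keyword in keywords)


def classify(urls, keywords=BLOCK_KEYWORDS):
    """Return {url: (literal match, normalized match)} for a list of URLs."""
    return {u: (url_is_blocked(u, keywords), url_is_blocked_normalized(u, keywords)) for u in urls}


# Constructed sample URLs (none of these hosts are real sites used by the manual).
SAMPLE_URLS = [
    "http://www.website.com/bad.html",          # the manual's example: blocked
    "http://www.badminton-club.example/",       # false positive: 'bad' inside 'badminton'
    "http://www.website.com/BAD.html",          # case variant slips past a literal match
    "http://www.website.com/%62ad.html",        # '%62' is 'b': slips past a literal match
    "http://www.website.com/good.html",         # not blocked by either check
]

if __name__ == "__main__":
    for url, (literal, normalized) in classify(SAMPLE_URLS).items():
        print(f"{url:45} literal={literal!s:5} normalized={normalized}")
```

Two further limits apply to any URL keyword filter, whatever its matching rules: it produces false positives on innocent names that happen to contain the keyword, and it can only inspect plaintext HTTP, since the path of an HTTPS request is inside the encrypted TLS session and is never visible to a device that forwards the traffic.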
12.12.2 Diffie-Hellman (DH) Key Groups ... 194
12.12.3 Perfect Forward Secrecy (PFS) ... 194
12.13 Configuring Advanced IKE Settings ... 195
12.14 Manual Key Setup ... 197
12.14.1 Security Parameter Index (SPI) ... 197
12.15 Configuring Manual Key ... 197
12.16 ... 200
12.17 Configuring Global Settings ... 201
12.18 Telecommuter VPN/IPSec Examples ... 202
12.18.1 Telecommuters Sharing One VPN Rule Example ... 202
12.18.2 Telecommuters Using Unique VPN Rules Example ... 203
12.19 VPN and Remote Management ... 204
Part V ... 205
Chapter 13 Static Route ... 207
13.1 Static Route ... 207
13.2 ... 208
13.2.1 ... 208
Chapter 14 Bandwidth Management ... 211
14.1 Bandwidth Management Overview ... 211
42
RFC 1483 74
RFC 1631 123
RIP, see Routing Information Protocol 92
Routing Information Protocol 92: Direction 92; Version 92
RTS (Request To Send) 326: threshold 325, 326
Rules 152: Checklist 150; Key Fields 151; LAN to WAN 152; Logic 150

S
SA 175
safety warnings 6
Saving the State 142
Scheduler 212
screws 278
Secure Gateway Address 182
Security Association 175
Security In General 146
Security Parameter Index 197
Security Ramifications 150
Server 125, 126, 254
Service 151
Service Set 105
Service Type 161
Services 128
SMTP 128
Smurf 141
SNMP 35, 128, 229: Manager 230; MIBs 230
Source Address 151
SPI 197
Splitters 37
Stateful Inspection 137, 138, 142, 143: Device 144; Process 143
Static Route 207
SUA 126
SUA (Single User Account) 126
SUA vs NAT 126
subnet 313
Subnet Mask 91, 159
subnet mask 314
subnetting 316
Sustain Cell Rate (SCR) 81, 85
Sustained Cell Rate (SCR) 76
SYN Flood 140, 141
SYN-ACK 140
syntax conventions 4
Syslog 164
System Name 252
System Timeout 226

T
TCP Maximum Incomplete 167
TCP maximum incomplete 169
TCP Security 144
TCP/IP 139, 140
Teardrop 140
Telnet 227
temperature 275
Temporal Key Integrity Protocol (TKIP) 332
TFTP Restrictions 226
Three-Way Handshake 140
Threshold Values 166
TR-069 35
Traceroute 142
trademarks 341
Traffic Redirect 86, 87
Traffic redirect 86, 88
Traffic shaping 76
Trans
2                        255.255.255.192 (/26)    4             62
3                        255.255.255.224 (/27)    8             30
4                        255.255.255.240 (/28)    16            14
5                        255.255.255.248 (/29)    32            6
6                        255.255.255.252 (/30)    64            2
7                        255.255.255.254 (/31)    128           1

The following table is a summary for subnet planning on a network with a 16-bit network number.

Table 130 16-bit Network Number Subnet Planning
NO. BORROWED HOST BITS   SUBNET MASK              NO. SUBNETS   NO. HOSTS PER SUBNET
1                        255.255.128.0 (/17)      2             32766
2                        255.255.192.0 (/18)      4             16382
3                        255.255.224.0 (/19)      8             8190
4                        255.255.240.0 (/20)      16            4094
5                        255.255.248.0 (/21)      32            2046
6                        255.255.252.0 (/22)      64            1022
7                        255.255.254.0 (/23)      128           510
8                        255.255.255.0 (/24)      256           254
9                        255.255.255.128 (/25)    512           126
10                       255.255.255.192 (/26)    1024          62
11                       255.255.255.224 (/27)    2048          30
12                       255.255.255.240 (/28)    4096          14
13                       255.255.255.248 (/29)    8192          6
14                       255.255.255.252 (/30)    16384         2
15                       255.255.255.254 (/31)    32768         1

Appendix C IP Addresses and Subnetting

Configuring IP Addresses

Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask.

If the ISP di
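The Network Size, Notation, Eight Subnets and Subnet Planning passages above are all instances of the same arithmetic: a contiguous mask of n ones leaves 32 - n host bits, of which the all-zeros and all-ones patterns are reserved. The Python below, an added example written for this edit rather than anything from the manual, reproduces Tables 122, 123, 128, 129 and 130 with the standard-library ipaddress module and also checks an address against the private ranges quoted from RFC 1597/1918. One deliberate difference from the manual: its planning tables list 1 host for a /31, but the 2^h - 2 rule gives 0 and RFC 3021 point-to-point links use both addresses, so usable_hosts() returns 2 there; that choice, like the sample networks, is the example's own assumption.

```python
import ipaddress

# The three private ranges listed in the appendix (RFC 1597, now RFC 1918).
RFC1918_BLOCKS = [ipaddress.IPv4Network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def usable_hosts(prefixlen):
    """Usable host addresses behind a mask of `prefixlen` ones (Table 122 rule).

    Network and broadcast addresses are removed (2^h - 2), except that a /32
    names exactly one host (the host-route mask 255.255.255.255 of Chapter 13)
    and a /31 point-to-point link uses both addresses (RFC 3021; the manual's
    tables show 1 here, which matches neither convention).
    """
    if not 0 <= prefixlen <= 32:
        raise ValueError("IPv4 prefix length must be 0..32")
    if prefixlen == 32:
        return 1
    if prefixlen == 31:
        return 2
    return 2 ** (32 - prefixlen) - 2


def mask_to_prefix(mask):
    """'255.255.255.248' -> 29. Raises ValueError for a non-contiguous mask."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def prefix_to_mask(prefixlen):
    """29 -> '255.255.255.248' (the dotted form of the /n notation)."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefixlen}").netmask)


def subnet_plan(network, borrowed_bits):
    """Split `network` by borrowing `borrowed_bits` host bits (Table 128 layout).

    Returns (subnet address, first host, last host, broadcast) per subnet.
    """
    base = ipaddress.IPv4Network(network)
    rows = []
    for sn in base.subnets(prefixlen_diff=borrowed_bits):
        if sn.prefixlen <= 30:
            first, last = sn.network_address + 1, sn.broadcast_address - 1
        else:                       # /31 and /32: every address is usable
            first, last = sn.network_address, sn.broadcast_address
        rows.append((str(sn.network_address), str(first), str(last), str(sn.broadcast_address)))
    return rows


def planning_table(network_bits):
    """Rows (borrowed bits, mask, /n, number of subnets, hosts per subnet) as in Tables 129/130."""
    rows = []
    for borrowed in range(1, 32 - network_bits):
        prefix = network_bits + borrowed
        rows.append((borrowed, prefix_to_mask(prefix), prefix, 2 ** borrowed, usable_hosts(prefix)))
    return rows


def is_rfc1918(ip):
    """True if `ip` falls in one of the private ranges from the appendix."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in block for block in RFC1918_BLOCKS)


if __name__ == "__main__":
    # Example network taken from the appendix's own subnetting walk-through.
    for row in subnet_plan("192.168.1.0/24", 3):
        print("subnet %-16s first %-16s last %-16s broadcast %s" % row)
    for borrowed, mask, prefix, subnets, hosts in planning_table(24):
        print(f"{borrowed} borrowed: {mask} (/{prefix}) -> {subnets} subnets, {hosts} hosts each")
```

Passing a mask such as 255.0.255.0 to mask_to_prefix() raises ValueError, which is the check a configuration parser wants: the /n notation is only valid because the ones are contiguous, as the Notation section says.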
Figure 209 Subnetting Example: After Subnetting ... 317
Figure 210 Conflicting Computer IP Addresses Example ... 321

List of Figures

Figure 211 Conflicting Computer IP Addresses Example ... 321
Figure 212 Conflicting Computer and Router IP Addresses Example ... 322
Figure 213 Peer-to-Peer Communication in an Ad-hoc Network ... 323
Figure 214 Basic Service Set ... 324
Figure 215 Infrastructure WLAN ... 325
Figure 216 RTS/CTS ... 326
Figure 217 WPA(2) with RADIUS Application Example ... 333
Figure 218 WPA(2)-PSK ... 334

List of Tables

Table 1 ... 33
Table 2 ... 36
Table 3 Web Configurator Screens Summary ... 43
Table 4 ... 45
Table 5 Status Screen ... 47
Table 6 Status: WLAN Status ... 48
Table 7 Status: VPN Status ...
... WPA2-PSK ... 108
Table 40 Wireless LAN: WPA/WPA2 ... 110
Table 41 Wireless LAN: Advanced ... 111
Table 42 ... 113
Table 43 MAC Address Filter ... 116
Table 44 WMM QoS Priorities ... 117
Table 45 Commonly Used Services ... 118
Table 46 Wireless LAN: QoS ... 120
Table 47 Application Priority Configuration ... 121
Table 48 ... 123
Table 49 NAT Mapping Types ... 126
Table 50 NAT General ... 127
Table 51 Services and Port Numbers ... 128
Table 52 Port Forwarding ... 130
Table 53 Port Forwarding Rule Setup ... 131
Table 54 Address Mapping Rules ... 132
Table 55 Edit Address Mapping Rule ... 134
Table 56 ... 139
Table 57 ICMP Commands That Trigger Alerts ...
... EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP Generic Token Card) for client authentication. EAP-GTC is implemented only by Cisco.

LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE 802.1x.

Appendix D Wireless LANs

Dynamic WEP Key Exchange

The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed.

If this feature is enabled, it is not necessary to configure a default encryption key in the wireless security configuration screen. You may still configure and store keys, but they will not be used while dynamic WEP is enabled.

Note: EAP-MD5 cannot be used with Dynamic WEP Key Exchange.

Rotating the key per session limits how much traffic each WEP key protects, but it does not repair WEP itself, whose RC4 keystream reuse with a 24-bit IV is cryptographically broken, and LEAP's password-based exchange is open to offline dictionary attacks. Where every client supports it, WPA2 with AES is the appropriate choice.

For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption. They are often deployed in corporate environments, but for public deployment, a simple user name and password pair is more practical. The following table is a comparison of the features of authentication types.

Table 133 Comparison of EAP Authentication Types
                         EAP-MD5   EAP-TLS   EAP-TTLS   PEAP       LEAP
Mutual Authentication    No        Yes       Yes        Yes        Yes
Certificate - Client     No        Yes       Optional   Optional   No
Certificate - Server     No        Yes       Yes        Yes        No
Dynamic Key Exchange     No        Yes       Yes        Yes
Figure (Advanced VPN Policies screen, continued)
  Phase 1: Negotiation Mode Main; Authentication Algorithm; SA Life Time (Seconds); Key Group DH1
  Phase 2: Active Protocol ESP; Encryption Algorithm DES; Authentication Algorithm; SA Life Time (Seconds); Encapsulation Tunnel; Perfect Forward Secrecy (PFS) NONE
  [Apply] [Cancel]

The following table describes the fields in this screen.

Table 79 Advanced VPN Policies
LABEL   DESCRIPTION
VPN - IKE
Protocol   Enter 1 for ICMP, 6 for TCP, 17 for UDP, etc. 0 is the default and signifies any protocol.
Enable Replay Detection   As a VPN setup is processing intensive, the system is vulnerable to Denial of Service (DoS) attacks. The IPSec receiver can detect and reject old or duplicate packets to protect against replay attacks. Select YES from the drop-down menu to enable replay detection, or select NO to disable it.
Local Start Port   0 is the default and signifies any port. Type a port number from 0 to 65535. Some of the most common IP ports are: 21 (FTP), 53 (DNS), 23 (Telnet), 80 (HTTP), 25 (SMTP), 110 (POP3).
End   Enter a port number in this field to define a port range. This port number must be greater than that specified in the previous field. If Local Start Port is left at 0, End will also remain at 0.
Remote Start Port   0 is the default and signifies any port. Type a port number from 0 to 65535. Some of the most common IP ports are: 21 (FTP), 53 (DNS), 23 (Telnet), 80 (HTTP), 25 (SMTP), 110 (POP3).
End   Enter a port number
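Replay detection, as the table describes it, means the IPSec receiver remembers which ESP sequence numbers it has already accepted and rejects duplicates or packets that are too old, before spending CPU on decrypting them. The standard way to do this is the sliding bitmap window of RFC 4303 (ESP). The Python below is an added example for this edit, not ZyXEL code and not a description of the device's internal window size; the 64-packet window and the constructed sequence of packet numbers are assumptions chosen to show in-order delivery, reordering, a replayed packet and a packet that has fallen out of the window.

```python
class AntiReplayWindow:
    """Sliding-window replay check for one IPsec SA, after RFC 4303 section 3.4.3.

    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    records whether sequence number (top - i) has been seen. A packet is
    rejected if it is older than the window or already marked as seen.
    Illustrative model of 'Enable Replay Detection'; not the device's code.
    """

    def __init__(self, size=64):
        if size < 32:                      # RFC 4303 requires a window of at least 32
            raise ValueError("window must hold at least 32 sequence numbers")
        self.size = size
        self.top = 0
        self.bitmap = 0
        self.rejected = []                 # (sequence number, reason) for dropped packets

    def check_and_update(self, seq):
        """Return True and record `seq` if it is new; False if it must be dropped.

        Call this only after the packet's integrity check (ICV) has passed:
        moving the window on an unauthenticated packet would let an attacker
        advance `top` and make the sender's genuine packets look too old.
        """
        if seq == 0:                       # ESP sequence numbers start at 1
            self.rejected.append((seq, "zero sequence number"))
            return False
        if seq > self.top:                 # newer than anything seen: slide the window
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1            # everything previously seen falls out of the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq            # inside or behind the window
        if offset >= self.size:
            self.rejected.append((seq, "too old"))
            return False
        if self.bitmap & (1 << offset):
            self.rejected.append((seq, "duplicate"))
            return False
        self.bitmap |= 1 << offset         # late but genuine: accept once
        return True


def replay_stream(sequence_numbers, size=64):
    """Run a list of received ESP sequence numbers through a window; return (window, accepted)."""
    window = AntiReplayWindow(size)
    accepted = [s for s in sequence_numbers if window.check_and_update(s)]
    return window, accepted


# Constructed sample: in order, then reordered (5 before 4), a replay of 3,
# a jump to 100, late arrivals 40 and 37 (inside the 64-packet window),
# 36 (exactly one too old), then 101.
SAMPLE_SEQUENCE = [1, 2, 3, 5, 4, 3, 100, 40, 37, 36, 101]

if __name__ == "__main__":
    window, accepted = replay_stream(SAMPLE_SEQUENCE)
    print("accepted:", accepted)
    print("rejected:", window.rejected)
```

The window size is a trade-off between tolerance for reordering on the path and the memory and cost per SA; whatever the size, a replay check adds nothing unless the integrity algorithm for the SA is enabled, since only an authenticated sequence number can be trusted to move the window.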
... UBR doesn't guarantee any bandwidth and only delivers traffic when the network has spare bandwidth. An example application is background file transfer.

4.4 Zero Configuration Internet Access

Once you turn on and connect the ZyXEL Device to a telephone jack, it automatically detects the Internet connection settings (such as the VCI/VPI numbers and the encapsulation method) from the ISP and makes the necessary configuration changes. In cases where additional account information (such as an Internet account user name and password) is required or the ZyXEL Device cannot connect to the ISP, you will be redirected to web screen(s) for information input or troubleshooting.

Zero configuration for Internet access is disabled when:
- the ZyXEL Device is in bridge mode
- you set the ZyXEL Device to use a static (fixed) WAN IP address

Chapter 4 WAN Setup

4.5 Internet Connection

To change your ZyXEL Device's WAN remote node settings, click Network > WAN. The screen differs by the encapsulation.

See Section 4.1 on page 73 for more information.

Figure 38 Internet Connection (PPPoE)
  General: Name MyISP; Mode Routing; Encapsulation PPPoE; User Name; Password; Service Name; Multiplexing LLC
  Virtual Circuit ID: VPI 0; VCI 33
  IP Address: ( ) Obtain an IP Address Automatically ( ) Static IP Address [IP Address]
  Connection: ( ) Nailed-Up Connection ( ) Connect on Demand, Max Idle Timeou
Click Cancel to begin configuring this screen afresh.

Use this screen to configure the DNS server information that the ZyXEL Device sends to the DHCP client devices on the LAN.

Chapter 5 LAN Setup

Figure 50 DHCP Setup
  DHCP Setup: DHCP Server; IP Pool Starting Address 192.168.1.33; Pool Size 32; Remote DHCP Server
  DNS Server: DNS Servers Assigned by DHCP Server; Primary DNS Server 0.0.0.0; Secondary DNS Server 0.0.0.0
  [Apply] [Cancel]

The following table describes the labels in this screen.

Table 32 DHCP Setup
LABEL   DESCRIPTION
DHCP Setup
DHCP   Select what type of DHCP services the ZyXEL Device provides to the network. Choices are:
  None - the ZyXEL Device does not provide any DHCP services. There is already a DHCP server on the network.
  DHCP Relay - the ZyXEL Device routes DHCP requests to the DHCP server. There may be a DHCP server on another network.
  DHCP Server - the ZyXEL Device assigns IP addresses and provides subnet mask, gateway, and DNS server information to the network. The ZyXEL Device is the DHCP server for the network.
IP Pool Starting Address   This field is enabled if the ZyXEL Device is a DHCP Server. Enter the first of the contiguous addresses in the IP address pool.
Pool Size   This field is enabled if the ZyXEL Device is a DHCP Server. Enter the size of (or the number of addresses in) the IP address pool.
Remote
Communication in the Components selection box. Click Details.

Figure 134 Add/Remove Programs: Windows Setup: Communication
  Properties: Install/Uninstall, Windows Setup, Startup Disk
  To add or remove a component, select or clear the check box. If the check box is shaded, only part of the component will be installed. To see what's included in a component, click Details.
  Components: Address Book; Communications 5.6 MB; Desktop Themes 0.0 MB; Games 10.1 MB; Multilanguage Support 0.0 MB
  Space used by installed components: 42.4 MB. Space required: 0.0 MB. Space available on disk: 866.3 MB.
  Description: Includes accessories to help you connect to other computers and online services. 5 of 10 components selected. [Details] [Have Disk]
  [OK] [Cancel] [Apply]

3 In the Communications window, select the Universal Plug and Play check box in the Components selection box.

Chapter 17 Universal Plug-and-Play (UPnP)

Figure 135 Add/Remove Programs: Windows Setup: Communication: Components
  To install a component, select the check box next to the component name, or clear the check box if you do not want to install it. A shaded box means that only part of the component will be installed. To see what's included in a component, click Details.
  Components: NetMeeting; Phone Dialer 0.2 MB
Cs

4.1.3 VPI and VCI

Be sure to use the correct Virtual Path Identifier (VPI) and Virtual Channel Identifier (VCI) numbers assigned to you. The valid range for the VPI is 0 to 255 and for the VCI is 32 to 65535 (0 to 31 is reserved for local management of ATM traffic). Please see the appendix for more information.

4.1.4 IP Address Assignment

A static IP is a fixed IP that your ISP gives you. A dynamic IP is not fixed; the ISP assigns you a different one each time. The Single User Account feature can be enabled or disabled if you have either a dynamic or static IP. However, the encapsulation method assigned influences your choices for IP address and ENET ENCAP gateway.

Chapter 4 WAN Setup

4.1.4.1 IP Assignment with PPPoA or PPPoE Encapsulation

If you have a dynamic IP, then the IP Address and ENET ENCAP Gateway fields are not applicable (N/A). If you have a static IP, then you only need to fill in the IP Address field and not the ENET ENCAP Gateway field.

4.1.4.2 IP Assignment with RFC 1483 Encapsulation

In this case the IP Address Assignment must be static with the same requirements for the IP Address and ENET ENCAP Gateway fields as stated above.

4.1.4.3 IP Assignment with ENET ENCAP Encapsulation

In this case you can have either a static or dynamic IP. For a static IP you must fill in all the IP Address and ENET ENCAP Gateway fields as supplied by your ISP. However, for a dynamic IP, the ZyXEL
Remote DHCP Server   This field is enabled if the ZyXEL Device is a DHCP Relay. Enter the IP address of the DHCP server to which the ZyXEL Device should route requests.
DNS Server
DNS Servers Assigned by DHCP Server   The ZyXEL Device passes a DNS (Domain Name System) server IP address to the DHCP clients.
Primary DNS Server / Secondary DNS Server   This field is not available when you set DHCP to Relay. Enter the IP addresses of the DNS servers. The DNS servers are passed to the DHCP clients along with the IP address and the subnet mask. If the fields are left as 0.0.0.0, the ZyXEL Device acts as a DNS proxy and forwards the DHCP client's DNS query to the real DNS server learned through IPCP and relays the response back to the computer.
Apply   Click Apply to save your changes back to the ZyXEL Device.
Reset   Click Reset to begin configuring this screen afresh.

Chapter 5 LAN Setup

5.5 LAN Client List

This table allows you to assign IP addresses on the LAN to specific individual computers based on their MAC addresses.

Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.

To change your ZyXEL Device's static DHCP settings, click Network > LAN > Client List. The screen appears as shown.

Figure 51 LAN Client List
DNS server allows clients on the VPN to find other computers and servers on the VPN by their (private) domain names.
Local   Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses.
  Two active SAs can have the same configured local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.
  In order to have more than one active rule with the Secure Gateway Address field set to 0.0.0.0, the ranges of the local IP addresses cannot overlap between rules.
  If you configure an active rule with 0.0.0.0 in the Secure Gateway Address field and the LAN's full IP address range as the local IP address, then you cannot configure any other active rules with the Secure Gateway Address field set to 0.0.0.0.
Local Address Type   Use the drop-down menu to choose Single, Range, or Subnet. Select Single for a single IP address. Select Range for a specific range of IP addresses. Select Subnet to specify IP addresses on a network by their subnet mask.
IP Address Start   When the Local Address Type field is configured to Single, enter a (static) IP address on the LAN behind your ZyXEL Device. When the Local Address Type field is configured to Range, enter the beginning (static) IP address, in a range of computers on your LAN behind your ZyXEL Device. When the Local Address Type field is configured to Subnet, this
133. DP 161: Simple Network Management Program.
SNMP TRAPS, TCP/UDP 162: Traps for use with the SNMP (RFC 1215).
SQL-NET, TCP 1521: Structured Query Language is an interface to access data on many different types of database systems, including mainframes, midrange systems, UNIX systems and network servers.
SSH, TCP/UDP 22: Secure Shell Remote Login Program.
STRM WORKS, UDP 1558: Stream Works Protocol.
SYSLOG, UDP 514: Syslog allows you to send system logs to a UNIX server.
TACACS, UDP 49: Login Host Protocol used for (Terminal Access Controller Access Control System).
TELNET, TCP 23: Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments. It operates over TCP/IP networks. Its primary function is to allow users to log into remote host systems.
TFTP, UDP 69: Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol).
VDOLIVE, TCP 7000: Another videoconferencing solution.

6.8 QoS Screen
The QoS screen by default allows you to automatically give a service a priority level according to the ToS value in the IP header of the packets it sends.

Chapter 6 Wireless LAN
6.8.1 ToS (Type of Service) and WMM QoS
ToS defines the DS (Differentiated Service) field in the IP packet header. Th
134. Dynamic DNS Setup

Remote Management Configuration
This chapter provides information on configuring remote management.
16.1 Remote Management Overview
Remote management allows you to determine which services/protocols can access which ZyXEL Device interface (if any) from which computers.
Note: When you configure remote management to allow management from the WAN, you still need to configure a firewall rule to allow access.
You may manage your ZyXEL Device from a remote location via:
- Internet (WAN only)
- ALL (LAN and WAN)
- LAN only
- Neither (Disable)
Note: When you choose WAN only or LAN & WAN, you still need to configure a firewall rule to allow access.
To disable remote management of a service, select Disable in the corresponding Access Status field.
You may only have one remote management session running at a time. The ZyXEL Device automatically disconnects a remote management session of lower priority when another remote management session of higher priority starts. The priorities for the different types of remote management sessions are as follows:
1 Telnet
2 HTTP

Chapter 16 Remote Management Configuration
16.1.1 Remote Management Limitations
Remote management over LAN or WAN will not work when:
- You have disabled that service in one of the remote management screens.
- The IP address in the Secured Client
135. EAP to interact with an EAP-compatible RADIUS server, an access point helps a wireless station and a RADIUS server perform authentication.
The type of authentication you use depends on the RADIUS server and an intermediary AP(s) that supports IEEE 802.1x.

Appendix D Wireless LANs
For EAP-TLS authentication type, you must first have a wired connection to the network and obtain the certificate(s) from a certificate authority (CA). A certificate (also called digital IDs) can be used to authenticate users and a CA issues certificates and guarantees the identity of each certificate owner.
EAP-MD5 (Message Digest Algorithm 5)
MD5 authentication is the simplest one-way authentication method. The authentication server sends a challenge to the wireless client. The wireless client "proves" that it knows the password by encrypting the password with the challenge and sends back the information. Password is not sent in plain text.
However, MD5 authentication has some weaknesses. Since the authentication server needs to get the plaintext passwords, the passwords must be stored. Thus someone other than the authentication server may access the password file. In addition, it is possible to impersonate an authentication server as the MD5 authentication method does not perform mutual authentication. Finally, the MD5 authentication method does not support data encryption with a dynamic session key. You must configure WEP encrypt
136. EL Device is the ideal high-speed Internet access solution. It is compatible with all major ADSL DSLAM (Digital Subscriber Line Access Multiplexer) providers and supports the ADSL standards as shown in Table on page 33.
The ZyXEL Device provides protection from attacks by Internet hackers. By default, the firewall blocks all incoming traffic from the WAN. The firewall supports TCP/UDP inspection and DoS (Denial of Services) detection and prevention, as well as real-time alerts, reports and logs.
Figure 1 Protected Internet Access Applications
1.2.2 LAN-to-LAN Application
You can use the ZyXEL Device to connect two geographically dispersed networks over the ADSL line. A typical LAN-to-LAN application example is shown as follows.

Chapter 1 Getting To Know Your ZyXEL Device
Figure 2 LAN-to-LAN Application Example
1.3 Ways to Manage the ZyXEL Device
Use any of the following methods to manage the ZyXEL Device.
- Web Configurator. This is recommended for everyday management of the ZyXEL Device using a (supported) web browser. See Chapter 2 on page 39.
- Command Line Interface. Line commands are mostly used for troubleshooting by service engineers.
- FTP. Use File Transfer Protocol for firmware upgrades and configuration backup/restore.
- SNMP. The device can be monitored and/or managed by an SNMP manager. Se
138. ES
SHA1: SHA1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet data.
AES: Advanced Encryption Standard is a newer method of data encryption that also uses a secret key. This implementation of AES applies a 128-bit key to 128-bit blocks of data. AES is faster than 3DES.
Select NULL to set up a phase 2 tunnel without encryption.
AUTHENTICATION
MD5 (default): MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data.
SHA1: SHA1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet data.
Select MD5 for minimal security and SHA1 for maximum security.
12.3 My IP Address
My IP Address is the WAN IP address of the ZyXEL Device. The ZyXEL Device has to rebuild the VPN tunnel if the My IP Address changes after setup.
The following applies if this field is configured as 0.0.0.0:
- The ZyXEL Device uses the current ZyXEL Device WAN IP address (static or dynamic) to set up the VPN tunnel.
- If the WAN connection goes down, the ZyXEL Device uses the dial backup IP address for the VPN tunnel when using dial backup or the LAN IP address when using traffic redirect. See the chapter on WAN for details on dial backup and traffic redirect.
12.4 Secure Gateway A
139. Enter the start time when you want the content filtering to take effect in hour-minute format.
End Time: Enter the end time when you want the content filtering to stop in hour-minute format.
Apply: Click Apply to save your changes.
Cancel: Click Cancel to return to the previously saved settings.
10.4 Configuring Trusted Computers
To exclude a range of users on the LAN from content filtering on your ZyXEL Device, click Security > Content Filter > Trusted. The screen appears as shown.

Chapter 10 Content Filtering
Figure 100 Content Filter: Trusted (fields: Trusted User IP Range, From IP address, To IP address; Apply, Cancel)
The following table describes the labels in this screen.
Table 69 Content Filter: Trusted
LABEL / DESCRIPTION
Trusted User IP Range
From: Type the IP address of a computer (or the beginning IP address of a specific range of computers) on the LAN that you want to exclude from content filtering.
To: Type the ending IP address of a specific range of users on your LAN that you want to exclude from content filtering. Leave this field blank if you want to exclude an individual computer.
Apply: Click Apply to save your changes back to the ZyXEL Device.
Cancel: Click Cancel to return to the previously saved settings.

Introduction to IPSec
This chapter introduces th
141. Guide

Network Address Translation (NAT) Screens
This chapter discusses how to configure NAT on the ZyXEL Device.
7.1 NAT Overview
NAT (Network Address Translation, RFC 1631) is the translation of the IP address of a host in a packet, for example, the source address of an outgoing packet, used within one network to a different IP address known within another network.
7.1.1 NAT Definitions
Inside/outside denotes where a host is located relative to the ZyXEL Device, for example, the computers of your subscribers are the inside hosts, while the web servers on the Internet are the outside hosts.
Global/local denotes the IP address of a host in a packet as the packet traverses a router, for example, the local address refers to the IP address of a host when the packet is in the local network, while the global address refers to the IP address of the host when the same packet is traveling in the WAN side.
Note that inside/outside refers to the location of a host, while global/local refers to the IP address of a host used in a packet. Thus, an inside local address (ILA) is the IP address of an inside host in a packet when the packet is still in the local network, while an inside global address (IGA) is the IP address of the same inside host when the packet is on the WAN side. The following table summarizes this information.
Table 48 NAT Definitions
ITEM / DESCRIPTION
Inside: This refers to the host on the LAN.
Ou
142. HW Series User's Guide

Chapter 3 Wizards
3.3.3 Screen 3
Follow the on-screen instructions and click Finish to complete the wizard setup and save your configuration.
Figure 36 Bandwidth Management Wizard: Complete (CONGRATULATIONS; links: Return to Wizard Main Page, Go to Advanced Setup page)

PART II Network
WAN Setup (73)
LAN Setup (89)
Wireless LAN (101)
Network Address Translation (NAT) Screens (123)

WAN Setup
This chapter describes how to configure WAN settings.
4.1 WAN Overview
A WAN (Wide Area Network) is an outside connection to another network or the Internet.
4.1.1 Encapsulation
Be sure to use the encapsulation method required by your ISP. The ZyXEL Device supports the following methods.
4.1.1.1 ENET ENCAP
The MAC Encapsulated Routing Link Protocol (ENET ENCAP) is only implemented with the IP network protocol. IP packets are routed between the Ethernet interface and the WAN interface and then formatted so that they can be understood in a bridged environment. For instance, it encapsulates routed Ethernet frames into bridged ATM cells. ENET ENCAP requires that you specify a gateway IP address in the ENET ENCAP Gateway field in the second wizard screen. You can get this information from your
143. IP Address: Enter the single IP address or the starting IP address in a range here.
End IP Address: Enter the ending IP address in a range here.
Subnet Mask: Enter the subnet mask here, if applicable.
Add >>: Click Add >> to add a new address to the Source or Destination Address box. You can add multiple addresses, ranges of addresses, and/or subnets.
Edit: To edit an existing source or destination address, select it from the box and click Edit.
Delete: Highlight an existing source or destination address from the Source or Destination Address box above and click Delete to remove it.
Services
Available/Selected Services: Please see Appendix E on page 337 for more information on commonly used services. Highlight a service from the Available Services box on the left, then click Add >> to add it to the Selected Services box on the right. To remove a service, highlight it in the Selected Services box on the right, then click Remove.
Edit Customized Service: Click the Edit Customized Services link to bring up the screen that you use to configure a new custom service that is not in the predefined list of services.
Schedule
Day to Apply: Select everyday or the day(s) of the week to apply the rule.
Time of Day to Apply (24-Hour Format): Select All Day or enter the start and end times in the hour-minute format to apply the rule.
Log
Log Packet Detail: This field det
144. IP field does not match the client IP address. If it does not match, the ZyXEL Device will disconnect the session immediately.
- There is already another remote management session with an equal or higher priority running. You may only have one remote management session running at one time.
- There is a firewall rule that blocks it.
16.1.2 Remote Management and NAT
When NAT is enabled:
- Use the ZyXEL Device's WAN IP address when configuring from the WAN.
- Use the ZyXEL Device's LAN IP address when configuring from the LAN.
16.1.3 System Timeout
There is a default system management idle timeout of five minutes (three hundred seconds). The ZyXEL Device automatically logs you out if the management session remains idle for longer than this timeout period. The management session does not time out when a statistics screen is polling.
16.2 WWW
To change your ZyXEL Device's World Wide Web settings, click Advanced > Remote MGMT to display the WWW screen.
Figure 125 Remote Management: WWW (screen fields: Port 80; Access Status WAN; Secured Client IP: All / Selected 0.0.0.0; note: for UPnP to function normally, the HTTP service must be available for LAN computers, and you may also need to create a firewall rule; Apply, Cancel)

Chapter 16 Remote Management Configuration
The following table describes the labels in this screen.
Table 98 Remote Management: WWW
LABEL / DESCRIPTI
145. Internet.
- Allow certain types of traffic from the Internet to specific hosts on the LAN.
- Allow access to a Web server to everyone but competitors.
- Restrict use of certain protocols, such as Telnet, to authorized users on the LAN.
These custom rules work by evaluating the network traffic's Source IP address, Destination IP address, IP protocol type, and comparing these to rules set by the administrator.
Note: The ability to define firewall rules is a very powerful tool. Using custom rules, it is possible to disable all firewall protection or block all access to the Internet. Use extreme caution when creating or deleting firewall rules. Test changes after creating them to make sure they work correctly.
Below is a brief technical description of how these connections are tracked. Connections may either be defined by the upper protocols (for instance, TCP), or by the ZyXEL Device itself (as with the "virtual connections" created for UDP and ICMP).
8.5.3 TCP Security
The ZyXEL Device uses state information embedded in TCP packets. The first packet of any new connection has its SYN flag set and its ACK flag cleared; these are "initiation" packets. All packets that do not have this flag structure are called "subsequent" packets, since they represent data that occurs later in the TCP stream.
If an initiation packet originates on the WAN, this means that someone is trying to make a connection from the Internet into the LAN. Except in a few specia
146. M Status / ATM Loopback Test / DSL Line Status / Reset ADSL Line / Capture All Logs
The following table describes the fields in this screen.
Table 115 Diagnostic: DSL Line
LABEL / DESCRIPTION
ATM Status: Click this button to view ATM status.
ATM Loopback Test: Click this button to start the ATM loopback test. Make sure you have configured at least one PVC with proper VPIs/VCIs before you begin this test. The ZyXEL Device sends an OAM F5 packet to the DSLAM/ATM switch and then returns it (loops it back) to the ZyXEL Device. The ATM loopback test is useful for troubleshooting problems with the DSLAM and ATM network.
DSL Line Status: Click this button to view the DSL port's line operating values and line bit allocation.
Reset ADSL Line: Click this button to reinitialize the ADSL line. The large text box above then displays the progress and results of this operation, for example:
Start to reset ADSL
Loading ADSL modem F/W ...
Reset ADSL Line Successfully
Capture All Logs: Click this button to display all logs generated by the DSL line.

PART VI Troubleshooting and Specifications
Troubleshooting (271)
Specifications (275)

Troubleshooting
This chapter offers some suggestions to solve problems you might encounter. The potential problems are divided into the following categories.
- Power, Hardware Connections, and LEDs
- ZyXEL Devi
147. No / No / Apply / Cancel
9.9 Anti-Probing
If an outside user attempts to probe an unsupported port on your ZyXEL Device, an ICMP response packet is automatically returned. This allows the outside user to know the ZyXEL Device exists. The ZyXEL Device supports anti-probing, which prevents the ICMP response packet from being sent. This keeps outsiders from discovering your ZyXEL Device when unsupported ports are probed.
Internet Control Message Protocol (ICMP) is a message control and error-reporting protocol between a host server and a gateway to the Internet. ICMP uses Internet Protocol (IP) datagrams, but the messages are processed by the TCP/IP software and directly apparent to the application user.
Refer to Section 8.1 on page 137 for more information.
Click Security > Firewall > Anti Probing to display the screen as shown.
Figure 96 Firewall: Anti Probing (tabs: General, Rules, Anti Probing, Threshold; fields: Respond to PING on LAN & WAN; Do Not Respond to Requests for Unauthorized Services; Apply, Cancel)

Chapter 9 Firewall Configuration
The following table describes the labels in this screen.
Table 65 Firewall: Anti Probing
LABEL / DESCRIPTION
Respond to PING on: The ZyXEL Device does not respond to any incoming Ping requests when Disable is selected. Select LAN to reply to incoming LAN Ping requests. Select WAN to reply
149. ON
Port: You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
Access Status: Select the interface(s) through which a computer may access the ZyXEL Device using this service.
Secured Client IP: A secured client is a "trusted" computer that is allowed to communicate with the ZyXEL Device using this service. Select All to allow any computer to access the ZyXEL Device using this service. Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service.
Apply: Click Apply to save your settings back to the ZyXEL Device.
Cancel: Click Cancel to begin configuring this screen afresh.
16.3 Telnet
You can use Telnet to access the ZyXEL Device's command line interface. Specify which interfaces allow Telnet access and from which IP address the access can come.
16.4 Configuring Telnet
Click Advanced > Remote MGMT > Telnet tab to display the screen as shown. Use this screen to specify which interfaces allow Telnet access and from which IP address the access can come.
Figure 126 Remote Management: Telnet (screen fields: Port; Access Status LAN & WAN; Secured Client IP: All / Selected 0.0.0.0; note: you may also need to create a firewall rule; Apply, Cancel)

Chapter
150. P-661H/HW Series
802.11g Wireless ADSL2+ 4-port Security Gateway
User's Guide
Version 3.40, 7/2007, Edition 3
DEFAULT LOGIN
IP Address: http://192.168.1.1
Admin Password: 1234
User Password: user
ZyXEL, www.zyxel.com

About This User's Guide
Intended Audience
This manual is intended for people who want to configure the ZyXEL Device using the web configurator. You should have at least a basic knowledge of TCP/IP networking concepts and topology.
Related Documentation
- Quick Start Guide. The Quick Start Guide is designed to help you get up and running right away. It contains information on setting up your network and configuring for Internet access.
- Web Configurator Online Help. Embedded web help for descriptions of individual screens and supplementary information.
- Supporting Disk. Refer to the included CD for support documents.
- ZyXEL Web Site. Please refer to www.zyxel.com for additional support documentation and product certifications.
User Guide Feedback
Help us help you. Send all User Guide related comments, questions or suggestions for improvement to the following address, or use e-mail instead. Thank you.
The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan
E-mail: techwriters@zyxel.com.tw

Document Conventions
Warnings and N
151. P address, Destination IP address and IP protocol type of network traffic to rules set by the administrator. Your customized rules take precedence and override the ZyXEL Device's default rules.
9.3 Rule Logic Overview
Note: Study these points carefully before configuring rules.
9.3.1 Rule Checklist
State the intent of the rule. For example, "This restricts all IRC access from the LAN to the Internet." Or, "This allows a remote Lotus Notes server to synchronize over the Internet to an inside Notes server."
1 Is the intent of the rule to forward or block traffic?
2 What direction of traffic does the rule apply to?
3 What IP services will be affected?
4 What computers on the LAN are to be affected (if any)?
5 What computers on the Internet will be affected? The more specific, the better. For example, if traffic is being allowed from the Internet to the LAN, it is better to allow only certain machines on the Internet to access the LAN.
9.3.2 Security Ramifications
1 Once the logic of the rule has been defined, it is critical to consider the security ramifications created by the rule:

Chapter 9 Firewall Configuration
2 Does this rule stop LAN users from accessing critical resources on the Internet? For example, if IRC is blocked, are there users that require this service?
3 Is it possible to modify the rule to be more specific? For example, if IRC is blocked for all users, will a
152. P uses port number 21.
NetMeeting (H.323): A multimedia communications product from Microsoft that enables groups to teleconference and videoconference over the Internet. NetMeeting supports VoIP, text chat sessions, a whiteboard, and file transfers and application sharing. NetMeeting uses H.323. H.323 is a standard teleconferencing protocol suite that provides audio, data and video conferencing. It allows for real-time point-to-point and multipoint communication between client computers over a packet-based network that does not provide a guaranteed quality of service. H.323 is transported primarily over TCP, using the default port number 1720.
VoIP (H.323): Sending voice signals over the Internet is called Voice over IP or VoIP. H.323 is a standard teleconferencing protocol suite that provides audio, data and video conferencing. It allows for real-time point-to-point and multipoint communication between client computers over a packet-based network that does not provide a guaranteed quality of service. H.323 is transported primarily over TCP, using the default port number 1720.
VoIP (SIP): Sending voice signals over the Internet is called Voice over IP or VoIP. Session Initiation Protocol (SIP) is an internationally recognized standard for implementing VoIP. SIP is an application-layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sessions over the Internet.
SIP is tra
153. Permanent Virtual Circuit) to the Internet Service Provider's (ISP) DSLAM (digital access multiplexer). Please refer to RFC 2364 for more information on PPPoA. Refer to RFC 1661 for more information on PPP.
4.1.1.4 RFC 1483
RFC 1483 describes two methods for Multiprotocol Encapsulation over ATM Adaptation Layer 5 (AAL5). The first method allows multiplexing of multiple protocols over a single ATM virtual circuit (LLC-based multiplexing) and the second method assumes that each protocol is carried over a separate ATM virtual circuit (VC-based multiplexing). Please refer to the RFC for more detailed information.
4.1.2 Multiplexing
There are two conventions to identify what protocols the virtual circuit (VC) is carrying. Be sure to use the multiplexing method required by your ISP.
4.1.2.1 VC-based Multiplexing
In this case, by prior mutual agreement, each protocol is assigned to a specific virtual circuit; for example, VC1 carries IP, etc. VC-based multiplexing may be dominant in environments where dynamic creation of large numbers of ATM VCs is fast and economical.
4.1.2.2 LLC-based Multiplexing
In this case one VC carries multiple protocols with protocol-identifying information being contained in each packet header. Despite the extra bandwidth and processing overhead, this method may be advantageous if it is not practical to have a separate VC for each carried protocol, for example, if charging heavily depends on the number of simultaneous V
154. RIPTION
Direction: Select the direction of traffic to which you want to apply bandwidth management.
Service: Select a service for your rule or you can select User define to go to the screen where you can define your own.
Priority: Select a priority from the drop-down list box. Choose High, Mid or Low.
Bandwidth: Specify the maximum bandwidth allowed for the rule in kbps. The recommendation is a setting between 20 kbps and 20000 kbps for an individual rule.
Add: Click this button to add a rule to the following table.
#: This is the number of an individual bandwidth management rule.
Active: This displays whether the rule is enabled. Select this check box to have the ZyXEL Device apply this bandwidth management rule. Enable a bandwidth management rule to give traffic that matches the rule priority over traffic that does not match the rule. Enabling a bandwidth management rule also allows you to control the maximum amounts of bandwidth that can be used by traffic that matches the rule.
Rule Name: This is the name of the rule.
Destination Port: This is the port number of the destination. 0 means any destination port.
Priority: This is the priority of this rule.
Bandwidth (kbps): This is the maximum bandwidth allowed for the rule in kbps.
Modify: Click the Edit icon to go to the screen where you can edit the rule. Click the Remove icon to delete an existing rule.
Apply: Click Apply to save your changes back to the ZyXEL Device.
Cancel: Click Cancel to begin c
RTS/CTS

A hidden node occurs when two stations are within range of the same access point, but are not within range of each other. The following figure illustrates a hidden node. Both stations (STA) are within range of the access point (AP) or wireless gateway, but out of range of each other, so they cannot "hear" each other, that is, they do not know if the channel is currently being used. Therefore, they are considered hidden from each other.

P-661H/HW Series User's Guide
Appendix D Wireless LANs

Figure 216 RTS/CTS (figure: the RTS/CTS range around the AP; Station A and Station B can each hear the AP, but Stations A and B do not hear each other)

When station A sends data to the AP, it might not know that station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations.

RTS/CTS is designed to prevent collisions due to hidden nodes. An RTS/CTS defines the biggest size data frame you can send before an RTS (Request To Send)/CTS (Clear to Send) handshake is invoked.

When a data frame exceeds the RTS/CTS value you set (between 0 and 2432 bytes), the station that wants to transmit this frame must first
Restart to have the device perform a software restart. The SYS or PWR LED blinks as the device restarts and then stays steady on if the restart is successful. Wait a minute before logging into the device again.

Restart

Chapter 21 Diagnostic

These read-only screens display information to help you identify problems with the ZyXEL Device.

21.1 General Diagnostic

Click Maintenance > Diagnostic to open the screen shown next.

Figure 161 Diagnostic: General (screen: a TCP/IP Address field, a Ping button and the result window, which reads as follows)

  Resolving 192.168.1.34... 192.168.1.34
  Reply from 192.168.1.34
  Reply from 192.168.1.34
  Reply from 192.168.1.34
  Ping Host Successful

The following table describes the fields in this screen.

Table 114 Diagnostic: General

TCP/IP Address: Type the IP address of a computer that you want to ping in order to test a connection.

Ping: Click this button to ping the IP address that you entered. The results are displayed in the screen.

21.2 DSL Line Diagnostic

Click Maintenance > Diagnostic > DSL Line to open the screen shown next.

Figure 162 Diagnostic: DSL Line (screen: the DSL Line result window, which reads as follows)

  Start to reset ADSL
  Loading ADSL modem F/W...
  Reset ADSL Line Successfully

AT
The ZyXEL Device also automatically renegotiates the IPSec SA if both IPSec routers have keep alive enabled, even if there is no traffic. If an IPSec SA times out, then the IPSec router must renegotiate the SA the next time someone attempts to send traffic.

Negotiation Mode

The phase 1 Negotiation Mode you select determines how the Security Association (SA) will be established for each connection through IKE negotiations.

- Main Mode ensures the highest level of security when the communicating parties are negotiating authentication (phase 1). It uses 6 messages in three round trips: SA negotiation, Diffie-Hellman exchange and an exchange of nonces (a nonce is a random number). This mode features identity protection (your identity is not revealed in the negotiation).

- Aggressive Mode is quicker than Main Mode because it eliminates several steps when the communicating parties are negotiating authentication (phase 1). However, the trade-off is that faster speed limits its negotiating power and it also does not provide identity protection. It is useful in remote access situations where the address of the initiator is not known by the responder and both parties want to use pre-shared key authentication.

Diffie-Hellman (DH) Key Groups

Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communications channel. Diffie-Hellman is used within IKE SA setup to establish sess
The configuration of the peer content depends on the peer ID type.

For IP, type the IP address of the computer with which you will make the VPN connection. If you configure this field to 0.0.0.0 or leave it blank, the ZyXEL Device will use the address in the Secure Gateway Address field (refer to the Secure Gateway Address field description).

For DNS or E-mail, type a domain name or e-mail address by which to identify the remote IPSec router. Use up to 31 ASCII characters including spaces, although trailing spaces are truncated. The domain name or e-mail address is for identification purposes only and can be any string.

It is recommended that you type an IP address other than 0.0.0.0 or use the DNS or E-mail ID type in the following situations:

- When there is a NAT router between the two IPSec routers.

- When you want the ZyXEL Device to distinguish between VPN connection requests that come in from remote IPSec routers with dynamic WAN IP addresses.

Secure Gateway Address: Type the WAN IP address or the URL (up to 31 characters) of the IPSec router with which you're making the VPN connection. Set this field to 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address (the Key Management field must be set to IKE).

In order to have more than one active rule with the Secure Gateway Address field set to 0.0.0.0, the ranges of the local IP addresses cannot overlap between rules.

If you configure an active rule with 0.0.0.0 in the Secure Gat
User's Guide

Document Conventions

Icons Used in Figures

Figures in this User's Guide may use the following generic icons. The ZyXEL Device icon is not an exact representation of your device.

(figure: icons for ZyXEL Device, Computer, Notebook computer, Server, Firewall, Telephone, Switch and Router)

Safety Warnings

For your safety, be sure to read and follow all warning notices and instructions.

- Do NOT use this product near water, for example, in a wet basement or near a swimming pool.

- Do NOT expose your device to dampness, dust or corrosive liquids.

- Do NOT store things on the device.

- Do NOT install, use, or service this device during a thunderstorm. There is a remote risk of electric shock from lightning.

- Connect ONLY suitable accessories to the device.

- Do NOT open the device or unit. Opening or removing covers can expose you to dangerous high voltage points or other risks. ONLY qualified service personnel should service or disassemble this device. Please contact your vendor for further information.

- Make sure to connect the cables to the correct ports.

- Place connecting cables carefully so that no one will step on them or stumble over them.

- Always disconnect all cables from this device before servicing or disassembling
WAN traffic between the specific inside host/network (A) and outside host/network (B). If the filter blocks the traffic from A to B, it also blocks the traffic from B to A. Filters cannot distinguish traffic originating from an inside host or an outside host by IP address.

- To block/allow IP trace route.

8.7.2 Firewall

- The firewall inspects packet contents as well as their source and destination addresses. Firewalls of this type employ an inspection module (applicable to all protocols) that understands data in the packet is intended for other layers, from the network layer (IP headers) up to the application layer.

- The firewall performs stateful inspection. It takes into account the state of connections it handles so that, for example, a legitimate incoming packet can be matched with the outbound request for that packet and allowed in. Conversely, an incoming packet masquerading as a response to a nonexistent outbound request can be blocked.

- The firewall uses session filtering, i.e., smart rules, that enhance the filtering process and control the network session rather than control individual packets in a session.

- The firewall provides e-mail service to notify you of routine reports and when alerts occur.

8.7.2.1 When To Use The Firewall

- To prevent DoS attacks and prevent hackers cracking your network.

- A range of source and destination IP addresses as well as port numbers can be specified within one firewall rule, making the fire
ZyXEL Devices which work over ISDN do not support Annex M.

The standard your ISP supports determines the maximum upstream and downstream speeds attainable. Actual speeds attained also depend on the distance from your ISP, line quality, etc.

The ZyXEL Device is a Triple Play gateway, capable of simultaneously transferring data, voice and video over the Internet. The gateway possesses advanced Quality of Service (QoS) features to provide a high standard of Triple Play delivery.

Chapter 1 Getting To Know Your ZyXEL Device

In the ZyXEL Device product name, "H" denotes an integrated 4-port switch (hub) and "W" denotes an included wireless LAN card that provides wireless connectivity.

Models ending in "1" (for example P-661H-D1) denote a device that works over the analog telephone system, POTS (Plain Old Telephone Service). Models ending in "3" denote a device that works over ISDN (Integrated Services Digital Network). Models ending in "7" denote a device that works over T-ISDN (UR-2).

The DSL RJ-11 (ADSL over POTS models) or RJ-45 (ADSL over ISDN models) connects to your ADSL-enabled telephone line.

Note: Only use firmware for your ZyXEL Device's specific model. Refer to the label on the bottom of your ZyXEL Device.

1.2 Applications for the ZyXEL Device

Here are some example uses for which the ZyXEL Device is well suited.

1.2.1 Protected Internet Access

The ZyX
a TFTP tool to put it on the ZyXEL Device.

Note: Only upload firmware for your specific model.

Configuration Backup & Restoration: Make a copy of the ZyXEL Device's configuration. You can put it back on the ZyXEL Device later if you decide to revert back to an earlier configuration.

Network Address Translation (NAT): Each computer on your network must have its own unique IP address. Use NAT to convert your public IP address(es) to multiple private IP addresses for the computers on your network.

Port Forwarding: If you have a server (mail or web server for example) on your network, you can use this feature to let people access it from the Internet.

DHCP (Dynamic Host Configuration Protocol): Use this feature to have the ZyXEL Device assign IP addresses, an IP default gateway and DNS servers to computers on your network.

Dynamic DNS Support: With Dynamic DNS (Domain Name System) support, you can use a fixed URL (www.zyxel.com for example) with a dynamic IP address. You must register for this service with a Dynamic DNS service provider.

IP Multicast: IP multicast is used to send traffic to a specific group of computers. The ZyXEL Device supports versions 1 and 2 of IGMP (Internet Group Management Protocol) used to join multicast groups (see RFC 2236).

IP Alias: IP alias allows you to subdivide a physical network into logical networks over the same Ethernet interface with the ZyXEL Device itself as the gate
ach UPnP-enabled device displays under Local Network.

5. Right-click on the icon for your ZyXEL Device and select Invoke. The web configurator login screen displays.

Chapter 17 Universal Plug and Play (UPnP)

Figure 146 Network Connections: My Network Places (screenshot: the My Network Places window, with "ZyXEL Prestige 650R-31 Internet Sharing Gateway" listed under Local Network and a context menu offering Invoke, Create Shortcut, Rename and Properties)

6. Right-click on the icon for your ZyXEL Device and select Properties. A properties window displays with basic information about the ZyXEL Device.

Figure 147 Network Connections: My Network Places: Properties: Example (screenshot: the properties window for "ZyXEL Prestige 650R-31 Internet Sharing Gateway", General tab, showing the following)

  Manufacturer: ZyXEL
  Model Name: ZyXEL Internet Sharing Gateway
  Model Number: Prestige 650R-31
  Description: ZyXEL Prestige 650R-31 Internet Sharing Gateway
  Device Address: http://192.168.1.1

PART V Maintenance

System
Logs
anagement speed for an interface higher than the interface's actual transmission speed. Higher priority traffic gets to use up to its allocated bandwidth, even if it takes up all of the interface's available bandwidth. This could stop lower priority traffic from being sent. The following is an example.

Table 91 Over Allotment of Bandwidth Example

BANDWIDTH CLASSES                                       ALLOTMENTS   PRIORITIES
Actual outgoing bandwidth available on the interface    1000 kbps
Root Class                                              1500 kbps
VoIP traffic (Service = SIP)                            500 kbps     High
NetMeeting traffic (Service = H.323)                    500 kbps     High
FTP (Service = FTP)                                     500 kbps     Medium

If you use VoIP and NetMeeting at the same time, the device allocates up to 500 kbps of bandwidth to each of them before it allocates any bandwidth to FTP. As a result, FTP can only use bandwidth when VoIP and NetMeeting do not use all of their allocated bandwidth.

Suppose you try to browse the web too. In this case, VoIP, NetMeeting and FTP all have higher priority, so they get to use the bandwidth first. You can only browse the web when VoIP, NetMeeting, and FTP do not use all 1000 kbps of available bandwidth.

14.6.4 Bandwidth Management Priorities

The following table describes the priorities that you can apply to traffic that the ZyXEL Device forwards out through an interface.

Table 92 Bandwidth Management Priorities

PRIORITY LEVELS: TRAFFIC WITH A HIGHER PRIORITY GETS THROUGH FASTER WHILE
anced Setup button in the More Connections Edit screen. The screen appears as shown.

Figure 42 More Connections Advanced Setup (screen: the following fields)

  RIP & Multicast Setup
    RIP Direction: None
    RIP Version: N/A
    Multicast: IGMP v2
  ATM QoS
    ATM QoS Type: CBR
    Peak Cell Rate: 0 cell/sec
    Sustain Cell Rate: 0 cell/sec
    Maximum Burst Size: 0 cell
  Apply  Cancel

The following table describes the labels in this screen.

Table 28 More Connections Advanced Setup

LABEL: DESCRIPTION

RIP & Multicast Setup

RIP Direction: Select the RIP direction from None, Both, In Only and Out Only.

RIP Version: Select the RIP version from RIP-1, RIP-2B and RIP-2M.

Multicast: IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a multicast group. The ZyXEL Device supports both IGMP version 1 (IGMP-v1) and IGMP-v2. Select None to disable it.

ATM QoS

ATM QoS Type: Select CBR (Continuous Bit Rate) to specify fixed (always-on) bandwidth for voice or data traffic. Select UBR (Unspecified Bit Rate) for applications that are non-time sensitive, such as e-mail. Select VBR-nRT (Variable Bit Rate non-Real Time) or VBR-RT (Variable Bit Rate Real Time) for bursty traffic and bandwidth sharing with other applications.

Peak Cell Rate: Divide the DSL line rate (bps) by 424 (the size of an ATM cell) to find the Peak Cell Rate (PCR). This is the maximum rate at which the sender can send cells. Type
and will ignore any RIP packets received.

RIP Version: This field is enabled if RIP Direction is not None. The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyXEL Device sends (it recognizes both formats when receiving). RIP-1 is universally supported, but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M send the routing data in RIP-2 format; the difference being that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also.

Apply: Click Apply to save your changes back to the ZyXEL Device.

Cancel: Click Cancel to begin configuring this screen afresh.

Chapter 6 Wireless LAN

This chapter discusses how to configure the wireless network settings in your device (wireless devices only). See the appendices for more detailed information about wireless networks.

6.1 Wireless Network Overview

The following figure provides an example of a wireless network.

(figure: Example of a Wireless Network)

The wireless network is the part in the blue circle. In this wireless network, devices A and B use
are executed during the handshake that initiates a communication session between two applications.

Figure 79 Three-Way Handshake (figure: Client sends SYN to Server, Server replies with SYN-ACK, Client replies with ACK)

Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment). After this handshake, a connection is established.

- SYN Attack floods a targeted system with a series of SYN packets. Each packet causes the targeted system to issue a SYN-ACK response. While the targeted system waits for the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on what is known as a backlog queue. SYN-ACKs are moved off the queue only when an ACK comes back or when an internal timer (which is set at relatively long intervals) terminates the three-way handshake. Once the queue is full, the system will ignore all incoming SYN requests, making the system unavailable for legitimate users.

Chapter 8 Firewalls

Figure 80 SYN Flood (figure: Client sends SYN, SYN, SYN, SYN to Server; Server answers each with SYN-ACK and waits for ACKs that never arrive)

- In a LAND Attack, hackers flood SYN packets into the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to
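The two attacks described above can be recognised in traffic records by the symptom the text names: handshakes that never complete pile up in the backlog, and LAND packets carry the target's own address as source. The following detector is an added example written for this page, not code from the ZyXEL guide; the packet records, the backlog limit (`HALF_OPEN_LIMIT`) and the backlog timer (`SYN_TIMEOUT`) are constructed assumptions, and the 203.0.113.0/24 sources are documentation addresses standing in for spoofed ones.

```python
"""Added example (not ZyXEL's code): flag SYN-flood symptoms and LAND packets
in a list of TCP packet summaries. Addresses, thresholds and timer are assumed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

HALF_OPEN_LIMIT = 5    # assumed backlog size at which we call the target "under SYN flood"
SYN_TIMEOUT = 30.0     # assumed timer after which a half-open handshake leaves the backlog


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # "S" = SYN, "SA" = SYN-ACK, "A" = ACK


HandshakeKey = Tuple[str, int, int]   # (client address, client port, server port)


def detect(packets: List[Packet]) -> Dict[str, object]:
    """Replay packets in time order, keeping a per-server backlog of half-open handshakes.

    A SYN adds an entry for (src, sport, dport) under the server address; the client's
    final ACK removes it; entries older than SYN_TIMEOUT are expired, as the internal
    timer in the text would do. Any packet whose source equals its destination is LAND.
    """
    backlog: Dict[str, Dict[HandshakeKey, float]] = defaultdict(dict)
    land: List[Packet] = []
    flooded: Set[str] = set()
    for p in sorted(packets, key=lambda q: q.ts):
        if p.src == p.dst:                      # LAND: spoofed to look self-sent
            land.append(p)
            continue
        key: HandshakeKey = (p.src, p.sport, p.dport)
        if p.flags == "S":
            queue = backlog[p.dst]
            for k, t0 in list(queue.items()):   # the timer frees stale backlog slots
                if p.ts - t0 > SYN_TIMEOUT:
                    del queue[k]
            queue[key] = p.ts
            if len(queue) >= HALF_OPEN_LIMIT:
                flooded.add(p.dst)
        elif p.flags == "A":                    # handshake completed, leave the backlog
            backlog[p.dst].pop(key, None)
    return {
        "half_open": {d: len(q) for d, q in backlog.items() if q},
        "syn_flood_targets": sorted(flooded),
        "land_packets": len(land),
    }


# Constructed sample: one normal handshake, five SYNs from spoofed sources that are
# never acknowledged, one LAND packet, and a late SYN after the backlog timer expired.
SAMPLE: List[Packet] = [
    Packet(0.0, "192.168.1.33", 40001, "192.168.1.34", 80, "S"),
    Packet(0.1, "192.168.1.34", 80, "192.168.1.33", 40001, "SA"),
    Packet(0.2, "192.168.1.33", 40001, "192.168.1.34", 80, "A"),
    *[Packet(1.0 + i * 0.01, f"203.0.113.{i + 1}", 50000 + i, "192.168.1.34", 80, "S")
      for i in range(5)],
    Packet(2.0, "192.168.1.34", 1234, "192.168.1.34", 80, "S"),
    Packet(100.0, "192.168.1.35", 40002, "192.168.1.34", 443, "S"),
]

if __name__ == "__main__":
    print(detect(SAMPLE))
```

Keying the backlog on the client tuple is what lets a completed handshake cancel its own SYN; a flood of SYNs from distinct spoofed sources never matches any ACK, so the count climbs until the timer, not the client, clears it.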
are prone to interference.

Appendix D Wireless LANs

If the Fragmentation Threshold value is smaller than the RTS/CTS value (see previously) you set, then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size.

Preamble Type

Preamble is used to signal that data is coming to the receiver. Short and long refer to the length of the synchronization field in a packet.

Short preamble increases performance as less time sending preamble means more time for sending data. All IEEE 802.11 compliant wireless adapters support long preamble, but not all support short preamble.

Use long preamble if you are unsure what preamble mode other wireless devices on the network support, and to provide more reliable communications in busy wireless networks.

Use short preamble if you are sure all wireless devices on the network support it, and to provide more efficient communications.

Use the dynamic setting to automatically use short preamble when all wireless devices on the network support it; otherwise the ZyXEL Device uses long preamble.

Note: The wireless devices MUST use the same preamble mode in order to communicate.

IEEE 802.11g Wireless LAN

IEEE 802.11g is fully compatible with the IEEE 802.11b standard. This means an IEEE 802.11b adapter can interface directly with an IEEE 802.11g access point (and vice versa) at 11 Mbps or
ation that it receives.

- In Only: the ZyXEL Device will not send any RIP packets but will accept all RIP packets received.

- Out Only: the ZyXEL Device will send out RIP packets but will not accept any RIP packets received.

- None: the ZyXEL Device will not send any RIP packets and will ignore any RIP packets received.

The Version field controls the format and the broadcasting method of the RIP packets that the ZyXEL Device sends (it recognizes both formats when receiving). RIP-1 is universally supported, but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.

Both RIP-2B and RIP-2M send the routing data in RIP-2 format; the difference being that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting.

5.2.3 Multicast

Traditionally, IP packets are transmitted in one of either two ways: Unicast (1 sender to 1 recipient) or Broadcast (1 sender to everybody on the network). Multicast delivers IP packets to a group of hosts on the network, not everybody and not just 1.

IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group; it is not used to carry user data. IGMP version 2 (RFC 2236) is an improvement over version 1 (RFC 1112) but IGMP version 1 is still in wide use. If you would like to read more detailed information about interoperability between IGMP version 2 and version 1, please see sections 4 and 5
ations you can prioritize with WMM QoS. Select a service from the drop-down list box.

- FTP: File Transfer Program enables fast transfer of files, including large files that may not be possible by e-mail. FTP uses port number 21.

- E-Mail: Electronic mail consists of messages sent through a computer network to specific groups or individuals. Here are some default ports for e-mail: POP3 port 110, IMAP port 143, SMTP port 25, HTTP port 80.

- WWW: The World Wide Web is an Internet system to distribute graphical, hyper-linked information, based on Hyper Text Transfer Protocol (HTTP), a client/server protocol for the World Wide Web. The Web is not synonymous with the Internet; rather, it is just one service on the Internet. Other services on the Internet include Internet Relay Chat and Newsgroups. The Web is accessed through use of a browser.

- User Defined: User-defined services are user-specific services configured using known ports and applications.

Dest Port: This displays the port the selected service uses. Type a port number in the field provided if you want to use a different port to the default port. See Table 45 on page 118 for information on port numbers.

Priority: Select a priority from the drop-down list box.

Apply: Click Apply to save your changes back to the ZyXEL Device.

Cancel: Click Cancel to return to the previous screen without saving your changes.
aversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments.

Chapter 17 Universal Plug and Play (UPnP)

When a UPnP device joins a network, it announces its presence with a multicast message. For security reasons, the ZyXEL Device allows multicast messages on the LAN only.

All UPnP-enabled devices may communicate freely with each other without additional configuration. Disable UPnP if this is not your intention.

17.2 UPnP and ZyXEL

ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum UPnP(TM) Implementers Corp. (UIC). ZyXEL's UPnP implementation supports Internet Gateway Device (IGD) 1.0.

See the following sections for examples of installing and using UPnP.

17.2.1 Configuring UPnP

Click Advanced > UPnP to display the screen shown next.

See Section 17.1 on page 237 for more information.

Figure 133 Configuring UPnP (screen: UPnP Setup, with the following contents)

  Device Name: ZyXEL P-661HW-D1 Internet Sharing Gateway
  [ ] Active the Universal Plug and Play (UPnP) Feature
  [ ] Allow users to make configuration changes through UPnP
  [ ] Allow UPnP to pass through Firewall
  Note: For UPnP to function normally, the HTTP service must be available for LAN computers using UPnP.
  Apply  Cancel

The following table describes
ays assign the selected entry(ies)'s IP address(es) to the corresponding MAC address(es) and host name(s). You can select up to 32 entries in this table.

Modify: Click the modify icon to have the IP address field editable and change it.

Apply: Click Apply to save your changes back to the ZyXEL Device.

Chapter 5 LAN Setup

Table 33 LAN Client List

LABEL: DESCRIPTION

Cancel: Click Cancel to begin configuring this screen afresh.

Refresh: Click Refresh to reload the DHCP table.

5.6 LAN IP Alias

IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The ZyXEL Device supports three logical LAN interfaces via its single physical Ethernet interface with the ZyXEL Device itself as the gateway for each LAN network.

When you use IP alias, you can also configure firewall rules to control access between the LAN's logical networks (subnets).

Note: Make sure that the subnets of the logical networks do not overlap.

The following figure shows a LAN divided into subnets A, B, and C.

Figure 52 Physical Network & Partitioned Logical Networks (figure: one Ethernet interface serving subnet A, 192.168.1.1 to 192.168.1.24; subnet B, 192.168.2.1 to 192.168.2.24; and subnet C, 192.168.3.1 to 192.168.3.24)

To change your ZyXEL Device's IP alias settings, click Network > LAN > IP Alias. The screen appears as shown.
178. because they have the highest priority (6). If they each require 1536 kbps or more of extra bandwidth, the ZyXEL Device divides the total 3072 kbps of unbudgeted and unused bandwidth equally between the sales and marketing departments (1536 kbps extra to each, for a total of 3584 kbps for each) because they both have the highest priority level.

Research requires more bandwidth but only gets its budgeted 2048 kbps because all of the unbudgeted and unused bandwidth goes to the higher priority sales and marketing classes.

14.6.2.2 Fairness-based Allotment of Unused and Unbudgeted Bandwidth

The following table shows the amount of bandwidth that each class gets.

Table 90 Fairness-based Allotment of Unused and Unbudgeted Bandwidth Example
BANDWIDTH CLASSES AND ALLOTMENTS
Root Class: 10240 kbps
Administration: 1024 kbps
Sales: 3072 kbps
Marketing: 3072 kbps
Research: 3072 kbps

Suppose that all of the classes except for the administration class need more bandwidth.

• Each class gets up to its budgeted bandwidth. The administration class only uses 1024 kbps of its budgeted 2048 kbps.
• The ZyXEL Device divides the total 3072 kbps of unbudgeted and unused bandwidth equally among the other classes. 1024 kbps extra goes to each, so the other classes each get a total of 3072 kbps.

Chapter 14 Bandwidth Management

14.6.3 Over Allotment of Bandwidth

You can set the bandwidth m
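The two allotment rules described above (priority-based, where the surplus goes to the highest-priority classes that still want more, and fairness-based, where it is shared equally by every class that wants more) can be reproduced with a small model. This is an added example, not ZyXEL code; the class names, the 2048 kbps per-class budgets, the priority numbers and the demands are constructed to match the chapter's worked numbers, and the model's one extra behaviour (bandwidth a class cannot use is re-shared among the others) is an assumption about the scheduler, not something the chapter states.

```python
"""Added illustration of the two schedulers the chapter describes; not ZyXEL
code.  Class budgets, priorities and demands are constructed to match the
chapter's worked numbers (root class 10240 kbps, 2048 kbps per class)."""


def allot(root_kbps, classes, scheduler):
    """Return {class name: kbps granted} after the surplus has been shared out.

    classes: list of (name, budget_kbps, priority, demand_kbps); a higher
    priority number wins.  Every class first receives min(budget, demand).
    The surplus (unbudgeted bandwidth plus budget a class left unused) is
    then distributed:
      "priority": equally among the classes still wanting more at the
                  highest priority level, then the next level down, ...
      "fairness": equally among all classes still wanting more.
    Bandwidth a class cannot use is re-shared among the others (assumption).
    """
    grants = {name: min(budget, demand) for name, budget, _, demand in classes}
    want = {name: demand - grants[name] for name, _, _, demand in classes}
    prio = {name: p for name, _, p, _ in classes}
    surplus = root_kbps - sum(grants.values())
    if surplus < 0:
        raise ValueError("class budgets exceed the root class budget")

    def share_equally(names, amount):
        """Water-fill `amount` over `names`, never exceeding a class's want.
        Returns whatever could not be placed."""
        pending = [n for n in names if want[n] > 0]
        while pending and amount >= len(pending):
            per = amount // len(pending)
            for n in list(pending):
                give = min(per, want[n])
                grants[n] += give
                want[n] -= give
                amount -= give
                if want[n] == 0:
                    pending.remove(n)
        return amount

    if scheduler == "fairness":
        surplus = share_equally(list(grants), surplus)
    elif scheduler == "priority":
        for level in sorted(set(prio.values()), reverse=True):
            surplus = share_equally([n for n in grants if prio[n] == level], surplus)
            if surplus == 0:
                break
    else:
        raise ValueError("scheduler must be 'priority' or 'fairness'")
    return grants


# Constructed to reproduce the chapter's examples: administration only needs
# 1024 kbps of its 2048 kbps budget, the other three classes want more, and
# sales and marketing share the highest priority (6).
EXAMPLE_CLASSES = [
    ("administration", 2048, 3, 1024),
    ("sales", 2048, 6, 4096),
    ("marketing", 2048, 6, 4096),
    ("research", 2048, 3, 4096),
]

if __name__ == "__main__":
    print(allot(10240, EXAMPLE_CLASSES, "priority"))
    print(allot(10240, EXAMPLE_CLASSES, "fairness"))
```

With the chapter's numbers the priority scheduler gives sales and marketing 3584 kbps each and leaves research at its 2048 kbps budget, while the fairness scheduler gives all three 3072 kbps; administration stays at the 1024 kbps it uses in both cases.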
179. bers. A blank destination IP address means any destination IP address.
Source Address  Enter the source IP address in dotted decimal notation. A blank source IP address means any source IP address.
Source Subnet Netmask  Enter the destination subnet mask. This field is N/A if you do not specify a Source Address. Refer to the appendices for more information on IP subnetting.
Source Port  Enter the port number of the source. See Table 96 on page 220 for some common services and port numbers. A blank source port means any source port number.
Protocol  Select the protocol (TCP or UDP) or select User defined and enter the protocol (service type) number. ID 0 means any protocol number.
Back  Click Back to go to the previous screen.
Apply  Click Apply to save your changes back to the ZyXEL Device.
Cancel  Click Cancel to begin configuring this screen afresh.

Chapter 14 Bandwidth Management

Table 96 Services and Port Numbers
SERVICES  PORT NUMBER
ECHO  7
FTP (File Transfer Protocol)  21
SMTP (Simple Mail Transfer Protocol)  25
DNS (Domain Name System)  53
Finger  79
HTTP (Hyper Text Transfer protocol or WWW, Web)  80
POP3 (Post Office Protocol)  110
NNTP (Network News Transport Protocol)  119
SNMP (Simple Network Management Protocol)  161
SNMP trap  162
PPTP (Point-to-Point Tunneling Protocol)  1723

14.9 Bandwidth Monitor

To view
180. can "borrow" one of the host ID bits to divide the network 192.168.1.0 into two separate sub-networks. The subnet mask is now 25 bits (255.255.255.128 or /25).

The "borrowed" host ID bit can have a value of either 0 or 1, allowing two subnets: 192.168.1.0/25 and 192.168.1.128/25.

The following figure shows the company network after subnetting. There are now two sub-networks, A and B.

Appendix C IP Addresses and Subnetting

Figure 209 Subnetting Example: After Subnetting (diagram of the two sub-networks 192.168.1.0/25 and 192.168.1.128/25 behind one router)

In a 25-bit subnet the host ID has 7 bits, so each sub-network has a maximum of 2^7 - 2 or 126 possible hosts (a host ID of all zeroes is the subnet's address itself, all ones is the subnet's broadcast address).

192.168.1.0 with mask 255.255.255.128 is subnet A itself, and 192.168.1.127 with mask 255.255.255.128 is its broadcast address. Therefore, the lowest IP address that can be assigned to an actual host for subnet A is 192.168.1.1 and the highest is 192.168.1.126.

Similarly, the host ID range for subnet B is 192.168.1.129 to 192.168.1.254.

Example: Four Subnets

The previous example illustrated using a 25-bit subnet mask to divide a 24-bit address into two subnets. Similarly, to divide a 24-bit address into fou
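The appendix's arithmetic (borrow host-ID bits, exclude the all-zeros and all-ones host IDs, read off the usable range) is exactly what the Python standard library's ipaddress module computes. The block below is an added example, not part of the appendix; it uses the appendix's own 192.168.1.0/24 and also covers the four-subnet case the text is leading into, plus the no-overlap requirement that the LAN IP Alias section places on logical networks (the function and variable names are this example's own).

```python
import ipaddress

# Added illustration of the appendix's subnetting arithmetic using the standard
# library; not ZyXEL code.  The addresses are the appendix's own 192.168.1.0/24.


def subnet_summary(cidr):
    """Describe one subnet: its address, mask, broadcast and usable host range."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen > 30:
        raise ValueError("/31 and /32 have no all-zeros/all-ones host IDs to exclude")
    hosts = list(net.hosts())  # ipaddress omits the subnet and broadcast addresses
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "usable_hosts": len(hosts),  # equals 2**(32 - prefix) - 2
    }


def borrow_host_bits(cidr, bits):
    """Split a network by borrowing `bits` host-ID bits, as the appendix does.
    Borrowing 1 bit from a /24 gives two /25s; borrowing 2 bits gives four /26s."""
    net = ipaddress.ip_network(cidr, strict=True)
    return [str(sub) for sub in net.subnets(prefixlen_diff=bits)]


def overlapping(cidrs):
    """Return the pairs of networks that overlap.  The LAN IP Alias section
    requires the logical networks on one interface not to overlap."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]


if __name__ == "__main__":
    for sub in borrow_host_bits("192.168.1.0/24", 1):
        print(sub, subnet_summary(sub))
    print(overlapping(["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]))
```

strict=True in the first two functions rejects an address with host bits set (for example 192.168.1.5/25), which is the usual sign that someone wrote a host address where a network address was meant.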
181. ... 293
Figure 180 Windows Vista: Local Area Connection Properties ... 293
Figure 181 Windows Vista: Internet Protocol Version 4 (TCP/IPv4) Properties ... 294
Figure 182 Windows Vista: Advanced TCP/IP Properties ... 295
Figure 183 Windows Vista: Internet Protocol Version 4 (TCP/IPv4) Properties ... 296
Figure 184 Macintosh OS 8/9: Apple Menu ... 297
Figure 185 Macintosh OS 8/9: TCP/IP ... 297
Figure 186 Macintosh OS X: Apple Menu ... 298
Figure 187 Macintosh OS X: [title unreadable] ... 299
Figure 188 Red Hat 9.0: KDE: Network Configuration: Devices ... 300
Figure 189 Red Hat 9.0: KDE: Ethernet Device: General ... 300
Figure 190 Red Hat 9.0: KDE: Network Configuration: DNS ... 301
Figure 191 Red Hat 9.0: KDE: Network Configuration: Activate ... 301
Figure 192 Red Hat 9.0: Dynamic IP Address Setting in ifconfig eth0 ... 302
Figure 193 Red Hat 9.0: Sta
182. ce Access and Login
• Internet Access
• Wireless Router/AP Troubleshooting

22.1 Power, Hardware Connections, and LEDs

• The ZyXEL Device does not turn on. None of the LEDs turn on.

1 Make sure the ZyXEL Device is turned on.
2 Make sure you are using the power adaptor or cord included with the ZyXEL Device.
3 Make sure the power adaptor or cord is connected to the ZyXEL Device and plugged in to an appropriate power source. Make sure the power source is turned on.
4 Turn the ZyXEL Device off and on.
5 If the problem continues, contact the vendor.

• One of the LEDs does not behave as expected.

1 Make sure you understand the normal behavior of the LED. See Section 1.5 on page 35.
2 Check the hardware connections. See the Quick Start Guide.
3 Inspect your cables for damage. Contact the vendor to replace any damaged cables.
4 Turn the ZyXEL Device off and on.
5 If the problem continues, contact the vendor.

Chapter 22 Troubleshooting

22.2 ZyXEL Device Access and Login

• I forgot the IP address for the ZyXEL Device.

1 The default IP address is 192.168.1.1.
2 If you changed the IP address and have forgotten it, you might get the IP address of the ZyXEL Device by looking up the IP address of the default gateway for your computer. To do this in most Windows computers, click Start > Run, enter cmd, and then enter ipconfig. The IP address of the Default Gateway
183. ch between the hash value and the data and assumes that the data has been maliciously altered.

NAT is not normally compatible with ESP in transport mode either, but the ZyXEL Device's NAT Traversal feature provides a way to handle this. NAT traversal allows you to set up an IKE SA when there are NAT routers between the two IPSec routers.

Normally you cannot set up an IKE SA with a NAT router between the two IPSec routers because the NAT router changes the header of the IPSec packet. NAT traversal solves the problem by adding a UDP port 500 header to the IPSec packet. The NAT router forwards the IPSec packet with the UDP port 500 header unchanged. In Figure 106 on page 185, when IPSec router A tries to establish an IKE SA, IPSec router B checks the UDP port 500 header, and IPSec routers A and B build the IKE SA.

Figure 106 NAT Router Between IPSec Routers (diagram: IPSec Router A behind a NAT router, the Internet, and IPSec Router B)

For NAT traversal to work, you must:
• Use ESP security protocol (in either transport or tunnel mode).
• Use IKE keying mode.
• Enable NAT traversal on both IPSec endpoints.
• Set the NAT router to forward UDP port 500 to IPSec router A.

Chapter 12 VPN Screens

Finally, NAT is compatible with ESP in tunnel mode because integrity checks are performed over the combination of the "original header plus original payload", which is unchanged by a NAT device. The compatibility of AH and
184. change them to values more suitable to your security requirements.

Refer to Section 9.10.3 on page 167 to configure thresholds.

9.10.1 Threshold Values

Tune these parameters when something is not working and after you have checked the firewall counters. These default values should work fine for most small offices. Factors influencing choices for threshold values are:
• The maximum number of opened sessions.
• The minimum capacity of server backlog in your LAN network.
• The CPU power of servers in your LAN network.
• Network bandwidth.
• Type of traffic for certain servers.

If your network is slower than average for any of these factors (especially if you have servers that are slow or handle many tasks and are often busy), then the default values should be reduced.

You should make any changes to the threshold values before you continue configuring firewall rules.

Chapter 9 Firewall Configuration

9.10.2 Half-Open Sessions

An unusually high number of half-open sessions (either an absolute number or measured as the arrival rate) could indicate that a Denial of Service attack is occurring. For TCP, "half-open" means that the session has not reached the established state: the TCP three-way handshake has not yet been completed (see Figure 79 on page 140). For UDP, "half-open" means that the firewall has detected no return traffic.

The ZyXEL Device measures both the total number of existing half-op
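The two measures this section names, an absolute count of half-open sessions and their arrival rate, can be tried out on a constructed session table. The block below is an added example, not ZyXEL code, not the device's real session table and not its threshold defaults (which this chunk does not give); the Session record, the state names, the sample rows and the threshold values passed in are all this example's own, and the 198.51.100.0/24 and 203.0.113.0/24 addresses are the RFC 5737 documentation ranges standing in for WAN hosts.

```python
from collections import Counter, namedtuple

# Added illustration of the two measures Section 9.10.2 names; not ZyXEL code
# and not the device's real session table or threshold defaults.
Session = namedtuple("Session", "proto src dst started_at state")
# TCP states: "syn_sent" (handshake not completed) or "established"
# UDP states: "awaiting_reply" (no return traffic yet) or "replied"


def is_half_open(s):
    """Half-open as the chapter defines it for each protocol."""
    if s.proto == "tcp":
        return s.state != "established"
    if s.proto == "udp":
        return s.state != "replied"
    return False


def assess_half_open(sessions, now, max_total, max_per_minute, window=60):
    """Count existing half-open sessions and how many arrived in the last
    `window` seconds, then compare both with the thresholds given."""
    half = [s for s in sessions if is_half_open(s)]
    recent = [s for s in half if now - window <= s.started_at <= now]
    by_src = Counter(s.src for s in half)
    top = by_src.most_common(1)[0] if by_src else None
    return {
        "half_open_total": len(half),
        "half_open_last_window": len(recent),
        "total_exceeded": len(half) > max_total,
        "rate_exceeded": len(recent) > max_per_minute,
        "top_source": top,   # (address, count) behind most of the half-open load
    }


# Constructed sample (timestamps in seconds since an arbitrary epoch).
SAMPLE = [
    Session("tcp", "198.51.100.7", "192.168.1.20", 100, "syn_sent"),
    Session("tcp", "198.51.100.7", "192.168.1.20", 110, "syn_sent"),
    Session("tcp", "198.51.100.7", "192.168.1.20", 120, "syn_sent"),
    Session("tcp", "198.51.100.9", "192.168.1.20", 130, "syn_sent"),
    Session("tcp", "192.168.1.5", "203.0.113.10", 20, "established"),
    Session("tcp", "192.168.1.6", "203.0.113.10", 60, "established"),
    Session("udp", "198.51.100.7", "192.168.1.53", 30, "awaiting_reply"),
    Session("udp", "192.168.1.5", "203.0.113.53", 125, "replied"),
]

if __name__ == "__main__":
    # Threshold values here are constructed for the sample, not device defaults.
    print(assess_half_open(SAMPLE, now=140, max_total=4, max_per_minute=3))
```

Two thresholds are kept deliberately: a slow trickle of never-completed sessions trips the absolute count over time, while a burst trips the rate before the count has grown, which is why the chapter measures both.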
185. conds)
Idle Timeout: 600 (In Seconds)
Group Key Update Timer: [value unreadable] (In Seconds)
Apply / Cancel / Advanced Setup

The following table describes the wireless LAN security labels in this screen.

Table 39 Wireless: WPA-PSK/WPA2-PSK
LABEL  DESCRIPTION
Security Mode  Choose WPA-PSK or WPA2-PSK from the drop-down list box.
WPA Compatible  This check box is available only when you select WPA2-PSK or WPA2 in the Security Mode field. Select the check box to have both WPA2 and WPA wireless clients be able to communicate with the ZyXEL Device even when the ZyXEL Device is using WPA2-PSK or WPA2.
Pre-Shared Key  The encryption mechanisms used for WPA/WPA2 and WPA-PSK/WPA2-PSK are the same. The only difference between the two is that WPA-PSK/WPA2-PSK uses a simple common password, instead of user-specific credentials. Type a pre-shared key from 8 to 63 case-sensitive ASCII characters (including spaces and symbols).
ReAuthentication Timer (In Seconds)  Specify how often wireless clients have to resend usernames and passwords in order to stay connected. Enter a time interval between 10 and 9999 seconds. The default time interval is 1800 seconds (30 minutes). Note: If wireless client authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority.
Idle Timeout (In Seconds)  The ZyXEL Device automatically disconnects a wireless client from the wired network after a period of inactivity
186. count feature that previous ZyXEL routers supported (the SUA Only option in today's routers).
• Many-to-Many Overload: In Many-to-Many Overload mode, the ZyXEL Device maps the multiple local IP addresses to shared global IP addresses.
• Many-to-Many No Overload: In Many-to-Many No Overload mode, the ZyXEL Device maps each local IP address to a unique global IP address.
• Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world.

Port numbers do NOT change for One-to-One and Many-to-Many No Overload NAT mapping types.

Chapter 7 Network Address Translation (NAT) Screens

The following table summarizes these types.

Table 49 NAT Mapping Types
TYPE  IP MAPPING
One-to-One  ILA1 <-> IGA1
Many-to-One (SUA/PAT)  ILA1 <-> IGA1, ILA2 <-> IGA1
Many-to-Many Overload  ILA1 <-> IGA1, ILA2 <-> IGA2, ILA3 <-> IGA1, ILA4 <-> IGA2
Many-to-Many No Overload  ILA1 <-> IGA1, ILA2 <-> IGA2, ILA3 <-> IGA3
Server  Server 1 IP <-> IGA1, Server 2 IP <-> IGA1, Server 3 IP <-> IGA1

7.2 SUA (Single User Account) Versus NAT

SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server. The ZyXEL Device also supports Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mappi
187. cted (the default).
Under Scripting of Java applets make sure that Enable is selected (the default).

Appendix B Pop-up Windows, JavaScripts and Java Permissions

Figure 202 Security Settings: Java Scripting (screenshot of the Internet Explorer Security Settings dialog: under Scripting, "Active scripting", "Allow paste operations via script" and "Scripting of Java applets", each with Disable/Enable/Prompt options; "Reset custom settings" to Medium)

Java Permissions

1 From Internet Explorer, click Tools, Internet Options and then the Security tab.
2 Click the Custom Level... button.
3 Scroll down to Microsoft VM.
4 Under Java permissions make sure that a safety level is selected.
5 Click OK to close the window.

Figure 203 Security Settings: Java (screenshot: "Font download" with Disable/Enable/Prompt options; under Microsoft VM, "Java permissions" with Custom, Disable Java, High safety and Low safety options; "Reset custom settings" to Medium)

JAVA (Sun)

1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab.
2 Make sure that Use Java 2 for <applet> under Java (Sun) is selected.
3 Click OK to close the wi
188. d not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established. If this is the case, it is recommended that you select a network number from 192.168.0.0 to 192.168.255.0. The Internet Assigned Number Authority (IANA) reserved this block of addresses specifically for private use; please do not use any other number unless you are told otherwise. You must also enable Network Address Translation (NAT) on the ZyXEL Device.

Once you have decided on the network number, pick an IP address for your ZyXEL Device that is easy to remember (for instance, 192.168.1.1) but make sure that no other device on your network is using that IP address.

The subnet mask specifies the network number portion of an IP address. Your ZyXEL Device will compute the subnet mask automatically based on the IP address that you entered. You don't need to change the subnet mask computed by the ZyXEL Device unless you are instructed to do otherwise.

Private IP Addresses

Every machine on the Internet must have a unique address. If your networks are isolated from the Internet (running only between two branch offices, for example) you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP addresses specifically for private networks:
• 10.0.0.0 - 10.255.255.255
• 17
189. ddress

Secure Gateway Address is the WAN IP address or domain name of the remote IPSec router (secure gateway).

Chapter 12 VPN Screens

If the remote secure gateway has a static WAN IP address, enter it in the Secure Gateway Address field. You may alternatively enter the remote secure gateway's domain name (if it has one) in the Secure Gateway Address field.

You can also enter a remote secure gateway's domain name in the Secure Gateway Address field if the remote secure gateway has a dynamic WAN IP address and is using DDNS. The ZyXEL Device has to rebuild the VPN tunnel each time the remote secure gateway's WAN IP address changes (there may be a delay until the DDNS servers are updated with the remote gateway's new WAN IP address).

12.4.1 Dynamic Secure Gateway Address

If the remote secure gateway has a dynamic WAN IP address and does not use DDNS, enter 0.0.0.0 as the secure gateway's address. In this case only the remote secure gateway can initiate SAs. This may be useful for telecommuters initiating a VPN tunnel to the company network (see Section 12.18 on page 202 for configuration examples).

The Secure Gateway IP Address may be configured as 0.0.0.0 only when using IKE key management and not Manual key management.

12.5 VPN Setup Screen

The following figure helps explain the main fields in the web configurator.

Figure 104 IPSec Summary Fields (diagram: Local IP addresses, Remote IP addresses, L
190. ddresses that you enter in the DHCP setup are passed to the client machines along with the assigned IP address and subnet mask.

There are two ways that an ISP disseminates the DNS server addresses. The first is for an ISP to tell a customer the DNS server addresses, usually in the form of an information sheet, when s/he signs up. If your ISP gives you the DNS server addresses, enter them in the DNS Server fields in DHCP Setup; otherwise, leave them blank.

Some ISPs choose to pass the DNS servers using the DNS server extensions of PPP IPCP (IP Control Protocol) after the connection is up. If your ISP did not give you explicit DNS servers, chances are the DNS servers are conveyed through IPCP negotiation. The ZyXEL Device supports the IPCP DNS server extensions through the DNS proxy feature.

If the Primary and Secondary DNS Server fields in the DHCP Setup screen are not specified (for instance, left as 0.0.0.0), the ZyXEL Device tells the DHCP clients that it itself is the DNS server. When a computer sends a DNS query to the ZyXEL Device, the ZyXEL Device forwards the query to the real DNS server learned through IPCP and relays the response back to the computer.

Please note that DNS proxy works only when the ISP uses the IPCP DNS server extensions. It does not mean you can leave the DNS servers out of the DHCP setup under all circumstances. If your ISP gives you explicit DNS servers, make sure that you enter their IP addresses in the DHCP Setup screen
191. ders from probing your network. For more information on IP address translation, refer to RFC 1631, The IP Network Address Translator (NAT).

7.1.3 How NAT Works

Each packet has two addresses: a source address and a destination address. For outgoing packets, the ILA (Inside Local Address) is the source address on the LAN, and the IGA (Inside Global Address) is the source address on the WAN. For incoming packets, the ILA is the destination address on the LAN, and the IGA is the destination address on the WAN. NAT maps private (local) IP addresses to globally unique ones required for communication with hosts on other networks. It replaces the original IP source address (and TCP or UDP source port numbers for Many-to-One and Many-to-Many Overload NAT mapping) in each packet and then forwards it to the Internet. The ZyXEL Device keeps track of the original addresses and port numbers so incoming reply packets can have their original values restored. The following figure illustrates this.

Figure 70 How NAT Works (diagram: LAN hosts 192.168.1.10 to 192.168.1.13 on the left, the Internet on the right, and the NAT Table in between)
NAT Table
Inside Local IP Address (LAN)  Inside Global IP Address (WAN)
192.168.1.10  IGA1
192.168.1.11  IGA2
192.168.1.12  IGA3
192.168.1.13  IGA4
Inside Local Addresses (ILA)  Inside Global Addresses (IGA)

7.1.4 NAT Application

The following figure illustrates a possible NAT applicat
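The state table described in Section 7.1.3 (and the port-number behaviour that distinguishes the mapping types in Table 49) can be seen in miniature with a toy NAT model: One-to-One keeps the source port, Many-to-One shares one global address and rewrites the port so that replies can be mapped back, and an inbound packet with no matching entry has nowhere to go. This is an added example, not ZyXEL code and not how ZyNOS stores its table; the class, its mode names and the port range it hands out are this example's own, and the 203.0.113.0/24 addresses are RFC 5737 documentation addresses standing in for real IGAs.

```python
# Added toy model of the ILA/IGA translation table; not ZyXEL code.
# Global addresses come from the RFC 5737 documentation range.


class NatTable:
    """Translate outbound (ILA, port) pairs and map inbound replies back.

    mode "one_to_one": each ILA is tied to its own IGA; ports are unchanged.
    mode "many_to_one": every ILA shares the first IGA; the source port is
                        rewritten (PAT) so the reply can be mapped back.
    """

    def __init__(self, mode, global_ips, first_port=40000):
        if mode not in ("one_to_one", "many_to_one"):
            raise ValueError("unknown mapping mode: " + mode)
        if not global_ips:
            raise ValueError("at least one global address is needed")
        self.mode = mode
        self.free_globals = list(global_ips)
        self.static = {}        # one_to_one: ila -> iga
        self.next_port = first_port
        self.entries = {}       # (ila, sport) -> (iga, gport)
        self.reverse = {}       # (iga, gport) -> (ila, sport)

    def outbound(self, ila, sport):
        """Return the (IGA, port) written into an outgoing packet's source."""
        key = (ila, sport)
        if key in self.entries:
            return self.entries[key]
        if self.mode == "one_to_one":
            if ila not in self.static:
                if not self.free_globals:
                    raise RuntimeError("no free global address for " + ila)
                self.static[ila] = self.free_globals.pop(0)
            translated = (self.static[ila], sport)       # port unchanged
        else:
            translated = (self.free_globals[0], self.next_port)
            self.next_port += 1                           # unique port per flow
        self.entries[key] = translated
        self.reverse[translated] = key
        return translated

    def inbound(self, iga, dport):
        """Return the original (ILA, port) for a reply, or None when no
        outbound flow created an entry (the packet cannot be delivered)."""
        return self.reverse.get((iga, dport))


if __name__ == "__main__":
    pat = NatTable("many_to_one", ["203.0.113.1"])
    print(pat.outbound("192.168.1.10", 5000), pat.outbound("192.168.1.11", 5000))
    print(pat.inbound("203.0.113.1", 40001), pat.inbound("203.0.113.1", 12345))
```

The None returned for an unknown inbound pair is the mechanism behind the section's remark that NAT keeps outsiders from reaching hosts that never opened a flow: without a table entry there is no ILA to forward to.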
192. dresses. Select Subnet to specify IP addresses on a network by their subnet mask.
IP Address Start  When the Local Address Type field is configured to Single, enter a (static) IP address on the LAN behind your ZyXEL Device. When the Local Address Type field is configured to Range, enter the beginning (static) IP address, in a range of computers on your LAN behind your ZyXEL Device. When the Local Address Type field is configured to Subnet, this is a (static) IP address on the LAN behind your ZyXEL Device.
End / Subnet Mask  When the Local Address Type field is configured to Single, this field is N/A. When the Local Address Type field is configured to Range, enter the end (static) IP address, in a range of computers on the LAN behind your ZyXEL Device. When the Local Address Type field is configured to Subnet, this is a subnet mask on the LAN behind your ZyXEL Device.
Remote  Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.
Remote Address Type  Use the drop-down menu to choose Single, Range, or Subnet. Select Single with a single IP address. Select Range for a specific range of IP addresses. Selec
193. dvanced
Static Route  Use this screen to configure IP static routes.
Bandwidth MGMT
  Summary  Use this screen to enable bandwidth management on an interface.
  Rule Setup  Use this screen to define a bandwidth rule.
  Monitor  Use this screen to view the ZyXEL Device's bandwidth usage and allotments.
Dynamic DNS  Use this screen to set up dynamic DNS.
Remote MGMT
  WWW  Use this screen to configure through which interface(s) and from which IP address(es) users can use HTTPS or HTTP to manage the ZyXEL Device.
  Telnet  Use this screen to configure through which interface(s) and from which IP address(es) users can use Telnet to manage the ZyXEL Device.
  FTP  Use this screen to configure through which interface(s) and from which IP address(es) users can use FTP to access the ZyXEL Device.
  SNMP  Use this screen to configure your ZyXEL Device's settings for Simple Network Management Protocol management.
  DNS  Use this screen to configure through which interface(s) and from which IP address(es) users can send DNS queries to the ZyXEL Device.
  ICMP  Use this screen to change your anti-probing settings.
UPnP  Use this screen to enable UPnP on the ZyXEL Device.
Maintenance
  System General  This screen contains administrative and system-related information and also allows you to change your password.
  Time Setting  Use this screen to change your ZyXEL Device's time and date.
  Logs View Log  Use this screen to view th
194. e
Figure (screenshot of the Edit Address Mapping Rule1 screen: Type One-to-One; Local Start IP 0.0.0.0; Local End IP N/A; Global Start IP 0.0.0.0; Global End IP N/A; Server Mapping Set N/A with an Edit Details link; Back, Apply and Cancel buttons)

Chapter 7 Network Address Translation (NAT) Screens

The following table describes the fields in this screen.

Table 55 Edit Address Mapping Rule
LABEL  DESCRIPTION
Type  Choose the port mapping type from one of the following.
  One-to-One: One-to-One mode maps one local IP address to one global IP address. Note that port numbers do not change for the One-to-One NAT mapping type.
  Many-to-One: Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyXEL routers supported only.
  Many-to-Many Overload: Many-to-Many Overload mode maps multiple local IP addresses to shared global IP addresses.
  Many-to-Many No Overload: Many-to-Many No Overload mode maps each local IP address to unique global IP addresses.
  Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world.
Local Start IP  This is the starting local IP address (ILA). Local IP addresses are N/A for Server port mapping.
Local End IP  This is the end local IP address (ILA). If your rule is for all l
195. e
(screenshot fragment of the wizard screen: the text "Enter the amount of bandwidth that you..." next to an Active check box and a Services Setup check box; Back, Next and Exit buttons)

The following fields describe the labels in this screen.

Table 22 Bandwidth Management Wizard: General Information
LABEL  DESCRIPTION
Active  Select the Active check box to have the ZyXEL Device apply bandwidth management to traffic going out through the ZyXEL Device's WAN, LAN or WLAN. Select Services Setup to allocate bandwidth based on the service requirements.
Back  Click Back to display the previous screen.
Next  Click Next to proceed to the next screen.
Exit  Click Exit to close the wizard screen without saving.

3.3.2 Screen 2

Use the second wizard screen to select the services that you want to apply bandwidth management, and select the priorities that you want to apply to the services listed.

Chapter 3 Wizards

Figure 35 Bandwidth Management Wizard: Configuration (screenshot of the Service Configuration screen: each service has High, Mid and Low priority radio buttons; the readable service names are FTP, E-Mail, Telnet, NetMeeting (H.323), VoIP (SIP) and VoIP (H.323); the remaining names and the introductory text are unreadable in the scan)

Use High, Mid, or Low to prioritize the bandwidth for each service.

Auto classifie
196. e Chapter 16 on page 225.
• TR-069: This is a standard that defines how your ZyXEL Device can be managed by a management server. See Chapter 16 on page 225.

1.4 Good Habits for Managing the ZyXEL Device

Do the following things regularly to make the ZyXEL Device more secure and to manage the ZyXEL Device more effectively.
• Change the password. Use a password that's not easy to guess and that consists of different types of characters, such as numbers and letters.
• Write down the password and put it in a safe place.
• Back up the configuration (and make sure you know how to restore it). Restoring an earlier working configuration may be useful if the device becomes unstable or even crashes. If you forget your password, you will have to reset the ZyXEL Device to its factory default settings. If you backed up an earlier configuration file, you would not have to totally re-configure the ZyXEL Device. You could simply restore your last configuration.

1.5 Front Panel LEDs

The following figure shows the front panel LEDs.

Chapter 1 Getting To Know Your ZyXEL Device

Figure 3 Front Panel (photo of the ZyXEL P-600 series front panel with the POWER, WLAN, DSL and INTERNET LEDs)

The following table describes the LEDs.

Table 2 Front Panel LEDs
LED  COLOR  STATUS  DESCRIPTION
POWER  Green  On  The ZyXEL Device is receiving power and functioning properly.
POWER  Green  Blinking  The ZyXEL Device is rebooting or perf
197. e Management: DNS ... 232
Figure 131 Remote Management: ICMP ... 233
Figure 132 [title unreadable] ... 234
Figure 133 Configuring UPnP ... 238
Figure 134 Add/Remove Programs: Windows Setup: Communication ... 239
Figure 135 Add/Remove Programs: Windows Setup: Communication: Components ... 240
Figure 136 Network Connections ... 240
Figure 137 Windows Optional Networking Components Wizard ... 241
Figure 138 Networking Services ... 241
Figure 139 Network Connections ... 242
Figure 140 Internet Connection Properties ... 243
Figure 141 Internet Connection Properties: Advanced Settings ... 244
Figure 142 Internet Connection Properties: Advanced Settings: Add ... 244
Figure 143 [title unreadable] ... 245
Figure 144 [title unreadable] ... 245
Figure 145 [title unreadable] ... 246
Figure 146 Network Connections: My Network Places
198. e ToS value of outgoing packets is between 0 and 255. 0 is the lowest priority.

WMM QoS checks the ToS in the header of transmitted data packets. It gives the application a priority according to this number. If the ToS is not specified, then transmitted data is treated as normal or best-effort traffic.

Click Network > Wireless LAN > QoS. The following screen displays.

Figure 68 Wireless LAN: QoS (screenshot: an Enable WMM QoS check box; a WMM QoS Policy drop-down set to Application Priority; a table with columns #, Name, Service, Dest Port and Priority and ten empty entries; Apply and Cancel buttons)

The following table describes the fields in this screen.

Table 46 Wireless LAN: QoS
LABEL  DESCRIPTION
QoS
Enable WMM QoS  Select the check box to enable WMM QoS on the ZyXEL Device.
WMM QoS Policy  Select Default to have the ZyXEL Device automatically give a service a priority level according to the ToS value in the IP header of packets it sends. Select Application Priority from the drop-down list box to display a table of application names, services, ports and priorities to which you want to apply WMM QoS.
#  This is the number of an individual application entry.
Name  This field displays a description given to an application entry.
Service  This field displays either FTP, WWW, E-mail or a User Defined service to which you want to apply WMM QoS.
Dest Port  This field di
199. e also does not have to match the remote router's IP address or what you configure in the Secure Gateway Addr field below.

Chapter 12 VPN Screens

12.9.1 ID Type and Content Examples

Two IPSec routers must have matching ID type and content configuration in order to set up a VPN tunnel.

The two ZyXEL Devices in this example can complete negotiation and establish a VPN tunnel.

Table 76 Matching ID Type and Content Configuration Example
ZYXEL DEVICE A  ZYXEL DEVICE B
Local ID type: E-mail  Local ID type: IP
Local ID content: tom@yourcompany.com  Local ID content: 1.1.1.2
Peer ID type: IP  Peer ID type: E-mail
Peer ID content: 1.1.1.2  Peer ID content: tom@yourcompany.com

The two ZyXEL Devices in this example cannot complete their negotiation because ZyXEL Device B's Local ID type is IP, but ZyXEL Device A's Peer ID type is set to E-mail. An "ID mismatched" message displays in the IPSEC LOG.

Table 77 Mismatching ID Type and Content Configuration Example
ZYXEL DEVICE A  ZYXEL DEVICE B
Local ID type: IP  Local ID type: IP
Local ID content: 1.1.1.10  Local ID content: 1.1.1.10
Peer ID type: E-mail  Peer ID type: IP
Peer ID content: aa@yahoo.com  Peer ID content: N/A

12.10 Pre-Shared Key

A pre-shared key identifies a communicating party during a phase 1 IKE negotiation (see Section 12.12 on page 193 for more on IKE phases). It is called
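The matching rule behind Tables 76 and 77 (A's Peer ID must equal B's Local ID, and B's Peer ID must equal A's Local ID, in both type and content) is easy to check before a tunnel is brought up and an "ID mismatched" log entry has to be chased. The block below is an added example, not ZyXEL code; the dictionary layout and function names are this example's own, and treating a Peer ID whose content is "N/A" or empty as matching on type alone is an assumption made so that Table 77 yields exactly the one mismatch the text describes, not something the manual states.

```python
# Added check for the ID-matching rule in Section 12.9.1; not ZyXEL code.
# An identity is a (type, content) pair, for example ("ip", "1.1.1.2").
# Assumption (not stated by the manual): a Peer ID whose content is "N/A"
# or empty is matched on type only.


def identity_matches(peer_id, local_id):
    """True when the peer ID one side expects matches the local ID the other
    side presents."""
    peer_type, peer_content = peer_id
    local_type, local_content = local_id
    if peer_type != local_type:
        return False
    return peer_content in ("N/A", "", None) or peer_content == local_content


def check_id_match(device_a, device_b):
    """Return the list of reasons Phase 1 ID checking would fail; an empty
    list means the two devices' ID type and content are consistent."""
    problems = []
    if not identity_matches(device_a["peer"], device_b["local"]):
        problems.append("A's Peer ID %s does not match B's Local ID %s"
                        % (device_a["peer"], device_b["local"]))
    if not identity_matches(device_b["peer"], device_a["local"]):
        problems.append("B's Peer ID %s does not match A's Local ID %s"
                        % (device_b["peer"], device_a["local"]))
    return problems


# Table 76: a matching pair.
TABLE_76_A = {"local": ("email", "tom@yourcompany.com"), "peer": ("ip", "1.1.1.2")}
TABLE_76_B = {"local": ("ip", "1.1.1.2"), "peer": ("email", "tom@yourcompany.com")}
# Table 77: B's Local ID type is IP but A's Peer ID type is E-mail.
TABLE_77_A = {"local": ("ip", "1.1.1.10"), "peer": ("email", "aa@yahoo.com")}
TABLE_77_B = {"local": ("ip", "1.1.1.10"), "peer": ("ip", "N/A")}

if __name__ == "__main__":
    print(check_id_match(TABLE_76_A, TABLE_76_B))
    print(check_id_match(TABLE_77_A, TABLE_77_B))
```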
200. e bandwidth management on that interface. Bandwidth management applies to all traffic flowing out of the router through the interface, regardless of the traffic's source.

Traffic redirect or IP alias may cause LAN-to-LAN traffic to pass through the ZyXEL Device and be managed by bandwidth management.

Active: Select an interface's check box to enable bandwidth management on that interface.

Speed (kbps): Enter the amount of bandwidth for this interface that you want to allocate using bandwidth management. This appears as the bandwidth budget of the interface's root class. The recommendation is to set this speed to match the interface's actual transmission speed. For example, set the WAN interface speed to 1000 kbps if your Internet connection has an upstream transmission speed of 1 Mbps. If this number is higher than the interface's actual transmission speed, and you configure bandwidth rules for all of the bandwidth, higher priority traffic could use all of the bandwidth so lower priority traffic does not get through.

Note: Unless you enable Max Bandwidth Usage, the ZyXEL Device only uses up to the amount of bandwidth that you configure here. The ZyXEL Device does not use any more bandwidth for the interface's connections, even if the interface has more outgoing bandwidth.

Scheduler: Select either Priority-Based or Fairness-Based from the drop-down menu to control the traffic flow. Select Priority-Based to give preference to bandwid
201. e basics of IPSec VPNs.

11.1 VPN Overview

A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication.

11.1.1 IPSec

Internet Protocol Security (IPSec) is a standards-based VPN that offers flexible solutions for secure data communications across a public network like the Internet. IPSec is built around a number of standardized cryptographic techniques to provide confidentiality, data integrity and authentication at the IP layer.

11.1.2 Security Association

A Security Association (SA) is a contract between two parties indicating what security parameters, such as keys and algorithms, they will use.

11.1.3 Other Terminology

11.1.3.1 Encryption

Encryption is a mathematical operation that transforms data from "plaintext" (readable) to "ciphertext" (scrambled text) using a "key". The key and clear text are processed by the encryption operation, which leads to the data scrambling that makes encryption secure. Decryption is the opposite of encryption; it is a mathematical operation that transforms "ciphertext" to plaintext. Decryption also requires a key.

Figure
202. e encrypted contents, but not the new headers, are signed with a hash value appended to the packet.

Tunnel mode ESP with authentication is compatible with NAT because integrity checks are performed over the combination of the "original header plus original payload", which is unchanged by a NAT device.

Transport mode ESP with authentication is not compatible with NAT.

Table 70 VPN and NAT
SECURITY PROTOCOL | MODE | NAT
AH | Transport | N
AH | Tunnel | N
ESP | Transport | N
ESP | Tunnel | Y

VPN Screens

This chapter introduces the VPN screens. See the Logs chapter for information on viewing logs and the appendix for IPSec log descriptions.

12.1 VPN/IPSec Overview

Use the screens documented in this chapter to configure rules for VPN connections and manage VPN connections.

12.2 IPSec Algorithms

The ESP and AH protocols are necessary to create a Security Association (SA), the foundation of an IPSec VPN. An SA is built from the authentication provided by the AH and ESP protocols. The primary function of key management is to establish and maintain the SA between systems. Once the SA is established, the transport of data may commence.

12.2.1 AH (Authentication Header) Protocol

AH protocol (RFC 2402) was designed for integrity, authentication, sequence integrity (replay resistance) and non-repudiation but not for
203. e firewall rule. Note that subsequent firewall rules move up by one when you take this action.

Order: Click the Move icon to display the Move the rule to field. Type a number in the Move the rule to field and click the Move button to move the rule to the number that you typed. The ordering of your rules is important as they are applied in order of their numbering.

Apply: Click Apply to save your changes back to the ZyXEL Device.

Cancel: Click Cancel to begin configuring this screen afresh.

9.7.1 Configuring Firewall Rules

Refer to Section 8.1 on page 137 for more information.

In the Rules screen, select an index number and click Add or click a rule's Edit icon to display this screen and refer to the following table for information on the labels.

Figure 88 Firewall: Edit Rule (screen with the Active, Action for Matched Packets, Source Address, Destination Address, Service and Schedule fields)
204. e in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the ZyXEL Device.

Make sure the computer is connected to a LAN port of the ZyXEL Device. Turn on your computer and the ZyXEL Device.

Auto-discover Your UPnP-enabled Network Device

1 Click Start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway.
2 Right-click the icon and select Properties.

Figure 139 Network Connections

3 In the Internet Connection Properties window, click Settings to see the port mappings there were automatically created.

Figure 140 Internet Connection Properties
205. e logs for the categories that you selected.
Log Settings: Use this screen to change your ZyXEL Device's log settings.
Tools > Firmware: Use this screen to upload firmware to your ZyXEL Device.
Configuration: Use this screen to backup and restore the configuration or reset the factory defaults to your ZyXEL Device.
Restart: This screen allows you to reboot the ZyXEL Device without turning the power off.
Diagnostic > General: These screens display information to help you identify problems with the ZyXEL Device general connection.
DSL Line: These screens display information to help you identify problems with the DSL line.

2.4.2 Status Screen

The following summarizes how to navigate the web configurator from the Status screen. Some fields or links are not available if you entered the user password in the login password screen (see Figure 6 on page 40).

Figure 10 Status Screen (panels: Device Information, System Status, WAN Information, Interface Status)
206. e same line. A splitter also eliminates the destructive interference conditions caused by telephone sets.

Install the POTS splitter at the point where the telephone line enters your residence, as shown in the following figure.

Figure 4 Connecting a POTS Splitter

1 Connect the side labeled "Phone" to your telephone.
2 Connect the side labeled "Modem" or "DSL" to your ZyXEL Device.
3 Connect the side labeled "Line" to the telephone wall jack.

1.7.2 Telephone Microfilters

Telephone voice transmissions take place in the lower frequency range (0 - 4 KHz), while ADSL transmissions take place in the higher bandwidth range (above 4 KHz). A microfilter acts as a low-pass filter for your telephone, to ensure that ADSL transmissions do not interfere with your telephone voice transmissions. The use of a telephone microfilter is optional.

1 Locate and disconnect each telephone.
2 Connect a cable from the wall jack to the "wall side" of the microfilter.
3 Connect the "phone side" of the microfilter to your telephone as shown in the following figure.
4 After you are done, make sure that your telephone works. If your telephone does not work, disconnect the microfilter and contact either your local telephone company or the provider of the microfilter.

Figure 5 Connecting a Microfilter
207. e the day and time when Daylight Saving Time ends if you selected Enable Daylight Saving. The o'clock field uses the 24 hour format. Here are a couple of examples:

Daylight Saving Time ends in the United States on the last Sunday of October. Each time zone in the United States stops using Daylight Saving Time at 2 A.M. local time. So in the United States you would select Last, Sunday, October and type 2 in the o'clock field.

Daylight Saving Time ends in the European Union on the last Sunday of October. All of the time zones in the European Union stop using Daylight Saving Time at the same moment (1 A.M. GMT or UTC). So in the European Union you would select Last, Sunday, October. The time you type in the o'clock field depends on your time zone. In Germany for instance, you would type 2 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1).

Apply: Click Apply to save your changes back to the ZyXEL Device.
Cancel: Click Cancel to begin configuring this screen afresh.

Logs

This chapter contains information about configuring general log settings and viewing the ZyXEL Device's logs. Refer to the appendix for example log message explanations.

19.1 Logs Overview

The web configurator allows you to choose which categories of events and/or alerts to have the ZyXEL Device log and then display the logs or have the ZyXEL D
208. e you entered has priority and the Time Zone and Daylight Saving settings do not affect it.

New Time (hh:mm:ss): This field displays the last updated time from the time server or the last time configured manually. When you set Time and Date Setup to Manual, enter the new time in this field and then click Apply.

New Date (yyyy-mm-dd): This field displays the last updated date from the time server or the last date configured manually. When you set Time and Date Setup to Manual, enter the new date in this field and then click Apply.

Get from Time Server: Select this radio button to have the ZyXEL Device get the time and date from the time server you specified below.

Time Protocol: Select the time service protocol that your time server sends when you turn on the ZyXEL Device. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works. The main difference between them is the format. Daytime (RFC 867) format is day/month/year/time zone of the server. Time (RFC 868) format displays a 4-byte integer giving the total number of seconds since 1970/1/1 at 0:0:0. The default, NTP (RFC 1305), is similar to Time (RFC 868).

Time Server Address: Enter the IP address or URL (up to 20 extended ASCII characters in length) of your time server. Check with your ISP/network administrator if you are unsure of this information.

Time Zone Setu
210. ear as a single computer to the outside world.

You may enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server. The port number identifies a service; for example, web service is on port 80 and FTP on port 21. In some cases, such as for unknown services or where one server can support more than one service (for example both FTP and web service), it might be better to specify a range of port numbers. You can allocate a server IP address that corresponds to a port or a range of ports.

Many residential broadband ISP accounts do not allow you to run any server processes (such as a Web or FTP server) from your location. Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location. If you are unsure, refer to your ISP.

7.4.1 Default Server IP Address

In addition to the servers for specified services, NAT supports a default server IP address. A default server receives packets from ports that are not specified in this screen.

Note: If you do not assign a Default Server IP address, the ZyXEL Device discards all packets received for ports that are not specified here or in the remote management setup.

7.4.2 Port Forwarding: Services and Port Numbers

Use the Port Forwarding screen to forward incoming service requests to the server(s)
211. ect if the normal WAN connection goes down.
Note: If you activate traffic redirect, you must configure at least one Check WAN IP Address.

Metric: This field sets this route's priority among the routes the ZyXEL Device uses. The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost". RIP routing uses hop count as the measurement of cost, with a minimum of "1" for directly connected networks. The number must be between "1" and "15"; a number greater than "15" means the link is down. The smaller the number, the lower the "cost".

Backup Gateway: Type the IP address of your backup gateway in dotted decimal notation. The ZyXEL Device automatically forwards traffic to this IP address if the ZyXEL Device's Internet connection terminates.

Apply: Click Apply to save the changes.
Cancel: Click Cancel to begin configuring this screen afresh.

LAN Setup

This chapter describes how to configure LAN settings.

5.1 LAN Overview

A Local Area Network (LAN) is a shared communication system to which many computers are attached. A LAN is a computer network limited to the immediate area, usually the same building or floor of a building. The LAN screens can help you configure a LAN DHCP server and manage IP addresses.

See Section 5.3 on page 94 to configure the LAN screens.

5.1.1 LANs, WANs and the
212. edit the VPN configuration. Click the Remove icon to remove an existing VPN configuration.
Back: Click Back to return to the previous screen.

12.6 Keep Alive

When you initiate an IPSec tunnel with keep alive enabled, the ZyXEL Device automatically renegotiates the tunnel when the IPSec SA lifetime period expires (see Section 12.12 on page 193 for more on the IPSec SA lifetime). In effect, the IPSec tunnel becomes an "always on" connection after you initiate it. Both IPSec routers must have a ZyXEL Device compatible keep alive feature enabled in order for this feature to work.

If the ZyXEL Device has its maximum number of simultaneous IPSec tunnels connected to it and they all have keep alive enabled, then no other tunnels can take a turn connecting to the ZyXEL Device because the ZyXEL Device never drops the tunnels that are already connected.

When there is outbound traffic with no inbound traffic, the ZyXEL Device automatically drops the tunnel after two minutes.

12.7 VPN, NAT, and NAT Traversal

NAT is incompatible with the AH protocol in both transport and tunnel mode. An IPSec VPN using the AH protocol digitally signs the outbound packet (both data payload and headers) with a hash value appended to the packet, but a NAT device between the IPSec endpoints rewrites the source or destination address. As a result, the VPN device at the receiving end finds a mismat
214. egories that you select in the Log Settings screen display in the drop-down list box. Select a category of logs to view; select All Logs to view logs from all of the log categories that you selected in the Log Settings page.
Time: This field displays the time the log was recorded.
Message: This field states the reason for the log.
Source: This field lists the source IP address and the port number of the incoming packet.
Destination: This field lists the destination IP address and the port number of the incoming packet.
Notes: This field displays additional information about the log entry.
Email Log Now: Click Email Log Now to send the log screen to the e-mail address specified in the Log Settings page (make sure that you have first filled in the E-mail Log Settings fields in Log Settings).
Refresh: Click Refresh to renew the log screen.
Clear Log: Click Clear Log to delete all the logs.

19.3 Configuring Log Settings

Use the Log Settings screen to configure to where the ZyXEL Device is to send logs, the schedule for when the ZyXEL Device is to send the logs and which logs and/or immediate alerts the ZyXEL Device is to record. See Section 19.1 on page 257 for more information.

To change your ZyXEL Device's log settings, click Maintenance > Logs > Log Settings. The screen appears as shown.

Alerts are e-mailed as soon as they happen. Logs may be e-mailed as soon as the log is full. Selecting many alert and/or log categories
216. el to begin configuring this screen afresh.

16.9 TR-069 (P-661H Only)

TR-069 is a protocol that defines how your ZyXEL Device can be managed via a management server such as ZyXEL's Vantage CNM Access.

An administrator can use CNM Access to remotely set up the ZyXEL Device, modify settings, perform firmware upgrades as well as monitor and diagnose the ZyXEL Device. All you have to do is enable the device to be managed by CNM Access and specify the CNM Access IP address or domain name and username and password.

Follow the procedure below to configure your ZyXEL Device to be managed by CNM Access. See the Command Interpreter appendix for information on the command structure and how to access the CLI (Command Line Interface) on the ZyXEL Device.

In this example a.b.c.d is the IP address of CNM Access. You must change this value to reflect your actual management server IP address or domain name. See Table 106 on page 235 for detailed descriptions of the commands.

Figure 132 Enabling TR-069

    ras> wan tr069 load
    ras> wan tr069 acsUrl a.b.c.d
    Auto-Configuration Server URL: http://a.b.c.d
    ras> wan tr069 periodicEnable 1
    ras> wan tr069 informInterval 2400
    TR069 InformInterval 2400
    ras> wan tr069 active 1
    ras> wan tr069 save

The following table gives a description of TR-069 commands.

Table 106 TR-069 Commands
217. en sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute.

When the number of existing half-open sessions rises above a threshold (max-incomplete high), the ZyXEL Device starts deleting half-open sessions as required to accommodate new connection requests. The ZyXEL Device continues to delete half-open requests as necessary, until the number of existing half-open sessions drops below another threshold (max-incomplete low).

When the rate of new connection attempts rises above a threshold (one-minute high), the ZyXEL Device starts deleting half-open sessions as required to accommodate new connection requests. The ZyXEL Device continues to delete half-open sessions as necessary, until the rate of new connection attempts drops below another threshold (one-minute low). The rate is the number of new attempts detected in the last one-minute sample period.

9.10.2.1 TCP Maximum Incomplete and Blocking Time

An unusually high number of half-open sessions with the same destination host address could indicate that a Denial of Service attack is being launched against the host.

Whenever the number of half-open sessions with the same destination host address rises above a threshold (TCP Maximum Incomplete), the ZyXEL Device starts deleting half-open sessions according to one of the following methods:

If the Blocking Time timeout is
218. encryption algorithms for data communications, both the sending device and the receiving device must use the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. This implementation of AES uses a 128-bit key. AES is faster than 3DES. Select NULL to set up a tunnel without encryption. When you select NULL, you do not enter an encryption key.

Table 78 Edit VPN Policies
LABEL: DESCRIPTION
Authentication Algorithm: Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA1 for maximum security.
Advanced: Click Advanced to configure more detailed settings of your IKE key management.
Apply: Click Apply to save your changes back to the ZyXEL Device.
Cancel: Click Cancel to begin configuring this screen afresh.

12.12 IKE Phases

There are two phases to every IKE (Internet Key Exchange) negotiation: phase 1 (Authenticatio
219. er for a service if needed; however, you must use the same port number in order to use that service for remote management.
Access Status: Select the interface(s) through which a computer may access the ZyXEL Device using this service.

Table 103 Remote Management: SNMP
LABEL: DESCRIPTION
Secured Client IP: A secured client is a "trusted" computer that is allowed to communicate with the ZyXEL Device using this service. Select All to allow any computer to access the ZyXEL Device using this service. Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service.
SNMP Configuration
Get Community: Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. The default is public and allows all requests.
Set Community: Enter the Set community, which is the password for incoming Set requests from the management station. The default is public and allows all requests.
Trap Community: Type the trap community, which is the password sent with each trap to the SNMP manager. The default is public and allows all requests.
Destination: Type the IP address of the station to send your SNMP traps to.
Apply: Click Apply to save your customized settings and exit this screen.
Cancel: Click Cancel
220. er of existing half-open sessions drops below this number.

Maximum Incomplete High: This is the number of existing half-open sessions that causes the firewall to start deleting half-open sessions. When the number of existing half-open sessions rises above this number, the ZyXEL Device deletes half-open sessions as required to accommodate new connection requests. Do not set Maximum Incomplete High to lower than the current Maximum Incomplete Low number. For example, if you set the maximum incomplete high to 100, the ZyXEL Device starts deleting half-open sessions when the number of existing half-open sessions rises above 100. It stops deleting half-open sessions when the number of existing half-open sessions drops below the number set as the maximum incomplete low.

Table 66 Firewall: Thresholds (continued)
LABEL: DESCRIPTION
TCP Maximum Incomplete: An unusually high number of half-open sessions with the same destination host address could indicate that a DoS attack is being launched against the host. Specify the number of existing half-open TCP sessions with the same destination host IP address that causes the firewall to start dropping half-open sessions to that same destination host IP address. Enter a number between 1 and 256. As a general rule, you should choose a smaller number for a smaller network, a slower system or limited bandwidth. The ZyXEL D
221. erlap. The local IP addresses of the rules configured on the telecommuters' IPSec routers should not overlap.

See the following table and figure for an example where three telecommuters each use a different VPN rule for a VPN connection with a ZyXEL Device located at headquarters. The ZyXEL Device at headquarters (HQ in the figure) identifies each incoming SA by its ID type and content and uses the appropriate VPN rule to establish the VPN connection.

The ZyXEL Device at headquarters can also initiate VPN connections to the telecommuters since it can find the telecommuters by resolving their domain names.

Figure 115 Telecommuters Using Unique VPN Rules Example

Table 84 Telecommuters Using Unique VPN Rules Example
All Telecommuter Rules: My IP Address: 0.0.0.0; Secure Gateway Address: bigcompanyhq.com; Remote IP Address: 192.168.1.10; Peer ID Type: E-mail; Peer ID Content: bob@bigcompanyhq.com
All Headquarters Rules: My IP Address: bigcompanyhq.com; Local IP Address: 192.168.1.10; Local ID Type: E-mail; Local ID Content: bob@bigcompanyhq.com
Telecommuter A (telecommutera.dydns.org): Local ID Type: IP; Local ID Content: 192.168.2.12
Headquarters ZyXEL Device Rule 1: Peer ID Type: IP; Peer ID Co
... determines if a log for packets that match the rule is created or not. Go to the Log Settings page and select the Access Control logs category to have the ZyXEL Device record these logs.
Alert (Send Alert Message to Administrator When Matched): Select the check box to have the ZyXEL Device generate an alert when the rule is matched.

Chapter 9 Firewall Configuration

Table 62 Firewall: Edit Rule (continued)
LABEL / DESCRIPTION
Apply: Click Apply to save your customized settings and exit this screen.
Cancel: Click Cancel to exit this screen without saving.

9.7.2 Customized Services

Configure customized services and port numbers not predefined by the ZyXEL Device. For a comprehensive list of port numbers and services, visit the IANA (Internet Assigned Numbers Authority) web site. See Appendix E on page 337 for a list of commonly used services and port numbers. Click the Edit Customized Services link while editing a firewall rule to configure a custom service port. This displays the following screen.

Refer to Section 8.1 on page 137 for more information.

Figure 89 Firewall: Customized Services
[Screen: Customized Services list (numbered rows) with a Back button]

The following table describes the labels in this screen.
Table 63 Customized Services
LABEL / DESCRIPTION
No.: This is the number of your customized port. Click a rule's numbe...
... errors.

Table 102 SNMPv2 Traps
OBJECT LABEL / OBJECT ID / DESCRIPTION
SNMPv2 Traps:
  coldStart (1.3.6.1.6.3.1.1.5.1): This trap is sent when the device is turned on.
  warmStart (1.3.6.1.6.3.1.1.5.2): This trap is sent when the device restarts.
  linkDown (1.3.6.1.6.3.1.1.5.3): This trap is sent when the Ethernet link is down.
  linkUp (1.3.6.1.6.3.1.1.5.4): This trap is sent when the Ethernet link is up.
RFC 1493 Traps:
  newRoot (1.3.6.1.2.1.17.0.1): This trap is sent when the device becomes the new STP root.
  topologyChange (1.3.6.1.2.1.17.0.2): This trap is sent when the STP topology changes (a port moves into or out of the Forwarding state).

16.6.3 Configuring SNMP

To change your ZyXEL Device's SNMP settings, click Advanced > Remote MGMT > SNMP. The screen appears as shown.

Figure 129 Remote Management: SNMP
[Screen: SNMP: Port 161; Access Status: Disable; Secured Client IP: All / Selected 0.0.0.0. SNMP Configuration: Get Community: public; Set Community: public; Trap Community: public; Trap Destination: 0.0.0.0. Note: You may also need to create a Firewall rule. Apply / Cancel]

The following table describes the labels in this screen.
Table 103 Remote Management: SNMP
LABEL / DESCRIPTION
SNMP:
Port: You may change the server port numb...
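The SNMP screen above ships with Get, Set and Trap communities of "public", and SNMPv1/v2c carries the community string as a plain OCTET STRING in every datagram. The following added example (not ZyXEL code) builds an SNMPv2c GetRequest for sysDescr.0 with a minimal BER encoder and then parses it back the way a passive observer on the path would, recovering version and community; send_get() is a hypothetical helper you would point at the device's LAN address and is not exercised offline.

```python
"""SNMPv2c GetRequest for sysDescr.0 built with a minimal BER encoder, then parsed
back the way a passive observer would.  Added example, not ZyXEL code."""
import socket


def ber_length(n: int) -> bytes:
    # Short form below 128; long form is 0x80 | number-of-length-bytes, then the length
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(value)) + value


def ber_int(n: int) -> bytes:
    # Non-negative INTEGER, minimal two's-complement (a leading 0x00 when the top bit is set)
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def ber_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])      # the first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                       # base-128, continuation bit on all but the last
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))                     # name, NULL value
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    # version 1 means SNMPv2c; the community is a plain OCTET STRING, nothing protects it
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf: bytes, pos: int = 0):
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def sniff_community(pkt: bytes):
    """Version and community recovered from one SNMPv1/v2c packet seen on the wire."""
    tag, msg, _ = read_tlv(pkt)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    vtag, version, pos = read_tlv(msg)
    ctag, community, _ = read_tlv(msg, pos)
    if vtag != 0x02 or ctag != 0x04:
        raise ValueError("unexpected field order")
    return int.from_bytes(version, "big"), community.decode()


def send_get(host: str, community: str, oid: str, timeout: float = 2.0):
    """Hypothetical helper: sends the request to UDP/161 and returns the raw reply, None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(get_request(community, oid), (host, 161))
        try:
            return s.recvfrom(65535)[0]
        except socket.timeout:
            return None


if __name__ == "__main__":
    pkt = get_request("public", "1.3.6.1.2.1.1.1.0")       # sysDescr.0
    print(pkt.hex())
    print(sniff_community(pkt))
```

Before setting Access Status to anything other than Disable, change all three communities, restrict Secured Client IP to a management host, and treat the Set Community like a password: with it still "public", anyone who can reach UDP/161 from a permitted client address can change writable MIB objects, and anyone on the path can read the community straight out of the packet as shown above.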
... the ZyXEL Device to decide which hop to use to help forward data along to its specified destination.

The following lists the steps taken when a computer tries to access the Internet for the first time through the ZyXEL Device:
1 When a computer, which is in a different subnet, first attempts to access the Internet, it sends packets to its default gateway (which is not the ZyXEL Device) by looking at the MAC address in its ARP table.
2 When the computer cannot locate the default gateway, an ARP request is broadcast on the LAN.
3 The ZyXEL Device receives the ARP request and replies to the computer with its own MAC address.
4 The computer updates the MAC address for the default gateway in its ARP table. Once the ARP table is updated, the computer is able to access the Internet through the ZyXEL Device.
5 When the ZyXEL Device receives packets from the computer, it creates an entry in the IP routing table so it can properly forward packets intended for the computer.

After all the routing information is updated, the computer can access the ZyXEL Device and the Internet as if it is in the same subnet as the ZyXEL Device.

5.3 Configuring LAN IP

Click LAN to open the IP screen. See Section 5.1 on page 89 for background information.

Figure 48 LAN IP
[Screen: LAN TCP/IP: IP Address 192.168.1.1; IP Subnet Mask 255.255.255.0; Apply / Cancel / Advanced Setup]
... designed to permit inbound packets of the same connection as the outbound packet just inspected.
5 The outbound packet is forwarded out through the interface.

Chapter 8 Firewalls

6 Later, an inbound packet reaches the interface. This packet is part of the connection previously established with the outbound packet. The inbound packet is evaluated against the inbound access list, and is permitted because of the temporary access list entry previously created.
7 The packet is inspected by a firewall rule, and the connection's state table entry is updated as necessary. Based on the updated state information, the inbound extended access list temporary entries might be modified, in order to permit only packets that are valid for the current state of the connection.
8 Any additional inbound or outbound packets that belong to the connection are inspected to update the state table entry and to modify the temporary inbound access list entries as required, and are forwarded through the interface.
9 When the connection terminates or times out, the connection's state table entry is deleted and the connection's temporary inbound access list entries are deleted.

8.5.2 Stateful Inspection and the ZyXEL Device

Additional rules may be defined to extend or override the default rules. For example, a rule may be created which will:
• Block all traffic of a certain type, such as IRC (Internet Relay Chat), from the LAN to the ...
... less sensitive to latency but is affected by long delays, such as Internet surfing.
Low: This is typically used for non-critical "background" traffic such as bulk transfers and print jobs that are allowed but that should not affect other applications and users. Use low priority for applications that do not have strict latency and throughput requirements.

Chapter 6 Wireless LAN

6.7.3 Services

The commonly used services and port numbers are shown in the following table. Please refer to RFC 1700 for further information about port numbers (RFC 1700 has since been obsoleted; the authoritative list is the IANA Service Name and Transport Protocol Port Number Registry). Next to the name of the service, two fields appear in brackets. The first field indicates the IP protocol type (TCP, UDP, or ICMP). The second field indicates the IP port number that defines the service. Note that there may be more than one IP protocol type. For example, look at the DNS service: (UDP/TCP:53) means UDP port 53 and TCP port 53.

Table 45 Commonly Used Services
SERVICE / DESCRIPTION
AIM/New ICQ (TCP:5190): AOL's Internet Messenger service, used as a listening port by ICQ.
AUTH (TCP:113): Authentication protocol used by some servers.
BGP (TCP:179): Border Gateway Protocol.
BOOTP_CLIENT (UDP:68): DHCP Client.
BOOTP_SERVER (UDP:67): DHCP Server.
CU-SEEME (TCP/UDP:7648, 24032): A popular videoconferencing solution from White Pines Software.
DNS (UDP/TCP:53): Domain Name Server, a service that matches...
... Device.

See the troubleshooting suggestions for "I cannot see or access the Login screen in the web configurator". Ignore the suggestions about your browser.

22.3 Internet Access

• I cannot access the Internet.
1 Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.5 on page 35.
2 Make sure you entered your ISP account information correctly in the wizard. These fields are case-sensitive, so make sure [Caps Lock] is not on.
3 If you are trying to access the Internet wirelessly, make sure the wireless settings in the wireless client are the same as the settings in the AP.

Chapter 22 Troubleshooting

4 Disconnect all the cables from your device, and follow the directions in the Quick Start Guide again.
5 If the problem continues, contact your ISP.

• I cannot access the Internet anymore. I had access to the Internet (with the ZyXEL Device), but my Internet connection is not available anymore.
1 Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.5 on page 35.
2 Reboot the ZyXEL Device.
3 If the problem continues, contact your ISP.

• The Internet connection is slow or intermittent.
1 There might be a lot of traffic on the network. Look at the LEDs, and check Section 1.5 on page 35. If the ZyXEL Device is sending or receiving a lot o...
... Device send them to an administrator (as e-mail) or to a syslog server.

19.1.1 Alerts and Logs

An alert is a type of log that warrants more serious attention. They include system errors, attacks, access control, and attempted access to blocked web sites. Some categories, such as System Errors, consist of both logs and alerts. You may differentiate them by their color in the View Log screen. Alerts display in red and logs display in black.

19.2 Viewing the Logs

Click Maintenance > Logs to open the View Log screen. Use the View Log screen to see the logs for the categories that you selected in the Log Settings screen (see Section 19.3 on page 258).

Log entries in red indicate alerts. The log wraps around and deletes the old entries after it fills. Click a column heading to sort the entries. A triangle indicates ascending or descending sort order.

Chapter 19 Logs

Figure 150 View Log
[Screen: View Logs: Display: All Logs; Email Log Now / Refresh / Clear Log. Sample entries: 01/01/2000 Firewall default policy: TCP (L to W) 192.168.1.33:1237 61.100.0.37:50; Router reply ICMP ...; Successful WEB login 192.168.1.33 User:admin]

The following table describes the fields in this screen.
Table 110 View Logs
LABEL / DESCRIPTION
Display: The cat...
... Device sends alerts whenever the TCP Maximum Incomplete is exceeded.
Action taken when TCP Maximum Incomplete reached threshold: Select the action that the ZyXEL Device should take when the TCP maximum incomplete threshold is reached.
  Delete the oldest half open session when new connection request comes: Select this radio button to clear the oldest half-open session when a new connection request comes.
  Deny new connection request for: Select this radio button and specify for how long the ZyXEL Device should block new connection requests when TCP Maximum Incomplete is reached. Enter the length of blocking time in minutes (between 1 and 256).
Apply: Click Apply to save your changes back to the ZyXEL Device.
Cancel: Click Cancel to begin configuring this screen afresh.

Chapter 9 Firewall Configuration

Content Filtering

This chapter covers how to configure content filtering.

10.1 Content Filtering Overview

Internet content filtering allows you to create and enforce Internet access policies tailored to your needs. Content filtering gives you the ability to block web sites that contain key words (that you specify) in the URL. You can set a schedule for when the ZyXEL Device performs content filtering. You can also specify trusted IP addresses on the LAN for which the ZyXEL Device will not perform content filtering.

10...
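The two threshold mechanisms in Table 66, the global Maximum Incomplete Low/High hysteresis and the per-destination TCP Maximum Incomplete with its two actions, as an added example in Python. It is not the ZyXEL firmware; the data structures are one way to build such a guard, and the caller passes time in explicitly so the block-for-N-minutes action can be exercised without waiting. Note what the "Deny new connection request for" action does: every new request toward the affected destination is refused for the chosen number of minutes, so under a SYN flood the firewall itself finishes the attacker's job for that host, whereas "Delete the oldest half open session" keeps the host reachable at the cost of dropping some unfinished handshakes.

```python
"""Half-open (SYN) session guard modelled on the Firewall > Threshold controls
described in Table 66.  Added example, not ZyXEL firmware code; the internal
structures are assumptions about one way to build such a guard."""
from collections import OrderedDict


class HalfOpenGuard:
    def __init__(self, max_incomplete_low, max_incomplete_high, tcp_max_incomplete,
                 action="delete_oldest", block_minutes=1):
        # The same bounds the screen enforces: High >= Low, per-host 1..256, block time 1..256 minutes
        if max_incomplete_high < max_incomplete_low:
            raise ValueError("Maximum Incomplete High must not be lower than Maximum Incomplete Low")
        if not 1 <= tcp_max_incomplete <= 256 or not 1 <= block_minutes <= 256:
            raise ValueError("TCP Maximum Incomplete and blocking time must be between 1 and 256")
        if action not in ("delete_oldest", "deny_new"):
            raise ValueError("unknown action")
        self.low, self.high, self.tcp_max = max_incomplete_low, max_incomplete_high, tcp_max_incomplete
        self.action, self.block_seconds = action, block_minutes * 60
        self.half_open = OrderedDict()   # (src, sport, dst, dport) -> time the SYN was seen, oldest first
        self.purging = False             # between Low and High the guard keeps whatever state it is in
        self.blocked_until = {}          # dst -> time until which new requests to dst are denied
        self.alerts = []

    def syn(self, key, now):
        """A new connection request.  Returns True if a half-open entry was admitted."""
        src, sport, dst, dport = key
        # Per-destination block left over from an earlier "Deny new connection request for" action
        if dst in self.blocked_until:
            if now < self.blocked_until[dst]:
                return False
            del self.blocked_until[dst]
        # Global hysteresis: start purging once above High, stop only once below Low
        n = len(self.half_open)
        if n > self.high:
            self.purging = True
        elif n < self.low:
            self.purging = False
        if self.purging and self.half_open:
            self.half_open.popitem(last=False)        # delete the oldest to accommodate this request
        # Per-destination check: many half-open sessions toward one host looks like a SYN flood
        to_dst = [k for k in self.half_open if k[2] == dst]
        if len(to_dst) >= self.tcp_max:
            self.alerts.append(f"TCP Maximum Incomplete ({self.tcp_max}) reached for {dst}")
            if self.action == "delete_oldest":
                del self.half_open[to_dst[0]]
            else:
                self.blocked_until[dst] = now + self.block_seconds
                return False
        self.half_open[key] = now
        return True

    def complete(self, key):
        """Handshake finished (final ACK seen): the session is no longer half-open."""
        self.half_open.pop(key, None)

    def expire(self, now, timeout):
        """Drop half-open entries older than timeout seconds (a flooded victim's SYN-ACKs get no ACK)."""
        for k in [k for k, t in self.half_open.items() if now - t > timeout]:
            del self.half_open[k]


if __name__ == "__main__":
    g = HalfOpenGuard(5, 8, 4)
    for i in range(10):                                          # ten SYNs to ten different hosts
        g.syn((f"10.0.0.{i}", 40000, f"203.0.113.{i}", 80), now=i)
    print(len(g.half_open), g.purging)                           # 9 True: purging began above 8
```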
... Gateway Address field, and the LAN's full IP address range as the local IP address, then you cannot configure any other active rules with the Secure Gateway Address field set to 0.0.0.0.

Security Protocol
VPN Protocol: Select ESP if you want to use ESP (Encapsulating Security Payload). The ESP protocol (RFC 2406, since superseded by RFC 4303) provides encryption as well as some of the services offered by AH. If you select ESP here, you must select options from the Encryption Algorithm and Authentication Algorithm fields described below.
Pre-Shared Key: Type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to share it with another party before you can communicate with them over a secure connection.
Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal (0-9, A-F) characters. You must precede a hexadecimal key with "0x" (zero x), which is not counted as part of the 16 to 62 character range for the key. For example, in "0x0123456789ABCDEF", "0x" denotes that the key is hexadecimal and "0123456789ABCDEF" is the key itself.
Both ends of the VPN tunnel must use the same pre-shared key. You will receive a "PYLD_MALFORMED" (payload malformed) packet if the same pre-shared key is not used on both ends.
Encryption Algorithm: Select DES, 3DES, AES or NULL from the drop-down list box. (DES and NULL give no meaningful confidentiality today; choose AES unless the peer cannot.) When you use one of these ...
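A check for the pre-shared key format rules given above, plus generators that use the full length the field allows, as an added example (not ZyXEL code). Assumptions: "ASCII characters" is read as printable ASCII without spaces (0x21 to 0x7E); hexadecimal digits are accepted only in upper case, exactly as the text lists them; any key beginning with 0x is treated as hexadecimal rather than as an 8-to-31-character ASCII key.

```python
"""Validates and generates IKE pre-shared keys against the format rules quoted in the
Pre-Shared Key field description.  Added example, not ZyXEL code.  Assumptions: printable
ASCII without spaces, upper-case hex digits only, '0x' prefix always means a hex key."""
import math
import re
import secrets
import string

ASCII_KEY = re.compile(r"^[\x21-\x7e]{8,31}$")       # 8..31 printable, non-space ASCII characters
HEX_KEY = re.compile(r"^0x[0-9A-F]{16,62}$")         # 16..62 hex digits; the '0x' is not counted
PRINTABLE = "".join(c for c in string.printable if 0x21 <= ord(c) <= 0x7E)   # 94 characters


def classify_psk(key: str):
    """Returns 'hex', 'ascii', or None when the device would reject the key."""
    if key.startswith("0x"):
        return "hex" if HEX_KEY.match(key) else None
    return "ascii" if ASCII_KEY.match(key) else None


def psk_entropy_bits(key: str) -> float:
    """Upper bound on the key's entropy, assuming every position was chosen uniformly."""
    kind = classify_psk(key)
    if kind == "hex":
        return 4.0 * (len(key) - 2)
    if kind == "ascii":
        return len(key) * math.log2(len(PRINTABLE))
    raise ValueError("not a valid pre-shared key")


def generate_hex_psk() -> str:
    """62 hex digits = 31 random bytes = 248 bits, the longest key the field accepts."""
    return "0x" + secrets.token_hex(31).upper()


def generate_ascii_psk(length: int = 31) -> str:
    if not 8 <= length <= 31:
        raise ValueError("ASCII keys must be 8 to 31 characters")
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))


if __name__ == "__main__":
    for k in ("0x0123456789ABCDEF", "secret12", "short", generate_hex_psk(), generate_ascii_psk()):
        kind = classify_psk(k)
        print(f"{k!r}: {kind}", f"{psk_entropy_bits(k):.0f} bits" if kind else "rejected")
```

The entropy figures are the point: an 8-character ASCII key is at most about 52 bits and a 16-digit hex key 64 bits, while the field accepts 248 bits, so there is no reason to type a short human-chosen key into it.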
... key tool.
Channel Selection: Set the operating frequency channel depending on your particular region. Select a channel from the drop-down list box.
Apply: Click Apply to save your changes back to the ZyXEL Device.
Cancel: Click Cancel to reload the previous configuration for this screen.
Advanced Setup: Click Advanced Setup to display the Wireless Advanced Setup screen and edit more details of your WLAN setup.

See the rest of this chapter for information on the other labels in this screen.

6.4.1 No Security

Select No Security to allow wireless clients to communicate with the access points without any data encryption.

Chapter 6 Wireless LAN

Note: If you do not enable any wireless security on your ZyXEL Device, your network is accessible to any wireless networking device that is within range.

Figure 55 Wireless: No Security
[Screen: Wireless Setup: Active Wireless LAN (checked); Network Name (SSID): ZyXEL; Hide SSID; Channel Selection: Channel 08 2437MHz; Security Mode: No Security; Apply / Cancel / Advanced Setup]

The following table describes the labels in this screen.
Table 37 Wireless: No Security
LABEL / DESCRIPTION
Security Mode: Choose No Security from the drop-down list box.
Apply: Click Apply to save your changes back to the ZyXEL Device.
Cancel: Click Cancel to reload the previous configuration for this screen.
Advanced Setup ...
... of information, try closing some programs that use the Internet, especially peer-to-peer applications.
2 Reboot the ZyXEL Device.
3 If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions.

Advanced Suggestions
• Check the settings for bandwidth management. If it is disabled, you might consider activating it. If it is enabled, you might consider changing the allocations.

22.4 Wireless Router/AP Troubleshooting

• I cannot access the ZyXEL Device or ping any computer from the WLAN.
1 Make sure the wireless LAN is enabled on the ZyXEL Device.
2 Make sure the wireless adapter on the wireless station is working properly.
3 Make sure the wireless adapter (installed on your computer) is IEEE 802.11 compatible and supports the same wireless standard as the ZyXEL Device.
4 Make sure your computer (with a wireless adapter installed) is within the transmission range of the ZyXEL Device.
5 Check that both the ZyXEL Device and your wireless station are using the same wireless and wireless security settings.

Product Specifications

This chapter gives details about your ZyXEL Device's hardware and firmware features.

23.1 General ZyXEL Device Specifications

The following tables summarize the ZyXEL Device's hardware and firmware features.
Table 116 Hardware Specifications
SPECIFICATION / DESCRIPTION
Dimensions (W x D x H) ...
... of unused bandwidth and the orange color represents the percentage of bandwidth in use.

Figure 14 Status: Bandwidth Status
[Screen: Monitor: LAN: To LAN Interface 0% used]

Chapter 2 Introducing the Web Configurator

2.4.7 Status: Packet Statistics

Click the Packet Statistics hyperlink in the Status screen. Read-only information here includes port status and packet specific statistics. Also provided are "system up time" and "poll interval(s)". The Poll Interval(s) field is configurable.

Figure 15 Status: Packet Statistics
[Screen: System Monitor: System up Time 0:46:38; Current Date/Time 01/01/2000 00:46:49; CPU Usage 3.78%; Memory Usage 69%. WAN Port Statistics: Link Status Down; WAN IP Address 0.0.0.0; Upstream Speed 0 kbps; Downstream Speed 0 kbps. LAN Port Statistics table with rows for the Ethernet interface (4257, 3544, 919, 1205) and Wireless (0). Poll Interval(s): sec / Stop]

The following table describes the fields in this screen.
Table 8 Status: Packet Statistics
LABEL / DESCRIPTION
System Monitor:
System up Time: This is the elapsed time the system has been up.
Current Date/Time: This field displays your ZyXEL Device's present date and time.
CPU Usage: This field specifies the percentage of CPU utilization.
Memory Usage: This field specifies the percentage of memory uti...
... if you want to configure additional IP addresses:
• In the IP Settings tab, in IP addresses, click Add.
• In TCP/IP Address, type an IP address in IP address and a subnet mask in Subnet mask, and then click Add.
• Repeat the above two steps for each IP address you want to add.
• Configure additional default gateways in the IP Settings tab by clicking Add in Default gateways.
• In TCP/IP Gateway Address, type the IP address of the default gateway in Gateway. To manually configure a default metric (the number of transmission hops), clear the Automatic metric check box and type a metric in Metric.
• Click Add.
• Repeat the previous three steps for each default gateway you want to add.
• Click OK when finished.

Appendix A Setting up Your Computer's IP Address

Figure 182 Windows Vista: Advanced TCP/IP Properties
[Screen: Advanced TCP/IP Settings: IP Settings, DNS and WINS tabs; IP addresses (DHCP Enabled) with Add / Edit / Remove; Default gateways (Gateway, Metric) with Add / Edit / Remove; Automatic metric check box; OK / Cancel]

9 In the Internet Protocol Version 4 (TCP/IPv4) Properties window (the General tab):
• Click Obtain DNS server address automatically if you do not know your DNS server IP address(es).
• If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields.
If you have...
... Identifier) and VCI (Virtual Channel Identifier) define a virtual circuit. Refer to the appendix for more information.
VPI: The valid range for the VPI is 0 to 255. Enter the VPI assigned to you.
VCI: The valid range for the VCI is 32 to 65535 (0 to 31 is reserved for local management of ATM traffic). Enter the VCI assigned to you.
IP Address: These fields only appear if the Mode is Routing. A static IP address is a fixed IP that your ISP gives you. A dynamic IP address is not fixed; the ISP assigns you a different one each time you connect to the Internet.
Obtain an IP Address Automatically: (PPPoE, PPPoA, and ENET ENCAP only) Select this if you have a dynamic IP address.
Static IP Address: (PPPoE, PPPoA, and ENET ENCAP only) Select this if you do not have a dynamic IP address.
IP Address: Enter the static IP address provided by your ISP.
Subnet Mask: (ENET ENCAP only) Enter the subnet mask provided by your ISP.
Gateway IP address: (ENET ENCAP only) Enter the gateway IP address provided by your ISP.
Connection: This section only appears if the Encapsulation is PPPoE or PPPoA.
Nailed-Up Connection: Select Nailed-Up Connection when you want your connection up all the time. The ZyXEL Device will try to bring up the connection automatically if it is disconnected.
Connect on Demand: Select Connect on Demand when you don't want the connection up all the time, and specify an idle time-out in the Max Idle Time...
[Screen: Local Area Connection Properties: Client for Microsoft Networks; Internet Protocol Version 6 (TCP/IPv6); Internet Protocol Version 4 (TCP/IPv4); Link-Layer Topology Discovery Mapper I/O Driver; Link-Layer Topology Discovery Responder; Install / Uninstall / Properties. Description: Transmission Control Protocol/Internet Protocol. The default wide area network protocol that provides communication across diverse interconnected networks. OK / Cancel]

Appendix A Setting up Your Computer's IP Address

7 The Internet Protocol Version 4 (TCP/IPv4) Properties window opens (the General tab).
• If you have a dynamic IP address click Obtain an IP address automatically.
• If you have a static IP address click Use the following IP address and fill in the IP address, Subnet mask, and Default gateway fields.
• Click Advanced.

Figure 181 Windows Vista: Internet Protocol Version 4 (TCP/IPv4) Properties
[Screen: "You can get IP settings assigned automatically if your network supports this capability. Otherwise, you need to ask your network administrator for the appropriate IP settings." Obtain an IP address automatically / Use the following IP address; Obtain DNS server address automatically / Use the following DNS server addresses; Advanced; OK / Cancel]

8 If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK.

Do one or more of the following i...
... Inside Global IP Address (IGA). This field is N/A for One-to-One, Many-to-One and Server mapping types.

Chapter 7 Network Address Translation (NAT) Screens

Table 54 Address Mapping Rules (continued)
LABEL / DESCRIPTION
Type:
  1-1: One-to-One mode maps one local IP address to one global IP address. Note that port numbers do not change for the One-to-One NAT mapping type.
  M-1: Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e. PAT, port address translation), the Single User Account feature that earlier ZyXEL routers supported.
  M-M Ov (Overload): Many-to-Many Overload mode maps multiple local IP addresses to shared global IP addresses.
  M-M No (No Overload): Many-to-Many No Overload mode maps each local IP address to a unique global IP address.
  Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world.
Modify: Click the edit icon to go to the screen where you can edit the address mapping rule. Click the delete icon to delete an existing address mapping rule. Note that subsequent rules move up by one when you take this action.

7.6.1 Address Mapping Rule Edit

To edit an address mapping rule, click the rule's edit icon in the Address Mapping screen to display the screen shown next.

Figure 77 Edit Address Mapping Rul...
... uses this protocol.
HTTP (TCP:80): Hyper Text Transfer Protocol, a client/server protocol for the world wide web.
HTTPS (TCP:443): HTTPS is a secured HTTP session often used in e-commerce.
ICMP (User-Defined, IP protocol 1): Internet Control Message Protocol is often used for diagnostic or routing purposes.
ICQ (UDP:4000): This is a popular Internet chat program.
IGMP (MULTICAST) (User-Defined, IP protocol 2): Internet Group Management Protocol is used when sending packets to a specific group of hosts.
IKE (UDP:500): The Internet Key Exchange protocol is used for key distribution and management.
IRC (TCP/UDP:6667): This is another popular Internet chat program.
MSN Messenger (TCP:1863): Microsoft Networks' messenger service uses this protocol.
NEW-ICQ (TCP:5190): An Internet chat program.
NEWS (TCP:144): A protocol for news groups.
NFS (UDP:2049): Network File System. NFS is a client/server distributed file service that provides transparent file sharing for network environments.
NNTP (TCP:119): Network News Transport Protocol is the delivery mechanism for the USENET newsgroup service.
PING (User-Defined, IP protocol 1): Packet INternet Groper is a protocol that sends out ICMP echo requests to test whether or not a remote host is reachable.
POP3 (TCP:110): Post Office Protocol version 3 lets a client computer get e-mail from a POP3 server through a temporary connection (TCP/IP or other).
PPTP (TCP:1723): Point-to-Point Tunneling Protocol enables transfer of data over public networks (its usual MS-CHAP authentication is no longer considered secure; prefer IPSec). This is ...
... Range.
A (static) IP address and a subnet mask are displayed when the Local Address Type field in the VPN-IKE (or VPN-Manual Key) screen is configured to Subnet.
Remote Address: This is the IP address(es) of computer(s) on the remote network behind the remote IPSec router.
This field displays N/A when the Secure Gateway Address field displays 0.0.0.0. In this case only the remote IPSec router can initiate the VPN.
The same (static) IP address is displayed twice when the Remote Address Type field in the VPN-IKE (or VPN-Manual Key) screen is configured to Single.
The beginning and ending (static) IP addresses, in a range of computers, are displayed when the Remote Address Type field in the VPN-IKE (or VPN-Manual Key) screen is configured to Range.
A (static) IP address and a subnet mask are displayed when the Remote Address Type field in the VPN-IKE (or VPN-Manual Key) screen is configured to Subnet.
Encap.: This field displays Tunnel or Transport mode. Tunnel is the default selection.
IPSec Algorithm: This field displays the security protocols used for an SA. Both AH and ESP increase ZyXEL Device processing requirements and communications latency (delay).
Secure Gateway IP: This is the static WAN IP address or domain name of the remote IPSec router. This field displays 0.0.0.0 when you configure the Secure Gateway Address field in the VPN-IKE screen to 0.0.0.0.
Modify: Click the Edit icon to go to the screen where you can ...
... messages are exchanged between the access point and the RADIUS server for user authentication:
• Access-Request: Sent by an access point requesting authentication.
• Access-Reject: Sent by a RADIUS server rejecting access.
• Access-Accept: Sent by a RADIUS server allowing access.
• Access-Challenge: Sent by a RADIUS server requesting more information in order to allow access. The access point sends a proper response from the user and then sends another Access-Request message.

The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user accounting:
• Accounting-Request: Sent by the access point requesting accounting.
• Accounting-Response: Sent by the RADIUS server to indicate that it has started or stopped accounting.

In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password they both know. The key is not sent over the network. In addition to the shared key, password information exchanged is also obscured to protect the network from unauthorized access: the RADIUS User-Password attribute is XORed with an MD5 stream derived from the shared secret, so the strength of this protection is the strength of the shared secret.

Types of EAP Authentication

This section discusses some popular authentication types: EAP-MD5, EAP-TLS, EAP-TTLS, PEAP and LEAP. Your wireless LAN device may not support all authentication types.

EAP (Extensible Authentication Protocol) is an authentication protocol that runs on top of the IEEE 802.1x transport mechanism in order to support multiple types of user authentication. By using ...
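The Access-Request / Access-Accept exchange described above, carried through in code as an added example (not ZyXEL code nor any RADIUS server's implementation), following RFC 2865: the access point hides the User-Password with the shared secret, and it trusts a reply only if the Response Authenticator was computed with that secret over its own Request Authenticator. The secret, user name, password and identifier are constructed for the demonstration; the NAS-IP-Address of 192.168.1.1 is the ZyXEL Device's default LAN address.

```python
"""RADIUS Access-Request / Access-Accept between an access point and a RADIUS server
(RFC 2865), showing what the shared secret does on the wire.  Added example, not
ZyXEL code; the secret, user, password and identifier are constructed for the demo."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(attrs: bytes) -> dict:
    out, pos = {}, 0
    while pos < len(attrs):
        attr_type, length = attrs[pos], attrs[pos + 1]
        out[attr_type] = attrs[pos + 2:pos + length]
        pos += length
    return out


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2.  Not a cipher: each 16-byte block is XORed with MD5(secret + previous
    block), the first block using the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        out, prev = out + block, block
    return out


def reveal_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_user_password: whoever holds the secret, or guesses it offline from a
    captured Access-Request, gets the password back."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ s for c, s in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def access_request(identifier, request_auth, username, password, secret, nas_ip) -> bytes:
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, hide_user_password(password, secret, request_auth))
             + attribute(NAS_IP_ADDRESS, nas_ip))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, identifier, attrs, request_auth, secret) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_response(code, identifier, request_auth, attrs, secret) -> bytes:
    auth = response_authenticator(code, identifier, attrs, request_auth, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The access point's check before it trusts an Accept, Reject or Challenge."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, packet[20:], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req_auth = os.urandom(16)                                   # fresh random value per request
    req = access_request(7, req_auth, b"bob", b"p4ssw0rd", secret, bytes([192, 168, 1, 1]))
    print("Access-Request:", req.hex())
    hidden = parse_attributes(req[20:])[USER_PASSWORD]
    print("recovered with the secret:", reveal_user_password(hidden, secret, req_auth))
    accept = server_response(ACCESS_ACCEPT, 7, req_auth, b"", secret)
    print("Access-Accept verifies:", verify_response(accept, req_auth, secret))
```

Two practical consequences follow from the code: a captured Access-Request lets an attacker test guesses of the shared secret offline against the hidden password, so the secret needs to be long and random, and the access point must check the Response Authenticator on every reply, otherwise anyone who can spoof the server's address can return an Access-Accept.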
... through the firewall.

A similar situation exists for ICMP, except that the ZyXEL Device is even more restrictive. Specifically, only outgoing echoes will allow incoming echo replies, outgoing address mask requests will allow incoming address mask replies, and outgoing timestamp requests will allow incoming timestamp replies. No other ICMP packets are allowed in through the firewall, simply because they are too dangerous and contain too little tracking information. For instance, ICMP redirect packets are never allowed in, since they could be used to reroute traffic through attacking machines.

8.5.5 Upper Layer Protocols

Some higher layer protocols (such as FTP and RealAudio) utilize multiple network connections simultaneously. In general terms, they usually have a "control connection" which is used for sending commands between endpoints, and then "data connections" which are used for transmitting bulk information.

Consider the FTP protocol. A user on the LAN opens a control connection to a server on the Internet and requests a file. At this point, the remote server will open a data connection from the Internet. For FTP to work properly, this connection must be allowed to pass through even though a connection from the Internet would normally be rejected.

In order to achieve this, the ZyXEL Device inspects the application-level FTP data. Specifically, it searches for outgoing "PORT" commands, and when it sees these, it adds a cache entry for the anticipa...
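The stateful inspection sequence from Section 8.5 (state created by the outbound packet, inbound packets admitted only against that state, entries removed when the connection ends), the ICMP request/reply pairing and redirect refusal, and the FTP PORT handling from 8.5.5, all exercised by one added example. It models the behaviour the text describes and is not the ZyXEL Device's firmware; NAT is left out, so addresses are as seen on the LAN side, and the packets and the deny log line (worded after the View Log screen in this guide) are constructed for the demonstration.

```python
"""Stateful inspection walk-through for the TCP, ICMP and FTP cases described in
Chapter 8.  Added example modelling the text, not ZyXEL firmware; NAT is omitted and
the packets and log wording are constructed for the demonstration."""
import re
from dataclasses import dataclass

ICMP_REPLY_FOR = {8: 0, 13: 14, 17: 18}   # echo, timestamp, address-mask request -> reply type
ICMP_REDIRECT = 5
FTP_PORT_CMD = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1
    payload: bytes = b""


class StatefulFirewall:
    def __init__(self):
        self.sessions = set()      # (lan_ip, lan_port, wan_ip, wan_port) for LAN-initiated TCP
        self.icmp_pending = set()  # (wan_ip, lan_ip, reply_type) replies we will accept once
        self.ftp_expect = set()    # (wan_ip, 20, lan_ip, lan_port) data connections announced by PORT
        self.log = []

    def outbound(self, p: Packet) -> bool:
        """LAN to WAN is allowed by default; the packet also creates the state for its replies."""
        if p.proto == "tcp":
            self.sessions.add((p.src, p.sport, p.dst, p.dport))
            if p.dport == 21:                                   # 8.5.5: watch the FTP control channel
                m = FTP_PORT_CMD.search(p.payload)
                if m:
                    a, b, c, d, hi, lo = (int(x) for x in m.groups())
                    self.ftp_expect.add((p.dst, 20, f"{a}.{b}.{c}.{d}", hi * 256 + lo))
        elif p.proto == "icmp" and p.icmp_type in ICMP_REPLY_FOR:
            self.icmp_pending.add((p.dst, p.src, ICMP_REPLY_FOR[p.icmp_type]))
        return True

    def inbound(self, p: Packet) -> bool:
        """WAN to LAN: only traffic that matches existing state gets through."""
        if p.proto == "tcp":
            if (p.dst, p.dport, p.src, p.sport) in self.sessions:
                return True
            key = (p.src, p.sport, p.dst, p.dport)
            if key in self.ftp_expect:                          # the server's active-mode data connection
                self.ftp_expect.discard(key)
                self.sessions.add((p.dst, p.dport, p.src, p.sport))
                return True
        elif p.proto == "icmp" and p.icmp_type != ICMP_REDIRECT:   # redirects are never let in
            key = (p.src, p.dst, p.icmp_type)
            if key in self.icmp_pending:
                self.icmp_pending.discard(key)
                return True
        self.log.append(f"Firewall default policy: {p.proto.upper()} (W to L) "
                        f"{p.src}:{p.sport} -> {p.dst}:{p.dport}")
        return False

    def close(self, lan_ip, lan_port, wan_ip, wan_port):
        """Step 9: when the connection ends or times out its state entry is deleted."""
        self.sessions.discard((lan_ip, lan_port, wan_ip, wan_port))


if __name__ == "__main__":
    fw = StatefulFirewall()
    fw.outbound(Packet("tcp", "192.168.1.33", "61.100.0.37", 1237, 80))
    print(fw.inbound(Packet("tcp", "61.100.0.37", "192.168.1.33", 80, 1237)))   # True, matches state
    print(fw.inbound(Packet("tcp", "61.100.0.37", "192.168.1.33", 80, 1238)))   # False, logged
    print(fw.log)
```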
…characters, including spaces.
BW Budget: Specify the maximum bandwidth allowed for the rule in kbps. The recommendation is a setting between 20 kbps and 20000 kbps for an individual rule.
Priority: Select a priority from the drop-down list box. Choose High, Mid or Low.

P-661H/HW Series User's Guide

Chapter 14 Bandwidth Management

Table 95 Bandwidth Management Rule Configuration (continued)
Use All Managed Bandwidth: Select this option to allow a rule to borrow unused bandwidth on the interface. Bandwidth borrowing is governed by the priority of the rules; that is, the rule with the highest priority is the first to borrow bandwidth. Do not select this if you want to leave bandwidth available for other traffic types, or if you want to restrict the amount of bandwidth that can be used for the traffic that matches this rule.
Filter Configuration
Service: This field simplifies bandwidth class configuration by allowing you to select a predefined application. When you select a predefined application, you do not configure the rest of the bandwidth filter fields other than enabling or disabling the filter.
SIP (Session Initiation Protocol) is a signaling protocol used in Internet telephony, instant messaging and other VoIP (Voice over IP) applications. Select SIP from the drop-down list box to configure this bandwidth filter for traffic that uses SIP.
File Transfer Protocol (FTP) is an Internet file transfer
…that you specify to send DNS queries to the ZyXEL Device.
Apply: Click Apply to save your customized settings and exit this screen.
Cancel: Click Cancel to begin configuring this screen afresh.

16.8 Configuring ICMP

To change your ZyXEL Device's security settings, click Advanced > Remote MGMT > ICMP. The screen appears as shown.

If an outside user attempts to probe an unsupported port on your ZyXEL Device, an ICMP response packet is automatically returned. This allows the outside user to learn that the ZyXEL Device exists. Your ZyXEL Device supports anti-probing, which prevents the ICMP response packet from being sent. This keeps outsiders from discovering your ZyXEL Device when unsupported ports are probed.

Figure 131 Remote Management: ICMP (screen with the fields Respond to Ping on [LAN & WAN] and Do not respond to requests for unauthorized services, plus Apply and Cancel buttons)

The following table describes the labels in this screen.

Table 105 Remote Management: ICMP
ICMP: Internet Control Message Protocol is a message control and error-reporting protocol between a host server and a gateway to the Internet. ICMP uses Internet Protocol (IP) datagrams, but the messages are processed by the TCP/IP software and are not directly apparent to the application user.
Respond to Ping on: The ZyXEL Device will not respond to any incoming Ping requests when Disable is selected. Select LAN to reply
…the manager to retrieve an object variable from the agent.
• GetNext: allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations.
• Set: allows the manager to set values for object variables within an agent.
• Trap: used by the agent to inform the manager of some events.

16.6.1 Supported MIBs

The ZyXEL Device supports MIB II as defined in RFC 1213 and RFC 1215. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance. Note that SNMPv1 has no cryptographic authentication and sends the community string in the clear, so restrict SNMP access to trusted management addresses.

16.6.2 SNMP Traps

The ZyXEL Device sends traps to the SNMP manager when any one of the following events occurs.

Table 101 SNMPv1 Traps
TRAP # / TRAP NAME / DESCRIPTION
0 / coldStart (defined in RFC 1215) / A trap is sent after booting (power on).
1 / warmStart (defined in RFC 1215) / A trap is sent after booting (software reboot).
6 / whyReboot (defined in ZYXEL-MIB) / A trap is sent with the reason for the restart before rebooting when the system is going to restart (warm start).
6a / For intentional reboot / A trap is sent with the message "System reboot by user!" if the reboot is done intentionally (for example, after downloading new files, the CI command "sys reboot", etc.).
6b / For fatal error / A trap is sent with the message of the fatal code if the system reboots because of a fatal
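The Get-then-GetNext table walk described above, as an added example (not the device's SNMP agent or any manager product). The agent holds a handful of MIB-II objects with their real OIDs and constructed values; the manager walks a subtree and stops when GetNext returns an OID outside it. The point a practitioner most often gets wrong is the ordering: OIDs compare component by component as integers, so ifDescr.10 comes after ifDescr.2, and a walk built on string comparison would terminate early or loop.

```python
from bisect import bisect_right


def parse_oid(text: str):
    """'.1.3.6.1.2.1.1.1.0' -> (1, 3, 6, 1, 2, 1, 1, 1, 0). Tuple comparison gives the
    lexicographic OID order SNMP requires: numerically, component by component."""
    return tuple(int(x) for x in text.strip(".").split("."))


def format_oid(oid) -> str:
    return "." + ".".join(str(x) for x in oid)


class Agent:
    """Toy SNMPv1 agent holding MIB-II objects (real OIDs, constructed values)."""

    def __init__(self, objects: dict):
        self.values = {par: val for par, val in ((parse_oid(k), v) for k, v in objects.items())}
        self.oids = sorted(self.values)

    def get(self, oid: str):
        return self.values.get(parse_oid(oid))      # None stands for noSuchName

    def get_next(self, oid: str):
        """First object whose OID is strictly greater than the requested one."""
        i = bisect_right(self.oids, parse_oid(oid))
        if i == len(self.oids):
            return None                              # end of MIB view
        return format_oid(self.oids[i]), self.values[self.oids[i]]


def walk(agent: Agent, subtree: str):
    """Manager side, as the manual describes: one Get on the subtree root, then GetNext
    repeatedly until the agent returns an OID outside the subtree or runs out."""
    root = parse_oid(subtree)
    results = []
    value = agent.get(subtree)
    if value is not None:
        results.append((format_oid(root), value))
    current = subtree
    while True:
        nxt = agent.get_next(current)
        if nxt is None or parse_oid(nxt[0])[:len(root)] != root:
            return results
        results.append(nxt)
        current = nxt[0]


SAMPLE_MIB = {
    ".1.3.6.1.2.1.1.1.0": "P-661HW-D1",        # sysDescr (value constructed)
    ".1.3.6.1.2.1.1.3.0": 123456,              # sysUpTime, hundredths of a second
    ".1.3.6.1.2.1.2.1.0": 3,                   # ifNumber
    ".1.3.6.1.2.1.2.2.1.2.1": "enet0",         # ifDescr.1
    ".1.3.6.1.2.1.2.2.1.2.2": "wlan0",         # ifDescr.2
    ".1.3.6.1.2.1.2.2.1.2.10": "dsl0",         # ifDescr.10
    ".1.3.6.1.2.1.2.2.1.8.1": 1,               # ifOperStatus.1 = up(1)
}
AGENT = Agent(SAMPLE_MIB)
```

Walking the ifDescr column (.1.3.6.1.2.1.2.2.1.2) returns rows 1, 2 and 10 in that order and does not spill into ifOperStatus, because the prefix test, not the number of GetNext calls, ends the walk.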
…when connected.

4 You may edit or delete the port mappings, or click Add to manually add port mappings. Keep in mind that UPnP lets any host on the LAN create such mappings without authentication, so only enable it on networks where every client is trusted.

Chapter 17 Universal Plug and Play (UPnP)

Figure 141 Internet Connection Properties: Advanced Settings (screenshot: the Services list shows each mapping's internal host and port, external port and protocol, TCP or UDP)

Figure 142 Internet Connection Properties: Advanced Settings: Add (Service Settings dialog with the fields Description of service; Name or IP address (for example 192.168.0.12) of the computer hosting this service on your network; External Port number for this service; TCP / UDP; Internal Port number for this service; OK and Cancel)

5 When the UPnP-enabled device is disconnected from your computer, all port mappings are deleted automatically.

6 Select the Show icon in notification area when connected option and click OK. An icon displays in the system tray.

Figure 143 System Tray Icon (balloon text: "Internet Connection is now connected. Click here for more information.")

7 Double-click on the icon to display your current Internet connection status.

Figure 144 Internet Connection Status
…there is a NAT router between the two IPSec routers.
• When you want the remote IPSec router to be able to distinguish between VPN connection requests that come in from IPSec routers with dynamic WAN IP addresses.
When you select DNS or E-mail in the Local ID Type field, type a domain name or e-mail address by which to identify this ZyXEL Device in the local Content field. Use up to 31 ASCII characters including spaces, although trailing spaces are truncated. The domain name or e-mail address is for identification purposes only and can be any string.

My IP Address: Enter the WAN IP address of your ZyXEL Device. The VPN tunnel has to be rebuilt if this IP address changes.
The following applies if this field is configured as 0.0.0.0: The ZyXEL Device uses the current ZyXEL Device WAN IP address (static or dynamic) to set up the VPN tunnel. If the WAN connection goes down, the ZyXEL Device uses the dial backup IP address for the VPN tunnel when using dial backup, or the LAN IP address when using traffic redirect. See the chapter on WAN for details on dial backup and traffic redirect.

Peer ID Type: Select IP to identify the remote IPSec router by its IP address. Select DNS to identify the remote IPSec router by a domain name. Select E-mail to identify the remote IPSec router by an e-mail address.

Chapter 12 VPN Screens

Table 78 Edit VPN Policies (continued)
Content
…herein without notice. This publication is subject to change without notice.

Trademarks

ZyNOS (ZyXEL Network Operating System) is a registered trademark of ZyXEL Communications, Inc. Other trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners.

Certifications

Federal Communications Commission (FCC) Interference Statement

The device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:

• This device may not cause harmful interference.
• This device must accept any interference received, including interference that may cause undesired operations.

This device has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This device generates, uses, and can radiate radio frequency energy, and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation.

Appendix F Legal Information

If this device does cause harmful interference to radio/television reception, which can be determined by turning the device off and on, the user is encouraged to try to correct the interference
…this screen.

Table 18 Manually assign a WPA key
Pre-Shared Key: Type from 8 to 63 case-sensitive ASCII characters. You can set up the most secure wireless connection by configuring WPA in the wireless LAN screens; you need to configure an authentication server to do this.
Back: Click Back to display the previous screen.
Next: Click Next to proceed to the next screen.
Exit: Click Exit to close the wizard screen without saving.

3.2.2 Manually assign a WEP key

Choose Manually assign a WEP key to set up WEP encryption parameters. Note that WEP keys of any length can be recovered by a passive attacker in minutes with freely available tools; use it only where a client cannot do WPA or WPA2.

Chapter 3 Wizards

Figure 31 Manually assign a WEP key (wizard step 2, Wireless LAN: key entry field with the note "On the last page of the Wireless Setup wizard, you will have a chance to write down this key and your network settings for safekeeping", and Back / Next / Exit buttons)

The following table describes the labels in this screen.

Table 19 Manually assign a WEP key
Key: The WEP keys are used to encrypt data. Both the ZyXEL Device and the wireless stations must use the same WEP key for data transmission. Enter any 5, 13 or 29 ASCII characters, or 10, 26 or 58 hexadecimal characters ("0-9", "A-F"), for a 64-bit, 128-bit or 256-bit WEP key respectively.
Back: Click Back to display the previous screen.
Next: Click Next to proceed to the next screen.
Exit: Click Exit to close the wizard screen wit
…hout saving.

5 Click Apply to save your wireless LAN settings.

Figure 32 Wireless LAN Setup: Apply (wizard screen: "Please click the Apply button to save the Wireless LAN settings." Note: If you are currently using a wireless PC card to access this router AND you made changes to the SSID, then you will need to make the same changes to your wireless PC card AFTER you click the Apply button. Once the changes have been made to the wireless PC card, you will be able to connect back to the router and continue the configuration process.)

Chapter 3 Wizards

Figure 33 Internet Setup Wizard: Summary Screen (INTERNET / WIRELESS SETUP, "CONGRATULATIONS: setup configuration is complete. Here are your current settings": Mode: Routing; Encapsulation: ENET ENCAP; Multiplexing: LLC; VPI/VCI; Network Name (SSID): ZyXEL; Channel Selection; Security; Network Key; with the links Return to Wizard Main Page and Go to Advanced Setup Page)

6 Use the read-only summary table to check whether what you have configured is correct. Click Finish to complete and save the wizard setup. The following table describes the fields in this screen.

Table 20 Internet Setup Wizard: Summary
Return to Wizard Main Page: Click this to return to the wizard main page.
Go to Advanced Setup Page: This field is displayed if you are using the admin password. Click this to go to the
…client(s).

5 If you configure OTIST to generate a WPA-PSK key, this key changes each time you run OTIST. Therefore, if a new wireless client joins your wireless network, you need to run OTIST on the AP and ALL wireless clients again.

Chapter 6 Wireless LAN

6.6 MAC Filter

The MAC filter screen allows you to configure the ZyXEL Device to give exclusive access to up to 32 devices (Allow) or to exclude up to 32 devices from accessing the ZyXEL Device (Deny).

Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example 00:A0:C5:00:00:02. You need to know the MAC address of the devices to configure this screen. Because MAC addresses are sent in the clear in every frame and are trivial to change on a client, treat the MAC filter as a convenience control and not as a substitute for WPA or WPA2 encryption.

To change your ZyXEL Device's MAC filter settings, click Network > Wireless LAN > MAC Filter. The screen appears as shown.

Figure 67 MAC Address Filter (screen with an Active MAC Filter check box, a Filter Action choice of Allow or Deny, and 32 numbered MAC address entry fields, each initially 00:00:00:00:00:00)
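The key rules from Table 18 and Table 19 above, together with what a WPA pre-shared key actually turns into, as an added example (not ZyXEL code and not part of the manual). It validates a WPA passphrase and a WEP key against the stated lengths, derives the 256-bit PSK from the passphrase and SSID with the IEEE 802.11i mapping (PBKDF2-HMAC-SHA1, 4096 iterations), and models the cost of an offline guess against a captured handshake. The SSID is an input to the derivation, which is the reason the wizard tells you to reconfigure every client when the SSID changes, and the reason an OTIST-generated key must be pushed to every client again. The candidate list and the direct PSK comparison in the last function are constructed stand-ins; a real attacker verifies each guess against the MIC of a captured 4-way handshake instead.

```python
import hashlib
import re

PRINTABLE_ASCII = re.compile(r"[\x20-\x7e]+")


def validate_wpa_passphrase(passphrase: str) -> str:
    """Table 18: 8 to 63 case-sensitive ASCII characters."""
    if not 8 <= len(passphrase) <= 63 or not PRINTABLE_ASCII.fullmatch(passphrase):
        raise ValueError("WPA pre-shared key must be 8-63 printable ASCII characters")
    return passphrase


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1, SSID as salt, 4096
    iterations, 256-bit output. Same passphrase + different SSID = different PSK."""
    validate_wpa_passphrase(passphrase)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def wep_key_bits(key: str) -> int:
    """Table 19: 5/13/29 ASCII characters or 10/26/58 hex digits give a 64/128/256-bit
    key. The nominal size includes the 24-bit IV that travels in the clear with each frame."""
    by_hex = {10: 64, 26: 128, 58: 256}
    by_ascii = {5: 64, 13: 128, 29: 256}
    if len(key) in by_hex and re.fullmatch(r"[0-9A-Fa-f]+", key):
        return by_hex[len(key)]
    if len(key) in by_ascii and PRINTABLE_ASCII.fullmatch(key):
        return by_ascii[len(key)]
    raise ValueError("WEP key must be 5/13/29 ASCII characters or 10/26/58 hex digits")


def offline_guess(candidates, ssid: str, target_psk: bytes):
    """Cost model for a dictionary attack on WPA-PSK: one PBKDF2 run (4096 HMAC-SHA1
    rounds) per candidate. Returns the matching passphrase and how many were tried."""
    tried = 0
    for candidate in candidates:
        tried += 1
        try:
            if wpa_psk(candidate, ssid) == target_psk:
                return candidate, tried
        except ValueError:          # candidate violates the 8-63 rule; skip it
            continue
    return None, tried
```

The first assertion below is the published IEEE 802.11i test vector for the passphrase "password" and SSID "IEEE", which is a quick way to confirm that a client or AP implementation derives the PSK correctly.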
Chapter 4 WAN Setup

Figure 44 Traffic Redirect LAN Setup (diagram: two LAN subnets, 192.168.1.x and 192.168.2.x, behind the ZyXEL Device, with the traffic-redirect backup gateway reached through the LAN while the WAN link is down)

4.8 Configuring WAN Backup Setup

To change your ZyXEL Device's WAN backup settings, click WAN > WAN Backup Setup. The screen appears as shown.

Figure 45 WAN Backup Setup (screen with the fields Backup Type [DSL Link]; Check WAN IP Address 1, 2, 3 (0.0.0.0); Fail Tolerance; Recovery Interval (sec); Timeout (sec); Traffic Redirect: Active Traffic Redirect, Metric, Backup Gateway; Apply and Cancel buttons)

The following table describes the labels in this screen.

Table 29 WAN Backup Setup
Backup Type: Select the method that the ZyXEL Device uses to check the DSL connection. Select DSL Link to have the ZyXEL Device check if the connection to the DSLAM is up. Select ICMP to have the ZyXEL Device periodically ping the IP addresses configured in the Check WAN IP Address fields.
Check WAN IP Address 1-3: Configure this field to test your ZyXEL Device's WAN accessibility. Type the IP address of a reliable nearby computer (for example, your ISP's DNS server address).
Note: If you activate either traffic redirect or dial backup, you must config
…in Screen (Status page of the web configurator, showing: a Refresh Interval selector; a Logout icon ("Click the Logout icon at any time to exit the web configurator"); Device Information: Model Number P-661HW-D1, MAC Address 00:13:49:02:59:37, ZyNOS Firmware Version 3.40(AHQ.3)b1 dated 6/28/2007, System Mode Routing/Bridging, CPU Usage, Memory Usage; WAN Information: DSL Mode NORMAL, IP Address N/A, IP Subnet Mask N/A, Default Gateway 0.0.0.0; LAN Information: IP Address 192.168.1.1, IP Subnet Mask 255.255.255.0, DHCP N/A; WLAN Information: SSID ZyXEL 54M, WEP Disable; Security: Firewall Enabled, Content Filter Disable; Interface Status: DSL Down 0 kbps / 0 kbps, LAN Up, Duplex Active; Summary links: AnyIP Table, WLAN Status, Bandwidth Status, VPN Status, Packet Statistics. A callout notes "Use submenus to configure ZyXEL Device features".)

Chapter 2 Introducing the Web Configurator

Click the help icon, located in the top right corner of most screens, to view embedded help.

Table 3 Web Configurator Screens Summary
LINK / SUB-LINK / FUNCTION
Wizard / INTERNET SETUP: Use these screens for initial configuration including general setup, ISP parameters for Internet access and WAN IP/DNS server/MAC address assignment.
…in this field to define a port range. This port number must be greater than that specified in the previous field. If Remote Start Port is left at 0, End will also remain at 0.

Chapter 12 VPN Screens

Table 79 Advanced VPN Policies (continued)
Phase 1
Negotiation Mode: Select Main or Aggressive from the drop-down list box. Multiple SAs connecting through a secure gateway must have the same negotiation mode. Prefer Main mode where the peer supports it: Aggressive mode sends the identities in the clear and, with pre-shared keys, exposes a hash that a passive listener can attack offline.
Pre-Shared Key: Type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to share it with another party before you can communicate with them over a secure connection.
Type from 8 to 31 case-sensitive ASCII characters, or from 16 to 62 hexadecimal ("0-9", "A-F") characters. You must precede a hexadecimal key with "0x" (zero x), which is not counted as part of the 16 to 62 character range for the key. For example, in "0x0123456789ABCDEF", "0x" denotes that the key is hexadecimal and "0123456789ABCDEF" is the key itself.
Both ends of the VPN tunnel must use the same pre-shared key. You will receive a PYLD_MALFORMED (payload malformed) packet if the same pre-shared key is not used on both ends.
Encryption Algorithm: Select DES, 3DES or AES from the drop-down list box. Single DES has a 56-bit key and should not be used for new tunnels. When you use one of these encryption algorithms for data c
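How the pre-shared key from Table 79 is consumed on both ends, as an added example (not ZyXEL code). It parses a key under the two formats the table allows, derives SKEYID and HASH_R exactly as RFC 2409 specifies for pre-shared-key authentication, and lets the initiator check the responder's hash; a key mismatch fails here, which in Main mode surfaces as the decryption or payload error the table mentions rather than as a clean "wrong key" message. The final function shows the Aggressive-mode risk noted above. HMAC-SHA1 as the prf, even-length hex keys, and the nonces, cookies, SA body and placeholder DH values in the responder message are this example's assumptions; the identity string is constructed.

```python
import hashlib
import hmac
import os
import re

HEX_KEY = re.compile(r"0x([0-9A-Fa-f]{16,62})")
ASCII_KEY = re.compile(r"[\x20-\x7e]{8,31}")


def parse_pre_shared_key(text: str) -> bytes:
    """Table 79 rules: 8-31 case-sensitive ASCII characters, or 0x followed by 16-62 hex
    digits (the 0x is not counted). Returns the bytes that enter the IKE computation so
    the two ends can be compared byte for byte. Requiring an even hex digit count is an
    assumption; the manual does not say how an odd count is handled."""
    if text.startswith("0x"):
        m = HEX_KEY.fullmatch(text)
        if not m or len(m.group(1)) % 2:
            raise ValueError("hex pre-shared key needs 0x plus an even count of 16-62 hex digits")
        return bytes.fromhex(m.group(1))
    if ASCII_KEY.fullmatch(text):
        return text.encode("ascii")
    raise ValueError("pre-shared key must be 8-31 ASCII characters or 0x plus 16-62 hex digits")


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf is HMAC with the negotiated hash; HMAC-SHA1 assumed here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409 section 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)


def hash_r(skeyid, gxr, gxi, cky_r, cky_i, sai_b, idir_b) -> bytes:
    """RFC 2409 section 5: HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


def responder_message(psk_text: str, idir_b: bytes = b"vpn-gw.example.net") -> dict:
    """Constructed Aggressive-mode message 2: random nonces and cookies, placeholder
    DH public values, a fixed SA payload body, and the responder's HASH_R."""
    msg = dict(ni=os.urandom(16), nr=os.urandom(16), cky_i=os.urandom(8), cky_r=os.urandom(8),
               gxi=os.urandom(96), gxr=os.urandom(96), sai_b=b"\x00\x00\x00\x01" * 8, idir_b=idir_b)
    skeyid = skeyid_psk(parse_pre_shared_key(psk_text), msg["ni"], msg["nr"])
    msg["hash_r"] = hash_r(skeyid, msg["gxr"], msg["gxi"], msg["cky_r"], msg["cky_i"],
                           msg["sai_b"], msg["idir_b"])
    return msg


def initiator_accepts(psk_text: str, msg: dict) -> bool:
    """The initiator recomputes HASH_R under its own configured key; a mismatch means
    the two ends do not hold the same pre-shared key."""
    skeyid = skeyid_psk(parse_pre_shared_key(psk_text), msg["ni"], msg["nr"])
    expected = hash_r(skeyid, msg["gxr"], msg["gxi"], msg["cky_r"], msg["cky_i"],
                      msg["sai_b"], msg["idir_b"])
    return hmac.compare_digest(expected, msg["hash_r"])


def offline_psk_search(msg: dict, candidates):
    """Why Aggressive mode with a weak key is dangerous: HASH_R and every input to it
    travel unencrypted, so a passive listener can test guesses without touching the VPN."""
    for candidate in candidates:
        try:
            if initiator_accepts(candidate, msg):
                return candidate
        except ValueError:           # candidate does not even satisfy the length rules
            continue
    return None
```

The same verification is what protects a Main-mode tunnel, but there the hash is sent inside an encrypted message, so a listener has nothing to test guesses against; the parser is worth keeping on both ends so that a key typed as "0x…" on one side and as literal text on the other is caught before the tunnel is debugged on the wire.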
…ing the ZyXEL Device.
QoS / WMM QoS: allows you to prioritize wireless traffic according to the delivery requirements of the individual applications.
NAT / General: Use this screen to enable NAT.
NAT / Port Forwarding: Use this screen to configure servers behind the ZyXEL Device.
NAT / Address Mapping: Use this screen to configure network address translation mapping rules.
Security
Firewall / General: Use this screen to activate or deactivate the firewall and the direction of network traffic to which to apply the rule.
Firewall / Rules: This screen shows a summary of the firewall rules, and allows you to edit or add a firewall rule.
Firewall / Anti Probing: Use this screen to change your anti-probing settings.

Table 3 Web Configurator Screens Summary (continued)
Firewall / Threshold: Use this screen to configure the threshold for DoS attacks.
Content Filter / Keyword: Use this screen to block sites containing certain keywords in the URL.
Content Filter / Schedule: Use this screen to set the days and times for the ZyXEL Device to perform content filtering.
Content Filter / Trusted: Use this screen to exclude a range of users on the LAN from content filtering on your ZyXEL Device.
VPN / Setup: Use this screen to configure each VPN tunnel.
VPN / Monitor: Use this screen to look at the current status of each VPN tunnel.
VPN / VPN Global Setting: Use this screen to allow NetBIOS traffic through VPN tunnels.
A
…minute before attempting to access the router again.

The device now automatically restarts. This causes a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.

Figure 158 Network Temporarily Disconnected (Local Area Connection: "Network cable unplugged")

If the ZyXEL Device's IP address is different in the configuration file you selected, you may need to change the IP address of your computer to be in the same subnet as that of the default management IP address (192.168.5.1). See your Quick Start Guide or the appendices for details on how to set up your computer's IP address.

Chapter 20 Tools

You might have to open a new browser to log in again.

If the upload was not successful, a Configuration Upload Error screen appears.

Figure 159 Configuration Upload Error (System Restore: "Restore configuration error. The configuration file was not accepted by the device. Please return to the previous page and select a valid configuration file. Click Help for more information." with a Return button)

Click Return to go back to the previous screen.

20.3 Restart

System restart allows you to reboot the ZyXEL Device without turning the power off.

Click Maintenance > Tools > Restart. Click Restart to have the ZyXEL Device reboot. This does not affect the ZyXEL Device's configuration.

Figure 160 Restart Screen (System Reboot: Click
…ion, where three inside LANs (logical LANs using IP Alias) behind the ZyXEL Device can communicate with three distinct WAN networks. More examples follow at the end of this chapter.

Chapter 7 Network Address Translation (NAT) Screens

Figure 71 NAT Application With IP Alias (diagram: LAN1 192.168.1.x, the Admin network, with its network server at 192.168.1.1 mapped to IGA 1 for Corporation A; LAN2 192.168.2.x, the Sales network, with its server at 192.168.2.1 mapped to IGA 2 for Corporation B; LAN3 192.168.3.x, the R&D network, with its server at 192.168.3.1 mapped to IGA 3; the table of LAN addresses against WAN addresses (IGA 1, IGA 2, IGA 3) summarizes the three one-to-one mappings)

7.1.5 NAT Mapping Types

NAT supports five types of IP/port mapping. They are:

• One-to-One: In One-to-One mode, the ZyXEL Device maps one local IP address to one global IP address.
• Many-to-One: In Many-to-One mode, the ZyXEL Device maps multiple local IP addresses to one global IP address. This is equivalent to SUA (for instance, PAT, port address translation), ZyXEL's Single User Account
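The two mapping types listed so far, One-to-One and Many-to-One (SUA/PAT), as an added example that is not the device's NAT engine. It keeps the forward table that rewrites outbound packets and the reverse table that delivers replies; the reverse lookup is what makes a reply with no matching session fall through to "drop", which is the NAT behaviour the firewall chapters rely on for unsolicited inbound traffic. Port-forwarding rules, which are the documented way to admit such traffic, are not modelled. Addresses and ports in the usage are constructed.

```python
class NatTable:
    """Outbound address (and, for Many-to-One, port) translation with the reverse
    lookup needed to deliver replies. Two of the five mapping types the chapter lists:
      one-to-one  : each local IP gets its own global IP, source port preserved
      many-to-one : all local IPs share one global IP (SUA/PAT), unique global port each"""

    def __init__(self, mode: str, global_addrs, first_port: int = 1024):
        if mode not in ("one-to-one", "many-to-one"):
            raise ValueError("unsupported mapping type")
        self.mode, self.globals = mode, list(global_addrs)
        self.outbound = {}      # (lan_ip, lan_port) -> (global_ip, global_port)
        self.inbound = {}       # (global_ip, global_port) -> (lan_ip, lan_port)
        self.static = {}        # one-to-one: lan_ip -> global_ip, assigned on first use
        self.next_port = first_port

    def translate_outbound(self, lan_ip: str, lan_port: int):
        key = (lan_ip, lan_port)
        if key in self.outbound:
            return self.outbound[key]
        if self.mode == "one-to-one":
            if lan_ip not in self.static:
                if len(self.static) == len(self.globals):
                    raise RuntimeError("no global address left for " + lan_ip)
                self.static[lan_ip] = self.globals[len(self.static)]
            mapping = (self.static[lan_ip], lan_port)
        else:
            if self.next_port > 65535:
                raise RuntimeError("global port space exhausted")
            mapping = (self.globals[0], self.next_port)
            self.next_port += 1
        self.outbound[key] = mapping
        self.inbound[mapping] = key
        return mapping

    def translate_inbound(self, global_ip: str, global_port: int):
        """For a packet arriving from the WAN: the LAN endpoint it belongs to, or None,
        meaning no session exists and the packet is dropped."""
        return self.inbound.get((global_ip, global_port))
```

Two LAN hosts using the same source port get distinct global ports under Many-to-One, so their replies can be told apart on the single IGA; under One-to-One the port is untouched and only the address changes, which is why that mode needs one global address per host.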
…ion keys. 768-bit (Group 1, DH1) and 1024-bit (Group 2, DH2) Diffie-Hellman groups are supported. Upon completion of the Diffie-Hellman exchange, the two peers have a shared secret, but the IKE SA is not authenticated. For authentication, use pre-shared keys. Group 1 (768-bit) no longer offers meaningful protection against a well-resourced attacker; select Group 2 at a minimum.

Perfect Forward Secrecy (PFS)

Enabling PFS means that the key is transient: it is thrown away and replaced by a brand-new key using a new Diffie-Hellman exchange for each new IPSec SA setup. With PFS enabled, if one key is compromised, previous and subsequent keys are not compromised, because subsequent keys are not derived from previous keys. The (time-consuming) Diffie-Hellman exchange is the trade-off for this extra security.

This may be unnecessary for data that does not require such security, so PFS is disabled (None) by default in the ZyXEL Device. Disabling PFS means new authentication and encryption keys are derived from the same root secret, which may have security implications in the long run, but allows faster SA setup by bypassing the Diffie-Hellman key exchange.

Chapter 12 VPN Screens

12.13 Configuring Advanced IKE Settings

Click Advanced in the Edit VPN Policies screen to open this screen.

Figure 110 Advanced VPN Policies (VPN: IKE: Advanced Setup screen with the fields Protocol, Enable Replay Detection, Local Start Port / End, Remote Start Port / End, and the Phase 1 fields Negotiation Mode, Pre-Shared Key and Encryption Algorithm)
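The PFS trade-off above made concrete, as an added example (not ZyXEL code). It runs a Diffie-Hellman exchange in the First Oakley Group (the 768-bit prime and generator 2 from RFC 2409 section 6.1, the device's "DH1"), derives the IPsec SA keying material with the RFC 2409 section 5.5 formulas, once without PFS and once with it, and then plays the attacker the prose describes: one who later obtains the phase 1 root secret SKEYID_d and has kept the captured SPIs, nonces and DH public values. HMAC-SHA1 as the prf, ESP as the protocol, and the root secret are this example's assumptions; the 768-bit group is used because it is the one the manual names, not because it is advisable today.

```python
import hashlib
import hmac
import secrets

# First Oakley Group (RFC 2409 section 6.1): 768-bit MODP prime, generator 2.
P_GROUP1 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
G = 2
PROTO_IPSEC_ESP = 3                 # RFC 2407 protocol identifier, an input to KEYMAT


def dh_keypair():
    """Ephemeral private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P_GROUP1 - 2) + 1
    return x, pow(G, x, P_GROUP1)


def dh_shared(x: int, gy: int) -> bytes:
    return pow(gy, x, P_GROUP1).to_bytes(96, "big")


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def keymat(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes, gqm_xy: bytes = None) -> bytes:
    """RFC 2409 section 5.5, keying material for one IPsec SA.
    Without PFS: KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
    With PFS:    KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)"""
    return prf(skeyid_d, (gqm_xy or b"") + bytes([PROTO_IPSEC_ESP]) + spi + ni + nr)


def establish_sa(skeyid_d: bytes, pfs: bool):
    """Both peers derive the key for one new SA. Returns what an eavesdropper could
    record plus the key both sides agreed on; with PFS the private exponents die here."""
    spi, ni, nr = secrets.token_bytes(4), secrets.token_bytes(16), secrets.token_bytes(16)
    captured = {"spi": spi, "ni": ni, "nr": nr}
    if not pfs:
        key_i = key_r = keymat(skeyid_d, spi, ni, nr)
    else:
        xi, gxi = dh_keypair()
        xr, gxr = dh_keypair()
        captured.update(gxi=gxi, gxr=gxr)
        key_i = keymat(skeyid_d, spi, ni, nr, dh_shared(xi, gxr))
        key_r = keymat(skeyid_d, spi, ni, nr, dh_shared(xr, gxi))
    assert key_i == key_r
    return captured, key_i


def attacker_recomputes(skeyid_d: bytes, captured: dict) -> bytes:
    """Attacker who later obtains SKEYID_d and kept the captures. Without PFS this
    reproduces every SA key ever derived from that root secret; with PFS the missing
    g(qm)^xy leaves nothing better than a guess."""
    return keymat(skeyid_d, captured["spi"], captured["ni"], captured["nr"])
```

The cost the manual mentions is visible in the code: each PFS SA pays for two modular exponentiations per peer, which is exactly the work the non-PFS path skips by reusing SKEYID_d.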
…ion keys for data encryption.

EAP-TLS (Transport Layer Security)

With EAP-TLS, digital certificates are needed by both the server and the wireless clients for mutual authentication. The server presents a certificate to the client. After validating the identity of the server, the client sends a different certificate to the server. The exchange of certificates is done in the open before a secured tunnel is created. This makes the user identity vulnerable to passive attacks. A digital certificate is an electronic ID card that authenticates the sender's identity. However, to implement EAP-TLS, you need a Certificate Authority (CA) to handle certificates, which imposes a management overhead.

EAP-TTLS (Tunneled Transport Layer Security)

EAP-TTLS is an extension of EAP-TLS authentication that uses a certificate for only the server-side authentication to establish a secure connection. Client authentication is then done by sending a username and password through the secure connection, so the client identity is protected. For client authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2. In both EAP-TTLS and PEAP the protection of the password rests entirely on the client validating the server's certificate; a client configured to skip that check will hand its credentials to any access point that impersonates the network.

PEAP (Protected EAP)

Like EAP-TTLS, PEAP uses server-side certificate authentication to establish a secure connection, then uses simple username and password methods through the secured connection to authenticate the clients, thus hiding the client identity. However, PEAP only supports EAP methods, such as E

LEAP
…is is a brief explanation of the applications that use this service or the situations in which this service is used.

Table 135 Commonly Used Services
NAME / PROTOCOL / PORT(S) / DESCRIPTION
AH (IPSEC_TUNNEL) / User-Defined / 51 / The IPSEC AH (Authentication Header) tunneling protocol uses this service.
AIM/New-ICQ / TCP / 5190 / AOL's Internet Messenger service. It is also used as a listening port by ICQ.
AUTH / TCP / 113 / Authentication protocol used by some servers.
BGP / TCP / 179 / Border Gateway Protocol.
BOOTP_CLIENT / UDP / 68 / DHCP client.
BOOTP_SERVER / UDP / 67 / DHCP server.
CU-SEEME / TCP 7648, UDP 24032 / A popular videoconferencing solution from White Pines Software.
DNS / TCP/UDP / 53 / Domain Name Server, a service that matches web names (for example, www.zyxel.com) to IP numbers.
ESP (IPSEC_TUNNEL) / User-Defined / 50 / The IPSEC ESP (Encapsulation Security Protocol) tunneling protocol uses this service.
FINGER / TCP / 79 / Finger is a UNIX or Internet-related command that can be used to find out if a user is logged on.

Appendix E Common Services

Table 135 Commonly Used Services (continued)
FTP / TCP / 20, 21 / File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail.
H.323 / TCP / 1720 / NetMeetin
… 142
Table 58 Legal NetBIOS Commands 142
Table 59 Legal SMTP Commands 142
Table 60 Firewall: General 154
Table 61 Firewall Rules 156
Table 62 … 159
Table 63 Customized Services 160
Table 64 Firewall: Configure Customized Services 161
Table 65 Firewall: … 166
Table 66 Firewall Thresholds 168
Table 67 Content Filter: Keyword 172
Table 68 Content Filter: Schedule 173
Table 69 Content Filter: Trusted 174
Table 70 VPN and NAT 179
Table 71 … 182
Table 72 … 184
Table 73 VPN and … 186
Table 74 Local ID Type and Content Fields 187
Table 75 Peer ID Type and Content Fields 187
Table 76 Matching ID Type and Content Configuration
…ity for the ZyXEL Device's routes to the Internet. If any two of the default routes have the same metric, the ZyXEL Device uses the following pre-defined priorities:

• Normal route: designated by the ISP (see Section 4.5 on page 78)
• Traffic redirect route (see Section 4.7 on page 86)
• WAN backup route, also called dial backup (see Section 4.8 on page 87)

Chapter 4 WAN Setup

For example, if the normal route has a metric of "1", the traffic redirect route has a metric of "2" and the dial backup route has a metric of "3", then the normal route acts as the primary default route. If the normal route fails to connect to the Internet, the ZyXEL Device tries the traffic redirect route next. In the same manner, the ZyXEL Device uses the dial backup route if the traffic redirect route also fails.

If you want the dial backup route to take first priority over the traffic redirect route or even the normal route, all you need to do is set the dial backup route's metric to "1" and the others to "2" (or greater).

IP Policy Routing overrides the default routing behavior and takes priority over all of the routes mentioned above.

4.3 Traffic Shaping

Traffic Shaping is an agreement between the carrier and the subscriber to regulate the average rate and fluctuations of data transmission over an ATM network. This agreement helps eliminate congestion, which is important for transmission of real-time data such as audio and
… 128
7.4.3 Configuring Servers Behind Port Forwarding (Example) 128
7.5 Configuring Port Forwarding 129
7.5.1 Port Forwarding Rule Edit 131
7.6 … 131
7.6.1 Address Mapping Rule Edit 133
Part III: Security 135
Chapter 8 Firewalls 137
8.1 Firewall Overview 137
8.2 Types of Firewalls 137
8.2.1 Packet Filtering Firewalls 137
8.2.2 Application-level Firewalls 138
8.2.3 Stateful Inspection Firewalls 138
8.3 Introduction to ZyXEL's Firewall 138
8.4 … 139
8.4.1 … 139
8.4.2 … 139
8.4.2.1 … 140
8.5 Stateful Inspection 142
8.5.1 Stateful Inspection Process 143
8.5.2 Stateful Inspection and the ZyXEL Device 144
8.5.3 …
…k administrator for the appropriate IP settings.

(Internet Protocol (TCP/IP) Properties window with the radio buttons Obtain an IP address automatically / Use the following IP address, and Obtain DNS server address automatically / Use the following DNS server addresses)

8 Click OK to close the Internet Protocol (TCP/IP) Properties window.

9 Click Close (OK in Windows 2000/NT) to close the Local Area Connection Properties window.

10 Close the Network Connections window (Network and Dial-up Connections in Windows 2000/NT).

11 Turn on your ZyXEL Device and restart your computer (if prompted).

Verifying Settings

1 Click Start > All Programs > Accessories and then Command Prompt.

2 In the Command Prompt window, type "ipconfig" and then press ENTER. You can also open Network Connections, right-click a network connection, click Status and then click the Support tab.

Windows Vista

This section shows screens from Windows Vista Enterprise Version 6.0.

1 Click the Start icon, Control Panel.

Appendix A Setting up Your Computer's IP Address

Figure 175 Windows Vista: Start Menu (screenshot of the Start menu with Control Panel highlighted)

2 In the Control Panel, double-click Network and Internet.

(Control Panel screenshot: "Customize the appearance and functionality of your computer, add or remove programs, and set up network connections and user accounts")

Figure
(Figure: packet layouts for transport and tunnel mode, showing where the AH or ESP header sits relative to the IP header and the upper-layer headers.)

11.3.1 Transport Mode

Transport mode is used to protect upper layer protocols and only affects the data in the IP packet. In Transport mode, the IP packet contains the security protocol (AH or ESP) located after the original IP header and options, but before any upper layer protocols contained in the packet (such as TCP and UDP).

With ESP, protection is applied only to the upper layer protocols contained in the packet. The IP header information and options are not used in the authentication process. Therefore, the originating IP address cannot be verified for integrity against the data.

With the use of AH as the security protocol, protection is extended forward into the IP header to verify the integrity of the entire packet by use of portions of the original IP header in the hashing process. Fields that legitimately change in transit (TTL, TOS, flags/fragment offset and the header checksum) are zeroed before hashing; the source and destination addresses are covered, so a rewritten source address fails verification.

11.3.2 Tunnel Mode

Tunnel mode encapsulates the entire IP packet to transmit it securely. Tunnel mode is required for gateway services to provide access to internal systems. Tunnel mode is fundamentally an IP tunnel with authentication and encryption. This is the most common mode of operation. Tunnel mode is required for gateway-to-gateway and host-to-gateway communications. Tunnel mode communications have two sets of IP headers:

• Outside header: The outside IP header contains the destination IP address of the VPN gateway.
• Inside header: The inside IP header contains the destination IP address of the final system
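The coverage difference between AH and ESP in transport mode, and the two header sets of tunnel mode, as an added example (this is not code from the ZyXEL guide or from ZyXEL). The addresses, the key and the TCP bytes are constructed for the demonstration; the packet builder is a toy (no checksums, no options, no real ESP encryption), while the HMAC-SHA1-96 truncation follows RFC 2404 and the list of mutable IPv4 fields follows RFC 4302. It shows that a source address rewritten in transit is caught under AH but not under ESP, and that a TTL change is accepted under both.

```python
import hashlib
import hmac
import ipaddress
import struct

# IPv4 header fields that may legitimately change in transit and are therefore
# zeroed before AH computes its ICV (RFC 4302, 3.3.3.1): TOS, flags/fragment
# offset, TTL and header checksum.  Addresses are NOT in this list.
MUTABLE_FIELDS = ((1, 1), (6, 2), (8, 1), (10, 2))  # (offset, length)

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build a 20-byte IPv4 header (toy: no options, checksum left as zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                       ttl, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)

def hmac_sha1_96(key, data):
    """HMAC-SHA1-96 as used for AH/ESP authentication (RFC 2404): 96-bit truncation."""
    return hmac.new(key, data, hashlib.sha1).digest()[:12]

def authenticated_bytes(mode, ip_hdr, upper):
    """The bytes the ICV covers in transport mode.

    AH : the IP header with mutable fields zeroed, then everything after it.
    ESP: only what follows the IP header (the ESP header and payload; the
         upper-layer bytes stand in for them here).  The IP header is not covered."""
    if mode == "AH":
        hdr = bytearray(ip_hdr)
        for off, n in MUTABLE_FIELDS:
            hdr[off:off + n] = bytes(n)
        return bytes(hdr) + upper
    if mode == "ESP":
        return upper
    raise ValueError(mode)

def make_icv(key, mode, ip_hdr, upper):
    return hmac_sha1_96(key, authenticated_bytes(mode, ip_hdr, upper))

def verify_icv(key, mode, ip_hdr, upper, icv):
    """Receiver-side check; constant-time compare so the tag cannot be guessed byte by byte."""
    return hmac.compare_digest(make_icv(key, mode, ip_hdr, upper), icv)

def tunnel_encapsulate(inner_packet, gw_src, gw_dst):
    """Tunnel mode: the complete inner packet becomes the payload of an outer IP
    header addressed to the VPN gateway (next protocol 50 = ESP)."""
    return ipv4_header(gw_src, gw_dst, 50, len(inner_packet)) + inner_packet

def tunnel_destinations(packet):
    """(outside header destination, inside header destination) of a tunnel-mode packet."""
    outer = str(ipaddress.ip_address(packet[16:20]))
    inner = str(ipaddress.ip_address(packet[20 + 16:20 + 20]))
    return outer, inner

# --- constructed sample traffic: hypothetical hosts, gateways and key ---
KEY = bytes.fromhex("0b" * 20)                       # 160-bit HMAC-SHA1 key, made up for the demo
UPPER = bytes.fromhex("0c38001700000001000000005002200000000000")  # TCP SYN to port 23 (toy)
GENUINE = ipv4_header("10.1.1.5", "10.2.2.9", 6, len(UPPER))
SPOOFED = ipv4_header("10.9.9.9", "10.2.2.9", 6, len(UPPER))            # source rewritten
REROUTED = ipv4_header("10.1.1.5", "10.2.2.9", 6, len(UPPER), ttl=60)   # only TTL changed

def demo():
    """For each mode: is a spoofed source caught, and is a mere TTL change tolerated?"""
    results = {}
    for mode in ("AH", "ESP"):
        tag = make_icv(KEY, mode, GENUINE, UPPER)   # computed by the sender
        results[mode] = {
            "spoofed_source_rejected": not verify_icv(KEY, mode, SPOOFED, UPPER, tag),
            "ttl_change_accepted": verify_icv(KEY, mode, REROUTED, UPPER, tag),
        }
    outer_dst, inner_dst = tunnel_destinations(
        tunnel_encapsulate(GENUINE + UPPER, "203.0.113.1", "198.51.100.1"))
    results["tunnel"] = {"outer_dst": outer_dst, "inner_dst": inner_dst}
    return results

if __name__ == "__main__":
    print(demo())
```

ESP in transport mode still gives a receiver no way to tell that the outer source address is the one the sender used, which is why a gateway deployment is done in tunnel mode with the authenticated inner header carrying the real addresses.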
If the networks are isolated from the Internet (for example, only between your two branch offices), you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP addresses specifically for private networks:

• 10.0.0.0 to 10.255.255.255
• 172.16.0.0 to 172.31.255.255
• 192.168.0.0 to 192.168.255.255

You can obtain your IP address from the IANA, from an ISP or it can be assigned from a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks. On the other hand, if you are part of a much larger organization, you should consult your network administrator for the appropriate IP addresses.

Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets (since superseded by RFC 1918, which reserves the same three blocks), and RFC 1466, Guidelines for Management of IP Address Space.

5.2.2 RIP Setup

RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. RIP version 1 carries no authentication, so any host on a segment from which the ZyXEL Device accepts RIP updates can inject routes; do not accept RIP from the WAN or from LAN segments you do not trust. The RIP Direction field controls the sending and receiving of RIP packets. When set to:

• Both: the ZyXEL Device will broadcast its routing table periodically and incorporate the RIP inform
The ZyXEL Device blocks all IP spoofing attempts.

8.5 Stateful Inspection

With stateful inspection, fields of the packets are compared to packets that are already known to be trusted. For example, if you access some outside service, the firewall remembers things about your original request, like the port number and source and destination addresses. This "remembering" is called saving the state. When the outside system responds to your request, the firewall compares the received packets with the saved state to determine if they are allowed in. The ZyXEL Device uses stateful packet inspection to protect the private LAN from hackers and vandals on the Internet. By default, the ZyXEL Device's stateful inspection allows all communications to the Internet that originate from the LAN, and blocks all traffic to the LAN that originates from the Internet. In summary, stateful inspection:

• Allows all sessions originating from the LAN (local network) to the WAN (Internet).
• Denies all sessions originating from the WAN to the LAN.

Figure 82 Stateful Inspection (User A on the protected LAN initiates a Telnet session to the Internet; return traffic for User A's Telnet session is permitted, while other Telnet traffic from the Internet is blocked.)
In all other cases (see Upper Layer Protocols, shown next), these packets are dropped and logged.

If an initiation packet originates on the LAN, this means that someone is trying to make a connection from the LAN to the Internet. Assuming that this is an acceptable part of the security policy (as is the case with the default policy), the connection will be allowed. A cache entry is added which includes connection information such as IP addresses, TCP ports, sequence numbers, etc.

When the ZyXEL Device receives any subsequent packet (from the Internet or from the LAN), its connection information is extracted and checked against the cache. A packet is only allowed to pass through if it corresponds to a valid connection (that is, if it is a response to a connection which originated on the LAN).

8.5.4 UDP/ICMP Security

UDP and ICMP do not themselves contain any connection information (such as sequence numbers). However, at the very minimum, they contain an IP address pair (source and destination). UDP also contains port pairs, and ICMP has type and code information. All of this data can be analyzed in order to build "virtual connections" in the cache.

Because nothing but the address and port pair ties a returning UDP packet to its cache entry, any host that can observe or guess those values can send data through the opening while it exists; that is why these entries are kept only briefly.

For instance, any UDP packet that originates on the LAN will create a cache entry. Its IP address and port pairs will be stored. For a short period of time, UDP packets from the WAN that have matching IP and UDP information will be allowed back in through
Table 88 Maximize Bandwidth Usage Example
BANDWIDTH CLASSES AND ALLOTMENTS
Root Class: 10240 kbps
Administration: 2048 kbps
Sales: 2048 kbps
Marketing: 2048 kbps
Research: 2048 kbps

The ZyXEL Device divides up the unbudgeted 2048 kbps among the classes that require more bandwidth. If the administration department only uses 1024 kbps of the budgeted 2048 kbps, the ZyXEL Device also divides the remaining 1024 kbps among the classes that require more bandwidth. Therefore, the ZyXEL Device divides a total of 3072 kbps of unbudgeted and unused bandwidth among the classes that require more bandwidth.

14.6.2.1 Priority-based Allotment of Unused and Unbudgeted Bandwidth

The following table shows the priorities of the bandwidth classes and the amount of bandwidth that each class gets.

Table 89 Priority-based Allotment of Unused and Unbudgeted Bandwidth Example
BANDWIDTH CLASSES, PRIORITIES AND ALLOTMENTS
Root Class: 10240 kbps
Administration: Priority 4, 1024 kbps
Sales: Priority 6, 3584 kbps
Marketing: Priority 6, 3584 kbps
Research: Priority 5, 2048 kbps

Suppose that all of the classes except for the administration class need more bandwidth.

• Each class gets up to its budgeted bandwidth. The administration class only uses 1024 kbps of its budgeted 2048 kbps.
• The sales and marketing classes are first to get extra bandwidth
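The allotment rule described in Section 14.6 (budget first, then unused and unbudgeted bandwidth to the highest-priority classes, split equally within a priority level) and the Table 89 example, as an added example implementation; this is not ZyXEL's scheduler or code from the guide. The class names, bud­gets and priorities are the guide's; the notion of a per-class "demand" (how much a class could send right now) is an assumption introduced here so the Administration class can use only 1024 kbps of its budget. The function also covers the case the guide does not tabulate, where a high-priority class wants only a little extra and the rest flows down to the next priority level.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class BwClass:
    name: str
    budget: int                   # kbps guaranteed to the class
    priority: int                 # higher number is served first when extra bandwidth is shared
    demand: Optional[int] = None  # kbps the class could use right now; None = unlimited (assumption)

def _water_fill(leftover: int, wants: Dict[str, Optional[int]]) -> Tuple[Dict[str, int], int]:
    """Split `leftover` equally among the classes of one priority level.  A class
    that wants less than its equal share takes only that, and the remainder is
    re-split among the others until everyone is satisfied or nothing is left."""
    grant = {n: 0 for n in wants}
    active = set(wants)
    while active and leftover >= len(active):
        share = leftover // len(active)
        done = set()
        for n in sorted(active):
            give = share if wants[n] is None else min(share, wants[n] - grant[n])
            grant[n] += give
            leftover -= give
            if wants[n] is not None and grant[n] >= wants[n]:
                done.add(n)
        active -= done
    return grant, leftover

def allot(root_kbps: int, classes: List[BwClass], maximize: bool) -> Tuple[Dict[str, int], int]:
    """Return ({class: kbps}, kbps left for traffic outside every class).

    Step 1: each class gets up to its budget (less if it does not need it).
    Step 2 (Maximize Bandwidth Usage only): unbudgeted plus unused bandwidth goes
    to classes still wanting more, highest priority first, equal shares within a
    priority level.  Without maximize that bandwidth stays available for traffic
    that matches no bandwidth filter (Section 14.6.1)."""
    if sum(c.budget for c in classes) > root_kbps:
        raise ValueError("class budgets exceed the interface bandwidth")
    alloc = {c.name: c.budget if c.demand is None else min(c.budget, c.demand) for c in classes}
    leftover = root_kbps - sum(alloc.values())
    if not maximize:
        return alloc, leftover
    for prio in sorted({c.priority for c in classes}, reverse=True):
        wants = {c.name: (None if c.demand is None else c.demand - alloc[c.name])
                 for c in classes
                 if c.priority == prio and (c.demand is None or c.demand > alloc[c.name])}
        if not wants or leftover == 0:
            continue
        grant, leftover = _water_fill(leftover, wants)
        for name, kbps in grant.items():
            alloc[name] += kbps
    return alloc, leftover

# The guide's example: a 10240 kbps interface, four subnet classes of 2048 kbps each,
# 2048 kbps left unbudgeted; only Administration has less to send than its budget.
TABLE_89 = [
    BwClass("Administration", 2048, priority=4, demand=1024),
    BwClass("Sales", 2048, priority=6),
    BwClass("Marketing", 2048, priority=6),
    BwClass("Research", 2048, priority=5),
]

if __name__ == "__main__":
    print(allot(10240, TABLE_89, maximize=True))    # Table 89 figures
    print(allot(10240, TABLE_89, maximize=False))   # 3072 kbps kept for unclassified traffic
```

Run with maximize=False the function returns the same first-step figures but reports 3072 kbps left over, which is exactly the reserve Section 14.6.1 tells you to keep for traffic that matches no filter.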
Figure 116 Example of Static Routing Topology 207
Figure 119 Subnet-based Bandwidth Management Example 212
Figure 120 Bandwidth Management: Summary 216
Figure 121 Bandwidth Management: Rule Setup 217
Figure 122 Bandwidth Management Rule Configuration 218
Figure 123 Bandwidth Management: Monitor 220
Figure 124 Dynamic DNS 222
Figure 125 Remote Management: WWW 226
Figure 126 Remote Management: Telnet 227
Figure 127 Remote Management: FTP 228
Figure 128 SNMP Management Model 229
Figure 129 Remote Management: SNMP 231
Figure 130 Remot
WAN Port Statistics
This is the WAN or LAN port.
Link Status: This is the status of your WAN link.
WAN IP Address: This is the IP address assigned to your ZyXEL Device on the WAN.
Upstream Speed: This is the upstream speed of your ZyXEL Device.
Downstream Speed: This is the downstream speed of your ZyXEL Device.
Node-Link: This field displays the remote node index number and link type. Link types are PPPoA, ENET, RFC 1483 and PPPoE.
Status: This field displays Down (line is down) or Up (line is up or connected) if you're using Ethernet encapsulation, and Down (line is down), Up (line is up or connected), Idle (line (ppp) idle), Dial (starting to trigger a call) or Drop (dropping a call) if you're using PPPoE encapsulation.
TxPkts: This field displays the number of packets transmitted on this port.

Table 8 Status: Packet Statistics (continued)
LABEL / DESCRIPTION
RxPkts: This field displays the number of packets received on this port.
Errors: This field displays the number of error packets on this port.
Tx B/s: This field displays the number of bytes transmitted in the last second.
Rx B/s: This field displays the number of bytes received in the last second.
Up Time: This field displays the elapsed time this port has been up.

LAN Port Statistics
Interface: This field displays the type of p
Figure 79 Three-Way Handshake 140
Figure 80 SYN Flood 141
Figure 81 Smurf Attack 141
Figure 82 Stateful Inspection 143
Figure 83 Ideal Firewall Setup 152
Figure 84 "Triangle Route" Problem 153
Figure 85 IP Alias 153
Figure 86 Firewall: General 154
Figure 87 Firewall Rules 156
Figure 88 Firewall: Edit Rule 158
Figure 89 Firewall: Customized Services 160
Figure 90 Firewall: Configure Customized Services 161
Figure 91 Firewall Example: Rules 162
Figure 92 Edit Custom Port Example 162
Figure 93 Firewall Example: Edit Rule: Destination Address 163
Figure 94 Firewall Example: Edit Rule: Select Customized Services 164
Figure 95 Firewall Example: Rules: MyService 165
Figure 96 Firewall: Anti-Probing
main window.
Setup Page
View Device: This field is displayed if you are using the user password.
Status: Click this to go to the Status screen.
Finish: Click this to close the wizard main screen and return to the Status screen or the main window.

Launch your web browser and navigate to www.zyxel.com. Internet access is just the beginning. Refer to the rest of this guide for more detailed information on the complete range of ZyXEL Device features. If you cannot access the Internet, open the web configurator again to confirm that the Internet settings you configured in the wizard setup are correct.

3.3 Bandwidth Management Wizard

Use these screens to control the amount of bandwidth going out through the ZyXEL Device's WAN port and prioritize the distribution of the bandwidth. This helps keep one service (or application) from using all of the available bandwidth and shutting out other services.

The following table describes the services you can select.

Table 21 Media Bandwidth Management Setup: Services
SERVICE / DESCRIPTION
E-Mail: Electronic mail consists of messages sent through a computer network to specific groups or individuals. Here are some default ports for e-mail: POP3 port 110, IMAP port 143, SMTP port 25, HTTP port 80.
FTP: File Transfer Program enables fast transfer of files, including large files that may not be possible by e-mail. FT
(Figure: System General Setup screen. Fields: System Name, Domain Name, Administrator Inactivity Timer (minutes; 0 means no timeout); Password: User Password (New Password, Retype to confirm), Admin Password (Old Password, New Password, Retype to confirm); Apply, Cancel. Caution: Please record your new password whenever you change it. The system will lock you out if you have forgotten your password.)

The following table describes the labels in this screen.

Table 108 System General Setup
LABEL / DESCRIPTION
General Setup
System Name: Choose a descriptive name for identification purposes. It is recommended you enter your computer's "Computer name" in this field. This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes (-) and underscores (_) are accepted.
Domain Name: Enter the domain name (if you know it) here. If you leave this field blank, the ISP may assign a domain name via DHCP. The domain name entered by you is given priority over the ISP-assigned domain name.
Administrator Inactivity Timer: Type how many minutes a management session (either via the web configurator or the CLI, Command Line Interpreter) can be left idle before the session times out. The default is 5 minutes. After it times out you have to log in with your password again. Very long idle timeouts have security risks: an unattended browser or terminal keeps administrative access open to anyone who can reach it. A value of "0" means a management session never times out, no matter how long it has been left idle
might be the IP address of the ZyXEL Device (it depends on the network), so enter this IP address in your Internet browser.
3 If this does not work, you have to reset the device to its factory defaults. See Section 2.3 on page 42.

• I forgot the password.

1 The default user password is user and the default admin password is 1234. If the defaults still work on a device that is already in service, change both passwords once you are back in: anyone on the LAN (or on the WAN, if remote management is enabled) can look these defaults up.
2 If this does not work, you have to reset the device to its factory defaults. See Section 2.3 on page 42.

• I cannot see or access the Login screen in the web configurator.

1 Make sure you are using the correct IP address.
  • The default IP address is 192.168.1.1.
  • If you changed the IP address (Section 5.3 on page 94), use the new IP address.
  • If you changed the IP address and have forgotten it, see the troubleshooting suggestions for "I forgot the IP address for the ZyXEL Device".
2 Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.5 on page 35.
3 Make sure your Internet browser does not block pop-up windows and has JavaScripts and Java enabled. See Appendix B on page 305.
4 If you disabled Any IP (Chapter 5 on page 89), make sure your computer is in the same subnet as the ZyXEL Device. (If you know that there are routers between your computer and the ZyXEL Device, skip this step.)
  • If there is a DHCP server on your network, make sure your computer is using a dynamic IP address. See Section 5.4 on page 96. Your ZyXEL Device is a DHCP server
and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA and the second one uses that SA to negotiate SAs for IPSec.

Figure 109 Two Phases to Set Up the IPSec SA (Phase 1 produces the IKE SA; Phase 2 produces the IPSec SA.)

In phase 1 you must:
• Choose a negotiation mode.
• Authenticate the connection by entering a pre-shared key.
• Choose an encryption algorithm.
• Choose an authentication algorithm.
• Choose a Diffie-Hellman public-key cryptography key group (DH1 or DH2).
• Set the IKE SA lifetime. This field allows you to determine how long an IKE SA should stay up before it times out. An IKE SA times out when the IKE SA lifetime period expires. If an IKE SA times out when an IPSec SA is already established, the IPSec SA stays connected.

In phase 2 you must:
• Choose which protocol to use (ESP or AH) for the IPSec SA.
• Choose an encryption algorithm.
• Choose an authentication algorithm.
• Choose whether to enable Perfect Forward Secrecy (PFS) using Diffie-Hellman public-key cryptography (see Section 12.12.3 on page 194). Select None (the default) to disable PFS.
• Choose Tunnel mode or Transport mode.
• Set the IPSec SA lifetime. This field allows you to determine how long the IPSec SA should stay up before it times out. The ZyXEL Device automatically renegotiates the IPSec SA if there is traffic when the IPSec SA lifetime period expires.
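What the two phases actually produce, and what the PFS choice in phase 2 buys you, as an added example (not code from the ZyXEL guide or ZyXEL's IKE implementation). It follows the IKEv1 key derivation of RFC 2409: phase 1 with pre-shared-key authentication yields SKEYID_d, and every Quick Mode derives its IPSec keys (KEYMAT) from SKEYID_d plus the phase-2 nonces and SPI, with a fresh Diffie-Hellman result mixed in only when PFS is on. The pre-shared key, nonces, cookies and SPI are constructed values; the prf is HMAC-SHA1 and the DH group is group 2 (the "DH2" of the VPN screens, the 1024-bit MODP group of RFC 2409 section 6.2). The scripted attacker models the case the PFS option exists for: someone who later obtains the IKE SA secret and holds a capture of the phase-2 exchange.

```python
import hashlib
import hmac
import secrets

# Diffie-Hellman group 2 ("DH2"): the 1024-bit MODP group of RFC 2409 section 6.2,
# generator 2.  Group 1 (DH1) is the weaker 768-bit group.
DH2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
DH2_G = 2
ESP, AH = b"\x03", b"\x02"          # IPsec DOI protocol IDs fed into the KEYMAT derivation

def prf(key, data):
    """IKEv1 prf: HMAC with the negotiated hash algorithm (SHA-1 chosen here)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def dh_private():
    return secrets.randbelow(DH2_P - 2) + 1

def dh_public(x):
    return pow(DH2_G, x, DH2_P)

def dh_shared(x, peer_public):
    return pow(peer_public, x, DH2_P).to_bytes(128, "big")

def phase1_skeyid_d(psk, nonce_i, nonce_r, gxy, cookie_i, cookie_r):
    """Phase 1 with pre-shared key authentication (RFC 2409 section 5):
    SKEYID = prf(PSK, Ni|Nr) and SKEYID_d = prf(SKEYID, g^xy|CKY-I|CKY-R|0).
    SKEYID_d is the IKE SA material every later Quick Mode derives from."""
    skeyid = prf(psk, nonce_i + nonce_r)
    return prf(skeyid, gxy + cookie_i + cookie_r + b"\x00")

def phase2_keymat(skeyid_d, protocol, spi, nonce_i, nonce_r, pfs_shared=None):
    """Quick Mode KEYMAT (RFC 2409 section 5.5).  Without PFS it depends only on
    SKEYID_d and values sent in the clear; with PFS a fresh g(qm)^xy is mixed in."""
    body = protocol + spi + nonce_i + nonce_r
    if pfs_shared is not None:
        body = pfs_shared + body
    return prf(skeyid_d, body)

def negotiate(psk, pfs):
    """Run phase 1 and one phase 2 between initiator and responder, then play an
    attacker who later learns SKEYID_d and has the capture (nonces, SPI, cookies,
    public DH values) but not the private exponents.
    Returns (initiator KEYMAT, responder KEYMAT, attacker's derivation)."""
    xi, xr = dh_private(), dh_private()
    yi, yr = dh_public(xi), dh_public(xr)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    skd_i = phase1_skeyid_d(psk, ni, nr, dh_shared(xi, yr), cky_i, cky_r)
    skd_r = phase1_skeyid_d(psk, ni, nr, dh_shared(xr, yi), cky_i, cky_r)
    assert skd_i == skd_r                       # both ends now hold the same IKE SA secret

    # phase 2: fresh nonces, an ESP SPI and, only with PFS, a new DH exchange
    ni2, nr2, spi = secrets.token_bytes(16), secrets.token_bytes(16), secrets.token_bytes(4)
    if pfs:
        qi, qr = dh_private(), dh_private()
        shared_i, shared_r = dh_shared(qi, dh_public(qr)), dh_shared(qr, dh_public(qi))
    else:
        qr, shared_i, shared_r = None, None, None
    km_i = phase2_keymat(skd_i, ESP, spi, ni2, nr2, shared_i)
    km_r = phase2_keymat(skd_r, ESP, spi, ni2, nr2, shared_r)

    # attacker: SKEYID_d plus everything on the wire; with PFS the best it can do
    # is pick its own exponent, which yields a different g(qm)^xy.
    guess = dh_shared(dh_private(), dh_public(qr)) if pfs else None
    km_attacker = phase2_keymat(skd_i, ESP, spi, ni2, nr2, guess)
    return km_i, km_r, km_attacker

def pfs_protects():
    """True if the attacker recovers the IPSec keys without PFS but not with it."""
    no_pfs = negotiate(b"constructed-psk", pfs=False)
    with_pfs = negotiate(b"constructed-psk", pfs=True)
    return (no_pfs[0] == no_pfs[1] == no_pfs[2]
            and with_pfs[0] == with_pfs[1] != with_pfs[2])

if __name__ == "__main__":
    print("PFS keeps IPSec keys safe after an IKE SA compromise:", pfs_protects())
```

The lifetime settings interact with this: a long IKE SA lifetime without PFS means one recovered SKEYID_d exposes every IPSec SA negotiated under it, whereas with PFS each rekey costs one more DH exchange and a compromise exposes only the SA it belongs to.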
in a range increase of approximately 2.5%. For an unobstructed outdoor site, each 1 dB increase in gain results in a range increase of approximately 5%. Actual results may vary depending on the network environment.

Antenna gain is sometimes specified in dBi, which is how much the antenna increases the signal power compared to using an isotropic antenna. An isotropic antenna is a theoretical perfect antenna that sends out radio signals equally well in all directions. dBi represents the true gain that the antenna provides.

Types of Antennas for WLAN

There are two types of antennas used for wireless LAN applications.

• Omni-directional antennas send the RF signal out in all directions on a horizontal plane. The coverage area is torus-shaped (like a donut), which makes these antennas ideal for a room environment. With a wide coverage area, it is possible to make circular overlapping coverage areas with multiple access points.
• Directional antennas concentrate the RF signal in a beam, like a flashlight does with the light from its bulb. The angle of the beam determines the width of the coverage pattern. Angles typically range from 20 degrees (very directional) to 120 degrees (less directional). Directional antennas are ideal for hallways and outdoor point-to-point applications.

Positioning Antennas

In general, antennas should be mounted as high as practically possible and free of
depends on how many bandwidth classes require more bandwidth and on their priority levels. When only one class requires more bandwidth, the ZyXEL Device gives extra bandwidth to that class.

When multiple classes require more bandwidth, the ZyXEL Device gives the highest priority classes the available bandwidth first (as much as they require, if there is enough available bandwidth), and then to lower priority classes if there is still bandwidth available. The ZyXEL Device distributes the available bandwidth equally among classes with the same priority level.

14.6.1 Reserving Bandwidth for Non-Bandwidth Class Traffic

Do the following three steps to configure the ZyXEL Device to allow bandwidth for traffic that is not defined in a bandwidth filter.

1 Leave some of the interface's bandwidth unbudgeted.
2 Do not enable the interface's Maximize Bandwidth Usage option.
3 Do not enable bandwidth borrowing on the child classes that have the root class as their parent (see Section 14.8 on page 217).

14.6.2 Maximize Bandwidth Usage Example

Here is an example of a ZyXEL Device that has maximize bandwidth usage enabled on an interface. The following table shows each bandwidth class's bandwidth budget. The classes are set up based on subnets. The interface is set to 10240 kbps. Each subnet is allocated 2048 kbps. The unbudgeted 2048 kbps allows traffic not defined in any of the bandwidth filters to go out when you do not select the maximize bandwidth option.
the action that the firewall is to take on packets that are traveling in the selected direction and do not match any of the firewall rules.
Select Drop to silently discard the packets without sending a TCP reset packet or an ICMP destination unreachable message to the sender.
Select Reject to deny the packets and send a TCP reset packet (for a TCP packet) or an ICMP destination unreachable message (for a UDP packet) to the sender.
Select Permit to allow the passage of the packets.
Reject answers the sender immediately and so confirms that a filtering device is present; Drop leaves a scanner waiting for a timeout, which is the usual choice for traffic arriving from the WAN.
Log: Select the check box to create a log (when the above action is taken) for packets that are traveling in the selected direction and do not match any of your customized rules.
Expand: Click this button to display more information.
Basic: Click this button to display less information.
Apply: Click Apply to save your changes back to the ZyXEL Device.
Cancel: Click Cancel to begin configuring this screen afresh.

9.7 Firewall Rules Summary

Note: The ordering of your rules is very important as rules are applied in turn.

Refer to Section 8.1 on page 137 for more information.

Click Security > Firewall > Rules to bring up the following screen. This screen displays a list of the configured firewall rules. Note the order in which the rules are listed.

Figure 87 Firewall Rules (the screen lists the configured rules in order and shows Firewall Rules Storage Space in Use)
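The behaviour described in Sections 8.5 (stateful inspection: a LAN-initiated session creates a cache entry, return traffic matches it, UDP entries live only briefly) and 9.7 (rules applied in order, then the default action with Drop/Reject/Permit and logging), as one added simulation; this is not ZyXEL's firewall code and not from the guide. The LAN subnet, hosts, idle timers and the two rules are constructed for the demonstration; the idle timers in particular are assumptions, the guide only says "a short period of time".

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN = ipaddress.ip_network("192.168.1.0/24")   # constructed: the protected LAN subnet

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0            # for icmp, carry the ICMP type here
    syn_only: bool = False    # TCP SYN without ACK: a connection initiation

@dataclass(frozen=True)
class Rule:
    direction: str            # "LAN->WAN" or "WAN->LAN"
    proto: Optional[str]      # None matches any protocol
    dport: Optional[int]      # None matches any port
    action: str               # "permit", "drop" or "reject"
    log: bool = False

class StatefulFirewall:
    TCP_IDLE = 3600.0         # seconds a TCP session entry survives without traffic (assumed)
    UDP_IDLE = 30.0           # the "short period of time" for UDP/ICMP virtual connections (assumed)

    def __init__(self, rules, default_action=None, log_default=True):
        self.rules = list(rules)
        # the guide's default policy: LAN->WAN permitted, WAN->LAN dropped
        self.default_action = {"LAN->WAN": "permit", "WAN->LAN": "drop", **(default_action or {})}
        self.log_default = log_default
        self.cache = {}       # 5-tuple of the initiating packet -> expiry time
        self.log = []         # (action, packet) for every logged decision

    @staticmethod
    def direction(pkt):
        return "LAN->WAN" if ipaddress.ip_address(pkt.src) in LAN else "WAN->LAN"

    @staticmethod
    def key(pkt):
        return (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)

    @staticmethod
    def reverse_key(pkt):
        return (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)

    def _idle(self, proto):
        return self.TCP_IDLE if proto == "tcp" else self.UDP_IDLE

    def process(self, pkt, now):
        """Return (verdict, what the sender gets back): verdict is permit/drop/reject,
        the response is None, "tcp-rst" or "icmp-unreachable"."""
        # 1. Known session, in either direction?  Pass it and refresh the entry.
        for k in (self.key(pkt), self.reverse_key(pkt)):
            if k in self.cache:
                if now < self.cache[k]:
                    self.cache[k] = now + self._idle(pkt.proto)
                    return "permit", None
                del self.cache[k]                 # expired: treat what follows as new
        # 2. TCP that is not a SYN and belongs to no session is not a valid initiation.
        if pkt.proto == "tcp" and not pkt.syn_only:
            self.log.append(("no-session", pkt))
            return "drop", None
        # 3. New session: rules in order, first match wins; otherwise the default action.
        direction = self.direction(pkt)
        action, log = self.default_action[direction], self.log_default
        for r in self.rules:
            if r.direction == direction and r.proto in (None, pkt.proto) and r.dport in (None, pkt.dport):
                action, log = r.action, r.log
                break
        if action == "permit":
            self.cache[self.key(pkt)] = now + self._idle(pkt.proto)
            return "permit", None
        if log:
            self.log.append((action, pkt))
        if action == "reject":
            return "reject", "tcp-rst" if pkt.proto == "tcp" else "icmp-unreachable"
        return "drop", None                       # silent discard

def demo():
    """Scripted traffic against a firewall that admits port 80 and rejects other WAN TCP."""
    fw = StatefulFirewall([
        Rule("WAN->LAN", "tcp", 80, "permit"),             # a web server reachable from outside
        Rule("WAN->LAN", "tcp", None, "reject", log=True),
    ])
    out = {}
    out["telnet_out"] = fw.process(Packet("192.168.1.10", "203.0.113.5", "tcp", 40000, 23, syn_only=True), 0.0)
    out["telnet_reply"] = fw.process(Packet("203.0.113.5", "192.168.1.10", "tcp", 23, 40000), 0.5)
    out["telnet_in"] = fw.process(Packet("203.0.113.7", "192.168.1.10", "tcp", 5555, 23, syn_only=True), 1.0)
    out["http_in"] = fw.process(Packet("203.0.113.7", "192.168.1.20", "tcp", 5556, 80, syn_only=True), 1.0)
    out["dns_out"] = fw.process(Packet("192.168.1.10", "203.0.113.53", "udp", 5353, 53), 2.0)
    out["dns_reply"] = fw.process(Packet("203.0.113.53", "192.168.1.10", "udp", 53, 5353), 3.0)
    out["dns_late"] = fw.process(Packet("203.0.113.53", "192.168.1.10", "udp", 53, 5353), 63.0)
    return out, fw.log

def ordering_matters():
    """Same packet and rules, different order: the first matching rule decides."""
    deny_tcp = Rule("WAN->LAN", "tcp", None, "reject")
    allow_web = Rule("WAN->LAN", "tcp", 80, "permit")
    pkt = Packet("203.0.113.7", "192.168.1.20", "tcp", 5557, 80, syn_only=True)
    return (StatefulFirewall([deny_tcp, allow_web]).process(pkt, 0.0)[0],
            StatefulFirewall([allow_web, deny_tcp]).process(pkt, 0.0)[0])
```

In the scripted run the unsolicited Telnet from the Internet is rejected with a TCP reset (and logged) while the DNS answer is admitted only while the UDP entry is fresh; the same packet sixty seconds later is just an unsolicited WAN->LAN packet and falls through to the default Drop.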
Turn on your ZyXEL Device and restart your computer when prompted.

Verifying Settings

1 Click Start and then Run.
2 In the Run window, type "winipcfg" and then click OK to open the IP Configuration window.
3 Select your network adapter. You should see your computer's IP address, subnet mask and default gateway.

Windows 2000/NT/XP

The following example figures use the default Windows XP GUI theme.

1 Click start (Start in Windows 2000/NT), Settings, Control Panel.

Figure 168 Windows XP: Start Menu

2 In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT).

Figure 169 Windows XP: Control Panel
encapsulation 74
My IP Address 182

N

Nailed-Up Connection 75
NAT 91, 127, 129, 320
  Address mapping rule 133
  Application 124
  Definitions 123
  How it works 124
  Mapping Types 125
  What it does 124
  What NAT does 124
NAT (Network Address Translation) 123
NAT mode 127
NAT Traversal 237
NAT traversal 185
navigating the web configurator 42
Negotiation Mode 194
NetBIOS commands 142
Network Management 128
Network Temporarily Disconnected 264
NNTP 128

O

one minute high 168
one minute low 168
One Minute High 167
Outside Header 178

P

Packet Filtering 147
Packet filtering, When to use 147
Packet Filtering Firewalls 137
Pairwise Master Key (PMK) 332, 334
Peak Cell Rate (PCR) 76, 81, 85
Perfect Forward Secrecy 194
PFS 194
Ping of Death 140
Point-to-Point Protocol over ATM Adaptation Layer 5 (AAL5) 74
Point-to-Point Tunneling Protocol 128
POP3 128, 139
power specification 275
PPPoE 73
  Benefits 73
PPTP 128
preamble mode 327
Pre-Shared Key 188
Priorities 117, 215
Priority 217
Priority-based Scheduler 212
product registration 343
PSK 332

R

RADIUS 328
  message types 329
  messages 329
  shared secret key 329
registration, product 343
reinitialize the ADSL line 268
related documentation 3
remote management, Telnet 227
Remote Management and NAT 226
Remote Management Limitations 226
Reset button 264
Reset button, the 42
resetting the Device
Click Maintenance > System > Time Setting. The screen appears as shown. Use this screen to configure the ZyXEL Device's time based on your local time zone.

Figure 149 System Time Setting (screen fields: Current Time and Date (Current Time, Current Date); Time and Date Setup (Manual with New Time hh:mm:ss and New Date yyyy/mm/dd, or Get from Time Server with Time Protocol and Time Server Address); Time Zone Setup (Time Zone, Enable Daylight Savings, Start Date, End Date); Apply, Cancel)

Accurate time matters beyond convenience: log entries, content filter schedules and the IKE and IPSec SA lifetimes are all measured against this clock, so check that the configured time server is actually reachable rather than leaving the device on its factory default date.

The following table describes the fields in this screen.

Table 109 System Time Setting
LABEL / DESCRIPTION
Current Time and Date
Current Time: This field displays the time of your ZyXEL Device. Each time you reload this page, the ZyXEL Device synchronizes the time with the time server.
Current Date: This field displays the date of your ZyXEL Device. Each time you reload this page, the ZyXEL Device synchronizes the date with the time server.
Time and Date Setup
Manual: Select this radio button to enter the time and date manually. If you configure a new time and date, Time Zone and Daylight Saving at the same time, the new time and dat
window.

Figure 204 Java (Sun) (Internet Explorer Internet Options, Advanced tab: under Java (Sun), select "Use Java 2 v1.4.1_07 for <applet> (requires restart)")

Mozilla Firefox

Mozilla Firefox 2.0 screens are used here. Screens for other versions may vary.

You can enable Java, JavaScripts and pop-ups in one screen. Click Tools, then click Options in the screen that appears.

Figure 205 Mozilla Firefox: Tools > Options

Click Content to show the screen below. Select the check boxes as shown in the following screen.

Figure 206 Mo
9.7.3 Configuring A Customized Service 160
9.8 Example Firewall Rule 161
9.9 Anti-Probing 165
9.10 DoS Thresholds 166
9.10.1 Threshold Values 166
9.10.2 Half-Open Sessions 167
9.10.3 Configuring Firewall Thresholds 167
Chapter 10 Content Filtering 171
10.1 Content Filtering Overview 171
10.2 Configuring Keyword Blocking 171
10.3 Configuring the Schedule 172
10.4 Configuring Trusted Computers 173
Chapter 11 Introduction to IPSec 175
11.1 VPN Overview 175
11.1.1 IPSec 175
11.1.2 Security Association 175
11.1.3 Other Terminology 175
11.1.4 VPN Applications 176
11.2 IPSec Architecture 176
11.2.1 IPSec Algorithms 177
11.2.2 Key Management
Internet settings manually.

3.1.2.1 Screen 1

Figure 20 Internet Setup Wizard: Manual Configuration (STEP 1 / STEP 2)

Click Back to return to the wizard main screen. Click Next to continue to the next screen. Click Exit to close the wizard main screen and return to the Status screen or the main window.

3.1.2.2 Screen 2

This screen lets you enter some of the ISP settings for your Internet connection.

Figure 21 Internet Access Wizard Setup: ISP Parameters

The following table describes the fields in this screen.

Table 11 Internet Setup Wizard: ISP Parameters
LABEL / DESCRIPTION
Mode: Select Routing (default) if your ISP allows multiple computers to share an Internet account. Otherwise, select Bridge.
Encapsulation: Select the encapsulation type your ISP uses from the Encapsulation drop-down list box. Choices vary depending on what you select in the Mode field. If you select Bridge in the Mode field, select either PPPoA or RFC 1483. If you select Routing in the Mode field, select PPPoA, RFC 1483, ENET ENCAP or PPPoE.
Multiplexing: Select the multiplexing method used by your ISP from the Multiplex drop-down list box, either VC-based or LLC-based.
Virt
network number) to send packets to the correct network, while the host ID determines to which host on the network the packets are delivered.

Structure

An IP address is made up of four parts, written in dotted decimal notation (for example, 192.168.1.1). Each of these four parts is known as an octet. An octet is an eight-digit binary number (for example 11000000, which is 192 in decimal notation).

Therefore, each octet has a possible range of 00000000 to 11111111 in binary, or 0 to 255 in decimal.

The following figure shows an example IP address in which the first three octets (192.168.1) are the network number, and the fourth octet (16) is the host ID.

Figure 207 Network Number and Host ID (192.168.1.16: network number 192.168.1, host ID 16)

How much of the IP address is the network number and how much is the host ID varies according to the subnet mask.

Subnet Masks

A subnet mask is used to determine which bits are part of the network number, and which bits are part of the host ID (using a logical AND operation). The term "subnet" is short for "sub-network".

A subnet mask has 32 bits. If a bit in the subnet mask is a "1" then the corresponding bit in the IP address is part of the network number. If a bit in the subnet mask is "0" then the corre
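The octet-by-octet AND that this appendix describes, together with the private address check from Section 5.2 (the three IANA blocks), as an added example; this is not code from the ZyXEL guide. The functions work on dotted-decimal strings, reject a mask whose 1 bits are not contiguous (a common misconfiguration that the appendix's rule silently tolerates), and reproduce the appendix's own figures: 192.168.1.16 with mask 255.255.255.0 has network number 192.168.1.0 and host ID 16. The sample addresses are constructed.

```python
import ipaddress

# The three blocks IANA reserves for private networks (RFC 1597 / RFC 1918).
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def octets(dotted):
    """Parse dotted-decimal notation into four integers, each 0 to 255."""
    parts = dotted.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"not a dotted-decimal IPv4 address: {dotted!r}")
    return [int(p) for p in parts]

def to_binary(dotted):
    """Show each octet as the eight-digit binary number the appendix describes."""
    return ".".join(f"{o:08b}" for o in octets(dotted))

def prefix_length(mask):
    """Validate a subnet mask: its 32 bits must be a run of 1s followed by 0s.
    Returns the number of 1 bits (the /n prefix length)."""
    bits = "".join(f"{o:08b}" for o in octets(mask))
    ones = bits.rstrip("0")
    if "0" in ones:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return len(ones)

def split_address(addr, mask):
    """Apply the mask with a logical AND, octet by octet.
    Returns (network number, host ID, prefix length)."""
    prefix = prefix_length(mask)
    a, m = octets(addr), octets(mask)
    network = ".".join(str(x & y) for x, y in zip(a, m))
    host = ".".join(str(x & (~y & 0xFF)) for x, y in zip(a, m))
    return network, host, prefix

def same_subnet(a, b, mask):
    """Two hosts reach each other without a router only if the mask gives them
    the same network number (the check behind the 'same subnet' troubleshooting step)."""
    return split_address(a, mask)[0] == split_address(b, mask)[0]

def is_private(addr):
    """True for addresses inside one of the three reserved private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in PRIVATE_BLOCKS)

if __name__ == "__main__":
    print(to_binary("192.168.1.16"))                       # 11000000.10101000.00000001.00010000
    print(split_address("192.168.1.16", "255.255.255.0"))  # ('192.168.1.0', '0.0.0.16', 24)
```

The 172.16.0.0/12 block is the one people get wrong by hand: 172.31.255.255 is private, 172.32.0.1 is not, which is exactly what the mask arithmetic gives.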
Table of Contents

6.8.1 ToS (Type of Service) and WMM QoS ........ 120
6.8.2 Application Priority Configuration ........ 121
Chapter 7 Network Address Translation (NAT) Screens ........ 123
7.1.1 NAT Definitions ........ 123
7.1.2 What NAT Does ........ 124
7.1.3 How NAT Works ........ 124
7.1.4 NAT Application ........ 124
7.1.5 NAT Mapping Types ........ 125
7.2 SUA (Single User Account) Versus NAT ........ 126
7.3 NAT General Setup ........ 126
7.4 Port Forwarding ........ 127
7.4.1 Default Server IP Address ........ 127
7.4.2 Port Forwarding: Services and Port Numbers
ng types as outlined in Table 49 on page 126.

- Choose SUA Only if you have just one public WAN IP address for your ZyXEL Device.
- Choose Full Feature if you have multiple public WAN IP addresses for your ZyXEL Device.

7.3 NAT General Setup

You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the ZyXEL Device. Click Network > NAT to open the following screen.

Chapter 7 Network Address Translation (NAT) Screens

Figure 72 NAT General
[Figure: NAT Setup screen with the Active Network Address Translation (NAT) check box, the SUA Only and Full Feature radio buttons, and Apply and Cancel buttons]

The following table describes the labels in this screen.

Table 50 NAT General

LABEL: DESCRIPTION
Active Network Address Translation (NAT): Select this check box to enable NAT.
SUA Only: Select this radio button if you have just one public WAN IP address for your ZyXEL Device.
Full Feature: Select this radio button if you have multiple public WAN IP addresses for your ZyXEL Device.
Apply: Click Apply to save your changes back to the ZyXEL Device.
Cancel: Click Cancel to reload the previous configuration for this screen.

7.4 Port Forwarding

A port forwarding set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make visible to the outside world even though NAT makes your whole inside network app
ngle route problem is to use IP alias. IP alias allows you to partition your network into logical sections over the same Ethernet interface. Your ZyXEL Device supports up to three logical LAN interfaces with the ZyXEL Device being the gateway for each logical network. By putting your LAN and Gateway A in different subnets, all returning network traffic must pass through the ZyXEL Device to your LAN. The following steps describe such a scenario.

1. A computer on the LAN initiates a connection by sending a SYN packet to a receiving server on the WAN.
2. The ZyXEL Device reroutes the packet to Gateway A, which is in Subnet 2.
3. The reply from the WAN goes to the ZyXEL Device.
4. The ZyXEL Device then sends it to the computer on the LAN in Subnet 1.

Figure 85 IP Alias
[Figure: Subnet 1 (LAN) and Subnet 2 (Gateway A) behind the ZyXEL Device, with the WAN connection to the Internet]

Chapter 9 Firewall Configuration

9.6 General Firewall Policy

Click Security > Firewall to display the following screen. Activate the firewall by selecting the Active Firewall check box as seen in the following screen.

Refer to Section 8.1 on page 137 for more information.

Figure 86 Firewall: General
[Figure: General screen with the Active Firewall check box, the Bypass Triangle Route check box and the Default Action settings. Caution shown on the screen: when Bypass Triangle Route is checked, all LAN to LAN and WAN to WAN packets will bypass the firewall check. Default Action: WAN to LAN: Drop; LAN to WAN: Permit; WAN to WAN/Router: Dro
ngs in this screen. Click Next.

Chapter 3 Wizards

Figure 29 Wireless LAN Setup Wizard 2
[Figure: Wireless LAN screen with Network Name (SSID) "ZyXEL", Channel Selection "Channel 06 2437MHz", Security "Manually assign a WPA-PSK key", and Back, Next and Exit buttons. On-screen notes: give your network a name, which you will search for from your wireless client; use the default channel unless other networks nearby use the same channel; use the manual option if you would prefer to create your own key; WPA is stronger than WEP but not all clients are compatible with WPA.]

The following table describes the labels in this screen.

Table 17 Wireless LAN Setup Wizard 2

LABEL: DESCRIPTION
Network Name (SSID): Enter a descriptive name (up to 32 printable 7-bit ASCII characters) for the wireless LAN. If you change this field on the ZyXEL Device, make sure all wireless stations use the same SSID in order to access the network.
Channel Selection: The range of radio frequencies used by IEEE 802.11b/g wireless devices is called a channel. Select a channel ID that is not already in use by a neighboring device.
Security: Select Automatically assign a WPA key (Recommended) to have the ZyXEL Device create a pre-shared key (WPA-PSK) automatically, only if your wireless clients support WPA and OTIST. This option is available only when you enable OTIST in the previous wizard screen. Select Manually assign a WPA-PSK key to configure a Pre-Shared Key (WPA-PSK). Choose this
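What "Manually assign a WPA-PSK key" produces on the air, as an added example that is not part of the guide or ZyXEL's firmware: the 8 to 63 character passphrase and the SSID are run through PBKDF2-HMAC-SHA1 with 4096 iterations to give the 256-bit pre-shared key (IEEE 802.11i). The SSID is the salt, which is why the guide insists all stations use the same SSID, and why an attacker who captures the WPA four-way handshake can guess passphrases offline: the salt is public and each guess costs only 4096 HMAC rounds. The SSID and passphrase checks mirror the limits the wizard states; the dictionary loop and its candidate list are constructed for the example.

```python
"""WPA-PSK derivation from a passphrase and SSID (IEEE 802.11i, PBKDF2-HMAC-SHA1).

Added example, not from the ZyXEL guide. Shows the key the wizard's manual
WPA-PSK option ends up installing, and the offline guessing attack that a
short passphrase allows once a handshake has been captured.
"""
import hashlib
from typing import List, Optional


def check_ssid(ssid: str) -> bytes:
    """The guide limits the SSID to 32 printable 7-bit ASCII characters."""
    raw = ssid.encode("ascii")  # raises UnicodeEncodeError for non-ASCII input
    if not 1 <= len(raw) <= 32 or not all(0x20 <= b <= 0x7E for b in raw):
        raise ValueError("SSID must be 1-32 printable ASCII characters")
    return raw


def check_passphrase(passphrase: str) -> bytes:
    """WPA passphrases are 8-63 printable ASCII characters."""
    raw = passphrase.encode("ascii")
    if not 8 <= len(raw) <= 63 or not all(0x20 <= b <= 0x7E for b in raw):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return raw


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", check_passphrase(passphrase),
                               check_ssid(ssid), 4096, 32)


def wpa_psk_hex(passphrase: str, ssid: str) -> str:
    """The 64 hex digits a client accepts as a raw (pre-hashed) PSK."""
    return wpa_psk(passphrase, ssid).hex()


def dictionary_attack(ssid: str, target_psk: bytes, candidates: List[str]) -> Optional[str]:
    """Offline guess loop an attacker runs against a captured handshake.

    Every candidate costs 4096 HMAC-SHA1 rounds and nothing else; a long,
    random passphrase is the only defence, because the SSID salt is public.
    """
    for guess in candidates:
        try:
            if wpa_psk(guess, ssid) == target_psk:
                return guess
        except ValueError:
            continue  # not a legal passphrase length, skip it
    return None


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE".
    print(wpa_psk_hex("password", "IEEE"))
    captured = wpa_psk("password", "IEEE")          # constructed: stands in for a sniffed handshake
    print(dictionary_attack("IEEE", captured, ["letmein1", "ZyXEL123", "password"]))
```

The hex form is what you would paste into a client that takes a raw PSK instead of a passphrase; two networks that share a passphrase but use different SSIDs still end up with different keys.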
nsitive (doesn't tolerate delay). CBR is used for connections that continuously require a specific amount of bandwidth. A PCR is specified and if traffic exceeds this rate, cells may be dropped. Examples of connections that need CBR would be high-resolution video and voice.

4.3.1.2 Variable Bit Rate (VBR)

The Variable Bit Rate (VBR) ATM traffic class is used with bursty connections. Connections that use the Variable Bit Rate (VBR) traffic class can be grouped into real-time (VBR-RT) or non-real-time (VBR-nRT) connections.

The VBR-RT (real-time Variable Bit Rate) type is used with bursty connections that require closely controlled delay and delay variation. It also provides a fixed amount of bandwidth (a PCR is specified) but is only available when data is being sent. An example of a VBR-RT connection would be video conferencing. Video conferencing requires real-time data transfers and the bandwidth requirement varies in proportion to the video image's changing dynamics.

The VBR-nRT (non-real-time Variable Bit Rate) type is used with bursty connections that do not require closely controlled delay and delay variation. It is commonly used for "bursty" traffic typical on LANs. PCR and MBS define the burst levels; SCR defines the minimum level. An example of a VBR-nRT connection would be non-time-sensitive data file transfers.

4.3.1.3 Unspecified Bit Rate (UBR)

The Unspecified Bit Rate (UBR) ATM traffic class is for bursty data transfers. However, U
........ 66
Table 22 Bandwidth Management Wizard: General Information ........ 67
Table 23 Bandwidth Management Wizard: Configuration ........ 68
Table 24 Internet Connection ........ 78
Table 25 Advanced Internet Connection ........ 80
Table 26 More Connections ........ 82
Table 27 More Connections Edit ........ 83
Table 28 More Connections Advanced Setup ........ 85
Table 29 WAN Backup Setup ........ 88
Table 31 Advanced LAN Setup ........ 95
Table 32 DHCP Setup ........ 97
Table 34 LAN IP Alias ........ 100
Table 35 Types of Encryption for Each Type of Authentication ........ 103
Table 36 Wireless LAN: General ........ 105
Table 38 Wireless: Static WEP Encryption ........ 107

List of Tables

Table 39 Wireless: WPA-PSK
nsported primarily over UDP but can also be transported over TCP, using the default port number 5060.
Telnet: Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments. It operates over TCP/IP networks. Its primary function is to allow users to log into remote host systems. Telnet uses TCP port 23.
TFTP: Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol).
WWW: The World Wide Web (WWW) is an Internet system to distribute graphical, hyper-linked information, based on Hyper Text Transfer Protocol (HTTP), a client/server protocol for the World Wide Web. The Web is not synonymous with the Internet; rather, it is just one service on the Internet. Other services on the Internet include Internet Relay Chat and Newsgroups. The Web is accessed through use of a browser.

To access this wizard, open the web configurator (see Section 2.2 on page 39) and click BANDWIDTH MANAGEMENT SETUP in the wizard main screen.

3.3.1 Screen 1

Activate bandwidth management and select to allocate bandwidth to packets based on the services.

Chapter 3 Wizards

Figure 34 Bandwidth Management Wizard: General Information
[Figure: STEP 1 / STEP 2 wizard screen, General Information, with a check box to apply bandwidth management to traffic going through the devic
nt further changes.

4. For statically assigned settings, do the following:
   - From the Configure box, select Manually.
   - Type your IP address in the IP Address box.
   - Type your subnet mask in the Subnet mask box.
   - Type the IP address of your ZyXEL Device in the Router address box.
5. Click Apply Now and close the window.
6. Turn on your ZyXEL Device and restart your computer (if prompted).

Verifying Settings

Check your TCP/IP properties in the Network window.

Linux

This section shows you how to configure your computer's TCP/IP settings in Red Hat Linux 9.0. Procedure, screens and file location may vary depending on your Linux distribution and release version.

Appendix A Setting up Your Computer's IP Address

Note: Make sure you are logged in as the root administrator.

Using the K Desktop Environment (KDE)

Follow the steps below to configure your computer IP address using the KDE.

1. Click the Red Hat button (located on the bottom left corner), select System Setting and click Network.

Figure 188 Red Hat 9.0: KDE: Network Configuration: Devices
[Figure: Network Configuration window with File, Profile and Help menus; New, Edit, Copy, Delete, Activate and Deactivate buttons; Devices, Hardware, DNS and Hosts tabs. The Devices tab notes that you may configure network devices associated with physical hardware here, and that multiple logical devices can be associated with a single piece of hardware.]
ntent: 192.168.2.12
Local IP Address: 192.168.2.12          Secure Gateway Address: telecommuter1.com
                                        Remote Address: 192.168.2.12

Telecommuter B (telecommuterb.dydns.org)   Headquarters ZyXEL Device Rule 2
Local ID Type: DNS                         Peer ID Type: DNS
Local ID Content: telecommuterb.com        Peer ID Content: telecommuterb.com
Local IP Address: 192.168.3.2              Secure Gateway Address: telecommuterb.com
                                           Remote Address: 192.168.3.2

Telecommuter C (telecommuterc.dydns.org)   Headquarters ZyXEL Device Rule 3
Local ID Type: E-mail                      Peer ID Type: E-mail
Local ID Content: myVPN@myplace.com        Peer ID Content: myVPN@myplace.com
Local IP Address: 192.168.4.15             Secure Gateway Address: telecommuterc.com
                                           Remote Address: 192.168.4.15

12.19 VPN and Remote Management

If a VPN tunnel uses Telnet, FTP or WWW, then you should configure remote management (Remote Management) to allow access for that service.

PART IV
Advanced

Static Route (207)
Bandwidth Management (211)
Dynamic DNS Setup (221)
Remote Management Configuration (225)
Universal Plug and Play (UPnP) (237)

Static Route

This chapter shows you how to configure static routes for your ZyXEL Device.

13.1 Static Route

The ZyXEL Device usually uses the default gateway to route outbound traffic from computers on the LAN to the Internet. To have the ZyXEL Device send data to devices n
o configure Internet access and wireless network settings (wireless devices only). See Section 3.1 on page 54. (INTERNET/WIRELESS SETUP)
BANDWIDTH MANAGEMENT SETUP: Click this if you want to configure basic bandwidth management. See Section 3.3 on page 65.
Exit: Click this to close the wizard main screen and return to the Status screen or the main window.

Chapter 3 Wizards

3.1 Internet Setup Wizard

Use these screens to configure Internet access and wireless network settings (wireless devices only). To access this wizard, click INTERNET/WIRELESS SETUP in the wizard main screen.

Wait while the device tries to detect your DSL connection and connection type.

Figure 18 Internet Setup Wizard: Connection Test
[Figure: "Connection Test in Progress. Please wait a moment (about 3 seconds)."]

The next screen depends on the results.

3.1.1 Automatic Detection

The ZyXEL Device detected the DSL connection and the Internet settings.

Figure 19 Internet Setup Wizard: Automatic Detection
[Figure: Internet Configuration screen showing the detected settings]

Click Next to continue to the next screen, or click Exit to close the wizard main screen and return to the Status screen or the main window.

3.1.2 Manual Configuration

The ZyXEL Device detected the DSL connection but not the Internet settings. You should specify the Inter
o detect the connection again. See Section 3.1 on page 54.
Exit: Click Exit to close the wizard screen without saving your changes.

This screen appears if your Internet connection uses PPPoA encapsulation.

Chapter 3 Wizards

Figure 25 Internet Setup Wizard: ISP Parameters (PPPoA)
[Figure: Internet Configuration screen with User Name and Password fields. Note on the screen: the device is automatically configured to obtain an IP address automatically; the ISP assigns you a different one each time you connect to the Internet.]

The following table describes the fields in this screen.

Table 15 Internet Setup Wizard: ISP Parameters (PPPoA)

LABEL: DESCRIPTION
User Name: Enter the user name exactly as your ISP assigned. If assigned a name in the form user@domain where domain identifies a service name, then enter both components exactly as given.
Password: Enter the password associated with the user name above.
Back: Click Back to go back to the previous screen.
Apply: Click Apply to finish manual configuration. The ZyXEL Device tries to detect the connection again. See Section 3.1 on page 54.
Exit: Click Exit to close the wizard screen without saving your changes.

No additional screen appears if your Internet connection uses RFC1483 encapsulation in bridge mode. In this case, the ZyXEL Device immediately tries to detect the connection again. See
obstructions on a sturdy wall.
2. Drill two holes for the screws.

Warning: Be careful to avoid damaging pipes or cables located inside the wall when drilling holes for the screws.

3. Do not insert the screws all the way into the wall. Leave a small gap of about 0.5 cm between the heads of the screws and the wall.
4. Make sure the screws are snugly fastened to the wall. They need to hold the weight of the ZyXEL Device with the connection cables.
5. Align the holes on the back of the ZyXEL Device with the screws on the wall. Hang the ZyXEL Device on the screws.

Figure 163 Wall-mounting Example

The following are dimensions of an M4 tap screw and masonry plug used for wall mounting. All measurements are in millimeters (mm).

Chapter 23 Product Specifications

Figure 164 Masonry Plug and M4 Tap Screw
[Figure: dimensioned drawing of the masonry plug and M4 tap screw, in mm]

23.3 Cable Pin Assignments

Table 119 Ethernet Cable Pin Assignments

WAN / LAN ETHERNET CABLE PIN LAYOUT

Straight-through (Switch to Adapter):
  1 IRD+  to  1 OTD+
  2 IRD-  to  2 OTD-
  3 OTD+  to  3 IRD+
  6 OTD-  to  6 IRD-

Crossover (Switch to Switch):
  Both ends use pins 1 IRD+, 2 IRD-, 3 OTD+ and 6 OTD-; the transmit pair (1, 2) on one end is crossed to the receive pair (3, 6) on the other.

PART VII
Appendices and Index
ocal IP addresses, then enter 0.0.0.0 as the Local Start IP address and 255.255.255.255 as the Local End IP address. This field is N/A for One-to-One and Server mapping types.
Global Start IP: This is the starting global IP address (IGA). Enter 0.0.0.0 here if you have a dynamic IP address from your ISP.
Global End IP: This is the ending global IP address (IGA). This field is N/A for One-to-One, Many-to-One and Server mapping types.
Server Mapping Set: Only available when Type is set to Server. Select a number from the drop-down menu to choose a server mapping set.
Edit Details: Click this link to go to the Port Forwarding screen to edit a server mapping set that you have selected in the Server Mapping Set field.
Back: Click Back to return to the previous screen.
Apply: Click Apply to save your changes back to the ZyXEL Device.
Cancel: Click Cancel to begin configuring this screen afresh.

PART II
Security

Firewalls (137)
Firewall Configuration (149)
Content Filtering (171)
Introduction to IPSec (175)
VPN Screens (181)

Firewalls

This chapter gives some background information on firewalls and introduces the ZyXEL Device firewall.

8.1 Firewall Overview

Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another. The networking term "firewall" is a system or group of systems that enforces an access control p
[Figure: Local Network and Remote Network connected through a VPN Tunnel between the ZyXEL Device ("My IP address") and the Remote IPSec Router ("Secure Gateway IP address")]

Local and remote IP addresses must be static.

Click Security and VPN to open the VPN Setup screen. This is a read-only menu of your IPSec rules (tunnels). The IPSec summary menu is read-only. Edit a VPN by selecting an index number and then configuring its associated submenus.

Chapter 12 VPN Screens

Figure 105 VPN Setup
[Figure: VPN Setup summary screen listing policies by index number, with Apply and Cancel buttons]

The following table describes the fields in this screen.

Table 72 VPN Setup

LABEL: DESCRIPTION
No.: This is the VPN policy index number. Click a number to edit VPN policies.
Active: This field displays whether the VPN policy is active or not. A Yes signifies that this VPN policy is active. No signifies that this VPN policy is not active.
Name: This field displays the identification name for this VPN policy.
Local Address: This is the IP address(es) of computer(s) on your local network behind your ZyXEL Device. The same (static) IP address is displayed twice when the Local Address Type field in the VPN IKE (or VPN Manual Key) screen is configured to Single. The beginning and ending (static) IP addresses, in a range of computers, are displayed when the Local Address Type field in the VPN IKE (or VPN Manual Key) screen is configured to Ran
Table 8 Status: Packet Statistics ........ 50
Table 10 Wizard Main Screen ........ 53
Table 11 Internet Setup Wizard: ISP Parameters ........ 56
Table 12 Internet Setup Wizard: ISP Parameters (Ethernet) ........ 57
Table 13 Internet Setup Wizard: ISP Parameters (PPPoE) ........ 57
Table 14 Internet Setup Wizard: ISP Parameters (RFC1483, Routing Mode) ........ 58
Table 15 Internet Setup Wizard: ISP Parameters (PPPoA) ........ 59
Table 16 Wireless LAN Setup Wizard 1 ........ 61
Table 17 Wireless LAN Setup Wizard 2 ........ 62
Table 18 Manually assign a WPA key ........ 63
Table 19 Manually assign a WEP key ........ 64
Table 20 Internet Setup Wizard: Summary ........ 65
Table 21 Media Bandwidth Management Setup: Services ........
of RFC 2236. The class D IP address is used to identify host groups and can be in the range 224.0.0.0 to 239.255.255.255. The address

Chapter 5 LAN Setup

224.0.0.0 is not assigned to any group and is used by IP multicast computers. The address 224.0.0.1 is used for query messages and is assigned to the permanent group of all IP hosts (including gateways). All hosts must join the 224.0.0.1 group in order to participate in IGMP. The address 224.0.0.2 is assigned to the multicast routers group.

The ZyXEL Device supports both IGMP version 1 (IGMP-v1) and IGMP version 2 (IGMP-v2). At start up, the ZyXEL Device queries all directly connected networks to gather group membership. After that, the ZyXEL Device periodically updates this information. IP multicasting can be enabled or disabled on the ZyXEL Device LAN and/or WAN interfaces in the web configurator (LAN, WAN). Select None to disable IP multicasting on these interfaces.

5.2.4 Any IP

Traditionally, you must set the IP addresses and the subnet masks of a computer and the ZyXEL Device to be in the same subnet to allow the computer to access the Internet (through the ZyXEL Device). In cases where your computer is required to use a static IP address in another network, you may need to manually configure the network settings of the computer every time you want to access the Internet via the ZyXEL Device.

With the Any IP feature and NAT enabled, the ZyXEL Device all
olicy between two networks. It may also be defined as a mechanism used to protect a trusted network from an untrusted network. Of course, firewalls cannot solve every security problem. A firewall is one of the mechanisms used to establish a network security perimeter in support of a network security policy. It should never be the only mechanism or method employed. For a firewall to guard effectively, you must design and deploy it appropriately. This requires integrating the firewall into a broad information security policy. In addition, specific policies must be implemented within the firewall itself.

Refer to Section 9.6 on page 154 to configure default firewall settings.
Refer to Section 9.7 on page 155 to view firewall rules.
Refer to Section 9.7.1 on page 157 to configure firewall rules.
Refer to Section 9.7.2 on page 160 to configure a custom service.
Refer to Section 9.10.3 on page 167 to configure firewall thresholds.

8.2 Types of Firewalls

There are three main types of firewalls:

- Packet Filtering Firewalls
- Application-level Firewalls
- Stateful Inspection Firewalls

8.2.1 Packet Filtering Firewalls

Packet filtering firewalls restrict access based on the source/destination computer network address of a packet and the type of application.

Chapter 8 Firewalls

8.2.2 Application-level Firewalls

Application-level firewalls restrict access by serving as proxies for external servers. Since
ommunications, both the sending device and the receiving device must use the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key (its effective strength is about 112 bits). As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. This implementation of AES uses a 128-bit key. AES is faster than 3DES.
Authentication Algorithm: Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA1 for maximum security.
SA Life Time (Seconds): Define the length of time before an IKE SA automatically renegotiates in this field. It may range from 60 to 3,000,000 seconds (almost 35 days). A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.
Key Group: You must choose a key group for phase 1 IKE setup. DH1 (default) refers to Diffie-Hellman Group 1, a 768-bit random number. DH2 refers to Diffie-Hellman Group 2, a 1024-bit random n
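A pre-commit check for the phase 1 settings described in this table, as an added example that is not part of the guide or the device's firmware. It enforces the screen's own ranges (algorithm names, the 60 to 3,000,000 second lifetime, DH group 1 or 2) and then grades the combination by its weakest component, so that the "minimal security" choices the table permits (DES, MD5, DH group 1, a short pre-shared key) are flagged before they are applied. The field names, the strength figures and the warning thresholds are this example's own assumptions.

```python
"""Sanity-check an IKE phase-1 proposal before committing it on the router.

Added example, not from the ZyXEL guide. Validates the ranges the VPN IKE
screen accepts and warns about choices that are legal on the device but
weak by current standards.
"""
from dataclasses import dataclass
from typing import List

# Approximate security strength in bits, used for the grading below.
ENCRYPTION_BITS = {"DES": 56, "3DES": 112, "AES": 128}   # 3DES: 168-bit key, ~112-bit strength
AUTH_BITS = {"MD5": 64, "SHA1": 80}                      # collision strength of the HMAC hash
DH_STRENGTH_BITS = {"DH1": 66, "DH2": 80}                # 768-bit and 1024-bit MODP, approx.

MIN_LIFETIME, MAX_LIFETIME = 60, 3_000_000  # seconds, the screen's range
MIN_PSK_CHARS = 20                          # assumed policy threshold for this example


@dataclass(frozen=True)
class Phase1Proposal:
    encryption: str
    authentication: str
    sa_lifetime: int
    key_group: str
    pre_shared_key: str


def validate(p: Phase1Proposal) -> List[str]:
    """Reasons the screen itself would reject the proposal (empty list = accepted)."""
    errors = []
    if p.encryption not in ENCRYPTION_BITS:
        errors.append(f"unknown encryption algorithm {p.encryption!r}")
    if p.authentication not in AUTH_BITS:
        errors.append(f"unknown authentication algorithm {p.authentication!r}")
    if not MIN_LIFETIME <= p.sa_lifetime <= MAX_LIFETIME:
        errors.append(f"SA lifetime {p.sa_lifetime} outside {MIN_LIFETIME}..{MAX_LIFETIME} s")
    if p.key_group not in DH_STRENGTH_BITS:
        errors.append(f"unknown key group {p.key_group!r}")
    if not p.pre_shared_key:
        errors.append("pre-shared key is empty")
    return errors


def weaknesses(p: Phase1Proposal) -> List[str]:
    """Warnings for settings the device accepts but a practitioner should not use."""
    warns = []
    if p.encryption == "DES":
        warns.append("DES (56-bit) is brute-forceable; use AES")
    if p.authentication == "MD5":
        warns.append("MD5 is deprecated for IKE; use SHA1 or better")
    if p.key_group == "DH1":
        warns.append("DH group 1 (768-bit) is breakable; use DH2 or larger")
    if len(p.pre_shared_key) < MIN_PSK_CHARS:
        warns.append("short pre-shared key: aggressive-mode IKE exposes it to offline guessing")
    if p.sa_lifetime > 86_400:
        warns.append("SA lifetime over one day delays key rotation")
    return warns


def strength_bits(p: Phase1Proposal) -> int:
    """A proposal is only as strong as its weakest component."""
    return min(ENCRYPTION_BITS[p.encryption], AUTH_BITS[p.authentication],
               DH_STRENGTH_BITS[p.key_group])


if __name__ == "__main__":
    weak = Phase1Proposal("DES", "MD5", 28800, "DH1", "zyxel")
    strong = Phase1Proposal("AES", "SHA1", 28800, "DH2", "correct horse battery staple 2024")
    for prop in (weak, strong):
        print(prop.encryption, validate(prop), weaknesses(prop), strength_bits(prop))
```

Run it against the settings you intend to type into the screen; a proposal that passes validate() but returns warnings from weaknesses() will build a tunnel, just not one you should trust.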
on your local network.

The most often used port numbers are shown in the following table. Please refer to RFC 1700 for further information about port numbers (RFC 1700 has since been replaced by the online IANA port number registry). Please also refer to the Supporting CD for more examples and details on port forwarding and NAT.

Table 51 Services and Port Numbers

SERVICES: PORT NUMBER
ECHO: 7
FTP (File Transfer Protocol): 21
SMTP (Simple Mail Transfer Protocol): 25
DNS (Domain Name System): 53
Finger: 79
HTTP (Hyper Text Transfer Protocol or WWW, Web): 80
POP3 (Post Office Protocol): 110
NNTP (Network News Transport Protocol): 119
SNMP (Simple Network Management Protocol): 161
SNMP trap: 162
PPTP (Point-to-Point Tunneling Protocol): 1723

7.4.3 Configuring Servers Behind Port Forwarding (Example)

Let's say you want to assign ports 21-25 to one FTP, Telnet and SMTP server (A in the example), port 80 to another (B in the example) and assign a default server IP address of 192.168.1.35 to a third (C in the example). You assign the LAN IP addresses and the ISP assigns the WAN IP address. The NAT network appears as a single host on the Internet.

Chapter 7 Network Address Translation (NAT) Screens

Figure 73 Multiple Servers Behind NAT Example
[Figure: LAN hosts A = 192.168.1.33, B = 192.168.1.34, C = 192.168.1.35 and D = 192.168.1.36 behind the ZyXEL Device at 192.168.1.1, which presents the single IP address assigned by the ISP to the Internet]
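The inbound lookup a SUA port forwarding set performs, applied to this example and to the NAT General and address mapping screens earlier in the chapter, as an added example that is not part of the guide or ZyXEL's firmware. A packet arriving on the single WAN address is handed to the inside server whose port range covers its destination port, otherwise to the default server, and is dropped when there is no default server. The WAN address is assumed (documentation range); the port-to-server assignments are those of Figure 73. The overlap check is this example's addition: the web configurator takes the first matching entry, so two sets that share a port silently hide one another. Remember also that a default server exposes every port the other rules do not claim, which is why the guide requires a firewall rule in addition to the NAT setup.

```python
"""Inbound NAT lookup for a SUA port forwarding set (servers A, B, C of Figure 73).

Added example, not from the ZyXEL guide. Models first-match port forwarding
with a default server, on a single public WAN address.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

WAN_IP = "203.0.113.5"  # assumed ISP-assigned address (documentation range)


@dataclass(frozen=True)
class ForwardRule:
    name: str
    start_port: int
    end_port: int
    server_ip: str

    def covers(self, port: int) -> bool:
        return self.start_port <= port <= self.end_port


class PortForwardingSet:
    def __init__(self, default_server: Optional[str] = None):
        self.rules: List[ForwardRule] = []
        self.default_server = default_server

    def add(self, rule: ForwardRule) -> None:
        """Reject malformed or overlapping ranges; first match would otherwise win silently."""
        if not 1 <= rule.start_port <= rule.end_port <= 65535:
            raise ValueError(f"bad port range in {rule.name}")
        for r in self.rules:
            if rule.start_port <= r.end_port and r.start_port <= rule.end_port:
                raise ValueError(f"{rule.name} overlaps {r.name}")
        self.rules.append(rule)

    def translate(self, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Return (inside_ip, port) for an inbound packet, or None to drop it."""
        if dst_ip != WAN_IP:
            return None  # SUA has exactly one public address; anything else is not ours
        for r in self.rules:
            if r.covers(dst_port):
                return (r.server_ip, dst_port)
        if self.default_server:
            return (self.default_server, dst_port)  # everything unclaimed lands on C
        return None


def build_example_set() -> PortForwardingSet:
    """The guide's assignment: 21-25 to A, 80 to B, default server C."""
    pf = PortForwardingSet(default_server="192.168.1.35")          # C
    pf.add(ForwardRule("FTP/Telnet/SMTP", 21, 25, "192.168.1.33"))  # A
    pf.add(ForwardRule("HTTP", 80, 80, "192.168.1.34"))             # B
    return pf


if __name__ == "__main__":
    pf = build_example_set()
    for port in (21, 23, 25, 80, 443, 3389):
        print(port, pf.translate(WAN_IP, port))
```

Note that ports 443 and 3389 both reach C: nothing in the forwarding set says C offers those services, so the firewall rule set, not NAT, is what decides whether they should be reachable.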
on your computer. Once your device is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes. The backup configuration file is useful if you need to return to your previous settings.
Restore Configuration
File Path: Enter the location of the file you want to upload, or click Browse... to find it.
Browse...: Click this to find the file you want to upload.

Chapter 20 Tools

Table 113 Configuration

LABEL: DESCRIPTION
Upload: Click this to restore the selected configuration file. See below for more information about this. Note: Do not turn off the device while configuration file upload is in progress.
Back to Factory Defaults
Reset: Click this to clear all user-entered configuration information and return the ZyXEL Device to its factory defaults. There is no warning screen. See Section 2.3 on page 42 for more information about resetting the ZyXEL Device.

Do not turn off the device while configuration file upload is in progress.

When the ZyXEL Device has finished restoring the selected configuration file, the following screen appears.

Figure 157 Configuration Upload Successful
[Figure: "Restore Configuration successful. The Router Is Rebooting Now. Please Wait..."]

The router will now reboot. As there will be no indication of when the process is complete, please wait for one m
onfiguring this screen afresh.

Chapter 14 Bandwidth Management

14.8.1 Rule Configuration

Click the Edit icon or select User define in the Service field to configure a bandwidth management rule. Use bandwidth rules to allocate specific amounts of bandwidth capacity (bandwidth budgets) to specific applications and/or subnets.

Figure 122 Bandwidth Management Rule Configuration
[Figure: Rule Configuration section with Active check box, Rule Name, BW Budget (Kbps), Priority (High) and Use All Managed Bandwidth check box; Filter Configuration section with Service (User defined), Destination Address, Destination Subnet Netmask, Destination Port, Source Address, Source Subnet Netmask, Source Port and Protocol; Apply and Cancel buttons]

The following table describes the labels in this screen.

Table 95 Bandwidth Management Rule Configuration

LABEL: DESCRIPTION
Rule Configuration
Active: Select this check box to have the ZyXEL Device apply this bandwidth management rule. Enable a bandwidth management rule to give traffic that matches the rule priority over traffic that does not match the rule. Enabling a bandwidth management rule also allows you to control the maximum amounts of bandwidth that can be used by traffic that matches the rule.
Rule Name: Use the auto-generated name or enter a descriptive name of up to 20 alphanumeric c
[Figure: Edit Rule screen for the example. Source Address: Address Type Any Address (Start IP 0.0.0.0, End IP 0.0.0.0, Subnet Mask 0.0.0.0), Source Address List: Any. Destination Address: Address Type Range Address, Start IP 10.0.0.10, End IP 10.0.0.15, Subnet Mask 0.0.0.0; Destination Address List: 10.0.0.10 - 10.0.0.15, with Add, Edit and Delete buttons. Service: Selected Services: MyService (TCP/UDP 123); Available Services include AIM/NEW-ICQ (TCP 5190), AUTH (TCP 113) and BGP (TCP 179); Edit Customized Services link. Schedule: Day to Apply: Everyday (Sun, Mon, Tue, Wed, Thu, Fri, Sat); Time of Day to Apply (24-Hour Format): All day, with Start and End hour/minute fields. Log: Log Packet Detail Information. Alert: Send Alert Message to Administrator When Matched. Apply and Cancel buttons.]

On completing the configuration procedure for this Internet firewall rule, the Rules screen should look like the following.

Rule 1 allows a "MyService" connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN.

Chapter 9 Firewall Configuration

Figure 95 Firewall Example: Rules: MyService
[Figure: Rules screen showing Firewall Rules Storage Space in Use, Packet Direction: WAN to LAN, "Create a new rule after rule number" with Add button, and rule 1: Active, Source Any, Destination 10.0.0.10 - 10.0.0.15, Service MyService (TCP/UDP 123), Action Permit]
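How the Rules screen above and the General screen's default actions combine, as an added example that is not the ZyXEL firmware's logic: per-direction default actions, ordered rules with first-match semantics, Any/Single/Range/Subnet address types, a customized service (protocol set plus port range) and a day/time schedule. The packet representation and the sample traffic are constructed for the example; the one rule configured is the guide's "MyService" rule (TCP/UDP 123 from any WAN address to LAN hosts 10.0.0.10 through 10.0.0.15).

```python
"""Evaluate firewall rules the way the Rules and General screens describe them.

Added example, not the ZyXEL firmware. First matching rule wins; otherwise
the packet direction's default action applies.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

DEFAULT_ACTION = {               # Figure 86, Firewall: General (example values)
    "WAN to LAN": "Drop",
    "LAN to WAN": "Permit",
    "WAN to WAN/Router": "Drop",
    "LAN to LAN/Router": "Permit",
}


@dataclass(frozen=True)
class AddressRange:
    """Single, Range or Subnet address type; 'Any' is modelled as None."""
    first: IPv4Address
    last: IPv4Address

    @classmethod
    def single(cls, ip: str) -> "AddressRange":
        return cls(IPv4Address(ip), IPv4Address(ip))

    @classmethod
    def subnet(cls, cidr: str) -> "AddressRange":
        net = IPv4Network(cidr, strict=False)
        return cls(net.network_address, net.broadcast_address)

    def contains(self, ip: str) -> bool:
        return self.first <= IPv4Address(ip) <= self.last


@dataclass(frozen=True)
class Service:
    name: str
    protocols: frozenset        # subset of {"TCP", "UDP"}
    start_port: int
    end_port: int

    def matches(self, proto: str, port: int) -> bool:
        return proto in self.protocols and self.start_port <= port <= self.end_port


@dataclass
class Rule:
    direction: str
    services: List[Service]
    action: str                                 # Permit, Drop or Reject
    source: Optional[AddressRange] = None       # None means Any
    destination: Optional[AddressRange] = None
    days: frozenset = frozenset(range(7))       # 0 = Mon .. 6 = Sun
    start_minute: int = 0                       # 24-hour clock, minutes since midnight
    end_minute: int = 24 * 60
    log: bool = False
    hits: int = field(default=0)

    def matches(self, pkt: dict) -> bool:
        if pkt["direction"] != self.direction:
            return False
        if self.source and not self.source.contains(pkt["src"]):
            return False
        if self.destination and not self.destination.contains(pkt["dst"]):
            return False
        if not any(s.matches(pkt["proto"], pkt["dport"]) for s in self.services):
            return False
        minute = pkt["hour"] * 60 + pkt["minute"]
        return pkt["weekday"] in self.days and self.start_minute <= minute < self.end_minute


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def decide(self, pkt: dict) -> str:
        """First matching rule wins; otherwise the direction's default action."""
        for rule in self.rules:
            if rule.matches(pkt):
                rule.hits += 1
                return rule.action
        return DEFAULT_ACTION[pkt["direction"]]


MY_SERVICE = Service("MyService", frozenset({"TCP", "UDP"}), 123, 123)
RULE_1 = Rule("WAN to LAN", [MY_SERVICE], "Permit",
              destination=AddressRange(IPv4Address("10.0.0.10"), IPv4Address("10.0.0.15")),
              log=True)


def packet(direction, src, dst, proto, dport, weekday=2, hour=10, minute=30) -> dict:
    """Constructed packet summary: the fields the rule engine looks at."""
    return dict(direction=direction, src=src, dst=dst, proto=proto, dport=dport,
                weekday=weekday, hour=hour, minute=minute)


if __name__ == "__main__":
    fw = Firewall([RULE_1])
    print(fw.decide(packet("WAN to LAN", "198.51.100.7", "10.0.0.12", "UDP", 123)))  # Permit
    print(fw.decide(packet("WAN to LAN", "198.51.100.7", "10.0.0.20", "UDP", 123)))  # Drop
    print(fw.decide(packet("WAN to LAN", "198.51.100.7", "10.0.0.12", "TCP", 22)))   # Drop
```

The order of rules matters because evaluation stops at the first match, which is what the "Create a new rule after rule number" control on the Rules screen is for.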
310. ...or inbound traffic is idle, and does not time out until the SA lifetime period expires. See Section 12.6 on page 185 on keep alive to have the ZyXEL Device renegotiate an IPSec SA when the SA lifetime expires, even if there is no traffic.

Figure 112 VPN: SA Monitor (screenshot: one entry, No. 1, Name aaa, Encapsulation Tunnel, IPSec Algorithm ESP DES SHA1; Disconnect and Refresh buttons)

The example entry above negotiates ESP with single DES. DES has a 56-bit key and is not adequate for a production tunnel; where the remote IPSec router supports 3DES or AES, select one of those instead.

The following table describes the fields in this screen.

Table 81 VPN: SA Monitor

No: This is the security association index number.
Name: This field displays the identification name for this VPN policy.
Encapsulation: This field displays Tunnel or Transport mode.
IPSec Algorithm: This field displays the security protocol, encryption algorithm and authentication algorithm used in each VPN tunnel.
Disconnect: Select one of the security associations, and then click Disconnect to stop that security association.
Refresh: Click Refresh to display the current active VPN connection(s).

12.17 Configuring Global Setting

To change your ZyXEL Device's global settings, click VPN and then Global Setting. The screen appears as shown.

Figure 113 VPN: Global Setting (screenshot: Windows Networking (NetBIOS over TCP/IP) with the check box Allow NetBIOS Traffic Through All IPSec Tunnels; Apply and Cancel buttons)

Chapter 12 VPN Screens

The following table
311. ...or the ZyXEL Device through the network. The ZyXEL Device supports SNMP version one (SNMPv1) and version two (SNMPv2). The next figure illustrates an SNMP management operation.

Note: SNMP is only available if TCP/IP is configured.

Figure 128 SNMP Management Model (diagram: one Manager exchanging messages with several Managed Devices, each running an Agent)

An SNMP-managed network consists of two main types of component: agents and a manager.

Chapter 16 Remote Management Configuration

An agent is a management software module that resides in a managed device (the ZyXEL Device). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions. It executes applications that control and monitor managed devices.

The managed devices contain object variables (managed objects) that define each piece of information to be collected about a device. Examples of variables include the number of packets received, node port status and so on. A Management Information Base (MIB) is a collection of managed objects. SNMP allows a manager and agents to communicate for the purpose of accessing these objects.

Because only SNMPv1 and SNMPv2 are supported, the sole credential is the community string, which travels in cleartext in every message; there is no SNMPv3 authentication or encryption on this device. Change the default community names, and restrict SNMP access to the management hosts that need it.

SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations:

Get: Allows t
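The request/response exchange above in working code, as an added example that is not ZyXEL's firmware code: it builds an SNMPv1 GetRequest for sysDescr.0 with hand-written BER encoding and then reads the community string straight back out of the bytes, which is the practical point of the cleartext caveat. The community name "public", the request-id and the target OID are assumed values chosen for the demonstration.

```python
"""SNMPv1 GetRequest: BER encoding and a cleartext-credential check.

Added example for this guide, not ZyXEL firmware code. Community string,
request-id and target OID are assumed values chosen for the demonstration.
"""

SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"   # MIB-2 sysDescr.0


def encode_length(n):
    """BER length field: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + encode_length(len(payload)) + payload


def encode_integer(value):
    """ASN.1 INTEGER in minimal two's-complement form (non-negative here)."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True)
    return tlv(0x02, body)


def encode_oid(dotted):
    """ASN.1 OBJECT IDENTIFIER: first two arcs packed into one byte, the
    rest base-128 with the continuation bit set on all but the last byte."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunks = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunks.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out += bytes(chunks)
    return tlv(0x06, bytes(out))


def build_get_request(community, oid, request_id=1):
    """Message ::= SEQUENCE { version INTEGER (0 = SNMPv1),
                              community OCTET STRING,
                              GetRequest-PDU [0] }"""
    varbind = tlv(0x30, encode_oid(oid) + tlv(0x05, b""))        # name + NULL value
    pdu = tlv(0xA0, encode_integer(request_id)
              + encode_integer(0)                                 # error-status
              + encode_integer(0)                                 # error-index
              + tlv(0x30, varbind))                               # VarBindList
    return tlv(0x30, encode_integer(0) + tlv(0x04, community.encode("ascii")) + pdu)


def community_from_wire(packet):
    """Recover the community string from a captured SNMPv1/v2c message.

    No key and no hash protect it: anyone who can sniff UDP/161 traffic
    learns the credential. Only short-form lengths are handled, which
    covers every message of this size.
    """
    if packet[0] != 0x30 or packet[1] >= 0x80:
        raise ValueError("not a short-form SNMP message")
    i = 2
    if packet[i] != 0x02:                        # version INTEGER
        raise ValueError("missing version")
    i += 2 + packet[i + 1]
    if packet[i] != 0x04:                        # community OCTET STRING
        raise ValueError("missing community")
    n = packet[i + 1]
    return packet[i + 2:i + 2 + n].decode("ascii")


if __name__ == "__main__":
    pkt = build_get_request("public", SYS_DESCR_0)
    print(pkt.hex())
    print("community visible on the wire:", community_from_wire(pkt))
```

Sending the packet to an agent is one `socket.sendto(pkt, (host, 161))` on a UDP socket; the agent's GetResponse comes back with tag 0xA2 and the same request-id, and the same `community_from_wire` reads the community out of that reply just as easily.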
312. ...performing diagnostics.

(previous LED row, continued) Red, On: Power to the ZyXEL Device is too low. Off: The system is not ready or has malfunctioned.

ETHERNET 1-4 (Green). On: The ZyXEL Device has a successful 10/100 Mb Ethernet connection. Blinking: The ZyXEL Device is sending/receiving data. Off: The LAN is not connected.

WLAN (Green, wireless devices only). On: The ZyXEL Device is ready, but is not sending/receiving data through the wireless LAN. Blinking: The ZyXEL Device is sending/receiving data through the wireless LAN. Off: The wireless LAN is not ready or has failed.

DSL (Green). On: The DSL line is up. Blinking: The ZyXEL Device is initializing the DSL line. Off: The DSL line is down.

INTERNET (Green). On: The Internet connection is up. Blinking: The ZyXEL Device is sending/receiving data. Off: The Internet connection is down.

1.6 Hardware Connection

Refer to the Quick Start Guide for information on hardware connection.

1.7 Splitters and Microfilters

This section describes how to connect ADSL splitters and microfilters. See your Quick Start Guide for details on other hardware connections.

Chapter 1 Getting To Know Your ZyXEL Device

1.7.1 Connecting a POTS Splitter

When you use the Full Rate (G.dmt) ADSL standard, you can use a POTS (Plain Old Telephone Service) splitter to separate the telephone and ADSL signals. This allows simultaneous Internet access and telephone service on th
313. ...ort

Status: This field displays Down (line is down) or Up (line is up or connected) if you're using Ethernet encapsulation, and Down (line is down), Up (line is up or connected), Idle (line (ppp) idle), Dial (starting to trigger a call) or Drop (dropping a call) if you're using PPPoE encapsulation. For the WLAN port (wireless devices only) it displays the transmission rate when WLAN is enabled or N/A when WLAN is disabled.
TxPkts: This field displays the number of packets transmitted on this port.
RxPkts: This field displays the number of packets received on this port.
Collisions: This is the number of collisions on this port.
Poll Interval(s): Type the time interval for the browser to refresh system statistics.
Set Interval: Click this button to apply the new poll interval you entered in the Poll Interval field above.
Stop: Click this button to halt the refreshing of the system statistics.

2.4.8 Changing Login Password

It is highly recommended that you periodically change the password for accessing the ZyXEL Device. If you didn't change the default one after you logged in, or you want to change to a new password again, click Maintenance > System to display the screen shown next.

Chapter 2 Introducing the Web Configurator

Figure 16 System General (screenshot: System Setup with System Name, Domain Name, Administrator Inactivity Timer in minutes (0 means no timeout), and the Pass
314. ...not reachable through the default gateway, use static routes.

For example, the next figure shows a computer (A) connected to the ZyXEL Device's LAN. The ZyXEL Device routes most traffic from A to the Internet through the default gateway (R1). You create one static route to connect to premium services offered by your ISP behind router R2. You create another static route to communicate with a separate network behind a router (R3) connected to the LAN.

Figure 116 Example of Static Routing Topology (diagram: computer A on the LAN, the ZyXEL Device, router R3 on the LAN side, routers R1 and R2 toward the Internet)

Chapter 13 Static Route

13.2 Configuring Static Route

Click Advanced > Static Route to open the Static Route screen.

Figure 117 Static Route (screenshot: Static Route Rules table with columns #, Active, Name, Destination, Gateway, Subnet Mask and Modify; Apply and Cancel buttons)

The following table describes the labels in this screen.

Table 85 Static Route

#: This is the number of an individual static route.
Active: This field shows whether this static route is active (Yes) or not (No).
Name: This is the name that describes or identifies this route.
Destination: This parameter specifies the IP network address of the final destination. Routing is
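The route selection described above (most traffic via the default gateway R1, premium services via R2, a separate network via R3) as an added example in Python, not code from the guide or from ZyXEL: a longest-prefix-match lookup over rules written the way the Static Route screen presents them, plus the check a practitioner wants before entering a route, that the gateway sits on a directly connected network. All addresses are assumed values for the demonstration.

```python
"""Static route selection: longest prefix match with a default gateway.

Added example for the topology described above; not ZyXEL code. Every
address here is an assumed value chosen for the demonstration.
"""
import ipaddress

# Networks the device is directly attached to (assumed LAN and WAN).
CONNECTED = [
    ipaddress.ip_network("192.168.1.0/24"),     # LAN, where computer A and R3 live
    ipaddress.ip_network("198.51.100.0/29"),    # WAN, where R1 and R2 live
]

# (destination, subnet mask, gateway, name), the columns of the Static Route screen.
ROUTE_RULES = [
    ("0.0.0.0",     "0.0.0.0",       "198.51.100.1", "default via R1"),
    ("203.0.113.0", "255.255.255.0", "198.51.100.2", "ISP premium via R2"),
    ("10.20.0.0",   "255.255.0.0",   "192.168.1.253", "branch LAN via R3"),
]


def unreachable_gateways(rules, connected=CONNECTED):
    """Names of rules whose gateway is on no directly connected network.

    Such a route can never be used: the device would need a second route
    just to reach the next hop.
    """
    return [name for _, _, gw, name in rules
            if not any(ipaddress.ip_address(gw) in net for net in connected)]


def build_table(rules):
    """Parse the rules and order them most specific first, so the first hit wins."""
    table = []
    for dest, mask, gw, name in rules:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        table.append((net, ipaddress.ip_address(gw), name))
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup(table, dst):
    """Return (route name, next hop) for dst, or None when nothing matches.

    With a 0.0.0.0/0 entry present, None can only happen on an empty table.
    """
    addr = ipaddress.ip_address(dst)
    for net, gateway, name in table:
        if addr in net:
            return name, str(gateway)
    return None


if __name__ == "__main__":
    bad = unreachable_gateways(ROUTE_RULES)
    print("unreachable gateways:", bad or "none")
    table = build_table(ROUTE_RULES)
    for dst in ("203.0.113.7", "10.20.5.5", "192.0.2.1"):
        print(dst, "->", lookup(table, dst))
```

The sort step is what makes the two static routes win over the 0.0.0.0/0 default: a /24 and a /16 are tried before the /0, exactly as the guide's topology intends.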
315. otes    These are how warnings and notes are shown in this User s Guide         lt  gt  Warnings tell you about things that could harm you or your device           BS Notes tell you other important information  for example  other things you may  need to configure or helpful tips  or recommendations        Syntax Conventions    The 661H HW may be referred to as the    ZyXEL Device   the    device     the    system    or  the    product    in this User   s Guide    Product labels  screen names  field labels and field choices are all in bold font    A key stroke is denoted by square brackets and uppercase text  for example   ENTER   means the    enter    or    return    key on your keyboard       Enter    means for you to type one or more characters and then press the  ENTER  key      Select    or    choose    means for you to use one of the predefined choices    A right angle bracket   gt    within a screen name denotes a mouse click  For example   Maintenance  gt  Log  gt  Log Setting means you first click Maintenance in the navigation  panel  then the Log sub menu and finally the Log Setting tab to get to that screen    Units of measurement may denote the    metric    value or the    scientific    value  For  example     k    for kilo may denote    1000    or    1024        M    for mega may denote    1000000     or    1048576    and so on        e g      is a Shorthand for    for instance   and       i e      means    that is    or    in other words         P 661H HW Series 
316. ...your ISP assigned. If assigned a name in the form user@domain, where domain identifies a service name, then enter both components exactly as given.
Password: Enter the password associated with the user name above.

Chapter 3 Wizards

Table 13 Internet Setup Wizard: ISP Parameters (PPPoE) (continued)

Service Name: Type the name of your PPPoE service here. Leave this field blank if your ISP did not provide you a PPPoE service name.
Back: Click Back to go back to the previous screen.
Apply: Click Apply to finish manual configuration. The ZyXEL Device tries to detect the connection again. See Section 3.1 on page 54.
Exit: Click Exit to close the wizard screen without saving your changes.

This screen appears if your Internet connection uses RFC 1483 encapsulation in routing mode.

Figure 24 Internet Setup Wizard: ISP Parameters (RFC 1483, Routing Mode) (screenshot: STEP 1 / STEP 2, Internet Configuration, IP Address 0.0.0.0; Back, Apply and Exit buttons)

The following table describes the fields in this screen.

Table 14 Internet Setup Wizard: ISP Parameters (RFC 1483, Routing Mode)

IP Address: Enter the static IP address provided by your ISP.
Back: Click Back to go back to the previous screen.
Apply: Click Apply to finish manual configuration. The ZyXEL Device tries t
317. ...out field.

Max Idle Timeout: Specify an idle time-out in the Max Idle Timeout field when you select Connect on Demand. The default setting is 0, which means the Internet session will not time out.
Apply: Click Apply to save the changes.
Cancel: Click Cancel to begin configuring this screen afresh.
Advanced Setup: Click this button to display the Advanced WAN Setup screen and edit more details of your WAN setup.

4.5.1 Configuring Advanced Internet Connection

To edit your ZyXEL Device's advanced WAN settings, click the Advanced Setup button in the Internet Connection screen. The screen appears as shown.

Chapter 4 WAN Setup

Figure 39 Advanced Internet Connection (screenshot: RIP & Multicast Setup with RIP Direction None, RIP Version, Multicast None; ATM QoS with ATM QoS Type UBR, Peak Cell Rate 0 cell/sec, Sustain Cell Rate 0 cell/sec, Maximum Burst Size 0 cells; Zero Configuration Yes; PPPoE Passthrough No; Apply and Cancel buttons)

The following table describes the labels in this screen.

Table 25 Advanced Internet Connection

RIP & Multicast Setup

RIP Direction: RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Leave it at None on the WAN unless your ISP specifically requires RIP: RIP version 1 carries no authentication, so accepting RIP updates from the Internet side lets any neighbor inject routes into the device. Select the RIP direction f
318. ...allows a computer to access the Internet without changing the network settings (such as IP address and subnet mask) of the computer, when the IP addresses of the computer and the ZyXEL Device are not in the same subnet. Whether a computer is set to use a dynamic or static (fixed) IP address, you can simply connect the computer to the ZyXEL Device and access the Internet.

The following figure depicts a scenario where a computer is set to use a static private IP address in the corporate environment. In a residential house where a ZyXEL Device is installed, you can still use the computer to access the Internet without changing the network settings, even when the IP addresses of the computer and the ZyXEL Device are not in the same subnet.

Figure 47 Any IP Example (diagram: a computer keeping its corporate address 192.168.10.1 connected to a ZyXEL Device whose LAN address is 192.168.1.1, and reaching the Internet through it)

The Any IP feature does not apply to a computer using either a dynamic IP address or a static IP address that is in the same subnet as the ZyXEL Device's IP address.

Chapter 5 LAN Setup

Note: You must enable NAT/SUA to use the Any IP feature on the ZyXEL Device.

5.2.4.1 How Any IP Works

Address Resolution Protocol (ARP) is a protocol for mapping an Internet Protocol address (IP address) to a physical machine address (also known as a Media Access Control or MAC address) on the local area network. The IP routing table is defined on IP Ethernet devic
319. ...p

Time Zone: Choose the time zone of your location. This sets the time difference between your time zone and Greenwich Mean Time (GMT).

Enable Daylight Saving: Daylight saving is a period from late spring to early fall when many countries set their clocks ahead of normal local time by one hour to give more daylight in the evening. Select this option if you use Daylight Saving Time.

Chapter 18 System

Table 109 System Time Setting (continued)

Start Date: Configure the day and time when Daylight Saving Time starts if you selected Enable Daylight Saving. The o'clock field uses the 24-hour format. Here are a couple of examples.

Daylight Saving Time starts in most parts of the United States on the first Sunday of April. Each time zone in the United States starts using Daylight Saving Time at 2 A.M. local time. So in the United States you would select First, Sunday, April and type 2 in the o'clock field. (This was the rule in force when the guide was written; since 2007 the United States starts Daylight Saving Time on the second Sunday of March and ends it on the first Sunday of November, so confirm the current rule for your region before entering it.)

Daylight Saving Time starts in the European Union on the last Sunday of March. All of the time zones in the European Union start using Daylight Saving Time at the same moment (1 A.M. GMT or UTC). So in the European Union you would select Last, Sunday, March. The time you type in the o'clock field depends on your time zone. In Germany, for instance, you would type 2 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1).

End Date: Configur
320. (screenshot, Windows Vista Network and Sharing Center: Tasks list with View computers and devices, Connect to a network, Set up a connection or network, Manage network connections, Diagnose and repair; the network map shows this computer (TWPC99111) and the Internet, status Not connected)

Appendix A Setting up Your Computer's IP Address

5 Right-click Local Area Connection and then click Properties.

Note: During this procedure, click Continue whenever Windows displays a screen saying that it needs your permission to continue.

Figure 179 Windows Vista: Network and Sharing Center (screenshot: Network Connections window, group LAN or High-Speed Internet, Local Area Connection selected with its context menu showing Collapse group, Expand all groups, Collapse all groups, Disable, Diagnose, Bridge Connections and Create Shortcut)

6 Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.

Figure 180 Windows Vista: Local Area Connection Properties (screenshot: Networking tab, Connect using Intel(R) PRO/1000 MT Desktop Connection; "This connection uses the following items" lists Client for Microsoft Networks, Network Monitor3 Driver, File and Printer Sharing for Microso
321. (remainder of the Firewall General screenshot: LAN to LAN/Router, Permit; Basic; Cancel)

The following table describes the labels in this screen.

Table 60 Firewall: General

Active Firewall: Select this check box to activate the firewall. The ZyXEL Device performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.

Bypass Triangle Route: Select this check box to have the ZyXEL Device firewall permit the use of triangle route topology on the network. See the appendix for more on triangle route topology.

Note: Allowing asymmetrical routes may let traffic from the WAN go directly to a LAN computer without passing through the router. See Section 9.5 on page 152 for more on triangle route topology and how to deal with this problem.

Packet Direction: This is the direction of travel of packets: LAN to LAN/Router, LAN to WAN, WAN to WAN/Router and WAN to LAN. Firewall rules are grouped based on the direction of travel of the packets to which they apply. For example, LAN to LAN/Router means packets traveling from a computer/subnet on the LAN to either another computer/subnet on the LAN interface of the ZyXEL Device or the ZyXEL Device itself.

Chapter 9 Firewall Configuration

Table 60 Firewall: General (continued)

Default Action: Use the drop-down list boxes to select the default actio
322. ...keep alive enabled in order for this feature to work.

NAT Traversal: This function is available if the VPN protocol is ESP. Select this check box if you want to set up a VPN tunnel when there are NAT routers between the ZyXEL Device and the remote IPSec router. The remote IPSec router must also enable NAT traversal, and the NAT routers have to forward UDP port 500 packets to the remote IPSec router behind the NAT router. If the device uses the standard NAT-T encapsulation (RFC 3947/3948), IKE and ESP move to UDP port 4500 once NAT is detected, so that port must be forwarded as well.

Chapter 12 VPN Screens

Table 78 Edit VPN Policies (continued)

Name: Type up to 32 characters to identify this VPN policy. You may use any character, including spaces, but the ZyXEL Device drops trailing spaces.

IPSec Key Mode: Select IKE or Manual from the drop-down list box. IKE provides more protection, so it is generally recommended. Manual is a useful option for troubleshooting if you have problems using IKE key management.

Negotiation Mode: Select Main or Aggressive from the drop-down list box. Multiple SAs connecting through a secure gateway must have the same negotiation mode. Prefer Main mode when you authenticate with a pre-shared key: Aggressive mode sends the peer identities unencrypted, and the PSK-based hash it exchanges can be captured and attacked offline.

Encapsulation Mode: Select Tunnel mode or Transport mode from the drop-down list box.

DNS Server (for IPSec VPN): If there is a private DNS server that services the VPN, type its IP address here. The ZyXEL Device assigns this additional DNS server to the ZyXEL Device's DHCP clients that have IP addresses in this IPSec rule's range of local addresses. A
323. ...up to 64 keywords are allowed. When you try to access a web page containing a keyword, you will get a message telling you that the content filter is blocking this request.

Apply: Click Apply to save your changes back to the ZyXEL Device.
Cancel: Click Cancel to return to the previously saved settings.

10.3 Configuring the Schedule

To set the days and times for the ZyXEL Device to perform content filtering, click Security > Content Filter > Schedule. The screen appears as shown.

Chapter 10 Content Filtering

Figure 99 Content Filter: Schedule (screenshot: Schedule with the choices Active Everyday to Block and Edit Daily to Block; one row per day, Monday through Sunday, each with an Active check box and a start and end time in hours and minutes; in the example Monday is active from 8 h 00 min to 17 h 30 min; Apply and Cancel buttons)

The following table describes the labels in this screen.

Table 68 Content Filter: Schedule

Schedule: Select Active Everyday to Block to make the content filtering active every day. Otherwise, select Edit Daily to Block and configure which days of the week (or every day) and which time of the day you want the content filtering to be active.
Active: Select the check box to have the content filtering active on the selected day.
Start Time
324. ...packet inspection allows packets traveling in the following directions:

• LAN to LAN/Router. This allows computers on the LAN to manage the ZyXEL Device and communicate between networks or subnets connected to the LAN interface.
• LAN to WAN.

By default, the ZyXEL Device's stateful packet inspection drops packets traveling in the following directions:

• WAN to LAN.
• WAN to WAN/Router. This prevents computers on the WAN from using the ZyXEL Device as a gateway to communicate with other computers on the WAN and/or managing the ZyXEL Device.

Chapter 9 Firewall Configuration

You may define additional rules and sets or modify existing ones, but please exercise extreme caution in doing so.

Note: If you configure firewall rules without a good understanding of how they work, you might inadvertently introduce security risks to the firewall and to the protected network. Make sure you test your rules after you configure them.

For example, you may create rules to:

• Block certain types of traffic, such as IRC (Internet Relay Chat), from the LAN to the Internet.
• Allow certain types of traffic, such as Lotus Notes database synchronization, from specific hosts on the Internet to specific hosts on the LAN.
• Allow everyone except your competitors to access a Web server.
• Restrict use of certain protocols, such as Telnet, to authorized users on the LAN.

These custom rules work by comparing the Source I
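The policy just described, and the "MyService" rule worked through earlier in this chapter (WAN to LAN, any source, destination 10.0.0.10 through 10.0.0.15, TCP/UDP 123, Permit), as one added Python example that is not ZyXEL's firmware code: the per-direction defaults, an ordered rule list where the first match wins, and a run over constructed packets that shows which ones the rule admits and which fall through to the default action. The sample addresses and packets are constructed for the demonstration.

```python
"""Firewall rule evaluation: per-direction defaults plus ordered custom rules.

Added example, not ZyXEL firmware. It models the default stateful-inspection
policy listed in the guide and the "MyService" rule from the Chapter 9 example
(WAN to LAN, any source, 10.0.0.10-10.0.0.15, TCP/UDP port 123, Permit).
Sample packets are constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass

# Default action per packet direction, as stated in the guide.
DEFAULT_ACTION = {
    "LAN to LAN/Router": "permit",
    "LAN to WAN": "permit",
    "WAN to LAN": "drop",
    "WAN to WAN/Router": "drop",
}

ANY = ("0.0.0.0", "255.255.255.255")      # the screen's "Any" address choice


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str
    src: tuple           # (first IP, last IP), inclusive; ANY for "Any"
    dst: tuple
    protocols: frozenset # subset of {"tcp", "udp"}
    ports: tuple         # (low, high) inclusive destination port range
    action: str          # "permit" or "drop"
    log: bool = False    # "Log Packet Detail Information" in the Edit Rule screen


def in_range(ip, rng):
    addr = int(ipaddress.ip_address(ip))
    return int(ipaddress.ip_address(rng[0])) <= addr <= int(ipaddress.ip_address(rng[1]))


def matches(rule, direction, src, dst, proto, dport):
    return (rule.direction == direction
            and in_range(src, rule.src) and in_range(dst, rule.dst)
            and proto in rule.protocols
            and rule.ports[0] <= dport <= rule.ports[1])


def evaluate(rules, direction, src, dst, proto, dport):
    """First matching rule wins; otherwise the direction's default applies.

    Returns (action, reason, log) so a caller can see which rule decided.
    """
    for number, rule in enumerate(rules, start=1):
        if matches(rule, direction, src, dst, proto, dport):
            return rule.action, f"rule {number} ({rule.name})", rule.log
    return DEFAULT_ACTION[direction], "default action", False


RULES = [
    Rule("MyService", "WAN to LAN", ANY, ("10.0.0.10", "10.0.0.15"),
         frozenset({"tcp", "udp"}), (123, 123), "permit", log=True),
]


def run_samples(rules=RULES):
    """Constructed packets; only the first should be admitted by the rule."""
    packets = [
        ("WAN to LAN", "198.51.100.9", "10.0.0.12", "udp", 123),     # in range, right port
        ("WAN to LAN", "198.51.100.9", "10.0.0.20", "udp", 123),     # host outside the range
        ("WAN to LAN", "198.51.100.9", "10.0.0.12", "tcp", 22),      # wrong service
        ("LAN to WAN", "10.0.0.12", "198.51.100.9", "tcp", 443),     # outbound: default permit
        ("WAN to WAN/Router", "198.51.100.9", "198.51.100.1", "tcp", 23),  # telnet at the router
    ]
    return [evaluate(rules, *packet)[:2] for packet in packets]


if __name__ == "__main__":
    for verdict in run_samples():
        print(verdict)
```

The guide's warning about testing rules is easy to act on with this shape: widen the MyService destination to ANY and rerun the samples, and the second packet flips to permit, which is exactly the kind of accidental exposure a test run should catch before the rule goes live.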
325. ...password 1234 to configure the wizards and the advanced features, or enter the default user password user to view the status only. Click Login to proceed to a screen asking you to change your password, or click Cancel to revert to the default password. Both defaults are widely known; change the admin password before the device is connected to the WAN, and choose something far longer than the one-character minimum the device accepts.

Figure 6 Password Screen (screenshot: P-661HW-D1, "Welcome to your router Configuration Interface", "Enter your password and press enter or click Login", Password field)

6 If you entered the user password, skip the next two steps and refer to Section 2.4.2 on page 45 for more information about the Status screen.

7 If you entered the admin password, it is highly recommended you change the default admin password. Enter a new password between 1 and 30 characters, retype it to confirm and click Apply; alternatively click Ignore to proceed to the main menu if you do not want to change the password now.

Note: If you do not change the password at least once, the following screen appears every time you log in with the admin password.

Chapter 2 Introducing the Web Configurator

Figure 7 Change Password at Login (screenshot: ZyXEL, "Use this screen to change the password")

8 The next screen depends on which password (admin or user) you used in step 5. Select Go to Wizard setup and click Apply to display the wizard main screen. Select Go to Advanced setup or View Device Status and click Apply to display the S
326. port Mode 178  Triangle 152   Triangle Route Solutions 153  Tunnel Mode 178    U    UBR  Unspecified Bit Rate  80  85  UDP ICMP Security 145    Universal Plug and Play 237  Application 237    UPnP 237  Forum 238  security issues 237    Upper Layer Protocols 144  145  User Name 222    V    VBR  Variable Bit Rate  80  85  Virtual Channel Identifier  VCI  74  virtual circuit  VC  74   Virtual Path Identifier  VPI  74  Virtual Private Network 175   VPI  amp  VCI 74   VPN 175   VPN Applications 176    W    WAN  Wide Area Network  73  WAN backup 87  WAN to LAN Rules 152    warranty 343  note 343    Web 226  Web Configurator 39  42  138  145  146  151       P 661H HW Series User s Guide    Ed    Index       web configurator 35   web configurator screen summary 43  WEP Encryption 108   WEP encryption 106   Wi Fi Multimedia QoS 117   Wi Fi Protected Access 331  wireless channel 274   wireless client WPA supplicants 333  wireless LAN 274   wireless security 274  327   WLAN    interference 325   security parameters 334  WPA 331   key caching 332   pre authentication 332   user authentication 332   vs WPA PSK 332   wireless client supplicant 333   with RADIUS application example 333  WPA2 331   user authentication 332   vs WPA2 PSK 332   wireless client supplicant 333   with RADIUS application example 333  WPA2 Pre Shared Key 331  WPA2 PSK 331  332   application example 333  WPA PSK 331  332   application example 333  WWW 122    Z    Zero configuration Internet access 77    ZyXEL s Firew
327. r      Upgrade your software regularly  Many older versions of software  especially web  browsers  have well known security deficiencies  When you upgrade to the latest versions   you get the latest patches and fixes    If you use    chat rooms  or IRC sessions  be careful with any information you reveal to  strangers    If your system starts exhibiting odd behavior  contact your ISP  Some hackers will set off  hacks that cause your system to slowly become unstable or unusable        P 661H HW Series User   s Guide    Chapter 8 Firewalls         Always shred confidential information  particularly about your computer  before throwing  it away  Some hackers dig through the trash of companies or individuals for information  that might help them in an attack     8 7 Packet Filtering Vs Firewall    Below are some comparisons between the ZyXEL Device s filtering and firewall functions     8 7 1 Packet Filtering       The router filters packets as they pass through the router s interface according to the filter  rules you designed      Packet filtering is a powerful tool  yet can be complex to configure and maintain   especially if you need a chain of rules to filter a service      Packet filtering only checks the header portion of an IP packet     8 7 1 1 When To Use Filtering     To block allow LAN packets by their MAC addresses      To block allow special IP packets which are neither TCP nor UDP  nor ICMP packets      To block allow both inbound  WAN to LAN  and outbound  LAN to 
328. ...r of a service to go to the Firewall Customized Services Config screen to configure or edit a customized service. See Section 9.7.3 on page 160 for more information.

Name: This is the name of your customized service.
Protocol: This shows the IP protocol (TCP, UDP or TCP/UDP) that defines your customized service.
Port: This is the port number or range that defines your customized service.
Back: Click Back to return to the Firewall Edit Rule screen.

9.7.3 Configuring A Customized Service

Click a rule number in the Firewall Customized Services screen to create a new custom port or edit an existing one. This action displays the following screen.

Chapter 9 Firewall Configuration

Refer to Section 8.1 on page 137 for more information.

Figure 90 Firewall: Configure Customized Services (screenshot: Config with Service Name and Service Type TCP; Port Configuration with Type Single or Port Range, Port Number, and From 0 To 0; Cancel and Delete buttons)

The following table describes the labels in this screen.

Table 64 Firewall: Configure Customized Services

Service Name: Type a unique name for your custom port.
Service Type: Choose the IP protocol (TCP, UDP or TCP/UDP) that defines your customized port from the drop-down list box.
Port Configuration
Type: Click Single to specify one port only or Range to specify a span of ports
329. ...r rest bandwidth.

The following table describes the labels in this screen.

Table 23 Bandwidth Management Wizard: Configuration

Active: Select an entry's Active check box to turn on bandwidth management for the service/application.

Service: These fields display the service names.

Priority: Select High, Mid or Low priority for each service to have your ZyXEL Device use that priority for traffic that matches the service. A service with High priority is given as much bandwidth as it needs. If you select services as having the same priority, then bandwidth is divided equally amongst those services. Services not specified in bandwidth management are allocated bandwidth after all specified services receive their bandwidth requirements. If the rules set up in this wizard are changed in Advanced > Bandwidth MGMT > Rule Setup, then the service priority radio button will be set to User Configured. The Advanced > Bandwidth MGMT > Rule Setup screen allows you to edit these rule configurations.

Auto classifier rest bandwidth: Select Auto classifier rest bandwidth to automatically allocate unbudgeted or rest bandwidth (unused bandwidth) to services based on the packet type.

Back: Click Back to go back to the previous wizard screen.
Apply: Click Apply to save your changes back to the ZyXEL Device.
Exit: Click Exit to close the wizard screen without saving your changes.
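The allocation rules in the Priority row above (High served first and given what it needs, equal priorities sharing equally, unspecified services getting what is left) carried out as an added Python example, not ZyXEL's scheduler: it hands out a managed bandwidth figure priority by priority and returns the unallocated remainder, which is the "rest bandwidth" the auto classifier option distributes. The service names and demands are assumed values.

```python
"""Priority-based bandwidth budgeting as described for the wizard.

Added example, not ZyXEL firmware. It applies the rules stated in the table:
High services are served first and get what they need, services of equal
priority share equally, and whatever is left (rest bandwidth) is returned for
the auto classifier. Service names and demands are assumed.
"""

PRIORITY_ORDER = ("High", "Mid", "Low")


def allocate(managed_kbps, services):
    """services: list of (name, priority, demand_kbps).

    Returns (allocation dict, rest_kbps). Within one priority group each
    service gets an equal share, except that no service is given more than
    it asks for; the surplus is re-offered to the others in the same group.
    """
    remaining = float(managed_kbps)
    allocation = {name: 0.0 for name, _, _ in services}
    for prio in PRIORITY_ORDER:
        pending = {name: demand for name, p, demand in services if p == prio}
        while pending and remaining > 0:
            share = remaining / len(pending)
            satisfied = [name for name, demand in pending.items() if demand <= share]
            if not satisfied:
                for name in pending:          # everyone is capped at the equal share
                    allocation[name] = share
                remaining = 0.0
                break
            for name in satisfied:            # fully served; release the surplus
                allocation[name] = float(pending.pop(name))
                remaining -= allocation[name]
    return allocation, remaining


SERVICES = [                 # assumed demands, in kbps
    ("VoIP", "High", 64),
    ("FTP", "Mid", 300),
    ("WWW", "Mid", 300),
    ("P2P", "Low", 500),
]


if __name__ == "__main__":
    for total in (512, 1000):
        alloc, rest = allocate(total, SERVICES)
        print(f"{total} kbps managed:", alloc, "rest:", rest)
```

With 512 kbps managed, VoIP takes its 64, the two Mid services split the remaining 448 evenly and P2P gets nothing; with 1000 kbps, both Mid services are fully served and P2P receives the 336 kbps that is left. Note that a Low priority service starves entirely whenever higher priorities consume the whole budget, which is the behaviour to want for bulk traffic and to avoid for anything interactive.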
330. ...r subnets, you need to "borrow" two host ID bits to give four possible combinations (00, 01, 10 and 11). The subnet mask is 26 bits (11111111.11111111.11111111.11000000) or 255.255.255.192.

Each subnet contains 6 host ID bits, giving 2^6 - 2 or 62 hosts for each subnet (a host ID of all zeroes is the subnet itself, all ones is the subnet's broadcast address).

Table 124 Subnet 1

IP Address (Decimal): 192.168.1. with last octet 0
IP Address (Binary): 11000000.10101000.00000001. with last octet 00000000
Subnet Mask (Binary): 11111111.11111111.11111111. with last octet 11000000
Subnet Address: 192.168.1.0; Lowest Host ID: 192.168.1.1
Broadcast Address: 192.168.1.63; Highest Host ID: 192.168.1.62

Appendix C IP Addresses and Subnetting

Table 125 Subnet 2

IP Address (Decimal): 192.168.1. with last octet 64
IP Address (Binary): 11000000.10101000.00000001. with last octet 01000000
Subnet Mask (Binary): 11111111.11111111.11111111. with last octet 11000000
Subnet Address: 192.168.1.64; Lowest Host ID: 192.168.1.65
Broadcast Address: 192.168.1.127; Highest Host ID: 192.168.1.126

Table 126 Subnet 3

IP Address (Decimal): 192.168.1. with last octet 128
IP Address (Binary): 11000000.10101000.00000001. with last octet 10000000
Subnet Mask (Binary): 11111111.11111111.11111111. with last octet 11000000
Subnet Address: 19
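The same split computed with plain bit arithmetic, as an added Python example that is not text from the guide: it borrows host bits from 192.168.1.0/24, derives each subnet's address, usable host range and broadcast address, and prints the dotted-binary form the tables use to show where the mask cuts. It generalizes the tables to any prefix and any number of borrowed bits.

```python
"""Subnetting by borrowing host bits, computed with plain bit arithmetic.

Added example that reproduces the four /26 subnets of 192.168.1.0/24 worked
through in the tables above, and works for any prefix and borrow count.
"""


def ip_to_int(dotted):
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def int_to_bin(n):
    """Dotted binary, the form the tables use to show where the mask cuts."""
    return ".".join(format((n >> shift) & 0xFF, "08b") for shift in (24, 16, 8, 0))


def mask_from_prefix(prefix):
    """Prefix length to a 32-bit mask, e.g. 26 -> 255.255.255.192."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def subnets(network, prefix, borrow):
    """Split network/prefix into 2**borrow equal subnets.

    Each entry gives the subnet address (host ID all zeroes), the lowest and
    highest usable host and the broadcast address (host ID all ones), plus
    the usable host count 2**host_bits - 2.
    """
    new_prefix = prefix + borrow
    if new_prefix > 30:
        raise ValueError("fewer than 2 usable hosts per subnet")
    base = ip_to_int(network) & mask_from_prefix(prefix)
    size = 1 << (32 - new_prefix)
    result = []
    for i in range(1 << borrow):
        net = base + i * size
        result.append({
            "subnet": int_to_ip(net),
            "lowest_host": int_to_ip(net + 1),
            "highest_host": int_to_ip(net + size - 2),
            "broadcast": int_to_ip(net + size - 1),
            "hosts": size - 2,
            "mask": int_to_ip(mask_from_prefix(new_prefix)),
        })
    return result


if __name__ == "__main__":
    print("mask:", int_to_bin(mask_from_prefix(26)))
    for s in subnets("192.168.1.0", 24, 2):
        print(s["subnet"], int_to_bin(ip_to_int(s["subnet"])),
              s["lowest_host"], s["highest_host"], s["broadcast"], s["hosts"])
```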
331. ...re an IKE SA automatically renegotiates in this field (Seconds). It may range from 60 to 3,000,000 seconds (almost 35 days).

A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, all users accessing remote resources are temporarily disconnected.

Encapsulation: Select Tunnel mode or Transport mode from the drop-down list box.

Perfect Forward Secrecy (PFS): Perfect Forward Secrecy (PFS) is disabled (NONE) by default in phase 2 IPSec SA setup. This allows faster IPSec setup, but is not so secure. Choose DH1 or DH2 from the drop-down list box to enable PFS. DH1 refers to Diffie-Hellman Group 1, a 768-bit modulus; DH2 refers to Diffie-Hellman Group 2, a 1024-bit modulus (more secure, yet slower). A 768-bit group is within reach of a well-resourced attacker and should not be relied on; enable PFS with DH2 whenever the remote peer supports it, so that a compromise of the phase 1 keys does not also expose earlier phase 2 traffic.

Apply: Click Apply to save your changes back to the ZyXEL Device and return to the VPN IKE screen.
Cancel: Click Cancel to return to the VPN IKE screen without saving your changes.

12.14 Manual Key Setup

Manual key management is useful if you have problems with IKE key management. Keep in mind that manual keys never rotate: the same encryption and authentication keys stay in use until you change them by hand, so treat Manual as a troubleshooting mode rather than a long-term configuration.

12.14.1 Security Parameter Index (SPI)

An SPI is used to distinguish different SAs terminating at the same destination and using the same IPSec protocol. This data allows for the multiplexing of SAs to a single gateway. The SPI (Security Parameter Index) along with a destination IP address uniquely identify a par
332. res against attacks. The best defense against hackers and crackers is information. Educate all employees about the importance of security and how to minimize risk. Produce lists like this one:

- DSL or cable modem connections are "always on" connections and are particularly vulnerable because they provide more opportunities for hackers to crack your system. Turn your computer off when not in use.
- Never give out a password or any sensitive information to an unsolicited telephone call or e-mail.
- Never e-mail sensitive information such as passwords, credit card information, etc., without encrypting the information first.
- Never submit sensitive information via a web page unless the web site uses secure connections. You can identify a secure connection by looking for a small "key" icon on the bottom of your browser (Internet Explorer 3.02 or better or Netscape 3.0 or better). If a web site uses a secure connection, it is safe to submit information. Secure web transactions are quite difficult to crack.
- Never reveal your IP address or other system networking information to people outside your company. Be careful of files e-mailed to you from strangers. One common way of getting BackOrifice on a system is to include it as a Trojan horse with other files.
- Change your passwords regularly. Also, use passwords that are not easy to figure out. The most difficult passwords to crack are those with upper and lower case letters, numbers and a symbol such as o
333. respond to itself.

7 A brute-force attack, such as a "Smurf" attack, targets a feature in the IP specification known as directed or subnet broadcasting, to quickly flood the target network with useless data. A Smurf hacker floods a router with Internet Control Message Protocol (ICMP) echo request packets (pings). Since the destination IP address of each packet is the broadcast address of the network, the router will broadcast the ICMP echo request packet to all hosts on the network. If there are numerous hosts, this will create a large amount of ICMP echo request and response traffic. If a hacker chooses to spoof the source IP address of the ICMP echo request packet, the resulting ICMP traffic will not only clog up the "intermediary" network, but will also congest the network of the spoofed source IP address, known as the "victim" network. This flood of broadcast traffic consumes all available bandwidth, making communications impossible.

Figure 81 Smurf Attack
[Figure: the attacker broadcasts "ping" packets with a spoofed source address to every host on the intermediary network; every host on the intermediary network responds by sending "ping" responses to every host on the victim network.]

Chapter 8 Firewalls

8.4.2.1 ICMP Vulnerability

ICMP is an error reporting protocol that works in concert with IP. The following ICMP types trigger an alert:

Table 57 ICMP Commands That Trigger Alerts
334. ress for the VPN tunnel when using dial backup or the LAN IP address when using traffic redirect. See the chapter on WAN for details on dial backup and traffic redirect.

Secure Gateway Address: Type the WAN IP address or the URL (up to 31 characters) of the IPSec router with which you're making the VPN connection.

Security Protocol

IPSec Protocol: Select ESP if you want to use ESP (Encapsulation Security Payload). The ESP protocol (RFC 2406) provides encryption as well as some of the services offered by AH. If you select ESP here, you must select options from the Encryption Algorithm and Authentication Algorithm fields (described next).

Encryption Algorithm: Select DES, 3DES or NULL from the drop-down list box.
When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. Select NULL to set up a tunnel without encryption. When you select NULL, you do not enter an encryption key.

Encapsulation Key (only with ESP): With DES, type a unique key 8 characters long. With 3DES, type a unique key 24 characters long. Any characters may be
335. rk a name. You will search for this name from your wireless clients.

[Screenshot: Wireless LAN Setup Wizard 1, with the Enable OTIST check box and the Setup Key field (default 01234567). On-screen note: Please type in a unique setup key. This key acts like a password to ensure only those wireless LAN devices you authorize are configured by OTIST. This key should not be the same as the router password (the password you use to log in to your ISP). You will need to remember this key to set up new devices via OTIST. Check here to set up a ZyAIR client adapter that supports OTIST.]

The following table describes the labels in this screen.

Table 16 Wireless LAN Setup Wizard 1
  LABEL         DESCRIPTION
  Active        Select the check box to turn on the wireless LAN.
  Enable OTIST  Select the check box to enable OTIST if you want to transfer your ZyXEL Device's SSID and WPA-PSK security settings to wireless clients that support OTIST and are within transmission range.
                You must also activate and start OTIST on the wireless client at the same time. The process takes three minutes to complete.
                Note: Enable OTIST only if your wireless clients support WPA and OTIST.
  Setup Key     Type an OTIST Setup Key of up to eight ASCII characters in length. Be sure to use the same OTIST Setup Key on the ZyXEL Device and wireless clients.
  Back          Click Back to display the previous screen.
  Next          Click Next to proceed to the next screen.
  Exit          Click Exit to close the wizard screen without saving.

3 Configure your wireless setti
336. rminal Access Controller Access-Control System.

  TELNET    TCP 23     Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments. It operates over TCP/IP networks. Its primary function is to allow users to log into remote host systems.
  TFTP      UDP 69     Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol).
  VDOLIVE   TCP 7000   Another videoconferencing solution.

Appendix E Common Services

Legal Information

Copyright

Copyright © 2007 by ZyXEL Communications Corporation.

The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation.

Published by ZyXEL Communications Corporation. All rights reserved.

Disclaimer

ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others. ZyXEL further reserves the right to make changes in any products described
337. rom Both, In Only, Out Only, None. When set to Both or Out Only, the ZyXEL Device will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets and will ignore any RIP packets received.

RIP Version: This field is enabled if RIP Direction is not None. The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyXEL Device sends (it recognizes both formats when receiving). RIP-1 is universally supported, but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M send the routing data in RIP-2 format, the difference being that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also.

Multicast: IGMP (Internet Group Multicast Protocol) is a network layer protocol used to establish membership in a multicast group. The ZyXEL Device supports both IGMP version 1 (IGMP-v1) and IGMP-v2. Select None to disable it.

ATM QoS

ATM QoS Type: Select CBR (Continuous Bit Rate) to specify fixed (always-on) bandwidth for voice or data
338. rt IP subnet mask.

Chapter 2 Introducing the Web Configurator

Table 4 Status Screen
  LABEL              DESCRIPTION
  Default Gateway    This is the IP address of the default gateway, if applicable.
  VPI/VCI            This is the Virtual Path Identifier and Virtual Channel Identifier that you entered in the Wizard or WAN screen.
  LAN Information
  IP Address         This is the LAN port IP address.
  IP Subnet Mask     This is the LAN port IP subnet mask.
  DHCP               This is the WAN port DHCP role: Server, Relay or None.
  WLAN Information (Wireless devices only)
  SSID               This is the descriptive name used to identify the ZyXEL Device in the wireless LAN.
  Channel            This is the channel number used by the ZyXEL Device now.
  Security           This displays the status of data encryption on the ZyXEL Device. (Security is not available if you entered the user password.)
  Firewall           This displays whether or not the ZyXEL Device's firewall is activated.
  Content Filter     This displays whether or not the ZyXEL Device's content filtering is activated.
  System Status
  System Uptime      This is the total time the ZyXEL Device has been on.
  Current Date/Time  This field displays your ZyXEL Device's present date and time.
  System Mode        This displays whether the ZyXEL Device is functioning as a router or a bridge.
  CPU Usage          This number shows how many kilobytes of the heap memory the ZyXEL Device
339. rule that blocks just certain users be more effective?

4 Does a rule that allows Internet users access to resources on the LAN create a security vulnerability? For example, if FTP ports (TCP 20, 21) are allowed from the Internet to the LAN, Internet users may be able to connect to computers with running FTP servers.

5 Does this rule conflict with any existing rules?

6 Once these questions have been answered, adding rules is simply a matter of plugging the information into the correct fields in the web configurator screens.

9.3.3 Key Fields For Configuring Rules

9.3.3.1 Action

Should the action be to Drop, Reject or Permit?

Note: "Drop" means the firewall silently discards the packet. "Reject" means the firewall discards packets and sends an ICMP destination-unreachable message to the sender.

9.3.3.2 Service

Select the service from the Service scrolling list box. If the service is not listed, it is necessary to first define it. See Appendix E on page 337 for more information on commonly used services.

9.3.3.3 Source Address

What is the connection's source address; is it on the LAN or WAN? Is it a single IP, a range of IPs or a subnet?

9.3.3.4 Destination Address

What is the connection's destination address; is it on the LAN or WAN? Is it a single IP, a range of IPs or a subnet?

9.4 Connection Direction

This section describes examples for firewall rules for connections going from LAN to WAN and from WAN to LAN
340. s

3 Right-click Local Area Connection and then click Properties.

Appendix A Setting up Your Computer's IP Address

Figure 170 Windows XP: Control Panel > Network Connections > Properties
[Screenshot: the Network Connections window, LAN or High-Speed Internet section, with the Local Area Connection context menu (Disable, Status, Repair, Bridge Connections, Create Shortcut, Rename, Properties).]

4 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and then click Properties.

Figure 171 Windows XP: Local Area Connection Properties
[Screenshot: the Local Area Connection Properties dialog (General, Authentication, Advanced tabs) showing the adapter, the items list including Client for Microsoft Networks and Internet Protocol (TCP/IP), and the description: Transmission Control Protocol/Internet Protocol. The default wide area network protocol that provides communication across diverse interconnected networks. Check box: Show icon in notification area when connected.]
341. s are:

Table 56 Common IP Ports
  21  FTP        53  DNS
  23  Telnet     80  HTTP
  25  SMTP      110  POP3

Chapter 8 Firewalls

8.4.2 Types of DoS Attacks

There are four types of DoS attacks:

1 Those that exploit bugs in a TCP/IP implementation.
2 Those that exploit weaknesses in the TCP/IP specification.
3 Brute-force attacks that flood a network with useless data.
4 IP Spoofing.

5 "Ping of Death" and "Teardrop" attacks exploit bugs in the TCP/IP implementations of various computer and host systems.
  - Ping of Death uses a "ping" utility to create an IP packet that exceeds the maximum 65,536 bytes of data allowed by the IP specification. The oversize packet is then sent to an unsuspecting system. Systems may crash, hang or reboot.
  - Teardrop attack exploits weaknesses in the re-assembly of IP packet fragments. As data is transmitted through a network, IP packets are often broken up into smaller chunks. Each fragment looks like the original IP packet except that it contains an offset field that says, for instance, "This fragment is carrying bytes 200 through 400 of the original (non-fragmented) IP packet." The Teardrop program creates a series of IP fragments with overlapping offset fields. When these fragments are reassembled at the destination, some systems will crash, hang, or reboot.

6 Weaknesses in the TCP/IP specification leave it open to "SYN Flood" and "LAND" attacks. These attacks
342. se wait for 3 minutes.

[Screenshot: "Auto Security in Process. Please wait a moment (about 149 seconds)."]

3 In the wireless client, you see this screen if it can't find an OTIST-enabled AP (with the same Setup key). Click OK to go back to the ZyXEL utility main screen.

Figure 65 No AP with OTIST Found
[Screenshot: "Please make sure you have ZyXEL g APs or wireless routers with OTIST function enabled." OK button.]

If there is more than one OTIST-enabled AP within range, you see a screen asking you to select one AP to get settings from.

6.5.3 Notes on OTIST

1 If you enabled OTIST in the wireless client, you see this screen each time you start the utility. Click Yes for it to search for an OTIST-enabled AP.

Figure 66 Start OTIST
[Screenshot: "Do you want to start OTIST function?" Yes/No buttons; check box "Don't show me this window again".]

2 If an OTIST-enabled wireless client loses its wireless connection for more than ten seconds, it will search for an OTIST-enabled AP for up to one minute. (If you manually have the wireless client search for an OTIST-enabled AP, there is no timeout; click Cancel in the OTIST progress screen to stop the search.)

3 When the wireless client finds an OTIST-enabled AP, you must still click Start in the AP OTIST web configurator screen or hold in the RESET button (for one to five seconds) for the AP to transfer settings.

4 If you change the SSID or the keys on the AP after using OTIST, you need to run OTIST again or enter them manually in the wireless cl
343. Tools

This chapter covers uploading new firmware, managing configuration and restarting your ZyXEL Device.

20.1 Firmware Upgrade

Find firmware at www.zyxel.com in a file that (usually) uses the system model name with a ".bin" extension, for example, "ZyXEL Device.bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes. After a successful upload, the system will reboot.

Only use firmware for your device's specific model. Refer to the label on the bottom of your device.

Click Maintenance > Tools to open the Firmware screen. Follow the instructions in this screen to upload firmware to your ZyXEL Device.

Figure 152 Firmware Upgrade
[Screenshot of the Firmware Upgrade screen. On-screen text: To upgrade the internal device firmware, browse to the location of the binary (.BIN) upgrade file and click Upload. Upgrade files can be downloaded from website. If the upgrade file is compressed (.ZIP file), you must first extract the binary (.BIN) file. In some cases, you may need to reconfigure. Fields: Current Firmware Version 3.40(4HH.0)b1 | 01/09/2006; File Path with Browse and Upload buttons.]

The following table describes the labels in this screen.

Table 112 Firmware Upgrade
  LABEL                     DESCRIPTION
  Current Firmware Version  This is the present Firmware version and the date created.
  File Path                 Type in the location of the file you want to upload in this field or click Browse... to find it.
344. client at the same time.

Chapter 6 Wireless LAN

6.5.1.2 Wireless Client

On your wireless client, start the ZyXEL utility and click the Adapter tab. Select the OTIST check box, enter the same Setup Key as your AP's and click Save.

Figure 61 Example Wireless Client OTIST Screen
[Screenshot: ZyXEL utility, Adapter tab (tabs: Link Info, Site Survey, Profile, Adapter), showing Transfer Rate: Fully Auto, Power Saving Mode: Disabled, the OTIST (One-Touch Intelligent Security Technology) check box, the Setup Key field and a Save button.]

6.5.2 Starting OTIST

Note: You must click Start in the AP OTIST web configurator screen and in the wireless client(s) Adapter screen all within three minutes (at the time of writing). You can start OTIST in the wireless clients and AP in any order but they must all be within range and have OTIST enabled.

1 In the AP, a web configurator screen pops up showing you the security settings to transfer. You can use the key in this screen to set up WPA-PSK encryption manually for non-OTIST devices in the wireless network. After reviewing the settings, click OK.

Figure 62 Security Key
[Screenshot: Microsoft Internet Explorer dialog showing the security key.]

Chapter 6 Wireless LAN

2 This screen appears while OTIST settings are being transferred. It closes when the transfer is complete.

Figure 63 OTIST in Progress (AP)
Figure 64 OTIST in Progress (Client)
[Screenshots: OTIST in progress, plea
345. set to Both or Out Only, the ZyXEL Device will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives; when set to None, it will not send any RIP packets and will ignore any RIP packets received.

Chapter 5 LAN Setup

5.4 DHCP Setup

Table 31 Advanced LAN Setup (continued)
  LABEL        DESCRIPTION
  RIP Version  This field is enabled if RIP Direction is not None. The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyXEL Device sends (it recognizes both formats when receiving). RIP-1 is universally supported, but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology. Both RIP-2B and RIP-2M send the routing data in RIP-2 format, the difference being that RIP-2B uses subnet broadcasting while RIP-2M uses multicasting. Multicasting can reduce the load on non-router machines since they generally do not listen to the RIP multicast address and so will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting, also.
  Multicast    IGMP (Internet Group Multicast Protocol) is a network layer protocol used to establish membership in a multicast group. The ZyXEL Device supports both IGMP version 1 (IGMP-v1) and IGMP-v2. Select None to disable it.
  Any
346. sfer service that operates on the Internet and over TCP/IP networks. A system running the FTP server accepts commands from a system running an FTP client. The service allows users to send commands to the server for uploading and downloading files. Select FTP from the drop-down list box to configure this bandwidth filter for FTP traffic.
H.323 is a standard teleconferencing protocol suite that provides audio, data and video conferencing. It allows for real-time point-to-point and multipoint communication between client computers over a packet-based network that does not provide a guaranteed quality of service. Select H.323 from the drop-down list box to configure this bandwidth filter for traffic that uses H.323.
Select User defined from the drop-down list box if you do not want to use a predefined application for the bandwidth class. When you select User defined, you need to configure at least one of the following fields (other than the Subnet Mask fields, which you only enter if you also enter a corresponding destination or source IP address).

Destination Address: Enter the destination IP address in dotted decimal notation.

Destination Subnet Netmask: Enter the destination subnet mask. This field is N/A if you do not specify a Destination Address. Refer to the appendices for more information on IP subnetting.

Destination Port: Enter the port number of the destination. See Table 96 on page 220 for some common services and port num
347. sholds

LABEL / DESCRIPTION

Denial of Service Thresholds: The ZyXEL Device measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute.

One Minute Low: This is the rate of new half-open sessions per minute that causes the firewall to stop deleting half-open sessions. The ZyXEL Device continues to delete half-open sessions as necessary, until the rate of new connection attempts drops below this number.

One Minute High: This is the rate of new half-open sessions per minute that causes the firewall to start deleting half-open sessions. When the rate of new connection attempts rises above this number, the ZyXEL Device deletes half-open sessions as required to accommodate new connection attempts.
For example, if you set the one minute high to 100, the ZyXEL Device starts deleting half-open sessions when more than 100 session establishment attempts have been detected in the last minute. It stops deleting half-open sessions when the number of session establishment attempts detected in a minute goes below the number set as the one minute low.

Maximum Incomplete Low: This is the number of existing half-open sessions that causes the firewall to stop deleting half-open sessions. The ZyXEL Device continues to delete half-open requests as necessary, until the numb
348. should be sent. If you select Weekly, then also specify which day of the week the E-mail should be sent. If you select When Log is Full, an alert is sent when the log fills up. If you select None, no log messages are sent.

Day for Sending Log: Use the drop-down list box to select which day of the week to send the logs.

Time for Sending Log: Enter the time of the day in 24-hour format (for example 23:00 equals 11:00 pm) to send the logs.

Clear log after sending mail: Select the check box to delete all the logs after the ZyXEL Device sends an E-mail of the logs.

Syslog Logging: The ZyXEL Device sends a log to an external syslog server.

Active: Click Active to enable syslog logging.

Syslog Server IP Address: Enter the server name or IP address of the syslog server that will log the selected categories of logs.

Log Facility: Select a location from the drop-down list box. The log facility allows you to log the messages to different files in the syslog server. Refer to the syslog server manual for more information.

Active Log and Alert

Log: Select the categories of logs that you want to record.

Send Immediate Alert: Select log categories for which you want the ZyXEL Device to send E-mail alerts immediately.

Apply: Click Apply to save your customized settings and exit this screen.

Cancel: Click Cancel to return to the previously saved settings.
349. (entry illegible) ... 77
(entry illegible) ... 78
4.5.1 Configuring Advanced Internet Connection ... 79
4.6 Configuring More Connections ... 81
4.6.1 More Connection Edit ... 82
4.6.2 Configuring More Connections Advanced Setup ... 85

Table of Contents

4.7 (entry illegible) ... 86
4.8 Configuring WAN Backup Setup ... 87
Chapter 5 LAN Setup ... 89
5.1 LAN Overview ... 89
5.1.1 LANs, WANs and The ZyXEL Device ... 89
5.1.2 DHCP Setup ... 90
5.1.3 DNS Server Address ... 90
5.1.4 DNS Server Address Assignment ... 90
(entry illegible) ... 91
5.1.5.1 IP Address and Subnet Mask ... 91
(entry illegible) ... 92
(entry illegible) ... 92
(entry illegible) ... 93
(entry illegible) ... 94
5.2.1 Configuring Advanced LAN Setup ... 95
(entry illegible)
350. some proxies support. See Section 8.5 on page 142 for more information on stateful inspection.

Firewalls, of one type or another, have become an integral part of standard security solutions for enterprises.

8.3 Introduction to ZyXEL's Firewall

The ZyXEL Device firewall is a stateful inspection firewall and is designed to protect against Denial of Service attacks when activated. The ZyXEL Device's purpose is to allow a private Local Area Network (LAN) to be securely connected to the Internet. The ZyXEL Device can be used to prevent theft, destruction and modification of data, as well as log events, which may be important to the security of your network. The ZyXEL Device also has packet filtering capabilities.

The ZyXEL Device is installed between the LAN and the Internet. This allows it to act as a secure gateway for all data passing between the Internet and the LAN.

The ZyXEL Device has one DSL/ISDN port and one Ethernet LAN port, which physically separate the network into two areas.
- The DSL/ISDN port connects to the Internet.
- The LAN (Local Area Network) port attaches to a network of computers, which needs security from the outside world. These computers will have access to Internet services such as e-mail, FTP, and the World Wide Web. However, "inbound access" will not be allowed unless you configure remote management or create a firewall rule to allow a remote host to use a specific service.

Chapter
351. splays the destination port number to which the application sends traffic.
Priority: This field displays the WMM QoS priority for traffic bandwidth.

Chapter 6 Wireless LAN

Table 46 Wireless LAN: QoS
  LABEL    DESCRIPTION
  Modify   Click the Edit icon to open the Application Priority Configuration screen. Modify an existing application entry or create an application entry in the Application Priority Configuration screen.
           Click the Remove icon to delete an application entry.
  Apply    Click Apply to save your changes back to the ZyXEL Device.
  Cancel   Click Cancel to reload the previous configuration for this screen.

6.8.2 Application Priority Configuration

To edit a WMM QoS application entry, click the edit icon under Modify. The following screen displays.

Figure: Application Priority Configuration
[Screenshot of the Application Priority Configuration screen with the Name, Service (E-Mail), Dest Port and Priority (Highest) fields and Apply/Cancel buttons.]

The following table describes the fields in this screen.

Table 47 Application Priority Configuration
  LABEL    DESCRIPTION
  Application Priority Configuration
  Name     Type a description of the application priority.
  Service  The following is a description of the applic
352. sponding bit in the IP address is part of the host ID.

The following example shows a subnet mask identifying the network number (in bold text) and host ID of an IP address (192.168.1.2 in decimal).

Table 120 IP Address Network Number and Host ID Example
                         1ST OCTET   2ND OCTET   3RD OCTET   4TH OCTET
  IP Address (Decimal)   192         168         1           2
  IP Address (Binary)    11000000    10101000    00000001    00000010
  Subnet Mask (Binary)   11111111    11111111    11111111    00000000
  Network Number         11000000    10101000    00000001
  Host ID                                                    00000010

By convention, subnet masks always consist of a continuous sequence of ones beginning from the leftmost bit of the mask, followed by a continuous sequence of zeros, for a total number of 32 bits.

Subnet masks can be referred to by the size of the network number part (the bits with a "1" value). For example, an "8-bit mask" means that the first 8 bits of the mask are ones and the remaining 24 bits are zeroes.

Appendix C IP Addresses and Subnetting

Subnet masks are expressed in dotted decimal notation just like IP addresses. The following examples show the binary and decimal notation for 8-bit, 16-bit, 24-bit and 29-bit subnet masks.

Table 121 Subnet Masks
                BINARY                                     DECIMAL
                1ST OCTET  2ND OCTET  3RD OCTET  4TH OCTET
  8-bit mask    11111111   00000000   00000000   00000000   255.0.0.0
  16-bit mask   11111111   11111111   00000000   00000000   255.255.0.0
  24-bit mask   11111111   11111111   11111111   0000000
353. ss network, you can choose no encryption, Static WEP, WPA-PSK, or WPA2-PSK.

Usually, you should set up the strongest encryption that every device in the wireless network supports. For example, suppose you have a wireless network with the ZyXEL Device. The ZyXEL Device does not have a local user database, and you do not have a RADIUS server. Therefore, there is no authentication. Suppose the wireless network has two devices. Device A only supports WEP, and device B supports WEP and WPA. Therefore, you should set up Static WEP in the wireless network.

Note: It is recommended that wireless networks use WPA-PSK, WPA, or stronger encryption. IEEE 802.1x and WEP encryption are better than none at all, but it is still possible for unauthorized wireless devices to figure out the original information pretty quickly.

Note: It is not possible to use WPA-PSK, WPA or stronger encryption with a local user database. In this case, it is better to set up stronger encryption with no authentication than to set up weaker encryption with the local user database.

Chapter 6 Wireless LAN

When you select WPA2 or WPA2-PSK in your ZyXEL Device, you can also select an option (WPA compatible) to support WPA as well. In this case, if some of the devices support WPA and some support WPA2, you should set up WPA2-PSK or WPA2 (depending on the type of wireless network login) and select the WPA compatible option in the ZyXEL Device.
...ss point (AP) or wireless router (we will refer to both as "AP" here) in order to associate with it. Traditionally this meant that you had to configure the settings on the AP and then manually configure the exact same settings on each wireless client.

OTIST (One-Touch Intelligent Security Technology) allows you to transfer your AP's SSID and WPA-PSK security settings to wireless clients that support OTIST and are within transmission range. You can also choose to have OTIST generate a WPA-PSK key for you if you didn't configure one manually.

Note: OTIST replaces the pre-configured wireless settings on the wireless clients.

6.5.1 Enabling OTIST

You must enable OTIST on both the AP and wireless client before you start transferring settings.

Note: The AP and wireless client(s) MUST use the same Setup key.

6.5.1.1 AP

You can enable OTIST using the RESET button or the web configurator.

Chapter 6 Wireless LAN

6.5.1.1.1 Reset button

If you use the RESET button, the default (01234567) or previously saved (through the web configurator) Setup key is used to encrypt the settings that you want to transfer. Because the default Setup key is printed in this guide, set your own Setup key in the web configurator before transferring settings; otherwise anyone in range who knows the default can decrypt the transferred WPA-PSK.

Hold in the RESET button for one to five seconds.

Note: If you hold in the RESET button too long, the device will reset to the factory defaults.

6.5.1.1.2 Web Configurator

Click Network > Wireless LAN > OTIST. The following screen displays.

Figure 60 Wireless LAN
...standards developed by working group 11 of the IEEE LAN/MAN Standards Committee (IEEE 802).
IEEE 802.11b               Uses the 2.4 gigahertz (GHz) band
IEEE 802.11g               Uses the 2.4 gigahertz (GHz) band
IEEE 802.11g               Turbo and Super G modes
IEEE 802.11e QoS           IEEE 802.11e Wireless LAN for Quality of Service
ANSI T1.413, Issue 2       Asymmetric Digital Subscriber Line (ADSL) standard
G.dmt (G.992.1)            G.992.1 Asymmetrical Digital Subscriber Line (ADSL) Transceivers
ITU G.992.1 (G.DMT)        ITU standard for ADSL using discrete multitone modulation
ITU G.992.2 (G.lite)       ITU standard for ADSL using discrete multitone modulation
ITU G.992.3 (G.dmt.bis)    ITU standard (also referred to as ADSL2) that extends the capability of basic ADSL in data rates
ITU G.992.4 (G.lite.bis)   ITU standard (also referred to as ADSL2) that extends the capability of basic ADSL in data rates
ITU G.992.5 (ADSL2+)       ITU standard (also referred to as ADSL2+) that extends the capability of basic ADSL by doubling the number of downstream bits
TR-069 (P-661H only)       TR-069 DSL Forum Standard for CPE WAN Management

Chapter 23 Product Specifications

23.2 Wall-mounting Instructions

Complete the following steps to hang your ZyXEL Device on a wall.

Note: See Table 116 on page 275 for the size of screws to use and how far apart to place them.

1 Select a position free of
...static) IP address on the network behind the remote IPSec router. When the Remote Address Type field is configured to Range, enter the beginning (static) IP address in a range of computers on the network behind the remote IPSec router. When the Remote Address Type field is configured to Subnet, enter a (static) IP address on the network behind the remote IPSec router.

End / Subnet Mask    When the Remote Address Type field is configured to Single, this field is N/A. When the Remote Address Type field is configured to Range, enter the end (static) IP address in a range of computers on the network behind the remote IPSec router. When the Remote Address Type field is configured to Subnet, enter a subnet mask on the network behind the remote IPSec router.

Address Information

Local ID Type    Select IP to identify this ZyXEL Device by its IP address. Select DNS to identify this ZyXEL Device by a domain name. Select E-mail to identify this ZyXEL Device by an e-mail address.

Content    When you select IP in the Local ID Type field, type the IP address of your computer in the local Content field. The ZyXEL Device automatically uses the IP address in the My IP Address field (refer to the My IP Address field description) if you configure the local Content field to 0.0.0.0 or leave it blank. It is recommended that you type an IP address other than 0.0.0.0 in the local Content field or use the DNS or E-mail ID type in the following situations: When t
[Figure: Firewall Edit Rule screen (continued). Service list with Edit, Delete, Selected Services, Add>> and Remove; Day to Apply (Everyday, Sun, Mon, Tue, Wed, Thu, Fri, Sat); Time of Day to Apply (24-Hour Format): All day, Start hour/minute, End hour/minute; Log: Log Packet Detail Information; Alert: Send Alert Message to Administrator When Matched; Apply, Cancel.]

Chapter 9 Firewall Configuration

The following table describes the labels in this screen.

Table 62 Firewall: Edit Rule
LABEL    DESCRIPTION

Active    Select this option to enable this firewall rule.

Action for Matched Packet    Use the drop-down list box to select what the firewall is to do with packets that match this rule.
Select Drop to silently discard the packets without sending a TCP reset packet or an ICMP destination-unreachable message to the sender.
Select Reject to deny the packets and send a TCP reset packet (for a TCP packet) or an ICMP destination-unreachable message (for a UDP packet) to the sender.
Select Permit to allow the passage of the packets.

Source/Destination Address

Address Type    Do you want your rule to apply to packets with a particular (single) IP address, a range of IP addresses (e.g., 192.168.1.10 to 192.168.1.50), a subnet or any IP address? Select an option from the drop-down list box that includes: Single Address, Range Address, Subnet Address and Any Address.

Start
...(ESS) consists of a series of overlapping BSSs, each containing an access point, with the access points connected together by a wired network. This wired connection between APs is called a Distribution System (DS). This type of wireless LAN topology is called an Infrastructure WLAN. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood.

An ESSID (ESS IDentification) uniquely identifies each ESS. All access points and their associated wireless clients within the same ESS must have the same ESSID in order to communicate.

Appendix D Wireless LANs

Figure 215 Infrastructure WLAN

Channel

A channel is the radio frequency (or frequencies) used by wireless devices to transmit and receive data. Channels available depend on your geographical area. You may have a choice of channels (for your region), so you should use a channel different from an adjacent AP (access point) to reduce interference. Interference occurs when radio signals from different access points overlap, degrading performance.

Adjacent channels partially overlap, however. To avoid interference due to overlap, your AP should be on a channel at least five channels away from a channel that an adjacent AP is using. For example, if your region has 11 channels and an adjacent AP is using channel 1, then you need to select a channel between 6 and 11.
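The five-channel rule is easy to apply by hand for one neighbouring AP; with several neighbours it is worth computing, because the clean set can shrink to one channel or to none. The following is an added example for this guide, not ZyXEL code: given the channel numbers a region allows and the channels adjacent APs are using, it lists the channels that satisfy the rule against every neighbour and picks the one farthest from its nearest neighbour. The region list of channels 1 to 11 is constructed for the example, and the "farthest from the nearest neighbour" tie-break is this example's own choice, not something the guide prescribes.

```python
"""Channel choice for the 2.4 GHz band following the five-channel rule in Appendix D.
Added example for this guide, not ZyXEL code. Channel numbers are the regulatory
channel indexes (1-11 in the constructed example region), not frequencies."""

MIN_SEPARATION = 5  # "at least five channels away" from an adjacent AP


def usable_channels(region_channels, neighbour_channels, separation=MIN_SEPARATION):
    """Channels of the region at least `separation` away from every neighbouring AP's channel."""
    return [c for c in region_channels
            if all(abs(c - n) >= separation for n in neighbour_channels)]


def best_channel(region_channels, neighbour_channels, separation=MIN_SEPARATION):
    """The usable channel farthest from its nearest neighbour (lowest number on a tie).
    None means every channel overlaps with some neighbour: interference is unavoidable
    and the fix is moving an AP or sharing a channel, not picking a different one."""
    usable = usable_channels(region_channels, neighbour_channels, separation)
    if not usable:
        return None

    def distance(c):
        return min((abs(c - n) for n in neighbour_channels), default=separation)

    return max(usable, key=lambda c: (distance(c), -c))


REGION_11 = list(range(1, 12))  # constructed: a region that allows channels 1-11

if __name__ == "__main__":
    for neighbours in ([1], [1, 11], [1, 6, 11]):
        print(neighbours, "->", usable_channels(REGION_11, neighbours), best_channel(REGION_11, neighbours))
```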
[Figure: Internet Connection screen (continued): Apply, Cancel, Advanced Setup.]

The following table describes the labels in this screen.

Table 24 Internet Connection
LABEL    DESCRIPTION

General

Name    Enter the name of your Internet Service Provider, e.g., MyISP. This information is for identification purposes only.

Mode    Select Routing (default) from the drop-down list box if your ISP allows multiple computers to share an Internet account. Otherwise select Bridge.

Encapsulation    Select the method of encapsulation used by your ISP from the drop-down list box. Choices vary depending on the mode you select in the Mode field.
If you select Bridge in the Mode field, select either PPPoA or RFC 1483.
If you select Routing in the Mode field, select PPPoA, RFC 1483, ENET ENCAP or PPPoE.

User Name    (PPPoA and PPPoE only) Enter the user name exactly as your ISP assigned. If assigned a name in the form user@domain where domain identifies a service name, then enter both components exactly as given.

Password    (PPPoA and PPPoE only) Enter the password associated with the user name above.

Chapter 4 WAN Setup

Table 24 Internet Connection (continued)
LABEL    DESCRIPTION

Service Name    (PPPoE only) Type the name of your PPPoE service here.

Multiplexing    Select the method of multiplexing used by your ISP from the drop-down list. Choices are VC or LLC.

Virtual Circuit ID

VPI    (Virtual Path Identi
...t Example

[Figure: Customized Services Config screen. Service Name: MyService; Service Type: TCP/UDP; Port Configuration: Type Single, Port Number From 123 To 123; Apply, Cancel, Delete.]

7 Select Any in the Destination Address box and then click Delete.

8 Configure the destination address screen as follows and click Add.

Chapter 9 Firewall Configuration

Figure 93 Firewall Example: Edit Rule: Destination Address

[Figure: Edit Rule 1, Active. Source Address: Address Type Any Address, Start IP 0.0.0.0, End IP 0.0.0.0, Subnet Mask 0.0.0.0. Destination Address: Address Type Range Address, Start IP 10.0.0.10, End IP 10.0.0.15, Subnet Mask 0.0.0.0. Action for Matched Packets: Permit. Source Address List: (empty). Destination Address List: 10.0.0.10 - 10.0.0.15.]

9 Use the Add>> and Remove buttons between the Available Services and Selected Services list boxes to configure it as follows. Click Apply when you are done.

Note: Custom services show up with an "*" before their names in the Services list box and the Rules list box.

Chapter 9 Firewall Configuration

Figure 94 Firewall Example: Edit Rule: Select Customized Services

[Figure: Edit Rule 2, Active. Action for Matched Packets: Permit. Source Address: Address Type Any Address, Start IP
...t Subnet to specify IP addresses on a network by their subnet mask.

IP Address Start    When the Remote Address Type field is configured to Single, enter a (static) IP address on the network behind the remote IPSec router. When the Remote Address Type field is configured to Range, enter the beginning (static) IP address in a range of computers on the network behind the remote IPSec router. When the Remote Address Type field is configured to Subnet, enter a (static) IP address on the network behind the remote IPSec router.

End / Subnet Mask    When the Remote Address Type field is configured to Single, this field is N/A. When the Remote Address Type field is configured to Range, enter the end (static) IP address in a range of computers on the network behind the remote IPSec router. When the Remote Address Type field is configured to Subnet, enter a subnet mask on the network behind the remote IPSec router.

Address Information

Chapter 12 VPN Screens

Table 80 VPN: Manual Key (continued)
LABEL    DESCRIPTION

My IP Address    Enter the WAN IP address of your ZyXEL Device. The VPN tunnel has to be rebuilt if this IP address changes.
The following applies if this field is configured as 0.0.0.0:
The ZyXEL Device uses the current ZyXEL Device WAN IP address (static or dynamic) to set up the VPN tunnel.
If the WAN connection goes down, the ZyXEL Device uses the dial backup IP add
...t number of empty rules. For example, if you have already configured rules 1 to 6 in your current set and now you configure rule number 9, the new rule will be rule 7, not 9, in the set summary screen. Now if you delete rule 4, rules 5 to 7 will be pushed up by one rule, so old rules 5, 6 and 7 become new rules 4, 5 and 6.

To change your ZyXEL Device's address mapping settings, click Network > NAT > Address Mapping to open the following screen.

Figure 76 Address Mapping Rules

[Figure: Address Mapping Rules table with columns #, Local Start IP, Local End IP, Global Start IP, Global End IP, Type, Modify; rule 1 shown with Type Server, remaining rules empty.]

The following table describes the fields in this screen.

Table 54 Address Mapping Rules
LABEL    DESCRIPTION

#    This is the rule index number.

Local Start IP    This is the starting Inside Local IP Address (ILA). Local IP addresses are N/A for Server port mapping.

Local End IP    This is the end Inside Local IP Address (ILA). If the rule is for all local IP addresses, then this field displays 0.0.0.0 as the Local Start IP address and 255.255.255.255 as the Local End IP address. This field is N/A for One-to-one and Server mapping types.

Global Start IP    This is the starting Inside Global IP Address (IGA). Enter 0.0.0.0 here if you have a dynamic IP address from your ISP. You can only do this for Many-to-One and Server mapping types.

Global End IP    This is the endin
...t set up user names and passwords for your users.

1. Some wireless devices, such as scanners, can detect wireless networks but cannot use wireless networks. These kinds of wireless devices might not have MAC addresses.
2. Hexadecimal characters are 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, and F.

Chapter 6 Wireless LAN

Unauthorized wireless devices can still see the information that is sent in the wireless network, even if they cannot use the wireless network. Furthermore, there are ways for unauthorized wireless users to get a valid user name and password. Then, they can use that user name and password to use the wireless network.

Local user databases also have an additional limitation that is explained in the next section.

6.2.4 Encryption

Wireless networks can use encryption to protect the information that is sent in the wireless network. Encryption is like a secret code. If you do not know the secret code, you cannot understand the message.

The types of encryption you can choose depend on the type of authentication. (See Section 6.2.3 on page 102 for information about this.)

Table 35 Types of Encryption for Each Type of Authentication
            NO AUTHENTICATION    RADIUS SERVER
Weakest     No Security          WPA
            Static WEP
            WPA-PSK
Strongest   WPA2-PSK             WPA2

For example, if the wireless network has a RADIUS server, you can choose WPA or WPA2. If users do not log in to the wirele
...tatus

[Figure: Internet Connection Status window. General: Internet Gateway; Status: Connected; Duration: 00:00:56; Speed: 100.0 Mbps. Activity: Internet, Internet Gateway, My Computer; Packets Sent: 8, Received: 5,943.]

Web Configurator Easy Access

With UPnP, you can access the web-based configurator on the ZyXEL Device without finding out the IP address of the ZyXEL Device first. This is helpful if you do not know the IP address of the ZyXEL Device.

Follow the steps below to access the web configurator.

1 Click Start and then Control Panel.

2 Double-click Network Connections.

3 Select My Network Places under Other Places.

Chapter 17 Universal Plug and Play (UPnP)

Figure 145 Network Connections

[Figure: Windows XP Network Connections window. Internet Gateway: Internet Connection (Disabled). LAN or High-Speed Internet: Local Area Connection (Enabled, Accton EN1207D-TX PCI Fast Ethernet). Network Tasks: Create a new connection; Set up a home or small office network. See Also: Network Troubleshooter. Other Places: Control Panel, My Network Places, My Documents, My Computer. Details: Network Connections, System Folder.]

4 An icon with the description for e
...tatus screen. Select Change Password if you want to change the user password.

Figure 8 Select a Mode

[Figure: "Please select Wizard or Advanced mode."]

Note: The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires (default five minutes). Simply log back into the ZyXEL Device if this happens to you.

Chapter 2 Introducing the Web Configurator

2.3 Resetting the ZyXEL Device

If you forget your password or cannot access the web configurator, you will need to use the RESET button at the back of the ZyXEL Device to reload the factory-default configuration file. This means that you will lose all configurations that you had previously, and the password will be reset to "1234". Change this default password as soon as the device restarts (see the guidelines in Section 8.6).

2.3.1 Using the Reset Button

1 Make sure the POWER LED is on (not blinking).

2 Press the RESET button for ten seconds or until the POWER LED begins to blink and then release it. When the POWER LED begins to blink, the defaults have been restored and the ZyXEL Device restarts.

2.4 Navigating the Web Configurator

We use the P-661H-D1 web screens in this guide as an example. Screens vary slightly for different ZyXEL Device models.

2.4.1 Navigation Panel

After you enter the admin password, use the sub-menus on the navigation panel to configure ZyXEL Device features. The following table describes the sub-menus.

Figure 9 Web Configurator: Ma
...ted data connection. This can be done safely, since the PORT command contains address and port information, which can be used to uniquely identify the connection.

Any protocol that operates in this way must be supported on a case-by-case basis. You can use the web configurator's Custom Ports feature to do this.

Chapter 8 Firewalls

8.6 Guidelines for Enhancing Security with Your Firewall

• Change the default password.
• Limit who can telnet into your router.
• Don't enable any local service (such as SNMP or NTP) that you don't use. Any enabled service could present a potential security risk. A determined hacker might be able to find creative ways to misuse the enabled services to access the firewall or the network.
• For local services that are enabled, protect against misuse. Protect by configuring the services to communicate only with specific peers, and protect by configuring rules to block packets for the services at specific interfaces.
• Protect against IP spoofing by making sure the firewall is active.
• Keep the firewall in a secured (locked) room.

8.6.1 Security In General

You can never be too careful. Factors outside your firewall, filtering or NAT can cause security breaches. Below are some generalizations about what you can do to minimize them.

• Encourage your company or organization to develop a comprehensive security plan. Good network administration takes into account what hackers can do and prepa
...ter A or setting computer A to obtain an IP address automatically.

Figure 210 Conflicting Computer IP Addresses Example

[Figure: two computers on the same LAN both configured with 192.168.1.33.]

Conflicting Router IP Addresses Example

Since a router connects different networks, it must have interfaces using different network numbers. For example, if a router is set between a LAN and the Internet (WAN), the router's LAN and WAN addresses must be on different subnets. In the following example, the LAN and WAN are on the same subnet. The LAN computers cannot access the Internet because the router cannot route between networks.

Figure 211 Conflicting Router IP Addresses Example

[Figure: LAN computers, the router, and the Internet, with the router's LAN and WAN sides on one subnet.]

Appendix C IP Addresses and Subnetting

Conflicting Computer and Router IP Addresses Example

More than one device cannot use the same IP address. In the following example, the computer and the router's LAN port both use 192.168.1.1 as the IP address. The computer cannot access the Internet. This problem can be solved by assigning a different IP address to the computer or the router's LAN port.

Figure 212 Conflicting Computer and Router IP Addresses Example

[Figure: a computer at 192.168.1.1 and the router's LAN port at 192.168.1.1, with the router's WAN port connected to the Internet.]
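The mask arithmetic of Tables 120 and 121 and the three conflict cases of Figures 210 to 212 come down to the same operation: AND the address with the mask and compare network numbers. The following is an added example for this guide, not ZyXEL code: it converts dotted-decimal addresses to 32-bit values, splits an address into network number and host ID, builds an "N-bit mask" and rejects a mask whose ones are not contiguous, and then checks a constructed LAN for duplicate addresses, for a router whose LAN and WAN interfaces sit on the same network, and for a host that is not on the LAN's network at all. The host list and router addresses are constructed for the example; the "host outside the LAN network" check generalises the appendix's cases and is this example's own.

```python
"""Subnet arithmetic and the address-conflict checks described in Appendix C.
Added example for this guide; it is not ZyXEL code and talks to no device."""


def ip_to_int(dotted: str) -> int:
    """Dotted-decimal IPv4 text to a 32-bit integer; rejects malformed input."""
    octets = dotted.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted!r}")
    a, b, c, d = (int(o) for o in octets)
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(value: int) -> str:
    """32-bit value as four space-separated octets, the layout of Tables 120 and 121."""
    bits = f"{value & 0xFFFFFFFF:032b}"
    return " ".join(bits[i:i + 8] for i in range(0, 32, 8))


def mask_from_prefix(prefix: int) -> int:
    """An 'N-bit mask': N ones from the left, then zeros, 32 bits in all."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def prefix_from_mask(mask: str) -> int:
    """Length of the network part; rejects masks whose ones are not contiguous."""
    value = ip_to_int(mask)
    prefix = bin(value).count("1")
    if value != mask_from_prefix(prefix):
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return prefix


def split_address(ip: str, mask: str):
    """(network number, host ID) of ip under mask, both in dotted decimal."""
    prefix_from_mask(mask)  # validate the mask before using it
    a, m = ip_to_int(ip), ip_to_int(mask)
    return int_to_ip(a & m), int_to_ip(a & ~m & 0xFFFFFFFF)


def same_network(ip1: str, ip2: str, mask: str) -> bool:
    m = ip_to_int(mask)
    return ip_to_int(ip1) & m == ip_to_int(ip2) & m


def find_conflicts(hosts, router):
    """Report the conflicts of Figures 210-212 plus a host that is off the LAN network.
    hosts: list of (name, ip) on the LAN; router: dict with lan_ip, lan_mask, wan_ip, wan_mask."""
    problems = []
    owner = {}
    for name, ip in hosts + [("router LAN port", router["lan_ip"])]:
        if ip in owner:  # Figures 210 and 212: two devices with one address
            problems.append(f"{name} and {owner[ip]} both use {ip}")
        owner.setdefault(ip, name)
    # Figure 211: a router's interfaces must be on different networks
    if (same_network(router["lan_ip"], router["wan_ip"], router["lan_mask"])
            or same_network(router["lan_ip"], router["wan_ip"], router["wan_mask"])):
        problems.append("router LAN and WAN interfaces are on the same network: "
                        f"{router['lan_ip']}/{router['lan_mask']} and {router['wan_ip']}/{router['wan_mask']}")
    # Added check: a host outside the LAN's network number cannot reach its gateway
    for name, ip in hosts:
        if not same_network(ip, router["lan_ip"], router["lan_mask"]):
            problems.append(f"{name} ({ip}) is not on the LAN network of {router['lan_ip']}/{router['lan_mask']}")
    return problems


# Constructed sample: two computers both on 192.168.1.33 and a router whose LAN and
# WAN interfaces are both in 192.168.1.0/24.
BAD_HOSTS = [("computer A", "192.168.1.33"), ("computer B", "192.168.1.33")]
BAD_ROUTER = {"lan_ip": "192.168.1.1", "lan_mask": "255.255.255.0",
              "wan_ip": "192.168.1.254", "wan_mask": "255.255.255.0"}

if __name__ == "__main__":
    print(to_binary(ip_to_int("192.168.1.2")), split_address("192.168.1.2", "255.255.255.0"))
    for problem in find_conflicts(BAD_HOSTS, BAD_ROUTER):
        print("conflict:", problem)
```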
...th classes with higher priorities. Select Fairness-Based to treat all bandwidth classes equally.

Max Bandwidth Usage    Select this check box to have the ZyXEL Device divide up all of the interface's unallocated and/or unused bandwidth among the bandwidth classes that require bandwidth. Do not select this if you want to reserve bandwidth for traffic that does not match a bandwidth class or you want to limit the speed of this interface (see the Speed field description).

Apply    Click Apply to save your settings back to the ZyXEL Device.

Cancel    Click Cancel to begin configuring this screen afresh.

Chapter 14 Bandwidth Management

14.8 Bandwidth Management Rule Setup

You must use the Bandwidth Management Summary screen to enable bandwidth management on an interface before you can configure rules for that interface.

Click Advanced > Bandwidth MGMT > Rule Setup to open the following screen.

Figure 121 Bandwidth Management: Rule Setup

[Figure: Rule Setup screen. Direction: LAN ("To LAN Interface"); Service; Priority: High; Bandwidth: 10 kbps; Add. Rule table with columns #, Active, Rule Name, Destination Port, Priority, Bandwidth (kbps), Modify; two example rows, one High priority at 10 kbps and an E-Mail rule at Mid priority, 10 kbps. Apply, Cancel.]

The following table describes the labels in this screen.

Table 94 Bandwidth Management: Rule Setup
LABEL    DESC
...that define your customized service.

Port Number    Type a single port number or the range of port numbers that define your customized service.

Apply    Click Apply to save your customized settings and exit this screen.

Cancel    Click Cancel to return to the previous screen.

Delete    Click Delete to delete the current rule and return to the previous screen.

9.8 Example Firewall Rule

The following Internet firewall rule example allows a hypothetical "MyService" connection from the Internet.

1 Click Security > Firewall > Rules.

2 Select WAN to LAN in the Packet Direction field.

Chapter 9 Firewall Configuration

Figure 91 Firewall Example: Rules

[Figure: Rules screen (tabs Rules, Anti-Probing, Threshold). Firewall Rules Storage Space in Use; Packet Direction: WAN to LAN; Create a new rule after rule number; Add; rule list; Apply, Cancel.]

3 In the Rules screen, select the index number after which you want to add the rule. For example, if you select "6", your new rule becomes number 7 and the previous rule 7 (if there is one) becomes rule 8.

4 Click Add to display the firewall rule configuration screen.

5 In the Edit Rule screen, click the Edit Customized Services link to open the Customized Service screen.

6 Click an index number to display the Customized Services Config screen, configure the screen as follows and click Apply.

Figure 92 Edit Custom Por
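The rule fields of Table 62 (Drop versus Reject, the Single/Range/Subnet/Any address types), the customized service and rule of this Section 9.8 example, and the dense renumbering described in step 3 (and in the same way for NAT address mapping rules) can be modelled as a small matcher. The following is an added example for this guide, not ZyXEL code and not how the device implements its firewall: it reproduces the WAN-to-LAN rule of this example (permit *MyService, TCP/UDP port 123, from any source to 10.0.0.10 to 10.0.0.15), adds a second, constructed Reject rule for TELNET to the 10.0.0.0/24 subnet to show Subnet matching and the reject response, evaluates constructed packets first-match against the list, and shows how inserting "after rule 9" into a six-rule set yields rule 7 and how deleting rule 4 shifts the rest up. The `Address` form used here is also the shape of the Local/Remote Address Type fields in the VPN screens. What the device does when no rule matches depends on the direction's default action, which this example leaves as `None` rather than guessing.

```python
"""Firewall rule matching and rule-list numbering as described in Chapter 9.
Added example for this guide, not ZyXEL code; it models the rule semantics of
Table 62 and Section 9.8 in Python and does not talk to a device."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def ip_to_int(dotted: str) -> int:
    a, b, c, d = (int(o) for o in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


@dataclass
class Address:
    """Source/Destination Address of Table 62: Any, Single, Range or Subnet.
    The same forms are what the VPN screens' Local/Remote Address Type selects."""
    kind: str
    start: str = "0.0.0.0"  # Single: the address; Range: first address; Subnet: an address in it
    end: str = "0.0.0.0"    # Range only
    mask: str = "0.0.0.0"   # Subnet only

    def matches(self, ip: str) -> bool:
        n = ip_to_int(ip)
        if self.kind == "Any":
            return True
        if self.kind == "Single":
            return n == ip_to_int(self.start)
        if self.kind == "Range":
            return ip_to_int(self.start) <= n <= ip_to_int(self.end)
        if self.kind == "Subnet":
            m = ip_to_int(self.mask)
            return n & m == ip_to_int(self.start) & m
        raise ValueError(f"unknown address type {self.kind!r}")


@dataclass
class Service:
    """A predefined or customized service: protocol plus one port or a port range."""
    name: str
    protocol: str         # "TCP", "UDP" or "TCP/UDP"
    port_from: int
    port_to: int
    custom: bool = False  # customized services are listed with a leading "*"

    def label(self) -> str:
        return ("*" if self.custom else "") + self.name

    def matches(self, protocol: str, port: int) -> bool:
        return protocol in self.protocol.split("/") and self.port_from <= port <= self.port_to


@dataclass(eq=False)  # identity equality, so a rule can be located after renumbering
class Rule:
    action: str           # Permit, Drop or Reject
    source: Address
    destination: Address
    services: List[Service]
    active: bool = True

    def matches(self, src: str, dst: str, protocol: str, port: int) -> bool:
        return (self.active and self.source.matches(src) and self.destination.matches(dst)
                and any(s.matches(protocol, port) for s in self.services))


class RuleSet:
    """The rules for one packet direction. Numbering is dense: no empty slots are kept,
    which is the renumbering behaviour of Section 9.8 step 3 and of the NAT address mapping set."""

    def __init__(self):
        self.rules: List[Rule] = []

    def add_after(self, number: int, rule: Rule) -> int:
        """'Create a new rule after rule number N'; a number past the end simply appends.
        Returns the new rule's 1-based number."""
        position = min(number, len(self.rules))
        self.rules.insert(position, rule)
        return position + 1

    def delete(self, number: int) -> None:
        del self.rules[number - 1]  # the rules below it move up by one

    def number_of(self, rule: Rule) -> int:
        return self.rules.index(rule) + 1

    def evaluate(self, src: str, dst: str, protocol: str, port: int) -> Tuple[Optional[str], Optional[int]]:
        """First active matching rule decides. (None, None) means no rule matched and the
        direction's default action applies."""
        for number, rule in enumerate(self.rules, start=1):
            if rule.matches(src, dst, protocol, port):
                return rule.action, number
        return None, None


def reject_response(protocol: str) -> str:
    """What the sender gets back for Reject (Table 62); Drop sends nothing."""
    return {"TCP": "TCP reset", "UDP": "ICMP destination unreachable"}[protocol]


# Constructed sample reproducing Section 9.8 (WAN to LAN): permit the customized service
# MyService (TCP/UDP port 123) from any Internet host to 10.0.0.10-10.0.0.15. The second
# rule is not from the guide; it shows Reject with a Subnet address.
MY_SERVICE = Service("MyService", "TCP/UDP", 123, 123, custom=True)
WAN_TO_LAN = RuleSet()
WAN_TO_LAN.add_after(0, Rule("Permit", Address("Any"),
                             Address("Range", start="10.0.0.10", end="10.0.0.15"), [MY_SERVICE]))
WAN_TO_LAN.add_after(1, Rule("Reject", Address("Any"),
                             Address("Subnet", start="10.0.0.0", mask="255.255.255.0"),
                             [Service("TELNET", "TCP", 23, 23)]))

if __name__ == "__main__":
    for pkt in [("203.0.113.7", "10.0.0.12", "TCP", 123), ("203.0.113.7", "10.0.0.20", "TCP", 23)]:
        print(pkt, "->", WAN_TO_LAN.evaluate(*pkt))
```

Because the first matching rule wins, the order in which rules are inserted is part of the policy: a Permit placed before a narrower Reject silently wins for every packet both would match, which is why the renumbering after a delete is worth re-checking against the intended order.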
...the PCR here.

Sustain Cell Rate    The Sustain Cell Rate (SCR) sets the average cell rate (long term) that can be transmitted. Type the SCR, which must be less than the PCR. Note that the system default is 0 cells/sec.

Chapter 4 WAN Setup

Table 28 More Connections Advanced Setup (continued)
LABEL    DESCRIPTION

Maximum Burst Size    Maximum Burst Size (MBS) refers to the maximum number of cells that can be sent at the peak rate. Type the MBS, which is less than 65535.

Back    Click Back to return to the previous screen.

Apply    Click Apply to save the changes.

Cancel    Click Cancel to begin configuring this screen afresh.

4.7 Traffic Redirect

Traffic redirect forwards traffic to a backup gateway when the ZyXEL Device cannot connect to the Internet. An example is shown in the figure below.

Figure 43 Traffic Redirect Example

[Figure: the ZyXEL Device with its WAN connection and a Backup Gateway.]

The following network topology allows you to avoid triangle route security issues when the backup gateway is connected to the LAN. Use IP alias to configure the LAN into two or three logical networks with the ZyXEL Device itself as the gateway for each LAN network. Put the protected LAN in one subnet (Subnet 1 in the following figure) and the backup gateway in another subnet (Subnet 2). Configure filters that allow packets from the protected LAN (Subnet 1) to the backup gateway (Subnet 2).
...the control channel.
PPTP_TUNNEL (GRE)    User-Defined 47    PPTP (Point-to-Point Tunneling Protocol) enables secure transfer of data over public networks. This is the data channel.
RCMD                 TCP 512           Remote Command Service
REAL_AUDIO           TCP 7070          A streaming audio service that enables real-time sound over the web.
REXEC                TCP 514           Remote Execution Daemon
RLOGIN               TCP 513           Remote Login

Appendix E Common Services

Table 135 Commonly Used Services (continued)
NAME                 PROTOCOL  PORT(S)    DESCRIPTION
RTELNET              TCP       107        Remote Telnet
RTSP                 TCP/UDP   554        The Real Time Streaming (media control) Protocol (RTSP) is a remote control for multimedia on the Internet.
SFTP                 TCP       115        Simple File Transfer Protocol
SMTP                 TCP       25         Simple Mail Transfer Protocol is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another.
SNMP                 TCP/UDP   161        Simple Network Management Protocol
SNMP-TRAPS           TCP/UDP   162        Traps for use with the SNMP (RFC 1215).
SQL-NET              TCP       1521       Structured Query Language is an interface to access data on many different types of database systems, including mainframes, midrange systems, UNIX systems and network servers.
SSH                  TCP/UDP   22         Secure Shell Remote Login Program
STRM WORKS           UDP       1558       Stream Works Protocol
SYSLOG               UDP       514        Syslog allows you to send system logs to a UNIX server.
TACACS               UDP       49         Login Host Protocol used for (Te
...the wireless settings of your computer to match the ZyXEL Device's new settings.

Click Network > Wireless LAN to open the General screen.

Chapter 6 Wireless LAN

Figure 54 Wireless LAN: General

[Figure: Wireless Setup. Active Wireless LAN; Network Name (SSID): ZyXEL; Hide SSID; Channel Selection: Channel-06 2437MHz. Security: Security Mode: No Security. Apply, Cancel, Advanced Setup.]

The following table describes the general wireless LAN labels in this screen.

Table 36 Wireless LAN: General
LABEL    DESCRIPTION

Active Wireless LAN    Click the check box to activate wireless LAN.

Network Name (SSID)    (Service Set IDentity) The SSID identifies the Service Set with which a wireless client is associated. Wireless clients associating to the access point (AP) must have the same SSID. Enter a descriptive name (up to 32 printable 7-bit ASCII characters) for the wireless LAN.
Note: If you are configuring the ZyXEL Device from a computer connected to the wireless LAN and you change the ZyXEL Device's SSID or security settings, you will lose your wireless connection when you press Apply to confirm. You must then change the wireless settings of your computer to match the ZyXEL Device's new settings.

Hide SSID    Select this check box to hide the SSID in the outgoing beacon frame so a station cannot obtain the SSID through scanning using a site surv
...they use programs written for specific Internet services, such as HTTP, FTP and telnet, they can evaluate network packets for valid application-specific data. Application-level gateways have a number of general advantages over the default mode of permitting application traffic directly to internal hosts:

Information hiding prevents the names of internal systems from being made known via DNS to outside systems, since the application gateway is the only host whose name must be made known to outside systems.

Robust authentication and logging pre-authenticates application traffic before it reaches internal hosts and causes it to be logged more effectively than if it were logged with standard host logging. Filtering rules at the packet-filtering router can be less complex than they would be if the router needed to filter application traffic and direct it to a number of specific systems. The router need only allow application traffic destined for the application gateway and reject the rest.

8.2.3 Stateful Inspection Firewalls

Stateful inspection firewalls restrict access by screening data packets against defined access rules. They make access control decisions based on IP address and protocol. They also "inspect" the session data to assure the integrity of the connection and to adapt to dynamic protocols. These firewalls generally provide the best speed and transparency; however, they may lack the granular application-level access control or caching that
...tic IP Address Setting in ifconfig-eth0 ...... 302
Figure 194 Red Hat 9.0: DNS Settings in resolv.conf ...... 302
Figure 195 Red Hat 9.0: Restart Ethernet Card ...... 302
Figure 196 Red Hat 9.0: Checking TCP/IP Properties ...... 303
Figure 197 ...... 305
Figure 198 Internet Options: Privacy ...... 306
Figure 199 Internet Options: Privacy ...... 307
Figure 200 Pop-up Blocker Settings ...... 307
Figure 201 Internet Options: Security ...... 308
Figure 202 Security Settings - Java Scripting ...... 309
Figure 203 Security Settings - Java ...... 309
Figure 204 ...... 310
Figure 205 Mozilla Firefox: Tools > Options ...... 311
Figure 206 Mozilla Firefox Content Security ...... 311
Figure 207 Network Number and Host ID ...... 314
Figure 208 Subnetting Example: Before Subnetting ...... 316
Figure 20
...ticular Security Association (SA). The SPI is transmitted from the remote VPN gateway to the local VPN gateway. The local VPN gateway then uses the network, encryption and key values that the administrator associated with the SPI to establish the tunnel.

The current ZyXEL implementation assumes identical outgoing and incoming SPIs.

12.15 Configuring Manual Key

You only configure VPN Manual Key when you select Manual in the IPSec Key Mode field on the VPN IKE screen. This is the VPN Manual Key screen as shown next. Keys entered here are never renegotiated, so they stay in use until an administrator changes them on both gateways; prefer IKE where the remote gateway supports it, and keep the manual keys with the same care as the device password.

Chapter 12 VPN Screens

Figure 111 VPN: Manual Key

[Figure: IPSec Setup: Active; Name; IPSec Key Mode: Manual; SPI; Encapsulation Mode: Transport; DNS Server (for IPSec VPN): 0.0.0.0. Local: Local Address Type: Range; IP Address Start; End / Subnet Mask. Remote: Remote Address Type: Range; IP Address Start; End / Subnet Mask. Address Information: My IP Address; Secure Gateway Address. Security Protocol: IPSec Protocol: ESP; Encryption Algorithm; Encryption Key; Authentication Algorithm; Authentication Key. Back, Apply, Reset.]

The following table describes the fields in this screen.

Table 80 VPN: Manual Key
LABEL    DESCRIPTION

IPSec Setup

Active    Select this check box to activate this VPN policy.

Name    Type up to 32 characters to identify this VPN policy. You may use any character, including spaces, b
ting up Your Computer's IP Address

Figure 192 Red Hat 9.0: Dynamic IP Address Setting in ifconfig-eth0

    DEVICE=eth0
    ONBOOT=yes
    BOOTPROTO=dhcp
    USERCTL=no
    PEERDNS=yes
    TYPE=Ethernet

If you have a static IP address, enter static in the BOOTPROTO= field. Type IPADDR= followed by the IP address (in dotted decimal notation) and type NETMASK= followed by the subnet mask. The following example shows an example where the static IP address is 192.168.1.10 and the subnet mask is 255.255.255.0.

Figure 193 Red Hat 9.0: Static IP Address Setting in ifconfig-eth0

    DEVICE=eth0
    ONBOOT=yes
    BOOTPROTO=static
    IPADDR=192.168.1.10
    NETMASK=255.255.255.0
    USERCTL=no
    PEERDNS=yes
    TYPE=Ethernet

2 If you know your DNS server IP address(es), enter the DNS server information in the resolv.conf file in the /etc directory. The following figure shows an example where two DNS server IP addresses are specified.

Figure 194 Red Hat 9.0: DNS Settings in resolv.conf

    nameserver 172.23.5.1
    nameserver 172.23.5.2

3 After you edit and save the configuration files, you must restart the network card. Enter ./network restart in the /etc/rc.d/init.d directory. The following figure shows an example.

Figure 195 Red Hat 9.0: Restart Ethernet Card

    [root@localhost init.d]# network restart
    Shutting down interface eth0:    [OK]
    Shutting down loopback interface
to associate with it.

IEEE 802.1x

In June 2001, the IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to support extended authentication as well as providing additional accounting and control features. It is supported by Windows XP and a number of network devices. Some advantages of IEEE 802.1x are:

• User based identification that allows for roaming
• Support for RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) for centralized user profile and accounting management on a network RADIUS server
• Support for EAP (Extensible Authentication Protocol, RFC 2486) that allows additional authentication methods to be deployed with no changes to the access point or the wireless clients

RADIUS

RADIUS is based on a client-server model that supports authentication, authorization and accounting. The access point is the client and the server is the RADIUS server. The RADIUS server handles the following tasks:

• Authentication: Determines the identity of the users.
• Authorization: Determines the network services available to authenticated users once they are connected to the network.
• Accounting: Keeps track of the client's network activity.

RADIUS is a simple package exchange in which your AP acts as a message relay between the wireless client and the network RADIUS server.

Types of RADIUS Messages

The following types of RADIUS messa
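The exchange described above can be made concrete at the packet level. The following Python is an added example written for this page, not ZyXEL code: it builds a RADIUS Access-Request with the User-Password hiding and the Response Authenticator of RFC 2865 (the successor of RFC 2138 cited above; the algorithm is unchanged), lets a minimal server answer it, and has the access point verify the answer. The shared secret, request authenticator, username and password are constructed sample values. With IEEE 802.1x the password attribute is replaced by EAP-Message attributes, but the framing and the Response Authenticator check are the same, so the simpler User-Password form is used here. The point it demonstrates is the one the manual makes about the Shared Secret: it never travels on the wire, it only enters the MD5 computations on both ends.

```python
import hashlib
import hmac
import struct

# Constructed sample values for this example (assumptions, not from the manual).
SHARED_SECRET = b"example-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))   # a real client uses 16 random bytes per request

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to a multiple of 16 bytes, then XOR each
    block with MD5(secret + previous block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of hide_password: the same pad stream, chained on the hidden blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    # Type (1 byte), Length (1 byte, includes the two header bytes), Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data: bytes) -> dict:
    attrs, pos = {}, 0
    while pos + 2 <= len(data):
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_request(identifier, username, password, secret, request_auth):
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def build_response(code, identifier, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(response, request_auth, secret) -> bool:
    header, response_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def server_decide(request, secret, accounts) -> bytes:
    """Minimal RADIUS server: recover the password with its copy of the shared secret,
    check the account, and answer Accept or Reject with a valid Response Authenticator."""
    code, identifier, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attributes(request[20:length])
    username = attrs.get(ATTR_USER_NAME, b"")
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    verdict = ACCESS_ACCEPT if accounts.get(username) == password else ACCESS_REJECT
    return build_response(verdict, identifier, request_auth, b"", secret)


def exchange(username, password, client_secret, server_secret, accounts) -> str:
    """One AP -> server -> AP round trip; returns what the AP concludes."""
    request = build_access_request(7, username, password, client_secret, REQUEST_AUTHENTICATOR)
    response = server_decide(request, server_secret, accounts)
    if not verify_response(response, REQUEST_AUTHENTICATOR, client_secret):
        return "discarded: Response Authenticator does not match our shared secret"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}[response[0]]


if __name__ == "__main__":
    accounts = {b"alice": b"s3cret"}   # constructed account database
    print(exchange(b"alice", b"s3cret", SHARED_SECRET, SHARED_SECRET, accounts))
    print(exchange(b"alice", b"s3cret", SHARED_SECRET, b"mismatched-secret", accounts))
```

When the two secrets differ, the server recovers garbage for the password and, more importantly, the AP rejects the reply because the Response Authenticator was computed with a different secret; this is the failure an operator sees when the Shared Secret field on the ZyXEL Device and the RADIUS server do not match. Because both authenticators are MD5 over secret-derived input, anyone who captures the exchange can test candidate secrets offline, so the secret should be long and random rather than a word.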
to incoming WAN Ping requests. Otherwise select LAN & WAN to reply to both incoming LAN and WAN Ping requests.
Do Not Respond to Requests for Unauthorized Services: Select this option to prevent hackers from finding the ZyXEL Device by probing for unused ports. If you select this option, the ZyXEL Device will not respond to port request(s) for unused ports, thus leaving the unused ports and the ZyXEL Device unseen. By default this option is not selected and the ZyXEL Device will reply with an ICMP Port Unreachable packet for a port probe on its unused UDP ports, and a TCP Reset packet for a port probe on its unused TCP ports.
Note that the probing packets must first traverse the ZyXEL Device's firewall mechanism before reaching this anti-probing mechanism. Therefore if the firewall mechanism blocks a probing packet, the ZyXEL Device reacts based on the corresponding firewall policy to send a TCP reset packet for a blocked TCP packet or an ICMP port unreachable packet for a blocked UDP packet, or just drop the packets without sending a response packet.
Apply: Click Apply to save your changes back to the ZyXEL Device.
Cancel: Click Cancel to begin configuring this screen afresh.

9.10 DoS Thresholds

For DoS attacks, the ZyXEL Device uses thresholds to determine when to drop sessions that do not become fully established. These thresholds apply globally to all sessions.

You can use the default threshold values, or you can
to the wired network is allowed. The default time interval is 3600 seconds (or 1 hour).
Group Key Update Timer (In Seconds): The Group Key Update Timer is the rate at which the AP (if using WPA-PSK/WPA2-PSK key management) or RADIUS server (if using WPA(2) key management) sends a new group key out to all clients. The re-keying process is the WPA(2) equivalent of automatically changing the WEP key for an AP and all stations in a WLAN on a periodic basis. Setting of the Group Key Update Timer is also supported in WPA-PSK/WPA2-PSK mode. The default is 1800 seconds (30 minutes).
Authentication Server
IP Address: Enter the IP address of the external authentication server in dotted decimal notation.
Port Number: Enter the port number of the external authentication server. The default port number is 1812. You need not change this value unless your network administrator instructs you to do so with additional information.
Shared Secret: Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external authentication server and the ZyXEL Device. The key must be the same on the external authentication server and your ZyXEL Device. The key is not sent over the network.
Accounting Server (optional)
IP Address: Enter the IP address of the external accounting server in dotted decimal notation.
Port Number: Enter the port number of the external accounting server. The default port n
traffic. Select UBR (Unspecified Bit Rate) for applications that are non-time sensitive, such as e-mail. Select VBR-nRT (Variable Bit Rate non Real Time) or VBR-RT (Variable Bit Rate Real Time) for bursty traffic and bandwidth sharing with other applications.

Table 25 Advanced Internet Connection
LABEL: DESCRIPTION
Peak Cell Rate: Divide the DSL line rate (bps) by 424 (the size of an ATM cell) to find the Peak Cell Rate (PCR). This is the maximum rate at which the sender can send cells. Type the PCR here.
Sustain Cell Rate: The Sustain Cell Rate (SCR) sets the average cell rate (long term) that can be transmitted. Type the SCR, which must be less than the PCR. Note that system default is 0 cells/sec.
Maximum Burst Size: Maximum Burst Size (MBS) refers to the maximum number of cells that can be sent at the peak rate. Type the MBS, which is less than 65535.
Zero Configuration: This feature is not available when you configure the ZyXEL Device to use a static WAN IP address or in bridge mode. Select Yes to set the ZyXEL Device to automatically detect the Internet connection settings (such as the VCI/VPI numbers and the encapsulation method) from the ISP and make the necessary configuration changes. Select No to disable this feature. You must manually configure the ZyXEL Device for Internet access.
PPPoE: This feature is available only
ts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the ZyXEL Device to protect your LAN against attacks.

Figure 83 Ideal Firewall Setup
[Diagram: LAN, ZyXEL Device, WAN, Internet]

9.5.1 The "Triangle Route" Problem

You may have more than one connection to the Internet (through one or more ISPs). If the alternate gateway is on the LAN (and its IP address is in the same subnet as the ZyXEL Device's LAN IP address), the "triangle route" (also called asymmetrical route) problem may occur. The steps below describe the "triangle route" problem.

1 A computer on the LAN initiates a connection by sending out a SYN packet to a receiving server on the WAN.
2 The ZyXEL Device reroutes the SYN packet through Gateway A on the LAN to the WAN.
3 The reply from the WAN goes directly to the computer on the LAN without going through the ZyXEL Device.

As a result, the ZyXEL Device resets the connection, as the connection has not been acknowledged.

Figure 84 "Triangle Route" Problem
[Diagram: LAN, Gateway A, ZyXEL Device, WAN, Internet]

9.5.2 Solving the "Triangle Route" Problem

You can have the ZyXEL Device allow triangle route sessions. However this can allow traffic from the WAN to go directly to a LAN computer without passing through the ZyXEL Device and its firewall protection.

Another way to solve the tria
tside: This refers to the host on the WAN.
Local: This refers to the packet address (source or destination) as the packet travels on the LAN.
Global: This refers to the packet address (source or destination) as the packet travels on the WAN.

NAT never changes the IP address (either local or global) of an outside host.

7.1.2 What NAT Does

In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side. When the response comes back, NAT translates the destination address (the inside global address) back to the inside local address before forwarding it to the original inside host. Note that the IP address (either local or global) of an outside host is never changed.

The global IP addresses for the inside hosts can be either static or dynamically assigned by the ISP. In addition, you can designate servers (for example, a web server and a telnet server) on your local network and make them accessible to the outside world. If you do not define any servers (for Many-to-One and Many-to-Many Overload mapping; see Table 49 on page 126), NAT offers the additional benefit of firewall protection. With no servers defined, your ZyXEL Device filters out all incoming inquiries, thus preventing intru
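The Many-to-One (overload) behaviour this section describes can be modelled in a few dozen lines. The following Python is an added example written for this page, not ZyXEL firmware: the inside local hosts (192.168.1.x), the inside global address 203.0.113.5 and the outside hosts are constructed sample values from the documentation address ranges. It shows the source rewrite on the way out, the reverse mapping applied to the reply, the outside host's address staying untouched in both directions, and an unsolicited inbound packet being dropped unless a server has been defined for its port.

```python
import itertools
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class ManyToOneNat:
    """Many-to-One (overload) NAT: every inside local address shares one inside
    global address; sessions are told apart by the port the NAT assigns on the WAN side."""

    def __init__(self, inside_global: str, servers: Optional[dict] = None):
        self.inside_global = inside_global
        # Servers made reachable from the WAN: (proto, global port) -> (local ip, local port)
        self.servers = dict(servers or {})
        # (proto, local ip, local port, outside ip, outside port) -> assigned global port
        self.sessions = {}
        # assigned (proto, global port) -> (local ip, local port, outside ip, outside port)
        self.by_global_port = {}
        self._ports = itertools.count(1024)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: rewrite the inside local source to the inside global address.
        The destination (the outside host) is never changed."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.sessions:
            gport = next(self._ports)
            self.sessions[key] = gport
            self.by_global_port[(pkt.proto, gport)] = (pkt.src_ip, pkt.src_port,
                                                       pkt.dst_ip, pkt.dst_port)
        return replace(pkt, src_ip=self.inside_global, src_port=self.sessions[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: translate the inside global destination back to the inside local
        host. Returns None when the packet is dropped. The source (outside host) is unchanged."""
        if pkt.dst_ip != self.inside_global:
            return None
        session = self.by_global_port.get((pkt.proto, pkt.dst_port))
        if session is not None:
            local_ip, local_port, outside_ip, outside_port = session
            # Only the outside host the inside host actually talked to may answer here.
            if (pkt.src_ip, pkt.src_port) == (outside_ip, outside_port):
                return replace(pkt, dst_ip=local_ip, dst_port=local_port)
        server = self.servers.get((pkt.proto, pkt.dst_port))
        if server is not None:
            return replace(pkt, dst_ip=server[0], dst_port=server[1])
        return None   # no matching session and no server defined: the inquiry is filtered out


def demo(servers: Optional[dict] = None) -> dict:
    """Constructed scenario: LAN host 192.168.1.33 connects to outside host 198.51.100.80,
    the server replies, then an unrelated outside host 192.0.2.9 sends two unsolicited packets."""
    nat = ManyToOneNat("203.0.113.5", servers)
    out = nat.outbound(Packet("tcp", "192.168.1.33", 40000, "198.51.100.80", 80))
    reply = nat.inbound(Packet("tcp", "198.51.100.80", 80, "203.0.113.5", out.src_port))
    stranger = nat.inbound(Packet("tcp", "192.0.2.9", 5555, "203.0.113.5", out.src_port))
    probe = nat.inbound(Packet("tcp", "192.0.2.9", 5555, "203.0.113.5", 80))
    return {"out": out, "reply": reply, "stranger": stranger, "probe": probe}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(name, pkt)
    # With a web server defined, the probe to port 80 is forwarded to it instead of dropped.
    print("probe with server:", demo({("tcp", 80): ("192.168.1.10", 80)})["probe"])
```

Calling `demo()` without servers reproduces the "firewall protection" the text mentions: the reply to the session the LAN host opened is delivered, while both packets from the unrelated outside host come back as `None`. Passing `{("tcp", 80): ("192.168.1.10", 80)}` stands in for designating a web server, and only then does the inbound packet to port 80 reach a LAN host.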
[Screenshot residue of the Remote Management: FTP screen: Access Status (WAN), Secured Client IP (All / Selected 0.0.0.0), the note "You may also need to create a Firewall rule", Apply and Cancel buttons]

The following table describes the labels in this screen.

Table 100 Remote Management: FTP
LABEL: DESCRIPTION
Port: You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
Access Status: Select the interface(s) through which a computer may access the ZyXEL Device using this service.
Secured Client IP: A secured client is a "trusted" computer that is allowed to communicate with the ZyXEL Device using this service. Select All to allow any computer to access the ZyXEL Device using this service. Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service.
Apply: Click Apply to save your customized settings and exit this screen.
Cancel: Click Cancel to begin configuring this screen afresh.

16.6 SNMP

Simple Network Management Protocol (SNMP) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your ZyXEL Device supports SNMP agent functionality, which allows a manager station to manage and monit
ual Circuit ID: VPI (Virtual Path Identifier) and VCI (Virtual Channel Identifier) define a virtual circuit. Refer to the appendix for more information.
VPI: Enter the VPI assigned to you. This field may already be configured.
VCI: Enter the VCI assigned to you. This field may already be configured.
Back: Click Back to go back to the previous screen.
Next: Click Next to continue to the next wizard screen. The next wizard screen you see depends on what mode and encapsulation you selected above.
Exit: Click Exit to close the wizard screen without saving your changes.

3.1.2.3 Screen 3

These screens let you enter the rest of the Internet settings, which depend on the encapsulation your Internet connection uses (and the mode you selected for RFC1483).

This screen appears if your Internet connection uses Ethernet encapsulation.

Figure 22 Internet Setup Wizard: ISP Parameters (Ethernet)
[Screenshot of the Internet Configuration screen: Obtain an IP Address Automatically; Static IP Address, with IP Address, First DNS Server and Second DNS Server fields showing 0.0.0.0]

The following table describes the fields in this screen.

Table 12 Internet Setup Wizard: ISP Parameters (Ethernet)
LABEL: DESCRIPTION
Obtain an IP Address Automatically: Select this if you have a dynamic IP address
uld not overlap.

Figure 114 Telecommuters Sharing One VPN Rule Example
[Diagram: LAN A (192.168.2.12), LAN B (192.168.3.2) and LAN C (192.168.4.15) each connect through the Internet to the HQ LAN (192.168.1.10)]

Table 83 Telecommuters Sharing One VPN Rule Example
FIELDS | TELECOMMUTERS | HEADQUARTERS
My IP Address | 0.0.0.0 (dynamic IP address assigned by the ISP) | Public static IP address
Secure Gateway IP Address | Public static IP address | 0.0.0.0 (with this IP address only the telecommuter can initiate the IPSec tunnel)
Local IP Address | Telecommuter A: 192.168.2.12; Telecommuter B: 192.168.3.2; Telecommuter C: 192.168.4.15 | 192.168.1.10
Remote IP Address | 192.168.1.10 | 0.0.0.0 (N/A)

12.18.2 Telecommuters Using Unique VPN Rules Example

In this example the telecommuters (A, B and C in the figure) use IPSec routers with domain names that are mapped to their dynamic WAN IP addresses (use Dynamic DNS to do this).

With aggressive negotiation mode (see Section 12.12.1 on page 194), the ZyXEL Device can use the ID types and contents to distinguish between VPN rules. Telecommuters can each use a separate VPN rule to simultaneously access a ZyXEL Device at headquarters. They can use different IPSec parameters. The local IP addresses (or ranges of addresses) of the rules configured on the ZyXEL Device at headquarters can ov
umber.
Phase 2
Active Protocol: Use the drop-down list box to choose from ESP or AH.
Encryption Algorithm: This field is available when you select ESP in the Active Protocol field. Select DES, 3DES, AES or NULL from the drop-down list box. When you use one of these encryption algorithms for data communications, both the sending device and the receiving device must use the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES. It also requires more processing power, resulting in increased latency and decreased throughput. This implementation of AES uses a 128-bit key. AES is faster than 3DES. Select NULL to set up a tunnel without encryption. When you select NULL, you do not enter an encryption key.

Table 79 Advanced VPN Policies (continued)
LABEL: DESCRIPTION
Authentication Algorithm: Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA1 for maximum security.
SA Life Time: Define the length of time befo
umber is 1813. You need not change this value unless your network administrator instructs you to do so with additional information.
Shared Secret: Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external accounting server and the ZyXEL Device. The key must be the same on the external accounting server and your ZyXEL Device. The key is not sent over the network.
Apply: Click Apply to save your changes back to the ZyXEL Device.
Cancel: Click Cancel to reload the previous configuration for this screen.
Advanced Setup: Click Advanced Setup to display the Wireless Advanced Setup screen and edit more details of your WLAN setup.

6.4.5 Wireless LAN Advanced Setup

To configure advanced wireless settings, click the Advanced Setup button in the General screen. The screen appears as shown.

Figure 59 Wireless LAN: Advanced
[Screenshot of the Wireless Advanced Setup screen: RTS/CTS Threshold 2432 (0 ~ 2432, 4096 when G+ Enhanced); Fragmentation Threshold 2432 (256 ~ 2432, 4096 when G+ Enhanced); Output Power: Maximum; Preamble; 802.11 Mode: Mixed; Enable 802.11g+ mode; Max. Frame Burst (0 ~ 1800); Apply, Cancel]

The following table describes the labels in this screen.

Table 41 Wireless LAN: Advanced
LABEL: DESCRIPTION
Wireless Advanced Setup
RTS/CTS Threshold: Enter
uration: DNS
[Screenshot of the Network Configuration window, DNS tab: "You may configure the system's hostname, domain, name servers, and search domain. Name servers are used to look up other hosts on the network." Fields: Hostname, Primary DNS, Secondary DNS, Tertiary DNS, DNS Search Path. Active Profile: Common (modified)]

5 Click the Devices tab.

6 Click the Activate button to apply the changes. The following screen displays. Click Yes to save the changes in all screens.

Figure 191 Red Hat 9.0: KDE: Network Configuration: Activate
[Dialog (redhat-config-network): "You have made some changes in your configuration. To activate the network device eth0, the changes have to be saved. Do you want to continue?"]

7 After the network card restart process is complete, make sure the Status is Active in the Network Configuration screen.

Using Configuration Files

Follow the steps below to edit the network configuration files and set your computer IP address.

1 Assuming that you have only one network card on the computer, locate the ifconfig-eth0 configuration file (where eth0 is the name of the Ethernet card). Open the configuration file with any plain text editor.

If you have a dynamic IP address, enter dhcp in the BOOTPROTO= field. The following figure shows an example.

Appendix A Set
ure 176 Windows Vista: Control Panel
[Screenshot of the Control Panel home, showing the System and Maintenance, User Accounts, Security, Appearance and Personalization, Network and Internet, and Clock, Language, and Region categories]

3 Click Network and Sharing Center.

Figure 177 Windows Vista: Network And Internet
[Screenshot of Control Panel > Network and Internet, showing Network and Sharing Center (View network status and tasks, Connect to a network, View network computers and devices, Add a device to the network, Set up file sharing) and Internet Options]

4 Click Manage network connections.

Figure 178 Windows Vista: Network and Sharing Center
[Screenshot of Control Panel > Network and Internet > Network and Sharing Center]
ure at least one IP address here. When using a WAN backup connection, the ZyXEL Device periodically pings the addresses configured here and uses the other WAN backup connection (if configured) if there is no response.
Fail Tolerance: Type the number of times (2 recommended) that your ZyXEL Device may ping the IP addresses configured in the Check WAN IP Address field without getting a response before switching to a WAN backup connection (or a different WAN backup connection).
Recovery Interval: When the ZyXEL Device is using a lower priority connection (usually a WAN backup connection), it periodically checks whether or not it can use a higher priority connection. Type the number of seconds (30 recommended) for the ZyXEL Device to wait between checks. Allow more time if your destination IP address handles lots of traffic.
Timeout: Type the number of seconds (3 recommended) for your ZyXEL Device to wait for a ping response from one of the IP addresses in the Check WAN IP Address field before timing out the request. The WAN connection is considered "down" after the ZyXEL Device times out the number of times specified in the Fail Tolerance field. Use a higher value in this field if your network is busy or congested.
Traffic Redirect: Traffic redirect forwards traffic to a backup gateway when the ZyXEL Device cannot connect to the Internet.
Active Traffic Redirect: Select this check box to have the ZyXEL Device use traffic redir
urity
[Screenshot of the wireless security screen: Security Mode: WPA2; WPA Compatible; ReAuthentication Timer 1800 (In Seconds); Idle Timeout 3600 (In Seconds); Group Key Update Timer 1800 (In Seconds); Authentication Server: IP Address 0.0.0.0, Port Number 1812, Shared Secret; Accounting Server (optional): IP Address 0.0.0.0, Port Number 1813, Shared Secret; Apply, Cancel, Advanced Setup]

The following table describes the wireless LAN security labels in this screen.

Table 40 Wireless: WPA/WPA2
LABEL: DESCRIPTION
WPA Compatible: This check box is available only when you select WPA2-PSK or WPA2 in the Security Mode field. Select the check box to have both WPA2 and WPA wireless clients be able to communicate with the ZyXEL Device even when the ZyXEL Device is using WPA2-PSK or WPA2.
ReAuthentication Timer (In Seconds): Specify how often wireless clients have to resend usernames and passwords in order to stay connected. Enter a time interval between 10 and 9999 seconds. The default time interval is 1800 seconds (30 minutes).
Note: If wireless client authentication is done using a RADIUS server, the reauthentication timer on the RADIUS server has priority.
Idle Timeout (In Seconds): The ZyXEL Device automatically disconnects a wireless client from the wired network after a period of inactivity. The wireless client needs to enter the username and password again before access
useful if you want to be able to use, for example, www.yourhost.dyndns.org and still reach your hostname.

If you have a private WAN IP address, then you cannot use Dynamic DNS.

See Section 15.2 on page 221 for configuration instruction.

15.2 Configuring Dynamic DNS

To change your ZyXEL Device's DDNS, click Advanced > Dynamic DNS. The screen appears as shown.

See Section 15.1 on page 221 for more information.

Figure 124 Dynamic DNS
[Screenshot of the Dynamic DNS Setup screen: Active Dynamic DNS; Service Provider: WWW.DynDNS.ORG; Dynamic DNS Type: Dynamic DNS; Host Name; User Name; Password; Enable Wildcard Option; Enable off line option (Only applies to custom DNS); IP Address Update Policy: Use WAN IP Address / Dynamic DNS server auto detect IP Address / Use specified IP Address 0.0.0.0; Apply, Cancel]

The following table describes the fields in this screen.

Table 97 Dynamic DNS
LABEL: DESCRIPTION
Dynamic DNS Setup
Active Dynamic DNS: Select this check box to use dynamic DNS.
Service Provider: This is the name of your Dynamic DNS service provider.
Dynamic DNS Type: Select the type of service that you are registered for from your Dynamic DNS service provider.
Host Name: Type the domain name assigned to your ZyXEL Device by your Dynamic DNS provider. You can specify up to t
ut the ZyXEL Device drops trailing spaces.
IPSec Key Mode: Select IKE or Manual from the drop-down list box. Manual is a useful option for troubleshooting if you have problems using IKE key management.
SPI: Type a number (base 10) from 1 to 999999 for the Security Parameter Index.
Encapsulation Mode: Select Tunnel mode or Transport mode from the drop-down list box.

Table 80 VPN: Manual Key (continued)
LABEL: DESCRIPTION
DNS Server (for IPSec VPN): If there is a private DNS server that services the VPN, type its IP address here. The ZyXEL Device assigns this additional DNS server to the ZyXEL Device's DHCP clients that have IP addresses in this IPSec rule's range of local addresses. A DNS server allows clients on the VPN to find other computers and servers on the VPN by their (private) domain names.
Local: Local IP addresses must be static and correspond to the remote IPSec router's configured remote IP addresses. Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both. You can configure multiple SAs between the same local and remote IP addresses, as long as only one is active at any time.
Local Address Type: Use the drop-down menu to choose Single, Range, or Subnet. Select Single for a single IP address. Select Range for a specific range of IP ad
video connections.

Peak Cell Rate (PCR) is the maximum rate at which the sender can send cells. This parameter may be lower (but not higher) than the maximum line speed. 1 ATM cell is 53 bytes (424 bits), so a maximum speed of 832Kbps gives a maximum PCR of 1962 cells/sec. This rate is not guaranteed because it is dependent on the line speed.

Sustained Cell Rate (SCR) is the mean cell rate of each bursty traffic source. It specifies the maximum average rate at which cells can be sent over the virtual connection. SCR may not be greater than the PCR.

Maximum Burst Size (MBS) is the maximum number of cells that can be sent at the PCR. After MBS is reached, cell rates fall below SCR until cell rate averages to the SCR again. At this time, more cells (up to the MBS) can be sent at the PCR again.

If the PCR, SCR or MBS is set to the default of "0", the system will assign a maximum value that correlates to your upstream line rate.

The following figure illustrates the relationship between PCR, SCR and MBS.

Figure 37 Example of Traffic Shaping
[Plot of cell rate against time: a burst of up to MBS cells at PCR, after which the rate drops back towards SCR]

4.3.1 ATM Traffic Classes

These are the basic ATM traffic classes defined by the ATM Forum Traffic Management 4.0 Specification.

4.3.1.1 Constant Bit Rate (CBR)

Constant Bit Rate (CBR) provides fixed bandwidth that is always available even if no data is being sent. CBR traffic is generally time se
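Before typing values into the PCR, SCR and MBS fields it helps to check them against the rules this chapter states. The following Python is an added helper written for this page, not ZyXEL code: PCR is the line rate in bits per second divided by the 424 bits of an ATM cell, SCR may not exceed PCR, MBS must be below 65535, and 0 means let the system assign a value. The 832 Kbps line from the text is the sample input; the burst estimate is a simplified model of Figure 37 (MBS cells at PCR, the remainder held to SCR) rather than a reproduction of the device's shaper.

```python
ATM_CELL_BITS = 53 * 8    # one ATM cell is 53 bytes = 424 bits
MBS_LIMIT = 65535         # the Maximum Burst Size field must be less than this


def peak_cell_rate(line_rate_bps: int) -> int:
    """Whole cells per second the line can carry: the PCR ceiling for that line."""
    if line_rate_bps <= 0:
        raise ValueError("line rate must be positive")
    return line_rate_bps // ATM_CELL_BITS


def check_traffic_shaping(line_rate_bps: int, pcr: int, scr: int, mbs: int) -> list:
    """Return the problems with a PCR/SCR/MBS triple for the given upstream line rate;
    an empty list means the values follow the rules in this chapter. A value of 0 is
    the device default ("let the system assign a maximum") and is never a problem."""
    problems = []
    if any(v < 0 for v in (pcr, scr, mbs)):
        problems.append("PCR, SCR and MBS cannot be negative")
    line_pcr = peak_cell_rate(line_rate_bps)
    if pcr > line_pcr:
        problems.append(f"PCR {pcr} exceeds what the line rate allows ({line_pcr} cells/sec)")
    effective_pcr = pcr or line_pcr          # 0 means the system picks the line maximum
    if scr != 0 and scr >= effective_pcr:
        problems.append(f"SCR {scr} must be less than PCR {effective_pcr}")
    if mbs >= MBS_LIMIT:
        problems.append(f"MBS {mbs} must be less than {MBS_LIMIT}")
    return problems


def burst_cells_allowed(pcr: int, scr: int, mbs: int, seconds: float) -> int:
    """Simplified upper bound on cells sent in a window: up to MBS cells go at PCR,
    everything after that is held to the SCR average (the shape of Figure 37)."""
    if pcr <= 0 or scr < 0 or mbs < 0 or seconds < 0:
        raise ValueError("rates, burst size and window must be non-negative, PCR positive")
    at_pcr = min(mbs, int(pcr * seconds))
    remaining_time = max(0.0, seconds - at_pcr / pcr)
    return at_pcr + int(scr * remaining_time)


if __name__ == "__main__":
    line = 832_000                       # the 832 Kbps upstream line used in the text
    print("PCR ceiling for 832 Kbps:", peak_cell_rate(line))        # 1962
    print("all defaults:", check_traffic_shaping(line, 0, 0, 0))     # []
    print("too fast:", check_traffic_shaping(line, 2000, 1962, 70000))
    print("cells in 1 s with MBS=100, SCR=1000:", burst_cells_allowed(1962, 1000, 100, 1.0))
```

A non-empty list from `check_traffic_shaping` corresponds to values the device either cannot honour or will reject: a PCR above the line's own cell rate is "not guaranteed" in the text's words, and SCR at or above PCR contradicts the SCR must be less than PCR rule in Table 25.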
...wall a better choice when complex rules are required.

Chapter 8 Firewalls

- To selectively block/allow inbound or outbound traffic between inside host/networks and outside host/networks. Remember that filters cannot distinguish traffic originating from an inside host or an outside host by IP address.
- The firewall performs better than filtering if you need to check many rules.
- Use the firewall if you need routine e-mail reports about your system or need to be alerted when attacks occur.
- The firewall can block specific URL traffic that might occur in the future. The URL can be saved in an Access Control List (ACL) database.

Firewall Configuration

This chapter shows you how to enable and configure the ZyXEL Device firewall.

9.1 Access Methods

The web configurator is, by far, the most comprehensive firewall configuration tool your ZyXEL Device has to offer. For this reason, it is recommended that you configure your firewall using the web configurator. CLI (Command Line Interpreter) commands provide limited configuration options and are only recommended for advanced users.

9.2 Firewall Policies Overview

Firewall rules are grouped based on the direction of travel of the packets to which they apply:

- LAN to LAN/Router
- WAN to LAN
- LAN to WAN
- WAN to WAN/Router

Note: The LAN includes both the LAN port and the WLAN.

By default, the ZyXEL Device's stateful ...
...way for each subnet.

Time and Date: Get the current time and date from an external server when you turn on your ZyXEL Device. You can also set the time manually. These dates and times are then used in logs.

Logging and Tracing: Use packet tracing and logs for troubleshooting. You can send logs from the ZyXEL Device to an external syslog server.

PPPoE: PPPoE mimics a dial-up Internet access connection.

Universal Plug and Play (UPnP): A UPnP-enabled device can dynamically join a network, obtain an IP address and convey its capabilities to other devices on the network. UPnP requests are not authenticated, so any host on the LAN can use them; leave UPnP disabled unless you need it.

Firewall: You can configure the firewall on the ZyXEL Device for secure Internet access. When the firewall is on, by default, all incoming traffic from the Internet to your network is blocked unless it is initiated from your network. This means that probes from the outside to your network are not allowed, but you can safely browse the Internet and download files, for example.

Content Filter: The ZyXEL Device blocks access to web sites with URLs that contain keywords that you specify. You can define time periods and days during which content filtering is enabled. You can also include or exclude particular computers on your network from content filtering.

Bandwidth Management: You can efficiently manage traffic on your network by reserving bandwidth and giving priority to certain types of traffic and/or to particular computers.

Remote Management ...
...wing the wireless client (already connecting to an AP) to perform IEEE 802.1x authentication with another AP before connecting to it.

Appendix D Wireless LANs

Wireless Client WPA Supplicants

A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicant is the WPA patch for Windows XP, Funk Software's Odyssey client.

The Windows XP patch is a free download that adds WPA capability to Windows XP's built-in "Zero Configuration" wireless client. However, you must run Windows XP to use it.

WPA(2) with RADIUS Application Example

To set up WPA(2), you need the IP address of the RADIUS server, its port number (default is 1812), and the RADIUS shared secret. The PMK in step 4 below travels from the RADIUS server to the AP protected only by this shared secret, so choose a long random one. A WPA(2) application example with an external RADIUS server looks as follows. "A" is the RADIUS server. "DS" is the distribution system.

1. The AP passes the wireless client's authentication request to the RADIUS server.
2. The RADIUS server then checks the user's identification against its database and grants or denies network access accordingly.
3. A 256-bit Pairwise Master Key (PMK) is derived from the authentication process by the RADIUS server and the client.
4. The RADIUS server distributes the PMK to the AP. The AP then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption...
...with Cipher Block Chaining Message Authentication Code Protocol (CCMP) to offer stronger encryption than TKIP.

TKIP uses 128-bit keys that are dynamically generated and distributed by the authentication server. AES (Advanced Encryption Standard) is a block cipher based on the Rijndael algorithm; WPA2 uses it with 128-bit keys in CCMP. TKIP adds a per-packet key mixing function, a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism. CCMP does not use per-packet key mixing or Michael: it encrypts with AES in counter mode and protects integrity with a CBC-MAC, keeping each packet's nonce unique with a packet number under a single temporal key.

WPA and WPA2 regularly change and rotate the encryption keys so that the same encryption key is never used twice.

The RADIUS server distributes a Pairwise Master Key (PMK) to the AP, which then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients. This all happens in the background automatically.

The MIC is designed to prevent an attacker from capturing data packets, altering them and resending them. The receiver and the transmitter each compute and then compare the MIC. If they do not match, it is assumed that the data has been tampered with and the packet is dropped. Michael is a deliberately lightweight function chosen so that it runs on older WEP hardware, which is why TKIP also includes countermeasures on repeated MIC failures; CCMP's CBC-MAC is the stronger choice.

By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism (MIC), TKIP and AES...
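The key hierarchy that the RADIUS example and the paragraphs above describe (PMK handed to the AP, per-session keys derived from it, a MIC that rejects altered frames) can be followed end to end with nothing but the standard library. The example below is added here and is not code from the guide or from ZyXEL. It derives the PMK the WPA-PSK way (PBKDF2 over the passphrase and SSID; with RADIUS the PMK would instead arrive from the server after EAP), expands it into the PTK with the IEEE 802.11i PRF, and signs and verifies an EAPOL-Key frame with the KCK. The MAC addresses, nonces and the 99-byte frame body are constructed demonstration values; the passphrase/SSID pair "password"/"IEEE" is the published 802.11i test vector.

```python
"""WPA/WPA2 key hierarchy with the standard library only: PSK -> PMK -> PTK -> EAPOL-Key MIC."""
import hashlib
import hmac

# Offset of the 16-byte Key MIC field inside an EAPOL-Key frame:
# EAPOL header (4) + descriptor type (1) + key info (2) + key length (2) + replay counter (8)
# + nonce (32) + IV (16) + RSC (8) + key ID (8) = 81.
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """IEEE 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ... concatenated."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes, tkip: bool = False) -> bytes:
    """PTK from PMK, both MAC addresses and both handshake nonces (sorted, so either side computes the same PTK)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 512 if tkip else 384)


def split_ptk(ptk: bytes) -> dict:
    """KCK signs EAPOL-Key frames, KEK wraps the GTK, TK encrypts data; TKIP appends two 64-bit Michael keys."""
    parts = {"kck": ptk[0:16], "kek": ptk[16:32], "tk": ptk[32:48]}
    if len(ptk) == 64:
        parts["michael_ap_to_sta"] = ptk[48:56]
        parts["michael_sta_to_ap"] = ptk[56:64]
    return parts


def eapol_key_mic(kck: bytes, frame: bytes, version: int) -> bytes:
    """Key MIC over the whole frame with its MIC field zeroed: HMAC-MD5 (v1, TKIP) or HMAC-SHA1-128 (v2, CCMP)."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    alg = hashlib.md5 if version == 1 else hashlib.sha1
    return hmac.new(kck, zeroed, alg).digest()[:16]


def sign_eapol_key(kck: bytes, frame: bytes, version: int) -> bytes:
    """Return the frame with its MIC field filled in."""
    mic = eapol_key_mic(kck, frame, version)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


def verify_eapol_key(kck: bytes, frame: bytes, version: int) -> bool:
    """Constant-time check of the received MIC; a failure means tampering or a different PMK on the other side."""
    return hmac.compare_digest(eapol_key_mic(kck, frame, version), frame[MIC_OFFSET:MIC_OFFSET + 16])


if __name__ == "__main__":
    # Constructed demonstration values; the MAC addresses, nonces and frame body are not from the guide.
    pmk = pmk_from_passphrase("password", "IEEE")
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    keys = split_ptk(derive_ptk(pmk, aa, spa, anonce, snonce))
    frame = sign_eapol_key(keys["kck"], bytes(99), 2)
    print(pmk.hex(), verify_eapol_key(keys["kck"], frame, 2))
```

The PMK itself never encrypts traffic: every association mixes it with two fresh nonces, so a captured session cannot be decrypted with another session's PTK, and a frame altered anywhere outside the MIC field fails verification.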
...wo host names in the field separated by a comma.

User Name: Type your user name.
Password: Type the password assigned to you.
Enable Wildcard Option: Select the check box to enable DynDNS Wildcard.
Enable off line option: This option is available when Custom DNS is selected in the DDNS Type field. Check with your Dynamic DNS service provider to have traffic redirected to a URL that you can specify while you are off line.
IP Address Update Policy:
Use WAN IP Address: Select this option to update the IP address of the host name(s) to the WAN IP address.

Chapter 15 Dynamic DNS Setup

Table 97 Dynamic DNS (continued)

Dynamic DNS server auto detect IP Address: Select this option only when there are one or more NAT routers between the ZyXEL Device and the DDNS server. This feature has the DDNS server automatically detect and use the IP address of the NAT router that has a public IP address.
Note: The DDNS server may not be able to detect the proper IP address if there is an HTTP proxy server between the ZyXEL Device and the DDNS server.
Use specified IP Address: Type the IP address of the host name(s). Use this if you have a static IP address.
Apply: Click Apply to save your changes back to the ZyXEL Device.
Cancel: Click Cancel to begin configuring this screen afresh.

Chapter 15 ...
...word

User Password: Old Password, New Password, Retype to confirm.
Admin Password: Old Password, New Password, Retype to confirm.

Caution: Please record your new password whenever you change it. The system will lock you out if you have forgotten your password.

Apply / Cancel

The following table describes the fields in this screen.

Table 9 System General: Password

Old Password: Type the default password or the existing password you use to access the system in this field. Change the default password at first login, and in any case before enabling remote management from the WAN.
New Password: Type the new password in this field.
Retype to Confirm: Type the new password again in this field.
Apply: Click Apply to save your changes back to the ZyXEL Device.
Cancel: Click Cancel to begin configuring this screen afresh.

Wizards

Use these screens to configure Internet access or to configure basic bandwidth management.

Note: See the advanced menu chapters for background information on these fields.

To access the wizards, click Go to Wizard setup in Figure 8 on page 41, or click the wizard icon in the top right corner of the web configurator. The wizard main screen appears.

Figure 17 Wizard Main Screen ("Welcome to the ZyXEL Wizard Setup", with the INTERNET/WIRELESS SETUP button)

The following table describes the fields in this screen.

Table 10 Wizard Main Screen

INTERNET/...: Click this if you want t...
...work, then the VPN host must use IP addresses to access the computers on the remote network.

(Figure: the VPN host reaching the DNS server at 10.1.1.10 through the VPN tunnel.)

Chapter 12 VPN Screens

12.9 ID Type and Content

With aggressive negotiation mode (see Section 12.12.1 on page 194), the ZyXEL Device identifies incoming SAs by ID type and content since this identifying information is not encrypted. This enables the ZyXEL Device to distinguish between multiple rules for SAs that connect from remote IPSec routers that have dynamic WAN IP addresses. Telecommuters can use separate passwords to simultaneously connect to the ZyXEL Device from IPSec routers with dynamic IP addresses (see Section 12.18 on page 202 for a telecommuter configuration example). Aggressive mode trades identity protection for this flexibility: the ID and the pre-shared-key hash are visible to anyone capturing the exchange and can be attacked offline, so use a long random pre-shared key for each telecommuter.

Regardless of the ID type and content configuration, the ZyXEL Device does not allow you to save multiple active rules with overlapping local and remote IP addresses.

With main mode (see Section 12.12.1 on page 194), the ID type and content are encrypted to provide identity protection. In this case the ZyXEL Device can only distinguish between up to 12 different incoming SAs that connect from remote IPSec routers that have dynamic WAN IP addresses. The ZyXEL Device can distinguish up to 12 incoming SAs because you can select between three encryption algorithms (DES, 3DES and AES), two authentication algorithms (MD5 and SHA1) and two key groups (DH1 and DH2) when you configure a VPN rule (see Section ...
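The rule the device enforces when you save VPN policies, stated in the Manual Key table (two active SAs may share a local address or a remote address but not both) and repeated above (no active rules with overlapping local and remote addresses), is easy to check before you touch the configurator. The example below is added here and is not code from the guide or from ZyXEL. It turns the Single/Range/Subnet selectors into inclusive address intervals and reports every pair of active rules whose local and remote selectors both overlap. The rule names and addresses are constructed for the demonstration.

```python
"""Checks a set of VPN rules for the local/remote overlap constraint described in the guide."""
import ipaddress
from dataclasses import dataclass
from itertools import combinations


def selector_range(addr_type: str, start: str, end_or_mask: str = "") -> tuple:
    """Single / Range / Subnet selector -> inclusive (first, last) pair of integer addresses."""
    first = int(ipaddress.IPv4Address(start))
    if addr_type == "Single":
        return first, first
    if addr_type == "Range":
        last = int(ipaddress.IPv4Address(end_or_mask))
        if last < first:
            raise ValueError("range end precedes range start")
        return first, last
    if addr_type == "Subnet":
        net = ipaddress.IPv4Network((start, end_or_mask), strict=False)
        return int(net.network_address), int(net.broadcast_address)
    raise ValueError(f"unknown address type {addr_type!r}")


def overlaps(a: tuple, b: tuple) -> bool:
    """Two inclusive intervals overlap unless one ends before the other starts."""
    return a[0] <= b[1] and b[0] <= a[1]


@dataclass
class VpnRule:
    name: str
    local: tuple    # (first, last) from selector_range
    remote: tuple   # (first, last) from selector_range
    active: bool = True


def conflicting_rules(rules) -> list:
    """Pairs of active rules whose local AND remote selectors both overlap; the device refuses such a set."""
    active = [r for r in rules if r.active]
    return [(a.name, b.name) for a, b in combinations(active, 2)
            if overlaps(a.local, b.local) and overlaps(a.remote, b.remote)]


if __name__ == "__main__":
    # Constructed rules: two telecommuters share the office subnet as the local side but differ on the remote side.
    office = selector_range("Subnet", "192.168.1.0", "255.255.255.0")
    rules = [
        VpnRule("hq-to-tc1", office, selector_range("Single", "10.1.1.10")),
        VpnRule("hq-to-tc2", office, selector_range("Single", "10.1.1.11")),
        VpnRule("hq-to-tc3", selector_range("Range", "192.168.1.10", "192.168.1.20"),
                selector_range("Single", "10.1.1.10")),
        VpnRule("spare", office, selector_range("Single", "10.1.1.10"), active=False),
    ]
    print(conflicting_rules(rules))
```

Only the inactive "spare" rule may duplicate an existing pair, which is the "as long as only one is active at any time" case from the Manual Key table; the Range rule collides with the first Subnet rule because 192.168.1.10 to 192.168.1.20 lies inside the office subnet and both point at the same remote host.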
...xel.co.jp
Telephone: +81 3 6847 3700
Fax: +81 3 6847 3705
Web: www.zyxel.co.jp
Regular Mail: ZyXEL Japan, 3F, Office T&U, 1-10-10 Higashi-Gotanda, Shinagawa-ku, Tokyo 141-0022, Japan

Kazakhstan
Support: http://zyxel.kz/support
Sales E-mail: sales@zyxel.kz
Telephone: +7 3272 590 698
Fax: +7 3272 590 689
Web: www.zyxel.kz
Regular Mail: ZyXEL Kazakhstan, 43 Dostyk Ave., Office 414, Dostyk Business Centre, 050010 Almaty, Republic of Kazakhstan

Malaysia
Support E-mail: support@zyxel.com.my
Sales E-mail: sales@zyxel.com.my
Telephone: +603 8076 9933
Fax: +603 8076 9833
Web: http://www.zyxel.com.my
Regular Mail: ZyXEL Malaysia Sdn Bhd, 1-02 & 1-03, Jalan Kenari 17F, Bandar Puchong Jaya, 47100 Puchong, Selangor Darul Ehsan, Malaysia

North America
Support E-mail: support@zyxel.com
Sales E-mail: sales@zyxel.com
Telephone: 1-800-255-4101, +1 714 632 0882
Fax: +1 714 632 0858
Web: www.us.zyxel.com
FTP: ftp.us.zyxel.com

Appendix G Customer Support

Regular Mail: ZyXEL Communications Inc., 1130 N. Miller St., Anaheim, CA 92806-2001, U.S.A.

Norway
Support E-mail: support@zyxel.no
Sales E-mail: sales@zyxel.no
Telephone: +47 22 80 61 80
Fax: +47 22 80 61 81
Web: www.zyxel.no
Regular Mail: ZyXEL Communications A/S, Nils Hansens vei 13, 0667 Oslo, Norway

Poland
E-mail: info@pl.zyxel.com
Telephone: +48 22 333 8250
Fax: +48 ...
...xel.dk
Telephone: +45 39 55 07 00
Fax: +45 39 55 07 07
Web: www.zyxel.dk
Regular Mail: ZyXEL Communications A/S, Columbusvej, 2860 Soeborg, Denmark

Finland
Support E-mail: support@zyxel.fi
Sales E-mail: sales@zyxel.fi
Telephone: +358 9 4780 8411
Fax: +358 9 4780 8448
Web: www.zyxel.fi
Regular Mail: ZyXEL Communications Oy, Malminkaari 10, 00700 Helsinki, Finland

France
E-mail: info@zyxel.fr
Telephone: +33 4 72 52 97 97
Fax: +33 4 72 52 19 20
Web: www.zyxel.fr
Regular Mail: ZyXEL France, rue des Vergers, Bat. 1 / C, 69760 Limonest, France

Germany
Support E-mail: support@zyxel.de
Sales E-mail: sales@zyxel.de
Telephone: +49 2405 6909 69
Fax: +49 2405 6909 99
Web: www.zyxel.de
Regular Mail: ZyXEL Deutschland GmbH, Adenauerstr. 20/A2, D-52146 Wuerselen, Germany

Hungary
Support E-mail: support@zyxel.hu
Sales E-mail: info@zyxel.hu
Telephone: +36 1 3361649
Fax: +36 1 3259100
Web: www.zyxel.hu
Regular Mail: ZyXEL Hungary, 48, Zoldlomb Str., H-1025 Budapest, Hungary

India
Support E-mail: support@zyxel.in
Sales E-mail: sales@zyxel.in
Telephone: +91 11 30888144 to +91 11 30888153
Fax: +91 11 30888149, +91 11 26810715
Web: http://www.zyxel.in
Regular Mail: India, ZyXEL Technology India Pvt Ltd, II Floor, F2/9 Okhla Phase 1, New Delhi 110020, India

Japan
Support E-mail: support@zyxel.co.jp
Sales E-mail: zyp@zy...
...y equivalent product of equal or higher value, and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product has been modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions.

Note

Repair or replacement, as provided under this warranty, is the exclusive remedy of the purchaser. This warranty is in lieu of all other warranties, express or implied, including any implied warranty of merchantability or fitness for a particular use or purpose. ZyXEL shall in no event be held liable for indirect or consequential damages of any kind to the purchaser.

To obtain the services of this warranty, contact ZyXEL's Service Center for your Return Material Authorization number (RMA). Products must be returned Postage Prepaid. It is recommended that the unit be insured when shipped. Any returned products without proof of purchase or those with an out-dated warranty will be repaired or replaced (at the discretion of ZyXEL) and the customer will be billed for parts and labor. All repaired or replaced products will be shipped by ZyXEL to the corresponding return address, Postage Paid. This warranty gives you specific legal rights, and you may also have other rights that vary from country to country.

Registration

Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com for global products, or at www.us.zyxel.com for North American products.
...y to incoming LAN Ping requests. Select WAN to reply to incoming WAN Ping requests. Otherwise, select LAN & WAN to reply to both incoming LAN and WAN Ping requests.

Chapter 16 Remote Management Configuration

Table 105 Remote Management: ICMP

Do not respond to requests for unauthorized services: Select this option to prevent hackers from finding the ZyXEL Device by probing for unused ports. If you select this option, the ZyXEL Device will not respond to port request(s) for unused ports, thus leaving the unused ports and the ZyXEL Device unseen. By default this option is not selected and the ZyXEL Device will reply with an ICMP Port Unreachable packet for a port probe on its unused UDP ports, and a TCP Reset packet for a port probe on its unused TCP ports. With the option selected, a port scanner reports the unused ports as filtered rather than closed; services that are enabled still answer, so this is no substitute for disabling management services you do not need on the WAN.
Note that the probing packets must first traverse the ZyXEL Device's firewall mechanism before reaching this anti-probing mechanism. Therefore, if the firewall mechanism blocks a probing packet, the ZyXEL Device reacts based on the firewall policy, which by default is to send a TCP reset packet for a blocked TCP packet. You can use the command "sys firewall tcprst rst [on|off]" to change this policy. When the firewall mechanism blocks a UDP packet, it drops the packet without sending a response packet.
Apply: Click Apply to save your customized settings and exit this screen.
Cancel: Click Canc...
...ype your subnet mask in the Subnet mask box.
4. Type the IP address of your ZyXEL Device in the Router address box.
5. Close the TCP/IP Control Panel.
6. Click Save if prompted, to save changes to your configuration.
7. Turn on your ZyXEL Device and restart your computer (if prompted).

Verifying Settings

Check your TCP/IP properties in the TCP/IP Control Panel window.

Macintosh OS X

1. Click the Apple menu, and click System Preferences to open the System Preferences window.

Figure 186 Macintosh OS X: Apple Menu

2. Click Network in the icon bar.
   - Select Automatic from the Location list.
   - Select Built-in Ethernet from the Show list.
   - Click the TCP/IP tab.
3. For dynamically assigned settings, select Using DHCP from the Configure list.

Appendix A Setting up Your Computer's IP Address

Figure 187 Macintosh OS X: Network (TCP/IP tab with Configure set to Using DHCP; the IP address, subnet mask, router and DNS servers shown are provided by the DHCP server)

...Click the lock to preve...
...ys the time a wireless station first associated with the ZyXEL Device.
Refresh: Click Refresh to reload this screen.

2.4.5 Status: VPN Status

Click the VPN Status hyperlink in the Status screen. The VPN Status shows the current status of any VPN tunnels the ZyXEL Device has negotiated.

Chapter 2 Introducing the Web Configurator

Figure 13 Status: VPN Status (Monitor table with one entry: No. 1, Name "aaa", Encapsulation Tunnel, IPSec Algorithm ESP DES SHA1; Disconnect and Refresh buttons)

The following table describes the labels in this screen.

Table 7 Status: VPN Status

No: This is the security association index number.
Name: This field displays the identification name for this VPN policy.
Encapsulation: This field displays Tunnel or Transport mode.
IPSec Algorithm: This field displays the security protocol, encryption algorithm, and authentication algorithm used in each SA.
Disconnect: Select one of the security associations, and then click Disconnect to stop that security association.
Refresh: Click Refresh to display the current active VPN connection(s).

2.4.6 Status: Bandwidth Status

Select the Bandwidth Status hyperlink in the Status screen. View the bandwidth usage of the configured bandwidth rules. This is also shown as bandwidth usage over the bandwidth budget for each rule. The gray section of the bar represents the percentage o...
(Figure: Mozilla Firefox Content Security options. Content tab: Block pop-up windows, Load images automatically, Enable JavaScript, Enable Java; Fonts & Colors; File Types.)

Appendix B Pop-up Windows, JavaScripts and Java Permissions

IP Addresses and Subnetting

This appendix introduces IP addresses and subnet masks.

IP addresses identify individual devices on a network. Every networking device (including computers, servers, routers, printers, etc.) needs an IP address to communicate across the network. These networking devices are also known as hosts.

Subnet masks determine the maximum number of possible hosts on a network. You can also use subnet masks to divide one network into multiple sub-networks.

Introduction to IP Addresses

One part of the IP address is the network number, and the other part is the host ID. In the same way that houses on a street share a common street name, the hosts on a network share a common network number. Similarly, as each house has its own house number, each host on the network has its own unique identifying number (the host ID). Routers use the ...
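The network number / host ID split and the two uses of a subnet mask named above (bounding the number of hosts, and dividing one network into smaller ones) come down to a few bit operations. The example below is added here and is not code from the guide or from ZyXEL; it does the arithmetic directly rather than through a library so that each step of the appendix is visible, and it rejects masks whose ones are not contiguous, which the appendix's definition of a mask implies but a reader may not check. The addresses used are the 192.168.1.0/24 private range; they are illustration values, not device settings from the guide.

```python
"""Network number, host ID and subnet splitting done with bit operations."""


def ip_to_int(ip: str) -> int:
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {ip!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_valid_mask(mask: str) -> bool:
    """A mask is a run of ones followed by a run of zeros; 255.255.0.255 is not a mask."""
    zeros = (~ip_to_int(mask)) & 0xFFFFFFFF
    return (zeros & (zeros + 1)) == 0  # the zero part must have the form 2^k - 1


def mask_to_prefix(mask: str) -> int:
    if not is_valid_mask(mask):
        raise ValueError(f"non-contiguous mask {mask!r}")
    return bin(ip_to_int(mask)).count("1")


def prefix_to_mask(prefix: int) -> str:
    return int_to_ip((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)


def network_and_host(ip: str, mask: str) -> tuple:
    """Split an address into its network number (dotted) and host ID (integer)."""
    a, m = ip_to_int(ip), ip_to_int(mask)
    return int_to_ip(a & m), a & ~m & 0xFFFFFFFF


def usable_hosts(mask: str) -> int:
    """Host addresses left after reserving the all-zero (network) and all-one (broadcast) host IDs."""
    return max(2 ** (32 - mask_to_prefix(mask)) - 2, 0)


def split_network(network: str, mask: str, wanted: int) -> list:
    """Divide a network into the smallest power-of-two number of equal subnets that is at least `wanted`."""
    if wanted < 1:
        raise ValueError("wanted must be at least 1")
    prefix = mask_to_prefix(mask)
    extra_bits = (wanted - 1).bit_length()
    new_prefix = prefix + extra_bits
    if new_prefix > 30:
        raise ValueError("subnets would have no usable host addresses")
    base = ip_to_int(network) & ip_to_int(mask)
    size = 2 ** (32 - new_prefix)
    return [(int_to_ip(base + i * size), prefix_to_mask(new_prefix)) for i in range(2 ** extra_bits)]


if __name__ == "__main__":
    print(network_and_host("192.168.1.77", "255.255.255.0"), usable_hosts("255.255.255.0"))
    print(split_network("192.168.1.0", "255.255.255.0", 4))
```

Borrowing two host bits turns one /24 with 254 usable hosts into four /26 networks of 62 hosts each; the two addresses lost per subnet are the network number and the broadcast address, which is why splitting always costs a few usable hosts.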
    