ZyXEL Communications 2802HWL-IX Network Router User Manual

Contents

1. LAN Frame ENETO RECV Size 62 62 Time 12089 790 sec Frame Type TCP 192 168 1 2 1116 gt 192 31 7 130 80 Ethernet Header Destination MAC Addr 00A0C5921311 Source MAC Addr 0080C84CEA63 Network Type 0x0800 TCP IP TUE legere lee IP Version 4 Header Length 20 Type of Service 0x00 0 Total Length 0x0030 48 Idetification 0x330B 13067 Flags 0x02 Fragment Offset 0x00 Time to Live 0x80 128 Protocol 0x06 TCP Header Checksum 0x3E71 15985 All contents copyright c 2007 ZyXEL Communications Corporation 181 ZyXEL Source IP Destination IP TOP HeddeT Source Port Destination Port Sequence Number Ack Number Header Length Flags Window Size Checksum Urgent Ptr Options 0000 02 04 05 B4 01 RAW DATA 0000 00 A0 C5 92 13 11 00 0010 00 30 33 OB 40 00 80 0020 07 82 04 5C 00 50 00 0030 20 00 BE C3 00 00 02 lt Q001 gt LAN Frame ENETO XMIT Size Frame Type TCP 192 31 7 130 Ethernet Header Destination MAC Addr Source MAC Addr Network Type IP Header IP Version Header Length Type of Service Total Length All contents copyright c 2007 ZyXEL Communications Corporation Prestige 2802HW L Ix Support Notes 0xC0A80102 192 168 1 2 UxCOIROT82 1927317130 0x045C 1116 0x0050 80 0x00BD15A7 12391847 0x00000000 0 S TOKO eS 0x2004 8192
2. What advantage can Voice over IP provide? What is the difference between H.323 and SIP? Can H.323 and SIP interoperate with one another? What is voice quality? How is voice quality normally rated? What is codec? What is the relation of codec and VoIP? What codec does Prestige support? Which codec should I choose? What do I need in order to use SIP? Unable to register with the SIP server. I can register but cannot establish a call. I can make a call but the voice only goes one way, not both ways. I can receive a call but the voice only goes one way, not both ways. If all of the above have been tried but register still fails, what should I do? I suspect there is a hardware problem with my Prestige, what should I do? Firewall FAQ. What is a network firewall
3. [Figure: RADIUS Access-Accept / EAP-Success: authentication success, port authorized. RADIUS Access-Reject / EAP-Fail: authentication fail, port unauthorized. EAPOL-Logoff: authentication terminated, port unauthorized.] Configure in WEB GUI Configurator: From the Web Configurator main menu, click Network > Wireless LAN to set up the RADIUS authentication and accounting server configuration. [Screen: Authentication Server (IP Address, Port Number, Shared Secret); Accounting Server, optional (IP Address, Port Number 1813, Shared Secret); buttons Apply, Cancel, Advanced Setup.] If accounting is required, you must set up the external RADIUS accounting server. Normally, the RADIUS authentication server and the RADIUS accounting server are put on the same machine. However, they have separate UDP ports and shared secrets, so you can separate the authentication and accounting services onto two different RADIUS servers. You can refer to the RADIUS authentication configuration. Key settings for authentication server (Option: Description). Server Address: Enter the IP address of the external RADIUS authentication server. Port: The default port of RADIUS server for authentication is 1812. You need not change this value unless your network administrator instructs you to do so. Specify a password up to 31 characters as
4. OxBEC3 48835 0x0000 0 01 04 02 80 C8 4C EA 63 08 00 45 00 E 06 3E 71 CO A8 01 02 CO IF 03 gt q BDF lS Ay 00100100100 ONU psc 9 04 05 B4 01 01 04 02 58 58 Time 12090 020 sec 80 2192 168 1 2 1116 0080C84CEA63 00A0C5921311 0x0800 TCP IP 4 0x00 0 0x002C 44 182 ZyXEL Prestige 2802HW L Ix Support Notes Idetification x Ops ters O25 Flags 0x02 Fragment Offset 0x00 Time to Live OxED 237 Protocol 0x06 TCP Header Checksum OxAC8C 44172 Source IP OxCOURO782 192 317 130 Destination IP 0xC0A80102 192 168 1 2 TCP Header Source Port 0x0050 80 Destination Port 0x045C 1116 Sequence Number Ox4ADIBS7F 1255257471 Ack Number OxOOBDI5A8 12391848 Header Length 24 Flags OP e A SD Window Size OxFAFO 2802HWL40 Checksum OxF877 63607 Urcent Rit 0x0000 0 Options 0000 02 04 05 B4 RAW DATA 0000 00 80 C8 4C EA 63 00 A0 C5 92 13 11 08 00 45 00 L c E 0010 00 2C 57 F3 40 00 ED 06 AC 8C CO IF 07 82 CO A8 W 0020 01 02 00 50 04 5C 4A DI B5 7F 00 BD 15 A8 60 12 P J Xs 0030 FA FO F8 77 00 00 02 04 05 B4 Aen Wiese cna lt 0002 gt LAN Frame ENETO RECV Size 60 60 Time 12090 210 sec Frame Type TCP 192 168 1 2 1116 gt 192 31 7 130 80 Ethernet Header Destination MAC Addr 00A0C5921311 Sou
5. [Figure: EAPOL between the wireless client (802.1x client) and the authenticator.] The EAP protocol can support multiple authentication mechanisms, such as MD5-challenge, One-Time Passwords, Generic Token Card, TLS and TTLS. Typically, the authenticator will send an initial Identity Request followed by one or more Requests for authentication information. When the supplicant receives the EAP request, it will reply with the associated EAP response. So far, ZyXEL Wireless AP only supports the MD5-challenge authentication mechanism, but will support TLS and TTLS in the future. EAPOL Exchange between 802.1x Authenticator and Supplicant: The authenticator or the supplicant can initiate authentication. If you enable 802.1x authentication on the Wireless AP, the authenticator must initiate authentication when it determines that the Wireless link state transitions from down to up. It then sends an EAP-request/identity frame to the 802.1x client to request its identity (typically, the authenticator sends an initial identity/request frame followed by one or more requests for authentication information). Upon receipt of the frame, the supplicant responds with an EAP-response/identity frame. However, if during bootup the supplicant does not receive an EAP-request/identity frame from the Wireless AP, the client can ini
6. Can I receive incoming PSTN calls through P2802HWL? Yes, P2802HWL has a line port for connecting a PSTN line, thus enabling you to receive incoming PSTN calls. Can I make an outgoing PSTN call through P2802HWL? Yes, P2802HWL allows you to make outgoing PSTN calls via a prefix number that is defined in the configurable lifeline table. It allows you to store up to 9 pre-stored numbers. If P2802HWL loses power, it will bypass to the PSTN line to allow you to call out as you would on a regular PSTN phone. VoIP FAQ. What is Voice over IP? Voice over IP is an emerging technology based on open standards of IEEE, fundamentally the Internet Protocol, that allows voice data to travel across the Internet. There are many methods of using this technology; the most common and well known are SIP and H.323. How does Voice over IP work? Basically, VoIP is a technique to send voice information in digital form in discrete packets over a digital network rather than by using the traditional circuit-switched PSTN. To do so, we need an analog-to-digital converter on the sender side to translate the analog voice signal to digital and then transmit it, and the receiver end also needs an analog-to-digital converter to convert the digital signal back to analog so that the person being called can hear the voice. Why use VoIP? Traditionally telephony carrier use c
7. [Figure label: Wireless Supplicant.] IEEE 802.1x authentication is a client-server architecture delivered with EAPOL (Extensible Authentication Protocol over LAN). The authentication server authenticates each client connected to an Access Point (for Wireless LAN) or switch port (for Ethernet) before it can access any services offered by the Wireless AP. 802.1x contains three major components: 1. Authenticator: The device (i.e. Wireless AP) that facilitates authentication for the supplicant (Wireless client) attached on the Wireless network. The authenticator controls the physical access to the network based on the authentication status of the client. The authenticator acts as an intermediary (proxy) between the client and the authentication server (i.e. RADIUS server), requesting identity information from the client, verifying that information with the authentication server, and relaying a response to the client. 2. Supplicant: The station (i.e. Wireless client) that is being authenticated by an authenticator attached on the Wireless network. The supplicant requests access to the LAN services and responds to the requests from the authenticator. The station must be running 802.1x-compliant client software such as that offered in the Microsoft Windows XP operating system, Meeting House AEGIS 802.1x client and Odyssey 802.1x client. 3. Authentication Server
8. What can we do with Prestige? Does Prestige support dynamic IP addressing? What is the difference between the internal IP and the real IP from my ISP? How does e-mail work through the Prestige? Is it possible to access a server running behind SUA from the outside Internet? If possible, how? What DHCP capability does the Prestige support? How do I use the reset button, and moreover what fields of parameters will be reset by the reset button? What network interface does the new Prestige series support? How does the Prestige support TFTP? Can the Prestige support TFTP over WAN? How fast can the data go? What is Multi-NAT? When do I need Multi-NAT? What IP/Port mapping does Multi-NAT support? What is the difference between SUA and Multi-NAT? What is BOOTP/DHCP?
9. Figure 1: Local/Global IP Addresses. Mapping types: SUA; One-to-One; Many-to-One; Many-to-Many Overload; Many One-to-One; Server. The following table summarizes these types (NAT Type: IP Mapping). One-to-One: ILA1 <-> IGA1. Many-to-One (SUA/PAT): ILA1 <-> IGA1, ILA2 <-> IGA1. Many-to-Many Overload: ILA1 <-> IGA1, ILA2 <-> IGA2, ILA3 <-> IGA1, ILA4 <-> IGA2. Many-to-Many No Overload: ILA1 <-> IGA1, ILA2 <-> IGA2, ILA3 <-> IGA3, ILA4 <-> IGA4. Server (SUA): Server 1 IP <-> IGA1, Server 2 IP <-> IGA1. Using the Dynamic DNS (DDNS). 1. What is DDNS? The DDNS service, an IP Registry, provides a public central database where information such as email addresses, hostnames, IPs etc. can be stored and retrieved. This solves the problems if your DNS server uses an IP associated with dynamic IPs. Without DDNS, we always tell the users to use the WAN IP of the Prestige to access the internal server. It is inconvenient for the users if this IP is dynamic. With DDNS supported by the Prestige, you apply for a DNS name (e.g., www.zyxel.com.tw) for your server (e.g., Web server) from a DDNS server. The outside users can always access the web server using www.zyxel.com.tw regardless of the WAN IP of the Prestige. When the ISP assigns the Prestige a new I
10. [Screen: RIP Version; Multicast: IGMP-v2; Any IP Setup: Active; Windows Networking (NetBIOS over TCP/IP): Allow between LAN and WAN.] Enable IGMP in Prestige's WAN remote node in the WEB GUI: Network > WAN > Internet Connection > Advanced Setup. [Screen: Network > WAN > Internet Connection > Advanced Setup, RIP & Multicast Setup. RIP Direction: Both; RIP Version: RIP-2B; Multicast: IGMP-v2.] Key Settings: Multicast: IGMP-v1 for IGMP version 1, IGMP-v2 for IGMP version 2. Using Prestige traffic redirect. What is Traffic Redirect? Traffic redirect forwards WAN traffic to a backup gateway when Prestige cannot connect to the Internet through its normal gateway, thus making your backup gateway an auxiliary backup of your WAN connection. Once Prestige detects that its WAN connectivity is broken, Prestige will try to forward outgoing traffic to the backup gateway that users specify in the traffic redirect configuration menu. How to deploy a backup gateway? You can deploy the backup gateway on the LAN of Prestige. [Figure: Backup gateway, Traffic Redirect on LAN port.] Traffic Redirect Setup: Configure parameters that determine when Prestige will forward WAN traffic to the ba
11. [Screenshot: instant-messaging contact menu.] 3. Start a Video conversation with one online user. 4. On the opposite side, your partner selects Accept to accept your conversation request. [Screenshot: conversation window showing the invitation to a video and voice conversation, with Accept (Alt+T) and Decline (Alt+D).] 5. Finally your video
12. The NAT router must support IPSec pass-through. For example, for Prestige SUA/NAT routers, IPSec pass-through is supported since ZyNOS 3.21. The default port and the client IP have to be specified in menu 15, SUA Server Setup. Where can I configure Phase 1 ID in Prestige? Phase 1 ID can be configured in the VPN setup menu as follows. Note that you can make such configuration in the WEB GUI. [Screen: IPSec Key Mode: IKE; Negotiation Mode: Aggressive; Encapsulation Mode: Tunnel; DNS Server (for IPSec VPN): 0.0.0.0. Local: Local Address Type: Subnet; IP Address Start: <Prestige LAN>; End / Subnet Mask: 255.255.255.0. Remote: Remote Address Type: Subnet; IP Address Start: <Peer LAN>; End / Subnet Mask: 255.255.255.0. Address Information: Local ID Type and Content; My IP Address; Peer ID Type: E-mail, Content: <Sonicwall Serial>; Secure Gateway Address: 0.0.0.0.] If I have a NAT router between two VPN gateways and would like to use IP type as Phase 1 ID, what should I know? We presume your environment may look like this: [Figure: IPSec tunnel to the Prestige; VPN client 10.1.33.33; NAT router, WAN IP 202.132.154.2;] Pre
13. What VPN protocols are supported by Prestige? All Prestige series support ESP (protocol number 50) and AH (protocol number 51). What types of encryption does Prestige VPN support? Prestige supports 56-bit DES, 168-bit 3DES and AES. What types of authentication does Prestige VPN support? VPN vendors support a number of different authentication methods. Prestige VPN supports both SHA1 and MD5. AH provides authentication, integrity and replay protection, but not confidentiality. Its main difference from ESP is that AH also secures parts of the IP header of the packet (like the source/destination addresses), but ESP does not. ESP can provide authentication, integrity, replay protection and confidentiality of the data (it secures everything in the packet that follows the header). Replay protection requires authentication and integrity (these two always go together). Confidentiality (encryption) can be used with or without authentication/integrity. Similarly, one could use authentication/integrity with or without confidentiality. I am planning my Prestige-to-Prestige VPN configuration. What do I need to know? First of all, both Prestiges must have VPN capabilities. Please check the firmware version; V3.50 or later has the VPN capability. If your Prestige is capable of VPN, you can find the VPN options in the Advanced > VPN tab. For configuring a box-to-box VPN, there are some tips: 1. If there is a NAT router running in the front of Prestige
14. [Screen: Address Mapping, Edit Address Mapping Rule 1. Type; Local Start IP: 192.168.1.10; Local End IP: 192.168.1.12; Global Start IP: [Enter IGA1]; Global End IP: [Enter IGA3]; Server Mapping Set.] The three rules configured for using the One-to-One mapping type are shown below. [Screen: Network > NAT > Address Mapping, Edit Address Mapping Rule 1. Type: One-to-One; Local Start IP: 192.168.1.10; Local End IP: N/A; Global Start IP: [Enter IGA1]; Global End IP: N/A; Server Mapping Set; Edit Details.] [Screen: Network > NAT > Address Mapping, Edit Address Mapping Rule 2. Type: One-to-One; Local Start IP: 192.168.1.11; Local End IP: N/A; Global Start IP: [Enter IGA2]; Global End IP: N/A; Server Mapping Set; Edit Details; Apply, Cancel.] [Screen: Network > NAT > Address Mapping, Edit Address Mapping Rule 3. Type: One-to-One; Local Start IP: 192.168.1.12; Local End IP: N/A; Global Start IP: [Enter IGA3]; Global End IP: N/A; Server Mapping Set; Edit Details.] Prestige supports multiple types of NAT mapping rules. [Figure: Prestige and ISP; ILA = Inside Local Addresses, IGA = Inside Global Addresses.]
15. The following table describes the fields in this screen (Field: Description; Option/Example). Type: Press [CHOOSE BAR] to toggle through a total of 5 types. These are the mapping types discussed above plus a server type. Some examples follow to clarify these a little more. Options: One-to-One, Many-to-One, Many-to-Many Overload, Many-to-Many No Overload, Server. Local IP, Start: This is the starting local IP address (ILA). Example: 0.0.0.0. Local IP, End: This is the ending local IP address (ILA). If the rule is for all local IPs, then put the Start IP as 0.0.0.0 and the End IP as 255.255.255.255. This field is N/A for One-to-One type. Example: 255.255.255.255. Global IP, Start: This is the starting global IP address (IGA). If you have a dynamic IP, enter 0.0.0.0 as the Global Start IP. Example: 0.0.0.0. Global IP, End: This is the ending global IP address (IGA). This field is N/A for One-to-One, Many-to-One and Server types. Example: 200.1.1.64. Note: For all Local and Global IPs, the End IP address must begin after the IP Start address, i.e., you cannot have an End IP address beginning before the Start IP address. NAT Server Sets: The NAT Server Set is a list of LAN-side servers mapped to external ports (similar to the old SUA menu of before). If you wish, you can make inside servers for different services, e.g., Web or FTP, visible to the outside users, even though NAT makes your network appears
16. [Figure: PPTP protocol stack (IP/IPX/NBF, RAS): Windows 98 PPTP client with modem, Internet, NT RAS server.] PPTP appears as a new modem type (Virtual Private Networking Adapter) that can be selected when setting up a connection in the Dial-Up Networking folder. The VPN Adapter type does not appear elsewhere in the system. Since PPTP encapsulates its data stream in the PPP protocol, the VPN requires a second dial-up adapter. This second dial-up adapter for VPN is added during the installation phase of the Upgrade, in addition to the first dial-up adapter that provides PPP support for the analog or ISDN modem. PPTP is supported in Windows NT and Windows 98 already. Windows 95 needs to be upgraded with the Dial-Up Networking 1.2 upgrade. Configuration: This application note explains how to establish a PPTP connection with a remote private network in the Prestige SUA case. In ZyNOS, all PPTP packets can be forwarded to the internal PPTP Server (WinNT server) behind SUA. The port number of the PPTP has to be configured in the WEB GUI (Network > NAT > Port Forwarding) for Prestige to forward to the appropriate private IP address of the Windows NT server. [Figure: PPTP Client, Prestige, PPTP Server.] Example: The following example shows how to dial to an ISP via the Prestige and then est
17. Internet Access with an Internal Server. [Figure: Internet Access using NAT Many-to-One plus a Server Set. Client 1 (ILA1), Client 2 (ILA2), Client 3 (ILA3), FTP Server (ILA4); IGA assigned by ISP.] In this case, we do exactly as above (use the convenient pre-configured SUA Only set) and also go to Menu Network > NAT > Port Forwarding to specify the Internet Server behind the NAT, as shown below. [Screen: Network > NAT > Port Forwarding. Service Name, Server IP Address; entry FTP, 192.168.1.33.] 3. Using Multiple Global IP addresses for clients and servers (One-to-One, Many-to-One, Server Set mapping types are used). [Figure: Mapping Multiple IGAs for clients and servers. General Server 192.168.1.20; Other Clients 192.168.1.X; Prestige; FTP Server 1 192.168.1.10; FTP Server 2 192.168.1.11; 3 IGAs assigned by ISP.] In this case, we have 3 IGAs (IGA1, IGA2 and IGA3) from the ISP. We have two very busy internal FTP servers and also an internal general server for the web and mail. In this case, we want to assign the 3 IGAs in the following way, using 4 NAT rules. Rule 1 (One-to-One type) to map the FTP Server 1 with I
18. This is the descriptive name of the party that you will use this speed dial entry to call. This is the SIP number of the party that you will call. This field displays Use Proxy if calls to this party use one of your SIP accounts. This field displays the SIP server's or the party's IP address or domain name if calls to this party do not use one of your SIP accounts. Click this button to remove an entry from the speed dial phonebook. Click this button to change the speed dial entry. The speed dial entry displays in the Add New Entry section of the screen, where you can edit it. Click this button to remove all of the entries from the speed dial phonebook. Voice QoS setup: DSCP and Per-Hop Behavior. DiffServ is a class of service (CoS) model that marks packets so that they receive specific per-hop treatment at DiffServ-compliant network devices along the route, based on the application types and traffic flow. Packets are marked with DSCP indicating the level of service desired. This allows the intermediary DiffServ-compliant network devices to handle the packets differently depending on the code points, without the need to negotiate paths or remember state information for every flow. DiffServ defines a new DS (Differentiated Services) field to replace the TOS (Type of Service) field in the IP header. The DS field contains a 2 bi
19. Thus SUA is able to forward the incoming packets to the requested service behind SUA, and the outside users access the server using the Prestige's WAN IP address. So we have to configure the internal IPsec as a default server (unspecified service port) in menu 15 when it acts as a server gateway. PSTN Lifeline FAQ. What is P2802, and what is the difference between P2802HW and P2802HWL? P2802HW is a SIP-based VoIP analog telephone adapter. It allows you to send voice signals over the Internet (VoIP) via the SIP protocol, which is an internationally recognized standard for VoIP technology. The main difference between P2802HW and P2802HWL is in Lifeline support. P2802HWL supports the PSTN lifeline function. A PSTN lifeline allows you to have VoIP phone service and PSTN phone service at the same time. What does Lifeline mean? Lifeline means the ability to reach specified emergency rescue authorities (Police, Fire department, etc.) as you can on a regular phone line in case of emergency, even if P2802HWL loses power. Do I need Lifeline? Not everyone needs lifeline support on a VoIP telephone adapter. It depends on the government authority or ITSP provider, as in some countries lifeline support is mandatory by law. Can I connect more than one phone on the phone port? Yes, P2802HWL supports REN (Ringer Equivalence Number); it can determine the number of devices that are connected to the phone line. P2802HWL can support up to three devices per telephone port
20. please make sure the NAT router supports IPSec pass-through. 2. In the NAT case (either running on the front-end router or in the Prestige VPN box), only IPSec ESP tunneling mode is supported, since NAT conflicts with AH mode. 3. Source IP/Destination IP: Please do not number the LANs (local and remote) using the same exact range of private IP addresses. This will make the VPN destination addresses and the local LAN addresses indistinguishable, and VPN will not work. 4. Secure Gateway IP Address: This must be a public, routable IP address; a private IP is not allowed. That means it cannot be in the 10.x.x.x subnet, the 192.168.x.x subnet, nor in the range 172.16.0.0 - 172.31.255.255 (these address ranges are reserved by internet standard for private LAN numberings behind NAT devices). It is usually a static IP so that we can pre-configure it in Prestige for making VPN connections. If it is a dynamic IP given by the ISP, you can still configure this IP address after the remote Prestige is online and its WAN IP is available from the ISP. Does Prestige support dynamic secure gateway IP? If the remote VPN gateway uses a dynamic IP, we enter 0.0.0.0 as the Secure Gateway IP Address in Prestige. In this case, the VPN connection can only be initiated from the dynamic side to the fixed side in order to update its dynamic IP to the fixed side. However, if both gateway
21. [Screen: Global End IP: N/A; Server Mapping Set: 2; Edit Details.] [Screen: Default Server Setup. Default Server: 0.0.0.0; Server Mapping Set 2. Service Name, Server IP Address; entries: FTP, 192.168.1.33; WWW, 80-80, 192.168.1.36.] The most often used port numbers are shown in the following table. Please refer to RFC 1700 for further information about port numbers. Service: Port Number. FTP: 20/21. Telnet: 23. SMTP: 25. DNS (Domain Name Server): 53. www-http (Web): 80. PPTP (Point-to-Point Tunneling Protocol): 1723. 1. Internet Access Only. In our Internet Access example, we only need one rule where all our ILAs map to one IGA assigned by the ISP. See the following figure. [Figure: Internet Access Using NAT, Many-to-One Mapping. Client 1 (ILA1), Client 2 (ILA2), Client 3 (ILA3), Client 4 (ILA4); Prestige; IGA assigned by ISP.] [Screen: Network > NAT > General. Tabs: General, Port Forwarding, ALG. NAT Setup: Active Network Address Translation (NAT); Full Feature; Max NAT/Firewall Session Per User: 2048.] From the WEB GUI Network > NAT > General screen shown above, simply choose the SUA Only option in the NAT Setup. This is the Many-to-One mapping discussed earlier. 2
22. 1.1 Disable capturing of WAN packets by entering: sys trcp channel mpoa00 none
    1.2 Enable capturing of LAN packets by entering: sys trcp channel enet0 bothway
    1.3 Enable the trace log by entering: sys trcp sw on & sys trcl sw on
    1.4 Display the brief trace online by entering: sys trcd brief, or
    1.5 Display the detailed trace online by entering: sys trcd parse
    Example:
    ras> sys trcp channel mpoa00 none
    ras> sys trcp channel enet0 bothway
    ras> sys trcp sw on
    ras> sys trcl sw on
    ras> sys trcd brief
    0 11880.160 ENET0-R[0062] TCP 192.168.1.2:1108->192.31.7.130:80
    1 11883.100 ENET0-R[0062] TCP 192.168.1.2:1108->192.31.7.130:80
    2 11883.330 ENET0-T[0058] TCP 192.31.7.130:80->192.168.1.2:1108
    3 11883.340 ENET0-R[0060] TCP 192.168.1.2:1108->192.31.7.130:80
    4 11883.340 ENET0-R[0339] TCP 192.168.1.2:1108->192.31.7.130:80
    5 11883.610 ENET0-T[0054] TCP 192.31.7.130:80->192.168.1.2:1108
    6 11883.620 ENET0-T[0102] TCP 192.31.7.130:80->192.168.1.2:1108
    7 11883.630 ENET0-T[0054] TCP 192.31.7.130:80->192.168.1.2:1108
    8 11883.630 ENET0-R[0060] TCP 192.168.1.2:1108->192.31.7.130:80
    9 11883.2802HWL ENET0-R[0060] TCP 192.168.1.2:1108->192.31.7.130:80
    10 11883.2802HWL ENET0-R[0062] TCP 192.168.1.2:1109->192.31.7.130:80
    ras> sys trcd parse
    <0000>
23. 168 1 2 Destination IP OxCO01E0782 1927317130 TCP Header Source Port 0x045C 1116 165 All contents copyright c 2007 ZyXEL Communications Corporation ZyXEL Prestige 2802HW L Ix Support Notes Destination Port 0x0050 80 Sequence Number OxOOBDI5A8 12391848 Ack Number Ox4ADIB580 1255257472 Header Length EU Flags OIO CA e Window Size 0x2238 8760 Checksum OxE8ED 59629 Urgent Pir 0x0000 0 TCP Data Length 6 Captured 6 0000 20 20 20 20 20 20 RAW DATA 0000 00 AO C5 92 13 11 00 80 C8 4C EA 63 08 00 45 00 Der E 0010 00 28 35 0B 40 00 80 06 3C 79 CO A8 01 02 CO IF 5 lt y 0020 07 82 04 SC 00 50 00 BD 15 A8 4A DI BS 80 50 10 P J P 0030 22 38 E8 ED 00 00 20 20 20 20 20 20 goce 2 Trace WAN packet 1 1 Disable to capture the LAN packet by entering sys trcp channel enet0 none 1 2 Enable to capture the WAN packet by entering sys trcp channel enetl bothway 1 3 Enable the trace log by entering sys trcp sw on amp sys trcl sw on 1 4 Display the brief trace online by entering sys trcd brief or 1 5 Display the detailed trace online by entering sys trcd parse Example Pres Pres Pres Pres Pires 0 1 ige gt sys trep channel enetO none ige gt sys trcp channel enetl bothway ige gt sys trcp sw on ige gt sys trcl sw on ige gt sys trcd brief 12367 680 ENETI R 0070 UDP 202 132 155 95 520 2202 132 155 255 520 12370 980
24. 330 ENET 1883 340 ENET ET NET ET NET ET NET 1883 650 ENET 0 ie 0 Us 0 5 0 0 0 Oe 0 Prestige sys trcp sw on Prestige sys trcl sw on R 0062 R 0062 T 0058 R 0060 R 0339 T 0054 T 0102 T 0054 R 0060 R 0060 R 0062 Prestige sys trcd parse lt Q000 gt 5 22 LAN Frame ENETO RECV All contents copyright c 2007 ZyXEL Communications Corporation Size Prestige sys trcp channel enetl none Prestige sys trcp channel enetO bothway TCE ISD TEP 192 MRE Ee TCE 192 CE TIO DAS TCP 192 JOD TCP 192 TORIO TCP 192 TCR 192 62 62 Time 12089 790 sec 168 1 2 1108 2192 31 168 1 2 1108 2192 31 31 7 130 80 2192 168 168 1 2 1108 2192 31 168 1 2 1108 2192 31 31 7 130 80 2192 168 31 7 130 80 2192 168 31 7 130 80 2192 168 168 1 2 1108 2192 31 168 1 2 1108 2192 31 168 1 2 1109 2192 31 130 80 130 80 2 1108 130 80 130 80 2 1108 2 1108 2 1108 130 80 130 80 130 80 162 ZyXEL Prestige 2802HW L Ix Support Notes Frame Type TCP 192 168 1 2 1116 gt 192 31 7 130 80 Bthernet Header Destination MAC Addr 00A0C5921311 Source MAC Addr Network IP Header Type of Flags Fragmen Time to Protocol Source IP Destinati Type IP Version Header Length Service Total Length Idetification Offset lib
25. 802.1x request, the port remains in the unauthorized state and the client is not granted access to the network. When 802.1x is enabled, the authenticator controls the port authorization state by using the following control parameters. The following three authentication control parameters are applied in the Wireless AP: Force Unauthorized, Auto, Force Authorized. 1. Force Authorized: Disables 802.1x and causes the port to transition to the authorized state without any authentication exchange required. The port transmits and receives normal traffic without 802.1x-based authentication of the client. This is the default port control setting. While the AP is set up as Force Authorized, Wireless clients (802.1x clients or non-802.1x clients) can always access the network. 2. Force Unauthorized: Causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate. The authenticator cannot provide authentication services to the supplicants through the port. While the AP is set up as Force Unauthorized, Wireless clients (802.1x clients or non-802.1x clients) never have access to the network. 3. Auto: Enables 802.1x and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. The authentication process begins when the link sta
26. Configure in WEB GUI. Configuration: 1. From the Web Configurator main menu, click Network > Wireless LAN > General and select 802.1x. 2. Click Apply to make your setting work. [Screenshot: Network > Wireless LAN > General, showing the Wireless Setup fields (Active Wireless LAN, Network Name (SSID), Hide SSID, Channel Selection) and the Security fields (Security Mode, ReAuthentication Timer, Idle Timeout, Authentication Server IP Address, Port Number and Shared Secret, and the optional Accounting Server IP Address, Port Number and Shared Secret)] Using Internal Authentication Server: The ZyXEL Wireless Access Point has an internal authentication server for authenticating the wireless 802.1x client users. It holds a database of 32 users in total and allows up to 32 authorized users to log in to the Wireless AP simultaneously. When you use the internal authentication server, the ZyXEL wireless AP acts as both Authenticator and Authentication Server. By storing wireless 802.1x client profiles locally, your ZyXEL AP is able to authenticate wireless clients without interacting with an extra network RADIUS server. Follow the steps to add user accounts on your ZyXEL AP.
27. If we define the local IP addresses as the Internal Local Addresses (ILA) and the global IP addresses as the Inside Global Address (IGA), see the following figure. The term "inside" refers to the set of networks that are subject to translation. NAT operates by mapping the ILA to the IGA required for communication with hosts on other networks. It replaces the original IP source address (and TCP or UDP source port numbers) and then forwards each packet to the Internet ISP, thus making them appear as if they had come from the NAT system itself (e.g. the Prestige router). The Prestige keeps track of the original addresses and port numbers so incoming reply packets can have their original values restored. [Figure 1: Local/Global IP Addresses, showing the Prestige between the Inside Local Addresses (ILA) and, on the ISP side, the Inside Global Addresses (IGA)] 1. NAT Mapping Types: NAT supports five types of IP/port mapping. They are: 2. One to One: In One to One mode, the Prestige maps one ILA to one IGA. 3. Many to One: In Many to One mode, the Prestige maps multiple ILA to one IGA. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyNOS routers supported (the SUA only option in today's routers). 4. Many to Many Overload: In Many to Many Overload mode, the Prestige maps the multiple ILA to shared IGA.
28. Destination Port Sequence Number Ack Number Header Length Flags Window Size Checksum Urgent Ptr RAW DATA 0x0028 40 Ox7BOC 31500 0x02 0x00 ZOE C127 0x06 TCP 0x533C 21308 OxCA849B61 202 132 155 97 OxCOIF0782 192 31 7 130 Ox281E 10270 0x0050 80 0x00C18F63 12685155 OxD3E95DE9 3555286505 E20 Ox CA ED OxlDD5 7637 Ox7All 31249 0x0000 0 0000 00 AO C5 01 23 45 00 A0 C5 92 13 12 08 00 45 00 0010 00 28 7B 0C 40 00 7F 06 53 3C CA 84 9B 61 CO IF 0020 07 82 28 1E 00 50 00 CI 8F 63 D3 E9 5D E9 50 11 0030 1D D5 7A 11 00 00 Prestige> Offline Trace: 1. Trace LAN packet 2. Trace WAN packet. 1. Trace LAN packet: 1.1 Disable the capture of WAN packets by entering: sys trcp channel enet1 none. 1.2 Enable the capture of LAN packets by entering: sys trcp channel enet0 bothway. 1.3 Enable the trace log by entering: sys trcp sw on & sys trcl sw on. 1.4 Wait for packets to pass through the Prestige over the LAN. 1.5 Disable the trace log by entering: sys trcp sw off & sys trcl sw off. 1.6 Display the trace briefly by entering: sys trcp brief. 1.7 Display specific packets by using: sys trcp parse <from_index> <to_index>. Example: Prestige> sys trcp channel en
29. Metric stat Timer Use 192 168 3 0 00 24 enif0 1 DOPO 1 041b 0 0 192 1608 2 0 00 24 enif0 0 192 168 2 1 jl 041b 0 0 192 168 1 0 00 24 enifO TOT G8 el 1 041b 0 0 ras Two new protocol filter interfaces in menu 3 2 1 allow you to accept or deny LAN packets from to the IP alias and IP alias 2 go through the Prestige The filter set in menu 3 1 1s used for main network configured in menu 3 4 e IP Alias Setup 1 Edit the first network in WEB GUI menu Network gt LAN gt IP Alias by configuring the Prestige s first LAN IP address 52 All contents copyright c 2007 ZyXEL Communications Corporation ZyXEL Prestige 2802HW L Ix Support Notes gt Network gt LAN gt IP Alias IP DHCP Setup Glient List IP Alias IP Alias 1 V IP Alias 1 IP Address 192 168 2 1 IP Subnet Mask 255 255 255 0 RIP Direction None v RIP Version IP Alias 2 v iP Alias 2 IP Address 192468 333 IP Subnet Mask 255 255 255 0 RIP Direction None E RIP Version N A Key Settings IP Alias 1 2 Select the check box to configure another LAN network for ZyXEL Device IPAdd Enter IP address of your ZyXEL Device in dotted decimal notation ress Alternatively click the right mouse button to copy and or pate IP address IP pus Your ZyXEL device will automatically calculate the subnet mask based on the IP address ubne Mask the you assign Unless you are implementing subnetting use the subnet mask computed as
30. Configure in WEB Configurator: 1. From the Web Configurator main menu, go to Network > Wireless LAN > Local User Database. 2. Select one of the profiles and check the Active check box. 3. Input the User Name and Password, then click Apply to save the profile. [Screenshot: Network > Wireless LAN > Local User Database] Key settings (Option: Description): User Name: Enter a username up to 31 alphanumeric characters long. Active: Press SPACE BAR to select Yes and press Enter to activate this 802.1x client profile. Password: Enter a password up to 31 characters long. Using External RADIUS Authentication Server: In addition to the internal authentication server inside the ZyXEL AP, you can use an external RADIUS authentication server to centrally manage the user account profiles. RADIUS is based on a client-server model that supports authentication, authorization and accounting. The wireless AP is the client and the server is the RADIUS server. The authenticator includes the RADIUS client, which is responsible for encapsulating and decapsulating the Extensible Authentication Protocol (EAP) frames and interacting with the authentication se
31. ROMFILE via web configurator 121 How do I backup restore configurations by using FTP client program via DT e eM aaa e A E RU E 121 Why can t I make Telnet to Prestige from WAN seeeee 121 What should I do if I forget the system password sess 122 What is SUA When should I use SUA see 122 What is the difference between NAT and SUA ssssessees 122 How many network users can the SUA NAT support 123 What are Device filters and Protocol filters sesssss 123 Why can t I configure device filters or protocol filters 123 Product EAQUE ee see eT ERES 123 What is the Prestige Integrated Access Device sssssesses 123 Will the Prestige work with my Internet connection 124 What do I need to use the Prestige user reete e eee tenebo esas e 124 What 1s PPPOB AA uode bein Messe endis eee uci Decani tures 124 Does the Prestige support PPPOE tec iet eret terere ett egeat 124 How do I know I am using PPPOE ira oie dor Garewal 124 Why does my provider use PPPoE eeeseseeeeeeeneeen 125 Which Internet Applications can I use with the Prestige 125 How can I configure the Prestige cese eerte eter etienne 125 What network interface does the Prestige support
32. Start 1p Local End IP Global Start IP Global End IP Modify 1 T Gd Up Gd Gp GU GU d EP ED ED ED ED ED ED ED ED ED 24 All contents copyright c 2007 ZyXEL Communications Corporation ZyXEL Prestige 2802HW L Ix Support Notes Field Description Option Example This is the rule index number 0 0 0 0 for Local Start IP This is the starting local IP address ILA Many to One type This is the starting local IP address ILA If the rule is for all Local End IP local IPs then the Start IP is 0 0 0 0 and the End IP 1s 255 255 255 255 255 255 255 255 Global Start This is the starting global IP address IGA If you have a IP dynamic IP enter 0 0 0 0 as the Global Start IP Global End IP This is the ending global IP address IGA N A Type This is the NAT mapping types Many to One and Server Click the edit icon to go to the screen where you can edit the address mapping rule Modify Click the delete icon to delete an existing address mapping N A rule Note that subsequent address mapping rules move up by one when you take this action To edit an address mapping rule click the rule s edit icon in the Address Mapping screen to display the screen show next Network gt NAT gt Address Mapping Edit Address Mapping Rulel Type Local Start IP 0 0 0 0 Local End IP Global Start IP Global End IP Server Mapping Set Edit Details 25
33. WEP key? A WEP key is a user-defined string of characters used to encrypt and decrypt data. 128-bit WEP will not communicate with 64-bit WEP or 256-bit WEP. Although 128-bit WEP also uses a 24-bit Initialization Vector, it uses a 104-bit secret key. Users need to use the same encryption level in order to make a connection. Can the SSID be encrypted? WEP, the encryption standard for 802.11, only encrypts the data packets, not the 802.11 management packets, and the SSID is in the beacon and probe management messages. The SSID is not encrypted if WEP is turned on. The SSID goes over the air in clear text. This makes obtaining the SSID easy by sniffing 802.11 wireless traffic. By turning off the broadcast of SSID, can someone still sniff the SSID? Many APs by default have broadcasting the SSID turned on. Sniffers typically will find the SSID in the broadcast beacon packets. Turning off the broadcast of SSID in the beacon message (a common practice) does not prevent getting the SSID: since the SSID is sent in the clear in the probe message when a client associates to an AP, a sniffer just has to wait for a valid user to associate to the network to see the SSID. What are Insertion Attacks? The insertion attacks are based on placing unautho
34. a contract between two parties indicating what security parameters, such as keys and algorithms, they will use. What is IKE? IKE is short for Internet Key Exchange. Key Management allows you to determine whether to use IKE (ISAKMP) or manual key configuration to set up a VPN. There are two phases in every IKE negotiation: phase 1 (Authentication) and phase 2 (Key Exchange). Phase 1 establishes an IKE SA and phase 2 uses that SA to negotiate SAs for IPSec. What is Pre-Shared Key? A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to share it with another party before you can communicate with them over a secure connection. What are the differences between IKE and manual key VPN? The only difference between IKE and manual key is how the encryption keys and SPIs are determined. For IKE VPN, the key and SPIs are negotiated from one VPN gateway to the other. Afterward, the two VPN gateways use these negotiated keys and SPIs to send packets between the two networks. For manual key VPN, the encryption key, authentication key (if needed) and SPIs are predetermined by the administrator when configuring the security association. IKE is more secure than manual key, because IKE negotiation can generate new keys and SPIs randomly for the VPN connection. What is Ph
35. and DSL connection. To use both VoIP and regular phone service with the P2802HWL's lifeline feature, you will need to connect the ADSL line and phone line appropriately and make the proper configuration. Making the correct connection allows you to still receive phone calls while someone else is making an outgoing VoIP call through the Prestige's 2 POTS port. The following figure shows you how to connect your phone and DSL service. If your ADSL line type is Splitter type, your ISP will provide you with a splitter; otherwise it should be splitterless. For correct information, you may check with your service provider as to which type of line you have. [Figure 1: Splitter type] The P2802HWL includes a DSL cable and an RJ-11 cable. Connect the DSL cable to the DSL port and connect the RJ-11 to the Lifeline port. Connect the RJ-11 to the splitter phone jack or a telephone wall jack. Connect the DSL cable to the splitter modem jack or ADSL line. Connect the splitter jack labeled Line to the ADSL line from the ISP. [Figure 2: Splitterless type] The P2802HWL includes a DSL cable and an RJ-11 cable. Connect the DSL cable to the DSL port and connect the RJ-11 to the Lifeline port. You need to obtain a regular PSTN Y connector from a regular phone shop. Connect the RJ-11 to one of the ou
36. and hybrid codec. Each consumes a different amount of bandwidth and provides a different voice quality level. What is the relation of codec and VoIP? VoIP is a general term for sending voice information in digital form in discrete packets over a digital network, and this digital network is a public network, so there may be other packets, such as data packets, using the network at the same time. The codec chosen is related to how much bandwidth the voice packets will consume. In terms of bandwidth, the smaller the amount of bandwidth used, the better. But in terms of voice, the higher the quality, the better. What codec does Prestige support? The Prestige supports the following commonly used codecs: G.729 voice codec; G.711 u-law voice codec; G.711 a-law voice codec. Note: G.711 u-law or G.711 a-law is country specific, thus the ZyXEL device is shipped preconfigured to use u-law or a-law according to the specific country. If for a special reason this setting needs to be changed, it can be modified through a device CI command through telnet. For the command, please refer to the CI command list in the firmware release note. Which codec should I choose? Which codec to choose depends on what codec is supported on both ends of the VoIP hosts. Generally, a codec with low bandwidth consumption and high voice quality is a good codec. What do I need in order to use SIP? The minimum requ
37. as a single machine to the outside world. A server is identified by the port number, e.g. Web service is on port 80 and FTP on port 21. As an example (see the following figure), if you have a Web server at 192.168.1.36 and an FTP server at 192.168.1.33, then you need to specify for port 80 (Web) the server at IP address 192.168.1.36 and for port 21 (FTP) another at IP address 192.168.1.33. [Figure: Configure Multiple Servers behind NAT, showing the FTP Server (192.168.1.33) and the Web Server (192.168.1.36) behind the Prestige, which holds the Global IP assigned by the ISP] Please note that a server can support more than one service, e.g. a server can provide both FTP and Mail service, while another provides only Web service. The following procedures show how to configure a server behind NAT. Step 1: Enter Network > NAT > Address Mapping in the WEB GUI to go to Address Mapping Setup. Step 2: Enter Edit Details of Server Mapping Set to go to NAT Server Setup. Step 3: Select the service type in the Service Name field and the inside IP address of the server in the Server IP Address field. Step 4: Press the Add icon to add your configuration. After you define all the servers, press the Apply icon to save the settings. > Network > NAT > Address Mapping > Edit. Address Mapping Rule 1: Type: Server; Local Start IP: N/A; Local End IP: N/A; Global Start IP: 0
38. gt oIP gt SIP gt SIP Settings SO oos N SIP Account spt 7 SIP Settings M Active SIP Account Number 197 SIP Local Port 5060 1025 65535 SIP Server Address 220 130 46 198 SIP Server Port 5060 1 65535 REGISTER Server Address 220 130 46 198 REGISTER Server Port 5060 1 65535 SIP Service Domain 220 130 46 198 V Send Caller ID Authentication User Name ChangeMe Password mm Reset Advanced Setup 100 All contents copyright c 2007 ZyXEL Communications Corporation ZyXEL Prestige 2802HW L Ix Support Notes gt oIP gt Phone Book gt Speed Dial Incoming Call Policy 4 Speed Dial Speed Dial Speed Dial Number Name Type Use Proxy zor z Non Proxy Use IP or URL Add Speed Dial Phone Book 01 198 198 i 220 130 46 198 B d 02 B wi 03 E ou 04 B 05 B wi 06 B wi 07 B ou 08 BP 09 g wi 10 B uj Clear Reset 1 Setup WEB GUI VoIP enter device A s number in the SIP number column 2 Hill in device B s IP into SIP server address Register server address as example 3 Setup speed dial put device B s information into the column Setup Configuring SIP VoIP related settings in device B 101 All contents copyright c 2007 ZyXEL Communications Corporation ZyXEL Prestige 2802HW L Ix Support Notes gt VoIP gt SIP gt SIP Settings Sota oS SIP Account se x SIP Settings V Active SIP Accoun
39. of the day or week? Yes, but only one blocking period of time is supported currently on ZyXEL appliance. Can I override, block or allow certain URLs by wording? Yes, you can use keyword blocking to achieve this. How many URL keywords does Prestige support? 64 keywords are supported. IPSec FAQ. What is VPN? A VPN gives users a secure link to access the corporate network over the Internet or other public or private networks without the expense of leased lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication. Why do I need VPN? There are some reasons to use a VPN. The most common reasons are security and cost. Security: 1. Authentication: With authentication, the VPN receiver can verify the source of packets and guarantee the data integrity. 2. Encryption: With encryption, VPN guarantees the confidentiality of the original user data. Cost: 1. Cut long distance phone charges: Because users typically dial their local ISP for VPN, the long distance phone charge is reduced compared with making a long direct connection to the remote office. 2. Reducing number of access lines: Many companies pay monthly charges for two types ac
40. password on your computer to connect to the ISP, you are probably using PPPoE. If you are simply connected to the Internet when you turn on your computer, you probably are not. You can also check with your ISP or the information sheet given by the ISP. Please choose PPPoE as the encapsulation type in the Prestige if the ISP uses PPPoE. Why does my provider use PPPoE? PPPoE emulates a familiar Dial-Up connection. It allows your ISP to provide services using their existing network configuration over the broadband connections. Besides, PPPoE supports a broad range of existing applications and services, including authentication, accounting, secure access and configuration management. Which Internet Applications can I use with the Prestige? Most common applications include MIRC, PPTP, ICQ, Cu-SeeMe, NetMeeting, IP/TV, RealPlayer, VDOLive, Quake, QuakeII, QuakeIII, StarCraft & Quick Time. How can I configure the Prestige? a. Telnet remote management: menu-driven user interface for easy remote management. b. Web browser: web server embedded for easy configurations. What network interface does the Prestige support? The Prestige supports 10/100M Ethernet to connect to the LAN computer or hub/switch and 10/100M ADSL interface to the ISP. What can we do with Prestige? Browse the World Wide Web (WWW), send and receive individual e-mail
41. strength security 40 64 bit 128 bit or 256 bit respectively Your wireless client must match the security strength set on the router Please type exactly 5 13 or 29 characters or Please type exactly 10 26 or 58 characters using only the numbers 0 9 and the letters a f or A F Cancel Advanced Setup Key settings Hexadecimal digits have to preceded by Ox WEP Key type Example 64 bit WEP with 5 characters Key4z 98jui Key 1 0x123456789A 64 bit WEP with 10 hexadecimal digits Key2 0x23456789AB 0 9 A F Key3 0x3456789ABC 73 All contents copyright c 2007 ZyXEL Communications Corporation ZyXEL Prestige 2802HW L Ix Support Notes Key4 0x456789ABCD Key 1 2e3f4w345ytre Key2 5y7jse8r41038 Key3 24fg700kx3fr7 Key4 98jui2wss35u4 128 bit WEP with 13 characters Key 1 0x112233445566778899 AABBCDEF Key2 0x2233445566778899AABBCCDDEE Key3 0x3344556677889900AABBCCDDFF Key4 0x44556677889900A ABBCCDDEEFF 128 bit WEP with 26 hexadecimal digits 0 9 A F Select one of the WEP key as default Key to encrypt wireless data transmission The receiver will use the corresponding key to decrypt the data For example if access point use Key 3 to encrypt data then station will use Key 3 to decrypt data So the Key 3 of station has to equal to the Key 3 of access point Though access point use Key 3 as default key but the station can use the other Key as its default key to encry
42. they can receive data at speeds up to 30 Mbps. In the real world, with cost-conscious cable companies running the systems, the speed will probably fall to about 1.5 Mbps. What is Multi-NAT? NAT (Network Address Translation, NAT RFC 1631) is the translation of an Internet Protocol address used within one network to a different IP address known within another network. One network is designated the inside network and the other is the outside. Typically, a company maps its local inside network addresses to one or more global outside IP addresses and "unmaps" the global IP addresses on incoming packets back into local IP addresses. The IP addresses for the NAT can be either fixed or dynamically assigned by the ISP. In addition, you can designate servers, e.g. a web server and a telnet server, on your local network and make them accessible to the outside world. If you do not define any servers, NAT offers the additional benefit of firewall protection. In such a case, all incoming connections to your network will be filtered out by the Prestige, thus preventing intruders from probing your network. The SUA feature that the Prestige supported previously operates by mapping the private IP addresses to a global IP address. It is only one subset of the NAT. The Prestige with ZyNOS V3.00 supports most of the features of the NAT based on RFC 1631, and we call this feature Multi-NAT. For more information on IP address translation, please refer to RFC 1631, The I
43. wired LAN backbone. Wireless clients have their configurations set for "infrastructure mode" in order to utilise access point relaying. How many Access Points are required in a given area? This depends on the surrounding terrain, the diameter of the client population, and the number of clients. If an area is large with dispersed pockets of populations, then extension points can be used to extend coverage. What is Direct-Sequence Spread Spectrum Technology (DSSS)? DSSS spreads its signal continuously over a wide frequency band. DSSS maps the information-bearing bit pattern at the sending station into a higher data rate bit sequence using a "chipping" code. The chipping code (also known as processing gain) introduces redundancy, which allows data recovery if certain bit errors occur during transmission. The FCC rules that the minimum processing gain should be 10; typical systems use processing gains of 20. IEEE 802.11b specifies the use of DSSS. What is Frequency-hopping Spread Spectrum Technology (FHSS)? FHSS uses a narrowband carrier which hops through a predefined sequence of several frequencies at a specific rate. This avoids problems with fixed channel narrowband noise and simple jamming. Both transmitter and receiver must have their hopping sequences synchronized to create the effect of a single "logical channel". To an uns
44. 0 Ox281E 10270 0xD3E95985 3555285381 0x00C18F63 12685155 All contents copyright c 2007 ZyXEL Communications Corporation 167 ZyXEL Prestige 2802HW L Ix Support Notes Header Length 20 Flags EO C ADR Window Size OxFAFO 64240 Checksum 0x3735 14133 Uncen Ptr 0x0000 0 TCP Data Lengthz1127 Captured 42 0000 DF 33 AF 62 58 37 52 3D 79 99 A5 3C 2B 59 E2 78 3 bX7R y lt Y x 0010 A7 98 SE 3F A9 09 B4 OF 26 14 9C 58 3E 95 3B E7 2 amp X 5 0020 FC 2A 4C 2F FB BE 2F FE EF DO Foy eee RAW DATA 0000 00 AO C5 92 13 12 00 AO C5 01 23 45 08 00 45 00 HE E 0010 04 8B B1 39 40 00 EE 06 A9 AB CO IF 07 82 CA 84 9 0020 9B 61 00 50 28 IE D3 E9 59 85 00 Cl 8F 63 50 19 a P Y cP 0030 FA FO 37 35 00 00 DF 33 AF 62 58 37 52 3D 79 99 75 3 bX7R y 0040 A5 3C 2B 59 E2 78 A7 98 8F 3F A9 09 E4 OF 26 14 Y x amp 0050 9C 58 3B 95 3E E7 FC 2A 4C 2F FB BE 2F FE EF DO X gt gt L lt 0001 gt LAN Frame ENETI XMIT Size 54 54 Time 12387 490 sec Frame Type TCP 202 132 155 97 10270 gt 192 31 7 130 80 Ethernet Header Destination MAC Addr 00A0C5012345 Source MAC Addr 00A0C5921312 Network Type 0x0800 TCP IP IP Header IP Version 4 Header Length Type of Service 0x00 0 Total Length 0x0028 40 Idetification Ox7A0C 31244 Flags 0x0
45. 02 192 168 1 2 ICE Header Source Port 0x0050 80 Destination Port 0x044F 1103 Sequence Number OxD91B1826 3642431526 Ack Number 0x00AA405F 11157599 Header Length 24 Flags zx A Sn Window Size OxFAFO 64240 Checksum OxDCEF 56559 Urgent Ptr 0x0000 0 Options 0000 02 04 05 B4 RAW DATA 0000 00 80 C8 4C EA 63 00 A0 C5 92 13 11 08 00 45 00 L c IB 0010 00 2C 7F 02 40 00 ED 06 85 7D CO IF 07 82 CO A8 0 0020 01 02 00 50 04 4F D9 1B 18 26 00 AA 40 SF 60 12 P O amp 0 0030 FA FO DC EF 00 00 02 04 05 B4 Prestige> 2. Trace WAN packet: 1.1 Disable the capture of LAN packets by entering: sys trcp channel enet0 none. 1.2 Enable the capture of WAN packets by entering: sys trcp channel enet1 bothway. 1.3 Enable the trace log by entering: sys trcp sw on & sys trcl sw on. 1.4 Wait for packets to pass through the Prestige over the WAN. 1.5 Disable the trace log by entering: sys trcp sw off & sys trcl sw off. 1.6 Display the trace briefly by entering: sys trcp brief. 1.7 Display specific packets by using: sys trcp parse <from_index> <to_index>. Example Bres Pres Pres Pres Pres Bres Pres 0 1 2 3 4 5 1ge 1ge 1ge 1ge ige gt 1ge 1ge 12864 Sys Sys Sys Sys Sys Sys Sys 12864 12864 1
46. different types. The Prestige supports NAT sets on a remote node basis. They are reusable, but only one set is allowed for each remote node. The Prestige 2802HWL supports 8 sets since there are 8 remote nodes. The default SUA (Read Only) Set is a convenient, pre-configured, read-only, Many-to-One mapping set, sufficient for most purposes and helpful to people already familiar with SUA in previous ZyNOS versions. WEB GUI Menus: 1. Applying NAT in the WEB GUI: You apply NAT via WEB GUI Network > NAT > General, as displayed next. The next figure shows that you could apply NAT for Internet access (Full Feature). [Screenshot: Network > NAT > General, NAT Setup, with Active Network Address Translation (NAT), the SUA Only and Full Feature options, and Max NAT/Firewall Session Per User set to 2048] The following table describes the options for Network Address Translation (Field: Network Address Translation; Option: Description). Full Feature: When you select this option, the SMT will use Address Mapping Set 1 (Menu 15.1, see later for further discussion). None: NAT is disabled when you select this option. SUA Only: When you select this option, the SMT will use Address Mapping Set 255 (Menu 15.1, see later for further discussion). This option basically uses Many-to-One Overload mapping. Select Full Feature when you require other mapping types. It is a convenient
47. 05 15 00 00 Enter Debug Mode atgo (Compressed) Version: RAS P2802R, start: bfc58030 Length: 3DB3EC, Checksum: 9AA9 Compressed Length: 12AC58, Checksum: DC06 Copyright (c) 1994 - 2004 ZyXEL Communications Corp. initialize ch = 0, ethernet address: 00:a0:c5:d1:78:e9 Wan Channel init ... done VC5402 Init OK Press ENTER to continue... Enter Password: XXXX LAN/WAN Packet Trace: The Prestige packet trace records and analyzes packets running on the LAN and WAN interfaces. It is designed for users with technical backgrounds who are interested in the details of the packet flow on the LAN or WAN end of the Prestige. It is also very helpful for diagnostics if you have compatibility problems with your ISP or if you want to know the details of a packet for configuring a filter rule. The format of the display is as follows: Packet: 0 11880.160 ENET0-R[0062] TCP 192.168.1.2:1108->192.31.7.130:80 [index] [timer/second] [channel-receive/transmit] [length] [protocol] [sourceIP/port] [destIP/port]. There are two ways to dump the trace: 1. Online Trace: display the trace in real time on screen. 2. Offline Trace: capture the trace first and display it later. The details for capturing the trace with CLI commands are as follows: Online Trace: 1. Trace LAN packet 2. Trace WAN packet. 1. Trace LAN packet: 1
48. 07:18 192.168.1.1 ZyXEL Communications Corp.: board 0 line 0 channel 0, call 18, C02 Call Terminated. Packet triggered log: Format: sdemdSyslogSend SYSLOG_PKTTRI SYSLOG_NOTICE String; String = Packet trigger Protocol=xx Data=xxxxxxxxxx; Protocol: 1 IP, 2 IPX, 3 IPXHC, 4 BPDU, 5 ATALK, 6 IPNG; Data: we will send forty-eight hex characters to the server. Example: Jul 19 11:28:39 192.168.102.2 ZyXEL Communications Corp Packet Trigger EN Da t a 4500003c 100100001 f010004c0a86614ca849a7b508004a5c020001006162636465666768696a6b6c6d66 6 707172 1374 Jul 19 11:28:56 192.168.102.2 ZyXEL Communications Corp Packet Trigger Protocol 1 Dat a 4500002c1b0140001 f06b50ec0a86614ca849a7b0427001700195b3e00000000600220008cd40000020405b4 Filter log: This message is available when the Log is enabled in the filter rule setting. The message consists of the packet header and the log of the filter rules. Format: sdemdSyslogSend SYSLOG_FILLOG SYSLOG_NOTICE String; String = IP Src=xx.xx.xx.xx Dst=xx.xx.xx.xx prot spo=xxxx dpo=xxxx S04>R01mD. IP is the packet header, and S04>R01mD means filter set 4 (S) and rule 1 (R), match (m), drop (D). Src: Source Address; Dst: Destination Address; prot: Protocol (TCP, UDP, ICMP); spo: Source port; dpo: Destination port. Example: Jul 19 14:44:09 192.168.1.1 ZyXEL Communications Co
49. 0x00 mme to Live 0XED 237 Protocol 0x06 TCP Header Checksum OxAC8C 44172 Source IP OxCOIF0782 192 31 7 130 Destination IP 0xC0A80102 192 168 1 2 TCP Header Source Port 0x0050 80 Destination Port 0x045C 1116 Sequence Number Ox4ADIBS7F 1255257471 Ack Number OxOOBDI5A8 12391848 Header Length 24 Flags zx CARS Window Size OxFAFO 64240 All contents copyright c 2007 ZyXEL Communications Corporation 164 ZyXEL Prestige 2802HW L Ix Support Notes Checksum OxF877 63607 Urgent Ptr 0x0000 0 Options 0000 02 04 05 B4 RAW DATA 0000 00 80 C8 4C EA 63 00 A0 C5 92 13 11 08 00 45 00 L c E 0010 00 2C 57 F3 40 00 ED 06 AC 8C CO IF 07 82 CO A8 W 0020 01 02 00 50 04 5C 4A DI B5 7F 00 BD 15 A8 60 12 P J DE 0030 FA FO F8 77 00 00 02 04 05 B4 S lt Q002 gt LAN Frame ENETO RECV Size 60 60 Time 12090 210 sec Frame Type TCP 192 168 1 2 1116 gt 192 31 7 130 80 Ethernet Header Destination MAC Addr 00A0C5921311 Source MAC Addr 0080C84CEA63 Network Type 0x0800 TCP IP IP Header IP Version 4 Header Length E Type of Service 0x00 0 Total Length 0x0028 40 Idetification 0x350B 13579 Flags 0x02 Fragment Offset 0x00 Time to Live 0x80 128 Protocol 0x06 TCP Header Checksum 0x3C79 15481 Source IP 0xC0A80102 192
50. 110 38 101110 46 110000 48 111000 56 Quality of Service (QoS) refers to both a network's ability to deliver data with minimum delay and the networking methods used to provide bandwidth for real-time multimedia applications. Click VoIP > SIP > QoS to display the following screen. [Screen: SIP Settings. TOS: SIP TOS Priority Setting (0-255), RTP TOS Priority Setting 160 (0-255). LAN Tagging: Voice VLAN ID (0-4095). Apply, Reset.] The description of each field on the page is listed below. SIP TOS Priority: Type a priority for voice transmissions. The Prestige applies Type of Service priority tags with this priority to voice traffic that it transmits. RTP TOS Priority: Type a priority for voice transmissions. The Prestige applies Type of Service priority tags with this priority to RTP traffic that it transmits. Voice VLAN ID: Enable VLAN tagging if the Prestige needs to be a member of a VLAN group in order to communicate with the SIP server. Your LAN and gateway must also be set up to use VLAN tags. Some switches also give priority to voice traffic based on its VLAN tag. Type the VLAN ID (VID) from 1 to 4095 for the Prestige to add to voice Ethernet frames that it sends out to the network. Disable VLAN tagging if the Prest
51. 13 1 225 teca Using NAT / Multi-NAT. What is Multi-NAT? NAT (Network Address Translation, RFC 1631) is the translation of an Internet Protocol address used within one network to a different IP address known within another network. One network is designated the inside network and the other is the outside. Typically, a company maps its local inside network addresses to one or more global outside IP addresses and unmaps the global IP addresses on incoming packets back into local IP addresses. The IP addresses for the NAT can be either fixed or dynamically assigned by the ISP. In addition, you can designate servers, e.g. a web server and a telnet server, on your local network and make them accessible to the outside world. If you do not define any servers, NAT offers the additional benefit of firewall protection. In such a case, all incoming connections to your network will be filtered out by the Prestige, thus preventing intruders from probing your network. The SUA feature that the Prestige previously supported operates by mapping the private IP addresses to a global IP address. It is only one subset of NAT. The Prestige with ZyNOS V3.40 supports most of the features of NAT based on RFC 1631, and we call this feature Multi-NAT. For more information on IP address translation, please refer to RFC 1631, The IP Network Address Translator (NAT). How NAT works
52. 2 Fragment Offset = 0x00 Time to Live = 0x7F (127) Protocol = 0x06 Header Checksum = 0x543C (21564) Source IP = 0xCA849B61 (202.132.155.97) Destination IP = 0xC01F0782 (192.31.7.130) TCP Header: Source Port = 0x281E (10270) Destination Port = 0x0050 (80) Sequence Number = 0x00C18F63 (12685155) Ack Number = 0xD3E95DE9 (3555286505) Header Length = 20 Flags = 0x10 Window Size = 0x1DD5 (7637) Checksum = 0x7A12 (31250) Urgent Ptr = 0x0000 (0) RAW DATA: 0000: 00 A0 C5 01 23 45 00 A0 C5 92 13 12 08 00 45 00 0010: 00 28 7A 0C 40 00 7F 06 54 3C CA 84 9B 61 C0 1F 0020: 07 82 28 1E 00 50 00 C1 8F 63 D3 E9 5D E9 50 10 0030: 1D D5 7A 12 00 00 <0002> LAN Frame: ENET1-XMIT Size: 54/54 Time: 12387.490 sec Frame Type: TCP 202.132.155.97:10270 -> 192.31.7.130:80 Ethernet Header: Destination MAC Addr = 00A0C5012345 Source MAC Addr = 00A0C5921312 Network Type = 0x0800 (TCP/IP) IP Header: IP Version = 4 Header Length = 20 Type of Service = 0x00 (0) Total Length Idetification Flags Fragment Offset Time to Live Protocol Header Checksum Source IP Destination IP TCP Header Source Port
53. 2 character maximum string and is case sensitive. How do I secure the data across an Access Point's radio link? Enable Wired Equivalency Protocol (WEP) or Wi-Fi Protected Access (WPA) to encrypt the payload of packets sent across a radio link. What is WEP? Wired Equivalent Privacy (WEP) is a security mechanism defined within the 802.11 standard and designed to make the security of the wireless medium equal to that of a cable (wire). WEP data encryption was designed to prevent access to the network by intruders and to prevent the capture of wireless LAN traffic through eavesdropping. WEP allows the administrator to define a set of respective keys for each wireless network user, based on a Key String passed through the WEP encryption algorithm. Access is denied to anyone who does not have an assigned key. WEP comes in 40/64-bit and 128-bit encryption key lengths. Note: WEP has been shown to have fundamental flaws in its key generation processing. What is the difference between 40-bit and 64-bit WEP? 40-bit WEP and 64-bit WEP are the same encryption level and can interoperate. The lower level of WEP encryption uses a 40-bit (10 hex character) secret key set by the user and a 24-bit Initialization Vector not under user control (40 + 24 = 64). Some vendors refer to this level of WEP as 40-bit, others as 64-bit. What is a
54. 2865 Prestige sys 0003 LAN Frame: ENET1-RECV Size: 247/96 Time: 12865.120 sec Frame Type: TCP 204.217.0.2:80 -> 202.132.155.97:10278 trcp channel enet0 none trcp channel enet1 bothway trcl sw on trcp sw on trcl sw off trcp sw off trcp brief 800 ENET1 T 0411 TCP 202.132.155.97:10278 -> 204.217.0.2:80 890 ENET1 R 0247 TCP 204.217.0.2:80 -> 202.132.155.97:10282 900 ENET1 T 0416 TCP 202.132.155.97:10282 -> 204.217.0.2:80 12865 12865 120 ENET1 R 0247 TCP 204.217.0.2:80 -> 202.132.155.97:10278 130 ENET1 T 0411 TCP 202.132.155.97:10278 -> 204.217.0.2:80 220 ENET1 R 0247 TCP 204.217.0.2:80 -> 202.132.155.97:10282 trcp parse 3 4 Ethernet Header: Destination MAC Addr = 00A0C5921312 Source MAC Addr = 00A0C5591284 Network Type = 0x0800 (TCP/IP) IP Header: IP Version = 4 Header Length = 20 Type of Service = 0x00 (0) Total Length = 0x00E5 (229) Idetification = 0xE93B (59707) Flags = 0x02 Fragment Offset = 0x00 Time to Live = 0xF0 (240) Protocol = 0x06 (TCP) Header Checksum = 0x6E15 (28181) Source IP = 0xCCD90002 (204.217.0.2) Destination IP = 0xCA849B61 (202.132.155.97) TCP Header: Source Port = 0x0050 (80) Destination Port = 0x2826 (10278) Sequence Number = 0x4D713D8A (1299266954) Ack Number = 0x00C8
55. Application Notes. General Application Notes. Internet Connection. A typical Internet access application of the Prestige is shown below. For a small office, some components need to be checked before accessing the Internet: Before you begin; Setting up the Windows; Setting up the Prestige router; Troubleshooting. [Figure: Internet Access (SOHO Network, Prestige, Internet)] Before you begin: The Prestige is shipped with the following factory defaults: 1. IP address = 192.168.1.1, subnet mask = 255.255.255.0 (24 bits). 2. DHCP server enabled with IP pool starting from 192.168.1.33. 3. Default SMT menu password = 1234. Setting up the PC (Windows OS): 1. Ethernet connection. All PCs must have an Ethernet adapter card installed. If you only have one PC, connect the PC's Ethernet adapter to the Prestige's LAN port with a crossover (red one) Ethernet cable. If you have more than one PC, both the PCs' Ethernet adapters and the Prestige's LAN port must be connected to an external hub with straight Ethernet cable. 2. TCP/IP Installation. You must first install TCP/IP software on each PC before you can use it for Internet access. If you have already installed TCP/IP, go to the next section to configu
56. C015 (13156373) Header Length = 20 Flags = 0x18 Window Size = 0x2238 (8760) Checksum = 0xAB57 (43863) Urgent Ptr = 0x0000 (0) TCP Data (Length = 193, Captured = 42): 0000: 48 54 54 50 2F 31 2E 31 20 33 30 34 20 4E 6F 74 HTTP/1.1 304 Not 0010: 20 4D 6F 64 69 66 69 65 64 0D 0A 44 61 74 65 3A Modified..Date: 0020: 20 57 65 64 2C 20 30 37 20 4A Wed, 07 J RAW DATA: 0000: 00 A0 C5 92 13 12 00 A0 C5 59 12 84 08 00 45 00 0010: 00 E5 E9 3B 40 00 F0 06 6E 15 CC D9 00 02 CA 84 0020: 9B 61 00 50 28 26 4D 71 3D 8A 00 C8 C0 15 50 18 0030: 22 38 AB 57 00 00 48 54 54 50 2F 31 2E 31 20 33 0040: 30 34 20 4E 6F 74 20 4D 6F 64 69 66 69 65 64 0D 0050: 0A 44 61 74 65 3A 20 57 65 64 2C 20 30 37 20 4A <0004> LAN Frame: ENET1-XMIT Size: 411/96 Time: 12865.130 sec Frame Type: TCP 202.132.155.97:10278 -> 204.217.0.2:80 Ethernet Header: Destination MAC Addr = 00A0C5591284 Source MAC Addr = 00A0C5921312 Network Type = 0x0800 (TCP/IP) IP Header: IP Version = 4 Header Length = 20 Type of Service = 0x00 (0) Total Length = 0x018D (397) Idetification = 0xF20C (61964) Flags = 0x02 Fragment Offset = 0x00 Time to Live = 0x7F (127) Protocol = 0x06 (TCP) Header Checksu
57. [Screen: SIP Settings. SIP Local Port 5060 (1025-65535), SIP Server Address, SIP Server Port 5060 (1-65535), REGISTER Server Address, REGISTER Server Port 5060 (1-65535), SIP Service Domain, Send Caller ID; Authentication: User Name, Password; Apply, Reset, Advanced Setup.] With the account information provided by your ITSP, you may now start. Step 1: Open the web browser on your workstation and connect to the Prestige by entering the management IP address of the Prestige (LAN IP address). The default management IP of the Prestige is 192.168.1.1. Step 2: Enter the administrator password on the login page and click Login. The default is 1234. Step 3: On the left column, click VoIP to bring up the VoIP configuration menu, then click SIP. While in the SIP Settings page, use the account selector on the upper right of the page to select the SIP account you would like to configure. Step 4: Check the Active SIP box if you would like to use this account, and fill in the account information the ITSP provided you in the SIP setting category, which will normally include your SIP number, SIP local port, SIP server address, SIP server port, Register server port, Register server address and SIP service domain. Step 5: In the Authentication category, fill in the User Name and authentication p
58. Select RFC 2833 to send the DTMF tones in RTP packets. Select PCM (Pulse Code Modulation) to include the DTMF tones in the voice data stream. This method works best when you are using a codec that does not use compression (like G.711). Codecs that use compression (like G.729) could distort the tones. Select SIP INFO to send the DTMF tones in SIP messages. MWI (Message Waiting Indication): Enable Message Waiting Indication (MWI) to have your phone give you a message-waiting (beeping) dial tone when you have a voice message(s). Your voice service provider must have a messaging system that supports this feature. Expiration Time: Use this field to set how long the SIP server should continue providing the message waiting service after receiving a SIP SUBSCRIBE message from the Prestige. The SIP server stops providing the message waiting service if it has not received another SIP SUBSCRIBE message from the Prestige before this time period expires. Call Forward Table: Select which call forwarding table you want the Prestige to use to block or redirect calls. You can use a different call forwarding table for each SIP account or use the same call forwarding table for both. Back: Click Back to return to the previous screen without saving configuration changes. Apply: Click Apply to save your changes back to the Prestige. Phone book Speed dial: Prestige allows you to configure up t
59. provides cryptographic security services. These services allow for authentication, integrity, access control and confidentiality. IPSec allows the information exchanged between remote sites to be encrypted and verified. You can create encrypted tunnels (VPNs) or just do encryption between computers. Since you have so many options, IPSec is truly the most extensible and complete network security solution. What secure protocols does IPSec support? There are two protocols provided by IPSec: AH (Authentication Header, protocol number 51) and ESP (Encapsulated Security Payload, protocol number 50). What are the differences between Transport mode and Tunnel mode? The IPSec protocols (AH and ESP) can be used to protect either an entire IP payload or only the upper-layer protocols of an IP payload. Transport mode is mainly for an IP host to protect the data generated locally, while tunnel mode is for a security gateway to provide IPSec service for other machines lacking IPSec capability. In this case, Transport mode only protects the upper-layer protocols of the IP payload (user data). Tunneling mode protects the entire IP payload including user data. There is no restriction that the IPSec hosts and the security gateway must be separate machines. Both IPSec protocols, AH and ESP, can operate in either transport mode or tunnel mode. What is SA? A Security Association (SA) is
60. DNS server auto detect IP Address. Key Settings for using the DDNS function. Active Dynamic DNS: Select this check box to use dynamic DNS. Service Provider: Enter the DDNS server in this field. Currently we support WWW.DYNDNS.ORG. Dynamic DNS Type: Select the type of service that you are registered for from your Dynamic DNS service provider. Host Name: Enter the hostname you subscribe from the above DDNS server. You can specify up to two host names in the field, separated by a comma. User Name: Enter the user name. Password: Enter the password that the DDNS server gives to you. Enable Wildcard Option: Select the check box to enable DynDNS Wildcard. Enable off line option: This option is available when CustomDNS is selected in the DDNS Type field. Check with your Dynamic DNS service provider to have traffic redirected to a URL that you can specify while you are off line. Use WAN IP Address: Select this option to update the IP address of the host name to the WAN IP address. Dynamic DNS server auto detect IP Address: Select this option only when there are one or more NAT routers between the ZyXEL Device and the DDNS server. This feature has the DDNS server automatically detect and use the IP address of the NAT router that has a public IP address. NOTES: The DDNS server may not be ab
61. What makes Prestige firewall secure? What are the basic types of firewalls? What kind of firewall is the Prestige? Why do you need a firewall when your router has packet filtering and NAT? What is Denials of Service (DoS) attack? What is Ping of Death attack? What is Teardrop attack? What is SYN Flood attack? What is LAND attack? What is Brute force attack? What is IP Spoofing attack? What are the default ACL firewall rules in Prestige? How can I protect against IP spoofing attacks? Content Filter FAQ. MP SSCA ondes teca eq edi dot Una utens an eaten QU ten nia dat. What is VPN? Why do I need VPN? What are most common VPN protocols? What is PPTP? What is L2TP? What is IPSec? What secure protocols does IPSec support?
62. ENET1 T 0062 TCP 202.132.155.97:10261 -> 192.31.7.130:80 AID UN A W N 12373 940 12374 930 12374 940 12374 940 12375 320 12375 360 E lee z EE en les es t E sr es les T1 T 0062 T1 R 0064 T1 T 0054 T1 T 0438 T1 R 0064 T1 R 0090 T0p22025192 155 0 10261 2102 31 7 130280 TCP 192 31 7 130 80 2202 132 155 97 10261 TCR 2027 152 155197 102601 2192 95 9 130780 10p 202 152 155507 10261 192 5 9 15080 TCP 192 31 7 130 80 2202 132 155 97 10261 UDR 2027S 155 95520202 2 510 56 5 e MEM T ee Prestige sys trcd parse i eese eds LAN Frame: ENET1-RECV Size: 1181/96 Time: 12387.260 sec Frame Type: TCP 192.31.7.130:80 -> 202.132.155.97:10270 Ethernet Header: Destination MAC Addr = 00A0C5921312 Source MAC Addr = 00A0C5012345 Network Type = 0x0800 (TCP/IP) IP Header: IP Version = 4 Header Length = 20 Type of Service = 0x00 (0) Total Length = 0x048B (1163) Idetification = 0xB139 (45369) Flags = 0x02 Fragment Offset = 0x00 Time to Live = 0xEE (238) Protocol = 0x06 (TCP) Header Checksum = 0xA9AB (43435) Source IP = 0xC01F0782 (192.31.7.130) Destination IP = 0xCA849B61 (202.132.155.97) TCP Header (Source Port, Destination Port, Sequence Number, Ack Number): 0x0050 8
63. FTP servers are allowed on the LAN for outside access. In previous ZyNOS versions that supported SUA, visible servers had to be of different types. The Prestige supports NAT sets on a remote node basis. They are reusable, but only one set is allowed for each remote node. The Prestige supports 2 sets since there is only one remote node. The default SUA (Read Only) Set in menu 15.1 is a convenient, pre-configured, read-only, Many-to-One mapping set, sufficient for most purposes and helpful to people already familiar with SUA in previous ZyNOS versions. What is BOOTP/DHCP? BOOTP stands for Bootstrap Protocol. DHCP stands for Dynamic Host Configuration Protocol. Both are mechanisms by which a server dynamically assigns an IP address to a TCP/IP client. In this case, the Prestige Internet Access Sharing Router is a BOOTP/DHCP server. Win95 and WinNT clients use DHCP to request an internal IP address, while WFW and WinSock clients use BOOTP. TCP/IP clients may specify their own IP or utilize BOOTP/DHCP to request an IP address. What is DDNS? The Dynamic DNS service allows you to alias a dynamic IP address to a static hostname, allowing your computer to be more easily accessed from various locations on the Internet. To use the service, you must first apply for an account from one of several free Web servers such as WWW.DYNDNS.ORG. Without DDNS, we always tell the users to use the WAN IP of the 312 to reach our internal server. It is inconvenient for the users if t
64. LA1 192.168.1.10 to IGA1. Rule 2: One-to-One type to map the FTP Server 2 with ILA2 (192.168.1.11) to IGA2. Rule 3: Many-to-One type to map the other clients to IGA3. Rule 4: Server type to map a web server and mail server with ILA3 (192.168.1.20) to IGA3. Type Server allows us to specify multiple servers of different types to other machines behind NAT on the LAN. Step 1: In this case, we need to configure Address Mapping Set 1 from the Network > NAT > Address Mapping menu. Therefore, we must choose the Full Feature option in Network > NAT > General. [Screen: Network > NAT > General. NAT Setup: Active Network Address Translation (NAT), SUA Only, Full Feature; Max NAT/Firewall Session Per User 2048.] Step 2: Go to menu 15.1 and choose 1 (not 255, SUA, this time) to begin configuring this new set. Enter a Set Name, choose the Edit Action and then select 1 from the Select Rule field. Press ENTER to confirm. See the following setup for the four rules in our case. Rule 1 Setup: Select One-to-One type to map the FTP Server 1 with ILA1 (192.168.1.10) to IGA1. Screen: Network > NAT > Address Mapping, Edit Address Mapping Rule 1. Type: One-to-One. Local Start IP: 192.168.1.10. Local End IP: N/A. Global Start IP. Globa
65. N Lifeline. By using the PSTN lifeline function, you can make and receive regular PSTN phone calls alongside VoIP service on the same phone set. This is done by assigning a prefix number (by default the prefix for PSTN dial-out is 0000, and it can be changed to a value you wish) and dialing this prefix to switch over to the PSTN line, then dialing the PSTN number as normal. Furthermore, when the P2802HWL D1A experiences power loss, such as in an earthquake or other natural hazard that causes power loss, it will automatically switch to the PSTN line, and you can dial a regular phone number without dialing a prefix number. This can be applied in emergency situations, such as contacting police, fire or emergency medical services when there is no power. The following section tells you how to configure lifeline in the P2802HWL D1A WEB GUI. Lifeline configuration: To configure lifeline in the P2802HWL, click VoIP > PSTN Line > General to display the following screen. [Screen: VoIP > PSTN Line > General. Call through PSTN Line: PSTN Line Pre-fix Number 0000; Relay to PSTN Line (entries 1 to 9); Apply, Reset.] You can specify a prefix number in the prefix field. This number will be used to switch from VoIP to PSTN sy
66. N cable attached on the Prestige. Enter SMT using the console port. Enter Menu 24.8 (CI command mode). Type the following commands: sys trcp sw on (turn on packet trace); sys errctl 3 (save crash information and make system enter debug mode after the crash); poe debug 1 (turn on pppoe debug); dev dial 1 (dial remote node 1). 5. After all, if the Prestige crashes and you can do nothing, please send the above log back to us. 6. If the Prestige crashes and you are able to enter commands, please type atds in debug mode to dump the log and send the log to us. 7. If the Prestige does not crash but just can not dial out, please capture the following further log and send us the log: sys trcp sw off (turn off packet trace); sys log disp (capture system error log); sys trcp parse (parse the trace in detail). Example: A trace with system crashes. ras> sys trcp sw on ras> sys errctl 3 ras> poe debug 1 ras> dev dial 1 Start dialing for node <GPMI> poeNetCmdExe chann poe0 event x420 poeChannDial start session peer <GPMI> bdcastInit pch poed poePutiSrvcName len 0 host uniq 31303030 len 4 putPoeHdr ver 1 type 1 code x09 sess id 0 len 12 x000C bdcastSendInit ll pktTx failed pch poe0 ch enet0 poePutiSrvcName len 0 host uniq 31303030 len 4 putPoeHdr
67. Bootbase Version V1 10 12 02 2004 14 00 00 RAM Size 16384 Kbytes FLASH Intel 16M 1 ZyNOS Version V3 40 RE 0 01 27 20
68. P the Prestige must inform the DDNS server of the change of this IP so that the server can update its IP-to-DNS entry. Once the IP-to-DNS table in the DDNS server is updated, the DNS name for your web server (i.e., www.zyxel.com.tw) is still usable. The DDNS server stores password-protected email addresses with IPs and hostnames and accepts queries based on email addresses. So there must be an email entry in the Prestige menu 1. The DDNS server the Prestige currently supports is WWW.DYNDNS.ORG, where you apply for the DNS name and update the WAN IP to. Setup the DDNS: Before configuring the DDNS settings in the Prestige, you must first register an account with the DDNS server, such as WWW.DYNDNS.ORG. After the registration, you have a hostname for your internal server and a password used to update the IP to the DDNS server. Go to Advanced > Dynamic DNS in the WEB GUI, select the Active Dynamic DNS checkbox and press Apply to configure the settings of the DDNS. Screen: Advanced > Dynamic DNS, Dynamic DNS Setup. Active Dynamic DNS; Service Provider: WWW.DynDNS.ORG; Dynamic DNS Type: Dynamic DNS; Host Name; User Name; Password; Enable Wildcard Option; Enable off line option (Only applies to custom DNS). IP Address Update Policy: Use WAN IP Address; Dynamic
69. P Network Address Translator (NAT). When do I need Multi-NAT? Make local server accessible from outside Internet: When NAT is enabled, the local computers are not accessible from outside. You can use Multi-NAT to make an internal server accessible from outside. Support Non-NAT Friendly Applications: Some servers providing Internet applications, such as some mIRC servers, do not allow users to log in using the same IP address. Thus, users on the same network can not log in to the same server simultaneously. In this case, it is better to use the Many-to-Many No Overload or One-to-One NAT mapping types, so that each user logs in to the server using a unique global IP address. What IP/Port mapping does Multi-NAT support? NAT supports five types of IP/port mapping. They are: One to One, Many to One, Many to Many Overload, Many to Many No Overload, and Server. The details of the mapping between ILA and IGA are described below. Here we define the local IP addresses as the Internal Local Addresses (ILA) and the global IP addresses as the Inside Global Address (IGA). 1. One to One: In One-to-One mode, the Prestige maps one ILA to one IGA. 2. Many to One: In Many-to-One mode, the Prestige maps multiple ILA to one IGA. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyNOS routers s
70. P addresses configured in the Tolerance Check WAN IP Address fields without getting a response before switching to a WAN backup connection (or a different WAN backup connection). Labels: Recovery Interval, Timeout, Traffic Redirect, Active, Metric, Backup Gateway, Back, Apply, Cancel. Recovery Interval: When the Prestige is using a lower priority connection (usually a WAN backup connection), it periodically checks whether or not it can use a higher priority connection. Type the number of seconds (80 recommended) for the Prestige to wait between checks. Allow more time if your destination IP address handles lots of traffic. Type the number of seconds (3 recommended) for your Prestige to wait for a ping response from one of the IP addresses in the Check WAN IP Address fields before timing out the request. The WAN connection is considered down after the Prestige times out the number of times specified in the Fail Tolerance field. Use a higher value in this field if your network is busy or congested. Select this check box to have the Prestige use traffic redirect if the normal WAN connection goes down. If you activate traffic redirect, you must configure at least one Check WAN IP Address. This field sets this route's priority among the routes the Prestige uses. The metric represents the cost of
71. Prestige 2802HW L Ix Support Notes, Version 3.40. Unleash Networking Power. Index. Application Notes. General Application Notes: Internet Connection; Setup the Prestige as a DHCP Relay; Configure an Internal Server Behind SUA; Configure a PPTP server Behind SUA; Using NAT / Multi-NAT; Using the Dynamic DNS (DDNS); Network Management Using SNMP; Using syslog; Using IP Alias; Using IP Multicast; Using Prestige traffic redirect; Using Universal Plug n Play (UPnP). Wireless Application Notes: Infrastructure; Wireless MAC address filtering; WEP configuration (Wired Equivalent Privacy); Configuring 802.1x; Site Survey. PSTN Lifeline Applicatio
72. Prestige allows you to transfer the firmware from/to the Prestige by using an FTP program via LAN. The procedure for uploading ZyNOS via FTP is as follows. a. To upgrade firmware, use an FTP client program to put the firmware in file ras in the Prestige. After data transfer is finished, the Prestige will program the upgraded firmware into FLASH ROM and reboot itself. Note: Do not power off the unit after uploading the file via FTP until the system LED has become steadily lit. Failing to do so may result in update failure and require RMA. b. To back up your firmware, use the FTP client program to get file ras from the Prestige. How do I upload or backup ROMFILE via web configurator? In some situations, you may need to upload the ROMFILE, for example to restore a previously saved configuration or to reset SMT to factory default. The procedure for uploading ROMFILE via the web configurator is as follows. Log on to the web configurator. Press MAINTENANCE from the left menu. Press Configuration tab. Press Restore tab and press Browse button, and point to the directory where the romfile you want to upload is stored. Press Upload button. The procedure for backing up ROMFILE via the web configurator is as follows. Log on to the web configurator. Press MAINTENANCE from the left menu. Press Configuration tab. Pres
73. S or DSSS. What is 802.11b? 802.11b is the first revision of the 802.11 standard, allowing data rates up to 11 Mbps in the 2.4 GHz ISM band. Also known as 802.11 High Rate and Wi-Fi. 802.11b only uses DSSS; the maximum speed of 11 Mbps has fallbacks to 5.5, 2 and 1 Mbps. How fast is 802.11b? The IEEE 802.11b standard has a nominal speed of 11 megabits per second (Mbps). However, depending on signal quality and how many other people are using the wireless Ethernet through a particular Access Point, usable speed will be much less (on the order of 4 or 5 Mbps, which is still substantially faster than most dialup, cable and DSL modems). What is 802.11a? 802.11a is the second revision of 802.11, which operates in the unlicensed 5 GHz band and allows transmission rates of up to 54 Mbps. 802.11a uses OFDM (orthogonal frequency division multiplexing) as opposed to FHSS or DSSS. Higher data rates are possible by combining channels. Due to the higher frequency, range is less than that of lower frequency systems (i.e., 802.11b and 802.11g), which can increase the cost of the overall solution because a greater number of access points may be required. 802.11a is not directly compatible with 802.11b or 802.11g networks. In other words, a user equipped with an 802.11b or 802.11g radio card will not be able to interface directly to an 802.11a access point. Multi-mode NIC
74. S will solve this problem. What is 802.11g? 802.11g is an extension to 802.11b. 802.11g increases 802.11b's data rates to 54 Mbps and still utilises the 2.4 GHz ISM band. Modulation is based upon OFDM (orthogonal frequency division multiplexing) technology. An 802.11b radio card will interface directly with an 802.11g access point (and vice versa) at 11 Mbps or lower, depending on range. The range at 54 Mbps is less than for 802.11b operating at 11 Mbps. Is it possible to use products from a variety of vendors? Yes, as long as the products comply with the same IEEE 802.11 standard. The Wi-Fi logo is used to define 802.11b-compatible products. Wi-Fi5 is a compatibility standard for 802.11a products running in the 5 GHz band. What is Wi-Fi? The Wi-Fi logo signifies that a product is interoperable with wireless networking equipment from other vendors. A Wi-Fi logo product has been tested and certified by the Wireless Ethernet Compatibility Alliance (WECA). The Socket Wireless LAN Card is Wi-Fi certified, and that means that it will work (interoperate) with any brand of Access Point that is also Wi-Fi certified. What types of devices use the 2.4 GHz band? Various spread spectrum radio communication applications use the 2.4 GHz band. This includes WLAN systems (not necessarily of the type IEEE 802.11b), cordless phones, wireless medica
75. Send Caller ID; Advanced Setup; Apply. Type the IP address of the SIP server in this field. Enter the SIP server's listening port for SIP in this field. Leave this field set to the default if your VoIP service provider did not give you a local port number for SIP. A SIP register server maintains a database of SIP identity-to-IP address (or domain name) mapping. The register server checks your user name and password when you register. Enter the SIP register server's address in this field. If you were not given a register server address, then enter the address from the SIP Server Address field again here. Enter the SIP register server's listening port for SIP in this field. If you were not given a register server port, then enter the port from the SIP Server Port field again here. A SIP service domain is the domain name that comes after the @ symbol in a full SIP URI. Enter the SIP service domain name in this field. You can use up to 127 ASCII Extended set characters. This is the user name for registering this SIP account with the SIP register server. Type the user name exactly as it was given to you. Use ASCII characters. Type the password associated with the user name above. Use ASCII Extended set characters. Select this check box to show identification information when you make VoIP calls. Clear this check box to not show identification information when you make VoIP calls. Click Advanced Setup to open a screen where you ca
76. (Screenshot: Link Info page showing State, BSSID, Current Channel, Current Transfer Rate, Current Service Set Identifier, Tx/Rx Total Frames, Link Quality and Signal Strength.) 6. After the client has associated with the selected AP, the linked AP's channel, current link-up rate, SSID, link quality and signal strength will show on the Link Info page. You have now successfully associated with the selected AP in Infrastructure Mode. Wireless MAC address filtering. MAC Filter Overview: Users can use MAC Filter as a method to restrict unauthorized stations from accessing the APs. ZyXEL's APs provide the capability for checking the MAC address of the station before allowing it to connect to the network. This provides an additional layer of control in that only stations with registered MAC addresses can connect. This approach requires that the list of MAC addresses be configured. (Screenshot: MAC Filter List.) 2. ZyXEL MAC Filter Implementation: ZyXEL's MAC Filter Implementation allows users to define a list to allow or block association from STAs. The filter set allows users to input 12 entries in the list. If Allow Association is selected, all other STAs which are n
77. What iS WEP MC 158 What is the difference between 40 bit and 64 bit WEP 2 158 M Batas a WEP Key eec ulia tese d dua cb ise dashed seach gve NR 158 A WEP key is a user defined string of characters used to encrypt and lalea Ta Laa e WEEE E A E Edd 158 Can the SSID be encrypted 12 suisse etn siad nnii 158 By turning off the broadcast of SSID can someone still sniff the SSID 159 What are Insertion Attacks 9i sa ee oet Lh Te afe ti bna 159 What is Wireless Sniffer inosia la meiste e NER nee 159 What is the difference between Open System and Shared Key of Authentication Lye Josep ero m aude an cae edu T te eee 159 Whatis 609 X9 2a pet ne Ares at coat iota si utu estote tue ue cal 159 What is the difference between No authentication required No access allowed and Authentication required sssseeeeeee 160 7 All contents copyright c 2007 ZyXEL Communications Corporation ZyXEL Prestige 2802HW L Ix Support Notes Whiat 1s AAA Peien anaia a ei a aTa EE OAA TAARE AE 160 A Bats RADIUS soe oce ath Satie E E O iS RE 160 What 1s WP scite tuse ii n E E ET E 160 What is WEASBSK sci ci ee redis risus epu ec malia 161 Trouble Shooting reos ccr pa hx n EH p Fed etry tel L a b d Ee VERRE ys 161 Using Embedded Packet Trace petet etn as 161 Debug PPPOE Comme Ct OM senrose tee ed ee ee e dede vod tage ino de ge bee toe etus 176 CLI Command List coiris n reri rti serio cun eei E E Ke du 187 8
78. ablish a tunnel to a private network. There are three items that you need to set up for the PPTP application: the PPTP server (WinNT), the PPTP client (Win9x) and the Prestige. PPTP server setup (WinNT): Add the VPN service from Control Panel > Network. Add a user account for the PPTP logged-on user. Enable the RAS port. Select the network protocols from RAS, such as IPX, TCP/IP, NetBEUI. Set the Internet gateway to the Prestige. PPTP client setup (Win9x): Add one VPN connection from Dial-Up Networking by entering the correct username and password and the Prestige's Internet IP address for logging on to the NT RAS server. Set the Internet gateway to the router that is connecting to the ISP. Prestige router setup: Before making a VPN connection from Win9x to the WinNT server, you need to connect the Prestige router to your ISP first. Go to WEB GUI, Network > NAT > Port Forwarding. Enter the IP address of the PPTP server (WinNT server) and specify the Service Name for PPTP as shown below. (Screenshot: Network > NAT > Port Forwarding, with Default Server 0.0.0.0 and a port forwarding entry for PPTP, ports 1723 to 1723, server IP address 192.168.1.10.) When you have finished the above settings, you can ping to the remo
79. alls, ceilings, furniture, etc. 2. Building materials: metal doors, aluminum studs. 3. Electrical devices: microwaves, monitors, electric motors. Solution: 1. Minimize the number of walls and ceilings. 2. Position the antenna for best reception. 3. Keep WLAN products away from electrical devices, e.g. microwaves, monitors, electric motors, etc. 4. Add additional APs if necessary. What's the difference between a WLAN and a WWAN? WLANs are generally privately owned wireless systems that are deployed in a corporation, warehouse, hospital or educational campus setting. Data rates are high and there are no per-packet charges for data transmission. WWANs are generally publicly shared data networks designed to provide coverage in metropolitan areas and along traffic corridors. WWANs are owned by a service provider or carrier. Data rates are low and charges are based on usage. Specialized applications are characteristically designed around short, burst messaging. What is Ad Hoc mode? A wireless network that consists of a number of stations without access points, that is, without using an access point or any connection to a wired network. What is Infrastructure mode? Infrastructure mode implies connectivity to a wired communications infrastructure. If such connectivity is required, the Access Points must be used to connect to the
80. and download software. These are just a few of the many benefits you can enjoy when you put the whole office on-line with the Prestige Internet Access Sharing Router. Does Prestige support dynamic IP addressing? The Prestige supports either a static or dynamic IP address from the ISP. What is the difference between the internal IP and the real IP from my ISP? Internal IPs are sometimes referred to as virtual IPs. They are a group of up to 255 IPs that are used and recognized internally on the local area network. They are not intended to be recognized on the Internet. The real IP from the ISP, instead, can be recognized or pinged by another real IP. The Prestige Internet Access Sharing Router works like an intelligent router that routes between the virtual IP and the real IP. How does e-mail work through the Prestige? It depends on what kind of IP you have: static or dynamic. If your company has a domain name, it means that you have a static IP address. Suppose your company's e-mail address is xxx@mycompany.com. Joe and Debbie will be able to send e-mail through the Prestige Internet Access Device using jane@mycompany.com and debbie@mycompany.com respectively as their e-mail addresses. They will be able to retrieve their individual private and secure e-mail if they have been assigned the proper access right. If your company does not have a domain nam
81. as www.yourhost.dyndns.org and still reach your hostname. Does the Prestige support DDNS wildcard? Yes, the Prestige supports the DDNS wildcard that WWW.DynDNS.ORG supports. When using wildcard, you simply enter yourhost.dyndns.org in the Host field in Menu 1.1. Can the Prestige SUA handle IPsec packets sent by the VPN gateway behind Prestige? Yes, the Prestige's SUA can handle IPsec ESP Tunneling mode. When packets go through SUA, SUA changes the source IP address and source port for the host. To pass IPsec packets, SUA must understand the ESP packet with protocol number 50 and replace the source IP address of the IPsec gateway with the router's WAN IP address. However, SUA should not change the source port of the UDP packets which are used for key management. Because the remote gateway checks this source port during connections, the port is not allowed to be changed. How do I setup my Prestige for routing IPsec packets over SUA? For outgoing IPsec tunnels, no extra setting is required. For forwarding the inbound IPsec ESP tunnel, a Default server set in Menu 15 is required. This is because SUA makes your LAN appear as a single machine to the outside world; LAN users are invisible to outside users. So, to make an internal server available for outside access, we must specify the service port and the LAN IP of this server in Menu 15
82. ase 1 ID for? In IKE phase 1 negotiation, the IP address of the remote peer is treated as an indicator to decide which VPN rule must be used to serve the incoming request. However, in some applications the remote VPN box or client software is using an IP address dynamically assigned by the ISP, so the Prestige needs additional information to make the decision. Such additional information is what we call the phase 1 ID. In the IKE payload there are local and peer ID fields to achieve this. What are Local ID and Peer ID? Local ID and Peer ID are used in IKE phase 1 negotiation. It's in FQDN (Fully Qualified Domain Name) format; the IKE standard takes it as one type of Phase 1 ID. Phase 1 ID is an identification for each VPN peer. The type of Phase 1 ID may be IP, FQDN (DNS) or User FQDN (E-mail). The content of the Phase 1 ID depends on the Phase 1 ID type. The following is an example of how to configure the phase 1 ID (ID type: Content): IP: 202.132.154.1; DNS: www.zyxel.com; E-mail: support@zyxel.com.tw. Please note that in the Prestige, if the DNS or E-mail type is chosen, you can still use a random string as the content, such as "this is Prestige". It's not necessary to follow the format exactly. By default, the Prestige takes IP as the phase 1 ID type for itself and its remote peer. But if its remote peer is using DNS or E-mail, you have to adjust the settings to pa
83. assword your ITSP provided to you. Step 6: If you wish to send caller ID, check the check box in the Caller ID category; if you do not wish to send out caller ID, leave the check box unchecked. Step 7: Click on Apply to save the setting and have it take effect. If you would like to configure the 2nd SIP account, please select SIP2 by using the SIP account selector, then follow step 1 to 8 to complete the 2nd account setup. Each field's detailed description on this page is listed below. SIP Account: You can configure the Prestige to use multiple SIP accounts. Select one to configure its settings on the Prestige. SIP Number: A SIP account's Uniform Resource Identifier (URI) identifies the SIP account in a way similar to the way an e-mail address identifies an e-mail account. It is also known as a SIP identity or address. The format of a SIP identity is SIP-Number@SIP-Service-Domain. A SIP number is the part of the SIP URI that comes before the @ symbol. Enter your SIP number in this field. You can use up to 31 ASCII characters. SIP Local Port: Use this field to configure the Prestige's listening port for SIP. Leave this field set to the default if you were not given a local port number for SIP. SIP Server Address; SIP Server Port; REGISTER Server Address; REGISTER Server Port; SIP Service Domain; User Name; Password
84. be set to a value causing the node to reset after the time had elapsed. SNMP variables are defined using the OSI Abstract Syntax Notation One (ASN.1). ASN.1 specifies how a variable is encoded in a transmitted data frame; it is very powerful because the encoded data is self-defining. For example, the encoding of a text string includes an indication that the data unit is a string, along with its length and value. ASN.1 is a flexible way of defining protocols, especially for network management protocols where nodes may support different sets of manageable variables. The set of variables that each node supports is called the Management Information Base (MIB). The MIB is made up of several parts, including the Standard MIB, specified as part of SNMP, and Enterprise Specific MIBs, which are defined by different manufacturers for hardware-specific management. The current Internet standard MIB, MIB-II, is defined in RFC 1213 and contains 171 objects. These objects are grouped by protocol (including TCP, IP, UDP, SNMP) and other categories, including system and interface. The Internet Management Model is as shown in figure 1. Interactions between the NMS and managed devices can be any of four different types of commands: 6. Reads: Read is used to monitor the managed devices. NMSs read variables that are maintained by the devices. 7. Wr
85. by ZyXEL device. Using IP Multicast. What is IP Multicast? Traditionally, IP packets are transmitted in two ways: unicast or broadcast. Multicast is a third way to deliver IP packets to a group of hosts. Host groups are identified by class D IP addresses, i.e., those with 1110 as their higher-order bits. In dotted decimal notation, host group addresses range from 224.0.0.0 to 239.255.255.255. Among them, 224.0.0.1 is assigned to the permanent IP hosts group, and 224.0.0.2 is assigned to the multicast routers group. IGMP (Internet Group Management Protocol) is the protocol used to support multicast groups. The latest version is version 2 (see RFC 2236). IP hosts use IGMP to report their multicast group membership to any immediate-neighbor multicast routers, so the multicast routers can decide if a multicast packet needs to be forwarded. At start-up, the Prestige queries all directly connected networks to gather group membership. After that, the Prestige updates the information by periodic queries. The Prestige implementation of IGMP is also compatible with version 1. The multicast setting can be turned on or off on Ethernet and remote nodes. IP Multicast Setup: Enable IGMP in the Prestige's LAN in WEB GUI, Network > LAN > Advanced. > Network > LAN > Advanced RIP & Multicast Setup RIP Direction
86. ccess to the network, verifying that they are who they say they are via login name and password or MAC address, and accounting for their network usage. What is RADIUS? RADIUS stands for Remote Authentication Dial-In User Service. RADIUS is a standard that has been implemented into several software packages and networking devices. It allows user information to be sent to a central database running on a RADIUS server, where it is verified. RADIUS also provides a mechanism for accounting. What is WPA? WPA (Wi-Fi Protected Access) is a subset of the IEEE 802.11i security specification draft. The key differences between WPA and WEP are user authentication and improved data encryption. What is WPA-PSK? WPA-PSK (Wi-Fi Protected Access Pre-Shared Key) can be used if users do not have a RADIUS server but still want to benefit from it, because WPA-PSK only requires a single password to be entered on the wireless AP/gateway and the wireless client. As long as the passwords match, a client will be granted access to the WLAN. Trouble Shooting: For general device installation or basic troubleshooting, please refer to the device user's guide. Using Embedded Packet Trace. Embedded Packet Trace: The Prestige packet trace records and analyzes packets running on LAN and WAN interfaces. It is designed for users with technical backgrounds who are int
87. ce Prestige IAD offers an Ethernet port to connect to your computer, so the Prestige is placed in the line between the computer and your ISP. If your ISP supports PPPoE/PPPoA, you can also use the Prestige, because PPPoE/PPPoA are supported in the Prestige. What do I need to use the Prestige? You need an ADSL modem/router to use with an ADSL line. The Prestige is an ideal device for such an application. The Prestige has one Ethernet port (LAN port) and one ADSL WAN port. You should connect the computer to the LAN port and connect the ADSL line to the WAN port. If the ISP uses PPPoE or PPPoA, you need the user account to enter in the Prestige. What is PPPoE? PPPoE stands for Point-to-Point Protocol over Ethernet; it is an IETF draft standard specifying how a computer interacts with a broadband modem (i.e., xDSL, cable, wireless, etc.) to achieve access to high-speed data networks via a familiar PPP dialer such as the Dial-Up Networking user interface. PPPoE supports a broad range of existing applications and services, including authentication, accounting, secure access and configuration management. There are some service providers running PPPoE today. Before configuring PPPoE in the Prestige, please make sure your ISP supports PPPoE. Does the Prestige support PPPoE? Yes. The Prestige supports PPPoE since ZyNOS 2.50. How do I know I am using PPPoE? PPPoE requires a user account to log in to the provider's server. If you need to configure a user name and
88. cess lines: 1) high-speed links for their Internet access, and 2) frame relay, ISDN Primary Rate Interface or T1 lines to carry data. A VPN may allow a company to carry the data traffic over its Internet access lines, thus reducing the need for some installed lines. What are the most common VPN protocols? There are currently three major tunneling protocols for VPNs. They are Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP) and Internet Protocol Security (IPSec). What is PPTP? PPTP is a tunneling protocol defined by the PPTP forum that allows PPP packets to be encapsulated within Internet Protocol (IP) packets and forwarded over any IP network, including the Internet itself. PPTP is already supported in Windows NT and Windows 98. Windows 95 needs to be upgraded with the Dial-Up Networking 1.2 upgrade. What is L2TP? Layer Two Tunneling Protocol (L2TP) is an extension of the Point-to-Point Tunneling Protocol (PPTP) used by an Internet service provider (ISP) to enable the operation of a virtual private network (VPN) over the Internet. What is IPSec? IPSec is a set of IP extensions developed by the IETF (Internet Engineering Task Force) to provide security services compatible with the existing IP standard (IPv4) and also the upcoming one (IPv6). In addition, IPSec can protect any protocol that runs on top of IP, for instance TCP, UDP and ICMP. The IPSec
89. ckup gateway using Network gt WAN gt WAN Backup in WEB GUI 56 All contents copyright c 2007 ZyXEL Communications Corporation ZyXEL Prestige 2802HW L Ix Support Notes gt Network gt WAN gt WAN Backup Let Access Setup More Connections WAN Backup Setup a WAN Backup Setup Backup Type DSL Link 4 Check WAN IP Address 1 0 00 00 Check WAN IP Address 2 0 0 0 0 Check WAN IP Address 3 0 0 0 0 Fail Tolerance Recovery Interval Timeout Traffic Redirect Cl active Traffic Redirect Metric Backup Gateway Key Settings Label Description Backup Select the method that the Prestige uses to check the DSL connection Type Select DSL Link to have the Prestige check if the connection to the DSLAM is up Select ICMP to have the Prestige periodically ping the IP addresses configured in the Check WAN IP Address fields Check Configure this field to test your Prestige s WAN accessibility Type the IP address of a reliable nearby WAN IP computer for example your ISP s DNS server address Address1 3 If you select ICMP in the Backup Type field you must configure at least one IP address here When using a WAN backup connection the Prestige periodically pings the addresses configured here and uses the other WAN backup connection if configured if there is no response Fail Type the number of times 2 recommended that your Prestige may ping the I
90. conversation 1s achieved All contents copyright c 2007 ZyXEL Communications Corporation 63 ZyXEL Prestige 2802HW L Ix Support Notes d evalee hotmail com Conversation File Edit View Actions Help X eN aupegpv HE LUI Nos UUEpiuu vuur requestto have a video and voice conversation 48 The video and voice conversation with evalee hotmail com has ended 4 amp You have asked to have a video and voice conversation with evalee hotmail com Please wait for a response or Cancel Alt Q the pending invitation 4 amp evalee hotmail com has accepted your Speakers requestto have a video and voice conversation n Microphone EF Invite Someone to this Conversation n Block A Font Emoticons More Connection established A Wireless Application Notes Infrastructure mode What is Infrastructure mode Infrastructure mode sometimes referred to as Access Point mode is an operating mode of an 802 1 1b W1 Fi client unit In infrastructure mode the client unit can associate with an 802 11b Wi Fi Access Point and communicate with other clients in infrastructure mode through that access point All contents copyright c 2007 ZyXEL Communications Corporation ZyXEL Prestige 2802HW L Ix Support Notes NS f Y a NX NC A B Configuration Wireless Access Point to Infrastructure mode using Web configurator To configure Infrastructur
91. device filter group and the other is called protocol filter group. Generic filters belong to the device filter group; TCP/IP and IPX filters belong to the protocol filter group. Why can't I configure device filters or protocol filters? In ZyNOS, you cannot mix different filter groups in the same filter set. Product FAQ. What is the Prestige Integrated Access Device? The Prestige series fulfills a range of application environments, from small and medium businesses, SOHO or telecommuters to home users or education applications. The Prestige's design helps users to save expenses, minimize maintenance and simultaneously provide a high-quality networking environment. The Prestige series is a robust solution complete with everything needed for providing Internet access to multiple workstations through ADSL. The IAD is equipped with 1 auto MDI/MDIX 10/100Mbps Ethernet LAN port and 1 ADSL WAN port. It is the most simple and affordable solution for multiple and instant broadband Internet access router. Virtually all popular applications over the Internet, such as Web, E-Mail, FTP, Telnet and Gopher, are supported. The Prestige is designed for SOHO, branch offices, workgroups and educational users. Will the Prestige work with my Internet connection? The Prestige is designed to be compatible with major ISPs that utilize ADSL as a broadband servi
92. e Header Checksum TCP Header Source Port Destination Port Sequence Number Ack Number Header Length Flags Window Size Checksum Urgent Ptr Options 0080C84CEA63 0x0800 TCP IP Ed 20 0x00 0 0x0030 48 0x330B 13067 0x02 0x00 0x80 128 0x06 TCP 0x3E71 15985 0xC0A80102 192 168 1 2 OxCOLFO782 192 31E 75130 0x045C 1116 0x0050 80 Ox00BD15A7 12391847 0x00000000 0 ES 0x02 Geese 0x2000 8192 OxBEC3 48835 0x0000 0 0000 02 04 05 B4 01 01 04 02 RAW DATA All contents copyright c 2007 ZyXEL Communications Corporation 163 ZyXEL Prestige 2802HW L Ix Support Notes 0000 00 AO C5 92 13 11 00 80 C8 4C EA 63 08 00 45 00 loea 0010 00 30 33 OB 40 00 80 06 3E 71 CO A8 01 02 CO IF 03 gt q 0020 07 82 04 5C 00 50 00 BD 15 A7 00 00 00 00 70 02 V P p 0030 20 00 BE C3 00 00 02 04 05 B4 01010402 a eee eee lt Q001 gt LAN Frame ENETO XMIT Size 58 58 Time 12090 020 sec Frame Type TCP 192 31 7 130 80 gt 192 168 1 2 1116 Ethernet Header Destination MAC Addr 0080C84CEA63 Source MAC Addr 00A0C5921311 Network Type 0x0800 TCP IP IP Header IP Version 4 Header Length X Type of Service 0x00 0 Total Length 0x002C 44 Idetification Oxs F3 22515 Flags 0x02 Fragment Offset
93. e gt Advanced Analog Phone 1 Voice Volume Control Speaking Volume imn Listening Volume 1n x Echo Cancellation M G 168 Active Dialing Interval Select Dialing Interval Select VAD Support To configure the phone port setting please follow the below step Step 1 Open the web browser from your workstation to connect to the Prestige by entering the Management IP address of the Prestige The default management IP of Prestige 1s 192 168 1 1 Step 2 Enter the administrator password appear on the page of login and click on login The default is 1234 Step 3 On the left column click on VoIP Phone gt Analog Phone gt Advanced Setup to bring you to voice function menu Step 4 Change the phone port parameter as you desired and click Apply when you are finish to save and let the setting to take effect Each field s detail description 1s listed below Label Description Speaking Use this field to set the loudness that the Prestige uses for the speech signal Volume that it sends to the peer device 1 is the quietest and 1 is the loudest Listening Use this field to set the loudness that the Prestige uses for the speech signal Volume that it receives from the peer device and sends to your phone 1 is the 104 All contents copyright c 2007 ZyXEL Communications Corporation ZyXEL Prestige 2802HW L Ix Support Notes quietest and 1 is the loudest G 168 Active Select this check box to cancel
94. e, it means that your ISP provides you with a dynamic IP address. Suppose your company's e-mail address is mycompany@ispname.com. Jane and John will be able to send e-mail through the Prestige Internet Access Sharing Router using jane<mycompany@ispname.com> and john<mycompany@ispname.com> respectively as their e-mail addresses. Again, they will be able to retrieve their individual private and secured e-mail if they have been assigned the proper access right. Is it possible to access a server running behind SUA from the outside Internet? If possible, how? Yes, it is possible, because the Prestige delivers the packet to the local server by looking up a SUA server table. Therefore, to make a local server accessible to outside users, the port number and the inside IP address of the server must be configured in WEB GUI, Network > NAT > Port Forwarding. What DHCP capability does the Prestige support? The Prestige supports DHCP client (Ethernet encap) on the WAN port and DHCP server on the LAN port. The Prestige's DHCP client allows it to get the Internet IP address from the ISP automatically if your ISP uses DHCP as a method to assign IP addresses. The Prestige's internal DHCP server allows it to automatically assign IP and DNS addresses to the clients on the local LAN. How do I use the reset button, and which parameters will be reset by the reset button? You can use a sharp pointed object and insert it into the little reset hole be
95. e original packet except that it contains an offset field. The Teardrop program creates a series of IP fragments with overlapping offset fields. When these fragments are reassembled at the destination, some systems will crash, hang or reboot. What is SYN Flood attack? A SYN attack floods a targeted system with a series of SYN packets. Each packet causes the targeted system to issue a SYN-ACK response. While the targeted system waits for the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on what is known as a backlog queue. SYN-ACKs are moved off the queue only when an ACK comes back or when an internal timer (which is set at relatively long intervals) terminates the TCP three-way handshake. Once the queue is full, the system will ignore all incoming SYN requests, making the system unavailable for legitimate users. What is LAND attack? In a LAND attack, hackers flood SYN packets to the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself. What is Brute-force attack? A Brute-force attack, such as the Smurf attack, targets a feature in the IP specification known as directed or subnet broadcasting, to quickly flood the target network with useles
96. e forward incoming calls to the number that you configure whenever you do not answer the call after a specific time period Set how long the Prestige should let a call ring before considering the call unanswered Configure Advanced Setup call forwarding entries to have the Prestige 116 All contents copyright c 2007 ZyXEL Communications Corporation ZyXEL Prestige 2802HW L Ix Support Notes Setup Activate Incoming Call Number Forward to Number Condition perform specific actions on calls from specific numbers If a caller s number does not match the Incoming Call Number of any of these entries the Prestige performs the default action configured in the Forward to Number Setup section Select this check box to turn on an call forwarding entry You can set the Prestige to take a particular action on incoming calls from a number that you specify here You can set the Prestige to forward incoming calls to a number that you specify here Select under what circumstances you want the Prestige to use this call forwarding entry Select Unconditional to have the Prestige immediately forward any calls from the number specified in the Incoming Call Number field to the number in the Forward to Number field Select Busy to have the Prestige forward any calls from the number specified in the Incoming Call Number field to the number in the Forward to Number field when your SIP account has a call connected Select No Answ
97. e log by entering: sys trcp sw on & sys trcl sw on. 1.4 Display the brief trace online by entering: sys trcd brief, or 1.5 Display the detailed trace online by entering: sys trcd parse. Example:
ras> sys trcp channel enet0 none
ras> sys trcp channel mpoa00 bothway
ras> sys trcp sw on
ras> sys trcl sw on
ras> sys trcd brief
0 12367.680 MPOA00-R[0070] UDP 202.132.155.95:520->202.132.155.255:520
1 12370.980 MPOA00-T[0062] TCP 202.132.155.97:10261->192.31.7.130:80
ras> sys trcd parse
<0000>
LAN Frame: MPOA00-RECV Size: 1181/96 Time: 12387.260 sec
Frame Type: TCP 192.31.7.130:80->202.132.155.97:10270
Ethernet Header:
Destination MAC Addr = 00A0C5921312
Source MAC Addr = 00A0C5012345
Network Type = 0x0800 (TCP/IP)
IP Header:
IP Version = 4
Header Length E
Type of Service = 0x00 (0)
Total Length = 0x048B (1163)
Idetification = 0xB139 (45369)
Flags = 0x02
Fragment Offset = 0x00
Time to Live = 0xEE (238)
Protocol = 0x06 (TCP)
Header Checksum = 0xA9AB (43435)
Source IP = 0xC01F0782 (192.31.7.130)
Destination IP = 0xCA849B61 (202.132.155.97)
TCP Header:
Source Port = 0x0050 (80)
Destination Port = 0x281E (10270)
Sequence Number = 0xD3E95985 (3555285381)
Ack Number = 0x00C18F63 (12685155)
Heade
98. e mode of your Prestige wireless VoIP IAD, please follow the steps below. 1. From the web configurator main menu, click Network > Wireless LAN > General. [Screenshot: Network > Wireless LAN > General screen. Wireless Setup: Active Wireless LAN, Network Name (SSID) ZyXEL, Hide SSID, Channel Selection Channel 06 2437MHz. Security: Security Mode Static WEP, WEP Key. Note on screen: The different WEP key lengths configure different strength security: 40/64-bit, 128-bit, or 256-bit respectively. Your wireless client must match the security strength set on the router. Please type exactly 5, 13, or 29 characters, or please type exactly 10, 26, or 58 characters using only the numbers 0-9 and the letters a-f or A-F.] 3. Configure the desired configuration on the Prestige wireless VoIP IAD and check the Active Wireless LAN check box. 4. When finished, click the Apply button for the settings to take effect. Configuration Wireless Station to Infrastructure mode: To configure Infrastructure mode on your ZyAIR B-100/B-200/B-300 wireless NIC card, please follow these steps. 1. Double-click the utility icon in your Windows task bar; the utility will pop up on your Windows screen. 2. Select the configuration tab.
99. e security gateway outside of Prestige, NAT port forwarding and Firewall forwarding are necessary. To configure NAT port forwarding, please go to WEB interface, Setup, SUA/NAT, and put the secure gateway's IP address in default server. To configure Firewall forwarding, please go to WEB interface, Setup, Firewall, set Packet Direction to WAN to LAN, and create a firewall rule that forwards IKE (UDP 500). Can Prestige behave as a NAT router supporting IPSec passthrough and an IPSec gateway simultaneously? No, Prestige can't support them simultaneously. You need to choose either one. If Prestige is to support IPSec passthrough, you have to disable the VPN function on Prestige. To disable it, you can either deactivate each VPN rule or issue the CI command "ipsec switch off" from SMT menu 24.8. You can get into the SMT menu via either telnet or console connection. Wireless FAQ. What is a Wireless LAN? Wireless LANs provide all the functionality of wired LANs without the need for physical connections (wires). Data is modulated onto a radio frequency carrier and transmitted through the ether. Typical bit rates are 11Mbps and 54Mbps, although in practice data throughput is half of this. Wireless LANs can be formed simply by equipping PCs with wireless NICs. If connectivity to a wired LAN is required, an Access Point (AP) is used as a bridg
100. ection firewalls generally provide the best speed and transparency; however, they may lack the granular application-level access control or caching that some proxies support. What kind of firewall is the Prestige? 1. The Prestige's firewall inspects packet contents and IP headers. It is applicable to all protocols that understands data in the packet is intended for other layers, from network layer up to the application layer. 2. The Prestige's firewall performs stateful inspection. It takes into account the state of connections it handles so that, for example, a legitimate incoming packet can be matched with the outbound request for that packet and allowed in. Conversely, an incoming packet masquerading as a response to a nonexistent outbound request can be blocked. 3. The Prestige's firewall uses session filtering, i.e., smart rules that enhance the filtering process and control the network session rather than control individual packets in a session. 4. The Prestige's firewall is fast. It uses a hashing function to search the matched session cache instead of going through every individual rule for a packet. 5. The Prestige's firewall provides email service to notify you of routine reports and when alerts occur. Why do you need a firewall when your router has packet filtering and NAT built in? With the spectacular growth of the Internet and online access, companies that do business on the Internet face greater security threats. Although pack
101. ed web configurator. The Web configurator is a user-friendly configuration interface accessed via the user's web browser by typing in the LAN IP address of the Prestige. To access the Prestige's web configurator via web browser, the configuration PC must be in the same IP segment as the Prestige, and the Prestige must be reachable from the configuration station. By default, the Prestige LAN IP is 192.168.1.1. What is the default LAN IP address and Password? Moreover, how do I change it? The default LAN IP address is 192.168.1.1, and you can change the LAN IP in the web configuration menu under LAN > LAN TCP/IP. The default password is 1234. You can change the password once you enter the web configuration menu, under SYSTEM, by pressing the Password tab. At the password screen, type in the old password and the new password, retype to confirm, then press the Apply button to save the change. How do I upload the ZyNOS firmware code via embedded web configurator? The procedure for uploading ZyNOS via the embedded web configurator is as follows. Log on to the web configurator. Press MAINTENANCE from the left menu. Press the F/W Upload tab. Press the browse button, point to the directory where the firmware you want to upload is kept, and press the Upload button. It will prompt you that the firmware upload is successful, and the Prestige will reboot. How do I upgrade/backup the ZyNOS firmware by using FTP client program via LAN? The
102. er to have the Prestige forward any calls from the number specified in the Incoming Call Number field to the number in the Forward to Number field when the No Answer Waiting Time period expires, whether or not the no answer feature is enabled in the Forward to Number Setup section. Select Block to have the Prestige reject calls from the number specified in the call forwarding entry. Select Accept to have the Prestige allow calls from the number specified in the Incoming Call Number field. Voice Common Settings. Click VoIP > Phone > Common to display the following screen. Use this screen to configure Immediate Dial. [Screenshot: VoIP > Phone > Common, Common Settings: Active Immediate Dial, Apply, Reset.] Click VoIP > Phone > Region to display the following screen. Use this screen to configure VoIP Common Settings. [Screenshot: VoIP > Phone > Region, Region Settings: Default; Call Service Mode: Europe Type.] Label / Description. Region Settings: Use the drop-down list box to select the country where your Prestige is located. Use these fields to specify phone numbers to which the Prestige will always send calls through the regular phone service without the need of dialing a prefix number. These number
103. erested in the details of the packet flow on LAN or WAN end of Prestige. It is also very helpful for diagnostics if you have compatibility problems with your ISP or if you want to know the details of a packet for configuring a filter rule. The format of the display is as follows:
Packet: 0 11880.160 ENET0-R[0062] TCP 192.168.1.2:1108->192.31.7.130:80
Fields: index, timer (second), channel, receive/transmit, length, protocol, source IP:port, destination IP:port.
There are two ways to dump the trace: 1. Online Trace: display the trace in real time on screen. 2. Offline Trace: capture the trace first and display it later. The details for capturing the trace with CLI commands are as follows.
Online Trace: 1. Trace LAN packet. 2. Trace WAN packet.
1. Trace LAN packet
1.1 Disable capture of the WAN packet by entering: sys trcp channel enet1 none
1.2 Enable capture of the LAN packet by entering: sys trcp channel enet0 bothway
1.3 Enable the trace log by entering: sys trcp sw on & sys trcl sw on
1.4 Display the brief trace online by entering: sys trcd brief, or
1.5 Display the detailed trace online by entering: sys trcd parse
Example 1883 340 H 1883 610 1883 620 1883 630 1883 630 Fl 1883 650 Z iO onun O t d Q t2 C E m E pb td 10 Prestige sys trcd brief 11880 160 ENET 1883 100 ENET 1883
104. es Key settings: The WEP Encryption type of the station has to be equal to that of the access point. Check the ASCII field for a characters WEP key, or uncheck the ASCII field for a hexadecimal digits WEP key. Hexadecimal digits don't need to be preceded by 0x. For example, 64 bits with characters WEP key: Key1 = 2e3f4, Key2 = 5y7js, Key3 = 24fg7, Key4 = 98jui. 64 bits with hexadecimal digits WEP key: Key1 = 123456789A, Key2 = 23456789AB, Key3 = 3456789ABC, Key4 = 456789ABCD. Configuring 802.1x. IEEE 802.1x Introduction: IEEE 802.1x port-based authentication is desired to prevent unauthorized devices (clients) from gaining access to the network. As LANs extend to hotels, airports, and corporate lobbies, insecure environments could be created. 802.1x port-based network access control makes use of the physical access characteristics of IEEE 802 LAN infrastructures, such as 802.3 Ethernet, 802.11 Wireless LAN and VDSL LRE (Long Reach Ethernet), in order to provide a means of authenticating and authorizing devices attached to a LAN port that has point-to-point connection characteristics, and of preventing access to that port in cases where the authentication process fails. [Figure: network diagram showing the Internet, an Application Server, an Authentication Server, and authorized and unauthorized clients.]
105. es the private local addresses to one or multiple public addresses. This adds a level of security since the clients on the private LAN are invisible to the Internet. What are the basic types of firewalls? Conceptually, there are three types of firewalls: 1. Packet Filtering Firewall 2. Application-level Firewall 3. Stateful Inspection Firewall. Packet Filtering Firewalls generally make their decisions based on the header information in individual packets. This header information includes the source and destination addresses and ports of the packets. Application-level Firewalls generally are hosts running proxy servers, which permit no traffic directly between networks, and which perform logging and auditing of traffic passing through them. A proxy server is an application gateway or circuit-level gateway that runs on top of a general operating system such as UNIX or Windows NT. It hides valuable data by requiring users to communicate with secure systems by means of a proxy. A key drawback of this device is performance. Stateful Inspection Firewalls restrict access by screening data packets against defined access rules. They make access control decisions based on IP address and protocol. They also inspect the session data to assure the integrity of the connection and to adapt to dynamic protocols. The flexible nature of Stateful Insp
106. What is DDNS? When do I need DDNS service? What DDNS servers does the Prestige support? What is DDNS wildcard? Does the Prestige support DDNS wildcard? Can the Prestige SUA handle IPsec packets sent by the VPN gateway behind Prestige? How do I setup my Prestige for routing IPsec packets over SUA? PSTN Lifeline FAQ: What is P2802 and what is the difference between P2802HW and P2807 EIW E? What does Lifeline mean? Do I need Lifeline? Can I connect more than one phone on the phone port? Can I receive incoming PSTN call through P2802HWL? Can I make an outgoing PSTN call through P2802HWL? VoIP FAQ: What is Voice Over IP? How does Voice over IP work? Why use VOIP? What is the relationship between codec and VoIP
107. et filter and NAT restrict access to particular computers and networks, however, for the other companies this security may be insufficient, because packet filters typically cannot maintain session state. Thus, for greater security, a firewall is considered. What is Denial of Service (DoS) attack? Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources. There are four types of DoS attacks: 1. Those that exploit bugs in a TCP/IP implementation, such as Ping of Death and Teardrop. 2. Those that exploit weaknesses in the TCP/IP specification, such as SYN Flood and LAND Attacks. 3. Brute-force attacks that flood a network with useless data, such as Smurf attack. 4. IP Spoofing. What is Ping of Death attack? Ping of Death uses a PING utility to create an IP packet that exceeds the maximum 65535 bytes of data allowed by the IP specification. The oversize packet is then sent to an unsuspecting system. Systems may crash, hang, or reboot. What is Teardrop attack? Teardrop attack exploits a weakness in the reassembly of IP packet fragments. As data is transmitted through a network, IP packets are often broken up into smaller chunks. Each fragment looks like th
108. etail description of the page is listed below. [Screenshot: Speed Dial screen with Add Speed Dial (Speed Dial, SIP Number, Name, Type, Add) and Speed Dial Phone Book (Speed Dial, Name, SIP Number, Type, Delete, Edit, Clear).] Speed Dial: Select a speed dial key combination from the drop-down list box. SIP Number: Enter the SIP number of the party that you will call (use the number or text that comes before the @ symbol in a full SIP URI). You can use up to 127 ASCII characters. Name: Enter a descriptive name to identify the party that you will use this entry to call. You can use up to 127 ASCII characters. Type: Select Use Proxy if calls to this party use your SIP account configured in the VoIP screen. Select Non-Proxy (Use IP or URL) if calls to this party use a different SIP server or go directly to the callee's VoIP phone (IP-to-IP). Enter the SIP server's or the party's IP address or domain name (up to 127 ASCII Extended set characters). Add: Click this button to save the entry in the speed dial phone book. The speed dial entry displays in the Speed Dial Phone Book section of the screen. Speed Dial Phone Book: This section of the screen displays the currently saved speed dial entries. You can configure up to 10 entries and use them to make calls. Speed Dial: This is the entry's speed dial key combination. Press this key combination on a telephone attached to the Prestige in order to call the party named in this entry.
109. etl none
Prestige> sys trcp channel enet0 bothway
Prestige> sys trcp sw on
Prestige> sys trcl sw on
Prestige> sys trcp sw off
Prestige> sys trcl sw off
Prestige> sys trcp brief
0 10855.790 ENET0-T[0141] TCP 192.31.7.130:80->192.168.1.2:1102
1 10855.800 ENET0-R[0060] TCP 192.168.1.2:1102->192.31.7.130:80
2 10855.810 ENET0-R[0062] TCP 192.168.1.2:1103->192.31.7.130:80
3 10855.840 ENET0-R[0062] TCP 192.168.1.2:1104->192.31.7.130:80
4 10856.020 ENET0-T[0054] TCP 192.31.7.130:80->192.168.1.2:1102
5 10856.030 ENET0-T[0058] TCP 192.31.7.130:80->192.168.1.2:1103
6 10856.040 ENET0-R[0060] TCP 192.168.1.2:1103->192.31.7.130:80
Prestige> sys trcp parse 5 5
<0005>
LAN Frame: ENET0-XMIT Size: 58/58 Time: 10856.030 sec
Frame Type: TCP 192.31.7.130:80->192.168.1.2:1103
Ethernet Header:
Destination MAC Addr = 0080C84CEA63
Source MAC Addr = 00A0C5921311
Network Type = 0x0800 (TCP/IP)
IP Header:
IP Version = 4
Header Length E
Type of Service = 0x00 (0)
Total Length = 0x002C (44)
Idetification = 0x7F02 (32514)
Flags = 0x02
Fragment Offset = 0x00
Time to Live = 0xED (237)
Protocol = 0x06 (TCP)
Header Checksum = 0x857D (34173)
Source IP = 0xC01F0782 (192.31.7.130)
Destination IP = 0xC0A801
110. f you can register to the server but cannot make a call, very likely there is a NAT router or firewall before it which is blocking it. We do not suggest having a NAT router before it, as it may cause many unexpected problems. If you have a NAT router before it, we suggest using a VoIP ATA (VoIP Analog Telephone Adapter) such as the Prestige ATA series. If the problem is a firewall before it, please check with the firewall manager to make sure the SIP protocol is allowed to pass through the firewall and the range of RTP ports is allowed through the firewall. I can make a call but the voice only goes one way, not bothway. If you can register to the server and can make a call (signal establishment) but the voice only goes one way, it is very likely there is a NAT router or firewall before it; please see the NAT/firewall related question above. I can receive a call but the voice only goes one way, not bothway. If you can register to the server but can only make outgoing calls and cannot receive incoming calls, or the incoming call signal establishment can be made but voice only goes one way, very likely there is a NAT/firewall router before it; please see the NAT/firewall related question above for tips to troubleshoot. If all the above have been tried but register still fails, what should I do? In such a case, please contact your local vendor for support. If they can't help with the problem, they will escalate your problem to the ZyXEL tech center. To report a problem, please prepare belo
111. fter booting. linkDown (defined in RFC 1215): If any link of IDSL or WAN is down, the trap will be sent with the port number. The port number is its interface index under the interface group. linkUp (defined in RFC 1215): If any link of IDSL or WAN is up, the trap will be sent with the port number. The port number is its interface index under the interface group. authenticationFailure (defined in RFC 1215): When receiving any SNMP get or set requirement with wrong community, this trap is sent to the manager. whyReboot (defined in ZYXEL-MIB): When the system is going to restart (warmstart), the trap will be sent with the reason of restart before rebooting. i. For intentional reboot: In some cases (download new files, CI command "sys reboot"), reboot is done intentionally, and traps with the message "System reboot by user!" will be sent. ii. For fatal error: System has to reboot for some fatal errors, and traps with the message of the fatal code will be sent. [Figure 3: ZyXEL Private MIB Tree. Products: pSysVariables Group, pBRIVariables Group, pIPXVariables Group, pAPTVariables Group, pBR6Variable Group, pDialInVariables Group, pRemoteNodeVariables Group, pRemoteUserVariables Group; Zyxel Traps.] 4. Configure the Prestige for SNMP. The SNMP related settings in Prestige are configu
112. gineering Task Force in 1999 to carry voice over IP. Since it was created by the IETF, it approaches voice and multimedia from the Internet or IP perspective. Whereas H.323 emerged around 1996, and as an International Telecommunication Union standard, it was designed from a telecommunications perspective. Both standards have the same objective: to enable voice and multimedia convergence with IP protocols. Can H.323 and SIP interoperate with one another? In interoperability between the two, the industry is making slow but sure progress. Interoperability must first happen between vendor implementations of the same protocol (SIP to SIP and H.323 to H.323) and then between protocols. Currently, in order for a SIP client to talk to an H.323 client, the ITSP must have a trunking gateway act as a translator between the two protocols; without the trunking gateway, the two protocols are not able to communicate with one another. What is voice quality? Voice quality is how well a person can hear the voice on the opposite end. How is voice quality normally rated? Voice quality is most commonly rated through a voice quality metric called the Mean Opinion Score (MOS), which is a recommendation by ITU-T. The MOS is a 5-point scale where 5 represents excellent voice quality and 1 represents bad voice quality. What is codec? Codec is an algorithm which converts analog signal into digital signal and vice versa. There are three main type of waveform codec source codec
113. grams > IEEE802.11b WLAN Card > IEEE802.11b WLAN Card. 2. Select the Encryption tab. Select the encryption type corresponding with the access point. Set up 4 Keys which correspond with the WEP Keys of the access point, and select one WEP key as the default key to encrypt wireless data transmission. [Screenshots: ZyAIR G-100 Wireless LAN PC Card Utility, Encryption tab (tabs: Link Info, Configuration, Site Survey, Encryption, About). On-screen text: "Your encryption settings must match those of your network or your computer will be unable to communicate." Fields: Encryption (64 Bits), WEP Key Entry (Create with Passphrase / Manual Entry, ASCII), Key 1 to Key 4, Default Tx Key 2; buttons: Restore Defaults, Undo Changes, Apply Changes.]
114. gth information on the diagram as you go along. [Figure: floor plan; labels include Stock Room with Metal Shelves, Hitches, Trailers.] 5. When you reach the farthest point of connection, mark the spot. Now move the access point to this new spot, as you have already determined the farthest point of the access point installation spot if wireless service is required from the corner of the room. 6. Repeat steps 1-5, and now you should be able to mark an RF coverage area as illustrated in the above picture. 7. You may need more than one access point if the RF coverage area has not covered all the wireless service area you need. 8. Repeat steps 1-6 of the survey on site as necessary; upon completion you will have a diagram and information of the site survey, as illustrated below. [Figure: site survey coverage diagram.] Note: If more than one access point is needed, be sure to make the adjacent access point service areas overlap one another, so the wireless stations are able to roam. For more information please refer to roaming at PSTN Lifeline Application Notes Usage of PST
115. his IP is dynamic. With DDNS supported by the Prestige, you apply for a DNS name (e.g., www.zyxel.com.tw) for your server (e.g., Web server) from a DDNS server. The outside users can always access the web server using www.zyxel.com.tw regardless of the WAN IP of the 312. When the ISP assigns the Prestige a new IP, the Prestige updates this IP to the DDNS server so that the server can update its IP-to-DNS entry. Once the IP-to-DNS table in the DDNS server is updated, the DNS name for your web server (i.e., www.zyxel.com.tw) is still usable. When do I need DDNS service? When you want your internal server to be accessed by using a DNS name rather than using the dynamic IP address, you can use the DDNS service. The DDNS server allows you to alias a dynamic IP address to a static hostname. Whenever the ISP assigns you a new IP, the Prestige sends this IP to the DDNS server for its updates. What DDNS servers does the Prestige support? The DDNS server the Prestige currently supports is WWW.DYNDNS.ORG, where you apply for the DNS name and update the WAN IP to. What is DDNS wildcard? Some DDNS servers support the wildcard feature, which allows the hostname *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. This feature is useful when there are multiple servers inside and you want users to be able to use things such
116. so on, and the object values involved in the operation. The following figure shows the SNMPv1 message format. [Figure 2: SNMPv1 Message Format] The SNMP PDU contains the following fields: PDU type: Specifies the type of PDU. Request ID: Associates requests with responses. Error status: Indicates an error and an error type. Error index: Associates the error with a particular object variable. Variable bindings: Associates particular objects with their values. 3. ZyXEL SNMP Implementation. ZyXEL currently includes SNMP support in some Prestige routers. It is implemented based on SNMPv1, so it will be able to communicate with SNMPv1 NMSs. For SNMPv1 operation, ZyXEL permits one community string, so that the router can belong to only one community, and allows trap messages to be sent to only one NMS manager. Some traps are sent to the SNMP manager when any one of the following events happens: coldStart (defined in RFC 1215): If the machine coldstarts, the trap will be sent after booting. warmStart (defined in RFC 1215): If the machine warmstarts, the trap will be sent a
117. ige does not need to be a member of a VLAN group to communicate with the SIP server. Apply: Click Apply to save your changes back to the Prestige. Call Forwarding setup. The call forwarding function allows users to determine the handling of incoming calls. For example, a user may wish to decide that all incoming calls will ring his cell phone as well. The following screenshot shows how users can use this screen to configure the Prestige to block or redirect calls. You can configure a different call forwarding table for each SIP account or use the same call forwarding table for both. [Screenshot: VoIP > Phone Book > Incoming Call Policy, showing Table Number, Forward to Number Setup (Unconditional Forward to Number, Busy Forward to Number, No Answer Forward to Number, No Answer Waiting Time in seconds) and Advanced Setup (Activate, Incoming Call Number, Forward to Number, Condition).] Unconditional Forward to Number: Enable this feature to have the Prestige forward incoming calls to the number that you configure. Busy Forward to Number: Enable this feature to have the Prestige forward incoming calls to the number that you configure when your SIP account has a call connected.
118. ing device. APs are typically located close to the centre of the wireless client population. What are the advantages of Wireless LANs? a. Mobility: Wireless LAN systems can provide LAN users with access to real-time information anywhere in their organization. This mobility supports productivity and service opportunities not possible with wired networks. b. Installation Speed and Simplicity: Installing a wireless LAN system can be fast and easy and can eliminate the need to pull cable through walls and ceilings. c. Installation Flexibility: Wireless technology allows the network to go where wire cannot go. d. Reduced Cost of Ownership: While the initial investment required for wireless LAN hardware can be higher than the cost of wired LAN hardware, overall installation expenses and life-cycle costs can be significantly lower. Long-term cost benefits are greatest in dynamic environments requiring frequent moves and changes. e. Scalability: Wireless LAN systems can be configured in a variety of topologies to meet the needs of specific applications and installations. Configurations are easily changed and range from peer-to-peer networks suitable for a small number of users to full infrastructure networks of thousands of users that enable roaming over a broad area. What are the disadvantages of Wireless LANs? The s
119. ing speeds. Very few can handle it at 30 Mbps. Ethernet 10baseT is the most popular cable modem interface standard for the PC. This automatically limits the speed of the connection to under 10 Mbps, even if the cable modem can receive at 30 Mbps. Most Local Area Networks use 10baseT Ethernet, and although they are 10 Mbps networks, it takes a LOT longer than one second to transmit 10 megabits (or 1.25 megabytes) of data from one terminal to another. Cable modems on the same node share bandwidth, which means that congestion is created when too many people are on simultaneously. One user downloading large graphic or video files can use a significant portion of shared bandwidth, slowing down access for other users in the same neighborhood. Most independent Internet Service Providers today connect to the Internet using a single 1.5 Mbps T1 telephone line. All of their subscribers share that 1.5 Mbps pipeline. Cable head-ends connecting to the Internet backbone using a T1 limit their subscribers to an absolute maximum of 1.5 Mbps. To create the appearance of faster network access, service companies plan to store or cache frequently requested web sites and Usenet newsgroups on a server at their head-end. Storing data locally will remove some of the bottleneck at the backbone connection. How fast can they go? In a perfect world or lab
120. pre-configured, read-only, Many-to-One mapping set, sufficient for most purposes and helpful to people already familiar with SUA in previous ZyNOS versions. Note that there is also a Server type whose IGA is 0.0.0.0 in this set. 2. Address Mapping Sets and NAT Server Sets: Use the Address Mapping Sets menus and submenus to create the mapping table used to assign global addresses to LAN clients. Each remote node must specify which NAT Address Mapping Set to use. The P2802HWL has 8 remote nodes and so allows you to configure 8 NAT Address Mapping Sets. You can see nine NAT Address Mapping sets in WEB GUI Network > NAT > Address Mapping. You can only configure from Set 1 to Set 10 when you select Full Feature in WEB GUI NAT configuration. When you select SUA Only, the Port Forwarding will auto-configure as Many-to-One and Server as default in the system. The NAT Server Set is a list of LAN-side servers mapped to external ports. To use this set (one set for the Prestige), a server rule must be set up inside the NAT Address Mapping set. Please see NAT Server Sets for further information on these menus. Enter WEB GUI Network > NAT > Address Mapping to bring up the Address Mapping Sets menu. Now let's look at WEB GUI Menu Network > NAT > Address Mapping. [Screenshot: Network > NAT > Address Mapping, Address Mapping Rules.]
121. ircuit switching for carrying voice traffic. Circuit switching is designed to carry voice, and it does it very well. Then why use IP for voice? As broadband booms and technology evolves, people now want to communicate in various ways, not just by voice, such as email, instant messaging, video and so on. Traditional telephony cannot evolve as quickly as the demand, and developing new features on circuit switching takes much time and money. IP is an existing standard and many types of service already run on IP; by using IP as a platform, integrated services are now possible at low cost, where traditional circuits may take a long time to achieve them. What is the relationship between codec and VoIP? In order to transfer a voice (analog) signal over IP, it first needs to be digitized. A codec is a technique to convert an analog signal to digital and vice versa. There are various speech codecs available that can be used with VoIP, each with its advantages and disadvantages. What advantage can Voice over IP provide? The advantage of VoIP is that it can provide advanced services, such as joining e-mail, instant messaging, video and voice mail all together, where the current circuit-switched PSTN cannot. What is the difference between H.323 and SIP? H.323 and SIP are proposed by different groups. Session Initiation Protocol (SIP) is a standard introduced by the Internet En
122. ired Equivalent Privacy (WEP) algorithm is used to protect wireless communication from eavesdropping. Because wireless transmissions are easier to intercept than transmissions over wired networks, and wireless is a shared medium, everything that is transmitted or received over a wireless network can be intercepted. WEP relies on a secret key that is shared between a mobile station (e.g. a laptop with a wireless Ethernet card) and an access point (i.e. a base station). The secret key is used to encrypt packets before they are transmitted, and an integrity check is used to ensure that packets are not modified in transit. The standard does not discuss how the shared key is established. In practice, most installations use a single key that is shared between all mobile stations and access points (APs). WEP employs the key encryption algorithm Ron's Code 4 Pseudo Random Number Generator (RC4 PRNG). The same key is used to encrypt and decrypt the data. [Figure: Initialization Vector (IV, 24 bits), secret key (k), message (M), transmitted (T)] WEP has defences against this attack. To avoid encrypting two cipher texts with the same key stream, an Initialisation Vector (IV) is used to augment the shared WEP key (secret key) and produce a different RC4 key for each packet; the IV is also included in the packet. WEP keys (secret keys) are available in two types, 64 bits and 128 bits. Many times you will see them referenced as 40 bits and 104 bit
123. ired to use VoIP is as follows: 1. A high-speed Internet connection. This can be a cable modem or a high-speed network service such as ISDN, DSL or a T-1 link. The bandwidth required will depend on the amount of telephone traffic in your network. 2. A PC with VoIP software installed, or a hardware VoIP box such as an ATA or a device like the Prestige 2802 VoIP station router. 3. An account with a VoIP provider such as an ITSP. The account can be configured to recognize your calls automatically, or you can require the users to enter their unique account numbers issued. Unable to register with the SIP server. If you are unable to register with the SIP server: 1. Make sure the Internet is reachable and the SIP register server is reachable. If your register server uses a domain name, make sure the DNS name can be resolved. If you are using a static WAN IP, make sure the DNS server is configured correctly on your Prestige. 2. Make sure the SIP account is correct and the password is keyed in correctly. 3. Check if there is a NAT router before it. The Prestige is a VoIP station gateway. We do not suggest having a NAT router before it, as it may cause many unexpected problems. If you have a NAT router before it, we suggest using a VoIP ATA (VoIP Analog Telephone Adapter) such as the Prestige ATA series. I can register but can not establish a call. I
124. [Screen: First DNS Server, Second DNS Server and Third DNS Server, each Obtained From ISP] Configure an Internal Server Behind SUA. [Figure: Prestige, remote client, Web server] Introduction: If you wish, you can make internal servers (e.g. Web, ftp or mail server) accessible for outside users, even though SUA makes your LAN appear as a single machine to the outside world. A service is identified by the port number. Also, since you need to specify the IP address of a server in the Prestige, a server must have a fixed IP address and not be a DHCP client whose IP address potentially changes each time it is powered on. In addition to the servers for specific services, SUA supports a default server. A service request that does not have a server explicitly designated for it is forwarded to the default server. If the default server is not defined, the service request is simply discarded. Configuration: To make a server visible to the outside world, specify the port number of the service and the inside address of the server in Network > NAT > Port Forwarding (Port Forwarding Configuration). The outside users can access the local server using the Prestige's WAN IP address. For example: configuring an internal Web server for outside access.
125. ites. Write is used to control the managed devices; NMSs write variables that are stored in the managed devices. 8. Traversal operations: NMSs use these operations to determine which variables a managed device supports and to sequentially gather information from variable tables (such as the IP routing table) in managed devices. 9. Traps: The managed devices use traps to asynchronously report certain events to NMSs. [Figure 1: SNMP Management Model, showing a user interface and managed devices] 2. SNMPv1 Operations: SNMP itself is a simple request/response protocol. 4 SNMPv1 operations are defined as below. Get: Allows the NMS to retrieve an object variable from the agent. GetNext: Allows the NMS to retrieve the next object variable from a table or list within an agent. In SNMPv1, when an NMS wants to retrieve all elements of a table from an agent, it initiates a Get operation followed by a series of GetNext operations. Set: Allows the NMS to set values for object variables within an agent. Trap: Used by the agent to inform the NMS of some events. The SNMPv1 messages contain two parts. The first part contains a version and a community name. The second part contains the actual SNMP protocol data unit (PDU) specifying the operation to be performed (Get, Set and
126. l End IP N/A, Server Mapping Set 10, Edit Details. Rule 2 Setup: Select One-to-One type to map FTP Server 2 with ILA2 (192.168.1.11) to IGA2. [Screen: Network > NAT > Address Mapping, Edit Address Mapping Rule1. Type: One-to-One; Local Start IP: 192.168.1.11; Local End IP: N/A; Global Start IP: Enter IGA2 IP; Global End IP: N/A] Rule 3 Setup: Select Many-to-One type to map the other clients to IGA3. [Screen: Network > NAT > Address Mapping, Edit Address Mapping Rule1. Type: Many-to-One; Local Start IP: 0.0.0.0; Local End IP: 255.255.255.255; Global Start IP: Enter IGA3; Global End IP: N/A; Server Mapping Set: 10] Rule 4 Setup: Select Server type to map our web server and mail server with ILA3 (192.168.1.20) to IGA3. [Screen: Network > NAT > Address Mapping, Edit Address Mapping Rule4. Type: Server; Local Start IP: N/A; Local End IP: N/A; Global Start IP: Enter IGA3 IP; Global End IP: N/A; Server Mapping Set: 2] When we have configured all four rules, the WEB GUI Address Mapping Configuration should look as follows: Idx Local Sta
127. l telemetry equipment and Bluetooth short-range wireless applications, which include connecting printers to computers and connecting modems or hands-free kits to mobile phones. Does 802.11 interfere with Bluetooth devices? Any time devices are operated in the same frequency band, there is the potential for interference. Both 802.11b and Bluetooth devices occupy the same 2.4 to 2.483 GHz unlicensed frequency range (the same band). But a Bluetooth device would not interfere with other 802.11 devices much more than another 802.11 device would interfere. While more collisions are possible with the introduction of a Bluetooth device, they are also possible with the introduction of another 802.11 device, or a new 2.4 GHz cordless phone for that matter. But Bluetooth devices are usually low power, so the effects that a Bluetooth device may have on an 802.11 network, if any, aren't far-reaching. Can radio signals pass through walls? Transmitting through a wall is possible, depending upon the material used in its construction. In general, metals and substances with a high water content do not allow radio waves to pass through. Metals reflect radio waves and concrete attenuates radio waves. The amount of attenuation suffered in passing through concrete will be a function of its thickness and the amount of metal reinforcement used. What are potential factors that may cause interference among WLAN products? Factors of interference: 1. Obstacles w
128. le to detect the proper IP address if there is an HTTP proxy server between the ZyXEL Device and the DDNS server. Use specific IP Address: Type the IP address of the hostname. Use this if you have a static IP address. Network Management Using SNMP. 1. SNMP Overview: The Simple Network Management Protocol (SNMP) is an application-layer protocol used to exchange management information between network devices (e.g. routers). By using SNMP, network administrators can more easily manage network performance and find and solve network problems. SNMP is a member of the TCP/IP protocol suite; it uses UDP to exchange messages between a management Client and an Agent residing in a network node. There are two versions of SNMP: Version 1 and Version 2. ZyXEL supports SNMPv1. Most of the changes introduced in Version 2 increase SNMP's security capabilities. SNMP encompasses three main areas: 1. A small set of management operations. 2. Definitions of management variables. 3. Data representation. The operations allowed are Get, GetNext, Set and Trap. These functions operate on variables that exist in network nodes. Examples of variables include statistic counters, node port status and so on. All of the SNMP management functions are carried out through these simple operations. No action operations are available, but these can be simulated by the setting of flag variables. For example, to reset a node, a counter variable named time to reset could
129. [Screen: Network > NAT > Port Forwarding. Default Server Setup: Default Server 0.0.0.0. Port Forwarding: Service Name WWW, Server IP Address 0.0.0.0. Rule 1: 80, 80, www, 192.168.1.10] Port numbers for some services: [Table: Service, Port Number; rows: Telnet, DNS (Domain Name Server), www-http (Web)] Configure a PPTP server Behind SUA. Introduction: PPTP is a tunneling protocol defined by the PPTP forum that allows PPP packets to be encapsulated within Internet Protocol (IP) packets and forwarded over any IP network, including the Internet itself. In order to run the Windows 9x PPTP client, you must be able to establish an IP connection with a tunnel server such as the Windows NT Server 4.0 Remote Access Server. Windows Dial-Up Networking uses the Internet standard Point-to-Point Protocol (PPP) to provide a secure, optimized, multiple-protocol network connection over dial-up telephone lines. All data sent over this connection can be encrypted and compressed, and multiple network-level protocols (TCP/IP, NetBEUI and IPX) can be run correctly. Windows NT Domain Login level security is preserved even across the Internet. IP IPX
130. m 0xD59C (54684); Source IP 0xCA849B61 (202.132.155.97); Destination IP 0xCCD90002 (204.217.0.2). TCP Header: Source Port 0x2826 (10278); Destination Port 0x0050 (80); Sequence Number 0x00C8C015 (13156373); Ack Number 0x4D713E47 (1299267143); Header Length 20; Flags 0x18 (AP); Window Size 0x1E87 (7815); Checksum 0x4374 (17268); Urgent Ptr 0x0000 (0). TCP Data (Length 357, Captured 42): GET /pictures/magazine_logo/bestoftimes.gi [RAW DATA: hex dump of the frame] Prestige Debug PPPoE Connection. The Prestige supports traces when there is a problem connecting to your ISP using the PPPoE protocol. Please follow the procedure below to collect the trace for our troubleshooting: 1. Remove the LA
131. m devices' description in XML format. The description may include product name, model name, serial number, vendor ID, embedded services, etc. Control: Devices can be manipulated by control points through Control messages. Eventing: Devices can send event messages to notify control points if there is any update on services provided. Presentation: Each device can provide its own control interface by URL link, so that users can go to the device's presentation web page by the URL to control this device. 2. Using UPnP in ZyXEL devices: In this example we will introduce how to enable the UPnP function in ZyXEL devices. Currently, Microsoft MSN is the most popular application exploiting UPnP, so we take the Microsoft MSN application as an example in this support note. You can learn how MSN benefits from the NAT traversal feature in UPnP in this application note. In the diagram, suppose PC1 and PC2 both sign in to the MSN server and they would like to establish a video conference. PC1 is behind a PPPoE dial-up router which supports UPnP. Since the router supports UPnP, we don't need to set up NAT mapping for PC1. As long as we enable the UPnP function on the router, PC1 will assign the mapping to the router dynamically. Note that since PC1 must support UPnP, we presume that its OS is Microsoft WinME or WinXP. UPnP Enabled Dynamic NAT port Ma
132. No Answer Forward to Number: Enable this feature to have the Prestige forward incoming calls to the number that you configure whenever you do not answer the call after a specific time period. Each field's detailed description on the page is listed below. [Fields: Table Number, Forward to Number Setup, Unconditional Forward to Number, Busy Forward to Number, No Answer Forward to Number, No Answer Waiting Time, Advanced] Table Number: Select which call forwarding table you want to configure. You can configure a different call forwarding table for each SIP account or use the same call forwarding table for both. Forward to Number Setup: The following applies to the number fields in this screen. For a SIP number, use the number or text that comes before the @ symbol in a full SIP URI. These are the global call forwarding settings that define the default action to take on incoming calls that do not match any of the Advanced Setup call forwarding entries. Unconditional Forward to Number: Enable this feature to have the Prestige forward all incoming calls to the number that you configure, regardless of whether or not the phone(s) connected to the phone port(s) is busy. Busy Forward to Number: Enable this feature to have the Prestige forward incoming calls to the number that you configure when the phone(s) connected to the phone port(s) is busy. With call waiting, a second call is only forwarded after being rejected. No Answer Forward to Number: Enable this feature to have the Prestig
133. n [Screen: MAC address filter list, entries 1 to 32, each 00:00:00:00:00:00; Apply, Cancel] Key Settings (Option: Description). Filter Action: Allow or block association from MAC addresses contained in this list. If Allow Association is selected in this field, hosts with MAC addresses configured in this list will be allowed to associate with the AP. If Deny Association is selected in this field, hosts with MAC addresses configured in this list will be blocked. MAC Address: This field specifies those MAC addresses that you want to add to the list. WEP configuration: Wired Equivalent Privacy. Introduction: The 802.11 standard describes the communication that occurs in wireless LANs. The W
134. n NOUS; Usage Or PS TNOEIeID; Lifeline configuration; Relay to PSTN; How to connect Lifeline and DSL connection; VoIP Application Notes; Setup SIP Account; Peer to Peer call; Phone port setting; Advanced voice settings configuration; Phone book Speed dial; AFOIGO IGS SOLDE; Call Forwarding Setup; Voice Common Seg; jo MENU; ZyNOS FAQ; What is ZyNOS?; How do I access the embedded web configurator?; What is the default LAN IP address and Password? Moreover, how do I change; How do I upload the ZyNOS firmware code via embedded web configurator?; How do I upgrade/backup the ZyNOS firmware by using FTP client program via LAN?; How do I upload or backup
135. n configure the Prestige's advanced VoIP settings, like SIP server settings, the RTP port range and the coding type. Click Apply to save your changes back to the Prestige. Reset: Click Reset to begin configuring this screen afresh. Peer to Peer call. [Figure: Topology] Topology Explanation: 1. Devices A and B are located on the Internet. 2. The WAN interfaces of devices A and B have public static IPs, 220.130.46.197 and 220.130.46.198. 3. The SIP numbers for devices A and B are 197 and 198. Preparation and Steps: 1. Install the device properly in the user's networking topology. 2. Set up the device's WAN connection. 3. Configure SIP/VoIP related settings in devices A and B. There are two ways to make an IP-to-IP call: 1. You can call by speed dial (like 01) defined in the phone book. You need to configure your own SIP number in the VoIP screen and the callee's IP address in the phone book. Note that only 10 speed dial entries can be configured so far. 2. You can call by the callee's SIP number. You need to configure your own SIP number and put the callee's IP address in the SIP server, SIP proxy and Domain server fields, all in the VoIP screen. Setup: Configuring SIP/VoIP related settings in device A
136. nd trade name for functioning PAT, which is a specific type of NAT. SUA (or PAT for NAT) translates addresses into port mappings. The primary motivation for RFC 1631 is that there are not enough IP addresses to go around. In addition, many corporations simply did not bother to obtain legal (globally unique) IP addresses for their networks and are now finding themselves unable to connect to the Internet. Basically, NAT is a process of translating one address to another. A NAT implementation can be as simple as substituting an IP address with another. This allows a network to rectify the illegal address problem mentioned above without going through each and every host. The design goal of ZyXEL's SUA is to minimize the Internet access cost in a small office environment by using a single IP address to represent the multiple hosts inside. It does more than IP address translation, so that multiple hosts on the LAN can access the Internet at the same time. How many network users can the SUA/NAT support? The Prestige does not limit the number of users but the number of sessions. The Prestige supports 1024 sessions; you can use the ip nat iface enif0 disp command in menu 24.8 to view the current active sessions. What are Device filters and Protocol filters? In ZyNOS, the filters have been separated into two groups. One group is called
137. nment, a LAN router is required to connect two local networks. The Prestige can connect three local networks to the ISP or a remote node; we call this function IP Alias. In this case, an internal router is not required. For example, the network manager can divide the local network into three networks and connect them to the Internet using the Prestige's single user account. See the figure below. [Figure: LAN1 192.168.1.0/24, LAN2 192.168.2.0/24 and LAN3 192.168.3.0/24 connected to the ISP. The Prestige's IP Alias connects three local networks to the Internet.] The Prestige supports three virtual LAN interfaces via its single physical Ethernet interface. The first network can be configured in menu 3.2 as usual. The second and third networks, which we call IP Alias 1 and IP Alias 2, can be configured in menu 3.2.1, IP Alias Setup. There are three internal virtual LAN interfaces for the Prestige to route the packets from/to the three networks correctly. They are enif0 for the major network, enif0:0 for IP Alias 1 and enif0:1 for IP Alias 2. Therefore, three routes are created in the Prestige, as shown below, when the three networks are configured. If the Prestige's DHCP is also enabled, the IP pool for the clients can be any of the three networks. Copyright (c) 1994 - 2004 ZyXEL Communications Corp. ras> ip ro st Dest FF Len Interface Gateway
138. o 10 SIP numbers in the phone book for speed dial. [Screen: VoIP > Phone Book > Speed Dial. Fields: Speed Dial, Number, Name, Type (Use Proxy / Non-Proxy (Use IP or URL)); Speed Dial Phone Book entries 01 to 10, with entry 01 set to test zyxel; Clear, Reset] To configure the phone book for speed dial, please follow the steps below. Step 1: Open the web browser on your workstation and connect to the Prestige by entering the management IP address of the Prestige. The default management IP of the Prestige is 192.168.1.1. Step 2: Enter the administrator password on the login page and click Login. The default is 1234. Step 3: In the left column, click VoIP, Phone Book, Speed Dial to go to the speed dial configuration page. Step 4: Select the entry number you wish to add to the phone book with the entry selector located under the add new entry category in the speed dial field. Step 5: Fill in the SIP number of the remote party and a descriptive name, and click the radio button to select either using the proxy or entering a static IP or URL for the remote peer. Step 6: Click the Add button when you are finished to add the entry to the phone book. Each field s d
139. on is needed to determine the number of APs required. 4. Determine the preliminary access point location on the facility diagram, based on the service area needed, obstacles and power wall jack considerations. Survey on Site: 1. With the diagram and all the information you gathered in the preparation phase, you are now ready to make the survey. 2. Install an access point at the preliminary location. 3. Use a notebook with a wireless client installed and run its utility. The utility will provide information such as connection speed, current used channel, associated rate, link quality, signal strength, etc., as shown in the utility below. [Screen: ZyAIR G-100 Wireless LAN PC Card Utility, Link Info tab. State: Connected; BSSID: 00:A0:C5:00:11:00; Current Channel: 1; Current Transfer Rate: 54 Mbps; Current Service Set Identifier: csoG1000; Tx/Rx Total Frames; Link Quality; Signal Strength] 4. It's always a good idea to start by putting the access point at the corner of the room and walking away from the access point in a systematic manner. Record the changes at the points where the transfer rate drops, and the link quality and signal stren
140. onents in UPnP are devices, services and control points. Devices: Network devices, such as networking gateways, TVs, refrigerators, printers, etc., which provide services. Services: Services are provided by devices, such as time services provided by alarm clocks. In UPnP, services are described in XML format. Control points can set/get service information from devices. Control points: Control points can manipulate network devices. When you add a new control point (in this case, a laptop) to a network, the device may ask the network to find UPnP-enabled devices. These devices respond with their URLs and device descriptions. [Figure: a laptop control point and UPnP devices] UPnP Operations. Addressing: UPnPv1 devices MAY support IPv4, IPv6 or both. For IPv4, each device should have a DHCP client; when the device gets connected to the network, it will discover the DHCP server on the network to get an IP address. If not, then the Auto-IP mechanism should be supported so that the device can give itself an IP address (169.254.0.0/16). Discovery: Whenever a device is added to the network, it will advertise its services over the network. Control points can also discover services provided by devices. Description: Control points can get more detailed service information fro
141. ort 65535 (1025-65535). [Screen: Voice Compression: Primary, Secondary and Third Compression Type; DTMF Mode: RFC 2633; MWI (Message Waiting Indication): Enable, Expiration Time 1800 (1-65535 sec); Fax Option: G.711 Fax Passthrough / T.38 Fax Relay; Call Forward: Call Forward Table: Table 1; Apply, Reset] Each field's detailed description on the page is listed below. Description: This read-only field displays the number of the SIP account that you are configuring. The changes that you save in this page affect the Prestige's settings with the SIP account displayed here. [Fields: URL Type, Expiration Duration, Register Re-send Timer, Session Expires, Min-SE, RTP Port Range, DTMF Mode] URL Type: Select SIP to have the Prestige include the domain name with the SIP number in the SIP messages that it sends. Select TEL to have the Prestige use the SIP number without a domain name in the SIP messages that it sends. Expiration Duration: This field sets how long an entry remains registered with the SIP register server. After this time period expires, the SIP register server deletes the Prestige's entry from the database of registered SIP numbers. The register server can use a different time period. The Prestige sends another registration request after half of thi
142. ot on the list will be denied. Otherwise, if Deny Association is selected, all other STAs which are not on the list will be allowed to associate. Users can choose either way to configure their filter rule. 3. Configure the WLAN MAC Filter: The MAC Filter related settings in ZyXEL APs are configured in menu 3.5.1, WLAN MAC Address Filter Configuration. Before you configure the MAC filter, you need to know the MAC address of the client. If you do not know your MAC address, enter the command ipconfig /all at the DOS prompt to get the MAC (physical) address of your wireless client. If you use WEB configuration, the MAC Address Filter configuration is as shown below. 1. Using a web browser, log in to the AP by giving the LAN IP address of the AP in the URL field. The default LAN IP is 192.168.1.1; the default password to log in to the web configurator is 1234. 2. Click Network and click the Wireless LAN tab on the left. 3. Click the MAC Filter link and check Active MAC Filter to enable the MAC Filter. 4. Select the Filter Action to allow or deny association from hosts in the list. 5. Enter the MAC addresses to which you want to apply the filter to allow or block associations. 6. Click Apply to make your setting work. [Screen: Network > Wireless LAN > MAC Filter. Active MAC Filter; Filter Action: Allow / Deny]
143. peed of Wireless LAN is still relatively slower than wired LAN. The most popular wired LAN operates at 100 Mbps, which is almost 10 times that of Wireless LAN (10 Mbps). A faster wired LAN standard (1000 Mbps), which is 100 times faster, is becoming popular as well. The setup cost of Wireless LAN is relatively high because the equipment cost, including access point and PCMCIA Wireless LAN card, is higher than hubs and CAT 5 cables. Where can you find wireless 802.11 networks? Airports, hotels and even coffee shops like Starbucks are deploying 802.11 networks so people can wirelessly browse the Internet with their laptops. As these types of networks increase, this will create additional security risk for the remote user if not properly protected. What is an Access Point? The AP (access point, also known as a base station) is the wireless server with an antenna and a wired Ethernet connection that broadcasts information using radio signals. An AP typically acts as a bridge for the clients. It can pass information to wireless LAN cards that have been installed in computers or laptops, allowing those computers to connect to the campus network and the Internet without wires. What is IEEE 802.11? IEEE 802.11 is a wireless LAN industry standard, and the objective of IEEE 802.11 is to make sure that different manufacturers' wireless LAN devices can communicate with each other. 802.11 provides 1 or 2 Mbps transmission in the 2.4 GHz ISM band using either FHS
144. pi ase cut mut ocio tu Atte; Mliapis BOX Ta bh eate; What is 802.11g?; Is it possible to use products from a variety of vendors?; Whats WIEET; What types of devices use the 2.4GHz Band?; Does the 802.11 interfere with Bluetooth devices?; Can radio signals pass through walls?; What are potential factors that may causes interference among WLAN products?; What's the difference between a WLAN and a WWAN?; What is Ad Hoc mode?; What is Infrastructure mode?; How many Access Points are required in a given area?; What is Direct Sequence Spread Spectrum Technology (DSSS)?; What is Frequency hopping Spread Spectrum Technology (FHSS)?; Do I need the same kind of antenna on both sides of a link?; Why the 2.4 GHz Frequency range?; What is Server Set ID (SSID)?; What is an ESSID?; How do I secure the data across an Access Point's radio link?
145. pping A Device: Prestige Router. Service: NAT function provided by Prestige Router. Control Point: PC1.

1. Enable the UPnP function in the ZyXEL device. Go to Advanced > UPnP and check two boxes: "Active UPnP feature" and "Allow users to make configuration changes through UPnP". The first check box enables the UPnP function in this device. The second check box allows users' applications to change configuration in this device. For instance, if you enable this item, a user's MSN application can assign dynamic port mapping to the router, so the network administrator doesn't need to set up SUA port mapping in the router.

[Screen: Advanced > UPnP > General. Device Name: ZyXEL Prestige 2602HWL D1A4 Internet Sharing Gateway. Check boxes: Active the Universal Plug and Play (UPnP) Feature; Allow users to make configuration changes through UPnP.]

Note: For UPnP to function normally, the HTTP service must be available for LAN computers using UPnP.

2. After getting an IP address, you can open the MSN application on the PC and sign in to the MSN server.
146. pt wireless data transmission.

Access Point encrypts data by Key 3; Station decrypts data by Key 3.
Access Point decrypts data by Key 2; Station encrypts data by Key 2.

In this case, the access point transmits data to the station encrypted with Key 3 of the access point. The station decrypts the data with its Key 3. At the same time, the station transmits data to the access point encrypted with Key 2. The access point decrypts the data with its Key 2.

Enter exactly 5, 13 or 29 characters to match the security strength 40/64-bit, 128-bit or 256-bit respectively.

Setting up the Station

1. Double-click the utility icon in your Windows task bar, or right-click the utility icon and then select Show Config Utility. The utility will pop up on your Windows screen.

Note: If the utility icon doesn't exist in your task bar, click Start > Pro
147. r Length = 20
Flags = 0x19
Window Size = 0xFAF0 (64240)
Checksum = 0x3735 (14133)
Urgent Ptr = 0x0000 (0)
TCP Data (Length=1127, Captured=42)

Offline Trace

1. Trace LAN packet
2. Trace WAN packet

1. Trace LAN packet
1.1 Disable the capture of the WAN packet by entering: sys trcp channel mpoa00 none
1.2 Enable the capture of the LAN packet by entering: sys trcp channel enet0 bothway
1.3 Enable the trace log by entering: sys trcp sw on & sys trcl sw on
1.4 Wait for packets passing through the Prestige over LAN
1.5 Disable the trace log by entering: sys trcp sw off & sys trcl sw off
1.6 Display the trace briefly by entering: sys trcp brief
1.7 Display specific packe
148. rce MAC Addr = 0080C84CEA63
Network Type = 0x0800 (TCP/IP)

IP Header
IP Version = 4
Header Length = 20
Type of Service = 0x00 (0)
Total Length = 0x0028 (40)
Identification = 0x350B (13579)
Flags = 0x02
Fragment Offset = 0x00
Time to Live = 0x80 (128)
Protocol = 0x06 (TCP)
Header Checksum = 0x3C79 (15481)
Source IP = 0xC0A80102 (192.168.1.2)
Destination IP = 0xC01F0782 (192.31.7.130)

TCP Header
Source Port = 0x045C (1116)
Destination Port = 0x0050 (80)
Sequence Number = 0x00BD15A8 (12391848)
Ack Number = 0x4AD1B580 (1255257472)
Header Length = 20
Flags = 0x10
Window Size = 0x2238 (8760)
Checksum = 0xE8ED (59629)
Urgent Ptr = 0x0000 (0)

TCP Data (Length=6, Captured=6)
0000: 20 20 20 20 20 20

RAW DATA
0000: 00 A0 C5 92 13 11 00 80 C8 4C EA 63 08 00 45 00
0010: 00 28 35 0B 40 00 80 06 3C 79 C0 A8 01 02 C0 1F
0020: 07 82 04 5C 00 50 00 BD 15 A8 4A D1 B5 80 50 10
0030: 22 38 E8 ED 00 00 20 20 20 20 20 20

2. Trace WAN packet
1.1 Disable the capture of the LAN packet by entering: sys trcp channel enet0 none
1.2 Enable the capture of the WAN packet by entering: sys trcp channel mpoa00 bothway
1.3 Enable the trac
149. re it; otherwise, follow these steps to install:
- In the Control Panel/Network window, click the Add button.
- In the Select Network Component Type window, select Protocol and click Add.
- In the Select Network Protocol window, select Microsoft from the manufacturers, then select TCP/IP from the Network Protocols and click OK.

3. TCP/IP Configuration

Follow these steps to configure Windows TCP/IP:
- In the Control Panel/Network window, click the TCP/IP entry to select it and click the Properties button.
- In the TCP/IP Properties window, select "obtain an IP address automatically". Note: Do not assign an arbitrary IP address and subnet mask to your PCs, otherwise you will not be able to access the Internet.
- Click the WINS configuration tab and select Disable WINS Resolution.
- Click the Gateway tab. Highlight any installed gateways and click the Remove button until there are none listed.
- Click the DNS Configuration tab and select Disable DNS.
- Click OK to save and close the TCP/IP properties window.
- Click OK to close the Network window. You will be prompted to insert your Windows CD or disk. When the drivers are updated, you will be asked if you want to restart the PC. Make sure your Prestige is powered on before answering Yes to the prompt. Repeat the above steps for each Windows PC on your network.

Setting up the Prestige router
150. red in WEB GUI menu Advanced > Remote MGMT > SNMP.

SNMP Configuration

The following steps describe a simple setup procedure for configuring all SNMP settings.

[Screen: Advanced > Remote MGMT > SNMP. Access Status: LAN & WAN. Secured Client IP: All / Selected 0.0.0.0. SNMP Configuration: Get Community: public; Set Community: public; Trap Community: public; Trap Destination: 192.168.1.33.]

Note: You may also need to create a Firewall rule.

Key Settings (Option: Description)

Port: You may change the server port number for a server if needed; however, you must use the same port number in order to use that service for remote management.

Access Status: Select the interface through which a computer may access the ZyXEL Device using the service.

Secured Client IP: A secured client is a trusted computer that is allowed to communicate with the ZyXEL device using this service. Select All to allow any computer to access the ZyXEL device using this service. Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL device using this service.

Get Community: Enter the correct Get Community. This Get Community must match the Get and GetNext community requested from the NMS. The default is p
151. rized devices on the wireless network without going through a security process and review.

What is Wireless Sniffer? An attacker can sniff and capture legitimate traffic. Many of the sniffer tools for Ethernet are based on capturing the first part of the connection session, where the data would typically include the username and password. An intruder can masquerade as that user by using this captured information. An intruder who monitors the wireless network can apply this same attack principle on the wireless.

What is the difference between Open System and Shared Key of Authentication Type?

Open System: The default authentication service that simply announces the desire to associate with another station or access point. A station can authenticate with any other station or access point using open system authentication if the receiving station designates open system authentication.

Shared Key: The optional authentication that involves a more rigorous exchange of frames, ensuring that the requesting station is authentic. For a station to use shared key authentication, it must implement WEP.

What is 802.1x? IEEE 802.1x Port-Based Network Access Control is an IEEE (Institute of Electrical and Electronics Engineers) standard which specifies a standard mechanism for authenticating, at the link layer (Layer 2), users acces
152. rp IP Src=202.132.154.1 Dst=192.168.1.33 UDP spo=0035 dpo=05d4 S03>R01mF
Jul 19 14:44:13 192.168.1.1 ZyXEL Communications Corp IP Src=192.168.1.33 Dst=202.132.154.1 ICMP S03>R01mF

PPP Log

Format:
sdcmdSyslogSend(SYSLOG_PPPLOG, SYSLOG_NOTICE, String);
String = ppp Proto Starting / ppp Proto Opening / ppp Proto Closing / ppp Proto Shutdown
Proto = LCP / ATCP / BACP / BCP / CBCP / CCP / CHAP / PAP / IPCP / IPXCP

Example:
Jul 19 11:43:25 192.168.1.1 ZyXEL Communications Corp ppp LCP Starting
Jul 19 11:43:29 192.168.1.1 ZyXEL Communications Corp ppp IPCP Starting
Jul 19 11:43:34 192.168.1.1 ZyXEL Communications Corp ppp CCP Starting
Jul 19 11:43:38 192.168.1.1 ZyXEL Communications Corp ppp BACP Starting
Jul 19 11:43:43 192.168.1.1 ZyXEL Communications Corp ppp IPCP Opening
Jul 19 11:43:51 192.168.1.1 ZyXEL Communications Corp ppp CCP Opening
Jul 19 11:43:55 192.168.1.1 ZyXEL Communications Corp ppp BACP Opening
Jul 19 11:44:00 192.168.1.1 ZyXEL Communications Corp ppp LCP Closing
Jul 19 11:44:05 192.168.1.1 ZyXEL Communications Corp ppp IPCP Closing
Jul 19 11:44:09 192.168.1.1 ZyXEL Communications Corp ppp CCP Closing
Jul 19 11:44:14 192.168.1.1 ZyXEL Communications Corp ppp BACP Closing

Using IP Alias

What is IP Alias? In a typical enviro
153. - Many to Many No Overload: In Many to Many No Overload mode, the Prestige maps each ILA to a unique IGA.
- Server: In Server mode, the Prestige maps multiple inside servers to one global IP address. This allows us to specify multiple servers of different types behind the NAT for outside access. Note: if you want to map each server to one unique IGA, please use the One to One mode.

The following table summarizes these types (NAT Type: IP Mapping; Direction):

One to One: ILA1 <-> IGA1; Both
Many to One (SUA/PAT): ILA1 -> IGA1, ILA2 -> IGA1; Outgoing
Many to Many Overload: ILA1 -> IGA1, ILA2 -> IGA2, ILA3 -> IGA1, ILA4 -> IGA2; Outgoing
Many to Many No Overload (Allocate by Connections): ILA1 -> IGA1, ILA2 -> IGA3, ILA3 -> IGA2, ILA4 -> IGA4; Outgoing
Server: Server 1 IP <- IGA1, Server 2 IP <- IGA1; Incoming

SUA Versus NAT

SUA (Single User Account) in previous ZyNOS versions is a NAT set with 2 rules: Many to One and Server. The Prestige now has Full Feature NAT support to map global IP addresses to local IP addresses of clients or servers. With multiple global IP addresses, multiple servers of the same type (e.g. FTP servers) are allowed on the LAN for outside access. In previous ZyNOS versions that supported SUA, visible servers had to be of
154. [Figure: EAPOL packet carried in an Ethernet frame (destination 0180C2 000003), with fields Protocol Version, Packet Type, Packet Body Length and Packet Body. Packet types: EAP Packet = 0, EAPOL Start = 1, EAPOL Logoff = 2, EAPOL Key = 3.]

EAP Packet: Both the supplicant and the authenticator send this packet when authentication is taking place. This is the packet that contains either the MD5 Challenge or TLS information required for authentication.

EAPOL Start: The supplicant sends this packet when it wants to initiate the authentication process.

EAPOL Logoff: The supplicant sends this packet when it wants to terminate its 802.1x session.

EAPOL Key: This is used for the TLS authentication method. The Wireless AP uses this packet to send the calculated WEP key to the supplicant after TLS negotiation has completed between the supplicant and the RADIUS server.

IEEE 802.1x Configuration in ZyXEL Wireless Access Point

Enable 802.1x in AP: When IEEE 802.1x authentication is enabled, the wireless client must be authenticated by the ZyXEL AP before it can communicate on your network through the ZyXEL AP. By default, the 802.1x function is disabled (Authentication Control: Force Authorized) to allow all wireless clients. You can use Web Configuration to configure it.
155. rt IP, Local End IP, Global Start IP, Global End IP, Type:
1: 192.168.1.10; IGA1; 1-1
2: 192.168.1.11; IGA2; 1-1
3: 0.0.0.0 to 255.255.255.255; IGA3; M-1
4: IGA3; Server

Step 3: Now we configure all other incoming traffic to go to our web server and mail server from Menu 15.2 NAT Server Setup (not Set 1; Set 1 is used for the SUA Only case).

[Screen: Default Server Setup. Default Server: 0.0.0.0. Server Mapping Set 2: SMTP -> 192.168.1.20; www (80 to 80) -> 192.168.1.20.]

4. Support Non NAT Friendly Applications

Some servers providing Internet applications, such as some mIRC servers, do not allow users to log in using the same IP address. In this case it is better to use the Many to Many No Overload or One to One NAT mapping types, so that each user logs in to the server using a unique global IP address. The following figure illustrates this.

[Figure: User 1 (ILA1 192.168.1.10), User 2 (ILA2 192.168.1.11) and User 3 (ILA3 192.168.1.12) behind the Prestige; 3 ILAs map to 3 IGAs using Many to Many No Overload or One to One type.]

One rule configured for using the Many to Many No Overload mapping type is shown below.

> Network > NAT >
156. rver When the authenticator receives EAPOL frames and relays them to the authentication server, the Ethernet header is stripped and the remaining EAP frame is re-encapsulated in the RADIUS format. The EAP frames are not modified or examined during encapsulation, and the authentication server must support EAP within the native frame format. When the authenticator receives frames from the authentication server, the server's frame header is removed, leaving the EAP frame, which is then encapsulated for Ethernet and sent to the supplicant.

When the client supplies its identity, the authenticator begins its role as the intermediary, passing EAP frames between the supplicant and the authentication server until authentication succeeds or fails. If the authentication succeeds, the switch port becomes authorized.

The specific exchange of EAP frames depends on the authentication method being used. The figure below shows a message exchange initiated by the client using the MD5 Challenge authentication method with a RADIUS server.

[Figure: message exchange between Supplicant, Authenticator and Authentication Server (RADIUS server): EAPOL Start; EAP Request Identity; EAP Response Identity (MyID); Radius Access Request; Radius Access Challenge; EAP Request Challenge (MD5); EAP Response Challenge (MD5); Radius Access Request]
157. s The device (i.e. RADIUS server) provides an authentication service to an authenticator. This service determines, from the credentials provided by the supplicant, whether the supplicant is authorized to access the services provided by the authenticator. The authentication server performs the actual authentication of the client. It validates the identity of the supplicant. Because the authenticator acts as the proxy, the authentication service is transparent to the supplicant. Some Wireless APs (i.e. ZyXEL Wireless AP) have a built-in authentication server, so an external RADIUS authentication server is not needed. In this case the Wireless AP acts as both authenticator and authentication server.

Authentication Port State and Authentication Control

The port state determines whether or not the supplicant (Wireless Client) is granted access to the network behind the Wireless AP. There are two authentication port states on the AP: authorized state and unauthorized state. By default, the port starts in the unauthorized state. While in this state, the port disallows all incoming and outgoing data traffic except for 802.1x packets. When a supplicant is successfully authenticated, the port transitions to the authorized state, allowing all traffic for the client to flow normally. If a client that does not support 802.1x is connected to an unauthorized 802.1x port, the authenticator requests the client's identity. In this situation the client does not respond to the
158. s Backup button, a pop-up window will ask you where to store the backup romfile. Press Save file and browse to where you want the file to be saved. Press the Save button.

How do I backup/restore configurations by using an FTP client program via LAN? Use an FTP client program on your PC, such as CuteFTP or WS_FTP, to log in to your Prestige. To back up the configurations, use the FTP client program to get the file rom-0 from the Prestige. To restore the configurations, use the FTP client program to put your configuration in the file rom-0 in the Prestige.

Why can't I make Telnet to Prestige from WAN? There are three possible reasons that Telnet from WAN is blocked:
a. You have not enabled Telnet service on the WAN interface in Menu 24.11.
b. Telnet service is enabled but your host IP is not the secured host entered in Menu 24.11. In this case, the error message "Client IP is not allowed" will appear on the Telnet screen.
c. The default filter rule 3 (Telnet FTP WAN) is applied in the Input Protocol field in menu 11.5.

What should I do if I forget the system password? In case you forget the system password, you can reset the unit back to factory default. You can reset the unit by using a sharp pointed object such as a pen to press and hold down the reset button for 5 seconds, or until the power LED starts to blink, then release. The unit is
159. What are the differences between Transport mode and Tunnel mode?
What is Pre-Shared Key?
What are the differences between IKE and manual key VPN?
What is Phase 1 ID for?
What are Local ID and Peer ID?
When should I use FQDN?
Is my Prestige ready for IPSec VPN?
How do I configure Prestige VPN?
How many VPN connections does Prestige support?
What VPN protocols are supported by Prestige?
What types of encryption does Prestige VPN support?
What types of authentication does Prestige VPN support?
I am planning my Prestige to Prestige VPN configuration. What do I need to know?
Does Prestige support dynamic secure gateway IP?
What VPN gateway that has been tested with Prestige successfully?
What VPN software that has been tested with Prestige successfully?
Will ZyXEL support Secure Remote Management?
Doe
160. s Prestige VPN support NetBIOS broadcast?
Is the host behind NAT allowed to use IPSec?
Where can I configure Phase 1 ID in Prestige?
If I have NAT router between two VPN gateways and I would like to use IP type as Phase 1 ID, what should I know?
How can I keep a tunnel alive?
Single, Range, Subnet: which types of IP address do Prestige 10 101I 10W 50 100 support in VPN/IPSec?
Can Prestige support IPSec passthrough?
Can Prestige behave as a NAT router supporting IPSec passthrough and an IPSec gateway simultaneously?

Wireless FAQ
What is a Wireless LAN?
What are the advantages of Wireless LANs?
What are the disadvantages of Wireless LANs?
Where can you find wireless 802.11 networks?
What is an Access Point?
What is IEEE 802.11?
How fast is 802.11b
161. s configured time period has expired.

Use this field to set how long the Prestige waits before sending a repeat registration request if a registration attempt fails or there is no response from the registration server.

Use this field to set the longest time that the Prestige will allow a SIP session to remain idle (without traffic) before dropping it.

When two SIP devices negotiate a SIP session, they must negotiate a common expiration time for idle SIP sessions. This field sets the shortest expiration time that the Prestige will accept. The Prestige checks the session expiration values of incoming SIP INVITE requests against the minimum session expiration value that you configure here. If the session expiration of an incoming INVITE request is less than the value you configure here, the Prestige negotiates with the other SIP device to increase the session expiration value to match the Prestige's minimum session expiration value.

Real-time Transport Protocol (RTP) is used to handle voice data transfer. Use this field to configure the Prestige's listening port range for RTP traffic. Leave these fields set to the defaults if you were not given a range of RTP ports to use.

The Dual-Tone Multi-Frequency (DTMF) mode sets how the Prestige handles the tones that your telephone makes when you push its buttons. It is recommended that you use the same mode that your VoIP service provider uses.
162. s data.

A Smurf hacker flood a destination IP address of each packet is the broadcast address of the network, the router will broadcast the ICMP echo request packet to all hosts on the network. If there are numerous hosts, this will create a large amount of ICMP echo request packets. The resulting ICMP traffic will not only clog up the intermediary network but will also congest the network of the spoofed source IP address, known as the victim network. This flood of broadcast traffic consumes all available bandwidth, making communications impossible.

What is IP Spoofing attack? Many DoS attacks also use IP Spoofing as part of their attack. IP Spoofing may be used to break into systems, to hide the hacker's identity, or to magnify the effect of the DoS attack. IP Spoofing is a technique used to gain unauthorized access to computers by tricking a router or firewall into thinking that the communications are coming from within the trusted network. To engage in IP Spoofing, a hacker must modify the packet headers so that it appears that the packets originate from a trusted host and should be allowed through the router or firewall.

What are the default ACL firewall rules in Prestige? There are two default ACLs pre-configured in the Prestige: one allows all connections from LAN to WAN, and the other blocks all connections from WAN to LAN except for the DHCP packets.

[Figure: Default ACLs; Prestige and Internet, forward LAN to WAN connections]
163. s instead. The reason for this misnomer is that the WEP key (40/104 bits) is concatenated with the initialisation vector (24 bits), resulting in a 64/128 bit total key size.

[Figure: WEP encryption with RC4 (IV, key sequence, transmitted data)]

Setting up the Access Point

Most access points and clients have the ability to hold up to 4 WEP keys simultaneously. You need to specify one of the 4 keys as the default key for data encryption. To set up the Access Point, you will need to set one of the following parameters:
- 64-bit WEP key (secret key) with 5 characters
- 64-bit WEP key (secret key) with 10 hexadecimal digits
- 128-bit WEP key (secret key) with 13 characters
- 128-bit WEP key (secret key) with 26 hexadecimal digits

Setting up the Access Point with Web configurator

[Screen: Network > Wireless LAN > General. Wireless Setup: Active Wireless LAN; Network Name (SSID): ZyXEL; Hide SSID; Channel Selection: Channel 06 2437MHz. Security: Security Mode: Static WEP; Passphrase; Generate; WEP Key: 12345.]

Note: The different WEP key lengths configure different
164. s must be for phones on the PSTN, not VoIP phones (field: Immediate Dial).

Call Service Mode: Use this field to set how the Prestige handles supplementary phone services (call hold, call waiting, call transfer and three-way conference calls). Select the mode that your voice service provider supports. Select Europe Type to use the supplementary phone services in European mode. Select USA Type to use the supplementary phone services in American mode. See your User's Guide for supplementary phone service details. To take full advantage of the supplementary phone services available through the Prestige's phone ports, you may need to subscribe to the services from your voice service provider.

Back: Click Back to return to the previous screen.

Apply: Click Apply to save your changes back to the Prestige.

FAQ

ZyNOS FAQ

What is ZyNOS? ZyNOS is ZyXEL's proprietary Network Operating System. It is the platform on all Prestige routers that delivers network services and applications. It is designed in a modular fashion so it is easy for developers to add new features. New ZyNOS software upgrades can be easily downloaded from our FTP sites and public Web download site as they become available.

How do I access the embedd
165. s to IEEE 802 networks, such as Ethernet (IEEE 802.3) and Wireless LAN (IEEE 802.11). For IEEE 802.11 WLAN, IEEE 802.1x authentication can be based on username/password or digital certificate.

What is the difference between No authentication required, No access allowed and Authentication required?

No authentication required: disables 802.1X and causes the port to transition to the authorized state without any authentication exchange required. The port transmits and receives normal traffic without 802.1X-based authentication of the client.

No access allowed: causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate. The switch cannot provide authentication services to the client through the interface.

Authentication required: enables 802.1X and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port transitions from down to up, or when an EAPOL start frame is received. The switch requests the identity of the client and begins relaying authentication messages between the client and the authentication server. Each client attempting to access the network is uniquely identified by the switch by using the client's MAC address.

What is AAA? AAA is the acronym for Authentication, Authorization and Accounting, and refers to the idea of managing subscribers by controlling their a
166. s use dynamic IP addresses, there is no way to establish a VPN connection at all.

What VPN gateway that has been tested with Prestige successfully? We have tested Prestige successfully with the following third-party VPN gateways:
- Cisco 1720 Router, IOS 12.2(2)XH, IP/ADSL/FW/IDS PLUS IPSEC 3DES
- NetScreen 5, ScreenOS 2.6.0r6
- SonicWALL SOHO 2
- WatchGuard Firebox II
- ZyXEL Prestige 100
- Avaya VPN
- Netopia VPN
- III VPN

What VPN software that has been tested with Prestige successfully? We have tested Prestige successfully with the following third-party VPN software:
- SafeNet Soft-PK, 3DES edition
- Checkpoint Software
- SSH Sentinel 1.4
- SecGo IPSec for Windows
- F-Secure IPSec for Windows
- KAME IPSec for UNIX
- Nortel IPSec for UNIX
- Intel VPN v. 6.90
- FreeS/WAN for Linux
- SSH Remote ISAKMP Testing Page, http://isakmp-test.ssh.fi/cgi-bin/nph-isakmp-test
- Windows 2000, Windows XP IPSec

Will ZyXEL support Secure Remote Management? Yes, we will support it and we are working on it currently.

Does Prestige VPN support NetBIOS broadcast? The current 3.50 firmware release does not support it, but it is on our wish list.

Is the host behind NAT allowed to use IPSec?
VPN Gateway embedded NAT: AH tunnel mode, ESP tunnel mode
VPN client/gateway behind NAT: ESP tunnel mode
NAT in Transport mode: None
167. se enter the User Name and Password given to you by your Internet Service Provider here.

[Screen: User Name, Password and Service Name fields]

Note: The device is automatically configured to obtain an IP address automatically. The ISP will assign you a different one each time you connect to the Internet.

Setup the Prestige as a DHCP Relay

What is DHCP Relay? DHCP stands for Dynamic Host Configuration Protocol. In addition to the DHCP server feature, the P2802 supports the DHCP relay function. When it is configured as DHCP server, it assigns the IP addresses to the LAN clients. When it is configured as DHCP relay, it is responsible for forwarding the requests and responses negotiated between the DHCP clients and the server. See figure 1.

[Figure 1: Prestige as a DHCP Relay (DHCP Server, Prestige, DHCP Client)]

Setup the Prestige as a DHCP Client

1. Toggle the DHCP to Relay in Network > LAN > DHCP Setup and enter the IP address of the DHCP server in the Remote DHCP Server field.

[Screen: Network > LAN > DHCP Setup. DHCP Setup: DHCP; IP Pool Starting Address; Pool Size; Remote DHCP Server: 192.168.1.2. DNS Server: DNS Servers Assigned by DHCP Server.]
168. side the power connector. Press down the reset button and hold it down for approximately 5 seconds; the unit will be reset. When the reset button is pressed, all of the device's parameters will be reset back to factory default, including password and IP address. The default IP address is 192.168.1.1, Password 1234.

What network interface does the new Prestige series support? The new Prestige series supports an auto MDI/MDIX 10/100M Ethernet LAN port to connect to the computer or switch on the LAN, and an ADSL port on the WAN.

How does the Prestige support TFTP? In addition to the direct console port connection, the Prestige supports uploading and downloading of the firmware and configuration file using TFTP (Trivial File Transfer Protocol) over LAN.

Can the Prestige support TFTP over WAN? Although TFTP should work over WAN as well, it is not recommended because of the potential data corruption problems.

How fast can the data go? The speed of the ADSL is only one part of the equation. There is a combination of factors, starting with how fast your PC can handle IP traffic, then how fast your PC to cable modem interface is, then how fast the cable modem system runs and how much congestion there is on the cable network, then how big a pipe there is at the head end to the rest of the Internet. Different models of PCs and Macs are able to handle IP traffic at vary
169. ss phase 1 ID checking.
When should I use FQDN?
If your VPN connection is Prestige to Prestige, both of them have static IP addresses, and there is no NAT router in between, you can ignore this option. Just leave the Local/Peer ID type as IP, then skip this option. If either side of the VPN tunnel end point is using a dynamic IP address, you may need to configure an ID for the one with the dynamic IP address. In this case, Aggressive mode is recommended for the phase 1 negotiation.
Is my Prestige ready for IPSec VPN?
IPSec VPN is available for Prestige since ZyNOS V3.50. It is a free upgrade; no registration is needed. By upgrading the firmware and the configuration romfile to ZyNOS V3.50, the IPSec VPN capability is ready in your Prestige. You can then configure VPN via the web configurator. Please download the firmware from our web site.
NOTE: For updating from ZyNOS V3.2x to V3.5x, please use console or TFTP update. This is because of the memory allocation difference between these two versions.
How do I configure Prestige VPN?
You can configure Prestige for VPN using SMT or Web configurator. Prestige 1 supports Web only.
How many VPN connections does Prestige support?
Prestige 1 supports 1 VPN connection, Prestige 10 supports 10 VPN connections, Prestige 50 supports 50 tunnels, Prestige 100 supports 100 tunnels.
170. stem when you wish to make a call to a PSTN destination. For example, when you want to dial out to a PSTN destination, you first pick up the phone and hear a dial tone, then you enter the prefix number as defined in the prefix field (in this case 0000), and the device switches over to the PSTN line. At this moment you will hear a dial tone from the PSTN again. In this state you can dial out to the PSTN as you would on a regular PSTN system.
Relay to PSTN
The Relay to PSTN field can be found under the PSTN configuration WEB GUI, in the Relay to PSTN section. This field is used to specify phone numbers to which the Prestige will always send calls through the regular PSTN phone service without entering the prefix. In other words, numbers specified in this field can be dialed without the prefix number. However, these numbers must be for phones on the PSTN, not VoIP phones, and currently the P2802HWL supports up to nine entries in this field. After configuring the PSTN setup, click Apply to save the changes to the P2802HWL.
Note: It is recommended to configure the phone numbers of your local emergency services (such as Police Dept., Fire Dept., Emergency Medical Services) in this field. These services can then be reached in an emergency by dialing their number without the prefix, regardless of whether there is a power loss.
How to connect Lifeline
171. stige WAN 202.132.154.3
Since the VPN client is behind a NAT router, it must have a private IP address in most cases. This may cause the VPN client to send its private IP address as the content of its phase 1 ID. So you have to configure the Prestige's secure gateway's phase 1 ID as the private IP address of the VPN client.
How can I keep a tunnel alive?
To keep a tunnel alive, you can check the keep alive option when configuring your VPN tunnel. With this option, whenever the phase 2 SA lifetime is due, the IKE negotiation procedure will be invoked automatically, even without traffic, to keep the connection up. But to reduce the consumption of system resources, if VPN tunnels get disconnected, either manually, by idle timer, or because of a power cycle, packet triggering is still necessary to bring the tunnel up.
Single, Range, Subnet: which types of IP address do Prestige 10 1011 10W 50 100 support in VPN/IPSec?
The mentioned Prestige series support all of the types. In other words, you can specify a single PC, a range of PCs, or even a network of PCs to utilize the VPN/IPSec service.
Can Prestige support IPSec passthrough?
Yes, Prestige can support IPSec passthrough. The Prestige series not only supports IPSec VPN gateway; it can also be a NAT router supporting IPSec passthrough. If the VPN connection is initiated from the security gateway behind Prestige, no configuration is necessary for NAT or Firewall. If the VPN connection is initiated from th
172. syslog server manual for more information.
• UNIX Setup
1. Make sure that your syslogd starts with the -r argument; this option enables the facility to receive messages from the network using an Internet domain socket with the syslog services. The default setting is not enabled.
2. Edit the file /etc/syslog.conf by adding the following line at the end of the /etc/syslog.conf file:
   local1.* /var/log/zyxel.log
   Where /var/log/zyxel.log is the full path of the log file.
3. Restart syslogd.
• CDR log (call messages)
Format: sdcmdSyslogSend SYSLOG CDR SYSLOG INFO String
String = board xx line xx channel xx call xx str
board = the hardware board ID
line = the WAN ID in a board
channel = channel ID within the WAN
call = the call reference number, which starts from 1 and increments by 1 for each new call
str =
   C0 Outgoing Call dev xx ch xx (dev: device No.; ch: channel No.)
   C01 Incoming Call xxxxBps xxxxx (L2TP; xxxxx means Remote Call ID)
   C01 Incoming Call (xxxx means connected speed; xxxxx means Remote Call ID)
   L02 Tunnel Connected (L2TP)
   C02 OutCall Connected (xxxx means connected speed; xxxxx means Remote Call ID)
   C02 CLID call refused
   L02 Call Terminated
   C02 Call Terminated
Example:
Feb 14 16:57:17 192.168.1.1 ZyXEL Communications Corp board 0 line 0 channel 0 call 18 C01 Incoming Call OK
Feb 14 17
173. t Number 198
[Screen: SIP Settings, with SIP Local Port 5060, SIP Server Address, SIP Server Port 5060, REGISTER Server Address 220.130.46.197, REGISTER Server Port 5060, SIP Service Domain 220.130.46.197, Send Caller ID, and Authentication User Name and Password fields]
[Screen: VoIP > Phone Book > Speed Dial, with the Speed Dial entry form and the Speed Dial Phone Book list; entry 01 is number 197 at 220.130.46.197]
1. Setup WEB GUI VoIP: enter device B's number in the SIP number column.
2. Fill in device A's IP into SIP server address and Register server address, as in the example.
3. Setup speed dial: put device A's information into the column.
After completing the setting, you can dial 01 from the phone under device A, then the phone under device B will ring.
Phone port settings
Prestige allows you to configure the volume and echo cancellation setting for each individual phone port.
Phone > Analog Phon
174. t Notes
The following procedure is for the most typical usage of the Prestige, where you have a single user account (SUA). The Prestige supports an embedded web server that allows you to use a Web browser to configure it. Before configuring the router using a browser, please be sure there is no Telnet or Console login.
1. Retrieve Prestige Web. Please enter the LAN IP address of the Prestige router in the URL location to retrieve the web screen from the Prestige. The default LAN IP of the Prestige is 192.168.1.1. See the example below. Note that you can either use http://192.168.1.1
2. Login first. The default password is the default WEB GUI password, 1234.
3. Configure Prestige for Internet access by using WIZARD SETUP.
[Screen: Welcome to the ZyXEL Wizard Setup, offering INTERNET/WIRELESS SETUP and VOICE OVER INTERNET SETUP]
The Web screen shown below takes PPPoE as the example.
[Screen: INTERNET/WIRELESS SETUP, Internet Configuration, ISP Parameters for Internet Access]
Plea
175. t unused field and a 6-bit DSCP field, which can define up to 64 service levels. The following figure illustrates the DS field.
[Figure: DiffServ (Differentiated Service) Field: Diffserv Code Point (6 bit), Unused (2 bit)]
The DSCP value determines the forwarding behavior, the PHB (Per Hop Behavior), that each packet gets across the Diffserv network. The PHB value is defined in RFC2597 and introduced where classes are developed, such as Business, Telecommuter, Residential, etc., that can be offered by an ISP as different levels of service. The following table illustrates the DSCP values:

Assured Forwarding    Low Drop Probability    Medium Drop Probability    High Drop Probability
Class                 AF21                    AF22                       AF23
Class                 AF31                    AF32                       AF33
Class                 AF41                    AF42                       AF43
Expedited Forwardi

The values in decimal are given in the following table:

DSCP       Binary    Decimal
Default
CS2        010000    16
AF21       010010    18
AF22       010100    20
AF23       010110    22
CS3        011000    24
AF31       011010    26
AF32       011100    28
AF33       011110    30
CS4        100000    32
AF41       100010    34
AF42       100100    36
AF43       100
CS5
EF
CS6
CS7
176. te Win9x client from WinNT
This ping command is used to demonstrate that the remote Win9x client can be reached across the Internet. If the Internet connection between the two LANs is achieved, you can place a VPN call from the remote Win9x client. For example:
C:\> ping 203.66.113.2
When a dial-up connection to the ISP is established, a default gateway is assigned to route traffic through that connection. Therefore, the output below shows the default gateway of the Win9x client after the dial-up connection has been established.
Before making a VPN connection from the Win9x client to the NT server, you need to know the exact Internet IP address that the ISP assigns to the Prestige router in SUA mode, and enter this IP address in the VPN dial-up dialog box. You can check this Internet IP address from PNC Monitor or the WEB GUI Status page. If the Internet IP address is a fixed IP address provided by the ISP in SUA mode, then you can always use this IP address for reaching the VPN server. In the following example, the IP address 140.113.1.225 is dynamically assigned by the ISP. You must enter this IP address in the VPN Server dialog box for reaching the PPTP server. After the VPN link is established, you can start network protocol applications such as IP, IPX and NetBEUI.
[Screen: Connect To dialog, with User name, Password and VPN server fields]
177. te of the port transitions from down to up, or when an EAPOL-Start frame is received, requests the identity of the client and begins relaying authentication messages between the supplicant and the authentication server. Each supplicant attempting to access the network is uniquely identified by the authenticator by using the client's MAC address. While the AP is set up as Auto, only wireless clients that support 802.1x can access the network.
• Re-Authentication
The administrator can enable periodic 802.1x client re-authentication and specify how often it occurs. When re-authentication times out, the Authenticator will send EAP-Request/Identity to reinitiate the authentication process. In the ZyXEL Wireless AP 802.1x implementation, if you do not specify a time period before enabling re-authentication, the number of seconds between re-authentication attempts is 1800 seconds (30 minutes).
• EAPOL (Extensible Authentication Protocol over LAN)
Authenticators and supplicants communicate with one another by using the Extensible Authentication Protocol (EAP, RFC 2284). EAP was originally designed to run over PPP and to authenticate dial-in users, but 802.1x defines an encapsulation method for passing EAP packets over Ethernet frames. This method is referred to as EAP over LANs, or EAPOL. The Ethernet type of EAPOL is 88-8E, two octets in length. EAPOL encapsulations are described for IEEE 802 compliant environments, such as 802.3 Ethernet, 802.11 Wireless LAN and Token Ring/FDDI.
178. [Screen: ZyAIR G-100 Wireless LAN PC Card Utility, Configuration tab, with Profile, Operating Mode (Infrastructure), Service Set Identifier (SSID), Channel and Power Saving Mode settings]
3. Select Infrastructure from the operation mode pull-down menu, fill in an SSID or leave it as any if you wish to connect to any AP, then press Apply Change to take effect.
4. Click on the Site Survey tab and press Search; all the available APs will be listed.
[Screen: ZyAIR G-100 Wireless LAN PC Card Utility, Site Survey tab, listing the available Access Points and their features]
5. Double-click on the AP you want to associate with.
[Screen: ZyAIR G-100 Wireless LAN PC Card Utility]
179. than reset back to factory default. The reset button is located near the power jack on the unit's back panel.
Note: By resetting the unit back to factory default, you will lose all your previous settings.
What is SUA? When should I use SUA?
SUA (Single User Account) is a unique feature supported by the Prestige router which allows multiple people to access the Internet concurrently for the cost of a single user account.
When the Prestige acting as SUA receives a packet from a local client destined for the outside Internet, it replaces the source address in the IP packet header with its own address and the source port in the TCP or UDP header with another value chosen out of a local pool. It then recomputes the appropriate header checksums and forwards the packet to the Internet as if it originated from the Prestige, using the IP address assigned by the ISP. When reply packets from the external Internet are received by the Prestige, the original IP source address and TCP/UDP source port numbers are written into the destination fields of the packet (since it is now moving in the opposite direction), the checksums are recomputed, and the packet is delivered to its true destination. This is because SUA keeps a table of the IP addresses and port numbers of the local systems currently using it.
What is the difference between NAT and SUA?
NAT is a generic name defined in RFC 1631, The IP Network Address Translator (NAT). SUA (Internet Single User Account) is ZyXEL's implementation a
180. the echo caused by the sound of your voice reverberating in the telephone receiver while you talk.
VAD: Select this check box to use Voice Activity Detection (VAD) to reduce the bandwidth that a call uses. The Prestige will generate and send comfort noise when you are not talking.
Dialing Interval: When you are dialing a telephone number, the Prestige waits this long after you stop pressing the buttons before initiating the call. Select how many seconds you want the Prestige to wait after the last input on the telephone's keypad before dialing (making a call).
Apply: Click Apply to save your changes back to the Prestige.
Reset: Click Reset to begin configuring this screen afresh.
Advanced voice settings configuration
Click VoIP in the navigation panel and then SIP to open the SIP Settings. Select a SIP account and then click Advanced Settings to display the following screen. Advanced voice settings configuration allows the user to modify SIP server related settings, RTP port range, preferred compression type (codec), DTMF type and Message Waiting Indication (MWI).
[Screen: Advanced Settings for SIP Account SIP1, with SIP Server Settings (URL Type, Expiration Duration, Register Re-send timer, Session Expires, Min-SE) and RTP Port Range]
181. the key to be shared between the external RADIUS authentication server and the ZyXEL AP (RADIUS client). The key is not sent to the network. This key must be the same on the external RADIUS authentication server and the ZyXEL AP. (Field: Shared Secret)
Site Survey
Introduction
What is Site Survey?
An RF site survey is a map of the RF coverage contour in a particular facility. With wireless systems it is very difficult to predict the propagation of radio waves and detect the presence of interfering signals. Walls, doors, elevator shafts and other obstacles offer different degrees of attenuation. This causes the RF coverage pattern to be irregular and hard to predict. A site survey can help us overcome these problems and even provide us with a map of the RF coverage of the facility.
Preparation
Below are the steps to complete a simple site survey with simple tools.
1. First you will need to obtain a facility diagram, such as blueprints. This is for you to mark and take records on.
2. Visually inspect the facility: walk through the facility to verify the accuracy of the diagram, and mark down on the diagram any large obstacles you see that may affect the RF signal, such as metal shelves, metal desks, etc.
3. Identify the users' area: when doing so, ask where wireless coverage is needed and where it is not, and take note on the diagram; this is informati
182. tiate authentication by sending an EAPOL-Start frame, which prompts the switch to request the supplicant's identity. In the above case, the authenticator is co-located with the authentication server. When the supplicant supplies its identity, the authenticator directly exchanges EAPOL with the supplicant until authentication succeeds or fails. If the authentication succeeds, the port becomes authorized. If the authentication fails, the port becomes unauthorized. When the supplicant does not need wireless access any more, it sends an EAPOL-Logoff packet to terminate its 802.1x session; the port state will become unauthorized. The following figure shows the EAPOL exchange ping-pong chart.
[Figure: EAPOL exchange between the Supplicant and the Authenticator / Authentication Server: EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, EAP-Request/Challenge, EAP-Response/Challenge, then either EAP-Success (authentication success, port authorized) or EAP-Fail (authentication fail, port unauthorized); EAPOL-Logoff (authentication terminated, port unauthorized)]
The EAPOL packet contains the following fields: protocol version, packet type, packet body length, and packet body. Most of the fields are obvious. The packet type can have four different values, and these values are described below.
183. tput jack on the Y connector. Connect the DSL cable to the other output jack on the Y connector. Connect the Y connector input port with a phone cable to the wall jack or line from the ISP.
VoIP Application Notes
Setup SIP Account
VoIP is the sending of voice signals over the Internet Protocol. This allows you to make phone calls and send faxes over the Internet at a fraction of the cost of using the traditional circuit-switched telephone network. The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sessions over the Internet.
SIP signaling is separate from the media for which it handles sessions. The media that is exchanged during the session can use a different path from that of the signaling. SIP handles telephone calls and can interface with traditional circuit-switched telephone networks.
The Prestige can hold up to two SIP accounts simultaneously; please follow the instructions below to configure the SIP account properly.
Note: You should have a voice account already set up and have VoIP information from your VoIP service provider prior to configuring a SIP account on the unit.
[Screen: VoIP > SIP > SIP Settings, showing the SIP Account selector and the Active SIP Account and Number fields]
184. transmission. A router determines the best route for transmission by choosing a path with the lowest cost. RIP routing uses hop count as the measurement of cost, with a minimum of 1 for directly connected networks. The number must be between 1 and 15; a number greater than 15 means the link is down. The smaller the number, the lower the cost.
Type the IP address of your backup gateway in dotted decimal notation. The Prestige automatically forwards traffic to this IP address if the Prestige's Internet connection terminates.
Click Back to return to the previous screen. Click Apply to save the changes. Click Cancel to begin configuring this screen afresh.
Using Universal Plug n Play (UPnP)
• 1. What is UPnP?
UPnP (Universal Plug and Play) makes connecting PCs of all form factors, intelligent appliances and wireless devices in the home, office and everywhere in between easier and even automatic by leveraging TCP/IP and Web technologies. UPnP can be supported on essentially any operating system and works with essentially any type of physical networking media, wired or wireless.
UPnP also supports NAT Traversal, which can automatically solve many NAT-unfriendly problems. With UPnP, applications assign the dynamic port mappings to the Internet gateway and delete the mappings when the connections are complete.
The key comp
185. ts by using: sys trcp parse from index to index
2. Trace WAN packet
1.1 Disable the capture of the LAN packet by entering: sys trcp channel enet0 none
1.2 Enable the capture of the WAN packet by entering: sys trcp channel mpoa00 bothway
1.3 Enable the trace log by entering: sys trcp sw on & sys trcl sw on
1.4 Wait for packets passing through the Prestige over WAN
1.5 Disable the trace log by entering: sys trcp sw off & sys trcl sw off
1.6 Display the trace briefly by entering: sys trcp brief
1.7 Display specific packets by using: sys trcp parse from index to index
CLI Command List
The latest CI command list is available in the release notes of every ZyXEL firmware release. Please go to the ZyXEL public web site, http://www.zyxel.com/support/download.php, to download the firmware package (zip); you should unzip the package to get the release note in PDF format.
186. u ASES Block WAN to LAN Connections
How can I protect against IP spoofing attacks?
The Prestige's firewall will automatically detect IP spoofing and drop it if the firewall is turned on. If the firewall is not turned on, we can configure a filter set to block IP spoofing attacks. The basic scheme is as follows.
For the input data filter:
• Deny packets from the outside that claim to be from the inside
• Allow everything that is not spoofing us
Filter rule setup:
• Filter type = TCP/IP Filter Rule
• Active = Yes
• Source IP Addr = a.b.c.d
• Source IP Mask = w.x.y.z
• Action Matched = Drop
• Action Not Matched = Forward
Where a.b.c.d is an IP address on your local network and w.x.y.z is your netmask.
For the output data filters:
• Deny bounceback packet
• Allow packets that originate from us
Filter rule setup:
• Filter Type = TCP/IP Filter Rule
• Active = Yes
• Destination IP Addr = a.b.c.d
• Destination IP Mask = w.x.y.z
• Action Matched = Drop
• Action Not Matched = Forward
Where a.b.c.d is an IP address on your local network and w.x.y.z is your netmask.
Content Filter FAQ
What types of content filter does Prestige provide? Can I have different policies in effect for different times
187. ublic
Set Community: Enter the correct Set Community. This Set Community must match the Set community requested from the NMS. The default is public.
Trap Community: Enter the community name in each sent trap to the NMS. This Trap Community must match what the NMS is expecting. The default is public.
Enter the IP address of the NMS that you wish to send the traps to. If 0.0.0.0 is entered, the Prestige will not send traps to any NMS manager.
Using syslog
• Prestige Setup
[Screen: Maintenance > Logs > Log Settings, showing Syslog Logging (Active, Syslog IP Address, Log Facility), the Active Log and Alert categories, and the Send Immediate Alert options]
Configuration:
1. Click Active to enable Syslog logging.
2. Syslog IP Address: enter the IP address of the UNIX server that you wish to send the syslog to.
3. Log Facility: select the location from the drop-down list box. The log facility allows you to log the messages to different files in the syslog server. Refer to the
188. upported (the SUA only option in today's routers).
3. Many to Many Overload: In Many-to-Many Overload mode, the Prestige maps the multiple ILA to shared IGA.
4. Many to Many No Overload: In Many-to-Many No Overload mode, the Prestige maps each ILA to unique IGA.
5. Server: In Server mode, the Prestige maps multiple inside servers to one global IP address. This allows us to specify multiple servers of different types behind the NAT for outside access. Note: if you want to map each server to one unique IGA, please use the One-to-One mode.
The following table summarizes these types:

NAT Type                    IP Mapping
One to One                  ILA1 <-> IGA1
Many to One (SUA/PAT)       ILA1 <-> IGA1
                            ILA2 <-> IGA1
Many to Many Overload       ILA1 <-> IGA1
                            ILA2 <-> IGA2
                            ILA3 <-> IGA1
                            ILA4 <-> IGA2
Many to Many No Overload    ILA1 <-> IGA1
                            ILA2 <-> IGA2
                            ILA3 <-> IGA3
                            ILA4 <-> IGA4
Server                      Server 1 IP <-> IGA1
                            Server 2 IP <-> IGA1

What is the difference between SUA and Multi-NAT?
SUA (Single User Account) in previous ZyNOS versions is a NAT set with 2 rules: Many-to-One and Server. The Prestige now has Full Feature NAT support to map global IP addresses to local IP addresses of clients or servers. With multiple global IP addresses, multiple servers of the same type (e.g.
189. ver 1 type 1 code x09 sess id 0 len 12 x000C
Hit any key to continue
DIALING dev 6 ch 0
poel C ver 1 type 1 code x07 sessId x0000 len 274 x0112
poeCtr l poeGeti LI C pkt len 274
Tags
service name
service name telstra
service name bpa
service name iprimus
service name pacificinternet
service name integrationisp
service name bpa dev
service name bpa sif
service name telstrarna
service name gpmsystems
service name cmux
service name launceston broadband
service name vivanet
service name n1234567k00
service name bigpond
Service name n7061992k
Service name n3068223k
service name n2155202k
service name n7061995k
AC name vetl exhibition bsn 1
host uniq 31303030 len 4
PADO recv d chann enetl
procPADO for poe chann poeO0
Chann poe0 sending request
poePutiSrvcName len 0
host uniq 31303030 len 4
putPoeHdr ver 1 type 1 code x19 sess id 0 len 12 x000C
Undefined Address OxE3F045C4 Undefined Data Ox56FF5A4FF
r0 OxE3F045C4 rl 0x0001FFCO r2 0x000000E5 r3 Ox56FF54FF r4 OxE3F045C4 r5 OxE5BDBFEC r6 0x0001C468 r7 0x60000093
r8 0x00000000 r9 0xE3550000 r10 0xE3550000 fp 0x00000000 r12 0x56FF54FF sp 0x0001EDBC lr 0x00004F64 pc 0x00013954
00 01 02 03 04 05 06 07 08 09 0A OB OC OD
190. w info
1. Serial number of the device
2. SIP Call server type and vendor
3. Your device firmware version and romfile with password
4. Detailed information on what you have tried to resolve the problem
I suspect there is a hardware problem with my Prestige, what should I do?
Please follow the troubleshooting section in the user's guide for brief hardware troubleshooting and diagnostic tips. If you are sure there is a hardware problem after following the hardware diagnostic tips in the user's guide, please contact your local ZyXEL vendor to send the device in for RMA service.
Firewall FAQ
What is a network firewall?
A firewall is a system or group of systems that enforces an access-control policy between two networks. It may also be defined as a mechanism used to protect a trusted network from an untrusted network. The firewall can be thought of as two mechanisms: one to block traffic, and the other to permit traffic.
What makes Prestige firewall secure?
The Prestige firewall is pre-configured to automatically detect and thwart Denial of Service (DoS) attacks such as Ping of Death, SYN Flood, LAND attack, IP Spoofing, etc. It also uses stateful packet inspection to determine if an inbound connection is allowed through the firewall to the private LAN. The Prestige supports Network Address Translation (NAT), which translat
191. ynchronised receivers, an FHSS transmission appears to be short-duration impulse noise. 802.11 may use FHSS or DSSS.
Do I need the same kind of antenna on both sides of a link?
No. Provided the antenna is optimally designed for 2.4GHz or 5GHz operation. WLAN NICs often include an internal antenna which may provide sufficient reception.
Why the 2.4 GHz frequency range?
This frequency range has been set aside by the FCC and is generally labeled the ISM band. A few years ago Apple and several other large corporations requested that the FCC allow the development of wireless networks within this frequency range. What we have today is a protocol and system that allows for unlicensed use of radios within a prescribed power level. The ISM band is populated by Industrial, Scientific and Medical devices that are all low-power devices but can interfere with each other.
What is Server Set ID (SSID)?
SSID is a configurable identification that allows clients to communicate with the appropriate base station. With proper configuration, only clients that are configured with the same SSID can communicate with base stations having the same SSID. SSID, from a security point of view, acts as a simple single shared password between base stations and clients.
What is an ESSID?
ESSID stands for Extended Service Set Identifier and identifies the wireless LAN. The ESSID of the mobile device must match the ESSID of the AP to communicate with the AP. The ESSID is a 3
