P-662H/HW-D Series 802.11g ADSL 2+ 4-Port Security Gateway User’s Guide Version 3.
Copyright
Copyright © 2006 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation.

Certifications
Federal Communications Commission (FCC) Interference Statement
This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:
• This device may not cause harmful interference.
• This device must accept any interference received, including interference that may cause undesired operations.
This equipment has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules.
ZyXEL Communications Corporation declares that the P-662H/HW-D is limited to channels 1 through 11 (2400 to 2483.5 MHz) by firmware on units sold in the USA.

Viewing Certifications
1 Go to www.zyxel.com.
2 Select your product from the drop-down list box on the ZyXEL home page to go to that product's page.
3 Select the certification you wish to view from this page.

Safety Warnings
For your safety, be sure to read and follow all warning notices and instructions.
• To reduce the risk of fire, use only No. 26 AWG (American Wire Gauge) or larger telecommunication line cord.
• Do NOT open the device or unit. Opening or removing covers can expose you to dangerous high voltage points or other risks. ONLY qualified service personnel can service the device. Please contact your vendor for further information.

ZyXEL Limited Warranty
ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase.
Customer Support
Please have the following information ready when you contact customer support.
• Product model and serial number.
• Warranty information.
• Date that you received your device.
• Brief description of the problem and the steps you took to solve it.

Corporate headquarters (worldwide): support e-mail support@zyxel.com. Regional offices listed include Costa Rica, Czech Republic, Denmark and Finland.

Norway: support e-mail support@zyxel.no; telephone +47-22-80-61-80; web site www.zyxel.no; sales e-mail sales@zyxel.no; fax +47-22-80-61-81; regular mail ZyXEL Communications A/S, Nils Hansens vei 13, 0667 Oslo, Norway.
Poland: web site www.pl.zyxel.com; regular mail ZyXEL Communications, ul. Okrzei 1A, 03-715 Warszawa, Poland.
Russia: web site www.zyxel.ru; regular mail ZyXEL Russia, Ostrovityanova 37a Str., Moscow, 117279, Russia.
Spain: web site www.zyxel.es; regular mail ZyXEL Communications, Arte, 21 5ª planta, 28033 Madrid, Spain.
Preface
Congratulations on your purchase of the P-662H/HW-D series 802.11g Wireless ADSL 2+ 4-port Gateway. The P-662H-D has a 4-port switch that allows you to connect up to 4 computers to the ZyXEL Device without purchasing a switch/hub. The P-662HW-D comes with built-in IEEE 802.11g wireless capability allowing wireless connectivity.
Note: Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com for global products, or at www.us.

User Guide Feedback
Help us help you. E-mail all User Guide-related comments, questions or suggestions for improvement to techwriters@zyxel.com.tw or send regular mail to The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan. Thank you.
CHAPTER 1 Getting To Know Your ZyXEL Device
This chapter describes the key features and applications of your ZyXEL Device.

1.1 Introducing the ZyXEL Device
Your ZyXEL Device integrates high-speed 10/100 Mbps auto-negotiating LAN interface(s) and a high-speed ADSL port into a single package. The ZyXEL Device is ideal for high-speed Internet browsing and making LAN-to-LAN connections to remote networks.

High Speed Internet Access
The ZyXEL Device is an ADSL router compatible with the ADSL/ADSL2/ADSL2+ standards. Maximum data rates attainable for each standard are shown in the next table.
Table 1 ADSL Standards
STANDARD   UPSTREAM   DOWNSTREAM
ADSL       832 kbps   8 Mbps
ADSL2      3.5 Mbps   12 Mbps
ADSL2+     3.5 Mbps   24 Mbps
Note: If your ZyXEL Device does not support Annex M, the maximum ADSL2/2+ upstream data rate is 1.2 Mbps.

LAN/DMZ Interface
The ZyXEL Device provides a LAN port that can function as a virtual DeMilitarized Zone (DMZ) port. Public servers (Web, FTP, etc.) attached to the DMZ port are visible to the outside world, while still being protected by the firewall against DoS (Denial of Service) attacks such as SYN flooding and Ping of Death, and can also be accessed from the secure LAN. Because a DMZ host is reachable from the Internet, it must be patched and hardened like any other Internet-facing server: the firewall's DoS thresholds limit flood traffic but do not protect against vulnerabilities in the server software itself.
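The two attacks named above are both detected by simple per-packet rules, which is what a DoS threshold screen on a gateway like this one parameterises. The following is an added example, not ZyXEL code or a description of the device's implementation: it runs a SYN-flood and a Ping-of-Death check over a constructed packet stream aimed at a DMZ host. The threshold of five half-open connections per second, the addresses and the packet records are all constructed for the example.

```python
"""SYN-flood and Ping-of-Death checks over constructed packet records."""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

# Assumed values for this example; the device's real limits are set on its
# Threshold screen. More than SYN_THRESHOLD half-open connections to one host
# within WINDOW seconds counts as a SYN flood here.
SYN_THRESHOLD = 5
WINDOW = 1.0
MAX_IP_DATAGRAM = 65535   # RFC 791: largest legal IP datagram in bytes


@dataclass
class Packet:
    ts: float          # arrival time in seconds
    src: str
    dst: str
    proto: str         # "tcp" or "icmp"
    flags: str = ""    # TCP flags present: "S", "SA", "A", ...
    frag_off: int = 0  # IP fragment offset in bytes
    length: int = 0    # IP payload bytes carried by this fragment


class SynFloodDetector:
    """Tracks half-open TCP connections per destination in a sliding window."""

    def __init__(self, threshold: int = SYN_THRESHOLD, window: float = WINDOW):
        self.threshold = threshold
        self.window = window
        self.half_open = defaultdict(dict)   # dst -> {src: time of its SYN}

    def observe(self, p: Packet) -> Optional[str]:
        """Update state with one TCP packet; return the flooded dst, if any."""
        pending = self.half_open[p.dst]
        if "S" in p.flags and "A" not in p.flags:
            pending[p.src] = p.ts               # new half-open connection
        elif "A" in p.flags:
            pending.pop(p.src, None)            # handshake completed
        for src, ts in list(pending.items()):   # expire entries outside the window
            if p.ts - ts > self.window:
                del pending[src]
        return p.dst if len(pending) > self.threshold else None


def is_ping_of_death(p: Packet) -> bool:
    """A fragment whose offset plus length exceeds 65535 bytes cannot be
    reassembled legally; historic IP stacks overflowed a buffer on it."""
    return p.proto == "icmp" and p.frag_off + p.length > MAX_IP_DATAGRAM


def scan(packets: List[Packet]) -> List[str]:
    """Run both checks over a packet stream; one alert per flooded host."""
    syn = SynFloodDetector()
    alerts: List[str] = []
    for p in packets:
        if p.proto == "tcp":
            dst = syn.observe(p)
            if dst and f"syn-flood {dst}" not in alerts:
                alerts.append(f"syn-flood {dst}")
        elif is_ping_of_death(p):
            alerts.append(f"ping-of-death {p.src}->{p.dst}")
    return alerts


def sample_packets() -> List[Packet]:
    """Constructed traffic towards a DMZ web server at 203.0.113.10."""
    pkts = [   # one legitimate three-way handshake
        Packet(0.00, "198.51.100.7", "203.0.113.10", "tcp", "S"),
        Packet(0.01, "203.0.113.10", "198.51.100.7", "tcp", "SA"),
        Packet(0.02, "198.51.100.7", "203.0.113.10", "tcp", "A"),
    ]
    # twenty SYNs from spoofed sources that never complete the handshake
    pkts += [Packet(1.0 + i / 100, f"192.0.2.{i + 1}", "203.0.113.10", "tcp", "S")
             for i in range(20)]
    # a final fragment that would reassemble past the 65535-byte limit
    pkts.append(Packet(2.0, "192.0.2.99", "203.0.113.10", "icmp",
                       frag_off=65520, length=100))
    return pkts


if __name__ == "__main__":
    for alert in scan(sample_packets()):
        print(alert)
```

The handshake at the start is removed from the half-open table when its final ACK arrives, so only the spoofed SYNs count against the threshold; a real threshold is tuned to the server's normal connection rate so that a busy but healthy site does not trip it.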
Dynamic DNS Support
With Dynamic DNS support, you can have a static hostname alias for a dynamic IP address, allowing the host to be more easily accessible from various locations on the Internet. You must register for this service with a Dynamic DNS service provider.

DHCP
DHCP (Dynamic Host Configuration Protocol) allows the individual clients (computers) to obtain the TCP/IP configuration at start-up from a centralized DHCP server.

1.1.1.1 P-662HW Wireless Features
Wireless LAN
The ZyXEL Device supports the IEEE 802.11g standard, which is fully compatible with the IEEE 802.11b standard, meaning that you can have both IEEE 802.11b and IEEE 802.11g wireless clients in the same wireless network.
Note: The P-662HW may be prone to RF (Radio Frequency) interference from other 2.4 GHz devices such as microwave ovens, wireless phones, Bluetooth enabled devices, and other wireless LANs.

1.1.2.1 Internet Access
The ZyXEL Device is the ideal high-speed Internet access solution. Your ZyXEL Device supports the TCP/IP protocol, which the Internet uses exclusively. It is compatible with all major ADSL DSLAM (Digital Subscriber Line Access Multiplexer) providers. A DSLAM is a rack of ADSL line cards with data multiplexed into a backbone network interface/connection (for example, T1, OC3, DS3, ATM or Frame Relay).

Figure 3 Firewall Application

1.1.4 Front Panel LEDs
Figure 4 P-662H Front Panel
Figure 5 P-662HW Front Panel
The following table describes the LEDs.
Table 2 Front Panel LEDs
PWR/SYS
• Green, on: The ZyXEL Device is receiving power and functioning properly.
• Green, blinking: The ZyXEL Device is rebooting or performing diagnostics.
• On: POST (Power On Self Test) failure or the device has malfunctioned.
• Off: The system is not receiving power.
WLAN (wireless devices only)
• On: The ZyXEL Device is ready, but is not sending/receiving data through the wireless LAN.
• Blinking: The ZyXEL Device is sending/receiving data through the wireless LAN.
• Off: The wireless LAN is not ready or has failed.
DSL
• Green, on: The ZyXEL Device has a successful DSL connection.
• Green, blinking: The ZyXEL Device is attempting to synchronize the DSL line.
CHAPTER 2 Introducing the Web Configurator
This chapter describes how to access and navigate the web configurator.

2.1 Web Configurator Overview
The web configurator is an HTML-based management interface that allows easy ZyXEL Device setup and management via Internet browser. Use Internet Explorer 6.0 and later or Netscape Navigator 7.0 and later versions. The recommended screen resolution is 1024 by 768 pixels.

Click Login to proceed to a screen asking you to change your password, or click Cancel to keep the default password. The default password is the same on every ZyXEL Device as shipped, so change it at first login, before you enable any remote management.
Figure 6 Password Screen
6 If you entered the user password, skip the next two steps and refer to Section 2.4.2 on page 55 for more information about the Status screen.

Note: If you do not replace the certificate, the following screen appears every time you log in.
Figure 8 Replace Factory Default Certificate
The factory default certificate is a generic self-signed certificate, not one issued for your unit, so a browser cannot distinguish your ZyXEL Device's HTTPS management interface from any other party presenting the same certificate. Replace it with a certificate unique to this device and note its fingerprint so you can recognise the device on later logins.
8 Select Go to Wizard setup and click Apply to display the wizard main screen. Otherwise, select Go to Advanced setup and click Apply to display the Status screen.

2.3.1 Using the Reset Button
1 Make sure the POWER LED is on (not blinking).
2 Press the RESET button for 10 seconds or until the POWER LED begins to blink and then release it. When the POWER LED begins to blink, the defaults have been restored and the ZyXEL Device restarts.
You can also use the RESET button to:
• Activate/Deactivate the wireless network, by pressing the RESET button for 1 second.
• Start OTIST, by pressing the RESET button for 3 seconds.
Note: Restoring the defaults also restores the default password and discards your security configuration, so anyone with physical access to the button can take over the device. Keep the device where the button cannot be pressed by untrusted people, and re-apply your security settings after any reset.

Note: Click the icon (located in the top right corner of most screens) to view embedded help.
Table 3 Web Configurator Screens Summary
Wizard > INTERNET/WIRELESS SETUP: Use these screens for initial configuration including general setup, ISP parameters for Internet Access and WAN IP/DNS Server/MAC address assignment.
Wizard > BANDWIDTH MANAGEMENT SETUP: Use these screens to limit bandwidth usage by application or packet type.
Threshold: Use this screen to configure the threshold for DoS attacks.
Anti Virus > Packet Scan: Use this screen to change your Packet Scan settings.
Anti Virus > Registration: Use this screen to register, activate or update your anti-virus services.
Content Filter > Keyword: Use this screen to block sites containing certain keywords in the URL.
Further links: Content Access Control, VPN, Certificates.
Remote MGMT > WWW: Use this screen to configure through which interface(s) and from which IP address(es) users can use HTTPS or HTTP to manage the ZyXEL Device.
Remote MGMT > Telnet: Use this screen to configure through which interface(s) and from which IP address(es) users can use Telnet to manage the ZyXEL Device.
Telnet and HTTP carry the administrator password in cleartext. Restrict each management service to the LAN and to a specific administrator IP address, and disable the services you do not use.
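The Remote MGMT screens above let you choose, per service, the interface(s) it listens on and the client IP address(es) it accepts. The following is an added example, not ZyXEL code: it models that policy as a small table, evaluates whether a given request would be accepted, and audits a permissive policy against a locked-down one. The rule shape (an "access" value of LAN, WAN, LAN&WAN or Disable, and a "secured_client" that is either "All" or one IP address), the split of the WWW screen into separate HTTPS and HTTP entries, and the address 192.168.1.50 for the administrator's workstation are assumptions made for the example.

```python
"""Remote-management exposure check for the WWW, Telnet and FTP screens."""
import ipaddress
from typing import Dict, List

CLEARTEXT = {"HTTP", "Telnet", "FTP"}   # the password travels unencrypted

# Assumed rule shape for this example (not the device's own config keys):
# "access" is the interface selection, "secured_client" is "All" or the one
# client IP address that may manage the device.
Policy = Dict[str, Dict[str, str]]


def allowed(policy: Policy, service: str, interface: str, client_ip: str) -> bool:
    """Would a management request for `service`, arriving on `interface`
    ("LAN" or "WAN") from `client_ip`, be accepted under this policy?"""
    rule = policy.get(service)
    if rule is None or rule["access"] == "Disable":
        return False
    if rule["access"] not in (interface, "LAN&WAN"):
        return False
    secured = rule.get("secured_client", "All")
    if secured == "All":
        return True
    return ipaddress.ip_address(client_ip) == ipaddress.ip_address(secured)


def audit(policy: Policy) -> List[str]:
    """Findings a reviewer would raise before the device goes live."""
    findings: List[str] = []
    for service, rule in policy.items():
        access = rule["access"]
        if access == "Disable":
            continue
        on_wan = access in ("WAN", "LAN&WAN")
        any_client = rule.get("secured_client", "All") == "All"
        if service in CLEARTEXT:
            where = "from WAN" if on_wan else "on LAN"
            findings.append(f"{service}: cleartext management enabled {where}; use HTTPS instead")
        if on_wan and any_client:
            findings.append(f"{service}: reachable from any Internet address")
    return findings


# Constructed policies: a permissive setup versus a locked-down one.
WEAK: Policy = {
    "HTTPS":  {"access": "LAN&WAN", "secured_client": "All"},
    "HTTP":   {"access": "LAN&WAN", "secured_client": "All"},
    "Telnet": {"access": "LAN&WAN", "secured_client": "All"},
    "FTP":    {"access": "LAN",     "secured_client": "All"},
}
HARDENED: Policy = {
    "HTTPS":  {"access": "LAN", "secured_client": "192.168.1.50"},  # admin workstation (assumed)
    "HTTP":   {"access": "Disable"},
    "Telnet": {"access": "Disable"},
    "FTP":    {"access": "Disable"},
}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(pol) or ["no findings"])
```

The hardened policy still lets the administrator's workstation reach HTTPS on the LAN and rejects everything else, including HTTPS from any other LAN host or from the WAN; if you need management from the Internet, pair a single secured client IP with HTTPS rather than opening a cleartext service.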
Figure 11 Status Screen
The following table describes the labels shown in the Status screen.
Table 4 Status Screen
Refresh Interval: Select a number of seconds or None from the drop-down list box to refresh all screen statistics automatically at the end of every time interval, or to not refresh the screen statistics.
Apply: Click this button to refresh the status screen statistics.
VPI/VCI: This is the Virtual Path Identifier and Virtual Channel Identifier that you entered in the Wizard or WAN screen.
LAN Information
IP Address: This is the LAN port IP address.
IP Subnet Mask: This is the LAN port IP subnet mask.
DHCP: This is the LAN port DHCP role: Server, Relay or None.
WLAN Information (wireless devices only)
SSID: This is the descriptive name used to identify the ZyXEL Device in the wireless LAN.
Summary
Any IP Table: Use this screen to view a list of IP addresses and MAC addresses of computers that are not in the same subnet as the ZyXEL Device.
WLAN Status (wireless devices only): This screen displays the MAC address(es) of the wireless stations that are currently associated with the ZyXEL Device.
Bandwidth Status: Use this screen to view the ZyXEL Device's bandwidth usage and allotments.

Figure 13 Status: WLAN Status
The following table describes the labels in this screen.
Table 6 Status: WLAN Status
#: This is the index number of an associated wireless station.
MAC Address: This field displays the MAC (Media Access Control) address of an associated wireless station.
Association Time: This field displays the time a wireless station first associated with the ZyXEL Device.
Refresh: Click Refresh to reload this screen.
A MAC address identifies a wireless card as it presents itself, not a person, and a station can present any MAC address it likes; use this list for troubleshooting and for spotting unexpected stations, not as an access control.

Figure 15 Status: VPN Status
The following table describes the labels in this screen.
Table 7 Status: VPN Status
No: This is the security association index number.
Name: This field displays the identification name for this VPN policy.
Encapsulation: This field displays Tunnel or Transport mode.
IPSec Algorithm: This field displays the security protocol, encryption algorithm, and authentication algorithm used in each SA.

Figure 16 Status: Packet Statistics
The following table describes the fields in this screen.
Table 8 Status: Packet Statistics
System Monitor
System up Time: This is the elapsed time the system has been up.
Current Date/Time: This field displays your ZyXEL Device's present date and time.
CPU Usage: This field specifies the percentage of CPU utilization.
Memory Usage: This field specifies the percentage of memory utilization.
Tx B/s: This field displays the number of bytes transmitted in the last second.
Rx B/s: This field displays the number of bytes received in the last second.
Up Time: This field displays the elapsed time this port has been up.
Collisions: This is the number of collisions on this port.
Poll Interval(s): Type the time interval for the browser to refresh system statistics.

The following table describes the fields in this screen.
Table 9 System General: Password
Old Password: Type the default password or the existing password you use to access the system in this field.
New Password: Type the new password in this field.
Retype to Confirm: Type the new password again in this field.
Apply: Click Apply to save your changes back to the ZyXEL Device.
Cancel: Click Cancel to begin configuring this screen afresh.
CHAPTER 3 Wizard Setup for Internet Access
This chapter provides information on the Wizard Setup screens for Internet access in the web configurator.

3.1 Introduction
Use the Wizard Setup screens to configure your system for Internet access with the information given to you by your ISP.
Note: See the advanced menu chapters for background information on these fields.

Figure 19 Wizard: Welcome
3 The wizard attempts to detect which WAN connection type you are using. If the wizard detects your connection type and your ISP uses PPPoE or PPPoA, go to Section 3.2.1 on page 67. The screen varies depending on the connection type you use.

Figure 21 Auto Detection: Failed

3.2.1 Automatic Detection
1 If you have a PPPoE or PPPoA connection, a screen displays prompting you to enter your Internet account information. Enter the username, password and/or service name exactly as provided.
2 Click Next and see Section 3.3 on page 72 for wireless connection wizard setup.
Figure 22 Auto-Detection: PPPoE

Figure 23 Internet Access Wizard Setup: ISP Parameters
The following table describes the fields in this screen.
Table 10 Internet Access Wizard Setup: ISP Parameters
Mode: From the Mode drop-down list box, select Routing (default) if your ISP allows multiple computers to share an Internet account. Otherwise select Bridge.
Encapsulation: Select the encapsulation type your ISP uses from the Encapsulation drop-down list box.

2 The next wizard screen varies depending on what mode and encapsulation type you use. All screens shown are with routing mode. Configure the fields and click Next to continue. See Section 3.3 on page 72 for wireless connection wizard setup.
Figure 24 Internet Connection with PPPoE
The following table describes the fields in this screen.
Table 11 Internet Connection with PPPoE
User Name: Enter the user name exactly as your ISP assigned.

The following table describes the fields in this screen.
Table 12 Internet Connection with RFC 1483
IP Address: This field is available if you select Routing in the Mode field. Type your ISP assigned IP address in this field.
Back: Click Back to go back to the previous wizard screen.
Next: Click Next to continue to the next wizard screen.
Exit: Click Exit to close the wizard screen without saving your changes.

Table 13 Internet Connection with ENET ENCAP (continued)
First DNS Server: Enter the IP addresses of the DNS servers. The DNS servers are passed to the DHCP clients along with the IP address and the subnet mask.
Second DNS Server: As above.
Back: Click Back to go back to the previous wizard screen.
Apply: Click Apply to save your changes back to the ZyXEL Device.
Exit: Click Exit to close the wizard screen without saving your changes.

Figure 28 Connection Test Failed-1
• If the following screen displays, check if your account is activated or click Restart the Internet/Wireless Setup Wizard to verify your Internet access settings.
Figure 29 Connection Test Failed-2

3.3 Wireless Connection Wizard Setup
After you configure the Internet access information, use the following screens to set up your wireless LAN.
1 Select Yes and click Next to configure wireless settings.
Figure 30 Connection Test Successful
2 Use this screen to activate the wireless LAN and OTIST. Click Next to continue.

The following table describes the labels in this screen.
Table 15 Wireless LAN Setup Wizard 1
Active: Select the check box to turn on the wireless LAN.
Note: You can also activate the wireless LAN by pressing the RESET button for 1 second.
Enable OTIST: Select the check box to enable OTIST if you want to transfer your ZyXEL Device's SSID and WEP or WPA-PSK security settings to wireless clients that support OTIST and are within transmission range. While OTIST is running, any OTIST-capable client within range can receive those settings, so enable it only when the clients you intend to provision are the only ones nearby, and clear the check box once they are set up.

The following table describes the labels in this screen.
Table 16 Wireless LAN Setup Wizard 2
Network Name (SSID): Enter a descriptive name (up to 32 printable 7-bit ASCII characters) for the wireless LAN. If you change this field on the ZyXEL Device, make sure all wireless stations use the same SSID in order to access the network.
Channel Selection: The range of radio frequencies used by IEEE 802.11b/g wireless devices is called a channel.

Figure 33 Manually assign a WPA key
The following table describes the labels in this screen.
Table 17 Manually assign a WPA key
Pre-Shared Key: Type from 8 to 63 case-sensitive ASCII characters. The key that every client derives from this passphrase depends only on the passphrase and the SSID, so a passphrase made of dictionary words can be recovered offline from a single captured handshake; use a long, random passphrase. You can set up the most secure wireless connection by configuring WPA in the wireless LAN screens. You need to configure an authentication server to do this.
Back: Click Back to display the previous screen.
Next: Click Next to proceed to the next screen.
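Table 17's Pre-Shared Key is not used directly on the air: the gateway and each client turn it into a 256-bit key with PBKDF2-HMAC-SHA1 over the passphrase and the SSID, as IEEE 802.11i specifies, and that key is what the 4-way handshake proves possession of. The following is an added example, not ZyXEL code, that performs the derivation (checked against the IEEE 802.11i Annex H test vector for passphrase "password" and SSID "IEEE"), enforces the 8-to-63-character rule from the table, and shows why a weak passphrase fails: with one captured handshake an attacker can test candidates offline. The SSID "ZyXEL", the two passphrases and the candidate word list are constructed for the example.

```python
"""WPA/WPA2-PSK derivation from the wizard's Pre-Shared Key."""
import hashlib
from typing import Iterable, Optional

ITERATIONS = 4096   # IEEE 802.11i: PBKDF2-HMAC-SHA1, 4096 rounds, 256-bit PSK


def valid_passphrase(passphrase: str) -> bool:
    """Table 17's rule: 8 to 63 printable ASCII characters, case-sensitive."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PSK (the pairwise master key) shared by the gateway
    and every client. Only the passphrase and the SSID go in, so the SSID acts
    as a per-network salt and nothing else protects a weak passphrase."""
    if not valid_passphrase(passphrase):
        raise ValueError("passphrase must be 8 to 63 printable ASCII characters")
    if not 1 <= len(ssid.encode("utf-8")) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), ITERATIONS, dklen=32)


def recover_passphrase(captured_psk: bytes, ssid: str,
                       candidates: Iterable[str]) -> Optional[str]:
    """What an attacker does with one captured 4-way handshake: the handshake
    lets each candidate PSK be checked offline, so the cost is one PBKDF2 run
    per guess and no further contact with the access point is needed."""
    for cand in candidates:
        if valid_passphrase(cand) and wpa_psk(cand, ssid) == captured_psk:
            return cand
    return None


# Constructed scenario: a gateway with SSID "ZyXEL" and two possible keys.
SSID = "ZyXEL"
WEAK_PASSPHRASE = "sunshine1"
STRONG_PASSPHRASE = "k7#Vq9!pL2mZ4rT8wX1cB6nH3sD5fG0j"   # constructed, 32 random-looking chars
CANDIDATES = ["letmein12", "password1", "sunshine1", "zyxel123"]   # tiny word list


def demo() -> dict:
    """Outcome of the offline guess against the weak and the strong passphrase."""
    weak = recover_passphrase(wpa_psk(WEAK_PASSPHRASE, SSID), SSID, CANDIDATES)
    strong = recover_passphrase(wpa_psk(STRONG_PASSPHRASE, SSID), SSID, CANDIDATES)
    return {"weak_recovered": weak, "strong_recovered": strong}


if __name__ == "__main__":
    print(wpa_psk("password", "IEEE").hex())   # IEEE 802.11i Annex H test vector
    print(demo())
```

The 4096 PBKDF2 rounds slow each guess by a constant factor only; what defeats the offline attack is a passphrase that is not in any word list, which is why the table's 63-character maximum is worth using.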
P-662H/HW-D Series User’s Guide The following table describes the labels in this screen. Table 18 Manually assign a WEP key LABEL DESCRIPTION Key The WEP keys are used to encrypt data. Both the ZyXEL Device and the wireless stations must use the same WEP key for data transmission. Enter any 5, 13 or 29 ASCII characters or 10, 26 or 58 hexadecimal characters ("0-9", "A-F") for a 64-bit, 128-bit or 256-bit WEP key respectively. Back Click Back to display the previous screen.
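The length rules in Tables 16, 17 and 18 are easy to get wrong when a key is typed by hand; the following added example (not ZyXEL's code) validates an SSID, a WPA pre-shared key and a WEP key against those rules and then derives the 256-bit key that WPA-PSK stations actually use. It assumes the device follows the IEEE 802.11i passphrase-to-PSK mapping (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations), which the guide does not state; all sample values are constructed.

```python
import hashlib

# Length rules copied from the wizard tables above (Tables 16, 17 and 18).
SSID_MAX_LEN = 32
WPA_PSK_MIN_LEN, WPA_PSK_MAX_LEN = 8, 63
WEP_ASCII_BITS = {5: 64, 13: 128, 29: 256}
WEP_HEX_BITS = {10: 64, 26: 128, 58: 256}
HEX_DIGITS = set("0123456789abcdefABCDEF")


def is_printable_ascii(text: str) -> bool:
    """True when every character is printable 7-bit ASCII (0x20..0x7E)."""
    return all(0x20 <= ord(ch) <= 0x7E for ch in text)


def validate_ssid(ssid: str) -> bool:
    """Table 16: up to 32 printable 7-bit ASCII characters, and not empty."""
    return 0 < len(ssid) <= SSID_MAX_LEN and is_printable_ascii(ssid)


def validate_wpa_psk(psk: str) -> bool:
    """Table 17: 8 to 63 case-sensitive ASCII characters."""
    return WPA_PSK_MIN_LEN <= len(psk) <= WPA_PSK_MAX_LEN and is_printable_ascii(psk)


def wep_key_bits(key: str) -> int:
    """Return the WEP key size (64/128/256) implied by Table 18, else raise.

    A key counts as hexadecimal only when its length is one of the hex lengths
    AND every character is a hex digit; otherwise it must have one of the ASCII
    lengths. 'abcde' is therefore a 5-character ASCII key, not a hex key.
    """
    if len(key) in WEP_HEX_BITS and all(ch in HEX_DIGITS for ch in key):
        return WEP_HEX_BITS[len(key)]
    if len(key) in WEP_ASCII_BITS and is_printable_ascii(key):
        return WEP_ASCII_BITS[len(key)]
    raise ValueError(
        "WEP key must be 5/13/29 ASCII or 10/26/58 hex characters, got %d" % len(key)
    )


def is_valid_wep_key(key: str) -> bool:
    """Boolean wrapper around wep_key_bits for form validation."""
    try:
        wep_key_bits(key)
        return True
    except ValueError:
        return False


def derive_wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit Pairwise Master Key from a WPA-PSK passphrase.

    Assumption (not stated in the guide): the device uses the IEEE 802.11i
    mapping, PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 32 bytes.
    The AP and every station must compute the same value, which is why
    Table 16 insists that all stations use the same SSID.
    """
    if not validate_wpa_psk(passphrase):
        raise ValueError("WPA-PSK passphrase must be 8 to 63 ASCII characters")
    if not validate_ssid(ssid):
        raise ValueError("SSID must be 1 to 32 printable ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("ascii"), 4096, 32
    )


if __name__ == "__main__":
    # Constructed sample values; 'abcde' is also the WEP key used in the
    # multiple-SSID example later in this guide.
    print("abcde ->", wep_key_bits("abcde"), "bit WEP key")
    print("PMK for 'password'/'IEEE':", derive_wpa_pmk("password", "IEEE").hex())
```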
Figure 36 Internet Access and WLAN Wizard Setup Complete
7 Launch your web browser and navigate to www.zyxel.com. Internet access is just the beginning. Refer to the rest of this guide for more detailed information on the complete range of ZyXEL Device features. If you cannot access the Internet, open the web configurator again to confirm that the Internet settings you configured in the wizard setup are correct.

CHAPTER 4 Bandwidth Management Wizard
This chapter shows you how to configure basic bandwidth management using the wizard screens.
4.1 Introduction
Bandwidth management allows you to control the amount of bandwidth going out through the ZyXEL Device’s WAN port and prioritize the distribution of the bandwidth according to service bandwidth requirements. This helps keep one service from using all of the available bandwidth and shutting out other users.
4.
Table 19 Media Bandwidth Management Setup: Services (continued)
VoIP (SIP): Sending voice signals over the Internet is called Voice over IP or VoIP. Session Initiated Protocol (SIP) is an internationally recognized standard for implementing VoIP. SIP is an application-layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sessions over the Internet.
Figure 38 Wizard: Welcome
3 Activate bandwidth management and select to allocate bandwidth to packets based on the services.
Figure 39 Bandwidth Management Wizard: General Information
The following table describes the labels in this screen.
Table 20 Bandwidth Management Wizard: General Information
Active: Select the Active check box to have the ZyXEL Device apply bandwidth management to traffic going out through the ZyXEL Device’s WAN, LAN or WLAN port.
4 Use the second wizard screen to select the services to which you want to apply bandwidth management and select the priorities that you want to apply to the services listed.
Figure 40 Bandwidth Management Wizard: Configuration
The following table describes the labels in this screen.
Table 21 Bandwidth Management Wizard: Configuration
Active: Select an entry’s Active check box to turn on bandwidth management for the service/application.
Apply: Click Apply to save your changes back to the ZyXEL Device.
Exit: Click Exit to close the wizard screen without saving your changes.
5 Follow the on-screen instructions and click Finish to complete the wizard setup and save your configuration.

CHAPTER 5 WAN Setup
This chapter describes how to configure WAN settings.
5.1 WAN Overview
A WAN (Wide Area Network) is an outside connection to another network or the Internet.
5.1.1 Encapsulation
Be sure to use the encapsulation method required by your ISP. The ZyXEL Device supports the following methods.
5.1.1.1 ENET ENCAP
The MAC Encapsulated Routing Link Protocol (ENET ENCAP) is only implemented with the IP network protocol.
By implementing PPPoE directly on the ZyXEL Device (rather than on individual computers), the computers on the LAN do not need PPPoE software installed, since the ZyXEL Device does that part of the task. Furthermore, with NAT, all of the LAN’s computers will have access.
5.1.1.3 PPPoA
PPPoA stands for Point to Point Protocol over ATM Adaptation Layer 5 (AAL5). A PPPoA connection functions like a dial-up Internet connection.
5.1.4 IP Address Assignment
A static IP is a fixed IP that your ISP gives you. A dynamic IP is not fixed; the ISP assigns you a different one each time. The Single User Account feature can be enabled or disabled whether you have a dynamic or a static IP. However, the encapsulation method assigned influences your choices for IP address and ENET ENCAP gateway.
5.1.4.
5.2 Metric
The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost". RIP routing uses hop count as the measurement of cost, with a minimum of "1" for directly connected networks. The number must be between "1" and "15"; a number greater than "15" means the link is down. The smaller the number, the lower the "cost". The metric sets the priority for the ZyXEL Device’s routes to the Internet.
Maximum Burst Size (MBS) is the maximum number of cells that can be sent at the PCR. After MBS is reached, cell rates fall below SCR until the cell rate averages to the SCR again. At this time, more cells (up to the MBS) can be sent at the PCR again. If the PCR, SCR or MBS is set to the default of "0", the system will assign a maximum value that correlates to your upstream line rate. The following figure illustrates the relationship between PCR, SCR and MBS.
The VBR-nRT (non real-time Variable Bit Rate) type is used with bursty connections that do not require closely controlled delay and delay variation. It is commonly used for "bursty" traffic typical on LANs. PCR and MBS define the burst levels, SCR defines the minimum level. An example of a VBR-nRT connection would be non-time-sensitive data file transfers.
5.3.1.3 Unspecified Bit Rate (UBR)
The Unspecified Bit Rate (UBR) ATM traffic class is for bursty data transfers.
Figure 43 Internet Connection (PPPoE)
The following table describes the labels in this screen.
Table 22 Internet Connection
General
Name: Enter the name of your Internet Service Provider, e.g., MyISP. This information is for identification purposes only.
Mode: Select Routing (default) from the drop-down list box if your ISP allows multiple computers to share an Internet account. Otherwise select Bridge.
Virtual Circuit ID: VPI (Virtual Path Identifier) and VCI (Virtual Channel Identifier) define a virtual circuit. Refer to the appendix for more information.
VPI: The valid range for the VPI is 0 to 255. Enter the VPI assigned to you.
VCI: The valid range for the VCI is 32 to 65535 (0 to 31 is reserved for local management of ATM traffic). Enter the VCI assigned to you.
Figure 44 Advanced Internet Connection
The following table describes the labels in this screen.
Table 23 Advanced Internet Connection
RIP & Multicast Setup
RIP Direction: RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None.
cell/sec: Divide the DSL line rate (bps) by 424 (the size of an ATM cell in bits) to find the Peak Cell Rate (PCR). This is the maximum rate at which the sender can send cells. Type the PCR here.
Sustain Cell Rate: The Sustain Cell Rate (SCR) sets the average cell rate (long-term) that can be transmitted. Type the SCR, which must be less than the PCR. Note that the system default is 0 cells/sec.
Figure 45 More Connections
The following table describes the labels in this screen.
Table 24 More Connections
#: This is the index number of a connection.
Active: This displays whether this connection is activated. Clear the check box to disable the connection. Select the check box to enable it.
Name: This is the descriptive name for this connection.
VPI/VCI: These are the VPI and VCI values used for this connection.
Figure 46 More Connections Edit
The following table describes the labels in this screen.
Table 25 More Connections Edit
Active: Select the check box to activate or clear the check box to deactivate this connection.
Name: Enter a unique, descriptive name of up to 13 ASCII characters for this connection.
Mode: Select Routing from the drop-down list box if your ISP allows multiple computers to share an Internet account.
Multiplexing: Select the method of multiplexing used by your ISP from the drop-down list. Choices are VC or LLC. By prior agreement, a protocol is assigned a specific virtual circuit, for example, VC1 will carry IP. If you select VC, specify separate VPI and VCI numbers for each protocol.
5.6.2 Configuring More Connections Advanced Setup
To edit your ZyXEL Device's advanced WAN settings, click the Advanced Setup button in the More Connections Edit screen. The screen appears as shown.
Figure 47 More Connections Advanced Setup
The following table describes the labels in this screen.
Table 26 More Connections Advanced Setup
RIP & Multicast Setup
RIP Direction: Select the RIP direction from None, Both, In Only and Out Only.
Apply: Click Apply to save the changes.
Cancel: Click Cancel to begin configuring this screen afresh.
5.7 Traffic Redirect
Traffic redirect forwards traffic to a backup gateway when the ZyXEL Device cannot connect to the Internet. An example is shown in the figure below.
Figure 49 Traffic Redirect LAN Setup
5.8 Configuring WAN Backup
To change your ZyXEL Device’s WAN backup settings, click WAN > WAN Backup Setup. The screen appears as shown.
Figure 50 WAN Backup Setup
The following table describes the labels in this screen.
Table 27 WAN Backup Setup
Backup Type: Select the method that the ZyXEL Device uses to check the DSL connection. Select DSL Link to have the ZyXEL Device check if the connection to the DSLAM is up. Select ICMP to have the ZyXEL Device periodically ping the IP addresses configured in the Check WAN IP Address fields.
Timeout: Type the number of seconds (3 recommended) for your ZyXEL Device to wait for a ping response from one of the IP addresses in the Check WAN IP Address field before timing out the request. The WAN connection is considered "down" after the ZyXEL Device times out the number of times specified in the Fail Tolerance field. Use a higher value in this field if your network is busy or congested.
Figure 51 WAN Backup Advanced Setup
The following table describes the labels in this screen.
Table 28 WAN Backup Advanced Setup
Authentication Type: Use the drop-down list box to select an authentication protocol for outgoing calls. Options are: CHAP/PAP - Your ZyXEL Device accepts either CHAP or PAP when requested by this remote node. CHAP - Your ZyXEL Device accepts CHAP only. PAP - Your ZyXEL Device accepts PAP only.
Advanced Modem Setup: Click the Edit button to display the Advanced Modem Setup screen and edit the details of your dial backup setup.
TCP/IP Options
Metric: This field sets this route's priority among the three routes the ZyXEL Device uses (normal, traffic redirect and dial backup). Type a number (1 to 15) to set the priority of the dial backup route for data transmission.
Connect on Demand: Select Connect on Demand when you don't want the connection up all the time and specify an idle time-out in the Max Idle Timeout field.
Max Idle Timeout: Specify an idle time-out in the Max Idle Timeout field when you select Connect on Demand. The default setting is 0, which means the Internet session will not time out.
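To see how the ICMP backup check (Table 27), the Fail Tolerance counter and the metric-based choice among the normal, traffic redirect and dial backup routes (Section 5.2 and Table 28) combine, here is an added simulation; it is not ZyXEL's firmware. It assumes a check round succeeds when any configured address replies, that the timeout counter resets on the first reply, and uses a constructed probe log and constructed metrics.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class Route:
    """One of the three routes the guide names: normal, traffic redirect, dial backup."""
    name: str
    metric: int          # the Metric field: 1 to 15; above 15 means the link is down
    link_up: bool = True


def route_usable(route: Route) -> bool:
    """Section 5.2: a metric greater than 15 means the link is down."""
    return route.link_up and 1 <= route.metric <= 15


def select_route(routes: Iterable[Route]) -> Optional[Route]:
    """Pick the usable route with the lowest metric, i.e. the lowest 'cost'."""
    usable = [r for r in routes if route_usable(r)]
    if not usable:
        return None
    return min(usable, key=lambda r: r.metric)


def wan_down_after(probe_rounds: List[List[bool]], fail_tolerance: int) -> Optional[int]:
    """Apply the ICMP backup check to a log of probe rounds.

    Each round pings every address in the Check WAN IP Address fields. A round
    succeeds when at least one address replies within Timeout (True) and times
    out when none does. Returns the 1-based round at which the WAN is declared
    down (fail_tolerance consecutive timed-out rounds), or None if that never
    happens. Assumption: a single reply resets the consecutive-timeout counter.
    """
    consecutive_timeouts = 0
    for index, replies in enumerate(probe_rounds, start=1):
        if any(replies):
            consecutive_timeouts = 0
        else:
            consecutive_timeouts += 1
            if consecutive_timeouts >= fail_tolerance:
                return index
    return None


def choose_path(probe_rounds: List[List[bool]], fail_tolerance: int,
                routes: Iterable[Route]) -> Optional[str]:
    """Mark the normal route down if the check fails, then choose by metric."""
    wan_down = wan_down_after(probe_rounds, fail_tolerance) is not None
    adjusted = [
        Route(r.name, r.metric, r.link_up and not (wan_down and r.name == "normal"))
        for r in routes
    ]
    chosen = select_route(adjusted)
    return None if chosen is None else chosen.name


# Constructed probe log: two Check WAN IP addresses, five rounds; the DSL
# link stops answering from round 3 onwards.
SAMPLE_PROBE_LOG = [
    [True, True],
    [False, True],
    [False, False],
    [False, False],
    [False, False],
]

# Constructed metrics: the normal DSL route is preferred, dial backup is last.
SAMPLE_ROUTES = [
    Route("normal", 1),
    Route("traffic redirect", 14),
    Route("dial backup", 15),
]

if __name__ == "__main__":
    print("WAN declared down at round:", wan_down_after(SAMPLE_PROBE_LOG, 3))
    print("Traffic now leaves via:", choose_path(SAMPLE_PROBE_LOG, 3, SAMPLE_ROUTES))
```

A higher Fail Tolerance or Timeout delays failover but avoids flapping to the backup gateway on a single lost ping, which is the trade-off Table 27 describes for busy networks.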
Figure 52 WAN Dial Backup Modem Setup
The following table describes the labels in this screen.
Table 29 WAN Dial Backup Modem Setup
AT Command Strings
Dial: Type the AT Command string to make a call. Example: atdt
Drop: Type the AT Command string to drop a call. "~" represents a one second wait, for example, "~~+++~~ath" can be used if your modem has a slow response time.
Answer: Type the AT Command string to answer a call.
Retry Interval: Type a number of seconds for the ZyXEL Device to wait before trying another call after a call has failed. This applies before a phone number is blacklisted. Example: 10
Drop Timeout: Type the number of seconds for the ZyXEL Device to wait before dropping the DTR signal if it does not receive a positive disconnect confirmation.
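The Drop string in Table 29 mixes modem commands with "~" wait markers; this added parser (not part of the guide) turns such a string into the sequence of sends and waits the dial backup would perform, so you can check the total delay a slow-modem string introduces. The phone number and helper names are constructed for illustration.

```python
from typing import List, Tuple

# ("wait", seconds) or ("send", text)
Step = Tuple[str, object]


def parse_at_string(at_string: str) -> List[Step]:
    """Split an AT command string into the steps the dial backup performs.

    Table 29: each '~' is a one second wait; any other run of characters is
    sent to the modem unchanged. Consecutive '~' are merged into one wait.
    """
    steps: List[Step] = []
    pending_text = ""
    pending_wait = 0
    for ch in at_string:
        if ch == "~":
            if pending_text:
                steps.append(("send", pending_text))
                pending_text = ""
            pending_wait += 1
        else:
            if pending_wait:
                steps.append(("wait", pending_wait))
                pending_wait = 0
            pending_text += ch
    if pending_text:
        steps.append(("send", pending_text))
    if pending_wait:
        steps.append(("wait", pending_wait))
    return steps


def total_wait_seconds(at_string: str) -> int:
    """Seconds the string spends waiting, e.g. 4 for '~~+++~~ath'."""
    return sum(seconds for kind, seconds in parse_at_string(at_string) if kind == "wait")


def build_dial_command(dial_prefix: str, phone_number: str) -> str:
    """Append the backup ISP number to the Dial string ('atdt' -> 'atdt5551234').

    Assumption: spaces and hyphens in the number are cosmetic and dropped.
    """
    number = phone_number.replace(" ", "").replace("-", "")
    if not number:
        raise ValueError("phone number is empty")
    return dial_prefix + number


if __name__ == "__main__":
    # Constructed values: the Drop example from Table 29 and a placeholder number.
    for step in parse_at_string("~~+++~~ath"):
        print(step)
    print(build_dial_command("atdt", "555-1234"))
```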
CHAPTER 6 LAN Setup
This chapter describes how to configure LAN settings.
6.1 LAN Overview
A Local Area Network (LAN) is a shared communication system to which many computers are attached. A LAN is a computer network limited to the immediate area, usually the same building or floor of a building. The LAN screens can help you configure a LAN DHCP server and manage IP addresses. See Section 6.3 on page 115 to configure the LAN screens.
6.1.
6.1.2 DHCP Setup
DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the ZyXEL Device as a DHCP server or disable it. When configured as a server, the ZyXEL Device provides the TCP/IP configuration for the clients. If you turn DHCP service off, you must have another DHCP server on your LAN, or else each computer must be configured manually.
6.1.2.
6.1.4 DNS Server Address Assignment
Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it. There are two ways that an ISP disseminates the DNS server addresses.
• The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up.
6.2.1.1 Private IP Addresses
Every machine on the Internet must have a unique address. If your networks are isolated from the Internet, for example, only between your two branch offices, you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP addresses specifically for private networks:
• 10.0.0.0 — 10.255.255.255
• 172.16.0.0 — 172.31.255.255
• 192.168.0.0 — 192.168.
6.2.3 Multicast
Traditionally, IP packets are transmitted in one of two ways - Unicast (1 sender - 1 recipient) or Broadcast (1 sender - everybody on the network). Multicast delivers IP packets to a group of hosts on the network - not everybody and not just 1. IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data.
Figure 54 Any IP Example
The Any IP feature does not apply to a computer using either a dynamic IP address or a static IP address that is in the same subnet as the ZyXEL Device’s IP address. Note: You must enable NAT/SUA to use the Any IP feature on the ZyXEL Device.
6.2.4.
After all the routing information is updated, the computer can access the ZyXEL Device and the Internet as if it were in the same subnet as the ZyXEL Device.
6.3 Configuring LAN IP
Click LAN to open the IP screen. See Section 6.1 on page 109 for background information.
Figure 55 LAN IP
The following table describes the fields in this screen.
Figure 56 Advanced LAN Setup
The following table describes the labels in this screen.
Table 31 Advanced LAN Setup
RIP & Multicast Setup
RIP Direction: Select the RIP direction from None, Both, In Only and Out Only.
RIP Version: Select the RIP version from RIP-1, RIP-2B and RIP-2M.
Multicast: IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a multicast group.
6.4 DHCP Setup
Use this screen to configure the DNS server information that the ZyXEL Device sends to the DHCP client devices on the LAN.
Figure 57 DHCP Setup
The following table describes the labels in this screen.
Table 32 DHCP Setup
DHCP Setup
DHCP: If set to Server, your ZyXEL Device can assign IP addresses, an IP default gateway and DNS servers to Windows 95, Windows NT and other systems that support the DHCP client.
Primary DNS Server / Secondary DNS Server: This field is not available when you set DHCP to Relay. Enter the IP addresses of the DNS servers. The DNS servers are passed to the DHCP clients along with the IP address and the subnet mask. If the fields are left as 0.0.0.0, the ZyXEL Device acts as a DNS proxy and forwards the DHCP client’s DNS query to the real DNS server learned through IPCP and relays the response back to the computer.
The following table describes the labels in this screen.
Table 33 LAN Client List
IP Address: Enter the IP address that you want to assign to the computer on your LAN with the MAC address specified below. The IP address should be within the range of IP addresses you specified in the DHCP Setup for the DHCP client.
MAC Address: Enter the MAC address of a computer on your LAN.
Add: Click Add to add a static DHCP entry.
Figure 59 Physical Network & Partitioned Logical Networks
To change your ZyXEL Device’s IP alias settings, click Network > LAN > IP Alias. The screen appears as shown.
Figure 60 LAN IP Alias
The following table describes the labels in this screen.
Table 34 LAN IP Alias
IP Alias 1, 2: Select the check box to configure another LAN network for the ZyXEL Device.
IP Address: Enter the IP address of your ZyXEL Device in dotted decimal notation.
RIP Direction: RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None. When set to Both or Out Only, the ZyXEL Device will broadcast its routing table periodically.

CHAPTER 7 Wireless LAN
This chapter discusses how to configure the wireless network settings in your ZyXEL Device. This chapter applies to the P-662HW-D models only.
7.1 Wireless Network Overview
The following figure provides an example of a wireless network.
Figure 61 Example of a Wireless Network
The wireless network is the part in the blue circle.
• Every device in the same wireless network must use security compatible with the AP. Security stops unauthorized devices from using the wireless network. It can also protect the information that is sent in the wireless network.
7.2 Wireless Security Overview
The following sections introduce different types of wireless security you can set up in the wireless network.
7.2.1 SSID
Normally, the ZyXEL Device acts like a beacon and regularly broadcasts the SSID in the area.
For wireless networks, there are two typical places to store the user names and passwords for each user.
• In the ZyXEL Device: this feature is called a local user database or a local database.
• In a RADIUS server: this is a server used in businesses more than in homes.
If your ZyXEL Device does not provide a local user database and if you do not have a RADIUS server, you cannot set up user names and passwords for your users.
Note: It is recommended that wireless networks use WPA-PSK, WPA, or stronger encryption. IEEE 802.1x and WEP encryption are better than none at all, but it is still possible for unauthorized wireless devices to figure out the original information pretty quickly. It is not possible to use WPA-PSK, WPA or stronger encryption with a local user database.
7.4 Additional Wireless Terms
The following table describes wireless network terms and acronyms used in the ZyXEL Device.
Table 36 Additional Wireless Terms
Intra-BSS Traffic: This describes direct communication (not through the ZyXEL Device) between two wireless devices within a wireless network. You might disable this kind of communication to enhance security within your wireless network.
Figure 62 Wireless LAN: General
The following table describes the general wireless LAN labels in this screen.
Table 37 Wireless LAN: General
Active Wireless LAN: Click the check box to activate wireless LAN. Note: You can also activate the wireless LAN by pressing the RESET button for 1 second.
Network Name(SSID): (Service Set IDentity) The SSID identifies the Service Set with which a wireless station is associated.
7.5.1 No Security
Select No Security to allow wireless stations to communicate with the access points without any data encryption. Note: If you do not enable any wireless security on your ZyXEL Device, your network is accessible to any wireless networking device that is within range.
Figure 63 Wireless: No Security
The following table describes the labels in this screen.
Figure 64 Wireless: Static WEP Encryption
The following table describes the wireless LAN security labels in this screen.
Table 39 Wireless: Static WEP Encryption
Security Mode: Choose Static WEP from the drop-down list box.
Passphrase: Enter a Passphrase (up to 32 printable characters) and click Generate. The ZyXEL Device automatically generates a WEP key.
WEP Key: The WEP keys are used to encrypt data.
Figure 65 Wireless: WPA(2)-PSK
The following table describes the wireless LAN security labels in this screen.
Table 40 Wireless: WPA(2)-PSK
Security Mode: Choose WPA-PSK or WPA2-PSK from the drop-down list box.
WPA Compatible: This check box is available only when you select WPA2-PSK or WPA2 in the Security Mode field.
Group Key Update Timer (In Seconds): The Group Key Update Timer is the rate at which the AP (if using WPA(2)-PSK key management) or RADIUS server (if using WPA(2) key management) sends a new group key out to all clients. The re-keying process is the WPA(2) equivalent of automatically changing the WEP key for an AP and all stations in a WLAN on a periodic basis.
The following table describes the wireless LAN security labels in this screen.
Table 41 Wireless: WPA(2)
WPA Compatible: This check box is available only when you select WPA2-PSK or WPA2 in the Security Mode field. Select the check box to have both WPA2 and WPA wireless clients be able to communicate with the ZyXEL Device even when the ZyXEL Device is using WPA2-PSK or WPA2.
Cancel: Click Cancel to reload the previous configuration for this screen.
Advanced Setup: Click Advanced Setup to display the Wireless Advanced Setup screen and edit more details of your WLAN setup.
7.5.5 Wireless LAN Advanced Setup
To configure advanced wireless settings, click the Advanced Setup button in the General screen. The screen appears as shown.
Table 42 Wireless LAN: Advanced
802.11 Mode: Select 802.11b Only to allow only IEEE 802.11b compliant WLAN devices to associate with the ZyXEL Device. Select 802.11g Only to allow only IEEE 802.11g compliant WLAN devices to associate with the ZyXEL Device. Select Mixed to allow either IEEE802.11b or IEEE802.11g compliant WLAN devices to associate with the ZyXEL Device. The transmission rate of your ZyXEL Device might be reduced.
Enable: Select Enable 802.
7.6.1.1 AP
Click the Wireless LAN link under Network and then the OTIST tab. The following screen displays.
Figure 68 OTIST
The following table describes the labels in this screen.
Table 43 OTIST
Setup Key: Type an OTIST Setup Key of exactly eight ASCII characters in length. The default OTIST setup key is "01234567". Note: If you change the OTIST setup key here, you must also make the same change on the wireless client(s).
Yes!: If you want to configure your own WPA-PSK and have OTIST use that WPA-PSK, you must:
• Configure a WPA-PSK in the Wireless > General screen.
• Clear the Yes! checkbox in the OTIST screen and click Start.
Note: If you already have a WPA-PSK configured in the Wireless screen, and you run OTIST with Yes! selected, OTIST will not replace the WPA-PSK. Clear the checkbox in the OTIST screen.
7.6.2 Starting OTIST
Note: You must click Start in the AP OTIST web configurator screen and in the wireless client(s) Adapter screen all within three minutes (at the time of writing). You can start OTIST in the wireless clients and AP in any order but they must all be within range and have OTIST enabled.
1 In the AP, a web configurator screen pops up showing you the security settings to transfer. After reviewing the settings, click OK.
Figure 74 Start OTIST?
2 If an OTIST-enabled wireless client loses its wireless connection for more than ten seconds, it will search for an OTIST-enabled AP for up to one minute. (If you manually have the wireless client search for an OTIST-enabled AP, there is no timeout; click Cancel in the OTIST progress screen to stop the search.)
Figure 75 MAC Address Filter
The following table describes the labels in this menu.
Table 44 MAC Address Filter
Active MAC Filter: Select the check box to enable MAC address filtering.
Filter Action: Define the filter action for the list of MAC addresses in the MAC Address table.
7.8 WMM QoS
WMM (Wi-Fi MultiMedia) QoS (Quality of Service) ensures quality of service in wireless networks for multimedia applications. WMM allows you to prioritize wireless traffic according to the delivery requirements of the individual applications. WMM is a part of the IEEE 802.11e QoS enhancement to certified Wi-Fi wireless networks.
7.8.1 WMM QoS Example
When WMM QoS is not enabled, all traffic streams are given the same access throughput to the wireless network.
7.8.3 Services
The commonly used services and port numbers are shown in the following table. Please refer to RFC 1700 for further information about port numbers. Next to the name of the service, two fields appear in brackets. The first field indicates the IP protocol type (TCP, UDP, or ICMP). The second field indicates the IP port number that defines the service. (Note that there may be more than one IP protocol type. For example, look at the DNS service.)
Table 46 Commonly Used Services
AIM/New-ICQ(TCP:5190): AOL’s Internet Messenger service, used as a listening port by ICQ.
AUTH(TCP:113): Authentication protocol used by some servers.
BGP(TCP:179): Border Gateway Protocol.
BOOTP_CLIENT(UDP:68): DHCP Client.
BOOTP_SERVER(UDP:67): DHCP Server.
CU-SEEME(TCP/UDP:7648, 24032): A popular videoconferencing solution from White Pines Software.
REAL_AUDIO(TCP:7070): A streaming audio service that enables real time sound over the web.
REXEC(TCP:514): Remote Execution Daemon.
RLOGIN(TCP:513): Remote Login.
RTELNET(TCP:107): Remote Telnet.
RTSP(TCP/UDP:554): The Real Time Streaming (media control) Protocol (RTSP) is a remote control for multimedia on the Internet.
SFTP(TCP:115): Simple File Transfer Protocol.
Click Network > Wireless LAN > QoS. The following screen displays.
Figure 76 Wireless LAN: QoS
The following table describes the fields in this screen.
Table 47 Wireless LAN: QoS
QoS
Enable WMM QoS: Select the check box to enable WMM QoS on the ZyXEL Device.
WMM QoS Policy: Select Default to have the ZyXEL Device automatically give a service a priority level according to the ToS value in the IP header of packets it sends.
Apply: Click Apply to save your changes back to the ZyXEL Device.
Cancel: Click Cancel to reload the previous configuration for this screen.
7.9.2 Application Priority Configuration
To edit a WMM QoS application entry, click the edit icon under Modify. The following screen displays.
Figure 77 Application Priority Configuration
The following table describes the fields in this screen.
Table 48 Application Priority Configuration
Service: The following is a description of the applications you can prioritize with WMM QoS. Select a service from the drop-down list box.
• FTP: File Transfer Program enables fast transfer of files, including large files that may not be possible by e-mail. FTP uses port number 21.
• E-Mail: Electronic mail consists of messages sent through a computer network to specific groups or individuals.
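The two WMM QoS policies in Tables 47 and 48 classify a packet either by the ToS byte or by the application it belongs to; this added example (not ZyXEL's implementation) shows both classifiers side by side over constructed packets. It assumes the Default policy maps IP precedence (the top three bits of ToS) to a WMM access category with the standard 802.1D user-priority mapping, names the second policy "Application Priority", and fills the application table with services from Table 46 and constructed administrator-chosen priorities.

```python
from typing import Dict, Tuple

# WMM access categories, highest priority first: voice, video, best effort, background.
ACCESS_CATEGORIES = ("VO", "VI", "BE", "BK")

# Assumption: the Default policy maps IP precedence (ToS >> 5) to an access
# category using the standard 802.1D user-priority to WMM mapping. The guide
# only says the priority follows the ToS value in the IP header.
PRECEDENCE_TO_AC = {0: "BE", 1: "BK", 2: "BK", 3: "BE", 4: "VI", 5: "VI", 6: "VO", 7: "VO"}

# Constructed Application Priority table: (protocol, port) pairs taken from
# Table 46 / Table 48, each with a priority an administrator might choose.
APP_PRIORITY: Dict[Tuple[str, int], str] = {
    ("TCP", 21): "BE",     # FTP, bulk transfer
    ("TCP", 7070): "VI",   # REAL_AUDIO streaming
    ("TCP", 554): "VI",    # RTSP media control
    ("UDP", 554): "VI",
    ("TCP", 5190): "BK",   # AIM/New-ICQ chat
}


def default_policy_ac(tos: int) -> str:
    """Access category under the Default policy, derived from the ToS byte."""
    if not 0 <= tos <= 255:
        raise ValueError("ToS must be a single byte, got %r" % tos)
    return PRECEDENCE_TO_AC[tos >> 5]


def application_policy_ac(protocol: str, dst_port: int,
                          table: Dict[Tuple[str, int], str] = APP_PRIORITY) -> str:
    """Access category from the Application Priority table; unknown -> best effort."""
    return table.get((protocol.upper(), dst_port), "BE")


def classify(packet: dict, policy: str, wmm_enabled: bool = True) -> str:
    """Return the WMM queue the AP would place this packet in.

    packet is a dict with 'tos', 'protocol' and 'dst_port' (constructed shape).
    """
    if not wmm_enabled:
        return "BE"   # Section 7.8.1: without WMM QoS every stream gets the same access
    if policy == "Default":
        return default_policy_ac(packet["tos"])
    if policy == "Application Priority":
        return application_policy_ac(packet["protocol"], packet["dst_port"])
    raise ValueError("unknown WMM QoS policy: %r" % policy)


# Constructed sample packets: an FTP transfer marked with DSCP EF (ToS 0xB8),
# a RealAudio stream with default ToS, and chat traffic marked low priority.
SAMPLE_PACKETS = [
    {"tos": 0xB8, "protocol": "TCP", "dst_port": 21},
    {"tos": 0x00, "protocol": "TCP", "dst_port": 7070},
    {"tos": 0x20, "protocol": "TCP", "dst_port": 5190},
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt, "Default ->", classify(pkt, "Default"),
              "| Application Priority ->", classify(pkt, "Application Priority"))
```

The first sample packet shows why the choice matters: under the Default policy a host can promote its own bulk FTP transfer into the video queue just by setting ToS, whereas the Application Priority table keeps that decision with the administrator.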
P-662H/HW-D Series User’s Guide Figure 78 Multiple SSID Network Example In this section the second wireless network is referred to as the “guest wireless network” and user’s connecting to this network are referred to as “guests”. Multiple SSID is only configurable via commands. The next sections describe multiple SSID commands and show a configuration example. See Appendix H on page 419 for information on the command structure and how to access the CLI (Command Line Interface) on the ZyXEL Device. 7.10.
P-662H/HW-D Series User’s Guide The following table gives a description of multiple SSID commands. Table 49 Multiple SSID Commands Command Description guestssid Use this command to specify the SSID of the guest wireless network. This is the SSID guests have to configure on their wireless clients to connect to your wireless network. Type a descriptive name (up to 32 printable 7-bit ASCII characters) for the wireless LAN.
P-662H/HW-D Series User’s Guide 7.10.2 Multiple SSID Example This example shows how to configure a guest wireless network with the following parameters. Table 50 Multiple SSID Example Configuration PARAMETER VALUE SSID guestnetwork Security 64-bit WEP key encryption. WEP key abcde Other Intranet blocking is enabled, so that guests only have access to the Internet and cannot access the local network. In the following script example all typed commands and parameters have been bolded.
CHAPTER 8 DMZ This chapter describes how to configure the ZyXEL Device’s DMZ. 8.1 Introduction The DeMilitarized Zone (DMZ) auto-negotiating 10/100 Mbps Ethernet port provides a way for public servers (Web, e-mail, FTP, etc.) to be visible to the outside world (while still being protected from DoS (Denial of Service) attacks such as SYN flooding and Ping of Death). These public servers can also still be accessed from the secure LAN.
Figure 79 DMZ The following table describes the labels in this screen. Table 51 DMZ LABEL DESCRIPTION DMZ TCP/IP IP Address Type the IP address of your ZyXEL Device’s DMZ port in dotted decimal notation. Make sure the IP address is on a separate subnet from the LAN port. IP Subnet Mask The subnet mask specifies the network number portion of an IP address. Your ZyXEL Device will automatically calculate the subnet mask based on the IP address that you assign.
Table 51 DMZ (continued) LABEL DESCRIPTION Allow between DMZ and LAN Select this check box to forward NetBIOS packets from the LAN to the DMZ and from the DMZ to the LAN. If your firewall is enabled with the default policy set to block DMZ to LAN traffic, you also need to enable the default DMZ to LAN firewall rule that forwards NetBIOS traffic. Clear this check box to block all NetBIOS packets going from the LAN to the DMZ and from the DMZ to the LAN.
Figure 80 DMZ Public Address Example 8.4 DMZ Private and Public IP Address Example The following figure shows a network setup with both private and public IP addresses on the DMZ. Lower case letters represent public IP addresses (like a.b.c.d for example). The LAN port and connected computers (A through C) use private IP addresses that are in one subnet. The DMZ port and server F use private IP addresses that are in one subnet.
Figure 81 DMZ Private and Public Address Example
CHAPTER 9 Network Address Translation (NAT) Screens This chapter discusses how to configure NAT on the ZyXEL Device. 9.1 NAT Overview NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet, for example, the source address of an outgoing packet, used within one network to a different IP address known within another network. 9.1.
9.1.2 What NAT Does In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side. When the response comes back, NAT translates the destination address (the inside global address) back to the inside local address before forwarding it to the original inside host.
9.1.4 NAT Application The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyXEL Device can communicate with three distinct WAN networks. More examples follow at the end of this chapter. Figure 83 NAT Application With IP Alias 9.1.5 NAT Mapping Types NAT supports five types of IP/port mapping.
Port numbers do NOT change for One-to-One and Many-to-Many No Overload NAT mapping types. The following table summarizes these types.
Table 53 NAT Mapping Types
TYPE | IP MAPPING
One-to-One | ILA1 <-> IGA1
Many-to-One (SUA/PAT) | ILA1 <-> IGA1, ILA2 <-> IGA1, ...
Many-to-Many Overload | ILA1 <-> IGA1, ILA2 <-> IGA2, ILA3 <-> IGA1, ILA4 <-> IGA2, ...
Many-to-Many No Overload | ILA1 <-> IGA1, ILA2 <-> IGA2, ILA3 <-> IGA3, ...
Server | Server 1 IP <-> IGA1, Server 2 IP <-> IGA1, Server 3 IP <-> IGA1
9.
Figure 84 NAT General The following table describes the labels in this screen. Table 54 NAT General LABEL DESCRIPTION Active Network Address Translation (NAT) Select this check box to enable NAT. SUA Only Select this radio button if you have just one public WAN IP address for your ZyXEL Device. Full Feature Select this radio button if you have multiple public WAN IP addresses for your ZyXEL Device.
You may enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server. The port number identifies a service; for example, web service is on port 80 and FTP on port 21. In some cases, such as for unknown services or where one server can support more than one service (for example both FTP and web service), it might be better to specify a range of port numbers.
9.4.3 Configuring Servers Behind Port Forwarding (Example) Let's say you want to assign ports 21-25 to one FTP, Telnet and SMTP server (A in the example), port 80 to another (B in the example) and assign a default server IP address of 192.168.1.35 to a third (C in the example). You assign the LAN IP addresses and the ISP assigns the WAN IP address. The NAT network appears as a single host on the Internet. Figure 85 Multiple Servers Behind NAT Example 9.
The following table describes the fields in this screen. Table 56 NAT Port Forwarding LABEL DESCRIPTION Default Server Setup Default Server In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in this screen. If you do not assign a Default Server IP address, the ZyXEL Device discards all packets received for ports that are not specified here or in the remote management setup. Because a default server receives every inbound port that no rule covers, assigning one exposes all services on that host to the Internet; only do so for a host that is hardened accordingly.
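The mapping types in Table 53 and the port forwarding and default server rules above can be exercised with the following Python model. It is an added example, not code from the guide or from ZyXEL firmware: the WAN address 203.0.113.5, the LAN addresses of servers A and B (192.168.1.33 and 192.168.1.34), the rule names and the starting PAT port are assumptions; only the default server 192.168.1.35 comes from the guide.

```python
"""Added example (not ZyXEL code): a model of Many-to-One (SUA/PAT)
translation, One-to-One translation, port forwarding and the default
server as described in Chapter 9. All addresses, ports and rule names
below are made up for the demonstration except the default server."""

from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]          # (IP address, port)


class ForwardRule:
    """One row of the Port Forwarding screen: a port range sent to a LAN host."""

    def __init__(self, name: str, start_port: int, end_port: int, local_ip: str):
        self.name = name
        self.start_port = start_port
        self.end_port = end_port
        self.local_ip = local_ip


class SuaNat:
    """SUA Only mode: one public WAN IP (the IGA) shared by every LAN host."""

    def __init__(self, wan_ip: str, rules: Optional[List[ForwardRule]] = None,
                 default_server: Optional[str] = None, first_pat_port: int = 50000):
        self.wan_ip = wan_ip
        self.rules = rules or []                     # first matching rule wins
        self.default_server = default_server
        self._out: Dict[Endpoint, int] = {}          # (ILA, local port) -> PAT port
        self._in: Dict[int, Endpoint] = {}           # PAT port -> (ILA, local port)
        self._next_port = first_pat_port             # assumed starting PAT port

    def translate_outbound(self, src: str, sport: int) -> Endpoint:
        """Many-to-One (PAT): rewrite the source to wan_ip plus a per-session
        port so that replies for different inside hosts can be told apart."""
        key = (src, sport)
        if key not in self._out:
            self._out[key] = self._next_port
            self._in[self._next_port] = key
            self._next_port += 1
        return self.wan_ip, self._out[key]

    def translate_inbound(self, dport: int) -> Optional[Endpoint]:
        """Where a packet arriving at wan_ip:dport is delivered, or None if the
        gateway discards it (no session, no rule and no default server)."""
        if dport in self._in:                        # reply to an outbound session
            return self._in[dport]
        for rule in self.rules:                      # explicit port forwarding
            if rule.start_port <= dport <= rule.end_port:
                return rule.local_ip, dport
        if self.default_server is not None:         # catch-all: exposes every other port
            return self.default_server, dport
        return None


def one_to_one(mapping: Dict[str, str], ila: str, port: int) -> Endpoint:
    """One-to-One (and Many-to-Many No Overload) mapping: only the address
    changes; the port is preserved, unlike PAT above."""
    return mapping[ila], port


def build_example() -> SuaNat:
    """Layout of Section 9.4.3: ports 21-25 to server A, port 80 to server B,
    default server C at 192.168.1.35. A, B and the WAN address are assumed."""
    return SuaNat(
        wan_ip="203.0.113.5",
        rules=[ForwardRule("ftp-telnet-smtp", 21, 25, "192.168.1.33"),
               ForwardRule("web", 80, 80, "192.168.1.34")],
        default_server="192.168.1.35",
    )


if __name__ == "__main__":
    nat = build_example()
    print(nat.translate_outbound("192.168.1.10", 40000))   # ('203.0.113.5', 50000)
    print(nat.translate_inbound(50000))                   # ('192.168.1.10', 40000)
    print(nat.translate_inbound(22))                      # ('192.168.1.33', 22)
    print(nat.translate_inbound(443))                     # ('192.168.1.35', 443) via default server
    nat.default_server = None
    print(nat.translate_inbound(443))                     # None: discarded
```

The lookup order in `translate_inbound` (existing session, then forwarding rule, then default server, then discard) is the practical point: once a default server is set nothing arriving from the WAN is discarded any more, so that host must be treated as if it sat directly on the Internet.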
The following table describes the fields in this screen. Table 57 Port Forwarding Rule Setup LABEL DESCRIPTION Active Click this check box to enable the rule. Service Name Enter a name to identify this port-forwarding rule. Start Port Enter a port number in this field. To forward only one port, enter the port number again in the End Port field. To forward a series of ports, enter the start port number here and the end port number in the End Port field.
Figure 88 Address Mapping Rules The following table describes the fields in this screen. Table 58 Address Mapping Rules LABEL DESCRIPTION # This is the rule index number. Local Start IP This is the starting Inside Local IP Address (ILA). Local IP addresses are N/A for Server port mapping. Local End IP This is the end Inside Local IP Address (ILA). If the rule is for all local IP addresses, then this field displays 0.0.0.0 as the Local Start IP address and 255.
9.6.1 Address Mapping Rule Edit To edit an address mapping rule, click the rule’s edit icon in the Address Mapping screen to display the screen shown next. Figure 89 Edit Address Mapping Rule The following table describes the fields in this screen. Table 59 Edit Address Mapping Rule LABEL DESCRIPTION Type Choose the port mapping type from one of the following. • One-to-One: One-to-One mode maps one local IP address to one global IP address.
Table 59 Edit Address Mapping Rule (continued) LABEL DESCRIPTION Edit Details Click this link to go to the Port Forwarding screen to edit a server mapping set that you have selected in the Server Mapping Set field. Back Click Back to return to the previous screen. Apply Click Apply to save your changes back to the ZyXEL Device. Cancel Click Cancel to begin configuring this screen afresh.
CHAPTER 10 Firewalls This chapter gives some background information on firewalls and introduces the ZyXEL Device firewall. 10.1 Firewall Overview Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another. The networking term “firewall” is a system or group of systems that enforces an access-control policy between two networks.
10.2.2 Application-level Firewalls Application-level firewalls restrict access by serving as proxies for external servers. Since they use programs written for specific Internet services, such as HTTP, FTP and telnet, they can evaluate network packets for valid application-specific data.
• The LAN (Local Area Network) port attaches to a network of computers, which needs security from the outside world. These computers will have access to Internet services such as e-mail, FTP, and the World Wide Web. However, “inbound access” will not be allowed unless you configure remote management or create a firewall rule to allow a remote host to use a specific service. 10.3.1 Denial of Service Attacks Figure 90 Firewall Application 10.
Table 60 Common IP Ports
PORT | SERVICE
21 | FTP
23 | Telnet
25 | SMTP
53 | DNS
80 | HTTP
110 | POP3
10.4.2 Types of DoS Attacks There are four types of DoS attacks: 1 Those that exploit bugs in a TCP/IP implementation. 2 Those that exploit weaknesses in the TCP/IP specification. 3 Brute-force attacks that flood a network with useless data. 4 IP Spoofing. "Ping of Death" and "Teardrop" attacks exploit bugs in the TCP/IP implementations of various computer and host systems.
Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment). After this handshake, a connection is established. • SYN Attack floods a targeted system with a series of SYN packets. Each packet causes the targeted system to issue a SYN-ACK response.
Figure 93 Smurf Attack 10.4.2.1 ICMP Vulnerability ICMP is an error-reporting protocol that works in concert with IP. The following ICMP types trigger an alert:
Table 61 ICMP Commands That Trigger Alerts
TYPE | NAME
5 | REDIRECT
13 | TIMESTAMP_REQUEST
14 | TIMESTAMP_REPLY
17 | ADDRESS_MASK_REQUEST
18 | ADDRESS_MASK_REPLY
10.4.2.2 Illegal Commands (NetBIOS and SMTP) The only legal NetBIOS commands are the following - all others are illegal.
10.4.2.3 Traceroute Traceroute is a utility used to determine the path a packet takes between two endpoints. Sometimes when a packet filter firewall is configured incorrectly an attacker can traceroute through the firewall, gaining knowledge of the network topology inside the firewall. Often, many DoS attacks also employ a technique known as "IP Spoofing" as part of their attack.
The previous figure shows the ZyXEL Device’s default firewall rules in action as well as demonstrates how stateful inspection works. User A can initiate a Telnet session from within the LAN and responses to this request are allowed. However other Telnet traffic initiated from the WAN is blocked. 10.5.1 Stateful Inspection Process In this example, the following sequence of events occurs when a TCP packet leaves the LAN network through the firewall's WAN interface.
• Allow certain types of traffic from the Internet to specific hosts on the LAN. • Allow access to a Web server to everyone but competitors. • Restrict use of certain protocols, such as Telnet, to authorized users on the LAN. These custom rules work by evaluating the network traffic’s Source IP address, Destination IP address, IP protocol type, and comparing these to rules set by the administrator. Note: The ability to define firewall rules is a very powerful tool.
A similar situation exists for ICMP, except that the ZyXEL Device is even more restrictive. Specifically, only outgoing echoes will allow incoming echo replies, outgoing address mask requests will allow incoming address mask replies, and outgoing timestamp requests will allow incoming timestamp replies. No other ICMP packets are allowed in through the firewall, simply because they are too dangerous and contain too little tracking information.
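The default rules and the stateful inspection behaviour described in this section, as an added Python example (not ZyXEL code): the LAN 192.168.1.0/24, the WAN hosts in 198.51.100.0/24 and the single custom rule that permits TCP port 80 to an assumed web server at 192.168.1.34 are made up for the demonstration. Return traffic is permitted only when a matching outbound flow was seen, and an incoming ICMP reply only when the corresponding request went out first.

```python
"""Added example (not ZyXEL code): a minimal stateful inspection firewall
with the default LAN-to-WAN permit / WAN-to-LAN drop policy, ordered custom
rules and the ICMP request/reply pairing described in Section 10.5.
Addresses, ports and the sample rule are constructed for the demonstration."""

from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Outgoing ICMP request type -> the single incoming reply type it unlocks
ICMP_REPLY_FOR = {8: 0, 13: 14, 17: 18}   # echo, timestamp, address mask


def pkt(proto: str, src: str, sport: int, dst: str, dport: int,
        icmp_type: Optional[int] = None) -> Dict:
    """A packet as the firewall sees it (constructed, not a real capture)."""
    return {"proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "type": icmp_type}


class StatefulFirewall:
    def __init__(self, lan_net: str, rules: Optional[List[Dict]] = None):
        self.lan = ip_network(lan_net)
        self.rules = rules or []                  # evaluated top down, first match wins
        self.sessions: Set[Tuple] = set()         # (proto, src, sport, dst, dport)
        self.pending_icmp: Set[Tuple] = set()     # (requester, target, expected reply type)

    def direction(self, p: Dict) -> str:
        return "LAN->WAN" if ip_address(p["src"]) in self.lan else "WAN->LAN"

    @staticmethod
    def _matches(rule: Dict, p: Dict, direction: str) -> bool:
        if rule["direction"] != direction or rule["proto"] != p["proto"]:
            return False
        if ip_address(p["src"]) not in ip_network(rule["src"]):
            return False
        if ip_address(p["dst"]) not in ip_network(rule["dst"]):
            return False
        lo, hi = rule["dport"]
        return lo <= p["dport"] <= hi

    def check(self, p: Dict) -> str:
        """Return 'permit' or 'drop' for p and update the state table."""
        direction = self.direction(p)
        # 1. Return traffic of a flow the firewall already let through.
        if p["proto"] in ("tcp", "udp"):
            reverse = (p["proto"], p["dst"], p["dport"], p["src"], p["sport"])
            if reverse in self.sessions:
                return "permit"
        elif p["proto"] == "icmp":
            expected = (p["dst"], p["src"], p["type"])
            if expected in self.pending_icmp:
                self.pending_icmp.discard(expected)   # one reply per request
                return "permit"
        # 2. Custom rules, then the default policy for the direction.
        for rule in self.rules:
            if self._matches(rule, p, direction):
                action = rule["action"]
                break
        else:
            action = "permit" if direction == "LAN->WAN" else "drop"
        # 3. Remember permitted new flows so that their replies get back in.
        if action == "permit":
            if p["proto"] in ("tcp", "udp"):
                self.sessions.add((p["proto"], p["src"], p["sport"], p["dst"], p["dport"]))
            elif p["proto"] == "icmp" and p["type"] in ICMP_REPLY_FOR:
                self.pending_icmp.add((p["src"], p["dst"], ICMP_REPLY_FOR[p["type"]]))
        return action


def build_example_firewall() -> StatefulFirewall:
    """LAN 192.168.1.0/24 with one custom rule: anyone on the WAN may reach
    TCP port 80 on an assumed web server at 192.168.1.34."""
    web = {"direction": "WAN->LAN", "proto": "tcp", "src": "0.0.0.0/0",
           "dst": "192.168.1.34/32", "dport": (80, 80), "action": "permit"}
    return StatefulFirewall("192.168.1.0/24", [web])


if __name__ == "__main__":
    fw = build_example_firewall()
    print(fw.check(pkt("tcp", "192.168.1.10", 40000, "198.51.100.7", 23)))  # permit: LAN starts Telnet
    print(fw.check(pkt("tcp", "198.51.100.7", 23, "192.168.1.10", 40000)))  # permit: its reply
    print(fw.check(pkt("tcp", "198.51.100.7", 5555, "192.168.1.10", 23)))   # drop: unsolicited Telnet
    print(fw.check(pkt("tcp", "198.51.100.7", 5556, "192.168.1.34", 80)))   # permit: custom rule
    print(fw.check(pkt("icmp", "192.168.1.10", 0, "198.51.100.7", 0, 8)))   # permit: echo request out
    print(fw.check(pkt("icmp", "198.51.100.7", 0, "192.168.1.10", 0, 0)))   # permit: matching reply
    print(fw.check(pkt("icmp", "198.51.100.7", 0, "192.168.1.10", 0, 5)))   # drop: unsolicited redirect
```

A real device also ages entries out of the state table; this model keeps TCP/UDP sessions until the process ends and forgets an ICMP request as soon as its one reply has passed, which is why a second echo reply for the same request is dropped.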
10.6.1 Security In General You can never be too careful! Factors outside your firewall, filtering or NAT can cause security breaches. Below are some generalizations about what you can do to minimize them. • Encourage your company or organization to develop a comprehensive security plan. Good network administration takes into account what hackers can do and prepares against attacks. The best defense against hackers and crackers is information.
10.7.1 Packet Filtering: • The router filters packets as they pass through the router’s interface according to the filter rules you designed. • Packet filtering is a powerful tool, yet can be complex to configure and maintain, especially if you need a chain of rules to filter a service. • Packet filtering only checks the header portion of an IP packet. 10.7.1.1 When To Use Filtering • To block/allow LAN packets by their MAC addresses.
CHAPTER 11 Firewall Configuration This chapter shows you how to enable and configure the ZyXEL Device firewall. 11.1 Access Methods The web configurator is, by far, the most comprehensive firewall configuration tool your ZyXEL Device has to offer. For this reason, it is recommended that you configure your firewall using the web configurator. CLI (Command Line Interface) commands provide limited configuration options and are only recommended for advanced users. 11.
Note: If you configure firewall rules without a good understanding of how they work, you might inadvertently introduce security risks to the firewall and to the protected network. Make sure you test your rules after you configure them. For example, you may create rules to: • Block certain types of traffic, such as IRC (Internet Relay Chat), from the LAN to the Internet.
4 Does a rule that allows Internet users access to resources on the LAN create a security vulnerability? For example, if FTP ports (TCP 20, 21) are allowed from the Internet to the LAN, Internet users may be able to connect to any computer on the LAN that is running an FTP server. 5 Does this rule conflict with any existing rules? Once these questions have been answered, adding rules is simply a matter of plugging the information into the correct fields in the web configurator screens. 11.
11.4.1 LAN to WAN Rules The default rule for LAN to WAN traffic is that all users on the LAN are allowed nonrestricted access to the WAN. When you configure a LAN to WAN rule, you in essence want to limit some or all users from accessing certain services on the WAN. WAN to LAN Rules The default rule for WAN to LAN traffic blocks all incoming connections (WAN to LAN).
The following table describes the labels in this screen. Table 64 Firewall: General LABEL DESCRIPTION Active Firewall Select this check box to activate the firewall. The ZyXEL Device performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated. Bypass Triangle Route Select this check box to have the ZyXEL Device firewall permit the use of triangle route topology on the network. In a triangle route the return traffic does not pass through the ZyXEL Device, so the firewall cannot inspect both directions of those sessions; leave this cleared unless your network topology requires it.
Figure 96 Firewall Rules The following table describes the labels in this screen. Table 65 Firewall Rules LABEL DESCRIPTION Firewall Rules Storage Space in Use This read-only bar shows how much of the ZyXEL Device's memory for recording firewall rules it is currently using. When you are using 80% or less of the storage space, the bar is green. When the amount of space used is over 80%, the bar is red.
Table 65 Firewall Rules (continued) LABEL DESCRIPTION Action This field displays whether the firewall silently discards packets (Drop), discards packets and sends a TCP reset packet or an ICMP destination-unreachable message to the sender (Reject) or allows the passage of packets (Permit). Schedule This field tells you whether a schedule is specified (Yes) or not (No). Log This field shows you whether a log is created when packets match this rule (Yes) or not (No).
Figure 97 Firewall: Edit Rule
The following table describes the labels in this screen. Table 66 Firewall: Edit Rule LABEL DESCRIPTION Active Select this option to enable this firewall rule. Action for Matched Packet Use the drop-down list box to select what the firewall is to do with packets that match this rule. Select Drop to silently discard the packets without sending a TCP reset packet or an ICMP destination-unreachable message to the sender.
Table 66 Firewall: Edit Rule (continued) LABEL DESCRIPTION Apply Click Apply to save your customized settings and exit this screen. Cancel Click Cancel to exit this screen without saving. 11.6.2 Customized Services Configure customized services and port numbers not predefined by the ZyXEL Device. For a comprehensive list of port numbers and services, visit the IANA (Internet Assigned Numbers Authority) website.
11.6.3 Configuring A Customized Service Click a rule number in the Firewall Customized Services screen to create a new custom port or edit an existing one. This action displays the following screen. Refer to Section 10.1 on page 169 for more information. Figure 99 Firewall: Configure Customized Services The following table describes the labels in this screen.
Figure 100 Firewall Example: Rules 3 In the Rules screen, select the index number after which you want to add the rule. For example, if you select “6”, your new rule becomes number 7 and the previous rule 7 (if there is one) becomes rule 8. 4 Click Add to display the firewall rule configuration screen. 5 In the Edit Rule screen, click the Edit Customized Services link to open the Customized Service screen.
Figure 102 Firewall Example: Edit Rule: Destination Address 9 Use the Add >> and Remove buttons between the Available Services and Selected Services list boxes to configure it as follows. Click Apply when you are done. Note: Custom services show up with an “*” before their names in the Services list box and the Rules list box.
Figure 103 Firewall Example: Edit Rule: Select Customized Services On completing the configuration procedure for this Internet firewall rule, the Rules screen should look like the following. Rule 1 allows a “MyService” connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN.
Figure 104 Firewall Example: Rules: MyService 11.8 Predefined Services The Available Services list box in the Edit Rule screen (see Section 11.6.1 on page 187) displays all predefined services that the ZyXEL Device already supports. Next to the name of the service, two fields appear in brackets. The first field indicates the IP protocol type (TCP, UDP, or ICMP). The second field indicates the IP port number that defines the service.
Table 69 Predefined Services (continued) SERVICE DESCRIPTION H.323(TCP:1720) Net Meeting uses this protocol. HTTP(TCP:80) Hyper Text Transfer Protocol - a client/server protocol for the world wide web. HTTPS HTTPS is a secured http session often used in e-commerce. ICQ(UDP:4000) This is a popular Internet chat program. IPSEC_TRANSPORT/ TUNNEL(AH:0) The IPSEC AH (Authentication Header) tunneling protocol uses this service.
Table 69 Predefined Services (continued) SERVICE DESCRIPTION SSDP(UDP:1900) Simple Service Discovery Protocol (SSDP) is a discovery service searching for Universal Plug and Play devices on your home network or upstream Internet gateways using UDP port 1900. SSH(TCP/UDP:22) Secure Shell Remote Login Program. STRMWORKS(UDP:1558) Stream Works Protocol. SYSLOG(UDP:514) Syslog allows you to send system logs to a UNIX server.
The following table describes the labels in this screen. Table 70 Firewall: Anti Probing LABEL DESCRIPTION Respond to PING on The ZyXEL Device does not respond to any incoming ping requests when Disable is selected. Select the interface which you want to reply to incoming ping requests. Do Not Respond to Requests for Unauthorized Services. Select this option to prevent hackers from finding the ZyXEL Device by probing for unused ports.
You should make any changes to the threshold values before you continue configuring firewall rules. 11.10.2 Half-Open Sessions An unusually high number of half-open sessions (either an absolute number or measured as the arrival rate) could indicate that a Denial of Service attack is occurring. For TCP, "half-open" means that the session has not reached the established state; the TCP three-way handshake has not yet been completed (see Figure 91 on page 172).
11.10.3 Configuring Firewall Thresholds The ZyXEL Device also sends alerts whenever TCP Maximum Incomplete is exceeded. The global values specified for the threshold and timeout apply to all TCP connections. Click Firewall, and Threshold to bring up the next screen. Figure 106 Firewall: Threshold The following table describes the labels in this screen.
Table 71 Firewall: Threshold (continued)
LABEL | DESCRIPTION | DEFAULT VALUES
Maximum Incomplete Low | This is the number of existing half-open sessions that causes the firewall to stop deleting half-open sessions. The ZyXEL Device continues to delete half-open requests as necessary, until the number of existing half-open sessions drops below this number. | 80 existing half-open sessions
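The half-open session thresholds of this section, as an added Python example (not ZyXEL code). The Maximum Incomplete Low default of 80 is from Table 71; the High value of 100 and the per-host TCP Maximum Incomplete value of 10 used here are assumptions, the one-minute arrival-rate thresholds are not modelled, and the SYN flood it processes is constructed rather than captured. It shows the watermark behaviour the table describes: once the count passes High, the oldest half-open sessions are deleted until the count is below Low.

```python
"""Added example (not ZyXEL code): a half-open TCP session monitor applying
the Maximum Incomplete High/Low and TCP Maximum Incomplete thresholds of
Section 11.10. Low = 80 is the guide's default; High = 100 and the per-host
limit of 10 are assumptions. The flood fed to it is constructed."""

from collections import OrderedDict
from typing import Dict, List, Tuple

Key = Tuple[str, int, str, int]     # (src, sport, dst, dport)


class HalfOpenMonitor:
    def __init__(self, max_incomplete_high: int = 100, max_incomplete_low: int = 80,
                 tcp_max_incomplete: int = 10):
        self.high = max_incomplete_high          # start deleting above this
        self.low = max_incomplete_low            # stop deleting below this
        self.per_host_limit = tcp_max_incomplete # alert when one host exceeds this
        self.half_open: "OrderedDict[Key, int]" = OrderedDict()  # insertion order = oldest first
        self.per_dest: Dict[str, int] = {}
        self.alerts: List[str] = []

    def syn(self, src: str, sport: int, dst: str, dport: int, ts: int) -> None:
        """A SYN arrived and the handshake has not completed: a new half-open session."""
        key = (src, sport, dst, dport)
        if key in self.half_open:
            return                                # retransmitted SYN, same session
        self.half_open[key] = ts
        n = self.per_dest[dst] = self.per_dest.get(dst, 0) + 1
        if n == self.per_host_limit + 1:          # alert once when the host crosses the limit
            self.alerts.append(f"t={ts}: TCP Maximum Incomplete exceeded for {dst} ({n} half-open)")
        if len(self.half_open) > self.high:
            self.alerts.append(f"t={ts}: Maximum Incomplete High exceeded "
                               f"({len(self.half_open)}); deleting oldest half-open sessions")
            self._delete_oldest_until_below_low()

    def established(self, src: str, sport: int, dst: str, dport: int) -> None:
        """Final ACK (or RST) seen: the session is no longer half-open."""
        self._forget((src, sport, dst, dport))

    def _forget(self, key: Key) -> None:
        if self.half_open.pop(key, None) is not None:
            self.per_dest[key[2]] -= 1

    def _delete_oldest_until_below_low(self) -> None:
        # Drop the oldest half-open sessions until the count is below Low.
        while len(self.half_open) >= self.low:
            oldest, _ = self.half_open.popitem(last=False)
            self.per_dest[oldest[2]] -= 1


def simulate_syn_flood(monitor: HalfOpenMonitor, victim: str, count: int) -> HalfOpenMonitor:
    """Constructed flood: `count` SYNs to victim:80 from rotating spoofed sources
    in the 203.0.113.0/24 documentation range, none of which complete."""
    for i in range(count):
        monitor.syn(f"203.0.113.{i % 250 + 1}", 1024 + i, victim, 80, ts=i)
    return monitor


if __name__ == "__main__":
    m = simulate_syn_flood(HalfOpenMonitor(), "192.168.1.34", 101)
    print(len(m.half_open))      # 79: pruned back below the Low watermark of 80
    for alert in m.alerts:
        print(alert)
```

Deleting the oldest entries first is what lets legitimate connections that are still completing their handshake survive a flood of spoofed SYNs that never will; a legitimate session is removed from the table as soon as its final ACK arrives.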
CHAPTER 12 Anti-Virus Packet Scan This chapter introduces and shows you how to configure the anti-virus packet scan. 12.1 Overview A computer virus is a small program designed to corrupt and/or alter the operation of other legitimate programs. A worm is a self-replicating program that resides in active memory and copies itself to other systems over the network without needing a host program to infect.
For maximum protection, you must keep the pattern file up-to-date. 12.2.1 Computer Virus Infection and Prevention The following describes a simplified life cycle of a computer virus. 1 A computer gets a copy of a virus from an unknown source (such as the Internet, e-mail, file sharing or any removable storage media). The virus is harmless until the execution of an infected program. 2 The virus spreads to other files and programs on the computer.
This is an Internet file transfer service that operates on the Internet and over TCP/IP networks. A system running the FTP server accepts commands from a system running an FTP client. The service allows users to send commands to the server for uploading and downloading files. Note: The anti-virus packet scan on the ZyXEL Device offers the first defense against possible virus attacks on your network.
Click Security > AntiVirus to display the configuration screen as shown next. Figure 108 Anti-Virus: Packet Scan The following table describes the labels in this screen. Table 73 Anti-Virus: Packet Scan LABEL DESCRIPTION Packet Scan Configuration Active Select this check box to enable the anti-virus packet scan on the ZyXEL Device. Clear this check box to disable it.
Table 73 Anti-Virus: Packet Scan (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyXEL Device. Cancel Click Cancel to return to the previously saved settings. 12.5 Registration and Online Update Use the Registration and Virus Information Update screen to register for and activate the anti-virus packet scan feature on the ZyXEL Device.
Figure 109 Anti-Virus: Registration and Virus Information Update The following table describes the labels in this screen. Table 74 Anti-Virus: Registration and Virus Information Update LABEL DESCRIPTION Registration You must register for the anti-virus service before you can use the packet scan feature on the ZyXEL Device. Registering for the service allows you to activate packet scan and download the virus pattern file.
12.5.1 Updating the Anti-Virus Packet Scan Follow the steps below to update the virus scan on the ZyXEL Device manually. Note: Do not turn off the ZyXEL Device while the virus scan update is in progress! 1 In the Registration and Virus Information Update screen, click Update Now. An update progress screen displays as shown. Figure 110 Virus Scan Update in Progress 2 After the virus scan update is successful, a screen displays as shown.
CHAPTER 13 Content Filtering This chapter covers how to configure content filtering. 13.1 Content Filtering Overview Internet content filtering allows you to create and enforce Internet access policies tailored to your needs. Content filtering gives you the ability to block web sites that contain key words (that you specify) in the URL. You can set a schedule for when the ZyXEL Device performs content filtering.
The following table describes the labels in this screen. Table 75 Content Filter: Keyword LABEL DESCRIPTION Active Keyword Blocking Select this check box to enable this feature. Block Websites that contain these keywords in the URL: This box contains the list of all the keywords that you have configured the ZyXEL Device to block. Delete Highlight a keyword in the box and click Delete to remove it. Clear All Click Clear All to remove all of the keywords from the list.
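A URL keyword matcher of the kind the Keyword screen configures, as an added Python example (not ZyXEL code). The guide does not say how the ZyXEL Device normalises a URL before comparing it with the keyword list; this example lower-cases and percent-decodes the URL first so that trivial case and encoding tricks do not slip past the list, which is an added design choice, and the keywords and URLs are made up.

```python
"""Added example (not ZyXEL code): URL keyword blocking with normalisation.
Whether the ZyXEL Device normalises URLs this way is not stated in the guide;
the keywords and sample URLs are constructed for the demonstration."""

from typing import List, Optional
from urllib.parse import unquote


class KeywordFilter:
    def __init__(self, keywords: List[str], active: bool = True):
        self.active = active                              # "Active Keyword Blocking" check box
        self.keywords = [k.lower() for k in keywords if k]

    @staticmethod
    def normalise(url: str) -> str:
        """Lower-case and fully percent-decode the URL so that "CaSiNo",
        "%63asino" and the double-encoded "%2563asino" all read "casino"."""
        previous = None
        while previous != url:
            previous, url = url, unquote(url)
        return url.lower()

    def matched_keyword(self, url: str) -> Optional[str]:
        """The first configured keyword found in the normalised URL, or None."""
        if not self.active:
            return None
        text = self.normalise(url)
        for keyword in self.keywords:
            if keyword in text:
                return keyword
        return None

    def is_blocked(self, url: str) -> bool:
        return self.matched_keyword(url) is not None


if __name__ == "__main__":
    f = KeywordFilter(["casino", "warez"])
    for u in ["http://www.example.com/news", "http://CaSiNo.example.com/",
              "http://www.example.com/%63asino/", "http://www.example.com/%2563asino/"]:
        print(u, "->", "blocked" if f.is_blocked(u) else "allowed")
```

Whatever the matcher, a URL keyword filter only sees the full path of plain HTTP requests; for HTTPS only the host name is visible to a gateway, so a keyword that appears solely in the path of an HTTPS site cannot be matched.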
The following table describes the labels in this screen. Table 76 Content Filter: Schedule LABEL DESCRIPTION Schedule Select Active Everyday to Block to make the content filtering active every day. Otherwise, select Edit Daily to Block and configure which days of the week (or every day) and which time of the day you want the content filtering to be active. Active Select the check box to have the content filtering active on the selected day.
P-662H/HW-D Series User’s Guide CHAPTER 14 Content Access Control This chapter gives some background information on Content Access Control and explains how to get started with the ZyXEL Device Content Access Control. 14.1 Content Access Control Overview Content Access Control (CAC) lets a LAN administrator control a LAN user’s Internet access privileges by blocking services that you specify.
P-662H/HW-D Series User’s Guide 14.2 Activating CAC and Creating User Groups From the main menu click Security > Content Access Control and General to open the configuration screen. Use this screen to activate Content Access Control and set up the four user groups. Note: You must set up all four user groups. Figure 116 Content Access Control: General The following table describes the labels in this screen.
P-662H/HW-D Series User’s Guide Table 78 Content Access Control: General (continued) LABEL DESCRIPTION Service Click Edit to select the services you wish to block access for a user group. Web Browsing Click Edit to specify the web site category(ies) and/or key words in a web site address you wish to block access for a user group. Click the Diagnose icon ( ) to test the access privilege on a specified web site address.
P-662H/HW-D Series User’s Guide Figure 117 Control Access Control: General: Time Scheduling The following table describes the labels in this screen. Table 79 Control Access Control: General: Time Scheduling LABEL DESCRIPTION Time Scheduling Select the first radio button to allow everyday access at the same times to the Internet. Type the interval time allowance (number of hours and minutes).
P-662H/HW-D Series User’s Guide 14.2.2 Configuring Services To customize services for each user group, click Edit under Services for that user group in the Content Access Control: General screen. Figure 118 Content Access Control: General: Services The following table describes the labels in this screen.
P-662H/HW-D Series User’s Guide Table 80 Content Access Control: General: Services (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyXEL Device. Cancel Click Cancel to return to the previously saved settings. 14.2.2.1 Available Services The Available Services list box in the Services screen displays some predefined services that the ZyXEL Device supports. The following table shows a list of services that can be configured.
P-662H/HW-D Series User’s Guide Table 81 Available Services (continued) SERVICE DESCRIPTION MULTICAST(IGMP:0) Internet Group Multicast Protocol is used when sending packets to a specific group of hosts. NEW-ICQ(TCP:5190) An Internet chat program. NEWS(TCP:144) A protocol for news groups. NFS(UDP:2049) Network File System - NFS is a client/server distributed file service that provides transparent file sharing for network environments.
P-662H/HW-D Series User’s Guide 14.2.3 Configuring Web Site Filters To enable content filtering and to configure URL keyword blocking for a user group, click Edit under Web Browsing in the Content Access Control: General screen. A screen displays as shown next. Figure 119 Content Access Control: General: Web Site Filter The following table describes the labels in this screen.
P-662H/HW-D Series User’s Guide Table 82 Content Access Control: General: Web Site Filter (continued) LABEL DESCRIPTION Log Matched Web Site Select this option to record attempts to access prohibited web pages. Select Blocked Categories Use this section to prevent users from accessing web pages that match the categories that you select below. Select All Select this check box to restrict access to all site categories listed below. Clear All Select this check box to clear the selected categories below.
P-662H/HW-D Series User’s Guide Table 82 Content Access Control: General: Web Site Filter (continued) LABEL DESCRIPTION Abortion Selecting this category excludes pages that provide information or arguments in favor of or against abortion, describe abortion procedures, offer help in obtaining or avoiding abortion, or provide information on the effects, or lack thereof, of abortion.
P-662H/HW-D Series User’s Guide Table 82 Content Access Control: General: Web Site Filter (continued) LABEL DESCRIPTION Health Selecting this category excludes pages that provide advice and information on general health such as fitness and well-being, personal health or medical services, drugs, alternative and complimentary therapies, medical information about ailments, dentistry, optometry, general psychiatry, selfhelp, and support organizations dedicated to a disease or condition.
P-662H/HW-D Series User’s Guide Table 82 Content Access Control: General: Web Site Filter (continued) LABEL DESCRIPTION Society/Lifestyle Selecting this category excludes pages providing information on matters of daily life. This does not include pages relating to entertainment, sports, jobs, sex or pages promoting alternative lifestyles such as homosexuality. Personal homepages fall within this category if they cannot be classified in another category.
P-662H/HW-D Series User’s Guide Table 82 Content Access Control: General: Web Site Filter (continued) LABEL DESCRIPTION Keyword Type a keyword in the Keyword field and then click Add Keyword to add a keyword to the list of keywords. The list of keywords that will be inaccessible to computers on your LAN once you enable URL keyword blocking. Back Click Back to return to the previous screen. Apply Click Apply to save your changes back to the ZyXEL Device.
14.3 User Account Setup
With Content Access Control, the ZyXEL Device requires LAN users to log in with a valid username and password before they are allowed to access the Internet. Use the User Profile screen to set up user accounts. From the main menu click Security > Content Access > User Profile to display the screen as shown next.
Figure 121 Content Access Control: User Profiles
The following table describes the labels in this screen.
14.4 User Online Status
To view the online status of each user, click Security > Content Access Control > Online Status to display the screen as shown.
Figure 122 Content Access Control: Online Status
The following table describes the labels in this screen.
Table 85 Content Access Control: Online Status
Index: This field displays the index number.
Username: This field displays the username (up to 30 characters) for this user profile.
14.5 Content Access Control Logins
The following sections describe the user and administrator login experience.
14.5.1 User Login
1 Once the initial configuration is complete, a computer on the network cannot gain Internet access without first logging into the ZyXEL Device.
2 When you attempt to access a website, you are directed to the ZyXEL Device’s user login screen.
14.5.2 Administrator Login
The administrator can log into the system.
• The administrator opens their browser and is directed to the ZyXEL Device user login page (this is the same as the user login).
• The administrator enters “admin” as the username and the system password.
• The system administrator main menu screen opens.
CHAPTER 15 Introduction to IPSec
This chapter introduces the basics of IPSec VPNs.
15.1 VPN Overview
A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication.
15.
Figure 125 Encryption and Decryption
15.1.3.2 Data Confidentiality
The IPSec sender can encrypt packets before transmitting them across a network.
15.1.3.3 Data Integrity
The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has not been altered during transmission.
15.1.3.4 Data Origin Authentication
The IPSec receiver can verify the source of IPSec packets. This service depends on the data integrity service.
15.1.
15.2 IPSec Architecture
The overall IPSec architecture is shown as follows.
Figure 126 IPSec Architecture
15.2.1 IPSec Algorithms
The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms).
Figure 127 Transport and Tunnel Mode IPSec Encapsulation
15.3.1 Transport Mode
Transport mode is used to protect upper layer protocols and only affects the data in the IP packet. In Transport mode, the IP packet contains the security protocol (AH or ESP) located after the original IP header and options, but before any upper layer protocols contained in the packet (such as TCP and UDP). With ESP, protection is applied only to the upper layer protocols contained in the packet.
NAT is incompatible with the AH protocol in both Transport and Tunnel mode. An IPSec VPN using the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet. When using AH protocol, packet contents (the data payload) are not encrypted. A NAT device in between the IPSec endpoints will rewrite either the source or destination address with one of its own choosing.
CHAPTER 16 VPN Screens
This chapter introduces the VPN screens. See the Logs chapter for information on viewing logs and the appendix for IPSec log descriptions.
16.1 VPN/IPSec Overview
Use the screens documented in this chapter to configure rules for VPN connections and manage VPN connections.
16.2 IPSec Algorithms
The ESP and AH protocols are necessary to create a Security Association (SA), the foundation of an IPSec VPN.
Table 87 AH and ESP
ESP:
DES (default): Data Encryption Standard (DES) is a widely used method of data encryption using a private (secret) key. DES applies a 56-bit key to each 64-bit block of data.
3DES: Triple DES (3DES) is a variant of DES, which iterates three times with three separate keys
AH:
MD5 (default): MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data.
SHA1: SHA1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet data.
16.4 Secure Gateway Address
Secure Gateway Address is the WAN IP address or domain name of the remote IPSec router (secure gateway). If the remote secure gateway has a static WAN IP address, enter it in the Secure Gateway Address field. You may alternatively enter the remote secure gateway’s domain name (if it has one) in the Secure Gateway Address field.
Figure 129 VPN Setup
The following table describes the fields in this screen.
Table 88 VPN Setup
No.: This is the VPN policy index number. Click a number to edit VPN policies.
Active: This field displays whether the VPN policy is active or not. A Yes signifies that this VPN policy is active. No signifies that this VPN policy is not active.
Name: This field displays the identification name for this VPN policy.
Table 88 VPN Setup (continued)
Remote Address: This is the IP address(es) of computer(s) on the remote network behind the remote IPSec router. This field displays N/A when the Secure Gateway Address field displays 0.0.0.0. In this case only the remote IPSec router can initiate the VPN. The same (static) IP address is displayed twice when the Remote Address Type field in the VPN-IKE (or VPN-Manual Key) screen is configured to Single.
16.7 VPN, NAT, and NAT Traversal
NAT is incompatible with the AH protocol in both transport and tunnel mode. An IPSec VPN using the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet, but a NAT device between the IPSec endpoints rewrites the source or destination address.
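Sections 15.3 and 16.7 both rest on one fact: AH's integrity check covers the IP addresses, ESP's does not. The following Python model is an added example, not part of ZyXEL's documentation or firmware; it signs a simplified packet both ways and shows which check survives a NAT address rewrite. The packet layout, key and addresses are constructed for the demonstration and are not the RFC 2402/2406 wire formats.

```python
"""Why AH fails behind NAT while ESP does not (simplified model).

AH's integrity check value (ICV) is computed over the IP header's immutable
fields, including source and destination addresses, plus the payload. ESP's
ICV covers only the ESP header, payload and trailer, never the outer IP header.
A NAT device that rewrites an address therefore breaks the AH check but leaves
the ESP check intact. This is a constructed model, not the RFC 2402/2406 format.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed demo key; a real SA key comes from IKE or manual keying.
SA_KEY = b"constructed-demo-authentication-key"


@dataclass(frozen=True)
class Packet:
    src: str        # outer IP source address
    dst: str        # outer IP destination address
    payload: bytes  # upper-layer data (TCP/UDP and application bytes)
    icv: bytes = b""


def _icv(data: bytes) -> bytes:
    # HMAC-MD5 truncated to 96 bits, the default authenticator length for AH/ESP.
    return hmac.new(SA_KEY, data, hashlib.md5).digest()[:12]


def _ah_scope(pkt: Packet) -> bytes:
    # AH authenticates the addresses as well as the payload
    # (mutable fields such as TTL are zeroed in the real protocol; omitted here).
    return b"|".join([pkt.src.encode(), pkt.dst.encode(), pkt.payload])


def _esp_scope(pkt: Packet) -> bytes:
    # ESP authenticates only what is inside the ESP envelope.
    return pkt.payload


def ah_sign(pkt: Packet) -> Packet:
    return replace(pkt, icv=_icv(_ah_scope(pkt)))


def ah_verify(pkt: Packet) -> bool:
    return hmac.compare_digest(pkt.icv, _icv(_ah_scope(pkt)))


def esp_sign(pkt: Packet) -> Packet:
    return replace(pkt, icv=_icv(_esp_scope(pkt)))


def esp_verify(pkt: Packet) -> bool:
    return hmac.compare_digest(pkt.icv, _icv(_esp_scope(pkt)))


def nat_rewrite(pkt: Packet, public_src: str) -> Packet:
    """A NAT device between the IPSec endpoints replaces the private source
    address with one of its own public addresses."""
    return replace(pkt, src=public_src)


def demo() -> dict:
    # Constructed addresses: a private LAN host and RFC 5737 documentation ranges.
    original = Packet("192.168.1.10", "203.0.113.5", b"GET /intranet HTTP/1.1")
    ah_pkt = ah_sign(original)
    esp_pkt = esp_sign(original)
    natted_ah = nat_rewrite(ah_pkt, "198.51.100.7")
    natted_esp = nat_rewrite(esp_pkt, "198.51.100.7")
    tampered_esp = replace(esp_pkt, payload=b"GET /admin HTTP/1.1")
    return {
        "ah_direct": ah_verify(ah_pkt),            # True
        "ah_after_nat": ah_verify(natted_ah),      # False: address changed
        "esp_direct": esp_verify(esp_pkt),         # True
        "esp_after_nat": esp_verify(natted_esp),   # True: header not covered
        "esp_tampered": esp_verify(tampered_esp),  # False: payload changed
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {'pass' if result else 'FAIL'}")
```

ESP surviving the address rewrite is why the NAT Traversal option in Table 94 is only offered for ESP; the IKE exchange on UDP port 500 still has to be forwarded through the NAT router.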
Y*: This is supported in the ZyXEL Device if you enable NAT traversal.
16.8 Remote DNS Server
In cases where you want to use domain names to access Intranet servers on a remote network that has a DNS server, you must identify that DNS server.
With main mode (see Section 16.12.1 on page 253), the ID type and content are encrypted to provide identity protection. In this case the ZyXEL Device can only distinguish between up to 12 different incoming SAs that connect from remote IPSec routers that have dynamic WAN IP addresses.
The two ZyXEL Devices in this example can complete negotiation and establish a VPN tunnel.
Table 92 Matching ID Type and Content Configuration Example
ZYXEL DEVICE A: Local ID type: E-mail; Local ID content: tom@yourcompany.com; Peer ID type: IP; Peer ID content: 1.1.1.2
ZYXEL DEVICE B: Local ID type: IP; Local ID content: 1.1.1.2; Peer ID type: E-mail; Peer ID content: tom@yourcompany.
Figure 132 Edit VPN Policies
The following table describes the fields in this screen.
Table 94 Edit VPN Policies
IPSec Setup
Active: Select this check box to activate this VPN policy. This option determines whether a VPN rule is applied before a packet leaves the firewall.
Keep Alive: Select either Yes or No from the drop-down list box.
Table 94 Edit VPN Policies (continued)
NAT Traversal: This function is available if the VPN protocol is ESP. Select this check box if you want to set up a VPN tunnel when there are NAT routers between the ZyXEL Device and the remote IPSec router. The remote IPSec router must also enable NAT traversal, and the NAT routers have to forward UDP port 500 packets to the remote IPSec router behind the NAT router.
Name: Type up to 32 characters to identify this VPN policy.
Table 94 Edit VPN Policies (continued)
Remote: Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. The remote fields do not apply when the Secure Gateway IP Address field is configured to 0.0.0.0. In this case only the remote IPSec router can initiate the VPN. Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both.
Table 94 Edit VPN Policies (continued)
Peer ID Type: Select IP to identify the remote IPSec router by its IP address. Select DNS to identify the remote IPSec router by a domain name. Select E-mail to identify the remote IPSec router by an e-mail address.
Content: The configuration of the peer content depends on the peer ID type. For IP, type the IP address of the computer with which you will make the VPN connection. If you configure this field to 0.0.0.
Table 94 Edit VPN Policies (continued)
Encryption Algorithm: Select DES, 3DES, AES or NULL from the drop-down list box. When you use one of these encryption algorithms for data communications, both the sending device and the receiving device must use the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key.
• Authenticate the connection by entering a pre-shared key.
• Choose an encryption algorithm.
• Choose an authentication algorithm.
• Choose a Diffie-Hellman public-key cryptography key group (DH1 or DH2).
• Set the IKE SA lifetime. This field allows you to determine how long an IKE SA should stay up before it times out. An IKE SA times out when the IKE SA lifetime period expires. If an IKE SA times out when an IPSec SA is already established, the IPSec SA stays connected.
16.12.2 Diffie-Hellman (DH) Key Groups
Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communications channel. Diffie-Hellman is used within IKE SA setup to establish session keys. 768-bit (Group 1 - DH1) and 1024-bit (Group 2 - DH2) Diffie-Hellman groups are supported. Upon completion of the Diffie-Hellman exchange, the two peers have a shared secret, but the IKE SA is not authenticated.
Figure 134 Advanced VPN Policies
The following table describes the fields in this screen.
Table 95 Advanced VPN Policies
VPN - IKE
Protocol: Enter 1 for ICMP, 6 for TCP, 17 for UDP, etc. 0 is the default and signifies any protocol.
Enable Replay Detection: As a VPN setup is processing intensive, the system is vulnerable to Denial of Service (DoS) attacks. The IPSec receiver can detect and reject old or duplicate packets to protect against replay attacks.
Table 95 Advanced VPN Policies (continued)
Negotiation Mode: Select Main or Aggressive from the drop-down list box. Multiple SAs connecting through a secure gateway must have the same negotiation mode.
Pre-Shared Key: Type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation.
Table 95 Advanced VPN Policies (continued)
Authentication Algorithm: Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA-1 for maximum security.
SA Life Time: Define the length of time before an IKE SA automatically renegotiates in this field.
Figure 135 VPN: Manual Key
The following table describes the fields in this screen.
Table 96 VPN: Manual Key
IPSec Setup
Active: Select this check box to activate this VPN policy.
Name: Type up to 32 characters to identify this VPN policy. You may use any character, including spaces, but the ZyXEL Device drops trailing spaces.
IPSec Key Mode: Select IKE or Manual from the drop-down list box.
Table 96 VPN: Manual Key (continued)
DNS Server (for IPSec VPN): If there is a private DNS server that services the VPN, type its IP address here. The ZyXEL Device assigns this additional DNS server to the ZyXEL Device’s DHCP clients that have IP addresses in this IPSec rule's range of local addresses. A DNS server allows clients on the VPN to find other computers and servers on the VPN by their (private) domain names.
Table 96 VPN: Manual Key (continued)
My IP Address: Enter the WAN IP address of your ZyXEL Device. The VPN tunnel has to be rebuilt if this IP address changes. The following applies if this field is configured as 0.0.0.0: The ZyXEL Device uses the current ZyXEL Device WAN IP address (static or dynamic) to set up the VPN tunnel.
When there is outbound traffic but no inbound traffic, the SA times out automatically after two minutes. A tunnel with no outbound or inbound traffic is "idle" and does not time out until the SA lifetime period expires. See Section 16.6 on page 243 on keep alive to have the ZyXEL Device renegotiate an IPSec SA when the SA lifetime expires, even if there is no traffic.
Figure 136 VPN: SA Monitor
The following table describes the fields in this screen.
The following table describes the fields in this screen.
Table 98 VPN: Global Setting
Windows Networking (NetBIOS over TCP/IP): NetBIOS (Network Basic Input/Output System) are TCP or UDP packets that enable a computer to find other computers. It may sometimes be necessary to allow NetBIOS packets to pass through VPN tunnels in order to allow local computers to find computers on the remote network and vice versa.
Table 99 Telecommuters Sharing One VPN Rule Example
My IP Address: Telecommuters: 0.0.0.0 (dynamic IP address assigned by the ISP). Headquarters: Public static IP address.
Secure Gateway IP Address: Telecommuters: Public static IP address. Headquarters: 0.0.0.0. With this IP address only the telecommuter can initiate the IPSec tunnel.
Local IP Address: Telecommuters: Telecommuter A: 192.168.2.12; Telecommuter B: 192.168.3.2; Telecommuter C: 192.168.4.15. Headquarters: 192.168.1.10.
Remote IP Address: Telecommuters: 192.168.1.10. Headquarters: 0.0.0.
Table 100 Telecommuters Using Unique VPN Rules Example
All Telecommuter Rules: My IP Address: 0.0.0.0; Secure Gateway Address: bigcompanyhq.com; Remote IP Address: 192.168.1.10; Peer ID Type: E-mail; Peer ID Content: bob@bigcompanyhq.com
All Headquarters Rules: My IP Address: bigcompanyhq.com; Local IP Address: 192.168.1.10; Local ID Type: E-mail; Local ID Content: bob@bigcompanyhq.com
Telecommuter A (telecommutera.dydns.
CHAPTER 17 Certificates
This chapter gives background information about public-key certificates and explains how to use them.
17.1 Certificates Overview
The ZyXEL Device can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use in authentication.
A certification path is the hierarchy of certification authority certificates that validate a certificate. The ZyXEL Device does not trust a certificate if any certificate on its path has expired or been revoked. Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List).
Use the Directory Servers screen to configure a list of addresses of directory servers (that contain lists of valid and revoked certificates).
17.4 My Certificates
Click Security > Certificates > My Certificates to open the My Certificates screen. This is the ZyXEL Device’s summary list of certificates and certification requests. Certificates display in black and certification requests display in gray.
Table 101 My Certificates (continued)
Type: This field displays what kind of certificate this is. REQ represents a certification request and is not yet a valid certificate. Send a certification request to a certification authority, which then issues a certificate. Use the My Certificate Import screen to import the certificate and replace the request. SELF represents a self-signed certificate.
17.5 My Certificate Import
Click Security > Certificates > My Certificates and then Import to open the My Certificate Import screen. Follow the instructions in this screen to save an existing certificate to the ZyXEL Device.
Note: You can only import a certificate that matches a corresponding certification request that was generated by the ZyXEL Device. The certificate you import replaces the corresponding request in the My Certificates screen.
The following table describes the labels in this screen.
Table 102 My Certificate Import
File Path: Type in the location of the file you want to upload in this field or click Browse to find it.
Browse: Click Browse to find the certificate file you want to upload.
Apply: Click Apply to save the certificate on the ZyXEL Device.
Cancel: Click Cancel to quit and return to the My Certificates screen.
17.
The following table describes the labels in this screen.
Table 103 My Certificate Create
Certificate Name: Type up to 31 ASCII characters (not including spaces) to identify this certificate.
Subject Information: Use these fields to record information that identifies the owner of the certificate. You do not have to fill in every field, although the Common Name is mandatory.
Table 103 My Certificate Create (continued)
Enrollment Protocol: Select the certification authority’s enrollment protocol from the drop-down list box. Simple Certificate Enrollment Protocol (SCEP) is a TCP-based enrollment protocol that was developed by VeriSign and Cisco. Certificate Management Protocol (CMP) is a TCP-based enrollment protocol that was developed by the Public Key Infrastructure X.
Figure 144 My Certificate Details
The following table describes the labels in this screen.
Table 104 My Certificate Details
Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this certificate. You may use any character (not including spaces).
Property: Default self-signed certificate which signs the imported remote host certificates.
Table 104 My Certificate Details (continued)
Key Algorithm: This field displays the type of algorithm that was used to generate the certificate’s key pair (the ZyXEL Device uses RSA encryption) and the length of the key set in bits (1024 bits for example).
Subject Alternative Name: This field displays the certificate owner’s IP address (IP), domain name (DNS) or e-mail address (EMAIL).
Figure 145 Trusted CAs
The following table describes the labels in this screen.
Table 105 Trusted CAs
PKI Storage Space in Use: This bar displays the percentage of the ZyXEL Device’s PKI storage space that is currently in use. The bar turns from green to red when the maximum is being approached. When the bar is red, you should consider deleting expired or unnecessary certificates before adding more certificates.
Table 105 Trusted CAs (continued)
Import: Click Import to open a screen where you can save the certificate of a certification authority that you trust, from your computer to the ZyXEL Device.
Refresh: Click this button to display the current validity status of the certificates.
17.9 Trusted CA Import
Click Security > Certificates > Trusted CAs to open the Trusted CAs screen and then click Import to open the Trusted CA Import screen.
17.10 Trusted CA Details
Click Security > Certificates > Trusted CAs to open the Trusted CAs screen. Click the details icon to open the Trusted CA Details screen. Use this screen to view in-depth information about the certification authority’s certificate, change the certificate’s name and set whether or not you want the ZyXEL Device to check a certification authority’s list of revoked certificates before trusting a certificate issued by the certification authority.
The following table describes the labels in this screen.
Table 107 Trusted CA Details
Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate. You may use any character (not including spaces).
Table 107 Trusted CA Details (continued)
Key Algorithm: This field displays the type of algorithm that was used to generate the certificate’s key pair (the ZyXEL Device uses RSA encryption) and the length of the key set in bits (1024 bits for example).
Subject Alternative Name: This field displays the certificate owner’s IP address (IP), domain name (DNS) or e-mail address (EMAIL).
Figure 148 Trusted Remote Hosts
The following table describes the labels in this screen.
Table 108 Trusted Remote Hosts
PKI Storage Space in Use: This bar displays the percentage of the ZyXEL Device’s PKI storage space that is currently in use. The bar turns from green to red when the maximum is being approached. When the bar is red, you should consider deleting expired or unnecessary certificates before adding more certificates.
17.12 Verifying a Trusted Remote Host’s Certificate
Certificates issued by certification authorities have the certification authority’s signature for you to check. Self-signed certificates only have the signature of the host itself. This means that you must be very careful when deciding to import (and thereby trust) a remote host’s self-signed certificate.
17.12.
Verify (over the phone for example) that the remote host has the same information in the Thumbprint Algorithm and Thumbprint fields.
17.13 Trusted Remote Hosts Import
Click Security > Certificates > Trusted Remote Hosts to open the Trusted Remote Hosts screen and then click Import to open the Trusted Remote Host Import screen. Follow the instructions in this screen to save a trusted host’s certificate to the ZyXEL Device.
Figure 152 Trusted Remote Host Details
The following table describes the labels in this screen.
Table 110 Trusted Remote Host Details
Name: This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate. You may use any character (not including spaces).
Table 110 Trusted Remote Host Details (continued)
MD5 Fingerprint: This is the certificate’s message digest that the ZyXEL Device calculated using the MD5 algorithm. You cannot use this value to verify that this is the remote host’s actual certificate because the ZyXEL Device has signed the certificate, thus causing this value to be different from that of the remote host’s actual certificate. See Section 17.
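Section 17.12 and the MD5 Fingerprint description above both come down to one check: a thumbprint computed over the certificate you are about to import must equal the one the remote host's owner reads out over the phone. The Python helper below is an added example, not ZyXEL's code; it derives the MD5 and SHA1 thumbprints from a PEM file and compares them with a value obtained out of band. The PEM body is a constructed placeholder (arbitrary bytes), not a real certificate.

```python
"""Computing a certificate's thumbprints for out-of-band verification.

The Thumbprint Algorithm and Thumbprint fields hold a hash of the certificate's
DER encoding. The owner of the remote host reads the same value out over the
phone; if the two agree, the certificate being imported is the one they hold.
The PEM body below wraps constructed bytes, not a real X.509 structure; the
hashing and comparison work identically for a real certificate file.
"""
import base64
import hashlib
import hmac
import re

# Constructed stand-in for DER-encoded certificate bytes.
PLACEHOLDER_DER = b"constructed-bytes-standing-in-for-a-DER-encoded-certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(PLACEHOLDER_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

_ALGORITHMS = {"md5": hashlib.md5, "sha1": hashlib.sha1}


def pem_to_der(pem: str) -> bytes:
    """Extract and base64-decode the first PEM certificate block."""
    m = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S
    )
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def thumbprint(der: bytes, algorithm: str) -> str:
    """Return the digest in the colon-separated upper-case form shown on the device."""
    if algorithm not in _ALGORITHMS:
        raise ValueError(f"unsupported thumbprint algorithm: {algorithm}")
    digest = _ALGORITHMS[algorithm](der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(value: str) -> str:
    # Accept "AB:CD", "ab cd" or "abcd" so a value read aloud compares cleanly.
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()


def thumbprint_matches(der: bytes, algorithm: str, spoken: str) -> bool:
    """Compare the locally computed thumbprint with the one obtained out of band."""
    expected = _normalize(thumbprint(der, algorithm))
    given = _normalize(spoken)
    if len(given) != len(expected):
        return False
    return hmac.compare_digest(expected, given)


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    for alg in ("md5", "sha1"):
        print(alg.upper(), "thumbprint:", thumbprint(der, alg))
```

Compute the thumbprint over the certificate file you were sent, not over the copy the device displays after import, since the device re-signs imported remote host certificates and their MD5 Fingerprint will differ.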
Figure 153 Directory Servers
The following table describes the labels in this screen.
Table 111 Directory Servers
PKI Storage Space in Use: This bar displays the percentage of the ZyXEL Device’s PKI storage space that is currently in use. The bar turns from green to red when the maximum is being approached. When the bar is red, you should consider deleting expired or unnecessary certificates before adding more certificates.
Figure 154 Directory Server Add
The following table describes the labels in this screen.
Table 112 Directory Server Add
Directory Service Setting
Name: Type up to 31 ASCII characters (spaces are not permitted) to identify this directory server.
Access Protocol: Use the drop-down list box to select the access protocol used by the directory server.
CHAPTER 18 Static Route
This chapter shows you how to configure static routes for your ZyXEL Device.
18.1 Static Route
Each remote node specifies only the network to which the gateway is directly connected, and the ZyXEL Device has no knowledge of the networks beyond. For instance, the ZyXEL Device knows about network N2 in the following figure through remote node Router 1.
Figure 156 Static Route
The following table describes the labels in this screen.
Table 113 Static Route
#: This is the number of an individual static route.
Active: This field shows whether this static route is active (Yes) or not (No).
Name: This is the name that describes or identifies this route.
Destination: This parameter specifies the IP network address of the final destination. Routing is always based on network number.
Figure 157 Static Route Edit
The following table describes the labels in this screen.
Table 114 Static Route Edit
Active: This field allows you to activate/deactivate this static route.
Route Name: Enter the name of the IP static route. Leave this field blank to delete this static route.
Destination IP Address: This parameter specifies the IP network address of the final destination. Routing is always based on network number.
CHAPTER 19 Bandwidth Management
This chapter contains information about configuring bandwidth management, editing rules and viewing the ZyXEL Device’s bandwidth management logs.
19.1 Bandwidth Management Overview
ZyXEL’s Bandwidth Management allows you to specify bandwidth management rules based on an application and/or subnet. You can allocate specific amounts of bandwidth capacity (bandwidth budgets) to different bandwidth rules.
Figure 158 Subnet-based Bandwidth Management Example
19.4 Application and Subnet-based Bandwidth Management
You could also create bandwidth classes based on a combination of a subnet and an application. The following example table shows bandwidth allocations for application specific traffic from separate LAN subnets.
19.5.2 Fairness-based Scheduler
The ZyXEL Device divides bandwidth equally among bandwidth classes when using the fairness-based scheduler, thus preventing one bandwidth class from using all of the interface’s bandwidth.
19.
19.6.2 Maximize Bandwidth Usage Example
Here is an example of a ZyXEL Device that has maximize bandwidth usage enabled on an interface. The following table shows each bandwidth class’s bandwidth budget. The classes are set up based on subnets. The interface is set to 10240 kbps. Each subnet is allocated 2048 kbps. The unbudgeted 2048 kbps allows traffic not defined in any of the bandwidth filters to go out when you do not select the maximize bandwidth option.
• Research requires more bandwidth but only gets its budgeted 2048 kbps because all of the unbudgeted and unused bandwidth goes to the higher priority sales and marketing classes.
19.6.2.2 Fairness-based Allotment of Unused and Unbudgeted Bandwidth
The following table shows the amount of bandwidth that each class gets.
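The two allotment rules in Section 19.6.2 can be run side by side on the page's numbers. The Python model below is an added example and not ZyXEL's scheduler: it keeps the 10240 kbps interface and four 2048 kbps subnet budgets from the text, while the class names, priorities and the amount each subnet is trying to send are constructed for the demonstration.

```python
"""Allotment of unused and unbudgeted bandwidth under the two schedulers.

Model: each class first receives min(demand, budget). Whatever is then left of
the interface rate (unused budget plus the unbudgeted remainder) is handed out
either strictly by priority or in equal shares. Class names, priorities and
demands are constructed; the 10240 kbps interface and 2048 kbps budgets match
the worked example in Section 19.6.2. Simplified model, not ZyXEL's scheduler.
"""
from dataclasses import dataclass
from typing import Dict, List

INTERFACE_KBPS = 10240


@dataclass
class BwClass:
    name: str
    priority: int  # 1 is the highest priority
    budget: int    # kbps guaranteed to the class
    demand: int    # kbps the class is currently trying to send


def guaranteed(classes: List[BwClass]) -> Dict[str, int]:
    """Step 1: every class gets its budget, capped at what it actually sends."""
    return {c.name: min(c.demand, c.budget) for c in classes}


def allocate_priority(classes: List[BwClass], interface: int = INTERFACE_KBPS) -> Dict[str, int]:
    """Priority-based scheduler: spare bandwidth goes to the highest-priority
    class that still wants more, then to the next, until nothing is left."""
    alloc = guaranteed(classes)
    spare = max(0, interface - sum(alloc.values()))
    for c in sorted(classes, key=lambda k: k.priority):
        extra = min(c.demand - alloc[c.name], spare)
        alloc[c.name] += extra
        spare -= extra
    return alloc


def allocate_fairness(classes: List[BwClass], interface: int = INTERFACE_KBPS) -> Dict[str, int]:
    """Fairness-based scheduler: spare bandwidth is split equally among the
    classes that still want more; a class needing less than its share
    releases the remainder for another round."""
    alloc = guaranteed(classes)
    spare = max(0, interface - sum(alloc.values()))
    wanting = [c for c in classes if c.demand > alloc[c.name]]
    while spare > 0 and wanting:
        share = spare // len(wanting)
        if share == 0:
            break
        for c in list(wanting):
            extra = min(c.demand - alloc[c.name], share)
            alloc[c.name] += extra
            spare -= extra
            if alloc[c.name] >= c.demand:
                wanting.remove(c)
    return alloc


# Constructed scenario: four subnets budgeted 2048 kbps each, 2048 kbps unbudgeted.
# Administration sends less than its budget; the other three want 4096 kbps each.
SUBNETS = [
    BwClass("Sales", 1, 2048, 4096),
    BwClass("Marketing", 2, 2048, 4096),
    BwClass("Research", 3, 2048, 4096),
    BwClass("Administration", 4, 2048, 1024),
]

if __name__ == "__main__":
    print("priority-based:", allocate_priority(SUBNETS))  # Research stays at 2048
    print("fairness-based:", allocate_fairness(SUBNETS))  # the 3072 spare is split 3 ways
```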
Figure 159 Bandwidth Management: Summary
The following table describes the labels in this screen.
Table 120 Media Bandwidth Management: Summary
Interface: These read-only labels represent the physical interfaces. Select an interface’s check box to enable bandwidth management on that interface. Bandwidth management applies to all traffic flowing out of the router through the interface, regardless of the traffic’s source.
19.8 Bandwidth Management Rule Setup
You must use the Bandwidth Management Summary screen to enable bandwidth management on an interface before you can configure rules for that interface. Click Advanced > Bandwidth MGMT > Rule Setup to open the following screen.
Figure 160 Bandwidth Management: Rule Setup
The following table describes the labels in this screen.
Table 121 Bandwidth Management: Rule Setup (continued)
Modify: Click the Edit icon to go to the screen where you can edit the rule. Click the Remove icon to delete an existing rule.
Apply: Click Apply to save your changes back to the ZyXEL Device.
Cancel: Click Cancel to begin configuring this screen afresh.
19.8.
The following table describes the labels in this screen.
Table 122 Bandwidth Management Rule Configuration
Rule Configuration
Active: Select this check box to have the ZyXEL Device apply this bandwidth management rule. Enable a bandwidth management rule to give traffic that matches the rule priority over traffic that does not match the rule.
Table 122 Bandwidth Management Rule Configuration (continued)
Destination Port: Enter the port number of the destination. See Table 123 on page 302 for some common services and port numbers. A blank destination IP address means any destination IP address.
Source Address: Enter the source IP address in dotted decimal notation. A blank source IP address means any source IP address.
Source Subnet Netmask: Enter the destination subnet mask.
Figure 162 Bandwidth Management: Monitor
CHAPTER 20 Dynamic DNS Setup
This chapter discusses how to configure your ZyXEL Device to use Dynamic DNS.
20.1 Dynamic DNS Overview
Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You can also access your FTP server or Web site on your own computer using a domain name (for instance myhost.dhs.
Figure 163 Dynamic DNS
The following table describes the fields in this screen.
Table 124 Dynamic DNS
Dynamic DNS Setup
Active Dynamic DNS: Select this check box to use dynamic DNS.
Service Provider: This is the name of your Dynamic DNS service provider.
Dynamic DNS Type: Select the type of service that you are registered for from your Dynamic DNS service provider.
P-662H/HW-D Series User’s Guide Table 124 Dynamic DNS (continued) LABEL DESCRIPTION Dynamic DNS server auto detect IP Address Select this option only when there are one or more NAT routers between the ZyXEL Device and the DDNS server. This feature has the DDNS server automatically detect and use the IP address of the NAT router that has a public IP address. Note: The DDNS server may not be able to detect the proper IP address if there is an HTTP proxy server between the ZyXEL Device and the DDNS server.
P-662H/HW-D Series User’s Guide 308 Chapter 20 Dynamic DNS Setup
CHAPTER 21 Remote Management Configuration
This chapter provides information on configuring remote management.
21.1 Remote Management Overview
Remote management allows you to determine which services/protocols can access which ZyXEL Device interface (if any) from which computers.
Note: When you configure remote management to allow management from the WAN, you still need to configure a firewall rule to allow access.
• The IP address in the Secured Client IP field does not match the client IP address. If it does not match, the ZyXEL Device will disconnect the session immediately.
• There is already another remote management session with an equal or higher priority running. You may only have one remote management session running at one time.
• There is a firewall rule that blocks it.
21.1.
The following table describes the labels in this screen.
Table 125 Remote Management: WWW
Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
Access Status: Select the interface(s) through which a computer may access the ZyXEL Device using this service.
Figure 166 Remote Management: Telnet
The following table describes the labels in this screen.
Table 126 Remote Management: Telnet
Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
Access Status: Select the interface(s) through which a computer may access the ZyXEL Device using this service.
Figure 167 Remote Management: FTP
The following table describes the labels in this screen.
Table 127 Remote Management: FTP
Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
Access Status: Select the interface(s) through which a computer may access the ZyXEL Device using this service.
Figure 168 SNMP Management Model
An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyXEL Device). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions.
21.6.2 SNMP Traps
The ZyXEL Device will send traps to the SNMP manager when any one of the following events occurs:
Table 128 SNMP Traps
0 coldStart (defined in RFC-1215): A trap is sent after booting (power on).
1 warmStart (defined in RFC-1215): A trap is sent after booting (software reboot).
6 whyReboot (defined in ZYXELMIB): A trap is sent with the reason for the restart before rebooting when the system is going to restart (warm start).
Figure 169 Remote Management: SNMP
The following table describes the labels in this screen.
Table 129 Remote Management: SNMP
SNMP Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
Access Status: Select the interface(s) through which a computer may access the ZyXEL Device using this service.
21.7 Configuring DNS
Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa. Refer to the chapter on LAN for background information. To change your ZyXEL Device’s DNS settings, click Advanced > Remote MGMT > DNS. The screen appears as shown. Use this screen to set from which IP address the ZyXEL Device will accept DNS queries and on which interface it can send them.
If an outside user attempts to probe an unsupported port on your ZyXEL Device, an ICMP response packet is automatically returned. This allows the outside user to know the ZyXEL Device exists. Your ZyXEL Device supports anti-probing, which prevents the ICMP response packet from being sent. This keeps outsiders from discovering your ZyXEL Device when unsupported ports are probed.
Figure 171 Remote Management: ICMP
The following table describes the labels in this screen.
21.9 TR-069
TR-069 is a protocol that defines how your ZyXEL Device can be managed via a management server such as ZyXEL’s Vantage CNM Access. An administrator can use CNM Access to remotely set up the ZyXEL Device, modify settings, perform firmware upgrades as well as monitor and diagnose the ZyXEL Device. All you have to do is enable the device to be managed by CNM Access and specify the CNM Access IP address or domain name and username and password.
Table 132 TR-069 Commands
Root
periodicEnable [0:Disable/ 1:Enable]: Whether or not the device must periodically send information to CNM Access. It is recommended to set this value to 1 in order for the ZyXEL Device to send information to CNM Access.
CHAPTER 22 Universal Plug-and-Play (UPnP)
This chapter introduces the UPnP feature in the web configurator.
22.1 Introducing Universal Plug and Play
Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities and learn about other devices on the network.
22.1.3 Cautions with UPnP
The automated nature of NAT traversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments. When a UPnP device joins a network, it announces its presence with a multicast message. For security reasons, the ZyXEL Device allows multicast messages on the LAN only.
The following table describes the fields in this screen.
Table 133 Configuring UPnP
Active the Universal Plug and Play (UPnP) Feature: Select this check box to activate UPnP. Be aware that anyone could use a UPnP application to open the web configurator's login screen without entering the ZyXEL Device's IP address (although you must still enter the password to access the web configurator).
Figure 174 Add/Remove Programs: Windows Setup: Communication
3 In the Communications window, select the Universal Plug and Play check box in the Components selection box.
Figure 175 Add/Remove Programs: Windows Setup: Communication: Components
4 Click OK to go back to the Add/Remove Programs Properties window and click Next.
5 Restart the computer when prompted.
Installing UPnP in Windows XP
Follow the steps below to install UPnP in Windows XP.
1 Click Start and Control Panel.
2 Double-click Network Connections.
3 In the Network Connections window, click Advanced in the main menu and select Optional Networking Components ….
Figure 176 Network Connections
4 The Windows Optional Networking Components Wizard window displays. Select Networking Service in the Components selection box and click Details.
Figure 178 Networking Services
6 Click OK to go back to the Windows Optional Networking Component Wizard window and click Next.
22.4 Using UPnP in Windows XP Example
This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the ZyXEL Device. Make sure the computer is connected to a LAN port of the ZyXEL Device. Turn on your computer and the ZyXEL Device.
Figure 179 Network Connections
3 In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created.
4 You may edit or delete the port mappings or click Add to manually add port mappings.
Figure 181 Internet Connection Properties: Advanced Settings
Figure 182 Internet Connection Properties: Advanced Settings: Add
5 When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically.
6 Select the Show icon in notification area when connected option and click OK. An icon displays in the system tray.
Figure 183 System Tray Icon
7 Double-click on the icon to display your current Internet connection status.
Figure 184 Internet Connection Status
Web Configurator Easy Access
With UPnP, you can access the web-based configurator on the ZyXEL Device without finding out the IP address of the ZyXEL Device first. This is helpful if you do not know the IP address of the ZyXEL Device. Follow the steps below to access the web configurator.
1 Click Start and then Control Panel.
Figure 185 Network Connections
4 An icon with the description for each UPnP-enabled device displays under Local Network.
5 Right-click on the icon for your ZyXEL Device and select Invoke. The web configurator login screen displays.
Figure 186 Network Connections: My Network Places
6 Right-click on the icon for your ZyXEL Device and select Properties. A properties window displays with basic information about the ZyXEL Device.
CHAPTER 23 System
Use this screen to configure the ZyXEL Device’s time and date settings.
23.1 General Setup
23.1.1 General Setup and System Name
General Setup contains administrative and system-related information. System Name is for identification purposes. However, because some ISPs check this name you should enter your computer's "Computer Name".
• In Windows 95/98 click Start, Settings, Control Panel, Network.
Figure 188 System General Setup
The following table describes the labels in this screen.
Table 134 System General Setup
General Setup
System Name: Choose a descriptive name for identification purposes. It is recommended you enter your computer’s “Computer name” in this field. This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes “-” and underscores "_" are accepted.
Table 134 System General Setup (continued)
Admin Password: In addition to the wizard setup, if you log in with the admin password you can also view and configure the advanced features on the ZyXEL Device.
Old Password: Type the default administrator password (1234) or the existing password you use to access the system for configuring advanced features in this field.
New Password: Type your new system password (up to 30 characters).
The following table describes the fields in this screen.
Table 135 System Time Setting
Current Time and Date
Current Time: This field displays the time of your ZyXEL Device. Each time you reload this page, the ZyXEL Device synchronizes the time with the time server.
Current Date: This field displays the date of your ZyXEL Device. Each time you reload this page, the ZyXEL Device synchronizes the date with the time server.
Table 135 System Time Setting (continued)
Start Date: Configure the day and time when Daylight Saving Time starts if you selected Enable Daylight Saving. The o'clock field uses the 24 hour format. Here are a couple of examples: Daylight Saving Time starts in most parts of the United States on the first Sunday of April. Each time zone in the United States starts using Daylight Saving Time at 2 A.M. local time.
CHAPTER 24 Logs
This chapter contains information about configuring general log settings and viewing the ZyXEL Device’s logs. Refer to the appendix for example log message explanations.
24.1 Logs Overview
The web configurator allows you to choose which categories of events and/or alerts to have the ZyXEL Device log and then display the logs or have the ZyXEL Device send them to an administrator (as e-mail) or to a syslog server.
24.1.
Figure 190 View Log
The following table describes the fields in this screen.
Table 136 View Log
Display: The categories that you select in the Log Settings screen display in the drop-down list box. Select a category of logs to view; select All Logs to view logs from all of the log categories that you selected in the Log Settings page.
Time: This field displays the time the log was recorded.
Message: This field states the reason for the log.
Alerts are e-mailed as soon as they happen. Logs may be e-mailed as soon as the log is full. Selecting many alert and/or log categories (especially Access Control) may result in many e-mails being sent.
Figure 191 Log Settings
The following table describes the fields in this screen.
Table 137 Log Settings
E-mail Log Settings
Mail Server: Enter the server name or the IP address of the mail server for the e-mail addresses specified below.
Table 137 Log Settings (continued)
Send Log To: The ZyXEL Device sends logs to the e-mail address specified in this field. If this field is left blank, the ZyXEL Device does not send logs via e-mail.
Send Alerts To: Alerts are real-time notifications that are sent as soon as an event, such as a DoS attack, system error, or forbidden web access attempt occurs. Enter the e-mail address where the alert messages will be sent.
24.4 SMTP Error Messages
The following table lists common SMTP errors.
Table 138 SMTP Error Messages
-1 means ZyXEL Device out of socket
-2 means tcp SYN fail
-3 means smtp server OK fail
-4 means HELO fail
-5 means MAIL FROM fail
-6 means RCPT TO fail
-7 means DATA fail
-8 means mail data send fail
24.4.1 Example E-mail Log
An "End of Log" message displays for each mail in which a complete log has been sent. The following is an example of a log sent by e-mail.
CHAPTER 25 Tools
This chapter describes how to upload new firmware, manage configuration and restart your ZyXEL Device.
25.1 Firmware Upgrade
Find firmware at www.zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example, "ZyXEL Device.bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes. After a successful upload, the system will reboot. Only use firmware for your device’s specific model.
Table 139 Firmware Upgrade (continued)
Browse...: Click Browse... to find the .bin file you want to upload. Remember that you must decompress compressed (.zip) files before you can upload them.
Upload: Click Upload to begin the upload process. This process may take up to two minutes.
Figure 196 Error Message
25.2 Configuration Screen
Click Maintenance > Tools > Configuration. Information related to factory defaults, backup configuration, and restoring configuration appears as shown next.
Figure 197 Configuration
25.2.1 Backup Configuration
Backup configuration allows you to back up (save) the ZyXEL Device’s current configuration to a file on your computer.
25.2.2 Restore Configuration
Restore configuration allows you to upload a new or previously saved configuration file from your computer to your ZyXEL Device.
Table 140 Maintenance Restore Configuration
File Path: Type in the location of the file you want to upload in this field or click Browse... to find it.
Browse...: Click Browse... to find the file you want to upload. Remember that you must decompress compressed (.
Figure 200 Configuration Restore Error
25.2.3 Back to Factory Defaults
Pressing the Reset button in this section clears all user-entered configuration information and returns the ZyXEL Device to its factory defaults. You can also press the RESET button on the rear panel to reset the factory defaults of your ZyXEL Device. Refer to the chapter about introducing the web configurator for more information on the RESET button.
25.
CHAPTER 26 Diagnostic
These read-only screens display information to help you identify problems with the ZyXEL Device.
26.1 General Diagnostic
Click Maintenance > Diagnostic to open the screen shown next.
Figure 202 Diagnostic: General
The following table describes the fields in this screen.
Table 141 Diagnostic: General
TCP/IP Address: Type the IP address of a computer that you want to ping in order to test a connection.
26.2 DSL Line Diagnostic
Click Maintenance > Diagnostic > DSL Line to open the screen shown next.
Figure 203 Diagnostic: DSL Line
The following table describes the fields in this screen.
Table 142 Diagnostic: DSL Line
ATM Status: Click this button to view ATM status.
ATM Loopback Test: Click this button to start the ATM loopback test. Make sure you have configured at least one PVC with proper VPIs/VCIs before you begin this test.
CHAPTER 27 Troubleshooting
This chapter covers potential problems and the corresponding remedies.
27.1 Problems Starting Up the ZyXEL Device
Table 143 Troubleshooting Starting Up Your ZyXEL Device
Problem: None of the LEDs turn on when I turn on the ZyXEL Device.
Corrective action: Make sure that the ZyXEL Device’s power adaptor is connected to the ZyXEL Device and plugged in to an appropriate power source.
27.3 Problems with the WAN
Table 145 Troubleshooting the WAN
Problem: The DSL LED is off.
Corrective action: Check the telephone wire and connections between the ZyXEL Device DSL port and the wall jack. Make sure that the telephone company has checked your phone line and set it up for DSL service. Reset your ADSL line to reinitialize your link to the DSLAM. For details, refer to Table 142 on page 352.
Problem: I cannot get a WAN IP address from the ISP.
27.4 Problems Accessing the ZyXEL Device
Table 146 Troubleshooting Accessing the ZyXEL Device
Problem: I cannot access the ZyXEL Device.
Corrective action: The default user password is “user” and the admin password is “1234”. The Password field is case-sensitive. Make sure that you enter the correct password using the proper case. If you have changed the password and have now forgotten it, you will need to upload the default configuration file.
Figure 204 Pop-up Blocker
You can also check if pop-up blocking is disabled in the Pop-up Blocker section in the Privacy tab.
1 In Internet Explorer, select Tools, Internet Options, Privacy.
2 Clear the Block pop-ups check box in the Pop-up Blocker section of the screen. This disables any web pop-up blockers you may have enabled.
Figure 205 Internet Options
3 Click Apply to save this setting.
27.4.1.1.
Figure 206 Internet Options
3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix “http://”. For example, http://192.168.1.1.
4 Click Add to move the IP address to the list of Allowed sites.
Figure 207 Pop-up Blocker Settings
5 Click Close to return to the Privacy screen.
6 Click Apply to save this setting.
27.4.1.2 JavaScripts
If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed.
1 In Internet Explorer, click Tools, Internet Options and then the Security tab.
Figure 208 Internet Options
2 Click the Custom Level... button.
3 Scroll down to Scripting.
4 Under Active scripting make sure that Enable is selected (the default).
5 Under Scripting of Java applets make sure that Enable is selected (the default).
6 Click OK to close the window.
Figure 209 Security Settings - Java Scripting
27.4.1.3 Java Permissions
1 From Internet Explorer, click Tools, Internet Options and then the Security tab.
2 Click the Custom Level... button.
3 Scroll down to Microsoft VM.
4 Under Java permissions make sure that a safety level is selected.
5 Click OK to close the window.
Figure 210 Security Settings - Java
27.4.1.3.1 JAVA (Sun)
1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab.
2 Make sure that Use Java 2 for
27.4.2 ActiveX Controls in Internet Explorer
If ActiveX is disabled, you will not be able to download ActiveX controls or to use Trend Micro Security Services. Make sure that ActiveX controls are allowed in Internet Explorer. Screen shots for Internet Explorer 6 are shown. Steps may vary depending on your version of Internet Explorer.
1 In Internet Explorer, click Tools, Internet Options and then the Security tab.
2 In the Internet Options window, click Custom Level.
Figure 213 Security Setting ActiveX Controls
APPENDIX A Product Specifications
See also the Introduction chapter for a general overview of the key features.
Specification Tables
Table 147 Device
Default IP Address: 192.168.1.1
Default Subnet Mask: 255.255.255.0 (24 bits)
Default Password: 1234
DHCP Pool: 192.168.1.32 to 192.168.1.
Table 148 Firmware
ADSL Standards: Multi-Mode standard (ANSI T1.413, Issue 2; G.dmt (G.992.1); G.lite (G.992.2)). ADSL2 G.dmt.bis (G.992.3) ADSL2 G.lite.bis (G.992.4) ADSL2+ (G.992.
Table 148 Firmware (continued)
Wireless (P-662HW only):
IEEE 802.11g Compliance
Wireless g+ technology
Frequency Range: 2.4 GHz
Advanced Orthogonal Frequency Division Multiplexing (OFDM)
Data Rates: 108Mbps and Auto Fallback
Wired Equivalent Privacy (WEP) Data Encryption 64/128/256 bit
WLAN bridge to LAN
Up to 32 MAC Address filters
WPA(2), WPA-PSK
Wi-Fi Multimedia specifications (WMM)
OTIST (One Touch Intelligent Security Technology)
IEEE 802.
APPENDIX B About ADSL
Introduction to DSL
DSL (Digital Subscriber Line) technology enhances the data capacity of the existing twisted-pair wire that runs between the local telephone company switching offices and most homes and offices.
2 Because your line is dedicated (not shared), transmission speeds between you and the device to which you connect at your service provider are not affected by other users. With cable modems, transmission speeds drop significantly as more users go on-line because the line is shared.
3 ADSL can be "always on" (connected).
APPENDIX C Wall-mounting Instructions
Do the following to hang your ZyXEL Device on a wall.
Note: See the product specifications appendix for the size of screws to use and how far apart to place them.
1 Locate a high position on a wall that is free of obstructions. Use a sturdy wall.
2 Drill two holes for the screws. Make sure the distance between the centers of the holes matches what is listed in the product specifications appendix.
APPENDIX D Setting up Your Computer’s IP Address
All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer. Windows 3.1 requires the purchase of a third-party TCP/IP application package.
Figure 215 Windows 95/98/Me: Network: Configuration
Installing Components
The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks.
If you need the adapter:
1 In the Network window, click Add.
2 Select Adapter and then click Add.
3 Select the manufacturer and model of your network adapter and then click OK.
If you need TCP/IP:
1 In the Network window, click Add.
3 Select Microsoft from the list of manufacturers.
4 Select Client for Microsoft Networks from the list of network clients and then click OK.
5 Restart your computer so the changes you made take effect.
Configuring
1 In the Network window Configuration tab, select your network adapter's TCP/IP entry and click Properties.
2 Click the IP Address tab.
• If your IP address is dynamic, select Obtain an IP address automatically.
Figure 217 Windows 95/98/Me: TCP/IP Properties: DNS Configuration
4 Click the Gateway tab.
• If you do not know your gateway’s IP address, remove previously installed gateways.
• If you have a gateway IP address, type it in the New gateway field and click Add.
5 Click OK to save and close the TCP/IP Properties window.
6 Click OK to close the Network window. Insert the Windows CD if prompted.
7 Turn on your ZyXEL Device and restart your computer when prompted.
Figure 218 Windows XP: Start Menu
2 In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT).
Figure 219 Windows XP: Control Panel
3 Right-click Local Area Connection and then click Properties.
Figure 220 Windows XP: Control Panel: Network Connections: Properties
4 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and then click Properties.
Figure 221 Windows XP: Local Area Connection Properties
5 The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP).
• If you have a dynamic IP address click Obtain an IP address automatically.
• If you have a static IP address click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields.
• Click Advanced.
Figure 222 Windows XP: Internet Protocol (TCP/IP) Properties
6 If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK.
Figure 223 Windows XP: Advanced TCP/IP Properties
7 In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP):
• Click Obtain DNS server address automatically if you do not know your DNS server IP address(es).
• If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields.
Figure 224 Windows XP: Internet Protocol (TCP/IP) Properties
8 Click OK to close the Internet Protocol (TCP/IP) Properties window.
9 Click Close (OK in Windows 2000/NT) to close the Local Area Connection Properties window.
10 Close the Network Connections window (Network and Dial-up Connections in Windows 2000/NT).
11 Turn on your ZyXEL Device and restart your computer (if prompted).
Verifying Settings
1 Click Start, All Programs, Accessories and then Command Prompt.
Figure 225 Macintosh OS 8/9: Apple Menu
2 Select Ethernet built-in from the Connect via list.
Figure 226 Macintosh OS 8/9: TCP/IP
3 For dynamically assigned settings, select Using DHCP Server from the Configure: list.
4 For statically assigned settings, do the following:
• From the Configure box, select Manually.
• Type your IP address in the IP Address box.
• Type your subnet mask in the Subnet mask box.
• Type the IP address of your ZyXEL Device in the Router address box.
5 Close the TCP/IP Control Panel.
6 Click Save if prompted, to save changes to your configuration.
7 Turn on your ZyXEL Device and restart your computer (if prompted).
Figure 228 Macintosh OS X: Network
4 For statically assigned settings, do the following:
• From the Configure box, select Manually.
• Type your IP address in the IP Address box.
• Type your subnet mask in the Subnet mask box.
• Type the IP address of your ZyXEL Device in the Router address box.
5 Click Apply Now and close the window.
6 Turn on your ZyXEL Device and restart your computer (if prompted).
Verifying Settings
Check your TCP/IP properties in the Network window.
Note: Make sure you are logged in as the root administrator.
Using the K Desktop Environment (KDE)
Follow the steps below to configure your computer IP address using the KDE.
1 Click the Red Hat button (located on the bottom left corner), select System Setting and click Network.
Figure 229 Red Hat 9.0: KDE: Network Configuration: Devices
2 Double-click on the profile of the network card you wish to configure. The Ethernet Device General screen displays as shown.
• If you have a dynamic IP address click Automatically obtain IP address settings with and select dhcp from the drop down list.
• If you have a static IP address click Statically set IP Addresses and fill in the Address, Subnet mask, and Default Gateway Address fields.
3 Click OK to save the changes and close the Ethernet Device General screen.
4 If you know your DNS server IP address(es), click the DNS tab in the Network Configuration screen.
1 Assuming that you have only one network card on the computer, locate the ifconfigeth0 configuration file (where eth0 is the name of the Ethernet card). Open the configuration file with any plain text editor.
• If you have a dynamic IP address, enter dhcp in the BOOTPROTO= field. The following figure shows an example.
Figure 233 Red Hat 9.
Figure 236 Red Hat 9.0: Restart Ethernet Card
[root@localhost init.d]# network restart
Shutting down interface eth0: [OK]
Shutting down loopback interface: [OK]
Setting network parameters: [OK]
Bringing up loopback interface: [OK]
Bringing up interface eth0: [OK]
Verifying Settings
Enter ifconfig in a terminal screen to check your TCP/IP properties.
Figure 237 Red Hat 9.
APPENDIX E IP Addresses and Subnetting

This appendix introduces IP addresses, IP address classes and subnet masks. You use subnet masks to subdivide a network into smaller logical networks.

Introduction to IP Addresses

An IP address has two parts: the network number and the host ID. Routers use the network number to send packets to the correct network, while the host ID identifies a single device on the network.

The following table shows the network number and host ID arrangement for classes A, B and C.

Table 149 Classes of IP Addresses

  IP ADDRESS   OCTET 1          OCTET 2          OCTET 3          OCTET 4
  Class A      Network number   Host ID          Host ID          Host ID
  Class B      Network number   Network number   Host ID          Host ID
  Class C      Network number   Network number   Network number   Host ID

An IP address with host IDs of all zeros is the IP address of the network (192.168.1.0 for example).

Subnet Masks

A subnet mask is used to determine which bits are part of the network number, and which bits are part of the host ID (using a logical AND operation). A subnet mask has 32 bits. If a bit in the subnet mask is a “1” then the corresponding bit in the IP address is part of the network number. If a bit in the subnet mask is “0” then the corresponding bit in the IP address is part of the host ID.

Table 152 Alternative Subnet Mask Notation (continued)

  SUBNET MASK       SUBNET MASK “1” BITS   LAST OCTET BIT VALUE   DECIMAL
  255.255.255.240   /28                    1111 0000              240
  255.255.255.248   /29                    1111 1000              248
  255.255.255.252   /30                    1111 1100              252

The first mask shown is the class “C” natural mask. Normally if no mask is specified it is understood that the natural mask is being used.

Example: Two Subnets

As an example, you have a class “C” address 192.168.1.0 with subnet mask of 255.255.

Table 154 Subnet 1 (continued)

  IP/SUBNET MASK                      NETWORK NUMBER                    LAST OCTET BIT VALUE
  Subnet Address: 192.168.1.0         Lowest Host ID: 192.168.1.1
  Broadcast Address: 192.168.1.127    Highest Host ID: 192.168.1.126

Table 155 Subnet 2

  IP/SUBNET MASK         NETWORK NUMBER                LAST OCTET BIT VALUE
  IP Address             192.168.1.                    128
  IP Address (Binary)    11000000.10101000.00000001.   10000000
  Subnet Mask            255.255.255.                  128
  Subnet Mask (Binary)   11111111.11111111.11111111.

Table 156 Subnet 1 (continued)

  IP/SUBNET MASK                     NETWORK NUMBER                   LAST OCTET BIT VALUE
  Subnet Address: 192.168.1.0        Lowest Host ID: 192.168.1.1
  Broadcast Address: 192.168.1.63    Highest Host ID: 192.168.1.62

Table 157 Subnet 2

  IP/SUBNET MASK                NETWORK NUMBER                LAST OCTET BIT VALUE
  IP Address                    192.168.1.                    64
  IP Address (Binary)           11000000.10101000.00000001.   01000000
  Subnet Mask (Binary)          11111111.11111111.11111111.   11000000
  Subnet Address: 192.168.1.64  Lowest Host ID: 192.

The following table shows class C IP address last octet values for each subnet.

Table 160 Eight Subnets

  SUBNET   SUBNET ADDRESS   FIRST ADDRESS   LAST ADDRESS   BROADCAST ADDRESS
  1        0                1               30             31
  2        32               33              62             63
  3        64               65              94             95
  4        96               97              126            127
  5        128              129             158            159
  6        160              161             190            191
  7        192              193             222            223
  8        224              225             254            255

The following table is a summary for class “C” subnet planning.

Table 161 Class C Subnet Planning

  NO.

The following table is a summary for class “B” subnet planning.

Table 162 Class B Subnet Planning

  NO. “BORROWED” HOST BITS   SUBNET MASK            NO. SUBNETS   NO. HOSTS PER SUBNET
  1                          255.255.128.0 (/17)    2             32766
  2                          255.255.192.0 (/18)    4             16382
  3                          255.255.224.0 (/19)    8             8190
  4                          255.255.240.0 (/20)    16            4094
  5                          255.255.248.0 (/21)    32            2046
  6                          255.255.252.0 (/22)    64            1022
  7                          255.255.254.0 (/23)    128           510
  8                          255.255.255.0 (/24)    256           254
  9                          255.255.255.
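The logical-AND rule and the subnet-planning tables of this appendix carried through in code, as an added example that is not part of the ZyXEL guide: addresses are handled as 32-bit integers so the AND with the mask, the broadcast address and the host range are computed the same way for any class and any number of borrowed bits, and a non-contiguous mask is rejected.

```python
"""Subnet arithmetic from Appendix E, done on the 32-bit integer form of an
address so the logical AND with the subnet mask is explicit.
Added example; not ZyXEL code."""


def dotted_to_int(dotted: str) -> int:
    """'192.168.1.130' -> 0xC0A80182; raises ValueError on a malformed address."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {dotted!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range: {octet}")
        value = (value << 8) | n
    return value


def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def int_to_binary(value: int) -> str:
    """Dotted-binary form used in the guide's tables, e.g. 11000000.10101000.00000001.10000000."""
    return ".".join(format((value >> shift) & 0xFF, "08b") for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    """/25 -> 0xFFFFFF80: the first `prefix` bits are 1, the remaining host bits 0."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def mask_to_prefix(mask_dotted: str) -> int:
    """Count the 1 bits, then check they are contiguous (255.0.255.0 is not a valid mask)."""
    mask = dotted_to_int(mask_dotted)
    prefix = bin(mask).count("1")
    if prefix_to_mask(prefix) != mask:
        raise ValueError(f"non-contiguous mask: {mask_dotted}")
    return prefix


def natural_prefix(ip: str) -> int:
    """Class A/B/C natural mask length, decided by the first octet (Table 149)."""
    first = dotted_to_int(ip) >> 24
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError("class D/E address has no natural mask")


def subnet_info(ip: str, prefix: int) -> dict:
    """Network number = ip AND mask; broadcast = network OR (NOT mask)."""
    addr = dotted_to_int(ip)
    mask = prefix_to_mask(prefix)
    network = addr & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    host_bits = 32 - prefix
    usable = host_bits >= 2          # /31 and /32 leave no host range
    return {
        "subnet_address": int_to_dotted(network),
        "lowest_host": int_to_dotted(network + 1) if usable else None,
        "highest_host": int_to_dotted(broadcast - 1) if usable else None,
        "broadcast": int_to_dotted(broadcast),
        "hosts": (1 << host_bits) - 2 if usable else 0,
        "ip_binary": int_to_binary(addr),
        "mask_binary": int_to_binary(mask),
    }


def subnet_plan(ip: str, borrowed_bits: int) -> list:
    """Split the natural network of `ip` into 2**borrowed_bits subnets (Tables 160-162)."""
    natural = natural_prefix(ip)
    prefix = natural + borrowed_bits
    base = dotted_to_int(ip) & prefix_to_mask(natural)
    step = 1 << (32 - prefix)        # addresses per subnet
    return [subnet_info(int_to_dotted(base + i * step), prefix)
            for i in range(1 << borrowed_bits)]


if __name__ == "__main__":
    for row in subnet_plan("192.168.1.0", 3):   # reproduces Table 160
        print(row["subnet_address"], row["lowest_host"], row["highest_host"], row["broadcast"])
```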
APPENDIX F Wireless LANs

Wireless LAN Topologies

This section discusses ad-hoc and infrastructure wireless LAN topologies.

Ad-hoc Wireless LAN Configuration

The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless stations (A, B, C).

Figure 239 Basic Service Set

ESS

An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS). This type of wireless LAN topology is called an Infrastructure WLAN.

Figure 240 Infrastructure WLAN

Channel

A channel is the radio frequency (or frequencies) used by IEEE 802.11a/b/g wireless devices. Channels available depend on your geographical area. You may have a choice of channels (for your region), so you should use a different channel than an adjacent AP (access point) to reduce interference. Interference occurs when radio signals from different access points overlap, degrading performance.

Figure 241 RTS/CTS

When station A sends data to the AP, it might not know that station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations. RTS/CTS is designed to prevent collisions due to hidden nodes.

A large Fragmentation Threshold is recommended for networks not prone to interference, while you should set a smaller threshold for busy networks or networks that are prone to interference. If the Fragmentation Threshold value you set is smaller than the RTS/CTS value (see previously), then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur, as data frames will be fragmented before they reach RTS/CTS size.

IEEE 802.1x

In June 2001, the IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to support extended authentication as well as providing additional accounting and control features. It is supported by Windows XP and a number of network devices. Some advantages of IEEE 802.1x are:

• User based identification that allows for roaming.

• Access-Challenge
  Sent by a RADIUS server requesting more information in order to allow access. The access point sends a proper response from the user and then sends another Access-Request message.

The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user accounting:

• Accounting-Request
  Sent by the access point requesting accounting.

EAP-TLS (Transport Layer Security)

With EAP-TLS, digital certificates are needed by both the server and the wireless stations for mutual authentication. The server presents a certificate to the client. After validating the identity of the server, the client sends a different certificate to the server. The exchange of certificates is done in the open before a secured tunnel is created. This makes user identity vulnerable to passive attacks.

For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption. They are often deployed in corporate environments, but for public deployment, a simple user name and password pair is more practical. The following table is a comparison of the features of authentication types.

TKIP uses 128-bit keys that are dynamically generated and distributed by the authentication server. AES (Advanced Encryption Standard) is a block cipher that uses a 256-bit mathematical algorithm called Rijndael. They both include a per-packet key mixing function, a Message Integrity Check (MIC) named Michael, an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism.

Security Parameters Summary

Refer to this table to see what other security parameters you should configure for each Authentication Method/key management protocol type. MAC address filters are not dependent on how you configure these security features.

Table 165 Wireless Security Relational Matrix

  AUTHENTICATION METHOD/ KEY MANAGEMENT PROTOCOL   ENCRYPTION METHOD   ENTER MANUAL KEY   IEEE 802.
APPENDIX G Importing Certificates

This appendix shows importing certificates examples using Internet Explorer 5.

Import ZyXEL Device Certificates into Netscape Navigator

In Netscape Navigator, you can permanently trust the ZyXEL Device’s server certificate by importing it into your operating system as a trusted certification authority. Select Accept This Certificate Permanently in the following screen to do this.

1 In Internet Explorer, double click the lock shown in the following screen.

Figure 243 Login Screen

2 Click Install Certificate to open the Install Certificate wizard.

Figure 244 Certificate General Information before Import

3 Click Next to begin the Install Certificate wizard.

Figure 245 Certificate Import Wizard 1

4 Select where you would like to store the certificate and then click Next.

Figure 246 Certificate Import Wizard 2

5 Click Finish to complete the Import Certificate wizard.

Figure 247 Certificate Import Wizard 3

6 Click Yes to add the ZyXEL Device certificate to the root store.

Figure 249 Certificate General Information after Import

Enrolling and Importing SSL Client Certificates

The SSL client needs a certificate if Authenticate Client Certificates is selected on the ZyXEL Device. You must have imported at least one trusted CA to the ZyXEL Device in order for the Authenticate Client Certificates to be active (see the Certificates chapter for details).

Figure 250 ZyXEL Device Trusted CA Screen

The CA sends you a package containing the CA’s trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s).

Installing the CA’s Certificate

1 Double click the CA’s trusted certificate to produce a screen similar to the one shown next.

Figure 251 CA Certificate Example

2 Click Install Certificate and follow the wizard as shown earlier in this appendix.

Installing Your Personal Certificate(s)

You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment. Double-click the personal certificate given to you by the CA to produce a screen similar to the one shown next.

1 Click Next to begin the wizard.

Figure 252 Personal Certificate Import Wizard 1

2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box.

Figure 254 Personal Certificate Import Wizard 3

4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location.

Figure 255 Personal Certificate Import Wizard 4

5 Click Finish to complete the wizard and begin the import process.

Figure 256 Personal Certificate Import Wizard 5

6 You should see the following screen when the certificate is correctly installed on your computer.

Figure 257 Personal Certificate Import Wizard 6

Using a Certificate When Accessing the ZyXEL Device Example

Use the following procedure to access the ZyXEL Device via HTTPS.

1 Enter ‘https://ZyXEL Device IP Address/’ in your browser’s web address field.

Figure 259 SSL Client Authentication

3 You next see the ZyXEL Device login screen.
APPENDIX H Command Interpreter

The following describes how to use the command interpreter.

Note: Use of undocumented commands or misconfiguration can damage the unit and possibly render it unusable.

Command Syntax

• The command keywords are in courier new font.
• Enter the command keywords exactly as shown, do not abbreviate.
• The required fields in a command are enclosed in angle brackets <>.
• The optional fields in a command are enclosed in square brackets [].
APPENDIX I Certificates Commands

The following describes the certificate commands. See Appendix H on page 419 for information on the command structure. All of these commands start with certificates.

Table 166 Certificates Commands

  COMMAND                                DESCRIPTION
  my_cert create selfsigned [key size]   Create a self-signed local host certificate. specifies a descriptive name for the generated certificate.
  create cmp_enroll [key size]           Create a certificate request and enroll for a certificate immediately online using CMP protocol. specifies a descriptive name for the enrolled certificate. specifies the CA server address. specifies the name of the CA certificate. specifies the id and key used for user authentication.
  replace_factory                        Create a certificate using your device MAC address that will be specific to this device. The factory default certificate is a common default certificate for all ZyWALL models.
  ca_trusted import                      Import the PEM-encoded certificate from stdin. specifies the name as which the imported CA certificate is to be saved.
  delete                                 Delete the specified trusted remote host certificate. specifies the name of the certificate to be deleted.
  list                                   List all trusted remote host certificate names and basic information.
  rename                                 Rename the specified trusted remote host certificate. specifies the name of the certificate to be renamed.
APPENDIX J Boot Commands

The BootModule AT commands execute from within the router’s bootup software, when debug mode is selected before the main router firmware is started. When you start up your ZyXEL Device, you are given a choice to go into debug mode by pressing a key at the prompt shown in the following screen. In debug mode you have access to a series of boot module commands, for example ATUR (for uploading firmware) and ATLC (for uploading the configuration file).

Figure 262 Boot Module Commands

    AT      just answer OK
    ATHE    print help
    ATBAx   change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.
APPENDIX K Firewall Commands

The following describes the firewall commands.

Table 167 Firewall Commands

  FUNCTION   COMMAND                                           DESCRIPTION
             config edit firewall active                       This command turns the firewall on or off.
             config retrieve firewall                          This command returns the previously saved firewall settings.
             config save firewall                              This command saves the current firewall settings.
  E-mail     config edit firewall e-mail mail-server           This command sets the IP address to which the e-mail messages are sent.
             config edit firewall e-mail return-addr           This command sets the source e-mail address of the firewall e-mails.
             config edit firewall attack minute-high <0-255>   This command sets the threshold rate of new half-open sessions per minute where the ZyXEL Device starts deleting old half-opened sessions until it gets them down to the minute-low threshold.
             config edit firewall attack minute-low <0-255>    This command sets the threshold of half-open sessions where the ZyXEL Device stops deleting half-opened sessions.
  Sets       config edit firewall set tcp-idle-timeout         This command sets how long the ZyXEL Device lets an inactive TCP connection remain open before considering it closed.
             config edit firewall set log                      This command sets whether or not the ZyXEL Device creates logs for packets that match the firewall’s default rule set.
  Rules      config edit firewall set rule destaddr-single     This command sets the rule to have the ZyXEL Device check for traffic with this individual destination address.
             config delete firewall set rule                   This command removes the specified rule in a firewall configuration set.
APPENDIX L NetBIOS Filter Commands

The following describes the NetBIOS packet filter commands.

Introduction

NetBIOS (Network Basic Input/Output System) packets are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN. For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls.

The filter types and their default settings are as follows.

Table 168 NetBIOS Filter Default Settings

  NAME                  DESCRIPTION                                                                                    EXAMPLE
  Between LAN and WAN   This field displays whether NetBIOS packets are blocked or forwarded between the LAN and the WAN.   Block
  Between LAN and DMZ   This field displays whether NetBIOS packets are blocked or forwarded between the LAN and the DMZ.   Block

  sys filter netbios config 3 on    This command blocks IPSec NetBIOS packets.
  sys filter netbios config 4 off   This command stops NetBIOS commands from initiating calls.
APPENDIX M Internal SPTGEN

Internal SPTGEN Overview

Internal SPTGEN (System Parameter Table Generator) is a configuration text file useful for efficient configuration of multiple ZyXEL Devices. Internal SPTGEN lets you configure, save and upload multiple menus at the same time using just one configuration text file, eliminating the need to navigate and configure individual SMT menus for each ZyXEL Device.

Some parameters are dependent on others. For example, if you disable the Configured field in menu 1 (see Figure 263 on page 437), then you disable every field in this menu. If you enter a parameter that is invalid in the Input column, the ZyXEL Device will not save the configuration and the command line will display the Field Identification Number.

Figure 266 Internal SPTGEN FTP Download Example

    c:\ftp 192.168.1.1
    220 PPP FTP version 1.0 ready at Sat Jan 1 03:22:12 2000
    User (192.168.1.1:(none)):
    331 Enter PASS command
    Password:
    230 Logged in
    ftp>bin
    200 Type I OK
    ftp> get rom-t
    ftp>bye
    c:\edit rom-t
    (edit the rom-t text file by a text editor and save it)

Note: You can rename your “rom-t” file when you save it to your computer but it must be named “rom-t” when you upload it to your ZyXEL Device.

Table 169 Abbreviations Used in the Example Internal SPTGEN Screens Table (continued)

  ABBREVIATION   MEANING
  PVA            Parameter Values Allowed
  INPUT          An example of what you may enter
  *              Applies to the ZyXEL Device.

The following are Internal SPTGEN screens associated with the SMT screens of your ZyXEL Device.

Table 171 Menu 3 (SMT Menu 3) (continued)

    / Menu 3.2 TCP/IP and DHCP Ethernet Setup (SMT Menu 3.2)
    FIN  FN  PVA  INPUT
    30200001 = DHCP <0(None) | 1(Server) | 2(Relay)> = 0
    30200002 = Client IP Pool Starting Address = 192.168.1.33
    30200003 = Size of Client IP Pool = 32
    30200004 = Primary DNS Server = 0.0.0.0
    30200005 = Secondary DNS Server = 0.0.0.0
    30200006 = Remote DHCP Server = 0.0.0.0
    30200008 = IP Address = 172.21.2.

    30201008 = IP Alias #1 Incoming protocol filters Set 3 = 256
    30201009 = IP Alias #1 Incoming protocol filters Set 4 = 256
    30201010 = IP Alias #1 Outgoing protocol filters Set 1 = 256
    30201011 = IP Alias #1 Outgoing protocol filters Set 2 = 256
    30201012 = IP Alias #1 Outgoing protocol filters Set 3 = 256
    30201013 = IP Alias #1 Outgoing protocol filters Set 4 = 256
    30201014 = IP Alias 2 <0(No) | 1(Yes)> = 0
    30201015

    30500004 = RTS Threshold <0 ~ 2432> = 2432
    30500005 = FRAG. Threshold <256 ~ 2432> = 2432
    30500006 = WEP <0(DISABLE) | 1(64-bit WEP) | 2(128-bit WEP)> = 0
    30500007 = Default Key <1|2|3|4> = 0
    30500008 = WEP Key1 =
    30500009 = WEP Key2 =
    30500010 = WEP Key3 =
    30500011 = WEP Key4 =
    30500012 = Wlan Active <0(Disable) | 1(Enable)> = 0

    */ MENU 3.5.1 WLAN MAC ADDRESS FILTER (SMT MENU 3.5.

Table 172 Menu 4 Internet Access Setup (SMT Menu 4) (continued)

    40000002 = Active <0(No) | 1(Yes)> = 1
    40000003 = ISP's Name
    40000004 = Encapsulation <2(PPPOE) | 3(RFC 1483) | 4(PPPoA) | 5(ENET ENCAP)> = 2
    40000005 = Multiplexing <1(LLC-based) | 2(VC-based)> = 1
    40000006 = VPI # = 0
    40000007 = VCI # = 35
    40000008 = Service Name = any
    40000009 = My Login = test@pqa
    40000010 = My Password = 1234
    40000011 = Single User Accou

    40000032 = RIP Version <0(Rip-1) | 1(Rip-2B) | 2(Rip-2M)> = 0
    40000033 = Nailed-up Connection <0(No) | 1(Yes)> = 0

Table 173 Menu 12 (SMT Menu 12)

    / Menu 12.1.1 IP Static Route Setup (SMT Menu 12.1.1)
    FIN  FN  PVA  INPUT
    120101001 = IP Static Route set #1, Name =
    120101002 = IP Static Route set #1, Active <0(No) | 1(Yes)> = 0
    120101003 = IP Static Route set #1, Destination IP address = 0.0.0.

    / Menu 12.1.4 IP Static Route Setup (SMT Menu 12.1.4)
    FIN  FN  PVA  INPUT
    120104001 = IP Static Route set #4, Name =
    120104002 = IP Static Route set #4, Active <0(No) | 1(Yes)> = 0
    120104003 = IP Static Route set #4, Destination IP address = 0.0.0.0
    120104004 = IP Static Route set #4, Destination IP subnetmask = 0
    120104005 = IP Static Route set #4, Gateway = 0.0.0.

    120107006 = IP Static Route set #7, Metric = 0
    120107007 = IP Static Route set #7, Private <0(No) | 1(Yes)> = 0

    / Menu 12.1.8 IP Static Route Setup (SMT Menu 12.1.8)
    FIN  FN  PVA  INPUT
    120108001 = IP Static Route set #8, Name =
    120108002 = IP Static Route set #8, Active <0(No) | 1(Yes)> = 0
    120108003 = IP Static Route set #8, Destination IP address = 0.0.0.

    120111004 = IP Static Route set #11, Destination IP subnetmask = 0
    120111005 = IP Static Route set #11, Gateway = 0.0.0.0
    120111006 = IP Static Route set #11, Metric = 0
    120111007 = IP Static Route set #11, Private <0(No) | 1(Yes)> = 0

    */ Menu 12.1.12 IP Static Route Setup (SMT Menu 12.1.

    120115002 = IP Static Route set #15, Active <0(No) | 1(Yes)> = 0
    120115003 = IP Static Route set #15, Destination IP address = 0.0.0.0
    120115004 = IP Static Route set #15, Destination IP subnetmask = 0
    120115005 = IP Static Route set #15, Gateway = 0.0.0.0
    120115006 = IP Static Route set #15, Metric = 0
    120115007 = IP Static Route set #15, Private <0(No) | 1(Yes)> = 0

    */ Menu 12.1.

Table 174 Menu 15 SUA Server Setup (SMT Menu 15) (continued)

    150000014 = SUA Server #4 Port Start = 0
    150000015 = SUA Server #4 Port End = 0
    150000016 = SUA Server #4 Local IP address = 0.0.0.0
    150000017 = SUA Server #5 Active <0(No) | 1(Yes)> = 0
    150000018 = SUA Server #5 Protocol <0(All) | 6(TCP) | 17(UDP)> = 0
    150000019 = SUA Server #5 Port Start = 0
    150000020 = SUA Server #5 Port End = 0
    150000021 = SUA Server #5 Local IP address = 0.0.0.

    150000048 = SUA Server #11 Protocol <0(All) | 6(TCP) | 17(UDP)> = 0
    150000049 = SUA Server #11 Port Start = 0
    150000050 = SUA Server #11 Port End = 0
    150000051 = SUA Server #11 Local IP address = 0.0.0.

Table 175 Menu 21.1 Filter Set #1 (SMT Menu 21.1) (continued)

    / Menu 21.1.1.2 set #1, rule #2 (SMT Menu 21.1.1.2)
    FIN  FN  PVA  INPUT
    210102001 = IP Filter Set 1, Rule 2 Type <2(TCP/IP)> = 2
    210102002 = IP Filter Set 1, Rule 2 Active <0(No) | 1(Yes)> = 1
    210102003 = IP Filter Set 1, Rule 2 Protocol = 6
    210102004 = IP Filter Set 1, Rule 2 Dest IP address = 0.0.0.

    210103013 = IP Filter Set 1, Rule 3 Act Match <1(check next) | 2(forward) | 3(drop)> = 3
    210103014 = IP Filter Set 1, Rule 3 Act Not Match <1(check next) | 2(forward) | 3(drop)> = 1

    / Menu 21.1.1.4 set #1, rule #4 (SMT Menu 21.1.1.

    210105009 = IP Filter Set 1, Rule 5 Src Subnet Mask = 0
    210105010 = IP Filter Set 1, Rule 5 Src Port = 0
    210105011 = IP Filter Set 1, Rule 5 Src Port Comp <0(none) | 1(equal) | 2(not equal) | 3(less) | 4(greater)> = 0
    210105013 = IP Filter Set 1, Rule 5 Act Match <1(check next) | 2(forward) | 3(drop)> = 3
    210105014 = IP Filter Set 1, Rule 5 Act Not Match <1(Check Next) | 2(Forward) | 3(Drop)> = 1

    / Menu 21.1.1.

Table 176 Menu 21.1 Filter Set #2 (SMT Menu 21.1) (continued)

    / Menu 21.1.2.1 Filter set #2, rule #1 (SMT Menu 21.1.2.1)
    FIN  FN  PVA  INPUT
    210201001 = IP Filter Set 2, Rule 1 Type <0(none) | 2(TCP/IP)> = 2
    210201002 = IP Filter Set 2, Rule 1 Active <0(No) | 1(Yes)>
    210201003 = IP Filter Set 2, Rule 1 Protocol = 6
    210201004 = IP Filter Set 2, Rule 1 Dest IP address = 0.0.0.

    210202009 = IP Filter Set 2, Rule 2 Src Subnet Mask = 0
    210202010 = IP Filter Set 2, Rule 2 Src Port = 0
    210202011 = IP Filter Set 2, Rule 2 Src Port Comp <0(none) | 1(equal) | 2(not equal) | 3(less) | 4(greater)> = 0
    210202013 = IP Filter Set 2, Rule 2 Act Match <1(check next) | 2(forward) | 3(drop)> = 3
    210202014 = IP Filter Set 2, Rule 2 Act Not Match <1(check next) | 2(forward) | 3(drop)> = 1

    / Menu 21.1.2.

    210204002 = IP Filter Set 2, Rule 4 Active <0(No) | 1(Yes)> = 1
    210204003 = IP Filter Set 2, Rule 4 Protocol = 17
    210204004 = IP Filter Set 2, Rule 4 Dest IP address = 0.0.0.0
    210204005 = IP Filter Set 2, Rule 4 Dest Subnet Mask = 0
    210204006 = IP Filter Set 2, Rule 4 Dest Port
    210204007 = IP Filter Set 2, Rule 4 Dest Port Comp
    210204008 = IP Filter Set 2, Rule 4 Src IP address = 0.0.0.

    210205011 = IP Filter Set 2, Rule 5 Src Port Comp <0(none) | 1(equal) | 2(not equal) | 3(less) | 4(greater)> = 0
    210205013 = IP Filter Set 2, Rule 5 Act Match <1(check next) | 2(forward) | 3(drop)> = 3
    210205014 = IP Filter Set 2, Rule 5 Act Not Match <1(check next) | 2(forward) | 3(drop)> = 1

    / Menu 21.1.2.6 Filter set #2, rule #6 (SMT Menu 21.1.2.

Table 177 Menu 23 System Menus (SMT Menu 23)

    */ Menu 23.1 System Password Setup (SMT Menu 23.1)
    FIN  FN  PVA  INPUT
    230000000 = System Password = 1234

    */ Menu 23.2 System security: radius server (SMT Menu 23.2)
    FIN  FN  PVA  INPUT
    230200001 = Authentication Server Configured <0(No) | 1(Yes)> = 1
    230200002 = Authentication Server Active <0(No) | 1(Yes)> = 1
    230200003 = Authentication Server IP Address = 192.168.1.

    230400008 = WPA Mixed Mode <0(Disable) | 1(Enable)> = 0
    230400009 = Data Privacy for Broadcast/Multicast packets <0(TKIP) | 1(WEP)> = 0
    230400010 = WPA Broadcast/Multicast Key Update Timer = 0

Table 178 Menu 24.11 Remote Management Control (SMT Menu 24.11)

    / Menu 24.11 Remote Management Control (SMT Menu 24.

Table 179 Command Examples (continued)

    FIN  FN  PVA  INPUT
    990000001 = ADSL OPMD <0(etsi) | 1(normal) | 2(gdmt) | 3(multimode)> = 3
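A parser for the rom-t line format shown in these tables, as an added example that is not ZyXEL code: it reads the FIN, field name, PVA and INPUT columns, reproduces the rule that an INPUT outside the PVA list is rejected, and runs a short defender audit over the password and wireless fields. The field identification numbers are the ones in the tables above; the sample file is constructed from the guide's example rows, and the audit rules are this example's own choices.

```python
"""Parser, validator and audit for the Internal SPTGEN (rom-t) text format of Appendix M.
Added example; not ZyXEL code. FINs are taken from the guide's tables; the audit
rules below are assumptions made for this example."""
import re
from dataclasses import dataclass
from typing import Optional

# One rom-t line: "<FIN> = <field name> [<PVA>] = <INPUT>"; INPUT may be blank.
_LINE_RE = re.compile(r"^(\d{8,9})\s*=\s*(.*?)\s*$")
_PVA_RE = re.compile(r"<([^>]*)>")


@dataclass
class Field:
    fin: str
    name: str
    allowed: Optional[str]   # text inside <...>, e.g. "0(No) | 1(Yes)"; None if absent
    value: str               # INPUT column, "" when left blank
    section: str             # most recent "/ Menu ..." comment line


def parse_rom_t(text: str) -> dict:
    """Return {FIN: Field}. Lines beginning with '/' or '*/' are section markers."""
    fields, section = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("/", "*/")):
            section = line.lstrip("*/ ").strip()
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rom-t line: {raw!r}")
        fin, rest = m.groups()
        # The field name and PVA never contain '=', so INPUT is whatever follows the last '='.
        name_part, value = rest.rsplit("=", 1) if "=" in rest else (rest, "")
        pva = _PVA_RE.search(name_part)
        fields[fin] = Field(fin=fin, name=_PVA_RE.sub("", name_part).strip(),
                            allowed=pva.group(1).strip() if pva else None,
                            value=value.strip(), section=section)
    return fields


def allowed_codes(field: Field) -> Optional[set]:
    """'0(No) | 1(Yes)' -> {'0', '1'}; numeric ranges such as '0 ~ 2432' are not checked."""
    if field.allowed is None or "~" in field.allowed:
        return None
    return set(re.findall(r"(?:^|\|)\s*(\d+)", field.allowed))


def validate(fields: dict) -> list:
    """An INPUT outside its PVA list is what makes the device refuse the upload."""
    bad = []
    for f in fields.values():
        codes = allowed_codes(f)
        if codes and f.value and f.value not in codes:
            bad.append((f.fin, f.name, f.value))
    return bad


def audit(fields: dict) -> list:
    """Defender checks on fields the guide's tables expose (rules are this example's own)."""
    findings = []
    pw = fields.get("230000000")                 # Menu 23.1 System Password
    if pw is not None and pw.value in ("", "1234"):  # blank, or the example value from Table 177
        findings.append("system password is blank or still the guide's example value")
    wlan = fields.get("30500012")                # Menu 3.5 Wlan Active
    wep = fields.get("30500006")                 # Menu 3.5 WEP <0|1|2>
    if wlan and wlan.value == "1" and wep and wep.value == "0":
        findings.append("wireless LAN is active with WEP disabled")
    if wep and wep.value in ("1", "2"):
        keys = [fields.get(fin) for fin in ("30500008", "30500009", "30500010", "30500011")]
        if all(k is None or k.value == "" for k in keys):
            findings.append("WEP enabled but no WEP key is set")
    return findings


# Constructed sample: the guide's example rows with WEP switched on and no key supplied.
SAMPLE = """\
/ Menu 3.2 TCP/IP and DHCP Ethernet Setup (SMT Menu 3.2)
30200001 = DHCP <0(None) | 1(Server) | 2(Relay)> = 1
30200002 = Client IP Pool Starting Address = 192.168.1.33
*/ MENU 3.5 WIRELESS LAN SETUP (SMT MENU 3.5)
30500006 = WEP <0(DISABLE) | 1(64-bit WEP) | 2(128-bit WEP)> = 1
30500008 = WEP Key1 =
30500012 = Wlan Active <0(Disable) | 1(Enable)> = 1
*/ Menu 23.1 System Password Setup (SMT Menu 23.1)
230000000 = System Password = 1234
"""

if __name__ == "__main__":
    parsed = parse_rom_t(SAMPLE)
    print("invalid inputs:", validate(parsed))
    print("findings:", audit(parsed))
```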
APPENDIX N Splitters and Microfilters

This appendix tells you how to install a POTS splitter or a telephone microfilter.

Connecting a POTS Splitter

When you use the Full Rate (G.dmt) ADSL standard, you can use a POTS (Plain Old Telephone Service) splitter to separate the telephone and ADSL signals. This allows simultaneous Internet access and telephone service on the same line. A splitter also eliminates the destructive interference conditions caused by telephone sets.

1 Connect a phone cable from the wall jack to the single jack end of the Y-Connector.
2 Connect a cable from the double jack end of the Y-Connector to the “wall side” of the microfilter.
3 Connect another cable from the double jack end of the Y-Connector to the ZyXEL Device.
4 Connect the “phone side” of the microfilter to your telephone as shown in the following figure.
P-662H/HW-D Series User’s Guide APPENDIX O Log Descriptions This appendix provides descriptions of example log messages. Table 180 System Maintenance Logs LOG MESSAGE DESCRIPTION Time calibration is successful The router has adjusted its time based on information from the time server. Time calibration failed The router failed to get information from the time server. WAN interface gets IP:%s A WAN interface got a new IP address from the DHCP, PPPoE, PPTP or dial-up server.
P-662H/HW-D Series User’s Guide Table 180 System Maintenance Logs (continued) LOG MESSAGE DESCRIPTION Successful HTTPS login Someone has logged on to the router's web configurator interface using HTTPS protocol. HTTPS login failed Someone has failed to log on to the router's web configurator interface using HTTPS protocol. Table 181 System Error Logs LOG MESSAGE DESCRIPTION %s exceeds the max.
P-662H/HW-D Series User’s Guide Table 183 TCP Reset Logs LOG MESSAGE DESCRIPTION Under SYN flood attack, sent TCP RST The router sent a TCP reset packet when a host was under a SYN flood attack (the TCP incomplete count is per destination host.) Exceed TCP MAX incomplete, sent TCP RST The router sent a TCP reset packet when the number of TCP incomplete connections exceeded the user configured threshold. (the TCP incomplete count is per destination host.
P-662H/HW-D Series User’s Guide Table 185 ICMP Logs LOG MESSAGE DESCRIPTION Firewall default policy: ICMP , , ICMP access matched the default policy and was blocked or forwarded according to the user's setting. For type and code details, see Table 197 on page 477.
P-662H/HW-D Series User’s Guide Table 187 PPP Logs (continued) LOG MESSAGE DESCRIPTION ppp:LCP Closing The PPP connection’s Link Control Protocol stage is closing. ppp:IPCP Closing The PPP connection’s Internet Protocol Control Protocol stage is closing. Table 188 UPnP Logs LOG MESSAGE DESCRIPTION UPnP pass through Firewall UPnP packets can pass through the firewall.
P-662H/HW-D Series User’s Guide Table 189 Content Filtering Logs (continued) LOG MESSAGE DESCRIPTION Connecting to content filter server fail The connection to the external content filtering server failed. License key is invalid The external content filtering license key is invalid. Table 190 Attack Logs 470 LOG MESSAGE DESCRIPTION attack [TCP | UDP | IGMP | ESP | GRE | OSPF] The firewall detected a TCP/UDP/IGMP/ESP/GRE/OSPF attack.
P-662H/HW-D Series User’s Guide Table 191 IPSec Logs LOG MESSAGE DESCRIPTION Discard REPLAY packet The router received and discarded a packet with an incorrect sequence number. Inbound packet authentication failed The router received a packet that has been altered. A third party may have altered or tampered with the packet. Receive IPSec packet, but no corresponding tunnel exists The router dropped an inbound packet for which SPI could not find a corresponding phase 2 SA.
P-662H/HW-D Series User’s Guide Table 192 IKE Logs (continued) 472 LOG MESSAGE DESCRIPTION Cannot resolve Secure Gateway Addr for rule <%d> The router couldn’t resolve the IP address from the domain name that was used for the secure gateway address. Peer ID: - The displayed ID information did not match between the two ends of the connection. vs.
Table 192 IKE Logs (continued)

LOG MESSAGE | DESCRIPTION
XAUTH fail! Username: | The router was not able to use extended authentication to authenticate the listed username.
Rule[%d] Phase 1 negotiation mode mismatch | The listed rule’s IKE phase 1 negotiation mode did not match between the router and the peer.
Rule [%d] Phase 1 encryption algorithm mismatch | The listed rule’s IKE phase 1 encryption algorithm did not match between the router and the peer.
Table 192 IKE Logs (continued)

LOG MESSAGE | DESCRIPTION
Rule [%d] phase 2 mismatch | The listed rule’s IKE phase 2 did not match between the router and the peer.
Rule [%d] Phase 2 key length mismatch | The listed rule’s IKE phase 2 key lengths (with the AES encryption algorithm) did not match between the router and the peer.

Table 193 PKI Logs

LOG MESSAGE | DESCRIPTION
Enrollment successful | The SCEP online certificate enrollment was successful.
Table 193 PKI Logs (continued)

LOG MESSAGE | DESCRIPTION
Rcvd data too large! Max size allowed: | The router received directory data that was too large (the size is listed) from the LDAP server whose address and port are recorded in the Source field. The maximum size of directory data that the router allows is also recorded.
Cert trusted: | The router has verified the path of the certificate with the listed subject name.
Table 194 Certificate Path Verification Failure Reason Codes (continued)

CODE | DESCRIPTION
26 | Database method failed.
27 | Path was not verified.
28 | Maximum path length reached.

Table 195 802.1X Logs

LOG MESSAGE | DESCRIPTION
Local User Database accepts user. | A user was authenticated by the local user database.
Local User Database reports user credential error. | A user was not authenticated by the local user database because of an incorrect user password.
Table 196 ACL Setting Notes

PACKET DIRECTION | DIRECTION | DESCRIPTION
(L to W) | LAN to WAN | ACL set for packets traveling from the LAN to the WAN.
(W to L) | WAN to LAN | ACL set for packets traveling from the WAN to the LAN.
(D to L) | DMZ to LAN | ACL set for packets traveling from the DMZ to the LAN.
(D to W) | DMZ to WAN | ACL set for packets traveling from the DMZ to the WAN.
(W to D) | WAN to DMZ | ACL set for packets traveling from the WAN to the DMZ.
Table 197 ICMP Notes (continued)

TYPE | CODE | DESCRIPTION
Time Exceeded 11 | 0 | Time to live exceeded in transit
Time Exceeded 11 | 1 | Fragment reassembly time exceeded
Parameter Problem 12 | 0 | Pointer indicates the error
Timestamp 13 | 0 | Timestamp request message
Timestamp Reply 14 | 0 | Timestamp reply message
Information Request 15 | 0 | Information request message
Information Reply 16 | 0 | Information reply message

Table 198 Syslog Logs

LOG MESSAGE | DESCRIPTION
Mon dd hr:
Table 199 RFC-2408 ISAKMP Payload Types (continued)

LOG DISPLAY | PAYLOAD TYPE
SIG | Signature
NONCE | Nonce
NOTFY | Notification
DEL | Delete
VID | Vendor ID

Log Commands

Go to the command interpreter interface.

Configuring What You Want the ZyXEL Device to Log

1 Use the sys logs load command to load the log setting buffer that allows you to configure which logs the ZyXEL Device is to record.
2 Use sys logs category to view a list of the log categories.
Use 0 to not record logs for that category, 1 to record only logs for that category, 2 to record only alerts for that category, and 3 to record both logs and alerts for that category. Not every parameter is available with every category.
5 Use the sys logs save command to store the settings in the ZyXEL Device (you must do this in order to record logs).

Displaying Logs

• Use the sys logs display command to show all of the logs in the ZyXEL Device’s log.
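As an added example, not part of the user's guide or ZyXEL's own software, the following Python script turns the message templates from the log tables above into match patterns and tags log lines by category, so that output collected from sys logs display or a syslog server can be triaged; the severity labels and the sample lines (including their timestamp and host prefix) are constructed for this example.

```python
import re
from collections import Counter

# Templates copied from the log tables above; categories follow the table
# titles, while the severity labels are an assumption made for this example.
CATALOG = [
    ("Under SYN flood attack, sent TCP RST", "TCP Reset", "alert"),
    ("Exceed TCP MAX incomplete, sent TCP RST", "TCP Reset", "alert"),
    ("attack [TCP | UDP | IGMP | ESP | GRE | OSPF]", "Attack", "alert"),
    ("Discard REPLAY packet", "IPSec", "alert"),
    ("Cannot resolve Secure Gateway Addr for rule <%d>", "IKE", "warn"),
    ("Rule [%d] Phase 1 encryption algorithm mismatch", "IKE", "warn"),
    ("Local User Database reports user credential error.", "802.1X", "warn"),
]

def template_to_regex(template):
    """%d captures a rule number; a bracketed 'A | B' list captures the protocol."""
    out, pos = [], 0
    for m in re.finditer(r"\[([^\]]*)\]|%d", template):
        out.append(re.escape(template[pos:m.start()]))
        if m.group(0) == "%d":
            out.append(r"(?P<rule>\d+)")
        elif "|" in m.group(1):
            out.append("(?P<proto>%s)" % "|".join(re.escape(a.strip()) for a in m.group(1).split("|")))
        else:  # e.g. "Rule [%d]": literal brackets around a nested template
            out.append(r"\[" + template_to_regex(m.group(1)) + r"\]")
        pos = m.end()
    out.append(re.escape(template[pos:]))
    return "".join(out)

COMPILED = [(re.compile(template_to_regex(t)), c, s) for t, c, s in CATALOG]

def classify(line):
    """(category, severity, captured fields) for a catalogued message, else None."""
    for rx, cat, sev in COMPILED:
        if hit := rx.search(line):
            return cat, sev, {k: v for k, v in hit.groupdict().items() if v}
    return None

def summarize(lines):
    """Count matched lines per (category, severity); unknown lines are ignored."""
    return Counter(h[:2] for h in map(classify, lines) if h)

# Constructed sample lines; the timestamp/host prefix is illustrative only.
SAMPLE_LOGS = [
    "Jan 12 10:00:01 zyxel: Under SYN flood attack, sent TCP RST",
    "Jan 12 10:00:02 zyxel: Rule [3] Phase 1 encryption algorithm mismatch",
    "Jan 12 10:00:03 zyxel: attack TCP",
    "Jan 12 10:00:04 zyxel: ppp:LCP Closing",
]
```

Messages not in the catalog (such as the PPP line) are deliberately left unclassified so a collector can count them separately rather than silently dropping them.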
APPENDIX P Triangle Route

The Ideal Setup

When the firewall is on, your ZyXEL Device acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the ZyXEL Device to protect your LAN against attacks.

Figure 273 Ideal Setup

The “Triangle Route” Problem

A traffic route is a path for sending or receiving data packets between two Ethernet devices.
Figure 274 “Triangle Route” Problem

The “Triangle Route” Solutions

This section presents two solutions to the “triangle route” problem.

IP Aliasing

IP alias allows you to partition your network into logical sections over the same Ethernet interface. Your ZyXEL Device supports up to three logical LAN interfaces, with the ZyXEL Device being the gateway for each logical network.
Figure 275 IP Alias

Gateways on the WAN Side

A second solution to the “triangle route” problem is to put all of your network gateways on the WAN side, as the following figure shows. This ensures that all incoming network traffic passes through your ZyXEL Device to your LAN. Therefore your LAN is protected.
Index

A Address Assignment 111 Address Resolution Protocol (ARP) 114 ADSL standards 42 Advanced Encryption Standard 405 AH 235 AH Protocol 239 alternative subnet mask notation 391 antenna gain 134 Anti-virus Online update 207 Registration 207 Anti-virus packet scan Configuration 205 Anti-virus scan packet types 205 Any IP 42, 113 How it works 114 note 114 Any IP Setup 116 AP (access point) 399 applications Internet access 46 Application-level Firewalls 170 ATM Adaptation Laye
BSS 397 BW Budget 299 C CA 404 CAC 215 CBR (Continuous Bit Rate) 93, 98 certificate 251 Certificate Authority 404 change password at login 50 Channel 399 Interference 399 Channel ID 128 compact 44 compact guide 49 Computer virus 203 Computer virus infection and prevention 204 Computer virus types 203 Configuration 110 Content Access Control activation 216 Administrator Login 231 Application 215 configuration steps 215 Content Filtering Service 217 create user groups 216 Cus
Content filtering 211 content filtering 42, 222 CTS (Clear to Send) 400 Custom Ports Creating/Editing 191 Customized Services 190 Customized services 190 D Data Confidentiality 234 Data Integrity 234 Data Origin Authentication 234 Default 349 default LAN IP address 49 Denial of Service 170, 171, 199 Destination Address 183 device model number 345 DH 254 DHCP 44, 110, 111, 305, 333 DHCP client 44 DHCP relay 44 DHCP server 44 diagnostic 351 Diffie-Hellman Key Groups 254 DMZ 1
E EAP Authentication 403 ECHO 162 E-mail virus 203 embedded help 53 Encapsulated Routing Link Protocol (ENET ENCAP) 85 Encapsulation 85, 235 ENET ENCAP 85 PPP over Ethernet 85 PPPoA 86 RFC 1483 86 Encapsulation Security Payload 239 Encryption 233, 405 ESP 235 ESP Protocol 239 ESS 398 Ethernet 366 Extended Service Set 398 Extended Service Set IDentification 128 Extended wireless security 75 F Fairness-based Scheduler 295 FCC 4 FCC Rules 4 Federal Communications Commission 4
upload 345 upload error 346 Fragmentation Threshold 400 Fragmentation threshold 400 Frame Relay 46 FTP 162, 309, 312 FTP Restrictions 309 Full Rate 463 G General Setup 333 General wireless LAN screen 127 H Half-Open Sessions 199 Hidden node 399 Host 63, 334, 335 How ZyXEL Device virus scan works 205 HTTP 162, 170, 171, 172 HTTP (Hypertext Transfer Protocol) 345 I IANA 112 IANA (Internet Assigned Number Authority) 190 IBSS 397 ICMP echo 173 ID Type and Content 245 IEEE 802
Internet Access 42, 46 Internet access 65 Internet Access Setup 354 Internet access wizard setup 65 Internet Assigned Numbers Authority See IANA 112 Internet Control Message Protocol (ICMP) 173, 197 Internet Key Exchange 252 Internet Protocol Security 233 IP Address 111, 162, 163, 164 IP Address Assignment 87 ENET ENCAP 87 PPPoA or PPPoE 87 RFC 1483 87 IP alias 44 IP Policy Routing (IPPR) 44 IP Pool 117 IP Pool Setup 110 IP protocol type 195 IP Spoofing 172, 175 IPSec 233 IPS
MAC Address Filtering 139 MAC Filter 139 Macro virus 203 Management Information Base (MIB) 314 Manually Update Virus Information 208 Maximize Bandwidth Usage 295 Maximum Burst Size (MBS) 89, 94, 98 Max-incomplete High 199 Max-incomplete Low 199 Media Bandwidth Management 43 Message Integrity Check (MIC) 405 Metric 88 Multicast 113 Multiplexing 86 multiplexing 86 LLC-based 86 VC-based 86 Multiprotocol Encapsulation 86 My IP Address 240 N Nailed-Up Connection 87 NAT 111, 162,
P Packet Filtering 180 Packet filtering When to use 180 Packet Filtering Firewalls 169 Pairwise Master Key (PMK) 406 Parental Control 215 Pattern file 203 Peak Cell Rate (PCR) 88, 94, 98 Perfect Forward Secrecy 254 PFS 254 Ping of Death 172 Point to Point Protocol over ATM Adaptation Layer 5 (AAL5) 86 Point-to-Point 369 Point-to-Point Tunneling Protocol 162 POP3 162, 171, 172 PPPoE 85 Benefits 85 PPPoE (Point-to-Point Protocol over Ethernet) 43 PPTP 162 Preamble Mode 401 Pre
RF (Radio Frequency) 45 RFC 1483 86 RFC 1631 157 RFC2516 43 RIP See Routing Information Protocol 112 Routing Information Protocol 112 Direction 112 Version 112 RTS (Request To Send) 400 RTS Threshold 399, 400 Rules 184 Checklist 182 Key Fields 183 LAN to WAN 184 Logic 182 Predefined Services 195 S SA 233 Safety Warnings 6 Saving the State 175 Scanning engine 203 Scheduler 294 Secure Gateway Address 241 Security Association 233 Security In General 179 Security Parameter Index
Static Route 289 SUA 160 SUA (Single User Account) 160 SUA vs NAT 160 subnet 389 Subnet Mask 111, 189 subnet mask 391 subnetting 391 Supporting Disk 39 Sustain Cell Rate (SCR) 94, 98 Sustained Cell Rate (SCR) 88 SYN Flood 172, 173 SYN-ACK 173 Syntax Conventions 39 Syslog 194 System Name 334 System Parameter Table Generator 437 System Timeout 310 T TCP Maximum Incomplete 199, 200 TCP Security 177 TCP/IP 171, 172 Teardrop 172 Telnet 311 Temporal Key Integrity Protocol (TKIP)
Universal Plug and Play (UPnP) 43 Update Schedule 208 Update the virus scan 209 UPnP 321 Forum 322 security issues 322 Upper Layer Protocols 177, 178 URL keyword blocking 222 User Authentication 406 User Name 306 V VBR (Variable Bit Rate) 93, 98 Viewing Certifications 5 Virtual Channel Identifier (VCI) 86 virtual circuit (VC) 86 Virtual Path Identifier (VPI) 86 Virtual Private Network 43, 233 Virus attack 203 Virus life cycle 204 VPI & VCI 86 VPN 233 VPN Applications 234 W
WPA2-PSK 405 WPA-PSK 405 Z Zero Configuration Internet Access 42 Zero configuration Internet access 90 ZyXEL Device anti-virus packet scan 204 ZyXEL’s Firewall Introduction 170