Prestige 660H/HW Series 802.11g Wireless ADSL2+ 4-Port Security Gateway User’s Guide Version 3.
Copyright
Copyright © 2005 by ZyXEL Communications Corporation.
The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation.
Published by ZyXEL Communications Corporation.

Federal Communications Commission (FCC) Interference Statement
This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:
• This device may not cause harmful interference.
• This device must accept any interference received, including interference that may cause undesired operations.
This equipment has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules.

Safety Warnings
For your safety, be sure to read and follow all warning notices and instructions.
• To reduce the risk of fire, use only No. 26 AWG (American Wire Gauge) or larger telecommunication line cord.
• Do NOT open the device or unit. Opening or removing covers can expose you to dangerous high voltage points or other risks. ONLY qualified service personnel can service the device. Please contact your vendor for further information.

ZyXEL Limited Warranty
ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase.
Customer Support
Please have the following information ready when you contact customer support.
• Product model and serial number.
• Warranty Information.
• Date that you received your device.
• Brief description of the problem and the steps you took to solve it.

Support e-mail: support@zyxel.com.tw
Telephone (a): +886-3-578-3942
Sales e-mail: sales@zyxel.com.tw
Fax: +886-3-578-2439
Regular mail: ZyXEL Communications Corp.
Web site: www.zyxel.com, www.europe.zyxel.

Location: United Kingdom
Support e-mail: technical@zyxel.co.uk
Telephone (a): +44 (0) 8702 909090
Web site: www.zyxel.co.uk
Sales e-mail: sales@zyxel.co.uk
Fax: +44 (0) 8702 909091
FTP site: ftp.zyxel.co.uk
Regular mail: ZyXEL Communications UK Ltd., 11, The Courtyard, Eastern Road, Bracknell, Berkshire, RG12 2XB, United Kingdom (UK)

a. “+” is the (prefix) number you enter to make an international telephone call.
Preface
Congratulations on your purchase of the Prestige 660HW Wireless ADSL Security Gateway or the Prestige 660H ADSL Security Gateway.
Note: Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com for global products, or at www.us.zyxel.com for North American products.
The Prestige 660HW has the built-in IEEE 802.
The Quick Start Guide is designed to help you get up and running right away. It contains connection information and instructions on getting started.
• Web Configurator Online Help
  Embedded web help for descriptions of individual screens and supplementary information.
• ZyXEL Glossary and Web Site
  Please refer to www.zyxel.com for an online glossary of networking terms and additional support documentation.

User Guide Feedback
Help us help you.
Introduction to DSL
DSL (Digital Subscriber Line) technology enhances the data capacity of the existing twisted-pair wire that runs between the local telephone company switching offices and most homes and offices.
CHAPTER 1
Getting To Know Your Prestige
This chapter describes the key features and applications of your Prestige.

1.1 Introducing the Prestige
Your Prestige integrates high-speed 10/100Mbps auto-negotiating LAN interface(s) and a high-speed ADSL port into a single package. The Prestige is ideal for high-speed Internet browsing and making LAN-to-LAN connections to remote networks. The Prestige is an ADSL router compatible with the ADSL/ADSL2/ADSL2+ standards.
The web browser-based Graphical User Interface (GUI) provides easy management.

1.1.1 Features of the Prestige
The following sections describe the features of the Prestige.
Note: See the product specifications in the appendix for detailed features and standards support.

Built-in Switch
The 10/100 Mbps auto-negotiating Ethernet ports allow the Prestige to detect the speed of incoming transmissions and adjust appropriately without manual intervention.
Content Filtering
Content filtering allows you to block access to forbidden Internet web sites, schedule when the Prestige should perform the filtering and give trusted LAN IP addresses unfiltered Internet access.

Traffic Redirect
Traffic redirect forwards WAN traffic to a backup gateway when the Prestige cannot connect to the Internet, thus acting as an auxiliary if your regular WAN connection fails.
Dynamic DNS Support
With Dynamic DNS support, you can have a static hostname alias for a dynamic IP address, allowing the host to be more easily accessible from various locations on the Internet. You must register for this service with a Dynamic DNS service provider.

Multiple PVC (Permanent Virtual Circuits) Support
Your Prestige supports up to 8 PVCs.

ADSL Standards
• Full-Rate (ANSI T1.413, Issue 2; G.dmt (G.992.
Traditionally, routing is based on the destination address only and the router takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator.
• PPP (Point-to-Point Protocol) link layer protocol.
• Transparent bridging for unsupported network layer protocols.
Diagnostics Capabilities
The Prestige can perform self-diagnostic tests. These tests check the integrity of the following circuitry:
• FLASH memory
• ADSL circuitry
• RAM
• LAN port

Packet Filters
The Prestige's packet filtering functions allow added network security and management.

Ease of Installation
Your Prestige is designed for quick, intuitive and easy installation.
Wireless LAN MAC Address Filtering
Your Prestige can check the MAC addresses of wireless stations against a list of allowed or denied MAC addresses.

WEP Encryption
WEP (Wired Equivalent Privacy) encrypts data frames before transmitting over the wireless network to help keep network communications private.

Wi-Fi Protected Access
Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i security specification draft.
1.1.3 Firewall for Secure Broadband Internet Access
The Prestige provides protection from attacks by Internet hackers. By default, the firewall blocks all incoming traffic from the WAN. The firewall supports TCP/UDP inspection and DoS (Denial of Services) detection and prevention, as well as real time alerts, reports and logs.
Figure 2 Firewall Application

1.1.3.
Figure 5 P-660HW Front Panel
The following table describes the LEDs.

Table 2 Front Panel LEDs
LED | COLOR | STATUS | DESCRIPTION
PWR/SYS | Green | On | The Prestige is receiving power and functioning properly.
Blinking | The Prestige is rebooting.
Red | On | Power to the Prestige is too low.
None | Off | The system is not ready or has malfunctioned.
Green | On | The Prestige has a successful 10Mb Ethernet connection.
Blinking | The Prestige is sending/receiving data.
CHAPTER 2
Introducing the Web Configurator
This chapter describes how to access and navigate the web configurator.

2.1 Web Configurator Overview
The web configurator is an HTML-based management interface that allows easy Prestige setup and management via Internet browser. Use Internet Explorer 6.0 and later or Netscape Navigator 7.0 and later versions with JavaScript enabled. Recommended screen resolution is 1024 by 768 pixels.
Figure 6 Password Screen
6 It is highly recommended you change the default password! Enter a new password, retype it to confirm and click Apply; alternatively click Ignore to proceed to the main menu if you do not want to change the password now.
Note: If you do not change the password, the following screen appears every time you log in.
Figure 7 Change Password at Login
7 You should now see the SITE MAP screen.
2 Press the RESET button for ten seconds or until the PWR/SYS LED begins to blink and then release it. When the PWR/SYS LED begins to blink, the defaults have been restored and the Prestige restarts.

2.1.3 Navigating the Prestige Web Configurator
The following summarizes how to navigate the web configurator from the SITE MAP screen. We use the Prestige 660HW-61 web screens in this guide as an example. Screens vary slightly for different Prestige models.
Note: Click the icon (located in the top right corner of most screens) to view embedded help.

Table 3 Web Configurator Screens Summary
LINK | SUB-LINK | FUNCTION
Wizard Setup | Connection Setup | Use these screens for initial configuration including general setup, ISP parameters for Internet Access and WAN IP/DNS Server/MAC address assignment.
 | Media Bandwidth | Use these screens to set up bandwidth control quickly.
Table 3 Web Configurator Screens Summary (continued)
LINK | SUB-LINK | FUNCTION
UPnP | | Use this screen to enable UPnP on the Prestige.
Logs | Log Settings | Use this screen to change your Prestige’s log settings.
 | View Log | Use this screen to view the logs for the categories that you selected.
Media Bandwidth Management | Summary | Use this screen to allocate an interface's outgoing capacity to specific types of traffic.
CHAPTER 3
Wizard Setup for Internet Access
This chapter provides information on the Wizard Setup screens for Internet access in the web configurator.

3.1 Introduction to Internet Access Wizard
Use the Wizard Setup screens to configure your system for Internet access with the information (provided by your ISP) that you fill in the Internet Account Information table in the Quick Start Guide.
Figure 9 Internet Access Wizard Setup: First Screen
The following table describes the fields in this screen.

Table 4 Internet Access Wizard Setup: First Screen
LABEL | DESCRIPTION
Mode | From the Mode drop-down list box, select Routing (default) if your ISP allows multiple computers to share an Internet account. Otherwise select Bridge.
Encapsulation | Select the encapsulation type your ISP uses from the Encapsulation drop-down list box.
Figure 10 Internet Connection with PPPoE
The following table describes the fields in this screen.

Table 5 Internet Connection with PPPoE
LABEL | DESCRIPTION
Service Name | Type the name of your PPPoE service here.
User Name | Enter the user name exactly as your ISP assigned. If assigned a name in the form user@domain where domain identifies a service name, then enter both components exactly as given.
Password | Enter the password associated with the user name above.
Figure 11 Internet Connection with RFC 1483
The following table describes the fields in this screen.

Table 6 Internet Connection with RFC 1483
LABEL | DESCRIPTION
IP Address | This field is available if you select Routing in the Mode field. Type your ISP-assigned IP address in this field.
Network Address Translation | Select None, SUA Only or Full Feature from the drop-down list box. Refer to the NAT chapter for more details.
The following table describes the fields in this screen.

Table 7 Internet Connection with ENET ENCAP
LABEL | DESCRIPTION
IP Address | A static IP address is a fixed IP that your ISP gives you. A dynamic IP address is not fixed; the ISP assigns you a different one each time you connect to the Internet.
The following table describes the fields in this screen.

Table 8 Internet Connection with PPPoA
LABEL | DESCRIPTION
User Name | Enter the login name that your ISP gives you.
Password | Enter the password associated with the user name above.
IP Address | This option is available if you select Routing in the Mode field. A static IP address is a fixed IP that your ISP gives you.
Figure 14 Internet Access Wizard Setup: Third Screen
If you want to change your Prestige LAN settings, click Change LAN Configuration to display the screen as shown next.
The following table describes the fields in this screen.

Table 9 Internet Access Wizard Setup: LAN Configuration
LABEL | DESCRIPTION
LAN IP Address | Enter the IP address of your Prestige in dotted decimal notation, for example, 192.168.1.1 (factory default). If you changed the Prestige's LAN IP address, you must use the new IP address if you want to access the web configurator again.
LAN Subnet Mask | Enter a subnet mask in dotted decimal notation.
CHAPTER 4
Wizard Setup for Media Bandwidth Management
This chapter shows you how to configure basic bandwidth management using the wizard screens.

4.1 Introduction to Media Bandwidth Management
The web configurator’s Media Bandwidth Mgnt. screens under Wizard Setup allow you to specify bandwidth classes based on an application (or service). You can allocate specific amounts of bandwidth capacity (bandwidth budgets) to different bandwidth classes.
Table 10 Media Bandwidth Mgnt. Wizard Setup: Services (continued)
SERVICE | DESCRIPTION
FTP | File Transfer Program enables fast transfer of files, including large files that may not be possible by e-mail. FTP uses port number 21.
E-Mail | Electronic mail consists of messages sent through a computer network to specific groups or individuals.
The following table describes the labels in this screen.

Table 11 Media Bandwidth Mgnt. Wizard Setup: First Screen
LABEL | DESCRIPTION
Active | Select the Active check box to have the Prestige apply bandwidth management to traffic going out through the Prestige’s WAN, LAN or WLAN port.
Select the service to | These checkboxes are applicable when you select the Active checkbox above.
Table 12 Media Bandwidth Mgnt. Wizard Setup: Second Screen
LABEL | DESCRIPTION
Back | Click Back to return to the previous screen.
Finish | Click Finish to complete and save the bandwidth management setup.

3 Well done! You have finished configuration of Media Bandwidth Management. You may now continue configuring your device. Click Return to Main Menu to return to the Site Map screen.
Figure 19 Media Bandwidth Mgnt.
CHAPTER 5
Password Setup
This chapter provides information on the Password screen.

5.1 Password Overview
It is highly recommended that you change the password for accessing the Prestige.

5.1.1 Configuring Password
To change your Prestige’s password (recommended), click Password in the Site Map screen.
Figure 20 Password
The following table describes the fields in this screen.
CHAPTER 6
LAN Setup
This chapter describes how to configure LAN settings.

6.1 LAN Overview
A Local Area Network (LAN) is a shared communication system to which many computers are attached. A LAN is a computer network limited to the immediate area, usually the same building or floor of a building. The LAN screens can help you configure a LAN DHCP server and manage IP addresses.

6.1.
6.2 DNS Server Address
DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. The DNS server addresses that you enter in the DHCP setup are passed to the client machines along with the assigned IP address and subnet mask.
There are two ways that an ISP disseminates the DNS server addresses.
6.4 LAN TCP/IP
The Prestige has built-in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability.

6.4.1 Factory LAN Defaults
The LAN parameters of the Prestige are preset in the factory with the following values:
• IP address of 192.168.1.1 with subnet mask of 255.255.255.0 (24 bits)
• DHCP server enabled with 32 client IP addresses starting from 192.168.1.33.
6.4.3 RIP Setup
RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. When set to:
• Both - the Prestige will broadcast its routing table periodically and incorporate the RIP information that it receives.
• In Only - the Prestige will not send any RIP packets but will accept all RIP packets received.
6.5 Any IP
Traditionally, you must set the IP addresses and the subnet masks of a computer and the Prestige to be in the same subnet to allow the computer to access the Internet (through the Prestige). In cases where your computer is required to use a static IP address in another network, you may need to manually configure the network settings of the computer every time you want to access the Internet via the Prestige.
The following lists the steps taken when a computer tries to access the Internet for the first time through the Prestige.
1 When a computer (which is in a different subnet) first attempts to access the Internet, it sends packets to its default gateway (which is not the Prestige) by looking at the MAC address in its ARP table.
2 When the computer cannot locate the default gateway, an ARP request is broadcast on the LAN.
Figure 23 LAN Setup
The following table describes the fields in this screen.
Table 14 LAN Setup
LABEL | DESCRIPTION
DHCP
DHCP | If set to Server, your Prestige can assign IP addresses, an IP default gateway and DNS servers to Windows 95, Windows NT and other systems that support the DHCP client. If set to None, the DHCP server will be disabled.
Table 14 LAN Setup (continued)
LABEL | DESCRIPTION
Remote DHCP Server | If Relay is selected in the DHCP field above then enter the IP address of the actual remote DHCP server here.
TCP/IP
IP Address | Enter the IP address of your Prestige in dotted decimal notation, for example, 192.168.1.1 (factory default).
IP Subnet Mask | Type the subnet mask assigned to you by your ISP (if given).
RIP Direction | Select the RIP direction from None, Both, In Only and Out Only.
Figure 24 LAN: Static DHCP
The following table describes the labels in this screen.
Table 15 LAN: Static DHCP
LABEL | DESCRIPTION
# | This is the index number of the Static IP table entry (row).
MAC Address | Type the MAC address (with colons) of a computer on your LAN.
IP Address | This field specifies the size, or count of the IP address pool.
Apply | Click Apply to save your changes back to the Prestige.
Reset | Click Reset to begin configuring this screen afresh.
CHAPTER 7 Wireless LAN (Prestige 660HW)
This chapter discusses how to configure Wireless LAN.
7.1 Introduction
A wireless LAN can be as simple as two computers with wireless LAN adapters communicating in a peer-to-peer network or as complex as a number of computers with wireless LAN adapters communicating through access points which bridge network traffic to the wired LAN.
Note: See the WLAN appendix for more detailed information on WLANs.
7.
• Use the Local User Database if you have fewer than 32 wireless clients in your network. The Prestige uses MD5 encryption when a client authenticates with the Local User Database.
7.2.3 Restricted Access
The MAC Filter screen allows you to configure the AP to give exclusive access to devices (Allow Association) or exclude them from accessing the AP (Deny Association).
7.2.
6 If you have OTIST-enabled clients, configure OTIST in the OTIST screen. OTIST transfers device SSID and WEP or WPA-PSK key settings (if enabled) to wireless clients.
The following figure shows the relative effectiveness of these wireless security methods available on your Prestige.
Figure 25 Wireless Security Methods
Note: You must enable the same wireless security settings on the Prestige and on all wireless clients that you want to associate with it.
Figure 26 Wireless Screen
The following table describes the labels in this screen.
Table 16 Wireless LAN
LABEL | DESCRIPTION
Enable Wireless LAN | You should configure some wireless security (see Figure 25 on page 84) when you enable the wireless LAN. Select the check box to enable the wireless LAN.
Enable Wireless g+ | Select this checkbox to allow any ZyXEL WLAN devices that support this feature to associate with the Prestige at higher transmission speeds.
Table 16 Wireless LAN (continued)
LABEL | DESCRIPTION
Hide ESSID | Select Yes to hide the ESSID so a station cannot obtain the ESSID through AP scanning. Select No to make the ESSID visible so a station can obtain the ESSID through AP scanning.
Channel ID | The radio frequency used by IEEE 802.11a, b or g wireless devices is called a channel. Select a channel from the drop-down list box.
Note: If you are configuring the Prestige from a computer connected to the wireless LAN and you change the Prestige’s ESSID or security settings (see Figure 25 on page 84), you will lose your wireless connection when you press Apply to confirm. You must then change the wireless settings of your computer to match the Prestige’s new settings.
7.4 Configuring MAC Filters
Every Ethernet device has a unique MAC (Media Access Control) address.
Figure 27 MAC Address Filter
The following table describes the fields in this menu.
Table 17 MAC Address Filter
LABEL | DESCRIPTION
Active | Select Yes from the drop down list box to enable MAC address filtering.
Action | Define the filter action for the list of MAC addresses in the MAC Address table. Select Deny Association to block access to the router; MAC addresses not listed will be allowed to access the Prestige.
Table 17 MAC Address Filter (continued)
LABEL | DESCRIPTION
Back | Click Back to go to the main wireless LAN setup screen.
Apply | Click Apply to save your changes back to the Prestige.
Cancel | Click Cancel to begin configuring this screen afresh.
7.5 Introduction to WPA
Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA is preferred to WEP as WPA has user authentication and improved data encryption.
Figure 28 WPA - PSK Authentication
7.5.2 WPA with RADIUS Application Example
You need the IP address, port number (default is 1812) and shared secret of a RADIUS server. A WPA application example with an external RADIUS server looks as follows. "A" is the RADIUS server. "DS" is the distribution system (wired link to the LAN).
1 The AP passes the wireless client’s authentication request to the RADIUS server.
Figure 29 WPA with RADIUS Application Example2
7.5.3 Wireless Client WPA Supplicants
A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicants are the WPA patch for Windows XP, Funk Software's Odyssey client, and Meetinghouse Data Communications' AEGIS client.
Figure 30 Wireless LAN: 802.1x/WPA: No Authentication
The following table describes the label in these screens.
Table 18 Wireless LAN: 802.1x/WPA: No Access/Authentication
LABEL | DESCRIPTION
Wireless Port Control | To control wireless station access to the wired network, select a control method from the drop-down list box. Choose from No Access Allowed, No Authentication Required and Authentication Required.
Figure 31 Wireless LAN: 802.1x/WPA: 802.1x
The following table describes the labels in this screen.
Table 19 Wireless LAN: 802.1x/WPA: 802.1x
LABEL | DESCRIPTION
Wireless Port Control | To control wireless station access to the wired network, select a control method from the drop-down list box. Choose from No Authentication Required, Authentication Required and No Access Allowed. The following fields are only available when you select Authentication Required.
Table 19 Wireless LAN: 802.1x/WPA: 802.1x (continued)
LABEL | DESCRIPTION
Dynamic WEP Key Exchange | This field is activated only when you select Authentication Required in the Wireless Port Control field. Also set the Authentication Databases field to RADIUS Only. Local user database may not be used. Select Disable to allow wireless stations to communicate with the access points without using dynamic WEP key exchange.
Figure 32 Wireless LAN: 802.1x/WPA: WPA
The following table describes the labels not previously discussed.
Table 20 Wireless LAN: 802.1x/WPA: WPA
LABEL | DESCRIPTION
Key Management Protocol | Choose WPA in this field.
WPA Mixed Mode | The Prestige can operate in WPA Mixed Mode, which supports both clients running WPA and clients running dynamic WEP key exchange with 802.1x in the same Wi-Fi network. Select the check box to activate WPA mixed mode.
7.6.3 Authentication Required: WPA-PSK
Select Authentication Required in the Wireless Port Control field and WPA-PSK in the Key Management Protocol field to display the next screen.
Figure 33 Wireless LAN: 802.1x/WPA: WPA-PSK
The following table describes the labels not previously discussed.
Table 21 Wireless LAN: 802.1x/WPA: WPA-PSK
LABEL | DESCRIPTION
Key Management Protocol | Choose WPA-PSK in this field.
7.7 Configuring Local User Authentication
By storing user profiles locally, your Prestige is able to authenticate wireless users without interacting with a network RADIUS server. However, there is a limit on the number of users you may authenticate in this way.
To change your Prestige’s local user database, click Wireless LAN, Local User Database. The screen appears as shown.
Figure 34 Local User Database
The following table describes the fields in this screen.
Table 22 Local User Database (continued)
LABEL | DESCRIPTION
Password | Enter a password of up to 31 printable characters (including spaces; alphabetic characters are case-sensitive) if you’re using MD5 encryption and maximum 14 if you’re using PEAP.
Back | Click Back to go to the main wireless LAN setup screen.
Apply | Click Apply to save these settings back to the Prestige.
Cancel | Click Cancel to begin configuring this screen again.
7.
Table 23 RADIUS (continued)
LABEL | DESCRIPTION
Shared Secret | Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external authentication server and the access points. The key is not sent over the network. This key must be the same on the external authentication server and Prestige.
Accounting Server
Active | Select Yes from the drop-down list box to enable user authentication through an external accounting server.
7.9.1.1.1 Reset button
If you use the Reset button, the default (01234567) or previously saved (through the web configurator) Setup key is used to encrypt the settings that you want to transfer. Hold in the Reset button for one or two seconds.
Note: If you hold in the Reset button too long, the device will reset to the factory defaults!
7.9.1.1.2 Web Configurator
Click WIRELESS LAN, OTIST to display the next screen.
7.9.1.2 Wireless Client
Start the ZyXEL utility and click the Adapter tab. Select the OTIST check box, enter the same Setup Key as your AP’s and click Save.
Figure 37 Example Wireless Client OTIST Screen
7.9.2 Starting OTIST
Note: You must click Start in the AP OTIST web configurator screen and in the wireless client(s) Adapter screen all within three minutes (at the time of writing).
• In the wireless client, you see this screen if it can't find an OTIST-enabled AP (with the same Setup key). Click OK to go back to the ZyXEL utility main screen.
Figure 41 No AP with OTIST Found
• If there is more than one OTIST-enabled AP within range, you see a screen asking you to select one AP to get settings from.
7.9.3 Notes on OTIST
1 If you enabled OTIST in the wireless client, you see this screen each time you start the utility.
CHAPTER 8 WAN Setup
This chapter describes how to configure WAN settings.
8.1 WAN Overview
A WAN (Wide Area Network) is an outside connection to another network or the Internet. See Chapter 3 on page 58 for more information on the fields in the WAN screens.
8.2 Metric
The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost".
8.3 PPPoE Encapsulation
The Prestige supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF Draft standard (RFC 2516) specifying how a personal computer (PC) interacts with a broadband modem (DSL, cable, wireless, etc.) connection. The PPPoE option is for a dial-up connection using PPPoE. For the service provider, PPPoE offers an access and authentication method that works with existing access control systems (for example, RADIUS).
Figure 43 Example of Traffic Shaping
8.5 Zero Configuration Internet Access
Once you turn on and connect the Prestige to a telephone jack, it automatically detects the Internet connection settings (such as the VCI/VPI numbers and the encapsulation method) from the ISP and makes the necessary configuration changes.
Figure 44 WAN Setup (PPPoE)
The following table describes the fields in this screen.
Table 25 WAN Setup
LABEL | DESCRIPTION
Name | Enter the name of your Internet Service Provider, e.g., MyISP. This information is for identification purposes only.
Mode | Select Routing (default) from the drop-down list box if your ISP allows multiple computers to share an Internet account. Otherwise select Bridge.
Table 25 WAN Setup (continued)
LABEL | DESCRIPTION
Encapsulation | Select the method of encapsulation used by your ISP from the drop-down list box. Choices vary depending on the mode you select in the Mode field. If you select Bridge in the Mode field, select either PPPoA or RFC 1483. If you select Routing in the Mode field, select PPPoA, RFC 1483, ENET ENCAP or PPPoE.
Multiplex | Select the method of multiplexing used by your ISP from the drop-down list.
Table 25 WAN Setup (continued)
LABEL | DESCRIPTION
Connect on Demand | Select Connect on Demand when you don't want the connection up all the time and specify an idle time-out in the Max Idle Timeout field.
Max Idle Timeout | Specify an idle time-out in the Max Idle Timeout field when you select Connect on Demand. The default setting is 0, which means the Internet session will not timeout.
PPPoE Passthrough | This field is available when you select PPPoE encapsulation.
Figure 45 Traffic Redirect Example
The following network topology allows you to avoid triangle route security issues when the backup gateway is connected to the LAN. Use IP alias to configure the LAN into two or three logical networks with the Prestige itself as the gateway for each LAN network. Put the protected LAN in one subnet (Subnet 1 in the following figure) and the backup gateway in another subnet (Subnet 2).
Figure 47 WAN Backup
The following table describes the fields in this screen.
Table 26 WAN Backup
LABEL | DESCRIPTION
Backup Type | Select the method that the Prestige uses to check the DSL connection. Select DSL Link to have the Prestige check if the connection to the DSLAM is up. Select ICMP to have the Prestige periodically ping the IP addresses configured in the Check WAN IP Address fields.
Table 26 WAN Backup (continued)
LABEL | DESCRIPTION
Timeout | Type the number of seconds (3 recommended) for your Prestige to wait for a ping response from one of the IP addresses in the Check WAN IP Address field before timing out the request. The WAN connection is considered "down" after the Prestige times out the number of times specified in the Fail Tolerance field. Use a higher value in this field if your network is busy or congested.
CHAPTER 9 Network Address Translation (NAT) Screens
This chapter discusses how to configure NAT on the Prestige.
9.1 NAT Overview
NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet, for example, the source address of an outgoing packet, used within one network to a different IP address known within another network.
9.1.
9.1.2 What NAT Does
In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side. When the response comes back, NAT translates the destination address (the inside global address) back to the inside local address before forwarding it to the original inside host.
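The translation described above, as an added example that is not ZyXEL code. It goes beyond the simplest case to contrast the One-to-One and Many-to-One mapping types that Section 9.1.5 lists; the class names, the addresses and the four-port pool are constructed for the example.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class OneToOneNat:
    """One inside local address maps to one inside global address; ports are unchanged."""

    def __init__(self, local_ip, global_ip):
        self.local_ip, self.global_ip = local_ip, global_ip

    def outbound(self, pkt):
        return replace(pkt, src=self.global_ip) if pkt.src == self.local_ip else None

    def inbound(self, pkt):
        # No per-connection state in this model: every packet addressed to the
        # global IP is translated, so filtering is the firewall's job.
        return replace(pkt, dst=self.local_ip) if pkt.dst == self.global_ip else None


class ManyToOneNat:
    """Many inside local addresses share one inside global address (PAT)."""

    def __init__(self, global_ip, first_port=50000, last_port=50003):
        self.global_ip = global_ip
        self.free_ports = list(range(first_port, last_port + 1))  # constructed pool
        self.out_map = {}  # (inside local ip, port) -> global port
        self.in_map = {}   # global port -> (inside local ip, port)

    def outbound(self, pkt):
        local = (pkt.src, pkt.sport)
        if local not in self.out_map:
            if not self.free_ports:
                raise RuntimeError("translation table full")
            port = self.free_ports.pop(0)
            self.out_map[local] = port
            self.in_map[port] = local
        return replace(pkt, src=self.global_ip, sport=self.out_map[local])

    def inbound(self, pkt):
        # A reply is translated back only if an outbound packet created the mapping.
        if pkt.dst != self.global_ip or pkt.dport not in self.in_map:
            return None
        ip, port = self.in_map[pkt.dport]
        return replace(pkt, dst=ip, dport=port)


if __name__ == "__main__":
    nat = ManyToOneNat("203.0.113.10")
    for host in ("192.168.1.33", "192.168.1.34"):
        print(nat.outbound(Packet(host, 1025, "198.51.100.7", 80)))
    print(nat.inbound(Packet("198.51.100.7", 80, "203.0.113.10", 50001)))
    print(nat.inbound(Packet("198.51.100.7", 80, "203.0.113.10", 50002)))
```

Two inside hosts that pick the same source port still get distinct global ports, and a packet aimed at a global port with no mapping is not translated at all.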
Figure 48 How NAT Works
9.1.4 NAT Application
The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the Prestige can communicate with three distinct WAN networks. More examples follow at the end of this chapter.
9.1.5 NAT Mapping Types
NAT supports five types of IP/port mapping. They are:
• One to One: In One-to-One mode, the Prestige maps one local IP address to one global IP address.
• Many to One: In Many-to-One mode, the Prestige maps multiple local IP addresses to one global IP address. This is equivalent to SUA (that is, PAT, port address translation), ZyXEL’s Single User Account feature that previous ZyXEL routers supported (the SUA Only option in today’s routers).
9.2 SUA (Single User Account) Versus NAT
SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server. The Prestige also supports Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types as outlined in Table 28 on page 117.
• Choose SUA Only if you have just one public WAN IP address for your Prestige.
Table 29 Services and Port Numbers (continued)
SERVICES | PORT NUMBER
SMTP (Simple Mail Transfer Protocol) | 25
DNS (Domain Name System) | 53
Finger | 79
HTTP (Hyper Text Transfer protocol or WWW, Web) | 80
POP3 (Post Office Protocol) | 110
NNTP (Network News Transport Protocol) | 119
SNMP (Simple Network Management Protocol) | 161
SNMP trap | 162
PPTP (Point-to-Point Tunneling Protocol) | 1723
9.3.
9.5 Selecting the NAT Mode
You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the Prestige.
Click NAT to open the following screen.
Figure 51 NAT Mode
The following table describes the labels in this screen.
Table 30 NAT Mode
LABEL | DESCRIPTION
None | Select this radio button to disable NAT.
SUA Only | Select this radio button if you have just one public WAN IP address for your Prestige.
Figure 52 Edit SUA/NAT Server Set
The following table describes the fields in this screen.
Table 31 Edit SUA/NAT Server Set
LABEL | DESCRIPTION
Start Port No. | Enter a port number in this field. To forward only one port, enter the port number again in the End Port No. field. To forward a series of ports, enter the start port number here and the end port number in the End Port No. field.
End Port No. | Enter a port number in this field.
9.7 Configuring Address Mapping
Ordering your rules is important because the Prestige applies the rules in the order that you specify. When a rule matches the current packet, the Prestige takes the corresponding action and the remaining rules are ignored. If there are any empty rules before your new configured rule, your configured rule will be pushed up by that number of empty rules.
Table 32 Address Mapping Rules (continued)
LABEL | DESCRIPTION
Type | 1-1: One-to-one mode maps one local IP address to one global IP address. Note that port numbers do not change for the One-to-one NAT mapping type.
M-1: Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyXEL routers supported only.
Table 33 Address Mapping Rule Edit
LABEL | DESCRIPTION
Type | Choose the port mapping type from one of the following.
• One-to-One: One-to-One mode maps one local IP address to one global IP address. Note that port numbers do not change for One-to-one NAT mapping type.
• Many-to-One: Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e.
CHAPTER 10 Dynamic DNS Setup
This chapter discusses how to configure your Prestige to use Dynamic DNS.
10.1 Dynamic DNS
Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You can also access your FTP server or Web site on your own computer using a domain name (for instance myhost.dhs.
Figure 55 Dynamic DNS
The following table describes the fields in this screen.
Table 34 Dynamic DNS
LABEL | DESCRIPTION
Active | Select this check box to use dynamic DNS.
Service Provider | This is the name of your Dynamic DNS service provider.
Host Names | Type the domain name assigned to your Prestige by your Dynamic DNS provider.
E-mail Address | Type your e-mail address.
User | Type your user name.
Password | Type the password assigned to you.
CHAPTER 11 Time and Date
This screen is not available on all models. Use this screen to configure the Prestige’s time and date settings.
11.1 Configuring Time and Date
To change your Prestige’s time and date, click Time And Date. The screen appears as shown. Use this screen to configure the Prestige’s time based on your local time zone.
Figure 56 Time and Date
The following table describes the fields in this screen.
Table 35 Time and Date
LABEL | DESCRIPTION
Time Server
Use Protocol when Bootup | Select the time service protocol that your time server sends when you turn on the Prestige. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works. The main difference between them is the format. Daytime (RFC 867) format is day/month/year/time zone of the server.
CHAPTER 12 Firewalls
This chapter gives some background information on firewalls and introduces the Prestige firewall.
12.1 Firewall Overview
Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another. The networking term “firewall” is a system or group of systems that enforces an access-control policy between two networks.
Information hiding prevents the names of internal systems from being made known via DNS to outside systems, since the application gateway is the only host whose name must be made known to outside systems.
Robust authentication and logging pre-authenticates application traffic before it reaches internal hosts and causes it to be logged more effectively than if it were logged with standard host logging.
12.3.1 Denial of Service Attacks
Figure 57 Prestige Firewall Application
12.4 Denial of Service
Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources. The Prestige is pre-configured to automatically detect and thwart all known DoS attacks.
12.4.
Table 36 Common IP Ports
21 | FTP | 53 | DNS
23 | Telnet | 80 | HTTP
25 | SMTP | 110 | POP3
12.4.2 Types of DoS Attacks
There are four types of DoS attacks:
1 Those that exploit bugs in a TCP/IP implementation.
2 Those that exploit weaknesses in the TCP/IP specification.
3 Brute-force attacks that flood a network with useless data.
4 IP Spoofing.
1 "Ping of Death" and "Teardrop" attacks exploit bugs in the TCP/IP implementations of various computer and host systems.
Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment). After this handshake, a connection is established.
• SYN Attack floods a targeted system with a series of SYN packets. Each packet causes the targeted system to issue a SYN-ACK response.
Figure 60 Smurf Attack
12.4.2.1 ICMP Vulnerability
ICMP is an error-reporting protocol that works in concert with IP. The following ICMP types trigger an alert:
Table 37 ICMP Commands That Trigger Alerts
5 | REDIRECT
13 | TIMESTAMP_REQUEST
14 | TIMESTAMP_REPLY
17 | ADDRESS_MASK_REQUEST
18 | ADDRESS_MASK_REPLY
12.4.2.2 Illegal Commands (NetBIOS and SMTP)
The only legal NetBIOS commands are the following - all others are illegal.
Table 39 Legal SMTP Commands
AUTH DATA EHLO ETRN EXPN HELO HELP MAIL QUIT RCPT RSET SAML SEND SOML TURN VRFY NOOP
12.4.2.3 Traceroute
Traceroute is a utility used to determine the path a packet takes between two endpoints. Sometimes, when a packet filter firewall is configured incorrectly, an attacker can traceroute the firewall, gaining knowledge of the network topology inside the firewall.
Figure 61 Stateful Inspection
The previous figure shows the Prestige’s default firewall rules in action and demonstrates how stateful inspection works. User A can initiate a Telnet session from within the LAN and responses to this request are allowed. However, other Telnet traffic initiated from the WAN is blocked.
12.5.
temporary entries might be modified, in order to permit only packets that are valid for the current state of the connection.
8 Any additional inbound or outbound packets that belong to the connection are inspected to update the state table entry and to modify the temporary inbound access list entries as required, and are forwarded through the interface.
When the Prestige receives any subsequent packet (from the Internet or from the LAN), its connection information is extracted and checked against the cache. A packet is only allowed to pass through if it corresponds to a valid connection (that is, if it is a response to a connection which originated on the LAN).
12.5.4 UDP/ICMP Security
UDP and ICMP do not themselves contain any connection information (such as sequence numbers).
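The cache check described above can be modelled in a few lines. This is an added example, not the Prestige's implementation: the cache key, the idle timeouts used to age out entries (the only way to bound a UDP "connection", since it has no sequence numbers or flags) and all addresses are constructed for illustration.

```python
from dataclasses import dataclass

# Idle timeouts in seconds: constructed values for this example, not Prestige settings.
TCP_IDLE = 3600
UDP_IDLE = 60


@dataclass(frozen=True)
class Packet:
    side: str        # interface the packet arrived on: "LAN" or "WAN"
    proto: str       # "TCP" or "UDP"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flags: "S" = SYN, "SA" = SYN-ACK, "A" = ACK, "R" = RST


class ConnectionCache:
    """Connection cache keyed on (proto, LAN ip, LAN port, WAN ip, WAN port)."""

    def __init__(self):
        self.table = {}  # key -> time the connection last carried a packet

    def _expire(self, now):
        for key, seen in list(self.table.items()):
            limit = TCP_IDLE if key[0] == "TCP" else UDP_IDLE
            if now - seen > limit:
                del self.table[key]

    def inspect(self, pkt, now):
        """Return "forward" or "drop" for one packet seen at time `now`."""
        self._expire(now)
        if pkt.side == "LAN":
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            # A new TCP connection may only be opened with a bare SYN.
            if pkt.proto == "TCP" and key not in self.table and pkt.flags != "S":
                return "drop"
        else:
            # WAN packets are looked up with the endpoints reversed, so only a reply
            # from the exact peer address and port the LAN host contacted matches.
            key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key not in self.table:
                return "drop"
        if "R" in pkt.flags:
            self.table.pop(key, None)  # a reset tears the connection down
        else:
            self.table[key] = now
        return "forward"


def run_demo():
    """Replay a constructed packet sequence and return the verdict for each packet."""
    fw = ConnectionCache()
    lan, server, other, dns = "192.168.1.33", "203.0.113.5", "198.51.100.9", "203.0.113.53"
    sequence = [
        (0, Packet("LAN", "TCP", lan, 1025, server, 23, "S")),    # User A opens Telnet
        (1, Packet("WAN", "TCP", server, 23, lan, 1025, "SA")),   # the server's reply
        (2, Packet("WAN", "TCP", other, 4000, lan, 23, "S")),     # Telnet started from the WAN
        (3, Packet("WAN", "TCP", other, 23, lan, 1025, "SA")),    # right ports, wrong peer
        (10, Packet("LAN", "UDP", lan, 5353, dns, 53)),           # DNS query
        (11, Packet("WAN", "UDP", dns, 53, lan, 5353)),           # DNS answer
        (100, Packet("WAN", "UDP", dns, 53, lan, 5353)),          # late: entry has expired
        (101, Packet("WAN", "TCP", server, 23, lan, 1025, "R")),  # server resets the session
        (102, Packet("WAN", "TCP", server, 23, lan, 1025, "A")),  # packet after the reset
    ]
    return [fw.inspect(pkt, now) for now, pkt in sequence]


if __name__ == "__main__":
    print(run_demo())
```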
• Limit who can Telnet into your router.
• Don't enable any local service (such as SNMP or NTP) that you don't use. Any enabled service could present a potential security risk. A determined hacker might be able to find creative ways to misuse the enabled services to access the firewall or the network.
• For local services that are enabled, protect against misuse.
• Always shred confidential information, particularly about your computer, before throwing it away. Some hackers dig through the trash of companies or individuals for information that might help them in an attack.
12.7 Packet Filtering Vs Firewall
Below are some comparisons between the Prestige’s filtering and firewall functions.
12.7.
• A range of source and destination IP addresses as well as port numbers can be specified within one firewall rule, making the firewall a better choice when complex rules are required.
• To selectively block/allow inbound or outbound traffic between inside host/networks and outside host/networks. Remember that filters cannot distinguish traffic originating from an inside host or an outside host by IP address.
CHAPTER 13 Firewall Configuration
This chapter shows you how to enable and configure the Prestige firewall.
13.1 Access Methods
The web configurator is, by far, the most comprehensive firewall configuration tool your Prestige has to offer. For this reason, it is recommended that you configure your firewall using the web configurator. SMT screens allow you to activate the firewall.
Note: If you configure firewall rules without a good understanding of how they work, you might inadvertently introduce security risks to the firewall and to the protected network. Make sure you test your rules after you configure them.
For example, you may create rules to:
• Block certain types of traffic, such as IRC (Internet Relay Chat), from the LAN to the Internet.
4 Does a rule that allows Internet users access to resources on the LAN create a security vulnerability? For example, if FTP ports (TCP 20, 21) are allowed from the Internet to the LAN, Internet users may be able to connect to computers with running FTP servers.
5 Does this rule conflict with any existing rules?
Once these questions have been answered, adding rules is simply a matter of plugging the information into the correct fields in the web configurator screens.
13.4.1 LAN to WAN Rules
The default rule for LAN to WAN traffic is that all users on the LAN are allowed unrestricted access to the WAN. When you configure a LAN to WAN rule, you in essence want to limit some or all users from accessing certain services on the WAN. See the following figure.
Figure 62 LAN to WAN Traffic
13.4.2 WAN to LAN Rules
The default rule for WAN to LAN traffic blocks all incoming connections (WAN to LAN).
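The rule-conflict question in the checklist above, together with these two default policies, can be checked mechanically before rules are typed into the web configurator. The following is an added example, not ZyXEL code. It assumes top-down, first-match evaluation (the ordering this guide describes for address mapping rules in Section 9.7); the Rule fields, the addresses and IRC port 6667 are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Default policies as stated in the guide: LAN to WAN is forwarded, WAN to LAN is blocked.
DEFAULT_ACTION = {"LAN->WAN": "Forward", "WAN->LAN": "Block"}


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str   # "LAN->WAN" or "WAN->LAN"
    src: str         # source network in CIDR form
    dst: str         # destination network in CIDR form
    proto: str       # "TCP", "UDP" or "ANY"
    ports: tuple     # inclusive (start, end) destination port range
    action: str      # "Block" or "Forward"


def matches(rule, direction, src, dst, proto, port):
    return (rule.direction == direction
            and ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and rule.proto in ("ANY", proto)
            and rule.ports[0] <= port <= rule.ports[1])


def decide(rules, direction, src, dst, proto, port):
    """Return (action, rule name) for the first matching rule, else the default policy."""
    for rule in rules:
        if matches(rule, direction, src, dst, proto, port):
            return rule.action, rule.name
    return DEFAULT_ACTION[direction], "default"


def covers(earlier, later):
    """True when every packet that `later` matches is already matched by `earlier`."""
    return (earlier.direction == later.direction
            and ip_network(later.src).subnet_of(ip_network(earlier.src))
            and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
            and earlier.proto in ("ANY", later.proto)
            and earlier.ports[0] <= later.ports[0]
            and later.ports[1] <= earlier.ports[1])


def find_shadowed(rules):
    """List (rule, shadowing rule, kind) for rules that can never be the first match."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "conflict" if earlier.action != later.action else "redundant"
                findings.append((later.name, earlier.name, kind))
                break
    return findings


# Constructed rule set: the FTP exposure from the checklist, plus an IRC block.
RULES = [
    Rule("allow-ftp-in", "WAN->LAN", "0.0.0.0/0", "192.168.1.0/24", "TCP", (20, 21), "Forward"),
    Rule("block-ftp-to-host", "WAN->LAN", "0.0.0.0/0", "192.168.1.40/32", "TCP", (21, 21), "Block"),
    Rule("block-irc-out", "LAN->WAN", "192.168.1.0/24", "0.0.0.0/0", "TCP", (6667, 6667), "Block"),
    Rule("block-irc-one-host", "LAN->WAN", "192.168.1.33/32", "0.0.0.0/0", "TCP", (6667, 6667), "Block"),
]

if __name__ == "__main__":
    for finding in find_shadowed(RULES):
        print(finding)
    print(decide(RULES, "WAN->LAN", "203.0.113.9", "192.168.1.40", "TCP", 21))
```

The conflict finding is the dangerous one: the block rule for 192.168.1.40 sits below a broader forward rule, so FTP from the Internet still reaches that host until the narrower rule is moved above it.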
13.4.3 Alerts
Alerts are reports on events, such as attacks, that you may want to know about right away. You can choose to generate an alert when an attack is detected in the Edit Rule screen (select the Send Alert Message to Administrator When Matched checkbox) or when a rule is matched in the Edit Rule screen (see Section 13.6.1 on page 151).
Table 40 Firewall: Default Policy (continued)
LABEL | DESCRIPTION
Default Action | Use the radio buttons to select whether to Block (silently discard) or Forward (allow the passage of) packets that are traveling in the selected direction.
Log | Select the check box to create a log (when the above action is taken) for packets that are traveling in the selected direction and do not match any of the rules below.
Back | Click Back to return to the previous screen.
The following table describes the labels in this screen.
Table 41 Rule Summary
LABEL | DESCRIPTION
Firewall Rules Storage Space in Use | This read-only bar shows how much of the Prestige's memory for recording firewall rules it is currently using. When you are using 80% or less of the storage space, the bar is green. When the amount of space used is over 80%, the bar is red.
13.6.1 Configuring Firewall Rules
Follow these directions to create a new rule.
1 In the Rule Summary screen, type the index number for where you want to put the rule. For example, if you type “6”, your new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7.
2 Click Insert to display this screen and refer to the following table for information on the labels.
Figure 66 Firewall: Edit Rule
The following table describes the labels in this screen.
Table 42 Firewall: Edit Rule
LABEL | DESCRIPTION
Active | Select this option to enable this firewall rule.
Action for Matched Packet | Use the radio button to select whether to discard (Block) or allow the passage of (Forward) packets that match this rule.
Source/Destination Address
Address Type | Do you want your rule to apply to packets with a particular (single) IP, a range of IP addresses (e.g., 192.168.1.
13.7 Customized Services
Configure customized services and port numbers not predefined by the Prestige. For a comprehensive list of port numbers and services, visit the IANA (Internet Assigned Number Authority) website. For further information on these services, please read Section 13.10 on page 159. Click the Customized Services link while editing a firewall rule to configure a custom service port. This displays the following screen.
Figure 68 Firewall: Configure Customized Services
The following table describes the labels in this screen.
Table 44 Firewall: Configure Customized Services
LABEL | DESCRIPTION
Service Name | Type a unique name for your custom port.
Service Type | Choose the IP port (TCP, UDP or TCP/UDP) that defines your customized port from the drop down list box.
Figure 69 Firewall Example: Rule Summary
3 In the Rule Summary screen, type the index number for where you want to put the rule. For example, if you type “6”, your new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7.
4 Click Insert to display the firewall rule configuration screen.
5 Select Any in the Destination Address box and then click Delete.
6 Configure the destination address screen as follows and click Add.
Figure 70 Firewall Example: Edit Rule: Destination Address
7 In the Edit Rule screen, click the Customized Services link to open the Customized Service screen.
8 Click an index number to display the Customized Services -Config screen and configure the screen as follows and click Apply.
Figure 71 Edit Custom Port Example
9 In the Edit Rule screen, use the Add>> and Remove buttons between Available Services and Selected Services list boxes to configure it as follows.
Figure 72 Firewall Example: Edit Rule: Select Customized Services
Note: Custom ports show up with an “*” before their names in the Services list box and the Rule Summary list box. Click Apply after you’ve created your custom port.
On completing the configuration procedure for this Internet firewall rule, the Rule Summary screen should look like the following.
Rule 2 allows a “My Service” connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN.
Figure 73 Firewall Example: Rule Summary: My Service
13.10 Predefined Services
The Available Services list box in the Edit Rule screen (see Section 13.6.1 on page 151) displays all predefined services that the Prestige already supports. Next to the name of the service, two fields appear in brackets.
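The “My Service” rule above and the insert-at-index behaviour from Section 13.6.1, modelled as an added Python example (not ZyXEL code). It assumes the Prestige applies the first matching active rule in index order, which this excerpt does not state, and uses a constructed port number for “My Service”; it shows that a Block rule placed below the Forward rule never takes effect, while inserting it at index 1 does.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address as IP

MY_SERVICE_PORT = 12345  # constructed; the guide shows the real port only in a figure


@dataclass
class Rule:
    name: str
    action: str            # "Forward" or "Block", as in the Edit Rule screen
    dst_first: IP          # destination range (single address: first == last)
    dst_last: IP
    protos: frozenset      # {"TCP"}, {"UDP"} or both for TCP/UDP
    port: int
    active: bool = True

    def matches(self, dst: IP, proto: str, port: int) -> bool:
        return (self.active and self.dst_first <= dst <= self.dst_last
                and proto in self.protos and port == self.port)

    def covers(self, other: Rule) -> bool:
        """True if every packet `other` matches is matched by this rule too."""
        return (self.active
                and self.dst_first <= other.dst_first
                and other.dst_last <= self.dst_last
                and other.protos <= self.protos
                and self.port == other.port)


class RuleSet:
    """Rules for one packet direction plus that direction's default action."""

    def __init__(self, direction: str, default_action: str):
        self.direction = direction
        self.default_action = default_action
        self.rules: list[Rule] = []

    def insert(self, index: int, rule: Rule) -> None:
        # 1-based, as in the Rule Summary screen: the rule already at
        # `index` (if there is one) moves down one position.
        self.rules.insert(index - 1, rule)

    def decide(self, dst: str, proto: str, port: int) -> tuple[str, str]:
        # Assumption: the first matching active rule wins, in index order.
        for number, rule in enumerate(self.rules, start=1):
            if rule.matches(IP(dst), proto, port):
                return rule.action, f"rule {number} {rule.name}"
        return self.default_action, "default policy"

    def shadowed(self) -> list[tuple[int, int]]:
        """(earlier, later) pairs where `later` can never take effect because
        an earlier rule with a different action matches all of its traffic."""
        pairs = []
        for j, later in enumerate(self.rules):
            for i, earlier in enumerate(self.rules[:j]):
                if (later.active and earlier.covers(later)
                        and earlier.action != later.action):
                    pairs.append((i + 1, j + 1))
                    break
        return pairs


def build_wan_to_lan(block_index: int) -> RuleSet:
    """WAN to LAN rule set holding the guide's "My Service" rule, plus a
    hypothetical Block rule for one host inserted at `block_index`."""
    tcp = frozenset({"TCP"})
    rules = RuleSet("WAN to LAN", default_action="Block")
    rules.insert(1, Rule("*My Service", "Forward",
                         IP("10.0.0.10"), IP("10.0.0.15"), tcp, MY_SERVICE_PORT))
    rules.insert(block_index, Rule("block 10.0.0.12", "Block",
                                   IP("10.0.0.12"), IP("10.0.0.12"), tcp,
                                   MY_SERVICE_PORT))
    return rules


if __name__ == "__main__":
    for index in (2, 1):
        rs = build_wan_to_lan(index)
        print(f"Block rule inserted at index {index}:")
        for host in ("10.0.0.11", "10.0.0.12", "10.0.0.20"):
            print("  ", host, rs.decide(host, "TCP", MY_SERVICE_PORT))
        print("   shadowed pairs:", rs.shadowed())
```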
Table 45 Predefined Services (continued)
SERVICE | DESCRIPTION
CU-SEEME(TCP/UDP:7648, 24032) | A popular videoconferencing solution from White Pines Software.
DNS(UDP/TCP:53) | Domain Name Server, a service that matches web names (e.g. www.zyxel.com) to IP numbers.
FINGER(TCP:79) | Finger is a UNIX or Internet related command that can be used to find out if a user is logged on.
FTP(TCP:20.
Table 45 Predefined Services (continued)
SERVICE | DESCRIPTION
SMTP(TCP:25) | Simple Mail Transfer Protocol is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another.
SNMP(TCP/UDP:161) | Simple Network Management Program.
SNMP-TRAPS(TCP/UDP:162) | Traps for use with the SNMP (RFC:1215).
Figure 74 Firewall: Anti Probing
The following table describes the labels in this screen.
Table 46 Firewall: Anti Probing
LABEL | DESCRIPTION
Respond to PING on | The Prestige does not respond to any incoming Ping requests when Disable is selected. Select LAN to reply to incoming LAN Ping requests. Select WAN to reply to incoming WAN Ping requests. Otherwise select LAN & WAN to reply to both incoming LAN and WAN Ping requests.
13.12.1 Threshold Values
Tune these parameters when something is not working and after you have checked the firewall counters. These default values should work fine for most small offices. Factors influencing choices for threshold values are:
• The maximum number of opened sessions.
• The minimum capacity of server backlog in your LAN network.
• The CPU power of servers in your LAN network.
• Network bandwidth.
• Type of traffic for certain servers.
Whenever the number of half-open sessions with the same destination host address rises above a threshold (TCP Maximum Incomplete), the Prestige starts deleting half-open sessions according to one of the following methods:
• If the Blocking Time timeout is 0 (the default), then the Prestige deletes the oldest existing half-open session for the host for every new connection request to the host.
Table 47 Firewall: Threshold (continued)
LABEL | DESCRIPTION | DEFAULT VALUES
One Minute High | This is the rate of new half-open sessions that causes the firewall to start deleting half-open sessions. When the rate of new connection attempts rises above this number, the Prestige deletes half-open sessions as required to accommodate new connection attempts. | 100 half-open sessions per minute.
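A model of the TCP Maximum Incomplete behaviour with Blocking Time set to 0, written as an added Python example and not taken from the Prestige firmware. The threshold, request rate, addresses and round-trip times are constructed values; it shows that a legitimate handshake completes only if fewer than the threshold's worth of newer requests reach the same host before the client's final ACK.

```python
from collections import OrderedDict, defaultdict


class HalfOpenTracker:
    """Per-destination table of TCP sessions that have sent a SYN but not yet
    completed the handshake, bounded as the guide describes for Blocking Time 0."""

    def __init__(self, tcp_max_incomplete: int):
        self.limit = tcp_max_incomplete
        self.half_open = defaultdict(OrderedDict)   # dst -> {(src, sport): t_ms}
        self.deleted = []                           # (dst, src, sport, t_ms)
        self.peak = 0                               # largest table size observed

    def syn(self, now_ms: int, src: str, sport: int, dst: str) -> None:
        table = self.half_open[dst]
        table[(src, sport)] = now_ms
        if len(table) > self.limit:
            # Above TCP Maximum Incomplete: delete the oldest existing
            # half-open session for this host for the new request.
            (old_src, old_sport), started = table.popitem(last=False)
            self.deleted.append((dst, old_src, old_sport, started))
        self.peak = max(self.peak, len(table))

    def ack(self, src: str, sport: int, dst: str) -> bool:
        """Final ACK of the handshake. False means the half-open session had
        already been deleted, so the connection does not complete."""
        return self.half_open[dst].pop((src, sport), None) is not None


def simulate(tcp_max_incomplete: int, client_rtt_ms: int,
             request_interval_ms: int = 10, unanswered_syns: int = 100) -> dict:
    """Replay a constructed burst of never-completed SYNs toward one LAN
    server alongside a single legitimate client, and report the outcome."""
    server = "10.0.0.10"
    client = ("192.0.2.7", 40000)                   # constructed client
    events = []                                     # (time_ms, kind, src, sport)
    for i in range(unanswered_syns):
        src = f"198.51.100.{i % 250 + 1}"           # constructed sources
        events.append((i * request_interval_ms, "syn", src, 1024 + i))
    client_syn_ms = 105
    events.append((client_syn_ms, "syn", *client))
    events.append((client_syn_ms + client_rtt_ms, "ack", *client))

    tracker = HalfOpenTracker(tcp_max_incomplete)
    completed = False
    for t_ms, kind, src, sport in sorted(events):
        if kind == "syn":
            tracker.syn(t_ms, src, sport, server)
        else:
            completed = tracker.ack(src, sport, server)
    return {"client_completed": completed,
            "peak_half_open": tracker.peak,
            "deleted": len(tracker.deleted)}


if __name__ == "__main__":
    for limit, rtt in ((10, 50), (10, 200), (30, 200)):
        print(f"threshold={limit:2d} rtt={rtt:3d} ms ->", simulate(limit, rtt))
```

With one new request every 10 ms, a threshold of 10 leaves a client about 100 ms to finish its handshake, which is why the server backlog and the type of traffic appear among the tuning factors listed above.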
CHAPTER 14 Content Filtering
This chapter covers how to configure content filtering.
14.1 Content Filtering Overview
Internet content filtering allows you to create and enforce Internet access policies tailored to your needs. Content filtering gives you the ability to block web sites that contain key words (that you specify) in the URL. You can set a schedule for when the Prestige performs content filtering.
The following table describes the labels in this screen.
Table 48 Content Filter: Keyword
LABEL | DESCRIPTION
Enable Keyword Blocking | Select this check box to enable this feature.
Block Websites that contain these keywords in the URL: | This box contains the list of all the keywords that you have configured the Prestige to block.
Delete | Highlight a keyword in the box and click Delete to remove it.
Clear All | Click Clear All to remove all of the keywords from the list.
The following table describes the labels in this screen.
Table 49 Content Filter: Schedule
LABEL | DESCRIPTION
Days to Block: | Select a check box to configure which days of the week (or everyday) you want the content filtering to be active.
Time of Day to Block: | Use the 24 hour format to configure which time of the day (or select the All day check box) you want the content filtering to be active.
Back | Click Back to return to the previous screen.
CHAPTER 15 Remote Management Configuration
This chapter provides information on configuring remote management.
15.1 Remote Management Overview
Remote management allows you to determine which services/protocols can access which Prestige interface (if any) from which computers. When you configure remote management to allow management from the WAN, you still need to configure a firewall rule to allow access.
• A filter in SMT menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service.
• You have disabled that service in one of the remote management screens.
• The IP address in the Secured Client IP field does not match the client IP address. If it does not match, the Prestige will disconnect the session immediately.
• There is already another remote management session with an equal or higher priority running.
15.4 Web
You can use the Prestige’s embedded web configurator for configuration and file management. See the online help for details.
15.5 Configuring Remote Management
Click Remote Management to open the following screen.
Figure 80 Remote Management
The following table describes the fields in this screen.
Table 51 Remote Management
LABEL | DESCRIPTION
Server Type | Each of these labels denotes a service that you may use to remotely manage the Prestige.
CHAPTER 16 Universal Plug-and-Play (UPnP)
This chapter introduces the UPnP feature in the web configurator.
16.1 Introducing Universal Plug and Play
Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities and learn about other devices on the network.
All UPnP-enabled devices may communicate freely with each other without additional configuration. Disable UPnP if this is not your intention.
16.2 UPnP and ZyXEL
ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum UPnP™ Implementers Corp. (UIC). ZyXEL's UPnP implementation supports IGD 1.0 (Internet Gateway Device). At the time of writing ZyXEL's UPnP implementation supports Windows Messenger 4.6 and 4.7 while Windows Messenger 5.
Table 52 Configuring UPnP
LABEL | DESCRIPTION
Enable the Universal Plug and Play (UPnP) Service | Select this checkbox to activate UPnP. Be aware that anyone could use a UPnP application to open the web configurator's login screen without entering the Prestige's IP address (although you must still enter the password to access the web configurator).
Figure 82 Add/Remove Programs: Windows Setup: Communication
3 In the Communications window, select the Universal Plug and Play check box in the Components selection box.
Figure 83 Add/Remove Programs: Windows Setup: Communication: Components
4 Click OK to go back to the Add/Remove Programs Properties window and click Next.
5 Restart the computer when prompted.
Installing UPnP in Windows XP
Follow the steps below to install the UPnP in Windows XP.
1 Click Start and Control Panel.
2 Double-click Network Connections.
3 In the Network Connections window, click Advanced in the main menu and select Optional Networking Components ….
Figure 84 Network Connections
4 The Windows Optional Networking Components Wizard window displays. Select Networking Service in the Components selection box and click Details.
Figure 85 Windows Optional Networking Components Wizard
5 In the Networking Services window, select the Universal Plug and Play check box.
Figure 86 Networking Services
6 Click OK to go back to the Windows Optional Networking Component Wizard window and click Next.
16.4 Using UPnP in Windows XP Example
This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the Prestige. Make sure the computer is connected to a LAN port of the Prestige. Turn on your computer and the Prestige.
Figure 87 Network Connections
3 In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created.
Figure 88 Internet Connection Properties
4 You may edit or delete the port mappings or click Add to manually add port mappings.
Figure 89 Internet Connection Properties: Advanced Settings
Figure 90 Internet Connection Properties: Advanced Settings: Add
5 When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically.
6 Select Show icon in notification area when connected option and click OK. An icon displays in the system tray.
Figure 91 System Tray Icon
7 Double-click on the icon to display your current Internet connection status.
Figure 92 Internet Connection Status
Web Configurator Easy Access
With UPnP, you can access the web-based configurator on the Prestige without finding out the IP address of the Prestige first. This is helpful if you do not know the IP address of the Prestige. Follow the steps below to access the web configurator.
1 Click Start and then Control Panel.
Figure 93 Network Connections
4 An icon with the description for each UPnP-enabled device displays under Local Network.
5 Right-click on the icon for your Prestige and select Invoke. The web configurator login screen displays.
Figure 94 Network Connections: My Network Places
6 Right-click on the icon for your Prestige and select Properties. A properties window displays with basic information about the Prestige.
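One way to review the port mappings that UPnP creates automatically, as an added Python example that is not part of the guide. It parses IGD 1.0 GetGenericPortMappingEntry replies and flags enabled mappings that reach a management service (Telnet, FTP or Web), point at the gateway itself, or point at a host that is no longer on the LAN. The sample replies, gateway address, host list and finding names are constructed for the illustration.

```python
import xml.etree.ElementTree as ET

# Services the guide names for remote management of the Prestige.
MGMT_PORTS = {21: "FTP", 23: "Telnet", 80: "Web"}
RESPONSE_TAG = "GetGenericPortMappingEntryResponse"


def envelope(ext_port, proto, int_client, int_port, enabled, desc):
    """Build one constructed IGD 1.0 reply; a real one comes from the gateway."""
    return f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body>
  <u:{RESPONSE_TAG} xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
   <NewRemoteHost></NewRemoteHost>
   <NewExternalPort>{ext_port}</NewExternalPort>
   <NewProtocol>{proto}</NewProtocol>
   <NewInternalPort>{int_port}</NewInternalPort>
   <NewInternalClient>{int_client}</NewInternalClient>
   <NewEnabled>{enabled}</NewEnabled>
   <NewPortMappingDescription>{desc}</NewPortMappingDescription>
   <NewLeaseDuration>0</NewLeaseDuration>
  </u:{RESPONSE_TAG}>
 </s:Body>
</s:Envelope>"""


GATEWAY_IP = "10.0.0.1"            # constructed LAN address of the gateway
LIVE_HOSTS = {"10.0.0.33"}         # constructed list of hosts currently on the LAN
SAMPLE_RESPONSES = [               # constructed replies
    envelope(13251, "UDP", "10.0.0.33", 13251, 1, "messenger audio"),
    envelope(8080, "TCP", "10.0.0.1", 80, 1, "unknown"),
    envelope(5001, "TCP", "10.0.0.50", 5001, 1, "file share"),
    envelope(2323, "TCP", "10.0.0.33", 23, 0, "old test mapping"),
]


def parse_mapping(soap_xml: str) -> dict:
    """Extract one port mapping from a GetGenericPortMappingEntry reply."""
    if "<!DOCTYPE" in soap_xml or "<!ENTITY" in soap_xml:
        raise ValueError("DTD or entity declarations do not belong in a SOAP reply")
    for elem in ET.fromstring(soap_xml).iter():
        # Match on the local name so WANIPConnection and WANPPPConnection both work.
        if elem.tag.endswith("}" + RESPONSE_TAG):
            f = {child.tag: (child.text or "").strip() for child in elem}
            return {
                "protocol": f["NewProtocol"].upper(),
                "external_port": int(f["NewExternalPort"]),
                "internal_client": f["NewInternalClient"],
                "internal_port": int(f["NewInternalPort"]),
                "enabled": f["NewEnabled"] in ("1", "true"),
                "description": f["NewPortMappingDescription"],
            }
    raise ValueError(f"no {RESPONSE_TAG} element found")


def audit(mapping: dict, gateway_ip: str, live_hosts: set) -> list:
    """Return finding names for one mapping; disabled mappings are ignored."""
    if not mapping["enabled"]:
        return []
    findings = []
    service = MGMT_PORTS.get(mapping["internal_port"])
    if service:
        findings.append(f"mgmt-port:{service}")
    if mapping["internal_client"] == gateway_ip:
        findings.append("targets-gateway")
    elif mapping["internal_client"] not in live_hosts:
        findings.append("stale-client")
    return findings


def audit_all(responses, gateway_ip, live_hosts) -> dict:
    """Map (protocol, external port) to the findings for that mapping."""
    report = {}
    for xml_text in responses:
        m = parse_mapping(xml_text)
        report[(m["protocol"], m["external_port"])] = audit(m, gateway_ip, live_hosts)
    return report


if __name__ == "__main__":
    for key, findings in audit_all(SAMPLE_RESPONSES, GATEWAY_IP, LIVE_HOSTS).items():
        print(key, findings or "ok")
```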
CHAPTER 17 Logs Screens
This chapter contains information about configuring general log settings and viewing the Prestige’s logs. Refer to the appendix for example log message explanations.
17.1 Logs Overview
The web configurator allows you to choose which categories of events and/or alerts to have the Prestige log and then display the logs or have the Prestige send them to an administrator (as e-mail) or to a syslog server.
17.1.
Figure 96 Log Settings
The following table describes the fields in this screen.
Table 53 Log Settings
LABEL | DESCRIPTION
Address Info
Mail Server | Enter the server name or the IP address of the mail server for the e-mail addresses specified below. If this field is left blank, logs and alert messages will not be sent via e-mail.
Mail Subject | Type a title that you want to be in the subject line of the log e-mail message that the Prestige sends.
Table 53 Log Settings
LABEL | DESCRIPTION
UNIX Syslog | Syslog logging sends a log to an external syslog server used to store logs.
Active | Click Active to enable syslog logging.
Syslog IP Address | Enter the server name or IP address of the syslog server that will log the selected categories of logs.
Log Facility | Select a location from the drop down list box. The log facility allows you to log the messages to different files in the syslog server.
Figure 97 View Logs
The following table describes the fields in this screen.
Table 54 View Logs
LABEL | DESCRIPTION
Display | The categories that you select in the Log Settings screen (see Section 17.2 on page 188) display in the drop-down list box. Select a category of logs to view; select All Logs to view logs from all of the log categories that you selected in the Log Settings page.
Time | This field displays the time the log was recorded.
Table 55 SMTP Error Messages
-5 means MAIL FROM fail
-6 means RCPT TO fail
-7 means DATA fail
-8 means mail data send fail
17.4.1 Example E-mail Log
An "End of Log" message displays for each mail in which a complete log has been sent. The following is an example of a log sent by e-mail.
• You may edit the subject title.
• The date format here is Day-Month-Year.
• The date format here is Month-Day-Year.
• The time format is Hour-Minute-Second.
CHAPTER 18 Media Bandwidth Management Advanced Setup
This chapter describes the functions and advanced configuration of bandwidth management.
18.1 Bandwidth Management Advanced Setup Overview
Bandwidth management allows you to allocate an interface’s outgoing capacity to specific types of traffic. It can also help you make sure that the Prestige forwards certain types of traffic (especially real-time applications) with minimum delay.
you configure child-classes with filters for any classes that you configure without filters. The Prestige leaves the bandwidth budget allocated and unused for a class that does not have a filter itself or child-classes with filters. View your configured bandwidth classes and child-classes in the Class Setup screen (see Section 18.9 on page 202 for details).
Figure 100 Subnet-based Bandwidth Management Example
18.4.3 Application and Subnet-based Bandwidth Management Example
The following example uses bandwidth classes based on LAN subnets and applications (specific applications in each subnet are allotted bandwidth).
18.5 Scheduler
The scheduler divides up an interface’s bandwidth among the bandwidth classes. The Prestige has two types of scheduler: fairness-based and priority-based.
18.5.1 Priority-based Scheduler
With the priority-based scheduler, the Prestige forwards traffic from bandwidth classes according to the priorities that you assign to the bandwidth classes. The larger a bandwidth class’s priority number is, the higher the priority.
18.6.2 Maximize Bandwidth Usage Example
Here is an example of a Prestige that has maximized bandwidth usage enabled on an interface. The first figure shows each bandwidth class’s bandwidth budget and priority. The classes are set up based on subnets. The interface is set to 10 Mbps. Each subnet is allocated 2 Mbps. The unbudgeted 2 Mbps allows traffic not defined in one of the bandwidth filters to go out when you do not select the maximize bandwidth option.
Figure 103 Maximize Bandwidth Usage Example
18.7 Bandwidth Borrowing
Bandwidth borrowing allows a child-class to borrow unused bandwidth from its parent class, whereas maximize bandwidth usage allows bandwidth classes to borrow any unused or unbudgeted bandwidth on the whole interface. Enable bandwidth borrowing on a child-class to allow the child-class to use its parent class’s unused bandwidth.
Figure 104 Bandwidth Borrowing Example
• The Administration and Sales classes cannot borrow unused bandwidth from the Root class because the Administration and Sales classes have bandwidth borrowing disabled.
• The Marketing and R&D classes can both borrow unused bandwidth from the Root class because the Marketing and R&D classes both have bandwidth borrowing enabled.
18.7.
Figure 105 Media Bandwidth Management: Summary
The following table describes the labels in this screen.
Table 57 Media Bandwidth Management: Summary
LABEL | DESCRIPTION
LAN WLAN WAN | These read-only labels represent the physical interfaces. Select an interface’s check box to enable bandwidth management on that interface. Bandwidth management applies to all traffic flowing out of the router through the interface, regardless of the traffic’s source.
18.9 Configuring Class Setup
The class setup screen displays the configured bandwidth classes by individual interface. Select an interface and click the buttons to perform the actions described next. Click “+” to expand the class tree or click “-” to collapse the class tree. Each interface has a permanent root class. The bandwidth budget of the root class is equal to the speed you configured on the interface (see Section 18.
18.9.1 DiffServ
DiffServ is a class of service (CoS) model that marks packets so that they receive specific per-hop treatment at DiffServ-compliant network devices along the route based on the application types and traffic flow. Packets are marked with DiffServ Code Points (DSCPs) indicating the level of service desired.
Figure 108 Media Bandwidth Management: Class Configuration
The following table describes the labels in this screen.
Table 59 Media Bandwidth Management: Class Configuration
LABEL | DESCRIPTION
Class Name | Use the auto-generated name or enter a descriptive name of up to 20 alphanumeric characters, including spaces.
BW Budget (kbps) | Specify the maximum bandwidth allowed for the class in kbps.
Table 59 Media Bandwidth Management: Class Configuration (continued)
LABEL | DESCRIPTION
Enable DiffServ Marking | Select this option to enable DiffServ marking on the Prestige.
DiffServ Mark | Select the marking rule from the drop-down list. The first three digits are the DiffServ code point. A packet with the lowest priority mark will be dropped when the line is busy.
Table 59 Media Bandwidth Management: Class Configuration (continued)
LABEL | DESCRIPTION
Apply | Click Apply to save your changes back to the Prestige.
Cancel | Click Cancel to begin configuring this screen afresh.
Figure 109 Media Bandwidth Management Statistics
The following table describes the labels in this screen.
Table 61 Media Bandwidth Management Statistics
LABEL | DESCRIPTION
Class Name | This field displays the name of the class the statistics page is showing.
Budget (kbps) | This field displays the amount of bandwidth allocated to the class.
Tx Packets | This field displays the total number of packets transmitted.
Figure 110 Media Bandwidth Management: Monitor
The following table describes the labels in this screen.
Table 62 Media Bandwidth Management: Monitor
LABEL | DESCRIPTION
Interface | Select an interface from the drop-down list box to view the bandwidth usage of its bandwidth classes.
Class Name | This field displays the name of the class.
Budget (kbps) | This field displays the amount of bandwidth allocated to the class.
CHAPTER 19 Maintenance
This chapter displays system information such as ZyNOS firmware, port IP addresses and port traffic statistics.
19.1 Maintenance Overview
The maintenance screens can help you view system information, upload new firmware, manage configuration and restart your Prestige.
19.2 System Status Screen
Click System Status to open the following screen, which you can use to monitor your Prestige.
Figure 111 System Status
The following table describes the fields in this screen.
Table 63 System Status
LABEL | DESCRIPTION
System Status
System Name | This is the name of your Prestige. It is for identification purposes.
Table 63 System Status (continued)
LABEL | DESCRIPTION
ZyNOS Firmware Version | This is the ZyNOS firmware version and the date created. ZyNOS is ZyXEL's proprietary Network Operating System design.
DSL FW Version | This is the DSL firmware version associated with your Prestige.
Standard | This is the standard that your Prestige is using.
WAN Information
IP Address | This is the WAN port IP address.
IP Subnet Mask | This is the WAN port IP subnet mask.
Figure 112 System Status: Show Statistics
The following table describes the fields in this screen.
Table 64 System Status: Show Statistics
LABEL | DESCRIPTION
System up Time | This is the elapsed time the system has been up.
CPU Load | This field specifies the percentage of CPU utilization.
LAN or WAN Port Statistics | This is the WAN or LAN port.
Link Status | This is the status of your WAN link.
Upstream Speed | This is the upstream speed of your Prestige.
Table 64 System Status: Show Statistics (continued)
LABEL | DESCRIPTION
Poll Interval(s) | Type the time interval for the browser to refresh system statistics.
Set Interval | Click this button to apply the new poll interval you entered in the Poll Interval field above.
Stop | Click this button to halt the refreshing of the system statistics.
19.
19.4 Any IP Table Screen
Click Maintenance, Any IP. The Any IP table shows current read-only information (including the IP address and the MAC address) of all network devices that use the Any IP feature to communicate with the Prestige. Refer to Section 6.5 on page 76 for more information.
Figure 114 Any IP Table
The following table describes the labels in this screen.
Table 66 Any IP Table
LABEL | DESCRIPTION
# | This field displays the index number.
Figure 115 Association List
The following table describes the fields in this screen.
Table 67 Association List
LABEL | DESCRIPTION
# | This is the index number of an associated wireless station.
MAC Address | This field displays the MAC (Media Access Control) address of an associated wireless station. Every Ethernet device has a unique MAC address.
Figure 116 Diagnostic: General
The following table describes the fields in this screen.
Table 68 Diagnostic: General
LABEL | DESCRIPTION
TCP/IP Address | Type the IP address of a computer that you want to ping in order to test a connection.
Ping | Click this button to ping the IP address that you entered.
Reset System | Click this button to reboot the Prestige. A warning dialog box is then displayed asking you if you're sure you want to reboot the system.
Figure 117 Diagnostic: DSL Line
The following table describes the fields in this screen.
Table 69 Diagnostic: DSL Line
LABEL | DESCRIPTION
Reset ADSL Line | Click this button to reinitialize the ADSL line. The large text box above then displays the progress and results of this operation, for example: "Start to reset ADSL Loading ADSL modem F/W... Reset ADSL Line Successfully!"
ATM Status | Click this button to view ATM status.
19.7 Firmware Screen
Find firmware at www.zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example, "Prestige.bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes. After a successful upload, the system will reboot. See Chapter 35 on page 320 in the parts that document the SMT for upgrading firmware using FTP/TFTP commands. Only use firmware for your device’s specific model.
The Prestige automatically restarts in this time causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.
Figure 119 Network Temporarily Disconnected
After two minutes, log in again and check your new firmware version in the System Status screen. If the upload was not successful, the following screen will appear. Click Back to go back to the Firmware screen.
CHAPTER 20 Introducing the SMT
This chapter explains how to access and navigate the System Management Terminal and gives an overview of its menus.
20.1 SMT Introduction
The Prestige’s SMT (System Management Terminal) is a menu-driven interface that you can access from a terminal emulator over a telnet connection. This chapter shows you how to access the SMT (System Management Terminal) menus via Telnet, how to navigate the SMT and how to configure SMT menus.
20.1.
Figure 121 Login Screen
Enter Password : ****
20.1.3 Prestige SMT Menu Overview
We use the Prestige 660HW-61 SMT menus in this guide as an example. The SMT menus vary slightly for different Prestige models. The following figure gives you an overview of the various SMT menu screens of your Prestige.
Figure 122 Prestige SMT Menu Overview
20.2 Navigating the SMT Interface
The SMT (System Management Terminal) is the interface that you use to configure your Prestige.
Several operations that you should be familiar with before you attempt to modify the configuration are listed in the table below.
Table 71 Navigating the SMT Interface
OPERATION | KEY STROKE | DESCRIPTION
Move down to another menu | [ENTER] | To move forward to a submenu, type in the number of the desired submenu and press [ENTER].
Move up to a previous menu | [ESC] | Press [ESC] to move back to the previous menu.
20.2.1 System Management Terminal Interface Summary
Table 73 Main Menu Summary
# | MENU TITLE | DESCRIPTION
1 | General Setup | Use this menu to set up your general information.
2 | WAN Backup Setup | Use this menu to setup traffic redirect and dial-back up.
3 | LAN Setup | Use this menu to set up your wireless LAN and LAN connection.
4 | Internet Access Setup | A quick and easy way to set up an Internet connection.
Figure 123 Menu 23.1 Change Password
Menu 23.1 - System Security - Change Password
Old Password= ?
New Password= ?
Retype to confirm= ?
Enter here to CONFIRM or ESC to CANCEL:
4 Type your new system password in the New Password field (up to 30 characters), and press [ENTER].
5 Re-type your new system password in the Retype to confirm field for confirmation and press [ENTER].
Note: As you type a password, the screen displays an “*” for each character you type.
CHAPTER 21 Menu 1 General Setup
Menu 1 - General Setup contains administrative and system-related information.
21.1 General Setup
Menu 1 — General Setup contains administrative and system-related information (shown next). The System Name field is for identification purposes. However, because some ISPs check this name you should enter your computer's "Computer Name".
• In Windows 95/98 click Start, Settings, Control Panel, Network.
Figure 124 Menu 1 General Setup
Menu 1 General Setup
System Name= ?
Location=
Contact Person's Name=
Domain Name=
Edit Dynamic DNS= No
Route IP= Yes
Bridge= No
Press ENTER to Confirm or ESC to Cancel:
Fill in the required fields. Refer to the table shown next for more information about these fields.
Table 74 Menu 1 General Setup
FIELD | DESCRIPTION
System Name | Choose a descriptive name for identification purposes. This name can be up to 30 alphanumeric characters long.
Figure 125 Menu 1.1 Configure Dynamic DNS
Menu 1.1 - Configure Dynamic DNS
Service Provider= WWW.DynDNS.ORG
Active= No
Host=
EMAIL=
USER=
Password= ********
Enable Wildcard= No
Press ENTER to Confirm or ESC to Cancel:
Follow the instructions in the next table to configure dynamic DNS parameters.
Table 75 Menu 1.1 Configure Dynamic DNS
FIELD | DESCRIPTION
Service Provider | This is the name of your dynamic DNS service provider.
CHAPTER 22 Menu 2 WAN Backup Setup
This chapter describes how to configure traffic redirect and dial-backup using menu 2 and 2.1.
22.1 Introduction to WAN Backup Setup
This chapter explains how to configure the Prestige for traffic redirect and dial backup connections.
22.2 Configuring Dial Backup in Menu 2
From the main menu, enter 2 to open menu 2.
Figure 126 Menu 2 WAN Backup Setup
Menu 2 - Wan Backup Setup
Check Mechanism = DSL Link
Check WAN IP Address1 = 0.0.0.
Table 76 Menu 2 WAN Backup Setup (continued)
FIELD | DESCRIPTION
KeepAlive Fail Tolerance | Type the number of times (2 recommended) that your Prestige may ping the IP addresses configured in the Check WAN IP Address field without getting a response before switching to a WAN backup connection (or a different WAN backup connection).
Table 77 Menu 2.1 Traffic Redirect Setup
FIELD     DESCRIPTION
Metric    This field sets this route's priority among the routes the Prestige uses. The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost". RIP routing uses hop count as the measurement of cost, with a minimum of "1" for directly connected networks.
CHAPTER 23 Menu 3 LAN Setup

This chapter covers how to configure your wired Local Area Network (LAN) settings.

23.1 LAN Setup

This section describes how to configure the Ethernet using Menu 3 — LAN Setup. From the main menu, enter 3 to display menu 3.

Figure 128 Menu 3 LAN Setup

    Menu 3 - LAN Setup

    1. LAN Port Filter Setup
    2. TCP/IP and DHCP Setup
    5. Wireless LAN Setup

    Enter Menu Selection Number:

23.1.
23.2 Protocol Dependent Ethernet Setup

Depending on the protocols for your applications, you need to configure the respective Ethernet Setup, as outlined below.

• For TCP/IP Ethernet setup refer to Section 25.6 on page 247.
• For bridging Ethernet setup refer to Chapter 28 on page 264.

23.3 TCP/IP Ethernet Setup and DHCP

Use menu 3.2 to configure your Prestige for TCP/IP. To edit menu 3.2, enter 3 from the main menu to display Menu 3 — LAN Setup.
Follow the instructions in the following table on how to configure the DHCP fields.

Table 78 DHCP Ethernet Setup
FIELD         DESCRIPTION
DHCP Setup
DHCP          If set to Server, your Prestige can assign IP addresses, an IP default gateway and DNS servers to Windows 95, Windows NT and other systems that support the DHCP client. If set to None, the DHCP server will be disabled.
CHAPTER 24 Wireless LAN Setup

This chapter covers how to configure wireless LAN settings in SMT menu 3.5.

24.1 Wireless LAN Overview

Refer to the chapter on the wireless LAN screens for wireless LAN background information.

24.2 Wireless LAN Setup

Use menu 3.5 to set up your Prestige as the wireless access point. To edit menu 3.5, enter 3 from the main menu to display Menu 3 – LAN Setup. When menu 3 appears, press 5 and then press [ENTER] to display Menu 3.
Table 80 Menu 3.5 - Wireless LAN Setup (continued)
FIELD            DESCRIPTION
Channel ID       Press [SPACE BAR] to select a channel. This allows you to set the operating frequency/channel depending on your particular region.
RTS Threshold    The RTS (Request To Send) threshold (number of bytes) enables the RTS/CTS handshake. Data with a frame size larger than this value will perform the RTS/CTS handshake.
Figure 132 Menu 3.5.1 WLAN MAC Address Filtering

    Menu 3.5.
CHAPTER 25 Internet Access

This chapter shows you how to configure the LAN and WAN of your Prestige for Internet access.

25.1 Internet Access Overview

Refer to the chapters on the web configurator’s wizard, LAN and WAN screens for more background information on fields in the SMT screens covered in this chapter.

25.2 IP Policies

Traditionally, routing is based on the destination address only and the router takes the shortest path to forward a packet.
Figure 133 IP Alias Network Example

Use menu 3.2.1 to configure IP Alias on your Prestige.

25.4 IP Alias Setup

Use menu 3.2 to configure the first network. Move the cursor to Edit IP Alias field and press [SPACEBAR] to choose Yes and press [ENTER] to configure the second and third network.

Figure 134 Menu 3.2 TCP/IP and DHCP Setup

    Menu 3.2 - TCP/IP and DHCP Setup

    DHCP Setup
      DHCP= Server
      Client IP Pool Starting Address= 192.168.1.
Figure 135 Menu 3.2.1 IP Alias Setup

    Menu 3.2.
Figure 136 Menu 1 General Setup

    Menu 1 - General Setup

    System Name= ?
    Location= location
    Contact Person's Name=
    Domain Name=
    Edit Dynamic DNS= No
    Route IP= Yes
    Bridge= No

    Press ENTER to Confirm or ESC to Cancel:

25.6 Internet Access Configuration

Menu 4 allows you to enter the Internet Access information in one screen. Menu 4 is actually a simplified setup for one of the remote nodes that you can access in menu 11.
Table 83 Menu 4 Internet Access Setup
FIELD            DESCRIPTION
ISP’s Name       Enter the name of your Internet Service Provider (ISP). This information is for identification purposes only.
Encapsulation    Press [SPACE BAR] to select the method of encapsulation used by your ISP. Choices are PPPoE, PPPoA, RFC 1483 or ENET ENCAP.
Multiplexing     Press [SPACE BAR] to select the method of multiplexing used by your ISP. Choices are VC-based or LLC-based.
CHAPTER 26 Remote Node Configuration

This chapter covers remote node configuration.

26.1 Remote Node Setup Overview

This section describes the protocol-independent parameters for a remote node. A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection. When you use menu 4 to set up Internet access, you are configuring one of the remote nodes.
Figure 138 Menu 11 Remote Node Setup

    Menu 11 - Remote Node Setup

    1. MyISP (ISP, SUA)
    2. ________
    3. ________
    4. ________
    5. ________
    6. ________
    7. ________
    8. ________

    Enter Node # to Edit:

26.2.2 Encapsulation and Multiplexing Scenarios

For Internet access you should use the encapsulation and multiplexing methods used by your ISP.
Figure 139 Menu 11.1 Remote Node Profile

    Menu 11.
Table 84 Menu 11.1 Remote Node Profile (continued)
FIELD     DESCRIPTION
          PAP – accept PAP (Password Authentication Protocol) only.
Route     This field determines the protocol used in routing. Options are IP and None.
Bridge    When bridging is enabled, your Prestige will forward any packet that it does not route to this remote node; otherwise, the packets are discarded. Select Yes to enable and No to disable.
26.3 Remote Node Network Layer Options

For the TCP/IP parameters, perform the following steps to edit Menu 11.3 – Remote Node Network Layer Options as shown next.

1 In menu 11.1, make sure IP is among the protocols in the Route field.
2 Move the cursor to the Edit IP/Bridge field, press [SPACE BAR] to select Yes, then press [ENTER] to display Menu 11.3 – Remote Node Network Layer Options.

Figure 140 Menu 11.3 Remote Node Network Layer Options

    Menu 11.
Table 85 Menu 11.3 Remote Node Network Layer Options (continued)
FIELD                  DESCRIPTION
Address Mapping Set    When Full Feature is selected in the NAT field, configure address mapping sets in menu 15.1. Select one of the NAT server sets (2-10) in menu 15.2 (see Chapter 29 on page 268 for details) and type that number here. When SUA Only is selected in the NAT field, the SMT uses NAT server set 1 in menu 15.2 (see Chapter 29 on page 268 for details).
Figure 141 Sample IP Addresses for a TCP/IP LAN-to-LAN Connection

26.4 Remote Node Filter

Move the cursor to the Edit Filter Sets field in menu 11.1, then press [SPACE BAR] to select Yes. Press [ENTER] to display Menu 11.5 – Remote Node Filter.

Use Menu 11.5 – Remote Node Filter to specify the filter set(s) to apply to the incoming and outgoing traffic between this remote node and the Prestige and also to prevent certain packets from triggering calls.
Figure 143 Menu 11.5 Remote Node Filter (PPPoA or PPPoE Encapsulation)

    Menu 11.5 - Remote Node Filter

    Input Filter Sets:
      protocol filters=
      device filters=
    Output Filter Sets:
      protocol filters=
      device filters=
    Call Filter Sets:
      protocol filters=
      device filters=

    Enter here to CONFIRM or ESC to CANCEL:

26.5 Editing ATM Layer Options

Follow the steps shown next to edit Menu 11.6 – Remote Node ATM Layer Options. In menu 11.
Figure 145 Menu 11.6 for LLC-based Multiplexing or PPP Encapsulation

    Menu 11.6 - Remote Node ATM Layer Options

    VPI/VCI (LLC-Multiplexing or PPP-Encapsulation)
      VPI #= 0
      VCI #= 38
      ATM QoS Type= UBR
      Peak Cell Rate (PCR)= 0
      Sustain Cell Rate (SCR)= 0
      Maximum Burst Size (MBS)= 0

    ENTER here to CONFIRM or ESC to CANCEL:

In this case, only one set of VPI and VCI numbers need be specified for all protocols.
Figure 147 Menu 11.8 Advance Setup Options

    Menu 11.8 - Advance Setup Options

    PPPoE pass-through= No

    Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields in this menu.

Table 86 Menu 11.8 Advance Setup Options
FIELD                 DESCRIPTION
PPPoE pass-through    Press [SPACE BAR] to select Yes and press [ENTER] to enable PPPoE pass through.
CHAPTER 27 Static Route Setup

This chapter shows how to set up IP static routes.

27.1 IP Static Route Overview

Static routes tell the Prestige routing information that it cannot learn automatically through other means. This can arise in cases where RIP is disabled on the LAN or a remote network is beyond the one that is directly connected to a remote node.
Figure 149 Menu 12 Static Route Setup

    Menu 12 - Static Route Setup

    1. IP Static Route
    3. Bridge Static Route

    Please enter selection:

From menu 12, select 1 to open Menu 12.1 — IP Static Route Setup (shown next).

Figure 150 Menu 12.1 IP Static Route Setup

    Menu 12.1 - IP Static Route Setup

    1. ________
    2. ________
    3. ________
    4. ________
    5. ________
    6. ________
    7. ________
    8. ________
    9. ________
    10. ________
    11. ________
    12. ________
    13. ________
    14. ________
    15.
The following table describes the fields for Menu 12.1.1 – Edit IP Static Route Setup.

Table 87 Menu 12.1.1 Edit IP Static Route
FIELD         DESCRIPTION
Route #       This is the index number of the static route that you chose in menu 12.1.
Route Name    Type a descriptive name for this route. This is for identification purposes only.
Active        This field allows you to activate/deactivate this static route.
CHAPTER 28 Bridging Setup

This chapter shows you how to configure the bridging parameters of your Prestige.

28.1 Bridging in General

Bridging bases the forwarding decision on the MAC (Media Access Control), or hardware address, while routing does it on the network layer (IP) address. Bridging allows the Prestige to transport packets of network layer protocols that it does not route, for example, SNA, from one network to another.
Figure 152 Menu 11.1 Remote Node Profile

    Menu 11.
28.2.2 Bridge Static Route Setup

Similar to network layer static routes, a bridging static route tells the Prestige the route to a node before a connection is established. You configure bridge static routes in menu 12.3.1 (go to menu 12, choose option 3, then choose a static route to edit) as shown next.

Figure 154 Menu 12.3.1 Edit Bridge Static Route

    Menu 12.3.
CHAPTER 29 Network Address Translation (NAT)

This chapter discusses how to configure NAT on the Prestige.

29.1 Using NAT

You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the Prestige.

29.1.1 SUA (Single User Account) Versus NAT

SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server. See Section 29.
Figure 155 Menu 4 Applying NAT for Internet Access

    Menu 4 - Internet Access Setup

    ISP's Name= MyISP
    Encapsulation= RFC 1483
    Multiplexing= LLC-based
    VPI #= 8
    VCI #= 35
    ATM QoS Type= UBR
    Peak Cell Rate (PCR)= 0
    Sustain Cell Rate (SCR)= 0
    Maximum Burst Size (MBS)= 0
    My Login= N/A
    My Password= N/A
    ENET ENCAP Gateway= N/A
    IP Address Assignment= Static
    IP Address= 0.0.0.
Table 90 Applying NAT in Menus 4 & 11.3
FIELD    DESCRIPTION
NAT      Press [SPACE BAR] and then [ENTER] to select Full Feature if you have multiple public WAN IP addresses for your Prestige. The SMT uses the address mapping set that you configure and enter in the Address Mapping Set field (see Figure 158 on page 271). Select None to disable NAT. When you select SUA Only, the SMT uses Address Mapping Set 255 (see Figure 159 on page 271).
Figure 158 Menu 15.1 Address Mapping Sets

    Menu 15.1 - Address Mapping Sets

    1.
    2.
    3.
    4.
    5.
    6.
    7.
    8.
    255. SUA (read only)

    Enter Menu Selection Number:

29.3.1.1 SUA Address Mapping Set

Enter 255 to display the next screen (see also Section 29.1.1 on page 268). The fields in this menu cannot be changed.

Figure 159 Menu 15.1.255 SUA Address Mapping Rules

    Menu 15.1.
Table 91 SUA Address Mapping Rules (continued)
FIELD              DESCRIPTION
Local End IP       Local End IP is the ending local IP address (ILA). If the rule is for all local IPs, then the Start IP is 0.0.0.0 and the End IP is 255.255.255.255.
Global Start IP    This is the starting global IP address (IGA). If you have a dynamic IP, enter 0.0.0.0 as the Global Start IP.
Global End IP      This is the ending global IP address (IGA).
Type               These are the mapping types.
29.3.1.3 Ordering Your Rules

Ordering your rules is important because the Prestige applies the rules in the order that you specify. When a rule matches the current packet, the Prestige takes the corresponding action and the remaining rules are ignored. If there are any empty rules before your new configured rule, your configured rule will be pushed up by that number of empty rules.
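The ordering behaviour described above can be checked offline before typing rules into menu 15.1.1. The following Python sketch is an added example, not ZyXEL code: it models first-match evaluation, the push-up of configured rules over empty slots, and a check for rules that can never fire. The addresses are those of Example 3 later in this chapter; the MapRule class, the function names and the rule labels are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class MapRule:
    name: str          # label used only in this example
    local_start: str   # Local Start IP (ILA)
    local_end: str     # Local End IP (ILA)
    global_ip: str     # Global Start IP (IGA)

    def covers(self, ip):
        """True when ip lies inside this rule's local address range."""
        addr = int(ipaddress.IPv4Address(ip))
        low = int(ipaddress.IPv4Address(self.local_start))
        high = int(ipaddress.IPv4Address(self.local_end))
        return low <= addr <= high


def compact(slots):
    """Drop empty slots (None): configured rules are pushed up over them."""
    return [rule for rule in slots if rule is not None]


def translate(slots, local_ip):
    """Return the global address of the first matching rule, or None."""
    for rule in compact(slots):
        if rule.covers(local_ip):
            return rule.global_ip   # remaining rules are ignored
    return None


def shadowed(slots):
    """Names of rules whose whole local range an earlier rule already covers."""
    rules = compact(slots)
    hidden = []
    for position, rule in enumerate(rules):
        for earlier in rules[:position]:
            if earlier.covers(rule.local_start) and earlier.covers(rule.local_end):
                hidden.append(rule.name)
                break
    return hidden


# Addresses from Example 3; slot 2 is left empty on purpose.
HOST_10 = MapRule("host .10", "192.168.1.10", "192.168.1.10", "10.132.50.1")
HOST_11 = MapRule("host .11", "192.168.1.11", "192.168.1.11", "10.132.50.2")
ALL_LAN = MapRule("all LAN", "0.0.0.0", "255.255.255.255", "10.132.50.3")

SPECIFIC_FIRST = [HOST_10, None, HOST_11, ALL_LAN]
CATCH_ALL_FIRST = [ALL_LAN, HOST_10, HOST_11]

if __name__ == "__main__":
    for label, slots in (("specific first", SPECIFIC_FIRST),
                         ("catch-all first", CATCH_ALL_FIRST)):
        print(label, translate(slots, "192.168.1.10"), shadowed(slots))
```

With the catch-all rule first, both host rules are reported as shadowed and 192.168.1.10 leaves through 10.132.50.3 instead of its own address.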
The following table explains the fields in this menu.

Table 93 Menu 15.1.1.1 Editing/Configuring an Individual Rule in a Set
FIELD    DESCRIPTION
Type     Press [SPACE BAR] and then [ENTER] to select from a total of five types. These are the mapping types discussed in Chapter 9 on page 114. Server allows you to specify multiple servers of different types behind NAT to this computer. See Section 29.5.3 on page 277 for an example.
Figure 163 Menu 15.2.1 NAT Server Setup

    Menu 15.2 - NAT Server Setup

    Rule   Start Port No.   End Port No.   IP Address
    ---------------------------------------------------
     1.    Default          Default        0.0.0.0
     2.    21               21             192.168.1.33
     3.    0                0              0.0.0.0
     4.    0                0              0.0.0.0
     5.    0                0              0.0.0.0
     6.    0                0              0.0.0.0
     7.    0                0              0.0.0.0
     8.    0                0              0.0.0.0
     9.    0                0              0.0.0.0
    10.    0                0              0.0.0.0
    11.    0                0              0.0.0.0
    12.    0                0              0.0.0.0

    Press ENTER to Confirm or ESC to Cancel:

4 Enter a port number in an unused Start Port No field.
29.5.1 Example 1: Internet Access Only

In the following Internet access example, you only need one rule where your ILAs (Inside Local addresses) all map to one dynamic IGA (Inside Global Address) assigned by your ISP.
Figure 167 NAT Example 2

In this case, you do exactly as above (use the convenient pre-configured SUA Only set) and also go to menu 15.2 to specify the Inside Server behind the NAT as shown in the next figure.

Figure 168 Menu 15.2.1 Specifying an Inside Server

    Menu 15.2.1 - NAT Server Setup (Used for SUA Only)

    Rule   Start Port No.   End Port No.   IP Address
    ---------------------------------------------------
     1.    Default          Default        192.168.1.10
     2.    0                0              0.0.0.0
     3.    0                0              0.0.0.0
     4.
Map the other outgoing LAN traffic to IGA3 (Many : 1 mapping). You also map your third IGA to the web server and mail server on the LAN. Type Server allows you to specify multiple servers, of different types, to other computers behind NAT on the LAN. The example situation looks somewhat like this:

Figure 169 NAT Example 3

In this case you need to configure Address Mapping Set 1 from Menu 15.1 - Address Mapping Sets.
Figure 170 Example 3: Menu 11.3

    Menu 11.3 - Remote Node Network Layer Options

    IP Options:                       Bridge Options:
      IP Address Assignment= Static     Ethernet Addr Timeout (min)= 0
      Rem IP Addr: 0.0.0.0
      Rem Subnet Mask= 0.0.0.0
      My WAN Addr= 0.0.0.
Figure 172 Example 3: Final Menu 15.1.1

    Menu 15.1.1 - Address Mapping Rules

    Set Name= Example3

    Idx   Local Start IP    Local End IP      Global Start IP
    ---   ---------------   ---------------   ---------------
     1.   192.168.1.10                        10.132.50.1
     2.   192.168.1.11                        10.132.50.2
     3.   0.0.0.0           255.255.255.255   10.132.50.3
     4.                                       10.132.50.
29.5.4 Example 4: NAT Unfriendly Application Programs

Some applications do not support NAT Mapping using TCP or UDP port address translation. In this case it is better to use Many-to-Many No Overload mapping as port numbers do not change for Many-to-Many No Overload (and One-to-One) NAT mapping types. The following figure illustrates this.
Figure 176 Example 4: Menu 15.1.1 Address Mapping Rules

    Menu 15.1.1 - Address Mapping Rules

    Set Name= Example4

    Idx   Local Start IP    Local End IP      Global Start IP   Global End IP     Type
    ---   ---------------   ---------------   ---------------   ---------------   -----
     1.   192.168.1.10      192.168.1.12      10.132.50.1       10.132.50.        NO OV

    Action= Edit
CHAPTER 30 Enabling the Firewall

This chapter shows you how to get started with the Prestige firewall.

30.1 Remote Management and the Firewall

When SMT menu 24.11 is configured to allow management (see Chapter 37 on page 338) and the firewall is enabled:

• The firewall blocks remote management from the WAN unless you configure a firewall rule to allow it.
• The firewall allows remote management from the LAN.

30.
Figure 177 Menu 21.2 Firewall Setup

    Menu 21.2 - Firewall Setup

    The firewall protects against Denial of Service (DOS) attacks when it is active.
    The default Policy sets
    1. allow all sessions originating from the LAN to the WAN and
    2.
CHAPTER 31 Filter Configuration

This chapter shows you how to create and apply filters.

31.1 About Filtering

Your Prestige uses filters to decide whether or not to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering. Filters are subdivided into device and protocol filters, which are discussed later.

Data filtering screens data to determine if the packet should be allowed to pass.
Figure 179 Filter Rule Process

You can apply up to four filter sets to a particular port to block various types of packets. Because each filter set can have up to six rules, you can have a maximum of 24 rules active for a single port.

For incoming packets, your Prestige applies data filters only. Packets are processed depending on whether a match is found. The following sections describe how to configure filter sets.

31.1.
31.2 Configuring a Filter Set for the Prestige

To configure a filter set, follow the steps shown next.

1 Enter 21 in the main menu to display Menu 21 – Filter and Firewall Setup.
2 Enter 1 to display Menu 21.1 – Filter Set Configuration as shown next.

Figure 180 Menu 21 Filter Set Configuration

    Menu 21.

    Filter Set #
    ------
    1
    2
    3
    4
    5
    6
Figure 182 NetBIOS_LAN Filter Rules Summary

    Menu 21.1.3 - Filter Rules Summary

    # A Type Filter Rules                                                 M m n
    - - ---- ------------------------------------------------------------ - - -
    1 Y IP   Pr=17, SA=0.0.0.0, SP=137, DA=0.0.0.0, DP=53                 N D F
    2 N
    3 N
    4 N
    5 N
    6 N

    Enter Filter Rule Number (1-6) to Configure:

Figure 183 IGMP Filter Rules Summary

    Menu 21.1.
Table 94 Abbreviations Used in the Filter Rules Summary Menu (continued)
FIELD    DESCRIPTION
m        Action Matched. “F” means to forward the packet immediately and skip checking the remaining rules. “D” means to drop the packet. “N” means to check the next rule.
n        Action Not Matched. “F” means to forward the packet immediately and skip checking the remaining rules. “D” means to drop the packet. “N” means to check the next rule.
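The following Python sketch is an added example, not ZyXEL code: it parses rows of the Filter Rules Summary and walks a filter set using the m and n actions described above, which makes it easy to see when a rule with n = F stops later rules from ever being checked. Assumptions: only rows with M = N are handled, a field of 0 is ignored, inactive rules are skipped, and a packet that runs off the end of the set is forwarded. The first rule is the NetBIOS_LAN row from Figure 182; the other rows and all packets are constructed.

```python
import re
from dataclasses import dataclass, field

# One row of the summary: "# A Type Filter Rules M m n"; inactive rows are "# N".
ROW = re.compile(
    r"^\s*(\d+)\s+([YN])"
    r"(?:\s+IP\s+(.+?)\s+([YN])\s+([FDN])\s+([FDN]))?\s*$"
)


@dataclass
class Rule:
    index: int
    active: bool
    fields: dict = field(default_factory=dict)  # e.g. {"Pr": 17, "SP": 137}
    on_match: str = "N"                          # column m
    on_miss: str = "N"                           # column n


def parse_row(line):
    """Turn one summary row into a Rule; only Pr, SP and DP are compared."""
    m = ROW.match(line)
    if m is None:
        raise ValueError(f"not a summary row: {line!r}")
    idx, active, body, more, on_match, on_miss = m.groups()
    if more == "Y":
        raise NotImplementedError("rows with M = Y are not modelled here")
    fields = {}
    for item in (body or "").split(","):
        key, _, value = item.strip().partition("=")
        if key in ("Pr", "SP", "DP"):
            fields[key] = int(value)
    return Rule(int(idx), active == "Y", fields, on_match or "N", on_miss or "N")


def rule_matches(rule, packet):
    """A field of 0 is ignored; every other field must equal the packet's."""
    return all(v == 0 or packet.get(k) == v for k, v in rule.fields.items())


def evaluate(rules, packet, default="F"):
    """Return (action, rule index) for the first rule that decides F or D."""
    for rule in rules:
        if not rule.active:
            continue
        action = rule.on_match if rule_matches(rule, packet) else rule.on_miss
        if action in ("F", "D"):
            return action, rule.index
        # action == "N": check the next rule
    return default, None  # assumption: nothing decided, so forward


NETBIOS_ROW = "1 Y IP Pr=17, SA=0.0.0.0, SP=137, DA=0.0.0.0, DP=53 N D F"

# Figure 182 as shown on the page.
NETBIOS_LAN = [parse_row(r) for r in (NETBIOS_ROW, "2 N", "3 N")]

# Constructed: drop Telnet, otherwise fall through to a rule that drops FTP.
TELNET_THEN_FTP = [parse_row(r) for r in (
    "1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23 N D N",
    "2 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=21 N D F",
)]

# Constructed: rule 1 forwards on a miss, so the Telnet rule is never reached.
TELNET_UNREACHABLE = [parse_row(r) for r in (
    NETBIOS_ROW,
    "2 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23 N D F",
)]

TELNET = {"Pr": 6, "SP": 1025, "DP": 23}   # constructed packets
FTP = {"Pr": 6, "SP": 1026, "DP": 21}
HTTP = {"Pr": 6, "SP": 1027, "DP": 80}

if __name__ == "__main__":
    print(evaluate(TELNET_THEN_FTP, TELNET))
    print(evaluate(TELNET_UNREACHABLE, TELNET))
```

When a set is meant to chain several blocking rules, every rule except the last needs n = N; the TELNET_UNREACHABLE set shows the Telnet packet being forwarded by rule 1 before rule 2 is consulted.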
31.4.1 TCP/IP Filter Rule

This section shows you how to configure a TCP/IP filter rule. TCP/IP rules allow you to base the rule on the fields in the IP and the upper layer protocol, for example, UDP and TCP headers.

To configure TCP/IP rules, select TCP/IP Filter Rule from the Filter Type field and press [ENTER] to open Menu 21.1.x.1 – TCP/IP Filter Rule, as shown next.

Figure 184 Menu 21.1.x.1 TCP/IP Filter Rule

    Menu 21.1.1.
Table 96 Menu 21.1.x.1 TCP/IP Filter Rule (continued)
FIELD              DESCRIPTION
Port #             Type the destination port of the packets you want to filter. The field range is 0 to 65535. A 0 field is ignored.
Port # Comp        Select the comparison to apply to the destination port in the packet against the value given in Destination: Port #. Choices are None, Less, Greater, Equal or Not Equal.
Source: IP Addr    Type the source IP Address of the packet you want to filter. A 0.0.0.
Figure 185 Executing an IP Filter

31.4.2 Generic Filter Rule

This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly.

For generic rules, the Prestige treats a packet as a byte stream as opposed to an IP packet. You specify the portion of the packet to check with the Offset (from 0) and the Length fields, both in bytes.
To configure a generic rule select an empty filter set in menu 21, for example 5. Select Generic Filter Rule in the Filter Type field and press [ENTER] to open Menu 21.1.5.1 – Generic Filter Rule, as shown in the following figure.

Figure 186 Menu 21.1.5.1 Generic Filter Rule

    Menu 21.1.5.
Table 97 Menu 21.1.5.1 Generic Filter Rule (continued)
FIELD                 DESCRIPTION
Action Not Matched    Select the action for a packet not matching the rule. Choices are Check Next Rule, Forward or Drop.

When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm or ESC to Cancel:” to save your configuration, or press [ESC] at any time to cancel.

31.
Figure 188 Sample Telnet Filter

1 Enter 1 in the menu 21 to display Menu 21.1 — Filter Set Configuration.
2 Enter the index number of the filter set you want to configure (in this case 6).
3 Type a descriptive name or comment in the Edit Comments field (for example, TELNET_WAN) and press [ENTER].
4 Press [ENTER] at the message “Press [ENTER] to confirm or [ESC] to cancel ...” to open Menu 21.1.6 — Filter Rules Summary.
5 Type 1 to configure the first filter rule.
2 Go to the Edit Filter Sets field, press [SPACE BAR] to choose Yes and press [ENTER]. This brings you to menu 11.5. Apply the example filter set (for example, filter set 3) in this menu as shown in the next section.

This shows you that you have configured and activated (A = Y) a TCP/IP filter rule (Type = IP, Pr = 6) for destination telnet ports (DP = 23). M = N means an action can be taken immediately.
31.7.1 Ethernet Traffic

You seldom need to filter Ethernet traffic; however, the filter sets may be useful to block certain packets, reduce traffic and prevent security breaches. Go to menu 3.1 (shown next) and type the number(s) of the filter set(s) that you want to apply as appropriate. You can choose up to four filter sets (from twelve) by typing their numbers separated by commas, for example, 3, 4, 6, 11.
CHAPTER 32 SNMP Configuration

This chapter explains SNMP Configuration menu 22.

32.1 About SNMP

Simple Network Management Protocol (SNMP) is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your Prestige supports SNMP agent functionality, which allows a manager station to manage and monitor the Prestige through the network.
The managed devices contain object variables/managed objects that define each piece of information to be collected about a device. Examples of variables include the number of packets received, node port status etc. A Management Information Base (MIB) is a collection of managed objects. SNMP allows a manager and agents to communicate for the purpose of accessing these objects.

SNMP itself is a simple request/response protocol based on the manager/agent model.
Figure 194 Menu 22 SNMP Configuration

    Menu 22 - SNMP Configuration

    SNMP:
      Get Community= public
      Set Community= public
      Trusted Host= 0.0.0.0
      Trap:
        Community= public
        Destination= 0.0.0.0

    Press ENTER to Confirm or ESC to Cancel:

The following table describes the SNMP configuration parameters.
Table 100 SNMP Traps (continued)
TRAP #    TRAP NAME                                         DESCRIPTION
5         authenticationFailure (defined in RFC-1215)       A trap is sent to the manager when the Prestige receives an SNMP get or set request with the wrong community (password).
6         whyReboot (defined in ZYXEL-MIB)                  A trap is sent with the reason for the restart before rebooting when the system is going to restart (warm start).
CHAPTER 33 System Security

This chapter describes how to configure the system security on the Prestige.

33.1 System Security

You can configure the system password.

33.1.1 System Password

Enter 23 in the main menu to display Menu 23 – System Security. You should change the default password. If you forget your password you have to restore the default configuration file. Refer to Section 20.3 on page 225 and Section 2.1.2 on page 53 for information.
Figure 196 Menu 23.2 System Security: RADIUS Server

    Menu 23.2 - System Security - RADIUS Server

    Authentication Server:
      Active= No
      Server Address= 10.11.12.13
      Port #= 1812
      Shared Secret= ********
    Accounting Server:
      Active= No
      Server Address= 10.11.12.13
      Port #= 1813
      Shared Secret= ********

    Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields in this menu.

Table 102 Menu 23.
33.1.3 IEEE802.1x

The IEEE802.1x standards outline enhanced security methods for both the authentication of wireless stations and encryption key management. Follow the steps below to enable EAP authentication on your Prestige.

1 From the main menu, enter 23 to display Menu 23 – System Security.

Figure 197 Menu 23 System Security

    Menu 23 - System Security

    1. Change Password
    2. RADIUS Server
    4. IEEE802.1x

    Enter Menu Selection Number:

2 Enter 4 to display Menu 23.
Table 103 Menu 23.4 System Security : IEEE802.1x
FIELD                    DESCRIPTION
Wireless Port Control    Press [SPACE BAR] and select a security mode for the wireless LAN access. Select No Authentication Required to allow any wireless stations access to your wired network without entering usernames and passwords. This is the default setting. Selecting Authentication Required means wireless stations have to enter usernames and passwords before access to the wired network is allowed.
Table 103 Menu 23.4 System Security : IEEE802.1x (continued)
FIELD                       DESCRIPTION
Authentication Databases    The authentication database contains wireless station login information. The local user database is the built-in database on the Prestige. The RADIUS is an external server. Use this field to decide which database the Prestige should use (first) to authenticate a wireless station.
Figure 199 Menu 14 Dial-in User Setup

    Menu 14 - Dial-in User Setup

    1. ________    9. ________    17. ________    25.
    2. ________    10. ________   18. ________    26.
    3. ________    11. ________   19. ________    27.
    4. ________    12. ________   20. ________    28.
    5. ________    13. ________   21. ________    29.
    6. ________    14. ________   22. ________    30.
    7. ________    15. ________   23. ________    31.
    8. ________    16. ________   24. ________    32.
CHAPTER 34 System Information and Diagnosis

This chapter covers the information and diagnostic tools in SMT menus 24.1 to 24.4.

34.1 Overview

These tools include updates on system status, port status, log and trace capabilities and upgrades for the system software. This chapter describes how to use these tools in detail.

Type 24 in the main menu to open Menu 24 – System Maintenance, as shown in the following figure.
The following table describes the fields present in Menu 24.1 — System Maintenance — Status which are read-only and meant for diagnostic purposes.

Figure 202 Menu 24.1 System Maintenance : Status

    Menu 24.1 - System Maintenance - Status             03:53:21 Sat. Jan.

    Node-Lnk   Status   TxPkts   RxPkts   Errors
    1-ENET     N/A      0        0        0
    2          N/A      0        0        0
    3          N/A      0        0        0
    4          N/A      0        0        0
    5          N/A      0        0        0
    6          N/A      0        0        0
    7          N/A      0        0        0
    8          N/A      0        0        0
Table 105 Menu 24.1 System Maintenance : Status (continued)
FIELD               DESCRIPTION
WAN                 This shows statistics for the WAN.
Line Status         This shows the current status of the xDSL line, which can be Up or Down.
Upstream Speed      This shows the upstream transfer rate in kbps.
Downstream Speed    This shows the downstream transfer rate in kbps.
CPU Load            This specifies the percentage of CPU utilization.

34.
Figure 204 Menu 24.2.1 System Maintenance: Information

    Menu 24.2.1 - System Maintenance - Information

    Name: P660HW
    Routing: IP
    ZyNOS F/W Version: V3.40(PE.8) | 12/23/2004
    ADSL Chipset Vendor: TI AR7 03.00.09.00
    Standard: Multi-Mode

    LAN
      Ethernet Address: 00:a0:c5:99:96:23
      IP Address: 192.168.1.1
      IP Mask: 255.255.255.0
      DHCP: Server

    Press ESC or RETURN to Exit:

The following table describes the fields in this menu.

Table 106 Menu 24.2.
Figure 205 Menu 24.2.2 System Maintenance : Change Console Port Speed

    Menu 24.2.2 – System Maintenance – Change Console Port Speed

    Console Port Speed: 9600

    Press ENTER to Confirm or ESC to Cancel:

Once you change the Prestige console port speed, you must also set the speed parameter for the communication software you are using to connect to the Prestige.

34.4 Log and Trace

There are two logging facilities in the Prestige.
Figure 207 Sample Error and Information Messages

    53 Sat Jan 01 00:00:03 2000 PP01 -WARN SNMP TRAP 0: cold
    54 Sat Jan 01 00:00:03 2000 PP01 INFO
    55 Sat Jan 01 00:00:03 2000 PP01 INFO
    56 Sat Jan 01 00:00:03 2000 PP20 INFO
    57 Sat Jan 01 00:00:03 2000 PP21 INFO
    58 Sat Jan 01 00:03:06 2000 PP19 INFO
    59 Sat Jan 01 00:03:06 2000 PP01 INFO
    60 Sat Jan 01 00:23:21 2000 PP01 INFO
    62 Sat Jan 01 00:23:38 2000 PP19 INFO
    63 Sat Jan 01 00:23:38 2000 PP01 INFO
    Clear Error Log (y/n):
Figure 209 Syslog Example

1 - CDR

    SdcmdSyslogSend ( SYSLOG_CDR, SYSLOG_INFO, String);
    String = board xx line xx channel xx, call xx, str
    board = the hardware board ID
    line = the WAN ID in a board
    Channel = channel ID within the WAN
    call = the call reference number which starts from 1 and increments by 1 for each new call
    str = C01 Outgoing Call dev xx ch xx (dev:device No. ch:channel No.
Figure 209 Syslog Example (continued)

    prot: Protocol (“TCP”, “UDP”, “ICMP”)
    spo: Source port
    dpo: Destination port

    Jul 19 14:43:55 192.168.102.2 ZYXEL: IP [Src=202.132.154.123 Dst=255.255.255.255 UDP spo=0208 dpo=0208]} S03>R01mF
    Jul 19 14:44:00 192.168.102.2 ZYXEL: IP [Src=192.168.102.20 Dst=202.132.154.1 UDP spo=05d4 dpo=0035]} S03>R01mF
    Jul 19 14:44:04 192.168.102.2 ZYXEL: IP [Src=192.168.102.20 Dst=202.132.154.
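The packet lines in Figure 209 can be parsed for review on the syslog server. The following is an added example, not code from the guide or from ZyXEL. It assumes the four-digit spo/dpo values are hexadecimal, which matches the samples (0035 is 53, DNS; 0208 is 520, RIP), and it keeps the trailing token such as S03>R01mF verbatim because its meaning is not given in the lines above. The names PacketEvent, parse_line and summarize are hypothetical.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# The two complete lines and the cut-off third line from Figure 209.
FIGURE_209_LINES = [
    "Jul 19 14:43:55 192.168.102.2 ZYXEL: IP [Src=202.132.154.123 "
    "Dst=255.255.255.255 UDP spo=0208 dpo=0208]} S03>R01mF",
    "Jul 19 14:44:00 192.168.102.2 ZYXEL: IP [Src=192.168.102.20 "
    "Dst=202.132.154.1 UDP spo=05d4 dpo=0035]} S03>R01mF",
    "Jul 19 14:44:04 192.168.102.2 ZYXEL: IP [Src=192.168.102.20 Dst=202.132.154.",
]

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<device>\S+) ZYXEL: IP "
    r"\[Src=(?P<src>\S+) Dst=(?P<dst>\S+) (?P<prot>TCP|UDP|ICMP)"
    r"(?: spo=(?P<spo>[0-9a-fA-F]{4}) dpo=(?P<dpo>[0-9a-fA-F]{4}))?"
    r"\]\}?\s*(?P<tag>\S*)$"
)

BROADCAST = ipaddress.IPv4Address("255.255.255.255")


@dataclass(frozen=True)
class PacketEvent:
    timestamp: str                 # syslog timestamp, no year in this format
    device: str                    # address of the gateway that sent the line
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    protocol: str
    src_port: Optional[int]        # None when the line carries no ports
    dst_port: Optional[int]
    tag: str                       # trailing token, kept verbatim


def parse_line(line: str) -> Optional[PacketEvent]:
    """Return a PacketEvent, or None for a line that does not fit the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    try:
        src = ipaddress.IPv4Address(m["src"])
        dst = ipaddress.IPv4Address(m["dst"])
    except ipaddress.AddressValueError:
        return None
    # Assumption: spo/dpo are four hex digits (0035 -> 53, 0208 -> 520).
    src_port = int(m["spo"], 16) if m["spo"] else None
    dst_port = int(m["dpo"], 16) if m["dpo"] else None
    return PacketEvent(m["ts"], m["device"], src, dst, m["prot"],
                       src_port, dst_port, m["tag"])


def summarize(lines: Iterable[str]) -> dict:
    """Parse every line; count rejects instead of silently dropping them."""
    events, rejected = [], 0
    for line in lines:
        event = parse_line(line)
        if event is None:
            rejected += 1
        else:
            events.append(event)
    return {
        "events": events,
        "rejected": rejected,
        "by_service": Counter((e.protocol, e.dst_port) for e in events),
        "broadcast": [e for e in events if e.dst == BROADCAST],
    }


if __name__ == "__main__":
    report = summarize(FIGURE_209_LINES)
    for (prot, port), count in sorted(report["by_service"].items()):
        print(prot, port, count)
    print("rejected lines:", report["rejected"])
```

A non-zero rejected count is worth alerting on by itself, since truncated or malformed lines otherwise disappear from any per-service totals.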
The following table describes the diagnostic tests available in menu 24.4 for and the connections.

Table 108 Menu 24.4 System Maintenance Menu: Diagnostic

FIELD            DESCRIPTION
Reset xDSL       Re-initialize the xDSL link to the telephone company.
Ping Host        Ping the host to see if the links and TCP/IP protocol on both systems are working.
Reboot System    Reboot the Prestige.
Command Mode     Type the mode to test and diagnose your Prestige using specified commands.
CHAPTER 35
Firmware and Configuration File Maintenance

This chapter tells you how to back up and restore your configuration file as well as upload new firmware and configuration files.

35.1 Filename Conventions

The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password, DHCP Setup, TCP/IP Setup, etc. It arrives from ZyXEL with a “rom” filename extension.
The following table is a summary. Please note that the internal filename refers to the filename on the Prestige and the external filename refers to the filename not on the Prestige, that is, on your computer, local network or FTP site and so the name (but not the extension) may vary. After uploading new firmware, see the ZyNOS F/W Version field in Menu 24.2.1 – System Maintenance – Information to confirm that you have uploaded the correct firmware version.
Figure 211 Telnet in Menu 24.5

    Menu 24.5 - System Maintenance - Backup Configuration

    To transfer the configuration file to your workstation, follow the procedure below:

    1. Launch the FTP client on your workstation.
    2. Type "open" and the IP address of your Prestige. Then type "root" and SMT password as requested.
    3. Locate the 'rom-0' file.
    4. Type 'get rom-0' to back up the current Prestige configuration to your workstation.
Figure 212 FTP Session Example

    331 Enter PASS command
    Password:
    230 Logged in
    ftp> bin
    200 Type I OK
    ftp> get rom-0 zyxel.rom
    200 Port command okay
    150 Opening data connection for STOR ras
    226 File received OK
    ftp: 16384 bytes sent in 1.10Seconds 297.89Kbytes/sec.
    ftp> quit

35.2.4 GUI-based FTP Clients

The following table describes some of the commands that you may see in GUI-based FTP clients.
35.2.6 Backup Configuration Using TFTP

The Prestige supports the up/downloading of the firmware and the configuration file using TFTP (Trivial File Transfer Protocol) over LAN. Although TFTP should work over WAN as well, it is not recommended.

To use TFTP, your computer must have both telnet and TFTP clients. To back up the configuration file, follow the procedure shown next.

1 Use telnet from your computer to connect to the Prestige and log in.
Table 111 General Commands for GUI-based TFTP Clients

COMMAND       DESCRIPTION
Host          Enter the IP address of the Prestige. 192.168.1.1 is the Prestige’s default IP address when shipped.
Send/Fetch    Use “Send” to upload the file to the Prestige and “Fetch” to back up the file on your computer.
Local File    Enter the path and name of the firmware file (*.bin extension) or configuration file (*.rom extension) on your computer.
Figure 213 Telnet into Menu 24.6

    Menu 24.6 -- System Maintenance - Restore Configuration

    To transfer the firmware and configuration file to your workstation, follow the procedure below:

    1. Launch the FTP client on your workstation.
    2. Type "open" and the IP address of your Prestige. Then type "root" and SMT password as requested.
    3.
35.4 Uploading Firmware and Configuration Files

This section shows you how to upload firmware and configuration files. You can upload configuration files by following the procedure in Section 35.2 on page 321 or by following the instructions in Menu 24.7.2 – System Maintenance – Upload System Configuration File.

Note: Do not interrupt the file transfer process as this may PERMANENTLY DAMAGE YOUR Prestige.

35.4.
Figure 216 Telnet Into Menu 24.7.2 System Maintenance

    Menu 24.7.2 - System Maintenance - Upload System Configuration File

    To upload the system configuration file, follow the procedure below:

    1. Launch the FTP client on your workstation.
    2. Type "open" and the IP address of your system. Then type "root" and SMT password as requested.
    3.
35.4.4 FTP Session Example of Firmware File Upload

Figure 217 FTP Session Example of Firmware File Upload

    331 Enter PASS command
    Password:
    230 Logged in
    ftp> bin
    200 Type I OK
    ftp> put firmware.bin ras
    200 Port command okay
    150 Opening data connection for STOR ras
    226 File received OK
    ftp: 1103936 bytes sent in 1.10Seconds 297.89Kbytes/sec.
    ftp> quit

More commands (found in GUI-based FTP clients) are listed earlier in this chapter. Refer to Section 35.2.
35.4.6 TFTP Upload Command Example

The following is an example TFTP command:

    tftp [-i] host put firmware.bin ras

where “i” specifies binary image transfer mode (use this mode when transferring binary files), “host” is the Prestige’s IP address and “put” transfers the file source on the computer (firmware.bin – name of the firmware on the computer) to the file destination on the remote host (ras - name of the firmware on the Prestige).
CHAPTER 36
System Maintenance

This chapter leads you through SMT menus 24.8 to 24.10.

36.1 Command Interpreter Mode

The Command Interpreter (CI) is a part of the main system firmware. The CI provides much of the same functionality as the SMT, while adding some low-level setup and diagnostic functions. Enter the CI from the SMT by selecting menu 24.8. See the included disk or the zyxel.com web site for more detailed information on CI commands.
36.2 Call Control Support

Call Control Support is only applicable when Encapsulation is set to PPPoE in menu 4 or menu 11.1.

The budget management function allows you to set a limit on the total outgoing call time of the Prestige within certain times. When the total outgoing call time exceeds the limit, the current call will be dropped and any future outgoing calls will be blocked.

To access the call control menu, select option 9 in menu 24 to go to Menu 24.
The total budget is the time limit on the accumulated time for outgoing calls to a remote node. When this limit is reached, the call will be dropped and further outgoing calls to that remote node will be blocked. After each period, the total budget is reset. The default for the total budget is 0 minutes and the period is 0 hours, meaning no budget control. You can reset the accumulated connection time in this menu by entering the index of a remote node.
Figure 223 Menu 24.10 System Maintenance: Time and Date Setting

    Menu 24.10 - System Maintenance - Time and Date Setting

    Use Time Server when Bootup= None
    Time Server Address= N/A
    Current Time:             00 : 51 : 24
    New Time (hh:mm:ss):      00 : 51 : 19
    Current Date:             2000 - 01 - 01
    New Date (yyyy-mm-dd):    2000 - 01 - 01
    Time Zone= GMT
    Daylight Saving= No
    Start Date (mm-dd):       01 - 00
    End Date (mm-dd):         01 - 00

    Press ENTER to Confirm or ESC to Cancel:

Table 113 Menu 24.
• 24-hour intervals after starting.
CHAPTER 37
Remote Management

This chapter covers remote management (SMT menu 24.11).

37.1 Remote Management Overview

Remote management allows you to determine which services/protocols can access which Prestige interface (if any) from which computers.

When you configure remote management to allow management from the WAN, you still need to configure a firewall rule to allow access. See the firewall chapters for details on configuring firewall rules.

37.
Figure 224 Menu 24.11 Remote Management Control

    Menu 24.11 - Remote Management Control

    TELNET Server:  Server Port = 23              Server Access = LAN only
                    Secured Client IP = 0.0.0.0
    FTP Server:     Server Port = 21              Server Access = LAN only
                    Secured Client IP = 0.0.0.0
    Web Server:     Server Port = 80              Server Access = LAN only
                    Secured Client IP = 0.0.0.0

    Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields in this menu.

Table 114 Menu 24.
37.3 Remote Management and NAT

When NAT is enabled:
• Use the Prestige’s WAN IP address when configuring from the WAN.
• Use the Prestige’s LAN IP address when configuring from the LAN.

37.4 System Timeout

There is a default system management idle timeout of five minutes (three hundred seconds). The Prestige automatically logs you out if the management session remains idle for longer than this timeout period.
CHAPTER 38
IP Policy Routing

This chapter covers setting and applying policies used for IP routing.

38.1 IP Policy Routing Overview

Traditionally, routing is based on the destination address only and the IAD takes the shortest path to forward a packet. IP Routing Policy (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator.
• routing the packet to a different gateway (and hence the outgoing interface).
• setting the TOS and precedence fields in the IP header.

IPPR follows the existing packet filtering facility of RAS in style and in implementation. The policies are divided into sets, where related policies are grouped together. A user defines the policies before applying them to an interface or a remote node, in the same fashion as the filters.
Figure 226 Menu 25.1 IP Routing Policy Setup

    Menu 25.1 - IP Routing Policy Setup

    #  A  Criteria/Action
    -  -  ----------------------------------------------------------------------
    1  Y  SA=1.1.1.1-1.1.1.1,DA=2.2.2.2-2.2.2.5
          SP=20-25,DP=20-25,P=6,T=NM,PR=0
          |GW=192.168.1.
Figure 227 Menu 25.1.1 IP Routing Policy

    Menu 25.1.1 - IP Routing Policy

    Policy Set Name= test
    Active= No
    Criteria:
      IP Protocol = 0
      Type of Service= Don't Care
      Precedence = Don't Care
      Source:
        addr start= 0.0.0.0
        port start= N/A
      Destination:
        addr start= 0.0.0.0
        port start= N/A
    Action= Matched
      Gateway addr = 0.0.0.
Table 116 Menu 25.1.1 IP Routing Policy (continued)

FIELD              DESCRIPTION
Gateway addr       Defines the outgoing gateway address. The gateway must be on the same subnet as the Prestige if it is on the LAN, otherwise, the gateway must be the IP address of a remote node. The default gateway is specified as 0.0.0.0.
Type of Service    Set the new TOS value of the outgoing packet.
Figure 228 Menu 3.2 TCP/IP and DHCP Ethernet Setup

    Menu 3.2 - TCP/IP and DHCP Setup

    DHCP Setup
      DHCP= Server
      Client IP Pool Starting Address= 192.168.1.33
      Size of Client IP Pool= 32
      Primary DNS Server= 0.0.0.0
      Secondary DNS Server= 0.0.0.0
      Remote DHCP Server= N/A
    TCP/IP Setup:
      IP Address= 192.168.1.1
      IP Subnet Mask= 255.255.255.0
      RIP Direction= Both
        Version= RIP-1
      Multicast= None
      IP Policies=
      Edit IP Alias= No

    Press ENTER to Confirm or ESC to Cancel:

Go to menu 11.
Route 1 represents the default IP route and route 2 represents the configured IP route.

Figure 230 Example of IP Policy Routing

To force packets coming from clients with IP addresses of 192.168.1.33 to 192.168.1.64 to be routed to the Internet via the WAN port of the Prestige, follow the steps as shown next.

1 Create a routing policy set in menu 25.
2 Create a rule for this set in Menu 25.1.1 — IP Routing Policy as shown next.
Figure 231 IP Routing Policy Example

    Menu 25.1.1 - IP Routing Policy

    Policy Set Name= set1
    Active= Yes
    Criteria:
      IP Protocol = 6
      Type of Service= Don't Care
      Precedence = Don't Care
      Source:
        addr start= 192.168.1.2
        port start= 0
      Destination:
        addr start= 0.0.0.0
        port start= 80
    Action= Matched
      Gateway addr = 192.168.1.1
      Type of Service= No Change
      Precedence = No Change
    Packet length= 10 Len Comp= N/A end= end= end= end= Log= 192.168.1.
Figure 232 IP Routing Policy Example

    Menu 25.1.1 - IP Routing Policy

    Policy Set Name= set2
    Active= Yes
    Criteria:
      IP Protocol = 6
      Type of Service= Don't Care
      Precedence = Don't Care
      Source:
        addr start= 0.0.0.0
        port start= 0
      Destination:
        addr start= 0.0.0.0
        port start= 20
    Action= Matched
      Gateway addr =192.168.1.
CHAPTER 39
Call Scheduling

Call scheduling (applicable for PPPoA or PPPoE encapsulation only) allows you to dictate when a remote node should be called and for how long.

39.1 Introduction

The call scheduling feature allows the Prestige to manage a remote node and dictate when a remote node should be called and for how long. This feature is similar to the scheduler in a videocassette recorder (you can specify a time period for the VCR to record).
To set up a schedule set, select the schedule set you want to set up from menu 26 (1-12) and press [ENTER] to see Menu 26.1 — Schedule Set Setup as shown next.

Figure 235 Menu 26.1 Schedule Set Setup

    Menu 26.
Table 117 Menu 26.1 Schedule Set Setup (continued)

FIELD     DESCRIPTION
Action    Forced On means that the connection is maintained whether or not there is a demand call on the line and will persist for the time period specified in the Duration field.
          Forced Down means that the connection is blocked whether or not there is a demand call on the line.
          Enable Dial-On-Demand means that this schedule permits a demand call on the line.
CHAPTER 40
Internal SPTGEN

40.1 Internal SPTGEN Overview

Internal SPTGEN (System Parameter Table Generator) is a configuration text file useful for efficient configuration of multiple Prestiges. Internal SPTGEN lets you configure, save and upload multiple menus at the same time using just one configuration text file – eliminating the need to navigate and configure individual SMT menus for each Prestige.

40.
40.2.1 Internal SPTGEN File Modification - Important Points to Remember

Each parameter you enter must be preceded by one “=” sign and one space.

Some parameters are dependent on others. For example, if you disable the Configured field in menu 1 (see Figure 237 on page 356), then you disable every field in this menu.
Figure 240 Internal SPTGEN FTP Download Example

    c:\ftp 192.168.1.1
    220 PPP FTP version 1.0 ready at Sat Jan 1 03:22:12 2000
    User (192.168.1.1:(none)):
    331 Enter PASS command
    Password:
    230 Logged in
    ftp>bin
    200 Type I OK
    ftp> get rom-t
    ftp>bye
    c:\edit rom-t
    (edit the rom-t text file by a text editor and save it)

Note: You can rename your “rom-t” file when you save it to your computer but it must be named “rom-t” when you upload it to your Prestige.

40.
CHAPTER 41
Troubleshooting

This chapter covers potential problems and the corresponding remedies.

41.1 Problems Starting Up the Prestige

Table 118 Troubleshooting the Start-Up of Your Prestige

PROBLEM: None of the LEDs turn on when I turn on the Prestige.
CORRECTIVE ACTION:
  Make sure that the Prestige’s power adaptor is connected to the Prestige and plugged in to an appropriate power source.
  Check that the Prestige and the power source are both turned on.
41.3 Problems with the DSL LED

Table 120 Troubleshooting the DSL LED

PROBLEM: The DSL LED is off.
CORRECTIVE ACTION:
  Check the telephone wire and connections between the Prestige DSL port and the wall jack.
  Make sure that the telephone company has checked your phone line and set it up for DSL service.
  Reset your ADSL line to reinitialize your link to the DSLAM. For details, refer to Chapter 19 on page 210 (web configurator) or Chapter 34 on page 310 (SMT).

41.
41.6 Problems with Internet Access

Table 123 Troubleshooting Internet Access

PROBLEM: I cannot access the Internet.
CORRECTIVE ACTION:
  Make sure the Prestige is turned on and connected to the network.
  If the DSL LED is off, refer to Section 41.3 on page 361.
  Verify your WAN settings. Refer to the chapter on WAN setup (web configurator) or the section on Internet Access (SMT).
  Make sure you entered the correct user name and password.
41.8 Problems with the Web Configurator

Table 125 Troubleshooting the Web Configurator

PROBLEM: I cannot access the web configurator.
CORRECTIVE ACTION:
  Refer to the Quick Start Guide for hardware connections.
  Make sure that there is not an SMT console session running.
  Check that you have enabled web service access. If you have configured a secured client IP address, your computer’s IP address must match it. Refer to the chapter on remote management for details.
APPENDIX A
Splitters and Microfilters

This appendix tells you how to install a POTS splitter or a telephone microfilter.

Connecting a POTS Splitter

When you use the Full Rate (G.dmt) ADSL standard, you can use a POTS (Plain Old Telephone Service) splitter to separate the telephone and ADSL signals. This allows simultaneous Internet access and telephone service on the same line. A splitter also eliminates the destructive interference conditions caused by telephone sets.
Telephone Microfilters

Telephone voice transmissions take place in the lower frequency range, 0 - 4KHz, while ADSL transmissions take place in the higher bandwidth range, above 4KHz. A microfilter acts as a low-pass filter, for your telephone, to ensure that ADSL transmissions do not interfere with your telephone voice transmissions. The use of a telephone microfilter is optional.

1 Connect a phone cable from the wall jack to the single jack end of the Y-Connector.
Figure 244 Prestige with ISDN Splitters and Microfilters
APPENDIX B
Setting up Your Computer’s IP Address

All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed.

Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer. Windows 3.1 requires the purchase of a third-party TCP/IP application package.
Figure 245 Windows 95/98/Me: Network: Configuration

Installing Components

The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks.

If you need the adapter:
1 In the Network window, click Add.
2 Select Adapter and then click Add.
3 Select the manufacturer and model of your network adapter and then click OK.

If you need TCP/IP:
1 In the Network window, click Add.
3 Select Microsoft from the list of manufacturers.
4 Select Client for Microsoft Networks from the list of network clients and then click OK.
5 Restart your computer so the changes you made take effect.

Configuring

1 In the Network window Configuration tab, select your network adapter's TCP/IP entry and click Properties.
2 Click the IP Address tab.
• If your IP address is dynamic, select Obtain an IP address automatically.
Figure 247 Windows 95/98/Me: TCP/IP Properties: DNS Configuration

4 Click the Gateway tab.
• If you do not know your gateway’s IP address, remove previously installed gateways.
• If you have a gateway IP address, type it in the New gateway field and click Add.
5 Click OK to save and close the TCP/IP Properties window.
6 Click OK to close the Network window. Insert the Windows CD if prompted.
7 Turn on your Prestige and restart your computer when prompted.
Figure 248 Windows XP: Start Menu

2 For Windows XP, click Network Connections. For Windows 2000/NT, click Network and Dial-up Connections.

Figure 249 Windows XP: Control Panel

3 Right-click Local Area Connection and then click Properties.
Figure 250 Windows XP: Control Panel: Network Connections: Properties

4 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and click Properties.

Figure 251 Windows XP: Local Area Connection Properties

5 The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP).
• If you have a dynamic IP address click Obtain an IP address automatically.
• If you have a static IP address click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields. Click Advanced.

Figure 252 Windows XP: Advanced TCP/IP Settings

6 If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK.
• Click Obtain DNS server address automatically if you do not know your DNS server IP address(es).
• If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields. If you have previously configured DNS servers, click Advanced and then the DNS tab to order them.
Figure 254 Macintosh OS 8/9: Apple Menu

2 Select Ethernet built-in from the Connect via list.

Figure 255 Macintosh OS 8/9: TCP/IP

3 For dynamically assigned settings, select Using DHCP Server from the Configure: list.
4 For statically assigned settings, do the following:
• From the Configure box, select Manually.
• Type your IP address in the IP Address box.
• Type your subnet mask in the Subnet mask box.
• Type the IP address of your Prestige in the Router address box.
5 Close the TCP/IP Control Panel.
6 Click Save if prompted, to save changes to your configuration.
7 Turn on your Prestige and restart your computer (if prompted).
Figure 257 Macintosh OS X: Network

4 For statically assigned settings, do the following:
• From the Configure box, select Manually.
• Type your IP address in the IP Address box.
• Type your subnet mask in the Subnet mask box.
• Type the IP address of your Prestige in the Router address box.
5 Click Apply Now and close the window.
6 Turn on your Prestige and restart your computer (if prompted).

Verifying Settings

Check your TCP/IP properties in the Network window.
APPENDIX C
IP Subnetting

IP Addressing

Routers “route” based on the network number. The router that delivers the data packet to the correct destination host uses the host ID.

IP Classes

An IP address is made up of four octets (eight bits), written in dotted decimal notation, for example, 192.168.1.1. IP addresses are categorized into different classes. The class of an address depends on the value of its first octet.

• Class “A” addresses have a 0 in the left most bit.
Since the first octet of a class “A” IP address must contain a “0”, the first octet of a class “A” address can have a value of 0 to 127. Similarly the first octet of a class “B” must begin with “10”, therefore the first octet of a class “B” address has a valid range of 128 to 191. The first octet of a class “C” address begins with “110”, and therefore has a range of 192 to 223.
Since the mask is always a continuous number of ones beginning from the left, followed by a continuous number of zeros for the remainder of the 32 bit mask, you can simply specify the number of ones instead of writing the value of each octet. This is usually specified by writing a “/” followed by the number of bits in the mask after the address. For example, 192.1.1.0 /25 is equivalent to saying 192.1.1.0 with mask 255.255.255.128.
Note: In the following charts, shaded/bolded last octet bit values indicate host ID bits “borrowed” to form network ID bits. The number of “borrowed” host ID bits determines the number of subnets you can have. The remaining number of host ID bits (after “borrowing”) determines the number of hosts you can have on each subnet.

Table 132 Subnet 1

                       NETWORK NUMBER                 LAST OCTET BIT VALUE
IP Address             192.168.1.                     0
IP Address (Binary)    11000000.10101000.00000001.
Example: Four Subnets

The above example illustrated using a 25-bit subnet mask to divide a class “C” address space into two subnets. Similarly to divide a class “C” address into four subnets, you need to “borrow” two host ID bits to give four possible combinations of 00, 01, 10 and 11. The subnet mask is 26 bits (11111111.11111111.11111111.11000000) or 255.255.255.192.
Table 137 Subnet 4

                        NETWORK NUMBER                 LAST OCTET BIT VALUE
IP Address              192.168.1.                     192
IP Address (Binary)     11000000.10101000.00000001.    11000000
Subnet Mask (Binary)    11111111.11111111.11111111.    11000000

Subnet Address: 192.168.1.192        Lowest Host ID: 192.168.1.193
Broadcast Address: 192.168.1.255     Highest Host ID: 192.168.1.254

Example: Eight Subnets

Similarly use a 27-bit mask to create 8 subnets (001, 010, 011, 100, 101, 110).
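The subnet charts above can be generated for any number of borrowed host ID bits. The following is an added example, not part of the guide; the function names plan_subnets and classify are hypothetical. It goes slightly beyond the charts by also reporting whether a given address is a usable host, a subnet address or a broadcast address, which is the check to run before assigning an address or an address range.

```python
import ipaddress


def plan_subnets(network: str, borrowed_bits: int) -> list:
    """Split `network` by borrowing `borrowed_bits` host ID bits.

    Returns one dict per subnet with the same fields as the subnet charts:
    subnet address, lowest host ID, highest host ID and broadcast address.
    """
    net = ipaddress.IPv4Network(network, strict=True)
    new_prefix = net.prefixlen + borrowed_bits
    if borrowed_bits < 1 or new_prefix > 30:
        raise ValueError("borrow at least 1 bit and leave at least 2 host ID bits")
    host_bits = 32 - new_prefix
    mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF
    base = int(net.network_address)
    rows = []
    for index in range(2 ** borrowed_bits):
        subnet = base | (index << host_bits)          # borrowed bits select the subnet
        broadcast = subnet | (2 ** host_bits - 1)     # all remaining host ID bits set
        rows.append({
            "borrowed_pattern": format(index, "0{}b".format(borrowed_bits)),
            "prefix": new_prefix,
            "subnet_mask": str(ipaddress.IPv4Address(mask)),
            "subnet_address": str(ipaddress.IPv4Address(subnet)),
            "lowest_host": str(ipaddress.IPv4Address(subnet + 1)),
            "highest_host": str(ipaddress.IPv4Address(broadcast - 1)),
            "broadcast_address": str(ipaddress.IPv4Address(broadcast)),
            "hosts": 2 ** host_bits - 2,
        })
    return rows


def classify(rows: list, address: str) -> tuple:
    """Return (borrowed bit pattern, role) for `address` within the plan."""
    value = int(ipaddress.IPv4Address(address))
    for row in rows:
        low = int(ipaddress.IPv4Address(row["subnet_address"]))
        high = int(ipaddress.IPv4Address(row["broadcast_address"]))
        if low <= value <= high:
            if value == low:
                role = "subnet address"
            elif value == high:
                role = "broadcast address"
            else:
                role = "host"
            return row["borrowed_pattern"], role
    raise ValueError("address is outside the subnetted network")


if __name__ == "__main__":
    # Four subnets of 192.168.1.0/24, as in the "Four Subnets" example.
    for row in plan_subnets("192.168.1.0/24", 2):
        print(row["borrowed_pattern"], row["subnet_address"],
              row["lowest_host"], row["highest_host"], row["broadcast_address"])
```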
Subnetting With Class A and Class B Networks.

For class “A” and class “B” addresses the subnet mask also determines which bits are part of the network number and which are part of the host ID.

A class “B” address has two host ID octets available for subnetting and a class “A” address has three host ID octets (Table 127 on page 380) available for subnetting.

The following table is a summary for class “B” subnet planning.

Table 140 Class B Subnet Planning

NO.
APPENDIX D
PPPoE

PPPoE in Action

An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your computer to an ATM PVC (Permanent Virtual Circuit) which connects to a DSL Access Concentrator where the PPP session terminates (Figure 258 on page 389). One PVC can support any number of PPP sessions from your LAN. PPPoE provides access control and billing functionality in a manner similar to dial-up services using PPP.
Figure 258 Single-Computer per Router Hardware Configuration

How PPPoE Works

The PPPoE driver makes the Ethernet appear as a serial link to the computer and the computer runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC is acting as a L2TP (Layer 2 Tunneling Protocol) LAC (L2TP Access Concentrator) and tunnels the PPP frames to the ISP.
APPENDIX E
Virtual Circuit Topology

ATM is a connection-oriented technology, meaning that it sets up virtual circuits over which end systems communicate.
APPENDIX F
Wireless LANs

Wireless LAN Topologies

This section discusses ad-hoc and infrastructure wireless LAN topologies.

Ad-hoc Wireless LAN Configuration

The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless stations (A, B, C).
Figure 262 Basic Service Set

ESS

An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS).

This type of wireless LAN topology is called an Infrastructure WLAN.
Figure 263 Infrastructure WLAN

Channel

A channel is the radio frequency(ies) used by IEEE 802.11a/b/g wireless devices. Channels available depend on your geographical area. You may have a choice of channels (for your region) so you should use a different channel than an adjacent AP (access point) to reduce interference. Interference occurs when radio signals from different access points overlap causing interference and degrading performance.
Figure 264 RTS/CTS

When station A sends data to the AP, it might not know that the station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations.

RTS/CTS is designed to prevent collisions due to hidden nodes.
A large Fragmentation Threshold is recommended for networks not prone to interference while you should set a smaller threshold for busy networks or networks that are prone to interference.

If the Fragmentation Threshold value is smaller than the RTS/CTS value (see previously) you set then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size.
IEEE 802.1x

In June 2001, the IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to support extended authentication as well as providing additional accounting and control features. It is supported by Windows XP and a number of network devices. Some advantages of IEEE 802.1x are:

• User based identification that allows for roaming.
• Access-Challenge
  Sent by a RADIUS server requesting more information in order to allow access. The access point sends a proper response from the user and then sends another Access-Request message.

The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user accounting:

• Accounting-Request
  Sent by the access point requesting accounting.
3 The wireless station replies with identity information, including username and password. The RADIUS server checks the user information against its user profile database and determines whether or not to authenticate the wireless station.

Types of Authentication

This appendix discusses some popular authentication types: EAP-MD5, EAP-TLS, EAP-TTLS, PEAP and LEAP.

The type of authentication you use depends on the RADIUS server or the AP.
PEAP (Protected EAP)

Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection, then use simple username and password methods through the secured connection to authenticate the clients, thus hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by Cisco.
Shared key authentication involves a four-message procedure. A wireless station sends a shared key authentication request to the AP, which will then reply with a challenge text message. The wireless station must then use the AP’s default WEP key to encrypt the challenge text and return it to the AP, which attempts to decrypt the message using the AP’s default WEP key. If the decrypted message matches the challenge text, the wireless station is authenticated.
WPA User Authentication
WPA applies IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless stations using an external RADIUS database.
Encryption
WPA improves data encryption by using Temporal Key Integrity Protocol (TKIP) or Advanced Encryption Standard (AES), Message Integrity Check (MIC) and IEEE 802.1x. TKIP uses 128-bit keys that are dynamically generated and distributed by the authentication server.
Security Parameters Summary
Refer to this table to see what other security parameters you should configure for each Authentication Method/ key management protocol type. MAC address filters are not dependent on how you configure these security features.
Table 143 Wireless Security Relational Matrix
AUTHENTICATION METHOD/ KEY MANAGEMENT PROTOCOL | ENCRYPTION METHOD | ENTER MANUAL KEY | ENABLE IEEE 802.
Figure 267 Roaming Example
The steps below describe the roaming process.
1 As wireless station Y moves from the coverage area of access point P1 to that of access point P2, it scans and uses the signal of access point P2.
3 Access point P2 acknowledges the presence of wireless station Y and relays this information to access point P1 through the wired LAN.
4 Access point P1 updates the new position of wireless station.
APPENDIX G
Antenna Selection and Positioning Recommendation
An antenna couples RF signals onto air. A transmitter within a wireless device sends an RF signal to the antenna, which propagates the signal through the air. The antenna also operates in reverse by capturing RF signals from the air. Choosing the right antennas and positioning them properly increases the range and coverage area of a wireless LAN.
Types of Antennas For WLAN
There are two types of antennas used for wireless LAN applications.
• Omni-directional antennas send the RF signal out in all directions on a horizontal plane. The coverage area is torus-shaped (like a donut) which makes these antennas ideal for a room environment. With a wide coverage area, it is possible to make circular overlapping coverage areas with multiple access points.
APPENDIX H
Example Internal SPTGEN Screens
This appendix covers Prestige Internal SPTGEN screens.
Table 144 Abbreviations Used in the Example Internal SPTGEN Screens Table
ABBREVIATION
    MEANING
FIN
    Field Identification Number (not seen in SMT screens)
FN
    Field Name
PVA
    Parameter Values Allowed
INPUT
    An example of what you may enter
*
    Applies to the Prestige.
The following are Internal SPTGEN screens associated with the SMT screens of your Prestige.
Table 146 Menu 3 (SMT Menu 1)
30100007 = Input device filters Set 3 = 256
30100008 = Input device filters Set 4 = 256
30100009 = Output protocol filters Set 1 = 256
30100010 = Output protocol filters Set 2 = 256
30100011 = Output protocol filters Set 3 = 256
30100012 = Output protocol filters Set 4 = 256
30100013 = Output device filters Set 1 = 256
30100014 = Output device filters Set 2 = 256
30100015 = Output device filters Set 3 = 256
3010001
30201003 = IP Subnet Mask = 0
30201004 = RIP Direction <0(None) | 1(Both) | 2(In Only) | 3(Out Only)> = 0
30201005 = Version <0(Rip-1) | 1(Rip-2B) |2(Rip-2M)> = 0
30201006 = IP Alias #1 Incoming protocol filters Set 1 = 256
30201007 = IP Alias #1 Incoming protocol filters Set 2 = 256
30201008 = IP Alias #1 Incoming protocol filters Set 3 = 256
30201009 = IP Alias #1 Incoming protocol filters Set 4 = 256
30201010 = IP
30201025 = IP Alias #2 Outgoing protocol filters Set 3 = 256
30201026 = IP Alias #2 Outgoing protocol filters Set 4 = 256
*/ Menu 3.5 Wireless LAN Setup (SMT Menu 3.5)
30500001 = ESSID Wireless
30500002 = Hide ESSID <0(No) | 1(Yes)>
30500003 = Channel ID <1|2|3|4|5|6|7|8|9|10|11|12|13> = 1
30500004 = RTS Threshold <0 ~ 2432> = 2432
30500005 = FRAG.
Table 147 Menu 4 Internet Access Setup (SMT Menu 4)
/ Menu 4 Internet Access Setup (SMT Menu 4)
FIN FN PVA INPUT
40000000 = Configured <0(No) | 1(Yes)> = 1
40000001 = ISP <0(No) | 1(Yes)> = 1
40000002 = Active <0(No) | 1(Yes)> = 1
40000003 = ISP's Name
40000004 = Encapsulation <2(PPPOE) | 3(RFC 1483)| 4(PPPoA )| 5(ENET ENCAP)> = 2
40000005 = Multiplexing <1(LLC-based) | 2(VC-based)> = 1
40000006 = VPI # = 0
40000007 = VCI # = 35
40000008 =
40000027 = ATM QoS Type <0(CBR) | 1(UBR)> = 1
40000028 = Peak Cell Rate (PCR) = 0
40000029 = Sustain Cell Rate (SCR) = 0
40000030 = Maximum Burst Size(MBS) = 0
40000031 = RIP Direction <0(None) | 1(Both) | 2(In Only) | 3(Out Only)> = 0
40000032 = RIP Version <0(Rip-1) | 1(Rip-2B) |2(Rip-2M)> = 0
40000033 = Nailed-up Connection <0(No) |1(Yes)> = 0
Table 148 Menu 12(SMT Menu 12)
/ Menu 12.1.
120103002 = IP Static Route set #3, Active <0(No) |1(Yes)> = 0
120103003 = IP Static Route set #3, Destination IP address = 0.0.0.0
120103004 = IP Static Route set #3, Destination IP subnetmask = 0
120103005 = IP Static Route set #3, Gateway = 0.0.0.0
120103006 = IP Static Route set #3, Metric = 0
120103007 = IP Static Route set #3, Private <0(No) |1(Yes)> = 0
/ Menu 12.1.4 IP Static Route Setup (SMT Menu 12.
FIN FN PVA INPUT
120107001 = IP Static Route set #7, Name =
120107002 = IP Static Route set #7, Active <0(No) |1(Yes)> = 0
120107003 = IP Static Route set #7, Destination IP address = 0.0.0.0
120107004 = IP Static Route set #7, Destination IP subnetmask = 0
120107005 = IP Static Route set #7, Gateway = 0.0.0.
120110007 = IP Static Route set #10, Private <0(No) |1(Yes)> = 0
*/ Menu 12.1.11 IP Static Route Setup (SMT Menu 12.1.11)
FIN FN PVA INPUT
120111001 = IP Static Route set #11, Name =
120111002 = IP Static Route set #11, Active <0(No) |1(Yes)> = 0
120111003 = IP Static Route set #11, Destination IP address = 0.0.0.
120114004 = IP Static Route set #14, Destination IP subnetmask = 0
120114005 = IP Static Route set #14, Gateway = 0.0.0.0
120114006 = IP Static Route set #14, Metric = 0
120114007 = IP Static Route set #14, Private <0(No) |1(Yes)> = 0
*/ Menu 12.1.15 IP Static Route Setup (SMT Menu 12.1.
Table 149 Menu 15 SUA Server Setup (SMT Menu 15) (continued)
150000007 = SUA Server #3 Active <0(No) | 1(Yes)> = 0
150000008 = SUA Server #3 Protocol <0(All)|6(TCP)|17(UDP)> = 0
150000009 = SUA Server #3 Port Start = 0
150000010 = SUA Server #3 Port End = 0
150000011 = SUA Server #3 Local IP address = 0.0.0.
150000041 = SUA Server #9 Local IP address = 0.0.0.0
150000042 = SUA Server #10 Active <0(No) | 1(Yes)> = 0
150000043 = SUA Server #10 Protocol <0(All)|6(TCP)|17(UDP)> = 0
150000044 = SUA Server #10 Port Start = 0
150000045 = SUA Server #10 Port End = 0
150000046 = SUA Server #10 Local IP address = 0.0.0.
Table 150 Menu 21.1 Filter Set #1 (SMT Menu 21.1) (continued)
210101011 = IP Filter Set 1,Rule 1 Src Port Comp <0(none)|1(equal)|2(not equal)|3(less)|4(greater)> = 0
210101013 = IP Filter Set 1,Rule 1 Act Match <1(check next)|2(forward)|3(drop)> = 3
210101014 = IP Filter Set 1,Rule 1 Act Not Match <1(check next)|2(forward)|3(drop)> = 1
/ Menu 21.1.1.2 set #1, rule #2 (SMT Menu 21.1.1.
210103007 = IP Filter Set 1,Rule 3 Dest Port Comp <0(none)|1(equal)|2(not equal)|3(less)|4(greater)> = 1
210103008 = IP Filter Set 1,Rule 3 Src IP address = 0.0.0.
210105002 = IP Filter Set 1,Rule 5 Active <0(No)|1(Yes)>
210105003 = IP Filter Set 1,Rule 5 Protocol = 17
210105004 = IP Filter Set 1,Rule 5 Dest IP address = 0.0.0.0
210105005 = IP Filter Set 1,Rule 5 Dest Subnet Mask = 0
210105006 = IP Filter Set 1,Rule 5 Dest Port = 138
210105007 = IP Filter Set 1,Rule 5 Dest Port Comp
210105008 = IP Filter Set 1,Rule 5 Src IP Address = 0.0.0.
210106013 = IP Filter Set 1,Rule 6 Act Match <1(check next)|2(forward)|3(drop)> = 3
210106014 = IP Filter Set 1,Rule 6 Act Not Match <1(check next)|2(forward)|3(drop)> = 2
Table 151 Menu 21.1 Filter Set #2, (SMT Menu 21.1)
/ Menu 21.1 filter set #2, (SMT Menu 21.1)
FIN FN PVA INPUT
210200001 = Filter Set 2, Nam = NetBIOS_WAN
/ Menu 21.1.2.1 Filter set #2, rule #1 (SMT Menu 21.1.2.
210202001 = IP Filter Set 2, Rule 2 Type <0(none)|2(TCP/IP)> = 2
210202002 = IP Filter Set 2, Rule 2 Active <0(No)|1(Yes)>
210202003 = IP Filter Set 2, Rule 2 Protocol = 6
210202004 = IP Filter Set 2, Rule 2 Dest IP address = 0.0.0.
210203011 = IP Filter Set 2, Rule 3 Src Port Comp <0(none)|1(equal)|2(not equal)|3(less)|4(greater)> = 0
210203013 = IP Filter Set 2, Rule 3 Act Match <1(check next)|2(forward)|3(drop)> = 3
210203014 = IP Filter Set 2,Rule 3 Act Not Match <1(check next)|2(forward)|3(drop)> = 1
/ Menu 21.1.2.4 Filter set #2, rule #4 (SMT Menu 21.1.2.
210205004 = IP Filter Set 2, Rule 5 Dest IP address = 0.0.0.0
210205005 = IP Filter Set 2, Rule 5 Dest Subnet Mask = 0
210205006 = IP Filter Set 2, Rule 5 Dest Port = 138
210205007 = IP Filter Set 2, Rule 5 Dest Port Comp
210205008 = IP Filter Set 2, Rule 5 Src IP address = 0.0.0.
210206013 = IP Filter Set 2,Rule 6 Act Match <1(check next)|2(forward)|3(drop)> = 3
210206014 = IP Filter Set 2,Rule 6 Act Not Match <1(check next)|2(forward)|3(drop)> = 2
*/ Menu 23.1 System Password Setup (SMT Menu 23.1)
FIN FN PVA INPUT
230000000 = System Password = 1234
*/ Menu 23.2 System security: radius server (SMT Menu 23.
241100005 = FTP Server Access <0(all)|1(none)|2(Lan)|3(Wan)> = 0
241100006 = FTP Server Secured IP address = 0.0.0.0
241100007 = WEB Server Port = 80
241100008 = WEB Server Access <0(all)|1(none)|2(Lan)|3(Wan)> = 0
241100009 = WEB Server Secured IP address = 0.0.0.0
Command Examples
The following are example Internal SPTGEN screens associated with the Prestige’s command interpreter commands.
APPENDIX I
Command Interpreter
The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 - Command Interpreter Mode. See the included disk or zyxel.com for more detailed information on these commands.
Note: Use of undocumented commands or misconfiguration can damage the unit and possibly render it unusable.
APPENDIX J
Firewall Commands
Sys Firewall Commands
The following describes the firewall commands. See Appendix I on page 430 for information on the command structure. Each of these commands must be preceded by sys firewall when you use them. For example, type sys firewall active yes to turn on the firewall.
Table 153 Sys Firewall Commands
Command
    Description
acl disp
    Displays ACLs or a specific ACL set # and rule #.
APPENDIX K
Brute-Force Password Guessing Protection
The following describes the commands for enabling, disabling and configuring the brute-force password guessing protection mechanism for the password. See Appendix I on page 430 for information on the command structure.
Table 154 Brute-Force Password Guessing Protection Commands
COMMAND
    DESCRIPTION
sys pwderrtm
    This command displays the brute-force guessing password protection settings.
APPENDIX L
Boot Commands
The BootModule AT commands execute from within the router’s bootup software, when debug mode is selected before the main router firmware is started. When you start up your Prestige, you are given a choice to go into debug mode by pressing a key at the prompt shown in the following screen. In debug mode you have access to a series of boot module commands, for example ATUR (for uploading firmware) and ATLC (for uploading the configuration file).
Figure 269 Boot Module Commands
AT just answer OK
ATHE print help
ATBAx change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.
APPENDIX M
Log Descriptions
This appendix provides descriptions of example log messages.
Table 155 System Maintenance Logs
LOG MESSAGE
    DESCRIPTION
Time calibration is successful
    The router has adjusted its time based on information from the time server.
Time calibration failed
    The router failed to get information from the time server.
WAN interface gets IP: %s
    A WAN interface got a new IP address from the DHCP, PPPoE, PPTP or dial-up server.
Configuration Change: PC = 0x%x, Task ID = 0x%x
    The router is saving configuration changes.
Successful SSH login
    Someone has logged on to the router’s SSH server.
SSH login failed
    Someone has failed to log on to the router’s SSH server.
Successful HTTPS login
    Someone has logged on to the router's web configurator interface using HTTPS protocol.
Table 158 TCP Reset Logs
LOG MESSAGE
    DESCRIPTION
Under SYN flood attack, sent TCP RST
    The router sent a TCP reset packet when a host was under a SYN flood attack (the TCP incomplete count is per destination host.)
Exceed TCP MAX incomplete, sent TCP RST
    The router sent a TCP reset packet when the number of TCP incomplete connections exceeded the user configured threshold. (the TCP incomplete count is per destination host.
Table 160 ICMP Logs (continued)
LOG MESSAGE
    DESCRIPTION
Triangle route packet forwarded: ICMP
    The firewall allowed a triangle route session to pass through.
Packet without a NAT table entry blocked: ICMP
    The router blocked a packet that didn’t have a corresponding NAT table entry.
Unsupported/out-of-order ICMP: ICMP
    The firewall does not support this kind of ICMP packets or the ICMP packets are out of order.
Table 163 UPnP Logs
LOG MESSAGE
    DESCRIPTION
UPnP pass through Firewall
    UPnP packets can pass through the firewall.
Table 164 Content Filtering Logs
LOG MESSAGE
    DESCRIPTION
%s: Keyword blocking
    The content of a requested web page matched a user defined keyword.
%s: Not in trusted web list
    The web site is not in a trusted domain, and the router blocks all traffic except trusted domain sites.
%s: Forbidden Web site
    The web site is in the forbidden web site list.
Table 165 Attack Logs
LOG MESSAGE
    DESCRIPTION
attack [ TCP | UDP | IGMP | ESP | GRE | OSPF ]
    The firewall detected a TCP/UDP/IGMP/ESP/GRE/OSPF attack.
attack ICMP (type:%d, code:%d)
    The firewall detected an ICMP attack. For type and code details, see Table 168 on page 445.
land [ TCP | UDP | IGMP | ESP | GRE | OSPF ]
    The firewall detected a TCP/UDP/IGMP/ESP/GRE/OSPF land attack.
land ICMP (type:%d, code:%d)
    The firewall detected an ICMP land attack.
Table 166 802.1X Logs
LOG MESSAGE
    DESCRIPTION
Local User Database accepts user.
    A user was authenticated by the local user database.
Local User Database reports user credential error.
    A user was not authenticated by the local user database because of an incorrect user password.
Local User Database does not find user`s credential.
    A user was not authenticated by the local user database because the user is not listed in the local user database.
Table 167 ACL Setting Notes (continued)
PACKET DIRECTION | DIRECTION | DESCRIPTION
(L to L/Prestige) | LAN to LAN/ Prestige | ACL set for packets traveling from the LAN to the LAN or the Prestige.
(W to W/Prestige) | WAN to WAN/ Prestige | ACL set for packets traveling from the WAN to the WAN or the Prestige.
Table 168 ICMP Notes (continued)
TYPE | CODE | DESCRIPTION
 | 0 | Information request message
16 | | Information Reply
 | 0 | Information reply message
Table 169 Syslog Logs
LOG MESSAGE
    DESCRIPTION
Mon dd hr:mm:ss hostname src="" dst="" msg="" note="" devID="" cat=""
    This message is sent by the system ("RAS" displays as the system name if you haven’t configured one) when the
Log Commands
Go to the command interpreter interface (Appendix I on page 430 explains how to access and use the commands).
Configuring What You Want the Prestige to Log
1 Use the sys logs load command to load the log setting buffer that allows you to configure which logs the Prestige is to record.
2 Use sys logs category to view a list of the log categories.
Figure 270 Displaying Log Categories Example
Copyright (c) 1994 - 2004 ZyXEL Communications Corp.
Log Command Example
This example shows how to set the Prestige to record the access logs and alerts and then view the results.
Figure 272 Log Command Example
ras> sys logs load
ras> sys logs category access 3
ras> sys logs save
ras> sys logs display access
# .time source destination message
7|01/01/2000 09:40:13 |192.168.1.1:3 |192.168.1.33:1 RWARD Router reply ICMP packet: ICMP(type:3, code:1)
8|01/01/2000 09:40:07 |192.168.1.1:3 |192.168.1.
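The syslog layout in Table 169 and the message texts in the log tables of this appendix are enough to triage a Prestige log feed. The Python below is an added example, not ZyXEL code: it parses that layout, classifies each message by the texts listed in this appendix, and reports sources with repeated authentication failures. The sample lines, the devID and cat values, the ip:port form of src and dst, and the threshold of 3 are constructed assumptions.

```python
import re
from collections import Counter

# "Mon dd hr:mm:ss hostname" header followed by key="value" pairs (Table 169).
HEADER_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<body>.+)$')
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
REQUIRED = ("src", "dst", "msg")

# Message texts copied from the log tables in this appendix; first match wins.
PROTO = r"(TCP|UDP|IGMP|ESP|GRE|OSPF|ICMP)\b"
RULES = [
    ("land", re.compile(r"^land " + PROTO)),
    ("attack", re.compile(r"^attack " + PROTO)),
    ("syn_flood", re.compile(r"^Under SYN flood attack, sent TCP RST")),
    ("tcp_max_incomplete", re.compile(r"^Exceed TCP MAX incomplete, sent TCP RST")),
    ("auth_failure", re.compile(
        r"^(SSH login failed|Local User Database reports user credential error"
        r"|Local User Database does not find user`s credential)")),
    ("auth_success", re.compile(
        r"^(Successful (SSH|HTTPS) login|Local User Database accepts user)")),
]
ICMP_RE = re.compile(r"ICMP \(type:(\d+), code:(\d+)\)")

def parse_line(line):
    """Return the fields of one syslog line, or None if it is malformed."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("body")))
    if any(key not in fields for key in REQUIRED):
        return None
    fields.update(ts=m.group("ts"), host=m.group("host"))
    return fields

def classify(msg):
    """Map a msg="" text to a triage category."""
    for name, rx in RULES:
        if rx.search(msg):
            return name
    return "other"

def summarize(lines, auth_fail_threshold=3):
    """Count categories, collect ICMP attack type/code, flag repeated failures."""
    counts, fails, icmp, rejected = Counter(), Counter(), [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            rejected += 1  # keep a tally: rejected lines can hide real events
            continue
        category = classify(rec["msg"])
        counts[category] += 1
        src_ip = rec["src"].rsplit(":", 1)[0]  # assumed "ip:port" form
        if category == "auth_failure":
            fails[src_ip] += 1
        if category in ("attack", "land"):
            m = ICMP_RE.search(rec["msg"])
            if m:
                icmp.append((src_ip, int(m.group(1)), int(m.group(2))))
    repeat = {ip: n for ip, n in fails.items() if n >= auth_fail_threshold}
    return {"counts": counts, "repeat_auth_failures": repeat,
            "icmp_attacks": icmp, "rejected": rejected}

def sample_line(ts, src, dst, msg):
    """Build one constructed log line; devID and cat are placeholder values."""
    return (f'{ts} RAS src="{src}" dst="{dst}" msg="{msg}" note="" '
            'devID="000000" cat="constructed"')

GW = "192.168.1.1"
SAMPLE = [  # constructed input, not captured from a device
    sample_line("Jan  1 09:40:07", "192.168.1.33:1031", GW + ":22", "SSH login failed"),
    sample_line("Jan  1 09:40:09", "192.168.1.33:1032", GW + ":22", "SSH login failed"),
    sample_line("Jan  1 09:40:12", "192.168.1.33:1033", GW + ":22", "SSH login failed"),
    sample_line("Jan  1 09:40:20", "192.168.1.34:1040", GW + ":22", "Successful SSH login"),
    sample_line("Jan  1 09:41:02", "203.0.113.9", GW, "attack ICMP (type:8, code:0)"),
    sample_line("Jan  1 09:41:30", GW + ":80", GW + ":80", "land TCP"),
    sample_line("Jan  1 09:42:00", "203.0.113.9:4444", "192.168.1.33:80",
                "Under SYN flood attack, sent TCP RST"),
    sample_line("Jan 12 00:00:01", "", "", "Time calibration is successful"),
    'Jan  1 09:43:00 RAS src="192.168.1.40:1" dst="192.168.1.1:1"',  # no msg field
    "### line noise with no syslog header ###",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
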