Prestige 2602H-6xC ADSL VoIP IAD Support Notes Version 3.40 March.
INDEX

Application Notes
General Application Notes
Internet Connection
Setup the Prestige as a DHCP Relay

What is SUA? When should I use SUA?
What is the difference between NAT and SUA?
How many network users can the SUA/NAT support?
What are Device filters and Protocol filters?
Why can't I configure device filters or protocol filters?
Product FAQ

What DDNS servers does the Prestige support?
What is DDNS wildcard?
Does the Prestige support DDNS wildcard?
Can the Prestige SUA handle IPsec packets sent by the VPN gateway behind Prestige?

What is SYN Flood attack?
What is LAND attack?
What is Brute-force attack?
What is IP Spoofing attack?
What are the default ACL firewall rules in Prestige?

Why does VPN throughput decrease when staying in SMT menu 24.1?
Where can I configure Phase 1 ID in Prestige?
If I have NAT router between two VPN gateways, and I would like to use IP type as Phase 1 ID, what should I know?
How can I keep a tunnel alive?

What is an ESSID?
How do I secure the data across an Access Point's radio link?
What is WEP?
What is the difference between 40-bit and 64-bit WEP?
What is a WEP key?
A WEP key is a user defined string of characters used to encrypt and decrypt data?
Application Notes

General Application Notes

Internet Connection

A typical Internet access application of the Prestige is shown below. For a small office, some components need to be checked before accessing the Internet.

• Before you begin
• Setting up the Windows
• Setting up the Prestige router
• Troubleshooting

• Before you begin

The Prestige is shipped with the following factory default:
1. IP address = 192.168.1.1, subnet mask = 255.255.255.

• If you only have one PC, connect the PC's Ethernet adapter to the Prestige's LAN port with a crossover (red one) Ethernet cable.
• If you have more than one PC, both the PC's Ethernet adapters and the Prestige's LAN port must be connected to an external hub with straight Ethernet cable.

2. TCP/IP Installation

You must first install TCP/IP software on each PC before you can use it for Internet access.

The following procedure is for the most typical usage of the Prestige where you have a single-user account (SUA). The Prestige has an embedded web server that allows you to configure it with a Web browser. Before configuring the router with the browser, please make sure there is no Telnet or Console login.

1. Retrieve Prestige Web

Please enter the LAN IP address of the Prestige router in the URL location to retrieve the web screen from the Prestige.
Select "Dynamic" if the ISP provides the IP dynamically; otherwise select "Use Fixed IP address" and enter the static IP given by the ISP in the box following the "MY WAN IP Address" field.

Setup the Prestige as a DHCP Relay

• What is DHCP Relay?

DHCP stands for Dynamic Host Configuration Protocol. In addition to the DHCP server feature, the P2602 supports the DHCP relay function. When it is configured as DHCP server, it assigns the IP addresses to the LAN clients.

• Setup the Prestige as a DHCP Client

1. Toggle the DHCP to Relay in menu 3.2 and enter the IP address of the DHCP server in the 'Relay Server Address' field.

Menu 3.2 - TCP/IP and DHCP Setup

  DHCP Setup
    DHCP= Relay
    Client IP Pool Starting Address= N/A
    Size of Client IP Pool= N/A
    Primary DNS Server= N/A
    Secondary DNS Server= N/A
    Remote DHCP Server= 192.168.1.2
  TCP/IP Setup:
    IP Address= 192.168.1.1
    IP Subnet Mask= 255.255.255.
  Press ENTER to Confirm or ESC to Cancel:

Configure an Internal Server Behind SUA

• Introduction

If you wish, you can make internal servers (e.g., Web, ftp or mail server) accessible for outside users, even though SUA makes your LAN appear as a single machine to the outside world. A service is identified by the port number.

• For example (Configuring an internal Web server for outside access):

Menu 15.2 - NAT Server Setup

  Rule  Start Port No.  End Port No.  IP Address
  ---------------------------------------------------
   1.   Default         Default       0.0.0.0
   2.   80              80            192.168.1.
   3.   0               0             0.0.0.0
   4.   0               0             0.0.0.0
   5.   0               0             0.0.0.0
   6.   0               0             0.0.0.0
   7.   0               0             0.0.0.0
   8.   0               0             0.0.0.0
   9.   0               0             0.0.0.0
  10.   0               0             0.0.0.0
  11.   0               0             0.0.0.0
  12.   0               0             0.0.0.0
Configure a PPTP server Behind SUA

• Introduction

PPTP is a tunneling protocol defined by the PPTP forum that allows PPP packets to be encapsulated within Internet Protocol (IP) packets and forwarded over any IP network, including the Internet itself. In order to run the Windows 9x PPTP client, you must be able to establish an IP connection with a tunnel server such as the Windows NT Server 4.0 Remote Access Server.

The PPTP is supported in Windows NT and Windows 98 already. For Windows 95, it needs to be upgraded by the Dial-Up Networking 1.2 upgrade.

• Configuration

This application note explains how to establish a PPTP connection with a remote private network in the Prestige SUA case. In ZyNOS, all PPTP packets can be forwarded to the internal PPTP Server (WinNT server) behind SUA.

o Set the Internet gateway to the router that is connecting to ISP

• Prestige router setup

Before making a VPN connection from Win9x to WinNT server, you need to connect Prestige router to your ISP first. Enter the IP address of the PPTP server (WinNT server) and the port number for PPTP as shown below.

Menu 15.2 - NAT Server Setup (Used for SUA Only)

  Rule  Start Port No.  End Port No.  IP Address
  ---------------------------------------------------
   1.

C:\ping 203.66.113.2

When a dial-up connection to ISP is established, a default gateway is assigned to the router traffic through that connection. Therefore, the output below shows the default gateway of the Win9x client after the dial-up connection has been established.
Using NAT / Multi-NAT

• What is Multi-NAT?

NAT (Network Address Translation-NAT RFC 1631) is the translation of an Internet Protocol address used within one network to a different IP address known within another network. One network is designated the inside network and the other is the outside.

1. NAT Mapping Types

NAT supports five types of IP/port mapping. They are:

2. One to One
In One-to-One mode, the Prestige maps one ILA to one IGA.

3. Many to One
In Many-to-One mode, the Prestige maps multiple ILA to one IGA. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyNOS routers supported (the SUA only option in today's routers).

4.

The following table summarizes these types.

  NAT Type                     IP Mapping       Mapping Direction
  ---------------------------------------------------------------
  One-to-One                   ILA1<--->IGA1    Both

  Many-to-One (SUA/PAT)        ILA1---->IGA1    Outgoing
                               ILA2---->IGA1
                               ...

  Many-to-Many Overload        ILA1---->IGA1    Outgoing
                               ILA2---->IGA2
                               ILA3---->IGA1
                               ILA4---->IGA2
                               ...

  Many-to-Many No Overload     ILA1---->IGA1
  (Allocate by Connections)    ILA2---->IGA3
                               ILA3---->IGA2
                               ILA4---->IGA4
                               ...
You apply NAT via menus 4 and 11.3 as displayed next. The next figure shows how you apply NAT for Internet access in menu 4. Enter 4 from the Main Menu to go to Menu 4-Internet Access Setup.

Overload mapping. Select Full Feature when you require other mapping types. It is a convenient, pre-configured, read only, Many-to-One mapping set, sufficient for most purposes and helpful to people already familiar with SUA in previous ZyNOS versions. Note that there is also a Server type whose IGA is 0.0.0.0 in this set.

Table: Applying NAT in Menu 4 and Menu 11.3

2. Configuring NAT

To configure NAT, enter 15 from the Main Menu to bring up the following screen.
Menu 15.1 - Address Mapping Sets

  1.
  2.
  3.
  4.
  5.
  6.
  7.
  8.
  255. SUA (read only)

  Enter Set Number to Edit:

Let's first look at Option 255. Option 255 is equivalent to SUA in previous ZyXEL routers. The fields in this menu cannot be changed. Entering 255 brings up this screen.

Menu 15.1.1 - Address Mapping Rules

  Set Name= SUA

  Idx Local Start IP  Local End IP    Global Start IP Global End IP   Type
  --- --------------- --------------- --------------- --------------- ------
   1. 0.

The following table explains the fields in this screen. Please note that the fields in this menu are read-only.

  Field            Description                                              Option/Example
  Set Name         This is the name of the set you selected in Menu 15.1    SUA
                   or enter the name of a new set you want to create.
  Idx              This is the index or rule number.                        1
  Local Start IP   This is the starting local IP address (ILA).             0.0.0.0 for the Many-to-One type.
                   This is the starting local IP address (ILA).

   9.
  10.

  Action= Edit , Select Rule= 0

  Press ENTER to Confirm or ESC to Cancel:

We will just look at the differences from the previous menu. Note that this screen is not read only, so we have extra Action and Select Rule fields. Note also that the [?] in the Set Name field means that this is a required field and you must enter a name for the set. The description of the other fields is as described above. The Type, Local and Global Start/End IPs are configured in Menu 15.1.

  Local IP:
    Start= 0.0.0.0
    End = N/A
  Global IP:
    Start= 0.0.0.0
    End = N/A

  Press ENTER to Confirm or ESC to Cancel:

The following table describes the fields in this screen.

  Field   Description                                                  Options
  Type    Press [SPACEBAR] to toggle through a total of 5 types.       One-to-One
          These are the mapping types discussed above plus a server    Many-to-One
          type. Some examples follow to clarify these a little more.   Many-to-Many Overload
                                                                       Many-to-Many No
The NAT Server Set is a list of LAN side servers mapped to external ports (similar to the old SUA menu of before). If you wish, you can make inside servers for different services, e.g., Web or FTP, visible to the outside users, even though NAT makes your network appear as a single machine to the outside world. A server is identified by the port number, e.g., Web service is on port 80 and FTP on port 21.

   2.   21              21            192.168.1.33
   3.   80              80            192.168.1.36
   4.   0               0             0.0.0.0
   5.   0               0             0.0.0.0
   6.   0               0             0.0.0.0
   7.   0               0             0.0.0.0
   8.   0               0             0.0.0.0
   9.   0               0             0.0.0.0
  10.   0               0             0.0.0.0
  11.   0               0             0.0.0.0
  12.   0               0             0.0.0.0

  Press ENTER to Confirm or ESC to Cancel:

The most often used port numbers are shown in the following table. Please refer to RFC 1700 for further information about port numbers.

Menu 4 - Internet Access Setup

  ISP's Name= MyISP
  Encapsulation= PPPoE
  Multiplexing= LLC-based
  VPI #= 0
  VCI #= 33
  ATM QoS Type= UBR
  Peak Cell Rate (PCR)= 0
  Sustain Cell Rate (SCR)= 0
  Maximum Burst Size (MBS)= 0
  My Login= cso@zyxel
  My Password= ********
  Idle Timeout (sec)= 0
  IP Address Assignment= Dynamic
  IP Address= N/A
  Network Address Translation= SUA Only
  Address Mapping Set= 1

  Press ENTER to Confirm or ESC to Cancel:

All contents copyright (c) 2005 ZyXEL Communicati
From Menu 4 shown above simply choose the SUA Only option from the NAT field. This is the Many-to-One mapping discussed earlier. The SUA read only option from the NAT field in menu 4 and 11.3 is specifically pre-configured to handle this case.

2. Internet Access with an Internal Server

In this case, we do exactly as above (use the convenient pre-configured SUA Only set) and also go to Menu 15.

   8.   0               0             0.0.0.0
   9.   0               0             0.0.0.0
  10.   0               0             0.0.0.0
  11.   0               0             0.0.0.0
  12.   0               0             0.0.0.0

  Press ENTER to Confirm or ESC to Cancel:

3. Using Multiple Global IP addresses for clients and servers (One-to-One, Many-to-One, Server Set mapping types are used)

In this case we have 3 IGAs (IGA1, IGA2 and IGA3) from the ISP. We have two very busy internal FTP servers and also an internal general server for the web and mail.

Step 1: In this case, we need to configure Address Mapping Set 1 from Menu 15.1-Address Mapping Sets. Therefore we must choose the Full Feature option from the NAT field in menu 4 or menu 11.3, and assign IGA3 to Prestige WAN IP Address.
    Start= 192.168.1.10
    End = N/A
  Global IP:
    Start= [Enter IGA1]
    End = N/A

  Press ENTER to Confirm or ESC to Cancel:

Rule 2 Setup: Selecting One-to-One type to map the FTP Server 2 with ILA2 (192.168.1.11) to IGA2.

Menu 15.1.1.2 - - Rule 2

  Type: One-to-One
  Local IP:
    Start= 192.168.1.11
    End = N/A
  Global IP:
    Start= [Enter IGA2]
    End = N/A

  Press ENTER to Confirm or ESC to Cancel:

Rule 3 Setup: Select Many-to-One type to map the other clients to IGA3.

Menu 15.1.1.

  Press ENTER to Confirm or ESC to Cancel:

Rule 4 Setup: Select Server type to map our web server and mail server with ILA3 (192.168.1.20) to IGA3.

Menu 15.1.1.4 - - Rule 4

  Type: Server
  Local IP:
    Start= N/A
    End = N/A
  Global IP:
    Start= [Enter IGA3]
    End = N/A

  Press ENTER to Confirm or ESC to Cancel:

When we have configured all four rules Menu 15.1.1 should look as follows.

Menu 15.1.

   9.
  10.

  Press ESC or RETURN to Exit:

Step 3: Now we configure all other incoming traffic to go to our web server and mail server from Menu 15.2 - NAT Server Setup (not Set 1, Set 1 is used for SUA Only case).

Menu 15.2 - NAT Server Setup

  Rule  Start Port No.  End Port No.  IP Address
  ---------------------------------------------------
   1.   Default         Default       0.0.0.0
   2.   80              80            192.168.1.20
   3.   25              25            192.168.1.20
   4.   0               0             0.0.0.0
   5.   0               0             0.0.0.0
   6.   0               0             0.0.0.0
   7.
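The four mapping rules and the Menu 15.2 server set from this case, modelled as an added example (not ZyXEL code) that reports which internal hosts an unsolicited WAN packet can reach. The three global addresses are constructed placeholders for IGA1 to IGA3; the Many-to-One local range, first-match rule order and the reading of 0.0.0.0 as "not set" are assumptions, and One-to-One is treated as two-way per the "Both" mapping direction in the NAT type table.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the three ISP-assigned addresses (IGA1..IGA3).
IGA1, IGA2, IGA3 = "203.0.113.1", "203.0.113.2", "203.0.113.3"


@dataclass(frozen=True)
class MapRule:
    kind: str                    # "One-to-One", "Many-to-One" or "Server"
    local_start: Optional[str]
    local_end: Optional[str]
    global_ip: str


# Menu 15.1.1, rules 1-4 of the example. The Many-to-One local range is an
# assumption (every LAN address); the page does not show it.
RULES = [
    MapRule("One-to-One", "192.168.1.10", None, IGA1),   # FTP server 1
    MapRule("One-to-One", "192.168.1.11", None, IGA2),   # FTP server 2
    MapRule("Many-to-One", "0.0.0.0", "255.255.255.255", IGA3),
    MapRule("Server", None, None, IGA3),
]

# Menu 15.2 entries: (start port, end port, internal server).
SERVER_SET = [(80, 80, "192.168.1.20"), (25, 25, "192.168.1.20")]
DEFAULT_SERVER = "0.0.0.0"       # rule 1 "Default"; 0.0.0.0 read as "not set"


def _in_range(ip, start, end):
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_address(start) <= addr <= ipaddress.ip_address(end or start)


def translate_outbound(src_ip, rules=RULES):
    """Global address used for traffic leaving src_ip (first match assumed)."""
    for rule in rules:
        if rule.kind != "Server" and _in_range(src_ip, rule.local_start, rule.local_end):
            return rule.global_ip
    return None


def translate_inbound(dst_ip, dst_port, rules=RULES, servers=SERVER_SET):
    """Internal host reached by an unsolicited WAN packet, or None."""
    for rule in rules:
        if rule.global_ip != dst_ip:
            continue
        if rule.kind == "One-to-One":
            # Two-way mapping: every port on the global address reaches the host
            # unless a filter or firewall rule drops the packet first.
            return rule.local_start
        if rule.kind == "Server":
            for low, high, host in servers:
                if low <= dst_port <= high and host != "0.0.0.0":
                    return host
            if DEFAULT_SERVER != "0.0.0.0":
                return DEFAULT_SERVER
        # Many-to-One is outgoing only, so it never admits a new inbound flow.
    return None


def exposure_report(ports=(21, 25, 80, 139)):
    """List (global IP, port, internal host) for every reachable combination."""
    found = []
    for iga in (IGA1, IGA2, IGA3):
        for port in ports:
            host = translate_inbound(iga, port)
            if host:
                found.append((iga, port, host))
    return found


if __name__ == "__main__":
    for iga, port, host in exposure_report():
        print(f"{iga}:{port} -> {host}")
```

The report makes the difference between the rule types visible: the Server rule exposes only ports 80 and 25 on IGA3, while each One-to-One rule exposes every port of its FTP server, which is where a protocol filter set is worth applying.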
Some servers providing Internet applications, such as some mIRC servers, do not allow users to log in using the same IP address. In this case it is better to use Many-to-Many No Overload or One-to-One NAT mapping types, so that each user logs in to the server using a unique global IP address. The following figure illustrates this.

One rule configured for using Many-to-Many No Overload mapping type is shown below.

Menu 15.1.1.

  Local IP:
    Start= 192.168.1.10
    End = N/A
  Global IP:
    Start= [Enter IGA1]
    End = N/A

  Press ENTER to Confirm or ESC to Cancel:

Menu 15.1.1.2 - - Rule 2

  Type: One-to-One
  Local IP:
    Start= 192.168.1.11
    End = N/A
  Global IP:
    Start= [Enter IGA2]
    End = N/A

  Press ENTER to Confirm or ESC to Cancel:

Menu 15.1.1.3 - - Rule 3

  Type: One-to-One
  Local IP:
    Start= 192.168.1.

  Press ENTER to Confirm or ESC to Cancel:

Prestige supports multiple types of NAT mapping rules:

• SUA
• One to One
• Many to One
• Many to Many overload
• Many One to One
• Server

The following table summarizes these types.

  NAT Type                 IP Mapping
  ------------------------------------------
  One-to-One               ILA1<--->IGA1

  Many-to-One (SUA/PAT)    ILA1<--->IGA1
                           ILA2<--->IGA1
                           ...

  ...

  Server (SUA)             Server 1 IP<--->IGA1
                           Server 2 IP<--->IGA1

About Filter & Filter Examples

How does ZyXEL filter work?

• Filter Structure

The Prestige allows you to configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system. You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.
• Filter Types and SUA

Conceptually, there are two categories of filter rules: device and protocol. The Generic filter rules belong to the device category; they act on the raw data from/to LAN and WAN. The IP and IPX filter rules belong to the protocol category; they act on the IP and IPX packets.

In order to allow users to specify the local network IP address and port number in the filter rules with SUA connections, the TCP/IP filter function has to be executed before SUA for WAN outgoing packets and after the SUA for WAN incoming IP packets. But at the same time, the Generic filter rules must be applied at the point when the Prestige is receiving and sending the packets; i.e. the ISDN interface. So, the execution sequence has to be changed.

same error if you try to activate a Generic filter rule in a filter set that has already had one or more active TCP/IP (or IPX) filter rules.

Menu 21.1.1:

Menu 21.1.1 - Generic Filter Rule

  Filter #: 1,1
  Filter Type= Generic Filter Rule
  Active= Yes
  Offset= 0
  Length= 0
  Mask= N/A
  Value= N/A
  More= No          Log= None
  Action Matched= Check Next Rule
  Action Not Matched= Check Next Rule

Menu 21.1.2:

Menu 21.1.

  More= No          Log= None
  Action Matched= Check Next Rule
  Action Not Matched= Check Next Rule

  Press ENTER to Confirm or ESC to Cancel:

  Saving to ROM. Please wait...
  Protocol and device rule cannot be active together

To separate the device and protocol filter categories, two new menus, Menu 11.5 and Menu 13.1, have been added, and some changes have been made to Menu 3.1, Menu 11.1, and Menu 13. The new fields are shown below.

Menu 3.1:

Menu 3.

  Outgoing:                     Session Options:
    My Login= testt               Edit Filter Sets= Yes
    My Password= *****
    Authen= CHAP/PAP

  Press ENTER to Confirm or ESC to Cancel:

Menu 11.5:

Menu 11.5 - Remote Node Filter

  Input Filter Sets:
    protocol filters=
    device filters=
  Output Filter Sets:
    protocol filters=
    device filters=

SMT will also prevent you from entering a protocol filter set configured in Menu 21 to the device filters field in Menu 3.1, 11.
1. The outbound packet type (protocol & port number)
2. The source IP address

Generally, the outbound packets for Web service could be as follows:

a. HTTP packet, TCP (06) protocol with port number 80
b. DNS packet, TCP (06) protocol with port number 53 or
c. DNS packet, UDP (17) protocol with port number 53

For all workstations on the LAN, the source IP address will be 0.0.0.0. Otherwise, you have to enter an IP Address for the workstation you want to block.

2. Rule one for (a). http packet, TCP(06)/Port number 80

Menu 21.1.1 - TCP/IP Filter Rule

  Filter #: 1,1
  Filter Type= TCP/IP Filter Rule
  Active= Yes
  IP Protocol= 6     IP Source Route= No
  Destination: IP Addr= 0.0.0.0
               IP Mask= 0.0.0.0
               Port #= 80
               Port # Comp= Equal
  Source:      IP Addr= 0.0.0.0
               IP Mask= 0.0.0.0
               Port #=
               Port # Comp= None
  TCP Estab= No
  More= No           Log= None
  Action Matched= Drop
  Action Not Matched= Check Next Rule

  Press ENTER to Confirm or ESC to Cancel:

3.

  Source:      IP Addr= 0.0.0.0
               IP Mask= 0.0.0.0
               Port #=
               Port # Comp= None
  TCP Estab= No
  More= No           Log= None
  Action Matched= Drop
  Action Not Matched= Check Next Rule

  Press ENTER to Confirm or ESC to Cancel:

4. Rule 3 for (c). DNS packet UDP(17)/Port number 53

Menu 21.1.2 - TCP/IP Filter Rule

  Filter #: 1,2
  Filter Type= TCP/IP Filter Rule
  Active= Yes
  IP Protocol= 17    IP Source Route= No
  Destination: IP Addr= 0.0.0.0
               IP Mask= 0.0.0.

Menu 21.1 - Filter Rules Summary

  # A Type Filter Rules                              M m n
  - - ---- ----------------------------------------- - - -
  1 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=80       N D N
  2 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=53       N D N
  3 Y IP   Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=53      N D F

6. Apply the filter set to the 'Output Protocol Filter Set' in the remote node setup.

A filter for blocking a specific client

Configuration

1. Create a filter set in Menu 21, e.g.

2. One rule for blocking all packets from this client

Menu 21.1.1 - TCP/IP Filter Rule

  Filter #: 1,1
  Filter Type= TCP/IP Filter Rule
  Active= Yes
  IP Protocol= 0     IP Source Route= No
  Destination: IP Addr= 0.0.0.0
               IP Mask= 0.0.0.0
               Port #=
               Port # Comp= None
  Source:      IP Addr= 192.168.1.5
               IP Mask= 255.255.255.
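The web-blocking filter set and the client-blocking rule above, evaluated against sample packets in an added example (not ZyXEL code) that follows the Action Matched / Action Not Matched chain rule by rule. The sample packets are constructed; the host mask and actions of the client rule, the reading of IP Protocol 0 as "any", and forwarding when no rule decides are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

TCP, UDP, ANY = 6, 17, 0          # "IP Protocol=" values; 0 is read as "any"
DROP, FORWARD, NEXT = "Drop", "Forward", "Check Next Rule"


@dataclass(frozen=True)
class Rule:
    proto: int = ANY
    dst_ip: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    dst_port: Optional[int] = None    # None models "Port # Comp= None"
    src_ip: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"
    src_port: Optional[int] = None
    matched: str = DROP
    not_matched: str = NEXT


# The three rules of the Menu 21.1 summary (M m n = "N D N", "N D N", "N D F").
WEB_BLOCK = [
    Rule(proto=TCP, dst_port=80),
    Rule(proto=TCP, dst_port=53),
    Rule(proto=UDP, dst_port=53, not_matched=FORWARD),
]

# Client-blocking rule. The /32 mask and both actions are assumptions because
# the menu is cut off on the page.
CLIENT_BLOCK = [
    Rule(src_ip="192.168.1.5", src_mask="255.255.255.255",
         matched=DROP, not_matched=FORWARD),
]


def _masked_equal(addr, rule_ip, rule_mask):
    """Compare under the rule's mask; mask 0.0.0.0 therefore matches any address."""
    a, r, m = (int(ipaddress.IPv4Address(x)) for x in (addr, rule_ip, rule_mask))
    return (a & m) == (r & m)


def rule_matches(rule, pkt):
    if rule.proto != ANY and rule.proto != pkt["proto"]:
        return False
    if not _masked_equal(pkt["dst"], rule.dst_ip, rule.dst_mask):
        return False
    if not _masked_equal(pkt["src"], rule.src_ip, rule.src_mask):
        return False
    if rule.dst_port is not None and rule.dst_port != pkt["dport"]:
        return False
    if rule.src_port is not None and rule.src_port != pkt["sport"]:
        return False
    return True


def evaluate(rules, pkt):
    """Walk the set in order; return (action, number of the deciding rule)."""
    for number, rule in enumerate(rules, start=1):
        action = rule.matched if rule_matches(rule, pkt) else rule.not_matched
        if action != NEXT:
            return action, number
    return FORWARD, None              # assumption: undecided packets pass


def packet(src, dst, proto, dport=None, sport=None):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport, "sport": sport}


# Constructed traffic from a LAN workstation to an outside host.
SAMPLES = {
    "http": packet("192.168.1.33", "198.51.100.7", TCP, 80),
    "dns-udp": packet("192.168.1.33", "198.51.100.53", UDP, 53),
    "https": packet("192.168.1.33", "198.51.100.7", TCP, 443),
    "http-8080": packet("192.168.1.33", "198.51.100.7", TCP, 8080),
}


def audit(rules, samples=SAMPLES):
    """Decision for every sample packet, keyed by sample name."""
    return {name: evaluate(rules, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, (action, number) in audit(WEB_BLOCK).items():
        print(f"{name:10} -> {action:7} (decided by rule {number})")
```

Running the audit shows what the port-based set leaves open: only destination ports 80 and 53 are dropped, so web traffic on 443 or 8080 is forwarded by the last rule.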
This configuration example shows you how to use a Generic Filter to block a specific MAC address of the LAN.

Before you Begin

Before you configure the filter, you need to know the MAC address of the client first. The MAC address can be provided by the NICs. If LAN packets are passing through the Prestige, you can identify the uninteresting MAC address from the Prestige's LAN packet trace.

  + Internet Protocol
    - Version (MSB 4 bits): 4
    - Header length (LSB 4 bits): 5
    - Service type: Precd=Routine, Delay=Normal, Thrput=Normal, Reli=Normal
    - Total length: 60 (Octets)
    - Fragment ID: 60172
    - Flags: May be fragmented, Last fragment, Offset=0 (0x00)
    - Time to live: 32 seconds/hops
    - IP protocol type: ICMP (0x01)
    - Checksum: 0xE3EA
    - IP address 202.132.155.93 (Source IP address) ----> 202.132.155.

Menu 21.1.

• Action Matched= Enter the action you want if the masked packet matches the 'Value'. In this case, we will drop it.
• Action Not Matched= Enter the action you want if the masked packet does not match the 'Value'. In this case, we will forward it. If you want to configure more rules, please select 'Check Next Rule' to start configuring the next new rule. However, please note that the 'Filter Type' must also be 'Generic Filter Rule' and not any other type.
A filter for blocking the NetBIOS packets

• Introduction

The NetBIOS protocol is used to share a Microsoft computer in a workgroup. For security reasons, NetBIOS connections to an outside host are blocked by the Prestige router by factory default. Users can remove the filter sets applied to menu 3.1 and menu 4.1 to activate the NetBIOS services. The details of the filter settings are described as follows.

  Set #  Comments            Set #  Comments
  ------ -----------------   ------ -----------------
    1    NetBIOS_WAN           7    _______________
    2    NetBIOS_LAN           8    _______________
    3    _______________       9    _______________
    4    _______________      10    _______________
    5    _______________      11    _______________
    6    _______________      12    _______________

  Enter Filter Set Number to Configure= 1
  Edit Comments=

  Press ENTER to Confirm or ESC to Cancel:

Configure the first filter set 'NetBIOS_WAN' by selecting th
• Rule 2-Destination port number 137 with protocol number 17 (UDP)

Menu 21.1.2 - TCP/IP Filter Rule

  Filter #: 1,2
  Filter Type= TCP/IP Filter Rule
  Active= Yes
  IP Protocol= 17    IP Source Route= No
  Destination: IP Addr= 0.0.0.0
               IP Mask= 0.0.0.0
               Port #= 137
               Port # Comp= Equal
  Source:      IP Addr= 0.0.0.0
               IP Mask= 0.0.0.

  IP Protocol= 6     IP Source Route= No
  Destination: IP Addr= 0.0.0.0
               IP Mask= 0.0.0.0
               Port #= 138
               Port # Comp= Equal
  Source:      IP Addr= 0.0.0.0
               IP Mask= 0.0.0.0
               Port #= 0
               Port # Comp= None
  TCP Estab= No
  More= No           Log= None
  Action Matched= Drop
  Action Not Matched= Check Next Rule

  Press ENTER to Confirm or ESC to Cancel:

• Rule 4-Destination port number 138 with protocol number 17 (UDP)

Menu 21.1.

  Action Matched= Drop
  Action Not Matched= Check Next Rule

  Press ENTER to Confirm or ESC to Cancel:

• Rule 5-Destination port number 139 with protocol number 6 (TCP)

Menu 21.1.5 - TCP/IP Filter Rule

  Filter #: 1,5
  Filter Type= TCP/IP Filter Rule
  Active= Yes
  IP Protocol= 6     IP Source Route= No
  Destination: IP Addr= 0.0.0.0
               IP Mask= 0.0.0.0
               Port #= 139
               Port # Comp= Equal
  Source:      IP Addr= 0.0.0.0
               IP Mask= 0.0.0.

  Filter Type= TCP/IP Filter Rule
  Active= Yes
  IP Protocol= 17    IP Source Route= No
  Destination: IP Addr= 0.0.0.0
               IP Mask= 0.0.0.0
               Port #= 139
               Port # Comp= Equal
  Source:      IP Addr= 0.0.0.0
               IP Mask= 0.0.0.0
               Port #= 0
               Port # Comp= None
  TCP Estab= N/A
  More= No           Log= None
  Action Matched= Drop
  Action Not Matched= Forward

  Press ENTER to Confirm or ESC to Cancel:

• After the first filter set is finished, you will get the complete rules summary as below.

Menu 21.

• Apply the first filter set 'NetBIOS_WAN' to the 'Output Protocol Filter' in the remote node setup.

Configure the second filter set 'NetBIOS_LAN' by selecting the Filter Set number 2.

• Rule 1-Source port number 137, Destination port number 53 with protocol number 6 (TCP)

Menu 21.2.1 - TCP/IP Filter Rule

  Filter #: 2,1
  Filter Type= TCP/IP Filter Rule
  Active= Yes
  IP Protocol= 6     IP Source Route= No
  Destination: IP Addr= 0.0.0.0
               IP Mask= 0.0.0.

  IP Protocol= 17    IP Source Route= No
  Destination: IP Addr= 0.0.0.0
               IP Mask= 0.0.0.0
               Port #= 53
               Port # Comp= Equal
  Source:      IP Addr= 0.0.0.0
               IP Mask= 0.0.0.0
               Port #= 137
               Port # Comp= Equal
  TCP Estab= N/A
  More= No           Log= None
  Action Matched= Drop
  Action Not Matched= Forward

  Press ENTER to Confirm or ESC to Cancel:

1. After the first filter set is finished, you will get the complete rules summary as below.

Menu 21.
    protocol filters= 2
    device filters=
  Output Filter Sets:
    protocol filters=
    device filters=

Using the Dynamic DNS (DDNS)

1. What is DDNS?

The DDNS service, an IP Registry, provides a public central database where information such as email addresses, hostnames, IPs etc. can be stored and retrieved. This solves the problems if your DNS server uses an IP associated with dynamic IPs.

Menu 1 - General Setup

  System Name= Prestige
  Location=
  Contact Person's Name=
  Domain Name=
  Edit Dynamic DNS= Yes
  Route IP= Yes
  Bridge= No

Menu 1.1 - Configure Dynamic DNS

  Service Provider= WWW.DynDNS.ORG
  Active= Yes
  Host=[the local server's host name]
  EMAIL=
  USER=
  Password= ********
  Enable Wildcard= No

Key Settings for using DDNS function:

  Option            Description
  Service Provider  Enter the DDNS server WWW.DYNDNS.ORG.
  Active            Toggle to 'Yes'.
  Password          Enter the password that the DDNS server gives to you.
  Enable Wildcard   Enter the hostname for the wildcard function that the WWW.DYNDNS.ORG supports. Note that Wildcard option is available only when the provider is WWW.DYNDNS.ORG.

Network Management Using SNMP

1. SNMP Overview

The Simple Network Management Protocol (SNMP) is an application-layer protocol used to exchange management information between network devices (e.g., routers).
The current Internet-standard MIB, MIB-II, is defined in RFC 1213 and contains 171 objects. These objects are grouped by protocol (including TCP, IP, UDP, SNMP) and other categories, including 'system' and 'interface'.

The Internet Management Model is as shown in figure 1. Interactions between the NMS and managed devices can be any of four different types of commands:

6.

2. SNMPv1 Operations

SNMP itself is a simple request/response protocol. Four SNMPv1 operations are defined as below.

• Get
  Allows the NMS to retrieve an object variable from the agent.
• GetNext
  Allows the NMS to retrieve the next object variable from a table or list within an agent. In SNMPv1, when an NMS wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations.

so on) and the object values involved in the operation. The following figure shows the SNMPv1 message format.

The SNMP PDU contains the following fields:

• PDU type: Specifies the type of PDU.
• Request ID: Associates requests with responses.
• Error status: Indicates an error and an error type.
• Error index: Associates the error with a particular object variable.
• Variable-bindings: Associates particular objects with their values.

3.

• warmStart (defined in RFC-1215): If the machine warmstarts, the trap will be sent after booting.
• linkDown (defined in RFC-1215): If any link of IDSL or WAN is down, the trap will be sent with the port number. The port number is its interface index under the interface group.
• linkUp (defined in RFC-1215): If any link of IDSL or WAN is up, the trap will be sent with the port number. The port number is its interface index under the interface group.
4. Configure the Prestige for SNMP

The SNMP related settings in Prestige are configured in menu 22, SNMP Configuration. The following steps describe a simple setup procedure for configuring all SNMP settings.

Menu 22 - SNMP Configuration

  SNMP:
    Get Community= public
    Set Community= public
    Trusted Host= 192.168.1.33
  Trap:
    Community= public
    Destination= 192.168.1.33

  Press ENTER to Confirm or ESC to Cancel:

Key Settings:

  Option          Descriptions
  Get Community   Enter the correct Get Community. This Get Community must match the 'Get-' and 'GetNext' community requested from the NMS. The default is 'public'.
  Set Community   Enter the correct Set Community. This Set Community must match the 'Set-' community requested from the NMS. The default is 'public'.
                  Enter the IP address of the NMS.

Configuration:

1. Active, use the space bar to turn on the syslog option.
2. Syslog IP Address, enter the IP address of the UNIX server that you wish to send the syslog to.
3. Log Facility, use the space bar to toggle between the 7 different local options.

• UNIX Setup

1. Make sure that your syslogd starts with the -r argument. The -r option enables the facility to receive messages from the network using an Internet domain socket with the syslog services.
  L02 Call Terminated
  C02 Call Terminated

Example:

  Feb 14 16:57:17 192.168.1.1 ZyXEL Communications Corp.: board 0 line 0 channel 0, call 18, C01 Incoming Call OK
  Feb 14 17:07:18 192.168.1.1 ZyXEL Communications Corp.

  prot: Protocol (TCP,UDP,ICMP)
  spo: Source port
  dpo: Destination port

Example:

  Jul 19 14:44:09 192.168.1.1 ZyXEL Communications Corp.: IP[Src=202.132.154.1 Dst=192.168.1.33 UDP spo=0035 dpo=05d4]}S03>R01mF
  Jul 19 14:44:13 192.168.1.1 ZyXEL Communications Corp.: IP[Src=192.168.1.33 Dst=202.132.154.
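A parser for the filter log lines shown above, as an added example (not ZyXEL code) that extracts the addresses, protocol and ports and counts dropped packets per source. The first sample line is the one from this page and the others are constructed in the same layout; reading spo/dpo as hexadecimal and the trailer as filter set, rule, m/n (matched or not) and F/D (forward or drop) are assumptions.

```python
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<device>\S+) .*?: "
    r"IP\[Src=(?P<src>\S+) Dst=(?P<dst>\S+) (?P<prot>TCP|UDP|ICMP)"
    r"(?: spo=(?P<spo>[0-9a-fA-F]{4}) dpo=(?P<dpo>[0-9a-fA-F]{4}))?\]"
    r"\}(?P<trailer>\S*)$"
)
# Assumed trailer layout, e.g. "S03>R01mF": set 3, rule 1, matched, forwarded.
TRAILER_RE = re.compile(
    r"^S(?P<set>\d+)>R(?P<rule>\d+)(?P<hit>[mn])(?P<action>[FD])$"
)

SAMPLE_LOG = [
    # From this page:
    "Jul 19 14:44:09 192.168.1.1 ZyXEL Communications Corp.: "
    "IP[Src=202.132.154.1 Dst=192.168.1.33 UDP spo=0035 dpo=05d4]}S03>R01mF",
    # Constructed lines in the same layout:
    "Jul 19 14:45:02 192.168.1.1 ZyXEL Communications Corp.: "
    "IP[Src=192.168.1.5 Dst=198.51.100.7 TCP spo=0c1a dpo=0050]}S01>R01mD",
    "Jul 19 14:45:03 192.168.1.1 ZyXEL Communications Corp.: "
    "IP[Src=192.168.1.5 Dst=198.51.100.9 UDP spo=0089 dpo=0035]}S02>R02mD",
    "Jul 19 14:45:07 192.168.1.1 ZyXEL Communications Corp.: "
    "IP[Src=192.168.1.33 Dst=198.51.100.7 ICMP]}S01>R03nF",
    # Call log line (different format, must be skipped):
    "Feb 14 16:57:17 192.168.1.1 ZyXEL Communications Corp.: "
    "board 0 line 0 channel 0, call 18, C01 Incoming Call OK",
]


def parse_line(line):
    """Return a dict for a filter log line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": m["ts"],
        "device": m["device"],
        "src": m["src"],
        "dst": m["dst"],
        "prot": m["prot"],
        # ICMP lines carry no ports; TCP/UDP ports are four hex digits.
        "sport": int(m["spo"], 16) if m["spo"] else None,
        "dport": int(m["dpo"], 16) if m["dpo"] else None,
        "filter_set": None,
        "rule": None,
        "matched": None,
        "action": None,
    }
    t = TRAILER_RE.match(m["trailer"])
    if t:
        rec.update(
            filter_set=int(t["set"]),
            rule=int(t["rule"]),
            matched=(t["hit"] == "m"),
            action=t["action"],
        )
    return rec


def dropped_by_source(lines):
    """Count dropped packets per source address across the given log lines."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "D":
            counts[rec["src"]] += 1
    return counts


if __name__ == "__main__":
    for src, n in dropped_by_source(SAMPLE_LOG).most_common():
        print(f"{src}: {n} dropped")
```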
Prestige 2602H-6xC Support Notes Using IP Alias • What is IP Alias ? In a typical environment, a LAN router is required to connect two local networks. The Prestige can connect three local networks to the ISP or a remote node, we call this function as 'IP Alias'. In this case, an internal router is not required. For example, the network manager can divide the local network into three networks and connect them to the Internet using Prestige's single user account. See the figure below.
Two new protocol filter interfaces in menu 3.2.1 allow you to accept or deny LAN packets from/to IP alias 1 and IP alias 2 passing through the Prestige. The filter set in menu 3.1 is used for the main network configured in menu 3.2.

• IP Alias Setup
1. Edit the first network in menu 3.2 by configuring the Prestige's first LAN IP address.

Menu 3.2 - TCP/IP and DHCP Setup
DHCP Setup
DHCP= Server
Client IP Pool Starting Address= 192.168.1.
Edit IP Alias   Toggle to 'Yes' to enter menu 3.2.1 for setting up the second and third networks.

2. Edit the second and third networks in menu 3.2.1 by configuring the Prestige's second and third LAN IP addresses.

Menu 3.2.1 - IP Alias Setup
IP Alias 1= Yes
  IP Address= 192.168.2.1
  IP Subnet Mask= 255.255.255.0
  RIP Direction= None
  Version= RIP-1
  Incoming protocol filters=
  Outgoing protocol filters=
IP Alias 2= Yes
  IP Address= 192.168.3.1
  IP Subnet Mask= 255.255.255.
Call scheduling provides the mechanism for the Prestige to run the remote node connection according to a pre-defined schedule. This feature works like the scheduler in a video recorder, which records programs at the specified times. Users can apply at most 4 schedule sets in Menu 11 (Remote Node Setup), and configure each schedule in Menu 26 (Schedule Setup).
Prestige 2602H-6xC Support Notes 4 _______________ 10 _______________ 5 _______________ 11 _______________ 6 _______________ 12 _______________ Enter Schedule Set Number to Configure= 1 Edit Name= ZyXEL Press ENTER to Confirm or ESC to Cancel: 3. The Menu 26.1 Schedule Set Setup is as follows: Menu 26.
Start Date   Start date of this schedule rule. It does not have to match the weekday setting. For example, the Start Date can be 2004/10/02 (Monday) while the Monday setting in weekday is No.
How Often    If Once is selected, all weekday settings will be marked as N/A. After the rule is completed, it will be deleted automatically.
Forced On    The node will always stay up during the setting period. It is equivalent to disabling the idle timeout.
Session Options:
  Edit Filter Sets= No
  Idle Timeout(sec)= 100
  Edit Traffic Redirect= No
Press ENTER to Confirm or ESC to Cancel:

• Time Service in Prestige
The Prestige has no RTC (Real-Time Clock) chip, so it uses a mechanism to get the current time and date from an external server at boot time. Time service is implemented by the Daytime protocol (RFC-867), Time protocol (RFC-868), and NTP protocol (RFC-1305).
Press ENTER to Confirm or ESC to Cancel:

Using IP Multicast

• What is IP Multicast?
Traditionally, IP packets are transmitted in two ways - unicast or broadcast. Multicast is a third way to deliver IP packets to a group of hosts. Host groups are identified by class D IP addresses, i.e., those with "1110" as their higher-order bits. In dotted decimal notation, host group addresses range from 224.0.0.0 to 239.255.255.255. Among them, 224.0.0.
Prestige 2602H-6xC Support Notes IP Subnet Mask= 255.255.255.0 RIP Direction= Both Version= RIP-2B Multicast= IGMP-v2 IP Policies= Edit IP Alias= No Press ENTER to Confirm or ESC to Cancel: Enable IGMP in Prestige's remote node in menu 11.3: Menu 11.3 - Remote Node Network Layer Options IP Options: Bridge Options: IP Address Assignment = Dynamic Ethernet Addr Timeout(min)= N/A Rem IP Addr = 0.0.0.0 Rem Subnet Mask= 0.0.0.
Using Prestige traffic redirect

• What is Traffic Redirect?
Traffic redirect forwards WAN traffic to a backup gateway when the Prestige cannot connect to the Internet through its normal gateway, making the backup gateway an auxiliary backup of your WAN connection. Once the Prestige detects that its WAN connectivity is broken, it will try to forward outgoing traffic to the backup gateway that users specify in the traffic redirect configuration menu.
Check Mechanism = DSL Link
Check WAN IP Address1 = 0.0.0.0
Check WAN IP Address2 = 0.0.0.0
Check WAN IP Address3 = 0.0.0.0
KeepAlive Fail Tolerance = 5
Recovery Interval(sec) = 60
ICMP Timeout(sec) = 0
Traffic Redirect = Yes

Key Settings:

Label         Description
Backup Type   Select the method that the Prestige uses to check the DSL connection. Select DSL Link to have the Prestige check if the connection to the DSLAM is up.
Label             Description
Redirect Active   Select this check box to have the Prestige use traffic redirect if the normal WAN connection goes down. If you activate traffic redirect, you must configure at least one Check WAN IP Address.
Metric            This field sets this route's priority among the routes the Prestige uses. The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost".
Using Universal Plug n Play (UPnP)

• 1. What is UPnP
UPnP (Universal Plug and Play) makes connecting PCs of all form factors, intelligent appliances, and wireless devices in the home, office, and everywhere in between easier and even automatic by leveraging TCP/IP and Web technologies. UPnP can be supported on essentially any operating system and works with essentially any type of physical networking media – wired or wireless.
UPnP Operations
• Addressing: UPnPv1 devices MAY support IPv4, IPv6, or both. For IPv4, each device should have a DHCP client; when the device gets connected to the network, it will discover the DHCP server on the network to get an IP address. If not, the Auto-IP mechanism should be supported so that the device can give itself an IP address (169.254.0.0/16).
• Discovery: Whenever a device is added on the network, it will advertise its service over the network.
In the diagram, suppose PC1 and PC2 both sign in to the MSN server, and they would like to establish a video conference. PC1 is behind a PPPoE dial-up router which supports UPnP. Since the router supports UPnP, we don't need to set up NAT mapping for PC1. As long as we enable the UPnP function on the router, PC1 will assign the mapping to the router dynamically. Note that since PC1 must support UPnP, we presume that its OS is Microsoft WinME or WinXP.
2. After getting an IP address, open the MSN application on the PC and sign in to the MSN server.
3. Start a Video conversation with one online user.
4. On the opposite side, your partner selects Accept to accept your conversation request.

All contents copyright (c) 2005 ZyXEL Communications Corporation.
5. Finally, your video conversation is established.
VoIP Application Notes

Setup SIP Account

VoIP is the sending of voice signals over the Internet Protocol. This allows you to make phone calls and send faxes over the Internet at a fraction of the cost of using the traditional circuit-switched telephone network. The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sessions over the Internet.
Note: You should have a voice account already set up and have the VoIP information from your VoIP service provider before configuring a SIP account on the unit. With the account information your ITSP provided, you may now start.
Step 1. Open the web browser on your workstation and connect to the Prestige by entering the management IP address of the Prestige (LAN IP address). The default management IP of the Prestige is 192.168.1.1.
Step 2.
Step 3. In the left column click on Voice to bring up the Voice configuration menu, then click on SIP Settings. While in the SIP Settings page, use the account selector on the upper right of the page to select the SIP account you would like to configure.
Step 4. Check the active SIP box if you would like to use this account, and fill in the account information the ITSP provided you in the SIP setting category.
SIP Local Port       Use this field to configure the Prestige’s listening port for SIP. Leave this field set to the default if you were not given a local port number for SIP.
SIP Server Address   Type the IP address of the SIP server in this field.
SIP Server Port      Enter the SIP server’s listening port for SIP in this field. Leave this field set to the default if your VoIP service provider did not give you a local port number for SIP.
SIP account on Phone 1, Phone 2 or both. If you select both, you will not know which SIP account a call is coming in on.
Advanced Settings   Click Settings to open a screen where you can configure the Prestige’s advanced VoIP settings like SIP server settings, the RTP port range and the coding type.
Apply               Click Apply to save your changes back to the Prestige.
Reset               Click Reset to begin configuring this screen afresh.
To configure the phone port setting, please follow the steps below.
Step 1. Open the web browser on your workstation and connect to the Prestige by entering the management IP address of the Prestige. The default management IP of the Prestige is 192.168.1.1.
Step 2. Enter the administrator password on the login page and click on login. The default is '1234'.
Step 3. In the left column click on Voice to bring up the voice function menu.
Dialing Interval   When you are dialing a telephone number the Prestige waits this long after you stop pressing the buttons before initiating the call. Select how many seconds you want the Prestige to wait after the last input on the telephone’s keypad before dialing (making) a call.
Apply              Click Apply to save your changes back to the Prestige.
Reset              Click Reset to begin configuring this screen afresh.
Step 2. Enter the administrator password on the login page and click on login. The default is '1234'.
Step 3. In the left column click on Speed Dial to open the speed dial configuration page.
Step 4. Select the entry number you wish to add to the phone book using the entry selector located under the add new entry category in the speed dial field.
Step 5.
Speed Dial   This is the entry’s speed dial key combination. Press this key combination on a telephone attached to the Prestige in order to call the party named in this entry.
Name         This is the descriptive name of the party that you will use this speed dial entry to call.
SIP Number   This is the SIP number of the party that you will call.
Type         This field displays Use Proxy if calls to this party use one of your SIP accounts.
The Web configurator is a user-friendly configuration interface, which can be accessed by typing the LAN IP address of the Prestige in the user's web browser. To access the Prestige's web configurator via web browser, the configuration PC must be in the same IP segment as the Prestige, and the Prestige must be reachable from the configuration station. (By default the Prestige LAN IP is 192.168.1.
How do I upload or backup ROMFILE via web configurator?
In some situations, you may need to upload the ROMFILE, restore a previously saved configuration, or reset SMT to factory default. The procedure for uploading the ROMFILE via the web configurator is as follows.
a. Log on to the web configurator.
b. Press "MAINTENANCE" from the left menu.
c. Press "Configuration" tab.
c. The default filter rule 3 (Telnet_FTP_WAN) is applied in the Input Protocol field in menu 11.5.

What should I do if I forget the system password?
If you forget the system password, you can reset the unit back to factory default. Use a sharp pointed object such as a pen to press and hold down the "reset" button for 5 seconds or until the power LED starts to blink, then release. The unit is then reset back to factory default.
Prestige 2602H-6xC Support Notes The design goal of ZyXEL's SUA is to minimize the Internet access cost in a small office environment by using a single IP address to represent the multiple hosts inside. It does more than IP address translation, so that multiple hosts on the LAN can access the Internet at the same time. How many network users can the SUA/NAT support? The Prestige does not limit the number of the users but the number of the sessions.
Will the Prestige work with my Internet connection?
The Prestige is designed to be compatible with major ISPs that utilize ADSL as a broadband service. The Prestige IAD offers an Ethernet port to connect to your computer, so the Prestige is placed in the line between the computer and your ISP. If your ISP supports PPPoE/PPPoA you can also use the Prestige, because PPPoE/PPPoA is supported in the Prestige.
Prestige 2602H-6xC Support Notes Why does my provider use PPPoE? PPPoE emulates a familiar Dial-Up connection. It allows your ISP to provide services using their existing network configuration over the broadband connections. Besides, PPPoE supports a broad range of existing applications and service including authentication, accounting, secure access and configuration management.
Prestige 2602H-6xC Support Notes How does e-mail work through the Prestige? It depends on what kind of IP you have: Static or Dynamic. If your company has a domain name, it means that you have a static IP address. Suppose your company's e-mail address is xxx@mycompany.com. Joe and Debbie will be able to send e-mail through Prestige Internet Access Device using jane@mycompany.com and debbie@mycompany.com respectively as their e-mail addresses.
What network interface does the new Prestige series support?
The new Prestige series supports an auto MDI/MDIX 10/100M Ethernet LAN port to connect to the computer or switch on the LAN, and an ADSL port on the WAN.

How does the Prestige support TFTP?
In addition to the direct console port connection, the Prestige supports uploading/downloading the firmware and configuration file using TFTP (Trivial File Transfer Protocol) over LAN.
Prestige 2602H-6xC Support Notes To create the appearance of faster network access, service companies plan to store or "cache" frequently requested web sites and Usenet newsgroups on a server at their head-end. Storing data locally will remove some of the bottleneck at the backbone connection. How fast can they go? In a perfect world (or lab) they can receive data at speeds up to 30 Mbps. In the real world, with cost conscious cable companies running the systems, the speed will probably fall to about 1.
What IP/Port mapping does Multi-NAT support?
NAT supports five types of IP/port mapping. They are: One to One, Many to One, Many to Many Overload, Many to Many No Overload and Server. The details of the mapping between ILA and IGA are described below. Here we define the local IP addresses as the Internal Local Addresses (ILA) and the global IP addresses as the Inside Global Addresses (IGA).
1. One to One
In One-to-One mode, the Prestige maps one ILA to one IGA.
2.
Overload                   ILA2<--->IGA2
                           ILA3<--->IGA1
                           ILA4<--->IGA2
                           ...
Many-to-Many No Overload   ILA1<--->IGA1
                           ILA2<--->IGA2
                           ILA3<--->IGA3
                           ILA4<--->IGA4
                           ...
Server                     Server 1 IP<--->IGA1
                           Server 2 IP<--->IGA1

What is the difference between SUA and Multi-NAT?
SUA (Single User Account) in previous ZyNOS versions is a NAT set with 2 rules, Many-to-One and Server. The Prestige now has Full Feature NAT support to map global IP addresses to local IP addresses of clients or servers.
Prestige 2602H-6xC Support Notes (e.g., www.zyxel.com.tw) for your server (e.g., Web server) from a DDNS server. The outside users can always access the web server using the www.zyxel.com.tw regardless of the WAN IP of the 312. When the ISP assigns the Prestige a new IP, the Prestige updates this IP to DDNS server so that the server can update its IP-to-DNS entry. Once the IP-to-DNS table in the DDNS server is updated, the DNS name for your web server (i.e., www.zyxel.com.tw) is still usable.
How do I setup my Prestige for routing IPsec packets over SUA?
For outgoing IPsec tunnels, no extra setting is required. For forwarding the inbound IPsec ESP tunnel, a 'Default' server set in menu 15 is required. This is because SUA makes your LAN appear as a single machine to the outside world. LAN users are invisible to outside users. So, to make an internal server available for outside access, we must specify the service port and the LAN IP of this server in Menu 15.
What is the relationship between codec and VoIP?
In order to transfer voice (an analog signal) over IP, it first needs to be digitized. A codec is a technique for converting an analog signal to digital and vice versa. There are various speech codecs available that can be used with VoIP, each with its advantages and disadvantages.
What is codec?
A codec is an algorithm which converts an analog signal into a digital signal and vice versa. There are three main types: waveform codec, source codec, and hybrid codec. Each consumes a different amount of bandwidth and provides a different voice quality level.
Prestige 2602H-6xC Support Notes 2. A PC with VoIP software installed or a hardware VoIP box such as ATA or device like Prestige 2602 VoIP station router. 3. An account with a VoIP provider such as an ITSP. The account can be configured to recognize your calls automatically, or you can require the users to enter their unique account numbers issued. Unable to register with the SIP server? If you are unable to register with SIP server. 1.
If all of the above have been tried but registration still fails, what should I do?
In such a case, please contact your local vendor for support. If they can't resolve the problem, they will escalate it to the ZyXEL tech center. To report a problem, please prepare the information below.
1. Serial number of the device.
2. SIP Call server type and vendor.
3. Your device firmware version and romfile with password.
4. Detailed information on what you have tried to resolve the problem.
What are the basic types of firewalls?
Conceptually, there are three types of firewalls:
1. Packet Filtering Firewall
2. Application-level Firewall
3. Stateful Inspection Firewall

Packet Filtering Firewalls generally make their decisions based on the header information in individual packets. This header information includes the source, destination addresses and ports of the packets.
Why do you need a firewall when your router has packet filtering and NAT built-in?
With the spectacular growth of the Internet and online access, companies that do business on the Internet face greater security threats. Although packet filters and NAT restrict access to particular computers and networks, for other companies this security may be insufficient, because packet filters typically cannot maintain session state.
SYN-ACK, it queues up all outstanding SYN-ACK responses on what is known as a backlog queue. SYN-ACKs are moved off the queue only when an ACK comes back or when an internal timer (which is set at relatively long intervals) terminates the TCP three-way handshake. Once the queue is full, the system will ignore all incoming SYN requests, making the system unavailable for legitimate users.
Prestige 2602H-6xC Support Notes How can I protect against IP spoofing attacks? The Prestige's firewall will automatically detect the IP spoofing and drop it if the firewall is turned on. If the firewall is not turned on we can configure a filter set to block the IP spoofing attacks.
• Active = Yes
• Destination IP Addr = a.b.c.d
• Destination IP Mask = w.x.y.z
• Action Matched = Drop
• Action No Matched = Forward

Where a.b.c.d is an IP address on your local network and w.x.y.z is your netmask.

Content Filter FAQ

What types of content filter does Prestige provide?

Can I have different policies in effect for different times of the day or week?
Yes, but only one blocking period of time is supported currently on ZyXEL appliance.
Why do I need VPN?
There are some reasons to use a VPN. The most common reasons are security and cost.

Security
1). Authentication
With authentication, the VPN receiver can verify the source of packets and guarantee the data integrity.
2). Encryption
With encryption, VPN guarantees the confidentiality of the original user data.

Cost
1).
Prestige 2602H-6xC Support Notes PPTP is supported in Windows NT and Windows 98 already. For Windows 95, it needs to be upgraded by the Dial-Up Networking 1.2 upgrade. What is L2TP? Layer Two Tunneling Protocol (L2TP) is an extension of the Point-to-Point Tunneling Protocol (PPTP) used by an Internet service provider (ISP) to enable the operation of a virtual private network (VPN) over the Internet.
Prestige 2602H-6xC Support Notes What is SA? A Security Association (SA) is a contract between two parties indicating what security parameters, such as keys and algorithms they will use. What is IKE? IKE is short for Internet Key Exchange. Key Management allows you to determine whether to use IKE (ISAKMP) or manual key configuration to set up a VPN. There are two phases in every IKE negotiation- phase 1 (Authentication) and phase 2 (Key Exchange).
What are Local ID and Peer ID?
Local ID and Peer ID are used in IKE phase 1 negotiation. They are in FQDN (Fully Qualified Domain Name) format; the IKE standard takes it as one type of Phase 1 ID. A Phase 1 ID is an identification for each VPN peer. The type of Phase 1 ID may be IP/FQDN(DNS)/User FQDN(E-mail). The content of the Phase 1 ID depends on the Phase 1 ID type. The following is an example of how to configure the phase 1 ID.
is ready in your Prestige. You can then configure VPN via the web configurator. Please download the firmware from our web site.
NOTE: For updating from ZyNOS V3.2x to V3.5x, please use console or TFTP update. This is because of the memory allocation difference between these two versions.

How do I configure Prestige VPN?
You can configure the Prestige for VPN using SMT or the Web configurator. Prestige 1 supports Web only.
If your Prestige is capable of VPN, you can find the VPN options in the Advanced>VPN tab. For configuring a 'box-to-box VPN', there are some tips:
1. If there is a NAT router running in front of the Prestige, please make sure the NAT router supports IPSec pass-through.
2. In the NAT case (either running on the front-end router or in the Prestige VPN box), only IPSec ESP tunneling mode is supported, since NAT conflicts with AH mode.
3.
What VPN software has been tested with Prestige successfully?
We have tested Prestige successfully with the following third party VPN software.
• SafeNet Soft-PK, 3DES edition
• Checkpoint Software
• SSH Sentinel, 1.4
• SecGo IPSec for Windows
• F-Secure IPSec for Windows
• KAME IPSec for UNIX
• Nortel IPSec for UNIX
• Intel VPN, v. 6.90
• FreeS/WAN for Linux
• SSH Remote ISAKMP Testing Page, (http://isakmp-test.ssh.
Where can I configure Phase 1 ID in Prestige?
Phase 1 ID can be configured in the VPN setup menu as follows. Note that you can make this configuration in either the web configurator or the SMT menu.

If I have NAT router between two VPN gateways, and I would like to use IP type as Phase 1 ID, what should I know?
We presume your environment may look like this,
VPN client: 10.1.33.33
NAT router WAN IP: 202.132.154.2
Prestige WAN: 202.132.154.3

Since the VPN client is behind a NAT router, it must have a private IP address in most cases. This may cause the VPN client to send its private IP address as the content of its phase 1 ID. So you have to configure the Prestige's secure gateway's phase 1 ID as the private IP address of the VPN client.
Prestige 2602H-6xC Support Notes If the VPN connection is initiated from the security gateway behind Prestige, no configuration is necessary for NAT nor Firewall. If the VPN connection is initiated from the security gateway outside of Prestige, NAT port forwarding and Firewall forwarding are necessary. To configure NAT port forwarding, please go to WEB interface, Setup/ "SUA/NAT", put the secure gateway's IP address in default server.
0 11880.160 ENET0-R[0062] TCP 192.168.1.2:1108->192.31.7.130:80
[index] [timer/second][channel-receive/transmit][length] [protocol] [sourceIP/port] [destIP/port]

There are two ways to dump the trace:
1. Online Trace--display the trace real time on screen
2. Offline Trace--capture the trace first and display later

The details for capturing the trace in SMT menu 24.8 are as follows.

Online Trace
1. Trace LAN packet
2. Trace WAN packet

1. Trace LAN packet
1.
4 11883.340 ENET0-R[0339] TCP 192.168.1.2:1108->192.31.7.130:80
5 11883.610 ENET0-T[0054] TCP 192.31.7.130:80->192.168.1.2:1108
6 11883.620 ENET0-T[0102] TCP 192.31.7.130:80->192.168.1.2:1108
7 11883.630 ENET0-T[0054] TCP 192.31.7.130:80->192.168.1.2:1108
8 11883.630 ENET0-R[0060] TCP 192.168.1.2:1108->192.31.7.130:80
9 11883.650 ENET0-R[0060] TCP 192.168.1.2:1108->192.31.7.130:80
10 11883.650 ENET0-R[0062] TCP 192.168.1.2:1109->192.31.7.
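An added example (not part of the ZyXEL notes) that parses brief trace lines using the field legend given with the first trace line and groups them into bidirectional flows with per-direction frame and byte counts. The function names are illustrative; the sample lines are copied from the listing, including the one that is cut off on the page, which is reported as unparsed rather than guessed.

```python
import re
from collections import defaultdict

# Lines 0 and 4-10 as printed in the listing; line 10 is cut off in the
# source page and is kept that way to exercise the reject path.
SAMPLE_TRACE = """\
0 11880.160 ENET0-R[0062] TCP 192.168.1.2:1108->192.31.7.130:80
4 11883.340 ENET0-R[0339] TCP 192.168.1.2:1108->192.31.7.130:80
5 11883.610 ENET0-T[0054] TCP 192.31.7.130:80->192.168.1.2:1108
6 11883.620 ENET0-T[0102] TCP 192.31.7.130:80->192.168.1.2:1108
7 11883.630 ENET0-T[0054] TCP 192.31.7.130:80->192.168.1.2:1108
8 11883.630 ENET0-R[0060] TCP 192.168.1.2:1108->192.31.7.130:80
9 11883.650 ENET0-R[0060] TCP 192.168.1.2:1108->192.31.7.130:80
10 11883.650 ENET0-R[0062] TCP 192.168.1.2:1109->192.31.7.
"""

# [index] [timer/second] [channel-receive/transmit][length] [protocol] [src] [dst]
BRIEF_RE = re.compile(
    r"^(?P<index>\d+)\s+(?P<time>\d+\.\d+)\s+"
    r"(?P<channel>[A-Za-z0-9]+)-(?P<dir>[RT])\[(?P<length>\d+)\]\s+"
    r"(?P<proto>[A-Z]+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)->"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)


def parse_brief(line):
    """Return one trace record as a dict, or None if the line is malformed."""
    m = BRIEF_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for field in ("index", "length", "sport", "dport"):
        rec[field] = int(rec[field])
    rec["time"] = float(rec["time"])
    return rec


def flow_key(rec):
    """Direction-independent key so both halves of a conversation group together."""
    ends = sorted([(rec["src"], rec["sport"]), (rec["dst"], rec["dport"])])
    return (rec["proto"], ends[0], ends[1])


def summarize(trace_text):
    """Group records into flows; count frames and bytes per R/T direction."""
    flows = defaultdict(
        lambda: {"R": [0, 0], "T": [0, 0], "first": None, "last": None}
    )
    rejected = []
    for line in trace_text.splitlines():
        if not line.strip():
            continue
        rec = parse_brief(line)
        if rec is None:
            rejected.append(line)  # truncated or unknown layout: report it
            continue
        flow = flows[flow_key(rec)]
        flow[rec["dir"]][0] += 1              # frames seen in this direction
        flow[rec["dir"]][1] += rec["length"]  # bytes seen in this direction
        if flow["first"] is None:
            flow["first"] = rec["time"]
        flow["last"] = rec["time"]
    return dict(flows), rejected


if __name__ == "__main__":
    flows, rejected = summarize(SAMPLE_TRACE)
    for (proto, a, b), stats in flows.items():
        print(proto, "%s:%d <-> %s:%d" % (a + b), stats)
    print("unparsed:", rejected)
```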
Ack Number = 0x00000000 (0)
Header Length = 28
Flags = 0x02 (....S.)
Window Size = 0x2000 (8192)
Checksum = 0xBEC3 (48835)
Urgent Ptr = 0x0000 (0)
Options =
0000: 02 04 05 B4 01 01 04 02
RAW DATA:
0000: 00 A0 C5 92 13 11 00 80-C8 4C EA 63 08 00 45 00 .........L.c..E.
0010: 00 30 33 0B 40 00 80 06-3E 71 C0 A8 01 02 C0 1F .03.@...>q......
0020: 07 82 04 5C 00 50 00 BD-15 A7 00 00 00 00 70 02 ...\.P........p.
0030: 20 00 BE C3 00 00 02 04-05 B4 01 01 04 02 .....
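An added example (not ZyXEL code) that rebuilds the frame from the RAW DATA rows above, decodes the Ethernet, IPv4 and TCP headers, and recomputes both checksums so the decoded fields can be compared with the values the trace prints. Function names are illustrative; the decoder also flags partially captured frames, which the trace reports elsewhere in these notes as "Size: 247/ 96".

```python
import re
import socket
import struct

# RAW DATA rows copied from the parsed frame above (62-byte TCP SYN on ENET0).
RAW_DUMP = r"""
0000: 00 A0 C5 92 13 11 00 80-C8 4C EA 63 08 00 45 00 .........L.c..E.
0010: 00 30 33 0B 40 00 80 06-3E 71 C0 A8 01 02 C0 1F .03.@...>q......
0020: 07 82 04 5C 00 50 00 BD-15 A7 00 00 00 00 70 02 ...\.P........p.
0030: 20 00 BE C3 00 00 02 04-05 B4 01 01 04 02 .....
"""

ROW_RE = re.compile(r"^([0-9A-Fa-f]{4}):\s+((?:[0-9A-Fa-f]{2}(?:[ -]|$)){1,16})")


def dump_to_bytes(text):
    """Rebuild the frame from 'offset: hex bytes ascii' rows, checking offsets."""
    frame = bytearray()
    for row in text.strip().splitlines():
        m = ROW_RE.match(row.strip())
        if m is None:
            raise ValueError("not a dump row: %r" % row)
        if int(m.group(1), 16) != len(frame):
            raise ValueError("missing bytes before offset " + m.group(1))
        frame += bytes.fromhex(re.sub(r"[ -]", "", m.group(2)))
    return bytes(frame)


def folded_sum(data):
    """16-bit one's-complement sum; data with a valid checksum sums to 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def flag_string(flags):
    """Render TCP flags in the trace's own style, e.g. 0x12 -> '.A..S.'."""
    bits = zip("UAPRSF", (0x20, 0x10, 0x08, 0x04, 0x02, 0x01))
    return "".join(name if flags & bit else "." for name, bit in bits)


def decode_frame(frame):
    """Decode Ethernet/IPv4/TCP and verify checksums where the capture allows."""
    if len(frame) < 34:
        raise ValueError("too short for Ethernet + IPv4")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ethertype != 0x0800 or ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("not a well-formed IPv4 frame")
    total_len, ident = struct.unpack("!HH", ip[2:6])
    ttl, proto, ip_csum = struct.unpack("!BBH", ip[8:12])
    out = {
        "dst_mac": frame[0:6].hex().upper(),
        "src_mac": frame[6:12].hex().upper(),
        "total_length": total_len,
        "identification": ident,
        "ttl": ttl,
        "protocol": proto,
        "src_ip": socket.inet_ntoa(ip[12:16]),
        "dst_ip": socket.inet_ntoa(ip[16:20]),
        "ip_checksum": ip_csum,
        "ip_checksum_ok": folded_sum(ip[:ihl]) == 0xFFFF,
        # The trace may store fewer bytes than the frame carried on the wire.
        "truncated": total_len > len(ip),
    }
    tcp = ip[ihl:total_len]
    if proto != 6 or len(tcp) < 20:
        return out
    sport, dport, seq, ack, off_flags, window, csum, _urg = struct.unpack(
        "!HHIIHHHH", tcp[:20]
    )
    hdr_len = (off_flags >> 12) * 4
    pseudo = ip[12:20] + struct.pack("!BBH", 0, proto, len(tcp))
    out.update({
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "tcp_header_len": hdr_len,
        "flags": flag_string(off_flags & 0x3F),
        "window": window,
        "tcp_checksum": csum,
        "options": tcp[20:hdr_len],
        # A partial capture cannot be checksummed; report None instead of False.
        "tcp_checksum_ok": None if out["truncated"]
        else folded_sum(pseudo + tcp) == 0xFFFF,
    })
    return out


if __name__ == "__main__":
    for key, value in decode_frame(dump_to_bytes(RAW_DUMP)).items():
        print("%-16s %s" % (key, value))
```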
Prestige 2602H-6xC Support Notes Destination IP = 0xC0A80102 (192.168.1.2) TCP Header: Source Port = 0x0050 (80) Destination Port = 0x045C (1116) Sequence Number = 0x4AD1B57F (1255257471) Ack Number = 0x00BD15A8 (12391848) Header Length = 24 Flags = 0x12 (.A..S.) Window Size = 0xFAF0 (64240) Checksum = 0xF877 (63607) Urgent Ptr = 0x0000 (0) Options = 0000: 02 04 05 B4 RAW DATA: 0000: 00 80 C8 4C EA 63 00 A0-C5 92 13 11 08 00 45 00 ...L.c........E.
Prestige 2602H-6xC Support Notes Flags = 0x02 Fragment Offset = 0x00 Time to Live = 0x80 (128) Protocol = 0x06 (TCP) Header Checksum = 0x3C79 (15481) Source IP = 0xC0A80102 (192.168.1.2) Destination IP = 0xC01F0782 (192.31.7.130) TCP Header: Source Port = 0x045C (1116) Destination Port = 0x0050 (80) Sequence Number = 0x00BD15A8 (12391848) Ack Number = 0x4AD1B580 (1255257472) Header Length = 20 Flags = 0x10 (.A....
Example:
Prestige> sys trcp channel enet0 none
Prestige> sys trcp channel enet1 bothway
Prestige> sys trcp sw on
Prestige> sys trcl sw on
Prestige> sys trcd brief
0 12367.680 ENET1-R[0070] UDP 202.132.155.95:520->202.132.155.255:520
1 12370.980 ENET1-T[0062] TCP 202.132.155.97:10261->192.31.7.130:80
2 12373.940 ENET1-T[0062] TCP 202.132.155.97:10261->192.31.7.130:80
3 12374.930 ENET1-R[0064] TCP 192.31.7.130:80->202.132.155.97:10261
4 12374.
Prestige 2602H-6xC Support Notes Source IP = 0xC01F0782 (192.31.7.130) Destination IP = 0xCA849B61 (202.132.155.97) TCP Header: Source Port = 0x0050 (80) Destination Port = 0x281E (10270) Sequence Number = 0xD3E95985 (3555285381) Ack Number = 0x00C18F63 (12685155) Header Length = 20 Flags = 0x19 (.AP..F) Window Size = 0xFAF0 (64240) Checksum = 0x3735 (14133) Urgent Ptr = 0x0000 (0) TCP Data: (Length=1127, Captured=42) 0000: DF 33 AF 62 58 37 52 3D-79 99 A5 3C 2B 59 E2 78 .3.bX7R=y..
Prestige 2602H-6xC Support Notes IP Header: IP Version = 4 Header Length = 20 Type of Service = 0x00 (0) Total Length = 0x0028 (40) Idetification = 0x7A0C (31244) Flags = 0x02 Fragment Offset = 0x00 Time to Live = 0x7F (127) Protocol = 0x06 (TCP) Header Checksum = 0x543C (21564) Source IP = 0xCA849B61 (202.132.155.97) Destination IP = 0xC01F0782 (192.31.7.
Prestige 2602H-6xC Support Notes Ethernet Header: Destination MAC Addr = 00A0C5012345 Source MAC Addr = 00A0C5921312 Network Type = 0x0800 (TCP/IP) IP Header: IP Version = 4 Header Length = 20 Type of Service = 0x00 (0) Total Length = 0x0028 (40) Idetification = 0x7B0C (31500) Flags = 0x02 Fragment Offset = 0x00 Time to Live = 0x7F (127) Protocol = 0x06 (TCP) Header Checksum = 0x533C (21308) Source IP = 0xCA849B61 (202.132.155.97) Destination IP = 0xC01F0782 (192.31.7.
0030: 1D D5 7A 11 00 00 ..z...
Prestige>

Offline Trace
1. Trace LAN packet
2. Trace WAN packet

1. Trace LAN packet
1.1 Disable capturing of WAN packets by entering: sys trcp channel enet1 none
1.2 Enable capturing of LAN packets by entering: sys trcp channel enet0 bothway
1.3 Enable the trace log by entering: sys trcp sw on & sys trcl sw on
1.4 Wait for packets to pass through the Prestige over the LAN
1.5 Disable the trace log by entering: sys trcp sw off & sys trcl sw off
1.
Prestige 2602H-6xC Support Notes 5 10856.030 ENET0-T[0058] TCP 192.31.7.130:80->192.168.1.2:1103 6 10856.040 ENET0-R[0060] TCP 192.168.1.2:1103->192.31.7.130:80 Prestige> sys trcp parse 5 5 ---<0005>---------------------------------------------------------------LAN Frame: ENET0-XMIT Size: 58/ 58 Time: 10856.030 sec Frame Type: TCP 192.31.7.130:80->192.168.1.
Prestige 2602H-6xC Support Notes Header Length = 24 Flags = 0x12 (.A..S.) Window Size = 0xFAF0 (64240) Checksum = 0xDCEF (56559) Urgent Ptr = 0x0000 (0) Options = 0000: 02 04 05 B4 RAW DATA: 0000: 00 80 C8 4C EA 63 00 A0-C5 92 13 11 08 00 45 00 ...L.c........E. 0010: 00 2C 7F 02 40 00 ED 06-85 7D C0 1F 07 82 C0 A8 .,..@....}...... 0020: 01 02 00 50 04 4F D9 1B-18 26 00 AA 40 5F 60 12 ...P.O...&..@_`. 0030: FA F0 DC EF 00 00 02 04-05 B4 .......... Prestige> 2. Trace WAN packet 1.
Prestige 2602H-6xC Support Notes 2 12864.900 ENET1-T[0416] TCP 202.132.155.97:10282->204.217.0.2:80 3 12865.120 ENET1-R[0247] TCP 204.217.0.2:80->202.132.155.97:10278 4 12865.130 ENET1-T[0411] TCP 202.132.155.97:10278->204.217.0.2:80 5 12865.220 ENET1-R[0247] TCP 204.217.0.2:80->202.132.155.97:10282 Prestige> sys trcp parse 3 4 ---<0003>---------------------------------------------------------------LAN Frame: ENET1-RECV Size: 247/ 96 Time: 12865.120 sec Frame Type: TCP 204.217.0.2:80->202.132.
Prestige 2602H-6xC Support Notes Window Size = 0x2238 (8760) Checksum = 0xAB57 (43863) Urgent Ptr = 0x0000 (0) TCP Data: (Length=193, Captured=42) 0000: 48 54 54 50 2F 31 2E 31-20 33 30 34 20 4E 6F 74 HTTP/1.1 304 Not 0010: 20 4D 6F 64 69 66 69 65-64 0D 0A 44 61 74 65 3A Modified..Date: 0020: 20 57 65 64 2C 20 30 37-20 4A Wed, 07 J RAW DATA: 0000: 00 A0 C5 92 13 12 00 A0-C5 59 12 84 08 00 45 00 .........Y....E. 0010: 00 E5 E9 3B 40 00 F0 06-6E 15 CC D9 00 02 CA 84 ...;@...n.......
Prestige 2602H-6xC Support Notes Header Checksum = 0xD59C (54684) Source IP = 0xCA849B61 (202.132.155.97) Destination IP = 0xCCD90002 (204.217.0.2) TCP Header: Source Port = 0x2826 (10278) Destination Port = 0x0050 (80) Sequence Number = 0x00C8C015 (13156373) Ack Number = 0x4D713E47 (1299267143) Header Length = 20 Flags = 0x18 (.AP...
The Prestige supports traces for problems connecting to your ISP using the PPPoE protocol. Please follow the procedure below to collect the trace for our troubleshooting.
1. Remove the LAN cable attached to the Prestige
2. Enter SMT using the console port
3. Enter Menu 24.
putPoeHdr: ver 1 type 1 code x09 sess-id 0 len 12(x000C)
bdcastSendInit: l1.pktTx() failed, pch poe0 ch enet0
poePut1SrvcName: '' len 0 host-uniq 31303030 len 4
putPoeHdr: ver 1 type 1 code x09 sess-id 0 len 12(x000C)
### Hit any key to continue.###
$$$ DIALING dev=6 ch=0..........
Undefined Address : 0xE3F045C4
Undefined Data : 0x56FF54FF
r0= 0xE3F045C4 r1= 0x0001FFC0 r2= 0x000000E5 r3= 0x56FF54FF
r4= 0xE3F045C4 r5= 0xE5BDBFEC r6= 0x0001C468 r7= 0x60000093
r8= 0x00000000 r9= 0xE3550000 r12=0x56FF54FF sp= 0x0001EDBC
r10=0xE3550000 lr= 0x00004F64 fp= 0x00000000 pc= 0x00013954
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
e5bdbfe0: e2 8f 00 06 e5 d5 20 06 e5 d5 20 0a e5 d5 20 0e ...b...f...j...
initialize ch = 0, ethernet address: 00:a0:c5:d1:78:e9
Wan Channel init ........ done ........................................ done
VC5402 Init...OK
Press ENTER to continue...
Enter Password : XXXX

LAN/WAN Packet Trace

The Prestige packet trace records and analyzes packets running on the LAN and WAN interfaces. It is designed for users with technical backgrounds who are interested in the details of the packet flow on the LAN or WAN side of the Prestige.
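The detailed trace output in these notes closes each frame with a RAW DATA hex dump. The added example below (not part of the ZyXEL notes) rebuilds the frame bytes from such a dump and checks the IPv4 header and TCP checksums, reporting the TCP check as undetermined when the capture is shorter than the packet. The function names are chosen here; the sample dump is one frame copied from the trace in these notes.

```python
import re
import struct

# One frame's RAW DATA, copied from the detailed trace output in these notes.
RAW_DATA = r"""
0000: 00 80 C8 4C EA 63 00 A0-C5 92 13 11 08 00 45 00 ...L.c........E.
0010: 00 2C 57 F3 40 00 ED 06-AC 8C C0 1F 07 82 C0 A8 .,W.@...........
0020: 01 02 00 50 04 5C 4A D1-B5 7F 00 BD 15 A8 60 12 ...P.\J.......`.
0030: FA F0 F8 77 00 00 02 04-05 B4 ...w......
"""

# Offset, then up to 16 two-digit hex bytes separated by ' ' or '-'. The ASCII
# column that follows is ignored; on a short final line an ASCII column that
# itself begins with a hex pair would be misread as one more byte.
LINE = re.compile(r"\s*[0-9A-Fa-f]{4}:((?:[ -][0-9A-Fa-f]{2}(?![0-9A-Fa-f])){1,16})")

def parse_dump(text):
    """Rebuild the captured bytes from 'OFFS: hh hh ... ascii' dump lines."""
    out = bytearray()
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace("-", " "))
    return bytes(out)

def inet_checksum(data):
    """RFC 1071 checksum; 0 when data already carries a correct checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def check_frame(frame):
    """Return (ip_ok, tcp_ok); tcp_ok is None for non-TCP or truncated captures."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4-over-Ethernet frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    ip_ok = inet_checksum(ip[:ihl]) == 0
    if ip[9] != 6 or len(ip) < total_len:
        return ip_ok, None  # e.g. "Size: 247/ 96": only part of the packet captured
    seg = ip[ihl:total_len]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(seg))
    return ip_ok, inet_checksum(pseudo + seg) == 0

if __name__ == "__main__":
    print(check_frame(parse_dump(RAW_DATA)))
```

A failed IP header check on a fully captured frame points to corruption or a transcription error in the dump, so verify it before relying on the decoded fields.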
1. Trace LAN packet
1.1 Disable WAN packet capture by entering: sys trcp channel mpoa00 none
1.2 Enable LAN packet capture by entering: sys trcp channel enet0 bothway
1.3 Enable the trace log by entering: sys trcp sw on & sys trcl sw on
1.4 Display the brief trace online by entering: sys trcd brief
or
1.
IP Header:
IP Version = 4
Header Length = 20
Type of Service = 0x00 (0)
Total Length = 0x0030 (48)
Idetification = 0x330B (13067)
Flags = 0x02
Fragment Offset = 0x00
Time to Live = 0x80 (128)
Protocol = 0x06 (TCP)
Header Checksum = 0x3E71 (15985)
Source IP = 0xC0A80102 (192.168.1.2)
Destination IP = 0xC01F0782 (192.31.7.
Frame Type: TCP 192.31.7.130:80->192.168.1.2:1116
Ethernet Header:
Destination MAC Addr = 0080C84CEA63
Source MAC Addr = 00A0C5921311
Network Type = 0x0800 (TCP/IP)
IP Header:
IP Version = 4
Header Length = 20
Type of Service = 0x00 (0)
Total Length = 0x002C (44)
Idetification = 0x57F3 (22515)
Flags = 0x02
Fragment Offset = 0x00
Time to Live = 0xED (237)
Protocol = 0x06 (TCP)
Header Checksum = 0xAC8C (44172)
Source IP = 0xC01F0782 (192.31.7.
0000: 00 80 C8 4C EA 63 00 A0-C5 92 13 11 08 00 45 00 ...L.c........E.
0010: 00 2C 57 F3 40 00 ED 06-AC 8C C0 1F 07 82 C0 A8 .,W.@...........
0020: 01 02 00 50 04 5C 4A D1-B5 7F 00 BD 15 A8 60 12 ...P.\J.......`.
0030: FA F0 F8 77 00 00 02 04-05 B4 ...w......
---<0002>---------------------------------------------------------------
LAN Frame: ENET0-RECV Size: 60/ 60 Time: 12090.210 sec
Frame Type: TCP 192.168.1.2:1116->192.31.7.
Checksum = 0xE8ED (59629)
Urgent Ptr = 0x0000 (0)
TCP Data: (Length=6, Captured=6)
0000: 20 20 20 20 20 20
RAW DATA:
0000: 00 A0 C5 92 13 11 00 80-C8 4C EA 63 08 00 45 00 .........L.c..E.
0010: 00 28 35 0B 40 00 80 06-3C 79 C0 A8 01 02 C0 1F .(5.@...
Source MAC Addr = 00A0C5012345
Network Type = 0x0800 (TCP/IP)
IP Header:
IP Version = 4
Header Length = 20
Type of Service = 0x00 (0)
Total Length = 0x048B (1163)
Idetification = 0xB139 (45369)
Flags = 0x02
Fragment Offset = 0x00
Time to Live = 0xEE (238)
Protocol = 0x06 (TCP)
Header Checksum = 0xA9AB (43435)
Source IP = 0xC01F0782 (192.31.7.130)
Destination IP = 0xCA849B61 (202.132.155.
0010: 04 8B B1 39 40 00 EE 06-A9 AB C0 1F 07 82 CA 84 ...9@...........
0020: 9B 61 00 50 28 1E D3 E9-59 85 00 C1 8F 63 50 19 .a.P(...Y....cP.
0030: FA F0 37 35 00 00 DF 33-AF 62 58 37 52 3D 79 99 ..75...3.bX7R=y.
0040: A5 3C 2B 59 E2 78 A7 98-8F 3F A9 09 E4 0F 26 14 .<+Y.x...?....&.
0050: 9C 58 3E 95 3E E7 FC 2A-4C 2F FB BE 2F FE EF D0 .X>.>..*L/../...

Offline Trace
1. Trace LAN packet
2. Trace WAN packet

1. Trace LAN packet
1.
CLI Command List

The latest CI command list is available in the release notes of every ZyXEL firmware release. Go to the ZyXEL public web site http://www.zyxel.com/support/download.php to download the firmware package (*.zip), then unzip the package to get the release notes in PDF format.

All contents copyright (c) 2005 ZyXEL Communications Corporation.