P-334WT Support Notes V360(JN0)
Last Update: October 8, 2004
FAQ: ZyNOS FAQ, Product FAQ, Firewall FAQ, Content Filtering FAQ, VPN FAQ, Wireless FAQ
Application Notes: IPSec VPN Application Notes, WLAN Application Notes, TMSS Application Notes
CI Command List
Troubleshooting
All contents copyright (c) 2004 ZyXEL Communications Corporation.
ZyNOS FAQ
The default console port baud rate is 9600bps; you can change it to 115200bps in Menu 24.2.2 to speed up SMT access.
3. What is the default console port baud rate? Moreover, how do I change it?
The default console port baud rate is 9600bps. When configuring the SMT, please make sure the terminal baud rate is also 9600bps. You can change the console baud rate from 9600bps to 115200bps in SMT menu 24.2.2.
7. How do I backup/restore SMT configurations by using a TFTP client program via LAN?
a. Use the TELNET client program on your PC to log in to your Prestige.
b. Enter the CI command 'sys stdio 0' in menu 24.8 to disable the console idle timeout.
c. To back up the SMT configurations, use the TFTP client program to get the file 'rom-0' from the Prestige.
d. To restore the SMT configurations, use the TFTP client program to put your configuration file as 'rom-0' on the Prestige.
source address and TCP/UDP source port numbers are written into the destination fields of the packet (since it is now moving in the opposite direction), the checksums are recomputed, and the packet is delivered to its true destination. This is because SUA keeps a table of the IP addresses and port numbers of the local systems currently using it. 11. What is the difference between NAT and SUA? NAT is a generic name defined in RFC 1631 'The IP Network Address Translator (NAT)'.
If the firewall is not turned on, we can configure a filter set to block IP spoofing attacks. The basic scheme is as follows:
For the input data filter:
● Deny packets from the outside that claim to be from the inside
● Allow everything that is not spoofing us
Filter rule setup:
● Filter Type= TCP/IP Filter Rule
● Active= Yes
● Source IP Addr= a.b.c.d
● Source IP Mask= w.x.y.z
● Action Matched= Drop
● Action Not Matched= Forward
Where a.b.c.d is an IP address on your local network and w.x.y.
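As an added example, not part of the original support note, the anti-spoofing input filter above modelled in Python against the Prestige's factory-default LAN 192.168.1.0/24; FilterRule, apply_input_filter and the sample WAN source addresses are constructed, and the 'Next' fall-through for inactive rules and forward-by-default at the end of the set are assumptions.

```python
# Anti-spoofing input filter from the FAQ, modelled in Python.
# Added example, not ZyXEL code; the sample addresses are constructed.
from ipaddress import IPv4Address, IPv4Network


class FilterRule:
    """One TCP/IP filter rule as set up in the FAQ: Source IP Addr + Source IP
    Mask, with the Action Matched / Action Not Matched fields."""

    def __init__(self, active, src_addr, src_mask, matched, not_matched):
        self.active = active
        # 'a.b.c.d' with mask 'w.x.y.z': any source inside this prefix
        # "claims to be from the inside".
        self.net = IPv4Network(f"{src_addr}/{src_mask}", strict=False)
        self.matched = matched          # "Drop" or "Forward"
        self.not_matched = not_matched  # "Drop", "Forward" or "Next" (assumption)

    def evaluate(self, src_ip):
        if not self.active:
            return "Next"               # assumption: inactive rules are skipped
        return self.matched if IPv4Address(src_ip) in self.net else self.not_matched


def apply_input_filter(rules, src_ip):
    """Run the input (WAN-side) filter set in order; the first Drop/Forward wins.
    Assumption: a packet that reaches the end of the set is forwarded."""
    for rule in rules:
        action = rule.evaluate(src_ip)
        if action in ("Drop", "Forward"):
            return action
    return "Forward"


# The FAQ's rule, filled in with the Prestige's factory-default LAN 192.168.1.0/24.
ANTI_SPOOF_SET = [
    FilterRule(active=True, src_addr="192.168.1.1", src_mask="255.255.255.0",
               matched="Drop", not_matched="Forward"),
]

# Constructed sample of packets arriving on the WAN interface: (source IP, note).
WAN_PACKETS = [
    ("198.51.100.7", "ordinary Internet host"),
    ("192.168.1.33", "claims to be a LAN DHCP client: spoofed"),
    ("192.168.1.1", "claims to be the Prestige itself: spoofed"),
    ("203.0.113.9", "ordinary Internet host"),
]


def filter_report(rules, packets):
    """Return {'Drop': [...], 'Forward': [...]} for a batch of WAN packets."""
    out = {"Drop": [], "Forward": []}
    for src, _note in packets:
        out[apply_input_filter(rules, src)].append(src)
    return out


if __name__ == "__main__":
    for verdict, ips in filter_report(ANTI_SPOOF_SET, WAN_PACKETS).items():
        print(verdict, ips)
```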
Product FAQ
General FAQ
10. What is the difference between SUA and Multi-NAT?
11. What is BOOTP/DHCP?
12. What is DDNS?
13. When do I need DDNS?
14. What DDNS servers does the Prestige support?
15. What is DDNS wildcard?
16. Does the Prestige support DDNS wildcard?
17. Can the Prestige's SUA handle IPsec packets sent by the IPsec gateway?
18. How do I setup my Prestige for routing IPsec packets over SUA?
19. Why can't I use video conferencing with MSN 4.
two Ethernet ports: a LAN port and a WAN port. You should connect the computer to the LAN port and connect the external modem to the WAN port. If the ISP uses PPPoE or RoadRunner Authentication, you need the user account to enter in the Prestige.
4. What is PPPoE?
PPPoE stands for Point-to-Point Protocol over Ethernet, an IETF draft standard specifying how a computer interacts with a broadband modem (i.e. xDSL, cable, wireless, etc.
What network interface does the Prestige support?
The Prestige supports 10/100M Ethernet to connect to the computer and 10M Ethernet to connect to the external cable or ADSL modem.
11. What can we do with the Prestige?
Browse the World Wide Web (WWW), send and receive individual e-mail, and download software. These are just a few of the many benefits you can enjoy when you put the whole office on-line with the Prestige Internet Access Sharing Router.
1. WinGate is a software-only solution that needs to be installed on a dedicated Windows 95 PC-based server. The total cost and complexity are many times over ATI's product. The Prestige Internet Access Sharing Router is a plug-n-play Internet appliance.
2. WinGate requires all TCP/IP applications such as Netscape Navigator to be reconfigured to have the dedicated server as a proxy. The Prestige Internet Access Sharing Router does not require users to reconfigure any software at all.
19. What to do when the Prestige responds with nothing via the console?
When the Prestige responds with nothing on your terminal (e.g. embedded HyperTerminal), please try the following methods:
1. Make sure the CON/AUX switch of the P-334WT (which is close to the power jack) is set to CON, not AUX.
2. Check whether the RS-232 cable is well connected between the Prestige and your computer.
3. Try any baud rate between 9600 bps and 115200 bps in case the baud rate has been changed.
starting with how fast your PC can handle IP traffic, then how fast your PC to cable modem interface is, then how fast the cable modem system runs and how much congestion there is on the cable network, then how big a pipe there is at the head end to the rest of the Internet. Different models of PCs and Macs are able to handle IP traffic at varying speeds. Very few can handle it at 30 Mbps. Ethernet (10baseT) is the most popular cable modem interface standard for the PC.
If you are not able to get the Internet IP from the ISP, check which authentication method your ISP uses and troubleshoot the problem as described below.
1. Your ISP checks the 'MAC address'
Some ISPs only provide an IP address to the user with an authorized MAC address. This authorized MAC can be the PC's MAC, which is used by the ISP for the authentication.
Menu 1 - General Setup
  System Name= zyxel
Key Setting:
● System Name= The system name must be the same as the PC's computer name.
3. Your ISP checks 'User ID'
This authentication type is used by the RoadRunner ISP; currently they use RR-TAS (Toshiba Authentication Service) and RR-Manager authentications. You must configure the correct 'Service Type', username and password for your ISP in menu 4.
● Service Type: Currently there are two authentication types that Road Runner supports, RR-TAS and RR-Manager. Choose the correct one for your local ISP.
● Server IP: The Prestige will find the Road Runner server IP if this field is blank; otherwise enter the authentication server IP address if you know it.
● My Login Name: Enter the login name given to you by your ISP.
● My Password: Enter the password associated with the login name.
● WAN IP Address Assignment...
Some servers providing Internet applications, such as some mIRC servers, do not allow users to log in using the same IP address. Thus, users on the same network cannot log in to the same server simultaneously. In this case it is better to use the Many-to-Many No Overload or One-to-One NAT mapping types, so that each user logs in to the server using a unique global IP address.
9. What IP/Port mapping does Multi-NAT support?
NAT supports five types of IP/port mapping.
Many-to-One (SUA/PAT): ILA1<--->IGA1, ILA2<--->IGA1, ...
Many-to-Many Overload: ILA1<--->IGA1, ILA2<--->IGA2, ILA3<--->IGA1, ILA4<--->IGA2, ...
Many-to-Many No Overload: ILA1<--->IGA1, ILA2<--->IGA2, ILA3<--->IGA3, ILA4<--->IGA4, ...
Server: Server 1 IP<--->IGA1, Server 2 IP<--->IGA1
10. What is the difference between SUA and Multi-NAT?
SUA (Single User Account) in previous ZyNOS versions is a NAT set with 2 rules, Many-to-One and Server.
Without DDNS, we always tell the users to use the WAN IP of the Prestige to reach our internal server. This is inconvenient for the users if this IP is dynamic. With DDNS supported by the Prestige, you apply for a DNS name (e.g., www.zyxel.com.tw) for your server (e.g., Web server) from a DDNS server. Outside users can then always access the web server using www.zyxel.com.tw regardless of the WAN IP of the Prestige.
packets which are used for key management. Because the remote gateway checks this source port during connections, the port is therefore not allowed to be changed.
18. How do I setup my Prestige for routing IPsec packets over SUA?
For outgoing IPsec tunnels, no extra setting is required. For forwarding the inbound IPsec ESP tunnel, a 'Default' server set in menu 15 is required. This is because SUA makes your LAN appear as a single machine to the outside world; LAN users are invisible to outside users.
Firewall FAQ
1. General
2. Log and Alert
General
Stateful Inspection Firewalls restrict access by screening data packets against defined access rules. They make access control decisions based on IP address and protocol. They also 'inspect' the session data to assure the integrity of the connection and to adapt to dynamic protocols. The flexible nature of Stateful Inspection firewalls generally provides the best speed and transparency; however, they may lack the granular application-level access control or caching that some proxies support.
series of IP fragments with overlapping offset fields. When these fragments are reassembled at the destination, some systems will crash, hang, or reboot.
9. What is a SYN Flood attack?
A SYN attack floods a targeted system with a series of SYN packets. Each packet causes the targeted system to issue a SYN-ACK response. While the targeted system waits for the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses in what is known as a backlog queue.
The above figure indicates the "triangle route" topology. It works fine if you turn off the firewall function on the P-334WT box. By default, your connection will be blocked by the firewall for the following reason.
Step 1. Being the default gateway of the PC, the P-334WT will receive all "outgoing" traffic from the PC.
Step 2. Because of Static Route/Traffic Redirect/Policy Routing, the P-334WT forwards the traffic to another gateway (ISDN/Router) which is in the same segment as the P-334WT's LAN.
Step 3.
(B) Deploying your second gateway on the WAN side.
(C) To resolve this conflict, we add an option for users to allow/disallow such a Triangle Route topology in both the CI command and the Web configurator. You can issue the command "sys firewall ignore triangle all on" to let the firewall bypass triangle route checking. In the Web GUI, you can find this option in the firewall setup page.
3. Stateful Inspection Firewall
Packet Filtering Firewalls generally make their decisions based on the header information in individual packets. This header information includes the source and destination addresses and ports of the packets. Application-level Firewalls generally are hosts running proxy servers, which permit no traffic directly between networks, and which perform logging and auditing of traffic passing through them.
Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources. There are four types of DoS attacks:
1. Those that exploit bugs in a TCP/IP implementation, such as Ping of Death and Teardrop.
2. Those that exploit weaknesses in the TCP/IP specification, such as SYN Flood and LAND attacks.
A brute-force attack, such as the 'Smurf' attack, targets a feature in the IP specification known as directed or subnet broadcasting to quickly flood the target network with useless data. In a Smurf attack, the destination IP address of each packet is the broadcast address of the network, so the router broadcasts the ICMP echo request packet to all hosts on the network.
(C) To resolve this conflict, we add an option for users to allow/disallow such a Triangle Route topology in both the CI command and the Web configurator. You can issue the command "sys firewall ignore triangle all on" to let the firewall bypass triangle route checking. In the Web GUI, you can find this option in the firewall setup page. Note, however, that if you allow Triangle Route, any traffic can easily be injected into the protected network through the unprotected gateway.
Log and Alert
1. When does the P-334WT generate the firewall log?
2. What is contained in the P-334WT firewall log?
3. How do I view the firewall log?
4. When does the P-334WT generate the firewall alert?
5. What does the alert show to us?
6. What is the difference between the log and alert?
1. When does the P-334WT generate the firewall log?
The P-334WT generates the log immediately when a DoS attack is detected.
All logs generated in the P-334WT, including firewall logs and system logs, are migrated to centralized logs, so you can view firewall logs in Centralized Logs. Before you can view firewall logs there are two steps you need to do:
1. Enable the log function in Centralized Logs setup via either one of the following methods:
● Web configurator: Advanced/Logs/Log Settings, check the Access Control and Attacks options depending on your situation.
● CI command: sys logs category [access | attack]
Content Filter FAQ
1. What types of content filter does P-334WT provide?
2. How many URL keywords does P-334WT support?
3. What kinds of URL checking method does P-334WT support?
1. What types of content filter does P-334WT provide?
P-334WT supports three types of content filtering.
- Restrict Web Data including ActiveX, Java Applet, Cookie, Web proxy
- URL keywords
2. How many URL keywords does P-334WT support?
64 keywords are supported.
IPSec FAQ
VPN Overview
1. What is VPN?
2. Why do I need VPN?
3. What are the most common VPN protocols?
4. What is PPTP?
5. What is L2TP?
6. What is IPSec?
7. What secure protocols does IPSec support?
8. What are the differences between 'Transport mode' and 'Tunnel mode'?
9. What is SA?
10. What is IKE?
11. What is Pre-Shared Key?
12. What are the differences between IKE and manual key VPN?
13. What is Phase 1 ID for?
14. What is FQDN?
15. When should I use FQDN?
P-334WT VPN
There are some reasons to use a VPN. The most common reasons are security and cost.
Security
1) Authentication: With authentication, the VPN receiver can verify the source of packets and guarantee data integrity.
2) Encryption: With encryption, the VPN guarantees the confidentiality of the original user data.
Cost
Transport mode is mainly for an IP host to protect data generated locally, while tunnel mode is for a security gateway to provide IPSec service for other machines lacking IPSec capability. In this case, transport mode only protects the upper-layer protocols of the IP payload (user data). Tunnel mode protects the entire IP payload including user data. There is no restriction that the IPSec hosts and the security gateway must be separate machines.
E-mail: support@zyxel.com.tw
Please note that, in the P-334WT, if "DNS" or "E-mail" type is chosen, you can still use a random string as the content, such as "this_is_P334WT". It is not necessary to follow the format exactly. By default, the P-334WT takes IP as the phase 1 ID type for itself and its remote peer. But if its remote peer is using DNS or E-mail, you have to adjust the settings to pass phase 1 ID checking.
1. If there is a NAT router running in front of the P-334WT, please make sure the NAT router supports IPSec pass-through.
2. In the NAT case (whether NAT runs on the front-end router or in the P-334WT VPN box), only IPSec ESP tunneling mode is supported, since NAT is incompatible with AH mode.
3. Source IP/Destination IP: The P-334WT only supports SINGLE for Local Addr Type in its VPN rules. Therefore, only the one PC assigned in the Local IP Addr of the VPN rule can be protected via VPN/IPSec.
Phase 1 ID can be configured in the VPN setup menu as follows. Note that you can make this configuration in either the web configurator or the SMT menu.
13. How do I configure the P-334WT so that it can cooperate with ZyWALL V3.50?
ZyWALL firmware versions with the V3.50 prefix can only support phase 1 ID of IP type, and the ID checking mechanism is actually bypassed. So to work smoothly, please apply IP type in the P-334WT. The following is an example for your reference.
private IP address as the content of its phase 1 ID. So you have to configure the P-334WT's secure gateway phase 1 ID as the private IP address of the VPN client. The configuration will be like this,
15. How can I keep a tunnel alive?
To keep a tunnel alive, you can check the "keep alive" option when configuring your VPN tunnel. With this option, whenever the phase 2 SA lifetime is due, the IKE negotiation procedure will be invoked automatically, even without traffic, to keep the connection up.
Wireless FAQ
General FAQ
1. What is a Wireless LAN?
2. What are the main advantages of Wireless LANs?
3. What are the disadvantages of Wireless LANs?
4. Where can you find wireless 802.11 networks?
5. What is an Access Point?
6. What is IEEE 802.11?
7. What is IEEE 802.11b?
8. How fast is 802.11b?
9. What is IEEE 802.11a?
10. What is IEEE 802.11g?
11. Is it possible to use products from a variety of vendors?
12. What is Wi-Fi?
13. What types of devices use the 2.
Security FAQ
1. How do I secure the data across an Access Point's radio link?
2. What is WEP?
3. What is the difference between 40-bit and 64-bit WEP?
4. What is a WEP key?
5. Will 128-bit WEP communicate with 64-bit WEP?
6. Can the SSID be encrypted?
7. By turning off the broadcast of SSID, can someone still sniff the SSID?
8. What are Insertion Attacks?
9. What is Wireless Sniffer?
10. What is the difference between Open System and Shared Key of Authentication Type?
11. What is 802.
c. Installation Flexibility: Wireless technology allows the network to go where wire cannot go.
d. Reduced Cost-of-Ownership: While the initial investment required for wireless LAN hardware can be higher than the cost of wired LAN hardware, overall installation expenses and life-cycle costs can be significantly lower. Long-term cost benefits are greatest in dynamic environments requiring frequent moves and changes.
8. How fast is 802.11b?
The IEEE 802.11b standard has a nominal speed of 11 megabits per second (Mbps). However, depending on signal quality and how many other people are using the wireless Ethernet through a particular Access Point, usable speed will be much less (on the order of 4 or 5 Mbps, which is still substantially faster than most dialup, cable and DSL modems).
9. What is 802.11a?
802.11a is the second revision of 802.
Both 802.11b and Bluetooth devices occupy the same 2.4-to-2.483-GHz unlicensed frequency range. But a Bluetooth device would not interfere with other 802.11 devices much more than another 802.11 device would interfere. While more collisions are possible with the introduction of a Bluetooth device, they are also possible with the introduction of another 802.11 device, or a new 2.4 GHz cordless phone for that matter.
2. What is Infrastructure mode?
Infrastructure mode implies connectivity to a wired communications infrastructure. If such connectivity is required, Access Points must be used to connect to the wired LAN backbone. Wireless clients have their configurations set for "infrastructure mode" in order to utilise access point relaying.
3. How many Access Points are required in a given area?
This depends on the surrounding terrain, the diameter of the client population, and the number of clients.
mobile device must match the ESSID of the AP to communicate with the AP. The ESSID is a 32-character maximum string and is case-sensitive.
Security FAQ
1. How do I secure the data across an Access Point's radio link?
Enable Wired Equivalent Privacy (WEP) to encrypt the payload of packets sent across a radio link.
2. What is WEP?
Wired Equivalent Privacy. WEP is a security mechanism defined within the 802.
broadcast beacon packets. Turning off the broadcast of the SSID in the beacon message (a common practice) does not prevent getting the SSID: since the SSID is sent in the clear in the probe message when a client associates to an AP, a sniffer just has to wait for a valid user to associate to the network to see the SSID.
8. What are Insertion Attacks?
Insertion attacks are based on placing unauthorized devices on the wireless network without going through a security process and review.
13. What is AAA ? AAA is the acronym for Authentication, Authorization, and Accounting and refers to the idea of managing subscribers by controlling their access to the network, verifying that they are who they say they are (via login name and password or MAC address) and accounting for their network usage. 14. What is RADIUS ? RADIUS stands for Remote Authentication Dial-In User Service. RADIUS is a standard that has been implemented into several software packages and networking devices.
Prestige 334WT Application Notes
Internet Connection
Setup Prestige for PPPoE Connections
Setup Prestige as a PPTP Client
Using Multi-NAT
NAT Notes
- Configure PPTP Server Behind NAT
- Configure Server Behind NAT
- Tested NAT Applications
About Filter & Filter Examples
Setup Syslog on UNIX
Using SNMP
Using DDNS
Using IP Alias
Upload Firmware and Configuration Files Using FTP
Uploading Firmware and Configuration Files Using TFTP
Using Traffic Redirect
Using UPnP
Internet Connection
A typical Internet access application of the Prestige is shown below. For a small office, there are some components that need to be checked before accessing the Internet.
● Before you begin
● Setting up Windows
● Setting up the Prestige router
● Troubleshooting
Before you begin
The Prestige is shipped with the following factory defaults:
1. IP address = 192.168.1.1, subnet mask = 255.255.255.0 (24 bits)
2. DHCP server enabled with IP pool starting from 192.168.1.33
You must first install TCP/IP software on each PC before you can use it for Internet access. If you have already installed TCP/IP, go to the next section to configure it; otherwise, follow these steps to install it:
● In the Control Panel/Network window, click the Add button.
● In the Select Network Component Type window, select Protocol and click Add.
● In the Select Network Protocol window, select Microsoft from the manufacturers, then select TCP/IP from the Network Protocols and click OK.
Key Settings:
Encapsulation: Select the encapsulation type your ISP supports.
Service Name: Enter the 'Service Name' for the ISP.
User Name: Enter the login user name given by the ISP.
Password: Enter the password given by the ISP.
Idle Timeout: This value specifies the time in seconds that can elapse before the Prestige automatically disconnects the PPPoE connection.
5. Check if the connection is up by clicking the ADVANCED/MAINTENANCE menu.
Setup the Prestige for PPPoE Connections ● Introduction PPP over Ethernet is an IETF draft standard specifying how a host personal computer (PC) interacts with a broadband modem (i.e. xDSL, cable, wireless, etc.) to achieve access to the high-speed data networks via a familiar PPP dialer such as 'Dial-Up Networking' user interface. PPPoE supports a broad range of existing applications and service including authentication, accounting, secure access and configuration management.
Menu 4 - Internet Access Setup
  ISP's Name= ChangeMe
  Encapsulation= PPPoE
  Service Type= N/A
  My Login= ras@pppoellc
  My Password= ********
  Idle Timeout= 100
  IP Address Assignment= Dynamic
  IP Address= N/A
  IP Subnet Mask= N/A
  Gateway IP Address= N/A
  Network Address Translation= SUA-Only
Press ENTER to Confirm or ESC to Cancel:
Key Settings for making a PPPoE connection (Encapsulation, My Login, My Password, Idle Timeout, IP Address Assignment, Network Address Translation):
Encapsulation: Set 'PPPoE' as the enc
Menu 11.1 - Remote Node Profile
  Rem Node Name= MyISP
  Active= Yes
  Apply Alias= None
  Encapsulation= PPPoE
  Service Type= Standard
  Service Name=
  Outgoing:
    My Login= test
    My Password= ********
    Retype to Confirm= ********
    Authen= CHAP/PAP
  Route= IP
  Edit IP= No
  Telco Option:
    Allocated Budget(min)= 0
    Period(hr)= 0
    Schedules=
    Nailed-Up Connection= No
  Session Options:
    Edit Filter Sets= No
    Idle Timeout(sec)= 100
    Edit Traffic Redirect= No
Setup the Prestige 334WT as a PPTP Client ● What is PPTP Client? Microsoft's Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a VPN across TCP/IP network. PPTP supports on-demand, multi-protocol, virtual private networking over public networks, such as the Internet.
The PPTP client feature means the PPTP connection is initialized by the Prestige 334WT router, so this connection is transparent to the PPTP clients on the network. This eliminates the configuration of every client, and it does not matter whether the computers on the network are Windows, Macintosh or even UNIX; all that is required is a standard TCP/IP protocol stack. In fact, users are unaware that they are on a VPN, since the Prestige 324 does all the VPN work.
IP Address Assignment: Choose 'Dynamic' if the PPTP server provides the IP dynamically, otherwise choose 'Static'.
IP Address: Enter the IP address supplied by the PPTP server if it provides the IP statically.
Network Address Translation: Set this field to 'Yes' to enable the Single User Account feature for your Prestige 324. Use the space bar to toggle between 'Yes' and 'No'.
Using Multi-NAT
● What is Multi-NAT?
● How NAT works
● NAT Mapping Types
● SUA Versus NAT
● SMT Menus
  1. Applying NAT in the SMT Menus
  2. Configuring NAT
  3. Address Mapping Sets and NAT Server Sets
● NAT Server Sets
● Examples
  1. Internet Access Only
  2. Internet Access with an Internal Server
  3. Using Multiple Global IP addresses for clients and servers
address translation, please refer to RFC 1631, The IP Network Address Translator (NAT). ● How NAT works If we define the local IP addresses as the Internal Local Addresses (ILA) and the global IP addresses as the Inside Global Address (IGA), see the following figure. The term 'inside' refers to the set of networks that are subject to translation. NAT operates by mapping the ILA to the IGA required for communication with hosts on other networks.
2. Many-to-One
In Many-to-One mode, the P-334WT maps multiple ILA to one IGA. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyNOS routers supported (the SUA Only option in today's routers).
3. Many-to-Many Overload
In Many-to-Many Overload mode, the P-334WT maps multiple ILA to shared IGA.
4. Many-to-Many No Overload
In Many-to-Many No Overload mode, the P-334WT maps each ILA to a unique IGA.
● SUA Versus NAT
SUA (Single User Account) in previous ZyNOS versions is a NAT set with 2 rules, Many-to-One and Server. The P-334WT now has Full Feature NAT support to map global IP addresses to local IP addresses of clients or servers. With multiple global IP addresses, multiple servers of the same type (e.g., FTP servers) are allowed on the LAN for outside access. In previous ZyNOS versions (that supported SUA), 'visible' servers had to be of different types.
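Added example, not ZyXEL code, modelling the mapping types listed in the IP/port mapping table of the Product FAQ and under NAT Mapping Types above, including the Server rule that together with Many-to-One makes up the SUA set; AddressMappingSet, NatRule and the 203.0.113.x IGA values are constructed for illustration, and rule 4 of the "Multiple Global IP addresses" example later on this page is used as the sample set.

```python
# Model of the P-334WT address-mapping types (One-to-One, Many-to-One,
# Many-to-Many Overload, Many-to-Many No Overload, Server). Added example;
# not ZyXEL code. IGA values 203.0.113.x are constructed placeholders.
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class NatRule:
    kind: str                  # one of the five mapping types named above
    local_start: str = "N/A"   # ILA range; 0.0.0.0-255.255.255.255 = all local IPs
    local_end: str = "N/A"
    global_start: str = "N/A"  # IGA range (end is N/A except Many-to-Many types)
    global_end: str = "N/A"
    servers: dict = field(default_factory=dict)  # Server type: port -> inside IP


def _ips(start, end):
    a, b = int(IPv4Address(start)), int(IPv4Address(end))
    return [str(IPv4Address(i)) for i in range(a, b + 1)]


def _in_range(ip, start, end):
    return int(IPv4Address(start)) <= int(IPv4Address(ip)) <= int(IPv4Address(end))


class AddressMappingSet:
    """Rules are tried in order from rule 1, as the Menu 15.1.1 note warns."""

    def __init__(self, rules):
        self.rules = rules
        self.pat = {}           # (IGA, global port) -> (ILA, local port), PAT types
        self.fixed = {}         # (rule idx, ILA) -> IGA, Many-to-Many No Overload
        self.next_port = 10000  # constructed starting global port for PAT

    def _pat_bind(self, iga, ila, sport):
        key = (iga, self.next_port)
        self.next_port += 1
        self.pat[key] = (ila, sport)
        return key

    def outbound(self, ila, sport):
        """Translate a LAN packet's source (ILA, port) -> (IGA, port), or None."""
        for idx, r in enumerate(self.rules):
            if r.kind == "Server":
                continue                        # Server rules only apply inbound
            if r.kind == "One-to-One":
                if ila == r.local_start:
                    return (r.global_start, sport)   # fixed IGA, port unchanged
                continue
            if not _in_range(ila, r.local_start, r.local_end):
                continue
            if r.kind == "Many-to-One":         # SUA/PAT: everyone shares one IGA
                return self._pat_bind(r.global_start, ila, sport)
            pool = _ips(r.global_start, r.global_end)
            if r.kind == "Many-to-Many Overload":   # shared pool, still PAT
                iga = pool[int(IPv4Address(ila)) % len(pool)]
                return self._pat_bind(iga, ila, sport)
            if r.kind == "Many-to-Many No Overload":  # each ILA gets its own IGA
                key = (idx, ila)
                if key not in self.fixed:
                    used = {g for (j, _), g in self.fixed.items() if j == idx}
                    free = [g for g in pool if g not in used]
                    if not free:
                        return None             # pool exhausted: no IGA left
                    self.fixed[key] = free[0]
                return (self.fixed[key], sport)
        return None                             # no rule matched

    def inbound(self, iga, dport):
        """Map a WAN packet's destination (IGA, port) back to (ILA, port), or None."""
        if (iga, dport) in self.pat:
            return self.pat[(iga, dport)]       # reply to an existing PAT session
        for r in self.rules:
            if r.kind == "Server" and r.global_start == iga and dport in r.servers:
                return (r.servers[dport], dport)
            if r.kind == "One-to-One" and r.global_start == iga:
                return (r.local_start, dport)
        return None                             # unsolicited: nothing to deliver to


# The four-rule set from the "Multiple Global IP addresses" example on this page,
# with constructed IGA values and constructed web/mail ports on the Server rule.
EXAMPLE_SET = AddressMappingSet([
    NatRule("One-to-One", "192.168.1.10", "N/A", "203.0.113.1"),
    NatRule("One-to-One", "192.168.1.11", "N/A", "203.0.113.2"),
    NatRule("Many-to-One", "0.0.0.0", "255.255.255.255", "203.0.113.3"),
    NatRule("Server", global_start="203.0.113.3",
            servers={80: "192.168.1.20", 25: "192.168.1.20"}),
])

# A second, constructed set showing the two Many-to-Many types over a two-IGA pool.
POOL_SET = AddressMappingSet([
    NatRule("Many-to-Many No Overload", "192.168.1.10", "192.168.1.19",
            "203.0.113.10", "203.0.113.11"),
    NatRule("Many-to-Many Overload", "192.168.1.20", "192.168.1.29",
            "203.0.113.10", "203.0.113.11"),
])

if __name__ == "__main__":
    print(EXAMPLE_SET.outbound("192.168.1.10", 2000))  # FTP server 1 -> IGA1
    print(EXAMPLE_SET.outbound("192.168.1.50", 3000))  # client -> IGA3 via PAT
    print(EXAMPLE_SET.inbound("203.0.113.3", 80))      # web -> 192.168.1.20
    print(POOL_SET.outbound("192.168.1.12", 4000))     # third ILA: pool exhausted
```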
Menu 4 - Internet Access Setup
  ISP's Name= ChangeMe
  Encapsulation= Ethernet
  Service Type= Standard
  My Login= N/A
  My Password= N/A
  Login Server IP= N/A
  IP Address Assignment= Dynamic
  IP Address= N/A
  IP Subnet Mask= N/A
  Gateway IP Address= N/A
  Network Address Translation= SUA Only
Press ENTER to Confirm or ESC to Cancel:
The following figure shows how you apply NAT to the remote node in menu 11.3.
Menu 11.
Step 1. Enter 11 from the Main Menu.
Step 2. Move the cursor to the Edit IP field, press the [SPACEBAR] to toggle the default No to Yes, then press [ENTER] to bring up Menu 11.3 - Remote Node Network Layer Options.
The following table describes the options for Network Address Translation.
Field: Network Address Translation
Options: Full Feature, None, SUA Only
Full Feature: When you select this option the SMT will use Address Mapping Set 1 (Menu 15.1; see later for further discussion).
3. Address Mapping Sets and NAT Server Sets
Use the Address Mapping Sets menus and submenus to create the mapping table used to assign global addresses to LAN clients. Each remote node must specify which NAT Address Mapping Set to use. The P-334WT has one remote node and so allows you to configure only 1 NAT Address Mapping Set. You can see two NAT Address Mapping sets in Menu 15.1. You can only configure Set 1. Set 255 is used for SUA. When you select Full Feature in menu 4 or 11.3, the SMT will use Set 1.
Press ESC or RETURN to Exit:
The following table explains the fields in this screen. Please note that the fields in this menu are read-only.
Set Name: This is the name of the set you selected in Menu 15.1, or enter the name of a new set you want to create. Option/Example: SUA
Idx: This is the index or rule number. Option/Example: 1
Local Start IP: This is the starting local IP address (ILA). Option/Example: 0.0.0.0 for the Many-to-One type.
Menu 15.1.1 - Address Mapping Rules
  Set Name= NAT_SET
  Idx  Local Start IP   Local End IP   Global Start IP   Global End IP   Type
  ---  ---------------  -------------  ---------------   -------------   ----
  1.
  2.
  3.
  4.
  5.
  6.
  7.
  8.
  9.
  10.
  Action= Edit   Select Rule= 0
Press ENTER to Confirm or ESC to Cancel:
We will just look at the differences from the previous menu. Note that this screen is not read-only, so we have extra Action and Select Rule fields.
Select Rule: When you choose Edit, Insert Before or Save Set in the previous field, the cursor jumps to this field to allow you to select the rule to apply the action in question. Option/Example: 1
Note: Save Set in the Action field means to save the whole set. You must do this if you make any changes to the set, including deleting a rule. No changes to the set take place until this action is taken. Be careful when ordering your rules, as each rule is executed in turn beginning from the first rule.
Local End IP: This is the ending local IP address (ILA). If the rule is for all local IPs, then put the Start IP as 0.0.0.0 and the End IP as 255.255.255.255. This field is N/A for One-to-One type. Option/Example: 255.255.255.255
Global Start IP: This is the starting global IP address (IGA). If you have a dynamic IP, enter 0.0.0.0 as the Global Start IP. Option/Example: 0.0.0.0
Global End IP: This is the ending global IP address (IGA). This field is N/A for One-to-One, Many-to-One and Server types. Option/Example: 172.16.23.
The following procedures show how to configure a server behind NAT.
Step 1. Enter 15 in the Main Menu to go to Menu 15 - NAT Setup.
Step 2. Enter 2 to go to Menu 15.2 - NAT Server Setup.
Step 3. Enter the service port number in the Port# field and the inside IP address of the server in the IP Address field.
Step 4. Press [SPACEBAR] at the 'Press ENTER to confirm...' prompt to save your configuration after you define all the servers, or press ESC at any time to cancel.
Menu 15.
www-http (Web): 80
PPTP (Point-to-Point Tunneling Protocol): 1723
Examples
1. Internet Access Only
2. Internet Access with an Internal Server
3. Using Multiple Global IP addresses for clients and servers
4. Support Non NAT Friendly Applications
1. Internet Access Only
In our Internet Access example, we only need one rule where all our ILAs map to one IGA assigned by the ISP. See the following figure.
Menu 4 - Internet Access Setup
  ISP's Name= ChangeMe
  Encapsulation= Ethernet
  Service Type= Standard
  My Login= N/A
  My Password= N/A
  Login Server IP= N/A
  IP Address Assignment= Dynamic
  IP Address= N/A
  IP Subnet Mask= N/A
  Gateway IP Address= N/A
  Network Address Translation= SUA Only
Press ENTER to Confirm or ESC to Cancel:
From Menu 4 shown above, simply choose the SUA Only option from the NAT field. This is the Many-to-One mapping discussed earlier. The SUA read-only option from the NAT field in menu 4 and 11.
In this case, we do exactly as above (use the convenient pre-configured SUA Only set) and also go to Menu 15.2.1 - NAT Server Setup (Used for SUA Only) to specify the Internet server behind the NAT, as shown below.
Menu 15.2 - NAT Server Setup
Rule  Start Port No.  End Port No.  IP Address
--------------------------------------------------
1.    Default         Default       0.0.0.0
2.    80              80            192.168.1.33
3.    21              21            192.168.1.34
4.    0               0             0.0.0.0
5.    0               0             0.0.0.0
6.    0               0             0.0.0.0
7.    0               0             0.0.0.0
8.    0               0             0.0.0.0
9.    0               0             0.
3. Using Multiple Global IP addresses for clients and servers (One-to-One, Many-to-One and Server Set mapping types are used)
In this case we have 3 IGAs (IGA1, IGA2 and IGA3) from the ISP. We have two very busy internal FTP servers and also an internal general server for the web and mail. In this case, we want to assign the 3 IGAs in the following way, using 4 NAT rules.
- Rule 1 (One-to-One type) to map the FTP Server 1 with ILA1 (192.168.1.10) to IGA1.
Menu 4 - Internet Access Setup
ISP's Name= ChangeMe
Encapsulation= Ethernet
Service Type= Standard
My Login= N/A
My Password= N/A
Login Server IP= N/A
IP Address Assignment= Dynamic
IP Address= N/A
IP Subnet Mask= N/A
Gateway IP Address= N/A
Network Address Translation= Full Feature
Press ENTER to Confirm or ESC to Cancel:
Step 2: Go to menu 15.1 and choose 1 (not 255, SUA, this time) to begin configuring this new set. Enter a Set Name, choose the Edit Action and then select 1 from the Select Rule field.
Rule 2 Setup: Select One-to-One type to map the FTP Server 2 with ILA2 (192.168.1.11) to IGA2.
Menu 15.1.1.2 - Rule 2
Type: One-to-One
Local IP:  Start= 192.168.1.11  End = N/A
Global IP: Start= [Enter IGA2]  End = N/A
Press ENTER to Confirm or ESC to Cancel:
Rule 3 Setup: Select Many-to-One type to map the other clients to IGA3.
Menu 15.1.1.3 - Rule 3
Type: Many-to-One
Local IP:  Start= 0.0.0.0  End = 255.255.255.
Rule 4 Setup: Select Server type to map our web server and mail server with ILA3 (192.168.1.20) to IGA3.
Menu 15.1.1.4 - Rule 4
Type: Server
Local IP:  Start= N/A  End = N/A
Global IP: Start= [Enter IGA3]  End = N/A
Press ENTER to Confirm or ESC to Cancel:
When we have configured all four rules, Menu 15.1.1 should look as follows.
Menu 15.1.
1 4. [IGA3] 5. 6. 7. 8. 9. 10. Server
Press ESC or RETURN to Exit:
Step 3: Now we configure all other incoming traffic to go to our web server and mail server from Menu 15.2.2 - NAT Server Setup (not Set 1; Set 1 is used for the SUA Only case).
Menu 15.2 - NAT Server Setup
Rule  Start Port No.  End Port No.  IP Address
--------------------------------------------------
1.    Default         Default       0.0.0.0
2.    80              80            192.168.1.10
3.    21              21            192.168.1.11
4.    0               0             0.0.0.0
5.    0               0             0.0.0.0
6.    0               0             0.0.0.0
7.    0               0             0.0.0.0
8.    0               0             0.0.
4. Support Non NAT Friendly Applications
Some servers providing Internet applications, such as some mIRC servers, do not allow several users to log in from the same IP address. In this case it is better to use the Many-to-Many No Overload or One-to-One NAT mapping types, so that each user logs in to the server with a unique global IP address. The following figure illustrates this. One rule configured using the Many-to-Many No Overload mapping type is shown below.
Menu 15.1.1.
The three rules configured using the One-to-One mapping type are shown below.
Menu 15.1.1.1 - Rule 1
Type: One-to-One
Local IP:  Start= 192.168.1.10  End = N/A
Global IP: Start= [Enter IGA1]  End = N/A
Press ENTER to Confirm or ESC to Cancel:
Menu 15.1.1.2 - Rule 2
Type: One-to-One
Local IP:  Start= 192.168.1.
Menu 15.1.1.3 - Rule 3
Type: One-to-One
Local IP:  Start= 192.168.1.12  End = N/A
Global IP: Start= [Enter IGA3]  End = N/A
Press ENTER to Confirm or ESC to Cancel:
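The NAT examples above (the four-rule set of example 3 and the Many-to-Many No Overload rule of example 4) walked through as an ordered rule set; this is an added example, not ZyXEL code, and IGA1..IGA3 are constructed TEST-NET placeholders for the ISP-assigned addresses.

```python
"""NAT mapping types walked as an ordered rule set (Menu 15.1.1 / 15.2).

Added example, not ZyXEL's code. It models the rule types used in the
examples above: One-to-One, Many-to-One, Many-to-Many No Overload and
Server, checked from rule 1 downwards exactly as the set is ordered.
Local addresses are the ones on this page; IGA1..IGA3 are constructed
TEST-NET placeholders for the ISP-assigned global addresses.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

IGA1, IGA2, IGA3 = "203.0.113.1", "203.0.113.2", "203.0.113.3"   # placeholders


def _ip(s: str) -> int:
    return int(IPv4Address(s))


@dataclass(frozen=True)
class NatRule:
    kind: str                      # One-to-One | Many-to-One | Many-to-Many No Overload | Server
    local_start: str = "0.0.0.0"
    local_end: str = ""            # "" = N/A: a single local address (One-to-One) or none (Server)
    global_start: str = "0.0.0.0"
    global_end: str = ""           # "" = N/A: a single global address

    def local_range(self) -> Tuple[int, int]:
        return _ip(self.local_start), _ip(self.local_end or self.local_start)

    def global_range(self) -> Tuple[int, int]:
        return _ip(self.global_start), _ip(self.global_end or self.global_start)


def translate_outbound(rules: List[NatRule], ila: str) -> Optional[Tuple[str, bool]]:
    """Map an inside local address to (IGA, ports_rewritten); None = no mapping."""
    addr = _ip(ila)
    for rule in rules:
        lo, hi = rule.local_range()
        if rule.kind == "Server" or not lo <= addr <= hi:
            continue                                  # Server rules serve inbound only
        if rule.kind == "One-to-One":
            return rule.global_start, False           # dedicated global, ports untouched
        if rule.kind == "Many-to-One":
            return rule.global_start, True            # shared global (SUA), ports rewritten
        if rule.kind == "Many-to-Many No Overload":
            glo, ghi = rule.global_range()
            iga = glo + (addr - lo)                   # i-th local takes i-th global, unshared
            return (str(IPv4Address(iga)), False) if iga <= ghi else None   # pool exhausted
    return None


def translate_inbound(rules: List[NatRule], servers: Dict, iga: str, dport: int) -> Optional[str]:
    """Deliver an unsolicited packet for (IGA, port) to an ILA, or None (dropped)."""
    addr = _ip(iga)
    for rule in rules:
        glo, ghi = rule.global_range()
        if not glo <= addr <= ghi:
            continue
        if rule.kind in ("One-to-One", "Many-to-Many No Overload"):
            llo, _ = rule.local_range()
            return str(IPv4Address(llo + (addr - glo)))   # all ports, mirror of outbound
        if rule.kind == "Server":
            target = servers.get(dport, servers.get("default", "0.0.0.0"))
            return None if target == "0.0.0.0" else target  # 0.0.0.0 = no server configured
        # Many-to-One: no session to match, so fall through to a later Server rule
    return None


# Example 3 above: two One-to-One FTP servers, everyone else via Many-to-One,
# and a Server rule on IGA3 with a Menu 15.2 port table (constructed: web and
# mail on ILA3 192.168.1.20, as the text describes).
EXAMPLE_SET = [
    NatRule("One-to-One", "192.168.1.10", global_start=IGA1),
    NatRule("One-to-One", "192.168.1.11", global_start=IGA2),
    NatRule("Many-to-One", "0.0.0.0", "255.255.255.255", IGA3),
    NatRule("Server", global_start=IGA3),
]
EXAMPLE_SERVERS = {"default": "0.0.0.0", 80: "192.168.1.20", 25: "192.168.1.20"}

# Example 4 above (non NAT-friendly applications): one Many-to-Many No Overload
# rule gives four clients at most three distinct globals; the fourth gets none.
NO_OVERLOAD_SET = [
    NatRule("Many-to-Many No Overload", "192.168.1.10", "192.168.1.13", IGA1, IGA3),
]

if __name__ == "__main__":
    for ila in ("192.168.1.10", "192.168.1.50"):
        print(ila, "->", translate_outbound(EXAMPLE_SET, ila))
    for port in (80, 22):
        print(IGA3, port, "->", translate_inbound(EXAMPLE_SET, EXAMPLE_SERVERS, IGA3, port))
    for ila in ("192.168.1.12", "192.168.1.13"):
        print(ila, "->", translate_outbound(NO_OVERLOAD_SET, ila))
```

Swapping the Many-to-One rule ahead of the One-to-One rules makes 192.168.1.10 share IGA3 instead of owning IGA1, which is the ordering pitfall the Select Rule note above warns about.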
Configure a PPTP server behind SUA
Introduction
PPTP is a tunneling protocol defined by the PPTP forum that allows PPP packets to be encapsulated within Internet Protocol (IP) packets and forwarded over any IP network, including the Internet itself. In order to run the Windows 9x PPTP client, you must be able to establish an IP connection with a tunnel server such as the Windows NT Server 4.0 Remote Access Server.
This application note explains how to establish a PPTP connection with a remote private network in the Prestige 324 SUA case. In ZyNOS, all PPTP packets can be forwarded to the internal PPTP server (the WinNT server) behind SUA. The PPTP port number has to be entered in SMT Menu 15 for the Prestige 324 to forward it to the private IP address of the Windows NT server.
Menu 15 - SUA Server Setup
Port #      IP Address
------      ---------------
1. Default  0.0.0.0
2. 1723     192.168.1.10
3. 0        0.0.0.0
4. 0        0.0.0.0
5. 0        0.0.0.0
6. 0        0.0.0.0
7. 0        0.0.0.0
8. 0        0.0.0.0
9. 0        0.0.0.0
When you have finished the above settings, you can ping the remote Win9x client from the WinNT server. This ping command is used to demonstrate that the remote Win9x client can be reached across the Internet. If the Internet connection between the two LANs is active, you can place a VPN call from the remote Win9x client.
Configure an Internal Server Behind SUA
Introduction
If you wish, you can make internal servers (e.g., Web, FTP or mail server) accessible to outside users, even though SUA makes your LAN appear as a single machine to the outside world. A service is identified by its port number. Also, since you need to specify the IP address of a server in the Prestige, a server must have a fixed IP address and not be a DHCP client whose IP address potentially changes each time it is powered on.
Menu 15 - SUA Server Setup
Port #      IP Address
------      ---------------
1. Default  0.0.0.0
2. 80       192.168.1.10
3. 0        0.0.0.0
4. 0        0.0.0.0
5. 0        0.0.0.0
6. 0        0.0.0.0
7. 0        0.0.0.0
8. 0        0.0.0.0
Port numbers for some services
Service                   Port Number
FTP                       21
Telnet                    23
SMTP                      25
DNS (Domain Name Server)  53
www-http (Web)            80
Tested SUA/NAT Applications (e.g., Cu-SeeMe, ICQ, NetMeeting)
Introduction
Generally, SUA makes your LAN appear as a single machine to the outside world. LAN users are invisible to outside users. However, some applications such as Cu-SeeMe and ICQ will need to connect to the local user behind the Prestige. In such a case, a SUA server must be entered in menu 15 to forward the incoming packets to the true destination behind SUA.
None for Chat. For DCC, please set Default/Client IP mIRC . Windows PPTP ICQ 99a None None for Chat. For DCC, please set: ICQ -> preference -> connections -> firewall and set the firewall time out to 80 seconds in firewall setting. 1723/client IP Default/client IP ICQ 2000b ICQ Phone 2000b Cornell 1.1 Cu-SeeMe None for Chat None None 7648/client IP & 24032/client IP None for Chat 6701/client IP 7648/client IP Default/client IP White Pine 4.
Microsoft Xbox Live (7)  None  N/A
1. Since SUA enables your LAN to appear as a single computer to the Internet, it is not possible to configure similar servers on the same LAN behind SUA. For example, you cannot have two web servers both using TCP:80 in the same LAN. They must have different port numbers.
2. Because White Pine Cu-SeeMe uses dedicated ports (port 7648 & port 24032) to transmit and receive data, only one local Cu-SeeMe is allowed within the same LAN.
Using UPnP
1. What is UPnP
2. Use UPnP in ZyXEL devices
3. View dynamic ports opened by UPnP
1. What is UPnP
UPnP (Universal Plug and Play) makes connecting PCs of all form factors, intelligent appliances, and wireless devices in the home, office, and everywhere in between easier and even automatic by leveraging TCP/IP and Web technologies. UPnP can be supported on essentially any operating system and works with essentially any type of physical networking media, wired or wireless.
UPnP Operations
Addressing: UPnPv1 devices MAY support IPv4, IPv6, or both. For IPv4, each device should have a DHCP client; when the device is connected to the network, it discovers a DHCP server on the network to get an IP address. If no DHCP server answers, the Auto-IP mechanism should be supported so that the device can give itself an IP address (169.254.0.0/16).
Discovery: Whenever a device is added to the network, it advertises its services over the network.
Device: PPPoE Dial-up Router
Service: NAT function provided by the PPPoE Dial-up Router
Control Point: PC1
1. Enable the UPnP function in the ZyXEL device
Go to Advanced->UPnP and check the two boxes, Enable PnP feature and Allow users to make... The first check box enables the UPnP function in this device. The second check box allows users' applications to change the configuration of this device. For instance, if you enable this item, a user's MSN application can assign dynamic port mappings on the router.
2. After getting an IP address, open the MSN application on the PC and sign in to the MSN server.
3. Start a Video conversation with one online user.
4. On the opposite side, your partner selects Accept to accept your conversation request.
5. Finally, your video conversation is achieved.
3. View dynamic ports opened by UPnP
When using UPnP, if the ZyXEL device is configured to "Allow users to make configuration changes through UPnP", the device will accept any port opening request sent over the UPnP protocol. This behaviour also adds some risk to your internal LAN. For security's sake, we provide a CI command for users to view the currently opened ports. Go to the SMT menu and type the command "ip nat server disp" to display the dynamic port mappings.
ras> ip nat server disp
Server Set: 1
Rule name  Svr P Range  Server IP  LeasedTime  Active  protocol  Int Svr P Range  Remote Host IP Range
-------------------------------------------------
1  DMZ    default  0.0.0.0  0  No  ALL  0 - 0  0.0.0.0 - 0.0.0.0
2  0 - 0           0.0.0.0  0  No  ALL  0 - 0  0.0.0.0 - 0.0.0.0
3  0 - 0           0.0.0.0  0  No  ALL  0 - 0  0.0.0.0 - 0.0.0.0
4  0 - 0           0.0.0.0  0  No  ALL  0 - 0  0.0.0.0 - 0.0.0.0
5  0 - 0           0.0.0.0  0  No  ALL  0 - 0  0.0.0.0 - 0.0.0.0
6  0 - 0           0.0.0.0  0  No  ALL  0 - 0  0.0.0.0 - 0.0.0.0
7  0 - 0           0.0.0.
Filter
How does ZyXEL filter work?
Filter Examples
  A filter for blocking the web service
  A filter for blocking the FTP connection from WAN
  A filter for blocking a specific client
  A filter for blocking a specific MAC address
  A filter for blocking the NetBIOS packets
Filter
How does ZyXEL filter work?
Filter Structure
The P-334WT allows you to configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system. You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port. The following diagram illustrates the logic flow when executing a filter rule.
Filter Types and SUA
Conceptually, there are two categories of filter rules: device and protocol. The Generic filter rules belong to the device category; they act on the raw data from/to LAN and WAN. The IP and IPX filter rules belong to the protocol category; they act on the IP and IPX packets.
Generic and TCP/IP (and IPX) filter rules must be in different filter sets. The SMT will detect and prevent the mixing of different category rules within any filter set in Menu 21. In the following example, you will receive the error message 'Protocol and device filter rules cannot be active together' if you try to activate a TCP/IP (or IPX) filter rule in a filter set that already has one or more active Generic filter rules.
Menu 21.1.2 - TCP/IP Filter Rule
Filter #: 1,2
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 0
IP Source Route= No
Destination: IP Addr= 0.0.0.0
             IP Mask= 0.0.0.0
             Port #= 0
             Port # Comp= None
Source:      IP Addr= 0.0.0.0
             IP Mask= 0.0.0.0
             Port #= 0
             Port # Comp= None
TCP Estab= N/A
More= No
Log= None
Action Matched= Check Next Rule
Action Not Matched= Check Next Rule
Press ENTER to Confirm or ESC to Cancel:
Saving to ROM. Please wait...
Menu 11.1 - Remote Node Profile
Rem Node Name= LAN               Route= IP
Active= Yes                      Bridge= No
Encapsulation= PPP               Edit PPP Options= No
Incoming:                        Rem IP Addr= ?
  Rem Login= test                Edit IP/IPX/Bridge= No
  Rem Password= ********
Outgoing:                        Session Options:
  My Login= testt                  Edit Filter Sets= Yes
  My Password= *****
  Authen= CHAP/PAP
Press ENTER to Confirm or ESC to Cancel:
Menu 11.5: Menu 11.
In order to avoid operational problems later, the P-334WT will disable its routing/bridging functions if there is an inconsistency among its filter rules.
Filter Example
A filter for blocking the web service
Configuration
Before configuring a filter, you need to know the following information:
1. The outbound packet type (protocol & port number)
2. The source IP address
Generally, the outbound packets for the Web service are as follows:
a. HTTP packet, TCP (06) protocol with port number 80
b. DNS packet, TCP (06) protocol with port number 53 or
c.
Menu 21 - Filter Set Configuration
Filter Set #  Comments            Filter Set #  Comments
------        ----------------    ------        ----------------
1             Web Request         7             _______________
2             _______________     8             _______________
3             _______________     9             _______________
4             _______________     10            _______________
5             _______________     11            _______________
6             _______________     12            _______________
Enter Filter Set Number to Configure= 1
Edit Comments=
Press ENTER to Confirm or ESC to Cancel:
2. Rule one for (a): HTTP packet, TCP(06)/Port number 80
Menu 21.1.
Action Matched= Drop
Action Not Matched= Check Next Rule
Press ENTER to Confirm or ESC to Cancel:
3. Rule 2 for (b): DNS request, TCP(06)/Port number 53
Menu 21.1.2 - TCP/IP Filter Rule
Filter #: 1,2
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 6
IP Source Route= No
Destination: IP Addr= 0.0.0.0
             IP Mask= 0.0.0.0
             Port #= 53
             Port # Comp= Equal
Source:      IP Addr= 0.0.0.0
             IP Mask= 0.0.0.
Menu 21.1.2 - TCP/IP Filter Rule
Filter #: 1,2
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 17
IP Source Route= No
Destination: IP Addr= 0.0.0.0
             IP Mask= 0.0.0.0
             Port #= 53
             Port # Comp= Equal
Source:      IP Addr= 0.0.0.0
             IP Mask= 0.0.0.0
             Port #=
             Port # Comp= None
TCP Estab= No
More= No
Log= None
Action Matched= Drop
Action Not Matched= Forward
Press ENTER to Confirm or ESC to Cancel:
5. After the three rules are completed, you will see the rule summary in Menu 21.
Menu 21.
Filter Example
A filter for blocking the FTP connections from WAN
Introduction
The P-334WT supports uploading the firmware and configuration files over FTP connections via LAN and WAN. So, it is possible for anyone to make an FTP connection over the Internet to your P-334WT. To prevent outside users from connecting to your P-334WT via FTP, you can configure a filter to block FTP connections from the WAN.
Before you begin
Before configuring a filter, you need to know the following information:
1.
Menu 21 - Filter Set Configuration
Filter Set #  Comments            Filter Set #  Comments
------        ----------------    ------        ----------------
1             NetBIOS_WAN         7
2             NetBIOS_LAN         8
3             Telnet_WAN          9
4             FTP_WAN             10
5             _______________     11
6             _______________     12
Enter Filter Set Number to Configure= 4
Edit Comments= FTP_WAN
Press ENTER to Confirm or ESC to Cancel:
Rule 1 - block the inbound FTP packet, TCP (06) protocol with port number 20
M
             IP Mask= 0.0.0.0
             Port #=
             Port # Comp= None
TCP Estab= No
More= No
Log= None
Action Matched= Drop
Action Not Matched= Check Next Rule
Press ENTER to Confirm or ESC to Cancel:
Rule 2 - block the inbound FTP packet, TCP (06) protocol with port number 21
Menu 21.4.2 - TCP/IP Filter Rule
Filter #: 4,2
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 6
IP Source Route= No
Destination: IP Addr= 0.0.0.0
             IP Mask= 0.0.0.0
             Port #= 21
             Port # Comp= Equal
Source:      IP Addr= 0.0.0.0
             IP Mask= 0.0.0.
Menu 21.4 - Filter Rules Summary
# A Type Filter Rules                                 M m n
- - ---- ------------------------------------------- - - -
1 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=20         N D N
2 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=21         N D F
3 N
4 N
5 N
6 N
Choose the remote node number where you want to block the inbound FTP connections and apply the filter set in menu 11.5 by setting 'Edit Filter Sets' to 'Yes'. Put the filter set number '4' in the 'Input Protocol Filter Set' in menu 11.
Filter Example
A filter for blocking a specific client
Configuration
1. Create a filter set in Menu 21, e.g.
Menu 21.1.1 - TCP/IP Filter Rule
Filter #: 1,1
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 0
IP Source Route= No
Destination: IP Addr= 0.0.0.0
             IP Mask= 0.0.0.0
             Port #=
             Port # Comp= None
Source:      IP Addr= 192.168.1.5
             IP Mask= 255.255.255.255
             Port #=
             Port # Comp= None
TCP Estab= N/A
More= No
Log= None
Action Matched= Drop
Action Not Matched= Forward
Press ENTER to Confirm or ESC to Cancel:
Key Settings:
Source IP addr: Enter the client IP in this field
IP Mask:
Menu 11.5 - Remote Node Filter
Input Filter Sets:
  protocol filters=
  device filters=
Output Filter Sets:
  protocol filters=
  device filters=
Call Filter Sets:
  protocol filters=
  device filters=
Press ENTER to Confirm or ESC to Cancel:
After this filter set is applied to this field, the client (192.168.1.5) will not be allowed to access the Internet.
Filter Example
A filter for blocking a specific MAC address
This configuration example shows you how to use a Generic Filter to block a specific MAC address on the LAN.
Before you Begin
Before you configure the filter, you need to know the MAC address of the client. The MAC address can be obtained from the NIC. If LAN packets are passing through the P-334WT, you can identify the unwanted MAC address from the P-334WT's LAN packet trace.
The detailed format of the Ethernet Version II frame:
+ Ethernet Version II
  - Address: 00-80-C8-4C-EA-63 (Source MAC) ----> 00-A0-C5-23-45 (Destination MAC)
  - Ethernet II Protocol Type: IP
+ Internet Protocol
  - Version (MSB 4 bits): 4
  - Header length (LSB 4 bits): 5
  - Service type: Precd=Routine, Delay=Normal, Thrput=Normal, Reli=Normal
  - Total length: 60 (Octets)
  - Fragment ID: 60172
  - Flags: May be fragmented, Last fragment, Offset=0 (0x00)
  - Time to live: 32 seconds/hops
  - IP protocol type: ICMP (0x01)
  - Chec
TIME: 37c060 enet0-RECV len:74 call=0
0000: [00 a0 c5 01 23 45] [00 80 c8 4c ea 63] 08 00 45 00
0010: 00 3c eb 0c 00 00 20 01 e3 ea ca 84 9b 5d ca 84
0020: 9b 63 08 00 45 5c 03 00 05 00 61 62 63 64 65 66
0030: 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76
0040: 77 61 62 63 64 65 66 67 68 69
2. We are now ready to configure the 'Generic Filter Rule' as below.
Menu 21.1.
case, we intend to set it to 'ffffffffffff' to mask the incoming source MAC address, [00 80 c8 4c ea 63].
Value (in hexadecimal): Specify the MAC address [00 80 c8 4c ea 63] that the P-334WT should use to compare with the masked packet. If the result from the masked packet matches the 'Value', then the packet is considered matched.
Action Matched= Enter the action you want if the masked packet matches the 'Value'. In this case, we will drop it.
Menu 3.1 - General Ethernet Setup
Input Filter Sets:
  protocol filters=
  device filters= 1
Output Filter Sets:
  protocol filters=
  device filters=
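The Generic Filter Rule logic above (Offset/Length/Mask/Value over the raw frame) applied to the traced frame; this is an added example, not ZyXEL code. The rule screen on this page is cut off, so Offset= 6 and Length= 6 are assumed here as the values a source-MAC match needs.

```python
"""Generic (device-level) filter rule matching on raw Ethernet frames.

Added example, not ZyXEL's code. It applies the Offset/Length/Mask/Value
logic of a P-334WT Generic Filter Rule to a frame: the Length bytes at
Offset are ANDed with Mask and compared with Value. The frame is the ICMP
echo request from the packet trace above, re-assembled here. Offset= 6 and
Length= 6 (the source MAC position in Ethernet II) are assumed, since the
rule screen on this page is cut off.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class GenericRule:
    offset: int                          # byte position in the frame, from 0
    length: int                          # number of bytes to compare
    mask: str                            # hex, exactly Length bytes
    value: str                           # hex, exactly Length bytes
    action_matched: str = "Drop"         # Drop | Forward | Check Next Rule
    action_not_matched: str = "Check Next Rule"
    active: bool = True


def generic_match(frame: bytes, rule: GenericRule) -> bool:
    """True when (frame[offset:offset+length] AND mask) equals value."""
    mask, value = bytes.fromhex(rule.mask), bytes.fromhex(rule.value)
    if len(mask) != rule.length or len(value) != rule.length:
        raise ValueError("Mask and Value must each be exactly Length bytes")
    window = frame[rule.offset:rule.offset + rule.length]
    if len(window) < rule.length:
        return False                     # frame too short to hold the compare window
    masked = bytes(b & m for b, m in zip(window, mask))
    return masked == value


def run_generic_set(frame: bytes, rules: List[GenericRule]) -> str:
    """Walk the set in order; Drop or Forward ends it, Check Next Rule continues."""
    for rule in rules:
        if not rule.active:
            continue
        action = rule.action_matched if generic_match(frame, rule) else rule.action_not_matched
        if action != "Check Next Rule":
            return action
    return "Forward"                     # end of set: forward


# Frame from the LAN packet trace above (74 bytes): Ethernet II header, IPv4
# header, ICMP echo request with the usual 32-byte Windows ping payload.
TRACED_FRAME = (
    bytes.fromhex("00a0c5012345")        # destination MAC
    + bytes.fromhex("0080c84cea63")      # source MAC (the address to block)
    + bytes.fromhex("0800")              # EtherType IP
    + bytes.fromhex("4500003ceb0c00002001e3eaca849b5dca849b63")  # IPv4 header
    + bytes.fromhex("0800455c03000500")  # ICMP echo request header
    + b"abcdefghijklmnopqrstuv" + b"wabcdefghi"
)

# The rule from the example: mask all 48 source-MAC bits, match the traced address.
BLOCK_SOURCE_MAC = GenericRule(offset=6, length=6, mask="ffffffffffff", value="0080c84cea63")
# Beyond the page: masking only the first three bytes blocks a whole vendor prefix (OUI).
BLOCK_OUI_0080C8 = GenericRule(offset=6, length=6, mask="ffffff000000", value="0080c8000000")


def frame_with_source(frame: bytes, src_mac_hex: str) -> bytes:
    """Return a copy of frame with the source MAC replaced (constructs test input)."""
    return frame[:6] + bytes.fromhex(src_mac_hex) + frame[12:]


if __name__ == "__main__":
    other = frame_with_source(TRACED_FRAME, "0080c8000001")
    print("traced frame, MAC rule:", run_generic_set(TRACED_FRAME, [BLOCK_SOURCE_MAC]))
    print("other host, MAC rule:  ", run_generic_set(other, [BLOCK_SOURCE_MAC]))
    print("other host, OUI rule:  ", run_generic_set(other, [BLOCK_OUI_0080C8]))
```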
Filter Example
A filter for blocking the NetBIOS packets
Introduction
The NetBIOS protocol is used to share a Microsoft computer within a workgroup. For security reasons, NetBIOS connections to an outside host are blocked by the P-334WT router by factory default. Users can remove the filter sets applied in menu 3.1 and menu 4.1 to activate the NetBIOS services. The details of the filter settings are described as follows.
Configuration
The packets that need to be blocked are as follows.
Menu 21 - Filter Set Configuration
Filter Set #  Comments            Filter Set #  Comments
------        ----------------    ------        ----------------
1             NetBIOS_WAN         7             _______________
2             NetBIOS_LAN         8             _______________
3             _______________     9             _______________
4             _______________     10            _______________
5             _______________     11            _______________
6             _______________     12            _______________
Enter Filter Set Number to Configure= 1
Edit Comments=
Press ENTER to Confirm or ESC to Cancel:
Configure the first filter set 'NetBIOS_WAN' by selecting the Filter Set number
Press ENTER to Confirm or ESC to Cancel:
Rule 2 - Destination port number 137 with protocol number 17 (UDP)
Menu 21.1.2 - TCP/IP Filter Rule
Filter #: 1,2
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 17
IP Source Route= No
Destination: IP Addr= 0.0.0.0
             IP Mask= 0.0.0.0
             Port #= 137
             Port # Comp= Equal
Source:      IP Addr= 0.0.0.0
             IP Mask= 0.0.0.
Menu 21.1.3 - TCP/IP Filter Rule
Filter #: 1,3
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 6
IP Source Route= No
Destination: IP Addr= 0.0.0.0
             IP Mask= 0.0.0.0
             Port #= 138
             Port # Comp= Equal
Source:      IP Addr= 0.0.0.0
             IP Mask= 0.0.0.0
             Port #= 0
             Port # Comp= None
TCP Estab= No
More= No
Log= None
Action Matched= Drop
Action Not Matched= Check Next Rule
Press ENTER to Confirm or ESC to Cancel:
Rule 4 - Destination port number 138 with protocol number 17 (UDP)
Menu 21.1.
             Port # Comp= None
TCP Estab= N/A
More= No
Log= None
Action Matched= Drop
Action Not Matched= Check Next Rule
Press ENTER to Confirm or ESC to Cancel:
Rule 5 - Destination port number 139 with protocol number 6 (TCP)
Menu 21.1.5 - TCP/IP Filter Rule
Filter #: 1,5
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 6
IP Source Route= No
Destination: IP Addr= 0.0.0.0
             IP Mask= 0.0.0.0
             Port #= 139
             Port # Comp= Equal
Source:      IP Addr= 0.0.0.0
             IP Mask= 0.0.0.
Menu 21.1.6 - TCP/IP Filter Rule
Filter #: 1,6
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 17
IP Source Route= No
Destination: IP Addr= 0.0.0.0
             IP Mask= 0.0.0.0
             Port #= 139
             Port # Comp= Equal
Source:      IP Addr= 0.0.0.0
             IP Mask= 0.0.0.0
             Port #= 0
             Port # Comp= None
TCP Estab= N/A
More= No
Log= None
Action Matched= Drop
Action Not Matched= Forward
Press ENTER to Confirm or ESC to Cancel:
After the first filter set is finished, you will get the complete rules summary as below.
Menu 21.
Apply the first filter set 'NetBIOS_WAN' to the 'Output Protocol Filter' in menu 11.5 to activate it.
Menu 11.5 - Remote Node Filter
Input Filter Sets:
  protocol filters=
  device filters=
Output Filter Sets:
  protocol filters=
  device filters=
Call Filter Sets:
  protocol filters=
  device filters=
Press ENTER to Confirm or ESC to Cancel:
Configure the second filter set 'NetBIOS_LAN' by selecting the Filter Set number 2.
TCP Estab= No
More= No
Log= None
Action Matched= Drop
Action Not Matched= Check Next Rule
Press ENTER to Confirm or ESC to Cancel:
Rule 2 - Source port number 137, Destination port number 53 with protocol number 17 (UDP)
Menu 21.2.2 - TCP/IP Filter Rule
Filter #: 2,2
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 17
IP Source Route= No
Destination: IP Addr= 0.0.0.0
             IP Mask= 0.0.0.0
             Port #= 53
             Port # Comp= Equal
Source:      IP Addr= 0.0.0.0
             IP Mask= 0.0.0.
Menu 21.2 - Filter Rules Summary
# A Type Filter Rules                                    M m n
- - ---- ---------------------------------------------- - - -
1 Y IP   Pr=6, SA=0.0.0.0, SP=137, DA=0.0.0.0, DP=53    N D N
2 Y IP   Pr=17, SA=0.0.0.0, SP=137, DA=0.0.0.0, DP=53   N D F
Apply the filter set 'NetBIOS_LAN' in the 'Input protocol filters=' field in Menu 3 to block the packets from the LAN.
Menu 3.
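The TCP/IP filter logic described in the Filter Structure section and used by the Web, FTP, specific-client and NetBIOS examples above, run over constructed packets; this is an added example, not ZyXEL code, and it models the Menu 21 rule fields as they appear on this page.

```python
"""Evaluator for P-334WT TCP/IP filter sets (Menu 21).

Added example, not ZyXEL's code. A filter set is up to six rules walked in
order; each rule carries the Menu 21.x.y fields used on this page (IP
Protocol, source/destination address + mask, port with a Port # Comp
operator, TCP Estab, Action Matched / Action Not Matched). The packets fed
through it are constructed test inputs.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List


@dataclass(frozen=True)
class Packet:
    protocol: int              # IP protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    established: bool = False  # TCP segment of an existing session (ACK set)


@dataclass(frozen=True)
class FilterRule:
    protocol: int = 0            # 0 = any protocol
    src_addr: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"    # mask 0.0.0.0 = match any address
    sport: int = 0
    sport_comp: str = "None"     # None | Equal | Not Equal | Less | Greater
    dst_addr: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    dport: int = 0
    dport_comp: str = "None"
    tcp_estab: str = "N/A"       # Yes = match only established TCP; No/N/A = no constraint
    action_matched: str = "Check Next Rule"
    action_not_matched: str = "Check Next Rule"
    active: bool = True


def _addr_match(addr: str, rule_addr: str, mask: str) -> bool:
    m = int(IPv4Address(mask))
    return (int(IPv4Address(addr)) & m) == (int(IPv4Address(rule_addr)) & m)


def _port_match(port: int, rule_port: int, comp: str) -> bool:
    return {"None": True, "Equal": port == rule_port, "Not Equal": port != rule_port,
            "Less": port < rule_port, "Greater": port > rule_port}[comp]


def rule_matches(pkt: Packet, rule: FilterRule) -> bool:
    """Every configured field must agree for the rule to match."""
    if rule.protocol and pkt.protocol != rule.protocol:
        return False
    if not _addr_match(pkt.src, rule.src_addr, rule.src_mask):
        return False
    if not _addr_match(pkt.dst, rule.dst_addr, rule.dst_mask):
        return False
    if not _port_match(pkt.sport, rule.sport, rule.sport_comp):
        return False
    if not _port_match(pkt.dport, rule.dport, rule.dport_comp):
        return False
    if rule.tcp_estab == "Yes" and not (pkt.protocol == 6 and pkt.established):
        return False
    return True


def run_filter_set(pkt: Packet, rules: List[FilterRule]) -> str:
    """Walk the set from rule 1; Drop or Forward ends it, Check Next Rule continues."""
    for rule in rules:
        if not rule.active:
            continue
        action = rule.action_matched if rule_matches(pkt, rule) else rule.action_not_matched
        if action != "Check Next Rule":
            return action
    return "Forward"                 # fell off the end of the set


# 'Web Request' set from the example above: rules (a), (b) and (c).
WEB_SET = [
    FilterRule(protocol=6, dport=80, dport_comp="Equal", tcp_estab="No", action_matched="Drop"),
    FilterRule(protocol=6, dport=53, dport_comp="Equal", tcp_estab="No", action_matched="Drop"),
    FilterRule(protocol=17, dport=53, dport_comp="Equal", action_matched="Drop",
               action_not_matched="Forward"),
]
# 'NetBIOS_WAN' set: TCP then UDP to 137, 138, 139; the sixth rule forwards everything else.
NETBIOS_WAN_SET = [
    FilterRule(protocol=p, dport=d, dport_comp="Equal", action_matched="Drop",
               action_not_matched="Forward" if (p, d) == (17, 139) else "Check Next Rule")
    for d in (137, 138, 139) for p in (6, 17)
]
# Menu 21.1.1 from the 'specific client' example: drop one source address, forward the rest.
CLIENT_SET = [FilterRule(src_addr="192.168.1.5", src_mask="255.255.255.255",
                         action_matched="Drop", action_not_matched="Forward")]

if __name__ == "__main__":
    for pkt in (Packet(6, "192.168.1.33", "203.0.113.5", 1025, 80),
                Packet(17, "192.168.1.33", "203.0.113.5", 1026, 53),
                Packet(6, "192.168.1.33", "203.0.113.5", 1027, 443)):
        print(pkt.protocol, pkt.dport, "Web set ->", run_filter_set(pkt, WEB_SET))
```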
Setting Up the Syslog
Prestige Setup
UNIX Setup
The Prestige is able to send four types of system log to a Syslog daemon such as Unix syslogd.
Prestige Setup
Menu 24.3.2 - System Maintenance - Syslog Logging
Syslog:
  Active= Yes
  Syslog Server IP Address= 192.168.1.34
  Log Facility= Local 1
Configuration:
1. Active: use the space bar to turn on the syslog option.
2. Syslog IP Address: enter the IP address of the UNIX server to which you wish to send the syslog.
UNIX Setup
1.
2. Edit the file /etc/syslog.conf by adding the following line at the end of the file:
local1.* /var/log/zyxel.log
where /var/log/zyxel.log is the full path of the log file. Older syslogd implementations require a tab, not spaces, between the selector and the file name.
3. Restart syslogd.
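A check that the syslog.conf line above really captures what the Prestige sends with Log Facility= Local 1; this is an added example, not ZyXEL's or syslogd's code, and the syslog.conf lines and messages in it are constructed.

```python
"""Match Prestige syslog messages against /etc/syslog.conf selectors.

Added example, not ZyXEL's or syslogd's code. The Prestige sends
RFC 3164-style messages whose <PRI> prefix is facility*8 + severity; with
Log Facility= Local 1 the facility number is 17. The helpers below decode
that prefix and evaluate classic selectors such as 'local1.*' from a
constructed syslog.conf. The sample messages are constructed.
"""
import re
from typing import List, Tuple

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITIES += ["local%d" % i for i in range(8)]          # 16..23
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(line: str) -> Tuple[str, str, str]:
    """Return (facility name, severity name, message body) for one syslog line."""
    m = _PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("not a valid <PRI> syslog message: %r" % line)
    pri = int(m.group(1))
    return FACILITIES[pri // 8], SEVERITIES[pri % 8], m.group(2)


def selector_matches(selector: str, facility: str, severity: str) -> bool:
    """Classic syslog.conf selector 'fac[,fac].level', level = name | * | none.

    A level name matches that severity and everything more severe.
    """
    fac_part, level = selector.rsplit(".", 1)
    facs = fac_part.split(",")
    if "*" not in facs and facility not in facs:
        return False
    if level == "*":
        return True
    if level == "none":
        return False
    return SEVERITIES.index(severity) <= SEVERITIES.index(level)


def route(line: str, conf: List[str]) -> List[str]:
    """Return the action (log file) of every syslog.conf line whose selector matches."""
    facility, severity, _ = decode_pri(line)
    targets = []
    for conf_line in conf:
        conf_line = conf_line.strip()
        if not conf_line or conf_line.startswith("#"):
            continue
        selectors, target = conf_line.split(None, 1)     # whitespace between selector and action
        if any(selector_matches(s, facility, severity) for s in selectors.split(";")):
            targets.append(target)
    return targets


# Constructed syslog.conf: a catch-all for errors plus the line from the procedure above.
SYSLOG_CONF = [
    "*.err\t/var/log/messages",
    "local1.*\t/var/log/zyxel.log",
]
# Constructed messages: 142 = 17*8 + 6 (local1.info), 139 = 17*8 + 3 (local1.err),
# 38 = 4*8 + 6 (auth.info) from some other host.
SAMPLES = [
    "<142>Prestige: user login ok",
    "<139>Prestige: WAN link down",
    "<38>host sshd[42]: unrelated host message",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(decode_pri(sample)[:2], "->", route(sample, SYSLOG_CONF))
```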
Network Management Using SNMP
1. SNMP Overview
The Simple Network Management Protocol (SNMP) is an application-layer protocol used to exchange management information between network devices (e.g., routers). By using SNMP, network administrators can more easily manage network performance and find and solve network problems. SNMP is a member of the TCP/IP protocol suite; it uses UDP to exchange messages between a management client and an agent residing in a network node.
The Internet Management Model is as shown in figure 1. Interactions between the NMS and managed devices can be any of four different types of commands:
1. Reads: Read is used to monitor the managed devices; NMSs read variables that are maintained by the devices.
2. Writes: Write is used to control the managed devices; NMSs write variables that are stored in the managed devices.
3.
2. ZyXEL SNMP Implementation ZyXEL currently includes SNMP support in some Prestige routers. It is implemented based on the SNMPv1, so it will be able to communicate with SNMPv1 NMSs. Further, users can also add ZyXEL's private MIB in the NMS to monitor and control additional system variables. The ZyXEL's private MIB tree is shown in figure 3.
If the machine cold starts, the trap will be sent after booting.
2. warmStart (defined in RFC-1215): If the machine warm starts, the trap will be sent after booting.
3. linkDown (defined in RFC-1215): If any link of IDSL or WAN is down, the trap will be sent with the port number. The port number is its interface index under the interface group.
4. linkUp (defined in RFC-1215): If any link of IDSL or WAN is up, the trap will be sent with the port number.
3. Configure the Prestige for SNMP The SNMP related settings in Prestige are configured in menu 22, SNMP Configuration. The following steps describe a simple setup procedure for configuring all SNMP settings.
Menu 22 - SNMP Configuration
SNMP:
  Get Community= public
  Set Community= public
  Trusted Host= 192.168.1.33
Trap:
  Community= public
  Destination= 192.168.1.33
Press ENTER to Confirm or ESC to Cancel:
Key Settings:
Get Community: Enter the correct Get Community. This Get Community must match the 'Get-' and 'GetNext' community requested from the NMS. The default is 'public'. Because the community string is the only credential SNMPv1 has and it travels in clear text, change it from the default and restrict Trusted Host to the NMS address.
Set Community: Enter the correct Set Community.
Using the Dynamic DNS (DDNS)
What is DDNS?
The DDNS service, an IP regist"ry, provides a public central database where information such as email addresses, hostnames, IPs etc. can be stored and retrieved. This solves the problem of reaching a host whose IP address is dynamic. Without DDNS, we always tell users to use the WAN IP of the Prestige to access the internal server, which is inconvenient for the users if this IP is dynamic.
Menu 1 - General Setup
System Name= P-334WT
Domain Name=
First System DNS Server= From ISP
  IP Address= N/A
Second System DNS Server= From ISP
  IP Address= N/A
Third System DNS Server= From ISP
  IP Address= N/A
Edit Dynamic DNS= Yes
Menu 1.1 - Configure Dynamic DNS
Service Provider= WWW.DynDNS.
Service Provider: Enter the DDNS server in this field. Currently, we support WWW.DYNDNS.ORG.
Active: Toggle to 'Yes'.
Host: Enter the hostname you subscribe from the above DDNS server. For example, zyxel.com.tw.
User: Enter the user name that the DDNS server gives to you.
Password: Enter the password that the DDNS server gives to you.
Enable Wildcard: Enter the hostname for the wildcard function that WWW.DYNDNS.ORG supports. Note that the Wildcard option is available only when the provider is WWW.DYNDNS.ORG.
Using IP Alias
What is IP Alias?
In a typical environment, a LAN router is required to connect two local networks. The Prestige can connect three local networks to the ISP or a remote node; we call this function 'IP Alias'. In this case, an internal router is not required. For example, the network manager can divide the local network into three networks and connect them to the Internet using the Prestige's single user account. See the figure below.
Copyright (c) 1994 - 1999 ZyXEL Communications Corp.
ras> ip ro st
Dest         FF  Len  Interface  Gateway      Metric  stat  Timer  Use
192.168.3.0  00  24   enif0:1    192.168.3.1  1       041b  0      0
192.168.2.0  00  24   enif0:0    192.168.2.1  1       041b  0      0
192.168.1.0  00  24   enif0      192.168.1.1  1       041b  0      0
Two new protocol filter interfaces in menu 3.2.1 allow you to accept or deny LAN packets from/to IP alias 1 and IP alias 2 that go through the Prestige. The filter set in menu 3.1 is used for the main network configured in menu 3.2.
TCP/IP Setup: Enter the first LAN IP address for the Prestige. This will create the first route on the enif0 interface.
Edit IP Alias: Toggle to 'Yes' to enter menu 3.2.1 for setting up the second and third networks.
2. Edit the second and third networks in menu 3.2.1 by configuring the Prestige's second and third LAN IP addresses.
Menu 3.2.1 - IP Alias Setup
IP Alias 1= Yes
  IP Address= 192.168.2.1
  IP Subnet Mask= 255.255.255.
Using FTP to Upload the Firmware and Configuration Files
In addition to uploading the firmware and configuration file via the console port and a TFTP client, you can also upload the firmware and configuration files to the Prestige using FTP. To use this feature, your workstation must have FTP client software. Two examples are shown below.
1. Using the FTP command in a terminal
2. Using FTP client software
1.
ftp: 924512 bytes sent in 4.83Seconds 191.41Kbytes/sec.
ftp>
Here, 'p312.bin' is the local file and 'ras' is the remote file that will be saved in the Prestige. The Prestige reboots automatically after the upload is finished.
2. Using FTP client software
Rename the local firmware and configuration files to 'ras' and 'rom-0', because we cannot specify the remote file name in the FTP client software.
2. Press 'OK' to ignore the 'Username' prompt. 3. To upload the firmware file, we transfer the local 'ras' file to overwrite the remote 'ras' file. To upload the configuration file, we transfer the local 'rom-0' to overwrite the remote 'rom-0' file.
4. The Prestige reboots automatically after the upload is finished.
Firmware/Configurations Uploading and Downloading using TFTP
Using TFTP client software
Using TFTP command on Windows NT
Using TFTP command on UNIX
Downloading Walusoft TFTP from http://www.walusoft.co.
192.168.1.1 is the IP address of the Prestige. The local file is the source file of the ZyNOS firmware on your hard disk. The remote file is the file name under which it will be saved in the Prestige. Check port number 69 and 512-octet blocks for TFTP. Check 'Binary' mode for the file transfer.
1. TELNET to your Prestige first before using TFTP command 2. Type the CI command 'sys stdio 0' to disable console idle timeout in Menu 24.8 and stay in Menu 24.
[cppwu@faelinux cppwu]$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
Password: ****
Copyright (c) 1994 - 2004 ZyXEL Communications Corp.
Prestige 334WT Main Menu
Getting Started
  1. General Setup
  2. WAN Setup
  3. LAN Setup
  4. Internet Access Setup
Advanced Management
  21. Filter and Firewall Setup
  22. SNMP Configuration
  23. System Security
  24. System Maintenance
  26. Schedule Setup
  27. VPN/IPSec Setup
Advanced Applications
  11. Remote Node Setup
  12.
  5. Backup Configuration
  6. Restore Configuration
  7. Firmware Upload
  8. Command Interpreter Mode
  9. Call Control
  10. Time and Date Setting
  11. Remote Management Setup
Enter Menu Selection Number: 8
Copyright (c) 1994 - 2004 ZyXEL Communications Corp.
ras> sys stdio 0
ras> (press Ctrl+] to escape to the Telnet prompt)
telnet> z
[1]+  Stopped                 telnet 192.168.1.1
[cppwu@faelinux cppwu]$ tftp
tftp> connect 192.168.1.
Using Traffic Redirect
What is Traffic Redirect?
How to deploy backup gateway?
Are you using Prestige family?
What is Traffic Redirect?
Traffic redirect forwards WAN traffic to a backup gateway when the Prestige cannot connect to the Internet through its normal gateway. This makes your backup gateway an auxiliary backup of your WAN connection.
Traffic Redirect on LAN port

● Traffic Redirect Setup
Configure the parameters that determine when the Prestige will forward WAN traffic to the backup gateway using SMT Menu 11.6, Traffic Redirect Setup.

Menu 11.1 - Remote Node Profile

Menu 11.6 - Traffic Redirect Setup
  Active= Yes
  Configuration:
    Backup Gateway IP Address= 192.168.1.50
    Metric= 15
    Check WAN IP Address= 202.132.154.
Fail Tolerance   Specify the number of times the Prestige may attempt and fail to connect to the Internet before triggering the traffic redirect connection.
Period           Specify the period at which the Prestige checks its WAN connectivity.
Timeout          Specify the number of seconds the Prestige waits for a response from the reliable server.

You can also configure traffic redirect via the web configurator. The configuration page is in ADVANCED/WAN/Traffic Redirect.
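The failover decision these parameters describe, as an added example that is not ZyXEL's firmware code: a Python model that counts consecutive failed checks of the Check WAN IP host, redirects to the backup gateway after Fail Tolerance failures, and selects the lowest-metric live default route (the backup route carrying Metric 15). The probe function, the restore-on-first-success behaviour and the sample addresses are assumptions.

```python
"""Traffic-redirect decision model (added example, not ZyXEL firmware code).

Field names follow Menu 11.6: Backup Gateway IP Address, Metric, Check WAN IP
Address, Fail Tolerance, Period, Timeout. The reachability probe is injected
so the logic can be exercised offline with a constructed outcome sequence.
Assumption: the normal route is restored on the first successful check.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class TrafficRedirect:
    check_wan_ip: str           # "reliable server" probed through the normal WAN path
    backup_gateway: str         # LAN host that takes WAN traffic while redirected
    fail_tolerance: int = 3     # consecutive failed checks before redirecting
    period: int = 30            # seconds between checks (driven by the caller's timer)
    timeout: int = 3            # seconds to wait for the probe reply
    backup_metric: int = 15     # Metric field: cost of the backup default route
    redirected: bool = False
    failures: int = 0

    def check(self, probe: Callable[[str, int], bool]) -> str:
        """Run one connectivity check; returns the event it produced."""
        if probe(self.check_wan_ip, self.timeout):
            self.failures = 0
            if self.redirected:
                self.redirected = False
                return "restore"
            return "ok"
        self.failures += 1
        if not self.redirected and self.failures >= self.fail_tolerance:
            self.redirected = True
            return "redirect"
        return "fail"

    def routing_table(self, normal_gateway: str, normal_metric: int = 1) -> List[Dict]:
        """Both default routes; the normal one is marked down while redirected."""
        return [
            {"gateway": normal_gateway, "metric": normal_metric, "up": not self.redirected},
            {"gateway": self.backup_gateway, "metric": self.backup_metric, "up": True},
        ]

    def next_hop(self, normal_gateway: str) -> Optional[str]:
        """Lowest-metric default route that is up, as a router would select it."""
        live = [r for r in self.routing_table(normal_gateway) if r["up"]]
        return min(live, key=lambda r: r["metric"])["gateway"] if live else None


def simulate(outcomes: List[bool], fail_tolerance: int = 3):
    """Feed a constructed sequence of probe results; return (events, final next hop)."""
    tr = TrafficRedirect("203.0.113.1", "192.168.1.50", fail_tolerance=fail_tolerance)
    results = iter(outcomes)
    events = [tr.check(lambda host, timeout: next(results)) for _ in outcomes]
    return events, tr.next_hop("203.0.113.254")


if __name__ == "__main__":
    # Constructed: link flaps once, then fails three checks in a row, then recovers.
    print(simulate([True, False, False, True, False, False, False, True]))
```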
VPN Application Notes
● Using P-334WT IPSec VPN
  ■ P-334WT to ZyWALL Tunneling
  ■ Secure Gateway with Dynamic WAN IP Address
  ■ Configure NAT for internal servers
  ■ Configure P-334WT behind a NAT router
  ■ Relaying NetBIOS Broadcast over IPSec tunnel
P-334WT to ZyWALL Tunneling
1. Setup P-334WT
2. Setup ZyWALL
3. Troubleshooting
4. View Log

This page guides you through setting up a VPN connection between the P-334WT and a ZyWALL router. Please note that, in addition to ZyWALL, the P-334WT can also talk to other VPN hardware. The tested VPN hardware is shown below.
● Cisco 1720 Router, IOS 12.2(2)XH, IP/ADSL/FW/IDS PLUS IPSEC 3DES
● NetScreen 5, ScreenOS 2.6.
2. In this example, we presume that the P-334WT's model name is P-334WT. Since it is a P-334WT, only 1 PC can use the tunnel.
3. In this example, we presume that the ZyWALL's model name is ZyWALL10W.

1. Setup P-334WT
1. Using a web browser, log in to the P-334WT by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1 and the default password for the web configurator is 1234.
2. Click Advanced, and click the VPN tab on the left.
3. On the SUMMARY menu, select a policy to edit by clicking Edit.
4.
2. Setup ZyWALL
The ZyWALL is configured in the same way as the P-334WT.
1. Using a web browser, log in to the ZyWALL by entering its LAN IP address in the URL field.
2. Click Advanced, and click the VPN tab on the left.
3. On the SUMMARY menu, select a policy to edit by clicking Edit.
4. On the CONFIGURE-IKE menu, check the Active check box and give a name to this policy.
5. Set IPSec Keying Mode to IKE and Negotiation Mode to Main, as we configured in the P-334WT.
3. Troubleshooting
Q: How do we know the above tunnel works?
A: If the connection between PC 1 and PC 2 is OK, we know the tunnel works. Try to ping from PC 1 to PC 2 (or PC 2 to PC 1). If PC 1 and PC 2 can ping each other, the IPSec tunnel has been established successfully. If the ping fails, there are two methods to troubleshoot IPSec in the P-334WT.
● Menu 27.2, SA Monitor
Through menu 27.2, you can monitor every IPSec connection currently running in the P-334WT.
● Using CI command 'ipsec debug 1'
Enter 'ipsec debug 1' in Menu 24.8. There should be lots of detailed messages printed out showing how the negotiation takes place. If the IPSec connection fails, please dump the 'ipsec debug 1' output for our analysis. The following shows an example of the dumped messages.
Secure Gateway with Dynamic WAN IP Address
● P-334WT static WAN IP vs. peer side dynamic IP
● P-334WT dynamic WAN IP vs. peer side static IP

In most cases, static IP addresses are used for VPN tunneling endpoints. But for SOHO users, a dynamic IP is the general case. In this case, the IP address cannot be predefined in the VPN box. There are some tips when configuring the ZyWALL in any dynamic case.

● ZyWALL static WAN IP vs. peer side dynamic IP
1.
2. On the remote side, generally speaking, most VPN clients will bind the PPP/Ethernet adapter's dynamic IP address to IPSec automatically. The only thing you need to take care of is to correctly specify the interface to which you want to apply IPSec/VPN. The rest is similar to the static case.
3. Afterward, the VPN connection can ONLY be initiated from the dynamic side to the static side, in order to update its dynamic IP to the static side.
4.
1. In the VPN settings of the P-334WT, specify the IP address of My IP as 0.0.0.0. The P-334WT will automatically bind its current WAN IP address to IPSec.
2. In this case, the IPSec tunnel can ONLY be initiated from the P-334WT.
Configure NAT for Internal Servers
Some tips for this application:
Generally, without IPSec, to configure an internal server for outside access, we need to configure the server's private IP and its service port in the SUA/NAT Server Table. The NAT router will then forward the incoming connections to the internal server according to the service port and private IP entered in the SUA/NAT Server Table.
Configure P-334WT Behind a NAT Router
Some tips for this application:
1. The NAT router must support IPSec pass-through. Only ESP in tunnel mode can work in the NAT case. If the NAT router is a ZyXEL NAT router (P300 series, P643, P642, or P202) supporting IPSec pass-through, the default port and the P-334WT WAN IP must be configured in its SUA/NAT Server Table.
2. The WAN IP of the NAT router is the tunneling endpoint in this case, not the WAN IP of the P-334WT.
3.
Relaying NetBIOS Broadcast over IPSec tunnel

With NetBIOS broadcast supported in the VPN tunnel, users of Microsoft Windows can search for computers in the remote VPN network by "Computer Name". Users don't need to pre-edit lmhosts on their local computer nor set up a WINS server in between.

ras> ipsec load 1
ras> ipsec disp
---------- IPSec Setup ----------
Index #= 1
Active= Yes
KeepAlive= No
Protocol= 0
Name= 1
My IP Addr= 0.0.0.0
Local ID Type = IP Addr
Peer ID Type = IP Addr
Local ID Content = 0.0.0.
Phase 2 - Active Protocol= ESP
Encryption Algorithm= DES
Authentication Algorithm= MD5
SA Life Time (Seconds)= 28800
Encapsulation= Tunnel
Perfect Forward Secrecy (PFS)= None
---------- NetBios Setup ----------
Broadcast Pass Through turned on yet.
Wireless Application Notes
● Infrastructure Mode
● Wireless MAC Address Filtering
● WEP Configurations
● IEEE 802.1x
● Site Survey
Configuring Infrastructure mode
● Infrastructure Introduction
● Configure wireless access point to Infrastructure mode with SMT
● Configure wireless access point to Infrastructure mode with Web configurator
● Configure wireless station to Infrastructure mode

Introduction

What is Infrastructure mode?
Infrastructure mode, sometimes referred to as Access Point mode, is an operating mode of an 802.11b/Wi-Fi client unit. In infrastructure mode, the client unit can associate with an 802.
2. Enter 5 to display Menu 3.5 - Wireless LAN Setup.

Menu 3.5 - Wireless LAN Setup
  ESSID= ZyXEL
  Hide ESSID= No
  Channel ID= CH01 2412MHz
  RTS Threshold= 4096
  Frag. Threshold= 4096
  WEP Encryption= N/A
  Default Key= N/A
  Key1= N/A
  Key2= N/A
  Key3= N/A
  Key4= N/A
  Authen. Method= N/A
  Edit MAC Address Filter= No
  Edit Roaming Configuration= No
  Preamble= Long
  802.11 Mode= Mixed

3. Configure ESSID, Channel ID, WEP, Default Key and Keys as you desire.
3. Configure the desired configuration on the P-334WT.
4. Finished.

● Configuring Wireless Station to Infrastructure mode
To configure Infrastructure mode on your ZyAIR B-100/B-200/B-300 wireless NIC card, please follow these steps.
1. Double click the utility icon in your Windows task bar; the utility will pop up on your Windows screen.
2. Select the Configuration tab.
3. Select Infrastructure from the operation mode pull-down menu, fill in an SSID (or leave it as 'any' if you wish to connect to any AP), then press Apply Change to take effect.
4. Click on the Site Survey tab and press Search; all the available APs will be listed.
5. Double click the AP you want to associate with.
6. After the client has associated with the selected AP, the linked AP's channel, current link rate, SSID, link quality, and signal strength are shown on the Link Info page. You have now successfully associated with the selected AP in Infrastructure Mode.
MAC Filter
● MAC Filter Overview
● ZyXEL MAC Filter Implementation
● Configure the WLAN MAC Filter

1. MAC Filter Overview
Users can use the MAC Filter as a method to restrict unauthorized stations from accessing the APs. ZyXEL's APs provide the capability to check the MAC address of a station before allowing it to connect to the network. This provides an additional layer of control in that only stations with registered MAC addresses can connect.
Menu 3.5.
Setup WEP (Wired Equivalent Privacy)
● Introduction
● Setting up the Access Point
● Setting up the Station

Introduction
The 802.11 standard describes the communication that occurs in wireless LANs.
Setting up the Access Point
Most access points and clients can hold up to 4 WEP keys simultaneously. You need to specify one of the 4 keys as the default key for data encryption.
● Setting up the Access Point from SMT Menu 3.5
The B1000 holds up to 4 WEP keys. You have to specify one of the 4 keys as the default key, which is used to encrypt wireless data transmission. For example,

Menu 3.5 - Wireless LAN Setup
  ESSID= B1000
  Hide ESSID= No
  Channel ID= CH01 2412MHz
  RTS Threshold= 2432
  Frag.
So the Key 3 of the station has to equal the Key 3 of the access point. Though the access point uses Key 3 as its default key, the station can use another key as its default key to encrypt wireless data transmission.

Access Point (encrypt data by Key 3) --------> Station (decrypt data by Key 3)
Access Point (decrypt data by Key 2) <-------- Station (encrypt data by Key 2)

In this case, the access point transmits data to the station encrypted with Key 3 of the access point.
The utility will pop up on your Windows screen. Note: If the utility icon doesn't exist in your task bar, click Start -> Programs -> IEEE802.11b WLAN Card -> IEEE802.11b WLAN Card.
2. Select the 'Encryption' tab. Select the encryption type corresponding to the access point. Set up the 4 keys corresponding to the WEP keys of the access point, and select one WEP key as the default key to encrypt wireless data transmission.
Key settings
The WEP encryption type of the station has to equal that of the access point. Check the 'ASCII' field for a character WEP key or uncheck the 'ASCII' field for a hexadecimal-digit WEP key.
Hexadecimal digits do not need to be preceded by '0x'. For example,

64-bit WEP key with characters:
  Key1= 2e3f4
  Key2= 5y7js
  Key3= 24fg7
  Key4= 98jui

64-bit WEP key with hexadecimal digits:
  Key1= 123456789A
  Key2= 23456789AB
  Key3= 3456789ABC
  Key4= 456789ABCD
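The two-key-index exchange above (AP transmits with Key 3, station transmits with Key 2) and the 5-character / 10-hex-digit key forms, worked as an added example that is not ZyXEL's code. It builds and unpacks the WEP frame body (24-bit IV, key-ID byte, RC4 keystream over IV||key, CRC-32 ICV) so that the receiver selects the key slot named in the frame; the key table is the hexadecimal example above, and the payloads are constructed.

```python
"""WEP key-table model (added example, not ZyXEL code).

Shows why the AP can transmit with Key 3 while the station transmits with
Key 2: every WEP frame carries the index of the key that encrypted it, so
each side only needs the same four keys in the same slots. Implements the
WEP frame body from IEEE 802.11-1999: 3-byte IV, key-ID byte (index in
bits 6-7), RC4 keystream seeded with IV||key, CRC-32 ICV over the data.
WEP is modelled here because it is what this page configures; the scheme
itself has long been superseded by WPA2/WPA3.
"""
import os
import struct
import zlib


def parse_wep_key(text: str, ascii_mode: bool) -> bytes:
    """Convert a key as typed in the utility ('ASCII' checked or not) to bytes."""
    key = text.encode("ascii") if ascii_mode else bytes.fromhex(text)  # no '0x' prefix
    if len(key) not in (5, 13):            # 40-bit (64-bit WEP) or 104-bit (128-bit WEP)
        raise ValueError("WEP key must be 5/13 characters or 10/26 hex digits")
    return key


def rc4(key: bytes, n: int) -> bytes:
    """RC4 key scheduling followed by n bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


class WepPeer:
    """An AP or station: the shared 4-slot key table plus its own default key index."""

    def __init__(self, keys, default_index: int):
        if len(keys) != 4 or not 0 <= default_index < 4:
            raise ValueError("need 4 key slots and a default index 0..3")
        self.keys = list(keys)
        self.default_index = default_index

    def encrypt(self, plaintext: bytes, iv: bytes = None) -> bytes:
        """Frame body: IV || key-ID byte || RC4(data || ICV) using this peer's default key."""
        iv = os.urandom(3) if iv is None else iv
        icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
        body = plaintext + icv
        stream = rc4(iv + self.keys[self.default_index], len(body))
        key_id_byte = self.default_index << 6          # index travels inside the frame
        return iv + bytes([key_id_byte]) + bytes(a ^ b for a, b in zip(body, stream))

    def decrypt(self, frame: bytes) -> bytes:
        """Pick the slot the sender named, strip the keystream and verify the ICV."""
        iv, key_index, body = frame[:3], frame[3] >> 6, frame[4:]
        stream = rc4(iv + self.keys[key_index], len(body))
        plain = bytes(a ^ b for a, b in zip(body, stream))
        data, icv = plain[:-4], plain[-4:]
        if struct.unpack("<I", icv)[0] != (zlib.crc32(data) & 0xFFFFFFFF):
            raise ValueError("ICV mismatch: Key %d differs from the peer's" % (key_index + 1))
        return data


def exchange(ap_default: int = 2, sta_default: int = 1):
    """AP uses Key 3 (index 2), station uses Key 2 (index 1); both directions decrypt."""
    table = [parse_wep_key(k, False)
             for k in ("123456789A", "23456789AB", "3456789ABC", "456789ABCD")]
    ap, sta = WepPeer(table, ap_default), WepPeer(table, sta_default)
    downlink = sta.decrypt(ap.encrypt(b"AP to station"))     # constructed payloads
    uplink = ap.decrypt(sta.encrypt(b"station to AP"))
    return downlink, uplink
```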
Setup IEEE 802.1x Access Control (Authentication and Accounting)
● What is IEEE 802.1x?
  ■ IEEE 802.1x Introduction
  ■ Authentication
  ■ Port State and Authentication Control
  ■ Re-Authentication
  ■ EAPOL
● Setup 802.1x in Wireless Access Point
  ■ Enable 802.1x
  ■ Using Internal Authentication Server
  ■ Using External RADIUS Authentication Server
● Setup 802.1x client in the Station

IEEE 802.1x Introduction
IEEE 802.
The device (i.e. the wireless AP) facilitates authentication for the supplicant (wireless client) attached to the wireless network. The authenticator controls physical access to the network based on the authentication status of the client. The authenticator acts as an intermediary (proxy) between the client and the authentication server (i.e. the RADIUS server), requesting identity information from the client, verifying that information with the authentication server, and relaying a response to the client.
2.
1. Force Authorized: Disables 802.1x and causes the port to transition to the authorized state without any authentication exchange required. The port transmits and receives normal traffic without 802.1x-based authentication of the client. This is the default port control setting. While the AP is set to Force Authorized, any wireless client (with or without an 802.1x supplicant) can always access the network.
2.
However, if during bootup the supplicant does not receive an EAP-Request/Identity frame from the wireless AP, the client can initiate authentication by sending an EAPOL-Start frame, which prompts the authenticator to request the supplicant's identity. In the above case, the authenticator is co-located with the authentication server. When the supplicant supplies its identity, the authenticator exchanges EAPOL directly with the supplicant until authentication succeeds or fails.
● EAP-Packet: Both the supplicant and the authenticator send this packet while authentication is taking place. This is the packet that contains either the MD5-Challenge or the TLS information required for authentication.
● EAPOL-Start: The supplicant sends this packet when it wants to initiate the authentication process.
● EAPOL-Logoff: The supplicant sends this packet when it wants to terminate its 802.1x session.
● EAPOL-Key: This is used for the TLS authentication method.
Press [SPACE BAR] to select from Force Authorized, Force UnAuthorized or Auto. The default is Force Authorized.

Authentication Control
  Auto: Enables the 802.1x function to authorize all wireless clients; only wireless clients with an 802.1x supplicant can access the network.
  Force Authorized: Disables the 802.1x function and allows any wireless client access to your wireless network without authentication.
  Force UnAuthorized: Denies all wireless clients access to your wireless network.
● Using External RADIUS Authentication Server
In addition to the internal authentication server inside the ZyXEL AP, you can use an external RADIUS authentication server to centrally manage user account profiles. RADIUS is based on a client-server model that supports authentication, authorization and accounting. The wireless AP is the client and the server is the RADIUS server.
1. From the SMT main menu, enter Menu 23.2, System Security - RADIUS Server, to set up the RADIUS authentication server.

Menu 23.2 - System Security - RADIUS Server
  Authentication Server:
    Active= Yes
    Server Address= 192.168.1.100
    Port #= 1812
    Shared Secret= *****
  Accounting Server:
    Active= Yes
    Server Address= 192.168.1.
Active          Press [SPACE BAR] to select Yes and press [Enter] to enable 802.1x user authentication through an external RADIUS authentication server. Select No to enable authentication using the ZyXEL AP's internal authentication server.
Server Address  Enter the IP address of the external RADIUS authentication server.
Port            The default port of the RADIUS server for authentication is 1812. You need not change this value unless your network administrator instructs you to do so.
Shared Secret
Setup 802.1x client in the station
● Setup Windows XP 802.1x client
● Setup MeetingHouse AEGIS 802.1x client

Setup 802.1x client in the station
The EAP protocol can support multiple authentication mechanisms, such as MD5-Challenge, One-Time Passwords, Generic Token Card, TLS and TTLS. So far, the ZyXEL wireless AP only supports the MD5-Challenge authentication mechanism, but will support TLS and TTLS in the future. Here we take the MD5-Challenge authentication mechanism as an example.
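The EAPOL packet types, the three Authentication Control settings, and the MD5-Challenge exchange described above, as an added example that is not ZyXEL's code: it parses EAPOL and EAP headers, builds a supplicant's EAP-MD5 Response and verifies it the way the authentication server does (MD5 over identifier, password and challenge, as in RFC 3748). The user database, password and challenge bytes are constructed test values.

```python
"""EAPOL / EAP-MD5-Challenge model (added example, not ZyXEL's implementation).

EAPOL header (IEEE 802.1X): version, packet type, body length.
EAP header (RFC 3748): code, identifier, length, then type for Request/Response.
MD5-Challenge response value = MD5(identifier || password || challenge).
EAP-MD5 derives no keys and is what this page's AP supports; it is modelled
here only to show the verification step the authenticator performs.
"""
import hashlib
import hmac
import struct

EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF, EAPOL_KEY = 0, 1, 2, 3
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4


def parse_eapol(frame: bytes):
    """Return (eapol_type, body) from a raw EAPOL frame (Ethernet header removed)."""
    if len(frame) < 4:
        raise ValueError("short EAPOL header")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    if version not in (1, 2) or ptype > EAPOL_KEY:
        raise ValueError("not an EAPOL v1/v2 frame")
    if len(frame) < 4 + length:
        raise ValueError("truncated EAPOL body")
    return ptype, frame[4:4 + length]


def parse_eap(body: bytes) -> dict:
    """Return code, id, type (None for Success/Failure) and type-data of an EAP packet."""
    if len(body) < 4:
        raise ValueError("short EAP header")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("bad EAP length")
    pkt = {"code": code, "id": ident, "type": None, "data": b""}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("Request/Response without type")
        pkt["type"] = body[4]
        pkt["data"] = body[5:length]
    return pkt


def md5_challenge_value(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 3748 section 5.4 (same as CHAP): MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_md5_response(ident: int, password: bytes, challenge: bytes, name: bytes) -> bytes:
    """Supplicant side: EAPOL(EAP-Packet) carrying an EAP Response/MD5-Challenge."""
    value = md5_challenge_value(ident, password, challenge)
    data = bytes([len(value)]) + value + name            # Value-Size, Value, Name
    eap = struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(data), EAP_TYPE_MD5) + data
    return struct.pack("!BBH", 1, EAPOL_EAP_PACKET, len(eap)) + eap


def verify_md5_response(frame: bytes, ident: int, challenge: bytes, lookup_password) -> bool:
    """Authentication-server side: True only if the response proves the password."""
    ptype, body = parse_eapol(frame)
    if ptype != EAPOL_EAP_PACKET:
        return False
    pkt = parse_eap(body)
    if pkt["code"] != EAP_RESPONSE or pkt["id"] != ident or pkt["type"] != EAP_TYPE_MD5:
        return False
    if not pkt["data"]:
        return False
    size = pkt["data"][0]
    value, name = pkt["data"][1:1 + size], pkt["data"][1 + size:]
    password = lookup_password(name)
    if password is None or size != 16 or len(value) != 16:
        return False
    expected = md5_challenge_value(ident, password, challenge)
    return hmac.compare_digest(value, expected)


def port_allows_traffic(control: str, authenticated: bool) -> bool:
    """Port access decision for the three Authentication Control settings on the AP."""
    if control == "Force Authorized":
        return True
    if control == "Force UnAuthorized":
        return False
    return authenticated            # Auto: only after a successful 802.1x exchange


if __name__ == "__main__":
    users = {b"alice": b"s3cret"}                         # constructed user database
    challenge = bytes(range(16))                          # constructed challenge
    resp = build_md5_response(7, b"s3cret", challenge, b"alice")
    print(verify_md5_response(resp, 7, challenge, users.get))
```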
4. In the Authentication tab, check Enable network access control using IEEE 802.1x and choose MD5-Challenge in the EAP type list, as shown below.
5.
6. In the Connect to Wireless Network window, select the AP you would like to connect to in the Available networks field, then click the Connect button.
7. Windows XP will show you the message "Click here to enter your user name and password for the network " where the is the AP's name you chose on previous step. Click on the message box or the icon shown on the icon list. 8. In the Wireless Network Connection window, enter the in the User name field and in the Password field that are already set in AP for login. Click OK to finish the connection.
9. Windows XP completes the negotiation and changes the status for you automatically, as shown in the following figure.

● Setup MeetingHouse AEGIS 802.
1. Connect your wireless client to the AP before configuring the AEGIS 802.1x client.
2. Open the AEGIS Client - Running window, choose Client --> Configure --> select the User settings tab --> type the username into the Identity field --> select the MD5-Challenge authentication type --> type the password into the Password field --> click the Apply button to save your configuration and return to the AEGIS Client window.
3. Right click the specified wireless client adapter in the AEGIS Client --> select Start to start 802.1x authentication on the specified wireless client adapter.
4. The AEGIS 802.1x client completes the negotiation and changes status automatically.
Before 802.1x authentication:
After 802.
5. If the AEGIS 802.1x client does not start to negotiate with the wireless AP, please perform Step 1 again.
Site Survey
● Site survey introduction
● Preparation
● Survey on site

Introduction

What is Site Survey?
An RF site survey is a map of the RF coverage contours in a particular facility. With wireless systems it is very difficult to predict the propagation of radio waves and detect the presence of interfering signals. Walls, doors, elevator shafts, and other obstacles offer different degrees of attenuation. This causes the RF coverage pattern to be irregular and hard to predict.
2. Install an access point at the preliminary location.
3. Use a notebook with a wireless client installed and run its utility. The utility will provide information such as connection speed, channel currently in use, associated rate, link quality, signal strength and other information, as shown in the utility below.
4. It is always a good idea to start by putting the access point in a corner of the room and walking away from it in a systematic manner.
5. When you reach the farthest point of connection, mark the spot. Now move the access point to this new spot, as you have already determined the farthest point for the access point installation spot if wireless service is required from the corner of the room.
6. Repeat steps 1~5 and now you should be able to mark an RF coverage area as illustrated in the picture above.
7. You may need more than one access point if the RF coverage area does not cover all the wireless service area you need.
8.
Note: If more than one access point is needed, be sure to make the adjacent access points' service areas overlap one another, so that the wireless stations are able to roam.
TMSS Application Notes
● Registration Steps (Demo)
● FAQ
TMSS
● TMSS Introduction
● TMSS Registration Demo

TMSS Introduction

What is TMSS?
TMSS helps to identify vulnerabilities and to protect PCs and networks that are connected to the Internet via a router. Integrated with chosen hardware partners, TMSS is designed to address the security needs of PCs that access the Internet via broadband routers. TMSS provides benefits which include the following:
1. Security Report via Security Scan
2. Trend Micro Internet Security
3.
3. When you click the "Continue" button, the web page will redirect to the TMSS dashboard as below.
4. Click "Service Summary"; on this page you can activate the TMSS service.
5. Click "Activate My Services"; you will receive the pages below. (Please follow the instructions on the page to finish the registration steps.)
6. After you receive the registration mail from TMSS, follow the instructions in the mail to validate your account. After you validate your account, you will be redirected to the page below and you can download the TIS 60-day trial version.
7. You can go back to the TMSS dashboard and see that the status has already changed. (If you want to extend your TMSS service after the trial expires, please check the Online Support or press the "?" mark for more detailed information.)
8. You can use "Security Scan" to run a security scan on your PC or on all the PCs in your network (under the LAN of the device). After the security scan is finished, TMSS will generate a report indicating the result of the scan.
9. Before you validate your account, the status of Parental Control will look like below.
10. Below is the page on which you validate your account.
11. After you finish your TMSS registration and install the TIS software, the Web GUI will display as below (the information on Client Antivirus Protection Status and the settings column of Parental Control).
TMSS FAQ
1. The entire-network result will never be "Risk Free".
2. If the user sets an incorrect DNS setting for the router, parental controls will not work.
3. If the router's web server does not use port 80, the TMSS service will not work.
4. The scanning result will be sent to the default gateway.
5. If the client is in the exception list but the router reboots, the web console will not display this client.
6. Downloading Internet Security (27MB) will take a long time.
7. VA has not been localized into DE and FR.
8.
4. The scanning result will be sent to the default gateway. If the network topology uses multiple routers, e.g.
  ADSL-----TMSS router------router2 (default gateway)------PC
the PC will assume that the default gateway is the TMSS router. Hence, the data will not go to the true TMSS router.
5. If the client is in the exception list but the router reboots, the web console will not display this client until it has its first HTTP traffic via the router.
6. Downloading Internet Security (27MB) will take a long time.
TMSS will not send a DQM to query the client status before the DQM time (30 mins) is reached.
13. If port 40116 (UDP) is used by another program, discovery will fail.
14. When the box's client table is full, new clients are not allowed to access the Internet.
15. The redirected page will be blocked by the Google toolbar and XP SP2. The Google toolbar blocks any "pop up" window by default. Windows XP SP2, to be released on 8/04/2004, will also block the pop-up window TMSS 1.0 introduced.
16.
CI Command List

Command Class List Table
● System Related Command
● Exit Command
● Device Related Command
● Ethernet Related Command
● POE Related Command
● PPTP Related Command
● Configuration Related Command
● IP Related Command
● IPSec Related Command
● Firewall Related Command
● Radius Related Command
● Wireless LAN Related Command
● 802.1x Related Command
● Bridge Related Command

To issue the CI commands, you can either use a telnet or console connection, and then go to SMT menu 24.8.
System Related Command

Command                                              Description
sys
  adjtime                                            retrieve date and time from Internet
  callhist display                                   display call history
  callhist remove                                    remove entry from call history
  countrycode [countrycode]                          set country code
  date [year month date]                             set/display date
  domainname                                         display domain name
  edit
  extraphnum                                         maintain extra phone numbers for outcalls
  extraphnum add <1st phone num> [2nd phone num]     add extra phone numbers
  extraphnum display                                 display extra phone numbers
  extraphnum node                                    set al
  hostname [hostname]                                      display system hostname
  logs category access [0:none/1:log/2:alert/3:both]       record the access control logs
  logs category attack [0:none/1:log/2:alert/3:both]       record and alert the firewall attack logs
  logs category display                                    display the category setting
  logs category error [0:none/1:log/2:alert/3:both]        record and alert the system error logs
  logs category ipsec [0:none/1:log/2:alert/3:both]        record the access control logs
  logs category ike [0:none/1:log/2:alert/3:both]          record the access control logs
  logs category javablocked [0:none/1:log]                 record the java etc.
  logs disp                                                display log
  logs clear                                               clear log
  logs error online                                        turn on/off error log online
  logs error display
  logs load                                                load the log setting buffer
  logs mail alertAddr [mail address]                       send alerts to this mail address
  logs mail display                                        display mail setting
  logs mail logAddr [mail address]                         send logs to this mail address
  logs mail schedule display                               display mail schedule
  logs mail schedule hour [0-23]                           hour time to send the logs
  logs mail schedule minute [0-59]                         minute time to send the logs
  logs mail schedule policy [0:full/1:hourly/2:daily/3:weekly/4:none]   mail schedule policy
  logs mail schedule week [0:sun/1:mon/2:t
  syslog server [domainName/IP]                            syslog server to send the logs
  log clear                                                clear log
  log error disp                                           display log error
  log error online [on|off]                                turn on/off error log online
  log resolve display                                      Resolve mail server and syslog server address
  mbuf link link                                           list system mbuf link
  mbuf pool [type]                                         list system mbuf pool
  mbuf status disp                                         display system mbuf status
  mbuf status display                                      display mbuf status
  mbuf cnt disp                                            display system mbuf count
  mbuf cnt clear                                           clear system mbuf count
  debug pwderrtm [on|off] [minute]                         Set or display the password error
  nat                                                      config remote node nat
  nailup                                                   config remote node nailup
  mtu                                                      set remote node mtu
  save [entry no.
  romreset                                                 restore default romfile
  server access                                            set server access type
  server load                                              load server information
  server disp                                              display server information
  server port                                              set server port
  server save                                              save server information
  server secureip                                          set server secure ip addr
  fwnotify load                                            load fwnotify entry from spt
  fwnotify save                                            save fwnotify entry to spt
  fwnotify url                                             set fwnotify url
  fwnotify days                                            set fwnotify days
  fwnotify active                                          turn on/off fwnotif
  cnt                                                      show channel connection related counter
  cnt disp                                                 show the connection trace of this channel
  cnt clear                                                clear the connection trace of this channel
  socket                                                   display system socket information
  filter netbios
  roadrunner debug                                         enable/disable roadrunner service (0: disable, 1: enable)
  roadrunner display                                       display roadrunner information (iface-name: enif0, wanif0)
  roadrunner restart                                       restart roadrunner
  ddns debug                                               enable/disable ddns service
  ddns display
  netbios
  upnp active [0:no/1:yes]                                 Activate or deactivate the saved upnp settings
  upnp config [0:deny/1:permit]                            Allow users to make configuration changes through UPnP
  upnp display                                             display upnp information
  upnp firewall [0:deny/1:pass]                            Allow UPnP to pass through Firewall
  dial                                                     dial to remote node

Ethernet Related Command

Command                                              Description
ether
  config                                             display LAN configuration information
  driver cnt disp                                    display ether driver counters
  driver ioctl                                       Useless in this stage.
  debug disp                                         display ethernet debug information
  debug level                                        set the ethernet debug level (level 0: disable debug log; level 1: enable debug log, the default)
  load
  dial                                               dial a remote node
  drop                                               drop a remote node call
  tunnel                                             display pptp tunnel information

Configuration Related Command

Command                                              Description
config                                               The parameters of config are listed below.
  e-mail mail-server                                 Edit the mail server IP to send the alert
  e-mail return-addr                                 Edit the mail address for returning an email alert
  e-mail e-mail-to                                   Edit the mail address to send the alert
  e-mail policy                                      Edit the email schedule: when the log is full, or per hour, day, week.
  attack
    minute-high <0~255>                              The threshold at which to start deleting the old half-open sessions, down to minute-low
    minute-low <0~255>                               The threshold at which to stop deleting the old half-open sessions
    max-incomplete-high <0~255>                      The threshold at which to start deleting the old half-open sessions, down to max-incomplete-low
    max-incomplete-low <0~255>                       The threshold at which to stop deleting the half-open sessions
    tcp-max-incomplete <0~255>                       The threshold at which to start executing the block field
  set name                                           Edit the name for a set
  set default
    pnc                                              PNC is allowed when 'yes' is set, even if there is a rule to block PNC
    log                                              Switch on/off sending the log for matching the default permit rule
    permit                                           Edit whether a packet is dropped or allowed when it matches this rule
    active                                           Edit whether a rule is enabled or not
    protocol <0~255>                                 Edit the protocol number for a rule. 1=ICMP, 6=TCP, 17=UDP...
    destaddr-range                                   rule.
    tcp destport-single                              Select and edit the destination port of a packet which complies with this rule. For non-consecutive port numbers, the user may repeat this command line to enter multiple port numbers.
    tcp destport-range                               a packet which complies with this rule.
  set rule                                           Insert a specified rule in a set into the firewall configuration
  cli                                                Display the choices of the command list.
  debug <1|0>                                        Turn on|off trace for firewall debug information.
  dns server [secondary] [third]                     set dns server
  dns stats clear                                    clear dns statistics
  dns stats disp                                     display dns statistics
  httpd
  icmp status                                        display icmp statistic counter
  icmp discovery [on|off]                            set icmp router discovery flag
  ifconfig [iface] [ipaddr] [broadcast |mtu |dynamic]   configure network interface
  ping                                               ping remote host
  route status [if]                                  display routing table
  route add [/] []                                   add route
  route addiface [/]
  stroute display [rule # | buf]                     display rule index or detail message in rule
  stroute load                                       load static route rule in buffer
  stroute save                                       save rule from buffer to spt
  stroute config name                                set name for static route
  stroute config destination [/] []                  set static route destination address and gateway
  stroute config mask                                set static route subnet mask
  stroute config gateway                             set static route gateway address
  stroute config metric                              set static route metric number
  reginfo display                                    display urlfilter registration information
  reginfo name                                       set urlfilter registration name
  reginfo eMail                                      set urlfilter registration email addr
  reginfo country                                    set urlfilter registration country
  reginfo clearAll                                   clear urlfilter register information
  category display                                   display urlfilter category
  category webFeature [block/nonblock] [activex/java/cookei/webproxy]   block or unblock webfeature
  category logAndBlock [log/logAndBlock]             set log only or log and block
  category blockCategory [block/nonblock] type [all/type
  listupdate time [pending]                          set time
  listupdate clearAll                                clear all listupdate information
  exemptZone display                                 display exemptzone information
  exemptZone actionFlags [type(1-3)] [enable/disable]   set action flags
  exemptZone add [ip1] [ip2]                         add exempt range
  exemptZone delete [ip1] [ip2]                      delete exempt range
  exemptZone clearAll                                clear exemptzone information
  customize display                                  display customize action flags
  customize logFlags [type(1-3)] [enable/disable]    set log flags
  customize add [string] [trust/untrust/keyword]     add url string
  customize delete [string] [trust/untrust/keyword]  delete url
  tredir failcount                                   set tredir failcount
  tredir partner                                     set tredir partner
  tredir target                                      set tredir target
  tredir timeout                                     set tredir timeout
  tredir checktime                                   set tredir checktime
  tredir active                                      set tredir active
  tredir save                                        save tredir information
  tredir disp                                        display tredir information
  tredir debug                                       set tredir debug value
  nat server disp                                    display nat server table
  nat server load                                    load nat server information from ROM
  nat server save                                    save nat server information to ROM
  nat server clear                                   clear nat server in
  nat server edit remotehost [end ip]                set nat server remote host ip
  nat server edit leasetime [time]                   set nat server lease time
  nat server edit rulename [name]                    set nat server rule name
  nat server edit forwardip [ip]                     set nat server server ip
  nat server edit protocol [protocol id]             set nat server protocol
  nat server edit clear                              clear one rule in the set
  nat irc [on|off]                                   turn on/off irc flag
  nat service
  nat resetport                                      reset all nat server table entries
  nat incikeport [on|off]                            turn on/off increase ike port flag
  igmp debug [level]                                 set igmp debug level
  igmp forwardall [on|of
  igmp robustness                                    set igmp robustness variable
  igmp query                                         send query on iface
  igmp rsptime [time]                                set igmp response time
  igmp start                                         turn on igmp on iface
  igmp stop                                          turn off igmp on iface
  igmp ttl                                           set ttl threshold
  igmp v1compat [on|off]                             turn on/off v1compat on iface
  igmp status                                        dump igmp status
  pr

IPSec Related Command

Command                                              Description
ipsec
  debug <1|0>                                        turn on|off trace for IPsec debug information
  ipsec_log_disp                                     show IPSec log, same as me
  route
  route wan                                          After a packet has been IPSec processed and is about to be sent to the WAN side, this switch controls whether IPSec can be applied to the packet again. Remark: Command available since 3.50(WA.3)
  show_runtime sa                                    display runtime phase 1 and phase 2 SA information
  show_runtime spd                                   When a dynamic rule accepts a request and a tunnel is established, a runtime SPD is created according to the peer's local IP address. This command shows these runtime SPDs.
                                                     - 0 means never timeout
  update_peer <0~255>                                Adjust the auto-timer that updates IPSec rules which use a domain name as the secure gateway IP. The interval is in minutes; the default is 30 minutes; 0 means never update. Remark: Command available since 3.50(WA.3)
  updatePeerIp                                       Force the system to update IPSec rules which use a domain name as the secure gateway IP right away. Remark: Command available since 3.50(WA.3)
  dial                                               Initiate IPSec rule <#> from the ZyWALL box. Remark: Command available since 3.50(WA.
  keep_alive                                         Set ipsec keep_alive flag
  load                                               Load ipsec rule
  save                                               Save ipsec rules
  config netbios active                              Set netbios active flag
  config netbios group                               Set netbios group name
  config name                                        Set rule name
  config keeyAlive                                   Set keep alive or not
  config lcIdType <0:IP | 1:DNS | 2:Email>           Set local ID type
  config lcIdContent                                 Set local ID content
  config myIpAddr                                    Set my IP address
  config peerIdType <0:IP | 1:DNS | 2:Ema
  config lcPortEnd                                   Set local end port
  config rmAddrType <0:single | 1:range | 2:subnet>  Set remote address type
  config rmAddrStart                                 Set remote start address
  config rmAddrEndMask                               Set remote end address or mask
  config rmPortStart                                 Set remote start port
  config rmPortEnd                                   Set remote end port
  config antiReplay                                  Set anti-replay or not
  config keyManage <0:IKE | 1:Manual>                Set key manage
  config ike negotiationMode <0:Main | 1:Aggressive> Set negotiation mode in phase 1 in IKE
  config ike preShareKey                             Set pre shared key in
  ike p2SaLifeTime       Set SA life time in phase 2 in IKE
  ike encap <0:Tunnel | 1:Transport>   set encapsulation in phase 2 in IKE
  ike pfs <0:None | 1:DH1 | 2:DH2>   set PFS in phase 2 in IKE
  manual activeProtocol <0:AH | 1:ESP>   Set active protocol in manual
  manual ah encap <0:Tunnel | 1:Transport>   Set encapsulation in AH in manual
  manual ah spi          Set SPI in AH in manual
  manual ah authAlgo <0:MD5 | 1:SHA1>   Set authentication algorithm in AH in manual
  manual ah authKey      Set authentication key in AH in man
  manual esp
Firewall Related Command
Command                  Description
sys firewall acl disp    Display specific ACL set #, rule #, or all ACLs.
sys firewall active      Activate or deactivate the firewall
sys firewall clear       Clear firewall log
sys firewall cnt disp    Display firewall log type and count.
sys firewall cnt clear   Clear firewall log count.
sys firewall disp        Display firewall log
sys firewall online      Set firewall log online.
sys firewall pktdump     Dump the 64 bytes of a packet dropped by the firewall
sys firewall update      Update firewall dynamic rule
sys firewall tcprst rst  Set TCP reset sending on/off.
sys firewall icmp
sys firewall dos
sys firewall dos smtp    Set SMTP DoS defender on/off
sys firewall dos display Display SMTP DoS defender setting.
Bridge Related Command
Command                  Description
bridge cnt               related to bridge routing statistic table
  disp                   display bridge route counter
  clear                  clear bridge route counter
bridge stat              related to bridge packet statistic table
  disp                   display bridge route packet counter
  clear                  clear bridge route packet counter

Radius Related Command
Command                  Description
radius auth              show current radius authentication server configuration
radius acct              show current radius accounting server configuration

802.
trace user               show all supplicants in the supplicant table
trace user [username]    show the specified user's status in the supplicant table
Prestige 334WT Troubleshooting
● Unable to get the WAN IP from the ISP
● Unable to run applications
● Embedded packet trace
● Debug PPPoE connection
My P-334WT cannot get an IP address from the ISP to connect to the Internet, what can I do?

Currently there are various ways that ISPs control their users: the WAN IP is provided only when the user has been checked as an authorized user. ISPs currently use three ways:
1. Check if the 'MAC address' is valid
2. Check if the 'Host Name' is valid, e.g., @home
3. Check if the 'User ID' is valid, e.g.
Menu 2 - WAN Setup
  Link Mode= Half Duplex
  MAC Address:
    Assigned By= IP address attached on LAN
    IP Address= 192.168.1.33

Key settings:
● Assigned By=   Choose 'IP address attached on LAN'.
● IP Address=    Enter the IP address of the PC which was installed by the ISP at the first installation.

2. Your ISP checks the 'Host Name'
Some ISPs take advantage of the 'host name' message in a DHCP packet, such as @home, to do the authentication.
3. Your ISP checks 'User ID'
This authentication type is used by the RoadRunner ISP; currently they use RR-TAS (Toshiba Authentication Service) and RR-Manager authentication. You must configure the correct 'Service Type', username and password for your ISP in menu 4.

Menu 4 - Internet Access Setup
  ISP's Name= ChangeMe
  Service Type= RR-Toshiba Authentication Service
  Server IP= 0.0.0.
● otherwise, select Static.
● IP Address & Subnet Mask & Gateway IP Address...   Enter the IP address, subnet mask and gateway IP when Static Assignment is selected above.
If any application does not work behind the P-334WT's SUA
1. Currently, the applications supported in SUA mode are listed in the ZyXEL SUA Support Table. Please check all the required settings suggested in the table to configure your P-334WT.
2. If your application is not in the table, or it is in the table but still does not work, please configure the workstation which runs the application as the SUA default server in SMT 15 and try again.
3.
Embedded Packet Trace
The P-334WT packet trace records and analyzes packets running on the LAN and WAN interfaces. It is designed for users with technical backgrounds who are interested in the details of the packet flow on the LAN or WAN end of the P-334WT. It is also very helpful for diagnostics if you have compatibility problems with your ISP, or if you want to know the details of a packet in order to configure a filter rule. The format of the display is as follows:

Packet: 0 11880.160 ENET0-R[0062] TCP 192.168.1.
P324> sys trcp channel enet1 none
P324> sys trcp channel enet0 bothway
P324> sys trcp sw on
P324> sys trcl sw on
P324> sys trcd brief
0 11880.160 ENET0-R[0062] TCP 192.168.1.2:1108->192.31.7.130:80
1 11883.100 ENET0-R[0062] TCP 192.168.1.2:1108->192.31.7.130:80
2 11883.330 ENET0-T[0058] TCP 192.31.7.130:80->192.168.1.2:1108
3 11883.340 ENET0-R[0060] TCP 192.168.1.2:1108->192.31.7.130:80
4 11883.340 ENET0-R[0339] TCP 192.168.1.2:1108->192.31.7.130:80
5 11883.610 ENET0-T[0054] TCP 192.31.7.130:80->192.168.1.
  Destination Port = 0x0050 (80)
  Sequence Number  = 0x00BD15A7 (12391847)
  Ack Number       = 0x00000000 (0)
  Header Length    = 28
  Flags            = 0x02 (....S.)
  Window Size      = 0x2000 (8192)
  Checksum         = 0xBEC3 (48835)
  Urgent Ptr       = 0x0000 (0)
  Options:
    0000: 02 04 05 B4 01 01 04 02
RAW DATA:
  0000: 00 A0 C5 92 13 11 00 80-C8 4C EA 63 08 00 45 00  .........L.c..E.
  0010: 00 30 33 0B 40 00 80 06-3E 71 C0 A8 01 02 C0 1F  .03.@...>q......
  0020: 07 82 04 5C 00 50 00 BD-15 A7 00 00 00 00 70 02  ...\.P........p.
TCP Header:
  Source Port      = 0x0050 (80)
  Destination Port = 0x045C (1116)
  Sequence Number  = 0x4AD1B57F (1255257471)
  Ack Number       = 0x00BD15A8 (12391848)
  Header Length    = 24
  Flags            = 0x12 (.A..S.)
  Window Size      = 0xFAF0 (64240)
  Checksum         = 0xF877 (63607)
  Urgent Ptr       = 0x0000 (0)
  Options:
    0000: 02 04 05 B4
RAW DATA:
  0000: 00 80 C8 4C EA 63 00 A0-C5 92 13 11 08 00 45 00  ...L.c........E.
  0010: 00 2C 57 F3 40 00 ED 06-AC 8C C0 1F 07 82 C0 A8  .,W.@...........
  0020: 01 02 00 50 04 5C 4A D1-B5 7F 00 BD 15 A8 60 12  ...P.
  Source IP        = 0xC0A80102 (192.168.1.2)
  Destination IP   = 0xC01F0782 (192.31.7.130)
TCP Header:
  Source Port      = 0x045C (1116)
  Destination Port = 0x0050 (80)
  Sequence Number  = 0x00BD15A8 (12391848)
  Ack Number       = 0x4AD1B580 (1255257472)
  Header Length    = 20
  Flags            = 0x10 (.A....)
  Window Size      = 0x2238 (8760)
  Checksum         = 0xE8ED (59629)
  Urgent Ptr       = 0x0000 (0)
TCP Data: (Length=6, Captured=6)
  0000: 20 20 20 20 20 20
RAW DATA:
  0000: 00 A0 c..E.
  0010: 00 28
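As an added example (not ZyXEL's code), a Python decoder for packet 0 of the LAN trace above: it reassembles the frame from the RAW DATA lines, reproduces the fields that 'sys trcp parse' prints (including the '.A..S.' style flag rendering), and verifies the IP and TCP checksums so a corrupted or hand-edited dump is caught. The last 14 bytes of the frame are cut off in the dump on this page and are reconstructed from the printed field values; that is an assumption, and the checksum check is what confirms it.

```python
import struct
from ipaddress import IPv4Address

# Packet 0 of the LAN-side trace, from its RAW DATA lines. The dump on the
# page stops at offset 0x2F; the final 14 bytes (window, checksum, urgent
# pointer, options) are reconstructed here from the fields the parse prints.
FRAME_HEX = (
    "00 A0 C5 92 13 11 00 80 C8 4C EA 63 08 00 45 00 "
    "00 30 33 0B 40 00 80 06 3E 71 C0 A8 01 02 C0 1F "
    "07 82 04 5C 00 50 00 BD 15 A7 00 00 00 00 70 02 "
    "20 00 BE C3 00 00 02 04 05 B4 01 01 04 02"
)

def flag_string(flags):
    """Render TCP flags the way the trace prints them, e.g. 0x12 -> '.A..S.'."""
    return "".join(ch if flags & (1 << (5 - i)) else "."
                   for i, ch in enumerate("UAPRSF"))

def rfc1071_checksum(data):
    """One's-complement checksum; 0 means a header's own checksum verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode_frame(hex_dump):
    """Ethernet/IPv4/TCP decode of one frame in the trace's own field terms."""
    raw = bytes.fromhex(hex_dump)
    ip = raw[14:]                                  # skip the Ethernet header
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    src, dst = IPv4Address(ip[12:16]), IPv4Address(ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
    hdr_len = (tcp[12] >> 4) * 4
    win, _csum, urg = struct.unpack("!HHH", tcp[14:20])
    # TCP checksum covers a pseudo header: src, dst, zero, proto 6, length.
    pseudo = src.packed + dst.packed + struct.pack("!BBH", 0, 6, len(tcp))
    return {
        "src": "%s:%d" % (src, sport), "dst": "%s:%d" % (dst, dport),
        "seq": seq, "ack": ack, "hdr_len": hdr_len,
        "flags": flag_string(tcp[13]), "window": win, "urgent": urg,
        "options": tcp[20:hdr_len].hex(" ").upper(),
        "ip_checksum_ok": rfc1071_checksum(ip[:ihl]) == 0,
        "tcp_checksum_ok": rfc1071_checksum(pseudo + tcp) == 0,
    }

if __name__ == "__main__":
    for field, value in decode_frame(FRAME_HEX).items():
        print("%-16s %s" % (field, value))
```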
P324> sys trcp channel enet0 none
P324> sys trcp channel enet1 bothway
P324> sys trcp sw on
P324> sys trcl sw on
P324> sys trcd brief
0 12367.680 ENET1-R[0070] UDP 202.132.155.95:520>202.132.155.255:520
1 12370.980 ENET1-T[0062] TCP 202.132.155.97:10261->192.31.7.130:80
2 12373.940 ENET1-T[0062] TCP 202.132.155.97:10261->192.31.7.130:80
3 12374.930 ENET1-R[0064] TCP 192.31.7.130:80->202.132.155.97:10261
4 12374.940 ENET1-T[0054] TCP 202.132.155.97:10261->192.31.7.130:80
5 12374.940 ENET1-T[0438] TCP 202.
  Sequence Number  = 0xD3E95985 (3555285381)
  Ack Number       = 0x00C18F63 (12685155)
  Header Length    = 20
  Flags            = 0x19 (.AP..F)
  Window Size      = 0xFAF0 (64240)
  Checksum         = 0x3735 (14133)
  Urgent Ptr       = 0x0000 (0)
TCP Data: (Length=1127, Captured=42)
  0000: DF 33 AF 62 58 37 52 3D-79 99 A5 3C 2B 59 E2 78  .3.bX7R=y..<+Y.x
  0010: A7 98 8F 3F A9 09 E4 0F-26 14 9C 58 3E 95 3E E7  ...?....&..X>.>.
  0020: FC 2A 4C 2F FB BE 2F FE-EF D0                    .*L/../...
RAW DATA:
  0000: 00 A0 C5 92 13 12 00 A0-C5 01 23 45 08 00 45 00  ..........#E..E.
  Identification   = 0x7A0C (31244)
  Flags            = 0x02
  Fragment Offset  = 0x00
  Time to Live     = 0x7F (127)
  Protocol         = 0x06 (TCP)
  Header Checksum  = 0x543C (21564)
  Source IP        = 0xCA849B61 (202.132.155.97)
  Destination IP   = 0xC01F0782 (192.31.7.130)
TCP Header:
  Source Port      = 0x281E (10270)
  Destination Port = 0x0050 (80)
  Sequence Number  = 0x00C18F63 (12685155)
  Ack Number       = 0xD3E95DE9 (3555286505)
  Header Length    = 20
  Flags            = 0x10 (.A....
  Window Size      =
  Checksum         =
  Urgent Ptr       =
  Identification   = 0x7B0C (31500)
  Flags            = 0x02
  Fragment Offset  = 0x00
  Time to Live     = 0x7F (127)
  Protocol         = 0x06 (TCP)
  Header Checksum  = 0x533C (21308)
  Source IP        = 0xCA849B61 (202.132.155.97)
  Destination IP   = 0xC01F0782 (192.31.7.
TCP Header:
  Source Port      =
  Destination Port =
  Sequence Number  =
  Ack Number       =
  Header Length    =
  Flags            =
  Window Size      =
  Checksum         =
  Urgent Ptr       =
RAW DATA:
  0000: 00 A0 #E........E.
  0010: 00 28 a..
  0020: 07 82 c..].P.
  0030: 1D D5
P324>
1.5 Disable the trace log by entering: sys trcp sw off & sys trcl sw off
1.6 Display the trace briefly by entering: sys trcp brief
1.7 Display specific packets by using: sys trcp parse

Example:
P324> sys trcp channel enet1 none
P324> sys trcp channel enet0 bothway
P324> sys trcp sw on
P324> sys trcl sw on
P324> sys trcp sw off
P324> sys trcl sw off
P324> sys trcp brief
0 10855.790 ENET0-T[0141] TCP 192.31.7.130:80->192.168.1.2:1102
1 10855.800 ENET0-R[0060] TCP 192.168.1.
  Source IP        = 0xC01F0782 (192.31.7.130)
  Destination IP   = 0xC0A80102 (192.168.1.2)
TCP Header:
  Source Port      = 0x0050 (80)
  Destination Port = 0x044F (1103)
  Sequence Number  = 0xD91B1826 (3642431526)
  Ack Number       = 0x00AA405F (11157599)
  Header Length    = 24
  Flags            = 0x12 (.A..S.
  Window Size      =
  Checksum         =
  Urgent Ptr       =
  Options:
    0000: 02 04 05 B4
RAW DATA:
  0000: 00 80 c........E.
  0010: 00 2C @....}......
  0020: 01 02 @_`.
  0030: FA F0
P324>
P324> sys trcp channel enet0 none
P324> sys trcp channel enet1 bothway
P324> sys trcl sw on
P324> sys trcp sw on
P324> sys trcl sw off
P324> sys trcp sw off
P324> sys trcp brief
0 12864.800 ENET1-T[0411] TCP 202.132.155.97:10278>204.217.0.2:80
1 12864.890 ENET1-R[0247] TCP 204.217.0.2:80>202.132.155.97:10282
2 12864.900 ENET1-T[0416] TCP 202.132.155.97:10282>204.217.0.2:80
3 12865.120 ENET1-R[0247] TCP 204.217.0.2:80>202.132.155.97:10278
4 12865.130 ENET1-T[0411] TCP 202.132.155.97:10278>204.217.0.
TCP Header:
  Source Port      = 0x0050 (80)
  Destination Port = 0x2826 (10278)
  Sequence Number  = 0x4D713D8A (1299266954)
  Ack Number       = 0x00C8C015 (13156373)
  Header Length    = 20
  Flags            = 0x18 (.AP...)
  Window Size      = 0x2238 (8760)
  Checksum         = 0xAB57 (43863)
  Urgent Ptr       = 0x0000 (0)
TCP Data: (Length=193, Captured=42)
  0000: 48 54 54 50 2F 31 2E 31-20 33 30 34 20 4E 6F 74  HTTP/1.1 304 Not
  0010: 20 4D 6F 64 69 66 69 65-64 0D 0A 44 61 74 65 3A   Modified..Date:
  0020: 20 57 65 64 2C 20 30 37-20 4A
IP Version         = 4
  Header Length    = 20
  Type of Service  = 0x00 (0)
  Total Length     = 0x018D (397)
  Identification   = 0xF20C (61964)
  Flags            = 0x02
  Fragment Offset  = 0x00
  Time to Live     = 0x7F (127)
  Protocol         = 0x06 (TCP)
  Header Checksum  = 0xD59C (54684)
  Source IP        = 0xCA849B61 (202.132.155.97)
  Destination IP   = 0xCCD90002 (204.217.0.
TCP Header:
  Source Port      =
  Destination Port =
  Sequence Number  =
  Ack Number       =
  Header Length    =
  Flags            =
  Window Size      =
  Checksum         =
  Urgent Ptr       =
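As an added example (not part of the ZyXEL notes), a small Python parser for the 'sys trcp brief' lines shown in steps 1.6 and the traces above. It turns each line into a record, totals packets and bytes per interface and direction, and flags frames received on the WAN port whose source address lies inside the LAN subnet, which is the case the anti-spoofing input filter in this document's firewall FAQ is meant to drop. The LAN subnet, the enet1-is-WAN mapping and the last sample line are assumptions taken from the traces on this page.

```python
import re
from ipaddress import ip_address, ip_network

# Lines in the 'sys trcp brief' format. The first five are copied from the
# LAN and WAN traces above; the last one is constructed: a frame arriving on
# the WAN port whose source address claims to be inside the LAN subnet.
BRIEF_LINES = """\
0 11880.160 ENET0-R[0062] TCP 192.168.1.2:1108->192.31.7.130:80
2 11883.330 ENET0-T[0058] TCP 192.31.7.130:80->192.168.1.2:1108
0 12367.680 ENET1-R[0070] UDP 202.132.155.95:520>202.132.155.255:520
1 12370.980 ENET1-T[0062] TCP 202.132.155.97:10261->192.31.7.130:80
3 12374.930 ENET1-R[0064] TCP 192.31.7.130:80->202.132.155.97:10261
6 12380.000 ENET1-R[0060] TCP 192.168.1.50:4444->192.168.1.1:23
""".splitlines()

LAN_NET = ip_network("192.168.1.0/24")  # LAN subnet used in the traces (assumed)
WAN_IF = "ENET1"                         # enet1 carries the WAN addresses above

# The trace prints the arrow as '->' or as a bare '>', so accept either.
LINE_RE = re.compile(
    r"^(?P<idx>\d+)\s+(?P<ts>[\d.]+)\s+(?P<iface>ENET\d)-(?P<dir>[RT])"
    r"\[(?P<size>\d+)\]\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)-?>(?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse_brief(line):
    """One brief line -> dict, or None for a prompt, command echo or junk."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("idx", "size", "sport", "dport"):
        rec[key] = int(rec[key])
    rec["ts"] = float(rec["ts"])
    return rec

def summarize(lines):
    """Return ({'ENET0-R': (packets, bytes), ...}, [indices of spoofed frames])."""
    totals, spoofed = {}, []
    for line in lines:
        rec = parse_brief(line)
        if rec is None:
            continue
        key = "%s-%s" % (rec["iface"], rec["dir"])
        pkts, octets = totals.get(key, (0, 0))
        totals[key] = (pkts + 1, octets + rec["size"])
        # Received on the WAN side but claiming a LAN source: spoofed.
        if (rec["iface"] == WAN_IF and rec["dir"] == "R"
                and ip_address(rec["src"]) in LAN_NET):
            spoofed.append(rec["idx"])
    return totals, spoofed
```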
Debug PPPoE Connection
The P-334WT supports traces for when there is a problem connecting to your ISP using the PPPoE protocol. Please follow the procedure below to collect the trace for our troubleshooting.
1. Remove the LAN cable attached to the P-334WT
2. Enter SMT using the console port
3. Enter Menu 24.
4.
bdcastSendInit: l1.pktTx() failed, pch poe0 ch enet0
poePut1SrvcName: '' len 0
host-uniq 31303030 len 4
putPoeHdr: ver 1 type 1 code x09 sess-id 0 len 12(x000C)
### Hit any key to continue.###
$$$ DIALING dev=6 ch=0..........
Enter Debug Mode
atgo
Bootbase Version: V1.12 | 1/27/2000 11:00:09
RAM: Size = 4096 Kbytes
FLASH: Intel 8M
RAS Version: V3.20(M.01)b2 | 8/18/2000 14:05:08
Press any key to enter debug mode within 3 seconds.
............................................................
initialize ch =0, ethernet address: 00:a0:c5:e1:ee:d8
initialize ch =1, ethernet address: 00:a0:c5:e1:ee:d9
Press ENTER to continue...