Prestige 792H G.SHDSL Router with four-port switch User's Guide Version 3.
Copyright
Copyright © 2003 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation.
Federal Communications Commission (FCC) Interference Statement
This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:
• This device may not cause harmful interference.
• This device must accept any interference received, including interference that may cause undesired operations.
This equipment has been tested and found to comply with the limits for a Class B digital device pursuant to Part 15 of the FCC Rules.
Information for Canadian Users
The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective, operation, and safety requirements. The Industry Canada does not guarantee that the equipment will operate to a user's satisfaction. Before installing this equipment, users should ensure that it is permissible to be connected to the facilities of the local telecommunications company.
ZyXEL Limited Warranty
ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase.
Customer Support
Please have the following information ready when you contact customer support.
• Product model and serial number.
• Warranty Information.
• Date that you received your device.
• Brief description of the problem and the steps you took to solve it.
LOCATION | E-MAIL SUPPORT/SALES | TELEPHONE/FAX | WEB SITE/FTP SITE | REGULAR MAIL
WORLDWIDE | support@zyxel.com.tw | +886-3-578-3942 | www.zyxel.com www.europe.zyxel.
Preface
Congratulations on your purchase of the Prestige 792H G.SHDSL Router. Use the web configurator, System Management Terminal (SMT) or command interpreter interface to configure your Prestige. Not all features can be configured through all interfaces. Please visit our web site at www.zyxel.com for the latest release notes and product information. Don’t forget to register your Prestige (fast, easy online registration at www.zyxel.
• The Prestige 792H may be referred to as the Prestige in this user’s guide.
• Images of Prestige 792H are used throughout this document unless otherwise specified.
The following section offers some background information on DSL. Skip to Chapter 1 if you wish to begin working with your router right away.
Introduction to DSL
DSL (Digital Subscriber Line) technology enhances the data capacity of the existing twisted-pair wire that runs between the local telephone company switching offices and most homes and offices.
Part I: GETTING STARTED
This part covers Getting to Know Your Prestige, Hardware Installation, Initial Setup, WAN, LAN and Internet Access.
Chapter 1
Getting to Know Your G.SHDSL Router
This chapter covers the key features and main applications of your Prestige. The Prestige 792H is a high-performance G.SHDSL router with a four-port switch for Internet/LAN access via a telephone line. Your Prestige supports multi-protocol routing for TCP/IP, as well as transparent bridging for other protocols. The Prestige supports symmetrical multi-rate data transmission speeds from 72Kbps up to 2312Kbps.
SUPPORTED TRANSMISSION SPEEDS | Min (Kbps) | Max (Kbps)
SDSL | 72 | 136
G.SHDSL (G.991.2) | 200 | 2312
IPSec VPN Capability
Establish a Virtual Private Network (VPN) to connect with business partners and branch offices using data encryption and the Internet to provide secure communications without the expense of leased site-to-site lines. The Prestige’s VPN is based on the IPSec standard and is fully interoperable with other IPSec-based VPN products.
IP Alias
IP Alias allows you to partition a physical network into logical networks over the same Ethernet interface. The Prestige supports three logical LAN interfaces via its single physical Ethernet interface with the Prestige itself as the gateway for each LAN network.
IP Policy Routing
IP Policy Routing provides a mechanism to override the default routing behavior and alter packet forwarding based on the policies defined by the network administrator.
IRC, ICQ, RealAudio, VDOLive, Quake and PPTP. No extra configuration is needed to support these applications. SUA address mapping can also be used for other LAN-to-LAN connections.
Universal Plug and Play (UPnP)
Using the standard TCP/IP protocol, the Prestige and other UPnP enabled devices can dynamically join a network, obtain an IP address and convey its capabilities to other devices on the network.
1.2 Application Scenarios for the Prestige
This section provides examples on how your Prestige can be used.
1.2.1 Internet Access
Figure 1-1 Internet Access Application
Your Prestige can act as either of the following:
• A bridge for multi-computer/MAC bridging (RFC-1483, bridged Ethernet/802.3).
1.2.2 LAN-to-LAN Application
You can use the Prestige to connect two geographically dispersed networks over the DSL line. A typical LAN-to-LAN application is shown next.
Chapter 2
Introducing the Web Configurator
This chapter describes how to access and navigate the web configurator.
2.1 Web Configurator Overview
The embedded web configurator (ewc) allows you to manage the Prestige from anywhere through a browser such as Microsoft Internet Explorer or Netscape Navigator. Use Internet Explorer 6.0 and later or Netscape Navigator 7.0 and later versions with JavaScript enabled.
Figure 2-1 Password Screen
Step 6. You should now see the Site Map screen.
The Prestige automatically times out after five minutes of inactivity. Simply log back into the Prestige if this happens to you.
2.3 Navigating the Prestige Web Configurator
The following summarizes how to navigate the web configurator from the Site Map screen. Select a language from the Language drop-down list box.
Figure 2-2 Web Configurator SITE MAP Screen (callouts: Wizard Setup, Navigation panel, Logout)
Click the HELP icon (located in the top right corner of most screens) to view embedded help.
2.4 Configuring Password
It is highly recommended that you change the password for accessing the Prestige. To change your Prestige’s password, click Advanced Setup and then Password. The screen appears as shown.
Figure 2-3 Password
The following table describes the labels in this screen.
Table 2-1 Password
LABEL | DESCRIPTION
Old Password | Type the default password or the existing password you use to access the system in this field.
New Password | Type the new password in this field.
Retype to Confirm | Type the new password again in this field.
Apply | Click Apply to save your changes back to the Prestige.
Cancel | Click Cancel to begin configuring this screen afresh.
2.
of 9600bps with 8 data bits, no parity, one stop bit and flow control set to none. The password will also be reset to “1234”.
2.5.1 Using The Reset Button
Step 1. Make sure the SYS LED is on (not blinking).
Step 2. Press the RESET button for five seconds, and then release it. When the SYS LED begins to blink, the defaults have been restored and the Prestige restarts.
2.5.2 Uploading a Configuration File Via Console Port
Step 1.
Chapter 3
Wizard Setup
This chapter provides information on the Wizard Setup screens in the web configurator.
3.1 Wizard Setup Introduction
Use the Wizard Setup screens to configure your system for Internet access settings and fill in the fields with the information in the Internet Account Information table of the Quick Start Guide or Read Me First. Your ISP may have already configured some of the fields in the wizard screens for you.
3.
3.2.3 Transfer Rates
The Prestige supports the following symmetrical multi-rate data transmission speeds: 72, 136, 200, 264, 392, 520, 776, 1032, 1160, 1544, 1736, 2056 and 2312Kbps. You can increase the capacity of the Internet connection (within certain limitations) without changing your ISP or buying new equipment. For back-to-back applications make sure that your Prestige and its peer have the same Transfer Max Rate and the same Transfer Min Rate.
ATM PVC (Permanent Virtual Circuit) which connects to ADSL Access Concentrator where the PPP session terminates. One PVC can support any number of PPP sessions from your LAN. For more information on PPPoE, see the appendix.
3.3.3 PPPoA
PPPoA stands for Point to Point Protocol over ATM Adaptation Layer 5 (AAL5). It provides access control and billing functionality in a manner similar to dial-up services using PPP.
is not practical to have a separate VC for each carried protocol, for example, if charging heavily depends on the number of simultaneous VCs.
3.5 VPI and VCI
Be sure to use the correct Virtual Path Identifier (VPI) and Virtual Channel Identifier (VCI) numbers assigned to you. The valid range for the VPI is 0 to 255 and for the VCI is 32 to 65535 (0 to 31 is reserved for local management of ATM traffic). Please see the appendix for more information.
3.
Table 3-1 Wizard Screen: WAN Setup
LABEL | DESCRIPTION
Service Type | Select Client if your Prestige will act as a client device or Server if your Prestige will act as a server (see Service Type).
Transfer Rate
Rate Adaption | If you enable Rate Adaption, the Prestige connects at the optimal transfer rate between the min and max rates below. If you disable Rate Adaption, the Prestige attempts to connect at the maximum transfer rate configured.
Figure 3-2 Wizard Screen: Internet Access
The following table describes the labels in this screen.
Table 3-2 Wizard Screen: Internet Access
LABEL | DESCRIPTION
Mode | From the Mode drop-down list box, select Routing (default) if your ISP allows multiple computers to share an Internet account. Otherwise select Bridge.
Encapsulation | Select the encapsulation type your ISP uses from the Encapsulation drop-down list box. Choices vary depending on what you select in the Mode field.
Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask. If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established.
3.8.2 IP Assignment with RFC 1483 Encapsulation
In this case the IP Address Assignment must be static with the same requirements for the IP Address and ENET ENCAP Gateway fields as stated above.
3.8.3 IP Assignment with ENET ENCAP Encapsulation
In this case you can have either a static or dynamic IP. For a static IP you must fill in all the IP Address and ENET ENCAP Gateway fields as supplied by your ISP.
Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Address Space.
3.9 Nailed-Up Connection (PPP)
A nailed-up connection is a dial-up line where the connection is always up regardless of traffic demand.
Figure 3-3 Internet Connection with PPPoA
The following table describes the labels in this screen.
Table 3-3 Internet Connection with PPPoA
LABEL | DESCRIPTION
User Name | Enter the user name exactly as your ISP assigned. If assigned a name in the form user@domain where domain identifies a service name, then enter both components exactly as given.
Password | Enter the password associated with the user name above.
Table 3-3 Internet Connection with PPPoA
LABEL | DESCRIPTION
IP Address | This option is available if you select Routing in the Mode field. A static IP address is a fixed IP that your ISP gives you. A dynamic IP address is not fixed; the ISP assigns you a different one each time you connect to the Internet. The Single User Account feature can be used with either a dynamic or static IP address.
3.11.2 RFC 1483
Select RFC 1483 from the Encapsulation drop-down list box in the first wizard screen to display the screen as shown.
Figure 3-4 Internet Connection with RFC 1483
The following table describes the labels in this screen.
Table 3-4 Internet Connection with RFC 1483
LABEL | DESCRIPTION
IP Address | This field is available if you select Routing in the Mode field. Type your ISP assigned IP address in this field.
Figure 3-5 Internet Connection with ENET ENCAP
The following table describes the labels in this screen.
Table 3-5 Internet Connection with ENET ENCAP
LABEL | DESCRIPTION
IP Address | A static IP address is a fixed IP that your ISP gives you. A dynamic IP address is not fixed; the ISP assigns you a different one each time you connect to the Internet. The Single User Account feature can be used with either a dynamic or static IP address.
Table 3-5 Internet Connection with ENET ENCAP
LABEL | DESCRIPTION
Network Address Translation | Select None, SUA Only or Full Feature from the drop-down list box. Refer to the NAT chapter for more details.
Back | Click Back to go back to the first wizard screen.
Next | Click Next to continue to the next wizard screen.
3.11.4 PPPoE
Select PPPoE from the Encapsulation drop-down list box in the first wizard screen to display the screen as shown.
Table 3-6 Internet Connection with PPPoE
LABEL | DESCRIPTION
Service Name | Type the name of your PPPoE service here.
User Name | Configure User Name and Password fields for PPPoA and PPPoE encapsulation only. Enter the user name exactly as your ISP assigned. If assigned a name in the form user@domain where domain identifies a service name, then enter both components exactly as given.
Password | Enter the password associated with the user name above.
disable it. When configured as a server, the Prestige provides the TCP/IP configuration for the clients. If you turn DHCP service off, you must have another DHCP server on your LAN, or else the computer must be manually configured.
3.12.1 IP Pool Setup
The Prestige is pre-configured with a pool of 32 IP addresses starting from 192.168.1.33 to 192.168.1.64 for the client machines. This leaves 31 IP addresses, 192.168.1.2 to 192.168.1.
Figure 3-7 Wizard Screen: LAN Configuration
If you want to change your Prestige LAN settings, click Change LAN Configuration to display the screen as shown next.
Figure 3-8 Wizard: LAN Configuration
The following table describes the labels in this screen.
Table 3-7 Wizard: LAN Configuration
LABEL | DESCRIPTION
LAN IP Address | Enter the IP address of your Prestige in dotted decimal notation, for example, 192.168.1.1 (factory default).
Table 3-7 Wizard: LAN Configuration
LABEL | DESCRIPTION
DHCP Server | From the DHCP Server drop-down list box, select On to allow your Prestige to assign IP addresses, an IP default gateway and DNS servers to computer systems that support the DHCP client. Select Off to disable DHCP server. When DHCP server is used, set the following items:
Client IP Pool Starting | This field specifies the first of the contiguous addresses in the IP address pool.
Figure 3-9 Wizard Screen: Connection Tests
3.15 Test Your Internet Connection
Launch your web browser and navigate to www.zyxel.com. Internet access is just the beginning. Refer to the rest of this User’s Guide for more detailed information on the complete range of Prestige features. If you cannot access the Internet, open the web configurator again to confirm that the Internet settings you configured in the Wizard Setup are correct.
Chapter 4
LAN Setup
This chapter describes how to configure LAN settings.
4.1 LAN Overview
A Local Area Network (LAN) is a shared communication system to which many computers are attached. A LAN is a computer network limited to the immediate area, usually the same building or floor of a building. The LAN screens can help you configure a LAN DHCP server and manage IP addresses.
4.1.
before you can access it. The DNS server addresses that you enter in the DHCP setup are passed to the client machines along with the assigned IP address and subnet mask. There are two ways that an ISP disseminates the DNS server addresses. The first is for an ISP to tell a customer the DNS server addresses, usually in the form of an information sheet, when s/he signs up.
4.4.1 Factory LAN Defaults
The LAN parameters of the Prestige are preset in the factory with the following values:
• IP address of 192.168.1.1 with subnet mask of 255.255.255.0 (24 bits)
• DHCP server enabled with 32 client IP addresses starting from 192.168.1.33.
These parameters should work for the majority of installations. If your ISP gives you explicit DNS server address(es), read the embedded web configurator help regarding what fields need to be configured.
4.4.
RFC 2236. The class D IP address is used to identify host groups and can be in the range 224.0.0.0 to 239.255.255.255. The address 224.0.0.0 is not assigned to any group and is used by IP multicast computers. The address 224.0.0.1 is used for query messages and is assigned to the permanent group of all IP hosts (including gateways). All hosts must join the 224.0.0.1 group in order to participate in IGMP. The address 224.0.0.2 is assigned to the multicast routers group.
The following table describes the labels in this screen.
Table 4-1 LAN
LABEL | DESCRIPTION
DHCP
DHCP | If set to Server, your Prestige can assign IP addresses, an IP default gateway and DNS servers to Windows 95, Windows NT and other systems that support the DHCP client. If set to None, the DHCP server will be disabled. If set to Relay, the Prestige acts as a surrogate DHCP server and relays DHCP requests and responses between the remote server and the clients.
Table 4-1 LAN
LABEL | DESCRIPTION
Apply | Click this button to save these settings back to the Prestige.
Cancel | Click this button to reset the fields in this screen.
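The ranges and defaults stated in Chapters 3 and 4 (VPI/VCI limits, the supported transfer rates, the back-to-back rate requirement and the DHCP client pool) can be checked before a configuration is applied. The following Python example is added here and is not ZyXEL code; the plan dictionary layout, the function names and the sample VPI/VCI pair are assumptions made for illustration.

```python
import ipaddress

# Symmetrical rates the guide lists in section 3.2.3 (Kbps).
SUPPORTED_RATES_KBPS = (72, 136, 200, 264, 392, 520, 776,
                        1032, 1160, 1544, 1736, 2056, 2312)


def dhcp_pool(lan_ip, netmask, pool_start, pool_size):
    """Return (network, first, last) for a DHCP client pool."""
    network = ipaddress.ip_interface(f"{lan_ip}/{netmask}").network
    first = ipaddress.ip_address(pool_start)
    last = first + (pool_size - 1)
    return network, first, last


def check_plan(plan):
    """Return a list of problems in a planned configuration (empty means OK)."""
    problems = []
    # Section 3.5: VPI 0-255, VCI 32-65535 (0-31 reserved for ATM management).
    if not 0 <= plan["vpi"] <= 255:
        problems.append(f"VPI {plan['vpi']} is outside 0-255")
    if not 32 <= plan["vci"] <= 65535:
        problems.append(f"VCI {plan['vci']} is outside 32-65535")
    for key in ("min_rate", "max_rate"):
        if plan[key] not in SUPPORTED_RATES_KBPS:
            problems.append(f"{key} {plan[key]} Kbps is not a supported rate")
    if plan["min_rate"] > plan["max_rate"]:
        problems.append("min_rate is higher than max_rate")
    if plan["pool_size"] < 1:
        problems.append("DHCP pool size must be at least 1")
        return problems
    network, first, last = dhcp_pool(plan["lan_ip"], plan["netmask"],
                                     plan["pool_start"], plan["pool_size"])
    # The whole pool must consist of usable host addresses on the LAN subnet.
    if not (network.network_address < first
            and last < network.broadcast_address):
        problems.append(f"DHCP pool {first}-{last} does not fit inside {network}")
    # The router's own LAN address must not be handed out to a client.
    if first <= ipaddress.ip_address(plan["lan_ip"]) <= last:
        problems.append("DHCP pool contains the router's LAN address")
    return problems


def rate_mismatches(local, peer):
    """Back-to-back links need identical min and max transfer rates."""
    return [key for key in ("min_rate", "max_rate") if local[key] != peer[key]]


# Constructed sample plans. The LAN values are the factory defaults from the
# guide; the VPI/VCI pair is a made-up placeholder, not an ISP assignment.
FACTORY_PLAN = {
    "vpi": 8, "vci": 35,
    "min_rate": 72, "max_rate": 2312,
    "lan_ip": "192.168.1.1", "netmask": "255.255.255.0",
    "pool_start": "192.168.1.33", "pool_size": 32,
}
# Reserved VCI, unsupported rate, and a pool that runs past the /24 subnet.
BAD_PLAN = dict(FACTORY_PLAN, vci=16, max_rate=2048,
                pool_start="192.168.1.240")

if __name__ == "__main__":
    for name, plan in (("factory", FACTORY_PLAN), ("bad", BAD_PLAN)):
        print(name, check_plan(plan) or "OK")
    peer = dict(FACTORY_PLAN, max_rate=2056)
    print("back-to-back mismatches:", rate_mismatches(FACTORY_PLAN, peer))
```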
Chapter 5
WAN Setup
This chapter describes how to configure WAN settings.
5.1 WAN Overview
A WAN (Wide Area Network) is an outside connection to another network or the Internet. See the Wizard Setup chapter for more information on the fields in the WAN screens.
5.2 Metric
The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost".
If you want the dial-backup route to take first priority over the traffic-redirect route or even the normal route, all you need to do is set the dial-backup route’s metric to "1" and the others to "2" (or greater). IP Policy Routing overrides the default routing behavior and takes priority over all of the routes mentioned above (see the IP Policy Routing chapter).
5.3 PPPoE Encapsulation
The Prestige supports PPPoE (Point-to-Point Protocol over Ethernet).
5.4 Traffic Shaping
Traffic Shaping is an agreement between the carrier and the subscriber to regulate the average rate and fluctuations of data transmission over an ATM network. This agreement helps eliminate congestion, which is important for transmission of real time data such as audio and video connections. Peak Cell Rate (PCR) is the maximum rate at which the sender can send cells. This parameter may be lower (but not higher) than the maximum line speed.
Figure 5-1 Example of Traffic Shaping

5.5 Configuring WAN Setup
To change your Prestige’s WAN remote node settings, click WAN, WAN Setup. The screen differs depending on the encapsulation.
Figure 5-2 WAN Setup
The following table describes the labels in this screen.
Table 5-1 WAN Setup
LABEL | DESCRIPTION
Name | Enter the name of your Internet Service Provider, e.g., MyISP. This information is for identification purposes only.
Mode | Select Routing (default) from the drop-down list box if your ISP allows multiple computers to share an Internet account. Otherwise select Bridge.
Encapsulation | Select the method of encapsulation used by your ISP from the drop-down list box. Choices vary depending on the mode you select in the Mode field.
Maximum Burst Size | Maximum Burst Size (MBS) refers to the maximum number of cells that can be sent at the peak rate. Type the MBS, which is less than 65535.
Login Information (PPPoA and PPPoE encapsulation only)
Service Name | (PPPoE only) Type the name of your PPPoE service here.
User Name | Enter the user name exactly as your ISP assigned.
Subnet Mask | (ENET ENCAP encapsulation only) Enter a subnet mask in dotted decimal notation.
ENET ENCAP Gateway | (ENET ENCAP encapsulation only) You must specify a gateway IP address (supplied by your ISP) when you select ENET ENCAP in the Encapsulation field.
Back | Click Back to return to the previous screen.
Apply | Click Apply to save the changes.
Cancel | Click Cancel to begin configuring this screen afresh.

5.
The following network topology allows you to avoid triangle route security issues when the backup gateway is connected to the LAN or DMZ. Use IP alias to configure the LAN into two or three logical networks with the Prestige itself as the gateway for each LAN network. Put the protected LAN in one subnet (Subnet 1 in the following figure) and the backup gateway in another subnet (Subnet 2).
To change your Prestige’s WAN backup settings, click WAN, then WAN Backup. The screen appears as shown.

Figure 5-5 WAN Backup
The following table describes the fields in this screen.
Table 5-2 WAN Backup
LABEL | DESCRIPTION
Backup Type | Select the method that the Prestige uses to check the DSL connection. Select DSL Link to have the Prestige check the DSL connection’s physical layer. Select ICMP to have the Prestige periodically ping the IP addresses configured in the Check WAN IP Address fields.
Check WAN IP Address1-3 | Configure this field to test your Prestige's WAN accessibility.
Backup Gateway | Type the IP address of your backup gateway in dotted decimal notation. The Prestige automatically forwards traffic to this IP address if the Prestige's Internet connection terminates.
Dial Backup
Active | Select this check box to turn on dial backup.
Metric | This field sets this route's priority among the three routes the Prestige uses (normal, traffic redirect and dial backup).
peer disconnects right after a successful authentication, make sure that you specify the correct authentication protocol when connecting to such an implementation.

5.9 Configuring Advanced WAN Backup
To edit your Prestige’s advanced WAN backup settings, click WAN, WAN Backup and then the Advanced Setup button. The screen appears as shown.
The following table describes the fields in this screen.

Table 5-3 Advanced WAN Backup
LABEL | DESCRIPTION
Basic
Login Name | Type the login name assigned by your ISP.
Password | Type the password assigned by your ISP.
Retype to Confirm | Type your password again to make sure that you have entered it correctly.
Authentication Type | Use the drop-down list box to select an authentication protocol for outgoing calls.
Enable SUA | Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network to a different IP address known within another network. SUA (Single User Account) is a subset of NAT that supports two types of mapping: Many-to-One and Server. When you select this option the Prestige will use Address Mapping Set 255 in the SMT (see the section on menu 15.1 for more information).
PPP Options
Encapsulation | Select CISCO PPP from the drop-down list box if your backup WAN device uses Cisco PPP encapsulation; otherwise select Standard PPP.
Compression | Select this check box to enable stac compression.
Connection
Nailed-Up Connection | Select Nailed-Up Connection when you want your connection up all the time. The Prestige will try to bring up the connection automatically if it is disconnected.
For ISDN lines, there are many more protocols and operational modes. Please consult the documentation of your TA. You may need additional commands in both “Dial” and “Init” strings.

5.11 DTR Signal
The majority of WAN devices default to hanging up the current call when the DTR (Data Terminal Ready) signal is dropped by the DTE.
Figure 5-7 Advanced Modem Setup
The following table describes the fields in this screen.

Table 5-4 Advanced Modem Setup
LABEL | DESCRIPTION
AT Command Strings
Dial | Type the AT Command string to make a call. Example: atdt
Drop | Type the AT Command string to drop a call. "~" represents a one second wait, for example, "~~+++~~ath" can be used if your modem has a slow response time.
Answer | Type the AT Command string to answer a call.
Drop DTR When Hang Up | Select this check box to have the Prestige drop the DTR (Data Terminal Ready) signal after the "AT Command String: Drop" is sent out.
AT Response Strings
CLID | Type the keyword that precedes the CLID (Calling Line Identification) in the AT response string. This lets the Prestige capture the CLID in the AT response string that comes from the WAN device.
Called ID
Speed
Part II: NAT and Dynamic DNS
This part covers NAT (Network Address Translation) and dynamic DNS (Domain Name Server).
Chapter 6 Network Address Translation (NAT)
This chapter discusses how to configure NAT on the Prestige.

6.1 NAT Overview
NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet, for example, the source address of an outgoing packet, used within one network to a different IP address known within another network.

6.1.
local address before forwarding it to the original inside host. Note that the IP address (either local or global) of an outside host is never changed. The global IP addresses for the inside hosts can be either static or dynamically assigned by the ISP. In addition, you can designate servers, for example, a web server and a telnet server, on your local network and make them accessible to the outside world.
Figure 6-2 NAT Application With IP Alias

6.1.5 NAT Mapping Types
NAT supports five types of IP/port mapping. They are:
1. One to One: In One-to-One mode, the Prestige maps one local IP address to one global IP address.
2. Many to One: In Many-to-One mode, the Prestige maps multiple local IP addresses to one global IP address.
5. Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world.

Port numbers do not change for One-to-One and Many-to-Many No Overload NAT mapping types. The following table summarizes these types.

Table 6-2 NAT Mapping Types
TYPE 6.
1. Choose SUA Only if you have just one public WAN IP address for your Prestige.
2. Choose Full Feature if you have multiple public WAN IP addresses for your Prestige.

6.3 SUA Server
A SUA server set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make visible to the outside world even though SUA makes your whole inside network appear as a single computer to the outside world.
Many residential broadband ISP accounts do not allow you to run any server processes (such as a Web or FTP server) from your location. Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location. If you are unsure, refer to your ISP. The most often used port numbers are shown in the following table. Please refer to RFC 1700 for further information about port numbers.
Figure 6-3 Multiple Servers Behind NAT Example

6.4 Selecting the NAT Mode
Click NAT to open the following screen.

Figure 6-4 NAT Mode
The following table describes the labels in this screen.
Table 6-4 NAT Mode
LABEL | DESCRIPTION
None | Select this radio button to disable NAT.
SUA Only | Select this radio button if you have just one public WAN IP address for your Prestige. The Prestige uses Address Mapping Set 1 in the NAT - Edit SUA/NAT Server Set screen.
Edit Details | Click this link to go to the NAT - Edit SUA/NAT Server Set screen.
Full Feature | Select this radio button if you have multiple public WAN IP addresses for your Prestige.
Figure 6-5 Edit SUA/NAT Server Set
The following table describes the labels in this screen.

Table 6-5 Edit SUA/NAT Server Set
LABEL | DESCRIPTION
Start Port No. | Enter a port number in this field. To forward only one port, enter the port number again in the End Port No. field. To forward a series of ports, enter the start port number here and the end port number in the End Port No. field.
End Port No. | Enter a port number in this field. To forward only one port, enter the port number again in the Start Port No. field above and then enter it again in this field. To forward a series of ports, enter the last port number in a series that begins with the port number in the Start Port No. field above.
IP Address | Enter your server IP address in this field.
Figure 6-6 Address Mapping Rules
The following table describes the labels in this screen.

Table 6-6 Address Mapping Rules
LABEL | DESCRIPTION
Local Start IP | This is the starting Inside Local IP Address (ILA). Local IP addresses are N/A for Server port mapping.
Local End IP | This is the end Inside Local IP Address (ILA). If your rule is for all local IP addresses, then enter 0.0.0.0 as the Local Start IP address and 255.255.255.255 as the Local End IP address.
Type | 1-1: One-to-one mode maps one local IP address to one global IP address. Note that port numbers do not change for the One-to-one NAT mapping type. M-1: Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyXEL routers supported only.
The following table describes the labels in this screen.

Table 6-7 Address Mapping Rule Edit
LABEL | DESCRIPTION
Type | Choose the port mapping type from one of the following.
1. One-to-One: One-to-One mode maps one local IP address to one global IP address. Note that port numbers do not change for One-to-one NAT mapping type.
2. Many-to-One: Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e.
Chapter 7 Dynamic DNS Setup
This chapter discusses how to configure your Prestige to use Dynamic DNS.

7.1 Dynamic DNS
Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You can also access your FTP server or Web site on your own computer using a domain name (for instance myhost.dhs.
Figure 7-1 DDNS
The following table describes the labels in this screen.

Table 7-1 DDNS
LABEL | DESCRIPTION
Active | Select this check box to use dynamic DNS.
Service Provider | Select the name of your Dynamic DNS service provider.
Host Name | Type the domain name assigned to your Prestige by your Dynamic DNS provider.
E-mail Address | Type your e-mail address.
User | Type your user name.
Password | Type the password assigned to you.
Part III: Firewall and Content Filter
This part introduces firewalls in general and the Prestige firewall. It also explains customized services and logs and gives example firewall rules and an overview of content filtering.
Chapter 8 Firewalls
This chapter gives some background information on firewalls and introduces the Prestige firewall.

8.1 Firewall Overview
Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another. The networking term “firewall” is a system or group of systems that enforces an access-control policy between two networks.
i. Information hiding prevents the names of internal systems from being made known via DNS to outside systems, since the application gateway is the only host whose name must be made known to outside systems.
ii. Robust authentication and logging pre-authenticates application traffic before it reaches internal hosts and causes it to be logged more effectively than if it were logged with standard host logging.
Figure 8-1 Prestige Firewall Application

8.4 Denial of Service
Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources. The Prestige is pre-configured to automatically detect and thwart all known DoS attacks.

8.4.
Table 8-1 Common IP Ports
21 FTP | 53 DNS
23 Telnet | 80 HTTP
25 SMTP | 110 POP3

8.4.2 Types of DoS Attacks
There are four types of DoS attacks:
1. Those that exploit bugs in a TCP/IP implementation.
2. Those that exploit weaknesses in the TCP/IP specification.
3. Brute-force attacks that flood a network with useless data.
4. IP Spoofing.

1. "Ping of Death" and "Teardrop" attacks exploit bugs in the TCP/IP implementations of various computer and host systems.
Figure 8-2 Three-Way Handshake
Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment). After this handshake, a connection is established.

2-a SYN Attack floods a targeted system with a series of SYN packets. Each packet causes the targeted system to issue a SYN-ACK response.
2-b In a LAND Attack, hackers flood SYN packets into the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself.

3. A brute-force attack, such as a "Smurf" attack, targets a feature in the IP specification known as directed or subnet broadcasting, to quickly flood the target network with useless data.
The only legal NetBIOS commands are the following - all others are illegal.

Table 8-3 Legal NetBIOS Commands
MESSAGE: REQUEST: POSITIVE: NEGATIVE: RETARGET: KEEPALIVE:

All SMTP commands are illegal except for those displayed in the following tables.

Table 8-4 Legal SMTP Commands
AUTH DATA EHLO ETRN EXPN HELO HELP MAIL QUIT RCPT RSET SAML SEND SOML TURN VRFY NOOP

Traceroute
Traceroute is a utility used to determine the path a packet takes between two endpoints.
• Allows all sessions originating from the LAN (local network) to the WAN (Internet).
• Denies all sessions originating from the WAN to the LAN.

Figure 8-5 Stateful Inspection
The previous figure shows the Prestige’s default firewall rules in action and demonstrates how stateful inspection works. User A can initiate a Telnet session from within the LAN and responses to this request are allowed. However, other Telnet traffic initiated from the WAN is blocked.

8.5.
4. Based on the obtained state information, a firewall rule creates a temporary access list entry that is inserted at the beginning of the WAN interface's inbound extended access list. This temporary access list entry is designed to permit inbound packets of the same connection as the outbound packet just inspected.
5. The outbound packet is forwarded out through the interface.
6. Later, an inbound packet reaches the interface.
Below is a brief technical description of how these connections are tracked. Connections may either be defined by the upper protocols (for instance, TCP), or by the Prestige itself (as with the "virtual connections" created for UDP and ICMP).

8.5.3 TCP Security
The Prestige uses state information embedded in TCP packets. The first packet of any new connection has its SYN flag set and its ACK flag cleared; these are "initiation" packets.
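The following added example (a simplified model written for this page, not ZyXEL's firmware code) shows the stateful inspection behaviour described above: an outbound initiation packet creates a temporary entry that admits the replies, while WAN-originated initiation packets are blocked unless a WAN to LAN rule allows them. The class and field names, the sample addresses, and the removal of an entry on RST are assumptions of the example.

```python
from dataclasses import dataclass

SYN, ACK, RST = 0x02, 0x10, 0x04   # TCP flag bits


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = LAN to WAN, "in" = WAN to LAN
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def is_initiation(pkt):
    """SYN set and ACK cleared: the first packet of a new TCP connection."""
    return bool(pkt.flags & SYN) and not (pkt.flags & ACK)


class StatefulFirewall:
    """Toy model of the default policy: LAN to WAN allowed, WAN to LAN blocked."""

    def __init__(self, wan_to_lan_allow=()):
        # Custom WAN to LAN rules as (LAN host, port) pairs (hypothetical format).
        self.wan_to_lan_allow = set(wan_to_lan_allow)
        # Temporary entries, newest first: (wan_ip, wan_port, lan_ip, lan_port).
        self.temp_entries = []

    def _remember(self, entry):
        if entry not in self.temp_entries:
            self.temp_entries.insert(0, entry)   # inserted at the beginning

    def _forget(self, entry):
        if entry in self.temp_entries:
            self.temp_entries.remove(entry)

    def inspect(self, pkt):
        """Return (action, reason) for one packet and update the state table."""
        if pkt.direction == "out":
            entry = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if is_initiation(pkt):
                self._remember(entry)
            elif pkt.flags & RST:
                self._forget(entry)          # assumption: RST ends the session
            return ("forward", "LAN to WAN default rule")

        entry = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if entry in self.temp_entries:
            if pkt.flags & RST:
                self._forget(entry)
            return ("forward", "matches temporary entry")
        if is_initiation(pkt) and (pkt.dst, pkt.dport) in self.wan_to_lan_allow:
            self._remember(entry)
            return ("forward", "WAN to LAN rule")
        return ("block", "no matching state or rule")


def demo():
    """Run constructed sample packets through the model; return the actions."""
    fw = StatefulFirewall()
    packets = [
        # User A on the LAN opens a Telnet session to an Internet host.
        Packet("out", "192.168.1.33", 1025, "203.0.113.5", 23, SYN),
        # The server's SYN-ACK reply belongs to the same connection.
        Packet("in", "203.0.113.5", 23, "192.168.1.33", 1025, SYN | ACK),
        # Telnet initiated from the WAN has no state and no rule.
        Packet("in", "198.51.100.9", 4000, "192.168.1.33", 23, SYN),
        # A bare ACK to a port User A never used does not match the entry.
        Packet("in", "203.0.113.5", 23, "192.168.1.33", 1026, ACK),
    ]
    return [fw.inspect(p)[0] for p in packets]


if __name__ == "__main__":
    print(demo())
```
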
8.5.5 Upper Layer Protocols
Some higher layer protocols (such as FTP and RealAudio) utilize multiple network connections simultaneously. In general terms, they usually have a "control connection" which is used for sending commands between endpoints, and then "data connections" which are used for transmitting bulk information. Consider the FTP protocol. A user on the LAN opens a control connection to a server on the Internet and requests a file.
1. Encourage your company or organization to develop a comprehensive security plan. Good network administration takes into account what hackers can do and prepares against attacks. The best defense against hackers and crackers is information. Educate all employees about the importance of security and how to minimize risk. Produce lists like this one!
2.
Packet filtering only checks the header portion of an IP packet.

When To Use Filtering
1. To block/allow LAN packets by their MAC addresses.
2. To block/allow special IP packets which are neither TCP nor UDP, nor ICMP packets.
3. To block/allow both inbound (WAN to LAN) and outbound (LAN to WAN) traffic between the specific inside host/network "A" and outside host/network "B". If the filter blocks the traffic from A to B, it also blocks the traffic from B to A.
6. The firewall can block specific URL traffic that might occur in the future. The URL can be saved in an Access Control List (ACL) database.
Chapter 9 Firewall Configuration
This chapter shows you how to enable and configure the Prestige firewall.

9.1 Remote Management and the Firewall
When remote management is configured to allow management (see the Remote Management chapter) and the firewall is enabled:
• The firewall blocks remote management from the WAN unless you configure a firewall rule to allow it.
• The firewall allows remote management from the LAN.

9.
9.3 Configuring E-mail Alerts
To change your Prestige’s E-mail log settings, click Advanced Setup, Firewall, and then E-mail. The screen appears as shown. This screen is not available on all models.

Use the E-Mail screen to configure where the Prestige sends logs, the schedule for sending them, and which logs and/or immediate alerts it sends. An "End of Log" message displays for each mail in which a complete log has been sent.
Table 9-1 E-mail
LABEL | DESCRIPTION
E-mail Alerts To | Alerts are sent to the e-mail address specified in this field. If this field is left blank, alerts will not be sent via e-mail.
Return Address | Type an E-mail address to identify the Prestige as the sender of the e-mail messages i.e., a "return-to-sender" address for backup purposes.
9.4.1 Alerts
Alerts are reports on events, such as attacks, that you may want to know about right away. You can choose to generate an alert when an attack is detected in the Alert screen (Figure 9-3 - select the Generate alert when attack detected checkbox) or when a rule is matched in the Edit Rule screen (see Figure 10-5).
delete half-open sessions as necessary, until the rate of new connection attempts drops below another threshold (one-minute low). The rate is the number of new attempts detected in the last one-minute sample period.

TCP Maximum Incomplete and Blocking Time
An unusually high number of half-open sessions with the same destination host address could indicate that a Denial of Service attack is being launched against the host.
Figure 9-3 Alert
The following table describes the labels in this screen.

Table 9-2 Alert
LABEL | DESCRIPTION
Generate alert when attack detected | Select this check box to generate an alert whenever an attack is detected.
Denial of Services Thresholds
One Minute Low | This is the rate of new half-open sessions that causes the firewall to stop deleting half-open sessions.
One Minute High | This is the rate of new half-open sessions that causes the firewall to start deleting half-open sessions. The default is "100". When the rate of new connection attempts rises above this number, the Prestige deletes half-open sessions as required to accommodate new connection attempts. The Prestige stops deleting half-open sessions when the number is less than the One Minute Low.
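The following added example (a model written for this page, not the Prestige's own code) shows how the One Minute High and One Minute Low thresholds act as a start/stop pair while a SYN flood is in progress. The One Minute Low value of 80, the sliding 60-second window, the policy of deleting the oldest half-open session for each new attempt, and all addresses are assumptions of the example; only the One Minute High default of 100 comes from the table above.

```python
from collections import Counter, OrderedDict, deque


class HalfOpenGuard:
    """Tracks half-open TCP sessions and applies the one-minute thresholds."""

    def __init__(self, one_minute_high=100, one_minute_low=80):
        self.high = one_minute_high      # start deleting above this rate
        self.low = one_minute_low        # stop deleting below this rate (assumed value)
        self.half_open = OrderedDict()   # connection tuple -> SYN time, oldest first
        self.attempts = deque()          # times of new attempts in the last minute
        self.deleting = False
        self.deleted = []                # half-open sessions removed under load

    def rate(self, now):
        """Number of new connection attempts seen in the last 60 seconds."""
        while self.attempts and self.attempts[0] <= now - 60:
            self.attempts.popleft()
        return len(self.attempts)

    def _update_mode(self, now):
        rate = self.rate(now)
        if not self.deleting and rate > self.high:
            self.deleting = True
        elif self.deleting and rate < self.low:
            self.deleting = False

    def on_syn(self, now, conn):
        """conn is (src_ip, src_port, dst_ip, dst_port) of the initiation packet."""
        self.attempts.append(now)
        self._update_mode(now)
        if self.deleting and self.half_open:
            # Make room for the new attempt by dropping the oldest half-open one.
            victim, _ = self.half_open.popitem(last=False)
            self.deleted.append(victim)
        self.half_open[conn] = now

    def on_established(self, now, conn):
        """The handshake completed, so the session is no longer half-open."""
        self.half_open.pop(conn, None)
        self._update_mode(now)

    def half_open_by_destination(self):
        """Half-open count per destination host, the signal for a targeted DoS."""
        return Counter(dst for (_src, _sport, dst, _dport) in self.half_open)


def simulate_flood():
    """Constructed traffic: a 30-second SYN flood, then one legitimate client."""
    guard = HalfOpenGuard()
    for i in range(150):   # 150 SYNs from varying sources that never complete
        src = f"198.51.100.{i % 250 + 1}"
        guard.on_syn(i * 0.2, (src, 1024 + i, "192.168.1.10", 80))
    during = (guard.deleting, len(guard.half_open), len(guard.deleted))

    legit = ("203.0.113.7", 40000, "192.168.1.20", 25)
    guard.on_syn(150.0, legit)             # two minutes after the flood ended
    guard.on_established(150.1, legit)
    after = (guard.deleting, len(guard.half_open), len(guard.deleted))
    return guard, during, after


if __name__ == "__main__":
    g, during, after = simulate_flood()
    print("during flood:", during)
    print("after flood: ", after)
    print("by destination:", dict(g.half_open_by_destination()))
```
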
Chapter 10 Creating Custom Rules
This chapter contains instructions for defining both Local Network and Internet rules.

10.1 Rules Overview
Firewall rules are subdivided into “Local Network” and “Internet”. By default, the Prestige’s stateful packet inspection allows all communications to the Internet that originate from the local network, and blocks all traffic to the LAN that originates from the Internet.
3. What is the direction of the connection: from the LAN to the Internet, or from the Internet to the LAN?
4. What IP services will be affected?
5. What computers on the LAN are to be affected (if any)?
6. What computers on the Internet will be affected? The more specific, the better. For example, if traffic is being allowed from the Internet to the LAN, it is better to allow only certain machines on the Internet to access the LAN.

10.2.
Source Address
What is the connection’s source address; is it on the LAN or WAN? Is it a single IP, a range of IPs or a subnet?

Destination Address
What is the connection’s destination address; is it on the LAN or WAN? Is it a single IP, a range of IPs or a subnet?

10.3 Connection Direction
This section talks about configuring firewall rules for connections going from LAN to WAN and WAN to LAN in your firewall.

10.3.
10.3.2 WAN to LAN Rules
The default rule for WAN to LAN traffic blocks all incoming connections (WAN to LAN). If you wish to allow certain WAN users to have access to your LAN, you will need to create custom rules to allow it. See the following figure.

Figure 10-2 WAN to LAN Traffic

10.4 Logs
A log is a detailed record that you create for packets that either match a rule, don’t match a rule or both when you are creating/editing a firewall rule (see Figure 10-5).
Figure 10-3 Firewall Logs
The following table describes the labels in this screen.

Table 10-1 Firewall Logs
LABEL | DESCRIPTION
No. | This is the index number of the firewall log. 128 entries are available numbered from 0 to 127. Once they are all used, the log will wrap around and the old logs will be lost.
Time | This is the time the log was recorded in this format. You must configure menu 24.10 to have the logs display the correct time.
Table 10-1 Firewall Logs
LABEL | DESCRIPTION | EXAMPLE
Reason | This field states the reason for the log; i.e., was the rule matched, not matched, or was there an attack. The set and rule coordinates ( where X=1,2; Y=00~10) follow with a simple explanation. There are two policy sets; set 1 (X = 1) is for LAN to WAN rules and set 2 (X = 2) for WAN to LAN rules. Y represents the rule in the set. You can configure up to 10 rules in any set (Y = 01 to 10).
Click on Firewall, then Rule Summary to bring up the following screen. This screen is a summary of the existing rules. Note the order in which the rules are listed. The ordering of your rules is very important as rules are applied in turn.

Figure 10-4 Firewall Rules Summary: First Screen
The following table describes the labels in this screen.
Table 10-2 Firewall Rules Summary: First Screen
LABEL | DESCRIPTION
The default action for packets not matching following rules | Use the drop-down list box to select whether to Block (silently discard) or Forward (allow the passage of) packets that do not match the following rules.
Default Permit Log | Select this check box to log all matched rules in the default set.
The following fields summarize the rules you have created. Note that these fields are read only.
defines the service. (Note that there may be more than one IP protocol type. For example, look at the default configuration labeled “(DNS)”. (UDP/TCP:53) means UDP port 53 and TCP port 53. Up to 128 entries are supported. Custom services may also be configured using the Custom Ports function discussed later.

Table 10-3 Predefined Services
SERVICE | DESCRIPTION
AIM/NEW_ICQ(TCP:5190) | AOL’s Internet Messenger service, used as a listening port by ICQ.
NEWS(TCP:144) | A protocol for news groups.
NFS(UDP:2049) | Network File System - NFS is a client/server distributed file service that provides transparent file-sharing for network environments.
NNTP(TCP:119) | Network News Transport Protocol is the delivery mechanism for the USENET newsgroup service.
SSDP(UDP:1900) | Simple Service Discovery Protocol (SSDP) is a discovery service searching for Universal Plug and Play devices on your home network or upstream Internet gateways using UDP port 1900.
SSH(TCP/UDP:22) | Secure Shell Remote Login Program.
STRMWORKS(UDP:1558) | Stream Works Protocol.
SYSLOG(UDP:514) | Syslog allows you to send system logs to a UNIX server.
Figure 10-5 Creating/Editing A Firewall Rule
The following table describes the labels in this screen.

Table 10-4 Creating/Editing A Firewall Rule
LABEL | DESCRIPTION
Source Address | Click SrcAdd to add a new address, SrcEdit to edit an existing one or SrcDelete to delete one.
Destination Address | Click DestAdd to add a new address, DestEdit to edit an existing one or DestDelete to delete one.
Services | Select a service in the Available Services box on the left, then click >> to select. The selected service shows up on the Selected Services box on the right. To remove a service, click on it in the Selected Services box on the right, then click <<.
Figure 10-6 Adding/Editing Source and Destination Addresses
The following table describes the labels in this screen.

Table 10-5 Adding/Editing Source and Destination Addresses
LABEL | DESCRIPTION
Address Type | Do you want your rule to apply to packets with a particular (single) IP address, a range of IP addresses (e.g., 192.168.1.10 to 192.169.1.
10.8.1 Factors Influencing Choices for Timeout Values
The factors influencing choices for timeout values are the same as the factors influencing choices for threshold values – see section 9.4.2. Click Timeout for either Local Network or Internet.

Figure 10-7 Timeout
The following table describes the labels in this screen.
Table 10-6 Timeout
LABEL | DESCRIPTION
Back | Click Back to return to the previous screen.
Apply | Click Apply to save your customized settings and exit this screen.
Cancel | Click Cancel to return to the previous configuration.
Chapter 11 Customized Services
This chapter covers creating, viewing and editing custom services.

11.1 Introduction to Customized Services
Configure customized services and port numbers not predefined by the Prestige (see Figure 10-5). For a comprehensive list of port numbers and services, visit the IANA (Internet Assigned Number Authority) website. For further information on these services, please read section 10.6.
Table 11-1 Customized Services
LABEL | DESCRIPTION
Customized Services
No. | This is the number of your customized port. Click a rule’s number of a service to go to the Firewall Customized Services Config screen to configure or edit a customized service.
Name | This is the name of your customized service.
Protocol | This shows the IP protocol (TCP, UDP or Both) that defines your customized service.
Port | This is the port number or range that defines your customized service.
Back
Table 11-2 Creating/Editing A Customized Service
LABEL | DESCRIPTION
Service Name | Type a unique name for your custom port.
Service Type | Choose the IP port (TCP, UDP or TCP/UDP) that defines your customized port from the drop down list box.
Port Configuration
Type | Click Single to specify one port only or Range to specify a span of ports that define your customized service.
Step 1. Click SrcAdd to open the Rule IP Config screen. Configure it as follows and click Apply.

Figure 11-4 Configure Source IP Example

Step 5. Click Edit Available Service in the Edit rule screen and then click a rule number to bring up the Firewall Customized Services Config screen. Configure as follows.

Figure 11-5 Customized Service for MyService Example

Customized services show up with an “*” before their names in the Services list box and the Rule Summary list box.
Step 4. Follow the procedures outlined earlier in this chapter to configure all your rules. Configure the rule configuration screen like the one below and apply it. This is the address range of the MyService computers. This is your MyService custom port. Click Apply when finished.
Step 6. On completing the configuration procedure for these Internet firewall rules, the Rule Summary screen should look like the following. Don’t forget to click Apply when you have finished configuring your rule(s) to save your settings back to the Prestige. This rule allows a MyService connection from the WAN. Click Apply to save your settings back to the Prestige.
Chapter 12 Content Filtering
This chapter covers how to configure content filtering.
12.1 Content Filtering Overview
Internet content filtering allows you to create and enforce Internet access policies tailored to your needs. Content filtering gives you the ability to block web sites that contain key words (that you specify) in the URL. You can set a schedule for when the Prestige performs content filtering.
Figure 12-1 Content Filter: Keyword
The following table describes the labels in this screen.
Table 12-1 Content Filter: Keyword
LABEL: DESCRIPTION
Enable Keyword Blocking: Select this check box to enable this feature.
Block Websites that contain these keywords in the URL: This box contains the list of all the keywords that you have configured the Prestige to block.
Delete: Highlight a keyword in the box and click Delete to remove it.
Table 12-1 Content Filter: Keyword
LABEL: DESCRIPTION
Add Keyword: Click Add Keyword after you have typed a keyword. Repeat this procedure to add other keywords. Up to 127 keywords are allowed. When you try to access a web page containing a keyword, you will get a message telling you that the content filter is blocking this request.
Back: Click Back to return to the previous screen.
Apply: Click Apply to save your changes back to the Prestige.
Table 12-2 Content Filter: Schedule
LABEL: DESCRIPTION
Days to Block: Select a check box to configure which days of the week (or everyday) you want the content filtering to be active.
Time of Day to Block: Use the 24 hour format to configure which time of the day (or select the All day check box) you want the content filtering to be active.
Back: Click Back to return to the previous screen.
Apply: Click Apply to save your changes.
Table 12-3 Content Filter: Trusted
LABEL: DESCRIPTION
To: Type the ending IP address of a specific range of users on your LAN that you want to exclude from content filtering. Leave this field blank if you want to exclude an individual computer.
Back: Click Back to return to the previous screen.
Apply: Click Apply to save your changes back to the Prestige.
Cancel: Click Cancel to return to the previously saved settings.
12.
The following table describes the labels in this screen.
Table 12-4 Content Filter Logs
LABEL: DESCRIPTION
Page: Choose a page of logs from the drop-down list box to display.
No.: This is the index number of the content filter log.
Time: This field displays the time of the log.
Source IP: This field displays the IP address of the computer accessing the web site.
Reason: This field shows what type of configuration in content filtering caused the event.
Part IV: VPN/IPSec
This part provides information about configuring VPN/IPSec for secure communications.
Chapter 13 Introduction to IPSec
This chapter introduces the basics of IPSec VPNs.
13.1 VPN Overview
A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication.
13.1.
Figure 13-1 Encryption and Decryption
Data Confidentiality
The IPSec sender can encrypt packets before transmitting them across a network.
Data Integrity
The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has not been altered during transmission.
Data Origin Authentication
The IPSec receiver can verify the source of IPSec packets. This service depends on the data integrity service.
13.1.
Figure 13-2 VPN Application
13.2 IPSec Architecture
The overall IPSec architecture is shown as follows.
Figure 13-3 IPSec Architecture
13.2.1 IPSec Algorithms
The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms). The Encryption Algorithm describes the use of encryption techniques such as DES (Data Encryption Standard) and Triple DES algorithms.
13.3 Encapsulation
The two modes of operation for IPSec VPNs are Transport mode and Tunnel mode.
Figure 13-4 Transport and Tunnel Mode IPSec Encapsulation
13.3.1 Transport Mode
Transport mode is used to protect upper layer protocols and only affects the data in the IP packet.
A NAT device in between the IPSec endpoints will rewrite either the source or destination address with one of its own choosing. The VPN device at the receiving end will verify the integrity of the incoming packet by computing its own hash value, and complain that the hash value appended to the received packet doesn't match. The VPN device at the receiving end doesn't know about the NAT in the middle, so it assumes that the data has been maliciously altered.
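The hash mismatch described above can be reproduced with a simplified model of an AH-style integrity check. This is an added example, not ZyXEL code: the key, addresses and payloads are constructed, and the check value is HMAC-SHA1 truncated to 96 bits over the IPv4 header (mutable fields zeroed) plus the payload, leaving out the AH header's own fields. It also shows that an ESP-style check, which covers only the ESP packet, is unaffected by the same address rewrite.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed value: stands in for the authentication key of one SA.
AUTH_KEY = b"constructed-demo-auth-key"
PROTO_ESP, PROTO_AH = 50, 51


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Pack a 20-byte IPv4 header without options (checksum left at zero)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )


def zero_mutable(header):
    """Zero the fields a router may legitimately change in transit."""
    h = bytearray(header)
    h[1] = 0                # type of service
    h[6:8] = b"\x00\x00"    # flags and fragment offset
    h[8] = 0                # time to live
    h[10:12] = b"\x00\x00"  # header checksum
    return bytes(h)


def hmac_sha1_96(data):
    """HMAC-SHA1 truncated to 96 bits."""
    return hmac.new(AUTH_KEY, data, hashlib.sha1).digest()[:12]


def ah_icv(header, payload):
    """AH-style check value: covers the IP header, addresses included."""
    return hmac_sha1_96(zero_mutable(header) + payload)


def esp_icv(outer_header, esp_packet):
    """ESP-style check value: the outer IP header is deliberately ignored."""
    return hmac_sha1_96(esp_packet)


def route(header):
    """An ordinary router hop: decrement the TTL."""
    h = bytearray(header)
    h[8] -= 1
    return bytes(h)


def nat(header, public_src):
    """A NAT device: replace the source address with one of its own."""
    h = bytearray(header)
    h[12:16] = ipaddress.IPv4Address(public_src).packed
    return bytes(h)


def demo():
    """Return what the receiver decides for each constructed packet."""
    payload = b"constructed upper-layer data"
    ah_hdr = ipv4_header("192.168.1.33", "203.0.113.9", PROTO_AH, len(payload))
    ah_tag = ah_icv(ah_hdr, payload)

    esp_packet = b"constructed ESP header and ciphertext"
    esp_hdr = ipv4_header("192.168.1.33", "203.0.113.9", PROTO_ESP, len(esp_packet))
    esp_tag = esp_icv(esp_hdr, esp_packet)

    def ok(a, b):
        return hmac.compare_digest(a, b)

    return {
        # TTL is a mutable field, so a plain router hop does not break AH.
        "ah_after_router_hop": ok(ah_icv(route(ah_hdr), payload), ah_tag),
        # The source address is covered, so the NAT rewrite breaks AH.
        "ah_after_nat": ok(ah_icv(nat(ah_hdr, "198.51.100.7"), payload), ah_tag),
        # The ESP check value never covered the outer header.
        "esp_after_nat": ok(esp_icv(nat(esp_hdr, "198.51.100.7"), esp_packet), esp_tag),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```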
Chapter 14 VPN Screens
This chapter introduces the VPN screens. See the Logs chapter for information on viewing logs and the Reference Guide for IPSec log description.
14.1 VPN/IPSec Overview
Use the screens documented in this chapter to configure rules for VPN connections and manage VPN connections.
14.2 IPSec Algorithms
The ESP and AH protocols are necessary to create a Security Association (SA), the foundation of an IPSec VPN.
Table 14-1 AH and ESP
ESP
DES (default): Data Encryption Standard (DES) is a widely used method of data encryption using a private (secret) key. DES applies a 56-bit key to each 64-bit block of data.
3DES: Triple DES (3DES) is a variant of DES, which iterates three times with three separate keys (3 x 56 = 168 bits), effectively doubling the strength of DES.
AH
MD5 (default): MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data.
The Secure Gateway IP Address may be configured as 0.0.0.0 only when using IKE key management and not Manual key management.
14.5 VPN Summary Screen
The following figure helps explain the main fields in the web configurator.
Figure 14-1 IPSec Summary Fields
Local and remote IP addresses must be static.
Click VPN and Setup to open the VPN Summary screen. This is a read-only menu of your IPSec rules (tunnels). The IPSec summary menu is read-only.
Figure 14-2 VPN Summary
The following table describes the labels in this screen.
Table 14-2 VPN Summary
LABEL: DESCRIPTION
No.: This is the VPN policy index number. Click a number to edit VPN policies.
Name: This field displays the identification name for this VPN policy.
Active: This field displays whether the VPN policy is active or not. A "Y" signifies that this VPN policy is active.
Table 14-2 VPN Summary
LABEL: DESCRIPTION
IPSec Algorithm: This field displays the security protocols used for an SA. Both AH and ESP increase Prestige processing requirements and communications latency (delay).
Secure Gateway IP: This is the IP address of the remote IPSec router. This must be a fixed, public IP address for traffic going through the Internet.
Back: Click Back to return to the previous screen.
14.
With main mode (see section 14.10.1), the ID type and content are encrypted to provide identity protection. In this case the Prestige can only distinguish between up to eight different incoming SAs that connect from remote IPSec routers that have dynamic WAN IP addresses.
Table 14-5 Matching ID Type and Content Configuration Example
PRESTIGE A
Local ID type: E-mail
Local ID content: tom@yourcompany.com
Peer ID type: IP
Peer ID content: 1.1.1.2
PRESTIGE B
Local ID type: IP
Local ID content: 1.1.1.2
Peer ID type: E-mail
Peer ID content: tom@yourcompany.com

The two Prestiges in this example cannot complete their negotiation because Prestige B’s Local ID type is IP, but Prestige A’s Peer ID type is set to E-mail.
The following table describes the labels in this screen.
Table 14-7 VPN IKE
LABEL: DESCRIPTION
IPSec Setup
Active: Select this check box to activate this VPN policy.
Keep Alive: Select either Yes or No from the drop-down list box. Select Yes to have the Prestige automatically reinitiate the SA after the SA lifetime times out, even if there is no traffic. The remote IPSec router must also have keep alive enabled in order for this feature to work.
Table 14-7 VPN IKE
LABEL: DESCRIPTION
Local Address Type: Use the drop-down menu to choose Single, Range, or Subnet. Select Single for a single IP address. Select Range for a specific range of IP addresses. Select Subnet to specify IP addresses on a network by their subnet mask.
IP Address Start: When the Local Address Type field is configured to Single, enter a (static) IP address on the LAN behind your Prestige.
Table 14-7 VPN IKE
LABEL: DESCRIPTION
End / Subnet Mask: When the Remote Address Type field is configured to Single, enter the IP address in the IP Address Start field again here. When the Remote Address Type field is configured to Range, enter the end (static) IP address, in a range of computers on the network behind the remote IPSec router. When the Remote Address Type field is configured to Subnet, enter a subnet mask on the network behind the remote IPSec router.
Table 14-7 VPN IKE
LABEL: DESCRIPTION
Content: When you select IP in the Peer ID Type field, type the IP address of the computer with which you will make the VPN connection or leave the field blank to have the Prestige automatically use the address in the Secure Gateway Address field. When you select DNS in the Peer ID Type field, type a domain name (up to 31 characters) by which to identify the remote IPSec router.
Table 14-7 VPN IKE
LABEL: DESCRIPTION
Authentication Algorithm: Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA-1 for maximum security.
Advanced: Click Advanced to configure more detailed settings of your IKE key management.
• Choose a Diffie-Hellman public-key cryptography key group (DH1 or DH2).
• Set the IKE SA lifetime. This field allows you to determine how long an IKE SA should stay up before it times out. An IKE SA times out when the IKE SA lifetime period expires. If an IKE SA times out when an IPSec SA is already established, the IPSec SA stays connected.
In phase 2 you must:
• Choose which protocol to use (ESP or AH) for the IKE key exchange.
• Choose an encryption algorithm.
14.10.3 Perfect Forward Secrecy (PFS)
Enabling PFS means that the key is transient. The key is thrown away and replaced by a brand new key using a new Diffie-Hellman exchange for each new IPSec SA setup. With PFS enabled, if one key is compromised, previous and subsequent keys are not compromised, because subsequent keys are not derived from previous keys. The (time-consuming) Diffie-Hellman exchange is the trade-off for this extra security.
Figure 14-5 VPN IKE: Advanced
The following table describes the labels in this screen.
Table 14-8 VPN IKE: Advanced
LABEL: DESCRIPTION
VPN - IKE
Protocol: Enter 1 for ICMP, 6 for TCP, 17 for UDP, etc. 0 is the default and signifies any protocol.
Table 14-8 VPN IKE: Advanced
LABEL: DESCRIPTION
Enable Replay Protection: As a VPN setup is processing intensive, the system is vulnerable to Denial of Service (DoS) attacks. The IPSec receiver can detect and reject old or duplicate packets to protect against replay attacks. Select YES from the drop-down menu to enable replay detection, or select NO to disable it.
Local Start Port: 0 is the default and signifies any port. Type a port number from 0 to 65535.
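How a receiver can "detect and reject old or duplicate packets" is easiest to see as a sliding window over the sequence numbers carried in AH/ESP packets. The following is an added example, not the Prestige firmware: the 32-packet window size is an assumption (the guide does not state one), and the packet trace, including the `icv_valid` flags standing in for the integrity check result, is constructed.

```python
class ReplayWindow:
    """Receiver-side anti-replay state for one inbound SA."""

    def __init__(self, size=32):
        self.size = size      # window width in packets (assumed, not from the guide)
        self.highest = 0      # highest sequence number authenticated so far
        self.bitmap = 0       # bit i set: sequence (highest - i) was already accepted

    def _verdict_before_auth(self, seq):
        """Cheap check made before the costly integrity verification."""
        if seq == 0:
            return "drop: outside window"      # senders start counting at 1
        if seq > self.highest:
            return None                        # newer than anything seen so far
        offset = self.highest - seq
        if offset >= self.size:
            return "drop: outside window"      # too old to be tracked
        if (self.bitmap >> offset) & 1:
            return "drop: duplicate"           # this number was already accepted
        return None

    def _mark_seen(self, seq):
        if seq > self.highest:
            shift = seq - self.highest
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def receive(self, seq, icv_valid):
        """Return the verdict for one packet and update state only on accept."""
        early = self._verdict_before_auth(seq)
        if early:
            return early
        if not icv_valid:
            # A forged packet must never move the window forward, otherwise
            # one bogus high sequence number would lock out genuine traffic.
            return "drop: authentication failed"
        self._mark_seen(seq)
        return "accept"


# Constructed trace of (sequence number, integrity check passed).
TRACE = [
    (1, True), (2, True),
    (2, True),        # captured packet sent again
    (5, True),
    (3, True),        # arrived late but still inside the window
    (5000, False),    # forged packet with a far-ahead sequence number
    (6, True),        # genuine traffic continues unaffected
    (40, True),       # window slides forward
    (5, True),        # old capture, now 35 behind
    (9, True),        # 31 behind: last slot still inside the window
    (8, True),        # 32 behind: just outside
    (40, True),       # duplicate of the newest packet
]


def run_trace(trace=TRACE, size=32):
    window = ReplayWindow(size)
    return [window.receive(seq, ok) for seq, ok in trace], window.highest


if __name__ == "__main__":
    verdicts, _ = run_trace()
    for (seq, _), verdict in zip(TRACE, verdicts):
        print(f"seq {seq:>4}: {verdict}")
```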
Table 14-8 VPN IKE: Advanced
LABEL: DESCRIPTION
Encryption Algorithm: Select DES or 3DES from the drop-down list box. When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The DES encryption algorithm uses a 56-bit key. Triple DES (3DES) is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES.
Table 14-8 VPN IKE: Advanced
LABEL: DESCRIPTION
Authentication Algorithm: Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA-1 for maximum security.
SA Life Time: Define the length of time before an IKE SA automatically renegotiates in this field.
Current ZyXEL implementation assumes identical outgoing and incoming SPIs.
14.13 Configuring Manual Key
You only configure VPN Manual Key when you select Manual in the Key Management field on the VPN IKE screen. This is the VPN Manual Key screen as shown next.
The following table describes the labels in this screen.
Table 14-9 VPN Manual Key
LABEL: DESCRIPTION
IPSec Setup
Active: Select this check box to activate this VPN policy.
Name: Type up to 32 characters to identify this VPN policy. You may use any character, including spaces, but the Prestige drops trailing spaces.
IPSec Key Mode: Select IKE or Manual from the drop-down list box. Manual is a useful option for troubleshooting if you have problems using IKE key management.
Table 14-9 VPN Manual Key
LABEL: DESCRIPTION
IP Address Start: When the Local Address Type field is configured to Single, enter a (static) IP address on the LAN behind your Prestige. When the Local Address Type field is configured to Range, enter the beginning (static) IP address, in a range of computers on your LAN behind your Prestige. When the Local Address Type field is configured to Subnet, this is a (static) IP address on the LAN behind your Prestige.
Table 14-9 VPN Manual Key
LABEL: DESCRIPTION
My IP Address: Enter the WAN IP address of your Prestige. The Prestige uses its current WAN IP address (static or dynamic) in setting up the VPN tunnel if you leave this field as 0.0.0.0. The VPN tunnel has to be rebuilt if this IP address changes.
Secure Gateway Address: Type the WAN IP address or the URL (up to 31 characters) of the IPSec router with which you're making the VPN connection. Set this field to 0.0.0.
Table 14-9 VPN Manual Key
LABEL: DESCRIPTION
Apply: Click Apply to save your changes back to the Prestige.
Cancel: Click Cancel to begin configuring this screen afresh.
Delete: Click Delete to remove the current rule.
14.14 Viewing SA Monitor
Click VPN and Monitor to open the SA Monitor screen as shown. Use this screen to display and manage active VPN connections. A Security Association (SA) is the group of security settings related to a specific VPN tunnel.
Figure 14-7 SA Monitor
The following table describes the labels in this screen.
Table 14-10 SA Monitor
LABEL: DESCRIPTION
No: This is the security association index number.
Name: This field displays the identification name for this VPN policy.
Encapsulation: This field displays Tunnel or Transport mode.
IPSec Algorithm: This field displays the security protocols used for an SA. Both AH and ESP increase Prestige processing requirements and communications latency (delay).
Table 14-10 SA Monitor
LABEL: DESCRIPTION
Back: Click Back to return to the previous screen.
Apply: Click Apply to save your changes back to the Prestige.
Refresh: Click Refresh to display the current active VPN connection(s).
14.15 Configuring Global Setting
To change your Prestige’s global settings, click VPN and then Global Setting. The screen appears as shown.
Figure 14-8 Global Setting
The following table describes the labels in this screen.
14.16 Configuring IPSec Logs
To view IPSec logs in this screen, click Advanced Setup, VPN, and then Logs to open the screen shown next.
Figure 14-9 VPN Logs
The following table describes the labels in this screen.
Table 14-12 VPN Logs
LABEL: DESCRIPTION
Back: Click Back to return to the previous screen.
Previous Page: Click Previous Page to view more logs.
Refresh: Click Refresh to update the report display.
Double exclamation marks (!!) denote an error or warning message. The following table shows sample log messages during IKE key exchange.
Table 14-13 Sample IKE Key Exchange Logs
LOG MESSAGE: DESCRIPTION
Cannot find outbound SA for rule <#d>: The packet matches the rule index number (#d), but Phase 1 or Phase 2 negotiation for outbound (from the VPN initiator) traffic is not finished yet.
Send Main Mode request to: The Prestige has started negotiation with the peer.
Table 14-13 Sample IKE Key Exchange Logs
LOG MESSAGE: DESCRIPTION
!! Local / remote IPs of incoming request conflict with rule <#d>: If the security gateway is “0.0.0.0”, the Prestige will use the peer’s “Local Addr” as its “Remote Addr”. If this IP (range) conflicts with a previously configured rule then the connection is not allowed.
!! Invalid IP /: The peer’s “Local IP Addr” range is invalid.
Table 14-14 Sample IPSec Logs During Packet Transmission
LOG MESSAGE: DESCRIPTION
!! Inbound packet authentication failed: The authentication configuration settings are incorrect. Please check them.
!! Inbound packet decryption failed: The decryption configuration settings are incorrect. Please check them.
Rule <#d> idle time out, disconnect: If an SA has no packets transmitted for a period of time (configurable via CI command), the Prestige drops the connection.
14.17 Telecommuter VPN/IPSec Examples
The following examples show how multiple telecommuters can make VPN connections to a single Prestige at headquarters. The telecommuters use IPSec routers with dynamic WAN IP addresses. The Prestige at headquarters has a static public IP address.
14.17.
14.17.2 Telecommuters Using Unique VPN Rules Example
In this example the telecommuters (A, B and C in the figure) use IPSec routers with domain names that are mapped to their dynamic WAN IP addresses (use Dynamic DNS to do this). With aggressive negotiation mode (see section 14.10.1), the Prestige can use the ID types and contents to distinguish between VPN rules. Telecommuters can each use a separate VPN rule to simultaneously access a Prestige at headquarters.
Table 14-17 Telecommuters Using Unique VPN Rules Example
HEADQUARTERS Local ID Content: bob@bigcompanyhq.com TELECOMMUTERS Peer ID Type: E-mail Peer ID Content: bob@bigcompanyhq.com Headquarters Prestige Rule 1: Telecommuter A (telecommutera.dydns.org) Peer ID Type: IP Local ID Type: IP Peer ID Content: 192.168.2.12 Local ID Content: 192.168.2.12 Secure Gateway Address: telecommuter1.com Local IP Address: 192.168.2.12 Remote Address 192.168.2.
Part V: Remote Management and UPnP
This part contains Remote Management and UPnP
Chapter 15 Remote Management Configuration
This chapter provides information on configuring remote management.
15.1 Remote Management Overview
Remote management allows you to determine which services/protocols can access which Prestige interface (if any) from which computers.
Use the Prestige’s WAN IP address when configuring from the WAN. Use the Prestige’s LAN IP address when configuring from the LAN.
15.1.3 System Timeout
There is a system timeout of five minutes (three hundred seconds) for either the console port or telnet/web/FTP connections. Your Prestige automatically logs you out if you do nothing in this timeout period, except when it is continuously updating the status in menu 24.1 or when sys stdio has been changed on the command line.
15.5 Configuring Remote Management
Click Remote Management to open the following screen.
Figure 15-2 Remote Management
The following table describes the labels in this screen.
Table 15-1 Remote Management
LABEL: DESCRIPTION
Server Type: Each of these labels denotes a service that you may use to remotely manage the Prestige.
Access Status: Select the access interface. Choices are All, LAN Only, WAN Only and Disable.
Chapter 16 Universal Plug-and-Play (UPnP)
This chapter introduces the UPnP feature in the web configurator.
16.1 Universal Plug and Play Overview
Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities and learn about other devices on the network.
All UPnP-enabled devices may communicate freely with each other without additional configuration. Disable UPnP if this is not your intention.
16.1.4 UPnP and ZyXEL
ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum Creates UPnP™ Implementers Corp. (UIC). ZyXEL's UPnP implementation supports IGD 1.0 (Internet Gateway Device). At the time of writing ZyXEL's UPnP implementation supports Windows Messenger 4.6 and 4.7 while Windows Messenger 5.
Figure 16-1 Configuring UPnP
Table 16-1 Configuring UPnP
FIELD: DESCRIPTION
Enable the Universal Plug and Play (UPnP) Service: Select this checkbox to activate UPnP. Be aware that anyone could use a UPnP application to open the web configurator's login screen without entering the Prestige's IP address (although you must still enter the password to access the web configurator).
Installing UPnP in Windows Me
Follow the steps below to install the UPnP in Windows Me.
Step 1. Click Start and Control Panel. Double-click Add/Remove Programs.
Step 2. Click on the Windows Setup tab and select Communication in the Components selection box. Click Details.
Step 3. In the Communications window, select the Universal Plug and Play check box in the Components selection box.
Step 4.
Installing UPnP in Windows XP
Follow the steps below to install the UPnP in Windows XP.
Step 1. Click start and Control Panel.
Step 2. Double-click Network Connections.
Step 3. In the Network Connections window, click Advanced in the main menu and select Optional Networking Components …. The Windows Optional Networking Components Wizard window displays.
Step 4. Select Networking Service in the Components selection box and click Details.
Step 5.
16.4 Using UPnP in Windows XP Example
This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the Prestige.
Make sure the computer is connected to a LAN port of the Prestige. Turn on your computer and the Prestige.
Auto-discover Your UPnP-enabled Network Device
Step 1. Click start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway.
Step 2.
Step 3. In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created.
Step 4. You may edit or delete the port mappings or click Add to manually add port mappings. When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically.
Step 5. Select Show icon in notification area when connected option and click OK.
Step 6. Double-click on the icon to display your current Internet connection status.
Web Configurator Easy Access Example
With UPnP, you can access the web-based configurator on the Prestige without finding out the IP address of the Prestige first. This is helpful if you do not know the IP address of the Prestige.
Follow the steps below to access the web configurator.
Step 1. Click start and then Control Panel.
Step 2. Double-click Network Connections.
Step 3.
Step 4. An icon with the description for each UPnP-enabled device displays under Local Network.
Step 5. Right-click on the icon for your Prestige and select Invoke. The web configurator login screen displays.
Step 6. Right-click on the icon for your Prestige and select Properties. A properties window displays with basic information about the Prestige.
Part VI: Maintenance
This part covers the maintenance screens.
Chapter 17 Maintenance
This chapter displays system information such as ZyNOS firmware, port IP addresses and port traffic statistics.
17.1 Maintenance Overview
Use the maintenance screens to view system information, upload new firmware, manage configuration and restart your Prestige.
17.2 System Status Screen
Click System Status to open the following screen, which you can use to monitor your Prestige.
Figure 17-1 System Status
The following table describes the labels in this screen.
Table 17-1 System Status
LABEL: DESCRIPTION
System Status
System Name: This is the name of your Prestige. It is for identification purposes.
ZyNOS F/W Version: This is the ZyNOS firmware version and the date created. ZyNOS is ZyXEL's proprietary Network Operating System design.
DSL FW Version: This is the DSL firmware version associated with your Prestige.
Standard: This is the standard that your Prestige is using.
WAN Information
IP Address: This is the WAN port IP address.
17.2.1 System Statistics
Click Show Statistics in the System Status screen to open the following screen. Read-only information here includes port status and packet specific statistics. Also provided are "system up time" and "poll interval(s)". The Poll Interval(s) field is configurable.
Figure 17-2 System Status: Show Statistics
The following table describes the labels in this screen.
Table 17-2 System Status: Show Statistics
LABEL: DESCRIPTION
WAN Port Statistics This is the WAN port.
Link Status: This is the status of your WAN link.
Transfer Rate: This is the transfer rate in kbps.
Upstream Speed: This is the upstream speed of your Prestige.
Downstream Speed: This is the downstream speed of your Prestige.
Node-Link: This field displays the remote node index number and link type. Link types are PPPoA, ENET, RFC 1483 and PPPoE.
Table 17-2 System Status: Show Statistics
LABEL: DESCRIPTION
above.
Stop: Click this button to halt the refreshing of the system statistics.
17.3 DHCP Table Screen
DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the Prestige as a DHCP server or disable it. When configured as a server, the Prestige provides the TCP/IP configuration for the clients.
Table 17-3 DHCP Table
LABEL: DESCRIPTION
MAC Address: This field displays the MAC (Media Access Control) address of the computer with the displayed host name. Every Ethernet device has a unique MAC address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.
17.4 Diagnostic Screens
These read-only screens display information to help you identify problems with the Prestige.
Figure 17-5 Diagnostic General
The following table describes the labels in this screen.
Table 17-4 Diagnostic General
LABEL: DESCRIPTION
TCP/IP Address: Type the IP address of a computer that you want to ping in order to test a connection.
Ping: Click this button to ping the IP address that you entered.
Reset System: Click this button to reboot the Prestige. A warning dialog box is then displayed asking you if you're sure you want to reboot the system. Click OK to proceed.
Table 17-4 Diagnostic General
LABEL: DESCRIPTION
Back: Click this button to go back to the main Diagnostic screen.
17.4.2 Diagnostic DSL Line Screen
Click Diagnostic and then DSL Line to open the screen shown next.
Figure 17-6 Diagnostic DSL Line
The following table describes the labels in this screen.
Table 17-5 Diagnostic DSL Line
LABEL: DESCRIPTION
Reset xDSL Line: Click this button to reinitialize the xDSL line.
Table 17-5 Diagnostic DSL Line
“Start to reset xDSL... Reset xDSL Line Successfully!”
Back: Click this button to go back to the main Diagnostic screen.
17.5 Firmware Screen
Find firmware at www.zyxel.com in a file that (usually) uses the system model name with a "*.bin" extension, e.g., "Prestige.bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes. After a successful upload, the system will reboot.
The following table describes the labels in this screen.
Table 17-6 Firmware Upgrade
LABEL: DESCRIPTION
File Path: Type in the location of the file you want to upload in this field or click Browse ... to find it.
Browse...: Click Browse... to find the .bin file you want to upload. Remember that you must decompress compressed (.zip) files before you can upload them.
Upload: Click Upload to begin the upload process. This process may take up to two minutes.
Part VII: SMT General Configuration
This part covers System Management Terminal configuration for general setup, LAN setup, wireless LAN setup, Internet access, remote nodes, remote node TCP/IP, static routing and NAT. See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.
Chapter 18 Introducing the SMT
This chapter explains how to access and navigate the System Management Terminal and gives an overview of its menus.
18.1 SMT Introduction
The Prestige’s SMT (System Management Terminal) is a menu-driven interface that you can access from a terminal emulator through the console port or over a telnet connection.
18.1.1 Procedure for SMT Configuration via Console Port
Follow the steps below to access your Prestige via the console port.
Please note that if there is no activity for longer than five minutes after you log in, your Prestige will automatically log you out.
Enter Password : ****
Figure 18-1 Login Screen
18.1.4 Prestige SMT Menu Overview
The following figure gives you an overview of the various SMT menu screens of your Prestige.
Prestige 650HW Main Menu Menu 1 General Setup Menu 3 LAN Setup Menu 1.1 Configure Dynamic DNS Menu 3.1 LAN Port Filter Setup Menu 4 Internet Access Setup Menu 3.2 TCP/IP and DHCP Setup Menu 3.2.1 IP Alias Setup Menu 3.5 Wireless LAN Setup Menu 3.5.1 WLAN MAC Address Filter Menu 11 Remote Node Setup Menu 12 Static Routing Setup Menu 11.1 Remote Node Profile Menu 12.1 IP Static Route Menu 12.1.1 Edit IP Static Route Menu 11.
18.2 Navigating the SMT Interface
The SMT (System Management Terminal) is the interface that you use to configure your Prestige. Several operations that you should be familiar with before you attempt to modify the configuration are listed in the table below.
Table 18-1 Main Menu Commands
OPERATION: Move down to another menu
KEYSTROKE: [ENTER]
DESCRIPTION: To move forward to a submenu, type in the number of the desired submenu and press [ENTER].
Copyright (c) 1994 - 2003 ZyXEL Communications Corp.

Prestige 792H Main Menu

Getting Started
  1. General Setup
  3. LAN Setup
  4. Internet Access Setup

Advanced Applications
  11. Remote Node Setup
  12. Static Routing Setup
  14. Dial-in User Setup
  15. NAT Setup

Advanced Management
  21. Filter and Firewall Setup
  22. SNMP Configuration
  23. System Security
  24. System Maintenance
  25. IP Routing Policy Setup
  26. Schedule Setup
  27. VPN/IPSec Setup

  99.
Table 18-2 Main Menu Summary

#    MENU TITLE        DESCRIPTION
26   Schedule Setup    Use this menu to schedule outgoing calls.
27   VPN/IPSec Setup   Use this menu to configure VPN connections on the Prestige 650H/HW.
99   Exit              Use this to exit from SMT and return to a blank screen.

18.3 Changing the System Password

Change the Prestige default password by following the steps shown next.

Step 1. Enter 23 in the main menu to display Menu 23 - System Security.
Step 2.
Chapter 19 General Setup

Menu 1 - General Setup contains administrative and system-related information.

19.1 General Setup

Menu 1 — General Setup contains administrative and system-related information (shown next). The System Name field is for identification purposes. However, because some ISPs check this name you should enter your computer's "Computer Name".

• In Windows 95/98 click Start, Settings, Control Panel, Network.
Menu 1 - General Setup

System Name= ?
Location=
Contact Person's Name=
Domain Name=
Edit Dynamic DNS= No
Route IP= Yes
Bridge= No

Press ENTER to Confirm or ESC to Cancel:

Figure 19-1 Menu 1 General Setup

Fill in the required fields. Refer to the table shown next for more information about these fields.

Table 19-1 Menu 1 General Setup

FIELD: System Name
DESCRIPTION: Enter a descriptive name for identification purposes.
19.2.1 Configuring Dynamic DNS

If you have a private WAN IP address, then you cannot use Dynamic DNS.

To configure Dynamic DNS, go to Menu 1 — General Setup and select Yes in the Edit Dynamic DNS field. Press [ENTER] to display Menu 1.1 — Configure Dynamic DNS as shown next.

Menu 1.1 - Configure Dynamic DNS

Service Provider = WWW.DynDNS.ORG
Active= Yes
Host= me.ddns.
Chapter 20 WAN Setup

This chapter shows you how to configure the WAN settings of your Prestige.

20.1 WAN Setup

Use Menu 2 – WAN Setup to configure G.SHDSL settings for your WAN line. Different telephone companies deploy different types of G.SHDSL service. If you are unsure of any of this information, please check with your telephone company.

20.2 WAN Setup Screen

From the main menu, enter 2 to open menu 2.
Rate Adaption
Press [SPACE BAR] to select Enable (activate) or Disable (deactivate).

Transfer Max Rate (2312 Kbps)
Press [SPACE BAR] to select a Transfer Max Rate greater than or equal to the Transfer Min Rate and press [ENTER] to continue.

Transfer Min Rate (2312 Kbps)
Press [SPACE BAR] to select a Transfer Min Rate less than or equal to the Transfer Max Rate and press [ENTER] to continue.
Chapter 21 Dial Backup

This chapter shows you how to configure Dial Backup for your Prestige.

21.1 Dial Backup Overview

To set up the auxiliary port (Dial Backup or CON/AUX) for use in the event that the regular WAN connection is dropped, first make sure you have set up the switch and port connection (see the Quick Start Guide for the Hardware Installation chapter), then configure:

1. Menu 2 - WAN Setup,
2. Menu 2.1 - Advanced WAN Setup and
3. Menu 11.
Table 21-1 Menu 2: Dial Backup Setup

Dial-Backup:

FIELD: Active
DESCRIPTION: Use this field to turn the dial-backup feature on (Yes) or off (No).
EXAMPLE: No

FIELD: Port Speed
DESCRIPTION: Press [SPACE BAR] and then press [ENTER] to select the speed of the connection between the Dial Backup port and the external device. Available speeds are: 9600, 19200, 38400, 57600, 115200 or 230400 bps.
EXAMPLE: 115200
Menu 2.
Table 21-2 Advanced WAN Port Setup: AT Commands Fields

FIELD: Speed
DESCRIPTION: Enter the keyword preceding the connection speed.
DEFAULT: CONNECT

Table 21-3 Advanced WAN Port Setup: Call Control Parameters

Call Control

FIELD: Dial Timeout (sec)
DESCRIPTION: Enter a number of seconds for the Prestige to keep trying to set up an outgoing call before timing out (stopping).

FIELD: Retry Count
Menu 11.1 - Remote Node Profile (Backup ISP)

Rem Node Name= ?
Active= Yes
Outgoing:
My Login=
My Password= ********
Authen= CHAP/PAP
Pri Phone #= ?
Sec Phone #=
Edit PPP Options= No
Rem IP Addr= 0.0.0.
Table 21-4 Remote Node Profile (Backup ISP)

FIELD: Pri Phone #, Sec Phone #
DESCRIPTION: Enter the first (primary) phone number from the ISP for this remote node. If the Primary Phone number is busy or does not answer, your Prestige dials the Secondary Phone number if available. Some areas require dialing the pound sign # before the phone number for local calls. Include a # symbol at the beginning of the phone numbers as required.
Table 21-4 Remote Node Profile (Backup ISP)

Once you have configured this menu, press [ENTER] at the message “Press ENTER to Confirm...” to save your configuration, or press [ESC] at any time to cancel.

21.2.1 Editing PPP Options

The Prestige’s dial back-up feature uses PPP. To edit the remote node PPP Options, move the cursor to the Edit PPP Options field in Menu 11.1 - Remote Node Profile, and use the space bar to select Yes.
Move the cursor to the Edit IP field in menu 11.1, then press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.3 - Network Layer Options.

Menu 11.3 - Remote Node Network Layer Options

Rem IP Addr= 0.0.0.0
Rem Subnet Mask= 0.0.0.0
My WAN Addr= 0.0.0.
Table 21-5 Remote Node Network Layer Options

FIELD: Private
DESCRIPTION: This parameter determines if the Prestige will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcasts. If No, the route to this remote node will be propagated to other hosts through RIP broadcasts.
Menu 11.5 - Remote Node Filter

Input Filter Sets:
  protocol filters=
  device filters=
Output Filter Sets:
  protocol filters=
  device filters=

Enter here to CONFIRM or ESC to CANCEL:

Figure 21-7 Menu 11.
Chapter 22 LAN Setup

This chapter shows you how to configure the LAN settings for your Prestige.

22.1 Ethernet Setup

This section describes how to configure the Ethernet using Menu 3 – Ethernet Setup. From the main menu, enter 3 to open the menu as follows.

Menu 3 - Ethernet Setup

1. LAN Port Filter Setup
2. TCP/IP and DHCP Setup

Enter Menu Selection Number:

Figure 22-1 TCP/IP Ethernet Setup

22.1.1 LAN Port Filter Setup

In this menu type 1 to open Menu 3.
If you need to define filters, please read the Filter Configuration chapter first, then return to this menu.

22.1.2 IP Alias Setup

Use Menu 3.2 to configure the first network. To edit Menu 3.2, enter 3 from the main menu to display Menu 3 — Ethernet Setup. When menu 3 appears, press 2 and press [ENTER] to display Menu 3.2 — TCP/IP and DHCP Ethernet Setup shown next.
Figure 22-4 IP Alias Setup

Follow the instructions in the following table to configure IP Alias parameters.

Table 22-1 IP Alias Setup

FIELD: IP Alias
DESCRIPTION: Choose Yes to configure the LAN network for the Prestige.

FIELD: IP Address
DESCRIPTION: Enter the IP address of your Prestige in dotted decimal notation.

FIELD: IP Subnet Mask
DESCRIPTION: Your Prestige will automatically calculate the subnet mask based on the IP address that you assign.
Menu 1 - General Setup

System Name= P650HW
Location= location
Contact Person's Name=
Domain Name=
Edit Dynamic DNS= No
Route IP= Yes
Bridge= No

Press ENTER to Confirm or ESC to Cancel:

Figure 22-5 General Setup

22.1.4 TCP/IP Ethernet Setup and DHCP

Use menu 3.2 to configure your Prestige for TCP/IP. To edit Menu 3.2, enter 3 from the main menu to display Menu 3 — Ethernet Setup. When menu 3 appears, press 2 and press [ENTER] to display Menu 3.
Table 22-2 TCP/IP and DHCP Ethernet Setup

DHCP Setup

FIELD: DHCP
DESCRIPTION: If set to Server, your Prestige can assign IP addresses, an IP default gateway and DNS servers to Windows 95, Windows NT and other systems that support the DHCP client. If set to None, the DHCP server will be disabled. If set to Relay, the Prestige acts as a surrogate DHCP server and relays DHCP requests and responses between the remote server and the clients.
Table 22-2 TCP/IP and DHCP Ethernet Setup

FIELD: Multicast
DESCRIPTION: IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group. The Prestige supports both IGMP version 1 (IGMP-v1) and version 2 (IGMP-v2). Press the [SPACE BAR] to enable IP Multicasting or select None to disable it.
Chapter 23 Internet Access

This chapter shows you how to configure your Prestige for Internet Access.

23.1 Internet Access Overview

This section provides information on configuring your Prestige for Internet access. It includes information on encapsulation types, IP address assignment and ATM networks.

23.2 Internet Access Setup

Menu 4 allows you to enter the Internet Access information in one screen.
Table 23-1 Internet Access Setup

FIELD: ISP’s Name
DESCRIPTION: Enter the name of your Internet Service Provider. This information is for identification purposes only.

FIELD: Encapsulation
DESCRIPTION: Press [SPACE BAR] to select the method of encapsulation used by your ISP. Choices are PPPoE, PPPoA, RFC 1483 or ENET ENCAP.

FIELD: Multiplexing
DESCRIPTION: Press [SPACE BAR] to select the method of multiplexing used by your ISP. Choices are VC-based or LLC-based.
Table 23-1 Internet Access Setup

FIELD: Idle Timeout
DESCRIPTION: This value specifies the number of idle seconds that elapse before the Prestige automatically disconnects the PPPoE session.
EXAMPLE: 0

FIELD: IP Address Assignment
DESCRIPTION: Press [SPACE BAR] to select Static or Dynamic address assignment.
EXAMPLE: Dynamic

FIELD: IP Address
DESCRIPTION: Enter the IP address supplied by your ISP if applicable.

FIELD: Network Address Translation
DESCRIPTION: Press [SPACE BAR] to select None, SUA Only or Full Feature.
Part VIII: ADVANCED APPLICATIONS

This part shows how to configure Remote Nodes, Static Routes, Bridging and NAT.
Chapter 24 Remote Node Configuration

This chapter covers remote node configuration.

24.1 Remote Node Overview

This section describes the protocol-independent parameters for a remote node. A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection. When you use Menu 4 to set up Internet access, you are configuring one of the remote nodes.
Menu 11 - Remote Node Setup

1. MyISP (ISP, SUA)
2. ________
3. ________
4. ________
5. ________
6. ________
7. ________
8. ________
9. ________
10. ________
11. ________
12. ________

Enter Node # to Edit:

Figure 24-1 Remote Node Setup

24.2.1 Encapsulation and Multiplexing Scenarios

For Internet access you should use the encapsulation and multiplexing methods used by your ISP.
Menu 11.1 - Remote Node Profile

Rem Node Name= myISP
Active= Yes
Route= IP
Bridge= No
Encapsulation= RFC-1483
Multiplexing= VC-based
Incoming:
  Rem Login= N/A
  Rem Password= N/A
Outgoing:
  My Login= N/A
  My Password= N/A
  Authen= N/A
Edit IP/Bridge= No
Edit ATM Options= No

Press Space Bar to Toggle.
Table 24-1 Remote Node Profile

FIELD: Rem Password
DESCRIPTION: Type the password used when this remote node calls your Prestige.

Outgoing:

FIELD: My Login
DESCRIPTION: Type the login name assigned by your ISP when the Prestige calls this remote node.

FIELD: My Password
DESCRIPTION: Type the password assigned by your ISP when the Prestige calls this remote node.

FIELD: Authen
DESCRIPTION: This field sets the authentication protocol used for outgoing calls.
Table 24-1 Remote Node Profile

FIELD: Schedule Sets
DESCRIPTION: This field is only applicable for PPPoE and PPPoA encapsulation. You can apply up to four schedule sets here. For more details please refer to the Call Schedule Setup chapter.

FIELD: Nailed up Connection
DESCRIPTION: This field is only applicable for PPPoE and PPPoA encapsulation.

FIELD: Session Options

FIELD: Edit Filter Sets

FIELD: Idle Timeout (sec)
Figure 24-3 Remote Node Network Layer Options

Table 24-2 Remote Node Network Layer Options

IP Options

FIELD: IP Address Assignment
DESCRIPTION: Press [SPACE BAR] and then [ENTER] to select Dynamic if the remote node is using a dynamically assigned IP address or Static if it is using a static (fixed) IP address. You will only be able to configure this in the ISP node (also the one you configure in Menu 4). All other nodes are set to Static.
Table 24-2 Remote Node Network Layer Options

FIELD: Private
DESCRIPTION: This determines if the Prestige will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcast. If No, the route to this remote node will be propagated to other hosts through RIP broadcasts.
EXAMPLE: No

FIELD: RIP Direction
DESCRIPTION: Press [SPACE BAR] and then [ENTER] to select the RIP Direction.

FIELD: Version

FIELD: Multicast

FIELD: IP Policies
Figure 24-4 Sample IP Addresses for a TCP/IP LAN-to-LAN Connection

24.4 Remote Node Filter

Move the cursor to the Edit Filter Sets field in menu 11.1, then press [SPACE BAR] to select Yes. Press [ENTER] to display Menu 11.5 – Remote Node Filter.

Use Menu 11.5 – Remote Node Filter to specify the filter set(s) to apply to the incoming and outgoing traffic between this remote node and the Prestige and also to prevent certain packets from triggering calls.
Figure 24-6 Remote Node Filter (RFC1483 or ENET ENCAP Encapsulation)

24.5 Editing ATM Layer Options

Follow these steps to edit Menu 11.6 – Remote Node ATM Layer Options.

Step 1. In Menu 11.1, move the cursor to the Edit ATM Options then press [SPACE BAR] to toggle and set the value to Yes.
Step 2. Press [ENTER] to open Menu 11.6 – Remote Node ATM Layer Options.

There are two versions of Menu 11.
24.5.2 LLC-based Multiplexing or PPP Encapsulation

For LLC-based multiplexing or PPP encapsulation, one VC carries multiple protocols with protocol identifying information being contained in each packet header.

Menu 11.6 - Remote Node ATM Layer Options

VPI/VCI (LLC-Multiplexing or PPP-Encapsulation)
VPI #= 0
VCI #= 38
ATM QoS Type= UBR
Peak Cell Rate (PCR)= 0
Sustain Cell Rate (SCR)= 0
Maximum Burst Size (MBS)= 0

Only one set of VPI and VCI numbers needs to be specified.
Chapter 25 Static Route Setup

This chapter shows how to set up IP static routes.

25.1 Static Route Overview

Static routes tell the Prestige routing information that it cannot learn automatically through other means. This can arise in cases where RIP is disabled on the LAN or a remote network is beyond the one that is directly connected to a remote node.
Step 1. To configure an IP static route, use Menu 12 – Static Route Setup (shown next). See the bridging chapter for more information on Bridge Static Routes.

Menu 12 - Static Route Setup

1. IP Static Route
3. Bridge Static Route

Please enter selection:

Figure 25-2 Static Route Setup

Step 2. From Menu 12, select 1 to open Menu 12.1 – IP Static Route Setup, as shown next.

Menu 12.1 - IP Static Route Setup

1. myIPStatic_Route
2. ________
3. ________
4. ________
5. ________
6.
Menu 12.1.1 - Edit IP Static Route

Route #: 1
Route Name= myIPStatic_Route
Active= No
Destination IP Address= ?
IP Subnet Mask= ?
Gateway IP Address= ?
Metric= 2
Private= No

Press ENTER to Confirm or ESC to Cancel:

Figure 25-4 Edit IP Static Route

Table 25-1 Edit IP Static Route

FIELD: Route #
DESCRIPTION: This is the index number of the static route that you chose in menu 12.1.

FIELD: Route Name
DESCRIPTION: Type a descriptive name for this route. This is for identification purposes only.
Chapter 26 Bridging Setup

This chapter shows you how to configure the bridging parameters of your Prestige.

26.1 Bridging Overview

Bridging bases the forwarding decision on the MAC (Media Access Control), or hardware address, while routing does it on the network layer (IP) address. Bridging allows the Prestige to transport packets of network layer protocols that it does not route, for example, SNA, from one network to another.
Menu 11.3 - Remote Node Network Layer Options

IP Options:
IP Address Assignment= Static
Rem IP Addr: 0.0.0.0
Rem Subnet Mask= 0.0.0.0
My WAN Addr= 0.0.0.
Menu 12.3 - Bridge Static Route Setup

1. ________
2. ________
3. ________
4. ________

Enter selection number:

Figure 26-2 Bridge Static Route Setup

Choose a static route to edit in menu 12.3. You configure bridge static routes in menu 12.3.1 as shown next.

Menu 12.3.
When you have completed this menu, press [ENTER] at the prompt “Press ENTER to confirm or ESC to cancel” to save your configuration or press [ESC] to cancel and go back to the previous screen.
Chapter 27 Network Address Translation (NAT)

This chapter discusses how to configure NAT on the Prestige.

27.1 SUA (Single User Account) Versus NAT

SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server. See section 27.3.1 for a detailed description of the NAT set for SUA.
Menu 4 - Internet Access Setup

ISP's Name= test
Encapsulation= RFC 1483
Multiplexing= LLC-based
VPI #= 1
VCI #= 1
Service Name= N/A
My Login= N/A
My Password= N/A
NAT= SUA Only
Address Mapping Set= N/A
IP Address Assignment= Static
IP Address= 0.0.0.0
ENET ENCAP Gateway= N/A

Press ENTER to Confirm or ESC to Cancel:
Press Space Bar to Toggle.

Figure 27-1 Applying NAT for Internet Access

The following figure shows how you apply NAT to the remote node in menu 11.1.

Step 1.
Table 27-1 Applying NAT to the Remote Node

FIELD: NAT
DESCRIPTION: Press [SPACE BAR] and then [ENTER] to select Full Feature if you have multiple public WAN IP addresses for your Prestige. The SMT uses the address mapping set that you configure and enter in the Address Mapping Set field (menu 15.1 - see section 27.3.1). Select None to disable NAT. When you select SUA Only, the SMT uses Address Mapping Set 255 (menu 15.1 - see section 27.3.1).
Menu 15.1 - Address Mapping Sets

1.
2.
3.
4.
5.
6.
7.
8.
255. SUA (read only)

Enter Menu Selection Number:

Figure 27-4 Address Mapping Sets

Enter 255 to display the next screen (see also section 27.1). The fields in this menu cannot be changed.

Menu 15.1.255 - Address Mapping Rules

Set Name=

Idx  Local Start IP   Local End IP     Global Start IP
---  ---------------  ---------------  ---------------
1.   0.0.0.0          255.255.255.255  0.0.0.0
2.                                     0.
Table 27-2 Address Mapping Rules - SUA

FIELD: Local Start IP
DESCRIPTION: Local Start IP is the starting local IP address (ILA).

FIELD: Local End IP
DESCRIPTION: Local End IP is the ending local IP address (ILA). If the rule is for all local IPs, then the Start IP is 0.0.0.0 and the End IP is 255.255.255.255.
EXAMPLE: 255.255.255.255

FIELD: Global Start IP
DESCRIPTION: This is the starting global IP address (IGA). If you have a dynamic IP, enter 0.0.0.0 as the Global Start IP.
EXAMPLE: 0.0.0.
Menu 15.1.1 - Address Mapping Rules

Set Name= ?

Idx  Local Start IP   Local End IP     Global Start IP  Global End IP    Type
---  ---------------  ---------------  ---------------  ---------------  ------
1.
2
3.
4.
5.
6.
7.
8.
9.
10.

Action= Edit        Select Rule=

Press ENTER to Confirm or ESC to Cancel:

Figure 27-6 Address Mapping Rules

If the Set Name field is left blank, the entire set will be deleted.

The Type, Local and Global Start/End IPs are configured in menu 15.1.1.
FIELD: Set Name
DESCRIPTION: Enter a name for this set of rules. This is a required field. If this field is left blank, the entire set will be deleted.
EXAMPLE: NAT_SET

FIELD: Action
DESCRIPTION: The default is Edit. Edit means you want to edit a selected rule (see following field). Insert Before means to insert a rule before the rule selected. The rules after the selected rule will then be moved down by one rule.
Menu 15.1.1.1 Address Mapping Rule

Type= One-to-One
Local IP:
  Start=
  End = N/A
Global IP:
  Start=
  End = N/A
Server Mapping Set= N/A

Press ENTER to Confirm or ESC to Cancel:
Press Space Bar to Toggle.

Figure 27-7 Editing/Configuring an Individual Rule in a Set

Table 27-4 Editing/Configuring an Individual Rule in a Set

FIELD: Type
DESCRIPTION: Press [SPACE BAR] and then [ENTER] to select from a total of five types.
27.3.2 Configuring a Server behind NAT

Follow these steps to configure a server behind NAT:

Step 1. Enter 15 in the main menu to go to Menu 15 - NAT Setup.
Step 2. Enter 2 to display Menu 15.2 - NAT Server Sets as shown next.

Menu 15.2 - NAT Server Sets

1. 2. 3. 4. 5. 6. 7. 8. 9. 10.
Menu 15.2 - NAT Server Setup

Rule  Start Port No.  End Port No.  IP Address
---------------------------------------------------
1.    Default         Default       0.0.0.0
2.    21              25            192.168.1.33
3.    0               0             0.0.0.0
4.    0               0             0.0.0.0
5.    0               0             0.0.0.0
6.    0               0             0.0.0.0
7.    0               0             0.0.0.0
8.    0               0             0.0.0.0
9.    0               0             0.0.0.0
10.   0               0             0.0.0.0
11.   0               0             0.0.0.0
12.   0               0             0.0.0.0

Press ENTER to Confirm or ESC to Cancel:

Figure 27-9 NAT Server Setup

Step 4. Enter a port number in an unused Start Port No field.
Figure 27-10 Multiple Servers Behind NAT Example

27.4 General NAT Examples

This section provides some examples with Network Address Translation.

27.4.1 Example 1: Internet Access Only

In the following Internet access example, you only need one rule where your ILAs (Inside Local addresses) all map to one dynamic IGA (Inside Global Address) assigned by your ISP.
Figure 27-11 NAT Example 1

Menu 4 - Internet Access Setup

ISP's Name= ChangeMe
Encapsulation= RFC-1483
Multiplexing= LLC-based
VPI #= 1
VCI #= 1
ATM QoS Type= UBR
Peak Cell Rate (PCR)= 5500
Sustained Cell Rate (SCR)= 0
Maximum Burst Size (MBS)= 0
My Login= N/A
My Password= N/A
ENET ENCAP Gateway= N/A
IP Address Assignment= Static
IP Address= 0.0.0.
From menu 4, choose the SUA Only option from the Network Address Translation field. This is the Many-to-One mapping discussed in section 27.4. The SUA Only read-only option from the Network Address Translation field in menus 4 and 11.3 is specifically pre-configured to handle this case.

27.4.2 Example 2: Internet Access with an Inside Server

Figure 27-13 NAT Example 2

In this case, you do exactly as above (use the convenient pre-configured SUA Only set) and also go to menu 15.
Menu 15.2 - NAT Server Setup

Rule  Start Port No.  End Port No.  IP Address
---------------------------------------------------
1.    Default         Default       192.168.1.10
2.    0               0             0.0.0.0
3.    0               0             0.0.0.0
4.    0               0             0.0.0.0
5.    0               0             0.0.0.0
6.    0               0             0.0.0.0
7.    0               0             0.0.0.0
8.    0               0             0.0.0.0
9.    0               0             0.0.0.0
10.   0               0             0.0.0.0
11.   0               0             0.0.0.0
12.   0               0             0.0.0.0

Press ENTER to Confirm or ESC to Cancel:

Figure 27-14 NAT Example 2 - Menu 15.2.1

27.4.
Figure 27-15 NAT Example 3

Step 1. In this case you need to configure Address Mapping Set 1 from Menu 15.1 - Address Mapping Sets. Therefore you must choose the Full Feature option from the Network Address Translation field (in menu 4 or menu 11.3). See the figure below.

Menu 11.3 - Remote Node Network Layer Options

IP Options:
IP Address Assignment= Static
Rem IP Addr: 0.0.0.0
Rem Subnet Mask= 0.0.0.0
My WAN Addr= 0.0.0.
Step 5. In menu 15.1.1.1, select Type as One-to-One (direct mapping for packets going both ways), and set the local Start IP as 192.168.1.10 (the IP address of FTP Server 1) and the global Start IP as 10.132.50.1 (our first IGA). See the figure below.

Menu 15.1.1.1 Address Mapping Rule

Type= One-to-One
Local IP:
  Start= 192.168.1.10
  End = N/A
Global IP:
  Start= 10.132.50.1
  End = N/A
Server Mapping Set= N/A

Press ENTER to Confirm or ESC to Cancel:
Press Space Bar to Toggle.
Now configure the IGA3 to map to our web server and mail server on the LAN.

Step 8. Enter 15 from the main menu.
Step 9. Enter 2 in Menu 15 - NAT Setup.
Step 10. Enter 1 in Menu 15.2 - NAT Server Sets and enter 1 again to see the following menu. Configure it as shown.
Menu 15.2 - NAT Server Setup

Rule  Start Port No.  End Port No.  IP Address
---------------------------------------------------
1.    Default         Default       0.0.0.0
2.    80              80            192.168.1.21
3.    25              25            192.168.1.20
4.    0               0             0.0.0.0
5.    0               0             0.0.0.0
6.    0               0             0.0.0.0
7.    0               0             0.0.0.0
8.    0               0             0.0.0.0
9.    0               0             0.0.0.0
10.   0               0             0.0.0.0
11.   0               0             0.0.0.0
12.   0               0             0.0.0.0

Press ENTER to Confirm or ESC to Cancel:

Figure 27-19 Example 3 - Menu 15.2

27.4.
Other applications such as some gaming programs are NAT unfriendly because they embed addressing information in the data stream. These applications won’t work through NAT even when using One-to-One and Many-to-Many No Overload mapping types.

Follow the steps outlined in example 3 to configure these two menus as follows.

Menu 15.1.1.1 Address Mapping Rule

Type= Many-to-Many No Overload
Local IP:
  Start= 192.168.1.10
  End = 192.168.1.12
Global IP:
  Start= 10.132.50.1
  End = 10.132.
Menu 15.1.1 - Address Mapping Rules

Set Name= Example4

Idx  Local Start IP   Local End IP     Global Start IP  Global End IP    Type
---  ---------------  ---------------  ---------------  ---------------  ---------
1.   192.168.1.10     192.168.1.12     10.132.50.1      10.132.50.3      M:M NO OV
2.
3.
4.
5.
6.
7.
8.
9.
10.

Action= Edit        Select Rule=

Press ENTER to Confirm or ESC to Cancel:

Figure 27-22 Example 4 - Menu 15.1.
Part IX: ADVANCED MANAGEMENT

This part discusses Filter Configuration, SNMP, System Maintenance and IP Policy Routing, Call Scheduling and Remote Management.
Chapter 28 Filter Configuration

This chapter shows you how to create and apply filters.

28.1 About Filtering

Your Prestige uses filters to decide whether or not to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering. Filters are subdivided into device and protocol filters, which are discussed later.

Data filtering screens the data to determine if the packet should be allowed to pass.
[Figure 28-2 Filter Rule Process: flowchart with the boxes Start, Packet into Filter, Fetch First Filter Set, Fetch First Filter Rule, Active?, Execute Filter Rule (Forward, Drop or Check Next Rule), Next Filter Rule Available?, Fetch Next Filter Rule, Next Filter Set Available?, Fetch Next Filter Set, Drop Packet and Accept Packet.]

You can apply up to four filter sets to a particular port to block various types of packets.
For incoming packets, your Prestige applies data filters only. Packets are processed depending on whether a match is found. The following sections describe how to configure filter sets.

The Filter Structure of the Prestige

A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descriptive name.
Filter rule sets 11 and 12 are used by the web configurator. Your custom configurator may be lost if you use rule 11 or 12.

Step 3. Type a descriptive name or comment in the Edit Comments field and press [ENTER].
Step 4. Press [ENTER] at the message “Press ENTER to confirm…” to display Menu 21.1 – Filter Rules Summary (that is, if you selected filter set 1 in menu 21).

Menu 21.
Menu 21.3 - Filter Rules Summary

# A Type Filter Rules                                  M m n
- - ---- --------------------------------------------- - - -
1 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23           N D F
2 N
3 N
4 N
5 N
6 N

Enter Filter Rule Number (1-6) to Configure:

Figure 28-6 Telnet_WAN Filter Rules Summary

Menu 21.
Menu 21.5 - Filter Rules Summary

# A Type Filter Rules                                  M m n
- - ---- --------------------------------------------- - - -
1 Y IP   PR=6, SA=0.0.0.0, DA=0.0.0.0, DP=21           N D F
2 N
3 N
4 N
5 N
6 N

Enter Filter Rule Number (1-6) to Configure:

Figure 28-8 FTP_WAN Filter Rules Summary

Menu 21.11 - Filter Rules Summary

# A Type Filter Rules                                  M m
- - ---- --------------------------------------------- - -
1 Y IP   Pr=17, SA=0.0.0.0, DA=0.0.0.
2 Y
3 N
4 N
5 N
6 N
Menu 21.11 - Filter Rules Summary

# A Type Filter Rules                                  M m n
- - ---- --------------------------------------------- - - -
1 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23           N D N
2 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=21           N D N
3 Y IP   Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=69          N D N
4 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=80           N D N
5 N
6 N

Enter Filter Rule Number (1-6) to Configure: 1

Figure 28-10 Web Set2 Filter Rules Summary

28.2.
FIELD: n
DESCRIPTION: Action Not Matched. “F” means to forward the packet immediately and skip checking the remaining rules. “D” means to drop the packet. “N” means to check the next rule.

The protocol-dependent filter rule abbreviations are listed as follows:

Table 28-2 Rule Abbreviations Used

FILTER TYPE  ABBREVIATION  DESCRIPTION
IP           Pr            Protocol
             SA            Source Address
             SP            Source Port Number
             DA            Destination Address
             DP            Destination Port Number
GEN          Off           Offset
             Len           Length

28.
28.3.1 TCP/IP Filter Rule

This section shows you how to configure a TCP/IP filter rule. TCP/IP rules allow you to base the rule on the fields in the IP and the upper layer protocol, for example, UDP and TCP headers.

To configure TCP/IP rules, select TCP/IP Filter Rule from the Filter Type field and press [ENTER] to open Menu 21.1.1 – TCP/IP Filter Rule, as shown next.

Menu 21.1.
Table 28-3 TCP/IP Filter Rule

FIELD: IP Protocol
DESCRIPTION: This is the upper layer protocol, for example, TCP is 6, UDP is 17 and ICMP is 1. The value must be between 0 and 255. A value of 0 matches ANY protocol.
EXAMPLE: 0 to 255

FIELD: IP Source Route
DESCRIPTION: IP Source Route is an optional header that dictates the route an IP packet takes from its source to its destination. If Yes, the rule applies to any packet with an IP source route.
Table 28-3 TCP/IP Filter Rule

FIELD: Log
DESCRIPTION: Select the logging option from the following:
  None – No packets will be logged.
  Action Matched – Only packets that match the rule parameters will be logged.
  Action Not Matched – Only packets that do not match the rule parameters will be logged.
  Both – All packets will be logged.
EXAMPLE: None

FIELD: Action Matched
DESCRIPTION: Select the action for a matching packet. Choices are Check Next Rule, Forward or Drop.
28.3.2 Generic Filter Rule

This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly.

For generic rules, the Prestige treats a packet as a byte stream as opposed to an IP packet. You specify the portion of the packet to check with the Offset (from 0) and the Length fields, both in bytes.
Prestige 791R G.SHDSL Router Table 28-4 Generic Filter Rule Menu Fields FIELD DESCRIPTION EXAMPLE Filter # This is the filter set, filter rule coordinates, for instance, 2, 3 refers to the second filter set and the third rule of that set. 5,1 Filter Type Press [SPACE BAR] and then [ENTER] to select a type of rule. Parameters displayed below each type will be different. Choices are Generic Filter Rule or TCP/IP Filter Rule. Active Select Yes to turn on or No to turn off the filter rule.
Prestige 791R G.SHDSL Router 28.4 Filter Types and NAT There are two classes of filter rules, Generic Filter Device rules and Protocol Filter (TCP/IP) rules. Generic Filter rules act on the raw data from/to LAN and WAN. Protocol Filter rules act on IP packets. When NAT (Network Address Translation) is enabled, the inside IP address and port number are replaced on a connection-by-connection basis, which makes it impossible to know the exact address and port on the wire.
Prestige 791R G.SHDSL Router Figure 28-15 Sample Telnet Filter Step 1. Enter 21 from the main menu to open Menu 21 — Filter Set Configuration. Step 2. Enter the index number of the filter set you want to configure (in this case 3). Step 3. Type a descriptive name or comment in the Edit Comments field (for example, TELNET_WAN) and press [ENTER]. Step 4. Press [ENTER] at the message “Press [ENTER] to confirm or [ESC] to cancel” to open Menu 21.3 — Filter Rules Summary.
Menu 21.1 - Filter Rules Summary

# A Type Filter Rules                                        M m n
- - ---- --------------------------------------------------- - - -
1 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23                 N D F
2 N
3 N
4 N
5 N
6 N

Enter Filter Rule Number (1-6) to Configure: 1

This shows you that you have
M = N means an action can be taken immediately.
Prestige 791R G.SHDSL Router Menu 21.3.1 - TCP/IP Filter Rule Filter #: 3,1 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 6 IP Source Route= No Destination: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0 Port #= 23 Port # Comp= Equal Source: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0 Port #= Port # Comp= None TCP Estab= No More= No Log= None Action Matched= Drop Action Not Matched= Forward Press [SPACE BAR] to choose this filter rule type.
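The rule in Menu 21.3.1 and the Forward/Drop/Check Next Rule actions, modelled as an added example (not ZyXEL code). The masked address comparison, the packet dictionaries and the port 21 rule are assumptions for illustration; the model shows why a rule whose Action Not Matched is Forward hides every rule placed after it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

FORWARD, DROP, NEXT = "Forward", "Drop", "Check Next Rule"


def _masked_equal(addr: str, rule_addr: str, mask: str) -> bool:
    # Assumption: only bits set in the mask are compared, so an address and
    # mask of 0.0.0.0 match any address, as in the sample Telnet rule.
    m = int(ipaddress.IPv4Address(mask))
    return (int(ipaddress.IPv4Address(addr)) & m) == (int(ipaddress.IPv4Address(rule_addr)) & m)


@dataclass
class TcpIpRule:
    ip_protocol: int = 0                 # 0 matches any protocol (Table 28-3)
    dst_port: Optional[int] = None       # None models "Port # Comp= None"
    dst_addr: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    src_addr: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"
    active: bool = True
    action_matched: str = DROP
    action_not_matched: str = FORWARD

    def matches(self, pkt: dict) -> bool:
        if self.ip_protocol != 0 and pkt["proto"] != self.ip_protocol:
            return False
        if not _masked_equal(pkt["src"], self.src_addr, self.src_mask):
            return False
        if not _masked_equal(pkt["dst"], self.dst_addr, self.dst_mask):
            return False
        return self.dst_port is None or pkt.get("dport") == self.dst_port


def evaluate(rules, pkt):
    """Walk a filter set in order; return (action, rule number that decided)."""
    for number, rule in enumerate(rules, start=1):
        if not rule.active:
            continue
        action = rule.action_matched if rule.matches(pkt) else rule.action_not_matched
        if action in (FORWARD, DROP):
            return action, number        # decided: remaining rules are skipped
    return None, None                    # model does not guess the device default


# Rule 3,1 exactly as shown in Menu 21.3.1: TCP, destination port 23, Drop / Forward.
TELNET_WAN = [TcpIpRule(ip_protocol=6, dst_port=23)]

# Hypothetical second rule (drop TCP port 21) appended to the same set.
FTP_RULE = TcpIpRule(ip_protocol=6, dst_port=21)
SHADOWED = [TcpIpRule(ip_protocol=6, dst_port=23), FTP_RULE]
CHAINED = [TcpIpRule(ip_protocol=6, dst_port=23, action_not_matched=NEXT), FTP_RULE]

# Constructed sample packets (documentation address as the WAN-side source).
TELNET = {"proto": 6, "src": "203.0.113.10", "dst": "192.168.1.1", "dport": 23}
FTP = {"proto": 6, "src": "203.0.113.10", "dst": "192.168.1.1", "dport": 21}
HTTP = {"proto": 6, "src": "203.0.113.10", "dst": "192.168.1.1", "dport": 80}
UDP_23 = {"proto": 17, "src": "203.0.113.10", "dst": "192.168.1.1", "dport": 23}

if __name__ == "__main__":
    for name, rules in (("TELNET_WAN", TELNET_WAN), ("SHADOWED", SHADOWED), ("CHAINED", CHAINED)):
        for label, pkt in (("telnet", TELNET), ("ftp", FTP), ("http", HTTP)):
            print(name, label, evaluate(rules, pkt))
```

In SHADOWED the FTP packet is forwarded by rule 1 and never reaches rule 2; setting rule 1's Action Not Matched to Check Next Rule, as in CHAINED, lets rule 2 drop it.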
Prestige 791R G.SHDSL Router Step 3. This brings you to menu 11.5. Enter the example filter set number in this menu as shown in the following figure. Menu 11.5 – Remote Node Filter Input Filter Sets: protocol filters= 3 device filters= Output Filter Sets: protocol filters= device filters= Call Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel: Figure 28-18 Sample Filter Rules Summary — Applying a Remote Node Filter Set 28.
Prestige 791R G.SHDSL Router filter set(s) that you want to apply as appropriate. You can choose up to four filter sets (from twelve) by typing their numbers separated by commas, for example, 3, 4, 6, 11. The factory default filter set, NetBIOS_LAN, is inserted in the protocol filters field under Input Filter Sets in menu 3.1 in order to prevent local NetBIOS messages from triggering calls to the DNS server. Menu 3.
Prestige 791R G.SHDSL Router Chapter 29 SNMP Configuration This chapter explains SNMP Configuration. SNMP is only available if TCP/IP is configured. 29.1 SNMP Overview Simple Network Management Protocol is a protocol used for exchanging management information between network devices. SNMP is a member of TCP/IP protocol suite. Your Prestige supports SNMP agent functionality, which allows a manager station to manage and monitor the Prestige through the network.
Prestige 791R G.SHDSL Router An SNMP managed network consists of two main components: agents and a manager. An agent is a management software module that resides in a managed device (the Prestige). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions. It executes applications that control and monitor managed devices.
Menu 22 - SNMP Configuration

SNMP:
  Get Community= public
  Set Community= public
  Trusted Host= 0.0.0.0
Trap:
  Community= public
  Destination= 0.0.0.0

Press ENTER to Confirm or ESC to Cancel:

Figure 29-2 SNMP Configuration

Table 29-1 SNMP Configuration
FIELD / DESCRIPTION / EXAMPLE

Get Community
Type the Get Community, which is the password for the incoming Get- and GetNext requests from the management station.
TRAP #   TRAP NAME                                      DESCRIPTION
2        warmStart (defined in RFC-1215)                A trap is sent after booting (software reboot).
3        linkUp (defined in RFC-1215)                   A trap is sent with the port number.
4        authenticationFailure (defined in RFC-1215)    A trap is sent to the manager when receiving any SNMP get or set requests with the wrong community (password).
6        linkDown (defined in RFC-1215)                 A trap is sent with the port number when any of the links are down. See the following table.
Prestige 791R G.SHDSL Router Chapter 30 System Maintenance This chapter covers the diagnostic tools that help you to maintain your Prestige. 30.1 System Maintenance Overview These tools include updates on system status, port status, log and trace capabilities and upgrades for the system software. This chapter describes how to use these tools in detail. Type 24 in the main menu to open Menu 24 – System Maintenance, as shown in the following figure. Menu 24 - System Maintenance 1. 2. 3. 4. 5. 6. 7. 8. 9.
Menu 24.1 - System Maintenance – Status                hh:mm:ss Sat. Jan. 01, 2000

Node-Lnk  Status  TxPkts  RxPkts  Errors  Tx B/s  Rx B/s  Up Time
1-ENET    Up      211     0       0       0       0       0:26:20
2         N/A     0       0       0       0       0       0:00:00
3         N/A     0       0       0       0       0       0:00:00
4         N/A     0       0       0       0       0       0:00:00
5         N/A     0       0       0       0       0       0:00:00
6         N/A     0       0       0       0       0       0:00:00
7         N/A     0       0       0       0       0       0:00:00
8         N/A     0       0       0       0       0       0:00:00

My WAN IP (from ISP):0.0.0.0
Ethernet:
  Status: 10M/Half Duplex
  Collisions: 0
CPU Load= 3.
Prestige 791R G.SHDSL Router Table 30-1 System Maintenance — Status FIELD Rx Pkts Collision WAN DESCRIPTION The number of received packets from the LAN. Number of collisions. Shows statistics for the WAN. Line Status Upstream Speed Downstream Speed CPU Load Shows the current status of the xDSL line which can be Up or Down. Shows the upstream transfer rate in kbps. Shows the downstream transfer rate in kbps. Specifies the percentage of CPU utilization. 30.
Prestige 791R G.SHDSL Router Menu 24.2.1 – System Maintenance – Information Name: Routing: IP ZyNOS F/W Version: V3.40(BQ.0)b1 | 3/24/2003 xDSL F/W Version: R.2.3.1 Standard: ANSI(ANNEX_A) LAN Ethernet Address: 00:a0:c5:01:23:45 IP Address: 192.168.1.1 IP Mask: 255.255.255.0 DHCP: Server Press ESC or RETURN to Exit: Figure 30-4 System Maintenance — Information Table 30-2 System Maintenance — Information FIELD DESCRIPTION Name Displays the system name of your Prestige.
Prestige 791R G.SHDSL Router 30.3.2 Console Port Speed You can set up different port speeds for the console port through Menu 24.2.2 – System Maintenance – Console Port Speed. Your Prestige supports 9600 (default), 19200 and 38400 bps. Press [SPACE BAR] and then [ENTER] to select the desired speed in menu 24.2.2, as shown in the following figure. Menu 24.2.
Prestige 791R G.SHDSL Router Step 3. Enter 1 from Menu 24.3 — System Maintenance — Log and Trace to display the error log in the system. After the Prestige finishes displaying the error log, you will have the option to clear it. Samples of typical error and information messages are presented in the next figure.
Prestige 791R G.SHDSL Router Table 30-3 System Maintenance Menu — Syslog Parameters PARAMETER DESCRIPTION UNIX Syslog: Active Syslog IP Address Log Facility Use [SPACE BAR] and then [ENTER] to turn syslog on or off. Type the IP address of your syslog server. Use [SPACE BAR] and then [ENTER] to select one of seven different local options. The log facility lets you log the message in different server files. Refer to your UNIX manual.
Jul 19 11:28:56 192.168.102.2 ZYXEL: Packet Trigger: Protocol=1, Data=4500002c1b0140001f06b50ec0a86614ca849a7b0427001700195b3e00000000600220008cd40000020405b4
Jul 19 11:29:06 192.168.102.2 ZYXEL: Packet Trigger: Protocol=1, Data=45000028240140001f06ac12c0a86614ca849a7b0427001700195b451d1430135004000077600000

3 - Filter Log
SdcmdSyslogSend (SYSLOG_FILLOG, SYSLOG_NOTICE, String);
String = IP[Src=xx.xx.xx.xx Dst=xx.xx.xx.
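Decoding the Data field of the two Packet Trigger lines above, as an added example that is not part of the ZyXEL guide. It assumes Data is the hex dump of a raw IPv4 packet, which both samples bear out (version nibble 4 and a valid header checksum); the function names are illustrative.

```python
import ipaddress
import re
import struct

# The two Packet Trigger lines from the syslog excerpt on this page.
SAMPLE_LINES = [
    "Jul 19 11:28:56 192.168.102.2 ZYXEL: Packet Trigger: Protocol=1, "
    "Data=4500002c1b0140001f06b50ec0a86614ca849a7b"
    "0427001700195b3e00000000600220008cd40000020405b4",
    "Jul 19 11:29:06 192.168.102.2 ZYXEL: Packet Trigger: Protocol=1, "
    "Data=45000028240140001f06ac12c0a86614ca849a7b"
    "0427001700195b451d1430135004000077600000",
]

LINE_RE = re.compile(
    r"^(?P<time>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s(?P<host>\S+)\s"
    r"ZYXEL: Packet Trigger: Protocol=(?P<protocol>\d+), Data=(?P<data>[0-9A-Fa-f]*)$"
)
TCP_FLAG_BITS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))


def internet_checksum_ok(header: bytes) -> bool:
    """True when the 16-bit one's-complement sum over the header is 0xFFFF."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def parse_packet_trigger(line: str):
    """Return a dict for a Packet Trigger line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = {"time": m["time"], "host": m["host"],
           "protocol": int(m["protocol"]), "error": None}
    hexdata = m["data"]
    hexdata = hexdata[: len(hexdata) - len(hexdata) % 2]  # drop a dangling nibble
    raw = bytes.fromhex(hexdata)
    if len(raw) < 20 or raw[0] >> 4 != 4:
        rec["error"] = "not an IPv4 header"
        return rec
    ihl = (raw[0] & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl:
        rec["error"] = "bad IPv4 header length"
        return rec
    (_, _, total_len, _, _, ttl, ip_proto, _, src, dst) = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    rec.update(
        src=str(ipaddress.IPv4Address(src)),
        dst=str(ipaddress.IPv4Address(dst)),
        ip_proto=ip_proto, ttl=ttl, total_length=total_len,
        captured_length=len(raw),
        checksum_ok=internet_checksum_ok(raw[:ihl]),
    )
    # TCP: ports, sequence numbers and the offset/flags word need 14 bytes.
    if ip_proto == 6 and len(raw) >= ihl + 14:
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
        rec.update(sport=sport, dport=dport, seq=seq, ack=ack,
                   tcp_flags=[n for bit, n in TCP_FLAG_BITS if off_flags & bit])
    return rec


def new_connection_attempts(lines, port: int):
    """Records that are a bare TCP SYN (no other flag) to the given port."""
    hits = []
    for line in lines:
        rec = parse_packet_trigger(line)
        if rec and rec.get("dport") == port and rec.get("tcp_flags") == ["SYN"]:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_packet_trigger(sample))
```

Both sample packets go from 192.168.102.20 to TCP port 23: the first is the opening SYN and the second a RST on the same connection.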
Prestige 791R G.SHDSL Router The following table describes the diagnostic tests available in menu 24.4 for and the connections. Table 30-4 System Maintenance Menu — Diagnostic FIELD DESCRIPTION Reset xDSL Re-initialize the xDSL link to the telephone company. Ping Host Ping the host to see if the links and TCP/IP protocol on both systems are working. Reboot System Reboot the Prestige. Command Mode Type the mode to test and diagnose your Prestige using specified commands.
Prestige 792H G.SHDSL Router Chapter 31 Firmware and Configuration File Maintenance This chapter tells you how to backup and restore your configuration file as well as upload new firmware and configuration files. 31.1 Filename Conventions The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password, DHCP Setup, TCP/IP Setup, etc. It arrives from ZyXEL with a “rom” filename extension.
Prestige 792H G.SHDSL Router Table 31-1 Filename Conventions FILE TYPE INTERNAL NAME EXTERNAL NAME DESCRIPTION Configuration File Rom-0 This is the configuration filename on the Prestige. Uploading the rom-0 file replaces the entire ROM file system, including your Prestige configurations, system-related data (including the default password), the error log and the trace log. *.rom Firmware Ras This is the generic name for the ZyNOS firmware on the Prestige. *.bin 31.
Prestige 792H G.SHDSL Router 31.2.1 Backup Configuration Follow the instructions as shown in the next screen. Menu 24.5 - System Maintenance - Backup Configuration To transfer the configuration file to your workstation, follow the procedure below: 1. Launch the FTP client on your computer. 2. Type "open" and the IP address of your system. Then type "root" and SMT password as requested. 3. Locate the 'rom-0' file. 4. Type 'get rom-0' to back up the current Prestige configuration to your computer.
331 Enter PASS command
Password:
230 Logged in
ftp> bin
200 Type I OK
ftp> get rom-0 zyxel.rom
200 Port command okay
150 Opening data connection for STOR ras
226 File received OK
ftp: 16384 bytes sent in 1.10Seconds 297.89Kbytes/sec.
ftp> quit

Figure 31-2 FTP Session Example

31.2.4 GUI-based FTP Clients
The following table describes some of the commands that you may see in GUI-based FTP clients.
Prestige 792H G.SHDSL Router 4. You have an SMT console session running. 31.2.6 Backup Configuration Using TFTP The Prestige supports the up/downloading of the firmware and the configuration file using TFTP (Trivial File Transfer Protocol) over LAN. Although TFTP should work over WAN as well, it is not recommended. To use TFTP, your computer must have both telnet and TFTP clients. To backup the configuration file, follow the procedure shown next. Step 1.
Prestige 792H G.SHDSL Router Table 31-3 General Commands for GUI-based TFTP Clients COMMAND DESCRIPTION Host Enter the IP address of the Prestige. 192.168.1.1 is the Prestige’s default IP address when shipped. Send/Fetch Use “Send” to upload the file to the Prestige and “Fetch” to back up the file on your computer. Local File Enter the path and name of the firmware file (*.bin extension) or configuration file (*.rom extension) on your computer. Remote File This is the filename on the Prestige.
Prestige 792H G.SHDSL Router Step 3. Run the HyperTerminal program by clicking Transfer, then Receive File as shown in the following screen. Type a location for storing the configuration file or click Browse to look for one. Choose the Xmodem protocol. Then click Receive. Figure 31-5 Backup Configuration Example Step 4. After a successful backup you will see the following screen. Press any key to return to the SMT menu. ** Backup Configuration completed. OK. ### Hit any key to continue.
WARNING! DO NOT INTERRUPT THE FILE TRANSFER PROCESS AS THIS MAY PERMANENTLY DAMAGE YOUR PRESTIGE.

31.3.1 Restore Using FTP
For details about backup using (T)FTP please refer to earlier sections on FTP and TFTP file upload in this chapter.

Menu 24.6 -- System Maintenance - Restore Configuration

To transfer the firmware and configuration file, follow the procedure below:
1. Launch the FTP client on your computer.
2. Type "open" and the IP address of your system.
31.3.2 Restore Using FTP Session Example

ftp> put config.rom rom-0
200 Port command okay
150 Opening data connection for STOR rom-0
226 File received OK
221 Goodbye for writing flash
ftp: 16384 bytes sent in 0.06Seconds 273.07Kbytes/sec.
ftp>quit

Figure 31-8 Restore Using FTP Session Example

Refer to section 31.2.5 to read about configurations that disallow TFTP and FTP over WAN.
31.3.
Prestige 792H G.SHDSL Router Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol. Then click Send. Figure 31-11 Restore Configuration Example Step 4. After a successful restoration you will see the following screen. Press any key to restart the Prestige and return to the SMT menu. Save to ROM Hit any key to start system reboot. Figure 31-12 Successful Restoration Confirmation Screen 31.
Prestige 792H G.SHDSL Router Menu 24.7.1 - System Maintenance - Upload System Firmware To upload the system firmware, follow the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your system. Then type "root" and SMT password as requested. 3. Type "put firmwarefilename ras" where "firmwarefilename" is the name of your firmware upgrade file on your workstation and "ras" is the remote file name on the system. 4.
31.4.3 FTP File Upload Command from the DOS Prompt Example
Step 1. Launch the FTP client on your computer.
Step 2. Enter “open”, followed by a space and the IP address of your Prestige.
Step 3. Press [ENTER] when prompted for a username.
Step 4. Enter your password as requested (the default is “1234”).
Step 5. Enter “bin” to set transfer mode to binary.
Step 6. Use “put” to transfer files from the computer to the Prestige, for example, “put firmware.
Prestige 792H G.SHDSL Router To use TFTP, your computer must have both telnet and TFTP clients. To transfer the firmware and the configuration file, follow the procedure shown next. Step 1. Use telnet from your computer to connect to the Prestige and log in. Because TFTP does not have any security checks, the Prestige records the IP address of the telnet client and accepts TFTP requests only from this address. Step 2.
Prestige 792H G.SHDSL Router 31.4.8 Uploading Firmware File Via Console Port Step 1. Select 1 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.7.1 – System Maintenance – Upload System Firmware, then follow the instructions as shown in the following screen. Menu 24.7.1 - System Maintenance - Upload System Firmware To 1. 2. 3. upload system firmware: Enter "y" at the prompt below to go into debug mode. Enter "atur" after "Enter Debug Mode" message.
Prestige 792H G.SHDSL Router 31.4.10 Step 1. Uploading Configuration File Via Console Port Select 2 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.7.2 – System Maintenance – Upload System Configuration File. Follow the instructions as shown in the next screen. Menu 24.7.2 - System Maintenance - Upload System Configuration File To 1. 2. 3. upload system configuration file: Enter "y" at the prompt below to go into debug mode. Enter "atlc" after "Enter Debug Mode" message.
Prestige 792H G.SHDSL Router Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol. Then click Send. Figure 31-19 Example Xmodem Upload After the configuration upload process has completed, restart the Prestige by entering “atgo”.
Prestige 791R G.SHDSL Router Chapter 32 System Maintenance and Information This chapter leads you through SMT menus 24.8 to 24.10. 32.1 Command Interpreter Mode The Command Interpreter (CI) is a part of the main system firmware. The CI provides much of the same functionality as the SMT, while adding some low-level setup and diagnostic functions. Enter the CI from the SMT by selecting menu 24.8. See the included disk or the zyxel.com web site for more detailed information on CI commands.
Prestige 792H G.SHDSL Router Copyright (c) 1994 - 2003 ZyXEL Communications Corp. ras> ? Valid commands are: sys exit device ether wan poe xdsl ip ppp bridge hdap ras> Figure 32-2 Valid Commands 32.2 Call Control Support Call Control Support is only applicable when Encapsulation is set to PPPoE in menu 4 or menu 11.1. The budget management function allows you to set a limit on the total outgoing call time of the Prestige within certain times.
Prestige 791R G.SHDSL Router Menu 24.9.1 - System Maintenance - Budget Management Remote Node 1.MyISP 2.-------3.-------4.-------5.-------6.-------7.-------8.-------- Connection Time/Total Budget No Budget --------------- Elapsed Time/Total Period No Budget --------------- Reset Node (0 to update screen): Figure 32-4 Budget Management The total budget is the time limit on the accumulated time for outgoing calls to a remote node.
Prestige 792H G.SHDSL Router 32.3 Time and Date Setting The Prestige keeps track of the time and date. There is also a software mechanism to set the time manually or get the current time and date from an external server when you turn on your Prestige. Menu 24.10 allows you to update the time and date settings of your Prestige. The real time is then displayed in the Prestige error logs and firewall logs. Select menu 24 in the main menu to open Menu 24 — System Maintenance, as shown next.
Table 32-2 Time and Date Setting Fields
FIELD / DESCRIPTION

Use Time Server when Bootup
Enter the time service protocol that your time server sends when you turn on the Prestige. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works. The main difference between them is the format. Daytime (RFC 867) format is day/month/year/time zone of the server.
Prestige 791R G.SHDSL Router Chapter 33 IP Policy Routing This chapter covers setting and applying policies used for IP routing. 33.1 IP Policy Routing Overview Traditionally, routing is based on the destination address only and the IAD takes the shortest path to forward a packet. IP Routing Policy (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator.
Prestige 792H G.SHDSL Router IPPR follows the existing packet filtering facility of RAS in style and in implementation. The policies are divided into sets, where related policies are grouped together. A user defines the policies before applying them to an interface or a remote node, in the same fashion as the filters. There are 12 policy sets with six policies in each set. 33.2 IP Routing Policy Setup Menu 25 shows all the policies defined.
Prestige 791R G.SHDSL Router Menu 25.1 - IP Routing Policy Setup # A Criteria/Action - - -------------------------------------------------------------------------1 Y SA=1.1.1.1-1.1.1.1,DA=2.2.2.2-2.2.2.5 SP=20-25,DP=20-25,P=6,T=NM,PR=0 |GW=192.168.1.
Prestige 792H G.SHDSL Router Type a number from 1 to 6 to display Menu 25.1.1 – IP Routing Policy (see the next figure). This menu allows you to configure a policy rule. Menu 25.1.1 - IP Routing Policy Policy Set Name= test Active= Yes Criteria: IP Protocol = 6 Type of Service= Normal Precedence = 0 Source: addr start= 1.1.1.1 port start= 20 Destination: addr start= 2.2.2.2 port start= 20 Action= Matched Gateway addr = 192.168.1.
Prestige 791R G.SHDSL Router Table 33-2 IP Routing Policy FIELD Len Comp DESCRIPTION Press [SPACE BAR] and then [ENTER] to choose from Equal, Not Equal, Less, Greater, Less or Equal or Greater or Equal. Source: addr start / end Source IP address range from start to end. port start / end Source port number range from start to end; applicable only for TCP/UDP. Destination: addr start / end Destination IP address range from start to end.
Prestige 792H G.SHDSL Router Menu 3.2 - TCP/IP and DHCP Ethernet Setup DHCP Setup: DHCP= None Client IP Pool Starting Address= N/A Size of Client IP Pool= N/A Primary DNS Server= N/A Secondary DNS Server= N/A Remote DHCP Server= N/A TCP/IP Setup: IP Address= 192.168.1.1 IP Subnet Mask= 255.255.255.0 RIP Direction= Both Version= RIP-2B Multicast= IGMP-v2 IP Policies= 2,4,7,9 Edit IP Alias= No Type IP Policy sets here.
Prestige 791R G.SHDSL Router 33.4 IP Policy Routing Example If a network has both Internet and remote node connections, you can route Web packets to the Internet using one policy and route FTP packets to a remote network using another policy. See the next figure. Figure 33-6 Example of IP Policy Routing To force Web packets coming from clients with IP addresses of 192.168.1.33 to 192.168.1.64 to be routed to the Internet via the WAN port of the Prestige, follow the steps as shown next. Step 1.
Prestige 792H G.SHDSL Router Menu 25.1.1 - IP Routing Policy Policy Set Name= set1 Active= Yes Criteria: IP Protocol = 6 Type of Service= Don't Care Precedence = Don't Care Source: addr start= 192.168.1.2 port start= 0 Destination: addr start= 0.0.0.0 port start= 80 Action= Matched Gateway addr = 192.168.1.1 Type of Service= No Change Precedence = No Change Packet length= 10 Len Comp= N/A end= 192.168.1.
Prestige 791R G.SHDSL Router Menu 25.1.1 - IP Routing Policy Policy Set Name= set2 Active= Yes Criteria: IP Protocol = 6 Type of Service= Don't Care Precedence = Don't Care Source: addr start= 0.0.0.0 port start= 0 Destination: addr start= 0.0.0.0 port start= 20 Action= Matched Gateway addr =192.168.1.100 Type of Service= No Change Precedence = No Change Packet length= 10 Len Comp= N/A end= N/A end= N/A end= N/A end= 21 Log= No Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle.
Prestige 791R G.SHDSL Router Chapter 34 Call Scheduling Call scheduling (applicable for PPPoA or PPPoE encapsulation only) allows you to dictate when a remote node should be called and for how long. 34.1 Call Scheduling Overview The call scheduling feature allows the Prestige to manage a remote node and dictate when a remote node should be called and for how long. This feature is similar to the scheduler in a video cassette recorder (you can specify a time period for the VCR to record).
Prestige 792H G.SHDSL Router To delete a schedule set, enter the set number and press [SPACE BAR] and then [ENTER] (or delete) in the Edit Name field. To setup a schedule set, select the schedule set you want to setup from menu 26 (1-12) and press [ENTER] to see Menu 26.1 — Schedule Set Setup as shown next. Menu 26.
Prestige 791R G.SHDSL Router Table 34-1 Schedule Set Setup FIELD DESCRIPTION EXAMPLE How Often Should this schedule set recur weekly or be used just once only? Press the [SPACE BAR] and then [ENTER] to select Once or Weekly. Both these options are mutually exclusive. If Once is selected, then all weekday settings are N/A. When Once is selected, the schedule rule deletes automatically after the scheduled time elapses.
Prestige 792H G.SHDSL Router Menu 11.1 - Remote Node Profile Rem Node Name= ? Active= Yes Route= IP Bridge= No Encapsulation= PPPoE Multiplexing=VC-based Service Name= Incoming Rem Login= Rem Password= ******** Outgoing= My Login=? My Password= ******** Authen= CHAP/PAP Edit IP/Bridge= No Edit ATM Options= No Telco Option: Allocated Budget(min)= 0 Period(hr)= 0 Schedules= 1,2,3,4 Nailed-Up Connection= No Apply your schedule sets here.
Prestige 791R G.SHDSL Router Chapter 35 Remote Management This chapter covers remote management (SMT menu 24.11). 35.1 Remote Management Overview Remote management setup is for managing Telnet, FTP and Web services. You can customize the service port, access interface and the secured client IP address to enhance security and flexibility. You may manage your Prestige from a remote location via: the Internet (WAN only), the LAN only, All (LAN and WAN) or Disable (neither).
Prestige 791R G.SHDSL Router 35.1.3 Remote Management and Web Services You can use the Prestige’s embedded web configurator for configuration and file management. See the online help for details. 35.1.4 Disabling Remote Management To disable remote management of a service, select Disable in the corresponding Server Access field. 35.2 Remote Management Setup Enter 11 in menu 24 to display Menu 24.11 — Remote Management Control (shown next). Menu 24.
Prestige 791R G.SHDSL Router Table 35-1 Remote Management Control FIELD Secured Client IP DESCRIPTION EXAMPLE The default 0.0.0.0 allows any client to use this service to remotely manage the Prestige. Enter an IP address to restrict access to a client with a matching IP address. 0.0.0.0 Once you have filled in this menu, press [ENTER] at the message "Press ENTER to Confirm or ESC to Cancel" to save your configuration, or press [ESC] to cancel. 35.2.
SMT VPN/IPSec and Internal SPTGEN Part X: SMT VPN/IPSec and Internal SPTGEN This part provides information about configuring VPN/IPSec for secure communications and Internal SPTGEN for configuration of multiple Prestiges. See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.
Prestige 792H G.SHDSL Router Chapter 36 VPN/IPSec Setup This chapter introduces the VPN SMT menus. 36.1 VPN/IPSec Overview The VPN/IPSec main SMT menu has these main submenus: 1. Define VPN policies in menu 27.1 submenus, including security policies, endpoint IP addresses, peer IPSec router IP address and key management. 2. Menu 27.2 - SA Monitor allows you to manage (refresh or disconnect) your SA connections. This is an overview of the VPN menu tree.
Prestige 792H G.SHDSL Router Menu 27 - VPN/IPSec Setup 1. IPSec Summary 2. SA Monitor 3. View IPSec Log Enter Menu Selection Number: Figure 36-2 Menu 27 VPN/IPSec Setup 36.2 IPSec Summary Screen Type 1 in menu 27 and then press [ENTER] to display Menu 27.1 IPSec Summary. This is a summary read-only menu of your IPSec rules (tunnels). Edit or create an IPSec rule by selecting an index number and then configuring the associated submenus. Menu 27.
Prestige 792H G.SHDSL Router Table 36-1 Menu 27.1 IPSec Summary FIELD DESCRIPTION Name This field displays the unique identification name for this VPN rule. The name may be up to 32 characters long but only 10 characters will be displayed here. A Y signifies that this VPN rule is active. Local Addr Start When the Addr Type field in Menu 27.1.1 IPSec Setup is configured to Single, this is a static IP address on the LAN behind your Prestige. EXAMPLE Taiwan Y 192.168.1.
Prestige 792H G.SHDSL Router Table 36-1 Menu 27.1 IPSec Summary FIELD DESCRIPTION Key Mgt This field displays the SA’s type of key management, (IKE or Manual). Remote Addr Start When the Addr Type field in Menu 27.1.1 IPSec Setup is configured to Single, this is a static IP address on the network behind the remote IPSec router. EXAMPLE IKE 172.16.2.40 When the Addr Type field in Menu 27.1.
Prestige 792H G.SHDSL Router Table 36-1 Menu 27.1 IPSec Summary FIELD Select Command DESCRIPTION EXAMPLE Press [SPACE BAR] to choose from None, Edit, Delete, Go To Rule, Next Page or Previous Page and then press [ENTER]. You must select a rule in the next field when you choose the Edit, Delete or Go To commands. None Select None and then press [ENTER] to go to the “Press ENTER to Confirm…” prompt. Use Edit to create or edit a rule. Use Delete to remove a rule.
Prestige 792H G.SHDSL Router Menu 27.1.1 – IPSec Setup Index= 1 Name= Taiwan Active= Yes Keep Alive= No Local ID type= IP Content= My IP Addr= 0.0.0.0 Peer ID type= IP Content= Secure Gateway Address= zw50test.zyxel.com.tw Protocol= 0 DNS Server= 0.0.0.0 Local: Addr Type= SINGLE IP Addr Start= 1.1.1.1 End/Subnet Mask= N/A Port Start= 0 End= N/A Remote: Addr Type= SUBNET IP Addr Start= 4.4.4.4 End/Subnet Mask= 255.255.0.
Prestige 792H G.SHDSL Router Table 36-2 Menu 27.1.1 IPSec Setup FIELD Content DESCRIPTION EXAMPLE When you select IP in the Local ID Type field, type the IP address of your computer or leave the field blank to have the Prestige automatically use its own IP address. When you select DNS in the Local ID Type field, type a domain name (up to 31 characters) by which to identify this Prestige.
Prestige 792H G.SHDSL Router Table 36-2 Menu 27.1.1 IPSec Setup FIELD DESCRIPTION EXAMPLE Secure Gateway Address Type the IP address or the domain name (up to 31 characters) of the IPSec router with which you’re making the VPN connection. Zw50test.com. tw Protocol Enter 1 for ICMP, 6 for TCP, 17 for UDP, etc. 0 is the default and signifies any protocol. DNS Server If there is a private DNS server that services the VPN, type its IP address here.
Prestige 792H G.SHDSL Router Table 36-2 Menu 27.1.1 IPSec Setup FIELD DESCRIPTION End/Subnet When the Addr Type field is configured to Single, this field is N/A. Mask When the Addr Type field is configured to Range, enter the end (static) IP address, in a range of computers on the LAN behind your Prestige. EXAMPLE 192.168.1.38 When the Addr Type field is configured to SUBNET, this is a subnet mask on the LAN behind your Prestige. Port Start 0 is the default and signifies any port.
Prestige 792H G.SHDSL Router Table 36-2 Menu 27.1.1 IPSec Setup FIELD DESCRIPTION EXAMPLE End/Subnet When the Addr Type field is configured to Single, this field is N/A. Mask When the Addr Type field is configured to Range, enter the end (static) IP address, in a range of computers on the network behind the remote IPSec router. 255.255.0.0 When the Addr Type field is configured to SUBNET, enter a subnet mask on the network behind the remote IPSec router.
Prestige 792H G.SHDSL Router 36.4 IKE Setup To edit this menu, the Key Management field in Menu 27.1.1 – IPSec Setup must be set to IKE. Move the cursor to the Edit Key Management Setup field in Menu 27.1.1 – IPSec Setup; press [SPACE BAR] to select Yes and then press [ENTER] to display Menu 27.1.1.1 – IKE Setup. Menu 27.1.1.
Prestige 792H G.SHDSL Router Table 36-3 Menu 27.1.1.1 IKE Setup FIELD Encryption Algorithm DESCRIPTION EXAMPLE When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. Prestige DES encryption algorithm uses a 56-bit key. DES Triple DES (3DES), is a variation on DES that uses a 168-bit key. As a result, 3DES is more secure than DES.
Prestige 792H G.SHDSL Router Table 36-3 Menu 27.1.1.1 IKE Setup FIELD DESCRIPTION Perfect Perfect Forward Secrecy (PFS) is disabled (None) by default in phase 2 Forward IPSec SA setup. This allows faster IPSec setup, but is not so secure. Press Secrecy (PFS) [SPACE BAR] and choose from DH1 or DH2 to enable PFS. DH1 refers to Diffie-Hellman Group 1 a 768 bit random number. DH2 refers to Diffie-Hellman Group 2 a 1024 bit (1Kb) random number (more secure, yet slower).
Prestige 792H G.SHDSL Router Menu 27.1.1.2 – Manual Setup Active Protocol= ESP Tunnel ESP Setup SPI (Decimal)= Encryption Algorithm= DES Key1= Key2= N/A Key3= N/A Authentication Algorithm= MD5 Key= N/A AH Setup SPI (Decimal)= N/A Authentication Algorithm= N/A Key= Press ENTER to Confirm or ESC to Cancel: Figure 36-6 Menu 27.1.1.2 Manual Setup The following table describes the fields in this menu. Table 36-5 Menu 27.1.1.
Prestige 792H G.SHDSL Router Table 36-5 Menu 27.1.1.2 Manual Setup FIELD DESCRIPTION Authentication Press [SPACE BAR] to choose from MD5 or SHA1 and then press [ENTER]. Algorithm Key Enter the authentication key to be used by IPSec if applicable. The key must be unique. Enter 16 characters for MD5 authentication and 20 characters for SHA-1 authentication. Any character may be used, including spaces, but trailing spaces are truncated.
Chapter 37 SA Monitor
This chapter teaches you how to manage your SAs by using the SA Monitor in SMT menu 27.2.
37.1 SA Monitor Overview
A Security Association (SA) is the group of security settings related to a specific VPN tunnel. This menu (shown next) displays active VPN connections. When there is outbound traffic but no inbound traffic, the SA times out automatically after two minutes.
Table 37-1 Menu 27.2 SA Monitor
FIELD: #
DESCRIPTION: This is the security association index number.
FIELD: Name
DESCRIPTION: This field displays the identification name for this VPN policy. This name is unique for each connection where the secure gateway IP address is a public static IP address. When the secure gateway IP address is 0.0.0.0 (as discussed in the last chapter), there may be different connections using this same VPN rule.
EXAMPLE: Taiwan
37.3 Viewing IPSec Log
To view the IPSec and IKE connection log, type 3 in menu 27 and press [ENTER] to display the IPSec log as shown next. The following figure shows a typical log from the initiator of a VPN connection.
Index: Date/Time: Log:
-----------------------------------------------------------
001 01 Jan 08:02:22 Send Main Mode request to <192.168.100.
Chapter 38 Internal SPTGEN
38.1 Internal SPTGEN Overview
Internal SPTGEN (System Parameter Table Generator) is a configuration text file useful for efficient configuration of multiple Prestiges. Internal SPTGEN lets you configure, save and upload multiple menus at the same time using just one configuration text file – eliminating the need to navigate and configure individual SMT menus for each Prestige. 38.
/ Menu 1 General Setup
10000000 = Configured
10000001 = System Name
10000002 = Location
10000003 = Contact Person’s Name
10000004 = Route IP
10000005 = Route IPX
10000006 = Bridge

"/ Menu 1 General Setup": This is the name of the menu.
"10000000" to "10000006": This is the Field Identification Number column.
"Configured" to "Bridge": This is the Field Name column. This is the name of the field as seen in the corresponding SMT screen. Example: Configured
One “=” sign, followed by one space, must precede everything you input.
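A configuration text file in this layout can be checked on the workstation before it is uploaded, reporting the field identification number of each offending line. The following linter is an added example, not ZyXEL code: the function name lint_romt is hypothetical, the sample file is constructed, and the allowed-values column in angle brackets and the trailing "= input" column are an assumed layout that is not fully visible on this page.

```python
import re

# Assumed line layout: FIN = Field Name <allowed values> = INPUT
# (only the FIN, "=" and Field Name columns are visible on the page).
FIELD_RE = re.compile(
    r"^(?P<fin>\d+) = (?P<name>.*?)\s*<(?P<pva>[^>]*)>\s*=(?P<rest>.*)$")
CHOICE_RE = re.compile(r"(\d+)\(")  # numeric choices, e.g. <0(No)| 1(Yes)>

def lint_romt(text):
    """Return (line_number, FIN, problem) tuples for a rom-t style text file."""
    problems, seen, in_menu = [], set(), False
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("/"):          # "/ Menu 1 General Setup" names the menu
            in_menu = True
            continue
        m = FIELD_RE.match(line)
        if not m:
            problems.append((n, None, "not a 'FIN = name <values> = input' line"))
            continue
        fin, rest = m["fin"], m["rest"]
        if not in_menu:
            problems.append((n, fin, "field appears before any '/ Menu' line"))
        if fin in seen:
            problems.append((n, fin, "duplicate field identification number"))
        seen.add(fin)
        # One "=" sign followed by one space must precede the input.
        if rest.strip() and not re.match(r" \S", rest):
            problems.append((n, fin, "input must follow '=' and exactly one space"))
            continue
        value = rest.strip()
        choices = CHOICE_RE.findall(m["pva"])
        if choices and value and value not in choices:
            problems.append((n, fin, f"value {value!r} not among {choices}"))
    return problems

# Constructed sample: line 4 has an illegal value, line 5 lacks the space after "=".
SAMPLE = """\
/ Menu 1 General Setup
10000000 = Configured            <0(No)| 1(Yes)> = 1
10000001 = System Name           <Str>           = Prestige
10000004 = Route IP              <0(No)| 1(Yes)> = 2
10000006 = Bridge                <0(No)| 1(Yes)> =0
"""

if __name__ == "__main__":
    for line_no, fin, problem in lint_romt(SAMPLE):
        print(f"line {line_no} (FIN {fin}): {problem}")
```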
field value is not legal error:-1
ROM-t is not saved, error Line ID:10000000
reboot to get the original configuration
Bootbase Version: V2.02 | 2/22/2001 13:33:11
RAM: Size = 8192 Kbytes
FLASH: Intel 8M *2

Figure 38-2 Invalid Parameter Entered: Command Line Example
The Prestige will display the following if you enter parameter(s) that are valid.

Please wait for the system to write SPT text file(ROM-t)...
Bootbase Version: V2.
You can rename your “rom-t” file when you save it to your computer but it must be named “rom-t” when you upload it to your Prestige.
38.4 Internal SPTGEN FTP Upload Example
1. Launch your FTP application.
2. Enter “bin”. The command “bin” sets the transfer mode to binary.
3. Upload your “rom-t” file from your computer to the Prestige using the “put” command.

c:\ftp 192.168.1.1
220 PPP FTP version 1.0 ready at Sat Jan 1 03:22:12 2000
User (192.168.1.
Appendices and Index Part XI: Appendices and Index This part contains the Appendices and Index.
Chapter 39 Troubleshooting
This chapter covers potential problems and the corresponding remedies.
39.1 Problems Starting Up the Prestige
Table 39-1 Troubleshooting the Start-Up of Your Prestige
PROBLEM: None of the LEDs turn on when I turn on the Prestige.
CORRECTIVE ACTION: Make sure that the Prestige’s power adapter is connected to the Prestige and plugged in to an appropriate power source. Check that the Prestige and the power source are both turned on.
39.3 Problems with the WAN Interface
Table 39-3 Troubleshooting the WAN Interface
PROBLEM: I cannot get a WAN IP address from the ISP.
CORRECTIVE ACTION: The WAN IP is provided when the ISP recognizes the user as an authorized user after verifying the MAC address, Host Name or User ID. Find out the verification method used by your ISP. If the ISP checks the host name, enter your computer’s name in the System Name field in Menu 1 – General Setup.
39.5 Problems with the Password
Table 39-5 Troubleshooting the Password
PROBLEM: I cannot access the Prestige.
CORRECTIVE ACTION: The Password and Username fields are case-sensitive. Make sure that you enter the correct password and username using the proper casing. Restore the factory default configuration file. This will restore all of the factory defaults including the password. Refer to the Reset Button section in the User's Guide for details.
39.
Appendix A PPPoE
PPPoE in Action
An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your PC to an ATM PVC (Permanent Virtual Circuit) which connects to an xDSL Access Concentrator where the PPP session terminates (see the next figure). One PVC can support any number of PPP sessions from your LAN. PPPoE provides access control and billing functionality in a manner similar to dial-up services using PPP.
The PPPoE driver makes the Ethernet appear as a serial link to the PC and the PC runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC acts as an L2TP (Layer 2 Tunneling Protocol) LAC (L2TP Access Concentrator) and tunnels the PPP frames to the ISP. The L2TP tunnel is capable of carrying multiple PPP sessions.
Appendix B Virtual Circuit Topology
ATM is a connection-oriented technology, meaning that it sets up virtual circuits over which end systems communicate.
Appendix C Power Adapter Specifications
NORTH AMERICAN PLUG STANDARDS
AC Power Adapter Model: DV-121AACS
Input Power: AC120Volts/60Hz/23W max
Output Power: AC12Volts/1.0A
Power Consumption: 8W
Safety Standards: UL, CUL (UL 1310, CSA C22.2 No.223)
NORTH AMERICAN PLUG STANDARDS
AC Power Adapter Model: AA-121A
Input Power: AC120Volts/60Hz/18W max
Output Power: AC12Volts/1.0A
Power Consumption: 8W
Safety Standards: UL, CUL (UL 1310, CSA C22.2 No.
EUROPEAN PLUG STANDARDS
AC Power Adapter Model: DV-121AACCP-5716
Input Power: AC230Volts/50Hz/100mA
Output Power: AC12Volts/1.0A
Power Consumption: 8W
Safety Standards: TUV-GS, CE (EN 60950)
EUROPEAN PLUG STANDARDS
AC Power Adapter Model: AA-121ABN
Input Power: AC230Volts/50Hz/140mA
Output Power: AC12Volts/1.
Power Consumption: 8W
Safety Standards: CCEE (GB8898)