SBG3300-N Series Wireless N VDSL2 Combo WAN Small Business Security Gateway Version 1.00 Edition 3, 1/2014 Quick Start Guide User’s Guide Default Login Details LAN IP Address http://192.168.1.1 User Name www.zyxel.
IMPORTANT! READ CAREFULLY BEFORE USE. KEEP THIS GUIDE FOR FUTURE REFERENCE. Screenshots and graphics in this book may differ slightly from your product due to differences in your product firmware or your computer operating system. Every effort has been made to ensure that the information in this manual is accurate. Related Documentation • Quick Start Guide The Quick Start Guide shows how to connect the Device and access the Web Configurator wizards.
PART I User’s Guide
CHAPTER 1 Introducing the Device
1.1 Overview
The SBG3300-N Series is a wireless VDSL router and Gigabit Ethernet gateway. It has one DSL port and Gigabit Ethernet for super-fast Internet access over analog (POTS) telephone lines. The Device supports both Packet Transfer Mode (PTM) and Asynchronous Transfer Mode (ATM). It is backward compatible with ADSL, ADSL2 and ADSL2+ in case VDSL is not available. The Device also provides IEEE 802.
Chapter 1 Introducing the Device 1.4 Applications for the Device Here are some example uses for which the Device is well suited. 1.4.1 Internet Access Your Device provides shared Internet access by connecting the DSL port to the DSL or MODEM jack on a splitter or your telephone jack. You can have multiple WAN services over one ADSL or VDSL. The Device cannot work in ADSL and VDSL mode at the same time. You can also use a 3G dongle for cellular backup WAN (Internet) connections.
Chapter 1 Introducing the Device Figure 3 Device’s Internet Access Application: 3G WAN Backup WLAN LAN ADSL / VDSL A You can also configure IP filtering on the Device for secure Internet access. When the IP filter is on, all incoming traffic from the Internet to your network is blocked by default unless it is initiated from your network. This means that probes from the outside to your network are not allowed, but you can safely browse the Internet and download files. 1.4.
Chapter 1 Introducing the Device 1.5 LEDs (Lights) The following graphic displays the labels of the LEDs. Figure 5 LEDs on the Device None of the LEDs are on if the Device is not receiving power. Table 1 LED Descriptions LED COLOR STATUS DESCRIPTION POWER Green On The Device is receiving power and ready for use. Blinking The Device is self-testing. On The Device detected an error while self-testing, or there is a device malfunction. Off The Device is not receiving power.
Chapter 1 Introducing the Device Table 1 LED Descriptions (continued) LED COLOR MOBILE Green USB WLAN/WPS Green Green Green and Orange STATUS DESCRIPTION On The 3G WAN connection is working. Blinking The Device is sending or receiving data to/from the 3G WAN connection. Off There is no 3G WAN connection. On The Device recognizes a USB connection. Blinking The Device is sending/receiving data to /from the USB device connected to it. Off The Device does not detect a USB connection.
You can configure your wireless network in the built-in Web Configurator. Figure 6 Wireless Access Example
1.7.1 Using the WLAN Button
If the wireless network is turned off, press the WLAN button at the front of the Device for one second. Once the WLAN LED turns green, the wireless network is active. Use the Network Setting > Wireless > General screen to enable or disable this button.
CHAPTER 2 The Web Configurator
2.1 Overview
The web configurator is an HTML-based management interface that allows easy device setup and management via Internet browser. Use Internet Explorer 8.0 and later versions, Mozilla Firefox 3 and later versions, Chrome, or Safari 2.0 and later versions. The recommended screen resolution is 1024 by 768 pixels. In order to use the web configurator you need to allow:
• Web browser pop-up windows from your device.
Chapter 2 The Web Configurator 4 The following screen displays if you have not yet changed your password from the default. It is strongly recommended you change the default password. Enter a new password, retype it to confirm and click Apply; alternatively click Skip to proceed to the main menu if you do not want to change the password now. Figure 8 Change Password Screen 5 The Status page appears, where you can view the Device’s interface and system information.
Chapter 2 The Web Configurator 2.2 Web Configurator Layout Figure 10 Screen Layout A B C As illustrated above, the main screen is divided into these parts: • A - title bar • B - main window • C - navigation panel 2.2.1 Title Bar The title bar provides some icons in the upper right corner. The icons provide the following functions.
Chapter 2 The Web Configurator 2.2.2 Main Window The main window displays information and configuration fields. It is discussed in the rest of this document. See Chapter 4 on page 37 for more information about the Status screen. If you click Virtual Device on the System Info screen, a graphic shows the connection status of the Device’s ports. The connected interfaces are in color and disconnected interfaces are gray. Figure 11 Virtual Device 2.2.
Chapter 2 The Web Configurator Table 3 Navigation Panel Summary (continued) LINK Wireless LAN Routing QoS NAT DNS TAB FUNCTION General Use this screen to configure the wireless LAN settings and WLAN authentication/security settings. More AP Use this screen to configure multiple BSSs on the Device. MAC Authentication Use this screen to block or allow wireless traffic from wireless devices of certain SSIDs and MAC addresses to the Device.
Chapter 2 The Web Configurator Table 3 Navigation Panel Summary (continued) LINK TAB FUNCTION General Use this screen to configure the Device’s basic firewall settings. Service Use this screen to add Internet services and configure firewall rules. Access Control Use this screen to configure incoming/outgoing filtering rules. DoS Use this screen to activate protection against Denial of Service (DoS) attacks.
Chapter 2 The Web Configurator Table 3 Navigation Panel Summary (continued) LINK TAB FUNCTION TR-069 Client Use this screen to configure the Device to be managed by an Auto Configuration Server (ACS). SNMP Use this screen to enable/disable and configure settings for SNMP. Time Use this screen to change your Device’s time and date. Email Notification Use this screen to configure up to two mail servers and sender addresses on the Device.
CHAPTER 3 Quick Start
3.1 Overview
Use the Quick Start screens to configure the Device’s time zone, basic Internet access, and wireless settings. Note: See the technical reference chapters (starting on page 35) for background information on the features in this chapter.
3.2 Quick Start Setup
1 The Quick Start Wizard appears automatically after login. Or you can click the Click Start icon in the top right corner of the web configurator to open the quick start screens.
2 Select your current WAN interface to configure its settings. Figure 13 WAN Interface Selection
3 Enter your Internet connection information in this screen. The screen and fields to enter may vary depending on your current connection type. Click Next.
Chapter 3 Quick Start 4 Turn the wireless LAN on or off. If you keep it on, record the security settings so you can configure your wireless clients to connect to the Device. Click Save. Figure 15 Internet Connection 5 Your Device saves your settings and attempts to connect to the Internet.
PART II Technical Reference
CHAPTER 4 Status Screens
4.1 Overview
After you log into the Web Configurator, the Status screen appears. You can use the Status screen to look at the current status of the Device, system resources, and interfaces (LAN, WAN, and WLAN).
4.2 The Status Screen
Use this screen to view the status of the Device. Click Status to open this screen.
Chapter 4 Status Screens Each field is described in the following table. Table 4 Status Screen LABEL DESCRIPTION Refresh Interval Select how often you want the Device to update this screen. Device Information Host Name This field displays the Device system name. It is used for identification. Model Number This shows the model number of your Device. Firmware Version This is the current version of the firmware inside the Device. WAN Information (These fields display when you have a WAN connection.
Chapter 4 Status Screens Table 4 Status Screen (continued) LABEL DESCRIPTION CPU Usage This field displays what percentage of the Device’s processing ability is currently used. When this percentage is close to 100%, the Device is running at full load, and the throughput is not going to improve anymore. If you want some applications to have more throughput, you should turn off other applications (for example, using QoS; see Chapter 9 on page 131).
CHAPTER 5 Broadband
5.1 Overview
This chapter discusses the Device’s Broadband screens. Use these screens to configure your Device for Internet access. A WAN (Wide Area Network) connection is an outside connection to another network or the Internet. It connects your private networks, such as a LAN (Local Area Network) and other networks, so that a computer in one location can communicate with computers in other locations.
Chapter 5 Broadband • Use the Add New 3G Dongle screen to view or add a new 3G dongle (Section 5.4 on page 58). • Use the Advanced screen to enable or disable PTM over ADSL, Annex M, and DSL PhyR functions (Section 5.4.1 on page 59). • Use the 802.1x screen to view and configure the IEEE 802.1x settings on the Device (Section 5.6 on page 60). • Use the multi-WAN screen to configure the multiple WAN load balancing and failover rules to distribute traffic among different interfaces (Section 5.7 on page 62).
Chapter 5 Broadband ATM Asynchronous Transfer Mode (ATM) is a WAN networking technology that provides high-speed data transfer. ATM uses fixed-size packets of information called cells. With ATM, a high QoS (Quality of Service) can be guaranteed. ATM uses a connection-oriented model and establishes a virtual circuit (VC) between Finding Out More PTM Packet Transfer Mode (PTM) is packet-oriented and supported by the VDSL2 standard.
compose the network address. The prefix length is written as “/x” where x is a number. For example, 2001:db8:1a2b:15::1a2f:0/32 means that the first 32 bits (2001:db8) are the subnet prefix.
IPv6 Subnet Masking
Both an IPv6 address and an IPv6 subnet mask are composed of 128-bit binary digits, which are divided into eight 16-bit blocks and written in hexadecimal notation. Hexadecimal uses four bits for each character (1 ~ 10, A ~ F).
Chapter 5 Broadband Figure 20 Dual Stack Lite WAN - IPv6 - IPv4 in IPv6 LAN - IPv6 - IPv4 ISP (IPv6) IPv6 IPv6 + IPv4 IPv6 Internet IPv4 in IPv6 AFTR IPv4 Internet 5.1.3 Before You Begin You need to know your Internet access settings such as encapsulation and WAN IP address. Get this information from your ISP. 5.2 The Broadband Screen Use this screen to change your Device’s Internet access settings. Click Network Setting > Broadband from the menu.
Table 6 Network Setting > Broadband (continued) LABEL DESCRIPTION 802.1p This indicates the IEEE 802.1p priority level assigned to traffic sent through this connection. This displays N/A when there is no priority level assigned. 802.1q This indicates the VLAN ID number assigned to traffic sent through this connection. This displays N/A when there is no VLAN ID number assigned. IGMP Proxy This shows whether the Device acts as an IGMP proxy on this connection.
5.2.1 Add/Edit Internet Connection
Click Add new WAN Interface in the Broadband screen or the Edit icon next to an existing WAN interface to configure a WAN connection. The screen varies depending on the interface type, mode, encapsulation, and IPv6/IPv4 mode you select.
5.2.1.1 Routing Mode
Use Routing mode if your ISP gives you one IP address only and you want multiple computers to share an Internet account.
Chapter 5 Broadband Table 7 Routing Mode (continued) LABEL DESCRIPTION Type Select whether it is ADSL/VDSL over PTM, ADSL over ATM, or Ethernet connection. • • • ADSL/VDSL over PTM: The Device uses the VDSL technology for data transmission over the DSL port. ADSL over ATM: The Device uses the ADSL technology for data transmission over the DSL port. Ethernet: The Device transmits data over the Ethernet WAN port. Select this if you have a DSL router or modem in your network already.
Table 7 Routing Mode (continued) LABEL DESCRIPTION Encapsulation Mode Select the method of multiplexing used by your ISP from the drop-down list box. Choices are: • • • • Service Category LLC/SNAP-BRIDGING: In LLC encapsulation, bridged PDUs are encapsulated by identifying the type of the bridged media in the SNAP header. This is available only when you select IPoE or PPPoE in the Select DSL Link Type field.
Chapter 5 Broadband Table 7 Routing Mode (continued) LABEL DESCRIPTION PPPoE Passthrough This field is available when you select PPPoE encapsulation. In addition to the Device’s built-in PPPoE client, you can enable PPPoE pass through to allow up to ten hosts on the LAN to use PPPoE client software on their computers to connect to the ISP via the Device. Each host can have a separate account and a public WAN IP address.
Chapter 5 Broadband Table 7 Routing Mode (continued) LABEL DESCRIPTION IPv6 Address Select Automatic if you want to have the Device use the IPv6 prefix from the connected router’s Router Advertisement (RA) to generate an IPv6 address. Select the Get IPv6 Address From DHCPv6 Server check box if you want to obtain an IPv6 address from a DHCPv6 server. The IP address assigned by a DHCPv6 server has priority over the IP address automatically generated by the Device using the IPv6 prefix from an RA.
Chapter 5 Broadband Table 7 Routing Mode (continued) LABEL DS-Lite Relay Server IP DESCRIPTION Specify the transition router’s IPv6 address. VLAN These fields appear when the Type is set to ADSL/VDSL over PTM. Active Select this option to add the VLAN tag (specified below) to the outgoing traffic through this connection. 802.1p IEEE 802.1p defines up to 8 separate traffic types by inserting a tag into a MAC-layer frame that contains bits to define class of service. Select the IEEE 802.
Chapter 5 Broadband The following table describes the fields in this screen. Table 8 Bridge Mode (ADSL/VDSL over PTM) LABEL DESCRIPTION General Active Select this to activate the WAN configuration settings. Name Enter a service name of the connection. Type Select ADSL/VDSL over PTM as the interface that you want to configure. The Device uses the VDSL technology for data transmission over the DSL port.
The following table describes the fields in this screen. Table 9 Bridge Mode (ADSL over ATM) LABEL DESCRIPTION General Active Select this to activate the WAN configuration settings. Name Enter a service name of the connection. Type Select ADSL over ATM as the interface that you want to configure. The Device uses the ADSL technology for data transmission over the DSL port.
Chapter 5 Broadband Table 9 Bridge Mode (ADSL over ATM) (continued) LABEL DESCRIPTION Sustainable Cell Rate The Sustainable Cell Rate (SCR) sets the average cell rate (long-term) that can be transmitted. Type the SCR, which must be less than the PCR. Note that system default is 0 cells/sec. This field is available only when you select Non Realtime VBR or Realtime VBR. Maximum Burst Size Maximum Burst Size (MBS) refers to the maximum number of cells that can be sent at the peak rate.
Figure 25 Network Setting > Broadband > 3G WAN
Chapter 5 Broadband The following table describes the labels in this screen. Table 10 Network Setting > Broadband > 3G WAN LABEL DESCRIPTION 3G Connection Settings Card description This field displays the manufacturer and model name of your 3G card if you inserted one in the Device. Otherwise, it displays N/A. Username Type the user name (of up to 64 ASCII printable characters) given to you by your service provider.
Chapter 5 Broadband 5.4 The Add New 3G Dongle Screen Use the Add New 3G Dongle screen to view and manage the list of 3G dongles the Device can use for a 3G backup connection. Section 1.1 on page 17 explains to which USB port you need to connect the 3G USB dongle. Click Network Setting > Broadband > Add New 3G Dongle to display the following screen. Figure 26 Network Setting > Broadband > Add New 3G Dongle The following table describes the labels in this screen.
Chapter 5 Broadband 5.4.1 Add 3G Dongle Information Click Add New Entry in the Add New 3G Dongle screen to show the following. Enter the information for a new 3G dongle to add it. Figure 27 Add 3G Dongle Information The following table describes the labels in this screen. Table 12 Add 3G Dongle Information LABEL DESCRIPTION Default VID Enter the default vendor ID of the 3G dongle. Default PID Enter the default product ID of the 3G dongle. Target VID Enter the target vendor ID of the 3G dongle.
Chapter 5 Broadband Click Network Setting > Broadband > Advanced to display the following screen. Figure 28 Network Setting > Broadband > Advanced The following table describes the labels in this screen. Table 13 Network Setting > Network Setting > Advanced LABEL DESCRIPTION PTM over ADSL Select Enable to use PTM over ADSL. Since PTM has less overhead than ATM, some ISPs use PTM over ADSL for better performance.
Chapter 5 Broadband The following table describes the labels in this screen. Table 14 Network Setting > Network Setting > 802.1x LABEL DESCRIPTION # This is the index number of the entry. Status This field displays whether the authentication is active or not. A yellow bulb signifies that this authentication is active. A gray bulb signifies that this authentication is not active. Interface This is the interface that uses the authentication. This displays N/A when there is no interface assigned.
Chapter 5 Broadband Table 15 802.1x: Add/Edit (Sheet 2 of 2) LABEL DESCRIPTION EAP method This is the EAP method used for this authentication. Enable Bidirectional Authentication Select this to allow bidirectional authentication. Certificate Select the certificate you want to assign to the authentication. You need to import the certificate in the Security > Certificates > Local Certificates screen. Trusted CA Select the Trusted CA you want to assign to the authentication.
Chapter 5 Broadband 5.7.1 Add/Edit multi-WAN Click Add New Entry in the multi-WAN screen or the Edit icon next to an existing multi-WAN rule to configure it. Figure 32 multi-WAN: Add/Edit The following table describes the labels in this screen. Table 17 multi-WAN: Add/Edit LABEL DESCRIPTION Interface If you are adding a new entry, select the interface that you want to configure this rule for. The list shows the interfaces that have not configured multi-WAN rules.
Chapter 5 Broadband Table 17 multi-WAN: Add/Edit (continued) LABEL DESCRIPTION Check Method Select the connectivity check method that the gateway allows. Select ICMP to have the Device regularly ping the gateway you specify to make sure it is still available. Select TCP to have the Device regularly perform a TCP handshake with the gateway you specify to make sure it is still available. Period Enter the number of seconds between connection check attempts.
3 Click the Edit icon next to the ETHWAN WAN connection. This brings up the edit window. Change the weight field to 3 and click the Apply button.
4 You have finished the configuration. When both the ETHWAN and ADSL connections are up, the Device will send traffic over these two connections in a 3:1 ratio. When only one of these two connections is up, the Device will use that connection exclusively.
Chapter 5 Broadband Encapsulation Be sure to use the encapsulation method required by your ISP. The Device can work in bridge mode or routing mode. When the Device is in routing mode, it supports the following methods. IP over Ethernet IP over Ethernet (IPoE) is an alternative to PPPoE. IP packets are being delivered across an Ethernet network, without using PPP encapsulation.
Chapter 5 Broadband Variable Bit Rate (VBR) The Variable Bit Rate (VBR) ATM traffic class is used with bursty connections. Connections that use the Variable Bit Rate (VBR) traffic class can be grouped into real time (VBR-RT) or non-real time (VBR-nRT) connections. The VBR-RT (real-time Variable Bit Rate) type is used with bursty connections that require closely controlled delay and delay variation.
across the network. A tagged frame is four bytes longer than an untagged frame and contains two bytes of TPID (Tag Protocol Identifier, residing within the type/length field of the Ethernet frame) and two bytes of TCI (Tag Control Information, starting after the source address field of the Ethernet frame). The CFI (Canonical Format Indicator) is a single-bit flag, always set to zero for Ethernet switches.
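The tag layout described above, as an added Python example that is not part of the ZyXEL guide: it inserts and parses the four-byte tag and checks a frame against the VLAN IDs expected on a tagged WAN connection. The TPID value 0x8100 and the 3-bit priority / 12-bit VLAN ID split of the TCI come from IEEE 802.1Q; the function names and the sample frame are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # TPID value from IEEE 802.1Q (not stated in the guide text)


def add_vlan_tag(frame: bytes, vlan_id: int, priority: int = 0) -> bytes:
    """Insert the 4-byte tag (TPID + TCI) right after the source MAC address."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    if not 1 <= vlan_id <= 4094:            # 0 and 4095 are reserved values
        raise ValueError("VLAN ID must be 1..4094")
    if not 0 <= priority <= 7:              # 802.1p defines 8 priority levels
        raise ValueError("802.1p priority must be 0..7")
    tci = (priority << 13) | vlan_id        # CFI (bit 12) is left at zero
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_vlan_tag(frame: bytes):
    """Return the tag fields as a dict, or None when the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (type_or_tpid,) = struct.unpack_from("!H", frame, 12)
    if type_or_tpid != TPID_8021Q:
        return None                         # bytes 12-13 are a normal type/length
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, ethertype = struct.unpack_from("!HH", frame, 14)
    return {
        "priority": tci >> 13,              # 802.1p class of service
        "cfi": (tci >> 12) & 1,             # should be 0 on Ethernet
        "vlan_id": tci & 0x0FFF,
        "ethertype": ethertype,             # original type/length, shifted by 4 bytes
    }


def audit_frame(frame: bytes, allowed_vlans) -> list:
    """List what is unexpected about a frame seen on a tagged connection."""
    tag = parse_vlan_tag(frame)
    if tag is None:
        return ["untagged frame"]
    findings = []
    if tag["vlan_id"] not in allowed_vlans:
        findings.append(f"unexpected VLAN ID {tag['vlan_id']}")
    if tag["cfi"] != 0:
        findings.append("CFI bit set")
    return findings


# Constructed sample: broadcast destination, source 00:A0:C5:00:00:02,
# type 0x0800 (IPv4) and 46 bytes of zero padding as payload.
UNTAGGED = bytes.fromhex("ffffffffffff" "00a0c5000002" "0800") + bytes(46)
TAGGED = add_vlan_tag(UNTAGGED, vlan_id=100, priority=5)

if __name__ == "__main__":
    print("length grew by", len(TAGGED) - len(UNTAGGED), "bytes")
    print("tag fields:", parse_vlan_tag(TAGGED))
    print("audit with VLAN 200 expected:", audit_frame(TAGGED, {200}))
```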
Chapter 5 Broadband IPv6 Addressing The 128-bit IPv6 address is written as eight 16-bit hexadecimal blocks separated by colons (:). This is an example IPv6 address 2001:0db8:1a2b:0015:0000:0000:1a2f:0000. IPv6 addresses can be abbreviated in two ways: • Leading zeros in a block can be omitted. So 2001:0db8:1a2b:0015:0000:0000:1a2f:0000 can be written as 2001:db8:1a2b:15:0:0:1a2f:0. • Any number of consecutive blocks of zeros can be replaced by a double colon.
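The two abbreviation rules above and the “/x” prefix notation from the IPv6 overview, as an added Python example that is not part of the guide. It goes one step beyond the text by comparing addresses and filter rules as parsed values, so that different spellings of one address match the same rule; the function names are hypothetical and the addresses are the guide's own examples.

```python
import ipaddress

# Example address from the guide, written out in full.
FULL = "2001:0db8:1a2b:0015:0000:0000:1a2f:0000"


def drop_leading_zeros(addr: str) -> str:
    """Rule 1: leading zeros in each 16-bit block can be omitted."""
    blocks = addr.split(":")
    if len(blocks) != 8:
        raise ValueError("expected a full address with eight blocks")
    return ":".join(format(int(block, 16), "x") for block in blocks)


def compress_zero_run(addr: str) -> str:
    """Rule 2: replace one run of consecutive zero blocks with '::'.

    The longest run of two or more zero blocks is chosen (leftmost on a tie)
    and the double colon is used only once, so the result stays unambiguous.
    """
    blocks = addr.split(":")
    best_start, best_len = -1, 0
    i = 0
    while i < len(blocks):
        if blocks[i] == "0":
            j = i
            while j < len(blocks) and blocks[j] == "0":
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    if best_len < 2:
        return addr                      # nothing worth compressing
    head = ":".join(blocks[:best_start])
    tail = ":".join(blocks[best_start + best_len:])
    return head + "::" + tail


def abbreviate(full: str) -> str:
    """Apply both rules to a fully written address."""
    return compress_zero_run(drop_leading_zeros(full))


def subnet_prefix(cidr: str) -> str:
    """Return the network part selected by the /x prefix length."""
    return str(ipaddress.ip_network(cidr, strict=False))


def same_address(a: str, b: str) -> bool:
    """Compare two spellings by value rather than as text."""
    return ipaddress.IPv6Address(a) == ipaddress.IPv6Address(b)


def rule_matches(rule_cidr: str, observed: str) -> bool:
    """True when an observed address falls inside a filter rule's prefix."""
    network = ipaddress.ip_network(rule_cidr, strict=False)
    return ipaddress.IPv6Address(observed) in network


if __name__ == "__main__":
    print(drop_leading_zeros(FULL))
    print(abbreviate(FULL))
    print(subnet_prefix("2001:db8:1a2b:15::1a2f:0/32"))
    # A plain string comparison would treat these as different hosts.
    print(FULL == abbreviate(FULL), same_address(FULL, abbreviate(FULL)))
```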
CHAPTER 6 Wireless
6.1 Overview
This chapter describes the Device’s Network Setting > Wireless screens. Use these screens to set up your Device’s wireless connection.
6.1.1 What You Can Do in this Chapter
This section describes the Device’s Wireless screens. Use these screens to set up your Device’s wireless connection.
• Use the General screen to enable the Wireless LAN, enter the SSID and select the wireless security mode (Section 6.2 on page 72).
Chapter 6 Wireless 6.1.2 What You Need to Know Wireless Basics “Wireless” is essentially radio communication. In the same way that walkie-talkie radios send and receive information over the airwaves, wireless networking devices exchange information with one another. A wireless networking device is just like a radio that lets your computer exchange information with radios attached to other computers.
Click Network Setting > Wireless to open the General screen. Figure 33 Network Setting > Wireless > General The following table describes the general wireless LAN labels in this screen. Table 18 Network Setting > Wireless > General LABEL DESCRIPTION Wireless Network Setup Wireless You can Enable or Disable the wireless LAN in this field. Disable/Enable wifi button Select Enable to be able to use the WLAN hardware button to turn the wireless LAN on or off.
Chapter 6 Wireless Table 18 Network Setting > Wireless > General (continued) LABEL DESCRIPTION more.../less Click more... to show more information. Click less to hide them. Bandwidth Select whether the Device uses a wireless channel width of 20MHz or 40MHz. A standard 20MHz channel offers transfer speeds of up to 150Mbps whereas a 40MHz channel uses two standard channels and offers speeds of up to 300 Mbps.
Chapter 6 Wireless 6.2.1 No Security Select No Security to allow wireless stations to communicate with the access points without any data encryption or authentication. Note: If you do not enable any wireless security on your Device, your network is accessible to any wireless networking device that is within range. Figure 34 Wireless > General: No Security The following table describes the labels in this screen.
Chapter 6 Wireless In order to configure and enable WEP encryption, click Network Setting > Wireless to display the General screen, then select Basic as the security level. Figure 35 Wireless > General: Basic (WEP) The following table describes the labels in this screen. Table 20 Wireless > General: Basic (WEP) LABEL DESCRIPTION Security Level Select Basic to enable WEP data encryption. Generate password automatically Select this option to have the Device automatically generate a password.
Chapter 6 Wireless 6.2.3 More Secure (WPA(2)-PSK) The WPA-PSK security mode provides both improved data encryption and user authentication over WEP. Using a Pre-Shared Key (PSK), both the Device and the connecting client share a common password in order to validate the connection. This type of encryption, while robust, is not as strong as WPA, WPA2 or even WPA2-PSK. The WPA2-PSK security mode is a newer, more robust version of the WPA encryption standard.
Chapter 6 Wireless Table 21 Wireless > General: More Secure: WPA(2)-PSK (continued) LABEL DESCRIPTION Encryption Select the encryption type (AES or TKIP+AES) for data encryption. Select AES if your wireless clients can all use AES. Select TKIP+AES to allow the wireless clients to use either TKIP or AES. Group Key Update Timer The Group Key Update Timer is the rate at which the RADIUS server sends a new group key out to all clients. 6.2.
Chapter 6 Wireless Table 22 Wireless > General: More Secure: WPA(2) (continued) LABEL DESCRIPTION IP Address Enter the IP address of the external authentication server in dotted decimal notation. Port Number Enter the port number of the external authentication server. The default port number is 1812. You need not change this value unless your network administrator instructs you to do so with additional information.
Chapter 6 Wireless The following table describes the labels in this screen. Table 23 Network Setting > Wireless > More AP LABEL DESCRIPTION # This is the index number of the entry. Status This field indicates whether this SSID is active. A yellow bulb signifies that this SSID is active. A gray bulb signifies that this SSID is not active. SSID An SSID profile is the set of parameters relating to one of the Device’s BSSs.
Chapter 6 Wireless 6.3.1 Edit More AP Use this screen to edit an SSID profile. Click the Edit icon next to an SSID in the More AP screen. The following screen displays. Figure 39 More AP: Edit The following table describes the fields in this screen. Table 24 More AP: Edit LABEL DESCRIPTION Wireless Network Setup Wireless You can Enable or Disable the wireless LAN in this field.
Chapter 6 Wireless Table 24 More AP: Edit (continued) LABEL DESCRIPTION Enhanced Multicast Forwarding Select this check box to allow the Device to convert wireless multicast traffic into wireless unicast traffic. Guest WLAN Select this to allow this SSID’s wireless clients to access the Internet but not directly connect to the LAN or the wireless clients in any of the Device’s other SSIDs. Access Scenario This displays when you make the SSID a guest WLAN.
Chapter 6 Wireless 6.4 MAC Authentication This screen allows you to configure the ZyXEL Device to give exclusive access to specific devices (Allow) or exclude specific devices from accessing the ZyXEL Device (Deny). Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. You need to know the MAC addresses of the devices to configure this screen.
Chapter 6 Wireless 6.5 The WPS Screen Use this screen to configure WiFi Protected Setup (WPS) on your Device. WPS allows you to quickly set up a wireless network with strong security, without having to configure security settings manually. Set up each WPS connection between two devices. Both devices must support WPS. See Section 6.10.8.3 on page 98 for more information about WPS. Note: To use the WPS feature, make sure you have wireless enabled in the Network Setting > Wireless > General screen.
Table 26 Network Setting > Wireless > WPS (continued)
LABEL: DESCRIPTION
Connect: Click this button to add another WPS-enabled wireless device (within wireless range of the Device) to your wireless network. This button may either be a physical button on the outside of the device, or a menu button similar to the Connect button on this screen.
Note: You must press the other wireless device’s WPS button within two minutes of pressing this button.
Chapter 6 Wireless The following table describes the labels in this screen. Table 27 Network Setting > Wireless > WMM LABEL DESCRIPTION WMM Select On to have the Device automatically give a service a priority level according to the ToS value in the IP header of packets it sends. WMM QoS (Wifi MultiMedia Quality of Service) gives high priority to voice and video, which makes them run more smoothly.
Chapter 6 Wireless Table 28 Network Setting > Wireless > Others (continued) LABEL DESCRIPTION Auto Channel Timer If you set the channel to Auto in the Network Setting > Wireless > General screen, specify the interval in minutes for how often the Device scans for the best channel. Enter 0 to disable the periodical scan. Output Power Set the output power of the Device. If there is a high density of APs in an area, decrease the output power to reduce interference with other APs.
Chapter 6 Wireless 6.8 The Channel Status Screen Use the Channel Status screen to scan wireless LAN channel noises and view the results. Click Network Setting > Wireless > Channel Status. The screen appears as shown. Click Scan to scan the wireless LAN channels. You can view the results in the Channel Scan Result section. Figure 44 Network Setting > Wireless > Channel Status 6.
Chapter 6 Wireless Click Network Setting > Wireless > Scheduling. The following screen displays. Figure 45 Network Setting > Wireless > Scheduling The following table describes the labels in this screen. Table 29 Network Setting > Wireless > Scheduling LABEL DESCRIPTION # This is the index number of the entry. Rule Name This field shows the name configured for the scheduling rule. Days This field displays to which days of the week the schedule applies.
Chapter 6 Wireless Table 30 More AP: Edit (continued) LABEL DESCRIPTION Time of Day Range Enter the wireless LAN service start and end times in 24-hour time format. Apply Click Apply to save your changes. Cancel Click Cancel to exit this screen without saving. 6.10 Technical Reference This section discusses wireless LANs in depth. 6.10.1 Wireless Network Overview Wireless networks consist of wireless clients, access points and bridges. • A wireless client is a radio connected to a user’s computer.
Chapter 6 Wireless The following figure provides an example of a wireless network. Figure 47 Example of a Wireless Network The wireless network is the part in the blue circle. In this wireless network, devices A and B use the access point (AP) to interact with the other devices (such as the printer) or with the Internet. Your Device is the AP. Every wireless network must follow these basic guidelines. • Every device in the same wireless network must use the same SSID.
Chapter 6 Wireless 6.10.2 Additional Wireless Terms The following table describes some wireless network terms and acronyms used in the Device’s Web Configurator. Table 31 Additional Wireless Terms TERM DESCRIPTION RTS/CTS Threshold In a wireless network which covers a large area, wireless devices are sometimes not aware of each other’s presence. This may cause them to send information to the AP at the same time and result in information colliding and not getting through.
Chapter 6 Wireless and does not include real words. For example, if your mother owns a 1970 Dodge Challenger and her favorite movie is Vanishing Point (which you know was made in 1971) you could use “70dodchal71vanpoi” as your security key. The following sections introduce different types of wireless security you can set up in the wireless network. 6.10.3.1 SSID Normally, the Device acts like a beacon and regularly broadcasts the SSID in the area.
Chapter 6 Wireless 6.10.3.4 Encryption Wireless networks can use encryption to protect the information that is sent in the wireless network. Encryption is like a secret code. If you do not know the secret code, you cannot understand the message. The types of encryption you can choose depend on the type of authentication. (See Section 6.10.3.3 on page 93 for information about this.
Chapter 6 Wireless 6.10.5 BSS A Basic Service Set (BSS) exists when all communications between wireless stations or between a wireless station and a wired network client go through one access point (AP). Intra-BSS traffic is traffic between wireless stations in the BSS. When Intra-BSS traffic blocking is disabled, wireless station A and B can access the wired network and communicate with each other.
Chapter 6 Wireless • MBSSID should not replace but rather be used in conjunction with 802.1x security. 6.10.7 Preamble Type Preamble is used to signal that data is coming to the receiver. Short and long refer to the length of the synchronization field in a packet. Short preamble increases performance as less time sending preamble means more time for sending data. All IEEE 802.11 compliant wireless adapters support long preamble, but not all support short preamble.
3 Press the button on one of the devices (it doesn’t matter which). For the Device you must press the WPS button for more than three seconds.
4 Within two minutes, press the button on the other device. The registrar sends the network name (SSID) and security key through a secure connection to the enrollee.
If you need to make sure that WPS worked, check the list of associated wireless clients in the AP’s configuration utility.
The following figure shows a WPS-enabled wireless client (installed in a notebook computer) connecting to the WPS-enabled AP via the PIN method.
Figure 49 Example WPS Process: PIN Method
[Figure labels: ENROLLEE, REGISTRAR; This device’s WPS PIN: 123456; Enter WPS PIN from other device; WPS START within 2 minutes; SECURE EAP TUNNEL; SSID, WPA(2)-PSK; COMMUNICATION]
6.10.8.3 How WPS Works
When two WPS-enabled devices connect, each device must assume a specific role.
The following figure shows a WPS-enabled client (installed in a notebook computer) connecting to a WPS-enabled access point.
Figure 50 How WPS works
[Figure labels: ENROLLEE, REGISTRAR; ACTIVATE WPS within 2 minutes; WPS HANDSHAKE; SECURE TUNNEL; SECURITY INFO; COMMUNICATION]
The roles of registrar and enrollee last only as long as the WPS setup process is active (two minutes). The next time you use WPS, a different device can be the registrar if necessary.
is the registrar, and Client 1 is the enrollee. The registrar randomly generates the security information to set up the network, since it is unconfigured and has no existing information.
Figure 51 WPS: Example Network Step 1
[Figure labels: AP1 (REGISTRAR), CLIENT 1 (ENROLLEE), SECURITY INFO]
In step 2, you add another wireless client to the network.
In step 3, you add another access point (AP2) to your network. AP2 is out of range of AP1, so you cannot use AP1 for the WPS handshake with the new access point. However, you know that Client 2 supports the registrar function, so you use it to perform the WPS handshake instead.
Figure 53 WPS: Example Network Step 3
[Figure labels: CLIENT 1, AP1, EXISTING CONNECTION; CLIENT 2 (REGISTRAR), AP2 (ENROLLEE), SECURITY INFO]
6.10.8.
Chapter 6 Wireless • When you use the PBC method, there is a short period (from the moment you press the button on one device to the moment you press the button on the other device) when any WPS-enabled device could join the network. This is because the registrar has no way of identifying the “correct” enrollee, and cannot differentiate between your enrollee and a rogue device. This is a possible way for a hacker to gain access to a network. You can easily check to see if this has happened.
CHAPTER 7 LAN
7.1 Overview
A Local Area Network (LAN) is a shared communication system to which many networking devices are connected. It is usually located in one immediate area such as a building or floor of a building. Use the LAN screens to help you configure a LAN DHCP server and manage IP addresses.
[Figure labels: LAN, DSL]
7.1.1 What You Can Do in this Chapter
• Use the LAN Setup screen to set the LAN IP address, subnet mask, and DHCP settings of your Device (Section 7.2 on page 105).
Chapter 7 LAN 7.1.2 What You Need To Know 7.1.2.1 About LAN IP Address IP addresses identify individual devices on a network. Every networking device (including computers, servers, routers, printers, etc.) needs an IP address to communicate across the network. These networking devices are also known as hosts. Subnet Mask Subnet masks determine the maximum number of possible hosts on a network. You can also use subnet masks to divide one network into multiple sub-networks.
• Assigning lease times to mappings
Windows Messenger is an example of an application that supports NAT traversal and UPnP. See Chapter 10 on page 149 for more information on NAT.
Cautions with UPnP
The automated nature of NAT traversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments.
Chapter 7 LAN 3 Click Apply to save your settings. Figure 54 Network Setting > LAN > LAN Setup The following table describes the fields in this screen. Table 33 Network Setting > LAN > LAN Setup LABEL DESCRIPTION Interface Group Group Name Select the interface group name for which you want to configure LAN settings. See Chapter 12 on page 169 for how to create a new interface group/VLAN. Zone Select the security zone (LAN, WLAN, DMZ, or EXTRA) in which to include the LAN interface.
Chapter 7 LAN Table 33 Network Setting > LAN > LAN Setup (continued) LABEL DESCRIPTION IGMP Mode Select Standard Mode to have the Device forward multicast packets to a port that joins the multicast group and broadcast unknown multicast packets from the WAN to all LAN ports. Select Blocking Mode to have the Device block all unknown multicast packets from the WAN. DHCP Server State DHCP Select Enable to have the Device act as a DHCP server or DHCP relay agent.
Chapter 7 LAN Table 33 Network Setting > LAN > LAN Setup (continued) LABEL DESCRIPTION Delegate prefix from WAN Select this option to automatically obtain an IPv6 network prefix from the service provider or an uplink router. Static Select this option to configure a fixed IPv6 address for the Device’s LAN IPv6 address. Note: This fixed address is for local hosts to access the Web Configurator only as the global LAN IPv6 address might be changed by your ISP any time.
Chapter 7 LAN Table 33 Network Setting > LAN > LAN Setup (continued) LABEL DESCRIPTION IPv6 End Address If DHCPv6 is enabled, specify the last IPv6 address in the pool of addresses that can be assigned to DHCPv6 clients. IPv6 Domain Name If DHCPv6 is enabled, specify the domain name to be assigned to DHCPv6 clients. IPv6 Router Advertisement State RADVD State This shows the status of RADVD. Apply Click Apply to save your changes. Cancel Click Cancel to restore your previously saved settings. 7.
Chapter 7 LAN If you click Add new static lease in the Static DHCP screen or the Edit icon next to a static DHCP entry, the following screen displays. Figure 56 Static DHCP: Add/Edit The following table describes the labels in this screen. Table 35 Static DHCP: Add/Edit LABEL DESCRIPTION Active Select this to activate the connection between the client and the Device. Group Name Select the interface group name for which you want to configure static DHCP settings.
Chapter 7 LAN Use the following screen to configure the UPnP settings on your Device. Click Network Setting > LAN > UPnP to display the screen shown next. Figure 57 Network Setting > LAN > UPnP The following table describes the labels in this screen. Table 36 Network Setting > LAN > UPnP LABEL DESCRIPTION UPnP Select Enable to activate UPnP.
Chapter 7 LAN 2 Click on the Windows Setup tab and select Communication in the Components selection box. Click Details. Add/Remove Programs: Windows Setup: Communication 3 In the Communications window, select the Universal Plug and Play check box in the Components selection box.
4 Click OK to go back to the Add/Remove Programs Properties window and click Next.
5 Restart the computer when prompted.
Installing UPnP in Windows XP
Follow the steps below to install UPnP in Windows XP.
1 Click Start and Control Panel.
2 Double-click Network Connections.
3 In the Network Connections window, click Advanced in the main menu and select Optional Networking Components ….
[Screenshot: Network Connections]
4 The Windows Optional Networking Components Wizard window displays.
Chapter 7 LAN 5 In the Networking Services window, select the Universal Plug and Play check box. Networking Services 6 Click OK to go back to the Windows Optional Networking Component Wizard window and click Next. 7.6 Using UPnP in Windows XP Example This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the Device. Make sure the computer is connected to a LAN port of the Device. Turn on your computer and the Device.
2 Right-click the icon and select Properties.
[Screenshot: Network Connections]
3 In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created.
4 You may edit or delete the port mappings or click Add to manually add port mappings.
[Screenshots: Internet Connection Properties: Advanced Settings; Internet Connection Properties: Advanced Settings: Add]
5 When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically.
6 Select the Show icon in notification area when connected option and click OK. An icon displays in the system tray.
7 Double-click on the icon to display your current Internet connection status.
[Screenshot: Internet Connection Status]
Web Configurator Easy Access
With UPnP, you can access the web-based configurator on the Device without finding out the IP address of the Device first. This is helpful if you do not know the IP address of the Device.
Follow the steps below to access the web configurator.
1 Click Start and then Control Panel.
2 Double-click Network Connections.
Chapter 7 LAN 3 Select My Network Places under Other Places. Network Connections 4 An icon with the description for each UPnP-enabled device displays under Local Network. 5 Right-click on the icon for your Device and select Invoke. The web configurator login screen displays.
Chapter 7 LAN 6 Right-click on the icon for your Device and select Properties. A properties window displays with basic information about the Device.
Chapter 7 LAN 7.7 The Additional Subnet Screen Use the Additional Subnet screen to configure IP alias and public static IP. IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The Device supports multiple logical LAN interfaces via its physical Ethernet interface with the Device itself as the gateway for the LAN network. When you use IP alias, you can also configure firewall rules to control access to the LAN's logical network (subnet).
Chapter 7 LAN Table 37 Network Setting > LAN > Additional Subnet (continued) LABEL DESCRIPTION Offer Public IP by DHCP Select the check box to enable the Device to provide public IP addresses by DHCP server. Enable ARP Proxy Select the checkbox to enable the ARP (Address Resolution Protocol) proxy. Apply Click Apply to save your changes. Cancel Click Cancel to exit this screen without saving. 7.
7.9.1 LANs, WANs and the Device
The actual physical connection determines whether the Device ports are LAN or WAN ports. There are two separate IP networks, one inside the LAN network and the other outside the WAN network as shown next.
Figure 60 LAN and WAN IP Addresses
[Figure labels: LAN, WAN]
7.9.2 DHCP Setup
DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server.
Chapter 7 LAN • Some ISPs choose to disseminate the DNS server addresses using the DNS server extensions of IPCP (IP Control Protocol) after the connection is up. If your ISP did not give you explicit DNS servers, chances are the DNS servers are conveyed through IPCP negotiation. The Device supports the IPCP DNS server extensions through the DNS proxy feature. Please note that DNS proxy works only when the ISP uses the IPCP DNS server extensions.
Chapter 7 LAN You can obtain your IP address from the IANA, from an ISP or it can be assigned from a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks. On the other hand, if you are part of a much larger organization, you should consult your network administrator for the appropriate IP addresses.
CHAPTER 8 Routing
8.1 Overview
The Device usually uses the default gateway to route outbound traffic from computers on the LAN to the Internet. To have the Device send data to devices not reachable through the default gateway, use static routes.
For example, the next figure shows a computer (A) connected to the Device’s LAN interface. The Device routes most traffic from A to the Internet through the Device’s default gateway (R1).
Chapter 8 Routing 8.2 The Routing Screen Use this screen to view and configure the static route rules on the Device. Click Network Setting > Routing > Static Route to open the following screen. Figure 62 Network Setting > Routing > Static Route The following table describes the labels in this screen. Table 39 Network Setting > Routing > Static Route LABEL DESCRIPTION Add new static route Click this to configure a new static route. # This is the index number of the entry.
Chapter 8 Routing 8.2.1 Add/Edit Static Route Use this screen to add or edit a static route. Click Add new static route in the Routing screen or the Edit icon next to the static route you want to edit. The screen shown next appears. Figure 63 Routing: Add/Edit The following table describes the labels in this screen. Table 40 Routing: Add/Edit LABEL DESCRIPTION Active This field allows you to activate/deactivate this static route. Select this to enable the static route.
You can use source-based policy forwarding to direct traffic from different users through different connections or distribute traffic among multiple paths for load sharing.
The Policy Forwarding screen lets you view and configure routing policies on the Device. Click Network Setting > Routing > Policy Forwarding to open the following screen.
Figure 64 Network Setting > Routing > Policy Forwarding
The following table describes the labels in this screen.
Chapter 8 Routing 8.3.1 Add/Edit Policy Forwarding Click Add new Policy Forward Rule in the Policy Forwarding screen or click the Edit icon next to a policy. Use this screen to configure the required information for a policy route. Figure 65 Policy Forwarding: Add/Edit The following table describes the labels in this screen. Table 42 Policy Forwarding: Add/Edit LABEL DESCRIPTION Policy Name Enter a descriptive name of up to 8 printable English keyboard characters, not including spaces.
Chapter 8 Routing Click Network Setting > Routing > RIP to open the RIP screen. Figure 66 RIP The following table describes the labels in this screen. Table 43 Network Setting > Routing > RIP LABEL DESCRIPTION Interface This is the name of the interface in which the RIP setting is used. Version The RIP version controls the format and the broadcasting method of the RIP packets that the Device sends (it recognizes both formats when receiving).
CHAPTER 9 Quality of Service (QoS)
9.1 Overview
Quality of Service (QoS) refers to both a network’s ability to deliver data with minimum delay, and the networking methods used to control the use of bandwidth. Without QoS, all traffic data is equally likely to be dropped when the network is congested. This can cause a reduction in network performance and make the network inadequate for time-critical applications such as video-on-demand.
9.2 What You Need to Know
The following terms and concepts may help as you read through this chapter.
QoS versus CoS
QoS is used to prioritize source-to-destination traffic flows. All packets in the same flow are given the same priority. CoS (class of service) is a way of managing traffic in a network by grouping similar types of traffic together and treating each type as a class. You can use CoS to give different priorities to different packet types.
Chapter 9 Quality of Service (QoS) Traffic Policing Traffic policing is the limiting of the input or output transmission rate of a class of traffic on the basis of user-defined criteria. Traffic policing methods measure traffic flows against user-defined criteria and identify it as either conforming, exceeding or violating the criteria.
Chapter 9 Quality of Service (QoS) The following table describes the labels in this screen. Table 44 Network Setting > QoS > General LABEL DESCRIPTION QoS Select the Enable check box to turn on QoS to improve your network performance. WAN Managed Upstream Bandwidth Enter the amount of upstream bandwidth for the WAN interfaces that you want to allocate using QoS. The recommendation is to set this speed to match the interfaces’ actual transmission speed.
Chapter 9 Quality of Service (QoS) Use this screen to configure QoS queue assignment. Figure 68 Network Setting > QoS > Queue Setup The following table describes the labels in this screen. Table 45 Network Setting > QoS > Queue Setup LABEL DESCRIPTION Add new Queue Click this button to create a new queue entry. # This is the index number of the entry. Status This field displays whether the queue is active or not. A yellow bulb signifies that this queue is active.
Chapter 9 Quality of Service (QoS) 9.4.1 Adding a QoS Queue Click Add new Queue or the edit icon in the Queue Setup screen to configure a queue. Figure 69 Queue Setup: Add The following table describes the labels in this screen. Table 46 Queue Setup: Add LABEL DESCRIPTION Active Select to enable or disable this queue. Name Enter the descriptive name of this queue. Interface Select the interface to which this queue is applied. This field is read-only if you are editing the queue.
Chapter 9 Quality of Service (QoS) You can give different priorities to traffic that the Device forwards out through the WAN interface. Give high priority to voice and video to make them run more smoothly. Similarly, give low priority to many large file downloads so that they do not reduce the quality of other applications. Click Network Setting > QoS > Class Setup to open the following screen. Figure 70 Network Setting > QoS > Class Setup The following table describes the labels in this screen.
Chapter 9 Quality of Service (QoS) 9.5.1 Add/Edit QoS Class Click Add new Classifier in the Class Setup screen or the Edit icon next to a classifier to open the following screen.
Chapter 9 Quality of Service (QoS) The following table describes the labels in this screen. Table 48 Class Setup: Add/Edit LABEL DESCRIPTION Active Select this to enable this classifier. Class Name Enter a descriptive name of up to 15 printable English keyboard characters, not including spaces. Classification Order Select an existing number for where you want to put this classifier to move the classifier to the number you selected after clicking Apply.
Table 48 Class Setup: Add/Edit (continued)
LABEL: DESCRIPTION
Service: This field is available only when you select IP in the Ether Type field. This field simplifies classifier configuration by allowing you to select a predefined application. When you select a predefined application, you do not configure the rest of the filter fields.
IP Protocol: This field is available only when you select IP in the Ether Type field.
Chapter 9 Quality of Service (QoS) Table 48 Class Setup: Add/Edit (continued) LABEL DESCRIPTION To Queue Index Select a queue that applies to this class. You should have configured a queue in the Queue Setup screen already. Apply Click Apply to save your changes. Cancel Click Cancel to exit this screen without saving. 9.6 The QoS Policer Setup Screen Use this screen to configure QoS policers that allow you to limit the transmission rate of incoming traffic.
Chapter 9 Quality of Service (QoS) 9.6.1 Add/Edit a QoS Policer Click Add new Policer in the Policer Setup screen or the Edit icon next to a policer to show the following screen. Figure 73 Policer Setup: Add/Edit The following table describes the labels in this screen. Table 50 Policer Setup: Add/Edit LABEL DESCRIPTION Active Select the check box to activate this policer. Name Enter the descriptive name of this policer. Meter Type This shows the traffic metering algorithm used in this policer.
Chapter 9 Quality of Service (QoS) Table 50 Policer Setup: Add/Edit (continued) LABEL DESCRIPTION NonConforming Action Specify what the Device does for packets that exceed the excess burst size or peak rate and burst size (red-marked packets). Available Class Select a QoS classifier to apply this QoS policer to traffic that matches the QoS classifier. Selected Class Highlight a QoS classifier in the Available Class box and use the > button to move it to the Selected Class box.
Chapter 9 Quality of Service (QoS) Table 51 Network Setting > QoS > Monitor (continued) LABEL DESCRIPTION Pass Rate This shows how many packets assigned to this queue are transmitted successfully. Drop Rate This shows how many packets assigned to this queue are dropped. 9.8 Technical Reference The following section contains additional technical information about the Device features described in this chapter. IEEE 802.1Q Tag The IEEE 802.
negotiate paths or remember state information for every flow. In addition, applications do not have to request a particular service or give advance notice of where the traffic is going.
DSCP and Per-Hop Behavior
DiffServ defines a new Differentiated Services (DS) field to replace the Type of Service (TOS) field in the IP header. The DS field contains a 2-bit unused field and a 6-bit DSCP field which can define up to 64 service levels.
Table 53 Internal Layer2 and Layer3 QoS Mapping
PRIORITY QUEUE | LAYER 2: IEEE 802.1P USER PRIORITY (ETHERNET PRIORITY) | LAYER 3: TOS (IP PRECEDENCE) | LAYER 3: DSCP | LAYER 3: IP PACKET LENGTH (BYTE)
4 | 4 | 2 | 010110, 010100, 010010, 010000 |
5 | 5 | 3 | 011110, 011100, 011010, 011000 | <250
6 | 6 | 4 | 100110, 100100, 100010, 100000 |
  |   | 5 | 101110, 101000 |
7 | 7 | 6 | 110000 |
  |   | 7 | 111000 |
Token Bucket
The token bucket algorithm uses tokens in a bucket to control when traffic can be transmitted.
Chapter 9 Quality of Service (QoS) Configure the bucket size to be equal to or less than the amount of the bandwidth that the interface can support. It does not help if you set it to a bucket size over the interface’s capability. The smaller the bucket size, the lower the data transmission rate and that may cause outgoing packets to be dropped. A larger transmission rate requires a big bucket size. For example, use a bucket size of 10 kbytes to get the transmission rate up to 10 Mbps.
All packets are evaluated against the PIR. If a packet exceeds the PIR it is marked red. Otherwise it is evaluated against the CIR. If it exceeds the CIR then it is marked yellow. Finally, if it is below the CIR then it is marked green.
The following shows how tokens work with incoming packets in trTCM:
• A packet arrives.
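The PIR-then-CIR evaluation described above can be followed packet by packet in the sketch below. It is an added example, not ZyXEL firmware code: it implements the color-blind two rate three color marker as specified in RFC 2698, and the burst-size names (CBS, PBS), the rates, the drop-red policy and the sample packets are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class TrTCM:
    """Color-blind two rate three color marker (after RFC 2698)."""
    cir: float  # committed information rate, bytes per second
    cbs: int    # committed burst size in bytes (capacity of bucket C)
    pir: float  # peak information rate, bytes per second
    pbs: int    # peak burst size in bytes (capacity of bucket P)

    def __post_init__(self):
        if self.pir < self.cir:
            raise ValueError("PIR must be at least CIR")
        # Both token buckets start full.
        self.tc = float(self.cbs)
        self.tp = float(self.pbs)
        self.last = 0.0

    def _refill(self, now):
        """Add tokens for the elapsed time, capped at each bucket's size."""
        elapsed = now - self.last
        if elapsed < 0:
            raise ValueError("timestamps must not go backwards")
        self.tc = min(float(self.cbs), self.tc + elapsed * self.cir)
        self.tp = min(float(self.pbs), self.tp + elapsed * self.pir)
        self.last = now

    def mark(self, now, size):
        """Return the color for a packet of `size` bytes arriving at `now`."""
        self._refill(now)
        if size > self.tp:      # exceeds the peak rate: no tokens consumed
            return "red"
        self.tp -= size
        if size > self.tc:      # within PIR but exceeds the committed rate
            return "yellow"
        self.tc -= size         # within both rates
        return "green"


def police(meter, packets, drop=("red",)):
    """Mark every (time, size) packet; return (colors, bytes forwarded).

    Dropping red packets is an assumed non-conforming action.
    """
    colors, forwarded = [], 0
    for now, size in packets:
        color = meter.mark(now, size)
        colors.append(color)
        if color not in drop:
            forwarded += size
    return colors, forwarded


# Constructed sample traffic: a burst of four 1000-byte packets, then a trickle.
CONSTRUCTED_PACKETS = [
    (0.0, 1000), (0.0, 1000), (0.0, 1000), (0.0, 1000),
    (0.5, 1000), (0.75, 1000), (1.5, 1000),
]


def demo():
    # Assumed policer settings: CIR 1000 B/s, CBS 1500 B, PIR 2000 B/s, PBS 3000 B.
    meter = TrTCM(cir=1000, cbs=1500, pir=2000, pbs=3000)
    return police(meter, CONSTRUCTED_PACKETS)


if __name__ == "__main__":
    colors, forwarded = demo()
    for (now, size), color in zip(CONSTRUCTED_PACKETS, colors):
        print(f"t={now:<5} size={size} -> {color}")
    print("bytes forwarded:", forwarded)
```

The burst at t=0 shows why the burst sizes matter as much as the rates: the first packet fits both buckets, the next two only fit the peak bucket, and the fourth finds the peak bucket empty.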
CHAPTER 10 Network Address Translation (NAT)
10.1 Overview
This chapter discusses how to configure NAT on the Device. NAT (Network Address Translation, RFC 1631) is the translation of the IP address of a host in a packet, for example, the source address of an outgoing packet, used within one network to a different IP address known within another network.
10.1.
Chapter 10 Network Address Translation (NAT) WAN side. When the response comes back, NAT translates the destination address (the inside global address) back to the inside local address before forwarding it to the original inside host. Port Forwarding A port forwarding set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make visible to the outside world even though NAT makes your whole inside network appear as a single computer to the outside world.
third (C in the example). You assign the LAN IP addresses and the ISP assigns the WAN IP address. The NAT network appears as a single host on the Internet.
Figure 75 Multiple Servers Behind NAT Example
[Figure labels: LAN servers A=192.168.1.33, B=192.168.1.34, C=192.168.1.3, D=192.168.1.36; Device LAN address 192.168.1.1; WAN IP Address assigned by ISP]
Click Network Setting > NAT > Port Forwarding to open the following screen.
Table 54 Network Setting > NAT > Port Forwarding (continued)
LABEL: DESCRIPTION
Protocol: This shows the IP protocol supported by this virtual server, whether it is TCP, UDP, or TCP/UDP.
Modify: Click the Edit icon to edit this rule. Click the Delete icon to delete an existing rule.
10.2.1 Add/Edit Port Forwarding
Click Add new rule in the Port Forwarding screen or click the Edit icon next to an existing rule to open the following screen.
Chapter 10 Network Address Translation (NAT) Table 55 Port Forwarding: Add/Edit (continued) LABEL DESCRIPTION End Port Enter the last port of the original destination port range. To forward only one port, enter the port number in the Start Port field above and then enter it again in this field. To forward a series of ports, enter the last port number in a series that begins with the port number in the Start Port field above.
Chapter 10 Network Address Translation (NAT) 10.3.1 Add New Application This screen lets you create new NAT application rules. Click Add new application in the Applications screen to open the following screen. Figure 79 Applications: Add The following table describes the labels in this screen. Table 57 Applications: Add LABEL DESCRIPTION WAN Interface Select the WAN interface that you want to apply this NAT rule to. Server IP Address Enter the inside IP address of the application here.
For example:

Figure 80 Trigger Port Forwarding Process: Example

1 Jane requests a file from the Real Audio server (port 7070).
2 Port 7070 is a “trigger” port and causes the Device to record Jane’s computer IP address. The Device associates Jane's computer IP address with the "open" port range of 6970-7170.
3 The Real Audio server responds using a port number ranging between 6970-7170.
4 The Device forwards the traffic to Jane’s computer IP address.
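The trigger process above, modelled as a small state table. This is an added example, not the Device's firmware code: the 180-second idle timer, the rule that a second client cannot take over an armed range, and Jane's address are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TriggerRule:
    name: str
    trigger_ports: range  # outbound destination ports that arm the rule
    open_ports: range     # inbound destination ports forwarded while armed


@dataclass
class PortTriggerTable:
    rules: List[TriggerRule]
    idle_timeout: float = 180.0  # assumed timer in seconds; not given on the page
    # rule name -> (LAN IP that armed the rule, time of last matching packet)
    bindings: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def _owner(self, rule: TriggerRule, now: float) -> Optional[str]:
        """Return the LAN IP bound to the rule, dropping a stale binding."""
        entry = self.bindings.get(rule.name)
        if entry is None:
            return None
        lan_ip, last_seen = entry
        if now - last_seen > self.idle_timeout:
            del self.bindings[rule.name]
            return None
        return lan_ip

    def outbound(self, lan_ip: str, dst_port: int, now: float) -> Optional[str]:
        """LAN -> WAN packet. Returns the rule name if lan_ip now owns it."""
        for rule in self.rules:
            if dst_port not in rule.trigger_ports:
                continue
            owner = self._owner(rule, now)
            if owner in (None, lan_ip):
                self.bindings[rule.name] = (lan_ip, now)
                return rule.name
            return None  # assumed: another client already holds the open range
        return None

    def inbound(self, dst_port: int, now: float) -> Optional[str]:
        """WAN -> LAN packet. Returns the LAN IP to forward to, or None (drop)."""
        for rule in self.rules:
            if dst_port in rule.open_ports:
                owner = self._owner(rule, now)
                if owner is not None:
                    self.bindings[rule.name] = (owner, now)  # traffic refreshes timer
                    return owner
        return None  # no armed rule: WAN-to-LAN traffic stays blocked


# Rule from the example: trigger port 7070, open ports 6970-7170 inclusive.
REAL_AUDIO = TriggerRule("RealAudio", range(7070, 7071), range(6970, 7171))
JANE = "192.168.1.50"  # constructed LAN address


def demo() -> List[Optional[str]]:
    table = PortTriggerTable([REAL_AUDIO])
    return [
        table.inbound(7000, now=0.0),         # before the trigger: dropped
        table.outbound(JANE, 7070, now=1.0),  # step 1-2: rule armed for Jane
        table.inbound(7000, now=2.0),         # step 3-4: forwarded to Jane
        table.inbound(7000, now=200.0),       # idle past the timer: dropped again
    ]


if __name__ == "__main__":
    print(demo())
```

The open range is reachable from any WAN source while the binding is live, so keep open ranges as narrow as the application allows.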
Chapter 10 Network Address Translation (NAT) Table 58 Network Setting > NAT > Port Triggering (continued) LABEL DESCRIPTION Open Start Port The open port is a port (or a range of ports) that a server on the WAN uses when it sends out a particular service. The Device forwards the traffic with this port (or range of ports) to the client computer on the LAN that requested the service. This is the first port number that identifies a service.
Chapter 10 Network Address Translation (NAT) Table 59 Port Triggering: Configuration Add/Edit (continued) LABEL DESCRIPTION Open Start Port The open port is a port (or a range of ports) that a server on the WAN uses when it sends out a particular service. The Device forwards the traffic with this port (or range of ports) to the client computer on the LAN that requested the service. Type a port number or the starting port number in a range of port numbers.
Chapter 10 Network Address Translation (NAT) 10.6 The ALG Screen Some NAT routers may include a SIP Application Layer Gateway (ALG). A SIP ALG allows SIP calls to pass through NAT by examining and translating IP addresses embedded in the data stream. When the Device registers with the SIP register server, the SIP ALG translates the Device’s private IP address inside the SIP data stream to a public IP address. You do not need to use STUN or an outbound proxy if your Device is behind a SIP ALG.
Chapter 10 Network Address Translation (NAT) The following table describes the fields in this screen. Table 62 Network Setting > NAT > Address Mapping LABEL DESCRIPTION Add new rule Click this to create a new rule. Set This is the index number of the address mapping set. Local Start IP This is the starting Inside Local IP Address (ILA). Local End IP This is the ending Inside Local IP Address (ILA). This field is blank for One-to-One mapping types. Type This is the address mapping type.
Chapter 10 Network Address Translation (NAT) The following table describes the fields in this screen. Table 63 Address Mapping: Add/Edit LABEL DESCRIPTION Type Choose the IP/port mapping type from one of the following. One-to-One: This mode maps one local IP address to one global IP address. Note that port numbers do not change for the One-to-one NAT mapping type. Many-to-One: This mode maps multiple local IP addresses to one global IP address.
Chapter 10 Network Address Translation (NAT) Note that inside/outside refers to the location of a host, while global/local refers to the IP address of a host used in a packet. Thus, an inside local address (ILA) is the IP address of an inside host in a packet when the packet is still in the local network, while an inside global address (IGA) is the IP address of the same inside host when the packet is on the WAN side. The following table summarizes this information.
Chapter 10 Network Address Translation (NAT) 10.8.3 How NAT Works Each packet has two addresses – a source address and a destination address. For outgoing packets, the ILA (Inside Local Address) is the source address on the LAN, and the IGA (Inside Global Address) is the source address on the WAN. For incoming packets, the ILA is the destination address on the LAN, and the IGA is the destination address on the WAN.
Chapter 10 Network Address Translation (NAT) 10.8.4 NAT Application The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP alias) behind the Device can communicate with three distinct WAN networks. Figure 88 NAT Application With IP Alias Port Forwarding: Services and Port Numbers The most often used port numbers are shown in the following table. Please refer to RFC 1700 for further information about port numbers.
Chapter 10 Network Address Translation (NAT) Port Forwarding Example Let's say you want to assign ports 21-25 to one FTP, Telnet and SMTP server (A in the example), port 80 to another (B in the example) and assign a default server IP address of 192.168.1.35 to a third (C in the example). You assign the LAN IP addresses and the ISP assigns the WAN IP address. The NAT network appears as a single host on the Internet. Figure 89 Multiple Servers Behind NAT Example A=192.168.1.33 192.168.1.1 B=192.168.1.
Chapter 11 Dynamic DNS Setup

11.1 Overview

DNS

DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. In addition to the system DNS server(s), each WAN interface (service) is set to have its own static or dynamic DNS server list.
Chapter 11 Dynamic DNS Setup 11.1.2 What You Need To Know DYNDNS Wildcard Enabling the wildcard feature for your host causes *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. This feature is useful if you want to be able to use, for example, www.yourhost.dyndns.org and still reach your hostname. If you have a private WAN IP address, then you cannot use Dynamic DNS. 11.2 The DNS Entry Screen Use this screen to view and configure a domain name and DNS routes on the Device.
Chapter 11 Dynamic DNS Setup 11.2.1 Add/Edit DNS Entry You can manually add or edit the Device’s DNS name and IP address entry. Click Add new DNS entry in the DNS Entry screen or the Edit icon next to the entry you want to edit. The screen shown next appears. Figure 91 DNS Entry: Add/Edit The following table describes the labels in this screen. Table 67 DNS Entry: Add/Edit LABEL DESCRIPTION FQDN Enter the host name of the DNS entry. IP Address Enter the IP address of the DNS entry.
The following table describes the fields in this screen.

Table 68 Network Setting > DNS > Dynamic DNS
LABEL DESCRIPTION
Dynamic DNS Select Enable to use dynamic DNS.
Service Provider Select your Dynamic DNS service provider from the drop-down list box.
Hostname Type the domain name assigned to your Device by your Dynamic DNS provider. You can specify up to two host names in the field separated by a comma (",").
Username Type your user name.
Chapter 12 Interface Group/VLAN

12.1 Overview

By default, the four LAN interfaces on the Device are in the same group and can communicate with each other. Creating a new interface will create a new LAN bridge interface (subnet) (for example, 192.168.2.0/24) that acts as a dependent LAN network, and is a different subnet from the default LAN subnet (192.168.1.0/24).

12.2 The Interface Group/VLAN Screen

You can manually add a LAN interface to a new group.
Chapter 12 Interface Group/VLAN The following table describes the fields in this screen. Table 69 Network Setting > Interface Group/VLAN LABEL DESCRIPTION Add New Interface Group Click this button to create a new interface group. Status The icon shows whether the interface group is active or not. An inactive interface group does not pass or accept traffic through its member ports. A yellow bulb signifies an active interface group. A gray bulb signifies an inactive interface group.
Chapter 12 Interface Group/VLAN The following table describes the fields in this screen. Table 70 Interface Group Configuration LABEL DESCRIPTION Group Name Enter a name to identify this group. You can enter up to 30 characters. You can use letters, numbers, hyphens (-) and underscores (_). Spaces are not allowed. 802.1p IEEE 802.1p defines up to 8 separate traffic types by inserting a tag into a MAC layer frame that contains bits to define class of service. Select the IEEE 802.
Chapter 12 Interface Group/VLAN 12.2.2 Interface Grouping Criteria Click the Add button in the Interface Grouping Configuration screen to open the following screen. Figure 95 Interface Grouping Criteria The following table describes the fields in this screen. Table 71 Interface Grouping Criteria LABEL DESCRIPTION Source MAC Address Enter the source MAC address of the packet.
Table 71 Interface Grouping Criteria (continued)
LABEL DESCRIPTION
Enterprise Number Enter the vendor’s 32-bit enterprise number registered with the IANA (Internet Assigned Numbers Authority).
Manufacturer OUI Specify the vendor’s OUI (Organizationally Unique Identifier). It is usually the first three bytes of the MAC address.
Product Class Enter the product class of the device.
Model Name Enter the model name of the device.
Chapter 13 USB Service

13.1 Overview

The Device has a USB port used to share files via a USB memory stick or a USB hard drive. In the USB Service screens, you can enable the file-sharing server.

13.1.1 What You Can Do in this Chapter

• Use the File Sharing screen to enable file-sharing server (Section 13.2 on page 176).

13.1.2 What You Need To Know

The following terms and concepts may help as you read this chapter.
Chapter 13 USB Service Samba SMB is a client-server protocol used by Microsoft Windows systems for sharing files, printers, and so on. Samba is a free SMB server that runs on most Unix and Unix-like systems. It provides an implementation of an SMB client and server for use with non-Microsoft operating systems. It allows file and print sharing between computers running Windows and computers running Unix. 13.
Chapter 13 USB Service 2 The Device detects the USB device and makes its contents available for browsing. If you are connecting a USB hard drive that comes with an external power supply, make sure it is connected to an appropriate power source that is on. Note: If your USB device cannot be detected by the Device, see the troubleshooting for suggestions. Use this screen to set up file sharing using the Device. To access this screen, click Network Setting > USB Service.
Chapter 14 Firewall

14.1 Overview

This chapter shows you how to enable and configure the Device’s security settings. Use the firewall to protect your Device and network from attacks by hackers on the Internet and control access to it. By default the firewall:

• allows traffic that originates from your LAN computers to go to all other networks.
• blocks traffic that originates on other networks from going to the LAN.

The following figure illustrates the default firewall action.
14.1.2 What You Need to Know

SYN Attack

A SYN attack floods a targeted system with a series of SYN packets. Each packet causes the targeted system to issue a SYN-ACK response. While the targeted system waits for the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on a backlog queue. SYN-ACKs are moved off the queue only when an ACK comes back or when an internal timer terminates the three-way handshake.
Chapter 14 Firewall 14.2 The Firewall Screen Use this screen to configure the Device’s basic firewall settings including permitting or dropping traffic traveling in specific directions between specific security zones. Click Security > Firewall to display the General screen. Figure 99 Security > Firewall > General The following table describes the labels in this screen.
Chapter 14 Firewall Click Security > Firewall > Service to display the following screen. Figure 100 Security > Firewall > Service The following table describes the labels in this screen. Table 74 Security > Firewall > Service LABEL DESCRIPTION Add new service entry Click this to add a new service. Name This is the name of your customized service. Description This is the description of your customized service.
Chapter 14 Firewall 14.3.1 Add/Edit a Service Use this screen to add a customized service rule that you can use in the firewall’s ACL rule configuration. Click Add new service entry or the edit icon next to an existing service rule in the Service screen to display the following screen. Figure 101 Service: Add/Edit The following table describes the labels in this screen.
Chapter 14 Firewall Table 75 Service: Add/Edit (continued) LABEL DESCRIPTION Service Description Enter a description for your customized port. Apply Click Apply to save your changes. Cancel Click Cancel to exit this screen without saving. 14.4 The Access Control Screen Click Security > Firewall > Access Control to display the following screen. This screen displays a list of the configured incoming or outgoing filtering rules.
Chapter 14 Firewall Table 76 Security > Firewall > Access Control (continued) LABEL DESCRIPTION Name This displays the name of the rule. From This displays the source security zone of traffic to which the rule applies. To This displays the destination security zone of traffic to which the rule applies. Src IP This displays the source IP addresses to which this rule applies. Please note that a blank source address is equivalent to Any.
Chapter 14 Firewall The following table describes the labels in this screen. Table 77 Access Control: Add/Edit LABEL DESCRIPTION Enable Select this to turn on the ACL rule. Logging Select this to have the Device log when it performs the ACL rule’s selected action on the traffic traveling between the two zones. Filter Name Enter a descriptive name of up to 16 alphanumeric characters, not including spaces, underscores, and dashes. You must enter the filter name to add an ACL rule.
Table 77 Access Control: Add/Edit (continued)
LABEL DESCRIPTION
Enable Rate Limit Select this check box to set a limit on the upstream/downstream transmission rate for the specified protocol. Specify how many packets per minute or second the transmission rate is.
Scheduler Rules Select a schedule rule for this ACL rule from the drop-down list box. You can configure a new schedule rule by clicking Add New Rule. This will bring you to the Security > Scheduler Rules screen.
Chapter 15 MAC Filter

15.1 Overview

You can configure the Device to permit access to clients based on their MAC addresses in the MAC Filter screen. This applies to wired and wireless connections. Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. You need to know the MAC addresses of the devices to configure this screen.

15.
Chapter 15 MAC Filter The following table describes the labels in this screen. Table 79 Security > MAC Filter LABEL DESCRIPTION MAC Address Filter Select Enable to activate the MAC filter function. Set This is the index number of the MAC address. Allow Select Allow to permit access to the Device. MAC addresses not listed will be denied access to the Device. If you clear this, the MAC Address field for this set clears.
Chapter 16 User Access Control

16.1 Overview

User Access control allows you to block web sites with the specific URL. You can also define time periods and days during which the Device performs User Access control on a specific user.

16.2 The User Access Control Screen

Use this screen to enable User Access control, view the User Access control rules and schedules. Click Security > User Access Control to open the following screen.
Chapter 16 User Access Control Table 80 Security > User Access Control (continued) LABEL DESCRIPTION Network Service This shows whether the network service is configured. If not, None will be shown. Website Block This shows whether the website block is configured. If not, None will be shown. Modify Click the Edit icon to go to the screen where you can edit the rule. Click the Delete icon to delete an existing rule. Apply Click Apply to save your changes.
Chapter 16 User Access Control The following table describes the fields in this screen. Table 81 User Access Control Rule: Add/Edit LABEL DESCRIPTION General Active Select the check box to activate this User Access control rule. User Access Control Profile Name Enter a descriptive name for the rule. Network User Select the LAN user that you want to apply this rule to from the drop-down list box. If you select Custom, enter the LAN user’s MAC address.
Chapter 17 Scheduler Rules

17.1 Overview

You can define time periods and days during which the Device performs scheduled rules of certain features (such as Firewall Access Control, User Access Control) on a specific user in the Scheduler Rules screen.

17.2 The Scheduler Rules Screen

Use this screen to view, add, or edit time schedule rules. Click Security > Scheduler Rules to open the following screen.

Figure 108 Security > Scheduler Rules

The following table describes the fields in this screen.
Chapter 17 Scheduler Rules 17.2.1 Add/Edit a Schedule Click the Add button in the Scheduler Rules screen or click the Edit icon next to a schedule rule to open the following screen. Use this screen to configure a restricted access schedule for a specific user on your network. Figure 109 Scheduler Rules: Add/Edit The following table describes the fields in this screen.
Chapter 18 Certificates

18.1 Overview

The Device can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use in authentication.

18.1.1 What You Can Do in this Chapter

• The Local Certificates screen lets you generate certification requests and import the Device's CA-signed certificates (Section 18.4 on page 201).
Chapter 18 Certificates 18.3 The Local Certificates Screen Click Security > Certificates to open the Local Certificates screen. This is the Device’s summary list of certificates and certification requests. Figure 110 Security > Certificates > Local Certificates The following table describes the labels in this screen.
Chapter 18 Certificates 18.3.1 Create Certificate Request Click Security > Certificates > Local Certificates and then Create Certificate Request to open the following screen. Use this screen to have the Device generate a certification request. Figure 111 Create Certificate Request The following table describes the labels in this screen. Table 85 Create Certificate Request LABEL DESCRIPTION Certificate Name Type up to 63 ASCII characters (not including spaces) to identify this certificate.
Chapter 18 Certificates Figure 112 Certificate Request Created 18.3.2 Load Signed Certificate After you create a certificate request and have it signed by a Certificate Authority, in the Local Certificates screen click the certificate request’s Load Signed icon to import the signed certificate into the Device. Note: You must remove any spaces from the certificate’s filename before you can import it.
Chapter 18 Certificates The following table describes the labels in this screen. Table 86 Load Signed Certificate LABEL DESCRIPTION Certificate Name This is the name of the signed certificate. Certificate Copy and paste the signed certificate into the text box to store it on the Device. Apply Click Apply to save your changes. Cancel Click Cancel to exit this screen without saving. 18.4 The Trusted CA Screen Click Security > Certificates > Trusted CA to open the following screen.
Chapter 18 Certificates 18.4.1 View Trusted CA Certificate Click the View icon in the Trusted CA screen to open the following screen. Use this screen to view in-depth information about the certification authority’s certificate. Figure 115 Trusted CA: View The following table describes the fields in this screen. Table 88 Trusted CA: View LABEL DESCRIPTION Name This field displays the identifying name of this certificate. Type This field displays general information about the certificate.
Chapter 18 Certificates 18.4.2 Import Trusted CA Certificate Click the Import Certificate button in the Trusted CA screen to open the following screen. The Device trusts any valid certificate signed by any of the imported trusted CA certificates. Figure 116 Trusted CA: Import Certificate The following table describes the fields in this screen.
Chapter 19 IPSec VPN

19.1 Overview

A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing. It is used to transport traffic over the Internet or any insecure network that uses TCP/IP for communication.
Chapter 19 IPSec VPN 19.3 What You Need To Know A VPN tunnel is usually established in two phases. Each phase establishes a security association (SA), a contract indicating what security parameters the Device and the remote IPSec router will use. The first phase establishes an Internet Key Exchange (IKE) SA between the Device and remote IPSec router.
Chapter 19 IPSec VPN Click VPN > IPSec VPN to display the Setup screen. This is a read-only menu of your IPSec VPN rules (tunnels). Edit a VPN rule by clicking the Edit icon. Note: The default IPsec rule Default_L2TPVPN cannot be disconnected on the VPN > IPSec VPN > Monitor screen. However, you may disconnect L2TP tunnels in the VPN > L2TP > Monitor screen. Figure 120 VPN > IPSec VPN > Setup The following table describes the fields in this screen.
19.4.2 The VPN Connection Add/Edit Screen

Configure the VPN connection settings in the IPSec VPN > Setup > Edit screen.

Figure 121 VPN > IPSec VPN > Setup > Edit

The following table describes the labels in this screen.

Table 91 VPN > IPSec VPN > Setup > Edit
LABEL DESCRIPTION
General
Enable Select the checkbox to activate this VPN policy.
Chapter 19 IPSec VPN Table 91 VPN > IPSec VPN > Setup > Edit (continued) LABEL DESCRIPTION Connection Name Enter a name to identify this VPN policy. If you are editing an existing policy, this field is not editable. Note: The Connection Name of an IPsec rule must be unique and cannot be changed once it has been created. Nailed-up Select this if you want the Device to automatically renegotiate the IPSec SA when the VPN connection is down.
Chapter 19 IPSec VPN Table 91 VPN > IPSec VPN > Setup > Edit (continued) LABEL DESCRIPTION Pre-Shared Key Select this to have the Device and remote IPSec router use a pre-shared key (password) to identify each other when they negotiate the IKE SA. Type the pre-shared key in the field to the right. The pre-shared key can be • • 8 - 32 keyboard characters except (=) equals sign, (-) dash, (/) slash, (\) backslash, or (",') quotation marks.
Chapter 19 IPSec VPN Table 91 VPN > IPSec VPN > Setup > Edit (continued) LABEL DESCRIPTION Phase 1 Phase 1 Encryption and Authentication can have up to 3 algorithm pairs. You cannot use phase 1 Encryption, Authentication, and Key Group pairs that already exist in other enabled IPsec rules with Remote Access selected as the Application Scenario. AES is considered as the same encryption regardless of bit length. The following are two examples: 1.
Table 91 VPN > IPSec VPN > Setup > Edit (continued)
LABEL DESCRIPTION
Key Group Select which Diffie-Hellman key group (DHx) you want to use for encryption keys. Choices are:
DH1 - use a 768-bit random number
DH2 - use a 1024-bit random number
DH5 - use a 1536-bit random number
The longer the key, the more secure the encryption, but also the longer it takes to encrypt and decrypt information. Both routers must use the same DH key group.
Chapter 19 IPSec VPN Table 91 VPN > IPSec VPN > Setup > Edit (continued) LABEL DESCRIPTION Encapsulation Select which type of encapsulation the IPSec SA uses. Choices are: Tunnel - this mode encrypts the IP header information and the data. Transport - this mode only encrypts the data. If you set Encapsulation to Transport, Policy (Local and Remote) is not applicable. The Device and remote IPSec router must use the same encapsulation.
Chapter 19 IPSec VPN Table 91 VPN > IPSec VPN > Setup > Edit (continued) LABEL DESCRIPTION Local/Remote IP Address If you select Single in the Local/Remote IP Type field, specify the IP addresses of the devices behind the Device that can use the VPN tunnel. The local IP addresses must correspond to the remote IPSec router's configured remote IP addresses. Two active SAs cannot have the local and remote IP address(es) both the same.
Chapter 19 IPSec VPN 19.5 The IPSec VPN Monitor Screen In the Web Configurator, click VPN > IPSec VPN > Monitor. Use this screen to display and manage active VPN connections. Figure 122 VPN > IPSec VPN > Monitor The following table describes the labels in this screen. Table 93 VPN > IPSec VPN > Monitor LABEL DESCRIPTION Name This field displays the identification name for this IPSec VPN policy. Status This field displays whether the IPSec VPN connection is up (yellow bulb) or down (gray bulb).
Chapter 19 IPSec VPN The following table describes the labels in this screen. Table 94 VPN > IPSec VPN > Radius LABEL DESCRIPTION Radius Setup Server Address Enter the address of the RADIUS server. Authentication Port Specify the port number on the RADIUS server to which the Device sends authentication requests. Enter a number between 1 and 65535. Backup Server Address If the RADIUS server has a backup server, enter its address here.
Chapter 19 IPSec VPN 19.7.1 IPSec Architecture The overall IPSec architecture is shown as follows. Figure 124 IPSec Architecture IPSec Algorithms The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms). The Encryption Algorithm describes the use of encryption techniques such as DES (Data Encryption Standard) and Triple DES algorithms.
Chapter 19 IPSec VPN 19.7.2 Encapsulation The two modes of operation for IPSec VPNs are Transport mode and Tunnel mode. At the time of writing, the Device supports Tunnel mode only. Figure 125 Transport and Tunnel Mode IPSec Encapsulation Transport Mode Transport mode is used to protect upper layer protocols and only affects the data in the IP packet.
Chapter 19 IPSec VPN 19.7.3 IKE Phases There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authentication) and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA and the second one uses that SA to negotiate SAs for IPSec. Figure 126 Two Phases to Set Up the IPSec SA In phase 1 you must: • Choose a negotiation mode. • Authenticate the connection by entering a pre-shared key. • Choose an encryption algorithm. • Choose an authentication algorithm.
Chapter 19 IPSec VPN • Main Mode ensures the highest level of security when the communicating parties are negotiating authentication (phase 1). It uses 6 messages in three round trips: SA negotiation, Diffie-Hellman exchange and an exchange of nonces (a nonce is a random number). This mode features identity protection (your identity is not revealed in the negotiation).
Chapter 19 IPSec VPN NAT is not normally compatible with ESP in transport mode either, but the Device’s NAT Traversal feature provides a way to handle this. NAT traversal allows you to set up an IKE SA when there are NAT routers between the two IPSec routers. Figure 127 NAT Router Between IPSec Routers A B NAT Router Normally you cannot set up an IKE SA with a NAT router between the two IPSec routers because the NAT router changes the header of the IPSec packet.
Chapter 19 IPSec VPN distinguish incoming SAs because you can select between three encryption algorithms (DES, 3DES and AES), two authentication algorithms (MD5 and SHA1) and eight key groups when you configure a VPN rule (see Section 19.4 on page 206). The ID type and content act as an extra level of identification for incoming SAs. The type of ID can be a domain name, an IP address or an e-mail address. The content is the IP address, domain name, or e-mail address.
19.7.9 Diffie-Hellman (DH) Key Groups

Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communications channel. Diffie-Hellman is used within IKE SA setup to establish session keys. 768-bit, 1024-bit, 1536-bit, 2048-bit, and 3072-bit Diffie-Hellman groups are supported. Upon completion of the Diffie-Hellman exchange, the two peers have a shared secret, but the IKE SA is not authenticated.
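The point above, that the exchange yields a shared secret but no authentication, shown as a reduced phase 1 model in which only the pre-shared key check ties the secret to the intended peer. This is an added example, not the Device's code: the 127-bit prime is a toy stand-in for the DH groups listed, the hash inputs are cut down from RFC 2409 (cookies and SA payload omitted), and all names and key values are constructed.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1  # toy Mersenne prime; NOT one of the IKE DH groups
G = 3


def dh_keypair():
    """Return (private, public), retrying if the public value is degenerate."""
    while True:
        priv = secrets.randbelow(P - 3) + 2
        pub = pow(G, priv, P)
        if 1 < pub < P - 1:
            return priv, pub


def dh_shared(priv: int, peer_pub: int) -> int:
    """Compute the shared secret, rejecting out-of-range peer values."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_pub, priv, P)


def _b(n: int) -> bytes:
    return n.to_bytes(16, "big")


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    # RFC 2409, pre-shared key authentication: SKEYID = prf(psk, Ni | Nr)
    return prf(psk, ni + nr)


def auth_hash(sk: bytes, own_pub: int, peer_pub: int, ident: bytes) -> bytes:
    # Reduced form of HASH_I / HASH_R: binds the DH public values to the PSK.
    return prf(sk, _b(own_pub) + _b(peer_pub) + ident)


def phase1(psk_initiator: bytes, psk_responder: bytes) -> dict:
    """Run one exchange and report what each side ends up with."""
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)  # nonces

    secret_i = dh_shared(xi, gxr)
    secret_r = dh_shared(xr, gxi)
    sk_i = skeyid(psk_initiator, ni, nr)
    sk_r = skeyid(psk_responder, ni, nr)

    id_i, id_r = b"initiator.example", b"responder.example"  # constructed IDs
    hash_i = auth_hash(sk_i, gxi, gxr, id_i)  # sent by the initiator
    hash_r = auth_hash(sk_r, gxr, gxi, id_r)  # sent by the responder

    return {
        # DH alone always agrees, whoever the peer is.
        "same_secret": secret_i == secret_r,
        # Each side recomputes the peer's hash with its own PSK.
        "responder_accepts": hmac.compare_digest(
            hash_i, auth_hash(sk_r, gxi, gxr, id_i)),
        "initiator_accepts": hmac.compare_digest(
            hash_r, auth_hash(sk_i, gxr, gxi, id_r)),
        # Keying material mixes SKEYID with the DH secret (reduced SKEYID_d).
        "same_session_key": prf(sk_i, _b(secret_i)) == prf(sk_r, _b(secret_r)),
    }


if __name__ == "__main__":
    print(phase1(b"Sbg3300Example", b"Sbg3300Example"))
    print(phase1(b"Sbg3300Example", b"Sbg3300Exampel"))  # mistyped key
```

A mistyped pre-shared key leaves `same_secret` true while both acceptance checks fail, which is why a key mismatch shows up as a phase 1 failure rather than a DH error.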
Chapter 20 PPTP VPN

20.1 Overview

Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a VPN using TCP/IP-based networks. PPTP supports on-demand, multi-protocol and virtual private networking over public networks, such as the Internet. PPTP sets up two sessions and uses Generic Routing Encapsulation (GRE, RFC 2890) to transfer information between the computers.
20.3 PPTP VPN Setup

Use this screen to configure settings for a Point to Point Tunneling Protocol (PPTP) server. Click VPN > PPTP VPN to open the Setup screen as shown next.

Figure 129 VPN > PPTP VPN > Setup

This screen contains the following fields:

Table 100 VPN > PPTP VPN > Setup
LABEL DESCRIPTION
PPTP Setup
Enable Use this field to turn the Device’s PPTP VPN function on or off.
Local WAN Interface Select an interface from the drop-down list and its IP address will be shown.
Chapter 20 PPTP VPN Table 100 VPN > PPTP VPN > Setup (continued) LABEL DESCRIPTION Keep Alive Timer The Device sends a Hello message after waiting this long without receiving any traffic from the remote user. The Device disconnects the VPN tunnel if the remote user does not respond. DNS Server (Optional) Specify the IP addresses of DNS servers to assign to the remote users.
Chapter 20 PPTP VPN Action: Check the client device’s Internet connection. b. Incorrect server address configured on the client device. (1) If the Local WAN Interface is “Any”: From the Device’s GUI, click Status. The client device should be configured with one of the WAN interface IP addresses. (2) If the Local WAN Interface is an interface (IP address shown to the right): Use that IP address for the client device to connect. c. The WAN interface which the Device’s PPTP VPN is using is not connected.
Chapter 20 PPTP VPN b. The access group is not configured correctly. From the Device’s GUI, go to VPN > PPTP VPN > Setup to check. Note that all local hosts are by default accessible unless access group is configured. c. IP Address Pool for PPTP VPN conflicts with any WAN, LAN, DMZ, WLAN, or L2TP VPN subnet configured on the Device. Note that the IP Address Pool for PPTP VPN has a 24-bit netmask and should not conflict with any others listed above even if they are not in use.
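A pre-change check for item c above: the /24 that holds the PPTP address pool must not overlap any WAN, LAN, DMZ, WLAN or L2TP VPN subnet, including ones that are configured but not in use. This is an added example, not a tool shipped with the Device; the function names and the DMZ, WAN and L2TP values are constructed, while the two LAN subnets are the ones used elsewhere in this guide.

```python
import ipaddress
from typing import Dict, List, Optional


def pool_network(pool_start: str) -> ipaddress.IPv4Network:
    """The PPTP pool always carries a 24-bit netmask, whatever the start address."""
    return ipaddress.ip_network(f"{pool_start}/24", strict=False)


def pptp_pool_conflicts(pool_start: str, configured: Dict[str, str]) -> List[str]:
    """Return the names of configured subnets that overlap the pool's /24.

    Values in `configured` may be interface addresses ("192.168.1.1/24") or
    network addresses ("192.168.1.0/24"). List disabled interfaces too, since
    an unused subnet still counts as a conflict.
    """
    pool = pool_network(pool_start)
    conflicts = []
    for name, cidr in configured.items():
        subnet = ipaddress.ip_interface(cidr).network
        if pool.overlaps(subnet):  # also catches a wider subnet containing the pool
            conflicts.append(name)
    return conflicts


def first_free_pool(search_space: str,
                    configured: Dict[str, str]) -> Optional[ipaddress.IPv4Network]:
    """Return the first /24 inside search_space that overlaps nothing configured."""
    subnets = [ipaddress.ip_interface(c).network for c in configured.values()]
    for candidate in ipaddress.ip_network(search_space).subnets(new_prefix=24):
        if not any(candidate.overlaps(s) for s in subnets):
            return candidate
    return None


# Sample inventory (DMZ, WAN and L2TP entries are constructed values).
CONFIGURED = {
    "LAN (default)": "192.168.1.1/24",
    "LAN group 2": "192.168.2.1/24",
    "DMZ": "10.10.0.1/16",
    "WAN": "203.0.113.10/29",
    "L2TP VPN pool": "192.168.10.1/24",
}

if __name__ == "__main__":
    for start in ("192.168.2.100", "10.10.5.1", "192.168.20.1"):
        print(start, "->", pptp_pool_conflicts(start, CONFIGURED) or "no conflict")
    print("suggested pool:", first_free_pool("192.168.0.0/22", CONFIGURED))
```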
Chapter 21 L2TP VPN

21.1 Overview

The Layer 2 Tunneling Protocol (L2TP) works at layer 2 (the data link layer) to tunnel network traffic between two peers over another network (like the Internet). In L2TP VPN, an IPSec VPN tunnel (defined by the IPSec VPN rule Default_L2TPVPN, refer to Section 19.4.3 on page 214) is established first and then an L2TP tunnel is built inside it. See Chapter 19 on page 205 for information on IPSec VPN.
Chapter 21 L2TP VPN 21.2 L2TP VPN Screen Click VPN > L2TP VPN to open the Setup screen. Use this screen to configure the Device’s L2TP VPN settings. Figure 132 VPN > L2TP VPN > Setup The following table describes the fields in this screen. Table 102 VPN > L2TP VPN > Setup LABEL DESCRIPTION Enable Select the check box to enable the Device’s L2TP VPN function. VPN Connection This is the WAN interface where L2TP VPN listens for a client connection request.
Table 102 VPN > L2TP VPN > Setup (continued)
LABEL | DESCRIPTION
DNS Server (Optional) | Specify the IP addresses of DNS servers to assign to the remote users.
WINS Server (Optional) | The WINS (Windows Internet Naming Service) server keeps a mapping table of the computer names on your network and the IP addresses that they are currently using.
b. Incorrect server address configured on the client device.
Action: From the Device’s GUI, click VPN > IPSec VPN > Setup.
(1) If the Local Gateway Address for Default_L2TPVPN is set to “Any”: From the Device’s GUI, click Status. The client device should be configured with one of the WAN interface IP addresses.
(2) If the Local Gateway Address for Default_L2TPVPN is an IP address: Use that IP address for the client device to connect.
c.
4 An L2TP client is disconnected unexpectedly.
Tip: An L2TP connection will be dropped when one of the following occurs on the Device:
(1) Client has no activity for a period of time.
(2) Client loses connectivity to the Device for a period of time.
(3) Any IPSec VPN configuration change is applied on the Device.
(4) Either Default_L2TPVPN IPSec configuration or L2TP VPN is disabled on the Device.
Device. The algorithms in red in Table 104 on page 236 indicate the ones that will be accepted based on Table 92 on page 214.

Table 104 Phase 1 IPSec proposals provided by the built-in L2TP client in popular operating systems (Encryption/Authentication/Key Group)
WINDOWS XP | WINDOWS VISTA | WINDOWS 7 | IOS 5.1 | ANDROID 4.
Chapter 22 Log

22.1 Overview
The web configurator allows you to choose which categories of events and/or alerts to have the Device log and then display the logs or have the Device send them to an administrator (as e-mail) or to a syslog server.

22.1.1 What You Can Do in this Chapter
• Use the System Log screen to see the system logs (Section 22.2 on page 238).
• Use the Security Log screen to see the security-related logs for the categories that you select (Section 22.3 on page 239).

22.1.
Table 106 Syslog Severity Levels
CODE | SEVERITY
5 | Notice: There is a normal but significant condition on the system.
6 | Informational: The syslog contains an informational message.
7 | Debug: The message is intended for debug-level purposes.

22.2 The System Log Screen
Use the System Log screen to see the system logs. Click System Monitor > Log to open the System Log screen.

Figure 134 System Monitor > Log > System Log

The following table describes the fields in this screen.
22.3 The Security Log Screen
Use the Security Log screen to see the security-related logs for the categories that you select. Click System Monitor > Log > Security Log to open the following screen.

Figure 135 System Monitor > Log > Security Log

The following table describes the fields in this screen.

Table 108 System Monitor > Log > Security Log
LABEL | DESCRIPTION
Level | Select a severity level from the drop-down list box.
Chapter 23 Network Status

23.1 Overview
Use the Network Status screens to look at the network status and statistics of the WAN and LAN interfaces.

23.1.1 What You Can Do in this Chapter
• Use the WAN screen to view the WAN traffic statistics (Section 23.2 on page 241).
• Use the LAN screen to view the LAN traffic statistics (Section 23.3 on page 242).

23.2 The WAN Status Screen
Click System Monitor > Network Status to open the WAN screen.
The following table describes the fields in this screen.

Table 109 System Monitor > Network Status > WAN
LABEL | DESCRIPTION
Connected Interface | This shows the name of the WAN interface that is currently connected.
Packets Sent
Data | This indicates the number of transmitted packets on this interface.
Error | This indicates the number of frames with errors transmitted on this interface.
Drop | This indicates the number of outgoing packets dropped on this interface.
The following table describes the fields in this screen.

Table 110 System Monitor > Network Status > LAN
LABEL | DESCRIPTION
Refresh Interval | Select how often you want the Device to update this screen.
Interface | This shows the LAN or WLAN interface.
Bytes Sent | This indicates the number of bytes transmitted on this interface.
more...hide more | Click more... to show more information. Click hide more to hide them.
Interface | This shows the LAN or WLAN interface.
Chapter 24 ARP Table

24.1 Overview
Address Resolution Protocol (ARP) is a protocol for mapping an Internet Protocol address (IP address) to a physical machine address, also known as a Media Access Control or MAC address, on the local area network. An IP (version 4) address is 32 bits long. In an Ethernet LAN, MAC addresses are 48 bits long. The ARP Table maintains an association between each MAC address and its corresponding IP address.

24.1.
Table 111 System Monitor > ARP Table (continued)
LABEL | DESCRIPTION
MAC Address | This is the MAC address of the device with the listed IP address.
Device | This is the type of interface used by the device. You can click on the device type to go to its configuration screen.
Chapter 25 Routing Table

25.1 Overview
Routing is based on the destination address only and the Device takes the shortest path to forward a packet.

25.2 The Routing Table Screen
Click System Monitor > Routing Table to open the following screen.

Figure 139 System Monitor > Routing Table

The following table describes the labels in this screen.

Table 112 System Monitor > Routing Table
LABEL | DESCRIPTION
Destination | This indicates the destination IP address of this route.
Table 112 System Monitor > Routing Table (continued)
LABEL | DESCRIPTION
Service | This indicates the name of the service used to forward the route.
Interface | This indicates the name of the interface through which the route is forwarded. br0 indicates the LAN interface. ptm0 indicates the WAN interface using IPoE or in bridge mode. ppp0 indicates the WAN interface using PPPoE.
Chapter 26 IGMP Status

26.1 Overview
Use the IGMP Status screens to look at IGMP group status and traffic statistics.

26.2 The IGMP Group Status Screen
Use this screen to look at the current list of multicast groups the Device has joined and which ports have joined it. To open this screen, click System Monitor > IGMP Group Status.

Figure 140 System Monitor > IGMP Group Status

The following table describes the labels in this screen.
Chapter 27 xDSL Statistics

27.1 The xDSL Statistics Screen
Use this screen to view detailed DSL statistics. Click System Monitor > xDSL Statistics to open the following screen.
The following table describes the labels in this screen.

Table 114 System Monitor > xDSL Statistics
LABEL | DESCRIPTION
Refresh Interval | Select the time interval for refreshing statistics.
xDSL Training Status | This displays the current state of setting up the DSL connection.
Mode | This displays the ITU standard used for this connection.
Traffic Type | This displays the type of traffic the DSL port is sending and receiving.
Table 114 System Monitor > xDSL Statistics (continued)
LABEL | DESCRIPTION
Downstream | These are the statistics for the traffic direction coming into the port from the service provider.
Upstream | These are the statistics for the traffic direction going out from the port to the service provider.
FEC | This is the number of Far End Corrected blocks.
CRC | This is the number of Cyclic Redundancy Checks.
Chapter 28 User Account

28.1 Overview
Use the User Account screen to manage user accounts, which includes configuring the username, password, retry times, file sharing, captive portal, and customizing the login message.

28.2 The User Account Screen
Click Maintenance > User Account to open the following screen.

Figure 142 Maintenance > User Account

The following table describes the labels in this screen.
Table 115 Maintenance > User Account (continued)
LABEL | DESCRIPTION
Lock Period | This field indicates the number of minutes for the lockout period. A user cannot log into the Device during the lockout period, even if he/she enters correct account information.
Group | This field displays the login account type of the user. Different login account types have different privilege levels. The web configurator screens and privileges vary depending on which account type you use to log in.
The following table describes the labels in this screen.

Table 116 Users Configuration: Add/Edit
LABEL | DESCRIPTION
User Name | This field is read-only if you are editing the user account. Enter a descriptive name for the user account. The user name can be up to 15 alphanumeric characters (0-9, A-Z, a-z, -, _ with no spaces). With advanced account security enabled, the user names must be a minimum length of six characters and include both letters and numbers.
Chapter 29 Remote Management

29.1 Overview
Remote management controls which services can access the Device and through which interface(s).

Note: The Device is managed using the Web Configurator.

29.2 The Remote MGMT Screen
Use this screen to configure which services can access the Device and through which interfaces. You can also specify the port numbers the services must use to connect to the Device. Click Maintenance > Remote MGMT to open the following screen.
The following table describes the fields in this screen.

Table 117 Maintenance > Remote MGMT
LABEL | DESCRIPTION
Services | This is the service you may use to access the Device.
LAN/WLAN | Select the Enable check box for the corresponding services that you want to allow access to the Device from the LAN/WLAN.
WAN | Select the Enable check box for the corresponding services that you want to allow access to the Device from the WAN.
Chapter 30 TR-069 Client

30.1 Overview
This chapter explains how to configure the Device’s TR-069 auto-configuration settings.

30.2 The TR-069 Client Screen
TR-069 defines how Customer Premise Equipment (CPE), for example your Device, can be managed over the WAN by an Auto Configuration Server (ACS). TR-069 is based on sending Remote Procedure Calls (RPCs) between an ACS and a client device. RPCs are sent in Extensible Markup Language (XML) format over HTTP or HTTPS.
The following table describes the fields in this screen.

Table 118 Maintenance > TR-069 Client
LABEL | DESCRIPTION
Inform | Select Enable for the Device to send periodic inform via TR-069 on the WAN. Otherwise, select Disable.
Inform Interval | Enter the time interval (in seconds) at which the Device sends information to the auto-configuration server.
ACS URL | Enter the URL or IP address of the auto-configuration server.
Chapter 31 SNMP

31.1 The SNMP Agent Screen
Simple Network Management Protocol is a protocol used for exchanging management information between network devices. Your Device supports SNMP agent functionality, which allows a manager station to manage and monitor the Device through the network. The Device supports SNMP version one (SNMPv1) and version two (SNMPv2c). The next figure illustrates an SNMP management operation.
• Get - Allows the manager to retrieve an object variable from the agent.
• GetNext - Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations.
• Set - Allows the manager to set values for object variables within an agent.
• Trap - Used by the agent to inform the manager of some events.
Chapter 32 Time

32.1 Overview
This chapter shows you how to configure system related settings, such as system time, password, name, the domain name and the inactivity timeout interval.

32.2 The Time Screen
To change your Device’s time and date, click Maintenance > Time. The screen appears as shown. Use this screen to configure the Device’s time based on your local time zone.
The following table describes the fields in this screen.

Table 120 Maintenance > Time
LABEL | DESCRIPTION
Current Date/Time
Current Time | This field displays the time of your Device. Each time you reload this page, the Device synchronizes the time with the time server.
Current Date | This field displays the date of your Device. Each time you reload this page, the Device synchronizes the date with the time server.
Table 120 Maintenance > Time (continued)
LABEL | DESCRIPTION
Apply | Click Apply to save your changes.
Cancel | Click Cancel to exit this screen without saving.
Chapter 33 E-mail Notification

33.1 Overview
A mail server is an application or a computer that runs such an application to receive, forward and deliver e-mail messages. To have the Device send reports, logs or notifications via e-mail, you must specify an e-mail server and the e-mail addresses of the sender and receiver.

33.2 The Email Notification Screen
Click Maintenance > Email Notification to open the Email Notification screen.
33.2.1 Email Notification Edit
Click the Add button in the Email Notification screen. Use this screen to configure the required information for sending e-mail via a mail server.

Figure 150 Email Notification > Add

The following table describes the labels in this screen.

Table 122 Email Notification > Add
LABEL | DESCRIPTION
Mail Server Address | Enter the server name or the IP address of the mail server for the e-mail address specified in the Account Email Address field.
Chapter 34 Logs Setting

34.1 Overview
You can configure where the Device sends logs and which logs and/or immediate alerts the Device records in the Logs Setting screen.

34.2 The Log Setting Screen
To change your Device’s log settings, click Maintenance > Logs Setting. The screen appears as shown.
The following table describes the fields in this screen.

Table 123 Maintenance > Logs Setting
LABEL | DESCRIPTION
Syslog Setting
Syslog Logging | The Device sends a log to an external syslog server. Select Enable to enable syslog logging.
Mode | Select the syslog destination from the drop-down list box. If you select Remote, the log(s) will be sent to a remote syslog server. If you select Local File, the log(s) will be saved in a local file.
• The date format here is Day-Month-Year.
• The date format here is Month-Day-Year. The time format is Hour-Minute-Second.
• "End of Log" message shows that a complete log has been sent.

Figure 152 E-mail Log Example
Subject: Firewall Alert From
Date: Fri, 07 Apr 2000 10:05:42
From: user@zyxel.com
To: user@zyxel.com
1|Apr 7 00 |From:192.168.1.1 To:192.168.1.255 |default policy |forward | 09:54:03 |UDP src port:00520 dest port:00520 |<1,00> |
2|Apr 7 00 |From:192.168.1.131 To:192.
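The e-mail log format in Figure 152 can be turned into structured events for review or forwarding. This is an added example, not ZyXEL code: the field names are assumptions inferred from the one complete entry shown, the `<1,00>` field is kept as an opaque string because the page does not explain it, and records 2 and 3 in the sample are constructed.

```python
import re
from datetime import datetime

# A record starts with its index immediately followed by "|" (e.g. "1|").
RECORD_START = re.compile(r"(?<!\S)(\d+)\|")
ADDRS = re.compile(r"From:(\S+)\s+To:(\S+)")
PORTS = re.compile(r"(\w+)\s+src port:(\d+)\s+dest port:(\d+)")

# Record 1 is the entry from Figure 152; records 2 and 3 are constructed.
# Record 3 is cut off on purpose, like the second entry in the figure.
SAMPLE_BODY = """\
1|Apr 7 00 |From:192.168.1.1 To:192.168.1.255 |default policy |forward
 | 09:54:03 |UDP src port:00520 dest port:00520 |<1,00> |
2|Apr 7 00 |From:192.168.1.131 To:192.0.2.80 |default policy |forward
 | 09:54:17 |TCP src port:01035 dest port:00080 |<1,00> |
3|Apr 7 00 |From:192.168.1.131 To:192.
"""


def parse_record(chunk):
    """Parse one pipe-delimited entry; return None if it is incomplete."""
    fields = [f.strip() for f in chunk.split("|")]
    if len(fields) < 8:
        return None
    index, date, addrs, note, action, clock, detail, rule = fields[:8]
    addr_match = ADDRS.fullmatch(addrs)
    if not addr_match:
        return None
    try:
        # Entry dates are Month-Day-Year with a two-digit year.
        when = datetime.strptime(f"{date} {clock}", "%b %d %y %H:%M:%S")
    except ValueError:
        return None
    record = {
        "index": int(index), "timestamp": when,
        "src": addr_match.group(1), "dst": addr_match.group(2),
        "note": note, "action": action,
        "detail": detail, "rule_ref": rule,
        "protocol": None, "src_port": None, "dst_port": None,
    }
    # Only the "src port/dest port" layout appears on the page; any other
    # detail text is left unparsed in record["detail"].
    port_match = PORTS.fullmatch(detail)
    if port_match:
        record["protocol"] = port_match.group(1)
        record["src_port"] = int(port_match.group(2))
        record["dst_port"] = int(port_match.group(3))
    return record


def parse_email_log(body):
    """Split a log mail body into records and flag truncation.

    "complete" is True only when the "End of Log" marker is present,
    which the manual says indicates that a complete log was sent.
    """
    starts = list(RECORD_START.finditer(body))
    records, malformed = [], []
    for i, match in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(body)
        record = parse_record(body[match.start():end])
        if record is None:
            malformed.append(int(match.group(1)))
        else:
            records.append(record)
    return {"records": records, "malformed": malformed,
            "complete": "End of Log" in body}


if __name__ == "__main__":
    result = parse_email_log(SAMPLE_BODY)
    for rec in result["records"]:
        print(rec["timestamp"].isoformat(), rec["action"], rec["src"], "->",
              rec["dst"], rec["protocol"], rec["dst_port"])
    print("malformed entries:", result["malformed"])
    print("complete log:", result["complete"])
```
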
Chapter 35 Firmware and WWAN Package Upgrade

35.1 Overview
This chapter explains how to upload new firmware or a WWAN (Wireless Wide Area Network) package, to update USB 3G dongle support, to your Device. You can download new firmware releases and USB 3G dongle support packages from your nearest ZyXEL FTP site (or www.zyxel.com) to use to upgrade your device’s performance.

Only use firmware for your device’s specific model. Refer to the label on the bottom of your Device.

35.
The following table describes the labels in this screen.

Table 124 Maintenance > Firmware Upgrade
LABEL | DESCRIPTION
Current Firmware Version | This is the present firmware version.
File Path | Type in the location of the file you want to upload in this field or click Browse ... to find it.
Browse... | Click this to find the .bin file you want to upload. Remember that you must decompress compressed (.zip) files before you can upload them.
If the upload was not successful, the following screen will appear. Click OK to go back to the Firmware Upgrade screen.
Chapter 36 Configuration

36.1 Overview
The Configuration screen allows you to back up and restore device configurations. You can also reset your device settings back to the factory default.

36.2 The Configuration Screen
Click Maintenance > Configuration. Information related to factory defaults, backup configuration, and restoring configuration appears in this screen, as shown next.
Restore Configuration
Restore Configuration allows you to upload a new or previously saved configuration file from your computer to your Device.

Table 125 Restore Configuration
LABEL | DESCRIPTION
File Path | Type in the location of the file you want to upload in this field or click Browse ... to find it.
Browse... | Click this to find the file you want to upload. Remember that you must decompress compressed (.ZIP) files before you can upload them.
Reset to Factory Defaults
Click the Reset button to clear all user-entered configuration information and return the Device to its factory defaults. The following warning screen appears.

Figure 160 Reset Warning Message

Figure 161 Reset In Process Message

You can also press the RESET button on the rear panel to reset the factory defaults of your Device. Refer to Section 1.6 on page 21 for more information on the RESET button.

36.
Chapter 37 Diagnostic

37.1 Overview
The Diagnostic screens display information to help you identify problems with the Device. The route between a CO VDSL switch and one of its CPE may go through switches owned by independent organizations. A connectivity fault point generally takes time to discover and impacts subscriber’s network access. In order to eliminate the management and maintenance efforts, IEEE 802.
37.3 Ping & TraceRoute & NsLookup
Use this screen to ping, traceroute, or nslookup an IP address. Click Maintenance > Diagnostic > Ping & TraceRoute & NsLookup to open the screen shown next.

Figure 163 Maintenance > Diagnostic > Ping & TraceRoute & NsLookup

The following table describes the fields in this screen.
37.4 802.1ag
Click Maintenance > Diagnostic > 802.1ag to open the following screen. Use this screen to perform CFM actions.

Figure 164 Maintenance > Diagnostic > 802.1ag

The following table describes the fields in this screen.

Table 127 Maintenance > Diagnostic > 802.1ag
LABEL | DESCRIPTION
802.1ag Connectivity Fault Management
Maintenance Domain (MD) Level | Select a level (0-7) under which you want to create an MA.
37.5 OAM Ping Test
Click Maintenance > Diagnostic > OAM Ping to open the screen shown next. Use this screen to perform an OAM (Operation, Administration and Maintenance) F4 or F5 loopback test on a PVC. The Device sends an OAM F4 or F5 packet to the DSLAM or ATM switch and then returns it to the Device. The test result then displays in the text box. ATM sets up virtual circuits over which end systems communicate.
Note: This screen is available only when you configure an ATM layer-2 interface.

Figure 166 Maintenance > Diagnostic > OAM Ping

The following table describes the fields in this screen.

Table 128 Maintenance > Diagnostic > OAM Ping
LABEL | DESCRIPTION
 | Select a PVC on which you want to perform the loopback test.
F4 segment | Press this to perform an OAM F4 segment loopback test.
F4 end-end | Press this to perform an OAM F4 end-to-end loopback test.
Chapter 38 Troubleshooting

This chapter offers some suggestions to solve problems you might encounter. The potential problems are divided into the following categories.
• Power, Hardware Connections, and LEDs
• Device Access and Login
• Internet Access
• Wireless Internet Access
• USB Device Connection
• UPnP

38.1 Power, Hardware Connections, and LEDs

The Device does not turn on. None of the LEDs turn on.
1 Make sure the Device is turned on.
5 If the problem continues, contact the vendor.

38.2 Device Access and Login

I forgot the IP address for the Device.
1 The default LAN IP address is 192.168.1.1.
2 If you changed the IP address and have forgotten it, you might get the IP address of the Device by looking up the IP address of the default gateway for your computer. To do this in most Windows computers, click Start > Run, enter cmd, and then enter ipconfig.
5 Reset the device to its factory defaults, and try to access the Device with the default IP address. See Section 1.6 on page 21.
6 If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions.

Advanced Suggestions
• Make sure you have logged out of any earlier management sessions using the same user account even if they were through a different interface or using a different browser.
38.3 Internet Access

I cannot access the Internet.
1 Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.5 on page 20.
2 Make sure you entered your ISP account information correctly in the Network Setting > Broadband screen. These fields are case-sensitive, so make sure [Caps Lock] is not on.
2 Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.5 on page 20.
3 Turn the Device off and on.
4 If the problem continues, contact your ISP.

38.4 Wireless Internet Access

What factors may cause an intermittent or unstable wireless connection? How can I solve this problem?
The following factors may cause interference:
• Obstacles: walls, ceilings, furniture, and so on.
The available security modes in your Device are as follows:
• WPA2-PSK: (recommended) This uses a pre-shared key with the WPA2 standard.
• WPA-PSK: This has the device use either WPA-PSK or WPA2-PSK depending on which security mode the wireless client uses.
• WPA2: WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA. It requires the use of a RADIUS server and is mostly used in business networks.
The Local Area Connection icon for UPnP disappears in the screen.
Restart your computer.

I cannot open special applications such as white board, file transfer and video when I use the MSN messenger.
1 Wait more than three minutes.
2 Restart the applications.
Appendix A Customer Support

In the event of problems that cannot be solved by using this manual, you should contact your vendor. If you cannot contact your vendor, then contact a ZyXEL office for the region in which you bought the device. Regional websites are listed below (see also http://www.zyxel.com/about_zyxel/zyxel_worldwide.shtml). Please have the following information ready when you contact an office.

Required Information
• Product model and serial number.
• Warranty Information.
Korea • ZyXEL Korea Corp. • http://www.zyxel.kr
Malaysia • ZyXEL Malaysia Sdn Bhd. • http://www.zyxel.com.my
Pakistan • ZyXEL Pakistan (Pvt.) Ltd. • http://www.zyxel.com.pk
Philippines • ZyXEL Philippines • http://www.zyxel.com.ph
Singapore • ZyXEL Singapore Pte Ltd. • http://www.zyxel.com.sg
Taiwan • ZyXEL Communications Corporation • http://www.zyxel.com
Thailand • ZyXEL Thailand Co., Ltd • http://www.zyxel.co.
Belgium • ZyXEL Communications B.V. • http://www.zyxel.com/be/nl/
Bulgaria • ZyXEL България • http://www.zyxel.com/bg/bg/
Czech • ZyXEL Communications Czech s.r.o • http://www.zyxel.cz
Denmark • ZyXEL Communications A/S • http://www.zyxel.dk
Estonia • ZyXEL Estonia • http://www.zyxel.com/ee/et/
Finland • ZyXEL Communications • http://www.zyxel.fi
France • ZyXEL France • http://www.zyxel.fr
Germany • ZyXEL Deutschland GmbH • http://www.zyxel.
Lithuania • ZyXEL Lithuania • http://www.zyxel.com/lt/lt/homepage.shtml
Netherlands • ZyXEL Benelux • http://www.zyxel.nl
Norway • ZyXEL Communications • http://www.zyxel.no
Poland • ZyXEL Communications Poland • http://www.zyxel.pl
Romania • ZyXEL Romania • http://www.zyxel.com/ro/ro
Russia • ZyXEL Russia • http://www.zyxel.ru
Slovakia • ZyXEL Communications Czech s.r.o. organizacna zlozka • http://www.zyxel.sk
Spain • ZyXEL Spain • http://www.zyxel.
Turkey • ZyXEL Turkey A.S. • http://www.zyxel.com.tr
UK • ZyXEL Communications UK Ltd. • http://www.zyxel.co.uk
Ukraine • ZyXEL Ukraine • http://www.ua.zyxel.com

Latin America
Argentina • ZyXEL Communication Corporation • http://www.zyxel.com/ec/es/
Ecuador • ZyXEL Communication Corporation • http://www.zyxel.com/ec/es/

Middle East
Egypt • ZyXEL Communication Corporation • http://www.zyxel.com/homepage.shtml
Middle East • ZyXEL Communication Corporation • http://www.zyxel.
Oceania
Australia • ZyXEL Communications Corporation • http://www.zyxel.com/au/en/

Africa
South Africa • Nology (Pty) Ltd. • http://www.zyxel.co.
Appendix B Legal Information

Copyright
Copyright © 2014 by ZyXEL Communications Corporation.

The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation.

Published by ZyXEL Communications Corporation.
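Notice! According to the Administrative Regulations on Low Power Radio Waves Radiated Devices:

Article 12: Without permission, no company, firm, or user may change the frequency, increase the power, or alter the original design characteristics and functions of a type-approved low-power radio-frequency device.

Article 14: The use of low-power radio-frequency devices must not affect aviation safety or interfere with legal communications. If interference is found, use must stop immediately and may resume only after the interference has been eliminated. The legal communications referred to above are radio communications operated in accordance with telecommunications regulations. Low-power radio-frequency devices must accept interference from legal communications or from industrial, scientific, and medical radio-wave-radiating equipment.

This device is restricted to indoor use on the condition that it does not interfere with legal radio stations and is not protected from interference.

To reduce the effects of electromagnetic waves, please use the device properly.

Notices
Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment.

This Class [*] digital apparatus complies with Canadian ICES-003.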
Declaration of Conformity with Regard to EU Directive 1999/5/EC (R&TTE Directive)

Compliance Information for 2.4GHz and 5GHz Wireless Products Relevant to the EU and Other Countries Following the EU Directive 1999/5/EC (R&TTE Directive)

[Czech] ZyXEL hereby declares that this device is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC.
[French] This product may be used in all EU countries (and in all countries that have transposed Directive 1999/5/EC) without any limitation, except for the countries mentioned below:

[Italian] This product can be used in all EU countries (and in all other countries that follow EU Directive 1999/5/EC) without any limitation, except for the countries mentioned below:

[German] The product can be used in all EU states without restrictions (as well as in other states
Notes:
1. Although Norway, Switzerland and Liechtenstein are not EU member states, the EU Directive 1999/5/EC has also been implemented in those countries.
2. The regulatory limits for maximum output power are specified in EIRP. The EIRP level (in dBm) of a device can be calculated by adding the gain of the antenna used (specified in dBi) to the output power available at the connector (specified in dBm).
• This product is for indoor use only (utilisation intérieure exclusivement).

Your product is marked with this symbol, which is known as the WEEE mark. WEEE stands for Waste Electronics and Electrical Equipment. It means that used electrical and electronic products should not be mixed with general waste. Used electrical and electronic equipment should be treated separately.