ZyXEL Communications 802.11g HomePlug AV ADSL2+ Gateway P-660HWP-Dx User Manual Download Page 160 | Manualshive

Page: 160 / 402

background image

Chapter 10 Firewalls

P-660HWP-Dx User’s Guide

38

10.4.2 Types of DoS Attacks

There are four types of DoS attacks:

1

Those that exploit bugs in a TCP/IP implementation.

2

Those that exploit weaknesses in the TCP/IP specification.

3

Brute-force attacks that flood a network with useless data.

4

IP Spoofing.

5

"

Ping of Death

" and "

Teardrop

" attacks exploit bugs in the TCP/IP implementations of

various computer and host systems.

• Ping of Death uses a "ping" utility to create an IP packet that exceeds the maximum

65,536 bytes of data allowed by the IP specification. The oversize packet is then sent to an
unsuspecting system. Systems may crash, hang or reboot.

• Teardrop attack exploits weaknesses in the re-assembly of IP packet fragments. As data is

transmitted through a network, IP packets are often broken up into smaller chunks. Each
fragment looks like the original IP packet except that it contains an offset field that says,
for instance, "This fragment is carrying bytes 200 through 400 of the original (non
fragmented) IP packet." The Teardrop program creates a series of IP fragments with
overlapping offset fields. When these fragments are reassembled at the destination, some
systems will crash, hang, or reboot.

6

Weaknesses in the TCP/IP specification leave it open to "

SYN Flood

" and "

LAND

"

attacks. These attacks are executed during the handshake that initiates a communication
session between two applications.

Figure 93

Three-Way Handshake

Under normal circumstances, the application that initiates a session sends a SYN
(synchronize) packet to the receiving server. The receiver sends back an ACK
(acknowledgment) packet and its own SYN, and then the initiator responds with an ACK
(acknowledgment). After this handshake, a connection is established.

•

SYN Attack

floods a targeted system with a series of SYN packets. Each packet causes

the targeted system to issue a SYN-ACK response. While the targeted system waits for the
ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on
what is known as a backlog queue. SYN-ACKs are moved off the queue only when an
ACK comes back or when an internal timer (which is set at relatively long intervals)
terminates the three-way handshake. Once the queue is full, the system will ignore all
incoming SYN requests, making the system unavailable for legitimate users.

«
...
158
159
160
161
162
...
»

Summary of Contents for 802.11g HomePlug AV ADSL2+ Gateway P-660HWP-Dx

Page 1: ...www zyxel com P 660HWP Dx 802 11g HomePlug AV ADSL2 Gateway User s Guide Version 3 40 7 2007 Edition 1 ...

Page 2: ......

Page 3: ... Configurator Online Help Embedded web help for descriptions of individual screens and supplementary information It is recommended you use the web configurator to configure the P 660HWP Dx Supporting Disk Refer to the included CD for support documents ZyXEL Web Site Please refer to www zyxel com for additional support documentation and product certifications User Guide Feedback Help us help you Se...

Page 4: ... stroke is denoted by square brackets and uppercase text for example ENTER means the enter or return key on your keyboard Enter means for you to type one or more characters and then press the ENTER key Select or choose means for you to use one of the predefined choices A right angle bracket within a screen name denotes a mouse click For example Maintenance Log Log Setting means you first click Mai...

Page 5: ...de 37 Icons Used in Figures Figures in this User s Guide may use the following generic icons The P 660HWP Dx icon is not an exact representation of your device P 660HWP Dx Computer Notebook computer Server DSLAM Firewall Telephone Switch Router ...

Page 6: ...LY an appropriate power adaptor or cord for your device Connect the power adaptor or cord to the right supply voltage for example 110V AC in North America or 230V AC in Europe Do NOT allow anything to rest on the power adaptor or cord and do NOT place the product where anyone can walk on the power adaptor or cord Do NOT use the device if the power adaptor or cord is damaged as it might cause elect...

Page 7: ...Safety Warnings P 660HWP Dx User s Guide 39 ...

Page 8: ...Safety Warnings P 660HWP Dx User s Guide 40 ...

Page 9: ...etup 81 LAN Setup 99 Wireless LAN 111 Powerline 135 Network Address Translation NAT 143 Security 155 Firewalls 157 Firewall Configuration 169 Content Filtering 191 Certificates 195 Advanced 217 Static Route 219 Bandwidth Management 223 Dynamic DNS Setup 235 Remote Management Configuration 239 Universal Plug and Play UPnP 251 Maintenance and Troubleshooting 263 System 265 Logs 271 Tools 289 Diagnos...

Page 10: ...Contents Overview P 660HWP Dx User s Guide 36 ...

Page 11: ...Good Habits for Managing the P 660HWP Dx 37 1 4 LEDs 37 1 5 Hardware Connections 38 1 5 1 Connecting a POTS Splitter 39 1 5 2 Telephone Microfilters 39 1 5 3 P 660HWP Dx With ISDN 40 Chapter 2 Introducing the Web Configurator 43 2 1 Web Configurator Overview 43 2 2 Accessing the Web Configurator 43 2 2 1 User Access 44 2 2 2 Administrator Access 44 2 3 Resetting the P 660HWP Dx 46 2 3 1 Using the ...

Page 12: ... Connection Wizard Setup 67 3 3 1 Manually assign a WPA PSK key 70 3 3 2 Manually assign a WEP key 70 Chapter 4 Bandwidth Management Wizard 73 4 1 Introduction 73 4 2 Predefined Media Bandwidth Management Services 73 4 3 Bandwidth Management Wizard Setup 74 Part III Network 79 Chapter 5 WAN Setup 81 5 1 WAN Overview 81 5 1 1 Encapsulation 81 5 1 2 Multiplexing 82 5 1 3 Encapsulation and Multiplexi...

Page 13: ... 101 6 2 1 IP Address and Subnet Mask 101 6 2 2 RIP Setup 102 6 2 3 Multicast 102 6 2 4 Any IP 103 6 3 Configuring LAN IP 104 6 3 1 Configuring Advanced LAN Setup 105 6 4 DHCP Setup 106 6 5 LAN Client List 107 6 6 LAN IP Alias 108 Chapter 7 Wireless LAN 111 7 1 Wireless Network Overview 111 7 2 Wireless Network Setup 112 7 2 1 Requirements 112 7 2 2 Setup Information 112 7 3 Wireless Security Over...

Page 14: ...ting Up Multiple Powerline Networks 137 8 3 Configuring Local Settings 138 8 4 Configuring Remote Settings 139 8 5 Powerline Network Status 140 Chapter 9 Network Address Translation NAT 143 9 1 NAT Overview 143 9 1 1 NAT Definitions 143 9 1 2 What NAT Does 144 9 1 3 How NAT Works 144 9 1 4 NAT Application 144 9 1 5 NAT Mapping Types 145 9 2 SUA Single User Account Versus NAT 146 9 3 SIP ALG 146 9 ...

Page 15: ... 164 10 5 4 UDP ICMP Security 165 10 5 5 Upper Layer Protocols 165 10 6 Guidelines for Enhancing Security with Your Firewall 166 10 6 1 Security In General 166 10 7 Packet Filtering Vs Firewall 167 10 7 1 Packet Filtering 167 10 7 2 Firewall 167 Chapter 11 Firewall Configuration 169 11 1 Access Methods 169 11 2 Firewall Policies Overview 169 11 3 Rule Logic Overview 170 11 3 1 Rule Checklist 170 1...

Page 16: ...es of Certificates 196 13 2 Self signed Certificates 196 13 3 Verifying a Certificate 196 13 3 1 Checking the Fingerprint of a Certificate on Your Computer 196 13 4 Configuration Summary 197 13 5 My Certificates 198 13 6 My Certificates Details 199 13 7 My Certificates Create 202 13 8 My Certificates Import 204 13 8 1 Certificate File Formats 205 13 9 Trusted CAs 206 13 10 Trusted CA Details 207 1...

Page 17: ...width Usage Example 226 15 6 3 Bandwidth Management Priorities 227 15 7 Over Allotment of Bandwidth 227 15 8 Configuring Summary 228 15 9 Bandwidth Management Rule Setup 229 15 10 DiffServ 230 15 10 1 DSCP and Per Hop Behavior 230 15 10 2 Rule Configuration 231 15 11 Bandwidth Monitor 234 Chapter 16 Dynamic DNS Setup 235 16 1 Dynamic DNS Overview 235 16 1 1 DYNDNS Wildcard 235 16 2 Configuring Dyn...

Page 18: ...3 1 Installing UPnP in Windows Me 253 18 3 2 Installing UPnP in Windows XP 254 18 4 Using UPnP in Windows XP Example 255 18 4 1 Auto discover Your UPnP enabled Network Device 256 18 4 2 Web Configurator Easy Access 259 Part VI Maintenance and Troubleshooting 263 Chapter 19 System 265 19 1 General Setup 265 19 1 1 General Setup and System Name 265 19 1 2 General Setup 265 19 2 Time Setting 267 Chap...

Page 19: ...ess and Login 298 23 3 Internet Access 299 23 4 Powerline Issues 301 Part VII Appendices and Index 303 Appendix A Product Specifications and Wall Mounting 305 Appendix B Wireless LANs 311 Appendix C Internal SPTGEN 325 Appendix D Setting up Your Computer s IP Address 341 Appendix E IP Subnetting 357 Appendix F Command Interpreter 365 Appendix G Firewall Commands 369 Appendix H Pop up Windows JavaS...

Page 20: ...Table of Contents P 660HWP Dx User s Guide 44 ...

Page 21: ...rline 53 Figure 18 Status Packet Statistics 54 Figure 19 System General 55 Figure 20 Select a Mode 60 Figure 21 Wizard Welcome 60 Figure 22 Auto Detection No DSL Connection 61 Figure 23 Auto Detection Failed 61 Figure 24 Auto Detection PPPoE 62 Figure 25 Internet Access Wizard Setup ISP Parameters 62 Figure 26 Internet Connection with PPPoE 63 Figure 27 Internet Connection with RFC 1483 64 Figure ...

Page 22: ...105 Figure 57 DHCP Setup 106 Figure 58 LAN Client List 108 Figure 59 Physical Network Partitioned Logical Networks 109 Figure 60 LAN IP Alias 109 Figure 61 Example of a Wireless Network 111 Figure 62 Wireless LAN General 116 Figure 63 Wireless No Security 117 Figure 64 Wireless Static WEP Encryption 118 Figure 65 Wireless WPA PSK WPA2 PSK 119 Figure 66 Wireless WPA WPA2 120 Figure 67 Advanced 122 ...

Page 23: ... Firewall Example Edit Rule Destination Address 181 Figure 105 Firewall Example Edit Rule Select Customized Services 182 Figure 106 Firewall Example Rules MyService 183 Figure 107 Firewall Anti Probing 185 Figure 108 Firewall Threshold 188 Figure 109 Content Filter Keyword 191 Figure 110 Content Filter Schedule 192 Figure 111 Content Filter Trusted 193 Figure 112 Certificates on Your Computer 196 ...

Page 24: ...8 Figure 144 Enabling TR 069 249 Figure 145 Configuring UPnP 252 Figure 146 Add Remove Programs Windows Setup Communication 253 Figure 147 Add Remove Programs Windows Setup Communication Components 254 Figure 148 Network Connections 254 Figure 149 Windows Optional Networking Components Wizard 255 Figure 150 Networking Services 255 Figure 151 Network Connections 256 Figure 152 Internet Connection P...

Page 25: ... 95 98 Me Network Configuration 342 Figure 190 Windows 95 98 Me TCP IP Properties IP Address 343 Figure 191 Windows 95 98 Me TCP IP Properties DNS Configuration 344 Figure 192 Windows XP Start Menu 345 Figure 193 Windows XP Control Panel 345 Figure 194 Windows XP Control Panel Network Connections Properties 346 Figure 195 Windows XP Local Area Connection Properties 346 Figure 196 Windows XP Intern...

Page 26: ... 366 Figure 214 Pop up Blocker 375 Figure 215 Internet Options Privacy 376 Figure 216 Internet Options Privacy 377 Figure 217 Pop up Blocker Settings 377 Figure 218 Internet Options Security 378 Figure 219 Security Settings Java Scripting 379 Figure 220 Security Settings Java 379 Figure 221 Java Sun 380 Figure 222 Ideal Setup 383 Figure 223 Triangle Route Problem 384 Figure 224 IP Alias 384 ...

Page 27: ...anually assign a WEP key 71 Table 17 Media Bandwidth Management Setup Services 73 Table 18 Bandwidth Management Wizard General Information 75 Table 19 Bandwidth Management Wizard Configuration 76 Table 20 Internet Connection 87 Table 21 Advanced Internet Connection Setup 89 Table 22 More Connections 91 Table 23 More Connections Edit 92 Table 24 More Connections Advanced Setup 94 Table 25 WAN Backu...

Page 28: ...ll Rules 174 Table 61 Firewall Edit Rule 177 Table 62 Customized Services 178 Table 63 Firewall Configure Customized Services 179 Table 64 Predefined Services 183 Table 65 Firewall Anti Probing 186 Table 66 Firewall Threshold 188 Table 67 Content Filter Keyword 192 Table 68 Content Filter Schedule 193 Table 69 Content Filter Trusted 193 Table 70 Security Certificates My Certificates 198 Table 71 S...

Page 29: ...le 95 Services and Port Numbers 233 Table 96 Bandwidth Management Monitor 234 Table 97 Dynamic DNS 236 Table 98 Remote Management WWW 241 Table 99 Remote Management Telnet 242 Table 100 Remote Management FTP 243 Table 101 SNMP Traps 245 Table 102 Remote Management SNMP 246 Table 103 Remote Management DNS 247 Table 104 Remote Management ICMP 248 Table 105 TR 069 Commands 249 Table 106 Configuring U...

Page 30: ... 142 Wireless Security Relational Matrix 322 Table 143 Abbreviations Used in the Example Internal SPTGEN Screens Table 328 Table 144 Menu 1 General Setup 328 Table 145 Menu 3 328 Table 146 Menu 4 Internet Access Setup 330 Table 147 Menu 12 332 Table 148 Menu 15 SUA Server Setup 332 Table 149 Menu 21 1 Filter Set 1 334 Table 150 Menu 21 1 Filter Set 2 335 Table 151 Menu 23 System Menus 337 Table 15...

Page 31: ...List of Tables P 660HWP Dx User s Guide 39 Table 168 Firewall Commands 369 Table 169 NetBIOS Filter Default Settings 382 ...

Page 32: ...List of Tables P 660HWP Dx User s Guide 40 ...

Page 33: ...35 PART I Introduction Introducing the P 660HWP Dx 35 Introducing the Web Configurator 43 ...

Page 34: ...36 ...

Page 35: ...hone Service Model names ending in 3 denote a device that works over ISDN Integrated Services Digital Network The DSL RJ 11 ADSL over POTS models or RJ 45 ADSL over ISDN models connects to your ADSL or ISDN enabled telephone line The included power cable and plug connects to your power line enabled home wiring 1 Only use firmware for your P 660HWP Dx s specific model Refer to the label on the bott...

Page 36: ...s follows Figure 2 LAN to LAN Application Example The P 660HWP Dx is compatible with the ADSL ADSL2 ADSL2 standards Maximum data rates attainable for each standard are shown in the next table If your P 660HWP Dx does not support Annex M the maximum ADSL2 2 upstream data rate is 1 2 Mbps P 660HWP Dxs which work over ISDN do not support Annex M Table 1 ADSL Standards DATARATESTANDARD UPSTREAM DOWNST...

Page 37: ...n SPTGEN file This is especially convenient if you need to configure many devices of the same type TR 069 This is an auto configuration server used to remotely configure your device 1 3 Good Habits for Managing the P 660HWP Dx Do the following things regularly to make the P 660HWP Dx more secure and to manage the P 660HWP Dx more effectively Change the password Use a password that s not easy to gu...

Page 38: ...a Off The LAN is not connected WLAN Green On The P 660HWP Dx is ready but is not sending receiving data through the wireless LAN Blinking The P 660HWP Dx is sending receiving data through the wireless LAN Off The wireless LAN is not ready or has failed DSL Green On The DSL line is up Blinking The P 660HWP Dx is initializing the DSL line Off The DSL line is down INTERNET Green On The Internet conne...

Page 39: ...to your P 660HWP Dx 3 Connect the side labeled Line to the telephone wall jack 1 5 2 Telephone Microfilters Telephone voice transmissions take place in the lower frequency range 0 4KHz while ADSL transmissions take place in the higher bandwidth range above 4KHz A microfilter acts as a low pass filter for your telephone to ensure that ADSL transmissions do not interfere with your telephone voice tr...

Page 40: ...r 2 Connect a cable from the double jack end of the Y Connector to the wall side of the microfilter 3 Connect another cable from the double jack end of the Y Connector to the P 660HWP Dx 4 Connect the phone side of the microfilter to your telephone as shown in the following figure Figure 6 Connecting a Microfilter and Y Connector 1 5 3 P 660HWP Dx With ISDN This section relates to people who use t...

Page 41: ...Chapter 1 Introducing the P 660HWP Dx P 660HWP Dx User s Guide 41 Figure 7 P 660HWP Dx with ISDN ...

Page 42: ...Chapter 1 Introducing the P 660HWP Dx P 660HWP Dx User s Guide 42 ...

Page 43: ...p windows from your device Web pop up blocking is enabled by default in Windows XP SP Service Pack 2 JavaScripts enabled by default Java permissions enabled by default See the chapter on troubleshooting if you need to make sure these functions are allowed in Internet Explorer 2 2 Accessing the Web Configurator Even though you can connect to the P 660HWP Dx wirelessly it is recommended that you con...

Page 44: ...administrator access enter the default admin password 1234 to configure the wizards and the advanced features 2 Click Login to proceed to a screen asking you to change your password or click Cancel to revert to the default password 3 If you entered the admin password it is highly recommended you change the default admin password Enter a new password between 1 and 30 characters retype it to confirm...

Page 45: ...hange Password at Login 4 Select Go to Wizard setup and click Apply to display the wizard main screen Otherwise select Go to Advanced setup and click Apply to display the Status screen Figure 11 Select a Mode The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires default five minutes Simply log back into the P 660HWP Dx if this h...

Page 46: ...eset Button 1 Make sure the POWER LED is on not blinking 2 Press the RESET button for ten seconds or until the POWER LED begins to blink and then release it When the POWER LED begins to blink the defaults have been restored and the P 660HWP Dx restarts 2 4 Navigating the Web Configurator 2 4 1 Navigation Panel After you enter the admin password use the sub menus on the navigation panel to configur...

Page 47: ...up Use this screen to configure your traffic redirect properties and WAN backup settings LAN IP Use this screen to configure LAN TCP IP settings enable Any IP and other advanced properties DHCP Setup Use this screen to configure LAN DHCP settings Client List Use this screen to view current DHCP client information and to always assign an IP address to a MAC address and host name IP Alias Use this s...

Page 48: ... screen to configure IP static routes Bandwidth MGMT Summary Use this screen to enable bandwidth management on an interface Rule Setup Use this screen to define a bandwidth rule Monitor Use this screen to view the P 660HWP Dx s bandwidth usage and allotments Dynamic DNS Dynamic DNS Use this screen to set up dynamic DNS Remote MGMT WWW Use this screen to configure through which interface s and from...

Page 49: ...P 660HWP Dx s time and date Logs View Log Use this screen to view the logs for the categories that you selected Log Settings Use this screen to change your P 660HWP Dx s log settings Tools Firmware Use this screen to upload firmware to your P 660HWP Dx Configuration Use this screen to backup and restore the configuration or reset the factory defaults to your P 660HWP Dx Restart This screen allows ...

Page 50: ...WAN Information DSL Mode This is the standard that your P 660HWP Dx is using IP Address This is the WAN port IP address IP Subnet Mask This is the WAN port IP subnet mask Default Gateway This is the IP address of the default gateway if applicable VPI VCI This is the Virtual Path Identifier and Virtual Channel Identifier that you entered in the wizard or WAN screen LAN Information IP Address This i...

Page 51: ...p or connected if you re using Ethernet encapsulation and Down line is down Up line is up or connected Idle line ppp idle Dial starting to trigger a call and Drop dropping a call if you re using PPPoE encapsulation Rate For the LAN ports this displays the port speed and duplex setting Ethernet port connections can be in half duplex or full duplex mode Full duplex refers to a device s ability to se...

Page 52: ...ntage of bandwidth in use Table 5 Status Any IP Table LABEL DESCRIPTION This is the index number of the host computer IP Address This field displays the IP address of the network device MAC Address This field displays the MAC Media Access Control address of the computer with the displayed IP address Every Ethernet device has a unique MAC address The MAC address is assigned at the factory and consi...

Page 53: ...en will appear Figure 17 Status Powerline See Figure 46 on page 140 for information on the headings on this screen 2 4 7 Status Packet Statistics Click the Packet Statistics hyperlink in the Status screen Read only information here includes port status and packet specific statistics Also provided are system up time and poll interval s The Poll Interval s field is configurable Not all fields are av...

Page 54: ... or connected if you re using Ethernet encapsulation and Down line is down Up line is up or connected Idle line ppp idle Dial starting to trigger a call and Drop dropping a call if you re using PPPoE encapsulation TxPkts This field displays the number of packets transmitted on this port RxPkts This field displays the number of packets received on this port Errors This field displays the number of ...

Page 55: ...Maintenance System to display the screen shown next See Table 107 on page 266 for detailed field descriptions Figure 19 System General Collisions This is the number of collisions on this port Poll Interval s Type the time interval for the browser to refresh system statistics Set Interval Click this button to apply the new poll interval you entered in the Poll Interval field above Stop Click this b...

Page 56: ...Chapter 2 Introducing the Web Configurator P 660HWP Dx User s Guide 48 ...

Page 57: ...35 PART II Wizards Wizard Setup for Internet Wireless Access 59 Bandwidth Management Wizard 73 ...

Page 58: ...36 ...

Page 59: ...s to configure your system for Internet Wireless access with the information given to you by your ISP See the advanced menu chapters for background information on these fields 3 2 Internet Wireless Access Wizard Setup 1 After you enter the admin password to access the web configurator select Go to Wizard setup and click Apply Otherwise click the wizard icon in the top right corner of the web confi...

Page 60: ... WAN connection type you are using If the wizard detects your connection type and your ISP uses PPPoE or PPPoA go to Section 3 2 1 on page 37 The screen varies depending on the connection type you use If the wizard does not detect a connection type and the following screen appears see Figure 22 on page 37 check your hardware connections and click Restart the Internet Wireless Setup Wizard to have ...

Page 61: ...appears see Figure 23 on page 37 click Next and refer to Section 3 2 2 on page 38 on how to configure the P 660HWP Dx for Internet access manually Figure 23 Auto Detection Failed 3 2 1 Automatic Detection 1 If you have a PPPoE or PPPoA connection a screen displays prompting you to enter your Internet account information Enter the username password and or service name exactly as provided 2 Click Ne...

Page 62: ...etection PPPoE 3 2 2 Manual Configuration 1 If the P 660HWP Dx fails to detect your DSL connection type enter the Internet access information given to you by your ISP exactly in the wizard screen If not given leave the fields set to the default Figure 25 Internet Access Wizard Setup ISP Parameters ...

Page 63: ...oices vary depending on what you select in the Mode field If you select Bridge in the Mode field select either PPPoA or RFC 1483 If you select Routing in the Mode field select PPPoA RFC 1483 ENET ENCAP or PPPoE Multiplexing Select the multiplexing method used by your ISP from the Multiplex drop down list box either VC based or LLC based Virtual Circuit ID VPI Virtual Path Identifier and VCI Virtua...

Page 64: ...iven Password Enter the password associated with the user name above Service Name Type the name of your PPPoE service here Back Click Back to go back to the previous wizard screen Apply Click Apply to save your changes to the P 660HWP Dx Exit Click Exit to close the wizard screen without saving your changes Table 10 Internet Connection with RFC 1483 LABEL DESCRIPTION IP Address This field is avail...

Page 65: ... Address if your ISP gives you a fixed IP address IP Address Enter your ISP assigned IP address Subnet Mask Enter a subnet mask in dotted decimal notation Refer to the appendices to calculate a subnet mask If you are implementing subnetting Gateway IP address You must specify a gateway IP address supplied by your ISP when you use ENET ENCAP in the Encapsulation field in the previous screen First D...

Page 66: ...you can modify them Figure 30 Connection Test Failed 1 If the following screen displays check if your account is activated or click Restart the Internet Wireless Setup Wizard to verify your Internet access settings Table 12 Internet Connection with PPPoA LABEL DESCRIPTION User Name Enter the login name that your ISP gives you Password Enter the password associated with the user name above Back Cli...

Page 67: ...onfigure the Internet access information use the following screens to set up your wireless LAN This section is available on the wireless devices only 1 Select Yes and click Next to configure wireless settings Otherwise select No and skip to Step 6 Figure 32 Connection Test Successful 2 Use this screen to activate the wireless LAN and OTIST Click Next to continue ...

Page 68: ...60HWP Dx s SSID and WPA PSK security settings to wireless clients that support OTIST and are within transmission range You must also activate and start OTIST on the wireless client at the same time The process takes three minutes to complete Note Enable OTIST only if your wireless clients support WPA and OTIST Setup Key Type an OTIST Setup Key of up to eight English keyboard characters in length B...

Page 69: ...ess clients support WPA and OTIST This option is available only when you enable OTIST in the previous wizard screen Select Manually assign a WPA PSK key to configure a pre shared key WPA PSK Choose this option only if your wireless clients support WPA See Section 3 3 1 on page 46 for more information Select Manually assign a WEP key to configure a WEP Key See Section 3 3 2 on page 46 for more info...

Page 70: ...s LAN setup screen to set up a Pre Shared Key Figure 35 Manually assign a WPA key The following table describes the labels in this screen 3 3 2 Manually assign a WEP key Choose Manually assign a WEP key to setup WEP Encryption parameters Table 15 Manually assign a WPA key LABEL DESCRIPTION Pre Shared Key Type from 8 to 63 case sensitive English keyboard characters You can set up the most secure wi...

Page 71: ... Click Finish to complete and save the wizard setup Table 16 Manually assign a WEP key LABEL DESCRIPTION Key The WEP keys are used to encrypt data Both the P 660HWP Dx and the wireless stations must use the same WEP key for data transmission Enter any 5 13 or 29 English keyboard characters or 10 26 or 58 hexadecimal characters 0 9 A F for a 64 bit 128 bit or 256 bit WEP key respectively Back Click...

Page 72: ...nch your web browser and navigate to www zyxel com Internet access is just the beginning Refer to the rest of this guide for more detailed information on the complete range of P 660HWP Dx features If you cannot access the Internet open the web configurator again to confirm that the Internet settings you configured in the wizard setup are correct ...

Page 73: ... Wide Web WWW is an Internet system to distribute graphical hyper linked information based on Hyper Text Transfer Protocol HTTP a client server protocol for the World Wide Web The Web is not synonymous with the Internet rather it is just one service on the Internet Other services on the Internet include Internet Relay Chat and Newsgroups The Web is accessed through use of a browser FTP File Transf...

Page 74: ...ort number 1720 VoIP SIP Sending voice signals over the Internet is called Voice over IP or VoIP Session Initiated Protocol SIP is an internationally recognized standard for implementing VoIP SIP is an application layer control signaling protocol that handles the setting up altering and tearing down of voice and multimedia sessions over the Internet SIP is transported primarily over UDP but can al...

Page 75: ... second wizard screen to select the services that you want to apply bandwidth management and select the priorities that you want to apply to the services listed Table 18 Bandwidth Management Wizard General Information LABEL DESCRIPTION Active Select the Active check box to have the P 660HWP Dx apply bandwidth management to traffic going out through the P 660HWP Dx s port s Select Services Setup to...

Page 76: ... priority for traffic that matches that service A service with High priority is given as much bandwidth as it needs If you select services as having the same priority then bandwidth is divided equally amongst those services Services not specified in bandwidth management are allocated bandwidth after all specified services receive their bandwidth requirements If the rules set up in this wizard are ...

Page 77: ...Chapter 4 Bandwidth Management Wizard P 660HWP Dx User s Guide 53 Figure 43 Bandwidth Management Wizard Complete ...

Page 78: ...Chapter 4 Bandwidth Management Wizard P 660HWP Dx User s Guide 54 ...

Page 79: ...35 PART III Network WAN Setup 81 LAN Setup 99 Wireless LAN 111 Powerline 135 Network Address Translation NAT 143 ...

Page 80: ...36 ...

Page 81: ...E Point to Point Protocol over Ethernet provides access control and billing functionality in a manner similar to dial up services using PPP PPPoE is an IETF standard RFC 2516 specifying how a personal computer PC interacts with a broadband modem DSL cable etc connection For the service provider PPPoE offers an access and authentication method that works with existing access control systems for exa...

Page 82: ...ominant in environments where dynamic creation of large numbers of ATM VCs is fast and economical 5 1 2 2 LLC based Multiplexing In this case one VC carries multiple protocols with protocol identifying information being contained in each packet header Despite the extra bandwidth and processing overhead this method may be advantageous if it is not practical to have a separate VC for each carried pr...

Page 83: ...es your choices for IP address and ENET ENCAP gateway 5 1 5 1 IP Assignment with PPPoA or PPPoE Encapsulation If you have a dynamic IP then the IP Address and ENET ENCAP Gateway fields are not applicable N A If you have a static IP then you only need to fill in the IP Address field and not the ENET ENCAP Gateway field 5 1 5 2 IP Assignment with RFC 1483 Encapsulation In this case the IP Address As...

Page 84: ...e Section 5 8 on page 49 For example if the normal route has a metric of 1 and the traffic redirect route has a metric of 2 and dial backup route has a metric of 3 then the normal route acts as the primary default route If the normal route fails to connect to the Internet the P 660HWP Dx tries the traffic redirect route next In the same manner the P 660HWP Dx uses the dial backup route if the traf...

Page 85: ...Constant Bit Rate CBR provides fixed bandwidth that is always available even if no data is being sent CBR traffic is generally time sensitive doesn t tolerate delay CBR is used for connections that continuously require a specific amount of bandwidth A PCR is specified and if traffic exceeds this rate cells may be dropped Examples of connections that need CBR would be high resolution video and voic...

Page 86: ...transfer 5 4 Zero Configuration Internet Access Once you turn on and connect the P 660HWP Dx to a telephone jack it automatically detects the Internet connection settings such as the VCI VPI numbers and the encapsulation method from the ISP and makes the necessary configuration changes In cases where additional account information such as an Internet account user name and password is required or t...

Page 87: ...Mode field If you select Bridge in the Mode field select either PPPoA or RFC 1483 If you select Routing in the Mode field select PPPoA RFC 1483 ENET ENCAP or PPPoE User Name PPPoA and PPPoE encapsulation only Enter the user name exactly as your ISP assigned If assigned a name in the form user domain where domain identifies a service name then enter both components exactly as given Password PPPoA a...

Page 88: ...ss to use enter it here Subnet Mask ENET ENCAP encapsulation only Enter a subnet mask in dotted decimal notation Refer to the appendices to calculate a subnet mask If you are implementing subnetting Gateway IP address ENET ENCAP encapsulation only You must specify a gateway IP address supplied by your ISP when you select ENET ENCAP in the Encapsulation field Connection PPPoA and PPPoE encapsulatio...

Page 89: ... Rate to specify fixed always on bandwidth for voice or data traffic Select UBR Unspecified Bit Rate for applications that are non time sensitive such as e mail Select VBR nRT Variable Bit Rate non Real Time or VBR RT Variable Bit Rate Real Time for bursty traffic and bandwidth sharing with other applications Peak Cell Rate Divide the DSL line rate bps by 424 the size of an ATM cell to find the Pe...

Page 90: ...ethod from the ISP and make the necessary configuration changes Select No to disable this feature You must manually configure the P 660HWP Dx for Internet access PPPoE Passthrough This feature is available when you select PPPoE encapsulation In addition to the P 660HWP Dx s built in PPPoE client you can enable PPPoE pass through to allow up to ten hosts on the LAN to use PPPoE client software on t...

Page 91: ...lect the check box to enable it Name This is the descriptive name for this connection VPI VCI This is the VPI and VCI values used for this connection Encapsulation This is the method of encapsulation used for this connection Modify The first ISP connection is read only in this screen Use the WAN Internet Connection screen to edit it Click the edit icon to go to the screen where you can edit the co...

Page 92: ...ernet account If you select Bridge the P 660HWP Dx will forward any packet that it does not route to this remote node otherwise the packets are discarded Encapsulation Select the method of encapsulation used by your ISP from the drop down list box Choices are PPPoA RFC 1483 ENET ENCAP or PPPoE User Name PPPoA and PPPoE encapsulation only Enter the user name exactly as your ISP assigned If assigned...

Page 93: ... use enter it here Subnet Mask Enter a subnet mask in dotted decimal notation Refer to the appendices to calculate a subnet mask If you are implementing subnetting Gateway IP address Specify a gateway IP address supplied by your ISP Connection Nailed Up Connection Select Nailed Up Connection when you want your connection up all the time The P 660HWP Dx will try to bring up the connection automatic...

Page 94: ...ct CBR Continuous Bit Rate to specify fixed always on bandwidth for voice or data traffic Select UBR Unspecified Bit Rate for applications that are non time sensitive such as e mail Select VBR nRT Variable Bit Rate non Real Time or VBR RT Variable Bit Rate Real Time for bursty traffic and bandwidth sharing with other applications Peak Cell Rate Divide the DSL line rate bps by 424 the size of an AT...

Page 95: ...ay is connected to the LAN Use IP alias to configure the LAN into two or three logical networks with the P 660HWP Dx itself as the gateway for each LAN network Put the protected LAN in one subnet Subnet 1 in the following figure and the backup gateway in another subnet Subnet 2 Configure filters that allow packets from the protected LAN Subnet 1 to the backup gateway Subnet 2 Figure 51 Traffic Red...

Page 96: ...ctivate either traffic redirect or dial backup you must configure at least one IP address here When using a WAN backup connection the P 660HWP Dx periodically pings the addresses configured here and uses the other WAN backup connection if configured if there is no response Fail Tolerance Type the number of times 2 recommended that your P 660HWP Dx may ping the IP addresses configured in the Check ...

Page 97: ... If you activate traffic redirect you must configure at least one Check WAN IP Address Metric This field sets this route s priority among the routes the P 660HWP Dx uses The metric represents the cost of transmission A router determines the best route for transmission by choosing a path with the lowest cost RIP routing uses hop count as the measurement of cost with a minimum of 1 for directly conn...

Page 98: ...Chapter 5 WAN Setup P 660HWP Dx User s Guide 52 ...

Page 99: ...area usually the same building or floor of a building The LAN screens can help you configure a LAN DHCP server and manage IP addresses See Section 6 3 on page 40 to configure the LAN screens 6 1 1 LANs WANs and the P 660HWP Dx The actual physical connection determines whether the P 660HWP Dx ports are LAN or WAN ports There are two separate IP networks one inside the LAN network and the other outs...

Page 100: ...ddresses enter them in the DNS Server fields in DHCP Setup otherwise leave them blank Some ISP s choose to pass the DNS servers using the DNS server extensions of PPP IPCP IP Control Protocol after the connection is up If your ISP did not give you explicit DNS servers chances are the DNS servers are conveyed through IPCP negotiation The P 660HWP Dx supports the IPCP DNS server extensions through t...

Page 101: ...Address Translation NAT feature of the P 660HWP Dx The Internet Assigned Number Authority IANA reserved this block of addresses specifically for private use please do not use any other number unless you are told otherwise Let s say you select 192 168 1 0 as the network number which covers 254 individual addresses from 192 168 1 1 to 192 168 1 254 zero and 255 are reserved In other words the first ...

Page 102: ...IP packets but will not accept any RIP packets received None the P 660HWP Dx will not send any RIP packets and will ignore any RIP packets received The Version field controls the format and the broadcasting method of the RIP packets that the P 660HWP Dx sends it recognizes both formats when receiving RIP 1 is universally supported but RIP 2 carries more information RIP 1 is probably adequate for m...

Page 103: ...WP Dx In cases where your computer is required to use a static IP address in another network you may need to manually configure the network settings of the computer every time you want to access the Internet via the P 660HWP Dx With the Any IP feature and NAT enabled the P 660HWP Dx allows a computer to access the Internet without changing the network settings such as IP address and subnet mask of...

Page 104: ...ends packets to its default gateway which is not the P 660HWP Dx by looking at the MAC address in its ARP table 2 When the computer cannot locate the default gateway an ARP request is broadcast on the LAN 3 The P 660HWP Dx receives the ARP request and replies to the computer with its own MAC address 4 The computer updates the MAC address for the default gateway to the ARP table Once the ARP table ...

Page 105: ... Mask Type the subnet mask assigned to you by your ISP if given Apply Click Apply to save your changes to the P 660HWP Dx Cancel Click Cancel to begin configuring this screen afresh Advanced Setup Click this button to display the Advanced LAN Setup screen and edit more details of your LAN setup Table 27 Advanced LAN Setup LABEL DESCRIPTION RIP Multicast Setup RIP Direction Select the RIP direction...

Page 106: ...ws Networking NetBIOS over TCP IP NetBIOS Network Basic Input Output System are TCP or UDP packets that enable a computer to connect to and communicate with a LAN For some dial up services such as PPPoE or PPTP NetBIOS packets cause unwanted calls However it may sometimes be necessary to allow NetBIOS packets to pass through to the WAN in order to find a computer on the WAN Allow between LAN and W...

Page 107: ... of the actual remote DHCP server in the Remote DHCP Server field in this case When DHCP is used the following items need to be set IP Pool Starting Address This field specifies the first of the contiguous addresses in the IP address pool Pool Size This field specifies the size or count of the IP address pool Remote DHCP Server If Relay is selected in the DHCP field above then enter the IP address...

Page 108: ...ble entry row Status This field displays whether the client is connected to the P 660HWP Dx Host Name This field displays the computer host name IP Address This field displays the IP address relative to the field listed above MAC Address The MAC Media Access Control or Ethernet address on a LAN Local Area Network is unique to your computer six pairs of hexadecimal notation A network interface card...

Page 109: ...AN s logical networks subnets Make sure that the subnets of the logical networks do not overlap The following figure shows a LAN divided into subnets A B and C Figure 59 Physical Network Partitioned Logical Networks To change your P 660HWP Dx s IP alias settings click Network LAN IP Alias The screen appears as shown Figure 60 LAN IP Alias ...

Page 110: ...routing table periodically When set to Both or In Only it will incorporate the RIP information that it receives when set to None it will not send any RIP packets and will ignore any RIP packets received RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the P 660HWP Dx sends it recognizes both formats when receiving RIP 1 is universally suppor...

Page 111: ...ess network devices A and B are called wireless clients The wireless clients use the access point AP to interact with other devices such as the printer or with the Internet Your P 660HWP Dx is the AP Every wireless network must follow these basic guidelines Every wireless client in the same wireless network must use the same SSID The SSID is the name of the wireless network It stands for Service S...

Page 112: ...B adapter or a wireless CardBus card 3 a RADIUS server only if you want to use IEEE802 1x WPA or WPA2 To have two or more computers communicate with each other wirelessly without an AP or wireless router make sure you have the following 1 two or more wireless network cards adapters which vary according to your computers If you have a desktop use either a wireless USB adapter or a wireless PCI adap...

Page 113: ...irly weak however because there are ways for unauthorized devices to get the SSID In addition unauthorized devices can still see the information that is sent in the wireless network 7 3 2 MAC Address Filter Every wireless client has a unique identification number called a MAC address 1 A MAC address is usually written using twelve hexadecimal characters2 for example 00A0C5000002 or 00 A0 C5 00 00 ...

Page 114: ...more there are ways for unauthorized wireless users to get a valid user name and password Then they can use that user name and password to use the wireless network Local user databases also have an additional limitation that is explained in the next section 7 3 4 Encryption Wireless networks can use encryption to protect the information that is sent in the wireless network Encryption is like a sec...

Page 115: ...y to protect the information in the wireless network The longer the key the stronger the encryption Every wireless client in the wireless network must have the same key 7 3 5 One Touch Intelligent Security Technology OTIST With ZyXEL s OTIST you set up the SSID and WPA PSK on the P 660HWP Dx Then the P 660HWP Dx transfers them to the devices in the wireless networks As a result you do not have to ...

Page 116: ... printable 7 bit English keyboard characters for the wireless LAN Note If you are configuring the P 660HWP Dx from a computer connected to the wireless LAN and you change the P 660HWP Dx s SSID or WEP settings you will lose your wireless connection when you press Apply to confirm You must then change the wireless settings of your computer to match the P 660HWP Dx s new settings Hide SSID Select th...

Page 117: ...wireless clients and the access points must use the same WEP key Your P 660HWP Dx allows you to configure up to four 64 bit 128 bit or 256 bit WEP keys but only one key can be enabled at any one time In order to configure and enable WEP encryption click Network Wireless LAN to display the General screen Select Static WEP from the Security Mode list Table 33 Wireless No Security LABEL DESCRIPTION S...

Page 118: ...Passphrase up to 32 printable characters and clicking Generate The P 660HWP Dx automatically generates a WEP key WEP Key The WEP keys are used to encrypt data Both the P 660HWP Dx and the wireless clients must use the same WEP key for data transmission If you want to manually set the WEP key enter any 5 13 or 29 characters English keyboard string or 10 26 or 58 hexadecimal characters 0 9 A F for a...

Page 119: ...eless clients have to resend usernames and passwords in order to stay connected Enter a time interval between 10 and 9999 seconds The default time interval is 1800 seconds 30 minutes Note If wireless client authentication is done using a RADIUS server the reauthentication timer on the RADIUS server has priority Idle Timeout In Seconds The P 660HWP Dx automatically disconnects a wireless station fr...

Page 120: ...y management sends a new group key out to all clients The re keying process is the WPA 2 equivalent of automatically changing the WEP key for an AP and all stations in a WLAN on a periodic basis Setting of the Group Key Update Timer is also supported in WPA PSK WPA2 PSK mode The default is 1800 seconds 30 minutes Apply Click Apply to save your changes to the P 660HWP Dx Cancel Click Cancel to relo...

Page 121: ... all stations in a WLAN on a periodic basis Setting of the Group Key Update Timer is also supported in WPA PSK WPA2 PSK mode The default is 1800 seconds 30 minutes Authentication Server IP Address Enter the IP address of the external authentication server in dotted decimal notation Port Number Enter the port number of the external authentication server The default port number is 1812 You need not ...

Page 122: ...thin an area decrease the output power of the P 660HWP Dx to reduce interference with other APs The options are Maximum Middle and Minimum Preamble Select Long preamble if you are unsure what preamble mode the wireless adapters support and to provide more reliable communications in busy wireless networks Select Short preamble if you are sure the wireless adapters support it and to provide more eff...

Page 123: ... The AP and wireless client s MUST use the same Setup key 7 5 1 1 AP You can enable OTIST using the RESET button or the web configurator 7 5 1 1 1 Reset button If you use the RESET button the default 01234567 or previous saved through the web configurator Setup key is used to encrypt the settings that you want to transfer Hold in the RESET button for three to eight seconds Max Frame Burst Enable M...

Page 124: ...st also make the same change on the wireless client s Yes If you want OTIST to automatically generate a WPA PSK you must Change your security to any security other than WPA PSK in the Wireless LAN General screen Select the Yes checkbox in the OTIST screen and click Start The wireless screen displays an auto generated WPA PSK and is now in WPA PSK security mode The WPA PSK security settings are ass...

Page 125: ...wireless clients and AP in any order but they must all be within range and have OTIST enabled 1 In the AP a web configurator screen pops up showing you the security settings to transfer You can use the key in this screen to set up WPA PSK encryption manually for non OTIST devices in the wireless network After reviewing the settings click OK Figure 70 Security Key 2 This screen appears while OTIST ...

Page 126: ...oses its wireless connection for more than ten seconds it will search for an OTIST enabled AP for up to one minute If you manually have the wireless client search for an OTIST enabled AP there is no timeout click Cancel in the OTIST progress screen to stop the search 3 When the wireless client finds an OTIST enabled AP you must still click Start in the AP OTIST web configurator screen or hold in t...

Page 127: ...the devices to configure this screen To change your P 660HWP Dx s MAC filter settings click Network Wireless LAN MAC Filter The screen appears as shown Figure 75 MAC Address Filter The following table describes the labels in this menu Table 39 MAC Address Filter LABEL DESCRIPTION Active MAC Filter Select the check box to enable MAC address filtering Filter Action Define the filter action for the l...

Page 128: ...ress MAC Address Enter the MAC addresses of the wireless client that are allowed or denied access to the P 660HWP Dx in these address fields Enter the MAC addresses in a valid MAC address format that is six hexadecimal character pairs for example 12 34 56 78 9a bc Apply Click Apply to save your changes to the P 660HWP Dx Cancel Click Cancel to reload the previous configuration for this screen Tabl...

Page 129: ...r further information about port numbers Next to the name of the service two fields appear in brackets The first field indicates the IP protocol type TCP UDP or ICMP The second field indicates the IP port number that defines the service Note that there may be more than one IP protocol type For example look at the DNS service UDP TCP 53 means UDP port 53 and TCP port 53 ...

Page 130: ..._TUNNEL AH 0 The IPSEC AH Authentication Header tunneling protocol uses this service IPSEC_TUNNEL ESP 0 The IPSEC ESP Encapsulation Security Protocol tunneling protocol uses this service IRC TCP UDP 6667 This is another popular Internet chat program MSN Messenger TCP 1863 Microsoft Networks messenger service uses this protocol MULTICAST IGMP 0 Internet Group Multicast Protocol is used when sending...

Page 131: ...Transfer Protocol is the message exchange standard for the Internet SMTP enables you to move messages from one e mail server to another SNMP TCP UDP 161 Simple Network Management Program SNMP TRAPS TCP UDP 162 Traps for use with the SNMP RFC 1215 SQL NET TCP 1521 Structured Query Language is an interface to access data on many different types of database systems including mainframes midrange syste...

Page 132: ...which you want to apply WMM QoS This is the number of an individual application entry Name This field displays a description given to an application entry Service This field displays either FTP WWW E mail or a User Defined service to which you want to apply WMM QoS Dest Port This field displays the destination port number to which the application sends traffic Priority This field displays the WMM ...

Page 133: ...s of messages sent through a computer network to specific groups or individuals Here are some default ports for e mail POP3 port 110 IMAP port 143 SMTP port 25 HTTP port 80 WWW The World Wide Web is an Internet system to distribute graphical hyper linked information based on Hyper Text Transfer Protocol HTTP a client server protocol for the World Wide Web The Web is not synonymous with the Interne...

Page 134: ...Dx User s Guide 58 Apply Click Apply to save your changes back to the P 660HWP Dx Cancel Click Cancel to return to the previous screen without saving your changes Table 43 Application Priority Configuration continued LABEL DESCRIPTION ...

Page 135: ...ing section shows you a typical application Figure 78 Expand Your Network 1 Connect your P 660HWP Dx to the Internet 2 Then plug your P 660HWP Dx into a power outlet and turn it on The P 660HWP Dx is ready for connection on a powerline network 3 Connect another HomePlug AV compatible adapter to a computer and then plug it in on the same home or office wiring After configuring the settings on all a...

Page 136: ...gured with the network password HomePlugAV This allows all HomePlug AV powerline adapters and the P 660HWP Dx to communicate with each other without any software configuration This also means that if you don t change the network password any HomePlug AV powerline adapter connected to your powerline circuit can see your network data Change the network password on your powerline adapters to ensure s...

Page 137: ...his powerline adapter Add additional powerline adapters to your network by plugging them into your powerline outlets and assigning them the same network password Password1 This completes the configuration of your first powerline network Connect another powerline adapter to a router or switch on the second Ethernet network and assign a different network password for example Password2 to this powerl...

Page 138: ... network The default network password of the P 660HWP Dx is HomePlugAV The P 660HWP Dx must use the same network password to recognize and communicate with other adapters over the powerline network If you change the password of one device on the network it will no longer be recognized as part of that network If you change the network password make sure you change the password for all of the powerl...

Page 139: ...enter the correct Device Access Key DAK for the selected powerline adapter before you can make changes to it Cancel Click this button to cancel any changes you have made LABEL DESCRIPTION LABEL DESCRIPTION Network Remote Stations Setting This section describes the configuration of the other HomePlug AV adapters on your power line network Remote Stations In The Same Network This field shows the MAC...

Page 140: ...el Click this button to cancel any changes you have made LABEL DESCRIPTION LABEL DESCRIPTION General This section provides general information on your network useful for technical troubleshooting CCo Information CCo refers to Central Coordinator The Central Coordinator of the powerline network is the powerline adapter which keeps track of which devices are part of the network as well as synchroniz...

Page 141: ...your powerline network Bridged MAC Address Your P 660HWP Dx may also connect to an Ethernet network such as a LAN or the Internet Your powerline network will then be able to connect to an Ethernet network through your P 660HWP Dx So the Bridged MAC Address refers to the MAC address which your P 660HWP Dx uses when connecting to an Ethernet network and transmitting to your powerline network from an...

Page 142: ...Chapter 8 Powerline P 660HWP Dx User s Guide 42 ...

Page 143: ...ost when the packet is in the local network while the global address refers to the IP address of the host when the same packet is traveling in the WAN side Note that inside outside refers to the location of a host while global local refers to the IP address of a host used in a packet Thus an inside local address ILA is the IP address of an inside host in a packet when the packet is still in the lo...

Page 144: ...ting intruders from probing your network For more information on IP address translation refer to RFC 1631 The IP Network Address Translator NAT 9 1 3 How NAT Works Each packet has two addresses a source address and a destination address For outgoing packets the ILA Inside Local Address is the source address on the LAN and the IGA Inside Global Address is the source address on the WAN For incoming ...

Page 145: ...e PAT port address translation ZyXEL s Single User Account feature that previous ZyXEL routers supported the SUA Only option in today s routers Many to Many Overload In Many to Many Overload mode the P 660HWP Dx maps the multiple local IP addresses to shared global IP addresses Many to Many No Overload In Many to Many No Overload mode the P 660HWP Dx maps each local IP address to a unique global I...

Page 146: ...ecause they embed IP addresses and port numbers in their packets data payload Some NAT routers may include a SIP Application Layer Gateway ALG An Application Layer Gateway ALG manages a specific protocol such as SIP H 323 or FTP at the application layer A SIP ALG allows SIP calls to pass through NAT by examining and translating IP addresses embedded in the data stream When the P 660HWP Dx register...

Page 147: ... limit the number of NAT sessions a single client can establish this can result in all of the available NAT sessions being used In this case no additional NAT sessions can be established and users may not be able to access the Internet Each NAT session establishes a corresponding firewall session Use this field to limit the number of NAT firewall sessions each client computer can establish through...

Page 148: ... Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location If you are unsure refer to your ISP 9 5 1 Default Server IP Address In addition to the servers for specified services NAT supports a default server IP address A default server receives packets from ports that are not specified in this screen If you do not assign a Default ...

Page 149: ...rs as a single host on the Internet Figure 87 Multiple Servers Behind NAT Example 9 6 Configuring Port Forwarding The Port Forwarding screen is available only when you select SUA Only in the NAT General screen If you do not assign a Default Server IP address the P 660HWP Dx discards all packets received for ports that are not specified here or in the remote management setup Click Network NAT Port ...

Page 150: ...or in the remote management setup Port Forwarding Service Name Select a service from the drop down list box Server IP Address Enter the IP address of the server for the specified service Add Click this button to add a rule to the table below This is the rule index number read only Active Click this check box to enable the rule Service Name This is a service s name Start Port This is the first port...

Page 151: ...DESCRIPTION Active Click this check box to enable the rule Service Name Enter a name to identify this port forwarding rule Start Port Enter a port number in this field To forward only one port enter the port number again in the End Port field To forward a series of ports enter the start port number here and the end port number in the End Port field End Port Enter a port number in this field To for...

Page 152: ...s is the starting Inside Global IP Address IGA Enter 0 0 0 0 here if you have a dynamic IP address from your ISP You can only do this for Many to One and Server mapping types Global End IP This is the ending Inside Global IP Address IGA This field is N A for One to one Many to One and Server mapping types Type 1 1 One to one mode maps one local IP address to one global IP address Note that port nu...

Page 153: ...o Many No Overload mode maps each local IP address to unique global IP addresses Server This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world Local Start IP This is the starting local IP address ILA Local IP addresses are N A for Server port mapping Local End IP This is the end local IP address ILA If your rule is for all local IP...

Page 154: ...s Translation NAT P 660HWP Dx User s Guide 46 Apply Click Apply to save your changes to the P 660HWP Dx Cancel Click Cancel to begin configuring this screen afresh Table 54 Edit Address Mapping Rule continued LABEL DESCRIPTION ...

Page 155: ...35 PART IV Security Firewalls 157 Firewall Configuration 169 Content Filtering 191 Certificates 195 ...

Page 156: ...36 ...

Page 157: ...he only mechanism or method employed For a firewall to guard effectively you must design and deploy it appropriately This requires integrating the firewall into a broad information security policy In addition specific policies must be implemented within the firewall itself Refer to Section 11 5 on page 50 to configure default firewall settings Refer to Section 11 6 on page 51 to view firewall rule...

Page 158: ... to assure the integrity of the connection and to adapt to dynamic protocols These firewalls generally provide the best speed and transparency however they may lack the granular application level access control or caching that some proxies support See Section 10 5 on page 40 for more information on stateful inspection Firewalls of one type or another have become an integral part of standard securi...

Page 159: ...ific functions An extension number called the TCP port or UDP port identifies these protocols such as HTTP Web FTP File Transfer Protocol POP3 E mail etc For example Web traffic by default uses TCP port 80 When computers communicate on the Internet they are using the client server model where the server listens on a specific TCP UDP port for information requests from remote client computers on the...

Page 160: ... series of IP fragments with overlapping offset fields When these fragments are reassembled at the destination some systems will crash hang or reboot 6 Weaknesses in the TCP IP specification leave it open to SYN Flood and LAND attacks These attacks are executed during the handshake that initiates a communication session between two applications Figure 93 Three Way Handshake Under normal circumstan...

Page 161: ...er floods a router with Internet Control Message Protocol ICMP echo request packets pings Since the destination IP address of each packet is the broadcast address of the network the router will broadcast the ICMP echo request packet to all hosts on the network If there are numerous hosts this will create a large amount of ICMP echo request and response traffic If a hacker chooses to spoof the sour...

Page 162: ...cking a router or firewall into thinking that the communications are coming from within the trusted network To engage in IP spoofing a hacker must modify the packet headers so that it appears that the packets originate from a trusted host and should be allowed through the router or firewall The P 660HWP Dx blocks all IP Spoofing attempts 10 5 Stateful Inspection With stateful inspection fields of ...

Page 163: ... packet leaves the LAN network through the firewall s WAN interface The TCP packet is the first in a session and the packet s application layer protocol is configured for a firewall rule inspection 1 The packet travels from the firewall s LAN to the WAN 2 The packet is evaluated against the interface s existing outbound access list and the packet is permitted a denied packet would simply be droppe...

Page 164: ...ow certain types of traffic from the Internet to specific hosts on the LAN Allow access to a Web server to everyone but competitors Restrict use of certain protocols such as Telnet to authorized users on the LAN These custom rules work by evaluating the network traffic s Source IP address Destination IP address IP protocol type and comparing these to rules set by the administrator The ability to d...

Page 165: ...ve Specifically only outgoing echoes will allow incoming echo replies outgoing address mask requests will allow incoming address mask replies and outgoing timestamp requests will allow incoming timestamp replies No other ICMP packets are allowed in through the firewall simply because they are too dangerous and contain too little tracking information For instance ICMP redirect packets are never all...

Page 166: ...ticularly vulnerable because they provide more opportunities for hackers to crack your system Turn your computer off when not in use Never give out a password or any sensitive information to an unsolicited telephone call or e mail Never e mail sensitive information such as passwords credit card information etc without encrypting the information first Never submit sensitive information via a web pa...

Page 167: ...ilters can not distinguish traffic originating from an inside host or an outside host by IP address To block allow IP trace route 10 7 2 Firewall The firewall inspects packet contents as well as their source and destination addresses Firewalls of this type employ an inspection module applicable to all protocols that understands data in the packet is intended for other layers from the network layer...

Page 168: ...ish traffic originating from an inside host or an outside host by IP address The firewall performs better than filtering if you need to check many rules Use the firewall if you need routine e mail reports about your system or need to be alerted when attacks occur The firewall can block specific URL traffic that might occur in the future The URL can be saved in an Access Control List ACL database ...

Page 169: ...travel of packets to which they apply By default the P 660HWP Dx s stateful packet inspection allows packets traveling in the following directions LAN to LAN Router This allows computers on the LAN to manage the P 660HWP Dx and communicate between networks or subnets connected to the LAN interface LAN to WAN By default the P 660HWP Dx s stateful packet inspection drops packets traveling in the fol...

Page 170: ...precedence and override the P 660HWP Dx s default rules 11 3 Rule Logic Overview Study these points carefully before configuring rules 11 3 1 Rule Checklist State the intent of the rule For example This restricts all IRC access from the LAN to the Internet Or This allows a remote Lotus Notes server to synchronize over the Internet to an inside Notes server 1 Is the intent of the rule to forward or...

Page 171: ...s an ICMP destination unreachable message to the sender 11 3 3 2 Service Select the service from the Service scrolling list box If the service is not listed it is necessary to first define it See Section Table 64 on page 61 for more information on predefined services 11 3 3 3 Source Address What is the connection s source address is it on the LAN or WAN Is it a single IP a range of IPs or a subnet...

Page 172: ...you will need to create custom rules to allow it 11 4 2 Alerts Alerts are reports on events such as attacks that you may want to know about right away You can choose to generate an alert when a rule is matched in the Edit Rule screen see Figure 99 on page 54 When an event generates an alert a message can be immediately sent to an e mail account that you specify in the Log Settings screen Refer to ...

Page 173: ...s the direction of travel of packets LAN to LAN Router LAN to WAN WAN to WAN Router WAN to LAN Firewall rules are grouped based on the direction of travel of packets to which they apply For example LAN to LAN Router means packets traveling from a computer subnet on the LAN to either another computer subnet on the LAN interface of the P 660HWP Dx or the P 660HWP Dx itself Default Action Use the dro...

Page 174: ...nfigure summarized below take priority over the general firewall action settings in the General screen This is your firewall rule number The ordering of your rules is important as rules are applied in turn Active This field displays whether a firewall is turned on or not Select the check box to enable the rule Clear the check box to disable the rule Source IP This drop down list box displays the s...

Page 175: ...can edit the rule Click the Remove icon to delete an existing firewall rule A window displays asking you to confirm that you want to delete the firewall rule Note that subsequent firewall rules move up by one when you take this action Order Click the Move icon to display the Move the rule to field Type a number in the Move the rule to field and click the Move button to move the rule to the number ...

Page 176: ...Chapter 11 Firewall Configuration P 660HWP Dx User s Guide 54 Figure 99 Firewall Edit Rule ...

Page 177: ...the Source or Destination Address box You can add multiple addresses ranges of addresses and or subnets Edit To edit an existing source or destination address select it from the box and click Edit Delete Highlight an existing source or destination address from the Source or Destination Address box above and click Delete to remove it Services Available Selected Services Please see Section 11 8 on p...

Page 178: ...omized Service Click a rule number in the Firewall Customized Services screen to create a new custom port or edit an existing one This action displays the following screen Apply Click Apply to save your customized settings and exit this screen Cancel Click Cancel to exit this screen without saving Table 61 Firewall Edit Rule continued LABEL DESCRIPTION Table 62 Customized Services LABEL DESCRIPTIO...

Page 179: ...vices LABEL DESCRIPTION Service Name Type a unique name for your custom port Service Type Choose the IP port TCP UDP or TCP UDP that defines your customized port from the drop down list box Port Configuration Type Click Single to specify one port only or Range to specify a span of ports that define your customized service Port Number Type a single port number or the range of port numbers that defi...

Page 180: ...e becomes rule 8 4 Click Add to display the firewall rule configuration screen 5 In the Edit Rule screen click the Edit Customized Services link to open the Customized Service screen 6 Click an index number to display the Customized Services Config screen and configure the screen as follows and click Apply Figure 103 Edit Custom Port Example 7 Select Any in the Destination Address box and then cli...

Page 181: ...xample Edit Rule Destination Address 9 Use the Add and Remove buttons between Available Services and Selected Services list boxes to configure it as follows Click Apply when you are done Custom services show up with an before their names in the Services list box and the Rules list box ...

Page 182: ...ewall Example Edit Rule Select Customized Services On completing the configuration procedure for this Internet firewall rule the Rules screen should look like the following Rule 1 allows a MyService connection from the WAN to IP addresses 10 0 0 10 through 10 0 0 15 on the LAN ...

Page 183: ...m service ports may also be configured using the Edit Customized Services function discussed previously Table 64 Predefined Services SERVICE DESCRIPTION AIM NEW_ICQ TCP 5190 AOL s Internet Messenger service used as a listening port by ICQ AUTH TCP 113 Authentication protocol used by some servers BGP TCP 179 Border Gateway Protocol BOOTP_CLIENT UDP 68 DHCP Client BOOTP_SERVER UDP 67 DHCP Server CU ...

Page 184: ... from a POP3 server through a temporary connection TCP IP or other PPTP TCP 1723 Point to Point Tunneling Protocol enables secure transfer of data over public networks This is the control channel PPTP_TUNNEL GRE 0 Point to Point Tunneling Protocol enables secure transfer of data over public networks This is the data channel RCMD TCP 512 Remote Command Service REAL_AUDIO TCP 7070 A streaming audio ...

Page 185: ...on user Refer to Section 10 1 on page 35 for more information Click Security Firewall Anti Probing to display the screen as shown Figure 107 Firewall Anti Probing SSH TCP UDP 22 Secure Shell Remote Login Program STRMWORKS UDP 1558 Stream Works Protocol SYSLOG UDP 514 Syslog allows you to send system logs to a UNIX server TACACS UDP 49 Login Host Protocol used for Terminal Access Controller Access ...

Page 186: ...wall rules Table 65 Firewall Anti Probing LABEL DESCRIPTION Respond to PING on The P 660HWP Dx does not respond to any incoming Ping requests when Disable is selected Select LAN to reply to incoming LAN Ping requests Select WAN to reply to incoming WAN Ping requests Otherwise select LAN WAN to reply to both incoming LAN and WAN Ping requests Do Not Respond to Requests for Unauthorized Services Sel...

Page 187: ... The P 660HWP Dx continues to delete half open sessions as necessary until the rate of new connection attempts drops below another threshold one minute low The rate is the number of new attempts detected in the last one minute sample period 11 10 2 1 TCP Maximum Incomplete and Blocking Time An unusually high number of half open sessions with the same destination host address could indicate that a ...

Page 188: ...eleting half open sessions When the rate of new connection attempts rises above this number the P 660HWP Dx deletes half open sessions as required to accommodate new connection attempts 100 half open sessions per minute The above numbers cause the P 660HWP Dx to start deleting half open sessions when more than 100 session establishment attempts have been detected in the last minute and to stop del...

Page 189: ...P sessions with the same destination host IP address that causes the firewall to start dropping half open sessions to that same destination host IP address Enter a number between 1 and 256 As a general rule you should choose a smaller number for a smaller network a slower system or limited bandwidth 10 existing half open TCP sessions Action taken when the TCP Maximum Incomplete threshold is reache...

Page 190: ...Chapter 11 Firewall Configuration P 660HWP Dx User s Guide 68 ...

Page 191: ... Dx performs content filtering You can also specify trusted IP addresses on the LAN for which the P 660HWP Dx will not perform content filtering 12 2 Configuring Keyword Blocking Use this screen to block sites containing certain keywords in the URL For example if you enable the keyword bad the P 660HWP Dx blocks all sites containing this keyword including the URL http www website com bad html even...

Page 192: ...list of all the keywords that you have configured the P 660HWP Dx to block Delete Highlight a keyword in the box and click Delete to remove it Clear All Click Clear All to remove all of the keywords from the list Keyword Type a keyword in this field You may use any character up to 127 characters Wildcards are not allowed Add Keyword Click Add Keyword after you have typed a keyword Repeat this proc...

Page 193: ...to Block Select this option to filter websites according to the day s and time s configured Active Select the check box to have the content filtering active on the selected day Start TIme Enter the start time when you want the content filtering to take effect in hour minute format End Time Enter the end time when you want the content filtering to stop in hour minute format Apply Click Apply to sav...

Page 194: ...Chapter 12 Content Filtering P 660HWP Dx User s Guide 72 ...

Page 195: ...t secure Public key encryption for authentication works as follows 1 Tim wants to send a private message to Jenny Tim generates a public private key pair What is encrypted with one key can only be decrypted using the other 2 Tim keeps the private key and makes the public key openly available 3 Tim uses his private key to encrypt the message and sends it to Jenny 4 Jenny receives the message and us...

Page 196: ...s 13 2 Self signed Certificates You can have the P 660HWP Dx act as a certification authority and sign its own certificates 13 3 Verifying a Certificate Before you import a trusted CA or trusted remote host certificate into the P 660HWP Dx you should verify that you have the actual certificate This is especially true of trusted CA certificates since the P 660HWP Dx also trusts any valid certificat...

Page 197: ... certificates on the P 660HWP Dx Figure 114 Certificate Configuration Overview Use the My Certificate screens to generate and export self signed certificates or certification requests and import the P 660HWP Dx s CA signed certificates Use the Trusted CA screens to save the certificates of trusted CAs to the P 660HWP Dx You can also export the certificates to a computer Use the Trusted Remote Host...

Page 198: ...e The factory default certificate is common to all P 660HWP Dxs that use certificates ZyXEL recommends that you use this button to replace the factory default certificate with one that uses your P 660HWP Dx s MAC address My certificate Setting This field displays the certificate index number The certificates are listed in alphabetical order Name This field displays the name used to identify this c...

Page 199: ...ith an in depth list of information about the certificate or certification request Click the export icon to save the certificate to a computer For a certification request click the export icon and then Save in the File Download screen The Save As screen opens browse to the location that you want to use and click Save Click the delete icon to remove the certificate or certification request A window...

Page 200: ...you must select this check box in another self signed certificate s details screen This automatically clears the check box in the details screen of the certificate that was previously set to sign the imported trusted remote host certificates Refresh Click Refresh to display the certification path Certification Path Click the Refresh button to have this read only text box display the hierarchy of c...

Page 201: ...e certificate is about to expire or has already expired Key Algorithm This field displays the type of algorithm that was used to generate the certificate s key pair the P 660HWP Dx uses RSA encryption and the length of the key set in bits 1024 bits for example Subject Alternative Name This field displays the certificate owner s IP address IP domain name DNS or e mail address EMAIL Key Usage This f...

Page 202: ...ficates My Certificates Create Back Click Back to go the previous screen Export Click Export to export a file containing your certificate details Apply Click Apply to save your changes back to the P 660HWP Dx You can only change the name except in the case of a self signed certificate which you can also set to be the default self signed certificate that signs the imported trusted remote host certi...

Page 203: ...ertificate owner is located You may use any character including spaces but the P 660HWP Dx drops trailing spaces Key Length Select a number from the drop down list box to determine how many bits the key should use 512 to 2048 The longer the key the more secure it is A longer key also uses more PKI storage space Enrollment Options These radio buttons deal with how and when the certificate is to be ...

Page 204: ...a TCP based enrollment protocol that was developed by VeriSign and Cisco Certificate Management Protocol CMP is a TCP based enrollment protocol that was developed by the Public Key Infrastructure X 509 working group of the Internet Engineering Task Force IETF and is specified in RFC 2510 CA Server Address Enter the IP address or URL of the certification authority server CA Certificate Select the c...

Page 205: ... X 509 certificate into a printable form Binary PKCS 7 This is a standard that defines the general syntax for data including digital signatures that may be encrypted The P 660HWP Dx currently allows the importation of a PKS 7 file that contains a single certificate PEM Base 64 encoded PKCS 7 This Privacy Enhanced Mail PEM format uses 64 ASCII characters to convert a binary PKCS 7 certificate into ...

Page 206: ...ct This field displays identifying information about the certificate s owner such as CN Common Name OU Organizational Unit or department O Organization or company and C Country It is recommended that each certificate have unique subject information Issuer This field displays identifying information about the certificate s issuing certification authority such as a common name organizational unit or...

Page 207: ... icon to open a screen with an in depth list of information about the certificate Use the export icon to save the certificate to a computer Click the icon and then Save in the File Download screen The Save As screen opens browse to the location that you want to use and click Save Click the delete icon to remove the certificate A window displays asking you to confirm that you want to delete the cer...

Page 208: ...gned means that a Certification Authority signed the certificate Self signed means that the certificate s owner signed the certificate not a certification authority X 509 means that this certificate was created and signed according to the ITU T X 509 recommendation that defines the formats for public key certificates Version This field displays the X 509 version number Serial Number This field dis...

Page 209: ...o displays the domain names or IP addresses of the servers MD5 Fingerprint This is the certificate s message digest that the P 660HWP Dx calculated using the MD5 algorithm You can use this value to verify with the certification authority over the phone for example that this is actually their certificate SHA1 Fingerprint This is the certificate s message digest that the P 660HWP Dx calculated using...

Page 210: ...ate that is signed by one of the certification authorities on the Trusted CAs screen since the P 660HWP Dx automatically accepts any valid certificate signed by a trusted certification authority as being trustworthy Figure 121 Security Certificates Trusted Remote Hosts Table 77 Security Certificates Trusted CAs Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload ...

Page 211: ...ertificates This field displays the certificate index number The certificates are listed in alphabetical order Name This field displays the name used to identify this certificate Subject This field displays identifying information about the certificate s owner such as CN Common Name OU Organizational Unit or department O Organization or company and C Country It is recommended that each certificate...

Page 212: ...sts screen Click the details icon to open the Trusted Remote Host Details screen You can use this screen to view in depth information about the trusted remote host s certificate and or change the certificate s name Table 79 Security Certificates Trusted Remote Hosts Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it Brows...

Page 213: ...s issuing certification authority For a trusted host the list consists of the end entity s own certificate and the default self signed certificate that the P 660HWP Dx uses to sign remote host certificates Refresh Click Refresh to display the certification path Certificate Information These read only fields display detailed information about the certificate Type This field displays general informa...

Page 214: ... authority s certificate and Path Length Constraint 1 means that there can only be one certification authority in the certificate s path MD5 Fingerprint This is the certificate s message digest that the P 660HWP Dx calculated using the MD5 algorithm The P 660HWP Dx uses one of its own self signed certificates to sign the imported trusted remote host certificates This changes the fingerprint value ...

Page 215: ...n about a directory server that the P 660HWP Dx can access Table 81 Security Certificates Directory Servers LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the P 660HWP Dx s PKI storage space that is currently in use When the storage space is almost full you should consider deleting expired or unnecessary certificates before adding more certificates The index number ...

Page 216: ... dotted decimal notation or the domain name of the directory server Server Port This field displays the default server port number of the protocol that you select in the Access Protocol field You may change the server port number if needed however you must use the same server port number that the directory server uses 389 is the default server port number for LDAP Login Setting Login The P 660HWP ...

Page 217: ...35 PART V Advanced Static Route 219 Bandwidth Management 223 Dynamic DNS Setup 235 Remote Management Configuration 239 Universal Plug and Play UPnP 251 ...

Page 218: ...36 ...

Page 219: ...tance the P 660HWP Dx knows about network N2 in the following figure through remote node Router 1 However the P 660HWP Dx is unable to route a packet to network N3 because it doesn t know that there is a route through the same remote node Router 1 via gateway Router 2 The static routes are for you to tell the P 660HWP Dx about the networks beyond the remote nodes Figure 126 Example of Static Routi...

Page 220: ... check box Name This is the name that describes or identifies this route Destination This parameter specifies the IP network address of the final destination Routing is always based on network number Gateway This is the IP address of the gateway The gateway is a router or switch on the same network segment as the device s LAN or WAN port The gateway helps forward packets to their destinations Subn...

Page 221: ...ion Routing is always based on network number If you need to specify a route to a single host use a subnet mask of 255 255 255 255 in the subnet mask field to force the network number to be identical to the host ID IP Subnet Mask Enter the IP subnet mask here Gateway IP Address Enter the IP address of the gateway The gateway is a router or switch on the same network segment as the device s LAN or ...

Page 222: ...Chapter 14 Static Route P 660HWP Dx User s Guide 38 ...

Page 223: ...raffic that comes into an interface Bandwidth management applies to all traffic flowing out of the router regardless of the traffic s source Traffic redirect or IP alias may cause LAN to LAN traffic to pass through the P 660HWP Dx and be managed by bandwidth management The sum of the bandwidth allotments that apply to any interface must be less than or equal to the speed allocated to that interfac...

Page 224: ...The P 660HWP Dx has two types of scheduler fairness based and priority based 15 5 1 Priority based Scheduler With the priority based scheduler the P 660HWP Dx forwards traffic from bandwidth classes according to the priorities that you assign to the bandwidth classes The larger a bandwidth class s priority number is the higher the priority Assign real time applications like those using audio or vi...

Page 225: ...geted or unused by the classes depending on how many bandwidth classes require more bandwidth and on their priority levels When only one class requires more bandwidth the P 660HWP Dx gives extra bandwidth to that class When multiple classes require more bandwidth the P 660HWP Dx gives the highest priority classes the available bandwidth first as much as they require if there is enough available ba...

Page 226: ...the amount of bandwidth that each class gets Suppose that all of the classes except for the administration class need more bandwidth Each class gets up to its budgeted bandwidth The administration class only uses 1024 kbps of its budgeted 2048 kbps The sales and marketing are first to get extra bandwidth because they have the highest priority 6 If they each require 1536 kbps or more of extra bandw...

Page 227: ... available bandwidth This could stop lower priority traffic from being sent The following is an example Table 88 Fairness based Allotment of Unused and Unbudgeted Bandwidth Example BANDWIDTH CLASSES AND ALLOTMENTS Root Class 10240 kbps Administration 1024 kbps Sales 3072 kbps Marketing 3072 kbps Research 3072 kbps Table 89 Bandwidth Management Priorities PRIORITY LEVELS TRAFFIC WITH A HIGHER PRIOR...

Page 228: ...l interfaces Select an interface s check box to enable bandwidth management on that interface Bandwidth management applies to all traffic flowing out of the router through the interface regardless of the traffic s source Traffic redirect or IP alias may cause LAN to LAN traffic to pass through the P 660HWP Dx and be managed by bandwidth management Active Select an interface s check box to enable b...

Page 229: ...andwidth among the bandwidth classes that require bandwidth Do not select this if you want to reserve bandwidth for traffic that does not match a bandwidth class or you want to limit the speed of this interface see the Speed field description Apply Click Apply to save your settings to the P 660HWP Dx Cancel Click Cancel to begin configuring this screen afresh Table 91 Media Bandwidth Management Su...

Page 230: ...Serv Differentiated Service Field The DSCP value determines the forwarding behavior the PHB Per Hop Behavior that each packet gets across the DiffServ network Based on the marking rule different kinds of traffic can be marked for different priorities of forwarding Resources can then be allocated according to the DSCP values and the configured policies This is the number of an individual bandwidth ...

Page 231: ... Configuration Click the Edit icon or select User Defined from the Service drop down list in the Rule Setup screen to configure a bandwidth management rule Use bandwidth rules to allocate specific amounts of bandwidth capacity bandwidth budgets to specific applications and or subnets Figure 133 Bandwidth Management Rule Configuration Table 93 Sub Classes of AF Services DIFFSERV PRIORITY LOW DROP P...

Page 232: ... the lowest priority mark will be dropped when the line is busy Filter Configuration Service This field simplifies bandwidth class configuration by allowing you to select a predefined application When you select a predefined application you do not configure the rest of the bandwidth filter fields other than enabling or disabling the filter SIP Session Initiation Protocol is a signaling protocol us...

Page 233: ...t the protocol TCP or UDP or select User defined and enter the protocol service type number 0 means any protocol number TOS Type of Service TOS defines the DS Differentiated Service field in the IP header Enter the new TOS value of the outgoing packet between 0 and 255 0 is the lowest priority TOS Mask The TOS mask is used to compare the specified or entire bits in the TOS IP header with the value...

Page 234: ...dwidth rules The gray section of the bar represents the percentage of unused bandwidth and the blue color represents the percentage of bandwidth in use The screen refreshes every few seconds Figure 134 Bandwidth Management Monitor Table 96 Bandwidth Management Monitor LABEL DESCRIPTION Monitor This section allows you to select which network to monitor You may select either a LAN WLAN or WAN After ...

Page 235: ...now your IP address First of all you need to have registered a dynamic DNS account with www dyndns org This is for people with a dynamic IP from their ISP or DHCP server that would still like to have a domain name The Dynamic DNS service provider will give you a password or key 16 1 1 DYNDNS Wildcard Enabling the wildcard feature for your host causes yourhost dyndns org to be aliased to the same I...

Page 236: ... Type the domain name assigned to your P 660HWP Dx by your Dynamic DNS provider You can specify up to two host names in the field separated by a comma User Name Type your user name Password Type the password assigned to you Enable Wildcard Option Select the check box to enable DynDNS Wildcard Enable off line option This option is available when Custom DNS is selected in the DDNS Type field Check w...

Page 237: ...P address of the NAT router that has a public IP address Note The DDNS server may not be able to detect the proper IP address if there is an HTTP proxy server between the P 660HWP Dx and the DDNS server Use specified IP Address Type the IP address of the host name s Use this if you have a static IP address Apply Click Apply to save your changes to the P 660HWP Dx Cancel Click Cancel to begin confi...

Page 238: ...Chapter 16 Dynamic DNS Setup P 660HWP Dx User s Guide 38 ...

Page 239: ...ss You may manage your P 660HWP Dx from a remote location via Internet WAN only ALL LAN and WAN LAN only Neither Disable When you choose WAN only or LAN WAN you still need to configure a firewall rule to allow access To disable remote management of a service select Disable in the corresponding Access Status field You may only have one remote management session running at a time The P 660HWP Dx aut...

Page 240: ...nagement session running at one time There is a firewall rule that blocks it 17 1 2 Remote Management and NAT When NAT is enabled Use the P 660HWP Dx s WAN IP address when configuring from the WAN Use the P 660HWP Dx s LAN IP address when configuring from the LAN 17 1 3 System Timeout There is a default system management idle timeout of five minutes three hundred seconds The P 660HWP Dx automatica...

Page 241: ...ificate that the P 660HWP Dx will use to identify itself The P 660HWP Dx is the SSL server and must always authenticate itself to the SSL client the computer which requests the HTTPS connection with the P 660HWP Dx Authenticate Client Certificates Select Authenticate Client Certificates optional to require the SSL client to authenticate itself to the P 660HWP Dx by sending the P 660HWP Dx a certif...

Page 242: ...pears as shown Table 99 Remote Management Telnet LABEL DESCRIPTION Port You may change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Access Status Select the interface s through which a computer may access the P 660HWP Dx using this service Secured Client IP A secured client is a trusted computer that is ...

Page 243: ...ly available if TCP IP is configured Table 100 Remote Management FTP LABEL DESCRIPTION Port You may change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Access Status Select the interface s through which a computer may access the P 660HWP Dx using this service Secured Client IP A secured client is a trust...

Page 244: ...nformation Base MIB is a collection of managed objects SNMP allows a manager and agents to communicate for the purpose of accessing these objects SNMP itself is a simple request response protocol based on the manager agent model The manager issues a request and the agent returns responses using the following protocol operations Get Allows the manager to retrieve an object variable from the agent G...

Page 245: ... DESCRIPTION 0 coldStart defined in RFC 1215 A trap is sent after booting power on 1 warmStart defined in RFC 1215 A trap is sent after booting software reboot 6 whyReboot defined in ZYXEL MIB A trap is sent with the reason of restart before rebooting when the system is going to restart warm start 6a For intentional reboot A trap is sent with the message System reboot by user if reboot is done int...

Page 246: ... using this service Secured Client IP A secured client is a trusted computer that is allowed to communicate with the P 660HWP Dx using this service Select All to allow any computer to access the P 660HWP Dx using this service Choose Selected to just allow the computer with the IP address that you specify to access the P 660HWP Dx using this service SNMP Configuration Get Community Enter the Get Co...

Page 247: ...ponse packet from being sent This keeps outsiders from discovering your P 660HWP Dx when unsupported ports are probed Table 103 Remote Management DNS LABEL DESCRIPTION Port The DNS service port number is 53 Access Status Select the interface s through which a computer may send DNS queries to the P 660HWP Dx Secured Client IP A secured client is a trusted computer that is allowed to send DNS querie...

Page 248: ...cation user Respond to Ping on The P 660HWP Dx will not respond to any incoming Ping requests when Disable is selected Select LAN to reply to incoming LAN Ping requests Select WAN to reply to incoming WAN Ping requests Otherwise select LAN WAN to reply to both incoming LAN and WAN Ping requests Do not respond to requests for unauthorized services Select this option to prevent hackers from finding ...

Page 249: ...ON wan tr069 All TR 069 related commands must be preceded by wan tr069 load Start configuring TR 069 on your P 660HWP Dx active 0 no 1 yes Enable disable TR 069 operation acsUrl URL Set the IP address or domain name of CNM Access username maxlength 15 Username used to authenticate the device when making a connection to CNM Access This username is set up on the server and must be provided by the CN...

Page 250: ...Chapter 17 Remote Management Configuration P 660HWP Dx User s Guide 46 ...

Page 251: ...work will appear as a separate icon Selecting the icon of a UPnP device will allow you to access the information and properties of that device 18 1 2 NAT Traversal UPnP NAT traversal automates the process of allowing an application to operate through NAT UPnP network devices can automatically configure network addressing announce their presence in the network to other UPnP devices and enable excha...

Page 252: ...UPnP to display the screen shown next See Section 18 1 on page 47 for more information Figure 145 Configuring UPnP The following table describes the fields in this screen Table 106 Configuring UPnP LABEL DESCRIPTION Active the Universal Plug and Play UPnP Feature Select this check box to activate UPnP Be aware that anyone could use a UPnP application to open the web configurator s login screen wit...

Page 253: ... Components selection box Click Details Figure 146 Add Remove Programs Windows Setup Communication 3 In the Communications window select the Universal Plug and Play check box in the Components selection box Allow UPnP to pass through Firewall Select this check box to allow traffic from UPnP enabled applications to bypass the firewall Clear this check box to have the firewall block all UPnP applica...

Page 254: ...ompted 18 3 2 Installing UPnP in Windows XP Follow the steps below to install the UPnP in Windows XP 1 Click start and Control Panel 2 Double click Network Connections 3 In the Network Connections window click Advanced in the main menu and select Optional Networking Components Figure 148 Network Connections 4 The Windows Optional Networking Components Wizard window displays Select Networking Servi...

Page 255: ...select the Universal Plug and Play check box Figure 150 Networking Services 6 Click OK to go back to the Windows Optional Networking Component Wizard window and click Next 18 4 Using UPnP in Windows XP Example This section shows you how to use the UPnP feature in Windows XP You must already have UPnP installed in Windows XP and UPnP activated on the P 660HWP Dx ...

Page 256: ... P 660HWP Dx 18 4 1 Auto discover Your UPnP enabled Network Device 1 Click start and Control Panel Double click Network Connections An icon displays under Internet Gateway 2 Right click the icon and select Properties Figure 151 Network Connections 3 In the Internet Connection Properties window click Settings to see the port mappings there were automatically created ...

Page 257: ...nd Play UPnP P 660HWP Dx User s Guide 53 Figure 152 Internet Connection Properties 4 You may edit or delete the port mappings or click Add to manually add port mappings Figure 153 Internet Connection Properties Advanced Settings ...

Page 258: ...dd When the UPnP enabled device is disconnected from your computer all port mappings will be deleted automatically 5 Select Show icon in notification area when connected option and click OK An icon displays in the system tray Figure 155 System Tray Icon 6 Double click on the icon to display your current Internet connection status ...

Page 259: ...an access the web based configurator on the P 660HWP Dx without finding out the IP address of the P 660HWP Dx first This comes helpful if you do not know the IP address of the P 660HWP Dx Follow the steps below to access the web configurator 1 Click Start and then Control Panel 2 Double click Network Connections 3 Select My Network Places under Other Places ...

Page 260: ...P Dx User s Guide 56 Figure 157 Network Connections 4 An icon with the description for each UPnP enabled device displays under Local Network 5 Right click on the icon for your P 660HWP Dx and select Invoke The web configurator login screen displays ...

Page 261: ...e 57 Figure 158 Network Connections My Network Places 6 Right click on the icon for your P 660HWP Dx and select Properties A properties window displays with basic information about the P 660HWP Dx Figure 159 Network Connections My Network Places Properties Example ...

Page 262: ...Chapter 18 Universal Plug and Play UPnP P 660HWP Dx User s Guide 58 ...

Page 263: ...35 PART VI Maintenance and Troubleshooting System 265 Logs 271 Tools 289 Diagnostic 295 Troubleshooting 297 ...

Page 264: ...36 ...

Page 265: ...indows 2000 click Start Settings Control Panel and then double click System Click the Network Identification tab and then the Properties button Note the entry for the Computer name field and enter it as the System Name In Windows XP click start My Computer View system information and then click the Computer Name tab Note the entry in the Full computer name field and enter it as the P 660HWP Dx Sys...

Page 266: ...ype how many minutes a management session can be left idle before the session times out The default is 5 minutes After it times out you have to log in with your password again Very long idle timeouts may have security risks A value of 0 means a management session never times out no matter how long it has been left idle not recommended Password User Password If you log in with the user password you...

Page 267: ...r the existing password you use to access the system for configuring advanced features New Password Type your new system password up to 30 characters Note that as you type a password the screen displays a for each character you type After you change the password use the new password to access the P 660HWP Dx Retype to Confirm Type the new password again for confirmation Apply Click Apply to save y...

Page 268: ...nd Date Setup to Manual enter the new date in this field and then click Apply Get from Time Server Select this radio button to have the P 660HWP Dx get the time and date from the time server you specified below Time Protocol Select the time service protocol that your time server uses Not all time servers support all protocols so you may have to check with your ISP network administrator or use tria...

Page 269: ...e zone is one hour ahead of GMT or UTC GMT 1 End Date Configure the day and time when Daylight Saving Time ends if you selected Enable Daylight Saving The o clock field uses the 24 hour format Here are a couple of examples Daylight Saving Time ends in the United States on the last Sunday of October Each time zone in the United States stops using Daylight Saving Time at 2 A M local time So in the U...

Page 270: ...Chapter 19 System P 660HWP Dx User s Guide 40 ...

Page 271: ...warrants more serious attention They include system errors attacks access control and attempted access to blocked web sites Some categories such as System Errors consist of both logs and alerts You may differentiate them by their color in the View Log screen Alerts display in red and logs display in black 20 2 Viewing the Logs Click Maintenance Logs to open the View Log screen Use the View Log scr...

Page 272: ...SCRIPTION Display The categories that you select in the Log Settings screen display in the drop down list box Select a category of logs to view select All Logs to view logs from all of the log categories that you selected in the Log Settings page Email Log Now Click Email Log Now to send the log screen to the e mail address specified in the Log Settings page make sure that you have first filled in...

Page 273: ...subject line of the log e mail message that the P 660HWP Dx sends Not all ZyXEL models have this field Send Log To The P 660HWP Dx sends logs to the e mail address specified in this field If this field is left blank the P 660HWP Dx does not send logs via e mail Send Alerts To Alerts are real time notifications that are sent as soon as an event such as a DoS attack system error or forbidden web acc...

Page 274: ... is Full an alert is sent when the log fills up If you select None no log messages are sent Day for Sending Log Use the drop down list box to select which day of the week to send the logs Time for Sending Log Enter the time of the day in 24 hour format for example 23 00 equals 11 00 pm to send the logs Clear log after sending mail Select the checkbox to delete all the logs after the P 660HWP Dx se...

Page 275: ...src port 00520 dest port 00520 1 02 End of Firewall Log Table 111 System Maintenance Logs LOG MESSAGE DESCRIPTION Time calibration is successful The router has adjusted its time based on information from the time server Time calibration failed The router failed to get information from the time server WAN interface gets IP s A WAN interface got a new IP address from the DHCP PPPoE PPTP or dial up s...

Page 276: ...using HTTPS protocol HTTPS login failed Someone has failed to log on to the router s web configurator interface using HTTPS protocol Table 112 System Error Logs LOG MESSAGE DESCRIPTION s exceeds the max number of session per host This attempt to create a NAT session exceeds the maximum number of NAT session table entries allowed to be created per host setNetBIOSFilter calloc error The router faile...

Page 277: ... session time out sent TCP RST The router sent a TCP reset packet when a dynamic firewall session timed out The default timeout values are as follows ICMP idle timeout 3 minutes UDP idle timeout 3 minutes TCP connection three way handshaking timeout 270 seconds TCP FIN wait timeout 2 MSL Maximum Segment Lifetime set in the TCP header TCP idle established timeout s 150 minutes TCP reset timeout 10 ...

Page 278: ...annel d call d s C01 Outgoing Call dev x ch x s The router received the setup requirements for a call call is the reference count number of the call dev is the device type 3 is for dial up 6 is for PPPoE 10 is for PPTP channel or ch is the call channel ID For example board 0 line 0 channel 0 call 3 C01 Outgoing Call dev 6 ch 0 Means the router has dialed to the PPPoE server 3 times board d line d ...

Page 279: ...responded that the web site is in the blocked category list and returned the category type s cache hit The system detected that the web site is in the blocked list from the local cache but does not know the category type s s cache hit The system detected that the web site is in blocked list from the local cache and knows the category type s Trusted Web site The web site is in a trusted domain s Wh...

Page 280: ...rewall detected an UDP teardrop attack teardrop ICMP type d code d The firewall detected an ICMP teardrop attack For type and code details see Table 127 on page 50 illegal command TCP The firewall detected a TCP illegal command attack NetBIOS TCP The firewall detected a TCP NetBIOS attack ip spoofing no routing entry TCP UDP IGMP ESP GRE OSPF The firewall classified a packet with no source routing...

Page 281: ...SA process done The phase 1 IKE SA process has been completed Duplicate requests with the same cookie The router received multiple requests from the same peer while still processing the first IKE packet from the peer IKE Negotiation is in process The router has already started negotiating with the peer for the connection but the IKE process has not finished yet No proposal chosen Phase 1 or phase ...

Page 282: ... ID contents do not match Configured Peer ID Content Configured Peer ID Content The phase 1 ID contents do not match and the configured Peer ID Content is displayed Incoming ID Content Incoming Peer ID Content The phase 1 ID contents do not match and the incoming packet s ID content is displayed Unsupported local ID Type d The phase 1 ID type is not supported by the router Build Phase 1 ID The rou...

Page 283: ... 1 hash mismatch The listed rule s IKE phase 1 hash did not match between the router and the peer Rule d Phase 1 preshared key mismatch The listed rule s IKE phase 1 pre shared key did not match between the router and the peer Rule d Tunnel built successfully The listed rule s IPSec tunnel has been built successfully Rule d Peer s public key not found The listed rule s IKE phase 1 peer s public ke...

Page 284: ...name as recorded from the LDAP server whose IP address and port are recorded in the Source field Rcvd ARL size issuer name The router received an ARL Authority Revocation List with size and issuer name as recorded from the LDAP server whose address and port are recorded in the Source field Failed to decode the received ca cert The router received a corrupted certification authority certificate fro...

Page 285: ...specific information missing 14 Not used 15 CRL is too old 16 CRL is not valid 17 CRL signature was not verified correctly 18 CRL was not found anywhere 19 CRL was not added to the cache 20 CRL decoding failed 21 CRL is not currently valid but in the future 22 CRL contains duplicate serial numbers 23 Time interval is not continuous 24 Time information not available 25 Database method failed due to...

Page 286: ...ed to queue the datagrams for output to the next network on the route to the destination network 5 Redirect 0 Redirect datagrams for the Network 1 Redirect datagrams for the Host 2 Redirect datagrams for the Type of Service and Network 3 Redirect datagrams for the Type of Service and Host 8 Echo 0 Echo message 11 Time Exceeded 0 Time to live exceeded in transit 1 Fragment reassembly time exceeded ...

Page 287: ...gured one when the router generates a syslog The facility is defined in the web MAIN MENU LOGS Log Settings page The severity is the log s syslog class The definition of messages and notes are defined in the various log charts throughout this appendix The devID is the last three characters of the MAC address of the router s LAN port The cat is the same as the category in the router s logs Table 12...

Page 288: ...Chapter 20 Logs P 660HWP Dx User s Guide 52 ...

Page 289: ...er a successful upload the system will reboot Only use firmware for your device s specific model Refer to the label on the bottom of your device Click Maintenance Tools to open the Firmware screen Follow the instructions in this screen to upload firmware to your P 660HWP Dx Figure 165 Firmware Upgrade The following table describes the labels in this screen Table 130 Firmware Upgrade LABEL DESCRIPT...

Page 290: ...tems you may see the following icon on your desktop Figure 167 Network Temporarily Disconnected After two minutes log in again and check your new firmware version in the Status screen If the upload was not successful the following screen will appear Click Return to go back to the Firmware screen Browse Click Browse to find the bin file you want to upload Remember that you must decompress compresse...

Page 291: ... Tools Configuration Backup configuration allows you to back up save the P 660HWP Dx s current configuration to a file on your computer Once your P 660HWP Dx is configured and functioning properly it is highly recommended that you back up your configuration file before making configuration changes The backup configuration file will be useful in case you need to return to your previous settings Tab...

Page 292: ...work disconnect In some operating systems you may see the following icon on your desktop Upload Restore your router to a previous configuration by uploading a previously saved configuration file from your computer Reset to FactoryDefault Settings Reset Clear all settings entered by the user and return the router to its original factory specified configuration LABEL DESCRIPTION Table 132 Maintenanc...

Page 293: ... 172 Configuration Restore Error 21 2 3 Back to Factory Defaults Pressing the RESET button in this section clears all user entered configuration information and returns the P 660HWP Dx to its factory defaults You can also press the RESET button on the rear panel to reset the factory defaults of your P 660HWP Dx Refer to the chapter about introducing the web configurator for more information on the...

Page 294: ...Chapter 21 Tools P 660HWP Dx User s Guide 40 ...

Page 295: ...gnostic Click Maintenance Diagnostic to open the screen shown next Figure 174 Diagnostic General The following table describes the fields in this screen Table 133 Diagnostic General LABEL DESCRIPTION TCP IP Address Type the IP address of a computer that you want to ping in order to test a connection Ping Click this button to ping the IP address that you entered ...

Page 296: ...s VCIs before you begin this test The P 660HWP Dx sends an OAM F5 packet to the DSLAM ATM switch and then returns it loops it back to the P 660HWP Dx The ATM loopback test is useful for troubleshooting problems with the DSLAM and ATM network DSL Line Status Click this button to view the DSL port s line operating values and line bit allocation Reset ADSL Line Click this button to reinitialize the A...

Page 297: ...are using the power adaptor or cord included with the P 660HWP Dx 3 Make sure the power adaptor or cord is connected to the P 660HWP Dx and plugged in to an appropriate power source Make sure the power source is turned on 4 Turn the P 660HWP Dx off and on 5 If the problem continues contact the vendor V One of the LEDs does not behave as expected 1 Make sure you understand the normal behavior of th...

Page 298: ... or access the Login screen in the web configurator 1 Make sure you are using the correct IP address The default IP address is 192 168 1 1 If you changed the IP address Section 6 2 1 on page 101 use the new IP address If you changed the IP address and have forgotten it see the troubleshooting suggestions for I forgot the IP address for the P 660HWP Dx 2 Check the hardware connections and make sure...

Page 299: ... entered the user name and password correctly The default password is 1234 This field is case sensitive so make sure Caps Lock is not on 2 You cannot log in to the web configurator while someone is using Telnet to access the P 660HWP Dx Log out of the P 660HWP Dx in the other session or ask the person who is logged in to log out 3 Turn the P 660HWP Dx off and on 4 If this does not work you have to...

Page 300: ... Address Translation NAT make sure that Enable SIP ALG is activated in the NAT General screen See Section 9 3 on page 146 4 Ensure STUN is turned off on your VoIP device 5 If you are using a new VoIP account contact your Internet Telephony Service Provider ITSP to ensure that it is activated V I cannot access the Internet anymore I had access to the Internet with the P 660HWP Dx but my Internet co...

Page 301: ...and see if the Link LED lights up This checks whether the P 660HWP Dx can detect the powerline adapters on your electrical circuit V I cannot access my powerline network 1 Make sure that the devices on your network are all on the same electrical wire 2 Check also that the network does not extend past the power meter Powerline signals cannot pass this 3 Make sure that all the powerline adapters you...

Page 302: ...Chapter 23 Troubleshooting P 660HWP Dx User s Guide 40 4 Avoid wiring that is old low quality or with a long wiring path as this may affect the quality of your powerline signal ...

Page 303: ... LANs 311 Internal SPTGEN 325 Setting up Your Computer s IP Address 341 IP Subnetting 357 Command Interpreter 365 Firewall Commands 369 Pop up Windows JavaScripts and Java Permissions 375 NetBIOS Filter Commands 381 Triangle Route 383 Legal Information 385 Customer Support 389 Index 395 ...

Page 304: ...36 ...

Page 305: ...ure 0º C 40º C Storage Temperature 20º 60º C Operation Humidity 20 85 RH Storage Humidity 10 90 RH Distance between the centers of the holes for wall mounting on the device s back 215 5 mm Screw size for wall mounting M4 Tap Screw Antenna The P 660HWP Dx is equipped with one 3dBi detachable antenna Table 136 Firmware Specifications FEATURE DESCRIPTION Default IP Address 192 168 1 1 Default Subnet ...

Page 306: ...HomePlug 1 0 devices but do not detect each other The range of a HomePlug AV network is 300 meters 984 feet HomePlug AV is compatible with all OSs IP Multicast IP multicast is used to send traffic to a specific group of computers The P 660HWP Dx supports versions 1 and 2 of IGMP Internet Group Management Protocol used to join multicast groups see RFC 2236 IP Alias IP alias allows you to subdivide ...

Page 307: ...is is done without changing the network settings such as IP address and subnet mask of the computer Traffic Redirect Traffic redirect forwards WAN traffic to a backup gateway when the P 660HWP Dx cannot connect to the Internet thus acting as an auxiliary if your regular WAN connection fails Triple Play The P 660HWP Dx is capable of simultaneously transferring data voice and video over the Internet...

Page 308: ...l version 2 RFC 1483 Multiprotocol Encapsulation over ATM Adaptation Layer 5 RFC 1631 IP Network Address Translator NAT RFC 1661 The Point to Point Protocol PPP RFC 1723 RIP 2 Routing Information Protocol RFC 1994 PPP Challenge Handshake Authentication Protocol CHAP RFC 2236 Internet Group Management Protocol Version 2 RFC 2364 PPP over AAL5 PPP over ATM over ADSL RFC 2408 Internet Security Associ...

Page 309: ...back of the P 660HWP Dx with the screws on the wall Hang the P 660HWP Dx on the screws IEEE 802 1x Port Based Network Access Control ANSI T1 413 Issue 2 Asymmetric Digital Subscriber Line ADSL standard G dmt G 992 1 G 992 1 Asymmetrical Digital Subscriber Line ADSL Transceivers ITU G 992 1 G DMT ITU standard for ADSL using discrete multitone modulation ITU G 992 3 G dmt bis ITU standard also refer...

Page 310: ...all Mounting P 660HWP Dx User s Guide 40 Figure 176 Wall mounting Example The following are dimensions of an M4 tap screw and masonry plug used for wall mounting All measurements are in millimeters mm Figure 177 Masonry Plug and M4 Tap Screw ...

Page 311: ...pendent Basic Service Set IBSS The following diagram shows an example of notebook computers using wireless adapters to form an ad hoc wireless LAN Figure 178 Peer to Peer Communication in an Ad hoc Network BSS A Basic Service Set BSS exists when all communications between wireless clients or between a wireless client and a wired network client go through one access point AP Intra BSS traffic is tr...

Page 312: ...ired connection between APs is called a Distribution System DS This type of wireless LAN topology is called an Infrastructure WLAN The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood An ESSID ESS IDentification uniquely identifies each ESS All access points and their associated wireless clients within the s...

Page 313: ... overlap however To avoid interference due to overlap your AP should be on a channel at least five channels away from a channel that an adjacent AP is using For example if your region has 11 channels and an adjacent AP is using channel 1 then you need to select a channel between 6 or 11 RTS CTS A hidden node occurs when two stations are within range of the same access point but are not within rang...

Page 314: ...requested transmission Stations can send frames smaller than the specified RTS CTS directly to the AP without the RTS Request To Send CTS Clear to Send handshake You should only configure RTS CTS if the possibility of hidden nodes exists on your network and the cost of resending large frames is more than the extra network overhead involved in the RTS Request To Send CTS Clear to Send handshake If ...

Page 315: ...t and to provide more efficient communications Select Dynamic to have the AP automatically use short preamble when wireless adapters support it otherwise the AP uses long preamble The AP and the wireless adapters MUST use the same preamble mode in order to communicate IEEE 802 11g Wireless LAN IEEE 802 11g is fully compatible with the IEEE 802 11b standard This means an IEEE 802 11b adapter can in...

Page 316: ...ntages of IEEE 802 1x are User based identification that allows for roaming Support for RADIUS Remote Authentication Dial In User Service RFC 2138 2139 for centralized user profile and accounting management on a network RADIUS server Support for EAP Extensible Authentication Protocol RFC 2486 that allows additional authentication methods to be deployed with no changes to the access point or the wi...

Page 317: ...nt and the RADIUS server for user accounting Accounting Request Sent by the access point requesting accounting Accounting Response Sent by the RADIUS server to indicate that it has started or stopped accounting In order to ensure network security the access point and the RADIUS server use a shared secret key which is a password they both know The key is not sent over the network In addition to the...

Page 318: ...wireless clients for mutual authentication The server presents a certificate to the client After validating the identity of the server the client sends a different certificate to the server The exchange of certificates is done in the open before a secured tunnel is created This makes user identity vulnerable to passive attacks A digital certificate is an electronic ID card that authenticates the s...

Page 319: ...stronger encryption authentication and key management than WPA Key differences between WPA or WPA2 and WEP are improved data encryption and user authentication If both an AP and the wireless clients support WPA2 and you have an external RADIUS server use WPA2 for stronger data encryption If you don t have an external RADIUS server you should use WPA2 PSK WPA2 Pre Shared Key that only requires a si...

Page 320: ... with and the packet is dropped By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism MIC with TKIP and AES it is more difficult to decrypt data on a Wi Fi network than WEP and difficult for an intruder to break into the network The encryption mechanisms used for WPA 2 and WPA 2 PSK are the same The only difference between the two is that W...

Page 321: ...thentication request to the RADIUS server 2 The RADIUS server then checks the user s identification against its database and grants or denies network access accordingly 3 The RADIUS server distributes a Pairwise Master Key PMK key to the AP that then sets up a key hierarchy and management system using the pair wise key to dynamically generate unique data encryption keys to encrypt every data packe...

Page 322: ...RF signals onto air A transmitter within a wireless device sends an RF signal to the antenna which propagates the signal through the air The antenna also operates in reverse by capturing RF signals from the air Table 142 Wireless Security Relational Matrix AUTHENTICATION METHOD KEY MANAGEMENT PROTOCOL ENCRYPTIO N METHOD ENTER MANUAL KEY IEEE 802 1X Open None No Disable Enable without Dynamic WEP K...

Page 323: ... isotropic antenna An isotropic antenna is a theoretical perfect antenna that sends out radio signals equally well in all directions dBi represents the true gain that the antenna provides Types of Antennas for WLAN There are two types of antennas used for wireless LAN applications Omni directional antennas send the RF signal out in all directions on a horizontal plane The coverage area is torus sh...

Page 324: ...so on point the antenna up For omni directional antennas mounted on a wall or ceiling point the antenna down For a single AP application place omni directional antennas as close to the center of the coverage area as possible For directional antennas point the antenna in the direction of the desired coverage area ...

Page 325: ...ou can use FTP to get the Internal SPTGEN file Then edit the file in a text editor and use FTP to upload it again to the same device or another one See the following sections for details The Configuration Text File Format All Internal SPTGEN text files conform to the following format field identification number field name parameter values allowed input where input is your input conforming to param...

Page 326: ...you enter a value other than 0 or 1 in the Input column of Field Identification Number 1000000 refer to Figure 184 on page 35 Figure 185 Invalid Parameter Entered Command Line Example The P 660HWP Dx will display the following if you enter parameter s that are valid Figure 186 Valid Parameter Entered Command Line Example Internal SPTGEN FTP Download Example 1 Launch your FTP application 2 Enter bi...

Page 327: ...r computer to the P 660HWP Dx using the put command computer to the P 660HWP Dx 4 Exit this FTP application Figure 188 Internal SPTGEN FTP Upload Example c ftp 192 168 1 1 220 PPP FTP version 1 0 ready at Sat Jan 1 03 22 12 2000 User 192 168 1 1 none 331 Enter PASS command Password 230 Logged in ftp bin 200 Type I OK ftp get rom t ftp bye c edit rom t edit the rom t text file by a text editor and ...

Page 328: ... Route IP 0 No 1 Yes 1 10000006 Bridge 0 No 1 Yes 0 Table 145 Menu 3 Menu 3 1 General Ethernet Setup FIN FN PVA INPUT 30100001 Input Protocol filters Set 1 2 30100002 Input Protocol filters Set 2 256 30100003 Input Protocol filters Set 3 256 30100004 Input Protocol filters Set 4 256 30100005 Input device filters Set 1 256 30100006 Input device filters Set 2 256 30100007 Input device filters Set 3 ...

Page 329: ... None 1 Both 2 In Only 3 Out Only 0 30200011 Version 0 Rip 1 1 Rip 2B 2 Rip 2M 0 30200012 Multicast 0 IGMP v2 1 IGMP v1 2 None 2 30200013 IP Policies Set 1 1 12 256 30200014 IP Policies Set 2 1 12 256 30200015 IP Policies Set 3 1 12 256 30200016 IP Policies Set 4 1 12 256 Menu 3 2 1 IP Alias Setup FIN FN PVA INPUT 30201001 IP Alias 1 0 No 1 Yes 0 30201002 IP Address 0 0 0 0 30201003 IP Subnet Mask...

Page 330: ...1017 RIP Direction 0 None 1 Both 2 In Only 3 Out Only 0 30201018 Version 0 Rip 1 1 Rip 2B 2 Rip 2M 0 30201019 IP Alias 2 Incoming protocol filters Set 1 256 30201020 IP Alias 2 Incoming protocol filters Set 2 256 30201021 IP Alias 2 Incoming protocol filters Set 3 256 30201022 IP Alias 2 Incoming protocol filters Set 4 256 30201023 IP Alias 2 Outgoing protocol filters Set 1 256 30201024 IP Alias 2...

Page 331: ...e IP address 0 0 0 0 40000015 Remote IP subnet mask 0 40000016 ISP incoming protocol filter set 1 6 40000017 ISP incoming protocol filter set 2 256 40000018 ISP incoming protocol filter set 3 256 40000019 ISP incoming protocol filter set 4 256 40000020 ISP outgoing protocol filter set 1 256 40000021 ISP outgoing protocol filter set 2 256 40000022 ISP outgoing protocol filter set 3 256 40000023 ISP...

Page 332: ... Route set 1 Gateway 0 0 0 0 120101006 IP Static Route set 1 Metric 0 120101007 IP Static Route set 1 Private 0 No 1 Yes 0 Menu 12 1 2 IP Static Route Setup FIN FN PVA INPUT 120108001 IP Static Route set 8 Name Str 120108002 IP Static Route set 8 Active 0 No 1 Yes 0 120108003 IP Static Route set 8 Destination IP address 0 0 0 0 120108004 IP Static Route set 8 Destination IP subnetmask 0 120108005 ...

Page 333: ...0 All 6 TCP 17 U DP 0 150000019 SUA Server 5 Port Start 0 150000020 SUA Server 5 Port End 0 150000021 SUA Server 5 Local IP address 0 0 0 0 150000022 SUA Server 6 Active 0 No 1 Yes 0 0 150000023 SUA Server 6 Protocol 0 All 6 TCP 17 U DP 0 150000024 SUA Server 6 Port Start 0 150000025 SUA Server 6 Port End 0 150000026 SUA Server 6 Local IP address 0 0 0 0 150000027 SUA Server 7 Active 0 No 1 Yes 0 ...

Page 334: ... 0 150000052 SUA Server 12 Active 0 No 1 Yes 0 150000053 SUA Server 12 Protocol 0 All 6 TCP 17 U DP 0 150000054 SUA Server 12 Port Start 0 150000055 SUA Server 12 Port End 0 150000056 SUA Server 12 Local IP address 0 0 0 0 Table 148 Menu 15 SUA Server Setup continued Table 149 Menu 21 1 Filter Set 1 Menu 21 Filter set 1 FIN FN PVA INPUT 210100001 Filter Set 1 Name Str Menu 21 1 1 1 set 1 rule 1 FI...

Page 335: ...Rule 2 Dest IP address 0 0 0 0 210102005 IP Filter Set 1 Rule 2 Dest Subnet Mask 0 210102006 IP Filter Set 1 Rule 2 Dest Port 138 210102007 IP Filter Set 1 Rule 2 Dest Port Comp 0 none 1 equal 2 not equal 3 less 4 greater 1 210102008 IP Filter Set 1 Rule 2 Src IP address 0 0 0 0 210102009 IP Filter Set 1 Rule 2 Src Subnet Mask 0 210102010 IP Filter Set 1 Rule 2 Src Port 0 210102011 IP Filter Set 1...

Page 336: ... 1 Src Port 0 210201011 IP Filter Set 2 Rule 1 Src Port Comp 0 none 1 equal 2 not equal 3 less 4 g reater 0 210201013 IP Filter Set 2 Rule 1 Act Match 1 check next 2 forward 3 drop 3 210201014 IP Filter Set 2 Rule 1 Act Not Match 1 check next 2 forward 3 drop 1 Menu 21 1 2 2 Filter set 2 rule 2 FIN FN PVA INPUT 210202001 IP Filter Set 2 Rule 2 Type 0 none 2 TCP IP 2 210202002 IP Filter Set 2 Rule ...

Page 337: ...1234 Menu 23 2 System security radius server FIN FN PVA INPUT 230200001 Authentication Server Configured 0 No 1 Yes 1 230200002 Authentication Server Active 0 No 1 Yes 1 230200003 Authentication Server IP Address 192 168 1 32 230200004 Authentication Server Port 1822 230200005 Authentication Server Shared Secret 111111111111 111 111111111111 1111 230200006 Accounting Server Configured 0 No 1 Yes 1...

Page 338: ... Privacy for Broadcast Multicast packets 0 TKIP 1 WEP 0 230400010 WPA Broadcast Multicast Key Update Timer 0 Table 151 Menu 23 System Menus continued Table 152 Menu 24 11 Remote Management Control Menu 24 11 Remote Management Control FIN FN PVA INPUT 241100001 TELNET Server Port 23 241100002 TELNET Server Access 0 all 1 none 2 Lan 3 Wan 0 241100003 TELNET Server Secured IP address 0 0 0 0 24110000...

Page 339: ...ted with the P 660HWP Dx s command interpreter commands Table 153 Command Examples FIN FN PVA INPUT ci command for annex a wan adsl opencmd FIN FN PVA INPUT 990000001 ADSL OPMD 0 glite 1 t1 413 2 gdmt 3 multim ode 3 ci command for annex B wan adsl opencmd FIN FN PVA INPUT 990000001 ADSL OPMD 0 etsi 1 normal 2 gdmt 3 multimo de 3 ...

Page 340: ...Appendix C Internal SPTGEN P 660HWP Dx User s Guide 50 ...

Page 341: ...a third party TCP IP application package TCP IP should already be installed on computers using Windows NT 2000 XP Macintosh OS 7 and later operating systems After the appropriate TCP IP components are installed configure the TCP IP settings in order to communicate with your network If you manually assign IP information instead of using dynamic assignment make sure that your computers have IP addre...

Page 342: ...hen click Add 3 Select the manufacturer and model of your network adapter and then click OK If you need TCP IP 1 In the Network window click Add 2 Select Protocol and then click Add 3 Select Microsoft from the list of manufacturers 4 Select TCP IP from the list of network protocols and then click OK If you need Client for Microsoft Networks 1 Click Add 2 Select Client and then click Add 3 Select M...

Page 343: ...select Obtain an IP address automatically If you have a static IP address select Specify an IP address and type your information into the IP Address and Subnet Mask fields Figure 190 Windows 95 98 Me TCP IP Properties IP Address 3 Click the DNS Configuration tab If you do not know your DNS information select Disable DNS If you know your DNS information select Enable DNS and type the information in...

Page 344: ...e the TCP IP Properties window 6 Click OK to close the Network window Insert the Windows CD if prompted 7 Turn on your P 660HWP Dx and restart your computer when prompted Verifying Settings 1 Click Start and then Run 2 In the Run window type winipcfg and then click OK to open the IP Configuration window 3 Select your network adapter You should see your computer s IP address subnet mask and default...

Page 345: ...P Dx User s Guide 39 Figure 192 Windows XP Start Menu 2 In the Control Panel double click Network Connections Network and Dial up Connections in Windows 2000 NT Figure 193 Windows XP Control Panel 3 Right click Local Area Connection and then click Properties ...

Page 346: ...b in Win XP and then click Properties Figure 195 Windows XP Local Area Connection Properties 5 The Internet Protocol TCP IP Properties window opens the General tab in Windows XP If you have a dynamic IP address click Obtain an IP address automatically If you have a static IP address click Use the following IP Address and fill in the IP address Subnet mask and Default gateway fields Click Advanced ...

Page 347: ...dd In TCP IP Address type an IP address in IP address and a subnet mask in Subnet mask and then click Add Repeat the above two steps for each IP address you want to add Configure additional default gateways in the IP Settings tab by clicking Add in Default gateways In TCP IP Gateway Address type the IP address of the default gateway in Gateway To manually configure a default metric the number of t...

Page 348: ...he General tab in Windows XP Click Obtain DNS server address automatically if you do not know your DNS server IP address es If you know your DNS server IP address es click Use the following DNS server addresses and type them in the Preferred DNS server and Alternate DNS server fields If you have previously configured DNS servers click Advanced and then the DNS tab to order them ...

Page 349: ...k Connections window Network and Dial up Connections in Windows 2000 NT 11 Turn on your P 660HWP Dx and restart your computer if prompted Verifying Settings 1 Click Start All Programs Accessories and then Command Prompt 2 In the Command Prompt window type ipconfig and then press ENTER You can also open Network Connections right click a network connection click Status and then click the Support tab...

Page 350: ...acintosh OS 8 9 Apple Menu 2 Select Ethernet built in from the Connect via list Figure 200 Macintosh OS 8 9 TCP IP 3 For dynamically assigned settings select Using DHCP Server from the Configure list 4 For statically assigned settings do the following From the Configure box select Manually ...

Page 351: ...nfiguration 7 Turn on your P 660HWP Dx and restart your computer if prompted Verifying Settings Check your TCP IP properties in the TCP IP Control Panel window Macintosh OS X 1 Click the Apple menu and click System Preferences to open the System Preferences window Figure 201 Macintosh OS X Apple Menu 2 Click Network in the icon bar Select Automatic from the Location list Select Built in Ethernet f...

Page 352: ...sk in the Subnet mask box Type the IP address of your P 660HWP Dx in the Router address box 5 Click Apply Now and close the window 6 Turn on your P 660HWP Dx and restart your computer if prompted Verifying Settings Check your TCP IP properties in the Network window Linux This section shows you how to configure your computer s TCP IP settings in Red Hat Linux 9 0 Procedure screens and file location...

Page 353: ...ow to configure your computer IP address using the KDE 1 Click the Red Hat button located on the bottom left corner select System Setting and click Network Figure 203 Red Hat 9 0 KDE Network Configuration Devices 2 Double click on the profile of the network card you wish to configure The Ethernet Device General screen displays as shown Figure 204 Red Hat 9 0 KDE Ethernet Device General ...

Page 354: ... 0 KDE Network Configuration DNS 5 Click the Devices tab 6 Click the Activate button to apply the changes The following screen displays Click Yes to save the changes in all screens Figure 206 Red Hat 9 0 KDE Network Configuration Activate 7 After the network card restart process is complete make sure the Status is Active in the Network Configuration screen Using Configuration Files Follow the step...

Page 355: ...the etc directory The following figure shows an example where two DNS server IP addresses are specified Figure 209 Red Hat 9 0 DNS Settings in resolv conf 3 After you edit and save the configuration files you must restart the network card Enter network restart in the etc rc d init d directory The following figure shows an example Figure 210 Red Hat 9 0 Restart Ethernet Card DEVICE eth0 ONBOOT yes ...

Page 356: ... root localhost ifconfig eth0 Link encap Ethernet HWaddr 00 50 BA 72 5B 44 inet addr 172 23 19 129 Bcast 172 23 19 255 Mask 255 255 255 0 UP BROADCAST RUNNING MULTICAST MTU 1500 Metric 1 RX packets 717 errors 0 dropped 0 overruns 0 frame 0 TX packets 13 errors 0 dropped 0 overruns 0 carrier 0 collisions 0 txqueuelen 100 RX bytes 730412 713 2 Kb TX bytes 1570 1 5 Kb Interrupt 10 Base address 0x1000...

Page 357: ...he first two octets make up the network number and the two remaining octets make up the host ID In a class C address the first three octets make up the network number and the last octet is the host ID The following table shows the network number and host ID arrangement for classes A B and C An IP address with host IDs of all zeros is the IP address of the network An IP address with host IDs of all...

Page 358: ...ration A subnet mask has 32 bits If a bit in the subnet mask is a 1 then the corresponding bit in the IP address is part of the network number If a bit in the subnet mask is 0 then the corresponding bit in the IP address is part of the host ID Subnet masks are expressed in dotted decimal notation just like IP addresses The natural masks for class A B and C IP addresses are as follows Subnetting Wi...

Page 359: ...derstood that the natural mask is being used Example Two Subnets As an example you have a class C address 192 168 1 0 with subnet mask of 255 255 255 0 The first three octets of the address make up the network number class C To make two networks divide the network 192 168 1 0 into two separate subnets by converting one of the host ID bits of the IP address to a network number bit The borrowed host...

Page 360: ...e first subnet Therefore the lowest IP address that can be assigned to an actual host for the first subnet is 192 168 1 1 and the highest is 192 168 1 126 Similarly the host ID range for the second subnet is 192 168 1 129 to 192 168 1 254 Table 159 Subnet 1 IP SUBNET MASK NETWORK NUMBER LAST OCTET BIT VALUE IP Address 192 168 1 0 IP Address Binary 11000000 10101000 00000001 00000000 Subnet Mask 25...

Page 361: ...dcast Address 192 168 1 63 Highest Host ID 192 168 1 62 Table 162 Subnet 2 IP SUBNET MASK NETWORK NUMBER LAST OCTET BIT VALUE IP Address 192 168 1 64 IP Address Binary 11000000 10101000 00000001 01000000 Subnet Mask Binary 11111111 11111111 11111111 11000000 Subnet Address 192 168 1 64 Lowest Host ID 192 168 1 65 Broadcast Address 192 168 1 127 Highest Host ID 192 168 1 126 Table 163 Subnet 3 IP S...

Page 362: ...ctets see Table 154 on page 35 available for subnetting The following table is a summary for class B subnet planning Table 165 Eight Subnets SUBNET SUBNET ADDRESS FIRST ADDRESS LAST ADDRESS BROADCAST ADDRESS 1 0 1 30 31 2 32 33 62 63 3 64 65 94 95 4 96 97 126 127 5 128 129 158 159 6 160 161 190 191 7 192 193 222 223 8 224 225 254 255 Table 166 Class C Subnet Planning NO BORROWED HOST BITS SUBNET M...

Page 363: ...3 128 510 8 255 255 255 0 24 256 254 9 255 255 255 128 25 512 126 10 255 255 255 192 26 1024 62 11 255 255 255 224 27 2048 30 12 255 255 255 240 28 4096 14 13 255 255 255 248 29 8192 6 14 255 255 255 252 30 16384 2 15 255 255 255 254 31 32768 1 Table 167 Class B Subnet Planning continued NO BORROWED HOST BITS SUBNET MASK NO SUBNETS NO HOSTS PER SUBNET ...

Page 364: ...Appendix E IP Subnetting P 660HWP Dx User s Guide 42 ...

Page 365: ...e same subnet In Windows click Start usually in the bottom left corner Run and then type telnet 192 168 1 1 the default P 660HWP Dx IP address and click OK 3 A login screen displays Enter the default admin password 1234 Command Syntax The command keywords are in courier new font Enter the command keywords exactly as shown do not abbreviate The required fields in a command are enclosed in angle bra...

Page 366: ...og Parameters Example 4 Use sys logs category followed by a log category and a parameter to decide what to record Use 0 to not record logs for that category 1 to record only logs for that category 2 to record only alerts for that category and 3 to record both logs and alerts for that category Not every parameter is available with every category 5 Use the sys logs save command to store the settings...

Page 367: ...gs display access time source destination notes message 0 06 08 2004 05 58 21 172 21 4 154 224 0 1 24 ACCESS BLOCK Firewall default policy IGMP W to W 1 06 08 2004 05 58 20 172 21 3 56 239 255 255 250 ACCESS BLOCK Firewall default policy IGMP W to W 2 06 08 2004 05 58 20 172 21 0 2 239 255 255 254 ACCESS BLOCK Firewall default policy IGMP W to W 3 06 08 2004 05 58 20 172 21 3 191 224 0 1 22 ACCESS...

Page 368: ...Appendix F Command Interpreter P 660HWP Dx User s Guide 38 ...

Page 369: ... of all the firewall settings including e mail attack and the sets rules config display firewall set set This command shows the current configuration of a set including timeout values name default permit and etc If you don t put use a number after set information about all of the sets rules appears config display firewall set set rule rule This command shows the current entries of a rule in a fire...

Page 370: ...e mail hour 0 23 This command sets the hour when the firewall log is sent through e mail if the P 660HWP Dx is set to send it on an hourly daily or weekly basis config edit firewall e mail minute 0 59 This command sets the minute of the hour for the firewall log to be sent via e mail if the P 660HWP Dx is set to send it on a hourly daily or weekly basis Attack config edit firewall attack send aler...

Page 371: ...h the same destination where the P 660HWP Dx starts dropping half open sessions to that destination Sets config edit firewall set set name desired name This command sets a name to identify a specified set Config edit firewall set set default permit forward block This command sets whether a packet is dropped or allowed through when it does not meet a rule within the set Config edit firewall set set...

Page 372: ...ICMP Config edit firewall set set rule rule log none match not match both This command sets the P 660HWP Dx to log traffic that matches the rule doesn t match both or neither Config edit firewall set set rule rule alert yes no This command sets whether or not the P 660HWP Dx sends an alert e mail when a DOS attack or a violation of a particular rule occurs config edit firewall set set rule rule sr...

Page 373: ...and to enter various non consecutive port numbers config edit firewall set set rule rule TCP destport range start port end port This command sets a rule to have the P 660HWP Dx check for TCP traffic with a destination port in this range config edit firewall set set rule rule UDP destport single port This command sets a rule to have the P 660HWP Dx check for UDP traffic with this destination addres...

Page 374: ...ll Commands P 660HWP Dx User s Guide 40 config delete firewall set set rule rule This command removes the specified rule in a firewall configuration set Table 168 Firewall Commands continued FUNCTION COMMAND DESCRIPTION ...

Page 375: ...rnet Explorer Pop up Blockers You may have to disable pop up blocking to log into your device Either disable pop up blocking enabled by default in Windows XP SP Service Pack 2 or allow pop up blocking and create an exception for your device s IP address Disable pop up Blockers 1 In Internet Explorer select Tools Pop up Blocker and then select Turn Off Pop up Blocker Figure 214 Pop up Blocker You c...

Page 376: ... web pop up blockers you may have enabled Figure 215 Internet Options Privacy 3 Click Apply to save this setting Enable pop up Blockers with Exceptions Alternatively if you only want to allow pop up windows from your device see the following steps 1 In Internet Explorer select Tools Internet Options and then the Privacy tab 2 Select Settings to open the Pop up Blocker Settings screen ...

Page 377: ...uide 37 Figure 216 Internet Options Privacy 3 Type the IP address of your device the web page that you do not want to have blocked with the prefix http For example http 192 168 167 1 4 Click Add to move the IP address to the list of Allowed sites Figure 217 Pop up Blocker Settings ...

Page 378: ...play properly in Internet Explorer check that JavaScripts are allowed 1 In Internet Explorer click Tools Internet Options and then the Security tab Figure 218 Internet Options Security 2 Click the Custom Level button 3 Scroll down to Scripting 4 Under Active scripting make sure that Enable is selected the default 5 Under Scripting of Java applets make sure that Enable is selected the default 6 Cli...

Page 379: ...tings Java Scripting Java Permissions 1 From Internet Explorer click Tools Internet Options and then the Security tab 2 Click the Custom Level button 3 Scroll down to Microsoft VM 4 Under Java permissions make sure that a safety level is selected 5 Click OK to close the window Figure 220 Security Settings Java ...

Page 380: ...a Permissions P 660HWP Dx User s Guide 40 JAVA Sun 1 From Internet Explorer click Tools Internet Options and then the Advanced tab 2 Make sure that Use Java 2 for applet under Java Sun is selected 3 Click OK to close the window Figure 221 Java Sun ...

Page 381: ... configure NetBIOS filters to do the following Allow or disallow the sending of NetBIOS packets from the LAN to the WAN and from the WAN to the LAN Allow or disallow the sending of NetBIOS packets through VPN connections Allow or disallow NetBIOS packets to initiate calls Display NetBIOS Filter Settings This command gives a read only list of the current NetBIOS filter modes for The P 660HWP Dx Net...

Page 382: ... initiating calls Disabled type Identify which NetBIOS filter numbered 0 3 to configure 0 Between LAN and WAN 3 IPSec packet pass through 4 Trigger Dial on off For type 0 and 1 use on to enable the filter and block NetBIOS packets Use off to disable the filter and forward NetBIOS packets For type 3 use on to block NetBIOS packets from being sent through a VPN connection Use off to allow NetBIOS pa...

Page 383: ... Ethernet devices Some companies have more than one route to one or more ISPs If the alternate gateway is on the LAN and it s IP address is in the same subnet the triangle route problem may occur The steps below describe the triangle route problem 1 A computer on the LAN initiates a connection by sending out a SYN packet to a receiving server on the WAN 2 The P 660HWP Dx reroutes the SYN packet th...

Page 384: ...cal LAN interfaces with the P 660HWP Dx being the gateway for each logical network By putting your LAN and Gateway B in different subnets all returning network traffic must pass through the P 660HWP Dx to your LAN The following steps describe such a scenario 1 A computer on the LAN initiates a connection by sending a SYN packet to a receiving server on the WAN 2 The P 660HWP Dx reroutes the packet...

Page 385: ...ice Trademarks ZyNOS ZyXEL Network Operating System is a registered trademark of ZyXEL Communications Inc Other trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners Certifications Federal Communications Commission FCC Interference Statement The device complies with Part 15 of FCC rules Operation is subject to the follow...

Page 386: ...1 To comply with FCC RF exposure compliance requirements a separation distance of at least 20 cm must be maintained between the antenna of this device and all persons 注意依據低功率電波輻射性電機管理辦法第十二條經型式認證合格之低功率射頻電機非經許可公司商號或使用者均不得擅自變更頻率加大功率或變更原設計之特性及功能第十四條低功率射頻電機之使用不得影響飛航安全及干擾合法通信經發現有干擾現象時應立即停用並改善至無干擾時方得繼續使用前項合法通信指依電信規定作業之無線電信低功率射頻電機須忍受合法通信或工業科學及醫療用電波輻射性電機設備之干擾本機限在不干擾合法電臺與不受被干擾保障條件下於室內使用...

Page 387: ...lacement as provided under this warranty is the exclusive remedy of the purchaser This warranty is in lieu of all other warranties express or implied including any implied warranty of merchantability or fitness for a particular use or purpose ZyXEL shall in no event be held liable for indirect or consequential damages of any kind to the purchaser To obtain the services of this warranty contact ZyX...

Page 388: ...Appendix K Legal Information P 660HWP Dx User s Guide 38 ...

Page 389: ...mail support zyxel com tw Sales E mail sales zyxel com tw Telephone 886 3 578 3942 Fax 886 3 578 2439 Web www zyxel com www europe zyxel com FTP ftp zyxel com ftp europe zyxel com Regular Mail ZyXEL Communications Corp 6 Innovation Road II Science Park Hsinchu 300 Taiwan Costa Rica Support E mail soporte zyxel co cr Sales E mail sales zyxel co cr Telephone 506 2017878 Fax 506 2015098 Web www zyxel...

Page 390: ...8448 Web www zyxel fi Regular Mail ZyXEL Communications Oy Malminkaari 10 00700 Helsinki Finland France E mail info zyxel fr Telephone 33 4 72 52 97 97 Fax 33 4 72 52 19 20 Web www zyxel fr Regular Mail ZyXEL France 1 rue des Vergers Bat 1 C 69760 Limonest France Germany Support E mail support zyxel de Sales E mail sales zyxel de Telephone 49 2405 6909 69 Fax 49 2405 6909 99 Web www zyxel de Regul...

Page 391: ...nagawa ku Tokyo 141 0022 Japan Kazakhstan Support http zyxel kz support Sales E mail sales zyxel kz Telephone 7 3272 590 698 Fax 7 3272 590 689 Web www zyxel kz Regular Mail ZyXEL Kazakhstan 43 Dostyk Ave Office 414 Dostyk Business Centre 050010 Almaty Republic of Kazakhstan Malaysia Support E mail support zyxel com my Sales E mail sales zyxel com my Telephone 603 8076 9933 Fax 603 8076 9833 Web h...

Page 392: ...Okrzei 1A 03 715 Warszawa Poland Russia Support http zyxel ru support Sales E mail sales zyxel ru Telephone 7 095 542 89 29 Fax 7 095 542 89 25 Web www zyxel ru Regular Mail ZyXEL Russia Ostrovityanova 37a Str Moscow 117279 Russia Singapore Support E mail support zyxel com sg Sales E mail sales zyxel com sg Telephone 65 6899 6678 Fax 65 6899 8887 Web http www zyxel com sg Regular Mail ZyXEL Singap...

Page 393: ...il ZyXEL Thailand Co Ltd 1 1 Moo 2 Ratchaphruk Road Bangrak Noi Muang Nonthaburi 11000 Thailand Ukraine Support E mail support ua zyxel com Sales E mail sales ua zyxel com Telephone 380 44 247 69 78 Fax 380 44 494 49 32 Web www ua zyxel com Regular Mail ZyXEL Ukraine 13 Pimonenko Str Kiev 04050 Ukraine United Kingdom Support E mail support zyxel co uk Sales E mail sales zyxel co uk Telephone 44 13...

Page 394: ...Appendix L Customer Support P 660HWP Dx User s Guide 40 ...

Page 395: ... test 296 attack alert 188 attack types 162 attacks 271 auxiliary gateway 307 B backup gateway 307 backup settings 291 backup type 96 bandwidth 73 budget 230 bandwidth management 73 223 bandwidth manager class configuration 229 monitor 234 summary 228 Basic Service Set See BSS 311 Basic wireless security 70 blocking time 187 brute force attack 161 BSS 311 C CA 195 318 CBR 89 94 Certificate Authori...

Page 396: ... Access Multiplexer see DSLAM dimensions 305 disclaimer 385 DNS 100 246 domain name 100 148 265 266 Domain Name System see DNS DoS 158 159 187 basics 159 types 160 downstream 35 36 DS Field 230 DS field 230 DSCPs 230 DSL reinitialize 296 DSLAM 35 dynamic DNS 235 dynamic WEP key exchange 319 DYNDNS wildcard 235 E EAP Authentication 317 ECHO 148 E Mail 133 e mail 73 log example 274 Encapsulated Rout...

Page 397: ...IANA 101 102 178 IBSS 311 ICMP 161 185 ICMP echo 161 IEEE 802 11g 315 IGMP 102 103 Independent Basic Service Set See IBSS 311 initialization vector IV 320 Integrated Services Digital Network see ISDN internal SPTGEN 325 FTP upload example 327 points to remember 326 text file 325 Internet access 36 59 wizard setup 59 Internet Assigned Numbers Authority see IANA 101 Internet Control Message Protocol...

Page 398: ... 145 mode 147 what it does 144 NAT traversal 251 navigating the web configurator 46 NetBIOS 381 commands 162 Network Address Translation see NAT Network Basic Input Output System see NetBIOS network disconnect icon 290 292 network management 148 NMK changing 136 NNTP 148 O one minute high 187 one minute low 187 P packet filtering 167 when to use 167 packet filtering firewalls 157 Pairwise Master K...

Page 399: ...warnings 6 save settings 291 saving the state 162 scheduler 224 fairness based 225 priority based 224 SCR 85 89 94 screws 309 security general 166 ramifications 170 Server 146 server 145 146 268 service 171 service set 116 Service Set IDentity See SSID service type 179 services 148 settings backup 291 defaults 291 restore 292 setup general 265 Single User Account see SUA SIP ALG 146 SIP applicatio...

Page 400: ... UBR UPnP 251 application 251 Forum 252 security issues 251 UPnP installation 253 Windows Me 253 Windows XP 254 upper layer protocols 164 165 upstream 35 36 user authentication 114 local user database 114 RADIUS server 114 weaknesses 114 user name 236 V Vantage CNM Access 307 Variable Bit Rate see VBR VBR 89 94 VC 82 VC based multiplexing 82 VCI 83 Virtual Channel Identifier see VCI virtual circui...

Page 401: ... pre authentication 320 user authentication 320 vs WPA PSK 320 wireless client supplicant 321 with RADIUS application example 321 WPA compatibility 115 WPA2 319 user authentication 320 vs WPA2 PSK 320 wireless client supplicant 321 with RADIUS application example 321 WPA2 Pre Shared Key 319 WPA2 PSK 319 320 application example 321 WPA PSK 319 320 application example 321 WWW 133 Z zero configuratio...

Page 402: ...Index P 660HWP Dx User s Guide 42 ...

Reviews:

No comments

Related manuals for 802.11g HomePlug AV ADSL2+ Gateway P-660HWP-Dx

Brand: ECKELMANN Pages: 34

Brand: IFM Electronic Pages: 9

ShareLink 200 N

Brand: Extron electronics Pages: 45

Brand: THOMSON Pages: 4

Brand: Grandstream Networks Pages: 54

Brand: Gree Pages: 31

Brand: Profibus Pages: 42

PowerConnect J-SRX240

Brand: Dell Pages: 160

PowerConnect J-SRX210

Brand: Dell Pages: 182

Dell Edge Gateway 3002

Brand: Dell Pages: 22

PowerConnect J-SRX100S

Brand: Dell Pages: 44

SonicWall SRA 1600

Brand: Dell Pages: 57

Brand: Bticino Pages: 4

Harmony Platinum 6005A

Brand: Smartenit Pages: 2

Brand: Alcatel-Lucent Pages: 4

Brand: Zoom Pages: 54

Brand: Zoom Pages: 87

Brand: 2Wire Pages: 30

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands