manualshive.com logo in svg

ZyXEL Communications P-2602HWLNI, User Manual, Page: 241 / 496

Share
Download
ZyXEL Communications P-2602HWLNI User Manual Download Page 241

 Chapter 14 Firewalls

P-2602HWLNI User’s Guide

241

If an initiation packet originates on the LAN, this means that someone is trying to make a 
connection from the LAN to the Internet. Assuming that this is an acceptable part of the 
security policy (as is the case with the default policy), the connection will be allowed. A cache 
entry is added which includes connection information such as IP addresses, TCP ports, 
sequence numbers, etc.
When the ZyXEL Device receives any subsequent packet (from the Internet or from the LAN), 
its connection information is extracted and checked against the cache. A packet is only 
allowed to pass through if it corresponds to a valid connection (that is, if it is a response to a 
connection which originated on the LAN).

14.5.4  UDP/ICMP Security

UDP and ICMP do not themselves contain any connection information (such as sequence 
numbers). However, at the very minimum, they contain an IP address pair (source and 
destination). UDP also contains port pairs, and ICMP has type and code information. All of 
this data can be analyzed in order to build "virtual connections" in the cache. 
For instance, any UDP packet that originates on the LAN will create a cache entry. Its IP 
address and port pairs will be stored. For a short period of time, UDP packets from the WAN 
that have matching IP and UDP information will be allowed back in through the firewall.
A similar situation exists for ICMP, except that the ZyXEL Device is even more restrictive. 
Specifically, only outgoing echoes will allow incoming echo replies, outgoing address mask 
requests will allow incoming address mask replies, and outgoing timestamp requests will 
allow incoming timestamp replies. No other ICMP packets are allowed in through the firewall, 
simply because they are too dangerous and contain too little tracking information. For 
instance, ICMP redirect packets are never allowed in, since they could be used to reroute 
traffic through attacking machines. 

14.5.5  Upper Layer Protocols

Some higher layer protocols (such as FTP and RealAudio) utilize multiple network 
connections simultaneously. In general terms, they usually have a "control connection" which 
is used for sending commands between endpoints, and then "data connections" which are used 
for transmitting bulk information. 
Consider the FTP protocol. A user on the LAN opens a control connection to a server on the 
Internet and requests a file. At this point, the remote server will open a data connection from 
the Internet. For FTP to work properly, this connection must be allowed to pass through even 
though a connection from the Internet would normally be rejected.
In order to achieve this, the ZyXEL Device inspects the application-level FTP data. 
Specifically, it searches for outgoing "PORT" commands, and when it sees these, it adds a 
cache entry for the anticipated data connection. This can be done safely, since the PORT 
command contains address and port information, which can be used to uniquely identify the 
connection.
Any protocol that operates in this way must be supported on a case-by-case basis. You can use 
the web configurator’s Custom Ports feature to do this.

Summary of Contents for P-2602HWLNI

Page 1: ...LNI Series 802 11g Wireless ADSL2 4 Port VoIP IAD User s Guide Version 3 40 9 2007 Edition 2 DEFAULT LOGIN IP Address http 192 168 1 1 Administrator Name admin Administrator Password admin User Name u...

Page 2: ......

Page 3: ...Configurator Online Help Embedded web help for descriptions of individual screens and supplementary information It is recommended you use the web configurator to configure the ZyXEL Device Supporting...

Page 4: ...A key stroke is denoted by square brackets and uppercase text for example ENTER means the enter or return key on your keyboard Enter means for you to type one or more characters and then press the ENT...

Page 5: ...e 5 Icons Used in Figures Figures in this User s Guide may use the following generic icons The ZyXEL Device icon is not an exact representation of your device ZyXEL Device Computer Notebook computer S...

Page 6: ...vice before servicing or disassembling Use ONLY an appropriate power adaptor or cord for your device Connect the power adaptor or cord to the right supply voltage for example 110V AC in North America...

Page 7: ...Safety Warnings P 2602HWLNI User s Guide 7...

Page 8: ...Safety Warnings P 2602HWLNI User s Guide 8...

Page 9: ...Status Screens 87 Network 99 WAN Setup 101 LAN Setup 117 Wireless LAN 129 Network Address Translation NAT Screens 155 VoIP 167 Voice 169 VoIP Trunking 211 Phone Usage 227 Security 231 Firewalls 233 F...

Page 10: ...Overview P 2602HWLNI User s Guide 10 Maintenance and Troubleshooting 373 System 375 Call History 381 Logs 387 Troubleshooting 401 Tools 407 Diagnostic 419 Product Specifications 423 Appendices and In...

Page 11: ...he ZyXEL Device 42 1 4 Applications for the ZyXEL Device 43 1 4 1 Internet Access 43 1 4 2 Making Calls via Internet Telephony Service Provider 43 1 4 3 Make Peer to peer Calls 44 1 4 4 Firewall for S...

Page 12: ...Wireless Connection Wizard Setup 71 3 3 1 Manually Assign a WPA PSK Key 74 3 3 2 Manually Assign a WEP Key 74 Chapter 4 VoIP Wizard 77 4 1 Introduction 77 4 2 VoIP Wizard Setup 77 Chapter 5 Bandwidth...

Page 13: ...nections Edit Advanced 113 7 9 Traffic Redirect 114 7 10 WAN Backup Setup 114 Chapter 8 LAN Setup 117 8 1 LAN Overview 117 8 1 1 LANs WANs and the ZyXEL Device 117 8 1 2 DHCP Setup 118 8 2 DNS Server...

Page 14: ...1 Application Priority Configuration 147 9 10 WDS Screen 148 9 10 1 Static WEP 149 9 10 2 WPA PSK 150 9 10 3 WPA2 PSK 152 Chapter 10 Network Address Translation NAT Screens 155 10 1 NAT General Overv...

Page 15: ...creen 179 11 6 SIP QoS Screen 182 11 7 Phone 183 11 7 1 PSTN Line 183 11 7 2 ISDN Line 184 11 7 3 Voice Activity Detection Silence Suppression 184 11 7 4 Comfort Noise Generation 184 11 7 5 Echo Cance...

Page 16: ...ng Scenarios 213 12 4 1 VoIP Phone To PSTN Phone 213 12 4 2 PSTN Phone To VoIP Phone 213 12 4 3 PSTN Phone To PSTN Phone via VoIP 214 12 5 Trunking General Screen 214 12 6 Trunking Peer Call Screen 21...

Page 17: ...e 235 14 4 1 Basics 235 14 4 2 Types of DoS Attacks 236 14 5 Stateful Inspection 238 14 5 1 Stateful Inspection Process 239 14 5 2 Stateful Inspection on Your ZyXEL Device 240 14 5 3 TCP Security 240...

Page 18: ...1 Content Filtering Overview 265 16 2 Configuring Keyword Blocking 265 16 3 Configuring the Schedule 266 16 4 Configuring Trusted Computers 267 Chapter 17 Introduction to IPSec 269 17 1 VPN Overview 2...

Page 19: ...8 16 Viewing SA Monitor 295 18 17 Configuring Global Setting 297 18 18 Telecommuter VPN IPSec Examples 297 18 18 1 Telecommuters Sharing One VPN Rule Example 297 18 18 2 Telecommuters Using Unique VPN...

Page 20: ...idth Management 332 21 5 Application and Subnet based Bandwidth Management 333 21 5 1 Bandwidth Management Priorities 333 21 6 Configuring Bandwidth Management General 333 21 7 Bandwidth Management Ru...

Page 21: ...e 2 Linux 357 23 15 Secure FTP Using SSH Example 358 Chapter 24 Universal Plug and Play UPnP 361 24 1 Introducing Universal Plug and Play 361 24 1 1 How do I know if I m using UPnP 361 24 1 2 NAT Trav...

Page 22: ...kup and Restore 410 29 5 1 Backup Configuration 411 29 5 2 Restore Configuration 411 29 5 3 Reset to Factory Defaults 412 29 6 Restart 413 29 7 Using FTP or TFTP to Back Up Configuration 413 29 7 1 Us...

Page 23: ...3 Voice Specifications 427 31 4 Wireless Features Wireless Devices Only 429 31 4 1 IEEE 802 11g Wireless LAN 430 31 5 Power Adaptor Specifications 431 Part VIII Appendices and Index 433 Appendix A Se...

Page 24: ...Table of Contents P 2602HWLNI User s Guide 24...

Page 25: ...s Wizard Setup ISP Parameters 67 Figure 18 Internet Connection with PPPoE 68 Figure 19 Internet Connection with RFC 1483 68 Figure 20 Internet Connection with ENET ENCAP 69 Figure 21 Internet Connecti...

Page 26: ...AN Backup Setup 115 Figure 58 LAN and WAN IP Addresses 117 Figure 59 Any IP Example 121 Figure 60 LAN IP 122 Figure 61 Advanced LAN Setup 123 Figure 62 DHCP Setup 124 Figure 63 LAN Client List 126 Fig...

Page 27: ...ough Proxy Servers 174 Figure 101 DiffServ Differentiated Service Field 177 Figure 102 SIP SIP Settings 178 Figure 103 VoIP SIP Settings Advanced 180 Figure 104 SIP QoS 183 Figure 105 Phone Analog Pho...

Page 28: ...ices 254 Figure 144 Firewall Configure Customized Services 255 Figure 145 Firewall Example Rules 256 Figure 146 Edit Custom Port Example 256 Figure 147 Firewall Example Edit Rule Destination Address 2...

Page 29: ...sed Bandwidth Management Example 332 Figure 188 Bandwidth Management General 333 Figure 189 Bandwidth Management Rule Setup 334 Figure 190 Bandwidth Management Rule Configuration 335 Figure 191 Bandwi...

Page 30: ...re 228 Call History Call History 383 Figure 229 Call History Call History Settings 384 Figure 230 View Log 388 Figure 231 Log Settings 389 Figure 232 E mail Log Example 391 Figure 233 Firmware Upgrade...

Page 31: ...ker 447 Figure 263 Internet Options Privacy 448 Figure 264 Internet Options Privacy 449 Figure 265 Pop up Blocker Settings 449 Figure 266 Internet Options Security 450 Figure 267 Security Settings Jav...

Page 32: ...List of Figures P 2602HWLNI User s Guide 32...

Page 33: ...Wizard Configuration 80 Table 16 Bandwidth Management Wizard General Information 84 Table 17 Status Screen 88 Table 18 Any IP Table 91 Table 19 WLAN Status 92 Table 20 Packet Statistics 93 Table 21 Vo...

Page 34: ...it Address Mapping Rule 165 Table 58 SIP Call Progression 173 Table 59 SIP Call Progression 174 Table 60 Custom Tones Details 176 Table 61 SIP SIP Settings 178 Table 62 VoIP SIP Settings Advanced 180...

Page 35: ...t Filter Trusted 267 Table 101 VPN and NAT 273 Table 102 AH and ESP 276 Table 103 VPN Setup 278 Table 104 VPN and NAT 280 Table 105 Local ID Type and Content Fields 282 Table 106 Peer ID Type and Cont...

Page 36: ...ote Management FTP 349 Table 141 SNMP Traps 351 Table 142 Remote Management SNMP 352 Table 143 Remote Management DNS 353 Table 144 Remote Management ICMP 354 Table 145 ADVANCED REMOTE MGMT SSH 356 Tab...

Page 37: ...dware Specifications 423 Table 184 Firmware Specifications 423 Table 185 Voice Features 427 Table 186 Wireless Features 429 Table 187 IEEE 802 11g 430 Table 188 P 2602HWL Series Power Adaptor Specific...

Page 38: ...List of Tables P 2602HWLNI User s Guide 38...

Page 39: ...39 PART I Introduction Introducing the ZyXEL Device 41 Introducing the Web Configurator 49...

Page 40: ...40...

Page 41: ...g this guide covers the following models In the ZyXEL Device product name H denotes an integrated 4 port switch hub W denotes wireless functionality There is an embedded mini PCI module for IEEE 802 1...

Page 42: ...n file that allows you to configure the device by uploading an SPTGEN file This is especially convenient if you need to configure many devices of the same type Vantage CNM Centralized Network Manageme...

Page 43: ...hown below Figure 1 Internet Access Application 1 4 1 1 Internet Single User Account For a SOHO Small Office Home Office environment your device offers the Single User Account SUA feature that allows...

Page 44: ...re shows a basic example of how you would make a peer to peer VoIP call You use your analog phone A in the figure and your device B changes the call into VoIP and sends the call through the Internet t...

Page 45: ...User s Guide 45 Figure 4 Firewall Application 1 4 5 LAN to LAN Application You can use your device to connect two geographically dispersed networks over the ADSL line A typical LAN to LAN application...

Page 46: ...ing a self test Red On Your device is not ready or there is a malfunction None Off Your device is not turned on ETHERNET 1 4 Green On Your device has a successful Ethernet connection Blinking The ZyXE...

Page 47: ...has an IP connection but no traffic Your device has a WAN IP address either static or assigned by a DHCP server PPP negotiation was successfully completed if used and the DSL connection is up Blinking...

Page 48: ...five seconds and release it The WLAN LED should flash while the device uses OTIST to send wireless settings to OTIST clients W models only To set the device back to the factory default settings press...

Page 49: ...screen resolution is 1024 by 768 pixels In order to use the web configurator you need to allow Web browser pop up windows from your device Web pop up blocking is enabled by default in Windows XP SP Se...

Page 50: ...the default password in the password field If you have changed the password enter your password and click Login 3 Follow steps from step 3 in Section 2 2 2 on page 50 The default user name and passwo...

Page 51: ...Replace Certificate Screen 5 A screen displays to let you choose whether to go to the wizard or the advanced screens Click Go to Wizard setup if you are logging in for the first time or if you want t...

Page 52: ...ZyXEL Device automatically logs you out if you do not use the web configurator for five minutes default If this happens log in again Figure 10 Wizard or Advanced Screen 2 3 Web Configurator Main Scree...

Page 53: ...on to go to the configuration wizards See Chapter 3 on page 63 for more information Logout Click this icon to log out of the web configurator Table 4 Navigation Panel Summary LINK TAB FUNCTION Status...

Page 54: ...n to set which Phone 1 and Phone 2 port settings ISDN Phone Use this screen to configure the ISDN phone port settings Common Use this screen to configure general phone port settings Ext Table Use this...

Page 55: ...lobal Setting Use this screen to allow NetBIOS traffic through VPN tunnels Certificates My Certificates Use this screen to generate and export self signed certificates or certification requests and im...

Page 56: ...eneral Use this screen to configure your device s name domain name management inactivity timeout and password Time Setting Use this screen to change your ZyXEL Device s time and date Logs View Log Use...

Page 57: ...up Wizard O O VoIP Setup Wizard O O Bandwidth Management Wizard O O System Statistics O O Network WAN Internet Access Setup O O More Connections O WAN Backup Setup O LAN IP O DHCP Setup O Client List...

Page 58: ...up O Monitor O VPN Global Setting O Certificates My Certificates O Trusted CAs O Trusted Remote Hosts O Directory Servers O Advanced Static Route Static Route O Bandwidth MGMT General O O Rule Setup O...

Page 59: ...the Status screen is displayed See Chapter 6 on page 87 for more information about the Status screen 2 3 4 Status Bar Check the status bar when you click Apply or OK to verify that the configuration...

Page 60: ...Chapter 2 Introducing the Web Configurator P 2602HWLNI User s Guide 60...

Page 61: ...61 PART II Wizards and Status Internet and Wireless Setup Wizard 63 VoIP Wizard 77 Bandwidth Management Wizard 83 Status Screens 87...

Page 62: ...62...

Page 63: ...up screens to configure your system for Internet access with the information given to you by your ISP See the advanced menu chapters for background information on these fields 3 2 Internet Access Wiza...

Page 64: ...screen appears if a connection is not detected Check your hardware connections and click Restart the Internet Wireless Setup Wizard to return to the wizard welcome screen If you still cannot connect c...

Page 65: ...unt information username password and or service name exactly as provided by your ISP Then click Next and see Section 3 3 on page 71 for wireless connection wizard setup Figure 15 Auto Detection PPPoE...

Page 66: ...2 1 Manual Configuration 1 If the ZyXEL Device fails to detect your DSL connection type but the physical line is connected enter your Internet access information in the wizard screen exactly as your...

Page 67: ...ncapsulation drop down list box Choices vary depending on what you select in the Mode field If you select Bridge in the Mode field select either PPPoA or RFC 1483 If you select Routing in the Mode fie...

Page 68: ...ter the user name exactly as your ISP assigned If assigned a name in the form user domain where domain identifies a service name then enter both components exactly as given Password Enter the password...

Page 69: ...tic IP address is a fixed IP that your ISP gives you A dynamic IP address is not fixed the ISP assigns you a different one each time you connect to the Internet Select Obtain an IP Address Automatical...

Page 70: ...them Apply Click Apply to save your changes back to the ZyXEL Device Exit Click Exit to close the wizard screen without saving your changes Table 10 Internet Connection with PPPoA LABEL DESCRIPTION U...

Page 71: ...ted or click Restart the Internet Wireless Setup Wizard to verify your Internet access settings Figure 23 Connection Test Failed 2 3 3 Wireless Connection Wizard Setup After you configure the Internet...

Page 72: ...e check box to enable OTIST if you want to transfer your ZyXEL Device s SSID and WEP or WPA PSK security settings to wireless clients that support OTIST and are within transmission range You must also...

Page 73: ...e range of radio frequencies used by IEEE 802 11b g wireless devices is called a channel Select a channel ID that is not already in use by a neighboring device Security Select Automatically assign a W...

Page 74: ...ey Choose Manually assign a WEP key to setup WEP Encryption parameters Figure 28 Manually Assign a WEP Key Table 13 Manually Assign a WPA key LABEL DESCRIPTION Pre Shared Key Type from 8 to 63 case se...

Page 75: ...eless LAN settings display if you chose not to configure wireless LAN settings Table 14 Manually Assign a WEP key LABEL DESCRIPTION Key The WEP keys are used to encrypt data Both the ZyXEL Device and...

Page 76: ...r web browser and navigate to www zyxel com Internet access is just the beginning Refer to the rest of this guide for more detailed information on the complete range of ZyXEL Device features If you ca...

Page 77: ...o use up to two SIP based VoIP accounts The ZyXEL Device provides ten SIP accounts although you can configure only 2 via the VoIP wizard See Chapter 11 on page 178 to configure the others In the follo...

Page 78: ...web page for example http www zyxel com You must have a SIP account before you setup the VoIP wizard 1 After you enter the password to access the web configurator select Go to Wizard setup and click...

Page 79: ...rovider is not in the list select None and click Apply Figure 34 SIP Server Profile Selection 4 Fill in the fields with the information provided by your VoIP service provider When you are finished cli...

Page 80: ...ce domain name in this field the domain name that comes after the symbol in a SIP account like 11223344 SIPA Account com You can use up to 127 ASCII Extended set characters User Name This is the usern...

Page 81: ...on page 401 for troubleshooting Figure 37 VoIP Wizard Fail 7 The congratulations screen displays if your SIP account registration was successful You are ready to make and receive VoIP phone calls Cli...

Page 82: ...ce provider s dialing plan to call regular phone numbers You dial a prefix number provided to you by your VoIP service provider followed by a regular phone number To find out more information about co...

Page 83: ...itize the distribution of the bandwidth according to service bandwidth requirements This helps keep one service from using all of the available bandwidth and shutting out other users 5 2 Bandwidth Man...

Page 84: ...een instructions and click Finish to complete the wizard setup and save your configuration Table 16 Bandwidth Management Wizard General Information LABEL DESCRIPTION Active Select the Active check box...

Page 85: ...Chapter 5 Bandwidth Management Wizard P 2602HWLNI User s Guide 85 Figure 42 Bandwidth Management Wizard Complete...

Page 86: ...Chapter 5 Bandwidth Management Wizard P 2602HWLNI User s Guide 86...

Page 87: ...of the device system resources interfaces LAN and WAN and SIP accounts You can also register and unregister SIP accounts The Status screen also provides detailed information from Any IP and DHCP and...

Page 88: ...resh Interval Enter how often you want the ZyXEL Device to update this screen Apply Click this to update this screen immediately Device Information Host Name This field displays the ZyXEL Device syste...

Page 89: ...field displays what DHCP services the ZyXEL Device is providing to the LAN Choices are Server The ZyXEL Device is a DHCP server in the LAN It assigns IP addresses to other computers in the LAN Relay T...

Page 90: ...call if you re using PPPoE encapsulation For the LAN interface this field displays Up when the ZyXEL Device is using the interface and Down when the ZyXEL Device is not using the interface For the WL...

Page 91: ...XEL Device attempt to register the SIP account with the SIP server The second field displays the reason the account is not registered Inactive The SIP account is not active You can activate it in VoIP...

Page 92: ...o access this screen Read only information here includes port status and packet specific statistics Also provided are system up time and poll interval s The Poll Interval s field is configurable Table...

Page 93: ...This is the downstream speed of your ZyXEL Device Node Link This field displays the remote node index number and link type Link types are PPPoA ENET RFC 1483 and PPPoE Status This field displays Down...

Page 94: ...s disabled TxPkts This field displays the number of packets transmitted on this interface RxPkts This field displays the number of packets received on this interface Collisions This is the number of c...

Page 95: ...he SIP account has never dialed a number Call Statistics Phone This field displays each phone port in the ZyXEL Device Hook This field indicates whether the phone is on the hook or off the hook On The...

Page 96: ...Stop Click this to make the ZyXEL Device stop updating the screen Table 21 VoIP Statistics LABEL DESCRIPTION Table 22 LED Status LABEL STATUS DESCRIPTION Connection DSL Green The DSL port has a succe...

Page 97: ...e outgoing VoIP calls Off This phone port does not have a successful SIP account registration This field displays the number of the SIP account used to make outgoing calls on the corresponding phone p...

Page 98: ...Chapter 6 Status Screens P 2602HWLNI User s Guide 98...

Page 99: ...99 PART III Network WAN Setup 101 LAN Setup 117 Wireless LAN 129 Network Address Translation NAT Screens 155...

Page 100: ...100...

Page 101: ...ZyXEL Device supports PPPoE Point to Point Protocol over Ethernet PPPoE is an IETF Draft standard RFC 2516 specifying how a personal computer PC interacts with a broadband modem DSL cable wireless etc...

Page 102: ...iplexing In this case by prior mutual agreement each protocol is assigned to a specific virtual circuit for example VC1 carries IP etc VC based multiplexing may be dominant in environments where dynam...

Page 103: ...imeout is disabled The second is that the ZyXEL Device will try to bring up the connection when turned on and whenever the connection is down A nailed up connection can be very expensive for obvious r...

Page 104: ...ATM network This agreement helps eliminate congestion which is important for transmission of real time data such as audio and video connections Peak Cell Rate PCR is the maximum rate at which the send...

Page 105: ...me data transfers and the bandwidth requirement varies in proportion to the video image s changing dynamics The VBR nRT non real time Variable Bit Rate type is used with bursty connections that do not...

Page 106: ...an Internet account Otherwise select Bridge Encapsulation Select the method of encapsulation used by your ISP from the drop down list box Choices vary depending on the mode you select in the Mode fie...

Page 107: ...ddress of a DNS server Enter the DNS server s IP address in the field to the right If you chose User Defined but leave the IP address set to 0 0 0 0 User Defined changes to None after you click Apply...

Page 108: ...details of your WAN setup Table 23 Internet Access Setup continued LABEL DESCRIPTION Table 24 Advanced Internet Access Setup LABEL DESCRIPTION RIP Multicast Setup RIP Direction RIP Routing Information...

Page 109: ...S refers to the maximum number of cells that can be sent at the peak rate Type the MBS which is less than 65535 Zero Configuration This feature is not applicable available when you configure the ZyXEL...

Page 110: ...or not Name This is the name you gave to the Internet connection VPI VCI This field displays the Virtual Path Identifier VPI and Virtual Channel Identifier VCI numbers configured for this WAN connecti...

Page 111: ...t box if your ISP allows multiple computers to share an Internet account If you select Bridge the ZyXEL Device will forward any packet that it does not route to this remote node otherwise the packets...

Page 112: ...e IP address given by your ISP in the IP Address field Subnet Mask Enter a subnet mask in dotted decimal notation Refer to the appendices to calculate a subnet mask If you are implementing subnetting...

Page 113: ...Continuous Bit Rate to specify fixed always on bandwidth for voice or data traffic Select UBR Unspecified Bit Rate for applications that are non time sensitive such as e mail Select VBR Variable Bit...

Page 114: ...ackup gateway is connected to the LAN Use IP alias to configure the LAN into two or three logical networks with the ZyXEL Device itself as the gateway for each LAN network Put the protected LAN in one...

Page 115: ...s the other WAN backup connection if configured if there is no response Fail Tolerance Type the number of times 2 recommended that your ZyXEL Device may ping the IP addresses configured in the Check W...

Page 116: ...e cost of transmission A router determines the best route for transmission by choosing a path with the lowest cost RIP routing uses hop count as the measurement of cost with a minimum of 1 for directl...

Page 117: ...y the same building or floor of a building The LAN screens can help you configure a LAN DHCP server and manage IP addresses See Section 8 4 on page 122 for information on configuring the LAN screens 8...

Page 118: ...that an ISP disseminates the DNS server addresses The ISP tells you the DNS server addresses usually in the form of an information sheet when you sign up If your ISP gives you DNS server addresses ent...

Page 119: ...other device on your network is using that IP address The subnet mask specifies the network number portion of an IP address Your ZyXEL Device will compute the subnet mask automatically based on the IP...

Page 120: ...t or Broadcast 1 sender everybody on the network Multicast delivers IP packets to a group of hosts on the network not everybody and not just 1 IGMP Internet Group Multicast Protocol is a network layer...

Page 121: ...er to the ZyXEL Device and access the Internet The following figure depicts a scenario where a computer is set to use a static private IP address in the corporate environment In a residential house wh...

Page 122: ...routing table so it can properly forward packets intended for the computer After all the routing information is updated the computer can access the ZyXEL Device and the Internet as if it is in the sam...

Page 123: ...d to establish membership in a multicast group The ZyXEL Device supports both IGMP version 1 IGMP v1 and IGMP v2 Select None to disable it Any IP Setup Select the Active check box to enable the Any IP...

Page 124: ...etBIOS packets going from the LAN to the WAN and from the WAN to the LAN Back Click Back to return to the previous screen Apply Click Apply to save the changes Cancel Click Cancel to begin configuring...

Page 125: ...DNS server s IP address in the field to the right If you chose User Defined but leave the IP address set to 0 0 0 0 User Defined changes to None after you click Apply If you set a second choice to Use...

Page 126: ...s This field displays the IP address relative to the field listed above MAC Address The MAC Media Access Control or Ethernet address on a LAN Local Area Network is unique to your computer six pairs of...

Page 127: ...cal networks subnets Make sure that the subnets of the logical networks do not overlap The following figure shows a LAN divided into subnets A B and C Figure 64 Physical Network Partitioned Logical Ne...

Page 128: ...outing table periodically When set to Both or In Only it will incorporate the RIP information that it receives when set to None it will not send any RIP packets and will ignore any RIP packets receive...

Page 129: ...ample of a Wireless Network The wireless network is the part in the blue circle In this wireless network devices A and B use the access point AP to interact with the other devices such as the printer...

Page 130: ...et the MAC address for each device in the wireless network see the device s User s Guide or other documentation You can use the MAC address filter to tell the ZyXEL Device which devices are allowed or...

Page 131: ...you have a wireless network with the ZyXEL Device and you do not have a RADIUS server Therefore there is no authentication Suppose the wireless network has two devices Device A only supports WEP and...

Page 132: ...oS gives high priority to voice and video which makes them run more smoothly Similarly it gives low priority to many large file downloads so that they do not reduce the quality of other applications 9...

Page 133: ...its for a CTS Clear To Send before it transmits This stops wireless clients from transmitting packets at the same time and causing data collisions A wireless client sends an RTS for all packets larger...

Page 134: ...Device from a computer connected to the wireless LAN and you change the ZyXEL Device s SSID or WEP settings you will lose your wireless connection when you press Apply to confirm You must then change...

Page 135: ...cessible to any wireless networking device that is within range Figure 69 Wireless No Security The following table describes the labels in this screen 9 5 2 WEP Encryption Screen Select Static WEP fro...

Page 136: ...38 Wireless Static WEP Encryption LABEL DESCRIPTION Security Mode Choose Static WEP from the drop down list box Passphrase Enter a Passphrase up to 32 printable characters and click Generate The ZyXEL...

Page 137: ...swords in order to stay connected Enter a time interval between 10 and 9999 seconds The default time interval is 1800 seconds 30 minutes Note If wireless station authentication is done using a RADIUS...

Page 138: ...f you want the ZyXEL Device to support WPA and WPA2 simultaneously ReAuthentication Timer in seconds Specify how often wireless stations have to resend usernames and passwords in order to stay connect...

Page 139: ...entication server The default port number is 1812 You need not change this value unless your network administrator instructs you to do so with additional information Shared Secret Enter a password up...

Page 140: ...le type from the drop down list menu Choices are Long Short or Dynamic The default setting is Long See the appendix for more information 802 11 Mode Select 802 11b Only to allow only IEEE 802 11b comp...

Page 141: ...up key in the ZyXEL Device you must change it on the wireless devices too Yes Select this if you want the ZyXEL Device to automatically generate a pre shared key for the wireless network Before you do...

Page 142: ...less devices and the ZyXEL Device in any order After you click Start in the ZyXEL Device the following screen appears in the ZyXEL Device Figure 76 OTIST Settings You can use the key in this screen to...

Page 143: ...ss device finds an OTIST enabled AP you must click Start in the ZyXEL Device s Network Wireless LAN OTIST screen or hold in the Reset button on the ZyXEL Device for one or two seconds to transfer the...

Page 144: ...listed will be allowed to access the ZyXEL Device Select Allow to permit access to the ZyXEL Device MAC addresses not listed will be denied access to the ZyXEL Device Set This is the index number of t...

Page 145: ...f an associated wireless station MAC Address This field displays the MAC address of a wireless station that is currently associated with the ZyXEL Device Association Time When a wireless station is ac...

Page 146: ...you want to apply WMM QoS The table appears only if you select Application Priority in WMM QoS Policy This is the number of an individual application entry Name This field displays a description give...

Page 147: ...g table describes the fields in this screen Modify Click the Edit icon to open the Application Priority Configuration screen Modify an existing application entry or create a application entry in the A...

Page 148: ...default ports for e mail POP3 port 110 IMAP port 143 SMTP port 25 HTTP port 80 FTP File Transfer Protocol enables fast transfer of files including large files that it may not be possible to send via...

Page 149: ...ou do not select the check box this link is down MAC Address Type the MAC address of the peer device in a valid MAC address format six hexadecimal character pairs 12 34 56 78 9a bc for example Securit...

Page 150: ...cters including spaces and symbols are allowed Eight character reception key rx this must be the same as the next AP s transmission key All ASCII characters including spaces and symbols are allowed Th...

Page 151: ...the same common key 0123456789123456 The transmission key 22222222 of AP 1 is exactly the same as the reception key 22222222 of AP 2 The transmission key 33333333 of AP 2 is exactly the same as the re...

Page 152: ...PA Pre Shared Key for data transmission When you choose this the Pre Share Key you enter must have the following format Sixteen character common key common all APs in the WDS share the same common key...

Page 153: ...A2 PSK LABEL DESCRIPTION Security Mode Choose WPA PSK from the drop down list box Pre Shared Key The Pre Shared key PSK is used to encrypt data All the wireless APs including the ZyXEL Device must use...

Page 154: ...Chapter 9 Wireless LAN P 2602HWLNI User s Guide 154...

Page 155: ...ess of a host when the packet is in the local network while the global address refers to the IP address of the host when the same packet is traveling in the WAN side Note that inside outside refers to...

Page 156: ...oming inquiries thus preventing intruders from probing your network For more information on IP address translation refer to RFC 1631 The IP Network Address Translator NAT 10 1 3 How NAT Works Each pac...

Page 157: ...stance PAT port address translation ZyXEL s Single User Account feature that previous ZyXEL routers supported the SUA Only option in today s routers Many to Many Overload In Many to Many Overload mode...

Page 158: ...le 52 on page 158 Choose SUA Only if you have just one public WAN IP address for your ZyXEL Device Choose Full Feature if you have multiple public WAN IP addresses for your ZyXEL Device 10 3 NAT Gener...

Page 159: ...you have just one public WAN IP address for your ZyXEL Device Full Feature Select this radio button if you have multiple public WAN IP addresses for your ZyXEL Device Max NAT Firewall Session Per Use...

Page 160: ...iscards all packets received for ports that are not specified here or in the remote management setup 10 4 2 Port Forwarding Services and Port Numbers Use the Port Forwarding screen to forward incoming...

Page 161: ...Default Server Setup Default Server In addition to the servers for specified services NAT supports a default server A default server receives packets from ports that are not specified in this screen...

Page 162: ...54 Port Forwarding LABEL DESCRIPTION Table 55 Port Forwarding Rule Setup LABEL DESCRIPTION Active Click this check box to enable the rule Service Name Enter a name to identify this port forwarding rul...

Page 163: ...rule number 9 In the set summary screen the new rule will be rule 7 not 9 Now if you delete rule 4 rules 5 to 7 will be pushed up by 1 rule so old rules 5 6 and 7 become new rules 4 5 and 6 To change...

Page 164: ...ne to one NAT mapping type M 1 Many to One mode maps multiple local IP addresses to one global IP address This is equivalent to SUA i e PAT port address translation ZyXEL s Single User Account feature...

Page 165: ...s of different services behind the NAT to be accessible to the outside world Local Start IP This is the starting local IP address ILA Local IP addresses are N A for Server port mapping Local End IP Th...

Page 166: ...Chapter 10 Network Address Translation NAT Screens P 2602HWLNI User s Guide 166...

Page 167: ...167 PART IV VoIP Voice 169 VoIP Trunking 211 Phone Usage 227...

Page 168: ...168...

Page 169: ...P is an application layer control signaling protocol that handles the setting up altering and tearing down of voice and multimedia sessions over the Internet SIP signaling is separate from the media f...

Page 170: ...vice can act as both a SIP client and a SIP server 11 2 2 1 SIP User Agent A SIP user agent can make and receive VoIP telephone calls This means that SIP can be used for peer to peer communications ev...

Page 171: ...at originally sent the request can send requests to the IP address that it received back from the redirect server Redirect servers do not initiate SIP requests In the following example you want to use...

Page 172: ...dress to which the SIP requests and responses should be sent Registration is initiated by the User Agent Client UAC running in the VoIP gateway the ZyXEL Device The gateway must be configured with inf...

Page 173: ...ge to acknowledge that B has answered the call 7 Now A and B exchange voice media talk 8 After talking A hangs up and sends a BYE request 9 B replies with an OK response confirming receipt of the BYE...

Page 174: ...telephone call Proxy 1 sends a response indicating that it is trying to complete the request 2 Proxy 1 sends a SIP INVITE request to Proxy 2 Proxy 2 sends a response indicating that it is trying to co...

Page 175: ...dio into digital signals based on the difference between each audio sample and a prediction based on previous samples The more similar the audio sample is to the prediction the less space needed to de...

Page 176: ...d and wait for the message that says you are in the configuration menu 2 Press a number from 1201 1208 followed by the key to listen to the tone 3 You can continue to add listen to or delete tones or...

Page 177: ...n the IP header The DS field contains a 2 bit unused field and a 6 bit DSCP field which can define up to 64 service levels The following figure illustrates the DS field DSCP is backward compatible wit...

Page 178: ...can make up the SIP numbers However you should still activate a SIP account and configure its number and map it to a phone port so that the person you call knows what SIP number you are using and the...

Page 179: ...n name of the SIP register server if your VoIP service provider gave you one Otherwise enter the same address you entered in the SIP Server Address field You can use up to 95 printable ASCII character...

Page 180: ...ide 180 Figure 103 VoIP SIP Settings Advanced Each field is described in the following table Table 62 VoIP SIP Settings Advanced LABEL DESCRIPTION SIP Account This field displays the SIP account you s...

Page 181: ...he Start Port and End Port fields To enter a range of ports enter the port number at the beginning of the range in the Start Port field enter the port number at the end of the range in the End Port fi...

Page 182: ...subscribes to the service Before this time passes the ZyXEL Device automatically subscribes again Call Forward Call Forward Table Select which call forwarding table you want the ZyXEL Device to use fo...

Page 183: ...gency you can make outgoing calls Table 63 SIP QoS LABEL DESCRIPTION SIP TOS Priority Setting Enter the priority for SIP voice transmissions The ZyXEL Device creates Type of Service priority tags with...

Page 184: ...ndwidth that a call uses by not transmitting silent packets when you are not speaking 11 7 4 Comfort Noise Generation When using VAD the ZyXEL Device generates comfort noise when the other party is no...

Page 185: ...e ISDN phone line see Section 11 23 1 on page 208 If you have MSNs from your ISDN service provider you can use the Analog Phone screen to have the phone s connected to the analog PHONE ports make and...

Page 186: ...is phone port to use the analog PSTN phone line You need to enter the prefix number you configure in the VoIP PSTN Line screen when you want to make an analog call ISDN Line Select this to allow outgo...

Page 187: ...lect more than one source for incoming calls there is no way to distinguish between them when you receive phone calls MSN Select the MSNs you want the phone s connected to this phone port to receive W...

Page 188: ...es for speech that it receives from the peer device 1 is the quietest and 1 is the loudest Echo Cancellation G 168 Active Select this if you want to eliminate the echo caused by the sound of your voic...

Page 189: ...vice ISDN Integrated Services Digital Network phone calls These calls are made and received using an ISDN line connected to the PSTN ISDN port on the ZyXEL Device Dialing Interval Select Enter the num...

Page 190: ...figure the SIP account you want to use for outgoing calls with the MSN you selected SIP Account You must configure a SIP account in the VoIP SIP screen before you can make VoIP phone calls Select whic...

Page 191: ...ou select this dial the phone number and then press the pound key The ZyXEL Device makes the call immediately instead of waiting You can still wait if you want Call Fallback Force to PSTN if SIP unreg...

Page 192: ...ISDN port You must also configure your ISDN phone s to use these MSNs You can use the MSN to call an ISDN phone from another phone connected to the ZyXEL Device If an ISDN phone already has a MSN conf...

Page 193: ...b number is four digits When the Enable Group Number is not selected the extension number is simply the sub number Extension Number This read only field displays the extension number which is a combin...

Page 194: ...XEL Device to forward all incoming internal calls Busy Forward to Number Specify the extension number to which you want the ZyXEL Device to forward incoming internal calls if the phone port is busy If...

Page 195: ...his section describes how to use supplementary phone services with the Europe Type Call Service Mode Commands for supplementary services are listed in the table below After pressing the flash key if y...

Page 196: ...2 3 European Call Transfer Do the following to transfer an incoming call that you have answered to another phone 1 Press the flash key to put the caller on hold 2 When you hear the dial tone dial 98 f...

Page 197: ...e dial 98 followed by the number to which you want to transfer the call 3 After you hear the ring signal or the second party answers it hang up the phone 11 14 3 4 USA Three Way Conference Use the fol...

Page 198: ...a speed dial rule you can use a shortcut the speed dial number 01 for example on your phone s keypad to call the phone number Use this screen to add edit or remove speed dial numbers for outgoing cal...

Page 199: ...o call when you dial the speed dial number Name Enter a name to identify the party you call when you dial the speed dial number You can use up to 127 printable ASCII characters Type Select Use Proxy i...

Page 200: ...speed dial entry uses one of your SIP accounts Otherwise this field shows the IP address or domain name of the SIP server or other party This field corresponds with the Type field in the Speed Dial se...

Page 201: ...wait for you to answer an incoming call before it considers the call is unanswered Advanced Setup The ZyXEL Device checks these rules before it checks the rules in the Forward to Number section This f...

Page 202: ...ng call comes in the ZyXEL Device checks whether it is from any of the phone numbers you set up in this screen If the number matches an enabled entry the ZyXEL Device sends the corresponding ring to y...

Page 203: ...this to listen to the ring All the phones connected to the ZyXEL Device ring when you click this button Ring Select Use this section to first assign rings to groups and then assign phone numbers to th...

Page 204: ...ne number you entered You can select Family Workmate Friend or VIP You can also select distinctive rings based on whether a call comes from the registered SIP accounts the PSTN line or another phone c...

Page 205: ...in the SIP Selection by Prefix section to update the SIP Prefix Phone Book section SIP Prefix Phone Book This section displays all SIP prefix numbers currently configured on the ZyXEL Device This is...

Page 206: ...mergency you can make outgoing calls You can also use the PSTN Line screen to specify phone numbers that should always use the regular phone service without having to dial a prefix number Do this for...

Page 207: ...he prefix number For example you should enter emergency numbers The number 1 9 is not a speed dial number It is just a sequential value that is not associated with any phone number Apply Click this to...

Page 208: ...N 777 and Bob configures his phone to use the other 888 When someone calls 123456777 only Alice s phone rings and when someone calls 123456888 only Bob s phone rings When you use MSNs with ISDN device...

Page 209: ...configure this prefix number see Section 11 22 on page 207 11 23 2 Receiving Analog Calls With Digital Phones The ZyXEL Device enables you to receive analog PSTN calls with a digital ISDN phone as fo...

Page 210: ...ur ISDN phone to use the same number see your ISDN phone s documentation for details on how to do this When the ZyXEL Device receives a PSTN call your ISDN phone rings ISDN Item This is the MSN index...

Page 211: ...s to PSTN subscribers at reduced cost Connect to the ZyXEL Device via VoIP and the ZyXEL Device forwards the call to a PSTN phone Creating a link over the IP network requires two VoIP devices VoIP tru...

Page 212: ...device B via the IP address of B Figure 119 Peer Devices Connecting A peer to peer call doesn t require any authentication however authentication is required when you request the remote peer device to...

Page 213: ...nt to configure and the rule you want to set up 12 4 VoIP Trunking Scenarios There are several different VoIP trunking scenarios 12 4 1 VoIP Phone To PSTN Phone A VoIP phone A makes a call to the ZyXE...

Page 214: ...rwards the call to a PSTN phone D Figure 122 PSTN Phone To PSTN Phone via VoIP 12 5 Trunking General Screen Use this screen to enable VoIP trunking Click VoIP Trunking General VoIP Trunking requires t...

Page 215: ...default Enter a value from 1 to 255 seconds When the auto attendant times out the phone directly connected to the ZyXEL Device rings Dialing Interval sec Enter the number of seconds the ZyXEL Device s...

Page 216: ...with the remote peer device This is an index number of your outgoing authentication accounts Name Enter a descriptive name for the remote peer device of this account For example if the peer device is...

Page 217: ...value unless the remote peer device does not follow the standard Incoming Authentication You can set up multiple accounts which are allowed to use your ZyXEL Device for VoIP trunking When peer devices...

Page 218: ...call to a peer VoIP device For example if you want to use trunking to call phone numbers which start with the number 555 then enter 555 in this field Enter up to 32 numeric characters If the number yo...

Page 219: ...head office has a public IP address a b c d and the branch office has a public IP address w x y z Figure 126 VoIP to PSTN Example The proposed solution is to establish a peer to peer call between the...

Page 220: ...XEL Device The name of this rule is CityB referring to the branch office ZyXEL Device In this example the username is headquarters and the password is password This can be configured in the VoIP Trunk...

Page 221: ...mple shows how to configure a PSTN to PSTN call with a VoIP link It also shows how call rules can be used to automate VoIP trunking Table 85 VoIP Trunking Call Progression HEADQUARTERS BRANCH OFFICE S...

Page 222: ...ution is to configure a call rule which will allow the sales manager to call into the headquarters via PSTN establish a VoIP link between the two ZyXEL Devices and have the remote peer device forward...

Page 223: ...ample the username is headquarters and the password is password This can be configured in the VoIP Trunking Peer Call screen Figure 132 PSTN to PSTN Example Outgoing Authentication 3 A call rule needs...

Page 224: ...must match the username and password of the outgoing authentication account of the headquarters ZyXEL Device This can be configured in the VoIP Trunking Peer Call screen Figure 134 PSTN to PSTN Exampl...

Page 225: ...er dials the PIN 12345 The ZyXEL Device confirms the password and allows for VoIP trunking The ZyXEL Device inspects the phone number against call rules Since the number starts with the pattern 5555 i...

Page 226: ...Chapter 12 VoIP Trunking P 2602HWLNI User s Guide 226...

Page 227: ...uring the speed dial entry and adding it to the phonebook press the speed dial entry s key combination on your phone s keypad 13 3 Internal Calls When you have more than one phone connected to the ZyX...

Page 228: ...on hold 2 When you hear the dial tone dial 98 followed by the number to which you want to transfer the call 3 After you hear the ring signal or the second party answers it hang up the phone 13 3 3 Cal...

Page 229: ...owed by the extension number of the ringing phone to receive the call 2 If the ringing phone belongs to the same group of your phone press 97 to receive the call 13 4 Checking the Device s IP Address...

Page 230: ...Chapter 13 Phone Usage P 2602HWLNI User s Guide 230...

Page 231: ...231 PART V Security Firewalls 233 Firewall Configuration 245 Content Filtering 265 Introduction to IPSec 269 VPN Screens 275 Certificates 301...

Page 232: ...232...

Page 233: ...only mechanism or method employed For a firewall to guard effectively you must design and deploy it appropriately This requires integrating the firewall into a broad information security policy In ad...

Page 234: ...assure the integrity of the connection and to adapt to dynamic protocols These firewalls generally provide the best speed and transparency however they may lack the granular application level access c...

Page 235: ...cific functions An extension number called the TCP port or UDP port identifies these protocols such as HTTP Web FTP File Transfer Protocol POP3 E mail etc For example Web traffic by default uses TCP p...

Page 236: ...series of IP fragments with overlapping offset fields When these fragments are reassembled at the destination some systems will crash hang or reboot 6 Weaknesses in the TCP IP specification leave it o...

Page 237: ...r floods a router with Internet Control Message Protocol ICMP echo request packets pings Since the destination IP address of each packet is the broadcast address of the network the router will broadca...

Page 238: ...king a router or firewall into thinking that the communications are coming from within the trusted network To engage in IP spoofing a hacker must modify the packet headers so that it appears that the...

Page 239: ...P packet leaves the LAN network through the firewall s WAN interface The TCP packet is the first in a session and the packet s application layer protocol is configured for a firewall rule inspection 1...

Page 240: ...w certain types of traffic from the Internet to specific hosts on the LAN Allow access to a Web server to everyone but competitors Restrict use of certain protocols such as Telnet to authorized users...

Page 241: ...ve Specifically only outgoing echoes will allow incoming echo replies outgoing address mask requests will allow incoming address mask replies and outgoing timestamp requests will allow incoming timest...

Page 242: ...e they provide more opportunities for hackers to crack your system Turn your computer off when not in use Never give out a password or any sensitive information to an unsolicited telephone call or e m...

Page 243: ...Filters can not distinguish traffic originating from an inside host or an outside host by IP address To block allow IP trace route 14 7 2 Firewall The firewall inspects packet contents as well as the...

Page 244: ...ish traffic originating from an inside host or an outside host by IP address The firewall performs better than filtering if you need to check many rules Use the firewall if you need routine e mail rep...

Page 245: ...on the direction of travel of packets to which they apply The LAN includes both the LAN port and the WLAN By default the ZyXEL Device s stateful packet inspection allows packets traveling in the foll...

Page 246: ...address Destination IP address and IP protocol type of network traffic to rules set by the administrator Your customized rules take precedence and override the ZyXEL Device s default rules 15 3 Rule L...

Page 247: ...Reject means the firewall discards packets and sends an ICMP destination unreachable message to the sender 15 3 3 2 Service Select the service from the Service scrolling list box If the service is no...

Page 248: ...will need to create custom rules to allow it 15 4 2 Alerts Alerts are reports on events such as attacks that you may want to know about right away You can choose to generate an alert when a rule is ma...

Page 249: ...ter LAN to WAN WAN to WAN Router WAN to LAN Firewall rules are grouped based on the direction of travel of packets to which they apply For example LAN to LAN Router means packets traveling from a comp...

Page 250: ...e general firewall action settings in the General screen This is your firewall rule number The ordering of your rules is important as rules are applied in turn Active This field displays whether a fir...

Page 251: ...an existing firewall rule A window displays asking you to confirm that you want to delete the firewall rule Note that subsequent firewall rules move up by one when you take this action Order Click th...

Page 252: ...this screen Table 93 Firewall Edit Rule LABEL DESCRIPTION Active Select this option to enable this firewall rule Action for Matched Packet Use the drop down list box to select whether to discard Drop...

Page 253: ...ion on services available Highlight a service from the Available Services box on the left then click Add to add it to the Selected Services box on the right To remove a service highlight it in the Sel...

Page 254: ...escribes the labels in this screen 15 6 3 Configuring a Customized Service Click a rule number in the Firewall Customized Services screen to create a new custom port or edit an existing one This actio...

Page 255: ...mized Services LABEL DESCRIPTION Service Name Type a unique name for your custom port Service Type Choose the IP port TCP UDP or TCP UDP that defines your customized port from the drop down list box P...

Page 256: ...becomes rule 8 4 Click Add to display the firewall rule configuration screen 5 In the Edit Rule screen click the Edit Customized Services link to open the Customized Service screen 6 Click an index n...

Page 257: ...ample Edit Rule Destination Address 9 Use the Add and Remove buttons between Available Services and Selected Services list boxes to configure it as follows Click Apply when you are done Custom service...

Page 258: ...ewall Example Edit Rule Select Customized Services On completing the configuration procedure for this Internet firewall rule the Rules screen should look like the following Rule 1 allows a MyService c...

Page 259: ...une these parameters when something is not working and after you have checked the firewall counters These default values should work fine for most small offices Factors influencing choices for thresho...

Page 260: ...The ZyXEL Device continues to delete half open sessions as necessary until the rate of new connection attempts drops below another threshold one minute low The rate is the number of new attempts dete...

Page 261: ...leting half open sessions When the rate of new connection attempts rises above this number the ZyXEL Device deletes half open sessions as required to accommodate new connection attempts 100 half open...

Page 262: ...e This is the number of existing half open TCP sessions with the same destination host IP address that causes the firewall to start dropping half open sessions to that same destination host IP address...

Page 263: ...nding on off rst113 Turns TCP reset sending for port 113 on off display Displays the TCP reset sending settings icmp This rule is not in use dos smtp Enables disables the SMTP DoS defender display Dis...

Page 264: ...Chapter 15 Firewall Configuration P 2602HWLNI User s Guide 264...

Page 265: ...e performs content filtering You can also specify trusted IP addresses on the LAN for which the ZyXEL Device will not perform content filtering 16 2 Configuring Keyword Blocking Use this screen to blo...

Page 266: ...the list of all the keywords that you have configured the ZyXEL Device to block Delete Highlight a keyword in the box and click Delete to remove it Clear All Click Clear All to remove all of the keywo...

Page 267: ...the content filtering to be active on the selected day Start TIme Enter the time when you want the content filtering to take effect in hour minute format End Time Enter the time when you want the cont...

Page 268: ...Chapter 16 Content Filtering P 2602HWLNI User s Guide 268...

Page 269: ...ommunications across a public network like the Internet IPSec is built around a number of standardized cryptographic techniques to provide confidentiality data integrity and authentication at the IP l...

Page 270: ...e following VPN applications Linking Two or More Private Networks Together Connect branch offices and business partners over the Internet with significant cost savings and improved performance when co...

Page 271: ...Algorithm describes the use of encryption techniques such as DES Data Encryption Standard and Triple DES algorithms The Authentication Algorithms HMAC MD5 RFC 2403 and HMAC SHA 1 RFC 2404 provide an...

Page 272: ...Tunnel Mode Tunnel mode encapsulates the entire IP packet to transmit it securely A Tunnel mode is required for gateway services to provide access to internal systems Tunnel mode is fundamentally an...

Page 273: ...ding headers in a new IP packet The new IP packet s source address is the outbound address of the sending VPN gateway and its destination address is the inbound address of the VPN device at the receiv...

Page 274: ...Chapter 17 Introduction to IPSec P 2602HWLNI User s Guide 274...

Page 275: ...uthentication sequence integrity replay resistance and non repudiation but not for confidentiality for which the ESP was designed In applications where confidentiality is not required or not sanctione...

Page 276: ...ing a private secret key DES applies a 56 bit key to each 64 bit block of data MD5 default MD5 Message Digest 5 produces a 128 bit digest to authenticate packet data 3DES Triple DES 3DES is a variant...

Page 277: ...Secure Gateway Address If the remote secure gateway has a dynamic WAN IP address and does not use DDNS enter 0 0 0 0 as the secure gateway s address In this case only the remote secure gateway can in...

Page 278: ...lays the identification name for this VPN policy Local Address This is the IP address es of computer s on your local network behind your ZyXEL Device The same static IP address is displayed twice when...

Page 279: ...ta has been maliciously altered Remote Address This is the IP address es of computer s on the remote network behind the remote IPSec router This field displays N A when the Secure Gateway Address fiel...

Page 280: ...For NAT traversal to work you must Use ESP security protocol in either transport or tunnel mode Use IKE keying mode Enable NAT traversal on both IPSec endpoints Set the NAT router to forward UDP port...

Page 281: ...emote IPSec routers that have dynamic WAN IP addresses Telecommuters can use separate passwords to simultaneously connect to the ZyXEL Device from IPSec routers with dynamic IP addresses seeSection 18...

Page 282: ...6 Peer ID Type and Content Fields PEER ID TYPE CONTENT IP Type the IP address of the computer with which you will make the VPN connection or leave the field blank to have the ZyXEL Device automaticall...

Page 283: ...IKE negotiation seeSection 18 12 on page 288for more on IKE phases It is called pre shared because you have to share it with another party before you can communicate with them over a secure connectio...

Page 284: ...the SA after the SA lifetime times out even if there is no traffic The remote IPSec router must also have keep alive enabled in order for this feature to work NAT Traversal This function is available...

Page 285: ...ddress on the LAN behind your ZyXEL Device When the Local Address Type field is configured to Range enter the beginning static IP address in a range of computers on your LAN behind your ZyXEL Device W...

Page 286: ...is for identification purposes only and can be any string My IP Address Enter the WAN IP address of your ZyXEL Device The VPN tunnel has to be rebuilt if this IP address changes The following applies...

Page 287: ...self Both ends of the VPN tunnel must use the same pre shared key You will receive a PYLD_MALFORMED payload malformed packet if the same pre shared key is not used on both ends Certificate Click the b...

Page 288: ...field allows you to determine how long an IKE SA should stay up before it times out An IKE SA times out when the IKE SA lifetime period expires If an IKE SA times out when an IPSec SA is already estab...

Page 289: ...n remote access situations where the address of the initiator is not know by the responder and both parties want to use pre shared key authentication 18 12 2 Diffie Hellman DH Key Groups Diffie Hellma...

Page 290: ...rt Type a port number from 0 to 65535 Some of the most common IP ports are 21 FTP 53 DNS 23 Telnet 80 HTTP 25 SMTP 110 POP3 End Enter a port number in this field to define a port range This port numbe...

Page 291: ...Select MD5 for minimal security and SHA 1 for maximum security SA Life Time Seconds Define the length of time before an IPSec SA automatically renegotiates in this field It may range from 60 to 3 000...

Page 292: ...screen as shown next SA Life Time Seconds Define the length of time before an IKE SA automatically renegotiates in this field It may range from 60 to 3 000 000 seconds almost 35 days A short SA Life...

Page 293: ...pe up to 32 characters to identify this VPN policy You may use any character including spaces but the ZyXEL Device drops trailing spaces IPSec Key Mode Select IKE or Manual from the drop down list box...

Page 294: ...Address Type field is configured to Range enter the end static IP address in a range of computers on the LAN behind your ZyXEL Device When the Local Address Type field is configured to Subnet this is...

Page 295: ...and Authentication Algorithm fields described next Encryption Algorithm Select DES 3DES or NULL from the drop down list box When DES is used for data communications both sender and receiver must know...

Page 296: ...Figure 165 VPN SA Monitor The following table describes the fields in this screen Table 112 VPN SA Monitor LABEL DESCRIPTION No This is the security association index number Name This field displays t...

Page 297: ...igure to use one VPN rule to simultaneously access a ZyXEL Device at headquarters HQ in the figure The telecommuters do not have domain names mapped to the WAN IP addresses of their IPSec routers The...

Page 298: ...mmuters IPSec routers should not overlap See the following table and figure for an example where three telecommuters each use a different VPN rule for a VPN connection with a ZyXEL Device located at h...

Page 299: ...EL Device Rule 1 Local ID Type IP Peer ID Type IP Local ID Content 192 168 2 12 Peer ID Content 192 168 2 12 Local IP Address 192 168 2 12 Secure Gateway Address telecommuter1 com Remote Address 192 1...

Page 300: ...18 VPN Screens P 2602HWLNI User s Guide 300 18 19 VPN and Remote Management If a VPN tunnel uses Telnet FTP WWW then you should configure remote management Remote Management to allow access for that...

Page 301: ...be kept secure Public key encryption in general works as follows 1 Tim wants to send a private message to Jenny Tim generates a public key pair What is encrypted with one key can only be decrypted us...

Page 302: ...o matter how many devices you need to authenticate Key distribution is simple and very secure since you can freely distribute public keys and you never need to transmit private keys 19 2 Self signed C...

Page 303: ...use this button to replace the factory default certificate with one that uses your ZyXEL Device s MAC address This field displays the certificate index number The certificates are listed in alphabeti...

Page 304: ...information about the certificate Click the delete icon to remove the certificate A window displays asking you to confirm that you want to delete the certificate You cannot delete a certificate that...

Page 305: ...ertificate into a printable form Binary PKCS 7 This is a standard that defines the general syntax for data including digital signatures that may be encrypted The ZyXEL Device currently allows the impo...

Page 306: ...te Name Type up to 31 ASCII characters not including spaces to identify this certificate Subject Information Use these fields to record information that identifies the owner of the certificate You do...

Page 307: ...cation request and enroll for a certificate immediately online to have the ZyXEL Device generate a request for a certificate and apply to a certification authority for a certificate You must have the...

Page 308: ...rtificate Create screen Make sure that the certification authority information is correct and that your Internet connection is working properly if you want the ZyXEL Device to enroll a certificate onl...

Page 309: ...Chapter 19 Certificates P 2602HWLNI User s Guide 309 Figure 173 My Certificate Details...

Page 310: ...the certificate Type This field displays general information about the certificate CA signed means that a Certification Authority signed the certificate Self signed means that the certificate s owner...

Page 311: ...evice calculated using the MD5 algorithm SHA1 Fingerprint This is the certificate s message digest that the ZyXEL Device calculated using the SHA1 algorithm Certificate in PEM Base 64 Encoded Format T...

Page 312: ...bject information Issuer This field displays identifying information about the certificate s issuing certification authority such as a common name organizational unit or department organization or com...

Page 313: ...te icon to remove the certificate A window displays asking you to confirm that you want to delete the certificates Note that subsequent certificates move up by one when you take this action Import Cli...

Page 314: ...o open the Trusted CA Details screen Use this screen to view in depth information about the certification authority s certificate change the certificate s name and set whether or not you want the ZyXE...

Page 315: ...ation Authority signed the certificate Self signed means that the certificate s owner signed the certificate not a certification authority X 509 means that this certificate was created and signed acco...

Page 316: ...le This field also displays the domain names or IP addresses of the servers MD5 Fingerprint This is the certificate s message digest that the ZyXEL Device calculated using the MD5 algorithm You can us...

Page 317: ...tion about the certificate s owner such as CN Common Name OU Organizational Unit or department O Organization or company and C Country It is recommended that each certificate have unique subject infor...

Page 318: ...ssage digests calculated using the MD5 or SHA1 algorithms The following procedure describes how to use a certificate s fingerprint to verify that you have the remote host s actual certificate 1 Browse...

Page 319: ...table describes the labels in this screen 19 14 Trusted Remote Host Certificate Details Click Security Certificates Trusted Remote Hosts to open the Trusted Remote Hosts screen Click the details icon...

Page 320: ...Chapter 19 Certificates P 2602HWLNI User s Guide 320 Figure 181 Trusted Remote Host Details...

Page 321: ...rmation that identifies the owner of the certificate such as Common Name CN Organizational Unit OU Organization O and Country C Issuer This field displays identifying information about the default sel...

Page 322: ...Fingerprint This is the certificate s message digest that the ZyXEL Device calculated using the SHA1 algorithm You cannot use this value to verify that this is the remote host s actual certificate bec...

Page 323: ...xpired or unnecessary certificates before adding more certificates The index number of the directory server The servers are listed in alphabetical order Name This field displays the name used to ident...

Page 324: ...n dotted decimal notation or the domain name of the directory server Server Port This field displays the default server port number of the protocol that you select in the Access Protocol field You may...

Page 325: ...325 PART VI Advanced Static Route 327 Bandwidth Management 331 Dynamic DNS Setup 339 Remote Management Configuration 343 Universal Plug and Play UPnP 361...

Page 326: ...326...

Page 327: ...ance the ZyXEL Device knows about network N2 in the following figure through remote node Router 1 However the ZyXEL Device is unable to route a packet to network N3 because it doesn t know that there...

Page 328: ...meter specifies the IP network address of the final destination Routing is always based on network number Netmask This parameter specifies the IP network subnet mask of the final destination Gateway T...

Page 329: ...Routing is always based on network number If you need to specify a route to a single host use a subnet mask of 255 255 255 255 in the subnet mask field to force the network number to be identical to...

Page 330: ...Chapter 20 Static Route P 2602HWLNI User s Guide 330...

Page 331: ...urce Traffic redirect or IP alias may cause LAN to LAN traffic to pass through the ZyXEL Device and be managed by bandwidth management 21 2 Application based Bandwidth Management You can create bandwi...

Page 332: ...vice sends traffic with smaller packets before traffic with larger packets if the network is congested ATC assigns priority to packets as shown in the following table 21 4 Subnet based Bandwidth Manag...

Page 333: ...anced Bandwidth MGMT to open the screen as shown next Use this screen to enable or disable bandwidth management and to enable or disable automatic traffic classification Figure 188 Bandwidth Managemen...

Page 334: ...sensitive applications such as VoIP tend to have smaller packet sizes than non time sensitive applications such as FTP When ATC is enabled traffic with a smaller packet size is assigned a higher prior...

Page 335: ...a bandwidth filter make sure that the interface s root class has more bandwidth than the sum of the bandwidths of the interface s bandwidth management rules Add Click this button to save your rule It...

Page 336: ...nd over TCP IP networks A system running the FTP server accepts commands from a system running an FTP client The service allows users to send commands to the server for uploading and downloading files...

Page 337: ...represents the percentage of bandwidth in use Figure 191 Bandwidth Management Monitor Source Port Enter the port number of the source See Appendix E on page 475 for some common services and port numb...

Page 338: ...Chapter 21 Bandwidth Management P 2602HWLNI User s Guide 338...

Page 339: ...ow your IP address First of all you need to have registered a dynamic DNS account with www dyndns org This is for people with a dynamic IP from their ISP or DHCP server that would still like to have a...

Page 340: ...Type the domain name assigned to your ZyXEL Device by your Dynamic DNS provider You can specify up to two host names in the field separated by a comma User Name Type your user name Password Type the...

Page 341: ...dress of the NAT router that has a public IP address Note The DDNS server may not be able to detect the proper IP address if there is an HTTP proxy server between the ZyXEL Device and the DDNS server...

Page 342: ...Chapter 22 Dynamic DNS Setup P 2602HWLNI User s Guide 342...

Page 343: ...h computers The following figure shows secure and insecure management of the ZyXEL Device coming in from the WAN HTTPS and SSH access are secure HTTP and Telnet access are not secure Figure 193 Secure...

Page 344: ...mote management screen You have disabled that service in one of the remote management screens The IP address in the Secured Client IP field does not match the client IP address If it does not match th...

Page 345: ...e SSL server the ZyXEL Device must always authenticate itself to the SSL client the computer which requests the HTTPS connection with the ZyXEL Device whereas the SSL client only should authenticate i...

Page 346: ...w the computer with the IP address that you specify to access the ZyXEL Device using this service HTTPS Server Host Key Select the certificate that the ZyXEL Device will use to identify itself The ZyX...

Page 347: ...access is allowed You can allow only secure web configurator access by setting the HTTP Access Status field to Disable and setting the HTTPS Access Status field to an interface s Secure Client IP A se...

Page 348: ...ON Port You may change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Access Status Select the interface s...

Page 349: ...y available if TCP IP is configured Table 140 Remote Management FTP LABEL DESCRIPTION Port You may change the server port number for a service if needed however you must use the same port number in or...

Page 350: ...formation Base MIB is a collection of managed objects SNMP allows a manager and agents to communicate for the purpose of accessing these objects SNMP itself is a simple request response protocol based...

Page 351: ...er on 1 warmStart defined in RFC 1215 A trap is sent after booting software reboot 4 authenticationFailure defined in RFC 1215 A trap is sent to the manager when receiving any SNMP get or set requirem...

Page 352: ...ice using this service Secured Client IP A secured client is a trusted computer that is allowed to communicate with the ZyXEL Device using this service Select All to allow any computer to access the Z...

Page 353: ...upported ports are probed If you want your device to respond to pings and requests for unauthorized services you may also need to configure the firewall anti probing settings to match Table 143 Remote...

Page 354: ...ot respond to any incoming Ping requests when Disable is selected Select LAN to reply to incoming LAN Ping requests Select WAN to reply to incoming WAN Ping requests Otherwise select LAN WAN to reply...

Page 355: ...host key and server key and sends the result back to the server The client automatically saves any new server public keys In subsequent connections the server public key is checked against the saved...

Page 356: ...onfiguring SSH Click ADVANCED REMOTE MGMT SSH to change your ZyXEL Device s Secure Shell settings It is recommended that you disable Telnet and FTP when you configure SSH for secure connections Figure...

Page 357: ...s to continue Figure 206 SSH Example 1 Store Host Key Enter the password to log in to the ZyXEL Device The SMT main menu displays next 23 14 2 Example 2 Linux This section describes how to access the...

Page 358: ...on file transfer using the OpenSSH client program The configuration and connection steps are similar for other SSH client programs Refer to your SSH client program user s guide 1 Enter sftp 1 192 168...

Page 359: ...192 168 1 1 can t be established RSA1 key fingerprint is 21 6c 07 25 7e f4 75 80 ec af bd d4 3d 80 53 d1 Are you sure you want to continue connecting yes no yes Warning Permanently added 192 168 1 1 R...

Page 360: ...Chapter 23 Remote Management Configuration P 2602HWLNI User s Guide 360...

Page 361: ...work will appear as a separate icon Selecting the icon of a UPnP device will allow you to access the information and properties of that device 24 1 2 NAT Traversal UPnP NAT traversal automates the pro...

Page 362: ...4 1 on page 361 for more information Figure 210 Configuring UPnP The following table describes the fields in this screen Table 146 Configuring UPnP LABEL DESCRIPTION Active the Universal Plug and Play...

Page 363: ...onents selection box Click Details Figure 211 Add Remove Programs Windows Setup Communication 3 In the Communications window select the Universal Plug and Play check box in the Components selection bo...

Page 364: ...prompted Installing UPnP in Windows XP Follow the steps below to install the UPnP in Windows XP 1 Click Start and Control Panel 2 Double click Network Connections 3 In the Network Connections window...

Page 365: ...5 Figure 214 Windows Optional Networking Components Wizard 5 In the Networking Services window select the Universal Plug and Play check box Figure 215 Networking Services 6 Click OK to go back to the...

Page 366: ...Make sure the computer is connected to a LAN port of the ZyXEL Device Turn on your computer and the ZyXEL Device Auto discover Your UPnP enabled Network Device 1 Click Start and Control Panel Double...

Page 367: ...Chapter 24 Universal Plug and Play UPnP P 2602HWLNI User s Guide 367 Figure 217 Internet Connection Properties 4 You may edit or delete the port mappings or click Add to manually add port mappings...

Page 368: ...s Advanced Settings Figure 219 Internet Connection Properties Advanced Settings Add 5 When the UPnP enabled device is disconnected from your computer all port mappings will be deleted automatically 6...

Page 369: ...us Web Configurator Easy Access With UPnP you can access the web based configurator on the ZyXEL Device without finding out the IP address of the ZyXEL Device first This comes helpful if you do not kn...

Page 370: ...NI User s Guide 370 Figure 222 Network Connections 4 An icon with the description for each UPnP enabled device displays under Local Network 5 Right click on the icon for your ZyXEL Device and select I...

Page 371: ...371 Figure 223 Network Connections My Network Places 6 Right click on the icon for your ZyXEL Device and select Properties A properties window displays with basic information about the ZyXEL Device Fi...

Page 372: ...Chapter 24 Universal Plug and Play UPnP P 2602HWLNI User s Guide 372...

Page 373: ...373 PART VII Maintenance and Troubleshooting System 375 Call History 381 Logs 387 Troubleshooting 401 Tools 407 Diagnostic 419 Product Specifications 423...

Page 374: ...374...

Page 375: ...click Start Settings Control Panel and then double click System Click the Network Identification tab and then the Properties button Note the entry for the Computer name field and enter it as the Syste...

Page 376: ...how many minutes a management session either via the web configurator or telnet can be left idle before the session times out The default is 5 minutes After it times out you have to log in with your p...

Page 377: ...stem Time Setting The following table describes the fields in this screen Table 148 System Time Setting LABEL DESCRIPTION Current Time and Date Current Time This field displays the time of your ZyXEL...

Page 378: ...C 868 format displays a 4 byte integer giving the total number of seconds since 1970 1 1 at 0 0 0 The default NTP RFC 1305 is similar to Time RFC 868 Time Server Address Enter the IP address or URL up...

Page 379: ...irst Sunday November and 2 00 Daylight Saving Time ends in the European Union on the last Sunday of October All of the time zones in the European Union stop using Daylight Saving Time at the same mome...

Page 380: ...Chapter 25 System P 2602HWLNI User s Guide 380...

Page 381: ...ail or to a mail server This feature allows you to trace all of your PSTN and VoIP call records and see details of how many calls you missed dialed and received You can also see call timers showing ho...

Page 382: ...lick Maintenance Call History Call History The following screen displays Table 149 Call History Summary LABEL DESCRIPTION Type of Summary This field displays the time period for which the entry applie...

Page 383: ...E mail Call History Settings fields in the Call History Settings screen Refresh Click Refresh to renew the screen Clear Call History Click Clear Call History to delete all call history records Next p...

Page 384: ...ttings screen to configure where the ZyXEL Device is to send call history records and the schedule for saving and sending the records To change your ZyXEL Device s call history settings click Maintena...

Page 385: ...n Log is Full Hourly Daily Weekly None If you select Weekly or Daily specify a time of day when the e mail should be sent If you select Weekly then also specify which day of the week the e mail should...

Page 386: ...2602HWLNI User s Guide 386 Apply Click Apply to save your customized settings and exit this screen Cancel Click Cancel to return to the previously saved settings Table 151 Call History Call History S...

Page 387: ...on They include system errors attacks access control and attempted access to blocked web sites Some categories such as System Errors consist of both logs and alerts You may differentiate them by their...

Page 388: ...The categories that you select in the Log Settings screen display in the drop down list box Select a category of logs to view select All Logs to view logs from all of the log categories that you selec...

Page 389: ...erver for the e mail addresses specified below If this field is left blank logs and alert messages will not be sent via E mail Mail Subject Type a title that you want to be in the subject line of the...

Page 390: ...ify a time of day when the E mail should be sent If you select Weekly then also specify which day of the week the E mail should be sent If you select When Log is Full an alert is sent when the log fil...

Page 391: ...6 means RCPT TO fail 7 means DATA fail 8 means mail data send fail Subject Firewall Alert From Date Fri 07 Apr 2000 10 05 42 From user zyxel com To user zyxel com 1 Apr 7 00 From 192 168 1 1 To 192 1...

Page 392: ...the router via ftp NAT Session Table is Full The maximum number of NAT session table entries has been exceeded and the table is full Starting Connectivity Monitor Starting Connectivity Monitor Time in...

Page 393: ...he firewall allowed a triangle route session to pass through Packet without a NAT table entry blocked TCP UDP IGMP ESP GRE OSPF The router blocked a packet that didn t have a corresponding NAT table e...

Page 394: ...et Direction type d code d ICMP access matched the default policy and was blocked or forwarded according to the user s setting Firewall rule NOT match ICMP Packet Direction rule d type d code d ICMP a...

Page 395: ...ion s Internet Protocol Control Protocol stage is opening ppp LCP Closing The PPP connection s Link Control Protocol stage is closing ppp IPCP Closing The PPP connection s Internet Protocol Control Pr...

Page 396: ...vulnerability ICMP type d code d The firewall detected an ICMP vulnerability attack traceroute ICMP type d code d The firewall detected an ICMP traceroute attack Table 166 802 1X Logs LOG MESSAGE DES...

Page 397: ...er to authenticate user There is no authentication server to authenticate a user Local User Database does not find user s credential A user was not authenticated by the local user database because the...

Page 398: ...DESCRIPTION Facility 8 Severity Mon dd hr mm ss hostname src srcIP srcPort dst dstIP dstPort msg msg note note devID mac address last three numbers cat category This message is sent by the system RAS...

Page 399: ...hone port to initiate a VoIP call to the listed destination VoIP Call Established Ph Phone Port Outgoing Call Number Someone used a phone connected to the listed phone port to make a VoIP call to the...

Page 400: ...efer to RFC 2408 for detailed information on each type Table 175 RFC 2408 ISAKMP Payload Types LOG DISPLAY PAYLOAD TYPE SA Security Association PROP Proposal TRANS Transform KE Key Exchange ID Identif...

Page 401: ...are using the power adaptor or cord included with the ZyXEL Device 3 Make sure the power adaptor or cord is connected to the ZyXEL Device and plugged in to an appropriate power source Make sure the p...

Page 402: ...creen in the web configurator 1 Make sure you are using the correct IP address The default IP address is 192 168 1 1 If you changed the IP address Section 8 3 1 on page 118 use the new IP address If y...

Page 403: ...ice 1 Make sure you have entered the user name and password correctly The default password is 1234 These fields are case sensitive so make sure Caps Lock is not on 2 You cannot log in to the web confi...

Page 404: ...ure the LEDs are behaving as expected See the Quick Start Guide and Section 1 5 on page 46 2 Turn the ZyXEL Device off and on 3 If the problem continues contact your ISP V The Internet connection is s...

Page 405: ...with the SIP server contact your VoIP service provider V I cannot call from one of the ZyXEL Device s phone ports to the other phone port If you are using extension numbers to call from one phone to...

Page 406: ...Chapter 28 Troubleshooting P 2602HWLNI User s Guide 406...

Page 407: ...ernately upload the factory default configuration file if you want to return the device to the original default settings The firmware determines the device s available features and functionality You c...

Page 408: ...L Device that is on your computer local network or FTP site and so the name but not the extension may vary After uploading new firmware see the Status screen to confirm that you have uploaded the corr...

Page 409: ...d is in progress Figure 233 Firmware Upgrade The following table describes the labels in this screen After you see the Firmware Upload in Progress screen wait two minutes before logging into the ZyXEL...

Page 410: ...og in again and check your new firmware version in the Status screen If the upload was not successful the following screen will appear Click Return to go back to the Firmware screen Figure 236 Error M...

Page 411: ...uration to your computer 29 5 2 Restore Configuration Restore Configuration allows you to upload a new or previously saved configuration file from your computer to your ZyXEL Device 1 Do not turn off...

Page 412: ...P address of your computer to be in the same subnet as that of the default device IP address 192 168 1 1 See Appendix A on page 435 for details on how to set up your computer s IP address If the uploa...

Page 413: ...evice s configuration Figure 243 Restart Screen 29 7 Using FTP or TFTP to Back Up Configuration This section covers how to use FTP or TFTP to save your device s configuration file to your computer 29...

Page 414: ...mended To use TFTP your computer must have both telnet and TFTP clients To backup the configuration file follow the procedure shown next 331 Enter PASS command Password 230 Logged in ftp bin 200 Type...

Page 415: ...ary transfer mode 29 7 5 TFTP Command Configuration Backup Example The following is an example TFTP command tftp i host get rom 0 config rom where i specifies binary image transfer mode use this mode...

Page 416: ...iguration process is complete the device automatically restarts 29 8 1 Restore Using FTP Session Example Figure 245 Restore Using FTP Session Example Refer to Section 29 3 on page 408 to read about co...

Page 417: ...9 9 2 FTP Session Example of Firmware File Upload Figure 246 FTP Session Example of Firmware File Upload More commands found in GUI based FTP clients are listed earlier in this chapter Refer to Sectio...

Page 418: ...and the device in CI mode before and during the TFTP transfer For details on TFTP commands see following example please consult the documentation of your TFTP client program For UNIX use get to transf...

Page 419: ...e screen shown next Figure 247 Diagnostic General The following table describes the fields in this screen 30 2 DSL Line Diagnostic Click Maintenance Diagnostic DSL Line to open the screen shown next T...

Page 420: ...cards is the number of ATM cells sent that were rejected inF4Pkts is the number of ATM Operations Administration and Management OAM F4 cells that have been received See ITU recommendation I 610 for mo...

Page 421: ...ine the quality of the connection whether a given sub carrier loop has sufficient margins to support certain ADSL transmission rates and possibly to determine whether particular specific types of inte...

Page 422: ...Chapter 30 Diagnostic P 2602HWLNI User s Guide 422...

Page 423: ...hernet ports PHONE Ports 2 RJ 11 FXS POTS ports ISDN PHONE Port 1 RJ 45 FXS ISDN port PSTN ISDN Port 1 RJ 45 FXO PSTN or ISDN port RESET Button Restores factory defaults Antenna One attached external...

Page 424: ...rs The ZyXEL Device supports versions 1 and 2 of IGMP Internet Group Management Protocol used to join multicast groups see RFC 2236 Time and Date Get the current time and date from an external server...

Page 425: ...Sec connections Universal Plug and Play UPnP Your device and other UPnP enabled devices can use the standard TCP IP protocol to dynamically join a network obtain an IP address and convey their capabil...

Page 426: ...ging for unsupported network layer protocols RIP I RIP II ICMP ATM QoS SNMP v1 and v2c with MIB II support RFC 1213 IP Multicasting IGMP v1 and v2 IGMP Proxy Management Embedded Web Configurator CLI C...

Page 427: ...u to set the ZyXEL Device to automatically use the PSTN ISDN connection for outgoing calls if the SIP account is not working or to use the SIP account for outgoing calls if the PSTN ISDN port is unplu...

Page 428: ...onnected to the ZyXEL Device an extension number and place a internal call to a specific phone HTTP Pincode When new firmware is available for your ZyXEL Device you hear a recorded message when you pi...

Page 429: ...prioritized over the network MSNs You can use MSNs Multiple Subscriber Numbers to identify individual ISDN phone connected to the ZyXEL Device for internal calls Configure MSNs in the ZyXEL Device all...

Page 430: ...defines stronger encryption authentication and key management than WPA WDS Use the WDS Wireless Distribution System to secure the link between the ZyXEL Device and other APs on your network At the tim...

Page 431: ...W 180100 MU18 2180100 A1 Input Power AC 100 240Volts 50 60Hz 0 5A AC 100 240Volts 50 60Hz 0 6A Output Power DC 18Volts 1A DC 18Volts 1A Power Consumption 12 Watt max 12 Watt max Safety Standards UL C...

Page 432: ...Chapter 31 Product Specifications P 2602HWLNI User s Guide 432...

Page 433: ...es and Index Setting up Your Computer s IP Address 435 Pop up Windows JavaScripts and Java Permissions 447 IP Addresses and Subnetting 453 Wireless LANs 461 Services 475 Legal Information 479 Customer...

Page 434: ...434...

Page 435: ...third party TCP IP application package TCP IP should already be installed on computers using Windows NT 2000 XP Macintosh OS 7 and later operating systems After the appropriate TCP IP components are...

Page 436: ...en click Add 3 Select the manufacturer and model of your network adapter and then click OK If you need TCP IP 1 In the Network window click Add 2 Select Protocol and then click Add 3 Select Microsoft...

Page 437: ...elect Obtain an IP address automatically If you have a static IP address select Specify an IP address and type your information into the IP Address and Subnet Mask fields Figure 250 Windows 95 98 Me T...

Page 438: ...o save and close the TCP IP Properties window 6 Click OK to close the Network window Insert the Windows CD if prompted 7 Turn on your ZyXEL Device and restart your computer when prompted Verifying Set...

Page 439: ...HWLNI User s Guide 439 Figure 252 Windows XP Start Menu 2 For Windows XP click Network Connections For Windows 2000 NT click Network and Dial up Connections Figure 253 Windows XP Control Panel 3 Right...

Page 440: ...tab in Win XP and click Properties Figure 255 Windows XP Local Area Connection Properties 5 The Internet Protocol TCP IP Properties window opens the General tab in Windows XP If you have a dynamic IP...

Page 441: ...ure additional default gateways in the IP Settings tab by clicking Add in Default gateways In TCP IP Gateway Address type the IP address of the default gateway in Gateway To manually configure a defau...

Page 442: ...lick OK to close the Local Area Connection Properties window 10 Turn on your ZyXEL Device and restart your computer if prompted Verifying Settings 1 Click Start All Programs Accessories and then Comma...

Page 443: ...ess P 2602HWLNI User s Guide 443 Figure 258 Macintosh OS 8 9 Apple Menu 2 Select Ethernet built in from the Connect via list Figure 259 Macintosh OS 8 9 TCP IP 3 For dynamically assigned settings sele...

Page 444: ...k Save if prompted to save changes to your configuration 7 Turn on your ZyXEL Device and restart your computer if prompted Verifying Settings Check your TCP IP properties in the TCP IP Control Panel w...

Page 445: ...om the Configure box select Manually Type your IP address in the IP Address box Type your subnet mask in the Subnet mask box Type the IP address of your ZyXEL Device in the Router address box 5 Click...

Page 446: ...Appendix A Setting up Your Computer s IP Address P 2602HWLNI User s Guide 446...

Page 447: ...rnet Explorer Pop up Blockers You may have to disable pop up blocking to log into your device Either disable pop up blocking enabled by default in Windows XP SP Service Pack 2 or allow pop up blocking...

Page 448: ...web pop up blockers you may have enabled Figure 263 Internet Options Privacy 3 Click Apply to save this setting Enable pop up Blockers with Exceptions Alternatively if you only want to allow pop up wi...

Page 449: ...de 449 Figure 264 Internet Options Privacy 3 Type the IP address of your device the web page that you do not want to have blocked with the prefix http For example http 192 168 167 1 4 Click Add to mov...

Page 450: ...lay properly in Internet Explorer check that JavaScripts are allowed 1 In Internet Explorer click Tools Internet Options and then the Security tab Figure 266 Internet Options Security 2 Click the Cust...

Page 451: ...tings Java Scripting Java Permissions 1 From Internet Explorer click Tools Internet Options and then the Security tab 2 Click the Custom Level button 3 Scroll down to Microsoft VM 4 Under Java permiss...

Page 452: ...Permissions P 2602HWLNI User s Guide 452 JAVA Sun 1 From Internet Explorer click Tools Internet Options and then the Advanced tab 2 Make sure that Use Java 2 for applet under Java Sun is selected 3 Cl...

Page 453: ...hare a common street name the hosts on a network share a common network number Similarly as each house has its own house number each host on the network has its own unique identifying number the host...

Page 454: ...the IP address is part of the host ID The following example shows a subnet mask identifying the network number in bold text and host ID of an IP address 192 168 1 2 in decimal By convention subnet mas...

Page 455: ...by a continuous number of zeros for the remainder of the 32 bit mask you can simply specify the number of ones instead of writing the value of each octet This is usually specified by writing a follow...

Page 456: ...ows the company network before subnetting Figure 271 Subnetting Example Before Subnetting You can borrow one of the host ID bits to divide the network 192 168 1 0 into two separate sub networks The su...

Page 457: ...8 1 254 Example Four Subnets The previous example illustrated using a 25 bit subnet mask to divide a 24 bit address into two subnets Similarly to divide a 24 bit address into four subnets you need to...

Page 458: ...bnet 3 IP SUBNET MASK NETWORK NUMBER LAST OCTET BIT VALUE IP Address 192 168 1 128 IP Address Binary 11000000 10101000 00000001 10000000 Subnet Mask Binary 11111111 11111111 11111111 11000000 Subnet A...

Page 459: ...T BITS SUBNET MASK NO SUBNETS NO HOSTS PER SUBNET 1 255 255 255 128 25 2 126 2 255 255 255 192 26 4 62 3 255 255 255 224 27 8 30 4 255 255 255 240 28 16 14 5 255 255 255 248 29 32 6 6 255 255 255 252...

Page 460: ...entered You don t need to change the subnet mask computed by the ZyXEL Device unless you are instructed to do otherwise Private IP Addresses Every machine on the Internet must have a unique address If...

Page 461: ...endent Basic Service Set IBSS The following diagram shows an example of notebook computers using wireless adapters to form an ad hoc wireless LAN Figure 273 Peer to Peer Communication in an Ad hoc Net...

Page 462: ...red connection between APs is called a Distribution System DS This type of wireless LAN topology is called an Infrastructure WLAN The Access Points not only provide communication with the wired networ...

Page 463: ...ially overlap however To avoid interference due to overlap your AP should be on a channel at least five channels away from a channel that an adjacent AP is using For example if your region has 11 chan...

Page 464: ...equested transmission Stations can send frames smaller than the specified RTS CTS directly to the AP without the RTS Request To Send CTS Clear to Send handshake You should only configure RTS CTS if th...

Page 465: ...it and to provide more efficient communications Use the dynamic setting to automatically use short preamble when all wireless devices on the network support it otherwise the Product Name short uses lo...

Page 466: ...ices Some advantages of IEEE 802 1x are User based identification that allows for roaming Support for RADIUS Remote Authentication Dial In User Service RFC 2138 2139 for centralized user profile and a...

Page 467: ...nt and the RADIUS server for user accounting Accounting Request Sent by the access point requesting accounting Accounting Response Sent by the RADIUS server to indicate that it has started or stopped...

Page 468: ...wireless clients for mutual authentication The server presents a certificate to the client After validating the identity of the server the client sends a different certificate to the server The exchan...

Page 469: ...defines stronger encryption authentication and key management than WPA Key differences between WPA or WPA2 and WEP are improved data encryption and user authentication If both an AP and the wireless...

Page 470: ...with and the packet is dropped By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism MIC with TKIP and AES it is more difficult to decrypt dat...

Page 471: ...lient s authentication request to the RADIUS server 2 The RADIUS server then checks the user s identification against its database and grants or denies network access accordingly 3 A 256 bit Pairwise...

Page 472: ...to this table to see what other security parameters you should configure for each authentication method or key management protocol type MAC address filters are not dependent on how you configure these...

Page 473: ...oor site each 1dB increase in gain results in a range increase of approximately 5 Actual results may vary depending on the network environment Antenna gain is sometimes specified in dBi which is how m...

Page 474: ...d in a direct line of sight to each other to attain the best performance For omni directional antennas mounted on a table desk and so on point the antenna up For omni directional antennas mounted on a...

Page 475: ...ervice is used Table 204 Examples of Services NAME PROTOCOL PORT S DESCRIPTION AH IPSEC_TUNNEL User Defined 51 The IPSEC AH Authentication Header tunneling protocol uses this service AIM TCP 5190 AOL...

Page 476: ...ger service uses this protocol NetBIOS TCP UDP TCP UDP TCP UDP TCP UDP 137 138 139 445 The Network Basic Input Output System is used for communication between computers in a LAN NEW ICQ TCP 5190 An In...

Page 477: ...sages from one e mail server to another SMTPS TCP 465 This is a more secure version of SMTP that runs over SSL SNMP TCP UDP 161 Simple Network Management Program SNMP TRAPS TCP UDP 162 Traps for use w...

Page 478: ...e transfer protocol similar to FTP but uses the UDP User Datagram Protocol rather than TCP Transmission Control Protocol VDOLIVE TCP UDP 7000 user defined A videoconferencing solution The UDP port num...

Page 479: ...ce Trademarks ZyNOS ZyXEL Network Operating System is a registered trademark of ZyXEL Communications Inc Other trademarks mentioned in this publication are used for identification purposes only and ma...

Page 480: ...not be co located or operating in conjunction with any other antenna or transmitter IEEE 802 11b or 802 11g operation of this product in the U S A is firmware limited to channels 1 through 11 To comp...

Page 481: ...God or subjected to abnormal working conditions Note Repair or replacement as provided under this warranty is the exclusive remedy of the purchaser This warranty is in lieu of all other warranties exp...

Page 482: ...Appendix F Legal Information P 2602HWLNI User s Guide 482...

Page 483: ...mail support zyxel com tw Sales E mail sales zyxel com tw Telephone 886 3 578 3942 Fax 886 3 578 2439 Web www zyxel com www europe zyxel com FTP ftp zyxel com ftp europe zyxel com Regular Mail ZyXEL...

Page 484: ...448 Web www zyxel fi Regular Mail ZyXEL Communications Oy Malminkaari 10 00700 Helsinki Finland France E mail info zyxel fr Telephone 33 4 72 52 97 97 Fax 33 4 72 52 19 20 Web www zyxel fr Regular Mai...

Page 485: ...agawa ku Tokyo 141 0022 Japan Kazakhstan Support http zyxel kz support Sales E mail sales zyxel kz Telephone 7 3272 590 698 Fax 7 3272 590 689 Web www zyxel kz Regular Mail ZyXEL Kazakhstan 43 Dostyk...

Page 486: ...Okrzei 1A 03 715 Warszawa Poland Russia Support http zyxel ru support Sales E mail sales zyxel ru Telephone 7 095 542 89 29 Fax 7 095 542 89 25 Web www zyxel ru Regular Mail ZyXEL Russia Ostrovityanov...

Page 487: ...il ZyXEL Thailand Co Ltd 1 1 Moo 2 Ratchaphruk Road Bangrak Noi Muang Nonthaburi 11000 Thailand Ukraine Support E mail support ua zyxel com Sales E mail sales ua zyxel com Telephone 380 44 247 69 78 F...

Page 488: ...Appendix G Customer Support P 2602HWLNI User s Guide 488...

Page 489: ...e adaptation 426 auto provisioning 229 425 B backup 411 backup type 115 bandwidth management 331 bandwidth manager class configuration 334 bandwidth manager monitor 337 bandwidth manager summary 333 B...

Page 490: ...LAN IP address 49 Denial of Service 234 235 260 destination address 247 DH 289 DHCP 118 339 375 diagnostic 419 Differential Binary Phase Shift Keyed Modulation 430 Differential Quadrature Phase Shift...

Page 491: ...o WAN rules 248 policies 245 rule checklist 246 rule logic 246 rule security ramifications 246 types 233 when to use 243 firmware 408 upload 409 upload error 410 firmware upgrade 428 flash key 195 fla...

Page 492: ...426 IP network and PSTN connection 211 IP Policy Routing IPPR 425 IP pool 125 IP pool setup 118 IP spoofing 236 238 IP to IP Calls 44 IPSec 269 IPSec algorithms 271 275 IPSec and NAT 272 IPSec archit...

Page 493: ...Cell Rate PCR 104 109 113 peer call authentication VoIP trunking 212 peer IP 217 peer port 217 peer to peer calls 44 Perfect Forward Secrecy 289 per hop behavior 177 Permanent Virtual Circuits 426 PF...

Page 494: ...nfiguration 416 RF Radio Frequency 431 RFC 1483 102 426 RFC 1631 155 RFC 1889 173 429 RFC 1890 429 RFC 2327 429 RFC 2364 426 RFC 2516 425 426 RFC 2684 426 RFC 3261 429 Ringer Equivalence Number 428 ri...

Page 495: ...SUA Single User Account 158 SUA vs NAT 158 subnet 453 subnet mask 118 253 454 subnetting 456 supplementary services 194 Sustain Cell Rate SCR 109 113 Sustained Cell Rate SCR 104 SYN flood 236 237 SYN...

Page 496: ...214 VPI VCI 102 VPN 269 VPN applications 270 W WAN Wide Area Network 101 WAN to LAN rules 248 warranty 481 note 481 Web 346 Web Configurator 49 241 242 247 and VoIP trunking 214 WEP Wired Equivalent...

Reviews:

No comments