manualshive.com logo in svg

ZyXEL Communications P-2608HWL-D1, User Manual

The ZyXEL Communications P-2608HWL-D1 user manual can be conveniently downloaded for free from our website. This comprehensive manual guides you through the setup and operation of this high-quality product, ensuring you make the most of its features. Get your free download at manualshive.com today!

Share
Download
background image

P-2608HWL-Dx Series User’s Guide

222

Chapter 18 IPSec VPN

Figure 120   

VPN: IKE SA and IPSec SA 

In this example, a computer in network 

A

 is exchanging data with a computer in network 

B

Inside networks 

A

 and 

B

, the data is transmitted the same way data is normally transmitted in 

the networks. Between routers 

X

 and 

Y

, the data is protected by the tunneling, encryption, and 

authentication of the IPSec SA. The IPSec SA is established securely using the IKE SA that 
routers 

X

 and 

Y

 established first.

The rest of this section discusses IKE SA and IPSec SA in more detail.

18.1.1  IKE SA Overview

The IKE SA provides a secure connection between the ZyXEL Device and remote IPSec 
router.

It takes several steps to establish an IKE SA. The negotiation mode determines how many 
steps are required. There are two negotiation modes: main mode and aggressive mode. Main 
mode provides better security, while aggressive mode is faster.

Note: 

Both routers must use the same negotiation mode.

These modes are discussed in more detail in 

Section 18.1.2.1 on page 226

. The examples in 

this section use main mode.

18.1.1.1  IP Addresses of the ZyXEL Device and Remote IPSec Router

In the ZyXEL Device, you have to specify the IP addresses of the ZyXEL Device and the 
remote IPSec router to establish an IKE SA.

You can usually provide a static IP address or a domain name for the ZyXEL Device. 
Sometimes, your ZyXEL Device might also offer another alternative, such as using the IP 
address of a port or interface.

You can usually provide a static IP address or a domain name for the remote IPSec router as 
well. Sometimes, you might not know the IP address of the remote IPSec router (for example, 
telecommuters). In this case, you can still set up the IKE SA, but only the remote IPSec router 
can initiate an IKE SA.

Summary of Contents for P-2608HWL-D1

Page 1: ...P 2608HWL Dx Series 802 11g Wireless ADSL2 VoIP IAD User s Guide Version 3 40 10 2006 Edition 1 ...

Page 2: ......

Page 3: ...by ZyXEL Communications Corporation All rights reserved Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products or software described herein Neither does it convey any license under its patent rights nor the patent rights of others ZyXEL further reserves the right to make changes in any products described herein without notice This publication is subjec...

Page 4: ...e is no guarantee that interference will not occur in a particular installation If this device does cause harmful interference to radio television reception which can be determined by turning the device off and on the user is encouraged to try to correct the interference by one or more of the following measures 1 Reorient or relocate the receiving antenna 2 Increase the separation between the equi...

Page 5: ...le for compliance could void the user s authority to operate the equipment This device has been designed for the WLAN 2 4 GHz network throughout the EC region and Switzerland with restrictions in France This Class B digital apparatus complies with Canadian ICES 003 Cet appareil numérique de la classe B est conforme à la norme NMB 003 du Canada Viewing Certifications 1 Go to http www zyxel com 2 Se...

Page 6: ...all cables from this device before servicing or disassembling Use ONLY an appropriate power adaptor or cord for your device Connect the power adaptor or cord to the right supply voltage for example 110V AC in North America or 230V AC in Europe Do NOT allow anything to rest on the power adaptor or cord and do NOT place the product where anyone can walk on the power adaptor or cord Do NOT use the de...

Page 7: ...P 2608HWL Dx Series User s Guide Safety Warnings 7 This product is recyclable Dispose of it properly ...

Page 8: ...placement as provided under this warranty is the exclusive remedy of the purchaser This warranty is in lieu of all other warranties express or implied including any implied warranty of merchantability or fitness for a particular use or purpose ZyXEL shall in no event be held liable for indirect or consequential damages of any kind to the purchaser To obtain the services of this warranty contact Zy...

Page 9: ...ha 4 Modrany Ceská Republika info cz zyxel com 420 241 091 359 DENMARK support zyxel dk 45 39 55 07 00 www zyxel dk ZyXEL Communications A S Columbusvej 2860 Soeborg Denmark sales zyxel dk 45 39 55 07 07 FINLAND support zyxel fi 358 9 4780 8411 www zyxel fi ZyXEL Communications Oy Malminkaari 10 00700 Helsinki Finland sales zyxel fi 358 9 4780 8448 FRANCE info zyxel fr 33 4 72 52 97 97 www zyxel f...

Page 10: ...upport zyxel es 34 902 195 420 www zyxel es ZyXEL Communications Arte 21 5ª planta 28033 Madrid Spain sales zyxel es 34 913 005 345 SWEDEN support zyxel se 46 31 744 7700 www zyxel se ZyXEL Communications A S Sjöporten 4 41764 Göteborg Sweden sales zyxel se 46 31 744 7701 UKRAINE support ua zyxel com 380 44 247 69 78 www ua zyxel com ZyXEL Ukraine 13 Pimonenko Str Kiev 04050 Ukraine sales ua zyxel...

Page 11: ...erview 41 1 1 1 VoIP Features 41 1 1 2 DSL Router 42 1 2 LEDs Lights 42 Chapter 2 Introducing the Web Configurator 45 2 1 Web Configurator Overview 45 2 1 1 Accessing the Web Configurator 45 2 1 2 The RESET Button 48 2 1 2 1 Using The Reset Button 48 2 2 Web Configurator Main Screen 48 2 2 1 Title Bar 49 2 2 2 Navigation Panel 49 2 2 3 Status Bar 52 Chapter 3 Internet and Wireless Setup Wizard 53 ...

Page 12: ... 6 Status Screens 79 6 1 Status Screen 79 6 2 Any IP Table 82 6 3 WLAN Status 83 6 4 Packet Statistics 83 6 5 VoIP Statistics 85 Chapter 7 WAN Setup 89 7 1 WAN Overview 89 7 1 1 Encapsulation 89 7 1 1 1 ENET ENCAP 89 7 1 1 2 PPP over Ethernet 89 7 1 1 3 PPPoA 90 7 1 1 4 RFC 1483 90 7 1 2 Multiplexing 90 7 1 2 1 VC based Multiplexing 90 7 1 2 2 LLC based Multiplexing 90 7 1 3 VPI and VCI 90 7 1 4 I...

Page 13: ...ANs and the ZyXEL Device 105 8 1 2 DHCP Setup 106 8 1 2 1 IP Pool Setup 106 8 1 3 DNS Server Address 106 8 1 4 DNS Server Address Assignment 107 8 2 LAN TCP IP 107 8 2 1 IP Address and Subnet Mask 107 8 2 1 1 Private IP Addresses 108 8 2 2 RIP Setup 108 8 2 3 Multicast 109 8 2 4 Any IP 109 8 2 4 1 How Any IP Works 110 8 3 Configuring LAN IP 111 8 3 1 Configuring Advanced LAN Setup 111 8 4 DHCP Set...

Page 14: ...AT Overview 139 10 1 1 NAT Definitions 139 10 1 2 What NAT Does 140 10 1 3 How NAT Works 140 10 1 4 NAT Application 141 10 1 5 NAT Mapping Types 141 10 2 SUA Single User Account Versus NAT 142 10 3 NAT General Setup 142 10 4 Port Forwarding 143 10 4 1 Default Server IP Address 144 10 4 2 Port Forwarding Services and Port Numbers 144 10 4 3 Configuring Servers Behind Port Forwarding Example 144 10 ...

Page 15: ... 3 Deleting Custom Tones 157 11 1 12 Quality of Service QoS 158 11 1 12 1 Type Of Service ToS 158 11 1 12 2 DiffServ 158 11 1 12 3 DSCP and Per Hop Behavior 158 11 1 12 4 VLAN 159 11 2 SIP Screens 159 11 2 1 SIP Settings Screen 159 11 2 2 Advanced SIP Setup Screen 161 11 2 3 SIP QoS Screen 165 Chapter 12 Phone 167 12 1 Phone Overview 167 12 1 1 Voice Activity Detection Silence Suppression Comfort ...

Page 16: ...o ZyXEL s Firewall 188 15 3 1 Denial of Service Attacks 189 15 4 Denial of Service 189 15 4 1 Basics 189 15 4 2 Types of DoS Attacks 190 15 4 2 1 ICMP Vulnerability 192 15 4 2 2 Illegal Commands NetBIOS and SMTP 192 15 4 2 3 Traceroute 193 15 5 Stateful Inspection 193 15 5 1 Stateful Inspection Process 194 15 5 2 Stateful Inspection on Your ZyXEL Device 194 15 5 3 TCP Security 195 15 5 4 UDP ICMP ...

Page 17: ...les 205 16 6 2 Customized Services 208 16 6 3 Configuring A Customized Service 209 16 7 Example Firewall Rule 209 16 8 DoS Thresholds 213 16 8 1 Threshold Values 213 16 8 2 Half Open Sessions 214 16 8 2 1 TCP Maximum Incomplete and Blocking Time 214 16 8 3 Configuring Firewall Thresholds 215 Chapter 17 Content Filtering 217 17 1 Content Filtering Overview 217 17 2 Configuring Keyword Blocking 217 ...

Page 18: ...PSec Examples 245 18 8 1 Telecommuters Sharing One VPN Rule Example 245 18 8 2 Telecommuters Using Unique VPN Rules Example 246 18 9 VPN and Remote Management 248 Chapter 19 Certificates 249 19 1 Certificates Overview 249 19 1 1 Advantages of Certificates 250 19 2 Self signed Certificates 250 19 3 Configuration Summary 250 19 4 My Certificates 251 19 5 My Certificate Import 253 19 5 1 Certificate ...

Page 19: ...6 2 Maximize Bandwidth Usage Example 280 21 6 2 1 Priority based Allotment of Unused Unbudgeted Bandwidth 280 21 6 2 2 Fairness based Allotment of Unused Unbudgeted Bandwidth 281 21 6 3 Bandwidth Management Priorities 281 21 7 Over Allotment of Bandwidth 282 21 8 Configuring Summary 282 21 9 Bandwidth Management Rule Setup 283 21 9 1 Rule Configuration 285 21 10 Bandwidth Monitor 287 Chapter 22 Dy...

Page 20: ...UPnP and ZyXEL 308 24 2 1 Configuring UPnP 308 24 3 Installing UPnP in Windows Example 309 24 4 Using UPnP in Windows XP Example 312 Chapter 25 System 319 25 1 General Setup and System Name 319 25 1 1 General Setup 319 25 2 Time Setting 321 Chapter 26 Logs 325 26 1 Logs Overview 325 26 1 1 Alerts and Logs 325 26 2 Viewing the Logs 325 26 3 Configuring Log Settings 326 26 4 SMTP Error Messages 329 ...

Page 21: ...on File Uploads 341 27 9 1 FTP File Upload Command from the DOS Prompt Example 341 27 9 2 FTP Session Example of Firmware File Upload 342 27 9 3 TFTP File Upload 342 27 9 4 TFTP Upload Command Example 343 Chapter 28 Diagnostic 345 28 1 General Diagnostic 345 28 2 DSL Line Diagnostic 345 Chapter 29 Troubleshooting 349 29 1 Problems Starting Up the ZyXEL Device 349 29 2 Problems with the LAN 349 29 ...

Page 22: ...ple Eight Subnets 384 Subnetting With Class A and Class B Networks 385 Appendix D Common Services 387 Appendix E Importing Certificates 389 Import Prestige Certificates into Netscape Navigator 389 Importing the Prestige s Certificate into Internet Explorer 389 Enrolling and Importing SSL Client Certificates 393 Installing the CA s Certificate 394 Installing Your Personal Certificate s 395 Using a ...

Page 23: ...12 Displaying Logs 413 Log Command Example 414 Appendix H Internal SPTGEN 415 Internal SPTGEN Overview 415 The Configuration Text File Format 415 Internal SPTGEN File Modification Important Points to Remember 415 Internal SPTGEN FTP Download Example 416 Internal SPTGEN FTP Upload Example 417 Command Examples 438 Index 441 ...

Page 24: ...P 2608HWL Dx Series User s Guide 24 Table of Contents ...

Page 25: ...e 17 Internet Connection with ENET ENCAP 58 Figure 18 Internet Connection with PPPoA 59 Figure 19 Connection Test Failed 1 60 Figure 20 Connection Test Failed 2 60 Figure 21 Connection Test Successful 61 Figure 22 Wireless LAN Setup Wizard 1 61 Figure 23 Wireless LAN 62 Figure 24 Manually Assign a WPA key 63 Figure 25 Manually Assign a WEP key 64 Figure 26 Wireless LAN Setup 3 65 Figure 27 Interne...

Page 26: ...ical Network Partitioned Logical Networks 116 Figure 59 LAN IP Alias 116 Figure 60 Example of a Wireless Network 119 Figure 61 Wireless LAN General 123 Figure 62 Wireless No Security 125 Figure 63 Wireless Static WEP Encryption 126 Figure 64 Wireless WPA 2 PSK 127 Figure 65 Wireless WPA 2 128 Figure 66 Advanced 130 Figure 67 Network Wireless LAN OTIST 131 Figure 68 Example Wireless Client OTIST Sc...

Page 27: ...SYN Flood 191 Figure 103 Smurf Attack 192 Figure 104 Stateful Inspection 193 Figure 105 Firewall General 202 Figure 106 Firewall Rules 204 Figure 107 Firewall Edit Rule 206 Figure 108 Firewall Customized Services 208 Figure 109 Firewall Configure Customized Services 209 Figure 110 Firewall Example Rules 210 Figure 111 Edit Custom Port Example 210 Figure 112 Firewall Example Edit Rule Destination A...

Page 28: ...icates 266 Figure 144 Certificate Details 266 Figure 145 Trusted Remote Host Import 267 Figure 146 Trusted Remote Host Details 268 Figure 147 Directory Servers 271 Figure 148 Directory Server Add 272 Figure 149 Example of Static Routing Topology 273 Figure 150 Static Route 274 Figure 151 Static Route Edit 275 Figure 152 Subnet based Bandwidth Management Example 278 Figure 153 Bandwidth Management ...

Page 29: ...igure 183 System General Setup 320 Figure 184 System Time Setting 321 Figure 185 View Log 326 Figure 186 Log Settings 327 Figure 187 E mail Log Example 330 Figure 188 Firmware Upgrade 333 Figure 189 Firmware Upload In Progress 333 Figure 190 Network Temporarily Disconnected 334 Figure 191 Error Message 334 Figure 192 Configuration 335 Figure 193 Configuration Upload Successful 336 Figure 194 Netwo...

Page 30: ...Import Wizard 2 391 Figure 229 Certificate Import Wizard 3 392 Figure 230 Root Certificate Store 392 Figure 231 Certificate General Information after Import 393 Figure 232 Prestige Trusted CA Screen 394 Figure 233 CA Certificate Example 394 Figure 234 Personal Certificate Import Wizard 1 395 Figure 235 Personal Certificate Import Wizard 2 395 Figure 236 Personal Certificate Import Wizard 3 396 Fig...

Page 31: ...P 2608HWL Dx Series User s Guide List of Figures 31 Figure 253 Internal SPTGEN FTP Download Example 417 Figure 254 Internal SPTGEN FTP Upload Example 417 ...

Page 32: ...P 2608HWL Dx Series User s Guide 32 List of Figures ...

Page 33: ... Configuration 69 Table 16 Media Bandwidth Management Setup Services 73 Table 17 Bandwidth Management Wizard General Information 75 Table 18 Bandwidth Management Wizard Service Configuration 76 Table 19 Status Screen 80 Table 20 Any IP Table 83 Table 21 WLAN Status 83 Table 22 Packet Statistics 84 Table 23 VoIP Statistics 86 Table 24 Internet Access Setup 95 Table 25 Advanced Internet Access Setup...

Page 34: ...le 58 European Type Flash Key Commands 168 Table 59 USA Type Flash Key Commands 170 Table 60 VoIP Phone Analog Phone 172 Table 61 VoIP Phone Analog Phone Advanced 173 Table 62 VoIP Phone Common 174 Table 63 VoIP Phone Region 175 Table 64 Phone Book Speed Dial 178 Table 65 Phone Book Incoming Call Policy 180 Table 66 Phone Book Group Ring 182 Table 67 VoIP PSTN Line General 186 Table 68 Common IP P...

Page 35: ...e 101 Directory Servers 271 Table 102 Directory Server Add 272 Table 103 Static Route 274 Table 104 Static Route Edit 275 Table 105 Application and Subnet based Bandwidth Management Example 278 Table 106 Maximize Bandwidth Usage Example 280 Table 107 Priority based Allotment of Unused Unbudgeted Bandwidth Example 280 Table 108 Fairness based Allotment of Unused Unbudgeted Bandwidth Example 281 Tab...

Page 36: ...ur Device 351 Table 140 Troubleshooting Telephone 359 Table 141 Device Specifications 361 Table 142 Firmware Features 361 Table 143 Firmware Specifications 364 Table 144 P 2608HW HWL Dx Series Power Adaptor Specifications 366 Table 145 Classes of IP Addresses 380 Table 146 Allowed IP Address Range By Class 380 Table 147 Natural Masks 381 Table 148 Alternative Subnet Mask Notation 381 Table 149 Two...

Page 37: ...Logs Caller Side 411 Table 178 FSM Logs Callee Side 411 Table 179 Lifeline Logs 411 Table 180 RFC 2408 ISAKMP Payload Types 412 Table 181 Abbreviations Used in the Example Internal SPTGEN Screens Table 417 Table 182 Menu 1 General Setup 418 Table 183 Menu 3 418 Table 184 Menu 4 Internet Access Setup 421 Table 185 Menu 12 423 Table 186 Menu 15 SUA Server Setup 427 Table 187 Menu 21 1 Filter Set 1 4...

Page 38: ...P 2608HWL Dx Series User s Guide 38 List of Tables ...

Page 39: ...ments and other support materials User Guide Feedback Help us help you E mail all User Guide related comments questions or suggestions for improvement to techwriters zyxel com tw or send regular mail to The Technical Writing Team ZyXEL Communications Corp 6 Innovation Road II Science Based Industrial Park Hsinchu 300 Taiwan Thank you Syntax Conventions Enter means for you to type one or more chara...

Page 40: ... ZyXEL Device or the device in this user s guide This refers to all models ADSL over POTS ADSL over ISDN and ADSL over T ISDN unless specifically identified Graphics Icons Key ZyXEL Device Computer Notebook computer Server Switch Router Telephone DSLAM Trunking gateway Firewall Wireless signal ...

Page 41: ...vers the following models See Appendix A on page 361 for a complete list of software features 1 1 1 VoIP Features You can use the ZyXEL Device to make and receive VoIP telephone calls Figure 1 ZyXEL Device s VoIP Features Peer to Peer calls A Use the ZyXEL Device to make a call to the recipient s IP address without using a SIP proxy server Calls via a VoIP service provider B The ZyXEL Device sends...

Page 42: ... your network are not allowed but you can safely browse the Internet and download files Use content filtering to block access to web sites with URL s containing keywords that you specify You can define time periods and days during which content filtering is enabled and include or exclude particular computers on your network from content filtering For example you could block access to certain web s...

Page 43: ...our device is sending receiving data through the wireless LAN None Off The wireless LAN is not ready or has failed DSL Green On Your device has a DSL connection Blinking Your device is initializing the DSL line None Off The DSL link is down PHONE 1 8 Green On A SIP account is registered for the phone port Blinking A telephone connected to the phone port has its receiver off of the hook Orange On A...

Page 44: ...P 2608HWL Dx Series User s Guide 44 Chapter 1 Getting To Know the ZyXEL Device ...

Page 45: ... pop up windows from your device Web pop up blocking is enabled by default in Windows XP SP Service Pack 2 JavaScripts enabled by default Java permissions enabled by default See Chapter 29 on page 349 if you need to make sure these functions are allowed in Internet Explorer 2 1 1 Accessing the Web Configurator 1 Make sure your ZyXEL Device hardware is properly connected refer to the Quick Start Gu...

Page 46: ...lt password Enter a new password retype it to confirm and click Apply alternatively click Ignore to proceed to the main menu if you do not want to change the password now Figure 5 Change Password Screen 6 A screen displays to let you change your default factory certificate Click Apply if you want to create a unique certificate for your ZyXEL Device Click Ignore if you don t want to create a unique...

Page 47: ...u click Apply See Chapter 3 on page 53 for more information Click Go to Advanced setup if you want to configure features that are not available in the wizards Select the check box if you always want to go directly to the advanced screens The main screen appears after you click Apply See Section 2 2 on page 48 for more information Click Exit if you want to log out Note For security reasons the ZyXE...

Page 48: ...t to 1234 2 1 2 1 Using The Reset Button 1 Make sure the POWER light is on not blinking 2 Do one of the following To set the device back to the factory default settings press the RESET button for ten seconds or until the POWER light begins to blink When the POWER light begins to blink the defaults have been restored and the device restarts You can also use the reset button to activate OTIST by pre...

Page 49: ... of the web configurator Table 4 Navigation Panel Summary LINK TAB FUNCTION Status This screen contains administrative and system related information Network WAN Internet Access Setup Use this screen to configure ISP parameters WAN IP address assignment DNS servers and other advanced properties More Connections Use this screen to configure additional WAN connections WAN Backup Setup Use this scree...

Page 50: ...et which phone ports use which SIP accounts Common Use this screen to configure general phone port settings Region Use this screen to select your location and call service mode Phone Book Speed Dial Use this screen to configure speed dial for SIP phone numbers that you call often Incoming Call Policy Use this screen to configure call forwarding Group Ring Use this screen to configure ring tone beh...

Page 51: ...o use a static hostname alias for a dynamic IP address Remote MGMT WWW Use this screen to configure through which interface s and from which IP address es users can use HTTP to manage the ZyXEL Device Telnet Use this screen to configure through which interface s and from which IP address es users can use Telnet to manage the ZyXEL Device FTP Use this screen to configure through which interface s a...

Page 52: ...click Apply or OK to verify that the configuration has been updated Tools Firmware Use this screen to upload firmware to your device Configuration Use this screen to backup and restore your device s configuration settings or reset the factory default settings Restart This screen allows you to reboot the ZyXEL Device without turning the power off Diagnostic General Use this screen to test the conne...

Page 53: ...for Internet access with the information given to you by your ISP Note See the advanced menu chapters for background information on these fields 3 2 Internet Access Wizard Setup 1 After you enter the password to access the web configurator select Go to Wizard setup and click Apply Otherwise click the wizard icon in the top right corner of the web configurator to go to the wizards Figure 9 Select a...

Page 54: ...e wizard welcome screen or click Manually configure your Internet connection if you want to set up the connection manually If you would like to skip your Internet setup and configure the wireless LAN settings leave Yes selected and click Next Figure 11 Auto Detection No DSL Connection b The following screen displays if a PPPoE or PPPoA connection is detected Enter your Internet account information...

Page 55: ...d refer to Section 3 2 1 on page 55 on how to manually configure the ZyXEL Device for Internet access Figure 13 Auto Detection Failed 3 2 1 Manual Configuration 1 If the ZyXEL Device fails to detect your DSL connection type but the physical line is connected enter your Internet access information in the wizard screen exactly as your SIP gave it to you Leave the defaults in any fields for which you...

Page 56: ...n the Mode field select either PPPoA or RFC 1483 If you select Routing in the Mode field select PPPoA RFC 1483 ENET ENCAP or PPPoE Multiplexing Select the multiplexing method used by your ISP from the Multiplex drop down list box either VC based or LLC based Virtual Circuit ID VPI Virtual Path Identifier and VCI Virtual Channel Identifier define a virtual circuit Refer to the appendix for more inf...

Page 57: ...his screen Figure 16 Internet Connection with RFC 1483 Table 6 Internet Connection with PPPoE LABEL DESCRIPTION User Name Enter the user name exactly as your ISP assigned If assigned a name in the form user domain where domain identifies a service name then enter both components exactly as given Password Enter the password associated with the user name above Service Name Type the name of your PPPo...

Page 58: ... saving your changes Table 8 Internet Connection with ENET ENCAP LABEL DESCRIPTION Obtain an IP Address Automatically A static IP address is a fixed IP that your ISP gives you A dynamic IP address is not fixed the ISP assigns you a different one each time you connect to the Internet Select Obtain an IP Address Automatically if you have a dynamic IP address Static IP Address Select Static IP Addres...

Page 59: ...along with the IP address and the subnet mask Second DNS Server As above Back Click Back to go back to the previous wizard screen Apply Click Apply to save your changes back to the ZyXEL Device Exit Click Exit to close the wizard screen without saving your changes Table 9 Internet Connection with PPPoA LABEL DESCRIPTION User Name Enter the login name that your ISP gives you Password Enter the pass...

Page 60: ...ctivated or click Restart the Internet Wireless Setup Wizard to verify your Internet access settings Figure 20 Connection Test Failed 2 3 3 Wireless Connection Wizard Setup After you configure the Internet access information use the following screens to set up your wireless LAN 1 Select Yes and click Next to configure wireless settings Otherwise select No and skip to Step 6 ...

Page 61: ...e check box to enable OTIST if you want to transfer your ZyXEL Device s SSID and WEP or WPA PSK security settings to wireless clients that support OTIST and are within transmission range You must also activate and start OTIST on the wireless client at the same time The process takes three minutes to complete Setup Key Type an OTIST Setup Key of up to eight ASCII characters in length Be sure to use...

Page 62: ...ces is called a channel Select a channel ID that is not already in use by a neighboring device Security Select Automatically assign a WPA key to allow the ZyXEL Device to configure a WPA key for you based on the setup key you entered on the previous screen This option is only available if you selected Enable OTIST See Section 3 3 1 on page 63 for more information Select Manually assign a WPA PSK k...

Page 63: ...d by OTIST 3 3 2 Manually Assign a WPA key Choose Manually assign a WPA key in the Wireless LAN setup screen to set up a Pre Shared Key Figure 24 Manually Assign a WPA key The following table describes the labels in this screen 3 3 3 Manually Assign a WEP key Choose Manually assign a WEP key to setup WEP Encryption parameters Table 12 Manually Assign a WPA key LABEL DESCRIPTION Pre Shared Key Type...

Page 64: ...WEP key LABEL DESCRIPTION Key The WEP keys are used to encrypt data Both the ZyXEL Device and the wireless stations must use the same WEP key for data transmission Enter any 5 13 or 29 ASCII characters or 10 26 or 58 hexadecimal characters 0 9 A F for a 64 bit 128 bit or 256 bit WEP key respectively Back Click Back to display the previous screen Next Click Next to proceed to the next screen Exit C...

Page 65: ...tings display if you chose not to configure wireless LAN settings Figure 27 Internet Access and WLAN Wizard Setup Complete 7 Launch your web browser and navigate to www zyxel com Internet access is just the beginning Refer to the rest of this guide for more detailed information on the complete range of ZyXEL Device features If you cannot access the Internet open the web configurator again to confi...

Page 66: ...P 2608HWL Dx Series User s Guide 66 Chapter 3 Internet and Wireless Setup Wizard ...

Page 67: ...to call someone who is also using a VoIP device Make sure your telephone is connected to the Phone 1 port before you start with our example In the following figure A represents your phone and B represents the phone of the person you would like to call Figure 28 VoIP Phone Calls In order to make VoIP calls you need to register at least one SIP account on your ZyXEL Device You can register your SIP ...

Page 68: ...P 2608HWL Dx Series User s Guide 68 Chapter 4 VoIP Wizard And Example Figure 29 Select a Mode 2 Click VOICE OVER INTERNET SETUP to configure your SIP settings Figure 30 Wizard Welcome ...

Page 69: ...mbol in your SIP account address SIPA Account com is your SIP server domain SIP server address a b c d a b c d is the IP address or domain name of your SIP server Username VoIPUser This is the username you use to login to your SIP account Password Password This is the password you use to login to your SIP account Table 15 VoIP Wizard Configuration LABEL DESCRIPTION SIP Number Enter your SIP number...

Page 70: ...SCII Extended set characters User Name This is the name used to register this SIP account with the SIP register server Type the user name exactly as it was given to you You can use up to 95 ASCII characters Password Type the password associated with the user name above You can use up to 95 ASCII Extended set characters Check here to set up SIP2 settings This screen configures SIP account 1 Select ...

Page 71: ... 7 To call other VoIP users you need to follow a similar process to ensure that their SIP account is registered and active After it is registered they need to provide you with their SIP number You can use your VoIP service provider s dialing plan to call SIP numbers You can also use your VoIP service provider s dialing plan to call regular phone numbers You dial a prefix number provided to you by ...

Page 72: ...P 2608HWL Dx Series User s Guide 72 Chapter 4 VoIP Wizard And Example ...

Page 73: ...e World Wide Web WWW is an Internet system to distribute graphical hyper linked information based on Hyper Text Transfer Protocol HTTP a client server protocol for the World Wide Web The Web is not synonymous with the Internet rather it is just one service on the Internet Other services on the Internet include Internet Relay Chat and Newsgroups The Web is accessed through use of a browser FTP File...

Page 74: ...t port number 1720 VoIP SIP Sending voice signals over the Internet is called Voice over IP or VoIP Session Initiated Protocol SIP is an internationally recognized standard for implementing VoIP SIP is an application layer control signaling protocol that handles the setting up altering and tearing down of voice and multimedia sessions over the Internet SIP is transported primarily over UDP but can...

Page 75: ...dwidth management and select the priorities that you want to apply to the services listed Table 17 Bandwidth Management Wizard General Information LABEL DESCRIPTION Active Select the Active check box to have the ZyXEL Device apply bandwidth management to traffic going out through the ZyXEL Device s WAN LAN or WLAN port Select Auto Classifier to automatically allocate bandwidth to packets based on ...

Page 76: ...y for traffic that matches that service A service with High priority is given as much bandwidth as it needs If you select services as having the same priority then bandwidth is divided equally amongst those services Services not specified in bandwidth management are allocated bandwidth after all specified services receive their bandwidth requirements If the rules set up in this wizard are changed ...

Page 77: ...eries User s Guide Chapter 5 Bandwidth Management Wizard 77 5 Follow the on screen instructions and click Finish to complete the wizard setup and save your configuration Figure 39 Bandwidth Management Wizard Complete ...

Page 78: ...P 2608HWL Dx Series User s Guide 78 Chapter 5 Bandwidth Management Wizard ...

Page 79: ...status of the device system resources interfaces LAN and WAN and SIP accounts You can also register and unregister SIP accounts The Status screen also provides detailed information from Any IP and DHCP and statistics from VoIP bandwidth management and traffic 6 1 Status Screen Click Status to open this screen Figure 40 Status Screen ...

Page 80: ...the screen where you can change it IP Subnet Mask This field displays the current subnet mask in the WAN Default Gateway This is the IP address of the default gateway if applicable VPI VCI This is the Virtual Path Identifier and Virtual Channel Identifier that you entered in the wizard or WAN screen LAN Information IP Address This field displays the current IP address of the ZyXEL Device in the LA...

Page 81: ...evice is probably becoming unstable and you should restart the device Interface Status Interface This column displays each interface the ZyXEL Device has Status For the DSL interface this field displays Down line is down Up line is up or connected if you re using Ethernet encapsulation and Down line is down Up line is up or connected Idle line ppp idle Dial starting to trigger a call and Drop drop...

Page 82: ...erver to use VoIP If the SIP account is already registered with the SIP server Click Unregister to delete the SIP account s registration in the SIP server This does not cancel your SIP account but it deletes the mapping between your SIP identity and your IP address or domain name The second field displays Registered If the SIP account is not registered with the SIP server Click Register to have th...

Page 83: ...Table 20 Any IP Table LABEL DESCRIPTION This field is a sequential value It is not associated with a specific entry IP Address This field displays the IP address of each computer that is using the ZyXEL Device but is in a different subnet than the ZyXEL Device MAC Address This field displays the MAC address of the computer that is using the ZyXEL Device but is in a different subnet than the ZyXEL ...

Page 84: ...ream speed of your ZyXEL Device Downstream Speed This is the downstream speed of your ZyXEL Device Node Link This field displays the remote node index number and link type Link types are PPPoA ENET RFC 1483 and PPPoE Status This field displays Down line is down Up line is up or connected if you re using Ethernet encapsulation and Down line is down Up line is up or connected Idle line ppp idle Dial...

Page 85: ...he WLAN port it displays the transmission rate when WLAN is enabled or N A when WLAN is disabled TxPkts This field displays the number of packets transmitted on this interface RxPkts This field displays the number of packets received on this interface Collisions This is the number of collisions on this interfaces Poll Interval s Type the time interval for the browser to refresh system statistics S...

Page 86: ...ting for the SIP account Last Incoming Number This field displays the last number that called the SIP account It displays N A if no number has ever dialed the SIP account Last Outgoing Number This field displays the last number the SIP account called It displays N A if the SIP account has never dialed a number Call Statistics Phone This field displays each phone port in the ZyXEL Device Hook This ...

Page 87: ...ly the ZyXEL Device has received packets in the current call The rate is the average number of bytes transmitted per second Poll Interval s Enter how often you want the ZyXEL Device to update this screen and click Set Interval Set Interval Click this to make the ZyXEL Device update the screen based on the amount of time you specified in Poll Interval Stop Click this to make the ZyXEL Device stop u...

Page 88: ...P 2608HWL Dx Series User s Guide 88 Chapter 6 Status Screens ...

Page 89: ... IP address in the ENET ENCAP Gateway field in the second wizard screen You can get this information from your ISP 7 1 1 2 PPP over Ethernet The ZyXEL Device supports PPPoE Point to Point Protocol over Ethernet PPPoE is an IETF Draft standard RFC 2516 specifying how a personal computer PC interacts with a broadband modem DSL cable wireless etc connection The PPPoE option is for a dial up connectio...

Page 90: ... over a separate ATM virtual circuit VC based multiplexing Please refer to RFC 1483 for more detailed information 7 1 2 Multiplexing There are two conventions to identify what protocols the virtual circuit VC is carrying Be sure to use the multiplexing method required by your ISP 7 1 2 1 VC based Multiplexing In this case by prior mutual agreement each protocol is assigned to a specific virtual ci...

Page 91: ...or dynamic IP For a static IP you must fill in all the IP Address and ENET ENCAP Gateway fields as supplied by your ISP However for a dynamic IP the ZyXEL Device acts as a DHCP client on the WAN port and so the IP Address and ENET ENCAP Gateway fields are not applicable N A as the DHCP server assigns them to the ZyXEL Device 7 1 5 Nailed Up Connection PPP A nailed up connection is a dial up line w...

Page 92: ... traffic redirect route next In the same manner the ZyXEL Device uses the dial backup route if the traffic redirect route also fails If you want the dial backup route to take first priority over the traffic redirect route or even the normal route all you need to do is set the dial backup route s metric to 1 and the others to 2 or greater IP Policy Routing overrides the default routing behavior and...

Page 93: ...ent CBR traffic is generally time sensitive doesn t tolerate delay CBR is used for connections that continuously require a specific amount of bandwidth A PCR is specified and if traffic exceeds this rate cells may be dropped Examples of connections that need CBR would be high resolution video and voice 7 3 1 2 Variable Bit Rate VBR The Variable Bit Rate VBR ATM traffic class is used with bursty co...

Page 94: ...7 4 Zero Configuration Internet Access Once you turn on and connect the ZyXEL Device to a telephone jack it automatically detects the Internet connection settings such as the VCI VPI numbers and the encapsulation method from the ISP and makes the necessary configuration changes In cases where additional account information such as an Internet account user name and password is required or the ZyXEL...

Page 95: ...m the drop down list box Choices vary depending on the mode you select in the Mode field If you select Bridge in the Mode field select either PPPoA or RFC 1483 If you select Routing in the Mode field select PPPoA RFC 1483 ENET ENCAP or PPPoE User Name PPPoA and PPPoE encapsulation only Enter the user name exactly as your ISP assigned If assigned a name in the form user domain where domain identifi...

Page 96: ...dress of a DNS server Enter the DNS server s IP address in the field to the right If you chose User Defined but leave the IP address set to 0 0 0 0 User Defined changes to None after you click Apply If you set a second choice to User Defined and enter the same IP address the second User Defined changes to None after you click Apply Select DNS Relay to have the ZyXEL Device act as a DNS proxy only ...

Page 97: ...t Apply Click Apply to save the changes Cancel Click Cancel to begin configuring this screen afresh Advanced Setup Click this button to display the Advanced WAN Setup screen and edit more details of your WAN setup Table 24 Internet Access Setup continued LABEL DESCRIPTION Table 25 Advanced Internet Access Setup LABEL DESCRIPTION RIP Multicast Setup RIP Direction Select the RIP direction from None ...

Page 98: ...ers to the maximum number of cells that can be sent at the peak rate Type the MBS which is less than 65535 Zero Configuration This feature is not applicable available when you configure the ZyXEL Device to use a static WAN IP address or in bridge mode Select Yes to set the ZyXEL Device to automatically detect the Internet connection settings such as the VCI VPI numbers and the encapsulation method...

Page 99: ...e This field indicates whether the connection is active or not Name This is the name you gave to the Internet connection VPI VCI This field displays the Virtual Path Identifier VPI and Virtual Channel Identifier VCI numbers configured for this WAN connection Encapsulation This field indicates the encapsulation method of the Internet connection Modify Click the modify icon to edit the Internet conn...

Page 100: ...t Bridge Encapsulation Select the method of encapsulation used by your ISP from the drop down list box Choices vary depending on the mode you select in the Mode field If you select Bridge in the Mode field select either PPPoA or RFC 1483 If you select Routing in the Mode field select PPPoA RFC 1483 ENET ENCAP or PPPoE User Name PPPoA and PPPoE encapsulation only Enter the user name exactly as your...

Page 101: ...nly You must specify a gateway IP address supplied by your ISP when you select ENET ENCAP in the Encapsulation field Connection PPPoA and PPPoE encapsulation only Nailed Up Connection Select Nailed Up Connection when you want your connection up all the time The ZyXEL Device will try to bring up the connection automatically if it is disconnected Connect on Demand Select Connect on Demand when you d...

Page 102: ...ing network topology allows you to avoid triangle route security issues when the backup gateway is connected to the LAN Use IP alias to configure the LAN into two or three logical networks with the ZyXEL Device itself as the gateway for each LAN network Put the protected LAN in one subnet Subnet 1 in the following figure and the backup gateway in another subnet Subnet 2 Configure filters that allo...

Page 103: ...P 2608HWL Dx Series User s Guide Chapter 7 WAN Setup 103 Figure 51 Traffic Redirect LAN Setup 7 8 WAN Backup Setup To configure your ZyXEL Device s WAN backup click Network WAN WAN Backup Setup ...

Page 104: ...r the ZyXEL Device to wait between checks Allow more time if your destination IP address handles lots of traffic Timeout Type the number of seconds 3 recommended for your ZyXEL Device to wait for a ping response from one of the IP addresses in the Check WAN IP Address field before timing out the request The WAN connection is considered down after the ZyXEL Device times out the number of times spec...

Page 105: ...he immediate area usually the same building or floor of a building The LAN screens can help you configure a LAN DHCP server and manage IP addresses See Section 8 3 on page 111 to configure the LAN screens 8 1 1 LANs WANs and the ZyXEL Device The actual physical connection determines whether the ZyXEL Device ports are LAN or WAN ports There are two separate IP networks one inside the LAN network an...

Page 106: ...SP disseminates the DNS server addresses The first is for an ISP to tell a customer the DNS server addresses usually in the form of an information sheet when s he signs up If your ISP gives you the DNS server addresses enter them in the DNS Server fields in DHCP Setup otherwise leave them blank Some ISP s choose to pass the DNS servers using the DNS server extensions of PPP IPCP IP Control Protoco...

Page 107: ...uctions in selecting the IP addresses and the subnet mask If the ISP did not explicitly give you an IP network number then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established If this is the case it is recommended that you select a network number from 192 168 0 0 to 192 168 255 0 and you must enable the Network Address Trans...

Page 108: ...ove For more information on address assignment please refer to RFC 1597 Address Allocation for Private Internets and RFC 1466 Guidelines for Management of IP Address Space 8 2 2 RIP Setup RIP Routing Information Protocol allows a router to exchange routing information with other routers The RIP Direction field controls the sending and receiving of RIP packets When set to Both the ZyXEL Device will...

Page 109: ...onnected networks to gather group membership After that the ZyXEL Device periodically updates this information IP multicasting can be enabled disabled on the ZyXEL Device LAN and or WAN interfaces in the web configurator LAN WAN Select None to disable IP multicasting on these interfaces 8 2 4 Any IP Traditionally you must set the IP addresses and the subnet masks of a computer and the ZyXEL Device...

Page 110: ...ries to access the Internet for the first time through the ZyXEL Device 1 When a computer which is in a different subnet first attempts to access the Internet it sends packets to its default gateway which is not the ZyXEL Device by looking at the MAC address in its ARP table 2 When the computer cannot locate the default gateway an ARP request is broadcast on the LAN 3 The ZyXEL Device receives the...

Page 111: ...e Advanced Setup button in the LAN IP screen The screen appears as shown Table 29 LAN IP LABEL DESCRIPTION TCP IP IP Address Enter the IP address of your ZyXEL Device in dotted decimal notation for example 192 168 1 1 factory default IP Subnet Mask Type the subnet mask assigned to you by your ISP if given Apply Click Apply to save your changes back to the ZyXEL Device Cancel Click Cancel to begin ...

Page 112: ... dynamic IP addresses or static IP addresses in the same subnet as the ZyXEL Device s LAN IP address can connect to the ZyXEL Device or access the Internet through the ZyXEL Device Windows Networking NetBIOS over TCP IP NetBIOS Network Basic Input Output System are TCP or UDP packets that enable a computer to connect to and communicate with a LAN For some dial up services such as PPPoE or PPTP Net...

Page 113: ...iguration for the clients When set as a server fill in the IP Pool Starting Address and Pool Size fields If you select Relay the ZyXEL Device forwards TCP IP configuration from an alternate DHCP server Select None to stop the ZyXEL Device from acting as a DHCP server When you select None you must have another DHCP server on your LAN or else the computers must be manually configured IP Pool Startin...

Page 114: ... Defined and enter the same IP address the second User Defined changes to None after you click Apply Select DNS Relay to have the ZyXEL Device act as a DNS proxy only when the ISP uses IPCP DNS server extensions The ZyXEL Device s LAN IP address displays in the field to the right read only The ZyXEL Device tells the DHCP clients on the LAN that the ZyXEL Device itself is the DNS server When a comp...

Page 115: ...Add Click Add to add a static DHCP entry This is the index number of the static IP table entry row Status This field displays whether the client is connected to the ZyXEL Device Host Name This field displays the computer host name IP Address This field displays the IP address relative to the field listed above MAC Address The MAC Media Access Control or Ethernet address on a LAN Local Area Network...

Page 116: ...his screen Table 33 LAN IP Alias LABEL DESCRIPTION IP Alias 1 2 Select the check box to configure another LAN network for the ZyXEL Device IP Address Enter the IP address of your ZyXEL Device in dotted decimal notation Alternatively click the right mouse button to copy and or paste the IP address IP Subnet Mask Your ZyXEL Device will automatically calculate the subnet mask based on the IP address ...

Page 117: ... RIP packets that the ZyXEL Device sends it recognizes both formats when receiving RIP 1 is universally supported but RIP 2 carries more information RIP 1 is probably adequate for most networks unless you have an unusual network topology Both RIP 2B and RIP 2M sends the routing data in RIP 2 format the difference being that RIP 2B uses subnet broadcasting while RIP 2M uses multicasting Multicastin...

Page 118: ...P 2608HWL Dx Series User s Guide 118 Chapter 8 LAN Setup ...

Page 119: ... access point AP to interact with the other devices such as the printer or with the Internet Your ZyXEL Device is the AP Every wireless network must follow these basic guidelines Every device in the same wireless network must use the same SSID The SSID is the name of the wireless network It stands for Service Set IDentity If two wireless networks overlap they should use a different channel Like ra...

Page 120: ...A0 C5 00 00 02 To get the MAC address for each device in the wireless network see the device s User s Guide or other documentation You can use the MAC address filter to tell the ZyXEL Device which devices are allowed or not allowed to use the wireless network If a device is allowed to use the wireless network it still has to have the correct information SSID channel and security If a device is not...

Page 121: ...rs do not log in to the wireless network you can choose no encryption Static WEP WPA PSK or WPA2 PSK Usually you should set up the strongest encryption that every device in the wireless network supports For example suppose you have a wireless network with the ZyXEL Device and you do not have a RADIUS server Therefore there is no authentication Suppose the wireless network has two devices Device A ...

Page 122: ...in the wireless network QoS gives high priority to voice and video which makes them run more smoothly Similarly it gives low priority to many large file downloads so that they do not reduce the quality of other applications 9 4 Additional Wireless Terms The following table describes wireless network terms and acronyms used in the ZyXEL Device TERM DESCRIPTION RTS CTS Threshold In a wireless networ...

Page 123: ...ether a wireless device is allowed to use the wireless network Max Frame Burst Enable this to improve the performance of both pure IEEE 802 11g and mixed IEEE 802 11b g networks Maximum Frame Burst sets the maximum time that the ZyXEL Device transmits IEEE 802 11g wireless traffic only Fragmentation Threshold A small fragmentation threshold is recommended for busy networks while a larger threshold...

Page 124: ...SCII characters for the wireless LAN Note If you are configuring the ZyXEL Device from a computer connected to the wireless LAN and you change the ZyXEL Device s SSID or WEP settings you will lose your wireless connection when you press Apply to confirm You must then change the wireless settings of your computer to match the ZyXEL Device s new settings Hide SSID Select this check box to hide the S...

Page 125: ...ibes the labels in this screen 9 5 2 WEP Encryption Screen In order to configure and enable WEP encryption click Network Wireless LAN to display the General screen Select Static WEP from the Security Mode list Table 36 Wireless No Security LABEL DESCRIPTION Security Mode Choose No Security from the drop down list box ...

Page 126: ... 37 Wireless Static WEP Encryption LABEL DESCRIPTION Security Mode Choose Static WEP from the drop down list box Passphrase Enter a Passphrase up to 32 printable characters and clicking Generate The ZyXEL Device automatically generates a WEP key WEP Key The WEP key is used to encrypt data Both the ZyXEL Device and the wireless stations must use the same WEP key for data transmission If you want to...

Page 127: ...d passwords in order to stay connected Enter a time interval between 10 and 9999 seconds The default time interval is 1800 seconds 30 minutes Note If wireless station authentication is done using a RADIUS server the reauthentication timer on the RADIUS server has priority Idle Timeout The ZyXEL Device automatically disconnects a wireless station from the wired network after a period of inactivity ...

Page 128: ...A 2 LABEL DESCRIPTION Security Mode Choose WPA or WPA2 from the drop down list box WPA Compatible This field is only available for WPA2 Select this if you want the ZyXEL Device to support WPA and WPA2 simultaneously ReAuthentication Timer in seconds Specify how often wireless stations have to resend usernames and passwords in order to stay connected Enter a time interval between 10 and 9999 second...

Page 129: ...the IP address of the external authentication server in dotted decimal notation Port Number Enter the port number of the external authentication server The default port number is 1812 You need not change this value unless your network administrator instructs you to do so with additional information Shared Secret Enter a password up to 31 alphanumeric characters as the key to be shared between the ...

Page 130: ...or Dynamic The default setting is Long See the appendix for more information 802 11 Mode Select 802 11b Only to allow only IEEE 802 11b compliant WLAN devices to associate with the ZyXEL Device Select 802 11g Only to allow only IEEE 802 11g compliant WLAN devices to associate with the ZyXEL Device Select Mixed to allow either IEEE 802 11b or IEEE 802 11g compliant WLAN devices to associate with th...

Page 131: ...T setup key in the ZyXEL Device you must change it on the wireless devices too Yes Select this if you want the ZyXEL Device to automatically generate a pre shared key for the wireless network Before you do this click Network Wireless LAN General and set the Security Mode to No Security Clear this if you want the ZyXEL Device to use a pre shared key that you enter Before you do this click Network W...

Page 132: ...ach other You can start OTIST in the wireless devices and the ZyXEL Device in any order After you click Start in the ZyXEL Device the following screen appears in the ZyXEL Device Figure 69 OTIST Settings You can use the key in this screen to set up WPA PSK encryption manually for non OTIST devices in the wireless network Review the settings and click OK The following screen displays on the web con...

Page 133: ...to one minute If you manually have the wireless device search for an OTIST enabled AP there is no timeout click Cancel in the OTIST progress screen to stop the search 3 After the wireless device finds an OTIST enabled AP you must click Start in the ZyXEL Device s Network Wireless LAN OTIST screen or hold in the Reset button on the ZyXEL Device for one or two seconds to transfer the settings again ...

Page 134: ...he filter action for the list of MAC addresses in the MAC Address table Select Deny to block access to the ZyXEL Device MAC addresses not listed will be allowed to access the ZyXEL Device Select Allow to permit access to the ZyXEL Device MAC addresses not listed will be denied access to the ZyXEL Device Set This is the index number of the MAC address MAC Address Enter the MAC addresses of the wire...

Page 135: ...reen Table 42 MAC Address Filter LABEL DESCRIPTION Table 43 Wireless LAN QoS LABEL DESCRIPTION QoS Enable WMM QoS Select the check box to enable WMM QoS on the ZyXEL Device WMM QoS Policy Select Default to have the ZyXEL Device automatically give a service a priority level according to the ToS value in the IP header of packets it sends Select Application Priority from the drop down list box to dis...

Page 136: ...ned service to which you want to apply WMM QoS Dest Port This field displays the destination port number to which the application sends traffic Priority This field displays the WMM QoS priority for traffic bandwidth Modify Click the Edit icon to open the Application Priority Configuration screen Modify an existing application entry or create a application entry in the Application Priority Configur...

Page 137: ...inked information based on Hyper Text Transfer Protocol HTTP a client server protocol for the World Wide Web The Web is not synonymous with the Internet rather it is just one service on the Internet Other services on the Internet include Internet Relay Chat and Newsgroups The Web is accessed through use of a browser User Defined User defined services are user specific services configured using kno...

Page 138: ...P 2608HWL Dx Series User s Guide 138 Chapter 9 Wireless LAN ...

Page 139: ...ress refers to the IP address of a host when the packet is in the local network while the global address refers to the IP address of the host when the same packet is traveling in the WAN side Note that inside outside refers to the location of a host while global local refers to the IP address of a host used in a packet Thus an inside local address ILA is the IP address of an inside host in a packe...

Page 140: ...s the additional benefit of firewall protection With no servers defined your ZyXEL Device filters out all incoming inquiries thus preventing intruders from probing your network For more information on IP address translation refer to RFC 1631 The IP Network Address Translator NAT 10 1 3 How NAT Works Each packet has two addresses a source address and a destination address For outgoing packets the I...

Page 141: ...al IP address Many to One In Many to One mode the ZyXEL Device maps multiple local IP addresses to one global IP address This is equivalent to SUA for instance PAT port address translation ZyXEL s Single User Account feature that previous ZyXEL routers supported the SUA Only option in today s routers Many to Many Overload In Many to Many Overload mode the ZyXEL Device maps the multiple local IP ad...

Page 142: ...ing mapping types as outlined in Table 46 on page 142 Choose SUA Only if you have just one public WAN IP address for your ZyXEL Device Choose Full Feature if you have multiple public WAN IP addresses for your ZyXEL Device 10 3 NAT General Setup You must create a firewall rule in addition to setting up SUA NAT to allow traffic from the WAN to be forwarded through the ZyXEL Device Click Network NAT ...

Page 143: ...tions such as file sharing applications they need to establish NAT sessions If you do not limit the number of NAT sessions a single client can establish this can result in all of the available NAT sessions being used In this case no additional NAT sessions can be established and users may not be able to access the Internet Each NAT session establishes a corresponding firewall session Use this fiel...

Page 144: ...ddress In addition to the servers for specified services NAT supports a default server IP address A default server receives packets from ports that are not specified in this screen Note If you do not assign a Default Server IP address the ZyXEL Device discards all packets received for ports that are not specified here or in the remote management setup 10 4 2 Port Forwarding Services and Port Numbe...

Page 145: ...rvers for specified services NAT supports a default server A default server receives packets from ports that are not specified in this screen If you do not assign a Default Server IP address the ZyXEL Device discards all packets received for ports that are not specified here or in the remote management setup Port Forwarding Service Name Select a service from the drop down list box Server IP Addres...

Page 146: ... the previous configuration Table 48 Port Forwarding LABEL DESCRIPTION Table 49 Port Forwarding Rule Setup LABEL DESCRIPTION Active Click this check box to enable the rule Service Name Enter a name to identify this port forwarding rule Start Port Enter a port number in this field To forward only one port enter the port number again in the End Port field To forward a series of ports enter the start...

Page 147: ... to 6 in your current set and now you configure rule number 9 In the set summary screen the new rule will be rule 7 not 9 Now if you delete rule 4 rules 5 to 7 will be pushed up by 1 rule so old rules 5 6 and 7 become new rules 4 5 and 6 To change your ZyXEL Device s address mapping settings click Network NAT Address Mapping to open the following screen Figure 81 Address Mapping Rules The followin...

Page 148: ...ny to One and Server mapping types Type 1 1 One to one mode maps one local IP address to one global IP address Note that port numbers do not change for the One to one NAT mapping type M 1 Many to One mode maps multiple local IP addresses to one global IP address This is equivalent to SUA i e PAT port address translation ZyXEL s Single User Account feature that previous ZyXEL routers supported only...

Page 149: ...ny to Many Overload Many to Many Overload mode maps multiple local IP addresses to shared global IP addresses Many to Many No Overload Many to Many No Overload mode maps each local IP address to unique global IP addresses Server This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world Local Start IP This is the starting local IP addr...

Page 150: ...is described in the following table Table 52 Network NAT ALG LABEL DESCRIPTION Enable SIP ALG Select this to make sure SIP VoIP works correctly with port forwarding and address mapping rules Apply Click this to save your changes and to apply them to the ZyXEL Device Reset Click this to return to previously saved configuration ...

Page 151: ...1 2 Introduction to SIP The Session Initiation Protocol SIP is an application layer control signaling protocol that handles the setting up altering and tearing down of voice and multimedia sessions over the Internet SIP signaling is separate from the media for which it handles sessions The media that is exchanged during the session can use a different path from that of the signaling SIP handles te...

Page 152: ...t the telephone is ringing 7 B sends an OK response after the call is answered 8 A then sends an ACK message to acknowledge that B has answered the call 9 Now A and B exchange voice media talk 10After talking A hangs up and sends a BYE request 11B replies with an OK response confirming receipt of the BYE request and the call is terminated 11 1 5 SIP Client Server SIP is a client server protocol A ...

Page 153: ...gent client to initiate a call A and B can also both act as a SIP user agent to receive the call Figure 84 SIP User Agent 11 1 5 2 SIP Proxy Server A SIP proxy server receives requests from clients and forwards them to another server In the following example you want to use client device A to call someone who is using client device C 1 The client device A in the figure sends a call invitation to t...

Page 154: ... client device A to call someone who is using client device C 1 Client device A sends a call invitation for C to the SIP redirect server B 2 The SIP redirect server sends the invitation back to A with C s IP address or domain name 3 Client device A then sends the call invitation to client device C Figure 86 SIP Redirect Server 11 1 5 4 SIP Register Server A SIP register server maintains a database...

Page 155: ...T If you know the NAT router s public IP address and SIP port number you can use the Use NAT feature to manually configure the ZyXEL Device to use them in the SIP messages This eliminates the need for STUN or a SIP ALG You must also configure the NAT router to forward traffic with this port number to the ZyXEL Device 11 1 7 3 STUN STUN Simple Traversal of User Datagram Protocol UDP through Network...

Page 156: ...eform codec PCM measures analog signal amplitudes at regular time intervals and converts them into bits G 711 provides very good sound quality but requires 64kbps of bandwidth G 729 is an Analysis by Synthesis AbS hybrid waveform codec that uses a filter based on information about how the human vocal tract produces sounds G 729 provides good sound quality and reduces the required bandwidth to 8kbp...

Page 157: ...t for the message that says you are in the configuration menu 2 Press a number from 1101 1108 on your phone followed by the key 3 Play your desired music or voice recording into the receiver s mouthpiece Press the key 4 You can continue to add listen to or delete tones or you can hang up the receiver when you are done 11 1 11 2 Listening to Custom Tones Do the following to listen to a custom tone ...

Page 158: ...hat they receive specific per hop treatment at DiffServ compliant network devices along the route based on the application types and traffic flow Packets are marked with DiffServ Code Points DSCPs indicating the level of service desired This allows the intermediary DiffServ compliant network devices to handle the packets differently depending on the code points without the need to negotiate paths ...

Page 159: ...networks Only stations within the same group can communicate with each other Your ZyXEL Device can add IEEE 802 1Q VLAN ID tags to voice frames that it sends to the network This allows the ZyXEL Device to communicate with a SIP server that is a member of the same VLAN group Some ISPs use the VLAN tag to identify voice traffic and give it priority over other traffic 11 2 SIP Screens 11 2 1 SIP Sett...

Page 160: ...IP address or domain name of the SIP server provided by your VoIP service provider You can use up to 95 printable ASCII characters It does not matter whether the SIP server is a proxy redirect or register server SIP Server Port Enter the SIP server s listening port number if your VoIP service provider gave you one Otherwise keep the default value REGISTERServer Address Enter the IP address or doma...

Page 161: ...r the user name for registering this SIP account exactly as it was given to you You can use up to 95 printable ASCII characters Password Enter the user name for registering this SIP account exactly as it was given to you You can use up to 95 printable ASCII Extended set characters Apply Click this to save your changes and to apply them to the ZyXEL Device Cancel Click this to set every field in th...

Page 162: ...er 11 SIP Figure 90 VoIP SIP SIP Settings Advanced Each field is described in the following table Table 56 VoIP SIP Settings Advanced LABEL DESCRIPTION SIP Account This field displays the SIP account you see in this screen SIP Server Set tings ...

Page 163: ... enter the port number in the Start Port and End Port fields To enter a range of ports enter the port number at the beginning of the range in the Start Port field enter the port number at the end of the range in the End Port field Voice Compres sion Select the type of voice coder decoder codec that you want the ZyXEL Device to use G 711 provides higher voice quality but requires more bandwidth 64 ...

Page 164: ...t also use G 711 T 38 Fax Relay Select this if the ZyXEL Device should send fax messages as UDP or TCP IP packets through IP networks This provides better quality but it may have inter operability problems The peer devices must also use T 38 Call Forward Call Forward Table Select which call forwarding table you want the ZyXEL Device to use for incoming calls You set up these tables in VoIP Phone B...

Page 165: ...transmits RTP TOS Priority Setting Enter the priority for RTP voice transmissions The ZyXEL Device creates Type of Service priority tags with this priority to RTP traffic that it transmits Voice VLAN ID Select this if the ZyXEL Device has to be a member of a VLAN to communicate with the SIP server Ask your network administrator if you are not sure Enter the VLAN ID provided by your network adminis...

Page 166: ...P 2608HWL Dx Series User s Guide 166 Chapter 11 SIP ...

Page 167: ...itting silent packets when you are not speaking When using VAD the ZyXEL Device generates comfort noise when the other party is not speaking The comfort noise lets you know that the line is still connected as total silence could easily be mistaken for a lost connection 12 1 2 Echo Cancellation G 168 is an ITU T standard for eliminating the echo caused by the sound of your voice reverberating in th...

Page 168: ...for supplementary services are listed in the table below After pressing the flash key if you do not issue the sub command before the default sub command timeout 2 seconds expires or issue an invalid sub command the current operation will be aborted 12 1 3 2 1 European Call Hold Call hold allows you to put a call A on hold by pressing the flash key If you have another call press the flash key and t...

Page 169: ...the first call on hold and answer the second call Press the flash key and then 2 12 1 3 2 3 European Call Transfer Do the following to transfer an incoming call that you have answered to another phone 1 Press the flash key to put the caller on hold 2 When you hear the dial tone dial 98 followed by the number to which you want to transfer the call to operate the Intercom 3 After you hear the ring s...

Page 170: ...while you answer another incoming call on the same telephone directory number If there is a second call to your telephone number you will hear a call waiting tone Press the flash key to put the first call on hold and answer the second call 12 1 3 3 3 USA Call Transfer Do the following to transfer an incoming call that you have answered to another phone 1 Press the flash key to put the caller on ho...

Page 171: ...and press 3 to create a three way conversation 4 Hang up the phone to drop the connection 5 If you want to separate the activated three way conference into two individual connections one is on line the other is on hold press the flash key wait for the sub command tone and press 2 12 2 Phone Screens Use these screens to configure your phone settings 12 2 1 Analog Phone Screen Use this screen to con...

Page 172: ...L Device will try to use the lower numbered SIP account first Incoming Call apply to SIP1 SIP8 Select which SIP accounts you want to receive phone calls from on this phone port If you select more than one source for incoming calls there is no way to distinguish between them when you receive phone calls PSTN Line Select this if you want to receive phone calls from the PSTN line that do not use the ...

Page 173: ...echo caused by the sound of your voice reverberating in the telephone receiver while you talk Dialing Interval Select Dialing Interval Select Enter the number of seconds the ZyXEL Device should wait after you stop dialing numbers before it makes the phone call The value depends on how quickly you dial phone numbers If you select Active Immediate Dial in VoIP Phone Common you can press the pound ke...

Page 174: ...en click VoIP Phone Region Table 62 VoIP Phone Common LABEL DESCRIPTION Active Immediate Dial Select this if you want to use the pound key to tell the ZyXEL Device to make the phone call immediately instead of waiting the number of seconds you selected in the Dialing Interval Select in VoIP Phone Analog Phone If you select this dial the phone number and then press the pound key The ZyXEL Device ma...

Page 175: ...ntary phone services call hold call waiting call transfer and three way conference calls that your VoIP service provider supports Europe Type use supplementary phone services in European mode USA Type use supplementary phone services American mode You might have to subscribe to these services to use them Contact your VoIP service provider Apply Click this to save your changes and to apply them to ...

Page 176: ...P 2608HWL Dx Series User s Guide 176 Chapter 12 Phone ...

Page 177: ... in the phone book in order to do this Select Non Proxy Use IP or URL in the Type column and enter the callee s IP address or domain name The ZyXEL Device sends SIP INVITE requests to the peer VoIP device when you use the speed dial entry You do not need to configure a SIP account in order to make a peer to peer VoIP call 13 2 Speed Dial Screen You have to create speed dial entries if you want to ...

Page 178: ...Proxy if you want to use one of your SIP accounts to call this phone number Select Non Proxy Use IP or URL if you want to use a different SIP server or if you want to make a peer to peer call In this case enter the IP address or domain name of the SIP server or the other party in the field below Add Click this to use the information in the Speed Dial section to update the Speed Dial Phone Book sec...

Page 179: ...s field shows the IP address or domain name of the SIP server or other party This field corresponds with the Type field in the Speed Dial section Modify Use this field to edit or erase the speed dial entry Click the Edit icon to copy the information for this speed dial entry into the Speed Dial section where you can change it Click the Remove icon to erase this speed dial entry Clear Click this to...

Page 180: ... regardless of other rules in the Forward to Number section Specify the phone number in the field on the right Busy Forward to Number Select this if you want the ZyXEL Device to forward incoming calls to the specified phone number if the phone port is busy Specify the phone number in the field on the right If you have call waiting the incoming call is forwarded to the specified phone number if you...

Page 181: ...r Enter the phone number to which this rule applies Forward to Number Enter the phone number to which you want to forward incoming calls from the Incoming Call Number You may leave this field blank depending on the Condition Condition Select the situations in which you want to forward incoming calls from the Incoming Call Number or select an alternative action Unconditional The ZyXEL Device immedi...

Page 182: ...ck this to listen to the ring All the phones connected to the ZyXEL Device ring when you click this button Ring Select Use this section to first assign rings to groups and then assign phone numbers to those groups Family Select the ring for callers in your family group Workmate Select the ring for callers in your workmate group Friend Select the ring for callers in your friend group VIP Select the...

Page 183: ...unts you have configured on your ZyXEL Device Select a ring type for each of your configured SIP accounts Note The ZyXEL Device will check whether the incoming phone number is part of any of the groups assigned above before checking which SIP account the call is coming to PSTN Call Select a ring for PSTN calls Internal Call Select a ring for internal calls Apply Click this to save your changes and...

Page 184: ...P 2608HWL Dx Series User s Guide 184 Chapter 13 Phone Book ...

Page 185: ...ower you can make regular calls without dialing a prefix number You can also specify phone numbers that should always use the regular phone service without having to dial a prefix number Do this for emergency numbers like those for contacting police fire or emergency medical services Note When the ZyXEL Device does not have power only the phone connected to the PHONE 1 port can be used for making ...

Page 186: ...EL Device that you want to make a regular phone call It is not recommended to use the key however because it is also used in Immediate Dial See VoIP Phone Common Relay to PSTN Line Enter phone numbers for regular calls not VoIP calls that you want to dial without the prefix number For example you should enter emergency numbers The number 1 9 is not a speed dial number It is just a sequential value...

Page 187: ... to guard effectively you must design and deploy it appropriately This requires integrating the firewall into a broad information security policy In addition specific policies must be implemented within the firewall itself Refer to Section 16 5 on page 202 to configure default firewall settings Refer to Section 16 6 on page 203 to view firewall rules Refer to Section 16 6 1 on page 205 to configur...

Page 188: ...firewalls restrict access by screening data packets against defined access rules They make access control decisions based on IP address and protocol They also inspect the session data to assure the integrity of the connection and to adapt to dynamic protocols These firewalls generally provide the best speed and transparency however they may lack the granular application level access control or cac...

Page 189: ...red to automatically detect and thwart all known DoS attacks 15 4 1 Basics Computers share information over the Internet using a common language called TCP IP TCP IP in turn is a set of application protocols that perform specific functions An extension number called the TCP port or UDP port identifies these protocols such as HTTP Web FTP File Transfer Protocol POP3 E mail etc For example Web traff...

Page 190: ...t Teardrop attack exploits weaknesses in the re assembly of IP packet fragments As data is transmitted through a network IP packets are often broken up into smaller chunks Each fragment looks like the original IP packet except that it contains an offset field that says for instance This fragment is carrying bytes 200 through 400 of the original non fragmented IP packet The Teardrop program creates...

Page 191: ...tack hackers flood SYN packets into the network with a spoofed source IP address of the targeted system This makes it appear as if the host computer sent the packets to itself making the system unavailable while the target system tries to respond to itself 7 A brute force attack such as a Smurf attack targets a feature in the IP specification known as directed or subnet broadcasting to quickly flo...

Page 192: ...al NetBIOS commands are the following all others are illegal All SMTP commands are illegal except for those displayed in the following tables Table 69 ICMP Commands That Trigger Alerts 5 REDIRECT 13 TIMESTAMP_REQUEST 14 TIMESTAMP_REPLY 17 ADDRESS_MASK_REQUEST 18 ADDRESS_MASK_REPLY Table 70 Legal NetBIOS Commands MESSAGE REQUEST POSITIVE VE RETARGET KEEPALIVE Table 71 Legal SMTP Commands AUTH DATA ...

Page 193: ...lowed through the router or firewall The ZyXEL Device blocks all IP Spoofing attempts 15 5 Stateful Inspection With stateful inspection fields of the packets are compared to packets that are already known to be trusted For example if you access some outside service the proxy server remembers things about your original request like the port number and source and destination addresses This rememberi...

Page 194: ... list entry that is inserted at the beginning of the WAN interface s inbound extended access list This temporary access list entry is designed to permit inbound packets of the same connection as the outbound packet just inspected 5 The outbound packet is forwarded out through the interface 6 Later an inbound packet reaches the interface This packet is part of the connection previously established ...

Page 195: ...tiation packet originates on the WAN this means that someone is trying to make a connection from the Internet into the LAN Except in a few special cases see Upper Layer Protocols shown next these packets are dropped and logged If an initiation packet originates on the LAN this means that someone is trying to make a connection from the LAN to the Internet Assuming that this is an acceptable part of...

Page 196: ...nternet would normally be rejected In order to achieve this the ZyXEL Device inspects the application level FTP data Specifically it searches for outgoing PORT commands and when it sees these it adds a cache entry for the anticipated data connection This can be done safely since the PORT command contains address and port information which can be used to uniquely identify the connection Any protoco...

Page 197: ... your company Be careful of files e mailed to you from strangers One common way of getting BackOrifice on a system is to include it as a Trojan horse with other files Change your passwords regularly Also use passwords that are not easy to figure out The most difficult passwords to crack are those with upper and lower case letters numbers and a symbol such as or Upgrade your software regularly Many...

Page 198: ...with the outbound request for that packet and allowed in Conversely an incoming packet masquerading as a response to a nonexistent outbound request can be blocked The firewall uses session filtering i e smart rules that enhance the filtering process and control the network session rather than control individual packets in a session The firewall provides e mail service to notify you of routine repo...

Page 199: ...o which they apply Note The LAN includes both the LAN port and the WLAN By default the ZyXEL Device s stateful packet inspection allows packets traveling in the following directions LAN to LAN Router This allows computers on the LAN to manage the ZyXEL Device and communicate between networks or subnets connected to the LAN interface LAN to WAN By default the ZyXEL Device s stateful packet inspecti...

Page 200: ...view Note Study these points carefully before configuring rules 16 3 1 Rule Checklist State the intent of the rule For example This restricts all IRC access from the LAN to the Internet Or This allows a remote Lotus Notes server to synchronize over the Internet to an inside Notes server 1 Is the intent of the rule to forward or block traffic 2 What direction of traffic does the rule apply to 3 Wha...

Page 201: ...Service Select the service from the Service scrolling list box If the service is not listed it is necessary to first define it See Appendix D on page 387 for more information on predefined services 16 3 3 3 Source Address What is the connection s source address is it on the LAN or WAN Is it a single IP a range of IPs or a subnet 16 3 3 4 Destination Address What is the connection s destination add...

Page 202: ... you will need to create custom rules to allow it 16 4 2 Alerts Alerts are reports on events such as attacks that you may want to know about right away You can choose to generate an alert when a rule is matched in the Edit Rule screen see Figure 107 on page 206 When an event generates an alert a message can be immediately sent to an e mail account that you specify in the Log Settings screen Refer ...

Page 203: ...his is the direction of travel of packets LAN to LAN Router LAN to WAN WAN to WAN Router WAN to LAN Firewall rules are grouped based on the direction of travel of packets to which they apply For example LAN to LAN Router means packets traveling from a computer subnet on the LAN to either another computer subnet on the LAN interface of the ZyXEL Device or the ZyXEL Device itself Default Action Use ...

Page 204: ... the general firewall action settings in the General screen This is your firewall rule number The ordering of your rules is important as rules are applied in turn Active This field displays whether a firewall rule is turned on or not Select the check box to enable the rule Clear the check box to disable the rule Source IP This drop down list box displays the source addresses or ranges of addresses...

Page 205: ...elete an existing firewall rule A window displays asking you to confirm that you want to delete the firewall rule Note that subsequent firewall rules move up by one when you take this action Order Click the Move icon to display the Move the rule to field Type a number in the Move the rule to field and click the Move button to move the rule to the number that you typed The ordering of your rules is...

Page 206: ...P 2608HWL Dx Series User s Guide 206 Chapter 16 Firewall Configuration Figure 107 Firewall Edit Rule ...

Page 207: ...ation Address box You can add multiple addresses ranges of addresses and or subnets Edit To edit an existing source or destination address select it from the box and click Edit Delete Highlight an existing source or destination address from the Source or Destination Address box above and click Delete to remove it Service Available Selected Services Please see Appendix D on page 387 for more inform...

Page 208: ...ustomized Services The following table describes the labels in this screen Apply Click Apply to save your customized settings and exit this screen Cancel Click Cancel to exit this screen without saving Table 74 Firewall Edit Rule continued LABEL DESCRIPTION Table 75 Customized Services LABEL DESCRIPTION No This is the number of your customized port Click a rule s number of a service to go to the F...

Page 209: ...1 Click Security Firewall Rules Table 76 Firewall Configure Customized Services LABEL DESCRIPTION Service Name Type a unique name for your custom port Service Type Choose the IP port TCP UDP or TCP UDP that defines your customized port from the drop down list box Port Configuration Type Click Single to specify one port only or Port Range to specify a span of ports that define your customized servi...

Page 210: ...revious rule 7 if there is one becomes rule 8 4 Click Add to display the firewall rule configuration screen 5 In the Edit Rule screen click the Edit Customized Services link to open the Customized Service screen 6 Click an index number to display the Customized Services Config screen and configure the screen as follows and click Apply Figure 111 Edit Custom Port Example 7 Select Any in the Destina...

Page 211: ... Example Edit Rule Destination Address 9 Use the Add and Remove buttons between Available Services and Selected Services list boxes to configure it as follows Click Apply when you are done Note Custom services show up with an before their names in the Services list box and the Rules list box ...

Page 212: ...3 Firewall Example Edit Rule Select Customized Services On completing the configuration procedure for this Internet firewall rule the Rules screen should look like the following Rule 1 allows a MyService connection from the WAN to IP addresses 10 0 0 10 through 10 0 0 15 on the LAN ...

Page 213: ... 215 to configure thresholds 16 8 1 Threshold Values Tune these parameters when something is not working and after you have checked the firewall counters These default values should work fine for most small offices Factors influencing choices for threshold values are The maximum number of opened sessions The minimum capacity of server backlog in your LAN network The CPU power of servers in your LA...

Page 214: ...w When the rate of new connection attempts rises above a threshold one minute high the ZyXEL Device starts deleting half open sessions as required to accommodate new connection requests The ZyXEL Device continues to delete half open sessions as necessary until the rate of new connection attempts drops below another threshold one minute low The rate is the number of new attempts detected in the las...

Page 215: ...deleting half open sessions The ZyXEL Device continues to delete half open sessions as necessary until the rate of new connection attempts drops below this number 80 existing half open sessions One Minute High This is the rate of new half open sessions that causes the firewall to start deleting half open sessions When the rate of new connection attempts rises above this number the ZyXEL Device del...

Page 216: ...deleting half open sessions with the number of existing half open sessions drops below 80 TCP Maximum Incomplete This is the number of existing half open TCP sessions with the same destination host IP address that causes the firewall to start dropping half open sessions to that same destination host IP address Enter a number between 1 and 256 As a general rule you should choose a smaller number fo...

Page 217: ...when the ZyXEL Device performs content filtering You can also specify trusted IP addresses on the LAN for which the ZyXEL Device will not perform content filtering 17 2 Configuring Keyword Blocking Use this screen to block sites containing certain keywords in the URL For example if you enable the keyword bad the ZyXEL Device blocks all sites containing this keyword including the URL http www websi...

Page 218: ... list of all the keywords that you have configured the ZyXEL Device to block Delete Highlight a keyword in the box and click Delete to remove it Clear All Click Clear All to remove all of the keywords from the list Keyword Type a keyword in this field You may use any character up to 127 characters Wildcards are not allowed Add Keyword Click Add Keyword after you have typed a keyword Repeat this pr...

Page 219: ...check box to have the content filtering to be active on the selected day Start TIme Enter the time when you want the content filtering to take effect in hour minute format End Time Enter the time when you want the content filtering to stop in hour minute format Apply Click Apply to save your changes Cancel Click Cancel to return to the previously saved settings Table 80 Content Filter Trusted LABE...

Page 220: ...P 2608HWL Dx Series User s Guide 220 Chapter 17 Content Filtering ...

Page 221: ...ound a number of standardized cryptographic techniques to provide confidentiality data integrity and authentication at the IP layer The following figure is one example of a VPN tunnel Figure 119 VPN Example The VPN tunnel connects the ZyXEL Device X and the remote IPSec router Y These routers then connect the local network A and remote network B A VPN tunnel is usually established in two phases Ea...

Page 222: ...re are two negotiation modes main mode and aggressive mode Main mode provides better security while aggressive mode is faster Note Both routers must use the same negotiation mode These modes are discussed in more detail in Section 18 1 2 1 on page 226 The examples in this section use main mode 18 1 1 1 IP Addresses of the ZyXEL Device and Remote IPSec Router In the ZyXEL Device you have to specify...

Page 223: ...ectly the ZyXEL Device and remote IPSec router cannot establish an IKE SA Note Both routers must use the same encryption algorithm authentication algorithm and DH key group See the field descriptions for information about specific encryption algorithms authentication algorithms and DH key groups You can also see Section 18 1 1 3 on page 223 for more information about the role of DH key groups 18 1...

Page 224: ...nd the ID content is a specific IP address domain name or e mail address The ID content is only used for identification the IP address domain name or e mail address that you enter does not have to actually exist The ZyXEL Device and the remote IPSec router each has its own identity so each one must store two sets of information one for itself and one for the other router Local ID type and ID conte...

Page 225: ...te You must set up the certificates for the ZyXEL Device and remote IPSec router before you can use certificates in IKE SA See Chapter 19 on page 249 for more information about certificates 18 1 1 5 Extended Authentication Extended authentication is often used when multiple IPSec routers use the same VPN tunnel to connect to a single IPSec router For example this might be used with telecommuters E...

Page 226: ... In contrast aggressive mode only takes three steps to establish an IKE SA Step 1 The ZyXEL Device sends its proposals to the remote IPSec router It also starts the Diffie Hellman key exchange and sends its unencrypted identity to the remote IPSec router for authentication Step 2 The remote IPSec router selects an acceptable proposal and sends it back to the ZyXEL Device It also finishes the Diffi...

Page 227: ... NAT traversal router X and router Y add an extra header to the IKE SA and IPSec SA packets If you configure router A to forward these packets unchanged router X and router Y can establish a VPN tunnel You have to do the following things to set up NAT traversal Enable NAT traversal on the ZyXEL Device and remote IPSec router Configure the NAT router to forward packets with the extra header unchang...

Page 228: ... recommended because AH does not support encryption and ESP is more suitable with NAT Use AH only if the remote IPSec router does not support ESP 18 1 3 3 Encapsulation There are two ways to encapsulate packets These modes are illustrated below In tunnel mode the ZyXEL Device encapsulates the entire IP packet As a result there are two IP headers as well as the header for the active protocol Outsid...

Page 229: ...H key exchange every time an IPSec SA is established changing the shared secret from which encryption keys are generated As a result if one encryption key is compromised other encryption keys are secure because they are created from different shared secrets If you do not enable PFS the ZyXEL Device and remote IPSec router use the same shared secret that was generated when the IKE SA was establishe...

Page 230: ...ec router must use the same encryption key and authentication key 18 1 4 1 2 Authentication and the Security Parameter Index SPI In IPSec SAs using manual keys the ZyXEL Device and remote IPSec router use the SPI instead of pre shared keys ID type and ID content for authentication The SPI is an arbitrary number that is used to help identify the IPSec SA Note The ZyXEL Device and remote IPSec route...

Page 231: ...displays the identification name for this VPN policy Local Address This is the IP address es of computer s on your local network behind your ZyXEL Device The same static IP address is displayed twice when the Local Address Type field in the VPN IKE or VPN Manual Key screen is configured to Single The beginning and ending static IP addresses in a range of computers are displayed when the Local Addr...

Page 232: ...VPN Manual Key screen is configured to Range A static IP address and a subnet mask are displayed when the Remote Address Type field in the VPN IKE or VPN Manual Key screen is configured to Subnet Encap This field displays Tunnel or Transport mode Tunnel is the default selection IPSec Algorithm This field displays the security protocols used for an SA Both AH and ESP increase ZyXEL Device processin...

Page 233: ... this check box to activate this VPN policy This option determines whether a VPN rule is applied before a packet leaves the firewall Keep Alive Select either Yes or No from the drop down list box Select Yes to have the ZyXEL Device automatically reinitiate the SA after the SA lifetime times out even if there is no traffic The remote IPSec router must also have keep alive enabled in order for this ...

Page 234: ...igured remote IP addresses Two active SAs can have the same configured local or remote IP address but not both You can configure multiple SAs between the same local and remote IP addresses as long as only one is active at any time In order to have more than one active rule with the Secure Gateway Address field set to 0 0 0 0 the ranges of the local IP addresses cannot overlap between rules If you ...

Page 235: ...ind the remote IPSec router Address Information Local ID Type Select IP to identify this ZyXEL Device by its IP address Select DNS to identify this ZyXEL Device by a domain name Select E mail to identify this ZyXEL Device by an e mail address Content When you select IP in the Local ID Type field type the IP address of your computer in the local Content field The ZyXEL Device automatically uses the...

Page 236: ...r has a dynamic WAN IP address the Key Management field must be set to IKE In order to have more than one active rule with the Secure Gateway Address field set to 0 0 0 0 the ranges of the local IP addresses cannot overlap between rules If you configure an active rule with 0 0 0 0 in the Secure Gateway Address field and the LAN s full IP address range as the local IP address then you cannot config...

Page 237: ...cessing power resulting in increased latency and decreased throughput This implementation of AES uses a 128 bit key AES is faster than 3DES Select NULL to set up a tunnel without encryption When you select NULL you do not enter an encryption key Authentication Algorithm Select SHA1 or MD5 from the drop down list box MD5 Message Digest 5 and SHA1 Secure Hash Algorithm are hash algorithms used to au...

Page 238: ... or select NO to disable it Local Start Port 0 is the default and signifies any port Type a port number from 0 to 65535 Some of the most common IP ports are 21 FTP 53 DNS 23 Telnet 80 HTTP 25 SMTP 110 POP3 End Enter a port number in this field to define a port range This port number must be greater than that specified in the previous field If Local Start Port is left at 0 End will also remain at 0...

Page 239: ... Authentication Algorithm Select SHA1 or MD5 from the drop down list box MD5 Message Digest 5 and SHA1 Secure Hash Algorithm are hash algorithms used to authenticate packet data The SHA1 algorithm is generally considered stronger than MD5 but is slower Select MD5 for minimal security and SHA 1 for maximum security SA Life Time Seconds Define the length of time before an IPSec SA automatically rene...

Page 240: ... short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys However every time the VPN tunnel renegotiates all users accessing remote resources are temporarily disconnected Encapsulation Select Tunnel mode or Transport mode from the drop down list box Perfect Forward Secrecy PFS Perfect Forward Secrecy PFS is disabled NONE by default in p...

Page 241: ...e Type up to 32 characters to identify this VPN policy You may use any character including spaces but the ZyXEL Device drops trailing spaces IPSec Key Mode Select IKE or Manual from the drop down list box Manual is a useful option for troubleshooting if you have problems using IKE key management SPI Type a number base 10 from 1 to 999999 for the Security Parameter Index Encapsulation Mode Select T...

Page 242: ...Local Address Type field is configured to Range enter the end static IP address in a range of computers on the LAN behind your ZyXEL Device When the Local Address Type field is configured to Subnet this is a subnet mask on the LAN behind your ZyXEL Device Remote Remote IP addresses must be static and correspond to the remote IPSec router s configured local IP addresses Two active SAs cannot have t...

Page 243: ...hm and Authentication Algorithm fields described next Encryption Algorithm Select DES 3DES or NULL from the drop down list box When DES is used for data communications both sender and receiver must know the same secret key which can be used to encrypt and decrypt the message or to generate and verify a message authentication code The DES encryption algorithm uses a 56 bit key Triple DES 3DES is a ...

Page 244: ...affic Figure 130 VPN SA Monitor The following table describes the fields in this screen Table 87 VPN SA Monitor LABEL DESCRIPTION No This is the security association index number Name This field displays the identification name for this VPN policy Encapsulation This field displays Tunnel or Transport mode IPSec Algorithm This field displays the security protocol encryption algorithm and authentica...

Page 245: ...e figure to use one VPN rule to simultaneously access a ZyXEL Device at headquarters HQ in the figure The telecommuters do not have domain names mapped to the WAN IP addresses of their IPSec routers The telecommuters must all use the same IPSec parameters but the local IP addresses or ranges of addresses should not overlap Table 88 VPN Global Setting LABEL DESCRIPTION Windows Networking NetBIOS ov...

Page 246: ...elecommuters IPSec routers should not overlap See the following table and figure for an example where three telecommuters each use a different VPN rule for a VPN connection with a ZyXEL Device located at headquarters The ZyXEL Device at headquarters HQ in the figure identifies each incoming SA by its ID type and content and uses the appropriate VPN rule to establish the VPN connection The ZyXEL De...

Page 247: ...ZyXEL Device Rule 1 Local ID Type IP Peer ID Type IP Local ID Content 192 168 2 12 Peer ID Content 192 168 2 12 Local IP Address 192 168 2 12 Secure Gateway Address telecommuter1 com Remote Address 192 168 2 12 Telecommuter B telecommuterb dydns org Headquarters ZyXEL Device Rule 2 Local ID Type DNS Peer ID Type DNS Local ID Content telecommuterb com Peer ID Content telecommuterb com Local IP Addr...

Page 248: ...Series User s Guide 248 Chapter 18 IPSec VPN 18 9 VPN and Remote Management If a VPN tunnel uses Telnet FTP WWW then you should configure remote management Advanced Remote Management to allow access for that service ...

Page 249: ...e key is public and can be made openly available the other key is private and must be kept secure Public key encryption in general works as follows 1 Tim wants to send a private message to Jenny Tim generates a public key pair What is encrypted with one key can only be decrypted using the other 2 Tim keeps the private key and makes the public key openly available 3 Tim uses his private key to encr...

Page 250: ... servers software procedures and policies that handles keys is called PKI Public Key Infrastructure 19 1 1 Advantages of Certificates Certificates offer the following benefits The ZyXEL Device only has to store the certificates of the certification authorities that you decide to trust no matter how many devices you need to authenticate Key distribution is simple and very secure since you can freel...

Page 251: ...tificates and certification requests Certificates display in black and certification requests display in gray Figure 135 My Certificates The following table describes the labels in this screen Table 91 My Certificates LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the ZyXEL Device s PKI storage space that is currently in use The bar turns from green to red when the ...

Page 252: ...ncludes a Not Yet Valid message if the certificate has not yet become applicable Valid To This field displays the date that the certificate expires The text displays in red and includes an Expiring or Expired message if the certificate is about to expire or has already expired Modify Click the details icon to open a screen with an in depth list of information about the certificate Click the delete...

Page 253: ...t 19 5 1 Certificate File Formats The certification authority certificate that you want to import has to be in one of these file formats Binary X 509 This is an ITU T recommendation that defines the formats for X 509 certificates PEM Base 64 encoded X 509 This Privacy Enhanced Mail format uses 64 ASCII characters to convert a binary X 509 certificate into a printable form Binary PKCS 7 This is a s...

Page 254: ...tificate enroll a certificate with a certification authority or generate a certification request Figure 137 My Certificate Create Table 92 My Certificate Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it Browse Click Browse to find the certificate file you want to upload Back Click Back to return to the previous screen A...

Page 255: ...ice drops trailing spaces Key Length Select a number from the drop down list box to determine how many bits the key should use 512 to 2048 The longer the key the more secure it is A longer key also uses more PKI storage space Enrollment Options These radio buttons deal with how and when the certificate is to be generated Create a self signed certificate Select Create a self signed certificate to h...

Page 256: ...Device Enrollment Protocol Select the certification authority s enrollment protocol from the drop down list box Simple Certificate Enrollment Protocol SCEP is a TCP based enrollment protocol that was developed by VeriSign and Cisco Certificate Management Protocol CMP is a TCP based enrollment protocol that was developed by the Public Key Infrastructure X 509 working group of the Internet Engineeri...

Page 257: ...P 2608HWL Dx Series User s Guide Chapter 19 Certificates 257 Figure 138 My Certificate Details ...

Page 258: ...lay the certification path Certificate Information These read only fields display detailed information about the certificate Type This field displays general information about the certificate CA signed means that a Certification Authority signed the certificate Self signed means that the certificate s owner signed the certificate not a certification authority X 509 means that this certificate was ...

Page 259: ...authority in the certificate s path MD5 Fingerprint This is the certificate s message digest that the ZyXEL Device calculated using the MD5 algorithm SHA1 Fingerprint This is the certificate s message digest that the ZyXEL Device calculated using the SHA1 algorithm Certificate in PEM Base 64 Encoded Format This read only text box displays the certificate or certification request in Privacy Enhance...

Page 260: ...anizational unit or department organization or company and country With self signed certificates this is the same information as in the Subject field Valid From This field displays the date that the certificate becomes applicable The text displays in red and includes a Not Yet Valid message if the certificate has not yet become applicable Valid To This field displays the date that the certificate ...

Page 261: ... table describes the labels in this screen Import Click Import to open a screen where you can save the certificate of a certification authority that you trust from your computer to the ZyXEL Device Refresh Click this button to display the current validity status of the certificates Table 95 Trusted CAs continued LABEL DESCRIPTION Table 96 Trusted CA Import LABEL DESCRIPTION File Path Type in the l...

Page 262: ...con to open the Trusted CA Details screen Use this screen to view in depth information about the certification authority s certificate change the certificate s name and set whether or not you want the ZyXEL Device to check a certification authority s list of revoked certificates before trusting a certificate issued by the certification authority Figure 141 Trusted CA Details ...

Page 263: ...ut the certificate Type This field displays general information about the certificate CA signed means that a Certification Authority signed the certificate Self signed means that the certificate s owner signed the certificate not a certification authority X 509 means that this certificate was created and signed according to the ITU T X 509 recommendation that defines the formats for public key cer...

Page 264: ...ers with Lists of revoked certificates the issuing certification authority of this certificate makes available This field also displays the domain names or IP addresses of the servers MD5 Fingerprint This is the certificate s message digest that the ZyXEL Device calculated using the MD5 algorithm You can use this value to verify with the certification authority over the phone for example that this...

Page 265: ...formation about the certificate s owner such as CN Common Name OU Organizational Unit or department O Organization or company and C Country It is recommended that each certificate have unique subject information Valid From This field displays the date that the certificate becomes applicable The text displays in red and includes a Not Yet Valid message if the certificate has not yet become applicab...

Page 266: ...mote Host Certificate Fingerprints A certificate s fingerprints are message digests calculated using the MD5 or SHA1 algorithms The following procedure describes how to use a certificate s fingerprint to verify that you have the remote host s actual certificate 1 Browse to where you have the remote host s certificate saved on your computer 2 Make sure that the certificate has a cer or crt file nam...

Page 267: ...you can import it Figure 145 Trusted Remote Host Import The following table describes the labels in this screen 19 14 Trusted Remote Host Certificate Details Click Security Certificates Trusted Remote Hosts to open the Trusted Remote Hosts screen Click the details icon to open the Trusted Remote Host Details screen You can use this screen to view in depth information about the trusted remote host ...

Page 268: ...P 2608HWL Dx Series User s Guide 268 Chapter 19 Certificates Figure 146 Trusted Remote Host Details ...

Page 269: ... information that identifies the owner of the certificate such as Common Name CN Organizational Unit OU Organization O and Country C Issuer This field displays identifying information about the default self signed certificate on the ZyXEL Device that the ZyXEL Device uses to sign the trusted remote host certificates Signature Algorithm This field displays the type of algorithm that the ZyXEL Devic...

Page 270: ...SHA1 Fingerprint This is the certificate s message digest that the ZyXEL Device calculated using the SHA1 algorithm You cannot use this value to verify that this is the remote host s actual certificate because the ZyXEL Device has signed the certificate thus causing this value to be different from that of the remote hosts actual certificate See Section 19 12 on page 266 for how to verify a remote ...

Page 271: ...ing expired or unnecessary certificates before adding more certificates The index number of the directory server The servers are listed in alphabetical order Name This field displays the name used to identify this directory server Address This field displays the IP address or domain name of the directory server Port This field displays the port number that the directory server uses Protocol This f...

Page 272: ...tted decimal notation or the domain name of the directory server Server Port This field displays the default server port number of the protocol that you select in the Access Protocol field You may change the server port number if needed however you must use the same server port number that the directory server uses 389 is the default server port number for LDAP Login Setting Login The ZyXEL Device...

Page 273: ...s beyond For instance the ZyXEL Device knows about network N2 in the following figure through remote node Router 1 However the ZyXEL Device is unable to route a packet to network N3 because it doesn t know that there is a route through the same remote node Router 1 via gateway Router 2 The static routes are for you to tell the ZyXEL Device about the networks beyond the remote nodes Figure 149 Exam...

Page 274: ...te is active Yes or not No Name This is the name that describes or identifies this route Destination This parameter specifies the IP network address of the final destination Routing is always based on network number Gateway This is the IP address of the gateway The gateway is a router or switch on the same network segment as the device s LAN or WAN port The gateway helps forward packets to their d...

Page 275: ...ation Routing is always based on network number If you need to specify a route to a single host use a subnet mask of 255 255 255 255 in the subnet mask field to force the network number to be identical to the host ID IP Subnet Mask Enter the IP subnet mask here Gateway IP Address Enter the IP address of the gateway The gateway is a router or switch on the same network segment as the device s LAN o...

Page 276: ...P 2608HWL Dx Series User s Guide 276 Chapter 20 Static Route ...

Page 277: ...traffic s source Traffic redirect or IP alias may cause LAN to LAN traffic to pass through the ZyXEL Device and be managed by bandwidth management The sum of the bandwidth allotments that apply to the WAN interface LAN to WAN WLAN to WAN must be less than or equal to the WAN speed that you configure in the Bandwidth Management Summary screen The sum of the bandwidth allotments that apply to the LA...

Page 278: ...ides up an interface s bandwidth among the bandwidth classes The ZyXEL Device has two types of scheduler fairness based and priority based 21 5 1 Priority based Scheduler With the priority based scheduler the ZyXEL Device forwards traffic from bandwidth classes according to the priorities that you assign to the bandwidth classes The larger a bandwidth class s priority number is the higher the prio...

Page 279: ...unbudgeted or unused by the classes depending on how many bandwidth classes require more bandwidth and on their priority levels When only one class requires more bandwidth the ZyXEL Device gives extra bandwidth to that class When multiple classes require more bandwidth the ZyXEL Device gives the highest priority classes the available bandwidth first as much as they require if there is enough avail...

Page 280: ...d Unbudgeted Bandwidth The following table shows the priorities of the bandwidth classes and the amount of bandwidth that each class gets Suppose that all of the classes except for the administration class need more bandwidth Each class gets up to its budgeted bandwidth The administration class only uses 1024 kbps of its budgeted 2048 kbps The sales and marketing are first to get extra bandwidth b...

Page 281: ...1 6 3 Bandwidth Management Priorities Traffic with a higher priority gets through faster while traffic with a lower priority is dropped if the network is congested The following table describes the priorities that you can apply to traffic that the ZyXEL Device forwards out through an interface Table 108 Fairness based Allotment of Unused Unbudgeted Bandwidth Example BANDWIDTH CLASSES AND ALLOTMENT...

Page 282: ...NetMeeting do not use all of their allocated bandwidth Suppose you try to browse the web too In this case VoIP NetMeeting and FTP all have higher priority so they get to use the bandwidth first You can only browse the web when VoIP NetMeeting and FTP do not use all 1000 Kbps of available bandwidth 21 8 Configuring Summary Click Advanced Bandwidth MGMT to open the screen as shown next Enable bandwi...

Page 283: ...smission speed of 1 Mbps You can set this number higher than the interface s actual transmission speed This will stop lower priority traffic from being sent if higher priority traffic uses all of the actual bandwidth You can also set this number lower than the interface s actual transmission speed If you do not enable Max Bandwidth Usage this will cause the ZyXEL Device to not use some of the inte...

Page 284: ...d 20000 kbps for an individual rule If you want to leave some bandwidth for traffic that does not match a bandwidth filter make sure that the interface s root class has more bandwidth than the sum of the bandwidths of the interface s bandwidth management rules Add Click this button to save your rule It displays in the following table This is the number of an individual bandwidth management rule Ac...

Page 285: ...the screen where you can edit the rule Click the Remove icon to delete an existing rule Apply Click Apply to save your changes back to the ZyXEL Device Cancel Click Cancel to begin configuring this screen afresh Table 112 Bandwidth Management Rule Setup continued LABEL DESCRIPTION Table 113 Bandwidth Management Rule Configuration LABEL DESCRIPTION Rule Configuration Active Select this check box to...

Page 286: ... for uploading and downloading files Select FTP from the drop down list box to configure this bandwidth filter for FTP traffic H 323 is a standard teleconferencing protocol suite that provides audio data and video conferencing It allows for real time point to point and multipoint communication between client computers over a packet based network that does not provide a guaranteed quality of servic...

Page 287: ... view the bandwidth usage of its bandwidth rules Figure 156 Bandwidth Management Monitor Protocol Select the protocol TCP or UDP or select User defined and enter the protocol service type number 0 means any protocol number Back Click Back to go to the previous screen Apply Click Apply to save your changes back to the ZyXEL Device Cancel Click Cancel to begin configuring this screen afresh Table 11...

Page 288: ...P 2608HWL Dx Series User s Guide 288 Chapter 21 Bandwidth Management ...

Page 289: ...en if they don t know your IP address First of all you need to have registered a dynamic DNS account with www dyndns org This is for people with a dynamic IP from their ISP or DHCP server that would still like to have a domain name The Dynamic DNS service provider will give you a password or key 22 1 1 DYNDNS Wildcard Enabling the wildcard feature for your host causes yourhost dyndns org to be ali...

Page 290: ... Name Type the domain name assigned to your ZyXEL Device by your Dynamic DNS provider You can specify up to two host names in the field separated by a comma User Name Type your user name Password Type the password assigned to you Enable Wildcard Option Select the check box to enable DynDNS Wildcard Enable off line option This option is available when CustomDNS is selected in the DDNS Type field Ch...

Page 291: ...IP address of the NAT router that has a public IP address Note The DDNS server may not be able to detect the proper IP address if there is an HTTP proxy server between the ZyXEL Device and the DDNS server Use specified IP Address Type the IP address of the host name s Use this if you have a static IP address Apply Click Apply to save your changes back to the ZyXEL Device Cancel Click Cancel to beg...

Page 292: ...P 2608HWL Dx Series User s Guide 292 Chapter 22 Dynamic DNS Setup ...

Page 293: ...evice from a remote location via Internet WAN only ALL LAN and WAN LAN only Neither Disable Note When you choose WAN only or LAN WAN you still need to configure a firewall rule to allow access To disable remote management of a service select Disable in the corresponding Access Status field You may only have one remote management session running at a time The ZyXEL Device automatically disconnects ...

Page 294: ...TP over SSL is a web protocol that encrypts and decrypts web pages Secure Socket Layer SSL is an application level protocol that enables secure transactions of data by ensuring confidentiality an unauthorized party cannot read the transferred data authentication one party can identify the other party and data integrity you know if data has been changed It relies upon certificates public keys and p...

Page 295: ... on the ZyXEL Device s WS web server Figure 158 HTTPS Implementation Note If you disable HTTP Server Access Disable in the REMOTE MGMT WWW screen then the ZyXEL Device blocks all HTTP connection attempts 23 3 WWW To change your ZyXEL Device s World Wide Web settings click Advanced Remote MGMT to display the WWW screen Figure 159 Remote Management WWW ...

Page 296: ...ZyXEL Device Authenticate Client Certificates Select Authenticate Client Certificates optional to require the SSL client to authenticate itself to the ZyXEL Device by sending the ZyXEL Device a certificate To do that the SSL client must have a CA signed certificate from a CA that has been imported as a trusted CA on the ZyXEL Device see Appendix E on page 389 on importing certificates for details ...

Page 297: ...st use the same port number in order to use that service for remote management Access Status Select the interface s through which a computer may access the ZyXEL Device using this service Secured Client IP A secured client is a trusted computer that is allowed to communicate with the ZyXEL Device using this service Select All to allow any computer to access the ZyXEL Device using this service Choo...

Page 298: ...ION Port You may change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Access Status Select the interface s through which a computer may access the ZyXEL Device using this service Secured Client IP A secured client is a trusted computer that is allowed to communicate with the ZyXEL Device using this servic...

Page 299: ...sides in a managed device the ZyXEL Device An agent translates the local management information from the managed device into a form compatible with SNMP The manager is the console through which network administrators perform network management functions It executes applications that control and monitor managed devices The managed devices contain object variables managed objects that define each pi...

Page 300: ...hen any one of the following events occurs 23 7 3 Configuring SNMP To change your ZyXEL Device s SNMP settings click Advanced Remote MGMT SNMP The screen appears as shown Table 118 SNMP Traps TRAP TRAP NAME DESCRIPTION 0 coldStart defined in RFC 1215 A trap is sent after booting power on 1 warmStart defined in RFC 1215 A trap is sent after booting software reboot 4 authenticationFailure defined in...

Page 301: ... ZyXEL Device using this service Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service SNMP Configuration Get Community Enter the Get Community which is the password for the incoming Get and GetNext requests from the management station The default is public and allows all requests Set Community Enter the Set community which is...

Page 302: ...is screen 23 9 Configuring ICMP To change your ZyXEL Device s security settings click Advanced Remote MGMT ICMP The screen appears as shown Table 120 Remote Management DNS LABEL DESCRIPTION Port The DNS service port number is 53 and cannot be changed here Access Status Select the interface s through which a computer may send DNS queries to the ZyXEL Device Secured Client IP A secured client is a t...

Page 303: ...ble is selected Select LAN to reply to incoming LAN Ping requests Select WAN to reply to incoming WAN Ping requests Otherwise select LAN WAN to reply to both incoming LAN and WAN Ping requests Do not respond to requests for unauthorized services Select this option to prevent hackers from finding the ZyXEL Device by probing for unused ports If you select this option the ZyXEL Device will not respon...

Page 304: ...r IP address or domain name See Table 122 on page 304 for detailed descriptions of the commands Figure 167 Enabling TR 069 The following table gives a description of TR 069 commands ras wan tr069 load ras wan tr069 acsUrl a b c d Auto Configuration Server URL http a b c d ras wan tr069 periodicEnable 1 ras wan tr069 informInterval 2400 TR069 Informinterval 2400 ras wan tr069 active 1 ras wan tr069...

Page 305: ...lue to 1 in order for the ZyXEL Device to send information to CNM Access informInterval sec The duration in seconds of the interval for which the device MUST attempt to connect with CNM Access to send information and check for configuration updates Enter a value between 30 and 2147483647 seconds save Save the TR 069 settings to your ZyXEL Device Table 122 TR 069 Commands Root Command or Subdirecto...

Page 306: ...P 2608HWL Dx Series User s Guide 306 Chapter 23 Remote Management Configuration ...

Page 307: ...ow do I know if I m using UPnP UPnP hardware is identified as an icon in the Network Connections folder Windows XP Each UPnP compatible device installed on your network will appear as a separate icon Selecting the icon of a UPnP device will allow you to access the information and properties of that device 24 1 2 NAT Traversal UPnP NAT traversal automates the process of allowing an application to o...

Page 308: ...essage For security reasons the ZyXEL Device allows multicast messages on the LAN only All UPnP enabled devices may communicate freely with each other without additional configuration Disable UPnP if this is not your intention 24 2 UPnP and ZyXEL ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum UPnP Implementers Corp UIC ZyXEL s UPnP implementation supports Internet Gat...

Page 309: ... to activate UPnP Be aware that anyone could use a UPnP application to open the web configurator s login screen without entering the ZyXEL Device s IP address although you must still enter the password to access the web configurator Allow users to make configuration changes through UPnP Select this check box to allow UPnP enabled applications to automatically configure the ZyXEL Device so that the...

Page 310: ... Setup Communication 3 In the Communications window select the Universal Plug and Play check box in the Components selection box Figure 170 Add Remove Programs Windows Setup Communication Components 4 Click OK to go back to the Add Remove Programs Properties window and click Next 5 Restart the computer when prompted ...

Page 311: ...ions 3 In the Network Connections window click Advanced in the main menu and select Optional Networking Components Figure 171 Network Connections 4 The Windows Optional Networking Components Wizard window displays Select Networking Service in the Components selection box and click Details Figure 172 Windows Optional Networking Components Wizard 5 In the Networking Services window select the Univer...

Page 312: ...on shows you how to use the UPnP feature in Windows XP You must already have UPnP installed in Windows XP and UPnP activated on the ZyXEL Device Make sure the computer is connected to a LAN port of the ZyXEL Device Turn on your computer and the ZyXEL Device Auto discover Your UPnP enabled Network Device 1 Click Start and Control Panel Double click Network Connections An icon displays under Interne...

Page 313: ...hapter 24 Universal Plug and Play UPnP 313 Figure 174 Network Connections 3 In the Internet Connection Properties window click Settings to see the port mappings there were automatically created Figure 175 Internet Connection Properties ...

Page 314: ...appings Figure 176 Internet Connection Properties Advanced Settings Figure 177 Internet Connection Properties Advanced Settings Add 5 When the UPnP enabled device is disconnected from your computer all port mappings will be deleted automatically 6 Select Show icon in notification area when connected option and click OK An icon displays in the system tray ...

Page 315: ... Status Web Configurator Easy Access With UPnP you can access the web based configurator on the ZyXEL Device without finding out the IP address of the ZyXEL Device first This comes helpful if you do not know the IP address of the ZyXEL Device Follow the steps below to access the web configurator 1 Click Start and then Control Panel 2 Double click Network Connections 3 Select My Network Places unde...

Page 316: ...ersal Plug and Play UPnP Figure 180 Network Connections 4 An icon with the description for each UPnP enabled device displays under Local Network 5 Right click on the icon for your ZyXEL Device and select Invoke The web configurator login screen displays ...

Page 317: ...UPnP 317 Figure 181 Network Connections My Network Places 6 Right click on the icon for your ZyXEL Device and select Properties A properties window displays with basic information about the ZyXEL Device Figure 182 Network Connections My Network Places Properties Example ...

Page 318: ...P 2608HWL Dx Series User s Guide 318 Chapter 24 Universal Plug and Play UPnP ...

Page 319: ... Windows 2000 click Start Settings Control Panel and then double click System Click the Network Identification tab and then the Properties button Note the entry for the Computer name field and enter it as the System Name In Windows XP click start My Computer View system information and then click the Computer Name tab Note the entry in the Full computer name field and enter it as the ZyXEL Device ...

Page 320: ...Type how many minutes a management session either via the web configurator or telnet can be left idle before the session times out The default is 5 minutes After it times out you have to log in with your password again Very long idle timeouts may have security risks A value of 0 means a management session never times out no matter how long it has been left idle not recommended Password Old Passwor...

Page 321: ...PTION Current Time Current Time This field displays the time of your ZyXEL Device Each time you reload this page the ZyXEL Device synchronizes the time with the time server Current Date This field displays the date of your ZyXEL Device Each time you reload this page the ZyXEL Device synchronizes the date with the time server Time and Date Setup Manual Select this to enter the time and date manuall...

Page 322: ...gth of your time server Check with your ISP network administrator if you are unsure of this information Time Zone Setup Time Zone Choose the time zone of your location This will set the time difference between your time zone and Greenwich Mean Time GMT Daylight Savings Daylight saving is a period from late spring to early fall when many countries set their clocks ahead of normal local time by one ...

Page 323: ...day October and type 2 in the o clock field Daylight Saving Time ends in the European Union on the last Sunday of October All of the time zones in the European Union stop using Daylight Saving Time at the same moment 1 A M GMT or UTC So in the European Union you would select Last Sunday October The time you type in the o clock field depends on your time zone In Germany for instance you would type ...

Page 324: ...P 2608HWL Dx Series User s Guide 324 Chapter 25 System ...

Page 325: ... of log that warrants more serious attention They include system errors attacks access control and attempted access to blocked web sites Some categories such as System Errors consist of both logs and alerts You may differentiate them by their color in the View Log screen Alerts display in red and logs display in black 26 2 Viewing the Logs Click Maintenance Logs to open the View Log screen Use the...

Page 326: ...lect a category of logs to view select All Logs to view logs from all of the log categories that you selected in the Log Settings page Email Log Now Click Email Log Now to send the log screen to the e mail address specified in the Log Settings page make sure that you have first filled in the E mail Log Settings fields in Log Settings Refresh Click Refresh to renew the log screen Clear Log Click Cl...

Page 327: ...s The following table describes the fields in this screen Table 127 Log Settings LABEL DESCRIPTION E mail Log Settings Mail Server Enter the server name or the IP address of the mail server for the e mail addresses specified below If this field is left blank logs and alert messages will not be sent via E mail Mail Subject Type a title that you want to be in the subject line of the log e mail messa...

Page 328: ...f you select Weekly or Daily specify a time of day when the E mail should be sent If you select Weekly then also specify which day of the week the E mail should be sent If you select When Log is Full an alert is sent when the log fills up If you select None no log messages are sent Day for Sending Log Use the drop down list box to select which day of the week to send the logs Time for Sending Log ...

Page 329: ...h a complete log has been sent The following is an example of a log sent by e mail You may edit the subject title The date format here is Day Month Year The date format here is Month Day Year The time format is Hour Minute Second End of Log message shows that a complete log has been sent Table 128 SMTP Error Messages 1 means ZyXEL Device out of socket 2 means tcp SYN fail 3 means smtp server OK fa...

Page 330: ...55 default policy forward 09 54 17 UDP src port 00520 dest port 00520 1 00 3 Apr 7 00 From 192 168 1 6 To 10 10 10 10 match forward 09 54 19 UDP src port 03516 dest port 00053 1 01 snip snip 126 Apr 7 00 From 192 168 1 1 To 192 168 1 255 match forward 10 05 00 UDP src port 00520 dest port 00520 1 02 127 Apr 7 00 From 192 168 1 131 To 192 168 1 255 match forward 10 05 17 UDP src port 00520 dest por...

Page 331: ...tionality You can download new firmware releases from your nearest ZyXEL FTP site or www zyxel com to use to upgrade your device s performance Note Only use firmware for your device s specific model Refer to the label on the bottom of your ZyXEL Device 27 2 Filename Conventions The configuration file often called the romfile or rom 0 contains the factory default settings in the menus such as passw...

Page 332: ...allow access from the WAN 2 You have disabled Telnet service in menu 24 11 3 You have applied a filter in menu 3 1 LAN or in menu 11 5 WAN to block Telnet service 4 The IP you entered in the Secured Client IP field in menu 24 11 does not match the client IP If it does not match the device will disconnect the Telnet session immediately 27 4 Firmware Upgrade Screen Click Maintenance Tools to open th...

Page 333: ...y restarts in this time causing a temporary network disconnect In some operating systems you may see the following icon on your desktop Table 130 Firmware Upgrade LABEL DESCRIPTION Current Firmware Version This is the present Firmware version and the date created File Path Type in the location of the file you want to upload in this field or click Browse to find it Browse Click Browse to find the b...

Page 334: ... successful the following screen will appear Click Return to go back to the Firmware screen Figure 191 Error Message 27 5 Backup and Restore See Section 27 7 on page 337 and Section 27 8 on page 340 for transferring configuration files using FTP TFTP commands Click Maintenance Tools Configuration Information related to factory defaults backup configuration and restoring configuration appears as sh...

Page 335: ...ious settings Click Backup to save the ZyXEL Device s current configuration to your computer 27 5 2 Restore Configuration Restore Configuration allows you to upload a new or previously saved configuration file from your computer to your ZyXEL Device Note Do not turn off the ZyXEL Device while configuration file upload is in progress Table 131 Restore Configuration LABEL DESCRIPTION File Path Type ...

Page 336: ...lowing icon on your desktop Figure 194 Network Temporarily Disconnected If you uploaded the default configuration file you may need to change the IP address of your computer to be in the same subnet as that of the default device IP address 192 168 1 1 See Appendix B on page 367 for details on how to set up your computer s IP address 27 5 3 Reset to Factory Defaults Click the Reset button to clear ...

Page 337: ...ut turning the power off Click Maintenance Tools Restart Click Restart to have the ZyXEL Device reboot This does not affect the ZyXEL Device s configuration Figure 197 Restart Screen 27 7 Using FTP or TFTP to Back Up Configuration This section covers how to use FTP or TFTP to save your device s configuration file to your computer 27 7 1 Using the FTP Commands to Back Up Configuration 1 Launch the ...

Page 338: ...wing table describes some of the commands that you may see in GUI based FTP clients 331 Enter PASS command Password 230 Logged in ftp bin 200 Type I OK ftp get rom 0 zyxel rom 200 Port command okay 150 Opening data connection for STOR ras 226 File received OK ftp 16384 bytes sent in 1 10Seconds 297 89Kbytes sec ftp quit Table 132 General Commands for GUI based FTP Clients COMMAND DESCRIPTION Host ...

Page 339: ...e file transfer is complete 3 Launch the TFTP client on your computer and connect to the ZyXEL Device Set the transfer mode to binary before starting data transfer 4 Use the TFTP client see the example below to transfer files between the ZyXEL Device and the computer The file name for the configuration file is rom 0 rom zero not capital o Note that the telnet connection must be active before and d...

Page 340: ...P is faster Please note that you must wait for the system to automatically restart after the file transfer is complete Note WARNING Do not interrupt the file transfer process as this may PERMANENTLY DAMAGE YOUR device When the Restore Configuration process is complete the device will automatically restart Table 133 General Commands for GUI based TFTP Clients COMMAND DESCRIPTION Host Enter the IP a...

Page 341: ...TP client on your computer 2 Enter open followed by a space and the IP address of your device 3 Press ENTER when prompted for a username 4 Enter your password as requested the default is 1234 5 Enter bin to set transfer mode to binary 6 Use put to transfer files from the computer to the device for example put firmware bin ras transfers the firmware on your computer firmware bin to the device and r...

Page 342: ... address 2 Enter the command sys stdio 0 to disable the management idle timeout so the TFTP transfer will not be interrupted Enter command sys stdio 5 to restore the five minute management idle timeout default when the file transfer is complete 3 Launch the TFTP client on your computer and connect to the device Set the transfer mode to binary before starting data transfer 4 Use the TFTP client see...

Page 343: ...cifies binary image transfer mode use this mode when transferring binary files host is the device s IP address put transfers the file source on the computer firmware bin name of the firmware on the computer to the file destination on the remote host ras name of the firmware on the device Commands that you may see in GUI based TFTP clients are listed earlier in this chapter ...

Page 344: ...P 2608HWL Dx Series User s Guide 344 Chapter 27 Tools ...

Page 345: ...ostic to open the screen shown next Figure 201 Diagnostic General The following table describes the fields in this screen 28 2 DSL Line Diagnostic Click Maintenance Diagnostic DSL Line to open the screen shown next Table 134 Diagnostic General LABEL DESCRIPTION TCP IP Address Type the IP address of a computer that you want to ping in order to test a connection Ping Click this button to ping the IP...

Page 346: ...4Pkts is the number of ATM Operations Administration and Management OAM F4 cells that have been received See ITU recommendation I 610 for more on OAM for ATM outF4Pkts is the number of ATM OAM F4 cells that have been sent inF5Pkts is the number of ATM OAM F5 cells that have been received outF5Pkts is the number of ATM OAM F5 cells that have been sent openChan is the number of times that the ZyXEL ...

Page 347: ...xadecimal format of bits transmitted for each tone This can be used to determine the quality of the connection whether a given sub carrier loop has sufficient margins to support certain ADSL transmission rates and possibly to determine whether particular specific types of interference or line attenuation exist Refer to the ITU T G 992 1 recommendation for more information on DMT The better or shor...

Page 348: ...P 2608HWL Dx Series User s Guide 348 Chapter 28 Diagnostic ...

Page 349: ...ake sure that the ZyXEL Device s power adaptor is connected to the ZyXEL Device and plugged in to an appropriate power source Make sure that the ZyXEL Device and the power source are both turned on Turn the ZyXEL Device off and on If the error persists you may have a hardware problem In this case you should contact your vendor Table 137 Troubleshooting the LAN PROBLEM CORRECTIVE ACTION I cannot ac...

Page 350: ...henticating you Authentication may be through the user name and password the MAC address or the host name The username and password apply to PPPoE and PPPoA encapsulation only Make sure that you have entered the correct Service Type User Name and Password be sure to use the correct case Refer to Section 7 5 on page 94 I cannot access the Internet Make sure the ZyXEL Device is turned on and connect...

Page 351: ... configured a secured client IP address your computer s IP address must match it Refer to Chapter 23 on page 293 for details Your computer s and the ZyXEL Device s IP addresses must be on the same subnet for LAN access If you changed the ZyXEL Device s LAN IP address then enter the new one as the URL See the following section to check that pop up windows JavaScripts and Java permissions are allowe...

Page 352: ...in Windows XP SP Service Pack 2 or allow pop up blocking and create an exception for your device s IP address 29 4 1 1 1 Disable pop up Blockers 1 In Internet Explorer select Tools Pop up Blocker and then select Turn Off Pop up Blocker Figure 203 Pop up Blocker You can also check if pop up blocking is disabled in the Pop up Blocker section in the Privacy tab 1 In Internet Explorer select Tools Int...

Page 353: ... to save this setting 29 4 1 1 2 Enable pop up Blockers with Exceptions Alternatively if you only want to allow pop up windows from your device see the following steps 1 In Internet Explorer select Tools Internet Options and then the Privacy tab 2 Select Settings to open the Pop up Blocker Settings screen ...

Page 354: ...29 Troubleshooting Figure 205 Internet Options 3 Type the IP address of your device the web page that you do not want to have blocked with the prefix http For example http 192 168 1 1 4 Click Add to move the IP address to the list of Allowed sites ...

Page 355: ...ngs 5 Click Close to return to the Privacy screen 6 Click Apply to save this setting 29 4 1 2 JavaScripts If pages of the web configurator do not display properly in Internet Explorer check that JavaScripts are allowed 1 In Internet Explorer click Tools Internet Options and then the Security tab ...

Page 356: ...igure 207 Internet Options 2 Click the Custom Level button 3 Scroll down to Scripting 4 Under Active scripting make sure that Enable is selected the default 5 Under Scripting of Java applets make sure that Enable is selected the default 6 Click OK to close the window ...

Page 357: ...ttings Java Scripting 29 4 1 3 Java Permissions 1 From Internet Explorer click Tools Internet Options and then the Security tab 2 Click the Custom Level button 3 Scroll down to Microsoft VM 4 Under Java permissions make sure that a safety level is selected 5 Click OK to close the window ...

Page 358: ...9 Troubleshooting Figure 209 Security Settings Java 29 4 1 3 1 JAVA Sun 1 From Internet Explorer click Tools Internet Options and then the Advanced tab 2 make sure that Use Java 2 for applet under Java Sun is selected 3 Click OK to close the window ...

Page 359: ...You can also check the VoIP status in the Status screen If the VoIP settings are correct use speed dial to make peer to peer calls If you can make a call using speed dial there may be something wrong with the SIP server contact your VoIP service provider I cannot call from one of the ZyXEL Device s phone ports to the other phone port You cannot call the SIP number of the SIP account that you are u...

Page 360: ...P 2608HWL Dx Series User s Guide 360 Chapter 29 Troubleshooting ...

Page 361: ...witch Four auto negotiating auto MDI MDI X 10 100 Mbps RJ 45 Ethernet ports PHONE Ports 8 RJ 11 FXS POTS ports RESET Button Restores factory defaults Antenna One attached external dipole antenna 2dBi Operation Temperature 0º C 40º C Storage Temperature 30º 60º C Operation Humidity 20 95 RH Storage Humidity 20 95 RH Table 142 Firmware Features FEATURE DESCRIPTION Device Management Use the web confi...

Page 362: ...ver mail or web server for example on your network then use this feature to let people access it from the Internet DHCP Dynamic Host Configuration Protocol Use this feature to have the ZyXEL Device assign IP addresses an IP default gateway and DNS servers to computers on your network Dynamic DNS Support With Dynamic DNS Domain Name System support you can use a fixed URL www zyxel com for example w...

Page 363: ...at contain key words that you specify in the URL You can also schedule when to perform the filtering and give trusted LAN IP addresses unfiltered Internet access Media Bandwidth Management Media Bandwidth Management allows you to specify bandwidth classes based on an application and or subnet You can allocate specific amounts of bandwidth capacity bandwidth budgets to different bandwidth classes A...

Page 364: ...based and LLC based multiplexing Up to 8 PVCs Permanent Virtual Circuits I 610 F4 F5 OAM Zero configuration Other Protocol Support PPP Point to Point Protocol link layer protocol Transparent bridging for unsupported network layer protocols DHCP Server Client Relay RIP I RIP II ICMP ATM QoS SNMP v1 and v2c with MIB II support RFC 1213 IP Multicasting IGMP v1 and v2 IGMP Proxy UPnP Management Embedd...

Page 365: ...vent Denial of Service attacks such as Ping of Death SYN Flood LAND Smurf etc Access Control of Service Content Filtering IP Generic Packet Filtering Real time Attack Alerts and Logs Reports and logs SIP ALG passthrough NAT SUA Port Forwarding 2048 NAT sessions Multimedia application PPTP under NAT SUA IPSec passthrough SIP ALG passthrough VPN 20 Configurable IPSec tunnels Maximum 2 simultaneous I...

Page 366: ...dialing number and destination URL Multiple SIP number registration and multiple signaling handling capability per POTS port Caller ID support Flexible Dial Plan RFC3525 section 7 1 14 Multiple SIP Accounts Phone Numbers Freely assignable Numbers to Each Phone Port 8 SIP accounts supported PSTN Line allows you to make calls via your regular phone line even when the ZyXEL Device loses power Other F...

Page 367: ...3 1 requires the purchase of a third party TCP IP application package TCP IP should already be installed on computers using Windows NT 2000 XP Macintosh OS 7 and later operating systems After the appropriate TCP IP components are installed configure the TCP IP settings in order to communicate with your network If you manually assign IP information instead of using dynamic assignment make sure that...

Page 368: ... for Microsoft Networks If you need the adapter 1 In the Network window click Add 2 Select Adapter and then click Add 3 Select the manufacturer and model of your network adapter and then click OK If you need TCP IP 1 In the Network window click Add 2 Select Protocol and then click Add 3 Select Microsoft from the list of manufacturers 4 Select TCP IP from the list of network protocols and then clic...

Page 369: ...rk adapter s TCP IP entry and click Properties 2 Click the IP Address tab If your IP address is dynamic select Obtain an IP address automatically If you have a static IP address select Specify an IP address and type your information into the IP Address and Subnet Mask fields Figure 212 Windows 95 98 Me TCP IP Properties IP Address 3 Click the DNS Configuration tab If you do not know your DNS infor...

Page 370: ... OK to save and close the TCP IP Properties window 6 Click OK to close the Network window Insert the Windows CD if prompted 7 Turn on your ZyXEL Device and restart your computer when prompted Verifying Settings 1 Click Start and then Run 2 In the Run window type winipcfg and then click OK to open the IP Configuration window 3 Select your network adapter You should see your computer s IP address su...

Page 371: ...r Computer s IP Address 371 Figure 214 Windows XP Start Menu 2 For Windows XP click Network Connections For Windows 2000 NT click Network and Dial up Connections Figure 215 Windows XP Control Panel 3 Right click Local Area Connection and then click Properties ...

Page 372: ...ork Connections Properties 4 Select Internet Protocol TCP IP under the General tab in Win XP and click Properties Figure 217 Windows XP Local Area Connection Properties 5 The Internet Protocol TCP IP Properties window opens the General tab in Windows XP If you have a dynamic IP address click Obtain an IP address automatically ...

Page 373: ...ings tab in IP addresses click Add In TCP IP Address type an IP address in IP address and a subnet mask in Subnet mask and then click Add Repeat the above two steps for each IP address you want to add Configure additional default gateways in the IP Settings tab by clicking Add in Default gateways In TCP IP Gateway Address type the IP address of the default gateway in Gateway To manually configure ...

Page 374: ... them Figure 219 Windows XP Internet Protocol TCP IP Properties 8 Click OK to close the Internet Protocol TCP IP Properties window 9 Click OK to close the Local Area Connection Properties window 10Turn on your ZyXEL Device and restart your computer if prompted Verifying Settings 1 Click Start All Programs Accessories and then Command Prompt 2 In the Command Prompt window type ipconfig and then pre...

Page 375: ...Address 375 Figure 220 Macintosh OS 8 9 Apple Menu 2 Select Ethernet built in from the Connect via list Figure 221 Macintosh OS 8 9 TCP IP 3 For dynamically assigned settings select Using DHCP Server from the Configure list 4 For statically assigned settings do the following ...

Page 376: ... save changes to your configuration 7 Turn on your ZyXEL Device and restart your computer if prompted Verifying Settings Check your TCP IP properties in the TCP IP Control Panel window Macintosh OS X 1 Click the Apple menu and click System Preferences to open the System Preferences window Figure 222 Macintosh OS X Apple Menu 2 Click Network in the icon bar Select Automatic from the Location list S...

Page 377: ...ng From the Configure box select Manually Type your IP address in the IP Address box Type your subnet mask in the Subnet mask box Type the IP address of your ZyXEL Device in the Router address box 5 Click Apply Now and close the window 6 Turn on your ZyXEL Device and restart your computer if prompted Verifying Settings Check your TCP IP properties in the Network window ...

Page 378: ...P 2608HWL Dx Series User s Guide 378 Appendix B Setting up Your Computer s IP Address ...

Page 379: ...it binary number Therefore each octet has a possible range of 00000000 to 11111111 in binary or 0 to 255 in decimal There are several classes of IP addresses The first network number 192 in the above example defines the class of IP address These are defined as follows Class A 0 to 127 Class B 128 to 191 Class C 192 to 223 Class D 224 to 239 Class E 240 to 255 IP Address Classes and Hosts The class...

Page 380: ...tmost bit Class B addresses have a 1 in the leftmost bit and a 0 in the next leftmost bit Class C addresses start with 1 1 0 in the first three leftmost bits Class D addresses begin with 1 1 1 0 Class D addresses are used for multicasting which is used to send information to groups of computers There is also a class E It is reserved for future use The following table shows the allowed ranges for t...

Page 381: ...to network number bits By convention subnet masks always consist of a continuous sequence of ones beginning from the leftmost bit of the mask followed by a continuous sequence of zeros for a total number of 32 bits Since the mask is always a continuous number of ones beginning from the left followed by a continuous number of zeros for the remainder of the 32 bit mask you can simply specify the num...

Page 382: ...ded last octet bit values indicate host ID bits borrowed to make network ID bits The number of borrowed host ID bits determines the number of subnets you can have The remaining number of host ID bits after borrowing determines the number of hosts you can have on each subnet 255 255 255 240 28 1111 0000 240 255 255 255 248 29 1111 1000 248 255 255 255 252 30 1111 1100 252 Table 148 Alternative Subn...

Page 383: ...you need to borrow two host ID bits to give four possible combinations 00 01 10 and 11 The subnet mask is 26 bits 11111111 11111111 11111111 11000000 or 255 255 255 192 Each subnet contains 6 host ID bits giving 26 2 or 62 hosts for each subnet all zeroes is the subnet itself all ones is the broadcast address on the subnet Subnet Address 192 168 1 0 Lowest Host ID 192 168 1 1 Broadcast Address 192...

Page 384: ...ess 192 168 1 127 Highest Host ID 192 168 1 126 Table 154 Subnet 3 IP SUBNET MASK NETWORK NUMBER LAST OCTET BIT VALUE IP Address 192 168 1 128 IP Address Binary 11000000 10101000 00000001 10000000 Subnet Mask Binary 11111111 11111111 11111111 11000000 Subnet Address 192 168 1 128 Lowest Host ID 192 168 1 129 Broadcast Address 192 168 1 191 Highest Host ID 192 168 1 190 Table 155 Subnet 4 IP SUBNET...

Page 385: ...ID octets available for subnetting and a class A address has three host ID octets see Table 145 on page 380 available for subnetting Table 156 Eight Subnets SUBNET SUBNET ADDRESS FIRST ADDRESS LAST ADDRESS BROADCAST ADDRESS 1 0 1 30 31 2 32 33 62 63 3 64 65 94 95 4 96 97 126 127 5 128 129 158 159 6 160 161 190 191 7 192 193 222 223 8 224 225 254 255 Table 157 Class C Subnet Planning NO BORROWED HO...

Page 386: ... SUBNET 1 255 255 128 0 17 2 32766 2 255 255 192 0 18 4 16382 3 255 255 224 0 19 8 8190 4 255 255 240 0 20 16 4094 5 255 255 248 0 21 32 2046 6 255 255 252 0 22 64 1022 7 255 255 254 0 23 128 510 8 255 255 255 0 24 256 254 9 255 255 255 128 25 512 126 10 255 255 255 192 26 1024 62 11 255 255 255 224 27 2048 30 12 255 255 255 240 28 4096 14 13 255 255 255 248 29 8192 6 14 255 255 255 252 30 16384 2...

Page 387: ...r a service that matches web names e g www zyxel com to IP numbers FINGER TCP 79 Finger is a UNIX or Internet related command that can be used to find out if a user is logged on FTP TCP 20 21 File Transfer Program a program to enable fast transfer of files including large files that may not be possible by e mail H 323 TCP 1720 NetMeeting uses this protocol HTTP TCP 80 Hyper Text Transfer Protocol ...

Page 388: ...Protocol RTSP is a remote control for multimedia on the Internet SFTP TCP 115 Simple File Transfer Protocol SMTP TCP 25 Simple Mail Transfer Protocol is the message exchange standard for the Internet SMTP enables you to move messages from one e mail server to another SNMP TCP UDP 161 Simple Network Management Program SNMP TRAPS TCP UDP 162 Traps for use with the SNMP RFC 1215 SQL NET TCP 1521 Stru...

Page 389: ...ity Certificate Importing the Prestige s Certificate into Internet Explorer For Internet Explorer to trust a self signed certificate from the Prestige simply import the self signed certificate into your operating system as a trusted certification authority To have Internet Explorer trust a Prestige certificate issued by a certificate authority import the certificate authority s certificate into yo...

Page 390: ...0 Appendix E Importing Certificates Figure 225 Login Screen 2 Click Install Certificate to open the Install Certificate wizard Figure 226 Certificate General Information before Import 3 Click Next to begin the Install Certificate wizard ...

Page 391: ...ix E Importing Certificates 391 Figure 227 Certificate Import Wizard 1 4 Select where you would like to store the certificate and then click Next Figure 228 Certificate Import Wizard 2 5 Click Finish to complete the Import Certificate wizard ...

Page 392: ...2608HWL Dx Series User s Guide 392 Appendix E Importing Certificates Figure 229 Certificate Import Wizard 3 6 Click Yes to add the Prestige certificate to the root store Figure 230 Root Certificate Store ...

Page 393: ...eeds a certificate if Authenticate Client Certificates is selected on the Prestige You must have imported at least one trusted CA to the Prestige in order for the Authenticate Client Certificates to be active see the Certificates chapter for details Apply for a certificate from a Certification Authority CA that is trusted by the Prestige see the Prestige s Trusted CA web configurator screen ...

Page 394: ... CA s trusted certificate s your personal certificate s and a password to install the personal certificate s Installing the CA s Certificate 1 Double click the CA s trusted certificate to produce a screen similar to the one shown next Figure 233 CA Certificate Example 2 Click Install Certificate and follow the wizard as shown earlier in this appendix ...

Page 395: ...personal certificate given to you by the CA to produce a screen similar to the one shown next 1 Click Next to begin the wizard Figure 234 Personal Certificate Import Wizard 1 2 The file name and path of the certificate you double clicked should automatically appear in the File name text box Click Browse if you wish to import a different certificate Figure 235 Personal Certificate Import Wizard 2 3...

Page 396: ...e Import Wizard 3 4 Have the wizard determine where the certificate should be saved on your computer or select Place all certificates in the following store and choose a different location Figure 237 Personal Certificate Import Wizard 4 5 Click Finish to complete the wizard and begin the import process ...

Page 397: ...6 Using a Certificate When Accessing the Prestige Example Use the following procedure to access the Prestige via HTTPS 1 Enter https Prestige IP Address in your browser s web address field Figure 240 Access the Prestige Via HTTPS 2 When Authenticate Client Certificates is selected on the Prestige the following screen asks you to select a personal certificate to send to the Prestige This screen dis...

Page 398: ...P 2608HWL Dx Series User s Guide 398 Appendix E Importing Certificates Figure 241 SSL Client Authentication 3 You next see the Prestige login screen Figure 242 Prestige Secure Login Screen ...

Page 399: ...iving data packets between two Ethernet devices Some companies have more than one alternate route to one or more ISPs If the LAN and ISP s are in the same subnet the triangle route problem may occur The steps below describe the triangle route problem 1 A computer on the LAN initiates a connection by sending out a SYN packet to a receiving server on the WAN 2 The ZyXEL Device reroutes the SYN packe...

Page 400: ...to three logical LAN interfaces with the ZyXEL Device being the gateway for each logical network By putting your LAN and Gateway B in different subnets all returning network traffic must pass through the ZyXEL Device to your LAN The following steps describe such a scenario 1 A computer on the LAN initiates a connection by sending a SYN packet to a receiving server on the WAN 2 The ZyXEL Device rer...

Page 401: ...WAN Side A second solution to the triangle route problem is to put all of your network gateways on the WAN side as the following figure shows This ensures that all incoming network traffic passes through your ZyXEL Device to your LAN Therefore your LAN is protected Figure 246 Gateways on the WAN Side ...

Page 402: ...P 2608HWL Dx Series User s Guide 402 Appendix F Triangle Route ...

Page 403: ...via telnet Successful FTP login Someone has logged on to the router via ftp FTP login failed Someone has failed to log on to the router via ftp NAT Session Table is Full The maximum number of NAT session table entries has been exceeded and the table is full Starting Connectivity Monitor Starting Connectivity Monitor Time initialized by Daytime Server The router got the time and date from the Dayti...

Page 404: ...interface Table 162 Access Control Logs LOG MESSAGE DESCRIPTION Firewall default policy TCP UDP IGMP ESP GRE OSPF Packet Direction Attempted TCP UDP IGMP ESP GRE OSPF access matched the default policy and was blocked or forwarded according to the default policy s setting Firewall rule NOT match TCP UDP IGMP ESP GRE OSPF Packet Direction rule d Attempted TCP UDP IGMP ESP GRE OSPF access matched or ...

Page 405: ... s 3600 Exceed MAX incomplete sent TCP RST The router sent a TCP reset packet when the number of incomplete connections TCP and UDP exceeded the user configured threshold Incomplete count is for all TCP and UDP connections through the firewall Note When the number of incomplete connections TCP UDP Maximum Incomplete High the router sends TCP RST packets for TCP connections and destroys TOS firewal...

Page 406: ...le board 0 line 0 channel 0 call 3 C01 Outgoing Call dev 6 ch 0 Means the router has dialed to the PPPoE server 3 times board d line d channel d call d s C02 OutCall Connected d s The PPPoE PPTP or dial up call is connected board d line d channel d call d s C02 Call Terminated The PPPoE PPTP or dial up call was disconnected Table 167 PPP Logs LOG MESSAGE DESCRIPTION ppp LCP Starting The PPP connec...

Page 407: ...MP type d code d The firewall detected an ICMP land attack ip spoofing WAN TCP UDP IGMP ESP GRE OSPF The firewall detected an IP spoofing attack on the WAN port ip spoofing WAN ICMP type d code d The firewall detected an ICMP IP spoofing attack on the WAN port icmp echo ICMP type d code d The firewall detected an ICMP echo attack syn flood TCP The firewall detected a TCP syn flood attack ports sca...

Page 408: ...es not support authentication method The local user database only supports the EAP MD5 method A user tried to use another authentication method and was not authenticated User logout because of session timeout expired The router logged out a user whose session expired User logout because of user deassociation The router logged out a user who ended the session User logout because of no authenticatio...

Page 409: ...evice WAN to WAN ZyXEL Device ACL set for packets traveling from the WAN to the WAN or the ZyXEL Device Table 173 ICMP Notes TYPE CODE DESCRIPTION 0 Echo Reply 0 Echo reply message 3 Destination Unreachable 0 Net unreachable 1 Host unreachable 2 Protocol unreachable 3 Port unreachable 4 A packet that needed fragmentation was dropped because it was set to Don t Fragment DF 5 Source route failed 4 S...

Page 410: ... web MAIN MENU LOGS Log Settings page The severity is the log s syslog class The definition of messages and notes are defined in the various log charts throughout this appendix The devID is the last three characters of the MAC address of the router s LAN port The cat is the same as the category in the router s logs Table 175 SIP Logs LOG MESSAGE DESCRIPTION SIP Registration Success by SIP SIP Phon...

Page 411: ...ing Call Number Someone used a phone connected to the listed phone port to make a VoIP call to the listed destination VoIP Call End Phone Phone Port A VoIP phone call made from a phone connected to the listed phone port has terminated Table 178 FSM Logs Callee Side LOG MESSAGE DESCRIPTION VoIP Call Start from SIP SIP Port Number A VoIP phone call came to the ZyXEL Device from the listed SIP number...

Page 412: ...ogs the ZyXEL Device is to record 2 Use sys logs category to view a list of the log categories Figure 247 Displaying Log Categories Example 3 Use sys logs category followed by a log category to display the parameters that are available for the category Table 180 RFC 2408 ISAKMP Payload Types LOG DISPLAY PAYLOAD TYPE SA Security Association PROP Proposal TRANS Transform KE Key Exchange ID Identific...

Page 413: ...rameter is available with every category 5 Use the sys logs save command to store the settings in the ZyXEL Device you must do this in order to record logs Displaying Logs Use the sys logs display command to show all of the logs in the ZyXEL Device s log Use the sys logs category display command to show the log settings for all of the log categories Use the sys logs display log category command to...

Page 414: ...ion notes message 7 01 01 2000 09 40 13 192 168 1 1 3 192 168 1 33 1 ACCESS FO RWARD Router reply ICMP packet ICMP type 3 code 1 8 01 01 2000 09 40 07 192 168 1 1 3 192 168 1 33 1 ACCESS FO RWARD Router reply ICMP packet ICMP type 3 code 1 9 01 01 2000 09 40 04 192 168 1 1 3 192 168 1 33 1 ACCESS FO RWARD Router reply ICMP packet ICMP type 3 code 1 10 01 01 2000 09 40 04 192 168 1 33 1199 207 69 1...

Page 415: ...es allowed input where input is your input conforming to parameter values allowed The figure shown next is an example of an Internal SPTGEN text file Figure 250 Configuration Text File Format Column Descriptions Note DO NOT alter or delete any field except parameters in the Input column This appendix introduces Internal SPTGEN All menus shown in this appendix are example menus meant to show SPTGEN...

Page 416: ... Example The ZyXEL Device will display the following if you enter parameter s that are valid Figure 252 Valid Parameter Entered Command Line Example Internal SPTGEN FTP Download Example 1 Launch your FTP application 2 Enter bin The command bin sets the transfer mode to binary 3 Get rom t file The command get transfers files from the ZyXEL Device to your computer The name rom t is the configuration...

Page 417: ...n Figure 254 Internal SPTGEN FTP Upload Example Example Internal SPTGEN Screens This section covers ZyXEL Device Internal SPTGEN screens c ftp 192 168 1 1 220 PPP FTP version 1 0 ready at Sat Jan 1 03 22 12 2000 User 192 168 1 1 none 331 Enter PASS command Password 230 Logged in ftp bin 200 Type I OK ftp get rom t ftp bye c edit rom t edit the rom t text file by a text editor and save it c ftp 192...

Page 418: ... 183 Menu 3 Menu 3 1 General Ethernet Setup FIN FN PVA INPUT 30100001 Input Protocol filters Set 1 2 30100002 Input Protocol filters Set 2 256 30100003 Input Protocol filters Set 3 256 30100004 Input Protocol filters Set 4 256 30100005 Input device filters Set 1 256 30100006 Input device filters Set 2 256 30100007 Input device filters Set 3 256 30100008 Input device filters Set 4 256 30100009 Outp...

Page 419: ...In Only 3 Out Only 0 30200011 Version 0 Rip 1 1 Rip 2B 2 Rip 2M 0 30200012 Multicast 0 IGMP v2 1 IGMP v1 2 None 2 30200013 IP Policies Set 1 1 12 256 30200014 IP Policies Set 2 1 12 256 30200015 IP Policies Set 3 1 12 256 30200016 IP Policies Set 4 1 12 256 Menu 3 2 1 IP Alias Setup FIN FN PVA INPUT 30201001 IP Alias 1 0 No 1 Yes 0 30201002 IP Address 0 0 0 0 30201003 IP Subnet Mask 0 30201004 RIP...

Page 420: ...ction 0 None 1 Both 2 In Only 3 Out Only 0 30201018 Version 0 Rip 1 1 Rip 2B 2 Rip 2M 0 30201019 IP Alias 2 Incoming protocol filters Set 1 256 30201020 IP Alias 2 Incoming protocol filters Set 2 256 30201021 IP Alias 2 Incoming protocol filters Set 3 256 30201022 IP Alias 2 Incoming protocol filters Set 4 256 30201023 IP Alias 2 Outgoing protocol filters Set 1 256 30201024 IP Alias 2 Outgoing pro...

Page 421: ...500012 Wlan Active 0 Disable 1 Enable 0 MENU 3 5 1 WLAN MAC ADDRESS FILTER FIN FN PVA INPUT 30501001 Mac Filter Active 0 No 1 Yes 0 30501002 Filter Action 0 Allow 1 Deny 0 30501003 Address 1 00 00 00 00 0 0 00 30501004 Address 2 00 00 00 00 0 0 00 30501005 Address 3 00 00 00 00 0 0 00 Continued 30501034 Address 32 00 00 00 00 0 0 00 Table 183 Menu 3 Table 184 Menu 4 Internet Access Setup Menu 4 In...

Page 422: ...P subnet mask 0 40000016 ISP incoming protocol filter set 1 6 40000017 ISP incoming protocol filter set 2 256 40000018 ISP incoming protocol filter set 3 256 40000019 ISP incoming protocol filter set 4 256 40000020 ISP outgoing protocol filter set 1 256 40000021 ISP outgoing protocol filter set 2 256 40000022 ISP outgoing protocol filter set 3 256 40000023 ISP outgoing protocol filter set 4 256 40...

Page 423: ...o 1 Yes 0 Menu 12 1 2 IP Static Route Setup FIN FN PVA INPUT 120102001 IP Static Route set 2 Name 120102002 IP Static Route set 2 Active 0 No 1 Yes 0 120102003 IP Static Route set 2 Destination IP address 0 0 0 0 120102004 IP Static Route set 2 Destination IP subnetmask 0 120102005 IP Static Route set 2 Gateway 0 0 0 0 120102006 IP Static Route set 2 Metric 0 120102007 IP Static Route set 2 Privat...

Page 424: ...ination IP subnetmask 0 120105005 IP Static Route set 5 Gateway 0 0 0 0 120105006 IP Static Route set 5 Metric 0 120105007 IP Static Route set 5 Private 0 No 1 Yes 0 Menu 12 1 6 IP Static Route Setup FIN FN PVA INPUT 120106001 IP Static Route set 6 Name Str 120106002 IP Static Route set 6 Active 0 No 1 Yes 0 120106003 IP Static Route set 6 Destination IP address 0 0 0 0 120106004 IP Static Route s...

Page 425: ...0109003 IP Static Route set 9 Destination IP address 0 0 0 0 120109004 IP Static Route set 9 Destination IP subnetmask 0 120109005 IP Static Route set 9 Gateway 0 0 0 0 120109006 IP Static Route set 9 Metric 0 120109007 IP Static Route set 9 Private 0 No 1 Yes 0 Menu 12 1 10 IP Static Route Setup FIN FN PVA INPUT 120110001 IP Static Route set 10 Name 120110002 IP Static Route set 10 Active 0 No 1 ...

Page 426: ...p FIN FN PVA INPUT 120113001 IP Static Route set 13 Name Str 120113002 IP Static Route set 13 Active 0 No 1 Yes 0 120113003 IP Static Route set 13 Destination IP address 0 0 0 0 120113004 IP Static Route set 13 Destination IP subnetmask 0 120113005 IP Static Route set 13 Gateway 0 0 0 0 120113006 IP Static Route set 13 Metric 0 120113007 IP Static Route set 13 Private 0 No 1 Yes 0 Menu 12 1 14 IP ...

Page 427: ... subnetmask 0 120116005 IP Static Route set 16 Gateway 0 0 0 0 120116006 IP Static Route set 16 Metric 0 120116007 IP Static Route set 16 Private 0 No 1 Yes 0 Table 185 Menu 12 continued Table 186 Menu 15 SUA Server Setup Menu 15 SUA Server Setup FIN FN PVA INPUT 150000001 SUA Server IP address for default port 0 0 0 0 150000002 SUA Server 2 Active 0 No 1 Yes 0 150000003 SUA Server 2 Protocol 0 Al...

Page 428: ...ol 0 All 6 TCP 17 U DP 0 0 0 0 150000029 SUA Server 7 Port Start 0 150000030 SUA Server 7 Port End 0 150000031 SUA Server 7 Local IP address 0 0 0 0 150000032 SUA Server 8 Active 0 No 1 Yes 0 150000033 SUA Server 8 Protocol 0 All 6 TCP 17 U DP 0 150000034 SUA Server 8 Port Start 0 150000035 SUA Server 8 Port End 0 150000036 SUA Server 8 Local IP address 0 0 0 0 150000037 SUA Server 9 Active 0 No 1...

Page 429: ...set 1 rule 1 FIN FN PVA INPUT 210101001 IP Filter Set 1 Rule 1 Type 2 TCP IP 2 210101002 IP Filter Set 1 Rule 1 Active 0 No 1 Yes 1 210101003 IP Filter Set 1 Rule 1 Protocol 6 210101004 IP Filter Set 1 Rule 1 Dest IP address 0 0 0 0 210101005 IP Filter Set 1 Rule 1 Dest Subnet Mask 0 210101006 IP Filter Set 1 Rule 1 Dest Port 137 210101007 IP Filter Set 1 Rule 1 Dest Port Comp 0 none 1 equal 2 not...

Page 430: ...ual 2 not equal 3 less 4 greater 0 210102013 IP Filter Set 1 Rule 2 Act Match 1 check next 2 forward 3 drop 3 210102014 IP Filter Set 1 Rule 2 Act Not Match 1 check next 2 forward 3 drop 1 Menu 21 1 1 3 set 1 rule 3 FIN FN PVA INPUT 210103001 IP Filter Set 1 Rule 3 Type 2 TCP IP 2 210103002 IP Filter Set 1 Rule 3 Active 0 No 1 Yes 1 210103003 IP Filter Set 1 Rule 3 Protocol 6 210103004 IP Filter S...

Page 431: ...P address 0 0 0 0 210104009 IP Filter Set 1 Rule 4 Src Subnet Mask 0 210104010 IP Filter Set 1 Rule 4 Src Port 0 210104011 IP Filter Set 1 Rule 4 Src Port Comp 0 none 1 equal 2 not equal 3 less 4 greater 0 210104013 IP Filter Set 1 Rule 4 Act Match 1 check next 2 forward 3 drop 3 210104014 IP Filter Set 1 Rule 4 Act Not Match 1 check next 2 forward 3 drop 1 Menu 21 1 1 5 set 1 rule 5 FIN FN PVA IN...

Page 432: ...106004 IP Filter Set 1 Rule 6 Dest IP address 0 0 0 0 210106005 IP Filter Set 1 Rule 6 Dest Subnet Mask 0 210106006 IP Filter Set 1 Rule 6 Dest Port 139 210106007 IP Filter Set 1 Rule 6 Dest Port Comp 0 none 1 equal 2 not equal 3 less 4 greater 1 210106008 IP Filter Set 1 Rule 6 Src IP address 0 0 0 0 210106009 IP Filter Set 1 Rule 6 Src Subnet Mask 0 210106010 IP Filter Set 1 Rule 6 Src Port 0 21...

Page 433: ...0 IP Filter Set 2 Rule 1 Src Port 0 210201011 IP Filter Set 2 Rule 1 Src Port Comp 0 none 1 equal 2 not equal 3 less 4 gr eater 0 210201013 IP Filter Set 2 Rule 1 Act Match 1 check next 2 forward 3 drop 3 210201014 IP Filter Set 2 Rule 1 Act Not Match 1 check next 2 forward 3 drop 1 Menu 21 1 2 2 Filter set 2 rule 2 FIN FN PVA INPUT 210202001 IP Filter Set 2 Rule 2 Type 0 none 2 TCP IP 2 210202002...

Page 434: ...ocol 6 210203004 IP Filter Set 2 Rule 3 Dest IP address 0 0 0 0 210203005 IP Filter Set 2 Rule 3 Dest Subnet Mask 0 210203006 IP Filter Set 2 Rule 3 Dest Port 139 210203007 IP Filter Set 2 Rule 3 Dest Port Comp 0 none 1 equal 2 not equal 3 less 4 gr eater 1 210203008 IP Filter Set 2 Rule 3 Src IP address 0 0 0 0 210203009 IP Filter Set 2 Rule 3 Src Subnet Mask 0 210203010 IP Filter Set 2 Rule 3 Sr...

Page 435: ...ot equal 3 less 4 gr eater 0 210204013 IP Filter Set 2 Rule 4 Act Match 1 check next 2 forward 3 drop 3 210204014 IP Filter Set 2 Rule 4 Act Not Match 1 check next 2 forward 3 drop 1 Menu 21 1 2 5 Filter set 2 rule 5 FIN FN PVA INPUT 210205001 IP Filter Set 2 Rule 5 Type 0 none 2 TCP IP 2 210205002 IP Filter Set 2 Rule 5 Active 0 No 1 Yes 1 210205003 IP Filter Set 2 Rule 5 Protocol 17 210205004 IP...

Page 436: ...k 0 210206006 IP Filter Set 2 Rule 6 Dest Port 139 210206007 IP Filter Set 2 Rule 6 Dest Port Comp 0 none 1 equal 2 not equal 3 less 4 gr eater 1 210206008 IP Filter Set 2 Rule 6 Src IP address 0 0 0 0 210206009 IP Filter Set 2 Rule 6 Src Subnet Mask 0 210206010 IP Filter Set 2 Rule 6 Src Port 0 210206011 IP Filter Set 2 Rule 6 Src Port Comp 0 none 1 equal 2 not equal 3 less 4 gr eater 0 210206013...

Page 437: ... Accounting Server Configured 0 No 1 Yes 1 230200007 Accounting Server Active 0 No 1 Yes 1 230200008 Accounting Server IP Address 192 168 1 44 230200009 Accounting Server Port 1823 230200010 Accounting Server Shared Secret 1234 Menu 23 4 System security IEEE802 1x FIN FN PVA INPUT 230400001 Wireless Port Control 0 Authentication Required 1 No Access Allowed 2 No Authentication Required 2 230400002...

Page 438: ... 24 11 Remote Management Control FIN FN PVA INPUT 241100001 TELNET Server Port 23 241100002 TELNET Server Access 0 all 1 none 2 L an 3 Wan 0 241100003 TELNET Server Secured IP address 0 0 0 0 241100004 FTP Server Port 21 241100005 FTP Server Access 0 all 1 none 2 L an 3 Wan 0 241100006 FTP Server Secured IP address 0 0 0 0 241100007 WEB Server Port 80 241100008 WEB Server Access 0 all 1 none 2 L a...

Page 439: ...P 2608HWL Dx Series User s Guide Appendix H Internal SPTGEN 439 FIN FN PVA INPUT 990000001 ADSL OPMD 0 etsi 1 normal 2 gdmt 3 multimo de 3 Table 191 Command Examples continued FIN FN PVA INPUT ...

Page 440: ...P 2608HWL Dx Series User s Guide 440 Appendix H Internal SPTGEN ...

Page 441: ...ypes and firewalls 192 authentication algorithms 223 and active protocol 223 Authentication Header See AH automatic log out 47 Auto negotiating Rate Adaptation 364 B backup configuration 335 backup gateway 102 104 backup type 104 bandwidth management 277 279 281 allocating 277 and rules 283 capacity 277 classes 279 configuration 282 example 278 limits 277 maximizing 279 maximizing example 280 moni...

Page 442: ...d remote management 293 contact information 9 content filtering 217 categories 217 configuration 217 schedule 218 trusted computers 219 URL keyword blocking 217 copyright 3 CoS 158 cost of transmission 92 creating certificates 254 custom ports creating editing 209 custom ports and firewalls 208 custom services and firewalls 208 customer support 9 D daylight saving 321 decoder 156 default LAN IP ad...

Page 443: ...ms 223 and active protocol 223 encryption wireless 128 errors types of logs 325 ESP 228 and transport mode 229 Ethernet lights 349 Europe type call service mode 168 Europe type supplementary services 168 extended authentication IKE SA 225 Extended Service Set IDentification 124 extended wireless security 63 External RADIUS 365 F F4 F5 OAM 364 factory defaults 336 fairness based bandwidth managemen...

Page 444: ... general setup 319 configuration 320 graphics icons 40 group ring 181 H half open sessions and firewall 214 hardware problems 349 HTTP 188 189 190 and firmware 332 and remote management 293 HTTPS 294 and remote management 293 294 implementation 295 introduction 294 Humidity 361 hybrid waveform codec 156 I IAD Integrated Access Device 41 IANA 108 IANA IP address assignment 108 ICMP and anti probing...

Page 445: ...poofing 190 IP Spoofing and firewalls 193 IP PBX 151 IPSec 221 IPSec Passthrough 365 IPSec SA active protocol 228 authentication algorithms 223 authentication key manual keys 230 encapsulation 228 encryption algorithms 223 encryption key manual keys 230 local policy 228 manual keys 229 Perfect Forward Secrecy PFS 229 proposal 229 remote policy 228 Security Parameter Index SPI manual keys 230 trans...

Page 446: ...94 and SIP 155 and STUN 155 and UPnP 307 and VPN 226 application 141 definitions 139 how it works 140 mapping types 141 modes 143 port forwarding 144 rules 148 server mapping 141 services 144 traversal 307 what it does 140 NAT Network Address Translation 139 NAT routers 155 NAT Sessions 365 NAT traversal 227 NAT vs SUA 142 NetBIOS commands 192 O OAM 364 Operation Humidity 361 Operation Temperature...

Page 447: ... 364 Q QoS and VoIP 158 QoS wireless 135 Quality of Service 158 Quick Dialing 366 quick start guide 39 45 R RADIUS 365 and IKE SA 225 Reach Extended ADSL 364 Real Time E mail Alerts 365 Real Time Transport Protocol 154 recommended browser settings 351 redirect server SIP 154 register server SIP 154 registration product 8 reinitialize the ADSL line 347 related documentation 39 remote hosts and cert...

Page 448: ... SIP 151 Silence Suppression 366 silence suppression 167 silent packets 167 Simple Network Management Protocol SNMP 299 Simple Network Management Protocol See SNMP SIP 151 SIP account 151 SIP accounts 67 SIP ALG 149 155 SIP ALG Passthrough 365 SIP Application Layer Gateway 149 SIP call progression 152 SIP client 152 SIP client server 152 SIP identities 151 SIP INVITE request 152 SIP number 69 151 ...

Page 449: ...t 415 three way conference 169 170 three way handshake and firewalls 190 threshold values and firewall 213 time 321 daylight saving 321 server 321 settings 321 zone 321 time server 321 TLS 365 tools for management 331 ToS 158 Touch Tone 156 traceroute and firewalls 193 trademarks 3 traffic priority wireless 135 traffic redirect 102 103 104 traffic redirect example 102 traffic shaping 92 transferri...

Page 450: ...ocol 228 and NAT 226 established in two phases 221 IKE SA See IKE SA IPSec 221 IPSec SA See IPSec SA local network 221 proposal 223 remote IPSec router 221 remote network 221 security association SA 221 VPN See also IKE SA IPSec SA 221 W WAN and bandwidth management 277 and configuration file 332 and dynamic DNS 289 and ICMP 303 and remote management 293 file maintenance 332 firewall policy 199 pr...

Page 451: ...P 2608HWL Dx Series User s Guide Index 451 Z zero configuration Internet access 94 ZyNOS 332 ZyNOS ZyXEL Network Operating System 331 ZyNOS firmware version 332 ZyXEL s firewall introduction 188 ...

Reviews:

No comments

Related manuals for P-2608HWL-D1

D-Link DSL-500 Quick Start Manual preview
DSL-500
Brand: D-Link Pages: 11
D-Link DHP?P309AV Setup Manual preview
DHP?P309AV
Brand: D-Link Pages: 8
D-Link AirPlus DWL-810 Quick Installation Manual preview
AirPlus DWL-810
Brand: D-Link Pages: 8
D-Link DHP-601AV Quick Installation Manual preview
DHP-601AV
Brand: D-Link Pages: 84
Makita RF1101 Parts Breakdown preview
RF1101
Brand: Makita Pages: 2
Abocom MH200 Quick Installation Manual preview
MH200
Brand: Abocom Pages: 11
Abocom CWB1000 Quick Installation Manual preview
CWB1000
Brand: Abocom Pages: 19
Watchguard Firebox SOHO 6 Wireless Instructions Manual preview
Firebox SOHO 6 Wireless
Brand: Watchguard Pages: 8
Dialogic DM/IP601-CPCI-100BT Quick Install Card preview
DM/IP601-CPCI-100BT
Brand: Dialogic Pages: 2
MA lighting 8Port Node Quick Manual preview
8Port Node
Brand: MA lighting Pages: 49
Dynamix UM-S User Manual preview
UM-S
Brand: Dynamix Pages: 102
Intellinet 720564 Instructions preview
720564
Brand: Intellinet Pages: 2
Matrix Switch Corporation MSC-XD88S Product Manual preview
MSC-XD88S
Brand: Matrix Switch Corporation Pages: 60
rtd IDAN-ID5915 User Manual preview
IDAN-ID5915
Brand: rtd Pages: 28
Comnet CNGE28FX4TX24MS2 Installation And Operation Manual preview
CNGE28FX4TX24MS2
Brand: Comnet Pages: 154
R.V.R. Elettronica PTX30-UHT Installation, Technical And Maintenance Manual preview
PTX30-UHT
Brand: R.V.R. Elettronica Pages: 171
IBA ibaBM-FOX-i-3o-D Manual preview
ibaBM-FOX-i-3o-D
Brand: IBA Pages: 13
NAUTICAST 300 2001 Product Manual preview
300 2001
Brand: NAUTICAST Pages: 20

Brands by name

Popular brands

Load more brands