ZyXEL Communications P-660H - VERSION 3.40, User Manual

Share

Page: 119 / 465

ZyXEL Communications P-660H - VERSION 3.40 User Manual Download Page 119

P-660H/HW/W-T Series User’ Guide

119

Chapter 10 Firewalls

10.2.2 Application-level Firewalls

Application-level firewalls restrict access by serving as proxies for external servers. Since they
use programs written for specific Internet services, such as HTTP, FTP and telnet, they can
evaluate network packets for valid application-specific data. Application-level gateways have
a number of general advantages over the default mode of permitting application traffic directly
to internal hosts:

Information hiding prevents the names of internal systems from being made known via DNS
to outside systems, since the application gateway is the only host whose name must be made
known to outside systems.

Robust authentication and logging pre-authenticates application traffic before it reaches
internal hosts and causes it to be logged more effectively than if it were logged with standard
host logging. Filtering rules at the packet filtering router can be less complex than they would
be if the router needed to filter application traffic and direct it to a number of specific systems.
The router need only allow application traffic destined for the application gateway and reject
the rest.

10.2.3 Stateful Inspection Firewalls

Stateful inspection firewalls restrict access by screening data packets against defined access
rules. They make access control decisions based on IP address and protocol. They also
"inspect" the session data to assure the integrity of the connection and to adapt to dynamic
protocols. These firewalls generally provide the best speed and transparency, however, they
may lack the granular application level access control or caching that some proxies support.
See

Section 10.5 on page 124

for more information on stateful inspection.

Firewalls, of one type or another, have become an integral part of standard security solutions
for enterprises.

10.3 Introduction to ZyXEL’s Firewall

The Prestige firewall is a stateful inspection firewall and is designed to protect against Denial
of Service attacks when activated (in SMT menu 21.2 or in the web configurator). The
Prestige’s purpose is to allow a private Local Area Network (LAN) to be securely connected
to the Internet. The Prestige can be used to prevent theft, destruction and modification of data,
as well as log events, which may be important to the security of your network. The Prestige
also has packet filtering capabilities.

The Prestige is installed between the LAN and the Internet. This allows it to act as a secure
gateway for all data passing between the Internet and the LAN.

The Prestige has one DSL/ISDN port and one Ethernet LAN port, which physically separate
the network into two areas.

• The DSL/ISDN port connects to the Internet.

«
...
117
118
119
120
121
...
»

Summary of Contents for P-660H - VERSION 3.40

Page 1: ...P 660H HW W T Series ADSL 2 Gateway User s Guide Version 3 40 6 2005...

Page 2: ...ZyXEL Communications Corporation All rights reserved Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products or software described herein Neither does it...

Page 3: ...occur in a particular installation If this equipment does cause harmful interference to radio television reception which can be determined by turning the equipment off and on the user is encouraged t...

Page 4: ...ther antenna or transmitter ZyXEL Communications Corporation declared that Prestige 660HW T1 is limited in CH1 11 from 2400 to 2483 5 MHz by specified firmware controlled in USA Certifications Go to w...

Page 5: ...supply is damaged remove it from the power outlet Do NOT attempt to repair the power supply Contact your local vendor to order a new power supply Place connecting cables carefully so that no one will...

Page 6: ...d by an act of God or subjected to abnormal working conditions Note Repair or replacement as provided under this warranty is the exclusive remedy of the purchaser This warranty is in lieu of all other...

Page 7: ...svej 5 2860 Soeborg Denmark sales zyxel dk 45 39 55 07 07 FINLAND support zyxel fi 358 9 4780 8411 www zyxel fi ZyXEL Communications Oy Malminkaari 10 00700 Helsinki Finland sales zyxel fi 358 9 4780...

Page 8: ...yxel co uk ZyXEL Communications UK Ltd 11 The Courtyard Eastern Road Bracknell Berkshire RG12 2XB United Kingdom UK sales zyxel co uk 44 0 1344 303034 ftp zyxel co uk a is the prefix number you enter...

Page 9: ...P 660H HW W T Series User Guide 9 Customer Support...

Page 10: ...Know Your Prestige 42 1 1 Introducing the Prestige 42 1 2 Features 42 1 2 1 Wireless Features P 660HW P 660W 45 1 3 Applications for the Prestige 46 1 3 1 Protected Internet Access 46 1 3 2 LAN to LAN...

Page 11: ...orks 67 4 3 Configuring LAN 68 Chapter 5 Wireless LAN 70 5 1 Wireless LAN Introduction 70 5 2 Wireless Security Overview 70 5 2 1 Encryption 70 5 2 2 Authentication 70 5 2 3 Restricted Access 71 5 2 4...

Page 12: ...on 92 6 1 4 3 IP Assignment with ENET ENCAP Encapsulation 92 6 1 5 Nailed Up Connection PPP 92 6 1 6 NAT 92 6 2 Metric 92 6 3 PPPoE Encapsulation 93 6 4 Traffic Shaping 93 6 5 Zero Configuration Inter...

Page 13: ...Stateful Inspection Firewalls 119 10 3 Introduction to ZyXEL s Firewall 119 10 3 1 Denial of Service Attacks 120 10 4 Denial of Service 120 10 4 1 Basics 120 10 4 2 Types of DoS Attacks 121 10 4 2 1 I...

Page 14: ...Rules 138 11 7 Customized Services 141 11 8 Configuring A Customized Service 141 11 9 Example Firewall Rule 142 11 10 Predefined Services 146 11 11 Anti Probing 148 11 12 DoS Thresholds 149 11 12 1 T...

Page 15: ...ges 179 15 4 1 Example E mail Log 180 Chapter 16 Media Bandwidth Management Advanced Setup 182 16 1 Media Bandwidth Management Overview 182 16 2 Bandwidth Classes and Filters 182 16 3 Proportional Ban...

Page 16: ...17 6 1 General Diagnostic 202 17 6 2 DSL Line Diagnostic 203 17 7 Firmware Upgrade 205 Chapter 18 Introducing the SMT 208 18 1 SMT Introduction 208 18 1 1 Procedure for SMT Configuration via Telnet 2...

Page 17: ...uration 233 Chapter 24 Remote Node Configuration 236 24 1 Remote Node Setup Overview 236 24 2 Remote Node Setup 236 24 2 1 Remote Node Profile 236 24 2 2 Encapsulation and Multiplexing Scenarios 237 2...

Page 18: ...Server behind NAT 260 27 5 General NAT Examples 261 27 5 1 Example 1 Internet Access Only 262 27 5 2 Example 2 Internet Access with an Inside Server 262 27 5 3 Example 3 Multiple Public IP Addresses W...

Page 19: ...and Diagnosis 296 32 1 Overview 296 32 2 System Status 296 32 3 System Information 298 32 3 1 System Information 298 32 3 2 Console Port Speed 299 32 4 Log and Trace 300 32 4 1 Viewing Error Log 300...

Page 20: ...4 1 Command Interpreter Mode 318 34 2 Call Control Support 319 34 2 1 Budget Management 319 34 3 Time and Date Setting 320 34 3 1 Resetting the Time 322 Chapter 35 Remote Management 324 35 1 Remote Ma...

Page 21: ...ns 349 38 4 2 ActiveX Controls in Internet Explorer 351 Appendix A Product Specifications 354 Appendix B Wall mounting Instructions 358 Appendix C Setting up Your Computer s IP Address 360 Windows 95...

Page 22: ...398 Telephone Microfilters 398 Prestige With ISDN 399 Appendix J PPPoE 402 PPPoE in Action 402 Benefits of PPPoE 402 Traditional Dial up Scenario 402 How PPPoE Works 403 Prestige as a PPPoE Client 40...

Page 23: ...23 Table of Contents Appendix M Internal SPTGEN 430 Internal SPTGEN Overview 430 The Configuration Text File Format 430 Internal SPTGEN FTP Download Example 431 Internal SPTGEN FTP Upload Example 432...

Page 24: ...d Setup Connection Tests 60 Figure 15 LAN and WAN IP Addresses 62 Figure 16 Any IP Example 67 Figure 17 LAN Setup 68 Figure 18 Wireless LAN 72 Figure 19 Wireless Security Methods 73 Figure 20 Wireless...

Page 25: ...all Example Edit Rule Select Customized Services 145 Figure 60 Firewall Example Rule Summary My Service 146 Figure 61 Firewall Anti Probing 149 Figure 62 Firewall Threshold 151 Figure 63 Content Filte...

Page 26: ...98 System Status 197 Figure 99 System Status Show Statistics 199 Figure 100 DHCP Table 200 Figure 101 Any IP Table 201 Figure 102 Association List 202 Figure 103 Diagnostic General 203 Figure 104 Diag...

Page 27: ...Internet Access 255 Figure 142 Applying NAT in Menus 4 11 3 255 Figure 143 Menu 15 NAT Setup 256 Figure 144 Menu 15 1 Address Mapping Sets 257 Figure 145 Menu 15 1 255 SUA Address Mapping Rules 257 Fi...

Page 28: ...intenance Status 297 Figure 189 Menu 24 2 System Information and Console Port Speed 298 Figure 190 Menu 24 2 1 System Maintenance Information 299 Figure 191 Menu 24 2 2 System Maintenance Change Conso...

Page 29: ...Controls 353 Figure 233 WIndows 95 98 Me Network Configuration 361 Figure 234 Windows 95 98 Me TCP IP Properties IP Address 362 Figure 235 Windows 95 98 Me TCP IP Properties DNS Configuration 363 Figu...

Page 30: ...figuration 403 Figure 262 Prestige as a PPPoE Client 403 Figure 263 Displaying Log Categories Example 418 Figure 264 Displaying Log Parameters Example 418 Figure 265 Peer to Peer Communication in an A...

Page 31: ...P 660H HW W T Series User Guide 31 List of Figures...

Page 32: ...eless LAN 802 1x WPA No Access Authentication 80 Table 16 Wireless LAN 802 1x WPA 802 1x 81 Table 17 Wireless LAN 802 1x WPA WPA 83 Table 18 Wireless LAN 802 1x WPA WPA PSK 84 Table 19 Local User Data...

Page 33: ...ement Class Setup 190 Table 58 Media Bandwidth Management Class Configuration 191 Table 59 Services and Port Numbers 192 Table 60 Media Bandwidth Management Statistics 193 Table 61 Media Bandwidth Man...

Page 34: ...nent Virtual Circuits 289 Table 102 Menu 23 2 System Security RADIUS Server 291 Table 103 Menu 23 4 System Security IEEE 802 1x 293 Table 104 Menu 14 1 Edit Dial in User 295 Table 105 Menu 24 1 System...

Page 35: ...406 Table 144 Packet Filter Logs 406 Table 145 ICMP Logs 407 Table 146 CDR Logs 407 Table 147 PPP Logs 407 Table 148 UPnP Logs 408 Table 149 Content Filtering Logs 408 Table 150 Attack Logs 409 Table...

Page 36: ...erver Setup SMT Menu 15 442 Table 169 Menu 21 1 Filter Set 1 SMT Menu 21 1 444 Table 170 Menu 21 1 Filer Set 2 SMT Menu 21 1 447 Table 171 Menu 23 System Menus SMT Menu 23 452 Table 172 Menu 24 11 Rem...

Page 37: ...P 660H HW W T Series User Guide 37 List of Tables...

Page 38: ...Not all features can be configured through all interfaces Syntax Conventions Enter means for you to type one or more characters Select or Choose means for you to use one predefined choices The SMT me...

Page 39: ...s and additional support documentation User Guide Feedback Help us help you E mail all User Guide related comments questions or suggestions for improvement to techwriters zyxel com tw or send regular...

Page 40: ...pstream capacity Asymmetrical services ADSL are suitable for Internet users because more information is usually downloaded than uploaded For example a simple button click in a web browser can start an...

Page 41: ...P 660H HW W T Series User Guide 41 Introduction to DSL...

Page 42: ...device that works over ISDN Integrated Services Digital Network Models ending in 7 denote a device that works over T ISDN UR 2 Note Only use firmware for your Prestige s specific model Refer to the l...

Page 43: ...Internet and the Prestige without changing the network settings such as IP address and subnet mask of the computer when the IP addresses of the computer and the Prestige are not in the same subnet Fi...

Page 44: ...work for example a public IP address used on the Internet Dynamic DNS Support With Dynamic DNS support you can have a static hostname alias for a dynamic IP address allowing the host to be more easily...

Page 45: ...eaning that you can have both IEEE 802 11b and IEEE 802 11g wireless clients in the same wireless network Note The Prestige may be prone to RF Radio Frequency interference from other 2 4 GHz devices s...

Page 46: ...n the Prestige allows wireless clients access to your network resources The Prestige provides protection from attacks by Internet hackers By default the firewall blocks all incoming traffic from the W...

Page 47: ...tion Blinking The Prestige is sending receiving data Amber On The Prestige has a successful 100Mb Ethernet connection Blinking The Prestige is sending receiving data Off The LAN is not connected WLAN...

Page 48: ...XP SP Service Pack 2 JavaScripts enabled by default Java permissions enabled by default See the chapter on troubleshooting if you need to make sure these functions are allowed in Internet Explorer 2...

Page 49: ...Note The Prestige automatically times out after five minutes of inactivity Simply log back into the Prestige if this happens to you 2 1 2 Resetting the Prestige If you forget your password or cannot a...

Page 50: ...rmware and back up restore or upload a configuration file Click Site Map to go to the Site Map screen Click Logout in the navigation panel when you have finished a Prestige management session Figure 5...

Page 51: ...ch to apply the rule Rule Summary This screen shows a summary of the firewall rules and allows you to edit add a firewall rule Anti Probing Use this screen to change your anti probing settings Thresho...

Page 52: ...Protocol related information and is READ ONLY Any IP Table Use this screen to view the IP and MAC addresses of LAN computers communicating with the Prestige Wireless LAN P 660W P 660HW only Associati...

Page 53: ...d Type the default password or the existing password you use to access the system in this field New Password Type the new password in this field Retype to Confirm Type the new password again in this f...

Page 54: ...troduction Use the Wizard Setup screens to configure your system for Internet access with the information given to you by your ISP Note See the advanced menu chapters for background information on the...

Page 55: ...drop down list box Choices vary depending on what you select in the Mode field If you select Bridge in the Mode field select either PPPoA or RFC 1483 If you select Routing in the Mode field select PPP...

Page 56: ...Connection Select Connect on Demand when you don t want the connection up all the time and specify an idle time out in seconds in the Max Idle Timeout field The default setting selects Connection on...

Page 57: ...matically if you have a dynamic IP address otherwise select Static IP Address and type your ISP assigned IP address in the IP Address text box below Subnet Mask Enter a subnet mask in dotted decimal n...

Page 58: ...and type your ISP assigned IP address in the IP Address text box below Connection Select Connect on Demand when you don t want the connection up all the time and specify an idle time out in seconds i...

Page 59: ...n the Prestige click Change LAN Configurations Otherwise click Save Settings to save the configuration and skip to the section 3 13 Figure 12 Internet Access Wizard Setup Third Screen If you want to c...

Page 60: ...P address of your Prestige in dotted decimal notation for example 192 168 1 1 factory default If you changed the Prestige s LAN IP address you must use the new IP address if you want to access the web...

Page 61: ...P 660H HW W T Series User Guide 61 Chapter 3 Wizard Setup for Internet Access...

Page 62: ...the immediate area usually the same building or floor of a building The LAN screens can help you configure a LAN DHCP server and manage IP addresses See Section 4 3 on page 68 to configure the LAN sc...

Page 63: ...s up If your ISP gives you the DNS server addresses enter them in the DNS Server fields in DHCP Setup otherwise leave them blank Some ISP s choose to pass the DNS servers using the DNS server extensio...

Page 64: ...then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established If this is the case it is recommended that you select a network numb...

Page 65: ...lines above For more information on address assignment please refer to RFC 1597 Address Allocation for Private Internets and RFC 1466 Guidelines for Management of IP Address Space 4 2 2 RIP Setup RIP...

Page 66: ...all directly connected networks to gather group membership After that the Prestige periodically updates this information IP multicasting can be enabled disabled on the Prestige LAN and or WAN interfac...

Page 67: ...uter tries to access the Internet for the first time through the Prestige 1 When a computer which is in a different subnet first attempts to access the Internet it sends packets to its default gateway...

Page 68: ...ult gateway and DNS servers to Windows 95 Windows NT and other systems that support the DHCP client If set to None the DHCP server will be disabled If set to Relay the Prestige acts as a surrogate DHC...

Page 69: ...the RIP version from RIP 1 RIP 2B and RIP 2M Multicast IGMP Internet Group Multicast Protocol is a network layer protocol used to establish membership in a multicast group The Prestige supports both I...

Page 70: ...access points and the wired network Wireless security methods available on the Prestige are data encryption wireless client authentication restricting access by device MAC address and hiding the Prest...

Page 71: ...2 3 Restricted Access The MAC Filter screen allows you to configure the AP to give exclusive access to devices Allow Association or exclude them from accessing the AP Deny Association 5 2 4 Hide Pres...

Page 72: ...If you configure WEP you can t configure WPA or WPA PSK MAC Filter Click this link to go to a screen where you can restrict access to your wireless network by MAC address 802 1x WPA Click this link t...

Page 73: ...Configuring the Wireless Screen 5 4 1 WEP Encryption WEP encryption scrambles the data transmitted between the wireless stations and the access points to keep network communications private It encryp...

Page 74: ...cluding spaces alphabetic characters are case sensitive Hide ESSID Select Yes to hide the ESSID in so a station cannot obtain the ESSID through AP scanning Select No to make the ESSID visible so a sta...

Page 75: ...ate four different WEP keys At the time of writing you cannot use passphrase to generate 256 bit WEP keys Generate After you enter the passphrase click Generate to have the Prestige generate four diff...

Page 76: ...e describes the fields in this menu Table 14 MAC Filter LABEL DESCRIPTION Active Select Yes from the drop down list box to enable MAC address filtering Action Define the filter action for the list of...

Page 77: ...t enter identical passwords into the AP and all wireless clients The Pre Shared Key PSK must be between 8 and 63 printable characters including spaces alphabetic characters are case sensitive 2 The AP...

Page 78: ...system wired link to the LAN 1 The AP passes the wireless client s authentication request to the RADIUS server 2 The RADIUS server then checks the user s identification against its database and grants...

Page 79: ...ity to Windows XP s built in Zero Configuration wireless client However you must run Windows XP to use it See Section 5 7 3 on page 82 and Section 5 7 4 on page 84 for configuration instruction 5 7 Co...

Page 80: ...network select a control method from the drop down list box Choose from No Access Allowed No Authentication Required and Authentication Required No Access Allowed blocks all wireless stations access...

Page 81: ...creen Figure 26 Wireless LAN 802 1x WPA 802 1xl The following table describes the labels in this screen Table 16 Wireless LAN 802 1x WPA 802 1x LABEL DESCRIPTION Wireless Port Control To control wirel...

Page 82: ...ication Databases The authentication database contains wireless station login information The local user database is the built in database on the Prestige The RADIUS is an external server Use this dro...

Page 83: ...group traffic if the Key Management Protocol is WPA and WPA Mixed Mode is disabled WEP is used automatically if you have enabled WPA Mixed Mode All unicast traffic is automatically encrypted by TKIP w...

Page 84: ...agement Protocol Choose WPA PSK in this field Pre Shared Key The encryption mechanisms used for WPA and WPA PSK are the same The only difference between the two is that WPA PSK uses a simple common pa...

Page 85: ...ess LAN Local User Database The screen appears as shown Group Data Privacy Group Data Privacy allows you to choose TKIP recommended or WEP for broadcast and multicast group traffic if the Key Manageme...

Page 86: ...er name of up to 31 alphanumeric characters case sensitive hyphens and underscores _ if you re using MD5 encryption and maximum 14 if you re using PEAP Password Enter a password of up to 31 printable...

Page 87: ...tted decimal notation Port Number The default port of the RADIUS server for authentication is 1812 You need not change this value unless your network administrator instructs you to do so with addition...

Page 88: ...a password up to 31 alphanumeric characters as the key to be shared between the external accounting server and the access points The key is not sent over the network This key must be the same on the e...

Page 89: ...P 660H HW W T Series User Guide 89 Chapter 5 Wireless LAN...

Page 90: ...ateway field in the second wizard screen You can get this information from your ISP 6 1 1 2 PPP over Ethernet PPPoE provides access control and billing functionality in a manner similar to dial up ser...

Page 91: ...ing information being contained in each packet header Despite the extra bandwidth and processing overhead this method may be advantageous if it is not practical to have a separate VC for each carried...

Page 92: ...n is down A nailed up connection can be very expensive for obvious reasons Do not specify a nailed up connection unless your telephone company offers flat rate service or you need a constant connectio...

Page 93: ...vice provider PPPoE offers an access and authentication method that works with existing access control systems for example Radius PPPoE provides a login and authentication method that the existing Mic...

Page 94: ...s time more cells up to the MBS can be sent at the PCR again If the PCR SCR or MBS is set to the default of 0 the system will assign a maximum value that correlates to your upstream line rate The foll...

Page 95: ...n 6 7 Configuring WAN Setup To change your Prestige s WAN remote node settings click WAN and WAN Setup The screen differs by the encapsulation See Section 6 1 on page 90 for more information Table 21...

Page 96: ...ds in this screen Table 22 WAN Setup LABEL DESCRIPTION Name Enter the name of your Internet Service Provider e g MyISP This information is for identification purposes only Mode Select Routing default...

Page 97: ...ll Rate PCR This is the maximum rate at which the sender can send cells Type the PCR here Sustain Cell Rate The Sustain Cell Rate SCR sets the average cell rate long term that can be transmitted Type...

Page 98: ...e to NAT for application where NAT is not appropriate Disable PPPoE pass through if you do not need to allow hosts on the LAN to use PPPoE client software on their computers to connect to the ISP Subn...

Page 99: ...three logical networks with the Prestige itself as the gateway for each LAN network Put the protected LAN in one subnet Subnet 1 in the following figure and the backup gateway in another subnet Subnet...

Page 100: ...er traffic redirect or dial backup you must configure at least one IP address here When using a WAN backup connection the Prestige periodically pings the addresses configured here and uses the other W...

Page 101: ...irect you must configure at least one Check WAN IP Address Metric This field sets this route s priority among the routes the Prestige uses The metric represents the cost of transmission A router deter...

Page 102: ...fers to the IP address of a host when the packet is in the local network while the global address refers to the IP address of the host when the same packet is traveling in the WAN side Note that insid...

Page 103: ...105 NAT offers the additional benefit of firewall protection With no servers defined your Prestige filters out all incoming inquiries thus preventing intruders from probing your network For more info...

Page 104: ...NAT Works 7 1 4 NAT Application The following figure illustrates a possible NAT application where three inside LANs logical LANs using IP Alias behind the Prestige can communicate with three distinct...

Page 105: ...e Prestige maps the multiple local IP addresses to shared global IP addresses Many to Many No Overload In Many to Many No Overload mode the Prestige maps each local IP address to a unique global IP ad...

Page 106: ...t 80 and FTP on port 21 In some cases such as for unknown services or where one server can support more than one service for example both FTP and web service it might be better to specify a range of p...

Page 107: ...st on the Internet IP address assigned by ISP Figure 39 Multiple Servers Behind NAT Example 7 4 Selecting the NAT Mode You must create a firewall rule in addition to setting up SUA NAT to allow traffi...

Page 108: ...n page 106 for more information See Table 26 on page 106 for port numbers commonly used for particular services Table 27 NAT Mode LABEL DESCRIPTION None Select this radio button to disable NAT SUA Onl...

Page 109: ...of ports enter the start port number here and the end port number in the End Port No field End Port No Enter a port number in this field To forward only one port enter the port number again in the Sta...

Page 110: ...e your Prestige s address mapping settings click NAT Select Full Feature and click Edit Details to open the following screen Figure 42 Address Mapping Rules The following table describes the fields in...

Page 111: ...e local IP addresses to one global IP address This is equivalent to SUA i e PAT port address translation ZyXEL s Single User Account feature that previous ZyXEL routers supported only M M Ov Overload...

Page 112: ...ype allows you to specify inside servers of different services behind the NAT to be accessible to the outside world Local Start IP This is the starting local IP address ILA Local IP addresses are N A...

Page 113: ...13 Chapter 7 Network Address Translation NAT Screens Cancel Click Cancel to return to the previously saved settings Delete Click Delete to exit this screen without saving Table 30 Edit Address Mapping...

Page 114: ...u even if they don t know your IP address First of all you need to have registered a dynamic DNS account with www dyndns org This is for people with a dynamic IP from their ISP or DHCP server that wou...

Page 115: ...ovider This is the name of your Dynamic DNS service provider Host Names Type the domain name assigned to your Prestige by your Dynamic DNS provider E mail Address Type your e mail address User Type yo...

Page 116: ...screen to configure the Prestige s time and date settings 9 1 Configuring Time and Date To change your Prestige s time and date click Time And Date The screen appears as shown Use this screen to conf...

Page 117: ...the month and day that your daylight savings time starts on if you selected Daylight Savings End Date Enter the month and day that your daylight savings time ends on if you selected Daylight Savings...

Page 118: ...never be the only mechanism or method employed For a firewall to guard effectively you must design and deploy it appropriately This requires integrating the firewall into a broad information security...

Page 119: ...strict access by screening data packets against defined access rules They make access control decisions based on IP address and protocol They also inspect the session data to assure the integrity of t...

Page 120: ...red to automatically detect and thwart all known DoS attacks 10 4 1 Basics Computers share information over the Internet using a common language called TCP IP TCP IP in turn is a set of application pr...

Page 121: ...hang or reboot Teardrop attack exploits weaknesses in the re assembly of IP packet fragments As data is transmitted through a network IP packets are often broken up into smaller chunks Each fragment...

Page 122: ...n as a backlog queue SYN ACKs are moved off the queue only when an ACK comes back or when an internal timer which is set at relatively long intervals terminates the three way handshake Once the queue...

Page 123: ...the intermediary network but will also congest the network of the spoofed source IP address known as the victim network This flood of broadcast traffic consumes all available bandwidth making communi...

Page 124: ...er or firewall The Prestige blocks all IP Spoofing attempts 10 5 Stateful Inspection With stateful inspection fields of the packets are compared to packets that are already known to be trusted For exa...

Page 125: ...rmine and record information about the state of the packet s connection This information is recorded in a new state table entry created for the new connection If there is not a firewall rule for this...

Page 126: ...wall rules is a very powerful tool Using custom rules it is possible to disable all firewall protection or block all access to the Internet Use extreme caution when creating or deleting firewall rules...

Page 127: ...d in through the firewall simply because they are too dangerous and contain too little tracking information For instance ICMP redirect packets are never allowed in since they could be used to reroute...

Page 128: ...ckers to crack your system Turn your computer off when not in use Never give out a password or any sensitive information to an unsolicited telephone call or e mail Never e mail sensitive information s...

Page 129: ...work B If the filter blocks the traffic from A to B it also blocks the traffic from B to A Filters can not distinguish traffic originating from an inside host or an outside host by IP address To block...

Page 130: ...between inside host networks and outside host networks Remember that filters can not distinguish traffic originating from an inside host or an outside host by IP address The firewall performs better...

Page 131: ...P 660H HW W T Series User Guide 131 Chapter 10 Firewalls...

Page 132: ...tion of travel of packets to which they apply Note The LAN includes both the LAN port and the WLAN By default the Prestige s stateful packet inspection allows packets traveling in the following direct...

Page 133: ...w Note Study these points carefully before configuring rules 11 3 1 Rule Checklist State the intent of the rule For example This restricts all IRC access from the LAN to the Internet Or This allows a...

Page 134: ...s 11 3 3 3 Source Address What is the connection s source address is it on the LAN WAN Is it a single IP a range of IPs or a subnet 11 3 3 4 Destination Address What is the connection s destination ad...

Page 135: ...il account that you specify in the Log Settings screen see the chapter on logs 11 5 Configuring Default Firewall Policy Click Firewall and then Default Policy to display the following screen Activate...

Page 136: ...ts to which they apply For example LAN to LAN Router means packets traveling from a computer subnet on the LAN to either another computer subnet on the LAN interface of the Prestige or the Prestige it...

Page 137: ...fic traveling in the selected packet direction The firewall rules that you configure summarized below take priority over the general firewall action settings above Rule This is your firewall rule numb...

Page 138: ...r a log is created when packets match this rule Enabled or not Disable Alert This field tells you whether this rule generates an alert Yes or not No when the rule is matched Insert Append Type the ind...

Page 139: ...P 660H HW W T Series User Guide 139 Chapter 11 Firewall Configuration Figure 53 Firewall Edit Rule The following table describes the labels in this screen...

Page 140: ...move it Services Available Selected Services Please see Section 11 10 on page 146 for more information on services available Highlight a service from the Available Services box on the left then click...

Page 141: ...ll Customized Services The following table describes the labels in this screen 11 8 Configuring A Customized Service Click a rule number in the Firewall Customized Services screen to create a new cust...

Page 142: ...figure Customized Services LABEL DESCRIPTION Service Name Type a unique name for your custom port Service Type Choose the IP port TCP UDP or TCP UDP that defines your customized port from the drop dow...

Page 143: ...number for where you want to put the rule For example if you type 6 your new rule becomes number 6 and the previous rule 6 if there is one becomes rule 7 4 Click Insert to display the firewall rule c...

Page 144: ...es link to open the Customized Service screen 8 Click an index number to display the Customized Services Config screen and configure the screen as follows and click Apply Figure 58 Edit Custom Port Ex...

Page 145: ...ect Customized Services Note Custom ports show up with an before their names in the Services list box and the Rule Summary list box Click Apply after you ve created your custom port On completing the...

Page 146: ...he IP protocol type TCP UDP or ICMP The second field indicates the IP port number that defines the service Note that there may be more than one IP protocol type For example look at the default configu...

Page 147: ...cast Protocol is used when sending packets to a specific group of hosts NEWS TCP 144 A protocol for news groups NFS UDP 2049 Network File System NFS is a client server distributed file service that pr...

Page 148: ...DP 161 Simple Network Management Program SNMP TRAPS TCP UDP 162 Traps for use with the SNMP RFC 1215 SQL NET TCP 1521 Structured Query Language is an interface to access data on many different types o...

Page 149: ...es Select this option to prevent hackers from finding the Prestige by probing for unused ports If you select this option the Prestige will not respond to port request s for unused ports thus leaving t...

Page 150: ...gure 47 on page 122 For UDP half open means that the firewall has detected no return traffic The Prestige measures both the total number of existing half open sessions and the rate of session establis...

Page 151: ...mber of half open sessions to a given host will never exceed the threshold If the Blocking Time timeout is greater than 0 then the Prestige blocks all new connection requests to the host giving the se...

Page 152: ...equests as necessary until the number of existing half open sessions drops below this number 80 existing half open sessions Maximum Incomplete High This is the number of existing half open sessions th...

Page 153: ...block new connection requests when TCP Maximum Incomplete is reached Enter the length of blocking time in minutes between 1 and 256 Back Click Back to return to the previous screen Apply Click Apply t...

Page 154: ...sted IP addresses on the LAN for which the Prestige will not perform content filtering 12 2 The Main Content Filter Screen Click Content Filter to display the main Content Filtering screen Figure 63 C...

Page 155: ...k box to enable this feature Block Websites that contain these keywords in the URL This box contains the list of all the keywords that you have configured the Prestige to block Delete Highlight a keyw...

Page 156: ...LAN from content filtering on your Prestige click Content Filter and Trusted The screen appears as shown Table 47 Content Filter Schedule LABEL DESCRIPTION Days to Block Select a check box to configu...

Page 157: ...beginning IP address of a specific range of computers on the LAN that you want to exclude from content filtering To Type the ending IP address of a specific range of users on your LAN that you want to...

Page 158: ...r Prestige from a remote location via Internet WAN only ALL LAN and WAN LAN only Neither Disable When you Choose WAN only or ALL LAN WAN you still need to configure a firewall rule to allow access To...

Page 159: ...ave one remote management session running at one time There is a firewall rule that blocks it 13 1 2 Remote Management and NAT When NAT is enabled Use the Prestige s WAN IP address when configuring fr...

Page 160: ...in this screen Table 49 Remote Management LABEL DESCRIPTION Server Type Each of these labels denotes a service that you may use to remotely manage the Prestige Access Status Select the access interfac...

Page 161: ...P 660H HW W T Series User Guide 161 Chapter 13 Remote Management Configuration...

Page 162: ...How do I know if I m using UPnP UPnP hardware is identified as an icon in the Network Connections folder Windows XP Each UPnP compatible device installed on your network will appear as a separate ico...

Page 163: ...UPnP certification from the Universal Plug and Play Forum Creates UPnP Implementers Corp UIC ZyXEL s UPnP implementation supports IGD 1 0 Internet Gateway Device At the time of writing ZyXEL s UPnP im...

Page 164: ...tige s IP address although you must still enter the password to access the web configurator Allow users to make configuration changes through UPnP Select this check box to allow UPnP enabled applicati...

Page 165: ...etup Communication 3 In the Communications window select the Universal Plug and Play check box in the Components selection box Figure 71 Add Remove Programs Windows Setup Communication Components 4 Cl...

Page 166: ...ws XP 1 Click Start and Control Panel 2 Double click Network Connections 3 In the Network Connections window click Advanced in the main menu and select Optional Networking Components Figure 72 Network...

Page 167: ...HW W T Series User Guide 167 Chapter 14 Universal Plug and Play UPnP Figure 73 Windows Optional Networking Components Wizard 5 In the Networking Services window select the Universal Plug and Play che...

Page 168: ...ection shows you how to use the UPnP feature in Windows XP You must already have UPnP installed in Windows XP and UPnP activated on the Prestige Make sure the computer is connected to a LAN port of th...

Page 169: ...Series User Guide 169 Chapter 14 Universal Plug and Play UPnP Figure 75 Network Connections 3 In the Internet Connection Properties window click Settings to see the port mappings there were automatic...

Page 170: ...660H HW W T Series User Guide Chapter 14 Universal Plug and Play UPnP 170 Figure 76 Internet Connection Properties 4 You may edit or delete the port mappings or click Add to manually add port mapping...

Page 171: ...rties Advanced Settings Figure 78 Internet Connection Properties Advanced Settings Add 5 When the UPnP enabled device is disconnected from your computer all port mappings will be deleted automatically...

Page 172: ...tion Status Web Configurator Easy Access With UPnP you can access the web based configurator on the Prestige without finding out the IP address of the Prestige first This comes helpful if you do not k...

Page 173: ...versal Plug and Play UPnP Figure 81 Network Connections 4 An icon with the description for each UPnP enabled device displays under Local Network 5 Right click on the icon for your Prestige and select...

Page 174: ...ay UPnP 174 Figure 82 Network Connections My Network Places 6 Right click on the icon for your Prestige and select Properties A properties window displays with basic information about the Prestige Fig...

Page 175: ...P 660H HW W T Series User Guide 175 Chapter 14 Universal Plug and Play UPnP...

Page 176: ...control and attempted access to blocked web sites Some categories such as System Errors consist of both logs and alerts You may differentiate them by their color in the View Log screen Alerts display...

Page 177: ...rver name or the IP address of the mail server for the e mail addresses specified below If this field is left blank logs and alert messages will not be sent via e mail Mail Subject Type a title that y...

Page 178: ...log server Refer to the documentation of your syslog program for more details Send Log Log Schedule This drop down menu is used to configure the frequency of log messages being sent as E mail Daily We...

Page 179: ...This field displays the time the log was recorded Message This field states the reason for the log Source This field lists the source IP address and the port number of the incoming packet Destination...

Page 180: ...Prestige Date Fri 07 Apr 2000 10 05 42 From user zyxel com To user zyxel com 1 Apr 7 00 From 192 168 1 1 To 192 168 1 255 default policy forward 09 54 03 UDP src port 00520 dest port 00520 1 00 2 Apr...

Page 181: ...P 660H HW W T Series User Guide 181 Chapter 15 Logs Screens...

Page 182: ...antee delivery Bandwidth management also allows you to configure the allowed output for an interface to match what the network can handle This helps reduce delays and dropped packets at the next routi...

Page 183: ...not exceed the configured bandwidth budget speed of the parent class 16 3 Proportional Bandwidth Allocation Bandwidth management allows you to define how much bandwidth each class gets however the act...

Page 184: ...wing example uses bandwidth classes based on LAN subnets and applications specific applications in each subnet are allotted bandwidth Figure 89 Application and Subnet based Bandwidth Management Exampl...

Page 185: ...is not using among the bandwidth classes that require more bandwidth When you enable maximize bandwidth usage the Prestige first makes sure that each bandwidth class gets up to its bandwidth allotment...

Page 186: ...e classes that require more bandwidth Therefore the Prestige divides a total of 3 Mbps total of unbudgeted and unused bandwidth among the classes that require more bandwidth In this case suppose that...

Page 187: ...The Prestige uses the scheduler to divide a parent class s unused bandwidth among the child classes 16 7 1 Maximize Bandwidth Usage With Bandwidth Borrowing If you configure both maximize bandwidth us...

Page 188: ...16 9 Configuring Summary Click Media Bandwidth Management Summary to open the screen as shown next Enable bandwidth management on an interface and set the maximum allowed bandwidth for that interface...

Page 189: ...as the bandwidth budget of the interface s root class The recommendation is to set this speed to match what the interface s connection can handle For example set the WAN interface speed to 10000 kbps...

Page 190: ...mple classes Figure 94 Media Bandwidth Management Class Setup The following table describes the labels in this screen 16 10 1 Media Bandwidth Management Class Configuration Configure a bandwidth manag...

Page 191: ...ass Priority Enter a number between 0 and 7 to set the priority of this class The higher the number the higher the priority The default setting is 3 Borrow bandwidth from parent class Select this opti...

Page 192: ...you select None the bandwidth class applies to all services unless you specify one by configuring the Destination Port Source Port and Protocol ID fields Destination IP Address Enter the destination...

Page 193: ...110 NNTP Network News Transport Protocol 119 SNMP Simple Network Management Protocol 161 SNMP trap 162 PPTP Point to Point Tunneling Protocol 1723 Table 59 Services and Port Numbers SERVICES PORT NUMB...

Page 194: ...the new update period you entered in the Update Period field above Stop Update Click Stop Update to stop the browser from refreshing bandwidth management statistics Clear Counter Click Clear Counter...

Page 195: ...P 660H HW W T Series User Guide 195 Chapter 16 Media Bandwidth Management Advanced Setup...

Page 196: ...ffic statistics 17 1 Maintenance Overview The maintenance screens can help you view system information upload new firmware manage configuration and restart your Prestige 17 2 System Status Screen Clic...

Page 197: ...hapter 17 Maintenance Figure 98 System Status The following table describes the fields in this screen Table 62 System Status LABEL DESCRIPTION System Status System Name This is the name of your Presti...

Page 198: ...if applicable VPI VCI This is the Virtual Path Identifier and Virtual Channel Identifier that you entered in the first Wizard screen LAN Information MAC Address This is the MAC Media Access Control or...

Page 199: ...RFC 1483 and PPPoE Interface This field displays the type of port Status For the WAN port this displays the port speed and duplex setting if you re using Ethernet encapsulation and down line is down...

Page 200: ...MAC Address of all network clients using the DHCP server Figure 100 DHCP Table The following table describes the fields in this screen Poll Interval s Type the time interval for the browser to refresh...

Page 201: ...ssociation List This screen displays the MAC address es of the wireless stations that are currently logged in to the network Click Wireless LAN and then Association List to open the screen shown next...

Page 202: ...tion List LABEL DESCRIPTION This is the index number of an associated wireless station MAC Address This field displays the MAC Media Access Control address of an associated wireless station Every Ethe...

Page 203: ...le 67 Diagnostic General LABEL DESCRIPTION TCP IP Address Type the IP address of a computer that you want to ping in order to test a connection Ping Click this button to ping the IP address that you e...

Page 204: ...atus Click this button to view ATM status ATM Loopback Test Click this button to start the ATM loopback test Make sure you have configured at least one PVC with proper VPIs VCIs before you begin this...

Page 205: ...to upload firmware to your Prestige Figure 105 Firmware Upgrade The following table describes the labels in this screen Note Do NOT turn off the Prestige while firmware upload is in progress After yo...

Page 206: ...In some operating systems you may see the following icon on your desktop Figure 106 Network Temporarily Disconnected After two minutes log in again and check your new firmware version in the System St...

Page 207: ...P 660H HW W T Series User Guide 207 Chapter 17 Maintenance...

Page 208: ...estige 1 In Windows click Start usually in the bottom left corner Run and then type telnet 192 168 1 1 the default IP address and click OK 2 Enter 1234 in the Password field 3 After entering the passw...

Page 209: ...le 11 3 Remote Node Network Layer Options 11 5 Remote Node Filter 11 6 Remote Node ATM Layer Options 11 8 Advance Setup Options PPPoE passthrough 12 Static Routing Setup 12 1 Edit Static Route Setup 1...

Page 210: ...agement 24 10 Time and Date Setting 24 11 Remote Management Control 25 IP Routing Policy Setup 25 1 IP Routing Policy Setup 25 1 1 IP Routing Policy 26 Schedule Setup 26 1 Schedule Set Setup Table 70...

Page 211: ...onfiguration by pressing ENTER at the message Press ENTER to confirm or ESC to cancel Saving the data on the screen will take you in most cases to the previous menu Exit the SMT Type 99 then press ENT...

Page 212: ...up the Remote Node for LAN to LAN connection including Internet connection 12 Static Routing Setup Use this menu to set up static routes 14 Dial in User Setup Use this menu to set up local user profil...

Page 213: ...P 660H HW W T Series User Guide 213 Chapter 18 Introducing the SMT Note Note that as you type a password the screen displays an for each character you type...

Page 214: ...indows 2000 click Start Settings Control Panel and then double click System Click the Network Identification tab and then the Properties button Note the entry for the Computer name field and enter it...

Page 215: ...ocation up to 31 characters of your Prestige Contact Person s Name optional Enter the name up to 30 characters of the person in charge of this Prestige Domain Name Enter the domain name if you know it...

Page 216: ...our dynamic DNS service provider Active Press SPACE BAR to select Yes and then press ENTER to make dynamic DNS active Host Enter the domain name assigned to your Prestige by your dynamic DNS provider...

Page 217: ...P 660H HW W T Series User Guide 217 Chapter 19 Menu 1 General Setup...

Page 218: ...pAlive Fail Tolerance 0 Recovery Interval sec 0 ICMP Timeout sec 0 Traffic Redirect No Press ENTER to Confirm or ESC to Cancel Table 76 Menu 2 WAN Backup Setup FIELD DESCRIPTION Check Mechanism Press...

Page 219: ...e if your destination IP address handles lots of traffic ICMP Timeout Type the number of seconds for an ICMP session to wait for the ICMP response Traffic Redirect Press SPACE BAR to select Yes or No...

Page 220: ...th the lowest cost RIP routing uses hop count as the measurement of cost with a minimum of 1 for directly connected networks The number must be between 1 and 15 a number greater than 15 means the link...

Page 221: ...P 660H HW W T Series User Guide 221 Chapter 20 Menu 2 WAN Backup Setup...

Page 222: ...pply to the Ethernet traffic You seldom need to filter Ethernet traffic however the filter sets may be useful to block certain packets reduce traffic and prevent security breaches Figure 115 Menu 3 1...

Page 223: ...the main menu to display Menu 3 LAN Setup When menu 3 appears press 2 and press ENTER to display Menu 3 2 TCP IP and DHCP Ethernet Setup as shown next Figure 116 Menu 3 2 TCP IP and DHCP Ethernet Setu...

Page 224: ...HCP Serve If Relay is selected in the DHCP field above then enter the IP address of the actual remote DHCP server here Table 79 TCP IP Ethernet Setup FIELD DESCRIPTION TCP IP Setup IP Address Enter th...

Page 225: ...P 660H HW W T Series User Guide 225 Chapter 21 Menu 3 LAN Setup...

Page 226: ...u 3 5 Wireless LAN Setup The following table describes the fields in this menu Menu 3 5 Wireless LAN Setup ESSID Wireless Hide ESSID No Channel ID CH06 2437MHz RTS Threshold 2432 Frag Threshold 2432 W...

Page 227: ...ovides data encryption to prevent wireless stations from accessing data transmitted over the wireless network Select Disable allows wireless stations to communicate with the access points without any...

Page 228: ...0 00 00 00 11 00 00 00 00 00 00 23 00 00 00 00 00 00 12 00 00 00 00 00 00 24 00 00 00 00 00 00 Enter here to CONFIRM or ESC to CANCEL Table 81 Menu 3 5 1 WLAN MAC Address Filtering FIELD DESCRIPTION A...

Page 229: ...P 660H HW W T Series User Guide 229 Chapter 22 Wireless LAN Setup...

Page 230: ...based on the policy defined by the network administrator Policy based routing is applied to incoming packets on a per interface basis prior to the normal routing Create policies using SMT menu 25 and...

Page 231: ...the second and third network Figure 120 Menu 3 2 TCP IP and DHCP Setup Pressing ENTER displays Menu 3 2 1 IP Alias Setup as shown next Menu 3 2 TCP IP and DHCP Setup DHCP Setup DHCP Server Client IP P...

Page 232: ...LD DESCRIPTION IP Alias Choose Yes to configure the LAN network for the Prestige IP Address Enter the IP address of your Prestige in dotted decimal notation IP Subnet Mask Your Prestige will automatic...

Page 233: ...Encapsulation Gateway IP address if you are using ENET ENCAP encapsulation From the main menu type 4 to display Menu 4 Internet Access Setup as shown next Figure 123 Menu 4 Internet Access Setup The f...

Page 234: ...he mean cell rate of a bursty on off traffic source that can be sent at the peak rate and a parameter for burst traffic Type the SCR it must be less than the PCR Maximum Burst Size MBS 0 Refers to the...

Page 235: ...P 660H HW W T Series User Guide 235 Chapter 23 Internet Access...

Page 236: ...you are configuring one of the remote nodes You first choose a remote node in Menu 11 Remote Node Setup You can then edit that node s profile in menu 11 1 as well as configure specific settings in thr...

Page 237: ...n Here are some examples of more suitable combinations in such an application 24 2 2 1 Scenario 1 One VC Multiple Protocols PPPoA RFC 2364 encapsulation with VC based multiplexing is the best combinat...

Page 238: ...11 Encapsulation PPPoA refers to RFC 2364 PPP Encapsulation over ATM Adaptation Layer 5 If RFC 1483 Multiprotocol Encapsulation over ATM Adaptation Layer 5 of ENET ENCAP are selected then the Rem Logi...

Page 239: ...s and press ENTER to display Menu 11 8 Advance Setup Options Telco Option Allocated Budget min This sets a ceiling for outgoing call time for this remote node The default for this field is 0 meaning n...

Page 240: ...ble 85 Menu 11 3 Remote Node Network Layer Options FIELD DESCRIPTION IP Address Assignment Press SPACE BAR and then ENTER to select Dynamic if the remote node is using a dynamically assigned IP addres...

Page 241: ...t for this link The number need not be precise but it must be between 1 and 15 In practice 2 or 3 is usually a good number Private This determines if the Prestige will include the route to this remote...

Page 242: ...e Prestige and also to prevent certain packets from triggering calls You can specify up to 4 filter sets separated by comma for example 1 5 9 12 in each filter field Note that spaces are accepted in t...

Page 243: ...xample VC1 will carry IP Separate VPI and VCI numbers must be specified for each protocol Figure 130 Menu 11 6 for VC based Multiplexing 24 5 2 LLC based Multiplexing or PPP Encapsulation For LLC base...

Page 244: ...ct Yes then press ENTER to display Menu 11 8 Advance Setup Options Menu 11 6 Remote Node ATM Layer Options VPI VCI LLC Multiplexing or PPP Encapsulation VPI 0 VCI 38 ATM QoS Type UBR Peak Cell Rate PC...

Page 245: ...t you can enable PPPoE pass through to allow up to ten hosts on the LAN to use PPPoE client software on their computers to connect to the ISP via the Prestige Each host can have a separate account and...

Page 246: ...ch remote node specifies only the network to which the gateway is directly connected and the Prestige has no knowledge of the networks beyond For instance the Prestige knows about network N2 in the fo...

Page 247: ...atic Route Menu 12 Static Route Setup 1 IP Static Route 3 Bridge Static Route Please enter selection Menu 12 1 IP Static Route Setup 1 ________ 2 ________ 3 ________ 4 ________ 5 ________ 6 ________ 7...

Page 248: ...estination Gateway IP Address Type the IP address of the gateway The gateway is a router or switch on the same network segment as the device s LAN or WAN port The gateway helps forward packets to thei...

Page 249: ...P 660H HW W T Series User Guide 249 Chapter 25 Static Route Setup...

Page 250: ...protocol and it also demands more CPU cycles and memory For efficiency reasons do not turn on bridging unless you need to support protocols other than IP on your network For IP enable the routing if...

Page 251: ...Options Authen N A Edit Filter Sets No Idle Timeout sec N A Press ENTER to Confirm or ESC to Cancel Menu 11 3 Remote Node Network Layer Options IP Options Bridge Options IP Address Assignment Static...

Page 252: ...ancel Table 89 Menu 12 3 1 Edit Bridge Static Route FIELD DESCRIPTION Route This is the route index number you typed in Menu 12 3 Bridge Static Route Setup Route Name Type a name for the bridge static...

Page 253: ...P 660H HW W T Series User Guide 253 Chapter 26 Bridging Setup...

Page 254: ...ts two types of mapping Many to One and Server See Section 27 3 on page 256 or a detailed description of the NAT set for SUA The Prestige also supports Full Feature NAT to map multiple global IP addre...

Page 255: ...options for Network Address Translation Menu 4 Internet Access Setup ISP s Name MyISP Encapsulation RFC 1483 Multiplexing LLC based VPI 8 VCI 35 ATM QoS Type UBR Peak Cell Rate PCR 0 Sustain Cell Rate...

Page 256: ...er information on these menus To configure NAT enter 15 from the main menu to bring up the following screen Figure 143 Menu 15 NAT Setup 27 3 1 Address Mapping Sets Enter 1 to bring up Menu 15 1 Addre...

Page 257: ...d only Menu 15 1 Address Mapping Sets 1 2 3 4 5 6 7 8 255 SUA read only Enter Menu Selection Number Menu 15 1 255 Address Mapping Rules Set Name Idx Local Start IP Local End IP Global Start IP Global...

Page 258: ...End IP is the ending local IP address ILA If the rule is for all local IPs then the Start IP is 0 0 0 0 and the End IP is 255 255 255 255 Global Start IP This is the starting global IP address IGA If...

Page 259: ...eld and then selecting a rule brings up the following menu Menu 15 1 1 1 Address Mapping Rule in which you can edit an individual rule and configure the Type Local and Global Start End IPs An End IP a...

Page 260: ...e starting local IP address ILA End This is the ending local IP address ILA If the rule is for all local IPs then put the Start IP as 0 0 0 0 and the End IP as 255 255 255 255 This field is N A for On...

Page 261: ...ing as an FTP Telnet and SMTP server ports 21 23 and 25 at 192 168 1 33 6 Press ENTER at the Press ENTER to confirm prompt to save your configuration after you define all the servers or press ESC at a...

Page 262: ...he Many to One mapping discussed in Section 27 5 on page 261 The SUA Only read only option from the Network Address Translation field in menus 4 and 11 3 is specifically pre configured to handle this...

Page 263: ...the other IGA Map the FTP servers to the first two IGAs and the other LAN traffic to the remaining IGA Map the third IGA to an inside web server and mail server Four rules need to be configured two b...

Page 264: ...ose the Full Feature option from the Network Address Translation field in menu 4 or menu 11 3 inFigure 156 on page 265 1 Enter 15 from the main menu 2 Enter 1 to configure the Address Mapping Sets 3 E...

Page 265: ...s IP Address Assignment Static Ethernet Addr Timeout min 0 Rem IP Addr 0 0 0 0 Rem Subnet Mask 0 0 0 0 My WAN Addr 0 0 0 0 NAT Full Feature Address Mapping Set 2 Metric 2 Private No RIP Direction Both...

Page 266: ...Rules Set Name Example3 Idx Local Start IP Local End IP Global Start IP Global End IP Type 1 192 168 1 10 10 132 50 1 1 1 2 192 168 1 11 10 132 50 2 1 1 3 0 0 0 0 255 255 255 255 10 132 50 3 M 1 4 10...

Page 267: ...ome gaming programs are NAT unfriendly because they embed addressing information in the data stream These applications won t work through NAT even when using One to One and Many to Many No Overload ma...

Page 268: ...Menu 15 1 1 Address Mapping Rules Menu 15 1 1 Address Mapping Rules Set Name Example4 Idx Local Start IP Local End IP Global Start IP Global End IP Type 1 192 168 1 10 192 168 1 12 10 132 50 1 10 132...

Page 269: ...P 660H HW W T Series User Guide 269 Chapter 27 Network Address Translation NAT...

Page 270: ...prehensive firewall configuration tool your Prestige has to offer For this reason it is recommended that you configure your firewall using the web configurator see the following chapters for instructi...

Page 271: ...attacks when it is active The default Policy sets 1 allow all sessions originating from the LAN to the WAN and 2 deny all sessions originating from the WAN to the LAN You may define additional Policy...

Page 272: ...WAN side or the Ethernet side Call filtering is used to determine if a packet should be allowed to trigger a call Outgoing packets must undergo data filtering before they encounter call filtering Cal...

Page 273: ...ming packets your Prestige applies data filters only Packets are processed depending on whether a match is found The following sections describe how to configure filter sets 29 1 1 The Filter Structur...

Page 274: ...1 in menu 21 1 Figure 167 NetBIOS_WAN Filter Rules Summary Menu 21 1 Filter Set Configuration Filter Set Comments Set Comments 1 _______________ 7 _______________ 2 _______________ 8 _______________ 3...

Page 275: ...f Value 01005e N D F 2 N 3 N 4 N 5 N 6 N Enter Filter Rule Number 1 6 to Configure Table 94 Abbreviations Used in the Filter Rules Summary Menu FIELD DESCRIPTION The filter rule number 1 to 6 A Active...

Page 276: ...of a filter set is determined by the first rule that you create When applying the filter sets to a port separate menu fields are provided for protocol and device filter sets If you include a protocol...

Page 277: ...ER to Confirm or ESC to Cancel Table 96 Menu 21 1 x 1 TCP IP Filter Rule FIELD DESCRIPTION Filter This is the filter set filter rule coordinates for instance 2 3 refers to the second filter set and th...

Page 278: ...s only when the IP Protocol field is 6 TCP If Yes the rule matches packets that want to establish TCP connection s SYN 1 and ACK 0 else it is ignored More If Yes a matching packet is passed to the nex...

Page 279: ...uration Figure 171 Executing an IP Filter 29 4 2 Generic Filter Rule This section shows you how to configure a generic filter rule The purpose of generic rules is to allow you to filter non IP packets...

Page 280: ...ve No Offset 0 Length 0 Mask N A Value N A More No Log None Action Matched Check Next Rule Action Not Matched Check Next Rule Press ENTER to Confirm or ESC to Cancel Table 97 Menu 21 1 5 1 Generic Fil...

Page 281: ...is receiving and sending the packets for instance the interface The interface can be an Ethernet or any other hardware port The following figure illustrates this Figure 173 Protocol and Device Filter...

Page 282: ...le Make the entries in this menu as shown next When you press ENTER to confirm the following screen appears Note that there is only one filter rule in this set Figure 175 Menu 21 1 6 1 Sample Filter A...

Page 283: ...r Rules Summary 29 7 Applying Filters and Factory Defaults This section shows you where to apply the filter s after you design it them Sets of factory default filter rules have been configured in menu...

Page 284: ...ic 29 7 2 Remote Node Filters Go to menu 11 5 shown next and type the number s of the filter set s as appropriate You can cascade up to four filter sets by typing their numbers separated by commas The...

Page 285: ...P 660H HW W T Series User Guide 285 Chapter 29 Filter Configuration...

Page 286: ...twork The Prestige supports SNMP version one SNMPv1 and version two c SNMPv2c The next figure illustrates an SNMP management operation SNMP is only available if TCP IP is configured Figure 179 SNMP Ma...

Page 287: ...trieve an object variable from the agent GetNext Allows the manager to retrieve the next object variable from a table or list within an agent In SNMPv1 when a manager wants to retrieve all elements of...

Page 288: ...t station Trusted Host If you enter a trusted host your Prestige will only respond to SNMP messages from this address A blank default field means your Prestige will respond to all SNMP messages it rec...

Page 289: ...6 whyReboot defined in ZYXEL MIB A trap is sent with the reason of restart before rebooting when the system is going to restart warm start 6a For intentional reboot A trap is sent with the message Sys...

Page 290: ...rd Enter 23 in the main menu to display Menu 23 System Security You should change the default password If you forget your password you have to restore the default configuration file Figure 181 Menu 23...

Page 291: ...Shared Secret Specify a password up to 31 alphanumeric characters as the key to be shared between the external authentication server and the access points The key is not sent over the network This ke...

Page 292: ...em Security IEEE 802 1x Figure 184 Menu 23 4 System Security IEEE 802 1x The following table describes the fields in this menu Menu 23 System Security 1 Change Password 2 RADIUS Server 4 IEEE802 1x En...

Page 293: ...ic WEP Key Exchange This field is activated only when you select Authentication Required in the Wireless Port Control field Also set the Authentication Databases field to RADIUS Only Local user databa...

Page 294: ...se with 802 1x Key Management Protocol Select Local User Database Only to have the Prestige just check the built in user database on the Prestige for a wireless station s username and password Select...

Page 295: ...22 ________ 30 ________ 7 ________ 15 ________ 23 ________ 31 ________ 8 ________ 16 ________ 24 ________ 32 ________ Enter Menu Selection Number Menu 14 1 Edit Dial in User User Name test Active Yes...

Page 296: ...es you information on the status and statistics of the ports as shown next System Status is a tool that can be used to monitor your Prestige Specifically it gives you information on your DSL telephone...

Page 297: ...x Pkts 8314 Upstream Speed 0 kbps CPU Load 25 52 Downstream Speed 0 kbps Press Command COMMANDS 1 Reset Counters TAB Next Page ESC Exit Table 105 Menu 24 1 System Maintenance Status FIELD DESCRIPTION...

Page 298: ...formation Enter 1 in menu 24 2 to display the screen shown next Collision This is the number of collisions WAN This shows statistics for the WAN Line Status This shows the current status of the xDSL l...

Page 299: ...0 13 49 11 11 35 IP Address 192 168 1 1 IP Mask 255 255 255 0 DHCP Server Press ESC or RETURN to Exit Table 106 Menu 24 2 1 System Maintenance Information FIELD DESCRIPTION Name Displays the system na...

Page 300: ...ething goes wrong is the error log Follow the procedures to view the local error trace log 1 Type 24 in the main menu to display Menu 24 System Maintenance 2 From menu 24 type 3 to display Menu 24 3 S...

Page 301: ...ask pause 1 day 57 Sat Jan 01 00 00 03 2000 PP21 INFO monitoring WAN connectivity 58 Sat Jan 01 00 03 06 2000 PP19 INFO SMT Password pass 59 Sat Jan 01 00 03 06 2000 PP01 INFO SMT Session Begin 60 Sat...

Page 302: ...2 OutCall Connected 64000 40002 Jul 19 11 20 06 192 168 102 2 ZYXEL board 0 line 0 channel 0 call 1 C02 Call Terminated 2 Packet Triggered SdcmdSyslogSend SYSLOG_PKTTRI SYSLOG_NOTICE String String Pac...

Page 303: ...55 192 168 102 2 ZYXEL IP Src 202 132 154 123 Dst 255 255 255 255 UDP spo 0208 dpo 0208 S03 R01mF Jul 19 14 44 00 192 168 102 2 ZYXEL IP Src 192 168 102 20 Dst 202 132 154 1 UDP spo 05d4 dpo 0035 S03...

Page 304: ...nce Menu Diagnostic FIELD DESCRIPTION Reset xDSL Re initialize the xDSL link to the telephone company Ping Host Ping the host to see if the links and TCP IP protocol on both systems are working Reboot...

Page 305: ...P 660H HW W T Series User Guide 305 Chapter 32 System Information and Diagnosis...

Page 306: ...of your choosing ZyNOS ZyXEL Network Operating System sometimes referred to as the ras file is the system firmware and has a bin filename extension With many FTP and TFTP clients the filenames are si...

Page 307: ...mmended once your Prestige is functioning properly FTP is the preferred methods for backing up your current configuration to your computer since they are faster Any serial communications program shoul...

Page 308: ...names it config rom See earlier in this chapter for more information on filename conventions 7 Enter quit to exit the ftp prompt 33 2 3 Example of FTP Commands from the Command Line Menu 24 5 System M...

Page 309: ...e session running 331 Enter PASS command Password 230 Logged in ftp bin 200 Type I OK ftp get rom 0 zyxel rom 200 Port command okay 150 Opening data connection for STOR ras 226 File received OK ftp 16...

Page 310: ...transfer is complete 4 Launch the TFTP client on your computer and connect to the Prestige Set the transfer mode to binary before starting data transfer 5 Use the TFTP client see the example below to...

Page 311: ...rt after the file transfer is complete Note Do not interrupt the file transfer process as this may PERMANENTLY DAMAGE YOUR Prestige 33 3 1 Restore Using FTP For details about backup using T FTP please...

Page 312: ...to Section 33 2 5 on page 309 to read about configurations that disallow TFTP and FTP over WAN Menu 24 6 System Maintenance Restore Configuration To transfer the firmware and configuration file to yo...

Page 313: ...rmware and the configuration file using FTP Figure 201 Telnet Into Menu 24 7 1 Upload System Firmware 33 4 2 Configuration File Upload You see the following screen when you telnet into menu 24 7 2 Men...

Page 314: ...rs the configuration file on the Prestige to your computer and renames it config rom See earlier in this chapter for more information on filename conventions 7 Enter quit to exit the ftp prompt The Pr...

Page 315: ...the SMT in command interpreter CI mode by entering 8 in Menu 24 System Maintenance 3 Enter the command sys stdio 0 to disable the console timeout so the TFTP transfer will not be interrupted Enter sys...

Page 316: ...as where i specifies binary image transfer mode use this mode when transferring binary files host is the Prestige s IP address and put transfers the file source on the computer firmware bin name of th...

Page 317: ...P 660H HW W T Series User Guide 317 Chapter 33 Firmware and Configuration File Maintenance...

Page 318: ...mmands Enter 8 from Menu 24 System Maintenance A list of valid commands can be found by typing help or at the command prompt Type exit to return to the SMT main menu when finished Figure 204 Command M...

Page 319: ...eds the limit the current call will be dropped and any future outgoing calls will be blocked To access the call control menu select option 9 in menu 24 to go to Menu 24 9 System Maintenance Call Contr...

Page 320: ...r get the current time and date from an external server when you turn on your Prestige Menu 24 10 allows you to update the time and date settings of your Prestige The real time is then displayed in th...

Page 321: ...Current Date 2000 01 01 New Date yyyy mm dd 2000 01 01 Time Zone GMT Daylight Saving No Start Date mm dd 01 00 End Date mm dd 01 00 Press ENTER to Confirm or ESC to Cancel Table 113 Menu 24 10 System...

Page 322: ...ly when you re enter this menu New Date Enter the new date in year month and day format Time Zone Press SPACE BAR and then ENTER to set the time difference between your time zone and Greenwich Mean Ti...

Page 323: ...P 660H HW W T Series User Guide 323 Chapter 34 System Maintenance...

Page 324: ...onfiguring firewall rules 35 2 Remote Management To disable remote management of a service select Disable in the corresponding Server Access field Enter 11 from menu 24 to display Menu 24 11 Remote Ma...

Page 325: ...LAN only Secured Client IP 0 0 0 0 FTP Server Server Port 21 Server Access LAN only Secured Client IP 0 0 0 0 Web Server Server Port 80 Server Access LAN only Secured Client IP 0 0 0 0 Press ENTER to...

Page 326: ...ess when configuring from the LAN 35 4 System Timeout There is a default system management idle timeout of five minutes three hundred seconds The Prestige automatically logs you out if the management...

Page 327: ...P 660H HW W T Series User Guide 327 Chapter 35 Remote Management...

Page 328: ...edence or TOS Type of Service values in the IP header at the periphery of the network to enable the backbone to prioritize traffic Cost Savings IPPR allows organizations to distribute interactive traf...

Page 329: ...the main menu to open Menu 25 IP Routing Policy Setup 2 Type the index of the policy set you want to configure to open Menu 25 1 IP Routing Policy Setup Menu 25 1 shows the summary of a policy set inc...

Page 330: ..._________________________________________________________ ______________________________________________________________________ 5 N ___________________________________________________________________...

Page 331: ...es are displayed with a minus sign in SMT menu 25 Criteria IP Protocol IP layer 4 protocol for example UDP TCP ICMP etc Type of Service Prioritize incoming network traffic by choosing from Don t Care...

Page 332: ...e LAN otherwise the gateway must be the IP address of a remote node The default gateway is specified as 0 0 0 0 Type of Service Set the new TOS value of the outgoing packet Prioritize incoming network...

Page 333: ...See the next figure Menu 3 2 TCP IP and DHCP Setup DHCP Setup DHCP Server Client IP Pool Starting Address 192 168 1 33 Size of Client IP Pool 32 Primary DNS Server 0 0 0 0 Secondary DNS Server 0 0 0...

Page 334: ...P route Figure 216 Example of IP Policy Routing To force packets coming from clients with IP addresses of 192 168 1 33 to 192 168 1 64 to be routed to the Internet via the WAN port of the Prestige fol...

Page 335: ...any host with protocol TCP and port FTP access through another gateway 192 168 1 100 Menu 25 1 1 IP Routing Policy Policy Set Name set1 Active Yes Criteria IP Protocol 6 Type of Service Don t Care Pre...

Page 336: ...0 Destination addr start 0 0 0 0 port start 20 Action Matched Gateway addr 192 168 1 100 Type of Service No Change Precedence No Change Packet length 10 Len Comp N A end N A end N A end N A end 21 Lo...

Page 337: ...P 660H HW W T Series User Guide 337 Chapter 36 IP Policy Routing...

Page 338: ...ts take precedence over higher numbered sets thereby avoiding scheduling conflicts For example if sets 1 2 3 and 4 in are applied in the remote node then set 1 will take precedence over set 2 3 and 4...

Page 339: ...es or No Choose Yes and press ENTER to activate the schedule set Start Date Enter the start date when you wish the set to take effect in year month date format Valid dates are from the present to 2036...

Page 340: ...eans that the connection is blocked whether or not there is a demand call on the line Enable Dial On Demand means that this schedule permits a demand call on the line Disable Dial On Demand means that...

Page 341: ...P 660H HW W T Series User Guide 341 Chapter 37 Call Scheduling...

Page 342: ...propriate power source Make sure that the Prestige and the power source are both turned on Turn the Prestige off and on If the error persists you may have a hardware problem In this case you should co...

Page 343: ...MAC address or the host name The username and password apply to PPPoE and PPPoA encapsulation only Make sure that you have entered the correct Service Type User Name and Password be sure to use the co...

Page 344: ...and Username fields are case sensitive Make sure that you enter the correct password and username using the proper casing If you have changed the password and have now forgotten it you will need to u...

Page 345: ...op ups check box in the Pop up Blocker section of the screen This disables any web pop up blockers you may have enabled Figure 224 Internet Options 3 Click Apply to save this setting 38 4 1 1 2 Enable...

Page 346: ...ubleshooting 346 Figure 225 Internet Options 3 Type the IP address of your device the web page that you do not want to have blocked with the prefix http For example http 192 168 1 1 4 Click Add to mov...

Page 347: ...gs 5 Click Close to return to the Privacy screen 6 Click Apply to save this setting 38 4 1 2 JavaScripts If pages of the web configurator do not display properly in Internet Explorer check that JavaSc...

Page 348: ...ure 227 Internet Options 2 Click the Custom Level button 3 Scroll down to Scripting 4 Under Active scripting make sure that Enable is selected the default 5 Under Scripting of Java applets make sure t...

Page 349: ...tings Java Scripting 38 4 1 3 Java Permissions 1 From Internet Explorer click Tools Internet Options and then the Security tab 2 Click the Custom Level button 3 Scroll down to Microsoft VM 4 Under Jav...

Page 350: ...bleshooting 350 Figure 229 Security Settings Java 38 4 1 3 1 JAVA Sun 1 From Internet Explorer click Tools Internet Options and then the Advanced tab 2 make sure that Use Java 2 for applet under Java...

Page 351: ...to download ActiveX controls or to use Trend Micro Security Services Make sure that ActiveX controls are allowed in Internet Explorer Screen shots for Internet Explorer 6 are shown Steps may vary depe...

Page 352: ...re 231 Internet Options Security 3 Scroll down to ActiveX controls and plug ins 4 Under Download signed ActiveX controls select the Prompt radio button 5 Under Run ActiveX controls and plug ins make s...

Page 353: ...P 660H HW W T Series User Guide 353 Chapter 38 Troubleshooting Figure 232 Security Setting ActiveX Controls...

Page 354: ...Address 192 168 1 1 Default Subnet Mask 255 255 255 0 24 bits Default Password 1234 DHCP Pool 192 168 1 32 to 192 168 1 64 Dimensions W x D x H 180 x 128 x 36 mm Power Specification 12VDC 1A Built in...

Page 355: ...ent Relay RIP I RIP II ICMP ATM QoS SNMP v1 and v2c with MIB II support RFC 1213 IP Multicasting IGMP v1 and v2 IGMP Proxy UPnP Management Embedded Web Configurator Menu driven SMT System Management T...

Page 356: ...ort Forwarding 1024 NAT sessions Multimedia application PPTP under NAT SUA IPSec passthrough SIP ALG passthrough VPN passthrough Content Filtering Web page blocking by URL keyword Static Routes 16 IP...

Page 357: ...P 660H HW W T Series User Guide 357 Appendix A...

Page 358: ...ance between the centers of the holes matches what is listed in the product specifications appendix Note Be careful to avoid damaging pipes or cables located inside the wall when drilling holes for th...

Page 359: ...P 660H HW W T Series User Guide 359 Appendix B...

Page 360: ...rchase of a third party TCP IP application package TCP IP should already be installed on computers using Windows NT 2000 XP Macintosh OS 7 and later operating systems After the appropriate TCP IP comp...

Page 361: ...rks If you need the adapter 1 In the Network window click Add 2 Select Adapter and then click Add 3 Select the manufacturer and model of your network adapter and then click OK If you need TCP IP 1 In...

Page 362: ...entry and click Properties 2 Click the IP Address tab If your IP address is dynamic select Obtain an IP address automatically If you have a static IP address select Specify an IP address and type your...

Page 363: ...operties window 6 Click OK to close the Network window Insert the Windows CD if prompted 7 Turn on your Prestige and restart your computer when prompted Verifying Settings 1 Click Start and then Run 2...

Page 364: ...364 Figure 236 Windows XP Start Menu 2 In the Control Panel double click Network Connections Network and Dial up Connections in Windows 2000 NT Figure 237 Windows XP Control Panel 3 Right click Local...

Page 365: ...XP and then click Properties Figure 239 Windows XP Local Area Connection Properties 5 The Internet Protocol TCP IP Properties window opens the General tab in Windows XP If you have a dynamic IP addre...

Page 366: ...P IP Address type an IP address in IP address and a subnet mask in Subnet mask and then click Add Repeat the above two steps for each IP address you want to add Configure additional default gateways i...

Page 367: ...n Windows XP Click Obtain DNS server address automatically if you do not know your DNS server IP address es If you know your DNS server IP address es click Use the following DNS server addresses and t...

Page 368: ...window Network and Dial up Connections in Windows 2000 NT 11Turn on your Prestige and restart your computer if prompted Verifying Settings 1 Click Start All Programs Accessories and then Command Promp...

Page 369: ...de 369 Appendix C Figure 243 Macintosh OS 8 9 Apple Menu 2 Select Ethernet built in from the Connect via list Figure 244 Macintosh OS 8 9 TCP IP 3 For dynamically assigned settings select Using DHCP S...

Page 370: ...ted to save changes to your configuration 7 Turn on your Prestige and restart your computer if prompted Verifying Settings Check your TCP IP properties in the TCP IP Control Panel window Macintosh OS...

Page 371: ...net mask box Type the IP address of your Prestige in the Router address box 5 Click Apply Now and close the window 6 Turn on your Prestige and restart your computer if prompted Verifying Settings Chec...

Page 372: ...re your computer IP address using the KDE 1 Click the Red Hat button located on the bottom left corner select System Setting and click Network Figure 247 Red Hat 9 0 KDE Network Configuration Devices...

Page 373: ...dress es click the DNS tab in the Network Configuration screen Enter the DNS server information in the fields provided Figure 249 Red Hat 9 0 KDE Network Configuration DNS 5 Click the Devices tab 6 Cl...

Page 374: ...an example where the static IP address is 192 168 1 10 and the subnet mask is 255 255 255 0 Figure 252 Red Hat 9 0 Static IP Address Setting in ifconfig eth0 2 If you know your DNS server IP address e...

Page 375: ...interface OK Setting network parameters OK Bringing up loopback interface OK Bringing up interface eth0 OK root localhost ifconfig eth0 Link encap Ethernet HWaddr 00 50 BA 72 5B 44 inet addr 172 23 19...

Page 376: ...the first two octets make up the network number and the two remaining octets make up the host ID Class C addresses begin starting from the left with 1 1 0 In a class C address the first three octets m...

Page 377: ...ID Subnet masks are expressed in dotted decimal notation just as IP addresses are The natural masks for class A B and C IP addresses are as follows Subnetting With subnetting the class arrangement of...

Page 378: ...168 1 0 with subnet mask of 255 255 255 0 The first three octets of the address make up the network number class C You want to have two separate networks Divide the network 192 168 1 0 into two separ...

Page 379: ...e directed broadcast address for the first subnet Therefore the lowest IP address that can be assigned to an actual host for the first subnet is 192 168 1 1 and the highest is 192 168 1 126 Similarly...

Page 380: ...s Binary 11000000 10101000 00000001 00000000 Subnet Mask Binary 11111111 11111111 11111111 11000000 Subnet Address 192 168 1 0 Lowest Host ID 192 168 1 1 Broadcast Address 192 168 1 63 Highest Host ID...

Page 381: ...111 11111111 11111111 11000000 Subnet Address 192 168 1 192 Lowest Host ID 192 168 1 193 Broadcast Address 192 168 1 255 Highest Host ID 192 168 1 254 Table 135 Eight Subnets SUBNET SUBNET ADDRESS FIR...

Page 382: ...netting The following table is a summary for class B subnet planning Table 137 Class B Subnet Planning NO BORROWED HOST BITS SUBNET MASK NO SUBNETS NO HOSTS PER SUBNET 1 255 255 128 0 17 2 32766 2 255...

Page 383: ...P 660H HW W T Series User Guide 383 Appendix D...

Page 384: ...ge boot module commands as shown in the next screen ATBAx allows you to change the console port speed The x denotes the number preceding the colon to give the console port speed following the colon in...

Page 385: ...dump memory contents from address x for length y ATRBx display the 8 bit value of address x ATRWx display the 16 bit value of address x ATRLx display the 32 bit value of address x ATGO x run program...

Page 386: ...d possibly render it unusable Command Syntax The command keywords are in courier new font Enter the command keywords exactly as shown do not abbreviate The required fields in a command are enclosed in...

Page 387: ...P 660H HW W T Series User Guide 387 Appendix F...

Page 388: ...rules config display firewall set set This command shows the current configuration of a set including timeout values name default permit and etc If you don t put use a number after set information ab...

Page 389: ...59 This command sets the minute of the hour for the firewall log to be sent via e mail if the Prestige is set to send it on a hourly daily or weekly basis Attack config edit firewall attack send alert...

Page 390: ...onfig edit firewall set set default permit forward block This command sets whether a packet is dropped or allowed through when it does not meet a rule within the set Config edit firewall set set icmp...

Page 391: ...alert e mail when a DOS attack or a violation of a particular rule occurs config edit firewall set set rule rule srcaddr single ip address This command sets the rule to have the Prestige check for tr...

Page 392: ...set rule rule UDP destport single port This command sets a rule to have the Prestige check for UDP traffic with this destination address You may repeat this command to enter various non consecutive po...

Page 393: ...P 660H HW W T Series User Guide 393 Appendix G...

Page 394: ...AN and from the WAN to the LAN Allow or disallow the sending of NetBIOS packets from the LAN to the DMZ and from the DMZ to the LAN Allow or disallow the sending of NetBIOS packets from the WAN to the...

Page 395: ...his field displays whether NetBIOS packets are allowed to initiate calls Disabled means that NetBIOS packets are blocked from initiating calls Disabled type Identify which NetBIOS filter numbered 0 3...

Page 396: ...H HW W T Series User Guide Appendix H 396 sys filter netbios config 3 on This command blocks IPSec NetBIOS packets sys filter netbios config 4 off This command stops NetBIOS commands from initiating c...

Page 397: ...P 660H HW W T Series User Guide 397 Appendix H...

Page 398: ...phone sets Install the POTS splitter at the point where the telephone line enters your residence as shown in the following figure Figure 258 Connecting a POTS Splitter 1 Connect the side labeled Phone...

Page 399: ...onnect another cable from the double jack end of the Y Connector to the Prestige 4 Connect the phone side of the microfilter to your telephone as shown in the following figure Figure 259 Connecting a...

Page 400: ...P 660H HW W T Series User Guide Appendix I 400...

Page 401: ...P 660H HW W T Series User Guide 401 Appendix I...

Page 402: ...a manner similar to dial up services using PPP Benefits of PPPoE PPPoE offers the following benefits It provides you with a familiar dial up networking DUN user interface It lessens the burden on the...

Page 403: ...Concentrator and tunnels the PPP frames to the ISP The L2TP tunnel is capable of carrying multiple PPP sessions With PPPoE the VC Virtual Circuit is equivalent to the dial up connection and is betwee...

Page 404: ...TELNET login Someone has logged on to the router via telnet TELNET login failed Someone has failed to log on to the router via telnet Successful FTP login Someone has logged on to the router via ftp...

Page 405: ...ter settings WAN connection is down A WAN connection is down You cannot access the network through this interface Table 142 Access Control Logs LOG MESSAGE DESCRIPTION Firewall default policy TCP UDP...

Page 406: ...s UDP idle timeout 3 minutes TCP connection three way handshaking timeout 270 seconds TCP FIN wait timeout 2 MSL Maximum Segment Lifetime set in the TCP header TCP idle established timeout s 150 minut...

Page 407: ...ply packet to the sender Table 146 CDR Logs LOG MESSAGE DESCRIPTION board d line d channel d call d s C01 Outgoing Call dev x ch x s The router received the setup requirements for a call call is the r...

Page 408: ...ntent filter server responded that the web site is in the blocked category list but it did not return the category type s s The content filter server responded that the web site is in the blocked cate...

Page 409: ...l detected an ICMP echo attack For type and code details see Table 157 on page 416 syn flood TCP The firewall detected a TCP syn flood attack ports scan TCP The firewall detected a TCP port scan attac...

Page 410: ...during IKE phase 2 because the router and the peer s Local Remote Addresses don t match Verifying Local ID failed The connection failed during IKE phase 2 because the router and the peer s Local Remot...

Page 411: ...emote Address This information conflicted with static rule d thus the connection is not allowed Phase 1 ID type mismatch This router s Peer ID Type is different from the peer IPSec router s Local ID T...

Page 412: ...ter and the peer Rule d Phase 2 encapsulation mismatch The listed rule s IKE phase 2 encapsulation did not match between the router and the peer Rule d Phase 2 pfs mismatch The listed rule s IKE phase...

Page 413: ...bject name The router received a certification authority certificate with subject name as recorded from the LDAP server whose IP address and port are recorded in the Source field Rcvd user cert subjec...

Page 414: ...orithm mismatch between the certificate and the search constraints 2 Key usage mismatch between the certificate and the search constraints 3 Certificate was not valid in the time interval 4 Not used 5...

Page 415: ...ired User logout because of user deassociation The router logged out a user who ended the session User logout because of no authentication response from user The router logged out a user from which th...

Page 416: ...ACL set for packets traveling from the WAN to the WAN or the Prestige D to D ZW DMZ to DMZ Prestige ACL set for packets traveling from the DMZ to the DM or the Prestige Table 157 ICMP Notes TYPE CODE...

Page 417: ...st dstIP dstPort msg msg note note devID mac address last three numbers cat category This message is sent by the system RAS displays as the system name if you haven t configured one when the router ge...

Page 418: ...d by a log category to display the parameters that are available for the category Figure 264 Displaying Log Parameters Example 4 Use sys logs category followed by a log category and a parameter to dec...

Page 419: ...ear command to erase all of the Prestige s logs Log Command Example This example shows how to set the Prestige to record the access logs and alerts and then view the results ras sys logs load ras sys...

Page 420: ...r Independent Basic Service Set IBSS The following diagram shows an example of notebook computers using wireless adapters to form an Ad hoc wireless LAN Figure 265 Peer to Peer Communication in an Ad...

Page 421: ...connection between APs is called a Distribution System DS This type of wireless LAN topology is called an Infrastructure WLAN The Access Points not only provide communication with the wired network bu...

Page 422: ...rlap however To avoid interference due to overlap your AP should be on a channel at least five channels away from a channel that an adjacent AP is using For example if your region has 11 channels and...

Page 423: ...ssion It also reserves and confirms with the requesting station the time frame for the requested transmission Stations can send frames smaller than the specified RTS CTS directly to the AP without the...

Page 424: ...eamble However not all wireless adapters support short preamble Use long preamble if you are unsure what preamble mode the wireless adapters support to ensure interpretability between the AP and the w...

Page 425: ...eless stations RADIUS RADIUS is based on a client server model that supports authentication authorization and accounting The access point is the client and the server is the RADIUS server The RADIUS s...

Page 426: ...ix discusses some popular authentication types EAP MD5 EAP TLS EAP TTLS PEAP and LEAP The type of authentication you use depends on the RADIUS server or the AP Consult your network administrator for m...

Page 427: ...s client identity is protected For client authentication EAP TTLS supports EAP methods and legacy authentication methods such as PAP CHAP MS CHAP and MS CHAP v2 PEAP Protected EAP Like EAP TTLS server...

Page 428: ...hael an extended initialization vector IV with sequencing rules and a re keying mechanism TKIP regularly changes and rotates the encryption keys so that the same encryption key is never used twice The...

Page 429: ...two is that WPA PSK uses a simple common password instead of user specific credentials The common password approach makes WPA PSK susceptible to brute force password guessing attacks but it s still an...

Page 430: ...er field name parameter values allowed input where input is your input conforming to parameter values allowed The figure shown next is an example of an Internal SPTGEN text file Figure 269 Configurati...

Page 431: ...The Prestige will display the following if you enter parameter s that are valid Figure 271 Valid Parameter Entered Command Line Example Internal SPTGEN FTP Download Example 1 Launch your FTP applicat...

Page 432: ...EN FTP Upload Example Example Internal SPTGEN Screens This section covers Prestige Internal SPTGEN screens c ftp 192 168 1 1 220 PPP FTP version 1 0 ready at Sat Jan 1 03 22 12 2000 User 192 168 1 1 n...

Page 433: ...0 Table 165 Menu 3 SMT Menu 3 Menu 3 1 General Ethernet Setup SMT menu 3 1 FIN FN PVA INPUT 30100001 Input Protocol filters Set 1 2 30100002 Input Protocol filters Set 2 256 30100003 Input Protocol f...

Page 434: ...1 Version 0 Rip 1 1 Rip 2B 2 Rip 2M 0 30200012 Multicast 0 IGMP v2 1 IGMP v1 2 None 2 30200013 IP Policies Set 1 1 12 256 30200014 IP Policies Set 2 1 12 256 30200015 IP Policies Set 3 1 12 256 302000...

Page 435: ...ly 3 Out Only 0 30201018 Version 0 Rip 1 1 Rip 2B 2 Rip 2M 0 30201019 IP Alias 2 Incoming protocol filters Set 1 256 30201020 IP Alias 2 Incoming protocol filters Set 2 256 30201021 IP Alias 2 Incomin...

Page 436: ...0 MENU 3 5 1 WLAN MAC ADDRESS FILTER SMT MENU 3 5 1 FIN FN PVA INPUT 30501001 Mac Filter Active 0 No 1 Yes 0 30501002 Filter Action 0 Allow 1 Deny 0 30501003 Address 1 00 00 00 00 0 0 00 30501004 Addr...

Page 437: ...40000016 ISP incoming protocol filter set 1 6 40000017 ISP incoming protocol filter set 2 256 40000018 ISP incoming protocol filter set 3 256 40000019 ISP incoming protocol filter set 4 256 40000020...

Page 438: ...s 0 Menu 12 1 2 IP Static Route Setup SMT Menu 12 1 2 FIN FN PVA INPUT 120102001 IP Static Route set 2 Name 120102002 IP Static Route set 2 Active 0 No 1 Yes 0 120102003 IP Static Route set 2 Destinat...

Page 439: ...etmask 0 120105005 IP Static Route set 5 Gateway 0 0 0 0 120105006 IP Static Route set 5 Metric 0 120105007 IP Static Route set 5 Private 0 No 1 Yes 0 Menu 12 1 6 IP Static Route Setup SMT Menu 12 1 6...

Page 440: ...c Route set 9 Destination IP address 0 0 0 0 120109004 IP Static Route set 9 Destination IP subnetmask 0 120109005 IP Static Route set 9 Gateway 0 0 0 0 120109006 IP Static Route set 9 Metric 0 120109...

Page 441: ...UT 120113001 IP Static Route set 13 Name Str 120113002 IP Static Route set 13 Active 0 No 1 Yes 0 120113003 IP Static Route set 13 Destination IP address 0 0 0 0 120113004 IP Static Route set 13 Desti...

Page 442: ...6005 IP Static Route set 16 Gateway 0 0 0 0 120116006 IP Static Route set 16 Metric 0 120116007 IP Static Route set 16 Private 0 No 1 Yes 0 Table 167 Menu 12 SMT Menu 12 continued Table 168 Menu 15 SU...

Page 443: ...17 U DP 0 0 0 0 150000029 SUA Server 7 Port Start 0 150000030 SUA Server 7 Port End 0 150000031 SUA Server 7 Local IP address 0 0 0 0 150000032 SUA Server 8 Active 0 No 1 Yes 0 150000033 SUA Server 8...

Page 444: ...set 1 rule 1 SMT Menu 21 1 1 1 FIN FN PVA INPUT 210101001 IP Filter Set 1 Rule 1 Type 2 TCP IP 2 210101002 IP Filter Set 1 Rule 1 Active 0 No 1 Yes 1 210101003 IP Filter Set 1 Rule 1 Protocol 6 21010...

Page 445: ...less 4 greater 0 210102013 IP Filter Set 1 Rule 2 Act Match 1 check next 2 forward 3 drop 3 210102014 IP Filter Set 1 Rule 2 Act Not Match 1 check next 2 forward 3 drop 1 Menu 21 1 1 3 set 1 rule 3 S...

Page 446: ...210104009 IP Filter Set 1 Rule 4 Src Subnet Mask 0 210104010 IP Filter Set 1 Rule 4 Src Port 0 210104011 IP Filter Set 1 Rule 4 Src Port Comp 0 none 1 equal 2 not equal 3 less 4 greater 0 210104013 I...

Page 447: ...1 Rule 6 Dest IP address 0 0 0 0 210106005 IP Filter Set 1 Rule 6 Dest Subnet Mask 0 210106006 IP Filter Set 1 Rule 6 Dest Port 139 210106007 IP Filter Set 1 Rule 6 Dest Port Comp 0 none 1 equal 2 not...

Page 448: ...Rule 1 Src Port 0 210201011 IP Filter Set 2 Rule 1 Src Port Comp 0 none 1 equal 2 not equal 3 less 4 gr eater 0 210201013 IP Filter Set 2 Rule 1 Act Match 1 check next 2 forward 3 drop 3 210201014 IP...

Page 449: ...IP Filter Set 2 Rule 3 Dest IP address 0 0 0 0 210203005 IP Filter Set 2 Rule 3 Dest Subnet Mask 0 210203006 IP Filter Set 2 Rule 3 Dest Port 139 210203007 IP Filter Set 2 Rule 3 Dest Port Comp 0 non...

Page 450: ...0 210204013 IP Filter Set 2 Rule 4 Act Match 1 check next 2 forward 3 drop 3 210204014 IP Filter Set 2 Rule 4 Act Not Match 1 check next 2 forward 3 drop 1 Menu 21 1 2 5 Filter set 2 rule 5 SMT Menu...

Page 451: ...206006 IP Filter Set 2 Rule 6 Dest Port 139 210206007 IP Filter Set 2 Rule 6 Dest Port Comp 0 none 1 equal 2 not equal 3 less 4 gr eater 1 210206008 IP Filter Set 2 Rule 6 Src IP address 0 0 0 0 21020...

Page 452: ...006 Accounting Server Configured 0 No 1 Yes 1 230200007 Accounting Server Active 0 No 1 Yes 1 230200008 Accounting Server IP Address 192 168 1 44 230200009 Accounting Server Port 1823 230200010 Accoun...

Page 453: ...1 Remote Management Control SMT Menu 24 11 FIN FN PVA INPUT 241100001 TELNET Server Port 23 241100002 TELNET Server Access 0 all 1 none 2 L an 3 Wan 0 241100003 TELNET Server Secured IP address 0 0 0...

Page 454: ...P 660H HW W T Series User Guide Appendix M 454 FIN FN PVA INPUT 990000001 ADSL OPMD 0 etsi 1 normal 2 gdmt 3 multimo de 3 Table 173 Command Examples continued FIN FN PVA INPUT...

Page 455: ...P 660H HW W T Series User Guide 455 Appendix M...

Page 456: ...ication databases 294 Authentication protocol 239 AWG 5 B Backup 307 Backup Typ 100 Bandwidth Borrowing 187 bandwidth budget 182 bandwidth capacity 182 Bandwidth Class 182 bandwidth class 182 Bandwidt...

Page 457: ...3 Corrosive Liquids 5 Cost Of Transmission 241 248 Country Code 299 Covers 5 CPU Load 298 CTS Clear to Send 423 Custom Ports Creating Editing 141 Customer Support 7 Customized Services 141 Customized...

Page 458: ...structure 273 Generic Filter Rule 279 Remote Node 242 Remote Node Filter 242 Remote Node Filters 284 Sample 282 SUA 281 TCP IP Filter Rule 277 Filter Log 302 Filter Rule Process 273 Filter Rule Setup...

Page 459: ...Statement 3 Internal SPTGEN 430 FTP Upload Example 432 Points to Remember 430 Text File 430 Internet Access 43 46 230 233 234 Internet access 54 230 Internet Access Setup 254 343 Internet access wizar...

Page 460: ...st Size MBS 94 97 Max incomplete High 150 Max incomplete Low 150 MBSSee Maximum Burst Size 234 Media Access Control 250 Media Bandwidth Management 43 Merchantability 6 Message Integrity Check MIC 428...

Page 461: ...r 5 Power Cord 5 Power Outlet 5 Power Supply 5 Power Supply repair 5 PPP Encapsulation 243 PPP Log 303 PPP session over Ethernet PPP over Ethernet RFC 2516 90 PPPoA 237 PPPoE 93 402 Benefits 93 PPPoE...

Page 462: ...uthorization RMA Number 6 Returned Products 6 Returns 6 RF Radio Frequency 45 RFC 1483 91 RFC 1631 102 RFC 1483 237 RFC 2364 237 238 RFC2516 44 Rights 2 Rights Legal 6 RIP 224 241 RIPSee Routing Infor...

Page 463: ...IP Address 301 Syslog Server 301 System Console Port Speed 299 Diagnostic 303 Log and Trace 300 Syslog and Accounting 301 System Information 298 System Status 296 System Information 298 System Informa...

Page 464: ...r IP VoIP 182 Voltage Supply 5 Voltage High 5 VPI VCI 91 W Wall Mount 5 WAN Wide Area Network 90 WAN backup 99 WAN Setup 218 WAN to LAN Rules 134 Warnings 5 Warranty 6 Warranty Information 7 Warranty...

Page 465: ...n Internet Access 43 Zero configuration Internet access 94 ZyNOS 2 307 ZyNOS ZyXEL Network Operating System 306 ZyNOS F W Version 307 ZyXEL Communications Corporation 2 ZyXEL Home Page 4 ZyXEL Limited...

Reviews:

No comments

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands