manualshive.com logo in svg

ZyXEL Communications P-660HW-D1 V2, User Manual

Share
Download
ZyXEL Communications P-660HW-D1 V2 User Manual Download Page 151

 Chapter 9 Firewalls

P-660HW-Dx v2 User’s Guide

151

If an initiation packet originates on the LAN, this means that someone is trying to make a 
connection from the LAN to the Internet. Assuming that this is an acceptable part of the 
security policy (as is the case with the default policy), the connection will be allowed. A cache 
entry is added which includes connection information such as IP addresses, TCP ports, 
sequence numbers, etc.
When the ZyXEL Device receives any subsequent packet (from the Internet or from the LAN), 
its connection information is extracted and checked against the cache. A packet is only 
allowed to pass through if it corresponds to a valid connection (that is, if it is a response to a 
connection which originated on the LAN).

9.5.4  UDP/ICMP Security

UDP and ICMP do not themselves contain any connection information (such as sequence 
numbers). However, at the very minimum, they contain an IP address pair (source and 
destination). UDP also contains port pairs, and ICMP has type and code information. All of 
this data can be analyzed in order to build "virtual connections" in the cache. 
For instance, any UDP packet that originates on the LAN will create a cache entry. Its IP 
address and port pairs will be stored. For a short period of time, UDP packets from the WAN 
that have matching IP and UDP information will be allowed back in through the firewall.
A similar situation exists for ICMP, except that the ZyXEL Device is even more restrictive. 
Specifically, only outgoing echoes will allow incoming echo replies, outgoing address mask 
requests will allow incoming address mask replies, and outgoing timestamp requests will 
allow incoming timestamp replies. No other ICMP packets are allowed in through the firewall, 
simply because they are too dangerous and contain too little tracking information. For 
instance, ICMP redirect packets are never allowed in, since they could be used to reroute 
traffic through attacking machines. 

9.5.5  Upper Layer Protocols

Some higher layer protocols (such as FTP and RealAudio) utilize multiple network 
connections simultaneously. In general terms, they usually have a "control connection" which 
is used for sending commands between endpoints, and then "data connections" which are used 
for transmitting bulk information. 
Consider the FTP protocol. A user on the LAN opens a control connection to a server on the 
Internet and requests a file. At this point, the remote server will open a data connection from 
the Internet. For FTP to work properly, this connection must be allowed to pass through even 
though a connection from the Internet would normally be rejected.
In order to achieve this, the ZyXEL Device inspects the application-level FTP data. 
Specifically, it searches for outgoing "PORT" commands, and when it sees these, it adds a 
cache entry for the anticipated data connection. This can be done safely, since the PORT 
command contains address and port information, which can be used to uniquely identify the 
connection.
Any protocol that operates in this way must be supported on a case-by-case basis. You can use 
the web configurator’s Custom Ports feature to do this.

Summary of Contents for P-660HW-D1 V2

Page 1: ...www zyxel com P 660HW Dx v2 802 11g Wireless ADSL2 4 port Gateway User s Guide Version 3 40 3 2007 Edition 2...

Page 2: ......

Page 3: ...Configurator Online Help Embedded web help for descriptions of individual screens and supplementary information It is recommended you use the web configurator to configure the ZyXEL Device Supporting...

Page 4: ...stroke is denoted by square brackets and uppercase text for example ENTER means the enter or return key on your keyboard Enter means for you to type one or more characters and then press the ENTER key...

Page 5: ...de 5 Icons Used in Figures Figures in this User s Guide may use the following generic icons The ZyXEL Device icon is not an exact representation of your device ZyXEL Device Computer Notebook computer...

Page 6: ...LY an appropriate power adaptor or cord for your device Connect the power adaptor or cord to the right supply voltage for example 110V AC in North America or 230V AC in Europe Do NOT allow anything to...

Page 7: ...Safety Warnings P 660HW Dx v2 User s Guide 7...

Page 8: ...Safety Warnings P 660HW Dx v2 User s Guide 8...

Page 9: ...3 WAN Setup 75 LAN Setup 93 Wireless LAN 105 Network Address Translation NAT Screens 129 Security 141 Firewalls 143 Firewall Configuration 155 Content Filtering 177 Advanced 181 Static Route 183 Bandw...

Page 10: ...Contents Overview P 660HW Dx v2 User s Guide 10...

Page 11: ...Good Habits for Managing the ZyXEL Device 35 1 4 LEDs 35 1 5 Hardware Connections 36 1 5 1 Splitters and Microfilters 36 Chapter 2 Introducing the Web Configurator 39 2 1 Web Configurator Overview 39...

Page 12: ...idth Management Wizard 67 4 1 Introduction 67 4 2 Predefined Media Bandwidth Management Services 67 4 3 Bandwidth Management Wizard Setup 68 Part III Network 73 Chapter 5 WAN Setup 75 5 1 WAN Overview...

Page 13: ...P 97 6 3 Configuring LAN IP 98 6 3 1 Configuring Advanced LAN Setup 99 6 4 DHCP Setup 100 6 5 LAN Client List 101 6 6 LAN IP Alias 102 Chapter 7 Wireless LAN 105 7 1 Wireless Network Overview 105 7 2...

Page 14: ...132 8 3 SIP ALG 132 8 4 NAT General Setup 133 8 5 Port Forwarding 133 8 5 1 Default Server IP Address 134 8 5 2 Port Forwarding Services and Port Numbers 134 8 5 3 Configuring Servers Behind Port For...

Page 15: ...ic Overview 156 10 3 1 Rule Checklist 156 10 3 2 Security Ramifications 156 10 3 3 Key Fields For Configuring Rules 157 10 4 Connection Direction 157 10 4 1 LAN to WAN Rules 158 10 4 2 Alerts 158 10 5...

Page 16: ...Usage 189 13 6 1 Reserving Bandwidth for Non Bandwidth Class Traffic 189 13 6 2 Maximize Bandwidth Usage Example 189 13 6 3 Bandwidth Management Priorities 191 13 7 Over Allotment of Bandwidth 191 13...

Page 17: ...2 UPnP and ZyXEL 214 16 2 1 Configuring UPnP 214 16 3 Installing UPnP in Windows Example 215 16 3 1 Installing UPnP in Windows Me 215 16 3 2 Installing UPnP in Windows XP 216 16 4 Using UPnP in Windo...

Page 18: ...1 1 Power Hardware Connections and LEDs 259 21 2 ZyXEL Device Access and Login 260 21 3 Internet Access 261 Part VII Appendices and Index 263 Appendix A Product Specifications and Wall Mounting 265 Ap...

Page 19: ...Table of Contents P 660HW Dx v2 User s Guide 19 Index 351...

Page 20: ...Table of Contents P 660HW Dx v2 User s Guide 20...

Page 21: ...Packet Statistics 49 Figure 18 System General 50 Figure 19 Select a Mode 53 Figure 20 Wizard Welcome 54 Figure 21 Auto Detection No DSL Connection 54 Figure 22 Auto Detection Failed 55 Figure 23 Auto...

Page 22: ...HCP Setup 100 Figure 57 LAN Client List 102 Figure 58 Physical Network Partitioned Logical Networks 103 Figure 59 LAN IP Alias 103 Figure 60 Example of a Wireless Network 105 Figure 61 Wireless LAN Ge...

Page 23: ...ure 101 Firewall Threshold 174 Figure 102 Content Filter Keyword 177 Figure 103 Content Filter Schedule 178 Figure 104 Content Filter Trusted 179 Figure 105 Example of Static Routing Topology 183 Figu...

Page 24: ...re 143 Firmware 251 Figure 144 Firmware Upload In Progress 252 Figure 145 Network Temporarily Disconnected 252 Figure 146 Error Message 253 Figure 147 Configuration 253 Figure 148 Configuration Restor...

Page 25: ...t 9 0 Restart Ethernet Card 299 Figure 184 Red Hat 9 0 Checking TCP IP Properties 300 Figure 185 Network Number and Host ID 302 Figure 186 Subnetting Example Before Subnetting 304 Figure 187 Subnettin...

Page 26: ...List of Figures P 660HW Dx v2 User s Guide 26...

Page 27: ...Manually assign a WEP key 64 Table 17 Media Bandwidth Management Setup Services 67 Table 18 Bandwidth Management Wizard General Information 69 Table 19 Bandwidth Management Wizard Configuration 70 Tab...

Page 28: ...irewall Configure Customized Services 165 Table 61 Predefined Services 169 Table 62 Firewall Anti Probing 172 Table 63 Firewall Threshold 174 Table 64 Content Filter Keyword 178 Table 65 Content Filte...

Page 29: ...e 101 PPP Logs 240 Table 102 UPnP Logs 241 Table 103 Content Filtering Logs 241 Table 104 Attack Logs 242 Table 105 IPSec Logs 242 Table 106 IKE Logs 243 Table 107 PKI Logs 246 Table 108 Certificate P...

Page 30: ...Planning 307 Table 135 16 bit Network Number Subnet Planning 307 Table 136 Firewall Commands 311 Table 137 Abbreviations Used in the Example Internal SPTGEN Screens Table 320 Table 138 Menu 1 General...

Page 31: ...31 PART I Introduction Introducing the ZyXEL Device 33 Introducing the Web Configurator 39...

Page 32: ...32...

Page 33: ...ames ending in 3 denote a device that works over ISDN Integrated Services Digital Network The DSL RJ 11 ADSL over POTS models or RJ 45 ADSL over ISDN models connects to your ADSL enabled telephone lin...

Page 34: ...ADSL ADSL2 ADSL2 standards Maximum data rates attainable for each standard are shown in the next table If your ZyXEL Device does not support Annex M the maximum ADSL2 2 upstream data rate is 1 2 Mbps...

Page 35: ...configure many devices of the same type 1 3 Good Habits for Managing the ZyXEL Device Do the following things regularly to make the ZyXEL Device more secure and to manage the ZyXEL Device more effecti...

Page 36: ...reen On The ZyXEL Device is receiving power and functioning properly Blinking The ZyXEL Device is rebooting or performing diagnostics Red On Power to the ZyXEL Device is too low Off The system is not...

Page 37: ...re with your telephone voice transmissions The use of a telephone microfilter is optional 1 Locate and disconnect each telephone 2 Connect a cable from the wall jack to the wall side of the microfilte...

Page 38: ...Y Connector to the ZyXEL Device 4 Connect the phone side of the microfilter to your telephone as shown in the following figure Figure 6 Connecting a Microfilter and Y Connector 1 5 1 3 ZyXEL Device W...

Page 39: ...up windows from your device Web pop up blocking is enabled by default in Windows XP SP Service Pack 2 JavaScripts enabled by default Java permissions enabled by default See the chapter on troubleshoo...

Page 40: ...administrator access enter the default admin password 1234 to configure the wizards and the advanced features 2 Click Login to proceed to a screen asking you to change your password or click Cancel to...

Page 41: ...hange Password at Login 4 Select Go to Wizard setup and click Apply to display the wizard main screen Otherwise select Go to Advanced setup and click Apply to display the Status screen Figure 11 Selec...

Page 42: ...ot blinking 2 Press the RESET button for ten seconds or until the POWER LED begins to blink and then release it When the POWER LED begins to blink the defaults have been restored and the ZyXEL Device...

Page 43: ...nable Any IP and other advanced properties DHCP Setup Use this screen to configure LAN DHCP settings Client List Use this screen to view current DHCP client information and to always assign an IP addr...

Page 44: ...gure your ZyXEL Device s settings for Simple Network Management Protocol management DNS Use this screen to configure through which interface s and from which IP address es users can send DNS queries t...

Page 45: ...evice s model name MAC Address This is the MAC Media Access Control or Ethernet address unique to your ZyXEL Device ZyNOS Firmware Version This is the ZyNOS firmware version and the date created ZyNOS...

Page 46: ...s total heap memory in kilobytes The bar displays what percent of the ZyXEL Device s heap memory is in use The bar turns from green to red when the maximum is being approached Interface Status Interf...

Page 47: ...lick the WLAN Status hyperlink in the Status screen to view the wireless stations that are currently associated to the ZyXEL Device Figure 15 Status WLAN Status Table 5 Status Any IP Table LABEL DESCR...

Page 48: ...dwidth Status 2 4 6 Status Packet Statistics Click the Packet Statistics hyperlink in the Status screen Read only information here includes port status and packet specific statistics Also provided are...

Page 49: ...Downstream Speed This is the downstream speed of your ZyXEL Device Node Link This field displays the remote node index number and link type Link types are PPPoA ENET RFC 1483 and PPPoE Status This fie...

Page 50: ...down Up line is up or connected if you re using Ethernet encapsulation and Down line is down Up line is up or connected Idle line ppp idle Dial starting to trigger a call and Drop dropping a call if y...

Page 51: ...51 PART II Wizards Wizard Setup for Internet Access 53 Bandwidth Management Wizard 67...

Page 52: ...52...

Page 53: ...h the information given to you by your ISP See the advanced menu chapters for background information on these fields 3 2 Internet Access Wizard Setup 1 After you enter the admin password to access the...

Page 54: ...ype you use If the wizard does not detect a connection type and the following screen appears see Figure 21 on page 54 check your hardware connections and click Restart the Internet Wireless Setup Wiza...

Page 55: ...pting you to enter your Internet account information Enter the username password and or service name exactly as provided 2 Click Next Figure 23 Auto Detection PPPoE 3 2 2 Manual Configuration 1 If the...

Page 56: ...Choices vary depending on what you select in the Mode field If you select Bridge in the Mode field select either PPPoA or RFC 1483 If you select Routing in the Mode field select PPPoA RFC 1483 ENET EN...

Page 57: ...where domain identifies a service name then enter both components exactly as given Password Enter the password associated with the user name above Service Name Type the name of your PPPoE service here...

Page 58: ...dress Select Static IP Address if your ISP gives you a fixed IP address IP Address Enter your ISP assigned IP address Subnet Mask Enter a subnet mask in dotted decimal notation Refer to the appendices...

Page 59: ...an modify them Figure 29 Connection Test Failed 1 If the following screen displays check if your account is activated or click Restart the Internet Wireless Setup Wizard to verify your Internet access...

Page 60: ...izard Setup After you configure the Internet access information use the following screens to set up your wireless LAN 1 Select Yes and click Next to configure wireless settings Otherwise select No and...

Page 61: ...EL Device s SSID and WPA PSK security settings to wireless clients that support OTIST and are within transmission range You must also activate and start OTIST on the wireless client at the same time T...

Page 62: ...s support WPA and OTIST This option is available only when you enable OTIST in the previous wizard screen Select Manually assign a WPA PSK key to configure a pre shared key WPA PSK Choose this option...

Page 63: ...ss LAN setup screen to set up a Pre Shared Key Figure 34 Manually assign a WPA key The following table describes the labels in this screen 3 3 2 Manually assign a WEP key Choose Manually assign a WEP...

Page 64: ...assign a WEP key LABEL DESCRIPTION Key The WEP keys are used to encrypt data Both the ZyXEL Device and the wireless stations must use the same WEP key for data transmission Enter any 5 13 or 29 ASCII...

Page 65: ...Figure 37 Internet Access and WLAN Wizard Setup Complete 7 Launch your web browser and navigate to www zyxel com Internet access is just the beginning Refer to the rest of this guide for more detailed...

Page 66: ...Chapter 3 Wizard Setup for Internet Access P 660HW Dx v2 User s Guide 66...

Page 67: ...d Wide Web WWW is an Internet system to distribute graphical hyper linked information based on Hyper Text Transfer Protocol HTTP a client server protocol for the World Wide Web The Web is not synonymo...

Page 68: ...ort number 1720 VoIP SIP Sending voice signals over the Internet is called Voice over IP or VoIP Session Initiated Protocol SIP is an internationally recognized standard for implementing VoIP SIP is a...

Page 69: ...requirements Figure 40 Bandwidth Management Wizard General Information The following fields describe the label in this screen Table 18 Bandwidth Management Wizard General Information LABEL DESCRIPTIO...

Page 70: ...y the services names Priority Select High Mid or Low priority for each service to have your ZyXEL Device use a priority for traffic that matches that service A service with High priority is given as m...

Page 71: ...k Finish to complete the wizard setup and save your configuration Figure 42 Bandwidth Management Wizard Complete Apply Click Apply to save your changes to the ZyXEL Device Exit Click Exit to close the...

Page 72: ...Chapter 4 Bandwidth Management Wizard P 660HW Dx v2 User s Guide 72...

Page 73: ...73 PART III Network WAN Setup 75 LAN Setup 93 Wireless LAN 105 Network Address Translation NAT Screens 129...

Page 74: ...74...

Page 75: ...E Point to Point Protocol over Ethernet provides access control and billing functionality in a manner similar to dial up services using PPP PPPoE is an IETF standard RFC 2516 specifying how a personal...

Page 76: ...ominant in environments where dynamic creation of large numbers of ATM VCs is fast and economical 5 1 2 2 LLC based Multiplexing In this case one VC carries multiple protocols with protocol identifyin...

Page 77: ...your choices for IP address and ENET ENCAP gateway 5 1 5 1 IP Assignment with PPPoA or PPPoE Encapsulation If you have a dynamic IP then the IP Address and ENET ENCAP Gateway fields are not applicabl...

Page 78: ...e Section 5 8 on page 89 For example if the normal route has a metric of 1 and the traffic redirect route has a metric of 2 and dial backup route has a metric of 3 then the normal route acts as the pr...

Page 79: ...Constant Bit Rate CBR provides fixed bandwidth that is always available even if no data is being sent CBR traffic is generally time sensitive doesn t tolerate delay CBR is used for connections that co...

Page 80: ...ansfer 5 4 Zero Configuration Internet Access Once you turn on and connect the ZyXEL Device to a telephone jack it automatically detects the Internet connection settings such as the VCI VPI numbers an...

Page 81: ...Mode field If you select Bridge in the Mode field select either PPPoA or RFC 1483 If you select Routing in the Mode field select PPPoA RFC 1483 ENET ENCAP or PPPoE User Name PPPoA and PPPoE encapsulat...

Page 82: ...ss to use enter it here Subnet Mask ENET ENCAP encapsulation only Enter a subnet mask in dotted decimal notation Refer to the appendices to calculate a subnet mask If you are implementing subnetting G...

Page 83: ...Rate to specify fixed always on bandwidth for voice or data traffic Select UBR Unspecified Bit Rate for applications that are non time sensitive such as e mail Select VBR nRT Variable Bit Rate non Re...

Page 84: ...thod from the ISP and make the necessary configuration changes Select No to disable this feature You must manually configure the ZyXEL Device for Internet access PPPoE Passthrough This feature is avai...

Page 85: ...lect the check box to enable it Name This is the descriptive name for this connection VPI VCI This is the VPI and VCI values used for this connection Encapsulation This is the method of encapsulation...

Page 86: ...account If you select Bridge the ZyXEL Device will forward any packet that it does not route to this remote node otherwise the packets are discarded Encapsulation Select the method of encapsulation us...

Page 87: ...use enter it here Subnet Mask Enter a subnet mask in dotted decimal notation Refer to the appendices to calculate a subnet mask If you are implementing subnetting Gateway IP address Specify a gateway...

Page 88: ...ect CBR Continuous Bit Rate to specify fixed always on bandwidth for voice or data traffic Select UBR Unspecified Bit Rate for applications that are non time sensitive such as e mail Select VBR nRT Va...

Page 89: ...ay is connected to the LAN Use IP alias to configure the LAN into two or three logical networks with the ZyXEL Device itself as the gateway for each LAN network Put the protected LAN in one subnet Sub...

Page 90: ...ctivate either traffic redirect or dial backup you must configure at least one IP address here When using a WAN backup connection the ZyXEL Device periodically pings the addresses configured here and...

Page 91: ...e If you activate traffic redirect you must configure at least one Check WAN IP Address Metric This field sets this route s priority among the routes the ZyXEL Device uses The metric represents the co...

Page 92: ...Chapter 5 WAN Setup P 660HW Dx v2 User s Guide 92...

Page 93: ...rea usually the same building or floor of a building The LAN screens can help you configure a LAN DHCP server and manage IP addresses See Section 6 3 on page 98 to configure the LAN screens 6 1 1 LANs...

Page 94: ...dresses enter them in the DNS Server fields in DHCP Setup otherwise leave them blank Some ISP s choose to pass the DNS servers using the DNS server extensions of PPP IPCP IP Control Protocol after the...

Page 95: ...ddress Translation NAT feature of the ZyXEL Device The Internet Assigned Number Authority IANA reserved this block of addresses specifically for private use please do not use any other number unless y...

Page 96: ...RIP packets but will not accept any RIP packets received None the ZyXEL Device will not send any RIP packets and will ignore any RIP packets received The Version field controls the format and the broa...

Page 97: ...evice In cases where your computer is required to use a static IP address in another network you may need to manually configure the network settings of the computer every time you want to access the I...

Page 98: ...ds packets to its default gateway which is not the ZyXEL Device by looking at the MAC address in its ARP table 2 When the computer cannot locate the default gateway an ARP request is broadcast on the...

Page 99: ...Subnet Mask Type the subnet mask assigned to you by your ISP if given Apply Click Apply to save your changes to the ZyXEL Device Cancel Click Cancel to begin configuring this screen afresh Advanced Se...

Page 100: ...over TCP IP NetBIOS Network Basic Input Output System are TCP or UDP packets that enable a computer to connect to and communicate with a LAN For some dial up services such as PPPoE or PPTP NetBIOS pac...

Page 101: ...he clients Enter the IP address of the actual remote DHCP server in the Remote DHCP Server field in this case When DHCP is used the following items need to be set IP Pool Starting Address This field s...

Page 102: ...ble entry row Status This field displays whether the client is connected to the ZyXEL Device Host Name This field displays the computer host name IP Address This field displays the IP address relative...

Page 103: ...AN s logical networks subnets Make sure that the subnets of the logical networks do not overlap The following figure shows a LAN divided into subnets A B and C Figure 58 Physical Network Partitioned L...

Page 104: ...s routing table periodically When set to Both or In Only it will incorporate the RIP information that it receives when set to None it will not send any RIP packets and will ignore any RIP packets rece...

Page 105: ...less network devices A and B are called wireless clients The wireless clients use the access point AP to interact with other devices such as the printer or with the Internet Your ZyXEL Device is the A...

Page 106: ...other documentation You can use the MAC address filter to tell the AP which wireless clients are allowed or not allowed to use the wireless network If a wireless client is allowed to use the wireless...

Page 107: ...e if the wireless network has a RADIUS server you can choose WPA or WPA2 If users do not log in to the wireless network you can choose no encryption Static WEP WPA PSK or WPA2 PSK Usually you should s...

Page 108: ...ZyXEL s OTIST you set up the SSID and WPA PSK on the ZyXEL Device Then the ZyXEL Device transfers them to the devices in the wireless networks As a result you do not have to set up the SSID and encry...

Page 109: ...AP must have the same SSID Enter a descriptive name up to 32 printable 7 bit ASCII characters for the wireless LAN Note If you are configuring the ZyXEL Device from a computer connected to the wirele...

Page 110: ...EL Device allows you to configure up to four 64 bit 128 bit or 256 bit WEP keys but only one key can be enabled at any one time In order to configure and enable WEP encryption click Network Wireless L...

Page 111: ...er a Passphrase up to 32 printable characters and clicking Generate The ZyXEL Device automatically generates a WEP key WEP Key The WEP keys are used to encrypt data Both the ZyXEL Device and the wirel...

Page 112: ...yXEL Device is using WPA2 PSK or WPA2 Pre Shared Key The encryption mechanisms used for WPA WPA2 and WPA PSK WPA2 PSK are the same The only difference between the two is that WPA PSK WPA2 PSK uses a s...

Page 113: ...nnected to the wireless network for example using an authentication server If the wireless network is not keeping track of this information you can usually set this value higher to reduce the number o...

Page 114: ...A2 ReAuthentication Timer In Seconds Specify how often wireless clients have to resend usernames and passwords in order to stay connected Enter a time interval between 10 and 9999 seconds The default...

Page 115: ...ditional information Shared Secret Enter a password up to 31 alphanumeric characters as the key to be shared between the external authentication server and the ZyXEL Device The key must be the same on...

Page 116: ...Select Short preamble if you are sure the wireless adapters support it and to provide more efficient communications Select Dynamic to have the ZyXEL Device automatically use short preamble when wirele...

Page 117: ...n t configure one manually OTIST replaces the pre configured wireless settings on the wireless clients 7 4 1 Enabling OTIST You must enable OTIST on both the AP and wireless client before you start tr...

Page 118: ...nt s Yes If you want OTIST to automatically generate a WPA PSK you must Change your security to any security other than WPA PSK in the Wireless LAN General screen Select the Yes checkbox in the OTIST...

Page 119: ...wireless clients and AP in any order but they must all be within range and have OTIST enabled 1 In the AP a web configurator screen pops up showing you the security settings to transfer You can use th...

Page 120: ...loses its wireless connection for more than ten seconds it will search for an OTIST enabled AP for up to one minute If you manually have the wireless client search for an OTIST enabled AP there is no...

Page 121: ...this screen To change your ZyXEL Device s MAC filter settings click Network Wireless LAN MAC Filter The screen appears as shown Figure 74 MAC Address Filter The following table describes the labels in...

Page 122: ...the MAC addresses of the wireless client that are allowed or denied access to the ZyXEL Device in these address fields Enter the MAC addresses in a valid MAC address format that is six hexadecimal cha...

Page 123: ...used to find out if a user is logged on FTP TCP 20 21 File Transfer Program a program to enable fast transfer of files including large files that may not be possible by e mail H 323 TCP 1720 NetMeeti...

Page 124: ...n the Internet SFTP TCP 115 Simple File Transfer Protocol SMTP TCP 25 Simple Mail Transfer Protocol is the message exchange standard for the Internet SMTP enables you to move messages from one e mail...

Page 125: ...AN QoS The following table describes the fields in this screen Table 42 Wireless Lan QoS LABEL DESCRIPTION QoS Enable WMM QoS Select the check box to enable WMM QoS on the ZyXEL Device WMM QoS Policy...

Page 126: ...he WMM QoS priority for traffic bandwidth Modify Click the to open the Application Priority Configuration screen Modify an existing application entry or create a application entry in the Application P...

Page 127: ...HTTP a client server protocol for the World Wide Web The Web is not synonymous with the Internet rather it is just one service on the Internet Other services on the Internet include Internet Relay Ch...

Page 128: ...Chapter 7 Wireless LAN P 660HW Dx v2 User s Guide 128...

Page 129: ...f a host when the packet is in the local network while the global address refers to the IP address of the host when the same packet is traveling in the WAN side Note that inside outside refers to the...

Page 130: ...eventing intruders from probing your network For more information on IP address translation refer to RFC 1631 The IP Network Address Translator NAT 8 1 3 How NAT Works Each packet has two addresses a...

Page 131: ...stance PAT port address translation ZyXEL s Single User Account feature that previous ZyXEL routers supported the SUA Only option in today s routers Many to Many Overload In Many to Many Overload mode...

Page 132: ...NAT un friendly because they embed IP addresses and port numbers in their packets data payload Some NAT routers may include a SIP Application Layer Gateway ALG An Application Layer Gateway ALG manage...

Page 133: ...the number of NAT sessions a single client can establish this can result in all of the available NAT sessions being used In this case no additional NAT sessions can be established and users may not b...

Page 134: ...tion Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location If you are unsure refer to your ISP 8 5 1 Default Server IP Address I...

Page 135: ...pears as a single host on the Internet Figure 80 Multiple Servers Behind NAT Example 8 6 Configuring Port Forwarding The Port Forwarding screen is available only when you select SUA Only in the NAT Ge...

Page 136: ...here or in the remote management setup Port Forwarding Service Name Select a service from the drop down list box Server IP Address Enter the IP address of the server for the specified service Add Clic...

Page 137: ...ABEL DESCRIPTION Active Click this check box to enable the rule Service Name Enter a name to identify this port forwarding rule Start Port Enter a port number in this field To forward only one port en...

Page 138: ...le 50 Address Mapping Rules LABEL DESCRIPTION This is the rule index number Local Start IP This is the starting Inside Local IP Address ILA Local IP addresses are N A for Server port mapping Local End...

Page 139: ...address translation ZyXEL s Single User Account feature that previous ZyXEL routers supported only M M Ov Overload Many to Many Overload mode maps multiple local IP addresses to shared global IP addre...

Page 140: ...rvices behind the NAT to be accessible to the outside world Local Start IP This is the starting local IP address ILA Local IP addresses are N A for Server port mapping Local End IP This is the end loc...

Page 141: ...141 PART IV Security Firewalls 143 Firewall Configuration 155 Content Filtering 177 Certificates 145...

Page 142: ...142...

Page 143: ...e only mechanism or method employed For a firewall to guard effectively you must design and deploy it appropriately This requires integrating the firewall into a broad information security policy In a...

Page 144: ...assure the integrity of the connection and to adapt to dynamic protocols These firewalls generally provide the best speed and transparency however they may lack the granular application level access c...

Page 145: ...fic functions An extension number called the TCP port or UDP port identifies these protocols such as HTTP Web FTP File Transfer Protocol POP3 E mail etc For example Web traffic by default uses TCP por...

Page 146: ...series of IP fragments with overlapping offset fields When these fragments are reassembled at the destination some systems will crash hang or reboot 6 Weaknesses in the TCP IP specification leave it o...

Page 147: ...er floods a router with Internet Control Message Protocol ICMP echo request packets pings Since the destination IP address of each packet is the broadcast address of the network the router will broadc...

Page 148: ...ing a router or firewall into thinking that the communications are coming from within the trusted network To engage in IP spoofing a hacker must modify the packet headers so that it appears that the p...

Page 149: ...P packet leaves the LAN network through the firewall s WAN interface The TCP packet is the first in a session and the packet s application layer protocol is configured for a firewall rule inspection 1...

Page 150: ...ow certain types of traffic from the Internet to specific hosts on the LAN Allow access to a Web server to everyone but competitors Restrict use of certain protocols such as Telnet to authorized users...

Page 151: ...ive Specifically only outgoing echoes will allow incoming echo replies outgoing address mask requests will allow incoming address mask replies and outgoing timestamp requests will allow incoming times...

Page 152: ...icularly vulnerable because they provide more opportunities for hackers to crack your system Turn your computer off when not in use Never give out a password or any sensitive information to an unsolic...

Page 153: ...ilters can not distinguish traffic originating from an inside host or an outside host by IP address To block allow IP trace route 9 7 2 Firewall The firewall inspects packet contents as well as their...

Page 154: ...ish traffic originating from an inside host or an outside host by IP address The firewall performs better than filtering if you need to check many rules Use the firewall if you need routine e mail rep...

Page 155: ...ravel of packets to which they apply By default the ZyXEL Device s stateful packet inspection allows packets traveling in the following directions LAN to LAN Router This allows computers on the LAN to...

Page 156: ...precedence and override the ZyXEL Device s default rules 10 3 Rule Logic Overview Study these points carefully before configuring rules 10 3 1 Rule Checklist State the intent of the rule For example T...

Page 157: ...ds an ICMP destination unreachable message to the sender 10 3 3 2 Service Select the service from the Service scrolling list box If the service is not listed it is necessary to first define it See Sec...

Page 158: ...you will need to create custom rules to allow it 10 4 2 Alerts Alerts are reports on events such as attacks that you may want to know about right away You can choose to generate an alert when a rule i...

Page 159: ...s the direction of travel of packets LAN to LAN Router LAN to WAN WAN to WAN Router WAN to LAN Firewall rules are grouped based on the direction of travel of packets to which they apply For example LA...

Page 160: ...nfigure summarized below take priority over the general firewall action settings in the General screen This is your firewall rule number The ordering of your rules is important as rules are applied in...

Page 161: ...can edit the rule Click the Remove icon to delete an existing firewall rule A window displays asking you to confirm that you want to delete the firewall rule Note that subsequent firewall rules move u...

Page 162: ...Chapter 10 Firewall Configuration P 660HW Dx v2 User s Guide 162 Figure 92 Firewall Edit Rule...

Page 163: ...he Source or Destination Address box You can add multiple addresses ranges of addresses and or subnets Edit To edit an existing source or destination address select it from the box and click Edit Dele...

Page 164: ...tomized Service Click a rule number in the Firewall Customized Services screen to create a new custom port or edit an existing one This action displays the following screen Apply Click Apply to save y...

Page 165: ...vices LABEL DESCRIPTION Service Name Type a unique name for your custom port Service Type Choose the IP port TCP UDP or TCP UDP that defines your customized port from the drop down list box Port Confi...

Page 166: ...e becomes rule 8 4 Click Add to display the firewall rule configuration screen 5 In the Edit Rule screen click the Edit Customized Services link to open the Customized Service screen 6 Click an index...

Page 167: ...xample Edit Rule Destination Address 9 Use the Add and Remove buttons between Available Services and Selected Services list boxes to configure it as follows Click Apply when you are done Custom servic...

Page 168: ...ewall Example Edit Rule Select Customized Services On completing the configuration procedure for this Internet firewall rule the Rules screen should look like the following Rule 1 allows a MyService c...

Page 169: ...om service ports may also be configured using the Edit Customized Services function discussed previously Table 61 Predefined Services SERVICE DESCRIPTION AIM NEW_ICQ TCP 5190 AOL s Internet Messenger...

Page 170: ...from a POP3 server through a temporary connection TCP IP or other PPTP TCP 1723 Point to Point Tunneling Protocol enables secure transfer of data over public networks This is the control channel PPTP...

Page 171: ...ation user Refer to Section 9 1 on page 143 for more information Click Security Firewall Anti Probing to display the screen as shown Figure 100 Firewall Anti Probing SSH TCP UDP 22 Secure Shell Remote...

Page 172: ...ll rules Table 62 Firewall Anti Probing LABEL DESCRIPTION Respond to PING on The ZyXEL Device does not respond to any incoming Ping requests when Disable is selected Select LAN to reply to incoming LA...

Page 173: ...The ZyXEL Device continues to delete half open sessions as necessary until the rate of new connection attempts drops below another threshold one minute low The rate is the number of new attempts dete...

Page 174: ...eleting half open sessions When the rate of new connection attempts rises above this number the ZyXEL Device deletes half open sessions as required to accommodate new connection attempts 100 half open...

Page 175: ...P sessions with the same destination host IP address that causes the firewall to start dropping half open sessions to that same destination host IP address Enter a number between 1 and 256 As a genera...

Page 176: ...Chapter 10 Firewall Configuration P 660HW Dx v2 User s Guide 176...

Page 177: ...ce performs content filtering You can also specify trusted IP addresses on the LAN for which the ZyXEL Device will not perform content filtering 11 2 Configuring Keyword Blocking Use this screen to bl...

Page 178: ...list of all the keywords that you have configured the ZyXEL Device to block Delete Highlight a keyword in the box and click Delete to remove it Clear All Click Clear All to remove all of the keywords...

Page 179: ...to Block Select this option to filter websites according to the day s and time s configured Active Select the check box to have the content filtering active on the selected day Start TIme Enter the st...

Page 180: ...Chapter 11 Content Filtering P 660HW Dx v2 User s Guide 180...

Page 181: ...181 PART V Advanced Static Route 183 Bandwidth Management 187 Dynamic DNS Setup 199 Remote Management Configuration 203 Universal Plug and Play UPnP 213...

Page 182: ...182...

Page 183: ...tance the ZyXEL Device knows about network N2 in the following figure through remote node Router 1 However the ZyXEL Device is unable to route a packet to network N3 because it doesn t know that there...

Page 184: ...check box Name This is the name that describes or identifies this route Destination This parameter specifies the IP network address of the final destination Routing is always based on network number G...

Page 185: ...ion Routing is always based on network number If you need to specify a route to a single host use a subnet mask of 255 255 255 255 in the subnet mask field to force the network number to be identical...

Page 186: ...Chapter 12 Static Route P 660HW Dx v2 User s Guide 186...

Page 187: ...traffic that comes into an interface Bandwidth management applies to all traffic flowing out of the router regardless of the traffic s source Traffic redirect or IP alias may cause LAN to LAN traffic...

Page 188: ...he ZyXEL Device has two types of scheduler fairness based and priority based 13 5 1 Priority based Scheduler With the priority based scheduler the ZyXEL Device forwards traffic from bandwidth classes...

Page 189: ...the available bandwidth first as much as they require if there is enough available bandwidth and then to lower priority classes if there is still bandwidth available The ZyXEL Device distributes the a...

Page 190: ...and marketing departments 1536 kbps extra to each for a total of 3584 kbps for each because they both have the highest priority level Research requires more bandwidth but only gets its budgeted 2048...

Page 191: ...n only browse the web when VoIP NetMeeting and FTP do not use all 1000 Kbps of available bandwidth 13 8 Configuring Summary Click Advanced Bandwidth MGMT to open the screen as shown next Enable bandwi...

Page 192: ...nsmission speed For example set the WAN interface speed to 1000 kbps if your Internet connection has an upstream transmission speed of 1 Mbps You can set this number higher than the interface s actual...

Page 193: ...llowing table To LAN Interface This is the number of an individual bandwidth management rule Active This displays whether the rule is enabled Select this check box to have the ZyXEL Device apply this...

Page 194: ...that non DiffServ compliant ToS enabled network device will not conflict with the DSCP mapping Figure 111 DiffServ Differentiated Service Field The DSCP value determines the forwarding behavior the PH...

Page 195: ...rated name or enter a descriptive name of up to 20 alphanumeric characters including spaces BW Budget Specify the maximum bandwidth allowed for the rule in kbps The recommendation is a setting between...

Page 196: ...t to use a predefined application for the bandwidth class When you select User defined you need to configure at least one of the following fields other than the Subnet Mask fields which you only enter...

Page 197: ...width in use The screen refreshes every few seconds Apply Click Apply to save your changes to the ZyXEL Device Cancel Click Cancel to begin configuring this screen afresh Table 79 Services and Port Nu...

Page 198: ...nagement Monitor Table 80 Bandwidth Management Monitor LABEL DESCRIPTION Monitor This section allows you to select which network to monitor You may select either a LAN WLAN or WAN After selecting a ne...

Page 199: ...now your IP address First of all you need to have registered a dynamic DNS account with www dyndns org This is for people with a dynamic IP from their ISP or DHCP server that would still like to have...

Page 200: ...Type the domain name assigned to your ZyXEL Device by your Dynamic DNS provider You can specify up to two host names in the field separated by a comma User Name Type your user name Password Type the...

Page 201: ...P address of the NAT router that has a public IP address Note The DDNS server may not be able to detect the proper IP address if there is an HTTP proxy server between the ZyXEL Device and the DDNS ser...

Page 202: ...Chapter 14 Dynamic DNS Setup P 660HW Dx v2 User s Guide 202...

Page 203: ...from a remote location via Internet WAN only ALL LAN and WAN LAN only Neither Disable When you choose WAN only or LAN WAN you still need to configure a firewall rule to allow access See Appendix E on...

Page 204: ...re is a firewall rule that blocks it A filter is applied through the commands to block a Telnet FTP or Web service 15 1 2 Remote Management and NAT When NAT is enabled Use the ZyXEL Device s WAN IP ad...

Page 205: ...may change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Access Status Select the interface s through whic...

Page 206: ...ssword at the prompts The default password is 1234 The password is case sensitive Table 83 Remote Management Telnet LABEL DESCRIPTION Port You may change the server port number for a service if needed...

Page 207: ...ion to manage and monitor the ZyXEL Device through the network The ZyXEL Device supports SNMP version one SNMPv1 and version two SNMPv2 The next figure illustrates an SNMP management operation Table 8...

Page 208: ...collected about a device Examples of variables include such as number of packets received node port status etc A Management Information Base MIB is a collection of managed objects SNMP allows a manage...

Page 209: ...T SNMP The screen appears as shown Figure 120 Remote Management SNMP Table 85 SNMP Traps TRAP TRAP NAME DESCRIPTION 0 coldStart defined in RFC 1215 A trap is sent after booting power on 1 warmStart de...

Page 210: ...e using this service Secured Client IP A secured client is a trusted computer that is allowed to communicate with the ZyXEL Device using this service Select All to allow any computer to access the ZyX...

Page 211: ...sponse packet from being sent This keeps outsiders from discovering your ZyXEL Device when unsupported ports are probed Table 87 Remote Management DNS LABEL DESCRIPTION Port The DNS service port numbe...

Page 212: ...ices Select this option to prevent hackers from finding the ZyXEL Device by probing for unused ports If you select this option the ZyXEL Device will not respond to port request s for unused ports thus...

Page 213: ...twork will appear as a separate icon Selecting the icon of a UPnP device will allow you to access the information and properties of that device 16 1 2 NAT Traversal UPnP NAT traversal automates the pr...

Page 214: ...UPnP to display the screen shown next See Section 16 1 on page 213 for more information Figure 123 Configuring UPnP The following table describes the fields in this screen Table 89 Configuring UPnP LA...

Page 215: ...Components selection box Click Details Figure 124 Add Remove Programs Windows Setup Communication 3 In the Communications window select the Universal Plug and Play check box in the Components selecti...

Page 216: ...ompted 16 3 2 Installing UPnP in Windows XP Follow the steps below to install the UPnP in Windows XP 1 Click start and Control Panel 2 Double click Network Connections 3 In the Network Connections win...

Page 217: ...select the Universal Plug and Play check box Figure 128 Networking Services 6 Click OK to go back to the Windows Optional Networking Component Wizard window and click Next 16 4 Using UPnP in Windows X...

Page 218: ...e ZyXEL Device 16 4 1 Auto discover Your UPnP enabled Network Device 1 Click start and Control Panel Double click Network Connections An icon displays under Internet Gateway 2 Right click the icon and...

Page 219: ...Play UPnP P 660HW Dx v2 User s Guide 219 Figure 130 Internet Connection Properties 4 You may edit or delete the port mappings or click Add to manually add port mappings Figure 131 Internet Connection...

Page 220: ...dd When the UPnP enabled device is disconnected from your computer all port mappings will be deleted automatically 5 Select Show icon in notification area when connected option and click OK An icon di...

Page 221: ...n access the web based configurator on the ZyXEL Device without finding out the IP address of the ZyXEL Device first This comes helpful if you do not know the IP address of the ZyXEL Device Follow the...

Page 222: ...v2 User s Guide 222 Figure 135 Network Connections 4 An icon with the description for each UPnP enabled device displays under Local Network 5 Right click on the icon for your ZyXEL Device and select...

Page 223: ...223 Figure 136 Network Connections My Network Places 6 Right click on the icon for your ZyXEL Device and select Properties A properties window displays with basic information about the ZyXEL Device F...

Page 224: ...Chapter 16 Universal Plug and Play UPnP P 660HW Dx v2 User s Guide 224...

Page 225: ...225 PART VI Maintenance and Troubleshooting System 227 Logs 233 Tools 251 Diagnostic 257 Troubleshooting 259...

Page 226: ...226...

Page 227: ...indows 2000 click Start Settings Control Panel and then double click System Click the Network Identification tab and then the Properties button Note the entry for the Computer name field and enter it...

Page 228: ...pe how many minutes a management session can be left idle before the session times out The default is 5 minutes After it times out you have to log in with your password again Very long idle timeouts m...

Page 229: ...or the existing password you use to access the system for configuring advanced features New Password Type your new system password up to 30 characters Note that as you type a password the screen displ...

Page 230: ...Time and Date Setup to Manual enter the new date in this field and then click Apply Get from Time Server Select this radio button to have the ZyXEL Device get the time and date from the time server y...

Page 231: ...me zone is one hour ahead of GMT or UTC GMT 1 End Date Configure the day and time when Daylight Saving Time ends if you selected Enable Daylight Saving The o clock field uses the 24 hour format Here a...

Page 232: ...Chapter 17 System P 660HW Dx v2 User s Guide 232...

Page 233: ...warrants more serious attention They include system errors attacks access control and attempted access to blocked web sites Some categories such as System Errors consist of both logs and alerts You m...

Page 234: ...92 View Log LABEL DESCRIPTION Display The categories that you select in the Log Settings screen display in the drop down list box Select a category of logs to view select All Logs to view logs from a...

Page 235: ...ubject line of the log e mail message that the ZyXEL Device sends Not all ZyXEL models have this field Send Log To The ZyXEL Device sends logs to the e mail address specified in this field If this fie...

Page 236: ...is sent when the log fills up If you select None no log messages are sent Day for Sending Log Use the drop down list box to select which day of the week to send the logs Time for Sending Log Enter the...

Page 237: ...src port 00520 dest port 00520 1 02 End of Firewall Log Table 94 System Maintenance Logs LOG MESSAGE DESCRIPTION Time calibration is successful The router has adjusted its time based on information f...

Page 238: ...e using HTTPS protocol HTTPS login failed Someone has failed to log on to the router s web configurator interface using HTTPS protocol Table 95 System Error Logs LOG MESSAGE DESCRIPTION s exceeds the...

Page 239: ...l session time out sent TCP RST The router sent a TCP reset packet when a dynamic firewall session timed out The default timeout values are as follows ICMP idle timeout 3 minutes UDP idle timeout 3 mi...

Page 240: ...hannel d call d s C01 Outgoing Call dev x ch x s The router received the setup requirements for a call call is the reference count number of the call dev is the device type 3 is for dial up 6 is for P...

Page 241: ...esponded that the web site is in the blocked category list and returned the category type s cache hit The system detected that the web site is in the blocked list from the local cache but does not kno...

Page 242: ...irewall detected an UDP teardrop attack teardrop ICMP type d code d The firewall detected an ICMP teardrop attack For type and code details see Table 110 on page 248 illegal command TCP The firewall d...

Page 243: ...SA process done The phase 1 IKE SA process has been completed Duplicate requests with the same cookie The router received multiple requests from the same peer while still processing the first IKE pack...

Page 244: ...ID contents do not match Configured Peer ID Content Configured Peer ID Content The phase 1 ID contents do not match and the configured Peer ID Content is displayed Incoming ID Content Incoming Peer I...

Page 245: ...e 1 hash mismatch The listed rule s IKE phase 1 hash did not match between the router and the peer Rule d Phase 1 preshared key mismatch The listed rule s IKE phase 1 pre shared key did not match betw...

Page 246: ...name as recorded from the LDAP server whose IP address and port are recorded in the Source field Rcvd ARL size issuer name The router received an ARL Authority Revocation List with size and issuer nam...

Page 247: ...ecific information missing 14 Not used 15 CRL is too old 16 CRL is not valid 17 CRL signature was not verified correctly 18 CRL was not found anywhere 19 CRL was not added to the cache 20 CRL decoding...

Page 248: ...ded to queue the datagrams for output to the next network on the route to the destination network 5 Redirect 0 Redirect datagrams for the Network 1 Redirect datagrams for the Host 2 Redirect datagrams...

Page 249: ...gured one when the router generates a syslog The facility is defined in the web MAIN MENU LOGS Log Settings page The severity is the log s syslog class The definition of messages and notes are defined...

Page 250: ...Chapter 18 Logs P 660HW Dx v2 User s Guide 250...

Page 251: ...el name with a bin extension for example ZyXEL Device bin The upload process uses HTTP Hypertext Transfer Protocol and may take up to two minutes After a successful upload the system will reboot Only...

Page 252: ...145 Network Temporarily Disconnected After two minutes log in again and check your new firmware version in the Status screen If the upload was not successful the following screen will appear Click Re...

Page 253: ...Backup Configuration Backup configuration allows you to back up save the ZyXEL Device s current configuration to a file on your computer Once your ZyXEL Device is configured and functioning properly...

Page 254: ...following icon on your desktop Figure 149 Temporarily Disconnected If you uploaded the default configuration file you may need to change the IP address of your computer to be in the same subnet as tha...

Page 255: ...s You can also press the RESET button on the rear panel to reset the factory defaults of your ZyXEL Device Refer to the chapter about introducing the web configurator for more information on the RESET...

Page 256: ...Chapter 19 Tools P 660HW Dx v2 User s Guide 256...

Page 257: ...he screen shown next Figure 152 Diagnostic General The following table describes the fields in this screen 20 2 DSL Line Diagnostic Click Maintenance Diagnostic DSL Line to open the screen shown next...

Page 258: ...ice sends an OAM F5 packet to the DSLAM ATM switch and then returns it loops it back to the ZyXEL Device The ATM loopback test is useful for troubleshooting problems with the DSLAM and ATM network DSL...

Page 259: ...the power adaptor or cord included with the ZyXEL Device 3 Make sure the power adaptor or cord is connected to the ZyXEL Device and plugged in to an appropriate power source Make sure the power sourc...

Page 260: ...reen in the web configurator 1 Make sure you are using the correct IP address The default IP address is 192 168 1 1 If you changed the IP address Section 6 2 1 on page 95 use the new IP address If you...

Page 261: ...e entered the user name and password correctly The default password is 1234 This field is case sensitive so make sure Caps Lock is not on 2 You cannot log in to the web configurator while someone is u...

Page 262: ...behaving as expected See the Quick Start Guide and Section 1 4 on page 35 2 Reboot the ZyXEL Device 3 Turn the ZyXEL Device off and on 4 If the problem continues contact your ISP V The Internet conne...

Page 263: ...ur Computer s IP Address 285 IP Addresses and Subnetting 301 Firewall Commands 311 Internal SPTGEN 317 Command Interpreter 331 Pop up Windows JavaScripts and Java Permissions 333 NetBIOS Filter Comman...

Page 264: ...264...

Page 265: ...ce between the centers of the holes for wall mounting on the device s back 108 mm Screw size for wall mounting M4 Tap Screw Antenna The ZyXEL Device is equipped with one 3dBi fixed antenna Table 118 F...

Page 266: ...gging and Tracing Use packet tracing and logs for troubleshooting You can send logs from the ZyXEL Device to an external syslog server PPPoE PPPoE mimics a dial up Internet access connection PPTP Enca...

Page 267: ...fully compatible with both IEEE 802 11b and IEEE 802 11g standards and can support both kinds of clients on the same network WEP Encryption WEP Wired Equivalent Privacy allows the encryption of data b...

Page 268: ...o and Super G modes IEEE 802 11d Standard for Local and Metropolitan Area Networks Media Access Control MAC Bridges IEEE 802 11x Port Based Network Access Control IEEE 802 11e QoS IEEE 802 11 e Wirele...

Page 269: ...ipes or cables located inside the wall when drilling holes for the screws 4 Do not insert the screws all the way into the wall Leave a small gap of about 0 5 cm between the heads of the screws and the...

Page 270: ...Appendix A Product Specifications and Wall Mounting P 660HW Dx v2 User s Guide 270 Figure 155 Masonry Plug and M4 Tap Screw...

Page 271: ...pendent Basic Service Set IBSS The following diagram shows an example of notebook computers using wireless adapters to form an ad hoc wireless LAN Figure 156 Peer to Peer Communication in an Ad hoc Ne...

Page 272: ...ired connection between APs is called a Distribution System DS This type of wireless LAN topology is called an Infrastructure WLAN The Access Points not only provide communication with the wired netwo...

Page 273: ...tially overlap however To avoid interference due to overlap your AP should be on a channel at least five channels away from a channel that an adjacent AP is using For example if your region has 11 cha...

Page 274: ...requested transmission Stations can send frames smaller than the specified RTS CTS directly to the AP without the RTS Request To Send CTS Clear to Send handshake You should only configure RTS CTS if t...

Page 275: ...ort it and to provide more efficient communications Use the dynamic setting to automatically use short preamble when all wireless devices on the network support it otherwise the ZyXEL Device uses long...

Page 276: ...dvantages of IEEE 802 1x are User based identification that allows for roaming Support for RADIUS Remote Authentication Dial In User Service RFC 2138 2139 for centralized user profile and accounting m...

Page 277: ...int and the RADIUS server for user accounting Accounting Request Sent by the access point requesting accounting Accounting Response Sent by the RADIUS server to indicate that it has started or stopped...

Page 278: ...wireless clients for mutual authentication The server presents a certificate to the client After validating the identity of the server the client sends a different certificate to the server The excha...

Page 279: ...t defines stronger encryption authentication and key management than WPA Key differences between WPA or WPA2 and WEP are improved data encryption and user authentication If both an AP and the wireless...

Page 280: ...with and the packet is dropped By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism MIC with TKIP and AES it is more difficult to decrypt da...

Page 281: ...client s authentication request to the RADIUS server 2 The RADIUS server then checks the user s identification against its database and grants or denies network access accordingly 3 A 256 bit Pairwise...

Page 282: ...to this table to see what other security parameters you should configure for each authentication method or key management protocol type MAC address filters are not dependent on how you configure thes...

Page 283: ...door site each 1dB increase in gain results in a range increase of approximately 5 Actual results may vary depending on the network environment Antenna gain is sometimes specified in dBi which is how...

Page 284: ...nd in a direct line of sight to each other to attain the best performance For omni directional antennas mounted on a table desk and so on point the antenna up For omni directional antennas mounted on...

Page 285: ...a third party TCP IP application package TCP IP should already be installed on computers using Windows NT 2000 XP Macintosh OS 7 and later operating systems After the appropriate TCP IP components are...

Page 286: ...hen click Add 3 Select the manufacturer and model of your network adapter and then click OK If you need TCP IP 1 In the Network window click Add 2 Select Protocol and then click Add 3 Select Microsoft...

Page 287: ...select Obtain an IP address automatically If you have a static IP address select Specify an IP address and type your information into the IP Address and Subnet Mask fields Figure 163 Windows 95 98 Me...

Page 288: ...e the TCP IP Properties window 6 Click OK to close the Network window Insert the Windows CD if prompted 7 Turn on your ZyXEL Device and restart your computer when prompted Verifying Settings 1 Click S...

Page 289: ...v2 User s Guide 289 Figure 165 Windows XP Start Menu 2 In the Control Panel double click Network Connections Network and Dial up Connections in Windows 2000 NT Figure 166 Windows XP Control Panel 3 R...

Page 290: ...ab in Win XP and then click Properties Figure 168 Windows XP Local Area Connection Properties 5 The Internet Protocol TCP IP Properties window opens the General tab in Windows XP If you have a dynamic...

Page 291: ...Add In TCP IP Address type an IP address in IP address and a subnet mask in Subnet mask and then click Add Repeat the above two steps for each IP address you want to add Configure additional default g...

Page 292: ...the General tab in Windows XP Click Obtain DNS server address automatically if you do not know your DNS server IP address es If you know your DNS server IP address es click Use the following DNS serve...

Page 293: ...k Connections window Network and Dial up Connections in Windows 2000 NT 11 Turn on your ZyXEL Device and restart your computer if prompted Verifying Settings 1 Click Start All Programs Accessories and...

Page 294: ...Macintosh OS 8 9 Apple Menu 2 Select Ethernet built in from the Connect via list Figure 173 Macintosh OS 8 9 TCP IP 3 For dynamically assigned settings select Using DHCP Server from the Configure list...

Page 295: ...onfiguration 7 Turn on your ZyXEL Device and restart your computer if prompted Verifying Settings Check your TCP IP properties in the TCP IP Control Panel window Macintosh OS X 1 Click the Apple menu...

Page 296: ...k in the Subnet mask box Type the IP address of your ZyXEL Device in the Router address box 5 Click Apply Now and close the window 6 Turn on your ZyXEL Device and restart your computer if prompted Ver...

Page 297: ...low to configure your computer IP address using the KDE 1 Click the Red Hat button located on the bottom left corner select System Setting and click Network Figure 176 Red Hat 9 0 KDE Network Configur...

Page 298: ...0 KDE Network Configuration DNS 5 Click the Devices tab 6 Click the Activate button to apply the changes The following screen displays Click Yes to save the changes in all screens Figure 179 Red Hat...

Page 299: ...the etc directory The following figure shows an example where two DNS server IP addresses are specified Figure 182 Red Hat 9 0 DNS Settings in resolv conf 3 After you edit and save the configuration...

Page 300: ...root localhost ifconfig eth0 Link encap Ethernet HWaddr 00 50 BA 72 5B 44 inet addr 172 23 19 129 Bcast 172 23 19 255 Mask 255 255 255 0 UP BROADCAST RUNNING MULTICAST MTU 1500 Metric 1 RX packets 71...

Page 301: ...share a common street name the hosts on a network share a common network number Similarly as each house has its own house number each host on the network has its own unique identifying number the host...

Page 302: ...is part of the host ID The following example shows a subnet mask identifying the network number in bold text and host ID of an IP address 192 168 1 2 in decimal By convention subnet masks always consi...

Page 303: ...d by a continuous number of zeros for the remainder of the 32 bit mask you can simply specify the number of ones instead of writing the value of each octet This is usually specified by writing a follo...

Page 304: ...hows the company network before subnetting Figure 186 Subnetting Example Before Subnetting You can borrow one of the host ID bits to divide the network 192 168 1 0 into two separate sub networks The s...

Page 305: ...68 1 254 Example Four Subnets The previous example illustrated using a 25 bit subnet mask to divide a 24 bit address into two subnets Similarly to divide a 24 bit address into four subnets you need to...

Page 306: ...ubnet 3 IP SUBNET MASK NETWORK NUMBER LAST OCTET BIT VALUE IP Address 192 168 1 128 IP Address Binary 11000000 10101000 00000001 10000000 Subnet Mask Binary 11111111 11111111 11111111 11000000 Subnet...

Page 307: ...ST BITS SUBNET MASK NO SUBNETS NO HOSTS PER SUBNET 1 255 255 255 128 25 2 126 2 255 255 255 192 26 4 62 3 255 255 255 224 27 8 30 4 255 255 255 240 28 16 14 5 255 255 255 248 29 32 6 6 255 255 255 252...

Page 308: ...entered You don t need to change the subnet mask computed by the ZyXEL Device unless you are instructed to do otherwise Private IP Addresses Every machine on the Internet must have a unique address I...

Page 309: ...o computer B which is a DHCP client Neither can access the Internet This problem can be solved by assigning a different static IP address to computer A or setting computer A to obtain an IP address au...

Page 310: ...can not use the same IP address In the following example the computer and the router s LAN port both use 192 168 1 1 as the IP address The computer cannot access the Internet This problem can be solv...

Page 311: ...e of all the firewall settings including e mail attack and the sets rules config display firewall set set This command shows the current configuration of a set including timeout values name default pe...

Page 312: ...e mail hour 0 23 This command sets the hour when the firewall log is sent through e mail if the ZyXEL Device is set to send it on an hourly daily or weekly basis config edit firewall e mail minute 0 5...

Page 313: ...th the same destination where the ZyXEL Device starts dropping half open sessions to that destination Sets config edit firewall set set name desired name This command sets a name to identify a specifi...

Page 314: ...CMP Config edit firewall set set rule rule log none match not match both This command sets the ZyXEL Device to log traffic that matches the rule doesn t match both or neither Config edit firewall set...

Page 315: ...mand to enter various non consecutive port numbers config edit firewall set set rule rule TCP destport range start port end port This command sets a rule to have the ZyXEL Device check for TCP traffic...

Page 316: ...Commands P 660HW Dx v2 User s Guide 316 config delete firewall set set rule rule This command removes the specified rule in a firewall configuration set Table 136 Firewall Commands continued FUNCTION...

Page 317: ...You can use FTP to get the Internal SPTGEN file Then edit the file in a text editor and use FTP to upload it again to the same device or another one See the following sections for details The Configu...

Page 318: ...you enter a value other than 0 or 1 in the Input column of Field Identification Number 1000000 refer to Figure 191 on page 317 Figure 192 Invalid Parameter Entered Command Line Example The ZyXEL Devi...

Page 319: ...r computer to the ZyXEL Device using the put command computer to the ZyXEL Device 4 Exit this FTP application Figure 195 Internal SPTGEN FTP Upload Example c ftp 192 168 1 1 220 PPP FTP version 1 0 re...

Page 320: ...4 Route IP 0 No 1 Yes 1 10000006 Bridge 0 No 1 Yes 0 Table 139 Menu 3 Menu 3 1 General Ethernet Setup FIN FN PVA INPUT 30100001 Input Protocol filters Set 1 2 30100002 Input Protocol filters Set 2 256...

Page 321: ...0 None 1 Both 2 In Only 3 Out Only 0 30200011 Version 0 Rip 1 1 Rip 2B 2 Rip 2M 0 30200012 Multicast 0 IGMP v2 1 IGMP v1 2 None 2 30200013 IP Policies Set 1 1 12 256 30200014 IP Policies Set 2 1 12 25...

Page 322: ...01017 RIP Direction 0 None 1 Both 2 In Only 3 Out Only 0 30201018 Version 0 Rip 1 1 Rip 2B 2 Rip 2M 0 30201019 IP Alias 2 Incoming protocol filters Set 1 256 30201020 IP Alias 2 Incoming protocol filt...

Page 323: ...e IP address 0 0 0 0 40000015 Remote IP subnet mask 0 40000016 ISP incoming protocol filter set 1 6 40000017 ISP incoming protocol filter set 2 256 40000018 ISP incoming protocol filter set 3 256 4000...

Page 324: ...Route set 1 Gateway 0 0 0 0 120101006 IP Static Route set 1 Metric 0 120101007 IP Static Route set 1 Private 0 No 1 Yes 0 Menu 12 1 2 IP Static Route Setup FIN FN PVA INPUT 120108001 IP Static Route...

Page 325: ...0 All 6 TCP 17 U DP 0 150000019 SUA Server 5 Port Start 0 150000020 SUA Server 5 Port End 0 150000021 SUA Server 5 Local IP address 0 0 0 0 150000022 SUA Server 6 Active 0 No 1 Yes 0 0 150000023 SUA S...

Page 326: ...0 150000052 SUA Server 12 Active 0 No 1 Yes 0 150000053 SUA Server 12 Protocol 0 All 6 TCP 17 U DP 0 150000054 SUA Server 12 Port Start 0 150000055 SUA Server 12 Port End 0 150000056 SUA Server 12 Lo...

Page 327: ...Rule 2 Dest IP address 0 0 0 0 210102005 IP Filter Set 1 Rule 2 Dest Subnet Mask 0 210102006 IP Filter Set 1 Rule 2 Dest Port 138 210102007 IP Filter Set 1 Rule 2 Dest Port Comp 0 none 1 equal 2 not...

Page 328: ...e 1 Src Port 0 210201011 IP Filter Set 2 Rule 1 Src Port Comp 0 none 1 equal 2 not equal 3 less 4 g reater 0 210201013 IP Filter Set 2 Rule 1 Act Match 1 check next 2 forward 3 drop 3 210201014 IP Fil...

Page 329: ...1234 Menu 23 2 System security radius server FIN FN PVA INPUT 230200001 Authentication Server Configured 0 No 1 Yes 1 230200002 Authentication Server Active 0 No 1 Yes 1 230200003 Authentication Serve...

Page 330: ...a Privacy for Broadcast Multicast packets 0 TKIP 1 WEP 0 230400010 WPA Broadcast Multicast Key Update Timer 0 Table 145 Menu 23 System Menus continued Table 146 Menu 24 11 Remote Management Control Me...

Page 331: ...ted with the ZyXEL Device s command interpreter commands Table 147 Command Examples FIN FN PVA INPUT ci command for annex a wan adsl opencmd FIN FN PVA INPUT 990000001 ADSL OPMD 0 glite 1 t1 413 2 gdm...

Page 332: ...Appendix F Internal SPTGEN P 660HW Dx v2 User s Guide 332...

Page 333: ...ernet Explorer Pop up Blockers You may have to disable pop up blocking to log into your device Either disable pop up blocking enabled by default in Windows XP SP Service Pack 2 or allow pop up blockin...

Page 334: ...web pop up blockers you may have enabled Figure 197 Internet Options Privacy 3 Click Apply to save this setting Enable pop up Blockers with Exceptions Alternatively if you only want to allow pop up w...

Page 335: ...ide 335 Figure 198 Internet Options Privacy 3 Type the IP address of your device the web page that you do not want to have blocked with the prefix http For example http 192 168 167 1 4 Click Add to mo...

Page 336: ...play properly in Internet Explorer check that JavaScripts are allowed 1 In Internet Explorer click Tools Internet Options and then the Security tab Figure 200 Internet Options Security 2 Click the Cus...

Page 337: ...ttings Java Scripting Java Permissions 1 From Internet Explorer click Tools Internet Options and then the Security tab 2 Click the Custom Level button 3 Scroll down to Microsoft VM 4 Under Java permis...

Page 338: ...ermissions P 660HW Dx v2 User s Guide 338 JAVA Sun 1 From Internet Explorer click Tools Internet Options and then the Advanced tab 2 Make sure that Use Java 2 for applet under Java Sun is selected 3 C...

Page 339: ...configure NetBIOS filters to do the following Allow or disallow the sending of NetBIOS packets from the LAN to the WAN and from the WAN to the LAN Allow or disallow the sending of NetBIOS packets thr...

Page 340: ...initiating calls Disabled type Identify which NetBIOS filter numbered 0 3 to configure 0 Between LAN and WAN 3 IPSec packet pass through 4 Trigger Dial on off For type 0 and 1 use on to enable the fi...

Page 341: ...Ethernet devices Some companies have more than one route to one or more ISPs If the alternate gateway is on the LAN and it s IP address is in the same subnet the triangle route problem may occur The...

Page 342: ...al LAN interfaces with the ZyXEL Device being the gateway for each logical network By putting your LAN and Gateway B in different subnets all returning network traffic must pass through the ZyXEL Devi...

Page 343: ...ice Trademarks ZyNOS ZyXEL Network Operating System is a registered trademark of ZyXEL Communications Inc Other trademarks mentioned in this publication are used for identification purposes only and m...

Page 344: ...onjunction with any other antenna or transmitter IEEE 802 11b or 802 11g operation of this product in the U S A is firmware limited to channels 1 through 11 To comply with FCC RF exposure compliance r...

Page 345: ...conditions Note Repair or replacement as provided under this warranty is the exclusive remedy of the purchaser This warranty is in lieu of all other warranties express or implied including any implie...

Page 346: ...Appendix J Legal Information P 660HW Dx v2 User s Guide 346...

Page 347: ...78 2439 Web Site www zyxel com www europe zyxel com FTP Site ftp zyxel com ftp europe zyxel com Regular Mail ZyXEL Communications Corp 6 Innovation Road II Science Park Hsinchu 300 Taiwan Costa Rica S...

Page 348: ...ki Finland France E mail info zyxel fr Telephone 33 4 72 52 97 97 Fax 33 4 72 52 19 20 Web Site www zyxel fr Regular Mail ZyXEL France 1 rue des Vergers Bat 1 C 69760 Limonest France Germany Support E...

Page 349: ...01 U S A Norway Support E mail support zyxel no Sales E mail sales zyxel no Telephone 47 22 80 61 80 Fax 47 22 80 61 81 Web Site www zyxel no Regular Mail ZyXEL Communications A S Nils Hansens vei 13...

Page 350: ...il support ua zyxel com Sales E mail sales ua zyxel com Telephone 380 44 247 69 78 Fax 380 44 494 49 32 Web Site www ua zyxel com Regular Mail ZyXEL Ukraine 13 Pimonenko Str Kiev 04050 Ukraine United...

Page 351: ...opback test 258 attack alert 174 attack types 148 attacks 233 auxiliary gateway 267 B backup 253 backup gateway 267 backup settings 253 backup type 90 bandwidth 67 budget 193 bandwidth management 67 1...

Page 352: ...NS DoS 144 145 173 basics 145 types 146 downstream 33 34 DS Field 194 DS field 194 DSCPs 194 DSL reinitialize 258 DSLAM 33 dynamic DNS 199 dynamic WEP key exchange 279 DYNDNS wildcard 199 E EAP Authen...

Page 353: ...IBSS 271 initialization vector IV 280 Integrated Services Digital Network see ISDN internal SPTGEN 317 FTP upload example 319 points to remember 318 text file 317 Internet access 34 53 wizard setup 53...

Page 354: ...r 42 NetBIOS 339 commands 148 Network Address Translation see NAT Network Basic Input Output System see NetBIOS network disconnect icon 252 254 network management 134 NNTP 134 O one minute high 173 on...

Page 355: ...ifications 156 Server 132 server 131 132 230 service 157 service set 109 Service Set IDentity See SSID service type 165 services 134 settings backup 253 defaults 253 restore 254 setup general 227 Sing...

Page 356: ...name 200 V Variable Bit Rate see VBR VBR 83 88 VC 76 VC based multiplexing 76 VCI 77 Virtual Channel Identifier see VCI virtual circuit see VC Virtual Path Identifier see VPI Voice over IP see VoIP Vo...

Page 357: ...279 user authentication 280 vs WPA2 PSK 280 wireless client supplicant 281 with RADIUS application example 281 WPA2 Pre Shared Key 279 WPA2 PSK 279 280 application example 281 WPA PSK 279 280 applica...

Page 358: ...Index P 660HW Dx v2 User s Guide 358...

Reviews:

No comments

Brands by name

Popular brands

Load more brands