Home
/
ZyXEL Communications
/
P-660HW-T - V2
/
User Manual

ZyXEL Communications P-660HW-T - V2, User Manual

Share

Page: 144 / 351

ZyXEL Communications P-660HW-T - V2 User Manual Download Page 144

P-660HW-T v2 User’s Guide

144

Chapter 9 Firewalls

The previous figure shows the ZyXEL Device’s default firewall rules in action as well as
demonstrates how stateful inspection works. User A can initiate a Telnet session from within
the LAN and responses to this request are allowed. However other Telnet traffic initiated from
the WAN is blocked.

9.5.1 Stateful Inspection Process

In this example, the following sequence of events occurs when a TCP packet leaves the LAN
network through the firewall's WAN interface. The TCP packet is the first in a session, and the
packet's application layer protocol is configured for a firewall rule inspection:

1

The packet travels from the firewall's LAN to the WAN.

2

The packet is evaluated against the interface's existing outbound access list, and the
packet is permitted (a denied packet would simply be dropped at this point).

3

The packet is inspected by a firewall rule to determine and record information about the
state of the packet's connection. This information is recorded in a new state table entry
created for the new connection. If there is not a firewall rule for this packet and it is not an
attack, then the settings in the

Firewall General

screen determine the action for this

packet.

4

Based on the obtained state information, a firewall rule creates a temporary access list
entry that is inserted at the beginning of the WAN interface's inbound extended access
list. This temporary access list entry is designed to permit inbound packets of the same
connection as the outbound packet just inspected.

5

The outbound packet is forwarded out through the interface.

6

Later, an inbound packet reaches the interface. This packet is part of the connection
previously established with the outbound packet. The inbound packet is evaluated against
the inbound access list, and is permitted because of the temporary access list entry
previously created.

7

The packet is inspected by a firewall rule, and the connection's state table entry is updated
as necessary. Based on the updated state information, the inbound extended access list
temporary entries might be modified, in order to permit only packets that are valid for the
current state of the connection.

8

Any additional inbound or outbound packets that belong to the connection are inspected
to update the state table entry and to modify the temporary inbound access list entries as
required, and are forwarded through the interface.

9

When the connection terminates or times out, the connection's state table entry is deleted
and the connection's temporary inbound access list entries are deleted.

9.5.2 Stateful Inspection and the ZyXEL Device

Additional rules may be defined to extend or override the default rules. For example, a rule
may be created which will:

• Block all traffic of a certain type, such as IRC (Internet Relay Chat), from the LAN to the

Internet.

«
...
142
143
144
145
146
...
»

Summary of Contents for P-660HW-T - V2

Page 1: ...P 660HW T v2 802 11g Wireless ADSL 2 4 port Gateway User s Guide Version 3 40 Edition 1 12 2006...

Page 2: ......

Page 3: ...XEL Communications Corporation All rights reserved Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products or software described herein Neither does it con...

Page 4: ...nce to radio television reception which can be determined by turning the device off and on the user is encouraged to try to correct the interference by one or more of the following measures 1 Reorient...

Page 5: ...2 4 GHz network throughout the EC region and Switzerland with restrictions in France This Class B digital apparatus complies with Canadian ICES 003 Cet appareil num rique de la classe B est conforme...

Page 6: ...ing or disassembling Use ONLY an appropriate power adaptor or cord for your device Connect the power adaptor or cord to the right supply voltage for example 110V AC in North America or 230V AC in Euro...

Page 7: ...P 660HW T v2 User s Guide Safety Warnings 7 This product is recyclable Dispose of it properly...

Page 8: ...ment as provided under this warranty is the exclusive remedy of the purchaser This warranty is in lieu of all other warranties express or implied including any implied warranty of merchantability or f...

Page 9: ...Modrany Cesk Republika info cz zyxel com 420 241 091 359 DENMARK support zyxel dk 45 39 55 07 00 www zyxel dk ZyXEL Communications A S Columbusvej 2860 Soeborg Denmark sales zyxel dk 45 39 55 07 07 FI...

Page 10: ...rt zyxel es 34 902 195 420 www zyxel es ZyXEL Communications Arte 21 5 planta 28033 Madrid Spain sales zyxel es 34 913 005 345 SWEDEN support zyxel se 46 31 744 7700 www zyxel se ZyXEL Communications...

Page 11: ...ess Features 36 1 3 Applications for the ZyXEL Device 37 1 3 1 Protected Internet Access 37 1 3 2 LAN to LAN Application 38 1 4 Front Panel LEDs 38 1 5 Hardware Connection 39 Chapter 2 Introducing the...

Page 12: ...d Setup 70 Chapter 5 WAN Setup 75 5 1 WAN Overview 75 5 1 1 Encapsulation 75 5 1 1 1 ENET ENCAP 75 5 1 1 2 PPP over Ethernet 75 5 1 1 3 PPPoA 76 5 1 1 4 RFC 1483 76 5 1 2 Multiplexing 76 5 1 2 1 VC ba...

Page 13: ...3 6 1 Wireless Network Overview 93 6 2 Wireless Security Overview 94 6 2 1 SSID 94 6 2 2 MAC Address Filter 94 6 2 3 User Authentication 95 6 2 4 Encryption 95 6 2 5 One Touch Intelligent Security Tec...

Page 14: ...NAT Does 126 8 1 3 How NAT Works 126 8 1 4 NAT Application 127 8 1 5 NAT Mapping Types 127 8 2 SUA Single User Account Versus NAT 128 8 3 NAT General Setup 128 8 4 Port Forwarding 129 8 4 1 Default S...

Page 15: ...ring 147 9 7 1 1 When To Use Filtering 148 9 7 2 Firewall 148 9 7 2 1 When To Use The Firewall 148 Chapter 10 Firewall Configuration 149 10 1 Access Methods 149 10 2 Firewall Policies Overview 149 10...

Page 16: ...ndwidth Management Overview 179 13 2 Application based Bandwidth Management 179 13 3 Subnet based Bandwidth Management 179 13 4 Application and Subnet based Bandwidth Management 180 13 5 Scheduler 180...

Page 17: ...aps 201 15 6 3 Configuring SNMP 201 15 7 Configuring DNS 202 15 8 Configuring ICMP 203 15 9 TR 069 204 Chapter 16 Universal Plug and Play UPnP 207 16 1 Introducing Universal Plug and Play 207 16 1 1 H...

Page 18: ...n 247 19 2 1 Backup Configuration 247 19 2 2 Restore Configuration 248 19 2 3 Back to Factory Defaults 249 19 3 Restart 249 Chapter 20 Diagnostic 251 20 1 General Diagnostic 251 20 2 DSL Line Diagnost...

Page 19: ...Me 281 Windows 2000 NT XP 284 Macintosh OS 8 9 289 Macintosh OS X 291 Linux 292 Appendix F IP Subnetting 297 Introduction to IP Addresses 297 Subnet Masks 298 Subnetting 299 Example Two Subnets 300 E...

Page 20: ...323 Fragmentation Threshold 324 Preamble Type 325 IEEE 802 11g Wireless LAN 325 Wireless Security Overview 326 RADIUS 326 Types of Authentication 327 Dynamic WEP Key Exchange 329 WPA and WPA2 329 Secu...

Page 21: ...igure 19 Internet Access Wizard Setup ISP Parameters 58 Figure 20 Internet Connection with PPPoE 59 Figure 21 Internet Connection with RFC 1483 59 Figure 22 Internet Connection with ENET ENCAP 60 Figu...

Page 22: ...re 56 Security Key 107 Figure 57 OTIST in Progress AP 107 Figure 58 OTIST in Progress Client 107 Figure 59 No AP with OTIST Found 108 Figure 60 Start OTIST 108 Figure 61 MAC Address Filter 109 Figure...

Page 23: ...dth Management Example 180 Figure 102 Bandwidth Management Summary 184 Figure 103 Bandwidth Management Rule Setup 186 Figure 104 Bandwidth Management Rule Configuration 187 Figure 105 Bandwidth Manage...

Page 24: ...Figure 147 Configuration Text File Format Column Descriptions 263 Figure 148 Invalid Parameter Entered Command Line Example 264 Figure 149 Valid Parameter Entered Command Line Example 264 Figure 150 I...

Page 25: ...Example 306 Figure 178 Connecting a POTS Splitter 317 Figure 179 Connecting a Microfilter 318 Figure 180 Connecting a Microfilter and Y Connector 318 Figure 181 ZyXEL Device with ISDN 319 Figure 182...

Page 26: ...P 660HW T v2 User s Guide 26 List of Figures...

Page 27: ...ually assign a WEP key 67 Table 17 Media Bandwidth Management Setup Services 69 Table 18 Bandwidth Management Wizard General Information 71 Table 19 Bandwidth Management Wizard Configuration 72 Table...

Page 28: ...168 Table 60 Content Filter Keyword 172 Table 61 Content Filter Schedule 173 Table 62 Content Filter Trusted 173 Table 63 Static Route 176 Table 64 Static Route Edit 177 Table 65 Application and Subn...

Page 29: ...3 Certificate Path Verification Failure Reason Codes 239 Table 104 802 1X Logs 240 Table 105 ACL Setting Notes 241 Table 106 ICMP Notes 242 Table 107 Syslog Logs 243 Table 108 RFC 2408 ISAKMP Payload...

Page 30: ...lternative Subnet Mask Notation 299 Table 134 Two Subnets Example 300 Table 135 Subnet 1 300 Table 136 Subnet 2 300 Table 137 Subnet 1 301 Table 138 Subnet 2 301 Table 139 Subnet 3 302 Table 140 Subne...

Page 31: ...EL Device Not all features can be configured through all interfaces Syntax Conventions Enter means for you to type one or more characters Select or Choose means for you to use one predefined choice Mo...

Page 32: ...estions for improvement to techwriters zyxel com tw or send regular mail to The Technical Writing Team ZyXEL Communications Corp 6 Innovation Road II Science Based Industrial Park Hsinchu 300 Taiwan T...

Page 33: ...ing in 1 for example P 660HW T1 denote a device that works over the analog telephone system POTS Plain Old Telephone Service Model names ending in 3 denote a device that works over ISDN Integrated Ser...

Page 34: ...count user name and password is required or the ZyXEL Device cannot connect to the ISP you will be redirected to web screen s for information input or troubleshooting Any IP The Any IP feature allows...

Page 35: ...ion terminates after a period of no traffic that you configure and PPPoE Dial on Demand the PPPoE connection is brought up only when an Internet access request is made Network Address Translation NAT...

Page 36: ...ter makes your ZyXEL Device a cost effective and viable network solution You can connect up to four computers to the ZyXEL Device without the cost of a hub Use a hub to add more than four computers to...

Page 37: ...high density of APs within a coverage area In this case you can lower the output power of each access point thus enabling you to place access points closer together Wireless LAN MAC Address Filtering...

Page 38: ...s 1 3 2 LAN to LAN Application You can use the ZyXEL Device to connect two geographically dispersed networks over the ADSL line A typical LAN to LAN application example is shown as follows Figure 2 LA...

Page 39: ...r has malfunctioned ETHERNET 1 2 3 4 Green On The ZyXEL Device has a successful Ethernet connection Blinking The ZyXEL Device is sending receiving data Off The ZyXEL Device is not connected to the LAN...

Page 40: ...P 660HW T v2 User s Guide 40 Chapter 1 Getting To Know Your ZyXEL Device...

Page 41: ...ult in Windows XP SP Service Pack 2 JavaScripts enabled by default Java permissions enabled by default See the chapter on troubleshooting if you need to make sure these functions are allowed in Intern...

Page 42: ...admin password it is highly recommended you change the default admin password Enter a new password between 1 and 30 characters retype it to confirm and click Apply Alternatively click Ignore to proce...

Page 43: ...ZyXEL Device to reload the factory default configuration file This means that you will lose all configurations that you had previously and the password will be reset to 1234 2 3 1 Using the Reset Butt...

Page 44: ...application or packet type Logout Click this icon to exit the web configurator Status This screen shows the ZyXEL Device s general device system and interface status information Use this screen to ac...

Page 45: ...onfigure network address translation mapping rules Security Firewall General Use this screen to activate deactivate the firewall and the direction of network traffic to which to apply the rule Rules T...

Page 46: ...face s and from which IP address es users can send DNS queries to the ZyXEL Device ICMP Use this screen to change your anti probing settings UPnP Use this screen to enable UPnP on the ZyXEL Device Mai...

Page 47: ...ral screen It is for identification purposes Model Number This is your ZyXEL Device s model name MAC Address This is the MAC Media Access Control or Ethernet address unique to your ZyXEL Device ZyNOS...

Page 48: ...n kilobytes The bar displays what percent of the ZyXEL Device s heap memory is in use The bar turns from green to red when the maximum is being approached Interface Status Interface This displays the...

Page 49: ...ently associated to the ZyXEL Device Bandwidth Status Use this screen to view the ZyXEL Device s bandwidth usage and allotments Packet Statistics Use this screen to view port status and packet specifi...

Page 50: ...h rules The gray section of the bar represents the percentage of unused bandwidth and the blue color represents the percentage of bandwidth in use Figure 11 Status Bandwidth Status Table 6 Status WLAN...

Page 51: ...EL DESCRIPTION System Monitor System up Time This is the elapsed time the system has been up Current Date Time This field displays your ZyXEL Device s present date and time CPU Usage This field specif...

Page 52: ...AN port it displays the transmission rate when WLAN is enabled or N A when WLAN is disabled TxPkts This field displays the number of packets transmitted on this port RxPkts This field displays the num...

Page 53: ...P 660HW T v2 User s Guide Chapter 2 Introducing the Web Configurator 53 Figure 13 System General...

Page 54: ...P 660HW T v2 User s Guide 54 Chapter 2 Introducing the Web Configurator...

Page 55: ...ss with the information given to you by your ISP Note See the advanced menu chapters for background information on these fields 3 2 Internet Access Wizard Setup 1 After you enter the admin password to...

Page 56: ...pe you use If the wizard does not detect a connection type and the following screen appears see Figure 16 on page 56 check your hardware connections and click Restart the Internet Wireless Setup Wizar...

Page 57: ...count information Enter the username password and or service name exactly as provided 2 Click Next and see Section 3 3 on page 62 for wireless connection wizard setup Figure 18 Auto Detection PPPoE 3...

Page 58: ...Mode field select either PPPoA or RFC 1483 If you select Routing in the Mode field select PPPoA RFC 1483 ENET ENCAP or PPPoE Multiplexing Select the multiplexing method used by your ISP from the Multi...

Page 59: ...screen Figure 21 Internet Connection with RFC 1483 Table 9 Internet Connection with PPPoE LABEL DESCRIPTION User Name Enter the user name exactly as your ISP assigned If assigned a name in the form u...

Page 60: ...N Obtain an IP Address Automatically A static IP address is a fixed IP that your ISP gives you A dynamic IP address is not fixed the ISP assigns you a different one each time you connect to the Intern...

Page 61: ...Click Back to go back to the previous wizard screen Apply Click Apply to save your changes to the ZyXEL Device Exit Click Exit to close the wizard screen without saving your changes Table 12 Internet...

Page 62: ...ted or click Restart the Internet Wireless Setup Wizard to verify your Internet access settings Figure 25 Connection Test Failed 2 3 3 Wireless Connection Wizard Setup After you configure the Internet...

Page 63: ...User s Guide Chapter 3 Wizard Setup for Internet Access 63 Figure 26 Connection Test Successful 2 Use this screen to activate the wireless LAN and OTIST Click Next to continue Figure 27 Wireless LAN S...

Page 64: ...EL Device s SSID and WPA PSK security settings to wireless clients that support OTIST and are within transmission range You must also activate and start OTIST on the wireless client at the same time T...

Page 65: ...not already in use by a neighboring device Security Select Automatically assign a WPA key Recommended to have the ZyXEL Device create a pre shared key WPA PSK automatically only if your wireless clie...

Page 66: ...ers Figure 30 Manually assign a WEP key Table 15 Manually assign a WPA key LABEL DESCRIPTION Pre Shared Key Type from 8 to 63 case sensitive ASCII characters You can set up the most secure wireless co...

Page 67: ...omplete and save the wizard setup Table 16 Manually assign a WEP key LABEL DESCRIPTION Key The WEP keys are used to encrypt data Both the ZyXEL Device and the wireless stations must use the same WEP k...

Page 68: ...r web browser and navigate to www zyxel com Internet access is just the beginning Refer to the rest of this guide for more detailed information on the complete range of ZyXEL Device features If you ca...

Page 69: ...80 FTP File Transfer Protocol enables fast transfer of files including large files that may not be possible by e mail FTP uses port number 21 NetMeeting H 323 A multimedia communications product from...

Page 70: ...is transported primarily over UDP but can also be transported over TCP using the default port number 5060 Telnet Telnet is the login and terminal emulation protocol common on the Internet and in UNIX...

Page 71: ...ces that you want to apply bandwidth management and select the priorities that you want to apply to the services listed Table 18 Bandwidth Management Wizard General Information LABEL DESCRIPTION Activ...

Page 72: ...s as having the same priority then bandwidth is divided equally amongst those services Services not specified in bandwidth management are allocated bandwidth after all specified services receive their...

Page 73: ...User s Guide Chapter 4 Bandwidth Management Wizard 73 5 Follow the on screen instructions and click Finish to complete the wizard setup and save your configuration Figure 37 Bandwidth Management Wiza...

Page 74: ...P 660HW T v2 User s Guide 74 Chapter 4 Bandwidth Management Wizard...

Page 75: ...s in the ENET ENCAP Gateway field in the second wizard screen You can get this information from your ISP 5 1 1 2 PPP over Ethernet PPPoE Point to Point Protocol over Ethernet provides access control a...

Page 76: ...tiplexing Please refer to the RFC for more detailed information 5 1 2 Multiplexing There are two conventions to identify what protocols the virtual circuit VC is carrying Be sure to use the multiplexi...

Page 77: ...mber or more of VCs than the number of protocols then select RFC 1483 encapsulation and VC based multiplexing 5 1 4 VPI and VCI Be sure to use the correct Virtual Path Identifier VPI and Virtual Chann...

Page 78: ...ation of the IP address of a host in a packet for example the source address of an outgoing packet used within one network to a different IP address known within another network 5 2 Metric The metric...

Page 79: ...can send cells This parameter may be lower but not higher than the maximum line speed 1 ATM cell is 53 bytes 424 bits so a maximum speed of 832Kbps gives a maximum PCR of 1962 cells sec This rate is n...

Page 80: ...conferencing Video conferencing requires real time data transfers and the bandwidth requirement varies in proportion to the video image s changing dynamics The VBR nRT non real time Variable Bit Rate...

Page 81: ...encapsulation See Section 5 1 on page 75 for more information Figure 39 Internet Connection PPPoE The following table describes the labels in this screen Table 20 Internet Connection LABEL DESCRIPTION...

Page 82: ...field A static IP address is a fixed IP that your ISP gives you A dynamic IP address is not fixed the ISP assigns you a different one each time you connect to the Internet If you use the encapsulation...

Page 83: ...Click this button to display the Advanced Internet Connection Setup screen and edit more details of your WAN setup Table 20 Internet Connection continued LABEL DESCRIPTION Table 21 Advanced Internet...

Page 84: ...e Maximum Burst Size MBS refers to the maximum number of cells that can be sent at the peak rate Type the MBS which is less than 65535 Zero Configuration This feature is not applicable available when...

Page 85: ...connection Select the check box to enable it Name This is the descriptive name for this connection VPI VCI This is the VPI and VCI values used for this connection Encapsulation This is the method of e...

Page 86: ...me Enter a unique descriptive name of up to 13 ASCII characters for this connection Mode Select Routing from the drop down list box if your ISP allows multiple computers to share an Internet account I...

Page 87: ...the ISP assigns you a different one each time you connect to the Internet If you use the encapsulation type except RFC 1483 select Obtain an IP Address Automatically when you have a dynamic IP address...

Page 88: ...24 More Connections Advanced Setup LABEL DESCRIPTION RIP Multicast Setup RIP Direction Select the RIP direction from None Both In Only and Out Only RIP Version Select the RIP version from RIP 1 RIP 2...

Page 89: ...figure filters that allow packets from the protected LAN Subnet 1 to the backup gateway Subnet 2 Peak Cell Rate Divide the DSL line rate bps by 424 the size of an ATM cell to find the Peak Cell Rate P...

Page 90: ...90 Chapter 5 WAN Setup Figure 45 Traffic Redirect LAN Setup 5 8 Configuring WAN Backup To change your ZyXEL Device s WAN backup settings click Network WAN WAN Backup Setup The screen appears as shown...

Page 91: ...ZyXEL Device to wait between checks Allow more time if your destination IP address handles lots of traffic Timeout Type the number of seconds 3 recommended for your ZyXEL Device to wait for a ping re...

Page 92: ...P 660HW T v2 User s Guide 92 Chapter 5 WAN Setup...

Page 93: ...this wireless network devices A and B are called wireless clients The wireless clients use the access point AP to interact with other devices such as the printer or with the Internet Your ZyXEL Devic...

Page 94: ...has a unique identification number called a MAC address 1 A MAC address is usually written using twelve hexadecimal characters2 for example 00A0C5000002 or 00 A0 C5 00 00 02 To get the MAC address for...

Page 95: ...s sent in the wireless network even if they cannot use the wireless network Furthermore there are ways for unauthorized wireless users to get a valid user name and password Then they can use that user...

Page 96: ...WPA and some support WPA2 you should set up WPA2 PSK or WPA2 depending on the type of wireless network login and select the WPA compatible option in the ZyXEL Device Many types of encryption use a key...

Page 97: ...wireless LAN Note If you are configuring the ZyXEL Device from a computer connected to the wireless LAN and you change the ZyXEL Device s SSID or WEP settings you will lose your wireless connection wh...

Page 98: ...crypts unicast and multicast communications in a network Both the wireless clients and the access points must use the same WEP key Your ZyXEL Device allows you to configure up to four 64 bit 128 bit o...

Page 99: ...r a Passphrase up to 32 printable characters and clicking Generate The ZyXEL Device automatically generates a WEP key WEP Key The WEP keys are used to encrypt data Both the ZyXEL Device and the wirele...

Page 100: ...XEL Device is using WPA2 PSK or WPA2 Pre Shared Key The encryption mechanisms used for WPA WPA2 and WPA PSK WPA2 PSK are the same The only difference between the two is that WPA PSK WPA2 PSK uses a si...

Page 101: ...nnected to the wireless network for example using an authentication server If the wireless network is not keeping track of this information you can usually set this value higher to reduce the number o...

Page 102: ...2 ReAuthentication Timer In Seconds Specify how often wireless clients have to resend usernames and passwords in order to stay connected Enter a time interval between 10 and 9999 seconds The default t...

Page 103: ...up to 31 alphanumeric characters as the key to be shared between the external authentication server and the ZyXEL Device The key must be the same on the external authentication server and your ZyXEL D...

Page 104: ...ZyXEL Device to reduce interference with other APs The options are Maximum Middle and Minimum Preamble Select Long preamble if you are unsure what preamble mode the wireless adapters support and to p...

Page 105: ...ings Note The AP and wireless client s MUST use the same Setup key 6 5 1 1 AP You can enable OTIST using the RESET button or the web configurator 6 5 1 1 1 Reset button If you use the RESET button the...

Page 106: ...lso make the same change on the wireless client s Yes If you want OTIST to automatically generate a WPA PSK you must Change your security to any security other than WPA PSK in the Wireless LAN General...

Page 107: ...1 In the AP a web configurator screen pops up showing you the security settings to transfer You can use the key in this screen to set up WPA PSK encryption manually for non OTIST devices in the wirele...

Page 108: ...ust still click Start in the AP OTIST web configurator screen or hold in the RESET button for one to five seconds for the AP to transfer settings 4 If you change the SSID or the keys on the AP after u...

Page 109: ...ction for the list of MAC addresses in the MAC Address table Select Deny to block access to the ZyXEL Device MAC addresses not listed will be allowed to access the ZyXEL Device Select Allow to permit...

Page 110: ...er s Guide 110 Chapter 6 Wireless LAN Apply Click Apply to save your changes to the ZyXEL Device Cancel Click Cancel to reload the previous configuration for this screen Table 34 MAC Address Filter LA...

Page 111: ...mediate area usually the same building or floor of a building The LAN screens can help you configure a LAN DHCP server and manage IP addresses See Section 7 3 on page 117 to configure the LAN screens...

Page 112: ...t is for an ISP to tell a customer the DNS server addresses usually in the form of an information sheet when s he signs up If your ISP gives you the DNS server addresses enter them in the DNS Server f...

Page 113: ...r instructions in selecting the IP addresses and the subnet mask If the ISP did not explicitly give you an IP network number then most likely you have a single user account and the ISP will assign you...

Page 114: ...or more information on address assignment please refer to RFC 1597 Address Allocation for Private Internets and RFC 1466 Guidelines for Management of IP Address Space 7 2 2 RIP Setup RIP Routing Infor...

Page 115: ...cted networks to gather group membership After that the ZyXEL Device periodically updates this information IP multicasting can be enabled disabled on the ZyXEL Device LAN and or WAN interfaces in the...

Page 116: ...to access the Internet for the first time through the ZyXEL Device 1 When a computer which is in a different subnet first attempts to access the Internet it sends packets to its default gateway which...

Page 117: ...nced Setup button in the LAN IP screen The screen appears as shown Table 35 LAN IP LABEL DESCRIPTION TCP IP IP Address Enter the IP address of your ZyXEL Device in dotted decimal notation for example...

Page 118: ...mic IP addresses or static IP addresses in the same subnet as the ZyXEL Device s LAN IP address can connect to the ZyXEL Device or access the Internet through the ZyXEL Device Windows Networking NetBI...

Page 119: ...set to Relay the ZyXEL Device acts as a surrogate DHCP server and relays DHCP requests and responses between the remote server and the clients Enter the IP address of the actual remote DHCP server in...

Page 120: ...lient List The screen appears as shown Figure 67 LAN Client List Primary DNS Server Secondary DNS Server This field is not available when you set DHCP to Relay Enter the IP addresses of the DNS server...

Page 121: ...ess of a computer on your LAN Add Click Add to add a static DHCP entry This is the index number of the static IP table entry row Status This field displays whether the client is connected to the ZyXEL...

Page 122: ...ble 39 LAN IP Alias LABEL DESCRIPTION IP Alias 1 2 Select the check box to configure another LAN network for the ZyXEL Device IP Address Enter the IP address of your ZyXEL Device in dotted decimal not...

Page 123: ...IP packets that the ZyXEL Device sends it recognizes both formats when receiving RIP 1 is universally supported but RIP 2 carries more information RIP 1 is probably adequate for most networks unless y...

Page 124: ...P 660HW T v2 User s Guide 124 Chapter 7 LAN Setup...

Page 125: ...efers to the IP address of a host when the packet is in the local network while the global address refers to the IP address of the host when the same packet is traveling in the WAN side Note that insi...

Page 126: ...additional benefit of firewall protection With no servers defined your ZyXEL Device filters out all incoming inquiries thus preventing intruders from probing your network For more information on IP a...

Page 127: ...ddress to one global IP address Many to One In Many to One mode the ZyXEL Device maps multiple local IP addresses to one global IP address This is equivalent to SUA for instance PAT port address trans...

Page 128: ...ypes as outlined in Table 41 on page 128 Choose SUA Only if you have just one public WAN IP address for your ZyXEL Device Choose Full Feature if you have multiple public WAN IP addresses for your ZyXE...

Page 129: ...ons such as file sharing applications they need to establish NAT sessions If you do not limit the number of NAT sessions a single client can establish this can result in all of the available NAT sessi...

Page 130: ...ISP 8 4 1 Default Server IP Address In addition to the servers for specified services NAT supports a default server IP address A default server receives packets from ports that are not specified in t...

Page 131: ...s the WAN IP address The NAT network appears as a single host on the Internet Figure 73 Multiple Servers Behind NAT Example 8 5 Configuring Port Forwarding Note The Port Forwarding screen is available...

Page 132: ...ed here or in the remote management setup Port Forwarding Service Name Select a service from the drop down list box Server IP Address Enter the IP address of the server for the specified service Add C...

Page 133: ...6 and 7 become new rules 4 5 and 6 To change your ZyXEL Device s address mapping settings click Network NAT Address Mapping to open the following screen Table 45 Port Forwarding Rule Setup LABEL DESCR...

Page 134: ...nding Inside Global IP Address IGA This field is N A for One to one Many to One and Server mapping types Type 1 1 One to one mode maps one local IP address to one global IP address Note that port numb...

Page 135: ...oad mode maps multiple local IP addresses to shared global IP addresses Many to Many No Overload Many to Many No Overload mode maps each local IP address to unique global IP addresses Server This type...

Page 136: ...warding screen to edit a server mapping set that you have selected in the Server Mapping Set field Back Click Back to return to the previous screen Apply Click Apply to save your changes to the ZyXEL...

Page 137: ...ver be the only mechanism or method employed For a firewall to guard effectively you must design and deploy it appropriately This requires integrating the firewall into a broad information security po...

Page 138: ...alls restrict access by screening data packets against defined access rules They make access control decisions based on IP address and protocol They also inspect the session data to assure the integri...

Page 139: ...pre configured to automatically detect and thwart all known DoS attacks 9 4 1 Basics Computers share information over the Internet using a common language called TCP IP TCP IP in turn is a set of app...

Page 140: ...hang or reboot Teardrop attack exploits weaknesses in the re assembly of IP packet fragments As data is transmitted through a network IP packets are often broken up into smaller chunks Each fragment...

Page 141: ...ackers flood SYN packets into the network with a spoofed source IP address of the targeted system This makes it appear as if the host computer sent the packets to itself making the system unavailable...

Page 142: ...BIOS commands are the following all others are illegal All SMTP commands are illegal except for those displayed in the following tables Table 49 ICMP Commands That Trigger Alerts 5 REDIRECT 13 TIMESTA...

Page 143: ...d through the router or firewall The ZyXEL Device blocks all IP Spoofing attempts 9 5 Stateful Inspection With stateful inspection fields of the packets are compared to packets that are already known...

Page 144: ...entry that is inserted at the beginning of the WAN interface s inbound extended access list This temporary access list entry is designed to permit inbound packets of the same connection as the outbou...

Page 145: ...on packet originates on the WAN this means that someone is trying to make a connection from the Internet into the LAN Except in a few special cases see Upper Layer Protocols shown next these packets a...

Page 146: ...ted In order to achieve this the ZyXEL Device inspects the application level FTP data Specifically it searches for outgoing PORT commands and when it sees these it adds a cache entry for the anticipat...

Page 147: ...r company Be careful of files e mailed to you from strangers One common way of getting BackOrifice on a system is to include it as a Trojan horse with other files Change your passwords regularly Also...

Page 148: ...he outbound request for that packet and allowed in Conversely an incoming packet masquerading as a response to a nonexistent outbound request can be blocked The firewall uses session filtering i e sma...

Page 149: ...ackets to which they apply Note The LAN includes both the LAN port and the WLAN By default the ZyXEL Device s stateful packet inspection allows packets traveling in the following directions LAN to LAN...

Page 150: ...Note Study these points carefully before configuring rules 10 3 1 Rule Checklist State the intent of the rule For example This restricts all IRC access from the LAN to the Internet Or This allows a r...

Page 151: ...ct the service from the Service scrolling list box If the service is not listed it is necessary to first define it See Section 10 8 on page 163 for more information on predefined services 10 3 3 3 Sou...

Page 152: ...you will need to create custom rules to allow it 10 4 2 Alerts Alerts are reports on events such as attacks that you may want to know about right away You can choose to generate an alert when a rule i...

Page 153: ...is the direction of travel of packets LAN to LAN Router LAN to WAN WAN to WAN Router WAN to LAN Firewall rules are grouped based on the direction of travel of packets to which they apply For example...

Page 154: ...ng read only fields summarize the rules you have created that apply to traffic traveling in the selected packet direction The firewall rules that you configure summarized below take priority over the...

Page 155: ...o Log This field shows you whether a log is created when packets match this rule Yes or not No Modify Click the Edit icon to go to the screen where you can edit the rule Click the Remove icon to delet...

Page 156: ...P 660HW T v2 User s Guide 156 Chapter 10 Firewall Configuration Figure 85 Firewall Edit Rule...

Page 157: ...e Source or Destination Address box You can add multiple addresses ranges of addresses and or subnets Edit To edit an existing source or destination address select it from the box and click Edit Delet...

Page 158: ...stomized Services The following table describes the labels in this screen Apply Click Apply to save your customized settings and exit this screen Cancel Click Cancel to exit this screen without saving...

Page 159: ...Click Security Firewall Rules 2 Select WAN to LAN in the Packet Direction field Table 56 Firewall Configure Customized Services LABEL DESCRIPTION Service Name Type a unique name for your custom port S...

Page 160: ...e becomes rule 8 4 Click Add to display the firewall rule configuration screen 5 In the Edit Rule screen click the Edit Customized Services link to open the Customized Service screen 6 Click an index...

Page 161: ...ple Edit Rule Destination Address 9 Use the Add and Remove buttons between Available Services and Selected Services list boxes to configure it as follows Click Apply when you are done Note Custom serv...

Page 162: ...ewall Example Edit Rule Select Customized Services On completing the configuration procedure for this Internet firewall rule the Rules screen should look like the following Rule 1 allows a MyService c...

Page 163: ...ries are supported Custom service ports may also be configured using the Edit Customized Services function discussed previously Table 57 Predefined Services SERVICE DESCRIPTION AIM NEW_ICQ TCP 5190 AO...

Page 164: ...whether or not a remote host is reachable POP3 TCP 110 Post Office Protocol version 3 lets a client computer get e mail from a POP3 server through a temporary connection TCP IP or other PPTP TCP 1723...

Page 165: ...bing to display the screen as shown Figure 93 Firewall Anti Probing SSDP UDP 1900 Simole Service Discovery Protocol SSDP is a discovery service searching for Universal Plug and Play devices on your ho...

Page 166: ...Disable is selected Select LAN to reply to incoming LAN Ping requests Select WAN to reply to incoming WAN Ping requests Otherwise select LAN WAN to reply to both incoming LAN and WAN Ping requests Do...

Page 167: ...l the number of existing half open sessions drops below another threshold max incomplete low When the rate of new connection attempts rises above a threshold one minute high the ZyXEL Device starts de...

Page 168: ...ing half open sessions The ZyXEL Device continues to delete half open sessions as necessary until the rate of new connection attempts drops below this number 80 existing half open sessions One Minute...

Page 169: ...eting half open sessions with the number of existing half open sessions drops below 80 TCP Maximum Incomplete This is the number of existing half open TCP sessions with the same destination host IP ad...

Page 170: ...P 660HW T v2 User s Guide 170 Chapter 10 Firewall Configuration...

Page 171: ...the ZyXEL Device performs content filtering You can also specify trusted IP addresses on the LAN for which the ZyXEL Device will not perform content filtering 11 2 Configuring Keyword Blocking Use th...

Page 172: ...ist of all the keywords that you have configured the ZyXEL Device to block Delete Highlight a keyword in the box and click Delete to remove it Clear All Click Clear All to remove all of the keywords f...

Page 173: ...k box to have the content filtering active on the selected day Start TIme Enter the start time when you want the content filtering to take effect in hour minute format End Time Enter the end time when...

Page 174: ...P 660HW T v2 User s Guide 174 Chapter 11 Content Filtering...

Page 175: ...yond For instance the ZyXEL Device knows about network N2 in the following figure through remote node Router 1 However the ZyXEL Device is unable to route a packet to network N3 because it doesn t kno...

Page 176: ...heck box Name This is the name that describes or identifies this route Destination This parameter specifies the IP network address of the final destination Routing is always based on network number Ga...

Page 177: ...on Routing is always based on network number If you need to specify a route to a single host use a subnet mask of 255 255 255 255 in the subnet mask field to force the network number to be identical t...

Page 178: ...P 660HW T v2 User s Guide 178 Chapter 12 Static Route...

Page 179: ...he bandwidth of traffic that comes into an interface Bandwidth management applies to all traffic flowing out of the router regardless of the traffic s source Traffic redirect or IP alias may cause LAN...

Page 180: ...he ZyXEL Device has two types of scheduler fairness based and priority based 13 5 1 Priority based Scheduler With the priority based scheduler the ZyXEL Device forwards traffic from bandwidth classes...

Page 181: ...geted or unused by the classes depending on how many bandwidth classes require more bandwidth and on their priority levels When only one class requires more bandwidth the ZyXEL Device gives extra band...

Page 182: ...nbudgeted Bandwidth The following table shows the priorities of the bandwidth classes and the amount of bandwidth that each class gets Suppose that all of the classes except for the administration cla...

Page 183: ...6 3 Bandwidth Management Priorities The following table describes the priorities that you can apply to traffic that the ZyXEL Device forwards out through an interface Table 68 Fairness based Allotmen...

Page 184: ...eeting do not use all of their allocated bandwidth Suppose you try to browse the web too In this case VoIP NetMeeting and FTP all have higher priority so they get to use the bandwidth first You can on...

Page 185: ...ce s actual transmission speed For example set the WAN interface speed to 1000 kbps if your Internet connection has an upstream transmission speed of 1 Mbps You can set this number higher than the int...

Page 186: ...umber of an individual bandwidth management rule Active This displays whether the rule is enabled Select this check box to have the ZyXEL Device apply this bandwidth management rule Enable a bandwidth...

Page 187: ...Rule Configuration Active Select this check box to have the ZyXEL Device apply this bandwidth management rule Enable a bandwidth management rule to give traffic that matches the rule priority over tra...

Page 188: ...cket based network that does not provide a guaranteed quality of service Select H 323 from the drop down list box to configure this bandwidth filter for traffic that uses H 323 Select User defined fro...

Page 189: ...epresents the percentage of unused bandwidth and the blue color represents the percentage of bandwidth in use Figure 105 Bandwidth Management Monitor Table 74 Services and Port Numbers SERVICES PORT N...

Page 190: ...P 660HW T v2 User s Guide 190 Chapter 13 Bandwidth Management...

Page 191: ...f they don t know your IP address First of all you need to have registered a dynamic DNS account with www dyndns org This is for people with a dynamic IP from their ISP or DHCP server that would still...

Page 192: ...Type the domain name assigned to your ZyXEL Device by your Dynamic DNS provider You can specify up to two host names in the field separated by a comma User Name Type your user name Password Type the p...

Page 193: ...P address of the NAT router that has a public IP address Note The DDNS server may not be able to detect the proper IP address if there is an HTTP proxy server between the ZyXEL Device and the DDNS ser...

Page 194: ...P 660HW T v2 User s Guide 194 Chapter 14 Dynamic DNS Setup...

Page 195: ...ia Internet WAN only ALL LAN and WAN LAN only Neither Disable Note When you choose WAN only or LAN WAN you still need to configure a firewall rule to allow access To disable remote management of a ser...

Page 196: ...2 Remote Management and NAT When NAT is enabled Use the ZyXEL Device s WAN IP address when configuring from the WAN Use the ZyXEL Device s LAN IP address when configuring from the LAN 15 1 3 System Ti...

Page 197: ...ay change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Access Status Select the interface s through which...

Page 198: ...t LABEL DESCRIPTION Port You may change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Access Status Select...

Page 199: ...only available if TCP IP is configured Table 78 Remote Management FTP LABEL DESCRIPTION Port You may change the server port number for a service if needed however you must use the same port number in...

Page 200: ...nformation Base MIB is a collection of managed objects SNMP allows a manager and agents to communicate for the purpose of accessing these objects SNMP itself is a simple request response protocol base...

Page 201: ...E DESCRIPTION 0 coldStart defined in RFC 1215 A trap is sent after booting power on 1 warmStart defined in RFC 1215 A trap is sent after booting software reboot 6 whyReboot defined in ZYXEL MIB A trap...

Page 202: ...ce using this service Secured Client IP A secured client is a trusted computer that is allowed to communicate with the ZyXEL Device using this service Select All to allow any computer to access the Zy...

Page 203: ...ponse packet from being sent This keeps outsiders from discovering your ZyXEL Device when unsupported ports are probed Table 81 Remote Management DNS LABEL DESCRIPTION Port The DNS service port number...

Page 204: ...Select LAN to reply to incoming LAN Ping requests Select WAN to reply to incoming WAN Ping requests Otherwise select LAN WAN to reply to both incoming LAN and WAN Ping requests Do not respond to reque...

Page 205: ...tion wan tr069 All TR 069 related commands must be preceded by wan tr069 load Start configuring TR 069 on your ZyXEL Device active 0 no 1 yes Enable disable TR 069 operation acsUrl URL Set the IP addr...

Page 206: ...P 660HW T v2 User s Guide 206 Chapter 15 Remote Management Configuration...

Page 207: ...w do I know if I m using UPnP UPnP hardware is identified as an icon in the Network Connections folder Windows XP Each UPnP compatible device installed on your network will appear as a separate icon S...

Page 208: ...lticast messages only on the LAN All UPnP enabled devices may communicate freely with each other without additional configuration Disable UPnP if this is not your intention You must have IIS Internet...

Page 209: ...ut entering the ZyXEL Device s IP address although you must still enter the password to access the web configurator Allow users to make configuration changes through UPnP Select this check box to allo...

Page 210: ...p Communication 3 In the Communications window select the Universal Plug and Play check box in the Components selection box Figure 118 Add Remove Programs Windows Setup Communication Components 4 Clic...

Page 211: ...ons 3 In the Network Connections window click Advanced in the main menu and select Optional Networking Components Figure 119 Network Connections 4 The Windows Optional Networking Components Wizard win...

Page 212: ...you how to use the UPnP feature in Windows XP You must already have UPnP installed in Windows XP and UPnP activated on the ZyXEL Device Make sure the computer is connected to a LAN port of the ZyXEL...

Page 213: ...re 122 Network Connections 3 In the Internet Connection Properties window click Settings to see the port mappings there were automatically created Figure 123 Internet Connection Properties 4 You may e...

Page 214: ...perties Advanced Settings Add Note When the UPnP enabled device is disconnected from your computer all port mappings will be deleted automatically 5 Select Show icon in notification area when connecte...

Page 215: ...access the web based configurator on the ZyXEL Device without finding out the IP address of the ZyXEL Device first This comes helpful if you do not know the IP address of the ZyXEL Device Follow the...

Page 216: ...l Plug and Play UPnP Figure 128 Network Connections 4 An icon with the description for each UPnP enabled device displays under Local Network 5 Right click on the icon for your ZyXEL Device and select...

Page 217: ...217 Figure 129 Network Connections My Network Places 6 Right click on the icon for your ZyXEL Device and select Properties A properties window displays with basic information about the ZyXEL Device Fi...

Page 218: ...P 660HW T v2 User s Guide 218 Chapter 16 Universal Plug and Play UPnP...

Page 219: ...ame In Windows 2000 click Start Settings Control Panel and then double click System Click the Network Identification tab and then the Properties button Note the entry for the Computer name field and e...

Page 220: ...ty over the ISP assigned domain name Administrator Inactivity Timer Type how many minutes a management session can be left idle before the session times out The default is 5 minutes After it times out...

Page 221: ...on the ZyXEL Device Old Password Type the default admin password 1234 or the existing password you use to access the system for configuring advanced features New Password Type your new system password...

Page 222: ...Time and Date Setup to Manual enter the new date in this field and then click Apply Get from Time Server Select this radio button to have the ZyXEL Device get the time and date from the time server yo...

Page 223: ...e zone is one hour ahead of GMT or UTC GMT 1 End Date Configure the day and time when Daylight Saving Time ends if you selected Enable Daylight Saving The o clock field uses the 24 hour format Here ar...

Page 224: ...P 660HW T v2 User s Guide 224 Chapter 17 System...

Page 225: ...log that warrants more serious attention They include system errors attacks access control and attempted access to blocked web sites Some categories such as System Errors consist of both logs and aler...

Page 226: ...play in the drop down list box Select a category of logs to view select All Logs to view logs from all of the log categories that you selected in the Log Settings page Time This field displays the tim...

Page 227: ...s The following table describes the fields in this screen Table 88 Log Settings LABEL DESCRIPTION E mail Log Settings Mail Server Enter the server name or the IP address of the mail server for the e m...

Page 228: ...week the E mail should be sent If you select When Log is Full an alert is sent when the log fills up If you select None no log messages are sent Day for Sending Log Use the drop down list box to selec...

Page 229: ...131 To 192 168 1 255 match forward 10 05 17 UDP src port 00520 dest port 00520 1 02 128 Apr 7 00 From 192 168 1 1 To 192 168 1 255 match forward 10 05 30 UDP src port 00520 dest port 00520 1 02 End o...

Page 230: ...P packet that was too large Configuration Change PC 0x x Task ID 0x x The router is saving configuration changes Successful SSH login Someone has logged on to the router s SSH server SSH login failed...

Page 231: ...a web site that the user requested Table 92 TCP Reset Logs LOG MESSAGE DESCRIPTION Under SYN flood attack sent TCP RST The router sent a TCP reset packet when a host was under a SYN flood attack the...

Page 232: ...and rule number and was blocked or forwarded according to the rule Table 94 ICMP Logs LOG MESSAGE DESCRIPTION Firewall default policy ICMP Packet Direction type d code d ICMP access matched the defau...

Page 233: ...ol stage has started ppp LCP Opening The PPP connection s Link Control Protocol stage is opening ppp CHAP Opening The PPP connection s Challenge Handshake Authentication Protocol stage is opening ppp...

Page 234: ...he web content Waiting content filter server timeout The external content filtering server did not respond within the timeout period DNS resolving failed The ZyXEL Device cannot get the IP address of...

Page 235: ...l classified an ICMP packet with no source routing entry as an IP spoofing attack vulnerability ICMP type d code d The firewall detected an ICMP vulnerability attack For type and code details see Tabl...

Page 236: ...ase 2 parameters don t match Please check all protocols settings Ex One device being configured for 3DES and the other being configured for DES causes the connection to fail Local remote IPs of incomi...

Page 237: ...ximum Segment Size value after establishing a tunnel Rule d input idle time out disconnect The tunnel for the listed rule was dropped because there was no inbound traffic within the idle timeout perio...

Page 238: ...re failed Rule d Sending IKE request IKE sent an IKE request for the listed rule Rule d Receiving IKE request IKE received an IKE request for the listed rule Swap rule to rule d The router changed to...

Page 239: ...whose address and port are recorded in the Source field Failed to decode the received user cert The router received a corrupted user certificate from the LDAP server whose address and port are recorde...

Page 240: ...ial numbers 23 Time interval is not continuous 24 Time information not available 25 Database method failed due to timeout 26 Database method failed 27 Path was not verified 28 Maximum path length reac...

Page 241: ...y supports EAP MD5 No response from RADIUS Pls check RADIUS Server There is no response message from the RADIUS server please check the RADIUS server Use Local User Database to authenticate user The l...

Page 242: ...ed to queue the datagrams for output to the next network on the route to the destination network 5 Redirect 0 Redirect datagrams for the Network 1 Redirect datagrams for the Host 2 Redirect datagrams...

Page 243: ...gured one when the router generates a syslog The facility is defined in the web MAIN MENU LOGS Log Settings page The severity is the log s syslog class The definition of messages and notes are defined...

Page 244: ...P 660HW T v2 User s Guide 244 Chapter 18 Logs...

Page 245: ...nutes After a successful upload the system will reboot Only use firmware for your device s specific model Refer to the label on the bottom of your device Click Maintenance Tools to open the Firmware s...

Page 246: ...systems you may see the following icon on your desktop Figure 138 Network Temporarily Disconnected After two minutes log in again and check your new firmware version in the Status screen If the upload...

Page 247: ...Backup Configuration Backup configuration allows you to back up save the ZyXEL Device s current configuration to a file on your computer Once your ZyXEL Device is configured and functioning properly...

Page 248: ...following icon on your desktop Figure 142 Temporarily Disconnected If you uploaded the default configuration file you may need to change the IP address of your computer to be in the same subnet as th...

Page 249: ...s You can also press the RESET button on the rear panel to reset the factory defaults of your ZyXEL Device Refer to the chapter about introducing the web configurator for more information on the RESET...

Page 250: ...P 660HW T v2 User s Guide 250 Chapter 19 Tools...

Page 251: ...General Diagnostic Click Maintenance Diagnostic to open the screen shown next Figure 145 Diagnostic General The following table describes the fields in this screen Table 111 Diagnostic General LABEL D...

Page 252: ...VCIs before you begin this test The ZyXEL Device sends an OAM F5 packet to the DSLAM ATM switch and then returns it loops it back to the ZyXEL Device The ATM loopback test is useful for troubleshooti...

Page 253: ...ropriate power source Make sure that the ZyXEL Device and the power source are both turned on Turn the ZyXEL Device off and on If the error persists you may have a hardware problem In this case you sh...

Page 254: ...ntication may be through the user name and password the MAC address or the host name The username and password apply to PPPoE and PPPoA encapsulation only Make sure that you have entered the correct S...

Page 255: ...Make sure that there is not a Telnet session running Use the ZyXEL Device s WAN IP address when configuring from the WAN Refer to the instructions on checking your WAN connection Use the ZyXEL Device...

Page 256: ...P 660HW T v2 User s Guide 256 Chapter 21 Troubleshooting...

Page 257: ...Subnet Mask 255 255 255 0 24 bits Default Password 1234 DHCP Pool 192 168 1 33 to 192 168 1 64 Dimensions W x D x H 180 x 128 x 36 mm Power Specification 12V AC 1A Built in Switch Four auto negotiati...

Page 258: ...protocol Transparent bridging for unsupported network layer protocols DHCP Server Client Relay RIP I RIP II ICMP ATM QoS SNMP v1 and v2c with MIB II support RFC 1213 IP Multicasting IGMP v1 and v2 IGM...

Page 259: ...and logs NAT SUA Port Forwarding 1024 NAT sessions Multimedia application PPTP under NAT SUA IPSec passthrough SIP ALG passthrough VPN passthrough Content Filtering Web page blocking by URL keyword St...

Page 260: ...P 660HW T v2 User s Guide 260 Appendix A Product Specifications...

Page 261: ...d than uploaded For example a simple button click in a web browser can start an extended download that includes graphics and text As data rates increase the carrying distance decreases That means that...

Page 262: ...at your service provider are not affected by other users With cable modems transmission speeds drop significantly as more users go on line because the line is shared 3 ADSL can be always on connected...

Page 263: ...d it again to the same device or another one See the following sections for details The Configuration Text File Format All Internal SPTGEN text files conform to the following format field identificati...

Page 264: ...on page 263 Figure 148 Invalid Parameter Entered Command Line Example The ZyXEL Device will display the following if you enter parameter s that are valid Figure 149 Valid Parameter Entered Command Lin...

Page 265: ...our computer to the ZyXEL Device using the put command computer to the ZyXEL Device 4 Exit this FTP application Figure 151 Internal SPTGEN FTP Upload Example c ftp 192 168 1 1 220 PPP FTP version 1 0...

Page 266: ...0 10000001 System Name Str Your Device 10000002 Location Str 10000003 Contact Person s Name Str 10000004 Route IP 0 No 1 Yes 1 10000006 Bridge 0 No 1 Yes 0 Table 121 Menu 3 Menu 3 1 General Ethernet S...

Page 267: ...mary DNS Server 0 0 0 0 30200005 Secondary DNS Server 0 0 0 0 30200006 Remote DHCP Server 0 0 0 0 30200008 IP Address 172 21 2 200 30200009 IP Subnet Mask 16 30200010 RIP Direction 0 None 1 Both 2 In...

Page 268: ...going protocol filters Set 4 256 30201014 IP Alias 2 0 No 1 Yes 0 30201015 IP Address 0 0 0 0 30201016 IP Subnet Mask 0 30201017 RIP Direction 0 None 1 Both 2 In Only 3 Out Only 0 30201018 Version 0 R...

Page 269: ...P 0 30500007 Default Key 1 2 3 4 0 30500008 WEP Key1 30500009 WEP Key2 30500010 WEP Key3 30500011 WEP Key4 30500012 Wlan Active 0 Disable 1 Enable 0 30500013 Wlan 4X Mode 0 Disable 1 Enable 0 MENU 3 5...

Page 270: ...ord Str 1234 40000011 Single User Account 0 No 1 Yes 1 40000012 IP Address Assignment 0 Static 1 D ynamic 1 40000013 IP Address 0 0 0 0 40000014 Remote IP address 0 0 0 0 40000015 Remote IP subnet mas...

Page 271: ...Static Route set 1 Active 0 No 1 Yes 0 120101003 IP Static Route set 1 Destination IP address 0 0 0 0 120101004 IP Static Route set 1 Destination IP subnetmask 0 120101005 IP Static Route set 1 Gatew...

Page 272: ...150000012 SUA Server 4 Active 0 No 1 Yes 0 150000013 SUA Server 4 Protocol 0 All 6 TCP 17 U DP 0 150000014 SUA Server 4 Port Start 0 150000015 SUA Server 4 Port End 0 150000016 SUA Server 4 Local IP...

Page 273: ...6 TCP 17 U DP 0 150000044 SUA Server 10 Port Start 0 150000045 SUA Server 10 Port End 0 150000046 SUA Server 10 Local IP address 0 0 0 0 150000047 SUA Server 11 Active 0 No 1 Yes 0 150000048 SUA Serve...

Page 274: ...ter Set 1 Rule 1 Act Match 1 check next 2 forward 3 drop 3 210101014 IP Filter Set 1 Rule 1 Act Not Match 1 check next 2 forward 3 drop 1 Menu 21 1 1 2 set 1 rule 2 FIN FN PVA INPUT 210102001 IP Filte...

Page 275: ...3 IP Filter Set 2 Rule 1 Protocol 6 210201004 IP Filter Set 2 Rule 1 Dest IP address 0 0 0 0 210201005 IP Filter Set 2 Rule 1 Dest Subnet Mask 0 210201006 IP Filter Set 2 Rule 1 Dest Port 137 21020100...

Page 276: ...et 2 Rule 2 Src Subnet Mask 0 210202010 IP Filter Set 2 Rule 2 Src Port 0 210202011 IP Filter Set 2 Rule 2 Src Port Comp 0 none 1 equal 2 not equal 3 less 4 gr eater 0 210202013 IP Filter Set 2 Rule 2...

Page 277: ...o Authentication Required 2 230400002 ReAuthentication Timer in second 555 230400003 Idle Timeout in second 999 230400004 Authentication Databases 0 Local User Database Only 1 RADIUS Only 2 Local RADI...

Page 278: ...Access 0 all 1 none 2 L an 3 Wan 0 241100006 FTP Server Secured IP address 0 0 0 0 241100007 WEB Server Port 80 241100008 WEB Server Access 0 all 1 none 2 L an 3 Wan 0 241100009 WEB Server Secured IP...

Page 279: ...en the centers of the holes matches what is listed in the product specifications appendix Note Be careful to avoid damaging pipes or cables located inside the wall when drilling holes for the screws 3...

Page 280: ...P 660HW T v2 User s Guide 280 Appendix D Wall mounting Instructions...

Page 281: ...equires the purchase of a third party TCP IP application package TCP IP should already be installed on computers using Windows NT 2000 XP Macintosh OS 7 and later operating systems After the appropria...

Page 282: ...Microsoft Networks If you need the adapter 1 In the Network window click Add 2 Select Adapter and then click Add 3 Select the manufacturer and model of your network adapter and then click OK If you n...

Page 283: ...dapter s TCP IP entry and click Properties 2 Click the IP Address tab If your IP address is dynamic select Obtain an IP address automatically If you have a static IP address select Specify an IP addre...

Page 284: ...the TCP IP Properties window 6 Click OK to close the Network window Insert the Windows CD if prompted 7 Turn on your ZyXEL Device and restart your computer when prompted Verifying Settings 1 Click St...

Page 285: ...ter s IP Address 285 Figure 156 Windows XP Start Menu 2 In the Control Panel double click Network Connections Network and Dial up Connections in Windows 2000 NT Figure 157 Windows XP Control Panel 3 R...

Page 286: ...nections Properties 4 Select Internet Protocol TCP IP under the General tab in Win XP and then click Properties Figure 159 Windows XP Local Area Connection Properties 5 The Internet Protocol TCP IP Pr...

Page 287: ...ure additional IP addresses In the IP Settings tab in IP addresses click Add In TCP IP Address type an IP address in IP address and a subnet mask in Subnet mask and then click Add Repeat the above two...

Page 288: ...he General tab in Windows XP Click Obtain DNS server address automatically if you do not know your DNS server IP address es If you know your DNS server IP address es click Use the following DNS server...

Page 289: ...k Connections window Network and Dial up Connections in Windows 2000 NT 11Turn on your ZyXEL Device and restart your computer if prompted Verifying Settings 1 Click Start All Programs Accessories and...

Page 290: ...Address Figure 163 Macintosh OS 8 9 Apple Menu 2 Select Ethernet built in from the Connect via list Figure 164 Macintosh OS 8 9 TCP IP 3 For dynamically assigned settings select Using DHCP Server from...

Page 291: ...e changes to your configuration 7 Turn on your ZyXEL Device and restart your computer if prompted Verifying Settings Check your TCP IP properties in the TCP IP Control Panel window Macintosh OS X 1 Cl...

Page 292: ...k in the Subnet mask box Type the IP address of your ZyXEL Device in the Router address box 5 Click Apply Now and close the window 6 Turn on your ZyXEL Device and restart your computer if prompted Ver...

Page 293: ...ck the Red Hat button located on the bottom left corner select System Setting and click Network Figure 167 Red Hat 9 0 KDE Network Configuration Devices 2 Double click on the profile of the network ca...

Page 294: ...work Configuration DNS 5 Click the Devices tab 6 Click the Activate button to apply the changes The following screen displays Click Yes to save the changes in all screens Figure 170 Red Hat 9 0 KDE Ne...

Page 295: ...55 0 Figure 172 Red Hat 9 0 Static IP Address Setting in ifconfig eth0 2 If you know your DNS server IP address es enter the DNS server information in the resolv conf file in the etc directory The fol...

Page 296: ...g down loopback interface OK Setting network parameters OK Bringing up loopback interface OK Bringing up interface eth0 OK root localhost ifconfig eth0 Link encap Ethernet HWaddr 00 50 BA 72 5B 44 ine...

Page 297: ...e remaining three octets are the host ID In a class B address the first two octets make up the network number and the two remaining octets make up the host ID In a class C address the first three octe...

Page 298: ...ber of subnets you can have in a network Subnet Masks A subnet mask is used to determine which bits are part of the network number and which bits are part of the host ID using a logical AND operation...

Page 299: ...mply specify the number of ones instead of writing the value of each octet This is usually specified by writing a followed by the number of bits in the mask after the address For example 192 1 1 0 25...

Page 300: ...ts you can have The remaining number of host ID bits after borrowing determines the number of hosts you can have on each subnet Table 134 Two Subnets Example IP SUBNET MASK NETWORK NUMBER HOST ID IP A...

Page 301: ...ets you need to borrow two host ID bits to give four possible combinations 00 01 10 and 11 The subnet mask is 26 bits 11111111 11111111 11111111 11000000 or 255 255 255 192 Each subnet contains 6 host...

Page 302: ...Mask Binary 11111111 11111111 11111111 11000000 Subnet Address 192 168 1 128 Lowest Host ID 192 168 1 129 Broadcast Address 192 168 1 191 Highest Host ID 192 168 1 190 Table 140 Subnet 4 IP SUBNET MAS...

Page 303: ...9 158 159 6 160 161 190 191 7 192 193 222 223 8 224 225 254 255 Table 142 Class C Subnet Planning NO BORROWED HOST BITS SUBNET MASK NO SUBNETS NO HOSTS PER SUBNET 1 255 255 255 128 25 2 126 2 255 255...

Page 304: ...25 512 126 10 255 255 255 192 26 1024 62 11 255 255 255 224 27 2048 30 12 255 255 255 240 28 4096 14 13 255 255 255 248 29 8192 6 14 255 255 255 252 30 16384 2 15 255 255 255 254 31 32768 1 Table 143...

Page 305: ...P address are on the same subnet In Windows click Start usually in the bottom left corner Run and then type telnet 192 168 1 1 the default ZyXEL Device IP address and click OK 3 A login screen display...

Page 306: ...ailable for the category Figure 177 Displaying Log Parameters Example 4 Use sys logs category followed by a log category and a parameter to decide what to record Use 0 to not record logs for that cate...

Page 307: ...ogs category access 3 ras sys logs save ras sys logs display access time source destination notes message 0 06 08 2004 05 58 21 172 21 4 154 224 0 1 24 ACCESS BLOCK Firewall default policy IGMP W to W...

Page 308: ...P 660HW T v2 User s Guide 308 Appendix G Command Interpreter...

Page 309: ...nd shows the of all the firewall settings including e mail attack and the sets rules config display firewall set set This command shows the current configuration of a set including timeout values name...

Page 310: ...ail hour 0 23 This command sets the hour when the firewall log is sent through e mail if the ZyXEL Device is set to send it on an hourly daily or weekly basis config edit firewall e mail minute 0 59 T...

Page 311: ...h the same destination where the ZyXEL Device starts dropping half open sessions to that destination Sets config edit firewall set set name desired name This command sets a name to identify a specifie...

Page 312: ...MP Config edit firewall set set rule rule log none match not match both This command sets the ZyXEL Device to log traffic that matches the rule doesn t match both or neither Config edit firewall set s...

Page 313: ...and to enter various non consecutive port numbers config edit firewall set set rule rule TCP destport range start port end port This command sets a rule to have the ZyXEL Device check for TCP traffic...

Page 314: ...Guide 314 Appendix H Firewall Commands config delete firewall set set rule rule This command removes the specified rule in a firewall configuration set Table 144 Firewall Commands continued FUNCTION...

Page 315: ...ted calls You can configure NetBIOS filters to do the following Allow or disallow the sending of NetBIOS packets from the LAN to the WAN and from the WAN to the LAN Allow or disallow the sending of Ne...

Page 316: ...initiating calls Disabled type Identify which NetBIOS filter numbered 0 3 to configure 0 Between LAN and WAN 3 IPSec packet pass through 4 Trigger Dial on off For type 0 and 1 use on to enable the fi...

Page 317: ...all the POTS splitter at the point where the telephone line enters your residence as shown in the following figure Figure 178 Connecting a POTS Splitter 1 Connect the side labeled Phone to your teleph...

Page 318: ...e microfilter Figure 179 Connecting a Microfilter You can also use a Y Connector with a microfilter in order to connect both your modem and a telephone to the same wall jack without using a POTS split...

Page 319: ...crofilters 319 ZyXEL Device With ISDN This section relates to people who use their ZyXEL Device with ADSL over ISDN digital telephone service only The following is an example installation for the ZyXE...

Page 320: ...P 660HW T v2 User s Guide 320 Appendix J Splitters and Microfilters...

Page 321: ...work or Independent Basic Service Set IBSS The following diagram shows an example of notebook computers using wireless adapters to form an Ad hoc wireless LAN Figure 182 Peer to Peer Communication in...

Page 322: ...ired connection between APs is called a Distribution System DS This type of wireless LAN topology is called an Infrastructure WLAN The Access Points not only provide communication with the wired netwo...

Page 323: ...ent channels partially overlap however To avoid interference due to overlap your AP should be on a channel at least five channels away from a channel that an adjacent AP is using For example if your r...

Page 324: ...nsmission It also reserves and confirms with the requesting station the time frame for the requested transmission Stations can send frames smaller than the specified RTS CTS directly to the AP without...

Page 325: ...mode the wireless adapters support and to provide more reliable communications in busy wireless networks Select Short preamble if you are sure the wireless adapters support it and to provide more effi...

Page 326: ...ate with it RADIUS RADIUS is based on a client server model that supports authentication authorization and accounting The access point is the client and the server is the RADIUS server The RADIUS serv...

Page 327: ...messages are exchanged between the access point and the RADIUS server for user accounting Accounting Request Sent by the access point requesting accounting Accounting Response Sent by the RADIUS serve...

Page 328: ...a different certificate to the server The exchange of certificates is done in the open before a secured tunnel is created This makes user identity vulnerable to passive attacks A digital certificate...

Page 329: ...2 IEEE 802 11i is a wireless security standard that defines stronger encryption authentication and key management than WPA Key differences between WPA or WPA2 and WEP are improved data encryption and...

Page 330: ...cally generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients This all happens in the background automatically The Mes...

Page 331: ...A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA At the time of writing the most widely available supplicant is the WPA patc...

Page 332: ...PSK must consist of between 8 and 63 ASCII characters or 64 hexadecimal characters including spaces and symbols 2 The AP checks each wireless client s password and only allows it to join the network i...

Page 333: ...curity features Table 149 Wireless Security Relational Matrix AUTHENTICATION METHOD KEY MANAGEMENT PROTOCOL ENCRYPTION METHOD ENTER MANUAL KEY IEEE 802 1X Open None No Disable Enable without Dynamic W...

Page 334: ...P 660HW T v2 User s Guide 334 Appendix K Wireless LANs...

Page 335: ...have to disable pop up blocking to log into your device Either disable pop up blocking enabled by default in Windows XP SP Service Pack 2 or allow pop up blocking and create an exception for your dev...

Page 336: ...ons 3 Click Apply to save this setting Enable pop up Blockers with Exceptions Alternatively if you only want to allow pop up windows from your device see the following steps 1 In Internet Explorer sel...

Page 337: ...pts and Java Permissions 337 Figure 190 Internet Options 2 3 Type the IP address of your device the web page that you do not want to have blocked with the prefix http For example http 192 168 1 1 4 Cl...

Page 338: ...up Blocker Settings 5 Click Close to return to the Privacy screen 6 Click Apply to save this setting JavaScripts If pages of the web configurator do not display properly in Internet Explorer check tha...

Page 339: ...ions 339 Figure 192 Internet Options 3 2 Click the Custom Level button 3 Scroll down to Scripting 4 Under Active scripting make sure that Enable is selected the default 5 Under Scripting of Java apple...

Page 340: ...193 Security Settings Java Scripting Java Permissions 1 From Internet Explorer click Tools Internet Options and then the Security tab 2 Click the Custom Level button 3 Scroll down to Microsoft VM 4 U...

Page 341: ...vaScripts and Java Permissions 341 Figure 194 Security Settings Java JAVA Sun 1 From Internet Explorer click Tools Internet Options and then the Advanced tab 2 make sure that Use Java 2 for applet und...

Page 342: ...P 660HW T v2 User s Guide 342 Appendix L Pop up Windows JavaScripts and Java Permissions Figure 195 Java Sun...

Page 343: ...between two Ethernet devices Some companies have more than one route to one or more ISPs If the alternate gateway is on the LAN and it s IP address is in the same subnet the triangle route problem ma...

Page 344: ...al LAN interfaces with the ZyXEL Device being the gateway for each logical network By putting your LAN and Gateway B in different subnets all returning network traffic must pass through the ZyXEL Devi...

Page 345: ...nternet access 37 ARP 116 asymmetrical 261 ATM Adaptation Layer 5 see AAL5 ATM loopback test 252 attack alert 168 attack types 142 attacks 225 auto negotiating 258 auxiliary gateway 34 B backup 247 ba...

Page 346: ...19 258 DHCP pool 257 diagnostic DSL line 252 general 251 dial on demand 35 digital 33 Digital Subscriber Line see DSL Digital Subscriber Line Access Multiplexer see DSLAM dimensions 257 disclaimer 3 D...

Page 347: ...on threshold 324 FTP 69 130 195 198 restrictions 195 full rate 317 G global products 31 graphics key 32 H half open sessions 167 help 44 hidden node 323 hide SSID 94 host 220 221 host name 219 HTTP 13...

Page 348: ...BS max incomplete high 167 max incomplete low 167 MBS 79 84 89 media access control see MAC Media Bandwidth Management 35 Message Integrity Check see MIC metric 78 MIB 200 MIC 330 microfilter 317 mult...

Page 349: ...k start guide 41 R radio interference 323 Radio Frequency see RF RADIUS 326 shared secret key 327 RADIUS message types 327 RADIUS messages 327 RADIUS server 95 reboot 249 registration 31 product 8 rel...

Page 350: ...porting disk 31 Sustain Cell Rate see SCR switch 36 257 symmetrical 261 SYN Flood 140 141 SYN ACK 141 syntax conventions 31 syslog 162 system errors 225 system name 219 220 System Parameter Table Gene...

Page 351: ...p 90 WAN setup 75 WAN to LAN rules 152 warranty 8 note 8 web configurator 31 41 43 44 146 151 screen summary 44 WEP 37 98 encryption 100 Wide Area Network see WAN Wi Fi Protected Access see WPA Wired...

Reviews:

No comments

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands