manualshive.com logo in svg

ZyXEL Communications P-660HWP-D1, User Manual

The ZyXEL Communications P-660HWP-D1 is a high-performance router that offers secure and reliable internet connectivity. Ensure optimal usage by referring to the User Manual, available for free download from manualshive.com. This detailed manual will guide you through setup, troubleshooting, and optimizing your network experience.

Share
Download
background image

 Chapter 10 Firewalls

P-660HWP-D1 User’s Guide

157

If an initiation packet originates on the LAN, this means that someone is trying to make a 
connection from the LAN to the Internet. Assuming that this is an acceptable part of the 
security policy (as is the case with the default policy), the connection will be allowed. A cache 
entry is added which includes connection information such as IP addresses, TCP ports, 
sequence numbers, etc.
When the P-660HWP-D1 receives any subsequent packet (from the Internet or from the 
LAN), its connection information is extracted and checked against the cache. A packet is only 
allowed to pass through if it corresponds to a valid connection (that is, if it is a response to a 
connection which originated on the LAN).

10.5.4  UDP/ICMP Security

UDP and ICMP do not themselves contain any connection information (such as sequence 
numbers). However, at the very minimum, they contain an IP address pair (source and 
destination). UDP also contains port pairs, and ICMP has type and code information. All of 
this data can be analyzed in order to build "virtual connections" in the cache. 
For instance, any UDP packet that originates on the LAN will create a cache entry. Its IP 
address and port pairs will be stored. For a short period of time, UDP packets from the WAN 
that have matching IP and UDP information will be allowed back in through the firewall.
A similar situation exists for ICMP, except that the P-660HWP-D1 is even more restrictive. 
Specifically, only outgoing echoes will allow incoming echo replies, outgoing address mask 
requests will allow incoming address mask replies, and outgoing timestamp requests will 
allow incoming timestamp replies. No other ICMP packets are allowed in through the firewall, 
simply because they are too dangerous and contain too little tracking information. For 
instance, ICMP redirect packets are never allowed in, since they could be used to reroute 
traffic through attacking machines. 

10.5.5  Upper Layer Protocols

Some higher layer protocols (such as FTP and RealAudio) utilize multiple network 
connections simultaneously. In general terms, they usually have a "control connection" which 
is used for sending commands between endpoints, and then "data connections" which are used 
for transmitting bulk information. 
Consider the FTP protocol. A user on the LAN opens a control connection to a server on the 
Internet and requests a file. At this point, the remote server will open a data connection from 
the Internet. For FTP to work properly, this connection must be allowed to pass through even 
though a connection from the Internet would normally be rejected.
In order to achieve this, the P-660HWP-D1 inspects the application-level FTP data. 
Specifically, it searches for outgoing “PORT” commands, and when it sees these, it adds a 
cache entry for the anticipated data connection. This can be done safely, since the PORT 
command contains address and port information, which can be used to uniquely identify the 
connection.
Any protocol that operates in this way must be supported on a case-by-case basis. You can use 
the web configurator’s Custom Ports feature to do this.

Summary of Contents for P-660HWP-D1

Page 1: ...www zyxel com P 660HWP D1 802 11g HomePlug AV ADSL2 Security Gateway User s Guide Version 3 40 6 2007 Edition 1...

Page 2: ......

Page 3: ...Configurator Online Help Embedded web help for descriptions of individual screens and supplementary information It is recommended you use the web configurator to configure the P 660HWP D1 Supporting D...

Page 4: ...ld choices are all in bold font A key stroke is denoted by square brackets and uppercase text for example ENTER means the enter or return key on your keyboard Enter means for you to type one or more c...

Page 5: ...de 5 Icons Used in Figures Figures in this User s Guide may use the following generic icons The P 660HWP D1 icon is not an exact representation of your device P 660HWP D1 Computer Notebook computer Se...

Page 6: ...Y an appropriate power adaptor or cord for your device Connect the power adaptor or cord to the right supply voltage for example 110V AC in North America or 230V AC in Europe Do NOT allow anything to...

Page 7: ...Safety Warnings P 660HWP D1 User s Guide 7...

Page 8: ...Safety Warnings P 660HWP D1 User s Guide 8...

Page 9: ...up 73 LAN Setup 91 Wireless LAN 103 Powerline 127 Network Address Translation NAT 135 Security 147 Firewalls 149 Firewall Configuration 161 Content Filtering 183 Certificates 187 Advanced 209 Static R...

Page 10: ...Contents Overview P 660HWP D1 User s Guide 10...

Page 11: ...ood Habits for Managing the P 660HWP D1 35 1 4 LEDs 35 1 5 Hardware Connections 37 1 5 1 Connecting a POTS Splitter 37 1 5 2 Telephone Microfilters 37 1 5 3 P 660HWP D1 With ISDN 38 Chapter 2 Introduc...

Page 12: ...ess 63 3 2 3 Manually assign a WPA PSK key 66 3 2 4 Manually assign a WEP key 66 Chapter 4 Bandwidth Management Wizard 69 4 1 Introduction 69 4 2 Bandwidth Management Wizard Setup 69 Part III Network...

Page 13: ...Multicast 94 6 2 4 Any IP 95 6 3 Configuring LAN IP 96 6 3 1 Configuring Advanced LAN Setup 97 6 4 DHCP Setup 98 6 5 LAN Client List 99 6 6 LAN IP Alias 100 Chapter 7 Wireless LAN 103 7 1 Wireless Net...

Page 14: ...Networks 129 8 3 Configuring Local Settings 130 8 4 Configuring Remote Settings 131 8 5 Powerline Network Status 132 Chapter 9 Network Address Translation NAT 135 9 1 NAT Overview 135 9 1 1 NAT Defini...

Page 15: ...156 10 5 4 UDP ICMP Security 157 10 5 5 Upper Layer Protocols 157 10 6 Guidelines for Enhancing Security with Your Firewall 158 10 6 1 Security In General 158 10 7 Packet Filtering Vs Firewall 159 10...

Page 16: ...s of Certificates 188 13 2 Self signed Certificates 188 13 3 Verifying a Certificate 188 13 3 1 Checking the Fingerprint of a Certificate on Your Computer 188 13 4 Configuration Summary 189 13 5 My Ce...

Page 17: ...idth Usage Example 218 15 6 3 Bandwidth Management Priorities 219 15 7 Over Allotment of Bandwidth 219 15 8 Configuring Summary 220 15 9 Bandwidth Management Rule Setup 221 15 10 DiffServ 222 15 10 1...

Page 18: ...1 Installing UPnP in Windows Me 245 18 3 2 Installing UPnP in Windows XP 246 18 4 Using UPnP in Windows XP Example 247 18 4 1 Auto discover Your UPnP enabled Network Device 248 18 4 2 Web Configurato...

Page 19: ...are Connections and LEDs 289 23 2 P 660HWP D1 Access and Login 290 23 3 Internet Access 291 23 4 Powerline Issues 293 Part VII Appendices and Index 295 Appendix A Product Specifications and Wall Mount...

Page 20: ...Table of Contents P 660HWP D1 User s Guide 20...

Page 21: ...Status Packet Statistics 52 Figure 19 System General 54 Figure 20 Wizard Welcome 57 Figure 21 Internet Access Wizard Setup ISP Parameters 58 Figure 22 Internet Connection with PPPoE 59 Figure 23 Inter...

Page 22: ...urity 109 Figure 58 Wireless Static WEP Encryption 110 Figure 59 Wireless WPA PSK WPA2 PSK 111 Figure 60 Wireless WPA WPA2 112 Figure 61 Advanced 114 Figure 62 OTIST 116 Figure 63 Example Wireless Cli...

Page 23: ...nt Filter Keyword 183 Figure 104 Content Filter Schedule 184 Figure 105 Content Filter Trusted 185 Figure 106 Certificates on Your Computer 188 Figure 107 Certificate Details 189 Figure 108 Certificat...

Page 24: ...s Optional Networking Components Wizard 247 Figure 144 Networking Services 247 Figure 145 Network Connections 248 Figure 146 Internet Connection Properties 249 Figure 147 Internet Connection Propertie...

Page 25: ...re 187 Windows XP Internet Protocol TCP IP Properties 325 Figure 188 Macintosh OS 8 9 Apple Menu 326 Figure 189 Macintosh OS 8 9 TCP IP 326 Figure 190 Macintosh OS X Apple Menu 327 Figure 191 Macintos...

Page 26: ...List of Figures P 660HWP D1 User s Guide 26...

Page 27: ...1 64 Table 16 Wireless LAN Setup Wizard 2 65 Table 17 Manually assign a WPA key 66 Table 18 Manually assign a WEP key 67 Table 19 Bandwidth Management Wizard General Information 70 Table 20 Internet C...

Page 28: ...l Rules 166 Table 61 Firewall Edit Rule 169 Table 62 Customized Services 170 Table 63 Firewall Configure Customized Services 171 Table 64 Predefined Services 175 Table 65 Firewall Anti Probing 178 Tab...

Page 29: ...e 95 Services and Port Numbers 225 Table 96 Bandwidth Management Monitor 226 Table 97 Dynamic DNS 228 Table 98 Remote Management WWW 233 Table 99 Remote Management Telnet 234 Table 100 Remote Manageme...

Page 30: ...7 Wireless Firmware Specifications 299 Table 138 Standards Supported 300 Table 139 IEEE 802 11g 307 Table 140 Wireless Security Levels 308 Table 141 Comparison of EAP Authentication Types 311 Table 14...

Page 31: ...31 PART I Introduction Introducing the P 660HWP D1 33 Introducing the Web Configurator 41...

Page 32: ...32...

Page 33: ...one Service Model names ending in 3 denote a device that works over ISDN Integrated Services Digital Network The DSL RJ 11 ADSL over POTS models or RJ 45 ADSL over ISDN models connects to your ADSL or...

Page 34: ...follows Figure 2 LAN to LAN Application Example The P 660HWP D1 is compatible with the ADSL ADSL2 ADSL2 standards Maximum data rates attainable for each standard are shown in the next table If your P...

Page 35: ...SPTGEN file This is especially convenient if you need to configure many devices of the same type TR 069 This is an auto configuration server used to remotely configure your device 1 3 Good Habits for...

Page 36: ...HWP D1 is ready but is not sending receiving data through the wireless LAN Blinking The P 660HWP D1 is sending receiving data through the wireless LAN Off The wireless LAN is not ready or has failed D...

Page 37: ...ephone 2 Connect the side labeled Modem or DSL to your P 660HWP D1 3 Connect the side labeled Line to the telephone wall jack 1 5 2 Telephone Microfilters Telephone voice transmissions take place in t...

Page 38: ...2 Connect a cable from the double jack end of the Y Connector to the wall side of the microfilter 3 Connect another cable from the double jack end of the Y Connector to the P 660HWP D1 4 Connect the...

Page 39: ...Chapter 1 Introducing the P 660HWP D1 P 660HWP D1 User s Guide 39 Figure 7 P 660HWP D1 with ISDN...

Page 40: ...Chapter 1 Introducing the P 660HWP D1 P 660HWP D1 User s Guide 40...

Page 41: ...windows from your device Web pop up blocking is enabled by default in Windows XP SP Service Pack 2 JavaScripts enabled by default Java permissions enabled by default See the chapter on troubleshootin...

Page 42: ...dministrator access enter the default admin password 1234 to configure the wizards and the advanced features 2 Click Login to proceed to a screen asking you to change your password or click Cancel to...

Page 43: ...ange Password at Login 4 Select Go to Wizard setup and click Apply to display the wizard main screen Otherwise select Go to Advanced setup and click Apply to display the Status screen Figure 11 Select...

Page 44: ...set Button 1 Make sure the POWER LED is on not blinking 2 Press the RESET button for ten seconds or until the POWER LED begins to blink and then release it When the POWER LED begins to blink the defau...

Page 45: ...p Use this screen to configure your traffic redirect properties and WAN backup settings LAN IP Use this screen to configure LAN TCP IP settings enable Any IP and other advanced properties DHCP Setup U...

Page 46: ...range of users on the LAN from content filtering on your P 660HWP D1 Certificates My Certificates Use this screen to show a list of the P 660HWP D1 s certificates Trusted CA s Use this screen to show...

Page 47: ...e s and from which IP address es users can send DNS queries to the P 660HWP D1 ICMP Use this screen to change your anti probing settings UPnP General Use this screen to enable UPnP on the P 660HWP D1...

Page 48: ...WP D1 s model name MAC Address This is the MAC Media Access Control or Ethernet address unique to your P 660HWP D1 ZyNOS Firmware Version This is the ZyNOS firmware version and the date created ZyNOS...

Page 49: ...ys what percent of the P 660HWP D1 s heap memory is in use The bar turns from green to red when the maximum is being approached Interface Status Interface This displays the P 660HWP D1 port types Stat...

Page 50: ...gure 15 Status WLAN Status The following table describes the labels in this screen Table 5 Status Any IP Table LABEL DESCRIPTION This is the index number of the host computer IP Address This field dis...

Page 51: ...bar represents the percentage of unused bandwidth and the blue color represents the percentage of bandwidth in use Figure 16 Status Bandwidth Status 2 4 6 Status Powerline Statistics Click the Powerl...

Page 52: ...eld is configurable Not all fields are available on all models Figure 18 Status Packet Statistics The following table describes the fields in this screen Table 7 Status Packet Statistics LABEL DESCRIP...

Page 53: ...ts This field displays the number of packets received on this port Errors This field displays the number of error packets on this port Tx B s This field displays the number of bytes transmitted in the...

Page 54: ...Chapter 2 Introducing the Web Configurator P 660HWP D1 User s Guide 54 Figure 19 System General...

Page 55: ...55 PART II Wizards Wizard Setup for Internet Wireless Access 57 Bandwidth Management Wizard 69...

Page 56: ...56...

Page 57: ...screens to configure your system for Internet Wireless access with the information given to you by your ISP See the advanced menu chapters for background information on these fields 3 2 Internet Wire...

Page 58: ...ist box Choices vary depending on what you select in the Mode field If you select Bridge in the Mode field select either PPPoA or RFC 1483 If you select Routing in the Mode field select PPPoA RFC 1483...

Page 59: ...Connection with RFC 1483 Table 9 Internet Connection with PPPoE LABEL DESCRIPTION User Name Enter the user name exactly as your ISP assigned If assigned a name in the form user domain where domain ide...

Page 60: ...static IP address is a fixed IP that your ISP gives you A dynamic IP address is not fixed the ISP assigns you a different one each time you connect to the Internet Select Obtain an IP Address Automat...

Page 61: ...ck Apply to save your changes to the P 660HWP D1 Exit Click Exit to close the wizard screen without saving your changes Table 12 Internet Connection with PPPoA LABEL DESCRIPTION User Name Enter the lo...

Page 62: ...tep 2 of the wizard where you can configure your wireless settings Select No to finish the wizard Reconfigure Select Reconfigure to try to log on with a different user name and password The P 660HWP D...

Page 63: ...the INTERNET WIRELESS Wizard After checking your connections click this to restart the Wizard Continue to Wireless Setup Wizard Select Yes to continue to Step 2 of the wizard where you can configure y...

Page 64: ...0HWP D1 s SSID and WPA PSK security settings to wireless clients that support OTIST and are within transmission range You must also activate and start OTIST on the wireless client at the same time The...

Page 65: ...lly assign a WPA PSK key to configure a pre shared key WPA PSK Choose this option only if your wireless clients support WPA See Section 3 2 3 on page 66 for more information Select Manually assign a W...

Page 66: ...LAN setup screen to set up a Pre Shared Key Figure 31 Manually assign a WPA key The following table describes the labels in this screen 3 2 4 Manually assign a WEP key Choose Manually assign a WEP ke...

Page 67: ...Management page to start the Bandwidth Management wizard or click Go to Advanced Setup page to configure advanced settings Table 18 Manually assign a WEP key LABEL DESCRIPTION Key The WEP keys are use...

Page 68: ...ch your web browser and navigate to www zyxel com Internet access is just the beginning Refer to the rest of this guide for more detailed information on the complete range of P 660HWP D1 features If y...

Page 69: ...WAN port and prioritize the distribution of the bandwidth according to service bandwidth requirements This helps keep one service from using all of the available bandwidth and shutting out other users...

Page 70: ...your configuration Figure 37 Bandwidth Management Wizard Complete Table 19 Bandwidth Management Wizard General Information LABEL DESCRIPTION Active Select the Active check box to have the P 660HWP D1...

Page 71: ...71 PART III Network WAN Setup 73 LAN Setup 91 Wireless LAN 103 Powerline 127 Network Address Translation NAT 135...

Page 72: ...72...

Page 73: ...Point to Point Protocol over Ethernet provides access control and billing functionality in a manner similar to dial up services using PPP PPPoE is an IETF standard RFC 2516 specifying how a personal...

Page 74: ...minant in environments where dynamic creation of large numbers of ATM VCs is fast and economical 5 1 2 2 LLC based Multiplexing In this case one VC carries multiple protocols with protocol identifying...

Page 75: ...s your choices for IP address and ENET ENCAP gateway 5 1 5 1 IP Assignment with PPPoA or PPPoE Encapsulation If you have a dynamic IP then the IP Address and ENET ENCAP Gateway fields are not applicab...

Page 76: ...Section 5 8 on page 88 For example if the normal route has a metric of 1 and the traffic redirect route has a metric of 2 and dial backup route has a metric of 3 then the normal route acts as the pri...

Page 77: ...onstant Bit Rate CBR provides fixed bandwidth that is always available even if no data is being sent CBR traffic is generally time sensitive doesn t tolerate delay CBR is used for connections that con...

Page 78: ...ransfer 5 4 Zero Configuration Internet Access Once you turn on and connect the P 660HWP D1 to a telephone jack it automatically detects the Internet connection settings such as the VCI VPI numbers an...

Page 79: ...entification purposes only Mode Select Routing default from the drop down list box if your ISP allows multiple computers to share an Internet account Otherwise select Bridge Encapsulation Select the m...

Page 80: ...Select this if your ISP gave you a fixed IP address Enter the IP address you were given in the IP Address field IP Address If your ISP gave you an IP address to use enter it here Subnet Mask ENET ENC...

Page 81: ...ish membership in a multicast group The P 660HWP D1 supports both IGMP version 1 IGMP v1 and IGMP v2 Select None to disable it ATM QoS ATM QoS Type Select CBR Continuous Bit Rate to specify fixed alwa...

Page 82: ...the VCI VPI numbers and the encapsulation method from the ISP and make the necessary configuration changes Select No to disable this feature You must manually configure the P 660HWP D1 for Internet ac...

Page 83: ...ect the check box to enable it Name This is the descriptive name for this connection VPI VCI This is the VPI and VCI values used for this connection Encapsulation This is the method of encapsulation u...

Page 84: ...rnet account If you select Bridge the P 660HWP D1 will forward any packet that it does not route to this remote node otherwise the packets are discarded Encapsulation Select the method of encapsulatio...

Page 85: ...use enter it here Subnet Mask Enter a subnet mask in dotted decimal notation Refer to the appendices to calculate a subnet mask If you are implementing subnetting Gateway IP address Specify a gateway...

Page 86: ...membership in a multicast group The P 660HWP D1 supports both IGMP version 1 IGMP v1 and IGMP v2 Select None to disable it ATM QoS ATM QoS Type Select CBR Continuous Bit Rate to specify fixed always o...

Page 87: ...address or in bridge mode Select Yes to set the P 660HWP D1 to automatically detect the Internet connection settings such as the VCI VPI numbers and the encapsulation method from the ISP and make the...

Page 88: ...HWP D1 User s Guide 88 Figure 45 Traffic Redirect LAN Setup 5 8 Configuring WAN Backup To change your P 660HWP D1 s WAN backup settings click Network WAN WAN Backup Setup The screen appears as shown F...

Page 89: ...for the P 660HWP D1 to wait between checks Allow more time if your destination IP address handles lots of traffic Timeout Type the number of seconds 3 recommended for your P 660HWP D1 to wait for a p...

Page 90: ...Chapter 5 WAN Setup P 660HWP D1 User s Guide 90...

Page 91: ...rea usually the same building or floor of a building The LAN screens can help you configure a LAN DHCP server and manage IP addresses See Section 6 3 on page 96 to configure the LAN screens 6 1 1 LANs...

Page 92: ...dresses enter them in the DNS Server fields in DHCP Setup otherwise leave them blank Some ISP s choose to pass the DNS servers using the DNS server extensions of PPP IPCP IP Control Protocol after the...

Page 93: ...ddress Translation NAT feature of the P 660HWP D1 The Internet Assigned Number Authority IANA reserved this block of addresses specifically for private use please do not use any other number unless yo...

Page 94: ...P packets but will not accept any RIP packets received None the P 660HWP D1 will not send any RIP packets and will ignore any RIP packets received The Version field controls the format and the broadca...

Page 95: ...P D1 In cases where your computer is required to use a static IP address in another network you may need to manually configure the network settings of the computer every time you want to access the In...

Page 96: ...nds packets to its default gateway which is not the P 660HWP D1 by looking at the MAC address in its ARP table 2 When the computer cannot locate the default gateway an ARP request is broadcast on the...

Page 97: ...Mask Type the subnet mask assigned to you by your ISP if given Apply Click Apply to save your changes to the P 660HWP D1 Cancel Click Cancel to begin configuring this screen afresh Advanced Setup Clic...

Page 98: ...s Networking NetBIOS over TCP IP NetBIOS Network Basic Input Output System are TCP or UDP packets that enable a computer to connect to and communicate with a LAN For some dial up services such as PPPo...

Page 99: ...of the actual remote DHCP server in the Remote DHCP Server field in this case When DHCP is used the following items need to be set IP Pool Starting Address This field specifies the first of the contig...

Page 100: ...ble entry row Status This field displays whether the client is connected to the P 660HWP D1 Host Name This field displays the computer host name IP Address This field displays the IP address relative...

Page 101: ...AN s logical networks subnets Make sure that the subnets of the logical networks do not overlap The following figure shows a LAN divided into subnets A B and C Figure 53 Physical Network Partitioned L...

Page 102: ...routing table periodically When set to Both or In Only it will incorporate the RIP information that it receives when set to None it will not send any RIP packets and will ignore any RIP packets receiv...

Page 103: ...ess network devices A and B are called wireless clients The wireless clients use the access point AP to interact with other devices such as the printer or with the Internet Your P 660HWP D1 is the AP...

Page 104: ...B adapter or a wireless CardBus card 3 a RADIUS server only if you want to use IEEE802 1x WPA or WPA2 To have two or more computers communicate with each other wirelessly without an AP or wireless rou...

Page 105: ...irly weak however because there are ways for unauthorized devices to get the SSID In addition unauthorized devices can still see the information that is sent in the wireless network 7 3 2 MAC Address...

Page 106: ...ore there are ways for unauthorized wireless users to get a valid user name and password Then they can use that user name and password to use the wireless network Local user databases also have an add...

Page 107: ...to protect the information in the wireless network The longer the key the stronger the encryption Every wireless client in the wireless network must have the same key 7 3 5 One Touch Intelligent Secu...

Page 108: ...printable 7 bit English keyboard characters for the wireless LAN Note If you are configuring the P 660HWP D1 from a computer connected to the wireless LAN and you change the P 660HWP D1 s SSID or WEP...

Page 109: ...ireless clients and the access points must use the same WEP key Your P 660HWP D1 allows you to configure up to four 64 bit 128 bit or 256 bit WEP keys but only one key can be enabled at any one time I...

Page 110: ...Passphrase up to 32 printable characters and clicking Generate The P 660HWP D1 automatically generates a WEP key WEP Key The WEP keys are used to encrypt data Both the P 660HWP D1 and the wireless cli...

Page 111: ...less clients have to resend usernames and passwords in order to stay connected Enter a time interval between 10 and 9999 seconds The default time interval is 1800 seconds 30 minutes Note If wireless c...

Page 112: ...management sends a new group key out to all clients The re keying process is the WPA 2 equivalent of automatically changing the WEP key for an AP and all stations in a WLAN on a periodic basis Settin...

Page 113: ...all stations in a WLAN on a periodic basis Setting of the Group Key Update Timer is also supported in WPA PSK WPA2 PSK mode The default is 1800 seconds 30 minutes Authentication Server IP Address Ente...

Page 114: ...thin an area decrease the output power of the P 660HWP D1 to reduce interference with other APs The options are Maximum Middle and Minimum Preamble Select Long preamble if you are unsure what preamble...

Page 115: ...The AP and wireless client s MUST use the same Setup key 7 5 1 1 AP You can enable OTIST using the RESET button or the web configurator 7 5 1 1 1 Reset button If you use the RESET button the default...

Page 116: ...st also make the same change on the wireless client s Yes If you want OTIST to automatically generate a WPA PSK you must Change your security to any security other than WPA PSK in the Wireless LAN Gen...

Page 117: ...ireless clients and AP in any order but they must all be within range and have OTIST enabled 1 In the AP a web configurator screen pops up showing you the security settings to transfer You can use the...

Page 118: ...oses its wireless connection for more than ten seconds it will search for an OTIST enabled AP for up to one minute If you manually have the wireless client search for an OTIST enabled AP there is no t...

Page 119: ...he devices to configure this screen To change your P 660HWP D1 s MAC filter settings click Network Wireless LAN MAC Filter The screen appears as shown Figure 69 MAC Address Filter The following table...

Page 120: ...ess MAC Address Enter the MAC addresses of the wireless client that are allowed or denied access to the P 660HWP D1 in these address fields Enter the MAC addresses in a valid MAC address format that i...

Page 121: ...r further information about port numbers Next to the name of the service two fields appear in brackets The first field indicates the IP protocol type TCP UDP or ICMP The second field indicates the IP...

Page 122: ..._TUNNEL AH 0 The IPSEC AH Authentication Header tunneling protocol uses this service IPSEC_TUNNEL ESP 0 The IPSEC ESP Encapsulation Security Protocol tunneling protocol uses this service IRC TCP UDP 6...

Page 123: ...Transfer Protocol is the message exchange standard for the Internet SMTP enables you to move messages from one e mail server to another SNMP TCP UDP 161 Simple Network Management Program SNMP TRAPS TC...

Page 124: ...which you want to apply WMM QoS This is the number of an individual application entry Name This field displays a description given to an application entry Service This field displays either FTP WWW E...

Page 125: ...of messages sent through a computer network to specific groups or individuals Here are some default ports for e mail POP3 port 110 IMAP port 143 SMTP port 25 HTTP port 80 WWW The World Wide Web is an...

Page 126: ...User s Guide 126 Apply Click Apply to save your changes back to the P 660HWP D1 Cancel Click Cancel to return to the previous screen without saving your changes Table 43 Application Priority Configur...

Page 127: ...g section shows you a typical application Figure 72 Expand Your Network 1 Connect your P 660HWP D1 to the Internet 2 Then plug your P 660HWP D1 into a power outlet and turn it on The P 660HWP D1 is re...

Page 128: ...network name may be called the network password By default all HomePlug AV powerline adapters are configured with the network name HomePlugAV This allows all HomePlug AV powerline adapters and the P...

Page 129: ...network name for example Password1 to this powerline adapter Add additional powerline adapters to your network by plugging them into your powerline outlets and assigning them the same network name Pa...

Page 130: ...ocal station Figure 75 Network Powerline Local Setting The following table describes the labels in this screen Table 44 Network Powerline Local Setting Password 1 Password 2 Password 2 Password 1 LABE...

Page 131: ...s that you want to be part of your powerline network The network name can be from 1 to 64 alphanumeric characters in length spaces are not allowed DAK Password DAK Password is the password used to ver...

Page 132: ...ions In The Same Network This field shows the MAC addresses of the HomePlug AV adapters on your network These adapters all share the Network Name entered in the Local Settings section Select one of th...

Page 133: ...pairs of hexadecimal characters hexadecimal characters are 0 9 and a f In the case of the P 660HWP D1 this label is on the bottom of the device TEI TEI refers to Terminal Equipment Identifier In this...

Page 134: ...nsmits data to another adapter on your powerline network The rate is given in the following format application data transmission rate raw data transmission rate Application data reflects more accurate...

Page 135: ...st when the packet is in the local network while the global address refers to the IP address of the host when the same packet is traveling in the WAN side Note that inside outside refers to the locati...

Page 136: ...ting intruders from probing your network For more information on IP address translation refer to RFC 1631 The IP Network Address Translator NAT 9 1 3 How NAT Works Each packet has two addresses a sour...

Page 137: ...e PAT port address translation ZyXEL s Single User Account feature that previous ZyXEL routers supported the SUA Only option in today s routers Many to Many Overload In Many to Many Overload mode the...

Page 138: ...un friendly because they embed IP addresses and port numbers in their packets data payload Some NAT routers may include a SIP Application Layer Gateway ALG An Application Layer Gateway ALG manages a s...

Page 139: ...limit the number of NAT sessions a single client can establish this can result in all of the available NAT sessions being used In this case no additional NAT sessions can be established and users may...

Page 140: ...Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location If you are unsure refer to your ISP 9 5 1 Default Server IP Address In add...

Page 141: ...s as a single host on the Internet Figure 81 Multiple Servers Behind NAT Example 9 6 Configuring Port Forwarding The Port Forwarding screen is available only when you select SUA Only in the NAT Genera...

Page 142: ...or in the remote management setup Port Forwarding Service Name Select a service from the drop down list box Server IP Address Enter the IP address of the server for the specified service Add Click thi...

Page 143: ...DESCRIPTION Active Click this check box to enable the rule Service Name Enter a name to identify this port forwarding rule Start Port Enter a port number in this field To forward only one port enter t...

Page 144: ...is the starting Inside Global IP Address IGA Enter 0 0 0 0 here if you have a dynamic IP address from your ISP You can only do this for Many to One and Server mapping types Global End IP This is the...

Page 145: ...o Many No Overload mode maps each local IP address to unique global IP addresses Server This type allows you to specify inside servers of different services behind the NAT to be accessible to the outs...

Page 146: ...Translation NAT P 660HWP D1 User s Guide 146 Apply Click Apply to save your changes to the P 660HWP D1 Cancel Click Cancel to begin configuring this screen afresh Table 54 Edit Address Mapping Rule co...

Page 147: ...147 PART IV Security Firewalls 149 Firewall Configuration 161 Content Filtering 183 Certificates 187...

Page 148: ...148...

Page 149: ...only mechanism or method employed For a firewall to guard effectively you must design and deploy it appropriately This requires integrating the firewall into a broad information security policy In add...

Page 150: ...to assure the integrity of the connection and to adapt to dynamic protocols These firewalls generally provide the best speed and transparency however they may lack the granular application level acces...

Page 151: ...ific functions An extension number called the TCP port or UDP port identifies these protocols such as HTTP Web FTP File Transfer Protocol POP3 E mail etc For example Web traffic by default uses TCP po...

Page 152: ...series of IP fragments with overlapping offset fields When these fragments are reassembled at the destination some systems will crash hang or reboot 6 Weaknesses in the TCP IP specification leave it o...

Page 153: ...r floods a router with Internet Control Message Protocol ICMP echo request packets pings Since the destination IP address of each packet is the broadcast address of the network the router will broadca...

Page 154: ...king a router or firewall into thinking that the communications are coming from within the trusted network To engage in IP spoofing a hacker must modify the packet headers so that it appears that the...

Page 155: ...packet leaves the LAN network through the firewall s WAN interface The TCP packet is the first in a session and the packet s application layer protocol is configured for a firewall rule inspection 1 T...

Page 156: ...ow certain types of traffic from the Internet to specific hosts on the LAN Allow access to a Web server to everyone but competitors Restrict use of certain protocols such as Telnet to authorized users...

Page 157: ...ve Specifically only outgoing echoes will allow incoming echo replies outgoing address mask requests will allow incoming address mask replies and outgoing timestamp requests will allow incoming timest...

Page 158: ...icularly vulnerable because they provide more opportunities for hackers to crack your system Turn your computer off when not in use Never give out a password or any sensitive information to an unsolic...

Page 159: ...ilters can not distinguish traffic originating from an inside host or an outside host by IP address To block allow IP trace route 10 7 2 Firewall The firewall inspects packet contents as well as their...

Page 160: ...ish traffic originating from an inside host or an outside host by IP address The firewall performs better than filtering if you need to check many rules Use the firewall if you need routine e mail rep...

Page 161: ...ravel of packets to which they apply By default the P 660HWP D1 s stateful packet inspection allows packets traveling in the following directions LAN to LAN Router This allows computers on the LAN to...

Page 162: ...recedence and override the P 660HWP D1 s default rules 11 3 Rule Logic Overview Study these points carefully before configuring rules 11 3 1 Rule Checklist State the intent of the rule For example Thi...

Page 163: ...an ICMP destination unreachable message to the sender 11 3 3 2 Service Select the service from the Service scrolling list box If the service is not listed it is necessary to first define it See Secti...

Page 164: ...ou will need to create custom rules to allow it 11 4 2 Alerts Alerts are reports on events such as attacks that you may want to know about right away You can choose to generate an alert when a rule is...

Page 165: ...s the direction of travel of packets LAN to LAN Router LAN to WAN WAN to WAN Router WAN to LAN Firewall rules are grouped based on the direction of travel of packets to which they apply For example LA...

Page 166: ...figure summarized below take priority over the general firewall action settings in the General screen This is your firewall rule number The ordering of your rules is important as rules are applied in...

Page 167: ...can edit the rule Click the Remove icon to delete an existing firewall rule A window displays asking you to confirm that you want to delete the firewall rule Note that subsequent firewall rules move u...

Page 168: ...Chapter 11 Firewall Configuration P 660HWP D1 User s Guide 168 Figure 93 Firewall Edit Rule...

Page 169: ...he Source or Destination Address box You can add multiple addresses ranges of addresses and or subnets Edit To edit an existing source or destination address select it from the box and click Edit Dele...

Page 170: ...omized Service Click a rule number in the Firewall Customized Services screen to create a new custom port or edit an existing one This action displays the following screen Apply Click Apply to save yo...

Page 171: ...ices LABEL DESCRIPTION Service Name Type a unique name for your custom port Service Type Choose the IP port TCP UDP or TCP UDP that defines your customized port from the drop down list box Port Config...

Page 172: ...becomes rule 8 4 Click Add to display the firewall rule configuration screen 5 In the Edit Rule screen click the Edit Customized Services link to open the Customized Service screen 6 Click an index n...

Page 173: ...ample Edit Rule Destination Address 9 Use the Add and Remove buttons between Available Services and Selected Services list boxes to configure it as follows Click Apply when you are done Custom service...

Page 174: ...wall Example Edit Rule Select Customized Services On completing the configuration procedure for this Internet firewall rule the Rules screen should look like the following Rule 1 allows a MyService co...

Page 175: ...m service ports may also be configured using the Edit Customized Services function discussed previously Table 64 Predefined Services SERVICE DESCRIPTION AIM NEW_ICQ TCP 5190 AOL s Internet Messenger s...

Page 176: ...from a POP3 server through a temporary connection TCP IP or other PPTP TCP 1723 Point to Point Tunneling Protocol enables secure transfer of data over public networks This is the control channel PPTP_...

Page 177: ...n user Refer to Section 10 1 on page 149 for more information Click Security Firewall Anti Probing to display the screen as shown Figure 101 Firewall Anti Probing SSH TCP UDP 22 Secure Shell Remote Lo...

Page 178: ...wall rules Table 65 Firewall Anti Probing LABEL DESCRIPTION Respond to PING on The P 660HWP D1 does not respond to any incoming Ping requests when Disable is selected Select LAN to reply to incoming L...

Page 179: ...The P 660HWP D1 continues to delete half open sessions as necessary until the rate of new connection attempts drops below another threshold one minute low The rate is the number of new attempts detec...

Page 180: ...eleting half open sessions When the rate of new connection attempts rises above this number the P 660HWP D1 deletes half open sessions as required to accommodate new connection attempts 100 half open...

Page 181: ...sessions with the same destination host IP address that causes the firewall to start dropping half open sessions to that same destination host IP address Enter a number between 1 and 256 As a general...

Page 182: ...Chapter 11 Firewall Configuration P 660HWP D1 User s Guide 182...

Page 183: ...D1 performs content filtering You can also specify trusted IP addresses on the LAN for which the P 660HWP D1 will not perform content filtering 12 2 Configuring Keyword Blocking Use this screen to blo...

Page 184: ...ist of all the keywords that you have configured the P 660HWP D1 to block Delete Highlight a keyword in the box and click Delete to remove it Clear All Click Clear All to remove all of the keywords fr...

Page 185: ...o Block Select this option to filter websites according to the day s and time s configured Active Select the check box to have the content filtering active on the selected day Start TIme Enter the sta...

Page 186: ...Chapter 12 Content Filtering P 660HWP D1 User s Guide 186...

Page 187: ...secure Public key encryption for authentication works as follows 1 Tim wants to send a private message to Jenny Tim generates a public private key pair What is encrypted with one key can only be decr...

Page 188: ...13 2 Self signed Certificates You can have the P 660HWP D1 act as a certification authority and sign its own certificates 13 3 Verifying a Certificate Before you import a trusted CA or trusted remote...

Page 189: ...certificates on the P 660HWP D1 Figure 108 Certificate Configuration Overview Use the My Certificate screens to generate and export self signed certificates or certification requests and import the P...

Page 190: ...e The factory default certificate is common to all P 660HWP D1s that use certificates ZyXEL recommends that you use this button to replace the factory default certificate with one that uses your P 660...

Page 191: ...ith an in depth list of information about the certificate or certification request Click the export icon to save the certificate to a computer For a certification request click the export icon and the...

Page 192: ...you must select this check box in another self signed certificate s details screen This automatically clears the check box in the details screen of the certificate that was previously set to sign the...

Page 193: ...certificate is about to expire or has already expired Key Algorithm This field displays the type of algorithm that was used to generate the certificate s key pair the P 660HWP D1 uses RSA encryption...

Page 194: ...ficates My Certificates Create Back Click Back to go the previous screen Export Click Export to export a file containing your certificate details Apply Click Apply to save your changes back to the P 6...

Page 195: ...rtificate owner is located You may use any character including spaces but the P 660HWP D1 drops trailing spaces Key Length Select a number from the drop down list box to determine how many bits the ke...

Page 196: ...TCP based enrollment protocol that was developed by VeriSign and Cisco Certificate Management Protocol CMP is a TCP based enrollment protocol that was developed by the Public Key Infrastructure X 509...

Page 197: ...X 509 certificate into a printable form Binary PKCS 7 This is a standard that defines the general syntax for data including digital signatures that may be encrypted The P 660HWP D1 currently allows t...

Page 198: ...t This field displays identifying information about the certificate s owner such as CN Common Name OU Organizational Unit or department O Organization or company and C Country It is recommended that e...

Page 199: ...icon to open a screen with an in depth list of information about the certificate Use the export icon to save the certificate to a computer Click the icon and then Save in the File Download screen The...

Page 200: ...gned means that a Certification Authority signed the certificate Self signed means that the certificate s owner signed the certificate not a certification authority X 509 means that this certificate w...

Page 201: ...o displays the domain names or IP addresses of the servers MD5 Fingerprint This is the certificate s message digest that the P 660HWP D1 calculated using the MD5 algorithm You can use this value to ve...

Page 202: ...te that is signed by one of the certification authorities on the Trusted CAs screen since the P 660HWP D1 automatically accepts any valid certificate signed by a trusted certification authority as bei...

Page 203: ...rtificates This field displays the certificate index number The certificates are listed in alphabetical order Name This field displays the name used to identify this certificate Subject This field dis...

Page 204: ...ts screen Click the details icon to open the Trusted Remote Host Details screen You can use this screen to view in depth information about the trusted remote host s certificate and or change the certi...

Page 205: ...issuing certification authority For a trusted host the list consists of the end entity s own certificate and the default self signed certificate that the P 660HWP D1 uses to sign remote host certific...

Page 206: ...uthority s certificate and Path Length Constraint 1 means that there can only be one certification authority in the certificate s path MD5 Fingerprint This is the certificate s message digest that the...

Page 207: ...n about a directory server that the P 660HWP D1 can access Table 81 Security Certificates Directory Servers LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the P 660HWP...

Page 208: ...dotted decimal notation or the domain name of the directory server Server Port This field displays the default server port number of the protocol that you select in the Access Protocol field You may...

Page 209: ...209 PART V Advanced Static Route 211 Bandwidth Management 215 Dynamic DNS Setup 227 Remote Management Configuration 231 Universal Plug and Play UPnP 243...

Page 210: ...210...

Page 211: ...ance the P 660HWP D1 knows about network N2 in the following figure through remote node Router 1 However the P 660HWP D1 is unable to route a packet to network N3 because it doesn t know that there is...

Page 212: ...check box Name This is the name that describes or identifies this route Destination This parameter specifies the IP network address of the final destination Routing is always based on network number G...

Page 213: ...on Routing is always based on network number If you need to specify a route to a single host use a subnet mask of 255 255 255 255 in the subnet mask field to force the network number to be identical t...

Page 214: ...Chapter 14 Static Route P 660HWP D1 User s Guide 214...

Page 215: ...raffic that comes into an interface Bandwidth management applies to all traffic flowing out of the router regardless of the traffic s source Traffic redirect or IP alias may cause LAN to LAN traffic t...

Page 216: ...he P 660HWP D1 has two types of scheduler fairness based and priority based 15 5 1 Priority based Scheduler With the priority based scheduler the P 660HWP D1 forwards traffic from bandwidth classes ac...

Page 217: ...eted or unused by the classes depending on how many bandwidth classes require more bandwidth and on their priority levels When only one class requires more bandwidth the P 660HWP D1 gives extra bandwi...

Page 218: ...he amount of bandwidth that each class gets Suppose that all of the classes except for the administration class need more bandwidth Each class gets up to its budgeted bandwidth The administration clas...

Page 219: ...available bandwidth This could stop lower priority traffic from being sent The following is an example Table 88 Fairness based Allotment of Unused and Unbudgeted Bandwidth Example BANDWIDTH CLASSES AN...

Page 220: ...l interfaces Select an interface s check box to enable bandwidth management on that interface Bandwidth management applies to all traffic flowing out of the router through the interface regardless of...

Page 221: ...ndwidth among the bandwidth classes that require bandwidth Do not select this if you want to reserve bandwidth for traffic that does not match a bandwidth class or you want to limit the speed of this...

Page 222: ...Serv Differentiated Service Field The DSCP value determines the forwarding behavior the PHB Per Hop Behavior that each packet gets across the DiffServ network Based on the marking rule different kinds...

Page 223: ...Configuration Click the Edit icon or select User Defined from the Service drop down list in the Rule Setup screen to configure a bandwidth management rule Use bandwidth rules to allocate specific amou...

Page 224: ...the lowest priority mark will be dropped when the line is busy Filter Configuration Service This field simplifies bandwidth class configuration by allowing you to select a predefined application When...

Page 225: ...ct the protocol TCP or UDP or select User defined and enter the protocol service type number 0 means any protocol number TOS Type of Service TOS defines the DS Differentiated Service field in the IP h...

Page 226: ...width rules The gray section of the bar represents the percentage of unused bandwidth and the blue color represents the percentage of bandwidth in use The screen refreshes every few seconds Figure 128...

Page 227: ...ow your IP address First of all you need to have registered a dynamic DNS account with www dyndns org This is for people with a dynamic IP from their ISP or DHCP server that would still like to have a...

Page 228: ...Type the domain name assigned to your P 660HWP D1 by your Dynamic DNS provider You can specify up to two host names in the field separated by a comma User Name Type your user name Password Type the pa...

Page 229: ...P address of the NAT router that has a public IP address Note The DDNS server may not be able to detect the proper IP address if there is an HTTP proxy server between the P 660HWP D1 and the DDNS serv...

Page 230: ...Chapter 16 Dynamic DNS Setup P 660HWP D1 User s Guide 230...

Page 231: ...s You may manage your P 660HWP D1 from a remote location via Internet WAN only ALL LAN and WAN LAN only Neither Disable When you choose WAN only or LAN WAN you still need to configure a firewall rule...

Page 232: ...nagement session running at one time There is a firewall rule that blocks it 17 1 2 Remote Management and NAT When NAT is enabled Use the P 660HWP D1 s WAN IP address when configuring from the WAN Use...

Page 233: ...ficate that the P 660HWP D1 will use to identify itself The P 660HWP D1 is the SSL server and must always authenticate itself to the SSL client the computer which requests the HTTPS connection with th...

Page 234: ...pears as shown Table 99 Remote Management Telnet LABEL DESCRIPTION Port You may change the server port number for a service if needed however you must use the same port number in order to use that ser...

Page 235: ...ly available if TCP IP is configured Table 100 Remote Management FTP LABEL DESCRIPTION Port You may change the server port number for a service if needed however you must use the same port number in o...

Page 236: ...formation Base MIB is a collection of managed objects SNMP allows a manager and agents to communicate for the purpose of accessing these objects SNMP itself is a simple request response protocol based...

Page 237: ...DESCRIPTION 0 coldStart defined in RFC 1215 A trap is sent after booting power on 1 warmStart defined in RFC 1215 A trap is sent after booting software reboot 6 whyReboot defined in ZYXEL MIB A trap...

Page 238: ...using this service Secured Client IP A secured client is a trusted computer that is allowed to communicate with the P 660HWP D1 using this service Select All to allow any computer to access the P 660...

Page 239: ...ponse packet from being sent This keeps outsiders from discovering your P 660HWP D1 when unsupported ports are probed Table 103 Remote Management DNS LABEL DESCRIPTION Port The DNS service port number...

Page 240: ...cation user Respond to Ping on The P 660HWP D1 will not respond to any incoming Ping requests when Disable is selected Select LAN to reply to incoming LAN Ping requests Select WAN to reply to incoming...

Page 241: ...ON wan tr069 All TR 069 related commands must be preceded by wan tr069 load Start configuring TR 069 on your P 660HWP D1 active 0 no 1 yes Enable disable TR 069 operation acsUrl URL Set the IP address...

Page 242: ...Chapter 17 Remote Management Configuration P 660HWP D1 User s Guide 242...

Page 243: ...work will appear as a separate icon Selecting the icon of a UPnP device will allow you to access the information and properties of that device 18 1 2 NAT Traversal UPnP NAT traversal automates the pro...

Page 244: ...PnP to display the screen shown next See Section 18 1 on page 243 for more information Figure 139 Configuring UPnP The following table describes the fields in this screen Table 106 Configuring UPnP LA...

Page 245: ...Components selection box Click Details Figure 140 Add Remove Programs Windows Setup Communication 3 In the Communications window select the Universal Plug and Play check box in the Components selectio...

Page 246: ...mpted 18 3 2 Installing UPnP in Windows XP Follow the steps below to install the UPnP in Windows XP 1 Click start and Control Panel 2 Double click Network Connections 3 In the Network Connections wind...

Page 247: ...elect the Universal Plug and Play check box Figure 144 Networking Services 6 Click OK to go back to the Windows Optional Networking Component Wizard window and click Next 18 4 Using UPnP in Windows XP...

Page 248: ...P 660HWP D1 18 4 1 Auto discover Your UPnP enabled Network Device 1 Click start and Control Panel Double click Network Connections An icon displays under Internet Gateway 2 Right click the icon and s...

Page 249: ...d Play UPnP P 660HWP D1 User s Guide 249 Figure 146 Internet Connection Properties 4 You may edit or delete the port mappings or click Add to manually add port mappings Figure 147 Internet Connection...

Page 250: ...d When the UPnP enabled device is disconnected from your computer all port mappings will be deleted automatically 5 Select Show icon in notification area when connected option and click OK An icon dis...

Page 251: ...n access the web based configurator on the P 660HWP D1 without finding out the IP address of the P 660HWP D1 first This comes helpful if you do not know the IP address of the P 660HWP D1 Follow the st...

Page 252: ...D1 User s Guide 252 Figure 151 Network Connections 4 An icon with the description for each UPnP enabled device displays under Local Network 5 Right click on the icon for your P 660HWP D1 and select I...

Page 253: ...253 Figure 152 Network Connections My Network Places 6 Right click on the icon for your P 660HWP D1 and select Properties A properties window displays with basic information about the P 660HWP D1 Fig...

Page 254: ...Chapter 18 Universal Plug and Play UPnP P 660HWP D1 User s Guide 254...

Page 255: ...255 PART VI Maintenance and Troubleshooting System 257 Logs 263 Tools 281 Diagnostic 287 Troubleshooting 289...

Page 256: ...256...

Page 257: ...ndows 2000 click Start Settings Control Panel and then double click System Click the Network Identification tab and then the Properties button Note the entry for the Computer name field and enter it a...

Page 258: ...ype how many minutes a management session can be left idle before the session times out The default is 5 minutes After it times out you have to log in with your password again Very long idle timeouts...

Page 259: ...the existing password you use to access the system for configuring advanced features New Password Type your new system password up to 30 characters Note that as you type a password the screen display...

Page 260: ...d Date Setup to Manual enter the new date in this field and then click Apply Get from Time Server Select this radio button to have the P 660HWP D1 get the time and date from the time server you specif...

Page 261: ...e zone is one hour ahead of GMT or UTC GMT 1 End Date Configure the day and time when Daylight Saving Time ends if you selected Enable Daylight Saving The o clock field uses the 24 hour format Here ar...

Page 262: ...Chapter 19 System P 660HWP D1 User s Guide 262...

Page 263: ...arrants more serious attention They include system errors attacks access control and attempted access to blocked web sites Some categories such as System Errors consist of both logs and alerts You may...

Page 264: ...SCRIPTION Display The categories that you select in the Log Settings screen display in the drop down list box Select a category of logs to view select All Logs to view logs from all of the log categor...

Page 265: ...subject line of the log e mail message that the P 660HWP D1 sends Not all ZyXEL models have this field Send Log To The P 660HWP D1 sends logs to the e mail address specified in this field If this fiel...

Page 266: ...is Full an alert is sent when the log fills up If you select None no log messages are sent Day for Sending Log Use the drop down list box to select which day of the week to send the logs Time for Sen...

Page 267: ...rc port 00520 dest port 00520 1 02 End of Firewall Log Table 111 System Maintenance Logs LOG MESSAGE DESCRIPTION Time calibration is successful The router has adjusted its time based on information fr...

Page 268: ...using HTTPS protocol HTTPS login failed Someone has failed to log on to the router s web configurator interface using HTTPS protocol Table 112 System Error Logs LOG MESSAGE DESCRIPTION s exceeds the m...

Page 269: ...session time out sent TCP RST The router sent a TCP reset packet when a dynamic firewall session timed out The default timeout values are as follows ICMP idle timeout 3 minutes UDP idle timeout 3 min...

Page 270: ...hannel d call d s C01 Outgoing Call dev x ch x s The router received the setup requirements for a call call is the reference count number of the call dev is the device type 3 is for dial up 6 is for P...

Page 271: ...esponded that the web site is in the blocked category list and returned the category type s cache hit The system detected that the web site is in the blocked list from the local cache but does not kno...

Page 272: ...rewall detected an UDP teardrop attack teardrop ICMP type d code d The firewall detected an ICMP teardrop attack For type and code details see Table 127 on page 278 illegal command TCP The firewall de...

Page 273: ...A process done The phase 1 IKE SA process has been completed Duplicate requests with the same cookie The router received multiple requests from the same peer while still processing the first IKE packe...

Page 274: ...ID contents do not match Configured Peer ID Content Configured Peer ID Content The phase 1 ID contents do not match and the configured Peer ID Content is displayed Incoming ID Content Incoming Peer ID...

Page 275: ...1 hash mismatch The listed rule s IKE phase 1 hash did not match between the router and the peer Rule d Phase 1 preshared key mismatch The listed rule s IKE phase 1 pre shared key did not match betwe...

Page 276: ...ame as recorded from the LDAP server whose IP address and port are recorded in the Source field Rcvd ARL size issuer name The router received an ARL Authority Revocation List with size and issuer name...

Page 277: ...pecific information missing 14 Not used 15 CRL is too old 16 CRL is not valid 17 CRL signature was not verified correctly 18 CRL was not found anywhere 19 CRL was not added to the cache 20 CRL decodin...

Page 278: ...ed to queue the datagrams for output to the next network on the route to the destination network 5 Redirect 0 Redirect datagrams for the Network 1 Redirect datagrams for the Host 2 Redirect datagrams...

Page 279: ...ured one when the router generates a syslog The facility is defined in the web MAIN MENU LOGS Log Settings page The severity is the log s syslog class The definition of messages and notes are defined...

Page 280: ...Chapter 20 Logs P 660HWP D1 User s Guide 280...

Page 281: ...er a successful upload the system will reboot Only use firmware for your device s specific model Refer to the label on the bottom of your device Click Maintenance Tools to open the Firmware screen Fol...

Page 282: ...ems you may see the following icon on your desktop Figure 161 Network Temporarily Disconnected After two minutes log in again and check your new firmware version in the Status screen If the upload was...

Page 283: ...Tools Configuration Backup configuration allows you to back up save the P 660HWP D1 s current configuration to a file on your computer Once your P 660HWP D1 is configured and functioning properly it i...

Page 284: ...work disconnect In some operating systems you may see the following icon on your desktop Upload Restore your router to a previous configuration by uploading a previously saved configuration file from...

Page 285: ...166 Configuration Restore Error 21 2 3 Back to Factory Defaults Pressing the RESET button in this section clears all user entered configuration information and returns the P 660HWP D1 to its factory...

Page 286: ...Chapter 21 Tools P 660HWP D1 User s Guide 286...

Page 287: ...nostic Click Maintenance Diagnostic to open the screen shown next Figure 168 Diagnostic General The following table describes the fields in this screen Table 133 Diagnostic General LABEL DESCRIPTION T...

Page 288: ...VCIs before you begin this test The P 660HWP D1 sends an OAM F5 packet to the DSLAM ATM switch and then returns it loops it back to the P 660HWP D1 The ATM loopback test is useful for troubleshooting...

Page 289: ...re using the power adaptor or cord included with the P 660HWP D1 3 Make sure the power adaptor or cord is connected to the P 660HWP D1 and plugged in to an appropriate power source Make sure the power...

Page 290: ...e or access the Login screen in the web configurator 1 Make sure you are using the correct IP address The default IP address is 192 168 1 1 If you changed the IP address Section 6 2 1 on page 93 use t...

Page 291: ...entered the user name and password correctly The default password is 1234 This field is case sensitive so make sure Caps Lock is not on 2 You cannot log in to the web configurator while someone is us...

Page 292: ...Address Translation NAT make sure that Enable SIP ALG is activated in the NAT General screen See Section 9 3 on page 138 4 Ensure STUN is turned off on your VoIP device 5 If you are using a new VoIP a...

Page 293: ...1 and see if the Link LED lights up This checks whether the P 660HWP D1 can detect the powerline adapters on your electrical circuit V I cannot access my powerline network 1 Make sure that the devices...

Page 294: ...Chapter 23 Troubleshooting P 660HWP D1 User s Guide 294 4 Avoid wiring that is old low quality or with a long wiring path as this may affect the quality of your powerline signal...

Page 295: ...ns and Wall Mounting 297 Wireless LANs 303 Setting up Your Computer s IP Address 317 IP Subnetting 333 Command Interpreter 341 Firewall Commands 345 Pop up Windows JavaScripts and Java Permissions 351...

Page 296: ...296...

Page 297: ...ature 0 C 40 C Storage Temperature 20 60 C Operation Humidity 20 85 RH Storage Humidity 10 90 RH Distance between the centers of the holes for wall mounting on the device s back 215 5 mm Screw size fo...

Page 298: ...omePlug 1 0 devices but do not detect each other The range of a HomePlug AV network is 300 meters 984 feet HomePlug AV is compatible with all OSs IP Multicast IP multicast is used to send traffic to a...

Page 299: ...s is done without changing the network settings such as IP address and subnet mask of the computer Traffic Redirect Traffic redirect forwards WAN traffic to a backup gateway when the P 660HWP D1 canno...

Page 300: ...l version 2 RFC 1483 Multiprotocol Encapsulation over ATM Adaptation Layer 5 RFC 1631 IP Network Address Translator NAT RFC 1661 The Point to Point Protocol PPP RFC 1723 RIP 2 Routing Information Prot...

Page 301: ...ack of the P 660HWP D1 with the screws on the wall Hang the P 660HWP D1 on the screws IEEE 802 1x Port Based Network Access Control ANSI T1 413 Issue 2 Asymmetric Digital Subscriber Line ADSL standard...

Page 302: ...l Mounting P 660HWP D1 User s Guide 302 Figure 170 Wall mounting Example The following are dimensions of an M4 tap screw and masonry plug used for wall mounting All measurements are in millimeters mm...

Page 303: ...endent Basic Service Set IBSS The following diagram shows an example of notebook computers using wireless adapters to form an ad hoc wireless LAN Figure 172 Peer to Peer Communication in an Ad hoc Net...

Page 304: ...red connection between APs is called a Distribution System DS This type of wireless LAN topology is called an Infrastructure WLAN The Access Points not only provide communication with the wired networ...

Page 305: ...overlap however To avoid interference due to overlap your AP should be on a channel at least five channels away from a channel that an adjacent AP is using For example if your region has 11 channels a...

Page 306: ...equested transmission Stations can send frames smaller than the specified RTS CTS directly to the AP without the RTS Request To Send CTS Clear to Send handshake You should only configure RTS CTS if th...

Page 307: ...t and to provide more efficient communications Select Dynamic to have the AP automatically use short preamble when wireless adapters support it otherwise the AP uses long preamble The AP and the wirel...

Page 308: ...ntages of IEEE 802 1x are User based identification that allows for roaming Support for RADIUS Remote Authentication Dial In User Service RFC 2138 2139 for centralized user profile and accounting mana...

Page 309: ...nt and the RADIUS server for user accounting Accounting Request Sent by the access point requesting accounting Accounting Response Sent by the RADIUS server to indicate that it has started or stopped...

Page 310: ...wireless clients for mutual authentication The server presents a certificate to the client After validating the identity of the server the client sends a different certificate to the server The exchan...

Page 311: ...stronger encryption authentication and key management than WPA Key differences between WPA or WPA2 and WEP are improved data encryption and user authentication If both an AP and the wireless clients s...

Page 312: ...with and the packet is dropped By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism MIC with TKIP and AES it is more difficult to decrypt dat...

Page 313: ...hentication request to the RADIUS server 2 The RADIUS server then checks the user s identification against its database and grants or denies network access accordingly 3 The RADIUS server distributes...

Page 314: ...RF signals onto air A transmitter within a wireless device sends an RF signal to the antenna which propagates the signal through the air The antenna also operates in reverse by capturing RF signals fr...

Page 315: ...isotropic antenna An isotropic antenna is a theoretical perfect antenna that sends out radio signals equally well in all directions dBi represents the true gain that the antenna provides Types of Ant...

Page 316: ...o on point the antenna up For omni directional antennas mounted on a wall or ceiling point the antenna down For a single AP application place omni directional antennas as close to the center of the co...

Page 317: ...a third party TCP IP application package TCP IP should already be installed on computers using Windows NT 2000 XP Macintosh OS 7 and later operating systems After the appropriate TCP IP components are...

Page 318: ...en click Add 3 Select the manufacturer and model of your network adapter and then click OK If you need TCP IP 1 In the Network window click Add 2 Select Protocol and then click Add 3 Select Microsoft...

Page 319: ...elect Obtain an IP address automatically If you have a static IP address select Specify an IP address and type your information into the IP Address and Subnet Mask fields Figure 179 Windows 95 98 Me T...

Page 320: ...the TCP IP Properties window 6 Click OK to close the Network window Insert the Windows CD if prompted 7 Turn on your P 660HWP D1 and restart your computer when prompted Verifying Settings 1 Click Sta...

Page 321: ...D1 User s Guide 321 Figure 181 Windows XP Start Menu 2 In the Control Panel double click Network Connections Network and Dial up Connections in Windows 2000 NT Figure 182 Windows XP Control Panel 3 Ri...

Page 322: ...b in Win XP and then click Properties Figure 184 Windows XP Local Area Connection Properties 5 The Internet Protocol TCP IP Properties window opens the General tab in Windows XP If you have a dynamic...

Page 323: ...dd In TCP IP Address type an IP address in IP address and a subnet mask in Subnet mask and then click Add Repeat the above two steps for each IP address you want to add Configure additional default ga...

Page 324: ...he General tab in Windows XP Click Obtain DNS server address automatically if you do not know your DNS server IP address es If you know your DNS server IP address es click Use the following DNS server...

Page 325: ...k Connections window Network and Dial up Connections in Windows 2000 NT 11 Turn on your P 660HWP D1 and restart your computer if prompted Verifying Settings 1 Click Start All Programs Accessories and...

Page 326: ...acintosh OS 8 9 Apple Menu 2 Select Ethernet built in from the Connect via list Figure 189 Macintosh OS 8 9 TCP IP 3 For dynamically assigned settings select Using DHCP Server from the Configure list...

Page 327: ...nfiguration 7 Turn on your P 660HWP D1 and restart your computer if prompted Verifying Settings Check your TCP IP properties in the TCP IP Control Panel window Macintosh OS X 1 Click the Apple menu an...

Page 328: ...k in the Subnet mask box Type the IP address of your P 660HWP D1 in the Router address box 5 Click Apply Now and close the window 6 Turn on your P 660HWP D1 and restart your computer if prompted Verif...

Page 329: ...ow to configure your computer IP address using the KDE 1 Click the Red Hat button located on the bottom left corner select System Setting and click Network Figure 192 Red Hat 9 0 KDE Network Configura...

Page 330: ...0 KDE Network Configuration DNS 5 Click the Devices tab 6 Click the Activate button to apply the changes The following screen displays Click Yes to save the changes in all screens Figure 195 Red Hat 9...

Page 331: ...the etc directory The following figure shows an example where two DNS server IP addresses are specified Figure 198 Red Hat 9 0 DNS Settings in resolv conf 3 After you edit and save the configuration f...

Page 332: ...root localhost ifconfig eth0 Link encap Ethernet HWaddr 00 50 BA 72 5B 44 inet addr 172 23 19 129 Bcast 172 23 19 255 Mask 255 255 255 0 UP BROADCAST RUNNING MULTICAST MTU 1500 Metric 1 RX packets 717...

Page 333: ...he first two octets make up the network number and the two remaining octets make up the host ID In a class C address the first three octets make up the network number and the last octet is the host ID...

Page 334: ...ation A subnet mask has 32 bits If a bit in the subnet mask is a 1 then the corresponding bit in the IP address is part of the network number If a bit in the subnet mask is 0 then the corresponding bi...

Page 335: ...derstood that the natural mask is being used Example Two Subnets As an example you have a class C address 192 168 1 0 with subnet mask of 255 255 255 0 The first three octets of the address make up th...

Page 336: ...e first subnet Therefore the lowest IP address that can be assigned to an actual host for the first subnet is 192 168 1 1 and the highest is 192 168 1 126 Similarly the host ID range for the second su...

Page 337: ...dcast Address 192 168 1 63 Highest Host ID 192 168 1 62 Table 151 Subnet 2 IP SUBNET MASK NETWORK NUMBER LAST OCTET BIT VALUE IP Address 192 168 1 64 IP Address Binary 11000000 10101000 00000001 01000...

Page 338: ...tets see Table 143 on page 333 available for subnetting The following table is a summary for class B subnet planning Table 154 Eight Subnets SUBNET SUBNET ADDRESS FIRST ADDRESS LAST ADDRESS BROADCAST...

Page 339: ...128 510 8 255 255 255 0 24 256 254 9 255 255 255 128 25 512 126 10 255 255 255 192 26 1024 62 11 255 255 255 224 27 2048 30 12 255 255 255 240 28 4096 14 13 255 255 255 248 29 8192 6 14 255 255 255 2...

Page 340: ...Appendix D IP Subnetting P 660HWP D1 User s Guide 340...

Page 341: ...e same subnet In Windows click Start usually in the bottom left corner Run and then type telnet 192 168 1 1 the default P 660HWP D1 IP address and click OK 3 A login screen displays Enter the default...

Page 342: ...g Parameters Example 4 Use sys logs category followed by a log category and a parameter to decide what to record Use 0 to not record logs for that category 1 to record only logs for that category 2 to...

Page 343: ...s display access time source destination notes message 0 06 08 2004 05 58 21 172 21 4 154 224 0 1 24 ACCESS BLOCK Firewall default policy IGMP W to W 1 06 08 2004 05 58 20 172 21 3 56 239 255 255 250...

Page 344: ...Appendix E Command Interpreter P 660HWP D1 User s Guide 344...

Page 345: ...of all the firewall settings including e mail attack and the sets rules config display firewall set set This command shows the current configuration of a set including timeout values name default per...

Page 346: ...e mail hour 0 23 This command sets the hour when the firewall log is sent through e mail if the P 660HWP D1 is set to send it on an hourly daily or weekly basis config edit firewall e mail minute 0 59...

Page 347: ...h the same destination where the P 660HWP D1 starts dropping half open sessions to that destination Sets config edit firewall set set name desired name This command sets a name to identify a specified...

Page 348: ...CMP Config edit firewall set set rule rule log none match not match both This command sets the P 660HWP D1 to log traffic that matches the rule doesn t match both or neither Config edit firewall set s...

Page 349: ...nd to enter various non consecutive port numbers config edit firewall set set rule rule TCP destport range start port end port This command sets a rule to have the P 660HWP D1 check for TCP traffic wi...

Page 350: ...Commands P 660HWP D1 User s Guide 350 config delete firewall set set rule rule This command removes the specified rule in a firewall configuration set Table 157 Firewall Commands continued FUNCTION C...

Page 351: ...rnet Explorer Pop up Blockers You may have to disable pop up blocking to log into your device Either disable pop up blocking enabled by default in Windows XP SP Service Pack 2 or allow pop up blocking...

Page 352: ...web pop up blockers you may have enabled Figure 204 Internet Options Privacy 3 Click Apply to save this setting Enable pop up Blockers with Exceptions Alternatively if you only want to allow pop up wi...

Page 353: ...de 353 Figure 205 Internet Options Privacy 3 Type the IP address of your device the web page that you do not want to have blocked with the prefix http For example http 192 168 167 1 4 Click Add to mov...

Page 354: ...lay properly in Internet Explorer check that JavaScripts are allowed 1 In Internet Explorer click Tools Internet Options and then the Security tab Figure 207 Internet Options Security 2 Click the Cust...

Page 355: ...tings Java Scripting Java Permissions 1 From Internet Explorer click Tools Internet Options and then the Security tab 2 Click the Custom Level button 3 Scroll down to Microsoft VM 4 Under Java permiss...

Page 356: ...Permissions P 660HWP D1 User s Guide 356 JAVA Sun 1 From Internet Explorer click Tools Internet Options and then the Advanced tab 2 Make sure that Use Java 2 for applet under Java Sun is selected 3 Cl...

Page 357: ...ce Trademarks ZyNOS ZyXEL Network Operating System is a registered trademark of ZyXEL Communications Inc Other trademarks mentioned in this publication are used for identification purposes only and ma...

Page 358: ...nna or transmitter IEEE 802 11b or 802 11g operation of this product in the U S A is firmware limited to channels 1 through 11 To comply with FCC RF exposure compliance requirements a separation dista...

Page 359: ...lacement as provided under this warranty is the exclusive remedy of the purchaser This warranty is in lieu of all other warranties express or implied including any implied warranty of merchantability...

Page 360: ...Appendix H Legal Information P 660HWP D1 User s Guide 360...

Page 361: ...mail support zyxel com tw Sales E mail sales zyxel com tw Telephone 886 3 578 3942 Fax 886 3 578 2439 Web www zyxel com www europe zyxel com FTP ftp zyxel com ftp europe zyxel com Regular Mail ZyXEL...

Page 362: ...448 Web www zyxel fi Regular Mail ZyXEL Communications Oy Malminkaari 10 00700 Helsinki Finland France E mail info zyxel fr Telephone 33 4 72 52 97 97 Fax 33 4 72 52 19 20 Web www zyxel fr Regular Mai...

Page 363: ...agawa ku Tokyo 141 0022 Japan Kazakhstan Support http zyxel kz support Sales E mail sales zyxel kz Telephone 7 3272 590 698 Fax 7 3272 590 689 Web www zyxel kz Regular Mail ZyXEL Kazakhstan 43 Dostyk...

Page 364: ...krzei 1A 03 715 Warszawa Poland Russia Support http zyxel ru support Sales E mail sales zyxel ru Telephone 7 095 542 89 29 Fax 7 095 542 89 25 Web www zyxel ru Regular Mail ZyXEL Russia Ostrovityanova...

Page 365: ...il ZyXEL Thailand Co Ltd 1 1 Moo 2 Ratchaphruk Road Bangrak Noi Muang Nonthaburi 11000 Thailand Ukraine Support E mail support ua zyxel com Sales E mail sales ua zyxel com Telephone 380 44 247 69 78 F...

Page 366: ...Appendix I Customer Support P 660HWP D1 User s Guide 366...

Page 367: ...st 288 attack alert 180 attack types 154 attacks 263 auxiliary gateway 299 B backup gateway 299 backup settings 283 backup type 89 bandwidth 69 budget 222 bandwidth management 69 215 bandwidth manager...

Page 368: ...r see DSLAM dimensions 297 disclaimer 357 DNS 92 238 domain name 92 140 257 258 Domain Name System see DNS DoS 150 151 179 basics 151 types 152 downstream 33 34 DS Field 222 DS field 222 DSCPs 222 DSL...

Page 369: ...53 177 ICMP echo 153 IEEE 802 11g 307 IGMP 94 95 Independent Basic Service Set See IBSS 303 initialization vector IV 312 Integrated Services Digital Network see ISDN Internet access 34 57 wizard setup...

Page 370: ...rsal 243 navigating the web configurator 44 NetBIOS commands 154 Network Address Translation see NAT network disconnect icon 282 284 network management 140 NMK changing 128 NNTP 140 O one minute high...

Page 371: ...283 saving the state 154 scheduler 216 fairness based 217 priority based 216 SCR 77 81 86 screws 301 security general 158 ramifications 162 Server 138 server 137 138 260 service 163 service set 108 Se...

Page 372: ...cal user database 106 RADIUS server 106 weaknesses 106 user name 228 V Vantage CNM Access 299 Variable Bit Rate see VBR VBR 81 86 VC 74 VC based multiplexing 74 VCI 75 Virtual Channel Identifier see V...

Page 373: ...ple 313 WPA compatibility 107 WPA2 311 user authentication 312 vs WPA2 PSK 312 wireless client supplicant 313 with RADIUS application example 313 WPA2 Pre Shared Key 311 WPA2 PSK 311 312 application e...

Page 374: ...Index P 660HWP D1 User s Guide 374...

Reviews:

No comments

Related manuals for P-660HWP-D1

Pathport 6824 Manual preview
6824
Brand: Pathport Pages: 3
2N SmartGate Quick Start preview
SmartGate
Brand: 2N Pages: 2
KE2 SmartGate Installation And Setup preview
SmartGate
Brand: KE2 Pages: 16
2Wire HomePortal Installation And Support Manual preview
HomePortal
Brand: 2Wire Pages: 14
ICP DAS USA HRT-310 Quick Start Manual preview
HRT-310
Brand: ICP DAS USA Pages: 7
ICP DAS USA UA-5200 Series Quick Start preview
UA-5200 Series
Brand: ICP DAS USA Pages: 4
Advantech UNO-410 User Manual preview
UNO-410
Brand: Advantech Pages: 66
ProLinx 6201-WA-DFNT to DFNT Setup Manual preview
6201-WA-DFNT to DFNT
Brand: ProLinx Pages: 45
Quantum StorNext G300 R520 Hardware Manual preview
StorNext G300 R520
Brand: Quantum Pages: 52
SinoCon KonNad C2000-D2-DCTZ02 User Manual preview
KonNad C2000-D2-DCTZ02
Brand: SinoCon Pages: 11
SAE J2716 User Manual preview
J2716
Brand: SAE Pages: 17
ECKELMANN Combi Operating Instructions Manual preview
Combi
Brand: ECKELMANN Pages: 58
Schwaiger HOME4YOU HA102 User Manual preview
HOME4YOU HA102
Brand: Schwaiger Pages: 24
TASHI MT101 User Quick Reference Manual preview
MT101
Brand: TASHI Pages: 2
ZyXEL Communications VFG6005 User Manual preview
VFG6005
Brand: ZyXEL Communications Pages: 162
Daikin intelligent Touch Manager BACnet DCM014A51 Design Manual preview
intelligent Touch Manager BACnet DCM014A51
Brand: Daikin Pages: 148
3Com V6100 Installation Manual preview
V6100
Brand: 3Com Pages: 47
3Com OfficeConnect 3C855 User Manual preview
OfficeConnect 3C855
Brand: 3Com Pages: 80

Brands by name

Popular brands

Load more brands