Home
/
ZyXEL Communications
/
P-661H Series
/
User Manual

ZyXEL Communications P-661H Series, User Manual, Page: 160 / 383

Share

Page: 160 / 383

ZyXEL Communications P-661H Series User Manual Download Page 160

P-661H/HW Series User’s Guide

160

Chapter 9 Firewall Configuration

9.4.1 LAN to WAN Rules

The default rule for LAN to WAN traffic is that all users on the LAN are allowed non-
restricted access to the WAN. When you configure a LAN to WAN rule, you in essence want
to limit some or all users from accessing certain services on the WAN. WAN to LAN Rules

The default rule for WAN to LAN traffic blocks all incoming connections (WAN to LAN). If
you wish to allow certain WAN users to have access to your LAN, you will need to create
custom rules to allow it.

9.4.2 Alerts

Alerts are reports on events, such as attacks, that you may want to know about right away. You
can choose to generate an alert when a rule is matched in the

Edit Rule

screen (see

When an event generates an alert, a message can be immediately sent to an e-

mail account that you specify in the

Log Settings

screen. Refer to the chapter on logs for

details.

9.5 Triangle Route

When the firewall is on, your ZyXEL Device acts as a secure gateway between your LAN and
the Internet. In an ideal network topology, all incoming and outgoing network traffic passes
through the ZyXEL Device to protect your LAN against attacks.

Figure 83

Ideal Firewall Setup

9.5.1 The “Triangle Route” Problem

You may have more than one connection to the Internet (through one or more ISPs). If the
alternate gateway is on the LAN (and its IP address is in the same subnet as the ZyXEL
Device’s LAN IP address), the “triangle route” (also called asymmetrical route) problem may
occur. The steps below describe the “triangle route” problem.

1

A computer on the LAN initiates a connection by sending out a SYN packet to a
receiving server on the WAN.

2

The ZyXEL Device reroutes the SYN packet through Gateway

A

on the LAN to the

WAN.

3

The reply from the WAN goes directly to the computer on the LAN without going
through the ZyXEL Device.

«
...
158
159
160
161
162
...
»

Summary of Contents for P-661H Series

Page 1: ...P 661H HW Series 802 11g Wireless ADSL2 4 port Security Gateway User s Guide Version 3 40 Edition 1 5 2006...

Page 2: ......

Page 3: ...ZyXEL Communications Corporation All rights reserved Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products or software described herein Neither does it c...

Page 4: ...ions If this equipment does cause harmful interference to radio television reception which can be determined by turning the equipment off and on the user is encouraged to try to correct the interferen...

Page 5: ...P 661H HW Series User s Guide Certifications 5...

Page 6: ...hem or stumble over them Do NOT allow anything to rest on the power cord and do NOT locate the product where anyone can walk on the power cord If you wall mount your device make sure that no electrica...

Page 7: ...by an act of God or subjected to abnormal working conditions Note Repair or replacement as provided under this warranty is the exclusive remedy of the purchaser This warranty is in lieu of all other...

Page 8: ...mark sales zyxel dk 45 39 55 07 07 FINLAND support zyxel fi 358 9 4780 8411 www zyxel fi ZyXEL Communications Oy Malminkaari 10 00700 Helsinki Finland sales zyxel fi 358 9 4780 8448 FRANCE info zyxel...

Page 9: ...t zyxel se 46 31 744 7700 www zyxel se ZyXEL Communications A S Sj porten 4 41764 G teborg Sweden sales zyxel se 46 31 744 7701 UKRAINE support ua zyxel com 380 44 247 69 78 www ua zyxel com ZyXEL Ukr...

Page 10: ...P 661H HW Series User s Guide 10 Customer Support...

Page 11: ...reless Devices Only 38 1 3 Applications for the ZyXEL Device 39 1 3 1 Protected Internet Access 39 1 3 2 LAN to LAN Application 40 1 4 Front Panel LEDs 40 1 5 Hardware Connection 41 1 6 Splitters and...

Page 12: ...vices only 66 3 2 1 Manually assign a WPA PSK key 69 3 2 2 Manually assign a WEP key 69 3 3 Bandwidth Management Wizard 72 3 3 1 Screen 1 73 3 3 2 Screen 2 74 3 3 3 Screen 3 75 Chapter 4 WAN Setup 77...

Page 13: ...up 92 Chapter 5 LAN Setup 95 5 1 LAN Overview 95 5 1 1 LANs WANs and the ZyXEL Device 95 5 1 2 DHCP Setup 96 5 1 2 1 IP Pool Setup 96 5 1 3 DNS Server Address 96 5 1 4 DNS Server Address Assignment 97...

Page 14: ...126 6 7 2 WMM QoS Priorities 126 6 7 3 Services 127 6 8 QoS Screen 128 6 8 1 ToS Type of Service and WMM QoS 129 6 8 2 Application Priority Configuration 130 Chapter 7 Network Address Translation NAT...

Page 15: ...2 8 5 2 Stateful Inspection and the ZyXEL Device 152 8 5 3 TCP Security 153 8 5 4 UDP ICMP Security 153 8 5 5 Upper Layer Protocols 154 8 6 Guidelines for Enhancing Security with Your Firewall 154 8 6...

Page 16: ...cking Time 176 9 11 3 Configuring Firewall Thresholds 177 Chapter 10 Trend Micro Security Services 179 10 1 Trend Micro Security Services Overview 179 10 1 1 TMSS Web Page 179 10 2 Configuring TMSS on...

Page 17: ...ure Gateway Address 205 13 4 1 Dynamic Secure Gateway Address 205 13 5 VPN Setup Screen 205 13 6 Keep Alive 207 13 7 VPN NAT and NAT Traversal 207 13 8 Remote DNS Server 208 13 9 ID Type and Content 2...

Page 18: ...Bandwidth for Non Bandwidth Class Traffic 237 15 6 2 Maximize Bandwidth Usage Example 238 15 6 2 1 Priority based Allotment of Unused and Unbudgeted Bandwidth 238 15 6 2 2 Fairness based Allotment of...

Page 19: ...1 How do I know if I m using UPnP 263 18 1 2 NAT Traversal 263 18 1 3 Cautions with UPnP 264 18 2 UPnP and ZyXEL 264 18 2 1 Configuring UPnP 264 18 3 Installing UPnP in Windows Example 265 18 4 Using...

Page 20: ...endix A Product Specifications 297 Appendix B About ADSL 301 Introduction to DSL 301 ADSL Overview 301 Advantages of ADSL 301 Appendix C Wall mounting Instructions 303 Appendix D Setting up Your Compu...

Page 21: ...s of PPPoE 337 Traditional Dial up Scenario 337 How PPPoE Works 338 ZyXEL Device as a PPPoE Client 338 Appendix J Log Descriptions 339 Log Commands 353 Log Command Example 354 Appendix K Wireless LANs...

Page 22: ...P 661H HW Series User s Guide 22 Table of Contents Appendix L Pop up Windows JavaScripts and Java Permissions 369 Internet Explorer Pop up Blockers 369 Java Permissions 374 Index 377...

Page 23: ...ion 60 Figure 20 Internet Setup Wizard Manual Configuration 61 Figure 21 Internet Access Wizard Setup ISP Parameters 61 Figure 22 Internet Setup Wizard ISP Parameters Ethernet 62 Figure 23 Internet Se...

Page 24: ...e 57 Wireless WPA PSK WPA2 PSK 116 Figure 58 Wireless WPA WPA2 117 Figure 59 Wireless LAN Advanced 119 Figure 60 Wireless LAN OTIST 121 Figure 61 Example Wireless Client OTIST Screen 122 Figure 62 Sec...

Page 25: ...ashboard 180 Figure 101 TMSS Service Summary 180 Figure 102 TMSS 3 Steps 181 Figure 103 TMSS Registration Form 181 Figure 104 Example TMSS Activated Service Summary Screen 182 Figure 105 Example TMSS...

Page 26: ...54 Figure 144 Remote Management FTP 255 Figure 145 SNMP Management Model 256 Figure 146 Remote Management SNMP 258 Figure 147 Remote Management DNS 259 Figure 148 Remote Management ICMP 260 Figure 149...

Page 27: ...P IP Properties 311 Figure 189 Windows XP Advanced TCP IP Properties 312 Figure 190 Windows XP Internet Protocol TCP IP Properties 313 Figure 191 Macintosh OS X Apple Menu 314 Figure 192 Macintosh OS...

Page 28: ...on 367 Figure 212 Pop up Blocker 369 Figure 213 Internet Options 370 Figure 214 Internet Options 371 Figure 215 Pop up Blocker Settings 372 Figure 216 Internet Options 373 Figure 217 Security Settings...

Page 29: ...Wireless LAN Setup Wizard 1 67 Table 17 Wireless LAN Setup Wizard 2 68 Table 18 Manually assign a WPA key 69 Table 19 Manually assign a WEP key 70 Table 20 Internet Setup Wizard Summary 71 Table 21 Me...

Page 30: ...57 ICMP Commands That Trigger Alerts 150 Table 58 Legal NetBIOS Commands 150 Table 59 Legal SMTP Commands 150 Table 60 Firewall General 162 Table 61 Firewall Rules 164 Table 62 Firewall Edit Rule 166...

Page 31: ...nt of Bandwidth Example 239 Table 98 Bandwidth Management Priorities 240 Table 99 Media Bandwidth Management Summary 240 Table 100 Bandwidth Management Rule Setup 242 Table 101 Bandwidth Management Ru...

Page 32: ...e 143 NetBIOS Filter Default Settings 336 Table 144 System Maintenance Logs 339 Table 145 System Error Logs 340 Table 146 Access Control Logs 340 Table 147 TCP Reset Logs 341 Table 148 Packet Filter L...

Page 33: ...ntions Enter means for you to type one or more characters Select or Choose means for you to use one of the predefined choices Mouse action sequences are denoted using a comma or right angle bracket Fo...

Page 34: ...ns or suggestions for improvement to techwriters zyxel com tw or send regular mail to The Technical Writing Team ZyXEL Communications Corp 6 Innovation Road II Science Based Industrial Park Hsinchu 30...

Page 35: ...hone Service Models ending in 3 denote a device that works over ISDN Integrated Services Digital Network Models ending in 7 denote a device that works over T ISDN UR 2 Note Only use firmware for your...

Page 36: ...assword is required or the ZyXEL Device cannot connect to the ISP you will be redirected to web screen s for information input or troubleshooting Any IP The Any IP feature allows a computer to access...

Page 37: ...nection terminates after a period of no traffic that you configure and PPPoE Dial on Demand the PPPoE connection is brought up only when an Internet access request is made Network Address Translation...

Page 38: ...akes your ZyXEL Device a cost effective and viable network solution You can connect up to four computers to the ZyXEL Device without the cost of a hub Use a hub to add more than four computers to your...

Page 39: ...rence or difficulty with channel assignment when there is a high density of APs within a coverage area In this case you can lower the output power of each access point thus enabling you to place acces...

Page 40: ...ons 1 3 2 LAN to LAN Application You can use the ZyXEL Device to connect two geographically dispersed networks over the ADSL line A typical LAN to LAN application example is shown as follows Figure 2...

Page 41: ...f The system is not ready or has malfunctioned ETHERNET Green On The ZyXEL Device has a successful 10Mb Ethernet connection Blinking The ZyXEL Device is sending receiving data Amber On The ZyXEL Devic...

Page 42: ...DSL to your ZyXEL Device 3 Connect the side labeled Line to the telephone wall jack 1 6 2 Telephone Microfilters Telephone voice transmissions take place in the lower frequency range 0 4KHz while ADSL...

Page 43: ...P 661H HW Series User s Guide Chapter 1 Getting To Know Your ZyXEL Device 43 Figure 5 Connecting a Microfilter...

Page 44: ...P 661H HW Series User s Guide 44 Chapter 1 Getting To Know Your ZyXEL Device...

Page 45: ...Windows XP SP Service Pack 2 JavaScripts enabled by default Java permissions enabled by default See the chapter on troubleshooting if you need to make sure these functions are allowed in Internet Exp...

Page 46: ...ssword Enter a new password between 1 and 30 characters retype it to confirm and click Apply alternatively click Ignore to proceed to the main menu if you do not want to change the password now Note I...

Page 47: ...file This means that you will lose all configurations that you had previously and the password will be reset to 1234 2 3 1 Using the Reset Button 1 Make sure the POWER LED is on not blinking 2 Press...

Page 48: ...ns to limit bandwidth usage by application or packet size Logout Click this icon to exit the web configurator Status Use this screen to look at the ZyXEL Device s general device system and interface s...

Page 49: ...Device Address Mapping Use this screen to configure network address translation mapping rules Security Firewall General Use this screen to activate deactivate the firewall and the direction of networ...

Page 50: ...nfigure your ZyXEL Device s settings for Simple Network Management Protocol management DNS Use this screen to configure through which interface s and from which IP address es users can send DNS querie...

Page 51: ...l screen statistics automatically at the end of every time interval or to not refresh the screen statistics Apply Click this button to refresh the status screen statistics Device Information Host Name...

Page 52: ...sent date and time System Mode This displays whether the ZyXEL Device is functioning as a router or a bridge CPU Usage This number shows how many kilobytes of the heap memory the ZyXEL Device is using...

Page 53: ...ltaneous transmissions over the same port Full duplex essentially double the bandwidth For the WAN port it displays the downstream and upstream transmission rate For the WLAN port it displays the tran...

Page 54: ...dress This field displays the MAC Media Access Control address of the computer with the displayed IP address Every Ethernet device has a unique MAC address The MAC address is assigned at the factory a...

Page 55: ...unused bandwidth and the orange color represents the percentage of bandwidth in use Figure 14 Status Bandwidth Status Table 7 Status VPN Status LABEL DESCRIPTION No This is the security association in...

Page 56: ...stem up Time This is the elapsed time the system has been up Current Date Time This field displays your ZyXEL Device s present date and time CPU Usage This field specifies the percentage of CPU utiliz...

Page 57: ...nd Rx B s This field displays the number of bytes received in the last second Up Time This field displays the elapsed time this port has been up LAN Port Statistics Interface This field displays the t...

Page 58: ...eneral Password LABEL DESCRIPTION Old Password Type the default password or the existing password you use to access the system in this field New Password Type the new password in this field Retype to...

Page 59: ...of the web configurator The wizard main screen appears Figure 17 Wizard Main Screen The following table describes the fields in this screen Table 10 Wizard Main Screen LABEL DESCRIPTION INTERNET WIREL...

Page 60: ...Wait while the device tries to detect your DSL connection and connection type Figure 18 Internet Setup Wizard Connection Test The next screen depends on the results 3 1 1 Automatic Detection The ZyXE...

Page 61: ...1 2 1 Screen 1 Figure 20 Internet Setup Wizard Manual Configuration Click Back to return to the wizard main screen Click Next to continue to the next screen Click Exit to close the wizard main screen...

Page 62: ...ox Choices vary depending on what you select in the Mode field If you select Bridge in the Mode field select either PPPoA or RFC 1483 If you select Routing in the Mode field select PPPoA RFC 1483 ENET...

Page 63: ...appear if you select Static IP Address IP Address Enter the static IP address provided by your ISP Subnet Mask Enter the subnet mask provided by your ISP Gateway IP Address Enter the IP address of the...

Page 64: ...given Password Enter the password associated with the user name above Service Name Type the name of your PPPoE service here Leave this field blank if your ISP did not provide you a PPPoE service Back...

Page 65: ...he DSL connection Check your hardware connections Table 15 Internet Setup Wizard ISP Parameters PPPoA LABEL DESCRIPTION User Name Enter the user name exactly as your ISP assigned If assigned a name in...

Page 66: ...Exit to close the wizard main screen and return to the Status screen or the main window 3 2 Wireless Connection Wizard Setup wireless devices only After you configure the Internet access information...

Page 67: ...SSID and WPA PSK security settings to wireless clients that support OTIST and are within transmission range You must also activate and start OTIST on the wireless client at the same time The process...

Page 68: ...PA and OTIST This option is available only when you enable OTIST in the previous wizard screen Select Manually assign a WPA PSK key to configure a Pre Shared Key WPA PSK Choose this option only if you...

Page 69: ...etup screen to set up a Pre Shared Key Figure 30 Manually assign a WPA key The following table describes the labels in this screen 3 2 2 Manually assign a WEP key Choose Manually assign a WEP key to s...

Page 70: ...SCRIPTION Key The WEP keys are used to encrypt data Both the ZyXEL Device and the wireless stations must use the same WEP key for data transmission Enter any 5 13 or 29 ASCII characters or 10 26 or 58...

Page 71: ...you have configured is correct Click Finish to complete and save the wizard setup The following table describes the fields in this screen Table 20 Internet Setup Wizard Summary LABEL DESCRIPTION Retur...

Page 72: ...sages sent through a computer network to specific groups or individuals Here are some default ports for e mail POP3 port 110 IMAP port 143 SMTP port 25 HTTP port 80 FTP File Transfer Program enables f...

Page 73: ...e transported over TCP using the default port number 5060 Telnet Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments It operates over TCP IP networks It...

Page 74: ...andwidth Management Wizard Configuration Table 22 Bandwidth Management Wizard General Information LABEL DESCRIPTION Active Select the Active check box to have the ZyXEL Device apply bandwidth manageme...

Page 75: ...much bandwidth as it needs If you select services as having the same priority then bandwidth is divided equally amongst those services Services not specified in bandwidth management are allocated ban...

Page 76: ...P 661H HW Series User s Guide 76 Chapter 3 Wizards...

Page 77: ...ess in the ENET ENCAP Gateway field in the second wizard screen You can get this information from your ISP 4 1 1 2 PPP over Ethernet PPPoE Point to Point Protocol over Ethernet provides access control...

Page 78: ...ver a separate ATM virtual circuit VC based multiplexing Please refer to the RFC for more detailed information 4 1 2 Multiplexing There are two conventions to identify what protocols the virtual circu...

Page 79: ...dynamic IP For a static IP you must fill in all the IP Address and ENET ENCAP Gateway fields as supplied by your ISP However for a dynamic IP the ZyXEL Device acts as a DHCP client on the WAN port an...

Page 80: ...ffic redirect route next In the same manner the ZyXEL Device uses the dial backup route if the traffic redirect route also fails If you want the dial backup route to take first priority over the traff...

Page 81: ...CBR traffic is generally time sensitive doesn t tolerate delay CBR is used for connections that continuously require a specific amount of bandwidth A PCR is specified and if traffic exceeds this rate...

Page 82: ...transfer 4 4 Zero Configuration Internet Access Once you turn on and connect the ZyXEL Device to a telephone jack it automatically detects the Internet connection settings such as the VCI VPI numbers...

Page 83: ...your ISP from the drop down list box Choices vary depending on the mode you select in the Mode field If you select Bridge in the Mode field select either PPPoA or RFC 1483 If you select Routing in th...

Page 84: ...PPPoE PPPoA and ENET ENCAP only Select this if you do not have a dynamic IP address IP Address Enter the static IP address provided by your ISP Subnet Mask ENET ENCAP only Enter the subnet mask provi...

Page 85: ...mats when receiving RIP 1 is universally supported but RIP 2 carries more information RIP 1 is probably adequate for most networks unless you have an unusual network topology Both RIP 2B and RIP 2M se...

Page 86: ...not applicable available when you configure the ZyXEL Device to use a static WAN IP address or in bridge mode Select Yes to set the ZyXEL Device to automatically detect the Internet connection setting...

Page 87: ...e connection Select the check box to enable it Name This is the descriptive name for this connection VPI VCI This is the VPI and VCI values used for this connection Encapsulation This is the method of...

Page 88: ...Name Enter a unique descriptive name of up to 13 ASCII characters for this connection Mode Select Routing from the drop down list box if your ISP allows multiple computers to share an Internet account...

Page 89: ...d the ISP assigns you a different one each time you connect to the Internet If you use the encapsulation type except RFC 1483 select Obtain an IP Address Automatically when you have a dynamic IP addre...

Page 90: ...le 28 More Connections Advanced Setup LABEL DESCRIPTION RIP Multicast Setup RIP Direction Select the RIP direction from None Both In Only and Out Only RIP Version Select the RIP version from RIP 1 RIP...

Page 91: ...onfigure filters that allow packets from the protected LAN Subnet 1 to the backup gateway Subnet 2 Peak Cell Rate Divide the DSL line rate bps by 424 the size of an ATM cell to find the Peak Cell Rate...

Page 92: ...eries User s Guide 92 Chapter 4 WAN Setup Figure 44 Traffic Redirect LAN Setup 4 8 Configuring WAN Backup To change your ZyXEL Device s WAN backup settings click WAN WAN Backup Setup The screen appear...

Page 93: ...s the other WAN backup connection if configured if there is no response Fail Tolerance Type the number of times 2 recommended that your ZyXEL Device may ping the IP addresses configured in the Check W...

Page 94: ...the cost of transmission A router determines the best route for transmission by choosing a path with the lowest cost RIP routing uses hop count as the measurement of cost with a minimum of 1 for direc...

Page 95: ...immediate area usually the same building or floor of a building The LAN screens can help you configure a LAN DHCP server and manage IP addresses See Section 5 3 on page 101 to configure the LAN screen...

Page 96: ...rst is for an ISP to tell a customer the DNS server addresses usually in the form of an information sheet when s he signs up If your ISP gives you the DNS server addresses enter them in the DNS Server...

Page 97: ...eir instructions in selecting the IP addresses and the subnet mask If the ISP did not explicitly give you an IP network number then most likely you have a single user account and the ISP will assign y...

Page 98: ...For more information on address assignment please refer to RFC 1597 Address Allocation for Private Internets and RFC 1466 Guidelines for Management of IP Address Space 5 2 2 RIP Setup RIP Routing Inf...

Page 99: ...ected networks to gather group membership After that the ZyXEL Device periodically updates this information IP multicasting can be enabled disabled on the ZyXEL Device LAN and or WAN interfaces in the...

Page 100: ...es to access the Internet for the first time through the ZyXEL Device 1 When a computer which is in a different subnet first attempts to access the Internet it sends packets to its default gateway whi...

Page 101: ...ced Setup button in the LAN IP screen The screen appears as shown Table 30 LAN IP LABEL DESCRIPTION TCP IP IP Address Enter the IP address of your ZyXEL Device in dotted decimal notation for example 1...

Page 102: ...obably adequate for most networks unless you have an unusual network topology Both RIP 2B and RIP 2M sends the routing data in RIP 2 format the difference being that RIP 2B uses subnet broadcasting wh...

Page 103: ...to allow NetBIOS packets to pass through to the WAN in order to find a computer on the WAN Allow between LAN and WAN Select this check box to forward NetBIOS packets from the LAN to the WAN and from t...

Page 104: ...ation to the network The ZyXEL Device is the DHCP server for the network IP Pool Starting Address This field is enabled if the ZyXEL Device is a DHCP Server Enter the first of the contiguous addresses...

Page 105: ...Address This field displays the IP address relative to the field listed above MAC Address The MAC Media Access Control or Ethernet address on a LAN Local Area Network is unique to your computer six pa...

Page 106: ...ZyXEL Device itself as the gateway for each LAN network When you use IP alias you can also configure firewall rules to control access between the LAN s logical networks subnets Note Make sure that th...

Page 107: ...dcast its routing table periodically When set to Both or In Only it will incorporate the RIP information that it receives when set to None it will not send any RIP packets and will ignore any RIP pack...

Page 108: ...P 661H HW Series User s Guide 108 Chapter 5 LAN Setup...

Page 109: ...s the part in the blue circle In this wireless network devices A and B use the access point AP to interact with the other devices such as the printer or with the Internet Your ZyXEL Device is the AP E...

Page 110: ...ally written using twelve hexadecimal characters2 for example 00A0C5000002 or 00 A0 C5 00 00 02 To get the MAC address for each device in the wireless network see the device s User s Guide or other do...

Page 111: ...etwork has a RADIUS server you can choose WPA or WPA2 If users do not log in to the wireless network you can choose no encryption Static WEP WPA PSK or WPA2 PSK Usually you should set up the strongest...

Page 112: ...reless network The devices in the wireless network have to support OTIST and they have to be in range of the ZyXEL Device when you activate it See Section 6 5 on page 120 for more details 6 3 Wireless...

Page 113: ...e configuring the ZyXEL Device from a computer connected to the wireless LAN and you change the ZyXEL Device s SSID or WEP settings you will lose your wireless connection when you press Apply to confi...

Page 114: ...crypts unicast and multicast communications in a network Both the wireless clients and the access points must use the same WEP key Your ZyXEL Device allows you to configure up to four 64 bit 128 bit o...

Page 115: ...r a Passphrase up to 32 printable characters and clicking Generate The ZyXEL Device automatically generates a WEP key WEP Key The WEP keys are used to encrypt data Both the ZyXEL Device and the wirele...

Page 116: ...between the two is that WPA PSK WPA2 PSK uses a simple common password instead of user specific credentials Type a pre shared key from 8 to 63 case sensitive ASCII characters including spaces and sym...

Page 117: ...management sends a new group key out to all clients The re keying process is the WPA 2 equivalent of automatically changing the WEP key for an AP and all stations in a WLAN on a periodic basis Settin...

Page 118: ...hanging the WEP key for an AP and all stations in a WLAN on a periodic basis Setting of the Group Key Update Timer is also supported in WPA PSK WPA2 PSK mode The default is 1800 seconds 30 minutes Aut...

Page 119: ...nter a value between 0 and 2432 If you select the Enable 802 11g mode checkbox this field is grayed out and the ZyXEL Device uses 4096 automatically Fragmentation Threshold It is the maximum data frag...

Page 120: ...when wireless adapters support it otherwise the ZyXEL Device uses long preamble 802 11 Mode Select 802 11b Only to allow only IEEE 802 11b compliant WLAN devices to associate with the ZyXEL Device Sel...

Page 121: ...you use the RESET button the default 01234567 or previous saved through the web configurator Setup key is used to encrypt the settings that you want to transfer Hold in the RESET button for one to fiv...

Page 122: ...tomatically generate a WPA PSK you must Change your security to any security other than WPA PSK in the Wireless LAN General screen Select the Yes checkbox in the OTIST screen and click Start The wirel...

Page 123: ...s in the wireless network After reviewing the settings click OK Figure 62 Security Key 2 This screen appears while OTIST settings are being transferred It closes when the transfer is complete 3 In the...

Page 124: ...d to run OTIST again or enter them manually in the wireless client s 5 If you configure OTIST to generate a WPA PSK key this key changes each time you run OTIST Therefore if a new wireless client join...

Page 125: ...t listed will be allowed to access the ZyXEL Device Select Allow to permit access to the ZyXEL Device MAC addresses not listed will be denied access to the ZyXEL Device Set This is the index number of...

Page 126: ...a transmission for applications that are sensitive 6 7 2 WMM QoS Priorities The following table describes the priorities that you can apply to traffic that the ZyXEL Device sends to the wireless netwo...

Page 127: ...be used to find out if a user is logged on FTP TCP 20 21 File Transfer Program a program to enable fast transfer of files including large files that may not be possible by e mail H 323 TCP 1720 NetMee...

Page 128: ...edia on the Internet SFTP TCP 115 Simple File Transfer Protocol SMTP TCP 25 Simple Mail Transfer Protocol is the message exchange standard for the Internet SMTP enables you to move messages from one e...

Page 129: ...LAN QoS The following table describes the fields in this screen Table 46 Wireless LAN QoS LABEL DESCRIPTION QoS Enable WMM QoS Select the check box to enable WMM QoS on the ZyXEL Device WMM QoS Polic...

Page 130: ...the WMM QoS priority for traffic bandwidth Modify Click the Edit icon to open the Application Priority Configuration screen Modify an existing application entry or create a application entry in the A...

Page 131: ...rotocol HTTP a client server protocol for the World Wide Web The Web is not synonymous with the Internet rather it is just one service on the Internet Other services on the Internet include Internet R...

Page 132: ...P 661H HW Series User s Guide 132 Chapter 6 Wireless LAN...

Page 133: ...refers to the IP address of a host when the packet is in the local network while the global address refers to the IP address of the host when the same packet is traveling in the WAN side Note that in...

Page 134: ...he additional benefit of firewall protection With no servers defined your ZyXEL Device filters out all incoming inquiries thus preventing intruders from probing your network For more information on IP...

Page 135: ...address to one global IP address Many to One In Many to One mode the ZyXEL Device maps multiple local IP addresses to one global IP address This is equivalent to SUA for instance PAT port address tra...

Page 136: ...servers using mapping types as outlined in Table 49 on page 136 Choose SUA Only if you have just one public WAN IP address for your ZyXEL Device Choose Full Feature if you have multiple public WAN IP...

Page 137: ...ervice for example both FTP and web service it might be better to specify a range of port numbers You can allocate a server IP address that corresponds to a port or a range of ports Many residential b...

Page 138: ...ther information about port numbers Please also refer to the Supporting CD for more examples and details on port forwarding and NAT 7 4 3 Configuring Servers Behind Port Forwarding Example Let s say y...

Page 139: ...ilable only when you select SUA Only in the NAT General screen If you do not assign a Default Server IP address the ZyXEL Device discards all packets received for ports that are not specified here or...

Page 140: ...here or in the remote management setup Port Forwarding Service Name Select a service from the drop down list box Server IP Address Enter the IP address of the server for the specified service Add Clic...

Page 141: ...and 7 become new rules 4 5 and 6 To change your ZyXEL Device s address mapping settings click Network NAT Address Mapping to open the following screen Table 53 Port Forwarding Rule Setup LABEL DESCRI...

Page 142: ...s is the ending Inside Global IP Address IGA This field is N A for One to one Many to One and Server mapping types Type 1 1 One to one mode maps one local IP address to one global IP address Note that...

Page 143: ...Many to Many No Overload Many to Many No Overload mode maps each local IP address to unique global IP addresses Server This type allows you to specify inside servers of different services behind the N...

Page 144: ...Translation NAT Screens Back Click Back to return to the previous screen Apply Click Apply to save your changes back to the ZyXEL Device Cancel Click Cancel to begin configuring this screen afresh Tab...

Page 145: ...ld never be the only mechanism or method employed For a firewall to guard effectively you must design and deploy it appropriately This requires integrating the firewall into a broad information securi...

Page 146: ...ewalls restrict access by screening data packets against defined access rules They make access control decisions based on IP address and protocol They also inspect the session data to assure the integ...

Page 147: ...gured to automatically detect and thwart all known DoS attacks 8 4 1 Basics Computers share information over the Internet using a common language called TCP IP TCP IP in turn is a set of application p...

Page 148: ...eardrop attack exploits weaknesses in the re assembly of IP packet fragments As data is transmitted through a network IP packets are often broken up into smaller chunks Each fragment looks like the or...

Page 149: ...hackers flood SYN packets into the network with a spoofed source IP address of the targeted system This makes it appear as if the host computer sent the packets to itself making the system unavailabl...

Page 150: ...etBIOS commands are the following all others are illegal All SMTP commands are illegal except for those displayed in the following tables Table 57 ICMP Commands That Trigger Alerts 5 REDIRECT 13 TIMES...

Page 151: ...wed through the router or firewall The ZyXEL Device blocks all IP Spoofing attempts 8 5 Stateful Inspection With stateful inspection fields of the packets are compared to packets that are already know...

Page 152: ...st entry that is inserted at the beginning of the WAN interface s inbound extended access list This temporary access list entry is designed to permit inbound packets of the same connection as the outb...

Page 153: ...tion packet originates on the WAN this means that someone is trying to make a connection from the Internet into the LAN Except in a few special cases see Upper Layer Protocols shown next these packets...

Page 154: ...rnet would normally be rejected In order to achieve this the ZyXEL Device inspects the application level FTP data Specifically it searches for outgoing PORT commands and when it sees these it adds a c...

Page 155: ...our company Be careful of files e mailed to you from strangers One common way of getting BackOrifice on a system is to include it as a Trojan horse with other files Change your passwords regularly Als...

Page 156: ...the outbound request for that packet and allowed in Conversely an incoming packet masquerading as a response to a nonexistent outbound request can be blocked The firewall uses session filtering i e s...

Page 157: ...ackets to which they apply Note The LAN includes both the LAN port and the WLAN By default the ZyXEL Device s stateful packet inspection allows packets traveling in the following directions LAN to LAN...

Page 158: ...ew Note Study these points carefully before configuring rules 9 3 1 Rule Checklist State the intent of the rule For example This restricts all IRC access from the LAN to the Internet Or This allows a...

Page 159: ...lect the service from the Service scrolling list box If the service is not listed it is necessary to first define it See Section 9 9 on page 172 for more information on predefined services 9 3 3 3 Sou...

Page 160: ...ail account that you specify in the Log Settings screen Refer to the chapter on logs for details 9 5 Triangle Route When the firewall is on your ZyXEL Device acts as a secure gateway between your LAN...

Page 161: ...s allows you to partition your network into logical sections over the same Ethernet interface Your ZyXEL Device supports up to three logical LAN interfaces with the ZyXEL Device being the gateway for...

Page 162: ...Bypass Triangle Route Select this check box to have the ZyXEL Device firewall permit the use of triangle route topology on the network See the appendix for more on triangle route topology Note Allowin...

Page 163: ...wall rules Select Drop to silently discard the packets without sending a TCP reset packet or an ICMP destination unreachable message to the sender Select Reject to deny the packets and send a TCP rese...

Page 164: ...is drop down list box displays the source addresses or ranges of addresses to which this firewall rule applies Please note that a blank source or destination address is equivalent to Any Destination I...

Page 165: ...pter 9 Firewall Configuration 165 In the Rules screen select an index number and click Add or click a rule s Edit icon to display this screen and refer to the following table for information on the la...

Page 166: ...the Source or Destination Address box You can add multiple addresses ranges of addresses and or subnets Edit To edit an existing source or destination address select it from the box and click Edit Del...

Page 167: ...vices The following table describes the labels in this screen Apply Click Apply to save your customized settings and exit this screen Cancel Click Cancel to exit this screen without saving Table 62 Fi...

Page 168: ...Click Security Firewall Rules 2 Select WAN to LAN in the Packet Direction field Table 64 Firewall Configure Customized Services LABEL DESCRIPTION Service Name Type a unique name for your custom port...

Page 169: ...ne becomes rule 8 4 Click Add to display the firewall rule configuration screen 5 In the Edit Rule screen click the Edit Customized Services link to open the Customized Service screen 6 Click an index...

Page 170: ...mple Edit Rule Destination Address 9 Use the Add and Remove buttons between Available Services and Selected Services list boxes to configure it as follows Click Apply when you are done Note Custom ser...

Page 171: ...rewall Example Edit Rule Select Customized Services On completing the configuration procedure for this Internet firewall rule the Rules screen should look like the following Rule 1 allows a MyService...

Page 172: ...ries are supported Custom service ports may also be configured using the Edit Customized Services function discussed previously Table 65 Predefined Services SERVICE DESCRIPTION AIM NEW_ICQ TCP 5190 AO...

Page 173: ...t whether or not a remote host is reachable POP3 TCP 110 Post Office Protocol version 3 lets a client computer get e mail from a POP3 server through a temporary connection TCP IP or other PPTP TCP 172...

Page 174: ...obing to display the screen as shown Figure 96 Firewall Anti Probing SSDP UDP 1900 Simole Service Discovery Protocol SSDP is a discovery service searching for Universal Plug and Play devices on your h...

Page 175: ...sable is selected Select LAN to reply to incoming LAN Ping requests Select WAN to reply to incoming WAN Ping requests Otherwise select LAN WAN to reply to both incoming LAN and WAN Ping requests Do No...

Page 176: ...il the number of existing half open sessions drops below another threshold max incomplete low When the rate of new connection attempts rises above a threshold one minute high the ZyXEL Device starts d...

Page 177: ...ting half open sessions The ZyXEL Device continues to delete half open sessions as necessary until the rate of new connection attempts drops below this number 80 existing half open sessions One Minute...

Page 178: ...ting half open sessions with the number of existing half open sessions drops below 80 TCP Maximum Incomplete This is the number of existing half open TCP sessions with the same destination host IP add...

Page 179: ...web pages based on pre defined web site categories such as pornography gambling etc 10 1 1 TMSS Web Page TMSS is enabled by default on the ZyXEL Device so you should see the following screen after you...

Page 180: ...Download ActiveX to View TMSS Web Page 2 In the TMSS web page click Service Summary Figure 100 TMSS Web Page Dashboard 3 Click Activate My Services to begin a 3 step process to activate TMSS Figure 1...

Page 181: ...ration form you will receive an e mail with instructions for validating your e mail address Follow the instructions 7 Download TMSS to each computer behind the ZyXEL Device that you want TMSS to monit...

Page 182: ...e Trend micro Internet Security TIS 1 package This package contains anti virus software and a license for Parental Control to forbid access to undesirable web site content based on pre defined web sit...

Page 183: ...ve the ZyXEL Device download the latest scan engine and virus pattern version numbers not the actual software from the Trend Micro web site The ZyXEL Device can then compare version numbers currently...

Page 184: ...ck Apply to save your customized settings Reset Click Reset to begin configuring this screen afresh Table 68 General TMSS Settings LABEL DESCRIPTION Table 69 TMSS Exception List LABEL DESCRIPTION Exce...

Page 185: ...tatus This table provides information on all TMSS client computers and the ZyXEL Device itself This field displays the index number of a TMSS client computer or the ZyXEL Device IP Address This field...

Page 186: ...splays if The ZyXEL Device had no response after an update request There is currently no Trend Micro anti virus installed on the TMSS client The LAN computer is using a UNIX or Macintosh operating sys...

Page 187: ...ID Web Proxy This is a server that acts as an intermediary between a user and the Internet to provide security administrative control and caching service When a proxy server is located on the WAN it...

Page 188: ...t promote offer sell supply encourage or otherwise advocate the illegal use cultivation manufacture or distribution of drugs pharmaceuticals intoxicating plants or chemicals and their related parapher...

Page 189: ...ernet Options and then the Security tab 2 In the Internet Options window click Custom Level Table 72 Parental Controls Statistics LABEL DESCRIPTION Category All Parental Control categories are display...

Page 190: ...s Figure 112 Internet Options Security 3 Scroll down to ActiveX controls and plug ins 4 Under Download signed ActiveX controls select the Prompt radio button 5 Under Run ActiveX controls and plug ins...

Page 191: ...P 661H HW Series User s Guide Chapter 10 Trend Micro Security Services 191 Figure 113 Security Setting ActiveX Controls...

Page 192: ...P 661H HW Series User s Guide 192 Chapter 10 Trend Micro Security Services...

Page 193: ...n the ZyXEL Device performs content filtering You can also specify trusted IP addresses on the LAN for which the ZyXEL Device will not perform content filtering 11 2 Configuring Keyword Blocking Use t...

Page 194: ...ist of all the keywords that you have configured the ZyXEL Device to block Delete Highlight a keyword in the box and click Delete to remove it Clear All Click Clear All to remove all of the keywords f...

Page 195: ...ox to have the content filtering to be active on the selected day Start TIme Enter the start time when you want the content filtering to take effect in hour minute format End Time Enter the end time w...

Page 196: ...P 661H HW Series User s Guide 196 Chapter 11 Content Filtering...

Page 197: ...s for secure data communications across a public network like the Internet IPSec is built around a number of standardized cryptographic techniques to provide confidentiality data integrity and authent...

Page 198: ...lowing VPN applications Linking Two or More Private Networks Together Connect branch offices and business partners over the Internet with significant cost savings and improved performance when compare...

Page 199: ...implementation algorithms The Encryption Algorithm describes the use of encryption techniques such as DES Data Encryption Standard and Triple DES algorithms The Authentication Algorithms HMAC MD5 RFC...

Page 200: ...d forward into the IP header to verify the integrity of the entire packet by use of portions of the original IP header in the hashing process 12 3 2 Tunnel Mode Tunnel mode encapsulates the entire IP...

Page 201: ...T in the middle so it assumes that the data has been maliciously altered IPSec using ESP in Tunnel mode encapsulates the entire original packet including headers in a new IP packet The new IP packet s...

Page 202: ...P 661H HW Series User s Guide 202 Chapter 12 Introduction to IPSec...

Page 203: ...integrity authentication sequence integrity replay resistance and non repudiation but not for confidentiality for which the ESP was designed In applications where confidentiality is not required or no...

Page 204: ...t block of data MD5 default MD5 Message Digest 5 produces a 128 bit digest to authenticate packet data 3DES Triple DES 3DES is a variant of DES which iterates three times with three separate keys 3 x...

Page 205: ...ed with the remote gateway s new WAN IP address 13 4 1 Dynamic Secure Gateway Address If the remote secure gateway has a dynamic WAN IP address and does not use DDNS enter 0 0 0 0 as the secure gatewa...

Page 206: ...al Key screen is configured to Subnet Remote Address This is the IP address es of computer s on the remote network behind the remote IPSec router This field displays N A when the Secure Gateway Addres...

Page 207: ...Device automatically drops the tunnel after two minutes 13 7 VPN NAT and NAT Traversal NAT is incompatible with the AH protocol in both transport and tunnel mode An IPSec VPN using the AH protocol dig...

Page 208: ...able NAT traversal on both IPSec endpoints Set the NAT router to forward UDP port 500 to IPSec router A Finally NAT is compatible with ESP in tunnel mode because integrity checks are performed over th...

Page 209: ...ce to distinguish between multiple rules for SAs that connect from remote IPSec routers that have dynamic WAN IP addresses Telecommuters can use separate passwords to simultaneously connect to the ZyX...

Page 210: ...field is used for identification purposes only and does not need to be a real domain name or e mail address Table 81 Peer ID Type and Content Fields PEER ID TYPE CONTENT IP Type the IP address of the...

Page 211: ...d because you have to share it with another party before you can communicate with them over a secure connection 13 11 Editing VPN Policies Click an Edit icon in the VPN Setup Screen to edit VPN polici...

Page 212: ...his check box to activate this VPN policy This option determines whether a VPN rule is applied before a packet leaves the firewall Keep Alive Select either Yes or No from the drop down list box Select...

Page 213: ...ured remote IP addresses Two active SAs can have the same configured local or remote IP address but not both You can configure multiple SAs between the same local and remote IP addresses as long as on...

Page 214: ...ind the remote IPSec router Address Information Local ID Type Select IP to identify this ZyXEL Device by its IP address Select DNS to identify this ZyXEL Device by a domain name Select E mail to ident...

Page 215: ...has a dynamic WAN IP address the Key Management field must be set to IKE In order to have more than one active rule with the Secure Gateway Address field set to 0 0 0 0 the ranges of the local IP addr...

Page 216: ...n code The DES encryption algorithm uses a 56 bit key Triple DES 3DES is a variation on DES that uses a 168 bit key As a result 3DES is more secure than DES It also requires more processing power resu...

Page 217: ...d expires The ZyXEL Device also automatically renegotiates the IPSec SA if both IPSec routers have keep alive enabled even if there is no traffic If an IPSec SA times out then the IPSec router must re...

Page 218: ...is transient The key is thrown away and replaced by a brand new key using a new Diffie Hellman exchange for each new IPSec SA setup With PFS enabled if one key is compromised previous and subsequent k...

Page 219: ...r select NO to disable it Local Start Port 0 is the default and signifies any port Type a port number from 0 to 65535 Some of the most common IP ports are 21 FTP 53 DNS 23 Telnet 80 HTTP 25 SMTP 110 P...

Page 220: ...lgorithm Select SHA1 or MD5 from the drop down list box MD5 Message Digest 5 and SHA1 Secure Hash Algorithm are hash algorithms used to authenticate packet data The SHA1 algorithm is generally conside...

Page 221: ...h Algorithm are hash algorithms used to authenticate packet data The SHA1 algorithm is generally considered stronger than MD5 but is slower Select MD5 for minimal security and SHA1 for maximum securit...

Page 222: ...Type up to 32 characters to identify this VPN policy You may use any character including spaces but the ZyXEL Device drops trailing spaces IPSec Key Mode Select IKE or Manual from the drop down list b...

Page 223: ...cal Address Type field is configured to Range enter the end static IP address in a range of computers on the LAN behind your ZyXEL Device When the Local Address Type field is configured to Subnet this...

Page 224: ...m fields described next Encryption Algorithm Select DES 3DES or NULL from the drop down list box When DES is used for data communications both sender and receiver must know the same secret key which c...

Page 225: ...in this screen 13 17 Configuring Global Setting To change your ZyXEL Device s global settings click VPN and then Global Setting The screen appears as shown Table 87 VPN SA Monitor LABEL DESCRIPTION No...

Page 226: ...headquarters HQ in the figure The telecommuters do not have domain names mapped to the WAN IP addresses of their IPSec routers The telecommuters must all use the same IPSec parameters but the local I...

Page 227: ...ecommuters IPSec routers should not overlap See the following table and figure for an example where three telecommuters each use a different VPN rule for a VPN connection with a ZyXEL Device located a...

Page 228: ...yXEL Device Rule 1 Local ID Type IP Peer ID Type IP Local ID Content 192 168 2 12 Peer ID Content 192 168 2 12 Local IP Address 192 168 2 12 Secure Gateway Address telecommuter1 com Remote Address 192...

Page 229: ...Series User s Guide Chapter 13 VPN Screens 229 13 19 VPN and Remote Management If a VPN tunnel uses Telnet FTP WWW then you should configure remote management Remote Management to allow access for tha...

Page 230: ...P 661H HW Series User s Guide 230 Chapter 13 VPN Screens...

Page 231: ...eyond For instance the ZyXEL Device knows about network N2 in the following figure through remote node Router 1 However the ZyXEL Device is unable to route a packet to network N3 because it doesn t kn...

Page 232: ...This is the name that describes or identifies this route Destination This parameter specifies the IP network address of the final destination Routing is always based on network number Gateway This is...

Page 233: ...on Routing is always based on network number If you need to specify a route to a single host use a subnet mask of 255 255 255 255 in the subnet mask field to force the network number to be identical t...

Page 234: ...P 661H HW Series User s Guide 234 Chapter 14 Static Route...

Page 235: ...the bandwidth of traffic that comes into an interface Bandwidth management applies to all traffic flowing out of the router regardless of the traffic s source Traffic redirect or IP alias may cause L...

Page 236: ...The ZyXEL Device has two types of scheduler fairness based and priority based 15 5 1 Priority based Scheduler With the priority based scheduler the ZyXEL Device forwards traffic from bandwidth classe...

Page 237: ...udgeted or unused by the classes depending on how many bandwidth classes require more bandwidth and on their priority levels When only one class requires more bandwidth the ZyXEL Device gives extra ba...

Page 238: ...Unbudgeted Bandwidth The following table shows the priorities of the bandwidth classes and the amount of bandwidth that each class gets Suppose that all of the classes except for the administration c...

Page 239: ...ted bandwidth even if it takes up all of the interface s available bandwidth This could stop lower priority traffic from being sent The following is an example If you use VoIP and NetMeeting at the sa...

Page 240: ...ic or video that is especially sensitive to jitter jitter is the variations in delay Mid Typically used for excellent effort or better than best effort and would include important business traffic tha...

Page 241: ...priority traffic does not get through Note Unless you enable Max Bandwidth Usage the ZyXEL Device only uses up to the amount of bandwidth that you configure here The ZyXEL Device does not use any more...

Page 242: ...er of an individual bandwidth management rule Active This displays whether the rule is enabled Select this check box to have the ZyXEL Device apply this bandwidth management rule Enable a bandwidth ma...

Page 243: ...on Active Select this check box to have the ZyXEL Device apply this bandwidth management rule Enable a bandwidth management rule to give traffic that matches the rule priority over traffic that does n...

Page 244: ...t based network that does not provide a guaranteed quality of service Select H 323 from the drop down list box to configure this bandwidth filter for traffic that uses H 323 Select User defined from t...

Page 245: ...he bandwidth usage of its bandwidth rules Figure 139 Bandwidth Management Monitor Table 102 Services and Port Numbers SERVICES PORT NUMBER ECHO 7 FTP File Transfer Protocol 21 SMTP Simple Mail Transfe...

Page 246: ...P 661H HW Series User s Guide 246 Chapter 15 Bandwidth Management...

Page 247: ...if they don t know your IP address First of all you need to have registered a dynamic DNS account with www dyndns org This is for people with a dynamic IP from their ISP or DHCP server that would sti...

Page 248: ...me Type the domain name assigned to your ZyXEL Device by your Dynamic DNS provider You can specify up to two host names in the field separated by a comma User Name Type your user name Password Type th...

Page 249: ...address of the NAT router that has a public IP address Note The DDNS server may not be able to detect the proper IP address if there is an HTTP proxy server between the ZyXEL Device and the DDNS serv...

Page 250: ...P 661H HW Series User s Guide 250 Chapter 16 Dynamic DNS Setup...

Page 251: ...via Internet WAN only ALL LAN and WAN LAN only Neither Disable Note When you choose WAN only or LAN WAN you still need to configure a firewall rule to allow access To disable remote management of a s...

Page 252: ...1 2 Remote Management and NAT When NAT is enabled Use the ZyXEL Device s WAN IP address when configuring from the WAN Use the ZyXEL Device s LAN IP address when configuring from the LAN 17 1 3 System...

Page 253: ...ay change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Access Status Select the interface s through which...

Page 254: ...net LABEL DESCRIPTION Port You may change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Access Status Sele...

Page 255: ...s only available if TCP IP is configured Table 106 Remote Management FTP LABEL DESCRIPTION Port You may change the server port number for a service if needed however you must use the same port number...

Page 256: ...Information Base MIB is a collection of managed objects SNMP allows a manager and agents to communicate for the purpose of accessing these objects SNMP itself is a simple request response protocol ba...

Page 257: ...warm start 6a For intentional reboot A trap is sent with the message System reboot by user if reboot is done intentionally for example download new files CI command sys reboot etc 6b For fatal error A...

Page 258: ...ZyXEL Device using this service Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service SNMP Configuration Get Community Enter th...

Page 259: ...L Device s security settings click Advanced Remote MGMT ICMP The screen appears as shown Table 110 Remote Management DNS LABEL DESCRIPTION Port You may change the server port number for a service if n...

Page 260: ...y to incoming WAN Ping requests Otherwise select LAN WAN to reply to both incoming LAN and WAN Ping requests Do not respond to requests for unauthorized services Select this option to prevent hackers...

Page 261: ...erver IP address or domain name See Table 112 on page 261for detailed descriptions of the commands Figure 149 Enabling TR 069 The following table gives a description of TR 069 commands ras wan tr069 l...

Page 262: ...e to 1 in order for the ZyXEL Device to send information to CNM Access informInterval sec The duration in seconds of the interval for which the device MUST attempt to connect with CNM Access to send i...

Page 263: ...How do I know if I m using UPnP UPnP hardware is identified as an icon in the Network Connections folder Windows XP Each UPnP compatible device installed on your network will appear as a separate icon...

Page 264: ...intention 18 2 UPnP and ZyXEL ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum Creates UPnP Implementers Corp UIC ZyXEL s UPnP implementation supports IGD 1 0 Internet Gat...

Page 265: ...activate UPnP Be aware that anyone could use a UPnP application to open the web configurator s login screen without entering the ZyXEL Device s IP address although you must still enter the password t...

Page 266: ...tup Communication 3 In the Communications window select the Universal Plug and Play check box in the Components selection box Figure 152 Add Remove Programs Windows Setup Communication Components 4 Cl...

Page 267: ...l Panel 2 Double click Network Connections 3 In the Network Connections window click Advanced in the main menu and select Optional Networking Components Figure 153 Network Connections 4 The Windows Op...

Page 268: ...UPnP in Windows XP Example This section shows you how to use the UPnP feature in Windows XP You must already have UPnP installed in Windows XP and UPnP activated on the ZyXEL Device Make sure the com...

Page 269: ...ries User s Guide Chapter 18 Universal Plug and Play UPnP 269 Figure 156 Network Connections 3 In the Internet Connection Properties window click Settings to see the port mappings there were automatic...

Page 270: ...661H HW Series User s Guide 270 Chapter 18 Universal Plug and Play UPnP Figure 157 Internet Connection Properties 4 You may edit or delete the port mappings or click Add to manually add port mappings...

Page 271: ...ties Advanced Settings Figure 159 Internet Connection Properties Advanced Settings Add 5 When the UPnP enabled device is disconnected from your computer all port mappings will be deleted automatically...

Page 272: ...tatus Web Configurator Easy Access With UPnP you can access the web based configurator on the ZyXEL Device without finding out the IP address of the ZyXEL Device first This comes helpful if you do not...

Page 273: ...Plug and Play UPnP 273 Figure 162 Network Connections 4 An icon with the description for each UPnP enabled device displays under Local Network 5 Right click on the icon for your ZyXEL Device and selec...

Page 274: ...UPnP Figure 163 Network Connections My Network Places 6 Right click on the icon for your ZyXEL Device and select Properties A properties window displays with basic information about the ZyXEL Device...

Page 275: ...Name In Windows 2000 click Start Settings Control Panel and then double click System Click the Network Identification tab and then the Properties button Note the entry for the Computer name field and...

Page 276: ...n name Administrator Inactivity Timer Type how many minutes a management session either via the web configurator or CLI Command Line Interpreter can be left idle before the session times out The defau...

Page 277: ...e ZyXEL Device Old Password Type the default administrator password 1234 or the existing password you use to access the system for configuring advanced features in this field New Password Type your ne...

Page 278: ...Setup to Manual enter the new date in this field and then click Apply Get from Time Server Select this radio button to have the ZyXEL Device get the time and date from the time server you specified be...

Page 279: ...zone is one hour ahead of GMT or UTC GMT 1 End Date Configure the day and time when Daylight Saving Time ends if you selected Enable Daylight Saving The o clock field uses the 24 hour format Here are...

Page 280: ...P 661H HW Series User s Guide 280 Chapter 19 System...

Page 281: ...warrants more serious attention They include system errors attacks access control and attempted access to blocked web sites Some categories such as System Errors consist of both logs and alerts You m...

Page 282: ...Log LABEL DESCRIPTION Display The categories that you select in the Log Settings screen display in the drop down list box Select a category of logs to view select All Logs to view logs from all of th...

Page 283: ...ject line of the log e mail message that the ZyXEL Device sends Not all ZyXEL Device models have this field Send Log To The ZyXEL Device sends logs to the e mail address specified in this field If thi...

Page 284: ...s are sent Day for Sending Log Use the drop down list box to select which day of the week to send the logs Time for Sending Log Enter the time of the day in 24 hour format for example 23 00 equals 11...

Page 285: ...inutes After a successful upload the system will reboot Only use firmware for your device s specific model Refer to the label on the bottom of your device Click Maintenance Tools to open the Firmware...

Page 286: ...g systems you may see the following icon on your desktop Figure 171 Network Temporarily Disconnected After two minutes log in again and check your new firmware version in the Status screen If the uplo...

Page 287: ...ation Figure 173 Configuration The following table describes the labels in this screen Table 119 Configuration LABEL DESCRIPTION Backup Configuration Backup Click this to save the ZyXEL Device s curre...

Page 288: ...esktop File Path Enter the location of the file you want to upload or click Browse to find it Browse Click this to find the file you want to upload Upload Click this to restore the selected configurat...

Page 289: ...or the appendices for details on how to set up your computer s IP address You might have to open a new browser to log in again If the upload was not successful a Configuration Upload Error screen app...

Page 290: ...P 661H HW Series User s Guide 290 Chapter 21 Tools...

Page 291: ...Click Maintenance Diagnostic to open the screen shown next Figure 178 Diagnostic General The following table describes the fields in this screen Table 120 Diagnostic General LABEL DESCRIPTION TCP IP...

Page 292: ...PIs VCIs before you begin this test The ZyXEL Device sends an OAM F5 packet to the DSLAM ATM switch and then returns it loops it back to the ZyXEL Device The ATM loopback test is useful for troublesho...

Page 293: ...ppropriate power source Make sure that the ZyXEL Device and the power source are both turned on Turn the ZyXEL Device off and on If the error persists you may have a hardware problem In this case you...

Page 294: ...ntication may be through the user name and password the MAC address or the host name The username and password apply to PPPoE and PPPoA encapsulation only Make sure that you have entered the correct S...

Page 295: ...configurator Make sure there is not a telnet session running Use the ZyXEL Device s WAN IP address when configuring from the WAN Refer to the instructions on checking your WAN connection Use the ZyXE...

Page 296: ...P 661H HW Series User s Guide 296 Chapter 23 Troubleshooting...

Page 297: ...55 255 0 24 bits Default Password 1234 DHCP Pool 192 168 1 33 to 192 168 1 64 Dimensions W x D x H 180 x 128 x 36 mm Power Specification 12V AC 1A Built in Switch Four auto negotiating auto MDI MDI X...

Page 298: ...ent bridging for unsupported network layer protocols DHCP Server Client Relay RIP I RIP II ICMP ATM QoS SNMP v1 and v2c with MIB II support RFC 1213 IP Multicasting IGMP v1 and v2 IGMP Proxy UPnP Mana...

Page 299: ...ding 1024 NAT sessions Multimedia application PPTP under NAT SUA IPSec passthrough SIP ALG passthrough VPN passthrough Content Filtering Web page blocking by URL keyword Static Routes 16 IP and 4 Brid...

Page 300: ...P 661H HW Series User s Guide 300 Appendix A...

Page 301: ...wnload that includes graphics and text As data rates increase the carrying distance decreases That means that users who are beyond a certain distance from the telephone company s central office may no...

Page 302: ...eds drop significantly as more users go on line because the line is shared 3 ADSL can be always on connected This means that there is no time wasted dialing up the service several times a day and wait...

Page 303: ...rs of the holes matches what is listed in the product specifications appendix Note Be careful to avoid damaging pipes or cables located inside the wall when drilling holes for the screws 3 Do not scre...

Page 304: ...P 661H HW Series User s Guide 304 Appendix C...

Page 305: ...onents you need to install and use TCP IP on your computer Windows 3 1 requires the purchase of a third party TCP IP application package TCP IP should already be installed on computers using Windows N...

Page 306: ...you need the adapter 1 In the Network window click Add 2 Select Adapter and then click Add 3 Select the manufacturer and model of your network adapter and then click OK If you need TCP IP 1 In the Net...

Page 307: ...nd click Properties 2 Click the IP Address tab If your IP address is dynamic select Obtain an IP address automatically If you have a static IP address select Specify an IP address and type your inform...

Page 308: ...P IP Properties window 6 Click OK to close the Network window Insert the Windows CD if prompted 7 Restart your computer when prompted Verifying Settings 1 Click Start and then Run 2 In the Run window...

Page 309: ...gure 184 Windows XP Start Menu 2 In the Control Panel double click Network Connections Network and Dial up Connections in Windows 2000 NT Figure 185 Windows XP Control Panel 3 Right click Local Area C...

Page 310: ...then click Properties Figure 187 Windows XP Local Area Connection Properties 5 The Internet Protocol TCP IP Properties window opens the General tab in Windows XP If you have a dynamic IP address clic...

Page 311: ...dress type an IP address in IP address and a subnet mask in Subnet mask and then click Add Repeat the above two steps for each IP address you want to add Configure additional default gateways in the I...

Page 312: ...ows XP Click Obtain DNS server address automatically if you do not know your DNS server IP address es If you know your DNS server IP address es click Use the following DNS server addresses and type th...

Page 313: ...nnections window Network and Dial up Connections in Windows 2000 NT 11Restart your computer if prompted Verifying Settings 1 Click Start All Programs Accessories and then Command Prompt 2 In the Comma...

Page 314: ...IP tab 3 For dynamically assigned settings select Using DHCP from the Configure list Figure 192 Macintosh OS X Network 4 For statically assigned settings do the following From the Configure box selec...

Page 315: ...your Linux distribution and release version Note Make sure you are logged in as the root administrator Using the K Desktop Environment KDE Follow the steps below to configure your computer IP address...

Page 316: ...he Address Subnet mask and Default Gateway Address fields 3 Click OK to save the changes and close the Ethernet Device General screen 4 If you know your DNS server IP address es click the DNS tab in t...

Page 317: ...ere eth0 is the name of the Ethernet card Open the configuration file with any plain text editor If you have a dynamic IP address enter dhcp in the BOOTPROTO field The following figure shows an exampl...

Page 318: ...r TCP IP properties Figure 201 Red Hat 9 0 Checking TCP IP Properties DEVICE eth0 ONBOOT yes BOOTPROTO static IPADDR 192 168 1 10 NETMASK 255 255 255 0 USERCTL no PEERDNS yes TYPE Ethernet nameserver...

Page 319: ...he first two octets make up the network number and the two remaining octets make up the host ID Class C addresses begin starting from the left with 1 1 0 In a class C address the first three octets ma...

Page 320: ...e host ID Subnet masks are expressed in dotted decimal notation just as IP addresses are The natural masks for class A B and C IP addresses are as follows Subnetting With subnetting the class arrangem...

Page 321: ...168 1 0 with subnet mask of 255 255 255 0 The first three octets of the address make up the network number class C You want to have two separate networks Divide the network 192 168 1 0 into two separa...

Page 322: ...directed broadcast address for the first subnet Therefore the lowest IP address that can be assigned to an actual host for the first subnet is 192 168 1 1 and the highest is 192 168 1 126 Similarly t...

Page 323: ...Binary 11000000 10101000 00000001 00000000 Subnet Mask Binary 11111111 11111111 11111111 11000000 Subnet Address 192 168 1 0 Lowest Host ID 192 168 1 1 Broadcast Address 192 168 1 63 Highest Host ID...

Page 324: ...11 11111111 11111111 11000000 Subnet Address 192 168 1 192 Lowest Host ID 192 168 1 193 Broadcast Address 192 168 1 255 Highest Host ID 192 168 1 254 Table 139 Eight Subnets SUBNET SUBNET ADDRESS FIRS...

Page 325: ...etting The following table is a summary for class B subnet planning Table 141 Class B Subnet Planning NO BORROWED HOST BITS SUBNET MASK NO SUBNETS NO HOSTS PER SUBNET 1 255 255 128 0 17 2 32766 2 255...

Page 326: ...P 661H HW Series User s Guide 326 Appendix E...

Page 327: ...unusable Command Syntax The command keywords are in courier new font Enter the command keywords exactly as shown do not abbreviate The required fields in a command are enclosed in angle brackets The...

Page 328: ...P 661H HW Series User s Guide 328 Appendix F...

Page 329: ...rules config display firewall set set This command shows the current configuration of a set including timeout values name default permit and etc If you don t put use a number after set information abo...

Page 330: ...9 This command sets the minute of the hour for the firewall log to be sent via e mail if the ZyXEL Device is set to send it on a hourly daily or weekly basis Attack config edit firewall attack send al...

Page 331: ...nfig edit firewall set set default permit forward block This command sets whether a packet is dropped or allowed through when it does not meet a rule within the set Config edit firewall set set icmp t...

Page 332: ...g edit firewall set set rule rule alert yes no This command sets whether or not the ZyXEL Device sends an alert e mail when a DOS attack or a violation of a particular rule occurs config edit firewall...

Page 333: ...to have the ZyXEL Device check for TCP traffic with a destination port in this range config edit firewall set set rule rule UDP destport single port This command sets a rule to have the ZyXEL Device...

Page 334: ...P 661H HW Series User s Guide 334 Appendix G...

Page 335: ...You can configure NetBIOS filters to do the following Allow or disallow the sending of NetBIOS packets from the LAN to the WAN and from the WAN to the LAN Allow or disallow the sending of NetBIOS pack...

Page 336: ...g calls Disabled type Identify which NetBIOS filter numbered 0 3 to configure 0 Between LAN and WAN 3 IPSec packet pass through 4 Trigger Dial on off For type 0 and 1 use on to enable the filter and b...

Page 337: ...a manner similar to dial up services using PPP Benefits of PPPoE PPPoE offers the following benefits It provides you with a familiar dial up networking DUN user interface It lessens the burden on the...

Page 338: ...trator and tunnels the PPP frames to the ISP The L2TP tunnel is capable of carrying multiple PPP sessions With PPPoE the VC Virtual Circuit is equivalent to the dial up connection and is between the m...

Page 339: ...Successful FTP login Someone has logged on to the router via ftp FTP login failed Someone has failed to log on to the router via ftp NAT Session Table is Full The maximum number of NAT session table e...

Page 340: ...able 146 Access Control Logs LOG MESSAGE DESCRIPTION Firewall default policy TCP UDP IGMP ESP GRE OSPF Packet Direction Attempted TCP UDP IGMP ESP GRE OSPF access matched the default policy and was bl...

Page 341: ...UDP idle timeout 3 minutes TCP connection three way handshaking timeout 270 seconds TCP FIN wait timeout 2 MSL Maximum Segment Lifetime set in the TCP header TCP idle established timeout s 150 minute...

Page 342: ...ly packet to the sender Table 150 CDR Logs LOG MESSAGE DESCRIPTION board d line d channel d call d s C01 Outgoing Call dev x ch x s The router received the setup requirements for a call call is the re...

Page 343: ...filter server responded that the web site is in the blocked category list but it did not return the category type s s The content filter server responded that the web site is in the blocked category...

Page 344: ...detected an ICMP echo attack For type and code details see Table 161 on page 351 syn flood TCP The firewall detected a TCP syn flood attack ports scan TCP The firewall detected a TCP port scan attack...

Page 345: ...uring IKE phase 2 because the router and the peer s Local Remote Addresses don t match Verifying Local ID failed The connection failed during IKE phase 2 because the router and the peer s Local Remote...

Page 346: ...mote Address This information conflicted with static rule d thus the connection is not allowed Phase 1 ID type mismatch This router s Peer ID Type is different from the peer IPSec router s Local ID Ty...

Page 347: ...er and the peer Rule d Phase 2 encapsulation mismatch The listed rule s IKE phase 2 encapsulation did not match between the router and the peer Rule d Phase 2 pfs mismatch The listed rule s IKE phase...

Page 348: ...ject name The router received a certification authority certificate with subject name as recorded from the LDAP server whose IP address and port are recorded in the Source field Rcvd user cert subject...

Page 349: ...rithm mismatch between the certificate and the search constraints 2 Key usage mismatch between the certificate and the search constraints 3 Certificate was not valid in the time interval 4 Not used 5...

Page 350: ...red User logout because of user deassociation The router logged out a user who ended the session User logout because of no authentication response from user The router logged out a user from which the...

Page 351: ...achable 0 Net unreachable 1 Host unreachable 2 Protocol unreachable 3 Port unreachable 4 A packet that needed fragmentation was dropped because it was set to Don t Fragment DF 5 Source route failed 4...

Page 352: ...system RAS displays as the system name if you haven t configured one when the router generates a syslog The facility is defined in the web MAIN MENU LOGS Log Settings page The severity is the log s s...

Page 353: ...to record Use 0 to not record logs for that category 1 to record only logs for that category 2 to record only alerts for that category and 3 to record both logs and alerts for that category Not every...

Page 354: ...05 58 21 172 21 4 154 224 0 1 24 ACCESS BLOCK Firewall default policy IGMP W to W ZW 1 06 08 2004 05 58 20 172 21 3 56 239 255 255 250 ACCESS BLOCK Firewall default policy IGMP W to W ZW 2 06 08 2004...

Page 355: ...oc network or Independent Basic Service Set IBSS The following diagram shows an example of notebook computers using wireless adapters to form an Ad hoc wireless LAN Figure 206 Peer to Peer Communicati...

Page 356: ...connection between APs is called a Distribution System DS This type of wireless LAN topology is called an Infrastructure WLAN The Access Points not only provide communication with the wired network bu...

Page 357: ...lap however To avoid interference due to overlap your AP should be on a channel at least five channels away from a channel that an adjacent AP is using For example if your region has 11 channels and a...

Page 358: ...sion It also reserves and confirms with the requesting station the time frame for the requested transmission Stations can send frames smaller than the specified RTS CTS directly to the AP without the...

Page 359: ...rovide more reliable communications in busy wireless networks Select Short preamble if you are sure the wireless adapters support it and to provide more efficient communications Select Dynamic to have...

Page 360: ...ard was designed to extend the features of IEEE 802 11 to support extended authentication as well as providing additional accounting and control features It is supported by Windows XP and a number of...

Page 361: ...IUS server Types of RADIUS Messages The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user authentication Access Request Sent by an access point r...

Page 362: ...ssible to impersonate an authentication server as MD5 authentication method does not perform mutual authentication Finally MD5 authentication method does not support data encryption with dynamic sessi...

Page 363: ...rformed If this feature is enabled it is not necessary to configure a default encryption key in the Wireless screen You may still configure and store keys here but they will not be used while Dynamic...

Page 364: ...WPA2 use Advanced Encryption Standard AES in the Counter mode with Cipher block chaining Message authentication code Protocol CCMP to offer stronger encryption than TKIP TKIP uses 128 bit keys that a...

Page 365: ...ication These two features are optional and may not be supported in all wireless devices Key caching allows a wireless client to store the PMK it derived through a successful authentication with an AP...

Page 366: ...mple WPA 2 PSK Application Example A WPA 2 PSK application looks as follows 1 First enter identical passwords into the AP and all wireless clients The Pre Shared Key PSK must consist of between 8 and...

Page 367: ...gure these security features Table 167 Wireless Security Relational Matrix AUTHENTICATION METHOD KEY MANAGEMENT PROTOCOL ENCRYPTION METHOD ENTER MANUAL KEY IEEE 802 1X Open None No Disable Enable with...

Page 368: ...P 661H HW Series User s Guide 368 Appendix K...

Page 369: ...king to log into your device Either disable pop up blocking enabled by default in Windows XP SP Service Pack 2 or allow pop up blocking and create an exception for your device s IP address Disable pop...

Page 370: ...his setting Enable pop up Blockers with Exceptions Alternatively if you only want to allow pop up windows from your device see the following steps 1 In Internet Explorer select Tools Internet Options...

Page 371: ...71 Figure 214 Internet Options 3 Type the IP address of your device the web page that you do not want to have blocked with the prefix http For example http 192 168 1 1 4 Click Add to move the IP addre...

Page 372: ...Close to return to the Privacy screen 6 Click Apply to save this setting JavaScripts If pages of the web configurator do not display properly in Internet Explorer check that JavaScripts are allowed 1...

Page 373: ...et Options 2 Click the Custom Level button 3 Scroll down to Scripting 4 Under Active scripting make sure that Enable is selected the default 5 Under Scripting of Java applets make sure that Enable is...

Page 374: ...Scripting Java Permissions 1 From Internet Explorer click Tools Internet Options and then the Security tab 2 Click the Custom Level button 3 Scroll down to Microsoft VM 4 Under Java permissions make...

Page 375: ...de 375 Figure 218 Security Settings Java JAVA Sun 1 From Internet Explorer click Tools Internet Options and then the Advanced tab 2 make sure that Use Java 2 for applet under Java Sun is selected 3 Cl...

Page 376: ...P 661H HW Series User s Guide 376 Figure 219 Java Sun...

Page 377: ...er Class Configuration 241 Bandwidth Manager Monitor 245 Bandwidth Manager Summary 240 Basement 6 Basic wireless security 69 Blocking Time 176 Brute force Attack 149 BSS 355 BW Budget 242 C CA 362 Cab...

Page 378: ...tacks types of 148 DSL Digital Subscriber Line 301 DSL line reinitialize 292 DSLAM Digital Subscriber Line Access Multiplexer 39 Dust 6 Dynamic DNS 37 247 dynamic DNS 37 Dynamic Host Configuration Pro...

Page 379: ...nsfer Protocol 285 I IANA 98 IANA Internet Assigned Number Authority 167 IBSS 355 ICMP echo 149 ID Type and Content 209 IEEE 802 11g 38 359 IEEE 802 11i 38 IGMP 99 IKE Phases 216 Independent Basic Ser...

Page 380: ...otocol Encapsulation 78 My IP Address 204 N Nailed Up Connection 79 NAT 97 138 139 Address mapping rule 143 Application 135 Definitions 133 How it works 134 Mapping Types 135 What it does 134 What NAT...

Page 381: ...o Interference 4 Radio Reception 4 Radio Technician 4 RADIUS 361 Shared Secret Key 362 RADIUS Message Types 361 RADIUS Messages 361 Receiving Antenna 4 Registered 3 Registered Trademark 3 Regular Mail...

Page 382: ...tain Cell Rate SCR 86 91 Sustained Cell Rate SCR 80 Sweden Contact Information 9 Swimming Pool 6 SYN Flood 148 149 SYN ACK 149 Syntax Conventions 33 Syslog 171 System Name 276 System Timeout 252 T Tam...

Page 383: ...48 146 154 159 web configurator screen summary 48 Web Site 8 WEP Wired Equivalent Privacy 39 WEP Encryption 116 WEP encryption 114 Wet Basement 6 Wi Fi Multimedia QoS 126 Wi Fi Protected Access 364 W...

Reviews:

No comments