Prestige 661H/HW Series User’s Guide

Chapter 12 Firewall Configuration

Note: If you configure firewall rules without a good understanding of how they work, you might inadvertently introduce security risks to the firewall and to the protected network. Make sure you test your rules after you configure them.

For example, you may create rules to:

• Block certain types of traffic, such as IRC (Internet Relay Chat), from the LAN to the Internet.
• Allow certain types of traffic, such as Lotus Notes database synchronization, from specific hosts on the Internet to specific hosts on the LAN.
• Allow everyone except your competitors to access a Web server.
• Restrict use of certain protocols, such as Telnet, to authorized users on the LAN.

These custom rules work by comparing the Source IP address, Destination IP address and IP 
protocol type of network traffic to rules set by the administrator. Your customized rules take 
precedence and override the Prestige’s default rules. 

12.3  Rule Logic Overview

Note: Study these points carefully before configuring rules.

12.3.1  Rule Checklist

State the intent of the rule. For example, “This restricts all IRC access from the LAN to the 
Internet.” Or, “This allows a remote Lotus Notes server to synchronize over the Internet to an 
inside Notes server.”

1. Is the intent of the rule to forward or block traffic?

2. What direction of traffic does the rule apply to (refer to Section 12.2 on page 144)?

3. What IP services will be affected?

4. What computers on the LAN are to be affected (if any)?

5. What computers on the Internet will be affected? The more specific, the better. For example, if traffic is being allowed from the Internet to the LAN, it is better to allow only certain machines on the Internet to access the LAN.
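
The checklist above maps onto the fields of a rule, and the note at the start of the chapter asks you to test rules after configuring them. The following Python sketch is an added example, not ZyXEL code or Prestige configuration syntax: it models rules with those fields, evaluates constructed test packets against them, and audits the list for unstated intent, over-broad Internet sources and rules hidden behind earlier ones. The first-match ordering, the default policy values, the service table and all addresses are assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: action taken per direction when no custom rule matches.
DEFAULT_POLICY = {"LAN-to-WAN": "forward", "WAN-to-LAN": "block"}

# Constructed service table: name -> (IP protocol, destination port).
SERVICES = {"IRC": ("tcp", 6667), "TELNET": ("tcp", 23),
            "HTTP": ("tcp", 80), "LOTUS-NOTES": ("tcp", 1352)}


@dataclass(frozen=True)
class Rule:
    intent: str      # checklist: state the intent of the rule
    action: str      # item 1: "forward" or "block"
    direction: str   # item 2: "LAN-to-WAN" or "WAN-to-LAN"
    service: str     # item 3: key into SERVICES
    lan: str         # item 4: affected LAN hosts, CIDR
    internet: str = "0.0.0.0/0"   # item 5: affected Internet hosts, CIDR


@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    dst: str
    proto: str
    dport: int


def _sides(pkt):
    """Return (lan_host, internet_host) for a packet, based on its direction."""
    if pkt.direction == "LAN-to-WAN":
        return ip_address(pkt.src), ip_address(pkt.dst)
    return ip_address(pkt.dst), ip_address(pkt.src)


def matches(rule, pkt):
    """True when direction, service and both address ranges cover the packet."""
    lan_host, net_host = _sides(pkt)
    return (rule.direction == pkt.direction
            and SERVICES[rule.service] == (pkt.proto, pkt.dport)
            and lan_host in ip_network(rule.lan)
            and net_host in ip_network(rule.internet))


def decide(rules, pkt):
    """First matching custom rule wins (assumed); otherwise the default policy."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.intent
    return DEFAULT_POLICY[pkt.direction], "default policy"


def audit(rules):
    """Flag rules that fail the checklist or can never match."""
    findings = []
    for i, rule in enumerate(rules):
        if not rule.intent.strip():
            findings.append((i, "no stated intent"))
        if (rule.action == "forward" and rule.direction == "WAN-to-LAN"
                and ip_network(rule.internet).prefixlen == 0):
            findings.append((i, "forwards from any Internet host"))
        for j, earlier in enumerate(rules[:i]):
            if (earlier.direction == rule.direction
                    and earlier.service == rule.service
                    and ip_network(rule.lan).subnet_of(ip_network(earlier.lan))
                    and ip_network(rule.internet).subnet_of(
                        ip_network(earlier.internet))):
                findings.append((i, f"shadowed by rule {j}"))
                break
    return findings


# Constructed rule set mirroring the guide's examples (private and
# documentation address ranges, not values from the guide).
RULES = [
    Rule("Allow Telnet for the authorized admin PC", "forward", "LAN-to-WAN",
         "TELNET", "192.168.1.5/32"),
    Rule("Restrict Telnet for everyone else on the LAN", "block", "LAN-to-WAN",
         "TELNET", "192.168.1.0/24"),
    Rule("Restrict all IRC access from the LAN to the Internet", "block",
         "LAN-to-WAN", "IRC", "192.168.1.0/24"),
    Rule("Allow remote Notes server to sync with inside Notes server",
         "forward", "WAN-to-LAN", "LOTUS-NOTES", "192.168.1.20/32",
         "203.0.113.10/32"),
]

# Same Telnet rules in the wrong order, plus an over-broad, undocumented rule.
BAD_RULES = [RULES[1], RULES[0],
             Rule("", "forward", "WAN-to-LAN", "HTTP", "192.168.1.30/32")]

if __name__ == "__main__":
    admin_telnet = Packet("LAN-to-WAN", "192.168.1.5", "198.51.100.7", "tcp", 23)
    print(decide(RULES, admin_telnet), decide(BAD_RULES, admin_telnet))
    print(audit(BAD_RULES))
```

With the Telnet rules swapped, the broad block rule matches first and the admin exception is never reached, which is the kind of mistake testing each rule with a packet from every affected host group brings out.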

12.3.2  Security Ramifications

1. Once the logic of the rule has been defined, it is critical to consider the security ramifications created by the rule:

2. Does this rule stop LAN users from accessing critical resources on the Internet? For example, if IRC is blocked, are there users that require this service?

3. Is it possible to modify the rule to be more specific? For example, if IRC is blocked for all users, will a rule that blocks just certain users be more effective?

Summary of Contents for Prestige 661H Series

Page 1: ...Prestige 661H Series ADSL 2 Security Gateway Prestige 661HW Series 802 11g Wireless ADSL 2 Gateway User s Guide Version 3 40 12 2005...

Page 2: ...by ZyXEL Communications Corporation All rights reserved Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products or software described herein Neither does...

Page 3: ...to radio communications If this equipment does cause harmful interference to radio television reception which can be determined by turning the equipment off and on the user is encouraged to try to co...

Page 4: ...er supply is damaged remove it from the power outlet Do NOT attempt to repair the power supply Contact your local vendor to order a new power supply Place connecting cables carefully so that no one wi...

Page 5: ...rovided under this warranty is the exclusive remedy of the purchaser This warranty is in lieu of all other warranties express or implied including any implied warranty of merchantability or fitness fo...

Page 6: ...Denmark sales zyxel dk 45 39 55 07 07 FINLAND support zyxel fi 358 9 4780 8411 www zyxel fi ZyXEL Communications Oy Malminkaari 10 00700 Helsinki Finland sales zyxel fi 358 9 4780 8448 FRANCE info zy...

Page 7: ...support zyxel se 46 31 744 7700 www zyxel se ZyXEL Communications A S Sj porten 4 41764 G teborg Sweden sales zyxel se 46 31 744 7701 UKRAINE support ua zyxel com 380 44 247 69 78 www ua zyxel com Zy...

Page 8: ...Prestige 42 1 1 1 Features of the Prestige 43 1 1 1 1 P 661HW Wireless Features 46 1 1 2 Applications for the Prestige 47 1 1 2 1 Protected Internet Access 47 1 1 2 2 LAN to LAN Application 48 1 1 3 F...

Page 9: ...etup 75 5 2 3 Multicast 75 5 2 4 Any IP 76 5 2 4 1 How Any IP Works 77 5 2 5 Configuring LAN 77 5 3 Configuring Static DHCP 79 Chapter 6 Wireless LAN Prestige 661HW 82 6 1 Introduction 82 6 2 Wireless...

Page 10: ...3 7 1 2 Multiplexing 103 7 1 2 1 VC based Multiplexing 103 7 1 2 2 LLC based Multiplexing 103 7 1 3 VPI and VCI 103 7 1 4 IP Address Assignment 103 7 1 4 1 IP Assignment with PPPoA or PPPoE Encapsulat...

Page 11: ...g Dynamic DNS 126 Chapter 10 Time and Date 128 10 1 Configuring Time and Date 128 Chapter 11 Firewalls 130 11 1 Firewall Overview 130 11 2 Types of Firewalls 130 11 2 1 Packet Filtering Firewalls 130...

Page 12: ...tion 146 12 3 3 2 Service 146 12 3 3 3 Source Address 146 12 3 3 4 Destination Address 146 12 4 Connection Direction 146 12 4 1 LAN to WAN Rules 146 12 4 2 Alerts 147 12 5 Configuring Basic Firewall S...

Page 13: ...N Screens 176 15 1 VPN IPSec Overview 176 15 2 IPSec Algorithms 176 15 2 1 AH Authentication Header Protocol 176 15 2 2 ESP Encapsulating Security Payload Protocol 177 15 3 My IP Address 177 15 4 Secu...

Page 14: ...nfiguring Remote Management 206 Chapter 17 Universal Plug and Play UPnP 208 17 1 Introducing Universal Plug and Play 208 17 1 1 How do I know if I m using UPnP 208 17 1 2 NAT Traversal 208 17 1 3 Caut...

Page 15: ...19 9 Configuring Class Setup 235 19 9 1 Media Bandwidth Management Class Configuration 236 19 9 2 Media Bandwidth Management Statistics 239 19 10 Bandwidth Monitor 240 Chapter 20 Trend Micro Security...

Page 16: ...ure to Configure Dynamic DNS 273 Chapter 24 Menu 2 WAN Backup Setup 276 24 1 Introduction to WAN Backup Setup 276 24 2 Configuring WAN Backup in Menu 2 276 24 2 1 Traffic Redirect Setup 277 Chapter 25...

Page 17: ...plexing non PPP Encapsulation 301 28 5 2 LLC based Multiplexing or PPP Encapsulation 301 28 5 3 Advance Setup Options 302 Chapter 29 Static Route Setup 304 29 1 IP Static Route Overview 304 29 2 Confi...

Page 18: ...er Set for the Prestige 332 33 3 Filter Rules Summary Menus 333 33 4 Configuring a Filter Rule 334 33 4 1 TCP IP Filter Rule 335 33 4 2 Generic Filter Rule 337 33 5 Filter Types and NAT 339 33 6 Examp...

Page 19: ...nagement Limitations 367 37 2 6 Backup Configuration Using TFTP 368 37 2 7 TFTP Command Example 368 37 2 8 GUI based TFTP Clients 368 37 3 Restore Configuration 369 37 3 1 Restore Using FTP 369 37 3 2...

Page 20: ...icy Routing Example 391 Chapter 41 Call Scheduling 396 41 1 Introduction 396 Chapter 42 VPN IPSec Setup 400 42 1 VPN IPSec Overview 400 42 2 IPSec Summary Screen 400 42 3 IPSec Setup 403 42 4 IKE Setu...

Page 21: ...ngs 435 Windows 2000 NT XP 435 Verifying Settings 440 Macintosh OS 8 9 440 Verifying Settings 442 Macintosh OS X 442 Verifying Settings 443 Appendix C IP Subnetting 444 IP Addressing 444 IP Classes 44...

Page 22: ...ing the VPN Tunnel via SMT 474 VPN Troubleshooting 474 VPN Log 475 IPSec Debug 476 Use a VPN Tunnel 476 FTP Example 477 Appendix I Splitters and Microfilters 480 Connecting a POTS Splitter 480 Telepho...

Page 23: ...Algorithm 5 508 EAP TLS Transport Layer Security 509 EAP TTLS Tunneled Transport Layer Service 509 PEAP Protected EAP 509 LEAP 509 Dynamic WEP Key Exchange 509 WPA 510 User Authentication 510 Encrypt...

Page 24: ...tion 65 Figure 16 Internet Access Wizard Setup Connection Tests 66 Figure 17 Media Bandwidth Mgnt Wizard Setup 69 Figure 18 Media Bandwidth Mgnt Wizard Setup Second Screen 70 Figure 19 Media Bandwidth...

Page 25: ...Way Handshake 134 Figure 59 SYN Flood 134 Figure 60 Smurf Attack 135 Figure 61 Stateful Inspection 137 Figure 62 Firewall Default Policy 147 Figure 63 Firewall Rule Summary 148 Figure 64 Firewall Edit...

Page 26: ...Advanced Settings 217 Figure 102 Internet Connection Properties Advanced Settings Add 217 Figure 103 System Tray Icon 218 Figure 104 Internet Connection Status 218 Figure 105 Network Connections 219 F...

Page 27: ...enu 23 1 Change Password 271 Figure 147 Menu 1 General Setup 273 Figure 148 Menu 1 1 Configure Dynamic DNS 274 Figure 149 Menu 2 WAN Backup Setup 276 Figure 150 Menu 2 1Traffic Redirect Setup 277 Figu...

Page 28: ...85 Menu 15 2 NAT Server Setup 318 Figure 186 Menu 15 2 1 NAT Server Setup 319 Figure 187 Multiple Servers Behind NAT Example 319 Figure 188 NAT Example 1 320 Figure 189 Menu 4 Internet Access NAT Exam...

Page 29: ...230 Sample Error and Information Messages 359 Figure 231 Menu 24 3 2 System Maintenance Syslog and Accounting 359 Figure 232 Syslog Example 360 Figure 233 Menu 24 4 System Maintenance Diagnostic 361 F...

Page 30: ...net Options Security 426 Figure 275 Security Setting ActiveX Controls 427 Figure 276 WIndows 95 98 Me Network Configuration 433 Figure 277 Windows 95 98 Me TCP IP Properties IP Address 434 Figure 278...

Page 31: ...307 Prestige with ISDN 481 Figure 308 Single Computer per Router Hardware Configuration 485 Figure 309 Prestige as a PPPoE Client 485 Figure 310 Displaying Log Categories Example 500 Figure 311 Displa...

Page 32: ...Setup Second Screen 70 Table 14 LAN Setup 78 Table 15 LAN Static DHCP 80 Table 16 Wireless LAN 85 Table 17 MAC Address Filter 88 Table 18 Wireless LAN 802 1x WPA No Access Authentication 91 Table 19 W...

Page 33: ...guration Example 183 Table 58 VPN IKE 185 Table 59 VPN IKE Advanced Setup 191 Table 60 VPN Manual Key 195 Table 61 VPN SA Monitor 198 Table 62 VPN Global Setting 198 Table 63 Telecommuters Sharing One...

Page 34: ...Remote Node Profile 296 Table 104 Menu 11 3 Remote Node Network Layer Options 298 Table 105 Menu 11 8 Advance Setup Options 303 Table 106 Menu12 1 1 Edit IP Static Route 306 Table 107 Remote Node Netw...

Page 35: ...IKE Setup 407 Table 140 Active Protocol Encapsulation and Security Protocol 408 Table 141 Menu 27 1 1 2 Manual Setup 409 Table 142 Menu 27 2 SA Monitor 413 Table 143 Troubleshooting Starting Up Your P...

Page 36: ...99 Table 184 RFC 2408 ISAKMP Payload Types 499 Table 185 IEEE 802 11g 506 Table 186 Comparison of EAP Authentication Types 510 Table 187 Wireless Security Relational Matrix 511 Table 188 Abbreviations...

Page 37: ...Prestige 661H HW Series User s Guide 37 List of Tables...

Page 38: ...tor System Management Terminal SMT or command interpreter interface to configure your Prestige Not all features can be configured through all interfaces Syntax Conventions Enter means for you to type...

Page 39: ...Site Please refer to www zyxel com for an online glossary of networking terms and additional support documentation User Guide Feedback Help us help you E mail all User Guide related comments question...

Page 40: ...e upstream capacity Asymmetrical services ADSL are suitable for Internet users because more information is usually downloaded than uploaded For example a simple button click in a web browser can start...

Page 41: ...Prestige 661H HW Series User s Guide 41 Introduction to DSL...

Page 42: ...ide pertain to the P 661HW series only Models ending in 1 for example Prestige 661HW 61 denote a device that works over the analog telephone system POTS Plain Old Telephone Service Models ending in 3...

Page 43: ...tically adjust to either a crossover or straight through Ethernet cable High Speed Internet Access Your Prestige ADSL ADSL2 ADSL2 router can support downstream transmission rates of up to 24Mbps and u...

Page 44: ...rm the filtering and give trusted LAN IP addresses unfiltered Internet access IPSec VPN Capability Establish a Virtual Private Network VPN to connect with business partners and branch offices using da...

Page 45: ...dress allowing the host to be more easily accessible from various locations on the Internet You must register for this service with a Dynamic DNS service provider DHCP DHCP Dynamic Host Configuration...

Page 46: ...d Key differences between WPA and WEP are user authentication and improved data encryption Wireless g Wireless g technology allows super fast transmission rates actual speed depends on environment amo...

Page 47: ...ts the ADSL standards as shown in Table 1 on page 42 In addition the P 661HW allows wireless clients access to your network resources The Prestige provides protection from attacks by Internet hackers...

Page 48: ...r Prestige 48 Figure 1 Protected Internet Access Applications ss 1 1 2 2 LAN to LAN Application You can use the Prestige to connect two geographically dispersed networks over the ADSL line A typical L...

Page 49: ...ON PWR SYS Green On The Prestige is receiving power and functioning properly Blinking The Prestige is rebooting or performing diagnostics Red On Power to the Prestige is too low None Off The system is...

Page 50: ...nding receiving data through the wireless LAN None Off The wireless LAN is not ready or has failed DSL PPP Green Fast Blinking The Prestige is sending receiving non PPP data Slow Blinking The Prestige...

Page 51: ...Prestige 661H HW Series User s Guide 51 Chapter 1 Getting To Know Your Prestige...

Page 52: ...ervice Pack 2 JavaScripts enabled by default Java permissions enabled by default See the Troubleshooting chapter if you need to make sure these functions are allowed in Internet Explorer 2 1 1 Accessi...

Page 53: ...ars every time you log in Figure 6 Change Password at Login 7 You should now see the SITE MAP screen Note The Prestige automatically times out after five minutes of inactivity Simply log back into the...

Page 54: ...b screens in this guide as an example Screens vary slightly for different Prestige models Click Wizard Setup to begin a series of screens to configure your Prestige for the first time Click a link und...

Page 55: ...LAN DHCP and TCP IP settings Wireless LAN P 661HW only Wireless Use this screen to configure the wireless LAN settings MAC Filter Use this screen to change MAC filter settings on the Prestige 802 1x W...

Page 56: ...NetBIOS traffic through all tunnels Remote Management Use this screen to configure through which interface s and from which IP address es users can use Telnet FTP Web to manage the Prestige UPnP Use t...

Page 57: ...he Prestige Diagnostic General These screens display information to help you identify problems with the Prestige general connection DSL Line These screens display information to help you identify prob...

Page 58: ...creens for Internet access in the web configurator 3 1 Introduction Use the Wizard Setup screens to configure your system for Internet access with the information given to you by your ISP Note See the...

Page 59: ...sulation drop down list box Choices vary depending on what you select in the Mode field If you select Bridge in the Mode field select either PPPoA or RFC 1483 If you select Routing in the Mode field s...

Page 60: ...btain an IP Address Automatically if you have a dynamic IP address otherwise select Static IP Address and type your ISP assigned IP address in the text box below Connection Select Connect on Demand wh...

Page 61: ...ection with RFC 1483 LABEL DESCRIPTION IP Address This field is available if you select Routing in the Mode field Type your ISP assigned IP address in this field Network Address Translation Select Non...

Page 62: ...have a dynamic IP address otherwise select Static IP Address and type your ISP assigned IP address in the IP Address text box below Subnet Mask Enter a subnet mask in dotted decimal notation Refer to...

Page 63: ...ss and type your ISP assigned IP address in the IP Address text box below Connection Select Connect on Demand when you don t want the connection up all the time and specify an idle time out in seconds...

Page 64: ...To change the LAN information on the Prestige click Change LAN Configurations Otherwise click Save Settings to save the configuration and skip to the section 3 13 Figure 14 Internet Access Wizard Setu...

Page 65: ...f you want to access the web configurator again LAN Subnet Mask Enter a subnet mask in dotted decimal notation DHCP DHCP Server From the DHCP Server drop down list box select On to allow your Prestige...

Page 66: ...nch your web browser and navigate to www zyxel com Internet access is just the beginning Refer to the rest of this guide for more detailed information on the complete range of Prestige features If you...

Page 67: ...Prestige 661H HW Series User s Guide 67 Chapter 3 Wizard Setup for Internet Access...

Page 68: ...through the Prestige and be managed by bandwidth management 4 1 1 Predefined Media Bandwidth Management Services The following is a description of the services that you can select and to which you ca...

Page 69: ...t 25 HTTP port 80 eMule These programs use advanced file sharing applications relying on central servers to search for files They use default port 4662 WWW The World Wide Web WWW is an Internet system...

Page 70: ...AN port Select the service to apply bandwidth management These checkboxes are applicable when you select the Active check box above Create bandwidth management classes by selecting services from the l...

Page 71: ...nagement You may now continue configuring your device Click Return to Main Menu to return to the Site Map screen Figure 19 Media Bandwidth Mgnt Wizard Setup Finish Back Click Back to return to the pre...

Page 72: ...tige The actual physical connection determines whether the Prestige ports are LAN or WAN ports There are two separate IP networks one inside the LAN network and the other outside the WAN network as sh...

Page 73: ...ver extensions through the DNS proxy feature If the Primary and Secondary DNS Server fields in the LAN Setup screen are not specified for instance left as 0 0 0 0 the Prestige tells the DHCP clients t...

Page 74: ...do not use any other number unless you are told otherwise Let s say you select 192 168 1 0 as the network number which covers 254 individual addresses from 192 168 1 1 to 192 168 1 254 zero and 255 a...

Page 75: ...out RIP packets but will not accept any RIP packets received None the Prestige will not send any RIP packets and will ignore any RIP packets received The Version field controls the format and the bro...

Page 76: ...the Prestige In cases where your computer is required to use a static IP address in another network you may need to manually configure the network settings of the computer every time you want to acces...

Page 77: ...attempts to access the Internet it sends packets to its default gateway which is not the Prestige by looking at the MAC address in its ARP table 2 When the computer cannot locate the default gateway...

Page 78: ...ige acts as a surrogate DHCP server and relays DHCP requests and responses between the remote server and the clients Enter the IP address of the actual remote DHCP server in the Remote DHCP Server fie...

Page 79: ...y your ISP if given RIP Direction Select the RIP direction from None Both In Only and Out Only RIP Version Select the RIP version from RIP 1 RIP 2B and RIP 2M Multicast IGMP Internet Group Multicast P...

Page 80: ...AN Static DHCP LABEL DESCRIPTION This is the index number of the Static IP table entry row MAC Address Type the MAC address with colons of a computer on your LAN IP Address This field specifies the si...

Page 81: ...Prestige 661H HW Series User s Guide 81 Chapter 5 LAN Setup...

Page 82: ...thentication restricting access by device MAC address and hiding the Prestige identity 6 2 1 Encryption Use WPA security if you have WPA aware wireless clients and a RADIUS server WPA has user authent...

Page 83: ...don t hide the ESSID at least you should change the default one 6 2 5 Configuring Wireless LAN on the Prestige 1 Configure the ESSID and WEP in the Wireless screen If you configure WEP you can t confi...

Page 84: ...access points to keep network communications private It encrypts unicast and multicast communications in a network Both the wireless stations and the access points must use the same WEP key Your Prest...

Page 85: ...vironment among Wireless g enabled access points and wireless clients ESSID The ESSID Extended Service Set IDentification is a unique name to identify the Prestige in the wireless LAN Wireless station...

Page 86: ...te four different WEP keys At the time of writing you cannot use passphrase to generate 256 bit WEP keys Generate After you enter the passphrase click Generate to have the Prestige generate four diffe...

Page 87: ...characters for example 00 A0 C5 00 00 02 You need to know the MAC addresses of the devices to configure this screen To change your Prestige s MAC filter settings click Wireless LAN MAC Filter to open...

Page 88: ...haracters are case sensitive 2 The AP checks each client s password and only allows it to join the network if the passwords match 3 The AP derives and distributes keys to the wireless clients 4 The AP...

Page 89: ...tribution system wired link to the LAN 1 The AP passes the wireless client s authentication request to the RADIUS server 2 The RADIUS server then checks the user s identification against its database...

Page 90: ...oftware s Odyssey client and Meetinghouse Data Communications AEGIS client The Windows XP patch is a free download that adds WPA capability to Windows XP s built in Zero Configuration wireless client...

Page 91: ...he wired network select a control method from the drop down list box Choose from No Access Allowed No Authentication Required and Authentication Required No Access Allowed blocks all wireless stations...

Page 92: ...method from the drop down list box Choose from No Authentication Required Authentication Required and No Access Allowed The following fields are only available when you select Authentication Required...

Page 93: ...this drop down list box to select which database the Prestige should use first to authenticate a wireless station Before you specify the priority make sure you have set up the corresponding database c...

Page 94: ...if the Key Management Protocol is WPA and WPA Mixed Mode is disabled WEP is used automatically if you have enabled WPA Mixed Mode All unicast traffic is automatically encrypted by TKIP when WPA or WPA...

Page 95: ...tials Type a pre shared key from 8 to 63 printable characters including spaces alphabetic characters are case sensitive WPA Mixed Mode The Prestige can operate in WPA Mixed Mode which supports both cl...

Page 96: ...is way To change your Prestige s local user database click Wireless LAN Local User Database The screen appears as shown Figure 34 Local User Database The following table describes the fields in this s...

Page 97: ...the main wireless LAN setup screen Apply Click Apply to save these settings back to the Prestige Cancel Click Cancel to begin configuring this screen again Table 22 Local User Database continued LABE...

Page 98: ...e OTIST using the Reset button or the web configurator Shared Secret Enter a password up to 31 alphanumeric characters as the key to be shared between the external authentication server and the access...

Page 99: ...key up to eight printable characters The default OTIST setup key is 01234567 Note If you change the OTIST setup key here you must also make the same change on the wireless client s Yes To have OTIST...

Page 100: ...ator screen and in the wireless client s Adapter screen all within three minutes at the time or writing You can start OTIST in the wireless clients and AP in any order but they must all be within rang...

Page 101: ...d AP you must still click Start in the AP OTIST web configurator screen or hold in the Reset button for one or two seconds for the AP to transfer settings 4 If you change the SSID or the keys on the A...

Page 102: ...P Gateway field in the second wizard screen You can get this information from your ISP 7 1 1 2 PPP over Ethernet PPPoE provides access control and billing functionality in a manner similar to dial up...

Page 103: ...ifying information being contained in each packet header Despite the extra bandwidth and processing overhead this method may be advantageous if it is not practical to have a separate VC for each carri...

Page 104: ...ion is down A nailed up connection can be very expensive for obvious reasons Do not specify a nailed up connection unless your telephone company offers flat rate service or you need a constant connect...

Page 105: ...service provider PPPoE offers an access and authentication method that works with existing access control systems for example Radius PPPoE provides a login and authentication method that the existing...

Page 106: ...this time more cells up to the MBS can be sent at the PCR again If the PCR SCR or MBS is set to the default of 0 the system will assign a maximum value that correlates to your upstream line rate The f...

Page 107: ...restige 661H HW Series User s Guide 107 Chapter 7 WAN Setup 7 6 Configuring WAN Setup To change your Prestige s WAN remote node settings click WAN and WAN Setup The screen differs by the encapsulation...

Page 108: ...ields in this screen Table 25 WAN Setup LABEL DESCRIPTION Name Enter the name of your Internet Service Provider e g MyISP This information is for identification purposes only Mode Select Routing defau...

Page 109: ...Cell Rate PCR This is the maximum rate at which the sender can send cells Type the PCR here Sustain Cell Rate The Sustain Cell Rate SCR sets the average cell rate long term that can be transmitted Ty...

Page 110: ...tive to NAT for application where NAT is not appropriate Disable PPPoE pass through if you do not need to allow hosts on the LAN to use PPPoE client software on their computers to connect to the ISP S...

Page 111: ...or three logical networks with the Prestige itself as the gateway for each LAN network Put the protected LAN in one subnet Subnet 1 in the following figure and the backup gateway in another subnet Sub...

Page 112: ...ivate either traffic redirect you must configure at least one IP address here When using a WAN backup connection the Prestige periodically pings the addresses configured here and uses the other WAN ba...

Page 113: ...P Address Metric This field sets this route s priority among the routes the Prestige uses The metric represents the cost of transmission A router determines the best route for transmission by choosing...

Page 114: ...refers to the IP address of a host when the packet is in the local network while the global address refers to the IP address of the host when the same packet is traveling in the WAN side Note that ins...

Page 115: ...age 117 NAT offers the additional benefit of firewall protection With no servers defined your Prestige filters out all incoming inquiries thus preventing intruders from probing your network For more i...

Page 116: ...w NAT Works 8 1 4 NAT Application The following figure illustrates a possible NAT application where three inside LANs logical LANs using IP Alias behind the Prestige can communicate with three distinc...

Page 117: ...the Prestige maps the multiple local IP addresses to shared global IP addresses Many to Many No Overload In Many to Many No Overload mode the Prestige maps each local IP address to a unique global IP...

Page 118: ...ort 80 and FTP on port 21 In some cases such as for unknown services or where one server can support more than one service for example both FTP and web service it might be better to specify a range of...

Page 119: ...host on the Internet IP address assigned by ISP Figure 50 Multiple Servers Behind NAT Example 8 4 Selecting the NAT Mode You must create a firewall rule in addition to setting up SUA NAT to allow traf...

Page 120: ...creen Refer to Table 29 on page 118 for port numbers commonly used for particular services Table 30 NAT Mode LABEL DESCRIPTION None Select this radio button to disable NAT SUA Only Select this radio b...

Page 121: ...s of ports enter the start port number here and the end port number in the End Port No field End Port No Enter a port number in this field To forward only one port enter the port number again in the S...

Page 122: ...e your Prestige s address mapping settings click NAT Select Full Feature and click Edit Details to open the following screen Figure 53 Address Mapping Rules The following table describes the fields in...

Page 123: ...T mapping type M 1 Many to One mode maps multiple local IP addresses to one global IP address This is equivalent to SUA i e PAT port address translation ZyXEL s Single User Account feature that previo...

Page 124: ...utside world Local Start IP This is the starting local IP address ILA Local IP addresses are N A for Server port mapping Local End IP This is the end local IP address ILA If your rule is for all local...

Page 125: ...Prestige 661H HW Series User s Guide 125 Chapter 8 Network Address Translation NAT Screens...

Page 126: ...friends or relatives will always be able to call you even if they don t know your IP address First of all you need to have registered a dynamic DNS account with www dyndns org This is for people with...

Page 127: ...Provider This is the name of your Dynamic DNS service provider Host Names Type the domain name assigned to your Prestige by your Dynamic DNS provider E mail Address Type your e mail address User Type...

Page 128: ...his screen to configure the Prestige s time and date settings 10 1 Configuring Time and Date To change your Prestige s time and date click Time And Date The screen appears as shown Use this screen to...

Page 129: ...ter the month and day that your daylight savings time starts on if you selected Daylight Savings End Date Enter the month and day that your daylight savings time ends on if you selected Daylight Savin...

Page 130: ...For a firewall to guard effectively you must design and deploy it appropriately This requires integrating the firewall into a broad information security policy In addition specific policies must be im...

Page 131: ...hat some proxies support See Section 11 5 on page 136 for more information on stateful inspection Firewalls of one type or another have become an integral part of standard security solutions for enter...

Page 132: ...set of application protocols that perform specific functions An extension number called the TCP port or UDP port identifies these protocols such as HTTP Web FTP File Transfer Protocol POP3 E mail etc...

Page 133: ...ash hang or reboot Teardrop attack exploits weaknesses in the re assembly of IP packet fragments As data is transmitted through a network IP packets are often broken up into smaller chunks Each fragme...

Page 134: ...nown as a backlog queue SYN ACKs are moved off the queue only when an ACK comes back or when an internal timer which is set at relatively long intervals terminates the three way handshake Once the que...

Page 135: ...up the intermediary network but will also congest the network of the spoofed source IP address known as the victim network This flood of broadcast traffic consumes all available bandwidth making commu...

Page 136: ...outer or firewall The Prestige blocks all IP Spoofing attempts 11 5 Stateful Inspection With stateful inspection fields of the packets are compared to packets that are already known to be trusted For...

Page 137: ...termine and record information about the state of the packet s connection This information is recorded in a new state table entry created for the new connection If there is not a firewall rule for thi...

Page 138: ...irewall rules is a very powerful tool Using custom rules it is possible to disable all firewall protection or block all access to the Internet Use extreme caution when creating or deleting firewall ru...

Page 139: ...owed in through the firewall simply because they are too dangerous and contain too little tracking information For instance ICMP redirect packets are never allowed in since they could be used to rerou...

Page 140: ...hackers to crack your system Turn your computer off when not in use Never give out a password or any sensitive information to an unsolicited telephone call or e mail Never e mail sensitive informatio...

Page 141: ...network B If the filter blocks the traffic from A to B it also blocks the traffic from B to A Filters can not distinguish traffic originating from an inside host or an outside host by IP address To bl...

Page 142: ...ic between inside host networks and outside host networks Remember that filters can not distinguish traffic originating from an inside host or an outside host by IP address The firewall performs bette...

Page 144: ...rection of travel of packets to which they apply Note The LAN includes both the LAN port and the WLAN By default the Prestige s stateful packet inspection allows packets traveling in the following dir...

Page 145: ...ese points carefully before configuring rules 12 3 1 Rule Checklist State the intent of the rule For example This restricts all IRC access from the LAN to the Internet Or This allows a remote Lotus No...

Page 146: ...ices 12 3 3 3 Source Address What is the connection s source address is it on the LAN WAN Is it a single IP a range of IPs or a subnet 12 3 3 4 Destination Address What is the connection s destination...

Page 147: ...a message can be immediately sent to an e mail account that you specify in the Log Settings screen see the chapter on logs 12 5 Configuring Basic Firewall Settings Click Firewall and then Default Pol...

Page 148: ...ch they apply For example LAN to LAN Router means packets traveling from a computer subnet on the LAN to either another computer subnet on the LAN interface of the Prestige or the Prestige itself Defa...

Page 149: ...k source or destination address is equivalent to Any Destination IP This drop down list box displays the destination addresses or ranges of addresses to which this firewall rule applies Please note th...

Page 150: ...ctions to create a new rule 1 In the Rule Summary screen type the index number for where you want to put the rule For example if you type 6 your new rule becomes number 6 and the previous rule 6 if th...

Page 151: ...Prestige 661H HW Series User s Guide 151 Chapter 12 Firewall Configuration Figure 64 Firewall Edit Rule...

Page 152: ...ox above and click Delete to remove it Services Available Selected Services Please see Section 12 10 on page 158 for more information on services available Highlight a service from the Available Servic...

Page 153: ...ll Customized Services 12 8 Creating Editing A Customized Service Click a rule number in the Firewall Customized Services screen to create a new custom port or edit an existing one This action display...

Page 154: ...s LABEL DESCRIPTION Service Name Type a unique name for your custom port Service Type Choose the IP port TCP UDP or TCP UDP that defines your customized port from the drop down list box Port Configura...

Page 155: ...ex number for where you want to put the rule For example if you type 6 your new rule becomes number 6 and the previous rule 6 if there is one becomes rule 7 4 Click Insert to display the firewall rule...

Page 156: ...vices link to open the Customized Service screen 8 Click an index number to display the Customized Services Config screen and configure the screen as follows and click Apply Figure 69 Edit Custom Port...

Page 157: ...elect Customized Services Note Custom ports show up with an before their names in the Services list box and the Rule Summary list box Click Apply after you ve created your custom port On completing th...

Page 158: ...the IP protocol type TCP UDP or ICMP The second field indicates the IP port number that defines the service Note that there may be more than one IP protocol type For example look at the default confi...

Page 159: ...lticast Protocol is used when sending packets to a specific group of hosts NEWS TCP 144 A protocol for news groups NFS UDP 2049 Network File System NFS is a client server distributed file service that...

Page 160: ...agement Program SNMP TRAPS TCP UDP 162 Traps for use with the SNMP RFC 1215 SQL NET TCP 1521 Structured Query Language is an interface to access data on many different types of database systems includ...

Page 161: ...vent hackers from finding the Prestige by probing for unused ports If you select this option the Prestige will not respond to port request s for unused ports thus leaving the unused ports and the Pres...

Page 162: ...Figure 58 on page 134 For UDP half open means that the firewall has detected no return traffic The Prestige measures both the total number of existing half open sessions and the rate of session establ...

Page 163: ...on requests to the host giving the server time to handle the present connections The Prestige continues to block all new connection requests until the Blocking Time expires The Prestige also sends ale...

Page 164: ...s Do not set Maximum Incomplete High to lower than the current Maximum Incomplete Low number 100 existing half open sessions The above values cause the Prestige to start deleting half open sessions w...

Page 166: ...ule for when the Prestige performs content filtering You can also specify trusted IP addresses on the LAN for which the Prestige will not perform content filtering 13 2 Configuring Keyword Blocking Us...

Page 167: ...s that you have configured the Prestige to block Delete Highlight a keyword in the box and click Delete to remove it Clear All Click Clear All to remove all of the keywords from the list Keyword Type...

Page 168: ...me of the day or select the All day check box you want the content filtering to be active Back Click Back to return to the previous screen Apply Click Apply to save your changes Cancel Click Cancel to...

Page 170: ...tions for secure data communications across a public network like the Internet IPSec is built around a number of standardized cryptographic techniques to provide confidentiality data integrity and aut...

Page 171: ...o or More Private Networks Together Connect branch offices and business partners over the Internet with significant cost savings and improved performance when compared to leased lines between sites Ac...

Page 172: ...yption Algorithm describes the use of encryption techniques such as DES Data Encryption Standard and Triple DES algorithms The Authentication Algorithms HMAC MD5 RFC 2403 and HMAC SHA 1 RFC 2404 provi...

Page 173: ...tended forward into the IP header to verify the integrity of the entire packet by use of portions of the original IP header in the hashing process 14 3 2 Tunnel Mode Tunnel mode encapsulates the entir...

Page 174: ...NAT in the middle so it assumes that the data has been maliciously altered IPSec using ESP in Tunnel mode encapsulates the entire original packet including headers in a new IP packet The new IP packe...

Page 176: ...the AH and ESP protocols The primary function of key management is to establish and maintain the SA between systems Once the SA is established the transport of data may commence 15 2 1 AH Authenticat...

Page 177: ...ata encryption using a private secret key DES applies a 56 bit key to each 64 bit block of data MD5 default MD5 Message Digest 5 produces a 128 bit digest to authenticate packet data 3DES Triple DES 3...

Page 178: ...in name in the Secure Gateway Address field if the remote secure gateway has a dynamic WAN IP address and is using DDNS The Prestige has to rebuild the VPN tunnel each time the remote secure gateway s...

Page 179: ...ys the identification name for this VPN policy Active This field displays whether the VPN policy is active or not A Yes signifies that this VPN policy is active No signifies that this VPN policy is no...

Page 180: ...omain names to private IP addresses on the remote network Remote Address This is the IP address es of computer s on the remote network behind the remote IPSec router This field displays N A when the S...

Page 181: ...rom remote IPSec routers that have dynamic WAN IP addresses Telecommuters can use separate passwords to simultaneously connect to the Prestige from IPSec routers with dynamic IP addresses see Section 1...

Page 182: ...le 55 Peer ID Type and Content Fields PEER ID TYPE CONTENT IP Type the IP address of the computer with which you will make the VPN connection or leave the field blank to have the Prestige automaticall...

Page 183: ...hase 1 IKE negotiation see Section 15 11 on page 188 for more on IKE phases It is called pre shared because you have to share it with another party before you can communicate with them over a secure con...

Page 184: ...Prestige 661H HW Series User s Guide Chapter 15 VPN Screens 184 Figure 83 VPN IKE The following table describes the fields in this screen...

Page 185: ...Local IP addresses must be static and correspond to the remote IPSec router s configured remote IP addresses Two active SAs can have the same configured local or remote IP address but not both You ca...

Page 186: ...mation Local ID Type Select IP to identify this Prestige by its IP address Select DNS to identify this Prestige by a domain name Select E mail to identify this Prestige by an e mail address Content Wh...

Page 187: ...y Protocol VPN Protocol Select ESP if you want to use ESP Encapsulation Security Payload The ESP protocol RFC 2406 provides encryption as well as some of the services offered by AH If you select ESP h...

Page 188: ...SA should stay up before it times out An IKE SA times out when the IKE SA lifetime period expires If an IKE SA times out when an IPSec SA is already established the IPSec SA stays connected Authentic...

Page 189: ...ions Main Mode ensures the highest level of security when the communicating parties are negotiating authentication phase 1 It uses 6 messages in three round trips SA negotiation Diffie Hellman exchang...

Page 190: ...derived from previous keys The time consuming Diffie Hellman exchange is the trade off for this extra security This may be unnecessary for data that does not require such security so PFS is disabled...

Page 191: ...to Denial of Service DoS attacks The IPSec receiver can detect and reject old or duplicate packets to protect against replay attacks Select YES from the drop down menu to enable replay detection or se...

Page 192: ...drop down list box When you use one of these encryption algorithms for data communications both the sending device and the receiving device must use the same secret key which can be used to encrypt an...

Page 193: ...eased latency and decreased throughput This implementation of AES uses a 128 bit key AES is faster than 3DES Select NULL to set up a tunnel without encryption When you select NULL you do not enter an...

Page 194: ...15 14 Configuring Manual Key You only configure VPN Manual Key when you select Manual in the IPSec Key Mode field on the VPN IKE screen This is the VPN Manual Key screen as shown next Figure 86 VPN Ma...

Page 195: ...IP Address Start When the Local Address Type field is configured to Single enter a static IP address on the LAN behind your Prestige When the Local Address Type field is configured to Range enter the...

Page 196: ...p down list box When DES is used for data communications both sender and receiver must know the same secret key which can be used to encrypt and decrypt the message or to generate and verify a message...

Page 197: ...resh to display active VPN connections This screen is read only The following table describes the fields in this tab When there is outbound traffic but no inbound traffic the SA times out automaticall...

Page 198: ...ions latency delay Disconnect Select Disconnect next to a security association and then click Apply to stop that security association Back Click Back to return to the previous screen Apply Click Apply...

Page 199: ...for an example configuration that allows multiple telecommuters A B and C in the figure to use one VPN rule to simultaneously access a Prestige at headquarters HQ in the figure The telecommuters do n...

Page 200: ...should not overlap See the following table and figure for an example where three telecommuters each use a different VPN rule for a VPN connection with a Prestige located at headquarters The Prestige...

Page 201: ...uarters Prestige Rule 1 Local ID Type IP Peer ID Type IP Local ID Content 192 168 2 12 Peer ID Content 192 168 2 12 Local IP Address 192 168 2 12 Secure Gateway Address telecommuter1 com Remote Addres...

Page 202: ...HW Series User s Guide Chapter 15 VPN Screens 202 15 18 VPN and Remote Management If a VPN tunnel uses Telnet FTP WWW then you should configure remote management Remote Management to allow access for...

Page 204: ...our Prestige from a remote location via Internet WAN only ALL LAN and WAN LAN only Neither Disable When you Choose WAN only or ALL LAN WAN you still need to configure a firewall rule to allow access T...

Page 205: ...ll rule that blocks it 16 1 2 Remote Management and NAT When NAT is enabled Use the Prestige s WAN IP address when configuring from the WAN Use the Prestige s LAN IP address when configuring from the...

Page 206: ...otes a service that you may use to remotely manage the Prestige Access Status Select the access interface Choices are All LAN Only WAN Only and Disable Port This field shows the port number for the re...

Page 208: ...will appear as a separate icon Selecting the icon of a UPnP device will allow you to access the information and properties of that device 17 1 2 NAT Traversal UPnP NAT traversal automates the process...

Page 209: ...ation supports IGD 1 0 Internet Gateway Device At the time of writing ZyXEL s UPnP implementation supports Windows Messenger 4 6 and 4 7 while Windows Messenger 5 0 and Xbox are still being tested UPn...

Page 210: ...estige s IP address although you must still enter the password to access the web configurator Allow users to make configuration changes through UPnP Select this check box to allow UPnP enabled applica...

Page 211: ...s Setup Communication 3 In the Communications window select the Universal Plug and Play check box in the Components selection box Figure 95 Add Remove Programs Windows Setup Communication Components 4...

Page 212: ...ndows XP 1 Click Start and Control Panel 2 Double click Network Connections 3 In the Network Connections window click Advanced in the main menu and select Optional Networking Components Figure 96 Netw...

Page 213: ...661H HW Series User s Guide 213 Chapter 17 Universal Plug and Play UPnP Figure 97 Windows Optional Networking Components Wizard 5 In the Networking Services window select the Universal Plug and Play c...

Page 214: ...section shows you how to use the UPnP feature in Windows XP You must already have UPnP installed in Windows XP and UPnP activated on the Prestige Make sure the computer is connected to a LAN port of...

Page 215: ...W Series User s Guide 215 Chapter 17 Universal Plug and Play UPnP Figure 99 Network Connections 3 In the Internet Connection Properties window click Settings to see the port mappings there were automa...

Page 216: ...tige 661H HW Series User s Guide Chapter 17 Universal Plug and Play UPnP 216 Figure 100 Internet Connection Properties 4 You may edit or delete the port mappings or click Add to manually add port mapp...

Page 217: ...perties Advanced Settings Figure 102 Internet Connection Properties Advanced Settings Add 5 When the UPnP enabled device is disconnected from your computer all port mappings will be deleted automatica...

Page 218: ...nection Status Web Configurator Easy Access With UPnP you can access the web based configurator on the Prestige without finding out the IP address of the Prestige first This comes helpful if you do no...

Page 219: ...niversal Plug and Play UPnP Figure 105 Network Connections 4 An icon with the description for each UPnP enabled device displays under Local Network 5 Right click on the icon for your Prestige and sele...

Page 220: ...Play UPnP 220 Figure 106 Network Connections My Network Places 6 Right click on the icon for your Prestige and select Properties A properties window displays with basic information about the Prestige...

Page 222: ...rors attacks access control and attempted access to blocked web sites Some categories such as System Errors consist of both logs and alerts You may differentiate them by their color in the View Log sc...

Page 223: ...Log Settings LABEL DESCRIPTION Address Info Mail Server Enter the server name or the IP address of the mail server for the e mail addresses specified below If this field is left blank logs and alert...

Page 224: ...facility allows you to log the messages to different files in the syslog server Refer to the documentation of your syslog program for more details Send Log Log Schedule This drop down menu is used to...

Page 225: ...ngs page Time This field displays the time the log was recorded Message This field states the reason for the log Source This field lists the source IP address and the port number of the incoming packe...

Page 226: ...ll Alert From Prestige Date Fri 07 Apr 2000 10 05 42 From user zyxel com To user zyxel com 1 Apr 7 00 From 192 168 1 1 To 192 168 1 255 default policy forward 09 54 03 UDP src port 00520 dest port 005...

Page 228: ...also allows you to configure the allowed output for an interface to match what the network can handle This helps reduce delays and dropped packets at the next routing device For example you can set t...

Page 229: ...ndwidth Allocation Bandwidth management allows you to define how much bandwidth each class gets however the actual bandwidth allotted to each class decreases or increases in proportion to actual avail...

Page 230: ...lowing example uses bandwidth classes based on LAN subnets and applications specific applications in each subnet are allotted bandwidth Figure 113 Application and Subnet based Bandwidth Management Exa...

Page 231: ...ss is not using among the bandwidth classes that require more bandwidth When you enable maximize bandwidth usage the Prestige first makes sure that each bandwidth class gets up to its bandwidth allotm...

Page 232: ...the classes that require more bandwidth Therefore the Prestige divides a total of 3 Mbps total of unbudgeted and unused bandwidth among the classes that require more bandwidth In this case suppose th...

Page 233: ...ss The Prestige uses the scheduler to divide a parent class s unused bandwidth among the child classes 19 7 1 Maximize Bandwidth Usage With Bandwidth Borrowing If you configure both maximize bandwidth...

Page 234: ...ies to all traffic flowing out of the router through the interface regardless of the traffic s source Traffic redirect or IP alias may cause LAN to LAN traffic to pass through the Prestige and be mana...

Page 235: ...cribes the labels in this screen Maximize Bandwidth Usage Select this check box to have the Prestige divide up all of the interface s unallocated and or unused bandwidth among the bandwidth classes th...

Page 236: ...creen to enable bandwidth management on an interface before you can configure classes for that interface To add a child class click Media Bandwidth Management then Class Setup Click the Add Child Clas...

Page 237: ...ity The default setting is 3 Borrow bandwidth from parent class Select this option to allow a child class to borrow bandwidth from its parent class if the parent class is not using up its bandwidth bu...

Page 238: ...configuring the Destination Port Source Port and Protocol ID fields Destination IP Address Enter the destination IP address in dotted decimal notation A blank destination IP address means any destina...

Page 239: ...Table 74 Services and Port Numbers SERVICES PORT NUMBER Table 75 Media Bandwidth Management Statistics LABEL DESCRIPTION Class Name This field displays the name of the class the statistics page is sho...

Page 240: ...er from refreshing bandwidth management statistics Clear Counter Click Clear Counter to clear all of the bandwidth management statistics Table 75 Media Bandwidth Management Statistics LABEL DESCRIPTIO...

Page 242: ...web site categories such as pornography gambling etc 20 1 1 TMSS Web Page TMSS is enabled by default on the Prestige so you should see the following screen after you launch your web browser to connec...

Page 243: ...122 Download ActiveX to View TMSS Web Page 2 In the TMSS web page click Service Summary Figure 123 TMSS Web Page Dashboard 3 Click Activate My Services to begin a 3 step process to activate TMSS Figu...

Page 244: ...e registration form you will receive an e mail with instructions for validating your e mail address Follow the instructions 7 Download TMSS to each computer behind the Prestige that you want TMSS to m...

Page 245: ...with TMSS activated Figure 128 Example TMSS Activated Parental Controls Screen After the free trial expires you can buy the Trend Micro Internet Security TIS 1 package This package contains anti viru...

Page 246: ...ecked and to display the status of computers under TMSS monitoring 3 Use the Parental Controls screen to schedule and block web pages based on pre defined web site categories such as pornography gambl...

Page 247: ...rity Services on your Prestige Security Services Display Interval Automatically display TMSS Web page every Select from the drop down list box how often the TMSS web page appears in your web browser E...

Page 248: ...estige IP Address This field displays the IP address of a TMSS client computer or Prestige Computer Name This field displays the host name of a TMSS client computer or the Prestige system name Antivir...

Page 249: ...ve one or it has expired you will see the following message when you access the Parental Controls screen Figure 132 No Parental Controls License If you have completed the TMSS registration process and...

Page 250: ...Parental Controls Select the check box to enable this feature on your Prestige Blocking Schedule The blocking schedule for TMSS is the same as that used for content filtering web site blocking by key...

Page 251: ...related paraphernalia Alcohol Tobacco Selecting this category excludes pages that promote or offer the sale alcohol tobacco products or provide the means to create them It also includes pages that gl...

Page 252: ...Available IP Addresses list box and click Add to move it them to the Selected IP Addresses box Select an IP address es in the Selected IP Addresses list box and click Remove to move it them to the Ava...

Page 253: ...ser s Guide 253 Chapter 20 Trend Micro Security Services Reset Click Reset to clear all of the fields in this screen Refresh Click Refresh to renew the statistics screen Table 80 Parental Controls Sta...

Page 254: ...and port traffic statistics 21 1 Maintenance Overview The maintenance screens can help you view system information upload new firmware manage configuration and restart your Prestige 21 2 System Status...

Page 255: ...Chapter 21 Maintenance Figure 135 System Status The following table describes the fields in this screen Table 81 System Status LABEL DESCRIPTION System Status System Name This is the name of your Pre...

Page 256: ...y if applicable VPI VCI This is the Virtual Path Identifier and Virtual Channel Identifier that you entered in the first Wizard screen LAN Information MAC Address This is the MAC Media Access Control...

Page 257: ...NET RFC 1483 and PPPoE Interface This field displays the type of port Status For the WAN port this displays the port speed and duplex setting if you re using Ethernet encapsulation and down line is do...

Page 258: ...nd MAC Address of all network clients using the DHCP server Figure 137 DHCP Table The following table describes the fields in this screen Poll Interval s Type the time interval for the browser to refr...

Page 259: ...1 Association List This screen displays the MAC address es of the wireless stations that are currently logged in to the network Click Wireless LAN and then Association List to open the screen shown ne...

Page 260: ...ssociation List LABEL DESCRIPTION This is the index number of an associated wireless station MAC Address This field displays the MAC Media Access Control address of an associated wireless station Ever...

Page 261: ...xt Table 86 Diagnostic General LABEL DESCRIPTION TCP IP Address Type the IP address of a computer that you want to ping in order to test a connection Ping Click this button to ping the IP address that...

Page 262: ...Status Click this button to view ATM status ATM Loopback Test Click this button to start the ATM loopback test Make sure you have configured at least one PVC with proper VPIs VCIs before you begin th...

Page 263: ...en to upload firmware to your Prestige Figure 142 Firmware Upgrade The following table describes the labels in this screen Note Do not turn off the Prestige while firmware upload is in progress After...

Page 264: ...t In some operating systems you may see the following icon on your desktop Figure 143 Network Temporarily Disconnected After two minutes log in again and check your new firmware version in the System...

Page 266: ...Prestige 1 In Windows click Start usually in the bottom left corner Run and then type telnet 192 168 1 1 the default IP address and click OK 2 Enter 1234 in the Password field 3 After entering the pas...

Page 267: ...Profile 11 3 Remote Node Network Layer Options 11 5 Remote Node Filter 11 6 Remote Node ATM Layer Options 11 8 Advance Setup Options PPPoE passthrough 12 Static Routing Setup 12 1 Edit Static Route S...

Page 268: ...tion 24 7 Upload Firmware 24 7 1 Upload System Firmware 24 7 2 Upload System Configuration File 24 8 Command Interpreter Mode 24 9 Call Control 24 9 1 Budget Management 24 10 Time and Date Setting 24...

Page 269: ...e to save the new configuration All fields with ChangeMe must not be left blank in order to be able to save the new configuration N A fields N A Some of the fields in the SMT will show a N A This symb...

Page 270: ...A quick and easy way to set up an Internet connection 11 Remote Node Setup Use this menu to set up the Remote Node for LAN to LAN connection including Internet connection 12 Static Routing Setup Use t...

Page 271: ...rd field up to 30 characters and press ENTER 5 Re type your new system password in the Retype to confirm field for confirmation and press ENTER Note Note that as you type a password the screen display...

Page 272: ...Windows 2000 click Start Settings Control Panel and then double click System Click the Network Identification tab and then the Properties button Note the entry for the Computer name field and enter i...

Page 273: ...location up to 31 characters of your Prestige Contact Person s Name optional Enter the name up to 30 characters of the person in charge of this Prestige Domain Name Enter the domain name if you know...

Page 274: ...f your dynamic DNS service provider Active Press SPACE BAR to select Yes and then press ENTER to make dynamic DNS active Host Enter the domain name assigned to your Prestige by your dynamic DNS provid...

Page 276: ...Fail Tolerance 0 Recovery Interval sec 0 ICMP Timeout sec 0 Traffic Redirect No Press ENTER to Confirm or ESC to Cancel Table 95 Menu 2 WAN Backup Setup FIELD DESCRIPTION Check Mechanism Press SPACE...

Page 277: ...ime if your destination IP address handles lots of traffic ICMP Timeout Type the number of seconds for an ICMP session to wait for the ICMP response Traffic Redirect Press SPACE BAR to select Yes or N...

Page 278: ...with the lowest cost RIP routing uses hop count as the measurement of cost with a minimum of 1 for directly connected networks The number must be between 1 and 15 a number greater than 15 means the l...

Page 280: ...apply to the Ethernet traffic You seldom need to filter Ethernet traffic however the filter sets may be useful to block certain packets reduce traffic and prevent security breaches Figure 152 Menu 3...

Page 281: ...m the main menu to display Menu 3 LAN Setup When menu 3 appears press 2 and press ENTER to display Menu 3 2 TCP IP and DHCP Ethernet Setup as shown next Figure 153 Menu 3 2 TCP IP and DHCP Ethernet Se...

Page 282: ...e DHCP Serve If Relay is selected in the DHCP field above then enter the IP address of the actual remote DHCP server here Table 98 TCP IP Ethernet Setup FIELD DESCRIPTION TCP IP Setup IP Address Enter...

Page 284: ...eless LAN Setup The following table describes the fields in this menu Menu 3 5 Wireless LAN Setup ESSID Wireless Hide ESSID No Channel ID CH06 2437MHz RTS Threshold 2432 Frag Threshold 2432 WEP Disabl...

Page 285: ...provides data encryption to prevent wireless stations from accessing data transmitted over the wireless network Select Disable allows wireless stations to communicate with the access points without an...

Page 286: ...00 00 00 00 11 00 00 00 00 00 00 23 00 00 00 00 00 00 12 00 00 00 00 00 00 24 00 00 00 00 00 00 Enter here to CONFIRM or ESC to CANCEL Table 100 Menu 3 5 1 WLAN MAC Address Filtering FIELD DESCRIPTIO...

Page 288: ...ng based on the policy defined by the network administrator Policy based routing is applied to incoming packets on a per interface basis prior to the normal routing Create policies using SMT menu 25 a...

Page 289: ...e the second and third network Figure 157 Menu 3 2 TCP IP and DHCP Setup Pressing ENTER displays Menu 3 2 1 IP Alias Setup as shown next Menu 3 2 TCP IP and DHCP Setup DHCP Setup DHCP Server Client IP...

Page 290: ...FIELD DESCRIPTION IP Alias Choose Yes to configure the LAN network for the Prestige IP Address Enter the IP address of your Prestige in dotted decimal notation IP Subnet Mask Your Prestige will automa...

Page 291: ...are using ENET ENCAP encapsulation From the main menu type 4 to display Menu 4 Internet Access Setup as shown next Figure 160 Menu 4 Internet Access Setup The following table contains instructions on...

Page 292: ...s the mean cell rate of a bursty on off traffic source that can be sent at the peak rate and a parameter for burst traffic Type the SCR it must be less than the PCR Maximum Burst Size MBS 0 Refers to...

Page 294: ...ss you are configuring one of the remote nodes You first choose a remote node in Menu 11 Remote Node Setup You can then edit that node s profile in menu 11 1 as well as configure specific settings in...

Page 295: ...tion Here are some examples of more suitable combinations in such an application 28 2 2 1 Scenario 1 One VC Multiple Protocols PPPoA RFC 2364 encapsulation with VC based multiplexing is the best combi...

Page 296: ...nu 11 Encapsulation PPPoA refers to RFC 2364 PPP Encapsulation over ATM Adaptation Layer 5 If RFC 1483 Multiprotocol Encapsulation over ATM Adaptation Layer 5 of ENET ENCAP are selected then the Rem L...

Page 297: ...Yes and press ENTER to display Menu 11 8 Advance Setup Options Telco Option Allocated Budget min This sets a ceiling for outgoing call time for this remote node The default for this field is 0 meaning...

Page 298: ...Table 104 Menu 11 3 Remote Node Network Layer Options FIELD DESCRIPTION IP Address Assignment Press SPACE BAR and then ENTER to select Dynamic if the remote node is using a dynamically assigned IP add...

Page 299: ...ost for this link The number need not be precise but it must be between 1 and 15 In practice 2 or 3 is usually a good number Private This determines if the Prestige will include the route to this remo...

Page 300: ...the Prestige and also to prevent certain packets from triggering calls You can specify up to 4 filter sets separated by comma for example 1 5 9 12 in each filter field Note that spaces are accepted i...

Page 301: ...example VC1 will carry IP Separate VPI and VCI numbers must be specified for each protocol Figure 167 Menu 11 6 for VC based Multiplexing 28 5 2 LLC based Multiplexing or PPP Encapsulation For LLC ba...

Page 302: ...elect Yes then press ENTER to display Menu 11 8 Advance Setup Options Menu 11 6 Remote Node ATM Layer Options VPI VCI LLC Multiplexing or PPP Encapsulation VPI 0 VCI 38 ATM QoS Type UBR Peak Cell Rate...

Page 303: ...ient you can enable PPPoE pass through to allow up to ten hosts on the LAN to use PPPoE client software on their computers to connect to the ISP via the Prestige Each host can have a separate account...

Page 304: ...Each remote node specifies only the network to which the gateway is directly connected and the Prestige has no knowledge of the networks beyond For instance the Prestige knows about network N2 in the...

Page 305: ...Static Route Menu 12 Static Route Setup 1 IP Static Route 3 Bridge Static Route Please enter selection Menu 12 1 IP Static Route Setup 1 ________ 2 ________ 3 ________ 4 ________ 5 ________ 6 _______...

Page 306: ...s destination Gateway IP Address Type the IP address of the gateway The gateway is a router or switch on the same network segment as the device s LAN or WAN port The gateway helps forward packets to t...

Page 307: ...Prestige 661H HW Series User s Guide 307 Chapter 29 Static Route Setup...

Page 308: ...yer protocol and it also demands more CPU cycles and memory For efficiency reasons do not turn on bridging unless you need to support protocols other than IP on your network For IP enable the routing...

Page 309: ...on Options Authen N A Edit Filter Sets No Idle Timeout sec N A Press ENTER to Confirm or ESC to Cancel Menu 11 3 Remote Node Network Layer Options IP Options Bridge Options IP Address Assignment Stati...

Page 310: ...Cancel Table 108 Menu 12 3 1 Edit Bridge Static Route FIELD DESCRIPTION Route This is the route index number you typed in Menu 12 3 Bridge Static Route Setup Route Name Type a name for the bridge sta...

Page 311: ...Prestige 661H HW Series User s Guide 311 Chapter 30 Bridging Setup...

Page 312: ...ports two types of mapping Many to One and Server See Section 31 3 on page 314 for a detailed description of the NAT set for SUA The Prestige also supports Full Feature NAT to map multiple global IP ad...

Page 313: ...e options for Network Address Translation Menu 4 Internet Access Setup ISP s Name MyISP Encapsulation RFC 1483 Multiplexing LLC based VPI 8 VCI 35 ATM QoS Type UBR Peak Cell Rate PCR 0 Sustain Cell Ra...

Page 314: ...ther information on these menus To configure NAT enter 15 from the main menu to bring up the following screen Figure 180 Menu 15 NAT Setup 31 3 1 Address Mapping Sets Enter 1 to bring up Menu 15 1 Add...

Page 315: ...ead only Menu 15 1 Address Mapping Sets 1 2 3 4 5 6 7 8 255 SUA read only Enter Menu Selection Number Menu 15 1 255 Address Mapping Rules Set Name Idx Local Start IP Local End IP Global Start IP Globa...

Page 316: ...al End IP is the ending local IP address ILA If the rule is for all local IPs then the Start IP is 0 0 0 0 and the End IP is 255 255 255 255 Global Start IP This is the starting global IP address IGA...

Page 317: ...field and then selecting a rule brings up the following menu Menu 15 1 1 1 Address Mapping Rule in which you can edit an individual rule and configure the Type Local and Global Start End IPs An End IP...

Page 318: ...the starting local IP address ILA End This is the ending local IP address ILA If the rule is for all local IPs then put the Start IP as 0 0 0 0 and the End IP as 255 255 255 255 This field is N A for...

Page 319: ...acting as an FTP Telnet and SMTP server ports 21 23 and 25 at 192 168 1 33 6 Press ENTER at the Press ENTER to confirm prompt to save your configuration after you define all the servers or press ESC a...

Page 320: ...the Many to One mapping discussed in Section 31 5 on page 319 The SUA Only read only option from the Network Address Translation field in menus 4 and 11 3 is specifically pre configured to handle thi...

Page 321: ...se the other IGA Map the FTP servers to the first two IGAs and the other LAN traffic to the remaining IGA Map the third IGA to an inside web server and mail server Four rules need to be configured two...

Page 322: ...choose the Full Feature option from the Network Address Translation field in menu 4 or menu 11 3 in Figure 193 on page 323 1 Enter 15 from the main menu 2 Enter 1 to configure the Address Mapping Sets...

Page 323: ...ions IP Address Assignment Static Ethernet Addr Timeout min 0 Rem IP Addr 0 0 0 0 Rem Subnet Mask 0 0 0 0 My WAN Addr 0 0 0 0 NAT Full Feature Address Mapping Set 2 Metric 2 Private No RIP Direction B...

Page 324: ...ng Rules Set Name Example3 Idx Local Start IP Local End IP Global Start IP Global End IP Type 1 192 168 1 10 10 132 50 1 1 1 2 192 168 1 11 10 132 50 2 1 1 3 0 0 0 0 255 255 255 255 10 132 50 3 M 1 4...

Page 325: ...s some gaming programs are NAT unfriendly because they embed addressing information in the data stream These applications won't work through NAT even when using One to One and Many to Many No Overload...

Page 326: ...e 4 Menu 15 1 1 Address Mapping Rules Menu 15 1 1 Address Mapping Rules Set Name Example4 Idx Local Start IP Local End IP Global Start IP Global End IP Type 1 192 168 1 10 192 168 1 12 10 132 50 1 10...

Page 327: ...Prestige 661H HW Series User s Guide 327 Chapter 31 Network Address Translation NAT...

Page 328: ...comprehensive firewall configuration tool your Prestige has to offer For this reason it is recommended that you configure your firewall using the web configurator see the following chapters for instru...

Page 329: ...OS attacks when it is active The default Policy sets 1 allow all sessions originating from the LAN to the WAN and 2 deny all sessions originating from the WAN to the LAN You may define additional Poli...

Page 330: ...the WAN side or the Ethernet side Call filtering is used to determine if a packet should be allowed to trigger a call Outgoing packets must undergo data filtering before they encounter call filtering...

Page 331: ...ncoming packets your Prestige applies data filters only Packets are processed depending on whether a match is found The following sections describe how to configure filter sets 33 1 1 The Filter Struc...

Page 332: ...et 1 in menu 21 1 Figure 204 NetBIOS_WAN Filter Rules Summary Menu 21 1 Filter Set Configuration Filter Set Comments Set Comments 1 _______________ 7 _______________ 2 _______________ 8 ______________...

Page 333: ...fff Value 01005e N D F 2 N 3 N 4 N 5 N 6 N Enter Filter Rule Number 1 6 to Configure Table 113 Abbreviations Used in the Filter Rules Summary Menu FIELD DESCRIPTION The filter rule number 1 to 6 A Act...

Page 334: ...of a filter set is determined by the first rule that you create When applying the filter sets to a port separate menu fields are provided for protocol and device filter sets If you include a protocol...

Page 335: ...NTER to Confirm or ESC to Cancel Table 115 Menu 21 1 x 1 TCP IP Filter Rule FIELD DESCRIPTION Filter This is the filter set filter rule coordinates for instance 2 3 refers to the second filter set and...

Page 336: ...ies only when the IP Protocol field is 6 TCP If Yes the rule matches packets that want to establish TCP connection s SYN 1 and ACK 0 else it is ignored More If Yes a matching packet is passed to the n...

Page 337: ...figuration Figure 208 Executing an IP Filter 33 4 2 Generic Filter Rule This section shows you how to configure a generic filter rule The purpose of generic rules is to allow you to filter non IP pack...

Page 338: ...tive No Offset 0 Length 0 Mask N A Value N A More No Log None Action Matched Check Next Rule Action Not Matched Check Next Rule Press ENTER to Confirm or ESC to Cancel Table 116 Menu 21 1 5 1 Generic...

Page 339: ...e is receiving and sending the packets for instance the interface The interface can be an Ethernet or any other hardware port The following figure illustrates this Figure 210 Protocol and Device Filte...

Page 340: ...rule Make the entries in this menu as shown next When you press ENTER to confirm the following screen appears Note that there is only one filter rule in this set Figure 212 Menu 21 1 6 1 Sample Filter...

Page 341: ...ter Rules Summary 33 7 Applying Filters and Factory Defaults This section shows you where to apply the filter s after you design it them Sets of factory default filter rules have been configured in me...

Page 342: ...affic 33 7 2 Remote Node Filters Go to menu 11 5 shown next and type the number s of the filter set s as appropriate You can cascade up to four filter sets by typing their numbers separated by commas...

Page 343: ...Prestige 661H HW Series User s Guide 343 Chapter 33 Filter Configuration...

Page 344: ...network The Prestige supports SNMP version one SNMPv1 and version two c SNMPv2c The next figure illustrates an SNMP management operation SNMP is only available if TCP IP is configured Figure 216 SNMP...

Page 345: ...retrieve an object variable from the agent GetNext Allows the manager to retrieve the next object variable from a table or list within an agent In SNMPv1 when a manager wants to retrieve all elements...

Page 346: ...ment station Trusted Host If you enter a trusted host your Prestige will only respond to SNMP messages from this address A blank default field means your Prestige will respond to all SNMP messages it...

Page 347: ...rd 6 whyReboot defined in ZYXEL MIB A trap is sent with the reason of restart before rebooting when the system is going to restart warm start 6a For intentional reboot A trap is sent with the message...

Page 348: ...word Enter 23 in the main menu to display Menu 23 System Security You should change the default password If you forget your password you have to restore the default configuration file Figure 218 Menu...

Page 349: ...ion Shared Secret Specify a password up to 31 alphanumeric characters as the key to be shared between the external authentication server and the access points The key is not sent over the network This...

Page 350: ...ystem Security IEEE 802 1x Figure 221 Menu 23 4 System Security IEEE 802 1x The following table describes the fields in this menu Menu 23 System Security 1 Change Password 2 RADIUS Server 4 IEEE802 1x...

Page 351: ...namic WEP Key Exchange This field is activated only when you select Authentication Required in the Wireless Port Control field Also set the Authentication Databases field to RADIUS Only Local user dat...

Page 352: ...base with 802 1x Key Management Protocol Select Local User Database Only to have the Prestige just check the built in user database on the Prestige for a wireless station s username and password Selec...

Page 353: ..._ 22 ________ 30 ________ 7 ________ 15 ________ 23 ________ 31 ________ 8 ________ 16 ________ 24 ________ 32 ________ Enter Menu Selection Number Menu 14 1 Edit Dial in User User Name test Active Ye...

Page 354: ...gives you information on the status and statistics of the ports as shown next System Status is a tool that can be used to monitor your Prestige Specifically it gives you information on your DSL teleph...

Page 355: ...peed 0 kbps CPU Load 2 17 Downstream Speed 0 kbps Press Command COMMANDS 1 Reset Counters ESC Exit Table 124 Menu 24 1 System Maintenance Status FIELD DESCRIPTION Node Lnk This is the node index numbe...

Page 356: ...t Speed 36 3 1 System Information Enter 1 in menu 24 2 to display the screen shown next WAN This shows statistics for the WAN Line Status This shows the current status of the xDSL line which can be Up...

Page 357: ...0 c5 99 96 23 IP Address 192 168 1 1 IP Mask 255 255 255 0 DHCP Server Press ESC or RETURN to Exit Table 125 Menu 24 2 1 System Maintenance Information FIELD DESCRIPTION Name Displays the system name...

Page 358: ...omething goes wrong is the error log Follow the procedures to view the local error trace log 1 Type 24 in the main menu to display Menu 24 System Maintenance 2 From menu 24 type 3 to display Menu 24 3...

Page 359: ...task pause 1 day 57 Sat Jan 01 00 00 03 2000 PP21 INFO monitoring WAN connectivity 58 Sat Jan 01 00 03 06 2000 PP19 INFO SMT Password pass 59 Sat Jan 01 00 03 06 2000 PP01 INFO SMT Session Begin 60 S...

Page 360: ...C02 OutCall Connected 64000 40002 Jul 19 11 20 06 192 168 102 2 ZYXEL board 0 line 0 channel 0 call 1 C02 Call Terminated 2 Packet Triggered SdcmdSyslogSend SYSLOG_PKTTRI SYSLOG_NOTICE String String P...

Page 361: ...3 55 192 168 102 2 ZYXEL IP Src 202 132 154 123 Dst 255 255 255 255 UDP spo 0208 dpo 0208 S03 R01mF Jul 19 14 44 00 192 168 102 2 ZYXEL IP Src 192 168 102 20 Dst 202 132 154 1 UDP spo 05d4 dpo 0035 S0...

Page 362: ...nance Menu Diagnostic FIELD DESCRIPTION Reset xDSL Re initialize the xDSL link to the telephone company Ping Host Ping the host to see if the links and TCP IP protocol on both systems are working Rebo...

Page 363: ...Prestige 661H HW Series User s Guide 363 Chapter 36 System Information and Diagnosis...

Page 364: ...me of your choosing ZyNOS ZyXEL Network Operating System sometimes referred to as the ras file is the system firmware and has a bin filename extension With many FTP and TFTP clients the filenames are...

Page 365: ...commended once your Prestige is functioning properly FTP is the preferred method for backing up your current configuration to your computer since it is faster Any serial communications program sho...

Page 366: ...renames it config rom See earlier in this chapter for more information on filename conventions 7 Enter quit to exit the ftp prompt 37 2 3 Example of FTP Commands from the Command Line Menu 24 5 System...

Page 367: ...ole session running 331 Enter PASS command Password 230 Logged in ftp bin 200 Type I OK ftp get rom 0 zyxel rom 200 Port command okay 150 Opening data connection for STOR ras 226 File received OK ftp...

Page 368: ...ile transfer is complete 4 Launch the TFTP client on your computer and connect to the Prestige Set the transfer mode to binary before starting data transfer 5 Use the TFTP client see the example below...

Page 369: ...start after the file transfer is complete Note Do not interrupt the file transfer process as this may PERMANENTLY DAMAGE YOUR Prestige 37 3 1 Restore Using FTP For details about backup using T FTP ple...

Page 370: ...er to Section 37 2 5 on page 367 to read about configurations that disallow TFTP and FTP over WAN Menu 24 6 System Maintenance Restore Configuration To transfer the firmware and configuration file to...

Page 371: ...firmware and the configuration file using FTP Figure 238 Telnet Into Menu 24 7 1 Upload System Firmware 37 4 2 Configuration File Upload You see the following screen when you telnet into menu 24 7 2...

Page 372: ...sfers the configuration file on the Prestige to your computer and renames it config rom See earlier in this chapter for more information on filename conventions 7 Enter quit to exit the ftp prompt The...

Page 373: ...t the SMT in command interpreter CI mode by entering 8 in Menu 24 System Maintenance 3 Enter the command sys stdio 0 to disable the console timeout so the TFTP transfer will not be interrupted Enter s...

Page 374: ...ras where i specifies binary image transfer mode use this mode when transferring binary files host is the Prestige's IP address and put transfers the file source on the computer firmware bin name of...

Page 375: ...Prestige 661H HW Series User s Guide 375 Chapter 37 Firmware and Configuration File Maintenance...

Page 376: ...tion on CI commands Enter 8 from Menu 24 System Maintenance A list of valid commands can be found by typing help or at the command prompt Type exit to return to the SMT main menu when finished Figure...

Page 377: ...xceeds the limit the current call will be dropped and any future outgoing calls will be blocked To access the call control menu select option 9 in menu 24 to go to Menu 24 9 System Maintenance Call Co...

Page 378: ...y or get the current time and date from an external server when you turn on your Prestige Menu 24 10 allows you to update the time and date settings of your Prestige The real time is then displayed in...

Page 379: ...19 Current Date 2000 01 01 New Date yyyy mm dd 2000 01 01 Time Zone GMT Daylight Saving No Start Date mm dd 01 00 End Date mm dd 01 00 Press ENTER to Confirm or ESC to Cancel Table 132 Menu 24 10 Syst...

Page 380: ...only when you re enter this menu New Date Enter the new date in year month and day format Time Zone Press SPACE BAR and then ENTER to set the time difference between your time zone and Greenwich Mean...

Page 381: ...Prestige 661H HW Series User s Guide 381 Chapter 38 System Maintenance...

Page 382: ...n configuring firewall rules 39 2 Remote Management To disable remote management of a service select Disable in the corresponding Server Access field Enter 11 from menu 24 to display Menu 24 11 Remote...

Page 383: ...ss LAN only Secured Client IP 0 0 0 0 FTP Server Server Port 21 Server Access LAN only Secured Client IP 0 0 0 0 Web Server Server Port 80 Server Access LAN only Secured Client IP 0 0 0 0 Press ENTER...

Page 384: ...ddress when configuring from the LAN 39 4 System Timeout There is a default system management idle timeout of five minutes three hundred seconds The Prestige automatically logs you out if the manageme...

Page 385: ...Prestige 661H HW Series User s Guide 385 Chapter 39 Remote Management...

Page 386: ...recedence or TOS Type of Service values in the IP header at the periphery of the network to enable the backbone to prioritize traffic Cost Savings IPPR allows organizations to distribute interactive t...

Page 387: ...n the main menu to open Menu 25 IP Routing Policy Setup 2 Type the index of the policy set you want to configure to open Menu 25 1 IP Routing Policy Setup Menu 25 1 shows the summary of a policy set i...

Page 388: ...___________________________________________________________ ______________________________________________________________________ 5 N _________________________________________________________________...

Page 389: ...cies are displayed with a minus sign in SMT menu 25 Criteria IP Protocol IP layer 4 protocol for example UDP TCP ICMP etc Type of Service Prioritize incoming network traffic by choosing from Don t Car...

Page 390: ...the LAN otherwise the gateway must be the IP address of a remote node The default gateway is specified as 0 0 0 0 Type of Service Set the new TOS value of the outgoing packet Prioritize incoming netwo...

Page 391: ...cy See the next figure Menu 3 2 TCP IP and DHCP Setup DHCP Setup DHCP Server Client IP Pool Starting Address 192 168 1 33 Size of Client IP Pool 32 Primary DNS Server 0 0 0 0 Secondary DNS Server 0 0...

Page 392: ...IP route Figure 253 Example of IP Policy Routing To force packets coming from clients with IP addresses of 192 168 1 33 to 192 168 1 64 to be routed to the Internet via the WAN port of the Prestige f...

Page 393: ...ns any host with protocol TCP and port FTP access through another gateway 192 168 1 100 Menu 25 1 1 IP Routing Policy Policy Set Name set1 Active Yes Criteria IP Protocol 6 Type of Service Don t Care...

Page 394: ...rt 0 Destination addr start 0 0 0 0 port start 20 Action Matched Gateway addr 192 168 1 100 Type of Service No Change Precedence No Change Packet length 10 Len Comp N A end N A end N A end N A end 21...

Page 395: ...Prestige 661H HW Series User s Guide 395 Chapter 40 IP Policy Routing...

Page 396: ...sets take precedence over higher numbered sets thereby avoiding scheduling conflicts For example if sets 1 2 3 and 4 in are applied in the remote node then set 1 will take precedence over set 2 3 and...

Page 397: ...t Yes or No Choose Yes and press ENTER to activate the schedule set Start Date Enter the start date when you wish the set to take effect in year month date format Valid dates are from the present to 2...

Page 398: ...means that the connection is blocked whether or not there is a demand call on the line Enable Dial On Demand means that this schedule permits a demand call on the line Disable Dial On Demand means th...

Page 399: ...Prestige 661H HW Series User s Guide 399 Chapter 41 Call Scheduling...

Page 400: ...anagement Menu 27 2 SA Monitor allows you to manage refresh or disconnect your SA connections From the main menu enter 27 to display the first VPN menu shown next Figure 260 Menu 27 VPN IPSec Setup 42...

Page 401: ...tart When the Addr Type field in Menu 27 1 1 IPSec Setup is configured to Single this is a static IP address on the LAN behind your Prestige When the Addr Type field in Menu 27 1 1 IPSec Setup is conf...

Page 402: ...k When the Addr Type field in Menu 27 1 1 IPSec Setup is configured to Single this is the same static IP address as in the Remote Addr Start field When the Addr Type field in Menu 27 1 1 IPSec Setup i...

Page 403: ...m tw Protocol 0 DNS Server 0 0 0 0 Local Addr Type SINGLE IP Addr Start 1 1 1 1 End Subnet Mask N A Port Start 0 End N A Remote Addr Type SUBNET IP Addr Start 4 4 4 4 End Subnet Mask 255 255 0 0 Port...

Page 404: ...dress Select DNS to identify the remote IPSec router by a domain name Select E mail to identify the remote IPSec router by an e mail address Content When you select IP in the Peer ID Type field type t...

Page 405: ...create a VPN tunnel if you try to connect using a port number that does not match this port number or range of port numbers Some of the most common IP ports are 21 FTP 53 DNS 23 Telnet 80 HTTP 25 SMTP...

Page 406: ...End Enter a port number in this field to define a port range This port number must be greater than that specified in the previous field This field is N A when 0 is configured in the Port Start field...

Page 407: ...key You will receive a PYLD_MALFORMED payload malformed packet if the same pre shared key is not used on both ends Encryption Algorithm The Prestige and the remote IPSec router generate an encryption...

Page 408: ...Press SPACE BAR to choose from NULL DES 3DES or AES and then press ENTER Select NULL to set up a tunnel without encryption Authentication Algorithm Press SPACE BAR to choose from SHA1 or MD5 and then...

Page 409: ...en you choose DES and fill in fields Key1 to Key3 when you choose 3DES Select NULL to set up a tunnel without encryption When you select NULL you do not enter any encryption keys Key1 Enter a unique e...

Page 410: ...cable The key must be unique Enter 16 characters for MD5 authentication and 20 characters for SHA 1 authentication Any character may be used including spaces but trailing spaces are truncated When you...

Page 411: ...Prestige 661H HW Series User s Guide 411 Chapter 42 VPN IPSec Setup...

Page 412: ...bound traffic but no inbound traffic the SA times out automatically after two minutes A tunnel with no outbound or inbound traffic is idle and does not timeout until the SA lifetime period expires See...

Page 413: ...d by the remote IP address as configured in Menu 27 1 1 IPSec Setup Individual connections using the same VPN rule may be terminated without affecting other connections using the same rule Encap This...

Page 414: ...ive VPN connections None allows you to jump to the Press ENTER to Confirm prompt Select Next Page or Previous Page to view the next or previous page of rules respectively Select Connection Type the VP...

Page 415: ...Prestige 661H HW Series User s Guide 415 Chapter 43 SA Monitor...

Page 416: ...appropriate power source Make sure that the Prestige and the power source are both turned on Turn the Prestige off and on If the error persists you may have a hardware problem In this case you should...

Page 417: ...e MAC address or the host name The username and password apply to PPPoE and PPPoA encapsulation only Make sure that you have entered the correct Service Type User Name and Password be sure to use the...

Page 418: ...rd and Username fields are case sensitive Make sure that you enter the correct password and username using the proper casing If you have changed the password and have now forgotten it you will need to...

Page 419: ...k pop ups check box in the Pop up Blocker section of the screen This disables any web pop up blockers you may have enabled Figure 267 Internet Options 3 Click Apply to save this setting 44 4 1 1 2 Ena...

Page 420: ...Troubleshooting 420 Figure 268 Internet Options 3 Type the IP address of your device the web page that you do not want to have blocked with the prefix http For example http 192 168 1 1 4 Click Add to...

Page 421: ...ings 5 Click Close to return to the Privacy screen 6 Click Apply to save this setting 44 4 1 2 JavaScripts If pages of the web configurator do not display properly in Internet Explorer check that Java...

Page 422: ...Figure 270 Internet Options 2 Click the Custom Level button 3 Scroll down to Scripting 4 Under Active scripting make sure that Enable is selected the default 5 Under Scripting of Java applets make sur...

Page 423: ...ettings Java Scripting 44 4 1 3 Java Permissions 1 From Internet Explorer click Tools Internet Options and then the Security tab 2 Click the Custom Level button 3 Scroll down to Microsoft VM 4 Under J...

Page 424: ...roubleshooting 424 Figure 272 Security Settings Java 44 4 1 3 1 JAVA Sun 1 From Internet Explorer click Tools Internet Options and then the Advanced tab 2 make sure that Use Java 2 for applet under Ja...

Page 425: ...e to download ActiveX controls or to use Trend Micro Security Services Make sure that ActiveX controls are allowed in Internet Explorer Screen shots for Internet Explorer 6 are shown Steps may vary de...

Page 426: ...igure 274 Internet Options Security 3 Scroll down to ActiveX controls and plug ins 4 Under Download signed ActiveX controls select the Prompt radio button 5 Under Run ActiveX controls and plug ins mak...

Page 427: ...Prestige 661H HW Series User s Guide 427 Chapter 44 Troubleshooting Figure 275 Security Setting ActiveX Controls...

Page 428: ...fault IP Address 192 168 1 1 Default Subnet Mask 255 255 255 0 24 bits Default Password 1234 DHCP Pool 192 168 1 32 to 192 168 1 64 Dimensions 180 W x 128 D x 36 H mm Weight P 661HW 350g P 661H 325g P...

Page 429: ...d multiplexing Up to 8 PVCs Permanent Virtual Circuits I 610 F4 F5 OAM Other Protocol Support PPP Point to Point Protocol link layer protocol Transparent bridging for unsupported network layer protoco...

Page 430: ...s server using EAP MD5 TLS TTLS Firewall Stateful Packet Inspection Prevent Denial of Service attacks such as Ping of Death SYN Flood LAND Smurf etc Real time E mail alerts Reports and logs NAT SUA Po...

Page 431: ...Prestige 661H HW Series User s Guide 431 Appendix A...

Page 432: ...ws 3 1 requires the purchase of a third party TCP IP application package TCP IP should already be installed on computers using Windows NT 2000 XP Macintosh OS 7 and later operating systems After the a...

Page 433: ...t for Microsoft Networks If you need the adapter 1 In the Network window click Add 2 Select Adapter and then click Add 3 Select the manufacturer and model of your network adapter and then click OK If...

Page 434: ...ork adapter s TCP IP entry and click Properties 2 Click the IP Address tab If your IP address is dynamic select Obtain an IP address automatically If you have a static IP address select Specify an IP...

Page 435: ...nd close the TCP IP Properties window 6 Click OK to close the Network window Insert the Windows CD if prompted 7 Turn on your Prestige and restart your computer when prompted Verifying Settings 1 Clic...

Page 436: ...Computer s IP Address 436 Figure 279 Windows XP Start Menu 2 In the Control Panel double click Network Connections Network and Dial up Connections in Windows 2000 NT Figure 280 Windows XP Control Pane...

Page 437: ...rk Connections Properties 4 Select Internet Protocol TCP IP under the General tab in Win XP and then click Properties Figure 282 Windows XP Local Area Connection Properties 5 The Internet Protocol TCP...

Page 438: ...configure additional IP addresses In the IP Settings tab in IP addresses click Add In TCP IP Address type an IP address in IP address and a subnet mask in Subnet mask and then click Add Repeat the abo...

Page 439: ...ndow the General tab in Windows XP Click Obtain DNS server address automatically if you do not know your DNS server IP address es If you know your DNS server IP address es click Use the following DNS...

Page 440: ...e Network Connections window Network and Dial up Connections in Windows 2000 NT 11 Turn on your Prestige and restart your computer if prompted Verifying Settings 1 Click Start All Programs Accessories...

Page 441: ...Setting up Your Computer s IP Address Figure 286 Macintosh OS 8 9 Apple Menu 2 Select Ethernet built in from the Connect via list Figure 287 Macintosh OS 8 9 TCP IP 3 For dynamically assigned setting...

Page 442: ...6 Click Save if prompted to save changes to your configuration 7 Turn on your Prestige and restart your computer if prompted Verifying Settings Check your TCP IP properties in the TCP IP Control Panel...

Page 443: ...llowing From the Configure box select Manually Type your IP address in the IP Address box Type your subnet mask in the Subnet mask box Type the IP address of your Prestige in the Router address box 5...

Page 444: ...address the first two octets make up the network number and the two remaining octets make up the host ID Class C addresses begin starting from the left with 1 1 0 In a class C address the first three...

Page 445: ...f the host ID Subnet masks are expressed in dotted decimal notation just as IP addresses are The natural masks for class A B and C IP addresses are as follows Subnetting With subnetting the class arra...

Page 446: ...ddress 192 168 1 0 with subnet mask of 255 255 255 0 The first three octets of the address make up the network number class C You want to have two separate networks Divide the network 192 168 1 0 into...

Page 447: ...128 is the directed broadcast address for the first subnet Therefore the lowest IP address that can be assigned to an actual host for the first subnet is 192 168 1 1 and the highest is 192 168 1 126 S...

Page 448: ...IP Address Binary 11000000 10101000 00000001 00000000 Subnet Mask Binary 11111111 11111111 11111111 11000000 Subnet Address 192 168 1 0 Lowest Host ID 192 168 1 1 Broadcast Address 192 168 1 63 Highes...

Page 449: ...nary 11111111 11111111 11111111 11000000 Subnet Address 192 168 1 192 Lowest Host ID 192 168 1 193 Broadcast Address 192 168 1 255 Highest Host ID 192 168 1 254 Table 160 Eight Subnets SUBNET SUBNET A...

Page 450: ...e for subnetting The following table is a summary for class B subnet planning Table 162 Class B Subnet Planning NO BORROWED HOST BITS SUBNET MASK NO SUBNETS NO HOSTS PER SUBNET 1 255 255 128 0 17 2 32...

Page 451: ...Prestige 661H HW Series User s Guide 451 Appendix C IP Subnetting...

Page 452: ...le Prestige boot module commands as shown in the next screen ATBAx allows you to change the console port speed The x denotes the number preceding the colon to give the console port speed following the...

Page 453: ...a ATDUx y dump memory contents from address x for length y ATRBx display the 8 bit value of address x ATRWx display the 16 bit value of address x ATRLx display the 32 bit value of address x ATGO x run...

Page 454: ...the unit and possibly render it unusable Command Syntax The command keywords are in courier new font Enter the command keywords exactly as shown do not abbreviate The required fields in a command are...

Page 455: ...Prestige 661H HW Series User s Guide 455 Appendix E Command Interpreter...

Page 456: ...and the sets rules config display firewall set set This command shows the current configuration of a set including timeout values name default permit and etc If you don t put use a number after set in...

Page 457: ...il minute 0 59 This command sets the minute of the hour for the firewall log to be sent via e mail if the Prestige is set to send it on a hourly daily or weekly basis Attack config edit firewall attac...

Page 458: ...ified set Config edit firewall set set default permit forward block This command sets whether a packet is dropped or allowed through when it does not meet a rule within the set Config edit firewall se...

Page 459: ...ge sends an alert e mail when a DOS attack or a violation of a particular rule occurs config edit firewall set set rule rule srcaddr single ip address This command sets the rule to have the Prestige c...

Page 460: ...rewall set set rule rule UDP destport single port This command sets a rule to have the Prestige check for UDP traffic with this destination address You may repeat this command to enter various non con...

Page 461: ...Prestige 661H HW Series User s Guide 461 Appendix F Firewall Commands...

Page 462: ...he LAN to the WAN and from the WAN to the LAN Allow or disallow the sending of NetBIOS packets from the LAN to the DMZ and from the DMZ to the LAN Allow or disallow the sending of NetBIOS packets from...

Page 463: ...l This field displays whether NetBIOS packets are allowed to initiate calls Disabled means that NetBIOS packets are blocked from initiating calls Disabled type Identify which NetBIOS filter numbered 0...

Page 464: ...Prestige 661H HW Series User s Guide Appendix G NetBIOS Filter Commands 464...

Page 466: ...o not manually create any static IP routes for the remote VPN site They are not required Dynamic IPSec Rule Create a dynamic rule by setting the Secure Gateway Address to 0 0 0 0 A single dynamic rule...

Page 467: ...ocal Remote IP Address Start settings with your own values VPN Configuration via Web Configurator This section gives a VPN rule configuration example using the web configurator 1 Click VPN to display...

Page 468: ...Prestige 661H HW Series User s Guide Appendix H VPN Setup 468 Figure 293 Headquarters VPN Rule Edit IP addresses on different subnets The IP address of the branch office IPSec router...

Page 469: ...HW Series User s Guide 469 Appendix H VPN Setup Figure 294 Branch Office VPN Rule Edit Dialing the VPN Tunnel via Web Configurator IP addresses on different subnets The IP address of the headquarters...

Page 470: ...ick the dial icon in the VPN Rules screen s Modify column to have the IPSec routers set up the tunnel 1 Figure 295 VPN Rule Configured The following screen displays Figure 296 VPN Dial This screen dis...

Page 471: ...er 27 to display the first VPN menu shown next Figure 298 Menu 27 VPN IPSec Setup 2 Type 1 in menu 27 and then press ENTER to display Menu 27 1 IPSec Summary This is a summary read only menu of your I...

Page 472: ...Cancel Press Space Bar to Toggle Menu 27 1 1 IPSec Setup Index 1 Name BRANCH Active Yes Keep Alive Yes Nat Traversal No Local ID type E MAIL Content test example com My IP Addr 0 0 0 0 Peer ID type E...

Page 473: ...ctly the same on both IPSec routers Use a simple key and or copy and paste the setting into the other IPSec router to avoid typos Menu 27 1 1 IPSec Setup Index 1 Name HQ Active Yes Keep Alive Yes Nat...

Page 474: ...t one of the IPSec routers The following steps will help you to rapidly identify and correct configuration problems Log into the SMTs of both ZyXEL IPSec routers via telnet Position the telnet windows...

Page 475: ...E Send HASH 2 09 21 2004 05 45 08 172 21 3 43 172 21 3 185 IKE Adjust TCP MSS to 1398 3 09 21 2004 05 45 07 172 21 3 185 172 21 3 43 IKE Recv HASH SA NONCE ID ID 4 09 21 2004 05 45 07 172 21 3 43 172...

Page 476: ...0 Disable 1 Original on off 2 IKE on off 3 IPSec SPI on off 4 XAUTH on off 5 CERT on off 6 All ras ipsec debug level 0 None 1 User 2 Low 3 High ras ipsec debug type 1 on ras ipsec debug type 2 on ras...

Page 477: ...10m txt rw r r 1 505 505 0 Apr 16 2004 2 log rw r r 1 505 505 11816924 Dec 27 09 12 2neo1b 10mb rw r r 1 505 505 21354248 Dec 27 09 09 2neo2b 10mb rw r r 1 505 505 0 Dec 2 16 37 30m rw r r 1 505 505...

Page 478: ...Prestige 661H HW Series User s Guide Appendix H VPN Setup 478 ftp 5631148 bytes sent in 614 8Seconds 9 17Kbytes sec...

Page 480: ...s caused by telephone sets Install the POTS splitter at the point where the telephone line enters your residence as shown in the following figure Figure 305 Connecting a POTS Splitter 1 Connect the si...

Page 481: ...microfilter 3 Connect another cable from the double jack end of the Y Connector to the Prestige 4 Connect the phone side of the microfilter to your telephone as shown in the following figure Figure 3...

Page 482: ...Prestige 661H HW Series User s Guide Appendix I Splitters and Microfilters 482...

Page 484: ...ity in a manner similar to dial up services using PPP Benefits of PPPoE PPPoE offers the following benefits It provides you with a familiar dial up networking DUN user interface It lessens the burden...

Page 485: ...Access Concentrator and tunnels the PPP frames to the ISP The L2TP tunnel is capable of carrying multiple PPP sessions With PPPoE the VC Virtual Circuit is equivalent to the dial up connection and is...

Page 486: ...Successful TELNET login Someone has logged on to the router via telnet TELNET login failed Someone has failed to log on to the router via telnet Successful FTP login Someone has logged on to the rout...

Page 487: ...NetBIOS filter settings WAN connection is down A WAN connection is down You cannot access the network through this interface Table 167 Access Control Logs LOG MESSAGE DESCRIPTION Firewall default poli...

Page 488: ...ut 3 minutes UDP idle timeout 3 minutes TCP connection three way handshaking timeout 270 seconds TCP FIN wait timeout 2 MSL Maximum Segment Lifetime set in the TCP header TCP idle established timeout...

Page 489: ...an ICMP reply packet to the sender Table 171 CDR Logs LOG MESSAGE DESCRIPTION board d line d channel d call d s C01 Outgoing Call dev x ch x s The router received the setup requirements for a call ca...

Page 490: ...et s The content filter server responded that the web site is in the blocked category list but it did not return the category type s s The content filter server responded that the web site is in the b...

Page 491: ...The firewall detected an ICMP echo attack For type and code details see Table 182 on page 498 syn flood TCP The firewall detected a TCP syn flood attack ports scan TCP The firewall detected a TCP port...

Page 492: ...ion failed during IKE phase 2 because the router and the peer s Local Remote Addresses don t match Verifying Local ID failed The connection failed during IKE phase 2 because the router and the peer s...

Page 493: ...router s Remote Address This information conflicted with static rule d thus the connection is not allowed Phase 1 ID type mismatch This router s Peer ID Type is different from the peer IPSec router s...

Page 494: ...een the router and the peer Rule d Phase 2 encapsulation mismatch The listed rule s IKE phase 2 encapsulation did not match between the router and the peer Rule d Phase 2 pfs mismatch The listed rule...

Page 495: ...ca cert subject name The router received a certification authority certificate with subject name as recorded from the LDAP server whose IP address and port are recorded in the Source field Rcvd user...

Page 496: ...PTION 1 Algorithm mismatch between the certificate and the search constraints 2 Key usage mismatch between the certificate and the search constraints 3 Certificate was not valid in the time interval 4...

Page 497: ...session expired User logout because of user deassociation The router logged out a user who ended the session User logout because of no authentication response from user The router logged out a user fr...

Page 498: ...AN Prestige ACL set for packets traveling from the WAN to the WAN or the Prestige D to D ZW DMZ to DMZ Prestige ACL set for packets traveling from the DMZ to the DMZ or the Prestige Table 182 ICMP Note...

Page 499: ...P srcPort dst dstIP dstPort msg msg note note devID mac address last three numbers cat category This message is sent by the system RAS displays as the system name if you haven t configured one when th...

Page 500: ...ory followed by a log category to display the parameters that are available for the category Figure 311 Displaying Log Parameters Example 4 Use sys logs category followed by a log category and a param...

Page 501: ...sys logs clear command to erase all of the Prestige s logs Log Command Example This example shows how to set the Prestige to record the access logs and alerts and then view the results ras sys logs lo...

Page 502: ...network or Independent Basic Service Set IBSS The following diagram shows an example of notebook computers using wireless adapters to form an Ad hoc wireless LAN Figure 312 Peer to Peer Communication...

Page 503: ...his wired connection between APs is called a Distribution System DS This type of wireless LAN topology is called an Infrastructure WLAN The Access Points not only provide communication with the wired...

Page 504: ...ially overlap however To avoid interference due to overlap your AP should be on a channel at least five channels away from a channel that an adjacent AP is using For example if your region has 11 chan...

Page 505: ...ir transmission It also reserves and confirms with the requesting station the time frame for the requested transmission Stations can send frames smaller than the specified RTS CTS directly to the AP w...

Page 506: ...rt long preamble However not all wireless adapters support short preamble Use long preamble if you are unsure what preamble mode the wireless adapters support to ensure interpretability between the AP...

Page 507: ...or the wireless stations RADIUS RADIUS is based on a client server model that supports authentication authorization and accounting The access point is the client and the server is the RADIUS server Th...

Page 508: ...his appendix discusses some popular authentication types EAP MD5 EAP TLS EAP TTLS PEAP and LEAP The type of authentication you use depends on the RADIUS server or the AP Consult your network administr...

Page 509: ...ction thus client identity is protected For client authentication EAP TTLS supports EAP methods and legacy authentication methods such as PAP CHAP MS CHAP and MS CHAP v2 PEAP Protected EAP Like EAP TT...

Page 510: ...named Michael an extended initialization vector IV with sequencing rules and a re keying mechanism TKIP regularly changes and rotates the encryption keys so that the same encryption key is never used...

Page 511: ...tween the two is that WPA PSK uses a simple common password instead of user specific credentials The common password approach makes WPA PSK susceptible to brute force password guessing attacks but it...

Page 512: ...ation number field name parameter values allowed input where input is your input conforming to parameter values allowed The figure shown next is an example of an Internal SPTGEN text file Figure 316 C...

Page 513: ...ine Example The Prestige will display the following if you enter parameter s that are valid Figure 318 Valid Parameter Entered Command Line Example Internal SPTGEN FTP Download Example 1 Launch your F...

Page 514: ...ternal SPTGEN FTP Upload Example Example Internal SPTGEN Screens This section covers Prestige Internal SPTGEN screens c ftp 192 168 1 1 220 PPP FTP version 1 0 ready at Sat Jan 1 03 22 12 2000 User 19...

Page 515: ...0 No 1 Yes 0 Table 190 Menu 3 SMT Menu 3 Menu 3 1 General Ethernet Setup SMT menu 3 1 FIN FN PVA INPUT 30100001 Input Protocol filters Set 1 2 30100002 Input Protocol filters Set 2 256 30100003 Input...

Page 516: ...y 0 30200011 Version 0 Rip 1 1 Rip 2B 2 Rip 2M 0 30200012 Multicast 0 IGMP v2 1 IGMP v1 2 None 2 30200013 IP Policies Set 1 1 12 256 30200014 IP Policies Set 2 1 12 256 30200015 IP Policies Set 3 1 12...

Page 517: ...oth 2 In Only 3 Out Only 0 30201018 Version 0 Rip 1 1 Rip 2B 2 Rip 2M 0 30201019 IP Alias 2 Incoming protocol filters Set 1 256 30201020 IP Alias 2 Incoming protocol filters Set 2 256 30201021 IP Alia...

Page 518: ...1 Enable 0 MENU 3 5 1 WLAN MAC ADDRESS FILTER SMT MENU 3 5 1 FIN FN PVA INPUT 30501001 Mac Filter Active 0 No 1 Yes 0 30501002 Filter Action 0 Allow 1 Deny 0 30501003 Address 1 00 00 00 00 0 0 00 305...

Page 519: ...net mask 0 40000016 ISP incoming protocol filter set 1 6 40000017 ISP incoming protocol filter set 2 256 40000018 ISP incoming protocol filter set 3 256 40000019 ISP incoming protocol filter set 4 256...

Page 520: ...e 0 No 1 Yes 0 Menu 12 1 2 IP Static Route Setup SMT Menu 12 1 2 FIN FN PVA INPUT 120102001 IP Static Route set 2 Name 120102002 IP Static Route set 2 Active 0 No 1 Yes 0 120102003 IP Static Route set...

Page 521: ...on IP subnetmask 0 120105005 IP Static Route set 5 Gateway 0 0 0 0 120105006 IP Static Route set 5 Metric 0 120105007 IP Static Route set 5 Private 0 No 1 Yes 0 Menu 12 1 6 IP Static Route Setup SMT M...

Page 522: ...3 IP Static Route set 9 Destination IP address 0 0 0 0 120109004 IP Static Route set 9 Destination IP subnetmask 0 120109005 IP Static Route set 9 Gateway 0 0 0 0 120109006 IP Static Route set 9 Metri...

Page 523: ...FN PVA INPUT 120113001 IP Static Route set 13 Name Str 120113002 IP Static Route set 13 Active 0 No 1 Yes 0 120113003 IP Static Route set 13 Destination IP address 0 0 0 0 120113004 IP Static Route s...

Page 524: ...sk 0 120116005 IP Static Route set 16 Gateway 0 0 0 0 120116006 IP Static Route set 16 Metric 0 120116007 IP Static Route set 16 Private 0 No 1 Yes 0 Table 192 Menu 12 SMT Menu 12 continued Table 193...

Page 525: ...All 6 TCP 17 UDP 0 0 0 0 150000029 SUA Server 7 Port Start 0 150000030 SUA Server 7 Port End 0 150000031 SUA Server 7 Local IP address 0 0 0 0 150000032 SUA Server 8 Active 0 No 1 Yes 0 150000033 SUA...

Page 526: ...u 21 1 1 1 set 1 rule 1 SMT Menu 21 1 1 1 FIN FN PVA INPUT 210101001 IP Filter Set 1 Rule 1 Type 2 TCP IP 2 210101002 IP Filter Set 1 Rule 1 Active 0 No 1 Yes 1 210101003 IP Filter Set 1 Rule 1 Protoc...

Page 527: ...not equal 3 less 4 greater 0 210102013 IP Filter Set 1 Rule 2 Act Match 1 check next 2 forward 3 drop 3 210102014 IP Filter Set 1 Rule 2 Act Not Match 1 check next 2 forward 3 drop 1 Menu 21 1 1 3 set...

Page 528: ...ess 0 0 0 0 210104009 IP Filter Set 1 Rule 4 Src Subnet Mask 0 210104010 IP Filter Set 1 Rule 4 Src Port 0 210104011 IP Filter Set 1 Rule 4 Src Port Comp 0 none 1 equal 2 not equal 3 less 4 greater 0...

Page 529: ...ilter Set 1 Rule 6 Dest IP address 0 0 0 0 210106005 IP Filter Set 1 Rule 6 Dest Subnet Mask 0 210106006 IP Filter Set 1 Rule 6 Dest Port 139 210106007 IP Filter Set 1 Rule 6 Dest Port Comp 0 none 1 e...

Page 530: ...ilter Set 2 Rule 1 Src Port 0 210201011 IP Filter Set 2 Rule 1 Src Port Comp 0 none 1 equal 2 not equal 3 less 4 greater 0 210201013 IP Filter Set 2 Rule 1 Act Match 1 check next 2 forward 3 drop 3 2...

Page 531: ...210203004 IP Filter Set 2 Rule 3 Dest IP address 0 0 0 0 210203005 IP Filter Set 2 Rule 3 Dest Subnet Mask 0 210203006 IP Filter Set 2 Rule 3 Dest Port 139 210203007 IP Filter Set 2 Rule 3 Dest Port...

Page 532: ...4 greater 0 210204013 IP Filter Set 2 Rule 4 Act Match 1 check next 2 forward 3 drop 3 210204014 IP Filter Set 2 Rule 4 Act Not Match 1 check next 2 forward 3 drop 1 Menu 21 1 2 5 Filter set 2 rule...

Page 533: ...Mask 0 210206006 IP Filter Set 2 Rule 6 Dest Port 139 210206007 IP Filter Set 2 Rule 6 Dest Port Comp 0 none 1 equal 2 not equal 3 less 4 greater 1 210206008 IP Filter Set 2 Rule 6 Src IP address 0 0...

Page 534: ...1111 230200006 Accounting Server Configured 0 No 1 Yes 1 230200007 Accounting Server Active 0 No 1 Yes 1 230200008 Accounting Server IP Address 192 168 1 44 230200009 Accounting Server Port 1823 23020...

Page 535: ...Menu 24 11 Remote Management Control SMT Menu 24 11 FIN FN PVA INPUT 241100001 TELNET Server Port 23 241100002 TELNET Server Access 0 all 1 none 2 Lan 3 Wan 0 241100003 TELNET Server Secured IP addr...

Page 536: ...Prestige 661H HW Series User s Guide Appendix M Internal SPTGEN 536 FIN FN PVA INPUT 990000001 ADSL OPMD 0 etsi 1 normal 2 gdmt 3 multimode 3 Table 198 Command Examples continued FIN FN PVA INPUT...

Page 538: ...databases 352 Authentication Header 176 Authentication protocol 297 Authority 3 auto negotiation 43 AWG 4 B Backup 365 Backup Typ 112 Bandwidth Borrowing 233 bandwidth budget 228 bandwidth capacity 22...

Page 539: ...4 Copyright 2 Correcting Interference 3 Corrosive Liquids 4 Cost Of Transmission 299 306 Country Code 357 Covers 4 CPU Load 356 CTS Clear to Send 505 Custom Ports Creating Editing 153 Customer Support...

Page 540: ...nded Service Set 503 F Failure 5 Fairness based Scheduler 231 FCC 3 Compliance 3 Rules Part 15 3 FCC Rules 3 Federal Communications Commission 3 Filename Conventions 364 filename conventions 365 Filte...

Page 541: ...8 Independent Basic Service Set 502 Indirect Damages 5 initialization vector IV 510 Inside Header 173 Install UPnP 210 Windows Me 210 Windows XP 212 Insurance 5 Integrated Services Digital Network 42...

Page 542: ...Rule Summary 148 Local User Database 352 Local user database 96 Log and Trace 358 Log Facility 359 Logging Option 336 339 Logical networks 288 Login 296 Logs 222 M MAC Media Access Control 258 MAC Me...

Page 543: ...Packet Error 355 Received 355 Transmitted 355 Packet Filtering 141 Packet filtering When to use 141 Packet Filtering Firewalls 130 Packet Triggered 360 Packets 355 Pairwise Master Key PMK 510 PAP 297...

Page 544: ...red 2 Registered Trademark 2 Regular Mail 6 reinitialize the ADSL line 262 Related Documentation 38 Relocate 3 Re manufactured 5 Remote DHCP Server 282 Remote Management Firewall 328 Remote Management...

Page 545: ...98 349 Shipping 5 Shock Electric 4 SMT Menu Overview 267 SMTP 119 SMTP Error Messages 225 Smurf 134 135 SNMP 119 Community 346 Configuration 345 Get 345 GetNext 345 Manager 344 MIBs 345 Set 345 Trap 3...

Page 546: ...136 Trademark 2 Trademark Owners 2 Trademarks 2 Traffic Redirect 110 111 Setup 277 Traffic redirect 110 traffic redirect 44 Traffic shaping 105 Translation 2 Transmission Rates 43 Transport Mode 173 T...

Page 547: ...ng 84 Wireless LAN MAC Address Filtering 46 Wireless LAN Setup 284 Wireless port control 91 351 Wireless security 82 Wizard Setup 69 WLAN Interference 504 Security parameters 511 Workmanship 5 Worldwi...
