Home
/
ZyXEL Communications
/
VMG1312-B10C
/
User Manual

ZyXEL Communications VMG1312-B10C, User Manual

Share

Page: 218 / 294

ZyXEL Communications VMG1312-B10C User Manual Download Page 218

Chapter 19 VPN

VMG1312-B10C User’s Guide

218

19.3.4 Negotiation Mode

The phase 1

Negotiation Mode

you select determines how the Security Association (SA) will be

established for each connection through IKE negotiations.

•

Main Mode

ensures the highest level of security when the communicating parties are

negotiating authentication (phase 1). It uses 6 messages in three round trips: SA negotiation,
Diffie-Hellman exchange and an exchange of nonces (a nonce is a random number). This mode
features identity protection (your identity is not revealed in the negotiation).

•

Aggressive Mode

is quicker than

Main Mode

because it eliminates several steps when the

communicating parties are negotiating authentication (phase 1). However the trade-off is that
faster speed limits its negotiating power and it also does not provide identity protection. It is
useful in remote access situations where the address of the initiator is not know by the responder
and both parties want to use pre-shared key authentication.

19.3.5 IPSec and NAT

Read this section if you are running IPSec on a host computer behind the Device.

NAT is incompatible with the

AH

protocol in both

Transport

and

Tunnel

mode. An IPSec VPN using

the

AH

protocol digitally signs the outbound packet, both data payload and headers, with a hash

value appended to the packet. When using

AH

protocol, packet contents (the data payload) are not

encrypted.

A NAT device in between the IPSec endpoints will rewrite either the source or destination address
with one of its own choosing. The VPN device at the receiving end will verify the integrity of the
incoming packet by computing its own hash value, and complain that the hash value appended to
the received packet doesn't match. The VPN device at the receiving end doesn't know about the
NAT in the middle, so it assumes that the data has been maliciously altered.

IPSec using

ESP

in

Tunnel

mode encapsulates the entire original packet (including headers) in a

new IP packet. The new IP packet's source address is the outbound address of the sending VPN
gateway, and its destination address is the inbound address of the VPN device at the receiving end.
When using

ESP

protocol with authentication, the packet contents (in this case, the entire original

packet) are encrypted. The encrypted contents, but not the new headers, are signed with a hash
value appended to the packet.

Tunnel

mode

ESP

with authentication is compatible with NAT because integrity checks are

performed over the combination of the "original header plus original payload," which is unchanged
by a NAT device.

Transport

mode

ESP

with authentication is not compatible with NAT.

Table 93

VPN and NAT

SECURITY PROTOCOL

MODE

NAT

AH

Transport

N

AH

Tunnel

N

ESP

Transport

N

ESP

Tunnel

Y

«
...
216
217
218
219
220
...
»

Summary of Contents for VMG1312-B10C

Page 1: ...com VMG1312 B10C Wireless N VDSL2 4 port Gateway with USB Version 1 00 Edition 1 10 2014 Copyright 2014 ZyXEL Communications Corporation User s Guide Default Login Details LAN IP Address http 192 168 1 1 Login admin Password 1234 ...

Page 2: ... book may differ slightly from your product due to differences in your product firmware or your computer operating system Every effort has been made to ensure that the information in this manual is accurate Related Documentation Quick Start Guide The Quick Start Guide shows how to connect the Device and get up and running right away ...

Page 3: ...ce QoS 131 Network Address Translation NAT 149 Dynamic DNS Setup 167 Interface Group 171 USB Service 177 Firewall 183 MAC Filter 193 Parental Control 195 Scheduler Rule 199 Certificates 201 VPN 209 Log 221 Traffic Status 225 ARP Table 229 Routing Table 231 IGMP Status 233 xDSL Statistics 235 3G Statistics 239 User Account 241 Remote Management 243 TR 069 Client 245 TR 064 247 Time Settings 249 E m...

Page 4: ...Contents Overview VMG1312 B10C User s Guide 4 Diagnostic 265 Troubleshooting 271 ...

Page 5: ... 18 1 4 1 Internet Access 18 1 4 2 Device s USB Support 19 1 5 LEDs Lights 20 1 6 The RESET Button 20 1 7 Wireless Access 21 1 7 1 Using the WLAN WPS Button 21 Chapter 2 The Web Configurator 23 2 1 Overview 23 2 1 1 Accessing the Web Configurator 23 2 2 Web Configurator Layout 25 2 2 1 Title Bar 25 2 2 2 Main Window 26 2 2 3 Navigation Panel 27 Chapter 3 Quick Start 31 3 1 Overview 31 3 2 Quick St...

Page 6: ...en 57 5 7 Technical Reference 58 Chapter 6 Wireless 65 6 1 Overview 65 6 1 1 What You Can Do in this Chapter 65 6 1 2 What You Need to Know 66 6 2 The General Screen 66 6 2 1 No Security 69 6 2 2 Basic WEP Encryption 70 6 2 3 Basic 802 1X 71 6 2 4 More Secure WPA 2 PSK 73 6 2 5 WPA 2 Authentication 74 6 3 The More AP Screen 75 6 3 1 Edit More AP 77 6 4 MAC Authentication 78 6 5 The WPS Screen 79 6...

Page 7: ...xample 109 7 6 Using UPnP in Windows XP Example 112 7 7 The Additional Subnet Screen 118 7 8 The STB Vendor ID Screen 119 7 9 The LAN VLAN Screen 120 7 10 Technical Reference 120 7 10 1 LANs WANs and the Device 121 7 10 2 DHCP Setup 121 7 10 3 DNS Server Addresses 121 7 10 4 LAN TCP IP 122 Chapter 8 Routing 125 8 1 Overview 125 8 2 The Routing Screen 126 8 2 1 Add Edit Static Route 127 8 3 The Pol...

Page 8: ...10 3 The Applications Screen 153 10 3 1 Add New Application 154 10 4 The Port Triggering Screen 155 10 4 1 Add Edit Port Triggering Rule 157 10 5 The DMZ Screen 158 10 6 The ALG Screen 158 10 7 The Address Mapping Screen 159 10 7 1 Add Edit Address Mapping Rule 160 10 8 Technical Reference 161 10 8 1 NAT Definitions 161 10 8 2 What NAT Does 162 10 8 3 How NAT Works 163 10 8 4 NAT Application 164 C...

Page 9: ...ou Begin 181 Chapter 14 Firewall 183 14 1 Overview 183 14 1 1 What You Can Do in this Chapter 183 14 1 2 What You Need to Know 184 14 2 The Firewall Screen 185 14 3 The Service Screen 185 14 3 1 Add Edit a Service 187 14 4 The Access Control Screen 188 14 4 1 Add Edit an ACL Rule 189 14 5 The DoS Screen 190 Chapter 15 MAC Filter 193 15 1 Overview 193 15 2 The MAC Filter Screen 193 Chapter 16 Paren...

Page 10: ...ral Screen 209 19 2 2 IPSec VPN Add 210 19 3 Technical Reference 215 19 3 1 IPSec Architecture 215 19 3 2 Encapsulation 216 19 3 3 IKE Phases 217 19 3 4 Negotiation Mode 218 19 3 5 IPSec and NAT 218 19 3 6 VPN NAT and NAT Traversal 219 19 3 7 Pre Shared Key 219 19 3 8 Diffie Hellman DH Key Groups 220 Chapter 20 Log 221 20 1 Overview 221 20 1 1 What You Can Do in this Chapter 221 20 1 2 What You Ne...

Page 11: ...24 2 The IGMP Group Status Screen 233 Chapter 25 xDSL Statistics 235 25 1 The xDSL Statistics Screen 235 Chapter 26 3G Statistics 239 26 1 Overview 239 26 2 The 3G Statistics Screen 239 Chapter 27 User Account 241 27 1 Overview 241 27 2 The User Account Screen 241 Chapter 28 Remote Management 243 28 1 Overview 243 28 2 The Remote MGMT Screen 243 Chapter 29 TR 069 Client 245 29 1 Overview 245 29 2 ...

Page 12: ... Settings Screen 256 33 2 1 Example E mail Log 257 Chapter 34 Firmware Upgrade 259 34 1 Overview 259 34 2 The Firmware Screen 259 Chapter 35 Configuration 261 35 1 Overview 261 35 2 The Configuration Screen 261 35 3 The Reboot Screen 263 Chapter 36 Diagnostic 265 36 1 Overview 265 36 1 1 What You Can Do in this Chapter 265 36 2 What You Need to Know 265 36 3 Ping TraceRoute NsLookup 266 36 4 802 1...

Page 13: ...tents VMG1312 B10C User s Guide 13 37 3 Internet Access 274 37 4 Wireless Internet Access 275 37 5 USB Device Connection 276 37 6 UPnP 276 Appendix A Customer Support 277 Appendix B Legal Information 283 Index 289 ...

Page 14: ...Table of Contents VMG1312 B10C User s Guide 14 ...

Page 15: ...15 PART I User s Guide ...

Page 16: ...16 ...

Page 17: ...nagement of the Device using a supported web browser TR 069 This is an auto configuration server used to remotely configure your device 1 3 Good Habits for Managing the Device Do the following things regularly to make the Device more secure and to manage the Device more effectively Change the password Use a password that s not easy to guess and that consists of different types of characters such a...

Page 18: ... layer 2 interfaces that you configure in the Device Refer to Section 5 2 on page 42 for the Network Setting Broadband screen Computers can connect to the Device s LAN ports or wirelessly Figure 1 Device s Internet Access Application You can also configure IP filtering on the Device for secure Internet access When the IP filter is on all incoming traffic from the Internet to your network is blocke...

Page 19: ...USB hard drive B You can connect one USB hard drive to the Device at a time Use FTP to access the files on the USB device Figure 2 USB File Sharing Application Media Server You can also use the Device as a media server This lets anyone on your network play video music and photos from a USB device B connected to the Device s USB port without having to copy them to another computer Figure 3 USB Medi...

Page 20: ... The Device is communicating with other wireless clients Orange Blinking The Device is setting up a WPS connection Off The wireless network is not activated 4 1 ETHERNET Green On The Device has a successful 100 Mbps Ethernet connection with a device on the Local Area Network LAN Blinking The Device is sending or receiving data to from the LAN at 100 Mbps Off The Device does not have an Ethernet co...

Page 21: ... 1 7 1 Using the WLAN WPS Button If the wireless network is turned off press the WLAN WPS button at the back of the Device for one second Once the WLAN WPS LED turns green the wireless network is active You can also use the WLAN WPS button to quickly set up a secure wireless connection between the Device and a WPS compatible client by adding one device at a time To activate WPS 1 Make sure the POW...

Page 22: ...Chapter 1 Introducing the Device VMG1312 B10C User s Guide 22 ...

Page 23: ...rmissions enabled by default 2 1 1 Accessing the Web Configurator 1 Make sure your Device hardware is properly connected refer to the Quick Start Guide 2 Launch your web browser If the Device does not automatically re direct you to the login screen go to http 192 168 1 1 3 A password screen displays To access the administrative web configurator and manage the Device type the default username admin...

Page 24: ...d to the main menu if you do not want to change the password now Figure 6 Change Password Screen 5 The Quick Start Wizard screen appears You can configure the Device s time zone basic Internet access and wireless settings See Chapter 3 on page 31 for more information 6 After you finished or closed the Quick Start Wizard screen the Network Map page appears Figure 7 Network Map 7 Click Status to dis...

Page 25: ... Guide 25 2 2 Web Configurator Layout Figure 8 Screen Layout As illustrated above the main screen is divided into these parts A title bar B main window C navigation panel 2 2 1 Title Bar The title bar provides some icons in the upper right corner B C A ...

Page 26: ...is document After you click Status on the Connection Status page the Status screen is displayed See Chapter 4 on page 36 for more information about the Status screen Table 2 Web Configurator Icons in the Title Bar ICON DESCRIPTION Quick Start Click this icon to open screens where you can configure the Device s time zone Internet access and wireless settings Logout Click this icon to log out of the...

Page 27: ... ports are in color and disconnected ports are gray Figure 9 Virtual Device 2 2 3 Navigation Panel Use the menu items on the navigation panel to open screens to configure Device features The following tables describe each menu item Table 3 Navigation Panel Summary LINK TAB FUNCTION Connection Status This screen shows the network status of the Device and computers devices connected to it Network Se...

Page 28: ...s Channel Status Use this screen to scan wireless LAN channel noises and view the results Home Networking LAN Setup Use this screen to configure LAN TCP IP settings and other advanced properties Static DHCP Use this screen to assign specific IP addresses to individual MAC addresses UPnP Use this screen to turn UPnP and UPnP NAT T on or off Additional Subnet Use this screen to configure IP alias an...

Page 29: ...ess Control Use this screen to enable specific traffic directions for network services DoS Use this screen to activate protection against Denial of Service DoS attacks MAC Filter Use this screen to block or allow traffic from devices of certain MAC addresses to the Device Parental Control Use this screen to block web sites with the specific URL Scheduler Rule Use this screen to configure the days ...

Page 30: ...e this screen to configure up to two mail servers and sender addresses on the Device Log Setting Use this screen to change your Device s log settings Firmware Upgrade Use this screen to upload firmware to your device Configuration Use this screen to backup and restore your device s configuration settings or reset the factory default settings Reboot Use this screen to reboot the Device without turn...

Page 31: ...technical reference chapters starting on page 33 for background information on the features in this chapter 3 2 Quick Start Setup 1 The Quick Start Wizard appears automatically after login Or you can click the Click Start icon in the top right corner of the web configurator to open the quick start screens Select the time zone of the Device s location and click Next Figure 10 Time Zone ...

Page 32: ...pending on your current connection type Click Next Click Next Figure 11 Internet Connection 3 Turn the wireless LAN on or off If you keep it on record the security settings so you can configure your wireless clients to connect to the Device Click Save Figure 12 Internet Connection 4 Your Device saves your settings and attempts to connect to the Internet ...

Page 33: ...33 PART II Technical Reference ...

Page 34: ...34 ...

Page 35: ...nt status of the Device system resources and interfaces LAN WAN and WLAN 4 2 The Network Map Screen Use this screen to view the network connection status of the device and its clients A warning message appears if there is a connection problem If you prefer to view the status in a list click List View in the Viewing Mode selection box You can configure how often you want the Device to update this s...

Page 36: ...ck the client s name and Info Click the IP address if you want to change it If you want to change the name or icon of the client click Change icon name In List Mode you can also view the client s information 4 3 The Status Screen Use this screen to view the status of the Device Click Status to open this screen Figure 15 Status Screen ...

Page 37: ... what DHCP services the Device is providing to the LAN Choices are Server The Device is a DHCP server in the LAN It assigns IP addresses to other computers in the LAN Relay The Device acts as a surrogate DHCP server and relays DHCP requests and responses between the remote server and the clients None The Device is not providing any DHCP services to the LAN MAC Address This shows the LAN Ethernet a...

Page 38: ...t some applications to have more throughput you should turn off other applications for example using QoS see Chapter 9 on page 131 Memory Usage This field displays what percentage of the Device s memory is currently used Usually this percentage should not increase much If memory usage does get close to 100 the Device is probably becoming unstable and you should restart the device See Section 35 2 ...

Page 39: ...uters in other locations Figure 16 LAN and WAN 3G third generation standards for the sending and receiving of voice video and data in a mobile environment You can attach a 3G wireless adapter to the USB port and set the Device to use this 3G connection as your WAN or a backup when the wired WAN connection fails Figure 17 3G WAN Connection 5 1 1 What You Can Do in this Chapter Use the Broadband scr...

Page 40: ...e Device to communicate with other devices in other networks It can be static fixed or dynamically assigned by the ISP each time the Device tries to access the Internet If your ISP assigns you a static WAN IP address they should also assign you the subnet mask and DNS server IP address es Table 5 WAN Setup Overview LAYER 2 INTERFACE INTERNET CONNECTION CONNECTION DSL LINK TYPE MODE ENCAPSULATION C...

Page 41: ...ion IPv6 Internet Protocol version 6 is designed to enhance IP address size and features The increase in IPv6 address size to 128 bits from the 32 bit IPv4 address allows up to 3 4 x 1038 IP addresses The Device can use IPv4 IPv6 dual stack to connect to IPv4 and IPv6 networks and supports IPv6 rapid deployment 6RD IPv6 Addressing The 128 bit IPv6 address is written as eight 16 bit hexadecimal blo...

Page 42: ...nge your Device s Internet access settings Click Network Setting Broadband from the menu The summary table shows you the configured WAN services connections on the Device Figure 18 Network Setting Broadband The following table describes the labels in this screen Table 6 Network Setting Broadband LABEL DESCRIPTION Add new WAN Interface Click this button to create a new connection This is the index ...

Page 43: ...default gateway IPv6 This shows whether IPv6 is activated or not for this connection IPv6 is not available when the connection uses the bridging service MLD Proxy This shows whether Multicast Listener Discovery MLD is activated or not for this connection MLD is not available when the connection uses the bridging service Modify Delete Click the Edit icon to configure the WAN connection Click the De...

Page 44: ...he following example screen displays when you select the ADSL over ATM connection type Routing mode and PPPoE encapsulation The screen varies when you select other interface type encapsulation and IPv6 IPv4 mode Figure 19 Routing Mode The following table describes the labels in this screen Table 7 Routing Mode LABEL DESCRIPTION General Active Select this to activate the WAN configuration settings ...

Page 45: ...NAP header This is available only when you select IPoE or PPPoE in the Select DSL Link Type field VC MUX In VC multiplexing each protocol is carried on a single ATM virtual circuit VC To transport multiple protocols the Device needs separate VCs There is a binding between a VC and the type of the network protocol carried on the VC This reduces payload overhead since there is no need to carry proto...

Page 46: ...through if you do not need to allow hosts on the LAN to use PPPoE client software on their computers to connect to the ISP IP Address This is available only when you select IPv4 Only or IPv6 IPv4 DualStack in the IPv6 IPv4 Mode field Obtain an IP Address Automatically A static IP address is a fixed IP that your ISP gives you A dynamic IP address is not fixed the ISP assigns you a different one eac...

Page 47: ... RA This option is available only when you choose to get your IPv6 address automatically Select Static if you have a fixed IPv6 address assigned by your ISP Select None to not assign any IPv6 address to this WAN connection WAN IPv6 Address Enter the IPv6 address assigned by your ISP Prefix Length Enter the address prefix length to specify how many most significant bits in an IPv6 address compose t...

Page 48: ...ing traffic through this connection 802 1p IEEE 802 1p defines up to 8 separate traffic types by inserting a tag into a MAC layer frame that contains bits to define class of service Select the IEEE 802 1p priority level from 0 to 7 to add to traffic through this connection The greater the number the higher the priority level 802 1q Type the VLAN ID number from 1 to 4094 for traffic through this co...

Page 49: ... select Bridge you cannot use routing functions such as QoS Firewall DHCP server and NAT on traffic from the selected LAN port s VLAN This section is available only when you select ADSL VDSL over PTM in the Type field Active Select this to add the VLAN Tag specified below to the outgoing traffic through this connection 802 1p IEEE 802 1p defines up to 8 separate traffic types by inserting a tag in...

Page 50: ...the method of multiplexing used by your ISP from the drop down list box Choices are LLC SNAP BRIDGING In LCC encapsulation bridged PDUs are encapsulated by identifying the type of the bridged media in the SNAP header This is available only when you select IPoE or PPPoE in the Select DSL Link Type field VC MUX In VC multiplexing each protocol is carried on a single ATM virtual circuit VC To transpo...

Page 51: ...ilable only when you select Non Realtime VBR or Realtime VBR Maximum Burst Size Maximum Burst Size MBS refers to the maximum number of cells that can be sent at the peak rate Type the MBS which is less than 65535 This field is available only when you select Non Realtime VBR or Realtime VBR QoS Rate Limit Enter the rate limit for the connection This is the maximum transmission rate allowed for traf...

Page 52: ... want the Device to ping check the connection status of your WAN You can configure the frequency of the ping check and number of consecutive failures before triggering 3G backup Check Cycle Enter the frequency of the ping check in this field Consecutive Fail Enter how many consecutive failures are required before 3G backup is triggered Ping Default Gateway Select this to have the Device ping the W...

Page 53: ...onnection up all the time and specify an idle time out in the Max Idle Timeout field Max Idle Timeout This value specifies the time in minutes that elapses before the Device automatically disconnects from the ISP Obtain an IP Address Automatically Select this option If your ISP did not assign you a fixed IP address Use the following static IP address Select this option If the ISP assigned a fixed ...

Page 54: ...hly budget restart so if you configured the time and data budget counters to reset on the second day of the month and you use this button on the first the time and data budget counters will still reset on the second Actions before over budget Specify the actions the Device takes before the time or data limit exceeds Enable of time budget data budget Mbytes data budget kPackets Select Enable and en...

Page 55: ...ble to use PTM over ADSL Since PTM has less overhead than ATM some ISPs use PTM over ADSL for better performance Annex M You can enable Annex M for the Device to use double upstream mode to increase the maximum upstream transfer rate PhyR US Enable or disable PhyR US upstream for upstream transmission to the WAN PhyR US should be enabled if data being transmitted upstream is sensitive to noise How...

Page 56: ...ctive Interface This is the interface that uses the authentication This displays N A when there is no interface assigned EAP Identity This shows the EAP identity of the authentication This displays N A when there is no EAP identity assigned EAP method This shows the EAP method used in the authentication This displays N A when there is no EAP method assigned Bidirectional Authentication This shows ...

Page 57: ...on Clear this to disable this authentication without having to delete the entry Interface This field displays where there is an interface available to select for the 802 1X authentication settings Select the interface to which to apply the 802 1X authentication settings EAP Identity Enter the EAP identity of the authentication EAP method This is the EAP method used for this authentication Enable B...

Page 58: ...terface and the WAN interface and then formatted so that they can be understood in a bridged environment For instance it encapsulates routed Ethernet frames into bridged Ethernet cells PPP over ATM PPPoA PPPoA stands for Point to Point Protocol over ATM Adaptation Layer 5 AAL5 A PPPoA connection functions like a dial up Internet connection The Device encapsulates the PPP session based on RFC1483 a...

Page 59: ...daptation Layer 5 AAL5 The first method allows multiplexing of multiple protocols over a single ATM virtual circuit LLC based multiplexing and the second method assumes that each protocol is carried over a separate ATM virtual circuit VC based multiplexing Please refer to RFC 1483 for more detailed information Multiplexing There are two conventions to identify what protocols the virtual circuit VC...

Page 60: ...tes to your upstream line rate The following figure illustrates the relationship between PCR SCR and MBS Figure 27 Example of Traffic Shaping ATM Traffic Classes These are the basic ATM traffic classes defined by the ATM Forum Traffic Management 4 0 Specification Constant Bit Rate CBR Constant Bit Rate CBR provides fixed bandwidth that is always available even if no data is being sent CBR traffic ...

Page 61: ...ctly talk to or hear from devices that are not in the same group s the traffic must first go through a router In Multi Tenant Unit MTU applications VLAN is vital in providing isolation and security among the subscribers When properly configured VLAN prevents one subscriber from accessing the network resources of another on the same LAN thus a user will not see the printers and hard disks of anothe...

Page 62: ...any group and is used by IP multicast computers The address 224 0 0 1 is used for query messages and is assigned to the permanent group of all IP hosts including gateways All hosts must join the 224 0 0 1 group in order to participate in IGMP The address 224 0 0 2 is assigned to the multicast routers group At start up the Device queries all directly connected networks to gather group membership Af...

Page 63: ... 0000 0000 0015 can be written as 2001 0db8 1a2f 0000 0000 0015 2001 0db8 0000 0000 1a2f 0015 2001 db8 1a2f 0 0 15 or 2001 db8 0 0 1a2f 15 IPv6 Prefix and Prefix Length Similar to an IPv4 subnet mask IPv6 uses an address prefix to represent the network address An IPv6 prefix length specifies how many most significant bits start from the left in the address compose the network address The prefix le...

Page 64: ...Chapter 5 Broadband VMG1312 B10C User s Guide 64 ...

Page 65: ...tication screen to allow or deny wireless clients based on their MAC addresses from connecting to the Device Section 6 4 on page 78 Use the WPS screen to enable or disable WPS view or generate a security PIN Personal Identification Number Section 6 5 on page 79 Use the WMM screen to enable Wi Fi MultiMedia WMM to ensure quality of service in wireless networks for multimedia applications Section 6 ...

Page 66: ...quire a license to use However wireless networking is different from that of most traditional radio communications in that there a number of wireless networking standards available with different methods of data encryption Finding Out More See Section 6 10 on page 86 for advanced technical information on wireless networks 6 2 The General Screen Use this screen to enable the Wireless LAN enter the ...

Page 67: ...Chapter 6 Wireless VMG1312 B10C User s Guide 67 Click Network Setting Wireless to open the General screen Figure 28 Network Setting Wireless General ...

Page 68: ...c channel and set the Bandwidth field to 40MHz Set whether the control channel set in the Channel field should be in the Lower or Upper range of channel bands Passphrase Type If you set security for the wireless LAN and have the Device generate a password the setting in this field determines how the Device generates the password Select None to set the Device s password generation to not be based o...

Page 69: ...ic to this WLAN from the WAN in kilobits per second Kbps BSSID This shows the MAC address of the wireless interface on the Device when wireless LAN is enabled Security Level Security Mode Select Basic WEP 802 1X or More Secure WPA 2 PSK WPA 2 to add security on this wireless network The wireless clients which want to associate to this network must have same wireless security settings as the Device...

Page 70: ...t or use WPA or WPA2 if your wireless devices support it and you have a RADIUS server If your wireless devices support nothing stronger than WEP use the highest encryption level available Your Device allows you to configure up to four 64 bit or 128 bit WEP keys but only one key can be enabled at any one time In order to configure and enable WEP encryption click Network Setting Wireless to display ...

Page 71: ...sic 802 1X Password 1 4 The password WEP keys are used to encrypt data Both the Device and the wireless stations must use the same password WEP key for data transmission If you chose 64 bit WEP then enter any 5 ASCII characters or 10 hexadecimal characters 0 9 A F If you chose 128 bit WEP then enter 13 ASCII characters or 26 hexadecimal characters 0 9 A F You must configure at least one password o...

Page 72: ...e 128 bit WEP then enter 13 ASCII characters or 26 hexadecimal characters 0 9 A F You must configure at least one password only one password can be activated at any one time more less Click more to show more fields in this section Click less to hide them WEP Encryption Select 64 bits or 128 bits This dictates the length of the security key that the network is going to use IP Address Enter the IP a...

Page 73: ...n Table 19 Wireless General More Secure WPA 2 PSK LABEL DESCRIPTION Security Level Select More Secure to enable WPA 2 PSK data encryption Security Mode Select WPA PSK or WPA2 PSK from the drop down list box Generate password automatically Select this option to have the Device automatically generate a password The password field will not be configurable when you select this option Password The encr...

Page 74: ... encryption standard is slightly older than WPA2 and therefore is more compatible with older devices Click Network Setting Wireless to display the General screen Select More Secure as the security level Then select WPA or WPA2 from the Security Mode list Figure 33 Wireless General More Secure WPA 2 Encryption Select the encryption type TKIP AES or TKIP AES for data encryption Select TKIP if your w...

Page 75: ...nt over the network more less Click more to show more fields in this section Click less to hide them WPA Compatible This field is only available for WPA2 Select this if you want the Device to support WPA and WPA2 simultaneously Encryption Select the encryption type TKIP AES or TKIP AES for data encryption Select TKIP if your wireless clients can all use TKIP Select AES if your wireless clients can...

Page 76: ...o one of the Device s BSSs The SSID Service Set IDentifier identifies the Service Set with which a wireless device is associated This field displays the name of the wireless profile on the network When a wireless client scans for an AP to associate with this is the name that is broadcast and seen in the wireless client utility Security This field indicates the security mode of the SSID profile Gue...

Page 77: ...e More AP screen The following screen displays Figure 35 More AP Edit The following table describes the fields in this screen Table 22 More AP Edit LABEL DESCRIPTION Wireless Network Setup Wireless You can Enable or Disable the wireless LAN in this field Passphrase Type Passphrase type cannot be changed The default is None Wireless Network Settings ...

Page 78: ... allow the Device to convert wireless multicast traffic into wireless unicast traffic Guest WLAN Select this to create Guest WLANs for home and external clients Select the WLAN type in the Access Scenario field Access Scenario If you select Home Guest clients can connect to each other directly If you select External Guest clients are blocked from connecting to each other directly Maximum Upstream ...

Page 79: ...ngs MAC Restrict Mode Define the filter action for the list of MAC addresses in the MAC Address table Select Disable to turn off MAC filtering Select Deny to block access to the Device MAC addresses not listed will be allowed to access the Device Select Allow to permit access to the Device MAC addresses not listed will be denied access to the Device Add new MAC address Click this if you want to ad...

Page 80: ...Use this section to set up a WPS wireless network using Push Button Configuration PBC Connect Click this button to add another WPS enabled wireless device within wireless range of the Device to your wireless network This button may either be a physical button on the outside of device or a menu button similar to the Connect button on this screen Note You must press the other wireless device s WPS b...

Page 81: ... have the Device create a new PIN Apply Click Apply to save your changes Cancel Click Cancel to restore your previously saved settings Table 24 Network Setting Wireless WPS continued LABEL DESCRIPTION Table 25 Network Setting Wireless WMM LABEL DESCRIPTION WMM Select On to have the Device automatically give a service a priority level according to the ToS value in the IP header of packets it sends ...

Page 82: ...s Note At the time of writing WDS is compatible with other ZyXEL APs only Not all models support WDS links Check your other AP s documentation Click Network Setting Wireless WDS The following screen displays Figure 39 Network Setting Wireless WDS The following table describes the labels in this screen Table 26 Network Setting Wireless WDS LABEL DESCRIPTION Wireless Bridge Setup AP Mode Select the ...

Page 83: ... Click the Edit icon and type the MAC address of the peer device in a valid MAC address format six hexadecimal character pairs for example 12 34 56 78 9a bc Click the Delete icon to remove this entry Scan Click the Scan icon to search and display the available APs within range Apply Click Apply to save your changes Cancel Click Cancel to restore your previously saved settings Table 26 Network Sett...

Page 84: ...fy the interval in minutes for how often the Device scans for the best channel Enter 0 to disable the periodical scan Output Power Set the output power of the Device If there is a high density of APs in an area decrease the output power to reduce interference with other APs Select one of the following 20 40 60 80 or 100 Beacon Interval When a wirelessly networked device sends a beacon it includes ...

Page 85: ... your Device might be reduced 802 11 Protection Enabling this feature can help prevent collisions in mixed mode networks networks with both IEEE 802 11b and IEEE 802 11g traffic Select Auto to have the wireless devices transmit data after a RTS CTS handshake This helps improve IEEE 802 11g performance Select Off to disable 802 11 protection The transmission rate of your Device might be reduced in ...

Page 86: ...igure 42 Network Setting Wireless Channel Status 6 10 Technical Reference This section discusses wireless LANs in depth 6 10 1 Wireless Network Overview Wireless networks consist of wireless clients access points and bridges A wireless client is a radio connected to a user s computer An access point is a radio with a wired connection to a network which can connect with numerous wireless clients an...

Page 87: ...ork devices A and B use the access point AP to interact with the other devices such as the printer or with the Internet Your Device is the AP Every wireless network must follow these basic guidelines Every device in the same wireless network must use the same SSID The SSID is the name of the wireless network It stands for Service Set IDentifier If two wireless networks overlap they should use a di...

Page 88: ... network Second they encrypt This means that the information sent over the air is encoded Only people with the code key can understand the information and only people who have been authenticated are given the code key These security standards vary in effectiveness Some can be broken such as the old Wired Equivalent Protocol WEP Using WEP is better than using no security at all but it will not keep...

Page 89: ...however because there are ways for unauthorized wireless devices to get the SSID In addition unauthorized wireless devices can still see the information that is sent in the wireless network 6 10 3 2 MAC Address Filter Every device that can use a wireless network has a unique identification number called a MAC address 1 A MAC address is usually written using twelve hexadecimal characters2 for examp...

Page 90: ... WPA2 PSK Usually you should set up the strongest encryption that every device in the wireless network supports For example suppose you have a wireless network with the Device and you do not have a RADIUS server Therefore there is no authentication Suppose the wireless network has two devices Device A only supports WEP and device B supports WEP and WPA Therefore you should set up Static WEP in the...

Page 91: ...alls are between the two radios muffling the signal 6 10 5 BSS A Basic Service Set BSS exists when all communications between wireless stations or between a wireless station and a wired network client go through one access point AP Intra BSS traffic is traffic between wireless stations in the BSS When Intra BSS traffic blocking is disabled wireless station A and B can access the wired network and ...

Page 92: ...ort long preamble but not all support short preamble Use long preamble if you are unsure what preamble mode other wireless devices on the network support and to provide more reliable communications in busy wireless networks Use short preamble if you are sure all wireless devices on the network support it and to provide more efficient communications Use the dynamic setting to automatically use shor...

Page 93: ...t and set up a secure network by themselves 6 10 9 1 Push Button Configuration WPS Push Button Configuration PBC is initiated by pressing a button on each WPS enabled device and allowing them to connect automatically You do not need to enter any information Not every WPS enabled device has a physical WPS button Some may have a WPS PBC button in their configuration utilities instead of or in additi...

Page 94: ...g steps to set up a WPS connection between an access point or wireless router referred to here as the AP and a client device using the PIN method 1 Ensure WPS is enabled on both devices 2 Access the WPS section of the AP s configuration interface See the device s User s Guide for how to do this 3 Look for the client s WPS PIN it will be displayed either on the device or in the WPS section of the c...

Page 95: ...ice acts as the enrollee the device that receives network and security settings The registrar creates a secure EAP Extensible Authentication Protocol tunnel and sends the network name SSID and the WPA PSK or WPA2 PSK pre shared key to the enrollee Whether WPA PSK or WPA2 PSK is used depends on the standards supported by the devices If the registrar is already part of a network it sends the existin...

Page 96: ...t it is not part of an existing network and can act as either enrollee or registrar if it supports both functions If the registrar is unconfigured the security settings it transmits to the enrollee are randomly generated Once a WPS enabled device has connected to another device using WPS it becomes configured A configured wireless client can still act as enrollee or registrar in subsequent WPS con...

Page 97: ... You know that Client 1 supports registrar mode but it is better to use AP1 for the WPS handshake with the new client since you must connect to the access point anyway in order to use the network In this case AP1 must be the registrar since it is configured it already has security information for the network AP1 supplies the existing security information to Client 2 Figure 49 WPS Example Network S...

Page 98: ... enrollees and one registrar you must set up the first enrollee by pressing the WPS button on the registrar and the first enrollee for example then check that it successfully enrolled then set up the second device in the same way WPS works only with other WPS enabled devices However you can still add non WPS devices to a network you already set up using WPS WPS works by automatically issuing a ran...

Page 99: ...f this has happened WPS works between only two devices simultaneously so if another device has enrolled your device will be unable to enroll and will not have access to the network If this happens open the access point s configuration interface and look at the list of associated clients usually displayed by MAC address It does not matter if the access point is the WPS registrar the enrollee or was...

Page 100: ...Chapter 6 Wireless VMG1312 B10C User s Guide 100 ...

Page 101: ...7 2 on page 103 Use the Static DHCP screen to assign IP addresses on the LAN to specific individual computers based on their MAC Addresses Section 7 3 on page 107 Use the UPnP screen to enable UPnP and UPnP NAT traversal on the Device Section 7 4 on page 108 Use the Additional Subnet screen to configure IP alias and public static IP Section 7 5 on page 109 Use the STB Vendor ID screen to have the ...

Page 102: ...you can access it RADVD Router Advertisement Daemon When an IPv6 host sends a Router Solicitation RS request to discover the available routers RADVD with Router Advertisement RA messages in response to the request It specifies the minimum and maximum intervals of RA broadcasts RA messages containing the address prefix IPv6 hosts can be generated with the IPv6 prefix an IPv6 address 7 1 2 2 About U...

Page 103: ...achieved UPnP certification from the Universal Plug and Play Forum UPnP Implementers Corp UIC ZyXEL s UPnP implementation supports Internet Gateway Device IGD 1 0 See Section 7 5 on page 109 for examples of installing and using UPnP Finding Out More See Section 7 10 on page 120 for technical background information on LANs 7 1 3 Before You Begin Find out the MAC addresses of your network devices if...

Page 104: ...2 on page 171 for how to create a new interface group LAN IP Setup IP Address Enter the LAN IP address you want to assign to your Device in dotted decimal notation for example 192 168 1 1 factory default Subnet Mask Type the subnet mask of your network in dotted decimal notation for example 255 255 255 0 factory default Your Device automatically computes the subnet mask based on the IP Address you...

Page 105: ... recycled and made available for future reassignment to other systems This field is only available when you select Enable in the DHCP field Days Hours Minutes Enter the lease time of the DHCP server DNS Values This field is only available when you select Enable in the DHCP field DNS Specify which DNS server addresses the Device sends to LAN DHCP clients Select Dynamic to have the DHCP clients use ...

Page 106: ...ix information in router advertisements periodically and in response to router solicitations DHCPv6 server is disabled See page 102 for more information on RADVD stateless DNS send by DHCPv6 The Device uses IPv6 stateless autoconfiguration The DNS is provided by a DHCPv6 server stateful DHCPv6 server The Device uses IPv6 stateful autoconfiguration The DHCPv6 server is enabled to have the Device ac...

Page 107: ...ollowing screen displays Figure 53 Static DHCP Add Edit Table 32 Network Setting Home Networking Static DHCP LABEL DESCRIPTION Add new static lease Click this to add a new static DHCP entry This is the index number of the entry Status This field displays whether the client is connected to the Device MAC Address The MAC Media Access Control or Ethernet address on a LAN Local Area Network is unique ...

Page 108: ...etwork Setting Home Networking UPnP Table 33 Static DHCP Add Edit LABEL DESCRIPTION Active Select this to activate the connection between the client and the Device Group Name Select the interface group name for which you want to configure static DHCP settings See Chapter 12 on page 171 for how to create a new interface group Select Device Info If you select Manual Input you can manually type in th...

Page 109: ...ct Enable to allow UPnP enabled applications to automatically configure the Device so that they can communicate through the Device by using NAT traversal UPnP applications automatically reserve a NAT forwarding port in order to communicate with another UPnP enabled device this eliminates the need to manually configure port forwarding for the UPnP enabled application The table below displays the NA...

Page 110: ...ab and select Communication in the Components selection box Click Details Add Remove Programs Windows Setup Communication 3 In the Communications window select the Universal Plug and Play check box in the Components selection box Add Remove Programs Windows Setup Communication Components ...

Page 111: ...elow to install the UPnP in Windows XP 1 Click Start and Control Panel 2 Double click Network Connections 3 In the Network Connections window click Advanced in the main menu and select Optional Networking Components Network Connections 4 The Windows Optional Networking Components Wizard window displays Select Networking Service in the Components selection box and click Details Windows Optional Net...

Page 112: ...ck Next 7 6 Using UPnP in Windows XP Example This section shows you how to use the UPnP feature in Windows XP You must already have UPnP installed in Windows XP and UPnP activated on the Device Make sure the computer is connected to a LAN port of the Device Turn on your computer and the Device Auto discover Your UPnP enabled Network Device 1 Click Start and Control Panel Double click Network Conne...

Page 113: ...10C User s Guide 113 2 Right click the icon and select Properties Network Connections 3 In the Internet Connection Properties window click Settings to see the port mappings there were automatically created Internet Connection Properties ...

Page 114: ...Internet Connection Properties Advanced Settings Internet Connection Properties Advanced Settings Add 5 When the UPnP enabled device is disconnected from your computer all port mappings will be deleted automatically 6 Select Show icon in notification area when connected option and click OK An icon displays in the system tray System Tray Icon ...

Page 115: ...on Status Web Configurator Easy Access With UPnP you can access the web based configurator on the Device without finding out the IP address of the Device first This comes helpful if you do not know the IP address of the Device Follow the steps below to access the web configurator 1 Click Start and then Control Panel 2 Double click Network Connections ...

Page 116: ... Places under Other Places Network Connections 4 An icon with the description for each UPnP enabled device displays under Local Network 5 Right click on the icon for your Device and select Invoke The web configurator login screen displays Network Connections My Network Places ...

Page 117: ...ing VMG1312 B10C User s Guide 117 6 Right click on the icon for your Device and select Properties A properties window displays with basic information about the Device Network Connections My Network Places Properties Example ...

Page 118: ...re 55 Network Setting Home Networking Additional Subnet The following table describes the labels in this screen Table 35 Network Setting Home Networking Additional Subnet LABEL DESCRIPTION IP Alias Setup Group Name Select the interface group name for which you want to configure the IP alias settings See Chapter 12 on page 171 for how to create a new interface group Active Select the check box to c...

Page 119: ...dor ID to open this screen Figure 56 Network Setting Home Networking STB Vendor ID The following table describes the labels in this screen Offer Public IP by DHCP Select the check box to enable the Device to provide public IP addresses by DHCP server Enable ARP Proxy Select the check box to enable the ARP Address Resolution Protocol proxy Apply Click Apply to save your changes Cancel Click Cancel ...

Page 120: ...gs of downstream traffic before sending it out through this LAN port Unchange Don t do anything to the traffic s VLAN ID and priority tags Add Add VLAN ID and priority tags to untagged traffic Remove Delete one tag from tagged traffic If the frame has double tags this removes the outer tag This does not affect untagged traffic Remark Change the value of the outer VLAN ID and priority tags 802 1P M...

Page 121: ...mputer must be manually configured IP Pool Setup The Device is pre configured with a pool of IP addresses for the DHCP clients DHCP Pool See the product specifications in the appendices Do not assign static IP addresses from the DHCP pool to your LAN computers 7 10 3 DNS Server Addresses DNS Domain Name System maps a domain name to its corresponding IP address and vice versa The DNS server is extr...

Page 122: ...nnection is established If this is the case it is recommended that you select a network number from 192 168 0 0 to 192 168 255 0 and you must enable the Network Address Translation NAT feature of the Device The Internet Assigned Number Authority IANA reserved this block of addresses specifically for private use please do not use any other number unless you are told otherwise Let s say you select 1...

Page 123: ... Internet addresses for your local networks On the other hand if you are part of a much larger organization you should consult your network administrator for the appropriate IP addresses Note Regardless of your particular situation do not create an arbitrary IP address always follow the guidelines above For more information on address assignment please refer to RFC 1597 Address Allocation for Priv...

Page 124: ...Chapter 7 Home Networking VMG1312 B10C User s Guide 124 ...

Page 125: ... use static routes For example the next figure shows a computer A connected to the Device s LAN interface The Device routes most traffic from A to the Internet through the Device s default gateway R1 You create one static route to connect to services offered by your ISP behind router R2 You create another static route to communicate with a separate network behind a router R3 connected to the LAN F...

Page 126: ...ay bulb signifies that this route is not active Name This is the name that describes or identifies this route Destination IP This parameter specifies the IP network address of the final destination Routing is always based on network number Subnet Mask Prefix Length This parameter specifies the IP network subnet mask of the final destination Gateway This is the IP address of the gateway The gateway...

Page 127: ...e deactivate this static route Select this to enable the static route Clear this to disable this static route without having to delete the entry Route Name Enter a descriptive name for the static route IP Type Select whether your IP type is IPv4 or IPv6 Destination IP Address Enter the IPv4 or IPv6 network address of the final destination IP Subnet Mask If you are using IPv4 and need to specify a ...

Page 128: ...in this screen Table 40 Network Setting Routing Policy Forwarding LABEL DESCRIPTION Add new Policy Forward Rule Click this to create a new policy forwarding rule This is the index number of the entry Policy Name This is the name of the rule Source IP This is the source IP address Source Subnet Mask his is the source subnet mask address Protocol This is the transport layer protocol Source Port This...

Page 129: ...nformation with other routers Table 41 Policy Forwarding Add Edit LABEL DESCRIPTION Policy Name Enter a descriptive name of up to 8 printable English keyboard characters not including spaces Source IP Enter the source IP address Source Subnet Mask Enter the source subnet mask address Protocol Select the transport layer protocol TCP or UDP Source Port Enter the source port number Source MAC Enter t...

Page 130: ... the Device sends it recognizes both formats when receiving RIP version 1 is universally supported but RIP version 2 carries more information RIP version 1 is probably adequate for most networks unless you have an unusual network topology Operation Select Passive to have the Device update the routing table based on the RIP packets received from neighbors but not advertise its route information to ...

Page 131: ...ackets assigned a high priority are processed more quickly than those with low priority if there is congestion allowing time sensitive applications to flow more smoothly Time sensitive applications include both those that require a low level of latency delay and a low level of jitter variations in delay such as Voice over IP VoIP or Internet gaming and those for which jitter alone is a problem suc...

Page 132: ... DiffServ is a new protocol and defines a new DS field which replaces the eight bit ToS Type of Service field in the IP header Tagging and Marking In a QoS class you can configure whether to add or change the DSCP DiffServ Code Point value IEEE 802 1p priority level and VLAN ID number in a matched packet When the packet passes through a compatible network the networking device such as a backbone s...

Page 133: ... algorithms Token Bucket Filter TBF Single Rate Two Color Maker srTCM and Two Rate Two Color Marker trTCM You can specify actions which are performed on the colored packets See Section 9 8 on page 144 for more information on each metering algorithm 9 3 The Quality of Service General Screen Click Network Setting QoS General to open the screen as shown next Use this screen to enable or disable QoS a...

Page 134: ...andwidth for the LAN interfaces including WLAN that you want to allocate using QoS The recommendation is to set this speed to match the WAN interfaces actual transmission speed For example set the LAN managed downstream bandwidth to 100000 kbps if you use a 100 Mbps wired Ethernet WAN connection You can also set this number lower than the WAN interfaces actual transmission speed This will cause th...

Page 135: ...ueue is not active Name This shows the descriptive name of this queue Interface This shows the name of the Device s interface through which traffic in this queue passes Priority This shows the priority of this queue Weight This shows the weight of this queue Buffer Management This shows the queue management algorithm used for this queue Queue management algorithms determine how the Device should h...

Page 136: ... 1 to 7 of this queue The smaller the number the higher the priority level Traffic assigned to higher priority queues gets through faster while traffic in lower priority queues is dropped if the network is congested Weight Select the weight from 1 to 8 of this queue If two queues have the same priority level the Device divides the bandwidth across the queues according to their weights Queues with ...

Page 137: ... classifier This is the index number of the entry Status This field displays whether the classifier is active or not A yellow bulb signifies that this classifier is active A gray bulb signifies that this classifier is not active Class Name This is the name of the classifier Classification Criteria This shows criteria specified in this classifier for example the interface from which traffic of this...

Page 138: ... of Service QoS VMG1312 B10C User s Guide 138 9 5 1 Add Edit QoS Class Click Add new Classifier in the Class Setup screen or the Edit icon next to a classifier to open the following screen Figure 69 Class Setup Add Edit ...

Page 139: ... Type the mask for the specified MAC address to determine which bits a packet s MAC address should match Enter f for each bit of the specified source MAC address that the traffic s MAC address should match Enter 0 for the bit s of the matched traffic s MAC address which can be of any hexadecimal character s For example if you set the MAC address to 00 13 49 00 00 00 and the mask to ff ff ff 00 00 ...

Page 140: ...ther Type field Select this option and select a priority level between 0 and 7 from the drop down list box 0 is the lowest priority level and 7 is the highest VLAN ID This field is available only when you select 802 1Q in the Ether Type field Select this option and specify a VLAN ID number TCP ACK This field is available only when you select IP in the Ether Type field If you select this option the...

Page 141: ...ESCRIPTION Add new Policer Click this to create a new entry This is the index number of the entry Status This field displays whether the policer is active or not A yellow bulb signifies that this policer is active A gray bulb signifies that this policer is not active Name This field displays the descriptive name of this policer Regulated Classes This field displays the name of a QoS classifier Met...

Page 142: ...lso the bucket size The Single Rate Three Color Marker srTCM is based on the token bucket filter and identifies packets by comparing them to the Committed Information Rate CIR the Committed Burst Size CBS and the Excess Burst Size EBS The Two Rate Three Color Marker trTCM is based on the token bucket filter and identifies packets by comparing them to the Committed Information Rate CIR and the Peak...

Page 143: ...ackets Drop Discard the packets DSCP Mark Change the DSCP mark value of the packets Enter the DSCP mark value to use The packets may be dropped if there is congestion on the network Available Class Selected Class Select a QoS classifier to apply this QoS policer to traffic that matches the QoS classifier Highlight a QoS classifier in the Available Class box and use the button to move it to the Sel...

Page 144: ...nitor This is the index number of the entry Name This shows the name of the queue Pass Rate This shows how many packets assigned to this queue are transmitted successfully Drop Rate This shows how many packets assigned to this queue are dropped Table 50 Network Setting QoS Monitor continued LABEL DESCRIPTION Table 51 IEEE 802 1p Priority Level and Traffic Type PRIORITY LEVEL TRAFFIC TYPE Level 7 T...

Page 145: ...header The DS field contains a 2 bit unused field and a 6 bit DSCP field which can define up to 64 service levels The following figure illustrates the DS field DSCP is backward compatible with the three precedence bits in the ToS octet so that non DiffServ compliant ToS enabled network device will not conflict with the DSCP mapping The DSCP value determines the forwarding behavior the PHB Per Hop ...

Page 146: ...an hold up to b tokens Tokens are generated and added into the bucket at a constant rate The following shows how tokens work with packets A packet can be transmitted if the number of tokens in the bucket is equal to or greater than the size of the packet in bytes After a packet is transmitted a number of tokens corresponding to the packet size is removed from the bucket Table 52 Internal Layer2 an...

Page 147: ...el is referred to as red medium is referred to as yellow and low is referred to as green The srTCM is based on the token bucket filter and has two token buckets CBS and EBS Tokens are generated and added into the bucket at a constant rate called Committed Information Rate CIR When the first bucket CBS is full new tokens overflow into the second bucket EBS All packets are evaluated against the CBS ...

Page 148: ...IR respectively All packets are evaluated against the PIR If a packet exceeds the PIR it is marked red Otherwise it is evaluated against the CIR If it exceeds the CIR then it is marked yellow Finally if it is below the CIR then it is marked green The following shows how tokens work with incoming packets in trTCM A packet arrives If the number of tokens in the PBS bucket is less than the size of th...

Page 149: ...o configure a default server Section 10 5 on page 158 Use the ALG screen to enable and disable the NAT and SIP VoIP ALG in the Device Section 10 6 on page 158 Use the Address Mapping screen to configure the Device s address mapping settings Section 10 7 on page 159 10 1 2 What You Need To Know Inside Outside Inside outside denotes where a host is located relative to the Device for example the comp...

Page 150: ...and the local IP address of the desired server The port number identifies a service for example web service is on port 80 and FTP on port 21 In some cases such as for unknown services or where one server can support more than one service for example both FTP and web service it might be better to specify a range of port numbers You can allocate a server IP address that corresponds to a port or a ra...

Page 151: ...ber of the entry Status This field displays whether the NAT rule is active or not A yellow bulb signifies that this rule is active A gray bulb signifies that this rule is not active Service Name This shows the service s name WAN Interface This shows the WAN interface through which the service is forwarded WAN IP This field displays the incoming packet s destination IP address Server IP Address Thi...

Page 152: ...the IP protocol supported by this virtual server whether it is TCP UDP or TCP UDP Modify Delete Click the Edit icon to edit this rule Click the Delete icon to delete an existing rule Table 53 Network Setting NAT Port Forwarding continued LABEL DESCRIPTION Table 54 Port Forwarding Add Edit LABEL DESCRIPTION Active Clear the checkbox to disable the rule Select the check box to enable it Service Name...

Page 153: ... port number here and the end port number in the End Port field End Port Enter the last port of the original destination port range To forward only one port enter the port number in the Start Port field above and then enter it again in this field To forward a series of ports enter the last port number in a series that begins with the port number in the Start Port field above Translation Start Port...

Page 154: ...interface through which the service is forwarded Server IP Address This field displays the destination IP address for the service Delete Click the Delete icon to delete the rule Table 56 Applications Add LABEL DESCRIPTION WAN Interface Select the WAN interface that you want to apply this NAT rule to Server IP Address Enter the inside IP address of the application here Application Category Select t...

Page 155: ...ol a trigger port When the Device s WAN port receives a response with a specific port number and protocol open port the Device forwards the traffic to the LAN IP address of the computer that sent the request After that computer s connection for that service closes another computer on the LAN can use the service in the same manner This way you do not need to configure a new IP address each time you...

Page 156: ...e through which the service is forwarded Trigger Start Port The trigger port is a port or a range of ports that causes or triggers the Device to record the IP address of the LAN computer that sent the traffic to a server on the WAN This is the first port number that identifies a service Trigger End Port This is the last port number that identifies a service Trigger Proto This is the trigger transp...

Page 157: ...auses or triggers the Device to record the IP address of the LAN computer that sent the traffic to a server on the WAN Type a port number or the starting port number in a range of port numbers Trigger End Port Type a port number or the ending port number in a range of port numbers Trigger Protocol Select the transport layer protocol from TCP UDP or TCP UDP Open Start Port The open port is a port o...

Page 158: ...ter server the SIP ALG translates the Device s private IP address inside the SIP data stream to a public IP address You do not need to use STUN or an outbound proxy if your Device is behind a SIP ALG Use this screen to enable and disable the NAT and SIP VoIP ALG in the Device To access this screen click Network Setting NAT ALG Figure 82 Network Setting NAT ALG Table 59 Network Setting NAT DMZ LABE...

Page 159: ... make sure SIP VoIP works correctly with port forwarding and address mapping rules Apply Click Apply to save your changes Cancel Click Cancel to restore your previously saved settings Table 61 Network Setting NAT Address Mapping LABEL DESCRIPTION Add new rule Click this to create a new rule Set This is the index number of the address mapping set Local Start IP This is the starting Inside Local IP ...

Page 160: ...l IP addresses to shared global IP addresses Modify Delete Click the Edit icon to go to the screen where you can edit the address mapping rule Click the Delete icon to delete an existing address mapping rule Note that subsequent address mapping rules move up by one when you take this action Table 61 Network Setting NAT Address Mapping continued LABEL DESCRIPTION Table 62 Address Mapping Add Edit L...

Page 161: ...e same packet is traveling in the WAN side Local End IP Enter the ending Inside Local IP Address ILA If the rule is for all local IP addresses then this field displays 0 0 0 0 as the Local Start IP address and 255 255 255 255 as the Local End IP address This field is blank for One to One mapping types Global Start IP Enter the starting Inside Global IP Address IGA Enter 0 0 0 0 here if you have a ...

Page 162: ...e inside local address before forwarding it to the original inside host Note that the IP address either local or global of an outside host is never changed The global IP addresses for the inside hosts can be either static or dynamically assigned by the ISP In addition you can designate servers for example a web server and a telnet server on your local network and make them accessible to the outsid...

Page 163: ...ired for communication with hosts on other networks It replaces the original IP source address and TCP or UDP source port numbers for Many to One and Many to Many Overload NAT mapping in each packet and then forwards it to the Internet The Device keeps track of the original addresses and port numbers so incoming reply packets can have their original values restored The following figure illustrates...

Page 164: ...ers are shown in the following table Please refer to RFC 1700 for further information about port numbers Please also refer to the Supporting CD for more examples and details on port forwarding and NAT Table 64 Services and Port Numbers SERVICES PORT NUMBER ECHO 7 FTP File Transfer Protocol 21 SMTP Simple Mail Transfer Protocol 25 DNS Domain Name System 53 Finger 79 HTTP Hyper Text Transfer protoco...

Page 165: ...port 80 to another B in the example and assign a default server IP address of 192 168 1 35 to a third C in the example You assign the LAN IP addresses and the ISP assigns the WAN IP address The NAT network appears as a single host on the Internet Figure 87 Multiple Servers Behind NAT Example D 192 168 1 36 192 168 1 1 IP address assigned by ISP A 192 168 1 33 B 192 168 1 34 C 192 168 1 35 ...

Page 166: ...Chapter 10 Network Address Translation NAT VMG1312 B10C User s Guide 166 ...

Page 167: ...uting table Dynamic DNS Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you in NetMeeting CU SeeMe etc You can also access your FTP server or Web site on your own computer using a domain name for instance myhost dhs org where myhost is a name of your choice that will never change instead of using an IP address that c...

Page 168: ...mic DNS 11 2 The DNS Entry Screen Use this screen to view and configure DNS routes on the Device Click Network Setting DNS to open the DNS Entry screen Figure 88 Network Setting DNS DNS Entry The following table describes the fields in this screen Table 65 Network Setting DNS DNS Entry LABEL DESCRIPTION Add new DNS entry Click this to create a new DNS entry This is the index number of the entry Ho...

Page 169: ... 89 DNS Entry Add Edit The following table describes the labels in this screen 11 3 The Dynamic DNS Screen Use this screen to change your Device s DDNS Click Network Setting DNS Dynamic DNS The screen appears as shown Figure 90 Network Setting DNS Dynamic DNS Table 66 DNS Entry Add Edit LABEL DESCRIPTION Host Name Enter the host name of the DNS entry IP Address Enter the IP address of the DNS entr...

Page 170: ... domain name assigned to your Device by your Dynamic DNS provider You can specify up to two host names in the field separated by a comma Username Type your user name Password Type the password assigned to you Email If you select TZO in the Service Provider field enter the user name you used to register for this service Key If you select TZO in the Service Provider field enter the password you used...

Page 171: ...reate multiple networks on the Device Section 12 2 on page 171 12 2 The Interface Group Screen You can manually add a LAN interface to a new group Alternatively you can have the Device automatically add the incoming traffic and the LAN interface on which traffic is received to an interface group when its DHCP Vendor ID option information matches one listed for the interface group Use the LAN scree...

Page 172: ...ion Click the Add New Interface Group button in the Interface Group screen to open the following screen Use this screen to create a new interface group Table 68 Network Setting Interface Group LABEL DESCRIPTION Add New Interface Group Click this button to create a new interface group Group Name This shows the descriptive name of the group WAN Interface This shows the WAN interfaces in the group LA...

Page 173: ...ace up to one ATM interface and up to one ETH interface Select None to not add a WAN interface to this group Grouped LAN Interfaces Available LAN Interfaces Select one or more LAN interfaces Ethernet LAN HPNA or wireless LAN in the Available LAN Interfaces list and use the left arrow to move them to the Grouped LAN Interfaces list to add the interfaces to this group To remove a LAN or wireless LAN...

Page 174: ...move icon to delete this rule from the Device Apply Click Apply to save your changes back to the Device Cancel Click Cancel to exit this screen without saving Table 69 Interface Group Configuration continued LABEL DESCRIPTION Table 70 Interface Grouping Criteria LABEL DESCRIPTION Source MAC Address Enter the source MAC address of the packet DHCP Option 60 Select this option and enter the Vendor Cl...

Page 175: ...owing fields Select Other to enter any string that identifies the device in the DUID field DHCP Option 125 Select this and enter vendor specific information of the matched traffic Enterprise Number Enter the vendor s 32 bit enterprise number registered with the IANA Internet Assigned Numbers Authority Manufactur er OUI Specify the vendor s OUI Organization Unique Identifier It is usually the first...

Page 176: ...Chapter 12 Interface Group VMG1312 B10C User s Guide 176 ...

Page 177: ...are connected on a network and share resources such as a printer or files Windows automatically assigns the workgroup name when you set up a network Shares When settings are set to default each USB device connected to the Device is given a folder called a share If a USB hard drive connected to the Device has more than one partition then each partition will be allocated a share You can also configu...

Page 178: ...tocol is a set of communications protocols that most of the Internet runs on Port A port maps a network service such as http to a process running on your computer such as a process run by your web browser When traffic from the Internet is received on your computer the port number is used to identify which process running on your computer it is intended for Supported OSs Your operating system must ...

Page 179: ...e the Device is connected to your network and turned on 1 Connect the USB device to one of the Device s USB port Make sure the Device is connected to your network 2 The Device detects the USB device and makes its contents available for browsing If you are connecting a USB hard drive that comes with an external power supply make sure it is connected to an appropriate power source that is on Note If...

Page 180: ... all shares for everyone to play media files in the USB storage device connected to the Device Use hardware based media clients like the DMA 2500 to play the files Note Anyone on your network can play the media files in the published shares No user name and password or other form of security is used The media server is enabled by default with the video photo and music shares published To change yo...

Page 181: ... can create a TCP IP port for printing via the network Follow your printer manufacturers instructions on how to install the printer software on your computer Note Your printer s installation instructions may ask that you connect the printer to your computer Connect your printer to the Device instead Use this screen to enable or disable sharing of a USB printer via your Device Table 72 Network Sett...

Page 182: ...n this menu Table 73 Network Setting USB Service Print Server LABEL DESCRIPTION Printer Server Select Enable to have the Device share a USB printer Printer Name Enter the name of the printer Make and model Enter the manufacturer and model number of the printer Printer Name This displays the system name for the printer Apply Click Apply to save your changes Cancel Click Cancel to restore your previ...

Page 183: ...tiate an IM Instant Messaging session from the LAN to the WAN 1 Return traffic for this session is also allowed 2 However other traffic initiated from the WAN is blocked 3 and 4 Figure 100 Default Firewall Action 14 1 1 What You Can Do in this Chapter Use the General screen to configure the security level of the firewall on the Device Section 14 2 on page 185 Use the Service screen to add or remov...

Page 184: ...resources The ZyXEL Device is pre configured to automatically detect and thwart all known DoS attacks DDoS A DDoS attack is one in which multiple compromised systems attack a single target thereby causing denial of service for users of the targeted system LAND Attack In a LAND attack hackers flood SYN packets into the network with a spoofed source IP address of the target system This makes it appe...

Page 185: ...nfigure customized services and port numbers in the Service screen For a comprehensive list of port numbers and services visit the IANA Internet Assigned Number Authority website Table 74 Security Firewall General LABEL DESCRIPTION Firewall Select Enable to activate the firewall feature on the Device Easy Select Easy to allow LAN to WAN and WAN to LAN packet directions Medium Select Medium to allo...

Page 186: ...ce entry Click this to add a new service Name This is the name of your customized service Description This is the description of your customized service Ports Protocol Number This shows the IP protocol TCP UDP ICMP or TCP UDP and the port number or range of ports that defines your customized service Other and the protocol number displays if the service uses another IP protocol Modify Delete Click ...

Page 187: ...fields are displayed if you select TCP or UDP as the IP port Select Single to specify one port only or Range to specify a span of ports that define your customized service If you select Any the service is applied to all ports Type a single port number or the range of port numbers that define your customized service Protocol Number This field is displayed if you select Other as the protocol Enter t...

Page 188: ...coming or outgoing IP traffic This is the index number of the entry Name This displays the name of the rule Src IP This displays the source IP addresses to which this rule applies Please note that a blank source address is equivalent to Any Dst IP This displays the destination IP addresses to which this rule applies Please note that a blank destination address is equivalent to Any Service This dis...

Page 189: ... not including spaces underscores and dashes You must enter the filter name to add an ACL rule This field is read only if you are editing the ACL rule Order Select the order of the ACL rule Select Source Device Select the source device to which the ACL rule applies If you select Specific IP Address enter the source IP address in the field below Source IP Address Enter the source IP address Select ...

Page 190: ...s field is displayed only when you select Specific Protocol in Select Protocol Enter a single port number or the range of port numbers of the source Custom Destination Port This field is displayed only when you select Specific Protocol in Select Protocol Enter a single port number or the range of port numbers of the destination Policy Use the drop down list box to select whether to discard DROP de...

Page 191: ...this screen Table 79 Security Firewall DoS LABEL DESCRIPTION DoS Protection Blocking Select Enable to enable protection against DoS attacks Deny Ping Response Select Enable to block ping request packets Apply Click Apply to save your changes Cancel Click Cancel to exit this screen without saving ...

Page 192: ...Chapter 14 Firewall VMG1312 B10C User s Guide 192 ...

Page 193: ...et device has a unique MAC Media Access Control address The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters for example 00 A0 C5 00 00 02 You need to know the MAC addresses of the devices to configure this screen 15 2 The MAC Filter Screen Use this screen to allow wireless and LAN clients access to the Device Click Security MAC Filter The screen appears a...

Page 194: ...will be denied access to the Device If you clear this the MAC Address field for this set clears Host name Enter the host name of the wireless or LAN clients that are allowed access to the Device MAC Address Enter the MAC addresses of the wireless or LAN clients that are allowed access to the Device in these address fields Enter the MAC addresses in a valid MAC address format that is six hexadecima...

Page 195: ...ick Security Parental Control to open the following screen Figure 108 Security Parental Control The following table describes the fields in this screen Table 81 Security Parental Control LABEL DESCRIPTION Parental Control Select Enable to activate parental control Add new PCP Click this if you want to configure a new parental control rule This shows the index number of the rule Status This indicat...

Page 196: ... shows the MAC address of the LAN user s computer to which this rule applies Internet Access Schedule This shows the day s and time on which parental control is enabled Network Service This shows whether the network service is configured If not None will be shown Website Block This shows whether the website block is configured If not None will be shown Modify Delete Click the Edit icon to go to th...

Page 197: ... If you select Block the Device prohibits the users from viewing the Web sites with the URLs listed below If you select Allow the Device blocks access to all URLs except ones listed below Add new service Click this to show a screen in which you can add a new service rule You can configure the Service Name Protocol and Name of the new rule This shows the index number of the rule Select the checkbox...

Page 198: ...Chapter 16 Parental Control VMG1312 B10C User s Guide 198 ...

Page 199: ... Scheduler Rule The following table describes the fields in this screen Table 83 Security Scheduler Rule LABEL DESCRIPTION Add new rule Click this to create a new rule This is the index number of the entry Rule Name This shows the name of the rule Day This shows the day s on which this rule is enabled Time This shows the period of time on which this rule is enabled Description This shows the descr...

Page 200: ...he fields in this screen Table 84 Scheduler Rule Add Edit LABEL DESCRIPTION Rule Name Enter a name up to 31 printable English keyboard characters not including spaces for this schedule Day Select check boxes for the days that you want the Device to perform this scheduler rule Time if Day Range Enter the time period of each day in 24 hour format during which the rule will be enforced Description En...

Page 201: ...save the certificates of trusted CAs to the Device Section 18 4 on page 205 18 2 What You Need to Know The following terms and concepts may help as you read through this chapter Certification Authority A Certification Authority CA issues certificates and guarantees the identity of each certificate owner There are commercial certification authorities like CyberTrust or VeriSign and government certi...

Page 202: ...that you give each certificate a unique name Subject This field displays identifying information about the certificate s owner such as CN Common Name OU Organizational Unit or department O Organization or company and C Country It is recommended that each certificate have unique subject information Issuer This field displays identifying information about the certificate s issuing certification auth...

Page 203: ...dentify this certificate Common Name Select Auto to have the Device configure this field automatically Or select Customize to enter it manually Type the IP address in dotted decimal notation domain name or e mail address in the field provided The domain name or e mail address can be up to 63 ASCII characters The domain name or e mail address is for identification purposes only and can be any strin...

Page 204: ...ificate Request Created 18 3 2 Load Signed Certificate After you create a certificate request and have it signed by a Certificate Authority in the Local Certificates screen click the certificate request s Load Signed icon to import the signed certificate into the Device ...

Page 205: ...n This screen displays a summary list of certificates of the certification authorities that you have set the Device to accept as trusted The Device accepts any valid certificate signed by a certification authority on this list as Table 87 Load Signed Certificate LABEL DESCRIPTION Certificate Name This is the name of the signed certificate Certificate Copy and paste the signed certificate into the ...

Page 206: ...tificate of a certification authority that you trust to the Device This is the index number of the entry Name This field displays the name used to identify this certificate Subject This field displays information that identifies the owner of the certificate such as Common Name CN OU Organizational Unit or department Organization O State ST and Country C It is recommended that each certificate have...

Page 207: ...printable form You can copy and paste the certificate into an e mail to send to friends or colleagues or you can copy and paste the certificate into a text editor and save the file on a management computer for later distribution via floppy disk for example Back Click Back to return to the previous screen Table 90 Trusted CA Import Certificate LABEL DESCRIPTION Certificate File Path Type in the loc...

Page 208: ...Chapter 18 Certificates VMG1312 B10C User s Guide 208 ...

Page 209: ...lity data integrity and authentication This chapter shows you how to configure the Device s VPN settings 19 2 IPSec VPN 19 2 1 The General Screen Use this screen to view and manage your VPN tunnel policies The following figure helps explain the main fields in the web configurator Figure 119 IPSec Fields Summary Click Security VPN to open this screen as shown next Figure 120 IPSec VPN Local Network...

Page 210: ...Add new connection Click this button to add an item to the list Enable This displays if the VPN policy is enabled Connection Name The name of the VPN connection Remote Gateway This is the IP address of the remote IPSec router in the IKE SA Local Addresses This displays the IP address es on the LAN behind your Device Remote Addresses This displays the IP address es on the LAN behind the remote IPSe...

Page 211: ...Chapter 19 VPN VMG1312 B10C User s Guide 211 Figure 121 IPSec VPN Add ...

Page 212: ...the network address IP Subnetmask If Subnet is selected enter the subnet mask to identify the network address Remote Remote Address Type Select Single to have only one remote LAN IP address use the VPN tunnel Select Subnet to specify remote LAN IP addresses by their subnet mask IP Address for VPN If Single is selected enter a static IP address on the LAN behind the remote IPSec s router If Subnet ...

Page 213: ... to establish the IKE SA Aggressive this is faster but does not encrypt the identities The Device and the remote IPSec router must use the same negotiation mode Encryption Algorithm Select which key size and encryption algorithm to use in the IKE SA Choices are DES a 56 bit key with the DES encryption algorithm 3DES a 168 bit key with the DES encryption algorithm AES128 a 128 bit key with the AES ...

Page 214: ...s are temporarily disconnected DPD Active Enable Dead Peer Detection DPD Active check box if you want the Device to make sure the remote IPSec router is there before it transmits data through the IKE SA The remote IPSec router must support DPD If the remote IPSec router does not respond the Device shuts down the IKE SA Security Protocol Manual Key Exchange Method Select the key exchange method Aut...

Page 215: ...rmats and the default standards for packet structure including implementation algorithms Authentication Key Enter the authentication key which depends on the authentication algorithm MD5 type a unique key 32 hexadecimal characters long SHA1 type a unique key 40 hexadecimal characters long SPI Type a unique SPI Security Parameter Index in hexadecimal characters The SPI is used to identify the Devic...

Page 216: ... header and options but before any upper layer protocols contained in the packet such as TCP and UDP With ESP protection is applied only to the upper layer protocols contained in the packet The IP header information and options are not used in the authentication process Therefore the originating IP address cannot be verified for integrity against the data With the use of AH as the security protoco...

Page 217: ...rithm Choose an authentication algorithm Choose a Diffie Hellman public key cryptography key group Set the IKE SA lifetime This field allows you to determine how long an IKE SA should stay up before it times out An IKE SA times out when the IKE SA lifetime period expires If an IKE SA times out when an IPSec SA is already established the IPSec SA stays connected In phase 2 you must Choose an encryp...

Page 218: ... and headers with a hash value appended to the packet When using AH protocol packet contents the data payload are not encrypted A NAT device in between the IPSec endpoints will rewrite either the source or destination address with one of its own choosing The VPN device at the receiving end will verify the integrity of the incoming packet by computing its own hash value and complain that the hash v...

Page 219: ...he IPSec packet The NAT router forwards the IPSec packet with the UDP port 500 header unchanged In the above figure when IPSec router A tries to establish an IKE SA IPSec router B checks the UDP port 500 header and IPSec routers A and B build the IKE SA For NAT traversal to work you must Use ESP security protocol in either transport or tunnel mode Use IKE keying mode Enable NAT traversal on both I...

Page 220: ... protocol that allows two parties to establish a shared secret over an unsecured communications channel Diffie Hellman is used within IKE SA setup to establish session keys Upon completion of the Diffie Hellman exchange the two peers have a shared secret but the IKE SA is not authenticated For authentication use pre shared keys ...

Page 221: ...onsist of both logs and alerts You may differentiate them by their color in the View Log screen Alerts display in red and logs display in black Syslog Overview The syslog protocol allows devices to send event notification messages across an IP network to syslog servers that collect the event messages A syslog enabled device can generate a syslog message and send it to a syslog server Syslog is def...

Page 222: ... level you have selected When you select a severity the Device searches through all logs of that severity or higher Category Select the type of logs to display Clear Log Click this to delete all the logs Refresh Click this to renew the log screen Export Log Click this to export the selected log s Email Log Now Click this to send the log file s to the E mail address you specify in the Maintenance L...

Page 223: ...h all logs of that severity or higher Category Select the type of logs to display Clear Log Click this to delete all the logs Refresh Click this to renew the log screen Export Log Click this to export the selected log s Email Log Now Click this to send the log file s to the E mail address you specify in the Maintenance Logs Setting screen This field is a sequential value and is not associated with...

Page 224: ...Chapter 20 Log VMG1312 B10C User s Guide 224 ...

Page 225: ... Can Do in this Chapter Use the WAN screen to view the WAN traffic statistics Section 21 2 on page 225 Use the LAN screen to view the LAN traffic statistics Section 21 3 on page 227 21 2 The WAN Status Screen Click System Monitor Traffic Status to open the WAN screen The figure in this screen shows the number of bytes received and sent on the Device Figure 128 System Monitor Traffic Status WAN ...

Page 226: ...indicates the number of frames with errors received on this interface Drop This indicates the number of received packets dropped on this interface more hide more Click more to show more information Click hide more to hide them Disabled Interface This shows the name of the WAN interface that is currently disconnected Packets Sent Data This indicates the number of transmitted packets on this interfa...

Page 227: ...ates the number of bytes transmitted on this interface Bytes Received This indicates the number of bytes received on this interface more hide more Click more to show more information Click hide more to hide them Interface This shows the LAN or WLAN interface Sent Packets Data This indicates the number of transmitted packets on this interface Error This indicates the number of frames with errors tr...

Page 228: ...Traffic Status NAT The following table describes the fields in this screen Table 100 System Monitor Traffic Status NAT LABEL DESCRIPTION Refresh Interval Select how often you want the Device to update this screen Device Name This displays the name of the connected host IP Address This displays the IP address of the connected host MAC Address This displays the MAC address of the connected host No o...

Page 229: ... own MAC and IP address in the sender address fields and puts the known IP address of the target in the target IP address field In addition the device puts all ones in the target MAC field FF FF FF FF FF FF is the Ethernet broadcast address The replying device which is either the IP address of the device being sought or the router that knows the way replaces the broadcast address with the target s...

Page 230: ...ddress This is the MAC address of the device with the listed IP address Device This is the type of interface used by the device You can click on the device type to go to its configuration screen Table 101 System Monitor ARP Table continued LABEL DESCRIPTION ...

Page 231: ...ateway that helps forward this route s traffic Subnet Mask This indicates the destination subnet mask of this route Flag This indicates the route status U Up The route is up Reject The route is blocked and will force a route lookup to fail G Gateway The route uses a gateway to forward traffic H Host The target of the route is a host R Reinstate The route is reinstated for dynamic routing D Dynamic...

Page 232: ...forward the route Interface This indicates the name of the interface through which the route is forwarded br0 indicates the LAN interface ptm0 indicates the WAN interface using IPoE or in bridge mode ppp0 indicates the WAN interface using PPPoE Table 102 System Monitor Routing Table continued LABEL DESCRIPTION ...

Page 233: ... System Monitor IGMP Group Status LABEL DESCRIPTION Interface This field displays the name of an interface on the Device that belongs to an IGMP multicast group Multicast Group This field displays the name of the IGMP multicast group to which the interface belongs Filter Mode INCLUDE means that only the IP addresses in the Source List get to receive the multicast group s traffic EXCLUDE means that...

Page 234: ...Chapter 24 IGMP Status VMG1312 B10C User s Guide 234 ...

Page 235: ...uide 235 CHAPTER 25 xDSL Statistics 25 1 The xDSL Statistics Screen Use this screen to view detailed DSL statistics Click System Monitor xDSL Statistics to open the following screen Figure 134 System Monitor xDSL Statistics ...

Page 236: ...his is the upstream and downstream interleave delay It is the wait in milliseconds that determines the size of a single block of data to be interleaved assembled and then transmitted Interleave delay is used when transmission error correction Reed Solomon is necessary due to a less than ideal telephone line The bigger the delay the bigger the data block size allowing better error correction to be ...

Page 237: ...undancy Checks ES This is the number of Errored Seconds meaning the number of seconds containing at least one errored block or at least one defect SES This is the number of Severely Errored Seconds meaning the number of seconds containing 30 or more errored blocks or at least one defect This is a subset of ES UAS This is the number of UnAvailable Seconds LOS This is the number of Loss Of Signal se...

Page 238: ...Chapter 25 xDSL Statistics VMG1312 B10C User s Guide 238 ...

Page 239: ...en you want the Device to update this screen Select No Refresh to stop refreshing 3G Status This field displays the status of the 3G Internet connection This field can display GSM Global System for Mobile Communications 2G GPRS General Packet Radio Service 2 5G EDGE Enhanced Data rates for GSM Evolution 2 75G WCDMA Wideband Code Division Multiple Access 3G HSDPA High Speed Downlink Packet Access 3...

Page 240: ...3G card 3G Card Model This field displays the model name of the 3G card 3G Card F W Version This field displays the firmware version of the 3G card SIM Card IMSI The International Mobile Subscriber Identity or IMSI is a unique identification number associated with all cellular networks This number is provisioned in the SIM card Table 105 System Monitor 3G Statistics continued LABEL DESCRIPTION ...

Page 241: ...LABEL DESCRIPTION User Name This field displays the name of the account that you used to log in the system Old Password Type the default password or the existing password you use to access the system in this field New Password Type your new system password up to 256 characters Note that as you type a password the screen displays a for each character you type After you change the password use the n...

Page 242: ...Chapter 27 User Account VMG1312 B10C User s Guide 242 ...

Page 243: ...cation through the following interfaces LAN WAN Trust Domain Note The Device is managed using the Web Configurator 28 2 The Remote MGMT Screen Use this screen to configure through which interface s users can use which service s to manage the Device Click Maintenance Remote MGMT to open the following screen Figure 137 Maintenance Remote MGMT ...

Page 244: ...ck box for the corresponding services that you want to allow access to the Device from the WAN Trust Domain Select the Enable check box for the corresponding services that you want to allow access to the Device from the Trust Domain Port You may change the server port number for a service if needed however you must use the same port number in order to use that service for remote management Certifi...

Page 245: ...cedure Calls RPCs between an ACS and a client device RPCs are sent in Extensible Markup Language XML format over HTTP or HTTPS An administrator can use an ACS to remotely set up the Device modify settings perform firmware upgrades as well as monitor and diagnose the Device You have to enable the device to be managed by the ACS and specify the ACS IP address or domain name and username and password...

Page 246: ...re configured WAN connection s Display SOAP messages on serial console Select Enable to show the SOAP messages on the console Connection Request Authentication Select this option to enable authentication when there is a connection request from the ACS Connection Request User Name Enter the connection request user name When the ACS makes a connection request to the Device this user name is used to ...

Page 247: ... 064 compliant CPE management application on their computers from the LAN to discover the CPE and configure user specific parameters such as the username and password Click Maintenance TR 064 to open the following screen Figure 139 Maintenance TR 064 The following table describes the fields in this screen Table 109 Maintenance TR 064 LABEL DESCRIPTION State Select Enable to activate management via...

Page 248: ...Chapter 30 TR 064 VMG1312 B10C User s Guide 248 ...

Page 249: ...ted settings such as system time password name the domain name and the inactivity timeout interval 31 2 The Time Screen To change your Device s time and date click Maintenance Time The screen appears as shown Use this screen to configure the Device s time based on your local time zone Figure 140 Maintenance Time Setting ...

Page 250: ...the United States on the second Sunday of March Each time zone in the United States starts using Daylight Saving Time at 2 A M local time So in the United States set the day to Second Sunday the month to March and the time to 2 in the Hour field Daylight Saving Time starts in the European Union on the last Sunday of March All of the time zones in the European Union start using Daylight Saving Time...

Page 251: ...er 31 Time Settings VMG1312 B10C User s Guide 251 Apply Click Apply to save your changes Cancel Click Cancel to exit this screen without saving Table 110 Maintenance Time Setting continued LABEL DESCRIPTION ...

Page 252: ...Chapter 31 Time Settings VMG1312 B10C User s Guide 252 ...

Page 253: ...move and add mail server information on the Device Figure 141 Maintenance Email Notification The following table describes the labels in this screen Table 111 Maintenance Email Notification LABEL DESCRIPTION Add New Email Click this button to create a new entry Mail Server Address This field displays the server name or the IP address of the mail server Username This field displays the user name of...

Page 254: ...If this field is left blank reports logs or notifications will not be sent via e mail Authentication Username Enter the user name up to 32 characters This is usually the user name of a mail account you specified in the Account Email Address field Authentication Password Enter the password associated with the user name above Account Email Address Enter the e mail address that you want to be in the ...

Page 255: ...VMG1312 B10C User s Guide 255 CHAPTER 33 Logs Setting 33 1 Overview You can configure where the Device sends logs and which logs and or immediate alerts the Device records in the Logs Setting screen ...

Page 256: ...113 Maintenance Logs Setting LABEL DESCRIPTION Syslog Setting Syslog Logging The Device sends a log to an external syslog server Select Enable to enable syslog logging Mode Select the syslog destination from the drop down list box If you select Remote the log s will be sent to a remote syslog server If you select Local File the log s will be saved in a local file If you want to send the log s to a...

Page 257: ...e sends logs to the e mail address specified in this field If this field is left blank the Device does not send logs via E mail Send Alarm to Alerts are real time notifications that are sent as soon as an event such as a DoS attack system error or forbidden web access attempt occurs Enter the E mail address where the alert messages will be sent Alerts include system errors attacks and attempted ac...

Page 258: ...m 192 168 1 131 To 192 168 1 255 default policy forward 09 54 17 UDP src port 00520 dest port 00520 1 00 3 Apr 7 00 From 192 168 1 6 To 10 10 10 10 match forward 09 54 19 UDP src port 03516 dest port 00053 1 01 snip snip 126 Apr 7 00 From 192 168 1 1 To 192 168 1 255 match forward 10 05 00 UDP src port 00520 dest port 00520 1 02 127 Apr 7 00 From 192 168 1 131 To 192 168 1 255 match forward 10 05 ...

Page 259: ...col and may take up to two minutes After a successful upload the system will reboot Do NOT turn off the Device while firmware upload is in progress Figure 145 Maintenance Firmware Upgrade The following table describes the labels in this screen Table 114 Maintenance Firmware Upgrade LABEL DESCRIPTION Current Firmware Version This is the present Firmware version and the date created File Path Type i...

Page 260: ...y restarts in this time causing a temporary network disconnect In some operating systems you may see the following icon on your desktop Figure 147 Network Temporarily Disconnected After two minutes log in again and check your new firmware version in the Status screen If the upload was not successful the following screen will appear Click OK to go back to the Firmware Upgrade screen Figure 148 Erro...

Page 261: ...ing configuration appears in this screen as shown next Figure 149 Maintenance Configuration Backup Configuration Backup Configuration allows you to back up save the Device s current configuration to a file on your computer Once your Device is configured and functioning properly it is highly recommended that you back up your configuration file before making configuration changes The backup configur...

Page 262: ... icon on your desktop Figure 150 Network Temporarily Disconnected If you uploaded the default configuration file you may need to change the IP address of your computer to be in the same subnet as that of the default device IP address 192 168 1 1 If the upload was not successful the following screen will appear Click OK to go back to the Configuration screen Figure 151 Configuration Upload Error Ta...

Page 263: ...Process Message You can also press the RESET button on the rear panel to reset the factory defaults of your Device Refer to Section 1 6 on page 20 for more information on the RESET button 35 3 The Reboot Screen System restart allows you to reboot the Device remotely without turning the power off You may need to do this if the Device hangs for example Click Maintenance Reboot Click Reboot to have t...

Page 264: ...Chapter 35 Configuration VMG1312 B10C User s Guide 264 ...

Page 265: ...OAM Ping screen lets you send an ATM OAM Operation Administration and Maintenance packet to verify the connectivity of a specific PVC Section 36 5 on page 268 36 2 What You Need to Know The following terms and concepts may help as you read through this chapter How CFM Works A Maintenance Association MA defines a VLAN and associated Maintenance End Point MEP ports on the device under a Maintenance ...

Page 266: ... the fields in this screen Table 116 Maintenance Diagnostic Ping TraceRoute NsLookup LABEL DESCRIPTION URL or IP Address Type the IP address of a computer that you want to perform ping traceroute or nslookup in order to test a connection Ping Click this to ping the IP address that you entered TraceRoute Click this button to perform the traceroute function This determines the path a packet takes to...

Page 267: ...evice performs a CFM loopback test 802 1Q VLAN ID Type a VLAN ID 0 4095 for this MA VDSL Traffic Type This shows whether the VDSL traffic is activated Loopback Message LBM This shows how many Loop Back Messages LBMs are sent and if there is any inorder or outorder Loop Back Response LBR received from a remote MEP Linktrace Message LTM This shows the destination MAC address in the Link Trace Respon...

Page 268: ... channel VC level F4 cells use the same VPI as the user data cells on VP connections but use different predefined VCI values F5 cells use the same VPI and VCI as the user data cells on the VC connections and are distinguished from data cells by a predefined Payload Type Identifier PTI in the cell header Both F4 flows and F5 flows are bidirectional and have two types segment F4 flows VCI 3 end to e...

Page 269: ... fields in this screen Table 118 Maintenance Diagnostic OAM Ping LABEL DESCRIPTION Select a PVC on which you want to perform the loopback test F4 segment Press this to perform an OAM F4 segment loopback test F4 end end Press this to perform an OAM F4 end to end loopback test F5 segment Press this to perform an OAM F5 segment loopback test F5 end end Press this to perform an OAM F5 end to end loopb...

Page 270: ...Chapter 36 Diagnostic VMG1312 B10C User s Guide 270 ...

Page 271: ...n on 1 Make sure the Device is turned on 2 Make sure you are using the power adaptor or cord included with the Device 3 Make sure the power adaptor or cord is connected to the Device and plugged in to an appropriate power source Make sure the power source is turned on 4 Turn the Device off and on 5 If the problem continues contact the vendor One of the LEDs does not behave as expected 1 Make sure ...

Page 272: ...aults See Section 1 6 on page 20 I forgot the password 1 The default admin password is 1234 2 If this does not work you have to reset the device to its factory defaults See Section 1 6 on page 20 I cannot see or access the Login screen in the web configurator 1 Make sure you are using the correct IP address The default IP address is 192 168 1 1 If you changed the IP address Section 7 2 on page 103...

Page 273: ...I cannot log in to the Device 1 Make sure you have entered the password correctly The default admin password is 1234 The field is case sensitive so make sure Caps Lock is not on 2 You cannot log in to the web configurator while someone is using Telnet to access the Device Log out of the Device in the other session or ask the person who is logged in to log out 3 Turn the Device off and on 4 If this...

Page 274: ...ave the DSL WAN port connected to a telephone jack or the DSL or modem jack on a splitter if you have one 2 Make sure you configured a proper DSL WAN interface Network Setting Broadband screen with the Internet account information provided by your ISP and that it is enabled 3 Check that the LAN interface you are connected to is in the same interface group as the DSL connection Network Setting Inte...

Page 275: ...uality of your wireless connection you can Move your wireless device closer to the AP if the signal strength is low Reduce wireless interference that may be caused by other wireless networks or surrounding wireless electronics such as cordless phones Place the AP where there are minimum obstacles such as walls and ceilings between the AP and the wireless client Reduce the number of wireless client...

Page 276: ... connect your USB device to the Device 37 6 UPnP When using UPnP and the Device reboots my computer cannot detect UPnP and refresh My Network Places Local Network 1 Disconnect the Ethernet cable from the Device s LAN port or from your computer 2 Re connect the Ethernet cable The Local Area Connection icon for UPnP disappears in the screen Restart your computer I cannot open special applications su...

Page 277: ...se have the following information ready when you contact an office Required Information Product model and serial number Warranty Information Date that you received your device Brief description of the problem and the steps you took to solve it Corporate Headquarters Worldwide Taiwan ZyXEL Communications Corporation http www zyxel com Asia China ZyXEL Communications Shanghai Corp ZyXEL Communicatio...

Page 278: ...l com pk Philippines ZyXEL Philippines http www zyxel com ph Singapore ZyXEL Singapore Pte Ltd http www zyxel com sg Taiwan ZyXEL Communications Corporation http www zyxel com Thailand ZyXEL Thailand Co Ltd http www zyxel co th Vietnam ZyXEL Communications Corporation Vietnam Office http www zyxel com vn vi Europe Austria ZyXEL Deutschland GmbH http www zyxel de Belarus ZyXEL BY http www zyxel by ...

Page 279: ...ommunications Czech s r o http www zyxel cz Denmark ZyXEL Communications A S http www zyxel dk Estonia ZyXEL Estonia http www zyxel com ee et Finland ZyXEL Communications http www zyxel fi France ZyXEL France http www zyxel fr Germany ZyXEL Deutschland GmbH http www zyxel de Hungary ZyXEL Hungary SEE http www zyxel hu Latvia ZyXEL Latvia http www zyxel com lv lv homepage shtml ...

Page 280: ...yXEL Communications http www zyxel no Poland ZyXEL Communications Poland http www zyxel pl Romania ZyXEL Romania http www zyxel com ro ro Russia ZyXEL Russia http www zyxel ru Slovakia ZyXEL Communications Czech s r o organizacna zlozka http www zyxel sk Spain ZyXEL Spain http www zyxel es Sweden ZyXEL Communications http www zyxel se Switzerland Studerus AG http www zyxel ch ...

Page 281: ... Latin America Argentina ZyXEL Communication Corporation http www zyxel com ec es Ecuador ZyXEL Communication Corporation http www zyxel com ec es Middle East Egypt ZyXEL Communication Corporation http www zyxel com homepage shtml Middle East ZyXEL Communication Corporation http www zyxel com homepage shtml North America USA ZyXEL Communications Inc North America Headquarters http www us zyxel com...

Page 282: ...Appendix A Customer Support VMG1312 B10C User s Guide 282 Oceania Australia ZyXEL Communications Corporation http www zyxel com au en Africa South Africa Nology Pty Ltd http www zyxel co za ...

Page 283: ...mful interference to radio communications However there is no guarantee that interference will not occur in a particular installation If this device does cause harmful interference to radio television reception which can be determined by turning the device off and on the user is encouraged to try to correct the interference by one or more of the following measures 1 Reorient or relocate the receiv...

Page 284: ... please contact your vendor or ZyXEL Technical Support at support zyxel com tw Regulatory Information European Union The following information applies if you use the product within the European Union Declaration of Conformity with Regard to EU Directive 1999 5 EC R TTE Directive Compliance Information for Wireless Products Relevant to the EU and Other Countries Following the EU Directive 1999 5 EC...

Page 285: ...doors in the band 2454 2483 5 MHz There are no restrictions when used indoors or in other parts of the 2 4 GHz band Check http www arcep fr for more details Pour la bande 2 4 GHz la puissance est limitée à 10 mW en p i r e pour les équipements utilisés en extérieur dans la bande 2454 2483 5 MHz Il n y a pas de restrictions pour des utilisations en intérieur ou dans d autres parties de la bande 2 4...

Page 286: ... over them Always disconnect all cables from this device before servicing or disassembling Use ONLY an appropriate power adaptor or cord for your device Connect it to the right supply voltage for example 110V AC in North America or 230V AC in Europe Do NOT allow anything to rest on the power adaptor or cord and do NOT place the product where anyone can walk on the power adaptor or cord Do NOT use ...

Page 287: ...marked with this symbol which is known as the WEEE mark WEEE stands for Waste Electronics and Electrical Equipment It means that used electrical and electronic products should not be mixed with general waste Used electrical and electronic equipment should be treated separately ...

Page 288: ...Appendix B Legal Information VMG1312 B10C User s Guide 288 ...

Page 289: ... 62 BSS 91 example 91 C CA 201 Canonical Format Indicator See CFI CCMs 265 certificate factory default 202 certificates 201 authentication 201 CA creating 203 public key 201 replacing 202 storage space 202 Certification Authority 201 Certification Authority see CA certifications 283 notices 283 viewing 284 CFI 61 CFM 265 CCMs 265 link trace test 265 loopback test 265 MA 265 MD 265 MEP 265 MIP 265 ...

Page 290: ...5 DS dee differentiated services DSCP 145 dynamic DNS 167 wildcard 168 Dynamic Host Configuration Protocol see DHCP DYNDNS wildcard 168 E ECHO 164 e mail log example 257 Encapsulation 58 MER 58 PPP over Ethernet 59 encapsulation 40 216 RFC 1483 59 encryption 90 ESP 215 Extended Service Set IDentification 68 78 F FCC interference statement 283 File Sharing 178 file sharing 19 filters MAC address 78...

Page 291: ...ion 42 prefix length 41 63 ISP 40 iTunes server 180 L LAN 101 and USB printer 181 client list 107 DHCP 102 121 DNS 102 121 IP address 102 103 122 MAC address 107 status 37 subnet mask 102 103 122 LAND attack 184 LAN Side DSL CPE Configuration 247 LBR 265 limitations wireless LAN 91 WPS 98 link trace 265 Link Trace Message see LTM Link Trace Response see LTR login 23 passwords 23 24 logs 221 225 23...

Page 292: ... documentation 2 outside header 216 P passwords 23 24 PBC 93 Peak Cell Rate PCR 60 Per Hop Behavior see PHB 145 PHB 145 PIN WPS 94 example 95 Ping of Death 184 Point to Point Tunneling Protocol 164 POP3 164 port forwarding 150 ports 20 PPP over Ethernet see PPPoE PPPoE 40 59 Benefits 59 PPTP 164 preamble 85 88 preamble mode 92 prefix delegation 42 pre shared key 219 Printer Server 181 printer shar...

Page 293: ...e Color Marker see srTCM SIP ALG 158 activation 159 SMTP 164 SNMP 164 SNMP trap 164 SPI 184 srTCM 147 SSID 89 activation 76 MBSSID 91 static route 125 129 253 configuration 57 127 169 example 125 static VLAN status 35 firmware version 37 LAN 37 WAN 37 wireless LAN 37 status indicators 20 subnet mask 102 122 Sustained Cell Rate SCR 60 SYN attack 184 syslog protocol 221 severity levels 221 system fi...

Page 294: ... WDS 82 92 compatibility 82 example 92 web configurator 23 login 23 passwords 23 24 WEP 90 WEP Encryption 70 72 73 WEP encryption 70 WEP key 70 Wireless Distribution System see WDS wireless LAN 65 86 authentication 88 89 BSS 91 example 91 channel 88 encryption 90 example 87 fragmentation threshold 84 88 limitations 91 MAC address filter 78 89 MBSSID 91 preamble 85 88 RADIUS server 90 RTS CTS thres...

Reviews:

No comments

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands