ZyXEL Communications 650 Series User Manual

Zyxel communications network device user's guide prestige 650 series

Prestige 650 Series
ADSL Router
User's Guide
Version 3.40
February 2004


Summary of Contents for ZyXEL Communications 650 Series

  • Page 1 Prestige 650 Series ADSL Router User's Guide Version 3.40 February 2004...
  • Page 2 Trademarks ZyNOS (ZyXEL Network Operating System) is a registered trademark of ZyXEL Communications, Inc. Other trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners.
  • Page 3: Federal Communications Commission

    2. Select your product from the drop-down list box on the ZyXEL home page to go to that product's page. 3. Select the certification you wish to view from this page. Federal Communications Commission (FCC) Interference Statement...
  • Page 4: Zyxel Limited Warranty

    Prestige 650 Series User’s Guide ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and...
  • Page 5: Customer Support

    +45-3955-0700 www.zyxel.dk +45-3955-0707 ftp.zyxel.dk +49-2405-6909-0 www.zyxel.de +49-2405-6909-99 REGULAR MAIL: ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu 300, Taiwan. ZyXEL Communications Inc., 1130 N. Miller St. Anaheim, CA 92806, U.S.A.
  • Page 6: Table Of Contents

    Preface ... xxvi Introduction to DSL...xxviii Getting Started ...I Chapter 1 Getting To Know Your Prestige ...1-1 Introducing the Prestige 650 Series ...1-1 Features of the Prestige...1-2 Applications for the Prestige...1-7 Chapter 2 Introducing the Web Configurator ...2-1 Web Configurator Overview...2-1 Accessing the Prestige Web Configurator ...2-1...
  • Page 7 Chapter 9 Time and Date Setup...9-1 Configuring Time Zone...9-1 Firewall and Content Filter... IV Chapter 10 Firewalls...10-1 10.1 Firewall Overview...10-1 10.2 Types of Firewalls...10-1 10.3 Introduction to ZyXEL’s Firewall...10-2 10.4 Denial of Service...10-3 Table of Contents Prestige 650 Series User’s Guide...
  • Page 8 10.5 Stateful Inspection ...10-7 10.6 Guidelines for Enhancing Security with Your Firewall...10-11 10.7 Packet Filtering Vs Firewall ...10-12 Chapter 11 Firewall Configuration ... 11-1 11.1 Remote Management and the Firewall ...11-1 11.2 Enabling the Firewall...11-1 11.3 Configuring E-mail Alerts ...11-2 11.4 Attack Alert...11-3 Chapter 12 Creating Custom Rules ...12-1 12.1 Rules Overview...12-1...
  • Page 9 20.3 Proportional Bandwidth Allocation...20-2 20.4 Bandwidth Management Usage Examples...20-2 20.5 Scheduler...20-4 20.6 Maximize Bandwidth Usage ...20-4 20.7 Bandwidth Borrowing ...20-7 20.8 Configuring Summary...20-9 20.9 Configuring Class Setup...20-11 20.10 Configuring Monitor ...20-17 Maintenance ... VIII Table of Contents Prestige 650 Series User’s Guide...
  • Page 10 Chapter 21 Maintenance ...21-1 21.1 Maintenance Overview ...21-1 21.2 System Status Screen ...21-1 21.3 DHCP Table Screen...21-6 21.4 Wireless Screens ...21-7 21.5 Diagnostic Screens...21-9 21.6 Firmware Screen ...21-12 21.7 Configuration Screen ...21-14 SMT General Configuration...IX Chapter 22 Introducing the SMT ...22-1 22.1 SMT Introduction ...22-1 22.2 Navigating the SMT Interface...22-4 22.3 Changing the System Password ...22-6...
  • Page 11 35.1 System Maintenance Overview...35-1 35.2 System Status ...35-1 35.3 System Information...35-3 35.4 Log and Trace ...35-5 35.5 Diagnostic ...35-8 Chapter 36 Firmware and Configuration File Maintenance...36-1 36.1 Filename Conventions...36-1 36.2 Backup Configuration ...36-2 Table of Contents Prestige 650 Series User’s Guide...
  • Page 12 36.3 Restore Configuration...36-7 36.4 Uploading Firmware and Configuration Files ...36-10 Chapter 37 System Maintenance ...37-1 37.1 Command Interpreter Mode Overview ...37-1 37.2 Call Control Support ...37-2 37.3 Time and Date Setting ...37-4 Chapter 38 Remote Management...38-1 38.1 Remote Management Overview...38-1 38.2 Configuring Remote Management...38-1 38.3 Remote Management and NAT ...38-3 38.4 System Timeout ...38-3...
  • Page 13 Prestige 650HW-11/-13 ADSL Router with 4-Port Ethernet Switch/Wireless LAN... I-6 Prestige 650HW-31/-33/-37; Prestige 650H-31/-33/-37 ADSL Router with 4-port Switch/Wireless... I-7 Prestige 650H-E1/3/7 ADSL Router with 4-port Switch ... I-8 Appendix J Index ...J-1 Table of Contents Prestige 650 Series User’s Guide xiii...
  • Page 14: List Of Figures

    Prestige 650 Series User’s Guide List of Figures Figure 1-1 Prestige Internet Access Application...1-8 Figure 1-2 Prestige LAN-to-LAN Application ...1-8 Figure 2-1 Password Screen ...2-1 Figure 2-2 Web Configurator SITE MAP Screen ...2-2 Figure 2-3 Password ...2-3 Figure 2-4 Example Xmodem Upload...2-5 Figure 3-1 Wizard Screen 1 ...3-3...
  • Page 15 Prestige 650 Series User’s Guide Figure 10-5 Stateful Inspection ... 10-8 Figure 11-1 Enabling the Firewall...11-1 Figure 11-2 E-mail ...11-2 Figure 11-3 Alert ...11-6 Figure 12-1 LAN to WAN Traffic... 12-3 Figure 12-2 WAN to LAN Traffic... 12-4 Figure 12-3 Firewall Logs... 12-5 Figure 12-4 Firewall Rules Summary: First Screen...
  • Page 16 Prestige 650 Series User’s Guide Figure 19-2 View Logs ...19-4 Figure 19-3 E-mail Log Example ...19-6 Figure 20-1 Application-based Bandwidth Management Example ...20-2 Figure 20-2 Subnet-based Bandwidth Management Example...20-3 Figure 20-3 Application and Subnet-based Bandwidth Management Example...20-4 Figure 20-4 Bandwidth Allotment Example ...20-5 Figure 20-5 Maximize Bandwidth Usage Example ...20-6...
  • Page 17 Prestige 650 Series User’s Guide Figure 25-2 Menu 3.5.1 WLAN MAC Address Filtering ... 25-4 Figure 26-1 Physical Network ... 26-2 Figure 26-2 Partitioned Logical Networks... 26-2 Figure 26-3 Menu 3.2 TCP/IP and DHCP Setup... 26-3 Figure 26-4 Menu 3.2.1 IP Alias Setup ... 26-3 Figure 26-5 Menu 1 General Setup ...
  • Page 18 Prestige 650 Series User’s Guide Figure 30-11 NAT Example 1 ...30-12 Figure 30-12 Menu 4 Internet Access & NAT Example ...30-12 Figure 30-13 NAT Example 2...30-13 Figure 30-14 Menu 15.2.1 Specifying an Inside Server ...30-13 Figure 30-15 NAT Example 3...30-14 Figure 30-16 Example 3: Menu 11.3 ...30-15...
  • Page 19 Prestige 650 Series User’s Guide Figure 35-1 Menu 24 System Maintenance ... 35-1 Figure 35-2 Menu 24.1 System Maintenance : Status... 35-2 Figure 35-3 Menu 24.2 System Information and Console Port Speed... 35-3 Figure 35-4 Menu 24.2.1 System Maintenance : Information ... 35-4 Figure 35-5 Menu 24.2.2 System Maintenance : Change Console Port Speed ...
  • Page 20 Prestige 650 Series User’s Guide Figure 39-7 IP Routing Policy Example ...39-8 Figure 39-8 IP Routing Policy Example ...39-9 Figure 39-9 Applying IP Policies Example...39-9 Figure 40-1 Menu 26 Schedule Setup...40-1 Figure 40-2 Menu 26.1 Schedule Set Setup...40-2 Figure 40-3 Applying Schedule Set(s) to a Remote Node (PPPoE)...40-4 Figure 41-1 VPN SMT Menu Tree ...41-1...
  • Page 21 Prestige 650 Series User’s Guide List of Tables Table 1-1 Model Specific Features... 1-2 Table 2-1 Password ... 2-3 Table 3-1 Wizard Screen 1 ... 3-3 Table 3-2 Internet Connection with PPPoA ... 3-7 Table 3-3 Internet Connection with RFC 1483 ... 3-9 Table 3-4 Internet Connection with ENET ENCAP...
  • Page 22 Prestige 650 Series User’s Guide Table 14-2 Content Filter: Schedule ...14-4 Table 14-3 Content Filter: Trusted...14-4 Table 14-4 Content Filter Logs ...14-6 Table 15-1 VPN and NAT...15-6 Table 16-1 AH and ESP ...16-2 Table 16-2 VPN Summary...16-4 Table 16-3 Local ID Type and Content Fields ...16-6 Table 16-4 Peer ID Type and Content Fields ...16-6...
  • Page 23 Prestige 650 Series User’s Guide Table 21-9 Restore Configuration ... 21-16 Table 22-1 Main Menu Commands... 22-4 Table 22-2 Main Menu Summary for P650H/HW-31... 22-5 Table 23-1 Menu 1 General Setup... 23-2 Table 23-2 Menu 1.1 Configure Dynamic DNS... 23-3 Table 24-1 DHCP Ethernet Setup Menu Fields...
  • Page 24 Prestige 650 Series User’s Guide Table 37-1 Menu 24.9.1 Budget Management...37-3 Table 37-2 Menu 24.10 System Maintenance: Time and Date Setting ...37-5 Table 38-1 Menu 24.11 Remote Management Control...38-2 Table 39-1 Menu 25.1 IP Routing Policy Setup...39-3 Table 39-2 Menu 25.1.1 IP Routing Policy...39-4 Table 40-1 Menu 26.1 Schedule Set Setup ...40-2...
  • Page 25 Prestige 650 Series User’s Guide List of Charts Chart A-1 Troubleshooting Power LED...A-1 Chart A-2 Troubleshooting LAN LED...A-1 Chart A-3 Troubleshooting DSL LED...A-2 Chart A-4 Troubleshooting Console Port ...A-2 Chart A-5 Troubleshooting Telnet...A-2 Chart A-6 Troubleshooting Web Configurator ...A-3 Chart A-7 Troubleshooting Internet Browser Display ...A-4 Chart A-8 Troubleshooting Login Username and Password ...A-4...
  • Page 26: Preface

    Congratulations on your purchase from the Prestige 650 ADSL Router series. Your Prestige is easy to install and configure. Use the web configurator, System Management Terminal (SMT) or command interpreter interface to configure your Prestige. Not all features can be configured through all interfaces.
  • Page 27 For brevity’s sake, we will use “e.g.,” as a shorthand for “for instance”, and “i.e.,” for “that is” or “in other words” throughout this manual. • The Prestige 650 series may be referred to as the Prestige in this user’s guide. This refers to both models (ADSL over POTS and ADSL over ISDN) unless specifically identified. •...
  • Page 28: Introduction To Dsl

    Introduction to DSL: DSL (Digital Subscriber Line) technology enhances the data capacity of the existing twisted-pair wire that runs between the local telephone company switching offices and most homes and offices. While the wire itself can handle higher frequencies, the telephone switching equipment is designed to cut off signals above 4,000 Hz to filter noise off the voice line, but now everybody is searching for ways to get more bandwidth to improve access to the Web - hence DSL technologies.
  • Page 29: Getting Started

    Part I: Getting Started. This part is structured as a step-by-step guide to help you access your Prestige. It covers key features and applications, accessing the web configurator, password setup and configuring the wizard screens for initial setup.
  • Page 31: Chapter 1 Getting To Know Your Prestige

    This chapter describes the key features and applications of your Prestige. Introducing the Prestige 650 Series: Your Prestige integrates a high-speed 10/100Mbps auto-negotiating LAN interface(s) and a high-speed ADSL port into a single package. The Prestige is ideal for high-speed Internet browsing and making LAN-to-LAN connections to remote networks.
  • Page 32: Features Of The Prestige

    Features of the Prestige The following sections describe the features of the Prestige series. Features vary by Prestige model. This table lists the key features of the Prestige series. Refer to the feature descriptions below for more details. Some features are not available in every model. Refer to the Model Specific Features table to see what features are specific to your Prestige model.
  • Page 33: Traffic Redirect

    The Prestige is a stateful inspection firewall with DoS (Denial of Service) protection. By default, when the firewall is activated, all incoming traffic from the WAN to the LAN is blocked unless it is initiated from the...
  • Page 34: Dynamic Dns Support

    LAN. The Prestige firewall supports TCP/UDP inspection, DoS detection and prevention, real time alerts, reports and logs. IPSec VPN Capability: Establish a Virtual Private Network (VPN) to connect with business partners and branch offices using data encryption and the Internet to provide secure communications without the expense of leased site-to-site lines. The Prestige VPN is based on the IPSec standard and is fully interoperable with other IPSec-based VPN products.
  • Page 35: Protocol Support

    ♦ TCP/IP (Transmission Control Protocol/Internet Protocol) network layer protocol. ♦ Transparent bridging for unsupported network layer protocols. ♦ RIP I/RIP II ♦ IGMP Proxy ♦ ICMP support ♦ MIB II support (RFC 1213)...
  • Page 36 ♦ PPPoE feature: PPPoE idle time out, PPPoE dial on demand. Networking Compatibility: Your Prestige is compatible with major ADSL DSLAM (Digital Subscriber Line Access Multiplexer) providers. Multiplexing: The Prestige Series supports VC-based and LLC-based multiplexing. Encapsulation: The Prestige series supports PPPoA (RFC 2364 - PPP over ATM Adaptation Layer 5), RFC 1483 encapsulation over ATM, MAC encapsulated routing (ENET Encapsulation) as well as PPP over Ethernet (RFC 2516).
  • Page 37: Applications For The Prestige

    ADSL. In addition, for Prestige 650H/HW, you can insert an optional wireless PCMCIA card into the Prestige and allow wireless stations access to your network resources. A typical Internet access application is shown below...
  • Page 38: Figure 1-1 Prestige Internet Access Application

    Figure 1-1 Prestige Internet Access Application. 1.3.2 LAN to LAN Application: You can use the Prestige to connect two geographically dispersed networks over the ADSL line. A typical LAN-to-LAN application for your Prestige is shown as follows.
  • Page 39: Chapter 2 Introducing The Web Configurator

    Type "192.168.1.1" as the URL. Step 5. An Enter Network Password window displays. Enter the user name (“admin” is the default), password (“1234” is the default) and click OK. Figure 2-1 Password Screen...
  • Page 40: Navigating The Prestige Web Configurator

    Step 6. You should now see the Site Map screen. The Prestige automatically times out after five minutes of inactivity. Simply log back into the Prestige if this happens to you. Navigating the Prestige Web Configurator The following summarizes how to navigate the web configurator from the Site Map screen. We use the Prestige 650H/HW-31 web screens in this guide as an example.
  • Page 41: Configuring Password

    Type the new password again in this field. Apply: Click Apply to save your changes back to the Prestige. Cancel: Click Cancel to begin configuring this screen afresh. ... embedded help. Figure 2-3 Password. Table 2-1 Password...
  • Page 42: Resetting The Prestige

    Resetting the Prestige: If you forget your password or cannot access the Prestige, you will need to reload the factory-default configuration file or use the RESET button on the back of the Prestige. Uploading this configuration file replaces the current configuration file with the factory-default configuration file. This means that you will lose all configurations that you had previously and the speed of the console port will be reset to the default of 9600bps with 8 data bits, no parity, one stop bit and flow control set to none.
  • Page 43: Figure 2-4 Example Xmodem Upload

    Step 6. After successful firmware upload, enter "atgo" to restart the router. Figure 2-4 Example Xmodem Upload: Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol.
  • Page 45: Chapter 3 Wizard Setup

    RFC1483 and sends it through an ATM PVC (Permanent Virtual Circuit) to the Internet Service Provider's (ISP) DSLAM (digital access multiplexer). Please refer to RFC 2364 for more information on PPPoA. Refer to RFC 1661 for more information on PPP...
  • Page 46: Multiplexing

    3.2.4 RFC 1483 RFC 1483 describes two methods for Multiprotocol Encapsulation over ATM Adaptation Layer 5 (AAL5). The first method allows multiplexing of multiple protocols over a single ATM virtual circuit (LLC-based multiplexing) and the second method assumes that each protocol is carried over a separate ATM virtual circuit (VC-based multiplexing).
  • Page 47: Figure 3-1 Wizard Screen 1

    VPI: Enter the VPI assigned to you. This field may already be configured. VCI: Enter the VCI assigned to you. This field may already be configured. Figure 3-1 Wizard Screen 1. Table 3-1 Wizard Screen 1...
  • Page 48: Ip Address And Subnet Mask

    Next: Click this button to go to the next wizard screen. The next wizard screen you see depends on what protocol you chose above. Click on the protocol link to see the next wizard screen for that protocol. IP Address and Subnet Mask: Similar to the way houses on a street share a common street name, so too do computers on a LAN share one common network number.
  • Page 49: Ip Assignment With Pppoa Or Pppoe Encapsulation

    Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Address Space...
  • Page 50: Nailed-Up Connection (Ppp)

    Nailed-Up Connection (PPP) A nailed-up connection is a dial-up line where the connection is always up regardless of traffic demand. The Prestige does two things when you specify a nailed-up connection. The first is that idle timeout is disabled. The second is that the Prestige will try to bring up the connection when turned on and whenever the connection is down.
  • Page 51: Figure 3-2 Internet Connection With Pppoa

    Enter the user name exactly as your ISP assigned. If assigned a name in the form user@domain where domain identifies a service name, then enter both components exactly as given. Password: Enter the password associated with the user name above...
  • Page 52 LABEL IP Address This option is available if you select Routing in the Mode field. A static IP address is a fixed IP that your ISP gives you. A dynamic IP address is not fixed; the ISP assigns you a different one each time you connect to the Internet. The Single User Account feature can be used with either a dynamic or static IP address.
  • Page 53: Figure 3-3 Internet Connection With Rfc 1483

    Click Next to continue to the next wizard screen. Next 3.10.3 ENET ENCAP Select ENET ENCAP from the Encapsulation drop-down list box in the first wizard screen to display the screen as shown. Wizard Setup Prestige 650 Series User’s Guide DESCRIPTION...
  • Page 54: Figure 3-4 Internet Connection With Enet Encap

    Figure 3-4 Internet Connection with ENET ENCAP The following table describes the labels in this screen. Table 3-4 Internet Connection with ENET ENCAP LABEL IP Address A static IP address is a fixed IP that your ISP gives you. A dynamic IP address is not fixed;...
  • Page 55: Figure 3-5 Internet Connection With Pppoe

    Select PPPoE from the Encapsulation drop-down list box in the first wizard screen to display the screen as shown. Figure 3-5 Internet Connection with PPPoE The following table describes the labels in this screen. Wizard Setup Prestige 650 Series User’s Guide DESCRIPTION 3-11...
  • Page 56: Dhcp Setup

    LABEL Service Name Type the name of your PPPoE service here. User Name Configure User Name and Password fields for PPPoA and PPPoE encapsulation only. Enter the user name exactly as your ISP assigned. If assigned a name in the form user@domain as given.
  • Page 57: Wizard Setup Configuration: Third Screen

    DHCP service off, you must have another DHCP server on your LAN, or else the computer must be manually configured. 3.11.1 IP Pool Setup: The Prestige is pre-configured with a pool of 32 IP addresses starting from 192.168.1.33 to 192.168.1.64 for the client machines.
  • Page 58: Figure 3-7 Wizard : Lan Configuration

    The following table describes the labels in this screen. LAN IP Address: Enter the IP address of your Prestige in dotted decimal notation, for example, 192.168.1.1 (factory default). LAN Subnet Mask: Enter a subnet mask in dotted decimal notation. DHCP. DHCP Server: From the DHCP Server drop-down list box, select On to allow your Prestige to assign IP addresses, an IP default gateway and DNS servers to computer systems...
  • Page 59: Wizard Setup Configuration: Connection Tests

    Prestige to the ISP, click Start Diagnose. Otherwise click Return to Main Menu to go back to the Site Map screen. Wizard Setup Table 3-6 Wizard : LAN Configuration DESCRIPTION Figure 3-8 Wizard Screen 4 Prestige 650 Series User’s Guide 3-15...
  • Page 60: Test Your Internet Connection

    3.14 Test Your Internet Connection: Launch your web browser and navigate to www.zyxel.com. Internet access is just the beginning. Refer to the rest of this User’s Guide for more detailed information on the complete range of Prestige features. If you cannot access the Internet, open the web configurator again to confirm that the Internet settings you configured in the Wizard Setup are correct.
  • Page 61: Lan, Wireless Lan And Wan

    LAN, Wireless LAN and WAN Part II: LAN, Wireless LAN and WAN This part covers the LAN (Local Area Network), wireless LAN and WAN setup.
  • Page 63: Chapter 4 Lan Setup

    The DNS server addresses that you enter in the DHCP setup are passed to the client machines along with the assigned IP address and subnet mask. This chapter describes how to configure LAN settings. Figure 4-1 LAN and WAN IP Addresses...
  • Page 64: Dns Server Address Assignment

    There are two ways that an ISP disseminates the DNS server addresses. The first is for an ISP to tell a customer the DNS server addresses, usually in the form of an information sheet, when s/he signs up. If your ISP gives you the DNS server addresses, enter them in the DNS Server fields in DHCP Setup, otherwise, leave them blank.
  • Page 65: Rip Setup

    These parameters should work for the majority of installations. If your ISP gives you explicit DNS server address(es), read the embedded web configurator help regarding what fields need to be configured. 4.4.2 IP Address and Subnet Mask: Refer to the IP Address and Subnet Mask section in the Wizard Setup chapter for this information.
  • Page 66: Configuring Lan

    Prestige 650 Series User’s Guide Configuring LAN Click LAN to open the following screen. Figure 4-2 LAN The following table describes the labels in this screen. Table 4-1 LAN LABEL DESCRIPTION DHCP LAN Setup...
  • Page 67 1 (IGMP-v1) and IGMP-v2. Select None to disable it. Apply Click this button to save these settings back to the Prestige. Cancel Click this button to reset the fields in this screen. LAN Setup Prestige 650 Series User’s Guide Table 4-1 LAN DESCRIPTION...
  • Page 69: Chapter 5 Wireless Lan Setup

    An ESSID uniquely identifies each set. All access points or wireless gateways and their associated wireless stations in the same set must have the same ESSID. ... applicable to the Prestige 650H and Prestige 650HW.
  • Page 70: Figure 5-1 Rts/Cts

    5.1.4 RTS/CTS: A hidden node occurs when two stations are within range of the same access point, but are not within range of each other. The following figure illustrates a hidden node. Both stations (STA) are within range of the access point (AP) or wireless gateway, but out-of-range of each other, so they cannot “hear”...
  • Page 71: Levels Of Security

    Enabling the RTS Threshold causes redundant network overhead that could negatively affect the throughput performance instead of providing a remedy. 5.1.5 Fragmentation Threshold: A Fragmentation Threshold is the maximum data fragment size (between 256 and 2432 bytes) that can be sent in the wireless network before the Prestige will fragment the packet into smaller data frames.
  • Page 72: Data Encryption With Wep

    Data Encryption with WEP: WEP encryption scrambles the data transmitted between the wireless stations and the access points to keep network communications private. It encrypts unicast and multicast communications in a network. Both the wireless stations and the access points must use the same WEP key for data encryption and decryption. Your Prestige allows you to configure up to four 64-bit or 128-bit WEP keys but only one key can be enabled at any one time.
  • Page 73 The ESSID (Extended Service Set Identification) is a unique name to identify the Prestige in the wireless LAN. Wireless stations associating to the Prestige must have the same ESSID. Enter a descriptive name (up to 32 characters). Figure 5-3 Wireless. Table 5-1 Wireless...
  • Page 74: Table 5-1 Wireless

    Hide ESSID: Select Yes to hide the ESSID so a station cannot obtain the ESSID through passive scanning. Select No to make the ESSID visible so a station can obtain the ESSID through passive scanning. Channel ID: The range of radio frequencies used by IEEE 802.11b wireless devices is called a channel. Select a channel from the drop-down list box.
  • Page 75: Configuring Mac Filter

    Configuring MAC Filter: The MAC filter screen allows you to configure the Prestige to give exclusive access to up to 32 devices (Allow Association) or exclude up to 32 devices from accessing the Prestige (Deny Association). Every Ethernet device has a unique MAC (Media Access Control) address.
  • Page 76: Figure 5-4 Mac Address Filter

    Figure 5-4 MAC Address Filter. The following table describes the labels in this menu...
  • Page 77: Overview

    RADIUS server. Types of RADIUS Messages: The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user authentication: Table 5-2 MAC Address Filter...
  • Page 78: Eap Authentication Overview

    • Access-Request: Sent by an access point requesting authentication. • Access-Reject: Sent by a RADIUS server rejecting access. • Access-Accept: Sent by a RADIUS server allowing access. • Access-Challenge: Sent by a RADIUS server requesting more information in order to allow access. The access point sends a proper response from the user and then sends another Access-Request message.
  • Page 79: Configuring 802.1X

    To change your Prestige’s authentication settings, click Wireless LAN, 802.1x. The screen appears as shown. The following table describes the labels in this screen. Figure 5-5 EAP Authentication. Figure 5-6 802.1x...
  • Page 80: Table 5-3 802.1X

    Wireless Port Control: To control wireless stations' access to the wired network, select a control method from the drop-down list box. Choose from No Authentication Required, Authentication Required and No Access Allowed. No Authentication Required allows all wireless stations access to the wired network without entering user names and passwords.
  • Page 81: Configuring Local User Authentication

    RADIUS server. However, there is a limit on the number of users you may authenticate in this way. To change your Prestige’s local user database, click Wireless LAN, Local User Database. The screen appears as shown. Table 5-3 802.1x...
  • Page 82: Figure 5-7 Local User Database

    Figure 5-7 Local User Database...
  • Page 83: Configuring Radius

    Once you enable the EAP authentication, you need to specify the external server for remote user authentication and accounting. To set up your Prestige’s RADIUS server settings, click WIRELESS LAN, RADIUS. The screen appears as shown. Table 5-4 Local User Database...
  • Page 84: Figure 5-8 Radius

    The following table describes the labels in this screen. Authentication Server. Active: Select Yes from the drop-down list box to enable user authentication through an external authentication server. Server IP Address: Enter the IP address of the external authentication server in dotted decimal notation.
  • Page 85 Click Back to go to the main wireless LAN setup screen. Apply: Click Apply to save these settings back to the Prestige. Cancel: Click Cancel to begin configuring this screen again. Table 5-5 RADIUS...
  • Page 87: Chapter 6 Wan Setup

    Virtual Private Network (VPN) using TCP/IP-based networks. PPTP supports on-demand, multi-protocol and virtual private networking over public networks, such as the Internet. This chapter describes how to configure WAN settings...
  • Page 88: Traffic Shaping

    Traffic Shaping: Traffic Shaping is an agreement between the carrier and the subscriber to regulate the average rate and fluctuations of data transmission over an ATM network. This agreement helps eliminate congestion, which is important for transmission of real time data such as audio and video connections.
  • Page 89: Configuring Wan Setup

    Configuring WAN Setup: To change your Prestige’s WAN remote node settings, click WAN. The screen differs by the encapsulation. Figure 6-2 Internet Access Setup...
  • Page 90: Table 6-1 Internet Access Setup

    The following table describes the labels in this screen. Name: Enter the name of your Internet Service Provider, e.g., MyISP. This information is for identification purposes only. Mode: Select Routing (default) from the drop-down list box if your ISP allows multiple computers to share an Internet account.
  • Page 91 Demand. The default setting is 0, which means the Internet session will not timeout. WAN Setup Table 6-1 Internet Access Setup DESCRIPTION where domain identifies a service name, then enter both components as the remote node. Prestige 650 Series User’s Guide...
  • Page 92 Subnet Mask (ENET ENCAP encapsulation only): Enter a subnet mask in dotted decimal notation. Refer to the Subnetting appendix to calculate a subnet mask if you are implementing subnetting. ENET ENCAP Gateway: You must specify a gateway IP address (supplied by your ISP) when you select ENET ENCAP in the Encapsulation field.
  • Page 93: Nat, Dynamic Dns And Time Zone

    Part III: NAT, Dynamic DNS and Time Zone. This part covers NAT (Network Address Translation), dynamic DNS (Domain Name Server) and Time Zone setup.
  • Page 95: Chapter 7 Network Address Translation (Nat)

    (the inside global address) before forwarding the packet to the WAN side. When the response comes back, NAT translates the destination address (the inside global address) back to the inside... This chapter discusses how to configure NAT on the Prestige. Table 7-1 NAT Definitions...
  • Page 96: Figure 7-1 How Nat Works

    local address before forwarding it to the original inside host. Note that the IP address (either local or global) of an outside host is never changed. The global IP addresses for the inside hosts can be either static or dynamically assigned by the ISP. In addition, you can designate servers, for example, a web server and a telnet server, on your local network and make them accessible to the outside world.
  • Page 97: Figure 7-2 Nat Application With Ip Alias

    3. Many-to-Many Overload: In Many-to-Many Overload mode, the Prestige maps the multiple local IP addresses to shared global IP addresses. 4. Many-to-Many No Overload: In Many-to-Many No Overload mode, the Prestige maps each local IP address to a unique global IP address...
  • Page 98: Sua (Single User Account) Versus Nat

    5. Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world. Port numbers do not change for One-to-One and Many-to-Many No Overload NAT The following table summarizes these types. TYPE One-to-One Many-to-One (SUA/PAT)
  • Page 99: Sua Server

    1. Choose SUA Only if you have just one public WAN IP address for your Prestige. 2. Choose Full Feature if you have multiple public WAN IP addresses for your Prestige. SUA Server A SUA server set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make visible to the outside world even though SUA makes your whole inside network appear as a single computer to the outside world.
  • Page 100: Table 7-3 Services And Port Numbers

    Many residential broadband ISP accounts do not allow you to run any server processes (such as a Web or FTP server) from your location. Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location.
  • Page 101: Selecting The Nat Mode

    Figure 7-3 Multiple Servers Behind NAT Example Selecting the NAT Mode Click NAT to open the following screen. Figure 7-4 NAT Mode The following table describes the labels in this screen.
  • Page 102: Configuring Sua Server

    None: Select this radio button to disable NAT. SUA Only: Select this radio button if you have just one public WAN IP address for your Prestige. The Prestige uses Address Mapping Set 1 in the NAT - Edit SUA/NAT Server Set screen. Edit Details: Click this link to go to the NAT - Edit SUA/NAT Server Set screen.
  • Page 103: Figure 7-5 Edit Sua/Nat Server Set

    To forward a series of ports, enter the start port number here and the end port number in the End Port No. field. Figure 7-5 Edit SUA/NAT Server Set Table 7-5 Edit SUA/NAT Server Set...
  • Page 104: Configuring Address Mapping

    End Port No.: Enter a port number in this field. To forward only one port, enter the port number again in the Start Port No. field above and then enter it again in this field. To forward a series of ports, enter the last port number in a series that begins with the port number in the Start Port No.
  • Page 105: Figure 7-6 Address Mapping Rules

    Global End IP: This is the ending Inside Global IP Address (IGA). This field is N/A for One-to-one, Many-to-One and Server mapping types. Figure 7-6 Address Mapping Rules Table 7-6 Address Mapping Rules...
  • Page 106: Editing An Address Mapping Rule

    Type: 1-1: One-to-one mode maps one local IP address to one global IP address. Note that port numbers do not change for the One-to-one NAT mapping type. M-1: Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyXEL routers supported only.
  • Page 107: Table 7-7 Address Mapping Rule Edit

    Table 7-7 Address Mapping Rule Edit. Click Apply to save your changes back to the Prestige. Cancel: Click Cancel to return to the previously saved settings. Delete: Click Delete to exit this screen without saving...
  • Page 109: Chapter 8 Dynamic Dns Setup

    If you have a private WAN IP address, then you cannot use Dynamic DNS. Configuring Dynamic DNS To change your Prestige’s DDNS, click Dynamic DNS. The screen appears as shown...
  • Page 110: Figure 8-1 Ddns

    The following table describes the labels in this screen. Active: Select this check box to use dynamic DNS. Service Provider: Select the name of your Dynamic DNS service provider. Host Name: Type the domain name assigned to your Prestige by your Dynamic DNS provider. E-mail Address: Type your e-mail address.
  • Page 111: Chapter 9 Time And Date Setup

    Chapter 9 Time and Date Setup Use this screen to configure the Prestige’s time and date settings. This chapter is not available on all models. Configuring Time Zone To change your Prestige’s time and date, click Time Zone (or Time And Date). The screen appears as shown.
  • Page 112 The following table describes the labels in this screen. Time Server. Use Time Server when Bootup (or Use Protocol when: Select the time service protocol that your time server sends when you turn on the Prestige. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.
  • Page 113: Table 9-1 Time And Date

    Table 9-1 Time and Date. Apply. Apply: Click Apply to save your changes back to the Prestige. Cancel: Click Cancel to return to the previously saved settings...
  • Page 114: Firewall And Content Filter

    Part IV: Firewall and Content Filter This part introduces firewalls in general and the Prestige firewall. It also explains customized services and logs and gives example firewall rules and an overview of content filtering.
  • Page 115: Chapter 10 Firewalls

    Chapter 10 Firewalls This chapter gives some background information on firewalls and introduces the Prestige firewall. This chapter applies to the Prestige 650H/HW and the Prestige 650H-E. 10.1 Firewall Overview Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another.
  • Page 116: Introduction To Zyxel's Firewall

    Information hiding prevents the names of internal systems from being made known via DNS to outside systems, since the application gateway is the only host whose name must be made known to outside systems. Robust authentication and logging pre-authenticates application traffic before it reaches internal hosts and causes it to be logged more effectively than if it were logged with standard host logging.
  • Page 117: Denial Of Service

    Figure 10-1 Prestige Firewall Application 10.4 Denial of Service Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources.
  • Page 118: Table 10-1 Common Ip Ports

    10.4.2 Types of DoS Attacks There are four types of DoS attacks: 1. Those that exploit bugs in a TCP/IP implementation. 2. Those that exploit weaknesses in the TCP/IP specification. 3. Brute-force attacks that flood a network with useless data. 4.
  • Page 119: Figure 10-2 Three-Way Handshake

    (which is set at relatively long intervals) terminates the three-way handshake. Once the queue is full, the system will ignore all incoming SYN requests, making the system unavailable for legitimate users. Figure 10-2 Three-Way Handshake Figure 10-3 SYN Flood...
  • Page 120: Figure 10-4 Smurf Attack

    2-b In a LAND Attack, hackers flood SYN packets into the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself. 3.
  • Page 121: Stateful Inspection

    Table 10-3 Legal NetBIOS Commands: MESSAGE: REQUEST: POSITIVE: NEGATIVE: RETARGET: KEEPALIVE: Table 10-4 Legal SMTP Commands: ETRN EXPN SAML SEND HELO HELP MAIL SOML TURN VRFY NOOP. Internet. In summary, stateful inspection:...
  • Page 122: Figure 10-5 Stateful Inspection

    Allows all sessions originating from the LAN (local network) to the WAN (Internet). Denies all sessions originating from the WAN to the LAN. The previous figure shows the Prestige’s default firewall rules in action as well as demonstrates how stateful inspection works.
  • Page 123: Stateful Inspection And The Prestige

    Internet. Use extreme caution when creating or deleting firewall rules. Test changes after creating them to make sure they work correctly...
  • Page 124: Tcp Security

    Below is a brief technical description of how these connections are tracked. Connections may either be defined by the upper protocols (for instance, TCP), or by the Prestige itself (as with the "virtual connections" created for UDP and ICMP).
  • Page 125: Guidelines For Enhancing Security With Your Firewall

    10.6.1 Security In General You can never be too careful! Factors outside your firewall, filtering or NAT can cause security breaches. Below are some generalizations about what you can do to minimize them...
  • Page 126: Packet Filtering Vs Firewall

    1. Encourage your company or organization to develop a comprehensive security plan. Good network administration takes into account what hackers can do and prepares against attacks. The best defense against hackers and crackers is information. Educate all employees about the importance of security and how to minimize risk.
  • Page 127: When To Use Filtering

    4. The firewall performs better than filtering if you need to check many rules. 5. Use the firewall if you need routine e-mail reports about your system or need to be alerted when attacks occur...
  • Page 128 6. The firewall can block specific URL traffic that might occur in the future. The URL can be saved in an Access Control List (ACL) database...
  • Page 129: Chapter 11 Firewall Configuration

    Click Advanced Setup, Firewall, and then Config to display the following screen. Select the Firewall Enabled check box and click Apply to enable (or activate) the firewall. the Prestige 650H/HW and Prestige 650H-E. Figure 11-1 Enabling the Firewall...
  • Page 130: Configuring E-Mail Alerts

    11.3 Configuring E-mail Alerts To change your Prestige’s E-mail log settings, click Advanced Setup, Firewall, and then E-mail. The screen appears as shown. This screen is not available on all models. Use the E-Mail screen to configure where the Prestige sends logs, the schedule for when the Prestige sends the logs, and which logs and/or immediate alerts the Prestige sends.
  • Page 131: Attack Alert

    You can use the default threshold values, or you can change them to values more suitable to your security requirements. Table 11-1 E-mail: Daily, Weekly, Hourly, When Log is Full, None...
  • Page 132: Threshold Values

    11.4.1 Alerts Alerts are reports on events, such as attacks, that you may want to know about right away. You can choose to generate an alert when an attack is detected in the Alert screen (Figure 11-3 - select the Generate alert...
  • Page 133: Tcp Maximum Incomplete And Blocking Time

    The Prestige also sends alerts whenever TCP Maximum Incomplete is exceeded. The global values specified for the threshold and timeout apply to all TCP connections. Click Advanced Setup, Firewall, and Alert to bring up the next screen...
  • Page 134: Figure 11-3 Alert

    The following table describes the labels in this screen. Generate alert when attack detected: Select this check box to generate an alert whenever an attack is detected. Denial of Services Thresholds. One Minute Low: This is the rate of new half-open sessions that causes the firewall to stop deleting half-open sessions.
  • Page 135 Table 11-2 Alert. Click Back to return to the previous screen. Apply: Click Apply to save your customized settings and exit this screen. Cancel: Click Cancel to return to the previously saved settings...
  • Page 137: Chapter 12 Creating Custom Rules

    1. State the intent of the rule. For example, “This restricts all IRC access from the LAN to the Internet.” Or, “This allows a remote Lotus Notes server to synchronize over the Internet to an inside Notes server.” applies to the Prestige 650H/HW and the Prestige 650H-E.
  • Page 138: Security Ramifications

    2. Is the intent of the rule to forward or block traffic? 3. What is the direction of the connection: from the LAN to the Internet, or from the Internet to the LAN? 4. What IP services will be affected? 5. What computers on the LAN are to be affected (if any)? 6.
  • Page 139: Connection Direction

    Source Address: What is the connection’s source address; is it on the LAN or WAN? Is it a single IP, a range of IPs or a subnet? Destination Address: What is the connection’s destination address; is it on the LAN or WAN? Is it a single IP, a range of IPs or a subnet? 12.3 Connection Direction...
  • Page 140: Logs

    12.3.2 WAN to LAN Rules The default rule for WAN to LAN traffic blocks all incoming connections (WAN to LAN). If you wish to allow certain WAN users to have access to your LAN, you will need to create custom rules to allow it.
  • Page 141: Figure 12-3 Firewall Logs

    Figure 12-3 Firewall Logs. Information: This field lists packet information such as: From and To IP addresses, protocol and port numbers. EXAMPLE: dd:mm:yy e.g., Jan 01 0 hh:mm:ss e.g., 00:04:28...
  • Page 142: Rule Summary

    Table 12-1 Firewall Logs. Reason: This field states the reason for the log; i.e., was the rule matched, not matched, or was there an attack. The set and rule coordinates (<X, Y> where X=1,2; Y=00~10) follow with a simple explanation. There are two policy sets; set 1 (X = 1) is for LAN to WAN rules and set 2 (X = 2) for WAN to LAN rules.
  • Page 143: Figure 12-4 Firewall Rules Summary: First Screen

    Click on Firewall, then Rule Summary to bring up the following screen. This screen is a summary of the existing rules. Note the order in which the rules are listed. The ordering of your rules is very important as rules are applied in turn.
  • Page 144: Predefined Services

    Table 12-2 Firewall Rules Summary: First Screen. The default action for packets not matching following rules: Use the drop-down list box to select whether to Block (silently discard) or Forward (allow the passage of) packets that do not match the following rules. Default Permit Log: Select this check box to log all matched rules in the default set.
  • Page 145: Table 12-3 Predefined Services

    The IPSEC ESP (Encapsulation Security Protocol) tunneling protocol uses this service. This is another popular Internet chat program. Microsoft Networks’ messenger service uses this protocol. Internet Group Multicast Protocol is used when sending packets to a specific group of hosts...
  • Page 146 Table 12-3 Predefined Services. SERVICE: NEWS(TCP:144) NFS(UDP:2049) NNTP(TCP:119) PING(ICMP:0) POP3(TCP:110) PPTP(TCP:1723) PPTP_TUNNEL(GRE:0) RCMD(TCP:512) REAL_AUDIO(TCP:7070) REXEC(TCP:514) RLOGIN(TCP:513) RTELNET(TCP:107) RTSP(TCP/UDP:554) SFTP(TCP:115) SMTP(TCP:25) SNMP(TCP/UDP:161) SNMP-TRAPS (TCP/UDP:162) SQL-NET(TCP:1521). DESCRIPTION: A protocol for news groups. Network File System - NFS is a client/server distributed file service that provides transparent file-sharing for network environments.
  • Page 147: Creating/Editing Firewall Rules

    Its primary function is to allow users to log into remote host systems. Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol). Another videoconferencing solution...
  • Page 148: Figure 12-5 Creating/Editing A Firewall Rule

    Figure 12-5 Creating/Editing A Firewall Rule The following table describes the labels in this screen. Table 12-4 Creating/Editing A Firewall Rule. Source Address: Click SrcAdd to add a new address, SrcEdit to edit an existing one or SrcDelete to delete one...
  • Page 149: Source And Destination Addresses

    To add a new source or destination address, click SrcAdd or DestAdd from the previous screen. To edit an existing source or destination address, select it from the box and click SrcEdit or DestEdit from the previous screen. Either action displays the following screen...
  • Page 150: Timeout

    Figure 12-6 Adding/Editing Source and Destination Addresses The following table describes the labels in this screen. Table 12-5 Adding/Editing Source and Destination Addresses. Address Type: Do you want your rule to apply to packets with a particular (single) IP address, a range of IP addresses (e.g., 192.168.1.10 to 192.169.1.50), a subnet or any IP address? Select an option from the drop-down list box that includes: Single Address, Range Address, Subnet Address and Any Address.
  • Page 151: Figure 12-7 Timeout

    Figure 12-7 Timeout Table 12-6 Timeout. Prestige considers the connection closed. ICMP Timeout: Type the number of seconds (default 60) for an ICMP session to wait for the ICMP response...
  • Page 152 Table 12-6 Timeout. Back: Click Back to return to the previous screen. Apply: Click Apply to save your customized settings and exit this screen. Cancel: Click Cancel to return to the previous configuration...
  • Page 153: Chapter 13 Customized Services

    Chapter 13 Customized Services This chapter covers creating, viewing and editing custom services. This chapter applies to the Prestige 650H/HW and Prestige 650H-E. 13.1 Introduction to Customized Services Configure customized services and port numbers not predefined by the Prestige (see Figure 12-5). For a comprehensive list of port numbers and services, visit the IANA (Internet Assigned Numbers Authority) website.
  • Page 154: Creating/Editing A Customized Service

    Customized Services. This is the number of your customized port. Click a rule’s number of a service to go to the Firewall Customized Services Config screen to configure or edit a customized service. Name: This is the name of your customized service. Protocol: This shows the IP protocol (TCP, UDP or Both) that defines your customized service.
  • Page 155: Example Custom Service Firewall Rule

    Click Rule Summary under Internet to Local Network Set. Step 2. Click a rule number to open the edit rule screen. Step 3. Click Any in the Source Address box and then click SrcDelete. Figure 13-3 Edit Rule Example...
  • Page 156: Figure 13-4 Configure Source Ip Example

    Step 1. Click SrcAdd to open the Rule IP Config screen. Configure it as follows and click Apply. Step 5. Click Edit Available Service in the Edit rule screen and then click a rule number to bring up the Firewall Customized Services Config screen. Configure as follows. Figure 13-5 Customized Service for MyService Example Customized services show up with an “*”...
  • Page 157: Figure 13-6 Syslog Rule Configuration Example

    Click Apply when finished. Figure 13-6 Syslog Rule Configuration Example This is the address range of the MyService computers. This is your MyService custom port.
  • Page 158: Figure 13-7 Rule Summary Example

    Step 6. On completing the configuration procedure for these Internet firewall rules, the Rule Summary screen should look like the following. Don’t forget to click Apply when you have finished configuring your rule(s) to save your settings back to the Prestige. This rule allows a MyService connection from the WAN.
  • Page 159: Chapter 14 Content Filtering

    Chapter 14 Content Filtering This chapter covers how to configure content filtering. This chapter applies to the Prestige 650H/HW. 14.1 Content Filtering Overview Internet content filtering allows you to create and enforce Internet access policies tailored to your needs.
  • Page 160: Figure 14-1 Content Filter: Keyword

    The following table describes the labels in this screen. Enable Keyword Blocking: Select this check box to enable this feature. Block Websites that contain these keywords in: This box contains the list of all the keywords that you have configured the Prestige to block.
  • Page 161: Configuring The Schedule

    Table 14-1 Content Filter: Keyword. To set the days and times for the Prestige to perform content filtering, click Content Filter and Schedule. The screen appears as shown. Figure 14-2 Content Filter: Schedule The following table describes the labels in this screen...
  • Page 162: Configuring Trusted Computers

    Days to Block: Select a check box to configure which days of the week (or every day) you want the content filtering to be active. Time of Day to Block: Use the 24 hour format to configure which time of the day (or select the All day check box) you want the content filtering to be active.
  • Page 163: Configuring Logs

    Table 14-3 Content Filter: Trusted. 14.5 Configuring Logs This screen records the results of your content filter policies. Click Content Filter and Logs. The screen appears as shown. Figure 14-4 Content Filter Logs...
  • Page 164: Table 14-4 Content Filter Logs

    The following table describes the labels in this screen. Page: Choose a page of logs from the drop-down list box to display. This is the index number of the content filter log. Time: This field displays the time of the log. Source IP: This field displays the IP address of the computer accessing the web site.
  • Page 165: Vpn/Ipsec

    Part V: VPN/IPSec This part provides information about configuring VPN/IPSec for secure communications.
  • Page 167: Chapter 15 Introduction To Ipsec

    Decryption is the opposite of encryption: it is a mathematical operation that transforms “ciphertext” to plaintext. Decryption also requires a key...
  • Page 168: Figure 15-1 Encryption And Decryption

    Data Confidentiality: The IPSec sender can encrypt packets before transmitting them across a network. Data Integrity: The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has not been altered during transmission. Data Origin Authentication: The IPSec receiver can verify the source of IPSec packets.
  • Page 169: Ipsec Architecture

    Figure 15-2 VPN Application 15.2 IPSec Architecture The overall IPSec architecture is shown as follows...
  • Page 170: Figure 15-3 Ipsec Architecture

    Figure 15-3 IPSec Architecture 15.2.1 IPSec Algorithms The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms).
  • Page 171: Encapsulation

    AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet. When using AH protocol, packet contents (the data payload) are not encrypted...
  • Page 172: Table 15-1 Vpn And Nat

    A NAT device in between the IPSec endpoints will rewrite either the source or destination address with one of its own choosing. The VPN device at the receiving end will verify the integrity of the incoming packet by computing its own hash value, and complain that the hash value appended to the received packet doesn't match.
  • Page 173: Chapter 16 Vpn Screens

    Chapter 16 VPN Screens This chapter introduces the VPN screens. See the Logs chapter for information on viewing logs and the Reference Guide for IPSec log descriptions. This chapter applies to the Prestige 650H/HW. 16.1 VPN/IPSec Overview Use the screens documented in this chapter to configure rules for VPN connections and manage VPN connections.
  • Page 174: My Ip Address

    DES (default) Data Encryption Standard (DES) is a widely used method of data encryption using a private (secret) key. DES applies a 56-bit key to each 64-bit block of data. 3DES Triple DES (3DES) is a variant of DES, which iterates three times with three separate keys (3 x 56 = 168 bits), effectively doubling the strength of DES.
  • Page 175: Vpn Summary Screen

    The Secure Gateway IP Address may be configured as 0.0.0.0 only when using IKE key management and not Manual key management. 16.5 VPN Summary Screen The following figure helps explain the main fields in the web configurator.
  • Page 176: Figure 16-2 Vpn Summary

    The following table describes the labels in this screen. This is the VPN policy index number. Click a number to edit VPN policies. Name: This field displays the identification name for this VPN policy. Active: This field displays whether the VPN policy is active or not. A "Y" signifies that this VPN policy is active.
  • Page 177: Keep Alive

    Telecommuters can use separate passwords to simultaneously connect to the Prestige from IPSec routers with dynamic IP addresses (see section 16.17.2 for a telecommuter configuration example). Table 16-2 VPN Summary: drops the tunnel after two minutes...
  • Page 178: Table 16-3 Local Id Type And Content Fields

    With main mode (see section 16.10.1), the ID type and content are encrypted to provide identity protection. In this case the Prestige can only distinguish between up to eight different incoming SAs that connect from remote IPSec routers that have dynamic WAN IP addresses. The Prestige can distinguish up to eight incoming SAs because you can select between two encryption algorithms (DES and 3DES), two authentication algorithms (MD5 and SHA1) and two key groups (DH1 and DH2) when you configure a VPN rule (see section 16.11).
  • Page 179: Pre-Shared Key

    16.9 Editing VPN Policies Click a number (No.) on the Summary screen to edit VPN policies. PRESTIGE B Local ID type: IP Local ID content: 1.1.1.2 Peer ID type: E-mail Peer ID content: tom@yourcompany.com...
  • Page 180: Figure 16-3 Vpn Ike

    Figure 16-3 VPN IKE...
  • Page 181: Table 16-7 Vpn Ike

    LAN’s full IP address range as the local IP address, then you cannot configure any other active rules with the Secure Gateway Address field set to 0.0.0.0. Table 16-7 VPN IKE...
  • Page 182 Local Address Type: Use the drop-down menu to choose Single, Range, or Subnet. Select Single for a single IP address. Select Range for a specific range of IP addresses. Select Subnet to specify IP addresses on a network by their subnet mask. IP Address Start: When the Local Address Type field is configured to Single, enter a (static) IP address on the LAN behind your Prestige.
  • Page 183 Table 16-7 VPN IKE. Peer ID Type: Select IP to identify the remote IPSec router by its IP address. Select DNS to identify the remote IPSec router by a domain name. Select E-mail to identify the remote IPSec router by an e-mail address...
  • Page 184 Table 16-7 VPN IKE. Content: When you select IP in the Peer ID Type field, type the IP address of the computer with which you will make the VPN connection or leave the field blank to have the Prestige automatically use the address in the Secure Gateway Address field.
  • Page 185: Ike Phases

    Figure 16-4 Two Phases to Set Up the IPSec SA In phase 1 you must: Choose a negotiation mode. Authenticate the connection by entering a pre-shared key. Choose an encryption algorithm. Choose an authentication algorithm...
  • Page 186: Negotiation Mode

    Choose a Diffie-Hellman public-key cryptography key group (DH1 or DH2). Set the IKE SA lifetime. This field allows you to determine how long an IKE SA should stay up before it times out. An IKE SA times out when the IKE SA lifetime period expires. If an IKE SA times out when an IPSec SA is already established, the IPSec SA stays connected.
  • Page 187: Configuring Advanced Ike Settings

    16.10.3 Perfect Forward Secrecy (PFS) Enabling PFS means that the key is transient. The key is thrown away and replaced by a brand new key using a new Diffie-Hellman exchange for each new IPSec SA setup. With PFS enabled, if one key is compromised, previous and subsequent keys are not compromised, because subsequent keys are not derived from previous keys.
  • Page 188: Figure 16-5 Vpn Ike: Advanced

    Figure 16-5 VPN IKE: Advanced The following table describes the labels in this screen. Table 16-8 VPN IKE: Advanced. VPN - IKE. Protocol: Enter 1 for ICMP, 6 for TCP, 17 for UDP, etc. 0 is the default and signifies any protocol.
  • Page 189 Table 16-8 VPN IKE: Advanced. Both ends of the VPN tunnel must use the same pre-shared key. You will receive a “PYLD_MALFORMED” (payload malformed) packet if the same pre-shared key is not used on both ends...
  • Page 190 Encryption Algorithm: Select DES or 3DES from the drop-down list box. When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code.
  • Page 191: Manual Key Setup

    VPN gateway to the local VPN gateway. The local VPN gateway then uses the network, encryption and key values that the administrator associated with the SPI to establish the tunnel. Table 16-8 VPN IKE: Advanced...
  • Page 192: Configuring Manual Key

    Current ZyXEL implementation assumes identical outgoing and incoming SPIs. 16.13 Configuring Manual Key. You only configure VPN Manual Key when you select Manual in the Key Management field on the VPN IKE screen. This is the VPN Manual Key screen as shown next.
  • Page 193: Table 16-9 Vpn Manual Key

    Local Address Type: Use the drop-down menu to choose Single, Range, or Subnet. Select Single for a single IP address. Select Range for a specific range of IP addresses. Select Subnet to specify IP addresses on a network by their subnet mask. (Table 16-9 VPN Manual Key)
  • Page 194 IP Address Start: When the Local Address Type field is configured to Single, enter a (static) IP address on the LAN behind your Prestige. When the Local Address Type field is configured to Range, enter the beginning (static) IP address, in a range of computers on your LAN behind your Prestige.
  • Page 195 MD5 authentication or 20 characters for SHA-1 authentication. Any characters may be used, including spaces, but trailing spaces are truncated. Back: Click Back to return to the previous screen. (Table 16-9 VPN Manual Key)
  • Page 196: Viewing Sa Monitor

    Apply: Click Apply to save your changes back to the Prestige. Cancel: Click Cancel to begin configuring this screen afresh. Delete: Click Delete to remove the current rule. 16.14 Viewing SA Monitor. Click VPN and Monitor to open the SA Monitor screen as shown. Use this screen to display and manage active VPN connections.
  • Page 197: Figure 16-7 Sa Monitor

    Both AH and ESP increase Prestige processing requirements and communications latency (delay). Disconnect: Select Disconnect next to a security association and then click Apply to stop that security association. (Figure 16-7 SA Monitor; Table 16-10 SA Monitor)
  • Page 198: Configuring Global Setting

    Back: Click Back to return to the previous screen. Apply: Click Apply to save your changes back to the Prestige. Refresh: Click Refresh to display the current active VPN connection(s). 16.15 Configuring Global Setting. To change your Prestige’s global settings, click VPN and then Global Setting. The screen appears as shown. The following table describes the labels in this screen.
  • Page 199: Configuring Ipsec Logs

    This screen is useful for troubleshooting. A log index number, the date and time the log was created and a log message are displayed. (Figure 16-9 VPN Logs; Table 16-12 VPN Logs)
  • Page 200: Table 16-13 Sample Ike Key Exchange Logs

    Double exclamation marks (!!) denote an error or warning message. The following table shows sample log messages during IKE key exchange. Table 16-13 Sample IKE Key Exchange Logs (log messages): "Cannot find outbound SA for rule <#d>"; "Send Main Mode request to <IP>"; "Send Aggressive Mode request to <IP>"...
  • Page 201: Table 16-14 Sample Ipsec Logs During Packet Transmission

    The Prestige cannot find a phase 2 SA that corresponds with the SPI of an inbound packet (from the peer); the packet is dropped. If the Prestige receives a packet with the wrong sequence number it will discard it.
  • Page 202: Table 16-15 Rfc-2408 Isakmp Payload Types

    Table 16-14 Sample IPSec Logs During Packet Transmission (log messages): "!! Inbound packet authentication failed"; "!! Inbound packet decryption failed"; "Rule <#d> idle time out, disconnect". The following table shows RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type.
  • Page 203: Telecommuter Vpn/Ipsec Examples

    Remote IP 0.0.0.0 (N/A) Address: VPN Screens HEADQUARTERS 0.0.0.0 (dynamic IP address assigned by the ISP) With this IP address Public static IP address Telecommuter A: 192.168.2.12 Telecommuter B: 192.168.3.2 Telecommuter C: 192.168.4.15 192.168.1.10 Prestige 650 Series User’s Guide TELECOMMUTERS 16-31...
  • Page 204: Figure 16-11 Telecommuters Using Unique Vpn Rules Example

    16.17.2 Telecommuters Using Unique VPN Rules Example In this example the telecommuters (A, B and C in the figure) use IPSec routers with domain names that are mapped to their dynamic WAN IP addresses (use Dynamic DNS to do this). With aggressive negotiation mode (see section 16.10.1), the Prestige can use the ID types and contents to distinguish between VPN rules.
  • Page 205: Vpn And Remote Management

    If a VPN tunnel uses Telnet, FTP, WWW, SNMP, DNS or ICMP, then you should configure remote management (REMOTE MGNT) to allow access for that service. TELECOMMUTERS: Peer ID Type: E-mail; Peer ID Content: bob@bigcompanyhq.com; Telecommuter A (telecommutera.dydns.org)...
  • Page 206: Remote Management, Upnp And Logs

    Part VI: Remote Management, UPnP and Logs. This part contains information on how to configure the Prestige for remote management, setting up Universal Plug and Play (UPnP) and the logs.
  • Page 207: Chapter 17 Remote Management Configuration

    Telnet session; it will not begin if there already is a Telnet session. 7. There is a firewall rule that blocks it. Remote Management Configuration Prestige 650 Series User’s Guide Chapter 17 available on all models...
  • Page 208: Telnet

    17.1.2 Remote Management and NAT When NAT is enabled: Use the Prestige’s WAN IP address when configuring from the WAN. Use the Prestige’s LAN IP address when configuring from the LAN. 17.1.3 System Timeout There is a system timeout of five minutes (three hundred seconds) for either the console port or telnet/web/FTP connections.
  • Page 209: Web

    Client IP: The default 0.0.0.0 allows any client to use this service to remotely manage the Prestige. Type an IP address to restrict access to a client with a matching IP address. (Figure 17-2 Remote Management; Table 17-1 Remote Management)
  • Page 210 Apply: Click Apply to save your settings back to the Prestige. Cancel: Click Cancel to begin configuring this screen afresh. (Table 17-1 Remote Management)
  • Page 211: Chapter 18 Universal Plug-And-Play (Upnp)

    The automated nature of NAT traversal applications in establishing their own services may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments. Chapter 18 UPnP. This chapter introduces the UPnP feature in the web configurator.
  • Page 212: Upnp And Zyxel

    All UPnP-enabled devices may communicate freely with each other without additional configuration. Disable UPnP if this is not your intention. 18.2 UPnP and ZyXEL. ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum Creates UPnP™...
  • Page 213: Installing Upnp In Windows Example

    Follow the steps below to install the UPnP in Windows Me. Step 1. Click Start and Control Panel. Double-click Add/Remove Programs. Step 2. Click on the Windows Setup tab and select Communication in the Components selection box. Click Details.
  • Page 214: Installing Upnp In Windows Xp

    Step 3. In the Communications window, select the Universal Plug and Play check box in the Components selection box. Step 4. Click OK to go back to the Add/Remove Programs Properties window and click Next. Step 5. Restart the computer when prompted. 18.3.2 Installing UPnP in Windows XP Follow the steps below to install the UPnP in Windows XP.
  • Page 215: Using Upnp In Windows Xp Example

    Make sure the computer is connected to a LAN port of the Prestige. Turn on your computer and the Prestige. 18.4.1 Auto-discover Your UPnP-enabled Network Device. Step 1. Click start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway. Step 2. Right-click the icon and select Properties.
  • Page 216 Step 3. In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created. When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically. Step 5. Select Show icon in notification area when connected option and click OK. An icon displays in the system tray.
  • Page 217: Web Configurator Easy Access

    Prestige first. This is helpful if you do not know the IP address of the Prestige. Follow the steps below to access the web configurator. Step 1. Click Start and then Control Panel. Step 2. Double-click Network Connections. Step 3. Select My Network Places under Other Places.
  • Page 218 Step 4. An icon with the description for each UPnP-enabled device displays under Local Network. Step 5. Right-click on the icon for your Prestige and select Invoke. The web configurator login screen displays. Step 6. Right-click on the icon for your Prestige and select Properties.
  • Page 219: Chapter 19 Logs Screens

    Chapter 19 Logs Screens. This chapter contains information about configuring general log settings and viewing the Prestige’s logs. This chapter is only applicable to P650H-E. Refer to the appendices for example log message explanations. 19.1 Logs Overview. The web configurator allows you to choose which categories of events and/or alerts to have the Prestige log and then display the logs or have the Prestige send them to an administrator (as e-mail) or to a syslog server.
  • Page 220: Figure 19-1 Log Settings

    Figure 19-1 Log Settings. The following table describes the labels in this screen.
  • Page 221: Table 19-1 Log Settings

    Enter the time of the day in 24-hour format (for example 23:00 equals 11:00 pm) to send the logs. (Table 19-1 Log Settings) Daily; Weekly; Hourly; When Log is Full; None.
  • Page 222: Displaying The Logs

    Select the categories of logs that you want to record. Logs include alerts. Send Immediate Alert: Select the categories of alerts for which you want the Prestige to instantly e-mail alerts to the e-mail address specified in the Send Alerts To field....
  • Page 223: Smtp Error Messages

    Table 19-2 View Logs. Table 19-3 SMTP Error Messages: -1 means Prestige out of socket; -2 means tcp SYN fail; -3 means smtp server OK fail; -4 means HELO fail; -5 means MAIL FROM fail...
  • Page 224: Figure 19-3 E-Mail Log Example

    19.4.1 Example E-mail Log An "End of Log" message displays for each mail in which a complete log has been sent. The following is an example of a log sent by e-mail. Subject: Firewall Alert From Prestige Date: Fri, 07 Apr 2000 10:05:42 From: user@zyxel.com user@zyxel.com...
  • Page 225: Bandwidth Management

    Part VII: Bandwidth Management. This part provides information on the functions and configuration of Bandwidth Management.
  • Page 227: Chapter 20 Bandwidth Management

    The Prestige leaves the bandwidth budget allocated and unused for a class that does not have a filter itself or child-classes with filters. View your configured bandwidth classes and child-classes in the Class Setup tab (see section 20.9 for details). Chapter 20 Bandwidth Management. Bandwidth Management only applies to the Prestige P650H/HW.
  • Page 228: Proportional Bandwidth Allocation

    The total of the configured bandwidth budgets for child-classes cannot exceed the configured bandwidth budget speed of the parent class. 20.3 Proportional Bandwidth Allocation. Bandwidth management allows you to define how much bandwidth each class gets; however, the actual bandwidth allotted to each class decreases or increases in proportion to actual available bandwidth.
  • Page 229: Figure 20-2 Subnet-Based Bandwidth Management Example

    Table 20-1 Application and Subnet-based Bandwidth Management Example TRAFFIC TYPE VoIP E-mail Video Bandwidth Management Prestige 650 Series User’s Guide FROM SUBNET A 64 kbps 64 kbps 64 kbps 64 kbps 64 kbps FROM SUBNET B...
  • Page 230: Scheduler

    Figure 20-3 Application and Subnet-based Bandwidth Management Example. 20.5 Scheduler. The scheduler divides up an interface’s bandwidth among the bandwidth classes. The Prestige has two types of scheduler: fairness-based and priority-based. 20.5.1 Priority-based Scheduler. With the priority-based scheduler, the Prestige forwards traffic from bandwidth classes according to the priorities that you assign to the bandwidth classes.
  • Page 231: Figure 20-4 Bandwidth Allotment Example

    and on their priority levels. When only one class requires more bandwidth, the Prestige gives extra bandwidth to that class. When multiple classes require more bandwidth, the Prestige gives the highest priority classes the available bandwidth first (as much as they require, if there is enough available bandwidth), and then to lower priority classes if there is still bandwidth available.
  • Page 232: Figure 20-5 Maximize Bandwidth Usage Example

    The following figure shows the bandwidth usage with the maximize bandwidth usage option enabled. The Prestige divides up the unbudgeted 2 Mbps among the classes that require more bandwidth. If the administration department only uses 1 Mbps of the budgeted 2 Mbps, the Prestige also divides the remaining 1 Mbps among the classes that require more bandwidth.
  • Page 233: Bandwidth Borrowing

    20.7 Bandwidth Borrowing. Bandwidth borrowing allows a child-class to borrow unused bandwidth from its parent class, whereas maximize bandwidth usage allows bandwidth classes to borrow any unused or unbudgeted bandwidth on the whole interface. Enable bandwidth borrowing on a child-class to allow the child-class to use its parent class’s unused bandwidth.
  • Page 234: Figure 20-6 Bandwidth Borrowing Example

    Figure 20-6 Bandwidth Borrowing Example. The Bill class can borrow unused bandwidth from the Sales USA class because the Bill class has bandwidth borrowing enabled. The Bill class can also borrow unused bandwidth from the Sales class because the Sales USA class also has bandwidth borrowing enabled.
  • Page 235: Configuring Summary

    20.8 Configuring Summary. Click BW Manager, Summary to open the Summary screen. Enable bandwidth management on an interface and set the maximum allowed bandwidth for that interface.
  • Page 236: Figure 20-7 Bandwidth Manager: Summary

    Figure 20-7 Bandwidth Manager: Summary The following table describes the labels in this screen. LABEL These read-only labels represent the physical interfaces. WLAN Active Select an interface’s check box to enable bandwidth management on that interface. Speed (kbps) Enter the amount of bandwidth for this interface that you want to allocate using bandwidth management.
  • Page 237: Configuring Class Setup

    (see section 20.6.1). The Administration and Sales USA bandwidth classes each have bigger bandwidth budgets than the total of the budgets of their child-classes. The child-classes can borrow the extra bandwidth as long as they have bandwidth borrowing enabled (see section 20.7).
  • Page 238: Figure 20-8 Bandwidth Manager: Class Setup

    Figure 20-8 Bandwidth Manager: Class Setup The following table describes the labels in this screen. Table 20-3 Bandwidth Manager: Class Setup LABEL Interface Select an interface from the drop-down list box for which you wish to set up classes. Back Click Back to go to the main BW Manager screen.
  • Page 239: Figure 20-9 Bandwidth Manager: Class Configuration

    20.9.1 Bandwidth Manager Class Configuration. Configure a bandwidth management class in the Class Configuration screen. You must use the Bandwidth Manager - Summary screen to enable bandwidth management on an interface before you can configure classes for that interface.
  • Page 240: Table 20-4 Bandwidth Manager: Class Configuration

    Table 20-4 Bandwidth Manager: Class Configuration LABEL Class Name Use the auto-generated name or enter a descriptive name of up to 20 alphanumeric characters, including spaces. BW Budget (kbps) Specify the maximum bandwidth allowed for the class in kbps. The recommendation is a setting between 20 kbps and 20000 kbps for an individual class.
  • Page 241: Table 20-5 Services And Port Numbers

    HTTP (Hyper Text Transfer protocol or WWW, Web) POP3 (Post Office Protocol) NNTP (Network News Transport Protocol) SNMP (Simple Network Management Protocol) SNMP trap PPTP (Point-to-Point Tunneling Protocol) Bandwidth Management DESCRIPTION Table 20-5 Services and Port Numbers SERVICES Prestige 650 Series User’s Guide PORT NUMBER 1723 20-15...
  • Page 242: Figure 20-10 Bandwidth Management Statistics

    20.9.2 Bandwidth Management Statistics Use the Bandwidth Management Statistics screen to view network performance information. Click the Statistics button in the Class Setup screen to open the Statistics screen. Figure 20-10 Bandwidth Management Statistics The following table describes the labels in this screen. Table 20-6 Bandwidth Management Statistics LABEL Class Name...
  • Page 243: Configuring Monitor

    This field displays the amount of bandwidth allocated to the class. Current Usage (kbps): This field displays the amount of bandwidth that each class is using. (Table 20-7 Bandwidth Manager Monitor)
  • Page 244 Back: Click Back to go to the main BW Manager screen. Refresh: Click Refresh to update the page. (Table 20-7 Bandwidth Manager Monitor)
  • Page 245: Maintenance

    Part VIII: Maintenance. This part covers the maintenance screens.
  • Page 247: Chapter 21 Maintenance

    Chapter 21 Maintenance. This chapter displays system information such as ZyNOS firmware, port IP addresses and port traffic statistics. 21.1 Maintenance Overview. Use the maintenance screens to view system information, upload new firmware, manage configuration and restart your Prestige.
  • Page 248: Figure 21-1 System Status

    Figure 21-1 System Status. The following table describes the labels in this screen.
  • Page 249: Table 21-1 System Status

    DHCP Start IP: This is the first of the contiguous addresses in the IP address pool. DHCP Pool Size: This is the number of IP addresses in the IP address pool. (Table 21-1 System Status)
  • Page 250: Figure 21-2 System Status: Show Statistics

    Show Statistics: Click Show Statistics to see router performance statistics such as number of packets sent and number of packets received for each port. 21.2.1 System Statistics. Click Show Statistics in the System Status screen to open the following screen. Read-only information here includes port status and packet specific statistics.
  • Page 251: Table 21-2 System Status: Show Statistics

    This field displays the number of bytes transmitted in the last second. Rx B/s: This field displays the number of bytes received in the last second. Up Time: This field displays the elapsed time this port has been up.
  • Page 252: Dhcp Table Screen

    Collisions: This is the number of collisions on this port. Poll Interval(s): Type the time interval for the browser to refresh system statistics. Set Interval: Click this button to apply the new poll interval you entered in the Poll Interval field above.
  • Page 253: Wireless Screens

    This screen displays the MAC address(es) of the wireless clients that are currently logged in to the network. Click Wireless LAN and then Association List to open the screen shown next. The following table describes the labels in this screen. (Table 21-3 DHCP Table; Figure 21-4 Association List)
  • Page 254: Figure 21-5 Channel Usage Table

    LABEL This is the index number of an associated wireless client. MAC Address This field displays the MAC (Media Access Control) address of an associated wireless station. Every Ethernet device has a unique MAC address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.
  • Page 255: Diagnostic Screens

    These read-only screens display information to help you identify problems with the Prestige. Click Diagnostic to display the following screen. 21.5.1 Diagnostic General Screen. Click Diagnostic and then General to open the screen shown next. (Table 21-5 Channel Usage Table; Figure 21-6 Diagnostic)
  • Page 256: Figure 21-7 Diagnostic General

    The following table describes the labels in this screen. TCP/IP Address: Type the IP address of a computer that you want to ping in order to test a connection. Ping: Click this button to ping the IP address that you entered. Click this button to reboot the Prestige.
  • Page 257: Figure 21-8 Diagnostic Dsl Line

    Table 21-6 Diagnostic General. Back: Click this button to go back to the main Diagnostic screen. 21.5.2 Diagnostic DSL Line Screen. Click Diagnostic and then DSL Line to open the screen shown next.
  • Page 258: Firmware Screen

    Reset ADSL Line: Click this button to reinitialize the ADSL line. The large text box above then displays the progress and results of this operation, for example: "Start to reset ADSL Loading ADSL modem F/W... Reset ADSL Line Successfully!" ATM Status: Click this button to view ATM status.
  • Page 259: Figure 21-9 Firmware Upgrade

    The Prestige automatically restarts in this time causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop. (Figure 21-9 Firmware Upgrade; Table 21-8 Firmware Upgrade)
  • Page 260: Configuration Screen

    Figure 21-10 Network Temporarily Disconnected. After two minutes, log in again and check your new firmware version in the System Status screen. If the upload was not successful, the following screen will appear. Click Back to go back to the Firmware screen.
  • Page 261: Figure 21-13 Restore Configuration

    Figure 21-12 Backup Configuration. 21.7.2 Restore Configuration. Restore configuration replaces your Prestige's current configuration (firewall settings, etc.) with a previously saved configuration. Restore files (usually) have a .ROM extension, e.g., "prestige.rom". The system reboots automatically after the file transfer is complete and uses the configured values in the file.
  • Page 262: Figure 21-14 Configuration Upload Successful

    File Path: Type in the location of the file you want to upload in this field or click Browse ... to find it. Browse...: Click Browse... to find the file you want to upload. Remember that you must decompress compressed (.ZIP) files before you can upload them.
  • Page 263: Figure 21-16 Configuration Upload Error

    If you uploaded the default configuration file you may need to change the IP address of your computer to be in the same subnet as that of the default Prestige IP address (192.168.1.1). See the appendix for details on how to set up your computer’s IP address.
  • Page 264: Figure 21-18 Reset Warning Message

    The following warning screen will appear. Figure 21-18 Reset Warning Message. You can also press the RESET button on the side panel to reset the factory defaults of your Prestige. Refer to the Resetting the Prestige section for more information on the RESET button.
  • Page 265: Smt General Configuration

    Part IX: SMT General Configuration. This part covers System Management Terminal configuration for general setup, LAN setup, wireless LAN setup, Internet access, remote nodes, remote node TCP/IP, static routing and NAT. See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.
  • Page 267: Chapter 22 Introducing The Smt

    For your first login, enter the default password “1234”. As you type the password, the screen displays an asterisk “*” for each character you type. Chapter 22 Introducing the SMT overview of its menus...
  • Page 268: Figure 22-1 Login Screen

    Please note that if there is no activity for longer than five minutes after you log in, your Prestige will automatically log you out. Enter Password : **** (Figure 22-1 Login Screen). 22.1.4 Prestige SMT Menu Overview. We use the Prestige 650H/HW-31 SMT menus in this guide as an example.
  • Page 269: Figure 5-3 Wireless

    Diagnostic Upload System Firmware Menu 24.6 Menu 24.5 System Maintenance -- System Maintenance -- Restore Configuration Backup Configuration Prestige 650 Series User’s Guide Menu 14 Menu 15 Dial-in User Setup NAT Setup Menu 14.1 Menu 15.1 Menu 15.1.x Edit Dial-in User...
  • Page 270: Navigating The Smt Interface

    22.2 Navigating the SMT Interface. The SMT (System Management Terminal) is the interface that you use to configure your Prestige. Several operations that you should be familiar with before you attempt to modify the configuration are listed in the table below.
  • Page 271: Figure 22-3 Smt Main Menu For P650H/Hw-31

    Filter and Firewall Setup SNMP Configuration System Security System Maintenance Introducing the SMT Copyright (c) 1994 - 2003 ZyXEL Communications Corp. Prestige 650H/HW-31 Main Menu Advanced Management Enter Menu Selection Number: Use this menu to set up your general information.
  • Page 272: Changing The System Password

    Table 22-2 Main Menu Summary for P650H/HW-31 (menu titles): IP Routing Policy Setup; Schedule Setup; VPN/IPSec Setup; Exit. 22.3 Changing the System Password. Change the Prestige default password by following the steps shown next. Step 1.
  • Page 273: Chapter 23 General Setup

    Name) on each individual computer, the domain name can be assigned from the Prestige via DHCP. 23.2 Configuring Menu 1. Enter 1 in the Main Menu to open Menu 1 — General Setup (shown next).
  • Page 274: Figure 23-1 Menu 1 General Setup

    Prestige 650 Series User’s Guide System Name= ? Location= Contact Person's Name= Domain Name= Edit Dynamic DNS= No Route IP= Yes Bridge= No Fill in the required fields. Refer to the table shown next for more information about these fields.
  • Page 275: Figure 23-2 Menu 1.1 Configure Dynamic Dns

    When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel. General Setup Menu 1.1 - Configure Dynamic DNS Press ENTER to confirm or ESC to cancel: DESCRIPTION Prestige 650 Series User’s Guide EXAMPLE WWW.DynDNS.ORG (default) me.dyndns.org mail@mailserver...
  • Page 277: Chapter 24 Lan Setup

    Figure 24-1 Menu 3 LAN Setup Menu 3.1 - LAN Port Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel: Prestige 650 Series User’s Guide Chapter 24 LAN Setup 24-1...
  • Page 278: Protocol Dependent Ethernet Setup

    24.2 Protocol Dependent Ethernet Setup. Depending on the protocols for your applications, you need to configure the respective Ethernet Setup, as outlined below. For TCP/IP Ethernet setup refer to the Internet Access Application chapter. For bridging Ethernet setup refer to the Bridging Setup chapter.
  • Page 279: Table 24-1 Dhcp Ethernet Setup Menu Fields

    RIP-2B or RIP-2M. LAN Setup DESCRIPTION DESCRIPTION SPACE BAR ] to select the RIP direction. Choices are SPACE BAR] to select the RIP version. Choices are RIP-1, Prestige 650 Series User’s Guide EXAMPLE Server (default) 192.168.1.33 EXAMPLE 192.168.1.1 255.255.255. Both...
  • Page 280 Prestige 650 Series User’s Guide Table 24-2 TCP/IP Ethernet Setup Menu Fields FIELD Multicast IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group. The Prestige supports both IGMP version 1 (IGMP-v1) and version 2 (IGMP-v2).
  • Page 281: Chapter 25 Wireless Lan Setup

    Menu 3 – LAN Setup. When menu 3 appears, press 5 and then press [ENTER] to display Menu 3.5 – Wireless LAN Setup as shown next. Wireless LAN Setup Prestige 650 Series User’s Guide Wireless LAN Setup applicable to the Prestige 650H and Prestige 650HW.
  • Page 282: Figure 25-1 Menu 3.5 - Wireless Lan Setup

    Figure 25-1 Menu 3.5 - Wireless LAN Setup. The following table describes the fields in this menu. Table 25-1 Wireless LAN Setup Field Description. ESSID: The ESSID (Extended Service Set IDentifier) identifies the service set the wireless station is to connect to.
  • Page 283: Wireless Lan Mac Address Filter

    The next layer of security is MAC address filter. To allow a wireless station to associate with the Prestige, enter the MAC address of the wireless LAN card on that wireless station in the MAC address table.
  • Page 284: Figure 25-2 Menu 3.5.1 Wlan Mac Address Filtering

    Prestige 650 Series User’s Guide ------------------------------------------------------------------------------ 00:00:00:00:00:00 00:00:00:00:00:00 00:00:00:00:00:00 00:00:00:00:00:00 00:00:00:00:00:00 00:00:00:00:00:00 00:00:00:00:00:00 00:00:00:00:00:00 00:00:00:00:00:00 00:00:00:00:00:00 00:00:00:00:00:00 00:00:00:00:00:00 ------------------------------------------------------------------------------ Press Space Bar to Toggle. Figure 25-2 Menu 3.5.1 WLAN MAC Address Filtering The following table describes the fields in this menu.
  • Page 285: Chapter 26 Internet Access

    Chapter 26 Internet Access. This chapter shows you how to configure the LAN and WAN of your Prestige for Internet access. 26.1 Internet Access Overview. Refer to the chapters on the web configurator’s wizard, LAN and WAN screens for more background information on fields in the SMT screens covered in this chapter.
  • Page 286: Ip Alias Setup

    Figure 26-1 Physical Network. Figure 26-2 Partitioned Logical Networks. Use menu 3.2.1 to configure IP Alias on your Prestige. 26.4 IP Alias Setup. Use menu 3.2 to configure the first network. Move the cursor to Edit IP Alias field and press [SPACEBAR] to choose Yes and press [ENTER] to configure the second and third network.
  • Page 287: Figure 26-3 Menu 3.2 Tcp/Ip And Dhcp Setup

    IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A Version= N/A Incoming protocol filters= N/A Outgoing protocol filters= N/A Enter here to CONFIRM or ESC to CANCEL: Figure 26-4 Menu 3.2.1 IP Alias Setup...
  • Page 288: Route Ip Setup

    IP Alias: Choose Yes to configure the LAN network for the Prestige. IP Address: Enter the IP address of your Prestige in dotted decimal notation. IP Subnet Mask: Your Prestige will automatically calculate the subnet mask based on the IP address that you assign.
  • Page 289: Internet Access Configuration

    Network Address Translation= SUA Only Address Mapping Set= N/A Press ENTER to Confirm or ESC to Cancel: Table 26-2 Menu 4 Internet Access Setup DESCRIPTION SPACE BAR ] to select the method of encapsulation EXAMPLE MyISP ENET ENCAP...
  • Page 290 Table 26-2 Menu 4 Internet Access Setup. Multiplexing: Press [ by your ISP. Choices are VC-based or LLC-based. VPI #: Enter the Virtual Path Identifier (VPI) assigned to you. VCI #: Enter the Virtual Channel Identifier (VCI) assigned to you.
  • Page 291 Internet Access Table 26-2 Menu 4 Internet Access Setup DESCRIPTION SPACE BAR ] to select None, SUA Only or Full EXAMPLE SUA Only...
  • Page 293: Chapter 27 Remote Node Configuration

    Chapter 27 Remote Node Configuration. This chapter covers remote node configuration... When menu 11 appears, as shown in the following figure, type the number of the remote node that you want to configure.
  • Page 294: Figure 27-1 Menu 11 Remote Node Setup

    27.2.2 Encapsulation and Multiplexing Scenarios. For Internet access you should use the encapsulation and multiplexing methods used by your ISP. Consult your ISP for information on encapsulation and multiplexing methods for LAN-to-LAN applications, for example between a branch office and corporate headquarters. There must be prior agreement on encapsulation and multiplexing methods because they cannot be automatically determined.
  • Page 295: Figure 27-2 Menu 11.1 Remote Node Profile

    Nailed-Up Connection= N/A Session Options: Edit Filter Sets= No Idle Timeout(sec)= N/A Edit Traffic Redirect= No Edit IP/Bridge Options in menu 11.3. Edit ATM Options in menu 11.6 Edit Filter Sets in menu 11.5.
  • Page 296 Table 27-1 Menu 11.1 Remote Node Profile. Rem Login: Type the login name that this remote node will use to call your Prestige. The login name and the Rem Password will be used to authenticate this node.
  • Page 297: Metric

    The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost". RIP routing uses hop count as the measurement of cost, with a...
  • Page 298: Remote Node Network Layer Options

    minimum of "1" for directly connected networks. The number must be between "1" and "15"; a number greater than "15" means the link is down. The smaller the number, the lower the "cost". The metric sets the priority for the Prestige’s routes to the Internet. If any two of the default routes have the same metric, the Prestige uses the following pre-defined priorities: 1.
  • Page 299: Figure 27-3 Menu 11.3 Remote Node Network Layer Options

    Prestige. The SMT uses Address Mapping Set 255 (menu 15.1 - see section 30.3.1). Select None to disable NAT. Bridge Options: Ethernet Addr Timeout (min)= N/A Remote Node Network Layer Options. –...
  • Page 300: My Wan Addr Sample Ip Addresses

    Table 27-2 Menu 11.3 Remote Node Network Layer Options. Address Mapping Set: When Full Feature is selected in the NAT field, configure address mapping sets in menu 15.1. Select one of the NAT server sets (2-10) in menu 15.2 (see the NAT chapter for details) and type that number here.
  • Page 301: Remote Node Filter

    Figure 27-4 Sample IP Addresses for a TCP/IP LAN-to-LAN Connection. 27.5 Remote Node Filter. Move the cursor to the Edit Filter Sets field in menu 11.1, then press [SPACE BAR] to select Yes. Press [ENTER] to display Menu 11.5 – Remote Node Filter.
  • Page 302: Figure 27-5 Menu 11.5 Remote Node Filter (Rfc 1483 Or Enet Encapsulation)

    Enter here to CONFIRM or ESC to CANCEL: Figure 27-5 Menu 11.5 Remote Node Filter (RFC 1483 or ENET Encapsulation) Enter here to CONFIRM or ESC to CANCEL: Figure 27-6 Menu 11.5 Remote Node Filter (PPPoA or PPPoE Encapsulation) 27.5.1 Web Configurator Internet Security Filter Rules...
  • Page 303: Figure 27-7 Internet Security

    Figure 27-7 Internet Security. Once you apply the filter rules in the web configurator, filter sets 11 and 12 are automatically applied in the protocol filters field under Input Filter Sets in SMT menu 11.5.
  • Page 304: Figure 27-8 Menu 21- Filter Set Configuration (P650R And P650R-E)

    Filter Set # ------ ----------------- NetBIOS_WAN NetBIOS_LAN TELNET_WAN PPPoE FTP_WAN _______________ Figure 27-8 Menu 21- Filter Set Configuration (P650R and P650R-E) The following figures display the filter rules in filter sets 11 and 12. # A Type...
  • Page 305: Editing Atm Layer Options

    VC Options for Bridge: VPI #= 1 VCI #= 36 ATM QoS Type= N/A Peak Cell Rate (PCR)= N/A Sustain Cell Rate (SCR)= N/A Maximum Burst Size (MBR)= N/A Separate VPI and VCI numbers must be specified...
  • Page 306: Traffic Redirect

    Menu 11.6 - Remote Node ATM Layer Options VPI/VCI (LLC-Multiplexing or PPP-Encapsulation) VPI #= 8 VCI #= 35 ATM QoS Type= UBR Peak Cell Rate (PCR)= 0 Sustain Cell Rate (SCR)= 0 Maximum Burst Size (MBS)= 0 ENTER here to CONFIRM or ESC to CANCEL: Figure 27-12 Menu 11.6 for LLC-based Multiplexing or PPP Encapsulation...
  • Page 307: Figure 27-14 Traffic Redirect Lan Setup

    The following network topology allows you to avoid triangle route security issues when the backup gateway is connected to the LAN. Use IP alias to configure the LAN into two or three logical networks with the Prestige itself as the gateway for each LAN network.
  • Page 308: Figure 27-15 Menu 11.1 - Remote Node Profile

    Rem Node Name= MyISP Active= Yes Encapsulation= ENET ENCAP Multiplexing= LLC-based Service Name= N/A Incoming: Rem Login= N/A Rem Password= N/A Outgoing: My Login= N/A My Password= N/A Authen= N/A Figure 27-15 Menu 11.1 – Remote Node Profile To configure traffic redirect properties, press [SPACE BAR] to select Yes in the Edit Traffic Redirect field and then press [ENTER].
  • Page 309: Figure 27-16 Menu 11.7 Traffic Redirect Setup

    [ESC] to cancel and go back to the previous screen. Menu 11.7 - Traffic Redirect Setup Backup Gateway IP Address= 0.0.0.0 Metric= 15...
  • Page 311: Chapter 28 Static Route Setup

    Chapter 28 Static Route Setup. This chapter shows how to set up IP static routes. 28.1 IP Static Route Overview. Static routes tell the Prestige routing information that it cannot learn automatically through other means. This can arise in cases where RIP is disabled on the LAN or a remote network is beyond the one that is directly connected to a remote node.
  • Page 312: Configuring An Ip Static Route

    28.2 Configuring an IP static route. Step 1. To configure an IP static route, use Menu 12 – Static Route Setup (shown next). Step 2. From menu 12, select 1 to open Menu 12.1 — IP Static Route Setup (shown next).
  • Page 313: Figure 28-4 Menu12.1.1 Edit Ip Static Route

    Menu 12.1.1 - Edit IP Static Route Route #: 1 Route Name= ? Active= No Destination IP Address= ? IP Subnet Mask= ? Gateway IP Address= ? Metric= 2 Private= No Press ENTER to Confirm or ESC to Cancel:...
  • Page 314 Table 28-1 Menu12.1.1 Edit IP Static Route. Private: This parameter determines if the Prestige will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and is not included in RIP broadcasts.
  • Page 315: Chapter 29 Bridging Setup

    Chapter 29 Bridging Setup. This chapter shows you how to configure the bridging parameters of your Prestige. 29.1 Bridging Overview. Bridging bases the forwarding decision on the MAC (Media Access Control), or hardware address, while routing does it on the network layer (IP) address.
  • Page 316: Figure 29-1 Menu 11.1 Remote Node Profile

    Rem Node Name= ? Active= Yes Encapsulation= ENET ENCAP Multiplexing= VC-based Service Name= N/A Incoming: Rem Login= N/A Rem Password= N/A Outgoing: My Login= N/A My Password= N/A Authen= N/A Figure 29-1 Menu 11.1 Remote Node Profile Step 2.
  • Page 317: Figure 29-3 Menu 12.3 Bridge Static Route Setup

    4. ________ Enter selection number: Menu 12.3.1 - Edit Bridge Static Route Route #: 1 Route Name= Active= No Ether Address= ? IP Address= Gateway Node= 1 Press ENTER to Confirm or ESC to Cancel:...
  • Page 318: Table 29-2 Menu 12.3.1 Edit Bridge Static Route

    The following table describes the Edit Bridge Static Route menu. Table 29-2 Menu 12.3.1 Edit Bridge Static Route. Route #: This is the route index number you typed in Menu 12.3 – Bridge Static Route Setup.
  • Page 319: Chapter 30 Network Address Translation (Nat)

    Chapter 30 Network Address Translation (NAT). This chapter discusses how to configure NAT on the Prestige. 30.1 NAT Overview. 30.1.1 SUA (Single User Account) Versus NAT. SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server.
  • Page 320: Figure 30-1 Menu 4 Applying Nat For Internet Access

    ISP's Name= MyISP Encapsulation= RFC 1483 Multiplexing= LLC-based VPI #= 8 VCI #= 35 ATM QoS Type= UBR Peak Cell Rate (PCR)= 0 Sustain Cell Rate (SCR)= 0 Maximum Burst Size (MBS)= 0 My Login= N/A...
  • Page 321: Nat Setup

    11.3, the SMT will use Set 1. When you select SUA Only, the SMT will use the pre-configured Set 255 (read only). Menu 11.3 - Remote Node Network Layer Options Bridge Options: Ethernet Addr Timeout(min)= N/A Enter here to CONFIRM or ESC to CANCEL: DESCRIPTION EXAMPLE Full Feature None SUA Only...
  • Page 322: Figure 30-3 Menu 15 Nat Setup

    The server set is a list of LAN servers mapped to external ports. To use this set, a server rule must be set up inside the NAT address mapping set. Please see the section on port forwarding in the chapter on NAT web configurator screens for further information on these menus.
  • Page 323: Figure 30-5 Menu 15.1.255 Sua Address Mapping Rules

    Local End IP Global Start IP --------------- --------------- 255.255.255.255 0.0.0.0 0.0.0.0 Press ENTER to Confirm or ESC to Cancel: Menu 15.1.255 is read-only. DESCRIPTION Global End IP Type --------------- ------ Server+ EXAMPLE 0.0.0.0 255.255.255.255 0.0.0.0...
  • Page 324: Figure 30-6 Menu 15.1.1 Acl Default Set

    When you have completed this menu, press [ENTER] at the prompt “Press ENTER to confirm or ESC to cancel” to save your configuration or press [ESC] to cancel and go back to the previous screen.
  • Page 325: Table 30-3 Menu 15.1.1 First Set

    Address Mapping Rule in which you can edit an individual rule and configure the Type, Local and Global Start/End IPs. An End IP address must be numerically greater than its corresponding IP Start address. Table 30-3 Menu 15.1.1 First Set EXAMPLE ACL Default Edit...
  • Page 326: Figure 30-7 Menu 15.1.1.1 Editing/Configuring An Individual Rule In A Set

    Press Space Bar to Toggle. Figure 30-7 Menu 15.1.1.1 Editing/Configuring an Individual Rule in a Set. The following table explains the fields in this menu. Table 30-4 Menu 15.1.1.1 Editing/Configuring an Individual Rule in a Set...
  • Page 327: Configuring A Server Behind Nat

    4. Server Set 4 5. Server Set 5 6. Server Set 6 7. Server Set 7 8. Server Set 8 9. Server Set 9 10. Server Set 10 Enter Set Number to Edit:...
  • Page 328: Figure 30-9 Menu 15.2.1 Nat Server Setup

    Rule --------------------------------------------------- Figure 30-9 Menu 15.2.1 NAT Server Setup Step 4. Enter a port number in an unused Start Port No field. To forward only one port, enter it again in the End Port No field. To specify a range of ports, enter the last port to be forwarded in the End Port No field.
  • Page 329: General Nat Examples

    Figure 30-10 Multiple Servers Behind NAT Example. 30.5 General NAT Examples. The following are some examples of NAT configuration. 30.5.1 Example 1: Internet Access Only. In the following Internet access example, you only need one rule where your ILAs (Inside Local addresses) all map to one dynamic IGA (Inside Global Address) assigned by your ISP.
  • Page 330: Figure 30-11 Nat Example 1

    ISP's Name= MyISP Encapsulation= RFC 1483 Multiplexing= LLC-based VPI #= 8 VCI #= 35 ATM QoS Type= UBR My Login= N/A My Password= N/A ENET ENCAP Gateway= N/A IP Address Assignment= Static Network Address Translation= SUA Only Press ENTER to Confirm or ESC to Cancel: Figure 30-12 Menu 4 Internet Access &...
  • Page 331: Figure 30-13 Nat Example 2

    Figure 30-14 Menu 15.2.1 Specifying an Inside Server Figure 30-13 NAT Example 2 Start Port No. End Port No. Default Default Press ENTER to Confirm or ESC to Cancel: IP Address 192.168.1.10 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0...
  • Page 332: Figure 30-15 Nat Example 3

    30.5.3 Example 3: Multiple Public IP Addresses With Inside Servers. In this example, there are 3 IGAs from our ISP. There are many departments but two have their own FTP server. All departments share the same router. The example will reserve one IGA for each department with an FTP server and all departments use the other IGA.
  • Page 333: Figure 30-16 Example 3: Menu 11.3

    Press ENTER to Confirm or ESC to Cancel: Figure 30-16 Example 3: Menu 11.3 Menu 15.1.1.1 Address Mapping Rule = N/A = N/A Press ENTER to Confirm or ESC to Cancel: Figure 30-17 Example 3: Menu 15.1.1.1...
  • Page 334: Figure 30-18 Example 3: Final Menu 15.1.1

    Set Name= Example3 Local Start IP --------------- 1. 192.168.1.10 192.168.1.11 3. 0.0.0.0 Figure 30-18 Example 3: Final Menu 15.1.1 Now configure the IGA3 to map to our web server and mail server on the LAN.
  • Page 335: Figure 30-19 Nat Example 4

    30.5.4 Example 4: NAT Unfriendly Application Programs. Some applications do not support NAT Mapping using TCP or UDP port address translation. In this case it is better to use Many-to-Many No Overload mapping as port numbers do not change for Many-to-Many No Overload (and One-to-One) NAT mapping types.
  • Page 336: Figure 30-20 Example 4: Menu 15.1.1.1 Address Mapping Rule

    Type= Many-to-Many No Overload Local IP: Start= 192.168.1.10 = 192.168.1.12 Global IP: Start= 10.132.50.1 = 10.132.50.3 Server Mapping Set= N/A Figure 30-20 Example 4: Menu 15.1.1.1 Address Mapping Rule After you’ve configured your rule, you should be able to check the settings in menu 15.1.1 as shown next.
  • Page 337: Smt Advanced Management

    Part X: SMT Advanced Management. This part discusses filtering setup, SNMP, system security, system information and diagnosis, firmware and configuration file maintenance, system maintenance, remote management, IP policy routing and call scheduling. See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.
  • Page 339: Chapter 31 Filter Configuration

    Chapter 31 Filter Configuration. This chapter shows you how to create and apply filters. 31.1 About Filtering. Your Prestige uses filters to decide whether or not to allow passage of a data packet and/or to make a call.
  • Page 340: Figure 31-1 Outgoing Packet Filtering Process

    Outgoing Data Packet Match Drop packet Figure 31-1 Outgoing Packet Filtering Process Two sets of factory filter rules have been configured in menu 21 to prevent NetBIOS traffic from triggering calls. A summary of their filter rules is shown in the figures that follow.
  • Page 341: Figure 31-2 Filter Rule Process

    Filter Configuration Filter Set Fetch Next Filter Rule Next filter Rule Available? Check Next Rule Figure 31-2 Filter Rule Process Start Packet into Filter Fetch First Filter Set Fetch First Filter Rule Active? Execute Filter Rule...
  • Page 342: Configuring A Filter Set For The Prestige 650H And The Prestige 650Hw

    For incoming packets, your Prestige applies data filters only. Packets are processed depending on whether a match is found. The following sections describe how to configure filter sets. The Filter Structure of the Prestige. A filter set consists of one or more filter rules. Usually, you would group related rules, for example, all the rules for NetBIOS, into a single set and give it a descriptive name.
  • Page 343: Figure 31-4 Netbios_Wan Filter Rules Summary

    Enter Filter Rule Number (1-6) to Configure: Menu 21.1.4 - Filter Rules Summary Filter Rules Enter Filter Rule Number (1-6) to Configure: Figure 31-6 IGMP Filter Rules Summary M m n N D N N D N N D N...
  • Page 344: Configuring A Filter Set For The Prestige 650R And The Prestige 650R-E

    31.3 Configuring a Filter Set for the Prestige 650R and the Prestige 650R-E. To configure a filter set, follow the steps shown next. Step 1. Enter 21 in the main menu to display Menu 21 – Filter Set Configuration.
  • Page 345: Figure 31-8 Telnet_Wan Filter Rules Summary

    Enter Filter Rule Number (1-6) to Configure: Figure 31-9 PPPoE Filter Rules Summary Menu 21.5 - Filter Rules Summary Filter Rules Enter Filter Rule Number (1-6) to Configure: M m n N D F M m n N F N...
  • Page 346: Table 31-1 Abbreviations Used In The Filter Rules Summary Menu

    31.3.1 Filter Rules Summary Menus. The following tables briefly describe the abbreviations used in menu 21.1.x. Table 31-1 Abbreviations Used in the Filter Rules Summary Menu. The filter rule number: 1 to 6. Active: “Y” means the rule is active. “N” means the rule is inactive.
  • Page 347: Configuring A Filter Rule

    To configure TCP/IP rules, select TCP/IP Filter Rule from the Filter Type field and press [ENTER] to open Menu 21.x.1 – TCP/IP Filter Rule, as shown next. Table 31-2 Rule Abbreviations Used DESCRIPTION Offset Length...
  • Page 348: Figure 31-11 Menu 21.1.X.1 Tcp/Ip Filter Rule

    Press Space Bar to Toggle. Figure 31-11 Menu 21.1.x.1 TCP/IP Filter Rule. The following table describes how to configure your TCP/IP filter rule. Table 31-3 Menu 21.1.x.1 TCP/IP Filter Rule. Filter #: This is the filter set, filter rule coordinates, for instance, 2, 3 refers to the second filter set and the third filter rule of that set.
  • Page 349 If More is Yes, then Action Matched and Action Not Matched will be N/A. DESCRIPTION EXAMPLE IP address IP mask...
  • Page 350 Table 31-3 Menu 21.1.x.1 TCP/IP Filter Rule. Select the logging option from the following: None – No packets will be logged. Action Matched – Only packets that match the rule parameters will be logged.
  • Page 351: Figure 31-12 Executing An Ip Filter

    Drop Packet Filter Configuration Not Matched Not Matched Not Matched Not Matched Check Next Rule Check Next Rule Forward Check Next Rule Figure 31-12 Executing an IP Filter Action Not Matched Drop Forward Accept Packet...
  • Page 352: Figure 31-13 Menu 21.1.6.1 Generic Filter Rule

    31.4.2 Generic Filter Rule. This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly.
  • Page 353: Table 31-4 Menu 21.1.6.1 Generic Filter Rule

    When you have completed this menu, press [ENTER] at the prompt “Press ENTER to confirm or ESC to cancel” to save your configuration or press [ESC] to cancel and go back to the previous screen...
  • Page 354: Filter Types And Nat

    31.5 Filter Types and NAT. There are two classes of filter rules, Generic Filter Device rules and Protocol Filter (TCP/IP) rules. Generic Filter rules act on the raw data from/to LAN and WAN. Protocol Filter rules act on IP packets.
  • Page 355: Figure 31-15 Sample Telnet Filter

    Enter the index number of the filter set you want to configure (in this case 6) Step 3. Type a descriptive name or comment in the Edit Comments field (for example, TELNET_WAN) and press [ENTER]. Figure 31-15 Sample Telnet Filter...
  • Page 356: Figure 31-16 Menu 21.1.6.1 Sample Filter

    Step 4. Press [ENTER] at the message 21.6 — Filter Rules Summary. Step 5. Type 1 to configure the first filter rule. Make the entries in this menu as shown next. When you press [ENTER] to confirm, the following screen appears. Note that there is only one filter rule in this set.
  • Page 357: Applying Filters And Factory Defaults

    (n = F) if the action is not matched no matter whether there are more rules to be checked (there aren’t in this example). M m n N D F...
  • Page 358: Figure 31-18 Filtering Ethernet Traffic

    FILTER SETS Input Filter Sets: Output Filter Sets: Call Filter Sets: 31.7.1 Ethernet Traffic. You seldom need to filter Ethernet traffic; however, the filter sets may be useful to block certain packets, reduce traffic and prevent security breaches. Go to menu 3.1 (shown next) and type the number(s) of the filter set(s) that you want to apply as appropriate.
  • Page 359: Figure 31-19 Filtering Remote Node Traffic

    Output Filter Sets: protocol filters= 1 device filters= Call Filter Sets: Protocol filters= Device filters= Apply filter 3 to block Tel traffic from the WAN. Apply filter 1 to block NETBIOS traffic to the WAN.
  • Page 361: Chapter 32 Enabling The Firewall

    Yes in the Active field to activate the firewall. The firewall must be active to protect against Denial of Service (DoS) attacks. Additional rules may be configured using the web configurator. Chapter 32 Enabling the Firewall Prestige 650H/HW.
  • Page 362: Viewing Firewall Log

    The firewall protects against Denial of Service (DOS) attacks when it is active. The default Policy sets 1. allow all sessions originating from the LAN to the WAN and 2. deny all sessions originating from the WAN to the LAN...
  • Page 363: Table 32-1 Firewall Logs

    After viewing the firewall log, enter “y” to clear the log or “n” to retain it. With either option you will be returned to Menu 21 - Filter and Firewall Setup. EXAMPLE dd:mm:yy e.g., Jan 01 0 hh:mm:ss e.g., 00:04:28 not match <1,01>...
  • Page 365: Chapter 33 Snmp Configuration

    Chapter 33 SNMP Configuration. This chapter explains SNMP Configuration menu 22. 33.1 SNMP Overview. Simple Network Management Protocol is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your Prestige supports SNMP agent functionality, which allows a manager station to manage and monitor the Prestige through the network.
  • Page 366: Supported Mibs

    An agent is a management software module that resides in a managed device (the Prestige). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions.
  • Page 367: Figure 33-2 Menu 22 Snmp Configuration

    Get Community= public Set Community= public Trusted Host= 0.0.0.0 Trap: Community= public Destination= 0.0.0.0 Press ENTER to Confirm or ESC to Cancel: Table 33-1 Menu 22 SNMP Configuration DESCRIPTION EXAMPLE public public 0.0.0.0 public 0.0.0.0...
  • Page 368: Snmp Traps

    33.4 SNMP Traps. The Prestige will send traps to the SNMP manager when any one of the following events occurs: TRAP # TRAP NAME coldStart (defined in RFC-1215) warmStart (defined in RFC-1215) linkDown (defined in RFC-1215)
  • Page 369: Chapter 34 System Security

    2. RADIUS Server 4. IEEE802.1x Figure 34-1 Menu 23 System Security Menu 23 - System Security 1. Change Password 2. RADIUS Server 4. IEEE802.1x Figure 34-2 Menu 23 System Security Chapter 34 System Security...
  • Page 370: Figure 34-3 Menu 23.2 System Security : Radius Server

    Figure 34-3 Menu 23.2 System Security : RADIUS Server. The following table describes the fields in this menu. Table 34-1 Menu 23.2 System Security : RADIUS Server. FIELD Authentication Server Active Press [SPACE BAR] to select Yes and press [ENTER] to enable user authentication through an external authentication server.
  • Page 371: Figure 34-4 Menu 23 System Security

    Enter 4 to display Menu 23.4 – System Security – IEEE802.1x. Menu 23 - System Security 1. Change Password 2. RADIUS Server 4. IEEE802.1x Figure 34-4 Menu 23 System Security EXAMPLE 1813...
  • Page 372: Figure 34-5 Menu 23.4 System Security : Ieee802.1X

    Wireless Port Control= Authentication Required ReAuthentication Timer (in second)= 1800 Idle Timeout (in second)= 3600 Authentication Databases= Local User Database Only Figure 34-5 Menu 23.4 System Security : IEEE802.1x The following table describes the fields in this menu.
  • Page 373: Creating User Accounts On The Prestige

    RADIUS server. Follow the steps below to set up user profiles on your Prestige. Step 1. From the main menu, enter 14 to display Menu 14 - Dial-in User Setup...
  • Page 374: Figure 34-6 Menu 14 Dial-In User Setup

    1. ________ 2. ________ 3. ________ 4. ________ 5. ________ 6. ________ 7. ________ 8. ________ Step 3. Type a number and press [ENTER] to edit the user profile. The following table describes the fields in this menu.
  • Page 375: Chapter 35 System Information And Diagnosis

    System Information and Console Port Speed Log and Trace Diagnostic Backup Configuration Restore Configuration Upload Firmware Command Interpreter Mode Call Control 10. Time and Date Setting 11. Remote Management Enter Menu Selection Number: Chapter 35...
  • Page 376: Figure 35-2 Menu 24.1 System Maintenance : Status

    Node-Lnk Status 1-ENET My WAN IP (from ISP) : Ethernet: Status: 10M/Half Duplex Collisions: 0 CPU Load= 3.8% Figure 35-2 Menu 24.1 System Maintenance : Status The following table describes the fields present in Menu 24.1 — System Maintenance — Status which are read-only and meant for diagnostic purposes.
  • Page 377: System Information

    Enter 1 in menu 24.2 to display the screen shown next. Menu 24.2 - System Information and Console Port Speed 1. System Information 2. Console Port Speed Please enter selection:...
  • Page 378: Figure 35-4 Menu 24.2.1 System Maintenance : Information

    This refers to the routing protocol used. ZyNOS F/W Version This refers to the ZyNOS (ZyXEL Network Operating System) system firmware version. ZyNOS is a registered trademark of ZyXEL Communications Corporation. ADSL Chipset Vendor This displays the vendor of the ADSL chipset and DSL version.
  • Page 379: Log And Trace

    Enter 1 from Menu 24.3 — System Maintenance — Log and Trace to display the error log in the system. Console Port Speed: 9600 Press ENTER to Confirm or ESC to Cancel: Prestige. 1. View Error Log 2. UNIX Syslog Please enter selection:...
  • Page 380: Figure 35-7 Sample Error And Information Messages

    After the Prestige finishes displaying the error log, you will have the option to clear it. Samples of typical error and information messages are presented in the next figure. 1 Sat Jan 01 00:00:02 2000 PP09 -WARN...
  • Page 381: Table 35-3 Menu 24.3.2 System Maintenance : Syslog And Accounting

    Jul 19 11:19:32 192.168.102.2 ZYXEL: board 0 line 0 channel 0, call 1, C02 OutCall Connected 64000 40002 Jul 19 11:20:06 192.168.102.2 ZYXEL: board 0 line 0 channel 0, call 1, C02 Call Terminated DESCRIPTION 1 - CDR 2 - Packet Triggered...
  • Page 382: Diagnostic

    SdcmdSyslogSend (SYSLOG_PKTTRI, SYSLOG_NOTICE, String); String = Packet trigger: Protocol=xx Data=xxxxxxxxxx…..x Protocol: (1:IP 2:IPX 3:IPXHC 4:BPDU 5:ATALK 6:IPNG) Data: We will send forty-eight Hex characters to the server Jul 19 11:28:39 192.168.102.2 ZYXEL: Packet Trigger: Protocol=1, Data=4500003c100100001f010004c0a86614ca849a7b08004a5c020001006162636465666768696a6b6c6d6e6f70717273 Jul 19 11:28:56 192.168.102.2 ZYXEL: Packet Trigger: Protocol=1,...
  • Page 383: Figure 35-9 Menu 24.4 System Maintenance : Diagnostic

    If you typed 12 to Ping Host, now type the address of the computer you want to ping. Menu 24.4 - System Maintenance – Diagnostic System 21. Reboot System 22. Command Mode Enter Menu Selection Number: Host IP Address= N/A...
  • Page 385: Chapter 36 Firmware And Configuration File Maintenance

    Chapter 36 Firmware and Configuration File Maintenance. This chapter tells you how to back up and restore your configuration file as well as upload new firmware and configuration files. 36.1 Filename Conventions. The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password, DHCP Setup, TCP/IP Setup, etc.
  • Page 386: Backup Configuration

    FILE TYPE INTERNAL NAME Configuration Rom-0 File Firmware 36.2 Backup Configuration The Prestige displays different messages explaining different ways to back up, restore and upload files in menus 24.5, 24.6, 24.7.1 and 24.7.2, depending on whether you use the console port or Telnet.
  • Page 387: Figure 36-1 Telnet In Menu 24.5

    36.2.3 Example of FTP Commands from the Command Line Menu 24.5 - Backup Configuration For details on backup using TFTP (note that you must remain Press ENTER to Exit: Figure 36-1 Telnet in Menu 24.5...
  • Page 388: Figure 36-2 Ftp Session Example

    331 Enter PASS command Password: 230 Logged in ftp> bin 200 Type I OK ftp> get rom-0 zyxel.rom 200 Port command okay 150 Opening data connection for STOR ras 226 File received OK ftp: 16384 bytes sent in 1.10Seconds 297.89Kbytes/sec.
  • Page 389: Backup Configuration Using Tftp

    Prestige IP address, “get” transfers the file source on the Prestige (rom-0, name of the configuration file on the Prestige) to the file destination on the computer and renames it config.rom...
  • Page 390: Figure 36-3 Menu 24.5 System Maintenance - Backup Configuration

    36.2.8 GUI-based TFTP Clients The following table describes some of the fields that you may see in GUI-based TFTP clients. Table 36-3 General Commands for GUI-based TFTP Clients COMMAND Host Enter the IP address of the Prestige. 192.168.1.1 is the Prestige’s default IP address when shipped.
  • Page 391: Restore Configuration

    ** Backup Configuration completed. OK. ### Hit any key to continue.### Type a location for storing the configuration file or click Browse to look for one. Choose the Xmodem protocol.
  • Page 392: Figure 36-7 Telnet Into Menu 24.6

    DO NOT INTERRUPT THE FILE TRANSFER PROCESS AS THIS MAY PERMANENTLY DAMAGE YOUR PRESTIGE. 36.3.1 Restore Using FTP For details about backup using (T)FTP please refer to earlier sections on FTP and TFTP file upload in this chapter.
  • Page 393: Figure 36-8 Restore Using Ftp Session Example

    Starting XMODEM download (CRC mode) ... CCCCCCCCC Figure 36-10 System Maintenance – Starting Xmodem Download Screen Step 3. Run the HyperTerminal program by clicking Transfer, then Send File as shown in the following screen...
  • Page 394: Uploading Firmware And Configuration Files

    Figure 36-11 Restore Configuration Example Step 4. After a successful restoration you will see the following screen. Press any key to restart the Prestige and return to the SMT menu. Figure 36-12 Successful Restoration Confirmation Screen 36.4 Uploading Firmware and Configuration Files...
  • Page 395: Figure 36-13 Telnet Into Menu 24.7.1 Upload System Firmware

    36.4.3 FTP File Upload Command from the DOS Prompt Example Step 1. Launch the FTP client on your computer. Then type "root" and Press ENTER to Exit: Press ENTER to Exit:...
  • Page 396: Figure 36-15 Ftp Session Example Of Firmware File Upload

    Step 2. Enter “open”, followed by a space and the IP address of your Prestige. Step 3. Press [ENTER] when prompted for a username. Step 4. Enter your password as requested (the default is “1234”).
  • Page 397: Tftp Upload Command Example

    Uploading files via the console port under normal conditions is not recommended since FTP or TFTP is faster. Any serial communications program should work fine; however, you must use the Xmodem protocol to perform the download/upload...
  • Page 398: Figure 36-16 Menu 24.7.1 As Seen Using The Console Port

    36.4.8 Uploading Firmware File Via Console Port (only for the Prestige 650H/HW) Step 1. Select 1 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.7.1 – System Maintenance – Upload System Firmware, then follow the instructions as shown in the following screen.
  • Page 399: Figure 36-18 Menu 24.7.2 As Seen Using The Console Port

    Step 3. Enter “atgo” to restart the Prestige. 36.4.11 Example Xmodem Configuration Upload Using HyperTerminal Click Transfer, then Send File to display the following screen. Do You Wish To Proceed:(Y/N)...
  • Page 400: Figure 36-19 Example Xmodem Upload

    After the configuration upload process has completed, restart the Prestige by entering “atgo”. Figure 36-19 Example Xmodem Upload Type the configuration file’s location, or click Browse to search for it.
  • Page 401: Chapter 37 System Maintenance

    Log and Trace Diagnostic Backup Configuration Restore Configuration Upload Firmware Command Interpreter Mode Call Control 10. Time and Date Setting 11. Remote Management Enter Menu Selection Number: Figure 37-1 Command Mode in Menu 24 Chapter 37...
  • Page 402: Call Control Support

    Copyright (c) 1994 - 2003 ZyXEL Communications Corp. ras> ? Valid commands are: ipsec ras> 37.2 Call Control Support Call Control Support is only applicable when Encapsulation is set to PPPoE in menu 4 or menu 11.1.
  • Page 403: Figure 37-4 Menu 24.9.1 Budget Management

    11.1. The period is the time cycle in hours that the allocation budget is reset (see menu 11.1.) The elapsed time is the time used up within this period. Elapsed Time/Total Period No Budget EXAMPLE...
  • Page 404: Time And Date Setting

    37.3 Time and Date Setting The Prestige keeps track of the time and date. There is also a software mechanism to set the time manually or get the current time and date from an external server when you turn on your Prestige. Menu 24.10 allows you to update the time and date settings of your Prestige.
  • Page 405: Table 37-2 Menu 24.10 System Maintenance: Time And Date Setting

    The Prestige resets the time in three instances: i. On leaving menu 24.10 after making changes. ii. When the Prestige starts up, if there is a time server configured in menu 24.10. iii. 24-hour intervals after starting. DESCRIPTION...
  • Page 407: Chapter 38 Remote Management

    Enter 11, from menu 24, to display Menu 24.11 — Remote Management Control (shown next). Chapter 38 Remote Management available on all models.
  • Page 408: Figure 38-1 Menu 24.11 Remote Management Control

    TELNET Server: Server Port = 23 Secured Client IP = 0.0.0.0 FTP Server: Server Port = 21 Secured Client IP = 0.0.0.0 Web Server: Server Port = 80 Secured Client IP = 0.0.0.0 Figure 38-1 Menu 24.11 Remote Management Control The following table describes the fields in this menu.
  • Page 409: Remote Management And Nat

    24.1 or when sys stdio has been changed on the command line...
  • Page 411: Chapter 39 Ip Policy Routing

    (and hence the outgoing interface). • setting the TOS and precedence fields in the IP header. This chapter covers setting and applying policies used for IP routing. Chapter 39 IP Policy Routing...
  • Page 412: Ip Routing Policy Setup

    IPPR follows the existing packet filtering facility of RAS in style and in implementation. The policies are divided into sets, where related policies are grouped together. A user defines the policies before applying them to an interface or a remote node, in the same fashion as the filters. There are 12 policy sets with six policies in each set.
  • Page 413: Figure 39-2 Menu 25.1 Ip Routing Policy Setup

    IP layer 4 protocol number (TCP=6, UDP=17…) Type of service of incoming packet Precedence of incoming packet Gateway IP address Outgoing Type of service Outgoing Precedence Normal Minimum Delay Maximum Throughput Maximum Reliability Minimum Cost |GW=192.168.1.1,T=MT,PR=0...
  • Page 414: Figure 39-3 Menu 25.1.1 Ip Routing Policy

    Type a number from 1 to 6 to display Menu 25.1.1 – IP Routing Policy (see the next figure). This menu allows you to configure a policy rule. Policy Set Name= test Active= Yes Criteria:...
  • Page 415: Applying An Ip Policy

    You can choose up to four IP policy sets (from 12) by typing their numbers separated by commas, for example, 2, 4, 7, 9. Table 39-2 Menu 25.1.1 IP Routing Policy DESCRIPTION...
  • Page 416: Figure 39-4 Menu 3.2 Tcp/Ip And Dhcp Ethernet Setup

    Menu 3.2 - TCP/IP and DHCP Ethernet Setup DHCP Setup: DHCP= None Client IP Pool Starting Address= N/A Size of Client IP Pool= N/A Primary DNS Server= N/A Secondary DNS Server= N/A Remote DHCP Server= N/A TCP/IP Setup: IP Address= 192.168.1.1...
  • Page 417: Ip Policy Routing Example

    39.6 IP Policy Routing Example If a network has both Internet and remote node connections, you can route Web packets to the Internet using one policy and route FTP packets to a remote network using another policy. See the next figure.
  • Page 418: Figure 39-7 Ip Routing Policy Example

    Step 1. Create a routing policy set in menu 25. Step 2. Create a rule for this set in Menu 25.1.1 — IP Routing Policy as shown next. Policy Set Name= set1 Active= Yes Criteria:...
  • Page 419: Figure 39-8 Ip Routing Policy Example

    RIP Direction= Both Version= RIP-1 Multicast= None IP Policies= 1,2 Edit IP Alias= No Press ENTER to Confirm or ESC to Cancel: Packet length= 10 Len Comp= N/A end= N/A end= N/A end= N/A end= 21...
  • Page 421: Chapter 40 Call Scheduling

    ______________ ______________ ______________ ______________ Enter Schedule Set Number to Configure= Edit Name= Press ENTER to Confirm or ESC to Cancel: Figure 40-1 Menu 26 Schedule Setup Chapter 40 Call Scheduling Name ------------------ ______________ ______________ ______________...
  • Page 422: Figure 40-2 Menu 26.1 Schedule Set Setup

    To delete a schedule set, enter the set number and press [SPACE BAR] and then [ENTER] (or delete) in the Edit Name field. To setup a schedule set, select the schedule set you want to setup from menu 26 (1-12) and press [ENTER] to see Menu 26.1 —...
  • Page 423 Main Menu and then enter the target remote node index. Using [SPACE BAR], select PPPoE or PPPoA in the Encapsulation field and then press [ENTER] to make the schedule sets field available as shown next. DESCRIPTION EXAMPLE Once...
  • Page 424: Figure 40-3 Applying Schedule Set(S) To A Remote Node (Pppoe)

    Rem Node Name= ChangeMe Active= Yes Encapsulation= PPPoE Multiplexing=VC-based Service Name= Incoming Rem Login= Rem Password= ******** Outgoing= My Login=? My Password= ******** Authen= CHAP/PAP Figure 40-3 Applying Schedule Set(s) to a Remote Node (PPPoE) You can apply up to four schedule sets, separated by commas, for one remote node.
  • Page 425: Smt Vpn/Ipsec And Internal Sptgen

    Part XI: SMT VPN/IPSec and Internal SPTGEN This part provides information about configuring VPN/IPSec for secure communications and Internal SPTGEN for configuration of multiple Prestiges. See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.
  • Page 427: Chapter 41 Vpn/Ipsec Setup

    This is an overview of the VPN menu tree. From the main menu, enter 27 to display the first VPN menu (shown next). VPN/IPSec Setup This chapter introduces the VPN SMT menus. Figure 41-1 VPN SMT Menu Tree Chapter 41...
  • Page 428: Ipsec Summary Screen

    41.2 IPSec Summary Screen Type 1 in menu 27 and then press [ENTER] to display Menu 27.1 IPSec Summary. This is a summary read-only menu of your IPSec rules (tunnels). Edit or create an IPSec rule by selecting an index number and then configuring the associated submenus.
  • Page 429 (delay). You need to finish configuring the VPN policy in menu 27.1.1.1 or 27.1.1.2 if ??? is displayed. Table 41-1 Menu 27.1 IPSec Summary DESCRIPTION EXAMPLE Taiwan 192.168.1.35 192.168.1.38 Tunnel ESP DES MD5...
  • Page 430 FIELD Key Mgt This field displays the SA’s type of key management, (IKE or Manual). Remote Addr Start When the Addr Type field in Menu 27.1.1 IPSec Setup is configured to Single, this is a static IP address on the network behind the remote IPSec router.
  • Page 431: Ipsec Setup

    [ENTER] to edit the VPN using the menu shown next. You must also configure menu 27.1.1.1 or menu 27.1.1.2 to fully configure and use a VPN. Table 41-1 Menu 27.1 IPSec Summary DESCRIPTION EXAMPLE None...
  • Page 432: Figure 41-4 Menu 27.1.1 Ipsec Setup

    Index= 1 Active= Yes Local ID type= IP My IP Addr= 0.0.0.0 Peer ID type= IP Secure Gateway Address= zw50test.zyxel.com.tw Protocol= 0 Local: IP Addr Start= 1.1.1.1 Remote: IP Addr Start= 4.4.4.4 Enable Replay Detection = No Key Management= IKE Edit Key Management Setup= No The following table describes the fields in this menu.
  • Page 433 The domain name also does not have to match the remote router’s IP address or what you configure in the Secure Gateway Address field below. Table 41-2 Menu 27.1.1 IPSec Setup DESCRIPTION EXAMPLE 0.0.0.0...
  • Page 434 FIELD Secure Gateway Address Type the IP address or the domain name (up to 31 characters) of the IPSec router with which you’re making the VPN connection. Set this field to 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address (the Key Management field must be set to IKE, see later).
  • Page 435 Table 41-2 Menu 27.1.1 IPSec Setup FIELD DESCRIPTION EXAMPLE End/Subnet Mask When the Addr Type field is configured to Single, this field is N/A. 192.168.1.38 When the Addr Type field is configured to Range, enter the end (static) IP address, in a range of computers on the LAN behind your Prestige.
  • Page 436 FIELD End/Subnet Mask When the Addr Type field is configured to Single, this field is N/A. When the Addr Type field is configured to Range, enter the end (static) IP address, in a range of computers on the network behind the remote IPSec router.
  • Page 437: Ike Setup

    Menu 27.1.1.1 - IKE Setup = ESP = DES = SHA1 = Tunnel Press ENTER to Confirm or ESC to Cancel: Figure 41-5 Menu 27.1.1.1 IKE Setup Table 41-3 Menu 27.1.1.1 IKE Setup DESCRIPTION EXAMPLE Main...
  • Page 438: Table 41-3 Menu 27.1.1.1 Ike Setup

    FIELD Encryption Algorithm When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. Prestige DES encryption algorithm uses a 56-bit key.
  • Page 439: Manual Setup

    To edit this menu, move the cursor to the Edit Manual Setup field in Menu 27.1.1 – IPSec Setup, press [SPACE BAR] to select Yes and then press [ENTER] to go to Menu 27.1.1.2 – Manual Setup. Table 41-3 Menu 27.1.1.1 IKE Setup DESCRIPTION SECURITY PROTOCOL EXAMPLE None...
  • Page 440: Figure 41-6 Menu 27.1.1.2 Manual Setup

    Active Protocol= ESP Tunnel ESP Setup AH Setup The following table describes the fields in this menu. FIELD Active Protocol Press [SPACE BAR] to choose from ESP Tunnel, ESP Transport, AH Tunnel or AH Transport and then press [ENTER]. Choosing an ESP combination causes the AH Setup fields to be non-applicable (N/A) ESP Setup The ESP Setup fields are N/A if you chose an AH Active Protocol.
  • Page 441 When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel. Table 41-5 Menu 27.1.1.2 Manual Setup DESCRIPTION EXAMPLE 123456789a bcde...
  • Page 443: Chapter 42 Sa Monitor

    The following table describes the fields in this menu. Menu 27.2 - SA Monitor Name Encap. --------- Tunnel Select Command= Refresh Select Connection= N/A Figure 42-1 Menu 27.2 SA Monitor Chapter 42 SA Monitor IPSec ALgorithm ---------------- ESP DES MD5...
  • Page 444: Table 42-1 Menu 27.2 Sa Monitor

    FIELD This is the security association index number. Name This field displays the identification name for this VPN policy. This name is unique for each connection where the secure gateway IP address is a public static IP address. When the secure gateway IP address is 0.0.0.0 (as discussed in the last chapter), there may be different connections using this same VPN rule.
  • Page 445: Viewing Ipsec Log

    This menu is useful for troubleshooting. A log index number, the date and time the log was created and a log message is displayed. Double exclamation marks (!!) denote an error or warning message. Log: Send Main Mode request to <192.168.100.101> Send:<SA>...
  • Page 447: Chapter 43 Internal Sptgen

    Chapter 43 Internal SPTGEN 43.1 Internal SPTGEN Overview Internal SPTGEN (System Parameter Table Generator) is a configuration text file useful for efficient configuration of multiple Prestiges. Internal SPTGEN lets you configure, save and upload multiple menus at the same time using just one configuration text file –...
  • Page 448: Figure 43-1 Configuration Text File Format: Column Descriptions

    This is the name of the menu. / Menu 1 General Setup 10000000 = Configured 10000001 = System Name 10000002 = Location 10000003 = Contact Person’s Name 10000004 = Route IP 10000005 = Route IPX 10000006 = Bridge This is the Field Identification Number column.
  • Page 449: Internal Sptgen Ftp Download Example

    4. Edit the "rom-t" file using a text editor (do not use a word processor). You must leave this FTP screen to edit. Figure 43-4 Internal SPTGEN FTP Download Example c:\ftp 192.168.1.1 220 PPP FTP version 1.0 ready at Sat Jan 1 03:22:12 2000 User (192.168.1.1:(none)):...
  • Page 450: Internal Sptgen Ftp Upload Example

    You can rename your “rom-t” file when you save it to your computer but it must be named “rom-t” when you upload it to your Prestige. 43.4 Internal SPTGEN FTP Upload Example 1. Launch your FTP application. 2. Enter "bin". The command “bin” sets the transfer mode to binary.
  • Page 451: Appendices And Index

    Part XII: Appendices and Index This part contains troubleshooting, additional background information and an index of key terms.
  • Page 453: Appendix A Troubleshooting

    Make sure your computer’s Ethernet card is working properly. If these steps fail to correct the problem, contact your local distributor for assistance. Chart A-1 Troubleshooting Power LED CORRECTIVE ACTION Chart A-2 Troubleshooting LAN LED CORRECTIVE ACTION Appendix A Troubleshooting...
  • Page 454: Console Port

    A.1.3 DSL LED The DSL LED on the front panel does not light up. STEPS Check the telephone wire and connections between the Prestige DSL port and the wall jack. Make sure that the telephone company has checked your phone line and set it up for DSL service. Reset your ADSL line to reinitialize your link to the DSLAM.
  • Page 455: Web Configurator

    If you changed the Prestige’s LAN IP address, then enter the new one as the URL. Remove any filters in SMT menu 3.1 (LAN) or menu 11.5 (WAN) that block web service. See also Section A.9. Chart A-5 Troubleshooting Telnet CORRECTIVE ACTION CORRECTIVE ACTION...
  • Page 456: Login Username And Password

    The web configurator does not display properly. Chart A-7 Troubleshooting Internet Browser Display STEPS Make sure you are using Internet Explorer 5.0 and later versions. Delete the temporary web files and log in again. In Internet Explorer, click Tools, Internet Options and then click the Delete Files ... button. When a Delete Files window displays, select Delete all offline content and click OK.
  • Page 457: Wan Interface

    A.8 Internet Access I cannot access the Internet. Chart A-12 Troubleshooting Internet Access STEPS Make sure the Prestige is turned on and connected to the network. CORRECTIVE ACTION CORRECTIVE ACTION CORRECTIVE ACTION CORRECTIVE ACTION...
  • Page 458: Remote Management

    Chart A-12 Troubleshooting Internet Access STEPS If the DSL LED is off, refer to Section A.1.3. Verify your WAN settings. Refer to the WAN Setup chapter (web configurator) or the Internet Access chapter (SMT). Make sure you entered the correct user name and password. For wireless stations, check that both the Prestige and wireless station(s) are using the same ESSID, channel and WEP keys (if WEP encryption is activated).
  • Page 459: Remote Node Connection

    Check menu 4 or WAN screen to verify that the username and password are entered properly. In menu 11.1, verify your login name and password for the remote node. If these steps fail, you may need to verify your login and password with your ISP. CORRECTIVE ACTION...
  • Page 461: Chart B-1 Classes Of Ip Addresses

    Chart B-1 Classes of IP Addresses OCTET 2 Host ID Network number Network number –2 or 254 hosts. –2 or 65534 hosts. Appendix B IP Subnetting OCTET 3 OCTET 4 Host ID Host ID Host ID...
  • Page 462: Appendix B Ip Subnetting

    A class “A” address (24 host bits) can have 2 Since the first octet of a class “A” IP address must contain a “0”, the first octet of a class “A” address can have a value of 0 to 127.
  • Page 463: Chart B-4 Alternative Subnet Mask Notation

    The first three octets of the address make up the network number (class “C”). You want to have two separate networks. SUBNET MASK “1” BITS NETWORK NUMBER 192.168.1. 11000000.10101000.00000001. 255.255.255. 11111111.11111111.11111111. LAST OCTET BIT VALUE 0000 0000 1000 0000 1100 0000 1110 0000 1111 0000 1111 1000 1111 1100...
  • Page 464: Chart B-5 Subnet 1

    Divide the network 192.168.1.0 into two separate subnets by converting one of the host ID bits of the IP address to a network number bit. The “borrowed” host ID bit can be either “0” or “1” thus giving two subnets; 192.168.1.0 with mask 255.255.255.128 and 192.168.1.128 with mask 255.255.255.128. In the following charts, shaded/bolded last octet bit values indicate host ID bits “borrowed”...
  • Page 465: Chart B-7 Subnet 1

    Highest Host ID: 192.168.1.126 Chart B-9 Subnet 3 NETWORK NUMBER 192.168.1. 11000000.10101000.00000001. 11111111.11111111.11111111. Lowest Host ID: 192.168.1.129 Highest Host ID: 192.168.1.190 LAST OCTET BIT VALUE 00000000 11000000 LAST OCTET BIT VALUE 01000000 11000000 LAST OCTET BIT VALUE...
  • Page 466: Chart B-10 Subnet 4

    IP Address IP Address (Binary) Subnet Mask (Binary) Subnet Address: 192.168.1.192 Broadcast Address: 192.168.1.255 Example Eight Subnets Similarly use a 27-bit mask to create 8 subnets (001, 010, 011, 100, 101, 110). The following table shows class C IP address last octet values for each subnet. SUBNET SUBNET ADDRESS The following table is a summary for class “C”...
  • Page 467: Chart B-13 Class B Subnet Planning

    255.255.192.0 (/18) 255.255.224.0 (/19) 255.255.240.0 (/20) 255.255.248.0 (/21) 255.255.252.0 (/22) 255.255.254.0 (/23) 255.255.255.0 (/24) 255.255.255.128 (/25) 255.255.255.192 (/26) 255.255.255.224 (/27) NO. HOSTS PER SUBNET NO. HOSTS PER SUBNET 32766 16382 8190 4094 2046 1022 1024 2048...
  • Page 468 NO. “BORROWED” HOST BITS Chart B-13 Class B Subnet Planning SUBNET MASK NO. SUBNETS 255.255.255.240 (/28) 255.255.255.248 (/29) 255.255.255.252 (/30) 255.255.255.254 (/31) NO. HOSTS PER SUBNET 4096 8192 16384 32768 IP Subnetting...
  • Page 469 ISM (Industrial, Scientific and Medical) band. The third method is infrared technology, using very high frequencies, just below visible light in the electromagnetic spectrum to carry data. Wireless LAN and IEEE 802.11 Appendix C...
  • Page 470 Ad-hoc Wireless LAN Configuration The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless nodes or stations (STA), which is called a Basic Service Set (BSS). In the most basic form, a wireless LAN connects a set of computers with wireless adapters.
  • Page 471 Diagram C-2 ESS Provides Campus-Wide Coverage Wireless LAN and IEEE 802.11...
  • Page 473: Appendix D PPPoE

    3. It allows the ISP to use the existing dial-up model to authenticate and (optionally) to provide differentiated services. Traditional Dial-up Scenario The following diagram depicts a typical hardware configuration where the PCs use traditional dial-up networking. Diagram D-1 Single-PC per Router Hardware Configuration Appendix D PPPoE...
  • Page 474 How PPPoE Works The PPPoE driver makes the Ethernet appear as a serial link to the PC and the PC runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC is acting as a L2TP (Layer 2 Tunneling Protocol) LAC (L2TP Access Concentrator) and tunnels the PPP frames to the ISP.
  • Page 475: Appendix E Virtual Circuit Topology

    Your service provider should supply you with VPI/VCI numbers. Virtual Circuit Topology Logical connections between ATM switches A bundle of virtual channels A series of virtual paths between circuit end points Diagram E-1 Virtual Circuit Topology Appendix E...
  • Page 477: Appendix F Setting Up Your Computer's Ip Address

    Appendix F Setting up Your Computer’s IP Address All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer.
  • Page 478: Installing Components

    The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the adapter: In the Network window, click Add. Select Adapter and then click Add. Select the manufacturer and model of your network adapter and then click OK.
  • Page 479 -If you do not know your DNS information, select Disable DNS. -If you know your DNS information, select Enable DNS and type the information in the fields below (you may not need to fill them all in)...
  • Page 480: Verifying Settings

    Click the Gateway tab. -If you do not know your gateway’s IP address, remove previously installed gateways. -If you have a gateway IP address, type it in the New gateway field and click Add. Click OK to save and close the TCP/IP Properties window. Click OK to close the Network window.
  • Page 481 Windows 2000/NT, click Start, Settings, Control Panel. For Windows XP, click Network Connections. For Windows 2000/NT, click Network and Dial-up Connections. Right-click Local Area Connection and then click Properties.
  • Page 482 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and click Properties. The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP). -If you have a dynamic IP address click Obtain an IP address automatically. -If you have a static IP address click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields.
  • Page 483 -If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK. Do one or more of the following if you want to configure additional IP addresses: -In the IP Settings tab, in IP addresses, click Add.
  • Page 484 In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP): -Click Obtain DNS server address automatically if you do not know your DNS server IP address(es). -If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields.
  • Page 485 Macintosh OS 8/9 Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel. Select Ethernet built-in from the Connect via list...
  • Page 486 For dynamically assigned settings, select Using DHCP Server from the Configure: list. For statically assigned settings, do the following: -From the Configure box, select Manually. -Type your IP address in the IP Address box. -Type your subnet mask in the Subnet mask box. -Type the IP address of your Prestige in the Router address box.
  • Page 487 -Type the IP address of your Prestige in the Router address box. Click Apply Now and close the window. Turn on your Prestige and restart your computer (if prompted). Check your TCP/IP properties in the Network window. Verifying Settings...
  • Page 489: Appendix G Splitters And Microfilters

    ADSL transmissions do not interfere with your telephone voice transmissions. The use of a telephone microfilter is optional. Step 1. Connect a phone cable from the wall jack to the single jack end of the Y-Connector. Splitters and Microfilters Appendix G...
  • Page 490 Step 2. Connect a cable from the double jack end of the Y-Connector to the “wall side” of the microfilter. Step 3. Connect another cable from the double jack end of the Y-Connector to the Prestige. Step 4. Connect the “phone side” of the microfilter to your telephone as shown in the following figure. Prestige With ISDN This section relates to people who use their Prestige with ADSL over ISDN (digital telephone service) only.
  • Page 491: Appendix H Log Descriptions

    Someone has failed to log on to the router via telnet. Someone has logged on to the router via ftp. Someone has failed to log on to the router via ftp. Appendix H Log Descriptions...
  • Page 492: Chart H-2 Upnp Logs

    LOG MESSAGE: UPnP pass through Firewall. The attack logs may include the protocol (Protocol) of the packet (for example TCP or UDP) that triggered the log. LOG MESSAGE: attack (Protocol); land (Protocol); icmp echo ICMP (type:%d, code:%d); syn flood TCP; ports scan TCP; teardrop (Protocol); illegal command TCP...
  • Page 493: Chart H-4 Access Logs

    The Prestige sent or received an ICMP source quench packet to tell a host to slow down data transmission. The Prestige sent or received an ICMP Time Exceed packet because a packet with zero Time To Live (TTL) was dropped.
  • Page 494: Chart H-5 Tcp Reset Logs

    LOG MESSAGE ICMP Destination Unreachable Packet without a NAT table entry blocked (Protocol) Out of order TCP handshake packet blocked (Protocol) Unsupported/out-of-order ICMP (Protocol) Router reply ICMP packet Remote access denied LOG MESSAGE Firewall sent TCP reset packets TYPE CODE Echo Reply Echo reply message...
  • Page 495 Redirect datagrams for the Type of Service and Host Echo Echo message Time Exceeded Time to live exceeded in transit Fragment reassembly time exceeded Parameter Problem Pointer indicates the error Timestamp Timestamp request message Timestamp Reply Chart H-6 ICMP Notes DESCRIPTION...
  • Page 496 TYPE CODE Timestamp reply message Information Request Information request message Information Reply Information reply message Chart H-6 ICMP Notes DESCRIPTION Log Descriptions...
  • Page 497: Appendix I Power Adaptor Specifications

    UL, CUL (UL 1310, CSA C22.2 No.223) NORTH AMERICA PLUG STANDARDS AA-121A AC120Volts/60Hz/18W max. AC12Volts/1.0A UL, CUL (UL 1310, CSA C22.2 No.223) CHINESE PLUG STANDARDS DV-121AACCP-5720 AC220Volts/50Hz/18W AC12Volts/1.0A CCEE (GB8898) CHINESE PLUG STANDARDS BH-48 (AA-121AP) AC220Volts/50Hz AC12Volts/1.0A...
  • Page 498: Prestige 650R-11 Adsl Router

    Power consumption Safety standards AC Power Adapter model Input power Output power Power consumption Safety standards AC Power Adapter model Input power Output power Power consumption Safety standards AC Power Adapter model Input power Output power...
  • Page 499: Prestige 650R-13/-17 Adsl Ethernet Router

    NORTH AMERICA PLUG STANDARDS DV-121AACS AC120Volts/60Hz/23W max. AC12Volts/1.0A 12 W UL, CUL (UL 1310, CSA C22.2 No.223) NORTH AMERICA PLUG STANDARDS AA-121A AC120Volts/60Hz/18W max. AC12Volts/1.0A 12 W UL, CUL (UL 1310, CSA C22.2 No.223) CHINESE PLUG STANDARDS DV-121AACCP-5720...
  • Page 500: Prestige 650R-31/-33 Adsl Over Isdn Router

    Input power Output power Power consumption Safety standards AC Power Adapter model Input power Output power Power consumption Safety standards Prestige 650R-31/-33 ADSL over ISDN Router AC Power Adapter model Input power Output power Power consumption...
  • Page 501: Prestige 650H-11/-13 Adsl Router With 4-Port Ethernet Switch

    ITS-GS, CE (EN 60950) EUROPEAN PLUG STANDARDS DV-121AACCP-5716 AC230Volts/50Hz/100mA AC12Volts/1.0A TUV-GS, CE (EN 60950) UNITED KINGDOM PLUG STANDARDS AA-121AD AC230Volts/50Hz/140mA AC12Volts/1.0A ITS-GS, CE (EN 60950) NORTH AMERICA PLUG STANDARDS DV-1215A AC120Volts/60Hz/30W AC 12Volts/ 1.25A 12 W...
  • Page 502: Prestige 650Hw-11/-13 Adsl Router With 4-Port Ethernet Switch/Wireless Lan

    Safety standards AC Power Adapter model Input power Output power Power consumption Safety standards AC Power Adapter model Input power Output power Power consumption Safety standards Prestige 650HW-11/-13 ADSL Router with 4-Port Ethernet Switch/Wireless LAN...
  • Page 503: Prestige 650Hw-31/-33/-37; Prestige 650H-31/-33/-37 Adsl Router With 4-Port Switch/Wireless

    UL, CUL, CSA (UL 1310, CSA C22.2 No.223) NORTH AMERICA PLUG STANDARDS AA-121A25 AC120Volts/60Hz/19W AC 12Volts/ 1.25A 15 W UL, CUL (UL 1310, CSA C22.2 No.223) EUROPEAN PLUG STANDARDS AA-121A3BN AC230Volts/50Hz/140mA AC12Volts/1.3A 15 W ITS-GS, CE (EN 60950) UNITED KINGDOM PLUG STANDARDS...
  • Page 504: Prestige 650H-E1/3/7 Adsl Router With 4-Port Switch

    AC Power Adapter model Input power Output power Power consumption Safety standards Prestige 650H-E1/3/7 ADSL Router with 4-port Switch AC Power Adapter model Input power Output power Power consumption Safety standards AC Power Adapter model...
  • Page 505 AA-121ABN AC230Volts/50Hz/140mA AC12Volts/1.0A 10 W ITS-GS, CE (EN 60950) UNITED KINGDOM PLUG STANDARDS AA-121AD AC230Volts/50Hz/140mA AC12Volts/1.0A 10 W ITS-GS, CE (EN 60950, BS 7002) AUSTRALIA PLUG STANDARDS AA-121AE AC240Volts/50Hz/140mA AC12Volts/1.0A 10 W (AS/NZS 60950: 2000)...
  • Page 507: Appendix J Index

    Static Route Setup... 29-3 Brute-force Attack... 10-6 BSS...See Basic Service Set Budget Management... 37-2, 37-3 BW Budget... 20-14 Call Filtering ...31-1 Call Filters Built-In ... 31-1 User-Defined ... 31-1 Call Scheduling ...40-1 Maximum Number of Schedule Sets...
  • Page 508 Data encryption... 5-4 Data Filtering... 31-1 Default Policy Log... 12-8 Denial of Service ... 10-2, 10-3, 11-4, 11-5, 32-1 Destination Address... 12-3, 12-13 Device Filter rules... 31-16 DHCP ... 1-5, 3-12, 4-2, 8-1, 21-6, 35-4 Diagnostic Tools... 35-1 Digital Subscriber Line Access Multiplexer ... 1-7 Direct Sequence Spread Spectrum...
  • Page 509 Host ... 2-3 Host IDs ...B-1 HTTP... 7-6, 10-1, 10-3, 10-4, 41-9, 41-10 HyperTerminal program... 36-6, 36-9 IANA ...3-5 IBSS ... See Independent Basic Service Set ICMP echo ...10-6 IEEE 802.11 ... C-1 IEEE 802.1x ...1-3 IGMP ...4-3...
  • Page 510 IP Protocol ... 39-4 IP Routing Policy (IPPR)... 39-1 Benefits... 39-1 Cost Savings ... 39-1 Criteria... 39-1 Load Sharing ... 39-1 Setup... 39-2 IP Routing Policy Setup... 39-3 IP Spoofing...10-4, 10-7 IP Static Route ... 28-1 IP Static Route Setup ... 28-2 IPSec standard ...
  • Page 511 Remote Management Firewall... 11-1, 32-1 Remote Management and NAT... 17-2 Remote Management Limitations... 17-1, 38-2 Remote Management Setup...38-1 Remote Node... 27-1, 35-2 Profile (Traffic Redirect Field)... 27-16 Remote Node Profile ... 27-3 Remote Node Setup... 27-1, 27-2 Remote Node Index Number...35-2...
  • Page 512 Server , 9-2, 30-4, 30-5, 30-8, 30-9, 30-10, 30-13, 30-14, 37-5 Service ... iv, 12-2 Service Type ... A-5, 13-3 Services...7-5, 7-6 setup a schedule ... 40-2 SMT Menu Overview ... 22-2 SMTP... 7-6 SMTP Error Messages ... 19-5 Smurf ... 10-6 SNMP ...
  • Page 513 VC-based Multiplexing ... 27-2 Virtual Private Network ... 1-4 VPI & VCI ... 3-2 VPN... 6-1 WAN to LAN Rules...12-4 Web Configurator...2-1, 2-2, 10-2, 10-11, 12-2, 32-2 WEP ...5-4 WEP Encryption ...25-3 Wireless LAN ...C-1, 25-1 Benefits...C-1...

This manual is also suitable for:

Prestige 650 series
