ZyXEL Communications P-661H Series User Manual

802.11g wireless adsl2+ 4-port security gateway

P-661H/HW Series
802.11g Wireless ADSL2+ 4-port Security Gateway
User's Guide
Version 3.40
7/2007
Edition 3
DEFAULT LOGIN
IP Address: http://192.168.1.1
Admin Password: 1234
User Password: user
www.zyxel.com

Summary of Contents for ZyXEL Communications P-661H Series

  • Page 3: About This User's Guide

    Help us help you. Send all User Guide-related comments, questions or suggestions for improvement to the following address, or use e-mail instead. Thank you! The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan.
  • Page 4: Document Conventions

    Warnings and Notes: These are how warnings and notes are shown in this User’s Guide. Warnings tell you about things that could harm you or your device. Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.
  • Page 5 Icons Used in Figures: Figures in this User’s Guide may use the following generic icons. The ZyXEL Device icon is not an exact representation of your device. Icons: ZyXEL Device, Server, Telephone, Computer, Notebook computer, DSLAM, Firewall, Switch, Router...
  • Page 6: Safety Warnings

    For your safety, be sure to read and follow all warning notices and instructions. • Do NOT use this product near water, for example, in a wet basement or near a swimming pool. • Do NOT expose your device to dampness, dust or corrosive liquids. •...
  • Page 9: Table Of Contents

    Introduction ... 31 Getting To Know Your ZyXEL Device ... 33 Introducing the Web Configurator ... 39 Wizards ... 53 Network ... 71 WAN Setup ... 73 LAN Setup ... 89 Wireless LAN ... 101 Network Address Translation (NAT) Screens ... 123 Security ...
  • Page 11: Table Of Contents

    About This User's Guide ... 3 Document Conventions... 4 Safety Warnings... 6 Contents Overview ... 9 Table of Contents... 11 List of Figures ... 21 List of Tables... 27 Part I: Introduction... 31 Chapter 1 Getting To Know Your ZyXEL Device... 33 1.1 Introducing the ZyXEL Device ...
  • Page 12 Table of Contents 2.4.3 Status: Any IP Table ... 47 2.4.4 Status: WLAN Status (Wireless devices only) ... 48 2.4.5 Status: VPN Status ... 48 2.4.6 Status: Bandwidth Status ... 49 2.4.7 Status: Packet Statistics ... 50 2.4.8 Changing Login Password ... 51 Chapter 3 Wizards ...
  • Page 13 4.7 Traffic Redirect ... 86 4.8 Configuring WAN Backup Setup ... 87 Chapter 5 LAN Setup... 89 5.1 LAN Overview ... 89 5.1.1 LANs, WANs and the ZyXEL Device ... 89 5.1.2 DHCP Setup ... 90 5.1.3 DNS Server Address ... 90 5.1.4 DNS Server Address Assignment ...
  • Page 14 Table of Contents 6.7 WMM QoS ...117 6.7.1 WMM QoS Example ...117 6.7.2 WMM QoS Priorities ...117 6.7.3 Services ...118 6.8 QoS Screen ...119 6.8.1 ToS (Type of Service) and WMM QoS ... 120 6.8.2 Application Priority Configuration ... 121 Chapter 7 Network Address Translation (NAT) Screens...
  • Page 15 8.5 Stateful Inspection ... 142 8.5.1 Stateful Inspection Process ... 143 8.5.2 Stateful Inspection and the ZyXEL Device ... 144 8.5.3 TCP Security ... 144 8.5.4 UDP/ICMP Security ... 145 8.5.5 Upper Layer Protocols ... 145 8.6 Guidelines for Enhancing Security with Your Firewall ... 146 8.6.1 Security In General ...
  • Page 16 Table of Contents 10.4 Configuring Trusted Computers ... 173 Chapter 11 Introduction to IPSec... 175 11.1 VPN Overview ... 175 11.1.1 IPSec ... 175 11.1.2 Security Association ... 175 11.1.3 Other Terminology ... 175 11.1.4 VPN Applications ... 176 11.2 IPSec Architecture ... 176 11.2.1 IPSec Algorithms ...
  • Page 17 12.17 Configuring Global Setting ... 201 12.18 Telecommuter VPN/IPSec Examples ... 202 12.18.1 Telecommuters Sharing One VPN Rule Example ... 202 12.18.2 Telecommuters Using Unique VPN Rules Example ... 203 12.19 VPN and Remote Management ... 204 Part IV: Advanced ... 205 Chapter 13 Static Route ...
  • Page 18 Table of Contents 16.1 Remote Management Overview ... 225 16.1.1 Remote Management Limitations ... 226 16.1.2 Remote Management and NAT ... 226 16.1.3 System Timeout ... 226 16.2 WWW ... 226 16.3 Telnet ... 227 16.4 Configuring Telnet ... 227 16.5 Configuring FTP ...
  • Page 19 19.3 Configuring Log Settings ... 258 Chapter 20 Tools... 261 20.1 Firmware Upgrade ... 261 20.2 Configuration ... 263 20.3 Restart ... 265 Chapter 21 Diagnostic... 267 21.1 General Diagnostic ... 267 21.2 DSL Line Diagnostic ... 268 Part VI: Troubleshooting and Specifications ... 269 Chapter 22 Troubleshooting...
  • Page 20 Index... 351
  • Page 21: List Of Figures

    Figure 1 Protected Internet Access Applications ... 34 Figure 2 LAN-to-LAN Application Example ... 35 Figure 3 Front Panel ... 36 Figure 4 Connecting a POTS Splitter ... 37 Figure 5 Connecting a Microfilter ... 38 Figure 6 Password Screen ...
  • Page 22 List of Figures Figure 39 Advanced Internet Connection ... 80 Figure 40 More Connections ... 82 Figure 41 More Connections Edit ... 83 Figure 42 More Connections Advanced Setup ... 85 Figure 43 Traffic Redirect Example ... 86 Figure 44 Traffic Redirect LAN Setup ... 87 Figure 45 WAN Backup Setup ...
  • Page 23 List of Figures Figure 82 Stateful Inspection ... 143 Figure 83 Ideal Firewall Setup ... 152 Figure 84 “Triangle Route” Problem ... 153 Figure 85 IP Alias ... 153 Figure 86 Firewall: General ... 154 Figure 87 Firewall Rules ... 156 Figure 88 Firewall: Edit Rule ...
  • Page 24 List of Figures Figure 125 Remote Management: WWW ... 226 Figure 126 Remote Management: Telnet ... 227 Figure 127 Remote Management: FTP ... 228 Figure 128 SNMP Management Model ... 229 Figure 129 Remote Management: SNMP ... 231 Figure 130 Remote Management: DNS ... 232 Figure 131 Remote Management: ICMP ...
  • Page 25 List of Figures Figure 168 Windows XP: Start Menu ... 287 Figure 169 Windows XP: Control Panel ... 287 Figure 170 Windows XP: Control Panel: Network Connections: Properties ... 288 Figure 171 Windows XP: Local Area Connection Properties ... 288 Figure 172 Windows XP: Internet Protocol (TCP/IP) Properties ...
  • Page 26 List of Figures Figure 211 Conflicting Computer IP Addresses Example ... 321 Figure 212 Conflicting Computer and Router IP Addresses Example ... 322 Figure 213 Peer-to-Peer Communication in an Ad-hoc Network ... 323 Figure 214 Basic Service Set ... 324 Figure 215 Infrastructure WLAN ...
  • Page 27: List Of Tables

    Table 1 ADSL Standards ... 33 Table 2 Front Panel LEDs ... 36 Table 3 Web Configurator Screens Summary ... 43 Table 4 Status Screen ... 45 Table 5 Status: Any IP Table ... 47 Table 6 Status: WLAN Status ...
  • Page 28 List of Tables Table 39 Wireless: WPA-PSK/WPA2-PSK ... 108 Table 40 Wireless: WPA/WPA2 ...110 Table 41 Wireless LAN: Advanced ...111 Table 42 OTIST ...113 Table 43 MAC Address Filter ...116 Table 44 WMM QoS Priorities ...117 Table 45 Commonly Used Services ...118 Table 46 Wireless LAN: QoS ...
  • Page 29 List of Tables Table 82 VPN: Global Setting ... 202 Table 83 Telecommuters Sharing One VPN Rule Example ... 203 Table 84 Telecommuters Using Unique VPN Rules Example ... 204 Table 85 Static Route ... 208 Table 86 Static Route Edit ... 209 Table 87 Application and Subnet-based Bandwidth Management Example ...
  • Page 30 List of Tables Table 125 Subnet 2 ... 318 Table 126 Subnet 3 ... 318 Table 127 Subnet 4 ... 318 Table 128 Eight Subnets ... 318 Table 129 24-bit Network Number Subnet Planning ... 319 Table 130 16-bit Network Number Subnet Planning ... 319 Table 131 IEEE 802.11g ...
  • Page 31: Introduction

    Introduction: Getting To Know Your ZyXEL Device (33), Introducing the Web Configurator (39), Wizards (53)
  • Page 33: Getting To Know Your Zyxel Device

    Chapter 1: Getting To Know Your ZyXEL Device
    This chapter describes the key features and applications of your ZyXEL Device.
    1.1 Introducing the ZyXEL Device: The ZyXEL Device is an ADSL2+ gateway that allows super-fast, secure Internet access over analog (POTS) or digital (ISDN) telephone lines (depending on your model).
  • Page 34: Applications For The Zyxel Device

    In the ZyXEL Device product name, “H” denotes an integrated 4-port switch (hub) and “W” denotes an included wireless LAN card that provides wireless connectivity. Models ending in “1”, for example P-661H-D1, denote a device that works over the analog telephone system, POTS (Plain Old Telephone Service).
  • Page 35: Ways To Manage The Zyxel Device

    Figure 2 LAN-to-LAN Application Example
    1.3 Ways to Manage the ZyXEL Device: Use any of the following methods to manage the ZyXEL Device. • Web Configurator. This is recommended for everyday management of the ZyXEL Device using a (supported) web browser. See •...
  • Page 36: Hardware Connection

    Figure 3 Front Panel
    The following table describes the LEDs. Table 2 Front Panel LEDs COLOR POWER Green ETHERNET Green WLAN Green (wireless devices only) Green INTERNET Green
    1.6 Hardware Connection: Refer to the Quick Start Guide for information on hardware connection.
    1.7 Splitters and Microfilters: This section describes how to connect ADSL splitters and microfilters.
  • Page 37: Connecting A Pots Splitter

    1.7.1 Connecting a POTS Splitter When you use the Full Rate (G.dmt) ADSL standard, you can use a POTS (Plain Old Telephone Service) splitter to separate the telephone and ADSL signals. This allows simultaneous Internet access and telephone service on the same line. A splitter also eliminates the destructive interference conditions caused by telephone sets.
  • Page 38: Figure 5 Connecting A Microfilter

    Figure 5 Connecting a Microfilter
  • Page 39: Introducing The Web Configurator

    Chapter 2: Introducing the Web Configurator
    This chapter describes how to access and navigate the web configurator.
    2.1 Web Configurator Overview: The web configurator is an HTML-based management interface that allows easy ZyXEL Device setup and management via Internet browser. Use Internet Explorer 6.0 and later or Netscape Navigator 7.0 and later versions.
  • Page 40: Figure 6 Password Screen

    4 Type "192.168.1.1" as the URL.
    5 A window displays as shown. Enter the default admin password 1234 to configure the wizards and the advanced features or enter the default user password user to view the status only.
  • Page 41: Figure 7 Change Password At Login

    Figure 7 Change Password at Login
    8 The next screen depends on which password (admin or user) you used in step 5. Select Go to Wizard setup, and click Apply to display the wizard main screen. Select Go to Advanced setup or View Device Status, and click Apply to display the Status screen. Select Change Password if you want to change the user password.
  • Page 42: Resetting The Zyxel Device

    2.3 Resetting the ZyXEL Device: If you forget your password or cannot access the web configurator, you will need to use the RESET button at the back of the ZyXEL Device to reload the factory-default configuration file.
  • Page 43: Table 3 Web Configurator Screens Summary

    Click the icon (located in the top right corner of most screens) to view embedded help. Table 3 Web Configurator Screens Summary LINK/ICON SUB-LINK Wizard INTERNET SETUP BANDWIDTH MANAGEMENT SETUP Logout Status Network Internet Connection More Connections WAN Backup Setup DHCP Setup Client List IP Alias...
  • Page 44 Chapter 2 Introducing the Web Configurator Table 3 Web Configurator Screens Summary (continued) LINK/ICON SUB-LINK Threshold Content Filter Keyword Schedule Trusted Setup Monitor VPN Global Setting Advanced Static Route Bandwidth MGMT Summary Rule Setup Monitor Dynamic DNS Remote MGMT Telnet SNMP ICMP UPnP...
  • Page 45: Status Screen

    2.4.2 Status Screen The following summarizes how to navigate the web configurator from the Status screen. Some fields or links are not available if you entered the user password in the login password screen (see Figure 6 on page Figure 10 Status Screen The following table describes the labels shown in the Status screen.
  • Page 46 Chapter 2 Introducing the Web Configurator Table 4 Status Screen LABEL Default Gateway VPI/VCI LAN Information IP Address IP Subnet Mask This is the LAN port IP subnet mask. DHCP WLAN Information (Wireless devices only) SSID Channel Security Security (not available if you entered the user password) Firewall Content Filter System Status...
  • Page 47: Status: Any Ip Table

    Table 4 Status Screen
    LABEL: DESCRIPTION
    Rate: For the LAN ports, this displays the port speed and duplex setting. Ethernet port connections can be in half-duplex or full-duplex mode. Full-duplex refers to a device's ability to send and receive simultaneously, while half-duplex indicates that traffic can flow in only one direction at a time.
  • Page 48: Status: Wlan Status (Wireless Devices Only)

    Table 5 Status: Any IP Table (continued)
    LABEL: DESCRIPTION
    MAC Address: This field displays the MAC (Media Access Control) address of the computer with the displayed IP address. Every Ethernet device has a unique MAC address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.
  • Page 49: Status: Bandwidth Status

    Figure 13 Status: VPN Status The following table describes the labels in this screen. Table 7 Status: VPN Status LABEL DESCRIPTION This is the security association index number. Name This field displays the identification name for this VPN policy. Encapsulation This field displays Tunnel or Transport mode.
  • Page 50: Status: Packet Statistics

    2.4.7 Status: Packet Statistics: Click the Packet Statistics hyperlink in the Status screen. Read-only information here includes port status and packet specific statistics. Also provided are "system up time" and "poll interval(s)". The Poll Interval(s) field is configurable.
    Figure 15 Status: Packet Statistics
    The following table describes the fields in this screen.
  • Page 51: Changing Login Password

    Table 8 Status: Packet Statistics (continued)
    LABEL: DESCRIPTION
    RxPkts: This field displays the number of packets received on this port.
    Errors: This field displays the number of error packets on this port.
    Tx B/s: This field displays the number of bytes transmitted in the last second.
    Rx B/s: This field displays the number of bytes received in the last second.
  • Page 52: Figure 16 System General

    Figure 16 System General
    The following table describes the fields in this screen.
    Table 9 System General: Password
    LABEL: DESCRIPTION
    Old Password: Type the default password or the existing password you use to access the system in this field.
  • Page 53: Wizards

    Chapter 3: Wizards
    Use these screens to configure Internet access or to configure basic bandwidth management. See the advanced menu chapters for background information on these fields. To access the wizards, click Go to Wizard setup in icon ( ) in the top right corner of the web configurator.
  • Page 54: Internet Setup Wizard

    3.1 Internet Setup Wizard: Use these screens to configure Internet access and wireless network settings (wireless devices only). To access this wizard, click INTERNET/WIRELESS SETUP in the wizard main screen. Wait while the device tries to detect your DSL connection and connection type.
    Figure 18 Internet Setup Wizard: Connection Test
    The next screen depends on the results.
  • Page 55: Figure 20 Internet Setup Wizard: Manual Configuration

    3.1.2.1 Screen 1 Figure 20 Internet Setup Wizard: Manual Configuration Click Back to return to the wizard main screen. Click Next to continue to the next screen. Click Exit to close the wizard main screen and return to the Status screen or the main window. 3.1.2.2 Screen 2 This screen lets you enter some of the ISP settings for your Internet connection.
  • Page 56: Figure 22 Internet Setup Wizard: Isp Parameters (Ethernet)

    The following table describes the fields in this screen.
    Table 11 Internet Setup Wizard: ISP Parameters
    LABEL: DESCRIPTION
    Mode: Select Routing (default) if your ISP allows multiple computers to share an Internet account. Otherwise, select Bridge.
    Encapsulation: Select the encapsulation type your ISP uses from the Encapsulation drop-down list box.
  • Page 57: Figure 23 Internet Setup Wizard: Isp Parameters (Pppoe)

    The following table describes the fields in this screen.
    Table 12 Internet Setup Wizard: ISP Parameters (Ethernet)
    LABEL: DESCRIPTION
    Obtain an IP Address Automatically: Select this if you have a dynamic IP address.
    Static IP Address: Select this if you have a static (fixed) IP address, and enter the information below. These fields appear if you select Static IP Address.
  • Page 58: Figure 24 Internet Setup Wizard: Isp Parameters (Rfc1483 + Routing Mode)

    Table 13 Internet Setup Wizard: ISP Parameters (PPPoE)
    LABEL: DESCRIPTION
    Service Name: Type the name of your PPPoE service here. Leave this field blank if your ISP did not provide you a PPPoE service.
    Back: Click Back to go back to the previous screen.
    Apply: Click Apply to finish manual configuration.
  • Page 59: No Dsl Detection

    Figure 25 Internet Setup Wizard: ISP Parameters (PPPoA)
    The following table describes the fields in this screen.
    Table 15 Internet Setup Wizard: ISP Parameters (PPPoA)
    LABEL: DESCRIPTION
    User Name: Enter the user name exactly as your ISP assigned. If assigned a name in the form user@domain where domain identifies a service name, then enter both components exactly as given.
  • Page 60: Wireless Connection Wizard Setup (Wireless Devices Only)

    Chapter 3 Wizards Figure 26 Internet Setup Wizard: No DSL Connection Click Restart the Internet/Wireless Setup Wizard to return to the wizard main screen. Click Next to continue to the the wizard main screen and return to the Status screen or the main window. 3.2 Wireless Connection Wizard Setup (wireless devices only) After you configure the Internet access information, use the following screens to set up your...
  • Page 61: Figure 28 Wireless Lan Setup Wizard 1

    Figure 28 Wireless LAN Setup Wizard 1
    The following table describes the labels in this screen.
    Table 16 Wireless LAN Setup Wizard 1
    LABEL: DESCRIPTION
    Active: Select the check box to turn on the wireless LAN.
    Enable OTIST: Select the check box to enable OTIST if you want to transfer your ZyXEL Device’s SSID and WPA-PSK security settings to wireless clients that support OTIST and are within transmission range.
  • Page 62: Figure 29 Wireless Lan Setup Wizard 2

    Figure 29 Wireless LAN Setup Wizard 2
    The following table describes the labels in this screen.
    Table 17 Wireless LAN Setup Wizard 2
    LABEL: DESCRIPTION
    Network Name(SSID): Enter a descriptive name (up to 32 printable 7-bit ASCII characters) for the wireless LAN.
  • Page 63: Manually Assign A Wpa-Psk Key

    The wireless stations and ZyXEL Device must use the same SSID, channel ID and WEP encryption key (if WEP is enabled), WPA-PSK (if WPA-PSK is enabled) for wireless communication. 4 This screen varies depending on the security mode you selected in the previous screen. Fill in the field (if available) and click Next.
  • Page 64: Figure 31 Manually Assign A Wep Key

    Figure 31 Manually assign a WEP key
    The following table describes the labels in this screen.
    Table 19 Manually assign a WEP key
    LABEL DESCRIPTION The WEP keys are used to encrypt data. Both the ZyXEL Device and the wireless stations must use the same WEP key for data transmission.
  • Page 65: Bandwidth Management Wizard

    Figure 33 Internet Setup Wizard: Summary Screen
    6 Use the read-only summary table to check whether what you have configured is correct. Click Finish to complete and save the wizard setup.
    The following table describes the fields in this screen. Table 20 Internet Setup Wizard: Summary LABEL DESCRIPTION Return to...
  • Page 66: Screen 1

    The following table describes the services you can select.
    Table 21 Media Bandwidth Management Setup: Services
    SERVICE: DESCRIPTION
    E-Mail: Electronic mail consists of messages sent through a computer network to specific groups or individuals. Here are some default ports for e-mail: POP3 - port 110, IMAP - port 143, SMTP - port 25...
  • Page 67: Screen 2

    Figure 34 Bandwidth Management Wizard: General Information
    The following fields describe the label in this screen.
    Table 22 Bandwidth Management Wizard: General Information
    LABEL: DESCRIPTION
    Active: Select the Active check box to have the ZyXEL Device apply bandwidth management to traffic going out through the ZyXEL Device’s WAN, LAN or WLAN port.
  • Page 68: Figure 35 Bandwidth Management Wizard: Configuration

    Figure 35 Bandwidth Management Wizard: Configuration
    The following table describes the labels in this screen.
    Table 23 Bandwidth Management Wizard: Configuration
    LABEL: DESCRIPTION
    Active: Select an entry’s Active check box to turn on bandwidth management for the service/ application.
  • Page 69: Screen 3

    3.3.3 Screen 3: Follow the on-screen instructions and click Finish to complete the wizard setup and save your configuration.
    Figure 36 Bandwidth Management Wizard: Complete
  • Page 71: Network

    Network: WAN Setup (73), LAN Setup (89), Wireless LAN (101), Network Address Translation (NAT) Screens (123)
  • Page 73: Wan Setup

    Chapter 4: WAN Setup
    This chapter describes how to configure WAN settings.
    4.1 WAN Overview: A WAN (Wide Area Network) is an outside connection to another network or the Internet.
    4.1.1 Encapsulation: Be sure to use the encapsulation method required by your ISP. The ZyXEL Device supports the following methods.
  • Page 74: Multiplexing

    4.1.1.3 PPPoA: PPPoA stands for Point to Point Protocol over ATM Adaptation Layer 5 (AAL5). A PPPoA connection functions like a dial-up Internet connection. The ZyXEL Device encapsulates the PPP session based on RFC1483 and sends it through an ATM PVC (Permanent Virtual Circuit) to the Internet Service Provider’s (ISP) DSLAM (digital access multiplexer).
  • Page 75: Nailed-Up Connection (Ppp)

    4.1.4.1 IP Assignment with PPPoA or PPPoE Encapsulation If you have a dynamic IP, then the IP Address and ENET ENCAP Gateway fields are not applicable (N/A). If you have a static IP, then you only need to fill in the IP Address field and not the ENET ENCAP Gateway field.
  • Page 76: Traffic Shaping

    For example, if the normal route has a metric of "1" and the traffic-redirect route has a metric of "2" and dial-backup route has a metric of "3", then the normal route acts as the primary default route.
  • Page 77: Atm Traffic Classes

    4.3.1 ATM Traffic Classes These are the basic ATM traffic classes defined by the ATM Forum Traffic Management 4.0 Specification. 4.3.1.1 Constant Bit Rate (CBR) Constant Bit Rate (CBR) provides fixed bandwidth that is always available even if no data is being sent.
  • Page 78: Internet Connection

    Chapter 4 WAN Setup 4.5 Internet Connection To change your ZyXEL Device’s WAN remote node settings, click Network > WAN. The screen differs by the encapsulation. Section 4.1 on page 73 Figure 38 Internet Connection (PPPoE) The following table describes the labels in this screen. Table 24 Internet Connection LABEL General...
  • Page 79: Configuring Advanced Internet Connection

    Table 24 Internet Connection
    LABEL: DESCRIPTION
    Service Name: (PPPoE only) Type the name of your PPPoE service here.
    Multiplexing: Select the method of multiplexing used by your ISP from the drop-down list. Choices are VC or LLC.
    Virtual Circuit ID: VPI (Virtual Path Identifier) and VCI (Virtual Channel Identifier) define a virtual circuit.
  • Page 80: Figure 39 Advanced Internet Connection

    Figure 39 Advanced Internet Connection
    The following table describes the labels in this screen.
    Table 25 Advanced Internet Connection
    LABEL: DESCRIPTION
    RIP & Multicast Setup
    RIP Direction: RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers.
  • Page 81: Configuring More Connections

    Table 25 Advanced Internet Connection LABEL DESCRIPTION cell/sec Divide the DSL line rate (bps) by 424 (the size of an ATM cell) to find the Peak Cell Rate (PCR). This is the maximum rate at which the sender can send cells. Type the PCR here.
  • Page 82: More Connections Edit

    Chapter 4 WAN Setup Figure 40 More Connections The following table describes the labels in this screen. Table 26 More Connections LABEL Active Name VPI/VCI Encapsulation Modify Apply Cancel 4.6.1 More Connections Edit Click the edit icon in the More Connections screen to configure a DESCRIPTION This is the index number of a connection.
  • Page 83: Figure 41 More Connections Edit

    Figure 41 More Connections Edit
    The following table describes the labels in this screen.
    Table 27 More Connections Edit
    LABEL: DESCRIPTION
    Active: Select the check box to activate or clear the check box to deactivate this connection.
    Name: Enter a unique, descriptive name of up to 13 ASCII characters for this connection.
  • Page 84 Chapter 4 WAN Setup Table 27 More Connections Edit (continued) LABEL User Name Password Service Name Multiplexing IP Address Subnet Mask Gateway IP address Specify a gateway IP address (supplied by your ISP). Connection Nailed-Up Connection Connect on Demand Max Idle Timeout Back Apply DESCRIPTION...
  • Page 85: Configuring More Connections Advanced Setup

    Table 27 More Connections Edit (continued)
    LABEL: DESCRIPTION
    Cancel: Click Cancel to begin configuring this screen afresh.
    Advanced Setup: Click this button to display the More Connections Advanced screen and edit more details of your WAN setup.
    4.6.2 Configuring More Connections Advanced Setup: To edit your ZyXEL Device's advanced WAN settings, click the Advanced Setup button in the More Connections Edit screen.
  • Page 86: Traffic Redirect

    Table 28 More Connections Advanced Setup (continued)
    LABEL: DESCRIPTION
    Maximum Burst Size: Maximum Burst Size (MBS) refers to the maximum number of cells that can be sent at the peak rate. Type the MBS, which is less than 65535.
    Back: Click Back to return to the previous screen.
  • Page 87: Configuring Wan Backup Setup

    Figure 44 Traffic Redirect LAN Setup
    4.8 Configuring WAN Backup Setup: To change your ZyXEL Device’s WAN backup settings, click WAN > WAN Backup Setup. The screen appears as shown.
    Figure 45 WAN Backup Setup
  • Page 88: Table 29 Wan Backup Setup

    The following table describes the labels in this screen.
    Table 29 WAN Backup Setup
    LABEL: DESCRIPTION
    Backup Type: Select the method that the ZyXEL Device uses to check the DSL connection. Select DSL Link to have the ZyXEL Device check if the connection to the DSLAM is up.
  • Page 89: Lan Setup

    Chapter 5: LAN Setup
    This chapter describes how to configure LAN settings.
    5.1 LAN Overview: A Local Area Network (LAN) is a shared communication system to which many computers are attached. A LAN is a computer network limited to the immediate area, usually the same building or floor of a building.
  • Page 90: Dhcp Setup

    5.1.2 DHCP Setup: DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the ZyXEL Device as a DHCP server or disable it. When configured as a server, the ZyXEL Device provides the TCP/IP configuration for the clients.
  • Page 91: Lan Tcp/Ip

    • The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, enter them in the DNS Server fields in the DHCP Setup screen. •...
  • Page 92: Rip Setup

    You can obtain your IP address from the IANA, from an ISP or it can be assigned from a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks. On the other hand, if you are part of a much larger organization, you should consult your network administrator for the appropriate IP addresses.
  • Page 93: Any Ip

    224.0.0.0 is not assigned to any group and is used by IP multicast computers. The address 224.0.0.1 is used for query messages and is assigned to the permanent group of all IP hosts (including gateways). All hosts must join the 224.0.0.1 group in order to participate in IGMP. The address 224.0.0.2 is assigned to the multicast routers group.
  • Page 94: Configuring Lan Ip

    You must enable NAT/SUA to use the Any IP feature on the ZyXEL Device.
    5.2.4.1 How Any IP Works: Address Resolution Protocol (ARP) is a protocol for mapping an Internet Protocol address (IP address) to a physical machine address, also known as a Media Access Control or MAC address, on the local area network.
  • Page 95: Configuring Advanced Lan Setup

    The following table describes the fields in this screen.
    Table 30 LAN IP
    LABEL: DESCRIPTION
    TCP/IP
    IP Address: Enter the IP address of your ZyXEL Device in dotted decimal notation, for example, 192.168.1.1 (factory default).
    IP Subnet Mask: Type the subnet mask assigned to you by your ISP (if given).
    Apply: Click Apply to save your changes back to the ZyXEL Device.
  • Page 96: Dhcp Setup

    Table 31 Advanced LAN Setup (continued)
    LABEL: DESCRIPTION
    RIP Version: This field is enabled if RIP Direction is not None. The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyXEL Device sends (it recognizes both formats when receiving).
  • Page 97: Figure 50 Dhcp Setup

    Figure 50 DHCP Setup
    The following table describes the labels in this screen.
    Table 32 DHCP Setup
    LABEL: DESCRIPTION
    DHCP Setup
    DHCP: Select what type of DHCP services the ZyXEL Device provides to the network. Choices are: None - the ZyXEL Device does not provide any DHCP services. There is already a DHCP server on the network.
  • Page 98: Lan Client List

    5.5 LAN Client List: This table allows you to assign IP addresses on the LAN to specific individual computers based on their MAC Addresses. Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.
  • Page 99: Lan Ip Alias

    Table 33 LAN Client List
    LABEL: DESCRIPTION
    Cancel: Click Cancel to begin configuring this screen afresh.
    Refresh: Click Refresh to reload the DHCP table.
    5.6 LAN IP Alias: IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface.
  • Page 100: Figure 53 Lan Ip Alias

    Chapter 5 LAN Setup Figure 53 LAN IP Alias The following table describes the labels in this screen. Table 34 LAN IP Alias LABEL IP Alias 1, 2 IP Address IP Subnet Mask RIP Direction RIP Version Apply Cancel DESCRIPTION Select the check box to configure another LAN network for the ZyXEL Device.
  • Page 101: Wireless Lan

    Chapter 6 Wireless LAN This chapter discusses how to configure the wireless network settings in your device (wireless devices only). See the appendices for more detailed information about wireless networks. 6.1 Wireless Network Overview The following figure provides an example of a wireless network. Example of a Wireless Network The wireless network is the part in the blue circle.
  • Page 102: Wireless Security Overview

    Chapter 6 Wireless LAN • Every device in the same wireless network must use security compatible with the ZyXEL Device. Security stops unauthorized devices from using the wireless network. It can also protect the information that is sent in the wireless network. 6.2 Wireless Security Overview The following sections introduce different types of wireless security you can set up in the wireless network.
  • Page 103: Encryption

    Unauthorized wireless devices can still see the information that is sent in the wireless network, even if they cannot use the wireless network. Furthermore, there are ways for unauthorized wireless users to get a valid user name and password. Then, they can use that user name and password to use the wireless network.
  • Page 104: One-Touch Intelligent Security Technology (Otist)

    Chapter 6 Wireless LAN When you select WPA2 or WPA2-PSK in your ZyXEL Device, you can also select an option (WPA compatible) to support WPA as well. In this case, if some of the devices support WPA and some support WPA2, you should set up WPA2-PSK or WPA2 (depending on the type of wireless network login) and select the WPA compatible option in the ZyXEL Device.
  • Page 105: No Security

    Figure 54 Wireless LAN: General The following table describes the general wireless LAN labels in this screen. Table 36 Wireless LAN: General LABEL DESCRIPTION Active Wireless Click the check box to activate wireless LAN. Network Name (SSID) (Service Set IDentity) The SSID identifies the Service Set with which a wireless client is associated.
  • Page 106: Wep Encryption

    Chapter 6 Wireless LAN If you do not enable any wireless security on your ZyXEL Device, your network is accessible to any wireless networking device that is within range. Figure 55 Wireless: No Security The following table describes the labels in this screen. Table 37 Wireless: No Security LABEL DESCRIPTION...
  • Page 107: Wpa-Psk/Wpa2-Psk

    Figure 56 Wireless: Static WEP Encryption The following table describes the wireless LAN security labels in this screen. Table 38 Wireless: Static WEP Encryption LABEL DESCRIPTION Security Mode Choose Static WEP from the drop-down list box. Passphrase Enter a Passphrase (up to 32 printable characters) and click Generate. The ZyXEL Device automatically generates a WEP key.
  • Page 108: Figure 57 Wireless: Wpa-Psk/Wpa2-Psk

    Chapter 6 Wireless LAN Figure 57 Wireless: WPA-PSK/WPA2-PSK The following table describes the wireless LAN security labels in this screen. Table 39 Wireless: WPA-PSK/WPA2-PSK LABEL Security Mode WPA Compatible Pre-Shared Key ReAuthentication Timer (In Seconds) Idle Timeout (In Seconds) DESCRIPTION Choose WPA-PSK or WPA2-PSK from the drop-down list box.
  • Page 109: Wpa/Wpa2

    Table 39 Wireless: WPA-PSK/WPA2-PSK LABEL DESCRIPTION Group Key Update Timer (In Seconds) The Group Key Update Timer is the rate at which the AP (if using WPA-PSK/WPA2-PSK key management) or RADIUS server (if using WPA(2) key management) sends a new group key out to all clients. The re-keying process is the WPA(2) equivalent of automatically changing the WEP key for an AP and all stations in a WLAN on a periodic basis.
  • Page 110: Table 40 Wireless: Wpa/Wpa2

    Chapter 6 Wireless LAN The following table describes the wireless LAN security labels in this screen. Table 40 Wireless: WPA/WPA2 LABEL WPA Compatible ReAuthentication Timer (In Seconds) Idle Timeout (In Seconds) Group Key Update Timer (In Seconds) Authentication Server IP Address Port Number Shared Secret Accounting Server (optional)
  • Page 111: Wireless Lan Advanced Setup

    6.4.5 Wireless LAN Advanced Setup To configure advanced wireless settings, click the Advanced Setup button in the General screen. The screen appears as shown. Figure 59 Wireless LAN: Advanced The following table describes the labels in this screen. Table 41 Wireless LAN: Advanced LABEL DESCRIPTION Wireless Advanced Setup...
  • Page 112: Otist

    Chapter 6 Wireless LAN Table 41 Wireless LAN: Advanced LABEL DESCRIPTION Enable 802.11g+ mode Select the Enable 802.11g+ mode checkbox to allow any ZyXEL WLAN devices that support this feature to associate with the ZyXEL Device at higher transmission speeds. This permits the ZyXEL Device to transmit at a higher speed than the 802.11g Only mode.
  • Page 113: Figure 60 Wireless Lan: Otist

    6.5.1.1.1 Reset button If you use the RESET button, the default (01234567) or previously saved (through the web configurator) Setup key is used to encrypt the settings that you want to transfer. Hold in the RESET button for one to five seconds. If you hold in the RESET button too long, the device will reset to the factory defaults! 6.5.1.1.2 Web Configurator
  • Page 114: Starting Otist

    Chapter 6 Wireless LAN 6.5.1.2 Wireless Client On your wireless client, start the ZyXEL utility and click the Adapter tab. Select the OTIST check box, enter the same Setup Key as your AP’s and click Save. Figure 61 Example Wireless Client OTIST Screen 6.5.2 Starting OTIST You must click Start in the AP OTIST web configurator screen and in the wireless client(s) Adapter screen all within three minutes (at the time of...
  • Page 115: Notes On Otist

    2 This screen appears while OTIST settings are being transferred. It closes when the transfer is complete. Figure 63 OTIST in Progress (AP) 3 In the wireless client, you see this screen if it can't find an OTIST-enabled AP (with the same Setup key).
  • Page 116: Mac Filter

    Chapter 6 Wireless LAN 6.6 MAC Filter The MAC filter screen allows you to configure the ZyXEL Device to give exclusive access to up to 32 devices (Allow) or exclude up to 32 devices from accessing the ZyXEL Device. Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.
  • Page 117: Wmm Qos

    Table 43 MAC Address Filter LABEL DESCRIPTION This is the index number of the MAC address. MAC Address Enter the MAC addresses of the wireless clients that are allowed or denied access to the ZyXEL Device in these address fields. Enter the MAC addresses in a valid MAC address format, that is, six hexadecimal character pairs, for example, 12:34:56:78:9a:bc.
  • Page 118: Services

    Chapter 6 Wireless LAN 6.7.3 Services The commonly used services and port numbers are shown in the following table. Please refer to RFC 1700 for further information about port numbers. Next to the name of the service, two fields appear in brackets. The first field indicates the IP protocol type (TCP, UDP, or ICMP). The second field indicates the IP port number that defines the service.
  • Page 119: Qos Screen

    Table 45 Commonly Used Services SERVICE PING(ICMP:0) POP3(TCP:110) PPTP(TCP:1723) PPTP_TUNNEL(GRE:0) RCMD(TCP:512) REAL_AUDIO(TCP:7070) REXEC(TCP:514) RLOGIN(TCP:513) RTELNET(TCP:107) RTSP(TCP/UDP:554) SFTP(TCP:115) SMTP(TCP:25) SNMP(TCP/UDP:161) SNMP-TRAPS(TCP/UDP:162) SQL-NET(TCP:1521) SSH(TCP/UDP:22) STRM WORKS(UDP:1558) SYSLOG(UDP:514) TACACS(UDP:49) TELNET(TCP:23) TFTP(UDP:69) VDOLIVE(TCP:7000) 6.8 QoS Screen The QoS screen by default allows you to automatically give a service a priority level according to the ToS value in the IP header of the packets it sends.
  • Page 120: Tos (Type Of Service) And Wmm Qos

    Chapter 6 Wireless LAN 6.8.1 ToS (Type of Service) and WMM QoS ToS defines the DS (Differentiated Service) field in the IP packet header. The ToS value of outgoing packets is between 0 and 255. 0 is the lowest priority. WMM QoS checks the ToS in the header of transmitted data packets.
  • Page 121: Application Priority Configuration

    Table 46 Wireless LAN: QoS LABEL Modify Apply Cancel 6.8.2 Application Priority Configuration To edit a WMM QoS application entry, click the edit icon under Modify. The following screen displays. Figure 69 Application Priority Configuration The following table describes the fields in this screen. Table 47 Application Priority Configuration LABEL Application Priority Configuration...
  • Page 122 Chapter 6 Wireless LAN Table 47 Application Priority Configuration LABEL Service Dest Port Priority Apply Cancel DESCRIPTION The following is a description of the applications you can prioritize with WMM QoS. Select a service from the drop-down list box. • File Transfer Program enables fast transfer of files, including large files that may not be possible by e-mail.
  • Page 123: Network Address Translation (Nat) Screens

    Chapter 7 Network Address Translation (NAT) Screens This chapter discusses how to configure NAT on the ZyXEL Device. 7.1 NAT Overview NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet, for example, the source address of an outgoing packet, used within one network to a different IP address known within another network.
  • Page 124: What Nat Does

    Chapter 7 Network Address Translation (NAT) Screens 7.1.2 What NAT Does In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side.
  • Page 125: Nat Mapping Types

    Figure 71 NAT Application With IP Alias 7.1.5 NAT Mapping Types NAT supports five types of IP/port mapping. They are: • One to One: In One-to-One mode, the ZyXEL Device maps one local IP address to one global IP address. •...
  • Page 126: Sua (Single User Account) Versus Nat

    Chapter 7 Network Address Translation (NAT) Screens The following table summarizes these types. Table 49 NAT Mapping Types TYPE One-to-One Many-to-One (SUA/PAT) Many-to-Many Overload Many-to-Many No Overload Server 7.2 SUA (Single User Account) Versus NAT SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server.
  • Page 127: Port Forwarding

    Figure 72 NAT General The following table describes the labels in this screen. Table 50 NAT General LABEL DESCRIPTION Active Network Address Translation (NAT) Select this check box to enable NAT. SUA Only Select this radio button if you have just one public WAN IP address for your ZyXEL Device.
  • Page 128: Port Forwarding: Services And Port Numbers

    Chapter 7 Network Address Translation (NAT) Screens If you do not assign a Default Server IP address, the ZyXEL Device discards all packets received for ports that are not specified here or in the remote management setup. 7.4.2 Port Forwarding: Services and Port Numbers Use the Port Forwarding screen to forward incoming service requests to the server(s) on your local network.
  • Page 129: Configuring Port Forwarding

    Figure 73 Multiple Servers Behind NAT Example 7.5 Configuring Port Forwarding The Port Forwarding screen is available only when you select SUA Only in the NAT > General screen. If you do not assign a Default Server IP address, the ZyXEL Device discards all packets received for ports that are not specified here or in the remote management setup.
  • Page 130: Figure 74 Port Forwarding

    Chapter 7 Network Address Translation (NAT) Screens Figure 74 Port Forwarding The following table describes the fields in this screen. Table 52 Port Forwarding LABEL DESCRIPTION Default Server Setup Default Server In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in this screen.
  • Page 131: Port Forwarding Rule Edit

    7.5.1 Port Forwarding Rule Edit To edit a port forwarding rule, click the rule’s edit icon in the Port Forwarding screen to display the screen shown next. Figure 75 Port Forwarding Rule Setup The following table describes the fields in this screen. Table 53 Port Forwarding Rule Setup LABEL DESCRIPTION...
  • Page 132: Figure 76 Address Mapping Rules

    Chapter 7 Network Address Translation (NAT) Screens Ordering your rules is important because the ZyXEL Device applies the rules in the order that you specify. When a rule matches the current packet, the ZyXEL Device takes the corresponding action and the remaining rules are ignored. If there are any empty rules before your new configured rule, your configured rule will be pushed up by that number of empty rules.
  • Page 133: Address Mapping Rule Edit

    Table 54 Address Mapping Rules (continued) LABEL DESCRIPTION Type 1-1: One-to-one mode maps one local IP address to one global IP address. Note that port numbers do not change for the One-to-one NAT mapping type. M-1: Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyXEL routers supported only.
  • Page 134: Table 55 Edit Address Mapping Rule

    Chapter 7 Network Address Translation (NAT) Screens The following table describes the fields in this screen. Table 55 Edit Address Mapping Rule LABEL DESCRIPTION Type Choose the port mapping type from one of the following. One-to-One: One-to-One mode maps one local IP address to one global IP address. Note that port numbers do not change for One-to-one NAT mapping type.
  • Page 135: Security

    Security Firewalls (137) Firewall Configuration (149) Content Filtering (171) Introduction to IPSec (175) VPN Screens (181)
  • Page 137: Firewalls

    Chapter 8 Firewalls This chapter gives some background information on firewalls and introduces the ZyXEL Device firewall. 8.1 Firewall Overview Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another. The networking term “firewall” is a system or group of systems that enforces an access-control policy between two networks.
  • Page 138: Application-Level Firewalls

    Chapter 8 Firewalls 8.2.2 Application-level Firewalls Application-level firewalls restrict access by serving as proxies for external servers. Since they use programs written for specific Internet services, such as HTTP, FTP and telnet, they can evaluate network packets for valid application-specific data. Application-level gateways have a number of general advantages over the default mode of permitting application traffic directly to internal hosts: Information hiding prevents the names of internal systems from being made known via DNS...
  • Page 139: Denial Of Service Attacks

    8.3.1 Denial of Service Attacks Figure 78 ZyXEL Device Firewall Application 8.4 Denial of Service Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources.
  • Page 140: Types Of Dos Attacks

    Chapter 8 Firewalls 8.4.2 Types of DoS Attacks There are four types of DoS attacks: 1 Those that exploit bugs in a TCP/IP implementation. 2 Those that exploit weaknesses in the TCP/IP specification. 3 Brute-force attacks that flood a network with useless data. 4 IP Spoofing.
  • Page 141: Figure 80 Syn Flood

    Figure 80 SYN Flood • In a LAND Attack, hackers flood SYN packets into the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself.
  • Page 142: Stateful Inspection

    Chapter 8 Firewalls 8.4.2.1 ICMP Vulnerability ICMP is an error-reporting protocol that works in concert with IP. The following ICMP types trigger an alert: Table 57 ICMP Commands That Trigger Alerts 8.4.2.2 Illegal Commands (NetBIOS and SMTP) The only legal NetBIOS commands are the following - all others are illegal. Table 58 Legal NetBIOS Commands MESSAGE: REQUEST:...
  • Page 143: Stateful Inspection Process

    are allowed in. The ZyXEL Device uses stateful packet inspection to protect the private LAN from hackers and vandals on the Internet. By default, the ZyXEL Device’s stateful inspection allows all communications to the Internet that originate from the LAN, and blocks all traffic to the LAN that originates from the Internet.
  • Page 144: Stateful Inspection And The Zyxel Device

    Chapter 8 Firewalls 6 Later, an inbound packet reaches the interface. This packet is part of the connection previously established with the outbound packet. The inbound packet is evaluated against the inbound access list, and is permitted because of the temporary access list entry previously created.
  • Page 145: Udp/Icmp Security

    If an initiation packet originates on the LAN, this means that someone is trying to make a connection from the LAN to the Internet. Assuming that this is an acceptable part of the security policy (as is the case with the default policy), the connection will be allowed. A cache entry is added which includes connection information such as IP addresses, TCP ports, sequence numbers, etc.
  • Page 146: Guidelines For Enhancing Security With Your Firewall

    Chapter 8 Firewalls 8.6 Guidelines for Enhancing Security with Your Firewall • Change the default password. • Limit who can telnet into your router. • Don't enable any local service (such as SNMP or NTP) that you don't use. Any enabled service could present a potential security risk.
  • Page 147: Packet Filtering Vs Firewall

    • Always shred confidential information, particularly about your computer, before throwing it away. Some hackers dig through the trash of companies or individuals for information that might help them in an attack. 8.7 Packet Filtering Vs Firewall Below are some comparisons between the ZyXEL Device’s filtering and firewall functions. 8.7.1 Packet Filtering: •...
  • Page 148 Chapter 8 Firewalls • To selectively block/allow inbound or outbound traffic between inside host/networks and outside host/networks. Remember that filters can not distinguish traffic originating from an inside host or an outside host by IP address. • The firewall performs better than filtering if you need to check many rules. •...
  • Page 149: Firewall Configuration

    Chapter 9 Firewall Configuration This chapter shows you how to enable and configure the ZyXEL Device firewall. 9.1 Access Methods The web configurator is, by far, the most comprehensive firewall configuration tool your ZyXEL Device has to offer. For this reason, it is recommended that you configure your firewall using the web configurator.
  • Page 150: Rule Logic Overview

    Chapter 9 Firewall Configuration You may define additional rules and sets or modify existing ones but please exercise extreme caution in doing so. If you configure firewall rules without a good understanding of how they work, you might inadvertently introduce security risks to the firewall and to the protected network.
  • Page 151: Key Fields For Configuring Rules

    2 Does this rule stop LAN users from accessing critical resources on the Internet? For example, if IRC is blocked, are there users that require this service? 3 Is it possible to modify the rule to be more specific? For example, if IRC is blocked for all users, will a rule that blocks just certain users be more effective? 4 Does a rule that allows Internet users access to resources on the LAN create a security vulnerability? For example, if FTP ports (TCP 20, 21) are allowed from the Internet to...
  • Page 152: Lan To Wan Rules

    Chapter 9 Firewall Configuration 9.4.1 LAN to WAN Rules The default rule for LAN to WAN traffic is that all users on the LAN are allowed non-restricted access to the WAN. When you configure a LAN to WAN rule, you in essence want to limit some or all users from accessing certain services on the WAN.
  • Page 153: Solving The "Triangle Route" Problem

    Figure 84 “Triangle Route” Problem 9.5.2 Solving the “Triangle Route” Problem You can have the ZyXEL Device allow triangle route sessions. However this can allow traffic from the WAN to go directly to a LAN computer without passing through the ZyXEL Device and its firewall protection.
  • Page 154: General Firewall Policy

    Chapter 9 Firewall Configuration 9.6 General Firewall Policy Click Security > Firewall to display the following screen. Activate the firewall by selecting the Active Firewall check box as seen in the following screen. Refer to Section 8.1 on page 137 Figure 86 Firewall: General The following table describes the labels in this screen.
  • Page 155: Firewall Rules Summary

    Table 60 Firewall: General (continued) LABEL DESCRIPTION Default Action Use the drop-down list boxes to select the default action that the firewall is to take on packets that are traveling in the selected direction and do not match any of the firewall rules.
  • Page 156: Figure 87 Firewall Rules

    Chapter 9 Firewall Configuration Figure 87 Firewall Rules The following table describes the labels in this screen. Table 61 Firewall Rules LABEL DESCRIPTION Firewall Rules Storage Space This read-only bar shows how much of the ZyXEL Device's memory for recording firewall rules it is currently using.
  • Page 157: Configuring Firewall Rules

    Table 61 Firewall Rules (continued) LABEL DESCRIPTION This field shows you whether a log is created when packets match this rule (Yes) or not (No). Modify Click the Edit icon to go to the screen where you can edit the rule. Click the Remove icon to delete an existing firewall rule.
  • Page 158: Figure 88 Firewall: Edit Rule

    Chapter 9 Firewall Configuration Figure 88 Firewall: Edit Rule
  • Page 159: Table 62 Firewall: Edit Rule

    The following table describes the labels in this screen. Table 62 Firewall: Edit Rule LABEL DESCRIPTION Active Select this option to enable this firewall rule. Action for Matched Packet Use the drop-down list box to select what the firewall is to do with packets that match this rule.
  • Page 160: Customized Services

    Chapter 9 Firewall Configuration Table 62 Firewall: Edit Rule (continued) LABEL Apply Cancel 9.7.2 Customized Services Configure customized services and port numbers not predefined by the ZyXEL Device. For a comprehensive list of port numbers and services, visit the IANA (Internet Assigned Number Authority) web site.
  • Page 161: Example Firewall Rule

    Refer to Section 8.1 on page 137 Figure 90 Firewall: Configure Customized Services The following table describes the labels in this screen. Table 64 Firewall: Configure Customized Services LABEL DESCRIPTION Service Name Type a unique name for your custom port. Service Type Choose the IP port (TCP, UDP or TCP/UDP) that defines your customized port from the drop down list box.
  • Page 162: Figure 91 Firewall Example: Rules

    Chapter 9 Firewall Configuration Figure 91 Firewall Example: Rules 3 In the Rules screen, select the index number after which you want to add the rule. For example, if you select “6”, your new rule becomes number 7 and the previous rule 7 (if there is one) becomes rule 8.
  • Page 163: Figure 93 Firewall Example: Edit Rule: Destination Address

    Chapter 9 Firewall Configuration Figure 93 Firewall Example: Edit Rule: Destination Address 9 Use the Add >> and Remove buttons between Available Services and Selected Services list boxes to configure it as follows. Click Apply when you are done. Custom services show up with an “*” before their names in the Services list box and the Rules list box.
  • Page 164: Figure 94 Firewall Example: Edit Rule: Select Customized Services

    Chapter 9 Firewall Configuration Figure 94 Firewall Example: Edit Rule: Select Customized Services On completing the configuration procedure for this Internet firewall rule, the Rules screen should look like the following. Rule 1 allows a “MyService” connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN.
  • Page 165: Anti Probing

    Figure 95 Firewall Example: Rules: MyService 9.9 Anti Probing If an outside user attempts to probe an unsupported port on your ZyXEL Device, an ICMP response packet is automatically returned. This allows the outside user to know the ZyXEL Device exists. The ZyXEL Device supports anti probing, which prevents the ICMP response packet from being sent.
  • Page 166: Dos Thresholds

    Chapter 9 Firewall Configuration The following table describes the labels in this screen. Table 65 Firewall: Anti Probing LABEL Respond to PING Do Not Respond to Requests for Unauthorized Services. Apply Cancel 9.10 DoS Thresholds For DoS attacks, the ZyXEL Device uses thresholds to determine when to drop sessions that do not become fully established.
  • Page 167: Half-Open Sessions

    9.10.2 Half-Open Sessions An unusually high number of half-open sessions (either an absolute number or measured as the arrival rate) could indicate that a Denial of Service attack is occurring. For TCP, "half-open" means that the session has not reached the established state, that is, the TCP three-way handshake has not yet been completed (see means that the firewall has detected no return traffic.
  • Page 168: Figure 97 Firewall: Thresholds

    Chapter 9 Firewall Configuration Figure 97 Firewall: Thresholds The following table describes the labels in this screen. Table 66 Firewall: Thresholds LABEL Denial of Service Thresholds One Minute Low One Minute High Maximum Incomplete Low Maximum Incomplete High DESCRIPTION The ZyXEL Device measures both the total number of existing half-open sessions and the rate of session establishment attempts.
  • Page 169 Table 66 Firewall: Thresholds (continued) LABEL DESCRIPTION TCP Maximum Incomplete An unusually high number of half-open sessions with the same destination host address could indicate that a DoS attack is being launched against the host. Specify the number of existing half-open TCP sessions with the same destination host IP address that causes the firewall to start dropping half-open sessions to that same destination host IP address.
  • Page 171: Content Filtering

    Chapter 10 Content Filtering This chapter covers how to configure content filtering. 10.1 Content Filtering Overview Internet content filtering allows you to create and enforce Internet access policies tailored to your needs. Content filtering gives you the ability to block web sites that contain key words (that you specify) in the URL.
  • Page 172: Configuring The Schedule

    Chapter 10 Content Filtering Figure 98 Content Filter: Keyword The following table describes the labels in this screen. Table 67 Content Filter: Keyword LABEL Active Keyword Blocking Block Websites that contain these keywords in the URL: Delete Clear All Keyword Add Keyword Apply Cancel...
  • Page 173: Configuring Trusted Computers

    Figure 99 Content Filter: Schedule The following table describes the labels in this screen. Table 68 Content Filter: Schedule LABEL DESCRIPTION Schedule Select Active Everyday to Block to make the content filtering active everyday. Otherwise, select Edit Daily to Block and configure which days of the week (or everyday) and which time of the day you want the content filtering to be active.
  • Page 174: Figure 100 Content Filter: Trusted

    Chapter 10 Content Filtering Figure 100 Content Filter: Trusted The following table describes the labels in this screen. Table 69 Content Filter: Trusted LABEL Trusted User IP Range From Apply Cancel DESCRIPTION Type the IP address of a computer (or the beginning IP address of a specific range of computers) on the LAN that you want to exclude from content filtering.
  • Page 175: Introduction To Ipsec

    Chapter 11 Introduction to IPSec This chapter introduces the basics of IPSec VPNs. 11.1 VPN Overview A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication.
  • Page 176: Vpn Applications

    Chapter 11 Introduction to IPSec Figure 101 Encryption and Decryption 11.1.3.2 Data Confidentiality The IPSec sender can encrypt packets before transmitting them across a network. 11.1.3.3 Data Integrity The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has not been altered during transmission.
  • Page 177: Ipsec Algorithms

    Figure 102 IPSec Architecture 11.2.1 IPSec Algorithms The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms). The Encryption Algorithm describes the use of encryption techniques such as DES (Data Encryption Standard) and Triple DES algorithms.
  • Page 178: Transport Mode

    Chapter 11 Introduction to IPSec Figure 103 Transport and Tunnel Mode IPSec Encapsulation 11.3.1 Transport Mode Transport mode is used to protect upper layer protocols and only affects the data in the IP packet. In Transport mode, the IP packet contains the security protocol (AH or ESP) located after the original IP header and options, but before any upper layer protocols contained in the packet (such as TCP and UDP).
  • Page 179: Table 70 Vpn And Nat

    A NAT device in between the IPSec endpoints will rewrite either the source or destination address with one of its own choosing. The VPN device at the receiving end will verify the integrity of the incoming packet by computing its own hash value, and complain that the hash value appended to the received packet doesn't match.
  • Page 181: Vpn Screens

    Chapter 12 VPN Screens This chapter introduces the VPN screens. See the Logs chapter for information on viewing logs and the appendix for IPSec log descriptions. 12.1 VPN/IPSec Overview Use the screens documented in this chapter to configure rules for VPN connections and manage VPN connections.
  • Page 182: My Ip Address

    Chapter 12 VPN Screens Table 71 AH and ESP DES (default) Data Encryption Standard (DES) is a widely used method of data encryption using a private (secret) key. DES applies a 56-bit key to each 64-bit block of data. 3DES Triple DES (3DES) is a variant of DES, which iterates three times with three separate keys ENCRYPTION...
  • Page 183: Dynamic Secure Gateway Address

    If the remote secure gateway has a static WAN IP address, enter it in the Secure Gateway Address field. You may alternatively enter the remote secure gateway’s domain name (if it has one) in the Secure Gateway Address field. You can also enter a remote secure gateway’s domain name in the Secure Gateway Address field if the remote secure gateway has a dynamic WAN IP address and is using DDNS.
  • Page 184: Figure 105 Vpn Setup

    Chapter 12 VPN Screens Figure 105 VPN Setup The following table describes the fields in this screen. Table 72 VPN Setup LABEL DESCRIPTION This is the VPN policy index number. Click a number to edit VPN policies. Active This field displays whether the VPN policy is active or not. A Yes signifies that this VPN policy is active.
  • Page 185: Keep Alive

    12.6 Keep Alive When you initiate an IPSec tunnel with keep alive enabled, the ZyXEL Device automatically renegotiates the tunnel when the IPSec SA lifetime period expires (see for more on the IPSec SA lifetime). In effect, the IPSec tunnel becomes an “always on” connection after you initiate it.
  • Page 186: Remote Dns Server

    Chapter 12 VPN Screens Finally, NAT is compatible with ESP in tunnel mode because integrity checks are performed over the combination of the "original header plus original payload," which is unchanged by a NAT device. The compatibility of AH and ESP with NAT in tunnel and transport modes is summarized in the following table.
  • Page 187: ID Type And Content

    12.9 ID Type and Content With aggressive negotiation mode, the ZyXEL Device identifies incoming SAs by ID type and content since this identifying information is not encrypted. This enables the ZyXEL Device to distinguish between multiple rules for SAs that connect from remote IPSec routers that have dynamic WAN IP addresses. Telecommuters can use separate passwords to simultaneously connect to the ZyXEL Device from IPSec routers with dynamic IP addresses.
  • Page 188: ID Type And Content Examples

    Chapter 12 VPN Screens 12.9.1 ID Type and Content Examples Two IPSec routers must have matching ID type and content configuration in order to set up a VPN tunnel. The two ZyXEL Devices in this example can complete negotiation and establish a VPN tunnel.
  • Page 189: Figure 108 Edit VPN Policies

    Figure 108 Edit VPN Policies The following table describes the fields in this screen. Table 78 Edit VPN Policies LABEL DESCRIPTION IPSec Setup Active Select this check box to activate this VPN policy. This option determines whether a VPN rule is applied before a packet leaves the firewall. Keep Alive Select either Yes or No from the drop-down list box.
  • Page 190 Chapter 12 VPN Screens Table 78 Edit VPN Policies LABEL Name IPSec Key Mode Negotiation Mode Encapsulation Mode DNS Server (for IPSec VPN) Local Local Address Type IP Address Start End / Subnet Mask When the Local Address Type field is configured to Single, this field is N/A. Remote Remote Address Type...
  • Page 191 Table 78 Edit VPN Policies LABEL DESCRIPTION IP Address Start When the Remote Address Type field is configured to Single, enter a (static) IP address on the network behind the remote IPSec router. When the Remote Address Type field is configured to Range, enter the beginning (static) IP address, in a range of computers on the network behind the remote IPSec router.
  • Page 192 Chapter 12 VPN Screens Table 78 Edit VPN Policies LABEL Content Secure Gateway Address Security Protocol VPN Protocol Pre-Shared Key Encryption Algorithm DESCRIPTION The configuration of the peer content depends on the peer ID type. For IP, type the IP address of the computer with which you will make the VPN connection.
  • Page 193: IKE Phases

    Table 78 Edit VPN Policies LABEL DESCRIPTION Authentication Algorithm Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower.
  • Page 194: Negotiation Mode

    Chapter 12 VPN Screens • Choose an authentication algorithm • Choose whether to enable Perfect Forward Secrecy (PFS) using Diffie-Hellman public-key cryptography – PFS. • Choose Tunnel mode or Transport mode. • Set the IPSec SA lifetime. This field allows you to determine how long the IPSec SA should stay up before it times out.
  • Page 195: Configuring Advanced IKE Settings

    12.13 Configuring Advanced IKE Settings Click Advanced in the Figure 110 Advanced VPN Policies The following table describes the fields in this screen. Table 79 Advanced VPN Policies LABEL DESCRIPTION VPN - IKE Protocol Enter 1 for ICMP, 6 for TCP, 17 for UDP, etc. 0 is the default and signifies any protocol.
  • Page 196 Chapter 12 VPN Screens Table 79 Advanced VPN Policies (continued) LABEL Phase 1 Negotiation Mode Pre-Shared Key Encryption Algorithm Authentication Algorithm SA Life Time (Seconds) Key Group Phase 2 Active Protocol Encryption Algorithm DESCRIPTION Select Main or Aggressive from the drop-down list box. Multiple SAs connecting through a secure gateway must have the same negotiation mode.
  • Page 197: Manual Key Setup

    Table 79 Advanced VPN Policies (continued) LABEL DESCRIPTION Authentication Algorithm Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower.
  • Page 198: Figure 111 VPN: Manual Key

    Chapter 12 VPN Screens Figure 111 VPN: Manual Key The following table describes the fields in this screen. Table 80 VPN: Manual Key LABEL IPSec Setup Active Name IPSec Key Mode Encapsulation Mode DESCRIPTION Select this check box to activate this VPN policy. Type up to 32 characters to identify this VPN policy.
  • Page 199 Table 80 VPN: Manual Key (continued) LABEL DESCRIPTION DNS Server (for IPSec VPN) If there is a private DNS server that services the VPN, type its IP address here. The ZyXEL Device assigns this additional DNS server to the ZyXEL Device's DHCP clients that have IP addresses in this IPSec rule's range of local addresses....
  • Page 200: Viewing SA Monitor

    Chapter 12 VPN Screens Table 80 VPN: Manual Key (continued) LABEL My IP Address Secure Gateway Address Security Protocol IPSec Protocol Encryption Algorithm Encapsulation Key (only with ESP) Authentication Algorithm Authentication Key Back Apply Reset 12.16 Viewing SA Monitor Click Security, VPN and Monitor to open the SA Monitor screen as shown. Use this screen to display and manage active VPN connections.
  • Page 201: Configuring Global Setting

    When there is outbound traffic but no inbound traffic, the SA times out automatically after two minutes. A tunnel with no outbound or inbound traffic is "idle" and does not time out until the SA lifetime period expires. See the Keep Alive section to have the ZyXEL Device renegotiate an IPSec SA when the SA lifetime expires, even if there is no traffic. Figure 112 VPN: SA Monitor The following table describes the fields in this screen.
  • Page 202: Telecommuter VPN/IPSec Examples

    Chapter 12 VPN Screens The following table describes the fields in this screen. Table 82 VPN: Global Setting LABEL Windows Networking (NetBIOS over TCP/IP) Allow NetBIOS Traffic Through All IPSec Tunnels Apply Cancel 12.18 Telecommuter VPN/IPSec Examples The following examples show how multiple telecommuters can make VPN connections to a single ZyXEL Device at headquarters.
  • Page 203: Telecommuters Using Unique VPN Rules Example

    Table 83 Telecommuters Sharing One VPN Rule Example FIELDS TELECOMMUTERS My IP Address: 0.0.0.0 (dynamic IP address assigned by the ISP) Secure Gateway IP Public static IP address Address: Local IP Address: Telecommuter A: 192.168.2.12 Telecommuter B: 192.168.3.2 Telecommuter C: 192.168.4.15 Remote IP 192.168.1.10 Address:...
  • Page 204: VPN And Remote Management

    Chapter 12 VPN Screens Table 84 Telecommuters Using Unique VPN Rules Example TELECOMMUTERS All Telecommuter Rules: My IP Address 0.0.0.0 Secure Gateway Address: bigcompanyhq.com Remote IP Address: 192.168.1.10 Peer ID Type: E-mail Peer ID Content: bob@bigcompanyhq.com Telecommuter A (telecommutera.dydns.org) Local ID Type: IP Local ID Content: 192.168.2.12 Local IP Address: 192.168.2.12 Telecommuter B (telecommuterb.dydns.org)
  • Page 205: Advanced

    Advanced Static Route (207) Bandwidth Management (211) Dynamic DNS Setup (221) Remote Management Configuration (225) Universal Plug-and-Play (UPnP) (237)
  • Page 207: Static Route

    Chapter 13 Static Route This chapter shows you how to configure static routes for your ZyXEL Device. 13.1 Static Route The ZyXEL Device usually uses the default gateway to route outbound traffic from computers on the LAN to the Internet. To have the ZyXEL Device send data to devices not reachable through the default gateway, use static routes.
  • Page 208: Configuring Static Route

    Chapter 13 Static Route 13.2 Configuring Static Route Click Advanced > Static Route to open the Static Route screen. Figure 117 Static Route The following table describes the labels in this screen. Table 85 Static Route LABEL DESCRIPTION This is the number of an individual static route. Active This field shows whether this static route is active (Yes) or not (No).
  • Page 209: Figure 118 Static Route Edit

    Figure 118 Static Route Edit The following table describes the labels in this screen. Table 86 Static Route Edit LABEL DESCRIPTION Active This field allows you to activate/deactivate this static route. Route Name Enter the name of the IP static route. Leave this field blank to delete this static route. Destination IP This parameter specifies the IP network address of the final destination.
  • Page 211: Bandwidth Management

    Chapter 14 Bandwidth Management This chapter contains information about configuring bandwidth management, editing rules and viewing the ZyXEL Device’s bandwidth management logs. 14.1 Bandwidth Management Overview ZyXEL’s Bandwidth Management allows you to specify bandwidth management rules based on an application and/or subnet.
  • Page 212: Application And Subnet-Based Bandwidth Management

    Chapter 14 Bandwidth Management Figure 119 Subnet-based Bandwidth Management Example 14.4 Application and Subnet-based Bandwidth Management You could also create bandwidth classes based on a combination of a subnet and an application. The following example table shows bandwidth allocations for application specific traffic from separate LAN subnets.
  • Page 213: Fairness-Based Scheduler

    14.5.2 Fairness-based Scheduler The ZyXEL Device divides bandwidth equally among bandwidth classes when using the fairness-based scheduler, thus preventing one bandwidth class from using all of the interface’s bandwidth. 14.6 Maximize Bandwidth Usage The maximize bandwidth usage option allows the ZyXEL Device to divide up any available bandwidth on the interface (including unallocated bandwidth and any allocated bandwidth that a class is not using) among the bandwidth classes that require more bandwidth.
  • Page 214: Table 89 Priority-Based Allotment Of Unused And Unbudgeted Bandwidth Example

    Chapter 14 Bandwidth Management The ZyXEL Device divides up the unbudgeted 2048 kbps among the classes that require more bandwidth. If the administration department only uses 1024 kbps of the budgeted 2048 kbps, the ZyXEL Device also divides the remaining 1024 kbps among the classes that require more bandwidth.
  • Page 215: Over Allotment Of Bandwidth

    14.6.3 Over Allotment of Bandwidth You can set the bandwidth management speed for an interface higher than the interface’s actual transmission speed. Higher priority traffic gets to use up to its allocated bandwidth, even if it takes up all of the interface’s available bandwidth. This could stop lower priority traffic from being sent.
  • Page 216: Figure 120 Bandwidth Management: Summary

    Chapter 14 Bandwidth Management Figure 120 Bandwidth Management: Summary The following table describes the labels in this screen. Table 93 Media Bandwidth Management: Summary LABEL DESCRIPTION Interface These read-only labels represent the physical interfaces. Select an interface’s check box to enable bandwidth management on that interface. Bandwidth management applies to all traffic flowing out of the router through the interface, regardless of the traffic’s source.
  • Page 217: Bandwidth Management Rule Setup

    14.8 Bandwidth Management Rule Setup You must use the Bandwidth Management Summary screen to enable bandwidth management on an interface before you can configure rules for that interface. Click Advanced > Bandwidth MGMT > Rule Setup to open the following screen. Figure 121 Bandwidth Management: Rule Setup The following table describes the labels in this screen.
  • Page 218: Rule Configuration

    Chapter 14 Bandwidth Management 14.8.1 Rule Configuration Click the Edit icon or select User define in the Service field to configure a bandwidth management rule. Use bandwidth rules to allocate specific amounts of bandwidth capacity (bandwidth budgets) to specific applications and/or subnets. Figure 122 Bandwidth Management Rule Configuration The following table describes the labels in this screen.
  • Page 219 Table 95 Bandwidth Management Rule Configuration (continued) LABEL DESCRIPTION Use All Managed Bandwidth Select this option to allow a rule to borrow unused bandwidth on the interface. Bandwidth borrowing is governed by the priority of the rules. That is, a rule with the highest priority is the first to borrow bandwidth....
  • Page 220: Bandwidth Monitor

    Chapter 14 Bandwidth Management Table 96 Services and Port Numbers SERVICES ECHO FTP (File Transfer Protocol) SMTP (Simple Mail Transfer Protocol) DNS (Domain Name System) Finger HTTP (Hyper Text Transfer protocol or WWW, Web) POP3 (Post Office Protocol) NNTP (Network News Transport Protocol) SNMP (Simple Network Management Protocol) SNMP trap PPTP (Point-to-Point Tunneling Protocol)
  • Page 221: Dynamic DNS Setup

    Chapter 15 Dynamic DNS Setup This chapter discusses how to configure your ZyXEL Device to use Dynamic DNS. 15.1 Dynamic DNS Overview Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You can also access your FTP server or Web site on your own computer using a domain name (for instance myhost.dhs.org, where myhost is a name of your choice) that will never change instead of using an IP address that changes each time you reconnect.
  • Page 222: Figure 124 Dynamic DNS

    Chapter 15 Dynamic DNS Setup Figure 124 Dynamic DNS The following table describes the fields in this screen. Table 97 Dynamic DNS LABEL DESCRIPTION Dynamic DNS Setup Active Dynamic Select this check box to use dynamic DNS. Service Provider This is the name of your Dynamic DNS service provider. Dynamic DNS Select the type of service that you are registered for from your Dynamic DNS Type...
  • Page 223 Table 97 Dynamic DNS (continued) LABEL DESCRIPTION Dynamic DNS server auto detect IP Select this option only when there are one or more NAT routers between the ZyXEL Device and the DDNS server. This feature has the DDNS server automatically detect and use the IP address of the NAT router that has a public IP address....
  • Page 225: Remote Management Configuration

    Chapter 16 Remote Management Configuration This chapter provides information on configuring remote management. 16.1 Remote Management Overview Remote management allows you to determine which services/protocols can access which ZyXEL Device interface (if any) from which computers. When you configure remote management to allow management from the WAN, you still need to configure a firewall rule to allow access.
  • Page 226: Remote Management Limitations

    Chapter 16 Remote Management Configuration 16.1.1 Remote Management Limitations Remote management over LAN or WAN will not work when: • You have disabled that service in one of the remote management screens. • The IP address in the Secured Client IP field does not match the client IP address. If it does not match, the ZyXEL Device will disconnect the session immediately.
  • Page 227: Telnet

    The following table describes the labels in this screen. Table 98 Remote Management: WWW LABEL DESCRIPTION Port You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management. Access Status Select the interface(s) through which a computer may access the ZyXEL Device using this service.
  • Page 228: Configuring FTP

    Chapter 16 Remote Management Configuration The following table describes the labels in this screen. Table 99 Remote Management: Telnet LABEL Port You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management. Access Status Select the interface(s) through which a computer may access the ZyXEL Device using this service.
  • Page 229: SNMP

    Table 100 Remote Management: FTP LABEL DESCRIPTION Secured Client IP A secured client is a “trusted” computer that is allowed to communicate with the ZyXEL Device using this service. Select All to allow any computer to access the ZyXEL Device using this service. Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service.
  • Page 230: Supported MIBs

    Chapter 16 Remote Management Configuration An agent is a management software module that resides in a managed device (the ZyXEL Device). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions.
  • Page 231: Configuring SNMP

    Table 102 SNMPv2 Traps (continued) OBJECT LABEL WarmStart linkDown linkUp RFC 1493 Traps newRoot topology change 16.6.3 Configuring SNMP To change your ZyXEL Device’s SNMP settings, click Advanced > Remote MGMT > SNMP. The screen appears as shown. Figure 129 Remote Management: SNMP The following table describes the labels in this screen.
  • Page 232: Configuring DNS

    Chapter 16 Remote Management Configuration Table 103 Remote Management: SNMP LABEL Secured Client IP SNMP Configuration Get Community Set Community Trap Community Destination Apply Cancel 16.7 Configuring DNS Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa.
  • Page 233: Configuring ICMP

    The following table describes the labels in this screen. Table 104 Remote Management: DNS LABEL DESCRIPTION Port You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management. Access Status Select the interface(s) through which a computer may send DNS queries to the ZyXEL Device.
  • Page 234: P-661H Only)

    Chapter 16 Remote Management Configuration Table 105 Remote Management: ICMP LABEL DESCRIPTION Do not respond to requests for unauthorized services Select this option to prevent hackers from finding the ZyXEL Device by probing for unused ports. If you select this option, the ZyXEL Device will not respond to port request(s) for unused ports, thus leaving the unused ports and the ZyXEL Device...
  • Page 235: Table 106 TR-069 Commands

    The following table gives a description of TR-069 commands. Table 106 TR-069 Commands COMMAND COMMAND SUBDIRECTO tr069 load active [0:no/ 1:yes] acsUrl <URL> username [maxlength:15] password [maxlength:15] periodicEnable [0:Disable/ 1:Enable] informInterval [sec] save DESCRIPTION All TR-069 related commands must be preceded by wan tr069.
  • Page 237: Universal Plug-And-Play (UPnP)

    Chapter 17 Universal Plug-and-Play (UPnP) This chapter introduces the UPnP feature in the web configurator. 17.1 Introducing Universal Plug and Play Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities and learn about other devices on the network.
  • Page 238: UPnP And ZyXEL

    Chapter 17 Universal Plug-and-Play (UPnP) When a UPnP device joins a network, it announces its presence with a multicast message. For security reasons, the ZyXEL Device allows multicast messages on the LAN only. All UPnP-enabled devices may communicate freely with each other without additional configuration.
  • Page 239: Installing UPnP In Windows Example

    Table 107 Configuring UPnP LABEL Apply Cancel 17.3 Installing UPnP in Windows Example This section shows how to install UPnP in Windows Me and Windows XP. Installing UPnP in Windows Me Follow the steps below to install the UPnP in Windows Me. 1 Click Start and Control Panel.
  • Page 240: Figure 135 Add/Remove Programs: Windows Setup: Communication: Components

    Chapter 17 Universal Plug-and-Play (UPnP) Figure 135 Add/Remove Programs: Windows Setup: Communication: Components 4 Click OK to go back to the Add/Remove Programs Properties window and click Next. 5 Restart the computer when prompted. Installing UPnP in Windows XP Follow the steps below to install the UPnP in Windows XP. 1 Click Start and Control Panel.
  • Page 241: Figure 137 Windows Optional Networking Components Wizard

    Chapter 17 Universal Plug-and-Play (UPnP) Figure 137 Windows Optional Networking Components Wizard 5 In the Networking Services window, select the Universal Plug and Play check box. Figure 138 Networking Services
  • Page 242: Using UPnP In Windows XP Example

    Chapter 17 Universal Plug-and-Play (UPnP) 6 Click OK to go back to the Windows Optional Networking Component Wizard window and click Next. 17.4 Using UPnP in Windows XP Example This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the ZyXEL Device.
  • Page 243: Figure 140 Internet Connection Properties

    Chapter 17 Universal Plug-and-Play (UPnP) Figure 140 Internet Connection Properties 4 You may edit or delete the port mappings or click Add to manually add port mappings.
  • Page 244: Figure 141 Internet Connection Properties: Advanced Settings

    Chapter 17 Universal Plug-and-Play (UPnP) Figure 141 Internet Connection Properties: Advanced Settings Figure 142 Internet Connection Properties: Advanced Settings: Add 5 When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically. 6 Select Show icon in notification area when connected option and click OK. An icon displays in the system tray.
  • Page 245: Figure 143 System Tray Icon

    Figure 143 System Tray Icon 7 Double-click on the icon to display your current Internet connection status. Figure 144 Internet Connection Status Web Configurator Easy Access With UPnP, you can access the web-based configurator on the ZyXEL Device without finding out the IP address of the ZyXEL Device first.
  • Page 246: Figure 145 Network Connections

    Chapter 17 Universal Plug-and-Play (UPnP) Figure 145 Network Connections 4 An icon with the description for each UPnP-enabled device displays under Local Network. 5 Right-click on the icon for your ZyXEL Device and select Invoke. The web configurator login screen displays.
  • Page 247: Figure 146 Network Connections: My Network Places

    Chapter 17 Universal Plug-and-Play (UPnP) Figure 146 Network Connections: My Network Places 6 Right-click on the icon for your ZyXEL Device and select Properties. A properties window displays with basic information about the ZyXEL Device. Figure 147 Network Connections: My Network Places: Properties: Example
  • Page 249: Maintenance

    Maintenance System (251) Logs (257) Tools (261) Diagnostic (267)
  • Page 251: System

    Chapter 18 System Use this screen to configure the ZyXEL Device’s time and date settings. 18.1 General Setup 18.1.1 General Setup and System Name General Setup contains administrative and system-related information. System Name is for identification purposes. However, because some ISPs check this name you should enter your computer's "Computer Name".
  • Page 252: Figure 148 System General Setup

    Chapter 18 System Figure 148 System General Setup The following table describes the labels in this screen. Table 108 System General Setup LABEL DESCRIPTION General Setup System Name Choose a descriptive name for identification purposes. It is recommended you enter your computer’s “Computer name”...
  • Page 253: Time Setting

    Table 108 System General Setup LABEL DESCRIPTION Old Password Type the default administrator password (1234) or the existing password you use to access the system for configuring advanced features in this field. New Password Type your new system password (up to 30 characters). Note that as you type a password, the screen displays a (*) for each character you type.
  • Page 254: Table 109 System Time Setting

    Chapter 18 System The following table describes the fields in this screen. Table 109 System Time Setting LABEL Current Time and Date Current Time Current Date Time and Date Setup Manual New Time (hh:mm:ss) New Date (yyyy/mm/dd) Get from Time Server Time Protocol Time Server...
  • Page 255 Table 109 System Time Setting (continued) LABEL DESCRIPTION Start Date Configure the day and time when Daylight Saving Time starts if you selected Enable Daylight Saving. The o'clock field uses the 24 hour format. Here are a couple of examples: Daylight Saving Time starts in most parts of the United States on the first Sunday of April.
  • Page 257: Logs

    Chapter 19 Logs This chapter contains information about configuring general log settings and viewing the ZyXEL Device’s logs. Refer to the appendix for example log message explanations. 19.1 Logs Overview The web configurator allows you to choose which categories of events and/or alerts to have the ZyXEL Device log and then display the logs or have the ZyXEL Device send them to an administrator (as e-mail) or to a syslog server.
  • Page 258: Configuring Log Settings

    Chapter 19 Logs Figure 150 View Log The following table describes the fields in this screen. Table 110 View Logs LABEL DESCRIPTION Display The categories that you select in the Log Settings screen display in the drop-down list box. Select a category of logs to view; select All Logs to view logs from all of the log categories that you selected in the Log Settings page.
  • Page 259: Figure 151 Log Settings

    Figure 151 Log Settings The following table describes the fields in this screen. Table 111 Log Settings LABEL DESCRIPTION E-mail Log Settings Mail Server Enter the server name or the IP address of the mail server for the e-mail addresses specified below.
  • Page 260 Chapter 19 Logs Table 111 Log Settings LABEL DESCRIPTION User Name Enter the user name (up to 31 characters) (usually the user name of a mail account). Password Enter the password associated with the user name above. Log Schedule This drop-down menu is used to configure the frequency of log messages being sent as E-mail: Daily Weekly...
  • Page 261: Tools

    Chapter 20 Tools This chapter covers uploading new firmware, managing configuration and restarting your ZyXEL Device. 20.1 Firmware Upgrade Find firmware at www.zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example, "ZyXEL Device.bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes.
  • Page 262: Figure 153 Firmware Upload In Progress

    Chapter 20 Tools Table 112 Firmware Upgrade (continued) LABEL DESCRIPTION Browse... Click Browse... to find the .bin file you want to upload. Remember that you must decompress compressed (.zip) files before you can upload them. Upload Click Upload to begin the upload process. This process may take up to two minutes.
  • Page 263: Configuration

    Figure 155 Error Message 20.2 Configuration Use this screen to back up or restore the configuration of the ZyXEL Device. You can also use this screen to reset the ZyXEL Device to the factory default settings. To access this screen, click Maintenance >...
  • Page 264: Figure 157 Configuration Upload Successful

    Chapter 20 Tools Table 113 Configuration LABEL DESCRIPTION Upload Click this to restore the selected configuration file. See below for more information about this. Note: Do not turn off the device while configuration file upload is in Back to Factory Defaults Reset Click this to clear all user-entered configuration information and return the ZyXEL...
  • Page 265: Restart

    You might have to open a new browser to log in again. If the upload was not successful, a Configuration Upload Error screen appears. Figure 159 Configuration Upload Error Click Return to go back to the previous screen. 20.3 Restart System restart allows you to reboot the ZyXEL Device without turning the power off.
  • Page 267: Diagnostic

    Chapter 21 Diagnostic These read-only screens display information to help you identify problems with the ZyXEL Device. 21.1 General Diagnostic Click Maintenance > Diagnostic to open the screen shown next. Figure 161 Diagnostic: General The following table describes the fields in this screen. Table 114 Diagnostic: General LABEL DESCRIPTION...
  • Page 268: DSL Line Diagnostic

    Chapter 21 Diagnostic 21.2 DSL Line Diagnostic Click Maintenance > Diagnostic > DSL Line to open the screen shown next. Figure 162 Diagnostic: DSL Line The following table describes the fields in this screen. Table 115 Diagnostic: DSL Line LABEL DESCRIPTION ATM Status Click this button to view ATM status.
  • Page 269: Troubleshooting And Specifications

    Troubleshooting and Specifications Troubleshooting (271) Product Specifications (275)
  • Page 271: Troubleshooting

    Chapter 22 Troubleshooting This chapter offers some suggestions to solve problems you might encounter. The potential problems are divided into the following categories. • Power, Hardware Connections, and LEDs • ZyXEL Device Access and Login • Internet Access •...
  • Page 272: ZyXEL Device Access And Login

    Chapter 22 Troubleshooting 22.2 ZyXEL Device Access and Login I forgot the IP address for the ZyXEL Device. 1 The default IP address is 192.168.1.1. 2 If you changed the IP address and have forgotten it, you might get the IP address of the ZyXEL Device by looking up the IP address of the default gateway for your computer.
  • Page 273: Internet Access

    5 Check that you have enabled web service access. If you have configured a secured client IP address, your computer's IP address must match it. See 6 Reset the device to its factory defaults, and try to access the ZyXEL Device with the default IP address.
  • Page 274: Wireless Router/AP Troubleshooting

    Chapter 22 Troubleshooting 4 Disconnect all the cables from your device, and follow the directions in the Quick Start Guide again. 5 If the problem continues, contact your ISP. I cannot access the Internet anymore. I had access to the Internet (with the ZyXEL Device), but my Internet connection is not available anymore.
  • Page 275: Product Specifications

    Chapter 23 Product Specifications This chapter gives details about your ZyXEL Device’s hardware and firmware features. 23.1 General ZyXEL Device Specifications The following tables summarize the ZyXEL Device’s hardware and firmware features. Table 116 Hardware Specifications SPECIFICATION Dimensions (W x D x H) Power...
  • Page 276 Chapter 23 Product Specifications Table 117 Firmware Specifications FEATURE Firmware Upgrade Configuration Backup & Restoration Network Address Translation (NAT) Port Forwarding DHCP (Dynamic Host Configuration Protocol) Dynamic DNS Support IP Multicast IP Alias Time and Date Logging and Tracing PPPoE Universal Plug and Play (UPnP) Firewall...
  • Page 277: Table 118 Standards Supported

    The following list, which is not exhaustive, illustrates the standards supported in the ZyXEL Device. Table 118 Standards Supported STANDARD RFC 867 RFC 868 RFC 1058 RFC 1112 RFC 1157 RFC 1305 RFC 1441 RFC 1483 RFC 1631 RFC 1661 RFC 1723 RFC 1901 RFC 2236...
  • Page 278: Wall-Mounting Instructions

    23.2 Wall-mounting Instructions Complete the following steps to hang your ZyXEL Device on a wall. Table 116 on page 275 place them. 1 Select a position free of obstructions on a sturdy wall. 2 Drill two holes for the screws. Be careful to avoid damaging pipes or cables located inside the wall when drilling holes for the screws.
  • Page 279: Cable Pin Assignments

    Figure 164 Masonry Plug and M4 Tap Screw 23.3 Cable Pin Assignments Table 119 Ethernet Cable Pin Assignments WAN / LAN ETHERNET CABLE PIN LAYOUT Straight-through (Switch) 1 IRD + 2 IRD - 3 OTD 6 OTD - Crossover (Adapter) (Switch)
  • Page 281: Appendices And Index

    Appendices and Index The appendices provide general information. Some details may not apply to your ZyXEL Device. Setting up Your Computer’s IP Address (283) Pop-up Windows, JavaScripts and Java Permissions (305) IP Addresses and Subnetting (313) Wireless LANs (323) Common Services (337) Legal Information (341) Customer Support (345) Index (351)
  • Page 283: Appendix A Setting Up Your Computer's Ip Address

    Appendix A Setting up Your Computer’s IP Address All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP/Vista, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer.
  • Page 284: Figure 165 Windows 95/98/Me: Network: Configuration

    Figure 165 Windows 95/98/Me: Network: Configuration Installing Components The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the adapter: 1 In the Network window, click Add.
  • Page 285: Figure 166 Windows 95/98/Me: Tcp/Ip Properties: Ip Address

    Configuring 1 In the Network window Configuration tab, select your network adapter's TCP/IP entry and click Properties 2 Click the IP Address tab. • If your IP address is dynamic, select Obtain an IP address automatically. • If you have a static IP address, select Specify an IP address and type your information into the IP Address and Subnet Mask fields.
  • Page 286: Figure 167 Windows 95/98/Me: Tcp/Ip Properties: Dns Configuration

    Figure 167 Windows 95/98/Me: TCP/IP Properties: DNS Configuration 4 Click the Gateway tab. • If you do not know your gateway’s IP address, remove previously installed gateways. • If you have a gateway IP address, type it in the New gateway field and click Add. 5 Click OK to save and close the TCP/IP Properties window.
  • Page 287: Figure 168 Windows Xp: Start Menu

    Figure 168 Windows XP: Start Menu 2 In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT). Figure 169 Windows XP: Control Panel 3 Right-click Local Area Connection and then click Properties.
  • Page 288: Figure 170 Windows Xp: Control Panel: Network Connections: Properties

    Figure 170 Windows XP: Control Panel: Network Connections: Properties 4 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and then click Properties. Figure 171 Windows XP: Local Area Connection Properties 5 The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP).
  • Page 289: Figure 172 Windows Xp: Internet Protocol (Tcp/Ip) Properties

    Figure 172 Windows XP: Internet Protocol (TCP/IP) Properties 6 If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK. Do one or more of the following if you want to configure additional IP addresses: •...
  • Page 290: Figure 173 Windows Xp: Advanced Tcp/Ip Properties

    Figure 173 Windows XP: Advanced TCP/IP Properties 7 In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP): • Click Obtain DNS server address automatically if you do not know your DNS server IP address(es).
  • Page 291: Figure 174 Windows Xp: Internet Protocol (Tcp/Ip) Properties

    Figure 174 Windows XP: Internet Protocol (TCP/IP) Properties 8 Click OK to close the Internet Protocol (TCP/IP) Properties window. 9 Click Close (OK in Windows 2000/NT) to close the Local Area Connection Properties window. 10 Close the Network Connections window (Network and Dial-up Connections in Windows 2000/NT).
  • Page 292: Figure 175 Windows Vista: Start Menu

    Figure 175 Windows Vista: Start Menu 2 In the Control Panel, double-click Network and Internet. Figure 176 Windows Vista: Control Panel 3 Click Network and Sharing Center. Figure 177 Windows Vista: Network And Internet 4 Click Manage network connections.
  • Page 293: Figure 179 Windows Vista: Network And Sharing Center

    5 Right-click Local Area Connection and then click Properties. During this procedure, click Continue whenever Windows displays a screen saying that it needs your permission to continue. Figure 179 Windows Vista: Network and Sharing Center 6 Select Internet Protocol Version 4 (TCP/IPv4) and click Properties. Figure 180 Windows Vista: Local Area Connection Properties
  • Page 294: Figure 181 Windows Vista: Internet Protocol Version 4 (Tcp/Ipv4) Properties

    7 The Internet Protocol Version 4 (TCP/IPv4) Properties window opens (the General tab). • If you have a dynamic IP address click Obtain an IP address automatically. • If you have a static IP address click Use the following IP address and fill in the IP address, Subnet mask, and Default gateway fields.
  • Page 295: Figure 182 Windows Vista: Advanced Tcp/Ip Properties

    Figure 182 Windows Vista: Advanced TCP/IP Properties 9 In the Internet Protocol Version 4 (TCP/IPv4) Properties window, (the General tab): • Click Obtain DNS server address automatically if you do not know your DNS server IP address(es). • If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields.
  • Page 296: Figure 183 Windows Vista: Internet Protocol Version 4 (Tcp/Ipv4) Properties

    Figure 183 Windows Vista: Internet Protocol Version 4 (TCP/IPv4) Properties 10 Click OK to close the Internet Protocol Version 4 (TCP/IPv4) Properties window. 11 Click Close to close the Local Area Connection Properties window. 12 Close the Network Connections window.
  • Page 297: Figure 184 Macintosh Os 8/9: Apple Menu

    Figure 184 Macintosh OS 8/9: Apple Menu 2 Select Ethernet built-in from the Connect via list. Figure 185 Macintosh OS 8/9: TCP/IP 3 For dynamically assigned settings, select Using DHCP Server from the Configure: list. 4 For statically assigned settings, do the following: •...
  • Page 298: Figure 186 Macintosh Os X: Apple Menu

    • Type your IP address in the IP Address box. • Type your subnet mask in the Subnet mask box. • Type the IP address of your ZyXEL Device in the Router address box. 5 Close the TCP/IP Control Panel.
  • Page 299: Figure 187 Macintosh Os X: Network

    Figure 187 Macintosh OS X: Network 4 For statically assigned settings, do the following: • From the Configure box, select Manually. • Type your IP address in the IP Address box. • Type your subnet mask in the Subnet mask box. •...
  • Page 300: Figure 188 Red Hat 9.0: Kde: Network Configuration: Devices

    Make sure you are logged in as the root administrator. Using the K Desktop Environment (KDE) Follow the steps below to configure your computer IP address using the KDE. 1 Click the Red Hat button (located on the bottom left corner), select System Setting and click Network.
  • Page 301: Figure 190 Red Hat 9.0: Kde: Network Configuration: Dns

    • If you have a dynamic IP address, click Automatically obtain IP address settings with and select dhcp from the drop down list. • If you have a static IP address, click Statically set IP Addresses and fill in the Address, Subnet mask, and Default Gateway Address fields.
  • Page 302: Figure 192 Red Hat 9.0: Dynamic Ip Address Setting In Ifconfig-Eth0

    Figure 192 Red Hat 9.0: Dynamic IP Address Setting in ifconfig-eth0 DEVICE=eth0 ONBOOT=yes BOOTPROTO=dhcp USERCTL=no PEERDNS=yes TYPE=Ethernet • If you have a static IP address, enter = followed by the IP address (in dotted decimal notation) and type IPADDR followed by the subnet mask.
  • Page 303: Figure 196 Red Hat 9.0: Checking Tcp/Ip Properties

    Verifying Settings Enter ifconfig in a terminal screen to check your TCP/IP properties. Figure 196 Red Hat 9.0: Checking TCP/IP Properties [root@localhost]# ifconfig eth0 Link encap:Ethernet inet addr:172.23.19.129 UP BROADCAST RUNNING MULTICAST RX packets:717 errors:0 dropped:0 overruns:0 frame:0 TX packets:13 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:730412 (713.2 Kb) Interrupt:10 Base address:0x1000...
  • Page 305: Appendix B Pop-Up Windows, Javascripts And Java Permissions

    Appendix B Pop-up Windows, JavaScripts and Java Permissions In order to use the web configurator you need to allow: • Web browser pop-up windows from your device. • JavaScripts (enabled by default). • Java permissions (enabled by default). Internet Explorer 6 screens are used here.
  • Page 306: Figure 198 Internet Options: Privacy

    2 Clear the Block pop-ups check box in the Pop-up Blocker section of the screen. This disables any web pop-up blockers you may have enabled. Figure 198 Internet Options: Privacy 3 Click Apply to save this setting. Enable Pop-up Blockers with Exceptions Alternatively, if you only want to allow pop-up windows from your device, see the following steps.
  • Page 307: Figure 199 Internet Options: Privacy

    Figure 199 Internet Options: Privacy 3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix “http://”. For example, http://192.168.167.1. 4 Click Add to move the IP address to the list of Allowed sites. Figure 200 Pop-up Blocker Settings
  • Page 308: Figure 201 Internet Options: Security

    5 Click Close to return to the Privacy screen. 6 Click Apply to save this setting. JavaScripts If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed.
  • Page 309: Figure 202 Security Settings - Java Scripting

    Figure 202 Security Settings - Java Scripting Java Permissions 1 From Internet Explorer, click Tools, Internet Options and then the Security tab. 2 Click the Custom Level... button. 3 Scroll down to Microsoft VM. 4 Under Java permissions make sure that a safety level is selected. 5 Click OK to close the window.
  • Page 310: Figure 204 Java (Sun)

    JAVA (Sun) 1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab. 2 Make sure that Use Java 2 for <applet> under Java (Sun) is selected. 3 Click OK to close the window. Figure 204 Java (Sun) Mozilla Firefox Mozilla Firefox 2.0 screens are used here.
  • Page 311: Figure 205 Mozilla Firefox: Tools > Options

    Figure 205 Mozilla Firefox: Tools > Options Click Content to show the screen below. Select the check boxes as shown in the following screen. Figure 206 Mozilla Firefox Content Security
  • Page 313: Appendix C Ip Addresses And Subnetting

    Appendix C IP Addresses and Subnetting This appendix introduces IP addresses and subnet masks. IP addresses identify individual devices on a network. Every networking device (including computers, servers, routers, printers, etc.) needs an IP address to communicate across the network.
  • Page 314: Figure 207 Network Number And Host Id

    Figure 207 Network Number and Host ID How much of the IP address is the network number and how much is the host ID varies according to the subnet mask. Subnet Masks A subnet mask is used to determine which bits are part of the network number, and which bits are part of the host ID (using a logical AND operation).
  • Page 315: Table 121 Subnet Masks

    Subnet masks are expressed in dotted decimal notation just like IP addresses. The following examples show the binary and decimal notation for 8-bit, 16-bit, 24-bit and 29-bit subnet masks. Table 121 Subnet Masks BINARY OCTET 8-bit mask 11111111 16-bit mask 11111111 24-bit mask 11111111...
  • Page 316: Figure 208 Subnetting Example: Before Subnetting

    Table 123 Alternative Subnet Mask Notation (continued) SUBNET MASK 255.255.255.192 255.255.255.224 255.255.255.240 255.255.255.248 255.255.255.252 Subnetting You can use subnetting to divide one network into multiple sub-networks. In the following example a network administrator creates two sub-networks to isolate a group of servers from the rest of the company network for security reasons.
  • Page 317: Figure 209 Subnetting Example: After Subnetting

    Figure 209 Subnetting Example: After Subnetting In a 25-bit subnet the host ID has 7 bits, so each sub-network has a maximum of 2^7 - 2 = 126 possible hosts (a host ID of all zeroes is the subnet’s address itself, all ones is the subnet’s broadcast address).
  • Page 318: Table 125 Subnet 2

    Table 125 Subnet 2 IP/SUBNET MASK IP Address IP Address (Binary) Subnet Mask (Binary) Subnet Address: 192.168.1.64 Broadcast Address: 192.168.1.127 Table 126 Subnet 3 IP/SUBNET MASK IP Address IP Address (Binary) Subnet Mask (Binary) Subnet Address: 192.168.1.128 Broadcast Address:...
  • Page 319: Table 129 24-Bit Network Number Subnet Planning

    Table 128 Eight Subnets (continued) SUBNET SUBNET ADDRESS Subnet Planning The following table is a summary for subnet planning on a network with a 24-bit network number. Table 129 24-bit Network Number Subnet Planning NO. “BORROWED” HOST BITS The following table is a summary for subnet planning on a network with a 16-bit network number.
  • Page 320: Private Ip Addresses

    Table 130 16-bit Network Number Subnet Planning (continued) NO. “BORROWED” HOST BITS Configuring IP Addresses Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask.
  • Page 321: Figure 210 Conflicting Computer Ip Addresses Example

    IP Address Conflicts Each device on a network must have a unique IP address. Devices with duplicate IP addresses on the same network will not be able to access the Internet or other resources. The devices may also be unreachable through the network. Conflicting Computer IP Addresses Example More than one device cannot use the same IP address.
  • Page 322: Figure 212 Conflicting Computer And Router Ip Addresses Example

    Conflicting Computer and Router IP Addresses Example More than one device cannot use the same IP address. In the following example, the computer and the router’s LAN port both use 192.168.1.1 as the IP address. The computer cannot access the Internet.
  • Page 323: Appendix D Wireless Lans

    Appendix D Wireless LANs Wireless LAN Topologies This section discusses ad-hoc and infrastructure wireless LAN topologies. Ad-hoc Wireless LAN Configuration The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless adapters (A, B, C). Any time two or more wireless adapters are within range of each other, they can set up an independent network, which is commonly referred to as an ad-hoc network or Independent Basic Service Set (IBSS).
  • Page 324: Figure 214 Basic Service Set

    Figure 214 Basic Service Set An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS). This type of wireless LAN topology is called an Infrastructure WLAN.
  • Page 325: Figure 215 Infrastructure Wlan

    Figure 215 Infrastructure WLAN Channel A channel is the radio frequency(ies) used by wireless devices to transmit and receive data. Channels available depend on your geographical area. You may have a choice of channels (for your region) so you should use a channel different from an adjacent AP (access point) to reduce interference.
  • Page 326: Figure 216 Rts/Cts

    Figure 216 RTS/CTS When station A sends data to the AP, it might not know that the station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations.
  • Page 327: Table 131 Ieee 802.11G

    If the Fragmentation Threshold value is smaller than the RTS/CTS value (see previously) you set then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size. Preamble Type Preamble is used to signal that data is coming to the receiver.
  • Page 328: Table 132 Wireless Security Levels

    Wireless security methods available on the ZyXEL Device are data encryption, wireless client authentication, restricting access by device MAC address and hiding the ZyXEL Device identity. The following figure shows the relative effectiveness of these wireless security methods available on your ZyXEL Device.
  • Page 329: Types Of Radius Messages

    Determines the network services available to authenticated users once they are connected to the network. • Accounting Keeps track of the client’s network activity. RADIUS is a simple package exchange in which your AP acts as a message relay between the wireless client and the network RADIUS server.
  • Page 330 Appendix D Wireless LANs For EAP-TLS authentication type, you must first have a wired connection to the network and obtain the certificate(s) from a certificate authority (CA). A certificate (also called digital IDs) can be used to authenticate users and a CA issues certificates and guarantees the identity of each certificate owner.
  • Page 331: Table 133 Comparison Of Eap Authentication Types

    Dynamic WEP Key Exchange The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed. If this feature is enabled, it is not necessary to configure a default encryption key in the wireless security configuration screen.
  • Page 332 Appendix D Wireless LANs Encryption Both WPA and WPA2 improve data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x. WPA and WPA2 use Advanced Encryption Standard (AES) in the Counter mode with Cipher block chaining Message authentication code Protocol (CCMP) to offer stronger encryption than TKIP.
  • Page 333: Wireless Client Wpa Supplicants

    Wireless Client WPA Supplicants A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicant is the WPA patch for Windows XP, Funk Software's Odyssey client. The Windows XP patch is a free download that adds WPA capability to Windows XP's built-in "Zero Configuration"...
  • Page 334: Figure 218 Wpa(2)-Psk Authentication

    3 The AP and wireless clients generate a common PMK (Pairwise Master Key). The key itself is not sent over the network, but is derived from the PSK and the SSID. 4 The AP and wireless clients use the TKIP or AES encryption process, the PMK and information exchanged in a handshake to create temporal encryption keys.
  • Page 335: Antenna Characteristics

    Antenna Overview An antenna couples RF signals onto air. A transmitter within a wireless device sends an RF signal to the antenna, which propagates the signal through the air. The antenna also operates in reverse by capturing RF signals from the air. Positioning the antennas properly increases the range and coverage area of a wireless LAN.
  • Page 336 Appendix D Wireless LANs Positioning Antennas In general, antennas should be mounted as high as practically possible and free of obstructions. In point-to–point application, position both antennas at the same height and in a direct line of sight to each other to attain the best performance. For omni-directional antennas mounted on a table, desk, and so on, point the antenna up.
  • Page 337: Appendix E Common Services

    Appendix E Common Services The following table lists some commonly-used services and their associated protocols and port numbers. For a comprehensive list of port numbers, ICMP type/code numbers and services, visit the IANA (Internet Assigned Number Authority) web site. •...
  • Page 338 Appendix E Common Services Table 135 Commonly Used Services (continued) NAME H.323 HTTP HTTPS ICMP IGMP (MULTICAST) User-Defined MSN Messenger NEW-ICQ NEWS NNTP PING POP3 PPTP PPTP_TUNNEL (GRE) RCMD REAL_AUDIO REXEC RLOGIN PROTOCOL PORT(S) DESCRIPTION File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail.
  • Page 339 Table 135 Commonly Used Services (continued) NAME PROTOCOL RTELNET RTSP TCP/UDP SFTP SMTP SNMP TCP/UDP SNMP-TRAPS TCP/UDP SQL-NET TCP/UDP STRM WORKS SYSLOG TACACS TELNET TFTP VDOLIVE PORT(S) DESCRIPTION Remote Telnet. The Real Time Streaming (media control) Protocol (RTSP) is a remote control for multimedia on the Internet.
  • Page 341: Appendix F Legal Information

    ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved.
  • Page 342 Appendix F Legal Information If this device does cause harmful interference to radio/television reception, which can be determined by turning the device off and on, the user is encouraged to try to correct the interference by one or more of the following measures: 1 Reorient or relocate the receiving antenna.
  • Page 343: Zyxel Limited Warranty

    3 Select the certification you wish to view from this page. ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever...
  • Page 345: Appendix G Customer Support

    • Sales E-mail: sales@zyxel.com.tw • Telephone: +886-3-578-3942 • Fax: +886-3-578-2439 • Web: www.zyxel.com, www.europe.zyxel.com • FTP: ftp.zyxel.com, ftp.europe.zyxel.com • Regular Mail: ZyXEL Communications Corp., 6 Innovation Road II, Science Park, Hsinchu 300, Taiwan Costa Rica • Support E-mail: soporte@zyxel.co.cr • Sales E-mail: sales@zyxel.co.cr •...
  • Page 346 Appendix G Customer Support • Regular Mail: ZyXEL Communications, Czech s.r.o., Modranská 621, 143 01 Praha 4 - Modrany, Ceská Republika Denmark • Support E-mail: support@zyxel.dk • Sales E-mail: sales@zyxel.dk • Telephone: +45-39-55-07-00 • Fax: +45-39-55-07-07 • Web: www.zyxel.dk • Regular Mail: ZyXEL Communications A/S, Columbusvej, 2860 Soeborg, Denmark Finland •...
  • Page 347 India • Support E-mail: support@zyxel.in • Sales E-mail: sales@zyxel.in • Telephone: +91-11-30888144 to +91-11-30888153 • Fax: +91-11-30888149, +91-11-26810715 • Web: http://www.zyxel.in • Regular Mail: India - ZyXEL Technology India Pvt Ltd., II-Floor, F2/9 Okhla Phase -1, New Delhi 110020, India Japan •...
  • Page 348 Appendix G Customer Support • Regular Mail: ZyXEL Communications Inc., 1130 N. Miller St., Anaheim, CA 92806- 2001, U.S.A. Norway • Support E-mail: support@zyxel.no • Sales E-mail: sales@zyxel.no • Telephone: +47-22-80-61-80 • Fax: +47-22-80-61-81 • Web: www.zyxel.no • Regular Mail: ZyXEL Communications A/S, Nils Hansens vei 13, 0667 Oslo, Norway Poland •...
  • Page 349 • Telephone: +44-1344-303044, 08707-555779 (UK only) • Fax: +44-1344-303034 • Web: www.zyxel.co.uk • FTP: ftp.zyxel.co.uk • Regular Mail: ZyXEL Communications UK Ltd., 11 The Courtyard, Eastern Road, Bracknell, Berkshire RG12 2XB, United Kingdom (UK)

This manual is also suitable for:

P-661hw series
