ZyXEL Communications P-334W User Manual

802.11g wireless broadband router with firewall
Prestige 334W
802.11g Wireless Broadband Router with Firewall
User's Guide
Version 3.60
May 2004


Summary of Contents for ZyXEL Communications P-334W

  • Page 1 Prestige 334W 802.11g Wireless Broadband Router with Firewall User’s Guide Version 3.60 May 2004...
  • Page 2 ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved. Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein.
  • Page 3 Prestige 334W User’s Guide Federal Communications Commission (FCC) Interference Statement This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: This device may not cause harmful interference. This device must accept any interference received, including interference that may cause undesired operations.
  • Page 4 Information for Canadian Users The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective, operational, and safety requirements. Industry Canada does not guarantee that the equipment will operate to a user's satisfaction. Before installing this equipment, users should ensure that it is permissible to be connected to the facilities of the local telecommunications company.
  • Page 5: ZyXEL Limited Warranty

    ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to...
  • Page 7: Customer Support

    +45 39 55 07 00, www.zyxel.dk, +45 39 55 07 07; +47 22 80 61 80, www.zyxel.no, +47 22 80 61 81. REGULAR MAIL: ZyXEL Communications Corp., 6 Innovation Road II, Science Park, Hsinchu 300, Taiwan; ZyXEL Communications Inc., 1130 N. Miller St.
  • Page 8 TELEPHONE / WEB SITE / FTP SITE: +46 31 744 7700, www.zyxel.se, +46 31 744 7701; +358-9-4780-8411, www.zyxel.fi, +358-9-4780 8448. REGULAR MAIL: ZyXEL Communications A/S, Sjöporten 4, 41764 Göteborg, Sweden; ZyXEL Communications Oy, Malminkaari 10, 00700 Helsinki, Finland...
  • Page 9: Table Of Contents

    Copyright...ii Federal Communications Commission (FCC) Interference Statement... iii Information for Canadian Users ...iv ZyXEL Limited Warranty ...v Customer Support ...vi List of Figures ...xxi List of Tables ...xxvii Preface ...xxxi Getting Started ... I Chapter 1 Getting to Know Your Prestige ... 1-1 Prestige Internet Security Gateway Overview...
  • Page 10 3.6.4 WAN MAC Address...3-12 Basic Setup Complete ...3-14 Chapter 4 Media Bandwidth Management Setup...4-1 Media Bandwidth Management Setup Overview ...4-1 Media Bandwidth Management Setup 1...4-1 Media Bandwidth Management Setup 2...4-2 Media Bandwidth Management Setup 3: ...4-3 Media Bandwidth Management Setup Complete ...4-4 System, LAN, WLAN and WAN...
  • Page 11 Configuring Roaming ... 7-6 7.4.1 Requirements for Roaming ... 7-8 Chapter 8 Wireless Security ... 8-1 Wireless Security Overview... 8-1 Security Parameters Summary ... 8-3 WEP Overview ... 8-4 8.3.1 Data Encryption ... 8-4 8.3.2 Authentication ... 8-4 8.3.3 Preamble Type ... 8-6 Configuring WEP Encryption...
  • Page 12 SUA/NAT and Static Route ... III Chapter 10 Network Address Translation (NAT) Screens...10-1 10.1 NAT Overview ...10-1 10.1.1 NAT Definitions ...10-1 10.1.2 What NAT Does ...10-2 10.1.3 How NAT Works...10-2 10.1.4 NAT Application ...10-3 10.1.5 NAT Mapping Types ...10-4 10.2 Using NAT ...10-6 10.2.1 SUA (Single User Account) Versus NAT ...10-6...
  • Page 13 13.3 The Firewall, NAT and Remote Management ... 13-5 13.3.1 LAN-to-WAN rules ... 13-5 13.3.2 WAN-to-LAN rules ... 13-5 13.4 Configuring Content Filtering ... 13-6 13.5 Services... 13-8 Remote Management and VPN/IPSec...V Chapter 14 Remote Management Screens ... 14-1 14.1 Remote Management Overview ...
  • Page 14 16.4.1 Dynamic Secure Gateway Address...16-3 16.5 Summary Screen ...16-3 16.6 Keep Alive...16-5 16.7 NAT Traversal ...16-6 16.7.1 NAT Traversal Configuration...16-6 16.7.2 Remote DNS Server...16-7 16.8 ID Type and Content...16-8 16.8.1 ID Type and Content Examples ...16-9 16.9 Pre-Shared Key ...16-10 16.10 Editing VPN Rules ...16-10 16.11...
  • Page 15 18.5 Monitor Screen ... 18-13 Chapter 19 Maintenance ... 19-1 19.1 Maintenance Overview ... 19-1 19.2 Status Screen... 19-1 19.2.1 System Statistics... 19-2 19.3 DHCP Table Screen... 19-4 19.4 Any IP Table ... 19-5 19.5 Association List... 19-5 19.6 F/W Upload Screen ... 19-6 19.7 Configuration Screen ...
  • Page 16 24.1 Introduction to Internet Access Setup...24-1 24.2 Ethernet Encapsulation ...24-1 24.3 Configuring the PPTP Client ...24-3 24.4 Configuring the PPPoE Client ...24-4 24.5 Basic Setup Complete ...24-5 Chapter 25 Remote Node Configuration ...25-1 25.1 Introduction to Remote Node Setup...25-1 25.2 Remote Node Profile Setup ...25-1 25.2.1 Ethernet Encapsulation ...25-1...
  • Page 17 30.2.2 Configuring a TCP/IP Filter Rule ... 30-6 30.2.3 Configuring a Generic Filter Rule... 30-11 30.3 Example Filter ... 30-13 30.4 Filter Types and NAT... 30-15 30.5 Firewall Versus Filters ... 30-16 30.6 Applying a Filter ... 30-16 30.6.1 Applying LAN Filters ... 30-17 30.6.2 Applying Remote Node Filters...
  • Page 18 34.3.2 Restore Using FTP Session Example...34-8 34.4 Uploading Firmware and Configuration Files ...34-8 34.4.1 Firmware File Upload ...34-8 34.4.2 Configuration File Upload ...34-9 34.4.3 FTP File Upload Command from the DOS Prompt Example...34-10 34.4.4 FTP Session Example of Firmware File Upload...34-10 34.4.5 TFTP File Upload ...34-10 34.4.6...
  • Page 19 Appendix G Wireless LAN With IEEE 802.1x ... G-1 Appendix H Types of EAP Authentication ... H-1 Appendix I Antenna Selection and Positioning Recommendation ... I-1 Appendix J Brute-Force Password Guessing Protection ... J-1 Appendix K Triangle Route ... K-1 Appendix L Index ... L-1 Table of Contents...
  • Page 21 List of Figures Figure 1-1 Secure Internet Access via Cable, DSL or Wireless Modem... 1-6 Figure 1-2 VPN Application ... 1-6 Figure 1-3 Internet Access Application Example... 1-7 Figure 2-1 Change Password Screen... 2-1 Figure 2-2 The MAIN MENU Screen of the Web Configurator... 2-3 Figure 3-1 Wizard 1: General Setup...
  • Page 22: Chapter 36 Remote Management

    Figure 8-6 Wireless: WPA-PSK...8-11 Figure 8-7 WPA with RADIUS Application Example...8-14 Figure 8-8 Wireless: WPA ...8-15 Figure 8-9 Wireless: 802.1x and Dynamic WEP ...8-18 Figure 8-10 Wireless: 802.1x and Static WEP...8-20 Figure 8-11 Wireless: 802.1x ...8-23 Figure 8-12 MAC Address Filter ...8-26 Figure 8-13 Local User Database ...8-28 Figure 8-14 EAP Authentication...8-30...
  • Page 23 Figure 14-7 Remote Management: DNS... 14-12 Figure 14-8 Security... 14-13 Figure 15-1 Encryption and Decryption... 15-2 Figure 15-2 IPSec Architecture... 15-3 Figure 15-3 Transport and Tunnel Mode IPSec Encapsulation... 15-4 Figure 16-1 IPSec Summary Fields ... 16-3 Figure 16-2 VPN: Summary ...
  • Page 24: Chapter 21 Menu 1 General Setup

    Figure 19-15 System Restart...19-12 Figure 20-1 Login Screen ...20-2 Figure 20-2 SMT Menu Overview ...20-3 Figure 20-3 SMT Main Menu...20-5 Figure 20-4 Menu 23 System Password ...20-6 Figure 21-1 Menu 1 General Setup...21-2 Figure 21-2 Menu 1.1 Configure Dynamic DNS...21-4 Figure 22-1 Menu 2 WAN Setup ...22-1 Figure 23-1 Menu 3 LAN Setup ...23-1 Figure 23-2 Menu 3.1 LAN Port Filter Setup...23-1...
  • Page 25 Figure 28-10 NAT Example 1 ... 28-10 Figure 28-11 Menu 4 Internet Access & NAT Example...28-11 Figure 28-12 NAT Example 2 ...28-11 Figure 28-13 Menu 15.2.1 Specifying an Inside Server... 28-12 Figure 28-14 NAT Example 3 ... 28-13 Figure 28-15 Example 3: Menu 11.3...
  • Page 26 Figure 33-9 LAN & WAN DHCP...33-10 Figure 34-1 Telnet in Menu 24.5 ...34-3 Figure 34-2 FTP Session Example...34-4 Figure 34-3 Telnet into Menu 24.6 ...34-7 Figure 34-4 Restore Using FTP Session Example ...34-8 Figure 34-5 Telnet Into Menu 24.7.1 Upload System Firmware ...34-9 Figure 34-6 Telnet Into Menu 24.7.2 System Maintenance ...34-9 Figure 34-7 FTP Session Example of Firmware File Upload ...34-10 Figure 35-1 Command Mode in Menu 24 ...35-1...
  • Page 27 List of Tables Table 2-1 Screens Summary... 2-3 Table 3-1 Wizard 2: Wireless LAN Setup ... 3-3 Table 3-2 Wizard 3: Wireless LAN Setup: Basic Security... 3-4 Table 3-3 Wizard 3: Wireless LAN Setup: Extend Security ... 3-5 Table 3-4 Wizard 4: Ethernet Encapsulation...
  • Page 28 Table 9-6 WAN: Traffic Redirect ...9-13 Table 10-1 NAT Definitions...10-1 Table 10-2 NAT Mapping Types...10-5 Table 10-3 Services and Port Numbers...10-7 Table 10-4 SUA/NAT Setup ...10-9 Table 10-5 Address Mapping ...10-11 Table 10-6 Address Mapping Edit ...10-13 Table 10-7 Trigger Port...10-15 Table 11-1 Static Route...11-2 Table 11-2 Static Route: Edit ...11-3...
  • Page 29 Table 19-1 Maintenance Status ... 19-2 Table 19-2 Maintenance System Statistics ... 19-3 Table 19-3 Maintenance DHCP Table... 19-4 Table 19-4 Maintenance Any IP... 19-5 Table 19-5 Maintenance Association List ... 19-6 Table 19-6 Maintenance Firmware Upload... 19-7 Table 19-7 Maintenance Restore Configuration ...
  • Page 30 Table 32-2 Menu 23.4 System Security : IEEE802.1x ...32-4 Table 33-1 System Maintenance: Status Menu Fields ...33-2 Table 33-2 Menu 24.2.1 System Maintenance : Information...33-4 Table 33-3 Menu 24.3.2 System Maintenance : Syslog and Accounting...33-5 Table 33-4 System Maintenance Menu Diagnostic ...33-11 Table 34-1 Filename Conventions ...34-2 Table 34-2 General Commands for GUI-based FTP Clients ...34-4 Table 34-3 General Commands for GUI-based TFTP Clients ...34-6...
  • Page 31: Related Documentation

    Help us help you. E-mail all User’s Guide-related comments, questions or suggestions for improvement to techwriters@zyxel.com.tw or send regular mail to The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan. Thank you.
  • Page 32 • The version number on the title page is the latest firmware version that is documented in this User’s Guide. Earlier versions may also be included. • “Enter” means for you to type one or more characters and press the carriage return. “Select” or “Choose”...
  • Page 33: Getting Started

    Getting Started Part I: Getting Started This part helps you get to know your Prestige, introduces the web configurator and covers how to configure the Wizard Setup screens.
  • Page 35: Chapter 1 Getting To Know Your Prestige

    This chapter introduces the main features and applications of the Prestige. Prestige Internet Security Gateway Overview The Prestige is the ideal secure gateway for all data passing between the Internet and LANs. By integrating NAT, firewall, media bandwidth management and VPN capability, ZyXEL’s Prestige is a complete security solution that protects your Intranet and efficiently manages data traffic on your network.
  • Page 36: Non-Physical Features

    1.2.2 Non-Physical Features Media Bandwidth Management ZyXEL’s Media Bandwidth Management allows you to specify bandwidth classes based on an application and/or subnet. You can allocate specific amounts of bandwidth capacity (bandwidth budgets) to different bandwidth classes. IPSec VPN Capability Establish a Virtual Private Network (VPN) to connect with business partners and branch offices using data encryption and the Internet to provide secure communications without the expense of leased site-to-site...
  • Page 37: 802.11g Wireless LAN Standard

    Data Rate (Mbps) / Modulation: DBPSK (Differential Binary Phase Shift Keyed); DQPSK (Differential Quadrature Phase Shift Keying); 5.5 / 11: CCK (Complementary Code Keying). The Prestige may be prone to RF (Radio Frequency) interference from other 2.4 GHz devices such as microwave ovens, wireless phones, Bluetooth enabled 802.11g Wireless LAN Standard The Prestige complies with the 802.11g wireless standard and is also fully compatible with the 802.11b standard.
  • Page 38: Dynamic DNS Support

    Dynamic DNS Support With Dynamic DNS (Domain Name System) support, you can have a static hostname alias for a dynamic IP address, allowing the host to be more easily accessible from various locations on the Internet. You must register for this service with a Dynamic DNS service provider.
  • Page 39: Applications For The Prestige

    Any IP The Any IP feature allows a computer to access the Internet without changing the network settings (such as IP address and subnet mask) of the computer, when the IP addresses of the computer and the Prestige are not in the same subnet. Full Network Management The embedded web configurator is an all-platform web-based utility that allows you to easily access the Prestige’s management settings and configure the firewall.
  • Page 40: Figure 1-1 Secure Internet Access Via Cable, DSL Or Wireless Modem

    1.3.1 Secure Broadband Internet Access via Cable or DSL Modem You can connect a cable modem, DSL or wireless modem to the Prestige for broadband Internet access via an Ethernet or a wireless port on the modem. The Prestige guarantees not only high speed Internet access, but secure internal network protection and traffic management as well.
  • Page 41: Figure 1-3 Internet Access Application Example

    1.3.3 Internet Access Application Add a wireless LAN to your existing network without expensive network cables. Wireless stations can move freely anywhere in the coverage area and use resources on the wired network. Figure 1-3 Internet Access Application Example Getting to Know Your Prestige...
  • Page 43: Chapter 2 Introducing The Web Configurator

    Introducing the Web Configurator This chapter describes how to access the Prestige web configurator and provides an overview of its Web Configurator Overview The embedded web configurator allows you to manage the Prestige from anywhere through a browser such as Microsoft Internet Explorer or Netscape Navigator. Use Internet Explorer 6.0 and later or Netscape Navigator 7.0 and later versions with JavaScript enabled.
  • Page 44: Resetting The Prestige

    Step 6. You should now see the MAIN MENU screen (see Figure 2-2). The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires (default five minutes). Simply log back into Resetting the Prestige If you forget your password or cannot access the web configurator, you will need to use the RESET button at the back of the Prestige to reload the factory-default configuration file.
  • Page 45: Navigation Panel

    Click LOGOUT at any time to exit the web configurator. Click MAINTENANCE to view information about your Prestige or upgrade the configuration/firmware files. Maintenance includes Status (Statistics), DHCP Table, F/W (firmware) Upload, Configuration (Backup, Restore, Defaults) and Restart. Figure 2-2 The MAIN MENU Screen of the Web Configurator 2.3.2 Navigation Panel After you enter the password, use the sub-menus on the navigation panel to configure Prestige features.
  • Page 46 LINK DDNS Password Time Zone Static DHCP IP Alias WIRELESS Wireless MAC Filter Roaming 802.1x/WPA Local User Database RADIUS Route WAN ISP WAN IP WAN MAC Traffic Redirect SUA/NAT SUA Server Address Mapping Trigger Port STATIC ROUTE IP Static Route Table 2-1 Screens Summary FUNCTION...
  • Page 47 LINK FIREWALL Settings Filter Services REMOTE MGMT TELNET SNMP Security Summary Rule Setup SA Monitor Global Setting UPnP UPnP LOGS View Log Log Settings BW MGMT Configuration Monitor MAINTENANCE Status Introducing the Web Configurator Table 2-1 Screens Summary FUNCTION Use this screen to activate/deactivate the firewall and log packets related to firewall rules.
  • Page 48 LINK DHCP Table Any IP F/W Upload Configuration Restart LOGOUT Table 2-1 Screens Summary FUNCTION This screen displays DHCP (Dynamic Host Configuration Protocol) related information and is READ-ONLY. Use this screen to allow a computer to access the Internet without changing the network settings of the computer, when the IP addresses of the computer and the Prestige are not in the same subnet.
  • Page 49: Chapter 3 Wizard Setup

    This chapter provides information on the Wizard Setup screens in the web configurator. Wizard Setup Overview The web configurator’s setup wizard helps you configure your device to access the Internet. The second screen has three variations depending on what encapsulation type you use. Refer to your ISP checklist in the Quick Start Guide to know what to enter in each field.
  • Page 50: Figure 3-1 Wizard 1: General Setup

    Figure 3-1 Wizard 1: General Setup Wizard Setup: Screen 2 Set up your wireless LAN using the second wizard screen. Figure 3-2 Wizard 2: Wireless LAN Setup The following table describes the fields in this screen. Wizard Setup...
  • Page 51: Table 3-1 Wizard 2: Wireless LAN Setup

    LABEL ESSID Enter a descriptive name (up to 32 printable 7-bit ASCII characters) for the wireless LAN. If you change this field on the Prestige, make sure all wireless stations use the same ESSID in order to access the network. Choose To manually set the Prestige to use a channel, select a channel from the drop-down list box.
  • Page 52: Figure 3-3 Wizard 3: Wireless LAN Setup: Basic Security

    Figure 3-3 Wizard 3: Wireless LAN Setup: Basic Security The following table describes the labels in this screen. Table 3-2 Wizard 3: Wireless LAN Setup: Basic Security Encryption Select 64-bit WEP or 128-bit WEP to allow data encryption. ASCII Select this option in order to enter ASCII characters as the WEP keys.
  • Page 53: Figure 3-4 Wizard 3: Wireless LAN Setup: Extend Security

    If you choose Extend security in the Wireless LAN Setup screen, you can set up a Pre-Shared Key. Figure 3-4 Wizard 3: Wireless LAN Setup: Extend Security The following table describes the labels in this screen. Table 3-3 Wizard 3: Wireless LAN Setup: Extend Security Pre-Shared Type from 8 to 31 case-sensitive ASCII characters or from 16 to 62 hexadecimal ("0-9", "A- F") characters.
  • Page 54: Figure 3-5 Wizard 4: Ethernet Encapsulation

    Figure 3-5 Wizard 4: Ethernet Encapsulation The following table describes the fields in this screen. Table 3-4 Wizard 4: Ethernet Encapsulation LABEL ISP Parameters for Internet Access Encapsulation You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
  • Page 55: PPPoE Encapsulation

    Table 3-4 Wizard 4: Ethernet Encapsulation LABEL Relogin Every (min) This field only applies when you select Telia Login in the Service Type field. The Telia server logs the Prestige out if the Prestige does not log in periodically. Type the number of minutes from 1 to 59 (30 default) for the Prestige to wait between logins.
  • Page 56: Figure 3-6 Wizard 4: PPPoE Encapsulation

    Figure 3-6 Wizard 4: PPPoE Encapsulation The following table describes the fields in this screen. Table 3-5 Wizard 4: PPPoE Encapsulation LABEL ISP Parameter for Internet Access Encapsulation Choose PPP over Ethernet from the pull-down list box. PPPoE forms a dial-up connection.
  • Page 57: Figure 3-7 Wizard 4: PPTP Encapsulation

    Table 3-5 Wizard 4: PPPoE Encapsulation LABEL DESCRIPTION Back Click Back to return to the previous screen. 3.5.3 PPTP Encapsulation Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables transfers of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks.
  • Page 58: Table 3-6 Wizard 4: PPTP Encapsulation

    LABEL ISP Parameters for Internet Access Encapsulation Select PPTP from the drop-down list box. User Name Type the user name given to you by your ISP. Password Type the password associated with the User Name above. Nailed-Up Select Nailed-Up Connection if you do not want the connection to time out.
  • Page 59: Table 3-7 Private IP Address Ranges

    You can obtain your IP address from the IANA, from an ISP or have it assigned by a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks.
  • Page 60: Table 3-8 Example Of Network Properties For LAN Servers With Fixed IP Addresses

    The Prestige can get the DNS server addresses in the following ways. 1. The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, enter them in the DNS Server fields in DHCP Setup. 2.
  • Page 61: Figure 3-8 Wizard 5: WAN Setup

    The following table describes the fields in this screen. LABEL WAN IP Address Assignment Get automatically from ISP Select this option if your ISP did not assign you a fixed IP address. This is the default selection. Use fixed IP address Select this option if the ISP assigned a fixed IP address.
  • Page 62 LABEL System DNS Server Address Assignment (if applicable) DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it.
  • Page 63: Figure 3-9 Wizard Finish

    Figure 3-9 Wizard Finish Well done! You have successfully set up your Prestige to operate on your network and access the Internet.
  • Page 65: Media Bandwidth Management Setup

    Media Bandwidth Management Setup This chapter provides information on the bandwidth management setup screens in the web Media Bandwidth Management Setup Overview The web configurator’s BW SETUP allows you to specify bandwidth classes based on an application and/or subnet. You can allocate specific amounts of bandwidth capacity (bandwidth budgets) to different bandwidth classes.
  • Page 66: Figure 4-2 Media Bandwidth Management Setup 2: Services

    Table 4-1 Media Bandwidth Management Setup 1 LABEL Active Select the Active check box to have the Prestige apply bandwidth management to traffic going out through the Prestige’s WAN, LAN or WLAN port. Managed Bandwidth (Kbps) Enter the amount of Managed Bandwidth in kbps (2 to 100,000) that you want to allocate for traffic.
  • Page 67: Figure 4-3 Media Bandwidth Management Setup 3: Service Priority

    Table 4-2 Media Bandwidth Management Setup 2: Services LABEL Choose Create bandwidth management classes by selecting services from the list provided. Channel ID XBox Live VoIP (SIP) E-Mail eMule/eDonkey For a detailed description of these services, see the Media Bandwidth Management chapter.
  • Page 68: Figure 4-4 Media Bandwidth Management Setup 4: Finish

    Table 4-3 Media Bandwidth Management Setup 3: Service Priority LABEL Service These fields display the services selected in the previous screen. Priority Select High, Mid or Low priority for each service to have your Prestige use a priority for traffic that matches that service.
  • Page 69 System, LAN, WLAN and WAN Part II: System, LAN, WLAN and WAN This part covers configuration of the system, LAN, WLAN and WAN screens.
  • Page 71: Figure 5-1 System General Setup

    Chapter 5 System Screens This chapter provides information on the System screens. System Overview See the Wizard Setup chapter for more information on the next few screens. Configuring General Setup Click SYSTEM to open the General screen. Figure 5-1 System General Setup...
  • Page 72: Table 5-1 System General Setup

    The following table describes the labels in this screen. LABEL System Name Choose a descriptive name for identification purposes. It is recommended you enter your computer’s “Computer name” in this field (see the Wizard Setup chapter for how to find your computer’s name).
  • Page 73: Dynamic DNS

    Dynamic DNS Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You can also access your FTP server or Web site on your own computer using a domain name (for instance myhost.dhs.org, where myhost is a name of your choice) that will never change instead of using an IP address that changes each time you reconnect.
  • Page 74: Figure 5-2 DDNS

    The following table describes the labels in this screen. LABEL Active Select this check box to use dynamic DNS. Service Provider Select the name of your Dynamic DNS service provider. DDNS Type Select the type of service that you are registered for from your Dynamic DNS service provider.
  • Page 75: Configuring Password

    LABEL Host Names 1~3 Enter the host names in the three fields provided. You can specify up to two host names in each field separated by a comma (","). User Enter your user name. Password Enter the password assigned to you. Enable Wildcard Select the check box to enable DynDNS Wildcard.
  • Page 76: Configuring Time Zone

    The following table describes the labels in this screen. LABEL Old Password Type the default password or the existing password you use to access the system in this field. New Password Type the new password in this field. Retype to Confirm Type the new password again in this field.
  • Page 77: Figure 5-4 Time Setting

    The following table describes the labels in this screen. LABEL Use Time Server when Bootup Select the time service protocol that your time server sends when you turn on the Prestige. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.
  • Page 78 LABEL Time Server IP Address Enter the IP address of your time server. Check with your ISP/network administrator if you are unsure of this information. Current Time This field displays the time of your Prestige. Each time you reload this page, the Prestige synchronizes the time with the time server.
  • Page 79: LAN Screens

    LAN Overview Local Area Network (LAN) is a shared communication system to which many computers are attached. The LAN screens can help you configure a LAN DHCP server, manage IP addresses, and partition your physical network into logical networks. DHCP Setup DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server.
  • Page 80: RIP Setup

    These parameters should work for the majority of installations. If your ISP gives you explicit DNS server address(es), read the embedded web configurator help regarding what fields need to be configured. 6.3.2 IP Address and Subnet Mask Refer to the IP Address and Subnet Mask section in the Wizard Setup chapter for this information.
  • Page 81: Figure 6-1 Any IP Example Application

    Any IP Traditionally, you must set the IP addresses and the subnet masks of a computer and the Prestige to be in the same subnet to allow the computer to access the Internet (through the Prestige). In cases where your computer is required to use a static IP address in another network, you may need to manually configure the network settings of the computer every time you want to access the Internet via the Prestige.
  • Page 82: How Any IP Works

    You must enable NAT/SUA to use the Any IP feature on the Prestige. 6.4.1 How Any IP Works Address Resolution Protocol (ARP) is a protocol for mapping an Internet Protocol address (IP address) to a physical machine address, also known as a Media Access Control or MAC address, on the local area network.
  • Page 83: Figure 6-2 IP

    The following table describes the fields in this screen. LABEL DHCP Server DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients (computers) to obtain TCP/IP configuration at startup from a server. Leave the DHCP Server check box selected unless your ISP instructs you to do otherwise.
  • Page 84 LABEL Pool Size This field specifies the size, or count of the IP address pool. DNS Servers Assigned by DHCP Server The Prestige passes a DNS (Domain Name System) server IP address (in the order you specify here) to the DHCP clients. The Prestige only passes this information to the LAN DHCP clients when you select the DHCP Server check box.
  • Page 85 LABEL RIP Direction RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Select the RIP direction from Both/In Only/Out Only/None. When set to Both or Out Only, the Prestige will broadcast its routing table periodically.
  • Page 86: Configuring Static DHCP

    LABEL Allow from LAN to Select this check box to forward NetBIOS packets from the LAN to the WAN and from the WAN to the LAN. If your firewall is enabled with the default policy set to block WAN to LAN traffic, you also need to enable the default WAN to LAN firewall rule that forwards NetBIOS traffic.
  • Page 87: Figure 6-4 IP Alias

    LABEL This is the index number of the Static IP table entry (row). MAC Address Type the MAC address (with colons) of a computer on your LAN. IP Address This field specifies the size, or count of the IP address pool. Apply Click Apply to save your changes back to the Prestige.
  • Page 88: Table 6-3 IP Alias

    LABEL IP Alias 1,2 Select the check box to configure another LAN network for the Prestige. IP Address Enter the IP address of your Prestige in dotted decimal notation. IP Subnet Mask Your Prestige will automatically calculate the subnet mask based on the IP address that you assign.
  • Page 89: Figure 7-1 IBSS (Ad-Hoc) Wireless LAN

    Chapter 7 Wireless Configuration and Roaming This chapter discusses how to configure the Wireless and Roaming screens on the Prestige. Wireless LAN Overview This section introduces the wireless LAN (WLAN) and some basic scenarios. 7.1.1 IBSS An Independent Basic Service Set (IBSS), also called an Ad-hoc network, is the simplest WLAN configuration.
  • Page 90: Figure 7-2 Basic Service Set

    Figure 7-2 Basic Service Set 7.1.3 ESS An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS).
  • Page 91: Figure 7-3 Extended Service Set

    Figure 7-3 Extended Service Set Wireless LAN Basics Refer also to the Wizard Setup chapter for more background information on Wireless LAN features, such as channels. 7.2.1 RTS/CTS A hidden node occurs when two stations are within range of the same access point, but are not within range of each other.
  • Page 92: Fragmentation Threshold

    When station A sends data to the Prestige, it might not know that station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations.
  • Page 93: Configuring Wireless

    A large Fragmentation Threshold is recommended for networks not prone to interference while you should set a smaller threshold for busy networks or networks that are prone to interference. If the Fragmentation Threshold value is smaller than the RTS/CTS value (see previously) you set, then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size.
  • Page 94: Configuring Roaming

    LABEL ESSID (Extended Service Set IDentity) The ESSID identifies the Service Set with which a wireless station is associated. Wireless stations associating to the access point (AP) must have the same ESSID. Enter a descriptive name (up to 32 printable 7-bit ASCII characters) for the wireless LAN.
  • Page 95: Figure 7-6 Roaming Example

    The roaming feature on the access points allows the access points to relay information about the wireless stations to each other. When a wireless station moves from a coverage area to another, it scans and uses the channel of a new access point, which then informs the access points on the LAN about the change.
  • Page 96: Requirements For Roaming

    7.4.1 Requirements for Roaming The following requirements must be met in order for wireless stations to roam between the coverage areas. 1. All the access points must be on the same subnet and configured with the same ESSID. 2.
  • Page 97 LABEL Port Enter the port number to communicate roaming information between APs. The port number must be the same on all APs. The default is 3517. Make sure this port is not used by other services. Apply Click Apply to save your changes back to the Prestige. Reset Click Reset to reload the previous configuration for this screen.
  • Page 99: Figure 8-1 Prestige Wireless Security Levels

    Chapter 8 Wireless Security This Chapter describes how to use the MAC Filter, 802.1x, Local User Database and RADIUS to configure wireless security on your Prestige. Wireless Security Overview Wireless security is vital to your network to protect wireless communication between wireless stations, access points and the wired network.
  • Page 100: Figure 8-2 Wireless: No Security

    The following table describes the labels in this screen. LABEL Security Choose from one of the security features listed in the drop-down box. No Security Static WEP WPA-PSK 802.1x + Dynamic WEP 802.1x + Static WEP 802.1x + No WEP Preamble Select a preamble type from the drop-down list menu.
  • Page 101: Table 8-2 Wireless Security Relational Matrix

    LABEL 802.11 Mode Select 802.11b Only to allow only IEEE 802.11b compliant WLAN devices to associate with the Prestige. Select 802.11g Only to allow only IEEE 802.11g compliant WLAN devices to associate with the Prestige. Select Mixed to allow either IEEE802.11b or IEEE802.11g compliant WLAN devices to associate with the Prestige.
  • Page 102: WEP Overview

    Table 8-2 Wireless Security Relational Matrix (columns: AUTHENTICATION METHOD/KEY MANAGEMENT PROTOCOL, WPA-PSK; table contents not extracted) WEP Overview WEP (Wired Equivalent Privacy) as specified in the IEEE 802.11 standard provides methods for both data encryption and wireless station authentication. 8.3.1 Data Encryption WEP provides a mechanism for encrypting data using encryption keys.
  • Page 103: Figure 8-3 WEP Authentication Steps

    Figure 8-3 WEP Authentication Steps Open system authentication involves an unencrypted two-message procedure. A wireless station sends an open system authentication request to the AP, which will then automatically accept and connect the wireless station to the network. In effect, open system is not authentication at all as any station can gain access to the network.
  • Page 104: Preamble Type

    8.3.3 Preamble Type A preamble is used to synchronize the transmission timing in your wireless network. There are two preamble modes: Long and Short. Short preamble takes less time to process and minimizes overhead, so it should be used in a good wireless network environment when all wireless clients support it.
  • Page 105: Figure 8-4 Wireless: Static WEP Encryption

    Figure 8-4 Wireless: Static WEP Encryption The following table describes the wireless LAN security labels in this screen. Table 8-3 Wireless: Static WEP Encryption LABEL Select 64-bit WEP or 128-bit WEP to enable data encryption. Encryption Authentication This field is activated when you select 64-bit WEP or 128-bit WEP in the WEP Method Encryption field.
  • Page 106: Introduction to WPA

    Table 8-3 Wireless: Static WEP Encryption LABEL Select this option in order to enter hexadecimal characters as the WEP keys. The preceding "0x", that identifies a hexadecimal key, is entered automatically. Key 1 to Key The WEP keys are used to encrypt data. Both the Prestige and the wireless stations must use the same WEP key for data transmission.
  • Page 107: User Authentication

    8.5.1 User Authentication WPA applies IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate wireless clients using an external RADIUS database. You can’t use the Prestige’s Local User Database for WPA authentication purposes since the Local User Database uses EAP MD5, which cannot be used to generate keys.
  • Page 108: Figure 8-5 WPA-PSK Authentication

    Step 3. The AP derives and distributes keys to the wireless clients. Step 4. The AP and wireless clients use the TKIP encryption process to encrypt data exchanged between them. Configuring WPA-PSK Authentication In order to configure and enable WPA-PSK Authentication, click the WIRELESS link under ADVANCED to display the Wireless screen.
  • Page 109: Figure 8-6 Wireless: WPA-PSK

    The following table describes the labels in this screen. LABEL Pre-Shared Key The encryption mechanisms used for WPA and WPA-PSK are the same. The only difference between the two is that WPA-PSK uses a simple common password, instead of user-specific credentials. Type a pre-shared key from 8 to 63 case-sensitive ASCII characters (including spaces and symbols).
  • Page 110 LABEL ReAuthentication Timer (in seconds) Specify how often wireless stations have to reenter usernames and passwords in order to stay connected. Enter a time interval between 10 and 9999 seconds. The default time interval is 1800 seconds (30 minutes). server, the reauthentication timer on the RADIUS server has Idle Timeout The Prestige automatically disconnects a wireless station from the wired network after...
  • Page 111: Wireless Client WPA Supplicants

    Wireless Client WPA Supplicants A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicants are the WPA patch for Windows XP, Funk Software's Odyssey client, and Meetinghouse Data Communications' AEGIS client.
  • Page 112: Figure 8-7 WPA with RADIUS Application Example

    Figure 8-7 WPA with RADIUS Application Example Configuring WPA Authentication In order to configure and enable WPA Authentication, click the WIRELESS link under ADVANCED to display the Wireless screen. Select WPA from the Security list.
  • Page 113: Figure 8-8 Wireless: WPA

    The following table describes the labels in this screen. LABEL ReAuthentication Timer (in seconds) Specify how often wireless stations have to reenter usernames and passwords in order to stay connected. Enter a time interval between 10 and 9999 seconds. The default time interval is 1800 seconds (30 minutes).
  • Page 114: Table 8-5 Wireless: WPA

    LABEL WPA Group Key Update Timer The WPA Group Key Update Timer is the rate at which the AP (if using WPA-PSK key management) or RADIUS server (if using WPA key management) sends a new group key out to all clients. The re-keying process is the WPA equivalent of automatically changing the WEP key for an AP and all stations in a WLAN on a periodic basis.
  • Page 115: Dynamic WEP Key Exchange

    8.10 Dynamic WEP Key Exchange The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed.
  • Page 116: Figure 8-9 Wireless: 802.1x and Dynamic WEP

    Figure 8-9 Wireless: 802.1x and Dynamic WEP The following table describes the labels in this screen. Table 8-6 Wireless: 802.1x and Dynamic WEP LABEL ReAuthentication Timer (in seconds) Specify how often wireless stations have to reenter usernames and passwords in order to stay connected.
  • Page 117: Configuring 802.1x and Static WEP Key Exchange

    Table 8-6 Wireless: 802.1x and Dynamic WEP LABEL Dynamic WEP Key Exchange Select 64-bit WEP or 128-bit WEP to enable data encryption. Up to 32 stations can access the Prestige when you configure dynamic WEP key exchange. This field is not available when you set Security to WPA or WPA-PSK.
  • Page 118: Figure 8-10 Wireless: 802.1x and Static WEP

    Figure 8-10 Wireless: 802.1x and Static WEP The following table describes the labels in this screen. Table 8-7 Wireless: 802.1x and Static WEP LABEL WEP Encryption Select 64-bit WEP or 128-bit WEP to enable data encryption. Authentication This field is activated when you select 64-bit WEP or 128-bit WEP in the WEP Method...
  • Page 119 Table 8-7 Wireless: 802.1x and Static WEP LABEL ASCII Select this option in order to enter ASCII characters as the WEP keys. Select this option in order to enter hexadecimal characters as the WEP keys. The preceding "0x", that identifies a hexadecimal key, is entered automatically. Key 1 to Key 4 The WEP keys are used to encrypt data.
  • Page 120 Table 8-7 Wireless: 802.1x and Static WEP LABEL Authentication Databases The authentication database contains wireless station login information. The local user database is the built-in database on the Prestige. The RADIUS is an external server. Use this drop-down list box to select which database the Prestige should use (first) to authenticate a wireless station.
  • Page 121: Figure 8-11 Wireless: 802.1x

    Table 8-7 Wireless: 802.1x and Static WEP LABEL Apply Click Apply to save your changes back to the Prestige. Reset Click Reset to reload the previous configuration for this screen. 8.13 Configuring 802.1x In order to configure and enable 802.1x, click the WIRELESS link under ADVANCED to display the Wireless screen.
  • Page 122: Table 8-8 Wireless: 802.1x and No WEP

    LABEL ReAuthentication Timer (in seconds) Specify how often wireless stations have to reenter usernames and passwords in order to stay connected. Enter a time interval between 10 and 9999 seconds. The default time interval is 1800 seconds (30 minutes). server, the reauthentication timer on the RADIUS server has Idle Timeout The Prestige automatically disconnects a wireless station from the wired network...
  • Page 123: MAC Filter

    LABEL 802.11 Mode Select 802.11b Only to allow only IEEE 802.11b compliant WLAN devices to associate with the Prestige. Select 802.11g Only to allow only IEEE 802.11g compliant WLAN devices to associate with the Prestige. Select Mixed to allow either IEEE802.11b or IEEE802.11g compliant WLAN devices to associate with the Prestige.
  • Page 124: Figure 8-12 MAC Address Filter

    Figure 8-12 MAC Address Filter The following table describes the labels in this menu. Table 8-9 MAC Address Filter LABEL DESCRIPTION Active Select Yes from the drop-down list box to enable MAC address filtering.
  • Page 125: Introduction To Local User Database

    LABEL Filter Action Define the filter action for the list of MAC addresses in the MAC Address table. Select Deny Association to block access to the Prestige; MAC addresses not listed will be allowed to access the Prestige. Select Allow Association to permit access to the Prestige; MAC addresses not listed will be denied access to the Prestige.
  • Page 126: Figure 8-13 Local User Database

    8.16 Configuring Local User Database To change your Prestige’s local user database, click the WIRELESS link under ADVANCED and then the Local User Database tab. The screen appears as shown. Figure 8-13 Local User Database
  • Page 127: Table 8-10 Local User Database

    The following table describes the labels in this screen. LABEL Active Select this option to activate the user profile. User Name Enter the username (up to 31 characters) for this user profile. Password Type a password (up to 31 characters) for this user profile. Note that as you type a password, the screen displays a (*) for each character you type.
  • Page 128: Figure 8-14 EAP Authentication

    • Access-Challenge Sent by a RADIUS server requesting more information in order to allow access. The access point sends a proper response from the user and then sends another Access-Request message. The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user accounting: •...
  • Page 129: Figure 8-15 RADIUS

    • The wireless station sends a “start” message to the Prestige. • The Prestige sends a “request identity” message to the wireless station for identity information. • The wireless station replies with identity information, including username and password. • The RADIUS server checks the user information against its user profile database and determines whether or not to authenticate the wireless station.
  • Page 130 LABEL Server IP Address Enter the IP address of the external authentication server in dotted decimal notation. Port Number Enter the port number of the external authentication server. The default port number is 1812. You need not change this value unless your network administrator instructs you to do so with additional information.
  • Page 131: WAN Screens

    WAN Overview See the Wizard Setup chapter for more information on the fields in the WAN screens. TCP/IP Priority (Metric) The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost". RIP routing uses hop count as the measurement of cost, with a minimum of "1"...
  • Page 132: Figure 9-1 WAN: Route

    The following table describes the labels in this screen. LABEL The default WAN connection is "1" as your broadband connection via the WAN port should always be your preferred method of accessing the WAN. Traffic Redirect The default priority of the routes is WAN and then Traffic Redirect. Apply Click Apply to save your changes back to the Prestige.
  • Page 133: Figure 9-2 Ethernet Encapsulation

    The following table describes the labels in this screen. LABEL Encapsulation You must choose the Ethernet option when the WAN port is used as a regular Ethernet. Service Type Choose from Standard, Telstra (RoadRunner Telstra authentication method), RR-Manager (Roadrunner Manager authentication method), RR-Toshiba (Roadrunner Toshiba authentication method) or Telia Login.
  • Page 134 LABEL Apply Click Apply to save your changes back to the Prestige. Reset Click Reset to begin configuring this screen afresh. 9.4.2 PPPoE Encapsulation The Prestige supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF Draft standard (RFC 2516) specifying how a personal computer (PC) interacts with a broadband modem (DSL, cable, wireless, etc.) connection.
  • Page 135: Figure 9-3 PPPoE Encapsulation

    The following table describes the labels in this screen. LABEL ISP Parameters for Internet Access Encapsulation The PPP over Ethernet choice is for a dial-up connection using PPPoE. The Prestige supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF Draft standard (RFC 2516) specifying how a personal computer (PC) interacts with a broadband modem (i.e.
  • Page 136: Figure 9-4 PPTP Encapsulation

    LABEL Nailed-Up Connection Select Nailed-Up Connection if you do not want the connection to time out. Idle Timeout This value specifies the time in seconds that elapses before the router automatically disconnects from the PPPoE server. Apply Click Apply to save your changes back to the Prestige. Reset Click Reset to begin configuring this screen afresh.
  • Page 137: Table 9-4 PPTP Encapsulation

    The following table describes the labels in this screen. LABEL ISP Parameters for Internet Access Encapsulation Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks.
  • Page 138: Figure 9-5 WAN: IP

    The following table describes the labels in this screen. LABEL WAN IP Address Assignment Get automatically from ISP Select this option if your ISP did not assign you a fixed IP address. This is the default selection. Use fixed IP Select this option if the ISP assigned a fixed IP address.
  • Page 139 LABEL Remote IP Address Enter the Remote IP Address (if your ISP gave you one) in this field. Gateway/Remote IP Address Enter the gateway IP address (if your ISP gave you one) in this field if you selected Use Fixed IP Address. Network Address Translation Network Address Translation (NAT) allows the translation of an Internet protocol...
  • Page 140 LABEL RIP Direction RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Choose Both, None, In Only or Out Only. When set to Both or Out Only, the Prestige will broadcast its routing table periodically.
  • Page 141: Figure 9-6 MAC Setup

    LABEL Allow between WAN and LAN Select this check box to forward NetBIOS packets from the LAN to the WAN and from the WAN to the LAN. If your firewall is enabled with the default policy set to block WAN to LAN traffic, you also need to enable the default WAN to LAN firewall rule that forwards NetBIOS traffic.
  • Page 142: Figure 9-7 Traffic Redirect WAN Setup

    Traffic Redirect Traffic redirect forwards WAN traffic to a backup gateway when the Prestige cannot connect to the Internet through its normal gateway. Connect the backup gateway on the WAN so that the Prestige still provides firewall protection.
  • Page 143: Figure 9-9 WAN: Traffic Redirect

    Configuring Traffic Redirect To change your Prestige’s Traffic Redirect settings, click WAN, then the Traffic Redirect tab. The screen appears as shown. The following table describes the labels in this screen. LABEL Active Select this check box to have the Prestige use traffic redirect if the normal WAN connection goes down.
  • Page 144 LABEL Check WAN IP Address Configuration of this field is optional. If you do not enter an IP address here, the Prestige will use the default gateway IP address. Configure this field to test your Prestige's WAN accessibility. Type the IP address of a reliable nearby computer (for example, your ISP's DNS server address).
  • Page 145 Part III: SUA/NAT and Static Route This part covers Network Address Translation and setting up static routes.
  • Page 147: NAT Overview

    Network Address Translation (NAT) 10.1 NAT Overview NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet. For example, the source address of an outgoing packet, used within one network is changed to a different IP address known within another network.
  • Page 148: What NAT Does

    NAT never changes the IP address (either local or global) of an outside host. 10.1.2 What NAT Does In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side.
  • Page 149: Figure 10-1 How NAT Works

    Figure 10-1 How NAT Works 10.1.4 NAT Application The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the Prestige can communicate with three distinct WAN networks. More examples follow at the end of this chapter.
  • Page 150: Figure 10-2 NAT Application with IP Alias

    10.1.5 NAT Mapping Types NAT supports five types of IP/port mapping. They are: One to One: In One-to-One mode, the Prestige maps one local IP address to one global IP address. Many to One: In Many-to-One mode, the Prestige maps multiple local IP addresses to one global IP address.
  • Page 151: Table 10-2 NAT Mapping Types

    Many One-to-One: In Many-One-to-One mode, the Prestige maps each local IP address to a unique global IP address. Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world. Port numbers do not change for One-to-One and Many One-to-One NAT mapping. The following table summarizes these types.
  • Page 152: Using NAT

    10.2 Using NAT You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the Prestige. 10.2.1 SUA (Single User Account) Versus NAT SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server.
  • Page 153: Table 10-3 Services And Port Numbers

    21. In some cases, such as for unknown services or where one server can support more than one service (for example both FTP and web service), it might be better to specify a range of port numbers. In addition to the servers for specified services, NAT supports a default server. A service request that does not have a server explicitly designated for it is forwarded to the default server.
  • Page 154: Figure 10-3 Multiple Servers Behind NAT Example

    Figure 10-3 Multiple Servers Behind NAT Example 10.4 Configuring SUA Server If you do not assign a Default Server IP Address, the Prestige discards all packets received for ports that are not specified in this screen or remote management. Click SUA/NAT to open the SUA Server screen. Refer to Table 10-3 for port numbers commonly used for particular services.
  • Page 155: Figure 10-4 SUA/NAT Setup

    The following table describes the labels in this screen. LABEL Default Server In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in this screen. If you do not assign a Default Server IP Address, the Prestige discards all packets received for ports that are not specified in this screen or remote management.
  • Page 156 LABEL Number of an individual SUA server entry. Active Select this check box to enable the SUA server entry. Clear this checkbox to disallow forwarding of these ports to an inside server without having to delete the entry. Name Enter a name to identify this port-forwarding rule. Start Port Enter a port number here.
  • Page 157: Figure 10-5 Address Mapping

    The following table describes the labels in this screen. LABEL Local Start IP This refers to the Inside Local Address (ILA), which is the starting local IP address. If the rule is for all local IP addresses, then this field displays 0.0.0.0 as the Local Start IP address.
  • Page 158: Figure 10-6 Address Mapping Edit

    LABEL Type 1. One-to-One mode maps one local IP address to one global IP address. Note that port numbers do not change for the One-to-one NAT mapping type. 2. Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyXEL routers supported only.
  • Page 159: Trigger Port Forwarding

    LABEL Type Choose the port mapping type from one of the following. 1. One-to-One: One-to-one mode maps one local IP address to one global IP address. Note that port numbers do not change for One-to-one NAT mapping type. 2. Many-to-One: Many-to-One mode maps multiple local IP addresses to one global IP address.
  • Page 160: Figure 10-7 Trigger Port Forwarding Process: Example

    receives a response with a specific port number and protocol ("incoming" port), the Prestige forwards the traffic to the LAN IP address of the computer that sent the request. After that computer’s connection for that service closes, another computer on the LAN can use the service in the same manner. This way you do not need to configure a new IP address each time you want a different LAN computer to use the application.
  • Page 161: Figure 10-8 Trigger Port

    Only one LAN computer can use a trigger port (range) at a time. Figure 10-8 Trigger Port The following table describes the labels in this screen. Table 10-7 Trigger Port LABEL DESCRIPTION This is the rule index number (read-only).
  • Page 162 LABEL Name Type a unique name (up to 15 characters) for identification purposes. All characters are permitted - including spaces. Incoming Incoming is a port (or a range of ports) that a server on the WAN uses when it sends out a particular service.
  • Page 163: Figure 11-1 Example Of Static Routing Topology

    Chapter 11 Static Route Screens This chapter shows you how to configure static routes for your Prestige. 11.1 Static Route Overview Each remote node specifies only the network to which the gateway is directly connected, and the Prestige has no knowledge of the networks beyond.
  • Page 164: Configuring Route Entry

    The following table describes the labels in this screen. LABEL Number of an individual static route. Name Name that describes or identifies this route. Active This field shows whether this static route is active (Yes) or not (No). Destination This parameter specifies the IP network address of the final destination. Routing is always based on network number.
  • Page 165: Figure 11-3 Static Route: Edit

    The following table describes the labels in this screen. LABEL Route Name Enter the name of the IP static route. Leave this field blank to delete this static route. Active This field allows you to activate/deactivate this static route. Destination IP This parameter specifies the IP network address of the final destination.
  • Page 166 LABEL Private This parameter determines if the Prestige will include this route to a remote node in its RIP broadcasts. Select this check box to keep this route private and not included in RIP broadcasts. Clear this checkbox to propagate this route to other hosts through RIP broadcasts. Apply Click Apply to save your changes back to the Prestige.
  • Page 167 Part IV: UPnP and Firewall This part provides information and configuration instructions for Universal Plug and Play, firewall and content filtering.
  • Page 169: Universal Plug And Play Overview

    12.1 Universal Plug and Play Overview Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities and learn about other devices on the network. In turn, a device can leave a network smoothly and automatically when it is no longer in use.
  • Page 170: Cautions with UPnP

    12.1.3 Cautions with UPnP The automated nature of NAT traversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments. All UPnP-enabled devices may communicate freely with each other without additional configuration.
  • Page 171: Figure 12-1 Configuring UPnP

    Figure 12-1 Configuring UPnP The following table describes the labels in this screen. Table 12-1 Configuring UPnP LABEL Enable the Universal Plug and Play (UPnP) feature Select this checkbox to activate UPnP. Allow users to make configuration changes through UPnP Allow UPnP to pass through firewall Apply Reset
  • Page 172: Installing UPnP in Windows Example

    12.4 Installing UPnP in Windows Example This section shows how to install UPnP in Windows Me and Windows XP. 12.4.1 Installing UPnP in Windows Me Follow the steps below to install UPnP in Windows Me. Step 1. Click Start and Control Panel.
  • Page 173 Step 1. Click Start and Control Panel. Step 2. Double-click Network Connections. Step 3. In the Network Connections window, click Advanced in the main menu and select Optional Networking Components …. The Windows Optional Networking Components Wizard window displays. Step 4. Select Networking Service in the Components selection box and click Details.
  • Page 174: Using UPnP in Windows XP Example

    12.5 Using UPnP in Windows XP Example This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the ZyXEL device. Make sure the computer is connected to a LAN port of the ZyXEL device.
  • Page 175 Step 3. In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created. Step 4. You may edit or delete the port mappings or click Add to manually add port mappings.
  • Page 176: Web Configurator Easy Access

    When the UPnP-enabled device is disconnected from your computer, all port Step 5. Select the Show icon in notification area when connected check box and click OK. An icon displays in the system tray. Step 6. Double-click the icon to display your current Internet connection status.
  • Page 177 Step 1. Click Start and then Control Panel. Step 2. Double-click Network Connections. Step 3. Select My Network Places under Other Places. Step 4. An icon with the description for each UPnP-enabled device displays under Local Network. Step 5. Right-click the icon for your ZyXEL device and select Invoke.
  • Page 178 Step 6. Right-click the icon for your ZyXEL device and select Properties. A properties window displays with basic information about the ZyXEL device.
  • Page 179: What Is A Firewall

    Chapter 13 Firewall This chapter gives some background information on firewalls and explains how to get started with the Prestige firewall. 13.1 Introduction What is a Firewall? Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another.
  • Page 180: Guidelines For Enhancing Security With Your Firewall

    The Prestige can be used to prevent theft, destruction and modification of data, as well as to log events which may be important to the security of your network. The Prestige is installed between the LAN and a broadband modem connecting to the Internet. This allows it to act as a secure gateway for all data passing between the Internet and the LAN.
  • Page 181: Figure 13-1 Firewall: Settings

    13.2 Firewall Settings Screen From the MAIN MENU, click FIREWALL to open the Settings screen. The following table describes the labels in this screen. Enable Firewall: Select this check box to activate the firewall. The Prestige performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.
  • Page 182 LAN to WAN Packets to Log: Choose what LAN to WAN packets to log. Choose from: ... To log packets related to firewall rules, make sure that Access Control under Log is selected in the Logs, Log Settings screen. WAN to LAN Packets to Log: To log packets related to firewall rules, make sure that Access Control under Log is selected in the Logs, Log Settings screen.
  • Page 183: Figure 13-2 Firewall Rule Directions

    13.3 The Firewall, NAT and Remote Management Figure 13-2 Firewall Rule Directions 13.3.1 LAN-to-WAN rules LAN-to-WAN rules are local network to Internet firewall rules. The default is to forward all traffic from your local network to the Internet. How can you block certain LAN to WAN traffic? You may choose to block certain LAN-to-WAN traffic in the Services screen (click the Services tab).
  • Page 184: Configuring Content Filtering

    How can you forward certain WAN to LAN traffic? You may allow traffic originating from the WAN to be forwarded to the LAN by: Configuring NAT port forwarding rules in the web configurator SUA Server screen or SMT NAT menus.
  • Page 185: Figure 13-3 Firewall: Filter

    The following table describes the labels in this screen. Restricted Web Features. ActiveX: ActiveX is a tool for building dynamic and active Web pages and distributed object applications. When you visit an ActiveX Web site, ActiveX controls are downloaded to your browser, where they remain in case you visit the site again.
  • Page 186 Java: Java is a programming language and development environment for building downloadable Web components or Internet and intranet business applications of all kinds. Cookies: Web servers that track usage and provide service based on ID use cookies. Web Proxy: This is a server that acts as an intermediary between a user and the Internet to provide security, administrative control, and caching service.
  • Page 187: Figure 13-4 Firewall: Service

    The following table describes the labels in this screen. Enable Services Blocking: Select this check box to enable this feature. Available Service: This is a list of pre-defined services (ports) you may prohibit your LAN computers from using. Select the port you want to block using the drop-down list and click Add to add the port to the Blocked Service field.
  • Page 188 Blocked Service: This is a list of services (ports) that will be inaccessible to computers on your LAN once you enable service blocking. Custom Port: A custom port is a service that is not available in the pre-defined Available Services list and that you must define using the next two fields. Choose the IP protocol (TCP, UDP or TCP/UDP) that defines your customized port from the drop-down list box.
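    The direction rules of 13.3 and the service blocking of the Services screen together describe a simple policy: LAN-to-WAN traffic is forwarded unless its destination service is blocked; WAN-to-LAN traffic is dropped unless it is the reply to a flow the LAN opened or a NAT port-forwarding rule admits it. The following toy model is an added example written for this page, not ZyXEL code or a description of the ZyNOS implementation. The packet tuples, the blocked-service set and the port-forward table are all constructed here, and NAT address rewriting is deliberately ignored (assumption) so that the direction logic stands out.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "LAN->WAN" or "WAN->LAN"
    proto: str      # "TCP" or "UDP"
    src: str
    sport: int
    dst: str
    dport: int


class PrestigeFirewall:
    """Toy model of the directional defaults described in the manual:
    LAN-to-WAN is forwarded unless the service is blocked; WAN-to-LAN is
    dropped unless it is the reply to a LAN-initiated flow or it matches a
    port-forwarding rule. NAT address rewriting is ignored (assumption)."""

    def __init__(self, blocked_services, port_forwards):
        # Services tab: (proto, port) pairs the LAN may not reach.
        # proto may be "TCP", "UDP" or "TCP/UDP", as in the screen's drop-down.
        self.blocked = set(blocked_services)
        # SUA Server / NAT port-forwarding rules: (proto, wan_port) -> LAN host.
        self.forwards = dict(port_forwards)
        # Flows the LAN initiated, stored as the reply would look from the WAN.
        self.state = set()

    def _is_blocked(self, proto, port):
        return (proto, port) in self.blocked or ("TCP/UDP", port) in self.blocked

    def decide(self, pkt):
        if pkt.direction == "LAN->WAN":
            if self._is_blocked(pkt.proto, pkt.dport):
                return "DROP: blocked service"
            # Remember the flow so that the server's reply is let back in.
            self.state.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return "FORWARD: LAN-to-WAN default"
        if pkt.direction == "WAN->LAN":
            if (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.state:
                return "FORWARD: reply to LAN-initiated flow"
            target = self.forwards.get((pkt.proto, pkt.dport))
            if target is not None:
                return "FORWARD: port-forwarded to " + target
            return "DROP: WAN-to-LAN default"
        raise ValueError("unknown direction " + pkt.direction)


def run_demo():
    """Constructed packets run through a firewall that blocks outbound Telnet
    and forwards WAN TCP/80 to an internal web server (hypothetical hosts)."""
    fw = PrestigeFirewall(blocked_services={("TCP", 23)},
                          port_forwards={("TCP", 80): "192.168.1.20"})
    packets = [
        Packet("LAN->WAN", "TCP", "192.168.1.33", 40000, "203.0.113.5", 443),
        Packet("WAN->LAN", "TCP", "203.0.113.5", 443, "192.168.1.33", 40000),
        Packet("WAN->LAN", "TCP", "198.51.100.9", 5555, "192.168.1.33", 40000),
        Packet("LAN->WAN", "TCP", "192.168.1.33", 40001, "203.0.113.5", 23),
        Packet("WAN->LAN", "TCP", "198.51.100.9", 6000, "192.168.1.20", 80),
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

    The third packet is the case the default WAN-to-LAN policy exists for: it targets the same LAN host and port as the legitimate reply but comes from an address the LAN never contacted, so it is dropped; the fifth shows that a port-forwarding rule punches a hole that no state entry is needed for, which is why every forwarded service deserves its own firewall rule.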
  • Page 189 Part V: Remote Management and VPN/IPSec This part provides information and configuration instructions for remote management and VPN/IPSec.
  • Page 191: Remote Management Screens

    14.1 Remote Management Overview Remote management allows you to determine which services/protocols can access which Prestige interface (if any) from which computers. When you configure remote management to allow management from the WAN, you still need to configure a firewall rule to allow access. See the firewall chapters for ... You may manage your Prestige from a remote location via: Internet (WAN only), LAN only, ...
  • Page 192: Remote Management Limitations

    14.1.1 Remote Management Limitations Remote management over LAN or WAN will not work when: 1. A filter in SMT menu 3.1 (LAN) or in menu 11.5 (WAN) is applied to block a Telnet, FTP or Web service.
  • Page 193: Figure 14-1 Remote Management: Www

    Figure 14-1 Remote Management: WWW The following table describes the labels in this screen. Server Port: You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management. Moving the port does not hide the service from a port scan; it is the Server Access and Secured Client IP Address settings that limit who can reach it. Server Access: Select the interface(s) through which a computer may access the Prestige using this service.
  • Page 194: Figure 14-2 Telnet Configuration On A Tcp/Ip Network

    14.3 Configuring Telnet You can configure your Prestige for remote Telnet access as shown next. The administrator uses Telnet from a computer on a remote network to access the Prestige. Figure 14-2 Telnet Configuration on a TCP/IP Network 14.4 Configuring TELNET Click REMOTE MGMT and the TELNET tab to display the screen as shown.
  • Page 195: Figure 14-3 Remote Management: Telnet

    Figure 14-3 Remote Management: Telnet The following table describes the labels in this screen. Server Port: You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management. Server Access: Select the interface(s) through which a computer may access the Prestige using this service.
  • Page 196: Figure 14-4 Remote Management: Ftp

    14.5 Configuring FTP You can upload and download the Prestige’s firmware and configuration files using FTP, please see the chapter on firmware and configuration file maintenance for details. To use this feature, your computer must have an FTP client. To change your Prestige’s FTP settings, click REMOTE MGMT, then the FTP tab.
  • Page 197 Secured Client IP Address: A secured client is a “trusted” computer that is allowed to communicate with the Prestige using this service. Select All to allow any computer to access the Prestige using this service. Choose Selected to just allow the computer with the IP address that you specify to access the Prestige using this service. Telnet and FTP carry the administrator password in cleartext, so where possible limit these services to the LAN interface and to a single Secured Client IP address.
  • Page 198: Figure 14-5 Snmp Management Model

    SNMP is only available if TCP/IP is configured. Figure 14-5 SNMP Management Model An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the Prestige). An agent translates the local management information from the managed device into a form compatible with SNMP.
  • Page 199: Supported Mibs

    SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations: • Get - Allows the manager to retrieve an object variable from the agent. •...
  • Page 200: Figure 14-6 Remote Management: Snmp

    14.6.3 Configuring SNMP To change your Prestige’s SNMP settings, click REMOTE MGMT, then the SNMP tab. The screen appears as shown. Figure 14-6 Remote Management: SNMP The following table describes the labels in this screen.
  • Page 201: Configuring Dns

    SNMP Configuration. Get Community: Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. The default is public and allows all requests. Set Community: Enter the Set community, which is the password for incoming Set requests from the management station. Community strings are sent unencrypted in every SNMP request and the default public is universally known, so replace both defaults and allow SNMP only on the interfaces and from the hosts that actually run a management station.
  • Page 202: Figure 14-7 Remote Management: Dns

    To change your Prestige’s DNS settings, click REMOTE MGMT, then the DNS tab. The screen appears as shown. The following table describes the labels in this screen. Server Port: The DNS service port number is 53 and cannot be changed here. Server Access: Select the interface(s) through which a computer may send DNS queries to the Prestige.
  • Page 203: Configuring Security

    14.8 Configuring Security To change your Prestige’s security settings, click REMOTE MGMT, then the Security tab. The screen appears as shown. If an outside user attempts to probe an unsupported port on your Prestige, an ICMP response packet is automatically returned. This allows the outside user to know the Prestige exists. Your Prestige supports anti- probing, which prevents the ICMP response packet from being sent.
  • Page 204: Table 14-7 Security

    Respond to Ping: The Prestige will not respond to any incoming Ping requests when Disable is selected. Select LAN to reply to incoming LAN Ping requests. Select WAN to reply to incoming WAN Ping requests. Otherwise select LAN & WAN to reply to both incoming LAN and WAN Ping requests.
  • Page 205: Introduction To Ipsec

    15.1 VPN Overview A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication.
  • Page 206: Data Confidentiality

    Data Confidentiality The IPSec sender can encrypt packets before transmitting them across a network. Data Integrity The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has not been altered during transmission. Data Origin Authentication The IPSec receiver can verify the source of IPSec packets.
  • Page 207: Figure 15-2 Ipsec Architecture

    15.2 IPSec Architecture The overall IPSec architecture is shown as follows. Figure 15-2 IPSec Architecture 15.2.1 IPSec Algorithms The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms).
  • Page 208: Key Management

    15.2.2 Key Management Key management allows you to determine whether to use IKE (ISAKMP) or manual key configuration in order to set up a VPN. 15.3 Encapsulation The two modes of operation for IPSec VPNs are Transport mode and Tunnel mode. Figure 15-3 Transport and Tunnel Mode IPSec Encapsulation 15.3.1 Transport Mode Transport mode is used to protect upper layer protocols and only affects the data in the IP packet.
  • Page 209: Table 15-1 Vpn And Nat

    Inside header: The inside IP header contains the destination IP address of the final system behind the VPN gateway. The security protocol appears after the outer IP header and before the inside IP header. 15.4 IPSec and NAT Read this section if you are running IPSec on a host computer behind the Prestige. NAT is incompatible with the AH protocol in both Transport and Tunnel mode.
  • Page 211: Vpn Screens

    Chapter 16 VPN Screens This chapter introduces the VPN Web Configurator. See the Logs chapter for information on viewing logs and the Appendices for IPSec log descriptions. 16.1 VPN/IPSec Overview Use the screens documented in this chapter to configure rules for VPN connections and manage VPN connections.
  • Page 212: Table 16-1 Ah And Esp

    16.2.2 ESP (Encapsulating Security Payload) Protocol The ESP protocol (RFC 2406) provides encryption as well as some of the services offered by AH. ESP’s authentication is narrower in scope than AH’s because the IP header is not included in the integrity check; that is also why ESP, unlike AH, survives NAT.
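    The remark in 15.4 that NAT is incompatible with AH, and the note above that ESP does not authenticate the IP header, come down to what each protocol hashes. The script below is an added example for this page, not ZyXEL code: it builds a minimal IPv4 header, computes an HMAC-SHA1-96 integrity check value the way AH scopes it (header with the mutable fields zeroed, per RFC 2402, plus payload) and the way ESP scopes it (ESP header and payload only), then lets a router decrement the TTL and a NAT rewrite the source address. The key, addresses, SPI and payload are constructed for the demonstration.

```python
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-integrity-key"  # stands in for the SA's auth key


def ip_checksum(hdr):
    """Standard ones'-complement checksum over the 20-byte header."""
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Build a minimal IPv4 header (no options) with a valid checksum."""
    h = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234,
                              0x4000, ttl, proto, 0,
                              ipaddress.IPv4Address(src).packed,
                              ipaddress.IPv4Address(dst).packed))
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h)


def icv(data, key=KEY):
    """HMAC-SHA1-96: IPsec keeps only the leading 96 bits (RFC 2404)."""
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def ah_icv(hdr, payload):
    """AH scopes its ICV over the IP header with the mutable fields zeroed
    (TOS, flags/fragment offset, TTL, checksum) plus the payload. The
    addresses are immutable and therefore stay in the hash."""
    z = bytearray(hdr)
    z[1] = 0                 # TOS
    z[6:8] = b"\x00\x00"     # flags + fragment offset
    z[8] = 0                 # TTL
    z[10:12] = b"\x00\x00"   # header checksum
    return icv(bytes(z) + payload)


def esp_icv(esp_blob):
    """ESP scopes its ICV over the ESP header, payload and trailer only;
    the outer IP header is not covered at all."""
    return icv(esp_blob)


def rewrite(hdr, src=None, ttl=None):
    """Router behaviour: a NAT rewrites the source address; every hop
    decrements the TTL. Either way the checksum is recomputed."""
    h = bytearray(hdr)
    if src is not None:
        h[12:16] = ipaddress.IPv4Address(src).packed
    if ttl is not None:
        h[8] = ttl
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h)


def demo():
    payload = b"constructed upper-layer data"
    # Packet from a host behind the Prestige, as that host sent it (proto 51 = AH).
    hdr = ipv4_header("192.168.1.33", "203.0.113.10", 51, 20 + len(payload))
    ah = ah_icv(hdr, payload)
    esp_blob = struct.pack("!II", 0x1000, 1) + payload   # SPI, sequence, data
    esp = esp_icv(esp_blob)

    after_hop = rewrite(hdr, ttl=63)                      # plain routing
    after_nat = rewrite(hdr, src="198.51.100.7", ttl=63)  # the Prestige's NAT
    return {
        "ah_after_ttl_decrement": hmac.compare_digest(ah_icv(after_hop, payload), ah),
        "ah_after_nat": hmac.compare_digest(ah_icv(after_nat, payload), ah),
        # NAT changed the outer header, but ESP never hashed it.
        "esp_after_nat": hmac.compare_digest(esp_icv(esp_blob), esp),
    }


if __name__ == "__main__":
    print(demo())
```

    The TTL case shows that AH is not simply "fragile": fields every router must change are excluded from the hash by design. The source address is not one of them, so the receiver's AH check fails after NAT exactly as the manual states, while the ESP check, which never looked at the outer header, still passes.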
  • Page 213: Figure 16-1 Ipsec Summary Fields

    If the remote secure gateway has a static WAN IP address, enter it in the Secure Gateway Address field. You may alternatively enter the remote secure gateway’s domain name (if it has one) in the Secure Gateway Address field.
  • Page 214: Figure 16-2 Vpn: Summary

    Local and remote IP addresses must be static. Click VPN to open the Summary screen. This is a read-only menu of your IPSec rules (tunnels). Edit or create an IPSec rule by selecting an index number and then clicking Edit to configure the associated submenus.
  • Page 215: Keep Alive

    Remote Addr.: This is the IP address(es) of computer(s) on the remote network behind the remote IPSec router. A single (static) IP address is displayed when the Remote Address Start and Remote Address End/Mask fields in the Rule Setup IKE (or Manual) screen are both configured to the same IP address.
  • Page 216: Figure 16-3 Nat Router Between Ipsec Routers

    If the Prestige has its maximum number of simultaneous IPSec tunnels connected to it and they all have keep alive enabled, then no other tunnels can take a turn connecting to the Prestige because the Prestige never drops the tunnels that are already connected.
  • Page 217: Remote Dns Server

    Use ESP security protocol (in either transport or tunnel mode). Use IKE keying mode. Enable NAT traversal on both IPSec endpoints. In order for IPSec router A (see the figure) to receive an initiating IPSec packet from IPSec router B, set the NAT router to forward UDP port 500 to IPSec router A. Where the endpoints follow the IETF NAT traversal specification, IKE and the UDP-encapsulated ESP packets move to UDP port 4500 once a NAT is detected, so forward that port to router A as well.
  • Page 218: Table 16-3 Local Id Type And Content Fields

    If you do not specify an Intranet DNS server on the remote network, then the VPN host must use IP addresses to access the computers on the remote network. 16.8 ID Type and Content With aggressive negotiation mode (see Section 16.11.1), the Prestige identifies incoming SAs by ID type and content since this identifying information is not encrypted. Aggressive mode also sends the pre-shared-key authentication hash in the clear, which lets an eavesdropper test guesses against it offline, so use a long random pre-shared key whenever aggressive mode is required.
  • Page 219: Table 16-4 Peer Id Type And Content Fields

    Table 16-4 Peer ID Type and Content Fields PEER ID TYPE Type the IP address of the computer with which you will make the VPN connection or leave the field blank to have the Prestige automatically use the address in the Secure Gateway Address field.
  • Page 220: Editing Vpn Rules

    Table 16-6 Mismatching ID Type and Content Configuration Example: Prestige A has Peer ID content aa@yahoo.com; Prestige B has Peer ID content N/A. 16.9 Pre-Shared Key A pre-shared key identifies a communicating party during a phase 1 IKE negotiation (see Section 16.11 for more on IKE phases).
  • Page 221: Figure 16-5 Vpn: Rule Setup (Basic)

    Figure 16-5 VPN: Rule Setup (Basic) The following table describes the labels in this screen.
  • Page 222: Table 16-7 Vpn: Rule Setup (Basic)

    Active: Select this check box to activate this VPN tunnel. This option determines whether a VPN rule is applied before a packet leaves the firewall. Keep Alive: Select this check box to have the Prestige automatically re-initiate the SA after the SA lifetime times out, even if there is no traffic.
  • Page 223 DNS Server (for IPSec VPN): If there is a private DNS server that services the VPN, type its IP address here. The Prestige assigns this additional DNS server to the Prestige’s DHCP clients that have IP addresses in this IPSec rule's range of local addresses. A DNS server allows clients on the VPN to find other computers and servers on the VPN by their (private) domain names.
  • Page 224 Peer Content: The configuration of the peer content depends on the peer ID type. It is recommended that you type an IP address other than 0.0.0.0 or use the DNS or E-mail ID type in the following situations: ... Encapsulation: Select Tunnel mode or Transport mode from the drop-down list box.
  • Page 225: Ike Phases

    LABEL Pre-Shared Key Type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to share it with another party before you can communicate with them over a secure connection.
  • Page 226: Figure 16-6 Two Phases To Set Up The Ipsec Sa

    Figure 16-6 Two Phases to Set Up the IPSec SA In phase 1 you must: Choose a negotiation mode. Authenticate the connection by entering a pre-shared key. Choose an encryption algorithm. Choose an authentication algorithm. Choose a Diffie-Hellman public-key cryptography key group (DH1 or DH2; DH2 is the 1024-bit group and the stronger of the two). Set the IKE SA lifetime.
  • Page 227: Negotiation Mode

    Choose Tunnel mode or Transport mode. Set the IPSec SA lifetime. This field allows you to determine how long the IPSec SA should stay up before it times out. The Prestige automatically renegotiates the IPSec SA if there is traffic when the IPSec SA lifetime period expires. The Prestige also automatically renegotiates the IPSec SA if both IPSec routers have keep alive enabled, even if there is no traffic.
  • Page 228: Configuring Advanced Ike Settings

    16.11.3 Perfect Forward Secrecy (PFS) Enabling PFS means that the key is transient. The key is thrown away and replaced by a brand new key using a new Diffie-Hellman exchange for each new IPSec SA setup. With PFS enabled, if one key is compromised, previous and subsequent keys are not compromised, because subsequent keys are not derived from previous keys.
  • Page 229: Figure 16-7 Vpn Ike: Advanced

    Figure 16-7 VPN IKE: Advanced
  • Page 230: Table 16-8 Vpn Ike: Advanced

    The following table describes the labels in this screen. Active: Select this check box to activate this VPN policy. Keep Alive: Select this check box to turn on the Keep Alive feature for this SA. Turn on Keep Alive to have the Prestige automatically reinitiate the SA after the SA lifetime times out, even if there is no traffic.
  • Page 231 Local Port End: Enter a port number in this field to define a port range. This port number must be greater than that specified in the previous field (or equal to it for configuring an individual port). Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses.
  • Page 232 Local Content: When you select IP in the Local ID Type field, type the IP address of your computer in the local Content field. The Prestige automatically uses the IP address in the My IP Address field (refer to the My IP Address field description) if you configure the local Content field to 0.0.0.0 or leave it blank.
  • Page 233 Peer Content: The configuration of the peer content depends on the peer ID type. It is recommended that you type an IP address other than 0.0.0.0 or use the DNS or E-mail ID type in the following situations: When you want the Prestige to distinguish between VPN connection requests that come in from remote IPSec routers with dynamic WAN IP addresses.
  • Page 234 SA Life Time: Define the length of time before an IKE SA automatically renegotiates in this field. It may range from 60 to 3,000,000 seconds (almost 35 days). A short SA Life Time increases security by forcing the two VPN gateways to update the encryption and authentication keys.
  • Page 235: Manual Key Setup

    Authentication Algorithm: Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower; prefer SHA1 whenever the peer supports it.
  • Page 236: Configuring Manual Key

    Current ZyXEL implementation assumes identical outgoing and incoming SPIs. 16.14 Configuring Manual Key You only configure VPN Manual Key when you select Manual in the IPSec Keying Mode field on the Rule Setup IKE screen. This is the Rule Setup Manual screen as shown next.
  • Page 237: Figure 16-8 Rule Setup: Manual

    Figure 16-8 Rule Setup: Manual The following table describes the labels in this screen.
  • Page 238: Table 16-9 Rule Setup: Manual

    Active: Select this check box to activate this VPN policy. IPSec Keying Mode: Select IKE or Manual from the drop-down list box. Manual is a useful option for troubleshooting if you have problems using IKE key management. Protocol Number: Enter 1 for ICMP, 6 for TCP, 17 for UDP, etc.
  • Page 239 Remote Port End: Enter a port number in this field to define a port range. This port number must be greater than that specified in the previous field. If Remote Port Start is left at 0, Remote Port End will also remain at 0. DNS Server (for IPSec VPN): If there is a private DNS server that services the VPN, type its IP address here.
  • Page 240: Viewing Sa Monitor

    Authentication Algorithm: Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower.
  • Page 241: Figure 16-9 Sa Monitor

    When there is outbound traffic but no inbound traffic, the SA times out automatically after two minutes. A tunnel with no outbound or inbound traffic is "idle" and does not time out until the SA lifetime period expires. See section 16.6 on keep alive to have the Prestige renegotiate an IPSec SA when the SA lifetime ... The following table describes the labels in this screen.
  • Page 242: Figure 16-10 Vpn: Global Setting

    Previous Page: Click Previous Page to view more items in the summary (if applicable). Refresh: Click Refresh to display the current active VPN connection(s). Next Page: Click Next Page to view more items in the summary (if applicable). 16.16 Configuring Global Setting To change your Prestige’s Global Settings, click VPN, then the Global Setting tab.
  • Page 243: Table 16-12 Telecommuter And Headquarters Configuration Example

    Allow Through IPSec Tunnel: Select this check box to send NetBIOS packets through the VPN connection. Apply: Click Apply to save your changes back to the Prestige. Reset: Click Reset to begin configuring this screen afresh. 16.17 Telecommuter VPN/IPSec Examples The following examples show how multiple telecommuters can make VPN connections to a single Prestige at headquarters from remote IPSec routers that use dynamic WAN IP addresses.
  • Page 244: Figure 16-11 Telecommuters Sharing One Vpn Rule Example

    Figure 16-11 Telecommuters Sharing One VPN Rule Example 16.17.2 Telecommuters Using Unique VPN Rules Example With aggressive negotiation mode (see section 16.11.1), the Prestige can use the ID types and contents to distinguish between VPN rules. Telecommuters can each use a separate VPN rule to simultaneously access a Prestige at headquarters.
  • Page 245: Figure 16-12 Telecommuters Using Unique Vpn Rules Example

    Figure 16-12 Telecommuters Using Unique VPN Rules Example
  • Page 246: Vpn And Remote Management

    16.18 VPN and Remote Management If a VPN tunnel uses a remote management service port (Telnet, FTP, WWW, SNMP, DNS or ICMP) and terminates at the Prestige’s LAN or WAN port, configure remote management (REMOTE MGMT) to allow access for that service.
  • Page 247 Part VI: Logs, Media Bandwidth Management and Maintenance This part covers the centralized logs, media bandwidth management and maintenance screens.
  • Page 249: Figure 17-1 View Logs

    Chapter 17 Centralized Logs This chapter contains information about configuring general log settings and viewing the Prestige’s logs. Refer to the appendices for example log message explanations. 17.1 View Log The web configurator allows you to look at all of the Prestige’s logs in one location. Click LOGS in the navigation panel to open the View Log screen.
  • Page 250: Log Settings

    Display: The categories that you select in the Log Settings page (see section 17.2) display in the drop-down list box. Select a category of logs to view; select All Logs to view logs from all of the log categories that you selected in the Log Settings page.
  • Page 251: Figure 17-2 Log Settings

    Figure 17-2 Log Settings
  • Page 252: Table 17-2 Log Settings

    The following table describes the labels in this screen. Address Info. Mail Server: Enter the server name or the IP address of the mail server for the e-mail addresses specified below. If this field is left blank, logs and alert messages will not be sent via e-mail.
  • Page 253 Log Schedule: This drop-down menu is used to configure the frequency of log messages being sent as E-mail: Daily, Weekly, Hourly, When Log is Full, or None. If you select Weekly or Daily, specify a time of day when the E-mail should be sent. If you select Weekly, then also specify which day of the week the E-mail should be sent.
  • Page 255: Bandwidth Management Overview

    Media Bandwidth Management This chapter contains information about configuring media bandwidth management, editing rules ... 18.1 Bandwidth Management Overview ZyXEL’s Media Bandwidth Management allows you to specify bandwidth management rules based on an application and/or subnet. You can allocate specific amounts of bandwidth capacity (bandwidth budgets) to different bandwidth rules.
  • Page 256: Figure 18-1 Application-Based Bandwidth Management Example

    Figure 18-1 Application-based Bandwidth Management Example 18.1.2 Subnet-based Bandwidth Management Example The following example uses bandwidth rules based solely on LAN subnets. Each bandwidth rule (Subnet A and Subnet B) is allotted 320 Kbps. Figure 18-2 Subnet-based Bandwidth Management Example 18.1.3 Application and Subnet-based Bandwidth Management Example The following example uses bandwidth rules based on LAN subnets and applications (specific applications in each subnet are allotted bandwidth).
  • Page 257: Figure 18-3 Application And Subnet-Based Bandwidth Management Example

    Figure 18-3 Application and Subnet-based Bandwidth Management Example 18.1.4 Bandwidth Usage Example Here is an example of a Prestige that has bandwidth usage enabled on an interface. The first figure shows each bandwidth rule’s bandwidth budget. The rules are set up based on subnets. The interface is set to 320 Kbps.
  • Page 258: Bandwidth Management Priorities

    The following figure shows the bandwidth usage with the maximize bandwidth usage option enabled. The Prestige divides up the unbudgeted 64 Kbps among the rules that require more bandwidth. If the administration department only uses 32 Kbps of the budgeted 64 Kbps, the Prestige also divides the remaining 32 Kbps among the rules that require more bandwidth.
  • Page 259: Bandwidth Management Services

    Table 18-2 Media Bandwidth Management Priorities. Priority Levels: Traffic with a higher priority gets through faster while traffic with a lower priority is dropped if the network is congested. High: Typically used for voice traffic or video that is especially sensitive to jitter (jitter is the variation in delay).
  • Page 260: Table 18-3 Commonly Used Services

    eMule/eDonkey These programs use advanced file sharing applications relying on central servers to search for files. They use default port 4662. The World Wide Web is an Internet system to distribute graphical, hyper-linked information, based on Hyper Text Transfer Protocol (HTTP) - a client/server protocol for the World Wide Web. The Web is not synonymous with the Internet;...
  • Page 261 SERVICE HTTP(TCP:80) HTTPS(TCP:443) ICQ(UDP:4000) IKE(UDP:500) IPSEC_TUNNEL(AH:0) IPSEC_TUNNEL(ESP:0) IRC(TCP/UDP:6667) MSN Messenger(TCP:1863) MULTICAST(IGMP:0) NEW-ICQ(TCP:5190) NEWS(TCP:144) NFS(UDP:2049) NNTP(TCP:119) PING(ICMP:0) POP3(TCP:110) PPTP(TCP:1723) PPTP_TUNNEL(GRE:0) RCMD(TCP:512) REAL_AUDIO(TCP:7070) Media Bandwidth Management Table 18-3 Commonly Used Services DESCRIPTION Hyper Text Transfer Protocol - a client/server protocol for the world wide web.
  • Page 262: Configuration Screen

    Table 18-3 Commonly Used Services, continued (SERVICE: DESCRIPTION). REXEC(TCP:514): Remote Execution Daemon. RLOGIN(TCP:513). RTELNET(TCP:107). RTSP(TCP/UDP:554). SFTP(TCP:115). SMTP(TCP:25). SNMP(TCP/UDP:161). SNMP-TRAPS(TCP/UDP:162). SQL-NET(TCP:1521). SSH(TCP/UDP:22). STRM WORKS(UDP:1558). SYSLOG(UDP:514). TACACS(UDP:49). TELNET(TCP:23). TFTP(UDP:69). VDOLIVE(TCP:7000). 18.2 Configuration Screen Click ADVANCED and then BW MGMT to open the media bandwidth management Configuration screen, where you can configure your Prestige.
  • Page 263: Figure 18-6 Bandwidth Management Configuration

    Figure 18-6 Bandwidth Management Configuration
  • Page 264: Table 18-4 Bandwidth Management Configuration

    The following table describes the labels in this screen. Table 18-4 Bandwidth Management Configuration Active: Select this check box to have the Prestige apply bandwidth management. Enable bandwidth management to give traffic that matches a bandwidth rule priority over traffic that does not match a bandwidth rule.
  • Page 265: Figure 18-7 Bandwidth Management Edit

    18.3 Editing Bandwidth Management Rules Use the Bandwidth Management Configuration Edit screen to configure a bandwidth management rule. Use bandwidth rules to allocate specific amounts of bandwidth capacity (bandwidth budgets) to specific applications and/or subnets. 18.3.1 Bandwidth Borrowing Enable bandwidth borrowing by selecting Use All Managed Bandwidth on a rule to allow the rule to use any unused bandwidth.
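    The bandwidth usage example of 18.1.4 (an interface set to 320 Kbps, the unbudgeted remainder and any unused budget handed to rules that want more) and the per-rule Use All Managed Bandwidth setting above describe one allocation procedure. The function below is an added example written for this page, not ZyXEL's scheduler: it gives every rule its budget capped at its demand, then shares the spare among rules that may borrow and still want more. The manual says only that the spare is "divided up"; the equal per-round split used here, the three hypothetical rules and their demands are assumptions made for the demonstration.

```python
from fractions import Fraction


def allocate(interface_kbps, rules, maximize_usage=True):
    """Share an interface's bandwidth among bandwidth rules.

    rules maps a rule name to (budget_kbps, demand_kbps, borrow), where
    demand is what the matching traffic currently wants and borrow is the
    rule's "Use All Managed Bandwidth" setting.

    Step 1: every rule gets its budget, but never more than it needs.
    Step 2: with the interface's maximize-bandwidth-usage option on, the
    unbudgeted remainder plus whatever budgeted bandwidth went unused is
    divided among rules that still want more and are allowed to borrow.
    Assumption: the spare is split equally per round, capped at each rule's
    remaining demand; the manual says "divides up" without giving the rule.
    """
    alloc = {name: Fraction(min(budget, demand))
             for name, (budget, demand, _borrow) in rules.items()}
    if not maximize_usage:
        return alloc
    spare = Fraction(interface_kbps) - sum(alloc.values())
    while spare > 0:
        needy = [name for name, (_budget, demand, borrow) in rules.items()
                 if borrow and alloc[name] < demand]
        if not needy:
            break
        share = spare / len(needy)
        for name in needy:
            # A rule that needs less than its share takes only what it needs;
            # the rest stays in the pool for the next round.
            give = min(share, rules[name][1] - alloc[name])
            alloc[name] += give
            spare -= give
    return alloc


def demo():
    """Constructed variant of the manual's 320 Kbps example: three subnet
    rules budgeted 64 + 64 + 128 Kbps leave 64 Kbps unbudgeted, and the
    administration rule only uses 32 of its 64 Kbps."""
    rules = {
        "Administration": (64, 32, False),
        "Sales": (64, 200, True),
        "Marketing": (128, 150, True),
    }
    return allocate(320, rules), allocate(320, rules, maximize_usage=False)


if __name__ == "__main__":
    with_sharing, without_sharing = demo()
    print({k: int(v) for k, v in with_sharing.items()})
    print({k: int(v) for k, v in without_sharing.items()})
```

    With sharing on, the 64 Kbps that was never budgeted and the 32 Kbps Administration left unused are pooled (96 Kbps), Marketing takes the 22 Kbps it is short of and Sales the rest, and the interface is fully used; with sharing off each rule is pinned to its budget and 96 Kbps sits idle. Fractions are used instead of floats so that the loop terminates exactly when the pool is empty.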
  • Page 266: Table 18-5 Bandwidth Management Edit

    Active: Select this check box to have the Prestige apply this bandwidth management rule. Enable a bandwidth management rule to give traffic that matches the rule priority over traffic that does not match the rule. Rule Name: Use the auto-generated name or enter a descriptive name of up to 20 alphanumeric characters, including spaces.
  • Page 267: Monitor Screen

    Protocol: Enter the protocol (service type) number, for example: 1 for ICMP, 6 for TCP or 17 for UDP. Apply: Click Apply to save your customized settings and exit this screen. Reset: Click Reset to begin configuring this screen afresh. Delete: Click Delete to remove a rule configuration.
  • Page 268: Figure 18-8 Bandwidth Management Monitor

    Figure 18-8 Bandwidth Management Monitor
  • Page 269: Figure 19-1 Maintenance Status

    Chapter 19 Maintenance This chapter displays system information such as ZyNOS firmware, port IP addresses and port traffic statistics. 19.1 Maintenance Overview The maintenance screens can help you view system information, upload new firmware, manage configuration and restart your Prestige.
  • Page 270: System Statistics

    System Name: This is the System Name you chose in the first Internet Access Wizard screen. It is for identification purposes. Model Name: The model name identifies your device type. The model name should also be on a sticker on your Prestige. If you are uploading firmware, be sure to upload firmware for this exact model name.
  • Page 271: Figure 19-2 Maintenance System Statistics

    Figure 19-2 Maintenance System Statistics The following table describes the labels in this screen. Table 19-2 Maintenance System Statistics LABEL Port This is the WAN, LAN or WLAN port. Status This displays the port speed and duplex setting if you're using Ethernet encapsulation and down (line is down), idle (line (ppp) idle), dial (starting to trigger a call) and drop (dropping a call) if you're using PPPoE encapsulation.
  • Page 272: Dhcp Table Screen

    19.3 DHCP Table Screen DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the Prestige as a DHCP server or disable it. When configured as a server, the Prestige provides the TCP/IP configuration for the clients. If set to None, DHCP service will be disabled and you must have another DHCP server on your LAN, or else the computer must be manually configured.
  • Page 273: Figure 19-4 Maintenance Any Ip

    LABEL Refresh Click Refresh to renew the screen. 19.4 Any IP Table Click MAINTENANCE, Any IP Table. The Any IP table shows current read-only information (including the IP address and the MAC address) of all network devices that use the Any IP feature to communicate with the Prestige.
  • Page 274: F/W Upload Screen

    The following table describes the labels in this screen. LABEL This is the index number of an associated wireless station. MAC Address This field displays the MAC address of an associated wireless station. Association Time This field displays the time a wireless station first associated with the Prestige. Refresh Click Refresh to redisplay the current screen.
  • Page 275: Figure 19-7 Upload Warning

    The following table describes the labels in this screen. Table 19-6 Maintenance Firmware Upload LABEL File Path Type in the location of the file you want to upload in this field or click Browse ... to find it. Browse... Click Browse... to find the .bin file you want to upload. Remember that you must decompress compressed (.zip) files before you can upload them.
  • Page 276: Figure 19-9 Upload Error Message

    If the upload was not successful, the following screen will appear. Click Return to go back to the F/W Upload screen. Figure 19-9 Upload Error Message 19.7 Configuration Screen See the Firmware and Configuration File Maintenance chapter for transferring configuration files using FTP/TFTP commands.
  • Page 277: Backup Configuration

    Figure 19-10 Maintenance Configuration 19.7.1 Backup Configuration Backup configuration allows you to back up (save) the Prestige’s current configuration to a file on your computer. Once your Prestige is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes.
  • Page 278: Figure 19-11 Configuration Restore Successful

    Table 19-7 Maintenance Restore Configuration LABEL File Path: Type in the location of the file you want to upload in this field or click Browse ... to find it. Browse...: Click Browse... to find the file you want to upload. Remember that you must decompress...
  • Page 279: Back To Factory Defaults

    Figure 19-13 Configuration Restore Error 19.7.3 Back to Factory Defaults Pressing the Reset button in this section clears all user-entered configuration information and returns the Prestige to its factory defaults as shown on the screen. The following warning screen will appear. Figure 19-14 Factory Defaults You can also press the RESET button on the rear panel to reset the factory defaults of your Prestige.
  • Page 280: Figure 19-15 System Restart

    Figure 19-15 System Restart
  • Page 281 SMT General Configuration Part VII: SMT General Configuration This part covers System Management Terminal configuration for general setup, WAN setup, LAN setup, WLAN setup, Internet access, remote node, static route, NAT and enabling the firewall. See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.
  • Page 283: Smt Introduction

    This chapter explains how to access and navigate the System Management Terminal and gives an 20.1 SMT Introduction The Prestige’s SMT (System Management Terminal) is a menu-driven interface that you can access from a terminal emulator through the console port or over a telnet connection. This chapter shows you how to access the SMT (System Management Terminal) menus via console port, how to navigate the SMT and how to configure SMT menus.
  • Page 284: Figure 20-1 Login Screen

    Please note that if there is no activity for longer than five minutes after you log in, your Prestige will automatically log you out. Enter Password : **** Figure 20-1 Login Screen 20.1.4 Prestige SMT Menu Overview The following figure gives you an overview of the various SMT menu screens of your Prestige.
  • Page 285: Figure 20-2 Smt Menu Overview

    Figure 20-2 SMT Menu Overview 20.2 Navigating the SMT Interface The SMT (System Management Terminal) is the interface that you use to configure your Prestige. Several operations that you should be familiar with before you attempt to modify the configuration are listed in the table below.
  • Page 286: Table 20-1 Main Menu Commands

    OPERATION / KEYSTROKE: Move down to another menu: [ENTER]. Move up to a previous menu: [ESC]. Move to a “hidden” menu: Press [SPACE BAR] to change No to Yes, then press [ENTER]. Move the cursor: [ENTER] or [UP]/[DOWN] arrow keys.
  • Page 287: System Management Terminal Interface Summary

    Copyright (c) 1994 - 2004 ZyXEL Communications Corp. Getting Started 1. General Setup 2. WAN Setup 3. LAN Setup 4. Internet Access Setup Advanced Applications 11. Remote Node Setup 12. Static Routing Setup 14. Dial-in User Setup 15. NAT Setup 20.2.1 System Management Terminal Interface Summary...
  • Page 288: Figure 20-4 Menu 23 System Password

    MENU TITLE: System Maintenance; Schedule Setup; VPN/IPSec Setup; Exit. 20.3 Changing the System Password Change the Prestige default password by following the steps shown next. Step 1. Enter 23 in the main menu to display Menu 23 - System Security as shown next. Step 2.
  • Page 289: Procedure To Configure Menu 1

    Menu 1 - General Setup contains administrative and system-related information. 21.1 General Setup Menu 1 — General Setup contains administrative and system-related information (shown next). The System Name field is for identification purposes. However, because some ISPs check this name, you should enter your computer's "Computer Name".
  • Page 290: Figure 21-1 Menu 1 General Setup

    Step 2. Fill in the required fields. Refer to the table shown next for more information about these fields. FIELD System Name: Choose a descriptive name for identification purposes. It is recommended you enter your computer’s “Computer name” in this field.
  • Page 291: Procedure To Configure Dynamic Dns

    FIELD First System DNS Server / Second System DNS Server: DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it.
  • Page 292: Figure 21-2 Menu 1.1 Configure Dynamic Dns

    Service Provider= WWW.DynDNS.ORG Active= No DDNSType= DynamicDNS Host1= Host2= Host3= USER= Password= ******** Enable Wildcard= No Offline= N/A Edit Update IP Address: Use Server Detected IP= No User Specified IP Address= No IP Address= N/A Figure 21-2 Menu 1.1 Configure Dynamic DNS Follow the instructions in the next table to configure Dynamic DNS parameters.
  • Page 293 Table 21-2 Menu 1.1 Configure Dynamic DNS FIELD Offline This field is only available when CustomDNS is selected in the DDNS Type field. Press [SPACE BAR] and then [ENTER] to select Yes. When Yes is selected, traffic is redirected to a URL that you have previously specified (see www.dyndns.org Edit Update IP Address:...
  • Page 295: Chapter 22 Menu 2 Wan Setup

    22.1 Introduction to WAN This chapter explains how to configure settings for your WAN port. 22.2 WAN Setup From the main menu, enter 2 to open menu 2. The following table describes the fields in this menu. FIELD MAC Address Assigned By Press [SPACE BAR] and then [ENTER] to choose one of two methods to assign a MAC Address.
  • Page 296 Table 22-1 Menu 2 WAN Setup FIELD / DESCRIPTION: When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel.
  • Page 297: Figure 23-2 Menu 3.1 Lan Port Filter Setup

    This chapter covers how to configure your wired Local Area Network (LAN) settings. 23.1 LAN Setup This section describes how to configure the Ethernet using Menu 3 — LAN Setup. From the main menu, enter 3 to display menu 3. 23.1.1 General Ethernet Setup This menu allows you to specify filter set(s) that you wish to apply to the Ethernet traffic.
  • Page 298: Protocol Dependent Ethernet Setup

    23.2 Protocol Dependent Ethernet Setup Depending on the protocols for your applications, you need to configure the respective Ethernet Setup, as outlined below. For TCP/IP Ethernet setup refer to the Internet Access Application chapter. For bridging Ethernet setup refer to the Bridging Setup chapter. 23.3 TCP/IP Ethernet Setup and DHCP Use menu 3.2 to configure your Prestige for TCP/IP.
  • Page 299 Table 23-1 Menu 3.2: DHCP Ethernet Setup Fields FIELD Client IP Pool: Starting Address: This field specifies the first of the contiguous addresses in the IP address pool. Size of Client IP Pool: This field specifies the size, or count, of the IP address pool. First DNS Server: The Prestige passes a DNS (Domain Name System) server IP address...
  • Page 300: Table 23-2 Menu 3.2: Lan Tcp/Ip Setup Fields

    Table 23-2 Menu 3.2: LAN TCP/IP Setup Fields FIELD TCP/IP Setup: IP Address: Enter the IP address of your Prestige in dotted decimal notation. IP Subnet Mask: Your Prestige will automatically calculate the subnet mask based on the IP address that you assign.
  • Page 301: Figure 23-4 Physical Network & Partitioned Logical Networks

    Figure 23-4 Physical Network & Partitioned Logical Networks You must use menu 3.2 to configure the first network. Move the cursor to the Edit IP Alias field, press [SPACE BAR] to choose Yes and press [ENTER] to configure the second and third network. Press [ENTER] to open Menu 3.2.1 - IP Alias Setup, as shown next.
  • Page 302: Table 23-3 Menu 3.2.1: Ip Alias Setup

    FIELD IP Alias 1, 2: Choose Yes to configure the LAN network for the Prestige. IP Address: Enter the IP address of your Prestige in dotted decimal notation. IP Subnet Mask: Your Prestige will automatically calculate the subnet mask based on the IP address that you assign.
  • Page 303: Figure 23-6 Menu 3.5 Wireless Lan Setup

    Figure 23-6 Menu 3.5 Wireless LAN Setup The following table describes the fields in this menu. Table 23-4 Menu 3.5 Wireless LAN Setup FIELD ESSID: The ESSID (Extended Service Set IDentity) identifies the AP to which the wireless stations associate. Wireless stations associating to the AP must have the same ESSID.
  • Page 304 FIELD Select Disable to allow wireless stations to communicate with the access points without any data encryption. Select 64-bit WEP or 128-bit WEP to enable data encryption. Default Key: Enter the key number (1 to 4) in this field. Only one key can be enabled at any one time.
  • Page 305: Configuring Mac Address Filter

    Table 23-4 Menu 3.5 Wireless LAN Setup FIELD When you have completed this menu, press [ENTER] at the prompt “Press ENTER to confirm or ESC to cancel” to save your configuration or press [ESC] to cancel and go back to the previous screen. 23.4.1 Configuring MAC Address Filter Your Prestige checks the MAC address of the wireless station device against a list of allowed or denied MAC addresses.
  • Page 306: Figure 23-8 Menu 3.5.1 Wlan Mac Address Filter

    Figure 23-8 Menu 3.5.1 WLAN MAC Address Filter (screen listing twelve MAC address entries, each shown as 00:00:00:00:00:00) The following table describes the fields in this menu. Table 23-5 Menu 3.5.1 WLAN MAC Address Filter FIELD Active: To enable MAC address filtering, press [SPACE BAR] to select Yes and press [ENTER].
  • Page 307: Configuring Roaming On The Prestige

    Table 23-5 Menu 3.5.1 WLAN MAC Address Filter FIELD MAC Address Filter 1..32 Enter the MAC addresses (in XX:XX:XX:XX:XX:XX format) of the client computers that are allowed or denied access to the Prestige in these address fields. When you have completed this menu, press [ENTER] at the prompt “Press ENTER to confirm or ESC to cancel”...
  • Page 308: Figure 23-10 Menu 3.5.2 Roaming Configuration

    Press ENTER to Confirm or ESC to Cancel: Figure 23-10 Menu 3.5.2 Roaming Configuration The following table describes the fields in this menu. Table 23-6 Menu 3.5.2 Roaming Configuration FIELD Active: Press [SPACE BAR] and then [ENTER] to select Yes to enable roaming on the Prestige if you have two or more Prestiges on the same subnet.
  • Page 309: Figure 24-1 Menu 4 Internet Access Setup

    This chapter shows you how to configure your Prestige for Internet access. 24.1 Introduction to Internet Access Setup Use information from your ISP along with the instructions in this chapter to set up your Prestige to access the Internet. There are three different menu 4 screens depending on whether you chose Ethernet, PPTP or PPPoE Encapsulation.
  • Page 310: Table 24-1 Menu 4: Internet Access Setup (Ethernet)

    Table 24-1 Menu 4: Internet Access Setup (Ethernet) FIELD ISP’s Name Enter the name of your Internet Service Provider, e.g., myISP. This information is for identification purposes only. Encapsulation Press [SPACE BAR] and then press [ENTER] to choose Ethernet. The encapsulation method influences your choices for the IP Address field.
  • Page 311: Configuring The Pptp Client

    Table 24-1 Menu 4: Internet Access Setup (Ethernet) FIELD Network Address Translation: Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network (for example a private IP address used in a local network) to a different IP address known within another network (for example a public IP address used on the Internet).
  • Page 312: Configuring The Pppoe Client

    The following table contains instructions about the new fields when you choose PPTP in the Encapsulation field in menu 4. Table 24-2 New Fields in Menu 4 (PPTP) Screen FIELD Encapsulation Press [SPACE BAR] and then press [ENTER] to choose PPTP. The encapsulation method influences your choices for the IP Address field.
  • Page 313: Figure 24-3 Internet Access Setup (Pppoe)

    Figure 24-3 Internet Access Setup (PPPoE) The following table contains instructions about the new fields when you choose PPPoE in the Encapsulation field in menu 4. Table 24-3 New Fields in Menu 4 (PPPoE) screen FIELD Encapsulation Press [SPACE BAR] and then press [ENTER] to choose PPPoE. The encapsulation method influences your choices in the IP Address field.
  • Page 314 You may deactivate the firewall in menu 21.2 or via the Prestige embedded web configurator. You may also define additional firewall rules or modify existing ones but please exercise extreme caution in doing so. See the chapters on firewall for more information on the firewall.
  • Page 315: Remote Node Configuration

    Chapter 25 Remote Node Configuration This chapter covers remote node configuration. 25.1 Introduction to Remote Node Setup A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection.
  • Page 316: Figure 25-1 Menu 11.1 Remote Node Profile For Ethernet Encapsulation

    Rem Node Name= MyISP Active= Yes Encapsulation= Ethernet Service Type= Standard Service Name= N/A Outgoing: My Login= N/A My Password= N/A Retype to Confirm= N/A Server= N/A Relogin Every (min)= Figure 25-1 Menu 11.1 Remote Node Profile for Ethernet Encapsulation The following table describes the fields in this menu.
  • Page 317 Table 25-1 Menu 11.1 Remote Node Profile for Ethernet Encapsulation FIELD My Password: Enter the password assigned by your ISP when the Prestige calls this remote node. Valid for PPPoE encapsulation only. Retype to Confirm: Type your password again to make sure that you have entered it correctly.
  • Page 318: Figure 25-2 Menu 11.1 Remote Node Profile For Pppoe Encapsulation

    25.2.2 PPPoE Encapsulation The Prestige supports PPPoE (Point-to-Point Protocol over Ethernet). You can only use PPPoE encapsulation when you’re using the Prestige with a DSL modem as the WAN device. If you change the Encapsulation to PPPoE, then you will see the next screen.
  • Page 319: Table 25-2 Fields In Menu 11.1 (Pppoe Encapsulation Specific)

    The second is that the Prestige will try to bring up the connection when turned on and whenever the connection is down. A nailed-up connection can be very expensive for obvious reasons. Do not specify a nailed-up connection unless your telephone company offers flat-rate service or you need a constant connection and the cost is of no concern.
  • Page 320: Figure 25-3 Menu 11.1 Remote Node Profile For Pptp Encapsulation

    25.2.3 PPTP Encapsulation If you change the Encapsulation to PPTP in menu 11.1, then you will see the next screen. Please see the appendix for information on PPTP. Rem Node Name= MyISP Active= Yes Encapsulation= PPTP Service Type= Standard Service Name= N/A Outgoing:...
  • Page 321: Figure 25-4 Menu 11.3 Remote Node Network Layer Options For Ethernet Encapsulation

    25.3 Edit IP Move the cursor to the Edit IP field in menu 11.1, then press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.3 - Remote Node Network Layer Options. Menu 11.3 - Remote Node Network Layer Options IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A...
  • Page 322 Table 25-4 Remote Node Network Layer Options FIELD My WAN Addr: This field is applicable to PPPoE and PPTP encapsulations only. Some implementations, especially the UNIX derivatives, require the WAN link to have a separate IP network number from the LAN and each end must have a unique address within the WAN network number.
  • Page 323: Remote Node Filter

    Table 25-4 Remote Node Network Layer Options FIELD Multicast IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group. The Prestige supports both IGMP version 1 (IGMP-v1) and version 2 (IGMP-v2). Press [SPACE BAR] to enable IP Multicasting or select None to disable it.
  • Page 324: Figure 25-6 Menu 11.5: Remote Node Filter (Pppoe Or Pptp Encapsulation)

    Figure 25-6 Menu 11.5: Remote Node Filter (PPPoE or PPTP Encapsulation) 25.4.1 Traffic Redirect Setup Configure parameters that determine when the Prestige will forward WAN traffic to the backup gateway using Menu 11.6 — Traffic Redirect Setup. Figure 25-7 Menu 11.6: Traffic Redirect Setup The following table describes the fields in this screen.
  • Page 325 Table 25-5 Menu 11.6: Traffic Redirect Setup FIELD Configuration: Backup Gateway IP Address: Enter the IP address of your backup gateway in dotted decimal notation. The Prestige automatically forwards traffic to this IP address if the Prestige’s Internet connection terminates. Metric: Enter a number from 1 to 15 to set this route’s priority among the Prestige’s routes (see the Metric section in the WAN and Dial Backup...
  • Page 327: Figure 26-1 Menu 12 Ip Static Route Setup

    Static Route Setup This chapter shows how to set up IP static routes. 26.1 IP Static Route Setup Step 1. To configure an IP static route, use Menu 12 – Static Routing Setup (shown next). Menu 12 - IP Static Route Setup Figure 26-1 Menu 12 IP Static Route Setup Step 2. Now, type the route number of a static route you want to configure.
  • Page 328: Figure 26-2 Menu12.1 Edit Ip Static Route

    Press ENTER to Confirm or ESC to Cancel: Figure 26-2 Menu12.1 Edit IP Static Route The following table describes the fields for Menu 12.1 – Edit IP Static Route Setup. FIELD Route #: This is the index number of the static route that you chose in menu 12.1. Route Name: Type a descriptive name for this route.
  • Page 329 Table 26-1 Menu12.1 Edit IP Static Route FIELD Private This parameter determines if the Prestige will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and is not included in RIP broadcasts. If No, the route to this remote node will be propagated to other hosts through RIP broadcasts.
  • Page 331: Figure 27-1 Menu 14- Dial-In User Setup

    27.1 Dial-in User Setup By storing user profiles locally, your ZyAIR is able to authenticate wireless users without interacting with a network RADIUS server. Follow the steps below to set up user profiles on your ZyAIR. Step 1. From the main menu, enter 14 to display Menu 14 - Dial-in User Setup. Menu 14 - Dial-in User Setup 1.
  • Page 332: Table 27-1 Menu 14.1- Edit Dial-In User

    The following table describes the fields in this screen. FIELD User Name: Enter a username up to 31 alphanumeric characters long for this user profile. This field is case sensitive. Active: Press [SPACE BAR] to select Yes and press [ENTER] to enable the user profile. Password: Enter a password up to 31 characters long for this user profile.
  • Page 333: Applying Nat

    Chapter 28 Network Address Translation (NAT) This chapter discusses how to configure NAT on the Prestige. 28.1 Using NAT You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the Prestige. 28.1.1 SUA (Single User Account) Versus NAT SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server.
  • Page 334: Figure 28-1 Menu 4 Applying Nat For Internet Access

    ISP's Name= MyISP Encapsulation= Ethernet IP Address Assignment= Dynamic Network Address Translation= SUA Only Press ENTER to Confirm or ESC to Cancel: Figure 28-1 Menu 4 Applying NAT for Internet Access The following figure shows how you apply NAT to the remote node in menu 11.1. Step 1.
  • Page 335: Nat Setup

    Menu 11.3 - Remote Node Network Layer Options IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Addr= N/A Network Address Translation= SUA Only Metric= 1 Private= N/A RIP Direction= None Version= N/A Multicast= None Enter here to CONFIRM or ESC to CANCEL: Figure 28-2 Menu 11.3 Applying NAT to the Remote Node The following table describes the options for Network Address Translation.
  • Page 336: Figure 28-3 Menu 15 Nat Setup

    configurator screens for further information on these menus. To configure NAT, enter 15 from the main menu to bring up the following screen. 1. Address Mapping Sets 2. Port Forwarding Setup 3. Trigger Port Setup 28.3.1 Address Mapping Sets Enter 1 to bring up Menu 15.1 — Address Mapping Sets. 255.
  • Page 337: Figure 28-5 Menu 15.1.255 Sua Address Mapping Rules

    Set Name= SUA Local Start IP --------------- 0.0.0.0 Figure 28-5 Menu 15.1.255 SUA Address Mapping Rules The following table explains the fields in this menu. FIELD Set Name This is the name of the set you selected in menu 15.1 or enter the name of a new set you want to create.
  • Page 338: Figure 28-6 Menu 15.1.1 First Set

    FIELD When you have completed this menu, press [ENTER] at the prompt “Press ENTER to confirm or ESC to cancel” to save your configuration or press [ESC] to cancel and go back to the previous screen. User-Defined Address Mapping Sets Now let’s look at option 1 in menu 15.1.
  • Page 339: Table 28-3 Menu 15.1.1 First Set

    ignored. If there are any empty rules before your new configured rule, your configured rule will be pushed up by that number of empty rules. For example, if you have already configured rules 1 to 6 in your current set and now you configure rule number 9.
  • Page 340: Figure 28-7 Menu 15.1.1.1 Editing/Configuring An Individual Rule In A Set

    Menu 15.1.1.1 Address Mapping Rule Type= One-to-One Local IP: Start= 0.0.0.0 Global IP: Start= 0.0.0.0 Figure 28-7 Menu 15.1.1.1 Editing/Configuring an Individual Rule in a Set The following table explains the fields in this menu. Table 28-4 Menu 15.1.1.1 Editing/Configuring an Individual Rule in a Set FIELD Type: Press [SPACE BAR] and then [ENTER] to select from a total of five types.
  • Page 341: Configuring A Server Behind Nat

    28.4 Configuring a Server behind NAT Follow these steps to configure a server behind NAT: Step 1. Enter 15 in the main menu to go to Menu 15 - NAT Setup. Step 2. Enter 2 to display Menu 15.2 - NAT Server Setup as shown next. Rule --------------------------------------------------- Press ENTER to Confirm or ESC to Cancel:...
  • Page 342: Figure 28-9 Multiple Servers Behind Nat Example

    Figure 28-9 Multiple Servers Behind NAT Example 28.5 General NAT Examples The following are some examples of NAT configuration. 28.5.1 Example 1: Internet Access Only In the following Internet access example, you only need one rule where the ILAs (Inside Local Addresses) of computers A through D map to one dynamic IGA (Inside Global Address) assigned by your ISP.
  • Page 343: Figure 28-11 Menu 4 Internet Access & Nat Example

    ISP's Name= MyISP Encapsulation= Ethernet IP Address Assignment= Dynamic Network Address Translation= SUA Only Press ENTER to Confirm or ESC to Cancel: Figure 28-11 Menu 4 Internet Access & NAT Example From menu 4, choose the SUA Only option from the Network Address Translation field. This is the Many-to-One mapping discussed in section 28.5.
  • Page 344: Figure 28-13 Menu 15.2.1 Specifying An Inside Server

    Rule --------------------------------------------------- Figure 28-13 Menu 15.2.1 Specifying an Inside Server 28.5.3 Example 3: Multiple Public IP Addresses With Inside Servers In this example, there are 3 IGAs from our ISP. There are many departments but two have their own FTP server.
  • Page 345: Figure 28-14 Nat Example

    Step 1. In this case you need to configure Address Mapping Set 1 from Menu 15.1 - Address Mapping Sets. Therefore you must choose the Full Feature option from the Network Address Translation field (in menu 4 or menu 11.3) in Figure 28-15. Step 2.
  • Page 346: Figure 28-16 Example 3: Menu

    Menu 11.3 - Remote Node Network Layer Options IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Addr= N/A Network Address Translation= Full Feature Metric= 1 Private= N/A RIP Direction= None Multicast= None The following figures show how to configure the first rule. Type= One-to-One Local IP: Global IP:...
  • Page 347: Figure 28-17 Example 3: Final Menu

    Menu 15.1.1 - Address Mapping Rules NAT_SET Set Name= Local Start IP --------------- 192.168.1.10 192.168.1.11 0.0.0.0 Figure 28-17 Example 3: Final Menu 15.1.1 Now configure the IGA3 to map to our web server and mail server on the LAN. Step 8. Enter 15 from the main menu.
  • Page 348: Example 4: Nat Unfriendly Application Programs

    Rule --------------------------------------------------- HTTP:80 FTP:21 Telnet:23 SMTP:25 POP3:110 PPTP:1723 28.5.4 Example 4: NAT Unfriendly Application Programs Some applications do not support NAT Mapping using TCP or UDP port address translation. In this case it is better to use Many-to-Many No Overload mapping as port numbers do not change for Many-to-Many No Overload (and One-to-One) NAT mapping types.
  • Page 349: Figure 28-19 Example 4: Menu 15.1.1.1 Address Mapping Rule

    Other applications such as some gaming programs are NAT unfriendly because they embed addressing information in the data stream. These applications won’t work through NAT even when using One-to-One and Many-to-Many No Overload. Follow the steps outlined in example 3 to configure these two menus as follows. Type= Many-One-to-One Local IP: Start= 192.168.1.10...
  • Page 350: Figure 28-21 Menu 15.3 Trigger Port Setup

    28.6 Configuring Trigger Port Forwarding Only one LAN computer can use a trigger port (range) at a time. Enter 3 in menu 15 to display Menu 15.3 — Trigger Port Setup, shown next. Rule ---------------------------------------------------------------------- Real Audio The following table describes the fields in this screen. Table 28-5 Menu 15.3 Trigger Port Setup FIELD Rule...
  • Page 351 Table 28-5 Menu 15.3 Trigger Port Setup FIELD / DESCRIPTION / EXAMPLE: End Port: Enter a port number or the ending port number in a range of port numbers. Example: 7070. Press [ENTER] at the message “Press ENTER to Confirm...” to save your configuration, or press [ESC] at any time to cancel.
  • Page 353: Remote Management And The Firewall

    29.1 Remote Management and the Firewall When SMT menu 24.11 is configured to allow management (see the Remote Management chapter) and the firewall is enabled: • The firewall blocks remote management from the WAN unless you configure a firewall rule to allow it.
  • Page 354: Figure 29-1 Menu 21.2 Firewall Setup

    The firewall protects against Denial of Service (DoS) attacks when it is active. Your network is vulnerable to attacks when the firewall is turned off. Refer to the User's Guide for details about the firewall default policies.
  • Page 355 SMT Advanced Management Part VIII: SMT Advanced Management This part discusses filtering setup, SNMP, system security, system information and diagnosis, firmware and configuration file maintenance, system maintenance, remote management and call scheduling. See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.
  • Page 357: Introduction To Filters

    Chapter 30 Filter Configuration This chapter shows you how to create and apply filters. 30.1 Introduction to Filters Your Prestige uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering.
  • Page 358: The Filter Structure Of The Prestige

    Figure 30-1 Outgoing Packet Filtering Process (flowchart: Data, Outgoing Packet Filtering, Match, Drop packet) For incoming packets, your Prestige applies data filters only. Packets are processed depending upon whether a match is found. The following sections describe how to configure filter sets. 30.1.1 The Filter Structure of the Prestige A filter set consists of one or more filter rules.
  • Page 359: Filter Set

    Figure 30-2 Filter Rule Process (flowchart: Start, Packet into filter, Fetch First Filter Set, Fetch First Filter Rule, Check Next Rule, Next filter Rule Available?, Fetch Next Filter Rule, Next Filter Set Available?, Fetch Next Filter Set, Drop Packet)
  • Page 360: Figure 30-4 Menu 21: Filter And Firewall Setup

    You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port. 30.2 Configuring a Filter Set The Prestige includes filtering for NetBIOS over TCP/IP packets by default.
  • Page 361: Table 30-1 Abbreviations Used In The Filter Rules Summary Menu

    Step 3. Select the filter set you wish to configure (1-12) and press [ENTER]. Step 4. Enter a descriptive name or comment in the Edit Comments field and press [ENTER]. Step 5. Press [ENTER] at the message [Press ENTER to confirm] to open Menu 21.1.1 - Filter Rules Summary.
  • Page 362: Configuring A Filter Rule

    Refer to the next section for information on configuring the filter rules. 30.2.1 Configuring a Filter Rule To configure a filter rule, type its number in Menu 21.1.1 - Filter Rules Summary and press [ENTER] to open menu 21.1.1.1 for the rule.
  • Page 363: Figure 30-6 Menu 21.1.1.1 Tcp/Ip Filter Rule

    To configure TCP/IP rules, select TCP/IP Filter Rule from the Filter Type field and press [ENTER] to open Menu 21.1.1.1 - TCP/IP Filter Rule, as shown next. Filter #: 1,1 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 0 Destination: IP Addr= 0.0.0.0 TCP Estab= N/A More= No...
  • Page 364 FIELD IP Mask Enter the IP mask to apply to the Destination: IP Addr. Port # Enter the destination port of the packets that you wish to filter. The range of this field is 0 to 65535. This field is ignored if it is Port # Comp Press [SPACE BAR] and then [ENTER] to select the comparison to apply to the destination port in the packet...
  • Page 365 FIELD Press [SPACE BAR] and then [ENTER] to select a logging option from the following: None – No packets will be logged. Action Matched - Only packets that match the rule parameters will be logged. Action Not Matched - Only packets that do not match the rule parameters will be logged.
  • Page 366: Figure 30-7 Executing An Ip Filter

    Figure 30-7 Executing an IP Filter (flowchart). Steps: Packet into IP Filter; Filter Active?; Apply SrcAddrMask to Src Addr; Check Src IP Addr Matched; Apply DestAddrMask to Dest Addr; Check Dest IP Addr Matched; Check IP Protocol Matched; Check Src & Dest Port Matched; More?; Action Matched; Drop...
  • Page 367: Configuring A Generic Filter Rule

    30.2.3 Configuring a Generic Filter Rule This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly. For generic rules, the Prestige treats a packet as a byte stream as opposed to an IP or IPX packet.
  • Page 368 Table 30-4 Generic Filter Rule Menu Fields FIELD Filter Use [SPACE BAR] and then [ENTER] to select a rule type. Parameters Type displayed below each type will be different. TCP/IP filter rules are used to filter IP packets while generic filter rules allow filtering of non-IP packets. Active Select Yes to turn on the filter rule or No to turn it off.
  • Page 369: Figure 30-9 Telnet Filter Example

    30.3 Example Filter Let’s look at an example to block outside users from accessing the Prestige via telnet. Step 1. Enter 21 from the main menu to open Menu 21 - Filter and Firewall Setup. Step 2. Enter 1 to open Menu 21.1 - Filter Set Configuration. Step 3.
  • Page 370: Figure 30-10 Example Filter: Menu 21.1.3.1

    Step 6. Enter 1 to configure the first filter rule (the only filter rule of this set). Make the entries in this menu as shown in the following figure. Menu 21.1.3.1 - TCP/IP Filter Rule Filter #: 3,1 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 6...
  • Page 371: Filter Types And Nat

    # A Type - - ---- --------------------------------------------------------------- - - - 1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23 This shows you that you have configured and activated (A = Y) a TCP/IP filter rule (Type = IP, Pr = 6) for destination telnet ports (DP = 23).
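    The walk through filter sets and rules in figures 30-2 and 30-7, and the telnet-blocking rule of section 30.3, as an added Python model (example code written for this page, not ZyXEL firmware). It assumes that a set in which no rule returns Forward or Drop falls through to the next applied set, that a packet no set claims is forwarded, and it fills in the two action fields of the telnet rule, which the excerpt cuts off, as Drop when matched and Forward otherwise.

```python
"""Model of how the Prestige walks its TCP/IP filter sets and rules (figures 30-2 and 30-7)."""
from dataclasses import dataclass
from ipaddress import IPv4Address

ANY = "0.0.0.0"   # address or mask 0.0.0.0 matches every host; IP protocol 0 matches every protocol


@dataclass
class Packet:
    src: str
    dst: str
    proto: int        # 6 = TCP, 17 = UDP, 1 = ICMP
    sport: int = 0
    dport: int = 0


@dataclass
class Rule:
    """Fields of one Menu 21.1.x.y TCP/IP filter rule."""
    active: bool = True
    proto: int = 0
    src: str = ANY
    src_mask: str = ANY
    sport: int = 0
    sport_comp: str = "None"          # None | Equal | Not Equal | Less | Greater
    dst: str = ANY
    dst_mask: str = ANY
    dport: int = 0
    dport_comp: str = "None"
    more: bool = False                # Yes: the next rule must match as well before an action is taken
    act_match: str = "Check Next Rule"      # Check Next Rule | Forward | Drop
    act_nomatch: str = "Check Next Rule"


def _addr_match(pkt_addr, rule_addr, mask):
    """Apply the rule's mask to the packet address and compare (SrcAddrMask/DestAddrMask steps)."""
    m = int(IPv4Address(mask))
    return (int(IPv4Address(pkt_addr)) & m) == (int(IPv4Address(rule_addr)) & m)


def _port_match(pkt_port, rule_port, comp):
    return {"None": True,
            "Equal": pkt_port == rule_port,
            "Not Equal": pkt_port != rule_port,
            "Less": pkt_port < rule_port,
            "Greater": pkt_port > rule_port}[comp]


def rule_matches(rule, pkt):
    """The checks of figure 30-7 in order: source, destination, protocol, ports."""
    return (_addr_match(pkt.src, rule.src, rule.src_mask)
            and _addr_match(pkt.dst, rule.dst, rule.dst_mask)
            and rule.proto in (0, pkt.proto)
            and _port_match(pkt.sport, rule.sport, rule.sport_comp)
            and _port_match(pkt.dport, rule.dport, rule.dport_comp))


def run_filter_set(rules, pkt):
    """Walk one filter set (up to six rules). Returns 'Forward', 'Drop', or None when every
    rule said 'Check Next Rule' and the set ran out (figure 30-2 then fetches the next set)."""
    i = 0
    while i < len(rules):
        rule = rules[i]
        if rule.active:
            matched = rule_matches(rule, pkt)
            # More= Yes chains this rule with the following ones: every rule in the chain has
            # to match, and the action fields of the last rule in the chain decide (assumption).
            while rule.more and i + 1 < len(rules):
                i += 1
                rule = rules[i]
                matched = matched and rule_matches(rule, pkt)
            action = rule.act_match if matched else rule.act_nomatch
            if action in ("Forward", "Drop"):
                return action
        i += 1
    return None


def filter_packet(filter_sets, pkt):
    """filter_sets: [(set_number, [Rule, ...]), ...] as applied in menu 3.1 or 11.5 (up to four).
    Returns (verdict, set_number). Assumption: a packet that no set claims is forwarded."""
    for set_no, rules in filter_sets:
        verdict = run_filter_set(rules, pkt)
        if verdict is not None:
            return verdict, set_no
    return "Forward", None


# Filter set 3, rule 1 of section 30.3: Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23.
# Assumed action fields (cut off in the excerpt): Matched= Drop, Not Matched= Forward.
TELNET_BLOCK = Rule(proto=6, dport=23, dport_comp="Equal",
                    act_match="Drop", act_nomatch="Forward")
```

    Applying TELNET_BLOCK as an input protocol filter on the remote node (menu 11.5) drops TCP packets to port 23 from the WAN; note that its Forward on non-match ends filtering, so a set placed after it is never consulted for packets it sees.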
  • Page 372: Firewall Versus Filters

    Generic and TCP/IP filter rules are discussed in more detail in the next section. When NAT (Network Address Translation) is enabled, the inside IP address and port number are replaced on a connection-by-connection basis, which makes it impossible to know the exact address and port on the wire. Therefore, the Prestige applies the protocol filters to the “native”...
  • Page 373: Applying Lan Filters

    30.6.1 Applying LAN Filters LAN traffic filter sets may be useful to block certain packets, reduce traffic and prevent security breaches. Go to menu 3.1 (shown next) and enter the number(s) of the filter set(s) that you want to apply as appropriate.
  • Page 374: Figure 30-14 Filtering Remote Node Traffic

    Figure 30-14 Filtering Remote Node Traffic: Menu 11.5 - Remote Node Filter Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Enter here to CONFIRM or ESC to CANCEL:
  • Page 375: Figure 31-1 Snmp Management Model

    Chapter 31 SNMP Configuration This chapter explains SNMP Configuration menu 22. 31.1 About SNMP Simple Network Management Protocol is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your Prestige supports SNMP agent functionality, which allows a manager station to manage and monitor the Prestige through the network.
  • Page 376 An agent is a management software module that resides in a managed device (the Prestige). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions. It executes applications that control and monitor managed devices.
  • Page 377: Figure 31-2 Menu 22 Snmp Configuration

    SNMP: Get Community= public Set Community= public Trusted Host= 0.0.0.0 Trap: Community= public Destination= 0.0.0.0 Press ENTER to Confirm or ESC to Cancel: Figure 31-2 Menu 22 SNMP Configuration The screen ships with all three community strings set to public and with no trusted host or trap destination configured; change the community strings (the set community in particular) before enabling SNMP access to the Prestige. The following table describes the SNMP configuration parameters. Table 31-1 Menu 22 SNMP Configuration FIELD SNMP: Get Community...
  • Page 378: Table 31-2 Snmp Traps

    31.4 SNMP Traps The Prestige will send traps to the SNMP manager when any one of the following events occurs: TRAP # TRAP NAME coldStart (defined in RFC-1215) warmStart (defined in RFC-1215) linkDown (defined in RFC-1215) linkUp (defined in RFC-1215) authenticationFailure (defined in RFC-1215)
  • Page 379: Figure 32-1 Menu 23 System Security

    This chapter describes how to configure the system security on the Prestige. 32.1 System Security You can configure the system password, an external RADIUS server and 802.1x in this menu. 32.1.1 System Password You should change the default password. If you forget your password you have to restore the default configuration file.
  • Page 380: Figure 32-3 Menu 23.2 System Security : Radius Server

    Menu 23.2 - System Security - RADIUS Server Figure 32-3 Menu 23.2 System Security : RADIUS Server The following table describes the fields in this screen. Table 32-1 Menu 23.2 System Security : RADIUS Server FIELD Authentication Server Active Press [SPACE BAR] to select Yes and press [ENTER] to enable...
  • Page 381: Figure 32-4 Menu 23 System Security

    Table 32-1 Menu 23.2 System Security : RADIUS Server FIELD Server Address Enter the IP address of the external accounting server in dotted decimal notation. Port The default port of the RADIUS server for accounting is 1813. You need not change this value unless your network administrator instructs you to do so with additional information.
  • Page 382: Figure 32-5 Menu 23.4 System Security : Ieee802.1X

    Wireless Port Control= No Authentication Required ReAuthentication Timer (in second)= 1800 Idle Timeout (in second)= 3600 Key Management Protocol= Local User Database Only Dynamic WEP Key Exchange= 64-bit WEP PSK = N/A WPA Mixed Mode= N/A Data Privacy for Broadcast/Multicast packets= N/A WPA Broadcast/Multicast Key Update Timer= N/A Authentication Databases= N/A...
  • Page 383 Table 32-2 Menu 23.4 System Security : IEEE802.1x FIELD Idle Timeout The ZyAIR automatically disconnects a client from the wired network after a period of (in second) inactivity. The client needs to enter the username and password again before access to the wired network is allowed.
  • Page 384 Table 32-2 Menu 23.4 System Security : IEEE802.1x FIELD Authentication The authentication database contains wireless station login information. The local user Databases database is the built-in database on the ZyAIR. The RADIUS is an external server. Use this field to decide which database the ZyAIR should use (first) to authenticate a wireless station.
  • Page 385: Figure 33-1 Menu 24 System Maintenance

    System Information and Diagnosis This chapter covers the information and diagnostic tools in SMT menus 24.1 to 24.4. These tools include updates on system status, port status, log and trace capabilities and upgrades for the system software. This chapter describes how to use these tools in detail. Type 24 in the main menu to open Menu 24 Figure 33-1 Menu 24 System Maintenance 33.1 System Status...
  • Page 386: Figure 33-2 Menu 24.1 System Maintenance : Status

    Figure 33-2 Menu 24.1 System Maintenance : Status (screen showing Port Status 100M/Full, 100M/Full and the WLAN port, Ethernet Addresses 00:A0:C5:01:23:46 and 00:A0:C5:01:23:45, System up Time, Name, Routing: IP and ZyNOS F/W Version: V3.60(JK.0)b1 | 01/28/2004). The following table describes the fields present in Menu 24.1 — System Maintenance — Status. These fields are READ-ONLY and meant for diagnostic purposes.
  • Page 387: Figure 33-3 Menu 24.2 System Information And Console Port Speed

    Table 33-1 System Maintenance: Status Menu Fields FIELD IP Mask The IP mask of the port listed on the left. DHCP The DHCP setting of the port listed on the left. System up Time The total time the Prestige has been on. Name This is the Prestige's system name + domain name assigned in menu 1.
  • Page 388: Console Port Speed

    Refers to the routing protocol used. ZyNOS F/W Version Refers to the ZyNOS (ZyXEL Network Operating System) system firmware version. ZyNOS is a registered trademark of ZyXEL Communications Corporation. Ethernet Address Refers to the Ethernet MAC (Media Access Control) of your Prestige.
  • Page 389: Figure 33-5 Menu 24.2.2 System Maintenance : Change Console Port Speed

    Menu 24.2.2 – System Maintenance – Change Console Port Speed Figure 33-5 Menu 24.2.2 System Maintenance : Change Console Port Speed 33.3 Log and Trace There are two logging facilities in the Prestige. The first is the error logs and trace records that are stored locally.
  • Page 390: Packet Triggered

    Table 33-3 Menu 24.3.2 System Maintenance : Syslog and Accounting PARAMETER Syslog Server IP Address Enter the IP address of the server that will log the CDR (Call Detail Record) and system messages, i.e., the syslog server. Log Facility Press [SPACE BAR] and then [ENTER] to select a Local option.
  • Page 391: Filter Log

    3. Filter log. Filter log message format: SdcmdSyslogSend(SYSLOG_FILLOG, SYSLOG_NOTICE, String); String = IP[Src=xx.xx.xx.xx Dst=xx.xx.xx.xx prot spo=xxxx dpo=xxxx] S04>R01mD. IP[…] is the packet header and S04>R01mD means filter set 4 (S) and rule 1 (R), match (m), drop (D). Src: source address; Dst: destination address; prot: protocol (“TCP”, ”UDP”, ”ICMP”); spo: source port...
  • Page 392: Firewall Log

    5. Firewall log. Firewall log message format: SdcmdSyslogSend(SYSLOG_FIREWALL, SYSLOG_NOTICE, buf); buf = IP[Src=xx.xx.xx.xx : spo=xxxx Dst=xx.xx.xx.xx : dpo=xxxx | prot | rule | action]. Src: source address; spo: source port (empty means no source port information); Dst: destination address; dpo: destination port (empty means no destination port information); prot: protocol (“TCP”, ”UDP”, ”ICMP”, ”IGMP”, ”GRE”, ”ESP”)
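    An added example, not from the manual or from ZyXEL, that parses the two message bodies above (the filter log and the firewall log) and counts dropped packets per source address from a syslog export. The sample messages are constructed. The n and F codes for not-matched and forwarded filter hits, and the block/forward words in the firewall action field, are assumptions, since the excerpt documents only m and D.

```python
"""Parser for the Prestige filter-log and firewall-log message bodies (section 33.3)."""
import re
from collections import Counter

# Body of SdcmdSyslogSend(SYSLOG_FILLOG, ...): IP[Src=.. Dst=.. prot spo=.. dpo=..] S04>R01mD
FILTER_RE = re.compile(
    r"IP\[Src=(?P<src>\S+) Dst=(?P<dst>\S+) (?P<prot>\w+) spo=(?P<spo>\d*) dpo=(?P<dpo>\d*)\]"
    r" S(?P<set>\d+)>R(?P<rule>\d+)(?P<match>[mn])(?P<action>[DF])")

# Body of SdcmdSyslogSend(SYSLOG_FIREWALL, ...):
# IP[Src=.. : spo=.. Dst=.. : dpo=.. | prot | rule | action]   (spo and dpo may be empty)
FIREWALL_RE = re.compile(
    r"IP\[Src=(?P<src>\S+) : spo=(?P<spo>\d*) Dst=(?P<dst>\S+) : dpo=(?P<dpo>\d*)"
    r" \| (?P<prot>\w+) \| (?P<rule>[^|]*) \| (?P<action>[^\]]*)\]")


def _port(text):
    return int(text) if text else None      # empty port field means "no port information"


def parse_log_line(line):
    """Return a dict describing the event, or None if the line is in neither format."""
    m = FILTER_RE.search(line)
    if m:
        d = m.groupdict()
        return {"kind": "filter", "src": d["src"], "dst": d["dst"], "prot": d["prot"],
                "spo": _port(d["spo"]), "dpo": _port(d["dpo"]),
                "set": int(d["set"]), "rule": int(d["rule"]),
                "matched": d["match"] == "m",       # 'm' = match; 'n' assumed to mean not matched
                "dropped": d["action"] == "D"}      # 'D' = drop; 'F' assumed to mean forward
    m = FIREWALL_RE.search(line)
    if m:
        d = m.groupdict()
        action = d["action"].strip()
        return {"kind": "firewall", "src": d["src"], "dst": d["dst"], "prot": d["prot"],
                "spo": _port(d["spo"]), "dpo": _port(d["dpo"]),
                "rule": d["rule"].strip(), "action": action,
                "dropped": action.lower() in ("block", "drop")}   # assumed action words
    return None


def blocked_sources(lines, min_hits=3):
    """Sources with at least min_hits dropped packets across both logs: a quick way to pick
    repeated probes (such as telnet attempts hitting the filter of section 30.3) out of an export."""
    hits = Counter()
    for line in lines:
        ev = parse_log_line(line)
        if ev and ev["dropped"]:
            hits[ev["src"]] += 1
    return {src: n for src, n in hits.items() if n >= min_hits}


# Constructed sample messages in the two formats above (not captured from a device)
SAMPLE_LOG = [
    "IP[Src=203.0.113.7 Dst=192.168.1.1 TCP spo=51234 dpo=23] S03>R01mD",
    "IP[Src=203.0.113.7 Dst=192.168.1.1 TCP spo=51235 dpo=23] S03>R01mD",
    "IP[Src=203.0.113.7 Dst=192.168.1.1 TCP spo=51236 dpo=23] S03>R01mD",
    "IP[Src=198.51.100.4 : spo=40000 Dst=192.168.1.1 : dpo=80 | TCP | default permit | forward]",
    "IP[Src=198.51.100.9 : spo= Dst=192.168.1.1 : dpo= | ICMP | default permit | block]",
    "unrelated line that is in neither format",
]
```

    The regular expressions match the message body only; strip the syslog priority and host prefix that the Prestige's syslog server prepends before feeding lines to parse_log_line.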
  • Page 393: Figure 33-7 Call-Triggering Packet Example

    Figure 33-7 Call-Triggering Packet Example (dump of an ENET0-RECV IP frame: Size, Frame Type, then the IP header fields Version, Header Length, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source IP, Destination IP, and the TCP header fields Source Port, Destination Port, Sequence Number, Ack Number, Header Length, Flags, Window Size...)
  • Page 394: Figure 33-8 Menu 24.4 System Maintenance : Diagnostic

    Menu 24.4 - System Maintenance - Diagnostic TCP/IP 1. Ping Host 2. WAN DHCP Release 3. WAN DHCP Renewal 4. Internet Setup Test System 11. Reboot System Enter Menu Selection Number: Host IP Address= N/A Figure 33-8 Menu 24.4 System Maintenance : Diagnostic 33.4.1 WAN DHCP DHCP functionality can be enabled on the LAN or WAN as shown in Figure 33-9.
  • Page 395: Table 33-4 System Maintenance Menu Diagnostic

    Table 33-4 System Maintenance Menu Diagnostic FIELD Ping Host Enter 1 to ping any machine (with an IP address) on your LAN or WAN. Enter its IP address in the Host IP Address field below. WAN DHCP Release Enter 2 to release your WAN DHCP settings. WAN DHCP Renewal Enter 3 to renew your WAN DHCP settings.
  • Page 397: Filename Conventions

    Chapter 34 Firmware and Configuration File Maintenance This chapter tells you how to backup and restore your configuration file as well as upload new firmware and configuration files. 34.1 Filename Conventions The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password, DHCP Setup, TCP/IP Setup, etc.
  • Page 398: Table 34-1 Filename Conventions

    FILE TYPE INTERNAL NAME Configuration File Rom-0 Firmware 34.2 Backup Configuration Option 5 from Menu 24 – System Maintenance allows you to backup the current Prestige configuration to your computer. Backup is highly recommended once your Prestige is functioning properly. FTP is the preferred method for backing up your current configuration to your computer since it is faster.
  • Page 399: Using The Ftp Command From The Command Line

    34.2.1 Backup Configuration Follow the instructions as shown in the next screen. Menu 24.5 - System Maintenance - Backup Configuration To transfer the configuration file to your workstation, follow the procedure below: 1. Launch the FTP client on your workstation. 2.
  • Page 400: Figure 34-2 Ftp Session Example

    34.2.3 Example of FTP Commands from the Command Line 331 Enter PASS command Password: 230 Logged in ftp> bin 200 Type I OK ftp> get rom-0 zyxel.rom 200 Port command okay 150 Opening data connection for STOR ras 226 File received OK ftp: 16384 bytes sent in 1.10Seconds 297.89Kbytes/sec.
  • Page 401: Backup Configuration Using Tftp

    3. The IP address in the Secured Client IP field in menu 24.11 does not match the client IP. If it does not match, the Prestige will disconnect the Telnet session immediately. 4. You have an SMT console session running. 34.2.6 Backup Configuration Using TFTP The Prestige supports the up/downloading of the firmware and the configuration file using TFTP (Trivial File Transfer Protocol) over LAN.
  • Page 402: Table 34-3 General Commands For Gui-Based Tftp Clients

    34.2.8 GUI-based TFTP Clients The following table describes some of the fields that you may see in GUI-based TFTP clients. Table 34-3 General Commands for GUI-based TFTP Clients COMMAND Host Enter the IP address of the Prestige. 192.168.1.1 is the Prestige’s default IP address when shipped.
  • Page 403: Restore Using Ftp

    34.3.1 Restore Using FTP For details about backup using (T)FTP please refer to earlier sections on FTP and TFTP file upload in this chapter. Menu 24.6 -- System Maintenance - Restore Configuration To transfer the firmware and configuration file to your workstation, follow the procedure below: 1.
  • Page 404: Figure 34-4 Restore Using Ftp Session Example

    34.3.2 Restore Using FTP Session Example ftp> put config.rom rom-0 200 Port command okay 150 Opening data connection for STOR rom-0 226 File received OK 221 Goodbye for writing flash ftp: 16384 bytes sent in 0.06Seconds 273.07Kbytes/sec. ftp>quit Figure 34-4 Restore Using FTP Session Example Refer to section 34.2.5 to read about configurations that disallow TFTP and FTP over WAN.
  • Page 405: Configuration File Upload

    Menu 24.7.1 - System Maintenance - Upload System Firmware To upload the system firmware, follow the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your system. Then type "root" and SMT password as requested.
  • Page 406: Ftp File Upload Command From The Dos Prompt Example

    34.4.3 FTP File Upload Command from the DOS Prompt Example Step 1. Launch the FTP client on your computer. Step 2. Enter “open”, followed by a space and the IP address of your Prestige. Step 3. Press [ENTER] when prompted for a username.
  • Page 407: Tftp Upload Command Example

    To use TFTP, your computer must have both telnet and TFTP clients. To transfer the firmware and the configuration file, follow the procedure shown next. Step 1. Use telnet from your computer to connect to the Prestige and log in. Because TFTP does not have any security checks, the Prestige records the IP address of the telnet client and accepts TFTP requests only from this address.
  • Page 409: Chapter 35 System Maintenance

    35.1 Command Interpreter Mode The Command Interpreter (CI) is a part of the main system firmware. The CI provides much of the same functionality as the SMT, while adding some low-level setup and diagnostic functions. Enter the CI from the SMT by selecting menu 24.8.
  • Page 410: Command Usage

    A list of commands can be found by typing help or ? at the command prompt. Always type the full command. Type exit to return to the SMT main menu when finished. Copyright (c) 1994 - 2003 ZyXEL Communications Corp. ras> ?
  • Page 411: Figure 35-4 Budget Management

    35.2.1 Budget Management Menu 24.9.1 shows the budget management statistics for outgoing calls. Enter 1 from Menu 24.9 - System Maintenance - Call Control to bring up the following menu. Remote Node Connection Time/Total Budget 1. MyISP No Budget The total budget is the time limit on the accumulated time for outgoing calls to a remote node. When this limit is reached, the call will be dropped and further outgoing calls to that remote node will be blocked.
  • Page 412: Time And Date Setting

    35.2.2 Call History This is the second option in Menu 24.9 - System Maintenance - Call Control. It displays information about past incoming and outgoing calls. Enter 2 from Menu 24.9 - System Maintenance - Call Control to bring up the following menu.
  • Page 413: Figure 35-6 Menu 24: System Maintenance

    you turn on your Prestige. Menu 24.10 allows you to update the time and date settings of your Prestige. The real time is then displayed in the Prestige error logs and firewall logs. Select menu 24 in the main menu to open Menu 24 - System Maintenance, as shown next. Figure 35-6 Menu 24: System Maintenance Enter 10 to go to Menu 24.10 - System Maintenance - Time and Date Setting to update the time and date settings of your Prestige as shown in the following screen.
  • Page 414: Resetting The Time

    Table 35-3 Time and Date Setting Fields FIELD Time Protocol Enter the time service protocol that your timeserver sends when you turn on the Prestige. Not all timeservers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.
  • Page 415 On leaving menu 24.10 after making changes. When the Prestige starts up, if there is a timeserver configured in menu 24.10. iii. 24-hour intervals after starting. System Maintenance Prestige 334W User’s Guide 35-7...
  • Page 417: Figure 36-1 Menu 24.11 - Remote Management Control

    36.1 Remote Management Remote management allows you to determine which services/protocols can access which Prestige interface (if any) from which computers. You may manage your Prestige from a remote location via: Internet (WAN only) LAN only When you choose WAN only or ALL (LAN & WAN), you still need to configure a To disable remote management of a service, select Disable in the corresponding Server Access field.
  • Page 418: Table 36-1 Menu 24.11 - Remote Management Control

    The following table describes the fields in this screen. Table 36-1 Menu 24.11 – Remote Management Control FIELD Telnet Server Each of these read-only labels denotes a service or protocol. FTP Server Web Server SNMP Service DNS Service Port This field shows the port number for the service or protocol.
  • Page 419: Figure 37-1 Menu 26 Schedule Setup

    Call scheduling (applicable for PPPoA or PPPoE encapsulation only) allows you to dictate when a 37.1 Introduction to Call Scheduling The call scheduling feature allows the Prestige to manage a remote node and dictate when a remote node should be called and for how long. This feature is similar to the scheduler in a videocassette recorder (you can specify a time period for the VCR to record).
  • Page 420: Figure 37-2 Menu 26.1 Schedule Set Setup

    To setup a schedule set, select the schedule set you want to setup from menu 26 (1-12) and press [ENTER] to see Menu 26.1 — Schedule Set Setup as shown next. Press Space Bar to Toggle Figure 37-2 Menu 26.1 Schedule Set Setup If a connection has been already established, your Prestige will not drop it.
  • Page 421 Table 37-1 Menu 26.1 Schedule Set Setup FIELD Weekday: If you selected Weekly in the How Often field above, then select the day(s) when the set should activate (and recur) by going to that day(s) and pressing [SPACE BAR] to select Yes, then press [ENTER]. Start Time Enter the start time when you wish the schedule set to take effect in hour- minute format.
  • Page 422: Figure 37-3 Applying Schedule Set(S) To A Remote Node (Pppoe)

    Rem Node Name= MyISP Active= Yes Encapsulation= PPPoE Service Type= Standard Service Name= Outgoing: My Login= My Password= ******** Retype to Confirm= ******** Authen= CHAP/PAP Figure 37-3 Applying Schedule Set(s) to a Remote Node (PPPoE) You can apply up to four schedule sets, separated by commas, for one remote node. Change the schedule set numbers to your preference(s).
  • Page 423 SMT VPN/IPSec Part IX: SMT VPN/IPSec This part provides information about configuring VPN/IPSec for secure communications. See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.
  • Page 425: Figure 38-1 Vpn Smt Menu Tree

    38.1 VPN/IPSec Overview The VPN/IPSec main SMT menu has these main submenus: 1. Define VPN policies in menu 27.1 submenus, including security policies, endpoint IP addresses, peer IPSec router IP address and key management. 2. Menu 27.2 - SA Monitor allows you to manage (refresh or disconnect) your SA connections. This is an overview of the VPN menu tree.
  • Page 426: Ipsec Summary Screen

    38.2 IPSec Summary Screen Type 1 in menu 27 and then press [ENTER] to display Menu 27.1 IPSec Summary. This is a summary read-only menu of your IPSec rules (tunnels). Edit or create an IPSec rule by selecting an index number and then configuring the associated submenus.
  • Page 427 FIELD Name This field displays the unique identification name for this VPN rule. The name may be up to 32 characters long but only 10 characters will be displayed here. Y signifies that this VPN rule is active. Local Addr Start When the Addr Type field in Menu 27.1.1 IPSec Setup is configured to Single, this is a static IP address on the LAN behind your Prestige.
  • Page 428 FIELD Key Mgt This field displays the SA’s type of key management (IKE or Manual). Remote Addr Start When the Addr Type field in Menu 27.1.1 IPSec Setup is configured to Single, this is a static IP address on the network behind the remote IPSec router.
  • Page 429: Ipsec Setup

    FIELD Select Press [SPACE BAR] to choose from None, Edit, Delete, Go To Rule, Command Next Page or Previous Page and then press [ENTER]. You must select a rule in the next field when you choose the Edit, Delete or Go To commands.
  • Page 430: Figure 38-4 Menu 27.1.1 Ipsec Setup

    Index= 1 Active= Yes Local ID type My IP Addr= 0.0.0.0 Peer ID type= IP Secure Gateway Address= zw50test.zyxel.com.tw Protocol= 0 Local: Remote: Enable Replay Detection = No Key Management= IKE Edit Key Management Setup= No The following table describes the fields in this menu.
  • Page 431 FIELD Nat Traversal Select this check box to enable NAT traversal. NAT traversal allows you to set up a VPN connection when there are NAT routers between the two IPSec routers. The remote IPSec router must also have NAT traversal enabled. You can use NAT traversal with ESP protocol using Transport or Tunnel mode, but not with AH protocol nor with Manual key management.
  • Page 432 FIELD When you select IP in the Peer ID Type field, type the IP address of the Content computer with which you will make the VPN connection or leave the field blank to have the Prestige automatically use the address in the Secure Gateway Address field.
  • Page 433 Table 38-2 Menu 27.1.1 IPSec Setup FIELD DESCRIPTION EXAMPLE End Enter a port number in this field to define a port range. This port number must be greater than that specified in the previous field. This field is N/A when 0 is configured in the Port Start field.
  • Page 434: Ike Setup

    FIELD Port Start 0 is the default and signifies any port. Type a port number from 0 to 65535. Someone behind the remote IPSec router cannot create a VPN tunnel when attempting to connect using a port number that does not match this port number or range of port numbers.
  • Page 435: Figure 38-5 Menu 27.1.1.1 Ike Setup

    Phase 1 Negotiation Mode= Main PSK= qwer1234 Encryption Algorithm= DES Authentication Algorithm= MD5 SA Life Time (Seconds)= 28800 Key Group= DH1 Phase 2 Active Protocol= ESP Encryption Algorithm= DES Authentication Algorithm= SHA1 SA Life Time (Seconds)= 28800 Encapsulation= Tunnel Perfect Forward Secrecy (PFS)= None The following table describes the fields in this menu.
  • Page 436 FIELD Encryption Algorithm When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. Prestige DES encryption algorithm uses a 56-bit key.
  • Page 437: Manual Setup

    FIELD Perfect Forward Secrecy (PFS) Perfect Forward Secrecy (PFS) is disabled (None) by default in phase 2 IPSec SA setup. This allows faster IPSec setup but is less secure: without PFS the phase 2 keys are derived from the phase 1 keying material, so compromise of the phase 1 key exposes the data keys as well. Press [SPACE BAR] and choose from DH1 or DH2 to enable PFS. DH1 refers to Diffie-Hellman Group 1, which uses a 768-bit modulus.
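    The phase 1 and phase 2 settings of figure 38-5 written out as a screen dump and audited for weak choices, as an added example (not ZyXEL code). The screen text below is constructed from the figure's values rather than captured from a device; the thresholds and the suggested alternatives (3DES, SHA1, DH2, a longer PSK) are this example's own, not the manual's.

```python
"""Audit of a Prestige IKE Setup screen (SMT Menu 27.1.1.1, figure 38-5) for weak settings."""
import re

# Constructed screen text with the values of figure 38-5; not captured from a device.
IKE_SCREEN = """
                    Menu 27.1.1.1 - IKE Setup
  Phase 1
    Negotiation Mode= Main
    PSK= qwer1234
    Encryption Algorithm= DES
    Authentication Algorithm= MD5
    SA Life Time (Seconds)= 28800
    Key Group= DH1
  Phase 2
    Active Protocol= ESP
    Encryption Algorithm= DES
    Authentication Algorithm= SHA1
    SA Life Time (Seconds)= 28800
    Encapsulation= Tunnel
    Perfect Forward Secrecy (PFS)= None
"""


def parse_ike_screen(text):
    """Split the screen into one dict per phase; the same field names recur in both phases,
    so a flat key/value parse would lose the phase 1 values."""
    phases, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if re.fullmatch(r"Phase [12]", line):
            current = phases.setdefault(line, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return phases


def audit_ike(phases):
    """Return a list of findings; an empty list means the screen passes these checks.
    The thresholds and recommended replacements are this example's choices."""
    p1, p2 = phases.get("Phase 1", {}), phases.get("Phase 2", {})
    findings = []
    if p1.get("Negotiation Mode") == "Aggressive":
        findings.append("Phase 1: Aggressive mode sends the identity and PSK-based hash unprotected")
    if len(p1.get("PSK", "")) < 16:
        findings.append("Phase 1: PSK shorter than 16 characters is open to offline guessing")
    for name, p in (("Phase 1", p1), ("Phase 2", p2)):
        if p.get("Encryption Algorithm") == "DES":
            findings.append(f"{name}: DES uses a 56-bit key; select 3DES")
        if p.get("Authentication Algorithm") == "MD5":
            findings.append(f"{name}: MD5 integrity; select SHA1")
    if p1.get("Key Group") == "DH1":
        findings.append("Phase 1: DH1 is the 768-bit group; select DH2")
    if p2.get("Perfect Forward Secrecy (PFS)", "None") == "None":
        findings.append("Phase 2: PFS disabled, so a recovered phase 1 key exposes the phase 2 keys")
    return findings


if __name__ == "__main__":
    for finding in audit_ike(parse_ike_screen(IKE_SCREEN)):
        print(finding)
```

    Run against the figure's values the audit reports six findings (the short PSK, DES in both phases, MD5 in phase 1, DH1 and the missing PFS); the peer IPSec router has to be configured to the same stronger proposals or phase 1 negotiation fails.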
  • Page 438: Figure 38-6 Menu 27.1.1.2 Manual Setup

    Active Protocol= ESP Tunnel ESP Setup SPI (Decimal)= Encryption Algorithm= DES Authentication Algorithm= MD5 AH Setup SPI (Decimal)= N/A Authentication Algorithm= N/A The following table describes the fields in this menu. FIELD Active Protocol Press [SPACE BAR] to choose from ESP Tunnel, ESP Transport, AH Tunnel or AH Transport and then press [ENTER].
  • Page 439 FIELD Key3 Enter a unique eight-character key. It can be comprised of any character including spaces (but trailing spaces are truncated). Authentication Press [SPACE BAR] to choose from MD5 or SHA1 and then press [ENTER]. Algorithm Key Enter the authentication key to be used by IPSec if applicable. The key must be unique.
  • Page 441: Figure 39-1 Menu 27.2 Sa Monitor

    This chapter teaches you how to manage your SAs by using the SA Monitor in SMT menu 27.2. 39.1 SA Monitor Overview A Security Association (SA) is the group of security settings related to a specific VPN tunnel. This menu (shown next) displays active VPN connections.
  • Page 442: Table 39-1 Menu 27.2 Sa Monitor

    The following table describes the fields in this menu. FIELD This is the security association index number. Name This field displays the identification name for this VPN policy. This name is unique for each connection where the secure gateway IP address is a public static IP address.
  • Page 443: Appendices And Index

    Part X: Appendices and Index This section provides some Appendices and an Index.
  • Page 445 PPPoE in Action An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your PC to an ATM PVC (Permanent Virtual Circuit) that connects to an xDSL Access Concentrator where the PPP session terminates (see the next figure). One PVC can support any number of PPP sessions from your LAN. PPPoE provides access control and billing functionality in a manner similar to dial-up services using PPP.
  • Page 446 Diagram A-1 Single-PC per Modem Hardware Configuration How PPPoE Works The PPPoE driver makes the Ethernet appear as a serial link to the PC and the PC runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC is acting as a L2TP (Layer 2 Tunneling Protocol) LAC (L2TP Access Concentrator) and tunnels the PPP frames to the ISP.
  • Page 447 The Prestige as a PPPoE Client When using the Prestige as a PPPoE client, the PCs on the LAN see only Ethernet and are not aware of PPPoE. This alleviates the administrator from having to manage the PPPoE clients on the individual PCs. Diagram A-2 The Prestige as a PPPoE Client PPPoE...
  • Page 449: Appendix B Pptp

    Appendix B PPTP What is PPTP? PPTP (Point-to-Point Tunneling Protocol) is a Microsoft proprietary protocol (RFC 2637 for PPTP is informational only) to tunnel PPP frames. How can we transport PPP frames from a PC to a broadband modem over Ethernet? A solution is to build PPTP into the ANT (ADSL Network Termination) where PPTP is used only over the short haul between the PC and the modem over Ethernet.
  • Page 450: Pptp Protocol Overview

    With the Windows VPN or PPTP pass-through feature, the PPTP tunnel is created from Windows 95, 98 and NT clients to an NT server in a remote location. The pass-through feature allows users on the network to access a different remote server using the Prestige's Internet connection.
  • Page 451: Ppp Data Connection

    The control connection runs over TCP. Similar to L2TP, a tunnel control connection is first established before call control messages can be exchanged. Please note that a tunnel control connection supports multiple call sessions. The following diagram depicts the message exchange of a successful call setup between a PC and an ANT. Diagram B-3 Example Message Exchange between PC and an ANT PPP Data Connection The PPP frames are tunneled between the PNS and PAC over GRE (Generic Routing Encapsulation, RFC...
  • Page 453: Netbios Filter Commands

    Introduction NetBIOS (Network Basic Input/Output System) packets are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN. For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls. You can configure NetBIOS filters to: •...
  • Page 454: Table C-1 NetBIOS Filter Default Settings

    Between LAN and WAN: this field displays whether NetBIOS packets are blocked or forwarded from the LAN to the WAN or from the WAN to the LAN. IPSec Packets: this field displays whether NetBIOS packets sent through a VPN connection are blocked or forwarded.
  • Page 455 Command: sys filter netbios config 4 off. This command stops NetBIOS commands from initiating calls.
  • Page 457: Appendix D Log Descriptions

    Configure centralized logs using the embedded web configurator; see the online help for details. Log messages listed on this page include: "%s exceeds the max. number of session per host!"; "Time calibration is successful"; "Time calibration failed"; "DHCP client gets %s"; "DHCP client IP expired"; "DHCP server assigns"; "SMT Login..."
  • Page 458: FTP Login

    Log messages listed on this page include: "TELNET Login Successfully"; "TELNET Login Fail"; "FTP Login Successfully"; "FTP Login Fail"; "NAT Session Table is Full!"; "!! Phase 1 ID type mismatch"; "!! Phase 1 ID content mismatch"; "!! No known phase 1 ID type found"; "UPnP pass through Firewall..."
  • Page 459 Log category JAVBLK: IP/Domain Name. Chart 5 ICMP Type and Code Explanations: type Echo Reply (echo reply message); type Destination Unreachable, with codes net unreachable, host unreachable, protocol unreachable, port unreachable, a packet that needed fragmentation was dropped because it was set to Don't Fragment (DF), and source route failed; type Source Quench...
  • Page 460 Chart 5 ICMP Type and Code Explanations (continued): type Echo (echo message); type Time Exceeded, with codes time to live exceeded in transit and fragment reassembly time exceeded; type Parameter Problem (pointer indicates the error); type Timestamp (timestamp request message); type Timestamp Reply (timestamp reply message); type Information Request (information request message); type Information Reply...
  • Page 461: Appendix E Setting Up Your Computer's IP Address

    Appendix E Setting up Your Computer’s IP Address. All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later, and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer. Windows 3.1 requires the purchase of a third-party TCP/IP application package.
  • Page 462 1. Click Start, Settings, Control Panel and double-click the Network icon to open the Network window. 2. The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the adapter: in the Network window, click Add.
  • Page 463 Select Client for Microsoft Networks from the list of network clients and then click OK. Restart your computer so the changes you made take effect. In the Network window Configuration tab, select your network adapter's TCP/IP entry and click Properties. Click the IP Address tab.
  • Page 464 Click the DNS Configuration tab. If you do not know your DNS information, select Disable DNS. If you know your DNS information, select Enable DNS and type the information in the fields below (you may not need to fill them all in).
  • Page 465 Click OK to close the Network window. Insert the Windows CD if prompted. Turn on your Prestige and restart your computer when prompted. Checking/Modifying Your Computer’s IP Address Click Start and then Run. In the Run window, type "winipcfg" and then click OK to open the IP Configuration window. Select your network adapter.
  • Page 466 Windows 2000/NT/XP: In Windows XP, click start, Control Panel. In Windows 2000/NT, click Start, Settings, Control Panel. In Windows XP, click Network Connections. In Windows 2000/NT, click Network and Dial-up Connections. Right-click Local Area Connection and then click Properties.
  • Page 467 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and click Properties.
  • Page 468 The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP). To have your computer assigned a dynamic IP address, click Obtain an IP address automatically. If you have a static IP address, click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields.
  • Page 469 If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK. Do one or more of the following if you want to configure additional IP addresses: In the IP Settings tab, in IP addresses, click Add.
  • Page 470 In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP): Click Obtain DNS server address automatically if you do not know your DNS server IP address(es). If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields.
  • Page 471 Macintosh OS 8/9: Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel. Select Ethernet built-in from the Connect via list.
  • Page 472 For dynamically assigned settings, select Using DHCP Server from the Configure: list. For statically assigned settings, do the following: From the Configure box, select Manually. Type your IP address in the IP Address box. Type your subnet mask in the Subnet mask box. Type the IP address of your Prestige in the Router address box.
  • Page 473 Click Network in the icon bar. Select Automatic from the Location list. Select Built-in Ethernet from the Show list. Click the TCP/IP tab. For dynamically assigned settings, select Using DHCP from the Configure list. For statically assigned settings, do the following: From the Configure box, select Manually.
  • Page 475 Wireless LAN and IEEE 802.11: A wireless LAN (WLAN) provides a flexible data communications system that you can use to access various services (navigating the Internet, email, printer services, etc.) without the use of a cabled connection. In effect, a wireless LAN environment provides you the freedom to stay connected to the network while roaming around in the coverage area.
  • Page 476: Infrastructure Wireless LAN Configuration

    ...Spread Spectrum (DSSS) and Frequency-Hopping Spread Spectrum (FHSS), in the 2.4 to 2.4825 GHz unlicensed ISM (Industrial, Scientific and Medical) band. The third method is infrared technology, which uses very high frequencies, just below visible light in the electromagnetic spectrum, to carry data. Ad-hoc Wireless LAN Configuration: The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless nodes or stations (STA); this set is called a Basic Service Set (BSS).
  • Page 477 ...points can provide wireless coverage for an entire building or campus. All communications between stations, or between a station and a wired network client, go through the access point. The Extended Service Set (ESS) shown in the next figure consists of a series of overlapping BSSs (each containing an Access Point) connected together by means of a Distribution System (DS).
  • Page 479 Wireless LAN With IEEE 802.1x: As wireless networks become popular for both portable computing and corporate networks, security is now a priority. Security Flaws with IEEE 802.11: Wireless networks based on the original IEEE 802.11 have a poor reputation for safety. The IEEE 802.11b wireless access standard, first published in 1999, was based on the MAC address.
  • Page 480 The following figure depicts a typical wireless network with a remote RADIUS server for user authentication using EAPOL (EAP Over LAN). Diagram G-1 Sequences for EAP MD5-Challenge Authentication.
  • Page 481: Appendix H Types Of Eap Authentication

    Appendix H Types of EAP Authentication. This appendix discusses the four popular EAP authentication types: EAP-MD5, EAP-TLS, EAP-TTLS and PEAP. The type of authentication you use depends on the RADIUS server or the AP. Consult your network administrator for more information.
  • Page 482 ...hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5 and EAP-MSCHAPv2, for client authentication. For added security, certificate-based authentication types (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption. They are often deployed in corporate environments, but for public deployment a simple user name and password pair is more practical.
  • Page 483: Radiation Pattern

    Antenna Selection and Positioning: An antenna couples RF signals into the air. A transmitter within a wireless device sends an RF signal to the antenna, which propagates the signal through the air. The antenna also operates in reverse, capturing RF signals from the air.
  • Page 484: Positioning Antennas

    Types of Antennas for WLAN: There are two types of antennas used for wireless LAN applications. • Omni-directional antennas send the RF signal out in all directions on a horizontal plane. The coverage area is torus-shaped (like a donut), which makes these antennas ideal for a room environment.
  • Page 485 Brute-Force Password Guessing: The following describes the commands for enabling, disabling and configuring the brute-force password guessing protection mechanism for the password. See other appendices for information on the command structure. Chart 6 Brute-Force Password Guessing Protection Commands lists the commands sys pwderrtm, sys pwderrtm 0 and sys pwderrtm N. Example...
  • Page 487: Appendix K Triangle Route

    The Ideal Setup: When the firewall is on, your Prestige acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the Prestige to protect your LAN against attacks. The “Triangle Route”...
  • Page 488 The “Triangle Route” Solutions: This section presents two solutions to the “triangle route” problem. IP Aliasing: IP alias allows you to partition your network into logical sections over the same Ethernet interface. Your Prestige supports up to three logical LAN interfaces, with the Prestige being the gateway for each logical network.
  • Page 489 Gateways on the WAN Side: A second solution to the “triangle route” problem is to put all of your network gateways on the WAN side, as the following figure shows. This ensures that all incoming network traffic passes through your Prestige to your LAN.
  • Page 490 Step 3. Use the following commands to allow or disallow triangle route: sys firewall ignore triangle all off (this command allows triangle route); sys firewall ignore triangle all on (this command disallows triangle route).
