ZyXEL Communications P-660H Series User Manual

ADSL2+ 4-port Gateway

P-660H/HW-D Series
ADSL2+ 4-port Gateway
User's Guide
Version 3.40
Edition 1
3/2006

Summary of Contents for ZyXEL Communications P-660H Series

  • Page 1 P-660H/HW-D Series ADSL2+ 4-port Gateway User’s Guide Version 3.40 Edition 1 3/2006...
  • Page 3: Copyright

    Published by ZyXEL Communications Corporation. All rights reserved. Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others.
  • Page 4: Certifications

    P-660H/HW-D Series User’s Guide Certifications Federal Communications Commission (FCC) Interference Statement This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: • This device may not cause harmful interference. • This device must accept any interference received, including interference that may cause undesired operations.
  • Page 5 2400 to 2483.5 MHz by specified firmware controlled in USA. Certifications 1 Go to www.zyxel.com 2 Select your product from the drop-down list box on the ZyXEL home page to go to that product's page. 3 Select the certification you wish to view from this page. Certifications...
  • Page 6: Safety Warnings

    P-660H/HW-D Series User’s Guide Safety Warnings For your safety, be sure to read and follow all warning notices and instructions. • To reduce the risk of fire, use only No. 26 AWG (American Wire Gauge) or larger telecommunication line cord.
  • Page 7: Zyxel Limited Warranty

    Any replacement will consist of a new or re-manufactured functionally equivalent product of equal or higher value, and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product has been modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions.
  • Page 8: Customer Support

    P-660H/HW-D Series User’s Guide Customer Support Please have the following information ready when you contact customer support. • Product model and serial number. • Warranty Information. • Date that you received your device. • Brief description of the problem and the steps you took to solve it.
  • Page 9 P-660H/HW-D Series User’s Guide METHOD SUPPORT E-MAIL TELEPHONE WEB SITE REGULAR MAIL SALES E-MAIL FTP SITE LOCATION info@pl.zyxel.com +48-22-5286603 www.pl.zyxel.com ZyXEL Communications ul.Emilli Plater 53 POLAND +48-22-5206701 00-113 Warszawa Poland http://zyxel.ru/support +7-095-542-89-29 www.zyxel.ru ZyXEL Russia Ostrovityanova 37a Str. RUSSIA sales@zyxel.ru...
  • Page 11: Table Of Contents

    List of Figures, 22; List of Tables, 28; Preface, 32; Chapter 1 Getting To Know Your ZyXEL Device, 34; 1.1 Introducing the ZyXEL Device, 34; 1.2 Features, 35; 1.2.1 Wireless Features (P-660HW-D Only), 37; 1.3 Applications for the ZyXEL Device, 38; 1.3.1 Protected Internet Access, 38...
  • Page 12 P-660H/HW-D Series User’s Guide 2.4.6 Status: Packet Statistics, 52; 2.4.7 Changing Login Password, 53; Chapter 3 Wizard Setup for Internet Access, 56; 3.1 Introduction, 56; 3.2 Internet Access Wizard Setup, 56; 3.2.1 Automatic Detection, 58; 3.2.2 Manual Configuration, 58; 3.3 Wireless Connection Wizard Setup, 63...
  • Page 13 5.8 Configuring WAN Backup, 91; Chapter 6 LAN Setup, 94; 6.1 LAN Overview, 94; 6.1.1 LANs, WANs and the ZyXEL Device, 94; 6.1.2 DHCP Setup, 95; 6.1.2.1 IP Pool Setup, 95; 6.1.3 DNS Server Address, 95; 6.1.4 DNS Server Address Assignment, 96; 6.2 LAN TCP/IP, 96...
  • Page 14 P-660H/HW-D Series User’s Guide 7.3 Wireless Performance Overview, 111; 7.3.1 Quality of Service (QoS), 111; 7.4 General Wireless LAN Screen, 112; 7.4.1 No Security, 113; 7.4.2 WEP Encryption, 114; 7.4.3 WPA-PSK/WPA2-PSK, 115; 7.4.4 WPA/WPA2, 116; 7.4.5 Wireless LAN Advanced Setup, 118; 7.5 OTIST, 120...
  • Page 15 9.4.2.2 Illegal Commands (NetBIOS and SMTP), 149; 9.4.2.3 Traceroute, 150; 9.5 Stateful Inspection, 150; 9.5.1 Stateful Inspection Process, 151; 9.5.2 Stateful Inspection and the ZyXEL Device, 151; 9.5.3 TCP Security, 152; 9.5.4 UDP/ICMP Security, 152; 9.5.5 Upper Layer Protocols, 153; 9.6 Guidelines for Enhancing Security with Your Firewall, 153...
  • Page 16 P-660H/HW-D Series User’s Guide 10.4.2 Alerts, 159; 10.5 General Firewall Policy, 159; 10.6 Firewall Rules Summary, 160; 10.6.1 Configuring Firewall Rules, 162; 10.6.2 Customized Services, 165; 10.6.3 Configuring A Customized Service, 166; 10.7 Example Firewall Rule, 166; 10.8 Predefined Services, 170; 10.9 Anti-Probing, 172...
  • Page 17 P-660H/HW-D Series User’s Guide 13.6.3 Bandwidth Management Priorities, 190; 13.7 Over Allotment of Bandwidth, 191; 13.8 Configuring Summary, 191; 13.9 Bandwidth Management Rule Setup, 192; 13.9.1 Rule Configuration, 194; 13.10 Bandwidth Monitor, 196; Chapter 14 Dynamic DNS Setup, 198; 14.1 Dynamic DNS Overview, 198; 14.1.1 DYNDNS Wildcard, 198...
  • Page 18 20.1 General Diagnostic, 244; 20.2 DSL Line Diagnostic, 245; Chapter 21 Troubleshooting, 246; 21.1 Problems Starting Up the ZyXEL Device, 246; 21.2 Problems with the LAN, 246; 21.3 Problems with the WAN, 247; 21.4 Problems Accessing the ZyXEL Device, 248; Appendix A Product Specifications ...
  • Page 19 P-660H/HW-D Series User’s Guide Introduction to DSL, 254; ADSL Overview, 254; Advantages of ADSL, 254; Appendix C Internal SPTGEN, 256; Internal SPTGEN Overview, 256; The Configuration Text File Format, 256; Internal SPTGEN FTP Download Example, 257; Internal SPTGEN FTP Upload Example ...
  • Page 20 P-660H/HW-D Series User’s Guide Firewall Commands, 300; Appendix I NetBIOS Filter Commands, 306; Introduction, 306; Display NetBIOS Filter Settings, 306; NetBIOS Filter Configuration, 307; Appendix J Splitters and Microfilters, 308; Connecting a POTS Splitter, 308; Telephone Microfilters ...
  • Page 21 P-660H/HW-D Series User’s Guide Triangle Route, 350; The Ideal Setup, 350; The “Triangle Route” Problem, 350; The “Triangle Route” Solutions, 351; IP Aliasing, 351; Index, 352. Table of Contents...
  • Page 23: List Of Figures

    Figure 1 Protected Internet Access Applications, 39; Figure 2 LAN-to-LAN Application Example, 39; Figure 3 Front Panel (P-660HW-D), 39; Figure 4 Front Panel (P-660H-D), 40; Figure 5 Password Screen, 43; Figure 6 Change Password at Login, 43; Figure 7 Select a Mode ...
  • Page 24 Figure 72 Application Priority Configuration, 129; Figure 73 How NAT Works, 133; Figure 74 NAT Application With IP Alias, 134; Figure 75 NAT General (P-660H-D), 136; Figure 76 Multiple Servers Behind NAT Example, 138; Figure 77 NAT Port Forwarding, 138; Figure 78 Port Forwarding Rule Setup ...
  • Page 25 P-660H/HW-D Series User’s Guide Figure 82 Three-Way Handshake, 147; Figure 83 SYN Flood, 148; Figure 84 Smurf Attack, 149; Figure 85 Stateful Inspection, 150; Figure 86 Firewall: General, 159; Figure 87 Firewall Rules, 161; Figure 88 Firewall: Edit Rule ...
  • Page 26 P-660H/HW-D Series User’s Guide Figure 125 Network Connections, 220; Figure 126 Internet Connection Properties, 220; Figure 127 Internet Connection Properties: Advanced Settings, 221; Figure 128 Internet Connection Properties: Advanced Settings: Add, 221; Figure 129 System Tray Icon, 221; Figure 130 Internet Connection Status ...
  • Page 27 Figure 180 Connecting a Microfilter, 309; Figure 181 Connecting a Microfilter and Y-Connector, 309; Figure 182 ZyXEL Device with ISDN, 310; Figure 183 Displaying Log Categories Example, 326; Figure 184 Displaying Log Parameters Example, 326; Figure 185 Peer-to-Peer Communication in an Ad-hoc Network ...
  • Page 29: List Of Tables

    P-660H/HW-D Series User’s Guide List of Tables Table 1 ADSL Standards, 34; Table 2 Front Panel LEDs, 40; Table 3 Web Configurator Screens Summary, 45; Table 4 Status Screen, 48; Table 5 Status: Any IP Table, 50; Table 6 Status: WLAN Status ...
  • Page 30 P-660H/HW-D Series User’s Guide Table 39 MAC Address Filter, 124; Table 40 WMM QoS Priorities, 125; Table 41 Commonly Used Services, 126; Table 42 Wireless LAN: QoS, 128; Table 43 Application Priority Configuration, 129; Table 44 NAT Definitions, 132; Table 45 NAT Mapping Types ...
  • Page 31 Table 94 Maintenance Restore Configuration, 241; Table 95 Diagnostic: General, 244; Table 96 Diagnostic: DSL Line, 245; Table 97 Troubleshooting Starting Up Your ZyXEL Device, 246; Table 98 Troubleshooting the LAN, 246; Table 99 Troubleshooting the WAN, 247; Table 100 Troubleshooting Accessing the ZyXEL Device ...
  • Page 32 P-660H/HW-D Series User’s Guide Table 125 Eight Subnets, 295; Table 126 Class C Subnet Planning, 295; Table 127 Class B Subnet Planning, 296; Table 128 Firewall Commands, 300; Table 129 NetBIOS Filter Default Settings, 307; Table 130 System Maintenance Logs ...
  • Page 33: Preface

    Gateway or P-660H-D ADSL2+ 4-port Gateway. The P-660HW comes with built-in IEEE 802.11g wireless capability allowing wireless connectivity. The P-660HW-D and P-660H-D have a 4-port switch that allows you to connect up to 4 computers to the P-660H-D or the P-660HW-D without purchasing a switch/hub.
  • Page 34: User Guide Feedback

    P-660H/HW-D Series User’s Guide Please refer to www.zyxel.com for an online glossary of networking terms and additional support documentation. User Guide Feedback Help us help you. E-mail all User Guide-related comments, questions or suggestions for improvement to techwriters@zyxel.com.tw or send regular mail to The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park,...
  • Page 35: Getting To Know Your Zyxel Device

    The ZyXEL Device is an ADSL2+ gateway that allows super-fast, secure Internet access over analog (POTS) or digital (ISDN) telephone lines (depending on your model). In the ZyXEL Device product name, “H” denotes an integrated 4-port switch (hub) and “W” denotes an included wireless LAN card that provides wireless connectivity.
  • Page 36: Features

    Any IP The Any IP feature allows a computer to access the Internet and the ZyXEL Device without changing the network settings (such as IP address and subnet mask) of the computer, when the IP addresses of the computer and the ZyXEL Device are not in the same subnet.
  • Page 37: Dynamic Dns Support

    Device has built-in DHCP server capability enabled by default. It can assign IP addresses, an IP default gateway and DNS servers to DHCP clients. The ZyXEL Device can now also act as a surrogate DHCP server (DHCP Relay) where it relays IP address assignment from the actual real DHCP server to the clients.
  • Page 38: Wireless Features (P-660Hw-D Only)

    P-660H/HW-D Series User’s Guide TR-069 Compliance TR-069 is a protocol that defines how your P-660H-D can be managed via a management server such as ZyXEL’s Vantage CNM Access. The management server can securely manage and update configuration changes in the P-660H-Ds.
  • Page 39: Applications For The Zyxel Device

    P-660H/HW-D Series User’s Guide Antenna The ZyXEL Device is equipped with one 3dBi fixed antenna to provide clear radio signal between the wireless stations and the access points. WEP Encryption WEP (Wired Equivalent Privacy) encrypts data frames before transmitting over the wireless network to help keep network communications private.
  • Page 40: Lan To Lan Application

    Figure 1 Protected Internet Access Applications 1.3.2 LAN to LAN Application You can use the ZyXEL Device to connect two geographically dispersed networks over the ADSL line. A typical LAN-to-LAN application example is shown as follows. Figure 2 LAN-to-LAN Application Example 1.4 Front Panel LEDs...
  • Page 41: Hardware Connection

    Blinking The ZyXEL Device is sending/receiving data. The LAN is not connected. WLAN Green The ZyXEL Device is ready, but is not sending/receiving data through the wireless LAN. (P-660HW-D only) Blinking The ZyXEL Device is sending/receiving data through the wireless LAN.
  • Page 43: Introducing The Web Configurator

    LAN port for initial configuration. 1 Make sure your ZyXEL Device hardware is properly connected (refer to the Quick Start Guide). 2 Prepare your computer/computer network to connect to the ZyXEL Device (refer to the Quick Start Guide).
  • Page 44: Figure 5 Password Screen

    P-660H/HW-D Series User’s Guide status only. Click Login to proceed to a screen asking you to change your password or click Cancel to revert to the default password. Figure 5 Password Screen 6 If you entered the user password, skip the next two steps and refer to Section 2.4.2 on...
  • Page 45: Resetting The Zyxel Device

    If you forget your password or cannot access the web configurator, you will need to use the RESET button at the back of the ZyXEL Device to reload the factory-default configuration file. This means that you will lose all configurations that you had previously and the password will be reset to “1234”.
  • Page 46: Figure 8 Web Configurator: Main Screen

    SETUP Logout Click this icon to exit the web configurator. Status This screen shows the ZyXEL Device’s general device, system and interface status information. Use this screen to access the summary statistics tables. Network Internet This screen allows you to configure ISP parameters, WAN IP...
  • Page 47 Use this screen to block sites containing certain keywords in the URL. Schedule Use this screen to set the days and times for the ZyXEL Device to perform content filtering. Trusted Use this screen to exclude a range of users on the LAN from content filtering on your ZyXEL Device.
  • Page 48: Status Screen

    This screen contains administrative and system-related information and also allows you to change your password. Time Setting Use this screen to change your ZyXEL Device’s time and date. Logs View Log Use this screen to view the logs for the categories that you selected.
  • Page 49: Figure 9 Status Screen

    Model Number This is your ZyXEL Device’s model name. MAC Address This is the MAC (Media Access Control) or Ethernet address unique to your ZyXEL Device. ZyNOS Firmware Version This is the ZyNOS Firmware version and the date created. ZyNOS is ZyXEL's proprietary Network Operating System design.
  • Page 50 Network Operating System) and is thus available for running processes like NAT, VPN and the firewall. The bar displays what percent of the ZyXEL Device's heap memory is in use. The bar turns from green to red when the maximum is being approached.
  • Page 51: Status: Any Ip Table

    Table 4 Status Screen LABEL DESCRIPTION Bandwidth Status Use this screen to view the ZyXEL Device’s bandwidth usage and allotments. Packet Statistics Use this screen to view port status and packet specific statistics. 2.4.3 Status: Any IP Table Click the Any IP Table hyperlink in the Status screen. The Any IP table shows current read- only information (including the IP address and the MAC address) of all network devices that use the Any IP feature to communicate with the ZyXEL Device.
  • Page 52: Status: Bandwidth Status

    MAC Address This field displays the MAC (Media Access Control) address of an associated wireless station. Association Time This field displays the time a wireless station first associated with the ZyXEL Device. Refresh Click Refresh to reload this screen. 2.4.5 Status: Bandwidth Status Click the Bandwidth Status hyperlink in the Status screen.
  • Page 53: Status: Packet Statistics

    This is the status of your WAN link. Upstream Speed This is the upstream speed of your ZyXEL Device. Downstream Speed This is the downstream speed of your ZyXEL Device. Node-Link This field displays the remote node index number and link type. Link types are PPPoA, ENET, RFC 1483 and PPPoE.
  • Page 54: Changing Login Password

    Click this button to halt the refreshing of the system statistics. 2.4.7 Changing Login Password It is highly recommended that you periodically change the password for accessing the ZyXEL Device. If you didn’t change the default one after you logged in or you want to change to a new password again, then click Maintenance >...
  • Page 55: Figure 14 System General

    P-660H/HW-D Series User’s Guide Figure 14 System General Chapter 2 Introducing the Web Configurator...
  • Page 57: Wizard Setup For Internet Access

    P-660H/HW-D Series User’s Guide Chapter 3 Wizard Setup for Internet Access This chapter provides information on the Wizard Setup screens for Internet access in the web configurator. 3.1 Introduction Use the wizard setup screens to configure your system for Internet access with the information given to you by your ISP.
  • Page 58: Figure 16 Wizard: Welcome

    Figure 17 on page 57), check your hardware connections and click Restart the Internet/ Wireless Setup Wizard to have the ZyXEL Device detect your connection again. Figure 17 Auto Detection: No DSL Connection If the wizard still cannot detect a connection type and the following screen appears (see...
  • Page 59: Automatic Detection

    Figure 19 Auto-Detection: PPPoE 3.2.2 Manual Configuration 1 If the ZyXEL Device fails to detect your DSL connection type, enter the Internet access information given to you by your ISP exactly in the wizard screen. If not given, leave the fields set to the default.
  • Page 60: Figure 20 Internet Access Wizard Setup: Isp Parameters

    P-660H/HW-D Series User’s Guide Figure 20 Internet Access Wizard Setup: ISP Parameters The following table describes the fields in this screen. Table 8 Internet Access Wizard Setup: ISP Parameters LABEL DESCRIPTION Mode From the Mode drop-down list box, select Routing (default) if your ISP allows multiple computers to share an Internet account.
  • Page 61: Figure 21 Internet Connection With Pppoe

    Type the name of your PPPoE service here. Back Click Back to go back to the previous wizard screen. Apply Click Apply to save your changes back to the ZyXEL Device. Exit Click Exit to close the wizard screen without saving your changes. Figure 22...
  • Page 62: Figure 23 Internet Connection With Enet Encap

    P-660H/HW-D Series User’s Guide The following table describes the fields in this screen. Table 10 Internet Connection with RFC 1483 LABEL DESCRIPTION IP Address This field is available if you select Routing in the Mode field. Type your ISP assigned IP address in this field.
  • Page 63: Figure 24 Internet Connection With Pppoa

    Back Click Back to go back to the previous wizard screen. Apply Click Apply to save your changes back to the ZyXEL Device. Exit Click Exit to close the wizard screen without saving your changes. Figure 24 Internet Connection with PPPoA The following table describes the fields in this screen.
  • Page 64: Wireless Connection Wizard Setup

    P-660H/HW-D Series User’s Guide Figure 25 Connection Test Failed-1 • If the following screen displays, check if your account is activated or click Restart the Internet/Wireless Setup Wizard to verify your Internet access settings. Figure 26 Connection Test Failed-2. 3.3 Wireless Connection Wizard Setup After you configure the Internet access information, use the following screens to set up your wireless LAN.
  • Page 65: Figure 27 Connection Test Successful

    P-660H/HW-D Series User’s Guide Figure 27 Connection Test Successful 2 Use this screen to activate the wireless LAN and OTIST. Click Next to continue. Figure 28 Wireless LAN Setup Wizard 1 Chapter 3 Wizard Setup for Internet Access...
  • Page 66: Figure 29 Wireless Lan Setup Wizard 2

    Select the check box to turn on the wireless LAN. Enable OTIST Select the check box to enable OTIST if you want to transfer your ZyXEL Device’s SSID and WPA-PSK security settings to wireless clients that support OTIST and are within transmission range.
  • Page 67: Manually Assign A Wpa-Psk Key

    Name(SSID) Enter a descriptive name (up to 32 printable 7-bit ASCII characters) for the wireless LAN. If you change this field on the ZyXEL Device, make sure all wireless stations use the same SSID in order to access the network. Channel The range of radio frequencies used by IEEE 802.11b/g wireless devices is called a...
  • Page 68: Manually Assign A Wep Key

    P-660H/HW-D Series User’s Guide Figure 30 Manually assign a WPA key The following table describes the labels in this screen. Table 15 Manually assign a WPA key LABEL DESCRIPTION Pre-Shared Type from 8 to 63 case-sensitive ASCII characters. You can set up the most secure wireless connection by configuring WPA in the wireless LAN screens.
  • Page 69: Figure 32 Wireless Lan Setup 3

    LABEL DESCRIPTION The WEP keys are used to encrypt data. Both the ZyXEL Device and the wireless stations must use the same WEP key for data transmission. Enter any 5, 13 or 29 ASCII characters or 10, 26 or 58 hexadecimal characters ("0-9", "A-F") for a 64-bit, 128-bit or 256-bit WEP key respectively.
  • Page 70: Figure 33 Internet Access And Wlan Wizard Setup Complete

    P-660H/HW-D Series User’s Guide Figure 33 Internet Access and WLAN Wizard Setup Complete 7 Launch your web browser and navigate to www.zyxel.com. Internet access is just the beginning. Refer to the rest of this guide for more detailed information on the complete range of ZyXEL Device features.
  • Page 71: Bandwidth Management Wizard

    Bandwidth management allows you to control the amount of bandwidth going out through the ZyXEL Device’s WAN port and prioritize the distribution of the bandwidth according to service bandwidth requirements. This helps keep one service from using all of the available bandwidth and shutting out other users.
  • Page 72: Bandwidth Management Wizard Setup

    P-660H/HW-D Series User’s Guide Table 17 Media Bandwidth Management Setup: Services (continued) SERVICE DESCRIPTION eMule These programs use advanced file sharing applications relying on central servers to search for files. They use default port 4662. The World Wide Web (WWW) is an Internet system to distribute graphical, hyper- linked information, based on Hyper Text Transfer Protocol (HTTP) - a client/server protocol for the World Wide Web.
  • Page 73: Figure 35 Wizard: Welcome

    Table 18 Bandwidth Management Wizard: General Information LABEL DESCRIPTION Active Select the Active check box to have the ZyXEL Device apply bandwidth management to traffic going out through the ZyXEL Device’s port(s). Select Services Setup to allocate bandwidth based on the service requirements. Back Click Back to display the previous screen.
  • Page 74: Figure 37 Bandwidth Management Wizard: Configuration

    These fields display the services names. Priority Select High, Mid or Low priority for each service to have your ZyXEL Device use a priority for traffic that matches that service. A service with High priority is given as much bandwidth as it needs.
  • Page 75: Figure 38 Bandwidth Management Wizard: Complete

    P-660H/HW-D Series User’s Guide 5 Follow the on-screen instructions and click Finish to complete the wizard setup and save your configuration. Figure 38 Bandwidth Management Wizard: Complete Chapter 4 Bandwidth Management Wizard...
  • Page 77: Chapter 5 Wan Setup

    5.1 WAN Overview A WAN (Wide Area Network) is an outside connection to another network or the Internet. 5.1.1 Encapsulation Be sure to use the encapsulation method required by your ISP. The ZyXEL Device supports the following methods. 5.1.1.1 ENET ENCAP The MAC Encapsulated Routing Link Protocol (ENET ENCAP) is only implemented with the IP network protocol.
  • Page 78: Pppoa

    By implementing PPPoE directly on the ZyXEL Device (rather than individual computers), the computers on the LAN do not need PPPoE software installed, since the ZyXEL Device does that part of the task. Furthermore, with NAT, all of the LANs’ computers will have access.
  • Page 79: Scenario 1: One Vc, Multiple Protocols

    P-660H/HW-D Series User’s Guide because they cannot be automatically determined. What method(s) you use also depends on how many VCs you have and how many different network protocols you need. The extra overhead that ENET ENCAP encapsulation entails makes it a poor choice in a LAN-to-LAN application.
  • Page 80: Ip Assignment With Enet Encap Encapsulation

    The ZyXEL Device does two things when you specify a nailed-up connection. The first is that idle timeout is disabled. The second is that the ZyXEL Device will try to bring up the connection when turned on and whenever the connection is down. A nailed-up connection can be very expensive for obvious reasons.
  • Page 81: Traffic Shaping

    P-660H/HW-D Series User’s Guide If you want the dial-backup route to take first priority over the traffic-redirect route or even the normal route, all you need to do is set the dial-backup route’s metric to "1" and the others to "2"...
  • Page 82: Atm Traffic Classes

    An example application is background file transfer. 5.4 Zero Configuration Internet Access Once you turn on and connect the ZyXEL Device to a telephone jack, it automatically detects the Internet connection settings (such as the VCI/VPI numbers and the encapsulation method) from the ISP and makes the necessary configuration changes.
  • Page 83: Internet Connection

    P-660H/HW-D Series User’s Guide • the ZyXEL Device is in bridge mode • you set the ZyXEL Device to use a static (fixed) WAN IP address. 5.5 Internet Connection To change your ZyXEL Device’s WAN Internet access settings, click Network > WAN. The screen differs by the encapsulation.
  • Page 84 Select Nailed-Up Connection when you want your connection up all the time. The ZyXEL Device will try to bring up the connection automatically if it is disconnected. Connect on Demand Select Connect on Demand when you don't want the connection up all the time and specify an idle time-out in the Max Idle Timeout field.
  • Page 85: Configuring Advanced Internet Connection Setup

    WAN setup. 5.5.1 Configuring Advanced Internet Connection Setup To edit your ZyXEL Device's advanced WAN settings, click the Advanced Setup button in the Internet Connection screen. The screen appears as shown. Figure 41 Advanced Internet Connection Setup The following table describes the labels in this screen.
  • Page 86: Configuring More Connections

    LAN to use PPPoE client software on encapsulation their computers to connect to the ISP via the ZyXEL Device. Each host can have a only) separate account and a public WAN IP address.
  • Page 87: More Connections Edit

    P-660H/HW-D Series User’s Guide Figure 42 More Connections The following table describes the labels in this screen. Table 22 More Connections LABEL DESCRIPTION This is the index number of a connection. Active This displays whether this connection is activated. Clear the check box to disable the connection.
  • Page 88: Figure 43 More Connections Edit

    Select Routing from the drop-down list box if your ISP allows multiple computers to share an Internet account. If you select Bridge, the ZyXEL Device will forward any packet that it does not route to this remote node; otherwise, the packets are discarded.
  • Page 89 Select Nailed-Up Connection when you want your connection up all the time. The ZyXEL Device will try to bring up the connection automatically if it is disconnected. Connect on Demand Select Connect on Demand when you don't want the connection up all the time and specify an idle time-out in the Max Idle Timeout field.
  • Page 90: Configuring More Connections Advanced Setup

    WAN setup. 5.6.2 Configuring More Connections Advanced Setup To edit your ZyXEL Device's advanced WAN settings, click the Advanced Setup button in the More Connections Edit screen. The screen appears as shown. Figure 44 More Connections Advanced Setup The following table describes the labels in this screen.
  • Page 91: Traffic Redirect

    LAN. Use IP alias to configure the LAN into two or three logical networks with the ZyXEL Device itself as the gateway for each LAN network. Put the protected LAN in one subnet (Subnet 1 in the following figure) and the backup gateway in another subnet (Subnet 2).
  • Page 92: Configuring Wan Backup

    P-660H/HW-D Series User’s Guide Figure 46 Traffic Redirect LAN Setup 5.8 Configuring WAN Backup To change your ZyXEL Device’s WAN backup settings, click Network > WAN > WAN Backup Setup. The screen appears as shown. Figure 47 WAN Backup Setup...
  • Page 93: Table 25 Wan Backup Setup

    Select the method that the ZyXEL Device uses to check the DSL connection. Select DSL Link to have the ZyXEL Device check if the connection to the DSLAM is up. Select ICMP to have the ZyXEL Device periodically ping the IP addresses configured in the Check WAN IP Address fields.
  • Page 95: Chapter 6 Lan Setup

    6.1.1 LANs, WANs and the ZyXEL Device The actual physical connection determines whether the ZyXEL Device ports are LAN or WAN ports. There are two separate IP networks, one inside the LAN network and the other outside the WAN network as shown next.
  • Page 96: DHCP Setup

    If the Primary and Secondary DNS Server fields in the DHCP Setup screen are not specified, for instance, left as 0.0.0.0, the ZyXEL Device tells the DHCP clients that it itself is the DNS server. When a computer sends a DNS query to the ZyXEL Device, the ZyXEL Device forwards the query to the real DNS server learned through IPCP and relays the response back to the computer.
  • Page 97: DNS Server Address Assignment

    If your ISP gives you DNS server addresses, enter them in the DNS Server fields in the DHCP Setup screen. • The ZyXEL Device acts as a DNS proxy when the Primary and Secondary DNS Server fields are left as 0.0.0.0 in the DHCP Setup screen.
  • Page 98: Private IP Addresses

    • Both - the ZyXEL Device will broadcast its routing table periodically and incorporate the RIP information that it receives. • In Only - the ZyXEL Device will not send any RIP packets but will accept all RIP packets received.
  • Page 99: Multicast

    Traditionally, you must set the IP addresses and the subnet masks of a computer and the ZyXEL Device to be in the same subnet to allow the computer to access the Internet (through the ZyXEL Device). In cases where your computer is required to use a static IP address in another network, you may need to manually configure the network settings of the computer every time you want to access the Internet via the ZyXEL Device.
  • Page 100: How Any IP Works

    ARP table is updated, the computer is able to access the Internet through the ZyXEL Device. 5 When the ZyXEL Device receives packets from the computer, it creates an entry in the IP routing table so it can properly forward packets intended for the computer.
  • Page 101: Configuring LAN IP

    Click this button to display the Advanced LAN Setup screen and edit more details of your LAN setup. 6.3.1 Configuring Advanced LAN Setup To edit your ZyXEL Device's advanced LAN settings, click the Advanced Setup button in the LAN IP screen. The screen appears as shown.
  • Page 102: Figure 51 Advanced LAN Setup

    When you disable the Any IP feature, only computers with dynamic IP addresses or static IP addresses in the same subnet as the ZyXEL Device’s LAN IP address can connect to the ZyXEL Device or access the Internet through the ZyXEL Device.
  • Page 103: DHCP Setup

    6.4 DHCP Setup Use this screen to configure the DNS server information that the ZyXEL Device sends to the DHCP client devices on the LAN. Figure 52 DHCP Setup The following table describes the labels in this screen.
  • Page 104: LAN Client List

    DHCP clients along with the IP address and the subnet mask. If the fields are left as 0.0.0.0, the ZyXEL Device acts as a DNS proxy and forwards the DHCP client’s DNS query to the real DNS server learned through IPCP and relays the response back to the computer.
  • Page 105: LAN IP Alias

    IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The ZyXEL Device supports three logical LAN interfaces via its single physical Ethernet interface with the ZyXEL Device itself as the gateway for each LAN network.
  • Page 106: Figure 54 Physical Network & Partitioned Logical Networks

    Figure 54 Physical Network & Partitioned Logical Networks To change your ZyXEL Device’s IP alias settings, click Network > LAN > IP Alias. The screen appears as shown. Figure 55 LAN IP Alias The following table describes the labels in this screen.
  • Page 107 RIP packets. Select the RIP direction from Both/In Only/Out Only/None. When set to Both or Out Only, the ZyXEL Device will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives;...
  • Page 109: Wireless LAN

    The wireless network is the part in the blue circle. In this wireless network, devices A and B are called wireless clients. The wireless clients use the access point (AP) to interact with other devices (such as the printer) or with the Internet. Your ZyXEL Device is the AP. Every wireless network must follow these basic guidelines.
  • Page 110: Wireless Security Overview

    • Every wireless client in the same wireless network must use security compatible with the Security stops unauthorized devices from using the wireless network. It can also protect the information that is sent in the wireless network.
  • Page 111: User Authentication

    7.2.3 User Authentication Authentication is the process of verifying whether a wireless device is allowed to use the wireless network. You can make every user log in to the wireless network before they can use it. This is called user authentication. However, every wireless client in the wireless network has to support IEEE 802.1x to do this.
  • Page 112: One-Touch Intelligent Security Technology (OTIST)

    With ZyXEL’s OTIST, you set up the SSID and WPA-PSK on the ZyXEL Device. Then, the ZyXEL Device transfers them to the devices in the wireless networks. As a result, you do not have to set up the SSID and encryption on every device in the wireless network.
  • Page 113: Figure 57 Wireless LAN: General

    7.4 General Wireless LAN Screen Note: If you are configuring the ZyXEL Device from a computer connected to the wireless LAN and you change the ZyXEL Device’s SSID or WEP settings, you will lose your wireless connection when you press Apply to confirm. You must then change the wireless settings of your computer to match the ZyXEL Device’s new settings.
  • Page 114: Figure 58 Wireless: No Security

    Select No Security to allow wireless clients to communicate with the access points without any data encryption. Note: If you do not enable any wireless security on your ZyXEL Device, your network is accessible to any wireless networking device that is within range.
  • Page 115: Figure 59 Wireless: Static WEP Encryption

    Both the wireless clients and the access points must use the same WEP key. Your ZyXEL Device allows you to configure up to four 64-bit, 128-bit or 256-bit WEP keys but only one key can be enabled at any one time.
  • Page 116: Figure 60 Wireless: WPA-PSK/WPA2-PSK

    WEP Key: The WEP keys are used to encrypt data. Both the ZyXEL Device and the wireless clients must use the same WEP key for data transmission. If you want to manually set the WEP key, enter any 5, 13 or 29 characters (ASCII string) or 10, 26 or 58 hexadecimal characters ("0-9", "A-F") for a 64-bit, 128-bit or...
  • Page 117: Table 35 Wireless: WPA-PSK/WPA2-PSK

    This check box is available only when you select WPA2-PSK or WPA2 in the Security Mode field. Select the check box to have both WPA2 and WPA wireless clients be able to communicate with the ZyXEL Device even when the ZyXEL Device is using WPA2-PSK or WPA2. Pre-Shared Key: The encryption mechanisms used for WPA/WPA2 and WPA-PSK/WPA2-PSK are the same.
  • Page 118: Figure 61 Wireless: WPA/WPA2

    This check box is available only when you select WPA2-PSK or WPA2 in the Security Mode field. Select the check box to have both WPA2 and WPA wireless clients be able to communicate with the ZyXEL Device even when the ZyXEL Device is using WPA2-PSK or WPA2. ReAuthentication...
  • Page 119: Wireless LAN Advanced Setup

    Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external authentication server and the ZyXEL Device. The key must be the same on the external authentication server and your ZyXEL Device. The key is not sent over the network.
  • Page 120: Figure 62 Advanced

    ZyXEL Device uses 4096 automatically. Output Power: Set the output power of the ZyXEL Device in this field. This control changes the strength of the ZyXEL Device's antenna gain or transmission power. Antenna gain is the increase in coverage. Higher antenna gain improves the range of the signal for better communications.
  • Page 121: OTIST

    Enter 0 to disable this feature. Back: Click Back to return to the previous screen. Apply: Click Apply to save your changes back to the ZyXEL Device. Cancel: Click Cancel to reload the previous configuration for this screen. 7.5 OTIST In a wireless network, the wireless clients must have the same SSID and security settings as the access point (AP) or wireless router (we will refer to both as “AP” ...
  • Page 122: Figure 63 OTIST

    ZyXEL Device. You must also activate and start OTIST on the wireless client all within three minutes. 7.5.1.2 Wireless Client Start the ZyXEL utility and click the Adapter tab. Select the OTIST check box, enter the same Setup Key as your AP’s and click Save.
  • Page 123: Figure 64 Example Wireless Client OTIST Screen

    Figure 67 OTIST in Progress (Client) • In the wireless client, you see this screen if it can't find an OTIST-enabled AP (with the same Setup key). Click OK to go back to the ZyXEL utility main screen.
  • Page 124: Figure 68 No AP With OTIST Found

    OTIST on the AP and ALL wireless clients again. 7.6 MAC Filter The MAC filter screen allows you to configure the ZyXEL Device to give exclusive access to up to 32 devices (Allow) or exclude up to 32 devices from accessing the ZyXEL Device (Deny).
  • Page 125: Figure 70 MAC Address Filter

    Filter Action: Define the filter action for the list of MAC addresses in the MAC Address table. Select Deny to block access to the ZyXEL Device; MAC addresses not listed will be allowed to access the ZyXEL Device. Select Allow to permit access to the ZyXEL Device; MAC addresses not listed will be denied access to the ZyXEL Device.
  • Page 126: WMM QoS Example

    You can assign different priorities to different applications. This prevents reductions in data transmission for applications that are sensitive. 7.7.2 WMM QoS Priorities The following table describes the priorities that you can apply to traffic that the ZyXEL Device sends to the wireless network. Table 40 WMM QoS Priorities...
  • Page 127: Table 41 Commonly Used Services

    7.7.3 Services The commonly used services and port numbers are shown in the following table. Please refer to RFC 1700 for further information about port numbers. Next to the name of the service, two fields appear in brackets. The first field indicates the IP protocol type (TCP, UDP, or ICMP).
  • Page 128: QoS Screen

    Table 41 Commonly Used Services. PING(ICMP:0): Packet INternet Groper is a protocol that sends out ICMP echo requests to test whether or not a remote host is reachable. POP3(TCP:110): Post Office Protocol version 3 lets a client computer get e-mail from a POP3 server through a temporary connection (TCP/IP or other).
  • Page 129: Figure 71 Wireless LAN: QoS

    Enable WMM QoS: Select the check box to enable WMM QoS on the ZyXEL Device. WMM QoS Policy: Select Default to have the ZyXEL Device automatically give a service a priority level according to the ToS value in the IP header of packets it sends.
  • Page 130: Figure 72 Application Priority Configuration

    Application Priority Configuration screen. Click the Remove icon to delete an application entry. Apply: Click Apply to save your changes back to the ZyXEL Device. Cancel: Click Cancel to reload the previous configuration for this screen. 7.8.2 Application Priority Configuration To edit a WMM QoS application entry, click the edit icon under Modify.
  • Page 131 Priority: Select a priority from the drop-down list box. Apply: Click Apply to save your changes back to the ZyXEL Device. Cancel: Click Cancel to return to the previous screen without saving your changes.
  • Page 133: Chapter 8 Network Address Translation (NAT) Screens

    IP address known within another network. 8.1.1 NAT Definitions Inside/outside denotes where a host is located relative to the ZyXEL Device, for example, the computers of your subscribers are the inside hosts, while the web servers on the Internet are the outside hosts.
  • Page 134: What NAT Does

    Many-to-One and Many-to-Many Overload NAT mapping) in each packet and then forwards it to the Internet. The ZyXEL Device keeps track of the original addresses and port numbers so incoming reply packets can have their original values restored. The following figure illustrates this.
  • Page 135: Figure 74 NAT Application With IP Alias

    8.1.5 NAT Mapping Types NAT supports five types of IP/port mapping. They are: • One to One: In One-to-One mode, the ZyXEL Device maps one local IP address to one global IP address. • Many to One: In Many-to-One mode, the ZyXEL Device maps multiple local IP addresses to one global IP address.
  • Page 136: Table 45 NAT Mapping Types

    Table 45 on page 135. • Choose SUA Only if you have just one public WAN IP address for your ZyXEL Device. • Choose Full Feature if you have multiple public WAN IP addresses for your ZyXEL Device.
  • Page 137: Figure 75 NAT General (P-660H-D)

    Address Translation (NAT) SUA Only: Select this radio button if you have just one public WAN IP address for your ZyXEL Device. Full Feature: Select this radio button if you have multiple public WAN IP addresses for your ZyXEL Device.
  • Page 138: Default Server IP Address

    Note: If you do not assign a Default Server IP address, the ZyXEL Device discards all packets received for ports that are not specified here or in the remote management setup.
  • Page 139: Figure 76 Multiple Servers Behind NAT Example

    Note: The Port Forwarding screen is available only when you select SUA Only in the NAT > General screen. If you do not assign a Default Server IP address, the ZyXEL Device discards all packets received for ports that are not specified here or in the remote management setup.
  • Page 140: Figure 78 Port Forwarding Rule Setup

    If you do not assign a Default Server IP address, the ZyXEL Device discards all packets received for ports that are not specified here or in the remote management setup.
  • Page 141: Table 49 Port Forwarding Rule Setup

    Note: The Address Mapping screen is available only when you select Full Feature in the NAT > General screen. Ordering your rules is important because the ZyXEL Device applies the rules in the order that you specify. When a rule matches the current packet, the ZyXEL Device takes the corresponding action and the remaining rules are ignored.
  • Page 142: Figure 79 Address Mapping Rules

    One-to-one NAT mapping type. M-1: Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature, which is all that previous ZyXEL routers supported.
  • Page 143: Figure 80 Edit Address Mapping Rule

    • Many-to-One: Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature, which is all that previous ZyXEL routers supported. • Many-to-Many Overload: Many-to-Many Overload mode maps multiple local IP addresses to shared global IP addresses.
  • Page 144 Server Mapping Set field. Back: Click Back to return to the previous screen. Apply: Click Apply to save your changes back to the ZyXEL Device. Cancel: Click Cancel to begin configuring this screen afresh.
  • Page 145: Firewalls

    Firewalls This chapter gives some background information on firewalls and introduces the ZyXEL Device firewall. 9.1 Firewall Overview Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another.
  • Page 146: Application-Level Firewalls

    The ZyXEL Device also has packet filtering capabilities. The ZyXEL Device is installed between the LAN and the Internet. This allows it to act as a secure gateway for all data passing between the Internet and the LAN.
  • Page 147: Figure 81 Firewall Application

    Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources. The ZyXEL Device is pre-configured to automatically detect and thwart all known DoS attacks.
  • Page 148: Figure 82 Three-Way Handshake

    Some of the most common IP ports are: Table 52 Common IP Ports Telnet HTTP SMTP POP3 9.4.2 Types of DoS Attacks There are four types of DoS attacks: 1 Those that exploit bugs in a TCP/IP implementation.
  • Page 149: Figure 83 SYN Flood

    Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment).
  • Page 150: Figure 84 Smurf Attack

    Figure 84 Smurf Attack 9.4.2.1 ICMP Vulnerability ICMP is an error-reporting protocol that works in concert with IP. The following ICMP types trigger an alert: Table 53 ICMP Commands That Trigger Alerts: REDIRECT, TIMESTAMP_REQUEST, TIMESTAMP_REPLY, ADDRESS_MASK_REQUEST, ADDRESS_MASK_REPLY. 9.4.2.2 Illegal Commands (NetBIOS and SMTP)
  • Page 151: Traceroute

    The ZyXEL Device uses stateful packet inspection to protect the private LAN from hackers and vandals on the Internet. By default, the ZyXEL Device’s stateful inspection allows all communications to the Internet that originate from the LAN, and blocks all traffic to the LAN that originates from the Internet.
  • Page 152: Stateful Inspection Process

    The previous figure shows the ZyXEL Device’s default firewall rules in action as well as demonstrates how stateful inspection works. User A can initiate a Telnet session from within the LAN and responses to this request are allowed. However, other Telnet traffic initiated from the WAN is blocked.
  • Page 153: TCP Security

    Below is a brief technical description of how these connections are tracked. Connections may either be defined by the upper protocols (for instance, TCP), or by the ZyXEL Device itself (as with the "virtual connections" created for UDP and ICMP).
  • Page 154: Upper Layer Protocols

    A similar situation exists for ICMP, except that the ZyXEL Device is even more restrictive. Specifically, only outgoing echoes will allow incoming echo replies, outgoing address mask requests will allow incoming address mask replies, and outgoing timestamp requests will allow incoming timestamp replies.
  • Page 155: Packet Filtering Vs Firewall

    9.7 Packet Filtering Vs Firewall Below are some comparisons between the ZyXEL Device’s filtering and firewall functions. 9.7.1 Packet Filtering: • The router filters packets as they pass through the router’s interface according to the filter rules you designed.
  • Page 156: When To Use Filtering

    9.7.1.1 When To Use Filtering • To block/allow LAN packets by their MAC addresses. • To block/allow special IP packets which are neither TCP nor UDP, nor ICMP packets. • To block/allow both inbound (WAN to LAN) and outbound (LAN to WAN) traffic between the specific inside host/network "A"...
  • Page 157: Chapter 10 Firewall Configuration

    10.1 Access Methods The web configurator is, by far, the most comprehensive firewall configuration tool your ZyXEL Device has to offer. For this reason, it is recommended that you configure your firewall using the web configurator. CLI (Command Line Interpreter) commands provide limited configuration options and are only recommended for advanced users.
  • Page 158: Rule Logic Overview

    These custom rules work by comparing the Source IP address, Destination IP address and IP protocol type of network traffic to rules set by the administrator. Your customized rules take precedence and override the ZyXEL Device’s default rules. 10.3 Rule Logic Overview Note: Study these points carefully before configuring rules.
  • Page 159: Key Fields For Configuring Rules

    LAN to LAN/ Router and WAN to WAN/ Router rules apply to packets coming in on the associated interface (LAN or WAN respectively). LAN to LAN/ Router means policies for LAN-to-ZyXEL Device (the policies for managing the ZyXEL Device through the LAN interface) and policies for LAN-to-LAN (the policies that control routing between two subnets on the LAN).
  • Page 160: Figure 86 Firewall: General

    10.4.1 LAN to WAN Rules The default rule for LAN to WAN traffic is that all users on the LAN are allowed non-restricted access to the WAN. When you configure a LAN to WAN rule, you in essence want to limit some or all users from accessing certain services on the WAN.
  • Page 161: Table 56 Firewall: General

    Denial of Service (DoS) attacks when the firewall is activated. Bypass Triangle Route: Select this check box to have the ZyXEL Device firewall permit the use of triangle route topology on the network. See the appendix for more on triangle route topology.
  • Page 162: Figure 87 Firewall Rules

    Table 57 Firewall Rules. Firewall Rules Storage Space in Use: This read-only bar shows how much of the ZyXEL Device's memory for recording firewall rules it is currently using. When you are using 80% or less of the storage space, the bar is green.
  • Page 163: Configuring Firewall Rules

    The ordering of your rules is important as they are applied in order of their numbering. Apply: Click Apply to save your changes back to the ZyXEL Device. Cancel: Click Cancel to begin configuring this screen afresh. 10.6.1 Configuring Firewall Rules Refer to Section 9.1 on page 144...
  • Page 164: Figure 88 Firewall: Edit Rule

    Figure 88 Firewall: Edit Rule
  • Page 165: Table 58 Firewall: Edit Rule

    Log Settings page and select the Access Control logs category to have the ZyXEL Device record these logs. Alert. Send Alert Message to Administrator When Matched: Select the check box to have the ZyXEL Device generate an alert when the rule is matched.
  • Page 166: Figure 89 Firewall: Customized Services

    Click Cancel to exit this screen without saving. 10.6.2 Customized Services Configure customized services and port numbers not predefined by the ZyXEL Device. For a comprehensive list of port numbers and services, visit the IANA (Internet Assigned Numbers Authority) website. For further information on these services, please read Section 10.8 on page...
  • Page 167: Figure 90 Firewall: Configure Customized Services

    10.6.3 Configuring A Customized Service Click a rule number in the Firewall Customized Services screen to create a new custom port or edit an existing one. This action displays the following screen. Refer to Section 9.1 on page 144 for more information.
  • Page 168: Figure 91 Firewall Example: Rules

    Figure 91 Firewall Example: Rules 3 In the Rules screen, select the index number after which you want to add the rule. For example, if you select “6”, your new rule becomes number 7 and the previous rule 7 (if there is one) becomes rule 8.
  • Page 169: Figure 93 Firewall Example: Edit Rule: Destination Address

    Figure 93 Firewall Example: Edit Rule: Destination Address 9 Use the Add >> and Remove buttons between Available Services and Selected Services list boxes to configure it as follows. Click Apply when you are done. Note: Custom services show up with an “*” before their names in the Services list box and the Rules list box.
  • Page 170: Figure 94 Firewall Example: Edit Rule: Select Customized Services

    Figure 94 Firewall Example: Edit Rule: Select Customized Services On completing the configuration procedure for this Internet firewall rule, the Rules screen should look like the following. Rule 1 allows a “MyService” connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN.
  • Page 171: Figure 95 Firewall Example: Rules: MyService

    Section 10.6.1 on page 162) displays all predefined services that the ZyXEL Device already supports. Next to the name of the service, two fields appear in brackets. The first field indicates the IP protocol type (TCP, UDP, or ICMP). The second field indicates the IP port number that defines the service. (Note that there may be more than one IP protocol type.
  • Page 172 Table 61 Predefined Services (continued). H.323(TCP:1720): Net Meeting uses this protocol. HTTP(TCP:80): Hyper Text Transfer Protocol - a client/server protocol for the world wide web. HTTPS: HTTPS is a secured http session often used in e-commerce.
  • Page 173: Figure 96 Firewall: Anti Probing

    Another videoconferencing solution. 10.9 Anti-Probing If an outside user attempts to probe an unsupported port on your ZyXEL Device, an ICMP response packet is automatically returned. This allows the outside user to know the ZyXEL Device exists. The ZyXEL Device supports anti-probing, which prevents the ICMP response packet from being sent.
  • Page 174: Table 62 Firewall: Anti Probing

    ...Requests for Unauthorized Services: Select this option to prevent hackers from finding the ZyXEL Device by probing for unused ports. If you select this option, the ZyXEL Device will not respond to port request(s) for unused ports, thus leaving the unused ports and the ZyXEL Device...
  • Page 175: Half-Open Sessions

    • If the Blocking Time timeout is 0 (the default), then the ZyXEL Device deletes the oldest existing half-open session for the host for every new connection request to the host. This ensures that the number of half-open sessions to a given host will never exceed the threshold.
  • Page 176: Figure 97 Firewall: Threshold

    10.10.3 Configuring Firewall Thresholds The ZyXEL Device also sends alerts whenever TCP Maximum Incomplete is exceeded. The global values specified for the threshold and timeout apply to all TCP connections. Click Firewall, and Threshold to bring up the next screen.
  • Page 177 Incomplete is reached. Enter the length of blocking time in minutes (between 1 and 256). Apply: Click Apply to save your changes back to the ZyXEL Device. Cancel: Click Cancel to begin configuring this screen afresh.
  • Page 179: Figure 98 Content Filter: Keyword

    Content filtering gives you the ability to block web sites that contain key words (that you specify) in the URL. You can set a schedule for when the ZyXEL Device performs content filtering. You can also specify trusted IP addresses on the LAN for which the ZyXEL Device will not perform content filtering.
  • Page 180: Figure 99 Content Filter: Schedule

    Click Cancel to return to the previously saved settings. 11.3 Configuring the Schedule To set the days and times for the ZyXEL Device to perform content filtering, click Security > Content Filter > Schedule. The screen appears as shown. Figure 99 Content Filter: Schedule...
  • Page 181: Figure 100 Content Filter: Trusted

    Click Cancel to return to the previously saved settings. 11.4 Configuring Trusted Computers To exclude a range of users on the LAN from content filtering on your ZyXEL Device, click Security > Content Filter > Trusted. The screen appears as shown.
  • Page 183: Figure 101 Example Of Static Routing Topology

    Device knows about network N2 in the following figure through remote node Router 1. However, the ZyXEL Device is unable to route a packet to network N3 because it doesn't know that there is a route through the same remote node Router 1 (via gateway Router 2). The static routes are for you to tell the ZyXEL Device about the networks beyond the remote nodes.
  • Page 184: Table 67 Static Route

    Click the Edit icon to go to the screen where you can set up a static route on the ZyXEL Device. Click the Delete icon to remove a static route from the ZyXEL Device. A window displays asking you to confirm that you want to delete the route.
  • Page 185: Figure 103 Static Route Edit

    Back: Click Back to return to the previous screen without saving. Apply: Click Apply to save your changes back to the ZyXEL Device. Cancel: Click Cancel to begin configuring this screen afresh.
  • Page 187: Chapter 13 Bandwidth Management

    (bandwidth budgets) to different bandwidth rules. The ZyXEL Device applies bandwidth management to traffic that it forwards out through an interface. The ZyXEL Device does not control the bandwidth of traffic that comes into an interface. Bandwidth management applies to all traffic flowing out of the router, regardless of the traffic's source.
  • Page 188: Figure 104 Subnet-Based Bandwidth Management Example

    64 Kbps 64 Kbps 13.5 Scheduler The scheduler divides up an interface’s bandwidth among the bandwidth classes. The ZyXEL Device has two types of scheduler: fairness-based and priority-based. 13.5.1 Priority-based Scheduler With the priority-based scheduler, the ZyXEL Device forwards traffic from bandwidth classes according to the priorities that you assign to the bandwidth classes.
  • Page 189: Fairness-Based Scheduler

    When you enable maximize bandwidth usage, the ZyXEL Device first makes sure that each bandwidth class gets up to its bandwidth allotment. Next, the ZyXEL Device divides up an interface’s available bandwidth (bandwidth that is unbudgeted or unused by the classes) depending on how many bandwidth classes require more bandwidth and on their priority levels.
  • Page 190: Table 70 Maximize Bandwidth Usage Example

    13.6.2 Maximize Bandwidth Usage Example Here is an example of a ZyXEL Device that has maximize bandwidth usage enabled on an interface. The following table shows each bandwidth class’s bandwidth budget. The classes are set up based on subnets. The interface is set to 10240 kbps. Each subnet is allocated 2048 kbps.
  • Page 191: Table 72 Fairness-Based Allotment Of Unused And Unbudgeted Bandwidth Example

    1024 kbps extra goes to each so the other classes each get a total of 3072 kbps. 13.6.3 Bandwidth Management Priorities The following table describes the priorities that you can apply to traffic that the ZyXEL Device forwards out through an interface. Table 73 Bandwidth Management Priorities PRIORITY LEVELS: TRAFFIC WITH A HIGHER PRIORITY GETS THROUGH FASTER WHILE TRAFFIC WITH A LOWER PRIORITY IS DROPPED IF THE NETWORK IS CONGESTED.
  • Page 192: Figure 105 Bandwidth Management: Summary

    13.7 Over Allotment of Bandwidth You can set the bandwidth management speed for an interface higher than the interface’s actual transmission speed. Higher priority traffic gets to use up to its allocated bandwidth, even if it takes up all of the interface’s available bandwidth. This could stop lower priority traffic from being sent.
  • Page 193: Table 75 Media Bandwidth Management: Summary

    You can also set this number lower than the interface’s actual transmission speed. If you do not enable Max Bandwidth Usage, this will cause the ZyXEL Device to not use some of the interface’s available bandwidth. Scheduler Select either Priority-Based or Fairness-Based from the drop-down menu to control the traffic flow.
  • Page 194: Figure 106 Bandwidth Management: Rule Setup

    Click the Edit icon to go to the screen where you can edit the rule. Click the Remove icon to delete an existing rule. Apply Click Apply to save your changes back to the ZyXEL Device. Cancel Click Cancel to begin configuring this screen afresh.
  • Page 195: Figure 107 Bandwidth Management Rule Configuration

    LABEL DESCRIPTION Rule Configuration Active Select this check box to have the ZyXEL Device apply this bandwidth management rule. Enable a bandwidth management rule to give traffic that matches the rule priority over traffic that does not match the rule.
  • Page 196 (service type) number. 0 means any protocol number. Back Click Back to go to the previous screen. Apply Click Apply to save your changes back to the ZyXEL Device. Cancel Click Cancel to begin configuring this screen afresh.
  • Page 197: Figure 108 Bandwidth Management: Monitor

    1723 13.10 Bandwidth Monitor To view the ZyXEL Device’s bandwidth usage and allotments, click Advanced > Bandwidth MGMT > Monitor. The screen appears as shown. Select an interface from the drop-down list box to view the bandwidth usage of its bandwidth rules. The gray section of the bar represents the percentage of unused bandwidth and the blue color represents the percentage of bandwidth in use.
  • Page 199: Chapter 14 Dynamic Dns Setup

    Chapter 14 Dynamic DNS Setup This chapter discusses how to configure your ZyXEL Device to use Dynamic DNS. 14.1 Dynamic DNS Overview Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.).
  • Page 200: Figure 109 Dynamic Dns

    Dynamic DNS Type Select the type of service that you are registered for from your Dynamic DNS service provider. Host Name Type the domain name assigned to your ZyXEL Device by your Dynamic DNS provider. You can specify up to two host names in the field separated by a comma (","). User Name Type your user name.
  • Page 201 Table 79 Dynamic DNS (continued) LABEL DESCRIPTION Dynamic DNS server auto detect IP Select this option only when there are one or more NAT routers between the ZyXEL Device and the DDNS server. This feature has the DDNS server automatically detect and use the IP address of the NAT router that has a public IP address.
  • Page 203: Chapter 15 Remote Management Configuration

    To disable remote management of a service, select Disable in the corresponding Access Status field. You may only have one remote management session running at a time. The ZyXEL Device automatically disconnects a remote management session of lower priority when another remote management session of higher priority starts.
  • Page 204: Figure 110 Remote Management: Www

    There is a default system management idle timeout of five minutes (three hundred seconds). The ZyXEL Device automatically logs you out if the management session remains idle for longer than this timeout period. The management session does not time out when a statistics screen is polling.
  • Page 205: Figure 111 Telnet Configuration On A Tcp/Ip Network

    15.3 Telnet You can configure your ZyXEL Device for remote Telnet access as shown next. The administrator uses Telnet from a computer on a remote network to access the ZyXEL Device. Figure 111 Telnet Configuration on a TCP/IP Network 15.4 Configuring Telnet Click Advanced >...
  • Page 206: Figure 112 Remote Management: Telnet

    Secured Client IP A secured client is a “trusted” computer that is allowed to communicate with the ZyXEL Device using this service. Select All to allow any computer to access the ZyXEL Device using this service. Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service.
  • Page 207: Figure 113 Remote Management: Ftp

    Secured Client IP A secured client is a “trusted” computer that is allowed to communicate with the ZyXEL Device using this service. Select All to allow any computer to access the ZyXEL Device using this service. Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service.
  • Page 208: Figure 114 Snmp Management Model

    • Trap - Used by the agent to inform the manager of some events. 15.6.1 Supported MIBs The ZyXEL Device supports MIB II that is defined in RFC-1213 and RFC-1215. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance.
  • Page 209: Figure 115 Remote Management: Snmp

    15.6.2 SNMP Traps The ZyXEL Device will send traps to the SNMP manager when any one of the following events occurs: Table 83 SNMP Traps TRAP # TRAP NAME DESCRIPTION coldStart (defined in RFC-1215) A trap is sent after booting (power on).
  • Page 210: Table 84 Remote Management: Snmp

    To change your ZyXEL Device’s DNS settings, click Advanced > Remote MGMT > DNS. The screen appears as shown. Use this screen to set from which IP address the ZyXEL Device will accept DNS queries and on which interface it can send them.
  • Page 211: Figure 116 Remote Management: Dns

    To change your ZyXEL Device’s security settings, click Advanced > Remote MGMT > ICMP. The screen appears as shown. If an outside user attempts to probe an unsupported port on your ZyXEL Device, an ICMP response packet is automatically returned. This allows the outside user to know the ZyXEL Device exists.
  • Page 212: Figure 117 Remote Management: Icmp

    Click Cancel to begin configuring this screen afresh. 15.9 TR-069 TR-069 is a protocol that defines how your ZyXEL Device can be managed via a management server such as ZyXEL’s Vantage CNM Access. An administrator can use CNM Access to remotely set up the ZyXEL device, modify settings, perform firmware upgrades as well as monitor and diagnose the ZyXEL device.
  • Page 213: Figure 118 Enabling Tr-069

    Follow the procedure below to configure your ZyXEL Device to be managed by CNM Access. See the Command Interpreter appendix for information on the command structure and how to access the CLI (Command Line Interface) on the ZyXEL Device.
  • Page 215: Chapter 16 Universal Plug-And-Play (Upnp)

    Chapter 16 Universal Plug-and-Play (UPnP) This chapter introduces the UPnP feature in the web configurator. 16.1 Introducing Universal Plug and Play Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices.
  • Page 216: Cautions With Upnp

    Disable UPnP if this is not your intention. 16.2 UPnP and ZyXEL ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum Creates UPnP™ Implementers Corp. (UIC). ZyXEL's UPnP implementation supports IGD 1.0 (Internet Gateway Device). At the time of writing ZyXEL's UPnP implementation supports Windows Messenger 4.6 and 4.7 while Windows Messenger 5.0 and Xbox are still being...
  • Page 217: Table 88 Configuring Upnp

    Play (UPnP) Feature Select this check box to activate UPnP. Be aware that anyone could use a UPnP application to open the web configurator's login screen without entering the ZyXEL Device's IP address (although you must still enter the password to access the web configurator). Allow users to make...
  • Page 218: Figure 120 Add/Remove Programs: Windows Setup: Communication

    Figure 120 Add/Remove Programs: Windows Setup: Communication 3 In the Communications window, select the Universal Plug and Play check box in the Components selection box. Figure 121 Add/Remove Programs: Windows Setup: Communication: Components 4 Click OK to go back to the Add/Remove Programs Properties window and click Next.
  • Page 219: Figure 122 Network Connections

    16.3.2 Installing UPnP in Windows XP Follow the steps below to install the UPnP in Windows XP. 1 Click start and Control Panel. 2 Double-click Network Connections. 3 In the Network Connections window, click Advanced in the main menu and select Optional Networking Components ….
  • Page 220: Figure 124 Networking Services

    This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the ZyXEL Device. Make sure the computer is connected to a LAN port of the ZyXEL Device. Turn on your computer and the ZyXEL Device.
  • Page 221: Figure 125 Network Connections

    Figure 125 Network Connections 3 In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created. Figure 126 Internet Connection Properties 4 You may edit or delete the port mappings or click Add to manually add port mappings.
  • Page 222: Figure 127 Internet Connection Properties: Advanced Settings

    Figure 127 Internet Connection Properties: Advanced Settings Figure 128 Internet Connection Properties: Advanced Settings: Add Note: When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically. 5 Select Show icon in notification area when connected option and click OK. An icon displays in the system tray.
  • Page 223: Figure 130 Internet Connection Status

    16.4.2 Web Configurator Easy Access With UPnP, you can access the web-based configurator on the ZyXEL Device without finding out the IP address of the ZyXEL Device first. This is helpful if you do not know the IP address of the ZyXEL Device.
  • Page 224: Figure 131 Network Connections

    Figure 131 Network Connections 4 An icon with the description for each UPnP-enabled device displays under Local Network. 5 Right-click on the icon for your ZyXEL Device and select Invoke. The web configurator login screen displays.
  • Page 225: Figure 132 Network Connections: My Network Places

    Figure 132 Network Connections: My Network Places 6 Right-click on the icon for your ZyXEL Device and select Properties. A properties window displays with basic information about the ZyXEL Device. Figure 133 Network Connections: My Network Places: Properties: Example...
  • Page 227: Chapter 17 System

    The Domain Name entry is what is propagated to the DHCP clients on the LAN. If you leave this blank, the domain name obtained by DHCP from the ISP is used. While you must enter the host name (System Name), the domain name can be assigned from the ZyXEL Device via DHCP.
  • Page 228: Figure 134 System General Setup

    (not recommended). Password User Password If you log in with the user password, you can only view the ZyXEL Device status. The default user password is user. New Password Type your new system password (up to 30 characters). Note that as you type a password, the screen displays a (*) for each character you type.
  • Page 229: Figure 135 System Time Setting

    17.2 Time Setting To change your ZyXEL Device’s time and date, click Maintenance > System > Time Setting. The screen appears as shown. Use this screen to configure the ZyXEL Device’s time based on your local time zone. Figure 135 System Time Setting...
  • Page 230: Table 90 System Time Setting

    When you set Time and Date Setup to Manual, enter the new date in this field and then click Apply. Get from Time Server Select this radio button to have the ZyXEL Device get the time and date from the time server you specified below.
  • Page 231 In Germany for instance, you would type 2 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1). Apply Click Apply to save your changes back to the ZyXEL Device. Cancel Click Cancel to begin configuring this screen afresh.
  • Page 233: Chapter 18 Logs

    The web configurator allows you to choose which categories of events and/or alerts to have the ZyXEL Device log and then display the logs or have the ZyXEL Device send them to an administrator (as e-mail) or to a syslog server.
  • Page 234: Figure 136 View Log

    Click Clear Log to delete all the logs. 18.3 Configuring Log Settings Use the Log Settings screen to configure to where the ZyXEL Device is to send logs; the schedule for when the ZyXEL Device is to send the logs and which logs and/or immediate alerts the ZyXEL Device is to record.
  • Page 235: Figure 137 Log Settings

    If this field is left blank, logs and alert messages will not be sent via E-mail. Mail Subject Type a title that you want to be in the subject line of the log e-mail message that the ZyXEL Device sends. Not all ZyXEL models have this field.
  • Page 236 LABEL DESCRIPTION Send Log To The ZyXEL Device sends logs to the e-mail address specified in this field. If this field is left blank, the ZyXEL Device does not send logs via e-mail. Send Alerts To Alerts are real-time notifications that are sent as soon as an event, such as a DoS attack, system error, or forbidden web access attempt occurs.
  • Page 237: Figure 138 E-Mail Log Example

    18.3.1 Example E-mail Log An "End of Log" message displays for each mail in which a complete log has been sent. The following is an example of a log sent by e-mail. • You may edit the subject title.
  • Page 239: Chapter 19 Tools

    ZyXEL Device. 19.1 Firmware Upgrade Find firmware at www.zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example, "ZyXEL Device.bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes. After a successful upload, the system will reboot.
  • Page 240: Figure 140 Firmware Upload In Progress

    Click Upload to begin the upload process. This process may take up to two minutes. Note: Do NOT turn off the ZyXEL Device while firmware upload is in progress! After you see the Firmware Upload in Progress screen, wait two minutes before logging into the ZyXEL Device again.
  • Page 241: Figure 142 Error Message

    Backup configuration allows you to back up (save) the ZyXEL Device’s current configuration to a file on your computer. Once your ZyXEL Device is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes.
  • Page 242: Figure 144 Configuration Restore Successful

    If you uploaded the default configuration file you may need to change the IP address of your computer to be in the same subnet as that of the default ZyXEL Device IP address (192.168.1.1). See the appendix for details on how to set up your computer’s IP address.
  • Page 243: Figure 146 Configuration Restore Error

    19.3 Restart System restart allows you to reboot the ZyXEL Device without turning the power off. Click Maintenance > Tools > Restart. Click Restart to have the ZyXEL Device reboot. This does not affect the ZyXEL Device's configuration. Figure 147 Restart Screen...
  • Page 245: Figure 148 Diagnostic: General

    Chapter 20 Diagnostic These read-only screens display information to help you identify problems with the ZyXEL Device. 20.1 General Diagnostic Click Maintenance > Diagnostic to open the screen shown next. Figure 148 Diagnostic: General The following table describes the fields in this screen.
  • Page 246: Figure 149 Diagnostic: Dsl Line

    Test Click this button to start the ATM loopback test. Make sure you have configured at least one PVC with proper VPIs/VCIs before you begin this test. The ZyXEL Device sends an OAM F5 packet to the DSLAM/ATM switch and then returns it (loops it back) to the ZyXEL Device.
  • Page 247: Table 97 Troubleshooting Starting Up Your Zyxel Device

    LEDs turn on when I turn on Make sure that the ZyXEL Device’s power adaptor is connected to the ZyXEL Device and plugged in to an appropriate power source. Make sure that the ZyXEL Device and the power source are both turned on.
  • Page 248: Table 99 Troubleshooting The Wan

    Password (be sure to use the correct casing). Refer to the WAN Setup chapter. I cannot access the Internet. Make sure the ZyXEL Device is turned on and connected to the network. Verify your WAN settings. Refer to the chapter on WAN setup.
  • Page 249: Table 100 Troubleshooting Accessing The Zyxel Device

    Your computer’s and the ZyXEL Device’s IP addresses must be on the same subnet for LAN access. If you changed the ZyXEL Device’s LAN IP address, then enter the new one as the URL. Make sure that pop-up windows, JavaScripts and Java permissions are allowed. See the appendix for how to enable them.
  • Page 251: Table 101 Device

    Appendix A Product Specifications See also the Introduction chapter for a general overview of the key features. Specification Tables Table 101 Device Default IP Address 192.168.1.1 Default Subnet Mask 255.255.255.0 (24 bits)
  • Page 252: Table 102 Firmware

    Table 102 Firmware ADSL Standards Multi-Mode standard (ANSI T1.413,Issue 2; G.dmt(G.992.1); G.lite(G992.2)). ADSL2 G.dmt.bis (G.992.3) ADSL2 G.lite.bis (G.992.4) ADSL2+ (G.992.5) Reach-Extended ADSL (RE ADSL) SRA (Seamless Rate Adaptation) Auto-negotiating rate adaptation ADSL physical connection ATM AAL5 (ATM Adaptation Layer type 5)
  • Page 253 Table 102 Firmware (continued) Firewall Stateful Packet Inspection. Prevent Denial of Service attacks such as Ping of Death, SYN Flood, LAND, Smurf etc. Real time E-mail alerts. Reports and logs. NAT/SUA Port Forwarding 1024 NAT sessions...
  • Page 255: Appendix B About Adsl

    Appendix B About ADSL Introduction to DSL DSL (Digital Subscriber Line) technology enhances the data capacity of the existing twisted-pair wire that runs between the local telephone company switching offices and most homes and offices.
  • Page 256 2 Because your line is dedicated (not shared), transmission speeds between you and the device to which you connect at your service provider are not affected by other users. With cable modems, transmission speeds drop significantly as more users go on-line because the line is shared.
  • Page 257: Figure 150 Configuration Text File Format: Column Descriptions

    – eliminating the need to navigate and configure individual screens for each ZyXEL Device. You can use FTP to get the Internal SPTGEN file. Then edit the file in a text editor and use FTP to upload it again to the same device or another one.
  • Page 258: Figure 151 Invalid Parameter Entered: Command Line Example

    Figure 150 on page 256), then you disable every field in this menu. If you enter a parameter that is invalid in the Input column, the ZyXEL Device will not save the configuration and the command line will display the Field Identification Number.
  • Page 259: Figure 153 Internal Sptgen Ftp Download Example

    2 Enter " ". The command “ ” sets the transfer mode to binary. 3 Upload your “ ” file from your computer to the ZyXEL Device using the “ ” rom-t command. computer to the ZyXEL Device. 4 Exit this FTP application.
  • Page 260: Table 103 Abbreviations Used In The Example Internal Sptgen Screens Table

    Example Internal SPTGEN Menus This section provides example Internal SPTGEN menus. Table 103 Abbreviations Used in the Example Internal SPTGEN Screens Table ABBREVIATION MEANING Field Identification Number Field Name Parameter Values Allowed INPUT An example of what you may enter Applies to the ZyXEL Device.
  • Page 261 Table 105 Menu 3 30100012 = Output protocol filters Set 4 = 256 30100013 = Output device filters Set 1 = 256 30100014 = Output device filters Set 2 = 256 30100015 = Output device filters Set 3...
  • Page 262 Table 105 Menu 3 30201005 = Version <0(Rip-1) | 1(Rip-2B) |2(Rip-2M)> 30201006 = IP Alias #1 Incoming protocol filters = 256 Set 1 30201007 = IP Alias #1 Incoming protocol filters = 256 Set 2 30201008 =...
  • Page 263 Table 105 Menu 3 INPUT 30500001 = ESSID Wireless 30500002 = Hide ESSID <0(No) | 1(Yes)> 30500003 = Channel ID <1|2|3|4|5|6|7 |8|9|10|11|12| 13> 30500004 = RTS Threshold <0 ~ 2432> = 2432 30500005 = FRAG. Threshold <256 ~ 2432>...
  • Page 264: Table 106 Menu 4 Internet Access Setup

    Table 106 Menu 4 Internet Access Setup / Menu 4 Internet Access Setup INPUT 40000000 = Configured <0(No) | 1(Yes)> 40000001 = <0(No) | 1(Yes)> 40000002 = Active <0(No) | 1(Yes)> 40000003 = ISP's Name = ChangeMe...
  • Page 265: Table 107 Menu 12

    Table 106 Menu 4 Internet Access Setup (continued) 40000027 = ATM QoS Type <0(CBR) | (1 (UBR)> 40000028 = Peak Cell Rate (PCR) 40000029 = Sustain Cell Rate (SCR) 40000030 = Maximum Burst Size(MBS) 40000031= RIP Direction <0(None) |...
  • Page 266: Table 108 Menu 15 Sua Server Setup

    Table 108 Menu 15 SUA Server Setup / Menu 15 SUA Server Setup INPUT 150000001 = SUA Server IP address for default = 0.0.0.0 port 150000002 = SUA Server #2 Active <0(No) | 1(Yes)> 150000003 = SUA Server #2 Protocol <0(All)|6(TCP)|17(U...
  • Page 267: Table 109 Menu 21.1 Filter Set #1

    Table 108 Menu 15 SUA Server Setup (continued) 150000031 = SUA Server #7 Local IP address = 0.0.0.0 150000032 = SUA Server #8 Active <0(No) | 1(Yes)> 150000033 = SUA Server #8 Protocol <0(All)|6(TCP)|17(U DP)> 150000034 =...
  • Page 268 Table 109 Menu 21.1 Filter Set #1 (continued) 210101002 = IP Filter Set 1,Rule 1 Active <0(No)|1(Yes)> 210101003 = IP Filter Set 1,Rule 1 Protocol 210101004 = IP Filter Set 1,Rule 1 Dest IP address = 0.0.0.0...
  • Page 269: Table 110 Menu 21.1 Filter Set #2

    Table 109 Menu 21.1 Filter Set #1 (continued) 210102013 = IP Filter Set 1,Rule 2 Act Match <1(check next)|2(forward)| 3(drop)> 210102014 = IP Filter Set 1,Rule 2 Act Not Match <1(check next)|2(forward)| 3(drop)> Table 110 Menu 21.1 Filter Set #2, / Menu 21.1 filter set #2,...
  • Page 270: Table 111 Menu 23 System Menus

    Table 110 Menu 21.1 Filter Set #2, (continued) 210202001 = IP Filter Set 2, Rule 2 Type <0(none)|2(TCP/IP)> = 2 210202002 = IP Filter Set 2, Rule 2 Active <0(No)|1(Yes)> 210202003 = IP Filter Set 2, Rule 2 Protocol...
  • Page 271: Table 112 Menu 24.11 Remote Management Control

    Table 111 Menu 23 System Menus (continued) 230200005 = Authentication Server Shared Secret 111111111111 111111111111 1111 230200006 = Accounting Server Configured <0(No) | 1(Yes)> 230200007 = Accounting Server Active <0(No) | 1(Yes)> 230200008 = Accounting Server IP Address 192.168.1.44...
  • Page 272: Table 113 Command Examples

    |3(Wan)> 241100009 = WEB Server Secured IP address = 0.0.0.0 Command Examples The following are example Internal SPTGEN screens associated with the ZyXEL Device’s command interpreter commands. Table 113 Command Examples INPUT /ci command (for annex a): wan adsl opencmd...
  • Page 273: Figure 155 Wall-Mounting Example

    4 Make sure the screws are snugly fastened to the wall. They need to hold the weight of the ZyXEL Device with the connection cables. 5 Align the holes on the back of the ZyXEL Device with the screws on the wall. Hang the ZyXEL Device on the screws.
  • Page 275: Appendix E Setting Up Your Computer's Ip Address

    After the appropriate TCP/IP components are installed, configure the TCP/IP settings in order to "communicate" with your network. If you manually assign IP information instead of using dynamic assignment, make sure that your computers have IP addresses that place them in the same subnet as the ZyXEL Device’s LAN port. Windows 95/98/Me Click Start, Settings, Control Panel and double-click the Network icon to open the Network window.
  • Page 276: Figure 156 Windows 95/98/Me: Network: Configuration

    Figure 156 Windows 95/98/Me: Network: Configuration Installing Components The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the adapter: 1 In the Network window, click Add.
  • Page 277: Figure 157 Windows 95/98/Me: Tcp/Ip Properties: Ip Address

    3 Select Microsoft from the list of manufacturers. 4 Select Client for Microsoft Networks from the list of network clients and then click 5 Restart your computer so the changes you made take effect. Configuring 1 In the Network window Configuration tab, select your network adapter's TCP/IP entry and click Properties 2 Click the IP Address tab.
  • Page 278: Figure 158 Windows 95/98/Me: Tcp/Ip Properties: Dns Configuration

    5 Click OK to save and close the TCP/IP Properties window. 6 Click OK to close the Network window. Insert the Windows CD if prompted. 7 Turn on your ZyXEL Device and restart your computer when prompted. Verifying Settings 1 Click Start and then Run.
  • Page 279: Figure 159 Windows Xp: Start Menu

    Figure 159 Windows XP: Start Menu 2 In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT). Figure 160 Windows XP: Control Panel 3 Right-click Local Area Connection and then click Properties.
  • Page 280: Figure 161 Windows Xp: Control Panel: Network Connections: Properties

    Figure 161 Windows XP: Control Panel: Network Connections: Properties 4 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and then click Properties. Figure 162 Windows XP: Local Area Connection Properties 5 The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP).
  • Page 281: Figure 163 Windows Xp: Internet Protocol (Tcp/Ip) Properties

    • If you have a static IP address click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields. • Click Advanced. Figure 163 Windows XP: Internet Protocol (TCP/IP) Properties 6 If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK.
  • Page 282: Figure 164 Windows Xp: Advanced Tcp/Ip Properties

    Figure 164 Windows XP: Advanced TCP/IP Properties 7 In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP): • Click Obtain DNS server address automatically if you do not know your DNS server IP address(es).
  • Page 283: Figure 165 Windows Xp: Internet Protocol (Tcp/Ip) Properties

    10 Close the Network Connections window (Network and Dial-up Connections in Windows 2000/NT). 11 Turn on your ZyXEL Device and restart your computer (if prompted). Verifying Settings 1 Click Start, All Programs, Accessories and then Command Prompt. 2 In the Command Prompt window, type "ipconfig" and then press [ENTER]. You can also open Network Connections, right-click a network connection, click Status and then click the Support tab.
  • Page 284: Figure 166 Macintosh Os 8/9: Apple Menu

    Figure 166 Macintosh OS 8/9: Apple Menu 2 Select Ethernet built-in from the Connect via list. Figure 167 Macintosh OS 8/9: TCP/IP 3 For dynamically assigned settings, select Using DHCP Server from the Configure: list.
  • Page 285: Figure 168 Macintosh Os X: Apple Menu

    • Type your subnet mask in the Subnet mask box. • Type the IP address of your ZyXEL Device in the Router address box. 5 Close the TCP/IP Control Panel. 6 Click Save if prompted, to save changes to your configuration.
  • Page 286: Figure 169 Macintosh Os X: Network

    • Type your subnet mask in the Subnet mask box. • Type the IP address of your ZyXEL Device in the Router address box. 5 Click Apply Now and close the window. 6 Turn on your ZyXEL Device and restart your computer (if prompted).
  • Page 287: Figure 170 Red Hat 9.0: Kde: Network Configuration: Devices

    Note: Make sure you are logged in as the root administrator. Using the K Desktop Environment (KDE) Follow the steps below to configure your computer IP address using the KDE. 1 Click the Red Hat button (located on the bottom left corner), select System Setting and click Network.
  • Page 288: Figure 172 Red Hat 9.0: Kde: Network Configuration: Dns

    • If you have a dynamic IP address click Automatically obtain IP address settings with and select dhcp from the drop down list. • If you have a static IP address click Statically set IP Addresses and fill in the Address, Subnet mask, and Default Gateway Address fields.
  • Page 289: Figure 174 Red Hat 9.0: Dynamic Ip Address Setting In Ifconfig-Eth0

    1 Assuming that you have only one network card on the computer, locate the ifconfig-eth0 configuration file (where eth0 is the name of the Ethernet card). Open the configuration file with any plain text editor.
  • Page 290: Figure 177 Red Hat 9.0: Restart Ethernet Card

    Figure 177 Red Hat 9.0: Restart Ethernet Card [root@localhost init.d]# network restart Shutting down interface eth0: [OK] Shutting down loopback interface: [OK] Setting network parameters: [OK] Bringing up loopback interface: [OK] Bringing up interface eth0: [OK] 21.4.1 Verifying Settings...
  • Page 291: Table 114 Classes Of Ip Addresses

    Appendix F IP Subnetting IP Addressing Routers “route” based on the network number. The router that delivers the data packet to the correct destination host uses the host ID. IP Classes An IP address is made up of four octets (eight bits), written in dotted decimal notation, for example, 192.168.1.1.
  • Page 292: Table 115 Allowed Ip Address Range By Class

    Since the first octet of a class “A” IP address must contain a “0”, the first octet of a class “A” address can have a value of 0 to 127. Similarly the first octet of a class “B” must begin with “10”, therefore the first octet of a class “B”...
  • Page 293: Table 117 Alternative Subnet Mask Notation

    For example, 192.1.1.0 /25 is equivalent to saying 192.1.1.0 with mask 255.255.255.128. The following table shows all possible subnet masks for a class “C” address using both notations. Table 117 Alternative Subnet Mask Notation SUBNET MASK SUBNET MASK “1”...
  • Page 294: Table 119 Subnet 1

    Table 119 Subnet 1 LAST OCTET BIT IP/SUBNET MASK NETWORK NUMBER VALUE IP Address 192.168.1. IP Address (Binary) 11000000.10101000.00000001. 00000000 Subnet Mask 255.255.255. Subnet Mask (Binary) 11111111.11111111.11111111. 10000000 Subnet Address: 192.168.1.0 Lowest Host ID: 192.168.1.1 Broadcast Address: Highest Host ID: 192.168.1.126...
  • Page 295: Table 121 Subnet 1

    Example: Four Subnets The above example illustrated using a 25-bit subnet mask to divide a class “C” address space into two subnets. Similarly to divide a class “C” address into four subnets, you need to “borrow” two host ID bits to give four possible combinations of 00, 01, 10 and 11. The subnet mask is 26 bits (11111111.11111111.11111111.11000000) or 255.255.255.192.
  • Page 296: Table 124 Subnet 4

    Table 124 Subnet 4. Columns: IP/SUBNET MASK, NETWORK NUMBER, LAST OCTET BIT VALUE. IP Address: 192.168.1.; IP Address (Binary): 11000000.10101000.00000001. 11000000; Subnet Mask (Binary): 11111111.11111111.11111111. 11000000. Subnet Address: 192.168.1.192; Lowest Host ID: 192.168.1.193; Broadcast Address: 192.168.1.255; Highest Host ID: 192.168.1.254...
  • Page 297: Table 127 Class B Subnet Planning

    Subnetting With Class A and Class B Networks. For class “A” and class “B” addresses the subnet mask also determines which bits are part of the network number and which are part of the host ID.
  • Page 298 Appendix F IP Subnetting...
  • Page 299: Appendix G Command Interpreter

    1 Connect your computer to the ETHERNET port on the ZyXEL Device. 2 Make sure your computer IP address and the ZyXEL Device IP address are on the same subnet. In Windows, click Start (usually in the bottom left corner), Run and then type (the default ZyXEL Device IP address) and click OK.
  • Page 300 Appendix G Command Interpreter...
  • Page 301: Firewall Commands

    APPENDIX H Firewall Commands The following describes the firewall commands. Table 128 Firewall Commands. FUNCTION: Firewall SetUp. COMMAND: config edit firewall active <yes | no>. DESCRIPTION: This command turns the firewall on or off...
  • Page 302: Table 128 Firewall Commands

    COMMAND: config edit firewall e-mail day <sunday | monday | tuesday | wednesday | thursday | friday | saturday>. DESCRIPTION: This command sets the day on which the current firewall log is sent through e-mail if the ZyXEL Device is set to send it on a weekly basis...
  • Page 303 COMMAND: config edit firewall attack tcp-max-incomplete <0-255>. DESCRIPTION: This command sets the threshold of half-open TCP sessions with the same destination where the ZyXEL Device starts dropping half-open sessions to that destination. FUNCTION: Sets. COMMAND: config edit firewall set <set... DESCRIPTION: This command sets a name to identify a...
  • Page 304 COMMAND: ...#> rule <rule #> srcaddr-single <ip address>. DESCRIPTION: ...ZyXEL Device check for traffic with this individual source address. COMMAND: config edit firewall set <set #> rule <rule #> srcaddr-subnet <ip address>... DESCRIPTION: This command sets a rule to have the ZyXEL Device check for traffic from a particular subnet (defined by IP address and subnet...
  • Page 305 COMMAND: ...#> rule <rule #> destaddr-single <ip address>. DESCRIPTION: ...ZyXEL Device check for traffic with this individual destination address. COMMAND: config edit firewall set <set #> rule <rule #> destaddr-subnet <ip address>... DESCRIPTION: This command sets a rule to have the ZyXEL Device check for traffic with a particular subnet destination (defined by IP address and subnet...
  • Page 306 Table 128 Firewall Commands (continued). COMMAND: config delete firewall set <set #> rule <rule #>. DESCRIPTION: This command removes the specified rule in a firewall configuration set. Appendix H Firewall Commands...
  • Page 307: Netbios Filter Commands

    • Allow or disallow NetBIOS packets to initiate calls. Display NetBIOS Filter Settings Syntax: sys filter netbios disp This command gives a read-only list of the current NetBIOS filter modes for the ZyXEL Device. NetBIOS Display Filter Settings Command Example =========== NetBIOS Filter Status ===========...
  • Page 308: Table 129 Netbios Filter Default Settings

    The filter types and their default settings are as follows. Table 129 NetBIOS Filter Default Settings. NAME: Between LAN and WAN. DESCRIPTION: This field displays whether NetBIOS packets are blocked or forwarded between the LAN and the WAN. EXAMPLE: Block...
  • Page 309: Appendix J Splitters And Microfilters

    Figure 179 Connecting a POTS Splitter 1 Connect the side labeled “Phone” to your telephone. 2 Connect the side labeled “Modem” or “DSL” to your ZyXEL Device. 3 Connect the side labeled “Line” to the telephone wall jack. Telephone Microfilters Telephone voice transmissions take place in the lower frequency range, 0 - 4KHz, while ADSL transmissions take place in the higher bandwidth range, above 4KHz.
  • Page 310: Figure 180 Connecting A Microfilter

    2 Connect a cable from the double jack end of the Y-Connector to the “wall side” of the microfilter. 3 Connect another cable from the double jack end of the Y-Connector to the ZyXEL Device. 4 Connect the “phone side” of the microfilter to your telephone as shown in the following figure.
  • Page 311: Figure 182 Zyxel Device With Isdn

    ZyXEL Device With ISDN This section relates to people who use their ZyXEL Device with ADSL over ISDN (digital telephone service) only. The following is an example installation for the ZyXEL Device with ISDN. Figure 182 ZyXEL Device with ISDN...
  • Page 312 Appendix J Splitters and Microfilters...
  • Page 313: Table 130 System Maintenance Logs

    APPENDIX K Log Descriptions This appendix provides descriptions of example log messages. Table 130 System Maintenance Logs. LOG MESSAGE: Time calibration is... DESCRIPTION: The router has adjusted its time based on information from the time server.
  • Page 314: Table 131 System Error Logs

    Table 130 System Maintenance Logs (continued). LOG MESSAGE: Successful HTTPS login. DESCRIPTION: Someone has logged on to the router's web configurator interface using HTTPS protocol. LOG MESSAGE: HTTPS login failed. DESCRIPTION: Someone has failed to log on to the router's web configurator interface using HTTPS protocol.
  • Page 315: Table 133 Tcp Reset Logs

    Table 133 TCP Reset Logs. LOG MESSAGE: Under SYN flood attack, ... DESCRIPTION: The router sent a TCP reset packet when a host was under a SYN flood attack (the TCP incomplete count is per destination host.)...
  • Page 316: Table 135 Icmp Logs

    Table 135 ICMP Logs. LOG MESSAGE: Firewall default policy: ICMP <Packet Direction>, <type:%d>, ... DESCRIPTION: ICMP access matched the default policy and was blocked or forwarded according to the user's setting. For type and code details, see Table 147 on page 324....
  • Page 317: Table 138 Upnp Logs

    LOG MESSAGE: DNS resolving failed. DESCRIPTION: The ZyXEL Device cannot get the IP address of the external content filtering via DNS query. LOG MESSAGE: Creating socket failed. DESCRIPTION: The ZyXEL Device cannot issue a query because TCP/IP socket creation failed, port:port number. Appendix K Log Descriptions...
  • Page 318: Table 140 Attack Logs

    Table 139 Content Filtering Logs (continued). LOG MESSAGE: Connecting to content filter server fail. DESCRIPTION: The connection to the external content filtering server failed. LOG MESSAGE: License key is invalid. DESCRIPTION: The external content filtering license key is invalid.
  • Page 319: Table 141 Ipsec Logs

    Table 141 IPSec Logs. LOG MESSAGE: Discard REPLAY packet. DESCRIPTION: The router received and discarded a packet with an incorrect sequence number. LOG MESSAGE: Inbound packet... DESCRIPTION: The router received a packet that has been altered. A third party may have altered or tampered with the packet....
  • Page 320 Table 142 IKE Logs (continued). LOG MESSAGE: Cannot resolve Secure Gateway Addr for rule <%d>. DESCRIPTION: The router couldn’t resolve the IP address from the domain name that was used for the secure gateway address. LOG MESSAGE: Peer ID: <peer id>... DESCRIPTION: The displayed ID information did not match between the two...
  • Page 321 Table 142 IKE Logs (continued). LOG MESSAGE: XAUTH fail! Username: <Username>. DESCRIPTION: The router was not able to use extended authentication to authenticate the listed username. LOG MESSAGE: Rule[%d] Phase 1 negotiation... DESCRIPTION: The listed rule’s IKE phase 1 negotiation mode did not match between the router and the peer....
  • Page 322: Table 143 Pki Logs

    Table 142 IKE Logs (continued). LOG MESSAGE: Rule [%d] phase 2 mismatch. DESCRIPTION: The listed rule’s IKE phase 2 did not match between the router and the peer. DESCRIPTION: The listed rule’s IKE phase 2 key lengths (with the AES...
  • Page 323: Table 144 Certificate Path Verification Failure Reason Codes

    Table 143 PKI Logs (continued). LOG MESSAGE: Rcvd data <size> too large! Max size ... DESCRIPTION: The router received directory data that was too large (the size is listed) from the LDAP server whose address and port are recorded in the Source field....
  • Page 324: Table 145 802.1X Logs

    Table 144 Certificate Path Verification Failure Reason Codes (continued) CODE DESCRIPTION Database method failed. Path was not verified. Maximum path length reached. Table 145 802.1X Logs LOG MESSAGE DESCRIPTION A user was authenticated by the local user database.
  • Page 325: Table 146 Acl Setting Notes

    Table 146 ACL Setting Notes PACKET DIRECTION DIRECTION DESCRIPTION (L to W) LAN to WAN ACL set for packets traveling from the LAN to the WAN. (W to L) WAN to LAN ACL set for packets traveling from the WAN to the LAN.
  • Page 326: Table 148 Syslog Logs

    Table 147 ICMP Notes (continued) TYPE CODE DESCRIPTION Timestamp request message Timestamp Reply Timestamp reply message Information Request Information request message Information Reply Information reply message Table 148 Syslog Logs. LOG MESSAGE: <Facility*8 + Severity>Mon dd... DESCRIPTION: "This message is sent by the system ("RAS" displays as the...
  • Page 327: Figure 183 Displaying Log Categories Example

    3 to record both logs and alerts for that category. Not every parameter is available with every category. 5 Use the sys logs save command to store the settings in the ZyXEL Device (you must do this in order to record logs).
  • Page 328: Log Command Example

    • Use the sys logs clear command to erase all of the ZyXEL Device’s logs. Log Command Example This example shows how to set the ZyXEL Device to record the access logs and alerts and then view the results. ras> sys logs load ras>...
  • Page 329: Figure 185 Peer-To-Peer Communication In An Ad-Hoc Network

    APPENDIX L Wireless LANs Wireless LAN Topologies This section discusses ad-hoc and infrastructure wireless LAN topologies. Ad-hoc Wireless LAN Configuration The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless adapters (A, B, C).
  • Page 330: Figure 186 Basic Service Set

    Figure 186 Basic Service Set An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS).
  • Page 331: Figure 187 Infrastructure Wlan

    Figure 187 Infrastructure WLAN Channel A channel is the radio frequency(ies) used by IEEE 802.11a/b/g wireless devices. Channels available depend on your geographical area. You may have a choice of channels (for your region) so you should use a different channel than an adjacent AP (access point) to reduce interference.
  • Page 332: Figure 188 Rts/Cts

    Figure 188 RTS/CTS When station A sends data to the AP, it might not know that the station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations.
  • Page 333: Table 150 Ieee 802.11G

    A large Fragmentation Threshold is recommended for networks not prone to interference while you should set a smaller threshold for busy networks or networks that are prone to interference. If the Fragmentation Threshold value is smaller than the RTS/CTS value (see previously) you set then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size.
  • Page 334: Table 151 Wireless Security Levels

    Wi-Fi Protected Access (WPA) Most Secure WPA2 Note: You must enable the same wireless security settings on the ZyXEL Device and on all wireless clients that you want to associate with it. IEEE 802.1x In June 2001, the IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to support extended authentication as well as providing additional accounting and control features.
  • Page 335: Radius

    RADIUS RADIUS is based on a client-server model that supports authentication, authorization and accounting. The access point is the client and the server is the RADIUS server. The RADIUS server handles the following tasks: • Authentication Determines the identity of the users.
  • Page 336: Types Of Authentication

    In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password, they both know. The key is not sent over the network. In addition to the shared key, password information exchanged is also encrypted to protect the network from unauthorized access.
  • Page 337: Table 152 Comparison Of Eap Authentication Types

    PEAP (Protected EAP) Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection, then use simple username and password methods through the secured connection to authenticate the clients, thus hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication.
  • Page 338: Wpa And Wpa2

    WPA and WPA2 Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA. Key differences between WPA or WPA2 and WEP are improved data encryption and user authentication.
  • Page 339: Wireless Client Wpa Supplicants

    By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism (MIC), with TKIP and AES it is more difficult to decrypt data on a Wi-Fi network than WEP and difficult for an intruder to break into the network.
  • Page 340: Figure 189 Wpa(2) With Radius Application Example

    3 The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system, using the pair-wise key to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients.
  • Page 341: Figure 190 Wpa(2)-Psk Authentication

    Figure 190 WPA(2)-PSK Authentication Security Parameters Summary Refer to this table to see what other security parameters you should configure for each Authentication Method/ key management protocol type. MAC address filters are not dependent on how you configure these security features.
  • Page 342 Appendix L Wireless LANs...
  • Page 343: Figure 191 Pop-Up Blocker

    APPENDIX M Pop-up Windows, JavaScripts and Java Permissions In order to use the web configurator you need to allow: • Web browser pop-up windows from your device. • JavaScripts (enabled by default).
  • Page 344: Figure 192 Internet Options

    Figure 192 Internet Options 3 Click Apply to save this setting. Enable pop-up Blockers with Exceptions Alternatively, if you only want to allow pop-up windows from your device, see the following steps. 1 In Internet Explorer, select Tools, Internet Options and then the Privacy tab.
  • Page 345: Figure 193 Internet Options

    Figure 193 Internet Options 3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix “http://”. For example, http://192.168.1.1. 4 Click Add to move the IP address to the list of Allowed sites.
  • Page 346: Figure 194 Pop-Up Blocker Settings

    Figure 194 Pop-up Blocker Settings 5 Click Close to return to the Privacy screen. 6 Click Apply to save this setting. JavaScripts If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed.
  • Page 347: Figure 195 Internet Options

    Figure 195 Internet Options 2 Click the Custom Level... button. 3 Scroll down to Scripting. 4 Under Active scripting make sure that Enable is selected (the default). 5 Under Scripting of Java applets make sure that Enable is selected (the default).
  • Page 348: Figure 196 Security Settings - Java Scripting

    Figure 196 Security Settings - Java Scripting Java Permissions 1 From Internet Explorer, click Tools, Internet Options and then the Security tab. 2 Click the Custom Level... button. 3 Scroll down to Microsoft VM. 4 Under Java permissions make sure that a safety level is selected.
  • Page 349: Figure 197 Security Settings - Java

    Figure 197 Security Settings - Java JAVA (Sun) 1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab. 2 Make sure that Use Java 2 for <applet> under Java (Sun) is selected. 3 Click OK to close the window.
  • Page 350: Figure 198 Java (Sun)

    Figure 198 Java (Sun) Appendix M Pop-up Windows, JavaScripts and Java Permissions...
  • Page 351: Figure 199 Ideal Setup

    APPENDIX Triangle Route The Ideal Setup When the firewall is on, your Prestige acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the Prestige to protect your LAN against attacks.
  • Page 352: Figure 200 "Triangle Route" Problem

    Figure 200 “Triangle Route” Problem The “Triangle Route” Solutions This section presents you two solutions to the “triangle route” problem. IP Aliasing IP alias allows you to partition your network into logical sections over the same Ethernet interface.

This manual is also suitable for:

P-660hw, P-660hw-d series