ZyXEL Communications P660HW-DX V2 - V3.40 User Manual

802.11g wireless adsl2+ 4-port gateway
P-660HW-Dx v2
802.11g Wireless ADSL2+ 4-port Gateway
User's Guide
Version 3.40
3/2007
Edition 2
www.zyxel.com


Summary of Contents for ZyXEL Communications P660HW-DX V2 - V3.40

  • Page 1 P-660HW-Dx v2 802.11g Wireless ADSL2+ 4-port Gateway User’s Guide Version 3.40 3/2007 Edition 2 www.zyxel.com...
  • Page 3: About This User's Guide

    About This User's Guide About This User's Guide Intended Audience This manual is intended for people who want to configure the ZyXEL Device using the web configurator. You should have at least a basic knowledge of TCP/IP networking concepts and topology.
  • Page 4: Document Conventions

    Syntax Conventions • The P-660HW-D may be referred to as the “ZyXEL Device”, the “device” or the “system” in this User’s Guide. • Product labels, screen names, field labels and field choices are all in bold font.
  • Page 5 Document Conventions Icons Used in Figures Figures in this User’s Guide may use the following generic icons. The ZyXEL Device icon is not an exact representation of your device. ZyXEL Device Computer Notebook computer Server DSLAM Firewall Telephone Switch Router...
  • Page 6: Safety Warnings

    Safety Warnings Safety Warnings For your safety, be sure to read and follow all warning notices and instructions. • Do NOT use this product near water, for example, in a wet basement or near a swimming pool. • Do NOT expose your device to dampness, dust or corrosive liquids. •...
  • Page 9: Table Of Contents

    Contents Overview: Introduction (31); Introducing the ZyXEL Device (33); Introducing the Web Configurator (39); Wizards (51); Wizard Setup for Internet Access (53); Bandwidth Management Wizard (67); Network (73); WAN Setup (75); LAN Setup ...
  • Page 11: Table Of Contents

    Introducing the ZyXEL Device (33); 1.1 Overview (33); 1.2 Ways to Manage the ZyXEL Device (35); 1.3 Good Habits for Managing the ZyXEL Device (35); 1.4 LEDs (35); 1.5 Hardware Connections (36); 1.5.1 Splitters and Microfilters (36); Chapter 2 Introducing the Web Configurator ...
  • Page 12 Table of Contents: 2.4.6 Status: Packet Statistics (48); 2.4.7 Changing Login Password (50); Part II: Wizards (51); Chapter 3 Wizard Setup for Internet Access (53); 3.1 Introduction (53); 3.2 Internet Access Wizard Setup (53); 3.2.1 Automatic Detection (55); 3.2.2 Manual Configuration ...
  • Page 13 5.8 Configuring WAN Backup (89); Chapter 6 LAN Setup (93); 6.1 LAN Overview (93); 6.1.1 LANs, WANs and the ZyXEL Device (93); 6.1.2 DHCP Setup (94); 6.1.3 DNS Server Address (94); 6.1.4 DNS Server Address Assignment (94); 6.2 LAN TCP/IP ...
  • Page 14 9.2.1 Packet Filtering Firewalls (143); 9.2.2 Application-level Firewalls (144); 9.2.3 Stateful Inspection Firewalls (144); 9.3 Introduction to ZyXEL’s Firewall (144); 9.3.1 Denial of Service Attacks (145); 9.4 Denial of Service (145); 9.4.1 Basics (145) ...
  • Page 15 9.4.2 Types of DoS Attacks (146); 9.5 Stateful Inspection (148); 9.5.1 Stateful Inspection Process (149); 9.5.2 Stateful Inspection and the ZyXEL Device (150); 9.5.3 TCP Security (150); 9.5.4 UDP/ICMP Security (151); 9.5.5 Upper Layer Protocols (151); 9.6 Guidelines for Enhancing Security with Your Firewall ...
  • Page 16 Table of Contents: Part V: Advanced (181); Chapter 12 Static Route (183); 12.1 Static Route (183); 12.2 Configuring Static Route (183); 12.2.1 Static Route Edit (184); Chapter 13 Bandwidth Management (187); 13.1 Bandwidth Management Overview (187); 13.2 Application-based Bandwidth Management ...
  • Page 17 16.1.1 How do I know if I'm using UPnP? (213); 16.1.2 NAT Traversal (213); 16.1.3 Cautions with UPnP (213); 16.2 UPnP and ZyXEL (214); 16.2.1 Configuring UPnP (214); 16.3 Installing UPnP in Windows Example (215); 16.3.1 Installing UPnP in Windows Me ...
  • Page 18 Chapter 21 Troubleshooting (259); 21.1 Power, Hardware Connections, and LEDs (259); 21.2 ZyXEL Device Access and Login (260); 21.3 Internet Access (261); Part VII: Appendices and Index (263); Appendix A Product Specifications and Wall Mounting (265); Appendix B Wireless LANs ...
  • Page 19 Table of Contents: Index (351)
  • Page 21: List Of Figures

    Figure 4 Connecting a POTS Splitter (37); Figure 5 Connecting a Microfilter (37); Figure 6 Connecting a Microfilter and Y-Connector (38); Figure 7 ZyXEL Device with ISDN (38); Figure 8 Password Screen (40); Figure 9 User status screen (40); Figure 10 Change Password at Login ...
  • Page 22 List of Figures: Figure 39 Wizard: Welcome (69); Figure 40 Bandwidth Management Wizard: General Information (69); Figure 41 Bandwidth Management Wizard: Configuration (70); Figure 42 Bandwidth Management Wizard: Complete (71); Figure 43 Example of Traffic Shaping (79); Figure 44 Internet Connection (PPPoE) ...
  • Page 23 List of Figures: Figure 82 Port Forwarding Rule Setup (137); Figure 83 Address Mapping Rules (138); Figure 84 Edit Address Mapping Rule (139); Figure 85 Firewall Application (145); Figure 86 Three-Way Handshake (146); Figure 87 SYN Flood (147); Figure 88 Smurf Attack ...
  • Page 24 List of Figures: Figure 125 Add/Remove Programs: Windows Setup: Communication: Components (216); Figure 126 Network Connections (216); Figure 127 Windows Optional Networking Components Wizard (217); Figure 128 Networking Services (217); Figure 129 Network Connections (218); Figure 130 Internet Connection Properties ...
  • Page 25 List of Figures: Figure 168 Windows XP: Local Area Connection Properties (290); Figure 169 Windows XP: Internet Protocol (TCP/IP) Properties (291); Figure 170 Windows XP: Advanced TCP/IP Properties (292); Figure 171 Windows XP: Internet Protocol (TCP/IP) Properties (293); Figure 172 Macintosh OS 8/9: Apple Menu ...
  • Page 27: List Of Tables

    List of Tables: Table 1 ADSL Standards (34); Table 2 Front Panel LEDs (36); Table 3 Web Configurator Screens Summary (43); Table 4 Status Screen (45); Table 5 Status: Any IP Table (47); Table 6 Status: WLAN Status ...
  • Page 28 List of Tables: Table 39 MAC Address Filter (121); Table 40 WMM QoS Priorities (122); Table 41 Commonly Used Services (123); Table 42 Wireless Lan: QoS (125); Table 43 Application Priority Configuration (126); Table 44 NAT Definitions (129); Table 45 NAT Mapping Types ...
  • Page 29 List of Tables: Table 82 Remote Management: WWW (205); Table 83 Remote Management: Telnet (206); Table 84 Remote Management: FTP (207); Table 85 SNMP Traps (209); Table 86 Remote Management: SNMP (210); Table 87 Remote Management: DNS (211); Table 88 Remote Management: ICMP ...
  • Page 30 List of Tables: Table 125 IP Address Network Number and Host ID Example (302); Table 126 Subnet Masks (303); Table 127 Maximum Host Numbers (303); Table 128 Alternative Subnet Mask Notation (303); Table 129 Subnet 1 (305); Table 130 Subnet 2 ...
  • Page 31: Introduction

    Introduction Introducing the ZyXEL Device (33) Introducing the Web Configurator (39)
  • Page 33: Introducing The Zyxel Device

    Internet access over analog (POTS), digital (ISDN) telephone lines (depending on your model) or by wireless. In the ZyXEL Device product name, “H” denotes an integrated 4-port switch (hub) and “W” denotes an included wireless LAN card that provides wireless connectivity. D MEANS WHAT? See the Product Specifications appendix for a full list of features.
  • Page 34: Figure 1 Protected Internet Access Applications

    Chapter 1 Introducing the ZyXEL Device Figure 1 Protected Internet Access Applications You can also use the ZyXEL Device to connect two geographically dispersed networks over the ADSL line. A typical LAN-to-LAN application example is shown as follows. Figure 2 LAN-to-LAN Application Example The ZyXEL Device is compatible with the ADSL/ADSL2/ADSL2+ standards.
  • Page 35: Ways To Manage The Zyxel Device

    1.3 Good Habits for Managing the ZyXEL Device Do the following things regularly to make the ZyXEL Device more secure and to manage the ZyXEL Device more effectively. • Change the password. Use a password that’s not easy to guess and that consists of different types of characters, such as numbers and letters.
  • Page 36: Hardware Connections

    Blinking The ZyXEL Device is sending/receiving data. The LAN is not connected. WLAN Green The ZyXEL Device is ready, but is not sending/receiving data through the wireless LAN. Blinking The ZyXEL Device is sending/receiving data through the wireless LAN. The wireless LAN is not ready or has failed.
  • Page 37: Figure 4 Connecting A Pots Splitter

    Figure 4 Connecting a POTS Splitter 1 Connect the side labeled “Phone” to your telephone. 2 Connect the side labeled “Modem” or “DSL” to your ZyXEL Device. 3 Connect the side labeled “Line” to the telephone wall jack. 1.5.1.2 Telephone Microfilters Telephone voice transmissions take place in the lower frequency range, 0 - 4KHz, while ADSL transmissions take place in the higher bandwidth range, above 4KHz.
  • Page 38: Figure 6 Connecting A Microfilter And Y-Connector

    2 Connect a cable from the double jack end of the Y-Connector to the “wall side” of the microfilter. 3 Connect another cable from the double jack end of the Y-Connector to the ZyXEL Device. 4 Connect the “phone side” of the microfilter to your telephone as shown in the following figure.
  • Page 39: Introducing The Web Configurator

    LAN port for initial configuration. 1 Make sure your ZyXEL Device hardware is properly connected (refer to the Quick Start Guide). 2 Prepare your computer/computer network to connect to the ZyXEL Device (refer to the Quick Start Guide).
  • Page 40: User Access

    Chapter 2 Introducing the Web Configurator 5 A window displays as shown. Figure 8 Password Screen 2.2.1 User Access 1 For user access enter the default user password user to view the status only. The following window will appear. Figure 9 User status screen 2.2.2 Administrator Access 1 For administrator access enter the default admin password 1234 to configure the wizards and the advanced features.
  • Page 41: Figure 10 Change Password At Login

    Figure 11 Select a Mode The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires (default five minutes). Simply log back into the ZyXEL Device if this happens. P-660HW-Dx v2 User’s Guide...
  • Page 42: Resetting The Zyxel Device

    If you forget your password or cannot access the web configurator, you will need to use the RESET button at the back of the ZyXEL Device to reload the factory-default configuration file. This means that you will lose all configurations that you had previously and the password will be reset to “1234”.
  • Page 43: Table 3 Web Configurator Screens Summary

    Use this screen to block sites containing certain keywords in the URL. Schedule Use this screen to set the days and times for the ZyXEL Device to perform content filtering. Trusted Use this screen to exclude a range of users on the LAN from content filtering on your ZyXEL Device.
  • Page 44: Status Screen

    This screen contains administrative and system-related information and also allows you to change your password. Time Setting Use this screen to change your ZyXEL Device’s time and date. Logs View Log Use this screen to view the logs for the categories that you selected.
  • Page 45: Figure 13 Status Screen

    MAC Address This is the MAC (Media Access Control) or Ethernet address unique to your ZyXEL Device. ZyNOS Firmware Version This is the ZyNOS firmware version and the date created. ZyNOS is ZyXEL's proprietary Network Operating System design. DSL Firmware This is the DSL firmware version associated with your ZyXEL Device.
  • Page 46 Network Operating System) and is thus available for running processes like NAT, VPN and the firewall. The bar displays what percent of the ZyXEL Device's heap memory is in use. The bar turns from green to red when the maximum is being approached.
  • Page 47: Status: Any Ip Table

    Click the Any IP Table hyperlink in the Status screen. The Any IP table shows current read- only information (including the IP address and the MAC address) of all network devices that use the Any IP feature to communicate with the ZyXEL Device. Figure 14 Status: Any IP Table The following table describes the labels in this screen.
  • Page 48: Status: Bandwidth Status

    MAC Address This field displays the MAC (Media Access Control) address of an associated wireless station. Association Time This field displays the time a wireless station first associated with the ZyXEL Device. Refresh Click Refresh to reload this screen. 2.4.5 Status: Bandwidth Status Click the Bandwidth Status hyperlink in the Status screen.
  • Page 49: Figure 17 Status: Packet Statistics

    System Monitor System up Time This is the elapsed time the system has been up. Current Date/Time This field displays your ZyXEL Device’s present date and time. CPU Usage This field specifies the percentage of CPU utilization. Memory Usage This field specifies the percentage of memory utilization.
  • Page 50: Changing Login Password

    Click this button to halt the refreshing of the system statistics. 2.4.7 Changing Login Password It is highly recommended that you periodically change the password for accessing the ZyXEL Device. If you didn’t change the default one after you logged in or you want to change to a new password again, then click Maintenance >...
  • Page 51: Wizards

    Wizards Wizard Setup for Internet Access (53) Bandwidth Management Wizard (67)
  • Page 53: Wizard Setup For Internet Access

    Chapter 3 Wizard Setup for Internet Access This chapter provides information on the Wizard Setup screens for Internet access in the web configurator. 3.1 Introduction Use the wizard setup screens to configure your system for Internet access with the information given to you by your ISP.
  • Page 54: Figure 20 Wizard: Welcome

    Figure 21 on page 54), check your hardware connections and click Restart the Internet/ Wireless Setup Wizard to have the ZyXEL Device detect your connection again. Figure 21 Auto Detection: No DSL Connection If the wizard still cannot detect a connection type and the following screen appears (see...
  • Page 55: Automatic Detection

    Figure 23 Auto-Detection: PPPoE 3.2.2 Manual Configuration 1 If the ZyXEL Device fails to detect your DSL connection type, enter the Internet access information given to you by your ISP exactly in the wizard screen. If not given, leave the fields set to the default.
  • Page 56: Figure 24 Internet Access Wizard Setup: Isp Parameters

    Chapter 3 Wizard Setup for Internet Access Figure 24 Internet Access Wizard Setup: ISP Parameters The following table describes the fields in this screen. Table 8 Internet Access Wizard Setup: ISP Parameters LABEL DESCRIPTION Mode From the Mode drop-down list box, select Routing (default) if your ISP allows multiple computers to share an Internet account.
  • Page 57: Figure 25 Internet Connection With Pppoe

    Back Click Back to go back to the previous wizard screen. Apply Click Apply to save your changes to the ZyXEL Device. Exit Click Exit to close the wizard screen without saving your changes. Figure 26 Internet Connection with RFC 1483 The following table describes the fields in this screen.
  • Page 58: Figure 27 Internet Connection With Enet Encap

    As above. Server Back Click Back to go back to the previous wizard screen. Apply Click Apply to save your changes to the ZyXEL Device. Exit Click Exit to close the wizard screen without saving your changes. P-660HW-Dx v2 User’s Guide...
  • Page 59: Figure 28 Internet Connection With Pppoa

    Back Click Back to go back to the previous wizard screen. Apply Click Apply to save your changes to the ZyXEL Device. Exit Click Exit to close the wizard screen without saving your changes. • If the user name and/or password you entered for PPPoE or PPPoA connection are not correct, the screen displays as shown next.
  • Page 60: Wireless Connection Wizard Setup

    Chapter 3 Wizard Setup for Internet Access Figure 30 Connection Test Failed-2. 3.3 Wireless Connection Wizard Setup After you configure the Internet access information, use the following screens to set up your wireless LAN. 1 Select Yes and click Next to configure wireless settings. Otherwise, select No and skip to Step 6.
  • Page 61: Figure 32 Wireless Lan Setup Wizard 1

    Select the check box to turn on the wireless LAN. Enable OTIST Select the check box to enable OTIST if you want to transfer your ZyXEL Device’s SSID and WPA-PSK security settings to wireless clients that support OTIST and are within transmission range.
  • Page 62: Figure 33 Wireless Lan Setup Wizard 2

    Name(SSID) Enter a descriptive name (up to 32 printable 7-bit ASCII characters) for the wireless LAN. If you change this field on the ZyXEL Device, make sure all wireless stations use the same SSID in order to access the network. Channel The range of radio frequencies used by IEEE 802.11b/g wireless devices is called a...
  • Page 63: Manually Assign A Wpa-Psk Key

    Chapter 3 Wizard Setup for Internet Access The wireless stations and ZyXEL Device must use the same SSID, channel ID and WEP encryption key (if WEP is enabled), WPA-PSK (if WPA-PSK is enabled) for wireless communication. 4 This screen varies depending on the security mode you selected in the previous screen.
  • Page 64: Figure 35 Manually Assign A Wep Key

    LABEL DESCRIPTION The WEP keys are used to encrypt data. Both the ZyXEL Device and the wireless stations must use the same WEP key for data transmission. Enter any 5, 13 or 29 ASCII characters or 10, 26 or 58 hexadecimal characters ("0-9", "A-F") for a 64-bit, 128-bit or 256-bit WEP key respectively.
  • Page 65: Figure 37 Internet Access And Wlan Wizard Setup Complete

    Click Finish to complete and save the wizard setup. Figure 37 Internet Access and WLAN Wizard Setup Complete 7 Launch your web browser and navigate to www.zyxel.com. Internet access is just the beginning. Refer to the rest of this guide for more detailed information on the complete range of ZyXEL Device features.
  • Page 67: Bandwidth Management Wizard

    Bandwidth management allows you to control the amount of bandwidth going out through the ZyXEL Device’s WAN port and prioritize the distribution of the bandwidth according to service bandwidth requirements. This helps keep one service from using all of the available bandwidth and shutting out other users.
  • Page 68: Bandwidth Management Wizard Setup

    Chapter 4 Bandwidth Management Wizard Table 17 Media Bandwidth Management Setup: Services (continued) SERVICE DESCRIPTION NetMeeting (H.323) A multimedia communications product from Microsoft that enables groups to teleconference and videoconference over the Internet. NetMeeting supports VoIP, text chat sessions, a whiteboard, file transfers and application sharing. NetMeeting uses H.323.
  • Page 69: Figure 39 Wizard: Welcome

    Table 18 Bandwidth Management Wizard: General Information LABEL DESCRIPTION Active Select the Active check box to have the ZyXEL Device apply bandwidth management to traffic going out through the ZyXEL Device’s port(s). Select Services Setup to allocate bandwidth based on the service requirements. Back Click Back to display the previous screen.
  • Page 70: Figure 41 Bandwidth Management Wizard: Configuration

    These fields display the services names. Priority Select High, Mid or Low priority for each service to have your ZyXEL Device use a priority for traffic that matches that service. A service with High priority is given as much bandwidth as it needs.
  • Page 71: Figure 42 Bandwidth Management Wizard: Complete

    LABEL DESCRIPTION Apply Click Apply to save your changes to the ZyXEL Device. Exit Click Exit to close the wizard screen without saving your changes. 5 Follow the on-screen instructions and click Finish to complete the wizard setup and save your configuration.
  • Page 73: Network

    Network WAN Setup (75) LAN Setup (93) Wireless LAN (105) Network Address Translation (NAT) Screens (129)
  • Page 75: Wan Setup

    5.1 WAN Overview A WAN (Wide Area Network) is an outside connection to another network or the Internet. 5.1.1 Encapsulation Be sure to use the encapsulation method required by your ISP. The ZyXEL Device supports the following methods. 5.1.1.1 ENET ENCAP The MAC Encapsulated Routing Link Protocol (ENET ENCAP) is only implemented with the IP network protocol.
  • Page 76: Multiplexing

    PPPoA stands for Point to Point Protocol over ATM Adaptation Layer 5 (AAL5). A PPPoA connection functions like a dial-up Internet connection. The ZyXEL Device encapsulates the PPP session based on RFC1483 and sends it through an ATM PVC (Permanent Virtual Circuit) to the Internet Service Provider’s (ISP) DSLAM (digital access multiplexer).
  • Page 77: Vpi And Vci

    The ZyXEL Device does two things when you specify a nailed-up connection. The first is that idle timeout is disabled. The second is that the ZyXEL Device will try to bring up the connection when turned on and whenever the connection is down. A nailed-up connection can be very expensive for obvious reasons.
  • Page 78: Nat

    "1" and "15"; a number greater than "15" means the link is down. The smaller the number, the lower the "cost". The metric sets the priority for the ZyXEL Device’s routes to the Internet. If any two of the default routes have the same metric, the ZyXEL Device uses the following pre-defined priorities: •...
  • Page 79: Atm Traffic Classes

    Chapter 5 WAN Setup Sustained Cell Rate (SCR) is the mean cell rate of each bursty traffic source. It specifies the maximum average rate at which cells can be sent over the virtual connection. SCR may not be greater than the PCR. Maximum Burst Size (MBS) is the maximum number of cells that can be sent at the PCR.
  • Page 80: Zero Configuration Internet Access

    An example application is background file transfer. 5.4 Zero Configuration Internet Access Once you turn on and connect the ZyXEL Device to a telephone jack, it automatically detects the Internet connection settings (such as the VCI/VPI numbers and the encapsulation method) from the ISP and makes the necessary configuration changes.
  • Page 81: Figure 44 Internet Connection (Pppoe)

    Chapter 5 WAN Setup Figure 44 Internet Connection (PPPoE) The following table describes the labels in this screen. Table 20 Internet Connection LABEL DESCRIPTION General Name Enter the name of your Internet Service Provider, e.g., MyISP. This information is for identification purposes only. Mode Select Routing (default) from the drop-down list box if your ISP allows multiple computers to share an Internet account.
  • Page 82: Configuring Advanced Internet Connection Setup

    Nailed-Up Connection Select Nailed-Up Connection when you want your connection up all the time. The ZyXEL Device will try to bring up the connection automatically if it is disconnected. Connect on Demand Select Connect on Demand when you don't want the connection up all the time and specify an idle time-out in the Max Idle Timeout field.
  • Page 83: Figure 45 Advanced Internet Connection Setup

    Select the RIP version from RIP-1, RIP-2B and RIP-2M. Multicast IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a multicast group. The ZyXEL Device supports both IGMP version 1 (IGMP-v1) and IGMP-v2. Select None to disable it. ATM QoS...
  • Page 84: Configuring More Connections

    LAN to use PPPoE client software on their computers to connect to the ISP via the ZyXEL Device. Each host can have a separate account and a public WAN IP address.
  • Page 85: More Connections Edit

    Chapter 5 WAN Setup The following table describes the labels in this screen. Table 22 More Connections LABEL DESCRIPTION This is the index number of a connection. Active This displays whether this connection is activated. Clear the check box to disable the connection.
  • Page 86: Figure 47 More Connections Edit

    Select Routing from the drop-down list box if your ISP allows multiple computers to share an Internet account. If you select Bridge, the ZyXEL Device will forward any packet that it does not route to this remote node; otherwise, the packets are discarded.
  • Page 87 Nailed-Up Connection Select Nailed-Up Connection when you want your connection up all the time. The ZyXEL Device will try to bring up the connection automatically if it is disconnected. Connect on Demand Select Connect on Demand when you don't want the connection up all the time and specify an idle time-out in the Max Idle Timeout field.
  • Page 88: Configuring More Connections Advanced Setup

    Chapter 5 WAN Setup 5.6.2 Configuring More Connections Advanced Setup To edit your ZyXEL Device's advanced WAN settings, click the Advanced Setup button in the More Connections Edit screen. The screen appears as shown. Figure 48 More Connections Advanced Setup The following table describes the labels in this screen.
  • Page 89: Traffic Redirect

    LAN. Use IP alias to configure the LAN into two or three logical networks with the ZyXEL Device itself as the gateway for each LAN network. Put the protected LAN in one subnet (Subnet 1 in the following figure) and the backup gateway in another subnet (Subnet 2).
  • Page 90: Figure 51 Wan Backup Setup

    Select the method that the ZyXEL Device uses to check the DSL connection. Select DSL Link to have the ZyXEL Device check if the connection to the DSLAM is up. Select ICMP to have the ZyXEL Device periodically ping the IP addresses configured in the Check WAN IP Address fields.
  • Page 91 DESCRIPTION Timeout Type the number of seconds (3 recommended) for your ZyXEL Device to wait for a ping response from one of the IP addresses in the Check WAN IP Address field before timing out the request. The WAN connection is considered "down" after the ZyXEL Device times out the number of times specified in the Fail Tolerance field.
  • Page 93: Lan Setup

    6.1.1 LANs, WANs and the ZyXEL Device The actual physical connection determines whether the ZyXEL Device ports are LAN or WAN ports. There are two separate IP networks, one inside the LAN network and the other outside the WAN network as shown next.
  • Page 94: Dhcp Setup

    If the Primary and Secondary DNS Server fields in the DHCP Setup screen are not specified, for instance, left as 0.0.0.0, the ZyXEL Device tells the DHCP clients that it itself is the DNS server. When a computer sends a DNS query to the ZyXEL Device, the ZyXEL Device forwards the query to the real DNS server learned through IPCP and relays the response back to the computer.
  • Page 95: Lan Tcp/Ip

    If your ISP gives you DNS server addresses, enter them in the DNS Server fields in the DHCP Setup screen. • The ZyXEL Device acts as a DNS proxy when the Primary and Secondary DNS Server fields are left as 0.0.0.0 in the DHCP Setup screen.
  • Page 96: Rip Setup

    • Both - the ZyXEL Device will broadcast its routing table periodically and incorporate the RIP information that it receives. • In Only - the ZyXEL Device will not send any RIP packets but will accept all RIP packets received.
  • Page 97: Any Ip

    Traditionally, you must set the IP addresses and the subnet masks of a computer and the ZyXEL Device to be in the same subnet to allow the computer to access the Internet (through the ZyXEL Device). In cases where your computer is required to use a static IP address in another network, you may need to manually configure the network settings of the computer every time you want to access the Internet via the ZyXEL Device.
  • Page 98: Configuring Lan Ip

    Media Access Control or MAC address, on the local area network. IP routing table is defined on IP Ethernet devices (the ZyXEL Device) to decide which hop to use, to help forward data along to its specified destination.
  • Page 99: Configuring Advanced Lan Setup

    Click this button to display the Advanced LAN Setup screen and edit more details of your LAN setup. 6.3.1 Configuring Advanced LAN Setup To edit your ZyXEL Device's advanced LAN settings, click the Advanced Setup button in the LAN IP screen. The screen appears as shown. Figure 55 Advanced LAN Setup The following table describes the labels in this screen.
  • Page 100: Dhcp Setup

    Cancel Click Cancel to begin configuring this screen afresh. 6.4 DHCP Setup Use this screen to configure the DNS server information that the ZyXEL Device sends to the DHCP client devices on the LAN. Figure 56 DHCP Setup P-660HW-Dx v2 User’s Guide...
  • Page 101: Lan Client List

    DHCP clients along with the IP address and the subnet mask. If the fields are left as 0.0.0.0, the ZyXEL Device acts as a DNS proxy and forwards the DHCP client’s DNS query to the real DNS server learned through IPCP and relays the response back to the computer.
  • Page 102: Lan Ip Alias

    IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The ZyXEL Device supports three logical LAN interfaces via its single physical Ethernet interface with the ZyXEL Device itself as the gateway for each LAN network.
  • Page 103: Figure 58 Physical Network & Partitioned Logical Networks

    The following figure shows a LAN divided into subnets A, B, and C. Figure 58 Physical Network & Partitioned Logical Networks To change your ZyXEL Device’s IP alias settings, click Network > LAN > IP Alias. The screen appears as shown.
  • Page 104: Table 30 Lan Ip Alias

    RIP packets. Select the RIP direction from None/ Both/In Only/Out Only. When set to Both or Out Only, the ZyXEL Device will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives;...
  • Page 105: Wireless Lan

    The wireless network is the part in the blue circle. In this wireless network, devices A and B are called wireless clients. The wireless clients use the access point (AP) to interact with other devices (such as the printer) or with the Internet. Your ZyXEL Device is the AP. Every wireless network must follow these basic guidelines.
  • Page 106: Wireless Security Overview

    Chapter 7 Wireless LAN • Every wireless client in the same wireless network must use security compatible with the Security stops unauthorized devices from using the wireless network. It can also protect the information that is sent in the wireless network. 7.2 Wireless Security Overview The following sections introduce different types of wireless security you can set up in the wireless network.
  • Page 107: Encryption

    • In a RADIUS server: this is a server used in businesses more than in homes. If your AP does not provide a local user database and if you do not have a RADIUS server, you cannot set up user names and passwords for your users. Unauthorized devices can still see the information that is sent in the wireless network, even if they cannot use the wireless network.
  • Page 108: One-Touch Intelligent Security Technology (Otist)

    With ZyXEL’s OTIST, you set up the SSID and WPA-PSK on the ZyXEL Device. Then, the ZyXEL Device transfers them to the devices in the wireless networks. As a result, you do not have to set up the SSID and encryption on every device in the wireless network.
  • Page 109: No Security

    Select No Security to allow wireless clients to communicate with the access points without any data encryption. If you do not enable any wireless security on your ZyXEL Device, your network is accessible to any wireless networking device that is within range.
  • Page 110: Wep Encryption

    Both the wireless clients and the access points must use the same WEP key. Your ZyXEL Device allows you to configure up to four 64-bit, 128-bit or 256-bit WEP keys but only one key can be enabled at any one time.
  • Page 111: Wpa-Psk/Wpa2-Psk

    ZyXEL Device automatically generates a WEP key. WEP Key The WEP keys are used to encrypt data. Both the ZyXEL Device and the wireless clients must use the same WEP key for data transmission. If you want to manually set the WEP key, enter any 5, 13 or 29 characters (ASCII string) or 10, 26 or 58 hexadecimal characters ("0-9", "A-F") for a 64-bit, 128-bit or...
  • Page 112: Figure 64 Wireless: Wpa-Psk/Wpa2-Psk

    This check box is available only when you select WPA2-PSK or WPA2 in the Security Mode field. Select the check box to have both WPA2 and WPA wireless clients be able to communicate with the ZyXEL Device even when the ZyXEL Device is using WPA2-PSK or WPA2. Pre-Shared Key The encryption mechanisms used for WPA/WPA2 and WPA-PSK/WPA2-PSK are the same.
  • Page 113: Wpa/Wpa2

    LABEL DESCRIPTION Idle Timeout (In Seconds) The ZyXEL Device automatically disconnects a wireless station from the wireless network after a period of inactivity. The wireless station needs to send the username and password again before it can use the wireless network again.
  • Page 114: Figure 65 Wireless: Wpa/Wpa2

    This check box is available only when you select WPA2-PSK or WPA2 in the Security Mode field. Select the check box to have both WPA2 and WPA wireless clients be able to communicate with the ZyXEL Device even when the ZyXEL Device is using WPA2-PSK or WPA2. ReAuthentication...
  • Page 115: Wireless Lan Advanced Setup

    Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external authentication server and the ZyXEL Device. The key must be the same on the external authentication server and your ZyXEL Device. The key is not sent over the network.
  • Page 116: Figure 66 Advanced

    256 and 2432. Output Power Set the output power of the ZyXEL Device in this field. This control changes the strength of the ZyXEL Device's antenna gain or transmission power. Antenna gain is the increase in coverage. Higher antenna gain improves the range of the signal for better communications.
  • Page 117: Otist

    Table 37 Wireless LAN: Advanced (continued) LABEL DESCRIPTION Apply Click Apply to save your changes to the ZyXEL Device. Cancel Click Cancel to reload the previous configuration for this screen. 7.4 OTIST In a wireless network, the wireless clients must have the same SSID and security settings as the access point (AP) or wireless router (we will refer to both as “AP”...
  • Page 118: Figure 67 Otist

    ZyXEL Device. You must also activate and start OTIST on the wireless client(s) all within three minutes. 7.4.1.2 Wireless Client Start the ZyXEL utility and click the Adapter tab. Select the OTIST check box, enter the same Setup Key as your AP’s and click Save.
  • Page 119: Starting Otist

    Figure 68 Example Wireless Client OTIST Screen 7.4.2 Starting OTIST You must click Start in the AP OTIST web configurator screen and in the wireless client(s) Adapter screen all within three minutes (at the time of writing). You can start OTIST in the wireless clients and AP in any order but they must all be within range and have OTIST enabled.
  • Page 120: Notes On Otist

    Figure 71 OTIST in progress (Client) In the wireless client, you see this screen if it can’t find an OTIST-enabled AP (with the same Setup key). Click OK to go back to the ZyXEL utility main screen. Figure 72 No AP with OTIST Found •...
  • Page 121: Mac Filter

    7.5 MAC Filter The MAC filter screen allows you to configure the ZyXEL Device to give exclusive access to up to 32 devices (Allow) or exclude up to 32 devices from accessing the ZyXEL Device (Deny). Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.
  • Page 122: Wmm Qos

    Address Enter the MAC addresses of the wireless clients that are allowed or denied access to the ZyXEL Device in these address fields. Enter the MAC addresses in a valid MAC address format, that is, six hexadecimal character pairs, for example, 12:34:56:78:9a:bc.
  • Page 123: Services

    A popular videoconferencing solution from White Pines Software. 24032) DNS(UDP/TCP:53) Domain Name Server, a service that matches web names (e.g. www.zyxel.com) to IP numbers. FINGER(TCP:79) Finger is a UNIX or Internet related command that can be used to find out if a user is logged on.
  • Page 124: Qos Screen

    Table 41 Commonly Used Services (continued) SERVICE DESCRIPTION PING(ICMP:0) Packet INternet Groper is a protocol that sends out ICMP echo requests to test whether or not a remote host is reachable. POP3(TCP:110) Post Office Protocol version 3 lets a client computer get e-mail from a POP3 server through a temporary connection (TCP/IP or other).
  • Page 125: Tos (Type Of Service) And Wmm Qos

    LABEL DESCRIPTION Enable WMM QoS Select the check box to enable WMM QoS on the ZyXEL Device. WMM QoS Policy Select Default to have the ZyXEL Device automatically give a service a priority level according to the ToS value in the IP header of packets it sends.
  • Page 126: Application Priority Configuration

    Application Priority Configuration screen. Click the Remove icon to delete an application entry. Apply Click Apply to save your changes back to the ZyXEL Device. Cancel Click Cancel to reload the previous configuration for this screen. 7.7.2 Application Priority Configuration To edit a WMM QoS application entry, click the edit icon under Modify.
  • Page 127 Priority Select a priority from the drop-down list box. Apply Click Apply to save your changes back to the ZyXEL Device. Cancel Click Cancel to return to the previous screen without saving your changes.
  • Page 129: Network Address Translation (Nat) Screens

    IP address known within another network. 8.1.1 NAT Definitions Inside/outside denotes where a host is located relative to the ZyXEL Device, for example, the computers of your subscribers are the inside hosts, while the web servers on the Internet are the outside hosts.
  • Page 130: What Nat Does

    Many-to-One and Many-to-Many Overload NAT mapping) in each packet and then forwards it to the Internet. The ZyXEL Device keeps track of the original addresses and port numbers so incoming reply packets can have their original values restored. The following figure illustrates this.
  • Page 131: Nat Mapping Types

    8.1.5 NAT Mapping Types NAT supports five types of IP/port mapping. They are: • One to One: In One-to-One mode, the ZyXEL Device maps one local IP address to one global IP address. • Many to One: In Many-to-One mode, the ZyXEL Device maps multiple local IP addresses to one global IP address.
  • Page 132: Sua (Single User Account) Versus Nat

    When the ZyXEL Device registers with the SIP register server, the SIP ALG translates the ZyXEL Device’s private IP address inside the SIP data stream to a public IP address. You do not need to use STUN or an outbound proxy if your ZyXEL Device is behind a SIP ALG.
  • Page 133: Nat General Setup

    Address Translation (NAT) SUA Only Select this radio button if you have just one public WAN IP address for your ZyXEL Device. Full Feature Select this radio button if you have multiple public WAN IP addresses for your ZyXEL Device.
  • Page 134: Default Server Ip Address

    If you do not assign a Default Server IP address, the ZyXEL Device discards all packets received for ports that are not specified here or in the remote management setup.
  • Page 135: Configuring Servers Behind Port Forwarding (Example)

    The Port Forwarding screen is available only when you select SUA Only in the NAT > General screen. If you do not assign a Default Server IP address, the ZyXEL Device discards all packets received for ports that are not specified here or in the remote management setup.
  • Page 136: Port Forwarding Rule Edit

    If you do not assign a Default Server IP address, the ZyXEL Device discards all packets received for ports that are not specified here or in the remote management setup.
  • Page 137: Address Mapping

    The Address Mapping screen is available only when you select Full Feature in the NAT > General screen. Ordering your rules is important because the ZyXEL Device applies the rules in the order that you specify. When a rule matches the current packet, the ZyXEL Device takes the corresponding action and the remaining rules are ignored.
  • Page 138: Figure 83 Address Mapping Rules

    4, rules 5 to 7 will be pushed up by 1 rule, so old rules 5, 6 and 7 become new rules 4, 5 and 6. To change your ZyXEL Device’s address mapping settings, click Network > NAT > Address Mapping to open the following screen.
  • Page 139: Address Mapping Rule Edit

    One-to-one NAT mapping type. M-1: Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyXEL routers supported only.
  • Page 140: Table 51 Edit Address Mapping Rule

    • Many-to-One: Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyXEL routers supported only. • Many-to-Many Overload: Many-to-Many Overload mode maps multiple local IP addresses to shared global IP addresses.
  • Page 141: Security

    Security Firewalls (143) Firewall Configuration (155) Content Filtering (177) Certificates (145)
  • Page 143: Firewalls

    Chapter 9 Firewalls This chapter gives some background information on firewalls and introduces the ZyXEL Device firewall. 9.1 Firewall Overview Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another. The networking term “firewall” is a system or group of systems that enforces an access-control policy between two networks.
  • Page 144: Application-Level Firewalls

    The ZyXEL Device also has packet filtering capabilities. The ZyXEL Device is installed between the LAN and the Internet. This allows it to act as a secure gateway for all data passing between the Internet and the LAN.
  • Page 145: Denial Of Service Attacks

    Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources. The ZyXEL Device is pre-configured to automatically detect and thwart all known DoS attacks.
  • Page 146: Types Of Dos Attacks

    Chapter 9 Firewalls 9.4.2 Types of DoS Attacks There are four types of DoS attacks: 1 Those that exploit bugs in a TCP/IP implementation. 2 Those that exploit weaknesses in the TCP/IP specification. 3 Brute-force attacks that flood a network with useless data. 4 IP Spoofing.
  • Page 147: Figure 87 Syn Flood

    Figure 87 SYN Flood • In a LAND Attack, hackers flood SYN packets into the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself.
  • Page 148: Stateful Inspection

    To engage in IP spoofing, a hacker must modify the packet headers so that it appears that the packets originate from a trusted host and should be allowed through the router or firewall. The ZyXEL Device blocks all IP Spoofing attempts. 9.5 Stateful Inspection With stateful inspection, fields of the packets are compared to packets that are already known to be trusted.
  • Page 149: Stateful Inspection Process

    are allowed in. The ZyXEL Device uses stateful packet inspection to protect the private LAN from hackers and vandals on the Internet. By default, the ZyXEL Device’s stateful inspection allows all communications to the Internet that originate from the LAN, and blocks all traffic to the LAN that originates from the Internet.
  • Page 150: Stateful Inspection And The Zyxel Device

    Below is a brief technical description of how these connections are tracked. Connections may either be defined by the upper protocols (for instance, TCP), or by the ZyXEL Device itself (as with the "virtual connections" created for UDP and ICMP).
  • Page 151: Udp/Icmp Security

    IP addresses, TCP ports, sequence numbers, etc. When the ZyXEL Device receives any subsequent packet (from the Internet or from the LAN), its connection information is extracted and checked against the cache. A packet is only allowed to pass through if it corresponds to a valid connection (that is, if it is a response to a connection which originated on the LAN).
  • Page 152: Guidelines For Enhancing Security With Your Firewall

    9.6 Guidelines for Enhancing Security with Your Firewall • Change the default password via CLI (Command Line Interpreter) or web configurator. • Limit who can telnet into your router. • Don't enable any local service (such as SNMP or NTP) that you don't use. Any enabled service could present a potential security risk.
  • Page 153: Packet Filtering Vs Firewall

    9.7 Packet Filtering Vs Firewall Below are some comparisons between the ZyXEL Device’s filtering and firewall functions. 9.7.1 Packet Filtering: • The router filters packets as they pass through the router’s interface according to the filter rules you designed.
  • Page 154 • To selectively block/allow inbound or outbound traffic between inside host/networks and outside host/networks. Remember that filters cannot distinguish traffic originating from an inside host or an outside host by IP address. • The firewall performs better than filtering if you need to check many rules. •...
  • Page 155: Firewall Configuration

    10.1 Access Methods The web configurator is, by far, the most comprehensive firewall configuration tool your ZyXEL Device has to offer. For this reason, it is recommended that you configure your firewall using the web configurator. CLI (Command Line Interpreter) commands provide limited configuration options and are only recommended for advanced users.
  • Page 156: Rule Logic Overview

    These custom rules work by comparing the Source IP address, Destination IP address and IP protocol type of network traffic to rules set by the administrator. Your customized rules take precedence and override the ZyXEL Device’s default rules. 10.3 Rule Logic Overview Study these points carefully before configuring rules.
  • Page 157: Key Fields For Configuring Rules

    LAN to LAN/ Router and WAN to WAN/ Router rules apply to packets coming in on the associated interface (LAN or WAN respectively). LAN to LAN/ Router means policies for LAN-to-ZyXEL Device (the policies for managing the ZyXEL Device through the LAN interface) and policies for LAN-to-LAN (the policies that control routing between two subnets on the LAN).
  • Page 158: Lan To Wan Rules

    Chapter 10 Firewall Configuration 10.4.1 LAN to WAN Rules The default rule for LAN to WAN traffic is that all users on the LAN are allowed non-restricted access to the WAN. When you configure a LAN to WAN rule, you in essence want to limit some or all users from accessing certain services on the WAN.
  • Page 159: Firewall Rules Summary

    Denial of Service (DoS) attacks when the firewall is activated. Bypass Triangle Route Select this check box to have the ZyXEL Device firewall permit the use of triangle route topology on the network. See the appendix for more on triangle route topology.
  • Page 160: Figure 91 Firewall Rules

    Table 57 Firewall Rules LABEL DESCRIPTION Firewall Rules Storage Space in Use This read-only bar shows how much of the ZyXEL Device's memory for recording firewall rules it is currently using. When you are using 80% or less of the storage space, the bar is green.
  • Page 161: Configuring Firewall Rules

    The ordering of your rules is important as they are applied in order of their numbering. Apply Click Apply to save your changes to the ZyXEL Device. Cancel Click Cancel to begin configuring this screen afresh. 10.6.1 Configuring Firewall Rules Refer to Section 9.1 on page 143...
  • Page 162: Figure 92 Firewall: Edit Rule

    Figure 92 Firewall: Edit Rule
  • Page 163: Table 58 Firewall: Edit Rule

    Log Settings page and select the Access Control logs category to have the ZyXEL Device record these logs. Alert Send Alert Message to Administrator When Matched Select the check box to have the ZyXEL Device generate an alert when the rule is matched.
  • Page 164: Customized Services

    Click Cancel to exit this screen without saving. 10.6.2 Customized Services Configure customized services and port numbers not predefined by the ZyXEL Device. For a comprehensive list of port numbers and services, visit the IANA (Internet Assigned Number Authority) website. For further information on these services, please read Section 10.8 on page...
  • Page 165: Example Firewall Rule

    Refer to Section 9.1 on page 143 for more information. Figure 94 Firewall: Configure Customized Services The following table describes the labels in this screen. Table 60 Firewall: Configure Customized Services LABEL DESCRIPTION Service Name Type a unique name for your custom port. Service Type Choose the IP port (TCP, UDP or TCP/UDP) that defines your customized port from the drop down list box.
  • Page 166: Figure 95 Firewall Example: Rules

    Figure 95 Firewall Example: Rules 3 In the Rules screen, select the index number after which you want to add the rule. For example, if you select “6”, your new rule becomes number 7 and the previous rule 7 (if there is one) becomes rule 8.
  • Page 167: Figure 97 Firewall Example: Edit Rule: Destination Address

    Figure 97 Firewall Example: Edit Rule: Destination Address 9 Use the Add >> and Remove buttons between Available Services and Selected Services list boxes to configure it as follows. Click Apply when you are done. Custom services show up with an “*” before their names in the Services list box and the Rules list box.
  • Page 168: Figure 98 Firewall Example: Edit Rule: Select Customized Services

    Figure 98 Firewall Example: Edit Rule: Select Customized Services On completing the configuration procedure for this Internet firewall rule, the Rules screen should look like the following. Rule 1 allows a “MyService” connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN.
  • Page 169: Predefined Services

    Section 10.6.1 on page 161) displays all predefined services that the ZyXEL Device already supports. Next to the name of the service, two fields appear in brackets. The first field indicates the IP protocol type (TCP, UDP, or ICMP). The second field indicates the IP port number that defines the service. (Note that there may be more than one IP protocol type.
  • Page 170 Table 61 Predefined Services (continued) SERVICE DESCRIPTION HTTP(TCP:80) Hyper Text Transfer Protocol - a client/server protocol for the world wide web. HTTPS HTTPS is a secured http session often used in e-commerce. ICQ(UDP:4000) This is a popular Internet chat program. IPSEC_TRANSPORT/TUNNEL(AH:0) The IPSEC AH (Authentication Header) tunneling protocol uses this
  • Page 171: Anti-Probing

    Another videoconferencing solution. 10.9 Anti-Probing If an outside user attempts to probe an unsupported port on your ZyXEL Device, an ICMP response packet is automatically returned. This allows the outside user to know the ZyXEL Device exists. The ZyXEL Device supports anti-probing, which prevents the ICMP response packet from being sent.
  • Page 172: Dos Thresholds

    to Requests for Unauthorized Services Select this option to prevent hackers from finding the ZyXEL Device by probing for unused ports. If you select this option, the ZyXEL Device will not respond to port request(s) for unused ports, thus leaving the unused ports and the ZyXEL Device
  • Page 173: Half-Open Sessions

    • If the Blocking Time timeout is 0 (the default), then the ZyXEL Device deletes the oldest existing half-open session for the host for every new connection request to the host. This ensures that the number of half-open sessions to a given host will never exceed the threshold.
  • Page 174: Figure 101 Firewall: Threshold

    This is the rate of new half-open sessions that causes the firewall to stop deleting half-open sessions. The ZyXEL Device continues to delete half-open sessions as necessary, until the rate of new connection attempts drops below this number. (Adjacent table column: 80 existing half-open sessions.)
  • Page 175 TCP Maximum Incomplete is reached. Enter the length of blocking time in minutes (between 1 and 256). Apply Click Apply to save your changes to the ZyXEL Device. Cancel Click Cancel to begin configuring this screen afresh.
  • Page 177: Content Filtering

    Content filtering gives you the ability to block web sites that contain key words (that you specify) in the URL. You can set a schedule for when the ZyXEL Device performs content filtering. You can also specify trusted IP addresses on the LAN for which the ZyXEL Device will not perform content filtering.
  • Page 178: Configuring The Schedule

    Click Cancel to return to the previously saved settings. 11.3 Configuring the Schedule To set the days and times for the ZyXEL Device to perform content filtering, click Security > Content Filter > Schedule. The screen appears as shown. Figure 103 Content Filter: Schedule...
  • Page 179: Configuring Trusted Computers

    Click Cancel to return to the previously saved settings. 11.4 Configuring Trusted Computers To exclude a range of users on the LAN from content filtering on your ZyXEL Device, click Security > Content Filter > Trusted. The screen appears as shown.
  • Page 180 Chapter 11 Content Filtering
  • Page 181: Advanced

    Advanced Static Route (183) Bandwidth Management (187) Dynamic DNS Setup (199) Remote Management Configuration (203) Universal Plug-and-Play (UPnP) (213)
  • Page 183: Static Route

    Device knows about network N2 in the following figure through remote node Router 1. However, the ZyXEL Device is unable to route a packet to network N3 because it doesn't know that there is a route through the same remote node Router 1 (via gateway Router 2). The static routes are for you to tell the ZyXEL Device about the networks beyond the remote nodes.
  • Page 184: Static Route Edit

    Click the Edit icon to go to the screen where you can set up a static route on the ZyXEL Device. Click the Delete icon to remove a static route from the ZyXEL Device. A window displays asking you to confirm that you want to delete the route.
  • Page 185: Figure 107 Static Route Edit

    LAN or WAN port. The gateway helps forward packets to their destinations. Back Click Back to return to the previous screen without saving. Apply Click Apply to save your changes to the ZyXEL Device. Cancel Click Cancel to begin configuring this screen afresh.
  • Page 186 Chapter 12 Static Route
  • Page 187: Bandwidth Management

    (bandwidth budgets) to different bandwidth rules. The ZyXEL Device applies bandwidth management to traffic that it forwards out through an interface. The ZyXEL Device does not control the bandwidth of traffic that comes into an interface. Bandwidth management applies to all traffic flowing out of the router, regardless of the traffic's source.
  • Page 188: Application And Subnet-Based Bandwidth Management

    64 Kbps 64 Kbps 13.5 Scheduler The scheduler divides up an interface’s bandwidth among the bandwidth classes. The ZyXEL Device has two types of scheduler: fairness-based and priority-based. 13.5.1 Priority-based Scheduler With the priority-based scheduler, the ZyXEL Device forwards traffic from bandwidth classes according to the priorities that you assign to the bandwidth classes.
  • Page 189: Fairness-Based Scheduler

    192). 13.6.2 Maximize Bandwidth Usage Example Here is an example of a ZyXEL Device that has maximize bandwidth usage enabled on an interface. The following table shows each bandwidth class’s bandwidth budget. The classes are set up based on subnets. The interface is set to 10240 kbps. Each subnet is allocated 2048 kbps.
  • Page 190: Table 71 Priority-Based Allotment Of Unused And Unbudgeted Bandwidth Example

    • The sales and marketing departments are first to get extra bandwidth because they have the highest priority (6). If they each require 1536 kbps or more of extra bandwidth, the ZyXEL Device divides the total 3072 kbps of unbudgeted and unused bandwidth equally between the sales and marketing departments (1536 kbps extra to each for a total of 3584 kbps for each) because they both have the highest priority level.
  • Page 191: Bandwidth Management Priorities

    Chapter 13 Bandwidth Management 13.6.3 Bandwidth Management Priorities The following table describes the priorities that you can apply to traffic that the ZyXEL Device forwards out through an interface. Table 73 Bandwidth Management Priorities PRIORITY LEVELS: TRAFFIC WITH A HIGHER PRIORITY GETS THROUGH FASTER WHILE TRAFFIC WITH A LOWER PRIORITY IS DROPPED IF THE NETWORK IS CONGESTED.
  • Page 192: Bandwidth Management Rule Setup

    You can also set this number lower than the interface’s actual transmission speed. If you do not enable Max Bandwidth Usage, this will cause the ZyXEL Device to not use some of the interface’s available bandwidth. Scheduler Select either Priority-Based or Fairness-Based from the drop-down menu to control the traffic flow.
  • Page 193: Figure 110 Bandwidth Management: Rule Setup

    Click the Edit icon to go to the screen where you can edit the rule. Click the Remove icon to delete an existing rule. Apply Click Apply to save your changes to the ZyXEL Device. Cancel Click Cancel to begin configuring this screen afresh.
  • Page 194: Diffserv

    13.10 DiffServ DiffServ is a class of service (CoS) model that marks packets so that they receive specific per-hop treatment at DiffServ-compliant network devices along the route based on the application types and traffic flow. Packets are marked with DiffServ Code Points (DSCPs) indicating the level of service desired.
  • Page 195: Figure 112 Bandwidth Management Rule Configuration

    LABEL DESCRIPTION Rule Configuration Active Select this check box to have the ZyXEL Device apply this bandwidth management rule. Enable a bandwidth management rule to give traffic that matches the rule priority over traffic that does not match the rule.
  • Page 196 Table 78 Bandwidth Management Rule Configuration (continued) LABEL DESCRIPTION DiffServ mark Select the marking rule from the drop-down list. The first three digits are the DiffServ code point. A packet with the lowest priority mark will be dropped when the line is busy.
  • Page 197: Bandwidth Monitor

    1723 13.11 Bandwidth Monitor To view the ZyXEL Device’s bandwidth usage and allotments, click Advanced > Bandwidth MGMT > Monitor. The screen appears as shown. Select an interface from the drop-down list box to view the bandwidth usage of its bandwidth rules. The gray section of the bar represents the percentage of unused bandwidth and the blue color represents the percentage of bandwidth in use.
  • Page 198: Figure 113 Bandwidth Management: Monitor

    Figure 113 Bandwidth Management: Monitor Table 80 Bandwidth Management Monitor LABEL DESCRIPTION Monitor This section allows you to select which network to monitor. You may select either a LAN, WLAN, or WAN. After selecting a network to monitor, information on active services and their bandwidth usage will appear.
  • Page 199: Dynamic Dns Setup

    Chapter 14 Dynamic DNS Setup This chapter discusses how to configure your ZyXEL Device to use Dynamic DNS. 14.1 Dynamic DNS Overview Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.).
  • Page 200: Figure 114 Dynamic Dns

    Type Select the type of service that you are registered for from your Dynamic DNS service provider. Host Name Type the domain name assigned to your ZyXEL Device by your Dynamic DNS provider. You can specify up to two host names in the field separated by a comma (","). User Name Type your user name.
  • Page 201 Table 81 Dynamic DNS (continued) LABEL DESCRIPTION Dynamic DNS Select this option only when there are one or more NAT routers between the ZyXEL server auto Device and the DDNS server. This feature has the DDNS server automatically detect IP detect and use the IP address of the NAT router that has a public IP address.
  • Page 203: Remote Management Configuration

    To disable remote management of a service, select Disable in the corresponding Access Status field. You may only have one remote management session running at a time. The ZyXEL Device automatically disconnects a remote management session of lower priority when another remote management session of higher priority starts.
  • Page 204: Remote Management Limitations

    There is a default system management idle timeout of five minutes (three hundred seconds). The ZyXEL Device automatically logs you out if the management session remains idle for longer than this timeout period. The management session does not time out when a statistics screen is polling.
  • Page 205: Telnet

    15.3 Telnet You can configure your ZyXEL Device for remote Telnet access as shown next. The administrator uses Telnet from a computer on a remote network to access the ZyXEL Device. Figure 116 Telnet Configuration on a TCP/IP Network 15.4 Configuring Telnet Click Advanced >...
  • Page 206: Telnet Login

    Use the following steps to Telnet into your ZyXEL Device’s command interpreter. If your computer is connected to the ZyXEL Device over the Internet, skip to the next step. Make sure your computer IP address and the ZyXEL Device IP address are on the same subnet.
  • Page 207: Configuring Ftp

    FTP, please see the chapter on firmware and configuration file maintenance for details. To use this feature, your computer must have an FTP client. To change your ZyXEL Device’s FTP settings, click Advanced > Remote MGMT > FTP tab. The screen appears as shown.
  • Page 208: Figure 119 Snmp Management Model

    An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyXEL Device). An agent translates the local management information from the managed device into a form compatible with SNMP.
  • Page 209: Supported Mibs

    Chapter 15 Remote Management Configuration 15.7.1 Supported MIBs The ZyXEL Device supports MIB II that is defined in RFC-1213 and RFC-1215. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance. 15.7.2 SNMP Traps...
  • Page 210: Configuring Dns

    To change your ZyXEL Device’s DNS settings, click Advanced > Remote MGMT > DNS. The screen appears as shown. Use this screen to set from which IP address the ZyXEL Device will accept DNS queries and on which interface it can send them your ZyXEL Device’s DNS settings.
  • Page 211: Configuring Icmp

    To change your ZyXEL Device’s security settings, click Advanced > Remote MGMT > ICMP. The screen appears as shown. If an outside user attempts to probe an unsupported port on your ZyXEL Device, an ICMP response packet is automatically returned. This allows the outside user to know the ZyXEL Device exists.
  • Page 212: Figure 122 Remote Management: Icmp

    ... requests for unauthorized services: Select this option to prevent hackers from finding the ZyXEL Device by probing for unused ports. If you select this option, the ZyXEL Device will not respond to port request(s) for unused ports, thus leaving the unused ports and the ZyXEL Device unseen.
  • Page 213: Universal Plug-And-Play (Upnp)

    Chapter 16 Universal Plug-and-Play (UPnP) This chapter introduces the UPnP feature in the web configurator. 16.1 Introducing Universal Plug and Play Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities and learn about other devices on the network.
  • Page 214: Upnp And Zyxel

    You must have IIS (Internet Information Services) enabled on the Windows web server for UPnP to work. 16.2 UPnP and ZyXEL ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum UPnP™ Implementers Corp. (UIC). ZyXEL's UPnP implementation supports IGD 1.0 (Internet Gateway Device).
  • Page 215: Installing Upnp In Windows Example

    Clear this check box to have the firewall block all UPnP application packets (for example, MSN packets). Apply: Click Apply to save the setting to the ZyXEL Device. Cancel: Click Cancel to return to the previously saved settings. 16.3 Installing UPnP in Windows Example This section shows how to install UPnP in Windows Me and Windows XP.
  • Page 216: Installing Upnp In Windows Xp

    Chapter 16 Universal Plug-and-Play (UPnP) Figure 125 Add/Remove Programs: Windows Setup: Communication: Components 4 Click OK to go back to the Add/Remove Programs Properties window and click Next. 5 Restart the computer when prompted. 16.3.2 Installing UPnP in Windows XP Follow the steps below to install the UPnP in Windows XP.
  • Page 217: Using Upnp In Windows Xp Example

    16.4 Using UPnP in Windows XP Example This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the ZyXEL Device.
  • Page 218: Auto-Discover Your Upnp-Enabled Network Device

    Make sure the computer is connected to a LAN port of the ZyXEL Device. Turn on your computer and the ZyXEL Device. 16.4.1 Auto-discover Your UPnP-enabled Network Device 1 Click start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway.
  • Page 219: Figure 130 Internet Connection Properties

    Figure 130 Internet Connection Properties 4 You may edit or delete the port mappings or click Add to manually add port mappings. Figure 131 Internet Connection Properties: Advanced Settings
  • Page 220: Figure 132 Internet Connection Properties: Advanced Settings: Add

    Figure 132 Internet Connection Properties: Advanced Settings: Add When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically. 5 Select Show icon in notification area when connected option and click OK. An icon displays in the system tray.
  • Page 221: Web Configurator Easy Access

    16.4.2 Web Configurator Easy Access With UPnP, you can access the web-based configurator on the ZyXEL Device without finding out the IP address of the ZyXEL Device first. This is helpful if you do not know the IP address of the ZyXEL Device.
  • Page 222: Figure 135 Network Connections

    Figure 135 Network Connections 4 An icon with the description for each UPnP-enabled device displays under Local Network. 5 Right-click on the icon for your ZyXEL Device and select Invoke. The web configurator login screen displays.
  • Page 223: Figure 136 Network Connections: My Network Places

    Figure 136 Network Connections: My Network Places 6 Right-click on the icon for your ZyXEL Device and select Properties. A properties window displays with basic information about the ZyXEL Device. Figure 137 Network Connections: My Network Places: Properties: Example...
  • Page 225: Maintenance And Troubleshooting

    Maintenance and Troubleshooting System (227) Logs (233) Tools (251) Diagnostic (257) Troubleshooting (259)
  • Page 227: System

    The Domain Name entry is what is propagated to the DHCP clients on the LAN. If you leave this blank, the domain name obtained by DHCP from the ISP is used. While you must enter the host name (System Name), the domain name can be assigned from the ZyXEL Device via DHCP.
  • Page 228: Figure 138 System General Setup

    (not recommended). Password. User Password: If you log in with the user password, you can only view the ZyXEL Device status. The default user password is user. New Password: Type your new system password (up to 30 characters). Note that as you type a password, the screen displays a (*) for each character you type.
  • Page 229: Time Setting

    17.2 Time Setting To change your ZyXEL Device’s time and date, click Maintenance > System > Time Setting. The screen appears as shown. Use this screen to configure the ZyXEL Device’s time based on your local time zone. Figure 139 System Time Setting...
  • Page 230: Table 91 System Time Setting

    When you set Time and Date Setup to Manual, enter the new date in this field and then click Apply. Get from Time Server: Select this radio button to have the ZyXEL Device get the time and date from the time server you specified below.
  • Page 231 In Germany for instance, you would type 2 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1). Apply Click Apply to save your changes to the ZyXEL Device. Cancel Click Cancel to begin configuring this screen afresh.
  • Page 233: Logs

    The web configurator allows you to choose which categories of events and/or alerts to have the ZyXEL Device log and then display the logs or have the ZyXEL Device send them to an administrator (as e-mail) or to a syslog server.
  • Page 234: Configuring Log Settings

    This field displays additional information about the log entry. 18.3 Configuring Log Settings Use the Log Settings screen to configure where the ZyXEL Device sends logs, the schedule for when the ZyXEL Device sends the logs, and which logs and/or immediate alerts the ZyXEL Device records.
  • Page 235: Figure 141 Log Settings

    ZyXEL Device sends. Not all ZyXEL models have this field. Send Log To: The ZyXEL Device sends logs to the e-mail address specified in this field. If this field is left blank, the ZyXEL Device does not send logs via e-mail.
  • Page 236: Example E-Mail Log

    ... Sending Log: Enter the time of the day in 24-hour format (for example 23:00 equals 11:00 pm) to send the logs. Clear log after sending mail: Select the checkbox to delete all the logs after the ZyXEL Device sends an E-mail of the logs. Syslog Logging: The ZyXEL Device sends a log to an external syslog server.
  • Page 237: Log Descriptions

    Chapter 18 Logs Figure 142 E-mail Log Example Subject: Firewall Alert From xxxxx Date: Fri, 07 Apr 2000 10:05:42 From: user@zyxel.com user@zyxel.com 1|Apr 7 00 |From:192.168.1.1 To:192.168.1.255 |default policy |forward | 09:54:03 |UDP src port:00520 dest port:00520 |<1,00> 2|Apr 7 00 |From:192.168.1.131 To:192.168.1.255...
  • Page 238: Table 95 System Error Logs

    Table 94 System Maintenance Logs (continued)
    Log message: Starting Connectivity Monitor
    Description: Starting Connectivity Monitor.
    Log message: Time initialized by Daytime Server
    Description: The router got the time and date from the Daytime server.
    Log message: Time initialized by Time server
    Description: The router got the time and date from the time server.
    Description: The router got the time and date from the NTP server.
  • Page 239: Table 97 Tcp Reset Logs

    Table 96 Access Control Logs (continued)
    Log message: Triangle route packet forwarded: [TCP | UDP | IGMP | ESP | GRE | OSPF]
    Description: The firewall allowed a triangle route session to pass through.
    Log message: Packet without a NAT table entry
    Description: The router blocked a packet that didn't have a corresponding NAT table entry.
  • Page 240: Table 99 Icmp Logs

    Table 99 ICMP Logs
    Log message: Firewall default policy: ICMP <Packet Direction>, <type:%d>,
    Description: ICMP access matched the default policy and was blocked or forwarded according to the user's setting. For type and code details, see Table 110 on page 248.
  • Page 241: Table 102 Upnp Logs

    Log message: DNS resolving failed
    Description: The ZyXEL Device cannot get the IP address of the external content filtering via DNS query.
    Log message: Creating socket failed
    Description: The ZyXEL Device cannot issue a query because TCP/IP socket creation failed, port:port number.
    Description: The connection to the external content filtering server failed.
  • Page 242: Table 104 Attack Logs

    Table 104 Attack Logs
    Log message: attack [TCP | UDP | IGMP | ESP | GRE | OSPF]
    Description: The firewall detected a TCP/UDP/IGMP/ESP/GRE/OSPF attack.
    Log message: attack ICMP (type:%d,
    Description: The firewall detected an ICMP attack. For type and code details, see Table 110 on page 248.
  • Page 243: Table 106 Ike Logs

    Table 105 IPSec Logs (continued)
    Log message: Rule <%d> idle time out, disconnect
    Description: The router dropped a connection that had outbound traffic and no inbound traffic for a certain time period. You can use the "ipsec timer chk_conn"...
  • Page 244 Table 106 IKE Logs (continued)
    Log message: Recv <packet>
    Description: IKE uses ISAKMP to transmit data. Each ISAKMP packet contains many different types of payloads. All of them show in the LOG. Refer to RFC2408 – ISAKMP for a list of all ISAKMP payload types.
  • Page 245 Table 106 IKE Logs (continued)
    Log message: Rule [%d] Phase 1 authentication method mismatch
    Description: The listed rule’s IKE phase 1 authentication method did not match between the router and the peer.
    Log message: Rule [%d] Phase 1 key group
    Description: The listed rule’s IKE phase 1 key group did not match between the router and the peer.
  • Page 246: Table 107 Pki Logs

    Table 107 PKI Logs
    Log message: Enrollment successful
    Description: The SCEP online certificate enrollment was successful. The Destination field records the certification authority server IP address and port.
    Log message: Enrollment failed
    Description: The SCEP online certificate enrollment failed. The Destination field records the certification authority server’s IP address and port.
  • Page 247: Table 108 Certificate Path Verification Failure Reason Codes

    ... ZyXEL Device: ACL set for packets traveling from the LAN to the LAN or the ZyXEL Device. (W to W) WAN to WAN/ZyXEL Device: ACL set for packets traveling from the WAN to the WAN or the ZyXEL Device.
  • Page 248: Table 110 Icmp Notes

    Table 110 ICMP Notes
    TYPE CODE DESCRIPTION
    Echo Reply: Echo reply message
    Destination Unreachable: Net unreachable; Host unreachable; Protocol unreachable; Port unreachable; A packet that needed fragmentation was dropped because it was set to Don't Fragment (DF); Source route failed
    Source Quench: A gateway may discard internet datagrams if it does not have the buffer space
  • Page 249: Table 111 Syslog Logs

    Table 111 Syslog Logs
    Log message: <Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>"...
    Description: "This message is sent by the system ("RAS" displays as the system name if you haven’t configured one) when the router generates a syslog. The facility is defined in the web
  • Page 251: Tools

    ZyXEL Device. 19.1 Firmware Upgrade Find firmware at www.zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example, "ZyXEL Device.bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes. After a successful upload, the system will reboot.
  • Page 252: Figure 144 Firmware Upload In Progress

    Click Upload to begin the upload process. This process may take up to two minutes. Do NOT turn off the ZyXEL Device while firmware upload is in progress! After you see the Firmware Upload in Progress screen, wait two minutes before logging into the ZyXEL Device again.
  • Page 253: Configuration Screen

    Backup configuration allows you to back up (save) the ZyXEL Device’s current configuration to a file on your computer. Once your ZyXEL Device is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes.
  • Page 254: Restore Configuration

    If you uploaded the default configuration file you may need to change the IP address of your computer to be in the same subnet as that of the default ZyXEL Device IP address (192.168.1.1). See the appendix for details on how to set up your computer’s IP address.
  • Page 255: Back To Factory Defaults

    19.3 Restart System restart allows you to reboot the ZyXEL Device without turning the power off. Click Maintenance > Tools > Restart. Click Restart to have the ZyXEL Device reboot. This does not affect the ZyXEL Device's configuration. Figure 151 Restart Screen...
  • Page 257: Diagnostic

    Chapter 20 Diagnostic These read-only screens display information to help you identify problems with the ZyXEL Device. 20.1 General Diagnostic Click Maintenance > Diagnostic to open the screen shown next. Figure 152 Diagnostic: General The following table describes the fields in this screen.
  • Page 258: Figure 153 Diagnostic: Dsl Line

    ... Test: Click this button to start the ATM loopback test. Make sure you have configured at least one PVC with proper VPIs/VCIs before you begin this test. The ZyXEL Device sends an OAM F5 packet to the DSLAM/ATM switch and then returns it (loops it back) to the ZyXEL Device.
  • Page 259: Troubleshooting

    2 Make sure you are using the power adaptor or cord included with the ZyXEL Device. 3 Make sure the power adaptor or cord is connected to the ZyXEL Device and plugged in to an appropriate power source. Make sure the power source is turned on.
  • Page 260: Zyxel Device Access And Login

    To do this in most Windows computers, click Start > Run, enter cmd, and then enter ipconfig. The IP address of the Default Gateway might be the IP address of the ZyXEL Device (it depends on the network), so enter this IP address in your Internet browser.
  • Page 261: Internet Access

    Chapter 21 Troubleshooting 5 Reset the device to its factory defaults, and try to access the ZyXEL Device with the default IP address. See Section 2.3 on page 6 If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions.
  • Page 262 5 If the problem continues, contact your ISP. I cannot access the Internet anymore. I had access to the Internet (with the ZyXEL Device), but my Internet connection is not available anymore. 1 Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.4 on page...
  • Page 263: Appendices And Index

    Appendices and Index Product Specifications and Wall Mounting (265) Wireless LANs (271) Setting up Your Computer’s IP Address (285) IP Addresses and Subnetting (301) Firewall Commands (311) Internal SPTGEN (317) Command Interpreter (331) Pop-up Windows, JavaScripts and Java Permissions (333) NetBIOS Filter Commands (339) Splitters and Microfilters (341) Triangle Route (341)
  • Page 265: Appendix A Product Specifications And Wall Mounting

    ZyXEL Device. Firmware Upgrade Download new firmware (when available) from the ZyXEL web site and use the web configurator, an FTP or a TFTP tool to put it on the ZyXEL Device. Note: Only upload firmware for your specific model!
  • Page 266 Table 118 Firmware Specifications FEATURE DESCRIPTION Configuration Backup & Restoration: Make a copy of the ZyXEL Device’s configuration. You can put it back on the ZyXEL Device later if you decide to revert back to an earlier configuration. Network Address Each computer on your network must have its own unique IP address.
  • Page 267: Table 119 Wireless Firmware Specifications

    Instead, WPA(2)-PSK uses pre-shared keys (PSKs) to authenticate devices on the wireless network. Output Power Management This allows you to alter the level of power used by the ZyXEL Device. For example, when access points are placed closely together power output levels may be reduced.
  • Page 268 Appendix A Product Specifications and Wall Mounting Table 120 Standards Supported (continued) STANDARD: DESCRIPTION. RFC 1305: Network Time Protocol (NTP version 3); RFC 1441: SNMPv2 Simple Network Management Protocol version 2; RFC 1483: Multiprotocol Encapsulation over ATM Adaptation Layer 5; RFC 1631: IP Network Address Translator (NAT); RFC 1661...
  • Page 269: Figure 154 Wall-Mounting Example

    5 Make sure the screws are snugly fastened to the wall. They need to hold the weight of the ZyXEL Device with the connection cables. 6 Align the holes on the back of the ZyXEL Device with the screws on the wall. Hang the ZyXEL Device on the screws.
  • Page 270: Figure 155 Masonry Plug And M4 Tap Screw

    Figure 155 Masonry Plug and M4 Tap Screw
  • Page 271: Appendix B Wireless Lans

    Appendix B Wireless LANs Wireless LAN Topologies This section discusses ad-hoc and infrastructure wireless LAN topologies. Ad-hoc Wireless LAN Configuration The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless adapters (A, B, C). Any time two or more wireless adapters are within range of each other, they can set up an independent network, which is commonly referred to as an ad-hoc network or Independent Basic Service Set (IBSS).
  • Page 272: Figure 157 Basic Service Set

    Figure 157 Basic Service Set An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS). This type of wireless LAN topology is called an Infrastructure WLAN.
  • Page 273: Figure 158 Infrastructure Wlan

    Figure 158 Infrastructure WLAN Channel A channel is the radio frequency(ies) used by wireless devices to transmit and receive data. Channels available depend on your geographical area. You may have a choice of channels (for your region) so you should use a channel different from an adjacent AP (access point) to reduce interference.
  • Page 274: Figure 159 Rts/Cts

    Figure 159 RTS/CTS When station A sends data to the AP, it might not know that the station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations.
  • Page 275: Table 121 Ieee 802.11G

    Use the dynamic setting to automatically use short preamble when all wireless devices on the network support it, otherwise the ZyXEL Device uses long preamble. The wireless devices MUST use the same preamble mode in order to communicate.
  • Page 276: Table 122 Wireless Security Levels

    Wireless security methods available on the ZyXEL Device are data encryption, wireless client authentication, restricting access by device MAC address and hiding the ZyXEL Device identity. The following figure shows the relative effectiveness of these wireless security methods available on your ZyXEL Device.
  • Page 277: Types Of Radius Messages

    Determines the network services available to authenticated users once they are connected to the network. • Accounting Keeps track of the client’s network activity. RADIUS is a simple package exchange in which your AP acts as a message relay between the wireless client and the network RADIUS server.
  • Page 278 For EAP-TLS authentication type, you must first have a wired connection to the network and obtain the certificate(s) from a certificate authority (CA). A certificate (also called digital IDs) can be used to authenticate users and a CA issues certificates and guarantees the identity of each certificate owner.
  • Page 279: Table 123 Comparison Of Eap Authentication Types

    Dynamic WEP Key Exchange The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed. If this feature is enabled, it is not necessary to configure a default encryption key in the wireless security configuration screen.
  • Page 280 Encryption Both WPA and WPA2 improve data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x. WPA and WPA2 use Advanced Encryption Standard (AES) in the Counter mode with Cipher block chaining Message authentication code Protocol (CCMP) to offer stronger encryption than TKIP.
  • Page 281: Wireless Client Wpa Supplicants

    Wireless Client WPA Supplicants A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicant is the WPA patch for Windows XP, Funk Software's Odyssey client.
  • Page 282: Figure 161 Wpa(2)-Psk Authentication

    3 The AP and wireless clients generate a common PMK (Pairwise Master Key). The key itself is not sent over the network, but is derived from the PSK and the SSID. 4 The AP and wireless clients use the TKIP or AES encryption process, the PMK and information exchanged in a handshake to create temporal encryption keys.
  • Page 283: Antenna Characteristics

    Antenna Overview An antenna couples RF signals onto air. A transmitter within a wireless device sends an RF signal to the antenna, which propagates the signal through the air. The antenna also operates in reverse by capturing RF signals from the air. Positioning the antennas properly increases the range and coverage area of a wireless LAN.
  • Page 284: Positioning Antennas

    Positioning Antennas In general, antennas should be mounted as high as practically possible and free of obstructions. In point-to–point application, position both antennas at the same height and in a direct line of sight to each other to attain the best performance. For omni-directional antennas mounted on a table, desk, and so on, point the antenna up.
  • Page 285: Appendix C Setting Up Your Computer's Ip Address

    After the appropriate TCP/IP components are installed, configure the TCP/IP settings in order to "communicate" with your network. If you manually assign IP information instead of using dynamic assignment, make sure that your computers have IP addresses that place them in the same subnet as the ZyXEL Device’s LAN port. Windows 95/98/Me Click Start, Settings, Control Panel and double-click the Network icon to open the Network window.
  • Page 286: Figure 162 Windows 95/98/Me: Network: Configuration

    Appendix C Setting up Your Computer’s IP Address Figure 162 Windows 95/98/Me: Network: Configuration Installing Components The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the adapter: 1 In the Network window, click Add.
  • Page 287: Figure 163 Windows 95/98/Me: Tcp/Ip Properties: Ip Address

    Configuring 1 In the Network window Configuration tab, select your network adapter's TCP/IP entry and click Properties 2 Click the IP Address tab. • If your IP address is dynamic, select Obtain an IP address automatically. •...
  • Page 288: Figure 164 Windows 95/98/Me: Tcp/Ip Properties: Dns Configuration

    5 Click OK to save and close the TCP/IP Properties window. 6 Click OK to close the Network window. Insert the Windows CD if prompted. 7 Turn on your ZyXEL Device and restart your computer when prompted. Verifying Settings 1 Click Start and then Run.
  • Page 289: Figure 165 Windows Xp: Start Menu

    Figure 165 Windows XP: Start Menu 2 In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT). Figure 166 Windows XP: Control Panel 3 Right-click Local Area Connection and then click Properties.
  • Page 290: Figure 167 Windows Xp: Control Panel: Network Connections: Properties

    Figure 167 Windows XP: Control Panel: Network Connections: Properties 4 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and then click Properties. Figure 168 Windows XP: Local Area Connection Properties 5 The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP).
  • Page 291: Figure 169 Windows Xp: Internet Protocol (Tcp/Ip) Properties

    Figure 169 Windows XP: Internet Protocol (TCP/IP) Properties 6 If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK. Do one or more of the following if you want to configure additional IP addresses: •...
  • Page 292: Figure 170 Windows Xp: Advanced Tcp/Ip Properties

    Figure 170 Windows XP: Advanced TCP/IP Properties 7 In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP): • Click Obtain DNS server address automatically if you do not know your DNS server IP address(es).
  • Page 293: Figure 171 Windows Xp: Internet Protocol (Tcp/Ip) Properties

    Properties window. 10 Close the Network Connections window (Network and Dial-up Connections in Windows 2000/NT). 11 Turn on your ZyXEL Device and restart your computer (if prompted). Verifying Settings 1 Click Start, All Programs, Accessories and then Command Prompt. 2 In the Command Prompt window, type "ipconfig" and then press [ENTER]. You can also open Network Connections, right-click a network connection, click Status and then click the Support tab.
  • Page 294: Figure 172 Macintosh Os 8/9: Apple Menu

    Figure 172 Macintosh OS 8/9: Apple Menu 2 Select Ethernet built-in from the Connect via list. Figure 173 Macintosh OS 8/9: TCP/IP 3 For dynamically assigned settings, select Using DHCP Server from the Configure: list. 4 For statically assigned settings, do the following: •...
  • Page 295: Figure 174 Macintosh Os X: Apple Menu

    • Type your IP address in the IP Address box. • Type your subnet mask in the Subnet mask box. • Type the IP address of your ZyXEL Device in the Router address box. 5 Close the TCP/IP Control Panel.
  • Page 296: Figure 175 Macintosh Os X: Network

    • Type your IP address in the IP Address box. • Type your subnet mask in the Subnet mask box. • Type the IP address of your ZyXEL Device in the Router address box. 5 Click Apply Now and close the window.
  • Page 297: Figure 176 Red Hat 9.0: Kde: Network Configuration: Devices

    Make sure you are logged in as the root administrator. Using the K Desktop Environment (KDE) Follow the steps below to configure your computer IP address using the KDE. 1 Click the Red Hat button (located on the bottom left corner), select System Setting and click Network.
  • Page 298: Figure 178 Red Hat 9.0: Kde: Network Configuration: Dns

    • If you have a dynamic IP address click Automatically obtain IP address settings with and select dhcp from the drop down list. • If you have a static IP address click Statically set IP Addresses and fill in the Address, Subnet mask, and Default Gateway Address fields.
  • Page 299: Figure 180 Red Hat 9.0: Dynamic Ip Address Setting In Ifconfig-Eth0

    Appendix C Setting up Your Computer’s IP Address Figure 180 Red Hat 9.0: Dynamic IP Address Setting in ifconfig-eth0 DEVICE=eth0 ONBOOT=yes BOOTPROTO=dhcp USERCTL=no PEERDNS=yes TYPE=Ethernet • If you have a static IP address, enter static in the BOOTPROTO= field. Type IPADDR= followed by the IP address (in dotted decimal notation) and type NETMASK...
  • Page 300: Figure 184 Red Hat 9.0: Checking Tcp/Ip Properties

    Appendix C Setting up Your Computer’s IP Address Verifying Settings Enter ifconfig in a terminal screen to check your TCP/IP properties. Figure 184 Red Hat 9.0: Checking TCP/IP Properties [root@localhost]# ifconfig eth0 Link encap:Ethernet HWaddr 00:50:BA:72:5B:44 inet addr:172.23.19.129 Bcast:172.23.19.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1...
  • Page 301: Appendix D Ip Addresses And Subnetting

    APPENDIX D IP Addresses and Subnetting This appendix introduces IP addresses and subnet masks. IP addresses identify individual devices on a network. Every networking device (including computers, servers, routers, printers, etc.) needs an IP address to communicate across the network.
  • Page 302: Figure 185 Network Number And Host Id

    Appendix D IP Addresses and Subnetting Figure 185 Network Number and Host ID How much of the IP address is the network number and how much is the host ID varies according to the subnet mask. Subnet Masks A subnet mask is used to determine which bits are part of the network number, and which bits are part of the host ID (using a logical AND operation).
  • Page 303: Table 126 Subnet Masks

    Appendix D IP Addresses and Subnetting Subnet masks are expressed in dotted decimal notation just like IP addresses. The following examples show the binary and decimal notation for 8-bit, 16-bit, 24-bit and 29-bit subnet masks. Table 126 Subnet Masks BINARY DECIMAL 4TH OCTET OCTET...
  • Page 304: Figure 186 Subnetting Example: Before Subnetting

    Appendix D IP Addresses and Subnetting Table 128 Alternative Subnet Mask Notation (continued) ALTERNATIVE LAST OCTET LAST OCTET SUBNET MASK NOTATION (BINARY) (DECIMAL) 255.255.255.192 1100 0000 255.255.255.224 1110 0000 255.255.255.240 1111 0000 255.255.255.248 1111 1000 255.255.255.252 1111 1100 Subnetting You can use subnetting to divide one network into multiple sub-networks. In the following example a network administrator creates two sub-networks to isolate a group of servers from the rest of the company network for security reasons.
  • Page 305: Figure 187 Subnetting Example: After Subnetting

    Appendix D IP Addresses and Subnetting Figure 187 Subnetting Example: After Subnetting In a 25-bit subnet the host ID has 7 bits, so each sub-network has a maximum of 2^7 – 2 or 126 possible hosts (a host ID of all zeroes is the subnet’s address itself, all ones is the subnet’s broadcast address).
  • Page 306: Table 130 Subnet 2

    Appendix D IP Addresses and Subnetting Table 130 Subnet 2 IP/SUBNET MASK NETWORK NUMBER LAST OCTET BIT VALUE IP Address 192.168.1. IP Address (Binary) 11000000.10101000.00000001. 01000000 Subnet Mask (Binary) 11111111.11111111.11111111. 11000000 Subnet Address: 192.168.1.64 Lowest Host ID: 192.168.1.65 Broadcast Address: 192.168.1.127 Highest Host ID: 192.168.1.126 Table 131 Subnet 3...
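The subnet mask arithmetic described in Appendix D (logical AND for the network number, 2^n – 2 usable hosts, the address ranges of Table 130), worked through as an added example that is not part of the ZyXEL manual. The function names and the sample host address 192.168.1.70 are assumptions made for illustration.

```python
import ipaddress


def to_int(dotted):
    """Convert dotted decimal notation to a 32-bit integer."""
    octets = [int(part) for part in dotted.split(".")]
    if len(octets) != 4 or any(o < 0 or o > 255 for o in octets):
        raise ValueError(f"not a dotted decimal IPv4 value: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value):
    """Convert a 32-bit integer back to dotted decimal notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_length(mask):
    """Count the network bits of a mask; reject masks with gaps in the ones."""
    inverted = ~to_int(mask) & 0xFFFFFFFF
    # A valid mask is a run of ones followed by zeros, so the inverted
    # mask plus one must be a power of two.
    if inverted & (inverted + 1):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return 32 - inverted.bit_length()


def describe_subnet(ip, mask):
    """Derive subnet address, host range and broadcast address from ip AND mask."""
    ip_i, mask_i = to_int(ip), to_int(mask)
    bits = prefix_length(mask)
    network = ip_i & mask_i                       # network number (logical AND)
    broadcast = network | (~mask_i & 0xFFFFFFFF)  # host ID of all ones
    usable = max((1 << (32 - bits)) - 2, 0)       # minus all-zeroes and all-ones
    return {
        "prefix": bits,
        "subnet": to_dotted(network),
        "lowest_host": to_dotted(network + 1) if usable else None,
        "highest_host": to_dotted(broadcast - 1) if usable else None,
        "broadcast": to_dotted(broadcast),
        "max_hosts": usable,
    }


def same_subnet(a, b, mask):
    """True when both addresses share a network number under the mask."""
    m = to_int(mask)
    return (to_int(a) & m) == (to_int(b) & m)


if __name__ == "__main__":
    # Constructed sample: a host that falls inside the subnet of Table 130.
    info = describe_subnet("192.168.1.70", "255.255.255.192")
    print(info)
    # Cross-check against the standard library.
    net = ipaddress.ip_network("192.168.1.70/255.255.255.192", strict=False)
    assert str(net.network_address) == info["subnet"]
    assert str(net.broadcast_address) == info["broadcast"]
    # With a 25-bit mask the two hosts below sit in different sub-networks,
    # so traffic between them has to pass through a router.
    print(same_subnet("192.168.1.10", "192.168.1.200", "255.255.255.128"))
```

`same_subnet` is the check to run when verifying that a server group really sits in a separate sub-network from the rest of the LAN after the split.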
  • Page 307: Table 134 24-Bit Network Number Subnet Planning

    Appendix D IP Addresses and Subnetting Table 133 Eight Subnets (continued) SUBNET LAST BROADCAST SUBNET FIRST ADDRESS ADDRESS ADDRESS ADDRESS Subnet Planning The following table is a summary for subnet planning on a network with a 24-bit network number. Table 134 24-bit Network Number Subnet Planning NO.
  • Page 308: Configuring Ip Addresses

    You must also enable Network Address Translation (NAT) on the ZyXEL Device. Once you have decided on the network number, pick an IP address for your ZyXEL Device that is easy to remember (for instance, 192.168.1.1) but make sure that no other device on your network is using that IP address.
  • Page 309: Figure 188 Conflicting Computer Ip Addresses Example

    Appendix D IP Addresses and Subnetting IP Address Conflicts Each device on a network must have a unique IP address. Devices with duplicate IP addresses on the same network will not be able to access the Internet or other resources. The devices may also be unreachable through the network.
  • Page 310: Figure 190 Conflicting Computer And Router Ip Addresses Example

    Appendix D IP Addresses and Subnetting Conflicting Computer and Router IP Addresses Example More than one device can not use the same IP address. In the following example, the computer and the router’s LAN port both use 192.168.1.1 as the IP address. The computer cannot access the Internet.
  • Page 311: Appendix E Firewall Commands

    APPENDIX E Firewall Commands The following describes the firewall commands. Table 136 Firewall Commands FUNCTION COMMAND DESCRIPTION Firewall SetUp config edit firewall active <yes | no>: This command turns the firewall on or off. config retrieve firewall: This command returns the previously saved firewall settings.
  • Page 312 config edit firewall e-mail day <sunday | monday | tuesday | wednesday | thursday | friday | saturday>: This command sets the day on which the current firewall log is sent through e-mail if the ZyXEL Device is set to send it on a weekly basis...
  • Page 313 config edit firewall attack tcp-max-incomplete <0-255>: This command sets the threshold of half-open TCP sessions with the same destination where the ZyXEL Device starts dropping half-open sessions to that destination. Sets config edit firewall set <set...: This command sets a name to identify a...
  • Page 314 ... #> rule <rule #> srcaddr-single <ip address>: ... ZyXEL Device check for traffic with this individual source address. config edit firewall set <set #> rule <rule #> srcaddr-subnet <ip address>...: This command sets a rule to have the ZyXEL Device check for traffic from a particular subnet (defined by IP address and subnet...
  • Page 315 ... #> rule <rule #> destaddr-single <ip address>: ... ZyXEL Device check for traffic with this individual destination address. config edit firewall set <set #> rule <rule #> destaddr-subnet <ip address>...: This command sets a rule to have the ZyXEL Device check for traffic with a particular subnet destination (defined by IP address and subnet...
  • Page 316 Appendix E Firewall Commands Table 136 Firewall Commands (continued) FUNCTION COMMAND DESCRIPTION config delete firewall set <set #> rule <rule #>: This command removes the specified rule in a firewall configuration set. P-660HW-Dx v2 User’s Guide
  • Page 317: Appendix F Internal Sptgen

    – eliminating the need to navigate and configure individual screens for each ZyXEL Device. You can use FTP to get the Internal SPTGEN file. Then edit the file in a text editor and use FTP to upload it again to the same device or another one.
  • Page 318: Figure 192 Invalid Parameter Entered: Command Line Example

    Figure 191 on page 317), then you disable every field in this menu. If you enter a parameter that is invalid in the Input column, the ZyXEL Device will not save the configuration and the command line will display the Field Identification Number.
  • Page 319: Figure 194 Internal Sptgen Ftp Download Example

    2 Enter " ". The command “ ” sets the transfer mode to binary. 3 Upload your “ ” file from your computer to the ZyXEL Device using the “ ” rom-t command. computer to the ZyXEL Device. 4 Exit this FTP application.
  • Page 320: Table 137 Abbreviations Used In The Example Internal Sptgen Screens Table

    MEANING Field Identification Number Field Name Parameter Values Allowed INPUT An example of what you may enter Applies to the ZyXEL Device. Table 138 Menu 1 General Setup / Menu 1 General Setup INPUT 10000000 = Configured <0(No) | 1(Yes)>...
  • Page 321 Appendix F Internal SPTGEN Table 139 Menu 3 / Menu 3.2 TCP/IP and DHCP Ethernet Setup INPUT 30200001 = DHCP <0(None) | 1(Server) | 2(Relay)> 30200002 = Client IP Pool Starting Address 192.168.1.33 30200003 = Size of Client IP Pool = 32 30200004 = Primary DNS Server...
  • Page 322: Table 140 Menu 4 Internet Access Setup

    Appendix F Internal SPTGEN Table 139 Menu 3 30201008 = IP Alias #1 Incoming protocol filters = 256 Set 3 30201009 = IP Alias #1 Incoming protocol filters = 256 Set 4 30201010 = IP Alias #1 Outgoing protocol filters = 256 Set 1 30201011 =...
  • Page 323 Appendix F Internal SPTGEN Table 140 Menu 4 Internet Access Setup (continued) 40000001 = <0(No) | 1(Yes)> 40000002 = Active <0(No) | 1(Yes)> 40000003 = ISP's Name = ChangeMe 40000004 = Encapsulation <2(PPPOE) | 3(RFC 1483)| 4(PPPoA )| 5(ENET ENCAP)> 40000005 = Multiplexing <1(LLC-based)
  • Page 324: Table 141 Menu 12

    Appendix F Internal SPTGEN Table 140 Menu 4 Internet Access Setup (continued) 40000031= RIP Direction <0(None) | 1(Both) | 2(In Only) | 3(Out Only)> 40000032= RIP Version <0(Rip-1) | 1(Rip-2B) |2(Rip-2M)> 40000033= Nailed-up Connection <0(No) |1(Yes)> Table 141 Menu 12 / Menu 12.1.1 IP Static Route Setup INPUT 120101001 =...
  • Page 325 Appendix F Internal SPTGEN Table 142 Menu 15 SUA Server Setup (continued) 150000004 = SUA Server #2 Port Start 150000005 = SUA Server #2 Port End 150000006 = SUA Server #2 Local IP address = 0.0.0.0 150000007 = SUA Server #3 Active <0(No) | 1(Yes)>...
  • Page 326: Table 143 Menu 21.1 Filter Set #1

    Appendix F Internal SPTGEN Table 142 Menu 15 SUA Server Setup (continued) 150000038 = SUA Server #9 Protocol <0(All)|6(TCP)|17(U DP)> 150000039 = SUA Server #9 Port Start 150000040 = SUA Server #9 Port End 150000041 = SUA Server #9 Local IP address = 0.0.0.0 150000042 = SUA Server #10 Active...
  • Page 327: Table 144 Menu 21.1 Filer Set #2

    Appendix F Internal SPTGEN Table 143 Menu 21.1 Filter Set #1 (continued) 210101009 = IP Filter Set 1,Rule 1 Src Subnet Mask 210101010 = IP Filter Set 1,Rule 1 Src Port 210101011 = IP Filter Set 1,Rule 1 Src Port Comp <0(none)|1(equal) |2(not equal)|3(less)|4(...
  • Page 328 Appendix F Internal SPTGEN Table 144 Menu 21.1 Filer Set #2, (continued) INPUT 210201001 = IP Filter Set 2, Rule 1 Type <0(none)|2(TCP/ IP)> 210201002 = IP Filter Set 2, Rule 1 Active <0(No)|1(Yes)> 210201003 = IP Filter Set 2, Rule 1 Protocol 210201004 = IP Filter Set 2, Rule 1 Dest IP = 0.0.0.0...
  • Page 329: Table 145 Menu 23 System Menus

    Appendix F Internal SPTGEN Table 144 Menu 21.1 Filer Set #2, (continued) 210202009 = IP Filter Set 2, Rule 2 Src Subnet Mask 210202010 = IP Filter Set 2,Rule 2 Src Port 210202011 = IP Filter Set 2, Rule 2 Src Port <0(none)|1(equal)| Comp 2(not...
  • Page 330: Table 146 Menu 24.11 Remote Management Control

    Appendix F Internal SPTGEN Table 145 Menu 23 System Menus (continued) 230400002 = ReAuthentication Timer (in second) = 555 230400003 = Idle Timeout (in second) = 999 230400004 = Authentication Databases <0(Local User Database Only) |1(RADIUS Only) |2(Local,RADIUS) |3(RADIUS,Local)> 230400005 = Key Management Protocol <0(8021x) |1(WPA) |2(WPAPSK)>...
  • Page 331: Table 147 Command Examples

    Appendix F Internal SPTGEN Command Examples The following are example Internal SPTGEN screens associated with the ZyXEL Device’s command interpreter commands. Table 147 Command Examples INPUT /ci command (for annex a): wan adsl opencmd INPUT 990000001 = ADSL OPMD <0(glite)|1(t1.413 )|2(gdmt)|3(multim ode)>...
  • Page 333: Appendix G Pop-Up Windows, Javascripts And Java Permissions

    APPENDIX G Pop-up Windows, JavaScripts and Java Permissions In order to use the web configurator you need to allow: • Web browser pop-up windows from your device. • JavaScripts (enabled by default). • Java permissions (enabled by default). Internet Explorer 6 screens are used here.
  • Page 334: Figure 197 Internet Options: Privacy

    Appendix G Pop-up Windows, JavaScripts and Java Permissions 2 Clear the Block pop-ups check box in the Pop-up Blocker section of the screen. This disables any web pop-up blockers you may have enabled. Figure 197 Internet Options: Privacy 3 Click Apply to save this setting. Enable pop-up Blockers with Exceptions Alternatively, if you only want to allow pop-up windows from your device, see the following steps.
  • Page 335: Figure 198 Internet Options: Privacy

    Appendix G Pop-up Windows, JavaScripts and Java Permissions Figure 198 Internet Options: Privacy 3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix “http://”. For example, http://192.168.167.1. 4 Click Add to move the IP address to the list of Allowed sites. Figure 199 Pop-up Blocker Settings P-660HW-Dx v2 User’s Guide...
  • Page 336: Figure 200 Internet Options: Security

    Appendix G Pop-up Windows, JavaScripts and Java Permissions 5 Click Close to return to the Privacy screen. 6 Click Apply to save this setting. JavaScripts If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed.
  • Page 337: Figure 201 Security Settings - Java Scripting

    Appendix G Pop-up Windows, JavaScripts and Java Permissions Figure 201 Security Settings - Java Scripting Java Permissions 1 From Internet Explorer, click Tools, Internet Options and then the Security tab. 2 Click the Custom Level... button. 3 Scroll down to Microsoft VM. 4 Under Java permissions make sure that a safety level is selected.
  • Page 338: Figure 203 Java (Sun)

    Appendix G Pop-up Windows, JavaScripts and Java Permissions JAVA (Sun) 1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab. 2 Make sure that Use Java 2 for <applet> under Java (Sun) is selected. 3 Click OK to close the window. Figure 203 Java (Sun) P-660HW-Dx v2 User’s Guide...
  • Page 339: Appendix H Netbios Filter Commands

    • Allow or disallow NetBIOS packets to initiate calls. Display NetBIOS Filter Settings Syntax: sys filter netbios disp This command gives a read-only list of the current NetBIOS filter modes for the ZyXEL Device. NetBIOS Display Filter Settings Command Example =========== NetBIOS Filter Status ===========...
  • Page 340: Table 148 Netbios Filter Default Settings

    Appendix H NetBIOS Filter Commands The filter types and their default settings are as follows. Table 148 NetBIOS Filter Default Settings NAME DESCRIPTION EXAMPLE Between LAN This field displays whether NetBIOS packets are blocked or forwarded Block and WAN between the LAN and the WAN. IPSec Packets This field displays whether NetBIOS packets sent through a VPN Forward connection are blocked or forwarded.
  • Page 341: Appendix I Triangle Route

    Triangle Route The Ideal Setup When the firewall is on, your ZyXEL Device acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the ZyXEL Device to protect your LAN against attacks.
  • Page 342: Figure 205 "Triangle Route" Problem

    WAN. 2 The ZyXEL Device reroutes the packet to Gateway A, which is in Subnet 2. 3 The reply from WAN goes through the ZyXEL Device to the computer on the LAN in Subnet 1. Figure 206 IP Alias...
  • Page 343: Appendix J Legal Information

    Published by ZyXEL Communications Corporation. All rights reserved. Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others.
  • Page 344 Cet appareil numérique de la classe B est conforme à la norme NMB-003 du Canada. Viewing Certifications 1 Go to http://www.zyxel.com. 2 Select your product on the ZyXEL home page to go to that product's page. P-660HW-Dx v2 User’s Guide...
  • Page 345: Zyxel Limited Warranty

    Any replacement will consist of a new or re-manufactured functionally equivalent product of equal or higher value, and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product has been modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions.
  • Page 347: Appendix K Customer Support

    • Telephone: +506-2017878 • Fax: +506-2015098 • Web Site: www.zyxel.co.cr • FTP Site: ftp.zyxel.co.cr • Regular Mail: ZyXEL Costa Rica, Plaza Roble Escazú, Etapa El Patio, Tercer Piso, San José, Costa Rica Czech Republic • E-mail: info@cz.zyxel.com • Telephone: +420-241-091-350 •...
  • Page 348 • E-mail: info@zyxel.fr • Telephone: +33-4-72-52-97-97 • Fax: +33-4-72-52-19-20 • Web Site: www.zyxel.fr • Regular Mail: ZyXEL France, 1 rue des Vergers, Bat. 1 / C, 69760 Limonest, France Germany • Support E-mail: support@zyxel.de • Sales E-mail: sales@zyxel.de • Telephone: +49-2405-6909-69 •...
  • Page 349 • Sales E-mail: sales@zyxel.com • Telephone: +1-800-255-4101, +1-714-632-0882 • Fax: +1-714-632-0858 • Web Site: www.us.zyxel.com • FTP Site: ftp.us.zyxel.com • Regular Mail: ZyXEL Communications Inc., 1130 N. Miller St., Anaheim, CA 92806- 2001, U.S.A. Norway • Support E-mail: support@zyxel.no • Sales E-mail: sales@zyxel.no •...
  • Page 350 Appendix K Customer Support • Web Site: www.zyxel.es • Regular Mail: ZyXEL Communications, Arte, 21 5ª planta, 28033 Madrid, Spain Sweden • Support E-mail: support@zyxel.se • Sales E-mail: sales@zyxel.se • Telephone: +46-31-744-7700 • Fax: +46-31-744-7701 • Web Site: www.zyxel.se • Regular Mail: ZyXEL Communications A/S, Sjöporten 4, 41764 Göteborg, Sweden Ukraine •...

This manual is also suitable for:

P-660hw-d1 v2
