ZyXEL Communications ZYWALL 2 WG User Manual


ZyWALL 2WG
Internet Security Appliance
User's Guide
Version 4.02
1/2007
Edition 1
www.zyxel.com


Summary of Contents for ZyXEL Communications ZYWALL 2 WG

  • Page 3: About This User's Guide

    • Supporting Disk Refer to the included CD for support documents. • ZyXEL Web Site Please refer to www.zyxel.com for additional support documentation and product certifications. User Guide Feedback Help us help you. Send all User Guide-related comments, questions or suggestions for improvement to the following address, or use e-mail instead.
  • Page 4: Document Conventions

    Document Conventions Document Conventions Warnings and Notes These are how warnings and notes are shown in this User’s Guide. Warnings tell you about things that could harm you or your device. Notes tell you other important information (for example, other things you may need to configure or helpful tips) or recommendations.
  • Page 5 Document Conventions Icons Used in Figures Figures in this User’s Guide may use the following generic icons. The ZyWALL icon is not an exact representation of your device. ZyWALL Computer Notebook computer Server DSLAM Firewall Telephone Switch Router ZyWALL 2WG User’s Guide...
  • Page 6: Safety Warnings

    Safety Warnings Safety Warnings For your safety, be sure to read and follow all warning notices and instructions. • Do NOT use this product near water, for example, in a wet basement or near a swimming pool. • Do NOT expose your device to dampness, dust or corrosive liquids. •...
  • Page 7 Safety Warnings • Antenna Warning! This device meets ETSI and FCC certification requirements when using the included antenna(s). Only use the included antenna(s). • If you wall mount your device, make sure that no electrical lines, gas or water pipes will be damaged.
  • Page 9: Table Of Contents

    Contents Overview Contents Overview Introduction ..........................49 Getting to Know Your ZyWALL ....................51 Introducing the Web Configurator ....................55 Wizard Setup ..........................75 Tutorial ............................95 Registration ..........................107 Network ..........................111 LAN Screens ..........................113 Bridge Screens ........................125 WAN Screens ..........................
  • Page 10 Contents Overview SMT and Troubleshooting ....................467 Introducing the SMT ........................ 469 SMT Menu 1 - General Setup ....................477 WAN and Dial Backup Setup ....................483 LAN Setup ..........................497 Internet Access ........................503 DMZ Setup ..........................509 Route Setup ..........................513 Wireless Setup ........................
  • Page 11: Table Of Contents

    Table of Contents Table of Contents About This User's Guide ......................3 Document Conventions......................4 Safety Warnings........................6 Contents Overview ........................9 Table of Contents........................11 List of Figures ......................... 29 List of Tables........................... 41 Part I: Introduction................. 49 Chapter 1 Getting to Know Your ZyWALL....................
  • Page 12 Table of Contents 2.4.5 Navigation Panel ......................65 2.4.6 Port Statistics ......................69 2.4.7 Show Statistics: Line Chart ..................70 2.4.8 DHCP Table Screen ....................71 2.4.9 VPN Status ......................... 72 2.4.10 Bandwidth Monitor ....................73 Chapter 3 Wizard Setup ........................... 75 3.1 Wizard Setup Overview ......................
  • Page 13 Table of Contents Part II: Network..................111 Chapter 6 LAN Screens.......................... 113 6.1 LAN, WAN and the ZyWALL ....................113 6.2 IP Address and Subnet Mask .....................113 6.2.1 Private IP Addresses ....................114 6.3 DHCP ..........................115 6.3.1 IP Pool Setup ......................115 6.4 RIP Setup ...........................115 6.5 Multicast ..........................115 6.6 WINS ..........................116 6.7 LAN .............................116...
  • Page 14 Table of Contents 8.8 WAN IP Address Assignment .................... 141 8.9 DNS Server Address Assignment ..................142 8.10 WAN MAC Address ......................142 8.11 WAN 1 ..........................143 8.11.1 WAN Ethernet Encapsulation ................. 143 8.11.2 PPPoE Encapsulation .................... 146 8.11.3 PPTP Encapsulation ....................149 8.12 WAN 2 (3G WAN) ......................
  • Page 15 Table of Contents 10.8.1 No Security ......................190 10.8.2 Static WEP ......................190 10.8.3 IEEE 802.1x Only ....................191 10.8.4 IEEE 802.1x + Static WEP ..................192 10.8.5 WPA, WPA2, WPA2-MIX ..................194 10.8.6 WPA-PSK, WPA2-PSK, WPA2-PSK-MIX ............... 195 10.9 MAC Filter ........................196 Part III: Security..................
  • Page 16 Table of Contents 12.3 Content Filtering with an External Database ..............234 12.4 Content Filter Categories ....................234 12.5 Content Filter Customization ..................243 12.6 Customizing Keyword Blocking URL Checking ............... 245 12.6.1 Domain Name or IP Address URL Checking ............246 12.6.2 Full Path URL Checking ..................
  • Page 17 Table of Contents 14.15 VPN SA Monitor ......................289 14.16 VPN Global Setting ....................... 289 14.17 Telecommuter VPN/IPSec Examples ................291 14.17.1 Telecommuters Sharing One VPN Rule Example ..........291 14.17.2 Telecommuters Using Unique VPN Rules Example ..........292 14.18 VPN and Remote Management ..................294 14.19 Hub-and-spoke VPN ......................
  • Page 18 Table of Contents Part IV: Advanced ................327 Chapter 17 Network Address Translation (NAT)..................329 17.1 NAT Overview ........................ 329 17.1.1 NAT Definitions ...................... 329 17.1.2 What NAT Does ..................... 330 17.1.3 How NAT Works ..................... 330 17.1.4 NAT Application ...................... 331 17.1.5 Port Restricted Cone NAT ..................
  • Page 19 Table of Contents 20.2 Bandwidth Classes and Filters ..................355 20.3 Proportional Bandwidth Allocation ................... 356 20.4 Application-based Bandwidth Management ..............356 20.5 Subnet-based Bandwidth Management ................356 20.6 Application and Subnet-based Bandwidth Management ..........356 20.7 Scheduler ........................357 20.7.1 Priority-based Scheduler ..................
  • Page 20 23.1.1 How Do I Know If I'm Using UPnP? ............... 405 23.1.2 NAT Traversal ......................405 23.1.3 Cautions with UPnP ....................405 23.1.4 UPnP and ZyXEL ....................406 23.2 Configuring UPnP ......................406 23.3 Displaying UPnP Port Mapping ..................407 23.4 Installing UPnP in Windows Example ................
  • Page 21 Table of Contents 23.5.1 Auto-discover Your UPnP-enabled Network Device ..........411 23.5.2 Web Configurator Easy Access ................412 Chapter 24 ALG Screen ........................... 415 24.1 ALG Introduction ......................415 24.1.1 ALG and NAT ......................415 24.1.2 ALG and the Firewall ....................415 24.1.3 ALG and Multiple WAN ..................
  • Page 22 Table of Contents 26.3 Configuring Password ....................452 26.4 Time and Date ........................ 453 26.5 Pre-defined NTP Time Server Pools ................456 26.5.1 Resetting the Time ....................456 26.5.2 Time Server Synchronization ................. 456 26.6 Introduction To Transparent Bridging ................457 26.7 Transparent Firewalls ......................
  • Page 23 Table of Contents 29.3.1 Configuring Dial Backup in Menu 2 ................ 484 29.3.2 Advanced WAN Setup ................... 485 29.3.3 Remote Node Profile (Backup ISP) ................ 487 29.3.4 Editing TCP/IP Options ..................489 29.3.5 Editing Login Script ....................490 29.3.6 Remote Node Filter ....................492 29.4 3G WAN ...........................
  • Page 24 Table of Contents 34.1 TCP/IP Setup ........................517 34.1.1 IP Address ......................517 34.1.2 IP Alias Setup ......................518 Chapter 35 Remote Node Setup......................521 35.1 Introduction to Remote Node Setup ................521 35.2 Remote Node Setup ......................521 35.3 Remote Node Profile Setup ..................... 521 35.3.1 Ethernet Encapsulation ..................
  • Page 25 Table of Contents 39.1.1 The Filter Structure of the ZyWALL ................ 556 39.2 Configuring a Filter Set ....................558 39.2.1 Configuring a Filter Rule ..................559 39.2.2 Configuring a TCP/IP Filter Rule ................560 39.2.3 Configuring a Generic Filter Rule ................562 39.3 Example Filter ........................
  • Page 26 Table of Contents 42.3.5 File Maintenance Over WAN .................. 588 42.3.6 Backup Configuration Using TFTP ................. 588 42.3.7 TFTP Command Example ..................589 42.3.8 GUI-based TFTP Clients ..................589 42.3.9 Backup Via Console Port ..................589 42.4 Restore Configuration ...................... 590 42.4.1 Restore Using FTP ....................
  • Page 27 Table of Contents Chapter 46 Call Scheduling ........................619 46.1 Introduction to Call Scheduling ..................619 Chapter 47 Troubleshooting........................623 47.1 Power, Hardware Connections, and LEDs ..............623 47.2 ZyWALL Access and Login ....................624 47.3 Internet Access ........................ 626 Part VII: Appendices and Index ............
  • Page 29: List Of Figures

    List of Figures List of Figures Figure 1 Secure Internet Access via Cable or DSL Modem ..............52 Figure 2 VPN Application ........................53 Figure 3 3G WAN Application ......................... 53 Figure 4 Front Panel ..........................54 Figure 5 Change Password Screen ......................56 Figure 6 Replace Certificate Screen .......................
  • Page 30 List of Figures Figure 39 SECURITY > FIREWALL > Rule Summary ................. 100 Figure 40 SECURITY > FIREWALL > Rule Summary > Edit: Allow ........... 101 Figure 41 SECURITY > FIREWALL > Rule Summary: Allow ............... 102 Figure 42 SECURITY > FIREWALL > Default Rule: Block From VPN To LAN ........102 Figure 43 Tutorial: NETWORK >...
  • Page 31 List of Figures Figure 82 Example of a Wireless Network ................... 173 Figure 83 NETWORK > WLAN ......................175 Figure 84 NETWORK > WLAN > Static DHCP ................... 178 Figure 85 NETWORK > WLAN > IP Alias ................... 179 Figure 86 WLAN Port Role Example ....................181 Figure 87 NETWORK >...
  • Page 32 List of Figures Figure 125 My Service Firewall Rule Example: Rule Summary ............230 Figure 126 SECURITY > CONTENT FILTER > General ..............232 Figure 127 Content Filtering Lookup Procedure ................... 234 Figure 128 SECURITY > CONTENT FILTER > Categories ..............236 Figure 129 SECURITY >...
  • Page 33 List of Figures Figure 168 Certificates on Your Computer ................... 298 Figure 169 Certificate Details ......................299 Figure 170 Certificate Configuration Overview ..................299 Figure 171 SECURITY > CERTIFICATES > My Certificates ............... 300 Figure 172 SECURITY > CERTIFICATES > My Certificates > Details ..........302 Figure 173 SECURITY >...
  • Page 34 List of Figures Figure 211 ADVANCED > DNS > Add (Address Record) ..............375 Figure 212 ADVANCED > DNS > Insert (Name Server Record) ............376 Figure 213 ADVANCED > DNS > Cache ..................... 378 Figure 214 ADVANCED > DNS > DHCP ....................379 Figure 215 ADVANCED >...
  • Page 35 List of Figures Figure 254 MAINTENANCE > General Setup ..................452 Figure 255 MAINTENANCE > Password .................... 453 Figure 256 MAINTENANCE > Time and Date ..................454 Figure 257 Synchronization in Process ....................456 Figure 258 Synchronization is Successful .................... 457 Figure 259 Synchronization Fail ......................
  • Page 36 List of Figures Figure 297 Internet Access Setup (PPTP) ................... 506 Figure 298 Internet Access Setup (PPPoE) ..................507 Figure 299 Menu 5: DMZ Setup ......................509 Figure 300 Menu 5.1: DMZ Port Filter Setup ..................509 Figure 301 Menu 5: DMZ Setup ......................510 Figure 302 Menu 5.2: TCP/IP and DHCP Ethernet Setup ..............
  • Page 37 List of Figures Figure 340 Example 3: Menu 15.2.1 ....................548 Figure 341 NAT Example 4 ........................548 Figure 342 Example 4: Menu 15.1.1.1: Address Mapping Rule ............549 Figure 343 Example 4: Menu 15.1.1: Address Mapping Rules ............549 Figure 344 Menu 15.3.1: Trigger Port Setup ..................
  • Page 38 List of Figures Figure 383 Restore Configuration Example ..................593 Figure 384 Successful Restoration Confirmation Screen ..............593 Figure 385 Telnet Into Menu 24.7.1: Upload System Firmware ............594 Figure 386 Telnet Into Menu 24.7.2: System Maintenance ..............594 Figure 387 FTP Session Example of Firmware File Upload ..............595 Figure 388 Menu 24.7.1 As Seen Using the Console Port ..............
  • Page 39 List of Figures Figure 426 Windows XP: Local Area Connection Properties ............... 652 Figure 427 Windows XP: Internet Protocol (TCP/IP) Properties ............653 Figure 428 Windows XP: Advanced TCP/IP Properties ............... 654 Figure 429 Windows XP: Internet Protocol (TCP/IP) Properties ............655 Figure 430 Macintosh OS 8/9: Apple Menu ..................
  • Page 40 List of Figures Figure 469 Displaying Log Categories Example .................. 702 Figure 470 Displaying Log Parameters Example ................. 702 Figure 471 Routing Command Example ....................704 Figure 472 Backup Gateway ........................ 705 Figure 473 Managing the Bandwidth of an IPSec SA ................706 Figure 474 Managing the Bandwidth of an IKE SA ................
  • Page 41: List Of Tables

    List of Tables List of Tables Table 1 Front Panel Lights ........................54 Table 2 Title Bar: Web Configurator Icons ..................... 58 Table 3 Web Configurator HOME Screen in Router Mode ..............59 Table 4 Web Configurator HOME Screen in Bridge Mode ..............63 Table 5 Bridge and Router Mode Features Comparison ...............
  • Page 42 List of Tables Table 39 NETWORK > WAN > WAN 1 (Ethernet Encapsulation) ............144 Table 40 NETWORK > WAN > WAN 1 (PPPoE Encapsulation) ............147 Table 41 NETWORK > WAN > WAN 1 (PPTP Encapsulation) ............150 Table 42 2G, 2.5G, 2.75G and 3G of Wireless Technologies ............... 153 Table 43 NETWORK >...
  • Page 43 List of Tables Table 82 VPN Example: Matching ID Type and Content ..............263 Table 83 VPN Example: Mismatching ID Type and Content ............... 263 Table 84 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy ..........269 Table 85 SECURITY >...
  • Page 44 List of Tables Table 125 Bandwidth Borrowing Example ................... 360 Table 126 Over Allotment of Bandwidth Example ................361 Table 127 ADVANCED > BW MGMT > Summary ................362 Table 128 ADVANCED > BW MGMT > Class Setup ................363 Table 129 ADVANCED >...
  • Page 45 List of Tables Table 168 Attack Logs ......................... 439 Table 169 Remote Management Logs ....................441 Table 170 IPSec Logs .......................... 441 Table 171 IKE Logs ..........................442 Table 172 PKI Logs ..........................445 Table 173 Certificate Path Verification Failure Reason Codes ............446 Table 174 ACL Setting Notes ......................
  • Page 46 List of Tables Table 211 Menu 6.3: Route Failover ....................515 Table 212 Menu 11.1: Remote Node Profile for Ethernet Encapsulation ..........522 Table 213 Fields in Menu 11.1 (PPPoE Encapsulation Specific) ............524 Table 214 Menu 11.1: Remote Node Profile for PPTP Encapsulation ..........525 Table 215 Remote Node Network Layer Options Menu Fields ............
  • Page 47 List of Tables Table 254 Allowed IP Address Range By Class .................. 664 Table 255 “Natural” Masks ........................665 Table 256 Alternative Subnet Mask Notation ..................665 Table 257 Two Subnets Example ......................666 Table 258 Subnet 1 ..........................666 Table 259 Subnet 2 ..........................
  • Page 49: Introduction

    Introduction Getting to Know Your ZyWALL (51) Introducing the Web Configurator (55) Wizard Setup (75) Tutorial (95) Registration (107)
  • Page 51: Getting To Know Your Zywall

    Chapter 1 Getting to Know Your ZyWALL This chapter introduces the main features and applications of the ZyWALL. 1.1 ZyWALL Internet Security Appliance Overview The ZyWALL is loaded with security features including VPN, firewall, content filtering and certificates.
  • Page 52: Good Habits For Managing The Zywall

    Chapter 1 Getting to Know Your ZyWALL • Vantage CNM (Centralized Network Management). The device can be remotely managed using a Vantage CNM server. 1.3 Good Habits for Managing the ZyWALL Do the following things regularly to make the ZyWALL more secure and to manage the ZyWALL more effectively.
  • Page 53: Vpn Application

    Chapter 1 Getting to Know Your ZyWALL 1.4.2 VPN Application ZyWALL VPN is an ideal cost-effective way to securely connect branch offices, business partners and telecommuters over the Internet without the need (and expense) for leased lines between sites. Figure 2 VPN Application 1.4.3 3G WAN Application Insert a 3G card to have the ZyWALL (in router mode) wirelessly access the Internet via a 3G base station.
  • Page 54: Front Panel Lights

    Chapter 1 Getting to Know Your ZyWALL 1.4.4 Front Panel Lights Figure 4 Front Panel The following table describes the lights. Table 1 Front Panel Lights COLOR STATUS DESCRIPTION The ZyWALL is turned off. Green The ZyWALL is ready and running. Flashing The ZyWALL is restarting.
  • Page 55: Introducing The Web Configurator

    Chapter 2 Introducing the Web Configurator This chapter describes how to access the ZyWALL web configurator and provides an overview of its screens. 2.1 Web Configurator Overview The web configurator is an HTML-based management interface that allows easy ZyWALL setup and management via Internet browser.
  • Page 56: Figure 5 Change Password Screen

    Chapter 2 Introducing the Web Configurator 5 You should see a screen asking you to change your password (highly recommended) as shown next. Type a new password (and retype it to confirm) and click Apply or click Ignore. Figure 5 Change Password Screen 6 Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device.
  • Page 57: Resetting The Zywall

    5 Release the RESET button and wait for the ZyWALL to finish restarting. 2.3.2 Uploading a Configuration File Via Console Port 1 Download the default configuration file from the ZyXEL FTP site, unzip it and save it in a folder.
  • Page 58: Navigating The Zywall Web Configurator

    Chapter 2 Introducing the Web Configurator 2.4 Navigating the ZyWALL Web Configurator The following summarizes how to navigate the web configurator from the HOME screen. Figure 8 HOME Screen As illustrated above, the main screen is divided into these parts: •...
  • Page 59: Main Window

    Chapter 2 Introducing the Web Configurator 2.4.2 Main Window The main window shows the screen you select in the navigation panel. It is discussed in more detail in the rest of this document. Right after you log in, the HOME screen is displayed. The screen varies according to the device mode you select in the MAINTENANCE >...
  • Page 60 The first number shows how many megabytes of the heap memory the ZyWALL is using. Heap memory refers to the memory that is not used by ZyNOS (ZyXEL Network Operating System) and is thus available for running processes like NAT, VPN and the firewall.
  • Page 61 Chapter 2 Introducing the Web Configurator Table 3 Web Configurator HOME Screen in Router Mode (continued) LABEL DESCRIPTION Status For the LAN, DMZ and WLAN ports, this displays the port speed and duplex setting. Ethernet port connections can be in half-duplex or full-duplex mode. Full-duplex refers to a device's ability to send and receive simultaneously, while half-duplex indicates that traffic can flow in only one direction at a time.
  • Page 62: Home Screen: Bridge Mode

    Chapter 2 Introducing the Web Configurator Table 3 Web Configurator HOME Screen in Router Mode (continued) LABEL DESCRIPTION Tx Bytes This displays the total number of data frames transmitted. Rx Bytes This displays the total number of data frames received. 3G Card This displays the manufacturer of your 3G card.
  • Page 63: Figure 10 Web Configurator Home Screen In Bridge Mode

    Bootbase Version: This is the bootbase version and the date created. Firmware Version: This is the ZyNOS Firmware version and the date created. ZyNOS is ZyXEL's proprietary Network Operating System design. Click the field label to go to the screen where you can upload a new firmware file.
  • Page 64 The first number shows how many megabytes of the heap memory the ZyWALL is using. Heap memory refers to the memory that is not used by ZyNOS (ZyXEL Network Operating System) and is thus available for running processes like NAT, VPN and the firewall.
  • Page 65: Navigation Panel

    Chapter 2 Introducing the Web Configurator Table 4 Web Configurator HOME Screen in Bridge Mode (continued) LABEL DESCRIPTION RSTP Active This shows whether or not RSTP is active on the corresponding port. RSTP Priority This is the RSTP priority of the corresponding port. RSTP Path Cost This is the cost of transmitting a frame from the root bridge to the corresponding port.
  • Page 66: Table 6 Screens Summary

    Chapter 2 Introducing the Web Configurator Table 5 Bridge and Router Mode Features Comparison FEATURE BRIDGE MODE ROUTER MODE Certificates Authentication Server Static Route Policy Route Bandwidth Management Remote Management UPnP Logs Maintenance Table Key: An O in a mode’s column shows that the device mode has the specified feature. The information in this table was correct at the time of writing, although it may be subject to change.
  • Page 67 Chapter 2 Introducing the Web Configurator Table 6 Screens Summary (continued) LINK FUNCTION General This screen allows you to configure load balancing, route priority and traffic redirect properties. WAN1 Use this screen to configure the WAN1 connection for Internet access. WAN2 Use this screen to configure the WAN2 connection for Internet access.
  • Page 68 Chapter 2 Introducing the Web Configurator Table 6 Screens Summary (continued) LINK FUNCTION CERTIFICATES My Certificates: Use this screen to view a summary list of certificates and manage certificates and certification requests. Trusted CAs: Use this screen to view and manage the list of the trusted CAs. Trusted Remote Hosts: Use this screen to view and manage the certificates belonging to...
  • Page 69: Port Statistics

    Chapter 2 Introducing the Web Configurator Table 6 Screens Summary (continued) LINK FUNCTION REMOTE MGMT: Use this screen to configure through which interface(s) and from which IP address(es) users can use HTTPS or HTTP to manage the ZyWALL. Use this screen to configure through which interface(s) and from which IP address(es) users can use Secure Shell to manage the ZyWALL.
  • Page 70: Show Statistics: Line Chart

    Chapter 2 Introducing the Web Configurator Figure 11 HOME > Show Statistics The following table describes the labels in this screen. Table 7 HOME > Show Statistics LABEL DESCRIPTION Click the icon to display the chart of throughput statistics. Port These are the ZyWALL’s interfaces.
  • Page 71: Dhcp Table Screen

    Chapter 2 Introducing the Web Configurator Figure 12 HOME > Show Statistics > Line Chart The following table describes the labels in this screen. Table 8 HOME > Show Statistics > Line Chart LABEL DESCRIPTION Click the icon to go back to the Show Statistics screen. Port Select the check box(es) to display the throughput statistics of the corresponding interface(s).
  • Page 72: Vpn Status

    Chapter 2 Introducing the Web Configurator Figure 13 HOME > DHCP Table The following table describes the labels in this screen. Table 9 HOME > DHCP Table LABEL DESCRIPTION Interface Select LAN, DMZ or WLAN to show the current DHCP client information for the specified interface.
  • Page 73: Bandwidth Monitor

    Chapter 2 Introducing the Web Configurator Figure 14 HOME > VPN Status The following table describes the labels in this screen. Table 10 HOME > VPN Status LABEL DESCRIPTION This is the security association index number. Name This field displays the identification name for this VPN policy. Local Network This field displays the IP address of the computer using the VPN IPSec feature of your ZyWALL.
  • Page 74: Figure 15 Home > Bandwidth Monitor

    Chapter 2 Introducing the Web Configurator Figure 15 Home > Bandwidth Monitor The following table describes the labels in this screen. Table 11 ADVANCED > BW MGMT > Monitor LABEL DESCRIPTION Interface Select an interface from the drop-down list box to view the bandwidth usage of its bandwidth classes.
  • Page 75: Wizard Setup

    Chapter 3 Wizard Setup This chapter provides information on the Wizard Setup screens in the web configurator. The Internet access wizard is only applicable when the ZyWALL is in router mode. 3.1 Wizard Setup Overview The web configurator's setup wizards help you configure Internet and VPN connection settings.
  • Page 76: Isp Parameters

    Chapter 3 Wizard Setup 3.2.1 ISP Parameters The ZyWALL offers three choices of encapsulation. They are Ethernet, PPTP or PPPoE. The wizard screen varies according to the type of encapsulation that you select in the Encapsulation field. 3.2.1.1 Ethernet For ISPs (such as Telstra) that send UDP heartbeat packets to verify that the customer is still online, please create a WAN-to-WAN/ZyWALL firewall rule for those packets.
  • Page 77: Figure 18 Isp Parameters: Pppoe Encapsulation

    Chapter 3 Wizard Setup Table 12 ISP Parameters: Ethernet Encapsulation LABEL DESCRIPTION My WAN IP Address: Enter your WAN IP address in this field. My WAN IP Subnet Mask: Enter the IP subnet mask in this field. Gateway IP Address: Enter the gateway IP address in this field. First DNS Server: Enter the DNS server's IP address(es) in the field(s) to the right.
  • Page 78: Table 13 Isp Parameters: Pppoe Encapsulation

    Chapter 3 Wizard Setup The following table describes the labels in this screen. Table 13 ISP Parameters: PPPoE Encapsulation LABEL DESCRIPTION ISP Parameter for Internet Access Encapsulation Choose an encapsulation method from the pull-down list box. PPP over Ethernet forms a dial-up connection. Service Name Type the name of your service provider.
  • Page 79: Figure 19 Isp Parameters: Pptp Encapsulation

    Chapter 3 Wizard Setup Figure 19 ISP Parameters: PPTP Encapsulation The following table describes the labels in this screen. Table 14 ISP Parameters: PPTP Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation Select PPTP from the drop-down list box. To configure a PPTP client, you must configure the User Name and Password fields for a PPP connection and the PPTP parameters for a PPTP connection.
  • Page 80: Internet Access Wizard: Second Screen

    Chapter 3 Wizard Setup Table 14 ISP Parameters: PPTP Encapsulation LABEL DESCRIPTION My IP Subnet Mask: Type the subnet mask assigned to you by your ISP (if given). Server IP Address: Type the IP address of the PPTP server. Connection ID/Name: Enter the connection ID or connection name in this field.
  • Page 81: Internet Access Wizard: Registration

    Chapter 3 Wizard Setup Figure 21 Internet Access Setup Complete 3.2.3 Internet Access Wizard: Registration If you clicked Next in the previous screen (see Figure 20 on page 80), the following screen displays. Use this screen to register the ZyWALL with myZyXEL.com. You must register your ZyWALL before you can activate trial applications of services like content filtering, anti-spam, anti-virus and IDP.
  • Page 82: Figure 22 Internet Access Wizard: Registration

    Chapter 3 Wizard Setup Figure 22 Internet Access Wizard: Registration The following table describes the labels in this screen. Table 15 Internet Access Wizard: Registration LABEL DESCRIPTION Device Registration If you select Existing myZyXEL.com account, only the User Name and Password fields are available.
  • Page 83: Internet Access Wizard: Status

    Chapter 3 Wizard Setup Figure 23 Internet Access Wizard: Registration in Progress 3.2.4 Internet Access Wizard: Status This screen shows your device registration and service subscription status. Click Close to leave the wizard screen when the registration and activation are done. Figure 24 Internet Access Wizard: Status The following screen appears if the registration was not successful.
  • Page 84: Internet Access Wizard: Service Activation

    Chapter 3 Wizard Setup 3.2.5 Internet Access Wizard: Service Activation If the ZyWALL has been registered, the Device Registration screen is read-only and the Service Activation screen appears indicating what trial applications are activated after you click Next. Figure 26 Internet Access Wizard: Registered Device Figure 27 Internet Access Wizard: Activated Services 3.3 VPN Wizard Gateway Setting Use this screen to name the VPN gateway policy (IKE SA) and identify the IPSec routers at...
  • Page 85: Figure 28 Vpn Wizard: Gateway Setting

    Chapter 3 Wizard Setup Figure 28 VPN Wizard: Gateway Setting The following table describes the labels in this screen. Table 16 VPN Wizard: Gateway Setting LABEL DESCRIPTION Gateway Policy Property Name Type up to 32 characters to identify this VPN gateway policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
  • Page 86: Vpn Wizard Network Setting

    Chapter 3 Wizard Setup 3.4 VPN Wizard Network Setting Use this screen to name the VPN network policy (IPSec SA) and identify the devices behind the IPSec routers at either end of a VPN tunnel. Two active SAs cannot have the local and remote IP address(es) both the same. Two active SAs can have the same local or remote IP address, but not both.
  • Page 87: Vpn Wizard Ike Tunnel Setting (Ike Phase 1)

    Chapter 3 Wizard Setup Table 17 VPN Wizard: Network Setting LABEL DESCRIPTION Starting IP Address: When the Local Network field is configured to Single, enter a (static) IP address on the LAN behind your ZyWALL. When the Local Network field is configured to Range IP, enter the beginning (static) IP address in a range of computers on the LAN behind your ZyWALL.
  • Page 88: Figure 30 Vpn Wizard: Ike Tunnel Setting

    Chapter 3 Wizard Setup Figure 30 VPN Wizard: IKE Tunnel Setting The following table describes the labels in this screen. Table 18 VPN Wizard: IKE Tunnel Setting LABEL DESCRIPTION Negotiation Mode Select Main Mode for identity protection. Select Aggressive Mode to allow more incoming connections from dynamic IP addresses to use separate passwords.
  • Page 89: Vpn Wizard Ipsec Setting (Ike Phase 2)

    Chapter 3 Wizard Setup Table 18 VPN Wizard: IKE Tunnel Setting (continued) LABEL DESCRIPTION Pre-Shared Key Type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation. It is called "pre-shared" because you have to share it with another party before you can communicate with them over a secure connection.
  • Page 90: Vpn Wizard Status Summary

    Chapter 3 Wizard Setup The following table describes the labels in this screen. Table 19 VPN Wizard: IPSec Setting LABEL DESCRIPTION Encapsulation Mode Tunnel is compatible with NAT, Transport is not. Tunnel mode encapsulates the entire IP packet to transmit it securely. A Tunnel mode is required for gateway services to provide access to internal systems.
  • Page 91: Figure 32 Vpn Wizard: Vpn Status

    Chapter 3 Wizard Setup Figure 32 VPN Wizard: VPN Status The following table describes the labels in this screen. Table 20 VPN Wizard: VPN Status LABEL DESCRIPTION Gateway Policy Property Name This is the name of this VPN gateway policy. Gateway Policy Setting My ZyWALL...
  • Page 92 Chapter 3 Wizard Setup Table 20 VPN Wizard: VPN Status (continued) LABEL DESCRIPTION Network Policy Setting Local Network Starting IP Address This is a (static) IP address on the LAN behind your ZyWALL. Ending IP Address/ When the local network is configured for a single IP address, this field is N/A. Subnet Mask When the local network is configured for a range IP address, this is the end (static) IP address, in a range of computers on the LAN behind your ZyWALL.
  • Page 93: Vpn Wizard Setup Complete

    Chapter 3 Wizard Setup 3.8 VPN Wizard Setup Complete Congratulations! You have successfully set up the VPN rule for your ZyWALL. If you already had VPN rules configured, the wizard adds the new VPN rule after the last existing VPN rule. Figure 33 VPN Wizard Setup Complete ZyWALL 2WG User’s Guide...
  • Page 95: Tutorial

CHAPTER 4 Tutorial This chapter describes how to apply security settings to VPN traffic and how to set up a 3G WAN connection. 4.1 Security Settings for VPN Traffic The ZyWALL can apply the firewall and content filtering to the traffic going to or from the ZyWALL’s VPN tunnels.
  • Page 96: Configuring The Vpn Rule

    Chapter 4 Tutorial Figure 34 Firewall Rule for VPN 4.2.1 Configuring the VPN Rule This section shows how to configure a VPN rule on device A to let the network behind B access the FTP server. You would also have to configure a corresponding rule on device B. 1 Click Security >...
  • Page 97: Figure 36 Security > Vpn > Vpn Rules (Ike)> Add Gateway Policy

    Chapter 4 Tutorial Figure 36 SECURITY > VPN > VPN Rules (IKE)> Add Gateway Policy 3 Click the Add Network Policy icon. ZyWALL 2WG User’s Guide...
  • Page 98: Figure 37 Security > Vpn > Vpn Rules (Ike): With Gateway Policy Example

    Chapter 4 Tutorial Figure 37 SECURITY > VPN > VPN Rules (IKE): With Gateway Policy Example 4 Use this screen to specify which computers behind the routers can use the VPN tunnel. Configure the fields that are circled as follows and click Apply. You may notice that the example does not specify the port numbers.
  • Page 99: Configuring The Firewall Rules

    Chapter 4 Tutorial Figure 38 SECURITY > VPN > VPN Rules (IKE)> Add Network Policy 4.2.2 Configuring the Firewall Rules Suppose you have several VPN tunnels but you only want to allow device B’s network to access the FTP server. You also only want FTP traffic to go to the FTP server, so you want to block all other traffic types (like chat, e-mail, web and so on).
  • Page 100: Figure 39 Security > Firewall > Rule Summary

    Chapter 4 Tutorial 4.2.2.1 Firewall Rule to Allow Access Example Configure a firewall rule that allows FTP access from the VPN tunnel to the FTP server. 1 Click Security > Firewall > Rule Summary. 2 Select VPN to LAN as the packet direction and click Insert. Figure 39 SECURITY >...
  • Page 101: Figure 40 Security > Firewall > Rule Summary > Edit: Allow

    Chapter 4 Tutorial Figure 40 SECURITY > FIREWALL > Rule Summary > Edit: Allow 4 The rule displays in the summary list of VPN to LAN firewall rules. ZyWALL 2WG User’s Guide...
  • Page 102: Figure 41 Security > Firewall > Rule Summary: Allow

    Chapter 4 Tutorial Figure 41 SECURITY > FIREWALL > Rule Summary: Allow 4.2.2.2 Default Firewall Rule to Block Other Access Example Now you configure the default firewall rule to block all VPN to LAN traffic. This blocks any other types of access from VPN tunnels to the LAN FTP server. This means that you need to configure more firewall rules if you want to allow any other VPN tunnels to access the LAN.
  • Page 103: How To Set Up A 3G Wan Connection

    Chapter 4 Tutorial 4.3 How to Set up a 3G WAN Connection This section shows you how to configure and set up a 3G WAN connection on the ZyWALL. In this example, you have set up WAN 1 and want the ZyWALL to use both of the WAN interfaces (the physical WAN port and 3G card) for Internet access at the same time.
  • Page 104: Configuring Load Balancing

    Chapter 4 Tutorial 4.3.2 Configuring Load Balancing In this example, you have set up WAN 1 and want the ZyWALL to use both of the WAN interfaces (the physical WAN port and 3G card) at the same time. You also balance the load between the two WAN interfaces using weighted round-robin method.
  • Page 105: Figure 45 Tutorial: Home

    Chapter 4 Tutorial 2 In the network status table, make sure the status for WAN 1 and WAN 2 is not Down and there is an IP address. If the WAN 2 connection is not up, make sure you have entered the correct information in the WAN 2 screen and the signal strength to the service provider’s base station is not too low and can connect to a network.
  • Page 107: Registration

CHAPTER 5 Registration 5.1 myZyXEL.com overview myZyXEL.com is ZyXEL’s online services center where you can register your ZyWALL and manage subscription services available for the ZyWALL. You need to create an account before you can register your device and activate the services at myZyXEL.com.
  • Page 108: Registration

    Chapter 5 Registration 5.2 Registration To register your ZyWALL with myZyXEL.com and activate the content filtering service, click REGISTRATION in the navigation panel to open the screen as shown next. Figure 46 REGISTRATION The following table describes the labels in this screen. Table 21 REGISTRATION LABEL DESCRIPTION...
  • Page 109: Service

    Chapter 5 Registration Table 21 REGISTRATION LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. If the ZyWALL is registered already, this screen is read-only and indicates whether trial services are activated.
  • Page 110: Figure 48 Registration > Service

    Chapter 5 Registration Figure 48 REGISTRATION > Service The following table describes the labels in this screen. Table 22 REGISTRATION > Service LABEL DESCRIPTION Service Management Service This field displays the service name available on the ZyWALL. Status This field displays whether a service is activated (Active) or not (Inactive). Registration Type This field displays whether you applied for a trial application (Trial) or registered a service with your iCard’s PIN number (Standard).
  • Page 111: Network

    Network LAN Screens (113) Bridge Screens (125) WAN Screens (131) DMZ Screens (163) Wireless LAN (173)
  • Page 113: Lan Screens

CHAPTER 6 LAN Screens This chapter describes how to configure LAN settings. This chapter is only applicable when the ZyWALL is in router mode. 6.1 LAN, WAN and the ZyWALL A network is a shared communication system to which many computers are attached. The Local Area Network (LAN) includes the computers and networking devices in your home or office that you connect to the ZyWALL’s LAN ports.
  • Page 114: Private Ip Addresses

    Chapter 6 LAN Screens Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask. If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established.
  • Page 115: Dhcp

Chapter 6 LAN Screens 6.3 DHCP The ZyWALL can use DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) to automatically assign IP addresses, subnet masks, gateways, and some network information like the IP addresses of DNS servers to the computers on your LAN. You can alternatively have the ZyWALL relay DHCP information from another DHCP server.
  • Page 116: Wins

    Chapter 6 LAN Screens 224.0.0.0 is not assigned to any group and is used by IP multicast computers. The address 224.0.0.1 is used for query messages and is assigned to the permanent group of all IP hosts (including gateways). All hosts must join the 224.0.0.1 group in order to participate in IGMP. The address 224.0.0.2 is assigned to the multicast routers group.
  • Page 117: Figure 50 Network > Lan

    Chapter 6 LAN Screens Figure 50 NETWORK > LAN The following table describes the labels in this screen. Table 23 NETWORK > LAN LABEL DESCRIPTION LAN TCP/IP IP Address Type the IP address of your ZyWALL in dotted decimal notation. 192.168.1.1 is the factory default.
  • Page 118 Chapter 6 LAN Screens Table 23 NETWORK > LAN (continued) LABEL DESCRIPTION RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information.
  • Page 119: Lan Static Dhcp

Chapter 6 LAN Screens Table 23 NETWORK > LAN (continued) LABEL DESCRIPTION Allow between LAN and WAN2 Select this check box to forward NetBIOS packets from the LAN to WAN 2 and from WAN 2 to the LAN. If your firewall is enabled with the default policy set to block WAN 2 to LAN traffic, you also need to enable the default WAN 2 to LAN firewall rule that forwards NetBIOS traffic.
  • Page 120: Lan Ip Alias

    Chapter 6 LAN Screens Figure 51 NETWORK > LAN > Static DHCP The following table describes the labels in this screen. Table 24 NETWORK > LAN > Static DHCP LABEL DESCRIPTION This is the index number of the Static IP table entry (row). MAC Address Type the MAC address of a computer on your LAN.
  • Page 121: Figure 52 Physical Network & Partitioned Logical Networks

    Chapter 6 LAN Screens The ZyWALL has a single LAN interface. Even though more than one of ports 1~4 may be in the LAN port role, they are all still part of a single physical Ethernet interface and all use the same IP address.
  • Page 122: Lan Port Roles

Chapter 6 LAN Screens The following table describes the labels in this screen. Table 25 NETWORK > LAN > IP Alias LABEL DESCRIPTION Enable IP Alias 1 Select the check box to configure another LAN network for the ZyWALL. IP Address Enter the IP address of your ZyWALL in dotted decimal notation.
  • Page 123: Figure 54 Network > Lan > Port Roles

    Chapter 6 LAN Screens Your changes are also reflected in the DMZ Port Roles and WLAN Port Roles screens. Figure 54 NETWORK > LAN > Port Roles The following table describes the labels in this screen. Table 26 NETWORK > LAN > Port Roles LABEL DESCRIPTION Select a port’s LAN radio button to use the port as part of the LAN.
  • Page 125: Bridge Screens

CHAPTER 7 Bridge Screens This chapter describes how to configure bridge settings. This chapter is only applicable when the ZyWALL is in bridge mode. 7.1 Bridge Loop The ZyWALL can act as a bridge between a switch and a wired LAN or between two routers. Be careful to avoid bridge loops when you enable bridging in the ZyWALL.
  • Page 126: Spanning Tree Protocol (Stp)

Chapter 7 Bridge Screens 7.2 Spanning Tree Protocol (STP) STP detects and breaks network loops and provides backup links between switches, bridges or routers. It allows a bridge to interact with other STP-compliant bridges in your network to ensure that only one route exists between any two stations on the network. 7.2.1 Rapid STP The ZyWALL uses IEEE 802.1w RSTP (Rapid Spanning Tree Protocol), which allows faster convergence of the spanning tree (while also being backwards compatible with STP-only...
  • Page 127: Stp Port States

    Chapter 7 Bridge Screens Once a stable network topology has been established, all bridges listen for Hello BPDUs (Bridge Protocol Data Units) transmitted from the root bridge. If a bridge does not get a Hello BPDU after a predefined interval (Max Age), the bridge assumes that the link to the root bridge is down.
  • Page 128: Figure 57 Network > Bridge

    Chapter 7 Bridge Screens Figure 57 NETWORK > Bridge The following table describes the labels in this screen. Table 29 NETWORK > Bridge LABEL DESCRIPTION Bridge IP Address Setup IP Address Type the IP address of your ZyWALL in dotted decimal notation. IP Subnet Mask The subnet mask specifies the network number portion of an IP address.
  • Page 129: Bridge Port Roles

    Chapter 7 Bridge Screens Table 29 NETWORK > Bridge (continued) LABEL DESCRIPTION Bridge Priority Enter a number between 0 and 61440 as bridge priority of the ZyWALL. Bridge priority is used in determining the root switch, root port and designated port. The switch with the highest priority (lowest numeric value) becomes the root.
  • Page 130: Figure 58 Network > Bridge > Port Roles

    Chapter 7 Bridge Screens Figure 58 NETWORK > Bridge > Port Roles The following table describes the labels in this screen. Table 30 NETWORK > Bridge > Port Roles LABEL DESCRIPTION Select a port’s LAN radio button to use the port as part of the LAN. Select a port’s DMZ radio button to use the port as part of the DMZ.
  • Page 131: Wan Screens

CHAPTER 8 WAN Screens This chapter describes how to configure WAN settings. WAN 2 refers to the 3G card on the supported ZyWALL in router mode. 8.1 WAN Overview • Use the WAN General screen to configure load balancing, route priority and traffic redirect properties for the ZyWALL.
  • Page 132: Load Balancing Introduction

    Chapter 8 WAN Screens The ZyWALL's NAT feature allows you to configure sets of rules for one WAN interface and separate sets of rules for the other WAN interface. Refer to Chapter 17 on page 329 for details. You can select through which WAN interface you want to send out traffic from UPnP-enabled applications (see Chapter 23 on page 405).
  • Page 133: Weighted Round Robin

    Chapter 8 WAN Screens Figure 60 Least Load First Example If the outbound bandwidth utilization is used as the load balancing index and the measured outbound throughput of WAN 1 is 412K and WAN 2 is 198K, the ZyWALL calculates the load balancing index as shown in the table below.
  • Page 134: Spillover

    Chapter 8 WAN Screens This algorithm is best suited for situations when the bandwidths set for the two WAN interfaces are different. For example, in the figure below, the configured available bandwidth of WAN1 is 1M and WAN2 is 512K. You can set the ZyWALL to distribute the network traffic between the two interfaces by setting the weight of WAN1 and WAN2 to 2 and 1 respectively.
  • Page 135: Tcp/Ip Priority (Metric)

    Chapter 8 WAN Screens 8.5 TCP/IP Priority (Metric) The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost". RIP routing uses hop count as the measurement of cost, with a minimum of "1" for directly connected networks. The number must be between "1"...
  • Page 136: Figure 63 Network > Wan General

    Chapter 8 WAN Screens Figure 63 NETWORK > WAN General ZyWALL 2WG User’s Guide...
  • Page 137: Table 33 Network > Wan General

Chapter 8 WAN Screens The following table describes the labels in this screen. Table 33 NETWORK > WAN General LABEL DESCRIPTION Active/Passive (Fail Over) Mode Select the Active/Passive (fail over) operation mode to have the ZyWALL use the second highest priority WAN interface as a back up. This means that the ZyWALL will normally use the highest priority (primary) WAN interface (depending on the priorities you configure in the Route Priority fields).
  • Page 138 Chapter 8 WAN Screens Table 33 NETWORK > WAN General (continued) LABEL DESCRIPTION Check WAN1/2 Connectivity Select the check box to have the ZyWALL periodically test the respective WAN interface's connection. Select Ping Default Gateway to have the ZyWALL ping the WAN interface's default gateway IP address.
  • Page 139: Configuring Load Balancing

    Chapter 8 WAN Screens Table 33 NETWORK > WAN General (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. 8.7 Configuring Load Balancing To configure load balancing on the ZyWALL, click NETWORK > WAN in the navigation panel.
  • Page 140: Weighted Round Robin

Chapter 8 WAN Screens Table 34 Load Balancing: Least Load First (continued) LABEL DESCRIPTION Interface This field displays the name of the WAN interface (WAN 1 and WAN 2). Available Inbound This field is applicable when you select Outbound + Inbound or Inbound Only in the Load Balancing Index(es) field.
  • Page 141: Wan Ip Address Assignment

    Chapter 8 WAN Screens Configure the Route Priority metrics in the WAN General screen to determine the primary and secondary WANs. By default, WAN 1 is the primary WAN and WAN 2 is the secondary WAN. Figure 66 Load Balancing: Spillover The following table describes the related fields in this screen.
  • Page 142: Dns Server Address Assignment

    Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa, for instance, the IP address of www.zyxel.com is 204.217.0.2. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it.
  • Page 143: Wan 1

    Chapter 8 WAN Screens 8.11 WAN 1 To change your ZyWALL's WAN 1 ISP, IP and MAC settings, click NETWORK > WAN > WAN 1. The screen differs by the encapsulation. The WAN 1 and WAN 2 IP addresses of a ZyWALL with multiple WAN interfaces must be on different subnets.
  • Page 144: Table 39 Network > Wan > Wan 1 (Ethernet Encapsulation)

    Chapter 8 WAN Screens The following table describes the labels in this screen. Table 39 NETWORK > WAN > WAN 1 (Ethernet Encapsulation) LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
  • Page 145 Chapter 8 WAN Screens Table 39 NETWORK > WAN > WAN 1 (Ethernet Encapsulation) (continued) LABEL DESCRIPTION RIP Direction RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets.
  • Page 146: Pppoe Encapsulation

    Chapter 8 WAN Screens 8.11.2 PPPoE Encapsulation The ZyWALL supports PPPoE (Point-to-Point Protocol over Ethernet). PPPoE is an IETF standard (RFC 2516) specifying how a personal computer (PC) interacts with a broadband modem (DSL, cable, wireless, etc.) connection. The PPPoE option is for a dial-up connection using PPPoE.
  • Page 147: Figure 68 Network > Wan > Wan 1 (Pppoe Encapsulation)

    Chapter 8 WAN Screens Figure 68 NETWORK > WAN > WAN 1 (PPPoE Encapsulation) The following table describes the labels in this screen. Table 40 NETWORK > WAN > WAN 1 (PPPoE Encapsulation) LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation Select PPPoE for a dial-up connection using PPPoE.
  • Page 148 Chapter 8 WAN Screens Table 40 NETWORK > WAN > WAN 1 (PPPoE Encapsulation) (continued) LABEL DESCRIPTION Authentication Type The ZyWALL supports PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol). CHAP is more secure than PAP; however, PAP is readily available on more platforms. Use the drop-down list box to select an authentication protocol for outgoing calls.
  • Page 149: Pptp Encapsulation

    Chapter 8 WAN Screens Table 40 NETWORK > WAN > WAN 1 (PPPoE Encapsulation) (continued) LABEL DESCRIPTION Enable Multicast Select this check box to turn on IGMP (Internet Group Multicast Protocol). IGMP is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data.
  • Page 150: Figure 69 Network > Wan > Wan 1 (Pptp Encapsulation)

    Chapter 8 WAN Screens Figure 69 NETWORK > WAN > WAN 1 (PPTP Encapsulation) The following table describes the labels in this screen. Table 41 NETWORK > WAN > WAN 1 (PPTP Encapsulation) LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation Set the encapsulation method to PPTP.
  • Page 151 Chapter 8 WAN Screens Table 41 NETWORK > WAN > WAN 1 (PPTP Encapsulation) (continued) LABEL DESCRIPTION Authentication Type The ZyWALL supports PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol). CHAP is more secure than PAP; however, PAP is readily available on more platforms. Use the drop-down list box to select an authentication protocol for outgoing calls.
  • Page 152: Wan 2 (3G Wan)

    Chapter 8 WAN Screens Table 41 NETWORK > WAN > WAN 1 (PPTP Encapsulation) (continued) LABEL DESCRIPTION RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). Choose RIP-1, RIP-2B or RIP-2M.
  • Page 153: Table 42 2G, 2.5G, 2.75G And 3G Of Wireless Technologies

Chapter 8 WAN Screens The 3G downstream data rate can be up to 900 Kbps and upstream data rate can be up to 384 Kbps when you use the Sierra AC850/860 3G card in the ZyWALL. The actual data rate you obtain varies depending on the 3G card you use, the signal strength to the service provider’s base station, etc.
  • Page 154: Figure 70 Network > Wan > Wan 2 (3G Wan)

    Chapter 8 WAN Screens The WAN 1 and WAN 2 IP addresses of a ZyWALL with multiple WAN interfaces must be on different subnets. Figure 70 NETWORK > WAN > WAN 2 (3G WAN) The following table describes the labels in this screen. Table 43 NETWORK >...
  • Page 155 Chapter 8 WAN Screens Table 43 NETWORK > WAN > WAN 2 (3G WAN) (continued) LABEL DESCRIPTION Retype to Confirm Type your password again to make sure that you have entered it correctly. PIN Code A PIN (Personal Identification Number) code is a key to a 3G card. Without the PIN code, you cannot use the 3G card.
  • Page 156: Traffic Redirect

    Chapter 8 WAN Screens 8.13 Traffic Redirect Traffic redirect forwards WAN traffic to a backup gateway when the ZyWALL cannot connect to the Internet through its normal gateway. Connect the backup gateway on the WAN so that the ZyWALL still provides firewall protection for the LAN. Figure 71 Traffic Redirect WAN Setup IP alias allows you to avoid triangle route security issues when the backup gateway is connected to the LAN or DMZ.
  • Page 157: Configuring Dial Backup

    Chapter 8 WAN Screens Figure 73 NETWORK > WAN > Traffic Redirect The following table describes the labels in this screen. Table 44 NETWORK > WAN > Traffic Redirect LABEL DESCRIPTION Active Select this check box to have the ZyWALL use traffic redirect if the normal WAN connection goes down.
  • Page 158: Figure 74 Network > Wan > Dial Backup

    Chapter 8 WAN Screens Figure 74 NETWORK > WAN > Dial Backup The following table describes the labels in this screen. Table 45 NETWORK > WAN > Dial Backup LABEL DESCRIPTION Dial Backup Setup Enable Dial Backup Select this check box to turn on dial backup. Basic Settings Login Name Type the login name assigned by your ISP.
  • Page 159 Chapter 8 WAN Screens Table 45 NETWORK > WAN > Dial Backup (continued) LABEL DESCRIPTION Authentication Type Use the drop-down list box to select an authentication protocol for outgoing calls. Options are: CHAP/PAP - Your ZyWALL accepts either CHAP or PAP when requested by this remote node.
  • Page 160: Advanced Modem Setup

    Chapter 8 WAN Screens Table 45 NETWORK > WAN > Dial Backup (continued) LABEL DESCRIPTION RIP Direction RIP (Routing Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets. Choose Both, In Only or Out Only.
  • Page 161: Dtr Signal

    Chapter 8 WAN Screens 8.16.2 DTR Signal The majority of WAN devices default to hanging up the current call when the DTR (Data Terminal Ready) signal is dropped by the DTE. When the Drop DTR When Hang Up check box is selected, the ZyWALL uses this hardware signal to force the WAN device to hang up, in addition to issuing the drop command ATH.
  • Page 162: Table 46 Network > Wan > Dial Backup > Edit

    Chapter 8 WAN Screens The following table describes the labels in this screen. Table 46 NETWORK > WAN > Dial Backup > Edit LABEL DESCRIPTION AT Command Strings Dial Type the AT Command string to make a call. Drop Type the AT Command string to drop a call. "~" represents a one second wait, for example, "~~~+++~~ath"...
  • Page 163: Dmz Screens

CHAPTER 9 DMZ Screens This chapter describes how to configure the ZyWALL’s DMZ. 9.1 DMZ The DeMilitarized Zone (DMZ) provides a way for public servers (Web, e-mail, FTP, etc.) to be visible to the outside world (while still being protected from DoS (Denial of Service) attacks such as SYN flooding and Ping of Death).
  • Page 164: Figure 76 Network > Dmz

    Chapter 9 DMZ Screens Figure 76 NETWORK > DMZ The following table describes the labels in this screen. Table 47 NETWORK > DMZ LABEL DESCRIPTION DMZ TCP/IP IP Address Type the IP address of your ZyWALL’s DMZ port in dotted decimal notation. Note: Make sure the IP addresses of the LAN, WAN, WLAN and DMZ are on separate subnets.
  • Page 165 Chapter 9 DMZ Screens Table 47 NETWORK > DMZ (continued) LABEL DESCRIPTION RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information. RIP-1 is probably adequate for most networks, unless you have an unusual network topology.
  • Page 166: Dmz Static Dhcp

Chapter 9 DMZ Screens Table 47 NETWORK > DMZ (continued) LABEL DESCRIPTION Allow between DMZ and WAN 2 Select this check box to forward NetBIOS packets from the DMZ to WAN 2 and from WAN 2 to the DMZ. Clear this check box to block all NetBIOS packets going from the DMZ to WAN 2 and from WAN 2 to the DMZ.
  • Page 167: Dmz Ip Alias

    Chapter 9 DMZ Screens Figure 77 NETWORK > DMZ > Static DHCP The following table describes the labels in this screen. Table 48 NETWORK > DMZ > Static DHCP LABEL DESCRIPTION This is the index number of the Static IP table entry (row). MAC Address Type the MAC address of a computer on your DMZ.
  • Page 168: Figure 78 Network > Dmz > Ip Alias

    Chapter 9 DMZ Screens The ZyWALL has a single DMZ interface. Even though more than one of ports 1~4 may be in the DMZ port role, they are all still part of a single physical Ethernet interface and all use the same IP address.
  • Page 169: Dmz Public Ip Address Example

    Chapter 9 DMZ Screens Table 49 NETWORK > DMZ > IP Alias (continued) LABEL DESCRIPTION IP Subnet Mask Your ZyWALL will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyWALL.
  • Page 170: Dmz Private And Public Ip Address Example

    Chapter 9 DMZ Screens Figure 79 DMZ Public Address Example 9.6 DMZ Private and Public IP Address Example The following figure shows a network setup with both private and public IP addresses on the DMZ. Lower case letters represent public IP addresses (like a.b.c.d for example). The LAN port and connected computers (A through C) use private IP addresses that are in one subnet.
  • Page 171: Dmz Port Roles

Chapter 9 DMZ Screens Figure 80 DMZ Private and Public Address Example 9.7 DMZ Port Roles Use the Port Roles screen to set ports as part of the LAN, DMZ and/or WLAN interface. Ports 1~4 on the ZyWALL can be part of the LAN, DMZ or WLAN interface. Do the following if you are configuring from a computer connected to a LAN, DMZ or WLAN port and changing the port's role: 1 A port's IP address varies as its role changes, so make sure your computer's IP address is in...
  • Page 172: Figure 81 Network > Dmz > Port Roles

    Chapter 9 DMZ Screens Figure 81 NETWORK > DMZ > Port Roles The following table describes the labels in this screen. Table 50 NETWORK > DMZ > Port Roles LABEL DESCRIPTION Select a port’s LAN radio button to use the port as part of the LAN. The port will use the ZyWALL’s LAN IP address and MAC address.
  • Page 173: Wireless Lan

CHAPTER 10 Wireless LAN This chapter discusses how to configure wireless LAN on the ZyWALL. 10.1 Wireless LAN Introduction A wireless LAN can be as simple as two computers with wireless LAN adapters communicating in a peer-to-peer network or as complex as a number of computers with wireless LAN adapters communicating through access points which bridge network traffic to the wired LAN.
  • Page 174: Configuring Wlan

    Chapter 10 Wireless LAN • Every wireless client in the same wireless network must use the same SSID. The SSID is the name of the wireless network. It stands for Service Set IDentity. • If two wireless networks overlap, they should use different channels. Like radio stations or television channels, each wireless network uses a specific channel, or frequency, to send and receive information.
  • Page 175: Figure 83 Network > Wlan

    Chapter 10 Wireless LAN Figure 83 NETWORK > WLAN The following table describes the labels in this screen. Table 51 NETWORK > WLAN LABEL DESCRIPTION WLAN TCP/IP IP Address Type the IP address of your ZyWALL’s WLAN interface in dotted decimal notation. Alternatively, click the right mouse button to copy and/or paste the IP address.
  • Page 176 Chapter 10 Wireless LAN Table 51 NETWORK > WLAN (continued) LABEL DESCRIPTION RIP Version The RIP Version field controls the format and the broadcasting method of the RIP packets that the ZyWALL sends (it recognizes both formats when receiving). RIP-1 is universally supported but RIP-2 carries more information.
  • Page 177: Wlan Static Dhcp

Chapter 10 Wireless LAN Table 51 NETWORK > WLAN (continued) LABEL DESCRIPTION Allow between WLAN and WAN 2 Select this check box to forward NetBIOS packets from the WLAN to WAN 2 and from WAN 2 to the WLAN. Clear this check box to block all NetBIOS packets going from the WLAN to WAN 2 and from WAN 2 to the WLAN.
  • Page 178: Wlan Ip Alias

    Chapter 10 Wireless LAN Figure 84 NETWORK > WLAN > Static DHCP The following table describes the labels in this screen. Table 52 NETWORK > WLAN > Static DHCP LABEL DESCRIPTION This is the index number of the Static IP table entry (row). MAC Address Type the MAC address of a computer on your WLAN.
  • Page 179: Figure 85 Network > Wlan > Ip Alias

    Chapter 10 Wireless LAN The ZyWALL has a single WLAN interface. Even though more than one of ports 1~4 may be in the WLAN port role, they are all still part of a single physical Ethernet interface and all use the same IP address.
  • Page 180: Wlan Port Roles

    Chapter 10 Wireless LAN Table 53 NETWORK > WLAN > IP Alias (continued) LABEL DESCRIPTION RIP Direction RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers. The RIP Direction field controls the sending and receiving of RIP packets.
  • Page 181: Figure 86 Wlan Port Role Example

    Figure 86 WLAN Port Role Example Do the following if you are configuring from a computer connected to a LAN, DMZ or WLAN port and changing the port's role: 1 A port's IP address varies as its role changes, so make sure your computer's IP address is in the same subnet as the ZyWALL's LAN, DMZ or WLAN IP address.
  • Page 182: Wireless Security Overview

    The following table describes the labels in this screen. Table 54 NETWORK > WLAN > Port Roles LABEL DESCRIPTION Select a port’s LAN radio button to use the port as part of the LAN. The port will use the LAN IP address.
  • Page 183: Mac Address Filter

    10.6.2 MAC Address Filter Every wireless client has a unique identification number, called a MAC address. A MAC address is usually written using twelve hexadecimal characters; for example, 00A0C5000002 or 00:A0:C5:00:00:02. To get the MAC address for each wireless client, see the appropriate User’s Guide or other documentation.
  • Page 184: Additional Installation Requirements For Using 802.1X

    The types of encryption you can choose depend on the type of user authentication. (See Section 10.6.3 on page 183 for information about this.) Table 55 Types of Encryption for Each Type of Authentication No Authentication RADIUS Server Weakest No Security...
  • Page 185: Wireless Card

    10.7 Wireless Card If you are configuring the ZyWALL from a computer connected to the wireless LAN and you change the ZyWALL’s SSID or security settings, you will lose your wireless connection when you press Apply to confirm. You must then change the wireless settings of your computer to match the ZyWALL’s new settings.
  • Page 186: Table 56 Network > Wireless Card

    The following table describes the labels in this screen. Table 56 NETWORK > WIRELESS CARD LABEL DESCRIPTION Enable Wireless Card The wireless LAN through a wireless LAN card is turned off by default; before you enable the wireless LAN you should configure some security by setting MAC filters and/or 802.1x security;...
  • Page 187: Ssid Profile

    Table 56 NETWORK > WIRELESS CARD (continued) LABEL DESCRIPTION Select SSID Profile An SSID profile is the set of parameters relating to one of the ZyWALL’s BSSs. The SSID (Service Set IDentifier) identifies the Service Set with which a wireless client is associated.
  • Page 188: Configuring Wireless Security

    Figure 90 Configuring SSID The following table describes the labels in this screen. Table 57 Configuring SSID LABEL DESCRIPTION Name Enter a name (up to 32 printable 7-bit ASCII characters) identifying this profile. SSID When a wireless client scans for an AP to associate with, this is the name that is broadcast and seen in the wireless client utility.
  • Page 189: Figure 91 Network > Wireless Card > Security

    The following table describes the security modes you can configure. Table 58 Security Modes SECURITY MODE DESCRIPTION None Select this to have no data encryption. WEP Select this to use WEP encryption. 802.1x-Only Select this to use 802.1x authentication with no data encryption. 802.1x-Static64 Select this to use 802.1x authentication with a static 64-bit WEP key and an authentication server.
  • Page 190: No Security

    10.8.1 No Security If you do not enable any wireless security on your ZyWALL, your network is accessible to any wireless networking device within range. Figure 92 NETWORK > WIRELESS CARD > Security: None The following table describes the wireless LAN security labels in this screen. Table 60 NETWORK >...
  • Page 191: Ieee 802.1X Only

    Figure 93 NETWORK > WIRELESS CARD > Security: WEP The following table describes the labels in this screen. Table 61 NETWORK > WIRELESS CARD > Security: WEP LABEL DESCRIPTION Name Type a name to identify this security profile. Security Mode Select WEP from the drop-down list.
  • Page 192: Ieee 802.1X + Static Wep

    Figure 94 NETWORK > WIRELESS CARD > Security: 802.1x Only The following table describes the labels in this screen. Table 62 NETWORK > WIRELESS CARD > Security: 802.1x Only LABEL DESCRIPTION Name Type a name to identify this security profile. Security Mode Select 8021X-Only from the drop-down list.
  • Page 193: Figure 95 Network > Wireless Card > Security: 802.1X + Static Wep

    Figure 95 NETWORK > WIRELESS CARD > Security: 802.1x + Static WEP The following table describes the labels in this screen. Table 63 NETWORK > WIRELESS CARD > Security: 802.1x + Static WEP LABEL DESCRIPTION Name Type a name to identify this security profile.
  • Page 194: Wpa, Wpa2, Wpa2-Mix

    10.8.5 WPA, WPA2, WPA2-MIX Click NETWORK > WIRELESS CARD > Security > Edit. Select WPA, WPA2 or WPA2-MIX from the Security Mode list. Figure 96 NETWORK > WIRELESS CARD > Security: WPA, WPA2 or WPA2-MIX The following table describes the labels in this screen. Table 64 NETWORK >...
  • Page 195: Wpa-Psk, Wpa2-Psk, Wpa2-Psk-Mix

    Table 64 NETWORK > WIRELESS CARD > Security: WPA, WPA2 or WPA2-MIX LABEL DESCRIPTION Apply Click Apply to save your customized settings and exit this screen. Cancel Click Cancel to exit this screen without saving. 10.8.6 WPA-PSK, WPA2-PSK, WPA2-PSK-MIX Click NETWORK >...
  • Page 196: Mac Filter

    Table 65 NETWORK > WIRELESS CARD > Security: WPA(2)-PSK (continued) LABEL DESCRIPTION Group Key Update Timer The Group Key Update Timer is the rate at which the AP sends a new group key out to all clients. The re-keying process is the WPA equivalent of automatically changing the WEP key for an AP and all stations in a WLAN on a periodic basis.
  • Page 197: Table 66 Network > Wireless Card > Mac Filter

    The following table describes the labels in this menu. Table 66 NETWORK > WIRELESS CARD > MAC Filter LABEL DESCRIPTION Association Define the filter action for the list of MAC addresses in the MAC address filter table. Select Deny to block access to the router; MAC addresses not listed will be allowed to access the router.
  • Page 199: Security

    Security Firewall (201) Content Filtering Screens (231) Content Filtering Reports (249) IPSec VPN (257) Certificates (297) Authentication Server (323)
  • Page 201: Firewall

    CHAPTER 11 Firewall This chapter shows you how to configure your ZyWALL’s firewall. 11.1 Firewall Overview In networking, a firewall is a system or group of systems that enforces an access-control policy between two networks. It is generally a mechanism used to protect a trusted network from an untrusted network.
  • Page 202: Packet Direction Matrix

    Your customized rules take precedence and override the ZyWALL’s default settings. The ZyWALL checks the source IP address, destination IP address and IP protocol type of network traffic against the firewall rules (in the order you list them). When the traffic matches a rule, the ZyWALL takes the action specified in the rule.
  • Page 203: Packet Direction Examples

    To have the ZyWALL silently block traffic from WAN 1 to the DMZ interfaces by default, find where the From WAN1 row and the To DMZ column intersect and set the field to Drop as shown. Figure 101 Default Block Traffic From WAN1 to DMZ Example 11.3 Packet Direction Examples Firewall rules are grouped based on the direction of travel of packets to which they apply.
  • Page 204: To Vpn Packet Direction

    By default, the ZyWALL drops packets traveling in the following directions. • WAN 1 to LAN These rules specify which computers connected to WAN 1 can access which computers or services on the LAN. For example, you may create rules to: •...
  • Page 205: Figure 102 From Lan To Vpn Example

    For example, by default the From LAN To VPN default firewall rule allows traffic from the LAN computers to go out through any of the ZyWALL’s VPN tunnels. You could configure the From DMZ To VPN default rule to have the ZyWALL silently block traffic from the DMZ computers going out through any of the ZyWALL’s VPN tunnels.
  • Page 206: From Vpn Packet Direction

    11.3.2 From VPN Packet Direction You can also apply firewall rules to traffic that comes in through the ZyWALL’s VPN tunnels. The ZyWALL decrypts the VPN traffic and then applies the firewall rules. From VPN means traffic that came into the ZyWALL through a VPN tunnel and is going to the selected “to” interface.
  • Page 207: From Vpn To Vpn Packet Direction

    Figure 105 Block VPN to LAN Traffic by Default Example 11.3.3 From VPN To VPN Packet Direction From VPN To VPN firewall rules apply to traffic that comes in through one of the ZyWALL’s VPN tunnels and terminates at the ZyWALL (like for remote management) or goes out through another of the ZyWALL’s VPN tunnels (this is called hub-and-spoke VPN; see Section 14.19 on page 294 for details).
  • Page 208: Figure 106 From Vpn To Vpn Example

    Figure 106 From VPN to VPN Example You would configure the SECURITY > FIREWALL > Default Rule screen as follows. Figure 107 Block VPN to VPN Traffic by Default Example
  • Page 209: Security Considerations

    11.4 Security Considerations Incorrectly configuring the firewall may block valid access or introduce security risks to the ZyWALL and your protected network. Use caution when creating or deleting firewall rules and test your rules after you configure them. Consider these security ramifications before creating a rule: 1 Does this rule stop LAN users from accessing critical resources on the Internet? For example, if IRC is blocked, are there users that require this service?
  • Page 210: Figure 109 Limited Lan To Wan Irc Traffic Example

    Your firewall would have the following configuration. Table 67 Blocking All LAN to WAN IRC Traffic Example SOURCE DESTINATION SCHEDULE SERVICE ACTION Drop Default Allow • The first row blocks LAN access to the IRC service on the WAN. •...
  • Page 211: Asymmetrical Routes

    • The first row allows the LAN computer at IP address 192.168.1.7 to access the IRC service on the WAN. • The second row blocks LAN access to the IRC service on the WAN. • The third row is (still) the firewall’s default policy of allowing all traffic from the LAN to go to the WAN.
  • Page 212: Firewall Default Rule (Router Mode)

    Figure 110 Using IP Alias to Solve the Triangle Route Problem 11.7 Firewall Default Rule (Router Mode) Click SECURITY > FIREWALL to open the Default Rule screen. Use this screen to configure general firewall settings when the ZyWALL is set to router mode. Figure 111 SECURITY >...
  • Page 213: Table 69 Security > Firewall > Default Rule (Router Mode)

    The following table describes the labels in this screen. Table 69 SECURITY > FIREWALL > Default Rule (Router Mode) LABEL DESCRIPTION Enable Firewall Select this check box to activate the firewall. The ZyWALL performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated. Allow Asymmetrical If an alternate gateway on the LAN has an IP address in the same subnet as the...
  • Page 214: Firewall Default Rule (Bridge Mode)

    Table 69 SECURITY > FIREWALL > Default Rule (Router Mode) (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. 11.8 Firewall Default Rule (Bridge Mode) Click SECURITY >...
  • Page 215: Firewall Rule Summary

    The following table describes the labels in this screen. Table 70 SECURITY > FIREWALL > Default Rule (Bridge Mode) LABEL DESCRIPTION Enable Firewall Select this check box to activate the firewall. The ZyWALL performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated. From, To Set the firewall’s default actions based on the direction of travel of packets.
  • Page 216: Figure 113 Security > Firewall > Rule Summary

    The ordering of your rules is very important as rules are applied in the order that they are listed. See Section 11.1 on page 201 for more information about the firewall. Figure 113 SECURITY > FIREWALL > Rule Summary The following table describes the labels in this screen.
  • Page 217: Firewall Edit Rule

    Table 71 SECURITY > FIREWALL > Rule Summary LABEL DESCRIPTION Source Address This drop-down list box displays the source addresses or ranges of addresses to which this firewall rule applies. Please note that a blank source or destination address is equivalent to Any.
  • Page 218: Figure 114 Security > Firewall > Rule Summary > Edit

    Figure 114 SECURITY > FIREWALL > Rule Summary > Edit
  • Page 219: Table 72 Security > Firewall > Rule Summary > Edit

    The following table describes the labels in this screen. Table 72 SECURITY > FIREWALL > Rule Summary > Edit LABEL DESCRIPTION Rule Name Enter a descriptive name of up to 31 printable ASCII characters (except Extended ASCII characters) for the firewall rule. Spaces are allowed. Edit Source/ Destination Address...
  • Page 220: Anti-Probing

    Table 72 SECURITY > FIREWALL > Rule Summary > Edit LABEL DESCRIPTION Action for Matched Packets Use the drop-down list box to select what the firewall is to do with packets that match this rule. Select Drop to silently discard the packets without sending a TCP reset packet or an ICMP destination-unreachable message to the sender.
  • Page 221: Firewall Thresholds

    The following table describes the labels in this screen. Table 73 SECURITY > FIREWALL > Anti-Probing LABEL DESCRIPTION Respond to PING Select the check boxes of the interfaces that you want to reply to incoming Ping requests. Clear an interface’s check box to have the ZyWALL not respond to any Ping requests that come into that interface.
  • Page 222: Threshold Values

    11.11.1 Threshold Values If everything is working properly, you probably do not need to change the threshold settings as the default threshold values should work for most small offices. Tune these parameters when you believe the ZyWALL has been receiving DoS attacks that are not recorded in the logs or the logs show that the ZyWALL is classifying normal traffic as DoS attacks.
  • Page 223: Table 74 Security > Firewall > Threshold

    The following table describes the labels in this screen. Table 74 SECURITY > FIREWALL > Threshold LABEL DESCRIPTION Disable DoS Attack Protection on Select the check boxes of any interfaces (or all VPN tunnels) for which you want the ZyWALL to not use the Denial of Service protection thresholds.
  • Page 224: Service

    11.13 Service Click SECURITY > FIREWALL > Service to open the screen as shown next. Use this screen to configure custom services for use in firewall rules or view the services that are predefined in the ZyWALL. See Section 11.1 on page 201 for more information about the firewall.
  • Page 225: Firewall Edit Custom Service

    Table 75 SECURITY > FIREWALL > Service (continued) LABEL DESCRIPTION Protocol This is the IP protocol type. If you selected Custom, this is the IP protocol value you entered. Attribute This is the IP port number or ICMP type and code that defines the service. Modify Click the edit icon to go to the screen where you can edit the service.
  • Page 226: My Service Firewall Rule Example

    The following table describes the labels in this screen. Table 76 SECURITY > FIREWALL > Service > Add LABEL DESCRIPTION Service Name Enter a descriptive name of up to 31 printable ASCII characters (except Extended ASCII characters) for the custom service. You cannot use the “(” character.
  • Page 227: Figure 121 My Service Firewall Rule Example: Edit Custom Service

    Figure 121 My Service Firewall Rule Example: Edit Custom Service 3 Click Rule Summary. Select WAN to LAN from the Packet Direction drop-down list box. 4 In the Rule Summary screen, type the index number for where you want to put the rule. For example, if you type 6, your new rule becomes number 6 and the previous rule 6 (if there is one) becomes rule 7.
  • Page 228: Figure 123 My Service Firewall Rule Example: Rule Edit

    Figure 123 My Service Firewall Rule Example: Rule Edit 9 In the Edit Rule screen, use the arrows between Available Services and Selected Service(s) to configure it as follows. Click Apply when you are done. Custom services show up with an * before their names in the Services list box and the Rule Summary list box.
  • Page 229: Figure 124 My Service Firewall Rule Example: Rule Configuration

    Figure 124 My Service Firewall Rule Example: Rule Configuration Rule 1 allows a My Service connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN.
  • Page 230: Figure 125 My Service Firewall Rule Example: Rule Summary

    Figure 125 My Service Firewall Rule Example: Rule Summary
  • Page 231: Content Filtering Screens

    CHAPTER 12 Content Filtering Screens This chapter provides an overview of content filtering. 12.1 Content Filtering Overview Content filtering allows you to block certain web features, such as Cookies, and/or block access to specific websites. With content filtering, you can do the following: 12.1.1 Restrict Web Features The ZyWALL can block web features such as ActiveX controls, Java applets, cookies and disable web proxies.
  • Page 232: Figure 126 Security > Content Filter > General

    Figure 126 SECURITY > CONTENT FILTER > General The following table describes the labels in this screen. Table 77 SECURITY > CONTENT FILTER > General LABEL DESCRIPTION General Setup Enable Content Filter Select this check box to enable the content filter. Content filtering works on HTTP traffic that is using TCP ports 80, 119, 3128 or 8080.
  • Page 233 Table 77 SECURITY > CONTENT FILTER > General LABEL DESCRIPTION Block ActiveX ActiveX is a tool for building dynamic and active web pages and distributed object applications. When you visit an ActiveX web site, ActiveX controls are downloaded to your browser, where they remain in case you visit the site again.
  • Page 234: Content Filtering With An External Database

    Table 77 SECURITY > CONTENT FILTER > General LABEL DESCRIPTION Delete Range Click Delete Range after you select the range of addresses you wish to delete. Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh.
  • Page 235 Use this screen to configure category-based content filtering. You can set the ZyWALL to use external database content filtering and select which web site categories to block and/or log. You must register for external content filtering before you can use it. Use the REGISTRATION screens (see Chapter 5 on page 107) to create a myZyXEL.com account,...
  • Page 236: Figure 128 Security > Content Filter > Categories

    Figure 128 SECURITY > CONTENT FILTER > Categories The following table describes the labels in this screen. Table 78 SECURITY > CONTENT FILTER > Categories LABEL DESCRIPTION Auto Category Setup Enable External Database Content Filtering Enable external database content filtering to have the ZyWALL check an external database to find the category to which a requested web page belongs.
  • Page 237 Table 78 SECURITY > CONTENT FILTER > Categories (continued) LABEL DESCRIPTION Unrated Web Pages Select Block to prevent users from accessing web pages that the external database content filtering has not categorized. When the external database content filtering blocks access to a web page, it displays the denied access message that you configured in the CONTENT FILTER General screen along with the category of the blocked web page.
  • Page 238 Table 78 SECURITY > CONTENT FILTER > Categories (continued) LABEL DESCRIPTION Nudity Selecting this category excludes pages containing nude or seminude depictions of the human body. These depictions are not necessarily sexual in intent or effect, but may include pages containing nude paintings or photo galleries of artistic nature.
  • Page 239 Table 78 SECURITY > CONTENT FILTER > Categories (continued) LABEL DESCRIPTION Business/Economy Selecting this category excludes pages devoted to business firms, business information, economics, marketing, business management and entrepreneurship. This does not include pages that perform services that are defined in another category (such as Information Technology companies, or companies that sell travel services).
  • Page 240 Table 78 SECURITY > CONTENT FILTER > Categories (continued) LABEL DESCRIPTION Health Selecting this category excludes pages that provide advice and information on general health such as fitness and well-being, personal health or medical services, drugs, alternative and complementary therapies, medical information about ailments, dentistry, optometry, general psychiatry, self-help, and support organizations dedicated to a disease or condition.
  • Page 241 Table 78 SECURITY > CONTENT FILTER > Categories (continued) LABEL DESCRIPTION Email Selecting this category excludes pages offering web-based email services, such as online email reading, e-cards, and mailing list services. Blogs/Newsgroups Selecting this category excludes pages that offer access to Usenet news groups or other messaging or bulletin board systems.
  • Page 242 Table 78 SECURITY > CONTENT FILTER > Categories (continued) LABEL DESCRIPTION Sports/Recreation/Hobbies Selecting this category excludes pages that promote or provide information about spectator sports, recreational activities, or hobbies. This includes pages that discuss or promote camping, gardening, and collecting.
  • Page 243: Content Filter Customization

    Table 78 SECURITY > CONTENT FILTER > Categories (continued) LABEL DESCRIPTION Content Filter Service Status This read-only field displays the status of your category-based content filtering (using an external database) service subscription. License Inactive displays if you have not registered and activated the category-based content filtering service.
  • Page 244: Figure 129 Security > Content Filter > Customization

    Figure 129 SECURITY > CONTENT FILTER > Customization The following table describes the labels in this screen. Table 79 SECURITY > CONTENT FILTER > Customization LABEL DESCRIPTION Web Site List Customization Enable Web site customization Select this check box to allow trusted web sites and block forbidden web sites.
  • Page 245: Customizing Keyword Blocking Url Checking

    Enter host names such as www.good-site.com into this text field. Do not enter the complete URL of the site – that is, do not include “http://”. All subdomains are allowed. For example, entering “zyxel.com” also allows “www.zyxel.com”, “partner.zyxel.com”, “press.zyxel.com”, etc.
  • Page 246: Domain Name Or Ip Address Url Checking

    12.6.2 Full Path URL Checking Full path URL checking has the ZyWALL check the characters that come before the last slash in the URL. For example, with the URL www.zyxel.com.tw/news/pressroom.php, full path URL checking searches for keywords within www.zyxel.com.tw/news/. Use the...
  • Page 247: Figure 130 Security > Content Filter > Cache

    Figure 130 SECURITY > CONTENT FILTER > Cache The following table describes the labels in this screen. Table 80 SECURITY > CONTENT FILTER > Cache LABEL DESCRIPTION URL Cache Setup Maximum TTL Type the maximum time to live (TTL) (1 to 720 hours). This sets how long the ZyWALL is to allow an entry to remain in the URL cache before discarding it.
  • Page 249: Content Filtering Reports

    CHAPTER 13 Content Filtering Reports This chapter describes how to view content filtering reports after you have activated the category-based content filtering subscription service. See Chapter 5 on page 107 for how to create a myZyXEL.com account, register your device and activate the subscription services using the REGISTRATION screens.
  • Page 250: Figure 131 Myzyxel.com: Login

    Figure 131 myZyXEL.com: Login 3 A welcome screen displays. Click your ZyWALL’s model name and/or MAC address under Registered ZyXEL Products. You can change the descriptive name for your ZyWALL using the Rename button in the Service Management screen (see...
  • Page 251: Figure 133 Myzyxel.com: Service Management

    Figure 133 myZyXEL.com: Service Management 5 Enter your ZyXEL device's MAC address (in lower case) in the Name field. You can find this MAC address in the Service Management screen (Figure 133 on page 251).
  • Page 252: Figure 135 Content Filtering Reports Main Screen

    Figure 135 Content Filtering Reports Main Screen 8 Select items under Global Reports or Single User Reports to view the corresponding reports. Figure 136 Blue Coat: Report Home 9 Select a time period in the Date Range field, either Allowed or Blocked in the Action Taken field and a category (or enter the user name if you want to view single user reports) and click Run Report. The screens vary according to the report type you selected in the Report Home screen.
  • Page 253: Figure 137 Global Report Screen Example

    Figure 137 Global Report Screen Example 11 You can click a category in the Categories report or click URLs in the Report Home screen to see the URLs that were requested.
  • Page 254: Web Site Submission

    Figure 138 Requested URLs Example 13.3 Web Site Submission You may find that a web site has not been accurately categorized or that a web site’s contents have changed and the content filtering category needs to be updated. Use the following procedure to submit the web site for review.
  • Page 255: Figure 139 Web Page Review Process Screen

    Figure 139 Web Page Review Process Screen 3 Type the web site’s URL in the field and click Submit to have the web site reviewed.
  • Page 257: Ipsec Vpn

    CHAPTER 14 IPSec VPN This chapter explains how to set up and maintain IPSec VPNs in the ZyWALL. First, it provides an overview of IPSec VPNs. Then, it introduces each screen for IPSec VPN in the ZyWALL.
  • Page 258: Ike Sa Overview

    A VPN tunnel is usually established in two phases. Each phase establishes a security association (SA), a contract indicating what security parameters the ZyWALL and the remote IPSec router will use. The first phase establishes an Internet Key Exchange (IKE) SA between the ZyWALL and remote IPSec router.
  • Page 259: Vpn Rules (Ike)

    You can usually provide a static IP address or a domain name for the ZyWALL. Sometimes, your ZyWALL might also offer another alternative, such as using the IP address of a port or interface. You can usually provide a static IP address or a domain name for the remote IPSec router as well.
  • Page 260: Figure 144 Security > Vpn > Vpn Rules (Ike)

    Figure 144 SECURITY > VPN > VPN Rules (IKE) The following table describes the labels in this screen. Table 81 SECURITY > VPN > VPN Rules (IKE) LABEL DESCRIPTION VPN Rules These VPN rules define the settings for creating VPN tunnels for secure connection to other computers or networks.
  • Page 261: Ike Sa Setup

    Table 81 SECURITY > VPN > VPN Rules (IKE) (continued) LABEL DESCRIPTION Click this icon to display a screen in which you can associate a network policy to a gateway policy. Click this icon to display a screen in which you can change the settings of a gateway or network policy.
  • Page 262: Figure 146 Ike Sa: Main Negotiation Mode, Steps 3 - 4: Dh Key Exchange

    See the field descriptions for information about specific encryption algorithms, authentication algorithms, and DH key groups. See Section 14.3.1.1 on page 262 for more information about DH key groups. 14.3.1.1 Diffie-Hellman (DH) Key Exchange The ZyWALL and the remote IPSec router use a DH key exchange to establish a shared secret, which is used to generate encryption keys for IKE SA and IPSec SA.
  • Page 263: Table 82 Vpn Example: Matching Id Type And Content

    Router identity consists of ID type and ID content. The ID type can be IP address, domain name, or e-mail address, and the ID content is a specific IP address, domain name, or e-mail address. The ID content is only used for identification; the IP address, domain name, or e-mail address that you enter does not have to actually exist.
  • Page 264 • If you set the peer ID type to Any, the ZyWALL authenticates the remote IPSec router using the trusted certificates and trusted CAs you have set up. Alternatively, if you want to use a specific certificate to authenticate the remote IPSec router, you can use the information in the certificate to specify the peer ID type and ID content.
  • Page 265: Additional Ipsec Vpn Topics

    Aggressive mode does not provide as much security as main mode because the identity of the ZyWALL and the identity of the remote IPSec router are not encrypted. It is usually used when the address of the initiator is not known by the responder and both parties want to use pre-shared keys for authentication (for example, telecommuters).
  • Page 266: Ipsec High Availability

    Otherwise, the ZyWALL must re-negotiate the SA the next time someone wants to send traffic. If the IKE SA times out while an IPSec SA is connected, the IPSec SA stays connected. An IPSec SA can be set to nailed up. Normally, the ZyWALL drops the IPSec SA when the life time expires or after two minutes of outbound traffic with no inbound traffic.
  • Page 267: Encryption And Authentication Algorithms

    • Should only have IPSec high availability settings in its corresponding IPSec rule if your ZyWALL has multiple WAN connections • Should ideally identify itself by a domain name or dynamic domain name (it must otherwise have My Address set to 0.0.0.0) •...
  • Page 268: Figure 150 Security > Vpn > Vpn Rules (Ike) > Edit Gateway Policy

    Figure 150 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy
  • Page 269: Table 84 Security > Vpn > Vpn Rules (Ike) > Edit Gateway Policy

    The following table describes the labels in this screen. Table 84 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy LABEL DESCRIPTION Property Name Type up to 32 characters to identify this VPN gateway policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
  • Page 270 Chapter 14 IPSec VPN Table 84 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy (continued) LABEL DESCRIPTION Fall back to Primary Remote Gateway when possible: Select this to have the ZyWALL change back to using the primary remote gateway if the connection becomes available again. Fall Back Check...
  • Page 271 Chapter 14 IPSec VPN Table 84 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy (continued) LABEL DESCRIPTION Peer ID Type Select from the following when you set Authentication Key to Pre-shared Key. Select IP to identify the remote IPSec router by its IP address. Select DNS to identify the remote IPSec router by a domain name.
  • Page 272 Chapter 14 IPSec VPN Table 84 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy (continued) LABEL DESCRIPTION Server Mode Select Server Mode to have this ZyWALL authenticate extended authentication clients that request this VPN connection. You must also configure the extended authentication clients’ usernames and passwords in the authentication server’s local user database or a RADIUS server (see Chapter 16 on page...
  • Page 273: Ipsec Sa Overview

    Chapter 14 IPSec VPN Table 84 SECURITY > VPN > VPN Rules (IKE) > Edit Gateway Policy (continued) LABEL DESCRIPTION Associated The following table shows the policy(ies) you configure for this rule. Network Policies To add a VPN policy, click the add network policy ( ) icon in the VPN Rules (IKE) screen (see Figure 144 on page...
  • Page 274: Encapsulation

    Chapter 14 IPSec VPN Usually, you should select ESP. AH does not support encryption, and ESP is more suitable with NAT (AH authenticates the IP header, which NAT rewrites). 14.6.3 Encapsulation There are two ways to encapsulate packets. Usually, you should use tunnel mode because it is more secure. Transport mode is only used when the IPSec SA is used for communication between the ZyWALL and the remote IPSec router (for example, for remote management), not between computers on the local and remote networks.
  • Page 275: Vpn Rules (Ike): Network Policy Edit

    Chapter 14 IPSec VPN If you enable PFS, the ZyWALL and remote IPSec router perform a DH key exchange every time an IPSec SA is established, changing the root key from which encryption keys are generated. As a result, if one encryption key is compromised, other encryption keys remain secure.
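The PFS property described above, as an added example that is not part of the original guide or ZyXEL's firmware: a toy model of IKE quick-mode keying in Python, following the KEYMAT derivation of RFC 2409 section 5.5. The DH group (2^64 - 59 with generator 2), the SKEYID_d value and the nonces are constructed for the demonstration and far too small for real use; the point is that with PFS an attacker who later obtains the IKE SA's root key still cannot rebuild a child SA's keys from a captured exchange, while without PFS the captured exchange is enough.

```python
"""Toy model of IKE phase-2 (quick mode) keying, with and without PFS.

Added example; not ZyXEL code. Key derivation follows RFC 2409 section 5.5:
  without PFS: KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
  with PFS:    KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
The DH parameters are a constructed toy group (2^64 - 59 is prime but far too
small for real use); a real IKE peer uses the MODP groups of RFC 2409/3526.
"""
import hashlib
import hmac
import secrets

P = 0xFFFFFFFFFFFFFFC5   # 2^64 - 59, toy modulus (assumption: not an IKE group)
G = 2
ESP = 3                  # protocol ID for ESP in the KEYMAT derivation


def dh_keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P)


def keymat(skeyid_d, spi, ni, nr, dh_secret=None):
    """Quick-mode KEYMAT; dh_secret is g(qm)^xy and is present only with PFS."""
    msg = b""
    if dh_secret is not None:
        msg += dh_secret.to_bytes(8, "big")
    msg += bytes([ESP]) + spi + ni + nr
    return hmac.new(skeyid_d, msg, hashlib.sha1).digest()


def quick_mode(skeyid_d, pfs):
    """One IPSec SA negotiation. Returns (initiator_key, responder_key, on_wire),
    where on_wire is everything a passive attacker can capture."""
    spi = secrets.token_bytes(4)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    on_wire = {"spi": spi, "ni": ni, "nr": nr}
    if not pfs:
        k = keymat(skeyid_d, spi, ni, nr)
        return k, k, on_wire
    xi, gxi = dh_keypair()            # fresh exponents for every IPSec SA
    xr, gxr = dh_keypair()
    on_wire.update(gxi=gxi, gxr=gxr)  # public values travel in the clear
    ki = keymat(skeyid_d, spi, ni, nr, dh_shared(xi, gxr))
    kr = keymat(skeyid_d, spi, ni, nr, dh_shared(xr, gxi))
    return ki, kr, on_wire


def peers_agree(pfs):
    ki, kr, _ = quick_mode(secrets.token_bytes(20), pfs)
    return hmac.compare_digest(ki, kr)


def attacker_recovers_key(pfs):
    """Attacker who captured the exchange and later obtains SKEYID_d (the IKE
    SA's root key) but never the private DH exponents xi, xr."""
    skeyid_d = secrets.token_bytes(20)
    ki, _, w = quick_mode(skeyid_d, pfs)
    guess = keymat(skeyid_d, w["spi"], w["ni"], w["nr"])  # all the attacker can compute
    return hmac.compare_digest(guess, ki)


if __name__ == "__main__":
    print("no PFS, attacker recovers key:", attacker_recovers_key(False))  # True
    print("PFS, attacker recovers key:   ", attacker_recovers_key(True))   # False
```

Run it directly to see both outcomes. The toy modulus is of course breakable by brute force; with a real RFC 3526 group the attacker's missing piece is still the DH exponent, which is exactly what the per-SA exchange keeps private.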
  • Page 276: Figure 152 Security > Vpn > Vpn Rules (Ike) > Edit Network Policy

    Chapter 14 IPSec VPN Figure 152 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy
  • Page 277: Table 85 Security > Vpn > Vpn Rules (Ike) > Edit Network Policy

    Chapter 14 IPSec VPN The following table describes the labels in this screen. Table 85 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy LABEL DESCRIPTION Active If the Active check box is selected, packets for the tunnel trigger the ZyWALL to build the tunnel.
  • Page 278 Chapter 14 IPSec VPN Table 85 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy (continued) LABEL DESCRIPTION Starting IP Address When the Address Type field is configured to Single Address, enter a (static) IP address on the LAN behind your ZyWALL. When the Address Type field is configured to Range Address, enter the beginning (static) IP address, in a range of computers on the LAN behind your ZyWALL.
  • Page 279: Vpn Rules (Ike): Network Policy Move

    Chapter 14 IPSec VPN Table 85 SECURITY > VPN > VPN Rules (IKE) > Edit Network Policy (continued) LABEL DESCRIPTION Authentication Algorithm: Select which hash algorithm to use to authenticate packet data in the IPSec SA. Choices are SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower; prefer SHA1, since MD5 is deprecated for new deployments.
  • Page 280: Dialing The Vpn Tunnel Via Web Configurator

    Chapter 14 IPSec VPN Figure 153 SECURITY > VPN > VPN Rules (IKE) > Move Network Policy The following table describes the labels in this screen. Table 86 SECURITY > VPN > VPN Rules (IKE) > Move Network Policy LABEL DESCRIPTION Network Policy The following fields display the general network settings of this VPN policy.
  • Page 281: Vpn Troubleshooting

    If the IPSec tunnel does not build properly, the problem is likely a configuration error at one of the IPSec routers. Log into the web configurators of both ZyXEL IPSec routers. Check the settings in each field methodically and slowly.
  • Page 282: Vpn Log

    Chapter 14 IPSec VPN 14.10.1 VPN Log The system log can often help to identify a configuration problem. Use the web configurator LOGS Log Settings screen to enable IKE and IPSec logging at both ends, clear the log and then build the tunnel. View the log via the web configurator LOGS View Log screen or type sys log disp from...
  • Page 283: Ipsec Debug

    Chapter 14 IPSec VPN 14.11 IPSec Debug If you are having difficulty building an IPSec tunnel to a non-ZyXEL IPSec router, advanced users may wish to examine the IPSec debug feature (in the commands). If any of your VPN rules have an active network policy set to nailed-up, using the IPSec debug feature may cause the ZyWALL to continuously display new information.
  • Page 284: Ipsec Sa Using Manual Keys

    Chapter 14 IPSec VPN 14.12 IPSec SA Using Manual Keys You might set up an IPSec SA using manual keys when you want to establish a VPN tunnel quickly, for example, for troubleshooting. You should only do this as a temporary solution, however, because it is not as secure as a regular IPSec SA: the keys stay fixed for as long as the rule exists, there is no automatic rekeying, and ESP anti-replay protection is only available for SAs negotiated by IKE (RFC 4303).
  • Page 285: Figure 159 Security > Vpn > Vpn Rules (Manual)

    Chapter 14 IPSec VPN Figure 159 SECURITY > VPN > VPN Rules (Manual) The following table describes the labels in this screen. Table 87 SECURITY > VPN > VPN Rules (Manual) LABEL DESCRIPTION This is the VPN policy index number. Name This field displays the identification name for this VPN policy.
  • Page 286: Vpn Rules (Manual): Edit

    Chapter 14 IPSec VPN Table 87 SECURITY > VPN > VPN Rules (Manual) (continued) LABEL DESCRIPTION Modify Click the edit icon to edit the VPN policy. Click the delete icon to remove the VPN policy. A window displays asking you to confirm that you want to delete the VPN rule.
  • Page 287: Table 88 Security > Vpn > Vpn Rules (Manual) > Edit

    Chapter 14 IPSec VPN The following table describes the labels in this screen. Table 88 SECURITY > VPN > VPN Rules (Manual) > Edit LABEL DESCRIPTION Property Active Select this check box to activate this VPN policy. Name Type up to 32 characters to identify this VPN policy. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
  • Page 288 Chapter 14 IPSec VPN Table 88 SECURITY > VPN > VPN Rules (Manual) > Edit (continued) LABEL DESCRIPTION Gateway Policy Information My ZyWALL When the ZyWALL is in router mode, enter the WAN IP address or the domain name of your ZyWALL or leave the field set to 0.0.0.0. The ZyWALL uses its current WAN IP address (static or dynamic) in setting up the VPN tunnel if you leave this field as 0.0.0.0.
  • Page 289: Vpn Sa Monitor

    Chapter 14 IPSec VPN 14.15 VPN SA Monitor In the web configurator, click SECURITY > VPN > SA Monitor. Use this screen to display and manage active VPN connections. A Security Association (SA) is the group of security settings related to a specific VPN tunnel. This screen displays active VPN connections.
  • Page 290: Figure 162 Security > Vpn > Global Setting

    Chapter 14 IPSec VPN Figure 162 SECURITY > VPN > Global Setting The following table describes the labels in this screen. Table 90 SECURITY > VPN > Global Setting LABEL DESCRIPTION Output Idle Timer When traffic is sent to a remote IPSec router from which no reply is received after the specified time period, the ZyWALL checks the VPN connectivity.
  • Page 291: Telecommuter Vpn/Ipsec Examples

    Chapter 14 IPSec VPN Table 90 SECURITY > VPN > Global Setting (continued) LABEL DESCRIPTION Adjust TCP Maximum Segment Size: TCP packets are larger after the ZyWALL encrypts them for VPN. The ZyWALL fragments packets that are larger than a connection's MTU (Maximum Transmission Unit).
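A worked calculation of the MSS clamp that the Adjust TCP Maximum Segment Size option stands in for, as an added example that is not ZyXEL's algorithm. It assumes the ESP layout of RFC 4303 with a 96-bit truncated HMAC ICV and, optionally, the UDP encapsulation of RFC 3948 for NAT traversal; the 1500-byte MTU and the cipher choices are assumptions, and the cipher table only lists algorithms this guide offers.

```python
"""Largest TCP MSS that crosses an ESP tunnel without fragmentation.
Added example; not the ZyWALL's own Adjust TCP Maximum Segment Size logic.
It applies the ESP packet layout of RFC 4303 (and UDP encapsulation of
RFC 3948 when NAT traversal is in use); cipher IV/block sizes and the
96-bit truncated HMAC ICVs are from RFC 2405/3602/2403/2404."""

IPV4_HDR = 20
TCP_HDR = 20
UDP_HDR = 8            # only with NAT-T (UDP port 4500 encapsulation)
ESP_HDR = 8            # SPI (4) + sequence number (4)
ESP_TRAILER = 2        # pad length (1) + next header (1)

CIPHERS = {            # name -> (IV length, block size) in bytes
    "null": (0, 1),
    "des-cbc": (8, 8),
    "3des-cbc": (8, 8),
    "aes-cbc": (16, 16),
}
INTEGRITY = {          # name -> ICV length in bytes
    "none": 0,
    "hmac-md5-96": 12,
    "hmac-sha1-96": 12,
}


def esp_packet_len(plaintext_len, cipher, integrity, tunnel=True, nat_t=False):
    """On-the-wire size of an ESP packet whose protected payload is plaintext_len
    bytes (a TCP segment); tunnel mode adds the inner IPv4 header to the payload."""
    iv, block = CIPHERS[cipher]
    icv = INTEGRITY[integrity]
    inner = plaintext_len + (IPV4_HDR if tunnel else 0)
    align = max(block, 4)                                 # RFC 4303: block-aligned and 4-byte aligned
    padded = -(-(inner + ESP_TRAILER) // align) * align   # ceil to the alignment
    return IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv + padded + icv


def max_mss(mtu, cipher, integrity, tunnel=True, nat_t=False):
    """Largest MSS whose full-size segment still fits in mtu after ESP
    encapsulation. Padding is block-aligned, so walk down from the plain MSS."""
    mss = mtu - IPV4_HDR - TCP_HDR
    while mss > 0 and esp_packet_len(TCP_HDR + mss, cipher, integrity, tunnel, nat_t) > mtu:
        mss -= 1
    return mss


if __name__ == "__main__":
    for cipher, integ, nat in [("aes-cbc", "hmac-sha1-96", False),
                               ("3des-cbc", "hmac-md5-96", False),
                               ("aes-cbc", "hmac-sha1-96", True)]:
        print(f"MTU 1500, {cipher}/{integ}, NAT-T={nat}: MSS {max_mss(1500, cipher, integ, nat_t=nat)}")
```

With a 1500-byte WAN MTU, AES-CBC with HMAC-SHA1-96 in tunnel mode leaves room for a 1398-byte MSS (1382 with NAT-T). Clamping the MSS in the SYN avoids relying on path-MTU discovery, which fails silently when an upstream firewall drops the ICMP "fragmentation needed" messages.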
  • Page 292: Telecommuters Using Unique Vpn Rules Example

    Chapter 14 IPSec VPN Figure 163 Telecommuters Sharing One VPN Rule Example Table 91 Telecommuters Sharing One VPN Rule Example
    • My ZyWALL: telecommuters: 0.0.0.0 (dynamic IP address assigned by the ISP); headquarters: public static IP address
    • Remote Gateway Address: telecommuters: headquarters' public static IP address; headquarters: 0.0.0.0 (with this IP address only...
  • Page 293: Figure 164 Telecommuters Using Unique Vpn Rules Example

    Chapter 14 IPSec VPN Figure 164 Telecommuters Using Unique VPN Rules Example Table 92 Telecommuters Using Unique VPN Rules Example
    All Telecommuter Rules: • My ZyWALL: 0.0.0.0 • Remote Gateway Address: bigcompanyhq.com • Remote Network - Single IP Address: 192.168.1.10 • Local ID Type: E-mail ...
    All Headquarters Rules: • My ZyWALL: bigcompanyhq.com • Local Network - Single IP Address: 192.168.1.10 ...
  • Page 294: Vpn And Remote Management

    Chapter 14 IPSec VPN 14.18 VPN and Remote Management You can allow someone to use a service (like Telnet or HTTP) through a VPN tunnel to manage the ZyWALL. One of the ZyWALL’s ports must be part of the VPN rule’s local network.
  • Page 295: Hub-And-Spoke Vpn Example

    Chapter 14 IPSec VPN Hub-and-spoke VPN reduces the number of VPN connections that you have to set up and maintain in the network. Small office or telecommuter IPSec routers that support a limited number of VPN tunnels are also able to use VPN to connect to more networks. Hub-and-spoke VPN makes it easier for the hub router to manage the traffic between the spoke routers.
  • Page 296: Hub-And-Spoke Vpn Requirements And Suggestions

    Chapter 14 IPSec VPN Rule 1: • Remote Gateway: 10.0.0.2 • Local IP address: 192.168.168.0~192.168.169.255 • Remote IP address: 192.168.167.0/255.255.255.0
    Rule 2: • Remote Gateway: 10.0.0.3 • Local IP address: 192.168.167.0~192.168.168.255 • Remote IP address: 192.168.169.0/255.255.255.0
    Branch Office B: • Remote Gateway: 10.0.0.1 • ...
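Selector matching for network policies, as an added example (not ZyXEL's code) that covers both the Address Type fields of the Edit Network Policy screen and the hub-and-spoke rules above. It implements the Single, Range and Subnet address types and loads Rule 1 and Rule 2 exactly as listed; treating those two rules as belonging to the 10.0.0.1 hub, the packet addresses, and the inbound anti-spoofing check on decrypted traffic are my assumptions.

```python
"""Network-policy (traffic selector) matching for VPN rules. Added example; not
ZyXEL code. It models the three Address Types of the Edit Network Policy screen
(Single, Range, Subnet) and uses the hub's Rule 1 and Rule 2 from the
hub-and-spoke example; packet addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AddrRange:
    """Range Address type: first~last, inclusive."""
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address

    def __contains__(self, addr: ipaddress.IPv4Address) -> bool:
        return self.first <= addr <= self.last


def parse_selector(text: str):
    """'a.b.c.d' (Single), 'a.b.c.d~w.x.y.z' (Range) or 'a.b.c.d/mask' (Subnet,
    mask as prefix length or dotted). A subnet with host bits set is rejected,
    since that usually means a typo in the rule."""
    text = text.strip()
    if "~" in text:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in text.split("~", 1))
        if hi < lo:
            raise ValueError(f"range end before start: {text}")
        return AddrRange(lo, hi)
    if "/" in text:
        return ipaddress.IPv4Network(text, strict=True)
    return ipaddress.IPv4Network(f"{ipaddress.IPv4Address(text)}/32")


@dataclass(frozen=True)
class NetworkPolicy:
    name: str
    remote_gateway: str
    local: object
    remote: object
    active: bool = True


# Hub (assumed to be 10.0.0.1) rules as listed on page 296; Branch B's rules are cut off there.
HUB_RULES = [
    NetworkPolicy("Rule 1", "10.0.0.2",
                  parse_selector("192.168.168.0~192.168.169.255"),
                  parse_selector("192.168.167.0/255.255.255.0")),
    NetworkPolicy("Rule 2", "10.0.0.3",
                  parse_selector("192.168.167.0~192.168.168.255"),
                  parse_selector("192.168.169.0/255.255.255.0")),
]


def select_outbound(policies, src, dst) -> Optional[NetworkPolicy]:
    """First active policy whose local network contains src and whose remote
    network contains dst; policies are tried in the order they are listed."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for p in policies:
        if p.active and src in p.local and dst in p.remote:
            return p
    return None


def accept_inbound(policy, src, dst) -> bool:
    """An inner packet decrypted from policy.remote_gateway must be from the
    policy's remote network to its local network; anything else is spoofed or
    misrouted and should be dropped, not forwarded (my assumption of the check)."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return src in policy.remote and dst in policy.local


def hub_next_hop(policies, arrived_from_gateway, src, dst) -> Optional[str]:
    """Spoke-to-spoke forwarding at the hub: validate the packet against the
    tunnel it arrived on, then pick the tunnel it leaves on. Returns the
    outbound remote gateway, or None if the packet is dropped or not tunnelled."""
    inbound = [p for p in policies if p.active and p.remote_gateway == arrived_from_gateway]
    if not any(accept_inbound(p, src, dst) for p in inbound):
        return None
    out = select_outbound(policies, src, dst)
    return out.remote_gateway if out else None
```

A packet from 192.168.167.10 (behind 10.0.0.2) to 192.168.169.20 arrives through Rule 1, passes the inbound check, and is re-encrypted through Rule 2 toward 10.0.0.3. Traffic to an address outside every remote network returns None, which is worth checking explicitly: such traffic leaves the WAN in the clear.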
  • Page 297: Certificates

    CHAPTER Certificates This chapter gives background information about public-key certificates and explains how to use them. 15.1 Certificates Overview The ZyWALL can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner's identity and public key.
  • Page 298: Advantages Of Certificates

    Chapter 15 Certificates Certification authorities maintain directory servers with databases of valid and revoked certificates. A directory of certificates that have been revoked before the scheduled expiration is called a CRL (Certificate Revocation List). The ZyWALL can check a peer’s certificate against a directory server’s list of revoked certificates.
  • Page 299: Configuration Summary

    Chapter 15 Certificates Figure 169 Certificate Details 4 Use a secure method to verify that the certificate owner has the same information in the Thumbprint Algorithm and Thumbprint fields. The secure method may vary based on your situation. Possible examples would be over the telephone or through an HTTPS connection.
  • Page 300: My Certificates

    Replace This button displays when the ZyWALL has the factory default certificate. The factory default certificate, and therefore its private key, is common to all ZyWALLs that use certificates, so any other ZyWALL, or anyone who has extracted the key from one, can impersonate yours. ZyXEL recommends that you use this button to replace the factory default certificate with one that uses your ZyWALL's MAC address; do this before relying on the certificate for VPN or HTTPS management.
  • Page 301: My Certificate Details

    Chapter 15 Certificates Table 93 SECURITY > CERTIFICATES > My Certificates (continued) LABEL DESCRIPTION Subject This field displays identifying information about the certificate’s owner, such as CN (Common Name), OU (Organizational Unit or department), O (Organization or company) and C (Country). It is recommended that each certificate have unique subject information.
  • Page 302: Figure 172 Security > Certificates > My Certificates > Details

    Chapter 15 Certificates Figure 172 SECURITY > CERTIFICATES > My Certificates > Details The following table describes the labels in this screen. Table 94 SECURITY > CERTIFICATES > My Certificates > Details LABEL DESCRIPTION Name This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this certificate.
  • Page 303 Chapter 15 Certificates Table 94 SECURITY > CERTIFICATES > My Certificates > Details (continued) LABEL DESCRIPTION Certification Path Click the Refresh button to have this read-only text box display the hierarchy of certification authorities that validate the certificate (and the certificate itself). If the issuing certification authority is one that you have imported as a trusted certification authority, it may be the only certification authority in the list (along with the certificate itself).
  • Page 304: My Certificate Export

    Chapter 15 Certificates Table 94 SECURITY > CERTIFICATES > My Certificates > Details (continued) LABEL DESCRIPTION SHA1 Fingerprint: This is the certificate's message digest that the ZyWALL calculated using the SHA1 algorithm. Certificate in PEM (Base-64) Encoded Format: This read-only text box displays the certificate or certification request in Privacy Enhanced Mail (PEM) format.
  • Page 305: My Certificate Import

    Chapter 15 Certificates Figure 173 SECURITY > CERTIFICATES > My Certificates > Export The following table describes the labels in this screen. Table 95 SECURITY > CERTIFICATES > My Certificates > Export LABEL DESCRIPTION Export the certificate in binary X.509 format: X.509 is an ITU-T recommendation that defines the formats for X.509 certificates.
  • Page 306: Certificate File Formats

    Chapter 15 Certificates You must remove any spaces from the certificate’s filename before you can import it. 15.8.1 Certificate File Formats The certification authority certificate that you want to import has to be in one of these file formats: • Binary X.509: This is an ITU-T recommendation that defines the formats for X.509 certificates.
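Fingerprint handling for the out-of-band check in step 4 on page 299 and for the SHA1 and MD5 Fingerprint fields of the Details screens, as an added example not taken from the guide. It normalises the binary X.509 (DER) and PEM file formats of section 15.8.1 to the DER bytes the digest actually covers, rejects truncated or padded files, and compares the result in constant time; PKCS#7 bundles are not handled. SAMPLE_DER is a constructed five-byte SEQUENCE, not a real certificate, so its fingerprints are only meaningful relative to each other.

```python
"""Certificate fingerprint (thumbprint) handling for out-of-band verification.
Added example; not ZyXEL code. It accepts the binary X.509 (DER) and PEM forms
from section 15.8.1; PKCS#7 bundles are out of scope. The sample bytes below
are a constructed DER SEQUENCE, not a real certificate."""
import base64
import hashlib
import hmac


def der_total_length(buf: bytes) -> int:
    """Length of the outer DER SEQUENCE (tag + length field + content)."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = buf[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def to_der(data: bytes) -> bytes:
    """Normalise PEM or DER input to the exact DER bytes the fingerprint covers."""
    if data.lstrip().startswith(b"-----BEGIN"):
        lines = data.decode("ascii").splitlines()
        body = [line.strip() for line in lines if line and not line.startswith("-----")]
        der = base64.b64decode("".join(body), validate=True)
    else:
        der = data
    if der_total_length(der) != len(der):
        raise ValueError("DER length does not match file size (truncated or trailing data)")
    return der


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Colon-separated upper-case hex digest, as shown in the Details screens."""
    h = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def matches_out_of_band(shown: str, confirmed: str) -> bool:
    """Compare a displayed fingerprint with the one read over the phone or an
    HTTPS page, ignoring separators and case; constant-time so a partial
    match does not leak through timing."""
    def norm(s: str) -> bytes:
        return "".join(c for c in s.upper() if c in "0123456789ABCDEF").encode()
    a, b = norm(shown), norm(confirmed)
    return len(a) == len(b) and hmac.compare_digest(a, b)


SAMPLE_DER = bytes.fromhex("3003020101")  # constructed: SEQUENCE { INTEGER 1 }, not a certificate
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode() + "\n"
              + "-----END CERTIFICATE-----\n").encode()
```

The classic mistake is hashing the PEM text itself; the fingerprint a peer shows you is always over the DER encoding, so a PEM file and its binary export must produce the same value, which the first assertion below checks.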
  • Page 307: Figure 174 Security > Certificates > My Certificates > Import

    Chapter 15 Certificates Figure 174 SECURITY > CERTIFICATES > My Certificates > Import The following table describes the labels in this screen. Table 96 SECURITY > CERTIFICATES > My Certificates > Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it. Browse Click Browse to find the certificate file you want to upload.
  • Page 308: My Certificate Create

    Chapter 15 Certificates 15.9 My Certificate Create Click SECURITY > CERTIFICATES > My Certificates > Create to open the My Certificate Create screen. Use this screen to have the ZyWALL create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request. Figure 176 SECURITY >...
  • Page 309 Chapter 15 Certificates Table 98 SECURITY > CERTIFICATES > My Certificates > Create (continued) LABEL DESCRIPTION Organizational Unit Type up to 127 characters to identify the organizational unit or department to which the certificate owner belongs. You may use any character, including spaces, but the ZyWALL drops trailing spaces.
  • Page 310: Trusted Cas

    Chapter 15 Certificates Table 98 SECURITY > CERTIFICATES > My Certificates > Create (continued) LABEL DESCRIPTION Apply Click Apply to begin certificate or certification request generation. Cancel Click Cancel to quit and return to the My Certificates screen. After you click Apply in the My Certificate Create screen, you see a screen that tells you the ZyWALL is generating the self-signed certificate or certification request.
  • Page 311: Trusted Ca Details

    Chapter 15 Certificates The following table describes the labels in this screen. Table 99 SECURITY > CERTIFICATES > Trusted CAs LABEL DESCRIPTION PKI Storage Space in Use: This bar displays the percentage of the ZyWALL's PKI storage space that is currently in use.
  • Page 312: Figure 178 Security > Certificates > Trusted Cas > Details

    Chapter 15 Certificates Figure 178 SECURITY > CERTIFICATES > Trusted CAs > Details The following table describes the labels in this screen. Table 100 SECURITY > CERTIFICATES > Trusted CAs > Details LABEL DESCRIPTION Name This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate.
  • Page 313 Chapter 15 Certificates Table 100 SECURITY > CERTIFICATES > Trusted CAs > Details (continued) LABEL DESCRIPTION Certification Path Click the Refresh button to have this read-only text box display the end entity’s certificate and a list of certification authority certificates that shows the hierarchy of certification authorities that validate the end entity’s certificate.
  • Page 314: Trusted Ca Import

    Chapter 15 Certificates Table 100 SECURITY > CERTIFICATES > Trusted CAs > Details (continued) LABEL DESCRIPTION CRL Distribution Points: This field displays how many directory servers with lists of revoked certificates the issuing certification authority of this certificate makes available. This field also displays the domain names or IP addresses of the servers.
  • Page 315: Trusted Remote Hosts

    Chapter 15 Certificates Figure 179 SECURITY > CERTIFICATES > Trusted CAs > Import The following table describes the labels in this screen. Table 101 SECURITY > CERTIFICATES > Trusted CAs Import LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse to find it. Browse Click Browse to find the certificate file you want to upload.
  • Page 316: Figure 180 Security > Certificates > Trusted Remote Hosts

    Chapter 15 Certificates Figure 180 SECURITY > CERTIFICATES > Trusted Remote Hosts The following table describes the labels in this screen. Table 102 SECURITY > CERTIFICATES > Trusted Remote Hosts LABEL DESCRIPTION PKI Storage Space in Use: This bar displays the percentage of the ZyWALL's PKI storage space that is currently in use.
  • Page 317: Trusted Remote Hosts Import

    Chapter 15 Certificates 15.14 Trusted Remote Hosts Import Click SECURITY > CERTIFICATES > Trusted Remote Hosts to open the Trusted Remote Hosts screen and then click Import to open the Trusted Remote Host Import screen. You may have peers with certificates that you want to trust, but the certificates were not signed by one of the certification authorities on the Trusted CAs screen.
  • Page 318: Trusted Remote Host Certificate Details

    Chapter 15 Certificates 15.15 Trusted Remote Host Certificate Details Click SECURITY > CERTIFICATES > Trusted Remote Hosts to open the Trusted Remote Hosts screen. Click the details icon to open the Trusted Remote Host Details screen. You can use this screen to view in-depth information about the trusted remote host’s certificate and/or change the certificate’s name.
  • Page 319: Table 104 Security > Certificates > Trusted Remote Hosts > Details

    Chapter 15 Certificates The following table describes the labels in this screen. Table 104 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details LABEL DESCRIPTION Name This field displays the identifying name of this certificate. If you want to change the name, type up to 31 characters to identify this key certificate.
  • Page 320: Directory Servers

    Chapter 15 Certificates Table 104 SECURITY > CERTIFICATES > Trusted Remote Hosts > Details (continued) LABEL DESCRIPTION MD5 Fingerprint This is the certificate’s message digest that the ZyWALL calculated using the MD5 algorithm. The ZyWALL uses one of its own self-signed certificates to sign the imported trusted remote host certificates.
  • Page 321: Directory Server Add Or Edit

    Chapter 15 Certificates The following table describes the labels in this screen. Table 105 SECURITY > CERTIFICATES > Directory Servers LABEL DESCRIPTION PKI Storage Space in Use: This bar displays the percentage of the ZyWALL's PKI storage space that is currently in use.
  • Page 322: Table 106 Security > Certificates > Directory Server > Add

    Chapter 15 Certificates The following table describes the labels in this screen. Table 106 SECURITY > CERTIFICATES > Directory Server > Add LABEL DESCRIPTION Directory Service Setting Name Type up to 31 ASCII characters (spaces are not permitted) to identify this directory server.
  • Page 323: Authentication Server

    CHAPTER Authentication Server This chapter discusses how to configure the ZyWALL's authentication server feature. 16.1 Authentication Server Overview A ZyWALL set to be a VPN extended authentication server can use either the local user database internal to the ZyWALL or an external RADIUS server for an unlimited number of users.
  • Page 324: Figure 185 Security > Auth Server > Local User Database

    Chapter 16 Authentication Server Figure 185 SECURITY > AUTH SERVER > Local User Database
  • Page 325: Radius

    Chapter 16 Authentication Server The following table describes the labels in this screen. Table 107 SECURITY > AUTH SERVER > Local User Database LABEL DESCRIPTION Active Select this check box to enable the user profile. User Name Enter the user name of the user profile. Password Enter a password up to 31 characters long for this user profile.
  • Page 326 Chapter 16 Authentication Server Table 108 SECURITY > AUTH SERVER > RADIUS LABEL DESCRIPTION Key: Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external authentication server and the ZyWALL. The key itself is never sent over the network; it is used to hide the User-Password attribute and to authenticate the server's replies, so it must be the same on the external authentication server and the ZyWALL, and it should be long and random because it is the only protection RADIUS gives those fields on the wire.
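How the RADIUS shared key is used without being sent, as an added example that is neither ZyXEL's nor any RADIUS server's code: the User-Password hiding and Response Authenticator computations of RFC 2865 (sections 5.2 and 3) in Python. SECRET, the Request Authenticator RA and the test password are constructed values; a real client must draw a fresh random Request Authenticator for every request.

```python
"""RADIUS User-Password hiding and Response Authenticator (RFC 2865, sections
3 and 5.2). Added example; not ZyXEL or any RADIUS server's code. The shared
secret, password and authenticator below are constructed test values."""
import hashlib
import hmac


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """c1 = p1 XOR MD5(S + RA), c_i = p_i XOR MD5(S + c_{i-1});
    the password is NUL-padded to a multiple of 16 bytes first."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], pad))
        out += block
        prev = block            # chaining: each block keys the next
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse operation, as the server performs it."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password length must be a non-zero multiple of 16")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(block, pad))
        prev = block
    return out.rstrip(b"\x00")


def response_authenticator(code: int, ident: int, attributes: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): lets the
    client check that a reply came from a party holding the secret."""
    length = 20 + len(attributes)
    header = bytes([code, ident]) + length.to_bytes(2, "big")
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def verify_response(code, ident, attributes, request_auth, secret, received_auth) -> bool:
    expected = response_authenticator(code, ident, attributes, request_auth, secret)
    return hmac.compare_digest(expected, received_auth)


SECRET = b"testing123"        # constructed; use a long random secret in practice
RA = bytes(range(16))         # constructed Request Authenticator; must be random per request
```

Everything here is MD5 keyed by the shared secret, so a short or guessable secret lets a passive observer recover the password by trial; that, not any property of the protocol, is what makes the key length matter.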
  • Page 327: Advanced

    Advanced Network Address Translation (NAT) (329) Static Route (345) Policy Route (349) Bandwidth Management (355) DNS (371) Remote Management (383) UPnP (405) ALG Screen (415)
  • Page 329: Network Address Translation (Nat)

    CHAPTER Network Address Translation (NAT) This chapter discusses how to configure NAT on the ZyWALL. 17.1 NAT Overview NAT (Network Address Translation, RFC 1631) is the translation of the IP address of a host in a packet.
  • Page 330: What Nat Does

    Chapter 17 Network Address Translation (NAT) NAT never changes the IP address (either local or global) of an outside host. 17.1.2 What NAT Does In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side.
  • Page 331: Nat Application

    Chapter 17 Network Address Translation (NAT) Figure 187 How NAT Works 17.1.4 NAT Application The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyWALL can communicate with three distinct WAN networks.
  • Page 332: Port Restricted Cone Nat

    • Many to One: In Many-to-One mode, the ZyWALL maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature (the SUA option). • Many to Many Overload: In Many-to-Many Overload mode, the ZyWALL maps the multiple local IP addresses to shared global IP addresses.
  • Page 333: Using Nat

    Chapter 17 Network Address Translation (NAT) • Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world although, it is highly recommended that you use the DMZ port for these servers instead. Port numbers do not change for One-to-One and Many-One-to-One NAT mapping types.
  • Page 334: Nat Overview Screen

    Chapter 17 Network Address Translation (NAT) Selecting SUA means (latent) multiple WAN-to-LAN and WAN-to-DMZ address translation. That means that computers on your DMZ with public IP addresses will still have to undergo NAT mapping if you’re using SUA NAT mapping. If this is not your intention, then select Full Feature NAT and don’t configure NAT mapping rules to those computers with public IP addresses on the DMZ.
  • Page 335: Nat Address Mapping

    Chapter 17 Network Address Translation (NAT) Table 111 ADVANCED > NAT > NAT Overview (continued) LABEL DESCRIPTION WAN 1, 2 Enable NAT Select this check box to turn on the NAT feature for the WAN interface. Clear this check box to turn off the NAT feature for the WAN interface. Address Select SUA if you have just one public WAN IP address for your ZyWALL.
  • Page 336: Figure 191 Advanced > Nat > Address Mapping

    Chapter 17 Network Address Translation (NAT) Use this screen to change your ZyWALL’s address mapping settings. Not all fields are available on all models. Ordering your rules is important because the ZyWALL applies the rules in the order that you specify.
  • Page 337: Nat Address Mapping Edit

    One-to-One NAT mapping type. 2. Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature, which was the only NAT mode that earlier ZyXEL routers supported.
  • Page 338: Port Forwarding

    2. Many-to-One: Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature. 3. Many-to-Many Overload: Many-to-Many Overload mode maps multiple local IP addresses to shared global IP addresses.
  • Page 339: Default Server Ip Address

    Chapter 17 Network Address Translation (NAT) You may enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server. The port number identifies a service; for example, web service is on port 80 and FTP on port 21.
  • Page 340: Configuring Servers Behind Port Forwarding (Example)

    Chapter 17 Network Address Translation (NAT) 17.5.3 Configuring Servers Behind Port Forwarding (Example) Let's say you want to assign ports 21-25 to one FTP, Telnet and SMTP server (A in the example), port 80 to another (B in the example) and assign a default server IP address of 192.168.1.35 to a third (C in the example).
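A simulation of Many-to-One (SUA) NAT with port-restricted cone behaviour, port forwarding and a Default Server, as an added example that is not ZyXEL's implementation. It uses the server layout from the example above: 192.168.1.35 for server C is the page's value, while 192.168.1.33 for A, 192.168.1.34 for B, the public address 203.0.113.1 and all packet addresses are assumptions.

```python
"""Many-to-One (SUA/PAT) NAT with port-restricted cone behaviour, plus the
port-forwarding table and Default Server from the page's example. Added
example; not ZyXEL code. Server C = 192.168.1.35 is from the page; A, B,
the global IP and the packet addresses are assumed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]


@dataclass
class ManyToOneNat:
    global_ip: str
    port_forwards: Dict[Tuple[int, int], str] = field(default_factory=dict)  # (first, last) -> inside IP
    default_server: Optional[str] = None
    next_port: int = 49152
    # (inside IP, inside port) -> global port
    out_map: Dict[Endpoint, int] = field(default_factory=dict)
    # global port -> (inside IP, inside port, remote endpoints the host has sent to)
    in_map: Dict[int, Tuple[str, int, Set[Endpoint]]] = field(default_factory=dict)

    def forward_target(self, port: int) -> Optional[str]:
        for (first, last), inside in self.port_forwards.items():
            if first <= port <= last:
                return inside
        return None

    def allocate_port(self) -> int:
        """Skip ports that are forwarded or already mapped, so a dynamic
        mapping never shadows a configured server."""
        while self.forward_target(self.next_port) or self.next_port in self.in_map:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Endpoint:
        """LAN -> WAN: rewrite the source to (global IP, mapped port)."""
        key = (src_ip, src_port)
        if key not in self.out_map:
            port = self.allocate_port()
            self.out_map[key] = port
            self.in_map[port] = (src_ip, src_port, set())
        port = self.out_map[key]
        self.in_map[port][2].add((dst_ip, dst_port))   # remember who we talked to
        return self.global_ip, port

    def inbound(self, src_ip: str, src_port: int, dst_port: int) -> Optional[Endpoint]:
        """WAN -> LAN: returns the inside destination, or None when dropped."""
        mapping = self.in_map.get(dst_port)
        if mapping is not None:
            inside_ip, inside_port, allowed = mapping
            # port-restricted cone: only the exact IP:port the host sent to may reply
            return (inside_ip, inside_port) if (src_ip, src_port) in allowed else None
        target = self.forward_target(dst_port)
        if target is not None:
            return target, dst_port
        if self.default_server is not None:   # catches everything else: exposes that host
            return self.default_server, dst_port
        return None


def example_nat() -> ManyToOneNat:
    """The page's layout: ports 21-25 to A, port 80 to B, everything else to C."""
    return ManyToOneNat(global_ip="203.0.113.1",
                        port_forwards={(21, 25): "192.168.1.33", (80, 80): "192.168.1.34"},
                        default_server="192.168.1.35")
```

Note what the Default Server costs you: every unsolicited packet to a port that is neither dynamically mapped nor forwarded lands on that host, which is why the guide suggests putting such servers on the DMZ rather than the LAN. Clearing default_server makes the same packets drop.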
  • Page 341: Port Forwarding Screen

    Chapter 17 Network Address Translation (NAT) Figure 194 Port Translation Example 17.6 Port Forwarding Screen Click ADVANCED > NAT > Port Forwarding to open the Port Forwarding screen. If you do not assign a Default Server IP address, the ZyWALL discards all packets received for ports that are not specified here or in the remote management setup.
  • Page 342: Figure 195 Advanced > Nat > Port Forwarding

    Chapter 17 Network Address Translation (NAT) Figure 195 ADVANCED > NAT > Port Forwarding The following table describes the labels in this screen. Table 115 ADVANCED > NAT > Port Forwarding LABEL DESCRIPTION WAN Interface Select the WAN interface for which you want to view or configure address mapping rules.
  • Page 343: Port Triggering

    Chapter 17 Network Address Translation (NAT) Table 115 ADVANCED > NAT > Port Forwarding LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyWALL. Reset Click Reset to begin configuring this screen afresh. 17.7 Port Triggering Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side.
  • Page 344: Figure 197 Advanced > Nat > Port Triggering

    Chapter 17 Network Address Translation (NAT) Click ADVANCED > NAT > Port Triggering to open the following screen. Use this screen to change your ZyWALL’s trigger port settings. Figure 197 ADVANCED > NAT > Port Triggering The following table describes the labels in this screen. Table 116 ADVANCED >...
  • Page 345: Static Route

    CHAPTER Static Route This chapter shows you how to configure static routes for your ZyWALL. 18.1 IP Static Route Each remote node specifies only the network to which the gateway is directly connected, and the ZyWALL has no knowledge of the networks beyond. For instance, the ZyWALL knows about network N2 in the following figure through remote node Router 1.
  • Page 346: Figure 199 Advanced > Static Route > Ip Static Route

    Chapter 18 Static Route Figure 199 ADVANCED > STATIC ROUTE > IP Static Route The following table describes the labels in this screen. Table 117 ADVANCED > STATIC ROUTE > IP Static Route LABEL DESCRIPTION This is the number of an individual static route. Name This is the name that describes or identifies this route.
  • Page 347: Ip Static Route Edit

    Chapter 18 Static Route Table 117 ADVANCED > STATIC ROUTE > IP Static Route LABEL DESCRIPTION Gateway This is the IP address of the gateway. The gateway is a router or switch on the same network segment as the ZyWALL’s interface. The gateway helps forward packets to their destinations.
  • Page 348 Chapter 18 Static Route Table 118 ADVANCED > STATIC ROUTE > IP Static Route > Edit LABEL DESCRIPTION Private This parameter determines if the ZyWALL will include this route to a remote node in its RIP broadcasts. Select this check box to keep this route private and not included in RIP broadcasts. Clear this check box to propagate this route to other hosts through RIP broadcasts.
  • Page 349: Policy Route

    CHAPTER Policy Route This chapter covers setting and applying policies used for IP routing. 19.1 Policy Route Traditionally, routing is based on the destination address only and the ZyWALL takes the shortest path to forward a packet. IP Policy Routing (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator.
  • Page 350: Ip Routing Policy Setup

    Chapter 19 Policy Route IPPR follows the existing packet filtering facility of RAS in style and in implementation. 19.4 IP Routing Policy Setup Click ADVANCED > POLICY ROUTE to open the Policy Route Summary screen. Figure 201 ADVANCED > POLICY ROUTE > Policy Route Summary
  • Page 351: Policy Route Edit

    Chapter 19 Policy Route The following table describes the labels in this screen. Table 119 ADVANCED > POLICY ROUTE > Policy Route Summary LABEL DESCRIPTION This is the number of an individual policy route. Active This field shows whether the policy is active or inactive. Source This is the source IP address range and/or port number range.
  • Page 352: Figure 202 Edit Ip Policy Route

    Chapter 19 Policy Route Figure 202 Edit IP Policy Route The following table describes the labels in this screen. Table 120 ADVANCED > POLICY ROUTE > Edit LABEL DESCRIPTION Criteria Active Select the check box to activate the policy. Rule Index This is the index number of the policy route.
  • Page 353 Chapter 19 Policy Route Table 120 ADVANCED > POLICY ROUTE > Edit (continued) LABEL DESCRIPTION Length Comparison: Choose from Equal, Not Equal, Less, Greater, Less or Equal or Greater or Equal. Application: Select a predefined application (FTP, H.323 or SIP) for the policy rule. If you do not want to use a predefined application, select Custom.
  • Page 354 Chapter 19 Policy Route Table 120 ADVANCED > POLICY ROUTE > Edit (continued) LABEL DESCRIPTION Gateway Select User-Defined and enter the IP address of the gateway if you want to specify the IP address of the gateway. The gateway is an immediate neighbor of your ZyWALL that will forward the packet to the destination.
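Route selection with policy routes consulted before static routes, as an added example not taken from the guide and covering both Chapter 18 and Chapter 19. The criteria mirror the fields of Table 120 (source and destination, protocol, destination port range, Length Comparison, Application, Gateway); the rules, gateways and packets are constructed, and the static-route tie-break of longest prefix first and then lowest metric is an assumption about how the ZyWALL orders them.

```python
"""Route selection with policy routes tried first and static routes as the
fallback, in the spirit of chapters 18 and 19. Added example; not ZyXEL code.
The rules and packets are constructed; the criteria mirror the Edit IP Policy
Route fields (source/destination, protocol, ports, packet-length comparison,
application, gateway)."""
import ipaddress
import operator
from dataclasses import dataclass
from typing import Optional, Tuple

LENGTH_OPS = {  # the Length Comparison choices from Table 120
    "Equal": operator.eq, "Not Equal": operator.ne, "Less": operator.lt,
    "Greater": operator.gt, "Less or Equal": operator.le, "Greater or Equal": operator.ge,
}
# Assumed port/protocol for the predefined applications of Table 120.
APPLICATIONS = {"FTP": ("tcp", (21, 21)), "SIP": ("udp", (5060, 5060)), "H.323": ("tcp", (1720, 1720))}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str      # "tcp", "udp", "icmp"
    src_port: int
    dst_port: int
    length: int


@dataclass(frozen=True)
class PolicyRoute:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    gateway: str
    protocol: Optional[str] = None
    dst_ports: Optional[Tuple[int, int]] = None
    length_cmp: Optional[Tuple[str, int]] = None   # e.g. ("Greater", 1000)
    active: bool = True

    @classmethod
    def for_application(cls, src, dst, gateway, app):
        proto, ports = APPLICATIONS[app]
        return cls(ipaddress.IPv4Network(src), ipaddress.IPv4Network(dst), gateway, proto, ports)

    def matches(self, p: Packet) -> bool:
        if not self.active:
            return False
        if ipaddress.IPv4Address(p.src) not in self.src or ipaddress.IPv4Address(p.dst) not in self.dst:
            return False
        if self.protocol and p.protocol != self.protocol:
            return False
        if self.dst_ports and not (self.dst_ports[0] <= p.dst_port <= self.dst_ports[1]):
            return False
        if self.length_cmp and not LENGTH_OPS[self.length_cmp[0]](p.length, self.length_cmp[1]):
            return False
        return True


@dataclass(frozen=True)
class StaticRoute:
    dest: ipaddress.IPv4Network
    gateway: str
    metric: int = 1


def next_hop(policy_routes, static_routes, default_gateway, p: Packet) -> str:
    """Policy routes win in list order; otherwise the longest matching prefix,
    then the lowest metric; otherwise the default gateway."""
    for r in policy_routes:
        if r.matches(p):
            return r.gateway
    dst = ipaddress.IPv4Address(p.dst)
    candidates = [r for r in static_routes if dst in r.dest]
    if candidates:
        best = max(candidates, key=lambda r: (r.dest.prefixlen, -r.metric))
        return best.gateway
    return default_gateway


# Constructed example: SIP from the LAN leaves via a second WAN gateway, large
# packets to the partner network use a dedicated link, everything else follows
# the static routes and the default gateway.
POLICY = [
    PolicyRoute.for_application("192.168.1.0/24", "0.0.0.0/0", "10.0.2.1", "SIP"),
    PolicyRoute(ipaddress.IPv4Network("192.168.1.0/24"), ipaddress.IPv4Network("172.16.0.0/16"),
                "10.0.3.1", protocol="tcp", length_cmp=("Greater", 1000)),
]
STATIC = [
    StaticRoute(ipaddress.IPv4Network("172.16.0.0/16"), "10.0.1.1", metric=5),
    StaticRoute(ipaddress.IPv4Network("172.16.5.0/24"), "10.0.1.2", metric=1),
]
DEFAULT_GW = "10.0.0.1"
```

Because the first matching policy route wins, rule order is part of the security posture: a broad policy placed above a narrower one silently redirects traffic the narrower one was meant to catch, so review the Policy Route Summary order after every change.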
  • Page 355: Bandwidth Management

    CHAPTER Bandwidth Management This chapter describes the functions and configuration of bandwidth management with multiple levels of sub-classes. 20.1 Bandwidth Management Overview Bandwidth management allows you to allocate an interface's outgoing capacity to specific types of traffic. It can also help you make sure that the ZyWALL forwards certain types of traffic (especially real-time applications) with minimum delay.
  • Page 356: Proportional Bandwidth Allocation

    Chapter 20 Bandwidth Management 20.3 Proportional Bandwidth Allocation Bandwidth management allows you to define how much bandwidth each class gets; however, the actual bandwidth allotted to each class decreases or increases in proportion to actual available bandwidth. 20.4 Application-based Bandwidth Management You can create bandwidth classes based on individual applications (like VoIP, Web, FTP, E- mail and Video for example).
  • Page 357: Scheduler

Chapter 20 Bandwidth Management
Table 121 Application and Subnet-based Bandwidth Management Example
TRAFFIC TYPE | FROM SUBNET A | FROM SUBNET B
E-mail | 64 Kbps | 64 Kbps
Video | 64 Kbps | 64 Kbps
20.7 Scheduler
The scheduler divides up an interface’s bandwidth among the bandwidth classes. The ZyWALL has two types of scheduler: fairness-based and priority-based.
  • Page 358: Maximize Bandwidth Usage Example

Chapter 20 Bandwidth Management
2 Do not enable the interface’s Maximize Bandwidth Usage option.
3 Do not enable bandwidth borrowing on the sub-classes that have the root class as their parent (see Section 20.8 on page 359).
20.7.5 Maximize Bandwidth Usage Example
Here is an example of a ZyWALL that has maximize bandwidth usage enabled on an interface.
  • Page 359: Bandwidth Borrowing

Chapter 20 Bandwidth Management
20.7.5.2 Fairness-based Allotment of Unused and Unbudgeted Bandwidth
The following table shows the amount of bandwidth that each class gets.
Table 124 Fairness-based Allotment of Unused and Unbudgeted Bandwidth Example
BANDWIDTH CLASSES AND ALLOTMENTS
Root Class: 10240 kbps
Administration: 1024 kbps
Sales: 3072 kbps
Marketing: 3072 kbps...
  • Page 360: Maximize Bandwidth Usage With Bandwidth Borrowing

Chapter 20 Bandwidth Management
Refer to the product specifications in the appendix to see how many class levels you can configure on your ZyWALL.
Table 125 Bandwidth Borrowing Example
BANDWIDTH CLASSES AND BANDWIDTH BORROWING SETTINGS
Root Class:
Administration: Borrowing Enabled
Sales: Borrowing Disabled
Sales USA: Borrowing
Bill: Borrowing Enabled...
  • Page 361: Over Allotment Of Bandwidth

Chapter 20 Bandwidth Management
4 If the bandwidth requirements of all of the traffic classes are met and there is still some unbudgeted bandwidth, the ZyWALL assigns it to traffic that does not match any of the classes.
20.10 Over Allotment of Bandwidth
It is possible to set the bandwidth management speed for an interface higher than the interface’s actual transmission speed.
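To make the proportional rule of Section 20.3 and the over-allotment case of Section 20.10 concrete, here is an added example (not code from the ZyXEL guide or firmware) that models the allocation for the classes in Table 124. It assumes the straightforward reading of the text: each budget is scaled by the ratio of available bandwidth to the root budget (capped at 1.0, so a root budget set above the interface's real rate simply shrinks every class), a sub-class is capped by its parent's actual share, and whatever the root's sub-classes do not budget is left for traffic matching no class. The nested Sales USA class and its budget are constructed; the real scheduler may add fairness, priority and borrowing rules this model leaves out.

```python
"""Model of the proportional allotment rule (Sections 20.3 and 20.10).

Added example, not ZyWALL code. Budgets come from Table 124; the nested
'Sales USA' sub-class is CONSTRUCTED for the example."""

from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class BwClass:
    name: str
    budget_kbps: int
    children: List["BwClass"] = field(default_factory=list)


def allot(root: BwClass, available_kbps: int) -> Dict[str, int]:
    """Return {class name: allotted kbps} for the whole class tree.

    Integer arithmetic throughout: share = budget * cap // root budget, where
    cap is the smaller of the available bandwidth and the root budget, so an
    over-allotted root (budget above the real rate) scales every class down."""
    if root.budget_kbps <= 0 or available_kbps < 0:
        raise ValueError("root budget must be positive and available >= 0")
    cap = min(available_kbps, root.budget_kbps)
    result: Dict[str, int] = {}

    def walk(cls: BwClass, parent_share: int) -> None:
        # A sub-class is limited by its parent's actual share, not its budget.
        share = min(parent_share, cls.budget_kbps * cap // root.budget_kbps)
        result[cls.name] = share
        for child in cls.children:
            walk(child, share)

    walk(root, available_kbps)
    # Whatever the root's sub-classes do not budget is left for traffic that
    # matches no class (the last step of the maximize-bandwidth-usage procedure).
    result["(unclassified)"] = result[root.name] - sum(
        result[c.name] for c in root.children)
    return result


def example_tree() -> BwClass:
    """Table 124: root 10240, Administration 1024, Sales 3072, Marketing 3072.
    Sales USA (2048 kbps, under Sales) is a CONSTRUCTED sub-class."""
    sales = BwClass("Sales", 3072, [BwClass("Sales USA", 2048)])
    return BwClass("Root", 10240, [BwClass("Administration", 1024), sales,
                                  BwClass("Marketing", 3072)])


if __name__ == "__main__":
    for avail in (10240, 5120):
        print(avail, allot(example_tree(), avail))
```

With the full 10240 kbps available each class gets its budget and 3072 kbps is left unclassified; when only 5120 kbps is really available every share halves, which is the "decreases in proportion" behaviour the section describes.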
  • Page 362: Figure 204 Advanced > Bw Mgmt > Summary

Chapter 20 Bandwidth Management
Figure 204 ADVANCED > BW MGMT > Summary
The following table describes the labels in this screen.
Table 127 ADVANCED > BW MGMT > Summary
Class: These read-only labels represent the physical interfaces. Select an interface’s check box to enable bandwidth management on that interface.
  • Page 363: Configuring Class Setup

Chapter 20 Bandwidth Management
20.12 Configuring Class Setup
The Class Setup screen displays the configured bandwidth classes by individual interface. Select an interface and click the buttons to perform the actions described next. Click “+” to expand the class tree or click “-” to collapse the class tree. Each interface has a permanent root class.
  • Page 364: Bandwidth Manager Class Configuration

Chapter 20 Bandwidth Management
Table 128 ADVANCED > BW MGMT > Class Setup (continued)
Enabled classes Search Order: This list displays the interface’s active bandwidth management classes (the ones that have the bandwidth filter enabled). The ZyWALL applies the classes in the order that they appear here.
  • Page 365: Figure 206 Advanced > Bw Mgmt > Class Setup > Add Sub-Class

Chapter 20 Bandwidth Management
Figure 206 ADVANCED > BW MGMT > Class Setup > Add Sub-Class
The following table describes the labels in this screen.
Table 129 ADVANCED > BW MGMT > Class Setup > Add Sub-Class
Class Configuration
Class Name: Use the auto-generated name or enter a descriptive name of up to 20 alphanumeric characters, including spaces.
• Page 366 Chapter 20 Bandwidth Management
Table 129 ADVANCED > BW MGMT > Class Setup > Add Sub-Class (continued)
Enable Bandwidth Filter: Select Enable Bandwidth Filter to have the ZyWALL use this bandwidth filter when it performs bandwidth management. You must enter a value in at least one of the following fields (other than the Subnet Mask fields, which are only available when you enter the destination or source IP address).
  • Page 367: Bandwidth Management Statistics

Chapter 20 Bandwidth Management
Table 129 ADVANCED > BW MGMT > Class Setup > Add Sub-Class (continued)
Source End Address / Subnet Mask: If you are configuring a range of IP addresses, enter the ending IP address here. If you are configuring a subnet of addresses, enter the subnet mask here. Refer to Appendix E on page 663 for more information on IP subnetting.
  • Page 368: Bandwidth Manager Monitor

Chapter 20 Bandwidth Management
Figure 207 ADVANCED > BW MGMT > Class Setup > Statistics
The following table describes the labels in this screen.
Table 131 ADVANCED > BW MGMT > Class Setup > Statistics
Class Name: This field displays the name of the class the statistics page is showing.
Budget (kbps): This field displays the amount of bandwidth allocated to the class.
  • Page 369: Figure 208 Advanced > Bw Mgmt > Monitor

Chapter 20 Bandwidth Management
Figure 208 ADVANCED > BW MGMT > Monitor
The following table describes the labels in this screen.
Table 132 ADVANCED > BW MGMT > Monitor
Interface: Select an interface from the drop-down list box to view the bandwidth usage of its bandwidth classes.
  • Page 371: Dns

CHAPTER 21 DNS
This chapter shows you how to configure the DNS screens.
21.1 DNS Overview
DNS (Domain Name System) maps a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it.
  • Page 372: Address Record

    An FQDN consists of a host and domain name and includes the top-level domain. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the second-level domain, and “com.tw” is the top level domain.
  • Page 373: System Screen

Chapter 21 DNS
Figure 209 Private DNS Server Example
If you do not specify an Intranet DNS server on the remote network, then the VPN host must use IP addresses to access the computers on the remote private network.
21.6 System Screen
Click ADVANCED >...
  • Page 374: Figure 210 Advanced > Dns > System Dns

    (FQDN) to an IP address. An FQDN consists of a host and domain name and includes the top-level domain. For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the second-level domain, and “com.tw” is the top level domain.
  • Page 375: Adding An Address Record

This is the index number of the name server record.
Domain Zone: A domain zone is a fully qualified domain name without the host. For example, zyxel.com.tw is the domain zone for the www.zyxel.com.tw fully qualified domain name.
From: This field displays whether the IP address of a DNS server is from a WAN interface (and which it is) or specified by the user.
  • Page 376: Inserting A Name Server Record

For example, www.zyxel.com.tw is a fully qualified domain name, where “www” is the host, “zyxel” is the second-level domain, and “com.tw” is the top level domain.
IP Address: If this entry is for one of the WAN ports on a ZyWALL with multiple WAN ports, select WAN Interface and select WAN 1 or WAN 2 from the drop-down list box.
  • Page 377: Dns Cache

For example, whenever the ZyWALL needs to resolve a zyxel.com.tw domain name, it can send a query to the recorded name server IP address. Leave this field blank if all domain zones are served by the specified DNS server(s).
  • Page 378: Figure 213 Advanced > Dns > Cache

Chapter 21 DNS
Figure 213 ADVANCED > DNS > Cache
The following table describes the labels in this screen.
Table 136 ADVANCED > DNS > Cache
DNS Cache Setup
Cache Positive DNS Resolutions: Select the check box to record the positive DNS resolutions in the cache. Caching positive DNS resolutions helps speed up the ZyWALL’s processing of commonly queried domain names and reduces the amount of traffic that the...
  • Page 379: Configuring Dns Dhcp

Chapter 21 DNS
Table 136 ADVANCED > DNS > Cache
IP Address: This is the (resolved) IP address of a host. This field displays 0.0.0.0 for negative DNS resolution entries.
Remaining Time (sec): This is the number of seconds left before the DNS resolution entry is discarded from the cache.
  • Page 380: Dynamic Dns

Chapter 21 DNS
Table 137 ADVANCED > DNS > DHCP
Select From ISP if your ISP dynamically assigns DNS server information (and the ZyWALL's WAN IP address). Use the drop-down list box to select a DNS server IP address that the ISP assigns in the field to the right. Select User-Defined if you have the IP address of a DNS server.
  • Page 381: High Availability

Chapter 21 DNS
If you have a private WAN IP address, then you cannot use Dynamic DNS.
21.10.2 High Availability
A DNS server maps a domain name to a WAN port's IP address. If that WAN port loses its connection, high availability allows the router to substitute another port's IP address for the domain name mapping.
• Page 382 Chapter 21 DNS
Table 138 ADVANCED > DNS > DDNS
Username: Enter your user name. You can use up to 31 alphanumeric characters (and the underscore). Spaces are not allowed.
Password: Enter the password associated with the user name above. You can use up to 31 alphanumeric characters (and the underscore).
  • Page 383: Remote Management

CHAPTER 22 Remote Management
This chapter provides information on the Remote Management screens.
22.1 Remote Management Overview
Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers. The following figure shows secure and insecure management of the ZyWALL coming in from the WAN.
  • Page 384: Remote Management Limitations

Chapter 22 Remote Management
3 Telnet
4 HTTPS and HTTP
Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers.
22.1.1 Remote Management Limitations
Remote management does not work when:
1 You have not enabled that service on the interface in the corresponding remote management screen.
  • Page 385: Www

Chapter 22 Remote Management
1 HTTPS connection requests from an SSL-aware web browser go to port 443 (by default) on the ZyWALL’s WS (web server).
2 HTTP connection requests from a web browser go to port 80 (by default) on the ZyWALL’s WS (web server).
  • Page 386: Figure 218 Advanced > Remote Mgmt > Www

Chapter 22 Remote Management
Figure 218 ADVANCED > REMOTE MGMT > WWW
The following table describes the labels in this screen.
Table 139 ADVANCED > REMOTE MGMT > WWW
HTTPS Server Certificate: Select the Server Certificate that the ZyWALL will use to identify itself. The ZyWALL is the SSL server and must always authenticate itself to the SSL client (the computer which requests the HTTPS connection with the ZyWALL).
  • Page 387: Https Example

Chapter 22 Remote Management
Table 139 ADVANCED > REMOTE MGMT > WWW (continued)
Server Access: Select the interface(s) through which a computer may access the ZyWALL using this service.
Secure Client IP Address: A secure client is a “trusted” computer that is allowed to communicate with the ZyWALL using this service.
  • Page 388: Avoiding The Browser Warning Messages

Chapter 22 Remote Management
If Accept this certificate temporarily for this session is selected, then click OK to continue in Netscape. Select Accept this certificate permanently to import the ZyWALL’s certificate into the SSL client.
Figure 220 Security Certificate 1 (Netscape)
Figure 221 Security Certificate 2 (Netscape)
22.4.3 Avoiding the Browser Warning Messages
The following describes the main reasons that your browser displays warnings about the...
  • Page 389: Login Screen

Chapter 22 Remote Management
• The actual IP address of the HTTPS server (the IP address of the ZyWALL’s port that you are trying to access) does not match the common name specified in the ZyWALL’s HTTPS server certificate that your browser received. Current browsers go further and ignore the common name altogether: the address you connect to must appear in the certificate’s Subject Alternative Name extension, or the warning is shown regardless of the common name. Do the following to check the common name specified in the certificate that your ZyWALL sends to HTTPS clients.
  • Page 390: Figure 223 Replace Certificate

Chapter 22 Remote Management
Figure 223 Replace Certificate
Click Apply in the Replace Certificate screen to create a certificate using your ZyWALL’s MAC address that will be specific to this device. Click CERTIFICATES to open the My Certificates screen. You will see information similar to that shown in the following figure.
Figure 224 Device-specific Certificate
Click Ignore in the Replace Certificate screen to keep using the common ZyWALL certificate. Because that certificate is the same on every ZyWALL, accepting it in your browser does not prove you are talking to your own device; generate the device-specific certificate for anything beyond first-time setup.
  • Page 391: Ssh

Chapter 22 Remote Management
Figure 225 Common ZyWALL Certificate
22.5 SSH
You can use SSH (Secure SHell) to securely access the ZyWALL’s SMT or command line interface. Specify which interfaces allow SSH access and from which IP address the access can come.
  • Page 392: Ssh Implementation On The Zywall

Chapter 22 Remote Management
Figure 227 How SSH Works
1 Host Identification
The SSH client sends a connection request to the SSH server. The server identifies itself with a host key. The client encrypts a randomly generated session key with the host key and server key and sends the result back to the server. This is the SSH version 1 exchange, in which the client chooses the session key; SSH version 2 instead derives it from a Diffie-Hellman key exchange that the server signs with its host key.
  • Page 393: Configuring Ssh

Chapter 22 Remote Management
22.8 Configuring SSH
Click ADVANCED > REMOTE MGMT > SSH to change your ZyWALL’s Secure Shell settings. It is recommended that you disable Telnet and FTP when you configure SSH for secure connections, since both send the login credentials in cleartext.
Figure 228 ADVANCED > REMOTE MGMT > SSH
The following table describes the labels in this screen.
  • Page 394: Secure Telnet Using Ssh Examples

    Chapter 22 Remote Management 22.9 Secure Telnet Using SSH Examples This section shows two examples using a command interface and a graphical interface SSH client program to remotely access the ZyWALL. The configuration and connection steps are similar for most SSH client programs. Refer to your SSH client program user’s guide. 22.9.1 Example 1: Microsoft Windows This section describes how to access the ZyWALL using the Secure Shell Client program.
  • Page 395: Secure Ftp Using Ssh Example

Chapter 22 Remote Management
2 Enter “ssh -1 192.168.1.1”. This command forces your computer to connect to the ZyWALL using SSH version 1. SSH version 1 has known protocol weaknesses and current OpenSSH clients no longer support it, so use version 2 wherever the device accepts it. If this is the first time you are connecting to the ZyWALL using SSH, a message displays prompting you to save the host information of the ZyWALL.
  • Page 396: Telnet

Chapter 22 Remote Management
Figure 232 Secure FTP: Firmware Upload Example
    $ sftp -1 192.168.1.1
    Connecting to 192.168.1.1...
    The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
    RSA1 key fingerprint is 21:6c:07:25:7e:f4:75:80:ec:af:bd:d4:3d:80:53:d1.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.1.1' (RSA1) to the list of known hosts.
    ...
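The transcript above answers "yes" to the fingerprint prompt, which is the moment a client either pins the device's host key or accepts whatever is on the wire. Here is an added example (not code from the ZyXEL guide or firmware) that shows what that fingerprint is and how to check it against a value recorded out of band before answering: it builds an SSH-2 ssh-rsa public-key blob, computes the legacy colon-separated MD5 fingerprint and the modern SHA256 form exactly as OpenSSH does (a hash over the raw key blob), and compares. The key itself is constructed from tiny dummy numbers so the script runs offline; the RSA1 key in the transcript is an SSH version 1 key whose fingerprint is computed over a different key encoding, so this code applies to SSH version 2 keys.

```python
"""Host-key fingerprint verification for SSH-2 ssh-rsa keys.

Added example, not ZyWALL code. DUMMY_BLOB is CONSTRUCTED from a toy
exponent/modulus so the script runs offline; a real modulus is 2048+ bits."""

import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length, then the bytes (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """SSH wire 'mpint': minimal big-endian two's complement, with a leading
    zero byte when the top bit would otherwise read as a sign bit."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def rsa_public_blob(e: int, n: int) -> bytes:
    """ssh-rsa public key blob: string "ssh-rsa", mpint e, mpint n (RFC 4253)."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def parse_authorized_key_line(line: str) -> bytes:
    """Return the raw blob from an OpenSSH 'ssh-rsa AAAA... comment' line,
    checking that the type name inside the blob matches the text type."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    type_len = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + type_len] != key_type.encode():
        raise ValueError("key type in blob does not match line")
    return blob


def fingerprint_md5(blob: bytes) -> str:
    """Legacy form: MD5 of the blob as colon-separated hex pairs."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(blob: bytes) -> str:
    """Modern OpenSSH form: 'SHA256:' + base64 of the digest, no '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(blob: bytes, pinned: str) -> bool:
    """Compare a presented key against a fingerprint recorded out of band
    (e.g. read from the device console) instead of blindly answering 'yes'."""
    if pinned.startswith("SHA256:"):
        return fingerprint_sha256(blob) == pinned
    return fingerprint_md5(blob) == pinned.lower()


# CONSTRUCTED dummy key: e=65537 and a 64-bit n whose top bit is set, which
# exercises the mpint leading-zero rule.
DUMMY_BLOB = rsa_public_blob(65537, 0xC0FFEE1234567891)
DUMMY_LINE = "ssh-rsa " + base64.b64encode(DUMMY_BLOB).decode() + " zywall-test"

if __name__ == "__main__":
    blob = parse_authorized_key_line(DUMMY_LINE)
    print(fingerprint_md5(blob))
    print(fingerprint_sha256(blob))
    print("pinned match:", host_key_matches(blob, fingerprint_md5(blob)))
```

The practical procedure is the reverse of the transcript: record the device's fingerprint from the console (or from the first connection on a trusted LAN), then answer the prompt only when `host_key_matches` is true for the key the client presents.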
  • Page 397: Ftp

Chapter 22 Remote Management
The following table describes the labels in this screen.
Table 141 ADVANCED > REMOTE MGMT > Telnet
Server Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
  • Page 398: Snmp

Chapter 22 Remote Management
The following table describes the labels in this screen.
Table 142 ADVANCED > REMOTE MGMT > FTP
Server Port: You may change the server port number for a service if needed; however, you must use the same port number in order to use that service for remote management.
  • Page 399: Supported Mibs

    Chapter 22 Remote Management Figure 235 SNMP Management Model An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyWALL). An agent translates the local management information from the managed device into a form compatible with SNMP.
  • Page 400: Snmp Traps

(defined in RFC-1215): A trap is sent to the manager when the ZyWALL receives any SNMP get or set request with the wrong community (password).
whyReboot (defined in ZYXEL-MIB): A trap is sent with the reason for the restart before rebooting, when the system is going to restart (warm start).
  • Page 401: Dns

Chapter 22 Remote Management
The following table describes the labels in this screen.
Table 144 ADVANCED > REMOTE MGMT > SNMP
SNMP Configuration
Get Community: Enter the Get Community, which is the password for the incoming Get and GetNext requests from the management station. SNMPv1/v2c community strings travel in cleartext in every request, so do not reuse a real password here and restrict who can reach the SNMP service with the access settings on this screen.
  • Page 402: Introducing Vantage Cnm

    Vantage CNM (Centralized Network Management) is a browser-based global management solution that allows an administrator from any location to easily configure, manage, monitor and troubleshoot ZyXEL devices located worldwide. See the Vantage CNM User's Guide for details. If you allow your ZyWALL to be managed by the Vantage CNM server, then you should not do any configurations directly to the ZyWALL (using either the web configurator, SMT menus or commands) without notifying the Vantage CNM administrator.
  • Page 403: Figure 238 Advanced > Remote Mgmt > Cnm

Chapter 22 Remote Management
Figure 238 ADVANCED > REMOTE MGMT > CNM
The following table describes the labels in this screen.
Table 146 ADVANCED > REMOTE MGMT > CNM
Registration Information
Registration Status: This read-only field displays Not Registered when Enable is not selected. It displays Registering when the ZyWALL first connects with the Vantage CNM server and then Registered after it has been successfully registered with the Vantage CNM server.
• Page 404
Vantage CNM Server Address: If the Vantage server is on the same subnet as the ZyXEL device, enter the private or public IP address of the Vantage server. If the Vantage CNM server is on a different subnet to the ZyWALL, enter the public IP address of the Vantage server.
  • Page 405: Upnp

CHAPTER 23 UPnP
This chapter introduces the Universal Plug and Play feature. This chapter is only applicable when the ZyWALL is in router mode.
23.1 Universal Plug and Play Overview
Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices.
  • Page 406: Upnp And Zyxel

    All UPnP-enabled devices may communicate freely with each other without additional configuration. Disable UPnP if this is not your intention. 23.1.4 UPnP and ZyXEL ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum UPnP™ Implementers Corp. (UIC). ZyXEL's UPnP implementation supports IGD 1.0 (Internet Gateway Device).
  • Page 407: Displaying Upnp Port Mapping

Chapter 23 UPnP
Table 147 ADVANCED > UPnP
Allow UPnP to pass through Firewall: Select this check box to allow traffic from UPnP-enabled applications to bypass the firewall. Clear this check box to have the firewall block all UPnP application packets (for example, MSN packets). Leave it cleared unless you need it: with it selected, any UPnP-capable program on the LAN can open inbound paths through the firewall without authentication or administrator approval.
  • Page 408: Installing Upnp In Windows Example

Chapter 23 UPnP
Table 148 ADVANCED > UPnP > Ports (continued)
Remote Host: This field displays the source IP address (on the WAN) of inbound IP packets. Since this is often a wildcard, the field may be blank. When the field is blank, the ZyWALL forwards all traffic sent to the External Port on the WAN interface to the Internal Client on the Internal Port.
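Because a blank Remote Host means "any WAN source", the port-mapping table is worth auditing rather than just displaying. The following is an added example (not code from the ZyXEL guide or firmware) that parses UPnP IGD GetGenericPortMappingEntry responses in the standard WANIPConnection:1 SOAP layout, whose New* fields correspond one-to-one to the columns of Table 148, and flags enabled mappings that are wildcard-sourced and either expose a sensitive port or never expire. The SOAP samples and the RISKY_PORTS policy are constructed for the example; on a real device you would feed it the responses from walking the mapping index until the device returns an error.

```python
"""Audit UPnP IGD port mappings for wildcard (blank Remote Host) exposure.

Added example, not ZyWALL code. The SOAP responses below are CONSTRUCTED
in the WANIPConnection:1 GetGenericPortMappingEntryResponse layout, and
RISKY_PORTS is a constructed policy to adapt to your own environment."""

import xml.etree.ElementTree as ET
from typing import Dict, List

# Ports a practitioner would not want reachable from the whole Internet
# through a UPnP-created mapping (constructed policy).
RISKY_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 445: "smb", 3389: "rdp"}


def parse_mapping(soap_xml: str) -> Dict[str, str]:
    """Return the New* fields of one GetGenericPortMappingEntryResponse,
    keyed without the 'New' prefix (RemoteHost, ExternalPort, ...)."""
    root = ET.fromstring(soap_xml)
    fields: Dict[str, str] = {}
    for el in root.iter():
        tag = el.tag.split("}")[-1]          # drop any namespace prefix
        if tag.startswith("New"):
            fields[tag[3:]] = (el.text or "").strip()
    required = {"RemoteHost", "ExternalPort", "Protocol", "InternalPort",
                "InternalClient", "Enabled", "LeaseDuration"}
    missing = required - set(fields)
    if missing:
        raise ValueError(f"response lacks {sorted(missing)}")
    return fields


def audit(mappings: List[Dict[str, str]]) -> List[str]:
    """One finding per enabled, wildcard-sourced mapping that exposes a
    risky internal port or never expires (LeaseDuration 0)."""
    findings: List[str] = []
    for m in mappings:
        if m["Enabled"] != "1":
            continue                          # disabled entries forward nothing
        wildcard = m["RemoteHost"] == ""
        port = int(m["InternalPort"])
        target = f'{m["InternalClient"]}:{port}/{m["Protocol"]}'
        if wildcard and port in RISKY_PORTS:
            findings.append(f"{RISKY_PORTS[port]} on {target} open to any WAN "
                            f"host (external port {m['ExternalPort']})")
        if wildcard and m["LeaseDuration"] == "0":
            findings.append(f"{target} mapping has no expiry (lease 0)")
    return findings


def _response(remote: str, ext: int, proto: str, intport: int, client: str,
              enabled: int, desc: str, lease: int) -> str:
    """Build a CONSTRUCTED GetGenericPortMappingEntryResponse for the demo."""
    return f"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body><u:GetGenericPortMappingEntryResponse
 xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost>{remote}</NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>
<NewProtocol>{proto}</NewProtocol><NewInternalPort>{intport}</NewInternalPort>
<NewInternalClient>{client}</NewInternalClient><NewEnabled>{enabled}</NewEnabled>
<NewPortMappingDescription>{desc}</NewPortMappingDescription>
<NewLeaseDuration>{lease}</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""


SAMPLE_RESPONSES = [
    _response("", 3389, "TCP", 3389, "192.168.1.33", 1, "rdp", 0),
    _response("", 6881, "TCP", 6881, "192.168.1.40", 1, "bittorrent", 3600),
    _response("203.0.113.5", 22, "TCP", 22, "192.168.1.10", 1, "ssh admin", 0),
    _response("", 23, "TCP", 23, "192.168.1.50", 0, "disabled telnet", 0),
]


def audit_samples() -> List[str]:
    """Run the audit over the constructed responses."""
    return audit([parse_mapping(r) for r in SAMPLE_RESPONSES])


if __name__ == "__main__":
    for finding in audit_samples():
        print("WARNING:", finding)
```

Of the four constructed entries only the RDP mapping is reported (twice: risky port and permanent lease); the SSH mapping is restricted to one remote host and the telnet one is disabled, so neither forwards anything from an arbitrary WAN source.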
  • Page 409: Installing Upnp In Windows Me

Chapter 23 UPnP
23.4.1 Installing UPnP in Windows Me
Follow the steps below to install UPnP in Windows Me.
1 Click Start, Settings and Control Panel. Double-click Add/Remove Programs.
2 Click on the Windows Setup tab and select Communication in the Components selection box.
  • Page 410: Installing Upnp In Windows Xp

    This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the ZyXEL device. Make sure the computer is connected to a LAN port of the ZyXEL device. Turn on your computer and the ZyXEL device.
  • Page 411: Auto-Discover Your Upnp-Enabled Network Device

Chapter 23 UPnP
23.5.1 Auto-discover Your UPnP-enabled Network Device
1 Click Start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway.
2 Right-click the icon and select Properties.
3 In the Internet Connection Properties ...
You may edit or delete the port mappings or click Add to manually add port mappings.
  • Page 412: Web Configurator Easy Access

    23.5.2 Web Configurator Easy Access With UPnP, you can access the web-based configurator on the ZyXEL device without finding out the IP address of the ZyXEL device first. This is helpful if you do not know the IP address of the ZyXEL device.
• Page 413
3 Select My Network Places under Other Places.
4 An icon with the description for each UPnP-enabled device displays under Local Network.
5 Right-click the icon for your ZyXEL device and select Invoke. The web configurator login screen displays.
• Page 414 Chapter 23 UPnP
6 Right-click the icon for your ZyXEL device and select Properties. A properties window displays with basic information about the ZyXEL device.
  • Page 415: Alg Screen

CHAPTER 24 ALG Screen
This chapter covers how to use the ZyWALL’s ALG feature to allow certain applications to pass through the ZyWALL.
24.1 ALG Introduction
An Application Layer Gateway (ALG) manages a specific protocol (such as SIP, H.323 or FTP) at the application layer.
  • Page 416: Alg And Multiple Wan

Chapter 24 ALG Screen
24.1.3 ALG and Multiple WAN
When the ZyWALL has two WAN interfaces and uses the second-highest-priority WAN interface as a backup, traffic cannot pass through when the primary WAN connection fails. The ZyWALL does not automatically move the connection to the secondary WAN interface.
  • Page 417: Figure 241 H.323 Alg Example

Chapter 24 ALG Screen
• You must configure the firewall and port forwarding to allow incoming (peer-to-peer) calls from the WAN to a private IP address on the LAN, DMZ or WLAN.
The following example shows H.323 signaling (1) and audio (2) sessions between H.323 devices A and
Figure 241 H.323 ALG Example
•...
  • Page 418: Sip

Chapter 24 ALG Screen
Figure 243 H.323 Calls from the WAN with Multiple Outgoing Calls
• The H.323 ALG operates on TCP packets with a port 1720 destination.
• The ZyWALL allows H.323 audio connections.
• The ZyWALL can also apply bandwidth management to traffic that goes through the H.323 ALG.
  • Page 419: Sip Signaling Session Timeout

Chapter 24 ALG Screen
Figure 244 SIP ALG Example
24.5.3 SIP Signaling Session Timeout
Most SIP clients have an “expire” mechanism indicating the lifetime of signaling sessions. The SIP user agent sends registration packets to the SIP server periodically and keeps the session alive in the ZyWALL.
  • Page 420: Figure 245 Advanced > Alg

Chapter 24 ALG Screen
Figure 245 ADVANCED > ALG
The following table describes the labels in this screen.
Table 149 ADVANCED > ALG
Enable FTP: Select this check box to allow FTP sessions to pass through the ZyWALL. FTP (File Transfer Protocol) is a protocol for transferring files, including large files that may not be possible by e-mail. The FTP ALG reads the control channel so that it can open the separate data connection; it adds no encryption, so FTP logins and file contents still cross the network in cleartext.
  • Page 421: Reports, Logs And Maintenance

    Reports, Logs and Maintenance Logs Screens (423) Maintenance (451)
  • Page 423: Logs Screens

CHAPTER 25 Logs Screens
This chapter contains information about configuring general log settings and viewing the ZyWALL’s logs. Refer to Section 25.5 on page 434 for example log message explanations.
25.1 Configuring View Log
The web configurator allows you to look at all of the ZyWALL’s logs in one location. Click LOGS to open the View Log screen.
  • Page 424: Log Description Example

Chapter 25 Logs Screens
The following table describes the labels in this screen.
Table 150 LOGS > View Log
Display: The categories that you select in the Log Settings page (see Section 25.3 on page 426) display in the drop-down list box. Select a category of logs to view;...
  • Page 425: About The Certificate Not Trusted Log

Chapter 25 Logs Screens
Table 151 Log Description Example
notes: The ZyWALL blocked the packet.
message: The ZyWALL blocked the packet in accordance with the firewall’s default policy of blocking sessions that are initiated from the WAN. “UDP” means that this was a User Datagram Protocol packet.
  • Page 426: Configuring Log Settings

    Chapter 25 Logs Screens Figure 248 myZyXEL.com: Certificate Download 25.3 Configuring Log Settings To change your ZyWALL’s log settings, click LOGS > Log Settings. The screen appears as shown. Use the Log Settings screen to configure to where the ZyWALL is to send logs; the schedule for when the ZyWALL is to send the logs and which logs and/or immediate alerts the ZyWALL is to send.
  • Page 427: Figure 249 Logs > Log Settings

Chapter 25 Logs Screens
Figure 249 LOGS > Log Settings
  • Page 428: Table 152 Logs > Log Settings

Chapter 25 Logs Screens
The following table describes the labels in this screen.
Table 152 LOGS > Log Settings
E-mail Log Settings
Mail Server: Enter the server name or the IP address of the mail server for the e-mail addresses specified below.
  • Page 429: Configuring Reports

Chapter 25 Logs Screens
Table 152 LOGS > Log Settings (continued)
Send Immediate Alert: Select the categories of alerts for which you want the ZyWALL to instantly e-mail alerts to the e-mail address specified in the Send Alerts To field.
Log Consolidation
Active: Some logs (such as the Attacks logs) may be so numerous that it becomes...
  • Page 430: Figure 250 Logs > Reports

Chapter 25 Logs Screens
Figure 250 LOGS > Reports
Enabling the ZyWALL’s reporting function decreases the overall throughput by about 1 Mbps.
The following table describes the labels in this screen.
Table 153 LOGS > Reports
Collect Statistics: Select the check box and click Apply to have the ZyWALL record report data.
Send Raw ... Select the check box and click Apply to have the ZyWALL send unprocessed traffic...
  • Page 431: Viewing Web Site Hits

    Chapter 25 Logs Screens All of the recorded reports data is erased when you turn off the ZyWALL. 25.4.1 Viewing Web Site Hits In the Reports screen, select Web Site Hits from the Report Type drop-down list box to have the ZyWALL record and display which web sites have been visited the most often and how many times they have been visited.
  • Page 432: Viewing Protocol/Port

Chapter 25 Logs Screens
Computers take turns using dynamically assigned LAN, DMZ or WLAN IP addresses. The ZyWALL continues recording the bytes sent to or from a LAN, DMZ or WLAN IP address when it is assigned to a different computer, so a per-address total may combine several hosts’ traffic; correlate it with DHCP lease times before attributing it to one machine.
Figure 252 LOGS >...
  • Page 433: Figure 253 Logs > Reports: Protocol/Port Example

Chapter 25 Logs Screens
Figure 253 LOGS > Reports: Protocol/Port Example
The following table describes the labels in this screen.
Table 156 LOGS > Reports: Protocol/Port
Protocol/Port: This column lists the protocols or service ports for which the most traffic has gone through the ZyWALL.
  • Page 434: System Reports Specifications

Chapter 25 Logs Screens
25.4.4 System Reports Specifications
The following table lists detailed specifications on the reports feature.
Table 157 Report Specifications
Number of web sites/protocols or ports/IP addresses listed:
Hit count limit: Up to 2^32 (about four billion) hits can be counted per web site. The count starts over at 0 if it passes four billion.
• Page 435 Chapter 25 Logs Screens
Table 158 System Maintenance Logs (continued)
LOG MESSAGE: DESCRIPTION
Time initialized by NTP server: The router got the time and date from the NTP server.
Connect to Daytime server fail: The router was not able to connect to the Daytime server.
The router was not able to connect to the Time server....
  • Page 436: Table 159 System Error Logs

Chapter 25 Logs Screens
Table 159 System Error Logs
LOG MESSAGE: DESCRIPTION
%s exceeds the max. number of session per host: This attempt to create a NAT session exceeds the maximum number of NAT session table entries allowed to be created per host.
  • Page 437: Table 161 Tcp Reset Logs

Chapter 25 Logs Screens
Table 161 TCP Reset Logs
LOG MESSAGE: DESCRIPTION
Under SYN flood attack, sent TCP RST: The router sent a TCP reset packet when a host was under a SYN flood attack (the TCP incomplete count is per destination host).
Exceed TCP MAX...: The router sent a TCP reset packet when the number of TCP...
  • Page 438: Table 164 Cdr Logs

Chapter 25 Logs Screens
Table 163 ICMP Logs (continued)
LOG MESSAGE: DESCRIPTION
Packet without a NAT table entry blocked: ICMP: The router blocked a packet that didn’t have a corresponding NAT table entry.
Unsupported/out-of-order ICMP: The firewall does not support this kind of ICMP packet, or the ICMP packets are out of order.
  • Page 439: Table 167 Content Filtering Logs

Chapter 25 Logs Screens
Table 167 Content Filtering Logs
LOG MESSAGE: DESCRIPTION
%s: Keyword blocking: The content of a requested web page matched a user defined keyword.
%s: Not in trusted web...: The web site is not in a trusted domain, and the router blocks all traffic except trusted domain sites.
• Page 440 Chapter 25 Logs Screens
Table 168 Attack Log (continued)
LOG MESSAGE: DESCRIPTION
ip spoofing - WAN [ TCP | UDP | IGMP | ESP | GRE | OSPF ]: The firewall detected an IP spoofing attack on the WAN port.
ip spoofing - WAN ICMP: The firewall detected an ICMP IP spoofing attack on the WAN port.
  • Page 441: Table 169 Remote Management Logs

Chapter 25 Logs Screens
Table 169 Remote Management Logs
LOG MESSAGE: DESCRIPTION
Remote Management: FTP denied: Attempted use of FTP service was blocked according to remote management settings.
Remote Management: TELNET denied: Attempted use of TELNET service was blocked according to remote management settings.
Remote Management: HTTP or UPnP ...: Attempted use of HTTP or UPnP service was blocked according to remote management settings.
  • Page 442: Table 171 Ike Logs

Chapter 25 Logs Screens
Table 171 IKE Logs
LOG MESSAGE: DESCRIPTION
Active connection allowed exceeded: The IKE process for a new connection failed because the limit of simultaneous phase 2 SAs has been reached.
Start Phase 2: Quick Mode: Phase 2 Quick Mode has started.
Verifying Remote ID failed:...: The connection failed during IKE phase 2 because the router...
• Page 443 Chapter 25 Logs Screens
Table 171 IKE Logs (continued)
Remote IP <Remote IP> / <Remote IP> conflicts: The security gateway is set to “0.0.0.0” and the router used the peer’s “Local Address” as the router’s “Remote Address”. This information conflicted with static rule #d;...
• Page 444 Chapter 25 Logs Screens
Table 171 IKE Logs (continued)
Rule [%d] Phase 2 authentication algorithm mismatch: The listed rule’s IKE phase 2 authentication algorithm did not match between the router and the peer.
Rule [%d] Phase 2 ...: The listed rule’s IKE phase 2 encapsulation did not match between the router and the peer.
  • Page 445: Table 172 Pki Logs

Chapter 25 Logs Screens
Table 172 PKI Logs
LOG MESSAGE: DESCRIPTION
Enrollment successful: The SCEP online certificate enrollment was successful. The Destination field records the certification authority server IP address and port.
Enrollment failed: The SCEP online certificate enrollment failed. The Destination field records the certification authority server’s IP address and port.
  • Page 446: Table 173 Certificate Path Verification Failure Reason Codes

    Chapter 25 Logs Screens Table 173 Certificate Path Verification Failure Reason Codes
    CODE / DESCRIPTION
    Algorithm mismatch between the certificate and the search constraints.
    Key usage mismatch between the certificate and the search constraints.
    Certificate was not valid in the time interval.
    (Not used)
    Certificate is not valid.
  • Page 447: Table 175 Icmp Notes

    Chapter 25 Logs Screens Table 174 ACL Setting Notes (continued)
    PACKET DIRECTION / DIRECTION / DESCRIPTION
    (L to L/ZW) LAN to LAN/ZyWALL
        ACL set for packets traveling from the LAN to the LAN or the ZyWALL.
    (W to W/ZW) WAN to WAN/ZyWALL
        ACL set for packets traveling from the WAN to the WAN or the ZyWALL.
  • Page 448: Syslog Logs

    Chapter 25 Logs Screens Table 175 ICMP Notes (continued)
    TYPE / CODE / DESCRIPTION
    Time to live exceeded in transit
    Fragment reassembly time exceeded
    Parameter Problem
        Pointer indicates the error
    Timestamp
        Timestamp request message
    Timestamp Reply
        Timestamp reply message
    Information Request
        Information request message
    Information Reply
        Information reply message
    25.6 Syslog Logs...
  • Page 449: Table 177 Rfc-2408 Isakmp Payload Types

    Chapter 25 Logs Screens Table 176 Syslog Logs (continued)
    LOG MESSAGE / DESCRIPTION
    Event Log: <Facility*8 + Severity>Mon dd hr:mm:ss
        This message is sent by the device ("RAS" displays as the system name if you haven’t configured one) at the time when this syslog is generated.
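    The syslog entry above is the envelope in which the Attack Logs (Table 168) and Remote Management Logs (Table 169) reach a collector, and the PRI value is exactly Facility*8 + Severity. The following is an added example, not code from the guide or from ZyXEL: it decodes that PRI, extracts the message text and tallies spoofing and denied-management events. The layout of the line after the timestamp (key="value" fields with the text in msg="...") and all sample lines are constructed assumptions for this example; only the "<PRI>Mon dd hr:mm:ss" prefix and the message texts come from the guide's tables.

```python
"""Decode ZyWALL syslog lines and tally the Attack and Remote Management events.

Added example, not ZyXEL code.  The PRI prefix follows the guide's
"<Facility*8 + Severity>Mon dd hr:mm:ss" description; the key="value" body
layout and the sample lines are constructed for this example.
"""
import re
from collections import Counter
from typing import Optional, Tuple

# Standard syslog severity names, indexed by PRI mod 8.
SEVERITY_NAMES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

# <PRI>Mon dd hh:mm:ss <system name> <rest>.  "RAS" is the system name the
# guide says appears when none has been configured.
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<rest>.*)$"
)
# Assumption for this example: the body carries the log text in a msg="..." field.
MSG_RE = re.compile(r'msg="(?P<msg>[^"]*)"')

# Message texts taken from the guide's Attack Logs (Table 168) and
# Remote Management Logs (Table 169).
ATTACK_RE = re.compile(r"^ip spoofing - WAN(?: (?:TCP|UDP|IGMP|ESP|GRE|OSPF|ICMP))?$")
REMOTE_MGMT_RE = re.compile(r"^Remote Management: (?P<service>FTP|TELNET|HTTP or UPnP) denied$")


def decode_pri(pri: int) -> Tuple[int, str]:
    """Split a PRI value into (facility, severity name).

    Facilities run 0..23, so any PRI above 191 cannot be a valid header.
    """
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    return facility, SEVERITY_NAMES[severity]


def classify(msg: str) -> str:
    """Map a ZyWALL log text to a coarse category using the guide's message tables."""
    if ATTACK_RE.match(msg):
        return "attack/ip-spoofing"
    m = REMOTE_MGMT_RE.match(msg)
    if m:
        return "remote-mgmt-denied/" + m["service"]
    return "other"


def parse_line(line: str) -> Optional[dict]:
    """Return the decoded fields of one syslog line, or None if it is not one."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    facility, severity = decode_pri(int(m["pri"]))
    msg_m = MSG_RE.search(m["rest"])
    msg = msg_m["msg"] if msg_m else m["rest"]
    return {
        "timestamp": m["ts"],
        "host": m["host"],
        "facility": facility,
        "severity": severity,
        "msg": msg,
        "category": classify(msg),
    }


def summarize(lines) -> Counter:
    """Count parsed lines per category; lines that are not syslog are skipped."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[rec["category"]] += 1
    return counts


# Constructed sample lines: facility 16 (local0); 134 = info, 132 = warning.
SAMPLE_LINES = [
    '<134>Jan  1 00:00:05 RAS src="10.0.0.5:0" dst="203.0.113.10:0" msg="ip spoofing - WAN ICMP" note="ATTACK"',
    '<134>Jan  1 00:00:07 RAS src="10.0.0.5:1025" dst="203.0.113.10:80" msg="ip spoofing - WAN TCP" note="ATTACK"',
    '<132>Jan  1 00:01:12 RAS src="198.51.100.7:3301" dst="203.0.113.10:23" msg="Remote Management: TELNET denied"',
    '<132>Jan  1 00:01:15 RAS src="198.51.100.7:3302" dst="203.0.113.10:21" msg="Remote Management: FTP denied"',
    '<132>Jan  1 00:01:20 RAS src="198.51.100.7:3303" dst="203.0.113.10:23" msg="Remote Management: TELNET denied"',
    '<134>Jan  1 00:02:00 RAS msg="WAN connection is up."',
    "not a syslog line at all",
]

if __name__ == "__main__":
    for category, n in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{n:3d}  {category}")
```

    Repeated "Remote Management: ... denied" lines from one source are the signal that someone on the WAN is probing the management ports, which is the reason to keep those services limited to trusted addresses in the remote management settings.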
  • Page 450 Chapter 25 Logs Screens Table 177 RFC-2408 ISAKMP Payload Types (continued)
    LOG DISPLAY / PAYLOAD TYPE
    Hash (HASH)
    Signature
    Nonce (NONCE)
    Notification (NOTFY)
    Delete
    Vendor ID
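    The payload names in Table 177 are what the IKE log shows after the device has walked an ISAKMP message's payload chain. As an added example (not ZyXEL code, and not the device's parser), the block below does that walk in Python over RFC 2408 framing: a 28-byte header, then a chain of generic payload headers each naming the next payload type. Payload type numbers are those of RFC 2408 section 3.1; the sample message and the deliberately oversized length field are constructed. The point a practitioner should take from it is that every length claim is checked against the bytes actually present before it is used.

```python
"""Walk the ISAKMP payload chain of an IKE message (RFC 2408 framing).

Added example, not ZyXEL code.  Payload type numbers are those of RFC 2408
section 3.1; the sample message below is constructed.
"""
import struct

HEADER_LEN = 28     # cookies (8+8), next payload, version, exchange, flags, msg ID, length
GENERIC_LEN = 4     # generic payload header: next payload, reserved, payload length
HEADER_FMT = "!8s8sBBBBII"
GENERIC_FMT = "!BBH"

# Names as the guide's Table 177 gives them where present (Hash, Signature,
# Nonce, Notification, Delete, Vendor ID); numbers from RFC 2408.
PAYLOAD_TYPES = {
    1: "Security Association", 2: "Proposal", 3: "Transform", 4: "Key Exchange",
    5: "Identification", 6: "Certificate", 7: "Certificate Request", 8: "Hash",
    9: "Signature", 10: "Nonce", 11: "Notification", 12: "Delete", 13: "Vendor ID",
}


class IsakmpError(ValueError):
    """Raised when the framing does not add up; stop rather than guess."""


def parse_isakmp(data: bytes) -> dict:
    """Return the header fields and an ordered list of (type name, payload body)."""
    if len(data) < HEADER_LEN:
        raise IsakmpError("message shorter than the ISAKMP header")
    (icookie, rcookie, next_type, version, exchange,
     flags, msg_id, length) = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if length != len(data):
        raise IsakmpError(f"header length {length} != {len(data)} bytes received")

    payloads = []
    offset = HEADER_LEN
    while next_type != 0:                       # 0 = NONE ends the chain
        if offset + GENERIC_LEN > len(data):
            raise IsakmpError("truncated generic payload header")
        following, _reserved, plen = struct.unpack(GENERIC_FMT, data[offset:offset + GENERIC_LEN])
        # The claimed length is validated before it is used to slice;
        # this is exactly where careless parsers read past the buffer.
        if plen < GENERIC_LEN or offset + plen > len(data):
            raise IsakmpError(f"payload length {plen} at offset {offset} is out of bounds")
        name = PAYLOAD_TYPES.get(next_type, f"Unknown({next_type})")
        payloads.append((name, data[offset + GENERIC_LEN:offset + plen]))
        next_type = following
        offset += plen
    if offset != len(data):
        raise IsakmpError(f"{len(data) - offset} trailing bytes after the last payload")

    return {
        "initiator_cookie": icookie, "responder_cookie": rcookie,
        "version": (version >> 4, version & 0x0F), "exchange_type": exchange,
        "flags": flags, "message_id": msg_id, "payloads": payloads,
    }


def build_message(payloads, exchange_type: int = 5) -> bytes:
    """Encode (type number, body) pairs as a well-formed message (5 = Informational)."""
    body = b""
    for i, (ptype, content) in enumerate(payloads):
        following = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack(GENERIC_FMT, following, 0, GENERIC_LEN + len(content)) + content
    first = payloads[0][0] if payloads else 0
    header = struct.pack(HEADER_FMT, b"\x01" * 8, b"\x02" * 8, first, 0x10,
                         exchange_type, 0, 0, HEADER_LEN + len(body))
    return header + body


def is_malformed(data: bytes) -> bool:
    """True if the parser rejects the message."""
    try:
        parse_isakmp(data)
    except IsakmpError:
        return True
    return False


def payload_names(data: bytes) -> list:
    """The type names in chain order, as a log line would list them."""
    return [name for name, _ in parse_isakmp(data)["payloads"]]


# Constructed sample: Hash, Nonce, Notification, Vendor ID.
SAMPLE = build_message([
    (8, b"\xaa" * 16),
    (10, b"\xbb" * 20),
    (11, b"\x00\x00\x00\x01\x00\x00\x00\x0e"),
    (13, b"example-vendor-id"),
])

# The same bytes with the first payload's length inflated past the message end.
_oversized = bytearray(SAMPLE)
struct.pack_into("!H", _oversized, HEADER_LEN + 2, 0xFFFF)
OVERSIZED = bytes(_oversized)

if __name__ == "__main__":
    print(payload_names(SAMPLE))      # ['Hash', 'Nonce', 'Notification', 'Vendor ID']
    print(is_malformed(OVERSIZED))    # True
```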
  • Page 451: Maintenance

    CHAPTER 26 Maintenance This chapter describes the maintenance screens. 26.1 Maintenance Overview The maintenance screens can help you view system information, upload new firmware, manage configuration and restart your ZyWALL. 26.2 General Setup and System Name General Setup contains administrative and system-related information.
  • Page 452: Configuring Password

    Chapter 26 Maintenance Figure 254 MAINTENANCE > General Setup The following table describes the labels in this screen. Table 178 MAINTENANCE > General Setup LABEL DESCRIPTION General Setup System Name Choose a descriptive name for identification purposes. It is recommended you enter your computer’s “Computer name”...
  • Page 453: Time And Date

    Chapter 26 Maintenance Figure 255 MAINTENANCE > Password The following table describes the labels in this screen. Table 179 MAINTENANCE > Password LABEL DESCRIPTION Old Password Type the default password or the existing password you use to access the system in this field.
  • Page 454: Figure 256 Maintenance > Time And Date

    Chapter 26 Maintenance Figure 256 MAINTENANCE > Time and Date The following table describes the labels in this screen. Table 180 MAINTENANCE > Time and Date LABEL DESCRIPTION Current Time and Date Current Time This field displays the ZyWALL’s present time. Current Date This field displays the ZyWALL’s present date.
  • Page 455 Chapter 26 Maintenance Table 180 MAINTENANCE > Time and Date (continued) LABEL DESCRIPTION Time Protocol Select the time service protocol that your time server uses. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.
  • Page 456: Pre-Defined Ntp Time Server Pools

    Chapter 26 Maintenance 26.5 Pre-defined NTP Time Server Pools When you turn on the ZyWALL for the first time, the date and time start at 2000-01-01 00:00:00. The ZyWALL then attempts to synchronize with an NTP time server from one of the 0.pool.ntp.org, 1.pool.ntp.org or 2.pool.ntp.org NTP time server pools. Until that synchronization succeeds the clock is years behind, so anything that checks a validity period (certificate path verification, for example, which Table 173 reports as "Certificate was not valid in the time interval") can fail on a freshly started device.
  • Page 457: Introduction To Transparent Bridging

    Chapter 26 Maintenance Figure 258 Synchronization is Successful If the update was not successful, the following screen appears. Click Return to go back to the Time and Date screen. Figure 259 Synchronization Fail 26.6 Introduction To Transparent Bridging A transparent bridge is invisible to the operation of a network in that it does not modify the frames it forwards.
  • Page 458: Transparent Firewalls

    Chapter 26 Maintenance For example, if a bridge receives a frame via port 1 from host A (MAC address 00a0c5123478), the bridge associates host A with port 1. When the bridge receives another frame on one of its ports with destination address 00a0c5123478, it forwards the frame directly through port 1 after checking the internal table.
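    The learning step in the paragraph above is what makes a transparent bridge (and the ZyWALL in bridge mode) forward without touching frames, and it is also the part an attacker can abuse: the bridge believes whatever source address it sees, so a station that spoofs 00a0c5123478 on another port relocates host A's entry. The following is an added example, not ZyXEL code, that models the table the chapter describes: learn the source, forward to the learned port, flood when the destination is unknown, filter when it is on the arriving port. The MAC address and the port numbers are the chapter's illustration; the table size limit and the other addresses are constructed for the example.

```python
"""A learning (transparent) bridge's forwarding table, as the chapter describes it.

Added example, not ZyXEL code.  MAC 00a0c5123478 and the port numbers are the
chapter's own illustration; everything else is constructed.
"""
import re

BROADCAST = "ffffffffffff"
_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept 00a0c5123478, 00:a0:c5:12:34:78 or 00-a0-c5-12-34-78."""
    flat = re.sub(r"[:\-.]", "", mac).lower()
    if not _MAC_RE.match(flat):
        raise ValueError(f"bad MAC address {mac!r}")
    return flat


class LearningBridge:
    def __init__(self, ports, max_entries: int = 1024):
        self.ports = frozenset(ports)
        self.max_entries = max_entries
        self.table = {}          # MAC -> port the address was last seen on
        self.relocations = 0     # how often a known MAC moved to another port

    def receive(self, in_port: int, src: str, dst: str) -> set:
        """Learn the source address, then return the ports the frame goes out of."""
        if in_port not in self.ports:
            raise ValueError(f"no such port {in_port}")
        src, dst = normalize_mac(src), normalize_mac(dst)

        # Learning.  The bridge trusts the source address it sees, so a host that
        # spoofs another station's MAC relocates that station's entry.  Counting
        # relocations is a cheap way to notice it.
        previous = self.table.get(src)
        if previous is not None and previous != in_port:
            self.relocations += 1
        # When the table is full (MAC flooding), new addresses are simply not
        # learned; frames for them keep being flooded instead.
        if previous is not None or len(self.table) < self.max_entries:
            self.table[src] = in_port

        # Forwarding.
        others = set(self.ports) - {in_port}
        if dst == BROADCAST:
            return others
        out = self.table.get(dst)
        if out is None:
            return others          # unknown destination: flood all other ports
        if out == in_port:
            return set()           # destination is on the arriving segment: filter
        return {out}

    def lookup(self, mac: str):
        """Port a MAC address was learned on, or None."""
        return self.table.get(normalize_mac(mac))


if __name__ == "__main__":
    bridge = LearningBridge(ports=[1, 2, 3])
    print(bridge.receive(1, "00a0c5123478", "00a0c5aabbcc"))  # {2, 3}: unknown destination, flood
    print(bridge.receive(2, "00a0c5aabbcc", "00a0c5123478"))  # {1}: host A was learned on port 1
    print(bridge.receive(3, "00a0c5123478", "00a0c5aabbcc"))  # {2}, but host A's entry now says port 3
    print(bridge.lookup("00a0c5123478"), bridge.relocations)  # 3 1
```

    Because the frames are forwarded unchanged, a firewall sitting in bridge mode sees the same addresses the hosts do; that is what lets it filter without renumbering the network, and also why it cannot protect against a station on the same segment spoofing another.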
  • Page 459: Figure 260 Maintenance > Device Mode (Router Mode)

    Chapter 26 Maintenance You can use the firewall and VPN in bridge mode. See the user’s guide for a list of other features that are available in bridge mode. The following applies when the ZyWALL is in router mode. Figure 260 MAINTENANCE > Device Mode (Router Mode) The following table describes the labels in this screen.
  • Page 460: Configuring Device Mode (Bridge)

    Chapter 26 Maintenance 26.9 Configuring Device Mode (Bridge) Click MAINTENANCE > Device Mode to open the following screen. Use this screen to configure your ZyWALL as a router or a bridge. In bridge mode, the ZyWALL functions as a transparent firewall (also known as a bridge firewall).
  • Page 461: F/W Upload Screen

    Click Reset to begin configuring this screen afresh. 26.10 F/W Upload Screen Find firmware at www.zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example, "zywall.bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes. HTTP carries the image in cleartext, so perform the upload from a trusted LAN segment rather than through a remote management session across the WAN.
  • Page 462: Figure 262 Maintenance > Firmware Upload

    Chapter 26 Maintenance Figure 262 MAINTENANCE > Firmware Upload The following table describes the labels in this screen. Table 184 MAINTENANCE > Firmware Upload LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse ... to find it. Browse...
  • Page 463: Backup And Restore

    Chapter 26 Maintenance Figure 264 Network Temporarily Disconnected After two minutes, log in again and check your new firmware version in the HOME screen. If the upload was not successful, the following screen will appear. Click Return to go back to the F/W Upload screen.
  • Page 464: Backup Configuration

    Chapter 26 Maintenance Figure 266 MAINTENANCE > Backup and Restore 26.11.1 Backup Configuration Backup configuration allows you to back up (save) the ZyWALL’s current configuration to a file on your computer. Once your ZyWALL is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes.
  • Page 465: Back To Factory Defaults

    Chapter 26 Maintenance After you see a “restore configuration successful” screen, you must then wait one minute before logging into the ZyWALL again. Figure 267 Configuration Upload Successful The ZyWALL automatically restarts in this time causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.
  • Page 466: Restart Screen

    Chapter 26 Maintenance Figure 270 Reset Warning Message You can also press the hardware RESET button to reset the factory defaults of your ZyWALL. Refer to Section 2.3 on page 57 for more information on the RESET button. 26.12 Restart Screen System restart allows you to reboot the ZyWALL without turning the power off.
  • Page 467: Smt And Troubleshooting

    SMT and Troubleshooting
    Introducing the SMT (469)
    SMT Menu 1 - General Setup (477)
    WAN and Dial Backup Setup (483)
    LAN Setup (497)
    Internet Access (503)
    DMZ Setup (509)
    Route Setup (513)
    Wireless Setup (517)
    Remote Node Setup (521)
    IP Static Route Setup (529)
    Network Address Translation (NAT) (533)
    Introducing the ZyWALL Firewall (553)
    Filter Configuration (555)
  • Page 468 Troubleshooting (623)
  • Page 469: Introducing The Smt

    CHAPTER 27 Introducing the SMT This chapter explains how to access the System Management Terminal and gives an overview of its menus. 27.1 Introduction to the SMT The ZyWALL’s SMT (System Management Terminal) is a menu-driven interface that you can access from a terminal emulator through the console port or over a telnet connection.
  • Page 470: Entering The Password

    Chapter 27 Introducing the SMT Figure 272 Initial Screen
    Copyright (c) 1994 - 2006 ZyXEL Communications Corp.
    initialize ch =0, ethernet address: 00:A0:C5:01:23:45
    initialize ch =1, ethernet address: 00:A0:C5:01:23:46
    initialize ch =2, ethernet address: 00:A0:C5:01:23:47
    initialize ch =3, ethernet address: 00:A0:C5:01:23:48
    initialize ch =4, ethernet address: 00:00:00:00:00:00
    AUX port init .
  • Page 471: Main Menu

    27.3.1 Main Menu After you enter the password, the SMT displays the ZyWALL Main Menu, as shown next. Figure 274 Main Menu (Router Mode) Copyright (c) 1994 - 2006 ZyXEL Communications Corp. ZyWALL 2WG Main Menu Getting Started Advanced Management 1.
  • Page 472: Figure 275 Main Menu (Bridge Mode)

    Chapter 27 Introducing the SMT Figure 275 Main Menu (Bridge Mode) Copyright (c) 1994 - 2006 ZyXEL Communications Corp. ZyWALL 2WG Main Menu Getting Started Advanced Management 1. General Setup 21. Filter and Firewall Setup 22. SNMP Configuration 23. System Password 24.
  • Page 473: Smt Menus Overview

    Chapter 27 Introducing the SMT Table 187 Main Menu Summary MENU TITLE FUNCTION Schedule Setup Use this menu to schedule outgoing calls. Exit Use this menu to exit (necessary for remote configuration). 27.3.2 SMT Menus Overview The following table gives you an overview of your ZyWALL’s various SMT menus. Table 188 SMT Menus Overview MENUS SUB MENUS...
  • Page 474: Changing The System Password

    Chapter 27 Introducing the SMT Table 188 SMT Menus Overview (continued) MENUS SUB MENUS 15 NAT Setup 15.1 Address Mapping Sets 15.1.x Address Mapping 15.1.x.x Address Rules Mapping Rule 15.2 NAT Server Sets 15.2.x NAT Server Setup 15.2.x.x - NAT Server Configuration 15.3 Trigger Ports 15.3.x Trigger Port Setup...
  • Page 475: Resetting The Zywall

    Chapter 27 Introducing the SMT Figure 276 Menu 23: System Password Menu 23 - System Password Old Password= ? New Password= ? Retype to confirm= ? Enter here to CONFIRM or ESC to CANCEL: 2 Type your existing password and press [ENTER]. 3 Type your new system password and press [ENTER].
  • Page 477: Smt Menu 1 - General Setup

    CHAPTER 28 SMT Menu 1 - General Setup Menu 1 - General Setup contains administrative and system-related information. 28.1 Introduction to General Setup Menu 1 - General Setup contains administrative and system-related information. 28.2 Configuring General Setup 1 Enter 1 in the main menu to open Menu 1 - General Setup.
  • Page 478: Figure 278 Menu 1: General Setup (Bridge Mode)

    Chapter 28 SMT Menu 1 - General Setup Table 189 Menu 1: General Setup (Router Mode) (continued) FIELD DESCRIPTION Device Mode Press [SPACE BAR] and then [ENTER] to select Router Mode. Edit Dynamic Press [SPACE BAR] and then [ENTER] to select Yes or No (default). Select Yes to configure Menu 1.1: Configure Dynamic DNS discussed next.
  • Page 479: Configuring Dynamic Dns

    Chapter 28 SMT Menu 1 - General Setup 28.2.1 Configuring Dynamic DNS To configure Dynamic DNS, set the ZyWALL to router mode in menu 1 or in the MAINTENANCE Device Mode screen and go to Menu 1 - General Setup and press [SPACE BAR] to select Yes in the Edit Dynamic DNS field.
  • Page 480: Figure 280 Menu 1.1.1: Ddns Host Summary

    Chapter 28 SMT Menu 1 - General Setup Figure 280 Menu 1.1.1: DDNS Host Summary
    Menu 1.1.1 DDNS Host Summary
    Summary
    -------------------------------------------------------
    Hostname=ZyWALL, Type=Dynamic,WC=Yes,Offline=No,Policy=DDNS Server Detect, WAN1, HA=Yes
    Select Command= None
    Select Rule= N/A
    Press ENTER to Confirm or ESC to Cancel:
    The following table describes the fields in this screen.
  • Page 481: Figure 281 Menu 1.1.1: Ddns Edit Host

    Chapter 28 SMT Menu 1 - General Setup Figure 281 Menu 1.1.1: DDNS Edit Host Menu 1.1.1 - DDNS Edit Host Hostname= ZyWALL DDNS Type= DynamicDNS Enable Wildcard Option= Yes Enable Off Line Option= N/A Bind WAN= 1 HA= Yes IP Address Update Policy: Let DDNS Server Auto Detect= Yes Use User-Defined= N/A...
  • Page 482 Chapter 28 SMT Menu 1 - General Setup Table 193 Menu 1.1.1: DDNS Edit Host (continued) FIELD DESCRIPTION IP Address You can select Yes in either the Let DDNS Server Auto Detect field (recommended) Update Policy: or the Use User-Defined field, but not both. With the Let DDNS Server Auto Detect and Use User-Defined fields both set to No, the DDNS server automatically updates the IP address of the host name(s) with the ZyWALL’s WAN IP address.
  • Page 483: Wan And Dial Backup Setup

    CHAPTER 29 WAN and Dial Backup Setup This chapter describes how to configure the WAN using menu 2 and dial-backup using menus 2.1 and 11.1. 29.1 Introduction to WAN, 3G WAN and Dial Backup Setup This chapter explains how to configure settings for your WAN interface(s), a 3G WAN connection and a dial backup connection using the SMT menus.
  • Page 484: Dial Backup

    Chapter 29 WAN and Dial Backup Setup The following table describes the fields in this screen. Table 194 MAC Address Cloning in WAN Setup FIELD DESCRIPTION WAN 1 MAC Address Assigned By Press [SPACE BAR] and then [ENTER] to choose one of two methods to assign a MAC Address.
  • Page 485: Advanced Wan Setup

    Chapter 29 WAN and Dial Backup Setup Figure 283 Menu 2: Dial Backup Setup Menu 2 - WAN Setup WAN 1 MAC Address: Assigned By= Factory default IP Address= N/A Dial-Backup: Active= No Port Speed= 115200 AT Command String: Init= at&fs0=0 Edit Advanced Setup= No 3G Modem Setup: APN=...
  • Page 486: Figure 284 Menu 2.1: Advanced Wan Setup

    Chapter 29 WAN and Dial Backup Setup To edit the advanced setup for the Dial Backup port, move the cursor to the Edit Advanced Setup field in Menu 2 - WAN Setup, press the [SPACE BAR] to select Yes and then press [ENTER].
  • Page 487: Remote Node Profile (Backup Isp)

    Chapter 29 WAN and Dial Backup Setup Table 197 Advanced WAN Port Setup: Call Control Parameters FIELD DESCRIPTION Call Control Dial Timeout (sec) Enter a number of seconds for the ZyWALL to keep trying to set up an outgoing call before timing out (stopping). The ZyWALL times out and stops if it cannot set up an outgoing call within the timeout value.
  • Page 488: Table 198 Menu 11.3: Remote Node Profile (Backup Isp)

    Chapter 29 WAN and Dial Backup Setup The following table describes the fields in this menu. Table 198 Menu 11.3: Remote Node Profile (Backup ISP) FIELD DESCRIPTION Rem Node Enter a descriptive name for the remote node. This field can be up to eight Name characters.
  • Page 489: Editing Tcp/Ip Options

    Chapter 29 WAN and Dial Backup Setup 29.3.4 Editing TCP/IP Options Move the cursor to the Edit IP field in menu 11.3, then press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.3.2 - Remote Node Network Layer Options. Figure 286 Menu 11.3.2: Remote Node Network Layer Options Menu 11.3.2 - Remote Node Network Layer Options IP Address Assignment= Static...
  • Page 490: Editing Login Script

    Chapter 29 WAN and Dial Backup Setup Table 199 Menu 11.3.2: Remote Node Network Layer Options FIELD DESCRIPTION NAT Lookup If you select SUA Only in the Network Address Translation field, it displays 255 and indicates the SMT will use the pre-configured Set 255 (read only) in menu 15.1. If you select Full Feature or None in the Network Address Translation field, it displays 1, 2 or 3 and indicates the SMT will use the pre-configured Set 1 in menu 15.1 for the first WAN port, Set 2 in menu 15.1 for the second WAN port and Set 3 for the...
  • Page 491: Figure 287 Menu 11.3.3: Remote Node Script

    Chapter 29 WAN and Dial Backup Setup Please note that the ordering of the sets is significant, i.e., starting from set 1, the ZyWALL will wait until the ‘Expect’ string is matched before it proceeds to set 2, and so on for the rest of the script.
  • Page 492: Remote Node Filter

    Chapter 29 WAN and Dial Backup Setup 29.3.6 Remote Node Filter Move the cursor to the field Edit Filter Sets in menu 11.3, and then press [SPACE BAR] to set the value to Yes. Press [ENTER] to open Menu 11.3.4 - Remote Node Filter. Use menu 11.3.4 to specify the filter set(s) to apply to the incoming and outgoing traffic between this remote node and the ZyWALL to prevent certain packets from triggering calls.
  • Page 493: Remote Node Profile (3G Wan)

    Chapter 29 WAN and Dial Backup Setup Figure 289 3G Modem Setup in WAN Setup Menu 2 - WAN Setup WAN 1 MAC Address: Assigned By= Factory default IP Address= N/A Dial-Backup: Active= No Port Speed= 115200 AT Command String: Init= at&fs0=0 Edit Advanced Setup= No 3G Modem Setup:...
  • Page 494: Figure 290 Menu 11.2: Remote Node Profile (3G Wan)

    Chapter 29 WAN and Dial Backup Setup Figure 290 Menu 11.2: Remote Node Profile (3G WAN) Menu 11.2 - Remote Node Profile (3G WAN) Rem Node Name= WAN 2 Active= Yes Edit IP= No Outgoing: Edit Script Options= No My Login= test My Password= ******** Retype to Confirm= ******** Authen= CHAP/PAP...
  • Page 495 Chapter 29 WAN and Dial Backup Setup Table 202 Menu 11.2: Remote Node Profile (3G WAN) (continued) FIELD DESCRIPTION Always On Press [SPACE BAR] to select Yes to set this connection to be on all the time, regardless of whether or not there is any traffic. Select No to have this connection act as a dial-up connection.
  • Page 497: Lan Setup

    CHAPTER 30 LAN Setup This chapter describes how to configure the LAN using Menu 3 - LAN Setup. 30.1 Introduction to LAN Setup This chapter describes how to configure the ZyWALL for LAN and wireless LAN connections.
  • Page 498: Tcp/Ip And Dhcp Ethernet Setup Menu

    Chapter 30 LAN Setup Figure 292 Menu 3.1: LAN Port Filter Setup Menu 3.1 - LAN Port Filter Setup Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel: 30.4 TCP/IP and DHCP Ethernet Setup Menu From the main menu, enter 3 to open Menu 3 - LAN Setup to configure TCP/IP and DHCP Ethernet setup.
  • Page 499: Figure 294 Menu 3.2: Tcp/Ip And Dhcp Ethernet Setup

    Chapter 30 LAN Setup Figure 294 Menu 3.2: TCP/IP and DHCP Ethernet Setup Menu 3.2 - TCP/IP and DHCP Ethernet Setup DHCP= Server TCP/IP Setup: Client IP Pool: Starting Address= 192.168.1.33 IP Address= 192.168.1.1 Size of Client IP Pool= 128 IP Subnet Mask= 255.255.255.0 RIP Direction= Both Version= RIP-1...
  • Page 500: Table 204 Menu 3.2: Lan Tcp/Ip Setup Fields

    Chapter 30 LAN Setup Table 203 Menu 3.2: DHCP Ethernet Setup Fields FIELD DESCRIPTION First DNS Server The ZyWALL passes a DNS (Domain Name System) server IP address (in the order you specify here) to the DHCP clients. Second DNS Server Select From ISP if your ISP dynamically assigns DNS server information (and the ZyWALL's WAN IP address).
  • Page 501: Ip Alias Setup

    Chapter 30 LAN Setup 30.4.1 IP Alias Setup IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The ZyWALL supports three logical LAN interfaces via its single physical Ethernet interface with the ZyWALL itself as the gateway for each LAN network. Use menu 3.2 to configure the first network.
  • Page 503: Internet Access

    CHAPTER 31 Internet Access This chapter shows you how to configure your ZyWALL for Internet access. 31.1 Introduction to Internet Access Setup Use information from your ISP along with the instructions in this chapter to set up your ZyWALL to access the Internet.
  • Page 504: Figure 296 Menu 4: Internet Access Setup (Ethernet)

    Chapter 31 Internet Access Figure 296 Menu 4: Internet Access Setup (Ethernet) Menu 4 - Internet Access Setup ISP's Name= WAN_1 Encapsulation= Ethernet Service Type= Standard My Login= N/A My Password= N/A Retype to Confirm= N/A Login Server= N/A Relogin Every (min)= IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A...
  • Page 505: Configuring The Pptp Client

    Chapter 31 Internet Access Table 206 Menu 4: Internet Access Setup (Ethernet) (continued) FIELD DESCRIPTION Gateway IP Enter the gateway IP address associated with your static IP. Address Network Network Address Translation (NAT) allows the translation of an Internet protocol Address address used within one network (for example a private IP address used in a local Translation...
  • Page 506: Configuring The Pppoe Client

    Chapter 31 Internet Access Figure 297 Internet Access Setup (PPTP) Menu 4 - Internet Access Setup ISP's Name= WAN_1 Encapsulation= PPTP Service Type= N/A My Login= My Password= ******** Retype to Confirm= ******** Idle Timeout= 100 IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Address= N/A...
  • Page 507: Basic Setup Complete

    Chapter 31 Internet Access Figure 298 Internet Access Setup (PPPoE) Menu 4 - Internet Access Setup ISP's Name= WAN_1 Encapsulation= PPPoE Service Type= N/A My Login= My Password= ******** Retype to Confirm= ******** Idle Timeout= 100 IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Address= N/A...
  • Page 509: Dmz Setup

    CHAPTER 32 DMZ Setup This chapter describes how to configure the ZyWALL’s DMZ using Menu 5 - DMZ Setup. 32.1 Configuring DMZ Setup From the main menu, enter 5 to open Menu 5 – DMZ Setup. Figure 299 Menu 5: DMZ Setup Menu 5 - DMZ Setup...
  • Page 510: Tcp/Ip Setup

    Chapter 32 DMZ Setup 32.3 TCP/IP Setup For more detailed information about RIP setup, IP Multicast and IP alias, please refer to Chapter 6 on page 113. 32.3.1 IP Address From the main menu, enter 5 to open Menu 5 - DMZ Setup to configure TCP/IP. Figure 301 Menu 5: DMZ Setup Menu 5 - DMZ Setup 1.
  • Page 511: Ip Alias Setup

    Chapter 32 DMZ Setup DMZ, WLAN and LAN IP addresses must be on separate subnets. You must also configure NAT for the DMZ port (see Chapter 37 on page 533) in menus 15.1 and 15.2. 32.3.2 IP Alias Setup Use menu 5.2 to configure the first network. Move the cursor to the Edit IP Alias field, press [SPACE BAR] to choose Yes and press [ENTER] to open Menu 5.2.1 - IP Alias Setup, as shown next.
  • Page 513: Route Setup

    CHAPTER 33 Route Setup This chapter describes how to configure the ZyWALL's traffic redirect. 33.1 Configuring Route Setup From the main menu, enter 6 to open Menu 6 - Route Setup. Figure 304 Menu 6: Route Setup Menu 6 - Route Setup 1.
  • Page 514: Traffic Redirect

    Chapter 33 Route Setup The following table describes the fields in this menu. Table 209 Menu 6.1: Route Assessment FIELD DESCRIPTION Probing WAN 1/2 Press [SPACE BAR] and then press [ENTER] to choose Yes to test your Check Point ZyWALL's WAN accessibility. If you do not select No in the Use Default Gateway as Check Point field and enter a domain name or IP address of a reliable nearby computer (for example, your ISP's DNS server address) in the Check Point field, the ZyWALL will use...
  • Page 515: Route Failover

    Chapter 33 Route Setup 33.4 Route Failover This menu allows you to configure how the ZyWALL uses the route assessment ping check function. Figure 307 Menu 6.3: Route Failover Menu 6.3 - Route Failover Period= 5 Timeout=: 3 Fail Tolerance= 3 Press ENTER to Confirm or ESC to Cancel: The following table describes the fields in this menu.
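    Menu 6.3 gives the three knobs of the route assessment check (Period, Timeout, Fail Tolerance) without spelling out how they combine. As an added example, not ZyXEL code, the block below models the counter they describe: a probe is sent every Period seconds, a reply later than Timeout counts as a miss, and Fail Tolerance consecutive misses mark the route down. The probe outcomes are constructed; the rule that one good reply marks the route up again, and the sequential-probe timing behind the detection-time figure, are assumptions, because the guide does not state either. The check point choice from menu 6.1 matters here: probing the default gateway only detects failures up to the gateway, which is why the guide suggests a reliable host beyond it such as the ISP's DNS server.

```python
"""Route assessment / failover counter as menu 6.3 configures it.

Added example, not ZyXEL code.  Period, Timeout and Fail Tolerance are the
menu 6.3 fields (the screen shows 5, 3 and 3); the probe outcomes are
constructed, and the one-good-probe recovery rule is an assumption.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class RouteFailover:
    period: int = 5            # seconds between probes of the check point
    timeout: int = 3           # seconds a probe waits for its reply
    fail_tolerance: int = 3    # consecutive misses before the route is marked down
    consecutive_failures: int = 0
    route_up: bool = True
    events: List[Tuple[float, str]] = field(default_factory=list)

    def observe(self, t: float, reply_delay: Optional[float]) -> bool:
        """Feed one probe result: reply latency in seconds, or None if nothing came back.

        A reply that arrives after `timeout` is treated exactly like no reply.
        Returns whether the route is considered up after this probe.
        """
        success = reply_delay is not None and reply_delay <= self.timeout
        if success:
            if not self.route_up:
                self.route_up = True           # assumption: one good probe restores the route
                self.events.append((t, "up"))
            self.consecutive_failures = 0      # a single good reply resets the counter
        else:
            self.consecutive_failures += 1
            if self.route_up and self.consecutive_failures >= self.fail_tolerance:
                self.route_up = False
                self.events.append((t, "down"))
        return self.route_up

    def worst_case_detection_seconds(self) -> int:
        """Seconds from the first lost reply until the route is marked down.

        Assumes probes are sent one per period: the last required miss is sent
        (fail_tolerance - 1) periods after the first and itself waits `timeout`.
        """
        return (self.fail_tolerance - 1) * self.period + self.timeout


def simulate(cfg: RouteFailover, replies: List[Optional[float]]) -> List[Tuple[float, str]]:
    """Run one probe per period over a constructed reply history; return the up/down events."""
    for i, reply in enumerate(replies):
        cfg.observe(i * cfg.period, reply)
    return cfg.events


# Constructed history: two good replies, two lost, one late (4 s against a 3 s
# timeout), then healthy again.  The late reply is the third miss in a row.
SAMPLE_REPLIES = [0.02, 0.03, None, None, 4.0, 0.02, 0.02]

if __name__ == "__main__":
    cfg = RouteFailover(period=5, timeout=3, fail_tolerance=3)
    print(cfg.worst_case_detection_seconds())      # 13
    print(simulate(cfg, SAMPLE_REPLIES))           # [(20, 'down'), (25, 'up')]
```

    With the screen's values a dead primary link is noticed roughly 13 seconds after the first lost probe; two isolated misses never trigger a switch, which is the purpose of the tolerance count.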
  • Page 517: Wireless Setup

    CHAPTER 34 Wireless Setup Use menu 7 to configure the IP address for the ZyWALL’s WLAN interface and other TCP/IP and DHCP settings. 34.1 TCP/IP Setup For more detailed information about RIP setup, IP Multicast and IP alias, please refer to Chapter 6 on page 113.
  • Page 518: Ip Alias Setup

    Chapter 34 Wireless Setup Figure 309 Menu 7.2: TCP/IP and DHCP Ethernet Setup Menu 7.2 - TCP/IP and DHCP Ethernet Setup DHCP= None TCP/IP Setup: Client IP Pool: Starting Address= N/A IP Address= 0.0.0.0 Size of Client IP Pool= N/A IP Subnet Mask= 0.0.0.0 RIP Direction= None Version= N/A...
  • Page 519: Figure 310 Menu 7.2.1: Ip Alias Setup

    Chapter 34 Wireless Setup Figure 310 Menu 7.2.1: IP Alias Setup Menu 7.2.1 - IP Alias Setup IP Alias 1= No IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A Version= N/A IP Alias 2= No IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A Version= N/A...
  • Page 521: Remote Node Setup

    CHAPTER 35 Remote Node Setup This chapter shows you how to configure a remote node. 35.1 Introduction to Remote Node Setup A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection.
  • Page 522: Ethernet Encapsulation

    Chapter 35 Remote Node Setup 35.3.1 Ethernet Encapsulation There are three variations of menu 11.1 depending on whether you choose Ethernet Encapsulation, PPPoE Encapsulation or PPTP Encapsulation. You must choose the Ethernet option when the WAN port is used as a regular Ethernet. The first menu 11.1 screen you see is for Ethernet encapsulation shown next.
  • Page 523: Pppoe Encapsulation

    Chapter 35 Remote Node Setup Table 212 Menu 11.1: Remote Node Profile for Ethernet Encapsulation (continued) FIELD DESCRIPTION Server This field is valid only when RoadRunner is selected in the Service Type field. The ZyWALL will find the RoadRunner Server IP automatically if this field is left blank. If it does not, then you must enter the authentication server IP address here.
  • Page 524: Pptp Encapsulation

    Chapter 35 Remote Node Setup 35.3.2.1 Outgoing Authentication Protocol Generally speaking, you should employ the strongest authentication protocol possible, for obvious reasons. However, some vendors’ implementations include a specific authentication protocol in the user profile and will disconnect if the negotiated protocol is different from the one in the user profile, even when the negotiated protocol is stronger than the one specified.
  • Page 525: Edit Ip

    Chapter 35 Remote Node Setup Figure 314 Menu 11.1: Remote Node Profile for PPTP Encapsulation Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Active= Yes Encapsulation= PPTP Edit IP= No Service Type= Standard Telco Option: Allocated Budget(min)= 0 Outgoing: Period(hr)= 0 My Login=...
  • Page 526: Figure 315 Menu 11.1.2: Remote Node Network Layer Options For Ethernet Encapsulation

    Chapter 35 Remote Node Setup Figure 315 Menu 11.1.2: Remote Node Network Layer Options for Ethernet Encapsulation Menu 11.1.2 - Remote Node Network Layer Options IP Address Assignment= Dynamic Rem IP Addr= N/A Rem Subnet Mask= N/A My WAN Addr= N/A Network Address Translation= SUA Only NAT Lookup Set= 255 Metric= 1...
  • Page 527: Remote Node Filter

    Chapter 35 Remote Node Setup Table 215 Remote Node Network Layer Options Menu Fields (continued) FIELD DESCRIPTION NAT Lookup If you select SUA Only in the Network Address Translation field, it displays 255 and indicates the SMT will use the pre-configured Set 255 (read only) in menu 15.1. If you select Full Feature or None in the Network Address Translation field, it displays 1, 2 or 3 and indicates the SMT will use the pre-configured Set 1 in menu 15.1 for the first WAN port, Set 2 in menu 15.1 for the second WAN port and Set 3 for...
  • Page 528: Figure 316 Menu 11.1.4: Remote Node Filter (Ethernet Encapsulation)

    Chapter 35 Remote Node Setup Figure 316 Menu 11.1.4: Remote Node Filter (Ethernet Encapsulation) Menu 11.1.4 - Remote Node Filter Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Enter here to CONFIRM or ESC to CANCEL: Figure 317 Menu 11.1.4: Remote Node Filter (PPPoE or PPTP Encapsulation) Menu 11.1.4 - Remote Node Filter Input Filter Sets:...
  • Page 529: Ip Static Route Setup

    CHAPTER 36 IP Static Route Setup This chapter shows you how to configure static routes with your ZyWALL. 36.1 IP Static Route Setup Enter 12 from the main menu. Select one of the IP static routes as shown next to configure IP static routes in menu 12.1.
  • Page 530: Figure 318 Menu 12: Ip Static Route Setup

    Chapter 36 IP Static Route Setup Figure 318 Menu 12: IP Static Route Setup Menu 12 - IP Static Route Setup 1.Reserved 16.________ 2.Reserved 17.________ 3.________ 18.________ 4.________ 19.________ 5.________ 20.________ 6.________ 21.________ 7.________ 22.________ 8.________ 23.________ 9.________ 24.________ 10.________ 25.________ 11.________ 26.________...
  • Page 531 Chapter 36 IP Static Route Setup Table 216 Menu 12. 1: Edit IP Static Route FIELD DESCRIPTION IP Subnet Mask Enter the IP subnet mask for this destination. Gateway IP Enter the IP address of the gateway. The gateway is an immediate neighbor of your Address ZyWALL that will forward the packet to the destination.
  • Page 533: Network Address Translation (Nat)

    CHAPTER 37 Network Address Translation (NAT) This chapter discusses how to configure NAT on the ZyWALL. 37.1 Using NAT You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the ZyWALL. 37.1.1 SUA (Single User Account) Versus NAT SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server.
  • Page 534: Figure 320 Menu 4: Applying Nat For Internet Access

    Chapter 37 Network Address Translation (NAT) Figure 320 Menu 4: Applying NAT for Internet Access Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= Ethernet Service Type= Standard My Login= N/A My Password= N/A Retype to Confirm= N/A Login Server= N/A Relogin Every (min)= IP Address Assignment= Dynamic IP Address= N/A...
  • Page 535: Nat Setup

    Chapter 37 Network Address Translation (NAT) The following table describes the fields in this menu. Table 217 Applying NAT in Menus 4 & 11.1.2 FIELD DESCRIPTION OPTIONS Network When you select this option the SMT will use Address Mapping Set 1 Full Address (menu 15.1 - see...
  • Page 536: Address Mapping Sets

    Chapter 37 Network Address Translation (NAT) Configure DMZ, WLAN and LAN IP addresses in NAT menus 15.1 and 15.2. DMZ, WLAN and LAN IP addresses must be on separate subnets. 37.2.1 Address Mapping Sets Enter 1 to bring up Menu 15.1 - Address Mapping Sets. Figure 323 Menu 15.1: Address Mapping Sets Menu 15.1 - Address Mapping Sets 1.
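    The rule that DMZ, WLAN and LAN addresses must sit on separate subnets appears here and in the DMZ chapter, and the same care applies to the IP alias networks of menus 3.2.1, 5.2.1 and 7.2.1 and to the DHCP pool of menu 3.2 (Starting Address plus Size of Client IP Pool). Overlapping subnets break the interface-based firewall rules and NAT sets the chapter goes on to configure, because the device can no longer tell from an address which zone a host is in. The following is an added example, not ZyXEL code, that checks a planned layout before it is typed into the menus. The LAN address and pool (192.168.1.1/24, 192.168.1.33 with size 128) are the values shown on the menu 3.2 screen; the other addresses are constructed.

```python
"""Check that LAN, DMZ, WLAN and IP alias networks are separate and that a DHCP
pool fits its subnet, as menus 3.2, 5 and 15 require.

Added example, not ZyXEL code.  192.168.1.1/24 with pool 192.168.1.33 size 128
is the menu 3.2 screen's own configuration; the other addresses are constructed.
"""
import ipaddress
from itertools import combinations
from typing import Dict, List, Tuple


def network_of(ip: str, mask: str) -> ipaddress.IPv4Network:
    """Subnet that an interface address / mask pair belongs to."""
    return ipaddress.IPv4Interface(f"{ip}/{mask}").network


def overlapping_subnets(interfaces: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Every pair of interfaces whose subnets overlap; an acceptable layout returns []."""
    nets = {name: network_of(ip, mask) for name, (ip, mask) in interfaces.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def dhcp_pool_fits(ip: str, mask: str, pool_start: str, pool_size: int) -> bool:
    """Menu 3.2: the client pool must stay inside the subnet, avoid the network and
    broadcast addresses, and must not hand out the ZyWALL's own address."""
    if pool_size < 1:
        return False
    net = network_of(ip, mask)
    own = ipaddress.IPv4Address(ip)
    first = ipaddress.IPv4Address(pool_start)
    last = first + (pool_size - 1)
    if first not in net or last not in net:
        return False
    if first == net.network_address or last == net.broadcast_address:
        return False
    return not (first <= own <= last)


# Constructed mistake: a DMZ carved out of the upper half of the LAN's /24.
BAD_LAYOUT = {
    "LAN": ("192.168.1.1", "255.255.255.0"),
    "DMZ": ("192.168.1.129", "255.255.255.128"),
    "WLAN": ("192.168.2.1", "255.255.255.0"),
}

# Constructed layout that satisfies the separate-subnet requirement, including
# one LAN IP alias network.
GOOD_LAYOUT = {
    "LAN": ("192.168.1.1", "255.255.255.0"),
    "LAN alias 1": ("192.168.10.1", "255.255.255.0"),
    "DMZ": ("10.10.0.1", "255.255.255.0"),
    "WLAN": ("192.168.2.1", "255.255.255.0"),
}

if __name__ == "__main__":
    print(overlapping_subnets(BAD_LAYOUT))                                   # [('LAN', 'DMZ')]
    print(overlapping_subnets(GOOD_LAYOUT))                                  # []
    print(dhcp_pool_fits("192.168.1.1", "255.255.255.0", "192.168.1.33", 128))   # True
    print(dhcp_pool_fits("192.168.1.1", "255.255.255.0", "192.168.1.200", 128))  # False
```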
  • Page 537: Table 218 Sua Address Mapping Rules

    Chapter 37 Network Address Translation (NAT) Menu 15.1.255 is read-only. Table 218 SUA Address Mapping Rules FIELD DESCRIPTION Set Name This is the name of the set you selected in menu 15.1 or enter the name of a new set you want to create.
  • Page 538: Figure 325 Menu 15.1.1: First Set

    Chapter 37 Network Address Translation (NAT) Figure 325 Menu 15.1.1: First Set Menu 15.1.1 - Address Mapping Rules Set Name= NAT_SET Local Start IP Local End IP Global Start IP Global End IP Type --------------- --------------- --------------- --------------- 0.0.0.0 255.255.255.255 0.0.0.0 0.0.0.0 Server...
  • Page 539: Figure 326 Menu 15.1.1.1: Editing/Configuring An Individual Rule In A Set

    Table 219 Fields in Menu 15.1.1 (continued)
    FIELD | DESCRIPTION
    Action | The default is Edit. Edit means you want to edit a selected rule (see following field). Insert Before means to insert a rule before the rule selected. The rules after the selected rule will then be moved down by one rule.
  • Page 540: Configuring A Server Behind Nat

    The following table describes the fields in this menu.
    Table 220 Menu 15.1.1.1: Editing/Configuring an Individual Rule in a Set
    FIELD | DESCRIPTION
    Type | Press [SPACE BAR] and then [ENTER] to select from a total of five types. These are the mapping types discussed in Chapter 17 on page 329.
  • Page 541: Figure 328 Menu 15.2.X: Nat Server Sets

    3 Enter 1 or 2 to go to Menu 15.2.x - NAT Server Setup and configure the port forwarding (NAT server) rules for the WAN 1 or WAN 2 interface on a ZyWALL with multiple WAN interfaces.
  • Page 542: Figure 330 Menu 15.2.1: Nat Server Setup

    The following table describes the fields in this screen.
    Table 221 15.2.x.x: NAT Server Configuration
    On a ZyWALL with two WAN ports, you can configure port forwarding and trigger port rules for the first WAN port and separate sets of rules for the second WAN port. This is the WAN port (server set) you select in menu 15.2.
  • Page 543: General Nat Examples

    Figure 331 Server Behind NAT Example
    37.4 General NAT Examples
    The following are some examples of NAT configuration.
    37.4.1 Internet Access Only
    In the following Internet access example, you only need one rule where all your ILAs (Inside Local Addresses) map to one dynamic IGA (Inside Global Address) assigned by your ISP.
  • Page 544: Example 2: Internet Access With A Default Server

    Figure 333 Menu 4: Internet Access & NAT Example
      Menu 4 - Internet Access Setup
        ISP's Name= ChangeMe
        Encapsulation= Ethernet
        Service Type= Standard
        My Login= N/A
        My Password= N/A
        Retype to Confirm= N/A
        Login Server= N/A
        Relogin Every (min)=
        IP Address Assignment= Dynamic
        IP Address= N/A...
  • Page 545: Example 3: Multiple Public Ip Addresses With Inside Servers

    Figure 335 Menu 15.2.1: Specifying an Inside Server
      Menu 15.2.1 - NAT Server Setup
        Default Server: 192.168.1.10
        Rule  Act.  Start Port  End Port  IP Address
        ------------------------------------------------------
        0.0.0.0 192.168.1.33 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
        Select Command= None...
  • Page 546: Figure 336 Nat Example 3

    Figure 336 NAT Example 3
    1 In this case you need to configure Address Mapping Set 1 from Menu 15.1 - Address Mapping Sets. Therefore you must choose the Full Feature option from the Network Address Translation field (in menu 4 or menu 11.3) in Figure 337 on page 546.
  • Page 547: Figure 338 Example 3: Menu 15.1.1.1

    Figure 338 Example 3: Menu 15.1.1.1
      Menu 15.1.1.1 Address Mapping Rule
        Type= One-to-One
        Local IP:  Start= 192.168.1.10   End= N/A
        Global IP: Start= 10.132.50.1    End= N/A
        Server Mapping Set= N/A
        Press ENTER to Confirm or ESC to Cancel:
    Figure 339 Example 3: Final Menu 15.1.1
      Menu 15.1.1 - Address Mapping Rules
        Set Name= Example3...
  • Page 548: Example 4: Nat Unfriendly Application Programs

    Figure 340 Example 3: Menu 15.2.1
      Menu 15.2.1 - NAT Server Setup
        Default Server: 0.0.0.0
        Rule  Act.  Start Port  End Port  IP Address
        ------------------------------------------------------
        192.168.1.21 192.168.1.20 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
        Select Command= None
        Select Rule= N/A
        Press ENTER to Confirm or ESC to Cancel:...
  • Page 549: Figure 342 Example 4: Menu 15.1.1.1: Address Mapping Rule

    Other applications such as some gaming programs are NAT unfriendly because they embed addressing information in the data stream. These applications won't work through NAT even when using One-to-One and Many-One-to-One mapping types. Follow the steps outlined in example 3 above to configure these two menus as follows.
    Figure 342 Example 4: Menu 15.1.1.1: Address Mapping Rule
      Menu 15.1.1.1 Address Mapping Rule
        Type= Many-One-to-One...
  • Page 550: Trigger Port Forwarding

    37.5 Trigger Port Forwarding
    Some services use a dedicated range of ports on the client side and a dedicated range of ports on the server side. With regular port forwarding you set a forwarding port in NAT to forward a service (coming in from the server on the WAN) to the IP address of a computer on the client side (LAN).
  • Page 551: Figure 344 Menu 15.3.1: Trigger Port Setup

    Figure 344 Menu 15.3.1: Trigger Port Setup
      Menu 15.3.1 - Trigger Port Setup
                        Incoming                 Trigger
        Rule  Name      Start Port  End Port     Start Port  End Port
        --------------------------------------------------------------
        Real Audio      6970        7170         7070        7070
        Press ENTER to Confirm or ESC to Cancel:
      HTTP:80 FTP:21 Telnet:23...
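    The following is an added example, not ZyXEL code: a small Python model of how the NAT server set (menu 15.2.x) and trigger port rules (menu 15.3.x) from the screens above decide which inside host receives an unsolicited inbound WAN packet. The order in which the three lookups are tried (static rows, then armed trigger ranges, then the default server) is an assumption of this model; the sample configuration is constructed from the manual's screens.

```python
"""Added example (not ZyXEL firmware code): a model of how the NAT server set
(menu 15.2.x) and trigger-port rules (menu 15.3.x) choose the inside host for
an inbound WAN packet. Lookup order is an assumption made for this model."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ServerRule:
    """One row of menu 15.2.x: a port range forwarded to one inside address.
    An IP address of 0.0.0.0 marks an unused row, as it does in the SMT screen."""
    start_port: int
    end_port: int
    inside_ip: str


@dataclass
class TriggerRule:
    """One row of menu 15.3.x: outbound traffic on the trigger port range opens
    the incoming port range to whichever LAN host sent it."""
    name: str
    incoming: Tuple[int, int]
    trigger: Tuple[int, int]


@dataclass
class NatServerSet:
    default_server: str = "0.0.0.0"            # 0.0.0.0 = no default server
    rules: List[ServerRule] = field(default_factory=list)
    triggers: List[TriggerRule] = field(default_factory=list)
    # trigger name -> LAN host that most recently used that trigger port
    armed: Dict[str, str] = field(default_factory=dict)

    def outbound(self, lan_src_ip: str, dst_port: int) -> None:
        """Called for each outbound LAN->WAN packet: arm any trigger it hits.
        Note that the range is re-bound to the latest host; any LAN host can do this."""
        for t in self.triggers:
            if t.trigger[0] <= dst_port <= t.trigger[1]:
                self.armed[t.name] = lan_src_ip

    def inbound(self, dst_port: int) -> Optional[str]:
        """Inside host for an unsolicited inbound WAN packet, or None (dropped)."""
        # 1. static port forwarding rows, first match wins (assumed order)
        for r in self.rules:
            if r.inside_ip != "0.0.0.0" and r.start_port <= dst_port <= r.end_port:
                return r.inside_ip
        # 2. trigger ranges that a LAN host has armed
        for t in self.triggers:
            host = self.armed.get(t.name)
            if host and t.incoming[0] <= dst_port <= t.incoming[1]:
                return host
        # 3. everything else goes to the default server, if one is set
        return None if self.default_server == "0.0.0.0" else self.default_server


def example_set() -> NatServerSet:
    """Constructed configuration mirroring the manual's screens: a default
    server, one forwarding row and the Real Audio trigger rule."""
    return NatServerSet(
        default_server="192.168.1.10",
        rules=[ServerRule(80, 80, "192.168.1.33"), ServerRule(0, 0, "0.0.0.0")],
        triggers=[TriggerRule("Real Audio", incoming=(6970, 7170), trigger=(7070, 7070))],
    )


if __name__ == "__main__":
    s = example_set()
    print(s.inbound(80))               # 192.168.1.33: static row
    print(s.inbound(7000))             # 192.168.1.10: trigger not armed, default server
    s.outbound("192.168.1.20", 7070)   # LAN host talks to the Real Audio server
    print(s.inbound(7000))             # 192.168.1.20: incoming range now armed for it
```

    Two points the model makes visible: with a default server configured, every port that no rule or armed trigger claims is exposed to that host, and a trigger range follows the most recent LAN host that used the trigger port rather than being tied to one machine.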
  • Page 553: Introducing The Zywall Firewall

    Chapter 38 Introducing the ZyWALL Firewall
    This chapter shows you how to get started with the ZyWALL firewall.
    38.1 Using ZyWALL SMT Menus
    From the main menu enter 21 to go to Menu 21 - Filter Set and Firewall Configuration to display the screen shown next.
  • Page 554: Figure 346 Menu 21.2: Firewall Setup

    Chapter 38 Introducing the ZyWALL Firewall
    Figure 346 Menu 21.2: Firewall Setup
      Menu 21.2 - Firewall Setup
        The firewall protects against Denial of Service (DoS) attacks when it is active. Your network is vulnerable to attacks when the firewall is turned off.
  • Page 555: Filter Configuration

    Chapter 39 Filter Configuration
    This chapter shows you how to create and apply filters.
    39.1 Introduction to Filters
    Your ZyWALL uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering. Filters are subdivided into device and protocol filters, which are discussed later.
  • Page 556: The Filter Structure Of The Zywall

    Chapter 39 Filter Configuration 39.1.1 The Filter Structure of the ZyWALL A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descriptive name. The ZyWALL allows you to configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system.
  • Page 557: Figure 348 Filter Rule Process

    Figure 348 Filter Rule Process
    You can apply up to four filter sets to a particular port to block multiple types of packets. With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.
  • Page 558: Configuring A Filter Set

    39.2 Configuring a Filter Set
    The ZyWALL includes filtering for NetBIOS over TCP/IP packets by default. To configure another filter set, follow the procedure below.
    1 Enter 21 in the main menu to open menu 21.
    Figure 349 Menu 21: Filter and Firewall Setup
      Menu 21 - Filter and Firewall Setup
        1.
  • Page 559: Configuring A Filter Rule

    Table 223 Abbreviations Used in the Filter Rules Summary Menu
    FIELD | DESCRIPTION
    Active | "Y" means the rule is active. "N" means the rule is inactive.
    Type | The type of filter rule: "GEN" for Generic, "IP" for TCP/IP.
    Filter Rules | These parameters are displayed here.
  • Page 560: Configuring A Tcp/Ip Filter Rule

    39.2.2 Configuring a TCP/IP Filter Rule
    This section shows you how to configure a TCP/IP filter rule. TCP/IP rules allow you to base the rule on the fields in the IP and the upper layer protocol, for example, UDP and TCP headers.
  • Page 561

    Table 225 Menu 21.1.1.1: TCP/IP Filter Rule
    FIELD | DESCRIPTION
    Port # Comp | Press [SPACE BAR] and then [ENTER] to select the comparison to apply to the destination port in the packet against the value given in Destination: Port #. Options are None, Equal, Not Equal, Less and Greater.
  • Page 562: Configuring A Generic Filter Rule

    Figure 352 Executing an IP Filter
    39.2.3 Configuring a Generic Filter Rule
    This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly.
  • Page 563: Figure 353 Menu 21.1.1.1: Generic Filter Rule

    For generic rules, the ZyWALL treats a packet as a byte stream as opposed to an IP or IPX packet. You specify the portion of the packet to check with the Offset (from 0) and the Length fields, both in bytes.
  • Page 564: Example Filter

    Table 226 Generic Filter Rule Menu Fields
    FIELD | DESCRIPTION
    Log | Select the logging option from the following: None - No packets will be logged. Action Matched - Only packets that match the rule parameters will be logged. Action Not Matched - Only packets that do not match the rule parameters will be logged.
  • Page 565: Figure 355 Example Filter: Menu 21.1.3.1

    Figure 355 Example Filter: Menu 21.1.3.1
      Menu 21.1.3.1 - TCP/IP Filter Rule
        Filter #: 3,1
        Filter Type= TCP/IP Filter Rule
        Active= Yes
        IP Protocol= 6     IP Source Route= No
        Destination: IP Addr= 0.0.0.0
                     IP Mask= 0.0.0.0
                     Port #= 23
                     Port # Comp= Equal
        Source:      IP Addr= 0.0.0.0...
  • Page 566: Filter Types And Nat

    After you've created the filter set, you must apply it.
    1 Enter 11 from the main menu to go to menu 11.
    2 Enter 1 or 2 to open Menu 11.x - Remote Node Profile.
    3 Go to the Edit Filter Sets field, press [SPACE BAR] to select Yes and press [ENTER].
    4 This brings you to menu 11.1.4.
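    The following is an added example, not ZyXEL firmware code: a Python evaluator for filter sets as this chapter describes them, covering both the TCP/IP rule form (IP Protocol, address/mask, Port # and Port # Comp, as in the example filter 3,1 above) and the generic rule form (Offset, Length, Mask, Value on the raw byte stream), plus the cascading of up to four sets on one port. The rule actions are the SMT menu's Check Next Rule / Forward / Drop; treating Forward and Drop as final verdicts, and letting a set whose rules all say Check Next pass the packet to the next cascaded set, is this model's reading of the Figure 348 flow and should be taken as an assumption. The packets and rules are constructed for the example.

```python
"""Added example, not ZyXEL firmware code: an evaluator for the filter sets this
chapter describes. Every rule carries Action Matched / Action Not Matched, each
one of Check Next Rule, Forward or Drop. Assumption for this model: Forward and
Drop are final verdicts, and a set whose rules all say Check Next hands the
packet to the next cascaded set (up to four per port). TCP/IP rules test IP
header fields; generic rules test (packet[offset:offset+length] & mask) == value
on the raw byte stream, which is how the Offset/Length/Mask/Value fields read."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple, Union

CHECK_NEXT, FORWARD, DROP = "Check Next Rule", "Forward", "Drop"


def build_ipv4(src: str, dst: str, protocol: int, sport: int = 0, dport: int = 0) -> bytes:
    """Constructed test packet: 20-byte IPv4 header + 8 bytes holding the L4 ports."""
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, protocol, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + l4


def parse_ipv4(raw: bytes) -> Tuple[int, str, str, int, int]:
    """Return (protocol, src, dst, sport, dport); ports are 0 unless TCP/UDP."""
    ihl = (raw[0] & 0x0F) * 4
    proto = raw[9]
    src, dst = str(ipaddress.IPv4Address(raw[12:16])), str(ipaddress.IPv4Address(raw[16:20]))
    sport = dport = 0
    if proto in (6, 17) and len(raw) >= ihl + 4:
        sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return proto, src, dst, sport, dport


def _addr_match(pkt_ip: str, rule_ip: str, rule_mask: str) -> bool:
    """IP Mask 0.0.0.0 means the address is not checked, as in the menu."""
    m = int(ipaddress.IPv4Address(rule_mask))
    return int(ipaddress.IPv4Address(pkt_ip)) & m == int(ipaddress.IPv4Address(rule_ip)) & m


def _port_match(comp: str, pkt_port: int, rule_port: int) -> bool:
    """The Port # Comp options: None, Equal, Not Equal, Less, Greater."""
    return {"None": True, "Equal": pkt_port == rule_port, "Not Equal": pkt_port != rule_port,
            "Less": pkt_port < rule_port, "Greater": pkt_port > rule_port}[comp]


@dataclass
class IPRule:
    """TCP/IP filter rule (menu 21.1.x.x), the fields this model uses."""
    protocol: int = 0                  # IP Protocol number; 0 = any (assumption)
    dst_ip: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    dst_port: int = 0
    dst_port_comp: str = "None"
    src_ip: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"
    src_port: int = 0
    src_port_comp: str = "None"
    action_matched: str = CHECK_NEXT
    action_not_matched: str = CHECK_NEXT

    def matches(self, raw: bytes) -> bool:
        proto, src, dst, sport, dport = parse_ipv4(raw)
        return ((self.protocol == 0 or proto == self.protocol)
                and _addr_match(dst, self.dst_ip, self.dst_mask)
                and _addr_match(src, self.src_ip, self.src_mask)
                and _port_match(self.dst_port_comp, dport, self.dst_port)
                and _port_match(self.src_port_comp, sport, self.src_port))


@dataclass
class GenericRule:
    """Generic filter rule: Offset (from 0), Length, Mask and Value, all in bytes."""
    offset: int
    length: int
    mask: bytes
    value: bytes
    action_matched: str = CHECK_NEXT
    action_not_matched: str = CHECK_NEXT

    def matches(self, raw: bytes) -> bool:
        window = raw[self.offset:self.offset + self.length]
        if len(window) < self.length:
            return False               # packet too short to cover the window: no match
        return all((b & m) == v for b, m, v in zip(window, self.mask, self.value))


Rule = Union[IPRule, GenericRule]


def run_set(rules: Sequence[Rule], raw: bytes) -> Optional[str]:
    """Walk one set in order; Forward/Drop ends it, None means no rule decided."""
    for rule in rules:
        action = rule.action_matched if rule.matches(raw) else rule.action_not_matched
        if action != CHECK_NEXT:
            return action
    return None


def filter_packet(sets: Sequence[Sequence[Rule]], raw: bytes) -> str:
    """Cascade the sets applied to one port (at most four); undecided packets pass."""
    for rules in sets[:4]:
        verdict = run_set(rules, raw)
        if verdict is not None:
            return verdict
    return FORWARD


# Constructed rules. BLOCK_TELNET is the chapter's example filter 3,1 (IP
# Protocol 6, destination Port # 23, Port # Comp Equal) with Drop when matched.
# BLOCK_ICMP shows a generic rule: byte 9 of an IPv4 header is the protocol field.
BLOCK_TELNET = [IPRule(protocol=6, dst_port=23, dst_port_comp="Equal", action_matched=DROP)]
BLOCK_ICMP = [GenericRule(offset=9, length=1, mask=b"\xff", value=b"\x01", action_matched=DROP)]
```

    The generic rule is deliberately written against an IPv4 field so the same constructed packets exercise both rule types; on the device, generic rules are the tool for non-IP frames, where Offset counts from the first byte of the frame the port receives. Note that a rule which matches nothing and whose Action Not Matched is Check Next Rule is harmless, whereas one whose Action Not Matched is Forward short-circuits every rule after it.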
  • Page 567: Firewall

    39.5.1.1 When To Use Filtering
    1 To block/allow LAN packets by their MAC addresses.
    2 To block/allow special IP packets which are neither TCP nor UDP, nor ICMP packets.
    3 To block/allow both inbound (WAN to LAN) and outbound (LAN to WAN) traffic between the specific inside host/network "A"...
  • Page 568: Applying Lan Filters

    If you do not activate the firewall, it is advisable to apply filters.
    39.6.1 Applying LAN Filters
    LAN traffic filter sets may be useful to block certain packets, reduce traffic and prevent security breaches. Go to menu 3.1 (shown next) and enter the number(s) of the filter set(s) that you want to apply as appropriate.
  • Page 569: Applying Remote Node Filters

    39.6.3 Applying Remote Node Filters
    Go to menu 11.1.4 (shown below; note that call filter sets are only present for PPPoE encapsulation) and enter the number(s) of the filter set(s) as appropriate. You can cascade up to four filter sets by entering their numbers separated by commas.
  • Page 571: Snmp Configuration

    Chapter 40 SNMP Configuration
    This chapter explains SNMP configuration menu 22.
    40.1 SNMP Configuration
    To configure SNMP, enter 22 from the main menu to display Menu 22 - SNMP Configuration as shown next. The "community" for Get, Set and Trap fields is SNMP terminology for password; an SNMP v1/v2c community string travels in cleartext on the network, so treat it as a shared secret rather than as a label.
  • Page 572: Snmp Traps

    authenticationFailure (defined in RFC-1215) | A trap is sent to the manager when receiving any SNMP get or set requirements with the wrong community (password).
    whyReboot (defined in ZYXEL-MIB) | A trap is sent with the reason of restart before rebooting when the system is going to restart (warm start).
  • Page 573: System Information & Diagnosis

    Chapter 41 System Information & Diagnosis
    This chapter covers SMT menus 24.1 to 24.4.
    41.1 Introduction to System Status
    This chapter covers the diagnostic tools that help you to maintain your ZyWALL. These tools include updates on system status, port status and log and trace capabilities. Select menu 24 in the main menu to open Menu 24 - System Maintenance, as shown below.
  • Page 574: Figure 363 Menu 24.1: System Maintenance: Status

    Chapter 41 System Information & Diagnosis 3 There are three commands in Menu 24.1 - System Maintenance - Status. Entering 1 or 2 drops the WAN1 or WAN2 connection, 9 resets the counters and [ESC] takes you back to the previous screen. Figure 363 Menu 24.1: System Maintenance: Status Menu 24.1 - System Maintenance - Status 03:13:41...
  • Page 575: System Information And Console Port Speed

    Table 229 System Maintenance: Status Menu Fields (continued)
    FIELD | DESCRIPTION
    Ethernet Address | This is the MAC address of the port listed on the left.
    IP Address | This is the IP address of the port listed on the left.
    IP Mask | This is the IP mask of the port listed on the left.
  • Page 576: Console Port Speed

        Name= xxx.baboo.mickey.com
    FIELD | DESCRIPTION
    Routing | Refers to the routing protocol used.
    ZyNOS F/W Version | Refers to the version of ZyXEL's Network Operating System software.
    Country Code | Refers to the country code of the firmware.
    Ethernet Address | Refers to the Ethernet MAC (Media Access Control) address of your ZyWALL.
  • Page 577: Log And Trace

    Figure 366 Menu 24.2.2: System Maintenance: Change Console Port Speed
      Menu 24.2.2 - System Maintenance - Change Console Port Speed
        Console Port Speed: 9600
        Press ENTER to Confirm or ESC to Cancel:
        Press Space Bar to Toggle.
    41.4 Log and Trace
    There are two logging facilities in the ZyWALL.
  • Page 578: Syslog Logging

    Figure 368 Examples of Error and Information Messages
      52 Thu Jul 1 05:54:53 2004 PP05 ERROR Wireless LAN init fail, code=15
      53 Thu Jul 1 05:54:53 2004 PINI INFO Channel 0 ok
      54 Thu Jul 1 05:54:56 2004 PP05 -WARN SNMP TRAP 3: interface 3: link up
      55 Thu Jul...
  • Page 579

    L02 Call Terminated
    C02 Call Terminated
      Jul 19 11:19:27 192.168.102.2 ZyXEL: board 0 line 0 channel 0, call 1, C01 Outgoing Call dev=2 ch=0 40002
      Jul 19 11:19:32 192.168.102.2 ZyXEL: board 0 line 0 channel 0, call 1, C02 OutCall Connected 64000 40002
      Jul 19 11:20:06 192.168.102.2 ZyXEL: board 0 line 0 channel 0, call 1, C02 Call Terminated...
  • Page 580

    IP[…] is the packet header and S04>R01mD means filter set 4 (S) and rule 1 (R), match (m) drop (D).
    Src: Source Address
    Dst: Destination Address
    prot: Protocol ("TCP","UDP","ICMP")
    spo: Source port
    dpo: Destination port
      Mar 03 10:39:43 202.132.155.97 ZyXEL: GEN[fffffffffffnordff0080] }S05>R01mF
      Mar 03 10:41:29 202.132.155.97 ZyXEL: GEN[00a0c5f502fnord010080] }S05>R01mF
      Mar 03 10:41:34 202.132.155.97 ZyXEL: IP[Src=192.168.2.33 Dst=202.132.155.93 ICMP]}S04>R01mF
      Mar 03 11:59:20 202.132.155.97 ZyXEL:...
  • Page 581: Call-Triggering Packet

    5 Firewall log
    Firewall Log Message Format
      SdcmdSyslogSend(SYSLOG_FIREWALL, SYSLOG_NOTICE, buf);
      buf = IP[Src=xx.xx.xx.xx : spo=xxxx Dst=xx.xx.xx.xx : dpo=xxxx | prot | rule | action]
    Src: Source Address
    spo: Source port (empty means no source port information)
    Dst: Destination Address
    dpo: Destination port (empty means no destination port information)
    prot: Protocol ("TCP","UDP","ICMP", "IGMP", "GRE", "ESP")
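    The following is an added example, not ZyXEL code: a Python parser for the two syslog message formats documented above (the filter log with its S..>R..m. suffix and the firewall log with its pipe-separated fields), followed by a first-cut detection that counts dropped or blocked events per source address. The sample lines are constructed to match the documented formats; the values used for the firewall rule and action fields ("rule:01", "block", "forward") are placeholders, since the manual does not enumerate them, and reading the trailing "F" of a filter message as Forward is an assumption (the manual only defines "D").

```python
"""Added example (not ZyXEL code): a parser for the syslog lines this chapter
documents, written from the message formats given above. The sample lines are
constructed; firewall rule/action values are placeholders."""
import re
from collections import Counter
from typing import Dict, List, Optional

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) ZyXEL: (?P<msg>.*)$")
# Filter log: IP[...]}S04>R01mD = set 4, rule 1, matched, Drop. F read as Forward (assumption).
FILTER_RE = re.compile(
    r"^(?P<kind>IP|GEN)\[(?P<body>[^\]]*)\] *\}S(?P<set>\d+)>R(?P<rule>\d+)m(?P<act>[DF])$")
# Firewall log: IP[Src=a : spo=p Dst=b : dpo=q | prot | rule | action]
FIREWALL_RE = re.compile(
    r"^IP\[(?P<addr>[^|]*)\|(?P<prot>[^|]*)\|(?P<rule>[^|]*)\|(?P<act>[^\]]*)\]$")
KV_RE = re.compile(r"(\w+)=(\S*)")          # \S* so that "spo= " yields an empty value

SAMPLE_LINES: List[str] = [  # constructed for this example, in the documented formats
    "Mar 03 10:41:34 202.132.155.97 ZyXEL: IP[Src=192.168.2.33 Dst=202.132.155.93 ICMP]}S04>R01mF",
    "Mar 03 10:41:29 202.132.155.97 ZyXEL: GEN[00a0c5f502fnord010080] }S05>R01mF",
    "Mar 03 10:42:01 202.132.155.97 ZyXEL: IP[Src=10.0.0.5 : spo=04321 Dst=202.132.155.93 : dpo=00023 | TCP | rule:01 | block]",
    "Mar 03 10:42:02 202.132.155.97 ZyXEL: IP[Src=10.0.0.5 : spo=04322 Dst=202.132.155.93 : dpo=00023 | TCP | rule:01 | block]",
    "Mar 03 10:42:05 202.132.155.97 ZyXEL: IP[Src=10.0.0.9 : spo= Dst=202.132.155.93 : dpo= | ICMP | rule:02 | forward]",
    "Mar 03 10:43:00 202.132.155.97 ZyXEL: IP[Src=192.168.2.40 Dst=202.132.155.93 TCP]}S04>R02mD",
]


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return a flat record for a filter or firewall line, None for anything else."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = {"ts": m["ts"], "host": m["host"]}
    f = FILTER_RE.match(m["msg"])
    if f:
        rec.update(facility="filter", kind=f["kind"], set=int(f["set"]), rule=int(f["rule"]),
                   action={"D": "drop", "F": "forward"}[f["act"]])
        if f["kind"] == "IP":
            kv = dict(KV_RE.findall(f["body"]))
            tokens = f["body"].split()
            rec.update(src=kv.get("Src"), dst=kv.get("Dst"), spo=kv.get("spo"), dpo=kv.get("dpo"),
                       prot=tokens[-1] if tokens and "=" not in tokens[-1] else None)
        else:
            rec["bytes"] = f["body"]         # GEN: the logged byte window, left as a string
        return rec
    w = FIREWALL_RE.match(m["msg"])
    if w:
        kv = dict(KV_RE.findall(w["addr"]))
        rec.update(facility="firewall", src=kv.get("Src"), dst=kv.get("Dst"),
                   spo=kv.get("spo") or None, dpo=kv.get("dpo") or None,
                   prot=w["prot"].strip(), rule=w["rule"].strip(), action=w["act"].strip())
        return rec
    return None


def blocked_by_source(lines: List[str]) -> Dict[str, int]:
    """Count dropped/blocked events per source address: a quick first cut at
    spotting a host that keeps hitting a Drop rule or the firewall."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec.get("action") in ("drop", "block") and rec.get("src"):
            counts[str(rec["src"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_line(line))
    print(blocked_by_source(SAMPLE_LINES))
```

    The parser keeps the filter set and rule numbers as integers so that a count per (set, rule) pair can be used to see which rules actually fire; empty spo/dpo fields are normalised to None rather than left as empty strings, which keeps downstream comparisons honest for ICMP and other portless protocols.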
  • Page 582: Diagnostic

    Figure 370 Call-Triggering Packet Example
      IP Frame: ENET0-RECV   Size:   Time: 17:02:44.262
      Frame Type:
      IP Header:
        IP Version
        Header Length    = 20
        Type of Service  = 0x00 (0)
        Total Length     = 0x002C (44)
        Identification   = 0x0002 (2)
        Flags            = 0x00
        Fragment Offset...
  • Page 583: Wan Dhcp

    Figure 371 Menu 24.4: System Maintenance: Diagnostic
      Menu 24.4 - System Maintenance - Diagnostic
        TCP/IP
          1. Ping Host
          2. WAN DHCP Release
          3. WAN DHCP Renewal
          4. PPPoE/PPTP/3G Setup Test
        System
          11. Reboot System
        Enter Menu Selection Number:
        WAN=
        Host IP Address= N/A...
  • Page 584: Table 232 System Maintenance Menu Diagnostic

    Table 232 System Maintenance Menu Diagnostic
    FIELD | DESCRIPTION
    Ping Host | Enter 1 to ping any machine (with an IP address) on your LAN, DMZ, WLAN or WAN. Enter its IP address in the Host IP Address field below.
    WAN DHCP Release | Enter 2 to release your WAN DHCP settings.
  • Page 585: Firmware And Configuration File Maintenance

    The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password, DHCP Setup, TCP/IP Setup, etc. It arrives from ZyXEL with a "rom" filename extension. Once you have customized the ZyWALL's settings, they can be saved back to your computer under a filename of your choosing. Because the saved file holds the device password along with the rest of the configuration, store it with the same care as the device credentials.
  • Page 586: Backup Configuration

    Chapter 42 Firmware and Configuration File Maintenance The following table is a summary. Please note that the internal filename refers to the filename on the ZyWALL and the external filename refers to the filename not on the ZyWALL, that is, on your computer, local network or FTP site and so the name (but not the extension) may vary.
  • Page 587: Using The Ftp Command From The Command Line

      331 Enter PASS command
      Password:
      230 Logged in
      ftp> bin
      200 Type I OK
      ftp> get rom-0 zyxel.rom
      200 Port command okay
      150 Opening data connection for STOR ras
      226 File received OK
      ftp: 16384 bytes sent in 1.10Seconds 297.89Kbytes/sec.
  • Page 588: Gui-Based Ftp Clients

    42.3.4 GUI-based FTP Clients
    The following table describes some of the commands that you may see in GUI-based FTP clients.
    Table 234 General Commands for GUI-based FTP Clients
    COMMAND | DESCRIPTION
    Host Address | Enter the address of the host server.
    Login Type | Anonymous.
  • Page 589: Tftp Command Example

    4 Launch the TFTP client on your computer and connect to the ZyWALL. Set the transfer mode to binary before starting data transfer.
    5 Use the TFTP client (see the example below) to transfer files between the ZyWALL and the computer.
  • Page 590: Restore Configuration

    Figure 375 System Maintenance: Backup Configuration
      Ready to backup Configuration via Xmodem.
      Do you want to continue (y/n):
    2 The following screen indicates that the Xmodem download has started.
    Figure 376 System Maintenance: Starting Xmodem Download Screen
      You can enter ctrl-x to terminate operation any time.
  • Page 591: Restore Using Ftp

    FTP is the preferred method for restoring your current computer configuration to your ZyWALL since FTP is faster. Please note that you must wait for the system to automatically restart after the file transfer is complete.
    WARNING! Do not interrupt the file transfer process as this may PERMANENTLY DAMAGE YOUR ZyWALL.
  • Page 592: Restore Using Ftp Session Example

    8 Enter "quit" to exit the ftp prompt. The ZyWALL will automatically restart after a successful restore process.
    42.4.2 Restore Using FTP Session Example
    Figure 380 Restore Using FTP Session Example
      ftp> put config.rom rom-0
      200 Port command okay
      150 Opening data connection for STOR rom-0
      226 File received OK...
  • Page 593: Uploading Firmware And Configuration Files

    Figure 383 Restore Configuration Example
    Type the configuration file's location, or click Browse to search for it. Choose the Xmodem protocol. Then click Send.
    4 After a successful restoration you will see the following screen. Press any key to restart the ZyWALL and return to the SMT menu.
  • Page 594: Configuration File Upload

    Figure 385 Telnet Into Menu 24.7.1: Upload System Firmware
      Menu 24.7.1 - System Maintenance - Upload System Firmware
        To upload the system firmware, follow the procedure below:
        1. Launch the FTP client on your workstation.
        2.
  • Page 595: Ftp File Upload Command From The Dos Prompt Example

    42.5.3 FTP File Upload Command from the DOS Prompt Example
    1 Launch the FTP client on your computer.
    2 Enter "open", followed by a space and the IP address of your ZyWALL.
    3 Press [ENTER] when prompted for a username.
    4 Enter your password as requested (the default is "1234").
  • Page 596: Tftp Upload Command Example

    2 Put the SMT in command interpreter (CI) mode by entering 8 in Menu 24 - System Maintenance.
    3 Enter the command "sys stdio 0" to disable the console timeout, so the TFTP transfer will not be interrupted.
  • Page 597: Example Xmodem Firmware Upload Using Hyperterminal

    Figure 388 Menu 24.7.1 As Seen Using the Console Port
      Menu 24.7.1 - System Maintenance - Upload System Firmware
        To upload system firmware:
        1. Enter "y" at the prompt below to go into debug mode.
        2.
  • Page 598: Example Xmodem Configuration Upload Using Hyperterminal

    Figure 390 Menu 24.7.2 As Seen Using the Console Port
      Menu 24.7.2 - System Maintenance - Upload System Configuration File
        To upload system configuration file:
        1. Enter "y" at the prompt below to go into debug mode.
        2.
  • Page 599: System Maintenance Menus 8 To 10

    Enter the CI from the SMT by selecting menu 24.8. Access can be by Telnet or by a serial connection to the console port, although some commands are only available with a serial connection. See the included disk or zyxel.com for more detailed information on CI commands. Enter 8 from Menu 24 - System Maintenance.
  • Page 600: Command Syntax

    A list of commands can be found by typing help or ? at the command prompt. Always type the full command. Type exit to return to the SMT main menu when finished.
    Figure 393 Valid Commands
      Copyright (c) 1994 - 2006 ZyXEL Communications Corp.
      ras> ?
      Valid commands are:...
  • Page 601: Call Control Support

    Chapter 43 System Maintenance Menus 8 to 10
    Table 236 Valid Commands
    COMMAND | DESCRIPTION
     | These commands configure bandwidth management settings and display bandwidth management information.
     | These commands configure intrusion detection and prevention settings.
     | These commands configure anti-virus settings.
     | These commands configure anti-spam settings.
    certificates | These commands display certificate information and configure certificate settings.
  • Page 602: Call History

    Figure 395 Budget Management
      Menu 24.9.1 - Budget Management
        Remote Node   Connection Time/Total Budget   Elapsed Time/Total Period
        1.WAN_1       No Budget                      No Budget
        2.WAN_2       No Budget                      No Budget
        3.Dial        No Budget                      No Budget
        Reset Node (0 to update screen):
    The total budget is the time limit on the accumulated time for outgoing calls to a remote node.
  • Page 603: Time And Date Setting

    Figure 396 Call History
      Menu 24.9.2 - Call History
        Phone Number   Rate   #call   Total
        Enter Entry to Delete(0 to exit):
    The following table describes the fields in this screen.
    Table 238 Call History
    FIELD | DESCRIPTION
    Phone Number | ...
  • Page 604: Figure 397 Menu 24: System Maintenance

    Figure 397 Menu 24: System Maintenance
      Menu 24 - System Maintenance
        System Status
        System Information and Console Port Speed
        Log and Trace
        Diagnostic
        Backup Configuration
        Restore Configuration
        Upload Firmware
        Command Interpreter Mode
        Call Control
        10.
  • Page 605: Table 239 Menu 24.10 System Maintenance: Time And Date Setting

    The following table describes the fields in this screen.
    Table 239 Menu 24.10 System Maintenance: Time and Date Setting
    FIELD | DESCRIPTION
    Time Protocol | Enter the time service protocol that your timeserver uses. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.
  • Page 607: Remote Management

    Chapter 44 Remote Management
    This chapter covers remote management found in SMT menu 24.11.
    44.1 Remote Management
    Remote management allows you to determine which services/protocols can access which ZyWALL interface (if any) from which computers. When you configure remote management to allow management from any network except the LAN, you still need to configure a firewall rule to allow access.
  • Page 608: Figure 399 Menu 24.11 - Remote Management Control

    Chapter 44 Remote Management
    Figure 399 Menu 24.11 - Remote Management Control
      Menu 24.11 - Remote Management Control
        TELNET Server:  Port = 23   Access = Disable
                        Secure Client IP = 0.0.0.0
        FTP Server:     Port = 21   Access = LAN+WAN1+DMZ+WLAN+WAN2
                        Secure Client IP = 0.0.0.0
        SSH Server:     Certificate = auto_generated_self_signed_cert
                        Port = 22...
  • Page 609: Remote Management Limitations

    Table 240 Menu 24.11 - Remote Management Control (continued)
    FIELD | DESCRIPTION
    Authenticate Client Certificates | Select Yes by pressing [SPACE BAR], then [ENTER] to require the SSL client to authenticate itself to the ZyWALL by sending the ZyWALL a certificate. To do that the SSL client must have a CA-signed certificate from a CA that has been imported as a trusted CA on the ZyWALL (see...
  • Page 611: Ip Policy Routing

    Chapter 45 IP Policy Routing
    This chapter covers setting and applying policies used for IP routing.
    45.1 IP Routing Policy Summary
    Menu 25 shows the summary of a policy rule, including the criteria and the action of a single policy, and whether a policy is active or not.
  • Page 612: Ip Routing Policy Setup

    Chapter 45 IP Policy Routing
    Table 241 Menu 25: Sample IP Routing Policy Summary (continued)
    FIELD | DESCRIPTION
    Criteria/Action | This displays the details about which packets the policy applies to and how the policy has the ZyWALL handle those packets. Refer to Table 242 on page 612 for detailed information.
  • Page 613: Figure 401 Menu 25.1: Ip Routing Policy Setup

    2 Select Edit in the Select Command field; type the index number of the rule you want to configure in the Select Rule field and press [ENTER] to open Menu 25.1 - IP Routing Policy Setup (see the next figure).
    Figure 401 Menu 25.1: IP Routing Policy Setup
      Menu 25.1 - IP Routing Policy Setup
        Rule Index= 1...
  • Page 614: Applying Policy To Packets

    Table 243 Menu 25.1: IP Routing Policy Setup
    FIELD | DESCRIPTION
    addr start / end | Destination IP address range from start to end.
    port start / end | Destination port number range from start to end; applicable only for TCP/UDP.
    Action | Specifies whether action should be taken on criteria Matched or Not Matched.
  • Page 615: Ip Policy Routing Example

    Figure 402 Menu 25.1.1: IP Routing Policy Setup
      Menu 25.1.1 - IP Routing Policy Setup
        Apply policy to packets received from:
          LAN= No
          DMZ= No
          WLAN= No
          ALL WAN= Yes
          Selected Remote Node index= N/A
        Press ENTER to Confirm or ESC to Cancel:
    The following table describes the fields in this screen.
  • Page 616: Figure 403 Example Of Ip Policy Routing

    Figure 403 Example of IP Policy Routing
    To force Web packets coming from clients with IP addresses of 192.168.1.33 to 192.168.1.64 to be routed to the Internet via the WAN port of the ZyWALL, follow the steps as shown next.
    1 Create a rule in Menu 25.1 - IP Routing Policy Setup as shown next.
  • Page 617: Figure 405 Ip Routing Policy Example 2

    2 Select Yes in the LAN field in menu 25.1.1 to apply the policy to packets received on the LAN port.
    3 Check Menu 25 - IP Routing Policy Summary to see if the rule is added correctly.
    4 Create another rule in menu 25.1 for this rule to route packets from any host (IP=0.0.0.0 means any host) with protocol TCP and port FTP access through another gateway (192.168.1.100).
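    The following is an added example, not ZyXEL code: a Python model of how the policies in menu 25 select a next hop, using the criteria this chapter lists (source and destination address range, protocol, destination port range, the interface the packet arrived on) and the Matched / Not Matched action, with the chapter's two example rules encoded as constructed data. Assumptions of the model: rules are tried in index order and the first one whose action fires wins, 0.0.0.0 at both ends of an address range means any host (as the example states), and a next hop is written either as an interface name such as "WAN" or as a gateway address.

```python
"""Added example, not ZyXEL code: a model of how the IP routing policies in
menu 25 select a next hop, built from the criteria and the Matched / Not
Matched action this chapter describes. Rule order, the 0.0.0.0 = any
convention and the naming of a next hop are assumptions of the model."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANY = "0.0.0.0"


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _in_range(addr: str, start: str, end: str) -> bool:
    if start == ANY and end == ANY:
        return True
    return _ip(start) <= _ip(addr) <= _ip(end)


@dataclass
class RoutedPacket:
    src: str
    dst: str
    protocol: int          # 6 = TCP, 17 = UDP
    dport: int
    ingress: str           # interface the packet arrived on: LAN, DMZ, WLAN or WAN


@dataclass
class PolicyRule:
    index: int
    next_hop: str                                      # "WAN" or a gateway such as 192.168.1.100
    active: bool = True
    src_start: str = ANY
    src_end: str = ANY
    dst_start: str = ANY
    dst_end: str = ANY
    protocol: int = 0                                  # 0 = any protocol
    port_start: int = 0                                # destination port range; 0/0 = any
    port_end: int = 0
    action_on: str = "Matched"                         # or "Not Matched"
    apply_from: FrozenSet[str] = frozenset({"LAN"})    # menu 25.1.1 selections

    def criteria_match(self, pkt: RoutedPacket) -> bool:
        if not _in_range(pkt.src, self.src_start, self.src_end):
            return False
        if not _in_range(pkt.dst, self.dst_start, self.dst_end):
            return False
        if self.protocol and pkt.protocol != self.protocol:
            return False
        if self.port_start or self.port_end:           # ports only apply to TCP/UDP
            if pkt.protocol not in (6, 17) or not (self.port_start <= pkt.dport <= self.port_end):
                return False
        return True


def route(rules: List[PolicyRule], pkt: RoutedPacket) -> Optional[Tuple[int, str]]:
    """(rule index, next hop) of the first rule that fires; None = use the routing table."""
    for rule in sorted(rules, key=lambda r: r.index):
        if not rule.active or pkt.ingress not in rule.apply_from:
            continue
        if rule.criteria_match(pkt) == (rule.action_on == "Matched"):
            return rule.index, rule.next_hop
    return None


# The chapter's two examples as constructed rules: Web (TCP 80) from
# 192.168.1.33-192.168.1.64 out of the WAN port; FTP (TCP 21) from any host
# via the gateway 192.168.1.100. Both apply to packets received on the LAN.
EXAMPLE_RULES = [
    PolicyRule(1, "WAN", src_start="192.168.1.33", src_end="192.168.1.64",
               protocol=6, port_start=80, port_end=80),
    PolicyRule(2, "192.168.1.100", protocol=6, port_start=21, port_end=21),
]

if __name__ == "__main__":
    print(route(EXAMPLE_RULES, RoutedPacket("192.168.1.40", "10.1.1.1", 6, 80, "LAN")))   # (1, 'WAN')
    print(route(EXAMPLE_RULES, RoutedPacket("192.168.1.70", "10.1.1.1", 6, 21, "LAN")))   # (2, '192.168.1.100')
    print(route(EXAMPLE_RULES, RoutedPacket("192.168.1.70", "10.1.1.1", 6, 80, "LAN")))   # None
```

    The Not Matched action is the part worth checking before deploying a rule: a policy with action on Not Matched fires for every packet that fails any one criterion, so a rule meant to catch "everything except Web" will also catch non-TCP traffic and packets from hosts outside the address range. Step 2 above (the LAN selection in menu 25.1.1) is modelled by apply_from; a rule that is never applied to the ingress interface silently matches nothing.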
  • Page 619: Call Scheduling

    Chapter 46 Call Scheduling
    Call scheduling allows you to dictate when a remote node should be called and for how long.
    46.1 Introduction to Call Scheduling
    The call scheduling feature allows the ZyWALL to manage a remote node and dictate when a remote node should be called and for how long.
  • Page 620: Figure 407 Schedule Set Setup

    Chapter 46 Call Scheduling To delete a schedule set, enter the set number and press [SPACE BAR] and then [ENTER] or [DEL] in the Edit Name field. To set up a schedule set, select the schedule set you want to setup from menu 26 (1-12) and press [ENTER] to see Menu 26.1 - Schedule Set Setup as shown next.
  • Page 621: Figure 408 Applying Schedule Set(S) To A Remote Node (Pppoe)

    Table 245 Schedule Set Setup (continued)
    FIELD | DESCRIPTION
     | If you selected Weekly in the How Often field above, then select the day(s) when the set should activate (and recur) by going to that day(s) and pressing [SPACE BAR] to select Yes, then press [ENTER].
  • Page 622: Figure 409 Applying Schedule Set(S) To A Remote Node (Pptp)

    Figure 409 Applying Schedule Set(s) to a Remote Node (PPTP)
      Menu 11.1 - Remote Node Profile
        Rem Node Name= ChangeMe        Route= IP
        Active= Yes
        Encapsulation= PPTP            Edit IP= No
        Service Type= Standard         Telco Option:
                                         Allocated Budget(min)= 0
        Outgoing=                        Period(hr)= 0
          My Login=...
  • Page 623: Troubleshooting

    Chapter 47 Troubleshooting
    This chapter offers some suggestions to solve problems you might encounter. The potential problems are divided into the following categories.
    • Power, Hardware Connections, and LEDs
    • ZyWALL Access and Login
    • Internet Access
    47.1 Power, Hardware Connections, and LEDs
    The ZyWALL does not turn on.
  • Page 624: Zywall Access And Login

    Chapter 47 Troubleshooting
    47.2 ZyWALL Access and Login
    I forgot the LAN IP address for the ZyWALL.
    1 The default LAN IP address is 192.168.1.1.
    2 Use the console port to log in to the ZyWALL.
    3 If you changed the IP address and have forgotten it, you might get the IP address of the ZyWALL by looking up the IP address of the default gateway for your computer.
  • Page 625

    • If there is a DHCP server on your network, make sure your computer is using a dynamic IP address. See Appendix D on page 647. Your ZyWALL is a DHCP server by default.
    6 Reset the device to its factory defaults, and try to access the ZyWALL with the default IP address.
  • Page 626: Internet Access

    See the troubleshooting suggestions for I cannot see or access the Login screen in the web configurator. Ignore the suggestions about your browser.
    I cannot use FTP to upload / download the configuration file. / I cannot use FTP to upload new firmware.
  • Page 627

    I cannot access the Internet anymore.
    I had access to the Internet (with the ZyWALL), but my Internet connection is not available anymore.
    1 Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.4.4 on page
    2 Check the schedule rules.
  • Page 628 Chapter 47 Troubleshooting ZyWALL 2WG User’s Guide...
  • Page 629: Appendices And Index

    Appendices and Index
    Product Specifications (631)
    Wall-mounting Instructions (639)
    Pop-up Windows, JavaScripts and Java Permissions (641)
    Setting up Your Computer's IP Address (647)
    IP Addresses and Subnetting (663)
    Common Services (671)
    Wireless LANs (675)
    VPN Setup (689)
    Importing Certificates (691)
    Command Interpreter (701)
    NetBIOS Filter Commands (709)
    Brute-Force Password Guessing Protection (711)
  • Page 631: Appendix A Product Specifications

    Appendix A Product Specifications

    The following tables summarize the ZyWALL's hardware and firmware features.

    Table 246 Hardware Specifications
    Dimensions: 220 (W) x 148 (D) x 30.5 (H) mm
    Weight: 517 g
    Power Specification: 12V DC
    Ethernet Interface LAN/DMZ: Four LAN/DMZ/WLAN auto-negotiating, auto MDI/MDI-X 10/100 Mbps RJ-...
  • Page 632 (WEP, WPA(2), WPA(2)-PSK) and/or MAC filtering to protect your wireless network.
    Firmware Upgrade: Download new firmware (when available) from the ZyXEL web site and use the web configurator, an FTP or a TFTP tool to put it on the ZyWALL. FTP sends its login in the clear and TFTP has no authentication at all, so perform firmware uploads from the trusted LAN side rather than across the WAN.
  • Page 633: Table 248 Feature Specifications

    Appendix A Product Specifications Table 247 Firmware Specifications FEATURE DESCRIPTION Content Filter The ZyWALL blocks or allows access to web sites that you specify and blocks access to web sites with URLs that contain keywords that you specify. You can define time periods and days during which content filtering is enabled.
  • Page 634 Appendix A Product Specifications
    Table 249 Performance (continued)
    CATEGORY | PERFORMANCE
    Simultaneous IPSec VPN Connections |
    Output Power (Maximum) | IEEE 802.11a: 14 dBm at 54 Mbps OFDM; IEEE 802.11b: 18 dBm at 11 Mbps CCK, QPSK, BPSK; IEEE 802.11g: 17 dBm at 54 Mbps OFDM
    Compatible 3G Card | At the time of writing, you can only use the Sierra AC850/860 3G wireless card in the ZyWALL.
  • Page 635 Appendix A Product Specifications
    EUROPEAN PLUG STANDARDS
      OUTPUT POWER: 12VDC, 1.5A
      POWER CONSUMPTION: 18 W MAX.
      SAFETY STANDARDS: TUV, CE (EN 60950-1)
    UNITED KINGDOM PLUG STANDARDS
      AC POWER ADAPTOR MODEL: PSA18R-120P (ZK)-R
      INPUT POWER: 100-240VAC, 50/60HZ, 0.5A
      OUTPUT POWER: 12VDC, 1.5A
      POWER CONSUMPTION: 18 W MAX.
  • Page 636: Figure 410 Console/Dial Backup Cable Db-9 End Pin Layout

    Appendix A Product Specifications The console cable and dial backup cable each have an RJ-45 connector and a DB-9 connector. The pin layout for the DB-9 connector end of the cables is as follows. Figure 410 Console/Dial Backup Cable DB-9 End Pin Layout Table 250 Console Cable Pin Assignments DB-9M (MALE) PIN DEFINITION RJ-45 END...
  • Page 637 Appendix A Product Specifications
    Table 252 Ethernet Cable Pin Assignments: WAN / LAN Ethernet cable pin layout (pins 1 to 3 carry the IRD+, IRD- and OTD+ signals; the per-column pin-to-signal mapping of the table did not survive extraction)...
  • Page 639: Appendix B Wall-Mounting Instructions

    Appendix B Wall-mounting Instructions

    Do the following to hang your ZyWALL on a wall. See the product specifications appendix for the size of screws to use and how far apart to place them.
    1 Locate a high position on wall that is free of obstructions. Use a sturdy wall.
    2 Drill two holes for the screws.
  • Page 640: Figure 411 Wall-Mounting Example

    Appendix B Wall-mounting Instructions
    Figure 411 Wall-mounting Example
  • Page 641: Appendix C Pop-Up Windows, Javascripts And Java Permissions

    Appendix C Pop-up Windows, JavaScripts and Java Permissions

    In order to use the web configurator you need to allow:
    • Web browser pop-up windows from your device.
    • JavaScripts (enabled by default).
    • Java permissions (enabled by default).
    Internet Explorer 6 screens are used here.
  • Page 642: Figure 413 Internet Options

    Appendix C Pop-up Windows, JavaScripts and Java Permissions
    1 In Internet Explorer, select Tools, Internet Options, Privacy.
    2 Clear the Block pop-ups check box in the Pop-up Blocker section of the screen. This disables any web pop-up blockers you may have enabled for every site; adding only the ZyWALL's address to the Allowed sites list (described next) is the narrower alternative.
    Figure 413 Internet Options
    3 Click Apply to save this setting.
  • Page 643: Figure 414 Internet Options

    Appendix C Pop-up Windows, JavaScripts and Java Permissions
    Figure 414 Internet Options
    3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix "http://". For example, http://192.168.1.1.
    4 Click Add to move the IP address to the list of Allowed sites.
    Figure 415 Pop-up Blocker Settings
  • Page 644: Figure 416 Internet Options

    Appendix C Pop-up Windows, JavaScripts and Java Permissions 5 Click Close to return to the Privacy screen. 6 Click Apply to save this setting. JavaScripts If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed.
  • Page 645: Figure 417 Security Settings - Java Scripting

    Appendix C Pop-up Windows, JavaScripts and Java Permissions Figure 417 Security Settings - Java Scripting Java Permissions 1 From Internet Explorer, click Tools, Internet Options and then the Security tab. 2 Click the Custom Level... button. 3 Scroll down to Microsoft VM. 4 Under Java permissions make sure that a safety level is selected.
  • Page 646: Figure 419 Java (Sun)

    Appendix C Pop-up Windows, JavaScripts and Java Permissions
    JAVA (Sun)
    1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab.
    2 Make sure that Use Java 2 for <applet> under Java (Sun) is selected.
    3 Click OK to close the window.
    Figure 419 Java (Sun)
  • Page 647: Appendix D Setting Up Your Computer's Ip Address

    Appendix D Setting up Your Computer's IP Address

    All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer.
  • Page 648: Figure 420 Windows 95/98/Me: Network: Configuration

    Appendix D Setting up Your Computer's IP Address
    Figure 420 Windows 95/98/Me: Network: Configuration
    Installing Components
    The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the adapter:
    1 In the Network window, click Add.
  • Page 649: Figure 421 Windows 95/98/Me: Tcp/Ip Properties: Ip Address

    Appendix D Setting up Your Computer's IP Address
    Configuring
    1 In the Network window Configuration tab, select your network adapter's TCP/IP entry and click Properties.
    2 Click the IP Address tab.
    • If your IP address is dynamic, select Obtain an IP address automatically.
    •...
  • Page 650: Figure 422 Windows 95/98/Me: Tcp/Ip Properties: Dns Configuration

    Appendix D Setting up Your Computer’s IP Address Figure 422 Windows 95/98/Me: TCP/IP Properties: DNS Configuration 4 Click the Gateway tab. • If you do not know your gateway’s IP address, remove previously installed gateways. • If you have a gateway IP address, type it in the New gateway field and click Add. 5 Click OK to save and close the TCP/IP Properties window.
  • Page 651: Figure 423 Windows Xp: Start Menu

    Appendix D Setting up Your Computer's IP Address
    Figure 423 Windows XP: Start Menu
    2 In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT).
    Figure 424 Windows XP: Control Panel
    3 Right-click Local Area Connection and then click Properties.
  • Page 652: Figure 425 Windows Xp: Control Panel: Network Connections: Properties

    Appendix D Setting up Your Computer’s IP Address Figure 425 Windows XP: Control Panel: Network Connections: Properties 4 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and then click Properties. Figure 426 Windows XP: Local Area Connection Properties 5 The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP).
  • Page 653: Figure 427 Windows Xp: Internet Protocol (Tcp/Ip) Properties

    Appendix D Setting up Your Computer’s IP Address Figure 427 Windows XP: Internet Protocol (TCP/IP) Properties 6 If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK. Do one or more of the following if you want to configure additional IP addresses: •...
  • Page 654: Figure 428 Windows Xp: Advanced Tcp/Ip Properties

    Appendix D Setting up Your Computer’s IP Address Figure 428 Windows XP: Advanced TCP/IP Properties 7 In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP): • Click Obtain DNS server address automatically if you do not know your DNS server IP address(es).
  • Page 655: Figure 429 Windows Xp: Internet Protocol (Tcp/Ip) Properties

    Appendix D Setting up Your Computer’s IP Address Figure 429 Windows XP: Internet Protocol (TCP/IP) Properties 8 Click OK to close the Internet Protocol (TCP/IP) Properties window. 9 Click Close (OK in Windows 2000/NT) to close the Local Area Connection Properties window.
  • Page 656: Figure 430 Macintosh Os 8/9: Apple Menu

    Appendix D Setting up Your Computer’s IP Address Figure 430 Macintosh OS 8/9: Apple Menu 2 Select Ethernet built-in from the Connect via list. Figure 431 Macintosh OS 8/9: TCP/IP 3 For dynamically assigned settings, select Using DHCP Server from the Configure: list. 4 For statically assigned settings, do the following: •...
  • Page 657: Figure 432 Macintosh Os X: Apple Menu

    Appendix D Setting up Your Computer’s IP Address • Type your IP address in the IP Address box. • Type your subnet mask in the Subnet mask box. • Type the IP address of your ZyWALL in the Router address box. 5 Close the TCP/IP Control Panel.
  • Page 658: Figure 433 Macintosh Os X: Network

    Appendix D Setting up Your Computer’s IP Address Figure 433 Macintosh OS X: Network 4 For statically assigned settings, do the following: • From the Configure box, select Manually. • Type your IP address in the IP Address box. • Type your subnet mask in the Subnet mask box. •...
  • Page 659: Figure 434 Red Hat 9.0: Kde: Network Configuration: Devices

    Appendix D Setting up Your Computer’s IP Address Make sure you are logged in as the root administrator. Using the K Desktop Environment (KDE) Follow the steps below to configure your computer IP address using the KDE. 1 Click the Red Hat button (located on the bottom left corner), select System Setting and click Network.
  • Page 660: Figure 436 Red Hat 9.0: Kde: Network Configuration: Dns

    Appendix D Setting up Your Computer’s IP Address • If you have a dynamic IP address, click Automatically obtain IP address settings with and select dhcp from the drop down list. • If you have a static IP address, click Statically set IP Addresses and fill in the Address, Subnet mask, and Default Gateway Address fields.
  • Page 661: Figure 438 Red Hat 9.0: Dynamic Ip Address Setting In Ifconfig-Eth0

    Appendix D Setting up Your Computer's IP Address

    Figure 438 Red Hat 9.0: Dynamic IP Address Setting in ifconfig-eth0
    DEVICE=eth0
    ONBOOT=yes
    BOOTPROTO=dhcp
    USERCTL=no
    PEERDNS=yes
    TYPE=Ethernet

    • If you have a static IP address, enter static in the BOOTPROTO= field. Type IPADDR= followed by the IP address (in dotted decimal notation) and type NETMASK...
  • Page 662: Figure 442 Red Hat 9.0: Checking Tcp/Ip Properties

    Appendix D Setting up Your Computer's IP Address

    Verifying Settings
    Enter ifconfig in a terminal screen to check your TCP/IP properties.

    Figure 442 Red Hat 9.0: Checking TCP/IP Properties
    [root@localhost]# ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:50:BA:72:5B:44
              inet addr:172.23.19.129  Bcast:172.23.19.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1...
  • Page 663: Appendix E Ip Addresses And Subnetting

    Appendix E IP Addresses and Subnetting

    This appendix introduces IP addresses, IP address classes and subnet masks. You use subnet masks to subdivide a network into smaller logical networks.

    Introduction to IP Addresses
    An IP address has two parts: the network number and the host ID. Routers use the network number to send packets to the correct network, while the host ID identifies a single device on the network.
  • Page 664: Table 254 Allowed Ip Address Range By Class

    Appendix E IP Addresses and Subnetting
    Table 253 Classes of IP Addresses (continued)
    IP ADDRESS | OCTET 1 | OCTET 2 | OCTET 3 | OCTET 4
    Class B | Network number | Network number | Host ID | Host ID
    Class C | Network number | Network number | Network number | Host ID
    An IP address with host IDs of all zeros is the IP address of the network (192.168.1.0 for example).
  • Page 665: Table 255 "Natural" Masks

    Appendix E IP Addresses and Subnetting
    Subnet masks are expressed in dotted decimal notation just like IP addresses. The "natural" masks for class A, B and C IP addresses are as follows.
    Table 255 "Natural" Masks
    CLASS | NATURAL MASK
    A | 255.0.0.0
    B | 255.255.0.0
    C | 255.255.255.0
    Subnetting...
  • Page 666: Table 257 Two Subnets Example

    Appendix E IP Addresses and Subnetting
    Example: Two Subnets
    As an example, you have a class "C" address 192.168.1.0 with subnet mask of 255.255.255.0.
    Table 257 Two Subnets Example
    IP/SUBNET MASK | NETWORK NUMBER | HOST ID
    IP Address | 192.168.1. |
    IP Address (Binary) | 11000000.10101000.00000001. | ...
  • Page 667: Table 260 Subnet 1

    Appendix E IP Addresses and Subnetting
    Table 259 Subnet 2 (continued)
    IP/SUBNET MASK | NETWORK NUMBER | LAST OCTET BIT VALUE
    Subnet Address: 192.168.1.128 | Lowest Host ID: 192.168.1.129
    Broadcast Address: 192.168.1.255 | Highest Host ID: 192.168.1.254
    Host IDs of all zeros represent the subnet itself and host IDs of all ones are the broadcast address for that subnet, so the actual number of hosts available on each subnet in the example above is 2 –...
  • Page 668: Table 262 Subnet 3

    Appendix E IP Addresses and Subnetting
    Table 262 Subnet 3
    IP/SUBNET MASK | NETWORK NUMBER | LAST OCTET BIT VALUE
    IP Address | 192.168.1. |
    IP Address (Binary) | 11000000.10101000.00000001. | 10000000
    Subnet Mask (Binary) | 11111111.11111111.11111111. | 11000000
    Subnet Address: 192.168.1.128 | Lowest Host ID: 192.168.1.129
    Broadcast Address: 192.168.1.191 | Highest Host ID: 192.168.1.190
    Table 263 Subnet 4...
  • Page 669: Table 266 Class B Subnet Planning

    Appendix E IP Addresses and Subnetting
    Table 265 Class C Subnet Planning (continued)
    NO. "BORROWED" HOST BITS | SUBNET MASK | NO. SUBNETS | NO. HOSTS PER SUBNET
    3 | 255.255.255.224 (/27) | 8 | 30
    4 | 255.255.255.240 (/28) | 16 | 14
    5 | 255.255.255.248 (/29) | 32 | 6
    6 | 255.255.255.252 (/30) | 64 | 2
    7 | 255.255.255.254 (/31) | 128 | 0
    (The subnet and host counts follow from the 2^n and 2^n - 2 rule stated with Table 259; a /31 has no usable hosts under that rule.)

    Subnetting With Class A and Class B Networks
    For class "A"...
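    The arithmetic behind Tables 257 to 265, as an added example that is not part of the ZyXEL manual: it computes the subnet address, host range and broadcast address for any IP address / mask pair, generates the class C subnet-planning rows from the number of borrowed bits, and cross-checks its own bit arithmetic against Python's standard ipaddress module. The function names are my own.

```python
"""Subnet arithmetic for the Appendix E examples.

Added example, not part of the ZyXEL manual.  Implements the bit-level
subnetting the appendix describes (network number, broadcast address,
host range, and the subnet-planning table) and cross-checks the result
against Python's standard ipaddress module.
"""
import ipaddress


def to_int(dotted: str) -> int:
    """Convert dotted-decimal notation to a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-decimal IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value: int) -> str:
    """Convert a 32-bit integer back to dotted-decimal notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_from_mask(mask: str) -> int:
    """Count the leading one bits of a subnet mask; reject non-contiguous masks."""
    m = to_int(mask)
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones


def subnet_info(address: str, mask: str) -> dict:
    """Subnet address, host range and broadcast address for an
    IP address / subnet mask pair (the layout of Tables 259 and 262)."""
    prefix = prefix_from_mask(mask)
    ip = to_int(address)
    net_mask = to_int(mask)
    network = ip & net_mask                       # host bits cleared
    broadcast = network | (~net_mask & 0xFFFFFFFF)  # host bits set
    host_bits = 32 - prefix
    # All-zeros host ID is the subnet, all-ones is broadcast: 2^n - 2 usable hosts.
    usable = max(2 ** host_bits - 2, 0)
    return {
        "prefix": prefix,
        "subnet_address": to_dotted(network),
        "lowest_host": to_dotted(network + 1) if usable else None,
        "highest_host": to_dotted(broadcast - 1) if usable else None,
        "broadcast_address": to_dotted(broadcast),
        "usable_hosts": usable,
    }


def class_c_plan(borrowed_bits: int) -> dict:
    """One row of the Class C subnet planning table: borrow host bits
    from the last octet of a 255.255.255.0 network."""
    if not 0 <= borrowed_bits <= 7:
        raise ValueError("a class C network has only 8 host bits")
    prefix = 24 + borrowed_bits
    mask = to_dotted((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)
    return {
        "borrowed_bits": borrowed_bits,
        "mask": f"{mask} (/{prefix})",
        "subnets": 2 ** borrowed_bits,
        "hosts_per_subnet": max(2 ** (8 - borrowed_bits) - 2, 0),
    }


def crosscheck(address: str, mask: str) -> bool:
    """True when the hand-rolled arithmetic agrees with the standard library."""
    info = subnet_info(address, mask)
    net = ipaddress.IPv4Network(f"{address}/{mask}", strict=False)
    return (info["subnet_address"] == str(net.network_address)
            and info["broadcast_address"] == str(net.broadcast_address))


if __name__ == "__main__":
    print(subnet_info("192.168.1.129", "255.255.255.192"))   # subnet 3 of the /26 example
    for bits in range(1, 8):
        print(class_c_plan(bits))
```

    The mask validation matters in practice: a firewall rule or VPN policy written with a non-contiguous mask such as 255.255.0.255 matches a scattered set of addresses, and silently accepting it is how "subnet" rules end up covering hosts nobody intended.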
  • Page 671: Appendix F Common Services

    CU-SEEME | TCP | 7648, 24032 | A popular videoconferencing solution from White Pines Software.
    DNS | TCP/UDP | 53 | Domain Name Server, a service that matches web names (e.g. www.zyxel.com) to IP numbers.
    ESP (IPSEC_TUNNEL) | User-Defined | 50 | The IPSec ESP (Encapsulating Security Payload) tunneling protocol uses this service. Note that 50 is an IP protocol number, not a TCP/UDP port.
    FINGER...
  • Page 672 Appendix F Common Services
    Table 267 Commonly Used Services (continued)
    NAME | PROTOCOL | PORT(S) | DESCRIPTION
    FTP | TCP | 20, 21 | File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail.
    H.323 | TCP | 1720 | NetMeeting uses this protocol.
    HTTP | TCP | 80 | Hyper Text Transfer Protocol - a client/server protocol for the world wide web.
  • Page 673 Appendix F Common Services
    Table 267 Commonly Used Services (continued)
    NAME | PROTOCOL | PORT(S) | DESCRIPTION
    RTELNET | TCP | 107 | Remote Telnet.
    RTSP | TCP/UDP | 554 | The Real Time Streaming (media control) Protocol (RTSP) is a remote control for multimedia on the Internet.
    SFTP | TCP | 115 | Simple File Transfer Protocol (the 1984 protocol of RFC 913, not the SSH File Transfer Protocol, which runs inside SSH on port 22).
    SMTP | TCP | 25 | Simple Mail Transfer Protocol is the message-exchange standard for the...
  • Page 675: Appendix G Wireless Lans

    Appendix G Wireless LANs

    Wireless LAN Topologies
    This section discusses ad-hoc and infrastructure wireless LAN topologies.

    Ad-hoc Wireless LAN Configuration
    The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless adapters (A, B, C). Any time two or more wireless adapters are within range of each other, they can set up an independent network, which is commonly referred to as an ad-hoc network or Independent Basic Service Set (IBSS).
  • Page 676: Figure 444 Basic Service Set

    Appendix G Wireless LANs Figure 444 Basic Service Set An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS). This type of wireless LAN topology is called an Infrastructure WLAN.
  • Page 677: Figure 445 Infrastructure Wlan

    Appendix G Wireless LANs Figure 445 Infrastructure WLAN Channel A channel is the radio frequency(ies) used by IEEE 802.11a/b/g wireless devices. Channels available depend on your geographical area. You may have a choice of channels (for your region) so you should use a different channel than an adjacent AP (access point) to reduce interference.
  • Page 678: Figure 446 Rts/Cts

    Appendix G Wireless LANs Figure 446 RTS/CTS When station A sends data to the AP, it might not know that the station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations.
  • Page 679: Table 268 Ieee 802.11G

    Appendix G Wireless LANs If the Fragmentation Threshold value is smaller than the RTS/CTS value (see previously) you set then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size. Preamble Type Preamble is used to signal that data is coming to the receiver.
  • Page 680: Table 269 Wireless Security Levels

    Appendix G Wireless LANs
    Wireless security methods available on the ZyWALL are data encryption, wireless client authentication, restricting access by device MAC address and hiding the ZyWALL identity. The following figure shows the relative effectiveness of these wireless security methods available on your ZyWALL. Hiding the SSID and filtering by MAC address only deter casual association, since both the SSID and the permitted MAC addresses are visible to anyone capturing wireless traffic, and WEP is cryptographically broken; treat WPA2 with a strong key as the baseline.
  • Page 681: Types Of Radius Messages

    Appendix G Wireless LANs
    Determines the network services available to authenticated users once they are connected to the network.
    • Accounting
    Keeps track of the client's network activity.
    RADIUS is a simple packet exchange in which your AP acts as a message relay between the wireless client and the network RADIUS server.
  • Page 682 Appendix G Wireless LANs
    For EAP-TLS authentication type, you must first have a wired connection to the network and obtain the certificate(s) from a certificate authority (CA). A certificate (also called a digital ID) can be used to authenticate users; a CA issues certificates and guarantees the identity of each certificate owner.
  • Page 683: Table 270 Comparison Of Eap Authentication Types

    Appendix G Wireless LANs Dynamic WEP Key Exchange The AP maps a unique key that is generated with the RADIUS server. This key expires when the wireless connection times out, disconnects or reauthentication times out. A new WEP key is generated each time reauthentication is performed. If this feature is enabled, it is not necessary to configure a default encryption key in the Wireless screen.
  • Page 684 Appendix G Wireless LANs
    Encryption
    WPA improves on WEP by using Temporal Key Integrity Protocol (TKIP) with a Message Integrity Check (MIC), with IEEE 802.1x for authentication and key management. WPA2 uses Advanced Encryption Standard (AES) in the Counter mode with Cipher block chaining Message authentication code Protocol (CCMP), which offers stronger encryption than TKIP. AES-CCMP is mandatory in WPA2 and optional in WPA; TKIP remains only for compatibility with older clients.
  • Page 685: Figure 447 Wpa(2) With Radius Application Example

    Appendix G Wireless LANs Wireless Client WPA Supplicants A wireless client supplicant is the software that runs on an operating system instructing the wireless client how to use WPA. At the time of writing, the most widely available supplicant is the WPA patch for Windows XP, Funk Software's Odyssey client.
  • Page 686: Figure 448 Wpa(2)-Psk Authentication

    Appendix G Wireless LANs 4 The AP and wireless clients use the TKIP or AES encryption process to encrypt data exchanged between them. Figure 448 WPA(2)-PSK Authentication Security Parameters Summary Refer to this table to see what other security parameters you should configure for each Authentication Method/ key management protocol type.
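    How the pre-shared key used in the WPA(2)-PSK exchange above is actually formed, as an added example that is not taken from the manual. The manual only says that the AP and the client share a pre-shared key; IEEE 802.11i defines that key, the Pairwise Master Key (PMK), as PBKDF2-HMAC-SHA1 over the passphrase with the SSID as the salt, 4096 iterations, 256 bits of output. The passphrase/SSID pair in the code is the published 802.11i test vector, not a ZyWALL default, and the function names are my own. Because the derivation depends on nothing but the passphrase and the SSID, anyone who has recorded the 4-way handshake can test candidate passphrases offline, which is why the length and randomness of the passphrase is the only thing that protects a PSK network.

```python
"""WPA(2)-PSK pre-shared key derivation.

Added example (not ZyXEL code).  IEEE 802.11i derives the 256-bit
Pairwise Master Key (PMK) from the passphrase and the SSID with
PBKDF2-HMAC-SHA1 at 4096 iterations.  In WPA(2)-PSK the PMK is the
secret both sides prove knowledge of in the 4-way handshake (Figure 448)
before the per-session TKIP or AES-CCMP keys are derived from it.
"""
import hashlib
import hmac

PBKDF2_ITERATIONS = 4096
PMK_LEN = 32  # 256 bits


def validate_passphrase(passphrase: str) -> None:
    """802.11i: 8 to 63 printable ASCII characters (a 64-hex-digit key is
    used directly as the PMK and skips this derivation entirely)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8-63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2(HMAC-SHA1, passphrase, SSID, 4096, 256 bits)."""
    validate_passphrase(passphrase)
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes,
                               PBKDF2_ITERATIONS, PMK_LEN)


def pmk_hex(passphrase: str, ssid: str) -> str:
    """Hex form of the PMK, as wpa_supplicant prints it."""
    return derive_pmk(passphrase, ssid).hex()


def matches_pmk(candidate: str, ssid: str, pmk: bytes) -> bool:
    """Constant-time check of a candidate passphrase against a known PMK.
    Nothing here needs the AP: the PMK depends only on passphrase and SSID,
    which is why a short passphrase gives no protection once a handshake
    has been captured.  Malformed candidates simply fail to match."""
    try:
        return hmac.compare_digest(derive_pmk(candidate, ssid), pmk)
    except ValueError:
        return False


if __name__ == "__main__":
    # Published IEEE 802.11i test vector (Annex H), not a ZyWALL default.
    print(pmk_hex("password", "IEEE"))
```

    The SSID acts as a salt, so precomputed tables are only useful against networks that keep a common default SSID; a unique SSID and a long random passphrase are the two configuration choices that decide how much a captured handshake is worth.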
  • Page 687: Figure 449 Roaming Example

    Appendix G Wireless LANs In a network environment with multiple access points, wireless stations are able to switch from one access point to another as they move between the coverage areas. This is roaming. As the wireless station moves from place to place, it is responsible for choosing the most appropriate access point depending on the signal strength, network utilization or other factors.
  • Page 688 Appendix G Wireless LANs 3 The adjacent access points should use different radio channels when their coverage areas overlap. 4 All access points must use the same port number to relay roaming information. 5 The access points must be connected to the Ethernet and be able to get IP addresses from a DHCP server if using dynamic IP address assignment.
  • Page 689 Appendix G Wireless LANs • Omni-directional antennas send the RF signal out in all directions on a horizontal plane. The coverage area is torus-shaped (like a donut) which makes these antennas ideal for a room environment. With a wide coverage area, it is possible to make circular overlapping coverage areas with multiple access points.
  • Page 691: Appendix H Importing Certificates

    Appendix H Importing Certificates

    This appendix shows examples of importing certificates using Internet Explorer 5.

    Import ZyWALL Certificates into Netscape Navigator
    In Netscape Navigator, you can permanently trust the ZyWALL's server certificate by importing it into your operating system as a trusted certification authority. Select Accept This Certificate Permanently in the following screen to do this.
  • Page 692: Figure 451 Login Screen

    Appendix H Importing Certificates
    Figure 451 Login Screen
    2 Click Install Certificate to open the Install Certificate wizard.
    Figure 452 Certificate General Information before Import
    3 Click Next to begin the Install Certificate wizard.
  • Page 693: Figure 453 Certificate Import Wizard 1

    Appendix H Importing Certificates
    Figure 453 Certificate Import Wizard 1
    4 Select where you would like to store the certificate and then click Next.
    Figure 454 Certificate Import Wizard 2
    5 Click Finish to complete the Import Certificate wizard.
  • Page 694: Figure 455 Certificate Import Wizard 3

    Appendix H Importing Certificates
    Figure 455 Certificate Import Wizard 3
    6 Click Yes to add the ZyWALL certificate to the root store. A certificate in the root store is trusted to vouch for any name, so only add a certificate whose private key you control (the ZyWALL's own), and remove it from the store when the device is retired or its certificate is replaced.
    Figure 456 Root Certificate Store
  • Page 695: Figure 457 Certificate General Information After Import

    Appendix H Importing Certificates Figure 457 Certificate General Information after Import Enrolling and Importing SSL Client Certificates The SSL client needs a certificate if Authenticate Client Certificates is selected on the ZyWALL. You must have imported at least one trusted CA to the ZyWALL in order for the Authenticate Client Certificates to be active (see the Certificates chapter for details).
  • Page 696: Figure 458 Zywall Trusted Ca Screen

    Appendix H Importing Certificates Figure 458 ZyWALL Trusted CA Screen The CA sends you a package containing the CA’s trusted certificate(s), your personal certificate(s) and a password to install the personal certificate(s). Installing the CA’s Certificate 1 Double click the CA’s trusted certificate to produce a screen similar to the one shown next.
  • Page 697: Figure 459 Ca Certificate Example

    Appendix H Importing Certificates Figure 459 CA Certificate Example 2 Click Install Certificate and follow the wizard as shown earlier in this appendix. Installing Your Personal Certificate(s) You need a password in advance. The CA may issue the password or you may have to specify it during the enrollment.
  • Page 698: Figure 461 Personal Certificate Import Wizard 2

    Appendix H Importing Certificates 2 The file name and path of the certificate you double-clicked should automatically appear in the File name text box. Click Browse if you wish to import a different certificate. Figure 461 Personal Certificate Import Wizard 2 3 Enter the password given to you by the CA.
  • Page 699: Figure 463 Personal Certificate Import Wizard 4

    Appendix H Importing Certificates Figure 463 Personal Certificate Import Wizard 4 5 Click Finish to complete the wizard and begin the import process. Figure 464 Personal Certificate Import Wizard 5 6 You should see the following screen when the certificate is correctly installed on your computer.
  • Page 700: Figure 466 Access The Zywall Via Https

    Appendix H Importing Certificates
    Using a Certificate When Accessing the ZyWALL Example
    Use the following procedure to access the ZyWALL via HTTPS.
    1 Enter https://<ZyWALL IP Address>/ in your browser's web address field.
    Figure 466 Access the ZyWALL Via HTTPS
    2 When Authenticate Client Certificates is selected on the ZyWALL, the following screen asks you to select a personal certificate to send to the ZyWALL.
  • Page 701: Appendix I Command Interpreter

    Enter 8 to go to Menu 24.8 - Command Interpreter Mode. See the included disk or zyxel.com for more detailed information on these commands. Use of undocumented commands or misconfiguration can damage the unit and possibly render it unusable.
  • Page 702: Figure 469 Displaying Log Categories Example

    Appendix I Command Interpreter

    Configuring What You Want the ZyWALL to Log
    1 Use the sys logs load command to load the log setting buffer that allows you to configure which logs the ZyWALL is to record.
    2 Use sys logs category to view a list of the log categories.
    Figure 469 Displaying Log Categories Example
    ras>...
  • Page 703 Appendix I Command Interpreter
    Log Command Example
    This example shows how to set the ZyWALL to record the access logs and alerts and then view the results.
    ras> sys logs load
    ras> sys logs category access 3
    ras> sys logs save
    ras>...
  • Page 704: Figure 471 Routing Command Example

    Appendix I Command Interpreter
    Figure 471 Routing Command Example
    ras> ip nat routing 2 1
    Routing can work in NAT when no NAT rule match.
    -----------------------------------------------
    LAN: no  DMZ: yes  WLAN: yes

    ARP Behavior and the ARP ackGratuitous Commands
    The ZyWALL does not accept ARP reply information if the ZyWALL did not send out a corresponding request.
  • Page 705: Figure 472 Backup Gateway

    Appendix I Command Interpreter is on and set to force updates, the ZyWALL receives the gratuitous ARP request and updates its ARP table. This way the ZyWALL has a correct gateway ARP entry to forward packets through the backup gateway. If ackGratuitous is off or not set to force updates, the ZyWALL will not update the gateway ARP entry and cannot forward packets through gateway B.
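    The acceptance rules just described, as an added example (a Python model, not ZyNOS code) that makes the trade-off explicit: with ackGratuitous off, neither an unsolicited ARP reply nor a gratuitous ARP from a LAN host can rewrite the gateway entry, so ARP spoofing is blocked, but backup-gateway failover announced by gratuitous ARP fails too; with ackGratuitous on and set to force updates, failover works and any host on the LAN segment can redirect the gateway entry the same way. The option names on the policy object, the addresses and MACs, and the behaviour when ackGratuitous is on but not set to force updates (modelled as: accept only for addresses not yet in the table) are my assumptions, not taken from the page.

```python
"""ARP acceptance rules of the ZyWALL command-interpreter appendix.

Added example (not ZyNOS code) modelling the two rules the appendix
states: ARP replies are accepted only when the ZyWALL sent the matching
request, and gratuitous ARP is honoured only when ackGratuitous is on and
set to force updates.  Assumptions: the behaviour of "on but not forced"
(accept only for IP addresses not yet in the table) is inferred, not
documented here, and all addresses below are constructed.
"""
import time
from dataclasses import dataclass, field


@dataclass
class ArpPolicy:
    ack_gratuitous: bool = False   # ZyWALL default per the appendix: off
    force_update: bool = False     # only meaningful when ack_gratuitous is on


@dataclass
class ArpEntry:
    mac: str
    learned_at: float


@dataclass
class ArpTable:
    policy: ArpPolicy = field(default_factory=ArpPolicy)
    entries: dict = field(default_factory=dict)   # ip -> ArpEntry
    pending: set = field(default_factory=set)     # ips we have sent a request for

    def send_request(self, ip: str) -> None:
        """Record that we asked who-has <ip>; a reply is only valid after this."""
        self.pending.add(ip)

    def lookup(self, ip: str):
        entry = self.entries.get(ip)
        return entry.mac if entry else None

    def receive(self, op: str, sender_ip: str, sender_mac: str,
                target_ip: str, now=None) -> bool:
        """Apply one received ARP packet; return True if the table changed."""
        now = time.time() if now is None else now
        if op == "reply":
            # Unsolicited replies are the classic spoofing vector: drop them.
            if sender_ip not in self.pending:
                return False
            self.pending.discard(sender_ip)
            self.entries[sender_ip] = ArpEntry(sender_mac, now)
            return True
        if op == "request":
            if sender_ip != target_ip:
                # Ordinary who-has from another host: not covered by the appendix.
                return False
            # Gratuitous ARP: the sender announces its own IP/MAC binding.
            if not self.policy.ack_gratuitous:
                return False
            if sender_ip in self.entries and not self.policy.force_update:
                return False  # assumed: no overwrite unless force updates is set
            self.entries[sender_ip] = ArpEntry(sender_mac, now)
            return True
        raise ValueError(f"unknown ARP operation {op!r}")


# Constructed addresses; the appendix figure only names gateway A and backup gateway B.
GATEWAY_IP = "10.0.0.1"
ZYWALL_IP = "10.0.0.254"
GATEWAY_A_MAC = "00:aa:aa:aa:aa:aa"
GATEWAY_B_MAC = "00:bb:bb:bb:bb:bb"


def backup_gateway_scenario(policy: ArpPolicy):
    """Figure 472: gateway A answers our request, then fails; backup gateway B
    announces A's IP with gratuitous ARP.  Return the MAC the ZyWALL will use."""
    table = ArpTable(policy)
    table.send_request(GATEWAY_IP)
    table.receive("reply", GATEWAY_IP, GATEWAY_A_MAC, ZYWALL_IP, now=1.0)
    table.receive("request", GATEWAY_IP, GATEWAY_B_MAC, GATEWAY_IP, now=2.0)
    return table.lookup(GATEWAY_IP)


def spoofed_reply_ignored() -> bool:
    """An attacker's unsolicited reply for the gateway IP changes nothing."""
    table = ArpTable()
    table.send_request(GATEWAY_IP)
    table.receive("reply", GATEWAY_IP, GATEWAY_A_MAC, ZYWALL_IP, now=1.0)
    changed = table.receive("reply", GATEWAY_IP, "00:ee:ee:ee:ee:ee", ZYWALL_IP, now=3.0)
    return not changed and table.lookup(GATEWAY_IP) == GATEWAY_A_MAC


if __name__ == "__main__":
    for policy in (ArpPolicy(), ArpPolicy(True, False), ArpPolicy(True, True)):
        print(policy, "->", backup_gateway_scenario(policy))
    print("spoofed reply ignored:", spoofed_reply_ignored())
```

    The model shows why the appendix presents ackGratuitous as a choice rather than a recommendation: the same gratuitous ARP that lets gateway B take over is indistinguishable from a LAN host claiming the gateway's address, so enable it only on a segment where every host is trusted, or pin the gateway with a static ARP entry and leave it off.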
  • Page 706: Figure 473 Managing The Bandwidth Of An Ipsec Sa

    Appendix I Command Interpreter Figure 473 Managing the Bandwidth of an IPSec SA with this command to set the ZyWALL to use the outer source and destination IP addresses of VPN packets in managing the bandwidth of the VPN traffic. These are the IP addresses of the ZyWALL and the remote IPSec router.
  • Page 707: Figure 475 Routing Command Example

    Appendix I Command Interpreter
    By default the ZyWALL uses a 128-bit AES encryption key for phase 2 IPSec tunnels. Use this command to edit an existing VPN rule to use a longer AES encryption key. See the following example. Say you have VPN rule 1 that uses AES for the phase 2 encryption and you want it to use 192-bit encryption.
  • Page 709: Appendix J Netbios Filter Commands

    Appendix J NetBIOS Filter Commands

    The following describes the NetBIOS packet filter commands. See Appendix I on page 701 for information on the command structure.

    Introduction
    NetBIOS (Network Basic Input/Output System) packets are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN. Forwarding them across the WAN exposes name-service and file-sharing traffic to the Internet, so keep the default (block) unless you have a specific reason to pass them.
  • Page 710: Table 272 Netbios Filter Default Settings

    Appendix J NetBIOS Filter Commands
    The filter types and their default settings are as follows.
    Table 272 NetBIOS Filter Default Settings
    NAME | DESCRIPTION | EXAMPLE
    Between LAN and WAN | This field displays whether NetBIOS packets are blocked or forwarded between the LAN and the WAN. | Block
    Between LAN and ... | This field displays whether NetBIOS packets are blocked or forwarded ... | Block...
  • Page 711: Appendix K Brute-Force Password Guessing Protection

    Appendix K Brute-Force Password Guessing Protection

    Brute-force password guessing protection allows you to specify a wait-time that must expire before entering a fourth password after three incorrect passwords have been entered. The following describes the commands for enabling, disabling and configuring the brute-force password guessing protection mechanism for the password.
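    The mechanism described above, as an added example (not ZyNOS code): a password check that refuses a fourth attempt until the wait-time has expired after three wrong passwords, with an injectable clock so the lockout can be exercised without sleeping. The assumption that the failure counter restarts once the wait-time has passed, the 60-second default, and the salt and password in the demonstration are mine, not values from the manual.

```python
"""Brute-force password guessing protection.

Added example (not ZyNOS code) of the rule Appendix K describes: after
three incorrect passwords, no further attempt is accepted until a
configurable wait-time has expired.  The clock is injectable so the
lockout can be tested without sleeping.  Assumptions: the failure counter
restarts once the wait-time has passed, and the salt and password used in
the demonstration are constructed, not device defaults.
"""
import hashlib
import hmac
import time

MAX_FAILURES = 3          # the appendix: wait after three incorrect passwords


class PasswordGuard:
    def __init__(self, password: str, wait_seconds: int = 60,
                 enabled: bool = True, clock=time.monotonic):
        self._salt = b"constructed-salt"   # use a random per-device salt in practice
        self._digest = self._hash(password)
        self.wait_seconds = wait_seconds
        self.enabled = enabled          # the appendix has commands to enable/disable the mechanism
        self.clock = clock
        self.failures = 0
        self.locked_until = None

    def _hash(self, password: str) -> bytes:
        """Slow, salted hash so a leaked digest is not itself guessable quickly."""
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), self._salt, 100_000)

    def seconds_remaining(self) -> float:
        """How long until the next attempt will be considered at all."""
        if self.locked_until is None:
            return 0.0
        return max(self.locked_until - self.clock(), 0.0)

    def attempt(self, password: str) -> str:
        """Return "ok", "denied" (wrong password) or "locked" (wait-time running)."""
        now = self.clock()
        if self.enabled and self.locked_until is not None:
            if now < self.locked_until:
                return "locked"         # refused before the password is even checked
            self.locked_until = None    # wait-time expired: a fourth attempt is allowed
            self.failures = 0           # assumption: the counter restarts after the wait
        if hmac.compare_digest(self._hash(password), self._digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.enabled and self.failures >= MAX_FAILURES:
            self.locked_until = now + self.wait_seconds
        return "denied"


class FakeClock:
    """Deterministic clock for tests and demonstrations."""
    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    guard = PasswordGuard("correct horse battery staple", wait_seconds=60, clock=clock)
    for pw in ("1234", "admin", "password", "correct horse battery staple"):
        print(pw, "->", guard.attempt(pw))      # three denials, then locked
    clock.advance(60)
    print("after wait ->", guard.attempt("correct horse battery staple"))
```

    Two details are worth carrying over to any real implementation: the lock is checked before the password so a locked-out attacker learns nothing from timing, and the compare is constant-time. A wait-time only slows an attacker who must go through the login interface; it does nothing for a password that is short enough to be guessed in a handful of tries, which is the case the manual's default password warning elsewhere is about.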
  • Page 713: Appendix L Legal Information

    Published by ZyXEL Communications Corporation. All rights reserved. Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others.
  • Page 714 Appendix L Legal Information If this device does cause harmful interference to radio/television reception, which can be determined by turning the device off and on, the user is encouraged to try to correct the interference by one or more of the following measures: 1 Reorient or relocate the receiving antenna.
  • Page 715: Zyxel Limited Warranty

    Any replacement will consist of a new or re-manufactured functionally equivalent product of equal or higher value, and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product has been modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions.
  • Page 717: Appendix M Customer Support

    • Telephone: +506-2017878 • Fax: +506-2015098 • Web Site: www.zyxel.co.cr • FTP Site: ftp.zyxel.co.cr • Regular Mail: ZyXEL Costa Rica, Plaza Roble Escazú, Etapa El Patio, Tercer Piso, San José, Costa Rica Czech Republic • E-mail: info@cz.zyxel.com • Telephone: +420-241-091-350 •...
  • Page 718 • E-mail: info@zyxel.fr • Telephone: +33-4-72-52-97-97 • Fax: +33-4-72-52-19-20 • Web Site: www.zyxel.fr • Regular Mail: ZyXEL France, 1 rue des Vergers, Bat. 1 / C, 69760 Limonest, France Germany • Support E-mail: support@zyxel.de • Sales E-mail: sales@zyxel.de • Telephone: +49-2405-6909-0 •...
  • Page 719 • Sales E-mail: sales@zyxel.com • Telephone: +1-800-255-4101, +1-714-632-0882 • Fax: +1-714-632-0858 • Web Site: www.us.zyxel.com • FTP Site: ftp.us.zyxel.com • Regular Mail: ZyXEL Communications Inc., 1130 N. Miller St., Anaheim, CA 92806- 2001, U.S.A. Norway • Support E-mail: support@zyxel.no • Sales E-mail: sales@zyxel.no •...
  • Page 720 Appendix M Customer Support • Web Site: www.zyxel.es • Regular Mail: ZyXEL Communications, Arte, 21 5ª planta, 28033 Madrid, Spain Sweden • Support E-mail: support@zyxel.se • Sales E-mail: sales@zyxel.se • Telephone: +46-31-744-7700 • Fax: +46-31-744-7701 • Web Site: www.zyxel.se • Regular Mail: ZyXEL Communications A/S, Sjöporten 4, 41764 Göteborg, Sweden Ukraine •...