Page 1 P-660HN-F1 802.11n Wireless ADSL2+ 4-port Gateway Default Login Details IP Address http://192.168.1.1 Admin 1234 Password User user Password Firmware Version 3.7 www.zyxel.com Edition 1, 10/2010 www.zyxel.com Copyright © 2010 ZyXEL Communications Corporation...
Page 3: About This User's Guide
Graphics in this book may differ slightly from the product due to differences in operating systems, operating system versions, or if you installed updated firmware/software for your device. Every effort has been made to ensure that the information in this manual is accurate. P-660HN-F1 User’s Guide...
Page 4: Document Conventions
Syntax Conventions • The P-660HN-F1 may be referred to as the “ZyXEL Device”, the “device”, the “system” or the “product” in this User’s Guide. • Product labels, screen names, field labels and field choices are all in bold font.
Page 5 Icons Used in Figures Figures in this User’s Guide may use the following generic icons. The ZyXEL Device icon is not an exact representation of your device. ZyXEL Device Computer Notebook computer Server Firewall Telephone Router Switch P-660HN-F1 User’s Guide...
Page 6: Safety Warnings
• Antenna Warning! This device meets ETSI and FCC certification requirements when ntenna(s). using the included antenna(s). Only use the included a • This device is for indoor use only (utilisation intérieure exclusivement). This product is recyclable. Dispose of it properly. P-660HN-F1 User’s Guide...
Page 7 Safety Warnings P-660HN-F1 User’s Guide...
Page 8 Safety Warnings P-660HN-F1 User’s Guide...
Page 9: Table Of Contents
Remote Management ......................245 Universal Plug-and-Play (UPnP) ..................... 257 Maintenance ......................... 269 System Settings ........................271 Logs ............................277 Tools ............................289 Diagnostic ..........................301 Troubleshooting and Specifications .................. 305 Product Specifications ......................307 Troubleshooting ........................315 P-660HN-F1 User’s Guide...
Page 10 Contents Overview Appendices and Index ......................319 P-660HN-F1 User’s Guide...
Page 11: Table Of Contents
2.1 Overview ..........................39 2.1.1 Accessing the Web Configurator ................39 2.2 Web Configurator Main Screen ................... 41 2.2.1 Title Bar ........................41 2.2.2 Navigation Panel ......................42 2.2.3 Main Window ......................44 2.2.4 Status Bar ........................44 P-660HN-F1 User’s Guide...
Page 12 5.3.2 Configuring More Connections Advanced Setup ............79 5.4 The WAN Backup Setup Screen ..................80 5.5 WAN Technical Reference ....................82 5.5.1 Encapsulation ......................82 5.5.2 Multiplexing ........................ 83 5.5.3 VPI and VCI ....................... 83 5.5.4 IP Address Assignment ....................84 P-660HN-F1 User’s Guide...
Page 13 7.2.1 No Security ....................... 108 7.2.2 WEP Encryption ....................... 109 7.2.3 WPA(2)-PSK ......................110 7.2.4 WPA(2) Authentication ....................111 7.2.5 Wireless LAN Advanced Setup .................113 7.2.6 MAC Filter ......................114 7.3 The More AP Screen ......................115 7.3.1 More AP Edit ......................116 P-660HN-F1 User’s Guide...
Page 14 8.6.5 NAT Mapping Types ....................146 Part IV: Security ................... 149 Chapter 9 Firewalls..........................151 9.1 Overview ..........................151 9.1.1 What You Can Do in the Firewall Screens ............... 151 9.1.2 What You Need to Know About Firewall ..............152 P-660HN-F1 User’s Guide...
Page 15 11.2.3 Editing Generic Filters .................... 181 11.2.4 Configuring Generic Packet Rules ................. 182 11.3 Packet Filter Technical Reference ................... 183 11.3.1 Filter Types and NAT ....................183 11.3.2 Firewall Versus Filters .................... 184 Chapter 12 Certificates ..........................187 12.1 Overview ......................... 187 P-660HN-F1 User’s Guide...
Page 16 14.1.3 802.1Q/1P Example ....................218 14.2 The 802.1Q/1P Group Setting Screen ................221 14.2.1 Editing 802.1Q/1P Group Setting ................223 14.3 The 802.1Q/1P Port Setting Screen ................224 Chapter 15 Quality of Service (QoS)....................... 227 15.1 Overview .......................... 227 P-660HN-F1 User’s Guide...
Page 17 Chapter 18 Universal Plug-and-Play (UPnP)..................257 18.1 Overview .......................... 257 18.1.1 What You Can Do in the UPnP Screen ..............257 18.1.2 What You Need to Know About UPnP ..............257 18.2 The UPnP Screen ......................258 P-660HN-F1 User’s Guide...
Page 18 21.4 The Restart Screen ......................299 Chapter 22 Diagnostic..........................301 22.1 Overview .......................... 301 22.1.1 What You Can Do in the Diagnostic Screens ............301 22.2 The General Diagnostic Screen ..................301 22.3 The DSL Line Diagnostic Screen ..................302 P-660HN-F1 User’s Guide...
Page 19 Appendix B Pop-up Windows, JavaScript and Java Permissions ........343 Appendix C IP Addresses and Subnetting ................351 Appendix D Wireless LANs ....................359 Appendix E Services ......................373 Appendix F Internal SPTGEN....................377 Appendix G Legal Information....................401 Appendix H Customer Support..................... 405 Index............................411 P-660HN-F1 User’s Guide...
Page 20 Table of Contents P-660HN-F1 User’s Guide...
Page 21: List Of Figures
Figure 35 Network > WAN > More Connections: Edit: Advanced Setup ..........79 Figure 36 Network > WAN > WAN Backup .................... 81 Figure 37 Example of Traffic Shaping ....................85 Figure 38 Traffic Redirect Example ......................87 P-660HN-F1 User’s Guide...
Page 22 Figure 77 How NAT Works ........................145 Figure 78 NAT Application With IP Alias ....................146 Figure 79 Default Firewall Action ......................151 Figure 80 Firewall Example: Rules ....................... 153 Figure 81 Edit Custom Port Example ....................153 P-660HN-F1 User’s Guide...
Page 23 Figure 120 Remote Host Certificates ....................210 Figure 121 Certificate Details ......................210 Figure 122 Example of Static Routing Topology ................... 213 Figure 123 Advanced > Static Route ....................214 Figure 124 Advanced > Static Route: Edit .................... 215 P-660HN-F1 User’s Guide...
Page 24 Figure 163 Internet Connection Status ....................265 Figure 164 Network Connections ......................266 Figure 165 Network Connections: My Network Places ................ 267 Figure 166 Network Connections: My Network Places: Properties: Example ........267 Figure 167 Maintenance > System > General ..................272 P-660HN-F1 User’s Guide...
Page 25 Figure 206 Windows Vista: Internet Protocol Version 4 (TCP/IPv4) Properties ........334 Figure 207 Macintosh OS 8/9: Apple Menu ..................335 Figure 208 Macintosh OS 8/9: TCP/IP ....................335 Figure 209 Macintosh OS X: Apple Menu .................... 336 Figure 210 Macintosh OS X: Network ....................337 P-660HN-F1 User’s Guide...
Page 26 Figure 240 Invalid Parameter Entered: Command Line Example ............378 Figure 241 Valid Parameter Entered: Command Line Example ............378 Figure 242 Internal SPTGEN FTP Download Example ................ 379 Figure 243 Internal SPTGEN FTP Upload Example ................379 P-660HN-F1 User’s Guide...
Page 27: List Of Tables
Table 35 Network > Wireless LAN > More AP ..................115 Table 36 Network > Wireless LAN > More AP: Edit ................116 Table 37 Network > Wireless LAN > WPS ....................117 Table 38 Network > Wireless LAN > WPS Station ................118 P-660HN-F1 User’s Guide...
Page 28 Table 78 Advanced > Static Route ....................... 214 Table 79 Advanced > Static Route: Edit ....................215 Table 80 Advanced > 802.1Q/1P > Group Setting ................222 Table 81 Advanced > 802.1Q/1P > Group Setting > Edit ..............223 P-660HN-F1 User’s Guide...
Page 29 Table 120 General Commands for GUI-based FTP Clients ..............294 Table 121 General Commands for GUI-based TFTP Clients .............. 295 Table 122 Maintenance > Tools > Firmware ..................296 Table 123 Restore Configuration ......................298 Table 124 Maintenance > Diagnostic > General .................. 302 P-660HN-F1 User’s Guide...
Page 30 Table 153 Menu 21.1 Filter Set #1 ....................... 391 Table 154 Menu 21.1 Filer Set #2 ......................394 Table 155 Menu 23 System Menus ..................... 398 Table 156 Menu 24.11 Remote Management Control ................. 399 Table 157 Command Examples ......................399 P-660HN-F1 User’s Guide...
Page 31: Introduction
Introduction Introducing the ZyXEL Device (33) Introducing the Web Configurator (39) Status Screens (45)
Page 33: Introducing The Zyxel Device
• “N” denotes 802.11n draft 2.0. The “N” models support 802.11n wireless connection mode. • Models ending in “1”, for example P-660HN-F1, denote a device that works over the analog telephone system, POTS (Plain Old Telephone Service). Models ending in “3”...
Page 34: Good Habits For Managing The Zyxel Device
1.4.1 Internet Access Your ZyXEL Device provides shared Internet access by connecting the DSL port to the DSL or MODEM jack on a splitter or your telephone jack. Computers can connect to the ZyXEL Device’s LAN ports (or wirelessly). P-660HN-F1 User’s Guide...
Page 35: Leds (Lights)
The ZyXEL Device is receiving power and ready for use. Blinking The ZyXEL Device is self-testing. The ZyXEL Device detected an error while self-testing, or there is a device malfunction. The ZyXEL Device is not receiving power. P-660HN-F1 User’s Guide...
Page 36: The Reset Button
You can use the WPS WLAN ON/OFF button ( ) on the top of the device to turn the wireless LAN off or on. You can also use it to activate WPS in order to quickly set up a wireless network with strong security. P-660HN-F1 User’s Guide...
Page 37: Turn The Wireless Lan Off Or On
WLAN/WPS LED should flash while the ZyXEL Device sets up a WPS connection with the wireless device. You must activate WPS in the ZyXEL Device and in another wireless device within two minutes of each other. See Section 7.9.8 on page 128 for more information. P-660HN-F1 User’s Guide...
Page 38 Chapter 1 Introducing the ZyXEL Device P-660HN-F1 User’s Guide...
Page 39: Introducing The Web Configurator
ZyXEL Device, type the admin password (1234 by default) in the password screen and click Login. Click Cancel to revert to the default user password in the password field. If you have changed the password, enter your password and click Login. P-660HN-F1 User’s Guide...
Page 40: Figure 3 Password Screen
Click Apply to create a specific certificate for the device using your computer’s MAC address. For security reasons, the ZyXEL Device automatically logs you out if you do not use the web configurator for five minutes (default). If this happens, log in again. P-660HN-F1 User’s Guide...
Page 41: Web Configurator Main Screen
As illustrated above, the main screen is divided into these parts: • A - title bar • B - navigation panel • C - main window • D - status bar 2.2.1 Title Bar The title bar provides some icons in the upper right corner. P-660HN-F1 User’s Guide...
Page 42: Navigation Panel
Use this screen to configure the dates/times to enable or disable the wireless LAN. General Use this screen to enable NAT. Port Forwarding Use this screen to make your local servers visible to the outside world. Use this screen to enable or disable SIP ALG. Security P-660HN-F1 User’s Guide...
Page 43 Use this screen to configure through which interface(s) and from which IP address(es) users can send DNS queries to the ZyXEL Device. ICMP Use this screen to set whether or not your device will respond to pings and probes for services that you have not made available. P-660HN-F1 User’s Guide...
Page 44: Main Window
Right after you log in, the Status screen is displayed. See Chapter 3 on page 45 for more information about the Status screen. 2.2.4 Status Bar Check the status bar when you click Apply or OK to verify that the configuration has been updated. P-660HN-F1 User’s Guide...
Page 45: Status Screens
Figure 7 Status Screen Each field is described in the following table. Table 4 Status Screen LABEL DESCRIPTION Refresh Interval Enter how often you want the ZyXEL Device to update this screen. Apply Click this to update this screen immediately. P-660HN-F1 User’s Guide...
Page 46 This displays the type of security mode the ZyXEL Device is using in the wireless LAN. This displays whether WPS is activated. Click this to go to the screen where you can configure the settings. Status This displays whether WLAN is activated. Security P-660HN-F1 User’s Guide...
Page 47 Click this link to display the MAC address(es) of the wireless stations that are currently associating with the ZyXEL Device. See Section 3.4 on page Packet Click this link to view port status and packet specific statistics. See Section 3.5 on Statistics page P-660HN-F1 User’s Guide...
Page 48: Client List
3.5 Packet Statistics Read-only information here includes port status and packet specific statistics. Also provided are "system up time" and "poll interval(s)". The Poll Interval(s) field is configurable. Click Status > Packet Statistics to access this screen. P-660HN-F1 User’s Guide...
Page 49: Figure 9 Packet Statistics
This field displays the number of packets received on this port. Errors This field displays the number of error packets on this port. Tx B/s This field displays the number of bytes transmitted in the last second. P-660HN-F1 User’s Guide...
Page 50: Any Ip Table
ZyXEL Device. MAC Address This field displays the MAC address of the computer that is using the ZyXEL Device but is in a different subnet than the ZyXEL Device. Refresh Click this to update this screen. P-660HN-F1 User’s Guide...
Page 51: Wizard
Wizard Internet and Wireless Setup Wizard (53)
Page 53: Internet And Wireless Setup Wizard
Apply. Otherwise, click the wizard icon ( ) in the top right corner of the web configurator to go to the wizards. Figure 11 Select a Mode 2 Click INTERNET/WIRELESS SETUP to configure the system for Internet access and wireless connection. P-660HN-F1 User’s Guide...
Page 54: Figure 12 Wizard Welcome
3b The following screen displays if a PPPoE or PPPoA connection is detected. Enter your Internet account information (username, password and/or service name) exactly as provided by your ISP. Then click Next and see Section 4.3 on page 60 wireless connection wizard setup. P-660HN-F1 User’s Guide...
Page 55: Manual Configuration
1 If the ZyXEL Device fails to detect your DSL connection type but the physical line is connected, enter your Internet access information in the wizard screen exactly as your service provider gave it to you. Leave the defaults in any fields for which you were not given information. P-660HN-F1 User’s Guide...
Page 56: Figure 16 Internet Access Wizard Setup: Isp Parameters
Click this to return to the previous screen without saving. Next Click this to continue to the next wizard screen. The next wizard screen you see depends on what protocol you chose above. Exit Click this to close the wizard screen without saving. P-660HN-F1 User’s Guide...
Page 57: Figure 17 Internet Connection With Pppoe
Type the name of your PPPoE service here. Back Click this to return to the previous screen without saving. Apply Click this to save your changes. Exit Click this to close the wizard screen without saving. Figure 18 Internet Connection with RFC 1483 P-660HN-F1 User’s Guide...
Page 58: Figure 19 Internet Connection With Enet Encap
Enter the IP addresses of the DNS servers. The DNS servers are passed to the DHCP Server clients along with the IP address and the subnet mask. Second DNS As above. Server Back Click this to return to the previous screen without saving. P-660HN-F1 User’s Guide...
Page 59: Figure 20 Internet Connection With Pppoa
• If the user name and/or password you entered for PPPoE or PPPoA connection are not correct, the screen displays as shown next. Click Back to Username and Password setup to go back to the screen where you can modify them. P-660HN-F1 User’s Guide...
Page 60: Wireless Connection Wizard Setup
4.3 Wireless Connection Wizard Setup After you configure the Internet access information, use the following screens to set up your wireless LAN. 1 Select Yes and click Next to configure wireless settings. Otherwise, select No and skip to Step 6. P-660HN-F1 User’s Guide...
Page 61: Figure 23 Connection Test Successful
Click this to return to the previous screen without saving. Next Click this to continue to the next wizard screen. Exit Click this to close the wizard screen without saving. 3 Configure your wireless settings in this screen. Click Next. P-660HN-F1 User’s Guide...
Page 62: Figure 25 Wireless Lan
WEP encryption key (if WEP is enabled), WPA-PSK (if WPA-PSK is enabled) for wireless communication. 4 This screen varies depending on the security mode you selected in the previous screen. Fill in the field (if available) and click Next. P-660HN-F1 User’s Guide...
Page 63: Manually Assign A Wpa-Psk Key
Click this to continue to the next wizard screen. Exit Click this to close the wizard screen without saving. 4.3.2 Manually Assign a WEP Key Choose Manually assign a WEP key to setup WEP Encryption parameters. Figure 27 Manually Assign a WEP key P-660HN-F1 User’s Guide...
Page 64: Figure 28 Wireless Lan Setup 3
6 Use the read-only summary table to check whether what you have configured is correct. Click Finish to complete and save the wizard setup. No wireless LAN settings display if you chose not to configure wireless LAN settings. P-660HN-F1 User’s Guide...
Page 65: Figure 29 Internet Access And Wlan Wizard Setup Complete
Refer to the rest of this guide for more detailed information on the complete range of ZyXEL Device features. If you cannot access the Internet, open the web configurator again to confirm that the Internet settings you configured in the wizard setup are correct. P-660HN-F1 User’s Guide...
Page 66 Chapter 4 Internet and Wireless Setup Wizard P-660HN-F1 User’s Guide...
Page 67: Network
Network WAN Setup (69) LAN Setup (89) Wireless LAN (105) Network Address Translation (NAT) (135)
Page 69: Wan Setup
To set up a WAN connection to the Internet, you need to use the same encapsulation method used by your ISP (Internet Service Provider). If your ISP offers a dial-up Internet connection using PPPoE (PPP over Ethernet) or PPPoA, they should also provide a username and password (and service name) for user authentication. P-660HN-F1 User’s Guide...
Page 70: Before You Begin
Get this information from your ISP. 5.2 The Internet Access Setup Screen Use this screen to change your ZyXEL Device’s WAN settings. Click Network > WAN > Internet Access Setup. The screen differs by the WAN type and encapsulation you select. P-660HN-F1 User’s Guide...
Page 71: Figure 31 Network > Wan >Internet Access Setup (Pppoe)
Use Multi Mode if you are not sure which mode to choose from. The ZyXEL Device dynamically diagnoses the mode supported by the ISP and selects the best compatible one for your connection. Other options are ADSL G.dmt, ADSL2, ADSL2+, ADSL2 AnnexM, ADSL2+ AnnexM, READSL2 Mode and ANSI T1.413. General P-660HN-F1 User’s Guide...
Page 72 DNS server on your LAN, or else the computers must have their DNS server addresses manually configured. If you do not configure a DNS server, you must know the IP address of a computer in order to access it. Connection (PPPoA and PPPoE encapsulation only) P-660HN-F1 User’s Guide...
Page 73: Advanced Internet Access Setup
Use this screen to edit your ZyXEL Device's advanced WAN settings. Click the Advanced Setup button in the Internet Access Setup screen. The screen appears as shown. Figure 32 Network > WAN > Internet Access Setup: Advanced Setup P-660HN-F1 User’s Guide...
Page 74: Table 18 Network > Wan > Internet Access Setup: Advanced Setup
Enter the MTU in this field. For ENET ENCAP, the MTU value is 1500. For PPPoE, the MTU value is 1492. For PPPoA and RFC 1483, the MTU is 65535. Packet Filter Incoming Filter Sets P-660HN-F1 User’s Guide...
Page 75: The More Connections Screen
Connections. The screen differs by the encapsulation you select. When you use the WAN > Internet Access Setup screen to set up Internet access, you are configuring the first WAN connection. Figure 33 Network > WAN > More Connections P-660HN-F1 User’s Guide...
Page 76: More Connections Edit
Click this to save your changes. Cancel Click this to restore your previously saved settings. 5.3.1 More Connections Edit Use this screen to configure a connection. Click the edit icon in the More Connections screen to display the following screen. P-660HN-F1 User’s Guide...
Page 77: Figure 34 Network > Wan > More Connections: Edit
Choices vary depending on the mode you select in the Mode field. If you select Bridge in the Mode field, select either PPPoA or RFC 1483. If you select Routing in the Mode field, select PPPoA, RFC 1483, ENET ENCAP or PPPoE. P-660HN-F1 User’s Guide...
Page 78 Select SUA Only if you have one public IP address and want to use NAT. Click Edit Detail to go to the Port Forwarding screen to edit a server mapping set. Otherwise, select None to disable NAT. Back Click this to return to the previous screen without saving. P-660HN-F1 User’s Guide...
Page 79: Configuring More Connections Advanced Setup
Select the RIP version from RIP-1, RIP-2B and RIP-2M. Multicast IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a multicast group. The ZyXEL Device supports IGMP-v1, IGMP-v2 and IGMP-v3. Select None to disable it. ATM QoS P-660HN-F1 User’s Guide...
Page 80: The Wan Backup Setup Screen
Click this to save your changes. Cancel Click this to restore your previously saved settings. 5.4 The WAN Backup Setup Screen Use this screen to configure your ZyXEL Device’s WAN backup. Click Network > WAN > WAN Backup Setup. P-660HN-F1 User’s Guide...
Page 81: Figure 36 Network > Wan > Wan Backup
The WAN connection is considered "down" after the ZyXEL Device times out the number of times specified in the Fail Tolerance field. Use a higher value in this field if your network is busy or congested. P-660HN-F1 User’s Guide...
Page 82: Wan Technical Reference
(DSL, cable, wireless, etc.) connection. The PPPoE option is for a dial-up connection using PPPoE. For the service provider, PPPoE offers an access and authentication method that works with existing access control systems (for example RADIUS). P-660HN-F1 User’s Guide...
Page 83: Multiplexing
The valid range for the VPI is 0 to 255 and for the VCI is 32 to 65535 (0 to 31 is reserved for local management of ATM traffic). Please see the appendix for more information. P-660HN-F1 User’s Guide...
Page 84: Ip Address Assignment
"1" for directly connected networks. The number must be between "1" and "15"; a number greater than "15" means the link is down. The smaller the number, the lower the "cost". P-660HN-F1 User’s Guide...
Page 85: Traffic Shaping
If the PCR, SCR or MBS is set to the default of "0", the system will assign a maximum value that correlates to your upstream line rate. The following figure illustrates the relationship between PCR, SCR and MBS. Figure 37 Example of Traffic Shaping P-660HN-F1 User’s Guide...
Page 86: Atm Traffic Classes
An example application is background file transfer. 5.8 Traffic Redirect Traffic redirect forwards traffic to a backup gateway when the ZyXEL Device cannot connect to the Internet. An example is shown in the figure below. P-660HN-F1 User’s Guide...
Page 87: Figure 38 Traffic Redirect Example
(Subnet 2). Configure filters that allow packets from the protected LAN (Subnet 1) to the backup gateway (Subnet 2). Figure 39 Traffic Redirect LAN Setup Subnet 1 192.168.1.0 - 192.168.1.24 Backup Gateway Subnet 2 192.168.2.0 - 192.168.2.24 P-660HN-F1 User’s Guide...
Page 88 Chapter 5 WAN Setup P-660HN-F1 User’s Guide...
Page 89: Lan Setup
6.1.2 What You Need To Know About LAN IP Address IP addresses identify individual devices on a network. Every networking device (including computers, servers, routers, printers, etc.) needs an IP address to communicate across the network. These networking devices are also known as hosts. P-660HN-F1 User’s Guide...
Page 90: Before You Begin
Follow these steps to configure your LAN settings. 1 Enter an IP address into the IP Address field. The IP address must be in dotted decimal notation. This will become the IP address of your ZyXEL Device. P-660HN-F1 User’s Guide...
Page 91: The Advanced Lan Ip Setup Screen
6.2.1 The Advanced LAN IP Setup Screen Use this screen to edit your ZyXEL Device's RIP, multicast, Any IP and Windows Networking settings. Click the Advanced Setup button in the LAN IP screen. The screen appears as shown. P-660HN-F1 User’s Guide...
Page 92: Figure 41 Network > Lan > Ip: Advanced Setup
PPPoE or PPTP, NetBIOS packets cause unwanted calls. However it may sometimes be necessary to allow NetBIOS packets to pass through to the WAN in order to find a computer on the WAN. P-660HN-F1 User’s Guide...
Page 93: The Dhcp Setup Screen
Click this to restore your previously saved settings. 6.3 The DHCP Setup Screen Use this screen to configure the DNS server information that the ZyXEL Device sends to the DHCP client devices on the LAN. Click Network > DHCP Setup to open this screen. P-660HN-F1 User’s Guide...
Page 94: Figure 42 Network > Lan > Dhcp Setup
If Relay is selected in the DHCP field above then enter the IP address of the Server actual remote DHCP server here. DNS Server DNS Servers The ZyXEL Device passes a DNS (Domain Name System) server IP address to Assigned by DHCP the DHCP clients. Server P-660HN-F1 User’s Guide...
Page 95: The Client List Screen
00:A0:C5:00:00:02. Use this screen to change your ZyXEL Device’s static DHCP settings. Click Network > LAN > Client List to open the following screen. Figure 43 Network > LAN > Client List P-660HN-F1 User’s Guide...
Page 96: The Ip Alias Screen
When you use IP alias, you can also configure firewall rules to control access between the LAN's logical networks (subnets). Make sure that the subnets of the logical networks do not overlap. The following figure shows a LAN divided into subnets A, B, and C. P-660HN-F1 User’s Guide...
Page 97: Configuring The Lan Ip Alias Screen
Alternatively, click the right mouse button to copy and/or paste the IP address. IP Subnet Mask Your ZyXEL Device will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use the subnet mask computed by the ZyXEL Device. P-660HN-F1 User’s Guide...
Page 98: Lan Technical Reference
The actual physical connection determines whether the ZyXEL Device ports are LAN or WAN ports. There are two separate IP networks, one inside the LAN network and the other outside the WAN network as shown next. Figure 46 LAN and WAN IP Addresses P-660HN-F1 User’s Guide...
Page 99: Dhcp Setup
DHCP client capability. IP Address and Subnet Mask Similar to the way houses on a street share a common street name, so too do computers on a LAN share one common network number. P-660HN-F1 User’s Guide...
Page 100 Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, “Address Allocation for Private Internets” and RFC 1466, “Guidelines for Management of IP Address Space”. P-660HN-F1 User’s Guide...
Page 101: Rip Setup
After that, the ZyXEL Device periodically updates this information. IP multicasting can be enabled/disabled on the ZyXEL Device LAN and/or WAN interfaces in the web configurator (LAN; WAN). Select None to disable IP multicasting on these interfaces. P-660HN-F1 User’s Guide...
Page 102: Any Ip
Media Access Control or MAC address, on the local area network. IP routing table is defined on IP Ethernet devices (the ZyXEL Device) to decide which hop to use, to help forward data along to its specified destination. P-660HN-F1 User’s Guide...
Page 103 IP routing table so it can properly forward packets intended for the computer. After all the routing information is updated, the computer can access the ZyXEL Device and the Internet as if it is in the same subnet as the ZyXEL Device. P-660HN-F1 User’s Guide...
Page 104 Chapter 6 LAN Setup P-660HN-F1 User’s Guide...
Page 105: Wireless Lan
You don’t necessarily need to use all these screens to set up your wireless connection. For example, you may just want to set up a network name, a wireless radio channel and security in the AP screen. P-660HN-F1 User’s Guide...
Page 106: What You Need To Know About Wireless
• What advanced options do you want to configure, if any? If you want to configure advanced options such as Quality of Service, ensure that you know precisely what you want to do. If you do not want to configure advanced options, leave them as they are. P-660HN-F1 User’s Guide...
Page 107: The Ap Screen
20 MHz channel offers transfer speeds of up to 150Mbps whereas a 40MHz channel uses two standard channels and offers speeds of up to 300 Mbps. Because not all devices support 40 MHz channels, select Auto 20/40MHz to allow the ZyXEL Device to adjust the channel bandwidth automatically. P-660HN-F1 User’s Guide...
Page 108: No Security
WLAN setup. 7.2.1 No Security In the Network > Wireless LAN > AP screen, select No Security from the Security Mode list to allow wireless devices to communicate with the ZyXEL Device without any data encryption or authentication. P-660HN-F1 User’s Guide...
Page 109: Wep Encryption
WPA2-PSK if all your wireless devices support it, or use WPA or WPA2 if your wireless devices support it and you have a RADIUS server. If your wireless devices support nothing stronger than WEP, use the highest encryption level available. P-660HN-F1 User’s Guide...
Page 110: Wpa(2)-Psk
10 or 26 hexadecimal characters ("0-9", "A-F") for a 64-bit or 128-bit WEP key respectively. 7.2.3 WPA(2)-PSK Use this screen to configure and enable WPA(2)-PSK authentication. Click Network > Wireless LAN to display the AP screen. Select WPA-PSK, WPA2-PSK or WPAPSKMixed from the Security Mode list. P-660HN-F1 User’s Guide...
Page 111: Wpa(2) Authentication
7.2.4 WPA(2) Authentication Use this screen to configure and enable WPA or WPA2 authentication. Click the Wireless LAN link under Network to display the AP screen. Select WPA, WPA2 or WPAMixed from the Security Mode list. P-660HN-F1 User’s Guide...
Page 112: Figure 52 Network > Wireless Lan > Ap: Wpa(2)
The ZyXEL Device automatically disconnects a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the username and password again before access to the wired network is allowed. The default time interval is 3600 seconds (or 1 hour). P-660HN-F1 User’s Guide...
Page 113: Wireless Lan Advanced Setup
Use this screen to configure advanced wireless settings. Click the Advanced Setup button in the AP screen. The screen appears as shown. Section 7.9.2 on page 123 for detailed definitions of the terms listed in this screen. Figure 53 Network > Wireless LAN > AP: Advanced Setup P-660HN-F1 User’s Guide...
Page 114: Mac Filter
7.2.6 MAC Filter Use this screen to change your ZyXEL Device’s MAC filter settings. Click the Edit button in the AP screen. The screen appears as shown. Figure 54 Network > Wireless LAN > AP: MAC Address Filter P-660HN-F1 User’s Guide...
Page 115: The More Ap Screen
The following table describes the labels in this screen. Table 35 Network > Wireless LAN > More AP LABEL DESCRIPTION This is the index number of each SSID profile. Active Select the check box to activate an SSID profile. P-660HN-F1 User’s Guide...
Page 116: More Ap Edit
Security Mode Section 7.2 on page 107 for more details about this field. MAC Filter This shows whether the wireless devices with the MAC addresses listed are allowed or denied to access the ZyXEL Device using this SSID. P-660HN-F1 User’s Guide...
Page 117: The Wps Screen
This displays Unconfigured if WPS is disabled and there is no wireless or wireless security changes on the ZyXEL Device or you click Release_Configuration to remove the configured wireless and wireless security settings. P-660HN-F1 User’s Guide...
Page 118: The Wps Station Screen
You can find the PIN either on the outside of the device, or by checking the device’s settings. Note: You must also activate WPS on that device within two minutes to have it present its PIN to the ZyXEL Device. P-660HN-F1 User’s Guide...
Page 119: The Wds Screen
At the time of writing, WDS is compatible with other ZyXEL APs only. Not all models support WDS links. Check your other AP’s documentation. Click Network > Wireless LAN > WDS. The following screen displays. Figure 59 Network > Wireless LAN > WDS P-660HN-F1 User’s Guide...
Page 120: The Qos Screen
IEEE 802.1Q or DSCP information in their headers. If a packet has no WMM information in its header, it is assigned the default priority. Apply Click this to save your changes. Cancel Click this to restore your previously saved settings. P-660HN-F1 User’s Guide...
Page 121: The Scheduling Screen
This section discusses wireless LANs in depth. For more information, see the appendix. 7.9.1 Wireless Network Overview Wireless networks consist of wireless clients, access points and bridges. • A wireless client is a radio connected to a user’s computer. P-660HN-F1 User’s Guide...
Page 122: Figure 62 Example Of A Wireless Network
• Every device in the same wireless network must use security compatible with the AP. Security stops unauthorized devices from using the wireless network. It can also protect the information that is sent in the wireless network. P-660HN-F1 User’s Guide...
Page 123: Additional Wireless Terms
It checks IGMP packets passing through it, picks out the group registration information, and configures multicasting accordingly. IGMP snooping allows the ZyXEL Device to learn multicast groups without you having to manually configure them. P-660HN-F1 User’s Guide...
Page 124: Wireless Security Overview
MAC address. A MAC address is usually written using twelve hexadecimal characters ; for example, 00A0C5000002 or 00:A0:C5:00:00:02. To get the MAC address for each device in the wireless network, see the device’s User’s Guide or other documentation. P-660HN-F1 User’s Guide...
Page 125: Table 43 Types Of Encryption For Each Type Of Authentication
Some wireless devices, such as scanners, can detect wireless networks but cannot use wireless networks. These kinds of wireless devices might not have MAC addresses. Hexadecimal characters are 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, and F. P-660HN-F1 User’s Guide...
Page 126: Signal Problems
A and B can access the wired network and communicate with each other. When Intra-BSS traffic blocking is enabled, wireless station A and B can still access the wired network but cannot communicate with each other. P-660HN-F1 User’s Guide...
Page 127: Mbssid
Once the security settings of peer sides match one another, the connection between devices is made. At the time of writing, WDS security is compatible with other ZyXEL access points only. Refer to your other access point’s documentation for details. P-660HN-F1 User’s Guide...
Page 128: Wifi Protected Setup (Wps)
(SSID) and security key through an secure connection to the enrollee. If you need to make sure that WPS worked, check the list of associated wireless clients in the AP’s configuration utility. If you see the wireless client in the list, WPS was successful. P-660HN-F1 User’s Guide...
Page 129 If you cannot connect, check the list of associated wireless clients in the AP’s configuration utility. If you see the wireless client in the list, WPS was successful. The following figure shows a WPS-enabled wireless client (installed in a notebook computer) connecting to the WPS-enabled AP via the PIN method. P-660HN-F1 User’s Guide...
Page 130: Figure 65 Example Wps Process: Pin Method
If not, it generates the SSID and WPA(2)-PSK randomly. The following figure shows a WPS-enabled client (installed in a notebook computer) connecting to a WPS-enabled access point. P-660HN-F1 User’s Guide...
Page 131: Figure 66 How Wps Works
When WPS is activated on both, they perform the handshake. In this example, AP1 is the registrar, and Client 1 is the enrollee. The registrar randomly generates the security information to set up the network, since it is unconfigured and has no existing information. P-660HN-F1 User’s Guide...
Page 132: Figure 67 Wps: Example Network Step 1
In step 3, you add another access point (AP2) to your network. AP2 is out of range of AP1, so you cannot use AP1 for the WPS handshake with the new access point. However, you know that Client 2 supports the registrar function, so you use it to perform the WPS handshake instead. P-660HN-F1 User’s Guide...
Page 133: Figure 69 Wps: Example Network Step 3
WPS-enabled device could join the network. This is because the registrar has no way of identifying the “correct” enrollee, and cannot differentiate between your enrollee and a rogue device. This is a possible way for a hacker to gain access to a network. P-660HN-F1 User’s Guide...
Page 134 Check the MAC addresses of your wireless clients (usually printed on a label on the bottom of the device). If there is an unknown MAC address you can remove it or reset the AP. P-660HN-F1 User’s Guide...
Page 135: Network Address Translation (Nat)
IP address of a host when the packet is in the local network, while the global address refers to the IP address of the host when the same packet is traveling in the WAN side. P-660HN-F1 User’s Guide...
Page 136: The Nat General Setup Screen
Use this screen to activate NAT. Click Network > NAT to open the following screen. You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the ZyXEL Device. Figure 70 Network > NAT > General P-660HN-F1 User’s Guide...
Page 137: The Port Forwarding Screen
You can allocate a server IP address that corresponds to a port or a range of ports. The most often used port numbers and services are shown in Appendix E on page 373. Please refer to RFC 1700 for further information about port numbers. P-660HN-F1 User’s Guide...
Page 138: Configuring The Port Forwarding Screen
IP Address assigned by ISP C=192.168.1.35 D=192.168.1.36 8.3.1 Configuring the Port Forwarding Screen Click Network > NAT > Port Forwarding to open the following screen. Appendix E on page 373 for port numbers commonly used for particular services. P-660HN-F1 User’s Guide...
Page 139: The Port Forwarding Rule Edit Screen
Click this to restore your previously saved settings. 8.3.2 The Port Forwarding Rule Edit Screen Use this screen to edit a port forwarding rule. Click the rule’s edit icon in the Port Forwarding screen to display the screen shown next. P-660HN-F1 User’s Guide...
Page 140: The Address Mapping Screen
When a rule matches the current packet, the ZyXEL Device takes the corresponding action and the remaining rules are ignored. If there are any empty rules before your new configured rule, your configured rule will be pushed up by that number of empty P-660HN-F1 User’s Guide...
Page 141: Figure 74 Network > Nat > Address Mapping
Click the edit icon to go to the screen where you can edit the address mapping rule. Click the delete icon to delete an existing address mapping rule. Note that subsequent address mapping rules move up by one when you take this action. P-660HN-F1 User’s Guide...
Page 142: The Address Mapping Rule Edit Screen
Click this link to go to the Port Forwarding screen to edit a port forwarding set that you have selected in the Server Mapping Set field. Back Click this to return to the previous screen without saving. P-660HN-F1 User’s Guide...
Page 143: The Sip Alg Screen
IP address of a host when the packet is in the local network, while the global address refers to the IP address of the host when the same packet is traveling in the WAN side. P-660HN-F1 User’s Guide...
Page 144: What Nat Does
Many-to-One and Many-to-Many Overload NAT mapping) in each packet and then forwards it to the Internet. The ZyXEL Device keeps track of the original addresses and port numbers so incoming reply packets can have their original values restored. The following figure illustrates this. P-660HN-F1 User’s Guide...
Page 145: Nat Application
Address (ILA) Address (IGA) 192.168.1.11 192.168.1.10 8.6.4 NAT Application The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP alias) behind the ZyXEL Device can communicate with three distinct WAN networks. P-660HN-F1 User’s Guide...
Page 146: Nat Mapping Types
• Many-to-Many No Overload: In Many-to-Many No Overload mode, the ZyXEL Device maps each local IP address to a unique global IP address. • Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world. P-660HN-F1 User’s Guide...
Page 147: Table 51 Nat Mapping Types
ILA2 IGA1 … Many-to-Many Overload ILA1 IGA1 ILA2 IGA2 ILA3 IGA1 ILA4 IGA2 … Many-to-Many No Overload ILA1 IGA1 ILA2 IGA2 ILA3 IGA3 … Server Server 1 IP IGA1 Server 2 IP IGA1 Server 3 IP IGA1 P-660HN-F1 User’s Guide...
Page 148 Chapter 8 Network Address Translation (NAT) P-660HN-F1 User’s Guide...
Page 149: Security
Security Firewalls (151) Content Filtering (171) Packet Filter (177) Certificates (187)
Page 151: Firewalls
• Use the Threshold screen (Section 9.4 on page 163) to set the thresholds that the ZyXEL Device uses to determine when to start dropping sessions that do not become fully established (half-open sessions). P-660HN-F1 User’s Guide...
Page 152: What You Need To Know About Firewall
9.1.3 Firewall Rule Setup Example The following Internet firewall rule example allows a hypothetical “MyService” connection from the Internet. 1 Click Security > Firewall > Rules. 2 Select WAN to LAN in the Packet Direction field. P-660HN-F1 User’s Guide...
Page 153: Figure 80 Firewall Example: Rules
Apply. Figure 81 Edit Custom Port Example 7 Select Any in the Destination Address List box and then click Delete. 8 Configure the destination address screen as follows and click Add. P-660HN-F1 User’s Guide...
Page 154: Figure 82 Firewall Example: Edit Rule: Destination Address
9 Use the Add >> and Remove buttons between Available Services and Selected Services list boxes to configure it as follows. Click Apply when you are done. Custom services show up with an “*” before their names in the Services list box and the Rules list box. P-660HN-F1 User’s Guide...
Page 155: Figure 83 Firewall Example: Edit Rule: Select Customized Services
Figure 83 Firewall Example: Edit Rule: Select Customized Services On completing the configuration procedure for this Internet firewall rule, the Rules screen should look like the following. Rule 1 allows a “MyService” connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN. P-660HN-F1 User’s Guide...
Page 156: The Firewall General Screen
Chapter 9 Firewalls Figure 84 Firewall Example: Rules: MyService 9.2 The Firewall General Screen Use this screen to configure the firewall settings. Click Security > Firewall to display the following screen. Figure 85 Security > Firewall > General P-660HN-F1 User’s Guide...
Page 157: The Firewall Rule Screen
Click this to restore your previously saved settings. 9.3 The Firewall Rule Screen The ordering of your rules is very important as rules are applied in turn. Refer to Section 9.5 on page 166 for more information. P-660HN-F1 User’s Guide...
Page 158: Figure 86 Security > Firewall > Rules
(Reject) or allows the passage of packets (Permit). Schedule This field tells you whether a schedule is specified (Yes) or not (No). This field shows you whether a log is created when packets match this rule (Yes) or not (No). P-660HN-F1 User’s Guide...
Page 159: Configuring Firewall Rules
Use this screen to configure firewall rules. In the Rules screen, select an index number and click Add or click a rule’s Edit icon to display this screen and refer to the following table for information on the labels. P-660HN-F1 User’s Guide...
Page 160: Figure 87 Security > Firewall > Rules: Edit
Figure 87 Security > Firewall > Rules: Edit The following table describes the labels in this screen. Table 54 Security > Firewall > Rules: Edit LABEL DESCRIPTION Edit Rule Active Select this option to enable this firewall rule. P-660HN-F1 User’s Guide...
Page 161 Select the check box to have the ZyXEL Device generate an alert when the rule Message to is matched. Administrator When Matched Back Click this to return to the previous screen without saving. Apply Click this to save your changes. Cancel Click this to restore your previously saved settings. P-660HN-F1 User’s Guide...
Page 162: Customized Services
Click this to return to the Firewall Edit Rule screen. 9.3.3 Configuring a Customized Service Use this screen to add a customized rule or edit an existing rule. Click a rule number in the Firewall Customized Services screen to display the following screen. P-660HN-F1 User’s Guide...
Page 163: The Firewall Threshold Screen
SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment). After this handshake, a connection is established. P-660HN-F1 User’s Guide...
Page 164: Threshold Values
9.4.2 Configuring Firewall Thresholds The ZyXEL Device also sends alerts whenever TCP Maximum Incomplete is exceeded. The global values specified for the threshold and timeout apply to all TCP connections. Click Firewall > Threshold to bring up the next screen. P-660HN-F1 User’s Guide...
Page 165: Figure 91 Security > Firewall > Threshold
For example, if you set the maximum incomplete high to 100, the ZyXEL Device starts deleting half-open sessions when the number of existing half-open sessions rises above 100. It stops deleting half-open sessions when the number of existing half-open sessions drops below the number set as the maximum incomplete low. P-660HN-F1 User’s Guide...
Page 166: Firewall Technical Reference
By default, the ZyXEL Device’s stateful packet inspection allows packets traveling in the following directions: • LAN to LAN/ Router These rules specify which computers on the LAN can manage the ZyXEL Device (remote management) and communicate between networks or subnets connected to the LAN interface (IP alias). P-660HN-F1 User’s Guide...
Page 167 These custom rules work by comparing the source IP address, destination IP address and IP protocol type of network traffic to rules set by the administrator. Your customized rules take precedence and override the ZyXEL Device’s default rules. P-660HN-F1 User’s Guide...
Page 168: Guidelines For Enhancing Security With Your Firewall
When the firewall is on, your ZyXEL Device acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the ZyXEL Device to protect your LAN against attacks. P-660HN-F1 User’s Guide...
Page 169: Figure 92 Ideal Firewall Setup
Another solution is to use IP alias. IP alias allows you to partition your network into logical sections over the same Ethernet interface. Your ZyXEL Device supports up to three logical LAN interfaces with the ZyXEL Device being the gateway for each logical network. P-660HN-F1 User’s Guide...
Page 170: Figure 94 Ip Alias
3 The reply from the WAN goes to the ZyXEL Device. 4 The ZyXEL Device then sends it to the computer on the LAN in Subnet 1. Figure 94 IP Alias Subnet 1 ISP 1 ISP 2 Subnet 2 P-660HN-F1 User’s Guide...
Page 171: Content Filtering
1 Click Security > Content Filter to display the following screen. 2 Select Active Keyword Blocking. 3 In the Keyword field type keywords to identify websites to be blocked. 4 Click Add Keyword for each keyword to be entered. 5 Click Apply. P-660HN-F1 User’s Guide...
Page 172: Figure 95 Security > Content Filter > Keyword: Example
“192.168.1.xxx”. Bob gave his home computer a static IP address of 192.168.1.2 and the study computer a static IP address of 192.168.1.3. To exclude the study computer from keyword blocking he follows these steps. 1 Click Security > Content Filter > Trusted to display the following screen. P-660HN-F1 User’s Guide...
Page 173: The Keyword Screen
This box contains the list of all the keywords that you have configured the contain these keywords in ZyXEL Device to block. the URL: Delete Highlight a keyword in the box and click this to remove it. P-660HN-F1 User’s Guide...
Page 174: The Schedule Screen
Select the check box to have the content filtering to be active on the selected day. Start TIme Enter the time when you want the content filtering to take effect in hour-minute format. End Time Enter the time when you want the content filtering to stop in hour-minute format. P-660HN-F1 User’s Guide...
Page 175: The Trusted Screen
Type the ending IP address of a specific range of users on your LAN that you want to exclude from content filtering. Leave this field blank if you want to exclude an individual computer. Apply Click this to save your changes. Cancel Click this to restore your previously saved settings. P-660HN-F1 User’s Guide...
Page 176 Chapter 10 Content Filtering P-660HN-F1 User’s Guide...
Page 177: Packet Filter
Section 11.3 on page 183 for technical background information on packet filters. 11.2 The Packet Filter Screen Use this screen to set up packet filters on your ZyXEL Device. Click Security > Packet Filter to display the following screen. P-660HN-F1 User’s Guide...
Page 178: Editing Protocol Filters
IP and the upper layer protocol, for example, UDP and TCP headers. In the Packet Filter screen, select Protocol Filter from the Filter Type field. Then click the Edit button from the Modify field to display the following screen. P-660HN-F1 User’s Guide...
Page 179: Configuring Protocol Filter Rules
Cancel Click this to restore your previously saved settings. 11.2.2 Configuring Protocol Filter Rules Use this screen to configure protocol filter rules. In the Edit (Protocol Filter) screen, click an Edit icon to display the following screen. P-660HN-F1 User’s Guide...
Page 180: Figure 103 Security > Packet Filter > Edit (Protocol Filter) > Edit Rule
TCP Estab This field is only available when you select TCP in the Protocol field. Select Yes to have the rule match packets that want to establish a TCP connection. This field is ignored if you select No. P-660HN-F1 User’s Guide...
Page 181: Editing Generic Filters
In the Packet Filter screen, select Generic Filter from the Filter Type field. Then click the Edit button from the Modify field to display the following screen. Figure 104 Security > Packet Filter > Edit (Generic Filter) P-660HN-F1 User’s Guide...
Page 182: Configuring Generic Packet Rules
Enter the byte count of the data portion in the packet that you wish to compare. The range for this field is 0 to 8. Mask Enter the mask (in hexadecimal notation) to apply to the data portion before comparison. P-660HN-F1 User’s Guide...
Page 183: Packet Filter Technical Reference
The interface can be an Ethernet port or any other hardware port. The following diagram illustrates this. Figure 106 Protocol and Generic Filter Sets Route Incoming Protocol Generic Interface Filters Filters Outgoing P-660HN-F1 User’s Guide...
Page 184: Firewall Versus Filters
5 Use the firewall if you need routine e-mail reports about your system or need to be alerted when attacks occur. 6 The firewall can block specific URL traffic that might occur in the future. The URL can be saved in an Access Control List (ACL) database. P-660HN-F1 User’s Guide...
Page 185 Chapter 11 Packet Filter P-660HN-F1 User’s Guide...
Page 186 Chapter 11 Packet Filter P-660HN-F1 User’s Guide...
Page 187: Certificates
(Section 12.4 on page 201) to import self-signed certificates. • Use the Directory Servers screens (Section 12.5 on page 206) to configure a list of addresses of directory servers (that contain lists of valid and revoked certificates). P-660HN-F1 User’s Guide...
Page 188: What You Need To Know About Certificates
This is the ZyXEL Device’s summary list of certificates and certification requests. Certificates display in black and certification requests display in gray. Click Security > Certificates > My Certificates to open the My Certificates screen. Figure 108 My Certificates P-660HN-F1 User’s Guide...
Page 189: Table 66 My Certificates
Note that subsequent certificates move up by one when you take this action Create Click this to go to the screen where you can have the ZyXEL Device generate a certificate or a certification request. P-660HN-F1 User’s Guide...
Page 190: My Certificate Import
ZyXEL Device. The certificate you import replaces the corresponding request in the My Certificates screen. You must remove any spaces from the certificate’s filename before you can import it. Figure 109 My Certificate Import P-660HN-F1 User’s Guide...
Page 191: My Certificate Create
You do not have to fill in every field, although the Common Name is mandatory. The certification authority may add fields (such as a serial number) to the subject information when it issues a certificate. It is recommended that each certificate have unique subject information. P-660HN-F1 User’s Guide...
Page 192 You must have the certification authority’s certificate already imported in the Trusted CAs screen. Click Trusted CAs to go to the Trusted CAs screen where you can view (and manage) the ZyXEL Device's list of certificates of trusted certification authorities. P-660HN-F1 User’s Guide...
Page 193: My Certificate Details
ZyXEL Device. Click Security > Certificates > My Certificates to open the My Certificates screen (see Figure 108 on page 188). Click the edit icon to open the My Certificate Details screen. P-660HN-F1 User’s Guide...
Page 194: Figure 111 My Certificate Details
This certificates. automatically clears the check box in the details screen of the certificate that was previously set to sign the imported trusted remote host certificates. P-660HN-F1 User’s Guide...
Page 195 Subject Type=CA means that this is a certification authority’s certificate and “Path Length Constraint=1” means that there can only be one certification authority in the certificate’s path. MD5 Fingerprint This is the certificate’s message digest that the ZyXEL Device calculated using the MD5 algorithm. P-660HN-F1 User’s Guide...
Page 196: The Trusted Cas Screen
Click Security > Certificates > Trusted CAs to open the Trusted CAs screen. Figure 112 Trusted CAs P-660HN-F1 User’s Guide...
Page 197: Trusted Ca Import
ZyXEL Device. Click Security > Certificates > Trusted CAs to open the Trusted CAs screen and then click Import to open the Trusted CA Import screen. You must remove any spaces from the certificate’s filename before you can import the certificate. P-660HN-F1 User’s Guide...
Page 198: Trusted Ca Details
Click Security > Certificates > Trusted CAs to open the Trusted CAs screen. Click the details icon to open the Trusted CA Details screen. P-660HN-F1 User’s Guide...
Page 199: Figure 114 Trusted Ca Details
Certificate Revocation List revocation lists (CRL). (CRLs) Clear this check box to have the ZyXEL Device not check incoming certificates that are issued by this certification authority against a Certificate Revocation List (CRL). P-660HN-F1 User’s Guide...
Page 200 This field displays general information about the certificate. For example, Subject Type=CA means that this is a certification authority’s certificate and “Path Length Constraint=1” means that there can only be one certification authority in the certificate’s path. P-660HN-F1 User’s Guide...
Page 201: The Trusted Remote Hosts Screens
You do not need to add any certificate that is signed by one of the certification authorities on the Trusted CAs screen since the ZyXEL Device automatically accepts any valid certificate signed by a trusted certification authority as being trustworthy. P-660HN-F1 User’s Guide...
Page 202: Figure 115 Trusted Remote Hosts
Click this to open a screen where you can save the certificate of a remote host (which you trust) from your computer to the ZyXEL Device. Refresh Click this to display the current validity status of the certificates. P-660HN-F1 User’s Guide...
Page 203: Trusted Remote Hosts Import
Use this screen to view in-depth information about the trusted remote host’s certificate and/or change the certificate’s name. Click Security > Certificates > Trusted Remote Hosts to open the Trusted Remote Hosts screen. Click the details icon to open the Trusted Remote Host Details screen. P-660HN-F1 User’s Guide...
Page 204: Figure 117 Trusted Remote Host Details
CA-signed. The ZyXEL Device is the Certification Authority that signed the certificate. X.509 means that this certificate was created and signed according to the ITU-T X.509 recommendation that defines the formats for public-key certificates. P-660HN-F1 User’s Guide...
Page 205 Click this to return to the previous screen without saving. Export Click this and then Save in the File Download screen. The Save As screen opens, browse to the location that you want to use and click Save. P-660HN-F1 User’s Guide...
Page 206: The Directory Servers Screens
Address This field displays the IP address or domain name of the directory server. Port This field displays the port number that the directory server uses. Protocol This field displays the protocol that the directory server uses. P-660HN-F1 User’s Guide...
Page 207: Directory Server Add And Edit
Access Protocol field. You may change the server port number if needed, however you must use the same server port number that the directory server uses. 389 is the default server port number for LDAP. Login Setting P-660HN-F1 User’s Guide...
Page 208: Certificates Technical Reference
PKI (Public-Key Infrastructure). Advantages of Certificates Certificates offer the following benefits. • The ZyXEL Device only has to store the certificates of the certification authorities that you decide to trust, no matter how many devices you need to authenticate. P-660HN-F1 User’s Guide...
Page 209: Private-Public Certificates
The following procedure describes how to use a certificate’s fingerprint to verify that you have the remote host’s correct certificate. 1 Browse to where you have the remote host’s certificate saved on your computer. 2 Make sure that the certificate has a “.cer” or “.crt” file name extension. P-660HN-F1 User’s Guide...
Page 210: Figure 120 Remote Host Certificates
3 Double-click the certificate’s icon to open the Certificate window. Click the Details tab and scroll down to the Thumbprint Algorithm and Thumbprint fields. Figure 121 Certificate Details 4 Verify (over the phone for example) that the remote host has the same information in the Thumbprint Algorithm and Thumbprint fields. P-660HN-F1 User’s Guide...
Page 211: Advanced
Advanced Static Route (213) 802.1Q/1P (217) Quality of Service (QoS) (227) Dynamic DNS Setup (241) Remote Management (245) Universal Plug-and-Play (UPnP) (257)
Page 213: Static Route
Figure 122 Example of Static Routing Topology 13.1.1 What You Can Do in the Static Route Screens Use the Static Route screens (Section 13.2 on page 214) to view and configure IP static routes on the ZyXEL Device. P-660HN-F1 User’s Guide...
Page 214: The Static Route Screen
Click the Remove icon to remove a static route from the ZyXEL Device. A window displays asking you to confirm that you want to delete the route. Apply Click this to save your changes. Cancel Click this to restore your previously saved settings. P-660HN-F1 User’s Guide...
Page 215: Static Route Edit
Section 5.3 on page 75 for details on configuring a remote node. Back Click this to return to the previous screen without saving. Apply Click this to save your changes. Cancel Click this to restore your previously saved settings. P-660HN-F1 User’s Guide...
Page 216 Chapter 13 Static Route P-660HN-F1 User’s Guide...
Page 217: Q/1P
- they are not confined to the device on which they were created. The VLAN ID associates a frame with a specific VLAN and provides the information that devices need to process the frame across the network. P-660HN-F1 User’s Guide...
Page 218: Q/1P Example
You want to create high priority for this type of traffic, so you want to group these ports into one VLAN (VLAN2) and then to a PVC (PVC1) where the priority is set to high level of service. You would start with the following steps. P-660HN-F1 User’s Guide...
Page 219: Figure 127 Advanced > 802.1Q/1P > Group Setting > Edit: Example
1 Click Advanced > 802.1Q/1P > Port Setting to display the following screen. 2 Type 2 in the 802.1Q PVID column for LAN1, LAN2 and PVC1. 3 Select 7 from the 802.1P Priority drop-down list box for LAN1, LAN2 and PVC1. 4 Click Apply. P-660HN-F1 User’s Guide...
Page 220: Figure 128 Advanced > 802.1Q/1P > Port Setting: Example
PVC3 into one VLAN (VLAN4). PVC3 priority is set to medium level of service. Follow the same steps as in VLAN2 to configure the settings for VLAN3 and VLAN4. The summary screen should then display as follows. P-660HN-F1 User’s Guide...
Page 221: The 802.1Q/1P Group Setting Screen
Figure 129 Advanced > 802.1Q/1P > Group Setting: Example This completes the 802.1Q/1P setup. 14.2 The 802.1Q/1P Group Setting Screen Use this screen to activate 802.1Q/1P and display the VLAN groups. Click Advanced > 802.1Q/1P to display the following screen. P-660HN-F1 User’s Guide...
Page 222: Figure 130 Advanced > 802.1Q/1P > Group Setting
T, an untagged port is marked as U and ports not participating in a VLAN are marked as “–“. Modify Click the Edit button to configure the the ports in the VLAN group. Click the Remove button to delete the VLAN group. P-660HN-F1 User’s Guide...
Page 223: Editing 802.1Q/1P Group Setting
This field displays the types of ports available to join the VLAN group. Control Select Fixed for the port to be a permanent member of the VLAN group. Select Forbidden if you want to prohibit the port from joining the VLAN group. P-660HN-F1 User’s Guide...
Page 224: The 802.1Q/1P Port Setting Screen
This field displays the types of ports available to join the VLAN group. 802.1Q PVID Assign a VLAN ID for the port. The valid VID range is between 1 and 4094. The ZyXEL Device assigns the PVID to untagged frames or priority-tagged frames received on this port. P-660HN-F1 User’s Guide...
Page 225 You may choose a priority level from 0-7, with 0 being the lowest level and 7 being the highest level. Apply Click this to save your changes. Cancel Click this to restore your previously saved settings. P-660HN-F1 User’s Guide...
Page 226 Chapter 14 802.1Q/1P P-660HN-F1 User’s Guide...
Page 227: Quality Of Service (Qos)
Class of Service (CoS) is a way of managing traffic in a network by grouping similar types of traffic together and treating each type as a class. You can use CoS to give different priorities to different packet types. P-660HN-F1 User’s Guide...
Page 228: Qos Class Setup Example
5. Traffic that does not match these two classes are assigned priority queue based on the internal QoS mapping table on the ZyXEL Device. Figure 133 QoS Example VoIP: Queue 6 50 Mbps Boss: Queue 5 IP=192.168.1.23 P-660HN-F1 User’s Guide...
Page 229: Figure 134 Qos Class Example: Voip -1
Chapter 15 Quality of Service (QoS) Figure 134 QoS Class Example: VoIP -1 Figure 135 QoS Class Example: VoIP -2 P-660HN-F1 User’s Guide...
Page 230: Figure 136 Qos Class Example: Boss -1
Chapter 15 Quality of Service (QoS) Figure 136 QoS Class Example: Boss -1 Figure 137 QoS Class Example: Boss -2 P-660HN-F1 User’s Guide...
Page 231: The Qos General Screen
Section 15.5.4 on page for more information. If you select OFF, traffic which does not match a class is mapped to queue two. Apply Click this to save your changes. Cancel Click this to restore your previously saved settings. P-660HN-F1 User’s Guide...
Page 232: The Class Setup Screen
Click this to restore your previously saved settings. 15.3.1 The Class Configuration Screen Use this screen to configure a classifier. Click the Add button or the Edit icon in the Modify field to display the following screen. P-660HN-F1 User’s Guide...
Page 233: Figure 140 Advanced > Qos > Class Setup: Edit
Chapter 15 Quality of Service (QoS) Figure 140 Advanced > QoS > Class Setup: Edit P-660HN-F1 User’s Guide...
Page 234: Table 85 Advanced > Qos > Class Setup: Edit
Select the check box and enter the source IP address in dotted decimal notation. A blank source IP address means any source IP address. Subnet Enter the source subnet mask. Refer to the appendix for more information on IP Netmask subnetting. P-660HN-F1 User’s Guide...
Page 235 Select this option and enter the minimum and maximum packet length (from 28 to 1500) in the fields provided. DSCP Select this option and specify a DSCP (DiffServ Code Point) number between 0 and 63 in the field provided. P-660HN-F1 User’s Guide...
Page 236: The Qos Monitor Screen
This shows how many packets mapped to this priority queue are transmitted successfully. Drop This shows how many packets mapped to this priority queue are dropped. Poll Interval(s) Enter the time interval for refreshing statistics in this field. P-660HN-F1 User’s Guide...
Page 237: Qos Technical Reference
IP precedence uses three bits of the eight-bit ToS (Type of Service) field in the IP header. There are eight classes of services (ranging from zero to seven) in IP precedence. Zero is the lowest priority level and seven is the highest. P-660HN-F1 User’s Guide...
Page 238: Diffserv
Table 88 Internal Layer2 and Layer3 QoS Mapping LAYER 2 LAYER 3 PRIORITY IEEE 802.1P USER QUEUE PRIORITY TOS (IP IP PACKET DSCP (ETHERNET PRECEDENCE) LENGTH (BYTE) PRIORITY) 000000 000000 >1100 P-660HN-F1 User’s Guide...
Page 239 IEEE 802.1P USER QUEUE PRIORITY TOS (IP IP PACKET DSCP (ETHERNET PRECEDENCE) LENGTH (BYTE) PRIORITY) 001110 250~1100 001100 001010 001000 010110 010100 010010 010000 011110 <250 011100 011010 011000 100110 100100 100010 100000 101110 101000 110000 111000 P-660HN-F1 User’s Guide...
Page 240 Chapter 15 Quality of Service (QoS) P-660HN-F1 User’s Guide...
Page 241: Dynamic Dns Setup
If you have a private WAN IP address, then you cannot use Dynamic DNS. 16.2 The Dynamic DNS Screen Use this screen to change your ZyXEL Device’s DDNS. Click Advanced > Dynamic DNS. The screen appears as shown. P-660HN-F1 User’s Guide...
Page 242: Figure 142 Advanced > Dynamic Dns
Check with your Dynamic DNS service provider to have traffic redirected to a URL (that you can specify) while you are off line. IP Address Update Policy Use WAN IP Select this option to update the IP address of the host name(s) to the WAN IP Address address. P-660HN-F1 User’s Guide...
Page 243 Use specified IP Type the IP address of the host name(s). Use this if you have a static IP address. Address Apply Click this to save your changes. Cancel Click this to restore your previously saved settings. P-660HN-F1 User’s Guide...
Page 244 Chapter 16 Dynamic DNS Setup P-660HN-F1 User’s Guide...
Page 245: Remote Management
You may only have one remote management session running at a time. The ZyXEL Device automatically disconnects a remote management session of lower priority when another remote management session of higher priority starts. The priorities for the different types of remote management sessions are as follows. P-660HN-F1 User’s Guide...
Page 246: What You Can Do In The Remote Management Screens
There is a default system management idle timeout of five minutes (three hundred seconds). The ZyXEL Device automatically logs you out if the management session remains idle for longer than this timeout period. The management session does not time out when a statistics screen is polling. P-660HN-F1 User’s Guide...
Page 247: The Www Screen
2 HTTP connection requests from a web browser go to port 80 (by default) on the ZyXEL Device’s WS (web server). Figure 144 HTTPS Implementation If you disable the WWW service in the Remote MGMT > WWW screen, then the ZyXEL Device blocks all HTTP connection attempts. P-660HN-F1 User’s Guide...
Page 248: Configuring The Www Screen
You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management. Access Status Select the interface(s) through which a computer may access the ZyXEL Device using this service. P-660HN-F1 User’s Guide...
Page 249: The Telnet Screen
Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL Device using this service. Apply Click this to save your changes. Cancel Click this to restore your previously saved settings. P-660HN-F1 User’s Guide...
Page 250: The Ftp Screen
Your ZyXEL Device supports SNMP agent functionality, which allows a manager station to manage and monitor the ZyXEL Device through the network. The ZyXEL Device supports SNMP version one (SNMPv1) and version two (SNMPv2). The next figure illustrates an SNMP management operation. P-660HN-F1 User’s Guide...
Page 251: Figure 148 Snmp Management Model
Get operation, followed by a series of GetNext operations. • Set - Allows the manager to set values for object variables within an agent. • Trap - Used by the agent to inform the manager of some events. P-660HN-F1 User’s Guide...
Page 252: Supported Mibs
A trap is sent with the message of the fatal code if the system reboots because of fatal errors. 17.5.3 Configuring SNMP To change your ZyXEL Device’s SNMP settings, click Advanced > Remote MGMT > SNMP. The screen appears as shown. P-660HN-F1 User’s Guide...
Page 253: Figure 149 Advanced > Remote Management > Snmp
SNMP manager. The default is public and allows all requests. TrapDestination Type the IP address of the station to send your SNMP traps to. Apply Click this to save your changes. Cancel Click this to restore your previously saved settings. P-660HN-F1 User’s Guide...
Page 254: The Dns Screen
This allows the outside user to know the ZyXEL Device exists. Your ZyXEL Device supports anti-probing, which prevents the ICMP response packet from being sent. This keeps outsiders from discovering your ZyXEL Device when unsupported ports are probed. P-660HN-F1 User’s Guide...
Page 255: Figure 151 Advanced > Remote Management > Icmp
TCP reset packet for a blocked TCP packet (or an ICMP port- unreachable packet for a blocked UDP packets) or just drop the packets without sending a response packet. Apply Click this to save your changes. Cancel Click this to restore your previously saved settings. P-660HN-F1 User’s Guide...
Page 256 Chapter 17 Remote Management P-660HN-F1 User’s Guide...
Page 257: Universal Plug-And-Play (Upnp)
The automated nature of NAT traversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments. P-660HN-F1 User’s Guide...
Page 258: The Upnp Screen
ZyXEL Device, for example by using NAT traversal, UPnP applications automatically reserve a NAT forwarding port in order to communicate with another UPnP enabled device; this eliminates the need to manually configure port forwarding for the UPnP enabled application. P-660HN-F1 User’s Guide...
Page 259: Installing Upnp In Windows Example
2 Click on the Windows Setup tab and select Communication in the Components selection box. Click Details. Figure 153 Add/Remove Programs: Windows Setup: Communication 3 In the Communications window, select the Universal Plug and Play check box in the Components selection box. P-660HN-F1 User’s Guide...
Page 260: Figure 154 Add/Remove Programs: Windows Setup: Communication: Components
3 In the Network Connections window, click Advanced in the main menu and select Optional Networking Components …. Figure 155 Network Connections 4 The Windows Optional Networking Components Wizard window displays. Select Networking Service in the Components selection box and click Details. P-660HN-F1 User’s Guide...
Page 261: Figure 156 Windows Optional Networking Components Wizard
Figure 156 Windows Optional Networking Components Wizard 5 In the Networking Services window, select the Universal Plug and Play check box. Figure 157 Networking Services 6 Click OK to go back to the Windows Optional Networking Component Wizard window and click Next. P-660HN-F1 User’s Guide...
Page 262: Using Upnp In Windows Xp Example
1 Click Start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway. 2 Right-click the icon and select Properties. Figure 158 Network Connections 3 In the Internet Connection Properties window, click Settings to see the port mappings there were automatically created. P-660HN-F1 User’s Guide...
Page 263: Figure 159 Internet Connection Properties
Chapter 18 Universal Plug-and-Play (UPnP) Figure 159 Internet Connection Properties 4 You may edit or delete the port mappings or click Add to manually add port mappings. P-660HN-F1 User’s Guide...
Page 264: Figure 160 Internet Connection Properties: Advanced Settings
5 When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically. 6 Select Show icon in notification area when connected option and click OK. An icon displays in the system tray. P-660HN-F1 User’s Guide...
Page 265: Figure 162 System Tray Icon
IP address of the ZyXEL Device first. This comes helpful if you do not know the IP address of the ZyXEL Device. Follow the steps below to access the web configurator. 1 Click Start and then Control Panel. 2 Double-click Network Connections. 3 Select My Network Places under Other Places. P-660HN-F1 User’s Guide...
Page 266: Figure 164 Network Connections
Chapter 18 Universal Plug-and-Play (UPnP) Figure 164 Network Connections 4 An icon with the description for each UPnP-enabled device displays under Local Network. 5 Right-click on the icon for your ZyXEL Device and select Invoke. The web configurator login screen displays. P-660HN-F1 User’s Guide...
Page 267: Figure 165 Network Connections: My Network Places
Figure 165 Network Connections: My Network Places 6 Right-click on the icon for your ZyXEL Device and select Properties. A properties window displays with basic information about the ZyXEL Device. Figure 166 Network Connections: My Network Places: Properties: Example P-660HN-F1 User’s Guide...
Page 268 Chapter 18 Universal Plug-and-Play (UPnP) P-660HN-F1 User’s Guide...
Page 269: Maintenance
Maintenance System Settings (271) Logs (277) Tools (289) Diagnostic (301)
Page 271: System Settings
• In Windows 2000, click Start, Settings, Control Panel and then double-click System. Click the Network Identification tab and then the Properties button. Note the entry for the Computer name field and enter it as the System Name. P-660HN-F1 User’s Guide...
Page 272: Figure 167 Maintenance > System > General
Type your new user password (up to 30 characters). Note that as you type a Password password, the screen displays a (*) for each character you type. After you change the password, use the new password to access the ZyXEL Device. P-660HN-F1 User’s Guide...
Page 273: The Time Setting Screen
Use this screen to configure the ZyXEL Device’s time based on your local time zone. To change your ZyXEL Device’s time and date, click Maintenance > System > Time Setting. The screen appears as shown. Figure 168 Maintenance > System > Time Setting P-660HN-F1 User’s Guide...
Page 274: Table 99 Maintenance > System > Time Setting
Daylight saving is a period from late spring to early fall when many countries set their clocks ahead of normal local time by one hour to give more daytime light in the evening. Select this option if you use Daylight Saving Time. P-660HN-F1 User’s Guide...
Page 275 In Germany for instance, you would type 2 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1). Apply Click this to save your changes. Cancel Click this to restore your previously saved settings. P-660HN-F1 User’s Guide...
Page 276 Chapter 19 System Settings P-660HN-F1 User’s Guide...
Page 277: Logs
278). Click Maintenance > Logs to open the View Log screen. Entries in red indicate alerts. The log wraps around and deletes the old entries after it fills. Click a column heading to sort the entries. A triangle indicates ascending or descending sort order. P-660HN-F1 User’s Guide...
Page 278: The Log Settings Screen
Alerts are e-mailed as soon as they happen. Logs may be e-mailed as soon as the log is full. Selecting many alert and/or log categories (especially Access Control) may result in many e- mails being sent. P-660HN-F1 User’s Guide...
Page 279: Figure 170 Maintenance > Logs > Log Settings
Enter the E-mail address where the alert messages will be sent. Alerts include system errors, attacks and attempted access to blocked web sites. If this field is left blank, alert messages will not be sent via E-mail. P-660HN-F1 User’s Guide...
Page 280: Smtp Error Messages
-1 means ZyXEL Device out of socket -2 means tcp SYN fail -3 means smtp server OK fail -4 means HELO fail -5 means MAIL FROM fail -6 means RCPT TO fail -7 means DATA fail -8 means mail data send fail P-660HN-F1 User’s Guide...
Page 281: Example E-Mail Log
Someone has logged on to the router's web configurator Successful WEB login interface. Someone has failed to log on to the router's web configurator WEB login failed interface. Someone has logged on to the router via telnet. Successful TELNET login P-660HN-F1 User’s Guide...
Page 282: Table 104 System Error Logs
The router failed to allocate memory for the NetBIOS filter setNetBIOSFilter: calloc settings. error The router failed to allocate memory for the NetBIOS filter readNetBIOSFilter: calloc settings. error A WAN connection is down. You cannot access the network WAN connection is down. through this interface. P-660HN-F1 User’s Guide...
Page 283: Table 105 Access Control Logs
TOS (firewall dynamic sessions) until incomplete connections < “Maximum Incomplete Low”. The router sends a TCP RST packet and generates this log if you Access block, sent TCP turn on the firewall TCP reset mechanism (via CI command: "sys firewall tcprst"). P-660HN-F1 User’s Guide...
Page 284: Table 107 Packet Filter Logs
LOG MESSAGE DESCRIPTION The PPP connection’s Link Control Protocol stage has started. ppp:LCP Starting The PPP connection’s Link Control Protocol stage is opening. ppp:LCP Opening The PPP connection’s Challenge Handshake Authentication Protocol stage is ppp:CHAP Opening opening. P-660HN-F1 User’s Guide...
Page 285: Table 111 Upnp Logs
The firewall detected a TCP teardrop attack. teardrop TCP The firewall detected an UDP teardrop attack. teardrop UDP The firewall detected an ICMP teardrop attack. teardrop ICMP (type:%d, code:%d) The firewall detected a TCP illegal command attack. illegal command TCP P-660HN-F1 User’s Guide...
Page 286: Table 114 802.1X Logs
ACL set for packets traveling from the LAN to the LAN or ZyXEL Device the ZyXEL Device. (W to W/ZyXEL WAN to WAN/ ACL set for packets traveling from the WAN to the WAN Device) ZyXEL Device or the ZyXEL Device. P-660HN-F1 User’s Guide...
Page 287: Table 116 Icmp Notes
Time Exceeded Time to live exceeded in transit Fragment reassembly time exceeded Parameter Problem Pointer indicates the error Timestamp Timestamp request message Timestamp Reply Timestamp reply message Information Request Information request message Information Reply Information reply message P-660HN-F1 User’s Guide...
Page 288: Table 117 Syslog Logs
RFC 2408 for detailed information on each type. Table 118 RFC-2408 ISAKMP Payload Types LOG DISPLAY PAYLOAD TYPE Security Association Proposal PROP Transform TRANS Key Exchange Identification Certificate Certificate Request CER_REQ Hash HASH Signature Nonce NONCE Notification NOTFY Delete Vendor ID P-660HN-F1 User’s Guide...
Page 289: Tools
DHCP Setup, TCP/IP Setup, etc. It arrives from ZyXEL with a “rom” filename extension. Once you have customized the ZyXEL Device's settings, they can be saved back to your computer under a filename of your choosing. P-660HN-F1 User’s Guide...
Page 290: Before You Begin
• Ensure you have either created a firewall rule to allow access from the WAN or turned the firewall off, otherwise the FTP will not function. • Make sure the FTP service has not been disabled in the Remote Management screen. P-660HN-F1 User’s Guide...
Page 291: Tool Examples
FTP client. The following sections give examples of how to upload the firmware and the configuration files. FTP File Upload Command from the DOS Prompt Example 1 Launch the FTP client on your computer. P-660HN-F1 User’s Guide...
Page 292: Figure 173 Ftp Session Example Of Firmware File Upload
Enter “command sys stdio 5” to restore the five-minute management idle timeout (default) when the file transfer is complete. 3 Launch the TFTP client on your computer and connect to the device. Set the transfer mode to binary before starting data transfer. P-660HN-F1 User’s Guide...
Page 293: Figure 174 Ftp Session Example
230 Logged in ftp> bin 200 Type I OK ftp> get rom-0 zyxel.rom 200 Port command okay 150 Opening data connection for STOR ras 226 File received OK ftp: 16384 bytes sent in 1.10Seconds 297.89Kbytes/sec. ftp> quit P-660HN-F1 User’s Guide...
Page 294: Table 120 General Commands For Gui-Based Ftp Clients
” is the ZyXEL Device IP address, “ ” transfers the file source on the ZyXEL Device host , name of the configuration file on the ZyXEL Device) to the file destination on the rom-0 computer and renames it config.rom. P-660HN-F1 User’s Guide...
Page 295: The Firmware Screen
Transfer Protocol) and may take up to two minutes. After a successful upload, the system will reboot. See Section 21.1.4 on page 291 for upgrading firmware using FTP/TFTP commands. Do NOT turn off the ZyXEL Device while firmware upload is in progress! Figure 175 Maintenance > Tools > Firmware P-660HN-F1 User’s Guide...
Page 296: Figure 176 Firmware Upload In Progress
Figure 177 Network Temporarily Disconnected After two minutes, log in again and check your new firmware version in the Status screen. If the upload was not successful, the following screen will appear. Click Return to go back to the Firmware screen. P-660HN-F1 User’s Guide...
Page 297: The Configuration Screen
The backup configuration file will be useful in case you need to return to your previous settings. Click Backup to save the ZyXEL Device’s current configuration to your computer. P-660HN-F1 User’s Guide...
Page 298: Figure 180 Configuration Upload Successful
IP address (192.168.1.1). See Appendix A on page 321 for details on how to set up your computer’s IP address. If the upload was not successful, the following screen will appear. Click Return to go back to the Configuration screen. P-660HN-F1 User’s Guide...
Page 299: The Restart Screen
System restart allows you to reboot the ZyXEL Device remotely without turning the power off. You may need to do this if the ZyXEL Device hangs, for example. Click Maintenance > Tools > Restart. Click Restart to have the ZyXEL Device reboot. This does not affect the ZyXEL Device's configuration. P-660HN-F1 User’s Guide...
Page 300: Figure 185 Maintenance > Tools >Restart
Chapter 21 Tools Figure 185 Maintenance > Tools >Restart P-660HN-F1 User’s Guide...
Page 301: Diagnostic
302) to view the DSL line statistics and reset the ADSL line. 22.2 The General Diagnostic Screen Use this screen to ping an IP address. Click Maintenance > Diagnostic to open the screen shown next. Figure 186 Maintenance > Diagnostic > General P-660HN-F1 User’s Guide...
Page 302: The Dsl Line Diagnostic Screen
22.3 The DSL Line Diagnostic Screen Use this screen to view the DSL line statistics and reset the ADSL line. Click Maintenance > Diagnostic > DSL Line to open the screen shown next. Figure 187 Maintenance > Diagnostic > DSL Line P-660HN-F1 User’s Guide...
Page 303: Table 125 Maintenance > Diagnostic > Dsl Line
The better (or shorter) the line, the higher the number of bits transmitted for a DMT tone. The maximum number of bits that can be transmitted per DMT tone is 15. There will be some tones without any bits as there has to be space between the upstream and downstream channels. P-660HN-F1 User’s Guide...
Page 304 Reset ADSL Line Successfully!" Capture All Logs Click this to display information and statistics about your ZyXEL Device’s ATM statistics, DSL connection statistics, DHCP settings, firmware version, WAN and gateway IP address, VPI/VCI and LAN IP address. P-660HN-F1 User’s Guide...
Page 305: Troubleshooting And Specifications
Troubleshooting and Specifications Product Specifications (307) Troubleshooting (315)
Page 307: Product Specifications
Table 127 Firmware Specifications Default IP Address 192.168.1.1 Default Subnet Mask 255.255.255.0 (24 bits) Default User Password user Default Admin 1234 Password DHCP Server IP Pool 192.168.1.32 to 192.168.1.64 Static DHCP Addresses Content Filtering Web page blocking by URL keyword. P-660HN-F1 User’s Guide...
Page 308 Remote Management This allows you to decide whether a service (HTTP or FTP traffic for example) from a computer on a network (LAN or WAN for example) can access the ZyXEL Device. P-660HN-F1 User’s Guide...
Page 309 Auto-negotiating rate adaptation ADSL physical connection ATM AAL5 (ATM Adaptation Layer type 5) Multi-protocol over AAL5 (RFC2684/1483) PPP over ATM AAL5 (RFC2364) PPP over Ethernet for DSL connection (RFC2516) VC-based and LLC-based multiplexing I.610 F4/F5 OAM Annex L/M TR-067/TR-100 P-660HN-F1 User’s Guide...
Page 310: Wireless Features
Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i security standard. Key differences between WPA and WEP are user authentication and improved data encryption. WPA2 WPA 2 is a wireless security standard that defines stronger encryption, authentication and key management than WPA. P-660HN-F1 User’s Guide...
Page 311: Table 129 Standards Supported
PPP over AAL5 (PPP over ATM over ADSL) RFC 2408 Internet Security Association and Key Management Protocol (ISAKMP) RFC 2516 A Method for Transmitting PPP Over Ethernet (PPPoE) RFC 2684 Multiprotocol Encapsulation over ATM Adaptation Layer 5. RFC 2766 Network Address Translation - Protocol P-660HN-F1 User’s Guide...
Page 312: Power Adaptor Specifications
NORTH AMERICAN PLUG STANDARDS AC Power Adapter Model 12V 1A SOCB PA Input Power AC 120Volts/60Hz Output Power DC 12Volts/1.0A Power Consumption 7.7 Watt max Safety Standards ANSI/UL 60950-1, CSA 60950-1 EUROPEAN PLUG STANDARDS AC Power Adapter Model P-660HN-F1 User’s Guide...
Page 313 Chapter 23 Product Specifications Table 130 ZyXEL Device Series Power Adaptor Specifications (continued) Input Power AC 230Volts/50Hz Output Power DC 12Volts/1.0A Power Consumption 8.3 Watt max Safety Standards CE, GS or TUV, EN60950-1 P-660HN-F1 User’s Guide...
Page 314 Chapter 23 Product Specifications P-660HN-F1 User’s Guide...
Page 315: Troubleshooting
2 Check the hardware connections. See the Quick Start Guide. 3 Inspect your cables for damage. Contact the vendor to replace any damaged cables. 4 Turn the ZyXEL Device off and on. 5 If the problem continues, contact the vendor. P-660HN-F1 User’s Guide...
Page 316: Zyxel Device Access And Login
321. Your ZyXEL Device is a DHCP server by default. • If there is no DHCP server on your network, make sure your computer’s IP address is in the same subnet as the ZyXEL Device. See Appendix A on page 321. P-660HN-F1 User’s Guide...
Page 317 I cannot use FTP to upload / download the configuration file. / I cannot use FTP to upload new firmware. See the troubleshooting suggestions for I cannot see or access the Login screen in the web configurator. Ignore the suggestions about your browser. P-660HN-F1 User’s Guide...
Page 318: Internet Access
4 If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions. Advanced Suggestions • Check the settings for QoS. If it is disabled, you might consider activating it. If it is enabled, you might consider raising or lowering the priority for some applications. P-660HN-F1 User’s Guide...
Page 319: Part Viii: Appendices And Index
VIII Appendices and Index The appendices provide general information. Some details may not apply to your ZyXEL Device. Setting up Your Computer’s IP Address (321) Pop-up Windows, JavaScript and Java Permissions (343) IP Addresses and Subnetting (351) Wireless LANs (359) Services (373) Internal SPTGEN (377) Legal Information (401)
Page 321: Appendix A Setting Up Your Computer's Ip Address
If you manually assign IP information instead of using dynamic assignment, make sure that your computers have IP addresses that place them in the same subnet as the ZyXEL Device’s LAN port. Windows 95/98/Me Click Start, Settings, Control Panel and double-click the Network icon to open the Network window. P-660HN-F1 User’s Guide...
Page 322: Figure 188 Windows 95/98/Me: Network: Configuration
2 Select Client and then click Add. 3 Select Microsoft from the list of manufacturers. 4 Select Client for Microsoft Networks from the list of network clients and then click 5 Restart your computer so the changes you made take effect. P-660HN-F1 User’s Guide...
Page 323: Figure 189 Windows 95/98/Me: Tcp/Ip Properties: Ip Address
• If you do not know your DNS information, select Disable DNS. • If you know your DNS information, select Enable DNS and type the information in the fields below (you may not need to fill them all in). P-660HN-F1 User’s Guide...
Page 324: Figure 190 Windows 95/98/Me: Tcp/Ip Properties: Dns Configuration
3 Select your network adapter. You should see your computer's IP address, subnet mask and default gateway. Windows 2000/NT/XP The following example figures use the default Windows XP GUI theme. 1 Click start (Start in Windows 2000/NT), Settings, Control Panel. P-660HN-F1 User’s Guide...
Page 325: Figure 191 Windows Xp: Start Menu
Appendix A Setting up Your Computer’s IP Address Figure 191 Windows XP: Start Menu 2 In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT). Figure 192 Windows XP: Control Panel 3 Right-click Local Area Connection and then click Properties. P-660HN-F1 User’s Guide...
Page 326: Figure 193 Windows Xp: Control Panel: Network Connections: Properties
• If you have a dynamic IP address click Obtain an IP address automatically. • If you have a static IP address click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields. • Click Advanced. P-660HN-F1 User’s Guide...
Page 327: Figure 195 Windows Xp: Internet Protocol (Tcp/Ip) Properties
To manually configure a default metric (the number of transmission hops), clear the Automatic metric check box and type a metric in Metric. • Click Add. • Repeat the previous three steps for each default gateway you want to add. • Click OK when finished. P-660HN-F1 User’s Guide...
Page 328: Figure 196 Windows Xp: Advanced Tcp/Ip Properties
• If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields. If you have previously configured DNS servers, click Advanced and then the DNS tab to order them. P-660HN-F1 User’s Guide...
Page 329: Figure 197 Windows Xp: Internet Protocol (Tcp/Ip) Properties
2 In the Command Prompt window, type "ipconfig" and then press [ENTER]. You can also open Network Connections, right-click a network connection, click Status and then click the Support tab. Windows Vista This section shows screens from Windows Vista Enterprise Version 6.0. 1 Click the Start icon, Control Panel. P-660HN-F1 User’s Guide...
Page 330: Figure 198 Windows Vista: Start Menu
2 In the Control Panel, double-click Network and Internet. Figure 199 Windows Vista: Control Panel 3 Click Network and Sharing Center. Figure 200 Windows Vista: Network And Internet 4 Click Manage network connections. Figure 201 Windows Vista: Network and Sharing Center P-660HN-F1 User’s Guide...
Page 331: Figure 202 Windows Vista: Network And Sharing Center
During this procedure, click Continue whenever Windows displays a screen saying that it needs your permission to continue. Figure 202 Windows Vista: Network and Sharing Center 6 Select Internet Protocol Version 4 (TCP/IPv4) and click Properties. Figure 203 Windows Vista: Local Area Connection Properties P-660HN-F1 User’s Guide...
Page 332: Figure 204 Windows Vista: Internet Protocol Version 4 (Tcp/Ipv4) Properties
To manually configure a default metric (the number of transmission hops), clear the Automatic metric check box and type a metric in Metric. • Click Add. • Repeat the previous three steps for each default gateway you want to add. • Click OK when finished. P-660HN-F1 User’s Guide...
Page 333: Figure 205 Windows Vista: Advanced Tcp/Ip Properties
• If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields. If you have previously configured DNS servers, click Advanced and then the DNS tab to order them. P-660HN-F1 User’s Guide...
Page 334: Figure 206 Windows Vista: Internet Protocol Version 4 (Tcp/Ipv4) Properties
2 In the Command Prompt window, type "ipconfig" and then press [ENTER]. You can also open Network Connections, right-click a network connection, click Status and then click the Support tab. Macintosh OS 8/9 1 Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel. P-660HN-F1 User’s Guide...
Page 335: Figure 207 Macintosh Os 8/9: Apple Menu
2 Select Ethernet built-in from the Connect via list. Figure 208 Macintosh OS 8/9: TCP/IP 3 For dynamically assigned settings, select Using DHCP Server from the Configure: list. 4 For statically assigned settings, do the following: • From the Configure box, select Manually. P-660HN-F1 User’s Guide...
Page 336: Figure 209 Macintosh Os X: Apple Menu
2 Click Network in the icon bar. • Select Automatic from the Location list. • Select Built-in Ethernet from the Show list. • Click the TCP/IP tab. 3 For dynamically assigned settings, select Using DHCP from the Configure list. P-660HN-F1 User’s Guide...
Page 337: Figure 210 Macintosh Os X: Network
Check your TCP/IP properties in the Network window. Linux This section shows you how to configure your computer’s TCP/IP settings in Red Hat Linux 9.0. Procedure, screens and file location may vary depending on your Linux distribution and release version. P-660HN-F1 User’s Guide...
Page 338: Figure 211 Red Hat 9.0: Kde: Network Configuration: Devices
Figure 211 Red Hat 9.0: KDE: Network Configuration: Devices 2 Double-click on the profile of the network card you wish to configure. The Ethernet Device General screen displays as shown. Figure 212 Red Hat 9.0: KDE: Ethernet Device: General P-660HN-F1 User’s Guide...
Page 339: Figure 213 Red Hat 9.0: Kde: Network Configuration: Dns
Ethernet card). Open the eth0 eth0 configuration file with any plain text editor. • If you have a dynamic IP address, enter in the field. The dhcp BOOTPROTO= following figure shows an example. P-660HN-F1 User’s Guide...
Page 340: Figure 215 Red Hat 9.0: Dynamic Ip Address Setting In Ifconfig-Eth0
Figure 218 Red Hat 9.0: Restart Ethernet Card [root@localhost init.d]# network restart Shutting down interface eth0: [OK] Shutting down loopback interface: [OK] Setting network parameters: [OK] Bringing up loopback interface: [OK] Bringing up interface eth0: [OK] P-660HN-F1 User’s Guide...
Page 341: Figure 219 Red Hat 9.0: Checking Tcp/Ip Properties
HWaddr 00:50:BA:72:5B:44 inet addr:172.23.19.129 Bcast:172.23.19.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:717 errors:0 dropped:0 overruns:0 frame:0 TX packets:13 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:730412 (713.2 Kb) TX bytes:1570 (1.5 Kb) Interrupt:10 Base address:0x1000 [root@localhost]# P-660HN-F1 User’s Guide...
Page 342 Appendix A Setting up Your Computer’s IP Address P-660HN-F1 User’s Guide...
Page 343: Appendix B Pop-Up Windows, Javascript And Java Permissions
1 In Internet Explorer, select Tools, Pop-up Blocker and then select Turn Off Pop-up Blocker. Figure 220 Pop-up Blocker You can also check if pop-up blocking is disabled in the Pop-up Blocker section in the Privacy tab. 1 In Internet Explorer, select Tools, Internet Options, Privacy. P-660HN-F1 User’s Guide...
Page 344: Figure 221 Internet Options: Privacy
Alternatively, if you only want to allow pop-up windows from your device, see the following steps. 1 In Internet Explorer, select Tools, Internet Options and then the Privacy tab. 2 Select Settings…to open the Pop-up Blocker Settings screen. P-660HN-F1 User’s Guide...
Page 345: Figure 222 Internet Options: Privacy
3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix “http://”. For example, http://192.168.167.1. 4 Click Add to move the IP address to the list of Allowed sites. Figure 223 Pop-up Blocker Settings P-660HN-F1 User’s Guide...
Page 346: Figure 224 Internet Options: Security
3 Scroll down to Scripting. 4 Under Active scripting make sure that Enable is selected (the default). 5 Under Scripting of Java applets make sure that Enable is selected (the default). 6 Click OK to close the window. P-660HN-F1 User’s Guide...
Page 347: Figure 225 Security Settings - Java Scripting
2 Click the Custom Level... button. 3 Scroll down to Microsoft VM. 4 Under Java permissions make sure that a safety level is selected. 5 Click OK to close the window. Figure 226 Security Settings - Java P-660HN-F1 User’s Guide...
Page 348: Figure 227 Java (Sun)
Figure 227 Java (Sun) Mozilla Firefox Mozilla Firefox 2.0 screens are used here. Screens for other versions may vary. You can enable Java, Javascript and pop-ups in one screen. Click Tools, then click Options in the screen that appears. P-660HN-F1 User’s Guide...
Page 349: Figure 228 Mozilla Firefox: Tools > Options
Appendix B Pop-up Windows, JavaScript and Java Permissions Figure 228 Mozilla Firefox: Tools > Options Click Content.to show the screen below. Select the check boxes as shown in the following screen. Figure 229 Mozilla Firefox Content Security P-660HN-F1 User’s Guide...
Page 350 Appendix B Pop-up Windows, JavaScript and Java Permissions P-660HN-F1 User’s Guide...
Page 351: Appendix C Ip Addresses And Subnetting
Therefore, each octet has a possible range of 00000000 to 11111111 in binary, or 0 to 255 in decimal. The following figure shows an example IP address in which the first three octets (192.168.1) are the network number, and the fourth octet (16) is the host ID. P-660HN-F1 User’s Guide...
Page 352: Figure 230 Network Number And Host Id
Subnet masks can be referred to by the size of the network number part (the bits with a “1” value). For example, an “8-bit mask” means that the first 8 bits of the mask are ones and the remaining 24 bits are zeroes. P-660HN-F1 User’s Guide...
Page 353: Table 132 Subnet Masks
For example, 192.1.1.0 /25 is equivalent to saying 192.1.1.0 with subnet mask 255.255.255.128. The following table shows some possible subnet masks using both notations. Table 134 Alternative Subnet Mask Notation ALTERNATIVE LAST OCTET LAST OCTET SUBNET MASK NOTATION (BINARY) (DECIMAL) 255.255.255.0 0000 0000 255.255.255.128 1000 0000 P-660HN-F1 User’s Guide...
Page 354: Figure 231 Subnetting Example: Before Subnetting
The “borrowed” host ID bit can have a value of either 0 or 1, allowing two subnets; 192.168.1.0 /25 and 192.168.1.128 /25. The following figure shows the company network after subnetting. There are now two sub- networks, A and B. P-660HN-F1 User’s Guide...
Page 355: Figure 232 Subnetting Example: After Subnetting
Table 135 Subnet 1 LAST OCTET BIT IP/SUBNET MASK NETWORK NUMBER VALUE IP Address (Decimal) 192.168.1. IP Address (Binary) 11000000.10101000.00000001. 00000000 Subnet Mask (Binary) 11111111.11111111.11111111. 11000000 Subnet Address: Lowest Host ID: 192.168.1.1 192.168.1.0 Broadcast Address: Highest Host ID: 192.168.1.62 192.168.1.63 P-660HN-F1 User’s Guide...
Page 356: Table 136 Subnet 2
Similarly, use a 27-bit mask to create eight subnets (000, 001, 010, 011, 100, 101, 110 and 111). The following table shows IP address last octet values for each subnet. Table 139 Eight Subnets SUBNET LAST BROADCAST SUBNET FIRST ADDRESS ADDRESS ADDRESS ADDRESS P-660HN-F1 User’s Guide...
Page 357: Table 140 24-Bit Network Number Subnet Planning
SUBNET 255.255.128.0 (/17) 32766 255.255.192.0 (/18) 16382 255.255.224.0 (/19) 8190 255.255.240.0 (/20) 4094 255.255.248.0 (/21) 2046 255.255.252.0 (/22) 1022 255.255.254.0 (/23) 255.255.255.0 (/24) 255.255.255.128 (/25) 255.255.255.192 (/26) 1024 255.255.255.224 (/27) 2048 255.255.255.240 (/28) 4096 255.255.255.248 (/29) 8192 P-660HN-F1 User’s Guide...
Page 358: Configuring Ip Addresses
Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Address Space. P-660HN-F1 User’s Guide...
Page 359: Appendix D Wireless Lans
Intra-BSS traffic is traffic between wireless clients in the BSS. When Intra-BSS is enabled, wireless client A and B can access the wired network and communicate with each other. When Intra-BSS is disabled, wireless client A and B can still access the wired network but cannot communicate with each other. P-660HN-F1 User’s Guide...
Page 360: Figure 234 Basic Service Set
An ESSID (ESS IDentification) uniquely identifies each ESS. All access points and their associated wireless clients within the same ESS must have the same ESSID in order to communicate. P-660HN-F1 User’s Guide...
Page 361: Figure 235 Infrastructure Wlan
(AP) or wireless gateway, but out-of-range of each other, so they cannot "hear" each other, that is they do not know if the channel is currently being used. Therefore, they are considered hidden from each other. P-660HN-F1 User’s Guide...
Page 362: Figure 236 Rts/Cts
AP will fragment the packet into smaller data frames. A large Fragmentation Threshold is recommended for networks not prone to interference while you should set a smaller threshold for busy networks or networks that are prone to interference. P-660HN-F1 User’s Guide...
Page 363: Table 142 Ieee 802.11G
DQPSK (Differential Quadrature Phase Shift Keying) 5.5 / 11 CCK (Complementary Code Keying) 6/9/12/18/24/36/48/54 OFDM (Orthogonal Frequency Division Multiplexing) Wireless Security Overview Wireless security is vital to your network to protect wireless communication between wireless clients, access points and the wired network. P-660HN-F1 User’s Guide...
Page 364: Table 143 Wireless Security Levels
RADIUS is based on a client-server model that supports authentication, authorization and accounting. The access point is the client and the server is the RADIUS server. The RADIUS server handles the following tasks: • Authentication Determines the identity of the users. • Authorization P-660HN-F1 User’s Guide...
Page 365 EAP to interact with an EAP-compatible RADIUS server, an access point helps a wireless station and a RADIUS server perform authentication. The type of authentication you use depends on the RADIUS server and an intermediary AP(s) that supports IEEE 802.1x. . P-660HN-F1 User’s Guide...
Page 366 However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by Cisco. LEAP LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE 802.1x. P-660HN-F1 User’s Guide...
Page 367: Table 144 Comparison Of Eap Authentication Types
If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK depending on whether you have an external RADIUS server or not. Select WEP only when the AP and/or wireless clients do not support WPA or WPA2. WEP is less secure than WPA or WPA2. P-660HN-F1 User’s Guide...
Page 368 AP and does not need to go with the authentication process again. Pre-authentication enables fast roaming by allowing the wireless client (already connecting to an AP) to perform IEEE 802.1x authentication with another AP before connecting to it. P-660HN-F1 User’s Guide...
Page 369: Figure 237 Wpa(2) With Radius Application Example
(PSK) must consist of between 8 and 63 ASCII characters or 64 hexadecimal characters (including spaces and symbols). 2 The AP checks each wireless client's password and allows it to join the network only if the password matches. P-660HN-F1 User’s Guide...
Page 370: Figure 238 Wpa(2)-Psk Authentication
Enable without Dynamic WEP Key Open Enable with Dynamic WEP Key Enable without Dynamic WEP Key Disable Shared Enable with Dynamic WEP Key Enable without Dynamic WEP Key Disable TKIP/AES Enable WPA-PSK TKIP/AES Disable WPA2 TKIP/AES Enable WPA2-PSK TKIP/AES Disable P-660HN-F1 User’s Guide...
Page 371: Antenna Overview
The angle of the beam determines the width of the coverage pattern. Angles typically range from 20 degrees (very directional) to 120 degrees (less directional). Directional antennas are ideal for hallways and outdoor point-to-point applications. P-660HN-F1 User’s Guide...
Page 372 For a single AP application, place omni-directional antennas as close to the center of the coverage area as possible. For directional antennas, point the antenna in the direction of the desired coverage area. P-660HN-F1 User’s Guide...
Page 373: Appendix E Services
Finger is a UNIX or Internet related command that can be used to find out if a user is logged on. File Transfer Protocol, a program to enable fast transfer of files, including large files that may not be possible by e-mail. P-660HN-F1 User’s Guide...
Page 374 (TCP/IP or other). POP3S This is a more secure version of POP3 that runs over SSL. PPTP 1723 Point-to-Point Tunneling Protocol enables secure transfer of data over public networks. This is the control channel. P-660HN-F1 User’s Guide...
Page 375 Access Controller Access Control System). TELNET Telnet is the login and terminal emulation protocol common on the Internet and in UNIX environments. It operates over TCP/ IP networks. Its primary function is to allow users to log into remote host systems. P-660HN-F1 User’s Guide...
Page 376 Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol). VDOLIVE 7000 A videoconferencing solution. The UDP port number is specified in the application. user- defined P-660HN-F1 User’s Guide...
Page 377: Appendix F Internal Sptgen
DO NOT alter or delete any field except parameters in the Input column. This appendix introduces Internal SPTGEN. All menus shown in this appendix are example menus meant to show SPTGEN usage. Actual menus for your product may differ. P-660HN-F1 User’s Guide...
Page 378: Figure 240 Invalid Parameter Entered: Command Line Example
The name “ ” is the configuration filename on the ZyXEL Device. rom-t 4 Edit the " " file using a text editor (do not use a word processor). You must leave rom-t this FTP screen to edit. P-660HN-F1 User’s Guide...
Page 379: Figure 242 Internal Sptgen Ftp Download Example
200 Type I OK ftp> put rom-t ftp>bye Example Internal SPTGEN Screens This section covers ZyXEL Device Internal SPTGEN screens. Table 147 Abbreviations Used in the Example Internal SPTGEN Screens Table ABBREVIATION MEANING Field Identification Number Field Name P-660HN-F1 User’s Guide...
Page 380: Table 148 Menu 1 General Setup
= 256 30100015 = Output device filters Set 3 = 256 30100016 = Output device filters Set 4 = 256 / Menu 3.2 TCP/IP and DHCP Ethernet Setup INPUT 30200001 = DHCP <0(None) | 1(Server) | 2(Relay)> P-660HN-F1 User’s Guide...
Page 381: Table 149 Menu 3
Set 2 30201008 = IP Alias #1 Incoming protocol filters = 256 Set 3 30201009 = IP Alias #1 Incoming protocol filters = 256 Set 4 30201010 = IP Alias #1 Outgoing protocol filters = 256 Set 1 P-660HN-F1 User’s Guide...
Page 382 <0(No) | 1(Yes)> 30500003 = Channel ID <1|2|3|4|5|6| 7|8|9|10|11|1 2|13> 30500004 = RTS Threshold <0 ~ 2432> = 2432 30500005 = FRAG. Threshold <256 ~ 2432> = 2432 30500006 = <0(DISABLE) | 1(64-bit WEP) | 2(128-bit WEP)> P-660HN-F1 User’s Guide...
Page 383: Table 150 Menu 4 Internet Access Setup
<0(No) | 1(Yes)> 40000001 = <0(No) | 1(Yes)> 40000002 = Active <0(No) | 1(Yes)> 40000003 = ISP's Name = ChangeMe 40000004 = Encapsulation <2(PPPOE) | 3(RFC 1483)| 4(PPPoA )| 5(ENET ENCAP)> 40000005 = Multiplexing <1(LLC-based) | 2(VC-based) P-660HN-F1 User’s Guide...
Page 384 Peak Cell Rate (PCR) 40000029 = Sustain Cell Rate (SCR) 40000030 = Maximum Burst Size(MBS) 40000031= RIP Direction <0(None) | 1(Both) | 2(In Only) | 3(Out Only)> 40000032= RIP Version <0(Rip-1) | 1(Rip-2B) |2(Rip-2M)> 40000033= Nailed-up Connection <0(No) |1(Yes)> P-660HN-F1 User’s Guide...
Page 385 IP Static Route set #4, Name <Str> 120104002 = IP Static Route set #4, Active <0(No) |1(Yes)> 120104003 = IP Static Route set #4, Destination = 0.0.0.0 IP address 120104004 = IP Static Route set #4, Destination IP subnetmask P-660HN-F1 User’s Guide...
Page 386: Table 151 Menu 12
/ Menu 12.1.8 IP Static Route Setup INPUT 120108001 = IP Static Route set #8, Name <Str> 120108002 = IP Static Route set #8, Active <0(No) |1(Yes)> 120108003 = IP Static Route set #8, Destination = 0.0.0.0 IP address P-660HN-F1 User’s Guide...
Page 387 120111007 = IP Static Route set #11, Private <0(No) |1(Yes)> */ Menu 12.1.12 IP Static Route Setup INPUT 120112001 = IP Static Route set #12, Name <Str> 120112002 = IP Static Route set #12, Active <0(No) |1(Yes)> P-660HN-F1 User’s Guide...
Page 388 IP subnetmask 120115005 = IP Static Route set #15, Gateway = 0.0.0.0 120115006 = IP Static Route set #15, Metric 120115007 = IP Static Route set #15, Private <0(No) |1(Yes)> */ Menu 12.1.16 IP Static Route Setup INPUT P-660HN-F1 User’s Guide...
Page 389: Table 152 Menu 15 Sua Server Setup
SUA Server #5 Protocol <0(All)|6(TCP)|17(U DP)> 150000019 = SUA Server #5 Port Start 150000020 = SUA Server #5 Port End 150000021 = SUA Server #5 Local IP address = 0.0.0.0 150000022 = SUA Server #6 Active <0(No) | 1(Yes)> = P-660HN-F1 User’s Guide...
Page 390 SUA Server #12 Active <0(No) | 1(Yes)> 150000053 = SUA Server #12 Protocol <0(All)|6(TCP)|17(U DP)> 150000054 = SUA Server #12 Port Start 150000055 = SUA Server #12 Port End 150000056 = SUA Server #12 Local IP address = 0.0.0.0 P-660HN-F1 User’s Guide...
Page 391: Table 153 Menu 21.1 Filter Set #1
210102006 = IP Filter Set 1,Rule 2 Dest Port = 138 210102007 = IP Filter Set 1,Rule 2 Dest Port Comp <0(none)|1(equal) |2(not equal)|3(less)|4( greater)> 210102008 = IP Filter Set 1,Rule 2 Src IP address = 0.0.0.0 P-660HN-F1 User’s Guide...
Page 392 IP Filter Set 1,Rule 4 Type <2(TCP/IP)> 210104002 = IP Filter Set 1,Rule 4 Active <0(No)|1(Yes)> 210104003 = IP Filter Set 1,Rule 4 Protocol = 17 210104004 = IP Filter Set 1,Rule 4 Dest IP address = 0.0.0.0 P-660HN-F1 User’s Guide...
Page 393 IP Filter Set 1,Rule 5 Src Port Comp <0(none)|1(equal) |2(not equal)|3(less)|4( greater)> 210105013 = IP Filter Set 1,Rule 5 Act Match <1(check next)|2(forward)| 3(drop)> 210105014 = IP Filter Set 1,Rule 5 Act Not Match <1(Check Next) |2(Forward)|3(Dro p)> P-660HN-F1 User’s Guide...
Page 394: Table 154 Menu 21.1 Filer Set #2
IP Filter Set 2, Rule 1 Protocol 210201004 = IP Filter Set 2, Rule 1 Dest IP = 0.0.0.0 address 210201005 = IP Filter Set 2, Rule 1 Dest Subnet Mask 210201006 = IP Filter Set 2, Rule 1 Dest Port = 137 P-660HN-F1 User’s Guide...
Page 395 210202010 = IP Filter Set 2,Rule 2 Src Port 210202011 = IP Filter Set 2, Rule 2 Src Port <0(none)|1(equal)| Comp 2(not equal)|3(less)|4(g reater)> 210202013 = IP Filter Set 2, Rule 2 Act Match <1(check next)|2(forward)|3 (drop)> P-660HN-F1 User’s Guide...
Page 396 = 17 210204004 = IP Filter Set 2, Rule 4 Dest IP = 0.0.0.0 address 210204005 = IP Filter Set 2, Rule 4 Dest Subnet Mask 210204006 = IP Filter Set 2, Rule 4 Dest Port = 137 P-660HN-F1 User’s Guide...
Page 397 210205010 = IP Filter Set 2, Rule 5 Src Port 210205011 = IP Filter Set 2, Rule 5 Src Port <0(none)|1(equal)| Comp 2(not equal)|3(less)|4(g reater)> 210205013 = IP Filter Set 2, Rule 5 Act Match <1(check next)|2(forward)|3 (drop)> P-660HN-F1 User’s Guide...
Page 398: Table 155 Menu 23 System Menus
= 0.0.0.0 241100007 = WEB Server Port = 80 241100008 = WEB Server Access <0(all)|1(none)|2( Lan) |3(Wan)> 241100009 = WEB Server Secured IP address = 0.0.0.0 Table 155 Menu 23 System Menus */ Menu 23.1 System Password Setup P-660HN-F1 User’s Guide...
Page 399: Table 156 Menu 24.11 Remote Management Control
Table 157 Command Examples INPUT /ci command (for annex a): wan adsl opencmd INPUT 990000001 = ADSL OPMD <0(glite)|1(t1.413 )|2(gdmt)|3(multim ode)> /ci command (for annex B): wan adsl opencmd INPUT 990000001 = ADSL OPMD <0(etsi)|1(normal) |2(gdmt)|3(multimo de)> P-660HN-F1 User’s Guide...
Page 400 Appendix F Internal SPTGEN P-660HN-F1 User’s Guide...
Page 402 10 mW (10 dB) dans le cadre d'une installation WiFi en extérieur pour les fréquences comprises entre 2454 MHz et 2483,5 MHz. This Class B digital apparatus complies with Canadian ICES-003. P-660HN-F1 User’s Guide...
Page 403: Zyxel Limited Warranty
Registration Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com for global products, or at www.us.zyxel.com for North American products. P-660HN-F1 User’s Guide...
Page 404 Appendix G Legal Information P-660HN-F1 User’s Guide...
Page 405: Appendix H Customer Support
• Sales E-mail: sales@zyxel.com.tw • Telephone: +886-3-578-3942 • Fax: +886-3-578-2439 • Web: www.zyxel.com • Regular Mail: ZyXEL Communications Corp., 6 Innovation Road II, Science Park, Hsinchu 300, Taiwan China - ZyXEL Communications (Beijing) Corp. • Support E-mail: cso.zycn@zyxel.cn • Sales E-mail: sales@zyxel.cn •...
Page 406 Czech Republic • E-mail: info@cz.zyxel.com • Telephone: +420-241-091-350 • Fax: +420-241-091-359 • Web: www.zyxel.cz • Regular Mail: ZyXEL Communications, Czech s.r.o., Modranská 621, 143 01 Praha 4 - Modrany, Ceská Republika Denmark • Support E-mail: support@zyxel.dk • Sales E-mail: sales@zyxel.dk •...
Page 407 • Fax: +81-3-6847-3705 • Web: www.zyxel.co.jp • Regular Mail: ZyXEL Japan, 3F, Office T&U, 1-10-10 Higashi-Gotanda, Shinagawa-ku, Tokyo 141-0022, Japan Kazakhstan • Support: http://zyxel.kz/support • Sales E-mail: sales@zyxel.kz • Telephone: +7-3272-590-698 • Fax: +7-3272-590-689 • Web: www.zyxel.kz P-660HN-F1 User’s Guide...
Page 408 • Support Telephone: +1-800-978-7222 • Sales E-mail: sales@zyxel.com • Sales Telephone: +1-714-632-0882 • Fax: +1-714-632-0858 • Web: www.zyxel.com • Regular Mail: ZyXEL Communications Inc., 1130 N. Miller St., Anaheim, CA 92806- 2001, U.S.A. Norway • Support E-mail: support@zyxel.no • Sales E-mail: sales@zyxel.no •...
Page 409 • Support E-mail: support@zyxel.es • Sales E-mail: sales@zyxel.es • Telephone: +34-902-195-420 • Fax: +34-913-005-345 • Web: www.zyxel.es • Regular Mail: ZyXEL Communications, Arte, 21 5ª planta, 28033 Madrid, Spain Sweden • Support E-mail: support@zyxel.se • Sales E-mail: sales@zyxel.se • Telephone: +46-31-744-7700 •...
Page 410 • Sales E-mail: sales@zyxel.co.uk • Telephone: +44-1344-303044, 0845 122 0301 (UK only) • Fax: +44-1344-303034 • Web: www.zyxel.co.uk • Regular Mail: ZyXEL Communications UK Ltd., 11 The Courtyard, Eastern Road, Bracknell, Berkshire RG12 2XB, United Kingdom (UK) P-660HN-F1 User’s Guide...
Page 411: Index
141, 142, 146 traffic redirect 82, 86 Address Resolution Protocol, see ARP bandwidth management administrator password 40, 273 Basic Service Set, See BSS Advanced Encryption Standard Basic Service Set, see BSS See AES. broadcast 126, 359 alerts example P-660HN-F1 User’s Guide...
Page 412 Class of Service, see CoS customized services 161, 162, 163 classifiers 802.1Q tags activation configuration creation DSCP 234, 235 data fragment threshold 114, 123 priority default server, NAT 138, 139 remote node deletion, certificates routing policy P-660HN-F1 User’s Guide...
Page 413 WPA-PSK packet filtering pre-shared key rules 158, 166 ENET ENCAP 72, 77, 82 schedules enrollment security options, certificates status protocols, certificates three-way handshake triangle route 157, 168, 169 solutions exporting firmware 290, 295 remote hosts, certificates P-660HN-F1 User’s Guide...
Page 414 81, 152, 254 limitations IEEE 802.11g wireless LAN IGMP 70, 90, 92, 101, 123 snooping 114, 123 Local Area Network, see LAN login importing directory servers cerfiticates passwords 39, 40 remote hosts logs remote hosts, certificates alerts trusted CA P-660HN-F1 User’s Guide...
Page 415 78, 135, 136, 143, 144, 358 users activation address mapping 74, 80, 85 rules Peak Cell Rate, see PCR types 141, 142, 146 196, 201, 205 applications PIN, WPS 117, 118, 129 IP alias example default server IP address 138, 139 P-660HN-F1 User’s Guide...
Page 416 RTS (Request To Send) DiffServ threshold 361, 362 DSCP 234, 235, 238 RTS threshold 114, 123 example rules, port forwarding IP precedence monitor priority queue remote node routing policy safety warnings Quality of Service, see QoS SCEP schedules P-660HN-F1 User’s Guide...
Page 417 TR-069 DSL connections trademarks firewalls traffic priority 217, 225 firmware version traffic redirect 82, 86 traffic shaping packet statistics example wireless LAN triangle route 157, 168, 169 WLAN solutions trusted CA 196, 198 136, 137 algorithm P-660HN-F1 User’s Guide...
Page 418 72, 78, 83 channel 107, 123 configuration encryption 108, 125 example fragmentation threshold 114, 123 IGMP snooping IGMP snooping ATM QoS 74, 80, 86 limitations backup MAC address filter 106, 108, 114, 115, 124 DSL link P-660HN-F1 User’s Guide...
Page 419 111, 126, 367 authentication key caching pre-authentication reauthentication user authentication vs WPA-PSK wireless client supplicant with RADIUS application example WPA2 user authentication vs WPA2-PSK wireless client supplicant with RADIUS application example WPA2-Pre-Shared Key WPA2-PSK 367, 368 P-660HN-F1 User’s Guide...
Page 420 Index P-660HN-F1 User’s Guide...

ZyXEL Communications P-660HN-F1 User Manual

About this User's Guide

Document Conventions

Safety Warnings

Contents Overview

Table of Contents

List of Figures

List of Tables

Introduction

PART I Introduction

Chapter 1 Introducing the Zyxel Device

Chapter 2 Introducing the Web Configurator

Chapter 3 Status Screens

Wizard

Part II: Wizard

Chapter 4 Internet and Wireless Setup Wizard

Network

Part III: Network

Chapter 5 WAN Setup

Chapter 6 LAN Setup

Chapter 7 Wireless LAN

Chapter 8 Network Address Translation (NAT)

Security

Part IV: Security

Quick Links

Troubleshooting

Related Manuals for ZyXEL Communications P-660HN-F1

Summary of Contents for ZyXEL Communications P-660HN-F1