ZyXEL Communications SBG3300-N000 User Manual


Wireless N VDSL2 Combo WAN Small Business Security Gateway

SBG3300-N Series
Wireless N VDSL2 Combo WAN Small Business Security Gateway
Version 1.00
Edition 1, 3/2013
Quick Start Guide
User's Guide
Default Login Details
LAN IP Address: http://192.168.1.1
User Name: admin
Password: 1234
www.zyxel.com
Copyright © 2013 ZyXEL Communications Corporation


Summary of Contents for ZyXEL Communications SBG3300-N000

  • Page 1 SBG3300-N Series Wireless N VDSL2 Combo WAN Small Business Security Gateway Version 1.00 Edition 1, 3/2013 Quick Start Guide User’s Guide Default Login Details LAN IP Address http://192.168.1.1 User Name admin Password 1234 www.zyxel.com Copyright © 2013 ZyXEL Communications Corporation...
  • Page 2 IMPORTANT! READ CAREFULLY BEFORE USE. KEEP THIS GUIDE FOR FUTURE REFERENCE. Screenshots and graphics in this book may differ slightly from your product due to differences in your product firmware or your computer operating system. Every effort has been made to ensure that the information in this manual is accurate.
  • Page 3: Table Of Contents

    Contents Overview: User’s Guide 15; Introducing the Device 17; The Web Configurator 23; Quick Start 31; Tutorials 35; Technical Reference 113; Status Screens 115; Broadband 119; Wireless 147; LAN 177; Routing 199; Quality of Service (QoS) 205; Network Address Translation (NAT) 223; Dynamic DNS Setup 239; Interface Group 243...
  • Page 4 Contents Overview: Firmware Upgrade 345; Configuration 347; Diagnostic 350; Troubleshooting 355 SBG3300-N Series User’s Guide...
  • Page 5: Table Of Contents

    Table of Contents: Contents Overview 3; Table of Contents 5; Part I: User’s Guide 15; Chapter 1 Introducing the Device 17; 1.1 Overview 17; 1.2 Ways to Manage the Device 17; 1.3 Good Habits for Managing the Device 17; 1.4 Applications for the Device 18; 1.4.1 Internet Access 18; 1.4.2 Device’s USB Support 19...
  • Page 6 Table of Contents: 4.3.1 Configuring the Wireless Network Settings 38; 4.3.2 Using WPS 40; 4.3.3 Without WPS 43; 4.4 Setting Up Multiple Wireless Groups 44; 4.5 Configuring Static Route for Routing to Another Network 47; 4.6 Configuring QoS Queue and Class Setup 50; 4.7 Access the Device Using DDNS 53; 4.7.1 Registering a DDNS Account on www.dyndns.org 53; 4.7.2 Configuring DDNS on Your Device 54...
  • Page 7 Table of Contents: 6.1 Overview 119; 6.1.1 What You Can Do in this Chapter 119; 6.1.2 What You Need to Know 120; 6.1.3 Before You Begin 123; 6.2 The Broadband Screen 123; 6.2.1 Add/Edit Internet Connection 125; 6.3 The 3G WAN Screen 133; 6.4 The Add New 3G Dongle Screen 136; 6.4.1 Add 3G Dongle Information 136; 6.5 The Advanced Screen 137...
  • Page 8 Table of Contents: Chapter 8 LAN 177; 8.1 Overview 177; 8.1.1 What You Can Do in this Chapter 177; 8.1.2 What You Need To Know 178; 8.1.3 Before You Begin 179; 8.2 The LAN Setup Screen 179; 8.3 The Static DHCP Screen 182; 8.4 The UPnP Screen 184; 8.5 Installing UPnP in Windows Example 185; 8.6 Using UPnP in Windows XP Example 188...
  • Page 9 Table of Contents: Chapter 11 Network Address Translation (NAT) 223; 11.1 Overview 223; 11.1.1 What You Can Do in this Chapter 223; 11.1.2 What You Need To Know 223; 11.2 The Port Forwarding Screen 224; 11.2.1 Add/Edit Port Forwarding 226; 11.3 The Applications Screen 227; 11.3.1 Add New Application 228; 11.4 The Port Triggering Screen 228...
  • Page 10 Table of Contents: 14.2.1 Before You Begin 248; Chapter 15 Firewall 251; 15.1 Overview 251; 15.1.1 What You Can Do in this Chapter 251; 15.1.2 What You Need to Know 252; 15.2 The Firewall Screen 253; 15.3 The Service Screen 253; 15.3.1 Add/Edit a Service 255; 15.4 The Access Control Screen 256; 15.4.1 Add/Edit an ACL Rule 257...
  • Page 11 Table of Contents: Chapter 20 IPSec VPN 277; 20.1 Overview 277; 20.2 What You Can Do in this Chapter 277; 20.3 What You Need To Know 278; 20.4 The Setup Screen 278; 20.4.1 Add/Edit VPN Rule 279; 20.4.2 The VPN Connection Add/Edit Screen 280; 20.4.3 The Default_L2TPVPN IPSec VPN Rule 286; 20.5 The IPSec VPN Monitor Screen 287; 20.6 The Radius Screen 287...
  • Page 12 Table of Contents: 23.2 The System Log Screen 308; 23.3 The Security Log Screen 309; Chapter 24 Network Status 311; 24.1 Overview 311; 24.1.1 What You Can Do in this Chapter 311; 24.2 The WAN Status Screen 311; 24.3 The LAN Status Screen 312; Chapter 25 ARP Table...
  • Page 13 Table of Contents: 31.1 Overview 331; 31.2 The TR-069 Client Screen 331; Chapter 32 SNMP 333; 32.1 The SNMP Agent Screen 333; Chapter 33 Time 335; 33.1 Overview 335; 33.2 The Time Screen 335; Chapter 34 E-mail Notification 339; 34.1 Overview 339; 34.2 The Email Notification Screen 339...
  • Page 14 Table of Contents: Chapter 39 Troubleshooting 355; 39.1 Power, Hardware Connections, and LEDs 355; 39.2 Device Access and Login 356; 39.3 Internet Access 358; 39.4 Wireless Internet Access 359; 39.5 USB Device Connection 360; 39.6 UPnP 360; Appendix A Setting up Your Computer’s IP Address 363; Appendix B IP Addresses and Subnetting...
  • Page 15: User's Guide

    User’s Guide...
  • Page 17: Introducing The Device

    Chapter 1 Introducing the Device 1.1 Overview The VMG1312-B Series is a wireless VDSL router and Gigabit Ethernet gateway. It has one DSL port and Gigabit Ethernet for super-fast Internet access over analog (POTS) telephone lines. The Device supports both Packet Transfer Mode (PTM) and Asynchronous Transfer Mode (ATM).
  • Page 18: Applications For The Device

    Chapter 1 Introducing the Device 1.4 Applications for the Device Here are some example uses for which the Device is well suited. 1.4.1 Internet Access Your Device provides shared Internet access by connecting the DSL port to the DSL or MODEM jack on a splitter or your telephone jack.
  • Page 19: Device's Usb Support

    Chapter 1 Introducing the Device You can also configure IP filtering on the Device for secure Internet access. When the IP filter is on, all incoming traffic from the Internet to your network is blocked by default unless it is initiated from your network.
  • Page 20: Leds

    Chapter 1 Introducing the Device None of the LEDs are on if the Device is not receiving power. Table 1 LED Descriptions COLOR STATUS DESCRIPTION POWER Green The Device is receiving power and ready for use. Blinking The Device is self-testing. The Device detected an error while self-testing, or there is a device malfunction.
  • Page 21: The Reset Button

    Chapter 1 Introducing the Device 1.6 The RESET Button If you forget your password or cannot access the web configurator, you will need to use the RESET button at the back of the device to reload the factory-default configuration file. This means that you will lose all configurations that you had previously and the password will be reset to “1234”.
  • Page 23: The Web Configurator

    Chapter 2 The Web Configurator 2.1 Overview The web configurator is an HTML-based management interface that allows easy device setup and management via Internet browser. Use Internet Explorer 6.0 and later versions or Mozilla Firefox 3 and later versions or Safari 2.0 and later versions. The recommended screen resolution is 1024 by 768 pixels.
  • Page 24 Chapter 2 The Web Configurator The following screen displays if you have not yet changed your password. It is strongly recommended you change the default password. Enter a new password, retype it to confirm and click Apply; alternatively click Skip to proceed to the main menu if you do not want to change the password now.
  • Page 25: Web Configurator Layout

    Chapter 2 The Web Configurator 2.2 Web Configurator Layout Figure 8 Screen Layout As illustrated above, the main screen is divided into these parts: • A - title bar • B - main window • C - navigation panel 2.2.1 Title Bar The title bar provides some icons in the upper right corner.
  • Page 26: Main Window

    Chapter 2 The Web Configurator 2.2.2 Main Window The main window displays information and configuration fields. It is discussed in the rest of this document. See Chapter 5 on page 115 for more information about the Status screen. If you click Virtual Device on the System Info screen, a graphic shows the connection status of the Device’s ports.
  • Page 27 Chapter 2 The Web Configurator Table 3 Navigation Panel Summary (continued) LINK FUNCTION Wireless General Use this screen to configure the wireless LAN settings and WLAN authentication/security settings. More AP Use this screen to configure multiple BSSs on the Device. Use this screen to block or allow wireless traffic from wireless devices Authentication of certain SSIDs and MAC addresses to the Device.
  • Page 28 Chapter 2 The Web Configurator Table 3 Navigation Panel Summary (continued) LINK FUNCTION Firewall General Use this screen to configure the security level of your firewall. Service Use this screen to add Internet services and configure firewall rules. Access Control Use this screen to enable specific traffic directions for network services.
  • Page 29 Chapter 2 The Web Configurator Table 3 Navigation Panel Summary (continued) LINK FUNCTION TR-069 Client Use this screen to configure the Device to be managed by an Auto Configuration Server (ACS). SNMP Use this screen to enable/disable and configure settings for SNMP. Time Use this screen to change your Device’s time and date.
  • Page 31: Quick Start

    Chapter 3 Quick Start 3.1 Overview Use the Quick Start screens to configure the Device’s time zone, basic Internet access, and wireless settings. Note: See the technical reference chapters (starting on page 113) for background information on the features in this chapter. 3.2 Quick Start Setup The Quick Start Wizard appears automatically after login.
  • Page 32 Chapter 3 Quick Start Select your current WAN interface to configure its settings. Figure 11 WAN Interface Selection Enter your Internet connection information in this screen. The screen and fields to enter may vary depending on your current connection type. Click Next. Click Next. Figure 12 Internet Connection SBG3300-N Series User’s Guide...
  • Page 33 Chapter 3 Quick Start Turn the wireless LAN on or off. If you keep it on, record the security settings so you can configure your wireless clients to connect to the Device. Click Save. Figure 13 Internet Connection Your Device saves your settings and attempts to connect to the Internet. SBG3300-N Series User’s Guide...
  • Page 35: Tutorials

    Chapter 4 Tutorials 4.1 Overview This chapter shows you how to use the Device’s various features. • Setting Up an ADSL PPPoE Connection, see page 35 • Setting Up a Secure Wireless Network, see page 38 • Setting Up Multiple Wireless Groups, see page 44 •...
  • Page 36 Chapter 4 Tutorials General Name MyDSLConnection Type ADSL Connection Mode Routing Encapsulation PPPoE IPv6/IPv4 Mode IPv4 ATM PVC Configuration VPI/VCI 36/48 Encapsulation Mode LLC/SNAP-Bridging Service Category UBR without PCR Account Information PPP User Name 1234@DSL-Ex.com PPP Password ABCDEF! PPPoE Service Name MyDSL Static IP Address 192.168.1.32...
  • Page 37 Chapter 4 Tutorials Click Apply to save your settings. SBG3300-N Series User’s Guide...
  • Page 38: Setting Up A Secure Wireless Network

    Chapter 4 Tutorials You should see a summary of your new DSL connection setup in the Broadband screen as follows. Try to connect to a website to see if you have correctly set up your Internet connection. Be sure to contact your service provider for any information you need to configure the WAN screens.
  • Page 39 Chapter 4 Tutorials Click Network Setting > Wireless to open the General screen. Select More Secure as the security level and WPA-PSK as the security mode. Configure the screen using the provided parameters (see page 38). Click Apply. Go to the Wireless > Others screen and select 802.11b/g/n Mixed in the 802.11 Mode field. Click Apply.
  • Page 40: Using Wps

    Chapter 4 Tutorials 4.3.2 Using WPS This section shows you how to set up a wireless network using WPS. It uses the Device as the AP and ZyXEL NWD210N as the wireless client which connects to the notebook. Note: The wireless client must be a WPS-aware device (for example, a WPS USB adapter or PCMCIA card).
  • Page 41 Chapter 4 Tutorials Note: Your Device has a WPS button located on its front panel as well as a WPS button in its configuration utility. Both buttons have exactly the same function: you can use one or the other. Note: It doesn’t matter which device’s WPS you enable first, but you must enable the second device’s WPS within two minutes of enabling the first one.
  • Page 42 Chapter 4 Tutorials PIN Configuration When you use the PIN configuration method, you need to use both the Device’s web configurator and the wireless client’s utility. Launch your wireless client’s configuration utility. Go to the WPS settings and select the PIN method to get a PIN number.
  • Page 43: Without Wps

    Chapter 4 Tutorials The following figure shows you how to set up a wireless network and its security on a Device and a wireless client by using PIN method. Example WPS Process: PIN Method Wireless Client ZyXEL Device WITHIN 2 MINUTES Authentication by PIN SECURITY INFO COMMUNICATION...
  • Page 44: Setting Up Multiple Wireless Groups

    Chapter 4 Tutorials 4.4 Setting Up Multiple Wireless Groups Company A wants to create different wireless network groups for different types of users as shown in the following figure. Each group has its own SSID and security mode. Company Guest •...
  • Page 45 Chapter 4 Tutorials Click Network Setting > Wireless to open the General screen. Use this screen to set up the company’s general wireless network group. Configure the screen using the provided parameters and click Apply. Click Network Setting > Wireless > More AP to open the following screen. Click the Edit icon to configure the second wireless network group.
  • Page 46 Chapter 4 Tutorials Configure the screen using the provided parameters and click Apply. In the More AP screen, click the Edit icon to configure the third wireless network group. SBG3300-N Series User’s Guide...
  • Page 47: Configuring Static Route For Routing To Another Network

    Chapter 4 Tutorials Configure the screen using the provided parameters and click Apply. Check the status of VIP and Guest in the More AP screen. The yellow bulbs signify that the SSIDs are active and ready for wireless access. 4.5 Configuring Static Route for Routing to Another Network In order to extend your Intranet and control traffic flowing directions, you may connect a router to the Device’s LAN.
  • Page 48 Chapter 4 Tutorials network) to computer B (in N2 network), the traffic is sent to the Device’s WAN default gateway by default. In this case, B will never receive the traffic. You need to specify a static routing rule on the Device to specify R as the router in charge of forwarding traffic to N2.
  • Page 49 Chapter 4 Tutorials Table 4 IP Settings in this Tutorial DEVICE / COMPUTER IP ADDRESS R’s N2 192.168.10.2 192.168.10.33 To configure a static route to route traffic from N1 to N2: Log into the Device’s Web Configurator in advanced mode. Click Network Setting >...
  • Page 50: Configuring Qos Queue And Class Setup

    Chapter 4 Tutorials 4.6 Configuring QoS Queue and Class Setup This section contains tutorials on how you can configure the QoS screen. Let’s say you are a team leader of a small sales branch office. You want to prioritize e-mail traffic because your task includes sending urgent updates to clients at least twice every hour.
  • Page 51 Chapter 4 Tutorials Click Network Setting > QoS > General and select Enable. Set your WAN Managed Upstream Bandwidth to 10,000 kbps (or leave this blank to have the Device automatically determine this figure). Click Apply. Tutorial: Advanced > QoS Click Queue Setup >...
  • Page 52 Chapter 4 Tutorials Click Class Setup > Add new Classifier to create a new class. Check Active and follow the settings as shown in the screen below. Tutorial: Advanced > QoS > Class Setup Class Name Give a class name to this traffic, such as E-mail in this example. From This is the interface from which the traffic will be coming from.
  • Page 53: Access The Device Using Ddns

    Chapter 4 Tutorials This maps e-mail traffic coming from port 25 to the highest priority, which you have created in the previous screen (see the IP Protocol field). This also maps your computer’s IP address and MAC address to the E-mail queue (see the Source fields). Verify that the queue setup works by checking Network Setting >...
  • Page 54: Configuring Ddns On Your Device

    Chapter 4 Tutorials 4.7.2 Configuring DDNS on Your Device Configure the following settings in the Network Setting > DNS > Dynamic DNS screen. • Select Enable Dynamic DNS. • Select www.DynDNS.com as the service provider. • Type zyxelrouter.dyndns.org in the Host Name field. •...
  • Page 55: Configuring The Mac Address Filter

    Chapter 4 Tutorials 4.8 Configuring the MAC Address Filter Thomas noticed that his daughter Josephine spends too much time surfing the web and downloading media files. He decided to prevent Josephine from accessing the Internet so that she can concentrate on preparing for her final exams. Josephine’s computer connects wirelessly to the Internet through the Device.
  • Page 56: Access Your Shared Files From A Computer

    Chapter 4 Tutorials Thomas can also grant access to the computers of other members of his family and friends. However, Josephine and others not listed in this screen will no longer be able to access the Internet through the Device. 4.9 Access Your Shared Files From a Computer Here is how to enable the Samba feature on the Device and access a file storage device connected to the Device’s USB port.
  • Page 57: Certificate Configuration For Vpn

    Chapter 4 Tutorials In this example, the FileZilla program is used to browse shared files. In FileZilla, enter the IP address of the Device (the default is 192.168.1.1), your account’s user name and password and port 21 and click Quickconnect. A screen asking for password authentication appears. File Sharing via Windows Explorer Once you log in the USB device displays in the folder.
  • Page 58 Chapter 4 Tutorials Browse the directory in Fedora, or another system, which contains your CA certificate (e.g., cacert.pem), then click OK. In the Security > Certificates > Local Certificates screen, click Create Certificate Request. Enter your information as shown in the following screen and click Apply. SBG3300-N Series User’s Guide...
  • Page 59 Chapter 4 Tutorials The contents of the certificate display in the View Certificate screen. Copy the Signing Request section and paste it to a file (for example, sbg.req) in Fedora, or another system, which contains your original CA certificate. In Fedora, issue the following openssl command to generate the host certificate for the Device: openssl ca -config ./openssl.conf -policy policy_anything -out sbg.pem -infiles sbg.req Click the Load_Signed button in the View Certificate screen.
  • Page 60: Examples Of Configuring Ipsec Vpn Rules

    Chapter 4 Tutorials 10 Now you may configure VPN to use the new certificate for authentication in the VPN > IPSec VPN > Monitor screen. 4.11 Examples of Configuring IPSec VPN Rules The first two examples show how to configure Site-to-Site rules with pre-shared secrets. The first example uses 3DES encryption and the second one uses AES128.
  • Page 61 Chapter 4 Tutorials Authentication SHA1 Key Group Phase 2 SA Life Time 3600 Tunnel Mode Encapsulation Tunnel Encryption 3DES Authentication SHA1 Policy Local IP Type Subnet Local IP Address 192.168.1.0 Local Subnet Mask 255.255.255.0 Remote IP Type Subnet Remote IP Address 172.23.9.0 Remote Subnet Mask 255.255.255.0...
  • Page 62 Chapter 4 Tutorials You can see the new IPSec VPN rule you’ve just created in the VPN > IPSec VPN > Monitor screen. Select this rule and click Connect. SBG3300-N Series User’s Guide...
  • Page 63: Example 2: Use Aes128 Encryption

    Chapter 4 Tutorials 4.11.2 Example 2: Use AES128 Encryption Here is another example of creating a Gateway-to-Gateway IPSec VPN rule with pre-shared secrets. Click the Add New Entry button in the VPN > IPSec VPN > Setup screen. Enter vpn2 as the Connection Name. Remove the existing encryption by clicking Remove icon or Reset button.
  • Page 64: Example 3: Configuring A Site-To-Site With Dynamic Peer Rule

    Chapter 4 Tutorials You can see the new IPSec VPN rule you’ve just created in the VPN > IPSec VPN > Monitor screen. Select this rule and click Connect. 4.11.3 Example 3: Configuring a Site-to-Site with Dynamic Peer Rule Select Site-to-Site with Dynamic Peer in the Application Scenario field in the General section.
  • Page 65: Pptp Vpn Tutorial

    Chapter 4 Tutorials Note: The Peer Gateway Address is not shown in the screen because it is an unknown IP address to the remote access VPN client. Note: The policy for the remote VPN client is not shown in the screen because it is an unknown to the remote access VPN client.
  • Page 66: Configuring Pptp Vpn On Windows (Client)

    Chapter 4 Tutorials • Click Apply. 4.12.2 Configuring PPTP VPN on Windows (Client) The following sections cover how to configure PPTP in remote user computers using Windows 7, Vista and XP. The example settings in these sections match the PPTP VPN configuration example in Section 4.12 on page On Windows 7 and Vista On Windows 7 and Vista, do the following to establish a PPTP VPN connection.
  • Page 67 Chapter 4 Tutorials Select No, create a new connection. Click Next. Select Use my Internet connection (VPN). SBG3300-N Series User’s Guide...
  • Page 68 Chapter 4 Tutorials Enter the domain name or WAN IP Address that you want to connect to (172.16.1.2 in this example) and give this connection a name. Select Don't connect now; just set it up so I can connect later. Click Next. Click Create.
  • Page 69 Chapter 4 Tutorials Click Close. Do not connect yet. Click the Network icon in your system tray, then click Network and Sharing Center on Vista or Open Network and Sharing Center on Windows 7. On Windows 7 On Vista SBG3300-N Series User’s Guide...
  • Page 70 Chapter 4 Tutorials On Vista, click Manage Network Connections. On Windows 7, click Change adapter settings. SBG3300-N Series User’s Guide...
  • Page 71 Chapter 4 Tutorials 10 Double-click the new connection icon. 11 The connection screen appears. Click Properties. 12 The Properties window appears. Click Security. SBG3300-N Series User’s Guide...
  • Page 72 Chapter 4 Tutorials 13 (Vista) Select Advanced (custom settings) radio button and click Settings. 14 (Vista) Select Maximum strength encryption (disconnect if server declines) and the Allow these protocols radio button. Select Microsoft CHAP Version 2 (MS-CHAP v2) and clear all of the other check boxes.
  • Page 73 Chapter 4 Tutorials 15 (Vista) Click Networking. Select PPTP IPsec VPN as the Type of VPN. Then click OK. 16 (Windows 7) Select Point to Point Tunneling Protocol (PPTP) as the Type of VPN. Select Maximum strength encryption (disconnect if server declines) and the Allow these protocols radio button.
  • Page 74 Chapter 4 Tutorials 17 In the Connect window, enter the username and password of your Device’s account. Click Connect. Note: The user account must have been configured in the Maintenance > User Account screen. Refer to Chapter 29 on page 325.
  • Page 75 Chapter 4 Tutorials 20 The Network and Sharing Center windows appear. You can view the connection status or disconnect the connection. Click View Status to open the connection status screen. 21 (Windows 7) Click the Network icon in your system tray, then right click the PPTP connection and select Status to open the connection status screen.
  • Page 76 Chapter 4 Tutorials 22 From the status screen, you can disconnect this connection. Or you can click Details to see the connection details. The address 10.1.1.1 and 10.1.1.17 are addresses allocated from the PPTP IP Address Pool you configured on the Device (10.1.1.1 - 10.1.1.32). 23 Access a server or other network resource on subnet 192.168.1.0 behind the Device to make sure your access works.
  • Page 77 Chapter 4 Tutorials Select Connect to the network at my workplace and click Next. Select Virtual Private Network connection and click Next. Type your Company Name, use PPTP to SBG3300 in this example, and click Next. SBG3300-N Series User’s Guide...
  • Page 78 Chapter 4 Tutorials Select Do not dial the initial connection and click Next. Enter the domain name or WAN IP address that you want to connect to (172.16.1.2 in this example). Click Next. Click Finish. SBG3300-N Series User’s Guide...
  • Page 79 Chapter 4 Tutorials The connection screen appears. Click Properties > Security. Select Advanced (custom settings) and click Settings. 10 Select Maximum strength encryption (disconnect if server declines) and the Allow these protocols radio button. Select Microsoft CHAP Version 2 (MS-CHAP v2) and clear all of other check boxes.
  • Page 80 Chapter 4 Tutorials 11 Click Networking. Select PPTP IPSec VPN as the Type of VPN. Click OK. 12 Enter the user name and password of your user account configured on the Device. Click Connect. 13 A window appears after the username and password are verified. The connection is then established.
  • Page 81: Configuring Pptp Vpn On Android Devices (Client)

    Chapter 4 Tutorials 15 From the status screen, you can disconnect this connection. Or you can click Details to see the connection details. The address 10.1.1.1 and 10.1.1.17 are addresses allocated from the PPTP IP Address Pool you configured on the Device (10.1.1.1 - 10.1.1.32). 16 Access a server or other network resource on subnet 192.168.1.0 behind the Device to make sure your access works.
  • Page 82 Chapter 4 Tutorials On your Android device, select Home > Settings > Wireless and network > VPN settings. Select Add VPN > Add PPTP VPN. Fill out the following fields. • VPN Name: Enter a name for your VPN configuration. •...
  • Page 83: Configuring Pptp Vpn In Ios Devices (Client)

    Chapter 4 Tutorials The new configuration will appear on the VPN settings screen. You can click the VPN name to begin PPTP connection. Enter the username and password of your user account configured on the Device. Note: The user account must have been configured in the Maintenance > User Account screen.
  • Page 84 Chapter 4 Tutorials On your iOS device, select Home > Settings > General > Network. Select VPN > Add VPN Configuration…. Select the PPTP tab. Enter the following fields. • Description: Enter a name for your VPN configuration. • Server: This is the WAN IP address of the Device, in this example, 172.16.1.2. •...
  • Page 85: L2Tp Vpn Tutorial

    Chapter 4 Tutorials • Send All Traffic: This example uses the route-all configuration (ON). Save the configuration. The saved configuration will appear on the VPN screen. Select it and then slide the VPN bar to the ON position. Your iOS device will begin PPTP connection. 4.13 L2TP VPN Tutorial This section illustrates how to set up a basic L2TP VPN tunnel between the Device and a remote client.
  • Page 86: Configuring The Default_L2Tpvpn Ipsec Vpn Rule (Server)

    Chapter 4 Tutorials The example uses the following settings in setting up a basic L2TP VPN tunnel. Figure 15 L2TP VPN Example 172.16.1.2 L2TP VPN IP Address Pool: 10.2.1.1 - 10.2.1.32 LAN Subnet #1: 192.168.1.0/24 LAN Subnet #2: 192.168.2.0/24 • The Device has a static IP address of 172.16.1.2 for the DSL WAN interface. •...
  • Page 87: Configuring The L2Tp Vpn Setup (Server)

    Chapter 4 Tutorials Click Apply. 4.13.2 Configuring the L2TP VPN Setup (Server) Go to the VPN > L2TP VPN > Setup screen and configure the following: • Select the Enable checkbox. • Set Access Group 1 to 192.168.2.0/255.255.255.0. • Select DNS as User Defined and enter a DNS server address. The DNS server address in this example is 8.8.8.8.
  • Page 88: Configuring L2Tp Vpn In Windows (Client)

    Chapter 4 Tutorials 4.13.3 Configuring L2TP VPN in Windows (Client) The following sections cover how to configure L2TP on the remote user computers using Windows 7, Vista and XP. The example settings in these sections match the L2TP VPN configuration example in Section on page 4.13.3.1 Enabling IPSec Service in Windows By default, a Windows computer should have IPSec service enabled.
  • Page 89 Chapter 4 Tutorials In the Services window, scroll down to find IPsec Policy Agent. Make sure the status is Started. If not, click Start the service in the left panel. For Windows XP Click Start > Run and enter "services.msc" in the text box. Click OK. SBG3300-N Series User’s Guide...
  • Page 90: Configuring L2Tp Vpn On Windows 7 And Vista

    Chapter 4 Tutorials In the Services window, scroll down to find IPSEC Services. Make sure the status is Started. If not, click Start the service in the left panel. 4.13.4 Configuring L2TP VPN on Windows 7 and Vista In Windows 7 and Vista do the following to establish an L2TP VPN connection. Click Start >...
  • Page 91 Chapter 4 Tutorials Click Network and Sharing Center > Setup a connection or network > Connect to a workplace. Click Next. Select No, create a new connection. Click Next. SBG3300-N Series User’s Guide...
  • Page 92 Chapter 4 Tutorials Select Use my Internet connection (VPN). Enter the domain name or WAN IP Address that you want to connect to (172.16.1.2 in this example) and give this connection a name. Select Don't connect now; just set it up so I can connect later.
  • Page 93 Chapter 4 Tutorials Click Create. Enter the user name and password later. Click Close. Do not connect yet.
  • Page 94 Chapter 4 Tutorials Click the Network icon in your system tray, then click Network and Sharing Center on Vista or Open Network and Sharing Center on Windows 7. On Windows 7 On Vista On Vista, click Manage Network Connections.
  • Page 95 Chapter 4 Tutorials 10 On Windows 7, click Change adapter settings. 11 Double-click the new connection icon.
  • Page 96 Chapter 4 Tutorials 12 The connection screen appears. Click Properties. 13 The Properties window appears. Click Security. 14 (Windows 7) Select Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec) as the Type of VPN. Select the Optional encryption (connect even if no encryption) and the Allow these protocols radio button.
  • Page 97 Chapter 4 Tutorials 15 (Windows 7) Click Advanced settings. Select the Use preshared key for authentication radio button. Enter the pre-shared key used in the IPSec configuration that the Device is using for Default_L2TPVPN IPSec VPN rule. In this example, enter 1234567890. Click OK to return to the Connect window.
  • Page 98 Chapter 4 Tutorials 17 (Vista) Select Optional encryption (connect even if no encryption) and the Allow these protocols radio button. Select Microsoft CHAP Version 2 (MS-CHAP v2) and clear all of the other check boxes. Click OK. 18 (Vista) Click Networking. Select L2TP IPsec VPN as the Type of VPN. Then click IPsec Settings.
  • Page 99 Chapter 4 Tutorials 19 (Vista) The IPsec Settings screen appears. Select the Use preshared key for authentication radio button. Enter the pre-shared key used in the IPSec configuration that the Device is using for the Default_L2TPVPN IPSec VPN rule, in this example, enter 1234567890. Click OK. 20 Enter the username and password of your user account configured on the Device.
  • Page 100 Chapter 4 Tutorials 22 (Windows 7) Click the Network icon in your system tray, then right click the L2TP connection and select Status to open the connection status screen. 23 From the status screen, you can disconnect this connection. Or you can click Details to see the connection details.
  • Page 101: Configuring L2Tp Vpn On Windows Xp

    Chapter 4 Tutorials 24 (Vista) Click the Network icon in your system tray, then click the L2TP connection. 25 (Vista) The Network and Sharing Center windows appear. You can view the connection status or disconnect the connection. Click View Status to open the connection status screen. 26 Access a server or other network resource on subnet 192.168.2.0 behind the Device to make sure your access works.
  • Page 102 Chapter 4 Tutorials Click Start > Control Panel > Network Connections. Select Create a new connection. Click Next in the welcome screen. Select Connect to the network at my workplace and click Next.
  • Page 103 Chapter 4 Tutorials Select Virtual Private Network connection and click Next. Type your Company Name, in this example, use L2TP to SBG3300, and click Next. Select Do not dial the initial connection and click Next.
  • Page 104 Chapter 4 Tutorials Enter the domain name or WAN IP address that you want to connect to (use 172.16.1.2 in this example). Click Next. Click Finish. 10 The connection screen appears. Click Properties > Security. Select Advanced (custom settings) and click Settings.
  • Page 105 Chapter 4 Tutorials 11 Select Optional encryption (connect even if no encryption) and the Allow these protocols radio button. Select Microsoft CHAP Version 2 (MS-CHAP v2) and clear all of the other check boxes. Click OK. 12 Click IPSec Settings. Then select the Use pre-shared key for authentication checkbox. Enter the pre-shared key used in the IPSec configuration that the Device is using for the Default_L2TPVPN IPSec VPN rule.
  • Page 106 Chapter 4 Tutorials 13 Click Networking. Select L2TP IPSec VPN as the Type of VPN. Click OK. 14 Enter the user name and password of your user account configured on the Device. Click Connect. Note: The user account must be pre-configured in the Maintenance > User Account screen.
  • Page 107: Configuring L2Tp Vpn On Android Devices (Client)

    Chapter 4 Tutorials 16 An icon displays in your system tray. Double-click it to open a status screen. 17 From the status screen, you can disconnect this connection. Or you can click Details to see the connection details. The addresses 10.2.1.1 and 10.2.1.11 are allocated from the L2TP IP Address Pool you configured on the Device (10.2.1.1 - 10.2.1.32).
  • Page 108 Chapter 4 Tutorials On your Android device, select Home > Settings > More > VPN. Select Add VPN profile. On some Android versions, you may have to tap the button instead The Edit VPN profile screen appears. Fill out the following fields. •...
  • Page 109 Chapter 4 Tutorials • IPSec pre-shared key: This is your pre-shared key for your VPN connection, in this example, 1234567890. Save the configuration. The saved configuration appears on the VPN screen. Click the VPN name to use the L2TP connection. Enter the username and password of your user account configured on the Device.
  • Page 110: Configuring L2Tp Vpn In Ios Devices (Client)

    Chapter 4 Tutorials You can see Connected when the L2TP VPN connection has been established. Click the connection name to get connection details. There you can also disconnect. 4.13.7 Configuring L2TP VPN in iOS Devices (Client) The following sections cover how to configure the built-in L2TP client in iOS devices (iPhone, iPad, iPod Touch, etc).
  • Page 111 Chapter 4 Tutorials Select VPN > Add VPN Configuration…. Select the L2TP tab. Enter the following fields. • Description: Enter a name for your VPN configuration. • Server: This is the WAN IP address of the Device, in this example, 172.16.1.2. •...
  • Page 112 Chapter 4 Tutorials The saved configuration appears on the VPN screen. Select it and then slide the VPN bar to the ON position. Your iOS device will begin the L2TP connection.
  • Page 113: Technical Reference

    Technical Reference...
  • Page 115: Status Screens

    Chapter 5 Status Screens 5.1 Overview After you log into the Web Configurator, the Status screen appears. You can use the Status screen to look at the current status of the Device, system resources, and interfaces (LAN, WAN, and WLAN).
  • Page 116 Chapter 5 Status Screens Table 5 Status Screen (continued) LABEL DESCRIPTION WAN Information (These fields display when you have a WAN connection.) WAN Type This field displays the current WAN connection type. MAC Address This shows the WAN Ethernet adapter MAC (Media Access Control) Address of your Device. IP Address This field displays the current IP address of the Device in the WAN.
  • Page 117 Chapter 5 Status Screens Table 5 Status Screen (continued) LABEL DESCRIPTION WAN Status Status The field displays Up when the Device is using the interface and Down when the Device is Mode The field displays whether the interface is in Active or Passive mode. IP Address The field displays the IP address of the interface.
  • Page 118 Chapter 5 Status Screens
  • Page 119: Broadband

    Chapter 6 Broadband 6.1 Overview This chapter discusses the Device’s Broadband screens. Use these screens to configure your Device for Internet access. A WAN (Wide Area Network) connection is an outside connection to another network or the Internet. It connects your private networks, such as a LAN (Local Area Network) and other networks, so that a computer in one location can communicate with computers in other locations.
  • Page 120: What You Need To Know

    Chapter 6 Broadband • Use the Add New 3G Dongle screen to view or add a new 3G dongle (Section 6.4 on page 136). • Use the Advanced screen to enable or disable PTM over ADSL, Annex M, and DSL PhyR functions (Section 6.4.1 on page 136).
  • Page 121 Chapter 6 Broadband Asynchronous Transfer Mode (ATM) is a WAN networking technology that provides high-speed data transfer. ATM uses fixed-size packets of information called cells. With ATM, a high QoS (Quality of Service) can be guaranteed. ATM uses a connection-oriented model and establishes a virtual circuit (VC) between Finding Out More Packet Transfer Mode (PTM) is packet-oriented and supported by the VDSL2 standard.
  • Page 122 Chapter 6 Broadband compose the network address. The prefix length is written as “/x” where x is a number. For example, 2001:db8:1a2b:15::1a2f:0/32 means that the first 32 bits (2001:db8) are the subnet prefix. IPv6 Subnet Masking Both an IPv6 address and an IPv6 subnet mask consist of 128 binary digits, which are divided into eight 16-bit blocks and written in hexadecimal notation.
  • Page 123: Before You Begin

    Chapter 6 Broadband Figure 20 Dual Stack Lite - IPv6 - IPv6 - IPv4 in IPv6 - IPv4 ISP (IPv6) IPv6 Internet IPv6 IPv6 IPv4 IPv4 in IPv6 AFTR IPv4 Internet 6.1.3 Before You Begin You need to know your Internet access settings such as encapsulation and WAN IP address. Get this information from your ISP.
  • Page 124 Chapter 6 Broadband Table 7 Network Setting > Broadband (continued) LABEL DESCRIPTION 802.1p This indicates the 802.1p priority level assigned to traffic sent through this connection. This displays N/A when there is no priority level assigned. 802.1q This indicates the VLAN ID number assigned to traffic sent through this connection. This displays N/A when there is no VLAN ID number assigned.
  • Page 125: Add/Edit Internet Connection

    Chapter 6 Broadband 6.2.1 Add/Edit Internet Connection Click Add new WAN Interface in the Broadband screen or the Edit icon next to an existing WAN interface to configure a WAN connection. The screen varies depending on the interface type, mode, encapsulation, and IPv6/IPv4 mode you select.
  • Page 126 Chapter 6 Broadband Table 8 Routing Mode (continued) LABEL DESCRIPTION Type Select whether it is ADSL/VDSL over PTM, ADSL over ATM, or Ethernet connection. • ADSL/VDSL over PTM: The Device uses the VDSL technology for data transmission over the DSL port. •...
  • Page 127 Chapter 6 Broadband Table 8 Routing Mode (continued) LABEL DESCRIPTION Encapsulation Select the method of multiplexing used by your ISP from the drop-down list box. Choices Mode are: • LLC/SNAP-BRIDGING: In LLC encapsulation, bridged PDUs are encapsulated by identifying the type of the bridged media in the SNAP header. This is available only when you select IPoE or PPPoE in the Select DSL Link Type field.
  • Page 128 Chapter 6 Broadband Table 8 Routing Mode (continued) LABEL DESCRIPTION PPPoE This field is available when you select PPPoE encapsulation. Passthrough In addition to the Device’s built-in PPPoE client, you can enable PPPoE pass through to allow up to ten hosts on the LAN to use PPPoE client software on their computers to connect to the ISP via the Device.
  • Page 129 Chapter 6 Broadband Table 8 Routing Mode (continued) LABEL DESCRIPTION Prefix Enter the address prefix length to specify how many most significant bits in an IPv6 address Length compose the network address. Next Hop Enter the IP address of the next-hop gateway. The gateway is a router or switch on the same segment as your Device's interface(s).
  • Page 130 Chapter 6 Broadband Table 8 Routing Mode (continued) LABEL DESCRIPTION Rate Limit Enter the rate limit for the connection. This is the maximum transmission rate allowed for traffic on this connection. MTU Size Enter the MTU (Maximum Transfer Unit) size for this traffic. Apply Click Apply to save your changes back to the Device.
  • Page 131 Chapter 6 Broadband Table 9 Bridge Mode (ADSL/VDSL over PTM) (continued) LABEL DESCRIPTION VLAN This section is available only when you select ADSL/VDSL over PTM in the Type field. Active Select this to add the VLAN Tag (specified below) to the outgoing traffic through this connection.
  • Page 132 Chapter 6 Broadband Table 10 Bridge Mode (ADSL over ATM) (continued) LABEL DESCRIPTION Mode Select Bridge when your ISP provides you more than one IP address and you want the connected computers to get individual IP address from ISP’s DHCP server directly. If you select Bridge, you cannot use routing functions, such as QoS, Firewall, DHCP server and NAT on traffic from the selected LAN port(s).
  • Page 133: The 3G Wan Screen

    Chapter 6 Broadband Table 10 Bridge Mode (ADSL over ATM) (continued) LABEL DESCRIPTION Rate Limit Enter the rate limit for the connection. This is the maximum transmission rate allowed for traffic on this connection. Apply Click Apply to save your changes. Cancel Click Cancel to exit this screen without saving.
  • Page 134 Chapter 6 Broadband Note: The actual data rate you obtain varies depending on the 3G card you use, the signal strength to the service provider’s base station, and so on. Figure 25 Network Setting > Broadband > 3G WAN
  • Page 135 Chapter 6 Broadband The following table describes the labels in this screen. Table 11 Network Setting > Broadband > 3G WAN LABEL DESCRIPTION 3G Connection Settings Card This field displays the manufacturer and model name of your 3G card if you inserted one in description the Device.
  • Page 136: The Add New 3G Dongle Screen

    Chapter 6 Broadband 6.4 The Add New 3G Dongle Screen Use the Add New 3G Dongle screen to view and manage the list of 3G dongles the Device can use for a 3G backup connection. Click Network Setting > Broadband > Add New 3G Dongle to display the following screen. Figure 26 Network Setting >...
  • Page 137: The Advanced Screen

    Chapter 6 Broadband The following table describes the labels in this screen. Table 13 Add 3G Dongle Information LABEL DESCRIPTION Default VID Enter the default vendor ID of the 3G dongle. Default PID Enter the default product ID of the 3G dongle. Target VID Enter the target vendor ID of the 3G dongle.
  • Page 138: The 802.1X Screen

    Chapter 6 Broadband Table 14 Network Setting > Network Setting > Advanced (continued) LABEL DESCRIPTION PhyR DS Enable or disable PhyR DS (downstream) for downstream transmission from the WAN. PhyR DS should be enabled if data being transmitted downstream is sensitive to noise. However, enabling PhyR DS can decrease the DS line rate.
  • Page 139: Edit 802.1X Settings

    Chapter 6 Broadband 6.6.1 Edit 802.1x Settings Use this screen to edit an 802.1x authentication’s settings. Click the Edit icon next to the rule you want to edit. The screen shown next appears. Figure 30 802.1x: Add/Edit The following table describes the labels in this screen. Table 16 802.1x: Add/Edit LABEL DESCRIPTION...
  • Page 140: Add/Edit Multi-Wan

    Chapter 6 Broadband You can only configure one rule for each interface. Click Network Setting > Broadband > multi-WAN to display the following screen. Figure 31 Network Setting > Broadband > multi-WAN The following table describes the labels in this screen. Table 17 Network Setting >...
  • Page 141: How To Configure Multi-Wan For Load Balancing And Failover

    Chapter 6 Broadband The following table describes the labels in this screen. Table 18 multi-WAN: Add/Edit LABEL DESCRIPTION Interface If you are adding a new entry, select the interface that you want to configure this rule for. The list shows the interfaces that have not configured multi-WAN rules. If no interface is shown in the list, this means all interfaces already have existing rules.
  • Page 142: Technical Reference

    Chapter 6 Broadband Click the Edit icon next to the ETHWAN WAN connection. This brings up the edit window. Change the weight field to 3 and click the Apply button. You have finished the configuration. When both the ETHWAN and ADSL connections are up, the Device will send traffic over these two connections in a 3:1 ratio.
  • Page 143 Chapter 6 Broadband Encapsulation Be sure to use the encapsulation method required by your ISP. The Device can work in bridge mode or routing mode. When the Device is in routing mode, it supports the following methods. IP over Ethernet IP over Ethernet (IPoE) is an alternative to PPPoE.
  • Page 144 Chapter 6 Broadband Variable Bit Rate (VBR) The Variable Bit Rate (VBR) ATM traffic class is used with bursty connections. Connections that use the Variable Bit Rate (VBR) traffic class can be grouped into real time (VBR-RT) or non-real time (VBR-nRT) connections.
  • Page 145 Chapter 6 Broadband across the network. A tagged frame is four bytes longer than an untagged frame and contains two bytes of TPID (Tag Protocol Identifier, residing within the type/length field of the Ethernet frame) and two bytes of TCI (Tag Control Information, starting after the source address field of the Ethernet frame).
  • Page 146 Chapter 6 Broadband IPv6 Addressing The 128-bit IPv6 address is written as eight 16-bit hexadecimal blocks separated by colons (:). This is an example IPv6 address 2001:0db8:1a2b:0015:0000:0000:1a2f:0000. IPv6 addresses can be abbreviated in two ways: • Leading zeros in a block can be omitted. So 2001:0db8:1a2b:0015:0000:0000:1a2f:0000 can be written as 2001:db8:1a2b:15:0:0:1a2f:0.
  • Page 147: Wireless

    Chapter 7 Wireless 7.1 Overview This chapter describes the Device’s Network Setting > Wireless screens. Use these screens to set up your Device’s wireless connection. 7.1.1 What You Can Do in this Chapter This section describes the Device’s Wireless screens. Use these screens to set up your Device’s wireless connection.
  • Page 148: What You Need To Know

    Chapter 7 Wireless 7.1.2 What You Need to Know Wireless Basics “Wireless” is essentially radio communication. In the same way that walkie-talkie radios send and receive information over the airwaves, wireless networking devices exchange information with one another. A wireless networking device is just like a radio that lets your computer exchange information with radios attached to other computers.
  • Page 149 Chapter 7 Wireless Click Network Setting > Wireless to open the General screen. Figure 33 Network Setting > Wireless > General The following table describes the general wireless LAN labels in this screen. Table 19 Network Setting > Wireless > General LABEL DESCRIPTION Wireless Network Setup...
  • Page 150 Chapter 7 Wireless Table 19 Network Setting > Wireless > General (continued) LABEL DESCRIPTION Bandwidth Select whether the Device uses a wireless channel width of 20MHz or 40MHz. A standard 20MHz channel offers transfer speeds of up to 150Mbps whereas a 40MHz channel uses two standard channels and offers speeds of up to 300 Mbps.
  • Page 151: No Security

    Chapter 7 Wireless Table 19 Network Setting > Wireless > General (continued) LABEL DESCRIPTION Apply Click Apply to save your changes. Cancel Click Cancel to restore your previously saved settings. 7.2.1 No Security Select No Security to allow wireless stations to communicate with the access points without any data encryption or authentication.
  • Page 152 Chapter 7 Wireless In order to configure and enable WEP encryption, click Network Setting > Wireless to display the General screen, then select Basic as the security level. Figure 35 Wireless > General: Basic (WEP) The following table describes the labels in this screen. Table 21 Wireless >...
  • Page 153: More Secure (Wpa(2)-Psk)

    Chapter 7 Wireless 7.2.3 More Secure (WPA(2)-PSK) The WPA-PSK security mode provides both improved data encryption and user authentication over WEP. Using a Pre-Shared Key (PSK), both the Device and the connecting client share a common password in order to validate the connection. This type of encryption, while robust, is not as strong as WPA, WPA2 or even WPA2-PSK.
  • Page 154: Wpa(2) Authentication

    Chapter 7 Wireless Table 22 Wireless > General: More Secure: WPA(2)-PSK (continued) LABEL DESCRIPTION Encryption Select the encryption type (AES or TKIP+AES) for data encryption. Select AES if your wireless clients can all use AES. Select TKIP+AES to allow the wireless clients to use either TKIP or AES. Group Key The Group Key Update Timer is the rate at which the RADIUS server sends a new group Update Timer...
  • Page 155: The More Ap Screen

    Chapter 7 Wireless Table 23 Wireless > General: More Secure: WPA(2) (continued) LABEL DESCRIPTION IP Address Enter the IP address of the external authentication server in dotted decimal notation. Port Enter the port number of the external authentication server. The default port number is Number 1812.
  • Page 156: Edit More Ap

    Chapter 7 Wireless The following table describes the labels in this screen. Table 24 Network Setting > Wireless > More AP LABEL DESCRIPTION This is the index number of the entry. Status This field indicates whether this SSID is active. A yellow bulb signifies that this SSID is active.
  • Page 157 Chapter 7 Wireless The following table describes the fields in this screen. Table 25 More AP: Edit LABEL DESCRIPTION Wireless Network Setup Wireless You can Enable or Disable the wireless LAN in this field. Passphrase If you set security for the wireless LAN and have the Device generate a password, the Type setting in this field determines how the Device generates the password.
  • Page 158: Mac Authentication

    Chapter 7 Wireless 7.4 MAC Authentication This screen allows you to configure the ZyXEL Device to give exclusive access to specific devices (Allow) or exclude specific devices from accessing the ZyXEL Device (Deny). Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.
  • Page 159: The Wps Screen

    Chapter 7 Wireless 7.5 The WPS Screen Use this screen to configure WiFi Protected Setup (WPS) on your Device. WPS allows you to quickly set up a wireless network with strong security, without having to configure security settings manually. Set up each WPS connection between two devices. Both devices must support WPS.
  • Page 160: The Wmm Screen

    Chapter 7 Wireless Table 27 Network Setting > Wireless > WPS (continued) LABEL DESCRIPTION Connect Click this button to add another WPS-enabled wireless device (within wireless range of the Device) to your wireless network. This button may either be a physical button on the outside of device, or a menu button similar to the Connect button on this screen.
  • Page 161: The Others Screen

    Chapter 7 Wireless The following table describes the labels in this screen. Table 28 Network Setting > Wireless > WMM LABEL DESCRIPTION Select On to have the Device automatically give a service a priority level according to the ToS value in the IP header of packets it sends. WMM QoS (Wifi MultiMedia Quality of Service) gives high priority to voice and video, which makes them run more smoothly.
  • Page 162 Chapter 7 Wireless Table 29 Network Setting > Wireless > Others (continued) LABEL DESCRIPTION Auto Channel If you set the channel to Auto in the Network Setting > Wireless > General screen, Timer specify the interval in minutes for how often the Device scans for the best channel. Enter 0 to disable the periodical scan.
  • Page 163: The Channel Status Screen

    Chapter 7 Wireless 7.8 The Channel Status Screen Use the Channel Status screen to scan wireless LAN channel noises and view the results. Click Network Setting > Wireless > Channel Status. The screen appears as shown. Click Scan to scan the wireless LAN channels. You can view the results in the Channel Scan Result section. Figure 44 Network Setting >...
  • Page 164 Chapter 7 Wireless • An “infrastructure” type of network has one or more access points and one or more wireless clients. The wireless clients connect to the access points. • An “ad-hoc” type of network is one in which there is no access point. Wireless clients connect to one another in order to exchange information.
  • Page 165: Additional Wireless Terms

    Chapter 7 Wireless variety of networks to exist in the same place without interfering with one another. When you create a network, you must select a channel to use. Since the available unlicensed spectrum varies from one country to another, the number of available channels also varies.
  • Page 166 Chapter 7 Wireless Because of the damage that can be done by a malicious attacker, it’s not just people who have sensitive information on their network who should use security. Everybody who uses any wireless network should ensure that effective security is in place. A good way to come up with effective security keys, passwords and so on is to use obscure information that you personally will easily remember, and to enter it in a way that appears random and does not include real words.
  • Page 167: Signal Problems

    Chapter 7 Wireless wireless users to get a valid user name and password. Then, they can use that user name and password to use the wireless network. 7.9.3.4 Encryption Wireless networks can use encryption to protect the information that is sent in the wireless network.
  • Page 168: Bss

    Chapter 7 Wireless coincidental emitters such as electric motors or microwaves. Problems with absorption occur when physical objects (such as thick walls) are between the two radios, muffling the signal. 7.9.5 BSS A Basic Service Set (BSS) exists when all communications between wireless stations or between a wireless station and a wired network client go through one access point (AP).
  • Page 169: Preamble Type

    Chapter 7 Wireless • You must use different keys for different BSSs. If two wireless devices have different BSSIDs (they are in different BSSs), but have the same keys, they may hear each other’s communications (but not communicate with each other). •...
  • Page 170 Chapter 7 Wireless Look for a WPS button on each device. If the device does not have one, log into its configuration utility and locate the button (see the device’s User’s Guide for how to do this - for the Device, see Section 7.6 on page 160).
  • Page 171 Chapter 7 Wireless The following figure shows a WPS-enabled wireless client (installed in a notebook computer) connecting to the WPS-enabled AP via the PIN method. Figure 47 Example WPS Process: PIN Method ENROLLEE REGISTRAR This device’s WPS PIN: 123456 Enter WPS PIN from other device: START START...
  • Page 172 Chapter 7 Wireless The following figure shows a WPS-enabled client (installed in a notebook computer) connecting to a WPS-enabled access point. Figure 48 How WPS works ACTIVATE ACTIVATE WITHIN 2 MINUTES WPS HANDSHAKE ENROLLEE REGISTRAR SECURE TUNNEL SECURITY INFO COMMUNICATION The roles of registrar and enrollee last only as long as the WPS setup process is active (two minutes).
  • Page 173 Chapter 7 Wireless is the registrar, and Client 1 is the enrollee. The registrar randomly generates the security information to set up the network, since it is unconfigured and has no existing information. Figure 49 WPS: Example Network Step 1 ENROLLEE REGISTRAR SECURITY INFO...
  • Page 174 Chapter 7 Wireless In step 3, you add another access point (AP2) to your network. AP2 is out of range of AP1, so you cannot use AP1 for the WPS handshake with the new access point. However, you know that Client 2 supports the registrar function, so you use it to perform the WPS handshake instead.
  • Page 175 Chapter 7 Wireless • When you use the PBC method, there is a short period (from the moment you press the button on one device to the moment you press the button on the other device) when any WPS-enabled device could join the network. This is because the registrar has no way of identifying the “correct”...
  • Page 176 Chapter 7 Wireless
  • Page 177: Lan

    Chapter 8 LAN 8.1 Overview A Local Area Network (LAN) is a shared communication system to which many networking devices are connected. It is usually located in one immediate area such as a building or floor of a building. Use the LAN screens to help you configure a LAN DHCP server and manage IP addresses.
  • Page 178: What You Need To Know

    Chapter 8 LAN 8.1.2 What You Need To Know 8.1.2.1 About LAN IP Address IP addresses identify individual devices on a network. Every networking device (including computers, servers, routers, printers, etc.) needs an IP address to communicate across the network. These networking devices are also known as hosts. Subnet Mask Subnet masks determine the maximum number of possible hosts on a network.
  • Page 179: Before You Begin

    Chapter 8 LAN • Assigning lease times to mappings Windows Messenger is an example of an application that supports NAT traversal and UPnP. See Chapter 11 on page 223 for more information on NAT. Cautions with UPnP The automated nature of NAT traversal applications in establishing their own services and opening firewall ports may present network security issues.
  • Page 180 Chapter 8 LAN Click Apply to save your settings. Figure 52 Network Setting > LAN > LAN Setup The following table describes the fields in this screen. Table 32 Network Setting > LAN > LAN Setup LABEL DESCRIPTION Interface Group Group Name Select the interface group name for which you want to configure LAN settings.
  • Page 181 Chapter 8 LAN Table 32 Network Setting > LAN > LAN Setup (continued) LABEL DESCRIPTION DHCP Relay This field is only available when you select DHCP Relay in the DHCP field. Server Address IP Address Enter the IP address of the actual remote DHCP server in this field. IP Addressing This field is only available when you select Enable in the DHCP field.
  • Page 182: The Static Dhcp Screen

    Chapter 8 LAN Table 32 Network Setting > LAN > LAN Setup (continued) LABEL DESCRIPTION LAN IPv6 Select how you want to obtain an IPv6 address: Address Assign • stateless + DNS send by RADVD: The Device uses IPv6 stateless autoconfiguration. Setup RADVD (Router Advertisement Daemon) is enabled to have the Device send IPv6 prefix information in router advertisements periodically and in response to router solicitations.
  • Page 183 Chapter 8 LAN Use this screen to change your Device’s static DHCP settings. Click Network Setting > LAN > Static DHCP to open the following screen. Figure 53 Network Setting > LAN > Static DHCP The following table describes the labels in this screen. Table 33 Network Setting >...
  • Page 184: The Upnp Screen

    Chapter 8 LAN Table 34 Static DHCP: Add/Edit (continued) LABEL DESCRIPTION Select Device Info If you select Manual Input, you can manually type in the MAC address and IP address of a computer on your LAN. You can also choose the name of a computer from the drop list and have the MAC Address and IP Address auto-detected.
  • Page 185: Installing Upnp In Windows Example

    Chapter 8 LAN The following table describes the labels in this screen. Table 35 Network Setting > LAN > UPnP LABEL DESCRIPTION UPnP Select Enable to activate UPnP. Be aware that anyone could use a UPnP application to open the web configurator's login screen without entering the Device's IP address (although you must still enter the password to access the web configurator).
  • Page 186 Chapter 8 LAN Click on the Windows Setup tab and select Communication in the Components selection box. Click Details. Add/Remove Programs: Windows Setup: Communication In the Communications window, select the Universal Plug and Play check box in the Components selection box. Add/Remove Programs: Windows Setup: Communication: Components
  • Page 187 Chapter 8 LAN Click OK to go back to the Add/Remove Programs Properties window and click Next. Restart the computer when prompted. Installing UPnP in Windows XP Follow the steps below to install UPnP in Windows XP. Click Start and Control Panel. Double-click Network Connections.
  • Page 188: Using UPnP In Windows XP Example

    Chapter 8 LAN In the Networking Services window, select the Universal Plug and Play check box. Networking Services Click OK to go back to the Windows Optional Networking Component Wizard window and click Next. 8.6 Using UPnP in Windows XP Example This section shows you how to use the UPnP feature in Windows XP.
  • Page 189 Chapter 8 LAN Right-click the icon and select Properties. Network Connections In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created. Internet Connection Properties
  • Page 190 Chapter 8 LAN You may edit or delete the port mappings or click Add to manually add port mappings. Internet Connection Properties: Advanced Settings Internet Connection Properties: Advanced Settings: Add When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically.
  • Page 191 Chapter 8 LAN Double-click on the icon to display your current Internet connection status. Internet Connection Status Web Configurator Easy Access With UPnP, you can access the web-based configurator on the Device without finding out the IP address of the Device first. This is helpful if you do not know the IP address of the Device. Follow the steps below to access the web configurator.
  • Page 192 Chapter 8 LAN Select My Network Places under Other Places. Network Connections An icon with the description for each UPnP-enabled device displays under Local Network. Right-click on the icon for your Device and select Invoke. The web configurator login screen displays.
  • Page 193 Chapter 8 LAN Right-click on the icon for your Device and select Properties. A properties window displays with basic information about the Device. Network Connections: My Network Places: Properties: Example
  • Page 194: The Additional Subnet Screen

    Chapter 8 LAN 8.7 The Additional Subnet Screen Use the Additional Subnet screen to configure IP alias and public static IP. IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The Device supports multiple logical LAN interfaces via its physical Ethernet interface with the Device itself as the gateway for the LAN network.
  • Page 195: The 5th Ethernet Port Screen

    Chapter 8 LAN Table 36 Network Setting > LAN > Additional Subnet (continued) LABEL DESCRIPTION Offer Public IP Select the checkbox to enable the Device to provide public IP addresses by DHCP server. by DHCP Enable ARP Select the checkbox to enable the ARP (Address Resolution Protocol) proxy. Proxy Apply Click Apply to save your changes.
  • Page 196: LANs, WANs And The Device

    Chapter 8 LAN 8.9.1 LANs, WANs and the Device The actual physical connection determines whether the Device ports are LAN or WAN ports. There are two separate IP networks, one inside the LAN network and the other outside the WAN network as shown next.
  • Page 197: LAN TCP/IP

    Chapter 8 LAN • Some ISPs choose to disseminate the DNS server addresses using the DNS server extensions of IPCP (IP Control Protocol) after the connection is up. If your ISP did not give you explicit DNS servers, chances are the DNS servers are conveyed through IPCP negotiation. The Device supports the IPCP DNS server extensions through the DNS proxy feature.
  • Page 198 Chapter 8 LAN You can obtain your IP address from the IANA, from an ISP or it can be assigned from a private network. If you belong to a small organization and your Internet access is through an ISP, the ISP can provide you with the Internet addresses for your local networks.
  • Page 199: Routing

    Chapter 9 Routing 9.1 Overview The Device usually uses the default gateway to route outbound traffic from computers on the LAN to the Internet. To have the Device send data to devices not reachable through the default gateway, use static routes.
  • Page 200: The Routing Screen

    Chapter 9 Routing 9.2 The Routing Screen Use this screen to view and configure the static route rules on the Device. Click Network Setting > Routing > Static Route to open the following screen. Figure 60 Network Setting > Routing > Static Route The following table describes the labels in this screen.
  • Page 201: Add/Edit Static Route

    Chapter 9 Routing 9.2.1 Add/Edit Static Route Use this screen to add or edit a static route. Click Add new static route in the Routing screen or the Edit icon next to the static route you want to edit. The screen shown next appears. Figure 61 Routing: Add/Edit The following table describes the labels in this screen.
  • Page 202 Chapter 9 Routing You can use source-based policy forwarding to direct traffic from different users through different connections or distribute traffic among multiple paths for load sharing. The Policy Forwarding screen lets you view and configure routing policies on the Device. Click Network Setting >...
  • Page 203: Add/Edit Policy Forwarding

    Chapter 9 Routing 9.3.1 Add/Edit Policy Forwarding Click Add new Policy Forward Rule in the Policy Forwarding screen or click the Edit icon next to a policy. Use this screen to configure the required information for a policy route. Figure 63 Policy Forwarding: Add/Edit The following table describes the labels in this screen.
  • Page 204 Chapter 9 Routing Click Network Setting > Routing > RIP to open the RIP screen. Figure 64 RIP The following table describes the labels in this screen. Table 42 Network Setting > Routing > RIP LABEL DESCRIPTION Interface This is the name of the interface in which the RIP setting is used. Version The RIP version controls the format and the broadcasting method of the RIP packets that the Device sends (it recognizes both formats when receiving).
  • Page 205: Quality Of Service (QoS)

    Chapter 10 Quality of Service (QoS) 10.1 Overview Quality of Service (QoS) refers to both a network’s ability to deliver data with minimum delay, and the networking methods used to control the use of bandwidth. Without QoS, all traffic data is equally likely to be dropped when the network is congested.
  • Page 206: What You Need To Know

    Chapter 10 Quality of Service (QoS) 10.2 What You Need to Know The following terms and concepts may help as you read through this chapter. QoS versus CoS QoS is used to prioritize source-to-destination traffic flows. All packets in the same flow are given the same priority.
  • Page 207: The Quality Of Service General Screen

    Chapter 10 Quality of Service (QoS) Traffic Policing Traffic policing is the limiting of the input or output transmission rate of a class of traffic on the basis of user-defined criteria. Traffic policing methods measure traffic flows against user-defined criteria and identify them as either conforming, exceeding or violating the criteria. [Figure: traffic rate over time]...
  • Page 208: The Queue Setup Screen

    Chapter 10 Quality of Service (QoS) The following table describes the labels in this screen. Table 43 Network Setting > QoS > General LABEL DESCRIPTION Select the Enable check box to turn on QoS to improve your network performance. WAN Managed Enter the amount of upstream bandwidth for the WAN interfaces that you want to allocate Upstream using QoS.
  • Page 209 Chapter 10 Quality of Service (QoS) Use this screen to configure QoS queue assignment. Figure 66 Network Setting > QoS > Queue Setup The following table describes the labels in this screen. Table 44 Network Setting > QoS > Queue Setup LABEL DESCRIPTION Add new Queue...
  • Page 210: Adding A QoS Queue

    Chapter 10 Quality of Service (QoS) 10.4.1 Adding a QoS Queue Click Add new Queue or the edit icon in the Queue Setup screen to configure a queue. Figure 67 Queue Setup: Add The following table describes the labels in this screen. Table 45 Queue Setup: Add LABEL DESCRIPTION...
  • Page 211 Chapter 10 Quality of Service (QoS) You can give different priorities to traffic that the Device forwards out through the WAN interface. Give high priority to voice and video to make them run more smoothly. Similarly, give low priority to many large file downloads so that they do not reduce the quality of other applications. Click Network Setting >...
  • Page 212: Add/Edit QoS Class

    Chapter 10 Quality of Service (QoS) 10.5.1 Add/Edit QoS Class Click Add new Classifier in the Class Setup screen or the Edit icon next to a classifier to open the following screen. Figure 69 Class Setup: Add/Edit
  • Page 213 Chapter 10 Quality of Service (QoS) The following table describes the labels in this screen. Table 47 Class Setup: Add/Edit LABEL DESCRIPTION Active Select this to enable this classifier. Class Name Enter a descriptive name of up to 15 printable English keyboard characters, not including spaces.
  • Page 214 Chapter 10 Quality of Service (QoS) Table 47 Class Setup: Add/Edit (continued) LABEL DESCRIPTION Service This field is available only when you select IP in the Ether Type field. This field simplifies classifier configuration by allowing you to select a predefined application.
  • Page 215: The QoS Policer Setup Screen

    Chapter 10 Quality of Service (QoS) Table 47 Class Setup: Add/Edit (continued) LABEL DESCRIPTION To Queue Index Select a queue that applies to this class. You should have configured a queue in the Queue Setup screen already. Apply Click Apply to save your changes. Cancel Click Cancel to exit this screen without saving.
  • Page 216: Add/Edit A QoS Policer

    Chapter 10 Quality of Service (QoS) 10.6.1 Add/Edit a QoS Policer Click Add new Policer in the Policer Setup screen or the Edit icon next to a policer to show the following screen. Figure 71 Policer Setup: Add/Edit The following table describes the labels in this screen. Table 49 Policer Setup: Add/Edit LABEL DESCRIPTION...
  • Page 217: The QoS Monitor Screen

    Chapter 10 Quality of Service (QoS) Table 49 Policer Setup: Add/Edit (continued) LABEL DESCRIPTION Non- Specify what the Device does for packets that exceed the excess burst size or peak rate and Conforming burst size (red-marked packets). Action • Drop: Discard the packets. •...
  • Page 218: Technical Reference

    Chapter 10 Quality of Service (QoS) Table 50 Network Setting > QoS > Monitor (continued) LABEL DESCRIPTION Pass Rate This shows how many packets assigned to this queue are transmitted successfully. Drop Rate This shows how many packets assigned to this queue are dropped. 10.8 Technical Reference The following section contains additional technical information about the Device features described in this chapter.
  • Page 219 Chapter 10 Quality of Service (QoS) negotiate paths or remember state information for every flow. In addition, applications do not have to request a particular service or give advance notice of where the traffic is going. DSCP and Per-Hop Behavior DiffServ defines a new Differentiated Services (DS) field to replace the Type of Service (TOS) field in the IP header.
  • Page 220 Chapter 10 Quality of Service (QoS) Table 52 Internal Layer2 and Layer3 QoS Mapping. Columns: PRIORITY QUEUE; LAYER 2: IEEE 802.1P USER PRIORITY (ETHERNET PRIORITY); LAYER 3: TOS (IP PRECEDENCE), DSCP, IP PACKET LENGTH (BYTE). 010110 010100 010010 010000 011110 <250 011100 011010 011000...
  • Page 221 Chapter 10 Quality of Service (QoS) Configure the bucket size to be equal to or less than the amount of the bandwidth that the interface can support. It does not help if you set it to a bucket size over the interface’s capability. The smaller the bucket size, the lower the data transmission rate and that may cause outgoing packets to be dropped.
  • Page 222 Chapter 10 Quality of Service (QoS) All packets are evaluated against the PIR. If a packet exceeds the PIR it is marked red. Otherwise it is evaluated against the CIR. If it exceeds the CIR then it is marked yellow. Finally, if it is below the CIR then it is marked green.
  • Page 223: Network Address Translation (NAT)

    Chapter 11 Network Address Translation (NAT) 11.1 Overview This chapter discusses how to configure NAT on the Device. NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet, for example, the source address of an outgoing packet, used within one network to a different IP address known within another network.
  • Page 224: The Port Forwarding Screen

    Chapter 11 Network Address Translation (NAT) WAN side. When the response comes back, NAT translates the destination address (the inside global address) back to the inside local address before forwarding it to the original inside host. Port Forwarding A port forwarding set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make visible to the outside world even though NAT makes your whole inside network appear as a single computer to the outside world.
  • Page 225 Chapter 11 Network Address Translation (NAT) third (C in the example). You assign the LAN IP addresses and the ISP assigns the WAN IP address. The NAT network appears as a single host on the Internet. Figure 73 Multiple Servers Behind NAT Example A=192.168.1.33 B=192.168.1.34 192.168.1.1...
  • Page 226: Add/Edit Port Forwarding

    Chapter 11 Network Address Translation (NAT) Table 53 Network Setting > NAT > Port Forwarding (continued) LABEL DESCRIPTION Protocol This shows the IP protocol supported by this virtual server, whether it is TCP, UDP, or TCP/ UDP. Modify Click the Edit icon to edit this rule. Click the Delete icon to delete an existing rule.
  • Page 227: The Applications Screen

    Chapter 11 Network Address Translation (NAT) Table 54 Port Forwarding: Add/Edit (continued) LABEL DESCRIPTION End Port Enter the last port of the original destination port range. To forward only one port, enter the port number in the Start Port field above and then enter it again in this field.
  • Page 228: Add New Application

    Chapter 11 Network Address Translation (NAT) 11.3.1 Add New Application This screen lets you create new NAT application rules. Click Add new application in the Applications screen to open the following screen. Figure 77 Applications: Add The following table describes the labels in this screen. Table 56 Applications: Add LABEL DESCRIPTION...
  • Page 229 Chapter 11 Network Address Translation (NAT) For example: Figure 78 Trigger Port Forwarding Process: Example Jane requests a file from the Real Audio server (port 7070). Port 7070 is a “trigger” port and causes the Device to record Jane’s computer IP address. The Device associates Jane's computer IP address with the "open"...
  • Page 230: Add/Edit Port Triggering Rule

    Chapter 11 Network Address Translation (NAT) Table 57 Network Setting > NAT > Port Triggering (continued) LABEL DESCRIPTION Open Start Port The open port is a port (or a range of ports) that a server on the WAN uses when it sends out a particular service.
  • Page 231: The DMZ Screen

    Chapter 11 Network Address Translation (NAT) Table 58 Port Triggering: Configuration Add/Edit (continued) LABEL DESCRIPTION Open Start Port The open port is a port (or a range of ports) that a server on the WAN uses when it sends out a particular service. The Device forwards the traffic with this port (or range of ports) to the client computer on the LAN that requested the service.
  • Page 232: The ALG Screen

    Chapter 11 Network Address Translation (NAT) 11.6 The ALG Screen Some NAT routers may include a SIP Application Layer Gateway (ALG). A SIP ALG allows SIP calls to pass through NAT by examining and translating IP addresses embedded in the data stream. When the Device registers with the SIP register server, the SIP ALG translates the Device’s private IP address inside the SIP data stream to a public IP address.
  • Page 233: Add/Edit Address Mapping Rule

    Chapter 11 Network Address Translation (NAT) The following table describes the fields in this screen. Table 61 Network Setting > NAT > Address Mapping LABEL DESCRIPTION Add new rule Click this to create a new rule. This is the index number of the address mapping set. Local Start IP This is the starting Inside Local IP Address (ILA).
  • Page 234: Technical Reference

    Chapter 11 Network Address Translation (NAT) The following table describes the fields in this screen. Table 62 Address Mapping: Add/Edit LABEL DESCRIPTION Type Choose the IP/port mapping type from one of the following. One-to-One: This mode maps one local IP address to one global IP address. Note that port numbers do not change for the One-to-one NAT mapping type.
  • Page 235: What NAT Does

    Chapter 11 Network Address Translation (NAT) Note that inside/outside refers to the location of a host, while global/local refers to the IP address of a host used in a packet. Thus, an inside local address (ILA) is the IP address of an inside host in a packet when the packet is still in the local network, while an inside global address (IGA) is the IP address of the same inside host when the packet is on the WAN side.
  • Page 236: How NAT Works

    Chapter 11 Network Address Translation (NAT) 11.8.3 How NAT Works Each packet has two addresses – a source address and a destination address. For outgoing packets, the ILA (Inside Local Address) is the source address on the LAN, and the IGA (Inside Global Address) is the source address on the WAN.
  • Page 237: NAT Application

    Chapter 11 Network Address Translation (NAT) 11.8.4 NAT Application The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP alias) behind the Device can communicate with three distinct WAN networks. Figure 86 NAT Application With IP Alias Port Forwarding: Services and Port Numbers The most often used port numbers are shown in the following table.
  • Page 238 Chapter 11 Network Address Translation (NAT) Port Forwarding Example Let's say you want to assign ports 21-25 to one FTP, Telnet and SMTP server (A in the example), port 80 to another (B in the example) and assign a default server IP address of 192.168.1.35 to a third (C in the example).
  • Page 239: Dynamic DNS Setup

    Chapter 12 Dynamic DNS Setup 12.1 Overview DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. In addition to the system DNS server(s), each WAN interface (service) is set to have its own static or dynamic DNS server list.
  • Page 240: What You Need To Know

    Chapter 12 Dynamic DNS Setup 12.1.2 What You Need To Know DYNDNS Wildcard Enabling the wildcard feature for your host causes *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. This feature is useful if you want to be able to use, for example, www.yourhost.dyndns.org and still reach your hostname.
  • Page 241: Add/Edit DNS Entry

    Chapter 12 Dynamic DNS Setup 12.2.1 Add/Edit DNS Entry You can manually add or edit the Device’s DNS name and IP address entry. Click Add new DNS entry in the DNS Entry screen or the Edit icon next to the entry you want to edit. The screen shown next appears.
  • Page 242 Chapter 12 Dynamic DNS Setup The following table describes the fields in this screen. Table 67 Network Setting > DNS > Dynamic DNS LABEL DESCRIPTION Dynamic DNS Select Enable to use dynamic DNS. Service Select your Dynamic DNS service provider from the drop-down list box. Provider Hostname Type the domain name assigned to your Device by your Dynamic DNS provider.
  • Page 243: Interface Group

    Chapter 13 Interface Group 13.1 Overview By default, the four LAN interfaces on the Device are in the same group and can communicate with each other. Creating a new interface will create a new LAN bridge interface (subnet) (for example, 192.168.2.0/24) that acts as a dependent LAN network, and is a different subnet from the default LAN subnet (192.168.1.0/24).
  • Page 244: Interface Group Configuration

    Chapter 13 Interface Group Table 68 Network Setting > Interface Group (continued) LABEL DESCRIPTION Criteria This shows the filtering criteria for the group. Modify Click the Delete icon to remove the group. 13.2.1 Interface Group Configuration Click the Add New Interface Group button in the Interface Group screen to open the following screen.
  • Page 245: Interface Grouping Criteria

    Chapter 13 Interface Group Table 69 Interface Group Configuration (continued) LABEL DESCRIPTION Filter Criteria This shows the filtering criteria. The LAN interface on which the matched traffic is received will belong to this group automatically. WildCard This shows if wildcard on DHCP option 60 is enabled. Support Remove Click the Remove icon to delete this rule from the Device.
  • Page 246 Chapter 13 Interface Group Table 70 Interface Grouping Criteria (continued) LABEL DESCRIPTION IAID Enter the Identity Association Identifier (IAID) of the device, for example, the WAN connection index number. DUID type Select DUID-LLT (DUID Based on Link-layer Address Plus Time) to enter the hardware type, a time value and the MAC address of the device.
  • Page 247: USB Service

    Chapter 14 USB Service 14.1 Overview The Device has a USB port used to share files via a USB memory stick or a USB hard drive. In the USB Service screens, you can enable the file-sharing server. 14.1.1 What You Can Do in this Chapter •...
  • Page 248: The File Sharing Screen

    Chapter 14 USB Service Samba SMB is a client-server protocol used by Microsoft Windows systems for sharing files, printers, and so on. Samba is a free SMB server that runs on most Unix and Unix-like systems. It provides an implementation of an SMB client and server for use with non-Microsoft operating systems. It allows file and print sharing between computers running Windows and computers running Unix.
  • Page 249 Chapter 14 USB Service The Device detects the USB device and makes its contents available for browsing. If you are connecting a USB hard drive that comes with an external power supply, make sure it is connected to an appropriate power source that is on. Note: If your USB device cannot be detected by the Device, see the troubleshooting for suggestions.
  • Page 251: Firewall

    Chapter 15 Firewall 15.1 Overview This chapter shows you how to enable and configure the Device’s security settings. Use the firewall to protect your Device and network from attacks by hackers on the Internet and control access to it. By default the firewall: •...
  • Page 252: What You Need To Know

    Chapter 15 Firewall 15.1.2 What You Need to Know SYN Attack A SYN attack floods a targeted system with a series of SYN packets. Each packet causes the targeted system to issue a SYN-ACK response. While the targeted system waits for the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on a backlog queue.
  • Page 253: The Firewall Screen

    Chapter 15 Firewall 15.2 The Firewall Screen Use this screen to set the security level of the firewall on the Device. Firewall rules are grouped based on the direction of travel of packets to which they apply. Click Security > Firewall to display the General screen. Figure 97 Security >...
  • Page 254 Chapter 15 Firewall Click Security > Firewall > Service to display the following screen. Figure 98 Security > Firewall > Service The following table describes the labels in this screen. Table 73 Security > Firewall > Service LABEL DESCRIPTION Add new Click this to add a new service.
  • Page 255: Add/Edit A Service

    Chapter 15 Firewall 15.3.1 Add/Edit a Service Use this screen to add a customized service rule that you can use in the firewall’s ACL rule configuration. Click Add new service entry or the edit icon next to an existing service rule in the Service screen to display the following screen.
  • Page 256: The Access Control Screen

    Chapter 15 Firewall Table 74 Service: Add/Edit (continued) LABEL DESCRIPTION Service Enter a description for your customized port. Description Apply Click Apply to save your changes. Cancel Click Cancel to exit this screen without saving. 15.4 The Access Control Screen Click Security >...
  • Page 257: Add/Edit An ACL Rule

    Chapter 15 Firewall 15.4.1 Add/Edit an ACL Rule Click Add new ACL rule or the Edit icon next to an existing ACL rule in the Access Control screen. The following screen displays. Figure 101 Access Control: Add/Edit The following table describes the labels in this screen. Table 76 Access Control: Add/Edit LABEL DESCRIPTION...
  • Page 258: The DoS Screen

    Chapter 15 Firewall Table 76 Access Control: Add/Edit (continued) LABEL DESCRIPTION Select Protocol Select the transport layer protocol that defines your customized port from the drop-down list box. The specific protocol rule sets you add in the Security > Firewall > Service > Add screen display in this list.
  • Page 259 Chapter 15 Firewall The following table describes the labels in this screen. Table 77 Security > Firewall > DoS LABEL DESCRIPTION DoS Protection Select Enable to enable protection against DoS attacks. Blocking Deny Ping Select Enable to block ping request packets. Response Apply Click Apply to save your changes.
  • Page 261: MAC Filter

    Chapter 16 MAC Filter 16.1 Overview You can configure the Device to permit access to clients based on their MAC addresses in the MAC Filter screen. This applies to wired and wireless connections. Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.
  • Page 262 Chapter 16 MAC Filter The following table describes the labels in this screen. Table 78 Security > MAC Filter LABEL DESCRIPTION MAC Address Filter Select Enable to activate the MAC filter function. This is the index number of the MAC address. Allow Select Allow to permit access to the Device.
  • Page 263: User Access Control

    Chapter 17 User Access Control 17.1 Overview User Access control allows you to block web sites with the specific URL. You can also define time periods and days during which the Device performs User Access control on a specific user. 17.2 The User Access Control Screen Use this screen to enable User Access control, view the User Access control rules and schedules.
  • Page 264: Add/Edit A User Access Control Rule

    Chapter 17 User Access Control Table 79 Security > User Access Control (continued) LABEL DESCRIPTION Network This shows whether the network service is configured. If not, None will be shown. Service Website Block This shows whether the website block is configured. If not, None will be shown. Modify Click the Edit icon to go to the screen where you can edit the rule.
  • Page 265 Chapter 17 User Access Control The following table describes the fields in this screen. Table 80 User Access Control Rule: Add/Edit LABEL DESCRIPTION General Active Select the checkbox to activate this User Access control rule. User Access Enter a descriptive name for the rule. Control Profile Name Network User...
  • Page 267: Scheduler Rules

    Chapter 18 Scheduler Rules 18.1 Overview You can define time periods and days during which the Device performs scheduled rules of certain features (such as Firewall Access Control, User Access Control) on a specific user in the Scheduler Rules screen. 18.2 The Scheduler Rules Screen Use this screen to view, add, or edit time schedule rules.
  • Page 268: Add/Edit A Schedule

    Chapter 18 Scheduler Rules 18.2.1 Add/Edit a Schedule Click the Add button in the Scheduler Rules screen or click the Edit icon next to a schedule rule to open the following screen. Use this screen to configure a restricted access schedule for a specific user on your network.
  • Page 269: Certificates

    Chapter 19 Certificates 19.1 Overview The Device can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use in authentication. 19.1.1 What You Can Do in this Chapter •...
  • Page 270: The Local Certificates Screen

    Chapter 19 Certificates 19.3 The Local Certificates Screen Click Security > Certificates to open the Local Certificates screen. This is the Device’s summary list of certificates and certification requests. Figure 108 Security > Certificates > Local Certificates The following table describes the labels in this screen. Table 83 Security >...
  • Page 271: Create Certificate Request

    Chapter 19 Certificates 19.3.1 Create Certificate Request Click Security > Certificates > Local Certificates and then Create Certificate Request to open the following screen. Use this screen to have the Device generate a certification request. Figure 109 Create Certificate Request The following table describes the labels in this screen.
  • Page 272: Load Signed Certificate

    Chapter 19 Certificates Figure 110 Certificate Request Created 19.3.2 Load Signed Certificate After you create a certificate request and have it signed by a Certificate Authority, in the Local Certificates screen click the certificate request’s Load Signed icon to import the signed certificate into the Device.
  • Page 273: The Trusted CA Screen

    Chapter 19 Certificates The following table describes the labels in this screen. Table 85 Load Signed Certificate LABEL DESCRIPTION Certificate This is the name of the signed certificate. Name Certificate Copy and paste the signed certificate into the text box to store it on the Device. Apply Click Apply to save your changes.
  • Page 274: View Trusted CA Certificate

    Chapter 19 Certificates 19.4.1 View Trusted CA Certificate Click the View icon in the Trusted CA screen to open the following screen. Use this screen to view in-depth information about the certification authority’s certificate. Figure 113 Trusted CA: View The following table describes the fields in this screen. Table 87 Trusted CA: View LABEL DESCRIPTION...
  • Page 275: Import Trusted CA Certificate

    Chapter 19 Certificates 19.4.2 Import Trusted CA Certificate Click the Import Certificate button in the Trusted CA screen to open the following screen. The Device trusts any valid certificate signed by any of the imported trusted CA certificates. Figure 114 Trusted CA: Import Certificate The following table describes the fields in this screen.
  • Page 277: IPSec VPN

    Chapter 20 IPSec VPN 20.1 Overview A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing. It is used to transport traffic over the Internet or any insecure network that uses TCP/IP for communication.
  • Page 278: What You Need To Know

    Chapter 20 IPSec VPN 20.3 What You Need To Know A VPN tunnel is usually established in two phases. Each phase establishes a security association (SA), a contract indicating what security parameters the Device and the remote IPSec router will use.
  • Page 279: Add/Edit VPN Rule

    Chapter 20 IPSec VPN Click VPN > IPSec VPN to display the Setup screen. This is a read-only menu of your IPSec VPN rules (tunnels). Edit a VPN rule by clicking the Edit icon. Note: The default IPsec rule Default_L2TPVPN cannot be disconnected on the VPN > IPSec VPN >...
  • Page 280: The VPN Connection Add/Edit Screen

    Chapter 20 IPSec VPN 20.4.2 The VPN Connection Add/Edit Screen Configure the VPN connection settings in the IPSec VPN > Setup > Edit screen. Figure 119 VPN > IPSec VPN > Setup > Edit The following table describes the labels in this screen. Table 90 VPN >...
  • Page 281 Chapter 20 IPSec VPN Table 90 VPN > IPSec VPN > Setup > Edit (continued) LABEL DESCRIPTION Connection Name Enter a name to identify this VPN policy. If you are editing an existing policy, this field is not editable. Note: The Connection Name of an IPsec rule must be unique and cannot be changed once it has been created.
  • Page 282 Chapter 20 IPSec VPN Table 90 VPN > IPSec VPN > Setup > Edit (continued) LABEL DESCRIPTION Pre-Shared Key Select this to have the Device and remote IPSec router use a pre-shared key (password) to identify each other when they negotiate the IKE SA. Type the pre-shared key in the field to the right.
  • Page 283 Chapter 20 IPSec VPN Table 90 VPN > IPSec VPN > Setup > Edit (continued) LABEL DESCRIPTION Phase 1 Phase 1 Encryption and Authentication can have up to 3 algorithm pairs. You cannot use phase 1 Encryption, Authentication, and Key Group pairs that already exist in other enabled IPsec rules with Remote Access selected as the Application Scenario.
  • Page 284 Chapter 20 IPSec VPN Table 90 VPN > IPSec VPN > Setup > Edit (continued) LABEL DESCRIPTION Key Group Select which Diffie-Hellman key group (DHx) you want to use for encryption keys. Choices are: DH1 - use a 768-bit random number DH2 - use a 1024-bit random number DH5 - use a 1536-bit random number The longer the key, the more secure the encryption, but also the longer it takes to...
  • Page 285 Chapter 20 IPSec VPN Table 90 VPN > IPSec VPN > Setup > Edit (continued) LABEL DESCRIPTION Encapsulation Select which type of encapsulation the IPSec SA uses. Choices are: Tunnel - this mode encrypts the IP header information and the data. Transport - this mode only encrypts the data.
  • Page 286: The Default_L2Tpvpn Ipsec Vpn Rule

    Chapter 20 IPSec VPN Table 90 VPN > IPSec VPN > Setup > Edit (continued) LABEL DESCRIPTION Local/Remote IP If you select Single in the Local/Remote IP Type field, specify the IP addresses of Address the devices behind the Device that can use the VPN tunnel. The local IP addresses must correspond to the remote IPSec router's configured remote IP addresses.
  • Page 287: The Ipsec Vpn Monitor Screen

    Chapter 20 IPSec VPN 20.5 The IPSec VPN Monitor Screen In the Web Configurator, click VPN > IPSec VPN > Monitor. Use this screen to display and manage active VPN connections. Figure 120 VPN > IPSec VPN > Monitor The following table describes the labels in this screen. Table 92 VPN >...
  • Page 288: Technical Reference

    Chapter 20 IPSec VPN The following table describes the labels in this screen. Table 93 VPN > IPSec VPN > Radius LABEL DESCRIPTION Radius Setup Server Address Enter the address of the RADIUS server. Authentication Port Specify the port number on the RADIUS server to which the Device sends authentication requests.
  • Page 289: Ipsec Architecture

    Chapter 20 IPSec VPN 20.7.1 IPSec Architecture The overall IPSec architecture is shown as follows. Figure 122 IPSec Architecture IPSec Algorithms The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms).
  • Page 290: Encapsulation

    Chapter 20 IPSec VPN 20.7.2 Encapsulation The two modes of operation for IPSec VPNs are Transport mode and Tunnel mode. At the time of writing, the Device supports Tunnel mode only. Figure 123 Transport and Tunnel Mode IPSec Encapsulation Transport Mode Transport mode is used to protect upper layer protocols and only affects the data in the IP packet.
  • Page 291: Ike Phases

    Chapter 20 IPSec VPN 20.7.3 IKE Phases There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authentication) and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA and the second one uses that SA to negotiate SAs for IPSec.
  • Page 292: Ipsec And Nat

    Chapter 20 IPSec VPN • Main Mode ensures the highest level of security when the communicating parties are negotiating authentication (phase 1). It uses 6 messages in three round trips: SA negotiation, Diffie-Hellman exchange and an exchange of nonces (a nonce is a random number). This mode features identity protection (your identity is not revealed in the negotiation).
  • Page 293: Id Type And Content

    Chapter 20 IPSec VPN NAT is not normally compatible with ESP in transport mode either, but the Device’s NAT Traversal feature provides a way to handle this. NAT traversal allows you to set up an IKE SA when there are NAT routers between the two IPSec routers.
  • Page 294: Pre-Shared Key

    Chapter 20 IPSec VPN distinguish incoming SAs because you can select between three encryption algorithms (DES, 3DES and AES), two authentication algorithms (MD5 and SHA1) and eight key groups when you configure a VPN rule (see Section 20.4 on page 278).
  • Page 295: Diffie-Hellman (Dh) Key Groups

    Chapter 20 IPSec VPN 20.7.9 Diffie-Hellman (DH) Key Groups Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communications channel. Diffie-Hellman is used within IKE SA setup to establish session keys. 768-bit, 1024-bit, 1536-bit, 2048-bit, and 3072-bit Diffie-Hellman groups are supported.
  • Page 296: Pptp Vpn

    Chapter 21 PPTP VPN 21.1 Overview Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a VPN using TCP/IP-based networks. PPTP supports on-demand, multi-protocol and virtual private networking over public networks, such as the Internet.
  • Page 297: Pptp Vpn Setup

    Chapter 21 PPTP VPN 21.3 PPTP VPN Setup Use this screen to configure settings for a Point to Point Tunneling Protocol (PPTP) server. Click VPN > PPTP VPN to open the Setup screen as shown next. Figure 127 VPN > PPTP VPN > Setup This screen contains the following fields: Table 99 VPN >...
  • Page 298: The Pptp Vpn Monitor Screen

    Chapter 21 PPTP VPN Table 99 VPN > PPTP VPN > Setup (continued) LABEL DESCRIPTION Keep Alive Timer The Device sends a Hello message after waiting this long without receiving any traffic from the remote user. The Device disconnects the VPN tunnel if the remote user does not respond.
  • Page 299 Chapter 21 PPTP VPN Action: Check the client device’s Internet connection. b. Incorrect server address configured on the client device. (1) If the Local WAN Interface is “Any”: From the Device’s GUI, click Status. The client device should be configured with one of the WAN interface IP addresses.
  • Page 300 Chapter 21 PPTP VPN b. The access group is not configured correctly. From the Device’s GUI, go to VPN > PPTP VPN > Setup to check. Note that all local hosts are by default accessible unless access group is configured. c.
  • Page 301: L2Tp Vpn

    Chapter 22 L2TP VPN 22.1 Overview The Layer 2 Tunneling Protocol (L2TP) works at layer 2 (the data link layer) to tunnel network traffic between two peers over another network (like the Internet). In L2TP VPN, an IPSec VPN tunnel (defined by the IPSec VPN rule Default_L2TPVPN, refer to Section 20.4.3 on page 286) is established first and then an L2TP tunnel is built inside it.
  • Page 302: L2Tp Vpn Screen

    Chapter 22 L2TP VPN 22.2 L2TP VPN Screen Click VPN > L2TP VPN to open the Setup screen. Use this screen to configure the Device’s L2TP VPN settings. Figure 130 VPN > L2TP VPN > Setup The following table describes the fields in this screen. Table 101 VPN >...
  • Page 303: The L2Tp Vpn Monitor Screen

    Chapter 22 L2TP VPN Table 101 VPN > L2TP VPN > Setup (continued) LABEL DESCRIPTION DNS Server Specify the IP addresses of DNS servers to assign to the remote users. (Optional) You can choose from one of the DNS servers from the list, or choose User Defined to enter the static IP addresses for the first and second DNS servers manually.
  • Page 304 Chapter 22 L2TP VPN b. Incorrect server address configured on the client device. Action: From the Device’s GUI, click VPN > IPSec VPN > Setup. (1) If the Local Gateway Address for Default_L2TPVPN is set to “Any”: From the Device’s GUI, click Status. The client device should be configured with one of the WAN interface IP addresses.
  • Page 305 Chapter 22 L2TP VPN An L2TP client is disconnected unexpectedly. Tip: An L2TP connection will be dropped when one of the following occurs on the Device: (1) Client has no activity for a period of time. (2) Client loses connectivity to the Device for a period of time. (3) Any IPSec VPN configuration change is applied on the Device.
  • Page 306 Chapter 22 L2TP VPN Device. The algorithms in red in Table 103 on page 306 indicate the ones that will be accepted based on Table 91 on page 286. Table 103 Phase 1 IPSec proposals provided by the built-in L2TP client in popular operating systems (Encryption/Authentication/Key Group) WINDOWS XP WINDOWS VISTA...
  • Page 307: Log

    Chapter 23 Log 23.1 Overview The web configurator allows you to choose which categories of events and/or alerts to have the Device log and then display the logs or have the Device send them to an administrator (as e-mail) or to a syslog server. 23.1.1 What You Can Do in this Chapter •...
  • Page 308: The System Log Screen

    Chapter 23 Log Table 105 Syslog Severity Levels CODE SEVERITY Notice: There is a normal but significant condition on the system. Informational: The syslog contains an informational message. Debug: The message is intended for debug-level purposes. 23.2 The System Log Screen Use the System Log screen to see the system logs.
  • Page 309: The Security Log Screen

    Chapter 23 Log 23.3 The Security Log Screen Use the Security Log screen to see the security-related logs for the categories that you select. Click System Monitor > Log > Security Log to open the following screen. Figure 133 System Monitor > Log > Security Log The following table describes the fields in this screen.
  • Page 311: Network Status

    Chapter 24 Network Status 24.1 Overview Use the Network Status screens to look at network status and statistics of the WAN and LAN interfaces. 24.1.1 What You Can Do in this Chapter • Use the WAN screen to view the WAN traffic statistics (Section 24.2 on page 311).
  • Page 312: The Lan Status Screen

    Chapter 24 Network Status The following table describes the fields in this screen. Table 108 System Monitor > Network Status > WAN LABEL DESCRIPTION Connected Interface This shows the name of the WAN interface that is currently connected. Packets Sent Data This indicates the number of transmitted packets on this interface.
  • Page 313 Chapter 24 Network Status The following table describes the fields in this screen. Table 109 System Monitor > Network Status > LAN LABEL DESCRIPTION Refresh Interval Select how often you want the Device to update this screen. Interface This shows the LAN or WLAN interface. Bytes Sent This indicates the number of bytes transmitted on this interface.
  • Page 315: Arp Table

    Chapter 25 ARP Table 25.1 Overview Address Resolution Protocol (ARP) is a protocol for mapping an Internet Protocol address (IP address) to a physical machine address, also known as a Media Access Control or MAC address, on the local area network. An IP (version 4) address is 32 bits long.
  • Page 316 Chapter 25 ARP Table Table 110 System Monitor > ARP Table (continued) LABEL DESCRIPTION MAC Address This is the MAC address of the device with the listed IP address. Device This is the type of interface used by the device. You can click on the device type to go to its configuration screen.
  • Page 317: Routing Table

    Chapter 26 Routing Table 26.1 Overview Routing is based on the destination address only and the Device takes the shortest path to forward a packet. 26.2 The Routing Table Screen Click System Monitor > Routing Table to open the following screen. Figure 137 System Monitor >...
  • Page 318 Chapter 26 Routing Table Table 111 System Monitor > Routing Table (continued) LABEL DESCRIPTION Service This indicates the name of the service used to forward the route. Interface This indicates the name of the interface through which the route is forwarded. br0 indicates the LAN interface.
  • Page 319: Igmp Status

    Chapter 27 IGMP Status 27.1 Overview Use the IGMP Status screens to look at IGMP group status and traffic statistics. 27.2 The IGMP Group Status Screen Use this screen to look at the current list of multicast groups the Device has joined and which ports have joined it.
  • Page 321: Xdsl Statistics

    Chapter 28 xDSL Statistics 28.1 The xDSL Statistics Screen Use this screen to view detailed DSL statistics. Click System Monitor > xDSL Statistics to open the following screen. Figure 139 System Monitor > xDSL Statistics
  • Page 322 Chapter 28 xDSL Statistics The following table describes the labels in this screen. Table 113 System Monitor > xDSL Statistics LABEL DESCRIPTION Refresh Interval Select the time interval for refreshing statistics. xDSL Training This displays the current state of setting up the DSL connection. Status Mode This displays the ITU standard used for this connection.
  • Page 323 Chapter 28 xDSL Statistics Table 113 System Monitor > xDSL Statistics (continued) LABEL DESCRIPTION Downstream These are the statistics for the traffic direction coming into the port from the service provider. Upstream These are the statistics for the traffic direction going out from the port to the service provider.
  • Page 325: User Account

    Chapter 29 User Account 29.1 Overview Use the User Account screen to manage user accounts, which includes configuring the username, password, retry times, file sharing, captive portal, and customizing the login message. 29.2 The User Account Screen Click Maintenance > User Account to open the following screen. Figure 140 Maintenance >...
  • Page 326: Add/Edit A Users Account

    Chapter 29 User Account Table 114 Maintenance > User Account (continued) LABEL DESCRIPTION Lock Period This field indicates the number of minutes for the lockout period. A user cannot log into the Device during the lockout period, even if he/she enters correct account information. Group This field displays the login account type of the user.
  • Page 327 Chapter 29 User Account The following table describes the labels in this screen. Table 115 Users Configuration: Add/Edit LABEL DESCRIPTION User Name This field is read-only if you are editing the user account. Enter a descriptive name for the user account. The user name can be up to 15 alphanumeric characters (0-9, A-Z, a-z, -, _ with no spaces).
  • Page 329: Remote Management

    Chapter 30 Remote Management 30.1 Overview Remote Management allows you to manage your Device from a remote location through the following interfaces: • LAN • WAN • Trust Domain Note: The Device is managed using the Web Configurator. 30.2 The Remote MGMT Screen Use this screen to configure through which interface(s) users can use which service(s) to manage the Device.
  • Page 330 Chapter 30 Remote Management The following table describes the fields in this screen. Table 116 Maintenance > Remote MGMT LABEL DESCRIPTION Trust Domain Status This field displays whether the Trust Domain is active or not. IP Address Enter the Trust Domain IP address. Services This is the service you may use to access the Device.
  • Page 331: Client

    Chapter 31 TR-069 Client 31.1 Overview This chapter explains how to configure the Device’s TR-069 auto-configuration settings. 31.2 The TR-069 Client Screen TR-069 defines how Customer Premise Equipment (CPE), for example your Device, can be managed over the WAN by an Auto Configuration Server (ACS). TR-069 is based on sending Remote Procedure Calls (RPCs) between an ACS and a client device.
  • Page 332 Chapter 31 TR-069 Client The following table describes the fields in this screen. Table 117 Maintenance > TR-069 Client LABEL DESCRIPTION Inform Select Enable for the Device to send periodic inform via TR-069 on the WAN. Otherwise, select Disable. Inform Interval Enter the time interval (in seconds) at which the Device sends information to the auto- configuration server.
  • Page 333: Snmp

    Chapter 32 SNMP 32.1 The SNMP Agent Screen Simple Network Management Protocol is a protocol used for exchanging management information between network devices. Your Device supports SNMP agent functionality, which allows a manager station to manage and monitor the Device through the network. The Device supports SNMP version one (SNMPv1) and version two (SNMPv2c).
  • Page 334 Chapter 32 SNMP • Get - Allows the manager to retrieve an object variable from the agent. • GetNext - Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations.
  • Page 335: Time

    Chapter 33 Time 33.1 Overview This chapter shows you how to configure system related settings, such as system time, password, name, the domain name and the inactivity timeout interval. 33.2 The Time Screen To change your Device’s time and date, click Maintenance > Time. The screen appears as shown. Use this screen to configure the Device’s time based on your local time zone.
  • Page 336 Chapter 33 Time The following table describes the fields in this screen. Table 119 Maintenance > Time Setting LABEL DESCRIPTION Current Date/Time Current Time This field displays the time of your Device. Each time you reload this page, the Device synchronizes the time with the time server. Current Date This field displays the date of your Device.
  • Page 337 Chapter 33 Time Table 119 Maintenance > Time Setting (continued) LABEL DESCRIPTION Apply Click Apply to save your changes. Cancel Click Cancel to exit this screen without saving. SBG3300-N Series User’s Guide...
  • Page 339: E-Mail Notification

    Chapter 34 E-mail Notification 34.1 Overview A mail server is an application or a computer that runs such an application to receive, forward and deliver e-mail messages. To have the Device send reports, logs or notifications via e-mail, you must specify an e-mail server and the e-mail addresses of the sender and receiver.
  • Page 340: Email Notification Edit

    Chapter 34 E-mail Notification 34.2.1 Email Notification Edit Click the Add button in the Email Notification screen. Use this screen to configure the required information for sending e-mail via a mail server. Figure 148 Email Notification > Add The following table describes the labels in this screen. Table 121 Email Notification >...
  • Page 341: Logs Setting

    Chapter 35 Logs Setting 35.1 Overview You can configure where the Device sends logs and which logs and/or immediate alerts the Device records in the Logs Setting screen. 35.2 The Log Setting Screen To change your Device’s log settings, click Maintenance > Logs Setting. The screen appears as shown.
  • Page 342: Example E-Mail Log

    Chapter 35 Logs Setting The following table describes the fields in this screen. Table 122 Maintenance > Logs Setting LABEL DESCRIPTION Syslog Setting Syslog Logging The Device sends a log to an external syslog server. Select Enable to enable syslog logging.
  • Page 343 Chapter 35 Logs Setting • The date format here is Day-Month-Year. • The date format here is Month-Day-Year. The time format is Hour-Minute-Second. • "End of Log" message shows that a complete log has been sent. Figure 150 E-mail Log Example Subject: Firewall Alert From Date:...
  • Page 345: Firmware Upgrade

    Chapter 36 Firmware Upgrade 36.1 Overview This chapter explains how to upload new firmware to your Device. You can download new firmware releases from your nearest ZyXEL FTP site (or www.zyxel.com) to use to upgrade your device’s performance. Only use firmware for your device’s specific model. Refer to the label on the bottom of your Device.
  • Page 346 Chapter 36 Firmware Upgrade After you see the firmware updating screen, wait two minutes before logging into the Device again. Figure 152 Firmware Uploading The Device automatically restarts in this time causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop. Figure 153 Network Temporarily Disconnected After two minutes, log in again and check your new firmware version in the Status screen.
  • Page 347: Configuration

    Chapter 37 Configuration 37.1 Overview The Configuration screen allows you to back up and restore device configurations. You can also reset your device settings back to the factory default. 37.2 The Configuration Screen Click Maintenance > Configuration. Information related to factory defaults, backup configuration, and restoring configuration appears in this screen, as shown next.
  • Page 348 Chapter 37 Configuration Restore Configuration Restore Configuration allows you to upload a new or previously saved configuration file from your computer to your Device. Table 124 Restore Configuration LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse ... to find it. Browse...
  • Page 349: The Reboot Screen

    Chapter 37 Configuration Reset to Factory Defaults Click the Reset button to clear all user-entered configuration information and return the Device to its factory defaults. The following warning screen appears. Figure 158 Reset Warning Message Figure 159 Reset In Process Message You can also press the RESET button on the rear panel to reset the factory defaults of your Device.
  • Page 350: Diagnostic

    Chapter 38 Diagnostic 38.1 Overview The Diagnostic screens display information to help you identify problems with the Device. The route between a CO VDSL switch and one of its CPE may go through switches owned by independent organizations. A connectivity fault point generally takes time to discover and impacts subscriber’s network access.
  • Page 351: Ping & Traceroute & Nslookup

    Chapter 38 Diagnostic 38.3 Ping & TraceRoute & NsLookup Use this screen to ping, traceroute, or nslookup an IP address. Click Maintenance > Diagnostic > Ping & TraceRoute & NsLookup to open the screen shown next. Figure 161 Maintenance > Diagnostic > Ping & TraceRoute & NsLookup The following table describes the fields in this screen.
  • Page 352 Chapter 38 Diagnostic 38.4 802.1ag Click Maintenance > Diagnostic > 802.1ag to open the following screen. Use this screen to perform CFM actions. Figure 162 Maintenance > Diagnostic > 802.1ag The following table describes the fields in this screen. Table 126 Maintenance > Diagnostic > 802.1ag LABEL DESCRIPTION 802.1ag Connectivity Fault Management...
  • Page 353: Oam Ping Test

    Chapter 38 Diagnostic 38.5 OAM Ping Test Click Maintenance > Diagnostic > OAM Ping Test to open the screen shown next. Use this screen to perform an OAM (Operation, Administration and Maintenance) F4 or F5 loopback test on a PVC. The Device sends an OAM F4 or F5 packet to the DSLAM or ATM switch and then returns it to the Device.
  • Page 354 Chapter 38 Diagnostic Note: This screen is available only when you configure an ATM layer-2 interface. Figure 164 Maintenance > Diagnostic > OAM Ping Test The following table describes the fields in this screen. Table 127 Maintenance > Diagnostic > OAM Ping Test LABEL DESCRIPTION Select a PVC on which you want to perform the loopback test.
  • Page 355: Troubleshooting

    Chapter 39 Troubleshooting This chapter offers some suggestions to solve problems you might encounter. The potential problems are divided into the following categories. • Power, Hardware Connections, and LEDs • Device Access and Login • Internet Access • Wireless Internet Access •...
  • Page 356: Device Access And Login

    Chapter 39 Troubleshooting If the problem continues, contact the vendor. 39.2 Device Access and Login I forgot the IP address for the Device. The default LAN IP address is 192.168.1.1. If you changed the IP address and have forgotten it, you might get the IP address of the Device by looking up the IP address of the default gateway for your computer.
  • Page 357 Chapter 39 Troubleshooting Reset the device to its factory defaults, and try to access the Device with the default IP address. Section 1.6 on page If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions.
  • Page 358: Internet Access

    Chapter 39 Troubleshooting 39.3 Internet Access I cannot access the Internet. Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.5 on page Make sure you entered your ISP account information correctly in the Network Setting > Broadband screen.
  • Page 359: Wireless Internet Access

    Chapter 39 Troubleshooting Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.5 on page Turn the Device off and on. If the problem continues, contact your ISP. 39.4 Wireless Internet Access What factors may cause an intermittent or unstable wireless connection? How can I solve this problem? The following factors may cause interference:...
  • Page 360: Usb Device Connection

    Chapter 39 Troubleshooting The available security modes in your Device are as follows: • WPA2-PSK: (recommended) This uses a pre-shared key with the WPA2 standard. • WPA-PSK: This has the device use either WPA-PSK or WPA2-PSK depending on which security mode the wireless client uses.
  • Page 361 Chapter 39 Troubleshooting The Local Area Connection icon for UPnP disappears in the screen. Restart your computer. I cannot open special applications such as white board, file transfer and video when I use the MSN messenger. Wait more than three minutes. Restart the applications.
  • Page 363: Appendix A Setting Up Your Computer's Ip Address

    Appendix A Setting up Your Computer’s IP Address All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP/Vista, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer.
  • Page 364 Appendix A Setting up Your Computer’s IP Address Installing Components The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the adapter: In the Network window, click Add. Select Adapter and then click Add.
  • Page 365 Appendix A Setting up Your Computer’s IP Address • If you have a static IP address, select Specify an IP address and type your information into the IP Address and Subnet Mask fields. Figure 166 Windows 95/98/Me: TCP/IP Properties: IP Address Click the DNS Configuration tab.
  • Page 366 Appendix A Setting up Your Computer’s IP Address Click the Gateway tab. • If you do not know your gateway’s IP address, remove previously installed gateways. • If you have a gateway IP address, type it in the New gateway field and click Add. Click OK to save and close the TCP/IP Properties window.
  • Page 367 Appendix A Setting up Your Computer’s IP Address In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT). Figure 169 Windows XP: Control Panel Right-click Local Area Connection and then click Properties. Figure 170 Windows XP: Control Panel: Network Connections: Properties SBG3300-N Series User’s Guide...
  • Page 368 Appendix A Setting up Your Computer’s IP Address Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and then click Properties. Figure 171 Windows XP: Local Area Connection Properties The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP). •...
  • Page 369 Appendix A Setting up Your Computer’s IP Address • Click Advanced. Figure 172 Windows XP: Internet Protocol (TCP/IP) Properties If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK. Do one or more of the following if you want to configure additional IP addresses: •...
  • Page 370 Appendix A Setting up Your Computer’s IP Address • Click OK when finished. Figure 173 Windows XP: Advanced TCP/IP Properties In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP): • Click Obtain DNS server address automatically if you do not know your DNS server IP address(es).
  • Page 371 Appendix A Setting up Your Computer’s IP Address If you have previously configured DNS servers, click Advanced and then the DNS tab to order them. Figure 174 Windows XP: Internet Protocol (TCP/IP) Properties Click OK to close the Internet Protocol (TCP/IP) Properties window. Click Close (OK in Windows 2000/NT) to close the Local Area Connection Properties window.
  • Page 372 Appendix A Setting up Your Computer’s IP Address Click the Start icon, Control Panel. Figure 175 Windows Vista: Start Menu In the Control Panel, double-click Network and Internet. Figure 176 Windows Vista: Control Panel Click Network and Sharing Center. Figure 177 Windows Vista: Network And Internet SBG3300-N Series User’s Guide...
  • Page 373 Appendix A Setting up Your Computer’s IP Address Click Manage network connections. Figure 178 Windows Vista: Network and Sharing Center Right-click Local Area Connection and then click Properties. Note: During this procedure, click Continue whenever Windows displays a screen saying that it needs your permission to continue.
  • Page 374 Appendix A Setting up Your Computer’s IP Address Select Internet Protocol Version 4 (TCP/IPv4) and click Properties. Figure 180 Windows Vista: Local Area Connection Properties The Internet Protocol Version 4 (TCP/IPv4) Properties window opens (the General tab). • If you have a dynamic IP address click Obtain an IP address automatically. •...
  • Page 375 Appendix A Setting up Your Computer’s IP Address • Click Advanced. Figure 181 Windows Vista: Internet Protocol Version 4 (TCP/IPv4) Properties If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK. Do one or more of the following if you want to configure additional IP addresses: •...
  • Page 376 Appendix A Setting up Your Computer’s IP Address • Click OK when finished. Figure 182 Windows Vista: Advanced TCP/IP Properties In the Internet Protocol Version 4 (TCP/IPv4) Properties window, (the General tab): • Click Obtain DNS server address automatically if you do not know your DNS server IP address(es).
  • Page 377 Appendix A Setting up Your Computer’s IP Address If you have previously configured DNS servers, click Advanced and then the DNS tab to order them. Figure 183 Windows Vista: Internet Protocol Version 4 (TCP/IPv4) Properties 10 Click OK to close the Internet Protocol Version 4 (TCP/IPv4) Properties window. 11 Click Close to close the Local Area Connection Properties window.
  • Page 378 Appendix A Setting up Your Computer’s IP Address Macintosh OS 8/9 Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel. Figure 184 Macintosh OS 8/9: Apple Menu SBG3300-N Series User’s Guide...
  • Page 379 Appendix A Setting up Your Computer’s IP Address Select Ethernet built-in from the Connect via list. Figure 185 Macintosh OS 8/9: TCP/IP For dynamically assigned settings, select Using DHCP Server from the Configure: list. For statically assigned settings, do the following: •...
  • Page 380 Appendix A Setting up Your Computer’s IP Address • Select Built-in Ethernet from the Show list. • Click the TCP/IP tab. For dynamically assigned settings, select Using DHCP from the Configure list. Figure 187 Macintosh OS X: Network For statically assigned settings, do the following: •...
  • Page 381 Appendix A Setting up Your Computer’s IP Address Linux This section shows you how to configure your computer’s TCP/IP settings in Red Hat Linux 9.0. Procedure, screens and file location may vary depending on your Linux distribution and release version. Note: Make sure you are logged in as the root administrator.
  • Page 382 Appendix A Setting up Your Computer’s IP Address Double-click on the profile of the network card you wish to configure. The Ethernet Device General screen displays as shown. Figure 189 Red Hat 9.0: KDE: Ethernet Device: General • If you have a dynamic IP address, click Automatically obtain IP address settings with and select dhcp from the drop down list.
  • Page 383 Appendix A Setting up Your Computer’s IP Address Click the Activate button to apply the changes. The following screen displays. Click Yes to save the changes in all screens. Figure 191 Red Hat 9.0: KDE: Network Configuration: Activate After the network card restart process is complete, make sure the Status is Active in the Network Configuration screen.
  • Page 384 Appendix A Setting up Your Computer’s IP Address If you know your DNS server IP address(es), enter the DNS server information in the resolv.conf file in the /etc directory. The following figure shows an example where two DNS server IP addresses are specified.
  • Page 385: Appendix B IP Addresses and Subnetting

    IP Addresses and Subnetting This appendix introduces IP addresses and subnet masks. IP addresses identify individual devices on a network. Every networking device (including computers, servers, routers, printers, etc.) needs an IP address to communicate across the network.
  • Page 386 Appendix B IP Addresses and Subnetting The following figure shows an example IP address in which the first three octets (192.168.1) are the network number, and the fourth octet (16) is the host ID. Figure 197 Network Number and Host ID How much of the IP address is the network number and how much is the host ID varies according to the subnet mask.
  • Page 387 Appendix B IP Addresses and Subnetting Subnet masks can be referred to by the size of the network number part (the bits with a “1” value). For example, an “8-bit mask” means that the first 8 bits of the mask are ones and the remaining 24 bits are zeroes.
  • Page 388 Appendix B IP Addresses and Subnetting The following table shows some possible subnet masks using both notations. Table 131 Alternative Subnet Mask Notation ALTERNATIVE LAST OCTET LAST OCTET SUBNET MASK NOTATION (BINARY) (DECIMAL) 255.255.255.0 0000 0000 255.255.255.128 1000 0000 255.255.255.192 1100 0000 255.255.255.224 1110 0000...
  • Page 389 Appendix B IP Addresses and Subnetting The following figure shows the company network after subnetting. There are now two sub-networks, A and B. Figure 199 Subnetting Example: After Subnetting In a 25-bit subnet the host ID has 7 bits, so each sub-network has a maximum of 2 –...
  • Page 390 Appendix B IP Addresses and Subnetting Table 132 Subnet 1 (continued) LAST OCTET BIT IP/SUBNET MASK NETWORK NUMBER VALUE Subnet Address: Lowest Host ID: 192.168.1.1 192.168.1.0 Broadcast Address: Highest Host ID: 192.168.1.62 192.168.1.63 Table 133 Subnet 2 LAST OCTET BIT IP/SUBNET MASK NETWORK NUMBER VALUE...
  • Page 391 Appendix B IP Addresses and Subnetting Table 136 Eight Subnets (continued) SUBNET LAST BROADCAST SUBNET FIRST ADDRESS ADDRESS ADDRESS ADDRESS Subnet Planning The following table is a summary for subnet planning on a network with a 24-bit network number. Table 137 24-bit Network Number Subnet Planning NO.
  • Page 392 Appendix B IP Addresses and Subnetting Configuring IP Addresses Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask. If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established.
  • Page 393: Appendix C Pop-up Windows, JavaScript and Java Permissions

    Pop-up Windows, JavaScript and Java Permissions In order to use the web configurator you need to allow: • Web browser pop-up windows from your device. • JavaScript (enabled by default). • Java permissions (enabled by default). Note: Internet Explorer 6 screens are used here.
  • Page 394 Appendix C Pop-up Windows, JavaScript and Java Permissions Clear the Block pop-ups check box in the Pop-up Blocker section of the screen. This disables any web pop-up blockers you may have enabled. Figure 201 Internet Options: Privacy Click Apply to save this setting. Enable Pop-up Blockers with Exceptions Alternatively, if you only want to allow pop-up windows from your device, see the following steps.
  • Page 395 Appendix C Pop-up Windows, JavaScript and Java Permissions Select Settings… to open the Pop-up Blocker Settings screen. Figure 202 Internet Options: Privacy Type the IP address of your device (the web page that you do not want to have blocked) with the prefix “http://”.
  • Page 396 Appendix C Pop-up Windows, JavaScript and Java Permissions Click Add to move the IP address to the list of Allowed sites. Figure 203 Pop-up Blocker Settings Click Close to return to the Privacy screen. Click Apply to save this setting. JavaScript If pages of the web configurator do not display properly in Internet Explorer, check that JavaScript is allowed.
  • Page 397 Appendix C Pop-up Windows, JavaScript and Java Permissions In Internet Explorer, click Tools, Internet Options and then the Security tab. Figure 204 Internet Options: Security Click the Custom Level... button. Scroll down to Scripting. Under Active scripting make sure that Enable is selected (the default). Under Scripting of Java applets make sure that Enable is selected (the default).
  • Page 398 Appendix C Pop-up Windows, JavaScript and Java Permissions Click OK to close the window. Figure 205 Security Settings - Java Scripting Java Permissions From Internet Explorer, click Tools, Internet Options and then the Security tab. Click the Custom Level... button. Scroll down to Microsoft VM.
  • Page 399 Appendix C Pop-up Windows, JavaScript and Java Permissions Click OK to close the window. Figure 206 Security Settings - Java JAVA (Sun) From Internet Explorer, click Tools, Internet Options and then the Advanced tab. Make sure that Use Java 2 for <applet> under Java (Sun) is selected.
  • Page 400 Appendix C Pop-up Windows, JavaScript and Java Permissions Click OK to close the window. Figure 207 Java (Sun) Mozilla Firefox Mozilla Firefox 2.0 screens are used here. Screens for other versions may vary. You can enable Java, Javascript and pop-ups in one screen. Click Tools, then click Options in the screen that appears.
  • Page 401 Appendix C Pop-up Windows, JavaScript and Java Permissions Click Content to show the screen below. Select the check boxes as shown in the following screen. Figure 209 Mozilla Firefox Content Security
  • Page 403: Appendix D Wireless LANs

    Wireless LANs Wireless LAN Topologies This section discusses ad-hoc and infrastructure wireless LAN topologies. Ad-hoc Wireless LAN Configuration The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless adapters (A, B, C). Any time two or more wireless adapters are within range of each other, they can set up an independent network, which is commonly referred to as an ad-hoc network or Independent Basic Service Set (IBSS).
  • Page 404 Appendix D Wireless LANs disabled, wireless client A and B can still access the wired network but cannot communicate with each other. Figure 211 Basic Service Set An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network.
  • Page 405 Appendix D Wireless LANs An ESSID (ESS IDentification) uniquely identifies each ESS. All access points and their associated wireless clients within the same ESS must have the same ESSID in order to communicate. Figure 212 Infrastructure WLAN Channel A channel is the radio frequency(ies) used by wireless devices to transmit and receive data. Channels available depend on your geographical area.
  • Page 406 Appendix D Wireless LANs cannot "hear" each other, that is they do not know if the channel is currently being used. Therefore, they are considered hidden from each other. RTS/CTS Figure 213 When station A sends data to the AP, it might not know that the station B is already using the channel.
  • Page 407 Appendix D Wireless LANs If the Fragmentation Threshold value is smaller than the RTS/CTS value (see previously) you set then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size. IEEE 802.11g Wireless LAN IEEE 802.11g is fully compatible with the IEEE 802.11b standard.
  • Page 408 Appendix D Wireless LANs IEEE 802.1x In June 2001, the IEEE 802.1x standard was designed to extend the features of IEEE 802.11 to support extended authentication as well as providing additional accounting and control features. It is supported by Windows XP and a number of network devices. Some advantages of IEEE 802.1x are: •...
  • Page 409 Appendix D Wireless LANs • Accounting-Request Sent by the access point requesting accounting. • Accounting-Response Sent by the RADIUS server to indicate that it has started or stopped accounting. In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password, they both know.
  • Page 410 Appendix D Wireless LANs EAP-TTLS (Tunneled Transport Layer Service) EAP-TTLS is an extension of the EAP-TLS authentication that uses certificates for only the server- side authentications to establish a secure connection. Client authentication is then done by sending username and password through the secure connection, thus client identity is protected. For client authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2.
  • Page 411 Appendix D Wireless LANs WPA and WPA2 Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA. Key differences between WPA or WPA2 and WEP are improved data encryption and user authentication.
  • Page 412 Appendix D Wireless LANs password-guessing attacks but it’s still an improvement over WEP as it employs a consistent, single, alphanumeric password to derive a PMK which is used to generate unique temporal encryption keys. This prevents all wireless devices from sharing the same encryption keys (a weakness of WEP). User Authentication WPA and WPA2 apply IEEE 802.1x and Extensible Authentication Protocol (EAP) to authenticate...
  • Page 413 Appendix D Wireless LANs The RADIUS server distributes the PMK to the AP. The AP then sets up a key hierarchy and management system, using the PMK to dynamically generate unique data encryption keys. The keys are used to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients.
  • Page 414 Appendix D Wireless LANs Security Parameters Summary Refer to this table to see what other security parameters you should configure for each authentication method or key management protocol type. MAC address filters are not dependent on how you configure these security features. Table 142 Wireless Security Relational Matrix AUTHENTICATION ENCRYPTIO...
  • Page 415 Appendix D Wireless LANs 2.5%. For an unobstructed outdoor site, each 1dB increase in gain results in a range increase of approximately 5%. Actual results may vary depending on the network environment. Antenna gain is sometimes specified in dBi, which is how much the antenna increases the signal power compared to using an isotropic antenna.
  • Page 417: Appendix E IPv6

    IPv6 Overview IPv6 (Internet Protocol version 6), is designed to enhance IP address size and features. The increase in IPv6 address size to 128 bits (from the 32-bit IPv4 address) allows up to 3.4 x 10^38 addresses.
  • Page 418 Appendix E IPv6 Global Address A global address uniquely identifies a device on the Internet. It is similar to a “public IP address” in IPv4. A global unicast address starts with a 2 or 3. Unspecified Address An unspecified address (0:0:0:0:0:0:0:0 or ::) is used as the source address when a device does not have its own address.
  • Page 419 Appendix E IPv6 Table 145 Reserved Multicast Address (continued) MULTICAST ADDRESS FF08:0:0:0:0:0:0:0 FF09:0:0:0:0:0:0:0 FF0A:0:0:0:0:0:0:0 FF0B:0:0:0:0:0:0:0 FF0C:0:0:0:0:0:0:0 FF0D:0:0:0:0:0:0:0 FF0E:0:0:0:0:0:0:0 FF0F:0:0:0:0:0:0:0 Subnet Masking Both an IPv6 address and an IPv6 subnet mask are composed of 128 binary digits, which are divided into eight 16-bit blocks and written in hexadecimal notation. Hexadecimal uses four bits for each character (1 ~ 10, A ~ F).
  • Page 420 Appendix E IPv6 the time T2 is reached and the server does not respond, the client sends a Rebind message to any available server (S2). For an IA_TA, the client may send a Renew or Rebind message at the client's discretion.
  • Page 421 Appendix E IPv6 • Neighbor advertisement: A response from a node to announce its link-layer address. • Router solicitation: A request from a host to locate a router that can act as the default router and forward packets. • Router advertisement: A response to a router solicitation or a periodical multicast advertisement from a router to advertise its presence and other parameters.
  • Page 422 Appendix E IPv6 Example - Enabling IPv6 on Windows XP/2003/Vista By default, Windows XP and Windows 2003 support IPv6. This example shows you how to use the ipv6 install command on Windows XP/2003 to enable IPv6. This also displays how to use the ipconfig command to see auto-generated IP addresses.
  • Page 423 Appendix E IPv6 Double click Dibbler - a DHCPv6 client. Click Start and then OK. Now your computer can obtain an IPv6 address from a DHCPv6 server. Example - Enabling IPv6 on Windows 7 Windows 7 supports IPv6 by default. DHCPv6 is also enabled when you enable IPv6 on a Windows 7 computer.
  • Page 424 Appendix E IPv6 Click Close to exit the Local Area Connection Status screen. Select Start > All Programs > Accessories > Command Prompt. Use the ipconfig command to check your dynamic IPv6 address. This example shows a global address (2001:b021:2d::1000) obtained from a DHCP server. C:\>ipconfig Windows IP Configuration Ethernet adapter Local Area Connection:...
  • Page 425: Appendix F Services

    Services The following table lists some commonly-used services and their associated protocols and port numbers. • Name: This is a short, descriptive name for the service. You can use this one or create a different one, if you like.
  • Page 426 Appendix F Services Table 146 Examples of Services NAME PROTOCOL PORT(S) DESCRIPTION AH (IPSEC_TUNNEL) User-Defined The IPSEC AH (Authentication Header) tunneling protocol uses this service. 5190 AOL’s Internet Messenger service. AUTH Authentication protocol used by some servers. Border Gateway Protocol. BOOTP_CLIENT DHCP Client.
  • Page 427 Appendix F Services Table 146 Examples of Services (continued) NAME PROTOCOL PORT(S) DESCRIPTION NEW-ICQ 5190 An Internet chat program. NEWS A protocol for news groups. 2049 Network File System - NFS is a client/ server distributed file service that provides transparent file sharing for network environments.
  • Page 428 Appendix F Services Table 146 Examples of Services (continued) NAME PROTOCOL PORT(S) DESCRIPTION SQL-NET 1521 Structured Query Language is an interface to access data on many different types of database systems, including mainframes, midrange systems, UNIX systems and network servers. SSDP 1900 The Simple Service Discovery Protocol...
  • Page 429: Appendix G Legal Information

    The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved.
  • Page 430 Appendix G Legal Information ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to proper operating condition.
  • Page 431 Appendix G Legal Information [Finnish] ZyXEL hereby declares that this equipment is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC. [Swedish] ZyXEL hereby declares that this equipment is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC.
  • Page 432 Appendix G Legal Information List of national codes COUNTRY ISO 3166 2 LETTER CODE COUNTRY ISO 3166 2 LETTER CODE Austria Malta Belgium Netherlands Cyprus Poland Czech Republic Portugal Denmark Slovakia Estonia Slovenia Finland Spain France Sweden Germany United Kingdom Greece Iceland Hungary...

This manual is also suitable for:

SBG3300-NB00, SBG3300-N Series