ZyXEL Communications SBG3300 series User Manual

IPSec VPN and Multiple-WAN Small Business Gateway
SBG3300 Series
IPSec VPN and Multiple-WAN Small Business Gateway
(Green Product)
Support Notes
January 2013
Edition 1.0


Summary of Contents for ZyXEL Communications SBG3300 series

  • Page 1 SBG3300 Series IPSec VPN and Multiple-WAN Small Business Gateway (Green Product) Support Notes January 2013 Edition 1.0...
  • Page 2: Table Of Contents

    Content Why use the SBG3300? .................. 5 Key Application Scenario .................... 8 Access Application Notes ..................11 Web GUI ....................... 11 ADSL 2+ WAN Mode ..................13 IP Multicast Introduction ................16 NAT Introduction ..................16 Data Service FTP Downloading Scenario ............. 17 Port Forwarding Configuration ..............
  • Page 3 Why does my provider use PPPoE? ............. 62 Which Internet Applications can I use with the device? ......62 How can I configure the device? ..............62 What can we do with the device?..............63 Does the device support dynamic IP addressing? ........63 What is the difference between the internal IP and the real IP from my ISP? ........................
  • Page 4 What is Infrastructure mode? ..............73 How many Access Points are required in a given area? ......73 What is Direct-Sequence Spread Spectrum Technology – (DSSS)? ....73 What is Frequency-hopping Spread Spectrum Technology – (FHSS)? ..73 Do I need the same kind of antenna on both sides of a link? ..... 74 What is the 2.4 GHz Frequency range? ............
  • Page 5: Why Use The SBG3300

     Dual mode VDSL2/ADSL2+ functionality: The SBG3300 series supports dual-mode functionality that enables service providers to support ATM or PTM on the same device. It offers a bi-directional high-speed VDSL2/VDSL connection with speeds of up to 100/45 Mbps in PTM mode, and ADSL2+, ADSL2 and ADSL connections of up to 24/1 Mbps in ATM mode.
  • Page 6 Quality of Service (QoS): The SBG3300 series comes equipped with both ATM and IP QoS features. The service provider can base its QoS policy on the service plan to freely design and prioritize mission-critical services such as IPTV. This increases network efficiency and productivity, enabling the service provider to bring real multi-play into residential users' lives.
  • Page 8: Key Application Scenario

    Key Application Scenario: Multi-Service Application Scenario. The ZyXEL device provides shared Internet access by connecting the DSL port to the DSL or Modem jack on a splitter or to your telephone jack. The SBG3300 serves as a home gateway, providing high-speed Internet service and high-quality IPTV service.
  • Page 9: Internet Connection

    Internet Connection A typical Internet access application of the SBG3300 is shown below. For a small office, some components need to be checked before accessing the Internet.  Before we begin. The device is shipped with the following factory defaults: 1.
  • Page 10 In the Select Network Protocol window, select Microsoft from the list of manufacturers, then select TCP/IP from the Network Protocols list and click OK. 3. TCP/IP Configuration: follow these steps to configure Windows TCP/IP. In the Control Panel/Network window, click the TCP/IP entry to select it and click...
  • Page 11: Access Application Notes

    Access Application Notes. Web GUI: The following procedure describes the most typical operation of the device using a browser. The device features an embedded Web server that allows you to use a Web browser to configure it. Make sure there is no Telnet or Console login session before configuring the router using a browser.
  • Page 12 1. Go to Network Setting> Broadband > 3G WAN. 2. Card Description will show what dongle model is plugged into SBG3300 Series. 3. If SBG3300 Series supports that dongle, 3G status will read Enable. 4. Fill in the PIN number. 5. Enter the APN string or number.
  • Page 13: ADSL 2+ WAN Mode

    Application Scenario: The following example demonstrates a Triple Play service configuration running Data and IPTV. The step-by-step guide beneath the following scenario illustration will take you through the setup of the WAN Interface, NAT Port forwarding (using the FTP service to demonstrate a Data service), Quality of Service and the WLAN setting (to demonstrate WPS setup).
  • Page 14 1. Go to Network Setting > Broadband and select the Broadband tab. 2. Click the “Add new WAN Interface” button to create the data WAN interface. 3. In Add New Interface, give this interface a name (e.g. IPTV) and select the ADSL over ATM interface Type.
  • Page 15 After completion, you will see two new WAN interfaces as shown in the following screenshot.
  • Page 16: IP Multicast Introduction

    IP Multicast Introduction. What is IP Multicast? Traditionally, IP packets are transmitted in two ways: unicast or broadcast. Multicast is a third way to deliver IP packets to a group of hosts. Host groups are identified by class D IP addresses, i.e., those with "1110" as their high-order bits. In dotted decimal notation, host group addresses range from 224.0.0.0 to 239.255.255.255.
  • Page 17: Data Service FTP Downloading Scenario

    your network will be filtered out by the CPE, thus preventing intruders from probing your network. For more information on IP address translation, refer to RFC 1631, The IP Network Address Translator (NAT). How does NAT work? In the following figure, we define the local IP addresses as the Inside Local Addresses (ILA) and the global IP addresses as the Inside Global Addresses (IGA).
  • Page 18 NAT provides system administrators with an easy solution to create a private IP network for security and IP management. Powered by NAT technology, the SBG3300 supports complete NAT mapping and most popular Internet multimedia applications. This functionality is best demonstrated with the NAT port forwarding feature implemented in the CPE.
  • Page 19: Port Forwarding Configuration

    Port Forwarding Configuration a. Create a port forwarding rule for the FTP server. Go to Network Setting> NAT > Port Forwarding and click “add new rule”. Write the Service Name, e.g. “FTP”. Select the WAN Interface, e.g. “ETHWAN”. Enter the Server IP Address, e.g. “192.168.1.33”. Click Apply.
  • Page 20: How To Switch USB Mode From Storage To Modem

    How to switch USB mode from storage to modem. To add a new 3G USB dongle, there are several pieces of information you need to fill in: the Default VID, the Default PID and the Message Content. To obtain this information, plug the 3G USB dongle into the USB port of the SBG3300 and then connect the console cable to the SBG3300.
  • Page 21 The first step is to mount the USB filesystem with the command “mount -t usbfs”. If you see “usbfs on /proc/bus/usb”, this step has succeeded; you can also run the command “mount” to show the mounted filesystems. The second step is to show the USB dongle information with the command “cat /proc/bus/usb/devices”.
  • Page 22 Open a web browser and go to the link below (http://www.draisberghof.de/usb_modeswitch/device_reference.txt). At that link, you can find the message content by searching for DefaultVendor = 0x12d1 and DefaultProduct = 0x1446; the message content found there is 55534243123456780000000000000011060000000000000000000000000000. After gathering all the information, open the web browser again and go to the Broadband > Add New 3G Dongle page.
  • Page 23: File Sharing

    The Driver value has changed to usbserial_generic, which means the procedure for adding a new 3G USB dongle is complete. File Sharing: This feature allows sharing files on a USB memory stick or hard drive connected to the SBG3300 with other users on the network.
  • Page 24 8. Add a new user: Click “Add new user” to add a new user. Enter a Password that follows the required format: at least one numeric character, at least one alphabetic character, and the Password must NOT contain the account User Name. The Password MUST have a minimum length of 6 characters.
  • Page 25 9. Edit user: Click the “Edit” button to edit a user. When changing the Password, you must follow the same format: at least one numeric character, at least one alphabetic character, and the Password must NOT contain the account User Name. The Password MUST have a minimum length of 6 characters.
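The password rules stated for adding (page 24) and editing (page 25) a file-sharing user, as an added example that is not part of the manual and not ZyXEL's own code: a check that reports which of the four rules a candidate password breaks, so an administrator can validate credentials before entering them in the Web GUI. Treating the user-name match as case-insensitive is an assumption; the manual does not say.

```python
import re

MIN_LENGTH = 6  # "minimum length of 6 characters" (pages 24/25)


def check_password(password: str, username: str) -> list:
    """Return the list of rules the password violates; an empty list means it passes.

    Rules, as stated in the SBG3300 support notes:
      1. at least one numeric character
      2. at least one alphabetic character
      3. must not contain the account user name
      4. minimum length of 6 characters
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[0-9]", password):
        problems.append("no numeric character")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no alphabetic character")
    # Assumption: the user-name check is case-insensitive (the manual does not say).
    if username and username.lower() in password.lower():
        problems.append("contains the account user name")
    return problems


def is_acceptable(password: str, username: str) -> bool:
    """Convenience wrapper: True only when no rule is violated."""
    return not check_password(password, username)


if __name__ == "__main__":
    # Constructed sample credentials, not taken from the manual.
    samples = [
        ("share", "abc123"),     # passes
        ("share", "Share99"),    # contains the user name
        ("share", "123456"),     # no alphabetic character
        ("share", "ab1"),        # too short
    ]
    for user, pw in samples:
        verdict = check_password(pw, user) or ["OK"]
        print("%-8s %-10s -> %s" % (user, pw, ", ".join(verdict)))
```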
  • Page 26: QoS Support

    QoS Support Introduction of QoS  Quality of Service (QoS) refers to both a network’s ability to deliver data with minimum delay, and to the networking methods used to control the use of bandwidth. QoS allows the ZyXEL device to group and prioritize application traffic and fine-tune network performance.
  • Page 27 4. Again, click “Add new Queue”, activate the new queue, name it “Dat_IPTV”, set priority to 5 and weight to 8. 5. Click on the “Class Setup” tab to set up QoS Classifiers. 6. Configure the first Class rule for IPTV. Select “Data_IPTV” in “To Queue:”...
  • Page 28 9. Click “Apply”. Now we have completed the Class rule for the IPTV service. 10. Click “Add new Classifier” to add the second class rule. 11. To make sure the Class rules are correctly configured, you can go to Network Setting > QoS > Monitor. Select 5 sec as the refresh interval time, and monitor the ZyXEL device’s QoS packet statistics.
  • Page 29: Wireless Application Notes

    Wireless Application Notes Wireless Introduction WEP Configuration (Wired Equivalent Privacy) Introduction The 802.11 standard describes the communication that occurs in wireless LANs. The Wired Equivalent Privacy (WEP) algorithm is used to protect wireless communication from eavesdropping, because wireless transmissions are easier to intercept than transmissions over wired networks, and wireless is a shared medium.
  • Page 30 WEP has defenses against the playback attack. To avoid producing two ciphertexts with the same key stream, an Initialization Vector (IV) is used to augment the shared WEP key (secret key) and produce a different RC4 key for each packet.
  • Page 31 Setting up the Access Point Most access points and clients have the ability to hold up to 4 WEP keys simultaneously. You need to specify one of the 4 keys as the default Key for data encryption. To set up the Access Point, you will need to set one of the following parameters: 64-bit WEP key (secret key) with 5 characters.
  • Page 32 characteristics, and of preventing access to that port if the authentication process fails. IEEE 802.1x authentication is a client-server architecture delivered using EAPOL (Extensible Authentication Protocol over LAN). The authentication server authenticates each client connected to an Access Point (for Wireless LAN) or switch port (for Ethernet) before it can access any services offered by the Wireless AP.
  • Page 33 2. Supplicant: The station (i.e. Wireless client) that is being authenticated by an authenticator attached to the Wireless network. The supplicant requests access to the LAN services and responds to the requests from the authenticator. The station must be running 802.1x-compliant client software, such as that offered in the Microsoft Windows XP operating system, Meeting House AEGIS 802.1x client or Odyssey 802.1x client.
  • Page 34 When 802.1x is enabled, the authenticator controls the port authorization state using the following control parameters. The following three authentication control parameters are applied in the Wireless AP. 1. Force Authorized: Disables 802.1x and causes the port to transition to the authorized state without any authentication exchange required.
  • Page 35 set to Auto, only wireless clients that support an 802.1x client can access the network. Re-Authentication: The administrator can enable periodic 802.1x client re-authentication and specify how often it occurs. When the re-authentication timer runs out, the authenticator sends an EAP-Request/Identity to reinitiate the authentication process.
  • Page 36 The Wireless AP only supports the MD5-Challenge authentication mechanism, but will support TLS and TTLS in the future. EAPOL Exchange between 802.1x Authenticator and Supplicant: Either the authenticator or the supplicant can initiate authentication. If you enable 802.1x authentication on the Wireless AP, the authenticator must initiate authentication when it determines that the wireless link state has transitioned from down to up.
  • Page 37 The EAPOL packet contains the following fields: protocol version, packet type, packet body length, and packet body. Most of the fields are obvious. The packet type can have four different values and these values are described as follows:...
  • Page 38 EAP-Packet: Both the supplicant and the authenticator send this packet while authentication is taking place. This is the packet that contains either the MD5-Challenge or TLS information required for authentication. EAPOL-Start: The supplicant sends this packet when it wants to initiate the authentication process.
  • Page 39: Wireless Configuration

    implementation of the ratified IEEE 802.11i standard. WPA2 implements the National Institute of Standards and Technology (NIST) recommendation, whose security is higher than WPA's, as it introduces an AES-based algorithm, Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), and offers stronger encryption than WPA's TKIP.
  • Page 40 You can choose to “Generate password automatically”. Click Apply. View all the available wireless networks on your notebook (802.11bg wireless NIC required):...
  • Page 41 Enter the WPA-PSK pre-shared key. We can see that the notebook is now connected to the WLAN interface of the SBG3300. b. Wireless Setup Hiding the SSID. Go to Network Setting > Wireless LAN > General. Check the Enable Wireless LAN box. Enter the Wireless Network Name (SSID), e.g.
  • Page 42 Select the Security Mode, e.g. “WPA2-PSK”. Enter the Pre-Shared Key, e.g. “E3617BF1AC”. Click Apply. View all the available wireless networks on your notebook: As we can see, we cannot find the SSID “TEST_01”. To connect to “TEST_01”, we need to configure the “Wireless Network Connection Properties”...
  • Page 43 Go to the “Connection” tab and check “Connect when this network is in range” checkbox. We can then see the notebook connects to the “TEST_01”, even though the SSID is not displayed in the broadcast network list.
  • Page 44: Virtual Private Network Application Notes

    Virtual Private Network Application Notes What is a Virtual Private Network? VPN stands for ‘Virtual Private Network’. In the past, when we needed to transmit data in a secure way, we would need to have a site-to-site leased line between the sites. This incurred very high costs for installing the lines. A VPN gives users a secure way to access corporate network resources over the Internet or other public or private networks without the expense of leasing site-to-site lines.
  • Page 45: IPSec VPN Configuration

    L2TP/IPSec VPN Overview The Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs). However, it does not provide any encryption or confidentiality by itself; it relies on an encryption protocol that it passes within the tunnel to provide privacy.
  • Page 46 Check the “Enable” box for IPSec VPN. Select the scenario that best describes your intended VPN connection. Site-to-site - Choose this if the remote IPSec router has a static IP address or a domain name. This SP Gateway can initiate the VPN tunnel. Site-to-site with Dynamic Peer - Choose this if the remote IPSec router has a dynamic IP address.
  • Page 47 Click the “Apply” button. Download the GreenBow VPN Client version 4.7 and install it on your PC. Note: GreenBow VPN Client v5.0 will sometimes become unresponsive and a reboot of the PC is required for the client to work again, so we recommend using version 4.7.
  • Page 48: L2TP VPN Configuration

    Click “Monitor” to check the VPN status. L2TP VPN configuration: Go to VPN > L2TP VPN. Check the “Enable” box for L2TP.
  • Page 49: PPTP VPN Overview

    PPTP VPN Overview The Point-to-Point Tunneling Protocol (PPTP) is a method for implementing VPN. It allows a user to create a secure VPN connection remotely to the local networks. The intended use of this protocol is to provide similar levels of security and remote access as typical VPN products.
  • Page 50 Go to VPN > PPTP VPN. Check the “Enable” box for PPTP VPN. Use the Windows 7 built-in PPTP VPN client: Go to Start and click on Control Panel. Click View network status. The Network and Sharing Center window will appear; click on Set up a new connection or network.
  • Page 51 Set up a Connection or Network window appears. Choose Connect to a workplace option and click Next. Proceed to click on Use my Internet connection (VPN) (your computer should be connected to the network).
  • Page 52 Fill in the IP address or host name of the VPN server computer that you plan to connect to and also name the connection. Click Next.
  • Page 53 Type your VPN user name and password, then click on Create. Click on Connect now to establish the VPN connection if you are ready. If not, click Close and connect later. If you click on the network icon (right-hand corner of the taskbar area), you will notice that a new VPN connection item has been created, and you can click Connect to establish the VPN connection.
  • Page 54: WPS Application Notes

    WPS Application Notes What is WPS? Wi-Fi Protected Setup (WPS) is a standard created by the Wi-Fi Alliance for easy and secure establishment of a wireless home/office network. The goal of the WPS protocol is to simplify the process of configuring the security of the wireless network, and thus is called Wi-Fi Protected Setup.
  • Page 55: WPS Configuration

    PBC Method: A simple action of “pushing a button” suffices to activate the security of the wireless network and at the same time enroll the device in it. WPS configuration: a. WPS Setup. Go to Network Setting > Wireless > WPS. Check the “Enable”...
  • Page 56: Maintenance Log

    Maintenance Log Internal Maintenance The SBG3300 has the ability to record the events occurring in the CPE in a system log (according to the severity) and maintain this log in itself. a. Activate the Maintenance Log. Go to Maintenance > Log setting. Select “Enable”...
  • Page 57 b. View the log in the Web GUI. Go to System Monitor > Log.
  • Page 58: Maintenance Tools

    Maintenance Tools Maintenance Procedure a. Upgrading Firmware. Go to Maintenance > Firmware Upgrade. Click “Browse”. Select the Firmware to upload and click “Open”. Click “Upload”.
  • Page 59 b. Backing-up the Configuration. Go to Maintenance > Backup/Restore. Click “Backup”. Click “Save”. Select the directory to save the configuration file and click “Save”.
  • Page 60 c. Upload Configuration. Go to Maintenance > Tools > Configuration. Click “Browse”. Select the configuration file to upload and click Open.
  • Page 61: Product FAQ

    Product FAQ Will the device work with my Internet connection? SBG3300 is designed to be compatible with major ISPs that utilize ADSL as a broadband service. SBG3300 offers Ethernet ports to connect to your computer so the device is placed in the line between the computer and your ISP. If your ISP supports PPPoE you can also use the device, because PPPoE is supported by the device.
  • Page 62: Does The Device Support PPPoE

    Does the device support PPPoE? Yes. The device supports PPPoE. How do I know I am using PPPoE? PPPoE requires a user account to log in to the provider's server. If you need to configure a user name and password on your computer to connect to the ISP you are probably using PPPoE.
  • Page 63: What Can We Do With The Device

    What can we do with the device? Browse the World Wide Web (WWW), send and receive individual e-mail, and download software. These are just a few of many benefits you can enjoy when you put the whole office on-line with the device. Does the device support dynamic IP addressing? The device supports either a static or dynamic IP address from the ISP.
  • Page 64: How Do I Use The Reset Button, And What Parameters Will Be Reset By The Reset Button

    How do I use the reset button, and what parameters will be reset by the reset button? You can use a blunt pointed object (e.g. paperclip) and insert it into the little reset button hole beside the power connector. Press down the reset button and hold down for approx.
  • Page 65: What Is BOOTP/DHCP

    When NAT is enabled, the local computers are not accessible from outside. You can use Multi-NAT to make an internal server accessible from outside. b. Support Non-NAT Friendly Applications: Some servers providing Internet applications, such as some IRC servers, do not allow users to log in using the same IP address.
  • Page 66: When Do I Need DDNS Service

    When do I need DDNS service? When you want your internal server to be accessed by DNS name rather than by its dynamic IP address, you can use the DDNS service. The DDNS server allows you to alias a dynamic IP address to a static hostname. Whenever the ISP assigns you a new IP, the device sends this IP to the DDNS server to update its records.
  • Page 67: Wireless FAQ

    Wireless FAQ What is a Wireless LAN? Wireless LANs provide all the functionality of wired LANs, without the need for physical connections (wires). Data is modulated onto a radio frequency carrier and transmitted through the ether. Typical bit-rates are 11 Mbps and 54 Mbps, although in practice data throughput is half of this.
  • Page 68: What Are The Disadvantages Of Wireless LANs

    of specific applications and installations. Configurations are easily changed and range from peer-to-peer networks suitable for a small number of users to full infrastructure networks of thousands of users that enable roaming over a broad area. What are the disadvantages of Wireless LANs? The speed of Wireless LANs is still slower than that of wired LANs.
  • Page 69: What Is 802.11b

    The IEEE 802.11 is a wireless LAN industry standard, and the objective of IEEE 802.11 is to make sure that different manufacturers' wireless LAN devices can communicate with each other. 802.11 provides 1 or 2 Mbps transmission data rates in the 2.4 GHz ISM band using either FHSS or DSSS modulation.
  • Page 70: What Is 802.11g

    What is 802.11g? 802.11g is an extension of 802.11b. 802.11g increases 802.11b's data rates to 54 Mbps and still utilizes the 2.4 GHz ISM band. Modulation is based upon OFDM (orthogonal frequency division multiplexing) technology. An 802.11b radio card will interface directly with an 802.11g access point (and vice versa) at 11 Mbps or lower depending on range.
  • Page 71: What Types Of Devices Use The 2.4 GHz Band

    certified, that means that it will work (interoperate) with any brand of Access Point that is also Wi-Fi certified. What types of devices use the 2.4 GHz Band? Various spread spectrum radio communication applications use the 2.4 GHz band. This includes WLAN systems (not necessarily of the type IEEE 802.11b), cordless phones, wireless medical telemetry equipment and Bluetooth™...
  • Page 72: What Are Potential Factors That May Cause Interference For WLAN Products

    What are potential factors that may cause interference for WLAN products? Factors of interference: 1. Obstacles: walls, ceilings, furniture… etc. 2. Building Materials: metal doors, aluminum studs. 3. Electrical devices: microwaves, monitors, electric motors. Solution: 1. Minimize the number of walls and ceilings between clients and APs. 2.
  • Page 73: What Is Infrastructure Mode

    What is Infrastructure mode? Infrastructure mode implies connectivity to a wired communications infrastructure. If such connectivity is required the Access Points must be used to connect to the wired LAN backbone. Wireless clients have their configurations set for "infrastructure mode" in order to utilize access points for relaying data. How many Access Points are required in a given area? This depends on the surrounding terrain, the diameter of the client population, and the number of clients.
  • Page 74: Do I Need The Same Kind Of Antenna On Both Sides Of A Link

    their hopping sequences synchronized to create the effect of a single "logical channel". To an unsynchronized receiver an FHSS transmission appears to be short-duration impulse noise. 802.11 may use FHSS or DSSS. Do I need the same kind of antenna on both sides of a link? No.
  • Page 75: How Do I Secure The Data Across An Access Point's Radio Link

    ESSID stands for Extended Service Set Identifier and identifies the wireless LAN. The ESSID of the mobile device must match the ESSID of the AP to communicate with the AP. The ESSID is a string of up to 32 characters and is case-sensitive. How do I secure the data across an Access Point's radio link? Enable Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA) to encrypt...
  • Page 76: What Is A WEP Key

    What is a WEP key? A WEP key is a user defined string of characters used to encrypt and decrypt data. Can the SSID be encrypted? WEP, the encryption standard for 802.11, only encrypts the data packets, not the 802.11 management packets; however, the SSID is in the beacon and probe management messages.
  • Page 77: What Is A Wireless Sniffer

    What is a Wireless Sniffer? An attacker can sniff and capture legitimate traffic. Many of the sniffer tools for Ethernet are based on capturing the first part of the connection session, where the data would typically include the username and password. An intruder can masquerade as that user by using this captured information.
  • Page 78: What Is AAA

    required, No access allowed and Authentication required? No authentication required—disables 802.1X and causes the port to transition to the authorized state without any authentication exchange required. The port transmits and receives normal traffic without 802.1X-based authentication of the client. No access allowed—causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate.
  • Page 79: What Is WPA

    What is WPA? WPA (Wi-Fi Protected Access) is a subset of the IEEE 802.11i security specification draft. The key differences between WPA and WEP are user authentication and improved data encryption. What is WPA-PSK? WPA-PSK (Wi-Fi Protected Access Pre-Shared Key) can be used if users do not have a RADIUS server but still want to benefit from WPA security, because WPA-PSK only requires a single password to be entered on the wireless AP/gateway and the wireless client.
