ZyXEL Communications ZyAIR User Manual

Wireless gateway series

ZyAIR
Wireless Gateway Series
User's Guide
Version 3.50
July 2003

Summary of Contents for ZyXEL Communications ZyAIR

  • Page 1 ZyAIR Wireless Gateway Series User's Guide Version 3.50 July 2003...
  • Page 2 Trademarks ZyNOS (ZyXEL Network Operating System) is a registered trademark of ZyXEL Communications, Inc. Other trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners.
  • Page 3 ZyAIR Wireless Gateway Series User’s Guide Federal Communications Commission (FCC) Interference Statement This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: • This device may not cause harmful interference. • This device must accept any interference received, including interference that may cause undesired operations.
  • Page 4: Zyxel Limited Warranty

    ZyAIR Wireless Gateway Series User’s Guide ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and...
  • Page 5: Customer Support

    ZyAIR Wireless Gateway Series User’s Guide Customer Support Please have the following information ready when you contact customer support. • Product model and serial number. • Warranty Information. • Date that you received your device. • Brief description of the problem and the steps you took to solve it.
  • Page 6: Table Of Contents

    Customer Support............................v List of Figures ............................... xv List of Tables ..............................xxi Preface ................................ xxiv OVERVIEW..............................I Chapter 1 Getting to Know Your ZyAIR....................1-1 Introducing the ZyAIR Wireless Gateway Series ..............1-1 ZyAIR Features..........................1-1 Application for the ZyAIR......................1-6 1.3.1 Internet Access Application ....................1-6 Chapter 2 Introducing the Web Configurator ..................2-1...
  • Page 7 System Overview ........................4-1 Configuring General Setup......................4-1 Dynamic DNS ..........................4-2 4.3.1 DYNDNS Wildcard ......................4-3 Configuring Dynamic DNS......................4-3 Configuring Password ........................4-4 Configuring Time Setting......................4-5 Chapter 5 LAN Screens ..........................5-1 LAN Overview...........................5-1 LANs and WANs ........................5-1 5.2.1 LANs, WANs and the ZyAIR ....................5-1...
  • Page 8 7.11 Configuring RADIUS ......................7-14 WAN................................III Chapter 8 WAN Screens ..........................8-1 WAN Overview .........................8-1 Configuring WAN ISP.......................8-1 8.2.1 Ethernet Encapsulation ......................8-1 8.2.2 PPPoE Encapsulation......................8-3 8.2.3 PPTP Encapsulation......................8-5 TCP/IP Priority (Metric) ......................8-6 Configuring WAN IP.........................8-7 Configuring WAN MAC ......................8-10 SUA/NAT AND STATIC ROUTE .......................IV...
  • Page 9 11.5 Stateful Inspection........................11-7 Chapter 12 Firewall Screens ........................12-1 12.1 Access Methods ........................12-1 12.2 Firewall Policies Overview ......................12-1 12.3 Rule Logic Overview .......................12-2 12.3.1 Rule Checklist ........................12-2 12.3.2 Security Ramifications .....................12-2 12.3.3 Key Fields For Configuring Rules ...................12-3 12.4 Connection Direction Examples....................12-3...
  • Page 10 16.6.3 Back to Factory Defaults....................16-13 SMT GETTING STARTED MENUS.......................VIII Chapter 17 Introducing the SMT ......................17-1 17.1 Connect to your ZyAIR Using Telnet..................17-1 17.2 Connect to Your ZyAIR Using the Console Port..............17-1 17.2.1 Initial Screen ........................17-2 17.2.2 Entering Password ......................17-2 17.3 Changing the System Password ....................17-2 17.4 ZyAIR SMT Menu Overview Example...................17-3...
  • Page 11 19.1.1 General Ethernet Port Filter Setup ...................19-1 19.2 TCP/IP Ethernet and DHCP Setup...................19-2 19.3 IP Alias.............................19-4 19.3.1 IP Alias Setup........................19-5 19.4 Wireless LAN Setup ........................19-6 19.4.1 Configuring MAC Address Filter..................19-9 19.4.2 Configuring Roaming on the ZyAIR................19-11 Chapter 20 Internet Access ........................20-1...
  • Page 12 28.2.6 Backup Configuration Using TFTP .................28-5 28.2.7 TFTP Command Example ....................28-5 28.2.8 GUI-based TFTP Clients ....................28-5 28.2.9 Backup Via Console Port (only for ZyAIR B-2000) ............28-6 28.3 Restore Configuration......................28-7 28.3.1 Restore Using FTP......................28-8 28.3.2 Restore Using FTP Session Example................28-9 28.3.3 Restore Via Console Port (only for ZyAIR B-2000) ............28-9...
  • Page 13 28.4.7 Uploading Via Console Port (only for ZyAIR B-2000) ..........28-13 28.4.8 Uploading Firmware File Via Console Port (only for ZyAIR B-2000) ......28-14 28.4.9 Example Xmodem Firmware Upload Using HyperTerminal.........28-14 28.4.10 Uploading Configuration File Via Console Port (only for ZyAIR B-2000)....28-15 28.4.11 Example Xmodem Configuration Upload Using HyperTerminal........28-15...
  • Page 14 Appendix E Wireless LAN With IEEE 802.1x ..................E-1 Appendix F Types of EAP Authentication ....................F-1 Appendix G Antenna Selection and Positioning Recommendation ............G-1 Appendix H PPPoE.............................H-1 Appendix I PPTP ............................I-1 Appendix J IP Subnetting ...........................J-1 Appendix K Command Interpreter......................K-1...
  • Page 15: List Of Figures

    Figure 6-5 Wireless ............................6-6 Figure 6-6 Roaming Example ........................6-8 Figure 6-7 Roaming ............................6-9 Figure 7-1 ZyAIR Wireless Security Levels ....................7-1 Figure 7-2 WEP Authentication Steps......................7-2 Figure 7-3 Wireless ............................7-3 Figure 7-4 MAC Address Filter ........................7-6 Figure 7-5 EAP Authentication ........................
  • Page 16 Figure 9-1 How NAT Works...........................9-3 Figure 9-2 NAT Application with IP Alias......................9-4 Figure 9-3 Multiple Servers Behind NAT Example..................9-7 Figure 9-4 SUA/NAT Setup..........................9-8 Figure 9-5 Address Mapping ........................9-10 Figure 9-6 Address Mapping Rule........................9-11 Figure 10-1 Example of Static Routing Topology ..................10-1 Figure 10-2 IP Static Route Summary ......................10-2...
  • Page 17 Figure 17-2 Login Screen ..........................17-2 Figure 17-3 Menu 23.1 System Security : Change Password ..............17-3 Figure 17-4 ZyAIR B-2000 v.2 SMT Menu Overview Example..............17-4 Figure 17-5 ZyAIR B-2000 v.2 SMT Main Menu ..................17-6 Figure 18-1 Menu 1 General Setup ......................18-2 Figure 18-2 Menu 1.1 Configure Dynamic DNS ..................
  • Page 18 Figure 23-4 Menu 15.1 Address Mapping Sets.....................23-3 Figure 23-5 Menu 15.1.255 SUA Address Mapping Rules ................23-4 Figure 23-6 Menu 15.1.1 Address Mapping Rules ..................23-5 Figure 23-7 Menu 15.1.1.1 Address Mapping Rule..................23-6 Figure 23-8 Menu 15.2 Port Forwarding Setup ....................23-9 Figure 23-9 NAT Example 1........................23-10...
  • Page 19 Figure 27-3 Menu 24.2 System Information and Console Port Speed............27-3 Figure 27-4 Menu 24.2.1 System Maintenance : Information ..............27-3 Figure 27-5 Menu 24.2.2 System Maintenance : Change Console Port Speed ..........27-4 Figure 27-6 Menu 24.3 System Maintenance : Log and Trace ..............
  • Page 21: List Of Tables

    List of Tables Table 1-1 Model Specific Features......................... 1-1 Table 3-1 Wizard 1: General Setup ........................ 3-3 Table 3-2 Wizard 2: Wireless LAN Setup ...................... 3-4 Table 3-3 Wizard 3: Ethernet Encapsulation....................3-6 Table 3-4 Wizard 3: PPTP Encapsulation ...................... 3-8 Table 3-5 Wizard 3: PPPoE Encapsulation ....................
  • Page 22 Table 16-1 System Status..........................16-2 Table 16-2 System Status: Show Statistics ....................16-3 Table 16-3 DHCP Table ..........................16-4 Table 16-4 Association List ..........................16-5 Table 16-5 Channel Usage (ZyAIR B-2000) ....................16-6 Table 16-6 Channel Usage ..........................16-7 Table 16-7 Firmware Upgrade ........................16-9 Table 16-8 Restore Configuration.......................16-12 Table 17-1 Main Menu Commands ......................17-5...
  • Page 23 Table 21-3 Menu 12.1 Edit IP Static Route....................21-8 Table 22-1 Menu 14.1- Edit Dial-in User..................... 22-2 Table 23-1 Applying NAT in Menus 4 & 11.3 ..................... 23-2 Table 23-2 Menu 15.1.255 SUA Address Mapping Rules ................23-4 Table 23-3 Menu 15.1.1 Address Mapping Rules ..................
  • Page 24: Preface

    Features table in Chapter 1 of this user’s guide to see what features are specific to your ZyAIR model. This User’s Guide is designed to guide you through the configuration of your ZyAIR using the web configurator or the SMT.
  • Page 25 • The ZyAIR Wireless Gateway series may be referred to simply as the ZyAIR in the user’s guide. User Guide Feedback Help us help you. E-mail all User Guide-related comments, questions or suggestions for improvement to techwriters@zyxel.com.tw or send regular mail to The Technical Writing Team, ZyXEL Communications...
  • Page 27: Overview

    Overview Part I: OVERVIEW This part introduces the main features and applications of the ZyAIR and shows how to access the web configurator and use the Wizard to configure for Internet Access.
  • Page 29: Chapter 1 Getting To Know Your Zyair

    ZyAIR Features The following sections describe the features of the ZyAIR Wireless Gateway series. Features vary by ZyAIR model. This table lists the differences between models; it does not include features that are common to all of the ZyAIR models.
  • Page 30: Reset Button

    A combination of switch and router makes your ZyAIR a cost-effective and viable network solution. You can connect up to four computers to the LAN ports on your ZyAIR without the cost of a hub. 10/100M Auto-negotiating Ethernet/Fast Ethernet Interface This auto-negotiating feature allows the ZyAIR to detect the speed of incoming transmissions and adjust appropriately without manual intervention.
  • Page 31 ZyAIR LED The blue ZyAIR LED (also known as the Breathing LED) is on when the ZyAIR is on and blinks (or breathes) when data is being transmitted to/from its wireless stations. You may use the web configurator to turn this LED off even when the ZyAIR is on and data is being transmitted/received.
  • Page 32: Dynamic Dns Support

    ADSL. The PPPoE driver on the ZyAIR is transparent to the computers on the LAN, which see only Ethernet and are not aware of PPPoE thus saving you from having to manage PPPoE clients on individual computers.
  • Page 33 It can assign IP addresses, an IP default gateway and DNS servers to DHCP clients. The ZyAIR also acts as a surrogate DHCP server (DHCP Relay) where it relays IP address assignment from the actual real DHCP server to the clients.
  • Page 34: Application For The Zyair

    Wireless LAN Channel Usage The Wireless Channel Usage displays whether the radio channels are used by other wireless devices within the transmission range of the ZyAIR. This allows you to select the channel with minimum interference for your ZyAIR. Application for the ZyAIR Here is an application example of what you can do with your ZyAIR.
  • Page 35: Figure 1-1 Internet Access Application Example

    Figure 1-1 Internet Access Application Example Getting to Know Your ZyAIR...
  • Page 37: Chapter 2 Introducing The Web Configurator

    Web Configurator Overview The web configurator makes it easy to configure and manage the ZyAIR. The screens you see in the web configurator may vary somewhat from the ones shown in this document due to differences between individual ZyAIR models or firmware versions.
  • Page 38: Resetting The Zyair

    If you forget your password or cannot access the ZyAIR, you will need to reload the factory-default configuration file or use the RESET button on the side panel of the ZyAIR. Uploading this configuration file replaces the current configuration file with the factory-default configuration file. This means that you will lose all configurations that you had previously and the speed of the console port will be reset to the default of 9600bps with 8 data bits, no parity, one stop bit and flow control set to none.
  • Page 39: Uploading A Configuration File Via Console Port

    This method is only applicable to ZyAIR models with a console port, such as the ZyAIR B-2000. Step 1. Download the default configuration file from the ZyAIR FTP site, unzip it and save it in a folder. Step 2. Turn off the ZyAIR, begin a terminal emulation software session and turn on the ZyAIR again.
  • Page 40: Navigating The Zyair Web Configurator

    Navigating the ZyAIR Web Configurator The following summarizes how to navigate the web configurator from the MAIN MENU screen. The screen may vary slightly between ZyAIR models. Follow the instructions you see in the MAIN MENU screen or click the icon (located in the top right corner of most screens) to view online help.
  • Page 41: Chapter 3 Wizard Setup

    Wizard Setup This chapter provides information on the Wizard Setup screens in the web configurator. Wizard Setup Overview The web configurator’s setup wizard helps you configure your ZyAIR for Internet access and set up wireless LAN. 3.1.1 Channel The range of radio frequencies used by IEEE 802.11b wireless devices is called a “channel”. Channels available depend on your geographical area.
  • Page 42: Wizard Setup: General Setup

    Wizard Setup: General Setup General Setup contains administrative and system-related information. Figure 3-1 Wizard 1: General Setup The following table describes the labels in this screen. Wizard Setup...
  • Page 43: Wizard Setup: Wireless Lan Setup

    Table 3-1 Wizard 1: General Setup LABEL DESCRIPTION System Name It is recommended you type your computer's "Computer name". Some ISPs check this name; you should enter your computer's "Computer Name". In Windows 95/98 click Start, Settings, Control Panel, Network. Click the Identification tab, note the entry for the Computer Name field and enter it as the System Name.
  • Page 44: Figure 3-2 Wizard 2: Wireless Lan Setup

    ESSID Enter a descriptive name (up to 32 printable 7-bit ASCII characters) for the wireless LAN. If you change this field on the ZyAIR, make sure all wireless stations use the same ESSID in order to access the network. Choose To manually set the ZyAIR to use a channel, select a channel from the drop-down list box.
  • Page 45: Wizard Setup: Isp Parameters

    Select this option to enter hexadecimal characters as the WEP keys. The preceding “0x” is entered automatically. Key 1 to Key 4 The WEP keys are used to encrypt data. Both the ZyAIR and the wireless stations must use the same WEP key for data transmission.
  • Page 46: Figure 3-3 Wizard 3: Ethernet Encapsulation

    Figure 3-3 Wizard 3: Ethernet Encapsulation The following table describes the labels in this screen. Table 3-3 Wizard 3: Ethernet Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
  • Page 47: Pptp Encapsulation

    Password Type the password associated with the username above. Login Server IP The ZyAIR will find the Roadrunner Server IP if this field is left blank. If it does not, Address then you must enter the authentication server IP address.
  • Page 48: Figure 3-4 Wizard 3: Pptp Encapsulation

    Figure 3-4 Wizard 3: PPTP Encapsulation The following table describes the labels in this screen. Table 3-4 Wizard 3: PPTP Encapsulation LABEL DESCRIPTION ISP Parameters for Internet Access Encapsulation Select PPTP from the drop-down list box.
  • Page 49: Pppoe Encapsulation

    By implementing PPPoE directly on the ZyAIR (rather than individual computers), the computers on the LAN do not need PPPoE software installed, since the ZyAIR does that part of the task. Furthermore, with NAT, all of the LAN's computers will have Internet access.
  • Page 50: Figure 3-5 Wizard 3: Pppoe Encapsulation

    Figure 3-5 Wizard 3: PPPoE Encapsulation The following table describes the labels in this screen. Table 3-5 Wizard 3: PPPoE Encapsulation LABEL DESCRIPTION ISP Parameter for Internet Access Encapsulation Choose an encapsulation method from the pull-down list box. PPPoE forms a dial-up connection.
  • Page 51: Wizard Setup: Wan And Dns

    Select Nailed Up Connection if you do not want the connection to time out. Nailed Up Connection Idle Timeout Type the time in seconds that elapses before the ZyAIR automatically disconnects from the PPPoE server. Next Click Next to continue.
  • Page 52: Ip Address And Subnet Mask

    Once you have decided on the network number, pick an IP address that is easy to remember, for instance, 192.168.1.1, for your ZyAIR, but make sure that no other device on your network is using that IP address. The subnet mask specifies the network number portion of an IP address. Your ZyAIR will compute the subnet mask automatically based on the IP address that you entered.
  • Page 53: Wan Mac Address

    ISP does not require MAC address authentication. Your ZyAIR WAN port is always set at half-duplex mode as most cable/DSL modems only support half-duplex mode. Make sure your modem is in half-duplex mode. Your ZyAIR supports full duplex mode on the LAN side.
  • Page 54: Figure 3-6 Wizard 4: Wan And Dns

    Figure 3-6 Wizard 4: WAN and DNS The following table describes the labels in this screen. Table 3-8 Wizard 4: WAN and DNS LABEL DESCRIPTION WAN IP Address Assignment Get automatically from Select this option if your ISP did not assign you a fixed IP address. This is the default selection.
  • Page 55: Basic Setup Complete

    Click Finish to complete and save the wizard setup. If you are currently using a wireless (LAN) adapter to access this ZyAIR and you made changes to the ESSID, then you will need to make the same changes to your wireless (LAN) adapter after you click the Finish button.
  • Page 56: Figure 3-7 Setup Complete

    Figure 3-7 Setup Complete Well done! You have successfully set up your ZyAIR to operate on your network and access the Internet. 3-16 Wizard Setup...
  • Page 57: System, Lan And Wireless

    System, LAN and Wireless Part II: SYSTEM, LAN AND WIRELESS This part discusses the System, LAN, and Wireless setup screens.
  • Page 59: Chapter 4 System Screens

    Chapter 4 System Screens This chapter provides information on the System screens. System Overview This section provides information on general system setup. Configuring General Setup Click ADVANCED and then SYSTEM to open the General screen.
  • Page 60: Dynamic Dns

    System DNS Servers First DNS Server Select From ISP if your ISP dynamically assigns DNS server information (and the ZyAIR's WAN IP address). The field to the right displays the (read-only) DNS server IP Second DNS address that the ISP assigns.
  • Page 61: Dyndns Wildcard

    If you have a private WAN IP address, then you cannot use Dynamic DNS. Configuring Dynamic DNS To change your ZyAIR’s DDNS, click ADVANCED, SYSTEM and then the DDNS tab. The screen appears as shown. Figure 4-2 DDNS...
  • Page 62: Configuring Password

    The screen appears as shown. This screen allows you to change the ZyAIR’s password. If you forget your password (or the ZyAIR IP address), you will need to reset the ZyAIR or upload the default configuration file via console port (on ZyAIR B-2000 only). See the Resetting the ZyAIR section for details.
  • Page 63: Configuring Time Setting

    Configuring Time Setting To change your ZyAIR’s time and date, click ADVANCED, SYSTEM and then the Time Setting tab. The screen appears as shown. Use this screen to configure the ZyAIR’s time based on your local time zone. System Screens...
  • Page 64: Figure 4-4 Time Setting

    Select the time service protocol that your time server sends when you turn on the ZyAIR. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.
  • Page 65 (the default is tick.stdtime.gov.tw). Current Time This field displays the time of your ZyAIR. (hh:mm:ss) Each time you reload this page, the ZyAIR synchronizes the time with the time server. New Time This field displays the last updated time from the time server.
  • Page 67: Chapter 5 Lan Screens

    5.2.1 LANs, WANs and the ZyAIR The actual physical connection determines whether the ZyAIR ports are LAN or WAN ports. There are two separate IP networks: one inside (the LAN network) and one outside (the WAN network), as shown next: Figure 5-1 LAN &...
  • Page 68: Dhcp Setup

    DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the ZyAIR as a DHCP server or disable it. When configured as a server, the ZyAIR provides the TCP/IP configuration for the clients. If set to None, DHCP service will be disabled and you must have another DHCP server on your LAN, or else the computer must be manually configured.
  • Page 69: Multicast

    (including gateways). All hosts must join the 224.0.0.1 group in order to participate in IGMP. The address 224.0.0.2 is assigned to the multicast routers group. The ZyAIR supports both IGMP version 1 (IGMP-v1) and IGMP version 2 (IGMP-v2). At start up, the ZyAIR queries all directly connected networks to gather group membership. After that, the ZyAIR periodically updates this information.
  • Page 70: Figure 5-2 Ip

    DHCP Setup (refer to your User's Guide for background information) DHCP Server Select this option to allow your ZyAIR to assign IP addresses, an IP default gateway and DNS servers to Windows 95, Windows NT and other systems that support the DHCP client.
  • Page 71 (read-only). The ZyAIR tells the DHCP clients on the LAN that the ZyAIR itself is the DNS server. When a computer on the LAN sends a DNS query to the ZyAIR, the ZyAIR forwards the query to the ZyAIR's system DNS server (configured in the SYSTEM General screen) and relays the response back to the computer.
  • Page 72 Table 5-1 IP LABEL DESCRIPTION Reset Click Reset to reload the previous configuration for this screen. LAN Screens...
  • Page 73: Chapter 6 Wireless Configuration And Roaming

    Chapter 6 Wireless Configuration and Roaming This chapter discusses how to configure the Wireless and Roaming screens on the ZyAIR. Wireless LAN Overview This section introduces the wireless LAN (WLAN) and some basic scenarios. 6.1.1 IBSS An Independent Basic Service Set (IBSS), also called an Ad-hoc network, is the simplest WLAN configuration.
  • Page 74: Ess

    Figure 6-2 Basic Service set 6.1.3 ESS An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS).
  • Page 75: Wireless Lan Basics

    Figure 6-3 Extended Service Set Wireless LAN Basics Refer also to the Wizard Setup chapter for more background information on Wireless LAN features, such as channels. 6.2.1 RTS/CTS A hidden node occurs when two stations are within range of the same access point, but are not within range of each other.
  • Page 76: Fragmentation Threshold

    Figure 6-4 RTS/CTS When station A sends data to the ZyAIR, it might not know that station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations.
  • Page 77: Configuring Wireless

    RTS/CTS size. Configuring Wireless If you are configuring the ZyAIR from a computer connected to the wireless LAN and you change the ZyAIR’s ESSID or WEP settings, you will lose your wireless connection when you press Apply to confirm. You must then change the wireless settings of your computer to match the ZyAIR’s new settings.
  • Page 78: Figure 6-5 Wireless

    Figure 6-5 Wireless The following table describes the general wireless LAN labels in this screen. Table 6-1 Wireless LABEL DESCRIPTION Enable Click the check box to activate wireless LAN. Wireless LAN Wireless Configuration and Roaming...
  • Page 79: Configuring Roaming

    Set the operating frequency/channel depending on your particular region. Channel ID To manually set the ZyAIR to use a channel, select a channel from the drop-down list box. Click MAINTENANCE, WIRELESS and then the Channel Usage tab to open the Channel Usage screen to make sure the channel is not already used by another AP or independent peer-to-peer wireless network.
  • Page 80: Figure 6-6 Roaming Example

    In a network environment with multiple access points, wireless stations are able to switch from one access point to another as they move between the coverage areas. This is roaming. As the wireless station moves from place to place, it is responsible for choosing the most appropriate access point depending on the signal strength, network utilization or other factors.
  • Page 81: Requirements For Roaming

    LABEL DESCRIPTION Active Select Yes from the drop-down list box to enable roaming on the ZyAIR if you have two or more ZyAIRs on the same subnet. All APs on the same subnet and the wireless stations must have the same ESSID to allow roaming.
  • Page 82 APs. The default is 16290. Make sure this port is not used by other services. Apply Click Apply to save your changes back to the ZyAIR. Reset Click Reset to reload the previous configuration for this screen.
  • Page 83: Chapter 7 Wireless Security

    WEP provides a mechanism for encrypting data using encryption keys. Both the AP and the wireless stations must use the same WEP key to encrypt and decrypt data. Your ZyAIR allows you to configure up to four 64-bit or 128-bit WEP keys, but only one key can be enabled at any one time.
  • Page 84: Authentication

    7.2.2 Authentication Three different methods can be used to authenticate wireless stations to the network: Open System, Shared Key, and Auto. The following figure illustrates the steps involved. Authentication Access Point Wireless Station Open System Authentication...
  • Page 85: Configuring Wep Encryption

    The same is true for shared key authentication. However, when it is set to auto authentication, the ZyAIR will accept either type of authentication request and the ZyAIR will fall back to use open authentication if the shared key does not match.
  • Page 86: Table 7-1 Wireless : Wep Fields

    Allowed Output Power Set the output power of the ZyAIR in this field. If there is a high density of APs within an area, decrease the output power of the ZyAIR to reduce interference with other APs. The options are 11dBm (50mW), 13dBm (32mW), 15dBm (20mW) or 17dBm (12.6mW).
  • Page 87: Mac Filter

    Click Reset to reload the previous configuration for this screen. MAC Filter The MAC filter screen allows you to configure the ZyAIR to give exclusive access to up to 32 devices (Allow Association) or exclude up to 32 devices from accessing the ZyAIR (Deny Association). Every Ethernet device has a unique MAC (Media Access Control) address.
  • Page 88: Figure 7-4 Mac Address Filter

    Figure 7-4 MAC Address Filter The following table describes the labels in this menu. Wireless Security...
  • Page 89: Overview

    • Accounting Keeps track of the client’s network activity. RADIUS user is a simple package exchange in which your ZyAIR acts as a message relay between the wireless station and the network RADIUS server. Types of RADIUS Messages The following types of RADIUS messages are exchanged between the access point and the RADIUS server...
  • Page 90: Eap Authentication Overview

    EAP-compatible RADIUS server, the access point helps a wireless station and a RADIUS server perform authentication. The type of authentication you use depends on the RADIUS server or the AP. The ZyAIR supports EAP-TLS, EAP-TTLS and DEAP with RADIUS. Refer to the Types of EAP Authentication appendix for descriptions on the four common types.
  • Page 91: Dynamic Wep Key Exchange

    EAP-MD5 authentication steps, see the IEEE 802.1x appendix. • The wireless station sends a “start” message to the ZyAIR. • The ZyAIR sends a “request identity” message to the wireless station for identity information. • The wireless station replies with identity information, including username and password. •...
  • Page 92: Introduction To Local User Database

    Introduction to Local User Database By storing user profiles locally on the ZyAIR, your ZyAIR is able to authenticate wireless users without interacting with a network RADIUS server. However, there is a limit on the number of users you may authenticate in this way.
  • Page 93: Table 7-3 Wireless Lan: 802.1X

    RADIUS server has priority. Idle Timeout The ZyAIR automatically disconnects a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the username and password again before access to the wired network is allowed.
  • Page 94 RADIUS server for a wireless station's username and password. Select Local first, then RADIUS to have the ZyAIR first check the user database on the ZyAIR for a wireless station's username and password. If the user name is not found, the ZyAIR then checks the user database on the specified RADIUS server.
  • Page 95: Configuring Local User Database

    ZyAIR for authentication. 7.10 Configuring Local User Database To change your ZyAIR’s local user database, click ADVANCED, WIRELESS and then the Local User Database tab. The screen appears as shown (some of the screen’s blank rows are not shown).
  • Page 96: Configuring Radius

    Type a password (up to 31 characters) for this user profile. Note that as you type a password, the screen displays a (*) for each character you type. Apply: Click Apply to save your changes back to the ZyAIR. Reset: Click Reset to reload the previous configuration for this screen. 7.11 Configuring RADIUS...
  • Page 97: Table 7-5 Radius

    Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external accounting server and the ZyAIR. The key must be the same on the external accounting server and your ZyAIR. The key is not sent over the network.
  • Page 99: Wan

    Part III: This part covers the web configurator screen and information about WAN.
  • Page 101: Chapter 8 Wan Screens

    See the Wizard Setup chapter for more background information on most fields in the WAN screens. Background information on WAN fields not included in the Wizard is described here. Configuring WAN ISP To change your ZyAIR’s WAN ISP settings, click ADVANCED, WAN and then the ISP tab. The screen differs by the encapsulation.
  • Page 102: Figure 8-2 Service Type

    RR-Manager (Roadrunner Manager authentication method), RR-Telstra or Telia Login. Choose a Roadrunner service type if your ISP is Time Warner's Roadrunner; otherwise choose Standard. Apply Click Apply to save your changes back to the ZyAIR. Reset Click Reset to begin configuring this screen afresh. Service Type The screen varies according to the service type you select.
  • Page 103: Pppoe Encapsulation

    Confirm field above was what you intended. Login Server IP Address: The ZyAIR will find the Roadrunner Server IP address if this field is left blank. If it does not, then you must enter the authentication server IP address. Login Server: Type the domain name of the Telia login server, for example "login1.telia.com".
  • Page 104: Figure 8-3 Pppoe Encapsulation

    DESCRIPTION ISP Parameters for Internet Access Encapsulation The PPP over Ethernet choice is for a dial-up connection using PPPoE. The ZyAIR supports PPPoE (Point-to-Point Protocol over Ethernet). Service Name Type the PPPoE service name provided to you. PPPoE uses a service name to identify and reach the PPPoE server.
  • Page 105: Pptp Encapsulation

    Table 8-3 PPPoE Encapsulation LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyAIR. Reset Click Reset to begin configuring this screen afresh. 8.2.3 PPTP Encapsulation Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks.
  • Page 106: Tcp/Ip Priority (Metric)

    "1" for directly connected networks. The number must be between "1" and "15"; a number greater than "15" means the link is down. The smaller the number, the lower the "cost". The metric sets the priority for the ZyAIR’s routes to the Internet. If any two of the default routes have the same metric.
  • Page 107: Configuring Wan Ip

    Configuring WAN IP To change your ZyAIR’s WAN IP settings, click ADVANCED, WAN and then the IP tab. Figure 8-5 IP Setup The following table describes the labels in this screen. Table 8-5 IP Setup...
  • Page 108 Enter the ZyAIR WAN IP address in this field if you selected Use Fixed IP Address. Address My WAN IP Enter the ZyAIR WAN IP subnet mask (if your ISP gave you one) in this field if you Subnet Mask selected Use Fixed IP Address.
  • Page 109 When set to Both or In Only, the ZyAIR will incorporate RIP information that it receives. When set to None, the ZyAIR will not send any RIP packets and will ignore any RIP packets received. By default, RIP Direction is set to Both.
  • Page 110: Configuring Wan Mac

    Reset Click Reset to begin configuring this screen afresh. Configuring WAN MAC To change your ZyAIR’s WAN MAC settings, click ADVANCED, WAN and then the MAC tab. The screen appears as shown. Figure 8-6 MAC Setup The MAC address screen allows users to configure the WAN port's MAC address by either using the factory default or cloning the MAC address from a computer on your LAN.
  • Page 111: Sua/Nat And Static Route

    SUA/NAT and Static Route Part IV: SUA/NAT AND STATIC ROUTE This part covers the information about SUA/NAT and Static Route setup.
  • Page 113: Chapter 9 Single User Account (Sua) / Network Address Translation (Nat)

    IP address known within another network. 9.1.1 NAT Definitions Inside/outside denotes where a host is located relative to the ZyAIR. For example, the computers of your subscribers are the inside hosts, while the web servers on the Internet are the outside hosts.
  • Page 114: What Nat Does

    Many-to-One and Many-to-Many Overload NAT mapping) in each packet and then forwards it to the Internet. The ZyAIR keeps track of the original addresses and port numbers so incoming reply packets can have their original values restored. The following figure illustrates this.
  • Page 115: Nat Application

    9.1.4 NAT Application The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyAIR can communicate with three distinct WAN networks. More examples follow at the end of this chapter. SUA/NAT...
  • Page 116: Nat Mapping Types

    NAT supports five types of IP/port mapping. They are: One to One: In One-to-One mode, the ZyAIR maps one local IP address to one global IP address. Many to One: In Many-to-One mode, the ZyAIR maps multiple local IP addresses to one global IP address.
  • Page 117: Sua (Single User Account) Versus Nat

    SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server. The ZyAIR also supports Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types. Select either SUA Only or Full Feature in WAN IP.
  • Page 118: Port Forwarding: Services And Port Numbers

    You may enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server. The port number identifies a service; for example, web service is on port 80 and FTP on port 21.
  • Page 119: Configuring Servers Behind Sua (Example)

    Table 9-3 Services and Port Numbers SERVICES PORT NUMBER POP3 (Post Office Protocol) NNTP (Network News Transport Protocol) SNMP (Simple Network Management Protocol) SNMP trap PPTP (Point-to-Point Tunneling Protocol) 1723 9.2.2 Configuring Servers Behind SUA (Example) Let's say you want to assign ports 22-25 to one server, port 80 to another and assign a default server IP address of 192.168.1.35 as shown in the next figure.
  • Page 120: Figure 9-4 Sua/Nat Setup

    If you do not assign a Default Server IP address, then all packets received for ports not specified in this screen will be discarded. Click ADVANCED and then SUA/NAT to open the SUA Server screen.
  • Page 121: Configuring Address Mapping

    Click Reset to begin configuring this screen afresh. Configuring Address Mapping Ordering your rules is important because the ZyAIR applies the rules in the order that you specify. When a rule matches the current packet, the ZyAIR takes the corresponding action and the remaining rules are ignored.
  • Page 122: Figure 9-5 Address Mapping

    Figure 9-5 Address Mapping The following table describes the labels in this screen. Table 9-5 Address Mapping LABEL DESCRIPTION This field displays the index number of the address mapping rule. Local Start IP This refers to the Inside Local Address (ILA), that is the starting local IP address. Local IP addresses are N/A for Server port mapping.
  • Page 123: Configuring Address Mapping Rule

    Table 9-5 Address Mapping LABEL DESCRIPTION Insert Click Insert to insert a new mapping rule before an existing one. Edit Click Edit to go to the Address Mapping Rule screen. Delete Click Delete to delete an address mapping rule.
  • Page 124 This is the ending global IP address (IGA). This field is N/A for One-to-One, Many- to-One and Server mapping types. Apply Click Apply to save your changes back to the ZyAIR. Cancel Click Cancel to exit this screen without saving.
  • Page 125: Chapter 10 Static Route

    For instance, the ZyAIR knows about network N2 in the following figure through remote node Router 1. However, the ZyAIR is unable to route a packet to network N3 because it doesn't know that there is a route through the same remote node Router 1 (via gateway Router 2). The static routes are for you to tell the ZyAIR about the networks beyond the remote nodes.
  • Page 126: Figure 10-2 Ip Static Route Summary

    IP address of one of the remote nodes. Edit To set up a static route on the ZyAIR, click the radio button next to the static route index number you want to configure, then click Edit to go to the Static Route -Edit screen.
  • Page 127: Configuring Route Entry

    LABEL DESCRIPTION Delete To remove a static route on the ZyAIR, click the radio button next to the static route index number you want to remove, then click Delete. 10.2.1 Configuring Route Entry Select a static route index number and click Edit. The screen shown next appears. Fill in the required information for each static route.
  • Page 128 Type the IP address of the gateway. Address The gateway is an immediate neighbor of your ZyAIR that will forward the packet to the destination. On the LAN, the gateway must be a router on the same segment as your ZyAIR;...
  • Page 129: Firewall And Remote Management

    Firewall and Remote Management Part V: FIREWALL AND REMOTE MANAGEMENT This part introduces firewalls in general and the ZyAIR firewall. It also explains custom ports and gives example firewall rules and information on Remote Management.
  • Page 131: Chapter 11 Introduction To Firewalls

    Chapter 11 Introduction to Firewalls This chapter gives some background information on firewalls and introduces the ZyAIR firewall. This chapter is not applicable to the ZyAIR B-2000. 11.1 Firewall Overview Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another.
  • Page 132: Stateful Inspection Firewalls

    The ZyAIR firewall is a stateful inspection firewall and is designed to protect against Denial of Service attacks when activated (in SMT menu 21.2 or in the web configurator). The ZyAIR’s purpose is to allow a private Local Area Network (LAN) to be securely connected to the Internet. The ZyAIR can be used to prevent theft, destruction and modification of data, as well as log events, which may be important to the security of your network.
  • Page 133: Basics

    Figure 11-1 ZyAIR Firewall Application 11.4.1 Basics Computers share information over the Internet using a common language called TCP/IP. TCP/IP, in turn, is a set of application protocols that perform specific functions. An “extension number”, called the "TCP port" or "UDP port"...
  • Page 134: Types Of Dos Attacks

    Table 11-1 Common IP Ports Telnet HTTP SMTP POP3 11.4.2 Types of DoS Attacks There are four types of DoS attacks: 1. Those that exploit bugs in a TCP/IP implementation. 2. Those that exploit weaknesses in the TCP/IP specification.
  • Page 135: Figure 11-2 Three-Way Handshake

    Figure 11-2 Three-Way Handshake Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment).
  • Page 136: Figure 11-4 Smurf Attack

    2-b In a LAND Attack, hackers flood SYN packets into the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself.
  • Page 137: Stateful Inspection

    To engage in IP spoofing, a hacker must modify the packet headers so that it appears that the packets originate from a trusted host and should be allowed through the router or firewall. The ZyAIR blocks all IP Spoofing attempts.
  • Page 138: Figure 11-5 Stateful Inspection

    Figure 11-5 Stateful Inspection The previous figure shows the ZyAIR’s default firewall rules in action as well as demonstrates how stateful inspection works. User A can initiate a Telnet session from within the LAN and responses to this request are allowed.
  • Page 139: Chapter 12 Firewall Screens

    Chapter 12 Firewall Screens This chapter shows you how to configure your ZyAIR firewall. This chapter is not applicable to the ZyAIR B-2000. 12.1 Access Methods The web configurator is, by far, the most comprehensive firewall configuration tool your ZyAIR has to offer.
  • Page 140: Rule Logic Overview

    If you configure firewall rules without a good understanding of how they work, you might inadvertently introduce security risks to the firewall and to the protected network. Make sure you test your rules after you configure them.
  • Page 141: Key Fields For Configuring Rules

    This section describes examples for firewall rules for connections going from LAN to WAN and from WAN to LAN. LAN to LAN/ZyAIR and WAN to WAN/ZyAIR rules apply to packets coming in on the associated interface (LAN or WAN respectively). LAN to LAN/ZyAIR means policies for LAN-to-ZyAIR (the policies for managing the ZyAIR through the LAN interface) and policies for LAN-to-LAN (the policies that control routing between two subnets on the LAN).
  • Page 142: Lan To Wan Rules

    12.4.1 LAN to WAN Rules The default rule for LAN to WAN traffic is that all users on the LAN are allowed non-restricted access to the WAN. When you configure a LAN to WAN rule, you in essence want to limit some or all users from accessing certain services on the WAN.
  • Page 143: Enabling Firewall

    The firewall is automatically enabled when you configure blocked services. When you configure a remote management menu to allow access to the ZyAIR, a firewall rule (WAN-to-WAN) is automatically created. Click ADVANCED and FIREWALL to open the Settings screen. Enable (or activate) the firewall by selecting the Enable Firewall check box as seen in the following screen.
  • Page 144: Figure 12-3 Firewall Settings

    LABEL DESCRIPTION Enable Firewall Select this check box to activate the firewall. The ZyAIR performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated. LAN to WAN To log packets related to firewall rules, make sure that Access Control under Log is selected in the Logs, Log Settings screen.
  • Page 145: Configuring Content Filtering

    Active X components, Java applets and cookies. Finally you can schedule when the ZyAIR performs content filtering by day and time. Click ADVANCED, FIREWALL and then the Filter tab to open the Filter screen.
  • Page 146: Figure 12-4 Firewall Filter

    Figure 12-4 Firewall Filter The following table describes the labels in this screen. Table 12-2 Firewall Filter LABEL DESCRIPTION Restrict Web Features: Select the categories of web features that you want to restrict.
  • Page 147 Table 12-2 Firewall Filter LABEL DESCRIPTION ActiveX ActiveX is a tool for building dynamic and active Web pages and distributed object applications. When you visit an ActiveX Web site, ActiveX controls are downloaded to your browser, where they remain in case you visit the site again.
  • Page 148: Configuring Firewall Services

    12.5.2 Configuring Firewall Services Click ADVANCED, FIREWALL and then the Services tab to open the Services screen. Use this screen to enable service blocking, enter/delete/modify the services you want to block and the date/time you want to block them.
  • Page 149: Table 12-3 Creating/Editing A Firewall Rule

    Table 12-3 Creating/Editing A Firewall Rule LABEL DESCRIPTION Enable Services Blocking: Select the check box to activate service blocking. Available Services: This is a list of pre-defined services (ports) you may prohibit your LAN computers from using.
  • Page 150: Predefined Services

    The Available Services list box in the Services screen (see Figure 12-5) displays all predefined services that the ZyAIR already supports. Next to the name of the service, two fields appear in brackets. The first field indicates the IP protocol type (TCP, UDP, or ICMP). The second field indicates the IP port number that defines the service.
  • Page 151 Table 12-4 Predefined Services SERVICE DESCRIPTION NNTP(TCP:119) Network News Transport Protocol is the delivery mechanism for the USENET newsgroup service. PING(ICMP:0) Packet INternet Groper is a protocol that sends out ICMP echo requests to test whether or not a remote host is reachable.
  • Page 152 Table 12-4 Predefined Services SERVICE DESCRIPTION TFTP(UDP:69) Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol). VDOLIVE(TCP:7000) Another videoconferencing solution.
  • Page 153: Chapter 13 Remote Management

    ZyAIR B-2000. 13.1 Remote Management Overview Remote management allows you to determine which services/protocols can access which ZyAIR interface (if any) from which computers. You can customize the service port, access interface and the secured client IP address to enhance security and flexibility.
  • Page 154: Remote Management And Nat

    There is a system timeout of five minutes (three hundred seconds) for either the console port or telnet/web/FTP connections. Your ZyAIR automatically logs you out if you do nothing in this timeout period, except when it is continuously updating the status in menu 24.1 or when sys stdio has been changed on the command line.
  • Page 155: Configuring Telnet

    Select the interface(s) through which a computer may access the ZyAIR using this service. Secured Client IP Address: A secured client is a “trusted” computer that is allowed to communicate with the ZyAIR using this service. Select All to allow any computer to access the ZyAIR using this service.
  • Page 156: Configuring Ftp

    13.4 Configuring FTP You can upload and download the ZyAIR’s firmware and configuration files using FTP; please see the chapter on firmware and configuration file maintenance for details. To use this feature, your computer must have an FTP client.
  • Page 157: Configuring Www

    Reset Click Reset to begin configuring this screen afresh. 13.5 Configuring WWW To change your ZyAIR’s World Wide Web settings, click ADVANCED, REMOTE MANAGEMENT and then the WWW tab. The screen appears as shown. Figure 13-4 WWW The following table describes the labels in this screen.
  • Page 158: Configuring Snmp

    Simple Network Management Protocol is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your ZyAIR supports SNMP agent functionality, which allows a manager station to manage and monitor the ZyAIR through the network. The ZyAIR supports SNMP version one (SNMPv1) and version two c (SNMPv2c).
  • Page 159: Figure 13-5 Snmp Management Model

    An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyAIR). An agent translates the local management information from the managed device into a form compatible with SNMP.
  • Page 160: Supported Mibs

    Trap - Used by the agent to inform the manager of some events. 13.6.1 Supported MIBs The ZyAIR supports MIB II that is defined in RFC-1213 and RFC-1215. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance.
  • Page 161: Remote Management: Snmp

    13.6.3 REMOTE MANAGEMENT: SNMP To change your ZyAIR’s SNMP settings, click ADVANCED, REMOTE MANAGEMENT and then the SNMP tab. The screen appears as shown. Figure 13-6 SNMP The following table describes the labels in this screen.
  • Page 162: Configuring Dns

    Enter the Set community, which is the password for incoming Set requests from the management station. Trusted Host If you enter a trusted host, your ZyAIR will only respond to SNMP messages from this address. A blank (default) field means your ZyAIR will respond to all SNMP messages it receives, regardless of source.
  • Page 163: Configuring Security

    Security tab. The screen appears as shown. If an outside user attempts to probe an unsupported port on your ZyAIR, an ICMP response packet is automatically returned. This allows the outside user to know the ZyAIR exists. The ZyAIR series support...
  • Page 164: Figure 13-8 Security

    Select this option to prevent hackers from finding the ZyAIR by probing for unused to requests for ports. If you select this option, the ZyAIR will not send ICMP response packets to port unauthorized request(s) for unused ports, thus leaving the unused ports and the ZyAIR unseen.
  • Page 165: Upnp And Logs

    UPnP and Logs Part VI: UPNP AND LOGS This part provides information and configuration instructions for UPnP (Universal Plug and Play) and the logs.
  • Page 167: Chapter 14 Upnp Screen

    Chapter 14 UPnP Screen This chapter introduces the Universal Plug and Play feature. 14.1 Universal Plug and Play Overview Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices.
  • Page 168: Cautions With Upnp

    14.1.3 Cautions with UPnP The automated nature of NAT traversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments.
  • Page 169: Figure 14-1 Configuring Upnp

    Select this check box to activate UPnP. Be aware that anyone could use a and Play (UPnP) feature UPnP application to open the web configurator's login screen without entering the ZyAIR's IP address (although you must still enter the password to access the web configurator). Allow users to make...
  • Page 170: Installing Upnp In Windows Example

    LABEL DESCRIPTION Allow UPnP to pass through Firewall: Select this check box to create a static LAN to LAN/ZyAIR rule that allows forwarding of ports 1900 and 80. Selecting this check box also creates a dynamic firewall rule every time a NAT forwarding port is reserved for UPnP.
  • Page 171: Installing Upnp In Windows Xp

    Step 3. In the Communications window, select the Universal Plug and Play check box in the Components selection box. Step 4. Click OK to go back to the Add/Remove Programs Properties window and click Next.
  • Page 172: Using Upnp In Windows Xp Example

    This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the ZyAIR. Make sure the computer is connected to a LAN port of the ZyAIR. Turn on your computer and the ZyAIR. 14.5.1 Auto-discover Your UPnP-enabled Network Device Step 1.
  • Page 173 Step 3. In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created. Step 4. You may edit or delete the port mappings or click Add to manually add port mappings.
  • Page 174: Web Configurator Easy Access

    14.5.2 Web Configurator Easy Access With UPnP, you can access the web-based configurator on the ZyAIR without finding out the IP address of the ZyAIR first. This is helpful if you do not know the IP address of the ZyAIR.
  • Page 175 Step 1. Click start and then Control Panel. Step 2. Double-click Network Connections. Step 3. Select My Network Places under Other Places. Step 4. An icon with the description for each UPnP-enabled device displays under Local Network.
  • Page 176 Step 6. Right-click the icon for your ZyAIR and select Properties. A properties window displays with basic information about the ZyAIR.
  • Page 177: Chapter 15 Logs Screens

    15.1 Using the View Log Screen The web configurator allows you to look at all of the ZyAIR’s logs in one location. Click ADVANCED and then LOGS to open the View Log screen. Use the View Log screen to see the logs for the categories that you selected in the Log Settings screen (see section 15.2).
  • Page 178: Figure 15-1 View Log

    Figure 15-1 View Log The following table describes the labels in this screen. Table 15-1 View Log LABEL DESCRIPTION Display Select a log category from the drop down list box to display logs within the selected category.
  • Page 179: Configuring Log Settings

    Use the Log Settings screen to configure where the ZyAIR sends the logs, the schedule for when the ZyAIR sends the logs, and which logs and/or immediate alerts the ZyAIR sends.
  • Page 180: Figure 15-2 Log Settings

    Figure 15-2 Log Settings
  • Page 181: Table 15-2 Log Settings

    The following table describes the labels in this screen. Table 15-2 Log Settings LABEL DESCRIPTION Address Info Mail Server Enter the server name or the IP address of the mail server for the e-mail addresses specified below.
  • Page 182: Configuring Reports

    Click Reset to begin configuring this screen afresh. 15.3 Configuring Reports To change your ZyAIR’s log reports, click ADVANCED, LOGS and then the Reports tab. The screen appears as shown. The Reports screen displays which computers on the LAN send and receive the most traffic, what kinds of traffic are used the most and which web sites are visited the most often.
  • Page 183: Figure 15-3 Reports

    The ZyAIR records web site hits by counting the HTTP GET packets. Many web sites include HTTP GET references to other web sites and the ZyAIR may count these as hits, thus the web hit count is not (yet) 100% accurate.
  • Page 184: Viewing Protocol/Port

    Hits 15.3.1 Viewing Protocol/Port In the Reports screen, select Protocol/Port from the Report Type drop-down list box to have the ZyAIR record and display which protocols or service ports have been used the most and the amount of traffic for the most used protocols or service ports.
  • Page 185: Figure 15-4 Protocol/Port Report

    Protocol/Port This column lists the protocols or service ports for which the most traffic has gone through the ZyAIR. The protocols or service ports are listed in descending order with the most used protocol or service port listed first. Start Collection/...
  • Page 186: Viewing Lan Ip Address

    In the Reports screen, select LAN IP Address from the Report Type drop-down list box to have the ZyAIR record and display the LAN IP addresses that the most traffic has been sent to and/or from and how much traffic has been sent to and/or from those IP addresses.
  • Page 187: Reports Specifications

    Table 15-5 LAN IP Address Report LABEL DESCRIPTION Start Collection/Stop Collection: The button text shows Start Collection when the ZyAIR is not recording report data and Stop Collection when the ZyAIR is recording report data.
  • Page 188: Maintenance

    Maintenance Part VII: MAINTENANCE This part describes the Maintenance web configurator screens.
  • Page 190: Chapter 16 Maintenance

    ZyAIR. 16.2 System Status Screen Click MAINTENANCE to open the System Status screen, which you can use to monitor your ZyAIR. Note that these fields are READ-ONLY and are meant to be used for diagnostic purposes. Figure 16-1 System Status The following table describes the labels in this screen.
  • Page 191: System Statistics

    This is the ZyNOS Firmware version and the date created. ZyNOS is ZyXEL's Version proprietary Network Operating System design. Routing Protocols This shows the routing protocol – IP for which the ZyAIR is configured. WAN Port IP Address This is the WAN port IP address.
  • Page 192: Dhcp Table Screen

    DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the ZyAIR as a DHCP server or disable it. When configured as a server, the ZyAIR provides the TCP/IP configuration for the clients. If set to None, DHCP service will be disabled and you must have another DHCP server on your LAN, or else the computer must be manually configured.
  • Page 193: Wireless Screen

    Refresh Click Refresh to reload the DHCP table. 16.4 Wireless Screen View the wireless stations that are currently associated to the ZyAIR in the Association List screen. Click MAINTENANCE and then WIRELESS to display the screen as shown next.
  • Page 194: Channel Usage

    This is the index number of an associated wireless station. MAC Address This field displays the MAC address of an associated wireless station. Association Time This field displays the time a wireless station first associated with the ZyAIR. Refresh Click Refresh to reload the screen. 16.4.1 Channel Usage The Channel Usage screen displays whether a channel is used by another wireless network or not.
  • Page 195: Figure 16-5 Channel Usage (Zyair B-2000)

    Figure 16-5 Channel Usage (ZyAIR B-2000) The following table describes the labels in this screen. Table 16-5 Channel Usage (ZyAIR B-2000) LABEL DESCRIPTION Channel: This is the index number of the channel currently used by the associated AP in an Infrastructure wireless network or wireless station in an Ad-Hoc wireless network.
  • Page 196: Figure 16-6 Channel Usage

    Figure 16-6 Channel Usage The following table describes the labels in this screen. Table 16-6 Channel Usage LABEL DESCRIPTION This is the Service Set IDentification name of the AP in an infrastructure wireless network or wireless station in an Ad-Hoc wireless network.
  • Page 197: F/W Upload Screen

    (usually) uses the system model name with a "*.bin" extension, e.g., "zyair.bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes. After a successful upload, the system will reboot. See the Firmware and Configuration File Maintenance chapter for upgrading firmware using FTP/TFTP commands.
  • Page 198: Figure 16-8 Firmware Upload In Process

    After you see the Firmware Upload in Process screen, wait two minutes before logging into the device again. Figure 16-8 Firmware Upload In Process The ZyAIR automatically restarts in this time causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop. Figure 16-9 Network Temporarily Disconnected...
  • Page 199: Configuration Screen

    16.6.1 Backup Configuration Backup configuration allows you to back up (save) the current system (ZyAIR) configuration to your computer. Backup is highly recommended once your ZyAIR is functioning properly. Click Backup to save your current ZyAIR configuration to your computer.
  • Page 200: Restore Configuration

    Restore configuration replaces your ZyAIR's current configuration (content filters, firewall settings, etc.) with a previously saved configuration. Restore files (usually) have a .ROM extension, e.g., "zyair.rom". The system reboots automatically after the file transfer is complete and uses the configured values in the file.
  • Page 201: Figure 16-13 Configuration Upload Successful

    If you uploaded the default configuration file you may need to change the IP address of your computer to be in the same subnet as that of the default ZyAIR IP address (192.168.1.1). See the appendix for details on how to set up your computer’s IP address.
  • Page 202: Back To Factory Defaults

    16.6.3 Back to Factory Defaults Clicking the Reset button in this section clears all user-entered configuration information and returns the ZyAIR to its factory defaults as shown on the screen. This will erase all configurations that you have applied. Click the Default tab to display the screen shown next.
  • Page 203: Figure 16-17 Reset Warning Message

    Figure 16-17 Reset Warning Message You can also press the RESET button on the side panel to reset the factory defaults of your ZyAIR. Refer to the Resetting the ZyAIR section for more information on the RESET button.
  • Page 204: Smt Getting Started Menus

    Part VIII: SMT GETTING STARTED MENUS This part introduces the SMT (System Management Terminal) and discusses the “Getting Started” SMT menus. See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.
  • Page 206: Chapter 17 Introducing The Smt

    The following procedure details how to telnet into your ZyAIR. Step 1. Make sure your computer IP address and the ZyAIR IP address are on the same subnet. Refer to the Setting Up Your Computer IP Address appendix. Step 2.
  • Page 207: Initial Screen

    ZyAIR will automatically log you out. 17.2.1 Initial Screen When you turn on your ZyAIR, it performs several internal tests as well as line initialization. After the initialization, the ZyAIR asks you to press [ENTER] to continue, as shown.
  • Page 208: Zyair Smt Menu Overview Example

    Note that as you type a password, the screen displays an asterisk “*” for each character you type. 17.4 ZyAIR SMT Menu Overview Example We use the ZyAIR B-2000 v.2 SMT menus in this guide as an example. The SMT menus may vary slightly between ZyAIR wireless gateway models.
  • Page 209: Figure 7-3 Wireless

    [Figure 17-4 ZyAIR B-2000 v.2 SMT Menu Overview Example: menu tree whose surviving entries include Menu 24.5 System Maintenance -- Backup Configuration and Menu 24.6 System Maintenance -- Restore Configuration]
  • Page 210: Navigating The Smt Interface

    17.5 Navigating the SMT Interface Several operations that you should be familiar with before you attempt to modify the configuration are listed in the table below. Table 17-1 Main Menu Commands OPERATION KEYSTROKE DESCRIPTION...
  • Page 211: System Management Terminal Interface Summary

    Static Routing Setup: Use this menu to set up static routes.
    Dial-in User Setup: Use this menu to set up local user profiles on the ZyAIR.
    NAT Setup: Use this menu to specify inside servers when NAT is enabled.
    Filter and Firewall Setup: Use this menu to set up filters and firewall to provide security, etc.
  • Page 212 Table 17-2 Main Menu Summary MENU TITLE DESCRIPTION Exit Use this to exit from SMT and return to a blank screen.
  • Page 214: Chapter 18 General And Wan Setup

    To use this service, you must register with the Dynamic DNS service provider. The Dynamic DNS service provider will give you a password or key. The ZyAIR supports www.dyndns.org. You can apply to this service provider for Dynamic DNS service.
  • Page 215: Figure 18-1 Menu 1 General Setup

    Menu 1 - General Setup
        System Name=
        Domain Name= zyxel.com.tw
        First System DNS Server= From ISP
          IP Address= N/A
        Second System DNS Server= From ISP
          IP Address= N/A
        Third System DNS Server= None
          IP Address= N/A...
  • Page 216: Procedure To Configure Dynamic Dns

    Table 18-1 Menu 1 General Setup FIELD DESCRIPTION EXAMPLE Edit Dynamic DNS Press [SPACE BAR] to select Yes and press [ENTER] to configure Menu 1.1 – Configure Dynamic DNS (discussed next). When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel.
  • Page 217 IP address of the host name(s) with the ZyAIR’s WAN IP address. DDNS does not work with a private IP address. When both fields are set to No, the ZyAIR must have a public WAN IP address in order for DDNS to work.
  • Page 218: Wan Setup

    User Specified IP Address: ... IP address of the host name(s) to the IP address specified below. Only select Yes if the ZyAIR uses or is behind a static public IP address.
    IP Address: Enter the static public IP address if you select Yes in the User Specified IP Addr field.
  • Page 219 Table 18-3 Menu 2 WAN Setup FIELD DESCRIPTION EXAMPLE Assigned By: Press [SPACE BAR] to select Factory default and press [ENTER] to use the factory assigned MAC address (example: Factory default). Select IP address attached on LAN and enter the IP address in the IP Address field below to clone the MAC address of the computer on the Ethernet.
  • Page 220: Chapter 19 Lan Setup

    Chapter 19 LAN Setup This chapter shows you how to configure the LAN on your ZyAIR. 19.1 LAN Setup This section describes how to configure the Ethernet using Menu 3 – LAN Setup. From the main menu, enter 3 to display menu 3.
  • Page 221: Figure 19-3 Menu 3.2 Tcp/Ip And Dhcp Ethernet Setup

    19.2 TCP/IP Ethernet and DHCP Setup Use menu 3.2 to configure your ZyAIR for TCP/IP. To edit menu 3.2, enter 3 from the main menu to display Menu 3-Ethernet Setup. When menu 3 appears, press 2 and press [ENTER] to display Menu 3.2-TCP/IP and DHCP Ethernet Setup, as shown next...
  • Page 222: Table 19-1 Menu 3.2 Dhcp Ethernet Setup

    (default) If set to None, the DHCP server will be disabled. If set to Relay, the ZyAIR acts as a surrogate DHCP server and relays DHCP requests and responses between the remote server and the clients. Enter the IP address of the actual, remote DHCP server in the Remote DHCP Server field in this case.
  • Page 223: Ip Alias

    IP Alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The ZyAIR supports three logical LAN interfaces via its single physical Ethernet interface with the ZyAIR itself as the gateway for each LAN network.
  • Page 224: Ip Alias Setup

    19.3.1 IP Alias Setup Use menu 3.2 to configure the first network. Move the cursor to Edit IP Alias field and press [SPACE BAR] to choose Yes and press [ENTER] to configure the second and third network.
  • Page 225: Wireless Lan Setup

    19.4 Wireless LAN Setup Use menu 3.5 to set up your ZyAIR as the wireless access point. To edit menu 3.5, enter 3 from the main menu to display Menu 3 – LAN Setup. When menu 3 appears, press 5 and then press [ENTER] to display Menu 3.5 –...
  • Page 226: Figure 19-8 Menu 3.5 Wireless Lan Setup

    Menu 3.5 - Wireless LAN Setup
        ESSID= Wireless
        Hide ESSID= No
        Channel ID= CH01 2412MHz
        RTS Threshold= 0
        Frag. Threshold= 2432
        WEP Encryption= Disable
          Default Key= N/A
          Key1= N/A
          Key2= N/A
          Key3= N/A
          Key4= N/A
        Authen.
  • Page 227 Select 64-bit WEP or 128-bit WEP to enable data encryption. Default Key Enter the key number (1 to 4) in this field. Only one key can be enabled at any one time. This key must be the same on the ZyAIR and the wireless stations to communicate.
  • Page 228: Configuring Mac Address Filter

    [ESC] to cancel and go back to the previous screen. 19.4.1 Configuring MAC Address Filter Your ZyAIR checks the MAC address of the wireless station device against a list of allowed or denied MAC addresses. However, intruders could fake allowed MAC addresses so MAC-based authentication is less secure than EAP authentication.
  • Page 229: Figure 19-10 Menu 3.5.1 Wlan Mac Address Filter

    Define the filter action for the list of MAC addresses in the MAC address filter table. To deny access to the ZyAIR, press [SPACE BAR] to select Deny Association and press [ENTER]. MAC addresses not listed will be allowed to access the router.
  • Page 230: Configuring Roaming On The Zyair

    19.4.2 Configuring Roaming on the ZyAIR Enable the roaming feature if you have two or more ZyAIRs on the same subnet. Follow the steps below to allow roaming on your ZyAIR. Step 1. From the main menu, enter 3 to display Menu 3 – LAN Setup.
  • Page 231: Table 19-6 Menu 3.5.2 Roaming Configuration

    FIELD: DESCRIPTION
    Active: Press [SPACE BAR] and then [ENTER] to select Yes to enable roaming on the ZyAIR if you have two or more ZyAIRs on the same subnet.
    Port #: Enter the port number to communicate roaming information between access points. The port number must be the same on all access points.
  • Page 232: Chapter 20 Internet Access

    Menu 4 allows you to enter the Internet Access information in one screen. Menu 4 is actually a simplified setup for one of the remote nodes that you can access in menu 11. Before you configure your ZyAIR for Internet access, you need to collect your Internet account information from your ISP and telephone company.
  • Page 233: Internet Access Setup

    Network Address Translation= SUA Only Press ENTER to Confirm or ESC to Cancel: Figure 20-1 Menu 4 Internet Access Setup The following table contains instructions on how to configure your ZyAIR for Internet access. Table 20-2 Menu 4 Internet Access Setup FIELD...
  • Page 234 ] at any time to cancel. If all your settings are correct your ZyAIR should connect automatically to the Internet. If the connection fails, note the error message that you receive on the screen and take the appropriate troubleshooting steps.
  • Page 235: Smt Advanced Application Menus

    Part IX: SMT ADVANCED APPLICATION MENUS This part shows how to configure Remote Node, Static Routing, Dial-in User and NAT.
  • Page 237: Chapter 21 Remote Node Configuration

    The ZyAIR does two things when you specify a nailed-up connection. The first is that idle timeout is disabled. The second is that the ZyAIR will try to bring up the connection when turned on and whenever the connection is down. A nailed-up connection can be very expensive for obvious reasons.
  • Page 238: Figure 21-1 Menu 11.1 Remote Node Profile

    Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Active= Yes Encapsulation= PPTP Edit IP= No Service Type= Standard Telco Option: Service Name= N/A Allocated Budget(min)= 0 Outgoing: Period(hr)= 0 My Login=...
  • Page 239 Table 21-1 Menu 11.1 Remote Node Profile FIELD DESCRIPTION EXAMPLE Outgoing: My Login Type the login name assigned by your ISP when the ZyAIR calls this remote node. My Password Type the password assigned by your ISP when the ZyAIR calls this remote node. Authen This field sets the authentication protocol used for outgoing calls.
  • Page 240: Outgoing Authentication Protocol

    Idle Timeout (sec) Type the number of seconds (0-9999) that can elapse when the ZyAIR is idle (there is no traffic going to the remote node), before (default) the ZyAIR automatically disconnects the remote node. 0 means that the session will not timeout.
  • Page 241: Figure 21-2 Menu 11.3 Remote Node Network Layer Options

    IP network numbers for the WAN and LAN links and each end to have a unique address within the WAN network number. In that case, type the IP address assigned to the WAN port of your ZyAIR.
  • Page 242: Remote Node Filter

    Use Menu 11.5 - Remote Node Filter to specify the filter set(s) to apply to the incoming and outgoing traffic between this remote node and the ZyAIR and also to prevent certain packets from triggering calls. You can specify up to 4 filter sets separated by commas, for example, 1, 5, 9, 12, in each filter field.
  • Page 243: Ip Static Route Setup

    Each remote node specifies only the network to which the gateway is directly connected and the ZyAIR has no knowledge of the networks beyond. For instance, the ZyAIR knows about network N2 in the following figure through remote node Router 1.
  • Page 244: Figure 21-5 Menu 12.1 Ip Static Route Setup

    Configuration Step 1. To configure an IP static route, use Menu 12 - Static Route Setup as shown next. Menu 12 - IP Static Route Setup 1. ________ 2. ________ 3. ________ 4. ________ 5.
  • Page 245 Type the IP address of the gateway. The gateway is an immediate neighbor of your Address ZyAIR that will forward the packet to the destination. On the LAN, the gateway must be a router on the same segment as your ZyAIR; over WAN, the gateway must be the IP address of one of the remote nodes.
  • Page 247: Chapter 22 Dial-In User Setup

    This chapter shows you how to create user accounts on the ZyAIR. 22.1 Dial-in User Setup By storing user profiles locally, your ZyAIR is able to authenticate wireless users without interacting with a network RADIUS server. Follow the steps below to set up user profiles on your ZyAIR.
  • Page 248: Table 22-1 Menu 14.1- Edit Dial-In User

    Table 22-1 Menu 14.1- Edit Dial-in User FIELD DESCRIPTION User Name Enter a username up to 31 alphanumeric characters long for this user profile. This field is case sensitive. Active Press [SPACE BAR] to select Yes and press [ENTER] to enable the user profile.
  • Page 249: Chapter 23 Network Address Translation (Nat)

    Chapter 23 Network Address Translation (NAT) This chapter discusses how to configure NAT on the ZyAIR. 23.1 Introduction NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet, for example, the source address of an outgoing packet, used within one network to a different IP address known within another network.
  • Page 250: Nat Setup

    Press [SPACE BAR] and then [ENTER] to select Full Feature if you Full Feature Address have multiple public WAN IP addresses for your ZyAIR. Mapping Select None to disable NAT. When you select SUA Only, the SMT uses Address Mapping Set 255 (menu 15.1 - see Section 23.2.1).
  • Page 251: Address Mapping Sets

    Menu 15 – NAT Setup
        1. Address Mapping Sets
        2. Port Forwarding Setup
        3. Trigger Port Setup
        Enter Menu Selection Number:
    Figure 23-3 Menu 15 NAT Setup
    23.2.1 Address Mapping Sets
    Enter 1 to bring up Menu 15.1 – Address Mapping Sets.
  • Page 252: Figure 23-5 Menu 15.1.255 Sua Address Mapping Rules

    Menu 15.1.1 - Address Mapping Rules Set Name= SUA Local Start IP Local End IP Global Start IP Global End IP Type --------------- --------------- --------------- --------------- ------ 0.0.0.0 255.255.255.255 0.0.0.0 0.0.0.0 Server Figure 23-5 Menu 15.1.255 SUA Address Mapping Rules The following table explains the fields in this menu.
  • Page 253: Figure 23-6 Menu 15.1.1 Address Mapping Rules

    User-Defined Address Mapping Sets Now let’s look at option 1 in menu 15.1. Enter 1 to bring up this menu. We’ll just look at the differences from the previous menu. Note the extra Action and Select Rule fields mean you can configure rules in this screen.
  • Page 254: Configuring Individual Rule

    You must press [ENTER] at the bottom of the screen to save the whole set. You must do this again if you make any changes to the set – including deleting a rule. No changes to the set take place until this action is taken.
  • Page 255: Port Forwarding Setup - Nat Server Sets

    Confirm…” to save your configuration, or press [ESC] to cancel. Ordering Your Rules Ordering your rules is important because the ZyAIR applies the rules in the order that you specify. When a rule matches the current packet, the ZyAIR takes the corresponding action and the remaining rules are ignored.
  • Page 256: Configuring A Server Behind Nat

    In addition to the servers for specified services, NAT supports a default server. A service request that does not have a server explicitly designated for it is forwarded to the default server. If the default is not defined, the service request is simply discarded.
  • Page 257: General Nat Examples

    Menu 15.2 – Port Forwarding Setup Rule Start Port No. End Port No. IP Address --------------------------------------------------- Default Default 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 Press ENTER to Confirm or ESC to Cancel: Figure 23-8 Menu 15.2 Port Forwarding Setup...
  • Page 258: Figure 23-10 Menu 4 Internet Access Setup

    Figure 23-9 NAT Example 1
    Menu 4 - Internet Access Setup
        ISP's Name= ChangeMe
        Encapsulation= Ethernet
        Service Type= Standard
        My Login= N/A
        My Password= N/A
        Login Server= N/A
        IP Address Assignment= Dynamic
        IP Address= N/A...
  • Page 259: Example 2: Internet Access With An Inside Server

    23.4.2 Example 2: Internet Access with an Inside Server Figure 23-11 NAT Example 2 In this case, you do exactly as above (use the convenient pre-configured SUA Only set) and then go to menu 15.2 to specify the Inside Server behind the NAT as shown in the next figure.
  • Page 260: Example 3: Multiple Public Ip Addresses With Inside Servers

    23.4.3 Example 3: Multiple Public IP Addresses With Inside Servers In this example, there are 3 IGAs from our ISP. There are many departments but two have their own FTP server. All departments share the same router. The example will reserve one IGA for each department with an FTP server and all departments use the other IGA.
  • Page 261: Figure 23-14 Menu 11.3 Remote Node Network Layer Options

    Step 1. In this case you need to configure Address Mapping Set 1 from Menu 15.1 - Address Mapping Sets. Therefore you must choose the Full Feature option from the Network Address Translation field (in menu 4 or menu 11.3) as shown in the figure below.
  • Page 262: Figure 23-16 Menu 15.1.1 Address Mapping Rules

    Step 6. Repeat the previous step for rules 2 to 4 as outlined above. Step 7. When finished, menu 15.1.1 should look as shown next. Menu 15.1.1 - Address Mapping Rules Set Name= Eample3...
  • Page 263: Example 4: Nat Unfriendly Application Programs

    23.4.4 Example 4: NAT Unfriendly Application Programs Some applications do not support NAT Mapping using TCP or UDP port address translation. In this case it is better to use Many One-to-One mapping as port numbers do not change for Many One-to-One (and One-to-One) NAT mapping types.
  • Page 264: Trigger Port Setup

    23.5 Trigger Port Setup The ZyAIR records the IP address of a LAN computer that requests a service that you have defined as a “trigger port”. The response from the Internet can then be forwarded directly to the LAN computer. Trigger ports are transient;...
  • Page 265: Figure 23-21 Menu 15.3 Trigger Port Setup

    2. Port 7070 is a “trigger” port and causes the ZyAIR to record Jane’s computer IP address. The ZyAIR associates Jane's computer IP address with the "incoming" port range of 6970-7170.
    3. The Real Audio server responds using a port number ranging between 6970-7170.
  • Page 266 7170 Trigger The trigger port is a port (or a range of ports) that causes (or triggers) the ZyAIR to record the IP address of the LAN computer that sent the traffic to a server on the WAN. Start Port Enter a port number or the starting port number in a range of port numbers.
  • Page 267: Smt Advanced Management Menus

    Part X: SMT ADVANCED MANAGEMENT MENUS This part discusses Filtering and Firewall setup, SNMP, System Security, System Information and Diagnosis, Firmware and Configuration File Maintenance, System Maintenance and Information, Call Scheduling and Remote Management.
  • Page 269: Chapter 24 Filter And Firewall Configuration

    24.1 About Filtering Your ZyAIR uses filters to decide whether or not to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering. Filters are subdivided into device and protocol filters, which are discussed later.
  • Page 270: Figure 24-2 Filter Rule Process

    Two sets of factory filter rules have been configured in menu 21 to prevent NetBIOS traffic from triggering calls. A summary of their filter rules is shown in the figures that follow. The following figure illustrates the logic flow when executing a filter rule.
  • Page 271: Configuring A Filter Set

    24 rules active for a single port. For incoming packets, your ZyAIR applies data filters only. Packets are processed depending on whether a match is found. The following sections describe how to configure filter sets.
  • Page 272: Figure 24-4 Netbios_Wan Filter Rules Summary

    Menu 21.1.1 - Filter Rules Summary
        # A Type Filter Rules                                                    M m n
        - - ---- --------------------------------------------------------------- - - -
        1 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=137                            N D N
        2 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=138...
  • Page 273: Filter Rules Summary Menus

    24.2.1 Filter Rules Summary Menus The following tables briefly describe the abbreviations used in menus 21.1.x. Table 24-1 Abbreviations Used in the Filter Rules Summary Menu FIELD DESCRIPTION The filter rule number: 1 to 6.
  • Page 274: Configuring A Filter Rule

    If you include a protocol filter set in a device filters field or vice versa, the ZyAIR will warn you and will not allow you to save.
  • Page 275: Figure 24-7 Menu 21.1.1 Tcp/Ip Filter Rule

    Menu 21.1.1.1 - TCP/IP Filter Rule
        Filter #: 1,1
        Filter Type= TCP/IP Filter Rule
        Active= Yes
        IP Protocol= 6
        IP Source Route= No
        Destination: IP Addr= 0.0.0.0
                     IP Mask= 0.0.0.0
                     Port #= 137
                     Port # Comp= Equal
        Source: IP Addr= 0.0.0.0...
  • Page 276 Table 24-3 Menu 21.1.1 TCP/IP Filter Rule FIELD DESCRIPTION EXAMPLE IP Addr Type the destination IP address of the packet you want to filter. This field is ignored if it is 0.0.0.0. IP Mask Type the IP mask to apply to the Destination: IP Addr field.
  • Page 277 Table 24-3 Menu 21.1.1 TCP/IP Filter Rule FIELD DESCRIPTION EXAMPLE Action Matched: Select the action for a matching packet. Choices are Check Next Rule, Forward or Drop (example: Check Next Rule, default). Action Not Matched: Select the action for a packet not matching the rule.
  • Page 278: Figure 24-8 Executing An Ip Filter

    [Figure 24-8 Executing an IP Filter: flowchart of a packet entering an IP filter. If the filter is active, the source address mask is applied and the source IP address checked, then the destination address mask is applied and the destination IP address checked, then the IP protocol is checked; each check has Matched and Not Matched branches.]
  • Page 279: Generic Filter Rule

    For IP, it is generally easier to use the IP rules directly. For generic rules, the ZyAIR treats a packet as a byte stream as opposed to an IP packet. You specify the portion of the packet to check with the Offset (from 0) and the Length fields, both in bytes. The ZyAIR applies the Mask (bit-wise ANDing) to the data portion before comparing the result against the Value to determine a match.
  • Page 280: Filter Types And Nat

    NAT for outgoing packets and after NAT for incoming packets. On the other hand, the generic (or device) filters are applied to the raw packets that appear on the wire. They are applied at the point where the ZyAIR...
  • Page 281: Example Filter

    The following figure illustrates this. Figure 24-10 Protocol and Device Filter Sets 24.5 Example Filter Let’s look at an example to block outside users from telnetting into the ZyAIR. Figure 24-11 Sample Telnet Filter Step 1. Enter 1 in menu 21 to open Menu 21.1 – Filter Set Configuration.
  • Page 282: Figure 24-12 Sample Filter - Menu 21.1.3.1

    Step 4. Press [ENTER] at the message “Press ENTER to confirm or ESC to cancel” to open Menu 21.1.3.1 – TCP/IP Filter Rule. Step 5. Type 1 to configure the first filter rule. Make the entries in this menu as shown next.
  • Page 283: Applying Filters And Factory Defaults

    See earlier in this chapter for information on filters. Output Filter Sets: Apply filters for traffic leaving the ZyAIR. You may apply filter rules for protocol or device filters. See earlier in this section for information on types of filters.
  • Page 284: Ethernet Traffic

    24.6.1 Ethernet Traffic You seldom need to filter Ethernet traffic; however, the filter sets may be useful to block certain packets, reduce traffic and prevent security breaches. Go to menu 3.1 (shown next) and type the number(s) of the filter set(s) that you want to apply as appropriate.
  • Page 285: Firewall Setup

    By default, when the firewall is activated, all incoming traffic from the WAN to the LAN is blocked unless it is initiated from the LAN. The ZyAIR firewall supports TCP/UDP inspection, DoS detection and prevention, real time alerts, reports and logs.
  • Page 287: Chapter 25 Snmp Configuration

    Trusted Host: If you enter a trusted host, your ZyAIR will only respond to SNMP messages from this address (example: 0.0.0.0). A blank (default) field means your ZyAIR will respond to all SNMP messages it receives, regardless of source.
  • Page 288 Table 25-1 Menu 22 SNMP Configuration FIELD DESCRIPTION EXAMPLE Community: Type the trap community, which is the password sent with each trap to the SNMP manager (example: public). Destination: Type the IP address of the station to send your SNMP traps to.
  • Page 289: Chapter 26 System Security

    You should change the default password. If you forget your password you have to restore the default configuration file. Refer to the section on changing the system password in the Introducing the SMT chapter and the section on resetting the ZyAIR in the Introducing the Web Configurator chapter. 26.1.2 Configuring External RADIUS Server Enter 23 in the main menu to display Menu 23 –...
  • Page 290: Figure 26-3 Menu 23.2 System Security : Radius Server

    The key is not sent over the network. This key must be the same on the external authentication server and ZyAIR.
    Accounting Server Active: Press [SPACE BAR] to select Yes and press [ENTER] to enable user authentication through an external accounting server.
  • Page 291: Figure 26-4 Menu 23 System Security

    The IEEE802.1x standards outline enhanced security methods for both the authentication of wireless stations and encryption key management. Follow the steps below to enable EAP authentication on your ZyAIR. Step 1. From the main menu, enter 23 to display Menu 23 – System Security.
  • Page 292: Figure 26-5 Menu 23.4 System Security : Ieee802.1X

    1800 seconds (or 30 minutes). Idle Timeout The ZyAIR automatically disconnects a client from the wired network after a period of inactivity. The client needs to enter the username and password again before access to the wired network is allowed.
  • Page 293 ZyAIR cannot reach the RADIUS server, the ZyAIR then checks the local user database on the ZyAIR. When the user name is not found or password does not match in the RADIUS server, the ZyAIR will not check the local user database and the authentication fails.
  • Page 295: Chapter 27 System Information And Diagnosis

    The first selection, System Status, gives you information on the status and statistics of the ports, as shown in the next figure. System Status is a tool that can be used to monitor your ZyAIR. Specifically, it gives you information on your LAN and wireless LAN status and the number of packets sent and received.
  • Page 296: Figure 27-2 Menu 24.1 System Maintenance : Status

    Menu 24.1 - System Maintenance - Status 00:47:45 Sat. Jan. 01, 2000 Port Status TxPkts RxPkts Cols Tx B/s Rx B/s Up Time Down 0:00:00 100M/Full 1252 3200 0:47:43 WLAN 0:47:43 Port Ethernet Address...
  • Page 297: System Information

    Table 27-1 Menu 24.1 System Maintenance : Status FIELD DESCRIPTION System Up Time This is the time the ZyAIR is up and running from the last reboot. 27.2 System Information To get to the System Information: Step 1. Enter 24 to display Menu 24 – System Maintenance.
  • Page 298: Console Port Speed

    Press ENTER to Confirm or ESC to Cancel: Figure 27-5 Menu 24.2.2 System Maintenance : Change Console Port Speed After you change the console port speed on your ZyAIR, you must also make the same change to the console port speed parameter of your communication software.
  • Page 299: Log And Trace

    27.3 Log and Trace There are two logging facilities in the ZyAIR. The first is the error logs and trace records that are stored locally. The second is the UNIX syslog facility for message logging.
  • Page 300: Unix Syslog

    27.3.2 UNIX Syslog The ZyAIR uses the UNIX syslog facility to log the CDR (Call Detail Record) and system messages to a syslog server. Syslog can be configured in Menu 24.3.2 – System Maintenance – UNIX Syslog, as shown next.
  • Page 301: Call-Triggering Packet

    Equivalent information is available in menu 24.1 in hexadecimal format. 27.4 Diagnostic The diagnostic facility allows you to test the different aspects of your ZyAIR to determine if it is working properly. Menu 24.4 allows you to choose among various types of diagnostic tests to evaluate your system, as shown in the following figure.
  • Page 302 Table 27-4 Menu 24.4 System Maintenance : Diagnostic FIELD DESCRIPTION DHCP Renewal: Get a new IP address from the DHCP server. Internet Setup Test: Use this option to test your Internet connection. Reboot System: Reboot the ZyAIR.
  • Page 303: Chapter 28 Firmware And Configuration File Maintenance

    The following table is a summary. Please note that the internal filename refers to the filename on the ZyAIR and the external filename refers to the filename not on the ZyAIR, that is, on your computer, local network or FTP site and so the name (but not the extension) may vary. After uploading new firmware, see the ZyNOS F/W Version field in Menu 24.2.1 –...
  • Page 304: Backup Configuration

    Telnet. Option 5 from Menu 24 – System Maintenance allows you to back up the current ZyAIR configuration to your computer. Backup is highly recommended once your ZyAIR is functioning properly. FTP is the preferred method for backing up your current configuration to your computer since it is faster.
  • Page 305: Backup Configuration

    Enter “bin” to set transfer mode to binary. Step 6. Use “get” to transfer files from the ZyAIR to the computer, for example, “get rom-0 config.rom” transfers the configuration file on the ZyAIR to your computer and renames it “config.rom”. See earlier in this chapter for more information on filename conventions.
  • Page 306: Example Of Ftp Commands From The Command Line

    ZyAIR Wireless Gateway Series User’s Guide 28.2.3 Example of FTP Commands from the Command Line 331 Enter PASS command Password: 230 Logged in ftp> bin 200 Type I OK ftp> get rom-0 zyxel.rom 200 Port command okay 150 Opening data connection for STOR ras 226 File received OK ftp: 16384 bytes sent in 1.10Seconds 297.89Kbytes/sec.
  • Page 307: Backup Configuration Using Tftp

    Note that the telnet connection must be active and the SMT in CI mode before and during the TFTP transfer. For details on TFTP commands (see following example), please consult the documentation of your TFTP client program. For UNIX, use “get” to transfer from the ZyAIR to the computer and “binary” to set binary transfer mode.
  • Page 308: Backup Via Console Port (Only For Zyair B-2000)

    Enter the IP address of the ZyAIR. 192.168.1.1 is the ZyAIR’s default IP address when shipped. Send/Fetch Use “Send” to upload the file to the ZyAIR and “Fetch” to back up the file on your computer. Local File Enter the path and name of the firmware file (*.bin extension) or configuration file (*.rom extension) on your computer.
  • Page 309: Restore Configuration

    FTP is the preferred method for restoring your current computer configuration to your ZyAIR since FTP is faster. Please note that you must wait for the system to automatically restart after the file transfer is complete.
  • Page 310: Restore Using Ftp

    Find the “rom” file (on your computer) that you want to restore to your ZyAIR. Step 7. Use “put” to transfer files from the computer to the ZyAIR, for example, “put config.rom rom-0” transfers the configuration file “config.rom” on your computer to the ZyAIR. See earlier in this chapter for more information on filename conventions.
  • Page 311: Restore Using Ftp Session Example

    Figure 28-8 Restore Using FTP Session Example Refer to section 28.2.5 to read about configurations that disallow TFTP and FTP over WAN. 28.3.3 Restore Via Console Port (only for ZyAIR B-2000) Restore configuration via console port by following the HyperTerminal procedure shown next. Procedures using other serial communications programs should be similar.
  • Page 312: Uploading Firmware And Configuration Files

    FTP is the preferred method for uploading the firmware and configuration. To use this feature, your computer must have an FTP client. When you telnet into the ZyAIR, you will see the following screens for uploading firmware and the configuration file using FTP.
  • Page 313: Configuration File Upload

    ZyAIR Wireless Gateway Series User’s Guide Menu 24.7.1 - System Maintenance - Upload System Firmware To upload the system firmware, follow the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your system.
  • Page 314: Ftp File Upload Command From The Dos Prompt Example

    Enter “bin” to set transfer mode to binary. Step 6. Use “put” to transfer files from the computer to the ZyAIR, for example, “put firmware.bin ras” transfers the firmware on your computer (firmware.bin) to the ZyAIR and renames it “ras”.
  • Page 315: Tftp Upload Command Example

    The file name for the firmware is “ras”. Note that the telnet connection must be active and the ZyAIR in CI mode before and during the TFTP transfer. For details on TFTP commands (see following example), please consult the documentation of your TFTP client program.
  • Page 316: Uploading Firmware File Via Console Port (Only For Zyair B-2000)

    Type the firmware file’s location, or click Browse to look for it. Choose the Xmodem protocol. Then click Send. Figure 28-17 Example Xmodem Upload After the firmware upload process has completed, the ZyAIR will automatically restart. 28-14 Firmware and Configuration File Maintenance...
  • Page 317: Uploading Configuration File Via Console Port (Only For Zyair B-2000)

    28.4.10 Uploading Configuration File Via Console Port (only for ZyAIR B-2000) Step 1. Select 2 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.7.2 – System Maintenance – Upload System Configuration File. Follow the instructions as shown in the next screen.
  • Page 318: Figure 28-19 Example Xmodem Upload

    Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol. Then click Send. Figure 28-19 Example Xmodem Upload After the configuration upload process has completed, restart the ZyAIR by entering “atgo”. 28-16 Firmware and Configuration File Maintenance...
  • Page 319: Command Interpreter Mode

    Command Interpreter Mode Call Control 10. Time and Date Setting 11. Remote Management Setup Enter Menu Selection Number: Figure 29-1 Menu 24 System Maintenance Copyright (c) 1994 - 2003 ZyXEL Communications Corp. ras> ? Valid commands are: exit device ether...
  • Page 320: Call Control Support

    Encapsulation is set to PPPoE or PPTP in menu 4 or menu 11.1. The budget management function allows you to set a limit on the total outgoing call time of the ZyAIR within certain times. When the total outgoing call time exceeds the limit, the current call will be dropped and any future outgoing calls will be blocked.
  • Page 321: Call History

    ZyAIR Wireless Gateway Series User’s Guide After each period, the total budget is reset. The default for the total budget is 0 minutes and the period is 0 hours, meaning no budget control. You can reset the accumulated connection time in this menu by entering the index of a remote node.
  • Page 322: Time And Date Setting

    ZyAIR. Menu 24.10 allows you to update the time and date settings of your ZyAIR. The real time is then displayed in the ZyAIR error logs.
  • Page 323: Resetting The Time

    when Bootup Enter the time service protocol that your time server sends when you turn on the ZyAIR. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.
  • Page 325: Chapter 30 Remote Management

    You can configure your ZyAIR for remote Telnet access as shown next. Figure 30-1 Telnet Configuration on a TCP/IP Network 30.2 FTP You can upload and download ZyAIR firmware and configuration files using FTP. To use this feature, your computer must have an FTP client. 30.3 Web You can use the ZyAIR’s embedded web configurator for configuration and file management.
  • Page 326: Remote Management Setup

    Remote management setup is for managing Telnet, FTP and Web services. You can customize the service port, access interface and the secured client IP address to enhance security and flexibility. You may manage your ZyAIR from a remote location via: the Internet (WAN only), the LAN only, All (LAN and WAN) or Disable (neither).
  • Page 327: Remote Management Limitations

    The default 0.0.0.0 allows any client to use this service to remotely manage the ZyAIR. Enter an IP address to restrict access to a client with a matching IP address. Once you have filled in this menu, press [ENTER] at the message "Press ENTER to Confirm or ESC to Cancel"...
  • Page 328: Remote Management And Nat

    Use the ZyAIR’s LAN IP address when configuring from the LAN. 30.6 System Timeout There is a system timeout of five minutes (300 seconds) for Telnet/web/FTP connections. Your ZyAIR will automatically log you out if you do nothing in this timeout period, except when it is continuously updating the status in menu 24.1 or when sys stdio has been changed on the command line.
  • Page 329: Chapter 31 Call Scheduling

    1, 2, 3 and 4 are applied in the remote node, then set 1 will take precedence over sets 2, 3 and 4 as the ZyAIR, by default, applies the lowest numbered set first. Set 2 will take precedence over sets 3 and 4, and so on.
  • Page 330: Figure 31-2 Menu 26.1 Schedule Set Setup

    Figure 31-2 Menu 26.1 Schedule Set Setup If a connection has been already established, your ZyAIR will not drop it. Once the connection is dropped manually or it times out, then that remote node can't be triggered up until the end of the Duration.
  • Page 331 ZyAIR Wireless Gateway Series User’s Guide Table 31-1 Menu 26.1 Schedule Set Setup FIELD DESCRIPTION EXAMPLE Once: Date If you selected Once in the How Often field above, then enter the date 2000-01-01 the set should activate here in year-month-date format.
  • Page 332: Figure 31-3 Applying Schedule Set(S) To A Remote Node (Pptp)

    ZyAIR Wireless Gateway Series User’s Guide Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Active= Yes Encapsulation= PPTP Edit IP= No Service Type= Standard Telco Option: Service Name= N/A Allocated Budget(min)= 0 Outgoing: Period(hr)= 0 Apply your schedule sets...
  • Page 333: Appendices

    Appendices Part XI: APPENDICES This part contains troubleshooting and additional background information on setting up your computer’s IP address, wireless LAN, 802.1x, PPPoE, PPTP and IP subnetting. It also provides information on the command interpreter interface, NetBIOS commands and logs.
  • Page 335: Appendix A Troubleshooting

    Use the RESET button on the side panel of the ZyAIR to restore the factory default configuration file (hold this button in for more than five seconds). This will restore all of the factory defaults including the password.
  • Page 336: Problems With The Ethernet Interface

    Check for faulty Ethernet cables. Make sure the computer’s Ethernet adapter is installed and working properly. Verify that the IP addresses and the subnet masks of the ZyAIR and the computer are on the same subnet. I cannot ping any If all of the LAN LEDs on the front panel are off, check the Ethernet cable connection between your ZyAIR and the computer connected to the LAN port.
  • Page 337: Problems With Internet Access

    Internet Access chapter (SMT). Make sure you entered the correct user name and password. For wireless stations, check that both the ZyAIR and wireless station(s) are using the same ESSID, channel and WEP keys (if WEP encryption is activated). Internet connection If you use PPTP or PPPoE encapsulation, check the idle time-out setting.
  • Page 338: Problems With The Wlan Interface

    Chart A-7 Troubleshooting the WLAN Interface PROBLEM CORRECTIVE ACTION I cannot ping any Make sure the wireless card is properly inserted in the ZyAIR and the WLAN LED is computer on the WLAN. Make sure the wireless adapter on the wireless station is working properly.
  • Page 339: Appendix B Brute-Force Password Guessing Protection

    ZyAIR Wireless Gateway Series User’s Guide Appendix B Brute-Force Password Guessing Protection The following describes the commands for enabling, disabling and configuring the brute-force password guessing protection mechanism for the password. See the Command Interpreter appendix for information on the command structure.
  • Page 341: Appendix C Setting Up Your Computer's Ip Address

    "communicate" with your network. If you manually assign IP information instead of using dynamic assignment, make sure that your computers have IP addresses that place them in the same subnet as the ZyAIR's LAN port. Windows 95/98/Me Click Start, Settings, Control Panel and double-click the Network icon to open the Network window.
  • Page 342 ZyAIR Wireless Gateway Series User’s Guide If you need the adapter: In the Network window, click Add. Select Adapter and then click Add. Select the manufacturer and model of your network adapter and then click OK. If you need TCP/IP: In the Network window, click Add.
  • Page 343 ZyAIR Wireless Gateway Series User’s Guide Click the IP Address tab. -If your IP address is dynamic, select Obtain an IP address automatically. -If you have a static IP address, select Specify an IP address and type your information into the IP Address and Subnet Mask fields.
  • Page 344 Click OK to save and close the TCP/IP Properties window. Click OK to close the Network window. Insert the Windows CD if prompted. Turn on your ZyAIR and restart your computer when prompted. Verifying Your Computer’s IP Address Click Start and then Run.
  • Page 345 ZyAIR Wireless Gateway Series User’s Guide For Windows XP, click start, Control Panel. In Windows 2000/NT, click Start, Settings, Control Panel. For Windows XP, click Network Right-click Local Area Connection and Connections. For Windows 2000/NT, click then click Properties. Network and Dial-up Connections.
  • Page 346 ZyAIR Wireless Gateway Series User’s Guide Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and click Properties. The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP). -If you have a dynamic IP address click Obtain an IP address automatically.
  • Page 347 ZyAIR Wireless Gateway Series User’s Guide -If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK. Do one or more of the following if you want to configure additional IP addresses: -In the IP Settings tab, in IP addresses, click Add.
  • Page 348 Click OK to close the Internet Protocol (TCP/IP) Properties window. Click OK to close the Local Area Connection Properties window. 10. Turn on your ZyAIR and restart your computer (if prompted). Verifying Your Computer’s IP Address Click Start, All Programs, Accessories and then Command Prompt.
  • Page 349 ZyAIR Wireless Gateway Series User’s Guide Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel. Select Ethernet built-in from the Connect via list. For dynamically assigned settings, select Using DHCP Server from the Configure: list.
  • Page 350: Macintosh Os X

    -Type your IP address in the IP Address box. -Type your subnet mask in the Subnet mask box. -Type the IP address of your ZyAIR in the Router address box. Close the TCP/IP Control Panel. Click Save if prompted, to save changes to your configuration.
  • Page 351 -Type your IP address in the IP Address box. -Type your subnet mask in the Subnet mask box. -Type the IP address of your ZyAIR in the Router address box. Click Apply Now and close the window. Turn on your ZyAIR and restart your computer (if prompted).
  • Page 353: Benefits Of A Wireless Lan

    ZyAIR Wireless Gateway Series User’s Guide Appendix D Wireless LAN and IEEE 802.11 A wireless LAN (WLAN) provides a flexible data communications system that you can use to access various services (navigating the Internet, email, printer services, etc.) without the use of a cabled connection.
  • Page 354: Infrastructure Wireless Lan Configuration

    ZyAIR Wireless Gateway Series User’s Guide Spread Spectrum (DSSS) and Frequency-Hopping Spread Spectrum (FHSS), in the 2.4 to 2.4825 GHz unlicensed ISM (Industrial, Scientific and Medical) band. The third method is infrared technology, using very high frequencies, just below visible light in the electromagnetic spectrum to carry data.
  • Page 355 ZyAIR Wireless Gateway Series User’s Guide points can provide wireless coverage for an entire building or campus. All communications between stations or between a station and a wired network client go through the access point. The Extended Service Set (ESS) shown in the next figure consists of a series of overlapping BSSs (each containing an Access Point) connected together by means of a Distribution System (DS).
  • Page 357: Appendix E Wireless Lan With Ieee 802.1X

    ZyAIR Wireless Gateway Series User’s Guide Appendix E Wireless LAN With IEEE 802.1x As wireless networks become popular for both portable computing and corporate networks, security is now a priority. Security Flaws with IEEE 802.11 Wireless networks based on the original IEEE 802.11 have a poor reputation for safety. The IEEE 802.11b wireless access standard, first published in 1999, was based on the MAC address.
  • Page 358 ZyAIR Wireless Gateway Series User’s Guide RADIUS Server Authentication Sequence The following figure depicts a typical wireless network with a remote RADIUS server for user authentication using EAPOL (EAP Over LAN). Client computer access authorized. Client computer access not authorized.
  • Page 359: Appendix F Types Of Eap Authentication

    ZyAIR Wireless Gateway Series User’s Guide Appendix F Types of EAP Authentication This appendix discusses the four popular EAP authentication types: EAP-MD5, EAP-TLS, EAP-TTLS and PEAP. The type of authentication you use depends on the RADIUS server or the AP. Consult your network administrator for more information.
  • Page 360 hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5 and EAP-MSCHAPv2, for client authentication. For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption. They are often deployed in corporate environments, but for public deployment, a simple user name and password pair is more practical.
  • Page 361: Appendix G Antenna Selection And Positioning Recommendation

    ZyAIR Wireless Gateway Series User’s Guide Appendix G Antenna Selection and Positioning Recommendation An antenna couples RF signals onto air. A transmitter within a wireless device sends an RF signal to the antenna, which propagates the signal through the air. The antenna also operates in reverse by capturing RF signals from the air.
  • Page 362: Positioning Antennas

    For directional antennas, point the antenna in the direction of the desired coverage area. Connector Type The ZyAIR is equipped with a reverse polarity SMA jack, so it will work with any 2.4GHz wireless antenna with a reverse polarity SMA plug.
  • Page 363: Appendix H PPPoE

    ZyAIR Wireless Gateway Series User’s Guide Appendix H PPPoE PPPoE in Action An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your PC to an ATM PVC (Permanent Virtual Circuit), which connects to a DSL Access Concentrator where the PPP session terminates (see the next figure).
  • Page 364: How Pppoe Works

    ZyAIR as a PPPoE Client When using the ZyAIR as a PPPoE client, the PCs on the LAN see only Ethernet and are not aware of PPPoE. This relieves the administrator from having to manage the PPPoE clients on the individual PCs.
  • Page 365: Appendix I PPTP

    NT clients to an NT server in a remote location. The pass-through feature allows users on the network to access a different remote server using the ZyAIR's Internet connection. In NAT mode, the ZyAIR is able to pass the PPTP packets to the internal PPTP server (i.e. NT server) behind the NAT. Users need to forward PPTP packets to port 1723 by configuring the server in Menu 15.2 - Server Set Setup.
  • Page 366 Microsoft includes PPTP as a part of the Windows OS. In Microsoft’s implementation, the PC, and hence the ZyAIR, is the PNS that requests the PAC (the ANT) to place an outgoing call over AAL5 to an RFC 2364 server.
  • Page 367 Diagram I-3 Example Message Exchange between PC and an ANT PPP Data Connection The PPP frames are tunneled between the PNS and PAC over GRE (Generic Routing Encapsulation, RFC 1701, 1702). The individual calls within a tunnel are distinguished using the Call ID field in the GRE header.
  • Page 369 ZyAIR Wireless Gateway Series User’s Guide Appendix J IP Subnetting IP Addressing Routers “route” based on the network number. The router that delivers the data packet to the correct destination host uses the host ID. IP Classes An IP address is made up of four octets (eight bits), written in dotted decimal notation, for example, 192.168.1.1.
  • Page 370: Subnet Masks

    A class “A” address (24 host bits) can have 2^24 – 2 hosts (approximately 16 million hosts). Since the first octet of a class “A” IP address must contain a “0”, the first octet of a class “A” address can have a value of 0 to 127.
  • Page 371 ZyAIR Wireless Gateway Series User’s Guide sequence of ones beginning from the left most bit of the mask, followed by a continuous sequence of zeros, for a total number of 32 bits. Since the mask is always a continuous number of ones beginning from the left, followed by a continuous number of zeros for the remainder of the 32 bit mask, you can simply specify the number of ones instead of writing the value of each octet.
  • Page 372 ZyAIR Wireless Gateway Series User’s Guide Divide the network 192.168.1.0 into two separate subnets by converting one of the host ID bits of the IP address to a network number bit. The “borrowed” host ID bit can be either “0” or “1” thus giving two subnets;...
  • Page 373 ZyAIR Wireless Gateway Series User’s Guide to an actual host for the first subnet is 192.168.1.1 and the highest is 192.168.1.126. Similarly the host ID range for the second subnet is 192.168.1.129 to 192.168.1.254. Example: Four Subnets The above example illustrated using a 25-bit subnet mask to divide a class “C” address space into two subnets.
  • Page 374: Example Eight Subnets

    ZyAIR Wireless Gateway Series User’s Guide Broadcast Address: 192.168.1.191 Highest Host ID: 192.168.1.190 Chart J-10 Subnet 4 NETWORK NUMBER LAST OCTET BIT VALUE IP Address 192.168.1. IP Address (Binary) 11000000.10101000.00000001. 11000000 Subnet Mask (Binary) 11111111.11111111.11111111. 11000000 Subnet Address: 192.168.1.192 Lowest Host ID: 192.168.1.193 Broadcast Address: 192.168.1.255...
  • Page 375: Subnetting With Class A And Class B Networks

    ZyAIR Wireless Gateway Series User’s Guide Chart J-12 Class C Subnet Planning NO. “BORROWED” HOST BITS SUBNET MASK NO. SUBNETS NO. HOSTS PER SUBNET 255.255.255.128 (/25) 255.255.255.192 (/26) 255.255.255.224 (/27) 255.255.255.240 (/28) 255.255.255.248 (/29) 255.255.255.252 (/30) 255.255.255.254 (/31) Subnetting With Class A and Class B Networks.
  • Page 376: Appendix J Ip Subnetting

    ZyAIR Wireless Gateway Series User’s Guide Chart J-13 Class B Subnet Planning NO. “BORROWED” HOST BITS SUBNET MASK NO. SUBNETS NO. HOSTS PER SUBNET 255.255.255.192 1024 (/26) 255.255.255.224 2048 (/27) 255.255.255.240 4096 (/28) 255.255.255.248 8192 (/29) 255.255.255.252 16384 (/30) 255.255.255.254...
  • Page 377: Appendix K Command Interpreter

    ZyAIR Wireless Gateway Series User’s Guide Appendix K Command Interpreter The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 - Command Interpreter Mode. See the included disk or zyxel.com for more detailed information on these commands.
  • Page 379: Appendix L Netbios Filter Commands

    Allow or disallow NetBIOS packets to initiate calls. Display NetBIOS Filter Settings Syntax: sys filter netbios disp This command gives a read-only list of the current NetBIOS filter modes for a ZyAIR. =============== NetBIOS Filter Status =============== LAN to WAN: Forward...
  • Page 380: Netbios Filter Configuration

    ZyAIR Wireless Gateway Series User’s Guide Chart L-1 NetBIOS Filter Default Settings NAME DESCRIPTION EXAMPLE WAN to LAN This field displays whether NetBIOS packets are blocked or forwarded Forward from the WAN to the LAN. IPSec This field displays whether NetBIOS packets sent through a VPN...
  • Page 381: Appendix M Boot Commands

    The BootModule AT commands execute from within the router’s bootup software, when debug mode is selected before the main router firmware (ZyNOS) is started. When you start up your ZyAIR, you are given a choice to go into debug mode by pressing a key at the prompt shown in the following screen. In debug...
  • Page 382 ZyAIR Wireless Gateway Series User’s Guide just answer OK ATHE print help ATBAx change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k ATENx,(y) set BootExtension Debug Flag (y=password) ATSE show the seed of password generator ATTI(h,m,s) change system time to hour:min:sec or show current time...
  • Page 383: Appendix N Log Descriptions

    ZyAIR Wireless Gateway Series User’s Guide Appendix N Log Descriptions Chart N-1 System Error Logs LOG MESSAGE DESCRIPTION %s exceeds the max. This attempt to create a NAT session exceeds the maximum number of NAT session table entries allowed to be created per host.
  • Page 384 Chart N-2 System Maintenance Logs LOG MESSAGE DESCRIPTION FTP Login Successfully: Someone has logged on to the router via FTP. FTP Login Fail: Someone has failed to log on to the router via FTP.
  • Page 385 ZyAIR Wireless Gateway Series User’s Guide Chart N-4 ICMP Notes TYPE CODE DESCRIPTION A gateway may discard internet datagrams if it does not have the buffer space needed to queue the datagrams for output to the next network on the route to the destination network.
  • Page 386: Log Commands

    Use the sys logs save command to store the settings in the ZyAIR (you must do this in order to record logs). Log Descriptions...
  • Page 387: Log Command Example

    Use the sys logs clear command to erase all of the ZyAIR’s logs. Log Command Example This example shows how to set the ZyAIR to record the error logs and alerts and then view the results. ras> sys logs load ras>...
  • Page 388 ZyAIR Wireless Gateway Series User’s Guide 4|11/11/2002 15:10:10 |192.168.10.1:520 |192.168.10.255:520 |ACCESS BLOCK Firewall default policy: UDP(set:8) 5|11/11/2002 15:10:10 |172.21.4.67:137 |172.21.255.255:137 |ACCESS BLOCK Log Descriptions...
  • Page 389: Appendix O Power Adaptor Specifications

    ZyAIR Wireless Gateway Series User’s Guide Appendix O Power Adaptor Specifications NORTH AMERICAN PLUG STANDARDS AC Power Adaptor Model AD48-1201200DUY Input Power AC120Volts/60Hz/0.25A Output Power DC12Volts/1.2A Power Consumption 10 W Safety Standards UL, CUL (UL 1950, CSA C22.2 No.234-M90) NORTH AMERICAN PLUG STANDARDS...
  • Page 390 ZyAIR Wireless Gateway Series User’s Guide JAPAN PLUG STANDARDS AC Power Adaptor Model JOD-48-1124 Input Power AC100Volts/ 50/60Hz/ 27VA Output Power DC12Volts/1.2A Power Consumption 10 W Safety Standards T-Mark (Japan Dentori) AUSTRALIA AND NEW ZEALAND PLUG STANDARDS AC Power Adaptor Model...
  • Page 391: Appendix P Index

    ZyAIR Wireless Gateway Series User’s Guide Appendix P Index Call History ......... 29-3, 29-4 Call Scheduling ..........31-1 Maximum Number of Schedule Sets..31-1 4-Port Switch ..........1-2 PPPoE............31-3 Precedence ..........31-1 Precedence Example ....See precedence CDR ..............27-6 Address Assignment ......3-11, 3-12 CDR (Call Detail Record) ......27-6 Ad-hoc Configuration ........D-2...
  • Page 392 ZyAIR Wireless Gateway Series User’s Guide Distribution System ........D-3 Filter..............19-1 DMZ Setup ............. 8-1 Applying Filters ........24-15 DNS ...........13-10, 19-3 Ethernet traffic ........24-16 Domain Name....... 3-3, 3-12, 9-6, 23-8 Ethernet Traffic........24-16 Filter Rules..........24-5 Basics............11-3 Filter Structure ..........24-3 Types ............11-4 Generic Filter Rule........24-11...
  • Page 393 ZyAIR Wireless Gateway Series User’s Guide FTP....4-2, 5-2, 9-5, 9-6, 13-1, 13-4, 30-3 IP Address .. 3-11, 3-12, 5-5, 9-6, 9-8, 16-3, 19-3, Restrictions ..........30-3 21-9, 24-8, 27-4, 27-8 FTP File Transfer ........28-10 IP Addressing..........K-1 FTP Restrictions........13-1, 28-4 IP Alias Setup..........19-5...
  • Page 394 ZyAIR Wireless Gateway Series User’s Guide Many to Many No Overload....See NAT Packet Triggered ...........27-6 Many to Many Overload......See NAT Packets ............27-2 Many to One ..........See NAT PAP ...............21-3 MD5..............F-1 Password ......4-4, 17-2, 21-3, 25-1 Message Digest Algorithm 5 ....See MD5 Ping ...............27-7...
  • Page 395 ZyAIR Wireless Gateway Series User’s Guide Consideration ..........15-7 Stateful Inspection..1-4, 11-1, 11-2, 11-7, 11-8, Required fields ..........17-5 24-17 Restore ............16-11 Static Route ...........10-1 Restore Configuration ........28-7 Static Route Setup .........21-7 RF signals............D-2 Static Routing Topology .......21-7 RIP ..........5-2, 19-3, 21-6 SUA...........9-5, 9-6, 9-7, 9-8...
  • Page 396 ZyAIR Wireless Gateway Series User’s Guide TFTP and FTP over WAN Will Not Work When…............. 28-4 Valid CI Commands ........29-1 TFTP and FTP Over WAN} ......13-1 VPN ..............8-5 TFTP File Transfer ........28-12 TFTP Restrictions........13-1, 28-4 Three-Way Handshake ......... 11-5 Time and Date Setting ........