ZyXEL Communications P-661HW-D Series Support Note

P-661HW-D Series
802.11g Wireless ADSL2+ 4-port Security Gateway
Support Notes
Version 3.40
Mar. 2006

Summary of Contents for ZyXEL Communications P-661HW-D Series

  • Page 1 P-661HW-D Series 802.11g Wireless ADSL2+ 4-port Security Gateway Support Notes Version 3.40 Mar. 2006...
  • Page 2: Table Of Contents

    13. How do I setup my P-661HW-D for routing IPSec packets over SUA? ........................15 14. What is Traffic Shaping?..............16 15. Why do we perform traffic shaping in the P-661HW-D? ....16 16. What do the parameters (PCR, SCR, MBS) mean? ......17 All contents copyright © 2006 ZyXEL Communications Corporation.
  • Page 3 3. How do I view the firewall log? ..........28 4. When does the P-661HW-D generate the firewall alert? ..29 5. What is the difference between the log and alert?....29 VPN FAQ ....................30
  • Page 4 P-661HW-D support in VPN/IPSec?.........38 15. Can P-661HW-D support VPN passthrough?.....38 16. Can P-661HW-D behave as a NAT router supporting IPSec passthrough and an IPSec gateway simultaneously? ....38 Wireless FAQ ....................39 General FAQ...................39
  • Page 5 4. What is the difference between 40-bit and 64-bit WEP? ..45 5. What is a WEP key?.............45 6. Will 128-bit WEP communicate with 64-bit WEP? ....45 7. Can the SSID be encrypted? ..........45
  • Page 6 1. LAN/WAN Packet Trace ..............134   Online Trace ...............134   Offline Trace ...............136   Capture the detailed logs by Hyper Terminal ......137 2. Firmware/Configurations Uploading and Downloading using TFTP..139 •Using TFTP client software...........139
  • Page 7 •Using TFTP command on Windows NT........141 •Using TFTP command on UNIX ...........141 3. Using FTP to Upload the Firmware and Configuration Files .....142 CI Command Reference .................145
  • Page 8: FAQ

    5. How do I upgrade/backup the ZyNOS firmware by using TFTP client program via LAN? The P-661HW-D allows you to transfer the firmware to P-661HW-D using TFTP program via LAN. The procedure for uploading ZyNOS via TFTP is as follows.
  • Page 9: How Do I Restore P-661HW-D Configurations By Using TFTP Client Program Via LAN

    9. What is SUA? When should I use SUA? SUA (Single User Account) is a unique feature supported by Prestige router which allows multiple people to access Internet concurrently for the cost of a single user account.
  • Page 10: What Is The Difference Between SUA And Full Feature NAT

    Internet? How can I do it? Yes, it is possible because P-661HW-D delivers the packet to the local server by looking up to a SUA server table. Therefore, to make a local server
  • Page 11: When Do I Need Select Full Feature NAT

    IP address. This allows us to specify multiple servers of different types behind the NAT for outside access. Note, if you want to map each server to one unique IGA please use the One-to-One mode.
  • Page 12: How Many Network Users Can The SUA/NAT Support

    The P-661HW-D's filter sets provide a means to protect against IP spoofing attacks. The basic scheme is as follows: For the input data filter: • Deny packets from the outside that claim to be from the inside
  • Page 13 • Destination IP Addr =a.b.c.d • Destination IP Mask =w.x.y.z • Action Matched =Drop • Action No Matched =Forward Where a.b.c.d is an IP address on your local network and w.x.y.z is your netmask.
  • Page 14: Product FAQ

    5. What is the micro filter or splitter used for? Generally, the voice band uses the lower frequency ranging from 0 to 4KHz, while ADSL data transmission uses the higher frequency. The micro filter acts
  • Page 15: The P-661HW-D Supports Bridge And Router Mode, What's The Difference Between Them

    Without DDNS, we always tell the users to use the WAN IP of the P-661HW-D to reach our internal server. It is inconvenient for the users if this IP is dynamic. With DDNS supported by the P-661HW-D, you apply a DNS name (e.g.,
  • Page 16: When Do I Need DDNS Service

    13. How do I setup my P-661HW-D for routing IPSec packets over SUA? For outgoing IPSec tunnels, no extra setting is required.
  • Page 17: What Is Traffic Shaping

    Traffic shaping defines a set of actions taken by the P-661HW-D to avoid congestion; traffic shaping takes measures to adapt to unpredictable fluctuations in traffic flows and other problems among virtual connections.
  • Page 18: What Do The Parameters (PCR, SCR, MBS) Mean

    Internet Content filter allows you to create and enforce Internet access policies tailored to your needs. Content filter gives you the ability to block web sites that contain key words (that you specify) in the URL. You can set a schedule for
  • Page 19 P-661HW-D performs content filtering. You can also specify trusted IP Addresses on LAN for which the P-661HW-D will not perform content filtering. You can configure the details about it in Web Configurator, Advanced setup, Security -> Content Filter.
  • Page 20: ADSL FAQ

    ADSL physical layer is up. 5. How does the P-661HW-D work on a noisy ADSL? Depending on the line quality, the P-661HW-D uses "Fall Back" and "Fall Forward" to automatically adjust the data rate.
  • Page 21: Does The VC-Based Multiplexing Perform Better Than The LLC-Based Multiplexing

    8. What are the signaling pins of the ADSL connector? The signaling pins on the P-661HW-D's ADSL connector are pin 3 and pin 4. The middle two pins for a RJ11 cable. 9. What is triple play?
  • Page 22 • The low priority is internet access such as ftp etc … Triple Play is a port-based policy to forward packets from different LAN port to different PVCs, thus you can configure each PVC separately to assign different QoS to different application.
  • Page 23: Firewall FAQ

    A key drawback of this device is performance. Stateful Inspection Firewalls restrict access by screening data packets against defined access rules. They make access control decisions based on IP
  • Page 24: What Kind Of Firewall Is The P-661HW-D

    Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources. There are four types of DoS attacks:
  • Page 25: What Is Ping Of Death Attack

    IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself.
  • Page 26: What Is Brute-Force Attack

    Note: Don’t forget to type in the Administrator Password. 2. How do I prevent others from configuring my firewall? There are several ways to protect others from touching the settings of your firewall.
  • Page 27: Why Can't I Configure My P-661HW-D Using Web Configurator/Telnet Over WAN

    TELNET (For accessing Command Line Interface): Source IP= Telnet Client host Destination IP= router's WAN IP Service= TCP/23 Action=Forward (2) You have disabled WWW/Telnet service in Web Configurator, Advanced setup, Advanced -> Remote MGNT:
  • Page 28: Why Can't I Upload The Firmware And Configuration File Using FTP Over WAN

    FTP connection from WAN. The WAN-to-LAN ACL summary will look as shown below. Source IP= FTP host Destination IP= P-661HW-D's WAN IP Service= FTP TCP/21, TCP/20 Action=Forward
  • Page 29: Log And Alert

    128 entries. Before you can view firewall logs there are two steps you need to do: (1) Enable log function in Centralized logs setup via either one of the following methods,
  • Page 30: When Does The P-661HW-D Generate The Firewall Alert

    A log entry is just added to the log inside the P-661HW-D and e-mailed together with all other log entries at the scheduled time as configured. An alert is e-mailed immediately after an attack is detected.
  • Page 31: VPN FAQ

    3. What are most common VPN protocols? There are currently three major tunneling protocols for VPNs. They are Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP) and Internet Protocol Security (IPSec). 4. What is PPTP?
  • Page 32: What Is L2TP

    IPSec service for other machines lacking IPSec capability. In this case, Transport mode only protects the upper-layer protocols of IP payload (user data). Tunneling mode protects the entire IP payload including user data.
  • Page 33: What Is SA

    In IKE phase 1 negotiation, IP address of remote peer is treated as an indicator to decide which VPN rule must be used to serve the incoming request. However, in some application, remote VPN box or client software is using an
  • Page 34: What Is FQDN

    "Aggressive mode" is recommended to be applied in phase 1 negotiation. Advanced FAQ 1. How do I configure VPN? You can configure VPN via Web Configurator, Advanced Setup, Security -> VPN -> Summary.
  • Page 35: What Kind Of VPN Protocols Are Supported On P-661HW-D

    2. What kind of VPN protocols are supported on P-661HW-D? All P-661HW-D series support IPSec VPN, in other words, we can build IPSec VPN on P-661HW-D. And also note that P-661HW-D is of VPN (IPSec, PPTP) passthrough supported NAT.
  • Page 36: Does P-661HW-D Support Dynamic Secure Gateway IP

    A by specifying ASecure GW as Router A’s DNS name, even if router B itself is dynamic IP address too. Note: In the example, the VPN connection can only be initiated from Router B. 7. What VPN gateway has been tested with P-661HW-D successfully?
  • Page 37: What VPN Software Has Been Tested With P-661HW-D Successfully

    'Secure Gateway IP Address' is the Internet IP address of the remote IPSec gateway. 10. Is the host behind NAT allowed to use IPSec? NAT Condition Supported IPSec Protocol VPN Gateway embedded AH tunnel mode, ESP tunnel mode
  • Page 38: How Do I Configure P-661HW-D With NAT For Internal Servers

    VPN tunnel. With this option, whenever phase 2 SA lifetime is due, IKE negotiation procedure will be invoked automatically even without traffic to make the connection stay. But to reduce the consumption of system resource, if VPN tunnels get
  • Page 39: Single, Range, Subnet, Which Types Of IP Address Do P-661HW-D Support In VPN/IPSec

    If P-661HW-D is to support IPSec passthrough, you have to disable the VPN function on P-661HW-D. To disable it, you can either deactivate each VPN rule or issue a CI command, "ipsec switch off" from CLI.
  • Page 40: Wireless FAQ

    The speed of Wireless LAN is still relatively slower than wired LAN. The setup cost of Wireless LAN is relatively high because the equipment cost including access point and PCMCIA Wireless LAN card is higher than hubs and CAT 5 cables.
  • Page 41: Where Can You Find 802.11 Wireless Networks

    (interoperate) with any brand of Access Point that is also Wi-Fi certified. 9. What types of devices use the 2.4GHz Band? Various spread spectrum radio communication applications use the 2.4 GHz
  • Page 42: Does The 802.11 Interfere With Bluetooth Device

    WLANs are generally privately owned, wireless systems that are deployed in a corporation, warehouse, hospital, or educational campus setting. Data rates are high and there are no per-packet charges for data transmission. WWANs are generally publicly shared data networks designed to provide
  • Page 43: Can I Manually Swap The Wireless Module Without Damage Any Hardware

    "infrastructure mode" in order to utilise access points relaying. 3. How many Access Points are required in a given area? This depends on the surrounding terrain, the diameter of the client population,
  • Page 44: What Is Direct-Sequence Spread Spectrum Technology - (DSSS)

    9. What is an ESSID? ESSID stands for Extended Service Set Identifier and identifies the wireless LAN. The ESSID of the mobile device must match the ESSID of the AP to
  • Page 45: Security FAQ

    As long as the passwords match, a client will be granted access to a WLAN. You can refer to the User Guide for more information about it.
  • Page 46: What Is The Difference Between 40-Bit And 64-Bit WEP

    An intruder who monitors the wireless network can apply this same attack principle on the wireless. 11. What is OTIST? How do I use it?
  • Page 47 P-661HW-D for 1~5 seconds, the OTIST is activated. The P-661HW-D will enhance the Wireless Security Level to WPA-PSK automatically if no WLAN security has been set. The default setup key for OTIST is ‘01234567’.
  • Page 48: Application Notes

    IP addresses for all that the ISP gives to you in the network TCP/IP settings. For Windows, we check the option 'Obtain an IP address automatically' in its TCP/IP setup, please see the example shown below.
  • Page 49 We will use Web Configurator to guide you through the related menu. (1) Configure P-661HW-D as bridge mode and configure Internet setup parameters in Web Configurator, Advanced Setup, Network -> WAN ->
  • Page 50: Internet Access Using P-661HW-D Under Routing Mode

    Internet access, they have to install an Internet sharing device, like a router. In this case, we use the P-661HW-D which works as a general Router plus an ADSL Modem. Set up your workstation (1) Ethernet connection
  • Page 51 Routing mode for routing traffic. We will use Web Configurator to guide you through the related menu. (1) Configure P-661HW-D as routing mode and configure Internet setup parameters in Web Configurator, Advanced Setup, Network -> WAN -> Internet Connection. Key Settings:
  • Page 52: Setup The P-661HW-D As A DHCP Relay

    • Setup the P-661HW-D as a DHCP Relay We could set the P-661HW-D as a DHCP Relay by the following command in CLI: Ip dhcp enif0 mode relay Ip dhcp enif0 relay server [Server IP Address]
  • Page 53: SUA Notes

    Required Settings in Port Forwarding Port/IP Application Incoming Outgoing Connection Connection HTTP None 80/client IP None 21/client IP TELNET None 23/client IP (and active Telnet service from WAN) POP3 None 110/client IP SMTP None 25/client IP
  • Page 54 6901/client IP 6901/client IP Microsoft Messenger Service None for Chat, File None for Chat, File 4.6/ 4.7/ 5.0/… transfer, Video and transfer ,Video and Voice (none UPnP) Voice Net2Phone None 6701/client IP
  • Page 55 SUA server must be set to 192.168.1.34. The peer Cu-SeeMe user can reach this workstation by using P-661HW-D's WAN IP address which can be obtained from Web Configurator, Status -> WAN Information.
  • Page 56 Configuration To make a server visible to the outside world, specify the port number of the service and the inside address of the server in Web Configurator, Advanced
  • Page 57 (3) If you want to change the port for Web Server, you could press button ‘Modify’ on corresponding rule, then modify and apply it. Default port numbers for some services Service Port Number
  • Page 58 All data sent over this connection can be encrypted and compressed, and multiple network level protocols (TCP/IP, NetBEUI and IPX) can be run correctly. Windows NT Domain Login level security is preserved even across the Internet.
  • Page 59 SUA. The port number of the PPTP has to be entered in the Web Configurator, Advanced Setup, Network -> NAT -> Port Forwarding on P-661HW-D to forward to the appropriate private IP address of Windows NT server.
  • Page 60 • Before making a VPN connection from Win9x to WinNT server, you need to connect P-661HW-D router to your ISP first. • Enter the IP address of the PPTP server (WinNT server) and the port number for PPTP as shown below:
  • Page 61 ISP. You must enter this IP address in the 'VPN Server' dialog box for reaching the PPTP server. After the VPN link is established, you can start the network protocol application such as IP, IPX and NetBEUI.
  • Page 62: Using Full Feature NAT

    SUA Only lookup 255’. It’s a read-only sets with two rules: Many-to-One and server mapping. Select Full Feature when you require other mapping types. Configuring NAT Address Mapping Sets and NAT Server Sets
  • Page 63 IPs, then the Start IP is 0.0.0.0 and the 255.255.255.255 End IP is 255.255.255.255. Global Start This is the starting global IP address (IGA). If you 0.0.0.0 have a dynamic IP, enter 0.0.0.0 as the Global Start
  • Page 64 Click the ‘Edit’ Button on the rule #1, then you can enter the window in which you can edit an individual rule and configure the Mapping Type, Local and Global Start/End IPs:
  • Page 65 P-661HW-D is 192.168.1.1) Step 2: Select one Address Mapping Set (#1~#8) by command ‘ip nat addrmap map [map #] [set name]’ (set name is optional). Suppose we configure set 2 in the example.
  • Page 66 Load the server sets of NAT into buffer “disp 1” means to display the NAT server set in buffer, ip nat server disp [1] if parameter “1” is omitted, then it will display all the
  • Page 67 192.168.1.36 and a FTP server at 192.168.1.33, then you need to specify for port 80 (Web) the server at IP address 192.168.1.36 and for port 21 (FTP) another at IP address 192.168.1.33.
  • Page 68 • Examples • Internet Access Only • Internet Access with an Internal Server • Using Multiple Global IP addresses for clients and servers • Support Non NAT Friendly Applications (1) Internet Access Only
  • Page 69 In this case, we do exactly as the figure (use the convenient pre-configured SUA Only set) and also go to Web Configurator, Advanced Setup, Network -> NAT -> Port Forwarding to specify the Internet Server behind the NAT as
  • Page 70 Rule 4 (Server type) to map a web server and mail server with ILA3 (192.168.1.20) to IGA3. Type Server allows us to specify multiple servers, of different types, to other machines behind NAT on the LAN.
  • Page 71 Rule 1 Setup: Select One-to-One type to map the FTP Server 1 with ILA1 (192.168.1.10) to IGA1 (200.0.0.1). Rule 2 Setup: Selecting One-to-One type to map the FTP Server 2 with ILA2 (192.168.1.11) to IGA2 (200.0.0.2).
  • Page 72 (200.0.0.3). Rule 4 Setup: Select Server type to map our web server and mail server with ILA3 (192.168.1.20) to IGA3. Menu Network -> NAT -> Address Mapping should look as follows now:
  • Page 73 IP address. In this case it is better to use Many-to-Many No Overload or One-to-One NAT mapping types, thus each user login to the server using a unique global IP address. The following figure illustrates this.
  • Page 74: Using The Dynamic DNS (DDNS)

    (e.g., www.zyxel.com.tw) for your server (e.g., Web server) from a DDNS server. The outside users can always access the web server using the www.zyxel.com.tw regardless of the WAN IP of the P-661HW-D.
  • Page 75 Key Settings: Option Description Enter the DDNS server in this field. Currently, we support Service Provider WWW.DYNDNS.ORG. Active Toggle to 'Yes'. Host Name Enter the hostname you subscribe from the above DDNS server.
  • Page 76: Network Management Using SNMP

    If any link of IDSL or WAN is up, the trap will be sent with the port number . The port number is its interface index under the interface group. 5. authenticationFailure (defined in RFC-1215) :
  • Page 77 (2) For fatal error : System has to reboot for some fatal errors. And traps with the message of the fatal code will be sent. • Downloading ZyXEL's private MIB • Configure the P-661HW-D for SNMP
  • Page 78 P-661HW-DHW-DX will respond to all NMS managers. Enter the community name in each sent trap to the NMS. This Trap Trap Community must match what the NMS is expecting. The default is Community 'public'.
  • Page 79: Using Syslog

    'IP Alias'. In this case, an internal router is not required. For example, the network manager can divide the local network into three networks and connect them to the Internet using P-661HW-D's single user account. See the figure below.
  • Page 80 P-661HW-D as shown below when the three networks are configured. If the P-661HW-D's DHCP is also enabled, the IP pool for the clients can be any of the three networks.
  • Page 81: Using IP Policy Routing

    Policy-based routing is applied to incoming packets on a per interface basis, prior to the normal routing. Network administrators can use IPPR to distribute
  • Page 82 The inclusion of length criterion is to differentiate between interactive and bulk traffic. Interactive applications, e.g., Telnet, tend to have short packets, while bulk traffic, e.g., file transfer, tends to have large packets.
  • Page 83 To implement this, we need to invoke the following command one by one: ip policyrouting set name Test (Set the name as Test of IP routing policy rule ) ip policyrouting set active (Enable the rule) ip policyrouting set criteria protocol
  • Page 84 WAN site you apply the policy set in WAN interface. Apply to WAN Interface (Suppose we apply it to remote node in the example): wan node index wan node ippolicy
  • Page 85: Using Call Scheduling

    Test (Set the schedule name as Test) wan callsch active (Enable schedule) wan callsch startdate 2005 12 27 (Set schedule start date as 2005-12-27)
  • Page 86 For example, if we want to apply the call schedule set 1 to remote node 1, we could use the commands: wan node index wan node callsch wan node save
  • Page 87: Using IP Multicast

    The latest version is version 2 (see RFC2236). IP hosts use IGMP to report their multicast group membership to any immediate-neighbor multicast routers so the multicast routers can decide if a multicast packet
  • Page 88: Using Bandwidth Management

    Select how you want the bandwidth to be allocated. Priority-Based means bandwidth is allocated via priority, so the traffic with highest priority would be served first, then the second priority is served secondly and so on. If
  • Page 89 Step 2: Go to Web Configurator, Advanced Setup, Advanced -> Bandwidth MGMT-> Rule Setup, select the interface, Service, Priority, and Allocated Bandwidth for this rule, then click button ‘Add’ to apply this rule.
  • Page 90 Maximize Bandwidth Usage on the interface to meet the condition.) Service Select User-defined, SIP, FTP, or H.323 to specify the traffic types Destination Enter the IP address of destination that meets this class. IP Address
  • Page 91: Using Zero-Configuration

    Whenever system send out all the probing patterns with specific VPI/VCI, system will wait for 5~10 seconds and get the response from ISP, the response patterns will decide which kinds of ADSL
  • Page 92 (2) If you want to enable all service for VC hunting, the service bits will be 1+2+4+8+16+32=63(decimal)= 3f (hex), you must input 3f Need to perform save after this by command ‘wan atm vchunt save’
  • Page 93 Internet. If the connection test fails, it will go back to the page ask for user name and password.
  • Page 94: How Could I Configure Triple Play On P-661HW-D

    With each filter set having up to six rules, you can have a maximum of 24 rules active for a single port.
  • Page 95 Usage: node#= 1~8, corresponding to the remote node 1~8 wan node filter <incoming|outgoing> <tcpip|generic> <set1#> <set2#> <set3#> <set4#> Usage: You can apply at most four filter sets to one remote node. wan node save
  • Page 96 [protocol #] Set the protocol ID of the rule sys filter set sourceroute [yes|no] Set the sourceroute yes/no sys filter set destip [address] [subnet Set the destination IP address and subnet mask of
  • Page 97 Clear the current filter set sys filter set save Save the filter set parameters Display Filter set information. W/o parameter, it will sys filter set display [set#][rule#] display buffer information. sys filter set freememory Discard Changes
  • Page 98: Ipsec Vpn Application Notes

    PC 1 and PC 2 are secure. Because the packets go through the IPSec tunnel are encrypted. To achieve this VPN tunnel, the settings required for each Prestige are explained in the following sections. All contents copyright © 2006 ZyXEL Communications Corporation.
  • Page 99 Note: For P-661HW-D, you need to login Multilingual Web Configurator using Administrator account, the default password is admin (2) Go to VPN Setup page to edit a VPN Rule. On P-661HW-D, you could begin with Security -> VPN -> Summery: All contents copyright © 2006 ZyXEL Communications Corporation.
  • Page 100 Local Address Type is Single and IP Address Start is PC 1’s IP, 192.168.1.33 in the example. Remote Address Type is Single and IP Address Start is PC 2’s IP, 192.168.2.33 in the example. All contents copyright © 2006 ZyXEL Communications Corporation.
  • Page 101 Select one VPN Protocol from the pull-down menu, ESP in the example. Input a proper Pre-Shared Key in the right table, 01234567 in the example. Select Encryption Algorithm to DES and Authentication Algorithm to SHA1. All contents copyright © 2006 ZyXEL Communications Corporation.
  • Page 102 Remote Address Type is Single and IP Address Start is PC 1’s IP, 192.168.1.33 in the example. (2) My IP Address is the WAN IP of Prestige B, 168.10.10.66 in the example. All contents copyright © 2006 ZyXEL Communications Corporation.
  • Page 103 Support Engineer for a solution. The following shows an example of dumped messages. (You can refer to Support Tool -> 1 WAN/ LAN Packet Trace -> Capture the detailed logs by Hyper Terminal to do it). All contents copyright © 2006 ZyXEL Communications Corporation.
  • Page 104: How To Build A Vpn Between Secure Gateway With Dynamic Wan Ip Address

    Then after a successful or failed VPN connection, we could view the relevant information from Web Configurator, Maintenance -> Logs -> View Log: 2. How to build a VPN between Secure Gateway with Dynamic WAN IP Address? All contents copyright © 2006 ZyXEL Communications Corporation.
  • Page 105 • Prestige dynamic WAN IP v.s. peer side dynamic IP In this case, we need to use DDNS (Dynamic Domain Name Service). There are many different solutions for it: (1) Prestige v.s. Prestige Solution 1: All contents copyright © 2006 ZyXEL Communications Corporation.
  • Page 106: Configure NAT For Internal Servers

    Generally, without IPSec, to configure an internal server for outside access, we need to configure the server private IP and its service port in SUA/NAT Server Table. The NAT router will then forward the incoming connections to the
  • Page 107: VPN Routing Between Branch Office Through Headquarter

    Through VPN routing, the Prestige series now provides a solution that lets PCs in branch offices talk to each other through the existing VPN tunnels concentrated on the headquarter.
  • Page 108 Advanced button. Please make sure that the parameters you set in this menu match all the parameters of the corresponding VPN rule in headquarter. We don’t make any advanced setup in the example. Step 2: Set up VPN in branch office B
  • Page 109 B. Remote Address Type is Range Address and IP Address Start is 192.168.3.0, IP Address End is 192.168.3.255. This section covers the LAN segment of branch office A.
  • Page 110 • The correspondent rule for Branch_B_1 in headquarter (1) Local Address Type is Range Address and IP Address Start is 192.168.1.0, IP Address End is 192.168.1.255. This section covers the LAN segment of Headquarter office.
  • Page 111 Advanced button. Please make sure that the parameters you set in this menu match all the parameters of the corresponding VPN rule in headquarter. We don’t make any advanced setup in the example.
  • Page 112: Wireless Application Notes

    Step 1: Double-click the utility icon in your Windows task bar; the utility will pop up on your Windows screen. Step 2: Select the configuration tab.
  • Page 113 Step 4: Since there is no DHCP server to give the host an IP, you must first designate a static IP for your station. From Windows Start select Control Panel > Network Connection > Wireless Network Connection.
  • Page 114 Step 1: Double-click the utility icon in your Windows task bar; the utility will pop up on your Windows screen. Step 2: Select the configuration tab.
  • Page 115 Step 4: Since there is no DHCP server to give the host an IP, you must first designate a static IP for your station. From Windows Start select Control Panel > Network Connection > Wireless Network Connection.
  • Page 116: Configuring Infrastructure Mode

    For Infrastructure WLANs, multiple Access Points (APs) link the WLAN to the wired network and allow users to efficiently share network resources. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood.
  • Page 117 Step 1: Log in to the Web Configurator, Advanced Setup, Network -> Wireless LAN -> General. Configure the basic parameters for Wireless LAN. Step 2: You can click the button ‘Advanced Setup’ for more detailed configuration:
  • Page 118 Adapter please follow the following steps. Step 1: Double-click the utility icon in your Windows task bar; the utility will pop up on your Windows screen. Step 2: Select the configuration tab.
  • Page 119 Change to take effect. Step 4: Click the Site Survey tab and press Search; all the available APs will be listed. Step 5: Double-click the AP you want to associate with.
  • Page 120: MAC Filter

    This provides an additional layer of control in that only stations with registered MAC addresses can connect. This approach requires that the list of MAC addresses be configured.
  • Page 121 Association is selected in this field (Filter Action), hosts with MAC addresses configured in this list will be allowed to associate with the AP. If Deny Association is selected in this field, hosts with MAC addresses configured in this list will be blocked.
  • Page 122: Setup WEP (Wired Equivalent Privacy)

    You can set up the Access Point from Web configurator, Advanced Setup, Network -> Wireless LAN -> General. (You can also configure it via CLI): Step 1: Select ‘Static WEP’ from the pull down menu ‘Security Mode’ in Web Configurator:
  • Page 123 256-bit WEP key (secret key) with 58 hexadecimal digits. There are two ways you can configure the WEP Key. (1) You can put in a special WEP key in the ‘WEP Key’ menu directly.
  • Page 124 WEP Key for you: • Setting up the Station Step 1: Double-click the utility icon in your Windows task bar or right-click the utility icon then select 'Show Config Utility'.
  • Page 125 Note: If the utility icon doesn't exist in your task bar, click Start -> Programs -> …… to start the utility. Step 2: Select the 'Configuration' tab. Select ‘Set Security’ to configure the encryption type and parameters to correspond with the access point.
  • Page 126 Key 1 by default. Key settings: The WEP Encryption type of the station has to be the same as that of the access point. Check the 'ASCII' field for a character WEP key or uncheck the 'ASCII' field for a hexadecimal-digit WEP key.
  • Page 127: Site Survey

    Survey on Site Step 1: With the diagram containing all the information you gathered in the preparation phase, you are now ready to make the survey.
  • Page 128 Record the changes at points where the transfer rate drops, and the link quality and signal strength information, on the diagram as you go along.
  • Page 129 Step 8: Repeat step 1~6 of survey on site as necessary; upon completion you will have a diagram and information of the site survey, as illustrated below.
  • Page 130: Configure 802.1X And WPA

    WPA authentication purpose since the local user database uses MD5 EAP which cannot generate keys. WPA improves data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check and IEEE 802.1x. Temporal Key Integrity
  • Page 131 Step 1: To change your P-661HW-D's authentication settings, log in to the Web Configurator, Advanced Setup, Network -> Wireless LAN -> General -> Security. Step 2: Select ‘Security Mode’ as WPA-PSK. Step 3: Type the Pre Shared Key in the Pre-Shared Key field.
  • Page 132 Step 1: Double-click your wireless utility icon in your Windows task bar; the utility will pop up on your Windows screen. Step 2: Select the configuration tab, type in the SSID (Service Set Identifier), select the operating Mode as Infrastructure, and select the proper channel.
  • Page 133 Step 3: Click Set Security to configure the security parameters: Step 4: Click OK to finish, and begin the site survey. Connect to the AP as you have configured.
  • Page 134 Step 5: Click the Link Info tab; if the PC associated and authenticated with the AP successfully, we will see the following information.
  • Page 135: Support Tool

    & sys trcl sw on • Display the brief trace online by entering: sys trcd brief • Display the detailed trace online by entering: sys trcd parse Example:
  • Page 136 & sys trcl sw on • Display the brief trace online by entering: sys trcd brief • Display the detailed trace online by entering: sys trcd parse Example:
  • Page 137: Offline Trace

    • Disable the trace log by entering: sys trcp sw off & sys trcl sw off • Display the trace briefly by entering: sys trcp brief • Display specific packets by using: sys trcp parse <from_index> <to_index>
  • Page 138: Capture The Detailed Logs By Hyper Terminal

    • Capture the detailed logs by Hyper Terminal Step 1: Initiate a hyper terminal connection from your PC (suppose you connected to the LAN port of P-661HW-D). Step 2: Click the ‘properties’ to configure parameters to telnet to the P-661HW-D.
  • Page 139 Step 3: So that after you invoke the relevant commands, you could save the logs you’ve captured.
  • Page 140: Firmware/Configurations Uploading And Downloading Using TFTP

    Step 5: To upload the firmware, please save the remote file as 'ras' to Prestige. After the transfer is complete, the Prestige will program the upgraded firmware into FLASH ROM and reboot itself. An example:
  • Page 141 Step 4: To download the P-661HW-D configuration, please get the remote file 'rom-0' from the Prestige. Step 5: To upload the P-661HW-D configuration, please save the remote file as 'rom-0' in the Prestige. An example:
  • Page 142: Using TFTP Command On Windows NT

    <- change to binary mode -I 192.168.1.1 get rom-0 [local-rom] <- download configurations [cppwu@faelinux cppwu]$ tftp <- upload configurations -I 192.168.1.1 put [local-rom] rom-0 [cppwu@faelinux cppwu]$ tftp <- download firmware -I 192.168.1.1 get ras [local-ras ]
  • Page 143: Using FTP To Upload The Firmware And Configuration Files

    Step 5 Use 'put' command to transfer the file to the Prestige. Example: Step 1: Connect to the Prestige by entering the Prestige's IP and Administrator password in the FTP software. Set the transfer type to 'Auto-Detect' or
  • Page 144 Step 3: To upload the firmware file, we transfer the local 'ras' file to overwrite the remote 'ras' file. To upload the configuration file, we transfer the local 'rom-0' to overwrite the remote 'rom-0' file.
  • Page 145 Step 4: The Prestige reboots automatically after the uploading is finished. Please do not power off the router at this moment.
  • Page 146: CI Command Reference

    The latest CI Command list is available in the release note of every ZyXEL firmware release. Please go to the ZyXEL public web site http://www.zyxel.com/support/download_index.php to download the firmware package (*.zip); unzip the package to get the release note in PDF format.
