ZyXEL Communications P-334WT Support Notes


Last Update: October 8, 2004
FAQ
  - ZyNOS FAQ
  - Product FAQ
  - Firewall FAQ
  - Content Filtering FAQ
  - VPN FAQ
  - Wireless FAQ
Application Notes
  - IPSec VPN Application Notes
  - WLAN Application Notes
  - TMSS Application Notes
CI Command List
Troubleshooting
All contents copyright (c) 2004 ZyXEL Communications Corporation.
P-334WT Support Notes
V360(JN0)

Summary of Contents for ZyXEL Communications P-334WT

  • Page 2: ZyNOS FAQ

    ZyNOS FAQ What is ZyNOS? How do I access the Prestige SMT menu? What is the default console port baud rate? Moreover, how do I change it? How do I upload the ZyNOS firmware via console? How do I upgrade/backup the ZyNOS firmware by using a TFTP client program via LAN? How do I upload ROMFILE via console? How do I backup/restore SMT configurations by using a TFTP client program via LAN? Why can't I Telnet to the Prestige from the WAN?
  • Page 3 The default console port baud rate is 9600bps; you can change it to 115200bps in Menu 24.2.2 to speed up SMT access. 3. What is the default console port baud rate? Moreover, how do I change it? The default console port baud rate is 9600bps. When configuring the SMT, please make sure the terminal baud rate is also 9600bps.
  • Page 4 7. How do I backup/restore SMT configurations by using a TFTP client program via LAN? a. Use the TELNET client program on your PC to log in to your Prestige. b. Enter the CI command 'sys stdio 0' in menu 24.8 to disable the console idle timeout. c.
  • Page 5 In ZyNOS, you cannot mix different filter groups in the same filter set. 15. How can I protect against IP spoofing attacks? The P-334WT's firewall will automatically detect IP spoofing and drop the spoofed packets if the firewall is turned on.
  • Page 6
    Active= Yes
    Destination IP Addr= a.b.c.d
    Destination IP Mask= w.x.y.z
    Action Matched= Drop
    Action No Matched= Forward
    where a.b.c.d is an IP address on your local network and w.x.y.z is your netmask.
  • Page 7: Product FAQ

    Product FAQ General FAQ What is the P-334WT Internet Access Sharing Router? Will the P-334WT work with my Internet connection? What do I need to use the Prestige? What is PPPoE? Does the Prestige support PPPoE? How do I know I am using PPPoE?
  • Page 8: What Is BOOTP/DHCP

    2. Will the P-334WT work with my Internet connection? The P-334WT is designed to be compatible with cable and ADSL modems. Most external Cable and ADSL modems use an Ethernet port to connect to your computer so the Prestige is placed in the line between the computer and the External modem.
  • Page 9 two Ethernet ports: a LAN port and a WAN port. You should connect the computer to the LAN port and connect the external modem to the WAN port. If the ISP uses PPPoE or RoadRunner authentication, you need to enter the user account in the Prestige. 4.
  • Page 10 10. What network interface does the Prestige support? The Prestige supports 10/100M Ethernet to connect to the computer and 10M Ethernet to connect to the external cable or ADSL modem. 11. What can we do with the Prestige? Browse the World Wide Web (WWW), send and receive individual e-mail, and download software. These are just a few of the many benefits you can enjoy when you put the whole office on-line with the Prestige Internet Access Sharing Router.
  • Page 11 1. WinGate is a software-only solution that needs to be installed on a dedicated Windows 95 PC-based server. The total cost and complexity are many times over ATI's product. The Prestige Internet Access Sharing Router is a plug-n-play Internet appliance. 2.
  • Page 12 When the Prestige shows no response on your terminal (e.g. the embedded HyperTerminal), please try the following methods: 1. Make sure the CON/AUX switch of the P-334WT (which is close to the power jack) is set to CON, not AUX. 2. Check whether the RS-232 cable is properly connected between the Prestige and your computer.
  • Page 13 starting with how fast your PC can handle IP traffic, then how fast your PC to cable modem interface is, then how fast the cable modem system runs and how much congestion there is on the cable network, then how big a pipe there is at the head end to the rest of the Internet. Different models of PCs and Macs are able to handle IP traffic at varying speeds.
  • Page 14 If you are not able to get the Internet IP from the ISP, check which authentication method your ISP uses and troubleshoot the problem as described below. 1. Your ISP checks the 'MAC address'. Some ISPs only provide an IP address to a user with an authorized MAC address. This authorized MAC can be the PC's MAC, which is used by the ISP for authentication.
  • Page 15 Menu 1 - General Setup: System Name= zyxel. Key Setting: System Name= (the system name must be the same as the PC's computer name). 3. Your ISP checks 'User ID'. This authentication type is used by the RoadRunner ISP; currently they use RR-TAS (Toshiba Authentication Service) and RR-Manager authentication.
  • Page 16 Service Type: Currently, there are two authentication types that Road Runner supports, RR-Manager. Choose the correct one for your local ISP. Server IP: The Prestige will find the Road Runner server IP if this field is blank; otherwise enter the authentication server IP address if you know it. My Login Name: Enter the login name given to you by your ISP. Password: Enter the password associated with the login name...
  • Page 17 Some servers providing Internet applications, such as some mIRC servers, do not allow users to log in using the same IP address. Thus, users on the same network cannot log in to the same server simultaneously. In this case it is better to use the Many-to-Many No Overload or One-to-One NAT mapping types, so that each user logs in to the server using a unique global IP address.
  • Page 18
    Many-to-One (SUA/PAT): ILA1<--->IGA1, ILA2<--->IGA1
    Many-to-Many Overload: ILA1<--->IGA1, ILA2<--->IGA2, ILA3<--->IGA1, ILA4<--->IGA2
    Many-to-Many No Overload: ILA1<--->IGA1, ILA2<--->IGA2, ILA3<--->IGA3, ILA4<--->IGA4
    Server: Server 1 IP<--->IGA1, Server 2 IP<--->IGA1
    10. What is the difference between SUA and Multi-NAT? SUA (Single User Account) in previous ZyNOS versions is a NAT set with 2 rules, Many-to-One and Server.
  • Page 19 Without DDNS, we always tell the users to use the WAN IP of the Prestige to reach our internal server. It is inconvenient for the users if this IP is dynamic. With DDNS supported by the Prestige, you apply for a DNS name (e.g., www.zyxel.com.tw) for your server (e.g., a Web server) from a DDNS server.
  • Page 20 21. Should I create any firewall rule by myself to allow incoming traffic when NAT is used? A built-in firewall function is supported in the P-334WT. When a session is initiated from a user located in the P-334WT's LAN network, incoming traffic will be allowed by the Stateful Inspection mechanism. However, if the session is initiated from the WAN side and there is no related access rule for the incoming traffic, the traffic will be blocked by the P-334WT.
  • Page 21 2. What makes P-334WT secure? The P-334WT is pre-configured to automatically detect and thwart Denial of Service (DoS) attacks such as Ping of Death, SYN Flood, LAND attack, IP Spoofing, etc. It also uses stateful packet inspection to determine if an inbound connection is allowed through the firewall to the private LAN.
  • Page 22 4. The P-334WT's firewall is fast. It uses a hashing function to search the matched session cache instead of going through every individual rule for a packet.
  • Page 23 13. Why is traffic redirect/static/policy route traffic blocked by the P-334WT? The P-334WT is a secure gateway for all data passing between the Internet and the LAN. For some reasons (load balancing or a backup line), users may want traffic to be re-routed to another Internet access device while still being protected by the Prestige.
  • Page 24 The above figure indicates the "triangle route" topology. It works fine if you turn off the firewall function on the P-334WT box. By default, your connection will be blocked by the firewall for the following reason. Step 1. Being the default gateway of the PC, the P-334WT will receive all "outgoing" traffic from Step 2.
  • Page 25 But we would like to point out that if you allow Triangle Route, any traffic can easily be injected into the protected network through the unprotected gateway. In fact, it is a security hole in your protected network.
  • Page 26 Ping of Death, SYN Flood, LAND attack, IP Spoofing, etc. It also uses stateful packet inspection to determine if an inbound connection is allowed through the firewall to the private LAN. The P-334WT supports Network Address Translation (NAT), which translates the private local addresses to one or multiple public addresses.
  • Page 28 Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources. There are four types of DoS attacks: 1.
  • Page 30 By default, P-334WT will check the outgoing traffic by ACL and create dynamic sessions to allow return traffic to go back. To achieve Anti-DoS, P-334WT will send RST packets to the PC and the peer since it never receives the TCP SYN/ACK packet. Thus the connection will always be reset by P-334WT.
  • Page 32 2. What is contained in the P-334WT firewall log? By default, the P-334WT pre-configures 4 ACLs: 1) LAN-to-WAN (SET1), 2) WAN-to-LAN (SET2), 3) LAN-to-LAN/P324 (SET7), 4) WAN-to-WAN/P324 (SET8). The default policy of set 1 is "forward" and the default policy of set 2 is "block". There are four logging options, No Log, Log Forward, Log Block and Log All, by which users choose which packets to log via the WEB Configurator.
  • Page 33 6. What is the difference between the log and alert? A log entry is just added to the log inside the P-334WT and e-mailed together with all other log entries at the scheduled time as configured. An alert is e-mailed immediately after an attack is detected.
  • Page 34: Content Filter FAQ

    3. What kinds of URL checking methods does the P-334WT support? Full path URL checking is supported by the P-334WT. Now it can parse the full URL path for blocking, and the URL checking can be case insensitive. To check URLs by domain and directory, users can use the CI command "ip urlfilter customize actionFlags act5 enable / disable"...
  • Page 35 Where can I configure the Phase 1 ID in the P-334WT? How do I configure the P-334WT V3.60, which supports FQDN, so that it can cooperate with the ZyWALL V3.50? If I have a NAT router between two VPN gateways, and I would like to use the IP type as the Phase 1 ID, what should I know?
  • Page 36 There are some reasons to use a VPN. The most common reasons are security and cost. Security: 1) Authentication. With authentication, the VPN receiver can verify the source of packets and guarantee data integrity. 2) Encryption. With encryption, the VPN guarantees the confidentiality of the original user data. Cost: 1).
  • Page 37 However, in some applications, the remote VPN box or client software uses an IP address dynamically assigned by the ISP, so the P-334WT needs additional information to make the decision. Such additional information is what we call the phase 1 ID. In the IKE payload, there are local and peer ID fields to achieve this.
  • Page 38 334WT". It's not necessary to follow the format exactly. By default, the P-334WT takes IP as the phase 1 ID type for itself and its remote peer. But if its remote peer is using DNS or E-mail, you have to adjust the settings to pass the phase 1 ID check.
  • Page 39 9. Why does VPN throughput decrease when staying in SMT menu 24.1? If the P-334WT stays in menu 24.1 or 24.8, a certain amount of memory is allocated to generate the required statistics. So, we do not suggest staying in menu 24.1 or 24.8 while a VPN is in use.
  • Page 40 Secure gateway Addr= 212.125.177.2 The old ZyWALL will use "P-334WT.dyndns.org" to find the P-334WT's current WAN IP address, and then use it as the phase 1 ID content. 14. If I have a NAT router between two VPN gateways, and I would like to use the IP type as the Phase 1 ID, what should I know? We presume your environment may look like this: VPN client: 10.1.33.33...
  • Page 41 IP address as the content of its phase 1 ID. So you have to configure the P-334WT's secure gateway phase 1 ID as the private IP address of the VPN client. The configuration will be like this: 15. How can I keep a tunnel alive? To keep a tunnel alive, you can check "keep alive"...
  • Page 42: Wireless FAQ

    Wireless FAQ General FAQ What is a Wireless LAN? What are the main advantages of Wireless LANs? What are the disadvantages of Wireless LANs? Where can you find wireless 802.11 networks? What is an Access Point? What is IEEE 802.11? What is IEEE 802.11b? How fast is 802.11b?
  • Page 43 Security FAQ How do I secure the data across an Access Point's radio link? What is WEP? What is the difference between 40-bit and 64-bit WEP? What is a WEP key? Will 128-bit WEP communicate with 64-bit WEP? Can the SSID be encrypted? By turning off the broadcast of SSID, can someone still sniff the SSID? What are Insertion Attacks?
  • Page 44 c. Installation Flexibility: Wireless technology allows the network to go where wire cannot go. d. Reduced Cost-of-Ownership: While the initial investment required for wireless LAN hardware can be higher than the cost of wired LAN hardware, overall installation expenses and life-cycle costs can be significantly lower. Long-term cost benefits are greatest in dynamic environments requiring frequent moves and changes.
  • Page 45 8. How fast is 802.11b? The IEEE 802.11b standard has a nominal speed of 11 megabits per second (Mbps). However, depending on signal quality and how many other people are using the wireless Ethernet through a particular Access Point, usable speed will be much less (on the order of 4 or 5 Mbps, which is still substantially faster than most dialup, cable and DSL modems).
  • Page 46 Both 802.11b and Bluetooth devices occupy the same 2.4-to-2.483-GHz unlicensed frequency range, the same band. But a Bluetooth device would not interfere with other 802.11 devices much more than another 802.11 device would interfere. While more collisions are possible with the introduction of a Bluetooth device, they are also possible with the introduction of another 802.11 device, or a new 2.4 GHz cordless phone for that matter.
  • Page 47 2. What is Infrastructure mode? Infrastructure mode implies connectivity to a wired communications infrastructure. If such connectivity is required, Access Points must be used to connect to the wired LAN backbone. Wireless clients have their configurations set to "infrastructure mode" in order to utilise Access Point relaying. 3.
  • Page 48 mobile device must match the ESSID of the AP to communicate with the AP. The ESSID is a 32-character maximum string and is case-sensitive. Security FAQ 1. How do I secure the data across an Access Point's radio link? Enable Wired Equivalency Protocol (WEP) to encrypt the payload of packets sent across a radio link.
  • Page 49 broadcast beacon packets. Turning off the broadcast of SSID in the beacon message (a common practice) does not prevent getting the SSID; since the SSID is sent in the clear in the probe message when a client associates to an AP, a sniffer just has to wait for a valid user to associate to the network to see the SSID. 8.
  • Page 50: What Is RADIUS

    It allows user information to be sent to a central database running on a RADIUS Server, where it is verified. RADIUS also provides a mechanism for accounting.
  • Page 51
    About Filter & Filter Examples
    Setup Syslog on UNIX
    Using SNMP
    Using DDNS
    Using IP Alias
    Upload Firmware and Configuration Files Using FTP
    Uploading Firmware and Configuration Files Using TFTP
    Using Traffic Redirect
    Using UPnP
  • Page 52: Internet Connection

    Internet Connection A typical Internet access application of the Prestige is shown below. For a small office, there are some components that need to be checked before accessing the Internet. Before you begin; Setting up Windows; Setting up the Prestige router; Troubleshooting. Before you begin: The Prestige is shipped with the following factory defaults:...
  • Page 53 You must first install TCP/IP software on each PC before you can use it for Internet access. If you have already installed TCP/IP, go to the next section to configure it; otherwise, follow these steps to install: In the Control Panel/Network window, click button.
  • Page 54 Key Settings:
    Encapsulation: Select the encapsulation type your ISP supports.
    Service Name: Enter the 'Service Name' for the ISP.
    User Name: Enter the login user name given by the ISP.
    Password: Enter the password given by the ISP.
    Idle Timeout: This value specifies the time in seconds that can elapse before the Prestige automatically disconnects the PPPoE connection.
  • Page 55 5. Check if the connection is up by clicking the ADVANCED/MAINTENANCE menu.
  • Page 56 Setup the Prestige for PPPoE Connections Introduction PPP over Ethernet is an IETF draft standard specifying how a host personal computer (PC) interacts with a broadband modem (i.e. xDSL, cable, wireless, etc.) to achieve access to the high-speed data networks via a familiar PPP dialer such as 'Dial-Up Networking' user interface.
  • Page 57
    Menu 4 - Internet Access Setup
    ISP's Name= ChangeMe
    Encapsulation= PPPoE
    Service Type= N/A
    My Login= ras@pppoellc
    My Password= ********
    Idle Timeout= 100
    IP Address Assignment= Dynamic
    IP Address= N/A
    IP Subnet Mask= N/A
    Gateway IP Address= N/A
    Network Address Translation= SUA-Only
    Press ENTER to Confirm or ESC to Cancel:
    Key Settings for making a PPPoE connection: Option...
  • Page 58
    Outgoing:
    My Login= test
    My Password= ********
    Retype to Confirm= ********
    Authen= CHAP/PAP
    Period(hr)= 0
    Schedules=
    Nailed-Up Connection= No
    Session Options:
    Edit Filter Sets= No
    Idle Timeout(sec)= 100
    Edit Traffic Redirect= No
  • Page 59 Setup the Prestige 334WT as a PPTP Client What is a PPTP Client? Microsoft's Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a VPN across a TCP/IP network.
  • Page 60 The PPTP client feature means the PPTP connection is initiated by the Prestige 334WT router, so this connection is transparent to the PPTP clients on the network. This eliminates the settings on every client, and it does not matter whether the computers on the network are Windows, Macintosh or even UNIX; all that is required is a standard TCP/IP protocol stack.
  • Page 61 IP Address statically. Network Address Translation: Set this field to 'Yes' to enable the Single User Account feature for your Prestige 324. Use the space bar to toggle between 'Yes' and 'No'.
  • Page 62: Using Multi-NAT

    The SUA feature that the P-334WT previously supported operates by mapping the private IP addresses to a global IP address. It is only one subset of NAT. The P-334WT supports most of the features of NAT based on RFC 1631, and we call this feature 'Multi-NAT'. For more information on IP...
  • Page 63 UDP source port numbers) and then forwards each packet to the Internet ISP, thus making them appear as if they had come from the NAT system itself (e.g., the P-334WT router). The P-334WT keeps track of the original addresses and port numbers so incoming reply packets can have their original values restored.
  • Page 64 2. Many to One In Many-to-One mode, the P-334WT maps multiple ILA to one IGA. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyNOS routers supported (the SUA only option in today's routers).
  • Page 65 SUA 'visible' servers had to be of different types. The P-334WT supports NAT sets on a remote node basis. They are reusable, but only one set is allowed for each remote node. The P-334WT supports 2 sets since there is only one remote node. The default SUA (Read Only) Set in menu 15.1 is a convenient, pre-configured, read-only, Many-to-One mapping set, sufficient for most purposes and helpful to people already familiar with SUA in previous ZyNOS versions.
  • Page 66
    Menu 4 - Internet Access Setup
    ISP's Name= ChangeMe
    Encapsulation= Ethernet
    Service Type= Standard
    My Login= N/A
    My Password= N/A
    Login Server IP= N/A
    IP Address Assignment= Dynamic
    IP Address= N/A
    IP Subnet Mask= N/A
    Gateway IP Address= N/A
    Network Address Translation= SUA Only
    Press ENTER to Confirm or ESC to Cancel:
    The following figure shows how you apply NAT to the remote node in menu 11.3.
  • Page 67 Step 1. Enter 11 from the Main Menu. Step 2. Move the cursor to the Edit IP field, press the [SPACEBAR] to toggle the default No to Yes, then press [ENTER] to bring up Menu 11.3-Remote Node Network Layer Options. The following table describes the options for Network Address Translation.
  • Page 68 LAN clients. Each remote node must specify which NAT Address Mapping Set to use. The P-334WT has one remote node and so allows you to configure only 1 NAT Address Mapping Set. You can see two NAT Address Mapping sets in Menu 15.1. You can only configure Set 1. Set 255 is used for SUA.
  • Page 69 0.0.0.0 Server Press ESC or RETURN to Exit: The following table explains the fields in this screen. Please note that the fields in this menu are read-only. Field / Description / Option/Example: Set Name: This is the name of the set you selected in Menu 15.1, or enter the name of a new set you want to create.
  • Page 70
    Menu 15.1.1 - Address Mapping Rules
    Set Name= NAT_SET
    Local Start IP   Local End IP   Global Start IP   Global End   Type
    ---------------  ---------------  ---------------  ---------------  ------
    Action= Edit , Select Rule= 0
    Press ENTER to Confirm or ESC to Cancel:
    We will just look at the differences from the previous menu.
  • Page 71 Select Rule: When you choose Edit, Insert Before or Save Set in the previous field, the cursor jumps to this field to allow you to select the rule to apply the action in question. Note: Save Set in the Action field means to save the whole set. You must do this if you make any changes to the set, including deleting a rule.
  • Page 72 Local End IP: This is the ending local IP address (ILA). If the rule is for all local IPs, then put the Start IP as 0.0.0.0 and the End IP as 255.255.255.255. This field is N/A for the One-to-One type. Global Start IP: This is the starting global IP address (IGA). If you have a dynamic IP, enter 0.0.0.0 as the Global Start IP.
  • Page 73 The following procedures show how to configure a server behind NAT. Step 1. Enter 15 in the Main Menu to go to Menu 15-NAT Setup. Step 2. Enter 2 to go to Menu 15.2-NAT Server Setup. Step 3. Enter the service port number in the Port# field and the inside IP address of the server in the IP Address field.
  • Page 74 www-http (Web); PPTP (Point-to-Point Tunneling Protocol) 1723. Examples: Internet Access Only; Internet Access with an Internal Server; Using Multiple Global IP addresses for clients and servers; Support Non-NAT-Friendly Applications. 1. Internet Access Only. In our Internet Access example, we only need one rule, where all our ILAs map to one IGA assigned by the ISP.
  • Page 75
    Menu 4 - Internet Access Setup
    ISP's Name= ChangeMe
    Encapsulation= Ethernet
    Service Type= Standard
    My Login= N/A
    My Password= N/A
    Login Server IP= N/A
    IP Address Assignment= Dynamic
    IP Address= N/A
    IP Subnet Mask= N/A
    Gateway IP Address= N/A
    Network Address Translation= SUA Only
    Press ENTER to Confirm or ESC to Cancel:
    From Menu 4 shown above, simply choose the SUA Only option from the NAT field.
  • Page 76 In this case, we do exactly as above (use the convenient pre-configured SUA Only set) and also go to Menu 15.2.1-NAT Server Setup (Used for SUA Only) to specify the Internet server behind the NAT, as shown below. Menu 15.2 - NAT Server Setup Rule Start Port No.
  • Page 77 3. Using Multiple Global IP addresses for clients and servers (One-to-One, Many-to-One, Server Set mapping types are used) In this case we have 3 IGAs (IGA1, IGA2 and IGA3) from the ISP. We have two very busy internal FTP servers and also an internal general server for the web and mail. In this case, we want to assign the 3 IGAs in the following way using 4 NAT rules.
  • Page 78
    Menu 4 - Internet Access Setup
    ISP's Name= ChangeMe
    Encapsulation= Ethernet
    Service Type= Standard
    My Login= N/A
    My Password= N/A
    Login Server IP= N/A
    IP Address Assignment= Dynamic
    IP Address= N/A
    IP Subnet Mask= N/A
    Gateway IP Address= N/A
    Network Address Translation= Full Feature
    Press ENTER to Confirm or ESC to Cancel:
    Step 2:...
  • Page 79 Rule 2 Setup: Select the One-to-One type to map FTP Server 2 with ILA2 (192.168.1.11) to IGA2.
    Menu 15.1.1.2 - Rule 2
    Type: One-to-One
    Local IP: Start= 192.168.1.11  End= N/A
    Global IP: Start= [Enter IGA2]  End= N/A
    Press ENTER to Confirm or ESC to Cancel:
    Rule 3 Setup: Select the Many-to-One type to map the other clients to IGA3.
  • Page 80 Rule 4 Setup: Select the Server type to map our web server and mail server with ILA3 (192.168.1.20) to IGA3.
    Menu 15.1.1.4 - Rule 4
    Type: Server
    Local IP: Start= N/A  End= N/A
    Global IP: Start= [Enter IGA3]  End= N/A
    Press ENTER to Confirm or ESC to Cancel:
    When we have configured all four rules, Menu 15.1.1 should look as follows.
  • Page 81 [IGA3] Server Press ESC or RETURN to Exit: Step 3: Now we configure all other incoming traffic to go to our web server and mail server from Menu 15.2.2 - NAT Server Setup (not Set 1; Set 1 is used for the SUA Only case). Menu 15.2 - NAT Server Setup Rule Start Port No.
  • Page 82 4. Support Non-NAT-Friendly Applications. Some servers providing Internet applications, such as some mIRC servers, do not allow users to log in using the same IP address. In this case it is better to use the Many-to-Many No Overload or One-to-One NAT mapping types, so that each user logs in to the server using a unique global IP address.
  • Page 83 The three rules configured using the One-to-One mapping type are shown below.
    Menu 15.1.1.1 - Rule 1
    Type: One-to-One
    Local IP: Start= 192.168.1.10  End= N/A
    Global IP: Start= [Enter IGA1]  End= N/A
    Press ENTER to Confirm or ESC to Cancel:
    Menu 15.1.1.2 - Rule 2 Type:...
  • Page 84
    Menu 15.1.1.3 - Rule 3
    Type: One-to-One
    Local IP: Start= 192.168.1.12  End= N/A
    Global IP: Start= [Enter IGA3]  End= N/A
    Press ENTER to Confirm or ESC to Cancel:
  • Page 85: Configure a PPTP Server Behind SUA

    Configure a PPTP server behind SUA Introduction PPTP is a tunneling protocol defined by the PPTP Forum that allows PPP packets to be encapsulated within Internet Protocol (IP) packets and forwarded over any IP network, including the Internet itself. In order to run the Windows 9x PPTP client, you must be able to establish an IP connection with a tunnel server such as the Windows NT Server 4.0 Remote Access Server.
  • Page 86 This application note explains how to establish a PPTP connection with a remote private network in the Prestige 324 SUA case. In ZyNOS, all PPTP packets can be forwarded to the internal PPTP Server (WinNT server) behind SUA. The port number of the PPTP has to be entered in the SMT Menu 15 for Prestige 324 to forward to the appropriate private IP address of Windows NT server.
  • Page 87
    Menu 15 - SUA Server Setup
    Port #      Address
    ------      ---------------
    1. Default  0.0.0.0
    2. 1723     192.168.1.10
    3. 0        0.0.0.0
    4. 0        0.0.0.0
    5. 0        0.0.0.0
    6. 0        0.0.0.0
    7. 0        0.0.0.0
    8. 0        0.0.0.0
    9. 0        0.0.0.0
    When you have finished the above settings, you can ping the remote Win9x client from WinNT. This ping command is used to demonstrate that the remote Win9x client can be reached across the Internet.
  • Page 89 Configure an Internal Server Behind SUA Introduction If you wish, you can make internal servers (e.g., Web, ftp or mail server) accessible for outside users, even though SUA makes your LAN appear as a single machine to the outside world. A service is identified by the port number. Also, since you need to specify the IP address of a server in the Prestige, a server must have a fixed IP address and not be a DHCP client whose IP address potentially changes each time it is powered on.
  • Page 90
    0.0.0.0
    4. 0        0.0.0.0
    5. 0        0.0.0.0
    6. 0        0.0.0.0
    7. 0        0.0.0.0
    8. 0        0.0.0.0
    Port numbers for some services (Service / Port Number): Telnet, SMTP, DNS (Domain Name Server), www-http (Web)
  • Page 91 Tested SUA/NAT Applications (e.g., Cu-SeeMe, ICQ, NetMeeting) Introduction Generally, SUA makes your LAN appear as a single machine to the outside world. LAN users are invisible to outside users. However, some applications such as Cu-SeeMe and ICQ will need to connect to the local user behind the Prestige. In such a case, an SUA server must be entered in menu 15 to forward the incoming packets to the true destination behind SUA.
  • Page 92
    mIRC: None for Chat. For DCC, please set Default/Client IP.
    Windows PPTP: None; 1723/client IP.
    ICQ 99a: None for Chat. For DCC, please set Default/client IP, then ICQ -> preference -> connections -> firewall and set the firewall time out to 80 seconds in the firewall setting.
  • Page 93 None Microsoft Xbox Live Since SUA enables your LAN to appear as a single computer to the Internet, it is not possible to configure similar servers on the same LAN behind SUA. For example, you cannot have two WEB servers both using TCP:80 in the same LAN; they must have different port numbers.
  • Page 94 7. 0 0.0.0.0 8. 0 0.0.0.0
  • Page 95 Using UPnP: What is UPnP; Use UPnP in ZyXEL devices; View dynamic ports opened by UPnP. 1. What is UPnP? UPnP (Universal Plug and Play) makes connecting PCs of all form factors, intelligent appliances, and wireless devices in the home, office, and everywhere in between easier and even automatic by leveraging TCP/IP and Web technologies.
  • Page 96 UPnP Operations Addressing: UPnPv1 devices MAY support IPv4, IPv6, or both. For IPv4, each device should have a DHCP client; when the device is connected to the network, it will discover a DHCP server on the network to get an IP address. If there is none, the Auto-IP mechanism should be supported so that the device can give itself an IP address (169.254.0.0/16). Discovery: Whenever a device is added to the network, it will advertise its services over the network.
  • Page 97 Device: PPPoE Dial-up Router Service: NAT function provided by the PPPoE Dial-up Router Control Point: PC1 1. Enable the UPnP function in the ZyXEL device Go to Advanced->UPnP and check two boxes, Enable PnP feature and Allow users to make... The first check box enables the UPnP function in this device. The second check box allows users' applications to change the configuration of this device.
  • Page 98 2. After obtaining an IP address, open the MSN application on the PC and sign in to the MSN server.
  • Page 99 3. Start a Video conversation with one online user.
  • Page 100 4. On the opposite side, your partner selects Accept to accept your conversation request.
  • Page 101 5. Finally, your video conversation is achieved.
  • Page 102 3. View dynamic ports opened by UPnP When using UPnP, if the ZyXEL device is configured with "Allow users to make configuration changes through UPnP", the device will accept any port-opening request sent over the UPnP protocol. Such behaviour also adds some risk to your internal LAN. For security's sake, we provide a CI command that lets users view the currently opened ports.
  • Page 103 ras> ip nat server disp Server Set: 1 Rule name Svr P Range Server IP LeasedTime Active protocol Int Svr P Range Remote Host IP Range -------------------------------------------------- 1 DMZ default 0.0.0.0 0 - 0 0.0.0.0 - 0.0.0.0 0 - 0 0.0.0.0 0 - 0 0.0.0.0 - 0.0.0.0...
  • Page 105 A filter for blocking the web service A filter for blocking the FTP connection from WAN A filter for blocking a specific client A filter for blocking a specific MAC address A filter for blocking the NetBIOS packets
  • Page 106 Filter Structure The P-334WT allows you to configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system. You can apply up to four filter sets to a particular port to block multiple types of packets.
  • Page 107 SUA for WAN incoming IP packets. But at the same time, the Generic filter rules must be applied at the point when the P-334WT is receiving and sending the packets; i.e. the ISDN interface. So, the execution sequence has to be changed. The logic flow of the filter is shown in Figure 1 and the sequence of the logic flow for the packet from LAN to WAN is: 1.
  • Page 108 Generic and TCP/IP (and IPX) filter rules are in different filter sets. The SMT will detect and prevent the mixing of different categories of rules within any filter set in Menu 21. In the following example, you will receive the error message 'Protocol and device filter rules cannot be active together' if you try to activate a TCP/IP (or IPX) filter rule in a filter set that already has one or more active Generic filter rules.
  • Page 109 Menu 21.1.2 - TCP/IP Filter Rule Filter #: 1,2 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 0 IP Source Route= No Destination: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0 Port #= 0 Port # Comp= None Source: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0 Port #= 0 Port # Comp= None...
  • Page 110 Menu 11.1 - Remote Node Profile Rem Node Name= LAN Route= IP Active= Yes Bridge= No Encapsulation= PPP Edit PPP Options= Incoming: Rem IP Addr= ? Rem Login= test Edit IP/IPX/ Bridge= No Rem Password= ******** Outgoing: Session Options: My Login= testt Edit Filter Sets= Yes My Password= *****...
  • Page 111 In order to avoid operational problems later, the P-334WT will disable its routing/bridging functions if there is an inconsistency among its filter rules.
  • Page 112: Filter Example

    Filter Example A filter for blocking the web service Configuration Before configuring a filter, you need to know the following information: 1. The outbound packet type (protocol & port number) 2. The source IP address Generally, the outbound packets for the Web service could be as follows: a.
  • Page 113 Menu 21 - Filter Set Configuration Filter Filter Set # Comments Set # Comments ------ ----------------- ------ ----------------- Web Request _______________ _______________ _______________ _______________ _______________ _______________ _______________ Enter Filter Set Number to Configure= 1 Edit Comments= Press ENTER to Confirm or ESC to Cancel: 2.
  • Page 114 Action Matched= Drop Action Not Matched= Check Next Rule Press ENTER to Confirm or ESC to Cancel: 3.Rule 2 for (b).DNS request, TCP(06)/Port number 53 Menu 21.1.2 - TCP/IP Filter Rule Filter #: 1,2 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 6 IP Source Route= No Destination: IP Addr= 0.0.0.0...
  • Page 115 Menu 21.1.2 - TCP/IP Filter Rule Filter #: 1,2 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 17 IP Source Route= No Destination: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0 Port #= 53 Port # Comp= Equal Source: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0 Port #= Port # Comp= None...
  • Page 116 Menu 11.5 - Remote Node Filter Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Call Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel:...
  • Page 117 The P-334WT supports uploading the firmware and configuration files over FTP connections via LAN and WAN. So, it is possible for anyone to make an FTP connection over the Internet to your P-334WT. To prevent outside users from connecting to your P-334WT via FTP, you can configure a filter to block FTP connections from the WAN.
  • Page 118 Menu 21 - Filter Set Configuration Filter Filter Set # Comments Set # Comments ------ ----------------- ------ ----------------- NetBIOS_WAN _______________ NetBIOS_LAN _______________ Telnet_WAN _______________ FTP_WAN _______________ _______________ _______________ _______________ _______________ Enter Filter Set Number to Configure= FTP_WAN Edit Comments= Press ENTER to Confirm or ESC to Cancel: Rule 1- block the inbound FTP packet, TCP (06) protocol with port number 20 Menu 21.4.1 - TCP/IP Filter Rule Filter #: 4,1...
  • Page 119 IP Mask= 0.0.0.0 Port #= Port # Comp= None TCP Estab= No More= No Log= None Action Matched= Drop Action Not Matched= Check Next Rule Press ENTER to Confirm or ESC to Cancel: Rule 2- block the inbound FTP packet, TCP (06) protocol with port number 21 Menu 21.4.2 - TCP/IP Filter Rule Filter #: 4,2 Filter Type= TCP/IP Filter Rule...
  • Page 120 'Input Protocol Filter Set' in menu 11.5 for activating the FTP_WAN filter. Menu 11.5 - Remote Node Filter Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters=
  • Page 121 Filter Example A filter for blocking a specific client Configuration 1. Create a filter set in Menu 21, e.g., set 1 Menu 21 - Filter Set Configuration Filter Filter Set # Comments Set # Comments ------ ----------------- ------ ----------------- Block a client _______________ _______________ _______________...
  • Page 122 Menu 21.1.1 - TCP/IP Filter Rule Filter #: 1,1 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 0 IP Source Route= No Destination: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0 Port #= Port # Comp= None Source: IP Addr= 192.168.1.5 IP Mask= 255.255.255.255 Port #= Port # Comp= None...
  • Page 123 Press ENTER to Confirm or ESC to Cancel: After this filter set is applied to this field, the client (192.168.1.5) will not be allowed to access the Internet.
  • Page 124 Before you configure the filter, you need to know the MAC address of the client. The MAC address is provided by the client's NIC. If LAN packets from that client are passing through the P-334WT, you can identify the unwanted MAC address from the P-334WT's LAN packet trace. Please look at the following example to see how the LAN packets are traced.
  • Page 125 - Optional Data: (32 bytes) Configurations From the first trace above, we know that a client is sending a ping request to the P-334WT router. From the second trace, we know that the P-334WT router sends a reply back to the client accordingly. The following...
  • Page 126 Set to '6' since a MAC address has 6 octets. Mask (in hexadecimal) Specify the value that the P-334WT will logically AND with the data in the packet. Since the Length is set to 6 octets, the Mask for it should be 12 hexadecimal digits. In this...
  • Page 127 Value (in hexadecimal) Specify the MAC address [00 80 c8 4c ea 63] that the P-334WT should use to compare with the masked packet. If the result from the masked packet matches the 'Value', then the packet is considered matched.
  • Page 128 Menu 3.1 - General Ethernet Setup Input Filter Sets: protocol filters= device filters= 1 Output Filter Sets: protocol filters= device filters=
  • Page 129 The NetBIOS protocol is used to share a Microsoft computer within a workgroup. For security reasons, NetBIOS connections to outside hosts are blocked by the P-334WT router by factory default. Users can remove the filter sets applied in menu 3.1 and menu 4.1 to activate the NetBIOS services. The details of the filter settings are described as follows.
  • Page 130 Menu 21 - Filter Set Configuration Filter Filter Set # Comments Set # Comments ------ ----------------- ------ ----------------- NetBIOS_WAN _______________ NetBIOS_LAN _______________ _______________ _______________ _______________ _______________ _______________ _______________ _______________ _______________ Enter Filter Set Number to Configure= 1 Edit Comments= Press ENTER to Confirm or ESC to Cancel: Configure the first filter set 'NetBIOS_WAN' by selecting the Filter Set number 1.
  • Page 131 Press ENTER to Confirm or ESC to Cancel: Rule 2-Destination port number 137 with protocol number 17 (UDP) Menu 21.1.2 - TCP/IP Filter Rule Filter #: 1,2 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 17 IP Source Route= No Destination: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0 Port #= 137...
  • Page 132 Menu 21.1.3 - TCP/IP Filter Rule Filter #: 1,3 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 6 IP Source Route= No Destination: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0 Port #= 138 Port # Comp= Equal Source: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0 Port #= 0 Port # Comp= None...
  • Page 133 Port # Comp= None TCP Estab= N/A More= No Log= None Action Matched= Drop Action Not Matched= Check Next Rule Press ENTER to Confirm or ESC to Cancel: Rule 5-Destination port number 139 with protocol number 6 (TCP) Menu 21.1.5 - TCP/IP Filter Rule Filter #: 1,5 Filter Type= TCP/IP Filter Rule Active= Yes...
  • Page 134 Menu 21.1.6 - TCP/IP Filter Rule Filter #: 1,6 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 17 IP Source Route= No Destination: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0 Port #= 139 Port # Comp= Equal Source: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0 Port #= 0 Port # Comp= None...
  • Page 135 Apply the first filter set 'NetBIOS_WAN' to the 'Output Protocol Filter' in menu 11.5 for activating it. Menu 11.5 - Remote Node Filter Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Call Filter Sets: protocol filters= device filters= Press ENTER to Confirm or ESC to Cancel:...
  • Page 136 TCP Estab= No More= No Log= None Action Matched= Drop Action Not Matched= Check Next Rule Press ENTER to Confirm or ESC to Cancel: Rule 2-Source port number 137, Destination port number 53 with protocol number 17 (UDP) Menu 21.2.2 - TCP/IP Filter Rule Filter #: 2,2 Filter Type= TCP/IP Filter Rule Active= Yes...
  • Page 137 'Input protocol filters=' in Menu 3 for blocking the packets from the LAN Menu 3.1 - General Ethernet Setup Input Filter Sets: protocol filters= 2 device filters= Output Filter Sets: protocol filters= device filters=
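The TCP/IP rules of the NetBIOS_WAN set above and the generic MAC-address rule from Pages 124 to 128 are walked the same way: each rule yields its 'Action Matched' or 'Action Not Matched', and 'Check Next Rule' falls through to the next one. The following Python model of that walk is an added example, not ZyXEL code; the Ethernet source-address offset of 6, the sample packets and the frame builder are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Union

DROP, FORWARD, NEXT = "drop", "forward", "check next rule"


@dataclass
class TcpIpRule:
    """One Menu 21.x.y TCP/IP rule; protocol 0, mask 0.0.0.0 and comp 'none' match anything."""
    protocol: int = 0
    dst_addr: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    dst_port: int = 0
    dst_comp: str = "none"          # none | equal | not_equal | less | greater
    src_addr: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"
    src_port: int = 0
    src_comp: str = "none"
    matched: str = DROP
    not_matched: str = NEXT


@dataclass
class GenericRule:
    """One generic (device) rule: AND `length` bytes at `offset` with `mask`, compare to `value`."""
    offset: int
    length: int
    mask: bytes
    value: bytes
    matched: str = DROP
    not_matched: str = NEXT


@dataclass
class Packet:
    """Constructed packet: raw frame bytes for generic rules, parsed fields for TCP/IP rules."""
    frame: bytes = b""
    protocol: int = 0
    src: str = "0.0.0.0"
    dst: str = "0.0.0.0"
    sport: int = 0
    dport: int = 0


def _addr_match(rule_addr: str, rule_mask: str, pkt_addr: str) -> bool:
    mask = int(ipaddress.IPv4Address(rule_mask))
    return (int(ipaddress.IPv4Address(pkt_addr)) & mask) == (int(ipaddress.IPv4Address(rule_addr)) & mask)


def _port_match(comp: str, want: int, have: int) -> bool:
    return {"none": True, "equal": have == want, "not_equal": have != want,
            "less": have < want, "greater": have > want}[comp]


def rule_matches(rule: Union[TcpIpRule, GenericRule], pkt: Packet) -> bool:
    if isinstance(rule, GenericRule):
        window = pkt.frame[rule.offset:rule.offset + rule.length]
        if len(window) < rule.length or len(rule.mask) != rule.length:
            return False
        masked = bytes(b & m for b, m in zip(window, rule.mask))
        return masked == rule.value     # masked packet bytes equal the configured Value
    return (rule.protocol in (0, pkt.protocol)
            and _addr_match(rule.dst_addr, rule.dst_mask, pkt.dst)
            and _addr_match(rule.src_addr, rule.src_mask, pkt.src)
            and _port_match(rule.dst_comp, rule.dst_port, pkt.dport)
            and _port_match(rule.src_comp, rule.src_port, pkt.sport))


def apply_filter_set(rules: List[Union[TcpIpRule, GenericRule]], pkt: Packet) -> str:
    """Walk at most six rules in order; 'check next rule' falls through, any other
    action is final, and running off the end of the set forwards the packet."""
    if len(rules) > 6:
        raise ValueError("a filter set holds at most six rules")
    if len({type(r) for r in rules}) > 1:   # the SMT refuses mixed sets, so do we
        raise ValueError("Protocol and device filter rules cannot be active together")
    for rule in rules:
        action = rule.matched if rule_matches(rule, pkt) else rule.not_matched
        if action != NEXT:
            return action
    return FORWARD


def netbios_wan_set() -> List[TcpIpRule]:
    """The six NetBIOS_WAN rules: drop TCP (6) and UDP (17) to destination ports 137-139."""
    return [TcpIpRule(protocol=proto, dst_port=port, dst_comp="equal")
            for port in (137, 138, 139) for proto in (6, 17)]


def block_mac_set(mac: str) -> List[GenericRule]:
    """Generic rule dropping frames from `mac`: Length 6, Mask ffffffffffff, Value = the MAC.
    Offset 6 (Ethernet source-address field) is an assumption; the page does not state it."""
    return [GenericRule(offset=6, length=6, mask=bytes.fromhex("ff" * 6),
                        value=bytes.fromhex(mac.replace(":", "")))]


def ethernet_frame(src_mac: str) -> bytes:
    """Constructed frame: broadcast destination, given source MAC, IPv4 ethertype, no payload."""
    return bytes.fromhex("ff" * 6) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"


if __name__ == "__main__":
    nb = Packet(protocol=17, src="192.168.1.5", dst="203.0.113.9", sport=137, dport=137)
    web = Packet(protocol=6, src="192.168.1.5", dst="203.0.113.9", sport=1025, dport=80)
    print(apply_filter_set(netbios_wan_set(), nb), apply_filter_set(netbios_wan_set(), web))
    print(apply_filter_set(block_mac_set("00:80:c8:4c:ea:63"),
                           Packet(frame=ethernet_frame("00:80:c8:4c:ea:63"))))
```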
  • Page 138: Unix Setup

    Setting Up the Syslog Prestige Setup UNIX Setup The Prestige is able to send four types of system logs to a syslog daemon such as UNIX syslogd. Prestige Setup Menu 24.3.2 - System Maintenance - Syslog Logging Syslog: Active= Yes Syslog Server IP Address= 192.168.1.34 Log Facility= Local 1 Configuration:...
  • Page 139 2. Edit /etc/syslog.conf by adding the following line at the end of the file: local1.* /var/log/zyxel.log where /var/log/zyxel.log is the full path of the log file. 3. Restart syslogd.
  • Page 140: Network Management Using Snmp

    Network Management Using SNMP 1. SNMP Overview The Simple Network Management Protocol (SNMP) is an application-layer protocol used to exchange management information between network devices (e.g., routers). By using SNMP, network administrators can more easily manage network performance and find and solve network problems. SNMP is a member of the TCP/IP protocol suite; it uses UDP to exchange messages between a management client and an agent residing in a network node.
  • Page 141 The Internet Management Model is as shown in figure 1. Interactions between the NMS and managed devices can be any of four different types of commands: 1. Reads Read is used to monitor the managed devices, NMSs read variables that are maintained by the devices.
  • Page 142 2. ZyXEL SNMP Implementation ZyXEL currently includes SNMP support in some Prestige routers. It is implemented based on SNMPv1, so it is able to communicate with SNMPv1 NMSs. Further, users can also add ZyXEL's private MIB to the NMS to monitor and control additional system variables. ZyXEL's private MIB tree is shown in figure 3.
  • Page 143 If the machine cold-starts, the trap will be sent after booting. 2. warmStart (defined in RFC-1215): If the machine warm-starts, the trap will be sent after booting. 3. linkDown (defined in RFC-1215): If any IDSL or WAN link is down, the trap will be sent with the port number. The port number is the link's interface index under the interface group.
  • Page 144 3. Configure the Prestige for SNMP The SNMP related settings in Prestige are configured in menu 22, SNMP Configuration. The following steps describe a simple setup procedure for configuring all SNMP settings.
  • Page 145 NMS is expecting. The default is 'public'. Trap Destination Enter the IP address of the NMS to which you wish to send the traps. If 0.0.0.0 is entered, the Prestige will not send traps to any NMS manager.
  • Page 146: Using The Dynamic Dns (Ddns)

    Using the Dynamic DNS (DDNS) What is DDNS? The DDNS service, an IP registry, provides a public central database where information such as email addresses, hostnames, IPs etc. can be stored and retrieved. This solves the problem of a DNS hostname that has to map to a dynamic IP address.
  • Page 147 Menu 1 - General Setup System Name= P-334WT Domain Name= First System DNS Server= From ISP IP Address= N/A Second System DNS Server= From ISP IP Address= N/A Third System DNS Server= From ISP IP Address= N/A Edit Dynamic DNS= Yes Menu 1.1 - Configure Dynamic DNS...
  • Page 148 Enter the password that the DDNS server gives to you. Enable Wildcard Enter the hostname for the wildcard function that WWW.DYNDNS.ORG supports. Note that the Wildcard option is available only when the provider is WWW.DYNDNS.ORG.
  • Page 149: Using Ip Alias

    Using IP Alias What is IP Alias? In a typical environment, a LAN router is required to connect two local networks. The Prestige supports connecting three local networks to the ISP or a remote node; we call this function 'IP Alias'. In this case, an internal router is not required.
  • Page 150: Dhcp Setup

    Copyright (c) 1994 - 1999 ZyXEL Communications Corp. ras> ip ro st Dest FF Len Interface Gateway Metric stat Timer 192.168.3.0 00 24 enif0:1 192.168.3.1 041b 0 192.168.2.0 00 24 enif0:0 192.168.2.1 041b 0 192.168.1.0 00 24 enif0 192.168.1.1 041b 0 ras>...
  • Page 151: Tcp/Ip Setup

    IP Alias 2 Toggle to 'Yes' and enter the third LAN IP address for the Prestige. This will create the third route on the enif0:1 interface.
  • Page 152 Using FTP to Upload the Firmware and Configuration Files In addition to uploading the firmware and configuration file via the console port and a TFTP client, you can also upload the firmware and configuration files to the Prestige using FTP. To use this feature, your workstation must have FTP client software. Two examples are shown below.
  • Page 153 ftp: 924512 bytes sent in 4.83Seconds 191.41Kbytes/sec. ftp> Here, 'p312.bin' is the local file and 'ras' is the remote file that will be saved in the Prestige. The Prestige reboots automatically after the upload is finished. 2. Using FTP client software Step 1 Rename the local firmware and configuration files to 'ras' and 'rom-0', because we cannot specify the remote file name in the FTP client software.
  • Page 154 2. Press 'OK' to ignore the 'Username' prompt. 3. To upload the firmware file, we transfer the local 'ras' file to overwrite the remote 'ras' file. To upload the configuration file, we transfer the local 'rom-0' to overwrite the remote 'rom-0' file.
  • Page 155 4. The Prestige reboots automatically after the upload is finished.
  • Page 156: Firmware/Configurations Uploading And Downloading Using Tftp

    Firmware/Configurations Uploading and Downloading using TFTP Using TFTP client software Using TFTP command on Windows NT Using TFTP command on UNIX Downloading Walusoft TFTP from http://www.walusoft.co.uk Using TFTP client software Upload/download ZyNOS via LAN Upload/download SMT configurations via LAN Using TFTP to upload/download ZyNOS via LAN TELNET to your Prestige first before running the TFTP software Type the CI command 'sys stdio 0' to disable console idle timeout in Menu 24.8 and stay in Menu 24.8...
  • Page 157 The 192.168.1.1 is the IP address of the Prestige. The local file is the source file of the ZyNOS firmware that is available in your hard disk. The remote file is the file name that will be saved in Prestige. Check the port number 69 and 512-Octet blocks for TFTP.
  • Page 158 1. TELNET to your Prestige first before using TFTP command 2. Type the CI command 'sys stdio 0' to disable console idle timeout in Menu 24.8 and stay in Menu 24.8 Upload ZyNOS via LAN c:\tftp -i [PrestigeIP] put [localfile] Download ZyNOS via LAN c:\tftp -i [Prestige IP] get ras [localfile]...
  • Page 159 [cppwu@faelinux cppwu]$ telnet 192.168.1.1 Trying 192.168.1.1... Connected to 192.168.1.1. Escape character is '^]'. Password: **** Copyright (c) 1994 - 2004 ZyXEL Communications Corp. Prestige 334WT Main Menu Getting Started Advanced Management 1. General Setup 21. Filter and Firewall Setup 2. WAN Setup 22.
  • Page 160 9. Call Control 10. Time and Date Setting 11. Remote Management Setup Enter Menu Selection Number: 8 Copyright (c) 1994 - 2004 ZyXEL Communications Corp. ras> sys stdio 0 ras> (press Ctrl+] to escape to Telnet prompt) telnet> [1]+ Stopped telnet 192.168.1.1...
  • Page 161 Using Traffic Redirect What is Traffic Redirect? How to deploy a backup gateway? Are you using the Prestige family? What is Traffic Redirect? Traffic redirect forwards WAN traffic to a backup gateway when the Prestige cannot connect to the Internet through its normal gateway.
  • Page 162 Traffic Redirect on LAN port Traffic Redirect Setup Configure parameters that determine when Prestige will forward WAN traffic to the backup gateway using SMT Menu 11.6- Traffic Redirect Setup. Menu 11.1 - Remote Node Profile Menu 11.6 - Traffic Redirect Setup Active= Yes Configuration: Backup Gateway IP Address= 192.168.1.50...
  • Page 163 If you are using the Prestige with the firewall function turned on, it is strongly recommended that you deploy the backup gateway in an IP alias segment. Refer to the IP alias notes for how to use IP alias in the Prestige, and to the firewall FAQ for the reason behind this suggestion.
  • Page 164 Using P-334WT IPSec VPN P-334WT to ZyWALL Tunneling Secure Gateway with Dynamic WAN IP Address Configure NAT for internal servers Configure P-334WT behind a NAT router Relaying NetBIOS Broadcast over IPSec tunnel
  • Page 165 View Log This page guides you through setting up a VPN connection between the P-334WT and a ZyWALL router. Please note that, in addition to ZyWALL, the P-334WT can also talk to other VPN hardware. The tested VPN hardware is shown below.
  • Page 166 2. In this example, we assume that the P-334WT's model name is P-334WT; since it is a P-334WT, only 1 PC can use the tunnel. 3. In this example, we assume that the ZyWALL's model name is ZyWALL10W. 1. Setup P-334WT 1. Using a web browser, log in to the P-334WT by entering its LAN IP address in the URL field. The default LAN IP is 192.168.1.1 and the default password for the web configurator is 1234.
  • Page 167 Note: You may assign a range of Local/Remote IP addresses for multiple VPN sessions. 8. My IP Addr is the WAN IP of ZyWALL. 9. Secure Gateway IP Addr is the remote secure gateway IP, that is P-334WT's WAN IP in this example. 10. Select Encapsulation Mode to Tunnel.
  • Page 168 Menu 27.2, SA Monitor Through menu 27.2, you can monitor all IPSec connections currently running on the P-334WT. The second column of each entry indicates the IPSec rule name. So, if you cannot see the name of your IPSec rule, it means that the SA establishment failed. Please go back to Menu 27 to check your settings.
  • Page 169 If IPSec connection fails, please dump 'ipsec debug 1' for our analysis. The following shows an example of dumped messages. P-334WT> ipsec debug 1 IPSEC debug level 1 P-334WT> catcher(): recv pkt numPkt<1> get_hdr nxt_payload<1> exchMode<2> m_id<0> len<80> f76af206 b187aae3 00000000 00000000 01100200 00000000 00000050 00000034 00000001 00000001 00000028 01010001 00000020 01010000 80010001 80020001...
  • Page 170 IP will not be available to pre-define in the VPN box. There are some tips for configuring the ZyWALL in any dynamic case. ZyWALL static WAN IP vs. peer side dynamic IP 1. In the VPN settings of the P-334WT, please specify the IP address of the Secure Gateway as 0.0.0.0.
  • Page 171 In this case, W2K won't capture the dynamic IP address automatically for you. You have to obtain your dynamic IP address and then go back to IPSec configuration to setup your current IP address. P-334WT dynamic WAN IP v.s. peer side static IP...
  • Page 172 1. In the VPN settings of the P-334WT, please specify the IP address of My IP as 0.0.0.0. The P-334WT will automatically bind its current WAN IP address to IPSec.
  • Page 173 2. IPSec tunnel in this case, can ONLY be initiated from P-334WT.
  • Page 174: Configure Nat For Internal Servers

    IP entered in the SUA/NAT Server Table. However, if both NAT and IPSec are enabled in the P-334WT, editing the table is necessary only if the connection is a non-secure connection. For secure connections, no SUA server settings are required, since the private IP is reachable in the VPN case.
  • Page 175 SUA/NAT Server Table. 2. WAN IP of the NAT router is the tunneling endpoint for this case, not the WAN IP of P-334WT. 3. If firewall is turned on in P-334WT, you must forward IKE port in Internet interface.
  • Page 176 Relaying NetBIOS Broadcast over IPSec tunnel. With NetBIOS broadcast supported in the VPN tunnel, users of Microsoft Windows can search for computers in the remote VPN network by "Computer Name". Users do not need to pre-edit lmhosts on their local computer or set up a WINS server in between.
  • Page 177 Phase 2 - Active Protocol= ESP Encryption Algorithm= DES Authentication Algorithm= MD5 SA Life Time (Seconds)= 28800 Encapsulation= Tunnel Perfect Forward Secrecy (PFS)= None ---------- NetBios Setup ---------- Broadcast Pass Through /*<------broadcast is not turned on yet.*/ Status: Inactive Group: none ras>...
  • Page 178: Wireless Application Notes

    Wireless Application Notes Infrastructure Mode Wireless MAC Address Filtering WEP Configurations IEEE 802.1x Site Survey
  • Page 179: Configuring Infrastructure Mode

    Configuring the Wireless Access Point to Infrastructure mode using SMT. To configure Infrastructure mode on your P-334WT wireless AP, please follow the steps below. 1. From the SMT main menu, enter 3 to display Menu 3 - LAN Setup.
  • Page 180 3. Configure ESSID, Channel ID, WEP, Default Key and Keys as you desire. Configuring the Wireless Access Point to Infrastructure mode using the Web configurator. To configure Infrastructure mode on your P-334WT, please follow the steps below. 1. From the web configurator main menu, go to Main Menu/Wireless LAN/Wireless.
  • Page 181 3. Configure the desired configuration on the P-334WT. 4. Finished. Configuring the Wireless Station to Infrastructure mode To configure Infrastructure mode on your ZyAIR B-100/B-200/B-300 wireless NIC card, please follow the steps below. 1. Double-click the utility icon in your Windows task bar; the utility will pop up on your Windows screen.
  • Page 182 3. Select Infrastructure from the operation mode pull-down menu, fill in an SSID or leave it as 'any' if you wish to connect to any AP, then press Apply Change to take effect. 4. Click on the Site Survey tab and press Search; all the available APs will be listed.
  • Page 183 5. Double-click on the AP you want to associate with.
  • Page 184 6. After the client has associated with the selected AP, the linked AP's channel, current link rate, SSID, link quality and signal strength will be shown on the Link Info page. You have now successfully associated with the selected AP in Infrastructure mode.
  • Page 185: Mac Filter

    MAC Filter MAC Filter Overview ZyXEL MAC Filter Implementation Configure the WLAN MAC Filter 1. MAC Filter Overview Users can use the MAC Filter as a method to restrict unauthorized stations from accessing the APs. ZyXEL's APs provide the capability of checking the MAC address of a station before allowing it to connect to the network. This provides an additional layer of control in that only stations with registered MAC addresses can connect.
  • Page 186 Menu 3.5.1 - WLAN MAC Address Filter Active= No Filter Action= Allowed Association ------------------------------------------------------------------------------ 1= 00:00:00:00:00:00 13= 00:00:00:00:00:00 25= 00:00:00:00:00:00 2= 00:00:00:00:00:00 14= 00:00:00:00:00:00 26= 00:00:00:00:00:00 3= 00:00:00:00:00:00 15= 00:00:00:00:00:00 27= 00:00:00:00:00:00 4= 00:00:00:00:00:00 16= 00:00:00:00:00:00 28= 00:00:00:00:00:00 5= 00:00:00:00:00:00 17= 00:00:00:00:00:00 29= 00:00:00:00:00:00 6= 00:00:00:00:00:00 18= 00:00:00:00:00:00 30= 00:00:00:00:00:00 7= 00:00:00:00:00:00 19= 00:00:00:00:00:00 31= 00:00:00:00:00:00 8= 00:00:00:00:00:00 20= 00:00:00:00:00:00 32= 00:00:00:00:00:00...
  • Page 188 Setup WEP (Wired Equivalent Privacy) Introduction Setting up the Access Point Setting up the Station Introduction The 802.11 standard describes the communication that occurs in wireless LANs. The Wired Equivalent Privacy (WEP) algorithm is used to protect wireless communication from eavesdropping, because wireless transmissions are easier to intercept than transmissions over wired networks. Wireless is a shared medium, so everything that is transmitted or received over a wireless network can be intercepted.
  • Page 189 Setting up the Access Point Most access points and clients can hold up to 4 WEP keys simultaneously. You need to specify one of the 4 keys as the default key for data encryption. To set up the Access Point, you will need to set one of the following parameters: 64-bit WEP key (secret key) with 5 characters 64-bit WEP key (secret key) with 10 hexadecimal digits 128-bit WEP key (secret key) with 13 characters...
  • Page 190 Setting up the Access Point from SMT Menu 3.5 The B1000 holds up to 4 WEP keys. You have to specify one of the 4 keys as the default key, which will be used to encrypt wireless data transmission. For example, Menu 3.5 - Wireless LAN Setup ESSID= B1000 Hide ESSID= No Channel ID= CH01 2412MHz...
  • Page 191 So, Key 3 of the station has to equal Key 3 of the access point. Although the access point uses Key 3 as its default key, the station can use another key as its default key to encrypt wireless data transmission.
  • Page 192 The utility will pop up on your Windows screen. Note: If the utility icon does not exist in your task bar, click Start -> Programs -> IEEE802.11b WLAN Card -> IEEE802.11b WLAN Card. 2. Select the 'Encryption' tab. Select the encryption type corresponding to the access point. Set up 4 keys that correspond with the WEP keys of the access point.
  • Page 193 Key settings The WEP encryption type of the station has to equal that of the access point. Check the 'ASCII' field for a character WEP key or uncheck the 'ASCII' field for a hexadecimal-digit WEP key.
  • Page 194 Hexadecimal digits do not need to be preceded by '0x'. For example, 64-bit WEP keys with characters: Key1= 2e3f4 Key2= 5y7js Key3= 24fg7 Key4= 98jui 64-bit WEP keys with hexadecimal digits: Key1= 123456789A Key2= 23456789AB Key3= 3456789ABC Key4= 456789ABCD
  • Page 195 Setup IEEE 802.1x Access Control (Authentication and Accounting) What is IEEE 802.1x? IEEE 802.1x Introduction Authentication Port State and Authentication Control Re-Authentication EAPOL Setup 802.1x in Wireless Access Point Enable 802.1x Using Internal Authentication Server Using External RADIUS Authentication Server Setup 802.1x client in the Station IEEE 802.1x Introduction IEEE 802.1x port-based authentication is designed to prevent unauthorized devices (clients) from gaining access to the network.
  • Page 196 The device (i.e. the Wireless AP) facilitates authentication for the supplicant (wireless client) attached to the wireless network. The authenticator controls physical access to the network based on the authentication status of the client. The authenticator acts as an intermediary (proxy) between the client and the authentication server (i.e. the RADIUS server), requesting identity information from the client, verifying that information with the authentication server, and relaying a response to the client.
  • Page 197 1. Force Authorized: Disables 802.1x and causes the port to transition to the authorized state without any authentication exchange required. The port transmits and receives normal traffic without 802.1x-based authentication of the client. This is the default port control setting. While the AP is set up as Force Authorized, any wireless client (with or without 802.1x client support) can always access the network.
  • Page 198 However, if during boot-up the supplicant does not receive an EAP-Request/Identity frame from the Wireless AP, the client can initiate authentication by sending an EAPOL-Start frame, which prompts the AP to request the supplicant's identity. In the above case, the authenticator is co-located with the authentication server. When the supplicant supplies its identity, the authenticator exchanges EAPOL directly with the supplicant until authentication succeeds or fails.
  • Page 199 EAP-Packet: Both the supplicant and the authenticator send this packet while authentication is taking place. This is the packet that contains either the MD5-Challenge or the TLS information required for authentication. EAPOL-Start: The supplicant sends this packet when it wants to initiate the authentication process. EAPOL-Logoff: The supplicant sends this packet when it wants to terminate its 802.1x session.
  • Page 200 Press [SPACE BAR] to select from Force Authorized, Force UnAuthorized or Auto. The default is Force Authorized. Auto: Enables the 802.1x function to authorize all wireless clients; only wireless clients with 802.1x client support can access the network. Authentication Control Force Authorized: Disables the 802.1x function and allows any wireless client to access your wireless network without authentication.
  • Page 201 Using an External RADIUS Authentication Server. In addition to the internal authentication server inside the ZyXEL AP, you can use an external RADIUS authentication server to centrally manage user account profiles. RADIUS is based on a client-server model that supports authentication, authorization and accounting. The wireless AP is the client and the RADIUS server is the server.
  • Page 202 1. From the SMT main menu, enter Menu 23.2 (System Security - RADIUS Server) to set up the RADIUS authentication server. Menu 23.2 - System Security - RADIUS Server Authentication Server: Active= Server Address= 192.168.1.100 Port #= 1812 Shared Secret= ***** Accounting Server: Active= Yes Server Address= 192.168.1.100...
  • Page 203 Active: Press [SPACE BAR] to select Yes and press [Enter] to enable 802.1x user authentication through an external RADIUS authentication server. Select No to authenticate using the ZyXEL AP's internal authentication server. Server Address: Enter the IP address of the external RADIUS authentication server. The default RADIUS authentication port is 1812.
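How the AP and the server configured in Menu 23.2 talk to each other, as an added example (not ZyXEL's code): a RADIUS Access-Request carrying User-Name, User-Password and NAS-IP-Address, the User-Password hiding that uses the shared secret and the Request Authenticator (RFC 2865 section 5.2), and the Response Authenticator that lets the AP check that an Access-Accept or Access-Reject really came from a holder of the shared secret. The secret, user name, password, Request Authenticator and NAS address below are constructed test values; a real client would draw the Request Authenticator from a CSPRNG for every request. The shared secret is the only protection these two mechanisms have, so it should be long and random, and the RADIUS traffic kept on a trusted management segment.

```python
"""RADIUS Access-Request/Accept with User-Password hiding, RFC 2865 (added example)."""
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
RADIUS_AUTH_PORT = 1812   # the default shown in Menu 23.2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: c_i = p_i XOR MD5(secret || c_{i-1}), with c_0 = Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out, prev = out + c, c
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: invert hide_password and strip the zero padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    """Attributes are Type(1) Length(1, header included) Value."""
    return b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)


def parse_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("attribute header truncated")
        t, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        out.append((t, data[pos + 2:pos + length]))
        pos += length
    return out


def build_access_request(identifier: int, request_auth: bytes, username: bytes,
                         password: bytes, secret: bytes, nas_ip: str) -> bytes:
    """Packet: Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    attrs = encode_attrs([
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)),
        (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client (AP) side: the only proof that the reply came from a holder of the secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def serve(request: bytes, secret: bytes, users: Dict[bytes, bytes]) -> bytes:
    """Minimal server: recover the password, check the credential, answer Accept/Reject."""
    if request[0] != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    attrs = dict(parse_attrs(request[20:]))
    user, hidden = attrs.get(ATTR_USER_NAME), attrs.get(ATTR_USER_PASSWORD)
    ok = (user in users and hidden is not None
          and hmac.compare_digest(reveal_password(hidden, secret, request[4:20]), users[user]))
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)
```

If the AP and the server hold different secrets, `reveal_password` yields garbage (so the server rejects) and `verify_response` fails on the AP (so even an Accept forged by someone without the secret is dropped); a single flipped byte in the reply also fails the check.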
  • Page 204 All contents copyright © 2004 ZyXEL Communications Corporation.
  • Page 205 Setup 802.1x client in the station Setup Windows XP 802.1x client Setup MeetingHouse AEGIS 802.1x client Setup 802.1x client in the station EAP can support multiple authentication mechanisms, such as MD5-Challenge, One-Time Password, Generic Token Card, TLS and TTLS. So far the ZyXEL wireless AP only supports the MD5-Challenge authentication mechanism; TLS and TTLS support is planned for the future.
  • Page 206 4. In the Authentication tab, check Enable network access control using IEEE 802.1x and choose MD5-Challenge in the EAP type list, as shown below.
  • Page 207 5. Connect to the ZyXEL AP: in Wireless Network Connection, choose View Available Wireless Networks...
  • Page 208 6. In the Connect to Wireless Network window, select the AP you would like to connect to in the Available networks field, then click the Connect button.
  • Page 209 7. Windows XP will show the message "Click here to enter your user name and password for the network <AP_name>", where <AP_name> is the name of the AP you chose in the previous step. Click on the message box or the icon shown in the icon list. 8.
  • Page 210 9. Windows XP completes the negotiation and changes the status automatically, as shown in the following figure. Setup MeetingHouse AEGIS 802.1x client...
  • Page 211 1. Please connect your wireless client to the AP before configuring the AEGIS 802.1x client. 2. Open the AEGIS Client - Running window, choose Client --> Configure --> select the User settings tab --> type the username into the Identity field --> select the MD5-Challenge authentication type --> type the password into the Password field -->...
  • Page 213 3. Right-click the specified wireless client adapter in the AEGIS Client --> select Start to start 802.1x authentication on that wireless client adapter. 4. The AEGIS 802.1x client completes the negotiation and changes status automatically. Before 802.1x authentication: After 802.1x authentication is completed:...
  • Page 214 5. If the AEGIS 802.1x client does not start to negotiate with the wireless AP, please perform Step 1 again.
  • Page 215: Site Survey

    Site Survey Site survey introduction Preparation Survey on site Introduction What is Site Survey? An RF site survey is a map of the RF coverage contour in a particular facility. With a wireless system it is very difficult to predict the propagation of radio waves and to detect the presence of interfering signals. Walls, doors, elevator shafts, and other obstacles offer different degrees of attenuation.
  • Page 216 2. Install an access point at the preliminary location. 3. Use a notebook with a wireless client installed and run its utility. The utility provides information such as connection speed, current channel, associated rate, link quality and signal strength, as shown in the utility below.
  • Page 217 5. When you reach the farthest point at which you still have a connection, mark the spot. Now move the access point to this new spot, since you have already determined the farthest point from the installation spot, if wireless service is required from the corner of the room.
  • Page 218 Note: If more than one access point is needed, be sure that the service areas of adjacent access points overlap one another so that wireless stations are able to roam. For more information please refer to roaming at...
  • Page 219 TMSS Application Notes Registration Steps(Demo)
  • Page 220 TMSS TMSS Introduction TMSS Registration Demo TMSS Introduction What is TMSS? TMSS helps to identify vulnerabilities and to protect PCs and networks that are connected to the Internet via a router. Integrated with chosen hardware partners, TMSS is designed to address the security needs of PCs that access the Internet via broadband routers.
  • Page 221 3. When you click the "Continue" button, the web page redirects to the TMSS dashboard shown below.
  • Page 222 4. Click "Service Summary"; on this page you can activate the TMSS service. (You can press the "?" mark on the page for more detailed information.)
  • Page 223 5. Click "Activate My Services" and you will see the pages below. (Please follow the instructions on the page to finish the registration steps.)
  • Page 226 6. After you receive the registration mail from TMSS, follow the instructions in the mail to validate your account. Once your account is validated you are redirected to the page below, where you can download the 60-day trial version of TIS (Trend Micro Internet Security).
  • Page 227 7. Go back to the TMSS dashboard; you can see that the status has already changed. (If you want to extend your TMSS service after the trial expires, please check Online Support or press the "?" mark for more details.)
  • Page 228 8. Use "Security Scan" to run a security scan on your PC or on all the PCs in your network (on the LAN side of the device). After the scan is finished, TMSS generates a report showing the result.
  • Page 230 9. Before you validate your account, the Parental Control status will look like the page below.
  • Page 231 10. Below is the page on which you validate your account.
  • Page 232 11. After you finish the TMSS registration and install the TIS software, the Web GUI displays as below (the Client Antivirus Protection Status information and the Parental Control settings column).
  • Page 235 TMSS FAQ 1. The entire-network result will never be "Risk Free". 2. If the user sets an incorrect DNS setting on the router, parental controls will not work. 3. If the router's web server does not use port 80, the TMSS service will not work. 4. The scanning result is sent to the default gateway. 5. If a client is in the exception list but the router reboots, the web console will not display this client.
  • Page 236 4. The scanning result is sent to the default gateway. If the network topology uses multiple routers, e.g. ADSL-----TMSS router------router2 (default gateway)------PC, the scan assumes that the default gateway is the TMSS router, so the data will not reach the true TMSS router.
  • Page 237 16. A script error occurs when using IE5 to view another client's report. No error occurs with IE version 5.5 or later. 17. If the user registers a name in Chinese, it is not shown in the verification mail and appears as ??? instead.
  • Page 238 CI Command List Command Class List Table System Related Command Exit Command Device Related Command Ethernet Related Command POE Related Command PPTP Related Command Configuration Related Command IP Related Command IPSec Related Command Firewall Related Command Wireless LAN Related Command Bridge Related Command Radius Related Command 802.1x Related Command...
  • Page 239 System Related Command Home Command Description adjtime retrieve date and time from Internet callhist display display call history remove <index> remove entry from call history countrycode [countrycode] set country code date [year month date] set/display date domainname display domain name edit <filename>...
  • Page 240 hostname [hostname] display system hostname logs category access [0:none/1:log/2:alert/3:both] record the access control logs attack [0:none/1:log/2:alert/3:both] record and alert the firewall attack logs display display the category setting error [0:none/1:log/2:alert/3:both] record and alert the system error logs ipsec [0:none/1:log/2:alert/3:both] record the IPSec logs ike [0:none/1:log/2:alert/3:both] record the IKE logs javablocked [0:none/1:log]...
  • Page 241 disp clear log error online turn on/off error log online display load load the log setting buffer mail alertAddr [mail address] send alerts to this mail address display display mail setting logAddr [mail address] send logs to this mail address schedule display display mail schedule schedule hour [0-23]...
  • Page 242 server [domainName/IP] syslog server to send the logs clear clear log error disp display log error online [on|off] turn on/off error log online display resolve Resolve mail server and syslog server address mbuf link link list system mbuf link pool <id>...
  • Page 243 <none|sua|full_feature> config remote node nat nailup <no|yes> config remote node nailup <value> set remote node mtu save [entry no.] save remote node information (not supported in this product) stdio [minute] change terminal timeout value time [hour [min [sec]]] display/set system time trcdisp monitor packets trclog...
  • Page 244 romreset restore default romfile server access <telnet|ftp|web|icmp|snmp|dns> set server access type <value> load load server information disp display server information port <telnet|ftp|web|snmp> <port> set server port save save server information secureip <telnet|ftp|web|icmp|snmp|dns> set server secure ip addr <ip> fwnotify load load fwnotify entry from spt save save fwnotify entry to spt...
  • Page 245 disp <ch-name> show the connection trace of this channel clear <ch-name> clear the connection trace of this channel <ch-name> show channel connection related counter socket display system socket information filter netbios roadrunner debug <level> enable/disable roadrunner service 0: disable <default> 1: enable display <iface name>...
  • Page 246 netbios upnp active [0:no/1:yes] Activate or deactivate the saved upnp settings config [0:deny/1:permit] Allow users to make configuration changes. through UPnP display display upnp information firewall [0:deny/1:pass] Allow UPnP to pass through Firewall. load save upnp information save save upnp information Exit Command Home Command...
  • Page 247 dial <node#> dial to remote node Ethernet Related Command Home Command Description ether config display LAN configuration information driver disp <name> display ether driver counters ioctl <ch_name> Useless in this stage. status <ch_name> see LAN status version see ethernet device type pkttest disp packet <level>...
  • Page 248 disp <ch_name> display ethernet debug information level <ch_name> <level> set the ethernet debug level level 0: disable debug log level 1: enable debug log (default) edit load <ether no.> load ether data from spt <value> set ether data mtu accessblock <0:disable 1:enable> block internet access save save ether data to spt...
  • Page 249 dial <rn-name> dial a remote node drop <rn-name> drop a remote node call tunnel <tunnel id> display pptp tunnel information Configuration Related Command Home Command Description config The parameters of config are listed below. edit firewall active Activate or deactivate the saved firewall <yes|no>...
  • Page 250 e-mail mail-server <mail server IP> Edit the mail server IP used to send the alert return-addr <e-mail address> Edit the return address for an email alert e-mail-to <e-mail address> Edit the mail address to send the alert to policy <full | hourly | daily | ...> Edit the email schedule: when the log is full, or per hour, day or week.
  • Page 251 minute-high <0~255> The threshold (new half-open sessions per minute) at which the firewall starts deleting old half-open sessions; it keeps deleting until the rate falls to minute-low minute-low <0~255> The threshold at which the firewall stops deleting old half-open sessions max-incomplete-high <0~255> The threshold (total half-open sessions) at which the firewall starts deleting old half-open sessions; it keeps deleting until the count falls to max-incomplete-low max-incomplete-low <0~255> The threshold at which the firewall stops deleting the half-...
  • Page 252 pnc <yes|no> PNC is allowed when 'yes' is set, even if there is a rule to block PNC log <yes|no> Switch on/off sending the log for matching the default permit rule <rule#> permit <forward|block> Edit whether a packet is dropped or allowed when it matches this rule active <yes|no>...
  • Page 253 destaddr-range <start ip Select and edit a destination address address> <end ip range of a packet which complies to this address> rule. tcp destport-single Select and edit the destination port of a <port#> packet which comply to this rule. For non-consecutive port numbers, the user may repeat this command line to enter the multiple port numbers.
  • Page 254 set <set#> rule <rule#> Insert a specified rule in a set to the firewall configuration Display the choices of command list. debug <1|0> Turn on|off trace for firewall debug information. IP Related Command Home Command Description address [addr] display host ip address alias <iface>...
  • Page 255 server <primary> [secondary] [third] set dns server stats clear clear dns statistics disp display dns statistics httpd icmp status display icmp statistic counter discovery <iface> [on|off] set icmp router discovery flag ifconfig [iface] [ipaddr] [broadcast configure network interface <addr> |mtu <value>|dynamic] ping <hostid>...
  • Page 256 stroute display [rule # | buf] display rule index or detail message in rule. load <rule #> load static route rule in buffer save save rule from buffer to spt. config name <site name> set name for static route. destination <dest addr>[/<bits>] set static route destination address and <gateway>...
  • Page 257 reginfo display display urlfilter registration information name set urlfilter registration name eMail <size> set urlfilter registration email addr country <size> set urlfilter registration country clearAll clear urlfilter register information category display display urlfilter category webFeature [block/nonblock] block or unblock webfeature [activex/java/cookei/webproxy] logAndBlock [log/ set log only or log and block...
  • Page 258 time [pending] set time clearAll clear all listupdate information exemptZone display display exemptzone information actionFlags [type(1-3)][enable/ set action flags disable] add [ip1] [ip2] add exempt range delete [ip1] [ip2] delete exempt range clearAll clear exemptzone information customize display display customize action flags logFlags [type(1-3)][enable/ set log flags disable]...
  • Page 259 tredir failcount <count> set tredir failcount partner <ipaddr> set tredir partner target <ipaddr> set tredir target timeout <timeout> set tredir timeout checktime <period> set tredir checktime active <on|off> set tredir active save save tredir information disp display tredir information debug <value>...
  • Page 260 edit remotehost <start ip> [end set nat server remote host ip edit leasetime [time] set nat server lease time edit rulename [name] set nat server rule name edit forwardip [ip] set nat server server ip edit protocol [protocol id] set nat server protocol edit clear clear one rule in the set service...
  • Page 261 <iface> query send query on iface <iface> rsptime [time] set igmp response time <iface> start turn on of igmp on iface <iface> stop turn off of igmp on iface <iface> ttl <threshold> set ttl threshold <iface> v1compat [on|off] turn on/off v1compat on iface robustness <num>...
  • Page 262 <on|off> After a packet has been IPSec-processed and is about to be sent to the WAN side, this switch controls whether IPSec can be applied to that packet again. Remark: Command available since 3.50(WA.3) show_runtime display runtime phase 1 and phase 2 SA information When a dynamic rule accepts a request and a tunnel is established, a...
  • Page 263 - 0 means never timeout update_peer <0~255> - Adjust auto-timer to update IPSec rules which use domain name as the secure gateway IP. - Interval is in minutes - Default is 30 minutes - 0 means never update Remark: Command available since 3.50(WA.3) updatePeerIp Force system to update IPSec rules...
  • Page 264 keep_alive <rule #> <on|off> Set ipsec keep_alive flag load <rule #> Load ipsec rule save Save ipsec rules config netbios active <on|off> Set netbios active flag group <group index1, group Set netbios group index2…> name <string> Set rule name name <string>...
  • Page 265 lcPortEnd <port> Set local end port rmAddrType <0:single | 1:range | 2:subnet> Set remote address type rmAddrStart <IP> Set remote start address rmAddrEndMask <IP> Set remote end address or mask rmPortStart <port> Set remote start port rmPortEnd <port> Set remote end port antiReplay <Yes | No>...
  • Page 266 p2SaLifeTime <seconds> Set sa life time in phase 2 in IKE encap <0:Tunnel | 1: set encapsulation in phase 2 in IKE Transport> pfs <0:None | 1:DH1 | 2:DH2> set pfs in phase 2 in IKE manual activeProtocol <0:AH | 1: Set active protocol in manual ESP>...
  • Page 267 Command Description Firewall disp Display a specific ACL set # rule #, or all ACLs. active <yes|no> Activate or deactivate the firewall clear Clear the firewall log disp Display firewall log type and count. clear Clear firewall log count. disp Display firewall log online Set firewall log online.
  • Page 268 smtp Set SMTP DoS defender on/off display Display SMTP DoS defender setting. ignore Set whether the firewall ignores DoS on lan/wan/dmz/wlan ignore Set whether the firewall ignores DoS on lan/wan/dmz/wlan triangle Set whether the firewall ignores triangle route on lan/wan/dmz/wlan Wireless LAN Related Command Home Command Description...
  • Page 269 Bridge related to bridge routing statistic table Disp display bridge route counter Clear clear bridge route counter stat related to bridge packet statistic table Disp display bridge route packet counter Clear clear bridge route packet counter Radius Related Command Command Description Radius show current radius authentication server...
  • Page 270 Trace show all supplicants in the supplicant table User [username] show the specified user status in the supplicant table
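A model of the half-open session thresholds listed under Configuration Related Command on Page 251 (minute-high, minute-low, max-incomplete-high, max-incomplete-low), as an added example; it is not ZyNOS code and only illustrates how such a high/low pair should behave. The tracker counts half-open TCP sessions (SYN seen, handshake not completed), starts deleting the oldest ones when either the one-minute rate of new half-open sessions passes minute-high or the total passes max-incomplete-high, and stops once both are back at or below the matching low threshold. It also rejects a configuration whose low threshold is above its high one, since such a pair could never leave the deleting state. The flow tuples and timestamps are constructed.

```python
"""Half-open session tracker with high/low hysteresis thresholds (added example)."""
from collections import OrderedDict
from typing import List, Tuple

Flow = Tuple[str, int, str, int]   # (src, sport, dst, dport) of the client's SYN


class HalfOpenTracker:
    """Illustrative model of minute-high/low and max-incomplete-high/low; not ZyNOS code."""

    def __init__(self, minute_high: int, minute_low: int,
                 max_incomplete_high: int, max_incomplete_low: int) -> None:
        # Each pair is a hysteresis band. A low above its high could never be
        # reached by deleting sessions, so the firewall would delete forever.
        for name, lo, hi in (("minute", minute_low, minute_high),
                             ("max-incomplete", max_incomplete_low, max_incomplete_high)):
            if not 0 <= lo <= hi <= 255:
                raise ValueError(f"{name}-low must be <= {name}-high, both in 0..255")
        self.minute_high, self.minute_low = minute_high, minute_low
        self.max_high, self.max_low = max_incomplete_high, max_incomplete_low
        self.sessions = OrderedDict()          # flow -> SYN time, oldest first
        self.syn_times: List[float] = []       # SYN arrivals inside the last 60 s
        self.deleting = False
        self.evicted = 0
        self.events: List[Tuple[str, float, int, int]] = []   # (event, time, rate, total)

    def rate(self, now: float) -> int:
        """New half-open sessions in the sliding one-minute window."""
        self.syn_times = [t for t in self.syn_times if now - t < 60.0]
        return len(self.syn_times)

    def syn(self, now: float, flow: Flow) -> None:
        """A client SYN opens (or refreshes) a half-open session."""
        self.sessions[flow] = now
        self.sessions.move_to_end(flow)
        self.syn_times.append(now)
        self._enforce(now)

    def established(self, now: float, flow: Flow) -> None:
        """Handshake completed (or the session was reset): no longer half-open."""
        self.sessions.pop(flow, None)
        self._enforce(now)

    def _enforce(self, now: float) -> None:
        rate, total = self.rate(now), len(self.sessions)
        if not self.deleting and (rate > self.minute_high or total > self.max_high):
            self.deleting = True
            self.events.append(("start-deleting", now, rate, total))
        if self.deleting:
            # Drop the oldest half-open sessions until the table is back at the low mark.
            while len(self.sessions) > self.max_low:
                self.sessions.popitem(last=False)
                self.evicted += 1
            if rate <= self.minute_low and len(self.sessions) <= self.max_low:
                self.deleting = False
                self.events.append(("stop-deleting", now, rate, len(self.sessions)))
```

With `HalfOpenTracker(100, 80, 10, 5)`, the eleventh simultaneous half-open session trips max-incomplete-high, the six oldest are evicted and deletion stops at the low mark of five. With a rate trigger such as `HalfOpenTracker(5, 2, 255, 255)`, nothing is evicted (the table is within its limit) but the tracker stays in the deleting state until the one-minute window has drained back to minute-low.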
  • Page 271 Prestige 334WT Troubleshooting Unable to get the WAN IP from the ISP Unable to run applications Embedded packet trace Debug PPPoE connection...
  • Page 272 WAN MAC of the P-334WT. The WAN MAC of the P-334WT can be obtained from menu 24.1. In case the ISP does not allow you to use a new MAC, the P-334WT can clone the MAC from the first PC you installed as the WAN MAC and send it to the ISP. To clone the MAC from the PC you need to enter that PC's IP in menu 2.
  • Page 273 When first installing, the ISP's tech people configure the host name as the 'Computer Name' of the PC in the 'Networking' settings. When the P-334WT is attached to the cable modem to connect to the ISP, we should configure this host name in the P-334WT's system (menu 1).
  • Page 274 RR-Manager. Choose the correct one for your local ISP. Server IP.....The P-334WT will find the Road Runner server IP if this field is blank, otherwise enter the authentication server IP address if you know it. My Login Name...Enter the login name given to you by your ISP Password..Enter the password associated with the login name...
  • Page 275 otherwise, select Static. IP Address & Subnet Mask & Gateway IP Address...Enter the IP address, subnet mask & gateway IP when Static Assignment is selected above.
  • Page 276 ZyXEL SUA Support Table. Please check all the required settings suggested in the table to configure your P-334WT. 2. If your application is not in the table, or it is in the table but still does not work, configure the workstation that runs the application as the SUA default server in SMT 15 and try again. Note that the default server receives every inbound WAN connection that no other server rule matches, so this exposes all services listening on that workstation to the Internet; treat it as a diagnostic step and replace it with specific port forwarding once the required ports are known.
  • Page 277 LAN or WAN end of P-334WT. It is also very helpful for diagnostics if you have compatibility problems with your ISP or if you want to know the details of a packet for configuring a filter rule.
  • Page 278 P324> sys trcp channel enet1 none P324> sys trcp channel enet0 bothway P324> sys trcp sw on P324> sys trcl sw on P324> sys trcd brief 11880.160 ENET0-R[0062] TCP 192.168.1.2:1108->192.31.7.130:80 11883.100 ENET0-R[0062] TCP 192.168.1.2:1108->192.31.7.130:80 11883.330 ENET0-T[0058] TCP 192.31.7.130:80->192.168.1.2:1108 11883.340 ENET0-R[0060] TCP 192.168.1.2:1108->192.31.7.130:80 11883.340 ENET0-R[0339] TCP 192.168.1.2:1108->192.31.7.130:80 11883.610 ENET0-T[0054] TCP 192.31.7.130:80->192.168.1.2:1108 11883.620 ENET0-T[0102] TCP 192.31.7.130:80->192.168.1.2:1108...
  • Page 279 Destination Port = 0x0050 (80) Sequence Number = 0x00BD15A7 (12391847) Ack Number = 0x00000000 (0) Header Length = 28 Flags = 0x02 (..S.) Window Size = 0x2000 (8192) Checksum = 0xBEC3 (48835) Urgent Ptr = 0x0000 (0) Options 0000: 02 04 05 B4 01 01 04 02 RAW DATA: 0000: 00 A0 C5 92 13 11 00 80-C8 4C EA 63 08 00 45 00 ..L.
  • Page 280 TCP Header: Source Port = 0x0050 (80) Destination Port = 0x045C (1116) Sequence Number = 0x4AD1B57F (1255257471) Ack Number = 0x00BD15A8 (12391848) Header Length = 24 Flags = 0x12 (.A..S.) Window Size = 0xFAF0 (64240) Checksum = 0xF877 (63607) Urgent Ptr = 0x0000 (0) Options 0000: 02 04 05 B4...
  • Page 281 Source IP = 0xC0A80102 (192.168.1.2) Destination IP = 0xC01F0782 (192.31.7.130) TCP Header: Source Port = 0x045C (1116) Destination Port = 0x0050 (80) Sequence Number = 0x00BD15A8 (12391848) Ack Number = 0x4AD1B580 (1255257472) Header Length = 20 Flags = 0x10 (.A..) Window Size = 0x2238 (8760) Checksum...
  • Page 282 P324> sys trcp channel enet0 none P324> sys trcp channel enet1 bothway P324> sys trcp sw on P324> sys trcl sw on P324> sys trcd brief 12367.680 ENET1-R[0070] UDP 202.132.155.95:520->202.132.155.255:520 12370.980 ENET1-T[0062] TCP 202.132.155.97:10261->192.31.7.130:80 12373.940 ENET1-T[0062] TCP 202.132.155.97:10261->192.31.7.130:80 12374.930 ENET1-R[0064] TCP 192.31.7.130:80->202.132.155.97:10261 12374.940 ENET1-T[0054] TCP 202.132.155.97:10261->192.31.7.130:80 12374.940 ENET1-T[0438] TCP 202.132.155.97:10261->192.31.7.130:80 12375.320 ENET1-R[0064] TCP 192.31.7.130:80->202.132.155.97:10261...
  • Page 283 Sequence Number = 0xD3E95985 (3555285381) Ack Number = 0x00C18F63 (12685155) Header Length = 20 Flags = 0x19 (.AP..F) Window Size = 0xFAF0 (64240) Checksum = 0x3735 (14133) Urgent Ptr = 0x0000 (0) TCP Data: (Length=1127, Captured=42) 0000: DF 33 AF 62 58 37 52 3D-79 99 A5 3C 2B 59 E2 78 .3.bX7R=y..<...
  • Page 284 Identification = 0x7A0C (31244) Flags = 0x02 Fragment Offset = 0x00 Time to Live = 0x7F (127) Protocol = 0x06 (TCP) Header Checksum = 0x543C (21564) Source IP = 0xCA849B61 (202.132.155.97) Destination IP = 0xC01F0782 (192.31.7.130) TCP Header: Source Port = 0x281E (10270) Destination Port = 0x0050 (80)
  • Page 285 1.2 Enable capture of LAN packets by entering: sys trcp channel enet0 bothway 1.3 Enable the trace log by entering: sys trcp sw on & sys trcl sw on 1.4 Wait for packets to pass through the P-334WT over the LAN...
  • Page 286 1.5 Disable the trace log by entering: sys trcp sw off & sys trcl sw off 1.6 Display the trace briefly by entering: sys trcp brief 1.7 Display specific packets by using: sys trcp parse <from_index> <to_index> Example: P324> sys trcp channel enet1 none P324>...
  • Page 287 1.3 Enable the trace log by entering: sys trcp sw on & sys trcl sw on 1.4 Wait for packets to pass through the P-334WT over the WAN 1.5 Disable the trace log by entering: sys trcp sw off & sys trcl sw off 1.6 Display the trace briefly by entering:...
  • Page 288 P324> sys trcp channel enet0 none P324> sys trcp channel enet1 bothway P324> sys trcl sw on P324> sys trcp sw on P324> sys trcl sw off P324> sys trcp sw off P324> sys trcp brief 12864.800 ENET1-T[0411] TCP 202.132.155.97:10278->204.217.0.2:80 12864.890 ENET1-R[0247] TCP 204.217.0.2:80->202.132.155.97:10282...
  • Page 289 TCP Header: Source Port = 0x0050 (80) Destination Port = 0x2826 (10278) Sequence Number = 0x4D713D8A (1299266954) Ack Number = 0x00C8C015 (13156373) Header Length = 20 Flags = 0x18 (.AP...) Window Size = 0x2238 (8760) Checksum = 0xAB57 (43863) Urgent Ptr = 0x0000 (0) TCP Data: (Length=193, Captured=42) 0000: 48 54 54 50 2F 31 2E 31-20 33 30 34 20 4E 6F 74...
  • Page 290 IP Version Header Length = 20 Type of Service = 0x00 (0) Total Length = 0x018D (397) Identification = 0xF20C (61964) Flags = 0x02 Fragment Offset = 0x00 Time to Live = 0x7F (127) Protocol = 0x06 (TCP) Header Checksum = 0xD59C (54684) Source IP = 0xCA849B61 (202.132.155.97)
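A parser for the `sys trcp brief` lines shown on Pages 278, 282 and 288, and a decoder for the `Flags = 0x..` byte printed by `sys trcp parse`, as an added example (not ZyXEL code). It groups both directions of a conversation into one flow, labels the channel as the LAN (enet0) or WAN (enet1) side the way the capture steps above use them, and flags identical frames repeated within a few seconds. On the Page 278 capture that picks out the two 62-byte frames from 192.168.1.2 at 11880.160 and 11883.100, consistent with a SYN retransmitted before the 58-byte SYN/ACK arrives at 11883.330 (Ethernet 14 + IP 20 + TCP 28 bytes with options gives exactly 62). The sample text is assembled from lines on those pages; the helper names are this example's own.

```python
"""Parse ZyNOS 'sys trcp brief' output and decode TCP flag bytes (added example)."""
import re
from typing import Dict, List, NamedTuple, Tuple

CHANNEL_ROLE = {"ENET0": "LAN", "ENET1": "WAN"}   # as used by the capture steps above

# <uptime s> <channel>-<R|T>[<frame length>] <proto> <src>:<sport>-><dst>:<dport>
BRIEF_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<ch>ENET\d)-(?P<dir>[RT])\[(?P<len>\d+)\]\s+"
    r"(?P<proto>[A-Z]+)\s+(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\s*$")

# Sample assembled from the Page 278 (LAN) and Page 282 (WAN) captures on this page.
SAMPLE = """P324> sys trcd brief
11880.160 ENET0-R[0062] TCP 192.168.1.2:1108->192.31.7.130:80
11883.100 ENET0-R[0062] TCP 192.168.1.2:1108->192.31.7.130:80
11883.330 ENET0-T[0058] TCP 192.31.7.130:80->192.168.1.2:1108
11883.340 ENET0-R[0060] TCP 192.168.1.2:1108->192.31.7.130:80
11883.340 ENET0-R[0339] TCP 192.168.1.2:1108->192.31.7.130:80
11883.610 ENET0-T[0054] TCP 192.31.7.130:80->192.168.1.2:1108
11883.620 ENET0-T[0102] TCP 192.31.7.130:80->192.168.1.2:1108
12367.680 ENET1-R[0070] UDP 202.132.155.95:520->202.132.155.255:520
"""


class Record(NamedTuple):
    ts: float
    channel: str
    direction: str    # R = received on this interface, T = transmitted from it
    length: int       # frame length in bytes
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_brief(text: str) -> List[Record]:
    """Keep only trace lines; prompts, CI commands and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        m = BRIEF_RE.match(line)
        if m:
            g = m.groupdict()
            records.append(Record(float(g["ts"]), g["ch"], g["dir"], int(g["len"]), g["proto"],
                                  g["src"], int(g["sport"]), g["dst"], int(g["dport"])))
    return records


TCP_FLAG_BITS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
                 ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))


def decode_tcp_flags(value: int) -> str:
    """Expand the 'Flags = 0x..' byte from 'sys trcp parse', e.g. 0x12 -> 'SYN,ACK'."""
    names = [name for name, bit in TCP_FLAG_BITS if value & bit]
    return ",".join(names) if names else "none"


def flow_key(r: Record) -> Tuple:
    """Direction-independent key so both halves of a conversation share one flow."""
    a, b = (r.src, r.sport), (r.dst, r.dport)
    return (r.proto,) + (a + b if a <= b else b + a)


def summarise_flows(records: List[Record]) -> Dict[Tuple, Dict[str, object]]:
    flows: Dict[Tuple, Dict[str, object]] = {}
    for r in records:
        f = flows.setdefault(flow_key(r), {"side": CHANNEL_ROLE.get(r.channel, r.channel),
                                           "packets": 0, "bytes": 0, "rx": 0, "tx": 0,
                                           "first": r.ts, "last": r.ts})
        f["packets"] += 1
        f["bytes"] += r.length
        f["rx" if r.direction == "R" else "tx"] += 1
        f["last"] = max(f["last"], r.ts)
    return flows


def find_repeats(records: List[Record], window: float = 5.0) -> List[Tuple[float, float]]:
    """Identical frame (interface, direction, length, 5-tuple) seen again within `window`
    seconds: the brief-trace signature of a retransmission."""
    last_seen: Dict[Tuple, float] = {}
    repeats = []
    for r in records:
        key = (r.channel, r.direction, r.length, r.proto, r.src, r.sport, r.dst, r.dport)
        if key in last_seen and r.ts - last_seen[key] <= window:
            repeats.append((last_seen[key], r.ts))
        last_seen[key] = r.ts
    return repeats


if __name__ == "__main__":
    for key, f in summarise_flows(parse_brief(SAMPLE)).items():
        print(f["side"], key, f["packets"], "packets", f["bytes"], "bytes")
    print("repeats:", find_repeats(parse_brief(SAMPLE)))
```

Paste the output of `sys trcp brief` into `SAMPLE` (or read it from a file) to get per-flow packet and byte counts for each side of the router; `decode_tcp_flags` turns the `0x02`, `0x12`, `0x10`, `0x19` and `0x18` values in the parse output above into SYN, SYN/ACK, ACK, FIN/PSH/ACK and PSH/ACK respectively.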
  • Page 291 P324> All contents copyright (c) 1999 ZyXEL Communications Corporation.
  • Page 292 1 (dial remote node 1) 5. Finally, if the P-334WT crashes and you cannot do anything, please send the above log back to us. 6. If the P-334WT crashes and you are still able to enter commands, please type 'atds' in debug mode to dump the log and send the log to us.
  • Page 293 bdcastSendInit: l1.pktTx() failed, pch poe0 ch enet0 poePut1SrvcName: '' len 0 host-uniq 31303030 len 4 putPoeHdr: ver 1 type 1 code x09 sess-id 0 len 12(x000C) ### Hit any key to continue.### $$$ DIALING dev=6 ch=0..poeI/C: ver 1 type 1 code x07 sessId x0000 len 274(x0112) poeCtrlI/C: pkt len 274 poeGetTags() service-name...
  • Page 294 0x00000000 r12=0x56FF54FF sp= 0x0001EDBC lr= 0x00004F64 0x00013954 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F e5bdbfe0: e2 8f 00 06 e5 d5 20 06 e5 d5 20 0a e5 d5 20 0e ...b...f... j...n e5bdbff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ed 2b ...b...f...
  • Page 295 Enter Debug Mode atgo Bootbase Version: V1.12 | 1/27/2000 11:00:09 RAM: Size = 4096 Kbytes FLASH: Intel 8M RAS Version: V3.20(M.01)b2 | 8/18/2000 14:05:08 Press any key to enter debug mode within 3 seconds............. initialize ch =0, ethernet address: 00:a0:c5:e1:ee:d8 initialize ch =1, ethernet address: 00:a0:c5:e1:ee:d9 Press ENTER to continue...
