ZyXEL Communications P-661HW User Manual

802.11g wireless adsl2+ 4-port security gateway

P-661H/HW Series
802.11g Wireless ADSL2+ 4-port Security Gateway
User's Guide
Version 3.40
Edition 1
5/2006


Summary of Contents for ZyXEL Communications P-661HW

  • Page 1 P-661H/HW Series 802.11g Wireless ADSL2+ 4-port Security Gateway User’s Guide Version 3.40 Edition 1 5/2006...
  • Page 3: Copyright

    ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved.
  • Page 4: Certifications

    P-661H/HW Series User’s Guide Federal Communications Commission (FCC) Interference Statement This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: • This device may not cause harmful interference. • This device must accept any interference received, including interference that may cause undesired operations.
  • Page 6: Safety Warnings

    For your safety, be sure to read and follow all warning notices and instructions. • Do NOT open the device or unit. Opening or removing covers can expose you to dangerous high voltage points or other risks. ONLY qualified service personnel can service the device.
  • Page 7: Zyxel Limited Warranty

    ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever...
  • Page 8: Customer Support

    +7-3272-590-689 1-800-255-4101 www.us.zyxel.com +1-714-632-0882 +1-714-632-0858 ftp.us.zyxel.com +47-22-80-61-80 www.zyxel.no +47-22-80-61-81 REGULAR MAIL ZyXEL Communications Corp. 6 Innovation Road II Science Park Hsinchu 300 Taiwan ZyXEL Communications Czech s.r.o. Modranská 621 143 01 Praha 4 - Modrany Ceská Republika ZyXEL Communications A/S...
  • Page 9 Poland ZyXEL Russia Ostrovityanova 37a Str. Moscow, 117279 Russia ZyXEL Communications Arte, 21 5ª planta 28033 Madrid Spain ZyXEL Communications A/S Sjöporten 4, 41764 Göteborg Sweden ZyXEL Ukraine 13, Pimonenko Str. Kiev, 04050 Ukraine ZyXEL Communications UK Ltd.,11 The Courtyard,...
  • Page 11: Table Of Contents

    Copyright ... 3 Certifications ... 4 Safety Warnings ... 6 ZyXEL Limited Warranty... 7 Customer Support... 8 Table of Contents ... 11 List of Figures ... 23 List of Tables ... 29 Preface ... 33 Chapter 1 Getting To Know Your ZyXEL Device ... 35 1.1 Introducing the ZyXEL Device ...35 1.2 Features ...36 1.2.1 Wireless Features (Wireless Devices Only) ...38...
  • Page 12 2.4.3 Status: Any IP Table ...53 2.4.4 Status: WLAN Status (Wireless devices only) ...54 2.4.5 Status: VPN Status ...54 2.4.6 Status: Bandwidth Status ...55 2.4.7 Status: Packet Statistics ...56 2.4.8 Changing Login Password ...57 Chapter 3 Wizards ...
  • Page 13 4.3 Traffic Shaping ...80 4.3.1 ATM Traffic Classes ...81 4.3.1.1 Constant Bit Rate (CBR) ...81 4.3.1.2 Variable Bit Rate (VBR) ...81 4.3.1.3 Unspecified Bit Rate (UBR) ...82 4.4 Zero Configuration Internet Access ...82 4.5 Internet Connection ...82 4.5.1 Configuring Advanced Internet Connection ...84 4.6 Configuring More Connections ...86 4.6.1 More Connections Edit ...87 4.6.2 Configuring More Connections Advanced Setup ...90...
  • Page 14 6.2.5 One-Touch Intelligent Security Technology (OTIST) ...112 6.3 Wireless Performance Overview ...112 6.3.1 Quality of Service (QoS) ...112 6.4 General Wireless LAN Screen ...112 6.4.1 No Security ...114 6.4.2 WEP Encryption ...114 6.4.3 WPA-PSK/WPA2-PSK ...115 6.4.4 WPA/WPA2 ...117 6.4.5 Wireless LAN Advanced Setup ...119 6.5 OTIST ...120 6.5.1 Enabling OTIST ...120...
  • Page 15 Chapter 8 Firewalls... 145 8.1 Firewall Overview ...145 8.2 Types of Firewalls ...145 8.2.1 Packet Filtering Firewalls ...145 8.2.2 Application-level Firewalls ...146 8.2.3 Stateful Inspection Firewalls ...146 8.3 Introduction to ZyXEL’s Firewall ...146 8.3.1 Denial of Service Attacks ...147 8.4 Denial of Service ...147 8.4.1 Basics ...147 8.4.2 Types of DoS Attacks ...148 8.4.2.1 ICMP Vulnerability ...150...
  • Page 16 9.4.2 Alerts ...160 9.5 Triangle Route ...160 9.5.1 The “Triangle Route” Problem ...160 9.5.2 Solving the “Triangle Route” Problem ...161 9.6 General Firewall Policy 9.7 Firewall Rules Summary ...163 9.7.1 Configuring Firewall Rules ...164 9.7.2 Customized Services ...167 9.7.3 Configuring A Customized Service ...168 9.8 Example Firewall Rule ...168 9.9 Predefined Services ...172...
  • Page 17 12.1.3.1 Encryption ...197 12.1.3.2 Data Confidentiality ...198 12.1.3.3 Data Integrity ...198 12.1.3.4 Data Origin Authentication ...198 12.1.4 VPN Applications ...198 12.2 IPSec Architecture ...199 12.2.1 IPSec Algorithms ...199 12.2.2 Key Management ...199 12.3 Encapsulation ...199 12.3.1 Transport Mode ...200 12.3.2 Tunnel Mode ...200 12.4 IPSec and NAT ...200 Chapter 13 VPN Screens...
  • Page 18 13.19 VPN and Remote Management ...229 Chapter 14 Static Route ... 231 14.1 Static Route 14.2 Configuring Static Route ...231 14.2.1 Static Route Edit ...232 Chapter 15 Bandwidth Management ... 235 15.1 Bandwidth Management Overview ...235 15.2 Application-based Bandwidth Management ...235 15.3 Subnet-based Bandwidth Management ...235 15.4 Application and Subnet-based Bandwidth Management ...236...
  • Page 19 17.3 Telnet ...253 17.4 Configuring Telnet ...253 17.5 Configuring FTP ...254 17.6 SNMP ...255 17.6.1 Supported MIBs ...256 17.6.2 SNMP Traps ...257 17.6.3 Configuring SNMP ...257 17.7 Configuring DNS ...259 17.8 Configuring ICMP ...259 17.9 TR-069 (P-661H Only) ...261 Chapter 18 Universal Plug-and-Play (UPnP) ...
  • Page 20 Chapter 22 Diagnostic... 291 22.1 General Diagnostic ...291 22.2 DSL Line Diagnostic ...292 Chapter 23 Troubleshooting ... 293 23.1 Problems Starting Up the ZyXEL Device ...293 23.2 Problems with the LAN ...293 23.3 Problems with the WAN ...294 23.4 Problems Accessing the ZyXEL Device ...295 Appendix A Product Specifications ...
  • Page 21 Command Interpreter... 327 Command Syntax... 327 Command Usage ... 327 Appendix G Firewall Commands ... 329 Appendix H NetBIOS Filter Commands ... 335 Introduction ... 335 Display NetBIOS Filter Settings ... 335 NetBIOS Filter Configuration... 336 Appendix I PPPoE ... 337 PPPoE in Action...
  • Page 22 Appendix L Pop-up Windows, JavaScripts and Java Permissions ... 369 Internet Explorer Pop-up Blockers ... 369 Java Permissions ... 374 Index... 377
  • Page 23: List Of Figures

    List of Figures Figure 1 Protected Internet Access Applications ... 40 Figure 2 LAN-to-LAN Application Example ... 40 Figure 3 Front Panel ... 40 Figure 4 Connecting a POTS Splitter ... 42 Figure 5 Connecting a Microfilter ... 43 Figure 6 Password Screen ...
  • Page 24 Figure 39 Advanced Internet Connection ... 85 Figure 40 More Connections ... 87 Figure 41 More Connections Edit ... 88 Figure 42 More Connections Advanced Setup ... 90 Figure 43 Traffic Redirect Example ... 91 Figure 44 Traffic Redirect LAN Setup ... 92 Figure 45 WAN Backup Setup ...
  • Page 25 Figure 82 Stateful Inspection ... 151 Figure 83 Ideal Firewall Setup ... 160 Figure 84 “Triangle Route” Problem ... 161 Figure 85 IP Alias ... 161 Figure 86 Firewall: General ... 162 Figure 87 Firewall Rules ... 163 Figure 88 Firewall: Edit Rule ...
  • Page 26 Figure 125 Two Phases to Set Up the IPSec SA ... 216 Figure 126 Advanced VPN Policies ... 219 Figure 127 VPN: Manual Key ... 222 Figure 128 VPN: SA Monitor ... 225 Figure 129 VPN: Global Setting ... 226 Figure 130 Telecommuters Sharing One VPN Rule Example ...
  • Page 27 Figure 168 Log Settings ... 283 Figure 169 Firmware Upgrade ... 285 Figure 170 Firmware Upload In Progress ... 286 Figure 171 Network Temporarily Disconnected ... 286 Figure 172 Error Message ... 287 Figure 173 Configuration ... 287 Figure 174 Configuration Upload Successful ...
  • Page 28 Figure 211 WPA(2)-PSK Authentication ... 367 Figure 212 Pop-up Blocker ... 369 Figure 213 Internet Options ... 370 Figure 214 Internet Options ... 371 Figure 215 Pop-up Blocker Settings ... 372 Figure 216 Internet Options ... 373 Figure 217 Security Settings - Java Scripting ...
  • Page 29: List Of Tables

    List of Tables Table 1 ADSL Standards ... 35 Table 2 Front Panel LEDs ... 41 Table 3 Web Configurator Screens Summary ... 48 Table 4 Status Screen ... 51 Table 5 Status: Any IP Table ... 53 Table 6 Status: WLAN Status ...
  • Page 30 Table 39 Wireless: WPA-PSK/WPA2-PSK ... 116 Table 40 Wireless: WPA/WPA2 ... 118 Table 41 Wireless LAN: Advanced ... 119 Table 42 OTIST ... 122 Table 43 MAC Address Filter ... 125 Table 44 WMM QoS Priorities ... 126 Table 45 Commonly Used Services ...
  • Page 31 Table 82 Matching ID Type and Content Configuration Example ... 210 Table 83 Mismatching ID Type and Content Configuration Example ... 211 Table 84 Edit VPN Policies ... 212 Table 85 Advanced VPN Policies ... 219 Table 86 VPN: Manual Key ...
  • Page 32 Table 125 Troubleshooting Accessing the ZyXEL Device ... 295 Table 126 Device ... 297 Table 127 Firmware ... 298 Table 128 Classes of IP Addresses ... 319 Table 129 Allowed IP Address Range By Class ... 320 Table 130 “Natural”...
  • Page 33: Syntax Conventions

    Congratulations on your purchase of the ZyXEL Device series ADSL 2+ ZyXEL Device has a 4-port switch that allows you to connect up to 4 computers to the ZyXEL Device without purchasing a switch/hub. Note: Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com for global products, or at www.us.zyxel.com for North American products.
  • Page 34: User Guide Feedback

    Help us help you. E-mail all User Guide-related comments, questions or suggestions for improvement to techwriters@zyxel.com.tw or send regular mail to The Technical Writing Team, ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu, 300, Taiwan. Thank you.
  • Page 35: Chapter 1 Getting To Know Your Zyxel Device

    Getting To Know Your ZyXEL This chapter describes the key features and applications of your ZyXEL Device 1.1 Introducing the ZyXEL Device The ZyXEL Device is an ADSL2+ gateway that allows super-fast, secure Internet access over analog (POTS) or digital (ISDN) telephone lines (depending on your model). In the ZyXEL Device product name, “H”...
  • Page 36: Features

    1.2 Features High Speed Internet Access Your ZyXEL Device ADSL/ADSL2/ADSL2+ router can support downstream transmission rates of up to 24Mbps and upstream transmission rates of 3.5Mbps. Actual speeds attained depend on the ADSL service you subscribed to, distance from your ISP, line quality, etc. Triple Play Service The ZyXEL Device is a Triple Play Gateway, capable of simultaneously transferring data, voice and video over the Internet.
  • Page 37: Dynamic Dns Support

    Media Bandwidth Management ZyXEL’s Media Bandwidth Management allows you to specify bandwidth classes based on an application and/or subnet. You can allocate specific amounts of bandwidth capacity (bandwidth budgets) to different bandwidth classes. Universal Plug and Play (UPnP) Using the standard TCP/IP protocol, the ZyXEL Device and other UPnP enabled devices can dynamically join a network, obtain an IP address and convey its capabilities to other devices on the network.
  • Page 38: Port Switch

    IP Alias IP Alias allows you to partition a physical network into logical networks over the same Ethernet interface. The ZyXEL Device supports three logical LAN interfaces via its single physical Ethernet interface with the ZyXEL Device itself as the gateway for each LAN network.
  • Page 39: Applications For The Zyxel Device

    Both WPA and WPA2 improve data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.1x. In addition to TKIP, WPA2 also uses Advanced Encryption Standard (AES) in the Counter mode with Cipher block chaining Message authentication code Protocol (CCMP) to offer stronger encryption.
  • Page 40: Lan To Lan Application

    Figure 1 Protected Internet Access Applications 1.3.2 LAN to LAN Application You can use the ZyXEL Device to connect two geographically dispersed networks over the ADSL line. A typical LAN-to-LAN application example is shown as follows. Figure 2 LAN-to-LAN Application Example 1.4 Front Panel LEDs The following figure shows the front panel LEDs.
  • Page 41: Hardware Connection

    The following table describes the LEDs. Table 2 Front Panel LEDs COLOR POWER Green ETHERNET Green Amber WLAN Green (wireless devices only) Green INTERNET Green 1.5 Hardware Connection Refer to the Quick Start Guide for information on hardware connection. 1.6 Splitters and Microfilters This section describes how to connect ADSL splitters and microfilters.
  • Page 42: Connecting A Pots Splitter

    1.6.1 Connecting a POTS Splitter When you use the Full Rate (G.dmt) ADSL standard, you can use a POTS (Plain Old Telephone Service) splitter to separate the telephone and ADSL signals. This allows simultaneous Internet access and telephone service on the same line. A splitter also eliminates the destructive interference conditions caused by telephone sets.
  • Page 43: Figure 5 Connecting A Microfilter

    Figure 5 Connecting a Microfilter
  • Page 45: Introducing The Web Configurator

    This chapter describes how to access and navigate the web configurator. 2.1 Web Configurator Overview The web configurator is an HTML-based management interface that allows easy ZyXEL Device setup and management via Internet browser. Use Internet Explorer 6.0 and later or Netscape Navigator 7.0 and later versions.
  • Page 46: Figure 6 Password Screen

    status only. Click Login to proceed to a screen asking you to change your password or click Cancel to revert to the default password. Figure 6 Password Screen 6 If you entered the user password, skip the next two steps and refer to page 51 for more information about the Status screen.
  • Page 47: Resetting The Zyxel Device

    Figure 8 Select a Mode Note: The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires (default five minutes). Simply log back into the ZyXEL Device if this happens to you. 2.3 Resetting the ZyXEL Device If you forget your password or cannot access the web configurator, you will need to use the RESET button at the back of the ZyXEL Device to reload the factory-default configuration file.
  • Page 48: Figure 9 Web Configurator: Main Screen

    P-661H/HW Series User’s Guide Figure 9 Web Configurator: Main Screen submenus to configure ZyXEL Device Note: Click the embedded help. Table 3 Web Configurator Screens Summary LINK/ICON SUB-LINK Wizard INTERNET SETUP BANDWIDTH MANAGEMENT SETUP Logout Status Network Internet Connection More Connections Use this screen to configure and place calls to a remote WAN Backup Setup icon (located in the top right corner of most screens) to view...
  • Page 49 Table 3 Web Configurator Screens Summary (continued) LINK/ICON SUB-LINK DHCP Setup Client List IP Alias Wireless LAN General (wireless devices only) OTIST MAC Filter General Port Forwarding Address Mapping Security Firewall General Rules Anti Probing Threshold TMSS General Exception List Virus Protection Parental Control Content Filter...
  • Page 50 Table 3 Web Configurator Screens Summary (continued) LINK/ICON SUB-LINK Setup Monitor VPN Global Setting Advanced Static Route Bandwidth Summary MGMT Rule Setup Monitor Dynamic DNS Remote MGMT Telnet SNMP ICMP UPnP Maintenance System General Time Setting Logs View Log Log Settings...
  • Page 51: Status Screen

    2.4.2 Status Screen The following summarizes how to navigate the web configurator from the Status screen. Some fields or links are not available if you entered the user password in the login password screen (see Figure 6 on page Figure 10 Status Screen The following table describes the labels shown in the Status screen.
  • Page 52 Table 4 Status Screen LABEL DESCRIPTION Default Gateway This is the IP address of the default gateway, if applicable. VPI/VCI This is the Virtual Path Identifier and Virtual Channel Identifier that you entered in the Wizard or WAN screen. LAN Information IP Address This is the LAN port IP address.
  • Page 53: Status: Any Ip Table

    Table 4 Status Screen LABEL DESCRIPTION Rate For the LAN ports, this displays the port speed and duplex setting. Ethernet port connections can be in half-duplex or full-duplex mode. Full-duplex refers to a device's ability to send and receive simultaneously, while half-duplex indicates that traffic can flow in only one direction at a time.
  • Page 54: Status: Wlan Status (Wireless Devices Only)

    Table 5 Status: Any IP Table (continued) LABEL DESCRIPTION MAC Address This field displays the MAC (Media Access Control) address of the computer with the displayed IP address. Every Ethernet device has a unique MAC address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.
  • Page 55: Status: Bandwidth Status

    Figure 13 Status: VPN Status The following table describes the labels in this screen. Table 7 Status: VPN Status LABEL DESCRIPTION This is the security association index number. Name This field displays the identification name for this VPN policy. Encapsulation This field displays Tunnel or Transport mode.
  • Page 56: Status: Packet Statistics

    2.4.7 Status: Packet Statistics Click the Packet Statistics hyperlink in the Status screen. Read-only information here includes port status and packet specific statistics. Also provided are "system up time" and "poll interval(s)". The Poll Interval(s) field is configurable. Figure 15 Status: Packet Statistics The following table describes the fields in this screen.
  • Page 57: Changing Login Password

    Table 8 Status: Packet Statistics (continued) LABEL DESCRIPTION Status This field displays Down (line is down), Up (line is up or connected) if you're using Ethernet encapsulation and Down (line is down), Up (line is up or connected), Idle (line (ppp) idle), Dial (starting to trigger a call) and Drop (dropping a call) if you're using PPPoE encapsulation.
  • Page 58: Figure 16 System General

    Figure 16 System General The following table describes the fields in this screen. Table 9 System General: Password LABEL DESCRIPTION Old Password Type the default password or the existing password you use to access the system in this field.
  • Page 59: Chapter 3 Wizards

    Use these screens to configure Internet access or to configure basic bandwidth management. Note: See the advanced menu chapters for background information on these fields. To access the wizards, click Go to Wizard setup in icon ( ) in the top right corner of the web configurator. The wizard main screen appears. Figure 17 Wizard Main Screen The following table describes the fields in this screen.
  • Page 60: Internet Setup Wizard

    3.1 Internet Setup Wizard Use these screens to configure Internet access and wireless network settings (wireless devices only). To access this wizard, click INTERNET/WIRELESS SETUP in the wizard main screen. Wait while the device tries to detect your DSL connection and connection type. Figure 18 Internet Setup Wizard: Connection Test The next screen depends on the results.
  • Page 61: Manual Configuration

    3.1.2 Manual Configuration The ZyXEL Device detected the DSL connection but not the Internet settings. You should specify the Internet settings manually. 3.1.2.1 Screen 1 Figure 20 Internet Setup Wizard: Manual Configuration Click Back to return to the wizard main screen. Click Next to continue to the next screen. Click Exit to close the wizard main screen and return to the Status screen or the main window.
  • Page 62: Screen 3

    The following table describes the fields in this screen. Table 11 Internet Setup Wizard: ISP Parameters LABEL DESCRIPTION Mode Select Routing (default) if your ISP allows multiple computers to share an Internet account. Otherwise, select Bridge. Encapsulation Select the encapsulation type your ISP uses from the Encapsulation drop-down list box.
  • Page 63: Figure 23 Internet Setup Wizard: Isp Parameters (Pppoe)

    The following table describes the fields in this screen. Table 12 Internet Setup Wizard: ISP Parameters (Ethernet) LABEL DESCRIPTION Obtain an IP Select this if you have a dynamic IP address. Address Automatically Static IP Select this if you have a static (fixed) IP address, and enter the information below. Address These fields appear if you select Static IP Address.
  • Page 64: Figure 24 Internet Setup Wizard: Isp Parameters (Rfc1483 + Routing Mode)

    The following table describes the fields in this screen. Table 13 Internet Setup Wizard: ISP Parameters (PPPoE) LABEL DESCRIPTION User Name Enter the user name exactly as your ISP assigned. If assigned a name in the form user@domain where domain identifies a service name, then enter both components exactly as given.
  • Page 65: No Dsl Detection

    Figure 25 Internet Setup Wizard: ISP Parameters (PPPoA) The following table describes the fields in this screen. Table 15 Internet Setup Wizard: ISP Parameters (PPPoA) LABEL DESCRIPTION User Name Enter the user name exactly as your ISP assigned. If assigned a name in the form user@domain where domain identifies a service name, then enter both components exactly as given.
  • Page 66: Wireless Connection Wizard Setup (Wireless Devices Only)

    Figure 26 Internet Setup Wizard: No DSL Connection Click Restart the Internet/Wireless Setup Wizard to return to the wizard main screen. Click Next to continue to the the wizard main screen and return to the Status screen or the main window. 3.2 Wireless Connection Wizard Setup (wireless devices only) After you configure the Internet access information, use the following screens to set up your...
  • Page 67: Figure 28 Wireless Lan Setup Wizard 1

    Figure 28 Wireless LAN Setup Wizard 1 The following table describes the labels in this screen. Table 16 Wireless LAN Setup Wizard 1 LABEL Active Enable OTIST Setup Key Back Next Exit 3 Configure your wireless settings in this screen. Click Next. Chapter 3 Wizards DESCRIPTION Select the check box to turn on the wireless LAN.
  • Page 68: Figure 29 Wireless Lan Setup Wizard 2

    Figure 29 Wireless LAN Setup Wizard 2 The following table describes the labels in this screen. Table 17 Wireless LAN Setup Wizard 2 LABEL DESCRIPTION Network Enter a descriptive name (up to 32 printable 7-bit ASCII characters) for the wireless Name(SSID) LAN.
  • Page 69: Manually Assign A Wpa-Psk Key

    Note: The wireless stations and ZyXEL Device must use the same SSID, channel ID and WEP encryption key (if WEP is enabled), WPA-PSK (if WPA-PSK is enabled) for wireless communication. 4 This screen varies depending on the security mode you selected in the previous screen. Fill in the field (if available) and click Next.
  • Page 70: Figure 31 Manually Assign A Wep Key

    Figure 31 Manually assign a WEP key The following table describes the labels in this screen. Table 19 Manually assign a WEP key LABEL DESCRIPTION The WEP keys are used to encrypt data. Both the ZyXEL Device and the wireless stations must use the same WEP key for data transmission.
  • Page 71: Figure 32 Wireless Lan Setup: Apply

    Figure 32 Wireless LAN Setup: Apply Figure 33 Internet Setup Wizard: Summary Screen 6 Use the read-only summary table to check whether what you have configured is correct. Click Finish to complete and save the wizard setup. The following table describes the fields in this screen.
  • Page 72: Bandwidth Management Wizard

    Table 20 Internet Setup Wizard: Summary (continued) LABEL DESCRIPTION View Device This field is displayed if you are using the user password. Status Click this to go to the Status screen. Finish Click this to close the wizard main screen and return to the Status screen or the main window.
  • Page 73: Screen 1

    Table 21 Media Bandwidth Management Setup: Services (continued) SERVICE DESCRIPTION VoIP (SIP) Sending voice signals over the Internet is called Voice over IP or VoIP. Session Initiated Protocol (SIP) is an internationally recognized standard for implementing VoIP. SIP is an application-layer control (signaling) protocol that handles the setting up, altering and tearing down of voice and multimedia sessions over the Internet.
  • Page 74: Screen 2

    The following fields describe the label in this screen. Table 22 Bandwidth Management Wizard: General Information LABEL DESCRIPTION Active Select the Active check box to have the ZyXEL Device apply bandwidth management to traffic going out through the ZyXEL Device’s WAN, LAN or WLAN port.
  • Page 75: Screen 3

    The following table describes the labels in this screen. Table 23 Bandwidth Management Wizard: Configuration LABEL DESCRIPTION Active Select an entry’s Active check box to turn on bandwidth management for the service/ application. Service These fields display the services names. Priority Select High, Mid or Low priority for each service to have your ZyXEL Device use a priority for traffic that matches that service.
  • Page 77: Chapter 4 Wan Setup

    This chapter describes how to configure WAN settings. 4.1 WAN Overview A WAN (Wide Area Network) is an outside connection to another network or the Internet. 4.1.1 Encapsulation Be sure to use the encapsulation method required by your ISP. The ZyXEL Device supports the following methods.
  • Page 78: Pppoa

    By implementing PPPoE directly on the ZyXEL Device (rather than individual computers), the computers on the LAN do not need PPPoE software installed, since the ZyXEL Device does that part of the task. Furthermore, with NAT, all of the LANs’ computers will have access.
  • Page 79: Ip Address Assignment

    4.1.4 IP Address Assignment A static IP is a fixed IP that your ISP gives you. A dynamic IP is not fixed; the ISP assigns you a different one each time. The Single User Account feature can be enabled or disabled if you have either a dynamic or static IP.
  • Page 80: Metric

    4.2 Metric The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost". RIP routing uses hop count as the measurement of cost, with a minimum of "1" for directly connected networks. The number must be between "1"...
  • Page 81: Atm Traffic Classes

    Maximum Burst Size (MBS) is the maximum number of cells that can be sent at the PCR. After MBS is reached, cell rates fall below SCR until cell rate averages to the SCR again. At this time, more cells (up to the MBS) can be sent at the PCR again. If the PCR, SCR or MBS is set to the default of "0", the system will assign a maximum value that correlates to your upstream line rate.
  • Page 82: Unspecified Bit Rate (Ubr)

    The VBR-nRT (non real-time Variable Bit Rate) type is used with bursty connections that do not require closely controlled delay and delay variation. It is commonly used for "bursty" traffic typical on LANs. PCR and MBS define the burst levels, SCR defines the minimum level.
  • Page 83: Figure 38 Internet Connection (Pppoe)

    Figure 38 Internet Connection (PPPoE) The following table describes the labels in this screen. Table 24 Internet Connection LABEL General Name Mode Encapsulation User Name Password Service Name Multiplexing Chapter 4 WAN Setup DESCRIPTION Enter the name of your Internet Service Provider, e.g., MyISP. This information is for identification purposes only.
  • Page 84: Configuring Advanced Internet Connection

    Table 24 Internet Connection LABEL Virtual Circuit ID IP Address Obtain an IP Address Automatically Static IP Address IP Address Subnet Mask Gateway IP address (ENET ENCAP only) Enter the gateway IP address provided by your ISP. Connection Nailed-Up Connection...
  • Page 85: Figure 39 Advanced Internet Connection

    Figure 39 Advanced Internet Connection The following table describes the labels in this screen. Table 25 Advanced Internet Connection LABEL DESCRIPTION RIP & Multicast Setup RIP Direction RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers.
  • Page 86: Configuring More Connections

    Table 25 Advanced Internet Connection LABEL DESCRIPTION cell/sec Divide the DSL line rate (bps) by 424 (the size of an ATM cell) to find the Peak Cell Rate (PCR). This is the maximum rate at which the sender can send cells. Type the PCR here.
  • Page 87: More Connections Edit

    Figure 40 More Connections The following table describes the labels in this screen. Table 26 More Connections LABEL Active Name VPI/VCI Encapsulation Modify Apply Cancel 4.6.1 More Connections Edit Click the edit icon in the More Connections screen to configure a Chapter 4 WAN Setup DESCRIPTION This is the index number of a connection.
  • Page 88: Figure 41 More Connections Edit

    Figure 41 More Connections Edit The following table describes the labels in this screen. Table 27 More Connections Edit LABEL Active Name Mode Encapsulation DESCRIPTION Select the check box to activate or clear the check box to deactivate this connection.
  • Page 89 Table 27 More Connections Edit (continued) LABEL User Name Password Service Name Multiplexing IP Address Subnet Mask Gateway IP address Specify a gateway IP address (supplied by your ISP). Connection Nailed-Up Connection Connect on Demand Select Connect on Demand when you don't want the connection up all the time Max Idle Timeout Back Apply...
  • Page 90: Configuring More Connections Advanced Setup

    Table 27 More Connections Edit (continued) LABEL Cancel Advanced Setup 4.6.2 Configuring More Connections Advanced Setup To edit your ZyXEL Device's advanced WAN settings, click the Advanced Setup button in the More Connections Edit screen. The screen appears as shown. Figure 42 More Connections Advanced Setup The following table describes the labels in this screen.
  • Page 91: Traffic Redirect

    Table 28 More Connections Advanced Setup (continued) LABEL DESCRIPTION Peak Cell Rate Divide the DSL line rate (bps) by 424 (the size of an ATM cell) to find the Peak Cell Rate (PCR). This is the maximum rate at which the sender can send cells. Type the PCR here.
  • Page 92: Configuring Wan Backup

    Figure 44 Traffic Redirect LAN Setup 4.8 Configuring WAN Backup To change your ZyXEL Device’s WAN backup settings, click WAN > WAN Backup Setup. The screen appears as shown.
  • Page 93: Figure 45 Wan Backup Setup

    Figure 45 WAN Backup Setup The following table describes the labels in this screen. Table 29 WAN Backup Setup LABEL DESCRIPTION Backup Type Select the method that the ZyXEL Device uses to check the DSL connection. Select DSL Link to have the ZyXEL Device check if the connection to the DSLAM is up.
  • Page 94 Table 29 WAN Backup Setup (continued) LABEL DESCRIPTION Traffic Redirect Traffic redirect forwards traffic to a backup gateway when the ZyXEL Device cannot connect to the Internet. Active Traffic Redirect Select this check box to have the ZyXEL Device use traffic redirect if the normal WAN connection goes down.
  • Page 95: Chapter 5 Lan Setup

    This chapter describes how to configure LAN settings. 5.1 LAN Overview A Local Area Network (LAN) is a shared communication system to which many computers are attached. A LAN is a computer network limited to the immediate area, usually the same building or floor of a building.
  • Page 96: Dhcp Setup

    5.1.2 DHCP Setup DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the ZyXEL Device as a DHCP server or disable it. When configured as a server, the ZyXEL Device provides the TCP/IP configuration for the clients.
  • Page 97: Dns Server Address Assignment

    5.1.4 DNS Server Address Assignment Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it. There are two ways that an ISP disseminates the DNS server addresses.
  • Page 98: Private Ip Addresses

    5.2.1.1 Private IP Addresses Every machine on the Internet must have a unique address. If your networks are isolated from the Internet, for example, only between your two branch offices, you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP addresses specifically for private networks: •...
  • Page 99: Multicast

    5.2.3 Multicast Traditionally, IP packets are transmitted in one of two ways - Unicast (1 sender - 1 recipient) or Broadcast (1 sender - everybody on the network). Multicast delivers IP packets to a group of hosts on the network - not everybody and not just 1. IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group - it is not used to carry user data.
  • Page 100: How Any Ip Works

    Figure 47 Any IP Example The Any IP feature does not apply to a computer using either a dynamic IP address or a static IP address that is in the same subnet as the ZyXEL Device’s IP address. Note: You must enable NAT/SUA to use the Any IP feature on the ZyXEL Device.
  • Page 101: Configuring Lan Ip

    5.3 Configuring LAN IP Click LAN to open the IP screen. See Figure 48 LAN IP The following table describes the fields in this screen. Table 30 LAN IP LABEL DESCRIPTION TCP/IP IP Address Enter the IP address of your ZyXEL Device in dotted decimal notation, for example, 192.168.1.1 (factory default).
  • Page 102: Figure 49 Advanced Lan Setup

    Figure 49 Advanced LAN Setup The following table describes the labels in this screen. Table 31 Advanced LAN Setup LABEL DESCRIPTION RIP & Multicast Setup RIP Direction RIP (Routing Information Protocol, RFC 1058 and RFC 1389) allows a router to exchange routing information with other routers.
  • Page 103: Dhcp Setup

    Table 31 Advanced LAN Setup (continued) LABEL DESCRIPTION Windows Networking (NetBIOS over TCP/IP) NetBIOS (Network Basic Input/Output System) are TCP or UDP packets that enable a computer to connect to and communicate with a LAN. For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls. However it may sometimes be necessary to allow NetBIOS packets to pass through to the WAN in order to find a computer on the WAN.
  • Page 104: Lan Client List

    The following table describes the labels in this screen. Table 32 DHCP Setup LABEL DHCP Setup DHCP IP Pool Starting Address Pool Size Remote DHCP Server DNS Server DNS Servers Assigned by DHCP Server Primary DNS Server Secondary DNS Server Apply...
  • Page 105: Figure 51 Lan Client List

    Figure 51 LAN Client List The following table describes the labels in this screen. Table 33 LAN Client List LABEL DESCRIPTION IP Address Enter the IP address that you want to assign to the computer on your LAN with the MAC address specified below.
  • Page 106: Lan Ip Alias

    5.6 LAN IP Alias IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The ZyXEL Device supports three logical LAN interfaces via its single physical Ethernet interface with the ZyXEL Device itself as the gateway for each LAN network.
  • Page 107: Table 34 Lan Ip Alias

    The following table describes the labels in this screen. Table 34 LAN IP Alias LABEL DESCRIPTION IP Alias 1, 2 Select the check box to configure another LAN network for the ZyXEL Device. IP Address Enter the IP address of your ZyXEL Device in dotted decimal notation. Alternatively, click the right mouse button to copy and/or paste the IP address.
  • Page 109: Chapter 6 Wireless Lan

    This chapter discusses how to configure the wireless network settings in your device (wireless devices only). See the appendices for more detailed information about wireless networks. 6.1 Wireless Network Overview The following figure provides an example of a wireless network. Example of a Wireless Network The wireless network is the part in the blue circle.
  • Page 110: Wireless Security Overview

    • Every device in the same wireless network must use security compatible with the ZyXEL Device. Security stops unauthorized devices from using the wireless network. It can also protect the information that is sent in the wireless network. 6.2 Wireless Security Overview The following sections introduce different types of wireless security you can set up in the wireless network.
  • Page 111: Encryption

    For wireless networks, user names and passwords can be stored in a RADIUS server. This is a server used in businesses more than in homes. If you do not have a RADIUS server, you cannot set up user names and passwords for your users. Unauthorized wireless devices can still see the information that is sent in the wireless network, even if they cannot use the wireless network.
  • Page 112: One-Touch Intelligent Security Technology (Otist)

    When you select WPA2 or WPA2-PSK in your ZyXEL Device, you can also select an option (WPA compatible) to support WPA as well. In this case, if some of the devices support WPA and some support WPA2, you should set up WPA2-PSK or WPA2 (depending on the type of wireless network login) and select the WPA compatible option in the ZyXEL Device.
  • Page 113: Figure 54 Wireless Lan: General

    Figure 54 Wireless LAN: General The following table describes the general wireless LAN labels in this screen. Table 36 Wireless LAN: General LABEL DESCRIPTION Active Wireless Click the check box to activate wireless LAN. Network Name (SSID) (Service Set IDentity) The SSID identifies the Service Set with which a wireless client is associated.
  • Page 114: No Security

    6.4.1 No Security Select No Security to allow wireless clients to communicate with the access points without any data encryption. Note: If you do not enable any wireless security on your ZyXEL Device, your network is accessible to any wireless networking device that is within range. Figure 55 Wireless: No Security The following table describes the labels in this screen.
  • Page 115: Wpa-Psk/Wpa2-Psk

    Figure 56 Wireless: Static WEP Encryption The following table describes the wireless LAN security labels in this screen. Table 38 Wireless: Static WEP Encryption LABEL DESCRIPTION Security Mode Choose Static WEP from the drop-down list box. Passphrase Enter a Passphrase (up to 32 printable characters) and click Generate. The ZyXEL Device automatically generates a WEP key.
  • Page 116: Figure 57 Wireless: Wpa-Psk/Wpa2-Psk

    Figure 57 Wireless: WPA-PSK/WPA2-PSK The following table describes the wireless LAN security labels in this screen. Table 39 Wireless: WPA-PSK/WPA2-PSK LABEL DESCRIPTION Security Mode Choose WPA-PSK or WPA2-PSK from the drop-down list box. WPA Compatible This check box is available only when you select WPA2-PSK or WPA2 in the Security Mode field.
  • Page 117: Wpa/Wpa2

    Table 39 Wireless: WPA-PSK/WPA2-PSK LABEL DESCRIPTION Group Key Update Timer (In Seconds) The Group Key Update Timer is the rate at which the AP (if using WPA-PSK/WPA2-PSK key management) or RADIUS server (if using WPA(2) key management) sends a new group key out to all clients. The re-keying process is the WPA(2) equivalent of automatically changing the WEP key for an AP and all stations in a WLAN on a periodic basis.
  • Page 118: Table 40 Wireless: Wpa/Wpa2

    The following table describes the wireless LAN security labels in this screen. Table 40 Wireless: WPA/WPA2 LABEL DESCRIPTION WPA Compatible This check box is available only when you select WPA2-PSK or WPA2 in the Security Mode field. Select the check box to have both WPA2 and WPA wireless clients be able to communicate with the ZyXEL Device even when the ZyXEL Device is using WPA2-PSK or WPA2.
  • Page 119: Wireless Lan Advanced Setup

    Table 40 Wireless: WPA/WPA2 LABEL DESCRIPTION Cancel Click Cancel to reload the previous configuration for this screen. Advanced Setup Click Advanced Setup to display the Wireless Advanced Setup screen and edit more details of your WLAN setup. 6.4.5 Wireless LAN Advanced Setup To configure advanced wireless settings, click the Advanced Setup button in the General screen.
  • Page 120: Otist

    Table 41 Wireless LAN: Advanced LABEL DESCRIPTION Preamble Select Long preamble if you are unsure what preamble mode the wireless adapters support, and to provide more reliable communications in busy wireless networks. Select Short preamble if you are sure the wireless adapters support it, and to provide more efficient communications.
  • Page 121: Figure 60 Wireless Lan: Otist

    Note: The AP and wireless client(s) MUST use the same Setup key. 6.5.1.1 AP You can enable OTIST using the RESET button or the web configurator. 6.5.1.1.1 Reset button If you use the RESET button, the default (01234567) or previous saved (through the web configurator) Setup key is used to encrypt the settings that you want to transfer.
  • Page 122: Wireless Client

    The following table describes the labels in this screen. Table 42 OTIST LABEL Setup Key Yes! Start 6.5.1.2 Wireless Client On your wireless client, start the ZyXEL utility and click the Adapter tab. Select the OTIST check box, enter the same Setup Key as your AP’s and click Save.
  • Page 123: Starting Otist

    6.5.2 Starting OTIST Note: You must click Start in the AP OTIST web configurator screen and in the wireless client(s) Adapter screen all within three minutes (at the time of writing). You can start OTIST in the wireless clients and AP in any order but they must all be within range and have OTIST enabled.
  • Page 124: Mac Filter

    Figure 66 Start OTIST? 2 If an OTIST-enabled wireless client loses its wireless connection for more than ten seconds, it will search for an OTIST-enabled AP for up to one minute. (If you manually have the wireless client search for an OTIST-enabled AP, there is no timeout; click Cancel in the OTIST progress screen to stop the search.) 3 When the wireless client finds an OTIST-enabled AP, you must still click Start in the AP OTIST web configurator screen or hold in the RESET button (for one to five seconds)
  • Page 125: Figure 67 Mac Address Filter

    Figure 67 MAC Address Filter The following table describes the labels in this menu. Table 43 MAC Address Filter LABEL DESCRIPTION Active MAC Filter Select the check box to enable MAC address filtering. Filter Action Define the filter action for the list of MAC addresses in the MAC Address table. Select Deny to block access to the ZyXEL Device; MAC addresses not listed will be allowed to access the ZyXEL Device...
  • Page 126: Wmm Qos

    6.7 WMM QoS WMM (Wi-Fi MultiMedia) QoS (Quality of Service) allows you to prioritize wireless traffic according to the delivery requirements of individual services. WMM is a part of the IEEE 802.11e QoS enhancement to certified Wi-Fi wireless networks. 6.7.1 WMM QoS Example When WMM QoS is not enabled, all traffic streams are given the same access throughput to the wireless network.
  • Page 127: Services

    6.7.3 Services The commonly used services and port numbers are shown in the following table. Please refer to RFC 1700 for further information about port numbers. Next to the name of the service, two fields appear in brackets. The first field indicates the IP protocol type (TCP, UDP, or ICMP). The second field indicates the IP port number that defines the service.
  • Page 128: Qos Screen

    Table 45 Commonly Used Services SERVICE PING(ICMP:0) POP3(TCP:110) PPTP(TCP:1723) PPTP_TUNNEL(GRE:0) RCMD(TCP:512) REAL_AUDIO(TCP:7070) REXEC(TCP:514) RLOGIN(TCP:513) RTELNET(TCP:107) RTSP(TCP/UDP:554) SFTP(TCP:115) SMTP(TCP:25) SNMP(TCP/UDP:161) SNMP-TRAPS(TCP/UDP:162) SQL-NET(TCP:1521) SSH(TCP/UDP:22) STRM WORKS(UDP:1558) SYSLOG(UDP:514) TACACS(UDP:49) TELNET(TCP:23) TFTP(UDP:69) VDOLIVE(TCP:7000) 6.8 QoS Screen The QoS screen by default allows you to automatically give a service a priority level according to the ToS value in the IP header of the packets it sends.
  • Page 129: Tos (Type Of Service) And Wmm Qos

    6.8.1 ToS (Type of Service) and WMM QoS ToS defines the DS (Differentiated Service) field in the IP packet header. The ToS value of outgoing packets is between 0 and 255. 0 is the lowest priority. WMM QoS checks the ToS in the header of transmitted data packets. It gives the application a priority according to this number.
  • Page 130: Application Priority Configuration

    Table 46 Wireless LAN: QoS LABEL Dest Port Priority Modify Apply Cancel 6.8.2 Application Priority Configuration To edit a WMM QoS application entry, click the edit icon under Modify. The following screen displays. Figure 69 Application Priority Configuration The following table describes the fields in this screen.
  • Page 131 Table 47 Application Priority Configuration LABEL Service Dest Port Priority Apply Cancel DESCRIPTION The following is a description of the applications you can prioritize with WMM QoS. Select a service from the drop-down list box. • File Transfer Program enables fast transfer of files, including large files that may not be possible by e-mail.
  • Page 133: Network Address Translation (Nat) Screens

    Network Address Translation This chapter discusses how to configure NAT on the ZyXEL Device. 7.1 NAT Overview NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet, for example, the source address of an outgoing packet, used within one network to a different IP address known within another network.
  • Page 134: What Nat Does

    7.1.2 What NAT Does In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side. When the response comes back, NAT translates the destination address (the inside global address) back to the inside local address before forwarding it to the original inside host.
  • Page 135: Nat Application

    7.1.4 NAT Application The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyXEL Device can communicate with three distinct WAN networks. More examples follow at the end of this chapter. Figure 71 NAT Application With IP Alias 7.1.5 NAT Mapping Types NAT supports five types of IP/port mapping.
  • Page 136: Sua (Single User Account) Versus Nat

    Port numbers do NOT change for One-to-One and Many-to-Many No Overload NAT mapping types. The following table summarizes these types. Table 49 NAT Mapping Types TYPE One-to-One Many-to-One (SUA/PAT) Many-to-Many Overload Many-to-Many No Overload Server 7.2 SUA (Single User Account) Versus NAT SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server.
  • Page 137: Port Forwarding

    Figure 72 NAT General The following table describes the labels in this screen. Table 50 NAT General LABEL DESCRIPTION Active Network Address Translation (NAT) Select this check box to enable NAT. SUA Only Select this radio button if you have just one public WAN IP address for your ZyXEL Device.
  • Page 138: Default Server Ip Address

    7.4.1 Default Server IP Address In addition to the servers for specified services, NAT supports a default server IP address. A default server receives packets from ports that are not specified in this screen. Note: If you do not assign a Default Server IP address, the ZyXEL Device discards all packets received for ports that are not specified here or in the remote management setup.
  • Page 139: Configuring Port Forwarding

    Figure 73 Multiple Servers Behind NAT Example 7.5 Configuring Port Forwarding Note: The Port Forwarding screen is available only when you select SUA Only in the NAT > General screen. If you do not assign a Default Server IP address, the ZyXEL Device discards all packets received for ports that are not specified here or in the remote management setup.
  • Page 140: Port Forwarding Rule Edit

    The following table describes the fields in this screen. Table 52 Port Forwarding LABEL Default Server Setup Default Server In addition to the servers for specified services, NAT supports a default server. A default server receives packets from ports that are not specified in this screen. If you do not assign a Default Server IP address, the ZyXEL Device discards all packets received for ports that are not specified here or in the remote management setup.
  • Page 141: Address Mapping

    The following table describes the fields in this screen. Table 53 Port Forwarding Rule Setup LABEL Active Click this check box to enable the rule. Service Name Enter a name to identify this port-forwarding rule. Start Port Enter a port number in this field. To forward only one port, enter the port number again in the End Port field.
  • Page 142: Figure 76 Address Mapping Rules

    Figure 76 Address Mapping Rules The following table describes the fields in this screen. Table 54 Address Mapping Rules LABEL DESCRIPTION This is the rule index number. Local Start IP This is the starting Inside Local IP Address (ILA). Local IP addresses are N/A for Server port mapping.
  • Page 143: Address Mapping Rule Edit

    7.6.1 Address Mapping Rule Edit To edit an address mapping rule, click the rule’s edit icon in the Address Mapping screen to display the screen shown next. Figure 77 Edit Address Mapping Rule The following table describes the fields in this screen. Table 55 Edit Address Mapping Rule LABEL Type...
  • Page 144 Table 55 Edit Address Mapping Rule (continued) LABEL DESCRIPTION Back Click Back to return to the previous screen. Apply Click Apply to save your changes back to the ZyXEL Device. Cancel Click Cancel to begin configuring this screen afresh.
  • Page 145: Chapter 8 Firewalls

    This chapter gives some background information on firewalls and introduces the ZyXEL Device firewall. 8.1 Firewall Overview Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another. The networking term “firewall” is a system or group of systems that enforces an access-control policy between two networks.
  • Page 146: Application-Level Firewalls

    8.2.2 Application-level Firewalls Application-level firewalls restrict access by serving as proxies for external servers. Since they use programs written for specific Internet services, such as HTTP, FTP and telnet, they can evaluate network packets for valid application-specific data. Application-level gateways have a number of general advantages over the default mode of permitting application traffic directly to internal hosts: Information hiding prevents the names of internal systems from being made known via DNS...
  • Page 147: Denial Of Service Attacks

    • The LAN (Local Area Network) port attaches to a network of computers, which needs security from the outside world. These computers will have access to Internet services such as e-mail, FTP, and the World Wide Web. However, “inbound access” will not be allowed unless you configure remote management or create a firewall rule to allow a remote host to use a specific service.
  • Page 148: Types Of Dos Attacks

    Table 56 Common IP Ports Telnet SMTP 8.4.2 Types of DoS Attacks There are four types of DoS attacks: 1 Those that exploit bugs in a TCP/IP implementation. 2 Those that exploit weaknesses in the TCP/IP specification. 3 Brute-force attacks that flood a network with useless data.
  • Page 149: Figure 80 Syn Flood

    Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment). After this handshake, a connection is established. •...
  • Page 150: Icmp Vulnerability

    Figure 81 Smurf Attack 8.4.2.1 ICMP Vulnerability ICMP is an error-reporting protocol that works in concert with IP. The following ICMP types trigger an alert: Table 57 ICMP Commands That Trigger Alerts REDIRECT TIMESTAMP_REQUEST TIMESTAMP_REPLY ADDRESS_MASK_REQUEST ADDRESS_MASK_REPLY 8.4.2.2 Illegal Commands (NetBIOS and SMTP) The only legal NetBIOS commands are the following - all others are illegal.
  • Page 151: Traceroute

    8.4.2.3 Traceroute Traceroute is a utility used to determine the path a packet takes between two endpoints. Sometimes when a packet filter firewall is configured incorrectly an attacker can traceroute the firewall gaining knowledge of the network topology inside the firewall. Often, many DoS attacks also employ a technique known as "IP Spoofing"...
  • Page 152: Stateful Inspection Process

    The previous figure shows the ZyXEL Device’s default firewall rules in action as well as demonstrates how stateful inspection works. User A can initiate a Telnet session from within the LAN and responses to this request are allowed. However other Telnet traffic initiated from the WAN is blocked.
  • Page 153: Tcp Security

    • Allow certain types of traffic from the Internet to specific hosts on the LAN. • Allow access to a Web server to everyone but competitors. • Restrict use of certain protocols, such as Telnet, to authorized users on the LAN. These custom rules work by evaluating the network traffic’s Source IP address, Destination IP address, IP protocol type, and comparing these to rules set by the administrator.
  • Page 154: Upper Layer Protocols

    A similar situation exists for ICMP, except that the ZyXEL Device is even more restrictive. Specifically, only outgoing echoes will allow incoming echo replies, outgoing address mask requests will allow incoming address mask replies, and outgoing timestamp requests will allow incoming timestamp replies.
  • Page 155: Packet Filtering Vs Firewall

    • Encourage your company or organization to develop a comprehensive security plan. Good network administration takes into account what hackers can do and prepares against attacks. The best defense against hackers and crackers is information. Educate all employees about the importance of security and how to minimize risk. Produce lists like this one! •...
  • Page 156: When To Use Filtering

    8.7.1.1 When To Use Filtering • To block/allow LAN packets by their MAC addresses. • To block/allow special IP packets which are neither TCP nor UDP, nor ICMP packets. • To block/allow both inbound (WAN to LAN) and outbound (LAN to WAN) traffic between the specific inside host/network "A"...
  • Page 157: Chapter 9 Firewall Configuration

    This chapter shows you how to enable and configure the ZyXEL Device firewall. 9.1 Access Methods The web configurator is, by far, the most comprehensive firewall configuration tool your ZyXEL Device has to offer. For this reason, it is recommended that you configure your firewall using the web configurator.
  • Page 158: Rule Logic Overview

    Note: If you configure firewall rules without a good understanding of how they work, you might inadvertently introduce security risks to the firewall and to the protected network. Make sure you test your rules after you configure them. For example, you may create rules to: •...
  • Page 159: Key Fields For Configuring Rules

    4 Does a rule that allows Internet users access to resources on the LAN create a security vulnerability? For example, if FTP ports (TCP 20, 21) are allowed from the Internet to the LAN, Internet users may be able to connect to computers with running FTP servers. 5 Does this rule conflict with any existing rules? 6 Once these questions have been answered, adding rules is simply a matter of plugging the information into the correct fields in the web configurator screens.
  • Page 160: Lan To Wan Rules

    9.4.1 LAN to WAN Rules The default rule for LAN to WAN traffic is that all users on the LAN are allowed non-restricted access to the WAN. When you configure a LAN to WAN rule, you in essence want to limit some or all users from accessing certain services on the WAN.
  • Page 161: Solving The "Triangle Route" Problem

    As a result, the ZyXEL Device resets the connection, as the connection has not been acknowledged. Figure 84 “Triangle Route” Problem 9.5.2 Solving the “Triangle Route” Problem You can have the ZyXEL Device allow triangle route sessions. However this can allow traffic from the WAN to go directly to a LAN computer without passing through the ZyXEL Device and its firewall protection.
  • Page 162: General Firewall Policy

    9.6 General Firewall Policy Click Security > Firewall to display the following screen. Activate the firewall by selecting the Active Firewall check box as seen in the following screen. Refer to Section 8.1 on page 145 Figure 86 Firewall: General The following table describes the labels in this screen.
  • Page 163: Firewall Rules Summary

    Table 60 Firewall: General (continued) LABEL DESCRIPTION Default Action Use the drop-down list boxes to select the default action that the firewall is to take on packets that are traveling in the selected direction and do not match any of the firewall rules.
  • Page 164: Configuring Firewall Rules

    The following table describes the labels in this screen. Table 61 Firewall Rules LABEL DESCRIPTION Firewall Rules Storage Space in Use This read-only bar shows how much of the ZyXEL Device's memory for recording firewall rules it is currently using. When you are using 80% or less of the storage space, the bar is green.
  • Page 165: Figure 88 Firewall: Edit Rule

    In the Rules screen, select an index number and click Add or click a rule’s Edit icon to display this screen and refer to the following table for information on the labels. Figure 88 Firewall: Edit Rule
  • Page 166: Table 62 Firewall: Edit Rule

    The following table describes the labels in this screen. Table 62 Firewall: Edit Rule LABEL DESCRIPTION Active Select this option to enable this firewall rule. Action for Matched Packet Use the drop-down list box to select what the firewall is to do with packets that match this rule.
  • Page 167: Customized Services

    Table 62 Firewall: Edit Rule (continued) LABEL DESCRIPTION Apply Click Apply to save your customized settings and exit this screen. Cancel Click Cancel to exit this screen without saving. 9.7.2 Customized Services Configure customized services and port numbers not predefined by the ZyXEL Device. For a comprehensive list of port numbers and services, visit the IANA (Internet Assigned Number Authority) web site.
  • Page 168: Configuring A Customized Service

    9.7.3 Configuring A Customized Service Click a rule number in the Firewall Customized Services screen to create a new custom port or edit an existing one. This action displays the following screen. Refer to Section 8.1 on page 145 Figure 90 Firewall: Configure Customized Services The following table describes the labels in this screen.
  • Page 169: Figure 91 Firewall Example: Rules

    Figure 91 Firewall Example: Rules 3 In the Rules screen, select the index number after which you want to add the rule. For example, if you select “6”, your new rule becomes number 7 and the previous rule 7 (if there is one) becomes rule 8.
  • Page 170: Figure 93 Firewall Example: Edit Rule: Destination Address

    Figure 93 Firewall Example: Edit Rule: Destination Address 9 Use the Add >> and Remove buttons between Available Services and Selected Services list boxes to configure it as follows. Click Apply when you are done. Note: Custom services show up with an “*” before their names in the Services list box and the Rules list box.
  • Page 171: Figure 94 Firewall Example: Edit Rule: Select Customized Services

    Figure 94 Firewall Example: Edit Rule: Select Customized Services On completing the configuration procedure for this Internet firewall rule, the Rules screen should look like the following. Rule 1 allows a “MyService” connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN.
  • Page 172: Predefined Services

    Figure 95 Firewall Example: Rules: MyService 9.9 Predefined Services The Available Services list box in the Edit Rule screen (see displays all predefined services that the ZyXEL Device already supports. Next to the name of the service, two fields appear in brackets. The first field indicates the IP protocol type (TCP, UDP, or ICMP).
  • Page 173 Table 65 Predefined Services (continued) SERVICE H.323(TCP:1720) HTTP(TCP:80) HTTPS ICQ(UDP:4000) IPSEC_TRANSPORT/TUNNEL(AH:0) IPSEC_TUNNEL(ESP:0) IRC(TCP/UDP:6667) MSN Messenger(TCP:1863) MULTICAST(IGMP:0) NEWS(TCP:144) NFS(UDP:2049) NNTP(TCP:119) PING(ICMP:0) POP3(TCP:110) PPTP(TCP:1723) PPTP_TUNNEL(GRE:0) RCMD(TCP:512) REAL_AUDIO(TCP:7070) REXEC(TCP:514) RLOGIN(TCP:513) RTELNET(TCP:107) RTSP(TCP/UDP:554) SFTP(TCP:115) SMTP(TCP:25) SNMP(TCP/UDP:161) SNMP-TRAPS(TCP/UDP:162) SQL-NET(TCP:1521) DESCRIPTION Net Meeting uses this protocol.
  • Page 174: Anti-Probing

    P-661H/HW Series User’s Guide Table 65 Predefined Services (continued) SERVICE SSDP(UDP:1900) SSH(TCP/UDP:22) STRMWORKS(UDP:1558) SYSLOG(UDP:514) TACACS(UDP:49) TELNET(TCP:23) TFTP(UDP:69) VDOLIVE(TCP:7000) 9.10 Anti-Probing If an outside user attempts to probe an unsupported port on your ZyXEL Device, an ICMP response packet is automatically returned. This allows the outside user to know the ZyXEL Device exists.
  • Page 175: Dos Thresholds

    The following table describes the labels in this screen. Table 66 Firewall: Anti Probing LABEL DESCRIPTION Respond to PING The ZyXEL Device does not respond to any incoming Ping requests when Disable is selected. Select LAN to reply to incoming LAN Ping requests. Select WAN to reply to incoming WAN Ping requests.
  • Page 176: Half-Open Sessions

    P-661H/HW Series User’s Guide If your network is slower than average for any of these factors (especially if you have servers that are slow or handle many tasks and are often busy), then the default values should be reduced. You should make any changes to the threshold values before you continue configuring firewall rules.
  • Page 177: Configuring Firewall Thresholds

    9.11.3 Configuring Firewall Thresholds The ZyXEL Device also sends alerts whenever TCP Maximum Incomplete is exceeded. The global values specified for the threshold and timeout apply to all TCP connections. Click Firewall, and Threshold to bring up the next screen. Figure 97 Firewall: Threshold The following table describes the labels in this screen.
  • Page 178 Table 67 Firewall: Threshold (continued) LABEL DESCRIPTION Maximum Incomplete Low This is the number of existing half-open sessions that causes the firewall to stop deleting half-open sessions. The ZyXEL Device continues to delete half-open requests as necessary, until the number of existing half-open sessions drops below this number.
  • Page 179: Trend Micro Security Services

    Trend Micro Security Services This chapter contains information about configuring Trend Micro Security Services (TMSS). 10.1 Trend Micro Security Services Overview TMSS helps protect computers on a network that access the Internet through the ZyXEL Device. TMSS scans computers behind the ZyXEL Device for potential vulnerabilities such as spyware, missing security patches, trojans, etc.
  • Page 180: Figure 99 Download Activex To View Tmss Web Page

    P-661H/HW Series User’s Guide Figure 99 Download ActiveX to View TMSS Web Page 2 In the TMSS web page, click Service Summary. Figure 100 TMSS Web Page (Dashboard) 3 Click Activate My Services to begin a 3-step process to activate TMSS. Figure 101 TMSS Service Summary 4 Click Next to begin the process as outlined in the screen.
  • Page 181: Figure 102 Tmss 3 Steps

    Figure 102 TMSS 3 Steps 5 Fill in the registration form and submit it. Figure 103 TMSS Registration Form 6 After you submit the registration form, you will receive an e-mail with instructions for validating your e-mail address. Follow the instructions. 7 Download TMSS to each computer (behind the ZyXEL Device) that you want TMSS to monitor.
  • Page 182: Configuring Tmss On The Zyxel Device

    Figure 104 Example TMSS Activated Service Summary Screen You need a Parental Control license to activate and configure Parental Control categories on the ZyXEL Device (see Figure 110 on page Parental Control screen with TMSS activated. Figure 105 Example TMSS Activated Parental Controls Screen After the free trial expires, you can buy the Trend Micro Internet Security (TIS) package, which contains anti-virus software and a license for Parental Control (to forbid access to undesirable web site content based on pre-defined web site categories).
  • Page 183: Figure 106 General Tmss Settings

    Figure 106 General TMSS Settings The following table describes the labels in this screen. Table 68 General TMSS Settings LABEL TMSS & Parental Control Setup Enable Trend Micro Security Services Enable Parental Controls Select the check box to enable this feature on your ZyXEL Device. Security Services Display Interval Automatically display...
  • Page 184: Tmss Exception List

    P-661H/HW Series User’s Guide Table 68 General TMSS Settings LABEL Apply Reset 10.2.2 TMSS Exception List Use this screen to exempt computers from TMSS monitoring. Click Security > TMSS > Exception List to display the screen. Note: At the time of writing, TMSS may monitor up to 10 ZyXEL Device LAN computers with TMSS installed.
  • Page 185: Tmss Virus Protection

    Table 69 TMSS Exception List LABEL Apply Cancel 10.3 TMSS Virus Protection Use this screen to look at the status of computers under TMSS monitoring. Click Security > TMSS > Virus Protection to display the screen. Figure 108 Virus Protection The following table describes the labels in this screen.
  • Page 186: Parental Controls

    P-661H/HW Series User’s Guide Table 70 Virus Protection (continued) LABEL Status Refresh 10.4 Parental Controls Use this screen to schedule and block web pages based on pre-defined web site categories such as pornography, gambling, etc. Note: You need a Trend Micro Parental Control license in order to configure this screen.
  • Page 187: Figure 110 Parental Controls

    Figure 110 Parental Controls The following table describes the labels in this screen. Table 71 Parental Controls LABEL Restrict Web Features Blocking Schedule Day to Block Time of Day to Block (24-Hour Format) DESCRIPTION Select the web features you want to disable.
  • Page 188: Parental Controls Statistics

    P-661H/HW Series User’s Guide Table 71 Parental Controls LABEL Select Categories Pornography Illegal/Questionable Violence/Hate/Racism Illegal Drugs Alcohol/Tobacco Gambling Abortion Apply Statistics Reset 10.4.1 Parental Controls Statistics This screen displays a record of attempted entries to web pages or actual entries to web pages from a list of categories.
  • Page 189: Activex Controls In Internet Explorer

    Figure 111 Parental Controls Statistics The following table describes the labels in this screen. Table 72 Parental Controls Statistics LABEL Category Access Attempts Actual Accesses Cancel Refresh 10.5 ActiveX Controls in Internet Explorer If ActiveX is disabled, you will not be able to download ActiveX controls or to use Trend Micro Security Services.
  • Page 190: Figure 112 Internet Options Security

    P-661H/HW Series User’s Guide Figure 112 Internet Options Security 3 Scroll down to ActiveX controls and plug-ins. 4 Under Download signed ActiveX controls select the Prompt radio button. 5 Under Run ActiveX controls and plug-ins make sure the Enable radio button is selected.
  • Page 191: Figure 113 Security Setting Activex Controls

    Figure 113 Security Setting ActiveX Controls
  • Page 193: Chapter 11 Content Filtering

    This chapter covers how to configure content filtering. 11.1 Content Filtering Overview Internet content filtering allows you to create and enforce Internet access policies tailored to your needs. Content filtering gives you the ability to block web sites that contain key words (that you specify) in the URL.
  • Page 194: Configuring The Schedule

    P-661H/HW Series User’s Guide The following table describes the labels in this screen. Table 73 Content Filter: Keyword LABEL Active Keyword Blocking Block Websites that contain these keywords in the URL: Delete Clear All Keyword Add Keyword Apply Cancel 11.3 Configuring the Schedule To set the days and times for the ZyXEL Device to perform content filtering, click Security >...
  • Page 195: Configuring Trusted Computers

    The following table describes the labels in this screen. Table 74 Content Filter: Schedule LABEL DESCRIPTION Schedule Select Active Everyday to Block to make the content filtering active every day. Otherwise, select Edit Daily to Block and configure which days of the week (or every day) and which time of the day you want the content filtering to be active.
  • Page 197: Chapter 12 Introduction To Ipsec

    This chapter introduces the basics of IPSec VPNs. 12.1 VPN Overview A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication.
  • Page 198: Data Confidentiality

    P-661H/HW Series User’s Guide Figure 117 Encryption and Decryption 12.1.3.2 Data Confidentiality The IPSec sender can encrypt packets before transmitting them across a network. 12.1.3.3 Data Integrity The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has not been altered during transmission.
  • Page 199: Ipsec Architecture

    12.2 IPSec Architecture The overall IPSec architecture is shown as follows. Figure 118 IPSec Architecture 12.2.1 IPSec Algorithms The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms).
  • Page 200: Transport Mode

    P-661H/HW Series User’s Guide Figure 119 Transport and Tunnel Mode IPSec Encapsulation 12.3.1 Transport Mode Transport mode is used to protect upper layer protocols and only affects the data in the IP packet. In Transport mode, the IP packet contains the security protocol (AH or ESP) located after the original IP header and options, but before any upper layer protocols contained in the packet (such as TCP and UDP).
  • Page 201: Table 76 Vpn And Nat

    NAT is incompatible with the AH protocol in both Transport and Tunnel mode. An IPSec VPN using the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet. When using AH protocol, packet contents (the data payload) are not encrypted.
  • Page 203: Chapter 13 Vpn Screens

    This chapter introduces the VPN screens. See the Logs chapter for information on viewing logs and the appendix for IPSec log descriptions. 13.1 VPN/IPSec Overview Use the screens documented in this chapter to configure rules for VPN connections and manage VPN connections. 13.2 IPSec Algorithms The ESP and AH protocols are necessary to create a Security Association (SA), the foundation of an IPSec VPN.
  • Page 204: My Ip Address

    P-661H/HW Series User’s Guide Table 77 AH and ESP DES (default) Data Encryption Standard (DES) is a widely used method of data encryption using a private (secret) key. DES applies a 56-bit key to each 64-bit block of data. 3DES Triple DES (3DES) is a variant of DES, which iterates three times with three separate keys ENCRYPTION...
  • Page 205: Secure Gateway Address

    13.4 Secure Gateway Address Secure Gateway Address is the WAN IP address or domain name of the remote IPSec router (secure gateway). If the remote secure gateway has a static WAN IP address, enter it in the Secure Gateway Address field. You may alternatively enter the remote secure gateway’s domain name (if it has one) in the Secure Gateway Address field.
  • Page 206: Figure 121 Vpn Setup

    P-661H/HW Series User’s Guide Figure 121 VPN Setup The following table describes the fields in this screen. Table 78 VPN Setup LABEL DESCRIPTION This is the VPN policy index number. Click a number to edit VPN policies. Active This field displays whether the VPN policy is active or not. A Yes signifies that this VPN policy is active.
  • Page 207: Keep Alive

    Table 78 VPN Setup LABEL DESCRIPTION Modify Click the Edit icon to go to the screen where you can edit the VPN configuration. Click the Remove icon to remove an existing VPN configuration. Back Click Back to return to the previous screen. 13.6 Keep Alive When you initiate an IPSec tunnel with keep alive enabled, the ZyXEL Device automatically renegotiates the tunnel when the IPSec SA lifetime period expires (see...
  • Page 208: Remote Dns Server

    P-661H/HW Series User’s Guide Figure 122 NAT Router Between IPSec Routers Normally you cannot set up an IKE SA with a NAT router between the two IPSec routers because the NAT router changes the header of the IPSec packet. NAT traversal solves the problem by adding a UDP port 500 header to the IPSec packet.
  • Page 209: Id Type And Content

    The following figure depicts an example where three VPN tunnels are created from ZyXEL Device A; one to branch office 2, one to branch office 3 and another to headquarters. In order to access computers that use private domain names on the headquarters (HQ) network, the ZyXEL Device at branch office 1 uses the Intranet DNS server in headquarters.
  • Page 210: Id Type And Content Examples

    P-661H/HW Series User’s Guide The type of ID can be a domain name, an IP address or an e-mail address. The content is the IP address, domain name, or e-mail address. Table 80 Local ID Type and Content Fields LOCAL ID TYPE= CONTENT= Type the IP address of your computer or leave the field blank to have the ZyXEL Device automatically use its own IP address.
  • Page 211: Pre-Shared Key

    Table 82 Matching ID Type and Content Configuration Example ZYXEL DEVICE A Peer ID type: IP Peer ID content: 1.1.1.2 The two ZyXEL Devices in this example cannot complete their negotiation because ZyXEL Device B’s Local ID type is IP, but ZyXEL Device A’s Peer ID type is set to E-mail. An “ID mismatched”...
  • Page 212: Figure 124 Edit Vpn Policies

    P-661H/HW Series User’s Guide Figure 124 Edit VPN Policies The following table describes the fields in this screen. Table 84 Edit VPN Policies LABEL DESCRIPTION IPSec Setup Active Select this check box to activate this VPN policy. This option determines whether a VPN rule is applied before a packet leaves the firewall.
  • Page 213 Table 84 Edit VPN Policies LABEL DESCRIPTION NAT Traversal This function is available if the VPN protocol is ESP. Select this check box if you want to set up a VPN tunnel when there are NAT routers between the ZyXEL Device and remote IPSec router. The remote IPSec router must also enable NAT traversal, and the NAT routers have to forward UDP port 500 packets to the remote IPSec router behind the NAT router.
  • Page 214 P-661H/HW Series User’s Guide Table 84 Edit VPN Policies LABEL DESCRIPTION Remote Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. The remote fields do not apply when the Secure Gateway IP Address field is configured to 0.0.0.0. In this case only the remote IPSec router can initiate the VPN.
  • Page 215 Table 84 Edit VPN Policies LABEL DESCRIPTION Peer ID Type Select IP to identify the remote IPSec router by its IP address. Select DNS to identify the remote IPSec router by a domain name. Select E-mail to identify the remote IPSec router by an e-mail address. Content The configuration of the peer content depends on the peer ID type.
  • Page 216: Ike Phases

    Table 84 Edit VPN Policies LABEL DESCRIPTION Encryption Algorithm Select DES, 3DES, AES or NULL from the drop-down list box. When you use one of these encryption algorithms for data communications, both the sending device and the receiving device must use the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code.
  • Page 217: Negotiation Mode

    • Choose an authentication algorithm. • Choose a Diffie-Hellman public-key cryptography key group (DH1 or DH2). • Set the IKE SA lifetime. This field allows you to determine how long an IKE SA should stay up before it times out. An IKE SA times out when the IKE SA lifetime period expires.
  • Page 218: Diffie-Hellman (Dh) Key Groups

    P-661H/HW Series User’s Guide 13.12.2 Diffie-Hellman (DH) Key Groups Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communications channel. Diffie-Hellman is used within IKE SA setup to establish session keys. 768-bit (Group 1 - DH1) and 1024-bit (Group 2 – DH2) Diffie-Hellman groups are supported.
  • Page 219: Figure 126 Advanced Vpn Policies

    Figure 126 Advanced VPN Policies The following table describes the fields in this screen. Table 85 Advanced VPN Policies LABEL DESCRIPTION VPN - IKE Protocol Enter 1 for ICMP, 6 for TCP, 17 for UDP, etc. 0 is the default and signifies any protocol.
  • Page 220 P-661H/HW Series User’s Guide Table 85 Advanced VPN Policies (continued) LABEL DESCRIPTION Negotiation Mode Select Main or Aggressive from the drop-down list box. Multiple SAs connecting through a secure gateway must have the same negotiation mode. Pre-Shared Key Type your pre-shared key in this field. A pre-shared key identifies a communicating party during a phase 1 IKE negotiation.
  • Page 221: Manual Key Setup

    Table 85 Advanced VPN Policies (continued) LABEL DESCRIPTION Authentication Algorithm Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower.
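A pre-deployment check for the matching rules this chapter describes (Local/Peer ID pairing, NAT traversal only with ESP and enabled on both ends) plus the general IKE requirement that both ends use the same pre-shared key and phase 1 algorithms. This is an added example, not ZyXEL code: the `VpnPolicy` field names and the sample values are assumptions modelled on the screen labels, and the warnings reflect the key sizes the manual states for DES and DH1 and its remark that SHA1 is stronger than MD5.

```python
from dataclasses import dataclass, replace

# Options the manual itself describes as the smaller or weaker choice.
WEAK = {
    "encryption": {"DES": "56-bit key", "NULL": "no encryption"},
    "authentication": {"MD5": "manual rates SHA1 as stronger"},
    "key_group": {"DH1": "768-bit group"},
}


@dataclass(frozen=True)
class VpnPolicy:
    """One end of an IKE tunnel; field names are assumptions, not a ZyXEL API."""
    name: str
    protocol: str          # "ESP" or "AH"
    nat_traversal: bool
    pre_shared_key: str
    local_id_type: str     # "IP", "DNS" or "E-mail"
    local_id_content: str
    peer_id_type: str
    peer_id_content: str
    encryption: str        # "DES", "3DES", "AES" or "NULL"
    authentication: str    # "SHA1" or "MD5"
    key_group: str         # "DH1" or "DH2"


def check_pair(a, b):
    """Return a list of (level, message) findings for the two ends of a tunnel."""
    findings = []
    # Each end's Peer ID must describe what the other end sends as its Local ID.
    for near, far in ((a, b), (b, a)):
        if near.peer_id_type != far.local_id_type:
            findings.append(("error", f"ID mismatched: {near.name} expects peer ID type "
                             f"{near.peer_id_type}, {far.name} sends {far.local_id_type}"))
        elif far.local_id_type == "IP" and not far.local_id_content:
            # Blank IP content means the device sends its own IP address.
            findings.append(("warn", f"{far.name} Local ID content is blank; confirm its "
                             f"own IP equals {near.name} Peer ID content"))
        elif near.peer_id_content != far.local_id_content:
            findings.append(("error", f"ID mismatched: {near.name} Peer ID content differs "
                             f"from {far.name} Local ID content"))
    # Never echo the key itself into findings or logs.
    if a.pre_shared_key != b.pre_shared_key:
        findings.append(("error", "pre-shared keys differ"))
    for field in ("encryption", "authentication", "key_group"):
        if getattr(a, field) != getattr(b, field):
            findings.append(("error", f"{field} differs between {a.name} and {b.name}"))
    if a.nat_traversal != b.nat_traversal:
        findings.append(("error", "NAT traversal must be enabled on both ends"))
    for p in (a, b):
        if p.nat_traversal and p.protocol != "ESP":
            findings.append(("error", f"{p.name}: NAT traversal requires ESP, not {p.protocol}"))
        for field, weak in WEAK.items():
            value = getattr(p, field)
            if value in weak:
                findings.append(("warn", f"{p.name}: {field} {value} ({weak[value]})"))
    return findings


def errors(findings):
    """Keep only the findings that would stop the tunnel from coming up."""
    return [msg for level, msg in findings if level == "error"]


# Constructed sample: Device A expects an E-mail peer ID while Device B sends IP.
DEVICE_A = VpnPolicy("A", "ESP", False, "constructed-sample-key", "IP", "1.1.1.1",
                     "E-mail", "bob@example.com", "DES", "MD5", "DH1")
DEVICE_B = VpnPolicy("B", "ESP", False, "constructed-sample-key", "IP", "1.1.1.2",
                     "IP", "1.1.1.1", "DES", "MD5", "DH1")
# Corrected pair: matching IDs and the stronger options on both ends.
DEVICE_A_FIXED = replace(DEVICE_A, peer_id_type="IP", peer_id_content="1.1.1.2",
                         encryption="3DES", authentication="SHA1", key_group="DH2")
DEVICE_B_FIXED = replace(DEVICE_B, encryption="3DES", authentication="SHA1",
                         key_group="DH2")

if __name__ == "__main__":
    for level, message in check_pair(DEVICE_A, DEVICE_B):
        print(f"{level:5} {message}")
```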
  • Page 222: Figure 127 Vpn: Manual Key

    P-661H/HW Series User’s Guide Figure 127 VPN: Manual Key The following table describes the fields in this screen. Table 86 VPN: Manual Key LABEL DESCRIPTION IPSec Setup Active Select this check box to activate this VPN policy. Name Type up to 32 characters to identify this VPN policy. You may use any character, including spaces, but the ZyXEL Device drops trailing spaces.
  • Page 223 Table 86 VPN: Manual Key (continued) LABEL DESCRIPTION DNS Server (for IPSec VPN) If there is a private DNS server that services the VPN, type its IP address here. The ZyXEL Device assigns this additional DNS server to the ZyXEL Device's DHCP clients that have IP addresses in this IPSec rule's range of local addresses.
  • Page 224: Viewing Sa Monitor

    P-661H/HW Series User’s Guide Table 86 VPN: Manual Key (continued) LABEL DESCRIPTION My IP Address Enter the WAN IP address of your ZyXEL Device. The VPN tunnel has to be rebuilt if this IP address changes. The following applies if this field is configured as 0.0.0.0: The ZyXEL Device uses the current ZyXEL Device WAN IP address (static or dynamic) to set up the VPN tunnel.
  • Page 225: Configuring Global Setting

    When there is outbound traffic but no inbound traffic, the SA times out automatically after two minutes. A tunnel with no outbound or inbound traffic is "idle" and does not timeout until the SA lifetime period expires. See Device renegotiate an IPSec SA when the SA lifetime expires, even if there is no traffic. Figure 128 VPN: SA Monitor The following table describes the fields in this screen.
  • Page 226: Telecommuter Vpn/Ipsec Examples

    P-661H/HW Series User’s Guide Figure 129 VPN: Global Setting The following table describes the fields in this screen. Table 88 VPN: Global Setting LABEL Windows Networking (NetBIOS over TCP/IP) Allow NetBIOS Traffic Through All IPSec Tunnels Apply Cancel 13.18 Telecommuter VPN/IPSec Examples The following examples show how multiple telecommuters can make VPN connections to a single ZyXEL Device at headquarters.
  • Page 227: Telecommuters Using Unique Vpn Rules Example

    Figure 130 Telecommuters Sharing One VPN Rule Example Table 89 Telecommuters Sharing One VPN Rule Example FIELDS TELECOMMUTERS My IP Address: 0.0.0.0 (dynamic IP address assigned by the ISP) Secure Gateway IP Address: Public static IP address Local IP Address: Telecommuter A: 192.168.2.12 Telecommuter B: 192.168.3.2 Telecommuter C: 192.168.4.15...
  • Page 228: Figure 131 Telecommuters Using Unique Vpn Rules Example

    P-661H/HW Series User’s Guide Figure 131 Telecommuters Using Unique VPN Rules Example Table 90 Telecommuters Using Unique VPN Rules Example TELECOMMUTERS All Telecommuter Rules: My IP Address 0.0.0.0 Secure Gateway Address: bigcompanyhq.com Remote IP Address: 192.168.1.10 Peer ID Type: E-mail Peer ID Content: bob@bigcompanyhq.com Telecommuter A (telecommutera.dydns.org) Local ID Type: IP...
  • Page 229: Vpn And Remote Management

    13.19 VPN and Remote Management If a VPN tunnel uses Telnet, FTP or WWW, then you should configure remote management (Remote Management) to allow access for that service.
  • Page 231: Chapter 14 Static Route

    This chapter shows you how to configure static routes for your ZyXEL Device. 14.1 Static Route Each remote node specifies only the network to which the gateway is directly connected, and the ZyXEL Device has no knowledge of the networks beyond. For instance, the ZyXEL Device knows about network N2 in the following figure through remote node Router 1.
  • Page 232: Static Route Edit

    P-661H/HW Series User’s Guide Figure 133 Static Route The following table describes the labels in this screen. Table 91 Static Route LABEL DESCRIPTION This is the number of an individual static route. Active This field shows whether this static route is active (Yes) or not (No). Name This is the name that describes or identifies this route.
  • Page 233: Figure 134 Static Route Edit

    Figure 134 Static Route Edit The following table describes the labels in this screen. Table 92 Static Route Edit LABEL DESCRIPTION Active This field allows you to activate/deactivate this static route. Route Name Enter the name of the IP static route. Leave this field blank to delete this static route. Destination IP This parameter specifies the IP network address of the final destination.
  • Page 235: Chapter 15 Bandwidth Management

    Bandwidth Management This chapter contains information about configuring bandwidth management, editing rules and viewing the ZyXEL Device’s bandwidth management logs. 15.1 Bandwidth Management Overview ZyXEL’s Bandwidth Management allows you to specify bandwidth management rules based on an application and/or subnet. You can allocate specific amounts of bandwidth capacity (bandwidth budgets) to different bandwidth rules.
  • Page 236: Application And Subnet-Based Bandwidth Management

    P-661H/HW Series User’s Guide Figure 135 Subnet-based Bandwidth Management Example 15.4 Application and Subnet-based Bandwidth Management You could also create bandwidth classes based on a combination of a subnet and an application. The following example table shows bandwidth allocations for application specific traffic from separate LAN subnets.
  • Page 237: Fairness-Based Scheduler

    15.5.2 Fairness-based Scheduler The ZyXEL Device divides bandwidth equally among bandwidth classes when using the fairness-based scheduler; thus preventing one bandwidth class from using all of the interface’s bandwidth. 15.6 Maximize Bandwidth Usage The maximize bandwidth usage option (see Device to divide up any available bandwidth on the interface (including unallocated bandwidth and any allocated bandwidth that a class is not using) among the bandwidth classes that require more bandwidth.
  • Page 238: Maximize Bandwidth Usage Example

    P-661H/HW Series User’s Guide 15.6.2 Maximize Bandwidth Usage Example Here is an example of a ZyXEL Device that has maximize bandwidth usage enabled on an interface. The following table shows each bandwidth class’s bandwidth budget. The classes are set up based on subnets. The interface is set to 10240 kbps. Each subnet is allocated 2048 kbps.
  • Page 239: Fairness-Based Allotment Of Unused And Unbudgeted Bandwidth

    • Research requires more bandwidth but only gets its budgeted 2048 kbps because all of the unbudgeted and unused bandwidth goes to the higher priority sales and marketing classes. 15.6.2.2 Fairness-based Allotment of Unused and Unbudgeted Bandwidth The following table shows the amount of bandwidth that each class gets. Table 96 Fairness-based Allotment of Unused and Unbudgeted Bandwidth Example BANDWIDTH CLASSES AND ALLOTMENTS Root Class: 10240 kbps...
  • Page 240: Bandwidth Management Priorities

    P-661H/HW Series User’s Guide 15.6.4 Bandwidth Management Priorities The following table describes the priorities that you can apply to traffic that the ZyXEL Device forwards out through an interface. Table 98 Bandwidth Management Priorities PRIORITY LEVELS: TRAFFIC WITH A HIGHER PRIORITY GETS THROUGH FASTER WHILE TRAFFIC WITH A LOWER PRIORITY IS DROPPED IF THE NETWORK IS CONGESTED.
  • Page 241: Bandwidth Management Rule Setup

    Table 99 Media Bandwidth Management: Summary (continued) LABEL DESCRIPTION Speed (kbps) Enter the amount of bandwidth for this interface that you want to allocate using bandwidth management. This appears as the bandwidth budget of the interface’s root class. The recommendation is to set this speed to match the interface’s actual transmission speed.
  • Page 242: Figure 137 Bandwidth Management: Rule Setup

    P-661H/HW Series User’s Guide Figure 137 Bandwidth Management: Rule Setup The following table describes the labels in this screen. Table 100 Bandwidth Management: Rule Setup LABEL DESCRIPTION Direction Select the direction of traffic to which you want to apply bandwidth management. Service Select a service for your rule or you can select User define to go to the screen where you can define your own.
  • Page 243: Rule Configuration

    15.8.1 Rule Configuration Click the Edit icon or select User define in the Service field to configure a bandwidth management rule. Use bandwidth rules to allocate specific amounts of bandwidth capacity (bandwidth budgets) to specific applications and/or subnets. Figure 138 Bandwidth Management Rule Configuration The following table describes the labels in this screen.
  • Page 244 P-661H/HW Series User’s Guide Table 101 Bandwidth Management Rule Configuration (continued) LABEL Use All Managed Bandwidth Filter Configuration Service Destination Address Enter the destination IP address in dotted decimal notation. Destination Subnet Netmask Destination Port Source Address Source Subnet Netmask Source Port Protocol Back...
  • Page 245: Bandwidth Monitor

    Table 102 Services and Port Numbers SERVICES ECHO FTP (File Transfer Protocol) SMTP (Simple Mail Transfer Protocol) DNS (Domain Name System) Finger HTTP (Hyper Text Transfer protocol or WWW, Web) POP3 (Post Office Protocol) NNTP (Network News Transport Protocol) SNMP (Simple Network Management Protocol) SNMP trap PPTP (Point-to-Point Tunneling Protocol) 15.9 Bandwidth Monitor...
  • Page 247: Chapter 16 Dynamic Dns Setup

    This chapter discusses how to configure your ZyXEL Device to use Dynamic DNS. 16.1 Dynamic DNS Overview Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You can also access your FTP server or Web site on your own computer using a domain name (for instance myhost.dhs.org, where myhost is a name of your choice) that will never change instead of using an IP address that changes each time you reconnect.
  • Page 248: Figure 140 Dynamic Dns

    P-661H/HW Series User’s Guide Figure 140 Dynamic DNS The following table describes the fields in this screen. Table 103 Dynamic DNS LABEL DESCRIPTION Dynamic DNS Setup Active Dynamic Select this check box to use dynamic DNS. Service Provider This is the name of your Dynamic DNS service provider. Dynamic DNS Select the type of service that you are registered for from your Dynamic DNS Type...
  • Page 249 Table 103 Dynamic DNS (continued) LABEL DESCRIPTION Dynamic DNS server auto detect IP Select this option only when there are one or more NAT routers between the ZyXEL Device and the DDNS server. This feature has the DDNS server automatically detect and use the IP address of the NAT router that has a public IP address.
  • Page 251: Remote Management Configuration

    This chapter provides information on configuring remote management. 17.1 Remote Management Overview Remote management allows you to determine which services/protocols can access which ZyXEL Device interface (if any) from which computers. Note: When you configure remote management to allow management from the WAN, you still need to configure a firewall rule to allow access.
  • Page 252: Remote Management And Nat

    P-661H/HW Series User’s Guide • The IP address in the Secured Client IP field does not match the client IP address. If it does not match, the ZyXEL Device will disconnect the session immediately. • There is already another remote management session with an equal or higher priority running.
  • Page 253: Telnet

    The following table describes the labels in this screen. Table 104 Remote Management: WWW LABEL DESCRIPTION Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management. Access Status Select the interface(s) through which a computer may access the ZyXEL Device using this service.
  • Page 254: Configuring Ftp

    P-661H/HW Series User’s Guide Figure 143 Remote Management: Telnet The following table describes the labels in this screen. Table 105 Remote Management: Telnet LABEL Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management.
  • Page 255: Snmp

    Figure 144 Remote Management: FTP The following table describes the labels in this screen. Table 106 Remote Management: FTP LABEL DESCRIPTION Port You may change the server port number for a service if needed, however you must use the same port number in order to use that service for remote management. Access Status Select the interface(s) through which a computer may access the ZyXEL Device using this service.
  • Page 256: Supported Mibs

    P-661H/HW Series User’s Guide Figure 145 SNMP Management Model An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyXEL Device). An agent translates the local management information from the managed device into a form compatible with SNMP.
  • Page 257: Snmp Traps

    17.6.2 SNMP Traps The ZyXEL Device will send traps to the SNMP manager when any one of the following events occurs: Table 107 SNMPv1 Traps TRAP # TRAP NAME coldStart (defined in RFC-1215) warmStart (defined in RFC-1215) whyReboot (defined in ZYXEL-MIB) For intentional reboot: For fatal error:...
  • Page 258: Figure 146 Remote Management: Snmp

    Figure 146 Remote Management: SNMP The following table describes the labels in this screen. Table 109 Remote Management: SNMP LABEL SNMP Port Access Status Secured Client IP SNMP Configuration Get Community Set Community Trap Community Destination Apply Cancel DESCRIPTION...
  • Page 259: Configuring Dns

    17.7 Configuring DNS Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa. Refer to the chapter on LAN for background information. To change your ZyXEL Device’s DNS settings, click Advanced > Remote MGMT > DNS. The screen appears as shown.
  • Page 260: Figure 148 Remote Management: Icmp

    If an outside user attempts to probe an unsupported port on your ZyXEL Device, an ICMP response packet is automatically returned. This allows the outside user to know the ZyXEL Device exists. Your ZyXEL Device supports anti-probing, which prevents the ICMP response packet from being sent.
  • Page 261: P-661H Only)

    17.9 TR-069 (P-661H Only) TR-069 is a protocol that defines how your ZyXEL Device can be managed via a management server such as ZyXEL’s Vantage CNM Access. An administrator can use CNM Access to remotely set up the ZyXEL Device, modify settings, perform firmware upgrades as well as monitor and diagnose the ZyXEL Device.
  • Page 262 Table 112 TR-069 Commands Command or Root Subdirectory Command Description periodicEnable [0:Disable/1:Enable] Whether or not the device must periodically send information to CNM Access. It is recommended to set this value to 1 in order for the ZyXEL Device to send information to CNM Access.
  • Page 263: Universal Plug-And-Play (Upnp)

    Universal Plug-and-Play (UPnP) This chapter introduces the UPnP feature in the web configurator. 18.1 Introducing Universal Plug and Play Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities and learn about other devices on the network.
  • Page 264: Cautions With Upnp

    18.1.3 Cautions with UPnP The automated nature of NAT traversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments. All UPnP-enabled devices may communicate freely with each other without additional configuration.
  • Page 265: Installing Upnp In Windows Example

    The following table describes the fields in this screen. Table 113 Configuring UPnP LABEL Active the Universal Plug and Play (UPnP) Feature Allow users to make configuration changes through UPnP Apply Cancel 18.3 Installing UPnP in Windows Example This section shows how to install UPnP in Windows Me and Windows XP. Installing UPnP in Windows Me Follow the steps below to install the UPnP in Windows Me.
  • Page 266: Figure 151 Add/Remove Programs: Windows Setup: Communication

    Figure 151 Add/Remove Programs: Windows Setup: Communication 3 In the Communications window, select the Universal Plug and Play check box in the Components selection box. Figure 152 Add/Remove Programs: Windows Setup: Communication: Components 4 Click OK to go back to the Add/Remove Programs Properties window and click Next. 5 Restart the computer when prompted.
  • Page 267: Figure 153 Network Connections

    Installing UPnP in Windows XP Follow the steps below to install the UPnP in Windows XP. 1 Click Start and Control Panel. 2 Double-click Network Connections. 3 In the Network Connections window, click Advanced in the main menu and select Optional Networking Components ….
  • Page 268: Using Upnp In Windows Xp Example

    5 In the Networking Services window, select the Universal Plug and Play check box. Figure 155 Networking Services 6 Click OK to go back to the Windows Optional Networking Component Wizard window and click Next. 18.4 Using UPnP in Windows XP Example This section shows you how to use the UPnP feature in Windows XP.
  • Page 269: Figure 156 Network Connections

    Figure 156 Network Connections 3 In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created.
  • Page 270: Figure 157 Internet Connection Properties

    Figure 157 Internet Connection Properties 4 You may edit or delete the port mappings or click Add to manually add port mappings.
  • Page 271: Figure 158 Internet Connection Properties: Advanced Settings

    Figure 158 Internet Connection Properties: Advanced Settings Figure 159 Internet Connection Properties: Advanced Settings: Add 5 When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically. 6 Select Show icon in notification area when connected option and click OK. An icon displays in the system tray.
  • Page 272: Figure 160 System Tray Icon

    Figure 160 System Tray Icon 7 Double-click on the icon to display your current Internet connection status. Figure 161 Internet Connection Status Web Configurator Easy Access With UPnP, you can access the web-based configurator on the ZyXEL Device without finding out the IP address of the ZyXEL Device first.
  • Page 273: Figure 162 Network Connections

    Figure 162 Network Connections 4 An icon with the description for each UPnP-enabled device displays under Local Network. 5 Right-click on the icon for your ZyXEL Device and select Invoke. The web configurator login screen displays.
  • Page 274: Figure 163 Network Connections: My Network Places

    Figure 163 Network Connections: My Network Places 6 Right-click on the icon for your ZyXEL Device and select Properties. A properties window displays with basic information about the ZyXEL Device. Figure 164 Network Connections: My Network Places: Properties: Example
  • Page 275: Chapter 19 System

    Use this screen to configure the ZyXEL Device’s time and date settings. 19.1 General Setup 19.1.1 General Setup and System Name General Setup contains administrative and system-related information. System Name is for identification purposes. However, because some ISPs check this name you should enter your computer's "Computer Name".
  • Page 276: Figure 165 System General Setup

    Figure 165 System General Setup The following table describes the labels in this screen. Table 114 System General Setup LABEL DESCRIPTION General Setup System Name Choose a descriptive name for identification purposes. It is recommended you enter your computer’s “Computer name”...
  • Page 277: Time Setting

    Table 114 System General Setup LABEL DESCRIPTION Admin Password In addition to the wizard setup, a user who logs in with the admin password can also view and configure the advanced features on the ZyXEL Device. Old Password Type the default administrator password (1234) or the existing password you use to access the system for configuring advanced features in this field.
  • Page 278: Table 115 System Time Setting

    The following table describes the fields in this screen. Table 115 System Time Setting LABEL DESCRIPTION Current Time and Date Current Time This field displays the time of your ZyXEL Device. Each time you reload this page, the ZyXEL Device synchronizes the time with the time server.
  • Page 279 Table 115 System Time Setting (continued) LABEL DESCRIPTION Start Date Configure the day and time when Daylight Saving Time starts if you selected Enable Daylight Saving. The o'clock field uses the 24 hour format. Here are a couple of examples: Daylight Saving Time starts in most parts of the United States on the first Sunday of April.
  • Page 281: Chapter 20 Logs

    This chapter contains information about configuring general log settings and viewing the ZyXEL Device’s logs. Refer to the appendix for example log message explanations. 20.1 Logs Overview The web configurator allows you to choose which categories of events and/or alerts to have the ZyXEL Device log and then display the logs or have the ZyXEL Device send them to an administrator (as e-mail) or to a syslog server.
  • Page 282: Configuring Log Settings

    The following table describes the fields in this screen. Table 116 View Log LABEL DESCRIPTION Display The categories that you select in the Log Settings screen display in the drop-down list box. Select a category of logs to view; select All Logs to view logs from all of the log categories that you selected in the Log Settings page.
  • Page 283: Figure 168 Log Settings

    Figure 168 Log Settings The following table describes the fields in this screen. Table 117 Log Settings LABEL DESCRIPTION E-mail Log Settings Mail Server Enter the server name or the IP address of the mail server for the e-mail addresses specified below.
  • Page 284 Table 117 Log Settings LABEL DESCRIPTION Enable SMTP Authentication SMTP (Simple Mail Transfer Protocol) is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another. Select the check box to activate SMTP authentication. If mail server authentication is needed but this feature is disabled, you will not receive the e-mail logs.
  • Page 285: Chapter 21 Tools

    This chapter covers uploading new firmware, managing configuration and restarting your ZyXEL Device. 21.1 Firmware Upgrade Find firmware at www.zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example, "ZyXEL Device.bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes.
  • Page 286: Figure 170 Firmware Upload In Progress

    Table 118 Firmware Upgrade (continued) LABEL DESCRIPTION Browse... Click Browse... to find the .bin file you want to upload. Remember that you must decompress compressed (.zip) files before you can upload them. Upload Click Upload to begin the upload process. This process may take up to two minutes.
  • Page 287: Configuration

    Figure 172 Error Message 21.2 Configuration Use this screen to back up or restore the configuration of the ZyXEL Device. You can also use this screen to reset the ZyXEL Device to the factory default settings. To access this screen, click Maintenance >...
  • Page 288: Figure 174 Configuration Upload Successful

    Table 119 Configuration LABEL DESCRIPTION File Path Enter the location of the file you want to upload, or click Browse... to find it. Browse Click this to find the file you want to upload. Upload Click this to restore the selected configuration file. See below for more information about this.
  • Page 289: Restart

    Figure 175 Network Temporarily Disconnected If the ZyXEL Device’s IP address is different in the configuration file you selected, you may need to change the IP address of your computer to be in the same subnet as that of the default management IP address (192.168.5.1).
  • Page 291: Chapter 22 Diagnostic

    These read-only screens display information to help you identify problems with the ZyXEL Device. 22.1 General Diagnostic Click Maintenance > Diagnostic to open the screen shown next. Figure 178 Diagnostic: General The following table describes the fields in this screen. Table 120 Diagnostic: General LABEL DESCRIPTION...
  • Page 292: Dsl Line Diagnostic

    22.2 DSL Line Diagnostic Click Maintenance > Diagnostic > DSL Line to open the screen shown next. Figure 179 Diagnostic: DSL Line The following table describes the fields in this screen. Table 121 Diagnostic: DSL Line LABEL ATM Status Click this button to view ATM status.
  • Page 293: Chapter 23 Troubleshooting

    This chapter covers potential problems and the corresponding remedies. 23.1 Problems Starting Up the ZyXEL Device Table 122 Troubleshooting Starting Up Your ZyXEL Device PROBLEM CORRECTIVE ACTION None of the LEDs turn on Make sure that the ZyXEL Device’s power adaptor is connected to the ZyXEL Device and plugged in to an appropriate power source.
  • Page 294: Problems With The Wan

    23.3 Problems with the WAN Table 124 Troubleshooting the WAN PROBLEM CORRECTIVE ACTION The DSL LED is off. Check the telephone wire and connections between the ZyXEL Device DSL port and the wall jack. Make sure that the telephone company has checked your phone line and set it up for DSL service.
  • Page 295: Problems Accessing The Zyxel Device

    23.4 Problems Accessing the ZyXEL Device Table 125 Troubleshooting Accessing the ZyXEL Device PROBLEM CORRECTIVE ACTION I cannot access the ZyXEL Device. The default user password is “user” and admin password is “1234”. The Password field is case-sensitive. Make sure that you enter the correct password using the proper...
  • Page 297: Appendix A Product Specifications

    See also the Introduction chapter for a general overview of the key features. Specification Tables Table 126 Device Default IP Address Default Subnet Mask Default Password DHCP Pool Dimensions (W x D x H) Power Specification Built-in Switch Operation Temperature Storage Temperature Operation Humidity Storage Humidity...
  • Page 298: Table 127 Firmware

    Table 127 Firmware ADSL Standards Other Protocol Support Management Wireless Multi-Mode standard (ANSI T1.413,Issue 2; G.dmt(G.992.1); G.lite(G992.2)). ADSL2 G.dmt.bis (G.992.3) ADSL2 G.lite.bis (G.992.4) ADSL2+ (G.992.5) Reach-Extended ADSL (RE ADSL) SRA (Seamless Rate Adaptation) Auto-negotiating rate adaptation ADSL physical connection ATM AAL5 (ATM Adaptation Layer type 5) Multi-protocol over AAL5 (RFC2684/1483) PPP over ATM AAL5 (RFC 2364)
  • Page 299 Table 127 Firmware (continued) Firewall NAT/SUA Content Filtering Static Routes Other Features Stateful Packet Inspection. Prevent Denial of Service attacks such as Ping of Death, SYN Flood, LAND, Smurf etc. Real time E-mail alerts. Reports and logs. Port Forwarding 1024 NAT sessions Multimedia application PPTP under NAT/SUA...
  • Page 301: Appendix B About Adsl

    Introduction to DSL DSL (Digital Subscriber Line) technology enhances the data capacity of the existing twisted-pair wire that runs between the local telephone company switching offices and most homes and offices. While the wire itself can handle higher frequencies, the telephone switching equipment is designed to cut off signals above 4,000 Hz to filter noise off the voice line, but now everybody is searching for ways to get more bandwidth to improve access to the Web - hence DSL technologies.
  • Page 302 cable modems, transmission speeds drop significantly as more users go on-line because the line is shared. 3 ADSL can be "always on" (connected). This means that there is no time wasted dialing up the service several times a day and waiting to be connected; ADSL is on standby, ready for use whenever you need it.
  • Page 303: Wall-Mounting Instructions

    Do the following to hang your ZyXEL Device on a wall. Note: See the product specifications appendix for the size of screws to use and how far apart to place them. 1 Locate a high position on wall that is free of obstructions. Use a sturdy wall. 2 Drill two holes for the screws.
  • Page 305: Setting Up Your Computer's Ip Address

    Setting up Your Computer’s IP Address All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer.
  • Page 306: Figure 181 Windows 95/98/Me: Network: Configuration

    Figure 181 Windows 95/98/Me: Network: Configuration Installing Components The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the adapter: 1 In the Network window, click Add. 2 Select Adapter and then click Add.
  • Page 307: Figure 182 Windows 95/98/Me: Tcp/Ip Properties: Ip Address

    3 Select Microsoft from the list of manufacturers. 4 Select Client for Microsoft Networks from the list of network clients and then click 5 Restart your computer so the changes you made take effect. Configuring 1 In the Network window Configuration tab, select your network adapter's TCP/IP entry and click Properties 2 Click the IP Address tab.
  • Page 308: Figure 183 Windows 95/98/Me: Tcp/Ip Properties: Dns Configuration

    Figure 183 Windows 95/98/Me: TCP/IP Properties: DNS Configuration 4 Click the Gateway tab. • If you do not know your gateway’s IP address, remove previously installed gateways. • If you have a gateway IP address, type it in the New gateway field and click Add. 5 Click OK to save and close the TCP/IP Properties window.
  • Page 309: Figure 184 Windows Xp: Start Menu

    Figure 184 Windows XP: Start Menu 2 In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT). Figure 185 Windows XP: Control Panel 3 Right-click Local Area Connection and then click Properties.
  • Page 310: Figure 186 Windows Xp: Control Panel: Network Connections: Properties

    Figure 186 Windows XP: Control Panel: Network Connections: Properties 4 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and then click Properties. Figure 187 Windows XP: Local Area Connection Properties 5 The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP).
  • Page 311: Figure 188 Windows Xp: Internet Protocol (Tcp/Ip) Properties

    • Click Advanced. Figure 188 Windows XP: Internet Protocol (TCP/IP) Properties 6 If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK. Do one or more of the following if you want to configure additional IP addresses: •...
  • Page 312: Figure 189 Windows Xp: Advanced Tcp/Ip Properties

    Figure 189 Windows XP: Advanced TCP/IP Properties 7 In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP): • Click Obtain DNS server address automatically if you do not know your DNS server IP address(es). • If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields.
  • Page 313: Macintosh Os X

    Figure 190 Windows XP: Internet Protocol (TCP/IP) Properties 8 Click OK to close the Internet Protocol (TCP/IP) Properties window. 9 Click Close (OK in Windows 2000/NT) to close the Local Area Connection Properties window. 10 Close the Network Connections window (Network and Dial-up Connections in Windows 2000/NT).
  • Page 314: Figure 191 Macintosh Os X: Apple Menu

    Figure 191 Macintosh OS X: Apple Menu 2 Click Network in the icon bar. • Select Automatic from the Location list. • Select Built-in Ethernet from the Show list. • Click the TCP/IP tab. 3 For dynamically assigned settings, select Using DHCP from the Configure list. Figure 192 Macintosh OS X: Network 4 For statically assigned settings, do the following: •...
  • Page 315: Linux

    6 Restart your computer (if prompted). Verifying Settings Check your TCP/IP properties in the Network window. Linux This section shows you how to configure your computer’s TCP/IP settings in Red Hat Linux 9.0. Procedure, screens and file location may vary depending on your Linux distribution and release version.
  • Page 316: Figure 194 Red Hat 9.0: Kde: Ethernet Device: General

    Figure 194 Red Hat 9.0: KDE: Ethernet Device: General • If you have a dynamic IP address, click Automatically obtain IP address settings with and select dhcp from the drop down list. • If you have a static IP address, click Statically set IP Addresses and fill in the Address, Subnet mask, and Default Gateway Address fields.
  • Page 317: Figure 196 Red Hat 9.0: Kde: Network Configuration: Activate

    Figure 196 Red Hat 9.0: KDE: Network Configuration: Activate 7 After the network card restart process is complete, make sure the Status is Active in the Network Configuration screen. Using Configuration Files Follow the steps below to edit the network configuration files and set your computer IP address.
  • Page 318: Figure 198 Red Hat 9.0: Static Ip Address Setting In Ifconfig-Eth0

    Figure 198 Red Hat 9.0: Static IP Address Setting in ifconfig-eth0 DEVICE=eth0 ONBOOT=yes BOOTPROTO=static IPADDR=192.168.1.10 NETMASK=255.255.255.0 USERCTL=no PEERDNS=yes TYPE=Ethernet 2 If you know your DNS server IP address(es), enter the DNS server information in the file in the resolv.conf two DNS server IP addresses are specified. Figure 199 Red Hat 9.0: DNS Settings in resolv.conf nameserver 172.23.5.1 nameserver 172.23.5.2...
  • Page 319: Appendix Eip Subnetting

    IP Addressing Routers “route” based on the network number. The router that delivers the data packet to the correct destination host uses the host ID. IP Classes An IP address is made up of four octets (eight bits), written in dotted decimal notation, for example, 192.168.1.1.
  • Page 320: Subnet Masks

    Since the first octet of a class “A” IP address must contain a “0”, the first octet of a class “A” address can have a value of 0 to 127. Similarly the first octet of a class “B” must begin with “10”, therefore the first octet of a class “B”...
  • Page 321: Example: Two Subnets

    Since the mask is always a continuous number of ones beginning from the left, followed by a continuous number of zeros for the remainder of the 32 bit mask, you can simply specify the number of ones instead of writing the value of each octet. This is usually specified by writing a “/”...
  • Page 322: Table 133 Subnet 1

    Note: In the following charts, shaded/bolded last octet bit values indicate host ID bits “borrowed” to form network ID bits. The number of “borrowed” host ID bits determines the number of subnets you can have. The remaining number of host ID bits (after “borrowing”) determines the number of hosts you can have on each subnet.
  • Page 323: Example: Four Subnets

    Example: Four Subnets The above example illustrated using a 25-bit subnet mask to divide a class “C” address space into two subnets. Similarly to divide a class “C” address into four subnets, you need to “borrow” two host ID bits to give four possible combinations of 00, 01, 10 and 11. The subnet mask is 26 bits (11111111.11111111.11111111.11000000) or 255.255.255.192.
  • Page 324: Example Eight Subnets

    Table 138 Subnet 4 IP/SUBNET MASK IP Address IP Address (Binary) Subnet Mask (Binary) Subnet Address: 192.168.1.192 Broadcast Address: 192.168.1.255 Example Eight Subnets Similarly use a 27-bit mask to create 8 subnets (001, 010, 011, 100, 101, 110). The following table shows class C IP address last octet values for each subnet.
  • Page 325: Subnetting With Class A And Class B Networks

    Subnetting With Class A and Class B Networks. For class “A” and class “B” addresses the subnet mask also determines which bits are part of the network number and which are part of the host ID. A class “B” address has two host ID octets available for subnetting and a class “A” address has three host ID octets (see The following table is a summary for class “B”...
  • Page 327: Command Interpreter

    The following describes how to use the command interpreter. You can use telnet to access the CLI (Command Line Interface) commands. See the included disk or zyxel.com for more detailed information on these commands. Note: Use of undocumented commands or misconfiguration can damage the unit and possibly render it unusable.
  • Page 329: Appendix G Firewall Commands

    The following describes the firewall commands. Table 142 Firewall Commands FUNCTION COMMAND Firewall SetUp config edit firewall active <yes | no> config retrieve firewall config save firewall Display config display firewall config display firewall set <set #> config display firewall set <set #>...
  • Page 330 Table 142 Firewall Commands (continued) FUNCTION COMMAND config edit firewall e-mail return-addr <e-mail address> config edit firewall e-mail email-to <e-mail address> config edit firewall e-mail policy <full | hourly | daily | weekly> config edit firewall e-mail day <sunday | monday | tuesday | wednesday | thursday | friday | saturday>...
  • Page 331 Table 142 Firewall Commands (continued) FUNCTION COMMAND config edit firewall attack minute-low <0-255> config edit firewall attack max-incomplete-high <0-255> config edit firewall attack max-incomplete-low <0-255> config edit firewall attack tcp-max-incomplete <0-255> Sets config edit firewall set <set #> name <desired name> Config edit firewall set <set #>...
  • Page 332 Table 142 Firewall Commands (continued) FUNCTION COMMAND Config edit firewall set <set #> log <yes | no> Rules Config edit firewall set <set #> rule <rule #> permit <forward | block> Config edit firewall set <set #>...
  • Page 333 Table 142 Firewall Commands (continued) FUNCTION COMMAND config edit firewall set <set #> rule <rule #> destaddr- subnet <ip address> <subnet mask> config edit firewall set <set #> rule <rule #> destaddr- range <start ip address> <end ip address> config edit firewall set <set #>...
  • Page 335: Netbios Filter Commands

    The following describes the NetBIOS packet filter commands. Introduction NetBIOS (Network Basic Input/Output System) are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN. For some dial-up services such as PPPoE or PPTP, NetBIOS packets cause unwanted calls. You can configure NetBIOS filters to do the following: •...
  • Page 336: Netbios Filter Configuration

    The filter types and their default settings are as follows. Table 143 NetBIOS Filter Default Settings NAME DESCRIPTION Between LAN and WAN This field displays whether NetBIOS packets are blocked or forwarded between the LAN and the WAN. IPSec Packets This field displays whether NetBIOS packets sent through a VPN connection are blocked or forwarded.
  • Page 337: Appendix Ipppoe

    PPPoE in Action An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your computer to an ATM PVC (Permanent Virtual Circuit) which connects to a DSL Access Concentrator where the PPP session terminates (see support any number of PPP sessions from your LAN.
  • Page 338: How Pppoe Works

    Figure 202 Single-Computer per Router Hardware Configuration How PPPoE Works The PPPoE driver makes the Ethernet appear as a serial link to the computer and the computer runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC).
  • Page 339: Appendix J Log Descriptions

    This appendix provides descriptions of example log messages. Table 144 System Maintenance Logs LOG MESSAGE Time calibration is successful Time calibration failed WAN interface gets IP:%s DHCP client IP expired DHCP server assigns%s Successful WEB login WEB login failed Successful TELNET login TELNET login failed Successful FTP login FTP login failed...
  • Page 340: Table 145 System Error Logs

    Table 144 System Maintenance Logs (continued) LOG MESSAGE Successful HTTPS login HTTPS login failed Table 145 System Error Logs LOG MESSAGE %s exceeds the max. number of session per host! setNetBIOSFilter: calloc error readNetBIOSFilter: calloc error WAN connection is down.
  • Page 341: Table 147 Tcp Reset Logs

    Table 147 TCP Reset Logs LOG MESSAGE Under SYN flood attack, sent TCP RST Exceed TCP MAX incomplete, sent TCP RST Peer TCP state out of order, sent TCP RST Firewall session time out, sent TCP RST Exceed MAX incomplete, sent TCP RST Access block, sent TCP Table 148 Packet Filter Logs...
  • Page 342: Table 149 Icmp Logs

    Table 149 ICMP Logs LOG MESSAGE Firewall default policy: ICMP <Packet Direction>, <type:%d>, <code:%d> Firewall rule [NOT] match: ICMP <Packet Direction>, <rule:%d>, <type:%d>, <code:%d> Triangle route packet forwarded: ICMP Packet without a NAT table entry blocked: ICMP Unsupported/out-of-order ICMP: ICMP Router reply ICMP packet: ICMP...
  • Page 343: Table 152 Upnp Logs

    Table 151 PPP Logs (continued) LOG MESSAGE ppp:LCP Closing ppp:IPCP Closing Table 152 UPnP Logs LOG MESSAGE UPnP pass through Firewall Table 153 Content Filtering Logs LOG MESSAGE %s: Keyword blocking %s: Not in trusted web list %s: Forbidden Web site The web site is in the forbidden web site list. %s: Contains ActiveX %s: Contains Java applet...
  • Page 344: Table 154 Attack Logs

    Table 153 Content Filtering Logs (continued) LOG MESSAGE Connecting to content filter server fail License key is invalid The external content filtering license key is invalid. Table 154 Attack Logs LOG MESSAGE attack [TCP | UDP | IGMP | ESP | GRE | OSPF] attack ICMP (type:%d, code:%d)
  • Page 345: Table 155 Ipsec Logs

    Table 155 IPSec Logs LOG MESSAGE Discard REPLAY packet Inbound packet authentication failed Receive IPSec packet, but no corresponding tunnel exists Rule <%d> idle time out, disconnect WAN IP changed to <IP> Table 156 IKE Logs LOG MESSAGE Active connection allowed exceeded Start Phase 2: Quick Mode Verifying Remote ID failed:...
  • Page 346 Table 156 IKE Logs (continued) LOG MESSAGE Cannot resolve Secure Gateway Addr for rule <%d> Peer ID: <peer id> <My remote type> -<My local type> vs. My Remote <My remote> - <My remote> vs. My Local <My local>-<My local>...
  • Page 347 Table 156 IKE Logs (continued) LOG MESSAGE XAUTH fail! Username: <Username> Rule[%d] Phase 1 negotiation mode mismatch Rule [%d] Phase 1 encryption algorithm mismatch Rule [%d] Phase 1 authentication algorithm mismatch Rule [%d] Phase 1 authentication method mismatch Rule [%d] Phase 1 key group mismatch Rule [%d] Phase 2 protocol mismatch...
  • Page 348: Table 157 Pki Logs

    Table 156 IKE Logs (continued) LOG MESSAGE Rule [%d] phase 2 mismatch Rule [%d] Phase 2 key length mismatch Table 157 PKI Logs LOG MESSAGE Enrollment successful Enrollment failed Failed to resolve <SCEP CA server url> Enrollment successful Enrollment failed Failed to resolve <CMP...
  • Page 349: Table 158 Certificate Path Verification Failure Reason Codes

    Table 157 PKI Logs (continued) LOG MESSAGE Rcvd data <size> too large! Max size allowed: <max size> Cert trusted: <subject name> Due to <reason codes>, cert not trusted: <subject name> Table 158 Certificate Path Verification Failure Reason Codes CODE DESCRIPTION Algorithm mismatch between the certificate and the search constraints.
  • Page 350: Table 159 802.1X Logs

    Table 158 Certificate Path Verification Failure Reason Codes (continued)
    CODE DESCRIPTION
    Database method failed.
    Path was not verified.
    Maximum path length reached.
    Table 159 802.1X Logs
    LOG MESSAGE
    Local User Database accepts user.
    Local User Database reports user credential error.
  • Page 351: Table 160 Acl Setting Notes

    Table 160 ACL Setting Notes
    PACKET DIRECTION | DIRECTION | DESCRIPTION
    (L to W) | LAN to WAN | ACL set for packets traveling from the LAN to the WAN.
    (W to L) | WAN to LAN | ACL set for packets traveling from the WAN to the LAN.
    (L to L)
    (W to W)
    Table 161 ICMP Notes
    TYPE | CODE
  • Page 352: Table 162 Syslog Logs

    Table 161 ICMP Notes (continued)
    TYPE | CODE
    Table 162 Syslog Logs
    LOG MESSAGE
    <Facility*8 + Severity>Mon dd hr:mm:ss hostname src="<srcIP:srcPort>" dst="<dstIP:dstPort>" msg="<msg>" note="<note>" devID="<mac address last three numbers>" cat="<category>
    The following table shows RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type.
  • Page 353: Log Commands

    Log Commands
    Go to the command interpreter interface.
    Configuring What You Want the ZyXEL Device to Log
    1 Use the sys logs load command to load the log setting buffer that allows you to configure which logs the ZyXEL Device is to record.
    2 Use sys logs category to view a list of the log categories.
  • Page 354: Log Command Example

    • Use the sys logs clear command to erase all of the ZyXEL Device’s logs.
    Log Command Example
    This example shows how to set the ZyXEL Device to record the access logs and alerts and then view the results.
    ras>...
  • Page 355: Wireless Lans (Wireless Devices Only)

    Wireless LANs (wireless devices only)
    Wireless LAN Topologies
    This section discusses ad-hoc and infrastructure wireless LAN topologies.
    Ad-hoc Wireless LAN Configuration
    The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless adapters (A, B, C). Any time two or more wireless adapters are within range of each other, they can set up an independent network, which is commonly referred to as an Ad-hoc network or Independent Basic Service Set (IBSS).
  • Page 356: Figure 207 Basic Service Set

    Figure 207 Basic Service Set
    An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS). This type of wireless LAN topology is called an Infrastructure WLAN.
  • Page 357: Channel

    Figure 208 Infrastructure WLAN
    Channel
    A channel is the radio frequency(ies) used by IEEE 802.11a/b/g wireless devices. Channels available depend on your geographical area. You may have a choice of channels (for your region) so you should use a different channel than an adjacent AP (access point) to reduce interference.
  • Page 358: Fragmentation Threshold

    Figure 209 RTS/CTS
    When station A sends data to the AP, it might not know that station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations.
  • Page 359: Preamble Type

    A large Fragmentation Threshold is recommended for networks not prone to interference, while you should set a smaller threshold for busy networks or networks that are prone to interference. If the Fragmentation Threshold value is smaller than the RTS/CTS value you set (see previously), then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur, as data frames will be fragmented before they reach RTS/CTS size.
  • Page 360: Wireless Security Overview

    Wireless Security Overview
    Wireless security is vital to your network to protect wireless communication between wireless clients, access points and the wired network. Wireless security methods available on the ZyXEL Device are data encryption, wireless client authentication, restricting access by device MAC address and hiding the ZyXEL Device identity.
  • Page 361: Radius

    RADIUS
    RADIUS is based on a client-server model that supports authentication, authorization and accounting. The access point is the client and the server is the RADIUS server. The RADIUS server handles the following tasks:
    • Authentication: Determines the identity of the users.
    •...
  • Page 362: Types Of Authentication

    In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password they both know. The key is not sent over the network. In addition to the shared key, password information exchanged is also encrypted to protect the network from unauthorized access.
  • Page 363: Dynamic Wep Key Exchange

    PEAP (Protected EAP)
    Like EAP-TTLS, PEAP uses server-side certificate authentication to establish a secure connection, then uses simple username and password methods through the secured connection to authenticate the clients, thus hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication.
  • Page 364: Wpa And Wpa2

    WPA and WPA2
    Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA. Key differences between WPA or WPA2 and WEP are improved data encryption and user authentication.
  • Page 365: Wpa With Radius Application Example

    By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism (MIC), TKIP and AES make it more difficult to decrypt data on a Wi-Fi network than with WEP, and make it difficult for an intruder to break into the network. The encryption mechanisms used for WPA(2) and WPA(2)-PSK are the same.
  • Page 366: Figure 210 Wpa(2) With Radius Application Example

    3 The RADIUS server distributes a Pairwise Master Key (PMK) to the AP that then sets up a key hierarchy and management system, using the pair-wise key to dynamically generate unique data encryption keys to encrypt every data packet that is wirelessly communicated between the AP and the wireless clients.
  • Page 367: Security Parameters Summary

    Figure 211 WPA(2)-PSK Authentication
    Security Parameters Summary
    Refer to this table to see what other security parameters you should configure for each Authentication Method/key management protocol type. MAC address filters are not dependent on how you configure these security features.
    Table 167 Wireless Security Relational Matrix
    AUTHENTICATION METHOD/ KEY...
  • Page 369: Pop-Up Windows, Javascripts And Java Permissions

    Pop-up Windows, JavaScripts and Java
    In order to use the web configurator you need to allow:
    • Web browser pop-up windows from your device.
    • JavaScripts (enabled by default).
    • Java permissions (enabled by default).
    Note: Internet Explorer 6 screens are used here. Screens for other Internet Explorer versions may vary.
  • Page 370: Figure 213 Internet Options

    Figure 213 Internet Options
    3 Click Apply to save this setting.
    Enable pop-up Blockers with Exceptions
    Alternatively, if you only want to allow pop-up windows from your device, see the following steps.
    1 In Internet Explorer, select Tools, Internet Options and then the Privacy tab.
    2 Select Settings… to open the Pop-up Blocker Settings screen.
  • Page 371: Figure 214 Internet Options

    Figure 214 Internet Options
    3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix “http://”. For example, http://192.168.1.1.
    4 Click Add to move the IP address to the list of Allowed sites.
  • Page 372: Figure 215 Pop-Up Blocker Settings

    Figure 215 Pop-up Blocker Settings
    5 Click Close to return to the Privacy screen.
    6 Click Apply to save this setting.
    JavaScripts
    If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed.
  • Page 373: Figure 216 Internet Options

    Figure 216 Internet Options
    2 Click the Custom Level... button.
    3 Scroll down to Scripting.
    4 Under Active scripting make sure that Enable is selected (the default).
    5 Under Scripting of Java applets make sure that Enable is selected (the default).
    6 Click OK to close the window.
  • Page 374: Java Permissions

    Figure 217 Security Settings - Java Scripting
    Java Permissions
    1 From Internet Explorer, click Tools, Internet Options and then the Security tab.
    2 Click the Custom Level... button.
    3 Scroll down to Microsoft VM.
    4 Under Java permissions make sure that a safety level is selected.
    5 Click OK to close the window.
  • Page 375: Figure 218 Security Settings - Java

    Figure 218 Security Settings - Java
    JAVA (Sun)
    1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab.
    2 Make sure that Use Java 2 for <applet> under Java (Sun) is selected.
    3 Click OK to close the window.
  • Page 376: Figure 219 Java (Sun)

    Figure 219 Java (Sun)
  • Page 377: Index

    Numerics 110V AC 230V AC Abnormal Working Conditions Accessories Acts of God Address Assignment Address Resolution Protocol (ARP) ADSL standards Advanced Encryption Standard AH Protocol Airflow Alternative Subnet Mask Notation Antenna gain Any IP 36, 99 How it works note Any IP Setup AP (access point) Application-level Firewalls...
  • Page 378 Correcting Interference Corrosive Liquids Covers CTS (Clear to Send) Custom Ports Creating/Editing Customer Support Customized Services Customized services Dampness Danger Data Confidentiality Data Integrity Data Origin Authentication Dealer default LAN IP address Defective Denial of Service 146, 147, 176 Denmark, Contact Information Destination Address...
  • Page 379 Alerts Anti-Probing Creating/Editing Rules Custom Ports Enabling Firewall Vs Filters Guidelines For Enhancing Security Introduction LAN to WAN Rules Policies Rule Checklist Rule Logic Rule Security Ramifications Services Types When To Use firmware upgrade upload upload error Fitness Fragmentation Threshold Fragmentation threshold France, Contact Information 137, 138, 251, 254...
  • Page 380 Keep Alive Key Fields For Configuring Rules Labor LAN Setup 77, 95 LAN TCP/IP LAN to WAN Rules LAND 148, 149 Legal Rights Liability License Lightning Liquids, Corrosive Logs MAC Address Filter Action MAC Address Filtering MAC Filter Management Information Base (MIB) Materials...
  • Page 381 Permission Photocopying Ping of Death Pipes Point to Point Protocol over ATM Adaptation Layer 5 (AAL5) Point-to-Point Point-to-Point Tunneling Protocol Pool POP3 138, 147, 148 Postage Prepaid. Power Cord PPPoE 77, 337 Benefits PPPoE (Point-to-Point Protocol over Ethernet) PPTP Preamble Mode Pre-Shared Key Priorities 126, 240...
  • Page 382 Safety Warnings Saving the State Scheduler Secure Gateway Address Security Association Security In General Security Parameter Index Security Parameters Security Ramifications Separation Between Equipment and Receiver Serial Number Server 135, 136, 278 Service 6, 7, 159 Service Personnel Service Set Service Type...
  • Page 383 Worldwide Contact Information WPA2 WPA2-Pre-Shared Key WPA2-PSK WPA-PSK Written Permission Zero Configuration Internet Access Zero configuration Internet access ZyNOS ZyXEL Communications Corporation ZyXEL Home Page ZyXEL Limited Warranty Note ZyXEL Network Operating System ZyXEL’s Firewall Introduction...

This manual is also suitable for:

P-661h series, Prestige 661hw
