ZyXEL Communications ZyXEL Prestige 792H User Manual

G.shdsl router with four-port switch

Prestige 792H
G.SHDSL Router with four-port switch
User's Guide
Version 3.40
June 2004


Summary of Contents for ZyXEL Communications ZyXEL Prestige 792H

  • Page 1 Prestige 792H G.SHDSL Router with four-port switch User's Guide Version 3.40 June 2004...
  • Page 3 Trademarks ZyNOS (ZyXEL Network Operating System) is a registered trademark of ZyXEL Communications, Inc. Other trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners.
  • Page 5: Federal Communications Commission

    Federal Communications Commission This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: • This device may not cause harmful interference. • This device must accept any interference received, including interference that may cause undesired operations.
  • Page 7: Information For Canadian Users

    Prestige 792H G.SHDSL Router Information for Canadian Users The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective, operation, and safety requirements. The Industry Canada does not guarantee that the equipment will operate to a user's satisfaction. Before installing this equipment, users should ensure that it is permissible to be connected to the facilities of the local telecommunications company.
  • Page 9: Zyxel Limited Warranty

    Prestige 792H G.SHDSL Router ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or...
  • Page 11: Customer Support

    +45-3955-0700 www.zyxel.dk +45-3955-0707 ftp.zyxel.dk +49-2405-6909-0 www.zyxel.de +49-2405-6909-99 REGULAR MAIL ZyXEL Communications Corp., 6 Innovation Road II, Science-Based Industrial Park, Hsinchu 300, Taiwan. ZyXEL Communications Inc., 1650 Miraloma Avenue, Placentia, CA 92870, U.S.A. ZyXEL Communications A/S, Columbusvej 5, 2860 Soeborg, Denmark.
  • Page 13: Table Of Contents

    Copyright ...ii Federal Communications Commission (FCC) Interference Statement ...iii Information for Canadian Users...iv ZyXEL Limited Warranty...v Customer Support...vi List of Figures...xvii List of Tables...xxvi Preface...xxxi Introduction to DSL...xxxiii Chapter 1 Getting to Know Your G.SHDSL Router...1-1 Features of the Prestige ...1-1 Application Scenarios for the Prestige ...1-4 1.2.1 Internet Access ...1-4 1.2.2 LAN-to-LAN Application...1-5...
  • Page 14 IP Address and Subnet Mask ...3-6 IP Address Assignment...3-7 3.8.1 IP Assignment with PPPoA or PPPoE Encapsulation ...3-7 3.8.2 IP Assignment with RFC 1483 Encapsulation...3-8 3.8.3 IP Assignment with ENET ENCAP Encapsulation ...3-8 3.8.4 Private IP Addresses ...3-8 Nailed-Up Connection (PPP) ...3-9 3.10 NAT ...3-9 3.11 Wizard Setup Configuration: ISP Parameters...3-9 3.11.1 PPPoA...3-9...
  • Page 15 5.12 Response Strings ...5-18 5.13 Configuring Advanced Modem Setup...5-18 Chapter 6 Network Address Translation (NAT)...6-1 NAT Overview...6-1 6.1.1 NAT Definitions...6-1 6.1.2 What NAT Does...6-1 6.1.3 How NAT Works ...6-2 6.1.4 NAT Application...6-2 6.1.5 NAT Mapping Types ...6-3 SUA (Single User Account) Versus NAT...6-4 SUA Server ...6-5 6.3.1 Port Forwarding: Services and Port Numbers ...6-5 6.3.2 Configuring Servers Behind SUA (Example) ...6-6...
  • Page 16 8.7.2 Firewall ...8-13 Chapter 9 Firewall Configuration ...9-1 Remote Management and the Firewall ...9-1 Enabling the Firewall...9-1 Configuring E-mail Alerts ...9-2 Attack Alert...9-3 9.4.1 Alerts...9-4 9.4.2 Threshold Values ...9-4 9.4.3 Half-Open Sessions...9-4 Chapter 10 Creating Custom Rules ...10-1 10.1 Rules Overview...10-1 10.2 Rule Logic Overview...10-1 10.2.1 Rule Checklist...10-1 10.2.2 Security Ramifications...10-2...
  • Page 17 13.2 IPSec Architecture ...13-3 13.2.1 IPSec Algorithms ...13-4 13.2.2 Key Management ...13-4 13.3 Encapsulation ...13-5 13.3.1 Transport Mode...13-5 13.3.2 Tunnel Mode ...13-5 13.4 IPSec and NAT ...13-5 Chapter 14 VPN Screens ...14-1 14.1 VPN/IPSec Overview...14-1 14.2 IPSec Algorithms ...14-1 14.2.1 AH (Authentication Header) Protocol...14-1 14.2.2 ESP (Encapsulating Security Payload) Protocol ...14-1 14.3 My IP Address...14-2 14.4 Secure Gateway Address...14-2...
  • Page 18 15.2 Telnet ...15-2 15.3 FTP ...15-2 15.4 Web...15-2 15.5 Configuring Remote Management...15-3 Chapter 16 Universal Plug-and-Play (UPnP) ...16-1 16.1 Universal Plug and Play Overview ...16-1 16.1.1 How do I know if I'm using UPnP? ...16-1 16.1.2 NAT Transversal...16-1 16.1.3 Cautions with UPnP...16-1 16.1.4 UPnP and ZyXEL ...16-2 16.2 Accessing the Prestige Web Configurator to Configure UPnP...16-2 16.2.1 Configuring UPnP...16-2...
  • Page 19 21.1.1 Configuring Dial Backup in Menu 2...21-1 21.1.2 Advanced WAN Setup ...21-2 21.2 Remote Node Profile (Backup ISP) ...21-4 21.2.1 Editing PPP Options...21-7 21.2.2 Editing TCP/IP Options ...21-7 21.2.3 Editing Filter Sets...21-9 Chapter 22 LAN Setup ...22-1 22.1 Ethernet Setup ...22-1 22.1.1 LAN Port Filter Setup ...22-1 22.1.2 IP Alias Setup...22-2 22.1.3 Route IP Setup...22-3...
  • Page 20 27.4.3 Example 3: Multiple Public IP Addresses With Inside Servers ...27-14 27.4.4 Example 4: NAT Unfriendly Application Programs...27-18 Chapter 28 Filter Configuration...28-1 28.1 About Filtering...28-1 28.2 Filter Set Configuration ...28-4 28.2.1 Filter Rules Summary Menus ...28-8 28.3 Filter Rule Configuration...28-9 28.3.1 TCP/IP Filter Rule ...28-10 28.3.2 Generic Filter Rule...28-14 28.4 Filter Types and NAT ...28-16...
  • Page 21 31.3 Restore Configuration ...31-7 31.3.1 Restore Using FTP ...31-8 31.3.2 Restore Using FTP Session Example...31-9 31.3.3 Restore Via Console Port ...31-9 31.4 Uploading Firmware and Configuration Files...31-10 31.4.1 Firmware File Upload ...31-10 31.4.2 Configuration File Upload ...31-11 31.4.3 FTP File Upload Command from the DOS Prompt Example ...31-12 31.4.4 FTP Session Example of Firmware File Upload...31-12 31.4.5 TFTP File Upload ...31-12 31.4.6 TFTP Upload Command Example ...31-13...
  • Page 22 35.3 Remote Management and NAT ...35-3 35.4 System Timeout ...35-3 Chapter 36 VPN/IPSec Setup...36-1 36.1 VPN/IPSec Overview ...36-1 36.2 IPSec Summary Screen...36-2 36.3 IPSec Setup ...36-5 36.4 IKE Setup...36-11 36.5 Manual Setup ...36-13 36.5.1 Active Protocol ...36-13 36.5.2 Security Parameter Index (SPI)...36-13 Chapter 37 SA Monitor ...37-1 37.1 SA Monitor Overview...37-1 37.2 Using SA Monitor...37-1...
  • Page 23: List Of Figures

    Prestige 792H G.SHDSL Router List of Figures Figure 1-1 Internet Access Application... 1-5 Figure 1-2 LAN-to-LAN Application ... 1-5 Figure 2-1 Password Screen... 2-2 Figure 2-2 Web Configurator SITE MAP Screen... 2-3 Figure 2-3 Password... 2-4 Figure 2-4 Example Xmodem Upload ... 2-5 Figure 3-1 Wizard Screen: WAN Setup ...
  • Page 24 Prestige 792H G.SHDSL Router Figure 6-3 Multiple Servers Behind NAT Example...6-7 Figure 6-4 NAT Mode...6-7 Figure 6-5 Edit SUA/NAT Server Set...6-9 Figure 6-6 Address Mapping Rules ...6-11 Figure 6-7 Address Mapping Rule Edit ...6-12 Figure 7-1 DDNS...7-2 Figure 8-1 Prestige Firewall Application ...8-3 Figure 8-2 Three-Way Handshake ...8-5 Figure 8-3 SYN Flood ...8-5 Figure 8-4 Smurf Attack ...8-6...
  • Page 25 Prestige 792H G.SHDSL Router Figure 11-7 Rule Summary Example...11-6 Figure 12-1 Content Filter: Keyword... 12-2 Figure 12-2 Content Filter: Schedule ... 12-3 Figure 12-3 Content Filter: Trusted... 12-4 Figure 12-4 Content Filter Logs... 12-5 Figure 13-1 Encryption and Decryption... 13-2 Figure 13-2 VPN Application ...
  • Page 26 Prestige 792H G.SHDSL Router Figure 17-5 Diagnostic General...17-8 Figure 17-6 Diagnostic DSL Line...17-9 Figure 17-7 Firmware Upgrade ...17-10 Figure 17-8 Network Temporarily Disconnected...17-11 Figure 17-9 Error Message ...17-11 Figure 18-1 Login Screen ...19-2 Figure 18-2 Prestige Menu Overview...19-3 Figure 18-3 SMT Main Menu...19-5 Figure 18-4 Menu 23 System Password ...19-6 Figure 19-1 Menu 1 General Setup...19-2 Figure 19-2 Menu 1.1 Configure Dynamic DNS...19-3...
  • Page 27 Prestige 792H G.SHDSL Router Figure 24-2 Remote Node Profile ... 24-3 Figure 24-3 Remote Node Network Layer Options ... 24-6 Figure 24-4 Sample IP Addresses for a TCP/IP LAN-to-LAN Connection ... 24-8 Figure 24-5 Remote Node Filter (PPPoA or PPPoE Encapsulation)... 24-8 Figure 24-6 Remote Node Filter (RFC1483 or ENET ENCAP Encapsulation) ...
  • Page 28 Prestige 792H G.SHDSL Router Figure 27-14 NAT Example 2 - Menu 15.2.1 ...27-14 Figure 27-15 NAT Example 3...27-15 Figure 27-16 Example 3 - Menu 11.3 ...27-15 Figure 27-17 Example 3 - Menu 15.1.1.1 ...27-16 Figure 27-18 Example 3 - Final Menu 15.1.1...27-16 Figure 27-19 Example 3- Menu 15.2...27-18 Figure 27-20 NAT Example 4...27-18 Figure 27-21 Example 4 - Menu 15.1.1.1 ...27-19...
  • Page 29 Prestige 792H G.SHDSL Router Figure 28-19 Filtering Ethernet Traffic ... 28-21 Figure 28-20 Filtering Remote Node Traffic ... 28-21 Figure 29-1 SNMP Management Model ... 29-1 Figure 29-2 SNMP Configuration... 29-3 Figure 30-1 System Maintenance... 30-1 Figure 30-2 System Maintenance — Status ... 30-2 Figure 30-3 System Information and Console Port Speed ...
  • Page 30 Prestige 792H G.SHDSL Router Figure 31-15 FTP Session Example of Firmware File Upload ...31-12 Figure 31-16 Menu 24.7.1 as seen using the Console Port...31-14 Figure 31-17 Example Xmodem Upload ...31-14 Figure 31-18 Menu 24.7.2 as seen using the Console Port...31-15 Figure 31-19 Example Xmodem Upload ...31-16 Figure 32-1 Command Mode in Menu 24 ...32-1 Figure 32-2 Valid Commands ...32-2...
  • Page 31 Prestige 792H G.SHDSL Router Figure 36-3 Menu 27.1 IPSec Summary... 36-2 Figure 36-4 Menu 27.1.1 IPSec Setup ... 36-6 Figure 36-5 Menu 27.1.1.1 IKE Setup ... 36-11 Figure 36-6 Menu 27.1.1.2 Manual Setup ... 36-14 Figure 37-1 Menu 27.2 SA Monitor... 37-1 Figure 37-2 Example VPN Initiator IPSec Log ...
  • Page 33: List Of Tables

    Prestige 792H G.SHDSL Router List of Tables Table 2-1 Password...2-4 Table 3-1 Wizard Screen: WAN Setup...3-4 Table 3-2 Wizard Screen: Internet Access ...3-6 Table 3-3 Internet Connection with PPPoA...3-10 Table 3-4 Internet Connection with RFC 1483 ...3-12 Table 3-5 Internet Connection with ENET ENCAP ...3-13 Table 3-6 Internet Connection with PPPoE ...3-15 Table 3-7 Wizard: LAN Configuration ...3-17 Table 4-1 LAN...4-5...
  • Page 34 Prestige 792H G.SHDSL Router Table 9-2 Alert ... 9-6 Table 10-1 Firewall Logs ... 10-5 Table 10-2 Firewall Rules Summary: First Screen... 10-8 Table 10-3 Predefined Services... 10-9 Table 10-4 Creating/Editing A Firewall Rule... 10-12 Table 10-5 Adding/Editing Source and Destination Addresses... 10-14 Table 10-6 Timeout ...
  • Page 35 Prestige 792H G.SHDSL Router Table 14-14 Sample IPSec Logs During Packet Transmission ...14-29 Table 14-15 RFC-2408 ISAKMP Payload Types ...14-30 Table 14-16 Telecommuters Sharing One VPN Rule Example ...14-31 Table 14-17 Telecommuters Using Unique VPN Rules Example...14-32 Table 15-1 Remote Management ...15-3 Table 16-1 Configuring UPnP ...16-3 Table 17-1 System Status...17-3 Table 17-2 System Status: Show Statistics ...17-4...
  • Page 36 Prestige 792H G.SHDSL Router Table 25-1 Edit IP Static Route ... 25-3 Table 26-1 Remote Node Bridging Options... 26-2 Table 26-2 Edit Bridge Static Route... 26-3 Table 27-1 Applying NAT to the Remote Node ... 27-3 Table 27-2 Address Mapping Rules - SUA ... 27-4 Table 27-3 Address Mapping Rules ...
  • Page 37 Prestige 792H G.SHDSL Router Table 36-1 Menu 27.1 IPSec Summary ...36-2 Table 36-2 Menu 27.1.1 IPSec Setup...36-6 Table 36-3 Menu 27.1.1.1 IKE Setup ...36-11 Table 36-4 Active Protocol: Encapsulation and Security Protocol ...36-13 Table 36-5 Menu 27.1.1.2 Manual Setup...36-14 Table 37-1 Menu 27.2 SA Monitor ...37-2 Table 39-1 Troubleshooting the Start-Up of Your Prestige ...39-1 Table 39-2 Troubleshooting the LAN Interface ...39-1 Table 39-3 Troubleshooting the WAN Interface ...39-2...
  • Page 39: Preface

    Congratulations on your purchase of the Prestige 792H G.SHDSL Router. Use the web configurator, System Management Terminal (SMT) or command interpreter interface to configure your Prestige. Not all features can be configured Please visit our web site at www.zyxel.com Don’t forget to register your Prestige (fast, easy online registration at www.zyxel.com) for free future product updates and information.
  • Page 40 Prestige 792H G.SHDSL Router • The Prestige 792H may be referred to as the Prestige in this user’s guide. • Images of Prestige 792H are used throughout this document unless otherwise specified. The following section offers some background information on DSL. Skip to Chapter 1 if you wish to begin working with your router right away.
  • Page 41: Introduction To Dsl

    Prestige 792H G.SHDSL Router Introduction to DSL DSL (Digital Subscriber Line) technology enhances the data capacity of the existing twisted-pair wire that runs between the local telephone company switching offices and most homes and offices. While the wire itself can handle higher frequencies, the telephone switching equipment is designed to cut off signals above 4,000 Hz to filter noise off the voice line, but now everybody is searching for ways to get more bandwidth to improve access to the Web - hence DSL technologies.
  • Page 42: Getting Started

    Getting Started GETTING STARTED This part covers Getting to Know Your Prestige, Hardware Installation, Initial Setup, WAN, LAN and Internet Access.
  • Page 44: Chapter 1 Getting To Know Your G.shdsl Router

    Prestige 792H G.SHDSL Router Chapter 1 Getting to Know Your G.SHDSL Router This chapter covers the key features and main applications of your Prestige. The Prestige 792H is a high-performance G.SHDSL router with a four-port switch for Internet/LAN access via a telephone line. Your Prestige supports multi-protocol routing for TCP/IP, as well as transparent bridging for other protocols.
  • Page 45: Ipsec Vpn Capability

    Prestige 792H G.SHDSL Router SDSL G.HDSL (G.991.2) IPSec VPN Capability Establish a Virtual Private Network (VPN) to connect with business partners and branch offices using data encryption and the Internet to provide secure communications without the expense of leased site-to-site lines.
  • Page 46: Ip Policy Routing

    IP Alias IP Alias allows you to partition a physical network into logical networks over the same Ethernet interface. The Prestige supports three logical LAN interfaces via its single physical Ethernet interface with the Prestige itself as the gateway for each LAN network. IP Policy Routing IP Policy Routing provides a mechanism to override the default routing behavior and alter packet forwarding based on the policies defined by the network administrator.
  • Page 47 Prestige 792H G.SHDSL Router IRC, ICQ, RealAudio, VDOLive, Quake and PPTP. No extra configuration is needed to support these applications. SUA address mapping can also be used for other LAN-to-LAN connections. Universal Plug and Play (UPnP) Using the standard TCP/IP protocol, the Prestige and other UPnP enabled devices can dynamically join a network, obtain an IP address and convey its capabilities to other devices on the network.
  • Page 48: Application Scenarios For The Prestige

    Prestige 792H G.SHDSL Router Application Scenarios for the Prestige This section provides examples on how your Prestige can be used. 1.2.1 Internet Access Figure 1-1 Internet Access Application Your Prestige can act as either of the following: • A bridge for multi-computer/MAC bridging (RFC-1483, bridged Ethernet/802.3). 1.2.2 LAN-to-LAN Application You can use the Prestige to connect two geographically dispersed networks over the DSL line.
  • Page 49: Chapter 2 Introducing The Web Configurator

    Introducing the Web Configurator This chapter describes how to access and navigate the web configurator. Web Configurator Overview The embedded web configurator (ewc) allows you to manage the Prestige from anywhere through a browser such as Microsoft Internet Explorer or Netscape Navigator. Use Internet Explorer 6.0 and later or Netscape Navigator 7.0 and later versions with JavaScript enabled.
  • Page 50: Navigating The Prestige Web Configurator

    Prestige 792H G.SHDSL Router Step 6. You should now see the Site Map screen. The Prestige automatically times out after five minutes of inactivity. Simply log back into the Prestige if this happens to you. Navigating the Prestige Web Configurator The following summarizes how to navigate the web configurator from the Site Map screen.
  • Page 51: Configuring Password

    Logout Figure 2-2 Web Configurator SITE MAP Screen Click the HELP icon (located in the top right corner of most screens) to view Configuring Password It is highly recommended that you change the password for accessing the Prestige. To change your Prestige’s password, click Advanced Setup and then Password. The screen appears as shown.
  • Page 52: Resetting The Prestige

    Prestige 792H G.SHDSL Router The following table describes the labels in this screen. LABEL Old Password Type the default password or the existing password you use to access the system in this field. New Password Type the new password in this field. Retype to Confirm Type the new password again in this field.
  • Page 53: Using The Reset Button

    of 9600bps with 8 data bits, no parity, one stop bit and flow control set to none. The password will also be reset to “1234”. 2.5.1 Using The Reset Button Step 1. Make sure the SYS LED is on (not blinking). Step 1.
  • Page 55: Chapter 3 Wizard Setup

    This chapter provides information on the Wizard Setup screens in the web configurator. Wizard Setup Introduction Use the Wizard Setup screens to configure your system for Internet access settings and fill in the fields with the information in the Internet Account Information table of the Quick Start Guide or Read Me First. Your ISP may have already configured some of the fields in the wizard screens for you.
  • Page 56: Transfer Rates

    Prestige 792H G.SHDSL Router 3.2.3 Transfer Rates The Prestige supports the following symmetrical multi-rate data transmission speeds: 72, 136, 200, 264, 392, 520, 776, 1032, 1160, 1544, 1736, 2056 and 2312Kbps. You can increase the capacity of the Internet connection (within certain limitations) without changing your ISP or buying new equipment.
  • Page 57: Pppoa

    Prestige 792H G.SHDSL Router ATM PVC (Permanent Virtual Circuit) which connects to ADSL Access Concentrator where the PPP session terminates. One PVC can support any number of PPP sessions from your LAN. For more information on PPPoE, see the appendix. 3.3.3 PPPoA PPPoA stands for Point to Point Protocol over ATM Adaptation Layer 5 (AAL5).
  • Page 58: Vpi And Vci

    Prestige 792H G.SHDSL Router is not practical to have a separate VC for each carried protocol, for example, if charging heavily depends on the number of simultaneous VCs. VPI and VCI Be sure to use the correct Virtual Path Identifier (VPI) and Virtual Channel Identifier (VCI) numbers assigned to you.
  • Page 59 LABEL Service Type Select Client if your Prestige will act as a client device or Server if your Prestige will act as a server (see Service Type). Transfer Rate Rate Adaption If you enable Rate Adaption, the Prestige connects at the optimal transfer rate between the min and max rates below.
  • Page 60: Ip Address And Subnet Mask

    Prestige 792H G.SHDSL Router Figure 3-2 Wizard Screen: Internet Access The following table describes the labels in this screen. Table 3-2 Wizard Screen: Internet Access LABEL Mode From the Mode drop-down list box, select Routing (default) if your ISP allows multiple computers to share an Internet account.
  • Page 61: Ip Address Assignment

    Prestige 792H G.SHDSL Router Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask. If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established.
  • Page 62: Ip Assignment With Rfc 1483 Encapsulation

    Prestige 792H G.SHDSL Router 3.8.2 IP Assignment with RFC 1483 Encapsulation In this case the IP Address Assignment must be static with the same requirements for the IP Address and ENET ENCAP Gateway fields as stated above. 3.8.3 IP Assignment with ENET ENCAP Encapsulation In this case you can have either a static or dynamic IP.
  • Page 63: Nailed-Up Connection (Ppp)

    Prestige 792H G.SHDSL Router Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Address Space.
  • Page 64: Figure 3-3 Internet Connection With Pppoa

    Prestige 792H G.SHDSL Router Figure 3-3 Internet Connection with PPPoA The following table describes the labels in this screen. Table 3-3 Internet Connection with PPPoA LABEL User Name Enter the user name exactly as your ISP assigned. If assigned a name in the form user@domain as given.
  • Page 65 Table 3-3 Internet Connection with PPPoA LABEL IP Address This option is available if you select Routing in the Mode field. A static IP address is a fixed IP that your ISP gives you. A dynamic IP address is not fixed; the ISP assigns you a different one each time you connect to the Internet.
  • Page 66: Rfc 1483

    Prestige 792H G.SHDSL Router 3.11.2 RFC 1483 Select RFC 1483 from the Encapsulation drop-down list box in the first wizard screen to display the screen as shown. Figure 3-4 Internet Connection with RFC 1483 The following table describes the labels in this screen. Table 3-4 Internet Connection with RFC 1483 LABEL IP Address...
  • Page 67: Figure 3-5 Internet Connection With Enet Encap

    Figure 3-5 Internet Connection with ENET ENCAP The following table describes the labels in this screen. Table 3-5 Internet Connection with ENET ENCAP LABEL IP Address A static IP address is a fixed IP that your ISP gives you. A dynamic IP address is not fixed;...
  • Page 68: Pppoe

    Prestige 792H G.SHDSL Router Table 3-5 Internet Connection with ENET ENCAP LABEL Network Address Select None, SUA Only or Full Feature from the drop-down list box. Refer to the NAT Translation chapter for more details. Back Click Back to go back to the first wizard screen. Next Click Next to continue to the next wizard screen.
  • Page 69: Dhcp Setup

    Table 3-6 Internet Connection with PPPoE LABEL Service Name Type the name of your PPPoE service here. User Name Configure User Name and Password fields for PPPoA and PPPoE encapsulation only. Enter the user name exactly as your ISP assigned. If assigned a name in the form user@domain as given.
  • Page 70: Ip Pool Setup

    Prestige 792H G.SHDSL Router disable it. When configured as a server, the Prestige provides the TCP/IP configuration for the clients. If you turn DHCP service off, you must have another DHCP server on your LAN, or else the computer must be manually configured.
  • Page 71: Figure 3-7 Wizard Screen: Lan Configuration

    Figure 3-7 Wizard Screen: LAN Configuration If you want to change your Prestige LAN settings, click Change LAN Configuration to display the screen as shown next. The following table describes the labels in this screen. LABEL LAN IP Address Enter the IP address of your Prestige in dotted decimal notation, for example, 192.168.1.1 (factory default).
  • Page 72: Wizard Setup Configuration: Connection Tests

    Prestige 792H G.SHDSL Router LABEL DHCP Server From the DHCP Server drop-down list box, select On to allow your Prestige to assign IP addresses, an IP default gateway and DNS servers to computer systems that support the DHCP client. Select Off to disable DHCP server. When DHCP server is used, set the following items: Client IP Pool Starting This field specifies the first of the contiguous addresses in the IP address pool.
  • Page 73: Test Your Internet Connection

    Prestige 792H G.SHDSL Router Figure 3-9 Wizard Screen: Connection Tests 3.15 Test Your Internet Connection Launch your web browser and navigate to www.zyxel.com. Internet access is just the beginning. Refer to the rest of this User’s Guide for more detailed information on the complete range of Prestige features. If you cannot access the Internet, open the web configurator again to confirm that the Internet settings you configured in the Wizard Setup are correct.
  • Page 75: Chapter 4 Lan Setup

    LAN Overview A Local Area Network (LAN) is a shared communication system to which many computers are attached. A LAN is a computer network limited to the immediate area, usually the same building or floor of a building. The LAN screens can help you configure a LAN DHCP server and manage IP addresses. 4.1.1 LANs, WANs and the Prestige The actual physical connection determines whether the Prestige ports are LAN or WAN ports.
  • Page 76: Dns Server Address Assignment

    before you can access it. The DNS server addresses that you enter in the DHCP setup are passed to the client machines along with the assigned IP address and subnet mask. There are two ways that an ISP disseminates the DNS server addresses. The first is for an ISP to tell a customer the DNS server addresses, usually in the form of an information sheet, when s/he signs up.
  • Page 77: Factory Lan Defaults

    4.4.1 Factory LAN Defaults The LAN parameters of the Prestige are preset in the factory with the following values: IP address of 192.168.1.1 with subnet mask of 255.255.255.0 (24 bits) DHCP server enabled with 32 client IP addresses starting from 192.168.1.33. These parameters should work for the majority of installations.
  • Page 78: Configuring Lan

    Prestige 792H G.SHDSL Router RFC 2236. The class D IP address is used to identify host groups and can be in the range 224.0.0.0 to 239.255.255.255. The address 224.0.0.0 is not assigned to any group and is used by IP multicast computers. The address 224.0.0.1 is used for query messages and is assigned to the permanent group of all IP hosts (including gateways).
  • Page 79: Table 4-1 Lan

    The following table describes the labels in this screen. LABEL DHCP DHCP If set to Server, your Prestige can assign IP addresses, an IP default gateway and DNS servers to Windows 95, Windows NT and other systems that support the DHCP client. If set to None, the DHCP server will be disabled.
  • Page 80 LABEL Apply Click this button to save these settings back to the Prestige. Cancel Click this button to reset the fields in this screen. Table 4-1 LAN DESCRIPTION LAN Setup...
  • Page 81: Chapter 5 Wan Setup

    WAN Overview A WAN (Wide Area Network) is an outside connection to another network or the Internet. See the Wizard Setup chapter for more information on the fields in the WAN screens. Metric The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost".
  • Page 82: Pppoe Encapsulation

    Prestige 792H G.SHDSL Router If you want the dial-backup route to take first priority over the traffic-redirect route or even the normal route, all you need to do is set the dial-backup route’s metric to "1" and the others to "2" (or greater). IP Policy Routing overrides the default routing behavior and takes priority over all of the routes mentioned above (see the IP Policy Routing chapter).
  • Page 83: Traffic Shaping

    Prestige 792H G.SHDSL Router Traffic Shaping Traffic Shaping is an agreement between the carrier and the subscriber to regulate the average rate and fluctuations of data transmission over an ATM network. This agreement helps eliminate congestion, which is important for transmission of real time data such as audio and video connections. Peak Cell Rate (PCR) is the maximum rate at which the sender can send cells.
  • Page 84: Configuring Wan Setup

    Prestige 792H G.SHDSL Router Figure 5-1 Example of Traffic Shaping Configuring WAN Setup To change your Prestige’s WAN remote node settings, click WAN, WAN Setup. The screen differs by the encapsulation.
  • Page 85: Figure 5-2 Wan Setup

    Prestige 792H G.SHDSL Router Figure 5-2 WAN Setup The following table describes the labels in this screen.
  • Page 86: Table 5-1 Wan Setup

    Prestige 792H G.SHDSL Router LABEL Name Enter the name of your Internet Service Provider, e.g., MyISP. This information is for identification purposes only. Mode Select Routing (default) from the drop-down list box if your ISP allows multiple computers to share an Internet account. Otherwise select Bridge. Encapsulation Select the method of encapsulation used by your ISP from the drop-down list box.
  • Page 87 LABEL Maximum Burst Size Maximum Burst Size (MBS) refers to the maximum number of cells that can be sent at the peak rate. Type the MBS, which is less than 65535. Login Information (PPPoA and PPPoE encapsulation only) Service Name (PPPoE only) Type the name of your PPPoE service here. User Name Enter the user name exactly as your ISP assigned.
  • Page 88: Traffic Redirect

    Prestige 792H G.SHDSL Router LABEL Subnet Mask (ENET ENCAP encapsulation only) Enter a subnet mask in dotted decimal notation. Refer to the Subnetting appendix to calculate a subnet mask if you are implementing subnetting. ENET ENCAP Gateway You must specify a gateway IP address (supplied by your ISP) when you select ENET ENCAP in the Encapsulation field.
  • Page 89: Configuring Wan Backup

    Prestige 792H G.SHDSL Router The following network topology allows you to avoid triangle route security issues when the backup gateway is connected to the LAN or DMZ. Use IP alias to configure the LAN into two or three logical networks with the Prestige itself as the gateway for each LAN network. Put the protected LAN in one subnet (Subnet 1 in the following figure) and the backup gateway in another subnet (Subnet 2).
  • Page 90: Figure 5-5 Wan Backup

    Prestige 792H G.SHDSL Router To change your Prestige’s WAN backup settings, click WAN, then WAN Backup. The screen appears as shown. Figure 5-5 WAN Backup The following table describes the fields in this screen.
  • Page 91: Table 5-2 Wan Backup

    LABEL Backup Type Select the method that the Prestige uses to check the DSL connection. Select DSL Link to have the Prestige check the DSL connection’s physical layer. Select ICMP to have the Prestige periodically ping the IP addresses configured in the Check WAN IP Address fields. Check WAN IP Configure this field to test your Prestige's WAN accessibility.
  • Page 92: Outgoing Authentication Protocol

    Prestige 792H G.SHDSL Router LABEL Backup Gateway Type the IP address of your backup gateway in dotted decimal notation. The Prestige automatically forwards traffic to this IP address if the Prestige's Internet connection terminates. Dial Backup Active Select this check box to turn on dial backup. Metric This field sets this route's priority among the three routes the Prestige uses (normal, traffic redirect and dial backup).
  • Page 93: Configuring Advanced Wan Backup

    peer disconnects right after a successful authentication, make sure that you specify the correct authentication protocol when connecting to such an implementation. Configuring Advanced WAN Backup To edit your Prestige’s advanced WAN backup settings, click WAN, WAN Backup and then the Advanced Setup button.
  • Page 94: Figure 5-6 Advanced Wan Backup

    Figure 5-6 Advanced WAN Backup
  • Page 95 The following table describes the fields in this screen. LABEL Basic Login Name Type the login name assigned by your ISP. Password Type the password assigned by your ISP. Retype to Confirm Type your password again to make sure that you have entered it correctly. Authentication Type Use the drop-down list box to select an authentication protocol for outgoing calls.
  • Page 96: Table 5-3 Advanced Wan Backup

    LABEL Enable SUA Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network to a different IP address known within another network. SUA (Single User Account) is a subset of NAT that supports two types of mapping: Many-to-One and Server.
  • Page 97: At Command Strings

    PPP Options Encapsulation: Select CISCO PPP from the drop-down list box if your backup WAN device uses Cisco PPP encapsulation; otherwise select Standard PPP. Compression: Select this check box to enable stac compression. Connection Nailed-Up Connection: Select Nailed-Up Connection when you want your connection up all the time. The Prestige will try to bring up the connection automatically if it is disconnected.
  • Page 98: Dtr Signal

    For ISDN lines, there are many more protocols and operational modes. Please consult the documentation of your TA. You may need additional commands in both “Dial” and “Init” strings. 5.11 DTR Signal The majority of WAN devices default to hanging up the current call when the DTR (Data Terminal Ready) signal is dropped by the DTE.
  • Page 99: Figure 5-7 Advanced Modem Setup

    The following table describes the fields in this screen. LABEL AT Command Strings Dial Type the AT Command string to make a call. Example: atdt Drop Type the AT Command string to drop a call. "~" represents a one second wait, for example, "~~+++~~ath"...
  • Page 100 Drop DTR When Hang Up: Select this check box to have the Prestige drop the DTR (Data Terminal Ready) signal after the "AT Command String: Drop" is sent out. AT Response Strings CLID: Type the keyword that precedes the CLID (Calling Line Identification) in the AT response string.
  • Page 101 NAT and Dynamic DNS Part II: NAT and Dynamic DNS This part covers NAT (Network Address Translation) and dynamic DNS (Domain Name Server)
  • Page 103: Chapter 6 Network Address Translation (Nat)

    Network Address Translation (NAT) NAT Overview NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet, for example, the source address of an outgoing packet, used within one network to a different IP address known within another network.
  • Page 104: How Nat Works

    local address before forwarding it to the original inside host. Note that the IP address (either local or global) of an outside host is never changed. The global IP addresses for the inside hosts can be either static or dynamically assigned by the ISP. In addition, you can designate servers, for example, a web server and a telnet server, on your local network and make them accessible to the outside world.
  • Page 105: Nat Mapping Types

    Figure 6-2 NAT Application With IP Alias 6.1.5 NAT Mapping Types NAT supports five types of IP/port mapping. They are: 1. One to One: In One-to-One mode, the Prestige maps one local IP address to one global IP address. 2. Many to One: In Many-to-One mode, the Prestige maps multiple local IP addresses to one global IP address.
  • Page 106: Sua (Single User Account) Versus Nat

    5. Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world. Port numbers do not change for One-to-One and Many-to-Many No Overload NAT The following table summarizes these types. TYPE One-to-One Many-to-One (SUA/PAT)
  • Page 107: Sua Server

    1. Choose SUA Only if you have just one public WAN IP address for your Prestige. 2. Choose Full Feature if you have multiple public WAN IP addresses for your Prestige. SUA Server A SUA server set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make visible to the outside world even though SUA makes your whole inside network appear as a single computer to the outside world.
  • Page 108: Configuring Servers Behind Sua (Example)

    Many residential broadband ISP accounts do not allow you to run any server processes (such as a Web or FTP server) from your location. Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location.
  • Page 109: Selecting The Nat Mode

    Figure 6-3 Multiple Servers Behind NAT Example Selecting the NAT Mode Click NAT to open the following screen. Figure 6-4 NAT Mode The following table describes the labels in this screen.
  • Page 110: Configuring Sua Server

    None: Select this radio button to disable NAT. SUA Only: Select this radio button if you have just one public WAN IP address for your Prestige. The Prestige uses Address Mapping Set 1 in the NAT - Edit SUA/NAT Server Set screen. Edit Details: Click this link to go to the NAT - Edit SUA/NAT Server Set screen.
  • Page 111: Figure 6-5 Edit Sua/Nat Server Set

    The following table describes the labels in this screen. LABEL Start Port No. Enter a port number in this field. To forward only one port, enter the port number again in the End Port No. field. To forward a series of ports, enter the start port number here and the end port number in the End Port No.
  • Page 112: Configuring Address Mapping

    LABEL End Port No. Enter a port number in this field. To forward only one port, enter the port number again in the Start Port No. field above and then enter it again in this field. To forward a series of ports, enter the last port number in a series that begins with the port number in the Start Port No.
  • Page 113: Figure 6-6 Address Mapping Rules

    The following table describes the labels in this screen. LABEL Local Start IP This is the starting Inside Local IP Address (ILA). Local IP addresses are N/A for Server port mapping. Local End IP This is the end Inside Local IP Address (ILA). If your rule is for all local IP addresses, then enter 0.0.0.0 as the Local Start IP address and 255.255.255.255 as the Local End IP address.
  • Page 114: Editing An Address Mapping Rule

    LABEL Type 1-1: One-to-one mode maps one local IP address to one global IP address. Note that port numbers do not change for the One-to-one NAT mapping type. M-1: Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyXEL routers supported only.
  • Page 115: Table 6-7 Address Mapping Rule Edit

    The following table describes the labels in this screen. LABEL Type Choose the port mapping type from one of the following. 1. One-to-One: One-to-One mode maps one local IP address to one global IP address. Note that port numbers do not change for One-to-one NAT mapping type. 2.
  • Page 117: Chapter 7 Dynamic Dns Setup

    This chapter discusses how to configure your Prestige to use Dynamic DNS. Dynamic DNS Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You can also access your FTP server or Web site on your own computer using a domain name (for instance myhost.dhs.org, where myhost is a name of your choice) that will never change instead of using an IP address that changes each time you reconnect.
  • Page 118: Figure 7-1 Ddns

    The following table describes the labels in this screen. LABEL Active Select this check box to use dynamic DNS. Service Provider Select the name of your Dynamic DNS service provider. Host Name Type the domain name assigned to your Prestige by your Dynamic DNS provider. E-mail Address Type your e-mail address.
  • Page 119 Firewall and Content Filters Part III: Firewall and Content Filter This part introduces firewalls in general and the Prestige firewall. It also explains customized services and logs and gives example firewall rules and an overview of content filtering.
  • Page 121: Chapter 8 Firewalls

    This chapter gives some background information on firewalls and introduces the Prestige firewall. Firewall Overview Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another. The networking term “firewall” is a system or group of systems that enforces an access-control policy between two networks.
  • Page 122: Stateful Inspection Firewalls

    Information hiding prevents the names of internal systems from being made known via DNS to outside systems, since the application gateway is the only host whose name must be made known to outside systems. Robust authentication and logging pre-authenticates application traffic before it reaches internal hosts and causes it to be logged more effectively than if it were logged with standard host logging.
  • Page 123: Denial Of Service

    Figure 8-1 Prestige Firewall Application Denial of Service Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources.
  • Page 124: Types Of Dos Attacks

    8.4.2 Types of DoS Attacks There are four types of DoS attacks: 1. Those that exploit bugs in a TCP/IP implementation. 2. Those that exploit weaknesses in the TCP/IP specification. 3. Brute-force attacks that flood a network with useless data. 4.
  • Page 125: Figure 8-2 Three-Way Handshake

    Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment). After this handshake, a connection is established. 2-a SYN Attack floods a targeted system with a series of SYN packets.
  • Page 126: Figure 8-4 Smurf Attack

    2-b In a LAND Attack, hackers flood SYN packets into the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself. 3.
  • Page 127: Stateful Inspection

    The only legal NetBIOS commands are the following - all others are illegal. All SMTP commands are illegal except for those displayed in the following tables. AUTH DATA EHLO QUIT RCPT RSET Traceroute Traceroute is a utility used to determine the path a packet takes between two endpoints. Sometimes when a packet filter firewall is configured incorrectly an attacker can traceroute the firewall gaining knowledge of the network topology inside the firewall.
  • Page 128: Stateful Inspection Process

    Allows all sessions originating from the LAN (local network) to the WAN (Internet). Denies all sessions originating from the WAN to the LAN. The previous figure shows the Prestige’s default firewall rules in action as well as demonstrates how stateful inspection works.
  • Page 129: Stateful Inspection And The Prestige

    4. Based on the obtained state information, a firewall rule creates a temporary access list entry that is inserted at the beginning of the WAN interface's inbound extended access list. This temporary access list entry is designed to permit inbound packets of the same connection as the outbound packet just inspected.
  • Page 130: Tcp Security

    Below is a brief technical description of how these connections are tracked. Connections may either be defined by the upper protocols (for instance, TCP), or by the Prestige itself (as with the "virtual connections" created for UDP and ICMP). 8.5.3 TCP Security The Prestige uses state information embedded in TCP packets.
  • Page 131: Upper Layer Protocols

    8.5.5 Upper Layer Protocols Some higher layer protocols (such as FTP and RealAudio) utilize multiple network connections simultaneously. In general terms, they usually have a "control connection" which is used for sending commands between endpoints, and then "data connections" which are used for transmitting bulk information. Consider the FTP protocol.
  • Page 132: Packet Filtering Vs Firewall

    1. Encourage your company or organization to develop a comprehensive security plan. Good network administration takes into account what hackers can do and prepares against attacks. The best defense against hackers and crackers is information. Educate all employees about the importance of security and how to minimize risk.
  • Page 133: Firewall

    Packet filtering only checks the header portion of an IP packet. When To Use Filtering 1. To block/allow LAN packets by their MAC addresses. 2. To block/allow special IP packets which are neither TCP nor UDP, nor ICMP packets. 3. To block/allow both inbound (WAN to LAN) and outbound (LAN to WAN) traffic between the specific inside host/network "A"...
  • Page 134 6. The firewall can block specific URL traffic that might occur in the future. The URL can be saved in an Access Control List (ACL) database.
  • Page 135: Chapter 9 Firewall Configuration

    This chapter shows you how to enable and configure the Prestige firewall. Remote Management and the Firewall When remote management is configured to allow management (see the Remote Management chapter) and the firewall is enabled: • The firewall blocks remote management from the WAN unless you configure a firewall rule to allow it.
  • Page 136: Configuring E-Mail Alerts

    Configuring E-mail Alerts To change your Prestige’s E-mail log settings, click Advanced Setup, Firewall, and then E-mail. The screen appears as shown. This screen is not available on all models. Use the E-Mail screen to configure where the Prestige sends logs, the schedule for sending them, and which logs and/or immediate alerts it sends.
  • Page 137: Attack Alert

    LABEL E-mail Alerts To Alerts are sent to the e-mail address specified in this field. If this field is left blank, alerts will not be sent via e-mail. Return Address Type an E-mail address to identify the Prestige as the sender of the e-mail messages i.e., a "return-to-sender"...
  • Page 138: Alerts

    9.4.1 Alerts Alerts are reports on events, such as attacks, that you may want to know about right away. You can choose to generate an alert when an attack is detected in the Alert screen (Figure 9-3 - select the Generate alert when attack detected checkbox) or when a rule is matched in the Edit Rule screen (see Figure 10-5). When an event generates an alert, a message can be immediately sent to an e-mail account that you specify in the Log...
  • Page 139: Tcp Maximum Incomplete And Blocking Time

    delete half-open sessions as necessary, until the rate of new connection attempts drops below another threshold (one-minute low). The rate is the number of new attempts detected in the last one-minute sample period. TCP Maximum Incomplete and Blocking Time An unusually high number of half-open sessions with the same destination host address could indicate that a Denial of Service attack is being launched against the host.
  • Page 140: Figure 9-3 Alert

    The following table describes the labels in this screen. LABEL Generate alert Select this check box to generate an alert whenever an attack is detected. when attack detected Denial of Services Thresholds One Minute Low This is the rate of new half-open sessions that causes the firewall to stop deleting half-open sessions.
  • Page 141 LABEL One Minute High This is the rate of new half-open sessions that causes the firewall to start deleting half-open sessions. The default is "100". When the rate of new connection attempts rises above this number, the Prestige deletes half-open sessions as required to accommodate new connection attempts.
  • Page 143: Chapter 10 Creating Custom Rules

    This chapter contains instructions for defining both Local Network and Internet rules. 10.1 Rules Overview Firewall rules are subdivided into “Local Network” and “Internet”. By default, the Prestige’s stateful packet inspection allows all communications to the Internet that originate from the local network, and blocks all traffic to the LAN that originates from the Internet.
  • Page 144: Security Ramifications

    3. What is the direction of the connection: from the LAN to the Internet, or from the Internet to the LAN? 4. What IP services will be affected? 5. What computers on the LAN are to be affected (if any)? 6. What computers on the Internet will be affected? The more specific, the better. For example, if traffic is being allowed from the Internet to the LAN, it is better to allow only certain machines on the Internet to access the LAN.
  • Page 145: Connection Direction

    Source Address What is the connection’s source address; is it on the LAN or WAN? Is it a single IP, a range of IPs or a subnet? Destination Address What is the connection’s destination address; is it on the LAN or WAN? Is it a single IP, a range of IPs or a subnet? 10.3 Connection Direction This section talks about configuring firewall rules for connections going from LAN to WAN and WAN to...
  • Page 146: Wan To Lan Rules

    10.3.2 WAN to LAN Rules The default rule for WAN to LAN traffic blocks all incoming connections (WAN to LAN). If you wish to allow certain WAN users to have access to your LAN, you will need to create custom rules to allow it. See the following figure.
  • Page 147: Figure 10-3 Firewall Logs

    The following table describes the labels in this screen. Table 10-1 Firewall Logs LABEL This is the index number of the firewall log. 128 entries are available numbered from 0 to 127. Once they are all used, the log will wrap around and the old logs will be lost. Time This is the time the log was recorded in this format.
  • Page 148: Rule Summary

    Table 10-1 Firewall Logs LABEL Reason This field states the reason for the log; i.e., was the rule matched, not matched, or was there an attack. The set and rule coordinates (<X, Y> where X=1,2; Y=00~10) follow with a simple explanation. There are two policy sets; set 1 (X = 1) is for LAN to WAN rules and set 2 (X = 2) for WAN to LAN rules.
  • Page 149: Figure 10-4 Firewall Rules Summary: First Screen

    Click on Firewall, then Rule Summary to bring up the following screen. This screen is a summary of the existing rules. Note the order in which the rules are listed. The ordering of your rules is very important as rules are applied in turn. Figure 10-4 Firewall Rules Summary: First Screen The following table describes the labels in this screen.
  • Page 150: Predefined Services

    Table 10-2 Firewall Rules Summary: First Screen The default action for packets not matching following rules: Use the drop-down list box to select whether to Block (silently discard) or Forward (allow the passage of) packets that do not match the following rules. Default Permit Log: Select this check box to log all matched rules in the default set.
  • Page 151: Table 10-3 Predefined Services

    defines the service. (Note that there may be more than one IP protocol type. For example, look at the default configuration labeled “(DNS)”. supported. Custom services may also be configured using the Custom Ports function discussed later. SERVICE AIM/NEW_ICQ(TCP:5190) AUTH(TCP:113) BGP(TCP:179) BOOTP_CLIENT(UDP:68) BOOTP_SERVER(UDP:67)
  • Page 152 Table 10-3 Predefined Services SERVICE: NEWS(TCP:144) NFS(UDP:2049) NNTP(TCP:119) PING(ICMP:0) POP3(TCP:110) PPTP(TCP:1723) PPTP_TUNNEL(GRE:0) RCMD(TCP:512) REAL_AUDIO(TCP:7070) REXEC(TCP:514) RLOGIN(TCP:513) RTELNET(TCP:107) RTSP(TCP/UDP:554) SFTP(TCP:115) SMTP(TCP:25) SNMP(TCP/UDP:161) SNMP-TRAPS (TCP/UDP:162) SQL-NET(TCP:1521) DESCRIPTION: A protocol for news groups. Network File System - NFS is a client/server distributed file service that provides transparent file-sharing for network environments.
  • Page 153: Creating/Editing Firewall Rules

    Table 10-3 Predefined Services SERVICE: SSDP(UDP:1900) SSH(TCP/UDP:22) STRMWORKS(UDP:1558) SYSLOG(UDP:514) TACACS(UDP:49) TELNET(TCP:23) TFTP(UDP:69) VDOLIVE(TCP:7000) DESCRIPTION: Simple Service Discovery Protocol (SSDP) is a discovery service searching for Universal Plug and Play devices on your home network or upstream Internet gateways using UDP port 1900. 10.7 Creating/Editing Firewall Rules To create a new rule, click a number (No.) in the last screen shown to display the following screen.
  • Page 154: Figure 10-5 Creating/Editing A Firewall Rule

    Figure 10-5 Creating/Editing A Firewall Rule The following table describes the labels in this screen. Table 10-4 Creating/Editing A Firewall Rule Source Address: Click SrcAdd to add a new address, SrcEdit to edit an existing one or SrcDelete to delete one.
  • Page 155: Source And Destination Addresses

    Table 10-4 Creating/Editing A Firewall Rule LABEL Destination Address Click DestAdd to add a new address, DestEdit to edit an existing one or DestDelete to delete one. Services Select a service in the Available Services box on the left, then click >> to select. The selected service shows up on the Selected Services box on the right.
  • Page 156: Timeout

    Figure 10-6 Adding/Editing Source and Destination Addresses The following table describes the labels in this screen. Table 10-5 Adding/Editing Source and Destination Addresses LABEL Address Type Do you want your rule to apply to packets with a particular (single) IP address, a range of IP addresses (e.g., 192.168.1.10 to 192.169.1.50), a subnet or any IP address? Select an option from the drop-down list box that includes: Single Address, Range Address, Subnet Address and Any Address.
  • Page 157: Factors Influencing Choices For Timeout Values

    10.8.1 Factors Influencing Choices for Timeout Values The factors influencing choices for timeout values are the same as the factors influencing choices for threshold values – see section 9.4.2. Click Timeout for either Local Network or Internet. The following table describes the labels in this screen. LABEL TCP Timeout Values Connection Timeout...
  • Page 158 Table 10-6 Timeout Back: Click Back to return to the previous screen. Apply: Click Apply to save your customized settings and exit this screen. Cancel: Click Cancel to return to the previous configuration.
  • Page 159: Chapter 11 Customized Services

    Chapter 11 Customized Services This chapter covers creating, viewing and editing custom services. 11.1 Introduction to Customized Services Configure customized services and port numbers not predefined by the Prestige (see Figure 10-5). For a comprehensive list of port numbers and services, visit the IANA (Internet Assigned Numbers Authority) website.
  • Page 160: Creating/Editing A Customized Service

    LABEL Customized Services This is the number of your customized port. Click a rule’s number of a service to go to the Firewall Customized Services Config screen to configure or edit a customized service. Name This is the name of your customized service. Protocol This shows the IP protocol (TCP, UDP or Both) that defines your customized service.
  • Page 161: Example Custom Service Firewall Rule

    Table 11-2 Creating/Editing A Customized Service LABEL Service Name Type a unique name for your custom port. Service Type Choose the IP port (TCP, UDP or TCP/UDP) that defines your customized port from the drop down list box. Port Configuration Type Click Single to specify one port only or Range to specify a span of ports that define your customized service.
  • Page 162: Figure 11-4 Configure Source Ip Example

    Step 1. Click SrcAdd to open the Rule IP Config screen. Configure it as follows and click Apply. Step 5. Click Edit Available Service in the Edit rule screen and then click a rule number to bring up the Firewall Customized Services Config screen. Configure as follows. Figure 11-5 Customized Service for MyService Example Customized services show up with an “*”...
  • Page 163: Figure 11-6 Syslog Rule Configuration Example

    Step 4. Follow the procedures outlined earlier in this chapter to configure all your rules. Configure the rule configuration screen like the one below and apply it. Click Apply when finished. Figure 11-6 Syslog Rule Configuration Example This is the address range of the MyService computers.
  • Page 164: Figure 11-7 Rule Summary Example

    Step 6. On completing the configuration procedure for these Internet firewall rules, the Rule Summary screen should look like the following. Don’t forget to click Apply when you have finished configuring your rule(s) to save your settings back to the Prestige. This rule allows a MyService connection from the WAN.
  • Page 165: Chapter 12 Content Filtering

    Chapter 12 Content Filtering This chapter covers how to configure content filtering. 12.1 Content Filtering Overview Internet content filtering allows you to create and enforce Internet access policies tailored to your needs. Content filtering gives you the ability to block web sites that contain key words (that you specify) in the URL.
  • Page 166: Figure 12-1 Content Filter: Keyword

    The following table describes the labels in this screen. LABEL Enable Keyword Blocking Select this check box to enable this feature. Block Websites that This box contains the list of all the keywords that you have configured the Prestige contain these keywords in to block.
  • Page 167: Configuring The Schedule

    LABEL Add Keyword Click Add Keyword after you have typed a keyword. Repeat this procedure to add other keywords. Up to 127 keywords are allowed. When you try to access a web page containing a keyword, you will get a message telling you that the content filter is blocking this request.
  • Page 168: Configuring Trusted Computers

    Days to Block: Select a check box to configure which days of the week (or every day) you want the content filtering to be active. Time of Day to Block: Use the 24 hour format to configure which time of the day (or select the All day check box) you want the content filtering to be active.
  • Page 169: Configuring Logs

    LABEL Type the ending IP address of a specific range of users on your LAN that you want to exclude from content filtering. Leave this field blank if you want to exclude an individual computer. Back: Click Back to return to the previous screen. Apply: Click Apply to save your changes back to the Prestige.
  • Page 170: Table 12-4 Content Filter Logs

    The following table describes the labels in this screen. LABEL Page Choose a page of logs from the drop-down list box to display. This is the index number of the content filter log. Time This field displays the time of the log. Source IP This field displays the IP address of the computer accessing the web site.
  • Page 171 VPN/IPSec Part IV: VPN/IPSec This part provides information about configuring VPN/IPSec for secure communications.
  • Page 173: Chapter 13 Introduction To Ipsec

    13.1 VPN Overview A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication.
  • Page 174: Vpn Applications

    Data Confidentiality The IPSec sender can encrypt packets before transmitting them across a network. Data Integrity The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has not been altered during transmission. Data Origin Authentication The IPSec receiver can verify the source of IPSec packets.
  • Page 175: Ipsec Architecture

    Figure 13-2 VPN Application 13.2 IPSec Architecture The overall IPSec architecture is shown as follows.
  • Page 176: Ipsec Algorithms

    Figure 13-3 IPSec Architecture 13.2.1 IPSec Algorithms The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms). The Encryption Algorithm describes the use of encryption techniques such as DES (Data Encryption Standard) and Triple DES algorithms.
  • Page 177: Encapsulation

    13.3 Encapsulation The two modes of operation for IPSec VPNs are Transport mode and Tunnel mode. Figure 13-4 Transport and Tunnel Mode IPSec Encapsulation 13.3.1 Transport Mode Transport mode is used to protect upper layer protocols and only affects the data in the IP packet. In Transport mode, the IP packet contains the security protocol (AH or ESP) located after the original IP header and options, but before any upper layer protocols contained in the packet (such as TCP and UDP).
  • Page 178: Table 13-1 Vpn And Nat

    A NAT device in between the IPSec endpoints will rewrite either the source or destination address with one of its own choosing. The VPN device at the receiving end will verify the integrity of the incoming packet by computing its own hash value, and complain that the hash value appended to the received packet doesn't match.
  • Page 179: Chapter 14 Vpn Screens

    Chapter 14 VPN Screens This chapter introduces the VPN screens. See the Logs chapter for information on viewing logs and the Reference Guide for IPSec log description. 14.1 VPN/IPSec Overview Use the screens documented in this chapter to configure rules for VPN connections and manage VPN connections.
  • Page 180: My Ip Address

    DES (default) Data Encryption Standard (DES) is a widely used method of data encryption using a private (secret) key. DES applies a 56-bit key to each 64-bit block of data. 3DES Triple DES (3DES) is a variant of DES, which iterates three times with three separate keys (3 x 56 = 168 bits), effectively doubling the strength of DES.
  • Page 181: Vpn Summary Screen

    The Secure Gateway IP Address may be configured as 0.0.0.0 only when using IKE key management and not Manual key management. 14.5 VPN Summary Screen The following figure helps explain the main fields in the web configurator. Figure 14-1 IPSec Summary Fields Local and remote IP addresses must be static.
  • Page 182: Figure 14-2 Vpn Summary

    The following table describes the labels in this screen. LABEL This is the VPN policy index number. Click a number to edit VPN policies. Name This field displays the identification name for this VPN policy. Active This field displays whether the VPN policy is active or not. A "Y" signifies that this VPN policy is active.
  • Page 183: Keep Alive

    LABEL IPSec Algorithm This field displays the security protocols used for an SA. Both AH and ESP increase Prestige processing requirements and communications latency (delay). Secure Gateway This is the IP address of the remote IPSec router. This must be a fixed, public IP address for traffic going through the Internet.
  • Page 184: Id Type And Content Examples

    With main mode (see section 14.10.1), the ID type and content are encrypted to provide identity protection. In this case the Prestige can only distinguish between up to eight different incoming SAs that connect from remote IPSec routers that have dynamic WAN IP addresses. The Prestige can distinguish up to eight incoming SAs because you can select between two encryption algorithms (DES and 3DES), two authentication algorithms (MD5 and SHA1) and two key groups (DH1 and DH2) when you configure a VPN rule (see section 14.11).
  • Page 185: Pre-Shared Key

    Table 14-5 Matching ID Type and Content Configuration Example PRESTIGE A Local ID type: E-mail Local ID content: tom@yourcompany.com Peer ID type: IP Peer ID content: 1.1.1.2 The two Prestiges in this example cannot complete their negotiation because Prestige B’s Local ID type is IP, but Prestige A’s Peer ID type is set to E-mail.
  • Page 186: Figure 14-3 Vpn Ike

    Figure 14-3 VPN IKE
  • Page 187: Table 14-7 Vpn Ike

    The following table describes the labels in this screen. LABEL IPSec Setup Active Select this check box to activate this VPN policy. Keep Alive Select either Yes or No from the drop-down list box. Select Yes to have the Prestige automatically reinitiate the SA after the SA lifetime times out, even if there is no traffic.
  • Page 188 LABEL Local Address Type Use the drop-down menu to choose Single, Range, or Subnet. Select Single for a single IP address. Select Range for a specific range of IP addresses. Select Subnet to specify IP addresses on a network by their subnet mask. IP Address Start When the Local Address Type field is configured to Single, enter a (static) IP address on the LAN behind your Prestige.
  • Page 189 LABEL End / Subnet Mask When the Remote Address Type field is configured to Single, enter the IP address in the IP Address Start field again here. When the Remote Address Type field is configured to Range, enter the end (static) IP address, in a range of computers on the network behind the remote IPSec router.
  • Page 190 Prestige 792H G.SHDSL Router Table 14-7 VPN IKE LABEL DESCRIPTION Content When you select IP in the Peer ID Type field, type the IP address of the computer with which you will make the VPN connection or leave the field blank to have the Prestige automatically use the address in the Secure Gateway Address field.
  • Page 191: Ike Phases

    LABEL Authentication Algorithm Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA-1 for maximum security.
  • Page 192: Negotiation Mode

    Choose a Diffie-Hellman public-key cryptography key group (DH1 or DH2). Set the IKE SA lifetime. This field allows you to determine how long an IKE SA should stay up before it times out. An IKE SA times out when the IKE SA lifetime period expires. If an IKE SA times out when an IPSec SA is already established, the IPSec SA stays connected.
  • Page 193: Perfect Forward Secrecy (Pfs)

    14.10.3 Perfect Forward Secrecy (PFS) Enabling PFS means that the key is transient. The key is thrown away and replaced by a brand new key using a new Diffie-Hellman exchange for each new IPSec SA setup. With PFS enabled, if one key is compromised, previous and subsequent keys are not compromised, because subsequent keys are not derived from previous keys.
  • Page 194: Figure 14-5 Vpn Ike: Advanced

    Figure 14-5 VPN IKE: Advanced The following table describes the labels in this screen. Table 14-8 VPN IKE: Advanced LABEL DESCRIPTION VPN - IKE Protocol Enter 1 for ICMP, 6 for TCP, 17 for UDP, etc. 0 is the default and signifies any protocol.
  • Page 195 LABEL Enable Replay Protection As a VPN setup is processing intensive, the system is vulnerable to Denial of Service (DoS) attacks. The IPSec receiver can detect and reject old or duplicate packets to protect against replay attacks. Select YES from the drop-down menu to enable replay detection, or select NO to disable it.
  • Page 196 LABEL Encryption Algorithm Select DES or 3DES from the drop-down list box. When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code.
  • Page 197: Manual Key Setup

    LABEL Authentication Algorithm Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA-1 for maximum security.
  • Page 198: Configuring Manual Key

    Current ZyXEL implementation assumes identical outgoing and incoming SPIs. 14.13 Configuring Manual Key You only configure VPN Manual Key when you select Manual in the Key Management field on the VPN IKE screen. This is the VPN Manual Key screen as shown next. Figure 14-6 VPN Manual Key
  • Page 199: Table 14-9 Vpn Manual Key

    The following table describes the labels in this screen. LABEL IPSec Setup Active Select this check box to activate this VPN policy. Name Type up to 32 characters to identify this VPN policy. You may use any character, including spaces, but the Prestige drops trailing spaces. IPSec Key Mode Select IKE or Manual from the drop-down list box.
  • Page 200 LABEL IP Address Start When the Local Address Type field is configured to Single, enter a (static) IP address on the LAN behind your Prestige. When the Local Address Type field is configured to Range, enter the beginning (static) IP address, in a range of computers on your LAN behind your Prestige.
  • Page 201 LABEL My IP Address Enter the WAN IP address of your Prestige. The Prestige uses its current WAN IP address (static or dynamic) in setting up the VPN tunnel if you leave this field as 0.0.0.0. The VPN tunnel has to be rebuilt if this IP address changes. Secure Gateway Address Type the WAN IP address or the URL (up to 31 characters) of the IPSec router with...
  • Page 202: Viewing Sa Monitor

    LABEL Apply Click Apply to save your changes back to the Prestige. Cancel Click Cancel to begin configuring this screen afresh. Delete Click Delete to remove the current rule. 14.14 Viewing SA Monitor Click VPN and Monitor to open the SA Monitor screen as shown. Use this screen to display and manage active VPN connections.
  • Page 203: Figure 14-7 Sa Monitor

    The following table describes the labels in this screen. LABEL This is the security association index number. Name This field displays the identification name for this VPN policy. Encapsulation This field displays Tunnel or Transport mode. IPSec Algorithm This field displays the security protocols used for an SA. Both AH and ESP increase Prestige processing requirements and communications latency (delay).
  • Page 204: Configuring Global Setting

    LABEL Back Click Back to return to the previous screen. Apply Click Apply to save your changes back to the Prestige. Refresh Click Refresh to display the current active VPN connection(s). 14.15 Configuring Global Setting To change your Prestige’s global settings, click VPN and then Global Setting. The screen appears as shown. The following table describes the labels in this screen.
  • Page 205: Configuring Ipsec Logs

    14.16 Configuring IPSec Logs To view IPSec logs in this screen, click Advanced Setup, VPN, and then Logs to open the screen shown next. The following table describes the labels in this screen. LABEL Back Click Back to return to the previous screen. Previous Page Click Previous Page to view more logs.
  • Page 206: Table 14-13 Sample Ike Key Exchange Logs

    Double exclamation marks (!!) denote an error or warning message. The following table shows sample log messages during IKE key exchange. Table 14-13 Sample IKE Key Exchange Logs LOG MESSAGE Cannot find outbound SA for rule <#d> Send Main Mode request to <IP> Send Aggressive Mode request to <IP>...
  • Page 207: Table 14-14 Sample Ipsec Logs During Packet Transmission

    Table 14-13 Sample IKE Key Exchange Logs LOG MESSAGE !! Local / remote IPs of incoming request conflict with rule <#d> !! Invalid IP <IP start>/<IP end> !! Remote IP <IP start> / <IP end> conflicts !! Active connection allowed exceeded !! IKE Packet Retransmit !! Failed to send IKE Packet...
  • Page 208: Table 14-15 Rfc-2408 Isakmp Payload Types

    Table 14-14 Sample IPSec Logs During Packet Transmission LOG MESSAGE !! Inbound packet authentication failed !! Inbound packet decryption failed Rule <#d> idle time out, disconnect The following table shows RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type.
  • Page 209: Telecommuter Vpn/Ipsec Examples

    14.17 Telecommuter VPN/IPSec Examples The following examples show how multiple telecommuters can make VPN connections to a single Prestige at headquarters. The telecommuters use IPSec routers with dynamic WAN IP addresses. The Prestige at headquarters has a static public IP address. 14.17.1 Telecommuters Sharing One VPN Rule Example See the following figure and table for an example configuration that allows multiple telecommuters (A, B...
  • Page 210: Telecommuters Using Unique Vpn Rules Example

    14.17.2 Telecommuters Using Unique VPN Rules Example In this example the telecommuters (A, B and C in the figure) use IPSec routers with domain names that are mapped to their dynamic WAN IP addresses (use Dynamic DNS to do this). With aggressive negotiation mode (see section 14.10.1), the Prestige can use the ID types and contents to distinguish between VPN rules.
  • Page 211: Vpn And Remote Management

    Table 14-17 Telecommuters Using Unique VPN Rules Example HEADQUARTERS Local ID Content: bob@bigcompanyhq.com Headquarters Prestige Rule 1: Peer ID Type: IP Peer ID Content: 192.168.2.12 Secure Gateway Address: telecommuter1.com Remote Address 192.168.2.12 Headquarters Prestige Rule 2: Peer ID Type: DNS Peer ID Content: telecommuterb.com Secure Gateway Address: telecommuterb.com Remote Address 192.168.3.2...
  • Page 212 Remote Management and UPnP Part V: Remote Management and UPnP This part contains Remote Management and UPnP...
  • Page 213: Chapter 15 Remote Management Configuration

    Remote Management Configuration 15.1 Remote Management Overview Remote management allows you to determine which services/protocols can access which Prestige interface (if any) from which computers. You may manage your Prestige from a remote location via: Internet (WAN only) LAN only To disable remote management of a service, select Disable in the corresponding Server Access field.
  • Page 214: System Timeout

    Use the Prestige’s WAN IP address when configuring from the WAN. Use the Prestige’s LAN IP address when configuring from the LAN. 15.1.3 System Timeout There is a system timeout of five minutes (three hundred seconds) for either the console port or telnet/web/FTP connections.
  • Page 215: Configuring Remote Management

    15.5 Configuring Remote Management Click Remote Management to open the following screen. The following table describes the labels in this screen. LABEL Server Type Each of these labels denotes a service that you may use to remotely manage the Prestige. Access Select the access interface.
  • Page 216: Chapter 16 Universal Plug-And-Play (Upnp)

    Universal Plug-and-Play (UPnP) 16.1 Universal Plug and Play Overview Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities and learn about other devices on the network.
  • Page 217: Upnp And Zyxel

    All UPnP-enabled devices may communicate freely with each other without additional configuration. Disable UPnP if this is not your intention. 16.1.4 UPnP and ZyXEL ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum Creates UPnP™ Implementers Corp. (UIC). ZyXEL's UPnP implementation supports IGD 1.0 (Internet Gateway Device). At the time of writing ZyXEL's UPnP implementation supports Windows Messenger 4.6 and 4.7 while Windows Messenger 5.0 and Xbox are still being tested.
  • Page 218: Installing Upnp In Windows Example

    FIELD Enable the Universal Plug and Play (UPnP) Service Select this checkbox to activate UPnP. Be aware that anyone could use a UPnP application to open the web configurator's login screen without entering the Prestige's IP address (although you must still enter the password to access the web configurator).
  • Page 219 Installing UPnP in Windows Me Follow the steps below to install the UPnP in Windows Me. Step 1. Click Start and Control Panel. Double-click Add/Remove Programs. Step 2. Click on the Windows Setup tab and select Communication in the Components selection box. Click Details. Step 3.
  • Page 220 Installing UPnP in Windows XP Follow the steps below to install the UPnP in Windows XP. Step 1. Click start and Control Panel. Step 2. Double-click Network Connections. Step 3. In the Network Connections window, click Advanced in the main menu and select Optional Networking Components ….
  • Page 221: Using Upnp In Windows Xp Example

    16.4 Using UPnP in Windows XP Example This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the Prestige. Make sure the computer is connected to a LAN port of the Prestige. Turn on your computer and the Prestige. Auto-discover Your UPnP-enabled Network Device Step 1.
  • Page 222 Step 3. In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created. When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically. Step 5. Select Show icon in notification area when connected option and click OK. An icon displays in the system tray.
  • Page 223 Step 6. Double-click on the icon to display your current Internet connection status. Web Configurator Easy Access Example With UPnP, you can access the web-based configurator on the Prestige without finding out the IP address of the Prestige first. This is helpful if you do not know the IP address of the Prestige. Follow the steps below to access the web configurator.
  • Page 224 Step 4. An icon with the description for each UPnP-enabled device displays under Local Network. Step 5. Right-click on the icon for your Prestige and select Invoke. The web configurator login screen displays. Step 6. Right-click on the icon for your Prestige and select Properties.
  • Page 225 Part VI: Maintenance This part covers the maintenance screens.
  • Page 227: Chapter 17 Maintenance

    Chapter 17 Maintenance This chapter displays system information such as ZyNOS firmware, port IP addresses and port traffic statistics. 17.1 Maintenance Overview Use the maintenance screens to view system information, upload new firmware, manage configuration and restart your Prestige.
  • Page 228 Figure 17-1 System Status The following table describes the labels in this screen.
  • Page 229: Figure 17-1 System Status

    LABEL System Status System Name This is the name of your Prestige. It is for identification purposes. ZyNOS F/W Version This is the ZyNOS firmware version and the date created. ZyNOS is ZyXEL's proprietary Network Operating System design. DSL FW Version This is the DSL firmware version associated with your Prestige. Standard This is the standard that your Prestige is using.
  • Page 230: System Statistics

    17.2.1 System Statistics Click Show Statistics in the System Status screen to open the following screen. Read-only information here includes port status and packet specific statistics. Also provided are "system up time" and "poll interval(s)". The Poll Interval(s) field is configurable. Figure 17-2 System Status: Show Statistics The following table describes the labels in this screen.
  • Page 231 Table 17-2 System Status: Show Statistics LABEL WAN Port Statistics This is the WAN port. Link Status This is the status of your WAN link. Transfer Rate This is the transfer rate in kbps. Upstream Speed This is the upstream speed of your Prestige. Downstream Speed This is the downstream speed of your Prestige.
  • Page 232: Dhcp Table Screen

    LABEL above. Stop Click this button to halt the refreshing of the system statistics. 17.3 DHCP Table Screen DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the Prestige as a DHCP server or disable it.
  • Page 233: Diagnostic Screens

    LABEL This field displays the MAC (Media Access Control) address of the computer with the displayed Address host name. Every Ethernet device has a unique MAC address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. 17.4 Diagnostic Screens These read-only screens display information to help you identify problems with the Prestige.
  • Page 234: Figure 17-5 Diagnostic General

    The following table describes the labels in this screen. LABEL TCP/IP Address Type the IP address of a computer that you want to ping in order to test a connection. Ping Click this button to ping the IP address that you entered. Click this button to reboot the Prestige.
  • Page 235: Diagnostic Dsl Line Screen

    LABEL Back Click this button to go back to the main Diagnostic screen. 17.4.2 Diagnostic DSL Line Screen Click Diagnostic and then DSL Line to open the screen shown next. The following table describes the labels in this screen. LABEL Reset xDSL Click this button to reinitialize the xDSL line.
  • Page 236: Firmware Screen

    “Start to reset xDSL... Reset xDSL Line Successfully!” Back Click this button to go back to the main Diagnostic screen. 17.5 Firmware Screen Find firmware at www.zyxel.com extension, e.g., "Prestige.bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes.
  • Page 237: Figure 17-8 Network Temporarily Disconnected

    The following table describes the labels in this screen. LABEL File Path Type in the location of the file you want to upload in this field or click Browse ... to find it. Browse... Click Browse... to find the .bin file you want to upload. Remember that you must decompress compressed (.zip) files before you can upload them.
  • Page 238 SMT General Configuration This part covers System Management Terminal configuration for general setup, LAN setup, wireless LAN setup, Internet access, remote nodes, remote node TCP/IP, static routing and NAT. See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.
  • Page 239: Chapter 18 Introducing The Smt

    This chapter explains how to access and navigate the System Management Terminal and gives an 18.1 SMT Introduction The Prestige’s SMT (System Management Terminal) is a menu-driven interface that you can access from a terminal emulator through the console port or over a telnet connection. 18.1.1 Procedure for SMT Configuration via Console Port Follow the steps below to access your Prestige via the console port.
  • Page 240: Prestige Smt Menu Overview

    Please note that if there is no activity for longer than five minutes after you log in, your Prestige will automatically log you out. Enter Password : **** Figure 18-1 Login Screen 18.1.4 Prestige SMT Menu Overview The following figure gives you an overview of the various SMT menu screens of your Prestige.
  • Page 241: Figure 18-2 Prestige Menu Overview

    [Figure 18-2 Prestige Menu Overview: diagram of the SMT menu tree, starting from the Main Menu]
  • Page 242: Navigating The Smt Interface

    18.2 Navigating the SMT Interface The SMT (System Management Terminal) is the interface that you use to configure your Prestige. Several operations that you should be familiar with before you attempt to modify the configuration are listed in the table below.
  • Page 243: System Management Terminal Interface Summary

    Filter and Firewall Setup SNMP Configuration System Maintenance IP Routing Policy Setup Introducing the SMT Copyright (c) 1994 - 2003 ZyXEL Communications Corp. Prestige 792H Main Menu Advanced Management Enter Menu Selection Number: Figure 18-3 SMT Main Menu Table 18-2 Main Menu Summary Use this menu to set up your general information.
  • Page 244: Changing The System Password

    MENU TITLE Schedule Setup VPN/IPSec Setup Exit 18.3 Changing the System Password Change the Prestige default password by following the steps shown next. Step 1. Enter 23 in the main menu to display Menu 23 - System Security. Step 2.
  • Page 245: Chapter 19 General Setup

    Menu 1 - General Setup contains administrative and system-related information. 19.1 General Setup Menu 1 — General Setup contains administrative and system-related information (shown next). The System Name field is for identification purposes. However, because some ISPs check this name you should enter your computer's "Computer Name".
  • Page 246: Figure 19-1 Menu 1 General Setup

    System Name= ? Location= Contact Person's Name= Domain Name= Edit Dynamic DNS= No Route IP= Yes Bridge= No Fill in the required fields. Refer to the table shown next for more information about these fields. FIELD System Name Enter a descriptive name for identification purposes.
  • Page 247: Configuring Dynamic Dns

    19.2.1 Configuring Dynamic DNS If you have a private WAN IP address, then you cannot use Dynamic DNS. To configure Dynamic DNS, go to Menu 1 — General Setup and select Yes in the Edit Dynamic DNS field. Press [ENTER] to display Menu 1.1— Configure Dynamic DNS as shown next. Service Provider = WWW.DynDNS.ORG Active= Yes Host= me.ddns.org...
  • Page 249: Chapter 20 Wan Setup

    This chapter shows you how to configure the WAN settings of your Prestige. 20.1 WAN Setup Use Menu 2 – WAN Setup to configure G.SHDSL settings for your WAN line. Different telephone companies deploy different types of G.SHDSL service. If you are unsure of any of this information, please check with your telephone company.
  • Page 250 Press [SPACE BAR] to select Enable (activate) or Disable (deactivate). Rate Adaption Transfer Max Rate Press [SPACE BAR] to select a Transfer Max Rate greater than or equal to (2312 Kbps) the Transfer Min Rate and press [ENTER] to continue. Transfer Min Rate Press [SPACE BAR] to select a Transfer Min Rate less than or equal to the (2312 Kbps)
  • Page 251: Chapter 21 Dial Backup

    This chapter shows you how to configure Dial Backup for your Prestige. 21.1 Dial Backup Overview To set up the auxiliary port (Dial Backup or CON/AUX) for use in the event that the regular WAN connection is dropped, first make sure you have set up the switch and port connection (see the Quick Start Guide for the Hardware Installation chapter), then configure: Menu 2 - WAN Setup, Menu 2.1 - Advanced WAN Setup and...
  • Page 252: Advanced Wan Setup

    FIELD Dial-Backup: Active Use this field to turn the dial-backup feature on (Yes) or off (No). Port Speed Press [SPACE BAR] and then press [ENTER] to select the speed of the connection between the Dial Backup port and the external device. Available speeds are: 9600, 19200, 38400, 57600, 115200 or 230400 bps.
  • Page 253: Figure 21-2 Advanced Wan Setup

    AT Command Strings: Dial= atdt Drop= ~~+++~~ath Answer= ata Drop DTR When Hang Up= Yes AT Response Strings: CLID= NMBR = Called Id= Speed= CONNECT Table 21-2 Advanced WAN Port Setup: AT Commands Fields FIELD AT Command Strings: Dial Enter the AT Command string to make a call. Drop Enter the AT Command string to drop a call.
  • Page 254: Remote Node Profile (Backup Isp)

    Table 21-2 Advanced WAN Port Setup: AT Commands Fields FIELD Speed Enter the keyword preceding the connection speed. Table 21-3 Advanced WAN Port Setup: Call Control Parameters FIELD Call Control Dial Timeout (sec) Enter a number of seconds for the Prestige to keep trying to set up an outgoing call before timing out (stopping).
  • Page 255: Figure 21-3 Remote Node Profile (Backup Isp)

    Rem Node Name= ? Active= Yes Outgoing: My Login= My Password= ******** Authen= CHAP/PAP Pri Phone #= ? Sec Phone #= Figure 21-3 Remote Node Profile (Backup ISP) Table 21-4 Remote Node Profile (Backup ISP) FIELD Rem Node Enter a descriptive name for the remote node. This field can be up to Name eight characters.
  • Page 256 Table 21-4 Remote Node Profile (Backup ISP) FIELD Pri Phone # Sec Phone # Enter the first (primary) phone number from the ISP for this remote node. If the Primary Phone number is busy or does not answer, your Prestige dials the Secondary Phone number if available.
  • Page 257: Editing Ppp Options

    Table 21-4 Remote Node Profile (Backup ISP) FIELD Once you have configured this menu, press [ENTER] at the message “Press ENTER to Confirm...” to save your configuration, or press [ESC] at any time to cancel. 21.2.1 Editing PPP Options The Prestige’s dial back-up feature uses PPP. To edit the remote node PPP Options, move the cursor to the Edit PPP Options field in Menu 11.1 - Remote Node Profile, and use the space bar to select Yes.
  • Page 258: Figure 21-6 Remote Node Network Layer Options

    Move the cursor to the Edit IP field in menu 11.1, then press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.3 - Network Layer Options. Menu 11.3 - Remote Node Network Layer Options Figure 21-6 Remote Node Network Layer Options Table 21-5 Remote Node Network Layer Options FIELD...
  • Page 259: Editing Filter Sets

    Table 21-5 Remote Node Network Layer Options FIELD Private This parameter determines if the Prestige will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcasts. If No, the route to this remote node will be propagated to other hosts through RIP broadcasts.
  • Page 260: Figure 21-7 Menu 11.5: Remote Node Filter (Ethernet)

    Figure 21-7 Menu 11.5: Remote Node Filter (Ethernet) Menu 11.5 - Remote Node Filter Input Filter Sets: protocol filters= device filters= Output Filter Sets: protocol filters= device filters= Enter here to CONFIRM or ESC to CANCEL:
  • Page 261: Chapter 22 Lan Setup

    This chapter shows you how to configure the LAN settings for your Prestige. 22.1 Ethernet Setup This section describes how to configure the Ethernet using Menu 3 – Ethernet Setup. From the main menu, enter 3 to open the menu as follows. 22.1.1 LAN Port Filter Setup In this menu type 1 to open Menu 3.1- LAN Port Filter Setup.
  • Page 262: Ip Alias Setup

    If you need to define filters, please read the Filter Configuration chapter first, then return to this menu. 22.1.2 IP Alias Setup Use Menu 3.2 to configure the first network. To edit Menu 3.2, enter 3 from the main menu to display Menu 3 —...
  • Page 263: Route Ip Setup

    Follow the instructions in the following table to configure IP Alias parameters. FIELD IP Alias Choose Yes to configure the LAN network for the Prestige. IP Address Enter the IP address of your Prestige in dotted decimal notation IP Subnet Mask Your Prestige will automatically calculate the subnet mask based on the IP address that you assign.
  • Page 264: Tcp/Ip Ethernet Setup And Dhcp

    22.1.4 TCP/IP Ethernet Setup and DHCP Use menu 3.2 to configure your Prestige for TCP/IP. To edit Menu 3.2, enter 3 from the main menu to display Menu 3 — Ethernet Setup. When menu 3 appears, press 2 and press [ENTER] to display Menu 3.2 — TCP/IP and DHCP Ethernet Setup as shown next. Menu 3.2 - TCP/IP and DHCP Ethernet Setup DHCP Setup:...
  • Page 265: Table 22-2 Tcp/Ip And Dhcp Ethernet Setup

    Table 22-2 TCP/IP and DHCP Ethernet Setup FIELD DHCP Setup DHCP If set to Server, your Prestige can assign IP addresses, an IP default gateway and DNS servers to Windows 95, Windows NT and other systems that support the DHCP client. If set to None, the DHCP server will be disabled.
  • Page 266 Table 22-2 TCP/IP and DHCP Ethernet Setup FIELD Multicast IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group. The Prestige supports both IGMP version 1 (IGMP-v1) and version 2 (IGMP-v2). Press the [ Multicasting or select None to disable it.
  • Page 267: Chapter 23 Internet Access

    This chapter shows you how to configure your Prestige for Internet Access. 23.1 Internet Access Overview This section provides information on configuring your Prestige for Internet access. It includes information on encapsulation types, IP address assignment and ATM networks. 23.2 Internet Access Setup Menu 4 allows you to enter the Internet Access information in one screen.
  • Page 268: Table 23-1 Internet Access Setup

    FIELD ISP’s Name Enter the name of your Internet Service Provider. This information is for identification purposes only. Encapsulation Press [ used by your ISP. Choices are PPPoE, PPPoA, RFC 1483 or ENET ENCAP. Multiplexing Press [ used by your ISP.
  • Page 269 FIELD Idle Timeout This value specifies the number of idle seconds that elapse before the Prestige automatically disconnects the PPPoE session. IP Address Press [ Assignment assignment. IP Address Enter the IP address supplied by your ISP if applicable. Network Address Press [ Translation Feature.
  • Page 270: Advanced Applications

    Advanced Applications This part shows how to configure Remote Nodes, Static Routes, Bridging and NAT.
  • Page 271: Chapter 24 Remote Node Configuration

    24.1 Remote Node Overview This section describes the protocol-independent parameters for a remote node. A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection. When you use Menu 4 to set up Internet access, you are configuring one of the remote nodes.
  • Page 272: Encapsulation And Multiplexing Scenarios

    Prestige 791R G.SHDSL Router Enter Node # to Edit: 24.2.1 Encapsulation and Multiplexing Scenarios For Internet access you should use the encapsulation and multiplexing methods used by your ISP. For LAN-to-LAN applications, for example, between a branch office and corporate headquarters, prior agreement on methods is necessary because encapsulation and multiplexing cannot be automatically determined.
  • Page 273: Figure 24-2 Remote Node Profile

    Menu 11.1 - Remote Node Profile Rem Node Name= myISP Active= Yes Encapsulation= RFC-1483 Multiplexing= VC-based Incoming: Rem Login= N/A Rem Password= N/A Outgoing: My Login= N/A My Password= N/A Authen= N/A Press Space Bar to Toggle. FIELD Rem Node Name Active Encapsulation Multiplexing...
  • Page 274 Prestige 791R G.SHDSL Router FIELD Rem Password Outgoing: My Login My Password Authen Route Bridge Edit IP/Bridge Edit ATM Options Telco Option Allocated Budget (min) Period (hr) 24-4 Table 24-1 Remote Node Profile DESCRIPTION Type the password used when this remote node calls your Prestige.
  • Page 275: Remote Node Network Layer Options

    FIELD Schedule Sets Nailed up Connection Session Options Edit Filter Sets Idle Timeout (sec) When you have completed this menu, press [ENTER] at the prompt “Press ENTER to confirm or ESC to cancel” to save your configuration or press [ESC] to cancel and go back to the previous screen. 24.3 Remote Node Network Layer Options Perform the following steps to edit Menu 11.3 –...
  • Page 276: Figure 24-3 Remote Node Network Layer Options

    Prestige 791R G.SHDSL Router Figure 24-3 Remote Node Network Layer Options Table 24-2 Remote Node Network Layer Options FIELD IP Options IP Address Press [SPACE BAR] and then [ENTER] to select Dynamic if the remote Assignment node is using a dynamically assigned IP address or Static if it is using a static (fixed) IP address.
  • Page 277: My Wan Addr Sample Ip Addresses

    Table 24-2 Remote Node Network Layer Options FIELD Private This determines if the Prestige will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcast. If No, the route to this remote node will be propagated to other hosts through RIP broadcasts.
  • Page 278: Remote Node Filter

    Prestige 791R G.SHDSL Router Figure 24-4 Sample IP Addresses for a TCP/IP LAN-to-LAN Connection 24.4 Remote Node Filter Move the cursor to the Edit Filter Sets field in menu 11.1, then press [SPACE BAR] to select Yes. Press [ENTER] to display Menu 11.5 – Remote Node Filter. Use Menu 11.5 –...
  • Page 279: Editing Atm Layer Options

    Figure 24-6 Remote Node Filter (RFC1483 or ENET ENCAP Encapsulation) 24.5 Editing ATM Layer Options Follow these steps to edit Menu 11.6 – Remote Node ATM Layer Options. Step 1. In Menu 11.1, move the cursor to the Edit ATM Options then press [SPACE BAR] to toggle and set the value to Yes.
  • Page 280: Llc-Based Multiplexing Or Ppp Encapsulation

    Prestige 791R G.SHDSL Router 24.5.2 LLC-based Multiplexing or PPP Encapsulation For LLC-based multiplexing or PPP encapsulation, one VC carries multiple protocols with protocol identifying information being contained in each packet header. Menu 11.6 - Remote Node ATM Layer Options VPI/VCI (LLC-Multiplexing or PPP-Encapsulation) VPI #= 0 VCI #= 38 ATM QoS Type= UBR...
  • Page 281: Chapter 25 Static Route Setup

    Chapter 25 Static Route Setup This chapter shows how to set up IP static routes. 25.1 Static Route Overview Static routes tell the Prestige routing information that it cannot learn automatically through other means. This can arise in cases where RIP is disabled on the LAN or a remote network is beyond the one that is directly connected to a remote node.
  • Page 282: Figure 25-2 Static Route Setup

    Prestige 791R G.SHDSL Router Step 1. To configure an IP static route, use Menu 12 – Static Route Setup (shown next). See the bridging chapter for more information on Bridge Static Routes. Step 2. From Menu 12, select 1 to open Menu 12.1 – IP Static Route Setup, as shown next. Now, type the index number of one of the static routes you want to configure.
  • Page 283: Figure 25-4 Edit Ip Static Route

    FIELD Route # This is the index number of the static route that you chose in menu 12.1. Route Name Type a descriptive name for this route. This is for identification purpose only. Active This field allows you to activate/deactivate this static route. Destination IP Address This parameter specifies the IP network address of the final destination.
  • Page 285: Chapter 26 Bridging Setup

    This chapter shows you how to configure the bridging parameters of your Prestige. 26.1 Bridging Overview Bridging bases the forwarding decision on the MAC (Media Access Control), or hardware address, while routing does it on the network layer (IP) address. Bridging allows the Prestige to transport packets of network layer protocols that it does not route, for example, SNA, from one network to another.
  • Page 286: Bridge Static Route Setup

    Prestige 791R G.SHDSL Router IP Options: IP Address Assignment= Static Rem IP Addr: 0.0.0.0 Rem Subnet Mask= 0.0.0.0 My WAN Addr= 0.0.0.0 NAT= Full Feature Address Mapping Set=2 Metric= 2 Private= No RIP Direction= Both Version= RIP-2B Multicast= IGMP-v2 IP Policies= Press ENTER to Confirm or ESC to Cancel: Figure 26-1 Remote Node Bridging Options Table 26-1 Remote Node Bridging Options...
  • Page 287: Figure 26-2 Bridge Static Route Setup

    Choose a static route to edit in menu 12.3. You configure bridge static routes in menu 12.3.1 as shown next. FIELD Route # This is the route index number you typed in Menu 12.3 – Bridge Static Route Setup. Route Name Type a name for the bridge static route for identification purposes.
  • Page 288 Prestige 791R G.SHDSL Router FIELD When you have completed this menu, press [ENTER] at the prompt “Press ENTER to confirm or ESC to cancel” to save your configuration or press [ESC] to cancel and go back to the previous screen. 26-4 DESCRIPTION Bridging Setup...
  • Page 289: Chapter 27 Network Address Translation (Nat)

    Prestige 791R G.SHDSL Router Chapter 27 Network Address Translation (NAT) This chapter discusses how to configure NAT on the Prestige. 27.1 SUA (Single User Account) Versus NAT SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server.
  • Page 290: Figure 27-1 Applying Nat For Internet Access

    Prestige 791R G.SHDSL Router Press Space Bar to Toggle. Figure 27-1 Applying NAT for Internet Access The following figure shows how you apply NAT to the remote node in menu 11.1. Step 1. Enter 11 from the main menu and choose a node number. Step 2.
  • Page 291: Nat Setup

    Table 27-1 Applying NAT to the Remote Node FIELD Press [SPACE BAR] and then [ENTER] to select Full Feature if you have multiple public WAN IP addresses for your Prestige. The SMT uses the address mapping set that you configure and enter in the Address Mapping Set field (menu 15.1 - see section 27.3.1).
  • Page 292: Figure 27-4 Address Mapping Sets

    Prestige 791R G.SHDSL Router Enter Menu Selection Number: Enter 255 to display the next screen (see also section 27.1). The fields in this menu cannot be changed. Set Name= Local Start IP Local End IP --------------- --------------- 0.0.0.0 255.255.255.255 Press ENTER to Confirm or ESC to Cancel: Figure 27-5 Address Mapping Rules - SUA Table 27-2 Address Mapping Rules - SUA FIELD...
  • Page 293 Table 27-2 Address Mapping Rules - SUA FIELD Local Start IP Local Start IP is the starting local IP address (ILA) Local End IP is the ending local IP address (ILA). If the Local End IP rule is for all local IPs, then the Start IP is 0.0.0.0 and the End IP is 255.255.255.255.
  • Page 294: Figure 27-6 Address Mapping Rules

    Prestige 791R G.SHDSL Router Set Name= ? Local Start IP --------------- Action= Edit Press ENTER to Confirm or ESC to Cancel: If the Set Name field is left blank, the entire set will be deleted. The Type, Local and Global Start/End IPs are configured in menu 15.1.1.1 (described later) and the values are displayed here.
  • Page 295 FIELD Set Name Enter a name for this set of rules. This is a required field. If this field is left blank, the entire set will be deleted. The default is Edit. Edit means you want to edit a selected rule (see Action following field).
  • Page 296: Figure 27-7 Editing/Configuring An Individual Rule In A Set

    Prestige 791R G.SHDSL Router Type= One-to-One Local IP: Start= Global IP: Start= Server Mapping Set= N/A Press Space Bar to Toggle. Figure 27-7 Editing/Configuring an Individual Rule in a Set Table 27-4 Editing/Configuring an Individual Rule in a Set FIELD Type Press [SPACE BAR] and then [ENTER] to select from a total of five types.
  • Page 297: Configuring A Server Behind Nat

    27.3.2 Configuring a Server behind NAT Follow these steps to configure a server behind NAT: Step 1. Enter 15 in the main menu to go to Menu 15 - NAT Setup. Step 2. Enter 2 to display Menu 15.2 - NAT Server Sets as shown next. Step 3.
  • Page 298: Figure 27-9 Nat Server Setup

    Prestige 791R G.SHDSL Router Rule --------------------------------------------------- Step 4. Enter a port number in an unused Start Port No field. To forward only one port, enter it again in the End Port No field. To specify a range of ports, enter the last port to be forwarded in the End Port No field.
  • Page 299: General Nat Examples

    Prestige 791R G.SHDSL Router Figure 27-10 Multiple Servers Behind NAT Example 27.4 General NAT Examples This section provides some examples with Network Address Translation. 27.4.1 Example 1: Internet Access Only In the following Internet access example, you only need one rule where your ILAs (Inside Local addresses) all map to one dynamic IGA (Inside Global Address) assigned by your ISP.
  • Page 300: Figure 27-11 Nat Example 1

    Prestige 791R G.SHDSL Router Figure 27-12 Internet Access & NAT Example 27-12 Figure 27-11 NAT Example 1 Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= RFC-1483 Multiplexing= LLC-based VPI #= 1 VCI #= 1 ATM QoS Type= UBR Peak Cell Rate (PCR)= 5500 Sustained Cell Rate (SCR)= 0 Maximum Burst Size (MBS)= 0...
  • Page 301: Example 2: Internet Access With An Inside Server

    Prestige 791R G.SHDSL Router From menu 4, choose the SUA Only option from the Network Address Translation field. This is the Many-to-One mapping discussed in section 27.4. The SUA Only read-only option from the Network Address Translation field in menus 4 and 11.3 is specifically pre-configured to handle this case. 27.4.2 Example 2: Internet Access with an Inside Server Figure 27-13 NAT Example 2 In this case, you do exactly as above (use the convenient pre-configured SUA Only set) and also go to...
  • Page 302: Example 3: Multiple Public Ip Addresses With Inside Servers

    Prestige 791R G.SHDSL Router Figure 27-14 NAT Example 2 - Menu 15.2.1 27.4.3 Example 3: Multiple Public IP Addresses With Inside Servers In this example, there are 3 IGAs from our ISP. There are many departments but two have their own FTP server.
  • Page 303: Figure 27-15 Nat Example 3

    Step 1. In this case you need to configure Address Mapping Set 1 from Menu 15.1 - Address Mapping Sets. Therefore you must choose the Full Feature option from the Network Address Translation field (in menu 4 or menu 11.3). See the figure below. Menu 11.3 - Remote Node Network Layer Options IP Options: IP Address Assignment= Static...
  • Page 304: Figure 27-17 Example 3 - Menu 15.1.1.1

    Prestige 791R G.SHDSL Router Step 5. In menu 15.1.1.1, select Type as One-to-One (direct mapping for packets going both ways), and set the local Start IP as 192.168.1.10 (the IP address of FTP Server 1) and the global Start IP as 10.132.50.1 (our first IGA). See the figure below. Type= One-to-One Local IP: Start= 192.168.1.10...
  • Page 305 Now configure the IGA3 to map to our web server and mail server on the LAN. Step 8. Enter 15 from the main menu. Step 9. Enter 2 in Menu 15 - NAT Setup. Step 10. Enter 1 in Menu 15.2 - NAT Server Sets and enter 1 again to see the following menu. Configure it as shown.
  • Page 306: Example 4: Nat Unfriendly Application Programs

    27.4.4 Example 4: NAT Unfriendly Application Programs Some applications do not support NAT Mapping using TCP or UDP port address translation. In this case it is better to use Many-to-Many No Overload mapping, as port numbers do not change for Many-to-Many No Overload (and One-to-One) NAT mapping types.
  • Page 307: Figure 27-21 Example 4 - Menu 15.1.1.1

    Other applications such as some gaming programs are NAT unfriendly because they embed addressing information in the data stream. These applications won’t work through NAT even when using One-to-One and Many-to-Many No Overload mapping types. Follow the steps outlined in example 3 to configure these two menus as follows. Type= Many-to-Many No Overload Local IP: Start= 192.168.1.10...
  • Page 308: Figure 27-22 Example 4 - Menu 15.1.1

    Prestige 791R G.SHDSL Router Set Name= Example4 Local Start IP --------------- 192.168.1.10 27-20 Menu 15.1.1 - Address Mapping Rules Local End IP Global Start IP --------------- --------------- 192.168.1.12 10.132.50.1 Action= Edit Select Rule= Press ENTER to Confirm or ESC to Cancel: Figure 27-22 Example 4 - Menu 15.1.1 Global End IP Type...
  • Page 309: Advanced Management

    Advanced Management Part IX: ADVANCED MANAGEMENT This part discusses Filter Configuration, SNMP, System Maintenance and IP Policy Routing, Call Scheduling and Remote Management.
  • Page 311: Chapter 28 Filter Configuration

    Prestige 791R G.SHDSL Router Chapter 28 Filter Configuration This chapter shows you how to create and apply filters. 28.1 About Filtering Your Prestige uses filters to decide whether or not to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering.
  • Page 312: Figure 28-1 Outgoing Packet Filtering Process

    Prestige 791R G.SHDSL Router Outgoing Data Packet Match Drop packet Figure 28-1 Outgoing Packet Filtering Process Two sets of factory filter rules have been configured in Menu 21 to prevent NetBIOS traffic from triggering calls. A summary of their filter rules is shown in the figures that follow. The following figure illustrates the logic flow when executing a filter rule.
  • Page 313: Figure 28-2 Filter Rule Process

    Fetch Next Filter Set Next Filter Set Available? Drop Packet You can apply up to four filter sets to a particular port to block various types of packets. Because each filter set can have up to six rules, you can have a maximum of 24 rules active for a single port. Filter Configuration Filter Set Fetch Next...
  • Page 314: Filter Set Configuration

    Prestige 791R G.SHDSL Router For incoming packets, your Prestige applies data filters only. Packets are processed depending on whether a match is found. The following sections describe how to configure filter sets. The Filter Structure of the Prestige A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descriptive name.
  • Page 315: Figure 28-4 Netbios Wan Filter Rules Summary

    Filter rule sets 11 and 12 are used by the web configurator. Your custom configurator may be lost if you use rule 11 or 12. Step 3. Type a descriptive name or comment in the Edit Comments field and press [ENTER]. Step 4.
  • Page 316: Figure 28-6 Telnet_Wan Filter Rules Summary

    Prestige 791R G.SHDSL Router # A Type - - ---- --------------------------------------------------------------- - - - 1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23 Enter Filter Rule Number (1-6) to Configure: Figure 28-6 Telnet_WAN Filter Rules Summary # A Type - - ---- --------------------------------------------------------------- - - - 1 Y Gen Off=12, Len=2, Mask=ffff, Value=8863 2 Y Gen...
  • Page 317: Figure 28-8 Ftp_Wan Filter Rules Summary

    # A Type - - ---- -------------------------------------------------------------- - - - 1 Y IP PR=6, SA=0.0.0.0, DA=0.0.0.0, DP=21 Figure 28-8 FTP_WAN Filter Rules Summary # A Type - - ---- --------------------------------------------------------------- - - - 1 Y IP Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=161 2 Y IP Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=162 Enter Filter Rule Number (1-6) to Configure: 1...
  • Page 318: Filter Rules Summary Menus

    Prestige 791R G.SHDSL Router # A Type - - ---- --------------------------------------------------------------- - - - 1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23 2 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=21 3 Y IP Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=69 4 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=80 Enter Filter Rule Number (1-6) to Configure: 1 Figure 28-10 Web Set2 Filter Rules Summary 28.2.1 Filter Rules Summary Menus...
  • Page 319: Filter Rule Configuration

    FIELD Action Not Matched. “F” means to forward the packet immediately and skip checking the remaining rules. “D” means to drop the packet. “N” means to check the next rule. The protocol dependent filter rules abbreviation are listed as follows: FILTER TYPE 28.3 Filter Rule Configuration To configure a filter rule, type its number in Menu 21.1 –...
  • Page 320: Tcp/Ip Filter Rule

    Prestige 791R G.SHDSL Router 28.3.1 TCP/IP Filter Rule This section shows you how to configure a TCP/IP filter rule. TCP/IP rules allow you to base the rule on the fields in the IP and the upper layer protocol, for example, UDP and TCP headers. To configure TCP/IP rules, select TCP/IP Filter Rule from the Filter Type field and press [ENTER] to open Menu 21.1.1 –...
  • Page 321 FIELD IP Protocol This is the upper layer protocol, for example, TCP is 6, UDP is 17 and ICMP is 1. The value must be between 0 and 255. A value of 0 matches ANY protocol. IP Source Route IP Source Route is an optional header that dictates the route an IP packet takes from its source to its destination.
  • Page 322 Prestige 791R G.SHDSL Router FIELD Select the logging option from the following: None – No packets will be logged. Action Matched – Only packets that match the rule parameters will be logged. Action Not Matched – Only packets that do not match the rule parameters will be logged.
  • Page 323: Figure 28-12 Executing An Ip Filter

    Packet into IP Filter Filter Active? Apply SrcAddrMask to Src Addr Check Src IP Addr Matched Apply DestAddrMask to Dest Addr Check Dest IP Addr Matched Check IP Protocol Matched Check Src & Dest Port Matched More? Action Matched Drop Drop Packet Filter Configuration Not Matched...
  • Page 324: Generic Filter Rule

    Prestige 791R G.SHDSL Router 28.3.2 Generic Filter Rule This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly. For generic rules, the Prestige treats a packet as a byte stream as opposed to an IP packet.
  • Page 325: Table 28-4 Generic Filter Rule Menu Fields

    Table 28-4 Generic Filter Rule Menu Fields FIELD Filter # This is the filter set, filter rule coordinates, for instance, 2, 3 refers to the second filter set and the third rule of that set. Filter Type Press [SPACE BAR] and then [ENTER] to select a type of rule. Parameters displayed below each type will be different.
  • Page 326: Filter Types And Nat

    Prestige 791R G.SHDSL Router 28.4 Filter Types and NAT There are two classes of filter rules, Generic Filter Device rules and Protocol Filter (TCP/IP) rules. Generic Filter rules act on the raw data from/to LAN and WAN. Protocol Filter rules act on IP packets. When NAT (Network Address Translation) is enabled, the inside IP address and port number are replaced on a connection-by-connection basis, which makes it impossible to know the exact address and port on the wire.
  • Page 327: Figure 28-15 Sample Telnet Filter

    Step 1. Enter 21 from the main menu to open Menu 21 — Filter Set Configuration. Step 2. Enter the index number of the filter set you want to configure (in this case 3) Step 3. Type a descriptive name or comment in the Edit Comments field (for example, TELNET_WAN) and press [ENTER].
  • Page 328: Figure 28-16 Sample Filter Rules Summary — Menu 21.1

    Prestige 791R G.SHDSL Router # A Type - - ---- --------------------------------------------------------------- - - - 1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23 This shows you that you have configured and activated (A = Y) a TCP/IP filter rule (Type = IP, Pr = 6) for destination telnet ports (DP = 23).
  • Page 329: Figure 28-17 Sample Filter Rules Summary — Menu 21.3.1

    Menu 21.3.1 - TCP/IP Filter Rule
    Filter #: 3,1
    Filter Type= TCP/IP Filter Rule
    Active= Yes
    IP Protocol= 6
    Destination: IP Addr= 0.0.0.0
    Source: IP Addr= 0.0.0.0
    TCP Estab= No
    More= No
    Action Matched= Drop
    Action Not Matched= Forward
    Press ENTER to Confirm or ESC to Cancel:
    There are no more rules to check....
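How the TCP/IP rule fields and the F/D/N actions described in this chapter combine when a packet is checked, as an added Python sketch (not ZyNOS code and not from the manual). Assumptions: ports are compared for equality with 0 meaning any port, the More flag is not modeled, and a packet that exhausts every rule is forwarded.

```python
import ipaddress
from dataclasses import dataclass


def _ip(addr):
    """Dotted-quad string to integer, so masks can be applied with &."""
    return int(ipaddress.IPv4Address(addr))


@dataclass
class Packet:
    proto: int          # IP protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    src: str
    dst: str
    dport: int


@dataclass
class IpRule:
    active: bool = True
    proto: int = 0              # 0 matches any protocol (stated in the field table)
    src: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"
    dst: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    dport: int = 0              # assumption: 0 means "any port", equality otherwise
    matched: str = "D"          # F = forward, D = drop, N = check next rule
    not_matched: str = "N"

    def matches(self, pkt):
        # Order follows the "Executing an IP Filter" flow: source address under
        # its mask, destination address under its mask, protocol, then port.
        sm, dm = _ip(self.src_mask), _ip(self.dst_mask)
        if (_ip(pkt.src) & sm) != (_ip(self.src) & sm):
            return False
        if (_ip(pkt.dst) & dm) != (_ip(self.dst) & dm):
            return False
        if self.proto and self.proto != pkt.proto:
            return False
        return self.dport in (0, pkt.dport)


def evaluate(filter_sets, pkt):
    """filter_sets: list of (set_number, [IpRule, ...]) in the order applied.

    Returns (verdict, set_number, rule_number) naming the rule that decided.
    """
    if len(filter_sets) > 4:
        raise ValueError("at most four filter sets can be applied to a port")
    for set_no, rules in filter_sets:
        if len(rules) > 6:
            raise ValueError("a filter set holds at most six rules")
        for rule_no, rule in enumerate(rules, start=1):
            if not rule.active:
                continue                      # inactive rules are skipped
            action = rule.matched if rule.matches(pkt) else rule.not_matched
            if action == "F":
                return ("forward", set_no, rule_no)
            if action == "D":
                return ("drop", set_no, rule_no)
            # "N": fall through to the next rule, then to the next set
    # Assumption: nothing decided, so the packet is forwarded.
    return ("forward", None, None)


# Filter set 3, rule 1 as configured in the sample above (Pr=6, DP=23).
TELNET_WAN = (3, [IpRule(proto=6, dport=23, matched="D", not_matched="F")])

# Rule summary of "Web Set2" from this chapter; the m/n actions are constructed.
WEB_SET2 = (2, [
    IpRule(proto=6, dport=23, matched="D", not_matched="N"),
    IpRule(proto=6, dport=21, matched="D", not_matched="N"),
    IpRule(proto=17, dport=69, matched="D", not_matched="N"),
    IpRule(proto=6, dport=80, matched="D", not_matched="F"),
])

if __name__ == "__main__":
    # Addresses below are constructed documentation addresses.
    for port in (23, 80):
        pkt = Packet(6, "203.0.113.9", "192.168.1.1", port)
        print(port, evaluate([TELNET_WAN], pkt))
```

Because the sample rule's Action Not Matched is Forward, any set listed after it in the same filter field is never consulted; ending a rule with N instead lets later rules and sets have a say.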
  • Page 330: Applying Filters And Factory Defaults

    Prestige 791R G.SHDSL Router Step 3. This brings you to menu 11.5. Enter the example filter set number in this menu as shown in the following figure. Figure 28-18 Sample Filter Rules Summary — Applying a Remote Node Filter Set 28.6 Applying Filters and Factory Defaults This section shows you where to apply the filter(s) after you design it (them).
  • Page 331: Remote Node Filters

    filter set(s) that you want to apply as appropriate. You can choose up to four filter sets (from twelve) by typing their numbers separated by commas, for example, 3, 4, 6, 11. The factory default filter set, NetBIOS_LAN, is inserted in the protocol filters field under Input Filter Sets in menu 3.1 in order to prevent local NetBIOS messages from triggering calls to the DNS server.
  • Page 333: Chapter 29 Snmp Configuration

    Prestige 791R G.SHDSL Router Chapter 29 SNMP Configuration This chapter explains SNMP Configuration. SNMP is only available if TCP/IP is configured. 29.1 SNMP Overview Simple Network Management Protocol is a protocol used for exchanging management information between network devices. SNMP is a member of TCP/IP protocol suite. Your Prestige supports SNMP agent functionality, which allows a manager station to manage and monitor the Prestige through the network.
  • Page 334: Supported Mibs

    Prestige 791R G.SHDSL Router An SNMP managed network consists of two main components: agents and a manager. An agent is a management software module that resides in a managed device (the Prestige). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions.
  • Page 335: Snmp Traps

    FIELD SNMP: Get Community Type the Get Community, which is the password for the incoming Get- and GetNext requests from the management station. Set Community Type the Set community, which is the password for incoming Set requests from the management station. Trusted Host If you enter a trusted host, your Prestige will only respond to SNMP messages from this address.
  • Page 336 Prestige 791R G.SHDSL Router TRAP # TRAP NAME warmStart (defined in RFC-1215) linkUp (defined in RFC-1215) authenticationFailure (defined in RFC-1215) linkDown (defined in RFC-1215) The port number is its interface index under the interface group. 29-4 DESCRIPTION A trap is sent after booting (software reboot). A trap is sent with the port number.
  • Page 337: Chapter 30 System Maintenance

    This chapter covers the diagnostic tools that help you to maintain your Prestige. 30.1 System Maintenance Overview These tools include updates on system status, port status, log and trace capabilities and upgrades for the system software. This chapter describes how to use these tools in detail. Type 24 in the main menu to open Menu 24 30.2 System Status The first selection, System Status gives you information on the status and statistics of the ports, as shown...
  • Page 338: Figure 30-2 System Maintenance - Status

    Prestige 791R G.SHDSL Router Node-Lnk Status 1-ENET My WAN IP (from ISP):0.0.0.0 Ethernet: Status: 10M/Half Duplex Collisions: 0 CPU Load= 3.8% Figure 30-2 System Maintenance — Status Table 30-1 System Maintenance FIELD Node-Lnk This is the node index number and link type. Link types are: PPP, ENET, 1483. Status Shows the status of the remote node.
  • Page 339: System Information

    Table 30-1 System Maintenance FIELD Rx Pkts The number of received packets from the LAN. Collision Number of collisions. Shows statistics for the WAN. Line Status Shows the current status of the xDSL line which can be Up or Down. Upstream Shows the upstream transfer rate in kbps.
  • Page 340: Figure 30-4 System Maintenance - Information

    Menu 1 – General Setup. Routing Refers to the routing protocol used. ZyNOS F/W Version Refers to the ZyNOS (ZyXEL Network Operating System) system firmware version. ZyNOS is a registered trademark of ZyXEL Communications Corporation. xDSL F/W Version Refers to the DSL version. Standard This refers to the operational protocol the Prestige and the DSLAM (Digital Subscriber Line Access Multiplexer) are using.
  • Page 341: Console Port Speed

    30.3.2 Console Port Speed You can set up different port speeds for the console port through Menu 24.2.2 – System Maintenance – Console Port Speed. Your Prestige supports 9600 (default), 19200 and 38400 bps. Press [SPACE BAR] and then [ENTER] to select the desired speed in menu 24.2.2, as shown in the following figure. Menu 24.2.2 –...
  • Page 342: Syslog

    Prestige 791R G.SHDSL Router Step 3. Enter 1 from Menu 24.3 — System Maintenance — Log and Trace to display the error log in the system. After the Prestige finishes displaying the error log, you will have the option to clear it. Samples of typical error and information messages are presented in the next figure.
  • Page 343: Table 30-3 System Maintenance Menu - Syslog Parameters

    Table 30-3 System Maintenance Menu — Syslog Parameters PARAMETER UNIX Syslog: Active Use [SPACE BAR] and then [ENTER] to turn syslog on or off. Syslog IP Address Type the IP address of your syslog server. Log Facility Use [SPACE BAR] and then [ENTER] to select one of seven different local options. The log facility lets you log the message in different server files.
  • Page 344: Diagnostic

    Jul 19 11:28:56 192.168.102.2 ZYXEL: Packet Trigger: Protocol=1, Data=4500002c1b0140001f06b50ec0a86614ca849a7b0427001700195b3e00000000600220008cd40000020405b4
    Jul 19 11:29:06 192.168.102.2 ZYXEL: Packet Trigger: Protocol=1, Data=45000028240140001f06ac12c0a86614ca849a7b0427001700195b451d1430135004000077600000
    SdcmdSyslogSend (SYSLOG_FILLOG, SYSLOG_NOTICE, String);
    String = IP[Src=xx.xx.xx.xx Dst=xx.xx.xx.xx prot spo=xxxx dpo=xxxx] S04>R01mD
    IP[…] is the packet header and S04>R01mD means filter set 4 (S) and rule 1 (R), match (m), drop (D).
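The two syslog message shapes shown above can be parsed on the syslog server to see which packet triggered a call or which filter rule acted on it. The following Python is an added example, not code from the manual or from ZyXEL; it assumes the `prot` placeholder is logged as a single token, that `n` marks a rule that did not match, and that the action letters F and N carry the meanings given in the filter rule summary.

```python
import ipaddress
import re
import struct

# The first two lines are the Packet Trigger samples from this page; the third
# is constructed here to follow the IP[...] S04>R01mD layout the page describes.
SAMPLE_LINES = [
    "Jul 19 11:28:56 192.168.102.2 ZYXEL: Packet Trigger: Protocol=1, "
    "Data=4500002c1b0140001f06b50ec0a86614ca849a7b"
    "0427001700195b3e00000000600220008cd40000020405b4",
    "Jul 19 11:29:06 192.168.102.2 ZYXEL: Packet Trigger: Protocol=1, "
    "Data=45000028240140001f06ac12c0a86614ca849a7b"
    "0427001700195b451d1430135004000077600000",
    "Jul 19 11:30:01 192.168.102.2 ZYXEL: IP[Src=192.168.102.20 "
    "Dst=202.132.154.123 TCP spo=1063 dpo=23] S04>R01mD",  # constructed
]

TRIGGER_RE = re.compile(r"Packet Trigger: Protocol=(\d+), Data=([0-9a-fA-F]+)")
FILTER_RE = re.compile(
    r"IP\[Src=(\S+) Dst=(\S+) (\S+) spo=(\d+) dpo=(\d+)\]\s*"
    r"S(\d+)>R(\d+)([mn])([DFN])")
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]
ACTIONS = {"D": "drop", "F": "forward", "N": "next rule"}


def decode_ipv4(hex_data):
    """Decode the hex dump in a Packet Trigger message as an IPv4 packet."""
    raw = bytes.fromhex(hex_data)
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (raw[0] & 0x0F) * 4                 # header length in bytes
    if ihl < 20 or len(raw) < ihl:
        raise ValueError("bad IPv4 header length")
    total_len = struct.unpack("!H", raw[2:4])[0]
    pkt = {
        "src": str(ipaddress.IPv4Address(raw[12:16])),
        "dst": str(ipaddress.IPv4Address(raw[16:20])),
        "ttl": raw[8],
        "ip_proto": raw[9],
        "truncated": len(raw) < total_len,    # the log may carry only a prefix
    }
    l4 = raw[ihl:]
    if raw[9] in (6, 17) and len(l4) >= 4:    # TCP or UDP: ports come first
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
    if raw[9] == 6 and len(l4) >= 14:         # TCP flags live in byte 13
        pkt["tcp_flags"] = [n for bit, n in TCP_FLAGS if l4[13] & bit]
    return pkt


def parse_line(line):
    """Return a dict for a Packet Trigger or filter log line, else None."""
    m = TRIGGER_RE.search(line)
    if m:
        rec = {"kind": "packet_trigger", "trigger_protocol": int(m.group(1))}
        rec.update(decode_ipv4(m.group(2)))
        return rec
    m = FILTER_RE.search(line)
    if m:
        src, dst, proto, spo, dpo, fset, rule, hit, act = m.groups()
        return {"kind": "filter", "src": src, "dst": dst, "proto": proto,
                "sport": int(spo), "dport": int(dpo),
                "filter_set": int(fset), "rule": int(rule),
                "matched": hit == "m", "action": ACTIONS[act]}
    return None


def management_port_hits(lines, ports=(21, 23, 69, 80, 161, 162)):
    """Records aimed at the services the chapter's sample filters cover."""
    recs = (parse_line(l) for l in lines)
    return [r for r in recs if r and r.get("dport") in ports]


if __name__ == "__main__":
    for rec in management_port_hits(SAMPLE_LINES):
        print(rec)
```

On the page's first sample the decoded packet is a TCP SYN from 192.168.102.20 to port 23 of 202.132.154.123, so the call was triggered by an outbound Telnet connection attempt.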
  • Page 345: Table 30-4 System Maintenance Menu - Diagnostic

    The following table describes the diagnostic tests available in menu 24.4 for and the connections. Table 30-4 System Maintenance Menu — Diagnostic FIELD Reset xDSL Re-initialize the xDSL link to the telephone company. Ping Host Ping the host to see if the links and TCP/IP protocol on both systems are working. Reboot System Reboot the Prestige.
  • Page 347: Chapter 31 Firmware And Configuration File Maintenance

    Prestige 792H G.SHDSL Router Chapter 31 Firmware and Configuration File Maintenance This chapter tells you how to backup and restore your configuration file as well as upload new firmware and configuration files. 31.1 Filename Conventions The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password, DHCP Setup, TCP/IP Setup, etc.
  • Page 348: Backup Configuration

    Prestige 792H G.SHDSL Router FILE TYPE INTERNAL NAME Configuration Rom-0 File Firmware 31.2 Backup Configuration The Prestige displays different messages explaining different ways to backup, restore and upload files in menus 24.5, 24.6, 24. 7.1 and 24.7.2; depending on whether you use the console port or Telnet. Option 5 from Menu 24 –...
  • Page 349: Using The Ftp Command From The Command Line

    31.2.1 Backup Configuration Follow the instructions as shown in the next screen. Menu 24.5 - System Maintenance - Backup Configuration To transfer the configuration file to your workstation, follow the procedure below: 1. Launch the FTP client on your computer. 2.
  • Page 350: Gui-Based Ftp Clients

    331 Enter PASS command
    Password:
    230 Logged in
    ftp> bin
    200 Type I OK
    ftp> get rom-0 zyxel.rom
    200 Port command okay
    150 Opening data connection for STOR ras
    226 File received OK
    ftp: 16384 bytes sent in 1.10Seconds 297.89Kbytes/sec.
    ftp>...
  • Page 351: Backup Configuration Using Tftp

    4. You have an SMT console session running. 31.2.6 Backup Configuration Using TFTP The Prestige supports the up/downloading of the firmware and the configuration file using TFTP (Trivial File Transfer Protocol) over LAN. Although TFTP should work over WAN as well, it is not recommended. To use TFTP, your computer must have both telnet and TFTP clients.
  • Page 352: Backup Via Console Port

    Prestige 792H G.SHDSL Router Table 31-3 General Commands for GUI-based TFTP Clients COMMAND Host Enter the IP address of the Prestige. 192.168.1.1 is the Prestige’s default IP address when shipped. Send/Fetch Use “Send” to upload the file to the Prestige and “Fetch” to back up the file on your computer.
  • Page 353: Restore Configuration

    Step 3. Run the HyperTerminal program by clicking Transfer, then Receive File as shown in the following screen. Figure 31-5 Backup Configuration Example Step 4. After a successful backup you will see the following screen. Press any key to return to the SMT menu.
  • Page 354: Restore Using Ftp

    DO NOT INTERRUPT THE FILE TRANSFER PROCESS AS THIS MAY PERMANENTLY DAMAGE YOUR PRESTIGE. 31.3.1 Restore Using FTP For details about backup using (T)FTP please refer to earlier sections on FTP and TFTP file upload in this chapter.
  • Page 355: Restore Using Ftp Session Example

    31.3.2 Restore Using FTP Session Example
    ftp> put config.rom rom-0
    200 Port command okay
    150 Opening data connection for STOR rom-0
    226 File received OK
    221 Goodbye for writing flash
    ftp: 16384 bytes sent in 0.06Seconds 273.07Kbytes/sec.
    ftp>quit
    Figure 31-8 Restore Using FTP Session Example
    Refer to section 31.2.5 to read about configurations that disallow TFTP and FTP over WAN.
  • Page 356: Uploading Firmware And Configuration Files

    Prestige 792H G.SHDSL Router Figure 31-11 Restore Configuration Example Step 4. After a successful restoration you will see the following screen. Press any key to restart the Prestige and return to the SMT menu. Figure 31-12 Successful Restoration Confirmation Screen 31.4 Uploading Firmware and Configuration Files This section shows you how to upload firmware and configuration files.
  • Page 357: Configuration File Upload

    Menu 24.7.1 - System Maintenance - Upload System Firmware To upload the system firmware, follow the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your system. Then type "root" and SMT password as requested.
  • Page 358: Ftp File Upload Command From The Dos Prompt Example

    Prestige 792H G.SHDSL Router 31.4.3 FTP File Upload Command from the DOS Prompt Example Step 1. Launch the FTP client on your computer. Step 2. Enter “open”, followed by a space and the IP address of your Prestige. Step 3. Press [ENTER] when prompted for a username.
  • Page 359: Tftp Upload Command Example

    To use TFTP, your computer must have both telnet and TFTP clients. To transfer the firmware and the configuration file, follow the procedure shown next. Step 1. Use telnet from your computer to connect to the Prestige and log in. Because TFTP does not have any security checks, the Prestige records the IP address of the telnet client and accepts TFTP requests only from this address.
  • Page 360: Uploading Firmware File Via Console Port

    31.4.8 Uploading Firmware File Via Console Port Step 1. Select 1 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.7.1 – System Maintenance – Upload System Firmware, then follow the instructions as shown in the following screen.
  • Page 361: Uploading Configuration File Via Console Port

    31.4.10 Uploading Configuration File Via Console Port Step 1. Select 2 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.7.2 – System Maintenance – Upload System Configuration File. Follow the instructions as shown in the next screen. Menu 24.7.2 - System Maintenance - Upload System Configuration File To upload system configuration file: 1.
  • Page 362: Figure 31-19 Example Xmodem Upload

    After the configuration upload process has completed, restart the Prestige by entering “atgo”.
    Figure 31-19 Example Xmodem Upload
    Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol.
  • Page 363: Chapter 32 System Maintenance And Information

    System Maintenance and Information 32.1 Command Interpreter Mode The Command Interpreter (CI) is a part of the main system firmware. The CI provides much of the same functionality as the SMT, while adding some low-level setup and diagnostic functions. Enter the CI from the SMT by selecting menu 24.8.
  • Page 364: Call Control Support

    Copyright (c) 1994 - 2003 ZyXEL Communications Corp.
    ras> ?
    Valid commands are:
    ras>
    32.2 Call Control Support
    Call Control Support is only applicable when Encapsulation is set to PPPoE in menu 4 or menu 11.1.
  • Page 365: Figure 32-4 Budget Management

    Menu 24.9.1 - System Maintenance - Budget Management Remote Node 1.MyISP 2.-------- 3.-------- 4.-------- 5.-------- 6.-------- 7.-------- 8.-------- The total budget is the time limit on the accumulated time for outgoing calls to a remote node. When this limit is reached, the call will be dropped and further outgoing calls to that remote node will be blocked. After each period, the total budget is reset.
  • Page 366: Time And Date Setting

    32.3 Time and Date Setting The Prestige keeps track of the time and date. There is also a software mechanism to set the time manually or get the current time and date from an external server when you turn on your Prestige. Menu 24.10 allows you to update the time and date settings of your Prestige.
  • Page 367: Resetting The Time

    FIELD Use Time Server when Bootup: Enter the time service protocol that your time server sends when you turn on the Prestige. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works. The main difference between them is the format.
  • Page 369: Chapter 33 Ip Policy Routing

    33.1 IP Policy Routing Overview Traditionally, routing is based on the destination address only and the IAD takes the shortest path to forward a packet. IP Routing Policy (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator. Policy-based routing is applied to incoming packets on a per interface basis, prior to the normal routing.
  • Page 370: Ip Routing Policy Setup

    IPPR follows the existing packet filtering facility of RAS in style and in implementation. The policies are divided into sets, where related policies are grouped together. A user defines the policies before applying them to an interface or a remote node, in the same fashion as the filters. There are 12 policy sets with six policies in each set.
  • Page 371: Figure 33-2 Sample Ip Routing Policy Setup

    1 Y SA=1.1.1.1-1.1.1.1,DA=2.2.2.2-2.2.2.5
        SP=20-25,DP=20-25,P=6,T=NM,PR=0
    2 N
    3 N
    4 N
    5 N
    6 N
    Enter Policy Rule Number (1-6) to Configure:
    Figure 33-2 Sample IP Routing Policy Setup
    Table 33-1 IP Routing Policy Setup Abbreviations
    ABBREVIATION Criterion...
  • Page 372: Figure 33-3 Ip Routing Policy

    Type a number from 1 to 6 to display Menu 25.1.1 – IP Routing Policy (see the next figure). This menu allows you to configure a policy rule. Policy Set Name= test Active= Yes Criteria: IP Protocol Type of Service= Normal Precedence Source:...
  • Page 373: Applying An Ip Policy

    FIELD Len Comp Press [SPACE BAR] and then [ENTER] to choose from Equal, Not Equal, Less, Greater, Less or Equal or Greater or Equal. Source: addr start / end Source IP address range from start to end. port start / end Source port number range from start to end;...
  • Page 374: Figure 33-4 Tcp/Ip And Dhcp Ethernet Setup

    Menu 3.2 - TCP/IP and DHCP Ethernet Setup
    DHCP Setup:
    DHCP= None
    Client IP Pool Starting Address= N/A
    Size of Client IP Pool= N/A
    Primary DNS Server= N/A
    Secondary DNS Server= N/A
    Remote DHCP Server= N/A
    TCP/IP Setup:
    IP Address= 192.168.1.1
    IP Subnet Mask= 255.255.255.0...
  • Page 375: Ip Policy Routing Example

    33.4 IP Policy Routing Example If a network has both Internet and remote node connections, you can route Web packets to the Internet using one policy and route FTP packets to a remote network using another policy. See the next figure. To force Web packets coming from clients with IP addresses of 192.168.1.33 to 192.168.1.64 to be routed to the Internet via the WAN port of the Prestige, follow the steps as shown next.
  • Page 376: Figure 33-7 Ip Routing Policy Example

    Policy Set Name= set1 Active= Yes Criteria: IP Protocol Type of Service= Don't Care Precedence Source: addr start= 192.168.1.2 port start= 0 Destination: addr start= 0.0.0.0 port start= 80 Action= Matched Gateway addr Type of Service= No Change Precedence Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle.
  • Page 377: Figure 33-8 Ip Routing Policy

    Policy Set Name= set2 Active= Yes Criteria: IP Protocol Type of Service= Don't Care Precedence Source: addr start= 0.0.0.0 port start= 0 Destination: addr start= 0.0.0.0 port start= 20 Action= Matched Gateway addr Type of Service= No Change Precedence Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle.
  • Page 379: Chapter 34 Call Scheduling

    Call scheduling (applicable for PPPoA or PPPoE encapsulation only) allows you to dictate when a 34.1 Call Scheduling Overview The call scheduling feature allows the Prestige to manage a remote node and dictate when a remote node should be called and for how long. This feature is similar to the scheduler in a video cassette recorder (you can specify a time period for the VCR to record).
  • Page 380: Figure 34-2 Schedule Set Setup

    To delete a schedule set, enter the set number and press [SPACE BAR] and then [ENTER] (or delete) in the Edit Name field. To set up a schedule set, select the schedule set you want to set up from menu 26 (1-12) and press [ENTER] to see Menu 26.1 —...
  • Page 381 FIELD How Often Should this schedule set recur weekly or be used just once only? Press the [SPACE BAR] and then [ENTER] to select Once or Weekly. Both these options are mutually exclusive. If Once is selected, then all weekday settings are N/A. When Once is selected, the schedule rule deletes automatically after the scheduled time elapses.
  • Page 382: Figure 34-3 Applying Schedule Set(S) To A Remote Node (Pppoe)

    Rem Node Name= ? Active= Yes Encapsulation= PPPoE Multiplexing=VC-based Service Name= Incoming Rem Login= Rem Password= ******** Outgoing= My Login=? My Password= ******** Authen= CHAP/PAP Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle. Figure 34-3 Applying Schedule Set(s) to a Remote Node (PPPoE) You can apply up to four schedule sets, separated by commas, for one remote node.
  • Page 383: Chapter 35 Remote Management

    35.1 Remote Management Overview Remote management setup is for managing Telnet, FTP and Web services. You can customize the service port, access interface and the secured client IP address to enhance security and flexibility. You may manage your Prestige from a remote location via: the Internet (WAN only), the LAN only, All (LAN and WAN) or Disable (neither).
  • Page 384: Remote Management And Web Services

    35.1.3 Remote Management and Web Services
    You can use the Prestige’s embedded web configurator for configuration and file management. See the online help for details.
    35.1.4 Disabling Remote Management
    To disable remote management of a service, select Disable in the corresponding Server Access field.
    35.2 Remote Management Setup
    Enter 11 in menu 24 to display Menu 24.11 —...
  • Page 385: Remote Management Limitations

    FIELD Secured Client IP The default 0.0.0.0 allows any client to use this service to remotely manage the Prestige. Enter an IP address to restrict access to a client with a matching IP address. Once you have filled in this menu, press [ENTER] at the message "Press ENTER to Confirm or ESC to Cancel"...
  • Page 386 SMT VPN/IPSec and Internal SPTGEN Part X: SMT VPN/IPSec and Internal SPTGEN This part provides information about configuring VPN/IPSec for secure communications and Internal SPTGEN for configuration of multiple Prestiges. See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.
  • Page 387: Chapter 36 Vpn/Ipsec Setup

    36.1 VPN/IPSec Overview The VPN/IPSec main SMT menu has these main submenus: 1. Define VPN policies in menu 27.1 submenus, including security policies, endpoint IP addresses, peer IPSec router IP address and key management. 2. Menu 27.2 - SA Monitor allows you to manage (refresh or disconnect) your SA connections. This is an overview of the VPN menu tree.
  • Page 388: Ipsec Summary Screen

    36.2 IPSec Summary Screen Type 1 in menu 27 and then press [ENTER] to display Menu 27.1 IPSec Summary. This is a summary read-only menu of your IPSec rules (tunnels). Edit or create an IPSec rule by selecting an index number and then configuring the associated submenus.
  • Page 389 FIELD Name: This field displays the unique identification name for this VPN rule. The name may be up to 32 characters long but only 10 characters will be displayed here. Y signifies that this VPN rule is active. Local Addr Start: When the Addr Type field in Menu 27.1.1 IPSec Setup is configured to Single, this is a static IP address on the LAN behind your Prestige.
  • Page 390 FIELD Key Mgt: This field displays the SA’s type of key management (IKE or Manual). Remote Addr Start: When the Addr Type field in Menu 27.1.1 IPSec Setup is configured to Single, this is a static IP address on the network behind the remote IPSec router.
  • Page 391: Ipsec Setup

    FIELD Select Command: Press [SPACE BAR] to choose from None, Edit, Delete, Go To Rule, Next Page or Previous Page and then press [ENTER]. You must select a rule in the next field when you choose the Edit, Delete or Go To commands.
  • Page 392: Figure 36-4 Menu 27.1.1 Ipsec Setup

    Index= 1 Active= Yes Local ID type= IP My IP Addr= 0.0.0.0 Peer ID type= IP Secure Gateway Address= zw50test.zyxel.com.tw Protocol= 0 Local: IP Addr Start= 1.1.1.1 Remote: IP Addr Start= 4.4.4.4 Enable Replay Detection = No Key Management= IKE Edit Key Management Setup= No The following table describes the fields in this menu.
  • Page 393 FIELD Content When you select IP in the Local ID Type field, type the IP address of your computer or leave the field blank to have the Prestige automatically use its own IP address. When you select DNS in the Local ID Type field, type a domain name (up to 31 characters) by which to identify this Prestige.
  • Page 394 FIELD Secure Gateway Address: Type the IP address or the domain name (up to 31 characters) of the IPSec router with which you’re making the VPN connection. Set this field to 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address (the Key Management field must be set to IKE, see later).
  • Page 395 Table 36-2 Menu 27.1.1 IPSec Setup FIELD DESCRIPTION EXAMPLE End/Subnet Mask (example: 192.168.1.38): When the Addr Type field is configured to Single, this field is N/A. When the Addr Type field is configured to Range, enter the end (static) IP address, in a range of computers on the LAN behind your Prestige.
  • Page 396 FIELD End/Subnet Mask: When the Addr Type field is configured to Single, this field is N/A. When the Addr Type field is configured to Range, enter the end (static) IP address, in a range of computers on the network behind the remote IPSec router.
  • Page 397: Ike Setup

    36.4 IKE Setup To edit this menu, the Key Management field in Menu 27.1.1 – IPSec Setup must be set to IKE. Move the cursor to the Edit Key Management Setup field in Menu 27.1.1 – IPSec Setup; press [SPACE BAR] to select Yes and then press [ENTER] to display Menu 27.1.1.1 –...
  • Page 398 FIELD Encryption Algorithm: When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. Prestige DES encryption algorithm uses a 56-bit key.
  • Page 399: Manual Setup

    FIELD Perfect Forward Secrecy (PFS): Perfect Forward Secrecy (PFS) is disabled (None) by default in phase 2 IPSec SA setup. This allows faster IPSec setup, but is not so secure. Press [SPACE BAR] and choose from DH1 or DH2 to enable PFS. DH1 refers to Diffie-Hellman Group 1, a 768 bit random number.
  • Page 400: Figure 36-6 Menu 27.1.1.2 Manual Setup

    Active Protocol= ESP Tunnel ESP Setup AH Setup The following table describes the fields in this menu. FIELD Active Protocol Press [SPACE BAR] to choose from ESP Tunnel, ESP Transport, AH Tunnel or AH Transport and then press [ENTER]. Choosing an ESP combination causes the AH Setup fields to be non-applicable (N/A) ESP Setup The ESP Setup fields are N/A if you chose an AH Active Protocol.
  • Page 401 FIELD Authentication Algorithm: Press [SPACE BAR] to choose from MD5 or SHA1 and then press [ENTER]. Key: Enter the authentication key to be used by IPSec if applicable. The key must be unique. Enter 16 characters for MD5 authentication and 20 characters for SHA-1 authentication.
  • Page 403: Chapter 37 Sa Monitor

    This chapter teaches you how to manage your SAs by using the SA Monitor in SMT menu 27.2. 37.1 SA Monitor Overview A Security Association (SA) is the group of security settings related to a specific VPN tunnel. This menu (shown next) displays active VPN connections.
  • Page 404: Table 37-1 Menu 27.2 Sa Monitor

    FIELD This is the security association index number. Name This field displays the identification name for this VPN policy. This name is unique for each connection where the secure gateway IP address is a public static IP address. When the secure gateway IP address is 0.0.0.0 (as discussed in the last chapter), there may be different connections using this same VPN rule.
  • Page 405: Viewing Ipsec Log

    37.3 Viewing IPSec Log To view the IPSec and IKE connection log, type 3 in menu 27 and press [ENTER] to display the IPSec log as shown next. The following figure shows a typical log from the initiator of a VPN connection. Index: Date/Time: ------------------------------------------------------------...
  • Page 407: Chapter 38 Internal Sptgen

    Chapter 38 Internal SPTGEN 38.1 Internal SPTGEN Overview Internal SPTGEN (System Parameter Table Generator) is a configuration text file useful for efficient configuration of multiple Prestiges. Internal SPTGEN lets you configure, save and upload multiple menus at the same time using just one configuration text file –...
  • Page 408: Internal Sptgen File Modification - Important Points To Remember

    This is the name of the menu.
    / Menu 1 General Setup
    10000000 = Configured
    10000001 = System Name
    10000002 = Location
    10000003 = Contact Person’s Name
    10000004 = Route IP
    10000005 = Route IPX
    10000006 = Bridge
    This is the Field Identification Number column.
  • Page 409: Internal Sptgen Ftp Download Example

    field value is not legal error:-1
    ROM-t is not saved, error Line ID:10000000
    reboot to get the original configuration
    Bootbase Version: V2.02 | 2/22/2001 13:33:11
    RAM: Size = 8192 Kbytes
    FLASH: Intel 8M *2
    Figure 38-2 Invalid Parameter Entered: Command Line Example
    The Prestige will display the following if you enter parameter(s) that are valid.
  • Page 410: Internal Sptgen Ftp Upload Example

    You can rename your “rom-t” file when you save it to your computer but it must be named “rom-t” when you upload it to your Prestige. 38.4 Internal SPTGEN FTP Upload Example 1. Launch your FTP application. 2. Enter "bin". The command “bin” sets the transfer mode to binary.
  • Page 411: Appendices And Index

    Appendices and Index Part XI: Appendices and Index This part contains the Appendices and Index.
  • Page 413: Chapter 39 Troubleshooting

    This chapter covers potential problems and the corresponding remedies.
    39.1 Problems Starting Up the Prestige
    Table 39-1 Troubleshooting the Start-Up of Your Prestige
    PROBLEM None of the LEDs turn on when I turn
    Make sure that the Prestige’s power adapter is connected to the Prestige and plugged in to an appropriate power source.
  • Page 414: Problems With The Wan Interface

    39.3 Problems with the WAN Interface
    Table 39-3 Troubleshooting the WAN Interface
    PROBLEM I cannot get a WAN IP address from the ISP.
    The WAN IP is provided when the ISP recognizes the user as an authorized user after verifying the MAC address, Host Name or User ID.
  • Page 415: Problems With The Password

    39.5 Problems with the Password
    Table 39-5 Troubleshooting the Password
    PROBLEM I cannot access the Prestige.
    The Password and Username fields are case-sensitive. Make sure that you enter the correct password and username using the proper casing. Restore the factory default configuration file. This will restore all of the factory defaults including the password.
  • Page 417: Appendix Apppoe

    PPPoE in Action An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your PC to an ATM PVC (Permanent Virtual Circuit) which connects to an xDSL Access Concentrator where the PPP session terminates (see the next figure). One PVC can support any number of PPP sessions from your LAN. PPPoE provides access control and billing functionality in a manner similar to dial-up services using PPP.
  • Page 418 The PPPoE driver makes the Ethernet appear as a serial link to the PC and the PC runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC is acting as an L2TP (Layer 2 Tunneling Protocol) LAC (L2TP Access Concentrator) and tunnels the PPP frames to the ISP.
  • Page 419: Appendix B Virtual Circuit Topology

    ATM is a connection-oriented technology, meaning that it sets up virtual circuits over which end systems communicate. The terminology for virtual circuits is as follows: • Virtual Channel • Virtual Path • Virtual Circuit Think of a virtual path as a cable that contains a bundle of wires. The cable connects two points and wires within the cable provide individual circuits between the two points.
  • Page 420: Appendix C Power Adapter Specifications

    AC Power Adapter Model Input Power Output Power Power Consumption Safety Standards AC Power Adapter Model Input Power Output Power Power Consumption Safety Standards AC Power Adapter Model Input Power Output Power Power Consumption Safety Standards AUSTRALIA AND NEW ZEALAND PLUG STANDARDS AC Power Adapter Model Input Power Output Power...
  • Page 421 AC Power Adapter Model Input Power Output Power Power Consumption Safety Standards AC Power Adapter Model Input Power Output Power Power Consumption Safety Standards AC Power Adapter Model Input Power Output Power Power Consumption Safety Standards AC Power Adapter Model Input Power Output Power Power Consumption...
  • Page 422 Power Consumption Safety Standards CCEE (GB8898) Power Adapter Specifications...
  • Page 423: Index

    10/100 MB Auto-negotiation ... 1-3 Action for Matched Packets... 10-13 Active... 21-5, 21-7 Address Assignment ... 4-2 Allocated Budget ... 21-6 Application Scenario ... 1-4 Application-level Firewalls... 8-1 AT command ... 21-2, 21-3, 31-1 Attack Alert ..9-2, 9-3, 9-5, 9-6, 10-5, 12-5, 14-27 Attack Types...
  • Page 424 DTR ... 5-18, 21-3 Dynamic DNS...7-1, 19-2 DYNDNS Wildcard ... 7-1 ECHO... 6-6 Edit IP ... 21-6 Encapsulation... 1-3, 3-2, 23-2, 24-2 ENET ENCAP ... 3-2 PPP over Ethernet ... 3-2 PPPoA... 3-3 RFC 1483... 3-3 ENET ENCAP ... 1-3 Error Log...
  • Page 425 HyperTerminal program ... 31-6, 31-9 IANA ... 3-8 ICMP echo... 8-6 Idle Timeout ... 21-6 IGMP ... 4-3, 4-4 IGMP support ... 24-7 Install UPnP... 16-3 Windows Me ... 16-4 Windows XP... 16-5 Installation Ease ... 1-4 Interactive Applications... 33-1 Internal SPTGEN...
  • Page 426 Metric... 5-1, 21-8, 24-6, 25-3 Multicast ...4-3, 21-9, 24-7 Multiple Protocol over ATM ... 1-3 Multiplexing LLC-based ... 3-3 VC-based ... 3-3 Multiplexing...3-3, 23-2, 24-2 Multiprotocol Encapsulation... 3-3 My Login ... 21-5 My Password... 21-5 My WAN Address ... 21-8, 24-6 Nailed-Up Connection ...3-9, 21-6 NAT ...
  • Page 427 retry count... 21-4 retry interval ... 21-4 RFC-1483 ... 1-3, 1-5, 24-2 RFC-2364 ... 1-3, 24-2, 24-3 RIP...21-9, 22-5, 24-7. See Routing Information Protocol Routing Information Protocol... 4-3 Direction... 4-3 Version ... 4-3 Routing Policy ... 33-1 Rule Summary ... 10-6, 11-6 Rules ...
  • Page 428 TCP/IP ...8-3, 8-4, 15-2, 21-7, 28-16, 30-9, 35-1 TCP/IP Options... 24-9 Teardrop... 8-4 Telnet ... 15-2, 35-1 Telnet Configuration ... 15-2, 35-1 Telnet Under NAT ... 35-1 Text File Format ... 38-1 TFTP And FTP Over WAN ... 35-3 Restrictions ... 35-3 TFTP and FTP over WAN Will Not Work When…...

This manual is also suitable for:

Prestige 792h - v3.40
