Summary of Contents for ZyXEL Communications ZyXEL Prestige 792H
Prestige 792H G.SHDSL Router with four-port switch User's Guide Version 3.40 June 2004...
Trademarks ZyNOS (ZyXEL Network Operating System) is a registered trademark of ZyXEL Communications, Inc. Other trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners.
Federal Communications Commission This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions: • This device may not cause harmful interference. • This device must accept any interference received, including interference that may cause undesired operations.
Information for Canadian Users The Industry Canada label identifies certified equipment. This certification means that the equipment meets certain telecommunications network protective, operational, and safety requirements. Industry Canada does not guarantee that the equipment will operate to a user's satisfaction. Before installing this equipment, users should ensure that it is permissible to be connected to the facilities of the local telecommunications company.
ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or...
Copyright ...ii Federal Communications Commission (FCC) Interference Statement ...iii Information for Canadian Users...iv ZyXEL Limited Warranty...v Customer Support...vi List of Figures...xvii List of Tables...xxvi Preface...xxxi Introduction to DSL...xxxiii Chapter 1 Getting to Know Your G.SHDSL Router...1-1 Features of the Prestige ...1-1 Application Scenarios for the Prestige ...1-4 1.2.1 Internet Access ...1-4 1.2.2 LAN-to-LAN Application...1-5...
IP Address and Subnet Mask ...3-6 IP Address Assignment...3-7 3.8.1 IP Assignment with PPPoA or PPPoE Encapsulation ...3-7 3.8.2 IP Assignment with RFC 1483 Encapsulation...3-8 3.8.3 IP Assignment with ENET ENCAP Encapsulation ...3-8 3.8.4 Private IP Addresses ...3-8 Nailed-Up Connection (PPP) ...3-9 3.10 NAT ...3-9 3.11 Wizard Setup Configuration: ISP Parameters...3-9 3.11.1 PPPoA...3-9...
5.12 Response Strings ...5-18 5.13 Configuring Advanced Modem Setup...5-18 Chapter 6 Network Address Translation (NAT)...6-1 NAT Overview...6-1 6.1.1 NAT Definitions...6-1 6.1.2 What NAT Does...6-1 6.1.3 How NAT Works ...6-2 6.1.4 NAT Application...6-2 6.1.5 NAT Mapping Types ...6-3 SUA (Single User Account) Versus NAT...6-4 SUA Server ...6-5 6.3.1 Port Forwarding: Services and Port Numbers ...6-5 6.3.2 Configuring Servers Behind SUA (Example) ...6-6...
Figure 27-14 NAT Example 2 - Menu 15.2.1 ...27-14 Figure 27-15 NAT Example 3...27-15 Figure 27-16 Example 3 - Menu 11.3 ...27-15 Figure 27-17 Example 3 - Menu 15.1.1.1 ...27-16 Figure 27-18 Example 3 - Final Menu 15.1.1...27-16 Figure 27-19 Example 3 - Menu 15.2...27-18 Figure 27-20 NAT Example 4...27-18 Figure 27-21 Example 4 - Menu 15.1.1.1 ...27-19...
Figure 28-19 Filtering Ethernet Traffic ... 28-21 Figure 28-20 Filtering Remote Node Traffic ... 28-21 Figure 29-1 SNMP Management Model ... 29-1 Figure 29-2 SNMP Configuration... 29-3 Figure 30-1 System Maintenance... 30-1 Figure 30-2 System Maintenance — Status ... 30-2 Figure 30-3 System Information and Console Port Speed ...
Figure 31-15 FTP Session Example of Firmware File Upload ...31-12 Figure 31-16 Menu 24.7.1 as seen using the Console Port...31-14 Figure 31-17 Example Xmodem Upload ...31-14 Figure 31-18 Menu 24.7.2 as seen using the Console Port...31-15 Figure 31-19 Example Xmodem Upload ...31-16 Figure 32-1 Command Mode in Menu 24 ...32-1 Figure 32-2 Valid Commands ...32-2...
Figure 36-3 Menu 27.1 IPSec Summary... 36-2 Figure 36-4 Menu 27.1.1 IPSec Setup ... 36-6 Figure 36-5 Menu 27.1.1.1 IKE Setup ...36-11 Figure 36-6 Menu 27.1.1.2 Manual Setup ... 36-14 Figure 37-1 Menu 27.2 SA Monitor... 37-1 Figure 37-2 Example VPN Initiator IPSec Log ...
List of Tables Table 2-1 Password...2-4 Table 3-1 Wizard Screen: WAN Setup...3-4 Table 3-2 Wizard Screen: Internet Access ...3-6 Table 3-3 Internet Connection with PPPoA...3-10 Table 3-4 Internet Connection with RFC 1483 ...3-12 Table 3-5 Internet Connection with ENET ENCAP ...3-13 Table 3-6 Internet Connection with PPPoE ...3-15 Table 3-7 Wizard: LAN Configuration ...3-17 Table 4-1 LAN...4-5...
Table 36-1 Menu 27.1 IPSec Summary ...36-2 Table 36-2 Menu 27.1.1 IPSec Setup...36-6 Table 36-3 Menu 27.1.1.1 IKE Setup ...36-11 Table 36-4 Active Protocol: Encapsulation and Security Protocol ...36-13 Table 36-5 Menu 27.1.1.2 Manual Setup...36-14 Table 37-1 Menu 27.2 SA Monitor ...37-2 Table 39-1 Troubleshooting the Start-Up of Your Prestige ...39-1 Table 39-2 Troubleshooting the LAN Interface ...39-1 Table 39-3 Troubleshooting the WAN Interface ...39-2...
Congratulations on your purchase of the Prestige 792H G.SHDSL Router. Use the web configurator, System Management Terminal (SMT) or command interpreter interface to configure your Prestige. Not all features can be configured
Please visit our web site at www.zyxel.com
Don’t forget to register your Prestige (fast, easy online registration at www.zyxel.com) for free future product updates and information.
• The Prestige 792H may be referred to as the Prestige in this user’s guide. • Images of the Prestige 792H are used throughout this document unless otherwise specified. The following section offers some background information on DSL. Skip to Chapter 1 if you wish to begin working with your router right away.
Introduction to DSL DSL (Digital Subscriber Line) technology enhances the data capacity of the existing twisted-pair wire that runs between the local telephone company switching offices and most homes and offices. While the wire itself can handle higher frequencies, the telephone switching equipment is designed to cut off signals above 4,000 Hz to filter noise off the voice line. The demand for more bandwidth to improve access to the Web is what drove the development of DSL technologies.
Chapter 1 Getting to Know Your G.SHDSL Router This chapter covers the key features and main applications of your Prestige. The Prestige 792H is a high-performance G.SHDSL router with a four-port switch for Internet/LAN access via a telephone line. Your Prestige supports multi-protocol routing for TCP/IP, as well as transparent bridging for other protocols.
SDSL G.SHDSL (G.991.2) IPSec VPN Capability Establish a Virtual Private Network (VPN) to connect with business partners and branch offices, using data encryption over the Internet to provide secure communications without the expense of leased site-to-site lines.
IP Alias IP Alias allows you to partition a physical network into logical networks over the same Ethernet interface. The Prestige supports three logical LAN interfaces via its single physical Ethernet interface with the Prestige itself as the gateway for each LAN network. IP Policy Routing IP Policy Routing provides a mechanism to override the default routing behavior and alter packet forwarding based on the policies defined by the network administrator.
IRC, ICQ, RealAudio, VDOLive, Quake and PPTP. No extra configuration is needed to support these applications. SUA address mapping can also be used for other LAN-to-LAN connections. Universal Plug and Play (UPnP) Using the standard TCP/IP protocol, the Prestige and other UPnP-enabled devices can dynamically join a network, obtain an IP address and convey their capabilities to other devices on the network.
Application Scenarios for the Prestige This section provides examples of how your Prestige can be used. 1.2.1 Internet Access Figure 1-1 Internet Access Application Your Prestige can act as either of the following: • A bridge for multi-computer/MAC bridging (RFC 1483, bridged Ethernet/802.3). 1.2.2 LAN-to-LAN Application You can use the Prestige to connect two geographically dispersed networks over the DSL line.
Introducing the Web Configurator This chapter describes how to access and navigate the web configurator. Web Configurator Overview The embedded web configurator (ewc) allows you to manage the Prestige from anywhere through a browser such as Microsoft Internet Explorer or Netscape Navigator. Use Internet Explorer 6.0 and later or Netscape Navigator 7.0 and later versions with JavaScript enabled.
Step 6. You should now see the Site Map screen. The Prestige automatically logs you out after five minutes of inactivity. Simply log back into the Prestige if this happens to you. Navigating the Prestige Web Configurator The following summarizes how to navigate the web configurator from the Site Map screen.
Logout Figure 2-2 Web Configurator SITE MAP Screen Click the HELP icon (located in the top right corner of most screens) to view
Configuring Password It is highly recommended that you change the password for accessing the Prestige. To change your Prestige’s password, click Advanced Setup and then Password. The screen appears as shown.
The following table describes the labels in this screen.
LABEL Old Password: Type the default password or the existing password you use to access the system in this field.
LABEL New Password: Type the new password in this field.
LABEL Retype to Confirm: Type the new password again in this field.
of 9600 bps with 8 data bits, no parity, one stop bit and flow control set to none. The password will also be reset to “1234”. Because the reset restores the factory password, anyone with physical access to the unit can regain administrative access this way; change the password again immediately after any reset. 2.5.1 Using The Reset Button Step 1. Make sure the SYS LED is on (not blinking).
This chapter provides information on the Wizard Setup screens in the web configurator. Wizard Setup Introduction Use the Wizard Setup screens to configure your system for Internet access settings and fill in the fields with the information in the Internet Account Information table of the Quick Start Guide or Read Me First. Your ISP may have already configured some of the fields in the wizard screens for you.
3.2.3 Transfer Rates The Prestige supports the following symmetrical multi-rate data transmission speeds: 72, 136, 200, 264, 392, 520, 776, 1032, 1160, 1544, 1736, 2056 and 2312 kbps. You can increase the capacity of the Internet connection (within certain limitations) without changing your ISP or buying new equipment.
ATM PVC (Permanent Virtual Circuit) which connects to ADSL Access Concentrator where the PPP session terminates. One PVC can support any number of PPP sessions from your LAN. For more information on PPPoE, see the appendix. 3.3.3 PPPoA PPPoA stands for Point to Point Protocol over ATM Adaptation Layer 5 (AAL5).
is not practical to have a separate VC for each carried protocol, for example, if charging heavily depends on the number of simultaneous VCs. VPI and VCI Be sure to use the correct Virtual Path Identifier (VPI) and Virtual Channel Identifier (VCI) numbers assigned to you.
LABEL Service Type Select Client if your Prestige will act as a client device or Server if your Prestige will act as a server (see Service Type). Transfer Rate Rate Adaption If you enable Rate Adaption, the Prestige connects at the optimal transfer rate between the min and max rates below.
Figure 3-2 Wizard Screen: Internet Access The following table describes the labels in this screen. Table 3-2 Wizard Screen: Internet Access LABEL Mode From the Mode drop-down list box, select Routing (default) if your ISP allows multiple computers to share an Internet account.
Where you obtain your network number depends on your particular situation. If the ISP or your network administrator assigns you a block of registered IP addresses, follow their instructions in selecting the IP addresses and the subnet mask. If the ISP did not explicitly give you an IP network number, then most likely you have a single user account and the ISP will assign you a dynamic IP address when the connection is established.
3.8.2 IP Assignment with RFC 1483 Encapsulation In this case the IP Address Assignment must be static with the same requirements for the IP Address and ENET ENCAP Gateway fields as stated above. 3.8.3 IP Assignment with ENET ENCAP Encapsulation In this case you can have either a static or dynamic IP.
Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets (since superseded by RFC 1918), and RFC 1466, Guidelines for Management of IP Address Space.
Figure 3-3 Internet Connection with PPPoA The following table describes the labels in this screen. Table 3-3 Internet Connection with PPPoA LABEL User Name Enter the user name exactly as your ISP assigned it. If you were assigned a name in the form user@domain, enter it exactly as given.
Table 3-3 Internet Connection with PPPoA LABEL IP Address This option is available if you select Routing in the Mode field. A static IP address is a fixed IP that your ISP gives you. A dynamic IP address is not fixed; the ISP assigns you a different one each time you connect to the Internet.
3.11.2 RFC 1483 Select RFC 1483 from the Encapsulation drop-down list box in the first wizard screen to display the screen as shown. Figure 3-4 Internet Connection with RFC 1483 The following table describes the labels in this screen. Table 3-4 Internet Connection with RFC 1483 LABEL IP Address...
Figure 3-5 Internet Connection with ENET ENCAP The following table describes the labels in this screen. Table 3-5 Internet Connection with ENET ENCAP LABEL IP Address A static IP address is a fixed IP that your ISP gives you. A dynamic IP address is not fixed;...
Table 3-5 Internet Connection with ENET ENCAP LABEL Network Address Translation Select None, SUA Only or Full Feature from the drop-down list box. Refer to the NAT chapter for more details. Back Click Back to go back to the first wizard screen. Next Click Next to continue to the next wizard screen.
Table 3-6 Internet Connection with PPPoE LABEL Service Name Type the name of your PPPoE service here. User Name Configure the User Name and Password fields for PPPoA and PPPoE encapsulation only. Enter the user name exactly as your ISP assigned it. If you were assigned a name in the form user@domain, enter it exactly as given.
disable it. When configured as a server, the Prestige provides the TCP/IP configuration for the clients. If you turn DHCP service off, you must have another DHCP server on your LAN, or else the computer must be manually configured.
Figure 3-7 Wizard Screen: LAN Configuration If you want to change your Prestige LAN settings, click Change LAN Configuration to display the screen as shown next. The following table describes the labels in this screen. LABEL LAN IP Address Enter the IP address of your Prestige in dotted decimal notation, for example, 192.168.1.1 (factory default).
LABEL DHCP Server From the DHCP Server drop-down list box, select On to allow your Prestige to assign IP addresses, an IP default gateway and DNS servers to computer systems that support the DHCP client. Select Off to disable the DHCP server. When the DHCP server is used, set the following items: Client IP Pool Starting This field specifies the first of the contiguous addresses in the IP address pool.
Figure 3-9 Wizard Screen: Connection Tests 3.15 Test Your Internet Connection Launch your web browser and navigate to www.zyxel.com. Internet access is just the beginning. Refer to the rest of this User’s Guide for more detailed information on the complete range of Prestige features. If you cannot access the Internet, open the web configurator again to confirm that the Internet settings you configured in the Wizard Setup are correct.
LAN Overview A Local Area Network (LAN) is a shared communication system to which many computers are attached. A LAN is a computer network limited to the immediate area, usually the same building or floor of a building. The LAN screens can help you configure a LAN DHCP server and manage IP addresses. 4.1.1 LANs, WANs and the Prestige The actual physical connection determines whether the Prestige ports are LAN or WAN ports.
before you can access it. The DNS server addresses that you enter in the DHCP setup are passed to the client machines along with the assigned IP address and subnet mask. There are two ways that an ISP disseminates the DNS server addresses. The first is for an ISP to tell a customer the DNS server addresses, usually in the form of an information sheet, when s/he signs up.
4.4.1 Factory LAN Defaults The LAN parameters of the Prestige are preset in the factory with the following values: IP address of 192.168.1.1 with subnet mask of 255.255.255.0 (24 bits) DHCP server enabled with 32 client IP addresses starting from 192.168.1.33. These parameters should work for the majority of installations.
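As an added example that is not part of the user's guide, the following Python reproduces the factory LAN defaults stated above (192.168.1.1/24, a 32-address client pool starting at 192.168.1.33) and checks that a proposed Client IP Pool stays inside the LAN subnet and never hands out the router's own address, the network address or the broadcast address. The factory values come from the text; the function names and the deliberately bad second pool are assumptions made for illustration.

```python
import ipaddress

# Factory LAN defaults as stated in the user's guide.
FACTORY_LAN_IP = "192.168.1.1"
FACTORY_MASK = "255.255.255.0"
FACTORY_POOL_START = "192.168.1.33"
FACTORY_POOL_SIZE = 32


def dhcp_pool(start, size):
    """Return the contiguous list of client addresses the DHCP server would hand out."""
    first = ipaddress.IPv4Address(start)
    return [first + i for i in range(size)]


def check_pool(lan_ip, mask, pool_start, pool_size):
    """Return a list of problems with the pool; an empty list means it is sane.

    The pool must fit inside the LAN subnet and must not include the router's
    own address (it is the default gateway handed to clients), the network
    address or the broadcast address.
    """
    net = ipaddress.IPv4Network(f"{lan_ip}/{mask}", strict=False)
    gateway = ipaddress.IPv4Address(lan_ip)
    problems = []
    for addr in dhcp_pool(pool_start, pool_size):
        if addr not in net:
            problems.append(f"{addr} lies outside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{addr} is the network or broadcast address")
        elif addr == gateway:
            problems.append(f"{addr} is the router's own LAN address")
    return problems


if __name__ == "__main__":
    pool = dhcp_pool(FACTORY_POOL_START, FACTORY_POOL_SIZE)
    print(f"factory pool: {pool[0]} - {pool[-1]}")
    print("factory pool problems:",
          check_pool(FACTORY_LAN_IP, FACTORY_MASK, FACTORY_POOL_START, FACTORY_POOL_SIZE))
    # Hypothetical misconfiguration: a 32-address pool that runs off the end of the /24.
    print("bad pool problems:", check_pool(FACTORY_LAN_IP, FACTORY_MASK, "192.168.1.240", 32))
```

With the factory values the pool is 192.168.1.33 through 192.168.1.64 and the check returns no problems; a pool starting at 192.168.1.240 is rejected because it includes the broadcast address and then leaves the subnet.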
RFC 2236. The class D IP address is used to identify host groups and can be in the range 224.0.0.0 to 239.255.255.255. The address 224.0.0.0 is not assigned to any group and is used by IP multicast computers. The address 224.0.0.1 is used for query messages and is assigned to the permanent group of all IP hosts (including gateways).
The following table describes the labels in this screen. LABEL DHCP DHCP If set to Server, your Prestige can assign IP addresses, an IP default gateway and DNS servers to Windows 95, Windows NT and other systems that support the DHCP client. If set to None, the DHCP server will be disabled.
LABEL Apply Click this button to save these settings back to the Prestige. Cancel Click this button to reset the fields in this screen. Table 4-1 LAN DESCRIPTION LAN Setup...
WAN Overview A WAN (Wide Area Network) is an outside connection to another network or the Internet. See the Wizard Setup chapter for more information on the fields in the WAN screens. Metric The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost".
If you want the dial-backup route to take first priority over the traffic-redirect route or even the normal route, all you need to do is set the dial-backup route’s metric to "1" and the others to "2" (or greater). IP Policy Routing overrides the default routing behavior and takes priority over all of the routes mentioned above (see the IP Policy Routing chapter).
Traffic Shaping Traffic Shaping is an agreement between the carrier and the subscriber to regulate the average rate and fluctuations of data transmission over an ATM network. This agreement helps eliminate congestion, which is important for transmission of real time data such as audio and video connections. Peak Cell Rate (PCR) is the maximum rate at which the sender can send cells.
Figure 5-1 Example of Traffic Shaping Configuring WAN Setup To change your Prestige’s WAN remote node settings, click WAN, WAN Setup. The screen differs by the encapsulation.
LABEL Name Enter the name of your Internet Service Provider, e.g., MyISP. This information is for identification purposes only. Mode Select Routing (default) from the drop-down list box if your ISP allows multiple computers to share an Internet account. Otherwise select Bridge. Encapsulation Select the method of encapsulation used by your ISP from the drop-down list box.
LABEL Maximum Burst Size Maximum Burst Size (MBS) refers to the maximum number of cells that can be sent at the peak rate. Type the MBS, which is less than 65535. Login Information (PPPoA and PPPoE encapsulation only) Service Name (PPPoE only) Type the name of your PPPoE service here. User Name Enter the user name exactly as your ISP assigned.
LABEL Subnet Mask (ENET ENCAP encapsulation only) Enter a subnet mask in dotted decimal notation. Refer to the Subnetting appendix to calculate a subnet mask if you are implementing subnetting. ENET ENCAP Gateway You must specify a gateway IP address (supplied by your ISP) when you select ENET ENCAP in the Encapsulation field.
The following network topology allows you to avoid triangle route security issues when the backup gateway is connected to the LAN or DMZ. Use IP alias to configure the LAN into two or three logical networks with the Prestige itself as the gateway for each LAN network. Put the protected LAN in one subnet (Subnet 1 in the following figure) and the backup gateway in another subnet (Subnet 2).
To change your Prestige’s WAN backup settings, click WAN, then WAN Backup. The screen appears as shown. Figure 5-5 WAN Backup The following table describes the fields in this screen.
LABEL Backup Type Select the method that the Prestige uses to check the DSL connection. Select DSL Link to have the Prestige check the DSL connection’s physical layer. Select ICMP to have the Prestige periodically ping the IP addresses configured in the Check WAN IP Address fields. Check WAN IP Configure this field to test your Prestige's WAN accessibility.
LABEL Backup Gateway Type the IP address of your backup gateway in dotted decimal notation. The Prestige automatically forwards traffic to this IP address if the Prestige's Internet connection terminates. Dial Backup Active Select this check box to turn on dial backup. Metric This field sets this route's priority among the three routes the Prestige uses (normal, traffic redirect and dial backup).
peer disconnects right after a successful authentication, make sure that you specify the correct authentication protocol when connecting to such an implementation. Configuring Advanced WAN Backup To edit your Prestige’s advanced WAN backup settings, click WAN, WAN Backup and then the Advanced Setup button.
Figure 5-6 Advanced WAN Backup
The following table describes the fields in this screen. LABEL Basic Login Name Type the login name assigned by your ISP. Password Type the password assigned by your ISP. Retype to Confirm Type your password again to make sure that you have entered it correctly. Authentication Type Use the drop-down list box to select an authentication protocol for outgoing calls.
LABEL Enable SUA Network Address Translation (NAT) allows the translation of an Internet protocol address used within one network to a different IP address known within another network. SUA (Single User Account) is a subset of NAT that supports two types of mapping: Many-to-One and Server.
LABEL PPP Options Encapsulation Select CISCO PPP from the drop-down list box if your backup WAN device uses Cisco PPP encapsulation; otherwise select Standard PPP. Compression Select this check box to enable Stac compression. Nailed-Up Connection Select Nailed-Up Connection when you want your connection up all the time. The Prestige will try to bring up the connection automatically if it is disconnected.
For ISDN lines, there are many more protocols and operational modes. Please consult the documentation of your TA. You may need additional commands in both “Dial” and “Init” strings. 5.11 DTR Signal The majority of WAN devices default to hanging up the current call when the DTR (Data Terminal Ready) signal is dropped by the DTE.
The following table describes the fields in this screen. LABEL AT Command Strings Dial Type the AT Command string to make a call. Example: atdt Drop Type the AT Command string to drop a call. "~" represents a one second wait, for example, "~~+++~~ath"...
LABEL Drop DTR When Hang Up Select this check box to have the Prestige drop the DTR (Data Terminal Ready) signal after the "AT Command String: Drop" is sent out. AT Response Strings CLID Type the keyword that precedes the CLID (Calling Line Identification) in the AT response string.
NAT and Dynamic DNS Part II: NAT and Dynamic DNS This part covers NAT (Network Address Translation) and dynamic DNS (Domain Name Server).
Network Address Translation (NAT) NAT Overview NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet, for example, the source address of an outgoing packet, used within one network to a different IP address known within another network.
local address before forwarding it to the original inside host. Note that the IP address (either local or global) of an outside host is never changed. The global IP addresses for the inside hosts can be either static or dynamically assigned by the ISP. In addition, you can designate servers, for example, a web server and a telnet server, on your local network and make them accessible to the outside world.
Figure 6-2 NAT Application With IP Alias 6.1.5 NAT Mapping Types NAT supports five types of IP/port mapping. They are: 1. One to One: In One-to-One mode, the Prestige maps one local IP address to one global IP address. 2. Many to One: In Many-to-One mode, the Prestige maps multiple local IP addresses to one global IP address.
5. Server: This type allows you to specify inside servers of different services behind the NAT to be accessible to the outside world. Port numbers do not change for One-to-One and Many-to-Many No Overload NAT. The following table summarizes these types. TYPE One-to-One Many-to-One (SUA/PAT)
1. Choose SUA Only if you have just one public WAN IP address for your Prestige. 2. Choose Full Feature if you have multiple public WAN IP addresses for your Prestige. SUA Server A SUA server set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make visible to the outside world even though SUA makes your whole inside network appear as a single computer to the outside world.
Many residential broadband ISP accounts do not allow you to run any server processes (such as a Web or FTP server) from your location. Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location.
Figure 6-3 Multiple Servers Behind NAT Example Selecting the NAT Mode Click NAT to open the following screen. Figure 6-4 NAT Mode The following table describes the labels in this screen.
LABEL None Select this radio button to disable NAT. SUA Only Select this radio button if you have just one public WAN IP address for your Prestige. The Prestige uses Address Mapping Set 1 in the NAT - Edit SUA/NAT Server Set screen. Edit Details Click this link to go to the NAT - Edit SUA/NAT Server Set screen.
The following table describes the labels in this screen. LABEL Start Port No. Enter a port number in this field. To forward only one port, enter the port number again in the End Port No. field. To forward a series of ports, enter the start port number here and the end port number in the End Port No.
LABEL End Port No. Enter a port number in this field. To forward only one port, enter the same port number in both the Start Port No. field above and this field. To forward a series of ports, enter the last port number of the series that begins with the port number in the Start Port No.
The following table describes the labels in this screen. LABEL Local Start IP This is the starting Inside Local IP Address (ILA). Local IP addresses are N/A for Server port mapping. Local End IP This is the end Inside Local IP Address (ILA). If your rule is for all local IP addresses, then enter 0.0.0.0 as the Local Start IP address and 255.255.255.255 as the Local End IP address.
LABEL Type 1-1: One-to-one mode maps one local IP address to one global IP address. Note that port numbers do not change for the One-to-one NAT mapping type. M-1: Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), ZyXEL's Single User Account feature that previous ZyXEL routers supported only.
The following table describes the labels in this screen. LABEL Type Choose the port mapping type from one of the following. 1. One-to-One: One-to-One mode maps one local IP address to one global IP address. Note that port numbers do not change for One-to-one NAT mapping type. 2.
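The mapping types and the SUA server set described above, as an added example that is not part of the user's guide: a small Python model of SUA (Many-to-One, port address translation) with a server set for port forwarding. Outbound LAN packets get the single public WAN address and a fresh WAN port per (local IP, local port); inbound WAN packets reach a LAN host only if they match an existing translation or a forwarded port range, and everything else is dropped. The addresses, the class name and the port ranges are assumptions for illustration; the only behaviour taken from the text is that forwarded ports keep their number and that SUA makes the LAN look like one host.

```python
class SuaNat:
    """Single User Account (Many-to-One / PAT) plus a SUA server set.

    server_set is a list of (start_port, end_port, local_ip) entries like the
    Edit SUA/NAT Server Set screen; a single forwarded port uses start == end.
    """

    def __init__(self, wan_ip, server_set=None, first_wan_port=1024):
        self.wan_ip = wan_ip
        self.server_set = list(server_set or [])
        self.next_wan_port = first_wan_port
        self.out_map = {}   # (local_ip, local_port) -> wan_port
        self.in_map = {}    # wan_port -> (local_ip, local_port)

    def _reserved(self, port):
        # Ports that belong to a forwarded server range must never be handed
        # out as dynamic PAT ports, or replies would be misdelivered.
        return any(start <= port <= end for start, end, _ in self.server_set)

    def _allocate_wan_port(self):
        while self._reserved(self.next_wan_port) or self.next_wan_port in self.in_map:
            self.next_wan_port += 1
        port = self.next_wan_port
        self.next_wan_port += 1
        return port

    def outbound(self, local_ip, local_port, remote_ip, remote_port):
        """Translate a LAN -> WAN packet; returns the packet as seen on the Internet."""
        key = (local_ip, local_port)
        if key not in self.out_map:
            wan_port = self._allocate_wan_port()
            self.out_map[key] = wan_port
            self.in_map[wan_port] = key
        return (self.wan_ip, self.out_map[key], remote_ip, remote_port)

    def inbound(self, remote_ip, remote_port, wan_port):
        """Translate a WAN -> LAN packet; returns the delivered packet, or None if dropped."""
        if wan_port in self.in_map:                    # reply to an outbound session
            local_ip, local_port = self.in_map[wan_port]
            return (remote_ip, remote_port, local_ip, local_port)
        for start, end, local_ip in self.server_set:   # port forwarding: port is unchanged
            if start <= wan_port <= end:
                return (remote_ip, remote_port, local_ip, wan_port)
        return None                                    # unsolicited, no mapping: dropped


if __name__ == "__main__":
    # Constructed addresses (documentation ranges), not a real deployment.
    nat = SuaNat("203.0.113.10",
                 server_set=[(80, 80, "192.168.1.10"), (1024, 1030, "192.168.1.11")])
    print(nat.outbound("192.168.1.33", 5000, "198.51.100.7", 80))  # two LAN hosts, same local port
    print(nat.outbound("192.168.1.34", 5000, "198.51.100.7", 80))  # get distinct WAN ports
    print(nat.inbound("198.51.100.7", 80, 1032))                     # reply reaches 192.168.1.34
    print(nat.inbound("198.51.100.9", 40000, 80))                    # forwarded to the web server
    print(nat.inbound("198.51.100.9", 40000, 22))                    # no mapping: None
```

The dynamic port allocator skips the server set's ranges; without that check a forwarded range overlapping the dynamic port space would let an inbound reply be delivered to the wrong inside host.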
This chapter discusses how to configure your Prestige to use Dynamic DNS. Dynamic DNS Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.). You can also access your FTP server or Web site on your own computer using a domain name (for instance myhost.dhs.org, where myhost is a name of your choice) that will never change instead of using an IP address that changes each time you reconnect.
The following table describes the labels in this screen. LABEL Active Select this check box to use dynamic DNS. Service Provider Select the name of your Dynamic DNS service provider. Host Name Type the domain name assigned to your Prestige by your Dynamic DNS provider. E-mail Address Type your e-mail address.
Firewall and Content Filters Part III: Firewall and Content Filter This part introduces firewalls in general and the Prestige firewall. It also explains customized services and logs and gives example firewall rules and an overview of content filtering.
This chapter gives some background information on firewalls and introduces the Prestige firewall. Firewall Overview Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another. The networking term “firewall” is a system or group of systems that enforces an access-control policy between two networks.
Information hiding prevents the names of internal systems from being made known via DNS to outside systems, since the application gateway is the only host whose name must be made known to outside systems. Robust authentication and logging pre-authenticates application traffic before it reaches internal hosts and causes it to be logged more effectively than if it were logged with standard host logging.
Figure 8-1 Prestige Firewall Application Denial of Service Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources.
8.4.2 Types of DoS Attacks There are four types of DoS attacks: 1. Those that exploit bugs in a TCP/IP implementation. 2. Those that exploit weaknesses in the TCP/IP specification. 3. Brute-force attacks that flood a network with useless data. 4.
Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment). After this handshake, a connection is established. 2-a SYN Attack floods a targeted system with a series of SYN packets.
2-b In a LAND Attack, hackers flood SYN packets into the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself.
3.
The only legal NetBIOS commands are the following - all others are illegal.
All SMTP commands are illegal except for those displayed in the following tables: AUTH, DATA, EHLO, QUIT, RCPT, RSET.
Traceroute
Traceroute is a utility used to determine the path a packet takes between two endpoints. Sometimes when a packet filter firewall is configured incorrectly an attacker can traceroute the firewall, gaining knowledge of the network topology inside the firewall.
1. Allows all sessions originating from the LAN (local network) to the WAN (Internet).
2. Denies all sessions originating from the WAN to the LAN.
The previous figure shows the Prestige’s default firewall rules in action and demonstrates how stateful inspection works.
4. Based on the obtained state information, a firewall rule creates a temporary access list entry that is inserted at the beginning of the WAN interface's inbound extended access list. This temporary access list entry is designed to permit inbound packets of the same connection as the outbound packet just inspected.
Below is a brief technical description of how these connections are tracked. Connections may either be defined by the upper protocols (for instance, TCP), or by the Prestige itself (as with the "virtual connections" created for UDP and ICMP).
8.5.3 TCP Security
The Prestige uses state information embedded in TCP packets.
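The default policy and the temporary access list entry described above can be modelled in a few dozen lines. The following is an added illustration, not the Prestige's own code: it forwards LAN-to-WAN traffic and records a keyed entry, admits a WAN-to-LAN packet only when it matches an entry opened from the LAN, and keeps short-lived "virtual connections" for UDP and ICMP, which have no handshake to track. The idle timeouts and all addresses are constructed for the example.

```python
# Added example (not ZyXEL's code): a minimal stateful inspector that applies
# the two default rules above. LAN->WAN traffic is forwarded and recorded; a
# WAN->LAN packet is forwarded only if it belongs to a connection recorded from
# the LAN side, otherwise it is blocked. UDP and ICMP get "virtual connections"
# with short idle timeouts, since they have no handshake to track.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class Packet:
    direction: str   # "LAN->WAN" or "WAN->LAN"
    proto: str       # "TCP", "UDP" or "ICMP"
    src: str
    sport: int       # for ICMP, use the echo identifier
    dst: str
    dport: int

# Idle timeouts (seconds) are constructed for the illustration, not the
# Prestige's defaults; the real values are configured in the Timeout screen.
IDLE_TIMEOUT = {"TCP": 300.0, "UDP": 60.0, "ICMP": 10.0}

class StatefulInspector:
    def __init__(self, clock: Callable[[], float]):
        self._clock = clock
        # key: (proto, lan_ip, lan_port, wan_ip, wan_port) -> expiry time.
        # This is the "temporary access list entry" created by an outbound
        # packet that later admits the matching inbound packets.
        self._table: Dict[Tuple, float] = {}

    @staticmethod
    def _key(pkt: Packet) -> Tuple:
        # Normalise both directions onto LAN-side/WAN-side ordering so the
        # reply to an outbound packet produces the same key.
        if pkt.direction == "LAN->WAN":
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def _expire(self, now: float) -> None:
        for key, expiry in list(self._table.items()):
            if expiry <= now:
                del self._table[key]

    def inspect(self, pkt: Packet) -> str:
        now = self._clock()
        self._expire(now)
        key = self._key(pkt)
        if pkt.direction == "LAN->WAN":
            # Default rule 1: forward, and open (or refresh) the temporary entry.
            self._table[key] = now + IDLE_TIMEOUT[pkt.proto]
            return "FORWARD"
        if key in self._table:
            # Inbound packet of a connection the LAN initiated: forward, refresh.
            self._table[key] = now + IDLE_TIMEOUT[pkt.proto]
            return "FORWARD"
        # Default rule 2: unsolicited WAN->LAN traffic is denied.
        return "BLOCK"

def demo() -> List[str]:
    """Replays a constructed packet sequence through the inspector and
    returns the decision for each packet."""
    ticks = iter([0.0, 1.0, 2.0, 3.0, 90.0])   # scripted clock, in seconds
    fw = StatefulInspector(clock=lambda: next(ticks))
    packets = [
        # 1. LAN host queries an external DNS server (UDP): forwarded, entry opened.
        Packet("LAN->WAN", "UDP", "192.168.1.33", 40001, "203.0.113.53", 53),
        # 2. The DNS reply comes back on the same 5-tuple: forwarded.
        Packet("WAN->LAN", "UDP", "203.0.113.53", 53, "192.168.1.33", 40001),
        # 3. Unsolicited SYN from the WAN to a LAN web server: blocked.
        Packet("WAN->LAN", "TCP", "198.51.100.7", 51515, "192.168.1.10", 80),
        # 4. A "reply" from the DNS server address but to the wrong port: blocked.
        Packet("WAN->LAN", "UDP", "203.0.113.53", 53, "192.168.1.33", 40002),
        # 5. A late reply 90 s later, after the UDP entry expired: blocked.
        Packet("WAN->LAN", "UDP", "203.0.113.53", 53, "192.168.1.33", 40001),
    ]
    return [fw.inspect(p) for p in packets]

if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Packets 4 and 5 show why the table is keyed on the full 5-tuple and why the virtual UDP connection must expire: a packet that merely comes from the right server address, or arrives after the entry has aged out, is still treated as unsolicited.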
8.5.5 Upper Layer Protocols Some higher layer protocols (such as FTP and RealAudio) utilize multiple network connections simultaneously. In general terms, they usually have a "control connection" which is used for sending commands between endpoints, and then "data connections" which are used for transmitting bulk information. Consider the FTP protocol.
1. Encourage your company or organization to develop a comprehensive security plan. Good network administration takes into account what hackers can do and prepares against attacks. The best defense against hackers and crackers is information. Educate all employees about the importance of security and how to minimize risk.
Packet filtering only checks the header portion of an IP packet.
When To Use Filtering
1. To block/allow LAN packets by their MAC addresses.
2. To block/allow special IP packets which are neither TCP nor UDP, nor ICMP packets.
3. To block/allow both inbound (WAN to LAN) and outbound (LAN to WAN) traffic between the specific inside host/network "A"...
6. The firewall can block specific URL traffic that might occur in the future. The URL can be saved in an Access Control List (ACL) database.
This chapter shows you how to enable and configure the Prestige firewall.
Remote Management and the Firewall
When remote management is configured to allow management (see the Remote Management chapter) and the firewall is enabled:
• The firewall blocks remote management from the WAN unless you configure a firewall rule to allow it.
Configuring E-mail Alerts
To change your Prestige’s E-mail log settings, click Advanced Setup, Firewall, and then E-mail. The screen appears as shown. This screen is not available on all models. Use the E-Mail screen to configure where the Prestige is to send logs, the schedule for when the Prestige is to send the logs, and which logs and/or immediate alerts the Prestige is to send.
E-mail Alerts To: Alerts are sent to the e-mail address specified in this field. If this field is left blank, alerts will not be sent via e-mail.
Return Address: Type an E-mail address to identify the Prestige as the sender of the e-mail messages, i.e., a "return-to-sender"...
9.4.1 Alerts
Alerts are reports on events, such as attacks, that you may want to know about right away. You can choose to generate an alert when an attack is detected in the Alert screen (Figure 9-3 - select the Generate alert when attack detected check box) or when a rule is matched in the Edit Rule screen (see Figure 10-5). When an event generates an alert, a message can be immediately sent to an e-mail account that you specify in the Log...
delete half-open sessions as necessary, until the rate of new connection attempts drops below another threshold (one-minute low). The rate is the number of new attempts detected in the last one-minute sample period.
TCP Maximum Incomplete and Blocking Time
An unusually high number of half-open sessions with the same destination host address could indicate that a Denial of Service attack is being launched against the host.
The following table describes the labels in this screen.
Generate alert when attack detected: Select this check box to generate an alert whenever an attack is detected.
Denial of Services Thresholds
One Minute Low: This is the rate of new half-open sessions that causes the firewall to stop deleting half-open sessions.
One Minute High: This is the rate of new half-open sessions that causes the firewall to start deleting half-open sessions. The default is "100". When the rate of new connection attempts rises above this number, the Prestige deletes half-open sessions as required to accommodate new connection attempts.
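The interplay of the two one-minute thresholds and the per-host TCP Maximum Incomplete limit is easier to see in code. The following is an added model, not ZyXEL's implementation: the One Minute High default of 100 comes from the table above, while the One Minute Low value, the TCP Maximum Incomplete value and the reading of Blocking Time as "refuse new attempts to that host for N minutes" are assumptions made for the illustration.

```python
# Added example (not ZyXEL's code): a model of the half-open session
# thresholds described above. The One Minute High default of 100 is from the
# text; the One Minute Low, TCP Maximum Incomplete and Blocking Time values
# and the exact blocking semantics are constructed for the illustration.
from typing import Dict, List

class HalfOpenMonitor:
    def __init__(self, one_minute_low: int = 80, one_minute_high: int = 100,
                 tcp_max_incomplete: int = 10, blocking_time_min: int = 5):
        self.one_minute_low = one_minute_low
        self.one_minute_high = one_minute_high
        self.tcp_max_incomplete = tcp_max_incomplete
        self.blocking_time_min = blocking_time_min
        self.deleting = False                        # shedding half-open sessions?
        self._blocked_until: Dict[str, int] = {}     # dst host -> minute block ends

    def sample_rate(self, new_attempts: int) -> bool:
        """Feed the number of new half-open sessions seen in the last one-minute
        sample period. Returns True while the firewall is deleting half-open
        sessions. The two thresholds give hysteresis: deletion starts when the
        rate rises above One Minute High and stops only when it falls below
        One Minute Low, so a rate hovering between the two does not flap the
        firewall in and out of shedding mode every minute."""
        if new_attempts > self.one_minute_high:
            self.deleting = True
        elif new_attempts < self.one_minute_low:
            self.deleting = False
        return self.deleting

    def check_host(self, dst: str, half_open_to_dst: int, minute: int) -> bool:
        """Per-destination check for TCP Maximum Incomplete. Returns True when
        new connections to dst should be refused. Assumed semantics: once the
        count of half-open sessions to one host exceeds the maximum, new
        attempts to that host are refused for blocking_time_min minutes."""
        until = self._blocked_until.get(dst)
        if until is not None and minute < until:
            return True
        if half_open_to_dst > self.tcp_max_incomplete:
            self._blocked_until[dst] = minute + self.blocking_time_min
            return True
        return False

def rate_trace(samples: List[int]) -> List[bool]:
    """Returns the deleting state after each constructed per-minute sample."""
    mon = HalfOpenMonitor()          # low 80, high 100 (default from the text)
    return [mon.sample_rate(s) for s in samples]

def host_trace() -> List[bool]:
    """Constructed scenario against one LAN server: a normal minute, a burst
    that exceeds the maximum, a quiet minute still inside the blocking window,
    and a check after the window has passed."""
    mon = HalfOpenMonitor(tcp_max_incomplete=10, blocking_time_min=5)
    host = "192.168.1.25"            # constructed LAN server address
    return [
        mon.check_host(host, 3, minute=0),    # 3 half-open: fine
        mon.check_host(host, 25, minute=1),   # 25 > 10: blocked until minute 6
        mon.check_host(host, 0, minute=3),    # quiet, but inside the window
        mon.check_host(host, 0, minute=6),    # window over: allowed again
    ]

if __name__ == "__main__":
    print(rate_trace([50, 120, 95, 85, 70]))   # hysteresis between 80 and 100
    print(host_trace())
```

In the rate trace, the samples 95 and 85 sit between the two thresholds: the firewall keeps deleting half-open sessions until the rate actually falls below One Minute Low, which is the behaviour the table describes.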
This chapter contains instructions for defining both Local Network and Internet rules. 10.1 Rules Overview Firewall rules are subdivided into “Local Network” and “Internet”. By default, the Prestige’s stateful packet inspection allows all communications to the Internet that originate from the local network, and blocks all traffic to the LAN that originates from the Internet.
3. What is the direction of the connection: from the LAN to the Internet, or from the Internet to the LAN?
4. What IP services will be affected?
5. What computers on the LAN are to be affected (if any)?
6. What computers on the Internet will be affected? The more specific, the better. For example, if traffic is being allowed from the Internet to the LAN, it is better to allow only certain machines on the Internet to access the LAN.
Source Address: What is the connection’s source address; is it on the LAN or WAN? Is it a single IP, a range of IPs or a subnet?
Destination Address: What is the connection’s destination address; is it on the LAN or WAN? Is it a single IP, a range of IPs or a subnet?
10.3 Connection Direction
This section talks about configuring firewall rules for connections going from LAN to WAN and WAN to...
10.3.2 WAN to LAN Rules
The default rule for WAN to LAN traffic blocks all incoming connections (WAN to LAN). If you wish to allow certain WAN users to have access to your LAN, you will need to create custom rules to allow it. See the following figure.
The following table describes the labels in this screen.
Table 10-1 Firewall Logs
(Index): This is the index number of the firewall log. 128 entries are available, numbered from 0 to 127. Once they are all used, the log will wrap around and the old logs will be lost.
Time: This is the time the log was recorded in this format.
Reason: This field states the reason for the log; i.e., was the rule matched, not matched, or was there an attack. The set and rule coordinates (<X, Y> where X=1,2; Y=00~10) follow with a simple explanation. There are two policy sets; set 1 (X = 1) is for LAN to WAN rules and set 2 (X = 2) for WAN to LAN rules.
Click on Firewall, then Rule Summary to bring up the following screen. This screen is a summary of the existing rules. Note the order in which the rules are listed. The ordering of your rules is very important as rules are applied in turn.
Figure 10-4 Firewall Rules Summary: First Screen
The following table describes the labels in this screen.
Table 10-2 Firewall Rules Summary: First Screen
The default action for packets not matching following rules: Use the drop-down list box to select whether to Block (silently discard) or Forward (allow the passage of) packets that do not match the following rules.
Default Permit Log: Select this check box to log all matched rules in the default set.
defines the service. (Note that there may be more than one IP protocol type. For example, look at the default configuration labeled “(DNS)”.) supported. Custom services may also be configured using the Custom Ports function discussed later.
SERVICE: AIM/NEW_ICQ(TCP:5190), AUTH(TCP:113), BGP(TCP:179), BOOTP_CLIENT(UDP:68), BOOTP_SERVER(UDP:67)
Table 10-3 Predefined Services
NEWS(TCP:144): A protocol for news groups.
NFS(UDP:2049): Network File System - NFS is a client/server distributed file service that provides transparent file-sharing for network environments.
Other services: NNTP(TCP:119), PING(ICMP:0), POP3(TCP:110), PPTP(TCP:1723), PPTP_TUNNEL(GRE:0), RCMD(TCP:512), REAL_AUDIO(TCP:7070), REXEC(TCP:514), RLOGIN(TCP:513), RTELNET(TCP:107), RTSP(TCP/UDP:554), SFTP(TCP:115), SMTP(TCP:25), SNMP(TCP/UDP:161), SNMP-TRAPS(TCP/UDP:162), SQL-NET(TCP:1521)
SSDP(UDP:1900): Simple Service Discovery Protocol (SSDP) is a discovery service searching for Universal Plug and Play devices on your home network or upstream Internet gateways using UDP port 1900.
Other services: SSH(TCP/UDP:22), STRMWORKS(UDP:1558), SYSLOG(UDP:514), TACACS(UDP:49), TELNET(TCP:23), TFTP(UDP:69), VDOLIVE(TCP:7000)
10.7 Creating/Editing Firewall Rules
To create a new rule, click a number (No.) in the last screen shown to display the following screen.
Figure 10-5 Creating/Editing A Firewall Rule
The following table describes the labels in this screen.
Table 10-4 Creating/Editing A Firewall Rule
Source Address: Click SrcAdd to add a new address, SrcEdit to edit an existing one or SrcDelete to delete one.
Destination Address: Click DestAdd to add a new address, DestEdit to edit an existing one or DestDelete to delete one.
Services: Select a service in the Available Services box on the left, then click >> to select. The selected service shows up in the Selected Services box on the right.
Figure 10-6 Adding/Editing Source and Destination Addresses
The following table describes the labels in this screen.
Table 10-5 Adding/Editing Source and Destination Addresses
Address Type: Do you want your rule to apply to packets with a particular (single) IP address, a range of IP addresses (e.g., 192.168.1.10 to 192.169.1.50), a subnet or any IP address? Select an option from the drop-down list box that includes: Single Address, Range Address, Subnet Address and Any Address.
10.8.1 Factors Influencing Choices for Timeout Values
The factors influencing choices for timeout values are the same as the factors influencing choices for threshold values – see section 9.4.2. Click Timeout for either Local Network or Internet.
The following table describes the labels in this screen.
TCP Timeout Values
Connection Timeout...
Table 10-6 Timeout
Back: Click Back to return to the previous screen.
Apply: Click Apply to save your customized settings and exit this screen.
Cancel: Click Cancel to return to the previous configuration.
Chapter 11 Customized Services
This chapter covers creating, viewing and editing custom services.
11.1 Introduction to Customized Services
Configure customized services and port numbers not predefined by the Prestige (see Figure 10-5). For a comprehensive list of port numbers and services, visit the IANA (Internet Assigned Numbers Authority) website.
Customized Services: This is the number of your customized port. Click a rule’s number of a service to go to the Firewall Customized Services Config screen to configure or edit a customized service.
Name: This is the name of your customized service.
Protocol: This shows the IP protocol (TCP, UDP or Both) that defines your customized service.
Table 11-2 Creating/Editing A Customized Service
Service Name: Type a unique name for your custom port.
Service Type: Choose the IP port (TCP, UDP or TCP/UDP) that defines your customized port from the drop-down list box.
Port Configuration Type: Click Single to specify one port only or Range to specify a span of ports that define your customized service.
Step 1. Click SrcAdd to open the Rule IP Config screen. Configure it as follows and click Apply.
Step 5. Click Edit Available Service in the Edit rule screen and then click a rule number to bring up the Firewall Customized Services Config screen. Configure as follows.
Figure 11-5 Customized Service for MyService Example
Customized services show up with an “*”...
Step 4. Follow the procedures outlined earlier in this chapter to configure all your rules. Configure the rule configuration screen like the one below and apply it. Click Apply when finished.
Figure 11-6 Syslog Rule Configuration Example
This is the address range of the MyService computers.
Step 6. On completing the configuration procedure for these Internet firewall rules, the Rule Summary screen should look like the following. Don’t forget to click Apply when you have finished configuring your rule(s) to save your settings back to the Prestige. This rule allows a MyService connection from the WAN.
Chapter 12 Content Filtering
This chapter covers how to configure content filtering.
12.1 Content Filtering Overview
Internet content filtering allows you to create and enforce Internet access policies tailored to your needs. Content filtering gives you the ability to block web sites that contain key words (that you specify) in the URL.
The following table describes the labels in this screen.
Enable Keyword Blocking: Select this check box to enable this feature.
Block Websites that contain these keywords in: This box contains the list of all the keywords that you have configured the Prestige to block.
Add Keyword: Click Add Keyword after you have typed a keyword. Repeat this procedure to add other keywords. Up to 127 keywords are allowed. When you try to access a web page containing a keyword, you will get a message telling you that the content filter is blocking this request.
Days to Block: Select a check box to configure which days of the week (or everyday) you want the content filtering to be active.
Time of Day to Block: Use the 24 hour format to configure which time of the day (or select the All day check box) you want the content filtering to be active.
(End IP Address): Type the ending IP address of a specific range of users on your LAN that you want to exclude from content filtering. Leave this field blank if you want to exclude an individual computer.
Back: Click Back to return to the previous screen.
Apply: Click Apply to save your changes back to the Prestige.
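The keyword list, day and time schedule and excluded address range described in these tables combine into a single per-request decision. The following added example (not the Prestige's code) shows one way to evaluate it: keyword matching is a case-insensitive substring test on the URL, the 127-keyword limit from the table is enforced, and a blank end address means a single excluded computer. The policy, hosts and URLs are constructed for the illustration.

```python
# Added example (not ZyXEL's code): a keyword URL filter with the controls in
# the tables above: a keyword list capped at 127 entries, active days and a
# 24-hour time window (or all day), and an excluded LAN address range.
import ipaddress
from datetime import datetime, time
from typing import Iterable, Optional, Set

MAX_KEYWORDS = 127   # limit stated in the table above

class ContentFilter:
    def __init__(self, keywords: Iterable[str], days: Set[int],
                 start: time = time(0, 0), end: time = time(23, 59),
                 all_day: bool = False,
                 exclude_start: Optional[str] = None,
                 exclude_end: Optional[str] = None):
        kws = [k.strip().lower() for k in keywords if k.strip()]
        if len(kws) > MAX_KEYWORDS:
            raise ValueError(f"at most {MAX_KEYWORDS} keywords are allowed")
        self.keywords = kws
        self.days = days            # 0 = Monday ... 6 = Sunday (datetime.weekday)
        self.start, self.end, self.all_day = start, end, all_day
        # A blank end address means a single excluded computer, as the table says.
        self._ex_start = ipaddress.ip_address(exclude_start) if exclude_start else None
        self._ex_end = ipaddress.ip_address(exclude_end) if exclude_end else self._ex_start

    def is_active(self, when: datetime) -> bool:
        """Days to Block / Time of Day to Block."""
        if when.weekday() not in self.days:
            return False
        if self.all_day:
            return True
        return self.start <= when.time() <= self.end

    def is_excluded(self, client_ip: str) -> bool:
        """Exclusion range: hosts here are never filtered."""
        if self._ex_start is None:
            return False
        ip = ipaddress.ip_address(client_ip)
        return self._ex_start <= ip <= self._ex_end

    def matched_keyword(self, url: str) -> Optional[str]:
        """Case-insensitive substring match of each keyword against the URL."""
        lowered = url.lower()
        for kw in self.keywords:
            if kw in lowered:
                return kw
        return None

    def should_block(self, client_ip: str, url: str, when: datetime) -> bool:
        """True when the request would receive the 'content filter is
        blocking this request' message."""
        if not self.is_active(when) or self.is_excluded(client_ip):
            return False
        return self.matched_keyword(url) is not None

def build_demo_filter() -> ContentFilter:
    # Constructed policy: block Monday-Friday 08:00-18:00, exempt two admin hosts.
    return ContentFilter(
        keywords=["casino", "games"],
        days={0, 1, 2, 3, 4},
        start=time(8, 0), end=time(18, 0),
        exclude_start="192.168.1.2", exclude_end="192.168.1.3",
    )

def demo_decision(client_ip: str, url: str,
                  year: int, month: int, day: int, hour: int, minute: int) -> bool:
    """Evaluates one constructed request against the demo policy."""
    return build_demo_filter().should_block(client_ip, url,
                                            datetime(year, month, day, hour, minute))

if __name__ == "__main__":
    # Monday 7 June 2004, 10:00: office hours, blocked for an ordinary host.
    print(demo_decision("192.168.1.50", "http://www.example-casino.test/", 2004, 6, 7, 10, 0))
```

Because the match is a plain substring test, a keyword such as "games" also blocks host names and paths that merely contain it; keep keywords specific, and use the exclusion range for the hosts that legitimately need unfiltered access.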
The following table describes the labels in this screen.
Page: Choose a page of logs from the drop-down list box to display.
(Index): This is the index number of the content filter log.
Time: This field displays the time of the log.
Source IP: This field displays the IP address of the computer accessing the web site.
Part IV: VPN/IPSec
This part provides information about configuring VPN/IPSec for secure communications.
13.1 VPN Overview A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing technologies/services used to transport traffic over the Internet or any insecure network that uses the TCP/IP protocol suite for communication.
Data Confidentiality: The IPSec sender can encrypt packets before transmitting them across a network.
Data Integrity: The IPSec receiver can validate packets sent by the IPSec sender to ensure that the data has not been altered during transmission.
Data Origin Authentication: The IPSec receiver can verify the source of IPSec packets.
Figure 13-3 IPSec Architecture
13.2.1 IPSec Algorithms
The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms). The Encryption Algorithm describes the use of encryption techniques such as DES (Data Encryption Standard) and Triple DES algorithms.
13.3 Encapsulation
The two modes of operation for IPSec VPNs are Transport mode and Tunnel mode.
Figure 13-4 Transport and Tunnel Mode IPSec Encapsulation
13.3.1 Transport Mode
Transport mode is used to protect upper layer protocols and only affects the data in the IP packet. In Transport mode, the IP packet contains the security protocol (AH or ESP) located after the original IP header and options, but before any upper layer protocols contained in the packet (such as TCP and UDP).
A NAT device in between the IPSec endpoints will rewrite either the source or destination address with one of its own choosing. The VPN device at the receiving end will verify the integrity of the incoming packet by computing its own hash value, and complain that the hash value appended to the received packet doesn't match.
Chapter 14 VPN Screens
This chapter introduces the VPN screens. See the Logs chapter for information on viewing logs and the Reference Guide for IPSec log descriptions.
14.1 VPN/IPSec Overview
Use the screens documented in this chapter to configure rules for VPN connections and manage VPN connections.
DES (default): Data Encryption Standard (DES) is a widely used method of data encryption using a private (secret) key. DES applies a 56-bit key to each 64-bit block of data.
3DES: Triple DES (3DES) is a variant of DES, which iterates three times with three separate keys (3 x 56 = 168 bits), effectively doubling the strength of DES.
The Secure Gateway IP Address may be configured as 0.0.0.0 only when using IKE key management and not Manual key management.
14.5 VPN Summary Screen
The following figure helps explain the main fields in the web configurator.
Figure 14-1 IPSec Summary Fields
Local and remote IP addresses must be static.
The following table describes the labels in this screen.
(Index): This is the VPN policy index number. Click a number to edit VPN policies.
Name: This field displays the identification name for this VPN policy.
Active: This field displays whether the VPN policy is active or not. A "Y" signifies that this VPN policy is active.
IPSec Algorithm: This field displays the security protocols used for an SA. Both AH and ESP increase Prestige processing requirements and communications latency (delay).
Secure Gateway: This is the IP address of the remote IPSec router. This must be a fixed, public IP address for traffic going through the Internet.
With main mode (see section 14.10.1), the ID type and content are encrypted to provide identity protection. In this case the Prestige can only distinguish between up to eight different incoming SAs that connect from remote IPSec routers that have dynamic WAN IP addresses. The Prestige can distinguish up to eight incoming SAs because you can select between two encryption algorithms (DES and 3DES), two authentication algorithms (MD5 and SHA1) and two key groups (DH1 and DH2) when you configure a VPN rule (see section 14.11).
Table 14-5 Matching ID Type and Content Configuration Example
PRESTIGE A
Local ID type: E-mail
Local ID content: tom@yourcompany.com
Peer ID type: IP
Peer ID content: 1.1.1.2
The two Prestiges in this example cannot complete their negotiation because Prestige B’s Local ID type is IP, but Prestige A’s Peer ID type is set to E-mail.
The following table describes the labels in this screen.
IPSec Setup
Active: Select this check box to activate this VPN policy.
Keep Alive: Select either Yes or No from the drop-down list box. Select Yes to have the Prestige automatically reinitiate the SA after the SA lifetime times out, even if there is no traffic.
Local Address Type: Use the drop-down menu to choose Single, Range, or Subnet. Select Single for a single IP address. Select Range for a specific range of IP addresses. Select Subnet to specify IP addresses on a network by their subnet mask.
IP Address Start: When the Local Address Type field is configured to Single, enter a (static) IP address on the LAN behind your Prestige.
End / Subnet Mask: When the Remote Address Type field is configured to Single, enter the IP address in the IP Address Start field again here. When the Remote Address Type field is configured to Range, enter the end (static) IP address, in a range of computers on the network behind the remote IPSec router.
Table 14-7 VPN IKE
Content: When you select IP in the Peer ID Type field, type the IP address of the computer with which you will make the VPN connection or leave the field blank to have the Prestige automatically use the address in the Secure Gateway Address field.
Authentication Algorithm: Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA-1 for maximum security.
Choose a Diffie-Hellman public-key cryptography key group (DH1 or DH2). Set the IKE SA lifetime. This field allows you to determine how long an IKE SA should stay up before it times out. An IKE SA times out when the IKE SA lifetime period expires. If an IKE SA times out when an IPSec SA is already established, the IPSec SA stays connected.
14.10.3 Perfect Forward Secrecy (PFS)
Enabling PFS means that the key is transient. The key is thrown away and replaced by a brand new key using a new Diffie-Hellman exchange for each new IPSec SA setup. With PFS enabled, if one key is compromised, previous and subsequent keys are not compromised, because subsequent keys are not derived from previous keys.
Figure 14-5 VPN IKE: Advanced
The following table describes the labels in this screen.
Table 14-8 VPN IKE: Advanced
VPN - IKE
Protocol: Enter 1 for ICMP, 6 for TCP, 17 for UDP, etc. 0 is the default and signifies any protocol.
Enable Replay Protection: As a VPN setup is processing intensive, the system is vulnerable to Denial of Service (DoS) attacks. The IPSec receiver can detect and reject old or duplicate packets to protect against replay attacks. Select YES from the drop-down menu to enable replay detection, or select NO to disable it.
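The replay detection this field enables is, in the IPSec RFCs, a sliding window over the AH or ESP sequence number: a packet whose number falls left of the window, or that is already marked as received, is dropped before the receiver spends cycles on decryption or integrity checking, which is why the check also helps against the DoS concern the table raises. The following added example (not the Prestige's implementation) shows that algorithm with a 64-packet window; the sequence-number trace is constructed.

```python
# Added example (not ZyXEL's code): the sliding-window anti-replay check the
# IPSec RFCs describe for AH and ESP receivers (RFC 2401 Appendix C style).
# Sequence numbers at or left of the window, and numbers already marked as
# received, are rejected before any decryption or ICV computation.
from typing import List

class ReplayWindow:
    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("RFC 2401 requires a replay window of at least 32")
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number (top - i) was received

    def check(self, seq: int) -> bool:
        """Preliminary check, done before the expensive authentication step.
        Returns True if seq is new and inside (or to the right of) the window."""
        if seq == 0:
            return False                        # 0 is never a valid sequence number
        if seq > self.top:
            return True                         # right of the window: new
        diff = self.top - seq
        if diff >= self.size:
            return False                        # left of the window: too old
        return not (self.bitmap >> diff) & 1    # inside: reject if already seen

    def update(self, seq: int) -> None:
        """Record seq as received. Call only after the packet authenticated;
        otherwise a forged sequence number could slide the window forward and
        cause legitimate in-flight packets to be dropped."""
        mask = (1 << self.size) - 1
        if seq > self.top:
            shift = seq - self.top
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            else:
                self.bitmap = 1                 # whole old window slid out
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, seq: int, authenticated: bool = True) -> bool:
        """Receive path for one packet: replay check, then (simulated)
        authentication, then window update. Returns True if accepted."""
        if not self.check(seq):
            return False
        if not authenticated:
            return False                        # failed ICV: window untouched
        self.update(seq)
        return True

def run_trace(seqs: List[int]) -> List[bool]:
    """Feeds a constructed sequence-number trace through one window and
    returns the accept/reject decision for each packet."""
    win = ReplayWindow(size=64)
    return [win.receive(s) for s in seqs]

if __name__ == "__main__":
    # 1,2,3 in order; 2 replayed; jump to 100; 30 now too old; 50 still in
    # window (reordered delivery); 50 replayed; 0 invalid.
    print(run_trace([1, 2, 3, 2, 100, 30, 50, 50, 0]))
```

Reordered packets such as 50 after 100 are still accepted because they fall inside the window, so enabling replay protection does not break links that deliver packets slightly out of order; only genuine duplicates and packets older than the window are dropped.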
Encryption Algorithm: Select DES or 3DES from the drop-down list box. When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code.
Authentication Algorithm: Select SHA1 or MD5 from the drop-down list box. MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm) are hash algorithms used to authenticate packet data. The SHA1 algorithm is generally considered stronger than MD5, but is slower. Select MD5 for minimal security and SHA-1 for maximum security.
Current ZyXEL implementation assumes identical outgoing and incoming SPIs.
14.13 Configuring Manual Key
You only configure VPN Manual Key when you select Manual in the Key Management field on the VPN IKE screen. This is the VPN Manual Key screen as shown next.
Figure 14-6 VPN Manual Key
The following table describes the labels in this screen.
IPSec Setup
Active: Select this check box to activate this VPN policy.
Name: Type up to 32 characters to identify this VPN policy. You may use any character, including spaces, but the Prestige drops trailing spaces.
IPSec Key Mode: Select IKE or Manual from the drop-down list box.
IP Address Start: When the Local Address Type field is configured to Single, enter a (static) IP address on the LAN behind your Prestige. When the Local Address Type field is configured to Range, enter the beginning (static) IP address, in a range of computers on your LAN behind your Prestige.
My IP Address: Enter the WAN IP address of your Prestige. The Prestige uses its current WAN IP address (static or dynamic) in setting up the VPN tunnel if you leave this field as 0.0.0.0. The VPN tunnel has to be rebuilt if this IP address changes.
Secure Gateway Address: Type the WAN IP address or the URL (up to 31 characters) of the IPSec router with...
Apply: Click Apply to save your changes back to the Prestige.
Cancel: Click Cancel to begin configuring this screen afresh.
Delete: Click Delete to remove the current rule.
14.14 Viewing SA Monitor
Click VPN and Monitor to open the SA Monitor screen as shown. Use this screen to display and manage active VPN connections.
The following table describes the labels in this screen.
(Index): This is the security association index number.
Name: This field displays the identification name for this VPN policy.
Encapsulation: This field displays Tunnel or Transport mode.
IPSec Algorithm: This field displays the security protocols used for an SA. Both AH and ESP increase Prestige processing requirements and communications latency (delay).
Back: Click Back to return to the previous screen.
Apply: Click Apply to save your changes back to the Prestige.
Refresh: Click Refresh to display the current active VPN connection(s).
14.15 Configuring Global Setting
To change your Prestige’s global settings, click VPN and then Global Setting. The screen appears as shown. The following table describes the labels in this screen.
14.16 Configuring IPSec Logs
To view IPSec logs in this screen, click Advanced Setup, VPN, and then Logs to open the screen shown next. The following table describes the labels in this screen.
Back: Click Back to return to the previous screen.
Previous Page: Click Previous Page to view more logs.
Double exclamation marks (!!) denote an error or warning message. The following table shows sample log messages during IKE key exchange.
Table 14-13 Sample IKE Key Exchange Logs
LOG MESSAGE
Cannot find outbound SA for rule <#d>
Send Main Mode request to <IP>
Send Aggressive Mode request to <IP>...
Table 14-14 Sample IPSec Logs During Packet Transmission
LOG MESSAGE
!! Inbound packet authentication failed
!! Inbound packet decryption failed
Rule <#d> idle time out, disconnect
The following table shows RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type.
14.17 Telecommuter VPN/IPSec Examples The following examples show how multiple telecommuters can make VPN connections to a single Prestige at headquarters. The telecommuters use IPSec routers with dynamic WAN IP addresses. The Prestige at headquarters has a static public IP address. 14.17.1 Telecommuters Sharing One VPN Rule Example See the following figure and table for an example configuration that allows multiple telecommuters (A, B...
14.17.2 Telecommuters Using Unique VPN Rules Example In this example the telecommuters (A, B and C in the figure) use IPSec routers with domain names that are mapped to their dynamic WAN IP addresses (use Dynamic DNS to do this). With aggressive negotiation mode (see section 14.10.1), the Prestige can use the ID types and contents to distinguish between VPN rules.
Remote Management Configuration
15.1 Remote Management Overview
Remote management allows you to determine which services/protocols can access which Prestige interface (if any) from which computers. You may manage your Prestige from a remote location via:
• Internet (WAN only)
• LAN only
To disable remote management of a service, select Disable in the corresponding Server Access field.
Use the Prestige’s WAN IP address when configuring from the WAN. Use the Prestige’s LAN IP address when configuring from the LAN. 15.1.3 System Timeout There is a system timeout of five minutes (three hundred seconds) for either the console port or telnet/web/FTP connections.
15.5 Configuring Remote Management
Click Remote Management to open the following screen. The following table describes the labels in this screen.
Server Type: Each of these labels denotes a service that you may use to remotely manage the Prestige.
Access: Select the access interface.
Universal Plug-and-Play (UPnP)
16.1 Universal Plug and Play Overview
Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities and learn about other devices on the network.
All UPnP-enabled devices may communicate freely with each other without additional configuration. Disable UPnP if this is not your intention. 16.1.4 UPnP and ZyXEL ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum Creates UPnP™ Implementers Corp. (UIC). ZyXEL's UPnP implementation supports IGD 1.0 (Internet Gateway Device). At the time of writing ZyXEL's UPnP implementation supports Windows Messenger 4.6 and 4.7 while Windows Messenger 5.0 and Xbox are still being tested.
Enable the Universal Plug and Play (UPnP) Service: Select this check box to activate UPnP. Be aware that anyone could use a UPnP application to open the web configurator's login screen without entering the Prestige's IP address (although you must still enter the password to access the web configurator).
Installing UPnP in Windows Me
Follow the steps below to install UPnP in Windows Me.
Step 1. Click Start and Control Panel. Double-click Add/Remove Programs.
Step 2. Click on the Windows Setup tab and select Communication in the Components selection box. Click Details.
Step 3.
Installing UPnP in Windows XP
Follow the steps below to install UPnP in Windows XP.
Step 1. Click start and Control Panel.
Step 2. Double-click Network Connections.
Step 3. In the Network Connections window, click Advanced in the main menu and select Optional Networking Components ….
16.4 Using UPnP in Windows XP Example
This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the Prestige. Make sure the computer is connected to a LAN port of the Prestige. Turn on your computer and the Prestige.
Auto-discover Your UPnP-enabled Network Device
Step 1.
Step 3. In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created.
Step 5. Select the Show icon in notification area when connected option and click OK. An icon displays in the system tray.
When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically.
Step 6. Double-click on the icon to display your current Internet connection status.
Web Configurator Easy Access Example
With UPnP, you can access the web-based configurator on the Prestige without finding out the IP address of the Prestige first. This is helpful if you do not know the IP address of the Prestige. Follow the steps below to access the web configurator.
Step 4. An icon with the description for each UPnP-enabled device displays under Local Network.
Step 5. Right-click on the icon for your Prestige and select Invoke. The web configurator login screen displays.
Step 6. Right-click on the icon for your Prestige and select Properties.
Prestige 792H G.SHDSL Router Part VI: Maintenance This part covers the maintenance screens. Troubleshooting 17-1...
Chapter 17 Maintenance This chapter displays system information such as ZyNOS firmware, port IP addresses and port traffic statistics. 17.1 Maintenance Overview Use the maintenance screens to view system information, upload new firmware, manage configuration and restart your Prestige.
Figure 17-1 System Status The following table describes the labels in this screen.
LABEL System Status System Name This is the name of your Prestige. It is for identification purposes. ZyNOS F/W Version This is the ZyNOS firmware version and the date created. ZyNOS is ZyXEL's proprietary Network Operating System design. DSL FW Version This is the DSL firmware version associated with your Prestige. Standard This is the standard that your Prestige is using.
17.2.1 System Statistics Click Show Statistics in the System Status screen to open the following screen. Read-only information here includes port status and packet specific statistics. Also provided are "system up time" and "poll interval(s)". The Poll Interval(s) field is configurable. Figure 17-2 System Status: Show Statistics The following table describes the labels in this screen.
Table 17-2 System Status: Show Statistics LABEL WAN Port Statistics This is the WAN port. Link Status This is the status of your WAN link. Transfer Rate This is the transfer rate in kbps. Upstream Speed This is the upstream speed of your Prestige. Downstream Speed This is the downstream speed of your Prestige.
LABEL above. Stop Click this button to halt the refreshing of the system statistics. 17.3 DHCP Table Screen DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the Prestige as a DHCP server or disable it.
LABEL MAC Address This field displays the MAC (Media Access Control) address of the computer with the displayed host name. Every Ethernet device has a unique MAC address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. 17.4 Diagnostic Screens These read-only screens display information to help you identify problems with the Prestige.
The following table describes the labels in this screen. LABEL TCP/IP Address Type the IP address of a computer that you want to ping in order to test a connection. Ping Click this button to ping the IP address that you entered. Click this button to reboot the Prestige.
LABEL Back Click this button to go back to the main Diagnostic screen. 17.4.2 Diagnostic DSL Line Screen Click Diagnostic and then DSL Line to open the screen shown next. The following table describes the labels in this screen. LABEL Reset xDSL Click this button to reinitialize the xDSL line.
“Start to reset xDSL... Reset xDSL Line Successfully!” Back Click this button to go back to the main Diagnostic screen. 17.5 Firmware Screen Find firmware at www.zyxel.com extension, e.g., "Prestige.bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes.
The following table describes the labels in this screen. LABEL File Path Type in the location of the file you want to upload in this field or click Browse ... to find it. Browse... Click Browse... to find the .bin file you want to upload. Remember that you must decompress compressed (.zip) files before you can upload them.
SMT General Configuration This part covers System Management Terminal configuration for general setup, LAN setup, wireless LAN setup, Internet access, remote nodes, remote node TCP/IP, static routing and NAT. See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.
This chapter explains how to access and navigate the System Management Terminal and gives an 18.1 SMT Introduction The Prestige’s SMT (System Management Terminal) is a menu-driven interface that you can access from a terminal emulator through the console port or over a telnet connection. 18.1.1 Procedure for SMT Configuration via Console Port Follow the steps below to access your Prestige via the console port.
Please note that if there is no activity for longer than five minutes after you log in, your Prestige will automatically log you out. Enter Password : **** Figure 18-1 Login Screen 18.1.4 Prestige SMT Menu Overview The following figure gives you an overview of the various SMT menu screens of your Prestige.
(Figure: Prestige 650HW Main Menu overview: Menu 1 General Setup with Menu 1.1 Configure Dynamic DNS; Menu 3 LAN Setup with Menu 3.1 LAN Port Filter Setup, Menu 3.2 TCP/IP and DHCP Setup, Menu 3.2.1 IP Alias Setup, Menu 3.5 Wireless LAN and Menu 3.5.1 WLAN MAC...; Menu 4 Internet Access Setup.)
18.2 Navigating the SMT Interface The SMT (System Management Terminal) is the interface that you use to configure your Prestige. Several operations that you should be familiar with before you attempt to modify the configuration are listed in the table below.
Figure 18-3 SMT Main Menu (Copyright (c) 1994 - 2003 ZyXEL Communications Corp. Prestige 792H Main Menu; the Advanced Management section lists Filter and Firewall Setup, SNMP Configuration, System Maintenance and IP Routing Policy Setup; Enter Menu Selection Number:) Table 18-2 Main Menu Summary Use this menu to set up your general information.
MENU TITLE Schedule Setup VPN/IPSec Setup Exit 18.3 Changing the System Password Change the Prestige default password by following the steps shown next. Step 1. Enter 23 in the main menu to display Menu 23 - System Security. Step 2.
Menu 1 - General Setup contains administrative and system-related information. 19.1 General Setup Menu 1 — General Setup contains administrative and system-related information (shown next). The System Name field is for identification purposes. However, because some ISPs check this name you should enter your computer's "Computer Name".
System Name= ? Location= Contact Person's Name= Domain Name= Edit Dynamic DNS= No Route IP= Yes Bridge= No Fill in the required fields. Refer to the table shown next for more information about these fields. FIELD System Name Enter a descriptive name for identification purposes.
19.2.1 Configuring Dynamic DNS If you have a private WAN IP address, then you cannot use Dynamic DNS. To configure Dynamic DNS, go to Menu 1 — General Setup and select Yes in the Edit Dynamic DNS field. Press [ENTER] to display Menu 1.1 — Configure Dynamic DNS as shown next. Service Provider = WWW.DynDNS.ORG Active= Yes Host= me.ddns.org...
This chapter shows you how to configure the WAN settings of your Prestige. 20.1 WAN Setup Use Menu 2 – WAN Setup to configure G.SHDSL settings for your WAN line. Different telephone companies deploy different types of G.SHDSL service. If you are unsure of any of this information, please check with your telephone company.
Rate Adaption Press [SPACE BAR] to select Enable (activate) or Disable (deactivate). Transfer Max Rate (2312 Kbps) Press [SPACE BAR] to select a Transfer Max Rate greater than or equal to the Transfer Min Rate and press [ENTER] to continue. Transfer Min Rate (2312 Kbps) Press [SPACE BAR] to select a Transfer Min Rate less than or equal to the
This chapter shows you how to configure Dial Backup for your Prestige. 21.1 Dial Backup Overview To set up the auxiliary port (Dial Backup or CON/AUX) for use in the event that the regular WAN connection is dropped, first make sure you have set up the switch and port connection (see the Hardware Installation chapter of the Quick Start Guide), then configure: Menu 2 - WAN Setup, Menu 2.1 - Advanced WAN Setup and...
FIELD Dial-Backup: Active Use this field to turn the dial-backup feature on (Yes) or off (No). Port Speed Press [SPACE BAR] and then press [ENTER] to select the speed of the connection between the Dial Backup port and the external device. Available speeds are: 9600, 19200, 38400, 57600, 115200 or 230400 bps.
AT Command Strings: Dial= atdt Drop= ~~+++~~ath Answer= ata Drop DTR When Hang Up= Yes AT Response Strings: CLID= NMBR = Called Id= Speed= CONNECT Table 21-2 Advanced WAN Port Setup: AT Commands Fields FIELD AT Command Strings: Dial Enter the AT Command string to make a call. Drop Enter the AT Command string to drop a call.
Table 21-2 Advanced WAN Port Setup: AT Commands Fields FIELD Speed Enter the keyword preceding the connection speed. Table 21-3 Advanced WAN Port Setup: Call Control Parameters FIELD Call Control Dial Timeout (sec) Enter a number of seconds for the Prestige to keep trying to set up an outgoing call before timing out (stopping).
Rem Node Name= ? Active= Yes Outgoing: My Login= My Password= ******** Authen= CHAP/PAP Pri Phone #= ? Sec Phone #= Figure 21-3 Remote Node Profile (Backup ISP) Table 21-4 Remote Node Profile (Backup ISP) FIELD Rem Node Name Enter a descriptive name for the remote node. This field can be up to eight characters.
Table 21-4 Remote Node Profile (Backup ISP) FIELD Pri Phone # Enter the first (primary) phone number from the ISP for this remote node. Sec Phone # If the Primary Phone number is busy or does not answer, your Prestige dials the Secondary Phone number if available.
Table 21-4 Remote Node Profile (Backup ISP) FIELD Once you have configured this menu, press [ENTER] at the message “Press ENTER to Confirm...” to save your configuration, or press [ESC] at any time to cancel. 21.2.1 Editing PPP Options The Prestige’s dial backup feature uses PPP. To edit the remote node PPP Options, move the cursor to the Edit PPP Options field in Menu 11.1 - Remote Node Profile, and use the space bar to select Yes.
Move the cursor to the Edit IP field in menu 11.1, then press [SPACE BAR] to select Yes. Press [ENTER] to open Menu 11.3 - Network Layer Options. Menu 11.3 - Remote Node Network Layer Options Figure 21-6 Remote Node Network Layer Options Table 21-5 Remote Node Network Layer Options FIELD...
Table 21-5 Remote Node Network Layer Options FIELD Private This parameter determines if the Prestige will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcasts. If No, the route to this remote node will be propagated to other hosts through RIP broadcasts.
This chapter shows you how to configure the LAN settings for your Prestige. 22.1 Ethernet Setup This section describes how to configure the Ethernet using Menu 3 – Ethernet Setup. From the main menu, enter 3 to open the menu as follows. 22.1.1 LAN Port Filter Setup In this menu type 1 to open Menu 3.1 - LAN Port Filter Setup.
If you need to define filters, please read the Filter Configuration chapter first, then return to this menu. 22.1.2 IP Alias Setup Use Menu 3.2 to configure the first network. To edit Menu 3.2, enter 3 from the main menu to display Menu 3 —...
Follow the instructions in the following table to configure IP Alias parameters. FIELD IP Alias Choose Yes to configure the LAN network for the Prestige. IP Address Enter the IP address of your Prestige in dotted decimal notation. IP Subnet Mask Your Prestige will automatically calculate the subnet mask based on the IP address that you assign.
22.1.4 TCP/IP Ethernet Setup and DHCP Use menu 3.2 to configure your Prestige for TCP/IP. To edit Menu 3.2, enter 3 from the main menu to display Menu 3 — Ethernet Setup. When menu 3 appears, press 2 and press [ENTER] to display Menu 3.2 — TCP/IP and DHCP Ethernet Setup as shown next. Menu 3.2 - TCP/IP and DHCP Ethernet Setup DHCP Setup:...
Table 22-2 TCP/IP and DHCP Ethernet Setup FIELD DHCP Setup DHCP If set to Server, your Prestige can assign IP addresses, an IP default gateway and DNS servers to Windows 95, Windows NT and other systems that support the DHCP client. If set to None, the DHCP server will be disabled.
Table 22-2 TCP/IP and DHCP Ethernet Setup FIELD Multicast IGMP (Internet Group Multicast Protocol) is a network-layer protocol used to establish membership in a Multicast group. The Prestige supports both IGMP version 1 (IGMP-v1) and version 2 (IGMP-v2). Press the [ Multicasting or select None to disable it.
This chapter shows you how to configure your Prestige for Internet Access. 23.1 Internet Access Overview This section provides information on configuring your Prestige for Internet access. It includes information on encapsulation types, IP address assignment and ATM networks. 23.2 Internet Access Setup Menu 4 allows you to enter the Internet Access information in one screen.
FIELD ISP’s Name Enter the name of your Internet Service Provider. This information is for identification purposes only. Encapsulation Press [ used by your ISP. Choices are PPPoE, PPPoA, RFC 1483 or ENET ENCAP. Multiplexing Press [ used by your ISP.
FIELD Idle Timeout This value specifies the number of idle seconds that elapse before the Prestige automatically disconnects the PPPoE session. IP Address Press [ Assignment assignment. IP Address Enter the IP address supplied by your ISP if applicable. Network Address Press [ Translation Feature.
24.1 Remote Node Overview This section describes the protocol-independent parameters for a remote node. A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection. When you use Menu 4 to set up Internet access, you are configuring one of the remote nodes.
Prestige 791R G.SHDSL Router Enter Node # to Edit: 24.2.1 Encapsulation and Multiplexing Scenarios For Internet access you should use the encapsulation and multiplexing methods used by your ISP. For LAN-to-LAN applications, for example, between a branch office and corporate headquarters, prior agreement on methods is necessary because encapsulation and multiplexing cannot be automatically determined.
Menu 11.1 - Remote Node Profile Rem Node Name= myISP Active= Yes Encapsulation= RFC-1483 Multiplexing= VC-based Incoming: Rem Login= N/A Rem Password= N/A Outgoing: My Login= N/A My Password= N/A Authen= N/A Press Space Bar to Toggle. FIELD Rem Node Name Active Encapsulation Multiplexing...
FIELD Rem Password Outgoing: My Login My Password Authen Route Bridge Edit IP/Bridge Edit ATM Options Telco Option Allocated Budget (min) Period (hr) Table 24-1 Remote Node Profile DESCRIPTION Type the password used when this remote node calls your Prestige.
FIELD Schedule Sets Nailed up Connection Session Options Edit Filter Sets Idle Timeout (sec) When you have completed this menu, press [ENTER] at the prompt “Press ENTER to confirm or ESC to cancel” to save your configuration or press [ESC] to cancel and go back to the previous screen. 24.3 Remote Node Network Layer Options Perform the following steps to edit Menu 11.3 –...
Figure 24-3 Remote Node Network Layer Options Table 24-2 Remote Node Network Layer Options FIELD IP Options IP Address Assignment Press [SPACE BAR] and then [ENTER] to select Dynamic if the remote node is using a dynamically assigned IP address or Static if it is using a static (fixed) IP address.
Table 24-2 Remote Node Network Layer Options FIELD Private This determines if the Prestige will include the route to this remote node in its RIP broadcasts. If set to Yes, this route is kept private and not included in RIP broadcasts. If No, the route to this remote node will be propagated to other hosts through RIP broadcasts.
Figure 24-4 Sample IP Addresses for a TCP/IP LAN-to-LAN Connection 24.4 Remote Node Filter Move the cursor to the Edit Filter Sets field in menu 11.1, then press [SPACE BAR] to select Yes. Press [ENTER] to display Menu 11.5 – Remote Node Filter. Use Menu 11.5 –...
Figure 24-6 Remote Node Filter (RFC1483 or ENET ENCAP Encapsulation) 24.5 Editing ATM Layer Options Follow these steps to edit Menu 11.6 – Remote Node ATM Layer Options. Step 1. In Menu 11.1, move the cursor to the Edit ATM Options field, then press [SPACE BAR] to toggle and set the value to Yes.
24.5.2 LLC-based Multiplexing or PPP Encapsulation For LLC-based multiplexing or PPP encapsulation, one VC carries multiple protocols with protocol identifying information being contained in each packet header. Menu 11.6 - Remote Node ATM Layer Options VPI/VCI (LLC-Multiplexing or PPP-Encapsulation) VPI #= 0 VCI #= 38 ATM QoS Type= UBR...
Chapter 25 Static Route Setup This chapter shows how to set up IP static routes. 25.1 Static Route Overview Static routes tell the Prestige routing information that it cannot learn automatically through other means. This can arise in cases where RIP is disabled on the LAN or a remote network is beyond the one that is directly connected to a remote node.
Step 1. To configure an IP static route, use Menu 12 – Static Route Setup (shown next). See the bridging chapter for more information on Bridge Static Routes. Step 2. From Menu 12, select 1 to open Menu 12.1 – IP Static Route Setup, as shown next. Now, type the index number of one of the static routes you want to configure.
FIELD Route # This is the index number of the static route that you chose in menu 12.1. Route Name Type a descriptive name for this route. This is for identification purposes only. Active This field allows you to activate/deactivate this static route. Destination IP Address This parameter specifies the IP network address of the final destination.
This chapter shows you how to configure the bridging parameters of your Prestige. 26.1 Bridging Overview Bridging bases the forwarding decision on the MAC (Media Access Control), or hardware address, while routing does it on the network layer (IP) address. Bridging allows the Prestige to transport packets of network layer protocols that it does not route, for example, SNA, from one network to another.
IP Options: IP Address Assignment= Static Rem IP Addr: 0.0.0.0 Rem Subnet Mask= 0.0.0.0 My WAN Addr= 0.0.0.0 NAT= Full Feature Address Mapping Set=2 Metric= 2 Private= No RIP Direction= Both Version= RIP-2B Multicast= IGMP-v2 IP Policies= Press ENTER to Confirm or ESC to Cancel: Figure 26-1 Remote Node Bridging Options Table 26-1 Remote Node Bridging Options...
Choose a static route to edit in menu 12.3. You configure bridge static routes in menu 12.3.1 as shown next. FIELD Route # This is the route index number you typed in Menu 12.3 – Bridge Static Route Setup. Route Name Type a name for the bridge static route for identification purposes.
When you have completed this menu, press [ENTER] at the prompt “Press ENTER to confirm or ESC to cancel” to save your configuration or press [ESC] to cancel and go back to the previous screen.
Chapter 27 Network Address Translation (NAT) This chapter discusses how to configure NAT on the Prestige. 27.1 SUA (Single User Account) Versus NAT SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server.
Press Space Bar to Toggle. Figure 27-1 Applying NAT for Internet Access The following figure shows how you apply NAT to the remote node in menu 11.1. Step 1. Enter 11 from the main menu and choose a node number. Step 2.
Table 27-1 Applying NAT to the Remote Node FIELD Press [SPACE BAR] and then [ENTER] to select Full Feature if you have multiple public WAN IP addresses for your Prestige. The SMT uses the address mapping set that you configure and enter in the Address Mapping Set field (menu 15.1 - see section 27.3.1).
Enter Menu Selection Number: Enter 255 to display the next screen (see also section 27.1). The fields in this menu cannot be changed. Set Name= Local Start IP Local End IP --------------- --------------- 0.0.0.0 255.255.255.255 Press ENTER to Confirm or ESC to Cancel: Figure 27-5 Address Mapping Rules - SUA Table 27-2 Address Mapping Rules - SUA FIELD...
Table 27-2 Address Mapping Rules - SUA FIELD Local Start IP Local Start IP is the starting local IP address (ILA). Local End IP Local End IP is the ending local IP address (ILA). If the rule is for all local IPs, then the Start IP is 0.0.0.0 and the End IP is 255.255.255.255.
Set Name= ? Local Start IP --------------- Action= Edit Press ENTER to Confirm or ESC to Cancel: If the Set Name field is left blank, the entire set will be deleted. The Type, Local and Global Start/End IPs are configured in menu 15.1.1.1 (described later) and the values are displayed here.
FIELD Set Name Enter a name for this set of rules. This is a required field. If this field is left blank, the entire set will be deleted. Action The default is Edit. Edit means you want to edit a selected rule (see the following field).
Type= One-to-One Local IP: Start= Global IP: Start= Server Mapping Set= N/A Press Space Bar to Toggle. Figure 27-7 Editing/Configuring an Individual Rule in a Set Table 27-4 Editing/Configuring an Individual Rule in a Set FIELD Type Press [SPACE BAR] and then [ENTER] to select from a total of five types.
27.3.2 Configuring a Server behind NAT Follow these steps to configure a server behind NAT: Step 1. Enter 15 in the main menu to go to Menu 15 - NAT Setup. Step 2. Enter 2 to display Menu 15.2 - NAT Server Sets as shown next. Step 3.
Step 4. Enter a port number in an unused Start Port No field. To forward only one port, enter it again in the End Port No field. To specify a range of ports, enter the last port to be forwarded in the End Port No field.
Figure 27-10 Multiple Servers Behind NAT Example 27.4 General NAT Examples This section provides some examples with Network Address Translation. 27.4.1 Example 1: Internet Access Only In the following Internet access example, you only need one rule where your ILAs (Inside Local addresses) all map to one dynamic IGA (Inside Global Address) assigned by your ISP.
From menu 4, choose the SUA Only option from the Network Address Translation field. This is the Many-to-One mapping discussed in section 27.4. The SUA Only read-only option from the Network Address Translation field in menus 4 and 11.3 is specifically pre-configured to handle this case. 27.4.2 Example 2: Internet Access with an Inside Server Figure 27-13 NAT Example 2 In this case, you do exactly as above (use the convenient pre-configured SUA Only set) and also go to...
Figure 27-14 NAT Example 2 - Menu 15.2.1 27.4.3 Example 3: Multiple Public IP Addresses With Inside Servers In this example, there are 3 IGAs from our ISP. There are many departments but two have their own FTP server.
Step 1. In this case you need to configure Address Mapping Set 1 from Menu 15.1 - Address Mapping Sets. Therefore you must choose the Full Feature option from the Network Address Translation field (in menu 4 or menu 11.3). See the figure below. Menu 11.3 - Remote Node Network Layer Options IP Options: IP Address Assignment= Static...
Step 5. In menu 15.1.1.1, select Type as One-to-One (direct mapping for packets going both ways), and set the local Start IP as 192.168.1.10 (the IP address of FTP Server 1) and the global Start IP as 10.132.50.1 (our first IGA). See the figure below. Type= One-to-One Local IP: Start= 192.168.1.10...
Now configure the IGA3 to map to our web server and mail server on the LAN. Step 8. Enter 15 from the main menu. Step 9. Enter 2 in Menu 15 - NAT Setup. Step 10. Enter 1 in Menu 15.2 - NAT Server Sets and enter 1 again to see the following menu. Configure it as shown.
27.4.4 Example 4: NAT Unfriendly Application Programs Some applications do not support NAT Mapping using TCP or UDP port address translation. In this case it is better to use Many-to-Many No Overload mapping, as port numbers do not change for Many-to-Many No Overload (and One-to-One) NAT mapping types.
Other applications such as some gaming programs are NAT unfriendly because they embed addressing information in the data stream. These applications won’t work through NAT even when using One-to-One and Many-to-Many No Overload. Follow the steps outlined in example 3 to configure these two menus as follows. Type= Many-to-Many No Overload Local IP: Start= 192.168.1.10...
Menu 15.1.1 - Address Mapping Rules Set Name= Example4 Local Start IP Local End IP Global Start IP Global End IP Type --------------- --------------- --------------- 192.168.1.10 192.168.1.12 10.132.50.1 Action= Edit Select Rule= Press ENTER to Confirm or ESC to Cancel: Figure 27-22 Example 4 - Menu 15.1.1...
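Examples 1 to 4 above turn on the difference between the mapping types: with One-to-One and Many-to-Many No Overload a host keeps its source port and owns a global address, with Many-to-One (SUA Only) every host shares one IGA and the Prestige rewrites ports, and a Menu 15.2 server set is what lets an unsolicited inbound connection reach an inside server at all. The following Python model is an added example, not ZyXEL code. It uses the Example 3 and Example 4 addresses from the guide; the inside server addresses, the third IGA (10.132.50.3), the SUA IGA (10.132.50.9), the Example 4 global end address and the 1024 starting port for translated ports are constructed assumptions, and Many-to-Many Overload is simplified to the first global address of its range.

```python
"""Prestige NAT address-mapping rule types, modelled in Python (added example, not
ZyXEL code). Shows why port numbers survive One-to-One and Many-to-Many No Overload
mappings but not Many-to-One (SUA), and how a Menu 15.2 server set admits inbound
connections. Inside server addresses, the third IGA, the SUA IGA and the Example 4
global end address are constructed, since the guide truncates or omits them."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address as IP


@dataclass
class MappingRule:            # one row of Menu 15.1.1 - Address Mapping Rules
    type: str                 # One-to-One, Many-to-One, Many-to-Many Overload,
    local_start: IP           #   Many-to-Many No Overload or Server
    local_end: IP
    global_start: IP
    global_end: IP
    servers: dict = field(default_factory=dict)  # Server type: (start, end port) -> inside ip


@dataclass
class NatState:
    bindings: dict = field(default_factory=dict)     # (inside ip, port) -> (global ip, port)
    no_overload: dict = field(default_factory=dict)  # inside ip -> global ip it was given
    next_pat_port: int = 1024   # assumed first translated port for the overloaded types


def translate_outbound(rules, state, src, sport):
    """Global (ip, port) a packet from src:sport leaves with, or None if no rule covers it."""
    if (src, sport) in state.bindings:
        return state.bindings[(src, sport)]
    for r in rules:
        if r.type == "Server" or not r.local_start <= src <= r.local_end:
            continue
        if r.type == "One-to-One":                  # direct mapping, port unchanged
            result = (r.global_start, sport)
        elif r.type == "Many-to-Many No Overload":  # one global per inside host, port unchanged
            if src not in state.no_overload:
                pool = [IP(a) for a in range(int(r.global_start), int(r.global_end) + 1)]
                free = [g for g in pool if g not in state.no_overload.values()]
                if not free:
                    return None                     # pool exhausted: this host cannot map
                state.no_overload[src] = free[0]
            result = (state.no_overload[src], sport)
        else:   # Many-to-One / Many-to-Many Overload (simplified): port address translation
            result = (r.global_start, state.next_pat_port)
            state.next_pat_port += 1
        state.bindings[(src, sport)] = result
        return result
    return None


def translate_inbound(rules, state, dst, dport):
    """Inside (ip, port) for a packet arriving at dst:dport, or None (unsolicited, not forwarded)."""
    for r in rules:
        if r.type == "Server" and r.global_start == dst:
            for (lo, hi), inside in r.servers.items():
                if lo <= dport <= hi:
                    return (inside, dport)
    for (inside, port), glob in state.bindings.items():
        if glob == (dst, dport):                    # reply to a connection opened from inside
            return (inside, port)
    return None


# Example 3 and 4 rules from the guide; the server set on 10.132.50.3, the inside
# server addresses, the SUA IGA and the Example 4 global end address are constructed.
EXAMPLE4 = [MappingRule("Many-to-Many No Overload", IP("192.168.1.10"), IP("192.168.1.12"),
                        IP("10.132.50.1"), IP("10.132.50.3"))]
EXAMPLE3 = [MappingRule("One-to-One", IP("192.168.1.10"), IP("192.168.1.10"),
                        IP("10.132.50.1"), IP("10.132.50.1")),
            MappingRule("Server", IP("0.0.0.0"), IP("0.0.0.0"), IP("10.132.50.3"), IP("10.132.50.3"),
                        {(80, 80): IP("192.168.1.21"), (25, 25): IP("192.168.1.22")})]
SUA_ONLY = [MappingRule("Many-to-One", IP("0.0.0.0"), IP("255.255.255.255"),
                        IP("10.132.50.9"), IP("10.132.50.9"))]


def demo():
    """Run constructed flows through each set and collect the translations."""
    out, s4, s3, ss = {}, NatState(), NatState(), NatState()
    out["ex4 host10"] = translate_outbound(EXAMPLE4, s4, IP("192.168.1.10"), 5000)
    out["ex4 host11"] = translate_outbound(EXAMPLE4, s4, IP("192.168.1.11"), 5000)
    out["ex4 host13"] = translate_outbound(EXAMPLE4, s4, IP("192.168.1.13"), 5000)
    out["ex3 ftp1 out"] = translate_outbound(EXAMPLE3, s3, IP("192.168.1.10"), 20)
    out["ex3 web in"] = translate_inbound(EXAMPLE3, s3, IP("10.132.50.3"), 80)
    out["ex3 ftp1 reply"] = translate_inbound(EXAMPLE3, s3, IP("10.132.50.1"), 20)
    out["ex3 unsolicited"] = translate_inbound(EXAMPLE3, s3, IP("10.132.50.3"), 22)
    out["sua host10"] = translate_outbound(SUA_ONLY, ss, IP("192.168.1.10"), 5000)
    out["sua host11"] = translate_outbound(SUA_ONLY, ss, IP("192.168.1.11"), 5000)
    return out
```

The point to keep in view when reviewing a Prestige configuration: an inside host is reachable from the WAN only through a server-set entry or through a binding it created itself, so the Menu 15.2 server sets and the One-to-One and No Overload rules together are the list of what the device exposes.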
Part IX: Advanced Management This part discusses Filter Configuration, SNMP, System Maintenance and IP Policy Routing, Call Scheduling and Remote Management.
Chapter 28 Filter Configuration This chapter shows you how to create and apply filters. 28.1 About Filtering Your Prestige uses filters to decide whether or not to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering.
Figure 28-1 Outgoing Packet Filtering Process (outgoing data packet, match, drop packet) Two sets of factory filter rules have been configured in Menu 21 to prevent NetBIOS traffic from triggering calls. A summary of their filter rules is shown in the figures that follow. The following figure illustrates the logic flow when executing a filter rule.
(Figure: filter rule logic flow with the steps Fetch Next Filter Set, Next Filter Set Available? and Drop Packet.) You can apply up to four filter sets to a particular port to block various types of packets. Because each filter set can have up to six rules, you can have a maximum of 24 rules active for a single port.
For incoming packets, your Prestige applies data filters only. Packets are processed depending on whether a match is found. The following sections describe how to configure filter sets. The Filter Structure of the Prestige A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descriptive name.
Filter rule sets 11 and 12 are used by the web configurator. Your custom configuration may be lost if you use rule 11 or 12. Step 3. Type a descriptive name or comment in the Edit Comments field and press [ENTER]. Step 4.
# A Type - - ---- --------------------------------------------------------------- - - - 1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23 Enter Filter Rule Number (1-6) to Configure: Figure 28-6 Telnet_WAN Filter Rules Summary # A Type - - ---- --------------------------------------------------------------- - - - 1 Y Gen Off=12, Len=2, Mask=ffff, Value=8863 2 Y Gen...
# A Type - - ---- -------------------------------------------------------------- - - - 1 Y IP PR=6, SA=0.0.0.0, DA=0.0.0.0, DP=21 Figure 28-8 FTP_WAN Filter Rules Summary # A Type - - ---- --------------------------------------------------------------- - - - 1 Y IP Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=161 2 Y IP Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=162 Enter Filter Rule Number (1-6) to Configure: 1...
# A Type - - ---- --------------------------------------------------------------- - - - 1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23 2 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=21 3 Y IP Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=69 4 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=80 Enter Filter Rule Number (1-6) to Configure: 1 Figure 28-10 Web Set2 Filter Rules Summary 28.2.1 Filter Rules Summary Menus...
FIELD Action Not Matched. “F” means to forward the packet immediately and skip checking the remaining rules. “D” means to drop the packet. “N” means to check the next rule. The protocol-dependent filter rule abbreviations are listed as follows: FILTER TYPE 28.3 Filter Rule Configuration To configure a filter rule, type its number in Menu 21.1 –...
28.3.1 TCP/IP Filter Rule This section shows you how to configure a TCP/IP filter rule. TCP/IP rules allow you to base the rule on the fields in the IP and the upper layer protocol, for example, UDP and TCP headers. To configure TCP/IP rules, select TCP/IP Filter Rule from the Filter Type field and press [ENTER] to open Menu 21.1.1 –...
FIELD IP Protocol This is the upper layer protocol, for example, TCP is 6, UDP is 17 and ICMP is 1. The value must be between 0 and 255. A value of 0 matches ANY protocol. IP Source Route IP Source Route is an optional header that dictates the route an IP packet takes from its source to its destination.
FIELD Select the logging option from the following: None – No packets will be logged. Action Matched – Only packets that match the rule parameters will be logged. Action Not Matched – Only packets that do not match the rule parameters will be logged.
(Figure: TCP/IP filter rule process: Packet into IP Filter; Filter Active?; Apply SrcAddrMask to Src Addr; Check Src IP Addr Matched; Apply DestAddrMask to Dest Addr; Check Dest IP Addr Matched; Check IP Protocol Matched; Check Src & Dest Port Matched; More?; Action Matched / Action Not Matched; Drop Packet.)
28.3.2 Generic Filter Rule This section shows you how to configure a generic filter rule. The purpose of generic rules is to allow you to filter non-IP packets. For IP, it is generally easier to use the IP rules directly. For generic rules, the Prestige treats a packet as a byte stream as opposed to an IP packet.
Table 28-4 Generic Filter Rule Menu Fields FIELD Filter # This is the filter set, filter rule coordinates, for instance, 2, 3 refers to the second filter set and the third rule of that set. Filter Type Press [SPACE BAR] and then [ENTER] to select a type of rule. Parameters displayed below each type will be different.
28.4 Filter Types and NAT There are two classes of filter rules, Generic Filter Device rules and Protocol Filter (TCP/IP) rules. Generic Filter rules act on the raw data from/to LAN and WAN. Protocol Filter rules act on IP packets. When NAT (Network Address Translation) is enabled, the inside IP address and port number are replaced on a connection-by-connection basis, which makes it impossible to know the exact address and port on the wire.
Step 1. Enter 21 from the main menu to open Menu 21 — Filter Set Configuration. Step 2. Enter the index number of the filter set you want to configure (in this case 3). Step 3. Type a descriptive name or comment in the Edit Comments field (for example, TELNET_WAN) and press [ENTER].
# A Type - - ---- --------------------------------------------------------------- - - - 1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23 This shows you that you have configured and activated (A = Y) a TCP/IP filter rule (Type = IP, Pr = 6) for destination telnet ports (DP = 23).
Menu 21.3.1 - TCP/IP Filter Rule Filter #: 3,1 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 6 Destination: IP Addr= 0.0.0.0 Source: IP Addr= 0.0.0.0 TCP Estab= No More= No Action Matched= Drop Action Not Matched= Forward Press ENTER to Confirm or ESC to Cancel: There are no more rules to check.
Step 3. This brings you to menu 11.5. Enter the example filter set number in this menu as shown in the following figure. Figure 28-18 Sample Filter Rules Summary — Applying a Remote Node Filter Set 28.6 Applying Filters and Factory Defaults This section shows you where to apply the filter(s) after you design it (them).
filter set(s) that you want to apply as appropriate. You can choose up to four filter sets (from twelve) by typing their numbers separated by commas, for example, 3, 4, 6, 11. The factory default filter set, NetBIOS_LAN, is inserted in the protocol filters field under Input Filter Sets in menu 3.1 in order to prevent local NetBIOS messages from triggering calls to the DNS server.
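The TELNET_WAN rule above (Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=23, Action Matched= Drop, Action Not Matched= Forward) is easier to reason about when the evaluation order is written out. The following Python model is an added example, not ZyNOS code or anything from the manual; it assumes 0.0.0.0 means "any address", that IP Protocol 0 means "any protocol", that "Check Next" moves on to the next rule of the set, and that a packet is forwarded when "there are no more rules to check". The second set (management host exception) is a constructed variation, not a factory default.

```python
from dataclasses import dataclass
from typing import List, Optional

ANY_ADDR = "0.0.0.0"          # in the SMT menus 0.0.0.0 stands for "any address" (assumption)
DEFAULT_WHEN_EXHAUSTED = "Forward"   # "There are no more rules to check" -> packet is forwarded


@dataclass
class Packet:
    """A minimal view of one IP packet as the filter sees it (constructed for this example)."""
    protocol: int          # IP protocol number: 6 = TCP, 17 = UDP
    src: str
    dst: str
    sport: int
    dport: int
    tcp_estab: bool = False   # True for a segment of an already established TCP connection


@dataclass
class Rule:
    """One TCP/IP filter rule with the fields shown in Menu 21.x.y."""
    active: bool = True
    protocol: int = 0              # 0 = any protocol (assumption)
    src: str = ANY_ADDR            # Source: IP Addr
    dst: str = ANY_ADDR            # Destination: IP Addr
    sport: Optional[int] = None    # None = any source port
    dport: Optional[int] = None    # None = any destination port
    tcp_estab: bool = False        # "TCP Estab= Yes" matches only established TCP connections
    action_matched: str = "Drop"        # Drop, Forward or Check Next
    action_not_matched: str = "Forward"  # Drop, Forward or Check Next

    def matches(self, pkt: Packet) -> bool:
        if self.protocol and pkt.protocol != self.protocol:
            return False
        if self.src != ANY_ADDR and pkt.src != self.src:
            return False
        if self.dst != ANY_ADDR and pkt.dst != self.dst:
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.tcp_estab and not (pkt.protocol == 6 and pkt.tcp_estab):
            return False
        return True


def evaluate_set(rules: List[Rule], pkt: Packet) -> str:
    """Walk one filter set top to bottom and return the verdict, "Drop" or "Forward"."""
    for rule in rules:
        if not rule.active:          # Active= No rules are skipped
            continue
        action = rule.action_matched if rule.matches(pkt) else rule.action_not_matched
        if action in ("Drop", "Forward"):
            return action
        # "Check Next": fall through to the next rule of this set
    return DEFAULT_WHEN_EXHAUSTED


# Filter set 3, rule 1 from Menu 21.3.1: drop TCP to port 23 (telnet), forward everything else.
TELNET_WAN = [Rule(protocol=6, dport=23, action_matched="Drop", action_not_matched="Forward")]

# Constructed variation: still let one management host reach telnet, drop telnet from all others.
MGMT_HOST = "203.0.113.10"   # documentation-range address, constructed for this example
TELNET_WAN_EXCEPT_MGMT = [
    Rule(protocol=6, src=MGMT_HOST, dport=23,
         action_matched="Forward", action_not_matched="Check Next"),
    Rule(protocol=6, dport=23, action_matched="Drop", action_not_matched="Forward"),
]

if __name__ == "__main__":
    telnet_from_wan = Packet(6, "198.51.100.7", "192.168.1.1", 40000, 23)
    web_from_wan = Packet(6, "198.51.100.7", "192.168.1.1", 40001, 80)
    print("telnet from WAN:", evaluate_set(TELNET_WAN, telnet_from_wan))   # Drop
    print("web from WAN:   ", evaluate_set(TELNET_WAN, web_from_wan))      # Forward
```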
Chapter 29 SNMP Configuration This chapter explains SNMP Configuration. SNMP is only available if TCP/IP is configured. 29.1 SNMP Overview Simple Network Management Protocol is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your Prestige supports SNMP agent functionality, which allows a manager station to manage and monitor the Prestige through the network.
An SNMP managed network consists of two main components: agents and a manager. An agent is a management software module that resides in a managed device (the Prestige). An agent translates the local management information from the managed device into a form compatible with SNMP. The manager is the console through which network administrators perform network management functions.
SNMP: Get Community: Type the Get Community, which is the password for the incoming Get and GetNext requests from the management station.
Set Community: Type the Set Community, which is the password for incoming Set requests from the management station.
Trusted Host: If you enter a trusted host, your Prestige will only respond to SNMP messages from this address.
TRAP NAME / DESCRIPTION
warmStart (defined in RFC-1215): A trap is sent after booting (software reboot).
linkUp (defined in RFC-1215): A trap is sent with the port number. The port number is its interface index under the interface group.
authenticationFailure (defined in RFC-1215)
linkDown (defined in RFC-1215)
This chapter covers the diagnostic tools that help you to maintain your Prestige. 30.1 System Maintenance Overview These tools include updates on system status, port status, log and trace capabilities and upgrades for the system software. This chapter describes how to use these tools in detail. Type 24 in the main menu to open Menu 24. 30.2 System Status The first selection, System Status, gives you information on the status and statistics of the ports, as shown...
Node-Lnk Status: 1-ENET
My WAN IP (from ISP): 0.0.0.0
Ethernet: Status: 10M/Half Duplex Collisions: 0
CPU Load= 3.8%
Figure 30-2 System Maintenance — Status
Table 30-1 System Maintenance
Node-Lnk: This is the node index number and link type. Link types are: PPP, ENET, 1483.
Status: Shows the status of the remote node.
Table 30-1 System Maintenance
Rx Pkts: The number of received packets from the LAN.
Collision: Number of collisions.
Shows statistics for the WAN.
Line Status: Shows the current status of the xDSL line, which can be Up or Down.
Upstream: Shows the upstream transfer rate in kbps.
Menu 1 – General Setup.
Routing: Refers to the routing protocol used.
ZyNOS F/W Version: Refers to the ZyNOS (ZyXEL Network Operating System) system firmware version. ZyNOS is a registered trademark of ZyXEL Communications Corporation.
xDSL F/W Version: Refers to the DSL version.
Standard: This refers to the operational protocol the Prestige and the DSLAM (Digital Subscriber Line Access Multiplexer) are using.
30.3.2 Console Port Speed You can set up different port speeds for the console port through Menu 24.2.2 – System Maintenance – Console Port Speed. Your Prestige supports 9600 (default), 19200 and 38400 bps. Press [SPACE BAR] and then [ENTER] to select the desired speed in menu 24.2.2, as shown in the following figure. Menu 24.2.2 –...
Step 3. Enter 1 from Menu 24.3 — System Maintenance — Log and Trace to display the error log in the system. After the Prestige finishes displaying the error log, you will have the option to clear it. Samples of typical error and information messages are presented in the next figure.
Table 30-3 System Maintenance Menu — Syslog Parameters
UNIX Syslog: Active: Use [SPACE BAR] and then [ENTER] to turn syslog on or off.
Syslog IP Address: Type the IP address of your syslog server.
Log Facility: Use [SPACE BAR] and then [ENTER] to select one of seven different local options. The log facility lets you log the message in different server files.
The following table describes the diagnostic tests available in menu 24.4 for the connections.
Table 30-4 System Maintenance Menu — Diagnostic
Reset xDSL: Re-initialize the xDSL link to the telephone company.
Ping Host: Ping the host to see if the links and TCP/IP protocol on both systems are working.
Reboot System: Reboot the Prestige.
Chapter 31 Firmware and Configuration File Maintenance This chapter tells you how to backup and restore your configuration file as well as upload new firmware and configuration files. 31.1 Filename Conventions The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password, DHCP Setup, TCP/IP Setup, etc.
FILE TYPE / INTERNAL NAME
Configuration File / Rom-0
Firmware / (not shown)
31.2 Backup Configuration The Prestige displays different messages explaining different ways to backup, restore and upload files in menus 24.5, 24.6, 24.7.1 and 24.7.2, depending on whether you use the console port or Telnet. Option 5 from Menu 24 –...
31.2.1 Backup Configuration Follow the instructions as shown in the next screen. Menu 24.5 - System Maintenance - Backup Configuration To transfer the configuration file to your workstation, follow the procedure below: 1. Launch the FTP client on your computer. 2.
331 Enter PASS command
Password:
230 Logged in
ftp> bin
200 Type I OK
ftp> get rom-0 zyxel.rom
200 Port command okay
150 Opening data connection for STOR ras
226 File received OK
ftp: 16384 bytes sent in 1.10Seconds 297.89Kbytes/sec.
ftp>...
4. You have an SMT console session running. 31.2.6 Backup Configuration Using TFTP The Prestige supports the up/downloading of the firmware and the configuration file using TFTP (Trivial File Transfer Protocol) over LAN. Although TFTP should work over WAN as well, it is not recommended. To use TFTP, your computer must have both telnet and TFTP clients.
Table 31-3 General Commands for GUI-based TFTP Clients
Host: Enter the IP address of the Prestige. 192.168.1.1 is the Prestige's default IP address when shipped.
Send/Fetch: Use "Send" to upload the file to the Prestige and "Fetch" to back up the file on your computer.
Step 3. Run the HyperTerminal program by clicking Transfer, then Receive File as shown in the following screen. Figure 31-5 Backup Configuration Example Step 4. After a successful backup you will see the following screen. Press any key to return to the SMT menu.
DO NOT INTERRUPT THE FILE TRANSFER PROCESS AS THIS MAY PERMANENTLY DAMAGE YOUR PRESTIGE. 31.3.1 Restore Using FTP For details about backup using (T)FTP please refer to earlier sections on FTP and TFTP file upload in this chapter.
31.3.2 Restore Using FTP Session Example
ftp> put config.rom rom-0
200 Port command okay
150 Opening data connection for STOR rom-0
226 File received OK
221 Goodbye for writing flash
ftp: 16384 bytes sent in 0.06Seconds 273.07Kbytes/sec.
ftp>quit
Figure 31-8 Restore Using FTP Session Example
Refer to section 31.2.5 to read about configurations that disallow TFTP and FTP over WAN.
Figure 31-11 Restore Configuration Example Step 4. After a successful restoration you will see the following screen. Press any key to restart the Prestige and return to the SMT menu. Figure 31-12 Successful Restoration Confirmation Screen 31.4 Uploading Firmware and Configuration Files This section shows you how to upload firmware and configuration files.
Menu 24.7.1 - System Maintenance - Upload System Firmware To upload the system firmware, follow the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your system. Then type "root" and SMT password as requested.
31.4.3 FTP File Upload Command from the DOS Prompt Example Step 1. Launch the FTP client on your computer. Step 2. Enter "open", followed by a space and the IP address of your Prestige. Step 3. Press [ENTER] when prompted for a username.
To use TFTP, your computer must have both telnet and TFTP clients. To transfer the firmware and the configuration file, follow the procedure shown next. Step 1. Use telnet from your computer to connect to the Prestige and log in. Because TFTP does not have any security checks, the Prestige records the IP address of the telnet client and accepts TFTP requests only from this address.
31.4.8 Uploading Firmware File Via Console Port Step 1. Select 1 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.7.1 – System Maintenance – Upload System Firmware, then follow the instructions as shown in the following screen.
31.4.10 Uploading Configuration File Via Console Port Step 1. Select 2 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.7.2 – System Maintenance – Upload System Configuration File. Follow the instructions as shown in the next screen. Menu 24.7.2 - System Maintenance - Upload System Configuration File To upload system configuration file: 1.
After the configuration upload process has completed, restart the Prestige by entering "atgo".
Figure 31-19 Example Xmodem Upload
Type the configuration file's location, or click Browse to search for it. Choose the Xmodem protocol.
System Maintenance and Information 32.1 Command Interpreter Mode The Command Interpreter (CI) is a part of the main system firmware. The CI provides much of the same functionality as the SMT, while adding some low-level setup and diagnostic functions. Enter the CI from the SMT by selecting menu 24.8.
Copyright (c) 1994 - 2003 ZyXEL Communications Corp.
ras> ?
Valid commands are:
ras>
32.2 Call Control Support Call Control Support is only applicable when Encapsulation is set to PPPoE in menu 4 or menu 11.1.
Menu 24.9.1 - System Maintenance - Budget Management
Remote Node
1.MyISP
2.--------
3.--------
4.--------
5.--------
6.--------
7.--------
8.--------
The total budget is the time limit on the accumulated time for outgoing calls to a remote node. When this limit is reached, the call will be dropped and further outgoing calls to that remote node will be blocked. After each period, the total budget is reset.
32.3 Time and Date Setting The Prestige keeps track of the time and date. There is also a software mechanism to set the time manually or get the current time and date from an external server when you turn on your Prestige. Menu 24.10 allows you to update the time and date settings of your Prestige.
Use Time Server when Bootup: Enter the time service protocol that your time server sends when you turn on the Prestige. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works. The main difference between them is the format.
33.1 IP Policy Routing Overview Traditionally, routing is based on the destination address only and the IAD takes the shortest path to forward a packet. IP Routing Policy (IPPR) provides a mechanism to override the default routing behavior and alter the packet forwarding based on the policy defined by the network administrator. Policy-based routing is applied to incoming packets on a per interface basis, prior to the normal routing.
IPPR follows the existing packet filtering facility of RAS in style and in implementation. The policies are divided into sets, where related policies are grouped together. A user defines the policies before applying them to an interface or a remote node, in the same fashion as the filters. There are 12 policy sets with six policies in each set.
1 Y SA=1.1.1.1-1.1.1.1, DA=2.2.2.2-2.2.2.5, SP=20-25, DP=20-25, P=6, T=NM, PR=0
2 N
3 N
4 N
5 N
6 N
Enter Policy Rule Number (1-6) to Configure:
Figure 33-2 Sample IP Routing Policy Setup
Table 33-1 IP Routing Policy Setup Abbreviations ABBREVIATION Criterion...
Type a number from 1 to 6 to display Menu 25.1.1 – IP Routing Policy (see the next figure). This menu allows you to configure a policy rule.
Policy Set Name= test
Active= Yes
Criteria: IP Protocol
Type of Service= Normal
Precedence
Source:...
Len Comp: Press [SPACE BAR] and then [ENTER] to choose from Equal, Not Equal, Less, Greater, Less or Equal or Greater or Equal.
Source: addr start / end: Source IP address range from start to end.
port start / end: Source port number range from start to end;...
Menu 3.2 - TCP/IP and DHCP Ethernet Setup
DHCP Setup:
DHCP= None
Client IP Pool Starting Address= N/A
Size of Client IP Pool= N/A
Primary DNS Server= N/A
Secondary DNS Server= N/A
Remote DHCP Server= N/A
TCP/IP Setup:
IP Address= 192.168.1.1
IP Subnet Mask= 255.255.255.0...
33.4 IP Policy Routing Example If a network has both Internet and remote node connections, you can route Web packets to the Internet using one policy and route FTP packets to a remote network using another policy. See the next figure. To force Web packets coming from clients with IP addresses of 192.168.1.33 to 192.168.1.64 to be routed to the Internet via the WAN port of the Prestige, follow the steps as shown next.
Policy Set Name= set1
Active= Yes
Criteria: IP Protocol
Type of Service= Don't Care
Precedence
Source: addr start= 192.168.1.2
port start= 0
Destination: addr start= 0.0.0.0
port start= 80
Action= Matched
Gateway addr
Type of Service= No Change
Precedence
Press ENTER to Confirm or ESC to Cancel:
Press Space Bar to Toggle.
Policy Set Name= set2
Active= Yes
Criteria: IP Protocol
Type of Service= Don't Care
Precedence
Source: addr start= 0.0.0.0
port start= 0
Destination: addr start= 0.0.0.0
port start= 20
Action= Matched
Gateway addr
Type of Service= No Change
Precedence
Press ENTER to Confirm or ESC to Cancel:
Press Space Bar to Toggle.
Call scheduling (applicable for PPPoA or PPPoE encapsulation only) allows you to dictate when a
34.1 Call Scheduling Overview The call scheduling feature allows the Prestige to manage a remote node and dictate when a remote node should be called and for how long. This feature is similar to the scheduler in a video cassette recorder (you can specify a time period for the VCR to record).
To delete a schedule set, enter the set number and press [SPACE BAR] and then [ENTER] (or delete) in the Edit Name field. To setup a schedule set, select the schedule set you want to setup from menu 26 (1-12) and press [ENTER] to see Menu 26.1 —...
How Often: Should this schedule set recur weekly or be used just once only? Press the [SPACE BAR] and then [ENTER] to select Once or Weekly. Both these options are mutually exclusive. If Once is selected, then all weekday settings are N/A. When Once is selected, the schedule rule deletes automatically after the scheduled time elapses.
Rem Node Name= ?
Active= Yes
Encapsulation= PPPoE
Multiplexing= VC-based
Service Name=
Incoming: Rem Login=
Rem Password= ********
Outgoing: My Login= ?
My Password= ********
Authen= CHAP/PAP
Press ENTER to Confirm or ESC to Cancel:
Press Space Bar to Toggle.
Figure 34-3 Applying Schedule Set(s) to a Remote Node (PPPoE)
You can apply up to four schedule sets, separated by commas, for one remote node.
35.1 Remote Management Overview Remote management setup is for managing Telnet, FTP and Web services. You can customize the service port, access interface and the secured client IP address to enhance security and flexibility. You may manage your Prestige from a remote location via: the Internet (WAN only), the LAN only, All (LAN and WAN) or Disable (neither).
35.1.3 Remote Management and Web Services You can use the Prestige's embedded web configurator for configuration and file management. See the online help for details. 35.1.4 Disabling Remote Management To disable remote management of a service, select Disable in the corresponding Server Access field. 35.2 Remote Management Setup Enter 11 in menu 24 to display Menu 24.11 —...
Secured Client IP: The default 0.0.0.0 allows any client to use this service to remotely manage the Prestige. Enter an IP address to restrict access to a client with a matching IP address. Once you have filled in this menu, press [ENTER] at the message "Press ENTER to Confirm or ESC to Cancel"...
Part X: SMT VPN/IPSec and Internal SPTGEN This part provides information about configuring VPN/IPSec for secure communications and Internal SPTGEN for configuration of multiple Prestiges. See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.
36.1 VPN/IPSec Overview The VPN/IPSec main SMT menu has these main submenus: 1. Define VPN policies in menu 27.1 submenus, including security policies, endpoint IP addresses, peer IPSec router IP address and key management. 2. Menu 27.2 - SA Monitor allows you to manage (refresh or disconnect) your SA connections. This is an overview of the VPN menu tree.
36.2 IPSec Summary Screen Type 1 in menu 27 and then press [ENTER] to display Menu 27.1 IPSec Summary. This is a summary read-only menu of your IPSec rules (tunnels). Edit or create an IPSec rule by selecting an index number and then configuring the associated submenus.
Name: This field displays the unique identification name for this VPN rule. The name may be up to 32 characters long but only 10 characters will be displayed here.
Y signifies that this VPN rule is active.
Local Addr: When the Addr Type field in Menu 27.1.1 IPSec Setup is configured to Single, this is a static IP address on the LAN behind your Prestige.
Key Mgt: This field displays the SA's type of key management (IKE or Manual).
Remote Addr Start: When the Addr Type field in Menu 27.1.1 IPSec Setup is configured to Single, this is a static IP address on the network behind the remote IPSec router.
Select Command: Press [SPACE BAR] to choose from None, Edit, Delete, Go To Rule, Next Page or Previous Page and then press [ENTER]. You must select a rule in the next field when you choose the Edit, Delete or Go To commands.
Index= 1
Active= Yes
Local ID type= IP
My IP Addr= 0.0.0.0
Peer ID type= IP
Secure Gateway Address= zw50test.zyxel.com.tw
Protocol= 0
Local: IP Addr Start= 1.1.1.1
Remote: IP Addr Start= 4.4.4.4
Enable Replay Detection = No
Key Management= IKE
Edit Key Management Setup= No
The following table describes the fields in this menu.
Content: When you select IP in the Local ID Type field, type the IP address of your computer or leave the field blank to have the Prestige automatically use its own IP address. When you select DNS in the Local ID Type field, type a domain name (up to 31 characters) by which to identify this Prestige.
Secure Gateway Address: Type the IP address or the domain name (up to 31 characters) of the IPSec router with which you're making the VPN connection. Set this field to 0.0.0.0 if the remote IPSec router has a dynamic WAN IP address (the Key Management field must be set to IKE, see later).
Table 36-2 Menu 27.1.1 IPSec Setup
FIELD / DESCRIPTION / EXAMPLE
End/Subnet Mask: When the Addr Type field is configured to Single, this field is N/A. When the Addr Type field is configured to Range, enter the end (static) IP address, in a range of computers on the LAN behind your Prestige. Example: 192.168.1.38
End/Subnet Mask: When the Addr Type field is configured to Single, this field is N/A. When the Addr Type field is configured to Range, enter the end (static) IP address, in a range of computers on the network behind the remote IPSec router.
36.4 IKE Setup To edit this menu, the Key Management field in Menu 27.1.1 – IPSec Setup must be set to IKE. Move the cursor to the Edit Key Management Setup field in Menu 27.1.1 – IPSec Setup; press [SPACE BAR] to select Yes and then press [ENTER] to display Menu 27.1.1.1 –...
Encryption Algorithm: When DES is used for data communications, both sender and receiver must know the same secret key, which can be used to encrypt and decrypt the message or to generate and verify a message authentication code. The Prestige DES encryption algorithm uses a 56-bit key.
Perfect Forward Secrecy (PFS): Perfect Forward Secrecy (PFS) is disabled (None) by default in phase 2 IPSec SA setup. This allows faster IPSec setup, but is not so secure. Press [SPACE BAR] and choose from DH1 or DH2 to enable PFS. DH1 refers to Diffie-Hellman Group 1, a 768-bit random number.
Active Protocol= ESP Tunnel
ESP Setup
AH Setup
The following table describes the fields in this menu.
Active Protocol: Press [SPACE BAR] to choose from ESP Tunnel, ESP Transport, AH Tunnel or AH Transport and then press [ENTER]. Choosing an ESP combination causes the AH Setup fields to be non-applicable (N/A).
ESP Setup: The ESP Setup fields are N/A if you chose an AH Active Protocol.
Authentication Algorithm: Press [SPACE BAR] to choose from MD5 or SHA1 and then press [ENTER].
Key: Enter the authentication key to be used by IPSec if applicable. The key must be unique. Enter 16 characters for MD5 authentication and 20 characters for SHA-1 authentication.
This chapter teaches you how to manage your SAs by using the SA Monitor in SMT menu 27.2. 37.1 SA Monitor Overview A Security Association (SA) is the group of security settings related to a specific VPN tunnel. This menu (shown next) displays active VPN connections.
This is the security association index number.
Name: This field displays the identification name for this VPN policy. This name is unique for each connection where the secure gateway IP address is a public static IP address. When the secure gateway IP address is 0.0.0.0 (as discussed in the last chapter), there may be different connections using this same VPN rule.
37.3 Viewing IPSec Log To view the IPSec and IKE connection log, type 3 in menu 27 and press [ENTER] to display the IPSec log as shown next. The following figure shows a typical log from the initiator of a VPN connection. Index: Date/Time: ------------------------------------------------------------...
Chapter 38 Internal SPTGEN 38.1 Internal SPTGEN Overview Internal SPTGEN (System Parameter Table Generator) is a configuration text file useful for efficient configuration of multiple Prestiges. Internal SPTGEN lets you configure, save and upload multiple menus at the same time using just one configuration text file –...
This is the name of the menu.
/ Menu 1 General Setup
10000000 = Configured
10000001 = System Name
10000002 = Location
10000003 = Contact Person's Name
10000004 = Route IP
10000005 = Route IPX
10000006 = Bridge
This is the Field Identification Number column.
field value is not legal error:-1
ROM-t is not saved, error Line ID:10000000
reboot to get the original configuration
Bootbase Version: V2.02 | 2/22/2001 13:33:11
RAM: Size = 8192 Kbytes
FLASH: Intel 8M *2
Figure 38-2 Invalid Parameter Entered: Command Line Example
The Prestige will display the following if you enter parameter(s) that are valid.
You can rename your “rom-t” file when you save it to your computer but it must be named “rom-t” when you upload it to your Prestige. 38.4 Internal SPTGEN FTP Upload Example 1. Launch your FTP application. 2. Enter "bin". The command “bin” sets the transfer mode to binary.
This chapter covers potential problems and the corresponding remedies. 39.1 Problems Starting Up the Prestige
Table 39-1 Troubleshooting the Start-Up of Your Prestige
PROBLEM: None of the LEDs turn on when I turn on the Prestige.
CORRECTIVE ACTION: Make sure that the Prestige's power adapter is connected to the Prestige and plugged in to an appropriate power source.
39.3 Problems with the WAN Interface
Table 39-3 Troubleshooting the WAN Interface
PROBLEM: I cannot get a WAN IP address from the ISP.
CORRECTIVE ACTION: The WAN IP is provided when the ISP recognizes the user as an authorized user after verifying the MAC address, Host Name or User ID.
39.5 Problems with the Password
Table 39-5 Troubleshooting the Password
PROBLEM: I cannot access the Prestige.
CORRECTIVE ACTION: The Password and Username fields are case-sensitive. Make sure that you enter the correct password and username using the proper casing. Restore the factory default configuration file. This will restore all of the factory defaults including the password.
PPPoE in Action An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your PC to an ATM PVC (Permanent Virtual Circuit) which connects to an xDSL Access Concentrator where the PPP session terminates (see the next figure). One PVC can support any number of PPP sessions from your LAN. PPPoE provides access control and billing functionality in a manner similar to dial-up services using PPP.
The PPPoE driver makes the Ethernet appear as a serial link to the PC and the PC runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC). Between the AC and an ISP, the AC is acting as a L2TP (Layer 2 Tunneling Protocol) LAC (L2TP Access Concentrator) and tunnels the PPP frames to the ISP.
ATM is a connection-oriented technology, meaning that it sets up virtual circuits over which end systems communicate. The terminology for virtual circuits is as follows:
• Virtual Channel
• Virtual Path
• Virtual Circuit
Think of a virtual path as a cable that contains a bundle of wires. The cable connects two points and wires within the cable provide individual circuits between the two points.
Power Adapter Specifications: tables of AC Power Adapter Model, Input Power, Output Power, Power Consumption and Safety Standards for each plug standard (including Australia and New Zealand plug standards; the China entry lists safety standard CCEE (GB8898)). The table values are not recoverable from this page.
TCP/IP ... 8-3, 8-4, 15-2, 21-7, 28-16, 30-9, 35-1
TCP/IP Options ... 24-9
Teardrop ... 8-4
Telnet ... 15-2, 35-1
Telnet Configuration ... 15-2, 35-1
Telnet Under NAT ... 35-1
Text File Format ... 38-1
TFTP and FTP over WAN ... 35-3
Restrictions ... 35-3
TFTP and FTP over WAN Will Not Work When...