Published by ZyXEL Communications Corporation. All rights reserved. Disclaimer ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others.
ZyXEL G-2000 Plus v2 User’s Guide
Certifications
Federal Communications Commission (FCC) Interference Statement
This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:
• This device may not cause harmful interference.
• This device must accept any interference received, including interference that may cause undesired operations.
2400 to 2483.5 MHz by specified firmware controlled in USA.
Certifications
1 Go to www.zyxel.com
2 Select your product from the drop-down list box on the ZyXEL home page to go to that product's page.
3 Select the certification you wish to view from this page.
Safety Warnings
For your safety, be sure to read and follow all warning notices and instructions.
• To reduce the risk of fire, use only No. 26 AWG (American Wire Gauge) or larger telecommunication line cord.
Any replacement will consist of a new or re-manufactured functionally equivalent product of equal or higher value, and will be solely at the discretion of ZyXEL. This warranty shall not apply if the product has been modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions.
Customer Support
Please have the following information ready when you contact customer support.
• Product model and serial number.
• Warranty Information.
• Date that you received your device.
• Brief description of the problem and the steps you took to solve it.
ZyXEL G-2000 Plus v2 User’s Guide METHOD SUPPORT E-MAIL TELEPHONE WEB SITE REGULAR MAIL SALES E-MAIL FTP SITE LOCATION info@pl.zyxel.com +48-22-5286603 www.pl.zyxel.com ZyXEL Communications ul.Emilli Plater 53 POLAND +48-22-5206701 00-113 Warszawa Poland http://zyxel.ru/support +7-095-542-89-29 www.zyxel.ru ZyXEL Russia Ostrovityanova 37a Str.
List of Tables
Preface
Chapter 1 Getting to Know Your Device
1.1 Introducing the ZyXEL G-2000 Plus v2
1.2 Features
1.2.1 Physical Features
1.2.2 Firmware Features
1.3 Applications for the ZyXEL device
1.3.1 Internet Access and Wireless Network
...
3.3 Wizard Setup Wireless LAN
3.3.1 Name (SSID), Channel ID and Security
3.3.2 Configuring WEP or WPA(2)-PSK Security
3.3.3 Confirm Security Settings
3.4 Wizard Setup WAN
3.4.1 Ethernet
3.4.2 PPPoE Encapsulation
...
10.4.2.1 ICMP Vulnerability
10.4.2.2 Traceroute
10.5 Stateful Inspection
10.5.1 Stateful Inspection Process
10.5.2 Stateful Inspection and the ZyXEL device
10.5.3 TCP Security
10.5.4 UDP/ICMP Security
10.5.5 Upper Layer Protocols
10.6 Guidelines For Enhancing Security With Your Firewall
10.7 Packet Filtering Vs Firewall
...
11.3.1 Rule Checklist
11.3.2 Security Ramifications
11.3.3 Key Fields For Configuring Rules
11.3.3.1 Action
11.3.3.2 Service
11.3.3.3 Source Address
11.3.3.4 Destination Address
11.4 Connection Direction Examples
11.4.1 LAN to WAN Rules
...
Chapter 14 UPnP
14.1 Universal Plug and Play Overview
14.1.1 How Do I Know If I'm Using UPnP?
14.1.2 NAT Traversal
14.1.3 Cautions with UPnP
14.2 UPnP and ZyXEL
14.3 Configuring UPnP
...
18.7 Restart Screen
Chapter 19 Introducing the SMT
19.1 SMT Introduction
19.2 Connect to your ZyXEL device Using Telnet
19.2.1 Entering Password
19.3 Changing the System Password
19.4 ZyXEL device SMT Menu Overview Example
19.5 Navigating the SMT Interface
...
22.2 Protocol Dependent Ethernet Setup
22.3 TCP/IP Ethernet Setup and DHCP
22.3.1 IP Alias Setup
22.4 Wireless LAN Setup
22.4.1 Configuring MAC Address Filter
Chapter 23 Internet Access
23.1 Introduction to Internet Access Setup
...
27.6 Configuring Trigger Port Forwarding
Chapter 28 Filter Configuration
28.1 Introduction to Filters
28.1.1 The Filter Structure of the ZyXEL device
28.2 Configuring a Filter Set
28.2.1 Configuring a Filter Rule
28.2.2 Configuring a TCP/IP Filter Rule
28.2.3 Configuring a Generic Filter Rule
...
Chapter 32 System Information and Diagnosis
32.1 System Status
32.2 System Information
32.2.1 System Information
32.2.2 Console Port Speed
32.3 Log and Trace
32.3.1 Viewing Error Log
32.3.2 UNIX Syslog
...
Call Scheduling
36.1 Introduction to Call Scheduling
Chapter 37 Troubleshooting
Problems Starting Up the ZyXEL device
Problems with the Ethernet Interface
Problems with the Password
Problems with Telnet
Problems with the WLAN Interface
...
Case A: The ZyXEL device is using the same LAN and WAN IP addresses
Case B: The ZyXEL device LAN IP address conflicts with the DHCP client IP address
Case C: The Subscriber IP address is the same as the IP address of a network device
Case D: Two or more subscribers have the same IP address.
List of Figures
Figure 1 Internet Access Application
Figure 2 Firewall Application
Figure 3 Change Password Screen
Figure 4 Replace Certificate Screen
Figure 5 The MAIN MENU Screen of the Web Configurator
Figure 6 Enter System and Domain Names
...
Figure 107 Login Screen
Figure 108 Menu 23.1 System Security : Change Password
Figure 109 ZyXEL device SMT Menu Overview Example
Figure 110 ZyXEL device SMT Main Menu
Figure 111 Menu 23: System Security
Figure 112 Menu 23 System Password
...
Figure 125 Internet Access Setup (PPTP)
Figure 126 Internet Access Setup (PPPoE)
Figure 127 Menu 11.1 Remote Node Profile for Ethernet Encapsulation
Figure 128 Menu 11.1 Remote Node Profile for PPPoE Encapsulation
Figure 129 Menu 11.1 Remote Node Profile for PPTP Encapsulation
...
Figure 167 Example Filter: Menu 21.1.3.1
Figure 168 Example Filter Rules Summary: Menu 21.1.3
Figure 169 Protocol and Device Filter Sets
Figure 170 Filtering LAN Traffic
Figure 171 Filtering Remote Node Traffic
...
Figure 210 Windows 95/98/Me: TCP/IP Properties: DNS Configuration
Figure 211 Windows XP: Start Menu
Figure 212 Windows XP: Control Panel
Figure 213 Windows XP: Control Panel: Network Connections: Properties
Figure 214 Windows XP: Local Area Connection Properties
...
List of Tables
Table 1 IEEE 802.11b
Table 2 IEEE 802.11g
Table 3 Web Configurator Screens Summary
Table 4 Enter System and Domain Names
Table 5 Enter Name and Select Security
Table 6 Wireless LAN Basic Security
...
Table 81 Firmware Upload
Table 82 Restore Configuration
Table 83 Main Menu Commands
Table 84 Main Menu Summary
Table 85 Menu 1 General Setup
Table 86 Menu 1.1 Configure Dynamic DNS
...
Table 125 System Maintenance : Time and Date Setting
Table 126
Table 127 Menu 26.1 Schedule Set Setup
Table 128 Troubleshooting the Start-Up of Your ZyXEL device
Table 129 Troubleshooting the Ethernet Interface
Table 130 Troubleshooting the Password
Table 131 Troubleshooting Telnet
...
American products.
About This User's Guide
This User’s Guide is designed to guide you through the configuration of your ZyXEL device using the web configurator or the SMT. The web configurator parts of this guide contain background information on features configurable by web configurator. The SMT parts of this...
Settings and then click Control Panel.
• “e.g.,” is a shorthand for “for instance”, and “i.e.,” means “that is” or “in other words”.
• The ZyXEL G2000 Plus v2 may be referred to as the “ZyXEL device” in this User’s Guide.
This chapter introduces the main features and applications of the ZyXEL device.
1.1 Introducing the ZyXEL G-2000 Plus v2
The ZyXEL G-2000 Plus v2 is a wireless access point and a broadband router with a built-in switch rolled into one. As an Internet gateway, your ZyXEL device can share an Internet connection (through a cable or DSL modem) with multiple computers.
The blue ZyAIR LED (also known as the breathing LED) is on when the ZyXEL device is on and blinks (or breathes) when data is being transmitted to/from its wireless stations. You may use the web configurator to turn this LED off even when the ZyXEL device is on and data is being transmitted/received.
Limit the number of Client Connections
You may set a maximum number of wireless stations that may connect to the ZyXEL device. This may be necessary if, for example, there is interference or difficulty with channel assignment due to a high density of APs within a coverage area.
Please see the appendix for details about this feature.
Wireless LAN MAC Address Filtering
Your ZyXEL device checks the MAC address of the wireless station against a list of allowed or denied MAC addresses.
WEP Encryption
WEP (Wired Equivalent Privacy) encrypts data frames before transmitting over the wireless network to help keep network communications private.
ISP to use their existing network configuration with newer broadband technologies such as ADSL. The PPPoE driver on the ZyXEL device is transparent to the computers on the LAN, which see only Ethernet and are not aware of PPPoE thus saving you from having to manage PPPoE clients on individual computers.
DHCP server capability enabled by default. It can assign IP addresses, an IP default gateway and DNS servers to DHCP clients. The ZyXEL device also acts as a surrogate DHCP server (DHCP Relay) where it relays IP address assignment from the actual DHCP server to the clients.
Wireless LAN Channel Usage
The Wireless Channel Usage screen displays whether the radio channels are used by other wireless devices within the transmission range of the ZyXEL device. This allows you to select the channel with minimum interference for your ZyXEL device.
Figure 1 Internet Access Application
1.3.2 Firewall for Secure Broadband Internet Access
The ZyXEL device provides protection from attacks by Internet hackers. By default, the firewall blocks all incoming traffic from the WAN. The firewall supports TCP/UDP inspection and DoS (Denial of Service) detection and prevention, as well as real time alerts, reports and logs.
Chapter 2
Introducing the Web Configurator
This chapter describes how to access the ZyXEL device web configurator and provides an overview of its screens. The default IP address of the ZyXEL device is 192.168.1.1.
2.1 Web Configurator Overview
The embedded web configurator allows you to manage the ZyXEL device from anywhere through a browser such as Microsoft Internet Explorer or Netscape Navigator.
Figure 3 Change Password Screen
6 Click Apply in the Replace Certificate screen to create a certificate using your ZyXEL device’s MAC address that will be specific to this device.
Figure 4 Replace Certificate Screen
You should now see the MAIN MENU screen.
If you forget your password or cannot access the web configurator, you will need to reload the factory-default configuration file or use the RESET button on the side panel of the ZyXEL device. Uploading this configuration file replaces the current configuration file with the factory-default configuration file.
Figure 5 The MAIN MENU Screen of the Web Configurator
The following summarizes how to navigate the web configurator from the MAIN MENU screen.
Table 3 Web Configurator Screens Summary
LINK SUB-LINK FUNCTION
WIZARD SETUP...
MAINTENANCE: Use these screens to upload firmware, back up and restore configuration or restore the ZyXEL device to its factory defaults. These screens also let you view the status of the ZyXEL device and perform a restart.
LOGOUT: Click this icon to exit the web configurator.
Chapter 3
Wizard Setup
The web configurator’s setup wizard helps you configure your ZyXEL device for Internet access and set up a wireless LAN.
3.1 Wizard Setup Overview
The wizard will guide you through several steps. You will need to enter some information for identification purposes; you will then set up your wireless LAN and security.
In Windows XP, click Start, My Computer, View system information and then click the Computer Name tab. Note the entry in the Full computer name field and enter it as the ZyXEL device System Name. This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes "-"...
3.3.1 Name (SSID), Channel ID and Security
This screen allows you to set up a unique name for your ZyXEL device on the wireless network. You also decide on the channel for your wireless transmission and what kind of security you would like to use.
Select this option to enter hexadecimal characters as the WEP keys. The preceding “0x” is entered automatically.
Key 1 to Key 4: The WEP keys are used to encrypt data. Both the ZyXEL device and the wireless stations must use the same WEP key for data transmission.
Choose Extend(WPA-PSK with customized key) or Extend(WPA2-PSK with customized key) security in the Wireless LAN Setup screen to set up a Pre-Shared Key.
Figure 9 Wireless LAN Extend Security
The following table describes the labels in this screen.
Click Finish to exit the wizard without configuring ZyXEL device’s WAN setup.
3.4 Wizard Setup WAN
The ZyXEL device offers three choices of encapsulation. They are Ethernet, PPP over Ethernet or PPTP. You will need to enter the Internet access information given to you by your ISP exactly in the wizard screens.
Relogin Every (min): This field only applies when you select Telia Login in the Service Type field. The Telia server logs the ZyXEL device out if the ZyXEL device does not log in periodically. Type the number of minutes from 1 to 59 (30 default) for the ZyXEL device to wait between logins.
By implementing PPPoE directly on the ZyXEL device (rather than individual computers), the computers on the LAN do not need PPPoE software installed, since the ZyXEL device does that part of the task. Furthermore, with NAT, all of the LAN's computers will have Internet access.
Figure 12 PPPoE Encapsulation
The following table describes the labels in this screen.
Table 10 PPPoE Encapsulation
LABEL DESCRIPTION
ISP Parameter for Internet Access
Encapsulation: Choose PPP over Ethernet from the pull-down list box. PPPoE forms a dial-up connection.
Internet. Refer to the appendix for more information on PPTP.
Note: The ZyXEL device supports one PPTP server connection at any given time.
Figure 13 PPTP Encapsulation
The following table describes the fields in this screen.
Table 11 PPTP Encapsulation
LABEL DESCRIPTION
Server IP Address: Type the IP address of the PPTP server.
Connection ID/: Enter the connection ID or connection name in this field. It must follow the "c:id"...
Once you have decided on the network number, pick an IP address that is easy to remember, for instance, 192.168.1.1, for your ZyXEL device, but make sure that no other device on your network is using that IP address.
Note: ZyXEL recommends you clone the MAC address from a computer on your LAN even if your ISP does not require MAC address authentication.
Table 13 Example of Network Properties for LAN Servers with Fixed IP Addresses
Choose an IP address: 192.168.1.2-192.168.1.32;...
The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it. The ZyXEL device uses a system DNS server (in the order you specify here) to resolve domain names for VPN, DDNS and the time server.
Figure 15 Wizard Finish
Well done! You have successfully set up the ZyXEL device. A congratulations screen displays some information.
LABEL DESCRIPTION
General Setup
System Name: Type a descriptive name to identify the ZyXEL device in the Ethernet network. This name can be up to 30 alphanumeric characters long. Spaces are not allowed, but dashes "-" and underscores "_" are accepted.
First DNS Server, Second DNS Server: Select From DHCP if your DHCP server dynamically assigns DNS server information (and the ZyXEL device's Ethernet IP address). The field to the right displays the (read-only) DNS server IP address that the DHCP assigns.
4.4 Configuring Dynamic DNS
To change your ZyXEL device’s DDNS, click SYSTEM, then the DDNS tab. The screen appears as shown.
Figure 17 DDNS
The following table describes the labels in this screen.
Table 16 DDNS...
ADVANCED and then the Password tab. The screen appears as shown. This screen allows you to change the ZyXEL device’s password. If you forget your password (or the ZyXEL device IP address), you will need to reset the ZyXEL device. See Chapter 2 on page 47 for details.
Current Time and Date
Current Time: This field displays the time on your ZyXEL device. Each time you reload this page, if configured to use a time server, the ZyXEL device synchronizes the time with the time server.
Current Date: This field displays the date of your ZyXEL device.
Table 18 Time Setting
LABEL DESCRIPTION
Get from Time Server: Select this if you would like a time server to update the time on your ZyXEL device.
Time Protocol: Select the time service protocol that your time server uses. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.
TCP/IP configuration at start-up from a server. You can configure the ZyXEL device as a DHCP server or disable it. When configured as a server, the ZyXEL device provides the TCP/IP configuration for the clients. If DHCP service is disabled, you must have another DHCP server on your LAN, or else the computer must be manually configured.
RIP Direction controls the sending and receiving of RIP packets. When set to Both or Out Only, the ZyXEL device will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives;...
The ZyXEL device supports both IGMP version 1 (IGMP-v1) and IGMP version 2 (IGMP-v2). At start up, the ZyXEL device queries all directly connected networks to gather group membership. After that, the ZyXEL device periodically updates this information. IP multicasting can be enabled/disabled on the ZyXEL device LAN and/or WAN interfaces in the web configurator (LAN;...
DNS Servers Assigned by DHCP Server
The ZyXEL device passes a DNS (Domain Name System) server IP address (in the order you specify here) to the DHCP clients. The ZyXEL device only passes this information to the LAN DHCP clients when you select the DHCP Server check box.
LAN IP address displays in the field to the right (read-only). The ZyXEL device tells the DHCP clients on the LAN that the ZyXEL device itself is the DNS server. When a computer on the LAN sends a DNS query to the ZyXEL device,...
00:A0:C5:00:00:02. To change your ZyXEL device’s Static DHCP settings, click LAN, then the Static DHCP tab. The screen appears as shown.
Ethernet interface with the ZyXEL device itself as the gateway for each LAN network. To change your ZyXEL device’s IP Alias settings, click LAN, then the IP Alias tab. The screen appears as shown.
Table 21 IP Alias
LABEL DESCRIPTION
IP Alias 1,2: Select the check box to configure another LAN network for the ZyXEL device.
IP Address: Enter the IP address of your ZyXEL device in dotted decimal notation.
IP Subnet Mask: Your ZyXEL device will automatically calculate the subnet mask based on the IP address that you assign.
The wireless network is the part in the blue circle. In this wireless network, devices A and B are called wireless clients. The wireless clients use the access point (AP) to interact with other devices (such as the printer) or with the Internet. Your ZyXEL device is the AP. Every wireless network must follow these basic guidelines.
Security stops unauthorized devices from using the wireless network. It can also protect the information that is sent in the wireless network.
6.2 Wireless Security Overview
The following sections introduce different types of wireless security you can set up in the wireless network.
For example, suppose you have a wireless network with the ZyXEL device. The ZyXEL device does not have a local user database, and you do not have a RADIUS server. Therefore, there is no wireless network login. Suppose the wireless network has two devices.
When you select WPA2 or WPA2-PSK in your ZyXEL device, you can also select an option (WPA compatible) to support WPA as well. In this case, if some of the devices support WPA and some support WPA2, you should set up WPA2-PSK or WPA2 (depending on the type of wireless network login) and select the WPA compatible option in the ZyXEL device.
SSID. Enter a descriptive name (up to 32 printable 7-bit ASCII characters) for the wireless LAN.
Note: If you are configuring the ZyXEL device from a computer connected to the wireless LAN and you change the ZyXEL device’s SSID or WEP settings, you will lose your wireless...
The blue ZyXEL device LED is on when the ZyXEL device is on and blinks (or breathes) when data is being transmitted to/from its wireless stations. Clear the check box to turn this LED off even when the ZyXEL device is on and data is being transmitted/received.
Figure 25 Wireless: No Security
The following table describes the labels in this screen.
Table 25 Wireless No Security
LABEL DESCRIPTION
Security: Select No Security to allow wireless stations to communicate with the access points without any data encryption.
Security: Select Static WEP to enable static WEP encryption.
Passphrase: Enter a Passphrase (up to 32 printable characters) and click Generate. The ZyXEL device automatically generates a WEP key.
Select 64-bit WEP or 128-bit WEP to enable data encryption.
Encryption...
The preceding "0x", that identifies a hexadecimal key, is entered automatically.
Key 1 to Key 4: The WEP keys are used to encrypt data. Both the ZyXEL device and the wireless stations must use the same WEP key for data transmission.
This check box is available only when you select WPA2-PSK as your security level. Select this to have both WPA2-PSK and WPA-PSK wireless clients be able to communicate with the ZyXEL device even when the ZyXEL device is using WPA2-PSK.
Pre-Shared Key: Type a password from 8 to 63 case-sensitive ASCII characters (including spaces and symbols).
6.8 Configuring WPA(2) Authentication
To configure and enable WPA Authentication, click the WIRELESS link under ADVANCED to display the Wireless screen. Select WPA or WPA2 from the Security list.
Note: WPA and WPA2 are two separate choices in this screen. The only configuration difference between the two is that you can select WPA2 to be compatible with WPA.
This check box is available only when you select WPA2 as your security level. Select this to have both WPA2 and WPA wireless clients be able to communicate with the ZyXEL device even when the ZyXEL device is using WPA2.
ReAuthentication...
6.9 Configuring RADIUS
You can configure the ZyXEL device to authenticate wireless clients using an external RADIUS server or have the ZyXEL device itself act as a RADIUS server using the internal RADIUS server. To specify a RADIUS server, click the WIRELESS link under ADVANCED and then choose Internal RADIUS Server or External RADIUS Server in the Wireless configuration screen.
The following table describes the labels in this screen.
Table 29 RADIUS
LABEL DESCRIPTION
Internal RADIUS Server: Select this radio button to use the ZyXEL device’s Internal RADIUS Server. You can authenticate other AP’s or wireless clients in other wireless networks...
Shared Secret: Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external accounting server and the ZyXEL device. The key must be the same on the external accounting server and your ZyXEL device. The key is not sent over the network.
Figure 30 Wireless: 802.1x
The following table describes the labels in this screen.
Table 30 Wireless: 802.1x and No WEP
LABEL DESCRIPTION
ReAuthentication Timer (in seconds): Specify how often wireless stations have to reenter usernames and passwords in order to stay connected.
Select Local first, then RADIUS to have the ZyXEL device first check the trusted user database on the ZyXEL device for a wireless station's username and password. If the user name is not found, the ZyXEL device then checks the user database on the specified RADIUS server.
Filter Action: Define the filter action for the list of MAC addresses in the MAC Address table. Select Deny Association to block access to the ZyXEL device; MAC addresses not listed will be allowed to access the ZyXEL device. Select Allow Association to permit access to the ZyXEL device; MAC addresses not listed will be denied access to the ZyXEL device.
Table 32 Roaming
LABEL DESCRIPTION
Active: Select Yes from the drop-down list box to enable roaming on the ZyXEL device if you have two or more ZyXEL devices on the same subnet.
Note: All APs on the same subnet and the wireless stations must have the same SSID to allow roaming.
A WAN (Wide Area Network) is an outside connection to another network or the Internet.
7.2 Configuring WAN ISP
To change your ZyXEL device’s WAN ISP settings, click WAN, then ISP tab. The screen differs depending on the encapsulation and service type.
Choose from Standard, RR-Toshiba (Roadrunner Toshiba authentication method), RR-Manager (Roadrunner Manager authentication method), RR-Telstra (RoadRunner Telstra authentication method), or Telia Login.
Apply: Click Apply to save your changes back to the ZyXEL device.
Reset: Click Reset to begin configuring this screen afresh.
7.2.1.1 Service Type
The screen varies according to the service type you select.
Relogin Every (min): This field only applies when you select Telia Login in the Service Type. The Telia server logs the ZyXEL device out if the ZyXEL device does not log in periodically. Type the number of minutes from 1 to 59 for the ZyXEL device to wait between logins.
By implementing PPPoE directly on the ZyXEL device (rather than individual computers), the computers on the LAN do not need PPPoE software installed, since the ZyXEL device does that part of the task. Furthermore, with NAT, all of the LANs’ computers will have access.
This value specifies the time in seconds that elapses before the router automatically disconnects from the PPPoE server.
Apply: Click Apply to save your changes back to the ZyXEL device.
Reset: Click Reset to begin configuring this screen afresh.
7.2.3 PPTP Encapsulation...
Nailed-up Connection: Select Nailed-Up Connection if you do not want the connection to time out.
Idle Timeout: This value specifies the time in seconds that elapses before the ZyXEL device automatically disconnects from the PPTP server.
PPTP Configuration
My IP Address: Type the (static) IP address assigned to you by your ISP.
Click Reset to begin configuring this screen afresh.
7.3 Configuring WAN IP
To change your ZyXEL device’s WAN IP settings, click WAN, then the WAN IP tab. This screen varies according to the type of encapsulation you select. If your ISP did not assign you a fixed IP address, click Get automatically from ISP, otherwise click Use fixed IP Address and enter the IP address in the field provided.
Figure 37 WAN: IP
The following table describes the labels in this screen.
Table 37 WAN: IP
LABEL DESCRIPTION
WAN IP Address Assignment
Get automatically from ISP: Select this option if your ISP did not assign you a fixed IP address. This is the default selection.
When set to Both or In Only, the ZyXEL device will incorporate RIP information that it receives. When set to None, the ZyXEL device will not send any RIP packets and will ignore any RIP packets received. By default, RIP Direction is set to Both.
Reset: Click Reset to begin configuring this screen afresh.
7.4 Configuring WAN MAC
To change your ZyXEL device’s WAN MAC settings, click WAN, then the MAC tab. The screen appears as shown.
Figure 38 MAC Setup
The MAC address screen allows users to configure the WAN port's MAC address by either using the factory default or cloning the MAC address from a computer on your LAN.
Otherwise, click Spoof this computer's MAC address - IP Address and enter the IP address of the computer on the LAN whose MAC you are cloning. Once it is successfully configured, the address will be copied to the rom file (ZyNOS configuration file). It will not change unless you change the setting or upload a different ROM file.
IP address known within another network.
8.1.1 NAT Definitions
Inside/outside denotes where a host is located relative to the ZyXEL device. For example, the computers of your subscribers are the inside hosts, while the web servers on the Internet are the outside hosts.
Many-to-One and Many-to-Many Overload NAT mapping) in each packet and then forwards it to the Internet. The ZyXEL device keeps track of the original addresses and port numbers so incoming reply packets can have their original values restored. The following figure illustrates this.
8.1.4 NAT Application The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyXEL device can communicate with three distinct WAN networks. More examples follow at the end of this chapter.
8.1.5 NAT Mapping Types NAT supports five types of IP/port mapping. They are: • One to One: In One-to-One mode, the ZyXEL device maps one local IP address to one global IP address. • Many to One: In Many-to-One mode, the ZyXEL device maps multiple local IP addresses to one global IP address.
SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server. The ZyXEL device also supports Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types.
Note: If you do not assign a Default Server IP Address, the ZyXEL device discards all packets received for ports that are not specified in this screen or remote management.
Figure 41 Multiple Servers Behind NAT Example 8.4 Configuring SUA Server Note: If you do not assign a Default Server IP Address, the ZyXEL device discards all packets received for ports that are not specified in this screen or remote management.
Figure 42 SUA/NAT Setup
The following table describes the labels in this screen.
Click Reset to begin configuring this screen afresh. 8.5 Configuring Address Mapping Ordering your rules is important because the ZyXEL device applies the rules in the order that you specify. When a rule matches the current packet, the ZyXEL device takes the corresponding action and the remaining rules are ignored.
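The first-match behaviour described above means a broad rule placed ahead of a narrow one silently disables the narrow one. The following added example (not ZyXEL code; the field names, rule sets and addresses are constructed for illustration) models address-mapping rules as ordered local-address ranges and reports any rule that can never match because an earlier rule covers its whole range.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class MappingRule:
    """One address-mapping rule; the field names are hypothetical."""
    map_type: str      # "One-to-One" or "Many-to-One", as named on this page
    local_start: str   # first inside address the rule covers
    local_end: str     # last inside address the rule covers
    global_ip: str     # outside address the rule translates to

    def covers(self, ip):
        addr = ipaddress.ip_address(ip)
        return (ipaddress.ip_address(self.local_start) <= addr
                <= ipaddress.ip_address(self.local_end))

    def contains(self, other):
        """True when every address of `other` is also covered by this rule."""
        return self.covers(other.local_start) and self.covers(other.local_end)


def translate(rules, inside_ip):
    """Apply rules in list order; the first match wins, the rest are ignored.

    Returns (rule_number, global_ip), or None when no rule matches.
    """
    for number, rule in enumerate(rules, start=1):
        if rule.covers(inside_ip):
            return number, rule.global_ip
    return None


def find_shadowed(rules):
    """Return (shadowed_rule_number, shadowing_rule_number) pairs.

    A rule is shadowed when a single earlier rule covers its whole local
    range, so no packet can ever reach it.
    """
    shadowed = []
    for later_idx, later in enumerate(rules):
        for earlier_idx in range(later_idx):
            if rules[earlier_idx].contains(later):
                shadowed.append((later_idx + 1, earlier_idx + 1))
                break
    return shadowed


# Constructed sample rules using documentation address ranges.
SERVER = MappingRule("One-to-One", "192.168.1.10", "192.168.1.10",
                     "203.0.113.10")
EVERYONE = MappingRule("Many-to-One", "192.168.1.1", "192.168.1.254",
                       "203.0.113.1")

BROAD_RULE_FIRST = [EVERYONE, SERVER]     # the server rule can never match
SPECIFIC_RULE_FIRST = [SERVER, EVERYONE]  # the server keeps its own address

if __name__ == "__main__":
    for label, rules in (("broad rule first", BROAD_RULE_FIRST),
                         ("specific rule first", SPECIFIC_RULE_FIRST)):
        print(label)
        print("  192.168.1.10 ->", translate(rules, "192.168.1.10"))
        print("  shadowed rules:", find_shadowed(rules))
```

Running the shadow check over an exported rule list before applying it catches ordering mistakes that would otherwise only show up as a server answering from the wrong global address.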
Figure 43 Address Mapping
The following table describes the labels in this screen.
One-to-one NAT mapping type. 2. Many-to-One mode maps multiple local IP addresses to one global IP address. This is equivalent to SUA (i.e., PAT, port address translation), the ZyXEL device's Single User Account feature, which was the only mapping type that previous ZyXEL device routers supported.
Figure 44 Address Mapping Edit
The following table describes the labels in this screen.
Trigger port forwarding solves this problem by allowing computers on the LAN to dynamically take turns using the service. The ZyXEL device records the IP address of a LAN computer that sends traffic to the WAN to request a service with a specific port number and protocol (a "trigger"...
1 Jane requests a file from the Real Audio server (port 7070). 2 Port 7070 is a “trigger” port and causes the ZyXEL device to record Jane’s computer IP address. The ZyXEL device associates Jane's computer IP address with the "incoming"...
Figure 46 Trigger Port
The following table describes the labels in this screen.
Type a port number or the ending port number in a range of port numbers. Trigger The trigger port is a port (or a range of ports) that causes (or triggers) the ZyXEL device to record the IP address of the LAN computer that sent the traffic to a server on the WAN.
N2 in the following figure through remote node router R1. However, the ZyXEL device is unable to route a packet to network N3 because it doesn't know that there is a route through the same remote node router R1 (via gateway router R2). The static routes are for you to tell the ZyXEL device about the networks beyond the remote nodes.
Select a static route index number and then click Edit to set up a static route on the ZyXEL device. Delete To remove a static route on the ZyXEL device, click the radio button next to the static route index number you want to remove, then click Delete. 9.2.1 Configuring Route Entry Select a static route index number and click Edit.
ZyXEL device that will forward the packet to the destination. On the LAN, the gateway must be a router on the same segment as your ZyXEL device; over the WAN, the gateway must be the IP address of one of the Remote Nodes.
Chapter 10 Firewalls
This chapter gives some background information on firewalls and introduces the ZyXEL device firewall.
10.1 Firewall Overview
Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another.
Internet. This allows it to act as a secure gateway for all data passing between the Internet and the LAN. The ZyXEL device has one Ethernet WAN port and one Ethernet LAN port, which are used to physically separate the network into two areas.
Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources. The ZyXEL device is pre-configured to automatically detect and thwart all known DoS attacks.
10.4.2 Types of DoS Attacks
There are four types of DoS attacks:
1 Those that exploit bugs in a TCP/IP implementation.
2 Those that exploit weaknesses in the TCP/IP specification.
3 Brute-force attacks that flood a network with useless data.
Figure 51 Three-Way Handshake
Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment).
Figure 52 SYN Flood
b In a LAND Attack, hackers flood SYN packets into the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself.
To engage in IP spoofing, a hacker must modify the packet headers so that it appears that the packets originate from a trusted host and should be allowed through the router or firewall. The ZyXEL device blocks all IP Spoofing attempts.
The ZyXEL device uses stateful packet inspection to protect the private LAN from hackers and vandals on the Internet. By default, the ZyXEL device’s stateful inspection allows all communications to the Internet that originate from the LAN, and blocks all traffic to the LAN that originates from the Internet.
Below is a brief technical description of how these connections are tracked. Connections may either be defined by the upper protocols (for instance, TCP), or by the ZyXEL device itself (as with the "virtual connections" created for UDP and ICMP).
10.5.3 TCP Security
The ZyXEL device uses state information embedded in TCP packets. The first packet of any new connection has its SYN flag set and its ACK flag cleared; these are "initiation" packets.
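The default policy and the "initiation" packet test described above can be modelled in a few lines. This is an added example, not ZyXEL code: the class, the connection key and the packet list are constructed, and it assumes that any non-initiation packet belonging to no tracked connection is blocked and that an RST ends the tracked connection.

```python
from dataclasses import dataclass

# TCP flag bits as they appear in the TCP header.
SYN, ACK, RST = 0x02, 0x10, 0x04


@dataclass(frozen=True)
class Packet:
    direction: str  # "LAN->WAN" or "WAN->LAN"
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def is_initiation(pkt):
    """SYN set and ACK cleared: the first packet of a new connection."""
    return bool(pkt.flags & SYN) and not (pkt.flags & ACK)


class StatefulFilter:
    """Default policy from the text: LAN-originated connections are allowed,
    WAN-originated ones are blocked, replies are matched against state."""

    def __init__(self):
        # Each entry is (lan_ip, lan_port, wan_ip, wan_port).
        self.connections = set()

    def check(self, pkt):
        if pkt.direction == "LAN->WAN":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if is_initiation(pkt):
                self.connections.add(key)   # remember the new connection
                return "forward"
        else:
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if is_initiation(pkt):
                return "block"              # connection attempt from the WAN
        if key not in self.connections:
            return "block"                  # assumption: no state, no passage
        if pkt.flags & RST:
            self.connections.discard(key)   # assumption: RST ends the entry
        return "forward"


def run(packets):
    """Feed packets through a fresh filter and return the verdict list."""
    fw = StatefulFilter()
    return [fw.check(p) for p in packets]


# Constructed traffic using documentation addresses.
PC, WEB, STRANGER = "192.168.1.33", "198.51.100.7", "203.0.113.99"
SAMPLE = [
    Packet("LAN->WAN", PC, 40000, WEB, 80, SYN),          # PC opens a session
    Packet("WAN->LAN", WEB, 80, PC, 40000, SYN | ACK),    # server's reply
    Packet("LAN->WAN", PC, 40000, WEB, 80, ACK),          # handshake complete
    Packet("WAN->LAN", STRANGER, 5555, PC, 22, SYN),      # unsolicited SYN
    Packet("WAN->LAN", STRANGER, 5555, PC, 40000, ACK),   # ACK with no state
    Packet("WAN->LAN", WEB, 80, PC, 40000, RST),          # server resets
    Packet("WAN->LAN", WEB, 80, PC, 40000, ACK),          # late packet
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run(SAMPLE)):
        print(f"{verdict:8} {pkt.direction} {pkt.src}:{pkt.sport} -> "
              f"{pkt.dst}:{pkt.dport} flags=0x{pkt.flags:02x}")
```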
Internet. For FTP to work properly, this connection must be allowed to pass through even though a connection from the Internet would normally be rejected. In order to achieve this, the ZyXEL device inspects the application-level FTP data. Specifically, it searches for outgoing "PORT" commands, and when it sees these, it adds a cache entry for the anticipated data connection.
10.7.1.1 When To Use Filtering
1 To block/allow LAN packets by their MAC addresses.
2 To block/allow special IP packets which are neither TCP nor UDP, nor ICMP packets.
3 To block/allow both inbound (WAN to LAN) and outbound (LAN to WAN) traffic between the specific inside host/network "A"...
The web configurator is, by far, the most comprehensive firewall configuration tool your ZyXEL device has to offer. For this reason, it is recommended that you configure your firewall using the web configurator. SMT screens allow you to activate the firewall. CLI commands provide limited configuration options and are only recommended for advanced users. Please refer to the Appendix for firewall CLI commands.
These custom rules work by comparing the Source IP address, Destination IP address and IP protocol type of network traffic to rules set by the administrator. Your customized rules take precedence and override the ZyXEL device’s default rules. 11.3 Rule Logic Overview Note: Study these points carefully before configuring rules.
This section describes examples for firewall rules for connections going from LAN to WAN and from WAN to LAN. LAN to LAN/ZyXEL device and WAN to WAN/ZyXEL device rules apply to packets coming in on the associated interface (LAN or WAN respectively). LAN to LAN/ZyXEL...
11.4.1 LAN to WAN Rules
The default rule for LAN to WAN traffic is that all users on the LAN are allowed non-restricted access to the WAN. When you configure a LAN to WAN rule, you in essence want to limit some or all users from accessing certain services on the WAN.
Edit Rule screen (see Figure 59). Configure the Log Settings screen to have the ZyXEL device send an immediate e-mail message to you when an event generates an alert. Refer to the chapter on logs for details.
Figure 57 Default Rule
The following table describes the labels in this screen.
Table 49 Default Rule
LABEL: DESCRIPTION
Enable Firewall: Select this check box to activate the firewall. The ZyXEL device performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.
When the amount of space used is over 80%, the bar is red. Packet Direction Use the drop-down list box to select a direction of travel of packets ((W)LAN to (W)LAN/ZyXEL device, (W)LAN to WAN, WAN to (W)LAN, WAN to WAN/ZyXEL device) for which you want to configure firewall rules.
Table 50 Rule Summary
LABEL: DESCRIPTION
Action: This is the specified action for that rule, either Block or Forward. Note that Block means the firewall silently discards the packet.
Schedule: This field tells you whether a schedule is specified (Yes) or not (No).
The following table describes the labels in this screen.
Table 51 Creating/Editing A Firewall Rule
LABEL: DESCRIPTION
Edit Source/Destination Address
Address Type: Do you want your rule to apply to packets with a particular (single) IP, a range of IP addresses (e.g., 192.168.1.10 to 192.169.1.50), a subnet or any IP address?
Click Cancel to exit this screen without saving. 11.6.3 Configuring Custom Services Configure customized ports for services not predefined by the ZyXEL device (See “Predefined Services” on page 159 for a list of predefined services). For a comprehensive list of port numbers and services, visit the IANA (Internet Assigned Number Authority) web site.
11.7 Example Firewall Rule
The following Internet firewall rule example allows a hypothetical My Service connection from the Internet.
1 Click the FIREWALL link and then the Rule Summary tab. Select WAN to LAN from the Packet Direction drop-down list box.
Figure 62 Rule Edit Example
6 In the Edit Rule screen, click Add under Custom Service to open the Edit Custom Service screen. Configure it as follows and click Apply.
Figure 63 Edit Custom Service Example
7 In the Edit Rule screen, use the arrows between Available Services and Selected Service(s) to configure it as follows.
Figure 59) displays all predefined services that the ZyXEL device already supports. Next to the name of the service, two fields appear in brackets. The first field indicates the IP protocol type (TCP, UDP, or ICMP). The second field indicates the IP port number that defines the service. (Note that there may be more than one IP protocol type.
Table 53 Predefined Services (continued)
SERVICE: DESCRIPTION
FTP(TCP:20.21): File Transfer Program, a program to enable fast transfer of files, including large files that may not be possible by e-mail.
H.323(TCP:1720): NetMeeting uses this protocol.
Table 53 Predefined Services (continued)
SERVICE: DESCRIPTION
SNMP(TCP/UDP:161): Simple Network Management Program.
SNMP-TRAPS(TCP/UDP:162): Traps for use with the SNMP (RFC:1215).
SQL-NET(TCP:1521): Structured Query Language is an interface to access data on many different types of database systems, including mainframes, midrange systems, UNIX systems and network servers.
The ZyXEL device can block web features such as ActiveX controls, Java applets, cookies and disable web proxies. 12.3 Days and Times The ZyXEL device also allows you to define time periods and days during which the ZyXEL device performs content filtering. 12.4 Configure Content Filtering Click Content Filter on the navigation panel, to open the following screen.
Figure 66 Content Filter
The following table describes the labels in this screen.
Table 54 Content Filter
LABEL: DESCRIPTION
Restrict Web Features: Select the box(es) to restrict a feature. When you download a page containing a restricted feature, that part of the web page will appear blank or grayed out.
Table 54 Content Filter
LABEL: DESCRIPTION
Keyword: Type a keyword in this field. You may use any character (up to 64 characters). Wildcards are not allowed. You can also enter a numerical IP address.
To disable remote management of a service, select Disable in the corresponding Server Access field. You may only have one remote management session running at a time. The ZyXEL device automatically disconnects a remote management session of lower priority when another remote management session of higher priority starts.
There is a default system management idle timeout of five minutes (three hundred seconds). The ZyXEL device automatically logs you out if the management session remains idle for longer than this timeout period. The management session does not time out when a statistics screen is polling.
Click Reset to begin configuring this screen afresh. 13.3 Configuring TELNET You can configure your ZyXEL device for remote Telnet access as shown next. The administrator uses Telnet from a computer on a remote network to access the ZyXEL device.
Address ZyXEL device using this service. Select All to allow any computer to access the ZyXEL device using this service. Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL device using this service.
FTP, please see the chapter on firmware and configuration file maintenance for details. To use this feature, your computer must have an FTP client. To change your ZyXEL device’s FTP settings, click REMOTE MGMT, then the FTP tab. The screen appears as shown.
An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyXEL device). An agent translates the local management information from the managed device into a form compatible with SNMP.
• Trap - Used by the agent to inform the manager of some events. 13.5.1 Supported MIBs The ZyXEL device supports MIB II that is defined in RFC-1213 and RFC-1215. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance.
The default is public and allows all requests. Trusted Host If you enter a trusted host, your ZyXEL device will only respond to SNMP messages from this address. A blank (default) field means your ZyXEL device will respond to all SNMP messages it receives, regardless of source.
Address ZyXEL device using this service. Select All to allow any computer to access the ZyXEL device using this service. Choose Selected to just allow the computer with the IP address that you specify to access the ZyXEL device using this service.
To change your ZyXEL device’s security settings, click REMOTE MGMT, then the Security tab. The screen appears as shown. If an outside user attempts to probe an unsupported port on your ZyXEL device, an ICMP response packet is automatically returned. This allows the outside user to know the ZyXEL device exists.
Select this option to prevent hackers from finding the ZyXEL device by probing unused ports. If you select this option, the ZyXEL device will not respond to unauthorized requests for unused ports, thus leaving the unused ports and the ZyXEL device services unseen.
Chapter 14 UPnP
This chapter introduces the Universal Plug and Play feature.
14.1 Universal Plug and Play Overview
Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices.
Disable UPnP if this is not your intention.
14.2 UPnP and ZyXEL
ZyXEL has achieved UPnP certification from the Universal Plug and Play Forum UPnP™ Implementers Corp. (UIC). The ZyXEL device's UPnP implementation supports IGD 1.0 (Internet Gateway Device). At the time of writing, the ZyXEL device's UPnP implementation supports Windows Messenger 4.6 and 4.7 while Windows Messenger 5.0 and Xbox are still...
and Play (UPnP) feature: Select this checkbox to activate UPnP. Be aware that anyone could use a UPnP application to open the web configurator's login screen without entering the ZyXEL device's IP address (although you must still enter the password to access the web configurator). Allow users to make...
1 Click Start and Control Panel. Double-click Add/Remove Programs.
2 Click on the Windows Setup tab and select Communication in the Components selection box. Click Details.
3 In the Communications window, select the Universal Plug and Play check box in the Components selection box.
This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the ZyXEL device. Make sure the computer is connected to a LAN port of the ZyXEL device. Turn on your computer and the ZyXEL device.
14.5.1 Auto-discover Your UPnP-enabled Network Device
1 Click Start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway.
2 Right-click the icon and select Properties.
3 In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created.
14.5.2 Web Configurator Easy Access With UPnP, you can access the web-based configurator on the ZyXEL device without finding out the IP address of the ZyXEL device first. This is helpful if you do not know the IP address of the ZyXEL device.
14.5.3 Web Configurator Easy Access With UPnP, you can access the web-based configurator on the ZyXEL device without finding out the IP address of the ZyXEL device first. This is helpful if you do not know the IP address of the ZyXEL device.
Other Places. 4 An icon with the description for each UPnP-enabled device displays under Local Network. 5 Right-click the icon for your ZyXEL device and select Invoke. The web configurator login screen displays. 6 Right-click the icon for your ZyXEL device and select Properties.
The ZyXEL device has a built-in RADIUS server that can authenticate wireless clients or other APs in other wireless networks. The ZyXEL device can function as an AP and as a RADIUS server at the same time. PEAP (Protected EAP) and MD5 authentication are implemented on the internal RADIUS server using simple username and password methods over a secure TLS connection.
DESCRIPTION
Setting: Use the Setting screen to display information about the ZyXEL device’s certificate and to activate the internal RADIUS server on your ZyXEL device.
Trusted AP: Use the Trusted AP screen to configure which trusted APs you can authenticate. You can authenticate up to 31 APs using the ZyXEL device’s internal RADIUS.
RADIUS server can be authenticated. ZyXEL recommends that you replace the factory default certificate with one that uses your ZyXEL device's MAC address. This can be done when you first log in to the ZyXEL device or in the Advanced web configurator Certificates screen.
Name This field displays the name used to identify this certificate. The ZyXEL device has an auto_generated_self_signed_cert by factory default. The factory default certificate is common to all ZyXEL devices that use certificates. You can replace...
Click Reset to start configuring this screen afresh. 15.3 Trusted AP Overview A trusted AP is an AP that uses the ZyXEL device’s internal RADIUS server to authenticate its wireless clients. The following shows how this is done in two phases.
DESCRIPTION This field displays the trusted AP index number. Active Select this checkbox to have the ZyXEL device use the IP Address and Shared Secret to authenticate a trusted AP. IP Address Type the IP network address of the trusted AP in dotted decimal notation.
They are grayed out and therefore cannot be configured. The shared secret must be the same on the trusted AP and your ZyXEL device. The shared secret is not sent over the network. The shared secret is used to encrypt messages from and to the ZyXEL device.
DESCRIPTION This field displays the trusted user index number. Active Select this checkbox to have the ZyXEL device authenticate wireless clients with the same user name and password activated on their wireless utility. User Name Enter the username for this user account. This name can be up to 31 alphanumeric characters long, including spaces.
Table 66 Trusted Users
LABEL: DESCRIPTION
Apply: Click Apply to save your changes back to the ZyXEL device.
Reset: Click Reset to begin configuring this screen afresh.
16.1 Certificates Overview The ZyXEL device can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use in authentication.
A certification path is the hierarchy of certification authority certificates that validate a certificate. The ZyXEL device does not trust a certificate if any certificate on its path has expired or been revoked. Certification authorities maintain directory servers with databases of valid and revoked certificates.
LABEL: DESCRIPTION
PKI Storage Space in Use: This bar displays the percentage of the ZyXEL device’s PKI storage space that is currently in use. When you are using 80% or less of the storage space, the bar is green. When the amount of space used is over 80%, the bar is red. When the bar is red, you should consider deleting expired or unnecessary certificates before adding more certificates.
Note that subsequent certificates move up by one when you take this action Create Click Create to go to the screen where you can have the ZyXEL device generate a certificate or a certification request. Import Click Import to open a screen where you can save the certificate that you have enrolled from a certification authority from your computer to the ZyXEL device.
X.509 certificate into a printable form. • Binary PKCS#7: This is a standard that defines the general syntax for data (including digital signatures) that may be encrypted. The ZyXEL device currently allows the importation of a PKCS#7 file that contains a single certificate.
Click CERTIFICATES, My Certificates and then Create to open the My Certificate Create screen. Use this screen to have the ZyXEL device create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request, see the following figure.
Select Create a certification request and save it locally for later manual enrollment to have the ZyXEL device generate and store a request for a certificate. Use the My Certificate Details screen to view the certification request and copy it to send to the certification authority.
In the case of a self-signed certificate, you can set it to be the one that the ZyXEL device uses to sign the trusted remote host certificates that you import to the ZyXEL device.
31 characters to identify this certificate. You may use any character (not including spaces).
Property: Default self-signed certificate which... Select this check box to have the ZyXEL device use this certificate to sign the trusted remote host certificates that you import to the ZyXEL device. This check box is only available with self-signed certificates.
If the certificate is a self-signed certificate, the certificate itself is the only one in the list. The ZyXEL device does not trust the certificate and displays “Not trusted” in this field if any certificate on the path has expired or been revoked.
Click CERTIFICATES, Trusted CAs to open the Trusted CAs screen. This screen displays a summary list of certificates of the certification authorities that you have set the ZyXEL device to accept as trusted. The ZyXEL device accepts any valid certificate signed by a certification authority on this list as being trustworthy;...
LABEL: DESCRIPTION
PKI Storage Space in Use: This bar displays the percentage of the ZyXEL device’s PKI storage space that is currently in use. When you are using 80% or less of the storage space, the bar is green. When the amount of space used is over 80%, the bar is red. When the bar is red, you should consider deleting expired or unnecessary certificates before adding more certificates.
Import to open the Trusted CA Import screen. Follow the instructions in this screen to save a trusted certification authority’s certificate to the ZyXEL device, see the following figure. Note: You must remove any spaces from the certificate’s filename before you can import the certificate.
Trusted CA Details screen. Use this screen to view in-depth information about the certification authority’s certificate, change the certificate’s name and set whether or not you want the ZyXEL device to check a certification authority’s list of revoked certificates before trusting a certificate issued by the certification authority.
31 characters to identify this key certificate. You may use any character (not including spaces).
Property: Default self-signed certificate which... Select this check box to have the ZyXEL device use this certificate to sign the trusted remote host certificates that you import to the ZyXEL device. This check box is only available with self-signed certificates.
Key Algorithm: This field displays the type of algorithm that was used to generate the certificate’s key pair (the ZyXEL device uses RSA encryption) and the length of the key set in bits (1024 bits for example).
Subject Alternative: This field displays the certificate’s owner’s IP address (IP), domain name (DNS)
Click Apply to save your changes back to the ZyXEL device. You can only change the name and/or set whether or not you want the ZyXEL device to check the CRL that the certification authority issues before trusting a certificate issued by the certification authority.
ZyXEL device’s logs. Refer to the appendix for example log message explanations. 17.1 Configuring View Log The web configurator allows you to look at all of the ZyXEL device’s logs in one location. Click the LOGS link under ADVANCED to open the View Log screen. Use the View Log...
Log Settings tab. The screen appears as shown. Use the Log Settings screen to configure where the ZyXEL device sends the logs, the schedule for when the ZyXEL device sends the logs, and which logs and/or immediate alerts the ZyXEL device sends.
Select the categories of logs that you want to record. Send Immediate Alert Select the categories of alerts for which you want the ZyXEL device to immediately send e-mail alerts. Apply Click Apply to save your customized settings and exit this screen.
The ZyXEL device records web site hits by counting the HTTP GET packets. Many web sites include HTTP GET references to other web sites and the ZyXEL device may count these as hits, thus the web hit count is not (yet) 100% accurate.
The LAN IP addresses are listed in descending order with the LAN IP address to and/or from which the most traffic was sent listed first. Note: All of the recorded reports data is erased when you turn off the ZyXEL device.
ZyXEL device. 18.2 System Status Screen Click MAINTENANCE to open the System Status screen, which you can use to monitor your ZyXEL device. Note that these labels are READ-ONLY and are meant to be used for diagnostic purposes.
The model name identifies your device type. The model name should also be on a sticker on your ZyXEL device. If you are uploading firmware, be sure to upload firmware for this exact model name. This field is not available on all models.
TCP/IP configuration at start-up from a server. You can configure the ZyXEL device as a DHCP server or disable it. When configured as a server, the ZyXEL device provides the TCP/IP configuration for the clients. If set to None, DHCP service will be disabled and you must have another DHCP server on your LAN, or else the computer must be manually configured.
Click MAINTENANCE, and then the DHCP Table tab. Read-only information here relates to your DHCP status. The DHCP table shows current DHCP Client information (including IP Address, Host Name and MAC Address) of all network clients using the DHCP server.
00:A0:C5:00:00:02. Reserve Select this check box to have the ZyXEL device always assign this IP address to this MAC address (and host name). Apply Click Apply to have the MAC address and IP address also display in the LAN Static DHCP screen (where you can edit them).
18.5 F/W Upload Screen
Find firmware at www.zyxel.com in a file that (usually) uses the system model name with a "*.bin" extension, e.g., "zyxel.bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes. After a successful upload, the system will reboot.
Figure 97 Firmware Upload In Process
The ZyXEL device automatically restarts in this time, causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.
Figure 98 Network Temporarily Disconnect
After two minutes, log in again and check your new firmware version in the System Status screen.
Figure 99 Firmware Upload Error
18.6 Configuration Screen
See the Firmware and Configuration File Maintenance chapter for transferring configuration files using FTP/TFTP commands. Click MAINTENANCE, and then the Configuration tab. Information related to factory defaults, backup configuration, and restoring configuration appears as shown next.
Backup configuration allows you to back up (save) the ZyXEL device’s current configuration to a file on your computer. Once your ZyXEL device is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes.
If you uploaded the default configuration file you may need to change the IP address of your computer to be in the same subnet as that of the default ZyXEL device IP address (192.168.1.1). See your Quick Installation Guide for details on how to set up your computer’s IP address.
18.6.3 Back to Factory Defaults Pressing the Reset button in this section clears all user-entered configuration information and returns the ZyXEL device to its factory defaults as shown on the screen. The following warning screen will appear. Figure 104 Reset Warning Message You can also press the RESET button on the side panel to reset the factory defaults of your ZyXEL device.
Please note that if there is no activity for longer than five minutes (default timeout period) after you log in, your ZyXEL device will automatically log you out. You will then have to telnet into the ZyXEL device again. You can use the web configurator or the CI commands to change the inactivity time out period.
Enter Password : ****
19.3 Changing the System Password
Change the ZyXEL device default password by following the steps shown next.
1 From the main menu, enter 23 to display Menu 23 – System Security.
2 Enter 1 to display Menu 23.1 – System Security – Change Password as shown next.
ZyXEL G-2000 Plus v2 User’s Guide Figure 109 ZyXEL device SMT Menu Overview Example 19.5 Navigating the SMT Interface The SMT (System Management Terminal) is the interface that you use to configure your ZyXEL device. Several operations that you should be familiar with before you attempt to modify the configuration are listed in the table below.
Table 83 Main Menu Commands
OPERATION: Move to a “hidden” menu. KEYSTROKE: Press [SPACE BAR] to change No to Yes then press [ENTER]. DESCRIPTION: Fields beginning with “Edit” lead to hidden menus and have a default setting of No. Press [SPACE BAR] once to...
Static Routing Setup Use this menu to set up static routes. Dial-in User Setup Use this menu to set up local user profiles on the ZyXEL device. NAT Setup Use this menu to specify inside servers when NAT is enabled.
Change the ZyXEL device default password by following the steps shown next.
1 Enter 23 in the main menu to display Menu 23 - System Security as shown next.
Figure 111 Menu 23: System Security...
"Computer Name". In Windows 95/98 click Start, Settings, Control Panel, Network. Click the Identification tab, note the entry for the Computer name field and enter it as the ZyXEL device System Name.
IP address of a machine before you can access it. The ZyXEL device uses a system DNS server (in the order you specify here) to resolve domain names for VPN, DDNS and the time server. Fields: Second System DNS Server, Third System DNS Server.
20.1.2 Procedure to Configure Dynamic DNS
Note: If you have a private WAN IP address, then you cannot use Dynamic DNS.
To configure Dynamic DNS, go to Menu 1 — General Setup and select Yes in the Edit Dynamic DNS field.
Address address of the host name(s) to the IP address specified below. Only select Yes if the ZyXEL device uses or is behind a static public IP address. IP Address Enter the static public IP address if you select Yes in the User Specified IP Addr field.
Chapter 21 Menu 2 WAN Setup
This chapter describes how to configure the WAN using menu 2.
21.1 Introduction to WAN
This chapter explains how to configure settings for your WAN port.
ZyXEL G-2000 Plus v2 User’s Guide Table 87 Menu 2 WAN Setup FIELD DESCRIPTION MAC Address Assigned By Press [SPACE BAR] and then [ENTER] to choose one of two methods to assign a MAC Address. Choose Factory Default to select the factory assigned default MAC Address.
Chapter 22 LAN Setup
This chapter shows you how to configure wired Local Area Network (LAN) settings on your ZyXEL device.
22.1 LAN Setup
This section describes how to configure the Ethernet using Menu 3 – LAN Setup. From the main menu, enter 3 to display menu 3.
• For bridging Ethernet setup refer to the Bridging Setup chapter. 22.3 TCP/IP Ethernet Setup and DHCP Use menu 3.2 to configure your ZyXEL device for TCP/IP. To edit menu 3.2, enter 3 from the main menu to display Menu 3 — LAN Setup. When menu 3 appears, press 2 and press [ENTER] to display Menu 3.2 —...
LAN IP address displays in the IP Address field below (read-only). The ZyXEL device tells the DHCP clients on the LAN that the ZyXEL device itself is the DNS server. When a computer on the LAN sends a DNS query to the ZyXEL device, the ZyXEL device forwards the query to the ZyXEL device's system DNS server (configured in menu 1) and relays the response back to the computer.
IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The ZyXEL device supports three logical LAN interfaces via its single physical Ethernet interface with the ZyXEL device itself as the gateway for each LAN network.
ZyXEL G-2000 Plus v2 User’s Guide Figure 120 Menu 3.2.1: IP Alias Setup Menu 3.2.1 - IP Alias Setup IP Alias 1= No IP Address= N/A IP Subnet Mask= N/A RIP Direction= N/A Version= N/A Incoming protocol filters= N/A Outgoing protocol filters= N/A...
22.4 Wireless LAN Setup Use menu 3.5 to set up your ZyXEL device as the wireless access point. To edit menu 3.5, enter 3 from the main menu to display Menu 3 – LAN Setup. When menu 3 appears, press 5 and then press [ENTER] to display Menu 3.5 –...
Default Key Enter the key number (1 to 4) in this field. Only one key can be enabled at any one time. This key must be the same on the ZyXEL device and the wireless stations to communicate.
Select Yes to enable the Breathing LED, also known as the ZyAIR LED. The blue ZyAIR LED is on when the ZyXEL device is on and blinks (or breathes) when data is being transmitted to/from its wireless stations. Clear the check box to turn this LED off even when the ZyXEL device is on and data is being transmitted/received.
ZyXEL G-2000 Plus v2 User’s Guide 2 Enter 5 to display Menu 3.5 – Wireless LAN Setup. Figure 122 Menu 3.5 Wireless LAN Setup Menu 3.5 - Wireless LAN Setup Enable Wireless LAN= Yes ESSID= Wireless Hide ESSID= No Edit MAC Address Filter= Yes...
Define the filter action for the list of MAC addresses in the MAC address filter table. To deny access to the ZyXEL device, press [SPACE BAR] to select Deny Association and press [ENTER]. MAC addresses not listed will be allowed to access the router.
Use information from your ISP along with the instructions in this chapter to set up your ZyXEL device to access the Internet. There are three different menu 4 screens depending on whether you chose Ethernet, PPTP or PPPoE Encapsulation. Contact your ISP to determine what encapsulation type you should use.
Enter your password again to make sure that you have entered it correctly. Login Server The ZyXEL device will find the RoadRunner Server IP if this field is left blank. If it does not, then you must enter the authentication server IP address.
ZyXEL G-2000 Plus v2 User’s Guide To configure a PPTP client, you must configure the My Login and Password fields for a PPP connection and the PPTP parameters for a PPTP connection. After configuring My Login and Password for PPP connection, press [SPACE BAR] and then [ENTER] in the Encapsulation field in Menu 4 -Internet Access Setup to choose PPTP as your encapsulation option.
Press [SPACE BAR] and then press [ENTER] to choose PPTP. The encapsulation method influences your choices for the IP Address field. Idle Timeout This value specifies the time, in seconds, that elapses before the ZyXEL device automatically disconnects from the PPTP server. 23.4 Configuring the PPPoE Client If you enable PPPoE in menu 4, you will see the next screen.
Internet that originate from the LAN, and blocks all traffic to the LAN that originates from the Internet. You may deactivate the firewall in menu 21.2 or via the ZyXEL device embedded web configurator. You may also define additional firewall rules or modify existing ones but please exercise extreme caution in doing so.
Chapter 24 Remote Node Configuration
This chapter covers remote node configuration.
24.1 Introduction to Remote Node Setup
A remote node is required for placing calls to a remote gateway. A remote node represents both the remote gateway and the network behind it across a WAN connection.
ZyXEL device to wait between logins. Route This field refers to the protocol that will be routed by your ZyXEL device – IP is the only option for the ZyXEL device. Use [SPACE BAR] to select Yes to use your ISP.
The ZyXEL device does two things when you specify a nailed-up connection. The first is that idle timeout is disabled. The second is that the ZyXEL device will try to bring up the connection when turned on and whenever the connection is down. A nailed-up connection can be very expensive for obvious reasons.
Session Options Idle Timeout Type the length of idle time (when there is no traffic from the ZyXEL device to the remote node) in seconds that can elapse before the ZyXEL device automatically disconnects the PPPoE connection. This option only applies when the ZyXEL device initiates the call.
ZyXEL G-2000 Plus v2 User’s Guide Table 98 Menu 11.1 Remote Node Profile for PPTP Encapsulation FIELD DESCRIPTION Encapsulation Press [SPACE BAR] and then [ENTER] to select PPTP. You must also go to menu 11.3 to check the IP Address setting once you have selected the encapsulation method.
See the NAT chapter for a full discussion on this feature. Metric Enter a number from 1 to 15 to set this route’s priority among the ZyXEL device’s routes (see the Metric section in the WAN and Dial Backup Setup chapter). The smaller the number, the higher priority the route has.
Use menu 11.5 to specify the filter set(s) to apply to the incoming and outgoing traffic between this remote node and the ZyXEL device to prevent certain packets from triggering calls. You can specify up to 4 filter sets separated by commas, for example, 1, 5, 9, 12, in each filter field.
Chapter 25 Static Route Setup
This chapter shows how to set up IP static routes.
25.1 IP Static Route Setup
To configure an IP static route, use Menu 12 – Static Routing Setup (shown next).
Type the IP address of the gateway. The gateway is an immediate neighbor of your ZyXEL device that will forward the packet to the destination. On the LAN, the gateway must be a router on the same segment as your ZyXEL device;...
This chapter shows you how to create user accounts on the ZyXEL device. 26.1 Dial-in User Setup By storing user profiles locally, your ZyXEL device is able to authenticate wireless users without interacting with a network RADIUS server. Follow the steps below to set up user profiles on your ZyXEL device.
ZyXEL G-2000 Plus v2 User’s Guide Figure 136 Menu 14.1- Edit Dial-in User Menu 14.1 - Edit Dial-in User User Name= tester one Active= Yes Password= ******** Leave name field blank to delete profile The following table describes the fields in this screen.
NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types. Note: Choose SUA Only if you have just one public WAN IP address for your ZyXEL device. Choose Full Feature if you have multiple public WAN IP addresses for your ZyXEL device.
ZyXEL G-2000 Plus v2 User’s Guide Figure 137 Menu 4 Applying NAT for Internet Access Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= Ethernet Service Type= Standard My Login= N/A My Password= N/A Retype to Confirm= N/A Login Server= N/A...
Press [SPACE BAR] and then [ENTER] to select Full Feature if you have multiple public WAN IP addresses for your ZyXEL device. The SMT uses the address mapping set that you configure and enter in the Address Mapping Set field (menu 15.1 - see section ).
ZyXEL G-2000 Plus v2 User’s Guide Figure 140 Menu 15.1 Address Mapping Sets Menu 15.1 - Address Mapping Sets 1. NAT_SET 255. SUA (read only) Enter Menu Selection Number: Enter 255 to display the next screen, see the SUA (Single User Account) Versus NAT section.
ZyXEL G-2000 Plus v2 User’s Guide Table 103 SUA Address Mapping Rules FIELD DESCRIPTION Set Name This is the name of the set you selected in menu 15.1 or enter the name of a new set you want to create.
ZyXEL G-2000 Plus v2 User’s Guide 27.3.1.2 Ordering Your Rules Ordering your rules is important because the ZyXEL device applies the rules in the order that you specify. When a rule matches the current packet, the ZyXEL device takes the corresponding action and the remaining rules are ignored.
ZyXEL G-2000 Plus v2 User’s Guide Table 104 Menu 15.1.1 First Set FIELD DESCRIPTION Set Name Enter a name for this set of rules. This is a required field. If this field is left blank, the entire set will be deleted.
ZyXEL G-2000 Plus v2 User’s Guide Table 105 Menu 15.1.1.1 Editing/Configuring an Individual Rule in a Set FIELD DESCRIPTION Type Press [SPACE BAR] and then [ENTER] to select from a total of five types. These are the mapping types discussed in the chapter on NAT web configurator screens. Server allows you to specify multiple servers of different types behind NAT to this computer.
ZyXEL G-2000 Plus v2 User’s Guide Figure 144 Menu 15.2.1 NAT Server Setup Menu 15.2 - NAT Server Setup Rule Start Port No. End Port No. IP Address --------------------------------------------------- Default Default 0.0.0.0 192.168.1.33 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0...
ZyXEL G-2000 Plus v2 User’s Guide 27.5.1 Example 1: Internet Access Only In the following Internet access example, you only need one rule where the ILAs (Inside Local Addresses) of computers A through D map to one dynamic IGA (Inside Global Address) assigned by your ISP.
ZyXEL G-2000 Plus v2 User’s Guide Figure 148 NAT Example 2 In this case, you do exactly as above (use the convenient pre-configured SUA Only set) and also go to menu 15.2 to specify the Inside Server behind the NAT as shown in the next figure.
ZyXEL G-2000 Plus v2 User’s Guide 4 You also map your third IGA to the web server and mail server on the LAN. Type Server allows you to specify multiple servers, of different types, to other computers behind NAT on the LAN.
ZyXEL G-2000 Plus v2 User’s Guide Figure 151 NAT Example 3: Menu 11.3 Menu 11.3 - Remote Node Network Layer Options IP Address Assignment= Dynamic IP Address= N/A IP Subnet Mask= N/A Gateway IP Addr= N/A Network Address Translation= Full Feature...
ZyXEL G-2000 Plus v2 User’s Guide Figure 152 Example 3: Menu 15.1.1.1 Menu 15.1.1.1 Address Mapping Rule Type= One-to-One Local IP: Start= 192.168.1.10 = N/A Global IP: Start= 10.132.50.1 = N/A Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle.
ZyXEL G-2000 Plus v2 User’s Guide Figure 154 Example 3: Menu 15.2 Menu 15.2 - NAT Server Setup Rule Start Port No. End Port No. IP Address --------------------------------------------------- Default Default 0.0.0.0 192.168.1.21 192.168.1.20 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0...
ZyXEL G-2000 Plus v2 User’s Guide Figure 156 Example 4: Menu 15.1.1.1 Address Mapping Rule. Menu 15.1.1.1 Address Mapping Rule Type= Many-One-to-One Local IP: Start= 192.168.1.10 = 192.168.1.12 Global IP: Start= 10.132.50.1 = 10.132.50.3 Press ENTER to Confirm or ESC to Cancel: After you’ve configured your rule, you should be able to check the settings in menu 15.1.1 as...
Figure 158 Menu 15.3 Trigger Port Setup
Menu 15.3 - Trigger Port Setup
                    Incoming              Trigger
Rule  Name          Start Port  End Port  Start Port  End Port
----------------------------------------------------------------------
      Real Audio    6970        7170      7070        7070
Press ENTER to Confirm or ESC to Cancel:
The following table describes the fields in this screen.
Enter a port number or the ending port number in a range of port numbers. Trigger The trigger port is a port (or a range of ports) that causes (or triggers) the ZyXEL device to record the IP address of the LAN computer that sent the traffic to a server on the WAN.
This chapter shows you how to create and apply filters. 28.1 Introduction to Filters Your ZyXEL device uses filters to decide whether to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering. Filters are subdivided into device and protocol filters, which are discussed later.
A filter set consists of one or more filter rules. Usually, you would group related rules, e.g., all the rules for NetBIOS, into a single set and give it a descriptive name. The ZyXEL device allows you to configure up to twelve filter sets with six rules in each set, for a total of 72 filter rules in the system.
24 rules active for a single port. 28.2 Configuring a Filter Set The ZyXEL device includes filtering for NetBIOS over TCP/IP packets by default. To configure another filter set, follow the procedure below. 1 Enter 21 in the main menu to open menu 21.
Figure 161 Menu 21: Filter and Firewall Setup
Menu 21 - Filter and Firewall Setup
1. Filter Setup
2. Firewall Setup
Enter Menu Selection Number:
2 Enter 1 to bring up the following menu.
ZyXEL G-2000 Plus v2 User’s Guide Table 107 Abbreviations Used in the Filter Rules Summary Menu FIELD DESCRIPTION The filter rule number: 1 to 6. Active: “Y” means the rule is active. “N” means the rule is inactive. Type The type of filter rule: “GEN” for Generic, “IP” for TCP/IP.
Table 109 TCP/IP Filter Rule
FIELD: Active. DESCRIPTION: Press [SPACE BAR] and then [ENTER] to select Yes to activate the filter rule or No to deactivate it.
FIELD: IP Protocol. DESCRIPTION: Protocol refers to the upper layer protocol, e.g., TCP is 6, UDP is 17 and ICMP is 1. OPTIONS: 0-255
Table 109 TCP/IP Filter Rule
DESCRIPTION: Press [SPACE BAR] and then [ENTER] to select a logging option from the following: None – No packets will be logged. Action Matched - Only packets that match the rule parameters will be logged.
OPTIONS: None, Action Matched, Action Not...
For IP, it is generally easier to use the IP rules directly. For generic rules, the ZyXEL device treats a packet as a byte stream as opposed to an IP or IPX packet. You specify the portion of the packet to check with the Offset (from 0) and the Length fields, both in bytes.
ZyXEL G-2000 Plus v2 User’s Guide To configure a generic rule, select Generic Filter Rule in the Filter Type field in menu 21.1.4.1 and press [ENTER] to open Generic Filter Rule, as shown below. Figure 165 Menu 21.1.4.1 Generic Filter Rule Menu 21.1.4.1 - Generic Filter Rule...
“Press ENTER to Confirm” to save your configuration, or press [ESC] to cancel. This data will now be displayed on Menu 21.1.1 - Filter Rules Summary.
28.3 Example Filter
Let’s look at an example to block outside users from accessing the ZyXEL device via telnet.
Figure 166 Telnet Filter Example
1 Enter 21 from the main menu to open Menu 21 - Filter and Firewall Setup.
2 Enter 1 to open Menu 21.1 - Filter Set Configuration.
3 Enter the index of the filter set you wish to configure (say 3) and press [ENTER].
4 Enter a descriptive name or comment in the Edit Comments field and press [ENTER].
• The Port # for the telnet service (TCP protocol) is 23. See RFC 1060 for port numbers of well-known services.
• Select Equal from the Port # Comp field as you are looking for packets going to port 23 only.
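The telnet filter described above can be checked offline against sample packets. The following is an added example, not ZyXEL firmware code and not part of the original guide: a simplified Python model that parses a raw IPv4 header and walks an ordered list of TCP/IP filter rules. The rule field names, the action values (Drop, Forward, Check Next Rule), the default of forwarding when a set is exhausted, and the sample packets are all assumptions of this model.

```python
import struct
from dataclasses import dataclass

TCP, UDP = 6, 17  # IP protocol numbers, as listed in the TCP/IP filter rule table


@dataclass
class IpRule:
    """One TCP/IP filter rule in this simplified model (names are illustrative)."""
    protocol: int            # 0 means "any protocol" in this model
    dst_port: int            # destination port to compare
    port_comp: str           # "Equal" to compare the port, "None" to skip the check
    action_matched: str      # "Drop", "Forward" or "Check Next Rule"
    action_not_matched: str  # same choices


def parse_ipv4(packet: bytes):
    """Return (protocol, dst_port) from a raw IPv4 packet; dst_port may be None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4           # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    protocol = packet[9]
    dst_port = None
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    # Only the first fragment of a TCP/UDP packet carries the port fields.
    if protocol in (TCP, UDP) and frag_offset == 0 and len(packet) >= ihl + 4:
        dst_port = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return protocol, dst_port


def rule_matches(rule: IpRule, protocol: int, dst_port) -> bool:
    if rule.protocol and rule.protocol != protocol:
        return False
    if rule.port_comp == "Equal":
        return dst_port == rule.dst_port
    return True


def evaluate(rules, packet: bytes) -> str:
    """Walk the rules in order and return the final action for the packet."""
    protocol, dst_port = parse_ipv4(packet)
    for rule in rules:
        matched = rule_matches(rule, protocol, dst_port)
        action = rule.action_matched if matched else rule.action_not_matched
        if action != "Check Next Rule":
            return action
    return "Forward"  # assumption: nothing decided by the end of the set


def build_packet(protocol: int, dst_port: int, src_port: int = 40000) -> bytes:
    """Constructed sample packet: only the fields the filter reads are filled in."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, protocol, 0,
                     bytes([203, 0, 113, 5]), bytes([192, 168, 1, 1]))
    transport = struct.pack("!HH", src_port, dst_port) + bytes(16)
    return ip + transport


# The telnet example: TCP (protocol 6), destination port 23, Port # Comp = Equal.
TELNET_RULES = [IpRule(TCP, 23, "Equal", "Drop", "Forward")]

# A three-rule set covering telnet, FTP and HTTP, chained with "Check Next Rule".
MGMT_RULES = [
    IpRule(TCP, 23, "Equal", "Drop", "Check Next Rule"),
    IpRule(TCP, 21, "Equal", "Drop", "Check Next Rule"),
    IpRule(TCP, 80, "Equal", "Drop", "Forward"),
]

if __name__ == "__main__":
    for port in (21, 23, 80, 443):
        print(port, evaluate(MGMT_RULES, build_packet(TCP, port)))
```
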
NAT for incoming packets. On the other hand, the generic, or device filters are applied to the raw packets that appear on the wire. They are applied at the point when the ZyXEL device is receiving and sending the packets; i.e. the interface. The interface can be an Ethernet port or any other hardware port.
You can cascade up to four filter sets by entering their numbers separated by commas. The ZyXEL device already has filters to prevent NetBIOS traffic from triggering calls, and block incoming telnet, FTP and HTTP connections.
The web configurator is, by far, the most comprehensive firewall configuration tool your ZyXEL device has to offer. For this reason, it is recommended that you configure your firewall using the web configurator, see the following chapters for instructions. SMT screens allow you to activate the firewall and view firewall logs.
ZyXEL G-2000 Plus v2 User’s Guide Figure 172 Menu 21.2 Firewall Setup Menu 21.2 - Firewall Setup The firewall protects against Denial of Service (DoS) attacks when it is active. Your network is vulnerable to attacks when the firewall is turned off.
An SNMP managed network consists of two main components: agents and a manager. An agent is a management software module that resides in a managed device (the ZyXEL device). An agent translates the local management information from the managed device into a form compatible with SNMP.
• Trap - Used by the agent to inform the manager of some events. 30.2 Supported MIBs The ZyXEL device supports RFC-1215 and MIB II as defined in RFC-1213. The focus of the MIBs is to let administrators collect statistic data and monitor status and performance.
[ESC] to cancel and go back to the previous screen. 30.4 SNMP Traps The ZyXEL device will send traps to the SNMP manager when any one of the following events occurs: Table 112 SNMP Traps...
Table 112 SNMP Traps (columns: TRAP #, TRAP NAME, DESCRIPTION)
authenticationFailure (defined in RFC-1215): A trap is sent to the manager when receiving any SNMP get or set requirements with wrong community (password).
linkDown (defined in RFC-1215): A trap is sent when the port is down.
You should change the default password. If you forget your password you have to restore the default configuration file. Refer to the section on changing the system password in the Introducing the SMT chapter and the section on resetting the ZyXEL device in the Introducing the Web Configurator chapter.
Figure 176 Menu 23 System Security
Menu 23 - System Security
1. Change Password
2. RADIUS Server
4. IEEE802.1x
Enter Menu Selection Number:
From Menu 23 - System Security, enter 2 to display Menu 23.2 – System Security –...
The IEEE 802.1x standards outline enhanced security methods for both the authentication of wireless stations and encryption key management. Follow the steps below to enable EAP authentication on your ZyXEL device.
1 From the main menu, enter 23 to display Menu 23 – System Security.
Wireless Port Control field. Enter a time interval between 10 and 9999 (in seconds). The default time interval is 1800 seconds (or 30 minutes).
Idle Timeout (in second): The ZyXEL device automatically disconnects a client from the wired network after a period of inactivity. The client needs to enter the username and password again before access to the wired network is allowed.
Dynamic WEP Key Exchange. Select 64-bit WEP or 128-bit WEP to enable data encryption. Up to 32 stations can access the ZyXEL device when you configure Dynamic WEP Key Exchange. Type a pre-shared key from 8 to 63 case-sensitive ASCII characters (including spaces and symbols) when you select WPA-PSK in the Key Management Protocol field.
The first selection, System Status gives you information on the status and statistics of the ports, as shown next. System Status is a tool that can be used to monitor your ZyXEL device. Specifically, it gives you information on your Ethernet and Wireless LAN status, number of packets sent and received.
This shows the subnet mask of the network device connected to the port. DHCP This shows the DHCP setting (None or Client) for the port. System Up Time This is the time the ZyXEL device is up and running from the last reboot. Name This displays the device name. Routing Refers to the routing protocol used.
Menu 24.2 - System Information and Console Port Speed 1. System Information 2. Console Port Speed Note: The ZyXEL device also has an internal console port for support personnel only. Do not open the ZyXEL device as it will void your warranty. 32.2.1 System Information Enter 1 in menu 24.2 to display the screen shown next.
Console Port Speed: 9600 Press ENTER to Confirm or ESC to Cancel: After you change the console port speed on your ZyXEL device, you must also make the same change to the console port speed parameter of your communication software.
4. Call-Triggering Packet 32.3.2 UNIX Syslog The ZyXEL device uses the UNIX syslog facility to log the CDR (Call Detail Record) and system messages to a syslog server. Syslog can be configured in Menu 24.3.2 – System Maintenance – UNIX Syslog, as shown next.
Press any key to continue... 32.4 Diagnostic The diagnostic facility allows you to test the different aspects of your ZyXEL device to determine if it is working properly. Menu 24.4 allows you to choose among various types of diagnostic tests to evaluate your system, as shown in the following figure.
DHCP functionality can be enabled on the LAN or WAN as shown in LAN & WAN DHCP. LAN DHCP has already been discussed. The ZyXEL device can act either as a WAN DHCP client (IP Address Assignment field in menu 4 or menu 11.3 is Dynamic and the Encapsulation field in menu 4 or menu 11 is Ethernet) or None, (when you have a static IP).
Figure 188 LAN & WAN DHCP
The following table describes the diagnostic tests available in menu 24.4 for your ZyXEL device and associated connections.
Table 119 Menu 24.4 System Maintenance Menu: Diagnostic FIELD DESCRIPTION...
The configuration file (often called the romfile or rom-0) contains the factory default settings in the menus such as password and TCP/IP Setup, etc. It arrives from ZyXEL with a rom filename extension. Once you have customized the ZyXEL device's settings, they can be saved back to your computer under a filename of your choosing.
The following table is a summary. Please note that the internal filename refers to the filename on the ZyXEL device and the external filename refers to the filename not on the ZyXEL device, that is, on your computer, local network or FTP site and so the name (but not the extension) will vary.
4 Enter “root” and your SMT password as requested. The default is 1234.
5 Enter “bin” to set transfer mode to binary.
6 Use “get” to transfer files from the ZyXEL device to the computer, for example, “get rom-0 config.rom” transfers the configuration file on the ZyXEL device to your computer and renames it “config.rom”.
3 The IP address in the Secured Client IP field in menu 24.11 does not match the client IP. If it does not match, the ZyXEL device will disconnect the Telnet session immediately. 4 You have an SMT console session running.
1 Use telnet from your computer to connect to the ZyXEL device and log in. Because TFTP does not have any security checks, the ZyXEL device records the IP address of the telnet client and accepts TFTP requests only from this address.
Enter the IP address of the ZyXEL device. 192.168.1.2 is the ZyXEL device’s default IP address when shipped. Send/Fetch Use “Send” to upload the file to the ZyXEL device and “Fetch” to back up the file on your computer. Local File Enter the path and name of the firmware file (*.bin extension) or configuration...
5 Enter “bin” to set transfer mode to binary.
6 Find the “rom” file (on your computer) that you want to restore to your ZyXEL device.
7 Use “put” to transfer files from the computer to the ZyXEL device, for example, “put config.rom rom-0”...
FTP is the preferred method for uploading the firmware and configuration. To use this feature, your computer must have an FTP client. When you telnet into the ZyXEL device, you will see the following screens for uploading firmware and the configuration file using FTP.
33.4.3 Using the FTP command from the DOS Prompt Example
1 Launch the FTP client on your computer.
2 Enter “open” and the IP address of your ZyXEL device.
3 Press [ENTER] when prompted for a username.
1 Use telnet from your computer to connect to the ZyXEL device and log in. Because TFTP does not have any security checks, the ZyXEL device records the IP address of the telnet client and accepts TFTP requests only from this address.
5 Use the TFTP client (see the example below) to transfer files between the ZyXEL device and the computer. The file name for the firmware is “ras” and the configuration file is “rom-0” (rom-zero, not capital o).
Enter the CI from the SMT by selecting menu 24.8. See the included disk or the zyxel.com web site for more detailed information on CI commands. Enter 8 from Menu 24 – System Maintenance. A list of valid commands can be found by typing help or ? at the command prompt.
The budget management function allows you to set a limit on the total outgoing call time of the ZyXEL device within certain times. When the total outgoing call time exceeds the limit, the current call will be dropped and any future outgoing calls will be blocked.
Figure 199 Menu 24.9 System Maintenance : Call Control
Menu 24.9 - System Maintenance - Call Control
1. Budget Management
2. Call History
Enter Menu Selection Number:
34.2.1 Budget Management
Menu 24.9.1 shows the budget management statistics for outgoing calls. Enter 1 from Menu 24.9 - System Maintenance - Call Control to bring up the following menu.
ZyXEL G-2000 Plus v2 User’s Guide Table 123 Menu 24.9.1 - Budget Management FIELD DESCRIPTION Remote Node Enter the index number of the remote node you want to reset (just one in this case) Connection Time/Total This is the total connection time that has gone by (within the allocated budget Budget that you set in menu 11.1).
34.3 Time and Date Setting The ZyXEL device keeps track of the time and date. There is also a software mechanism to set the time manually or get the current time and date from an external server when you turn on your ZyXEL device.
Enter the time service protocol that your time server sends when you turn on the ZyXEL device. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.
The ZyXEL device resets the time in three instances:
1 On leaving menu 24.10 after making changes.
2 When the ZyXEL device starts up, if there is a timeserver configured in menu 24.10.
3 24-hour intervals after starting.
This chapter covers remote management (SMT menu 24.11). 35.1 Remote Management Remote management allows you to determine which services/protocols can access which ZyXEL device interface (if any) from which computers. You may manage your ZyXEL device from a remote location via: • Internet (WAN only) •...
Secure Client IP The default 0.0.0.0 allows any client to use this service or protocol to access the ZyXEL device. Enter an IP address to restrict access to a client with a matching IP address. Once you have filled in this menu, press [ENTER] at the message "Press ENTER to Confirm or ESC to Cancel"...
ZyXEL G-2000 Plus v2 User’s Guide Figure 204 Telnet Configuration on a TCP/IP Network 35.1.2 FTP You can upload and download ZyXEL device firmware and configuration files using FTP. To use this feature, your computer must have an FTP client. 35.1.3 Web You can use the ZyXEL device’s embedded web configurator for configuration and file...
There is a system timeout of five minutes (300 seconds) for Telnet/web/FTP connections. Your ZyXEL device will automatically log you out if you do nothing in this timeout period, except when it is continuously updating the status in menu 24.1 or when sys stdio has been changed on the command line.
For example, if sets 1, 2, 3 and 4 are applied in the remote node then set 1 will take precedence over set 2, 3 and 4 as the ZyXEL device, by default, applies the lowest numbered set first. Set 2 will take precedence over set 3 and 4, and so on.
Press ENTER to Confirm or ESC to Cancel: Press Space Bar to Toggle.
If a connection has been already established, your ZyXEL device will not drop it. Once the connection is dropped manually or it times out, then that remote node can't be triggered up until the end of the Duration.
Table 127 Menu 26.1 Schedule Set Setup
Active: Press [SPACE BAR] to select Yes or No. Choose Yes and press [ENTER] to activate the schedule set.
Start Date: Enter the start date when you wish the set to take effect in year-month-date format.
Figure 207 Applying Schedule Set(s) to a Remote Node (PPPoE)
Menu 11.1 - Remote Node Profile
Rem Node Name= MyISP
Route= IP
Active= Yes
Encapsulation= PPPoE
Edit IP= No
Service Type= Standard
Telco Option:...
If the problem persists, you may have a hardware problem. In this case, you should contact your local vendor.
The ZyXEL device reboots automatically: The supplied power to the ZyXEL device is too low. Check that the ZyXEL device is receiving enough power.
Use the RESET button on the top panel of the ZyXEL device to restore the factory default configuration file (hold this button in for about 10 seconds or until the link light turns red).
APPENDIX
Product Specifications
See also the Introduction chapter for a general overview of the key features.
Specification Tables
Table 133 Hardware
Default IP Address: 192.168.1.1
Default Subnet Mask: 255.255.255.0 (24 bits)
Table 134 Firmware (continued)
Management:
Embedded Web Configurator
CLI (Command Line Interpreter)
Remote Management via Telnet or Web
SMT (System Management Terminal)
SNMP Management
Embedded FTP/TFTP server for firmware downloading, configuration backup and restoration with large rom file support...
APPENDIX
Brute-Force Password Guessing Protection
The following describes the commands for enabling, disabling and configuring the brute-force password guessing protection mechanism for the password. See Appendix F for information on the command structure.
After the appropriate TCP/IP components are installed, configure the TCP/IP settings in order to "communicate" with your network. If you manually assign IP information instead of using dynamic assignment, make sure that your computers have IP addresses that place them in the same subnet as the ZyXEL device’s LAN port. Windows 95/98/Me...
Figure 208 Windows 95/98/Me: Network: Configuration
Installing Components
The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks.
If you need the adapter:
1 In the Network window, click Add.
3 Select Microsoft from the list of manufacturers.
4 Select Client for Microsoft Networks from the list of network clients and then click
5 Restart your computer so the changes you made take effect.
5 Click OK to save and close the TCP/IP Properties window.
6 Click OK to close the Network window. Insert the Windows CD if prompted.
7 Turn on your ZyXEL device and restart your computer when prompted.
Verifying Settings
1 Click Start and then Run.
Figure 211 Windows XP: Start Menu
2 For Windows XP, click Network Connections. For Windows 2000/NT, click Network and Dial-up Connections.
Figure 212 Windows XP: Control Panel
3 Right-click Local Area Connection and then click Properties.
Figure 213 Windows XP: Control Panel: Network Connections: Properties
4 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and click Properties.
Figure 214 Windows XP: Local Area Connection Properties
5 The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP).
• If you have a static IP address click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields. Click Advanced.
Figure 215 Windows XP: Advanced TCP/IP Settings
6 If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK.
8 Click OK to close the Internet Protocol (TCP/IP) Properties window.
9 Click OK to close the Local Area Connection Properties window.
10 Turn on your ZyXEL device and restart your computer (if prompted).
Verifying Settings
1 Click Start, All Programs, Accessories and then Command Prompt.
Figure 217 Macintosh OS 8/9: Apple Menu
2 Select Ethernet built-in from the Connect via list.
Figure 218 Macintosh OS 8/9: TCP/IP
3 For dynamically assigned settings, select Using DHCP Server from the Configure: list.
• Type your subnet mask in the Subnet mask box.
• Type the IP address of your ZyXEL device in the Router address box.
5 Close the TCP/IP Control Panel.
6 Click Save if prompted, to save changes to your configuration.
• Type your subnet mask in the Subnet mask box.
• Type the IP address of your ZyXEL device in the Router address box.
5 Click Apply Now and close the window.
6 Turn on your ZyXEL device and restart your computer (if prompted).
You must set the ZyXEL device to use different LAN and WAN IP addresses on different subnets if you enable DHCP server on the ZyXEL device. For example, you set the WAN IP address to 192.59.1.1 and the LAN IP address to 10.59.1.1. Otherwise, it is recommended the ZyXEL device use a public WAN IP address.
Figure 222 IP Address Conflicts: Case B
To solve this problem, make sure the ZyXEL device LAN IP address is not in the DHCP IP address pool.
Case C: The Subscriber IP address is the same as the IP...
In this case, the subscribers are not able to access the Internet.
Figure 224 IP Address Conflicts: Case D
This problem can be solved by adding a VLAN-enabled switch or by setting the computers to obtain...
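Two of the conflicts described above (LAN and WAN addresses on the same subnet while the DHCP server is enabled, and the LAN IP address falling inside the DHCP pool) can be checked before the settings are applied. This is an added example, not part of the manual: the function name, the result labels, the 255.255.255.0 masks and the pool values are assumptions, while 192.59.1.1 and 10.59.1.1 are the manual's own example addresses.

```python
import ipaddress

def addressing_conflicts(lan_ip, lan_mask, wan_ip, wan_mask,
                         pool_start, pool_size, dhcp_server=True):
    """Return labels for the address conflicts found in a planned configuration."""
    found = []
    if not dhcp_server:
        return found  # both checks below apply only when the DHCP server is enabled
    lan = ipaddress.ip_interface(f"{lan_ip}/{lan_mask}")
    wan = ipaddress.ip_interface(f"{wan_ip}/{wan_mask}")
    # LAN and WAN must be on different subnets.
    if lan.network.overlaps(wan.network):
        found.append("same-subnet")
    # Case B: the device's own LAN address must not be handed out by DHCP.
    first = ipaddress.ip_address(pool_start)
    last = first + (pool_size - 1)
    if first <= lan.ip <= last:
        found.append("lan-ip-in-pool")
    return found

if __name__ == "__main__":
    # The manual's example addresses; masks and pool are assumed values.
    print(addressing_conflicts("10.59.1.1", "255.255.255.0",
                               "192.59.1.1", "255.255.255.0",
                               "10.59.1.33", 32))
    # Constructed misconfiguration showing both conflicts.
    print(addressing_conflicts("192.168.1.1", "255.255.255.0",
                               "192.168.1.200", "255.255.255.0",
                               "192.168.1.1", 32))
```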
APPENDIX
IP Subnetting
IP Addressing
Routers “route” based on the network number. The router that delivers the data packet to the correct destination host uses the host ID.
Since the first octet of a class “A” IP address must contain a “0”, the first octet of a class “A” address can have a value of 0 to 127. Similarly the first octet of a class “B” must begin with “10”, therefore the first octet of a class “B”...
Since the mask is always a continuous number of ones beginning from the left, followed by a continuous number of zeros for the remainder of the 32 bit mask, you can simply specify the number of ones instead of writing the value of each octet.
last octet bit values indicate host ID bits “borrowed” to form network ID bits. The number of “borrowed” host ID bits determines the number of subnets you can have. The remaining number of host ID bits (after “borrowing”) determines the number of hosts you can have on each subnet.
Example: Four Subnets
The above example illustrated using a 25-bit subnet mask to divide a class “C” address space into two subnets. Similarly to divide a class “C” address into four subnets, you need to “borrow”...
Subnetting With Class A and Class B Networks.
For class “A” and class “B” addresses the subnet mask also determines which bits are part of the network number and which are part of the host ID.
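The "borrowing" arithmetic in this appendix can be carried through for any classful network. The following added example (not from the manual) derives the default mask from the first octet and lists every subnet for a given number of borrowed host ID bits; the function names and the sample network 192.168.1.0 are assumptions, and it generalizes the class “C” examples to class “A” and “B”.

```python
import ipaddress

def classful_prefix(addr):
    """Default network-number length implied by the leading bits of the first octet."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        return 8    # class A: first bit 0
    if first_octet < 192:
        return 16   # class B: first bits 10
    if first_octet < 224:
        return 24   # class C: first bits 110
    raise ValueError("class D/E addresses are not subnetted")

def subnet_plan(network, borrowed_bits):
    """List the subnets created by borrowing host ID bits from a classful network."""
    base = classful_prefix(network)
    if borrowed_bits < 0 or base + borrowed_bits > 30:
        raise ValueError("need at least two host ID bits left on each subnet")
    net = ipaddress.ip_network(f"{network}/{base}", strict=False)
    plan = []
    for sub in net.subnets(prefixlen_diff=borrowed_bits):
        plan.append({
            "subnet": str(sub.network_address),
            "mask": str(sub.netmask),
            "prefix": sub.prefixlen,
            "first_host": str(sub.network_address + 1),
            "last_host": str(sub.broadcast_address - 1),
            "broadcast": str(sub.broadcast_address),
            # all-zeros and all-ones host IDs are reserved
            "hosts": sub.num_addresses - 2,
        })
    return plan

if __name__ == "__main__":
    # 1 borrowed bit gives the 25-bit mask (two subnets); 2 bits give four subnets.
    for bits in (1, 2):
        print(f"borrowed bits: {bits}")
        for row in subnet_plan("192.168.1.0", bits):
            print("  {subnet}/{prefix} mask {mask} hosts {first_host}-{last_host} "
                  "({hosts}) broadcast {broadcast}".format(**row))
```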
Enter 8 to go to Menu 24.8 - Command Interpreter Mode. See the included disk or zyxel.com for more detailed information on these commands. Note: Use of undocumented commands or misconfiguration can damage the unit and possibly render it unusable.
APPENDIX
Log Descriptions
This appendix provides descriptions of example log messages.
Table 150 System Error Logs
LOG MESSAGE: %s exceeds the max. number of session per
DESCRIPTION: This attempt to create a NAT session exceeds the maximum number of NAT session table entries allowed to be created per host.
Table 152 ICMP Notes (continued)
TYPE, CODE, DESCRIPTION
Port unreachable
A packet that needed fragmentation was dropped because it was set to Don't Fragment (DF)
Source route failed
Source Quench
A gateway may discard internet datagrams if it does not have the buffer space needed to queue the datagrams for output to the next network on the route to the destination network.
Configuring What You Want the ZyXEL device to Log
Use the sys logs load command to load the log setting buffer that allows you to configure which logs the ZyXEL device is to record. Use sys logs category followed by a log category and a parameter to decide what to record...
Log Command Example
This example shows how to set the ZyXEL device to record the error logs and alerts and then view the results.
ras> sys logs load
ras> sys logs category error 3
ras>...
APPENDIX
Wireless LAN and IEEE 802.11
A wireless LAN (WLAN) provides a flexible data communications system that you can use to access various services (navigating the Internet, email, printer services, etc.) without the use of a cabled connection.
Figure 225 IBSS (Ad-hoc) Wireless LAN
A Basic Service Set (BSS) exists when all communications between wireless stations or between a wireless station and a wired network client go through one access point (AP).
Figure 226 Basic Service Set
An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS).
Figure 227 Extended Service Set
Wireless LAN Basics
RTS/CTS
A hidden node occurs when two stations are within range of the same access point, but are not within range of each other. The following figure illustrates a hidden node. Both stations (STA) are within range of the access point (AP) or wireless gateway, but out-of-range of each other, so they cannot “hear”...
Figure 228 RTS/CTS
When station A sends data to the ZyXEL device, it might not know that station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations.
A large Fragmentation Threshold is recommended for networks not prone to interference while you should set a smaller threshold for busy networks or networks that are prone to interference. If the Fragmentation Threshold value is smaller than the RTS/CTS value (see previous) you set, then the RTS (Request To Send)/CTS (Clear to Send) handshake will never occur as data frames will be fragmented before they reach RTS/CTS size.
APPENDIX
Wireless LAN Security
As wireless networks become popular for both portable computing and corporate networks, security is now a priority.
IEEE 802.11g Wireless LAN
IEEE 802.11g is fully compatible with the IEEE 802.11b standard. This means an IEEE 802.11b adapter can interface directly with an IEEE 802.11g access point (and vice versa) at...
RADIUS
RADIUS is based on a client-server model that supports authentication, authorization and accounting. The access point is the client and the server is the RADIUS server. The RADIUS server handles the following tasks:
•...
In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password that they both know. The key is not sent over the network. In addition to the shared key, password information exchanged is also encrypted to protect the network from unauthorized access.
PEAP (Protected EAP)
Like EAP-TTLS, PEAP uses server-side certificate authentication to establish a secure connection, then uses simple username and password methods through the secured connection to authenticate the clients, thus hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication.
WEP key. If the decrypted message matches the challenge text, the wireless station is authenticated. When your ZyXEL device's authentication method is set to open system, it will only accept open system authentication requests. The same is true for shared key authentication. However,...
WPA(2)
Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA. Key differences between WPA(2) and WEP are improved data encryption and user authentication.
By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism (MIC), TKIP and AES make it more difficult to decrypt data on a Wi-Fi network than with WEP, and difficult for an intruder to break into the network.
2 The RADIUS server then checks the user's identification against its database and grants or denies network access accordingly.
3 The RADIUS server distributes a Pairwise Master Key (PMK) to the AP that then...
Figure 230 WPA with RADIUS Application Example
Security Parameters Summary
Refer to this table to see what other security parameters you should configure for each Authentication Method/key management protocol type. MAC address filters are not dependent on how you configure these security features.
(station or other AP) using a three-way handshake. The following figure depicts a typical wireless network with a ZyXEL device RADIUS server for user authentication using PEAP (Protected EAP) and MS-CHAP V2. The ZyXEL device authenticates in two phases when it is acting as a RADIUS server:...
APPENDIX
Types of EAP Authentication
This appendix discusses popular EAP authentication types. The type of authentication you use depends on the RADIUS server or the AP. Consult your network administrator for more information.
PEAP (Protected EAP)
Like EAP-TTLS, PEAP uses server-side certificate authentication to establish a secure connection, then uses simple username and password methods through the secured connection to authenticate the clients, thus hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication.
APPENDIX
Roaming
Roaming Overview
A wireless station is a device with an IEEE 802.11 mode compliant wireless adapter. An access point (AP) acts as a bridge between the wireless and wired networks. An AP creates its own wireless coverage area.
Figure 233 Roaming Example
The steps below describe the roaming process.
1 As wireless station Y moves from the coverage area of access point P1 to that of access point P2, it scans and uses the signal of access point P2.
APPENDIX
Antenna Selection and Positioning Recommendation
An antenna couples RF signals onto air. A transmitter within a wireless device sends an RF signal to the antenna, which propagates the signal through the air. The antenna also operates in reverse by capturing RF signals from the air.
For directional antennas, point the antenna in the direction of the desired coverage area.
Connector Type
The ZyXEL device is equipped with a reverse polarity SMA jack, so it will work with any 2.4GHz wireless antenna with a reverse polarity SMA plug.
Triangle Route
The Ideal Setup
When the firewall is on, your ZyXEL device acts as a secure gateway between your LAN and the Internet. In an ideal network topology, all incoming and outgoing network traffic passes through the ZyXEL device to protect your LAN against attacks.
2 The ZyXEL device reroutes the packet to Gateway B, which is in the 192.168.2.1 to 192.168.2.24 subnet. 3 The reply from WAN goes through the ZyXEL device to the computer on the LAN in the 192.168.1.1 to 192.168.1.24 subnet.
A second solution to the “triangle route” problem is to put all of your network gateways on the WAN side as the following figure shows. This ensures that all incoming network traffic passes through your ZyXEL device to your LAN. Therefore your LAN is protected.
Figure 237 Gateways on the WAN Side...