ZyXEL Communications SBG3500-N000 User Manual
SBG3500-N000
Wireless N Fiber WAN Small Business Gateway
Version 1.00
Edition 2, 4/2014
Quick Start Guide
User's Guide
Default Login Details
LAN IP Address: http://192.168.1.1
User Name: admin
Password: 1234
www.zyxel.com
Copyright © 2014 ZyXEL Communications Corporation

Summary of Contents for ZyXEL Communications SBG3500-N000

  • Page 1 SBG3500-N000 Wireless N Fiber WAN Small Business Gateway Version 1.00 Edition 2, 4/2014 Quick Start Guide User’s Guide Default Login Details LAN IP Address http://192.168.1.1 User Name admin Password 1234 www.zyxel.com Copyright © 2014 ZyXEL Communications Corporation...
  • Page 2 Related Documentation • Quick Start Guide The Quick Start Guide shows how to connect the SBG3500-N000 and access the Web Configurator wizards. It contains information on setting up your network and configuring for Internet access.
  • Page 3: Table Of Contents

    L2TP VPN ..........................280 Log ............................286 Network Status ........................289 ARP Table ..........................292 Routing Table ...........................294 IGMP Status ..........................296 xDSL Statistics .........................297 User Account ..........................300 Remote Management .......................303 TR-069 Client ...........................305 SNMP ............................307 Time ............................309 E-mail Notification ........................312 Logs Setting ..........................314 SBG3500-N000 User’s Guide...
  • Page 4 Contents Overview Firmware Upgrade ........................317 Configuration ..........................319 Diagnostic ..........................322 Troubleshooting ........................327 SBG3500-N000 User’s Guide...
  • Page 5: Table Of Contents

    3.2 Quick Start Setup .........................32 Chapter 4 Tutorials ........................... 35 4.1 Overview ..........................35 4.2 Setting Up an ADSL PPPoE Connection ................35 4.3 Setting Up a GbE WAN connection ..................38 4.4 Setting Up a 3G WAN connection ..................40 SBG3500-N000 User’s Guide...
  • Page 6 4.15.5 Configuring L2TP VPN on Android Devices (Client) ..........92 4.15.6 Configuring L2TP VPN in iOS Devices (Client) ............95 Part II: Technical Reference..............97 Chapter 5 Status Screens ........................99 5.1 Overview ..........................99 5.2 The Status Screen ........................99 Chapter 6 Broadband..........................102 SBG3500-N000 User’s Guide...
  • Page 7 7.9 Technical Reference ......................148 7.9.1 Wireless Network Overview ..................148 7.9.2 Additional Wireless Terms ..................150 7.9.3 Wireless Security Overview ..................150 7.9.4 Signal Problems .......................152 7.9.5 BSS ..........................153 7.9.6 MBSSID ........................153 7.9.7 Preamble Type ......................154 7.9.8 WiFi Protected Setup (WPS) ..................154 SBG3500-N000 User’s Guide...
  • Page 8 10.4.1 Adding a QoS Queue ....................194 10.5 The Class Setup Screen ....................194 10.5.1 Add/Edit QoS Class ....................196 10.6 The QoS Policer Setup Screen ..................199 10.6.1 Add/Edit a QoS Policer ..................200 10.7 The QoS Monitor Screen ....................201 10.8 Technical Reference ......................202 SBG3500-N000 User’s Guide...
  • Page 9 13.2.1 Interface Group Configuration ................227 13.2.2 Interface Grouping Criteria ..................229 Chapter 14 USB Service .......................... 231 14.1 Overview ..........................231 14.1.1 What You Can Do in this Chapter ................231 14.1.2 What You Need To Know ..................231 14.2 The File Sharing Screen ....................232 SBG3500-N000 User’s Guide...
  • Page 10 19.2 What You Need to Know ....................250 19.3 The Local Certificates Screen ..................251 19.3.1 Create Certificate Request ..................252 19.3.2 Load Signed Certificate ..................253 19.4 The Trusted CA Screen ....................254 19.4.1 Import Trusted CA Certificate .................255 Chapter 20 IPSec VPN..........................256 SBG3500-N000 User’s Guide...
  • Page 11 22.4 L2TP VPN Troubleshooting Tips ..................282 Chapter 23 Log ............................286 23.1 Overview ..........................286 23.1.1 What You Can Do in this Chapter ................286 23.1.2 What You Need To Know ..................286 23.2 The System Log Screen ....................287 23.3 The Security Log Screen ....................288 SBG3500-N000 User’s Guide...
  • Page 12 29.2 The User Account Screen ....................300 29.2.1 Add/Edit a User Account ..................301 Chapter 30 Remote Management......................303 30.1 Overview ..........................303 30.2 The Remote MGMT Screen .....................303 Chapter 31 TR-069 Client......................... 305 31.1 Overview ..........................305 31.2 The TR-069 Client Screen ....................305 SBG3500-N000 User’s Guide...
  • Page 13 38.1 Overview ..........................322 38.1.1 What You Can Do in this Chapter ................322 38.2 What You Need to Know ....................322 38.3 Ping & TraceRoute & NsLookup ..................323 38.4 802.1ag ..........................324 38.5 OAM Ping Test .........................325 Chapter 39 Troubleshooting........................327 SBG3500-N000 User’s Guide...
  • Page 14 Appendix B IP Addresses and Subnetting................356 Appendix C Pop-up Windows, JavaScript and Java Permissions ........364 Appendix D Wireless LANs....................373 Appendix E IPv6 ........................386 Appendix F Services......................394 Appendix G Legal Information ..................... 399 Index ............................403 SBG3500-N000 User’s Guide...
  • Page 15: User's Guide

    User’s Guide...
  • Page 17: Introducing The Sbg3500-N

    Here are some example uses for which the SBG3500-N is well suited. 1.2.1 Internet Access Your SBG3500-N provides multiple Internet access methods (up to two at a time), and you can use them in the following combinations, if your ISP supports them. SBG3500-N000 User’s Guide...
  • Page 18 The below table is a summary of the SBG3500-N Multi-WAN combinations and failover. SFP/ETHERNET WAN Active Active Failover Active Failover Active Failover Active Active The following figure shows the possible internet access scenarios described above. SBG3500-N000 User’s Guide...
  • Page 19 Chapter 1 Introducing the SBG3500-N Computers can connect to the SBG3500-N’s LAN ports (or wirelessly). [Figure 1: SBG3500-N’s Internet Access Application] SBG3500-N000 User’s Guide...
  • Page 20: Wireless Lan

    The SBG3500-N is a wireless Access Point (AP) for wireless clients, such as notebook computers or PDAs and iPads. It allows them to connect to the Internet without having to rely on inconvenient Ethernet cables. You can configure your wireless network in the built-in Web Configurator. Figure 3 Wireless Access Example SBG3500-N000 User’s Guide...
  • Page 21: Sbg3500-N's Usb Support

    Use the built-in USB 2.0 port to share files on a USB memory stick or a USB hard drive (B). You can connect one USB hard drive to the SBG3500-N at a time. Use FTP to access the files on the USB device. Figure 4 USB File Sharing Application SBG3500-N000 User’s Guide...
  • Page 22: Leds (Lights)

    Green There is no Gigabit Ethernet link. Right The Gigabit Ethernet connection is working. LED (10/ Blinking The SBG3500-N is sending or receiving data to/from the Gigabit 100) Ethernet link. Orange There is no Gigabit Ethernet link. SBG3500-N000 User’s Guide...
  • Page 23: Ways To Manage The Sbg3500-N

    • TR-069. This is an auto-configuration server used to remotely configure your SBG3500-N. 1.5 Good Habits for Managing the SBG3500-N Do the following things regularly to make the SBG3500-N more secure and to manage the SBG3500-N more effectively. SBG3500-N000 User’s Guide...
  • Page 24: The Reset Button

    To set the device back to the factory default settings, press the RESET button for ten seconds or until the POWER LED begins to blink and then release it. When the POWER LED begins to blink, the defaults have been restored and the device restarts. SBG3500-N000 User’s Guide...
  • Page 25: The Web Configurator

    If you have changed the password, enter your password and click Login. Figure 6 Password Screen SBG3500-N000 User’s Guide...
  • Page 26 The Status page appears, where you can view the SBG3500-N’s interface and system information. Click the Quick Start Wizard button on top of the page to configure the SBG3500-N’s time zone, basic Internet access, and wireless settings. See Chapter 3 on page 32 for more information. Figure 8 Status SBG3500-N000 User’s Guide...
  • Page 27: Web Configurator Layout

    Table 2 Web Configurator Icons in the Title Bar ICON DESCRIPTION Quick Start: Click this icon to open screens where you can configure the SBG3500-N’s time zone, Internet access, and wireless settings. Logout: Click this icon to log out of the web configurator. SBG3500-N000 User’s Guide...
  • Page 28: Main Window

    Use this screen to configure advanced wireless settings. Channel Status Use this screen to scan wireless LAN channel noises and view the results. Scheduling Use this screen to set a schedule to turn off wireless LAN for power saving purposes. SBG3500-N000 User’s Guide...
  • Page 29 Use this screen to block web sites with the specific URL. Control Control Scheduler Rule Scheduler Rule Use this screen to configure the days and times when a configured restriction (such as User Access control) is enforced. SBG3500-N000 User’s Guide...
  • Page 30 Use this screen to configure up to two mail servers and sender Notification Notification addresses on the SBG3500-N. Log Setting Log Setting Use this screen to change your SBG3500-N’s log settings. Firmware Firmware Use this screen to upload firmware to your device. Upgrade Upgrade SBG3500-N000 User’s Guide...
  • Page 31 Use this screen to configure CFM (Connectivity Fault Management) MD (maintenance domain) and MA (maintenance association), perform connectivity tests and view test reports. OAM Ping Use this screen to view information to help you identify problems with the DSL connection. SBG3500-N000 User’s Guide...
  • Page 32: Quick Start

    The Quick Start Wizard appears automatically after login. Or you can click the Quick Start icon in the top right corner of the web configurator to open the quick start screens. Select the time zone of the Device’s location and click Next. Figure 11 Time Zone SBG3500-N000 User’s Guide...
  • Page 33 Select your current WAN interface to configure its settings. Figure 12 WAN Interface Selection Enter your Internet connection information in this screen. The screen and fields to enter may vary depending on your current connection type. Click Next. Figure 13 Internet Connection SBG3500-N000 User’s Guide...
  • Page 34 Turn the wireless LAN on or off. If you keep it on, record the security settings so you can configure your wireless clients to connect to the Device. Click Save. Figure 14 Internet Connection Your Device saves your settings and attempts to connect to the Internet. SBG3500-N000 User’s Guide...
  • Page 35: Tutorials

    Service Provider (ISP) to configure the Device. Be sure to contact your service provider for any information you need to configure the Broadband screens. Click Network Setting > Broadband to open the following screen. Click Add New WAN Interface. SBG3500-N000 User’s Guide...
  • Page 36 Configure this rule as your default Internet connection by selecting the Apply as Default Gateway check box. Then select DNS as Static and enter the DNS server addresses provided to you, such as 192.168.5.2 (DNS server1)/192.168.5.1 (DNS server2). Leave the rest of the fields to the default settings. SBG3500-N000 User’s Guide...
  • Page 37 Chapter 4 Tutorials Click Apply to save your settings. SBG3500-N000 User’s Guide...
  • Page 38: Setting Up A Gbe Wan Connection

    Internet Service Provider (ISP) to configure the Device. Be sure to contact your service provider for any information you need to configure the Broadband screens. Click Network Setting > Broadband to open the following screen. Next, click Add New WAN Interface to open the following screen. SBG3500-N000 User’s Guide...
  • Page 39 Chapter 4 Tutorials In this example, the Ethernet connection has the following information. General Name MyETHER Type Ethernet Mode Routing Service and PPPoE Encapsulation IPv6/IPv4 Mode IPv4 Account Information 802.1p 802.1q 300 kbps SBG3500-N000 User’s Guide...
  • Page 40: Setting Up A 3G Wan Connection

    116) for setting up a 3G WAN connection. Make sure you insert a valid SIM card (with active data plan) into the 3G USB dongle before you insert the USB dongle to the USB port of your computer. SBG3500-N000 User’s Guide...
  • Page 41: Setting Up A Secure Wireless Network

    43) or manual configuration (Section 4.5.3 on page 47). 4.5.1 Configuring the Wireless Network Settings This example uses the following parameters to set up a wireless network. SSID: Example; Security Mode: WPA-PSK; Pre-Shared Key: DoNotStealMyWirelessNetwork; 802.11 Mode: 802.11b/g/n Mixed SBG3500-N000 User’s Guide...
  • Page 42 Chapter 4 Tutorials Click Network Setting > Wireless to open the General screen. Select More Secure as the security level and WPA2-PSK as the security mode. Configure the screen using the provided parameters (see page 41). Click Apply. SBG3500-N000 User’s Guide...
  • Page 43: Using Wps

    In the wireless client utility, go to the WPS setting page. Enable WPS and press the WPS button (Start or WPS button). Log into Device’s web configurator and go to the Network Setting > Wireless > WPS screen. Enable the WPS function and click Apply. Then click the Connect button. SBG3500-N000 User’s Guide...
  • Page 44 WPS within two minutes of enabling the first one. The Device sends the proper configuration settings to the wireless client. This may take up to two minutes. The wireless client is then able to communicate with the Device securely. SBG3500-N000 User’s Guide...
  • Page 45: Wireless Client

    Chapter 4 Tutorials The following figure shows you an example of how to set up a wireless network and its security. [Figure: Example WPS Process: PBC Method] SBG3500-N000 User’s Guide...
  • Page 46 The Device authenticates the wireless client and sends the proper configuration settings to the wireless client. This may take up to two minutes. The wireless client is then able to communicate with the Device securely. SBG3500-N000 User’s Guide...
  • Page 47: Without Wps

    “DoNotStealMyWirelessNetwork” pre-shared key to establish a wireless Internet connection. Note: The Device supports IEEE 802.11b, IEEE 802.11g, and IEEE 802.11n wireless clients. Make sure that your notebook or computer’s wireless adapter supports one of these standards. SBG3500-N000 User’s Guide...
  • Page 48: Setting Up Multiple Wireless Groups

    Company A will use the following parameters to set up the wireless network groups. COMPANY GUEST SSID Company Guest Security Level More Secure More Secure Basic Security Mode WPA2-PSK WPA2-PSK Static WEP Pre-Shared Key ForCompanyOnly ForVIPOnly Guest12345678 SBG3500-N000 User’s Guide...
  • Page 49 Configure the screen using the provided parameters and click Apply. Click Network Setting > Wireless > More AP to open the following screen. Click the Edit icon to configure the second wireless network group. SBG3500-N000 User’s Guide...
  • Page 50 Chapter 4 Tutorials Configure the screen using the provided parameters and click Apply. In the More AP screen, click the Edit icon to configure the third wireless network group. SBG3500-N000 User’s Guide...
  • Page 51: Configuring Static Route For Routing To Another Network

    In order to extend your Intranet and control traffic flowing directions, you may connect a router to the Device’s LAN. The router may be used to separate two department networks. This tutorial shows how to configure a static routing rule for two network routings. SBG3500-N000 User’s Guide...
  • Page 52 B. This tutorial uses the following example IP settings: Table 4 IP Settings in this Tutorial DEVICE / COMPUTER IP ADDRESS The Device’s WAN 172.16.1.1 The Device’s LAN 192.168.1.1 IP Type IPv4 Use Interface ADSL/atm0 192.168.1.34 SBG3500-N000 User’s Guide...
  • Page 53 Gateway IP Address field. Select ADSL/atm0 as the Use Interface. Click OK. Now B should be able to receive traffic from A. You may need to additionally configure B’s firewall settings to allow specific traffic to pass through. SBG3500-N000 User’s Guide...
  • Page 54: Configuring Qos Queue And Class Setup

    Traffic that does not match this class is assigned a priority queue based on the internal QoS mapping table on the Device. QoS Example 10,000 kbps Your computer IP=192.168.1.23 and/or MAC=AA:FF:AA:FF:AA:FF A colleague’s computer Email traffic: Highest priority Other traffic: Automatic classifier SBG3500-N000 User’s Guide...
  • Page 55 Click Queue Setup > Add new Queue to create a new queue. In the screen that opens, check Active and enter or select the following values: • Name: E-mail • Interface: WAN • Priority: 1 (High) • Weight: 8 • Rate Limit: 5,000 (kbps) Tutorial: Advanced > QoS > Queue Setup SBG3500-N000 User’s Guide...
  • Page 56 Type the MAC address of your computer - AA:FF:AA:FF:AA:FF. Type the MAC Mask if you know it. To Queue Link this to an item in the Network Setting > QoS > Queue Setup screen, which is the E- Index mail queue created in this example. SBG3500-N000 User’s Guide...
  • Page 57: Access The Device Using Ddns

    • IP Address: Enter the WAN IP address that your Device is currently using. You can find the IP address on the Device’s Web Configurator Status page. Then you will need to configure the same account and host name on the Device later. SBG3500-N000 User’s Guide...
  • Page 58: Configuring Ddns On Your Device

    Open a web browser on the computer (using the IP address a.b.c.d) that is connected to the Internet. Type http://zyxelrouter.dyndns.org and press [Enter]. The Device’s login page should appear. You can then log into the Device and manage it. SBG3500-N000 User’s Guide...
  • Page 59: Configuring The Mac Address Filter

    Click Security > MAC Filter to open the MAC Filter screen. Select the Enable check box to activate MAC filter function. Select Allow. Then enter the host name and MAC address of Thomas’ computer in this screen. Click Apply. SBG3500-N000 User’s Guide...
  • Page 60: Access Your Shared Files From A Computer

    In this example, the account in use is admin. Click the Edit icon next to it. Set the File Sharing Service (SAMBA) feature to Enable to allow users to access shared files in USB storage. Enter mnt as the File Share Name. Click Apply. SBG3500-N000 User’s Guide...
  • Page 61: Certificate Configuration For Vpn

    CA certificate from any trusted certificate agent. In this tutorial, a self-signed CA certificate (cacert.pem) was created by using the openssl command in Fedora 10. First, you need to import the CA certificate. Go to the Security > Certificates > Trusted CA screen and click Import Certificate. SBG3500-N000 User’s Guide...
  • Page 62 Browse the directory in Fedora, or another system, which contains your CA certificate (e.g., cacert.pem), then click OK. In the Security > Certificates > Local Certificates screen, click Create Certificate Request. Enter your information as shown in the following screen and click Apply. SBG3500-N000 User’s Guide...
  • Page 63 CERTIFICATE). You can use "vi" or your favorite text editor to cut the portion, but do not use the "cat" command. Paste it to the indicated part of the Certificate section in the View Certificate screen. Click Apply. SBG3500-N000 User’s Guide...
  • Page 64: Examples Of Configuring Ipsec Vpn Rules

    Click the Add New Entry button in the VPN > IPSec VPN > Setup screen and enter the following parameters: General: Connection Name: vpn1; Application Scenario: Site-to-Site; My Address: ETHWAN; Peer Gateway Address: 22.23.24.25. Authentication: Key Exchange Mode: Auto; Pre-Shared Key: 1234567890. Phase 1: SA Life Time: 28800; Negotiation Mode: Main; Encryption: 3DES SBG3500-N000 User’s Guide...
  • Page 65 SA Life Time 3600 Tunnel Mode Encapsulation Tunnel Encryption 3DES Authentication SHA1 Policy Local IP Type Subnet Local IP Address 192.168.1.0 Local Subnet Mask 255.255.255.0 Remote IP Type Subnet Remote IP Address 172.23.9.0 Remote Subnet Mask 255.255.255.0 SBG3500-N000 User’s Guide...
  • Page 66 Chapter 4 Tutorials You can see the new IPSec VPN rule you’ve just created in the VPN > IPSec VPN > Monitor screen. SBG3500-N000 User’s Guide...
  • Page 67: Example 2: Use Aes128 Encryption

    Enter vpn2 as the Connection Name. Remove the existing encryption by clicking Remove icon or Reset button. Then select AES128 and click the Add button in the Encryption fields of phase 1 and 2. Other parameters are the same as example 1’s. SBG3500-N000 User’s Guide...
  • Page 68: Example 3: Configuring A Site-To-Site With Dynamic Peer Rule

    Select Remote Access in the Application Scenario field in the General section. Other parameters are the same as example 1’s. Note: The Peer Gateway Address is not shown in the screen because it is an unknown IP address to the remote access VPN client. SBG3500-N000 User’s Guide...
  • Page 69: Pptp Vpn Tutorial

    1. Go to the VPN > PPTP VPN > Setup screen and configure the following. • Select the Enable checkbox. • Set Access Group 1 to 192.168.1.0/255.255.255.0. • Select DNS as User Defined and enter a DNS server address. The DNS server address in this example is 8.8.8.8. SBG3500-N000 User’s Guide...
  • Page 70: Configuring Pptp Vpn On Windows (Client)

    On Windows 7 On Windows 7, do the following to establish a PPTP VPN connection. Click Start > Control Panel > Network and Sharing Center > Setup a new connection or network > Connect to a workplace. Click Next. SBG3500-N000 User’s Guide...
  • Page 71 Chapter 4 Tutorials Select No, create a new connection. Click Next. Select Use my Internet connection (VPN). SBG3500-N000 User’s Guide...
  • Page 72 Enter the domain name or WAN IP Address that you want to connect to (172.16.1.2 in this example) and give this connection a name. Select Don't connect now; just set it up so I can connect later. Click Next. Click Create. Enter the user name and password later. SBG3500-N000 User’s Guide...
  • Page 73 Chapter 4 Tutorials Click Close. Do not connect yet. Click the Network icon in your system tray, then click Connect to a Network and Sharing Center on Windows 7. Click Change adapter settings. SBG3500-N000 User’s Guide...
  • Page 74 Chapter 4 Tutorials Double-click the new connection icon. 10 The connection screen appears. Click Properties. 11 The Properties window appears. Click Security. SBG3500-N000 User’s Guide...
  • Page 75 Note: The user account must have been configured in the Maintenance > User Account screen. Refer to Chapter 29 on page 300. 14 A window appears while the username and password are verified. The connection is then established. SBG3500-N000 User’s Guide...
  • Page 76 15 The Network and Sharing Center windows appear. You can view the connection status or disconnect the connection. Click View Status to open the connection status screen. 16 Click the Network icon in your system tray, then right click the PPTP connection and select Status to open the connection status screen. SBG3500-N000 User’s Guide...
  • Page 77: Configuring Pptp Vpn On Android Devices (Client)

    Android device displays. The example settings in these sections match the PPTP VPN configuration example in Section 4.14 on page On your Android device, select Home > Settings > Wireless and network > VPN settings. SBG3500-N000 User’s Guide...
  • Page 78 PPTP connection. Enter the username and password of your user account configured on the Device. Note: The user account must have been configured in the Maintenance > User Account screen. Refer to Chapter 29 on page 300. SBG3500-N000 User’s Guide...
  • Page 79: Configuring Pptp Vpn In Ios Devices (Client)

    Touch, etc). Due to GUI difference among various iOS devices, the figures may not match what your iOS device displays. The example settings in these sections match the PPTP VPN configuration example in Section 4.14 on page On your iOS device, select Home > Settings > General > Network. SBG3500-N000 User’s Guide...
  • Page 80 • Password: This is the password for account. • Secret: This is your pre-shared key for your VPN connection, in this example, 1234567890. • Send All Traffic: This example uses the route-all configuration (ON). Save the configuration. SBG3500-N000 User’s Guide...
  • Page 81: L2Tp Vpn Tutorial

    • Use the default IP address pool to assign the remote users a point-to-point IP addresses from 10.2.1.1 to 10.2.1.32 for use in the L2TP VPN tunnel. • The access group configuration allows the remote L2TP user to access only the LAN subnet 192.168.2.0/24. SBG3500-N000 User’s Guide...
  • Page 82: Configuring The Default_L2Tpvpn Ipsec Vpn Rule (Server)

    Go to the VPN > L2TP VPN > Setup screen and configure the following: • Select the Enable checkbox. • Set Access Group 1 to 192.168.2.0/255.255.255.0. • Select DNS as User Defined and enter a DNS server address. The DNS server address in this example is 8.8.8.8. SBG3500-N000 User’s Guide...
  • Page 83: Configuring L2Tp Vpn In Windows (Client)

    4.15.3.1 Enabling IPSec Service in Windows By default, a Windows computer should have IPSec service enabled. However, before you configure the client, it is suggested to make sure the computer is running the Microsoft IPSec service. SBG3500-N000 User’s Guide...
  • Page 84 Click the Start button and enter “services” in the text box. Then click Services under the Programs window. In the Services window, scroll down to find IPsec Policy Agent. Make sure the status is Started. If not, click Start the service in the left panel. SBG3500-N000 User’s Guide...
  • Page 85: Configuring L2Tp Vpn On Windows 7

    In Windows 7 do the following to establish an L2TP VPN connection. Click Start > Control Panel > Network and Internet. Click Network and Sharing Center > Setup a new connection or network > Connect to a workplace. Click Next. SBG3500-N000 User’s Guide...
  • Page 86 Chapter 4 Tutorials Select No, create a new connection. Click Next. Select Use my Internet connection (VPN). SBG3500-N000 User’s Guide...
  • Page 87 Enter the domain name or WAN IP Address that you want to connect to (172.16.1.2 in this example) and give this connection a name. Select Don't connect now; just set it up so I can connect later. Click Next. Click Create. Enter the user name and password later. SBG3500-N000 User’s Guide...
  • Page 88 Chapter 4 Tutorials Click Close. Do not connect yet. Click the Network icon in your system tray, then click Open Network and Sharing Center. Click Change adapter settings. SBG3500-N000 User’s Guide...
  • Page 89 Chapter 4 Tutorials 10 Double-click the new connection icon. 11 The connection screen appears. Click Properties. 12 The Properties window appears. Click Security. SBG3500-N000 User’s Guide...
  • Page 90 IPSec configuration that the Device is using for Default_L2TPVPN IPSec VPN rule. In this example, enter 1234567890. Click OK to return to the Connect window. 15 Enter the username and password of your user account configured on the Device. Click Connect. SBG3500-N000 User’s Guide...
  • Page 91 16 A window appears while the username and password are verified. The connection is then established. 17 Click the Network icon in your system tray, then right click the L2TP connection and select Status to open the connection status screen. SBG3500-N000 User’s Guide...
  • Page 92: Configuring L2Tp Vpn On Android Devices (Client)

    Due to GUI differences among various Android devices, the figures may not exactly match what your Android device displays. The example settings in these sections match the L2TP VPN configuration example in Section on page On your Android device, select Home > Settings > More > VPN. SBG3500-N000 User’s Guide...
  • Page 93 • Server address: This is the WAN IP address of the Device, in this example, 172.16.1.2 • L2TP secret and IPSec identifier: Not used. • IPSec pre-shared key: This is your pre-shared key for your VPN connection, in this example, 1234567890. Save the configuration. SBG3500-N000 User’s Guide...
  • Page 94 Note: The user account must have been configured in the Maintenance > User Account screen. Refer to Chapter 29 on page 300. You can see Connected when the L2TP VPN connection has been established. Click the connection name to get connection details. There you can also disconnect. SBG3500-N000 User’s Guide...
  • Page 95: Configuring L2Tp Vpn In Ios Devices (Client)

    • Account: This is the user account created on Device for accessing the network via VPN. • RSA SecurID: Not used in this configuration. • Password: This is the password for account. • Secret: This is your pre-shared key for your VPN connection, in this example, 1234567890. SBG3500-N000 User’s Guide...
  • Page 96 • Send All Traffic: This example uses the route-all configuration (ON). Save the configuration. The saved configuration appears on the VPN screen. Select it and then slide the VPN bar to the ON position. Your iOS device will begin L2TP connection. SBG3500-N000 User’s Guide...
  • Page 97: Technical Reference

    Technical Reference...
  • Page 99: Status Screens

    Host Name This field displays the Device system name. It is used for identification. Model This shows the model number of your Device. Number Firmware This is the current version of the firmware inside the Device. Version SBG3500-N000 User’s Guide...
  • Page 100 If memory usage does get close to 100%, the Device is probably becoming unstable, and you should restart the device. See Section 37.2 on page 319, or turn off the device (unplug the power) for a few seconds. SBG3500-N000 User’s Guide...
  • Page 101 Name This field displays the identification name for the IPSec SA. Application This field displays the scenario type for the IPSec SA. Scenario Remote This field displays the remote gateway Address used in the SA. Gateway Address SBG3500-N000 User’s Guide...
  • Page 102: Broadband

    • Use the Broadband screen to view, remove or add a WAN interface. You can also configure the WAN settings on the SBG3500-N for Internet access (Section 6.2 on page 106). • Use the 3G WAN screen to configure 3G WAN connection (Section 6.3 on page 116). SBG3500-N000 User’s Guide...
  • Page 103: What You Need To Know

    WAN connection to the Internet, you need to use the same encapsulation method used by your ISP (Internet Service Provider). If your ISP offers a dial-up Internet connection using PPPoE (PPP over Ethernet), they should also provide a username and password (and service name) for user authentication. SBG3500-N000 User’s Guide...
  • Page 104 The 128-bit IPv6 address is written as eight 16-bit hexadecimal blocks separated by colons (:). This is an example IPv6 address 2001:0db8:1a2b:0015:0000:0000:1a2f:0000. IPv6 addresses can be abbreviated in two ways: • Leading zeros in a block can be omitted. So 2001:0db8:1a2b:0015:0000:0000:1a2f:0000 can be written as 2001:db8:1a2b:15:0:0:1a2f:0. SBG3500-N000 User’s Guide...
  • Page 105 IPv4 services. The SBG3500-N uses its configured IPv4 WAN IP to route IPv4 traffic to the IPv4 Internet. Figure 20 IPv6 Rapid Deployment
  • Page 106: Before You Begin

    Use this screen to change your SBG3500-N’s Internet access settings. Click Network Setting > Broadband from the menu. The summary table shows you the configured WAN services (connections) on the SBG3500-N. Figure 22 Network Setting > Broadband SBG3500-N000 User’s Guide...
  • Page 107 This shows whether Multicast Listener Discovery (MLD) is activated or not for this connection. MLD is not available when the connection uses the bridging service. Modify Click the Edit icon to configure the WAN connection. Click the Delete icon to remove the WAN connection. SBG3500-N000 User’s Guide...
  • Page 108: Add/Edit Internet Connection

    Figure 23 Routing Mode The following table describes the labels in this screen. Table 8 Routing Mode LABEL DESCRIPTION General Active Select this to activate the WAN configuration settings. Name Specify a descriptive name for this connection. SBG3500-N000 User’s Guide...
  • Page 109 EoA supports ENET ENCAP (IPoE), PPPoE and RFC1483/2684 bridging encapsulation methods. PPPoA (PPP over ATM) allows just one PPPoA connection over a PVC. IPoA (IP over ATM) allows just one RFC 1483 routing connection over a PVC. SBG3500-N000 User’s Guide...
  • Page 110 This value specifies the time in minutes that elapses before the router automatically disconnects from the PPPoE server. This field is not configurable if you select PPP Auto Connect. PPPoE Service Name: Enter the name of your PPPoE service here.
  • Page 111 IP address automatically generated by the SBG3500-N using the IPv6 prefix from an RA. This option is available only when you choose to get your IPv6 address automatically. Select Static if you have a fixed IPv6 address assigned by your ISP. SBG3500-N000 User’s Guide...
  • Page 112 IEEE 802.1p defines up to 8 separate traffic types by inserting a tag into a MAC-layer frame that contains bits to define class of service. Select the IEEE 802.1p priority level (from 0 to 7) to add to traffic through this connection. The greater the number, the higher the priority level. SBG3500-N000 User’s Guide...
  • Page 113: Bridge Mode

    Select this to activate the WAN configuration settings. Name Enter a service name of the connection. Type Select ADSL/VDSL over PTM as the interface that you want to configure. The SBG3500-N uses the VDSL technology for data transmission over the DSL port. SBG3500-N000 User’s Guide...
  • Page 114 If you select ADSL over ATM as the interface type, the following screen appears. Figure 25 Bridge Mode (ADSL over ATM) The following table describes the fields in this screen. Table 10 Bridge Mode (ADSL over ATM) LABEL DESCRIPTION General Active Select this to activate the WAN configuration settings. SBG3500-N000 User’s Guide...
  • Page 115 The Sustainable Cell Rate (SCR) sets the average cell rate (long-term) that can be transmitted. Type the SCR, which must be less than the PCR. Note that system default is 0 cells/sec. This field is available only when you select Non Realtime VBR or Realtime VBR.
  • Page 116: The 3G Wan Screen

    Apply Click Apply to save your changes. Cancel Click Cancel to exit this screen without saving. 6.3 The 3G WAN Screen Use this screen to configure your 3G settings. Click Network Setting > Broadband > 3G WAN. SBG3500-N000 User’s Guide...
  • Page 117 Chapter 6 Broadband Note: The actual data rate you obtain varies depending on the 3G card you use, the signal strength to the service provider’s base station, and so on. Figure 26 Network Setting > Broadband > 3G WAN
  • Page 118 Enter the first DNS server address assigned by the ISP. Secondary DNS server: Enter the second DNS server address assigned by the ISP. Budget Setup Enable Budget Control: Click the radio buttons Enable to activate budget control or Disable to deactivate budget control.
  • Page 119 Type a number (0-9999) in the Minutes field to indicate the frequency of the log generation. Apply Click Apply to save your changes back to the SBG3500-N. Cancel Click Cancel to return to the previous configuration. SBG3500-N000 User’s Guide...
  • Page 120: The Add New 3G Dongle Screen

    6.4.1 Add 3G Dongle Information Click Add New Entry in the Add New 3G Dongle screen to show the following. Enter the information for a new 3G dongle to add it. Figure 28 Add 3G Dongle Information SBG3500-N000 User’s Guide...
  • Page 121: The Advanced Screen

    Select Enable to use PTM over ADSL. Since PTM has less overhead than ATM, some ISPs use PTM over ADSL for better performance. Annex M You can enable Annex M for the SBG3500-N to use double upstream mode to increase the maximum upstream transfer rate. SBG3500-N000 User’s Guide...
  • Page 122: The 802.1X Screen

    This shows the certificate used for this authentication. This displays N/A when there is no certificate assigned. Trusted CA This shows the Trusted CA used for this authentication. This displays N/A when there is no Trusted CA assigned. SBG3500-N000 User’s Guide...
  • Page 123: Edit 802.1X Settings

    Select the Trusted CA you want to assign to the authentication. You need to import the certificate in the Security > Certificates > Trusted CA screen. Apply Click Apply to save your changes. Cancel Click Cancel to exit this screen without saving. SBG3500-N000 User’s Guide...
  • Page 124: The Multi-Wan Screen

    Mode This shows whether the rule is Active or Passive. Weight This shows the weight of the rule. Modify Click the Edit icon to configure the multi-WAN rule. Click the Delete icon to remove the multi-WAN rule. SBG3500-N000 User’s Guide...
  • Page 125: Add/Edit Multi-Wan

    SBG3500-N sends through each member interface. The higher an interface’s weight is (relative to the weights of the interfaces), the more traffic the SBG3500-N sends through that interface. Apply Click Apply to save your changes. Cancel Click Cancel to exit this screen without saving. SBG3500-N000 User’s Guide...
  • Page 126: How To Configure Multi-Wan For Load-Balancing And Fail-Over

    Click the Delete icon next to the VDSL WAN connection as it is not needed in this example. Click the Edit icon next to the ETHWAN-SFP WAN connection. This brings up the edit window. Change the weight field to 3 and click the Apply button. SBG3500-N000 User’s Guide...
  • Page 127: Technical Reference

    Ethernet network, without using PPP encapsulation. They are routed between the Ethernet interface and the WAN interface and then formatted so that they can be understood in a bridged environment. For instance, it encapsulates routed Ethernet frames into bridged Ethernet cells. SBG3500-N000 User’s Guide...
  • Page 128 An example of a VBR-RT connection would be video conferencing. Video conferencing requires real-time data transfers and the bandwidth requirement varies in proportion to the video image's changing dynamics.
  • Page 129 VID (VLAN Identifier) of null (0) is called a priority frame, meaning that only the priority level is significant and the default VID of the ingress port is given as the VID of the frame. Of the SBG3500-N000 User’s Guide...
  • Page 130 The 128-bit IPv6 address is written as eight 16-bit hexadecimal blocks separated by colons (:). This is an example IPv6 address 2001:0db8:1a2b:0015:0000:0000:1a2f:0000. IPv6 addresses can be abbreviated in two ways: • Leading zeros in a block can be omitted. So 2001:0db8:1a2b:0015:0000:0000:1a2f:0000 can be written as 2001:db8:1a2b:15:0:0:1a2f:0. SBG3500-N000 User’s Guide...
  • Page 131 IPv6 prefix length specifies how many most significant bits (starting from the left) in the address compose the network address. The prefix length is written as “/x” where x is a number. For example, 2001:db8:1a2b:15::1a2f:0/32 means that the first 32 bits (2001:db8) are the subnet prefix.
  • Page 132: Wireless

    • Use the Others screen to configure wireless advanced features, such as the RTS/CTS Threshold (Section 7.7 on page 146). • Use the Channel Status screen to scan wireless LAN channel noises and view the results (Section 7.8 on page 148). SBG3500-N000 User’s Guide...
  • Page 133: What You Need To Know

    Device’s SSID, channel or security settings, you will lose your wireless connection when you press Apply to confirm. You must then change the wireless settings of your computer to match the Device’s new settings. SBG3500-N000 User’s Guide...
  • Page 134 APs as possible. The channel number which the Device is currently using then displays next to this field. more.../less Click more... to show more information. Click less to hide them. SBG3500-N000 User’s Guide...
  • Page 135 Device. When you select to use security, additional options appear in this screen. Or you can select No Security to allow any client to associate with this network without any data encryption or authentication. See the following sections for more details about this field.
  • Page 136: No Security

    RADIUS server. If your wireless devices support nothing stronger than WEP, use the highest encryption level available. Your Device allows you to configure up to four 64-bit or 128-bit WEP keys but only one key can be enabled at any one time. SBG3500-N000 User’s Guide...
  • Page 137 The default password is Passowrd 1. more.../less Click more... to show more fields in this section. Click less to hide them. WEP Encryption Select 64-bits or 128-bits. This dictates the length of the security key that the network is going to use. SBG3500-N000 User’s Guide...
  • Page 138: More Secure (Wpa(2)-Psk)

    Click more... to show more fields in this section. Click less to hide them. WPA-PSK Compatible: This field appears when you choose WPA-PSK2 as the Security Mode. Check this field to allow wireless devices using WPA-PSK security mode to connect to your Device. The Device supports WPA-PSK and WPA2-PSK simultaneously.
  • Page 139: Wpa(2) Authentication

    The following table describes the labels in this screen. Table 23 Wireless > General: More Secure: WPA(2) LABEL DESCRIPTION Security Level Select More Secure to enable WPA(2)-PSK data encryption. Security Mode Choose WPA or WPA2 from the drop-down list box. SBG3500-N000 User’s Guide...
  • Page 140: The More Ap Screen

    This screen allows you to enable and configure multiple Basic Service Sets (BSSs) on the Device. Click Network Setting > Wireless > More AP. The following screen displays. Figure 39 Network Setting > Wireless > More AP SBG3500-N000 User’s Guide...
  • Page 141: Edit More Ap

    Click the Edit icon to configure the SSID profile. 7.3.1 Edit More AP Use this screen to edit an SSID profile. Click the Edit icon next to an SSID in the More AP screen. The following screen displays. Figure 40 More AP: Edit SBG3500-N000 User’s Guide...
  • Page 142 Or you can select No Security to allow any client to associate with this network without any data encryption or authentication. See Section 7.2.1 on page 136 for more details about this field. Apply Click Apply to save your changes. Cancel Click Cancel to exit this screen without saving.
  • Page 143: Mac Authentication

    These are the MAC addresses of the wireless devices that are allowed or denied access to the Device. Modify Click the Delete icon to delete the entry. Apply Click Apply to save your changes. Cancel Click Cancel to exit this screen without saving.
  • Page 144: The Wps Screen

    The following table describes the labels in this screen. Table 27 Network Setting > Wireless > WPS LABEL DESCRIPTION Select Enable to activate WPS on the Device. Method 1 Use this section to set up a WPS wireless network using Push Button Configuration (PBC). SBG3500-N000 User’s Guide...
  • Page 145: The Wmm Screen

    Use this screen to enable Wi-Fi MultiMedia (WMM) and WMM Power Save in wireless networks for multimedia applications. Click Network Setting > Wireless > WMM. The following screen displays. Figure 43 Network Setting > Wireless > WMM SBG3500-N000 User’s Guide...
  • Page 146: The Others Screen

    Data with its frame size larger than this value will perform the RTS (Request To Send)/CTS (Clear To Send) handshake. Enter a value between 0 and 2347. Fragmentation Threshold: This is the maximum data fragment size that can be sent. Enter a value between 256 and 2346.
  • Page 147 Select a preamble type from the drop-down list box. Choices are Long or Short. See Section 7.9.7 on page 154 for more information. This field is configurable only when you set 802.11 Mode to 802.11b. Apply Click Apply to save your changes. Cancel Click Cancel to restore your previously saved settings. SBG3500-N000 User’s Guide...
  • Page 148: The Channel Status Screen

    • A bridge is a radio that relays communications between access points and wireless clients, extending a network’s range. Traditionally, a wireless network operates in one of two ways. SBG3500-N000 User’s Guide...
  • Page 149 Radio Channels In the radio spectrum, there are certain frequency bands allocated for unlicensed, civilian use. For the purposes of wireless networking, these bands are divided into numerous channels. This allows a SBG3500-N000 User’s Guide...
  • Page 150: Additional Wireless Terms

    - for example, a twenty-letter long string of apparently random numbers and letters - but it is not very secure if you use a short key which is very easy to guess - for example, a three-letter word from the dictionary. SBG3500-N000 User’s Guide...
  • Page 151 Some wireless devices, such as scanners, can detect wireless networks but cannot use wireless networks. These kinds of wireless devices might not have MAC addresses. Hexadecimal characters are 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, and F. SBG3500-N000 User’s Guide...
  • Page 152: Signal Problems

    Problems with distance occur when the two radios are too far apart. Problems with interference occur when other radio waves interrupt the data signal. Interference may come from other radio transmissions, such as military or air traffic control communications, or from machines that are SBG3500-N000 User’s Guide...
  • Page 153: Bss

    BSSs simultaneously. You can then assign varying QoS priorities and/or security modes to different SSIDs. Wireless devices can use different BSSIDs to associate with the same AP. 7.9.6.1 Notes on Multiple BSSs • A maximum of eight BSSs are allowed on one AP simultaneously. SBG3500-N000 User’s Guide...
  • Page 154: Preamble Type

    Take the following steps to set up WPS using the button. Ensure that the two devices you want to set up are within wireless range of one another. SBG3500-N000 User’s Guide...
  • Page 155 On a computer connected to the wireless client, try to connect to the Internet. If you can connect, WPS was successful. If you cannot connect, check the list of associated wireless clients in the AP’s configuration utility. If you see the wireless client in the list, WPS was successful. SBG3500-N000 User’s Guide...
  • Page 156: How Wps Works

    WPA-PSK or WPA2-PSK pre-shared key to the enrollee. Whether WPA-PSK or WPA2-PSK is used depends on the standards supported by the devices. If the registrar is already part of a network, it sends the existing information. If not, it generates the SSID and WPA(2)-PSK randomly. SBG3500-N000 User’s Guide...
  • Page 157 This section shows how security settings are distributed in an example WPS setup. The following figure shows an example network. In step 1, both AP1 and Client 1 are unconfigured. When WPS is activated on both, they perform the handshake. In this example, AP1 SBG3500-N000 User’s Guide...
  • Page 158 (it already has security information for the network). AP1 supplies the existing security information to Client 2. Figure 51 WPS: Example Network Step 2
  • Page 159 (if the device supports this feature). Then, you can enter the key into the non-WPS device and join the network as normal (the non-WPS device must also support WPA-PSK or WPA2-PSK). SBG3500-N000 User’s Guide...
  • Page 160 Check the MAC addresses of your wireless clients (usually printed on a label on the bottom of the device). If there is an unknown MAC address you can remove it or reset the AP. SBG3500-N000 User’s Guide...
  • Page 161: Lan

    • Use the Additional Subnet screen to configure IP alias and public static IP (Section 8.5 on page 169). • Use the 5th Ethernet Port screen to configure the Ethernet WAN port as a LAN port (Section 8.8 on page 179). SBG3500-N000 User’s Guide...
  • Page 162: What You Need To Know

    UPnP devices and enable exchange of simple product and service descriptions. NAT traversal allows the following: • Dynamic port mapping • Learning public IP addresses SBG3500-N000 User’s Guide...
  • Page 163: Before You Begin

    This will become the IP address of your SBG3500-N. Enter the IP subnet mask into the IP Subnet Mask field. Unless instructed otherwise, it is best to leave this alone; the configurator will automatically compute a subnet mask based upon the IP address you entered.
  • Page 164 Chapter 8 LAN Click Apply to save your settings. Figure 53 Network Setting > LAN > LAN Setup SBG3500-N000 User’s Guide...
  • Page 165 TFTP server dynamically at server startup. TFTP Server Address (option 150): Type an IP address for the TFTP server. This field allows you to access multiple TFTP servers using DHCP option 150. Option 150 is Cisco proprietary.
  • Page 166 Select Enable MLD Snooping to activate MLD Snooping on the SBG3500-N. This allows the SBG3500-N to check MLD packets passing through it and learn the multicast group membership. It helps reduce multicast traffic. SBG3500-N000 User’s Guide...
  • Page 167: The Static Dhcp Screen

    00:A0:C5:00:00:02. Use this screen to change your SBG3500-N’s static DHCP settings. Click Network Setting > LAN > Static DHCP to open the following screen. Figure 54 Network Setting > LAN > Static DHCP SBG3500-N000 User’s Guide...
  • Page 168 If you select Manual Input, enter the IP address that you want to assign to the computer on your LAN with the MAC address that you will also specify. Apply Click Apply to save your changes. Cancel Click Cancel to exit this screen without saving. SBG3500-N000 User’s Guide...
  • Page 169: The Upnp Screen

    Click Cancel to exit this screen without saving. 8.5 Installing UPnP in Windows Example This section shows how to install UPnP in Windows Me and Windows XP. Installing UPnP in Windows Me Follow the steps below to install the UPnP in Windows Me. SBG3500-N000 User’s Guide...
  • Page 170 Chapter 8 LAN Click Start and Control Panel. Double-click Add/Remove Programs. Click on the Windows Setup tab and select Communication in the Components selection box. Click Details. Add/Remove Programs: Windows Setup: Communication SBG3500-N000 User’s Guide...
  • Page 171 Follow the steps below to install the UPnP in Windows XP. Click Start and Control Panel. Double-click Network Connections. In the Network Connections window, click Advanced in the main menu and select Optional Networking Components …. Network Connections SBG3500-N000 User’s Guide...
  • Page 172: Using Upnp In Windows Xp Example

    Next. 8.6 Using UPnP in Windows XP Example This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the SBG3500-N. SBG3500-N000 User’s Guide...
  • Page 173 Click Start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway. Right-click the icon and select Properties. Network Connections In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created. Internet Connection Properties
  • Page 174 When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically. Select Show icon in notification area when connected option and click OK. An icon displays in the system tray. System Tray Icon SBG3500-N000 User’s Guide...
  • Page 175 SBG3500-N first. This is helpful if you do not know the IP address of the SBG3500-N. Follow the steps below to access the web configurator. Click Start and then Control Panel. Double-click Network Connections.
  • Page 176 Select My Network Places under Other Places. Network Connections An icon with the description for each UPnP-enabled device displays under Local Network. Right-click on the icon for your SBG3500-N and select Invoke. The web configurator login screen displays. Network Connections: My Network Places SBG3500-N000 User’s Guide...
  • Page 177 Chapter 8 LAN Right-click on the icon for your SBG3500-N and select Properties. A properties window displays with basic information about the SBG3500-N. Network Connections: My Network Places: Properties: Example SBG3500-N000 User’s Guide...
  • Page 178: The Additional Subnet Screen

    Select the checkbox to enable the Public LAN feature. Your ISP must support Public LAN and Static IP. IP Address Enter the public IP address provided by your ISP. IP Subnet Mask Enter the public IP subnet mask provided by your ISP. SBG3500-N000 User’s Guide...
  • Page 179: The 5Th Ethernet Port Screen

    Apply Click Apply to save your changes back to the SBG3500-N. Cancel Click Cancel to exit this screen without saving. 8.9 Technical Reference This section provides some technical background information about the topics covered in this chapter. SBG3500-N000 User’s Guide...
  • Page 180: Lans, Wans And The Sbg3500-N

    • The ISP tells you the DNS server addresses, usually in the form of an information sheet, when you sign up. If your ISP gives you DNS server addresses, enter them in the DNS Server fields in the DHCP Setup screen. SBG3500-N000 User’s Guide...
  • Page 181: Lan Tcp/Ip

    Internet, for example, only between your two branch offices, you can assign any IP addresses to the hosts without problems. However, the Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of IP addresses specifically for private networks: • 10.0.0.0 — 10.255.255.255 • 172.16.0.0 — 172.31.255.255 • 192.168.0.0 — 192.168.255.255 SBG3500-N000 User’s Guide...
  • Page 182 Note: Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, “Address Allocation for Private Internets” and RFC 1466, “Guidelines for Management of IP Address Space”. SBG3500-N000 User’s Guide...
  • Page 183: Routing

    184). • Use the Policy Forwarding screen to configure policy routing on the Device. (Section 9.3 on page 185). • Use the RIP screen to set up RIP settings on the Device. (Section 9.4 on page 187). SBG3500-N000 User’s Guide...
  • Page 184: The Routing Screen

    Use this screen to add or edit a static route. Click Add new static route in the Routing screen or the Edit icon next to the static route you want to edit. The screen shown next appears. Figure 62 Routing: Add/Edit SBG3500-N000 User’s Guide...
  • Page 185: The Policy Forwarding Screen

    The following table describes the labels in this screen. Table 40 Network Setting > Routing > Policy Forwarding LABEL DESCRIPTION Add new Policy Forward Rule: Click this to create a new policy forwarding rule. This is the index number of the entry.
  • Page 186: Add/Edit Policy Forwarding

    The following table describes the labels in this screen. Table 41 Policy Forwarding: Add/Edit (Sheet 1 of 2) LABEL DESCRIPTION Policy Name Enter a descriptive name of up to 8 printable English keyboard characters, not including spaces. Source IP Enter the source IP address. SBG3500-N000 User’s Guide...
  • Page 187: The Rip Screen

    Select Passive to have the Device update the routing table based on the RIP packets received from neighbors but not advertise its route information to other routers in this interface. Select Active to have the Device advertise its route information and also listen for routing updates from neighboring routers. SBG3500-N000 User’s Guide...
  • Page 188 Chapter 9 Routing Table 42 Network Setting > Routing > RIP LABEL DESCRIPTION Enabled Select the check box to activate the settings. Apply Click Apply to save your changes. Cancel Click Cancel to exit this screen without saving. SBG3500-N000 User’s Guide...
  • Page 189: Quality Of Service (Qos)

    (Section 10.5 on page 194). • The Policer Setup screen lets you add, edit or delete QoS policers (Section 10.5 on page 194). • The Monitor screen lets you view the Device's QoS-related packet statistics (Section 10.7 on page 201). SBG3500-N000 User’s Guide...
  • Page 190: What You Need To Know

    (or queues). Your Device uses the Token Bucket algorithm to allow a certain amount of large bursts while keeping a limit at the average rate. [Figure: Traffic Rate versus Time, before and after traffic shaping]
  • Page 191: The Quality Of Service General Screen

    Click Network Setting > QoS > General to open the screen as shown next. Use this screen to enable or disable QoS and set the upstream bandwidth. See Section 10.1 on page 189 for more information. Figure 66 Network Settings > QoS > General SBG3500-N000 User’s Guide...
  • Page 192: The Queue Setup Screen

    Apply Click Apply to save your changes. Cancel Click Cancel to restore your previously saved settings. 10.4 The Queue Setup Screen Click Network Setting > QoS > Queue Setup to open the screen as shown next. SBG3500-N000 User’s Guide...
  • Page 193 This shows the maximum transmission rate allowed for traffic on this queue. Modify Click the Edit icon to edit the queue. Click the Delete icon to delete an existing queue. Note that subsequent rules move up by one when you take this action. SBG3500-N000 User’s Guide...
  • Page 194: Adding A Qos Queue

    Click Cancel to exit this screen without saving. 10.5 The Class Setup Screen Use this screen to add, edit or delete QoS classifiers. A classifier groups traffic into data flows according to specific criteria such as the source address, destination address, source port number, SBG3500-N000 User’s Guide...
  • Page 195 This is the name of the queue in which traffic of this classifier is put. Modify Click the Edit icon to edit the classifier. Click the Delete icon to delete an existing classifier. Note that subsequent rules move up by one when you take this action. SBG3500-N000 User’s Guide...
  • Page 196: Add/Edit Qos Class

    Chapter 10 Quality of Service (QoS) 10.5.1 Add/Edit QoS Class Click Add new Classifier in the Class Setup screen or the Edit icon next to a classifier to open the following screen. Figure 70 Class Setup: Add/Edit SBG3500-N000 User’s Guide...
  • Page 197 For example, if you set the MAC address to 00:13:49:00:00:00 and the mask to ff:ff:ff:00:00:00, a packet with a MAC address of 00:13:49:12:34:56 matches this criteria. Exclude Select this option to exclude the packets that match the specified criteria from this classifier. Others SBG3500-N000 User’s Guide...
  • Page 198 If you select Unchange, the Device keeps the VLAN ID in the packets. Forward to Interface: Select a WAN interface through which traffic of this class will be forwarded out. If you select Unchange, the Device forwards traffic of this class according to the default routing table.
  • Page 199: The Qos Policer Setup Screen

    This shows how the policer has the Device treat different types of traffic belonging to the policer’s member QoS classes. Modify Click the Edit icon to edit the policer. Click the Delete icon to delete an existing policer. Note that subsequent rules move up by one when you take this action.
  • Page 200: Add/Edit A Qos Policer

    Specify what the Device does for packets within the committed rate and burst size (green-marked packets). • Pass: Send the packets without modification. • DSCP Mark: Change the DSCP mark value of the packets. Enter the DSCP mark value to use.
  • Page 201: The Qos Monitor Screen

    This is the index number of the entry. Name This shows the name of the queue. Pass Rate This shows how many packets assigned to this queue are transmitted successfully. Drop Rate This shows how many packets assigned to this queue are dropped. SBG3500-N000 User’s Guide...
  • Page 202: Technical Reference

    DiffServ defines a new Differentiated Services (DS) field to replace the Type of Service (TOS) field in the IP header. The DS field contains a 2-bit unused field and a 6-bit DSCP field which can define up to 64 service levels. The following figure illustrates the DS field. SBG3500-N000 User’s Guide...
  • Page 203 LAYER 2 LAYER 3 PRIORITY IEEE 802.1P USER QUEUE PRIORITY TOS (IP IP PACKET DSCP (ETHERNET PRECEDENCE) LENGTH (BYTE) PRIORITY) 000000 000000 >1100 001110 250~1100 001100 001010 001000 010110 010100 010010 010000 011110 <250 011100 011010 011000 SBG3500-N000 User’s Guide...
  • Page 204 The Single Rate Three Color Marker (srTCM, defined in RFC 2697) is a type of traffic policing that identifies packets by comparing them to one user-defined rate, the Committed Information Rate (CIR), and two burst sizes: the Committed Burst Size (CBS) and Excess Burst Size (EBS). SBG3500-N000 User’s Guide...
  • Page 205 • If the PBS bucket has enough tokens, the Device checks the CBS bucket. The packet is marked green and can be transmitted if the number of tokens in the CBS bucket is equal to or greater than the size of the packet (in bytes). Otherwise, the packet is marked yellow. SBG3500-N000 User’s Guide...
  • Page 206: Network Address Translation (Nat)

    WAN side. In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the SBG3500-N000 User’s Guide...
  • Page 207: The Port Forwarding Screen

    Let's say you want to assign ports 21-25 to one FTP, Telnet and SMTP server (A in the example), port 80 to another (B in the example) and assign a default server IP address of 192.168.1.35 to a SBG3500-N000 User’s Guide...
  • Page 208 This is the last external port number that identifies a service. Translation Start Port: This is the first internal port number that identifies a service. Translation End Port: This is the last internal port number that identifies a service.
  • Page 209: Add/Edit Port Forwarding

    To forward only one port, enter the port number again in the End Port field. To forward a series of ports, enter the start port number here and the end port number in the End Port field. SBG3500-N000 User’s Guide...
  • Page 210: The Applications Screen

    Forwarded WAN Interface This field shows the WAN interface through which the service is forwarded. Server IP Address: This field displays the destination IP address for the service. Modify: Click the Delete icon to delete the rule.
  • Page 211: Add New Application

    LAN can use the service in the same manner. This way you do not need to configure a new IP address each time you want a different LAN computer to use the application. SBG3500-N000 User’s Guide...
  • Page 212 IP address of the LAN computer that sent the traffic to a server on the WAN. This is the first port number that identifies a service. Trigger End Port This is the last port number that identifies a service. Trigger Proto. This is the trigger transport layer protocol. SBG3500-N000 User’s Guide...
  • Page 213: Add/Edit Port Triggering Rule

    Type a port number or the starting port number in a range of port numbers. Trigger End Port Type a port number or the ending port number in a range of port numbers. Trigger Protocol Select the transport layer protocol from TCP, UDP, or TCP/UDP. SBG3500-N000 User’s Guide...
  • Page 214: The Default Server Screen

    Note: If you do not assign a Default Server Address, the Device discards all packets received for ports that are not specified in the NAT Port Forwarding screen. Apply Click Apply to save your changes. Cancel Click Cancel to restore your previously saved settings. SBG3500-N000 User’s Guide...
  • Page 215: The Alg Screen

    When a rule matches the current packet, the Device takes the corresponding action and the remaining rules are ignored. Click Network Setting > NAT > Address Mapping to display the following screen. Figure 84 Network Setting > NAT > Address Mapping SBG3500-N000 User’s Guide...
  • Page 216: Add/Edit Address Mapping Rule

    11.7.1 Add/Edit Address Mapping Rule To add or edit an address mapping rule, click Add new rule or the rule’s edit icon in the Address Mapping screen to display the screen shown next. Figure 85 Address Mapping: Add/Edit SBG3500-N000 User’s Guide...
  • Page 217: Technical Reference

    IP address of a host when the packet is in the local network, while the global address refers to the IP address of the host when the same packet is traveling in the WAN side. SBG3500-N000 User’s Guide...
  • Page 218: What Nat Does

    Many-to-Many Overload mapping), NAT offers the additional benefit of firewall protection. With no servers defined, your Device filters out all incoming inquiries, thus preventing intruders from probing your network. For more information on IP address translation, refer to RFC 1631, The IP Network Address Translator (NAT). SBG3500-N000 User’s Guide...
  • Page 219: How Nat Works

    Figure 86 How NAT Works: NAT table mapping Inside Local Addresses (ILA) 192.168.1.10, 192.168.1.11, 192.168.1.12 and 192.168.1.13 to Inside Global Addresses (IGA) IGA 1, IGA 2, IGA 3 and IGA 4 respectively. SBG3500-N000 User’s Guide...
  • Page 220: Nat Application

    SMTP (Simple Mail Transfer Protocol) DNS (Domain Name System) Finger HTTP (Hyper Text Transfer protocol or WWW, Web) POP3 (Post Office Protocol) NNTP (Network News Transport Protocol) SNMP (Simple Network Management Protocol) SNMP trap PPTP (Point-to-Point Tunneling Protocol) 1723 SBG3500-N000 User’s Guide...
  • Page 221 (C in the example). You assign the LAN IP addresses and the ISP assigns the WAN IP address. The NAT network appears as a single host on the Internet. Figure 88 Multiple Servers Behind NAT Example (labels: A=192.168.1.33, B=192.168.1.34, C=192.168.1.35, D=192.168.1.36, 192.168.1.1, IP address assigned by ISP) SBG3500-N000 User’s Guide...
  • Page 222: Dynamic Dns Setup

    • Use the DNS Entry screen to view, configure, or remove DNS routes (Section 12.2 on page 223). • Use the Dynamic DNS screen to enable DDNS and configure the DDNS settings on the Device (Section 12.3 on page 224). SBG3500-N000 User’s Guide...
  • Page 223: What You Need To Know

    You can manually add or edit the Device’s DNS name and IP address entry. Click Add new DNS entry in the DNS Entry screen or the Edit icon next to the entry you want to edit. The screen shown next appears. Figure 90 DNS Entry: Add/Edit SBG3500-N000 User’s Guide...
  • Page 224: The Dynamic Dns Screen

    If you select TZO in the Service Provider field, enter the password you used to register for this service. Apply Click Apply to save your changes. Cancel Click Cancel to exit this screen without saving. SBG3500-N000 User’s Guide...
  • Page 225 Chapter 12 Dynamic DNS Setup SBG3500-N000 User’s Guide...
  • Page 226: Interface Group

    Click this button to create a new interface group. Interface Group Status This field displays whether the interface group is active or not. A yellow bulb signifies that this group is active. A gray bulb signifies that the group is not active. SBG3500-N000 User’s Guide...
  • Page 227: Interface Group Configuration

    Click the Add New Interface Group button in the Interface Group/VLAN screen to open the following screen. Use this screen to create a new interface group. Note: An interface can belong to only one group at a time. Figure 93 Interface Group Configuration SBG3500-N000 User’s Guide...
  • Page 228 This shows if wildcard on DHCP option 60 is enabled. Support Remove Click the Remove icon to delete this rule from the Device. Apply Click Apply to save your changes back to the Device. Cancel Click Cancel to exit this screen without saving. SBG3500-N000 User’s Guide...
  • Page 229: Interface Grouping Criteria

    Select DUID-LL (DUID Based on Link-layer Address) to enter the device’s hardware type and hardware address (MAC address) in the following fields. Select Other to enter any string that identifies the device in the DUID field. DHCP Option Select this and enter vendor specific information of the matched traffic. SBG3500-N000 User’s Guide...
  • Page 230 Enter the model name of the device. Name Serial Enter the serial number of the device. Number Apply Click Apply to save your changes back to the Device. Cancel Click Cancel to exit this screen without saving. SBG3500-N000 User’s Guide...
  • Page 231: Usb Service

    The Device uses Common Internet File System (CIFS) protocol for its file sharing functions. CIFS compatible computers can access the USB file storage devices connected to the Device. CIFS protocol is supported on Microsoft Windows, Linux Samba and other operating systems (refer to your systems specifications for CIFS compatibility). SBG3500-N000 User’s Guide...
  • Page 232: The File Sharing Screen

    14.2.1 Before You Begin Make sure the Device is connected to your network and turned on. Connect the USB device to one of the Device’s USB ports. Make sure the Device is connected to your network. SBG3500-N000 User’s Guide...
  • Page 233 File Sharing Services Select Enable to activate file sharing through the Device. Host Name Enter the host name on the share. Apply Click Apply to save your changes. Cancel Click Cancel to restore your previously saved settings. SBG3500-N000 User’s Guide...
  • Page 234: Firewall

    • Use the Access Control screen to view and configure incoming/outgoing filtering rules (Section 15.4 on page 239). • Use the DoS screen to activate protection against Denial of Service (DoS) attacks (Section 15.5 on page 241). SBG3500-N000 User’s Guide...
  • Page 235: What You Need To Know

    Stateful Packet Inspection (SPI) tracks each connection crossing the firewall and makes sure it is valid. Filtering decisions are based not only on rules but also context. For example, traffic from the WAN may only be allowed to cross the firewall in response to a request from the LAN. SBG3500-N000 User’s Guide...
  • Page 236: The Firewall Screen

    Click the check box Permit to allow the passage of the packets. Click the check box Log to create a log when an action from Firewall rule is taken. Apply Click Apply to save your changes. Cancel Click Cancel to restore your previously saved settings. SBG3500-N000 User’s Guide...
  • Page 237: The Service Screen

    Other and the protocol number displays if the service uses another IP protocol. Modify Click the Edit icon to edit the entry. Click the Delete icon to remove this entry. SBG3500-N000 User’s Guide...
  • Page 238: Add/Edit A Service

    For other IP protocol rules this shows the protocol number. Modify Click the Delete icon to remove the rule. Service Name Enter a unique name (up to 32 printable English keyboard characters, including spaces) for your customized port. SBG3500-N000 User’s Guide...
  • Page 239: The Access Control Screen

    This displays the destination IP addresses to which this rule applies. Please note that a blank destination address is equivalent to Any. Service This displays the transport layer protocol that defines the service and the direction of traffic to which this rule applies. SBG3500-N000 User’s Guide...
  • Page 240: Add/Edit An Acl Rule

    Enter a descriptive name of up to 16 alphanumeric characters, not including spaces, underscores, and dashes. You must enter the filter name to add an ACL rule. This field is read-only if you are editing the ACL rule. SBG3500-N000 User’s Guide...
  • Page 241: The Dos Screen

    Click Cancel to exit this screen without saving. 15.5 The DoS Screen DoS (Denial of Service) attacks can flood your Internet connection with invalid packets and connection requests, using so much bandwidth and so many resources that Internet access becomes unavailable. SBG3500-N000 User’s Guide...
  • Page 242 DoS Protection Blocking Select Enable to enable protection against DoS attacks. Deny Ping Response Select Enable to block ping request packets. Apply Click Apply to save your changes. Cancel Click Cancel to exit this screen without saving. SBG3500-N000 User’s Guide...
  • Page 243: Mac Filter

    MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02. You need to know the MAC addresses of the devices to configure this screen. SBG3500-N000 User’s Guide...
  • Page 244: The Mac Filter Screen

    Device in these address fields. Enter the MAC addresses in a valid MAC address format, that is, six hexadecimal character pairs, for example, 12:34:56:78:9a:bc. Apply Click Apply to save your changes. Cancel Click Cancel to restore your previously saved settings. SBG3500-N000 User’s Guide...
  • Page 245: User Access Control

    This shows the MAC address of the LAN user’s computer to which this rule applies. (MAC) Internet Access This shows the day(s) and time on which User Access control is enabled. Schedule Network This shows whether the network service is configured. If not, None will be shown. Service SBG3500-N000 User’s Guide...
  • Page 246: Add/Edit A User Access Control Rule

    The following table describes the fields in this screen. Table 80 User Access Control Rule: Add/Edit LABEL DESCRIPTION General Active Select the checkbox to activate this User Access control rule. User Access Enter a descriptive name for the rule. Control Profile Name SBG3500-N000 User’s Guide...
  • Page 247 Click Add to show a screen to enter the URL of web site or URL keyword to which the Device blocks access. Click Delete to remove it. Apply Click this button to save your settings back to the Device. Cancel Click Cancel to restore your previously saved settings. SBG3500-N000 User’s Guide...
  • Page 248: Scheduler Rules

    This shows the description of this rule. Modify Click the Edit icon to edit the schedule. Click the Delete icon to delete a scheduler rule. Note: You cannot delete a scheduler rule once it is applied to a certain feature. SBG3500-N000 User’s Guide...
  • Page 249: Add/Edit A Schedule

    Enter the time period of each day, in 24-hour format, during which User Access control will be enforced. Description Enter a description for this scheduler rule. Apply Click Apply to save your changes. Cancel Click Cancel to exit this screen without saving. SBG3500-N000 User’s Guide...
  • Page 250: Certificates

    You can use the Device to generate certification requests that contain identifying information and public keys and then send the certification requests to a certification authority. SBG3500-N000 User’s Guide...
  • Page 251: The Local Certificates Screen

    For a certification request, click Load Signed to import the signed certificate. Click the Remove icon to delete the certificate (or certification request). You cannot delete a certificate that one or more features is configured to use. SBG3500-N000 User’s Guide...
  • Page 252: Create Certificate Request

    After you click Apply, the following screen displays to notify you that you need to get the certificate request signed by a Certificate Authority. If you already have, click Load_Signed to import the signed certificate into the Device. Otherwise click Back to return to the Local Certificates screen. SBG3500-N000 User’s Guide...
  • Page 253: Load Signed Certificate

    After you create a certificate request and have it signed by a Certificate Authority, in the Local Certificates screen click the certificate request’s Load Signed icon to import the signed certificate into the Device. Note: You must remove any spaces from the certificate’s filename before you can import Figure 112 Load Signed Certificate SBG3500-N000 User’s Guide...
  • Page 254: The Trusted Ca Screen

    Click the View icon to open a screen with an in-depth list of information about the certificate (or certification request). Click the Remove button to delete the certificate (or certification request). You cannot delete a certificate that one or more features is configured to use. SBG3500-N000 User’s Guide...
  • Page 255: Import Trusted Ca Certificate

    CA will be displayed in the Network Setting > Broadband > 802.1x: Authentication Edit screen. Certificate Copy and paste the certificate into the text box to store it on the Device. Click OK to save your changes. Cancel Click Cancel to exit this screen without saving. SBG3500-N000 User’s Guide...
  • Page 256: Ipsec Vpn

    • Use the Monitor screen to display and manage active IPSec VPN connections (Section 20.5 on page 266). • Use the Radius screen to manage the list of RADIUS servers the SBG3500-N can use in authenticating users (Section 20.6 on page 267). SBG3500-N000 User’s Guide...
  • Page 257: What You Need To Know

    The following figure helps explain the main fields in the web configurator. Figure 117 IPSec Fields Summary (labels: Local Network, Local IP Address, VPN Tunnel, Remote IP Address, Remote IPSec Router, Remote Network). Local and remote IP addresses must be static. SBG3500-N000 User’s Guide...
  • Page 258: Add/Edit Vpn Rule

    You can click the Add New Entry button or a policy’s Edit icon in the IPSec VPN > Setup screen to either add or edit a VPN policy. Note: The SBG3500-N uses the system default gateway interface’s WAN IP address as its WAN IP address to set up a VPN tunnel. SBG3500-N000 User’s Guide...
  • Page 259: The Vpn Connection Add/Edit Screen

    Chapter 20 IPSec VPN 20.4.2 The VPN Connection Add/Edit Screen Configure the VPN connection settings in the IPSec VPN > Setup > Edit screen. Figure 119 VPN > IPSec VPN > Setup > Edit SBG3500-N000 User’s Guide...
  • Page 260 The VPN connection is briefly lost when SBG3500-N tries to reconnect using the primary address. Note that the peer devices using the secondary address cannot use a nailed-up VPN connection setting. SBG3500-N000 User’s Guide...
  • Page 261 Main as the Negotiation Mode with Pre-Shared Key. Manual SPI (HEX) Type a hexadecimal value (between 256 and 4095) for the Security Parameter Index (SPI). Make sure the remote VPN endpoint has the same value in its SPI field. SBG3500-N000 User’s Guide...
  • Page 262 =) in the field per following rule. MD5 - 16-20 characters SHA1 - 20 characters You can also use hexadecimal by typing “0x” in the beginning of the key. The remote IPSec router must have the same encryption key. SBG3500-N000 User’s Guide...
  • Page 263 SHA1 and MD5. SHA1 is generally considered stronger than MD5, but it is also slower. Click this to add phase 1 Encryption and Authentication. Modify Select an entry and click the delete icon to remove it. SBG3500-N000 User’s Guide...
  • Page 264 Tunnel - this mode encrypts the IP header information and the data. Transport - this mode only encrypts the data. If you set Encapsulation to Transport, Policy (Local and Remote) is not applicable. The SBG3500-N and remote IPSec router must use the same encapsulation. SBG3500-N000 User’s Guide...
  • Page 265 Click this checkbox to force data traffic to go through VPN tunnel when its destination IP address matches an entry in the IPSec VPN policy rule. Apply Click Apply to save your changes back to the SBG3500-N. Cancel Click Cancel to restore your previous settings. SBG3500-N000 User’s Guide...
  • Page 266: The Default_L2Tpvpn Ipsec Vpn Rule

    (DPD) XAUTH 20.5 The IPSec VPN Monitor Screen In the Web Configurator, click VPN > IPSec VPN > Monitor. Use this screen to display and manage active VPN connections. Figure 120 VPN > IPSec VPN > Monitor SBG3500-N000 User’s Guide...
  • Page 267: The Radius Screen

    If the RADIUS server has a backup server, enter its address here. Address Backup Specify the port number on the RADIUS server to which the SBG3500-N sends Authentication Port authentication requests. Enter a number between 1 and 65535. SBG3500-N000 User’s Guide...
  • Page 268: Technical Reference

    Click Cancel to restore your previous settings. 20.7 Technical Reference This section provides some technical background information about the topics covered in this chapter. 20.7.1 IPSec Architecture The overall IPSec architecture is shown as follows. Figure 122 IPSec Architecture SBG3500-N000 User’s Guide...
  • Page 269: Encapsulation

    With the use of AH as the security protocol, protection is extended forward into the IP header to verify the integrity of the entire packet by use of portions of the original IP header in the hashing process. SBG3500-N000 User’s Guide...
  • Page 270: Ike Phases

    An IKE SA times out when the IKE SA lifetime period expires. If an IKE SA times out when an IPSec SA is already established, the IPSec SA stays connected. In phase 2 you must: SBG3500-N000 User’s Guide...
  • Page 271: Negotiation Mode

    The encrypted contents, but not the new headers, are signed with a hash value appended to the packet. Tunnel mode ESP with authentication is compatible with NAT because integrity checks are performed over the combination of the "original header plus original payload," which is unchanged by a NAT device. SBG3500-N000 User’s Guide...
  • Page 272: Vpn, Nat, And Nat Traversal

    "original header plus original payload," which is unchanged by a NAT device. The compatibility of AH and ESP with NAT in tunnel and transport modes is summarized in the following table. Table 94 VPN and NAT SECURITY PROTOCOL MODE Transport Tunnel SBG3500-N000 User’s Guide...
  • Page 273: Id Type And Content

    Table 96 Matching ID Type and Content Configuration Example. SBG3500-N A: Local ID type: User-FQDN; Local ID content: tom@yourcompany.com; Remote ID type: IP; Remote ID content: 1.1.1.2. SBG3500-N B: Local ID type: IP; Local ID content: 1.1.1.2; Remote ID type: E-mail; Remote ID content: tom@yourcompany.com. SBG3500-N000 User’s Guide...
  • Page 274: Pre-Shared Key

    768-bit, 1024-bit, 1536-bit, 2048-bit, and 3072-bit Diffie-Hellman groups are supported. Upon completion of the Diffie-Hellman exchange, the two peers have a shared secret, but the IKE SA is not authenticated. For authentication, use pre-shared keys. SBG3500-N000 User’s Guide...
  • Page 275: Pptp Vpn

    21.2 What You Can Do in this Chapter • Use the Setup screen to configure the PPTP VPN settings in the SBG3500-N (Section 21.3 on page 276). • Use the Monitor screen to view settings for PPTP clients (Section 21.4 on page 277). SBG3500-N000 User’s Guide...
  • Page 276: Pptp Vpn Setup

    Specify up to 2 LAN groups (subnets) which a PPTP VPN client is allowed to access. If none is specified, all LAN groups can be accessed. Enter the IP address and subnet mask for the LAN group(s). SBG3500-N000 User’s Guide...
  • Page 277: The Pptp Vpn Monitor Screen

    Select a VPN client connection and click this to disconnect. 21.5 PPTP VPN Troubleshooting Tips This section lists the common troubleshooting tips for PPTP VPN. A PPTP client device (such as a PC, smart phone, tablet) cannot connect to the SBG3500-N. SBG3500-N000 User’s Guide...
  • Page 278 When any one of these configuration changes is applied on the SBG3500-N: WAN interface used for PPTP VPN, IP address pool, access group. e. The SBG3500-N’s WAN interface on which the PPTP connection is established is disconnected. SBG3500-N000 User’s Guide...
  • Page 279 An Android device cannot connect to the SBG3500-N’s PPTP VPN. Tip: Devices running an Android OS older than version 4.1 have issues with PPTP/MPPE encryption. Avoid using devices that run an Android OS older than version 4.1 for PPTP VPN connection. SBG3500-N000 User’s Guide...
  • Page 280: L2Tp Vpn

    • Use the Monitor screen to view settings for L2TP clients (Chapter 22 on page 282). Note: You need to configure the Default_L2TPVPN VPN rule in the VPN > IPSec > IPSec Setup screen. See Chapter 20 on page 256 for information on IPSec VPN. SBG3500-N000 User’s Guide...
  • Page 281: L2Tp Vpn Screen

    Select how the SBG3500-N authenticates a remote user before allowing access to the L2TP VPN tunnel. The authentication method has the SBG3500-N check a user’s user name and password against the SBG3500-N’s local database, which is configured in the Maintenance > User Account screen. SBG3500-N000 User’s Guide...
  • Page 282: The L2Tp Vpn Monitor Screen

    An L2TP client device (such as a PC, smart phone, tablet) cannot connect to the SBG3500-N. TIP: This could be due to one of the following reasons: a. The client device is not connected to the Internet successfully. SBG3500-N000 User’s Guide...
  • Page 283 This usually happens at the first connection attempt after a new connection profile is created. Reconfigure the pre-shared key on the client Windows device and retry the connection. An L2TP client device cannot reconnect after it is disconnected. SBG3500-N000 User’s Guide...
  • Page 284 IPSec proposals provided by a built-in L2TP client in the popular operating systems during IPSec phase 1 negotiation. The first proposal that can be supported by the phase 1 setting in the Default_L2TPVPN IPSec VPN rule will be accepted by the SBG3500-N000 User’s Guide...
  • Page 285 ESP/AES/MD5 ESP/3DES/SHA1 ESP/3DES/SHA1 ESP/3DES/MD5 ESP/3DES/MD5 ESP/DES/SHA1 ESP/DES/MD5 AH/-/SHA1 and ESP/3DES/SHA1 ESP/3DES/SHA1 ESP/3DES/- AH/-/MD5 and AH/-/SHA1 and ESP/DES/SHA1 ESP/3DES/- ESP/AES/- AH/-/SHA1 and AH/-/SHA1 and ESP/-/SHA1 ESP/3DES/SHA1 ESP/3DES/- AH/-/MD5 and AH/-/SHA1 and AH/-/SHA1 ESP/3DES/MD5 ESP/3DES/SHA1 ESP/DES/MD5 ESP/-/SHA1 ESP/DES/SHA1 AH/-/SHA1 SBG3500-N000 User’s Guide...
  • Page 286: Log

    CODE SEVERITY Emergency: The system is unusable. Alert: Action must be taken immediately. Critical: The system condition is critical. Error: There is an error condition on the system. Warning: There is a warning condition on the system. SBG3500-N000 User’s Guide...
  • Page 287: The System Log Screen

    Level This field displays the severity level of the logs that the device is to send to this syslog server. Messages This field states the reason for the log. SBG3500-N000 User’s Guide...
  • Page 288: The Security Log Screen

    Level This field displays the severity level of the logs that the device is to send to this syslog server. Messages This field states the reason for the log. SBG3500-N000 User’s Guide...
  • Page 289: Network Status

    This indicates the number of frames with errors transmitted on this interface. Drop This indicates the number of outgoing packets dropped on this interface. Packets Received Data This indicates the number of received packets on this interface. SBG3500-N000 User’s Guide...
  • Page 290: The Lan Status Screen

    Choose the screen refresh time (15, 30, 60 seconds) from the drop-down list to see changes in the devices that are on the network. This displays the device that is connected to the SBG3500-N. Device Name This displays the system name of the device on the SBG3500-N. SBG3500-N000 User’s Guide...
  • Page 291 This displays the IP address of the device on the SBG3500-N. MAC Address This displays the MAC address of the device on the SBG3500-N. Connection Type This displays the connection type that the device is using to connect to the SBG3500-N. SBG3500-N000 User’s Guide...
  • Page 292: Arp Table

    The following table describes the labels in this screen. Table 110 System Monitor > ARP Table LABEL DESCRIPTION This is the ARP table entry number. IP Address This is the learned IP address of a device connected to a port. SBG3500-N000 User’s Guide...
  • Page 293 This is the MAC address of the device with the listed IP address. Device This is the type of interface used by the device. You can click on the device type to go to its configuration screen. SBG3500-N000 User’s Guide...
  • Page 294: Routing Table

    M-Modified (redirect): The route is modified from a routing daemon or redirect. Metric The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost". The smaller the number, the lower the "cost". SBG3500-N000 User’s Guide...
  • Page 295 Interface This indicates the name of the interface through which the route is forwarded. br0 indicates the LAN interface. ptm0 indicates the WAN interface using IPoE or in bridge mode. ppp0 indicates the WAN interface using PPPoE. SBG3500-N000 User’s Guide...
  • Page 296: Igmp Status

    EXCLUDE means that the IP addresses in the Source List are not allowed to receive the multicast group’s traffic but other IP addresses can. Source List This is the list of IP addresses that are allowed or not allowed to receive the multicast group’s traffic depending on the filter mode. SBG3500-N000 User’s Guide...
  • Page 297: Xdsl Statistics

    xDSL Statistics 28.1 The xDSL Statistics Screen Use this screen to view detailed DSL statistics. Click System Monitor > xDSL Statistics to open the following screen. Figure 139 System Monitor > xDSL Statistics SBG3500-N000 User’s Guide...
  • Page 298 Attainable Net Data Rate These are the highest theoretically possible transfer rates at which the port could send and receive payload data without transport layer protocol headers and traffic. xDSL Counters SBG3500-N000 User’s Guide...
  • Page 299 30% or more errored blocks or at least one defect. This is a subset of ES. This is the number of UnAvailable Seconds. This is the number of Loss Of Signal seconds. This is the number of Loss Of Frame seconds. This is the number of Loss of Margin seconds. SBG3500-N000 User’s Guide...
  • Page 300: User Account

    This field indicates how many times a user can re-enter his/her account information before the Device locks the user out. Idle Timeout This field indicates the number of minutes that the system can idle before being logged out. SBG3500-N000 User’s Guide...
  • Page 301: Add/Edit A User Account

    Use this screen to add or edit a user’s account. Click Add new user in the User Account screen or the Edit icon next to the user account you want to edit. The screen shown next appears. Figure 141 User Account: Add/Edit SBG3500-N000 User’s Guide...
  • Page 302 Enter the shared root directory. File Sharing Writable Select if you want the files in the shared directory to be writable or not. Apply Click Apply to save your changes. Cancel Click Cancel to exit this screen without saving. SBG3500-N000 User’s Guide...
  • Page 303: Remote Management

    30.2 The Remote MGMT Screen Use this screen to configure through which interface(s) users can use which service(s) to manage the SBG3500-N. Click Maintenance > Remote MGMT to open the following screen. Figure 142 Maintenance > Remote MGMT SBG3500-N000 User’s Guide...
  • Page 304 Select a certificate the HTTPS server (the SBG3500-N) uses to authenticate itself to the HTTPS client. You must have certificates already configured in the Certificates screen. Apply Click Apply to save your changes back to the SBG3500-N. Cancel Click Cancel to restore your previously saved settings. SBG3500-N000 User’s Guide...
  • Page 305: Client

    ACS and specify the ACS IP address or domain name and username and password. Click Maintenance > TR-069 Client to open the following screen. Use this screen to configure your Device to be managed by an ACS. Figure 143 Maintenance > TR-069 Client SBG3500-N000 User’s Guide...
  • Page 306 You can choose a local certificate used by TR-069 client. The local certificate should be imported in the Security > Certificates > Local Certificates screen. Apply Click Apply to save your changes. Cancel Click Cancel to exit this screen without saving. SBG3500-N000 User’s Guide...
  • Page 307: Snmp

    SNMP allows a manager and agents to communicate for the purpose of accessing these objects. SNMP itself is a simple request/response protocol based on the manager/agent model. The manager issues a request and the agent returns responses using the following protocol operations: SBG3500-N000 User’s Guide...
  • Page 308 Enter the name of the person in charge of the Device. Trap Destination Type the IP address of the station to send your SNMP traps to. Apply Click Apply to save your changes back to the Device. Cancel Click Cancel to restore your previously saved settings. SBG3500-N000 User’s Guide...
  • Page 309: Time

    33.2 The Time Screen To change your Device’s time and date, click Maintenance > Time. The screen appears as shown. Use this screen to configure the Device’s time based on your local time zone. Figure 146 Maintenance > Time SBG3500-N000 User’s Guide...
  • Page 310 Sunday, and the month to October. The time you select in the o'clock field depends on your time zone. In Germany for instance, you would select 2 in the Hour field because Germany's time zone is one hour ahead of GMT or UTC (GMT+1). SBG3500-N000 User’s Guide...
  • Page 311 Chapter 33 Time Table 119 Maintenance > Time (continued) LABEL DESCRIPTION Apply Click Apply to save your changes. Cancel Click Cancel to exit this screen without saving. SBG3500-N000 User’s Guide...
  • Page 312: E-Mail Notification

    This field displays the password of the sender’s mail account. Email Address This field displays the e-mail address that you want to be in the from/sender line of the e-mail that the Device sends. Remove Click this button to delete the selected entry(ies). SBG3500-N000 User’s Guide...
  • Page 313: Email Notification Edit

    If you activate SSL/TLS authentication, the e-mail address must be able to be authenticated by the mail server as well. Apply Click this button to save your changes and return to the previous screen. Cancel Click this button to begin configuring this screen afresh. SBG3500-N000 User’s Guide...
  • Page 314: Logs Setting

    You can configure where the Device sends logs and which logs and/or immediate alerts the Device records in the Logs Setting screen. 35.2 The Log Setting Screen To change your Device’s log settings, click Maintenance > Logs Setting. The screen appears as shown. Figure 149 Maintenance > Logs Setting SBG3500-N000 User’s Guide...
  • Page 315: Example E-Mail Log

    35.2.1 Example E-mail Log An "End of Log" message displays for each mail in which a complete log has been sent. The following is an example of a log sent by e-mail. • You may edit the subject title. SBG3500-N000 User’s Guide...
  • Page 316 |<1,02> 127|Apr 7 00 |From:192.168.1.131 To:192.168.1.255 |match |forward | 10:05:17 |UDP src port:00520 dest port:00520 |<1,02> 128|Apr 7 00 |From:192.168.1.1 To:192.168.1.255 |match |forward | 10:05:30 |UDP src port:00520 dest port:00520 |<1,02> End of Firewall Log SBG3500-N000 User’s Guide...
  • Page 317: Firmware Upgrade

    Click this to find the .bin file you want to upload. Remember that you must decompress compressed (.zip) files before you can upload them. Upload Click this to begin the upload process. This process may take up to two minutes. SBG3500-N000 User’s Guide...
  • Page 318 After two minutes, log in again and check your new firmware version in the Status screen. If the upload was not successful, the following screen will appear. Click OK to go back to the Firmware Upgrade screen. Figure 154 Error Message SBG3500-N000 User’s Guide...
  • Page 319: Configuration

    Once your Device is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes. The backup configuration file will be useful in case you need to return to your previous settings. Click Backup to save the Device’s current configuration to your computer. SBG3500-N000 User’s Guide...
  • Page 320 Appendix A on page 334 for details on how to set up your computer’s IP address. If the upload was not successful, the following screen will appear. Click OK to go back to the Configuration screen. Figure 157 Configuration Upload Error SBG3500-N000 User’s Guide...
  • Page 321: The Reboot Screen

    System restart allows you to reboot the Device remotely without turning the power off. You may need to do this if the Device hangs, for example. Click Maintenance > Reboot. Click Reboot to have the Device reboot. This does not affect the Device's configuration. Figure 160 Maintenance > Reboot SBG3500-N000 User’s Guide...
  • Page 322: Diagnostic

    If an MEP port does not respond to the source MEP, this may indicate a fault. Administrators can take further action to check and resume services from the fault according to the line connectivity status report. SBG3500-N000 User’s Guide...
  • Page 323: Ping & Traceroute & Nslookup

    Click this button to perform the traceroute function. This determines the path a packet takes to the specified computer. Nslookup: Click this button to perform a DNS lookup on the IP address of a computer you enter. SBG3500-N000 User’s Guide...
  • Page 324 Click this button to have the selected MEP send the LBM (Loop Back Message) to a specified remote end point. Send Linktrace: Click this button to have the selected MEP send the LTMs (Link Trace Messages) to a specified remote end point. SBG3500-N000 User’s Guide...
  • Page 325: OAM Ping Test

    Segment loopback tests allow you to verify integrity of a PVC to the nearest neighboring ATM device. End-to-end loopback tests allow you to verify integrity of an end-to-end PVC. Note: The DSLAM to which the Device is connected must also support ATM F4 and/or F5 to use this test. SBG3500-N000 User’s Guide...
  • Page 326 Press this to perform an OAM F4 segment loopback test. F4 end-end: Press this to perform an OAM F4 end-to-end loopback test. F5 segment: Press this to perform an OAM F5 segment loopback test. F5 end-end: Press this to perform an OAM F5 end-to-end loopback test. SBG3500-N000 User’s Guide...
  • Page 327: Troubleshooting

    Make sure you understand the normal behavior of the LED. See Section 1.3 on page Check the hardware connections. Inspect your cables for damage. Contact the vendor to replace any damaged cables. Turn the Device off and on. SBG3500-N000 User’s Guide...
  • Page 328: Device Access And Login

    Make sure your Internet browser does not block pop-up windows and has JavaScript and Java enabled. See Appendix C on page 364. If it is possible to log in from another interface, check the service control settings for HTTP and HTTPS (Maintenance > Remote MGMT). SBG3500-N000 User’s Guide...
  • Page 329 I cannot use FTP to upload / download the configuration file. / I cannot use FTP to upload new firmware. See the troubleshooting suggestions for I cannot see or access the Login screen in the web configurator. Ignore the suggestions about your browser. SBG3500-N000 User’s Guide...
  • Page 330: Internet Access

    ADSL and VDSL connections cannot work at the same time. You can only use one type of DSL connection, either ADSL or VDSL, at one time. I cannot connect to the Internet using an Ethernet connection. Make sure you have the Ethernet WAN port connected to a MODEM or Router. SBG3500-N000 User’s Guide...
  • Page 331: Wireless Internet Access

    • Place the AP where there are minimum obstacles (such as walls and ceilings) between the AP and the wireless client. • Reduce the number of wireless clients connecting to the same AP simultaneously, or add additional APs if necessary. SBG3500-N000 User’s Guide...
  • Page 332: USB Device Connection

    You need to enable it to allow users to access shared files in USB storage. If you are connecting a USB hard drive that comes with an external power supply, make sure it is connected to an appropriate power source that is on. SBG3500-N000 User’s Guide...
  • Page 333: UPnP

    The Local Area Connection icon for UPnP disappears in the screen. Restart your computer. I cannot open special applications such as white board, file transfer and video when I use the MSN messenger. Wait more than three minutes. Restart the applications. SBG3500-N000 User’s Guide...
  • Page 334: Appendix A Setting Up Your Computer's IP Address

    IP addresses that place them in the same subnet as the Device’s LAN port. Windows 95/98/Me Click Start, Settings, Control Panel and double-click the Network icon to open the Network window. Figure 165 Windows 95/98/Me: Network: Configuration SBG3500-N000 User’s Guide...
  • Page 335 Restart your computer so the changes you made take effect. Configuring: In the Network window Configuration tab, select your network adapter's TCP/IP entry and click Properties. Click the IP Address tab. • If your IP address is dynamic, select Obtain an IP address automatically. SBG3500-N000 User’s Guide...
  • Page 336 • If you do not know your DNS information, select Disable DNS. • If you know your DNS information, select Enable DNS and type the information in the fields below (you may not need to fill them all in). Figure 167 Windows 95/98/Me: TCP/IP Properties: DNS Configuration SBG3500-N000 User’s Guide...
  • Page 337 Select your network adapter. You should see your computer's IP address, subnet mask and default gateway. Windows 2000/NT/XP The following example figures use the default Windows XP GUI theme. Click start (Start in Windows 2000/NT), Settings, Control Panel. Figure 168 Windows XP: Start Menu SBG3500-N000 User’s Guide...
  • Page 338 In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT). Figure 169 Windows XP: Control Panel Right-click Local Area Connection and then click Properties. Figure 170 Windows XP: Control Panel: Network Connections: Properties SBG3500-N000 User’s Guide...
  • Page 339 • If you have a dynamic IP address click Obtain an IP address automatically. • If you have a static IP address click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields. SBG3500-N000 User’s Guide...
  • Page 340 (the number of transmission hops), clear the Automatic metric check box and type a metric in Metric. • Click Add. • Repeat the previous three steps for each default gateway you want to add. SBG3500-N000 User’s Guide...
  • Page 341 • Click Obtain DNS server address automatically if you do not know your DNS server IP address(es). • If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields. SBG3500-N000 User’s Guide...
  • Page 342 In the Command Prompt window, type "ipconfig" and then press [ENTER]. You can also open Network Connections, right-click a network connection, click Status and then click the Support tab. Windows Vista This section shows screens from Windows Vista Enterprise Version 6.0. SBG3500-N000 User’s Guide...
  • Page 343 Click the Start icon, Control Panel. Figure 175 Windows Vista: Start Menu In the Control Panel, double-click Network and Internet. Figure 176 Windows Vista: Control Panel Click Network and Sharing Center. Figure 177 Windows Vista: Network And Internet SBG3500-N000 User’s Guide...
  • Page 344 Figure 178 Windows Vista: Network and Sharing Center Right-click Local Area Connection and then click Properties. Note: During this procedure, click Continue whenever Windows displays a screen saying that it needs your permission to continue. Figure 179 Windows Vista: Network and Sharing Center SBG3500-N000 User’s Guide...
  • Page 345 • If you have a dynamic IP address click Obtain an IP address automatically. • If you have a static IP address click Use the following IP address and fill in the IP address, Subnet mask, and Default gateway fields. SBG3500-N000 User’s Guide...
  • Page 346 (the number of transmission hops), clear the Automatic metric check box and type a metric in Metric. • Click Add. • Repeat the previous three steps for each default gateway you want to add. SBG3500-N000 User’s Guide...
  • Page 347 • Click Obtain DNS server address automatically if you do not know your DNS server IP address(es). • If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields. SBG3500-N000 User’s Guide...
  • Page 348 Click Start, All Programs, Accessories and then Command Prompt. In the Command Prompt window, type "ipconfig" and then press [ENTER]. You can also open Network Connections, right-click a network connection, click Status and then click the Support tab. SBG3500-N000 User’s Guide...
  • Page 349 Appendix A Setting up Your Computer’s IP Address Macintosh OS 8/9 Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel. Figure 184 Macintosh OS 8/9: Apple Menu SBG3500-N000 User’s Guide...
  • Page 350 Macintosh OS X Click the Apple menu, and click System Preferences to open the System Preferences window. Figure 186 Macintosh OS X: Apple Menu Click Network in the icon bar. • Select Automatic from the Location list. SBG3500-N000 User’s Guide...
  • Page 351 • Type the IP address of your Device in the Router address box. Click Apply Now and close the window. Turn on your Device and restart your computer (if prompted). Verifying Settings Check your TCP/IP properties in the Network window. SBG3500-N000 User’s Guide...
  • Page 352 Follow the steps below to configure your computer IP address using the KDE. Click the Red Hat button (located on the bottom left corner), select System Setting and click Network. Figure 188 Red Hat 9.0: KDE: Network Configuration: Devices SBG3500-N000 User’s Guide...
  • Page 353 If you know your DNS server IP address(es), click the DNS tab in the Network Configuration screen. Enter the DNS server information in the fields provided. Figure 190 Red Hat 9.0: KDE: Network Configuration: DNS Click the Devices tab. SBG3500-N000 User’s Guide...
  • Page 354 The following example shows a static IP address of 192.168.1.10 and a subnet mask of 255.255.255.0. Figure 193 Red Hat 9.0: Static IP Address Setting in ifconfig-eth0 DEVICE=eth0 ONBOOT=yes BOOTPROTO=static IPADDR=192.168.1.10 NETMASK=255.255.255.0 USERCTL=no PEERDNS=yes TYPE=Ethernet SBG3500-N000 User’s Guide...
  • Page 355: Verifying Settings

    HWaddr 00:50:BA:72:5B:44 inet addr:172.23.19.129 Bcast:172.23.19.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:717 errors:0 dropped:0 overruns:0 frame:0 TX packets:13 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:730412 (713.2 Kb) TX bytes:1570 (1.5 Kb) Interrupt:10 Base address:0x1000 [root@localhost]# SBG3500-N000 User’s Guide...
  • Page 356: Appendix B IP Addresses And Subnetting

    192.168.1.1). Each of these four parts is known as an octet. An octet is an eight-digit binary number (for example 11000000, which is 192 in decimal notation). Therefore, each octet has a possible range of 00000000 to 11111111 in binary, or 0 to 255 in decimal. SBG3500-N000 User’s Guide...
  • Page 357 Host ID 00000010 By convention, subnet masks always consist of a continuous sequence of ones beginning from the leftmost bit of the mask, followed by a continuous sequence of zeros, for a total number of 32 bits. SBG3500-N000 User’s Guide...
  • Page 358 This is usually specified by writing a “/” followed by the number of bits in the mask after the address. For example, 192.1.1.0 /25 is equivalent to saying 192.1.1.0 with subnet mask 255.255.255.128. SBG3500-N000 User’s Guide...
  • Page 359 You can “borrow” one of the host ID bits to divide the network 192.168.1.0 into two separate sub-networks. The subnet mask is now 25 bits (255.255.255.128 or /25). The “borrowed” host ID bit can have a value of either 0 or 1, allowing two subnets; 192.168.1.0 /25 and 192.168.1.128 /25. SBG3500-N000 User’s Guide...
  • Page 360 Table 132 Subnet 1
    IP/SUBNET MASK | NETWORK NUMBER | LAST OCTET BIT VALUE
    IP Address (Decimal) | 192.168.1. |
    IP Address (Binary) | 11000000.10101000.00000001. | 00000000
    Subnet Mask (Binary) | 11111111.11111111.11111111. | 11000000
    SBG3500-N000 User’s Guide...
  • Page 361 Similarly, use a 27-bit mask to create eight subnets (000, 001, 010, 011, 100, 101, 110 and 111). The following table shows IP address last octet values for each subnet. Table 136 Eight Subnets (columns: SUBNET | SUBNET ADDRESS | FIRST ADDRESS | LAST ADDRESS | BROADCAST ADDRESS) SBG3500-N000 User’s Guide...
  • Page 362 16382 255.255.224.0 (/19) 8190 255.255.240.0 (/20) 4094 255.255.248.0 (/21) 2046 255.255.252.0 (/22) 1022 255.255.254.0 (/23) 255.255.255.0 (/24) 255.255.255.128 (/25) 255.255.255.192 (/26) 1024 255.255.255.224 (/27) 2048 255.255.255.240 (/28) 4096 255.255.255.248 (/29) 8192 255.255.255.252 (/30) 16384 255.255.255.254 (/31) 32768 SBG3500-N000 User’s Guide...
  • Page 363 Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, Address Allocation for Private Internets and RFC 1466, Guidelines for Management of IP Address Space. SBG3500-N000 User’s Guide...
  • Page 364: Appendix C Pop-Up Windows, JavaScript And Java Permissions

    In Internet Explorer, select Tools, Pop-up Blocker and then select Turn Off Pop-up Blocker. Figure 200 Pop-up Blocker You can also check if pop-up blocking is disabled in the Pop-up Blocker section in the Privacy tab. In Internet Explorer, select Tools, Internet Options, Privacy. SBG3500-N000 User’s Guide...
  • Page 365 Click Apply to save this setting. Enable Pop-up Blockers with Exceptions Alternatively, if you only want to allow pop-up windows from your device, see the following steps. In Internet Explorer, select Tools, Internet Options and then the Privacy tab. SBG3500-N000 User’s Guide...
  • Page 366 Select Settings… to open the Pop-up Blocker Settings screen. Figure 202 Internet Options: Privacy Type the IP address of your device (the web page that you do not want to have blocked) with the prefix “http://”. For example, http://192.168.167.1. SBG3500-N000 User’s Guide...
  • Page 367 Figure 203 Pop-up Blocker Settings Click Close to return to the Privacy screen. Click Apply to save this setting. JavaScript If pages of the web configurator do not display properly in Internet Explorer, check that JavaScript is allowed. SBG3500-N000 User’s Guide...
  • Page 368 Figure 204 Internet Options: Security Click the Custom Level... button. Scroll down to Scripting. Under Active scripting make sure that Enable is selected (the default). Under Scripting of Java applets make sure that Enable is selected (the default). SBG3500-N000 User’s Guide...
  • Page 369 Figure 205 Security Settings - Java Scripting Java Permissions From Internet Explorer, click Tools, Internet Options and then the Security tab. Click the Custom Level... button. Scroll down to Microsoft VM. Under Java permissions make sure that a safety level is selected. SBG3500-N000 User’s Guide...
  • Page 370 Click OK to close the window. Figure 206 Security Settings - Java JAVA (Sun) From Internet Explorer, click Tools, Internet Options and then the Advanced tab. Make sure that Use Java 2 for <applet> under Java (Sun) is selected. SBG3500-N000 User’s Guide...
  • Page 371 Mozilla Firefox 2.0 screens are used here. Screens for other versions may vary. You can enable Java, Javascript and pop-ups in one screen. Click Tools, then click Options in the screen that appears. Figure 208 Mozilla Firefox: Tools > Options SBG3500-N000 User’s Guide...
  • Page 372 Appendix C Pop-up Windows, JavaScript and Java Permissions Click Content to show the screen below. Select the check boxes as shown in the following screen. Figure 209 Mozilla Firefox Content Security SBG3500-N000 User’s Guide...
  • Page 373: Appendix D Wireless Lans

    (AP). Intra-BSS traffic is traffic between wireless clients in the BSS. When Intra-BSS is enabled, wireless client A and B can access the wired network and communicate with each other. When Intra-BSS is SBG3500-N000 User’s Guide...
  • Page 374 APs is called a Distribution System (DS). This type of wireless LAN topology is called an Infrastructure WLAN. The Access Points not only provide communication with the wired network but also mediate wireless network traffic in the immediate neighborhood. SBG3500-N000 User’s Guide...
  • Page 375 A hidden node occurs when two stations are within range of the same access point, but are not within range of each other. The following figure illustrates a hidden node. Both stations (STA) are within range of the access point (AP) or wireless gateway, but out-of-range of each other, so they SBG3500-N000 User’s Guide...
  • Page 376 AP will fragment the packet into smaller data frames. A large Fragmentation Threshold is recommended for networks not prone to interference while you should set a smaller threshold for busy networks or networks that are prone to interference. SBG3500-N000 User’s Guide...
  • Page 377 IEEE802.1x EAP with RADIUS Server Authentication; Wi-Fi Protected Access (WPA); WPA2 (Most Secure). Note: You must enable the same wireless security settings on the Device and on all wireless clients that you want to associate with it. SBG3500-N000 User’s Guide...
  • Page 378 Sent by a RADIUS server requesting more information in order to allow access. The access point sends a proper response from the user and then sends another Access-Request message. The following types of RADIUS messages are exchanged between the access point and the RADIUS server for user accounting: SBG3500-N000 User’s Guide...
  • Page 379 This makes user identity vulnerable to passive attacks. A digital certificate is an electronic ID card that authenticates the sender’s identity. However, to implement EAP-TLS, you need a Certificate Authority (CA) to handle certificates, which imposes a management overhead. SBG3500-N000 User’s Guide...
  • Page 380 Table 141 Comparison of EAP Authentication Types EAP-MD5 EAP-TLS EAP-TTLS PEAP LEAP Mutual Authentication Certificate – Client Optional Optional Certificate – Server Dynamic Key Exchange Credential Integrity None Strong Strong Strong Moderate Deployment Difficulty Easy Hard Moderate Moderate Moderate Client Identity Protection SBG3500-N000 User’s Guide...
  • Page 381 The encryption mechanisms used for WPA(2) and WPA(2)-PSK are the same. The only difference between the two is that WPA(2)-PSK uses a simple common password, instead of user-specific credentials. The common-password approach makes WPA(2)-PSK susceptible to brute-force SBG3500-N000 User’s Guide...
  • Page 382 The RADIUS server then checks the user's identification against its database and grants or denies network access accordingly. A 256-bit Pairwise Master Key (PMK) is derived from the authentication process by the RADIUS server and the client. SBG3500-N000 User’s Guide...
  • Page 383 The AP and wireless clients use the TKIP or AES encryption process, the PMK and information exchanged in a handshake to create temporal encryption keys. They use these keys to encrypt data exchanged between them. Figure 215 WPA(2)-PSK Authentication SBG3500-N000 User’s Guide...
  • Page 384 Antenna gain, measured in dB (decibel), is the increase in coverage within the RF beam width. Higher antenna gain improves the range of the signal for better communications. For an indoor site, each 1 dB increase in antenna gain results in a range increase of approximately SBG3500-N000 User’s Guide...
  • Page 385 For a single AP application, place omni-directional antennas as close to the center of the coverage area as possible. For directional antennas, point the antenna in the direction of the desired coverage area. SBG3500-N000 User’s Guide...
  • Page 386: Appendix E IPv6

    “private IP address” in IPv4. You can have the same link-local address on multiple interfaces on a device. A link-local unicast address has a predefined prefix of fe80::/10. The link-local unicast address format is as follows. Table 143 Link-local Unicast Address Format 1111 1110 10 Interface ID 10 bits 54 bits 64 bits SBG3500-N000 User’s Guide...
  • Page 387 All DHCP servers on a local site. FF05:0:0:0:0:0:1:3 The following table describes the multicast addresses which are reserved and cannot be assigned to a multicast group. Table 145 Reserved Multicast Address MULTICAST ADDRESS FF00:0:0:0:0:0:0:0 FF01:0:0:0:0:0:0:0 FF02:0:0:0:0:0:0:0 FF03:0:0:0:0:0:0:0 FF04:0:0:0:0:0:0:0 FF05:0:0:0:0:0:0:0 FF06:0:0:0:0:0:0:0 FF07:0:0:0:0:0:0:0 SBG3500-N000 User’s Guide...
  • Page 388 DHCPv6 server uses T1 and T2 to control the time at which the client contacts the server to extend the lifetimes on any addresses in the IA_NA before the lifetimes expire. After T1, the client sends the server (S1) (from which the addresses in the IA_NA were obtained) a Renew message. If SBG3500-N000 User’s Guide...
  • Page 389 • Neighbor solicitation: A request from a host to determine a neighbor’s link-layer address (MAC address) and detect if the neighbor is still reachable. A neighbor being “reachable” means it responds to a neighbor solicitation message (from the host) with a neighbor advertisement message. SBG3500-N000 User’s Guide...
  • Page 390 Done message to the router or switch. The router or switch then sends a group-specific query to the port on which the Done message is received to determine if other devices connected to this port should remain in the group. SBG3500-N000 User’s Guide...
  • Page 391 Install Dibbler and select the DHCPv6 client option on your computer. After the installation is complete, select Start > All Programs > Dibbler-DHCPv6 > Client Install as service. Select Start > Control Panel > Administrative Tools > Services. SBG3500-N000 User’s Guide...
  • Page 392 Windows 7 supports IPv6 by default. DHCPv6 is also enabled when you enable IPv6 on a Windows 7 computer. To enable IPv6 in Windows 7: Select Control Panel > Network and Sharing Center > Local Area Connection. Select the Internet Protocol Version 6 (TCP/IPv6) checkbox to enable it. Click OK to save the change. SBG3500-N000 User’s Guide...
  • Page 393 IPv4 Address... : 172.16.100.61 Subnet Mask ... : 255.255.255.0 Default Gateway ..: fe80::213:49ff:feaa:7125%11 172.16.100.254 SBG3500-N000 User’s Guide...
  • Page 394: Appendix F Services

    • If the Protocol is TCP, UDP, or TCP/UDP, this is the IP port number. • If the Protocol is USER, this is the IP protocol number. • Description: This is a brief explanation of the applications that use this service or the situations in which this service is used. SBG3500-N000 User’s Guide...
  • Page 395 6667 This is another popular Internet chat program. MSN Messenger 1863 Microsoft Networks’ messenger service uses this protocol. NetBIOS TCP/UDP The Network Basic Input/Output System is used for communication between TCP/UDP computers in a LAN. TCP/UDP TCP/UDP SBG3500-N000 User’s Guide...
  • Page 396 This is a more secure version of SMTP that runs over SSL. SMTP This is a more secure version of SMTP that authenticates sender from out of network mailservers. SNMP TCP/UDP Simple Network Management Program. SNMP-TRAPS TCP/UDP Traps for use with the SNMP (RFC:1215). SBG3500-N000 User’s Guide...
  • Page 397 UNIX environments. It operates over TCP/ IP networks. Its primary function is to allow users to log into remote host systems. VDOLIVE 7000 A videoconferencing solution. The UDP port number is specified in the application. user- defined SBG3500-N000 User’s Guide...
  • Page 399: Appendix G Legal Information

    The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved.
  • Page 400: ZyXEL Limited Warranty

    Dyrektywy 2012/19/UE. [Portuguese] ZyXEL declares that this equipment complies with the essential requirements and other provisions of Directive 2012/19/UE. [Slovenian] ZyXEL declares that this equipment complies with the essential requirements and other relevant provisions of Directive 2012/19/UE. SBG3500-N000 User’s Guide...
  • Page 401 The outdoor usage of the 2.4 GHz band requires an authorization from the Electronic Communications Office. Please check http://www.esd.lv for more details. Outdoor use of the 2.4 GHz frequency band requires a permit from the Electronic Communications Office. More information: http://www.esd.lv. Notes: SBG3500-N000 User’s Guide...
  • Page 402: Safety Warnings

    Your product is marked with this symbol, which is known as the WEEE mark. WEEE stands for Waste Electronics and Electrical Equipment. It means that used electrical and electronic products should not be mixed with general waste. Used electrical and electronic equipment should be treated separately. SBG3500-N000 User’s Guide...