ZyXEL Communications P-660HWP-D1 User Manual

P-660HWP-D1
802.11g HomePlug AV ADSL2+ Security Gateway
User's Guide
Version 3.40
6/2007
Edition 1
www.zyxel.com


Summary of Contents for ZyXEL Communications P-660HWP-D1

  • Page 1 P-660HWP-D1 802.11g HomePlug AV ADSL2+ Security Gateway User’s Guide Version 3.40 6/2007 Edition 1 www.zyxel.com...
  • Page 3: About This User's Guide

    About This User's Guide. Intended Audience: This manual is intended for people who want to configure the P-660HWP-D1 using the web configurator. You should have at least a basic knowledge of TCP/IP networking concepts and topology.
  • Page 4: Document Conventions

    Syntax Conventions
    • The P-660HWP-D1 may be referred to as the “P-660HWP-D1”, the “device” or the “system” in this User’s Guide.
    • Product labels, screen names, field labels and field choices are all in bold font.
  • Page 5 Document Conventions. Icons Used in Figures: Figures in this User’s Guide may use the following generic icons. The P-660HWP-D1 icon is not an exact representation of your device. Icons: P-660HWP-D1, Computer, Notebook computer, Server, DSLAM, Firewall, Telephone, Switch, Router.
  • Page 6: Safety Warnings

    • Only use the included antenna(s).
    • If you wall mount your device, make sure that no electrical lines, gas or water pipes will be damaged.
    This product is recyclable. Dispose of it properly.
  • Page 9: Table Of Contents

    Contents Overview: Introduction (31); Introducing the P-660HWP-D1 (33); Introducing the Web Configurator (41); Wizards (55); Wizard Setup for Internet/Wireless Access (57); Bandwidth Management Wizard (69); Network (71); WAN Setup (73); LAN Setup ...
  • Page 11: Table Of Contents

    Introducing the P-660HWP-D1 (33); 1.1 Overview (33); 1.2 Ways to Manage the P-660HWP-D1 (35); 1.3 Good Habits for Managing the P-660HWP-D1 (35); 1.4 LEDs (35); 1.5 Hardware Connections (37); 1.5.1 Connecting a POTS Splitter (37); 1.5.2 Telephone Microfilters ...
  • Page 12: 5.1.7 NAT (76); 5.2 Metric (76); 5.3 Traffic Shaping (76); 5.3.1 ATM Traffic Classes (77); 5.4 Zero Configuration Internet Access (78); 5.5 Internet Connection (78); 5.5.1 Configuring Advanced Internet Connection Setup (81)
  • Page 13: 5.8 Configuring WAN Backup (88); Chapter 6 LAN Setup (91); 6.1 LAN Overview (91); 6.1.1 LANs, WANs and the P-660HWP-D1 (91); 6.1.2 DHCP Setup (92); 6.1.3 DNS Server Address (92); 6.1.4 DNS Server Address Assignment (92); 6.2 LAN TCP/IP ...
  • Page 14: 9.5.2 Port Forwarding: Services and Port Numbers (140); 9.5.3 Configuring Servers Behind Port Forwarding (Example) (141); 9.6 Configuring Port Forwarding (141); 9.6.1 Port Forwarding Rule Edit (142); 9.7 Address Mapping (143); 9.7.1 Address Mapping Rule Edit (145)
  • Page 15: 10.4.2 Types of DoS Attacks (152); 10.5 Stateful Inspection (154); 10.5.1 Stateful Inspection Process (155); 10.5.2 Stateful Inspection and the P-660HWP-D1 (156); 10.5.3 TCP Security (156); 10.5.4 UDP/ICMP Security (157); 10.5.5 Upper Layer Protocols (157); 10.6 Guidelines for Enhancing Security with Your Firewall ...
  • Page 16: 13.13 Trusted Remote Hosts > Import (203); 13.14 Trusted Remote Host Certificate Details (204); 13.15 Directory Servers (207); 13.16 Directory Server Add or Edit (207); Part V: Advanced (209); Chapter 14 Static Route (211); 14.1 Static Route (211)
  • Page 17: 17.1.3 System Timeout (232); 17.2 WWW (232); 17.3 Telnet (233); 17.4 Configuring Telnet (234); 17.5 Configuring FTP (234); 17.6 SNMP (235); 17.6.1 Supported MIBs (236); 17.6.2 SNMP Traps (237)
  • Page 18: 20.1.1 Alerts and Logs (263); 20.2 Viewing the Logs (263); 20.3 Configuring Log Settings (264); 20.3.1 Example E-mail Log (266); 20.4 Log Descriptions (267); Chapter 21 Tools (281); 21.1 Firmware Upgrade (281)
  • Page 19: 22.2 DSL Line Diagnostic (288); Chapter 23 Troubleshooting (289); 23.1 Power, Hardware Connections, and LEDs (289); 23.2 P-660HWP-D1 Access and Login (290); 23.3 Internet Access (291); 23.4 Powerline Issues (293); Part VII: Appendices and Index (295); Appendix A Product Specifications and Wall Mounting ...
  • Page 21: List Of Figures

    Figure 4 Connecting a POTS Splitter (37); Figure 5 Connecting a Microfilter (38); Figure 6 Connecting a Microfilter and Y-Connector (38); Figure 7 P-660HWP-D1 with ISDN (39); Figure 8 Password Screen (42); Figure 9 User status screen (42); Figure 10 Change Password at Login ...
  • Page 22: Figure 77 Network > Powerline > Status (133); Figure 78 How NAT Works (136); Figure 79 NAT Application With IP Alias (137); Figure 80 NAT General (139); Figure 81 Multiple Servers Behind NAT Example (141)
  • Page 23: Figure 119 Security > Certificates > Directory Server > Add (208); Figure 120 Example of Static Routing Topology (211); Figure 121 Static Route (212); Figure 122 Static Route Edit (213); Figure 123 Subnet-based Bandwidth Management Example (216); Figure 124 Bandwidth Management: Summary (220)
  • Page 24: Figure 162 Error Message (283); Figure 163 Maintenance > Tools > Configuration (283); Figure 164 Configuration Restore Successful (284); Figure 165 Temporarily Disconnected (285); Figure 166 Configuration Restore Error (285); Figure 167 Restart Screen (285)
  • Page 25: Figure 206 Pop-up Blocker Settings (353); Figure 207 Internet Options: Security (354); Figure 208 Security Settings - Java Scripting (355); Figure 209 Security Settings - Java (355); Figure 210 Java (Sun) (356)
  • Page 27: List Of Tables

    Table 32 Wireless LAN: General (108); Table 33 Wireless No Security (109); Table 34 Wireless: Static WEP Encryption (110); Table 35 Wireless: WPA-PSK/WPA2-PSK (111); Table 36 Wireless: WPA/WPA2 (113); Table 37 Wireless LAN: Advanced (114); Table 38 OTIST (116)
  • Page 28: Table 78 Security > Certificates > Trusted Remote Hosts (203); Table 79 Security > Certificates > Trusted Remote Hosts > Import (204); Table 80 Security > Certificates > Trusted Remote Hosts > Details (205); Table 81 Security > Certificates > Directory Servers (207)
  • Page 29: Table 119 UPnP Logs (271); Table 120 Content Filtering Logs (271); Table 121 Attack Logs (272); Table 122 IPSec Logs (272); Table 123 IKE Logs (273); Table 124 PKI Logs (276)
  • Page 30: Table 152 Subnet 3 (337); Table 153 Subnet 4 (337); Table 154 Eight Subnets (338); Table 155 Class C Subnet Planning (338); Table 156 Class B Subnet Planning (338); Table 157 Firewall Commands (345)
  • Page 31: Introduction

    Introduction: Introducing the P-660HWP-D1 (33); Introducing the Web Configurator (41)
  • Page 33: Introducing The P-660Hwp-D1

    It also complies with the HomePlug AV standard, enabling networking using standard electrical wiring. In the P-660HWP-D1 product name, “H” denotes an integrated 4-port switch (hub) and “W” denotes an included wireless LAN card that provides wireless connectivity. “P” denotes power line connection capability.
  • Page 34: Figure 1 Protected Internet Access Applications

    Figure 1 Protected Internet Access Applications
    You can also use the P-660HWP-D1 to connect two geographically dispersed networks over the ADSL line. A typical LAN-to-LAN application example is shown as follows.
    Figure 2 LAN-to-LAN Application Example
    The P-660HWP-D1 is compatible with the ADSL/ADSL2/ADSL2+ standards.
  • Page 35: Ways To Manage The P-660Hwp-D1

    • TR-069. This is an auto-configuration server used to remotely configure your device.
    1.3 Good Habits for Managing the P-660HWP-D1
    Do the following things regularly to make the P-660HWP-D1 more secure and to manage the P-660HWP-D1 more effectively.
    • Change the password. Use a password that’s not easy to guess and that consists of different types of characters, such as numbers and letters.
  • Page 36: Figure 3 Front Panel

    POWERLINE Green The P-660HWP-D1 detects another power line Ethernet adapter. Blinking The P-660HWP-D1 is transmitting data. (When the device is managing the network, the LED does not blink.) The P-660HWP-D1 does not detect another power line Ethernet adapter.
  • Page 37: Hardware Connections

    Figure 4 Connecting a POTS Splitter
    1 Connect the side labeled “Phone” to your telephone.
    2 Connect the side labeled “Modem” or “DSL” to your P-660HWP-D1.
    3 Connect the side labeled “Line” to the telephone wall jack.
    1.5.2 Telephone Microfilters
    Telephone voice transmissions take place in the lower frequency range, 0 - 4KHz, while ADSL transmissions take place in the higher bandwidth range, above 4KHz.
  • Page 38: P-660Hwp-D1 With Isdn

    Figure 6 Connecting a Microfilter and Y-Connector
    1.5.3 P-660HWP-D1 With ISDN
    This section relates to people who use their P-660HWP-D1 with ADSL over ISDN (digital telephone service) only. The following is an example installation for the P-660HWP-D1 with ISDN.
  • Page 39: Figure 7 P-660Hwp-D1 With Isdn

    Figure 7 P-660HWP-D1 with ISDN
  • Page 41: Introducing The Web Configurator

    LAN port for initial configuration.
    1 Make sure your P-660HWP-D1 hardware is properly connected (refer to the Quick Start Guide).
    2 Prepare your computer/computer network to connect to the P-660HWP-D1 (refer to the Quick Start Guide).
  • Page 42: User Access

    Enter a new password between 1 and 30 characters, retype it to confirm and click Apply. Alternatively, click Ignore to proceed to the main menu if you do not want to change the password now.
  • Page 43: Figure 10 Change Password At Login

    Otherwise, select Go to Advanced setup and click Apply to display the Status screen.
    Figure 11 Select a Mode
    The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires (default five minutes). Simply log back into the P-660HWP-D1 if this happens.
  • Page 44: Resetting The P-660Hwp-D1

    If you forget your password or cannot access the web configurator, you will need to use the RESET button at the back of the P-660HWP-D1 to reload the factory-default configuration file. This means that you will lose all configurations that you had previously and the password will be reset to “1234”.
  • Page 45: Table 3 Web Configurator Screens Summary

    OTIST: Use this screen to enable OTIST.
    MAC Filter: Use the MAC filter screen to configure the P-660HWP-D1 to block access to devices or block the devices from accessing the P-660HWP-D1.
    Use this screen to configure Wi-Fi Multimedia Quality of Service (WMM QoS).
  • Page 46 Use this screen to exclude a range of users on the LAN from content filtering on your P-660HWP-D1. Certificates. My Certificates: Use this screen to show a list of the P-660HWP-D1’s certificates. Trusted CA’s: Use this screen to show a list of the P-660HWP-D1’s certificates issued by trusted certification authorities.
  • Page 47: Status Screen

    IP address(es) users can use FTP to access the P-660HWP-D1.
    SNMP: Use this screen to configure your P-660HWP-D1’s settings for Simple Network Management Protocol management.
    Use this screen to configure through which interface(s) and from which IP address(es) users can send DNS queries to the P-660HWP-D1.
  • Page 48: Figure 13 Status Screen

    This is the ZyNOS firmware version and the date created. ZyNOS is ZyXEL's proprietary Network Operating System design.
    DSL Firmware Version: This is the DSL firmware version associated with your P-660HWP-D1. This is sometimes needed by technicians to help troubleshoot problems.
    WAN Information
    DSL Mode: This is the standard that your P-660HWP-D1 is using.
  • Page 49 Network Operating System) and is thus available for running processes like NAT, VPN and the firewall. The bar displays what percent of the P-660HWP-D1's heap memory is in use. The bar turns from green to red when the maximum is being approached.
  • Page 50: Status: Any Ip Table

    Click the Any IP Table hyperlink in the Status screen. The Any IP table shows current read-only information (including the IP address and the MAC address) of all network devices that use the Any IP feature to communicate with the P-660HWP-D1.
    Figure 14 Status: Any IP Table
    The following table describes the labels in this screen.
  • Page 51: Status: Bandwidth Status

    Table 6 Status: WLAN Status (continued)
    Association Time: This field displays the time a wireless station first associated with the P-660HWP-D1.
    Refresh: Click Refresh to reload this screen.
    2.4.5 Status: Bandwidth Status
    Click the Bandwidth Status hyperlink in the Status screen.
  • Page 52: Status: Packet Statistics

    System Monitor
    System up Time: This is the elapsed time the system has been up.
    Current Date/Time: This field displays your P-660HWP-D1’s present date and time.
    CPU Usage: This field specifies the percentage of CPU utilization.
    Memory Usage: This field specifies the percentage of memory utilization.
  • Page 53: Changing Login Password

    Table 7 Status: Packet Statistics (continued)
    Upstream Speed: This is the upstream speed of your P-660HWP-D1.
    Downstream Speed: This is the downstream speed of your P-660HWP-D1.
    Node-Link: This field displays the remote node index number and link type. Link types are PPPoA, ENET, RFC 1483 and PPPoE.
  • Page 54: Figure 19 System General

    Figure 19 System General
  • Page 55: Wizards

    Wizards: Wizard Setup for Internet/Wireless Access (57); Bandwidth Management Wizard (69)
  • Page 57: Wizard Setup For Internet/Wireless Access

    1 Click the wizard icon in the top right corner of the web configurator to display the wizard main screen.
    2 Click INTERNET/WIRELESS SETUP to configure the system for Internet access.
    Figure 20 Wizard: Welcome
  • Page 58: Step 1: Configuring Internet Access

    Click Back to go back to the previous screen.
    Next: Click Next to continue to the next wizard screen. The next wizard screen you see depends on what protocol you chose above.
    Exit: Click Exit to close the wizard screen without saving your changes.
  • Page 59: Figure 22 Internet Connection With Pppoe

    Back: Click Back to go back to the previous wizard screen.
    Apply: Click Apply to save your changes to the P-660HWP-D1.
    Exit: Click Exit to close the wizard screen without saving your changes.
    Figure 23 Internet Connection with RFC 1483...
  • Page 60: Figure 24 Internet Connection With Enet Encap

    Enter the IP addresses of the DNS servers. The DNS servers are passed to the DHCP clients along with the IP address and the subnet mask.
    Second DNS Server: As above.
    Back: Click Back to go back to the previous wizard screen.
  • Page 61: Figure 25 Internet Connection With Pppoa

    Table 11 Internet Connection with ENET ENCAP (continued)
    Apply: Click Apply to save your changes to the P-660HWP-D1.
    Exit: Click Exit to close the wizard screen without saving your changes.
    Figure 25 Internet Connection with PPPoA
    The following table describes the fields in this screen.
  • Page 62: Figure 27 Connection Test Successful

    • If the wizard does not detect a connection type and the following screen appears (see Figure 28 on page 63), check your hardware connections and click Restart the INTERNET/WIRELESS SETUP Wizard to have the P-660HWP-D1 detect your connection again.
  • Page 63: Step 2: Configuring Wireless Access

    After you configure the Internet access information, use the following screens to set up your wireless LAN. This section is available on the wireless devices only.
    4 Use this screen to activate the wireless LAN and OTIST. Click Next to continue.
  • Page 64: Figure 29 Wireless Lan Setup Wizard 1

    OTIST.
    Setup Key: Type an OTIST Setup Key of up to eight English keyboard characters in length. Be sure to use the same OTIST Setup Key on the P-660HWP-D1 and wireless clients.
    Back: Click Back to display the previous screen.
  • Page 65: Figure 30 Wireless Lan Setup Wizard 2

    (SSID) Enter a descriptive name (up to 32 printable 7-bit English keyboard characters) for the wireless LAN. If you change this field on the P-660HWP-D1, make sure all wireless stations use the same SSID in order to access the network.
    Channel: The range of radio frequencies used by IEEE 802.11b/g wireless devices is called a...
  • Page 66: Manually Assign A Wpa-Psk Key

    The wireless stations and P-660HWP-D1 must use the same SSID, channel ID and WEP encryption key (if WEP is enabled) or WPA-PSK (if WPA-PSK is enabled) for wireless communication.
    6 This screen varies depending on the security mode you selected in the previous screen.
  • Page 67: Figure 32 Manually Assign A Wep Key

    The WEP keys are used to encrypt data. Both the P-660HWP-D1 and the wireless stations must use the same WEP key for data transmission. Enter any 5, 13 or 29 English keyboard characters or 10, 26 or 58 hexadecimal characters (“0-9”, “A-F”) for a 64-bit, 128-bit or 256-bit WEP key respectively.
  • Page 68: Figure 34 Internet Access And Wireless Wizard Setup Complete

    Refer to the rest of this guide for more detailed information on the complete range of P-660HWP-D1 features. If you cannot access the Internet, open the web configurator again to confirm that the Internet settings you configured in the wizard setup are correct.
  • Page 69: Bandwidth Management Wizard

    Bandwidth management allows you to control the amount of bandwidth going out through the P-660HWP-D1’s WAN port and prioritize the distribution of the bandwidth according to service bandwidth requirements. This helps keep one service from using all of the available bandwidth and shutting out other users.
  • Page 70: Figure 36 Bandwidth Management Wizard: General Information

    The following fields describe the label in this screen.
    Table 19 Bandwidth Management Wizard: General Information
    Active: Select the Active check box to have the P-660HWP-D1 apply bandwidth management to traffic going out through the P-660HWP-D1’s port(s).
    Back: Click Back to display the previous screen.
    Next: Click Next to proceed to the next screen.
  • Page 71: Network

    Network: WAN Setup (73); LAN Setup (91); Wireless LAN (103); Powerline (127); Network Address Translation (NAT) (135)
  • Page 73: Wan Setup

    5.1 WAN Overview
    A WAN (Wide Area Network) is an outside connection to another network or the Internet.
    5.1.1 Encapsulation
    Be sure to use the encapsulation method required by your ISP. The P-660HWP-D1 supports the following methods.
    5.1.1.1 ENET ENCAP
    The MAC Encapsulated Routing Link Protocol (ENET ENCAP) is only implemented with the IP network protocol.
  • Page 74: Multiplexing

    PPPoA stands for Point to Point Protocol over ATM Adaptation Layer 5 (AAL5). A PPPoA connection functions like a dial-up Internet connection. The P-660HWP-D1 encapsulates the PPP session based on RFC1483 and sends it through an ATM PVC (Permanent Virtual Circuit) to the Internet Service Provider’s (ISP) DSLAM (digital access multiplexer).
  • Page 75: Vpi And Vci

    The P-660HWP-D1 does two things when you specify a nailed-up connection. The first is that idle timeout is disabled. The second is that the P-660HWP-D1 will try to bring up the connection when turned on and whenever the connection is down. A nailed-up connection can be very expensive for obvious reasons.
  • Page 76: Nat

    "1" and "15"; a number greater than "15" means the link is down. The smaller the number, the lower the "cost". The metric sets the priority for the P-660HWP-D1’s routes to the Internet. If any two of the default routes have the same metric, the P-660HWP-D1 uses the following pre-defined priorities: •...
  • Page 77: Atm Traffic Classes

    PCR is specified) but is only available when data is being sent. An example of a VBR-RT connection would be video conferencing. Video conferencing requires real-time data transfers and the bandwidth requirement varies in proportion to the video image's changing dynamics.
  • Page 78: Zero Configuration Internet Access

    An example application is background file transfer. 5.4 Zero Configuration Internet Access Once you turn on and connect the P-660HWP-D1 to a telephone jack, it automatically detects the Internet connection settings (such as the VCI/VPI numbers and the encapsulation method) from the ISP and makes the necessary configuration changes.
  • Page 79: Figure 39 Internet Connection (Pppoe)

    Choices vary depending on the mode you select in the Mode field. If you select Bridge in the Mode field, select either PPPoA or RFC 1483. If you select Routing in the Mode field, select PPPoA, RFC 1483, ENET ENCAP or PPPoE.
  • Page 80 Nailed-Up Connection: Select Nailed-Up Connection when you want your connection up all the time. The P-660HWP-D1 will try to bring up the connection automatically if it is disconnected. Connect on Demand: Select Connect on Demand when you don't want the connection up all the time and specify an idle time-out in the Max Idle Timeout field.
  • Page 81: Configuring Advanced Internet Connection Setup

    5.5.1 Configuring Advanced Internet Connection Setup
    To edit your P-660HWP-D1's advanced WAN settings, click the Advanced Setup button in the Internet Connection screen. The screen appears as shown.
    Figure 40 Advanced Internet Connection Setup
    The following table describes the labels in this screen.
  • Page 82: Configuring More Connections

    LAN to use PPPoE client software on their computers to connect to the ISP via the P-660HWP-D1. Each host can have a separate account and a public WAN IP address.
  • Page 83: More Connections Edit

    Apply: Click Apply to save the changes.
    Cancel: Click Cancel to begin configuring this screen afresh.
    5.6.1 More Connections Edit
    Click the edit icon in the More Connections screen to configure a connection.
  • Page 84: Figure 42 More Connections Edit

    Select Routing from the drop-down list box if your ISP allows multiple computers to share an Internet account. If you select Bridge, the P-660HWP-D1 will forward any packet that it does not route to this remote node; otherwise, the packets are discarded.
  • Page 85 Nailed-Up Connection: Select Nailed-Up Connection when you want your connection up all the time. The P-660HWP-D1 will try to bring up the connection automatically if it is disconnected. Connect on Demand: Select Connect on Demand when you don't want the connection up all the time and specify an idle time-out in the Max Idle Timeout field.
  • Page 86: Configuring More Connections Advanced Setup

    5.6.2 Configuring More Connections Advanced Setup
    To edit your P-660HWP-D1's advanced WAN settings, click the Advanced Setup button in the More Connections Edit screen. The screen appears as shown.
    Figure 43 More Connections Advanced Setup
    The following table describes the labels in this screen.
  • Page 87: Traffic Redirect

    LAN to use PPPoE client software on their computers to connect to the ISP via the P-660HWP-D1. Each host can have a separate account and a public WAN IP address.
  • Page 88: Configuring Wan Backup

    Figure 45 Traffic Redirect LAN Setup
    5.8 Configuring WAN Backup
    To change your P-660HWP-D1’s WAN backup settings, click Network > WAN > WAN Backup Setup. The screen appears as shown.
    Figure 46 WAN Backup Setup
  • Page 89: Table 25 Wan Backup Setup

    Backup Type: Select the method that the P-660HWP-D1 uses to check the DSL connection. Select DSL Link to have the P-660HWP-D1 check if the connection to the DSLAM is up. Select ICMP to have the P-660HWP-D1 periodically ping the IP addresses configured in the Check WAN IP Address fields.
  • Page 91: Lan Setup

    6.1.1 LANs, WANs and the P-660HWP-D1 The actual physical connection determines whether the P-660HWP-D1 ports are LAN or WAN ports. There are two separate IP networks, one inside the LAN network and the other outside the WAN network as shown next.
  • Page 92: Dhcp Setup

    If the Primary and Secondary DNS Server fields in the DHCP Setup screen are not specified, for instance, left as 0.0.0.0, the P-660HWP-D1 tells the DHCP clients that it itself is the DNS server. When a computer sends a DNS query to the P-660HWP-D1, the P-660HWP-D1 forwards the query to the real DNS server learned through IPCP and relays the response back to the computer.
  • Page 93: Lan Tcp/Ip

    If your ISP gives you DNS server addresses, enter them in the DNS Server fields in the DHCP Setup screen.
    • The P-660HWP-D1 acts as a DNS proxy when the Primary and Secondary DNS Server fields are left as 0.0.0.0 in the DHCP Setup screen.
  • Page 94: Rip Setup

    • Both - the P-660HWP-D1 will broadcast its routing table periodically and incorporate the RIP information that it receives.
    • In Only - the P-660HWP-D1 will not send any RIP packets but will accept all RIP packets received.
    • Out Only - the P-660HWP-D1 will send out RIP packets but will not accept any RIP packets received.
  • Page 95: Any Ip

    660HWP-D1 to be in the same subnet to allow the computer to access the Internet (through the P-660HWP-D1). In cases where your computer is required to use a static IP address in another network, you may need to manually configure the network settings of the computer every time you want to access the Internet via the P-660HWP-D1.
  • Page 96: Configuring Lan Ip

    P-660HWP-D1.
    1 When a computer (which is in a different subnet) first attempts to access the Internet, it sends packets to its default gateway (which is not the P-660HWP-D1) by looking at the MAC address in its ARP table.
  • Page 97: Configuring Advanced Lan Setup

    Click this button to display the Advanced LAN Setup screen and edit more details of your LAN setup.
    6.3.1 Configuring Advanced LAN Setup
    To edit your P-660HWP-D1's advanced LAN settings, click the Advanced Setup button in the LAN IP screen. The screen appears as shown.
    Figure 50 Advanced LAN Setup
    The following table describes the labels in this screen.
  • Page 98: Dhcp Setup

    Cancel: Click Cancel to begin configuring this screen afresh.
    6.4 DHCP Setup
    Use this screen to configure the DNS server information that the P-660HWP-D1 sends to the DHCP client devices on the LAN.
    Figure 51 DHCP Setup
    The following table describes the labels in this screen.
  • Page 99: Lan Client List

    Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.
    To change your P-660HWP-D1’s static DHCP settings, click Network > LAN > Client List. The screen appears as shown.
  • Page 100: Lan Ip Alias

    IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The P-660HWP-D1 supports three logical LAN interfaces via its single physical Ethernet interface with the P-660HWP-D1 itself as the gateway for each LAN network.
  • Page 101: Figure 53 Physical Network & Partitioned Logical Networks

    The following figure shows a LAN divided into subnets A, B, and C.
    Figure 53 Physical Network & Partitioned Logical Networks
    To change your P-660HWP-D1’s IP alias settings, click Network > LAN > IP Alias. The screen appears as shown.
  • Page 102: Table 30 Lan Ip Alias

    RIP packets. Select the RIP direction from None/Both/In Only/Out Only. When set to Both or Out Only, the P-660HWP-D1 will broadcast its routing table periodically. When set to Both or In Only, it will incorporate the RIP information that it receives;...
  • Page 103: Wireless Lan

    The wireless network is the part in the blue circle. In this wireless network, devices A and B are called wireless clients. The wireless clients use the access point (AP) to interact with other devices (such as the printer) or with the Internet. Your P-660HWP-D1 is the AP. Every wireless network must follow these basic guidelines.
  • Page 104: Wireless Network Setup

    • Wireless standard: IEEE 802.11b, g, b/g or a
    • Security:
      ( ) None
      ( ) WEP (64bit, 128bit or 256bit key) (ASCII or Hex):________________
      ( ) IEEE 802.1x
      ( ) WPA-PSK (TKIP or AES):_______________
      ( ) WPA (TKIP or AES)
  • Page 105: Wireless Security Overview

    Some wireless devices, such as scanners, can detect wireless networks but cannot use wireless networks. These kinds of wireless devices might not have MAC addresses. Hexadecimal characters are 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, and F.
  • Page 106: User Authentication

    RADIUS server. Therefore, there is no user authentication. Suppose the wireless network has two wireless clients. Device A only supports WEP, and device B supports WEP and WPA. Therefore, you should set up Static WEP in the wireless network.
  • Page 107: One-Touch Intelligent Security Technology (Otist)

    With ZyXEL’s OTIST, you set up the SSID and WPA-PSK on the P-660HWP-D1. Then, the P-660HWP-D1 transfers them to the devices in the wireless networks. As a result, you do not have to set up the SSID and encryption on every device in the wireless network.
  • Page 108: No Security

    SSID. Enter a descriptive name (up to 32 printable 7-bit English keyboard characters) for the wireless LAN. Note: If you are configuring the P-660HWP-D1 from a computer connected to the wireless LAN and you change the P-660HWP-D1’s SSID or WEP settings, you will lose your wireless connection when you press Apply to confirm.
  • Page 109: Wep Encryption

    Both the wireless clients and the access points must use the same WEP key. Your P-660HWP-D1 allows you to configure up to four 64-bit, 128-bit or 256-bit WEP keys but only one key can be enabled at any one time.
  • Page 110: Wpa-Psk/Wpa2-Psk

    660HWP-D1 automatically generates a WEP key. WEP Key The WEP keys are used to encrypt data. Both the P-660HWP-D1 and the wireless clients must use the same WEP key for data transmission. If you want to manually set the WEP key, enter any 5, 13 or 29 characters (English keyboard string) or 10, 26 or 58 hexadecimal characters (“0-9”, “A-F”) for a 64-bit,...
  • Page 111: Figure 59 Wireless: Wpa-Psk/Wpa2-Psk

    This check box is available only when you select WPA2-PSK or WPA2 in the Security Mode field. Select the check box to have both WPA2 and WPA wireless clients be able to communicate with the P-660HWP-D1 even when the P-660HWP-D1 is using WPA2-PSK or WPA2. Pre-Shared Key The encryption mechanisms used for WPA/WPA2 and WPA-PSK/WPA2-PSK are the same.
  • Page 112: Wpa/Wpa2

    WLAN on a periodic basis. Setting of the Group Key Update Timer is also supported in WPA-PSK/WPA2-PSK mode. The default is 1800 seconds (30 minutes). Apply Click Apply to save your changes to the P-660HWP-D1. Cancel Click Cancel to reload the previous configuration for this screen. Advanced Setup Click Advanced Setup to display the Wireless Advanced Setup screen and edit more details of your WLAN setup.
  • Page 113: Table 36 Wireless: Wpa/Wpa2

    This check box is available only when you select WPA2-PSK or WPA2 in the Security Mode field. Select the check box to have both WPA2 and WPA wireless clients be able to communicate with the P-660HWP-D1 even when the P-660HWP-D1 is using WPA2-PSK or WPA2. ReAuthentication...
  • Page 114: Wireless Lan Advanced Setup

    256 and 2432. Output Power Set the output power of the P-660HWP-D1 in this field. This control changes the strength of the P-660HWP-D1's antenna gain or transmission power. Antenna gain is the increase in coverage. Higher antenna gain improves the range of the signal for better communications.
  • Page 115: Otist

    Enter 0 to disable this feature. Back Click Back to return to the previous screen. Apply Click Apply to save your changes to the P-660HWP-D1. Cancel Click Cancel to reload the previous configuration for this screen. 7.5 OTIST In a wireless network, the wireless clients must have the same SSID and security settings as the access point (AP) or wireless router (we will refer to both as “AP”...
  • Page 116: Figure 62 Otist

    Click Start to encrypt the wireless security data using the setup key and have the P-660HWP-D1 set the wireless client(s) to use the same wireless settings as the P-660HWP-D1. You must also activate and start OTIST on the wireless client(s) all within three minutes.
  • Page 117: Starting Otist

    After reviewing the settings, click OK. Figure 64 Security Key 2 This screen appears while OTIST settings are being transferred. It closes when the transfer is complete. Figure 65 OTIST in Progress (AP)
  • Page 118: Notes On Otist

    5 If you configure OTIST to generate a WPA-PSK key, this key changes each time you run OTIST. Therefore, if a new wireless client joins your wireless network, you need to run OTIST on the AP and ALL wireless clients again.
  • Page 119: Mac Filter

    7.6 MAC Filter The MAC filter screen allows you to configure the P-660HWP-D1 to give exclusive access to up to 32 devices (Allow) or exclude up to 32 devices from accessing the P-660HWP-D1 (Deny). Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.
  • Page 120: Wmm Qos

    Address Enter the MAC addresses of the wireless clients that are allowed or denied access to the P-660HWP-D1 in these address fields. Enter the MAC addresses in a valid MAC address format, that is, six hexadecimal character pairs, for example, 12:34:56:78:9a:bc.
  • Page 121: Services

    The second field indicates the IP port number that defines the service. (Note that there may be more than one IP protocol type. For example, look at the DNS service. (UDP/TCP:53) means UDP port 53 and TCP port 53.)
  • Page 122: Table 41 Commonly Used Services

    Point-to-Point Tunneling Protocol enables secure transfer of data over public networks. This is the control channel. PPTP_TUNNEL(GRE:0) Point-to-Point Tunneling Protocol enables secure transfer of data over public networks. This is the data channel. RCMD(TCP:512) Remote Command Service.
  • Page 123: Qos Screen

    WMM QoS checks the ToS in the header of transmitted data packets. It gives the application a priority according to this number. If the ToS is not specified, then transmitted data is treated as normal or best-effort traffic.
  • Page 124: Figure 70 Wireless Lan: Qos

    LABEL DESCRIPTION Enable WMM QoS Select the check box to enable WMM QoS on the P-660HWP-D1. WMM QoS Policy Select Default to have the P-660HWP-D1 automatically give a service a priority level according to the ToS value in the IP header of packets it sends.
  • Page 125: Application Priority Configuration

    This displays the port the selected service uses. Type a port number in the field provided if you want to use a different port to the default port. See Table 41 on page 122 for information on port numbers. Priority Select a priority from the drop-down list box.
  • Page 126 Table 43 Application Priority Configuration (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the P-660HWP-D1. Cancel Click Cancel to return to the previous screen without saving your changes.
  • Page 127: Powerline

    HomePlug AV powerline adapters in your network communicate with each other by sending and receiving information over your home’s electrical wiring. The P-660HWP-D1 plugs into an ordinary outlet to create a new network which can extend to any other electrical outlet in any room of a house.
  • Page 128: Privacy And Powerline Adapters

    The HomePlug AV standard uses 128-bit AES (Advanced Encryption Standard) to safely transmit data between powerline adapters. For the P-660HWP-D1 and powerline adapters to communicate with each other they all need to use the same Network Membership Key (NMK). Otherwise, they cannot unscramble the encrypted data sent in the powerline network.
  • Page 129: Setting Up Multiple Powerline Networks

    You now have two private networks on your powerline circuit. Information is not shared between the two networks as only powerline adapters with the same password can communicate with each other. The following figure shows two private powerline networks on the same electrical circuit.
  • Page 130: Configuring Local Settings

    Use the Local Setting screen to enter the network name for the network you wish to configure. You can also change the DAK Password for your P-660HWP-D1 from this screen. Click Network > Powerline to access the settings of your local station.
  • Page 131: Configuring Remote Settings

    You can find the DAK printed on a sticker on the bottom of a HomePlug enabled device. You do not have to enter the DAK Password of your P-660HWP-D1 to access the network, but it is recommended that you change the DAK Password for added security.
  • Page 132: Powerline Network Status

    8.5 Powerline Network Status Use this screen to check the status of your powerline network and for expert troubleshooting. Click on Network > Powerline > Status to access advanced information on the status of your powerline network.
  • Page 133: Figure 77 Network > Powerline > Status

    SNID SNID refers to Short Network Identifier. This number is a short form of the NID. Local Station Information This section gives information on the adapter (your P-660HWP-D1) you are using to access the powerline network. MAC Address This is the MAC address of the Local Station. You can find the MAC address of an adapter displayed on a sticker on the bottom of your device.
  • Page 134 Address This is the MAC address of an adapter on your powerline network. Bridged MAC Address Your P-660HWP-D1 may also connect to an Ethernet network such as a LAN or the Internet. Your powerline network will then be able to connect to an Ethernet network through your P-660HWP-D1.
  • Page 135: Network Address Translation (Nat)

    IP address known within another network. 9.1.1 NAT Definitions Inside/outside denotes where a host is located relative to the P-660HWP-D1, for example, the computers of your subscribers are the inside hosts, while the web servers on the Internet are the outside hosts.
  • Page 136: What Nat Does

    Many-to-One and Many-to-Many Overload NAT mapping) in each packet and then forwards it to the Internet. The P-660HWP-D1 keeps track of the original addresses and port numbers so incoming reply packets can have their original values restored. The following figure illustrates this.
  • Page 137: Nat Mapping Types

    9.1.5 NAT Mapping Types NAT supports five types of IP/port mapping. They are: • One to One: In One-to-One mode, the P-660HWP-D1 maps one local IP address to one global IP address. • Many to One: In Many-to-One mode, the P-660HWP-D1 maps multiple local IP addresses to one global IP address.
  • Page 138: Sua (Single User Account) Versus Nat

    Table 48 on page 138. • Choose SUA Only if you have just one public WAN IP address for your P-660HWP-D1. • Choose Full Feature if you have multiple public WAN IP addresses for your P-660HWP- 9.3 SIP ALG Some applications, such as SIP, cannot operate through NAT (are NAT un-friendly) because they embed IP addresses and port numbers in their packets’...
  • Page 139: Nat General Setup

    9.4 NAT General Setup You must create a firewall rule in addition to setting up SUA/NAT, to allow traffic from the WAN to be forwarded through the P-660HWP-D1. Click Network > NAT to open the following screen. Figure 80 NAT General The following table describes the labels in this screen.
  • Page 140: Port Forwarding

    If you do not assign a Default Server IP address, the P-660HWP-D1 discards all packets received for ports that are not specified here or in the remote management setup.
  • Page 141: Configuring Servers Behind Port Forwarding (Example)

    The Port Forwarding screen is available only when you select SUA Only in the NAT > General screen. If you do not assign a Default Server IP address, the P-660HWP-D1 discards all packets received for ports that are not specified here or in the remote management setup.
  • Page 142: Port Forwarding Rule Edit

    If you do not assign a Default Server IP address, the P-660HWP-D1 discards all packets received for ports that are not specified here or in the remote management setup.
  • Page 143: Address Mapping

    The Address Mapping screen is available only when you select Full Feature in the NAT > General screen. Ordering your rules is important because the P-660HWP-D1 applies the rules in the order that you specify. When a rule matches the current packet, the P-660HWP-D1 takes the corresponding action and the remaining rules are ignored.
  • Page 144: Figure 84 Address Mapping Rules

    4, rules 5 to 7 will be pushed up by 1 rule, so old rules 5, 6 and 7 become new rules 4, 5 and 6. To change your P-660HWP-D1’s address mapping settings, click Network > NAT > Address Mapping to open the following screen.
  • Page 145: Address Mapping Rule Edit

    Edit Details Click this link to go to the Port Forwarding screen to edit a server mapping set that you have selected in the Server Mapping Set field. Back Click Back to return to the previous screen.
  • Page 146 Table 54 Edit Address Mapping Rule (continued) LABEL DESCRIPTION Apply Click Apply to save your changes to the P-660HWP-D1. Cancel Click Cancel to begin configuring this screen afresh.
  • Page 147: Security

    Security Firewalls (149) Firewall Configuration (161) Content Filtering (183) Certificates (187)
  • Page 149: Firewalls

    There are three main types of firewalls: • Packet Filtering Firewalls • Application-level Firewalls • Stateful Inspection Firewalls 10.2.1 Packet Filtering Firewalls Packet filtering firewalls restrict access based on the source/destination computer network address of a packet and the type of application.
  • Page 150: Application-Level Firewalls

    The P-660HWP-D1 also has packet filtering capabilities. The P-660HWP-D1 is installed between the LAN and the Internet. This allows it to act as a secure gateway for all data passing between the Internet and the LAN.
  • Page 151: Denial Of Service Attacks

    Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the Internet. Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources. The P-660HWP-D1 is pre-configured to automatically detect and thwart all known DoS attacks.
  • Page 152: Types Of Dos Attacks

    ACK comes back or when an internal timer (which is set at relatively long intervals) terminates the three-way handshake. Once the queue is full, the system will ignore all incoming SYN requests, making the system unavailable for legitimate users.
  • Page 153: Figure 88 Syn Flood

    "intermediary" network, but will also congest the network of the spoofed source IP address, known as the "victim" network. This flood of broadcast traffic consumes all available bandwidth, making communications impossible. Figure 89 Smurf Attack
  • Page 154: Stateful Inspection

    To engage in IP spoofing, a hacker must modify the packet headers so that it appears that the packets originate from a trusted host and should be allowed through the router or firewall. The P-660HWP-D1 blocks all IP Spoofing attempts. 10.5 Stateful Inspection With stateful inspection, fields of the packets are compared to packets that are already known to be trusted.
  • Page 155: Stateful Inspection Process

    are allowed in. The P-660HWP-D1 uses stateful packet inspection to protect the private LAN from hackers and vandals on the Internet. By default, the P-660HWP-D1’s stateful inspection allows all communications to the Internet that originate from the LAN, and blocks all traffic to the LAN that originates from the Internet.
  • Page 156: Stateful Inspection And The P-660Hwp-D1

    Below is a brief technical description of how these connections are tracked. Connections may either be defined by the upper protocols (for instance, TCP), or by the P-660HWP-D1 itself (as with the “virtual connections” created for UDP and ICMP).
  • Page 157: Udp/Icmp Security

    IP and UDP information will be allowed back in through the firewall. A similar situation exists for ICMP, except that the P-660HWP-D1 is even more restrictive. Specifically, only outgoing echoes will allow incoming echo replies, outgoing address mask requests will allow incoming address mask replies, and outgoing timestamp requests will allow incoming timestamp replies.
  • Page 158: Guidelines For Enhancing Security With Your Firewall

    • If you use “chat rooms” or IRC sessions, be careful with any information you reveal to strangers. • If your system starts exhibiting odd behavior, contact your ISP. Some hackers will set off hacks that cause your system to slowly become unstable or unusable.
  • Page 159: Packet Filtering Vs Firewall

    10.7 Packet Filtering Vs Firewall Below are some comparisons between the P-660HWP-D1’s filtering and firewall functions. 10.7.1 Packet Filtering: • The router filters packets as they pass through the router’s interface according to the filter rules you designed.
  • Page 160 • Use the firewall if you need routine e-mail reports about your system or need to be alerted when attacks occur. • The firewall can block specific URL traffic that might occur in the future. The URL can be saved in an Access Control List (ACL) database.
  • Page 161: Firewall Configuration

    • WAN to LAN • WAN to WAN/ Router This prevents computers on the WAN from using the P-660HWP-D1 as a gateway to communicate with other computers on the WAN and/or managing the P-660HWP-D1. You may define additional rules and sets or modify existing ones but please exercise extreme caution in doing so.
  • Page 162: Rule Logic Overview

    These custom rules work by comparing the Source IP address, Destination IP address and IP protocol type of network traffic to rules set by the administrator. Your customized rules take precedence and override the P-660HWP-D1’s default rules. 11.3 Rule Logic Overview Study these points carefully before configuring rules.
  • Page 163: Key Fields For Configuring Rules

    LAN to LAN/ Router and WAN to WAN/ Router rules apply to packets coming in on the associated interface (LAN or WAN respectively). LAN to LAN/ Router means policies for LAN-to-P-660HWP-D1 (the policies for managing the P-660HWP-D1 through the LAN interface) and policies for LAN-to-LAN (the policies that control routing between two subnets on the LAN).
  • Page 164: Lan To Wan Rules

    Click Security > Firewall to display the following screen. Activate the firewall by selecting the Active Firewall check box as seen in the following screen. Refer to Section 10.1 on page 149 for more information. Figure 91 Firewall: General
  • Page 165: Firewall Rules Summary

    Denial of Service (DoS) attacks when the firewall is activated. Bypass Triangle Route Select this check box to have the P-660HWP-D1 firewall permit the use of triangle route topology on the network. See the appendix for more on triangle route topology.
  • Page 166: Figure 92 Firewall Rules

    Table 60 Firewall Rules LABEL DESCRIPTION Firewall Rules Storage Space in Use This read-only bar shows how much of the P-660HWP-D1's memory for recording firewall rules it is currently using. When you are using 80% or less of the storage space, the bar is green.
  • Page 167: Configuring Firewall Rules

    The ordering of your rules is important as they are applied in order of their numbering. Apply Click Apply to save your changes to the P-660HWP-D1. Cancel Click Cancel to begin configuring this screen afresh. 11.6.1 Configuring Firewall Rules Refer to Section 10.1 on page 149...
  • Page 168: Figure 93 Firewall: Edit Rule

    Figure 93 Firewall: Edit Rule
  • Page 169: Table 61 Firewall: Edit Rule

    Log Settings page and select the Access Control logs category to have the P-660HWP-D1 record these logs. Alert Send Alert Message to Administrator When Matched Select the check box to have the P-660HWP-D1 generate an alert when the rule is matched.
  • Page 170: Customized Services

    Click Cancel to exit this screen without saving. 11.6.2 Customized Services Configure customized services and port numbers not predefined by the P-660HWP-D1. For a comprehensive list of port numbers and services, visit the IANA (Internet Assigned Number Authority) website. For further information on these services, please read Section 11.8 on page...
  • Page 171: Example Firewall Rule

    Click Delete to delete the current rule and return to the previous screen. 11.7 Example Firewall Rule The following Internet firewall rule example allows a hypothetical “MyService” connection from the Internet. 1 Click Security > Firewall > Rules. 2 Select WAN to LAN in the Packet Direction field.
  • Page 172: Figure 96 Firewall Example: Rules

    6 Click an index number to display the Customized Services Config screen and configure the screen as follows and click Apply. Figure 97 Edit Custom Port Example 7 Select Any in the Destination Address box and then click Delete. 8 Configure the destination address screen as follows and click Add.
  • Page 173: Figure 98 Firewall Example: Edit Rule: Destination Address

    9 Use the Add >> and Remove buttons between Available Services and Selected Services list boxes to configure it as follows. Click Apply when you are done. Custom services show up with an “*” before their names in the Services list box and the Rules list box.
  • Page 174: Figure 99 Firewall Example: Edit Rule: Select Customized Services

    Figure 99 Firewall Example: Edit Rule: Select Customized Services On completing the configuration procedure for this Internet firewall rule, the Rules screen should look like the following. Rule 1 allows a “MyService” connection from the WAN to IP addresses 10.0.0.10 through 10.0.0.15 on the LAN.
  • Page 175: Predefined Services

    Section 11.6.1 on page 167) displays all predefined services that the P-660HWP-D1 already supports. Next to the name of the service, two fields appear in brackets. The first field indicates the IP protocol type (TCP, UDP, or ICMP). The second field indicates the IP port number that defines the service. (Note that there may be more than one IP protocol type.
  • Page 176 UNIX systems and network servers. SSDP(UDP:1900) Simple Service Discovery Protocol (SSDP) is a discovery service searching for Universal Plug and Play devices on your home network or upstream Internet gateways using UDP port 1900.
  • Page 177: Anti-Probing

    Another videoconferencing solution. 11.9 Anti-Probing If an outside user attempts to probe an unsupported port on your P-660HWP-D1, an ICMP response packet is automatically returned. This allows the outside user to know the P-660HWP-D1 exists. The P-660HWP-D1 supports anti-probing, which prevents the ICMP response packet from being sent.
  • Page 178: Dos Thresholds

    to Requests for Unauthorized Services Select this option to prevent hackers from finding the P-660HWP-D1 by probing for unused ports. If you select this option, the P-660HWP-D1 will not respond to port request(s) for unused ports, thus leaving the unused ports and the P-...
  • Page 179: Half-Open Sessions

    (TCP Maximum Incomplete), the P-660HWP-D1 starts deleting half-open sessions according to one of the following methods: • If the Blocking Time timeout is 0 (the default), then the P-660HWP-D1 deletes the oldest existing half-open session for the host for every new connection request to the host. This ensures that the number of half-open sessions to a given host will never exceed the threshold.
  • Page 180: Figure 102 Firewall: Threshold

    This is the rate of new half-open sessions 80 existing half-open sessions. that causes the firewall to stop deleting half-open sessions. The P-660HWP-D1 continues to delete half-open sessions as necessary, until the rate of new connection attempts drops below this number.
  • Page 181 TCP Maximum Incomplete is reached. Enter the length of blocking time in minutes (between 1 and 256). Apply Click Apply to save your changes to the P-660HWP-D1. Cancel Click Cancel to begin configuring this screen afresh.
  • Page 183: Content Filtering

    Content filtering gives you the ability to block web sites that contain key words (that you specify) in the URL. You can set a schedule for when the P-660HWP-D1 performs content filtering. You can also specify trusted IP addresses on the LAN for which the P-660HWP-D1 will not perform content filtering.
  • Page 184: Configuring The Schedule

    Click Cancel to return to the previously saved settings. 12.3 Configuring the Schedule To set the days and times for the P-660HWP-D1 to perform content filtering, click Security > Content Filter > Schedule. The screen appears as shown. Figure 104 Content Filter: Schedule...
  • Page 185: Configuring Trusted Computers

    Click Cancel to return to the previously saved settings. 12.4 Configuring Trusted Computers To exclude a range of users on the LAN from content filtering on your P-660HWP-D1, click Security > Content Filter > Trusted. The screen appears as shown.
  • Page 187: Certificates

    A certification path is the hierarchy of certification authority certificates that validate a certificate. The P-660HWP-D1 does not trust a certificate if any certificate on its path has expired or been revoked.
  • Page 188: Advantages Of Certificates

    13.2 Self-signed Certificates You can have the P-660HWP-D1 act as a certification authority and sign its own certificates. 13.3 Verifying a Certificate Before you import a trusted CA or trusted remote host certificate into the P-660HWP-D1, you should verify that you have the actual certificate.
  • Page 189: Configuration Summary

    Use the My Certificate screens to generate and export self-signed certificates or certification requests and import the P-660HWP-D1’s CA-signed certificates. Use the Trusted CA screens to save the certificates of trusted CAs to the P-660HWP-D1. You can also export the certificates to a computer.
  • Page 190: My Certificates

    LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the P-660HWP-D1’s PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates.
  • Page 191: My Certificates > Details

    190). Click the edit icon to open the My Certificate Details screen. You can use this screen to view in-depth certificate information and change the certificate’s name. If it is a self-signed certificate, you can also set the P-660HWP-D1 to use the certificate to sign the imported trusted remote host certificates.
  • Page 192: Table 71 Security > Certificates > My Certificates > Edit

    If the certificate is a self-signed certificate, the certificate itself is the only one in the list. The P-660HWP-D1 does not trust the certificate and displays “Not trusted” in this field if any certificate on the path has expired or been revoked.
  • Page 193 Key Algorithm This field displays the type of algorithm that was used to generate the certificate’s key pair (the P-660HWP-D1 uses RSA encryption) and the length of the key set in bits (1024 bits for example). Subject Alternative This field displays the certificate owner’s IP address (IP), domain name (DNS)
  • Page 194: My Certificates > Create

    13.7 My Certificates > Create Click Security > Certificates > My Certificates > Create to open the My Certificate Create screen. Use this screen to have the P-660HWP-D1 create a self-signed certificate, enroll a certificate with a certification authority or generate a certification request.
  • Page 195: Table 73 Security > Certificates > My Certificates > Create

    request and save it locally for later manual enrollment Select Create a certification request and save it locally for later manual enrollment to have the P-660HWP-D1 generate and store a request for a certificate. Use the My Certificate Details screen to view the certification request and copy it to send to the certification authority.
  • Page 196: My Certificates > Import

    Return button that takes you back to the My Certificates screen. If you configured the My Certificate Create screen to have the P-660HWP-D1 enroll a certificate and the certificate enrollment is not successful, you see a screen with a Return button that takes you back to the My Certificate Create screen.
  • Page 197: Certificate File Formats

    • You can only import a certificate that matches a corresponding certification request that was generated by the P-660HWP-D1 (the certification request contains the private key). The certificate you import replaces the corresponding request in the My Certificates screen.
  • Page 198: Trusted Cas

    P-660HWP-D1 to accept as trusted. The P-660HWP-D1 accepts any valid certificate signed by a certification authority on this list as being trustworthy; thus you do not need to import any certificate that is signed by one of these certification authorities.
  • Page 199: Trusted Ca Details

    Trusted CA Details screen. Use this screen to view in-depth information about the certification authority’s certificate, change the certificate’s name and set whether or not you want the P-660HWP-D1 to check a certification authority’s list of revoked certificates before trusting a certificate issued by the certification authority.
  • Page 200: Table 76 Security > Certificates > Trusted Cas > Details

    Certificate Revocation List certificates issued (CRL). by this CA against a Clear this check box to have the P-660HWP-D1 not check incoming certificates that are issued by this certification authority against a Certificate Revocation List (CRL). Certification Path Click the Refresh button to have this read-only text box display the end entity’s...
  • Page 201: Trusted Ca > Import

    Click Export to send a file containing your certificate details. Apply Click Apply to save your changes back to the P-660HWP-D1. You can only change the name and/or set whether or not you want the P-660HWP-D1 to check the CRL that the certification authority issues before trusting a certificate issued by the certification authority.
  • Page 202: Trusted Remote Hosts

    Trusted CAs screen. You do not need to add any certificate that is signed by one of the certification authorities on the Trusted CAs screen since the P-660HWP-D1 automatically accepts any valid certificate signed by a trusted certification authority as being trustworthy.
  • Page 203: Trusted Remote Hosts > Import

    LABEL DESCRIPTION PKI Storage Space in Use This bar displays the percentage of the P-660HWP-D1’s PKI storage space that is currently in use. When the storage space is almost full, you should consider deleting expired or unnecessary certificates before adding more certificates.
  • Page 204: Trusted Remote Host Certificate Details

    Click Browse to find the certificate file you want to upload. Back Click Back to go to the previous screen. Apply Click Apply to save the certificate on the P-660HWP-D1. Cancel Click Cancel to quit and return to the Trusted Remote Hosts screen. 13.14 Trusted Remote Host Certificate Details Click Security >...
  • Page 205: Figure 117 Security > Certificates > Trusted Remote Hosts > Details

    For a trusted host, the list consists of the end entity’s own certificate and the default self-signed certificate that the P-660HWP-D1 uses to sign remote host certificates. Refresh Click Refresh to display the certification path.
  • Page 206 P-660HWP-D1 that the P-660HWP-D1 uses to sign the trusted remote host certificates. Signature Algorithm This field displays the type of algorithm that the P-660HWP-D1 used to sign the certificate, which is rsa-pkcs1-sha1 (RSA public-private key encryption algorithm and the SHA1 hash algorithm).
  • Page 207: Directory Servers

    This screen displays a summary list of directory servers (that contain lists of valid and revoked certificates) that have been saved into the P-660HWP-D1. If you decide to have the P-660HWP-D1 check incoming certificates against the issuing certification authority’s list of revoked certificates, the P-660HWP-D1 first checks the server(s) listed in the CRL Distribution Points field of the incoming certificate.
  • Page 208: Figure 119 Security > Certificates > Directory Server > Add

    389 is the default server port number for LDAP. Login Setting Login: The P-660HWP-D1 may need to authenticate itself in order to access the directory server. Type the login name (up to 31 ASCII characters) from the entity maintaining the directory server (usually a certification authority).
  • Page 209: Advanced

    Advanced Static Route (211) Bandwidth Management (215) Dynamic DNS Setup (227) Remote Management Configuration (231) Universal Plug-and-Play (UPnP) (243)
  • Page 211: Static Route

    D1 knows about network N2 in the following figure through remote node Router 1. However, the P-660HWP-D1 is unable to route a packet to network N3 because it doesn't know that there is a route through the same remote node Router 1 (via gateway Router 2). The static routes are for you to tell the P-660HWP-D1 about the networks beyond the remote nodes.
  • Page 212: Static Route Edit

    Click the Edit icon to go to the screen where you can set up a static route on the P-660HWP-D1. Click the Delete icon to remove a static route from the P-660HWP-D1. A window displays asking you to confirm that you want to delete the route.
  • Page 213: Figure 122 Static Route Edit

    LAN or WAN port. The gateway helps forward packets to their destinations. Back: Click Back to return to the previous screen without saving. Apply: Click Apply to save your changes to the P-660HWP-D1. Cancel: Click Cancel to begin configuring this screen afresh.
  • Page 215: Bandwidth Management

    (bandwidth budgets) to different bandwidth rules. The P-660HWP-D1 applies bandwidth management to traffic that it forwards out through an interface. The P-660HWP-D1 does not control the bandwidth of traffic that comes into an interface. Bandwidth management applies to all traffic flowing out of the router, regardless of the traffic's source.
  • Page 216: Application And Subnet-Based Bandwidth Management

    660HWP-D1 has two types of scheduler: fairness-based and priority-based. 15.5.1 Priority-based Scheduler With the priority-based scheduler, the P-660HWP-D1 forwards traffic from bandwidth classes according to the priorities that you assign to the bandwidth classes. The larger a bandwidth class’s priority number is, the higher the priority. Assign real-time applications (like those using audio or video) a higher priority number to provide smoother operation.
  • Page 217: Fairness-Based Scheduler

    When you enable maximize bandwidth usage, the P-660HWP-D1 first makes sure that each bandwidth class gets up to its bandwidth allotment. Next, the P-660HWP-D1 divides up an interface’s available bandwidth (bandwidth that is unbudgeted or unused by the classes) depending on how many bandwidth classes require more bandwidth and on their priority levels.
  • Page 218: Maximize Bandwidth Usage Example

    15.6.2 Maximize Bandwidth Usage Example Here is an example of a P-660HWP-D1 that has maximize bandwidth usage enabled on an interface. The following table shows each bandwidth class’s bandwidth budget. The classes are set up based on subnets. The interface is set to 10240 kbps. Each subnet is allocated 2048 kbps.
  • Page 219: Bandwidth Management Priorities

    • Each class gets up to its budgeted bandwidth. The administration class only uses 1024 kbps of its budgeted 2048 kbps. • The P-660HWP-D1 divides the total 3072 kbps of unbudgeted and unused bandwidth equally among the other classes. 1024 kbps extra goes to each so the other classes each get a total of 3072 kbps.
  • Page 220: Configuring Summary

    You can also set this number lower than the interface’s actual transmission speed. If you do not enable Max Bandwidth Usage, this will cause the P-660HWP-D1 to not use some of the interface’s available bandwidth.
  • Page 221: Bandwidth Management Rule Setup

    Select Priority-Based to give preference to bandwidth classes with higher priorities. Select Fairness-Based to treat all bandwidth classes equally. Max Bandwidth Usage: Select this check box to have the P-660HWP-D1 divide up all of the interface’s unallocated and/or unused bandwidth among the bandwidth classes that require bandwidth.
  • Page 222: Diffserv

    Click the Edit icon to go to the screen where you can edit the rule. Click the Remove icon to delete an existing rule. Apply Click Apply to save your changes to the P-660HWP-D1. Cancel Click Cancel to begin configuring this screen afresh.
  • Page 223: Rule Configuration

    Click the Edit icon or select User Defined from the Service drop-down list in the Rule Setup screen to configure a bandwidth management rule. Use bandwidth rules to allocate specific amounts of bandwidth capacity (bandwidth budgets) to specific applications and/or subnets. Figure 127 Bandwidth Management Rule Configuration
  • Page 224: Table 94 Bandwidth Management Rule Configuration

    LABEL DESCRIPTION Rule Configuration Active Select this check box to have the P-660HWP-D1 apply this bandwidth management rule. Enable a bandwidth management rule to give traffic that matches the rule priority over traffic that does not match the rule. Enabling a bandwidth management rule also allows you to control the maximum amounts of bandwidth that can be used by traffic that matches the rule.
  • Page 225: Table 95 Services And Port Numbers

    Enter the TOS Mask value between 0 (lowest priority) and 255. Back Click Back to go to the previous screen. Apply Click Apply to save your changes to the P-660HWP-D1. Cancel Click Cancel to begin configuring this screen afresh. Table 95 Services and Port Numbers...
  • Page 226: Bandwidth Monitor

    15.11 Bandwidth Monitor To view the P-660HWP-D1’s bandwidth usage and allotments, click Advanced > Bandwidth MGMT > Monitor. The screen appears as shown. Select an interface from the drop-down list box to view the bandwidth usage of its bandwidth rules. The gray section of the bar represents the percentage of unused bandwidth and the blue color represents the percentage of bandwidth in use.
  • Page 227: Dynamic Dns Setup

    Dynamic DNS Setup This chapter discusses how to configure your P-660HWP-D1 to use Dynamic DNS. 16.1 Dynamic DNS Overview Dynamic DNS allows you to update your current dynamic IP address with one or many dynamic DNS services so that anyone can contact you (in NetMeeting, CU-SeeMe, etc.).
  • Page 228: Figure 129 Dynamic Dns

    Dynamic DNS Type: Select the type of service that you are registered for from your Dynamic DNS service provider. Host Name: Type the domain name assigned to your P-660HWP-D1 by your Dynamic DNS provider. You can specify up to two host names in the field separated by a comma (","). User Name: Type your user name.
  • Page 229 Address: Type the IP address of the host name(s). Use this if you have a static IP address. Apply: Click Apply to save your changes to the P-660HWP-D1. Cancel: Click Cancel to begin configuring this screen afresh.
  • Page 231: Remote Management Configuration

    To disable remote management of a service, select Disable in the corresponding Access Status field. You may only have one remote management session running at a time. The P-660HWP-D1 automatically disconnects a remote management session of lower priority when another remote management session of higher priority starts.
  • Page 232: Remote Management Limitations

    There is a default system management idle timeout of five minutes (three hundred seconds). The P-660HWP-D1 automatically logs you out if the management session remains idle for longer than this timeout period. The management session does not time out when a statistics screen is polling.
  • Page 233: Telnet

    17.3 Telnet You can configure your P-660HWP-D1 for remote Telnet access as shown next. The administrator uses Telnet from a computer on a remote network to access the P-660HWP-D1. Figure 131 Telnet Configuration on a TCP/IP Network
  • Page 234: Configuring Telnet

    A secured client is a “trusted” computer that is allowed to communicate with the P-660HWP-D1 using this service. Select All to allow any computer to access the P-660HWP-D1 using this service. Choose Selected to just allow the computer with the IP address that you specify to access the P-660HWP-D1 using this service.
  • Page 235: Snmp

    Secured Client IP: A secured client is a “trusted” computer that is allowed to communicate with the P-660HWP-D1 using this service. Select All to allow any computer to access the P-660HWP-D1 using this service. Choose Selected to just allow the computer with the IP address that you specify to access the P-660HWP-D1 using this service.
  • Page 236: Supported Mibs

    • Trap - Used by the agent to inform the manager of some events. 17.6.1 Supported MIBs The P-660HWP-D1 supports MIB II that is defined in RFC-1213 and RFC-1215. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance.
  • Page 237: Snmp Traps

    17.6.2 SNMP Traps The P-660HWP-D1 will send traps to the SNMP manager when any one of the following events occurs: Table 101 SNMP Traps TRAP # TRAP NAME DESCRIPTION coldStart (defined in RFC-1215) A trap is sent after booting (power on).
  • Page 238: Configuring Dns

    To change your P-660HWP-D1’s DNS settings, click Advanced > Remote MGMT > DNS. The screen appears as shown. Use this screen to set from which IP address the P-660HWP-D1 will accept DNS queries and on which interface it can send them.
  • Page 239: Configuring Icmp

    To change your P-660HWP-D1’s security settings, click Advanced > Remote MGMT > ICMP. The screen appears as shown. If an outside user attempts to probe an unsupported port on your P-660HWP-D1, an ICMP response packet is automatically returned. This allows the outside user to know the P-660HWP-D1 exists.
  • Page 240: 240

    requests for unauthorized services: Select this option to prevent hackers from finding the P-660HWP-D1 by probing for unused ports. If you select this option, the P-660HWP-D1 will not respond to port request(s) for unused ports, thus leaving the unused ports and the P-660HWP-D1 unseen.
  • Page 241: Figure 138 Enabling Tr-069

    Follow the procedure below to configure your P-660HWP-D1 to be managed by CNM Access. See the Command Interpreter appendix for information on the command structure and how to access the CLI (Command Line Interface) on the P-660HWP-D1.
  • Page 243: Universal Plug-And-Play (Upnp)

    The automated nature of NAT traversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments.
  • Page 244: Upnp And Zyxel

    When a UPnP device joins a network, it announces its presence with a multicast message. For security reasons, the P-660HWP-D1 allows multicast messages only on the LAN. All UPnP-enabled devices may communicate freely with each other without additional configuration.
  • Page 245: Installing Upnp In Windows Example

    Clear this check box to have the firewall block all UPnP application packets (for example, MSN packets). Apply Click Apply to save the setting to the P-660HWP-D1. Cancel Click Cancel to return to the previously saved settings. 18.3 Installing UPnP in Windows Example This section shows how to install UPnP in Windows Me and Windows XP.
  • Page 246: Installing Upnp In Windows Xp

    3 In the Network Connections window, click Advanced in the main menu and select Optional Networking Components …. Figure 142 Network Connections 4 The Windows Optional Networking Components Wizard window displays. Select Networking Service in the Components selection box and click Details.
  • Page 247: Using Upnp In Windows Xp Example

    Next. 18.4 Using UPnP in Windows XP Example This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the P-660HWP-D1.
  • Page 248: Auto-Discover Your Upnp-Enabled Network Device

    Make sure the computer is connected to a LAN port of the P-660HWP-D1. Turn on your computer and the P-660HWP-D1. 18.4.1 Auto-discover Your UPnP-enabled Network Device 1 Click start and Control Panel. Double-click Network Connections. An icon displays under Internet Gateway.
  • Page 249: Figure 146 Internet Connection Properties

    Figure 146 Internet Connection Properties 4 You may edit or delete the port mappings or click Add to manually add port mappings. Figure 147 Internet Connection Properties: Advanced Settings
  • Page 250: Figure 148 Internet Connection Properties: Advanced Settings: Add

    5 Select Show icon in notification area when connected option and click OK. An icon displays in the system tray. Figure 149 System Tray Icon 6 Double-click on the icon to display your current Internet connection status.
  • Page 251: Web Configurator Easy Access

    18.4.2 Web Configurator Easy Access With UPnP, you can access the web-based configurator on the P-660HWP-D1 without finding out the IP address of the P-660HWP-D1 first. This is helpful if you do not know the IP address of the P-660HWP-D1.
  • Page 252: Figure 151 Network Connections

    Figure 151 Network Connections 4 An icon with the description for each UPnP-enabled device displays under Local Network. 5 Right-click on the icon for your P-660HWP-D1 and select Invoke. The web configurator login screen displays.
  • Page 253: Figure 152 Network Connections: My Network Places

    Figure 152 Network Connections: My Network Places 6 Right-click on the icon for your P-660HWP-D1 and select Properties. A properties window displays with basic information about the P-660HWP-D1. Figure 153 Network Connections: My Network Places: Properties: Example...
  • Page 255: Maintenance And Troubleshooting

    Maintenance and Troubleshooting System (257) Logs (263) Tools (281) Diagnostic (287) Troubleshooting (289)
  • Page 257: System

    The Domain Name entry is what is propagated to the DHCP clients on the LAN. If you leave this blank, the domain name obtained by DHCP from the ISP is used. While you must enter the host name (System Name), the domain name can be assigned from the P-660HWP-D1 via DHCP.
  • Page 258: Figure 154 System General Setup

    (not recommended). Password User Password If you log in with the user password, you can only view the P-660HWP-D1 status. The default user password is user. New Password Type your new system password (up to 30 characters). Note that as you type a password, the screen displays a (*) for each character you type.
  • Page 259: Time Setting

    19.2 Time Setting To change your P-660HWP-D1’s time and date, click Maintenance > System > Time Setting. The screen appears as shown. Use this screen to configure the P-660HWP-D1’s time based on your local time zone. Figure 155 System Time Setting...
  • Page 260: Table 108 System Time Setting

    When you set Time and Date Setup to Manual, enter the new date in this field and then click Apply. Get from Time Server: Select this radio button to have the P-660HWP-D1 get the time and date from the time server you specified below.
  • Page 261 In Germany for instance, you would type 2 because Germany's time zone is one hour ahead of GMT or UTC (GMT+1). Apply Click Apply to save your changes to the P-660HWP-D1. Cancel Click Cancel to begin configuring this screen afresh.
  • Page 263: Logs

    20.1 Logs Overview The web configurator allows you to choose which categories of events and/or alerts to have the P-660HWP-D1 log and then display the logs or have the P-660HWP-D1 send them to an administrator (as e-mail) or to a syslog server.
  • Page 264: Configuring Log Settings

    This field displays additional information about the log entry. 20.3 Configuring Log Settings Use the Log Settings screen to configure to where the P-660HWP-D1 is to send logs; the schedule for when the P-660HWP-D1 is to send the logs and which logs and/or immediate alerts the P-660HWP-D1 is to record.
  • Page 265: Figure 157 Log Settings

    P-660HWP-D1 sends. Not all ZyXEL models have this field. Send Log To The P-660HWP-D1 sends logs to the e-mail address specified in this field. If this field is left blank, the P-660HWP-D1 does not send logs via e-mail. Send Alerts To Alerts are real-time notifications that are sent as soon as an event, such as a DoS attack, system error, or forbidden web access attempt occurs.
  • Page 266: Example E-Mail Log

    Sending Log: Enter the time of the day in 24-hour format (for example 23:00 equals 11:00 pm) to send the logs. Clear log after sending mail: Select the checkbox to delete all the logs after the P-660HWP-D1 sends an E-mail of the logs. Syslog Logging: The P-660HWP-D1 sends a log to an external syslog server.
  • Page 267: Log Descriptions

    Successful FTP login "FTP login failed": Someone has failed to log on to the router via ftp. "NAT Session Table is Full!": The maximum number of NAT session table entries has been exceeded and the table is full.
  • Page 268: Table 112 System Error Logs

    "Firewall rule [NOT] match:[TCP | UDP | IGMP | ESP | GRE | OSPF] <Packet Direction>, <rule:%d>": matched (or did not match) a configured firewall rule (denoted by its number) and was blocked or forwarded according to the rule.
  • Page 269: Table 114 Tcp Reset Logs

    "[TCP | UDP | ICMP | IGMP | Generic] packet filter matched (set:%d, rule:%d)": Attempted access matched a configured filter rule (denoted by its set and rule number) and was blocked or forwarded according to the rule.
  • Page 270: Table 116 Icmp Logs

    Starting "ppp:IPCP Opening": The PPP connection’s Internet Protocol Control Protocol stage is opening. "ppp:LCP Closing": The PPP connection’s Link Control Protocol stage is closing. "ppp:IPCP Closing": The PPP connection’s Internet Protocol Control Protocol stage is closing.
  • Page 271: Table 119 Upnp Logs

    "DNS resolving failed": The P-660HWP-D1 cannot get the IP address of the external content filtering via DNS query. "Creating socket failed": The P-660HWP-D1 cannot issue a query because TCP/IP socket creation failed, port:port number. The connection to the external content filtering server failed....
  • Page 272: Table 121 Attack Logs

    "Inbound packet authentication failed": may have altered or tampered with the packet. "Receive IPSec packet, but no corresponding tunnel exists": The router dropped an inbound packet for which SPI could not find a corresponding phase 2 SA.
  • Page 273: Table 123 Ike Logs

    My Remote <My remote> - <My remote>: ends of the connection. "vs. My Local <My local>-<My local>": The displayed ID information did not match between the two ends of the connection. "Send <packet>": A packet was sent.
  • Page 274 "Rule [%d] Phase 1 encryption algorithm mismatch": match between the router and the peer. "Rule [%d] Phase 1 authentication algorithm mismatch": The listed rule’s IKE phase 1 authentication algorithm did not match between the router and the peer.
  • Page 275 "Rule [%d] phase 2 mismatch": router and the peer. "Rule [%d] Phase 2 key length mismatch": The listed rule’s IKE phase 2 key lengths (with the AES encryption algorithm) did not match between the router and the peer.
  • Page 276: Table 124 Pki Logs

    cert not trusted: <subject name> The recorded reason codes are only approximate reasons for not trusting the certificate. Please see Table 125 on page 277 for the corresponding descriptions of the codes.
  • Page 277: Table 125 Certificate Path Verification Failure Reason Codes

    LAN to LAN/P-660HWP-D1: ACL set for packets traveling from the LAN to the LAN or the P-660HWP-D1. (W to W) WAN to WAN/P-660HWP-D1: ACL set for packets traveling from the WAN to the WAN or the P-660HWP-D1.
  • Page 278: Table 127 Icmp Notes

    Time Exceeded Time to live exceeded in transit Fragment reassembly time exceeded Parameter Problem Pointer indicates the error Timestamp Timestamp request message Timestamp Reply Timestamp reply message Information Request Information request message Information Reply Information reply message
  • Page 279: Table 128 Syslog Logs

    RFC for detailed information on each type. Table 129 RFC-2408 ISAKMP Payload Types LOG DISPLAY PAYLOAD TYPE Security Association Proposal PROP Transform TRANS Key Exchange Identification Certificate Certificate Request CER_REQ Hash HASH Signature Nonce NONCE Notification NOTFY Delete Vendor ID
  • Page 281: Tools

    Find firmware at www.zyxel.com in a file that (usually) uses the system model name with a .bin extension, for example, “P-660HWP-D1.bin”. The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes. After a successful upload, the system will reboot.
  • Page 282: Figure 160 Firmware Upload In Progress

    Click Upload to begin the upload process. This process may take up to two minutes. Do NOT turn off the P-660HWP-D1 while firmware upload is in progress! After you see the Firmware Upload in Progress screen, wait two minutes before logging into the P-660HWP-D1 again.
  • Page 283: Configuration Screen

    Figure 163 Maintenance > Tools > Configuration Backup configuration allows you to back up (save) the P-660HWP-D1’s current configuration to a file on your computer. Once your P-660HWP-D1 is configured and functioning properly, it is highly recommended that you back up your configuration file before making configuration changes.
  • Page 284: Restore Configuration

    Upload: Click Upload to begin the upload process. Do not turn off the P-660HWP-D1 while configuration file upload is in progress. After you see a “Restore Configuration successful” screen, you must then wait one minute before logging into the P-660HWP-D1 again.
  • Page 285: Back To Factory Defaults

    If you uploaded the default configuration file you may need to change the IP address of your computer to be in the same subnet as that of the default P-660HWP-D1 IP address (192.168.1.1). See the appendix for details on how to set up your computer’s IP address.
  • Page 287: Diagnostic

    Table 133 Diagnostic: General LABEL DESCRIPTION TCP/IP Address: Type the IP address of a computer that you want to ping in order to test a connection. Ping: Click this button to ping the IP address that you entered.
  • Page 288: Dsl Line Diagnostic

    Test: Click this button to start the ATM loopback test. Make sure you have configured at least one PVC with proper VPIs/VCIs before you begin this test. The P-660HWP-D1 sends an OAM F5 packet to the DSLAM/ATM switch and then returns it (loops it back) to the P-660HWP-D1.
  • Page 289: Troubleshooting

    2 Make sure you are using the power adaptor or cord included with the P-660HWP-D1. 3 Make sure the power adaptor or cord is connected to the P-660HWP-D1 and plugged in to an appropriate power source. Make sure the power source is turned on.
  • Page 290: P-660Hwp-D1 Access And Login

    2 If you changed the IP address and have forgotten it, you might get the IP address of the P-660HWP-D1 by looking up the IP address of the default gateway for your computer. To do this in most Windows computers, click Start > Run, enter cmd, and then enter ipconfig.
  • Page 291: Internet Access

    5 Reset the device to its factory defaults, and try to access the P-660HWP-D1 with the default IP address. See Section 2.3 on page 6 If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions.
  • Page 292 1 There might be a lot of traffic on the network. Look at the LEDs, and check Section 1.4 on page 35. If the P-660HWP-D1 is sending or receiving a lot of information, try closing some programs that use the Internet, especially peer-to-peer applications. 2 Reboot the P-660HWP-D1.
  • Page 293: Powerline Issues

    1 Check your power supply. Powerline adapters operate from the power supplied by your home wiring and cannot operate without a working power supply. 2 Make sure that you are using the power cable included with your P-660HWP-D1 to attach your P-660HWP-D1 to the power supply. Standard plugs do not have a powerline network capability.
  • Page 294 4 Avoid wiring that is old, low quality or with a long wiring path, as this may affect the quality of your powerline signal.
  • Page 295: Appendices And Index

    Appendices and Index Product Specifications and Wall Mounting (297) Wireless LANs (303) Setting up Your Computer’s IP Address (317) IP Subnetting (333) Command Interpreter (341) Firewall Commands (345) Pop-up Windows, JavaScripts and Java Permissions (351) Legal Information (357) Customer Support (361) Index (367)
  • Page 297: Appendix A Product Specifications And Wall Mounting

    Product Specifications and Wall Mounting Product Specifications The following tables summarize the P-660HWP-D1’s hardware and firmware features. Table 135 Hardware Specifications Dimensions (W x D x H) 250 x 170 x 36 mm...
  • Page 298 Configuration Backup & Make a copy of the P-660HWP-D1’s configuration. You can put it back Restoration on the P-660HWP-D1 later if you decide to revert back to an earlier configuration. Network Address Each computer on your network must have its own unique IP address.
  • Page 299: Table 137 Wireless Firmware Specifications

    FEATURE DESCRIPTION Content Filter The P-660HWP-D1 blocks or allows access to web sites that you specify and blocks access to web sites with URLs that contain keywords that you specify. You can define time periods and days during which content filtering is enabled.
  • Page 300: Table 138 Standards Supported

    FEATURE DESCRIPTION Output Power Management This allows you to alter the level of power used by the P-660HWP-D1. For example, when access points are placed closely together power output levels may be reduced. Wireless LAN MAC...
  • Page 301: Wall-Mounting Instructions

    5 Make sure the screws are snugly fastened to the wall. They need to hold the weight of the P-660HWP-D1 with the connection cables. 6 Align the holes on the back of the P-660HWP-D1 with the screws on the wall. Hang the P-660HWP-D1 on the screws.
  • Page 302: Figure 170 Wall-Mounting Example

    Figure 170 Wall-mounting Example The following are dimensions of an M4 tap screw and masonry plug used for wall mounting. All measurements are in millimeters (mm). Figure 171 Masonry Plug and M4 Tap Screw
  • Page 303: Appendix B Wireless Lans

    Intra-BSS traffic is traffic between wireless clients in the BSS. When Intra-BSS is enabled, wireless client A and B can access the wired network and communicate with each other. When Intra-BSS is disabled, wireless client A and B can still access the wired network but cannot communicate with each other.
  • Page 304: Figure 173 Basic Service Set

    An ESSID (ESS IDentification) uniquely identifies each ESS. All access points and their associated wireless clients within the same ESS must have the same ESSID in order to communicate.
  • Page 305: Figure 174 Infrastructure Wlan

    (AP) or wireless gateway, but out-of-range of each other, so they cannot "hear" each other, that is they do not know if the channel is currently being used. Therefore, they are considered hidden from each other.
  • Page 306: Figure 175 Rts/Cts

    AP will fragment the packet into smaller data frames. A large Fragmentation Threshold is recommended for networks not prone to interference while you should set a smaller threshold for busy networks or networks that are prone to interference.
  • Page 307: Table 139 Ieee 802.11G

    DQPSK (Differential Quadrature Phase Shift Keying) 5.5 / 11 CCK (Complementary Code Keying) 6/9/12/18/24/36/48/54 OFDM (Orthogonal Frequency Division Multiplexing) Wireless Security Overview Wireless security is vital to your network to protect wireless communication between wireless clients, access points and the wired network.
  • Page 308: Table 140 Wireless Security Levels

    Wireless security methods available on the P-660HWP-D1 are data encryption, wireless client authentication, restricting access by device MAC address and hiding the P-660HWP-D1 identity. The following figure shows the relative effectiveness of these wireless security methods available on your P-660HWP-D1.
  • Page 309: Types Of Radius Messages

    EAP to interact with an EAP-compatible RADIUS server, an access point helps a wireless station and a RADIUS server perform authentication. The type of authentication you use depends on the RADIUS server and an intermediary AP(s) that supports IEEE 802.1x.
  • Page 310 However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by Cisco. LEAP LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE 802.1x.
  • Page 311: Table 141 Comparison Of Eap Authentication Types

    If the AP or the wireless clients do not support WPA2, just use WPA or WPA-PSK depending on whether you have an external RADIUS server or not. Select WEP only when the AP and/or wireless clients do not support WPA or WPA2. WEP is less secure than WPA or WPA2.
  • Page 312 AP and does not need to go with the authentication process again. Pre-authentication enables fast roaming by allowing the wireless client (already connecting to an AP) to perform IEEE 802.1x authentication with another AP before connecting to it.
  • Page 313: Wireless Client Wpa Supplicants

    2 The AP checks each wireless client's password and (only) allows it to join the network if the password matches. 3 The AP and wireless clients use the pre-shared key to generate a common PMK (Pairwise Master Key).
  • Page 314: Figure 177 Wpa(2)-Psk Authentication

    An antenna couples RF signals onto air. A transmitter within a wireless device sends an RF signal to the antenna, which propagates the signal through the air. The antenna also operates in reverse by capturing RF signals from the air.
  • Page 315: Antenna Characteristics

    In general, antennas should be mounted as high as practically possible and free of obstructions. In point-to-point application, position both antennas at the same height and in a direct line of sight to each other to attain the best performance.
  • Page 316 For a single AP application, place omni-directional antennas as close to the center of the coverage area as possible. For directional antennas, point the antenna in the direction of the desired coverage area.
  • Page 317: Appendix C Setting Up Your Computer's Ip Address

    After the appropriate TCP/IP components are installed, configure the TCP/IP settings in order to "communicate" with your network. If you manually assign IP information instead of using dynamic assignment, make sure that your computers have IP addresses that place them in the same subnet as the P-660HWP-D1’s LAN port. Windows 95/98/Me Click Start, Settings, Control Panel and double-click the Network icon to open the Network window.
  • Page 318: Figure 178 Windows 95/98/Me: Network: Configuration

    2 Select Client and then click Add. 3 Select Microsoft from the list of manufacturers. 4 Select Client for Microsoft Networks from the list of network clients and then click 5 Restart your computer so the changes you made take effect.
  • Page 319: Figure 179 Windows 95/98/Me: Tcp/Ip Properties: Ip Address

    • If you do not know your DNS information, select Disable DNS. • If you know your DNS information, select Enable DNS and type the information in the fields below (you may not need to fill them all in).
  • Page 320: Figure 180 Windows 95/98/Me: Tcp/Ip Properties: Dns Configuration

    5 Click OK to save and close the TCP/IP Properties window. 6 Click OK to close the Network window. Insert the Windows CD if prompted. 7 Turn on your P-660HWP-D1 and restart your computer when prompted. Verifying Settings 1 Click Start and then Run.
  • Page 321: Figure 181 Windows Xp: Start Menu

    Appendix C Setting up Your Computer’s IP Address Figure 181 Windows XP: Start Menu 2 In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT). Figure 182 Windows XP: Control Panel 3 Right-click Local Area Connection and then click Properties.
  • Page 322: Figure 183 Windows Xp: Control Panel: Network Connections: Properties

    • If you have a dynamic IP address click Obtain an IP address automatically. • If you have a static IP address click Use the following IP Address and fill in the IP address, Subnet mask, and Default gateway fields. • Click Advanced.
  • Page 323: Figure 185 Windows Xp: Internet Protocol (Tcp/Ip) Properties

    To manually configure a default metric (the number of transmission hops), clear the Automatic metric check box and type a metric in Metric. • Click Add. • Repeat the previous three steps for each default gateway you want to add. • Click OK when finished.
  • Page 324: Figure 186 Windows Xp: Advanced Tcp/Ip Properties

    • If you know your DNS server IP address(es), click Use the following DNS server addresses, and type them in the Preferred DNS server and Alternate DNS server fields. If you have previously configured DNS servers, click Advanced and then the DNS tab to order them.
  • Page 325: Figure 187 Windows Xp: Internet Protocol (Tcp/Ip) Properties

    Properties window. 10 Close the Network Connections window (Network and Dial-up Connections in Windows 2000/NT). 11 Turn on your P-660HWP-D1 and restart your computer (if prompted). Verifying Settings 1 Click Start, All Programs, Accessories and then Command Prompt. 2 In the Command Prompt window, type "ipconfig" and then press [ENTER]. You can also open Network Connections, right-click a network connection, click Status and then click the Support tab.
  • Page 326: Figure 188 Macintosh Os 8/9: Apple Menu

    2 Select Ethernet built-in from the Connect via list. Figure 189 Macintosh OS 8/9: TCP/IP 3 For dynamically assigned settings, select Using DHCP Server from the Configure: list. 4 For statically assigned settings, do the following: • From the Configure box, select Manually.
  • Page 327: Figure 190 Macintosh Os X: Apple Menu

    • Type your IP address in the IP Address box. • Type your subnet mask in the Subnet mask box. • Type the IP address of your P-660HWP-D1 in the Router address box. 5 Close the TCP/IP Control Panel. 6 Click Save if prompted, to save changes to your configuration.
  • Page 328: Figure 191 Macintosh Os X: Network

    • Type your IP address in the IP Address box. • Type your subnet mask in the Subnet mask box. • Type the IP address of your P-660HWP-D1 in the Router address box. 5 Click Apply Now and close the window.
  • Page 329: Figure 192 Red Hat 9.0: Kde: Network Configuration: Devices

    Figure 192 Red Hat 9.0: KDE: Network Configuration: Devices 2 Double-click on the profile of the network card you wish to configure. The Ethernet Device General screen displays as shown. Figure 193 Red Hat 9.0: KDE: Ethernet Device: General
  • Page 330: Figure 194 Red Hat 9.0: Kde: Network Configuration: Dns

    Ethernet card). Open the eth0 configuration file with any plain text editor. • If you have a dynamic IP address, enter dhcp in the BOOTPROTO= field. The following figure shows an example.
  • Page 331: Figure 196 Red Hat 9.0: Dynamic Ip Address Setting In Ifconfig-Eth0

    Figure 199 Red Hat 9.0: Restart Ethernet Card
    [root@localhost init.d]# network restart
    Shutting down interface eth0: [OK]
    Shutting down loopback interface: [OK]
    Setting network parameters: [OK]
    Bringing up loopback interface: [OK]
    Bringing up interface eth0: [OK]
  • Page 332: Figure 200 Red Hat 9.0: Checking Tcp/Ip Properties

    HWaddr 00:50:BA:72:5B:44
    inet addr:172.23.19.129 Bcast:172.23.19.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:717 errors:0 dropped:0 overruns:0 frame:0
    TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:730412 (713.2 Kb) TX bytes:1570 (1.5 Kb)
    Interrupt:10 Base address:0x1000
    [root@localhost]#
  • Page 333: Appendix D Ip Subnetting

    • A class B address (2 host octets: 16 host bits) can have 2^16 – 2, or 65534 hosts. A class A address (3 host octets: 24 host bits) can have 2^24 – 2 hosts, or approximately 16 million hosts.
  • Page 334: Table 144 Allowed Ip Address Range By Class

    With subnetting, the class arrangement of an IP address is ignored. For example, a class C address no longer has to have 24 bits of network number and 8 bits of host ID. With subnetting, some of the host ID bits are converted into network number bits.
  • Page 335: Table 146 Alternative Subnet Mask Notation

    ID bits of the IP address to a network number bit. The “borrowed” host ID bit can be either “0” or “1” thus giving two subnets; 192.168.1.0 with mask 255.255.255.128 and 192.168.1.128 with mask 255.255.255.128.
  • Page 336: Table 148 Subnet 1

    255.255.255.128 is the directed broadcast address for the first subnet. Therefore, the lowest IP address that can be assigned to an actual host for the first subnet is 192.168.1.1 and the highest is 192.168.1.126. Similarly the host ID range for the second subnet is 192.168.1.129 to 192.168.1.254.
  • Page 337: Table 150 Subnet 1

    Table 153 Subnet 4
    IP/SUBNET MASK | NETWORK NUMBER | LAST OCTET BIT VALUE
    IP Address | 192.168.1. |
    IP Address (Binary) | 11000000.10101000.00000001. | 11000000
    Subnet Mask (Binary) | 11111111.11111111.11111111. | 11000000
    Subnet Address: 192.168.1.192 | Lowest Host ID: 192.168.1.193
    Broadcast Address: 192.168.1.255 | Highest Host ID: 192.168.1.254
  • Page 338: Table 154 Eight Subnets

    The following table is a summary for class “B” subnet planning.
    Table 156 Class B Subnet Planning
    Columns: NO. “BORROWED” HOST BITS, SUBNET MASK, NO. SUBNETS, NO. HOSTS PER SUBNET
    255.255.128.0 (/17): 32766 hosts per subnet
    255.255.192.0 (/18): 16382 hosts per subnet
    255.255.224.0 (/19): 8190 hosts per subnet
  • Page 339 (Table 156, continued)
    255.255.240.0 (/20): 4094 hosts per subnet
    255.255.248.0 (/21): 2046 hosts per subnet
    255.255.252.0 (/22): 1022 hosts per subnet
    255.255.254.0 (/23)
    255.255.255.0 (/24)
    255.255.255.128 (/25)
    255.255.255.192 (/26): 1024 subnets
    255.255.255.224 (/27): 2048 subnets
    255.255.255.240 (/28): 4096 subnets
    255.255.255.248 (/29): 8192 subnets
    255.255.255.252 (/30): 16384 subnets
    255.255.255.254 (/31): 32768 subnets
  • Page 341: Appendix E Command Interpreter

    1 Connect your computer to the ETHERNET port on the P-660HWP-D1. 2 Make sure your computer IP address and the P-660HWP-D1 IP address are on the same subnet. In Windows, click Start (usually in the bottom left corner), Run and then type (the default P-660HWP-D1 IP address) and click OK.
  • Page 342: Figure 201 Displaying Log Categories Example

    3 to record both logs and alerts for that category. Not every parameter is available with every category. 5 Use the sys logs save command to store the settings in the P-660HWP-D1 (you must do this in order to record logs).
  • Page 343: Log Command Example

    • Use the sys logs clear command to erase all of the P-660HWP-D1’s logs. Log Command Example This example shows how to set the P-660HWP-D1 to record the access logs and alerts and then view the results. ras> sys logs load ras>...
  • Page 345: Appendix F Firewall Commands

    Description: This command shows all of the attack response settings.
    Command: config display firewall e-mail
    Description: This command shows all of the e-mail settings.
    Command: config display firewall?
    Description: This command shows all of the available firewall sub commands.
  • Page 346 Command: config edit firewall e-mail day <sunday | monday | tuesday | wednesday | thursday | friday | saturday>
    Description: This command sets the day on which the current firewall log is sent through e-mail if the P-660HWP-D1 is set to send it on a weekly basis...
  • Page 347 #> udp-idle-timeout <seconds> before the P-660HWP-D1 considers the connection closed.
    Command: Config edit firewall set <set #> connection-timeout
    Description: This command sets how long P-660HWP-D1 waits for a TCP session to be established before dropping the session.
  • Page 348 ICMP. #> rule <rule #> protocol <integer protocol value >
    Command: Config edit firewall set <set #> rule <rule #> log <none | ...
    Description: This command sets the P-660HWP-D1 to log traffic that matches the rule, doesn't match, both or neither.
  • Page 349 Command: config delete firewall attack
    Description: This command resets all of the attack response settings to their defaults.
    Command: config delete firewall set <set #>
    Description: This command removes the specified set from the firewall configuration.
  • Page 350 Appendix F Firewall Commands Table 157 Firewall Commands (continued) FUNCTION COMMAND DESCRIPTION
    Command: config delete firewall set <set #> rule<rule #>
    Description: This command removes the specified rule in a firewall configuration set.
  • Page 351: Appendix G Pop-Up Windows, Javascripts And Java Permissions

    1 In Internet Explorer, select Tools, Pop-up Blocker and then select Turn Off Pop-up Blocker. Figure 203 Pop-up Blocker You can also check if pop-up blocking is disabled in the Pop-up Blocker section in the Privacy tab. 1 In Internet Explorer, select Tools, Internet Options, Privacy.
  • Page 352: Figure 204 Internet Options: Privacy

    Alternatively, if you only want to allow pop-up windows from your device, see the following steps. 1 In Internet Explorer, select Tools, Internet Options and then the Privacy tab. 2 Select Settings… to open the Pop-up Blocker Settings screen.
  • Page 353: Figure 205 Internet Options: Privacy

    3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix “http://”. For example, http://192.168.167.1. 4 Click Add to move the IP address to the list of Allowed sites. Figure 206 Pop-up Blocker Settings
  • Page 354: Figure 207 Internet Options: Security

    3 Scroll down to Scripting. 4 Under Active scripting make sure that Enable is selected (the default). 5 Under Scripting of Java applets make sure that Enable is selected (the default). 6 Click OK to close the window.
  • Page 355: Figure 208 Security Settings - Java Scripting

    2 Click the Custom Level... button. 3 Scroll down to Microsoft VM. 4 Under Java permissions make sure that a safety level is selected. 5 Click OK to close the window. Figure 209 Security Settings - Java
  • Page 356: Figure 210 Java (Sun)

    1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab. 2 Make sure that Use Java 2 for <applet> under Java (Sun) is selected. 3 Click OK to close the window. Figure 210 Java (Sun)
  • Page 357: Appendix H Legal Information

    ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved.
  • Page 358 Cet appareil numérique de la classe B est conforme à la norme NMB-003 du Canada. Viewing Certifications 1 Go to http://www.zyxel.com. 2 Select your product on the ZyXEL home page to go to that product's page. 3 Select the certification you wish to view from this page.
  • Page 359: Zyxel Limited Warranty

    Registration Register your product online to receive e-mail notices of firmware upgrades and information at www.zyxel.com for global products, or at www.us.zyxel.com for North American products.
  • Page 361: Appendix I Customer Support

    • Sales E-mail: sales@zyxel.com.tw • Telephone: +886-3-578-3942 • Fax: +886-3-578-2439 • Web: www.zyxel.com, www.europe.zyxel.com • FTP: ftp.zyxel.com, ftp.europe.zyxel.com • Regular Mail: ZyXEL Communications Corp., 6 Innovation Road II, Science Park, Hsinchu 300, Taiwan Costa Rica • Support E-mail: soporte@zyxel.co.cr • Sales E-mail: sales@zyxel.co.cr •...
  • Page 362 Appendix I Customer Support • Regular Mail: ZyXEL Communications, Czech s.r.o., Modranská 621, 143 01 Praha 4 - Modrany, Ceská Republika Denmark • Support E-mail: support@zyxel.dk • Sales E-mail: sales@zyxel.dk • Telephone: +45-39-55-07-00 • Fax: +45-39-55-07-07 • Web: www.zyxel.dk • Regular Mail: ZyXEL Communications A/S, Columbusvej, 2860 Soeborg, Denmark Finland •...
  • Page 363 • Regular Mail: ZyXEL Malaysia Sdn Bhd., 1-02 & 1-03, Jalan Kenari 17F, Bandar Puchong Jaya, 47100 Puchong, Selangor Darul Ehsan, Malaysia North America • Support E-mail: support@zyxel.com • Sales E-mail: sales@zyxel.com • Telephone: +1-800-255-4101, +1-714-632-0882 • Fax: +1-714-632-0858 • Web: www.us.zyxel.com • FTP: ftp.us.zyxel.com P-660HWP-D1 User’s Guide...
  • Page 364 Appendix I Customer Support • Regular Mail: ZyXEL Communications Inc., 1130 N. Miller St., Anaheim, CA 92806- 2001, U.S.A. Norway • Support E-mail: support@zyxel.no • Sales E-mail: sales@zyxel.no • Telephone: +47-22-80-61-80 • Fax: +47-22-80-61-81 • Web: www.zyxel.no • Regular Mail: ZyXEL Communications A/S, Nils Hansens vei 13, 0667 Oslo, Norway Poland •...
  • Page 365 • Sales E-mail: sales@zyxel.co.uk • Telephone: +44-1344-303044, 08707-555779 (UK only) • Fax: +44-1344-303034 • Web: www.zyxel.co.uk • FTP: ftp.zyxel.co.uk • Regular Mail: ZyXEL Communications UK Ltd., 11 The Courtyard, Eastern Road, Bracknell, Berkshire RG12 2XB, United Kingdom (UK) P-660HWP-D1 User’s Guide...
