ZyXEL Communications SBG3500-N000 User Manual

SBG3500-N Series Wireless N Fiber WAN Small Business Gateway
SBG3500-N Series
SBG3500-N000 / SBG3500-NB00
Wireless N Fiber WAN Small Business Gateway
Version 1.00
Edition 4, 9/2014
Quick Start Guide
User's Guide
Default Login Details
LAN IP Address: http://192.168.1.1
User Name: admin
Password: 1234
www.zyxel.com
Copyright © 2014 ZyXEL Communications Corporation

Summary of Contents for ZyXEL Communications SBG3500-N000

  • Page 1 SBG3500-N Series SBG3500-N000 / SBG3500-NB00 Wireless N Fiber WAN Small Business Gateway Version 1.00 Edition 4, 9/2014 Quick Start Guide User’s Guide Default Login Details LAN IP Address http://192.168.1.1 User Name admin www.zyxel.com Password 1234 Copyright © 2014 ZyXEL Communications Corporation...
  • Page 2 IMPORTANT! READ CAREFULLY BEFORE USE. KEEP THIS GUIDE FOR FUTURE REFERENCE. Screenshots and graphics in this book may differ slightly from your product due to differences in your product firmware or your computer operating system. Every effort has been made to ensure that the information in this manual is accurate.
  • Page 3: Table Of Contents

    Contents Overview Contents Overview User’s Guide ............................16 Introducing the SBG3500-N Series ......................17 The Web Configurator ..........................25 Quick Start ...............................32 Tutorials ..............................35 Technical Reference ..........................96 Status Screens ............................97 Broadband .............................100 Wireless ..............................130 LAN ...............................159 Routing ..............................179 Quality of Service (QoS) ........................185 Network Address Translation (NAT) ......................203 Dynamic DNS Setup ..........................219 AP Control .............................222...
  • Page 4 Contents Overview SNMP ..............................332 Time ..............................334 E-mail Notification ..........................337 Logs Setting ............................339 Firmware Upgrade ..........................342 Configuration ............................344 Diagnostic .............................347 Troubleshooting ............................352 SBG3500-N Series User’s Guide...
  • Page 5: Table Of Contents

    Table of Contents Table of Contents Contents Overview ..........................3 Table of Contents ..........................5 Part I: User’s Guide ..................16 Chapter 1 Introducing the SBG3500-N Series ....................17 1.1 Overview ............................17 1.2 Applications for the SBG3500-N Series ...................17 1.2.1 Internet Access ........................17 1.2.2 Wireless LAN ...........................20 1.2.3 SBG3500-N Series’s USB Support ..................21 1.3 LEDs (Lights) ............................21...
  • Page 6 Table of Contents 4.5 Setting Up a Secure Wireless Network .....................40 4.5.1 Configuring the Wireless Network Settings ................41 4.5.2 Using WPS ..........................43 4.5.3 Without WPS ...........................47 4.6 Setting Up Multiple Wireless Groups ....................48 4.7 Configuring Static Route for Routing to Another Network ..............51 4.8 Configuring QoS Queue and Class Setup ..................54 4.9 Access the SBG3500-N Series Using DDNS ..................57 4.9.1 Registering a DDNS Account on www.dyndns.org ..............57...
  • Page 7 Table of Contents 6.1 Overview ............................100 6.1.1 What You Can Do in this Chapter ..................100 6.1.2 What You Need to Know ......................101 6.1.3 Before You Begin ........................104 6.2 The Broadband Screen ........................104 6.2.1 Add/Edit Internet Connection ....................106 6.3 The 3G WAN Screen ........................114 6.4 The Add New 3G Dongle Screen ....................
  • Page 8 Table of Contents Chapter 8 LAN ..............................159 8.1 Overview ............................159 8.1.1 What You Can Do in this Chapter ..................159 8.1.2 What You Need To Know .......................160 8.1.3 Before You Begin ........................161 8.2 The LAN Setup Screen ........................161 8.3 The Static DHCP Screen .........................165 8.4 The UPnP Screen ...........................167 8.5 Installing UPnP in Windows Example .....................167 8.5.1 Using UPnP in Windows XP Example ...................169...
  • Page 9 Table of Contents 10.8 Technical Reference ........................198 Chapter 11 Network Address Translation (NAT)....................203 11.1 Overview ............................203 11.1.1 What You Can Do in this Chapter ..................203 11.1.2 What You Need To Know .....................203 11.2 The Port Forwarding Screen ......................204 11.2.1 Add/Edit Port Forwarding ....................206 11.3 The Applications Screen .......................207 11.3.1 Add New Application ......................208 11.4 The Port Triggering Screen ......................208...
  • Page 10 Table of Contents 14.1 Overview ............................227 14.1.1 What You Can Do in this Chapter ..................227 14.1.2 What You Need To Know .....................227 14.2 Radio Screen ..........................228 14.2.1 Add/Modify New Profile .......................229 14.3 SSID Screen ..........................233 14.3.1 Add New Profile/Modify SSID Profile ...................234 14.4 Security Screen ..........................235 14.4.1 Add/Modify Security Profile ....................236 14.5 MAC Filtering Screen ........................239...
  • Page 11 Table of Contents Chapter 18 MAC Filter............................261 18.1 Overview ............................261 18.2 The MAC Filter Screen ........................262 Chapter 19 User Access Control ........................264 19.1 Overview ............................264 19.2 The User Access Control Screen ....................264 19.2.1 Add/Edit a User Access Control Rule ..................265 Chapter 20 Scheduler Rules..........................267 20.1 Overview ............................267...
  • Page 12 Table of Contents 22.7.4 Negotiation Mode ........................290 22.7.5 IPSec and NAT ........................290 22.7.6 VPN, NAT, and NAT Traversal .....................291 22.7.7 ID Type and Content ......................292 22.7.8 Pre-Shared Key ........................293 22.7.9 Diffie-Hellman (DH) Key Groups ..................293 Chapter 23 PPTP VPN ............................294 23.1 Overview ............................294 23.2 What You Can Do in this Chapter ....................294 23.3 PPTP VPN Setup ..........................295...
  • Page 13 Table of Contents 27.2 ARP Table Screen ......................... 311 Chapter 28 Routing Table ............................313 28.1 Overview ............................313 28.2 The Routing Table Screen ......................313 Chapter 29 IGMP Status ............................315 29.1 Overview ............................315 29.2 The IGMP Group Status Screen ....................315 Chapter 30 xDSL Statistics..........................316 30.1 The xDSL Statistics Screen ......................316 Chapter 31...
  • Page 14 Table of Contents 35.2 The TR-069 Client Screen ......................330 Chapter 36 SNMP ..............................332 36.1 The SNMP Agent Screen ......................332 Chapter 37 Time ..............................334 37.1 Overview ............................334 37.2 The Time Screen ..........................334 Chapter 38 E-mail Notification ..........................337 38.1 Overview ............................337 38.2 The Email Notification Screen .......................337 38.2.1 Email Notification Edit ......................337 Chapter 39 Logs Setting .............................339...
  • Page 15 Table of Contents Chapter 43 Troubleshooting..........................352 43.1 Power, Hardware Connections, and LEDs ..................352 43.2 SBG3500-N Series Access and Login ..................353 43.3 Internet Access ..........................355 43.4 Wireless Internet Access .......................356 43.5 USB Device Connection ........................357 43.6 UPnP .............................358 Appendix A Setting up Your Computer’s IP Address ...............359 Appendix B IP Addresses and Subnetting..................379 Appendix C Pop-up Windows, JavaScript and Java Permissions ...........387 Appendix D Wireless LANs......................394...
  • Page 16: User's Guide

    User’s Guide...
  • Page 17: Introducing The Sbg3500-N Series

    • One USB Port for 3G Connection and File Sharing • One SFP Port for Fiber Optic Internet Connection • One GbE WAN Port • Two VDSL2/ADSL2+ (SBG3500-N000 only) Integrated Ports (Bonding) • One VDSL2/ADSL2+ (SBG3500-NB00 only) Port • Integrated Firewall with Secure Network Management •...
  • Page 18 Chapter 1 Introducing the SBG3500-N Series • ADSL2+ and VDSL, connect the DSL1 and/or DSL2 port using a phone cable to a DSL or MODEM on a splitter or your telephone jack. For single DSL connection, use only DSL1 port. For DSL bonding connection, use both DSL1 and DSL2 port at the same time.
  • Page 19 Chapter 1 Introducing the SBG3500-N Series Figure 1 SBG3500-N Series’s Internet Access Application WLAN Bridging PPPoE IPoE/IPoA PPPoA Load Balancing ADSL2+/VDSL WLAN ADSL2+/VDSL and GbE ADSL2+/VDSL and Fiber WLAN ADSL2+/VDSL and 3G SBG3500-N Series User’s Guide...
  • Page 20: Wireless Lan

    Chapter 1 Introducing the SBG3500-N Series Figure 2 SBG3500-N Series’s Internet Access Application (Continue) WLAN Fiber and 3G WLAN GbE and 3G You can also configure IP filtering on the SBG3500-N Series for secure Internet access. Go to Security > MAC Filter to do this task. When the IP filter is on, all incoming traffic from the Internet to your network is blocked by default unless it is initiated from your network.
  • Page 21: Using The Wlan Button

    Chapter 1 Introducing the SBG3500-N Series Using the WLAN Button If the wireless network is turned off, press the WLAN button at the back of the SBG3500-N Series. Once the WLAN LED turns green, the wireless network is active. 1.2.3 SBG3500-N Series’s USB Support The USB port of the SBG3500-N Series is used for 3G Dongle and file-sharing.
  • Page 22 Chapter 1 Introducing the SBG3500-N Series Figure 5 LEDs on the Device SBG3500-N000 SBG3500-NB00 None of the LEDs are on if the SBG3500-N Series is not receiving power. Table 1 LED Descriptions COLOR STATUS DESCRIPTION POWER Green The SBG3500-N Series is receiving power and ready for use.
  • Page 23 Chapter 1 Introducing the SBG3500-N Series Table 1 LED Descriptions (continued) COLOR STATUS DESCRIPTION ETHERNET Left LED The SBG3500-N Series has a successful Ethernet connection with a LAN 1-4 (1000) device on the Local Area Network (LAN). Blinking The SBG3500-N Series is sending or receiving data to/from the LAN. Green The SBG3500-N Series does not have an Ethernet connection with the LAN.
  • Page 24: Ways To Manage The Sbg3500-N Series

    Chapter 1 Introducing the SBG3500-N Series 1.4 Ways to Manage the SBG3500-N Series Use any of the following methods to manage the SBG3500-N Series. • Web Configurator. This is recommended for everyday management of the SBG3500-N Series using a (supported) web browser. •...
  • Page 25: The Web Configurator

    Chapter 2 The Web Configurator 2.1 Overview The web configurator is an HTML-based management interface that allows easy device setup and management of the SBG3500-N Series via Internet browser. Use Internet Explorer 8.0 and later versions with JavaScript enabled, or Mozilla Firefox 3 and later versions or Safari 2.0 and later versions or Google Chrome and later versions.
  • Page 26 Chapter 2 The Web Configurator Figure 6 Password Screen The following screen displays prompting you to change the password. It is strongly recommended you change the default password. Enter a new password, minding the rules in the screen, retype it to confirm and click Apply.
  • Page 27: Web Configurator Layout

    Chapter 2 The Web Configurator 2.2 Web Configurator Layout Figure 9 Screen Layout As illustrated above, the main screen is divided into these parts: • A - title bar • B - main window • C - navigation panel 2.2.1 Title Bar The title bar provides some icons in the upper right corner.
  • Page 28: Main Window

    Chapter 2 The Web Configurator 2.2.2 Main Window The main window displays information and configuration fields. It is discussed in the rest of this document. See Chapter 5 on page 97 for more information about the Status screen. If you click Virtual Device on the System Info screen, a graphic shows the connection status of the Device’s ports.
  • Page 29 Chapter 2 The Web Configurator Table 3 Navigation Panel Summary (continued) LINK FUNCTION LAN Setup Use this screen to configure LAN TCP/IP settings, and other advanced properties. Static DHCP Use this screen to assign specific IP addresses to individual MAC addresses.
  • Page 30 Chapter 2 The Web Configurator Table 3 Navigation Panel Summary (continued) LINK FUNCTION Scheduler Rule Scheduler Rule Use this screen to configure the days and times when a configured restriction (such as User Access control) is enforced. Certificates Local Certificates Use this screen to view a summary list of certificates and manage certificates and certification requests.
  • Page 31 Chapter 2 The Web Configurator Table 3 Navigation Panel Summary (continued) LINK FUNCTION Log Setting Log Setting Use this screen to change your SBG3500-N Series’s log settings. Firmware Firmware Use this screen to upload firmware to your device. Upgrade Upgrade Configuration Configuration Use this screen to backup and restore your device’s configuration...
  • Page 32: Quick Start

    Chapter 3 Quick Start 3.1 Overview Use the Quick Start screens to configure the SBG3500-N Series’s time zone, basic Internet access, and wireless settings. Note: See the technical reference chapters (starting on page 96) for background information on the features in this chapter. 3.2 Quick Start Setup The Quick Start Wizard appears automatically after login.
  • Page 33 Chapter 3 Quick Start Figure 12 WAN Interface Selection Enter your Internet connection information in this screen. The screen and fields to enter may vary depending on your current connection type. Click Next. Figure 13 Internet Connection Turn the wireless LAN on or off. If you keep it on, record the security settings so you can configure your wireless clients to connect to the SBG3500-N Series.
  • Page 34 Chapter 3 Quick Start Figure 14 Internet Connection Your SBG3500-N Series saves your settings and attempts to connect to the Internet. SBG3500-N Series User’s Guide...
  • Page 35: Tutorials

    Chapter 4 Tutorials 4.1 Overview This chapter shows you how to use the SBG3500-N Series’s various features. • Setting Up an ADSL PPPoE Connection, see page 35 • Setting Up a GbE WAN connection, see page 38 • Setting Up a 3G WAN connection, see page 40...
  • Page 36 Chapter 4 Tutorials In this example, the DSL connection has the following information. General Name MyDSLConnection Type ADSL Connection Mode Routing Encapsulation PPPoE IPv6/IPv4 Mode IPv4 ATM PVC Configuration VPI/VCI 36/48 Encapsulation Mode LLC/SNAP-Bridging Service Category UBR without PCR Account Information PPP User Name 1234@DSL-Ex.com PPP Password...
  • Page 37 Chapter 4 Tutorials You should see a summary of your new DSL connection setup in the Broadband screen as follows. SBG3500-N Series User’s Guide...
  • Page 38: Setting Up A Gbe Wan Connection

    Chapter 4 Tutorials Try to connect to a website to see if you have correctly set up your Internet connection. Be sure to contact your service provider for any information you need to configure the WAN screens. 4.3 Setting Up a GbE WAN connection This tutorial shows you how to set up your Gigabit Ethernet WAN connection using the Web Configurator.
  • Page 39 Chapter 4 Tutorials In this example, the Ethernet connection has the following information. General Name MyETHER Type Ethernet Mode Routing Service and PPPoE Encapsulation IPv6/IPv4 Mode IPv4 Account Information 802.1p 802.1q 300 kbps SBG3500-N Series User’s Guide...
  • Page 40: Setting Up A 3G Wan Connection

    Chapter 4 Tutorials PPP User Name 1234@ETHER-Ex.com PPP Password ABCDEF! PPP Auto Connect Enabled PPPoE Service name ethertest PPPoE Passthrough Enabled 1492 IP Address 192.168.1.40 Primary DNS Server 192.168.5.5 Secondary DNS Server 192.168.5.6 Others PPPoE Passthrough: Disabled NAT: Enabled IGMP Multicast Proxy: Enabled Apply as Default Gateway: Enabled You should see a summary of your new Ethernet connection setup in the Broadband screen as follows.
  • Page 41: Configuring The Wireless Network Settings

    Chapter 4 Tutorials Thomas has to configure the wireless network settings on the SBG3500-N Series. Then he can set up a wireless network using WPS (Section 4.5.2 on page 43) or manual configuration (Section 4.5.3 on page 47). 4.5.1 Configuring the Wireless Network Settings This example uses the following parameters to set up a wireless network.
  • Page 42 Chapter 4 Tutorials Go to the Wireless > Others screen and select 802.11b/g/n Mixed in the 802.11 Mode field. Click Apply. SBG3500-N Series User’s Guide...
  • Page 43: Using Wps

    Chapter 4 Tutorials Thomas can now use the WPS feature to establish a wireless connection between his notebook and the SBG3500-N Series (see Section 4.5.2 on page 43). He can also use the notebook’s wireless client to search for the SBG3500-N Series (see Section 4.5.3 on page 47).
  • Page 44 Chapter 4 Tutorials Note: Your SBG3500-N Series has a WPS button located on its front panel as well as a WPS button in its configuration utility. Both buttons have exactly the same function: you can use one or the other. Note: It doesn’t matter which device’s WPS you enable first, but you must enable the second device’s WPS within two minutes of enabling the first one.
  • Page 45 Chapter 4 Tutorials Example WPS Process: PBC Method Wireless Client Device WITHIN 2 MINUTES Click “Connect” SECURITY INFO COMMUNICATION PIN Configuration When you use the PIN configuration method, you need to use both the SBG3500-N Series’s web configurator and the wireless client’s utility. Launch your wireless client’s configuration utility.
  • Page 46 Chapter 4 Tutorials Enter the PIN number of the wireless client and click the Register button. Activate WPS function on the wireless client utility screen within two minutes. The SBG3500-N Series authenticates the wireless client and sends the proper configuration settings to the wireless client.
  • Page 47: Without Wps

    Chapter 4 Tutorials Example WPS Process: PIN Method Wireless Client ZyXEL Device WITHIN 2 MINUTES Authentication by PIN SECURITY INFO COMMUNICATION 4.5.3 Without WPS Use the wireless adapter’s utility installed on the notebook to search for the “Example” SSID. Then enter the “DoNotStealMyWirelessNetwork”...
  • Page 48: Setting Up Multiple Wireless Groups

    Chapter 4 Tutorials 4.6 Setting Up Multiple Wireless Groups Company A wants to create different wireless network groups for different types of users as shown in the following figure. Each group has its own SSID and security mode. Company Guest •...
  • Page 49 Chapter 4 Tutorials Click Network Setting > Wireless > More AP to open the following screen. Click the Edit icon to configure the second wireless network group. Configure the screen using the provided parameters and click Apply. SBG3500-N Series User’s Guide...
  • Page 50 Chapter 4 Tutorials In the More AP screen, click the Edit icon to configure the third wireless network group. Configure the screen using the provided parameters and click Apply. SBG3500-N Series User’s Guide...
  • Page 51: Configuring Static Route For Routing To Another Network

    Chapter 4 Tutorials Check the status of VIP and Guest in the More AP screen. The yellow bulbs signify that the SSIDs are active and ready for wireless access. 4.7 Configuring Static Route for Routing to Another Network In order to extend your Intranet and control traffic flowing directions, you may connect a router to the SBG3500-N Series’s LAN.
  • Page 52 Chapter 4 Tutorials In the following figure, router R is connected to the SBG3500-N Series’s LAN. R connects to two networks, N1 (192.168.1.x/24) and N2 (192.168.10.x/24). If you want to send traffic from computer A (in N1 network) to computer B (in N2 network), the traffic is sent to the SBG3500-N Series’s WAN default gateway by default.
  • Page 53 Chapter 4 Tutorials Table 4 IP Settings in this Tutorial DEVICE / COMPUTER IP ADDRESS R’s N1 192.168.1.253 R’s N2 192.168.10.2 192.168.10.33 To configure a static route to route traffic from N1 to N2: Log into the SBG3500-N Series’s Web Configurator in advanced mode. Click Network Setting >...
  • Page 54: Configuring Qos Queue And Class Setup

    Chapter 4 Tutorials 4.8 Configuring QoS Queue and Class Setup This section contains tutorials on how you can configure the QoS screen. Let’s say you are a team leader of a small sales branch office. You want to prioritize e-mail traffic because your task includes sending urgent updates to clients at least twice every hour.
  • Page 55 Chapter 4 Tutorials Tutorial: Advanced > QoS Click Queue Setup > Add new Queue to create a new queue. In the screen that opens, check Active and enter or select the following values: • Name: E-mail • Interface: WAN • Priority: 1 (High) •...
  • Page 56 Chapter 4 Tutorials Tutorial: Advanced > QoS > Class Setup Class Name Give a class name to this traffic, such as E-mail in this example. From This is the interface from which the traffic will be coming from. Select LAN1 for this Interface example.
  • Page 57: Access The Sbg3500-N Series Using Ddns

    Chapter 4 Tutorials This maps e-mail traffic coming from port 25 to the highest priority, which you have created in the previous screen (see the IP Protocol field). This also maps your computer’s IP address and MAC address to the E-mail queue (see the Source fields). Verify that the queue setup works by checking Network Setting >...
  • Page 58: Configuring Ddns On Your Sbg3500-N Series

    Chapter 4 Tutorials Then you will need to configure the same account and host name on the SBG3500-N Series later. 4.9.2 Configuring DDNS on Your SBG3500-N Series Configure the following settings in the Network Setting > DNS > Dynamic DNS screen. •...
  • Page 59 Chapter 4 Tutorials Thomas Josephine Click Security > MAC Filter to open the MAC Filter screen. Select the Enable check box to activate MAC filter function. Select Allow. Then enter the host name and MAC address of Thomas’ computer in this screen. Click Apply.
  • Page 60: Access Your Shared Files From A Computer

    Chapter 4 Tutorials 4.11 Access Your Shared Files From a Computer Here is how to enable the Samba feature on the SBG3500-N Series and access a file storage device connected to the SBG3500-N Series’s USB port. Log into the web configurator and go to the Maintenance > User Account screen. Click the Edit icon on the account you are currently using.
  • Page 61: Certificate Configuration For Vpn

    Chapter 4 Tutorials File Sharing via Windows Explorer Once you log in the USB device displays in the folder. 4.12 Certificate Configuration for VPN You may generate a self-signed Certification Authority (CA) certificate using a third party tool or get an official CA certificate from any trusted certificate agent.
  • Page 62 Chapter 4 Tutorials In the Security > Certificates > Local Certificates screen, click Create Certificate Request. Enter your information as shown in the following screen and click Apply. The contents of the certificate display in the View Certificate screen. Copy the Signing Request section and paste it to a file (for example, sbg.req) in Fedora, or another system, which contains your original CA certificate.
  • Page 63 Chapter 4 Tutorials In Fedora, issue the following openssl command to generate the host certificate for the SBG3500-N Series: openssl ca -config ./openssl.conf -policy policy_anything -out sbg.pem -infiles sbg.req Click the Load_Signed button in the View Certificate screen. Cut the contents of sbg.pem (only the binary portion between BEGIN CERTIFICATE and END CERTIFICATE).
  • Page 64: Examples Of Configuring Ipsec Vpn Rules

    Chapter 4 Tutorials 10 Now you may configure VPN to use the new certificate for authentication in the VPN > IPSec VPN > Monitor screen. 4.13 Examples of Configuring IPSec VPN Rules The first two examples show how to configure Site-to-Site rules with pre-shared secrets. The first example uses 3DES encryption and the second one uses AES128.
  • Page 65 Chapter 4 Tutorials Authentication SHA1 Key Group Phase 2 SA Life Time 3600 Tunnel Mode Encapsulation Tunnel Encryption 3DES Authentication SHA1 Policy Local IP Type Subnet Local IP Address 192.168.1.0 Local Subnet Mask 255.255.255.0 Remote IP Type Subnet Remote IP Address 172.23.9.0 Remote Subnet Mask 255.255.255.0...
  • Page 66 Chapter 4 Tutorials You can see the new IPSec VPN rule you’ve just created in the VPN > IPSec VPN > Monitor screen. SBG3500-N Series User’s Guide...
  • Page 67: Example 2: Use Aes128 Encryption

    Chapter 4 Tutorials 4.13.2 Example 2: Use AES128 Encryption Here is another example of creating a Gateway-to-Gateway IPSec VPN rule with pre-shared secrets. Click the Add New Entry button in the VPN > IPSec VPN > Setup screen. Enter vpn2 as the Connection Name. Remove the existing encryption by clicking Remove icon or Reset button.
  • Page 68: Example 3: Configuring A Site-To-Site With Dynamic Peer Rule

    Chapter 4 Tutorials You can see the new IPSec VPN rule you’ve just created in the VPN > IPSec VPN > Monitor screen. 4.13.3 Example 3: Configuring a Site-to-Site with Dynamic Peer Rule Select Site-to-Site with Dynamic Peer in the Application Scenario field in the General section.
  • Page 69: Pptp Vpn Tutorial

    Chapter 4 Tutorials Note: The policy for the remote VPN client is not shown in the screen because it is an unknown to the remote access VPN client. 4.14 PPTP VPN Tutorial The example uses the following settings in setting up a basic PPTP VPN tunnel. Figure 15 PPTP VPN Example 172.16.1.2 PPTP VPN IP Address Pool:...
  • Page 70: Configuring Pptp Vpn On Windows (Client)

    Chapter 4 Tutorials 4.14.2 Configuring PPTP VPN on Windows (Client) The following sections cover how to configure PPTP in remote user computers using Windows 7, Vista and XP. The example settings in these sections match the PPTP VPN configuration example in Section 4.14 on page On Windows 7 On Windows 7, do the following to establish a PPTP VPN connection.
  • Page 71 Chapter 4 Tutorials Select Use my Internet connection (VPN). Enter the domain name or WAN IP Address that you want to connect to (172.16.1.2 in this example) and give this connection a name. Select Don't connect now; just set it up so I can connect later.
  • Page 72 Chapter 4 Tutorials Click Create. Enter the user name and password later. Click Close. Do not connect yet. SBG3500-N Series User’s Guide...
  • Page 73 Chapter 4 Tutorials Click the Network icon in your system tray, then click Connect to a Network and Sharing Center on Windows 7. Click Change adapter settings. Double-click the new connection icon. SBG3500-N Series User’s Guide...
  • Page 74 Chapter 4 Tutorials 10 The connection screen appears. Click Properties. 11 The Properties window appears. Click Security. 12 Select Point to Point Tunneling Protocol (PPTP) as the Type of VPN. Select Maximum strength encryption (disconnect if server declines) and the Allow these protocols radio button.
  • Page 75 Chapter 4 Tutorials 13 In the Connect window, enter the username and password of your SBG3500-N Series’s account. Click Connect. Note: The user account must have been configured in the Maintenance > User Account screen. Refer to Chapter 33 on page 325.
  • Page 76 Chapter 4 Tutorials 16 Click the Network icon in your system tray, then right click the PPTP connection and select Status to open the connection status screen. 17 From the status screen, you can disconnect this connection. Or you can click Details to see the connection details.
  • Page 77: Configuring Pptp Vpn On Android Devices (Client)

    Chapter 4 Tutorials 18 Access a server or other network resource on subnet 192.168.1.0 behind the SBG3500-N Series to make sure your access works. 4.14.3 Configuring PPTP VPN on Android Devices (Client) The following sections cover how to configure the built-in PPTP client in remote user’s Android devices.
  • Page 78 Chapter 4 Tutorials Fill out the following fields. • VPN Name: Enter a name for your VPN configuration. • Set VPN Server: This is the WAN IP address of the SBG3500-N Series, in this example, 172.16.1.2 • Enable Encryption: checked. •...
  • Page 79: Configuring Pptp Vpn In Ios Devices (Client)

    Chapter 4 Tutorials 4.14.4 Configuring PPTP VPN in iOS Devices (Client) The following sections cover how to configure the built-in PPTP client in iOS devices (iPhone, iPad, iPod Touch, etc). Due to GUI difference among various iOS devices, the figures may not match what your iOS device displays.
  • Page 80 Chapter 4 Tutorials Select the PPTP tab. Enter the following fields. • Description: Enter a name for your VPN configuration. • Server: This is the WAN IP address of the SBG3500-N Series, in this example, 172.16.1.2. • Account: This is the user account created on SBG3500-N Series for accessing the network via VPN.
  • Page 81: L2Tp Vpn Tutorial

    Chapter 4 Tutorials 4.15 L2TP VPN Tutorial This section illustrates how to set up a basic L2TP VPN tunnel between the SBG3500-N Series and a remote client. The example uses the following settings in setting up a basic L2TP VPN tunnel. Figure 16 L2TP VPN Example 172.16.1.2 L2TP VPN IP Address Pool:...
  • Page 82: Configuring The L2Tp Vpn Setup (Server)

    Chapter 4 Tutorials Select the Enable checkbox. Select Pre-Shared Key and configure a password. This example uses 1234567890. Click Apply. 4.15.2 Configuring the L2TP VPN Setup (Server) Go to the VPN > L2TP VPN > Setup screen and configure the following: •...
  • Page 83: Configuring L2Tp Vpn In Windows (Client)

    Chapter 4 Tutorials 4.15.3 Configuring L2TP VPN in Windows (Client) The following sections cover how to configure L2TP on the remote user computers using Windows 7, . The example settings in these sections match the L2TP VPN configuration example in Section on page 4.15.3.1 Enabling IPSec Service in Windows...
  • Page 84: Configuring L2Tp Vpn On Windows 7

    Chapter 4 Tutorials In the Services window, scroll down to find IPsec Policy Agent. Make sure the status is Started. If not, click Start the service in the left panel. 4.15.4 Configuring L2TP VPN on Windows 7 In Windows 7 do the following to establish an L2TP VPN connection. SBG3500-N Series User’s Guide...
  • Page 85 Chapter 4 Tutorials Click Start > Control Panel > Network and Internet. Click Network and Sharing Center > Setup a new connection or network > Connect to a workplace. Click Next. Select No, create a new connection. Click Next. SBG3500-N Series User’s Guide...
  • Page 86 Chapter 4 Tutorials Select Use my Internet connection (VPN). Enter the domain name or WAN IP Address that you want to connect to (172.16.1.2 in this example) and give this connection a name. Select Don't connect now; just set it up so I can connect later.
  • Page 87 Chapter 4 Tutorials Click Close. Do not connect yet. Click the Network icon in your system tray, then click Open Network and Sharing Center. Click Change adapter settings.
  • Page 88 Chapter 4 Tutorials 10 Double-click the new connection icon. 11 The connection screen appears. Click Properties.
  • Page 89 Chapter 4 Tutorials 12 The Properties window appears. Click Security. 13 Select Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec) as the Type of VPN. Select Optional encryption (connect even if no encryption) and the Allow these protocols radio button. Select Microsoft CHAP Version 2 (MS-CHAP v2) and clear all of the other check boxes. Do not click OK yet.
  • Page 90 Chapter 4 Tutorials 16 A window appears while the username and password are verified. The connection is then established. 17 Click the Network icon in your system tray, then right click the L2TP connection and select Status to open the connection status screen. 18 From the status screen, you can disconnect this connection.
  • Page 91: Configuring L2TP VPN On Android Devices (Client)

    Chapter 4 Tutorials 4.15.5 Configuring L2TP VPN on Android Devices (Client) The following sections cover how to configure the built-in L2TP client on remote users’ Android devices. Due to GUI differences among various Android devices, the figures may not exactly match what your Android device displays.
  • Page 92 Chapter 4 Tutorials On some Android versions, you may have to tap the button instead. The Edit VPN profile screen appears. Fill out the following fields. • Name: Enter a name for your VPN configuration. • Type: Select L2TP/IPSec PSK. •...
  • Page 93: Configuring L2TP VPN In iOS Devices (Client)

    Chapter 4 Tutorials Enter the username and password of your user account configured on the SBG3500-N Series. Note: The user account must have been configured in the Maintenance > User Account screen. Refer to Chapter 33 on page 325. You can see Connected when the L2TP VPN connection has been established. Click the connection name to get connection details.
  • Page 94 Chapter 4 Tutorials your iOS device displays. The example settings in these sections match the L2TP VPN configuration example in Section on page On your iOS device, select Home > Settings > General > Network. Select VPN > Add VPN Configuration…. Select the L2TP tab.
  • Page 95 Chapter 4 Tutorials Save the configuration. The saved configuration appears on the VPN screen. Select it and then slide the VPN bar to the ON position. Your iOS device will begin the L2TP connection.
  • Page 96: Technical Reference

    Technical Reference...
  • Page 97: Status Screens

    Chapter 5 Status Screens 5.1 Overview After you log into the Web Configurator, the Status screen appears. You can use the Status screen to look at the current status of the Device, system resources, and interfaces (LAN, WAN, and WLAN).
  • Page 98 Chapter 5 Status Screens Table 5 Status Screen (continued) LABEL DESCRIPTION WAN Information (These fields display when you have a WAN connection.) WAN Type This field displays the current WAN connection type. MAC Address This shows the WAN Ethernet adapter MAC (Media Access Control) Address of your SBG3500-N Series.
  • Page 99 Chapter 5 Status Screens Table 5 Status Screen (continued) LABEL DESCRIPTION Memory Usage This field displays what percentage of the SBG3500-N Series’s memory is currently used. Usually, this percentage should not increase much. If memory usage does get close to 100%, the SBG3500-N Series is probably becoming unstable, and you should restart the device.
  • Page 100: Broadband

    Chapter 6 Broadband 6.1 Overview This chapter discusses the SBG3500-N Series’s Broadband screens. Use these screens to configure your SBG3500-N Series for Internet access. A WAN (Wide Area Network) connection is an outside connection to another network or the Internet.
  • Page 101: What You Need To Know

    Chapter 6 Broadband • Use the Add New 3G Dongle screen to view or add a new 3G dongle (Section 6.4 on page 118). • Use the Advanced screen to enable or disable PTM over ADSL, Annex M, and DSL PhyR functions (Section 6.4.1 on page 118).
  • Page 102 Chapter 6 Broadband WAN IP Address The WAN IP address is an IP address for the SBG3500-N Series, which makes it accessible from an outside network. It is used by the SBG3500-N Series to communicate with other devices in other networks.
  • Page 103 Chapter 6 Broadband • Any number of consecutive blocks of zeros can be replaced by a double colon. A double colon can only appear once in an IPv6 address. So 2001:0db8:0000:0000:1a2f:0000:0000:0015 can be written as 2001:0db8::1a2f:0000:0000:0015, 2001:0db8:0000:0000:1a2f::0015, 2001:db8::1a2f:0:0:15 or 2001:db8:0:0:1a2f::15. IPv6 Prefix and Prefix Length Similar to an IPv4 subnet mask, IPv6 uses an address prefix to represent the network address.
  • Page 104: Before You Begin

    Chapter 6 Broadband Dual Stack Lite Use Dual Stack Lite when local network computers use IPv4 and the ISP has an IPv6 network. When the SBG3500-N Series has an IPv6 WAN address and you set IPv6/IPv4 Mode to IPv6 Only, you can enable Dual Stack Lite to use IPv4 computers and services. The SBG3500-N Series tunnels IPv4 packets inside IPv6 encapsulation packets to the ISP’s Address Family Transition Router (AFTR in the graphic) to connect to the IPv4 Internet.
  • Page 105 Chapter 6 Broadband The following table describes the labels in this screen. Table 7 Network Setting > Broadband LABEL DESCRIPTION Add new WAN Interface Click this button to create a new connection. This is the index number of the entry. Name This is the service name of the connection.
  • Page 106: Add/Edit Internet Connection

    Chapter 6 Broadband 6.2.1 Add/Edit Internet Connection Click Add new WAN Interface in the Broadband screen or the Edit icon next to an existing WAN interface to configure a WAN connection. The screen varies depending on the interface type, mode, encapsulation, and IPv6/IPv4 mode you select.
  • Page 107 Chapter 6 Broadband Table 8 Routing Mode (continued) LABEL DESCRIPTION Type Select whether it is ADSL/VDSL over PTM, ADSL over ATM, or Ethernet connection. • ADSL/VDSL over PTM: The SBG3500-N Series uses the VDSL technology for data transmission over the DSL port. •...
  • Page 108 Chapter 6 Broadband Table 8 Routing Mode (continued) LABEL DESCRIPTION Encapsulation Mode Select the method of multiplexing used by your ISP from the drop-down list box. Choices are: • LLC/SNAP-BRIDGING: In LLC encapsulation, bridged PDUs are encapsulated by identifying the type of the bridged media in the SNAP header. This is available only when you select IPoE or PPPoE in the Select DSL Link Type field.
  • Page 109 Chapter 6 Broadband Table 8 Routing Mode (continued) LABEL DESCRIPTION PPPoE Passthrough This field is available when you select PPPoE encapsulation. In addition to the SBG3500-N Series’s built-in PPPoE client, you can enable PPPoE pass through to allow up to ten hosts on the LAN to use PPPoE client software on their computers to connect to the ISP via the SBG3500-N Series.
  • Page 110 Chapter 6 Broadband Table 8 Routing Mode (continued) LABEL DESCRIPTION WAN IPv6 Address Enter the IPv6 address assigned by your ISP. Prefix Length Enter the address prefix length to specify how many most significant bits in an IPv6 address compose the network address. Next Hop Enter the IP address of the next-hop gateway.
  • Page 111: Bridge Mode

    Chapter 6 Broadband Table 8 Routing Mode (continued) LABEL DESCRIPTION 802.1q Type the VLAN ID number (from 1 to 4094) for traffic through this connection. Rate Limit Enter the rate limit for the connection. This is the maximum transmission rate allowed for traffic on this connection.
  • Page 112 Chapter 6 Broadband Table 9 Bridge Mode (ADSL/VDSL over PTM) (continued) LABEL DESCRIPTION Mode Select Bridge when your ISP provides you more than one IP address and you want the connected computers to get individual IP address from ISP’s DHCP server directly. If you select Bridge, you cannot use routing functions, such as QoS, Firewall, DHCP server and NAT on traffic from the selected LAN port(s).
  • Page 113 Chapter 6 Broadband Table 10 Bridge Mode (ADSL over ATM) (continued) LABEL DESCRIPTION Name Enter a service name of the connection. Type Select ADSL over ATM as the interface for which you want to configure here. The SBG3500-N Series uses the ADSL technology for data transmission over the DSL port. Mode Select Bridge when your ISP provides you more than one IP address and you want the connected computers to get individual IP address from ISP’s DHCP server directly.
  • Page 114: The 3G WAN Screen

    Chapter 6 Broadband Table 10 Bridge Mode (ADSL over ATM) (continued) LABEL DESCRIPTION Maximum Burst Size Maximum Burst Size (MBS) refers to the maximum number of cells that can be sent at the peak rate. Type the MBS, which is less than 65535. This field is available only when you select Non Realtime VBR or Realtime VBR.
  • Page 115 Chapter 6 Broadband Figure 26 Network Setting > Broadband > 3G WAN
  • Page 116 Chapter 6 Broadband The following table describes the labels in this screen. Table 11 Network Setting > Broadband > 3G WAN LABEL DESCRIPTION 3G Connection Settings Card description This field displays the manufacturer and model name of your 3G card if you inserted one in the SBG3500-N Series.
  • Page 117 Chapter 6 Broadband Table 11 Network Setting > Broadband > 3G WAN (continued) LABEL DESCRIPTION Time Budget Click the check box Time Budget to set the number of hours that the user account is allowed per month. Data Budget Click the check box Data Budget to set the amount of data in Mbytes or kPackets that is allowed for transmission for the user account.
  • Page 118: The Add New 3G Dongle Screen

    Chapter 6 Broadband 6.4 The Add New 3G Dongle Screen Use the Add New 3G Dongle screen to view and manage the list of 3G dongles the SBG3500-N Series can use for a 3G backup connection. Click Network Setting > Broadband > Add New 3G Dongle to display the following screen. Figure 27 Network Setting >...
  • Page 119: The Advanced Screen

    Chapter 6 Broadband The following table describes the labels in this screen. Table 13 Add 3G Dongle Information LABEL DESCRIPTION Default VID Enter the default vendor ID of the 3G dongle. Default PID Enter the default product ID of the 3G dongle. Target VID Enter the target vendor ID of the 3G dongle.
  • Page 120: The 802.1x Screen

    Chapter 6 Broadband Table 14 Network Setting > Network Setting > Advanced (continued) LABEL DESCRIPTION PhyR US Enable or disable PhyR US (upstream) for upstream transmission to the WAN. PhyR US should be enabled if data being transmitted upstream is sensitive to noise. However, enabling PhyR US can decrease the US line rate.
  • Page 121: Edit 802.1x Settings

    Chapter 6 Broadband Table 15 Network Setting > Network Setting > 802.1x (continued) LABEL DESCRIPTION Apply Click Apply to save your changes back to the SBG3500-N Series. Cancel Click Cancel to return to the previous configuration. 6.6.1 Edit 802.1x Settings Use this screen to edit a 802.1x authentication’s settings.
  • Page 122: The Multi-WAN Screen

    Chapter 6 Broadband 6.7 The multi-WAN Screen Use the multi-WAN screen to configure the multiple WAN load-balance and fail-over rules to distribute traffic among different interfaces. This helps to increase overall network throughput and reliability. Load-balancing divides traffic loads between multiple interfaces. This allows you to improve quality of service and maximize bandwidth utilization for multiple ISP links.
  • Page 123: How To Configure Multi-WAN For Load-Balancing And Fail-Over

    Chapter 6 Broadband Figure 33 multi-WAN: Add/Edit The following table describes the labels in this screen. Table 18 multi-WAN: Add/Edit LABEL DESCRIPTION Interface If you are adding a new entry, select the interface that you want to configure this rule for. The list shows the interfaces that have not configured multi-WAN rules.
  • Page 124 Chapter 6 Broadband As these two wired WAN connections have different bandwidths, you can set multi-WAN to send traffic over these WAN connections in a 3:1 ratio. Most 3G WAN connections charge the user for the amount of data sent, so you can set multi-WAN to send traffic over the 3G WAN connection only if all other WAN connections are unavailable.
  • Page 125: Technical Reference

    Chapter 6 Broadband 6.7.2.2 What Can Go Wrong? • There can only be one WAN connection configured as passive mode at a time. If there is already a WAN connection configured as passive mode, you will not be able to add or edit another WAN connection in passive mode until the aforementioned WAN connection is changed to active mode or deleted.
  • Page 126 Chapter 6 Broadband Service Provider’s (ISP) DSLAM (digital access multiplexer). Please refer to RFC 2364 for more information on PPPoA. Refer to RFC 1661 for more information on PPP. PPP over Ethernet (PPPoE) Point-to-Point Protocol over Ethernet (PPPoE) provides access control and billing functionality in a manner similar to dial-up services using PPP.
  • Page 127: IP Address Assignment

    Chapter 6 Broadband Unspecified Bit Rate (UBR) The Unspecified Bit Rate (UBR) ATM traffic class is for bursty data transfers. However, UBR doesn't guarantee any bandwidth and only delivers traffic when the network has spare bandwidth. An example application is background file transfer. IP Address Assignment A static IP is a fixed IP that your ISP gives you.
  • Page 128 Chapter 6 Broadband Multicast IP packets are transmitted in either one of two ways - Unicast (1 sender - 1 recipient) or Broadcast (1 sender - everybody on the network). Multicast delivers IP packets to a group of hosts on the network - not everybody and not just 1.
  • Page 129 Chapter 6 Broadband compose the network address. The prefix length is written as “/x” where x is a number. For example, 2001:db8:1a2b:15::1a2f:0/32 means that the first 32 bits (2001:db8) are the subnet prefix.
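The IPv6 notation rules from Page 103 (the double colon) and the prefix-length example above matter in practice when addresses typed into a firewall rule or ACL have to be matched against addresses in logs, because one address has several valid spellings. The following is an added example, not part of the ZyXEL manual: it expands and shortens addresses by hand and derives the subnet prefix. Choosing the longest, leftmost run of zero blocks for the double colon follows RFC 5952 and goes beyond what the manual states; the function names are hypothetical.

```python
import ipaddress
import string

# The address from the manual together with the shorter spellings it lists.
PAGE_FORMS = [
    "2001:0db8:0000:0000:1a2f:0000:0000:0015",
    "2001:0db8::1a2f:0000:0000:0015",
    "2001:0db8:0000:0000:1a2f::0015",
    "2001:db8::1a2f:0:0:15",
    "2001:db8:0:0:1a2f::15",
]


def expand(addr: str) -> str:
    """Return the full form: 8 blocks of 4 hex digits each.

    Embedded IPv4 notation (::ffff:192.0.2.1) is deliberately not handled.
    """
    if addr.count("::") > 1:
        raise ValueError("a double colon can only appear once")
    if "::" in addr:
        head, tail = addr.split("::")
        head_blocks = head.split(":") if head else []
        tail_blocks = tail.split(":") if tail else []
        missing = 8 - len(head_blocks) - len(tail_blocks)
        if missing < 1:
            raise ValueError("double colon must stand for at least one block")
        blocks = head_blocks + ["0"] * missing + tail_blocks
    else:
        blocks = addr.split(":")
    if len(blocks) != 8:
        raise ValueError("an IPv6 address has exactly 8 blocks")
    for block in blocks:
        if not 1 <= len(block) <= 4:
            raise ValueError(f"bad block length: {block!r}")
        if any(ch not in string.hexdigits for ch in block):
            raise ValueError(f"non-hex character in block: {block!r}")
    return ":".join(block.lower().zfill(4) for block in blocks)


def compress(addr: str) -> str:
    """Return the shortest spelling (RFC 5952 choice, an assumption here):
    drop leading zeros, then replace the longest run of two or more zero
    blocks with '::', taking the leftmost run on a tie."""
    blocks = [format(int(b, 16), "x") for b in expand(addr).split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if blocks[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and blocks[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(blocks)
    left = ":".join(blocks[:best_start])
    right = ":".join(blocks[best_start + best_len:])
    return f"{left}::{right}"


def network_prefix(cidr: str) -> str:
    """Keep the first /x bits of the address and zero the rest."""
    addr, length_text = cidr.split("/")
    length = int(length_text)
    if not 0 <= length <= 128:
        raise ValueError("prefix length must be between 0 and 128")
    value = int(expand(addr).replace(":", ""), 16)
    mask = ((1 << length) - 1) << (128 - length)
    digits = format(value & mask, "032x")
    full = ":".join(digits[k:k + 4] for k in range(0, 32, 4))
    return f"{compress(full)}/{length}"


def agrees_with_stdlib(addr: str) -> bool:
    """Cross-check the hand-written rules against Python's ipaddress module."""
    return compress(addr) == str(ipaddress.IPv6Address(addr))


if __name__ == "__main__":
    for form in PAGE_FORMS:
        print(f"{form:42} -> {expand(form)} -> {compress(form)}")
    print(network_prefix("2001:db8:1a2b:15::1a2f:0/32"))
```

Comparing addresses only after `expand()` (or `compress()`) avoids a rule silently failing to match because the same address was written differently in two places.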
  • Page 130: Wireless

    Chapter 7 Wireless 7.1 Overview This chapter describes the SBG3500-N Series’s Network Setting > Wireless screens. Use these screens to set up your SBG3500-N Series’s wireless connection. 7.1.1 What You Can Do in this Chapter This section describes the SBG3500-N Series’s Wireless screens. Use these screens to set up your SBG3500-N Series’s wireless connection.
  • Page 131: What You Need To Know

    Chapter 7 Wireless 7.1.2 What You Need to Know Wireless Basics “Wireless” is essentially radio communication. In the same way that walkie-talkie radios send and receive information over the airwaves, wireless networking devices exchange information with one another. A wireless networking device is just like a radio that lets your computer exchange information with radios attached to other computers.
  • Page 132 Chapter 7 Wireless Figure 34 Network Setting > Wireless > General The following table describes the general wireless LAN labels in this screen. Table 19 Network Setting > Wireless > General LABEL DESCRIPTION Wireless Network Setup Wireless You can Enable or Disable the wireless LAN in this field. Band This shows the wireless band which this radio profile is using.
  • Page 133 Chapter 7 Wireless Table 19 Network Setting > Wireless > General (continued) LABEL DESCRIPTION Bandwidth Select whether the SBG3500-N Series uses a wireless channel width of 20MHz or 40MHz. A standard 20MHz channel offers transfer speeds of up to 150Mbps whereas a 40MHz channel uses two standard channels and offers speeds of up to 300 Mbps.
  • Page 134: No Security

    Chapter 7 Wireless Table 19 Network Setting > Wireless > General (continued) LABEL DESCRIPTION Security Mode Select Basic (WEP) or More Secure (WPA(2)-PSK, WPA(2)) to add security on this wireless network. The wireless clients which want to associate to this network must have same wireless security settings as the SBG3500-N Series.
  • Page 135 Chapter 7 Wireless Your SBG3500-N Series allows you to configure up to four 64-bit or 128-bit WEP keys but only one key can be enabled at any one time. In order to configure and enable WEP encryption, click Network Setting > Wireless to display the General screen, then select Basic as the security level.
  • Page 136: More Secure (WPA(2)-PSK)

    Chapter 7 Wireless 7.2.3 More Secure (WPA(2)-PSK) The WPA-PSK security mode provides both improved data encryption and user authentication over WEP. Using a Pre-Shared Key (PSK), both the SBG3500-N Series and the connecting client share a common password in order to validate the connection. This type of encryption, while robust, is not as strong as WPA, WPA2 or even WPA2-PSK.
  • Page 137: WPA(2) Authentication

    Chapter 7 Wireless Table 22 Wireless > General: More Secure: WPA(2)-PSK (continued) LABEL DESCRIPTION Encryption Select the encryption type (AES or TKIP+AES) for data encryption. Select AES if your wireless clients can all use AES. Select TKIP+AES to allow the wireless clients to use either TKIP or AES. Group Key Update Timer The Group Key Update Timer is the rate at which the RADIUS server sends a new group...
  • Page 138: The More AP Screen

    Chapter 7 Wireless Table 23 Wireless > General: More Secure: WPA(2) (continued) LABEL DESCRIPTION Authentication Server IP Address Enter the IP address of the external authentication server in dotted decimal notation. Port Number Enter the port number of the external authentication server. The default port number is 1812.
  • Page 139: Edit More AP

    Chapter 7 Wireless The following table describes the labels in this screen. Table 24 Network Setting > Wireless > More AP LABEL DESCRIPTION This is the index number of the entry. Status This field indicates whether this SSID is active. A yellow bulb signifies that this SSID is active.
  • Page 140 Chapter 7 Wireless The following table describes the fields in this screen. Table 25 More AP: Edit LABEL DESCRIPTION Wireless Network Setup Wireless You can Enable or Disable the wireless LAN in this field. Passphrase Type If you set security for the wireless LAN and have the SBG3500-N Series generate a password, the setting in this field determines how the SBG3500-N Series generates the password.
  • Page 141: MAC Authentication

    Chapter 7 Wireless 7.4 MAC Authentication This screen allows you to configure the ZyXEL Device to give exclusive access to specific devices (Allow) or exclude specific devices from accessing the ZyXEL Device (Deny). Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.
  • Page 142: The WPS Screen

    Chapter 7 Wireless 7.5 The WPS Screen Use this screen to configure WiFi Protected Setup (WPS) on your SBG3500-N Series. WPS allows you to quickly set up a wireless network with strong security, without having to configure security settings manually. Set up each WPS connection between two devices. Both devices must support WPS.
  • Page 143: The WMM Screen

    Chapter 7 Wireless Table 27 Network Setting > Wireless > WPS (continued) LABEL DESCRIPTION Connect Click this button to add another WPS-enabled wireless device (within wireless range of the SBG3500-N Series) to your wireless network. This button may either be a physical button on the outside of device, or a menu button similar to the Connect button on this screen.
  • Page 144: The Others Screen

    Chapter 7 Wireless The following table describes the labels in this screen. Table 28 Network Setting > Wireless > WMM LABEL DESCRIPTION Select On to have the SBG3500-N Series automatically give a service a priority level according to the ToS value in the IP header of packets it sends. WMM QoS (Wifi MultiMedia Quality of Service) gives high priority to voice and video, which makes them run more smoothly.
  • Page 145 Chapter 7 Wireless The following table describes the labels in this screen. Table 29 Network Setting > Wireless > Others LABEL DESCRIPTION RTS/CTS Threshold Data with its frame size larger than this value will perform the RTS (Request To Send)/CTS (Clear To Send) handshake.
  • Page 146: The Channel Status Screen

    Chapter 7 Wireless 7.8 The Channel Status Screen Use the Channel Status screen to scan wireless LAN channel noises and view the results. Click Network Setting > Wireless > Channel Status. The screen appears as shown. Click Scan to scan the wireless LAN channels. You can view the results in the Channel Scan Result section. Figure 45 Network Setting >...
  • Page 147 Chapter 7 Wireless • An “infrastructure” type of network has one or more access points and one or more wireless clients. The wireless clients connect to the access points. • An “ad-hoc” type of network is one in which there is no access point. Wireless clients connect to one another in order to exchange information.
  • Page 148: Additional Wireless Terms

    Chapter 7 Wireless variety of networks to exist in the same place without interfering with one another. When you create a network, you must select a channel to use. Since the available unlicensed spectrum varies from one country to another, the number of available channels also varies.
  • Page 149 Chapter 7 Wireless long string of apparently random numbers and letters - but it is not very secure if you use a short key which is very easy to guess - for example, a three-letter word from the dictionary. Because of the damage that can be done by a malicious attacker, it’s not just people who have sensitive information on their network who should use security.
  • Page 150: Signal Problems

    Chapter 7 Wireless Unauthorized wireless devices can still see the information that is sent in the wireless network, even if they cannot use the wireless network. Furthermore, there are ways for unauthorized wireless users to get a valid user name and password. Then, they can use that user name and password to use the wireless network.
  • Page 151: BSS

    Chapter 7 Wireless transmissions, such as military or air traffic control communications, or from machines that are coincidental emitters such as electric motors or microwaves. Problems with absorption occur when physical objects (such as thick walls) are between the two radios, muffling the signal. 7.9.5 BSS A Basic Service Set (BSS) exists when all communications between wireless stations or between a wireless station and a wired network client go through one access point (AP).
  • Page 152: Preamble Type

    Chapter 7 Wireless 7.9.6.1 Notes on Multiple BSSs • A maximum of eight BSSs are allowed on one AP simultaneously. • You must use different keys for different BSSs. If two wireless devices have different BSSIDs (they are in different BSSs), but have the same keys, they may hear each other’s communications (but not communicate with each other).
  • Page 153 Chapter 7 Wireless Ensure that the two devices you want to set up are within wireless range of one another. Look for a WPS button on each device. If the device does not have one, log into its configuration utility and locate the button (see the device’s User’s Guide for how to do this - for the SBG3500-N Series, see Section 7.6 on page 143).
  • Page 154: How WPS Works

    Chapter 7 Wireless On a computer connected to the wireless client, try to connect to the Internet. If you can connect, WPS was successful. If you cannot connect, check the list of associated wireless clients in the AP’s configuration utility. If you see the wireless client in the list, WPS was successful.
  • Page 155 Chapter 7 Wireless depends on the standards supported by the devices. If the registrar is already part of a network, it sends the existing information. If not, it generates the SSID and WPA(2)-PSK randomly. The following figure shows a WPS-enabled client (installed in a notebook computer) connecting to a WPS-enabled access point.
  • Page 156 Chapter 7 Wireless The following figure shows an example network. In step 1, both AP1 and Client 1 are unconfigured. When WPS is activated on both, they perform the handshake. In this example, AP1 is the registrar, and Client 1 is the enrollee. The registrar randomly generates the security information to set up the network, since it is unconfigured and has no existing information.
  • Page 157 Chapter 7 Wireless Figure 52 WPS: Example Network Step 3 EXISTING CONNECTION CLIENT 1 REGISTRAR CLIENT 2 ENROLLEE 7.9.8.5 Limitations of WPS WPS has some limitations of which you should be aware. • WPS works in Infrastructure networks only (where an AP and a wireless client communicate). It does not work in Ad-Hoc networks (where there is no AP).
  • Page 158 Chapter 7 Wireless access point is the WPS registrar, the enrollee, or was not involved in the WPS handshake; a rogue device must still associate with the access point to gain access to the network. Check the MAC addresses of your wireless clients (usually printed on a label on the bottom of the device). If there is an unknown MAC address you can remove it or reset the AP.
  • Page 159: LAN

    Chapter 8 LAN 8.1 Overview A Local Area Network (LAN) is a shared communication system to which many networking devices are connected. It is usually located in one immediate area such as a building or floor of a building. Use the LAN screens to help you configure a LAN DHCP server and manage IP addresses.
  • Page 160: What You Need To Know

    Chapter 8 LAN 8.1.2 What You Need To Know 8.1.2.1 About LAN IP Address IP addresses identify individual devices on a network. Every networking device (including computers, servers, routers, printers, etc.) needs an IP address to communicate across the network. These networking devices are also known as hosts. Subnet Mask Subnet masks determine the maximum number of possible hosts on a network.
  • Page 161: Before You Begin

    Chapter 8 LAN • Assigning lease times to mappings Windows Messenger is an example of an application that supports NAT traversal and UPnP. See the Chapter 11 on page 203 for more information on NAT. Cautions with UPnP The automated nature of NAT traversal applications in establishing their own services and opening firewall ports may present network security issues.
  • Page 162 Chapter 8 LAN Figure 53 Network Setting > LAN > LAN Setup
  • Page 163 Chapter 8 LAN The following table describes the fields in this screen. Table 32 Network Setting > LAN > LAN Setup LABEL DESCRIPTION Interface Group Group Name Select the interface group name for which you want to configure LAN settings. See Chapter 15 on page 243 for how to create a new interface group.
  • Page 164 Chapter 8 LAN Table 32 Network Setting > LAN > LAN Setup (continued) LABEL DESCRIPTION DHCP Server Lease Time This is the period of time DHCP-assigned addresses are used. DHCP automatically assigns IP addresses to clients when they log in. DHCP centralizes IP address management on central computers that run the DHCP server program.
  • Page 165: The Static DHCP Screen

    Chapter 8 LAN Table 32 Network Setting > LAN > LAN Setup (continued) LABEL DESCRIPTION LAN IPv6 Address Assign Setup Select how you want to obtain an IPv6 address: • stateless + DNS send by RADVD: The SBG3500-N Series uses IPv6 stateless autoconfiguration.
  • Page 166 Chapter 8 LAN The following table describes the labels in this screen. Table 33 Network Setting > LAN > Static DHCP LABEL DESCRIPTION Add new static lease Click this to add a new static DHCP entry. This is the index number of the entry. Status This field displays whether the client is connected to the SBG3500-N Series.
  • Page 167: The UPnP Screen

    Chapter 8 LAN 8.4 The UPnP Screen Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices. A UPnP device can dynamically join a network, obtain an IP address, convey its capabilities and learn about other devices on the network. In turn, a device can leave a network smoothly and automatically when it is no longer in use.
  • Page 168 Chapter 8 LAN Click the Start icon, Control Panel and then the Network and Sharing Center. Click Change Advanced Sharing Settings. Under the Network Discovery section, select Turn on network discovery and click Save Changes. Network discovery allows your computer to find other computers and devices on the network and other computers on the network to find your computer.
  • Page 169: Using UPnP In Windows XP Example

    Chapter 8 LAN 8.5.1 Using UPnP in Windows XP Example This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the SBG3500-N Series. Make sure the computer is connected to a LAN port of the SBG3500-N Series. Turn on your computer and the SBG3500-N Series.
  • Page 170 Chapter 8 LAN Figure 58 Internet Connection Properties You may edit or delete the port mappings or click Add to manually add port mappings. Figure 59 Internet Connection Properties: Advanced Settings Figure 60 Internet Connection Properties: Advanced Settings: Add Note: When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically.
  • Page 171: Web Configurator Easy Access

    Chapter 8 LAN Figure 61 System Tray Icon Double-click on the icon to display your current Internet connection status. Figure 62 Internet Connection Status 8.5.2 Web Configurator Easy Access With UPnP, you can access the web-based configurator on the SBG3500-N Series without finding out the IP address of the SBG3500-N Series first.
  • Page 172 Chapter 8 LAN Figure 63 Network Connections An icon with the description for each UPnP-enabled device displays under Local Network. Right-click on the icon for your SBG3500-N Series and select Invoke. The web configurator login screen displays. Figure 64 Network Connections: My Network Places Right-click on the icon for your SBG3500-N Series and select Properties.
  • Page 173 Chapter 8 LAN Figure 65 Network Connections: My Network Places: Properties: Example
  • Page 174: The Additional Subnet Screen

    Chapter 8 LAN 8.6 The Additional Subnet Screen Use the Additional Subnet screen to configure IP alias and public static IP. IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The SBG3500-N Series supports multiple logical LAN interfaces via its physical Ethernet interface with the SBG3500-N Series itself as the gateway for the LAN network.
  • Page 175: The 5th Ethernet Port Screen

    Chapter 8 LAN Table 36 Network Setting > LAN > Additional Subnet (continued) LABEL DESCRIPTION Offer Public IP by DHCP Select the checkbox to enable the SBG3500-N Series to provide public IP addresses by DHCP server. Enable ARP Proxy Select the checkbox to enable the ARP (Address Resolution Protocol) proxy. Apply Click Apply to save your changes.
  • Page 176: DHCP Setup

    Chapter 8 LAN Figure 68 LAN and WAN IP Addresses 8.8.2 DHCP Setup DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the SBG3500-N Series as a DHCP server or disable it.
  • Page 177: LAN TCP/IP

    Chapter 8 LAN 8.8.4 LAN TCP/IP The SBG3500-N Series has built-in DHCP server capability that assigns IP addresses and DNS servers to systems that support DHCP client capability. IP Address and Subnet Mask Similar to the way houses on a street share a common street name, so too do computers on a LAN share one common network number.
  • Page 178 Chapter 8 LAN Note: Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines above. For more information on address assignment, please refer to RFC 1597, “Address Allocation for Private Internets” and RFC 1466, “Guidelines for Management of IP Address Space”.
  • Page 179: Routing

    Chapter 9 Routing 9.1 Overview The SBG3500-N Series usually uses the default gateway to route outbound traffic from computers on the LAN to the Internet. To have the SBG3500-N Series send data to devices not reachable through the default gateway, use static routes. For example, the next figure shows a computer (A) connected to the SBG3500-N Series’s LAN interface.
  • Page 180: The Routing Screen

    Chapter 9 Routing 9.2 The Routing Screen Use this screen to view and configure the static route rules on the SBG3500-N Series. Click Network Setting > Routing > Static Route to open the following screen. Figure 70 Network Setting > Routing > Static Route The following table describes the labels in this screen.
  • Page 181: The Policy Forwarding Screen

    Chapter 9 Routing The following table describes the labels in this screen. Table 39 Routing: Add/Edit LABEL DESCRIPTION Active This field allows you to activate/deactivate this static route. Select this to enable the static route. Clear this to disable this static route without having to delete the entry.
  • Page 182: Add/Edit Policy Forwarding

    Chapter 9 Routing Table 40 Network Setting > Routing > Policy Forwarding (continued) LABEL: DESCRIPTION. Policy Name: This is the name of the rule. Source IP: This is the source IP address. Source Subnet Mask: This is the source subnet mask address. Protocol: This is the transport layer protocol.
  • Page 183: The Rip Screen

    Chapter 9 Routing Table 41 Policy Forwarding: Add/Edit (Sheet 2 of 2) LABEL: DESCRIPTION. Source Subnet Mask: Enter the source subnet mask address. Protocol: Select the transport layer protocol (TCP or UDP). Source Port: Enter the source port number. Source MAC: Enter the source MAC address.
  • Page 184 Chapter 9 Routing Table 42 Network Setting > Routing > RIP LABEL DESCRIPTION Enabled Select the check box to activate the settings. Apply Click Apply to save your changes. Cancel Click Cancel to exit this screen without saving.
  • Page 185: Quality Of Service (Qos)

    Chapter 10 Quality of Service (QoS) 10.1 Overview Quality of Service (QoS) refers to both a network’s ability to deliver data with minimum delay, and the networking methods used to control the use of bandwidth. Without QoS, all traffic data is equally likely to be dropped when the network is congested.
  • Page 186: What You Need To Know

    Chapter 10 Quality of Service (QoS) 10.2 What You Need to Know The following terms and concepts may help as you read through this chapter. QoS versus CoS QoS is used to prioritize source-to-destination traffic flows. All packets in the same flow are given the same priority.
  • Page 187: The Quality Of Service General Screen

    Chapter 10 Quality of Service (QoS) Traffic Policing Traffic policing is the limiting of the input or output transmission rate of a class of traffic on the basis of user-defined criteria. Traffic policing methods measure traffic flows against user-defined criteria and identify it as either conforming, exceeding or violating the criteria.
  • Page 188: The Queue Setup Screen

    Chapter 10 Quality of Service (QoS) The following table describes the labels in this screen. Table 43 Network Setting > QoS > General LABEL DESCRIPTION Select the Enable check box to turn on QoS to improve your network performance. WAN Managed Enter the amount of upstream bandwidth for the WAN interfaces that you want to allocate Upstream using QoS.
  • Page 189 Chapter 10 Quality of Service (QoS) Figure 76 Network Setting > QoS > Queue Setup The following table describes the labels in this screen. Table 44 Network Setting > QoS > Queue Setup LABEL DESCRIPTION Add new Queue Click this button to create a new queue entry. This is the index number of the entry.
  • Page 190: Adding A Qos Queue

    Chapter 10 Quality of Service (QoS) 10.4.1 Adding a QoS Queue Click Add new Queue or the edit icon in the Queue Setup screen to configure a queue. Figure 77 Queue Setup: Add The following table describes the labels in this screen. Table 45 Queue Setup: Add LABEL DESCRIPTION...
  • Page 191: Add/Edit Qos Class

    Chapter 10 Quality of Service (QoS) destination port number or incoming interface. For example, you can configure a classifier to select traffic from the same protocol port (such as Telnet) to form a flow. You can give different priorities to traffic that the SBG3500-N Series forwards out through the WAN interface.
  • Page 192 Chapter 10 Quality of Service (QoS) Figure 79 Class Setup: Add/Edit
  • Page 193 Chapter 10 Quality of Service (QoS) The following table describes the labels in this screen. Table 47 Class Setup: Add/Edit LABEL DESCRIPTION Active Select this to enable this classifier. Class Name Enter a descriptive name of up to 15 printable English keyboard characters, not including spaces.
  • Page 194 Chapter 10 Quality of Service (QoS) Table 47 Class Setup: Add/Edit (continued) LABEL DESCRIPTION Service This field is available only when you select IP in the Ether Type field. This field simplifies classifier configuration by allowing you to select a predefined application.
  • Page 195: The Qos Policer Setup Screen

    Chapter 10 Quality of Service (QoS) Table 47 Class Setup: Add/Edit (continued) LABEL: DESCRIPTION. Forward to Interface: Select a WAN interface through which traffic of this class will be forwarded out. If you select Unchange, the SBG3500-N Series forwards traffic of this class according to the default routing table.
  • Page 196: Add/Edit A Qos Policer

    Chapter 10 Quality of Service (QoS) 10.6.1 Add/Edit a QoS Policer Click Add new Policer in the Policer Setup screen or the Edit icon next to a policer to show the following screen. Figure 81 Policer Setup: Add/Edit The following table describes the labels in this screen. Table 49 Policer Setup: Add/Edit LABEL DESCRIPTION...
  • Page 197: The Qos Monitor Screen

    Chapter 10 Quality of Service (QoS) Table 49 Policer Setup: Add/Edit (continued) LABEL: DESCRIPTION. Non-Conforming Action: Specify what the SBG3500-N Series does for packets that exceed the excess burst size or peak rate and burst size (red-marked packets). • Drop: Discard the packets.
  • Page 198: Technical Reference

    Chapter 10 Quality of Service (QoS) 10.8 Technical Reference The following section contains additional technical information about the SBG3500-N Series features described in this chapter. IEEE 802.1Q Tag The IEEE 802.1Q standard defines an explicit VLAN tag in the MAC header to identify the VLAN membership of a frame across bridges.
  • Page 199 Chapter 10 Quality of Service (QoS) DSCP is backward compatible with the three precedence bits in the ToS octet so that non-DiffServ compliant, ToS-enabled network device will not conflict with the DSCP mapping. DSCP (6 bits) Unused (2 bits) The DSCP value determines the forwarding behavior, the PHB (Per-Hop Behavior), that each packet gets across the DiffServ network.
  • Page 200: Token Bucket

    Chapter 10 Quality of Service (QoS) Table 52 Internal Layer2 and Layer3 QoS Mapping LAYER 2 LAYER 3 PRIORITY IEEE 802.1P USER QUEUE PRIORITY TOS (IP IP PACKET DSCP (ETHERNET PRECEDENCE) LENGTH (BYTE) PRIORITY) 011110 <250 011100 011010 011000 100110 100100 100010 100000...
  • Page 201 Chapter 10 Quality of Service (QoS) Single Rate Three Color Marker The Single Rate Three Color Marker (srTCM, defined in RFC 2697) is a type of traffic policing that identifies packets by comparing them to one user-defined rate, the Committed Information Rate (CIR), and two burst sizes: the Committed Burst Size (CBS) and Excess Burst Size (EBS).
  • Page 202 Chapter 10 Quality of Service (QoS) • If the PBS bucket has enough tokens, the SBG3500-N Series checks the CBS bucket. The packet is marked green and can be transmitted if the number of tokens in the CBS bucket is equal to or greater than the size of the packet (in bytes).
  • Page 203: Network Address Translation (Nat)

    Chapter 11 Network Address Translation (NAT) 11.1 Overview This chapter discusses how to configure NAT on the SBG3500-N Series. NAT (Network Address Translation - NAT, RFC 1631) is the translation of the IP address of a host in a packet, for example, the source address of an outgoing packet, used within one network to a different IP address known within another network.
  • Page 204: The Port Forwarding Screen

    Chapter 11 Network Address Translation (NAT) WAN side. When the response comes back, NAT translates the destination address (the inside global address) back to the inside local address before forwarding it to the original inside host. Port Forwarding A port forwarding set is a list of inside (behind NAT on the LAN) servers, for example, web or FTP, that you can make visible to the outside world even though NAT makes your whole inside network appear as a single computer to the outside world.
  • Page 205 Chapter 11 Network Address Translation (NAT) Figure 83 Multiple Servers Behind NAT Example A=192.168.1.33 B=192.168.1.34 192.168.1.1 IP Address assigned by ISP C=192.168.1.3 D=192.168.1.36 Click Network Setting > NAT > Port Forwarding to open the following screen. See Appendix F on page 415 for port numbers commonly used for particular services.
  • Page 206: Add/Edit Port Forwarding

    Chapter 11 Network Address Translation (NAT) Table 53 Network Setting > NAT > Port Forwarding (continued) LABEL: DESCRIPTION. Translation Start Port: This is the first internal port number that identifies a service. Translation End Port: This is the last internal port number that identifies a service. Protocol: This shows the IP protocol supported by this virtual server, whether it is TCP, UDP, or TCP/...
  • Page 207: The Applications Screen

    Chapter 11 Network Address Translation (NAT) Table 54 Port Forwarding: Add/Edit (continued) LABEL DESCRIPTION End Port Enter the last port of the original destination port range. To forward only one port, enter the port number in the Start Port field above and then enter it again in this field.
  • Page 208: Add New Application

    Chapter 11 Network Address Translation (NAT) 11.3.1 Add New Application This screen lets you create new NAT application rules. Click Add new application in the Applications screen to open the following screen. Figure 87 Applications: Add The following table describes the labels in this screen. Table 56 Applications: Add LABEL DESCRIPTION...
  • Page 209 Chapter 11 Network Address Translation (NAT) For example: Figure 88 Trigger Port Forwarding Process: Example Jane requests a file from the Real Audio server (port 7070). Port 7070 is a “trigger” port and causes the SBG3500-N Series to record Jane’s computer IP address.
  • Page 210: Add/Edit Port Triggering Rule

    Chapter 11 Network Address Translation (NAT) Table 57 Network Setting > NAT > Port Triggering (continued) LABEL DESCRIPTION Trigger Proto. This is the trigger transport layer protocol. Open Start Port The open port is a port (or a range of ports) that a server on the WAN uses when it sends out a particular service.
  • Page 211: The Default Server Screen

    Chapter 11 Network Address Translation (NAT) Table 58 Port Triggering: Configuration Add/Edit (continued) LABEL DESCRIPTION Open Start Port The open port is a port (or a range of ports) that a server on the WAN uses when it sends out a particular service. The SBG3500-N Series forwards the traffic with this port (or range of ports) to the client computer on the LAN that requested the service.
  • Page 212: The Alg Screen

    Chapter 11 Network Address Translation (NAT) 11.6 The ALG Screen Some NAT routers may include a SIP Application Layer Gateway (ALG). A SIP ALG allows SIP calls to pass through NAT by examining and translating IP addresses embedded in the data stream. When the SBG3500-N Series registers with the SIP register server, the SIP ALG translates the SBG3500-N Series’s private IP address inside the SIP data stream to a public IP address.
  • Page 213: Add/Edit Address Mapping Rule

    Chapter 11 Network Address Translation (NAT) The following table describes the fields in this screen. Table 61 Network Setting > NAT > Address Mapping LABEL DESCRIPTION Add new rule Click this to create a new rule. This is the index number of the address mapping set. Local Start IP This is the starting Inside Local IP Address (ILA).
  • Page 214: Technical Reference

    Chapter 11 Network Address Translation (NAT) The following table describes the fields in this screen. Table 62 Address Mapping: Add/Edit LABEL DESCRIPTION Type Choose the IP/port mapping type from one of the following. One-to-One: This mode maps one local IP address to one global IP address. Note that port numbers do not change for the One-to-one NAT mapping type.
  • Page 215: What Nat Does

    Chapter 11 Network Address Translation (NAT) Note that inside/outside refers to the location of a host, while global/local refers to the IP address of a host used in a packet. Thus, an inside local address (ILA) is the IP address of an inside host in a packet when the packet is still in the local network, while an inside global address (IGA) is the IP address of the same inside host when the packet is on the WAN side.
  • Page 216: How Nat Works

    Chapter 11 Network Address Translation (NAT) 11.8.3 How NAT Works Each packet has two addresses – a source address and a destination address. For outgoing packets, the ILA (Inside Local Address) is the source address on the LAN, and the IGA (Inside Global Address) is the source address on the WAN.
  • Page 217 Chapter 11 Network Address Translation (NAT) Figure 96 NAT Application With IP Alias Port Forwarding: Services and Port Numbers The most often used port numbers are shown in the following table. Please refer to RFC 1700 for further information about port numbers. Please also refer to the Supporting CD for more examples and details on port forwarding and NAT.
  • Page 218 Chapter 11 Network Address Translation (NAT) third (C in the example). You assign the LAN IP addresses and the ISP assigns the WAN IP address. The NAT network appears as a single host on the Internet. Figure 97 Multiple Servers Behind NAT Example A=192.168.1.33 192.168.1.1 B=192.168.1.34...
  • Page 219: Dynamic Dns Setup

    Chapter 12 Dynamic DNS Setup 12.1 Overview DNS (Domain Name System) is for mapping a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a machine before you can access it. In addition to the system DNS server(s), each WAN interface (service) is set to have its own static or dynamic DNS server list.
  • Page 220: What You Need To Know

    Chapter 12 Dynamic DNS Setup 12.1.2 What You Need To Know DYNDNS Wildcard Enabling the wildcard feature for your host causes *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. This feature is useful if you want to be able to use, for example, www.yourhost.dyndns.org and still reach your hostname.
  • Page 221: The Dynamic Dns Screen

    Chapter 12 Dynamic DNS Setup The following table describes the labels in this screen. Table 66 DNS Entry: Add/Edit LABEL DESCRIPTION FQDN Enter the Fully Qualified Domain Name (FQDN) of the DNS entry. For example, if your hostname is myhost and a parent domain name is example.com, then your FQDN is myhost.example.com.
  • Page 222: Ap Control

    Chapter 13 AP Control 13.1 Overview Use the AP Control screens to configure how the SBG3500-N Series manages the Access Points (APs) that are connected to it. 13.1.1 What You Can Do in this Chapter • The Controller screen (Section 13.2 on page 222) sets how the SBG3500-N Series allows new APs to connect to the network.
  • Page 223: The Managed Ap List Screen

    Chapter 13 AP Control The following table describes the fields in this screen. Table 68 Network Setting > AP Control > Controller LABEL: DESCRIPTION. Enable: Click the check box to enable AP Controller in the SBG3500-N Series. Registration Type: Select Manual to add each AP to the SBG3500-N Series for management, or Always Accept to automatically add APs to the SBG3500-N Series for management.
  • Page 224: The Load Balancing Screen

    Chapter 13 AP Control Table 69 Network Setting > AP Control > Managed AP List (continued) LABEL DESCRIPTION Description This field displays the AP’s description, which you can configure by selecting the AP’s entry and clicking the Edit button. Modify Click the Edit icon to edit the AP’s properties.
  • Page 225: The Dynamic Channel Selection Screen

    Chapter 13 AP Control Table 70 Network Setting > AP Control > Load Balancing (continued) LABEL: DESCRIPTION. Disassociate station when overloaded: Select this option to disassociate wireless clients connected to the AP when it becomes overloaded. If you do not enable this option, then the AP simply delays the connection until it can afford the bandwidth it requires, or it transfers the connection to another AP within its broadcast radius.
  • Page 226 Chapter 13 AP Control The following table describes the fields in this screen. Table 71 Network Setting > AP Control > DCS LABEL DESCRIPTION General Settings Select Now Click the Select Now button to have the managed APs scan for and select an available channel immediately.
  • Page 227: Ap Profile

    Chapter 14 AP Profile 14.1 Overview This chapter shows you how to configure preset profiles for the Access Points (APs) connected to your SBG3500-N Series wireless network. 14.1.1 What You Can Do in this Chapter • The Radio screen (Section 14.2 on page 228) creates radio configurations that can be used by the APs.
  • Page 228: Radio Screen

    Chapter 14 AP Profile • Layer-2 Isolation - This profile prevents connected devices from communicating with each other in the SBG3500-N Series local network. It checks only the wireless traffic that goes through the SBG3500-N Series interfaces, including the virtual interfaces and the bridge interface between the 2.4 and 5 GHz WLAN.
  • Page 229: Add/Modify New Profile

    Chapter 14 AP Profile The following table describes the labels in this screen. Table 72 Configuration > Object > AP Profile > Radio LABEL DESCRIPTION Add New Profile Click this to add a new radio profile. This field is a sequential value, and it is not associated with a specific profile. Enable This icon is lit when the entry is active and dimmed when the entry is inactive.
  • Page 230 Chapter 14 AP Profile Figure 106 Network Setting > AP Profile > Add/Modify New Profile The following table describes the labels in this screen. Table 73 Network Settings > AP Profile > Add/Modify New Profile LABEL DESCRIPTION General Settings Enable Select this option to make this profile active.
  • Page 231 Chapter 14 AP Profile Table 73 Network Settings > AP Profile > Add/Modify New Profile (continued) LABEL DESCRIPTION Mode Select how to let wireless clients connect to the AP. When using the 2.4 GHz band, select b/g to let IEEE 802.11b and IEEE 802.11g compliant WLAN devices associate with the AP.
  • Page 232 Chapter 14 AP Profile Table 73 Network Settings > AP Profile > Add/Modify New Profile (continued) LABEL DESCRIPTION Beacon Interval When a wirelessly networked device sends a beacon, it includes with it a beacon interval. This specifies the time period before the device sends the beacon again. The interval tells receiving devices on the network how long they can wait in low-power mode before waking up to handle the beacon.
  • Page 233: Ssid Screen

    Chapter 14 AP Profile Table 73 Network Settings > AP Profile > Add/Modify New Profile (continued) LABEL DESCRIPTION MBSSID Settings This section allows you to associate an SSID profile with the radio profile. SSID Profile Click the drop down list next to the SSID Profile number. If you want to reassign the SSID profile, choose disable, otherwise, choose default.
  • Page 234: Add New Profile/Modify Ssid Profile

    Chapter 14 AP Profile Table 74 Network Setting > AP Profile > SSID (continued) LABEL DESCRIPTION VLAN ID This field indicates the VLAN ID associated with the SSID profile. Modify Click the Edit icon to edit the SSID profile. Click the Delete icon to delete an existing SSID profile. Note that subsequent SSID profile moves up by one when you take this action.
  • Page 235: Security Screen

    Chapter 14 AP Profile Table 75 Network Setting > AP Profile > SSID > Add New Profile/Modify SSID Profile (continued) LABEL DESCRIPTION Select a Quality of Service (QoS) access category to associate with this SSID. Access categories minimize the delay of data packets across a wireless network. Certain categories, such as video or voice, are given a higher priority due to the time sensitive nature of their data packets.
  • Page 236: Add/Modify Security Profile

    Chapter 14 AP Profile Note: You can have a maximum of 8 security profiles on the SBG3500-N Series. Figure 109 Network Setting > AP Profile > Security The following table describes the labels in this screen. Table 76 Network Setting > AP Profile > Security LABEL DESCRIPTION Add New Profile...
  • Page 237 Chapter 14 AP Profile Figure 110 Network Setting > AP Profile > Security > Add New Profile/Modify The following table describes the labels in this screen. Table 77 Network Setting > AP Profile > Security > Add New Profile/Modify LABEL DESCRIPTION General Settings Profile Name...
  • Page 238 Chapter 14 AP Profile Table 77 Network Setting > AP Profile > Security > Add New Profile/Modify LABEL DESCRIPTION MAC Authentication Select this to use an external server to authenticate wireless clients by their MAC address. Users cannot get an IP address if the MAC authentication fails. An external server can use the wireless client’s account (username/password) or Calling Station ID for MAC authentication.
  • Page 239: Mac Filtering Screen

    Chapter 14 AP Profile Table 77 Network Setting > AP Profile > Security > Add New Profile/Modify LABEL DESCRIPTION Cipher Type Select an encryption cipher type from the list. • auto - This automatically chooses the best available cipher based on the cipher in use by the wireless client that is attempting to make a connection.
  • Page 240: Add New Entry/Modify Mac Filtering Profile

    Chapter 14 AP Profile 14.5.1 Add New Entry/Modify MAC Filtering Profile This screen allows you to create a new MAC filtering profile or edit an existing one. To access this screen, click the Add New Profile button or select a MAC filter profile from the list and click the Modify button.
  • Page 241: Layer-2 Isolation Screen

    Chapter 14 AP Profile In the following example, layer-2 isolation is enabled on the SBG3500-N Series’ interface Vlan1. A printer, PC and AP are in the Vlan1. The IP address of network printer (C) is added to the white list. The connected AP then cannot communicate with the PC (D), but can access the network printer (C), server (B), wireless client (A) and the Internet.
  • Page 242: Add New Profile/Modify Layer-2 Isolation

    Chapter 14 AP Profile 14.7.1 Add New Profile/Modify Layer-2 Isolation This screen allows you to create a new rule in the Layer-2 Isolation Profile or edit an existing one. To access this screen, click the Add New Profile button or select an entry from the list and click the Modify button.
  • Page 243: Interface Group

    Chapter 15 Interface Group 15.1 Overview By default, the four LAN interfaces on the SBG3500-N Series are in the same group and can communicate with each other. Creating a new interface will create a new LAN bridge interface (subnet) (for example, 192.168.2.0/24) that acts as a dependent LAN network, and is a different subnet from the default LAN subnet (192.168.1.0/24).
  • Page 244: Interface Group Configuration

    Chapter 15 Interface Group Table 82 Network Setting > Interface Group/VLAN (continued) LABEL DESCRIPTION Group Name This shows the descriptive name of the group. 802.1q This shows the VLAN ID number (from 0 to 4094) of the interface group. IPv4 This shows the IP address of the interface group where the traffic passes through.
  • Page 245: Interface Grouping Criteria

    Chapter 15 Interface Group The following table describes the fields in this screen. Table 83 Interface Group Configuration LABEL DESCRIPTION Group Name Enter a name to identify this group. You can enter up to 30 characters. You can use letters, numbers, hyphens (-) and underscores (_).
  • Page 246 Chapter 15 Interface Group Figure 118 Interface Grouping Criteria The following table describes the fields in this screen. Table 84 Interface Grouping Criteria LABEL DESCRIPTION Source MAC Enter the source MAC address of the packet. Address DHCP Option Select this option and enter the Vendor Class Identifier (Option 60) of the matched traffic, such as the type of the hardware or firmware.
  • Page 247 Chapter 15 Interface Group Table 84 Interface Grouping Criteria (continued) LABEL DESCRIPTION Product Enter the product class of the device. Class Model Enter the model name of the device. Name Serial Enter the serial number of the device. Number Apply Click Apply to save your changes back to the SBG3500-N Series.
  • Page 248: Usb Service

    Chapter 16 USB Service 16.1 Overview The SBG3500-N Series has a USB port used to share files via a USB memory stick or a USB hard drive. In the USB Service screens, you can enable the file-sharing server. 16.1.1 What You Can Do in this Chapter •...
  • Page 249: The File Sharing Screen

    Chapter 16 USB Service Samba SMB is a client-server protocol used by Microsoft Windows systems for sharing files, printers, and so on. Samba is a free SMB server that runs on most Unix and Unix-like systems. It provides an implementation of an SMB client and server for use with non-Microsoft operating systems. It allows file and print sharing between computers running Windows and computers running Unix.
  • Page 250 Chapter 16 USB Service The SBG3500-N Series detects the USB device and makes its contents available for browsing. If you are connecting a USB hard drive that comes with an external power supply, make sure it is connected to an appropriate power source that is on. Note: If your USB device cannot be detected by the SBG3500-N Series, see the troubleshooting for suggestions.
  • Page 251: Firewall

    Chapter 17 Firewall 17.1 Overview This chapter shows you how to enable and configure the SBG3500-N Series’s security settings. Use the firewall to protect your SBG3500-N Series and network from attacks by hackers on the Internet and control access to it. By default the firewall: •...
  • Page 252: What You Need To Know

    Chapter 17 Firewall 17.1.2 What You Need to Know SYN Attack A SYN attack floods a targeted system with a series of SYN packets. Each packet causes the targeted system to issue a SYN-ACK response. While the targeted system waits for the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on a backlog queue.
  • Page 253: The Firewall Screen

    Chapter 17 Firewall Figure 122 ZWO 17.2 The Firewall Screen Use this screen to enable the firewall on the SBG3500-N Series. Click Security > Firewall to display the General screen. Figure 123 Security > Firewall > General Select Enable to activate the firewall feature on the SBG3500-N Series. 17.3 The DoS Screen DoS (Denial of Service) attacks can flood your Internet connection with invalid packets and connection requests, using so much bandwidth and so many resources that Internet access...
  • Page 254: The Service Screen

    Chapter 17 Firewall Use the DoS screen to activate protection against DoS attacks. Click Security > Firewall > DoS to display the following screen. Figure 124 Security > Firewall > DoS The following table describes the labels in this screen. Table 86 Security >...
  • Page 255: Add/Edit A Service

    Chapter 17 Firewall Figure 125 Security > Firewall > Service The following table describes the labels in this screen. Table 87 Security > Firewall > Service LABEL DESCRIPTION Add new Click this to add a new service. service entry Name This is the name of your customized service.
  • Page 256 Chapter 17 Firewall Figure 126 Service: Add/Edit The following table describes the labels in this screen. Table 88 Service: Add/Edit LABEL DESCRIPTION Protocol Choose the IP protocol (TCP, UDP, ICMP, or Other) that defines your customized port from the drop-down list box. Select Other to be able to enter a protocol number. Source/ These fields are displayed if you select TCP or UDP as the IP port.
  • Page 257: The Access Control Screen

    Chapter 17 Firewall 17.5 The Access Control Screen Click Security > Firewall > Access Control to display the following screen. This screen displays a list of the configured incoming or outgoing filtering rules. Figure 127 Security > Firewall > Access Control The following table describes the labels in this screen.
  • Page 258: Add/Edit An Acl Rule

    Chapter 17 Firewall Table 89 Security > Firewall > Access Control (continued) LABEL DESCRIPTION Action This is the policy of the access control. Choose the following option from the drop-down list: Select Drop to silently discard the packets without sending a TCP reset packet or an ICMP destination-unreachable message to the sender.
  • Page 259 Chapter 17 Firewall Table 90 Access Control: Add/Edit (continued) LABEL DESCRIPTION Order Select the order of the ACL rule. Direction Select the direction of the ACL rule. You may select from WAN to LAN, WAN to Router, WAN to DMZ, LAN to WAN, LAN to Router, LAN to DMZ, DMZ to WAN, DMZ to LAN, and DMZ to Router.
  • Page 260: The Zone Control Screen

    Chapter 17 Firewall 17.6 The Zone Control Screen Use this screen to set the security level of the firewall on the SBG3500-N Series. Firewall rules are grouped based on the direction of travel of packets to which they apply. Click Security > Firewall > Zone Control to display the following screen. Figure 129 Security >...
  • Page 261: Mac Filter

    Chapter 18 MAC Filter 18.1 Overview You can configure the SBG3500-N Series to permit access to clients based on their MAC addresses in the MAC Filter screen. This applies to wired and wireless connections. Every Ethernet device has a unique MAC (Media Access Control) address. The MAC address is assigned at the factory and consists of six pairs of hexadecimal characters, for example, 00:A0:C5:00:00:02.
  • Page 262: The Mac Filter Screen

    Chapter 18 MAC Filter 18.2 The MAC Filter Screen Use this screen to allow wireless and LAN clients access to the SBG3500-N Series. Click Security > MAC Filter. The screen appears as shown. Figure 130 Security > MAC Filter The following table describes the labels in this screen. Table 92 Security >...
  • Page 263 Chapter 18 MAC Filter Table 92 Security > MAC Filter (continued) LABEL DESCRIPTION Apply Click Apply to save your changes. Cancel Click Cancel to restore your previously saved settings.
  • Page 264: User Access Control

    Chapter 19 User Access Control 19.1 Overview User Access control allows you to block web sites with the specific URL. You can also define time periods and days during which the SBG3500-N Series performs User Access control on a specific user. 19.2 The User Access Control Screen Use this screen to enable User Access control, view the User Access control rules and schedules.
  • Page 265: Add/Edit A User Access Control Rule

    Chapter 19 User Access Control Table 93 Security > User Access Control (continued) LABEL DESCRIPTION Network This shows whether the network service is configured. If not, None will be shown. Service Website Block This shows whether the website block is configured. If not, None will be shown. Modify Click the Edit icon to go to the screen where you can edit the rule.
  • Page 266 Chapter 19 User Access Control Table 94 User Access Control Rule: Add/Edit (continued) LABEL DESCRIPTION Network User Select the LAN user that you want to apply this rule to from the drop-down list box. If you select Custom, enter the LAN user’s MAC address. If you select All, the rule applies to all LAN users.
  • Page 267: Scheduler Rules

    Chapter 20 Scheduler Rules 20.1 Overview You can define time periods and days during which the SBG3500-N Series performs scheduled rules of certain features (such as Firewall Access Control, User Access Control) on a specific user in the Scheduler Rules screen. 20.2 The Scheduler Rules Screen Use this screen to view, add, or edit time schedule rules.
  • Page 268 Chapter 20 Scheduler Rules Figure 134 Scheduler Rules: Add/Edit The following table describes the fields in this screen. Table 96 Scheduler Rules: Add/Edit LABEL DESCRIPTION Rule Name Enter a name (up to 31 printable English keyboard characters, not including spaces) for this schedule.
  • Page 269: Certificates

    Chapter 21 Certificates 21.1 Overview The SBG3500-N Series can use certificates (also called digital IDs) to authenticate users. Certificates are based on public-private key pairs. A certificate contains the certificate owner’s identity and public key. Certificates provide a way to exchange public keys for use in authentication. 21.1.1 What You Can Do in this Chapter •...
  • Page 270: Create Certificate Request

    Chapter 21 Certificates Figure 135 Security > Certificates > Local Certificates The following table describes the labels in this screen. Table 97 Security > Certificates > Local Certificates LABEL DESCRIPTION Private Key is Select the checkbox and enter the private key into the text box to store it on the protected by a SBG3500-N Series.
  • Page 271 Chapter 21 Certificates Figure 136 Create Certificate Request The following table describes the labels in this screen. Table 98 Create Certificate Request LABEL DESCRIPTION Certificate Type up to 63 ASCII characters (not including spaces) to identify this certificate. Name Common Name Select Auto to have the SBG3500-N Series configure this field automatically.
  • Page 272: Load Signed Certificate

    Chapter 21 Certificates Figure 137 Certificate Request Created 21.3.2 Load Signed Certificate After you create a certificate request and have it signed by a Certificate Authority, in the Local Certificates screen click the certificate request’s Load Signed icon to import the signed certificate into the SBG3500-N Series.
  • Page 273: The Trusted Ca Screen

    Chapter 21 Certificates The following table describes the labels in this screen. Table 99 Load Signed Certificate LABEL DESCRIPTION Certificate This is the name of the signed certificate. Name Certificate Copy and paste the signed certificate into the text box to store it on the SBG3500-N Series. Apply Click Apply to save your changes.
  • Page 274 Chapter 21 Certificates Figure 140 Trusted CA: Import Certificate The following table describes the fields in this screen. Table 101 Trusted CA: Import Certificate LABEL DESCRIPTION Certificate File Type in the location of the certificate you want to upload in this field or click Browse ... to Path find it.
  • Page 275: Ipsec Vpn

    Chapter 22 IPSec VPN 22.1 Overview A virtual private network (VPN) provides secure communications between sites without the expense of leased site-to-site lines. A secure VPN is a combination of tunneling, encryption, authentication, access control and auditing. It is used to transport traffic over the Internet or any insecure network that uses TCP/IP for communication.
  • Page 276: What You Need To Know

    Chapter 22 IPSec VPN 22.3 What You Need To Know A VPN tunnel is usually established in two phases. Each phase establishes a security association (SA), a contract indicating what security parameters the SBG3500-N Series and the remote IPSec router will use. The first phase establishes an Internet Key Exchange (IKE) SA between the SBG3500-N Series and remote IPSec router.
  • Page 277: Add/Edit Vpn Rule

    Chapter 22 IPSec VPN Click VPN > IPSec VPN to display the Setup screen. This is a read-only menu of your IPSec VPN rules (tunnels). Edit a VPN rule by clicking the Edit icon. Note: The default IPsec rule Default_L2TPVPN cannot be disconnected on the VPN > IPSec VPN >...
  • Page 278 Chapter 22 IPSec VPN Figure 145 VPN > IPSec VPN > Setup > Edit
  • Page 279 Chapter 22 IPSec VPN The following table describes the labels in this screen. Table 103 VPN > IPSec VPN > Setup > Edit LABEL DESCRIPTION General Enable Select the checkbox to activate this VPN policy. Connection Name Enter a name to identify this VPN policy. If you are editing an existing policy, this field is not editable.
  • Page 280 Chapter 22 IPSec VPN Table 103 VPN > IPSec VPN > Setup > Edit (continued) LABEL DESCRIPTION Fall Back to Primary When this box is checked, the SBG3500-N Series attempts to re-connect to the primary Peer Gateway when peer gateway address again when it is back up. The SBG3500-N Series will use possible secondary gateway address when the primary address is down.
  • Page 281 Chapter 22 IPSec VPN Table 103 VPN > IPSec VPN > Setup > Edit (continued) LABEL DESCRIPTION SPI (HEX) Type a hexadecimal value (between 256 and 4095) for the Security Parameter Index (SPI). Make sure the remote VPN endpoint has the same value in its SPI field. Tunnel Mode Choose from the following tunnel modes in the drop-down list.
  • Page 282 Chapter 22 IPSec VPN Table 103 VPN > IPSec VPN > Setup > Edit (continued) LABEL DESCRIPTION Phase 1 Phase 1 Encryption and Authentication can have up to 3 algorithm pairs. You cannot use phase 1 Encryption, Authentication, and Key Group pairs that already exist in other enabled IPsec rules with Remote Access selected as the Application Scenario.
  • Page 283 Chapter 22 IPSec VPN Table 103 VPN > IPSec VPN > Setup > Edit (continued) LABEL DESCRIPTION Key Group Select which Diffie-Hellman key group (DHx) you want to use for encryption keys. Choices are: DH1 - use a 768-bit random number DH2 - use a 1024-bit random number DH5 - use a 1536-bit random number The longer the key, the more secure the encryption, but also the longer it takes to...
  • Page 284 Chapter 22 IPSec VPN Table 103 VPN > IPSec VPN > Setup > Edit (continued) LABEL DESCRIPTION Encryption Select which key size and encryption algorithm to use in the IKE SA. Choices are: DES - a 56-bit key with the DES encryption algorithm 3DES - a 168-bit key with the DES encryption algorithm AES128 - a 128-bit key with the AES encryption algorithm AES192 - a 192-bit key with the AES encryption algorithm...
  • Page 285: The Default_L2Tpvpn Ipsec Vpn Rule

    Chapter 22 IPSec VPN 22.4.3 The Default_L2TPVPN IPSec VPN Rule A default IPSec VPN rule (Default_L2TP_VPN) is predefined. It can be edited but cannot be removed. This rule is used for L2TP VPN exclusively and is disabled by default. The following table lists the default settings for the Default_L2TP_VPN IPSec VPN. Table 104 Default settings for Default_L2TP_VPN GENERAL AUTHENTICATION...
  • Page 286: The Radius Screen

    Chapter 22 IPSec VPN The following table describes the labels in this screen. Table 105 VPN > IPSec VPN > Monitor LABEL DESCRIPTION Radio Buttons Click the radio button to choose the VPN client you want to connect or disconnect. Name This field displays the identification name for this IPSec VPN policy.
  • Page 287: Technical Reference

    Chapter 22 IPSec VPN Table 106 VPN > IPSec VPN > Radius (continued) LABEL DESCRIPTION Enter a password (up to 15 alphanumeric characters) as the key to be shared between the external authentication server and the SBG3500-N Series. The key is not sent over the network. This key must be the same on the external authentication server and the SBG3500-N Series.
  • Page 288: Encapsulation

    Chapter 22 IPSec VPN IPSec Algorithms The ESP (Encapsulating Security Payload) Protocol (RFC 2406) and AH (Authentication Header) protocol (RFC 2402) describe the packet formats and the default standards for packet structure (including implementation algorithms). The Encryption Algorithm describes the use of encryption techniques such as DES (Data Encryption Standard) and Triple DES algorithms.
  • Page 289: Ike Phases

    Chapter 22 IPSec VPN Tunnel Mode Tunnel mode encapsulates the entire IP packet to transmit it securely. A Tunnel mode is required for gateway services to provide access to internal systems. Tunnel mode is fundamentally an IP tunnel with authentication and encryption. This is the most common mode of operation. Tunnel mode is required for gateway to gateway and host to gateway communications.
  • Page 290: Negotiation Mode

    Chapter 22 IPSec VPN • Choose an encryption algorithm. • Choose an authentication algorithm • Choose a Diffie-Hellman public-key cryptography key group. • Set the IPSec SA lifetime. This field allows you to determine how long the IPSec SA should stay up before it times out.
  • Page 291: Vpn, Nat, And Nat Traversal

    Chapter 22 IPSec VPN Transport mode ESP with authentication is not compatible with NAT. Table 107 VPN and NAT SECURITY PROTOCOL MODE Transport Tunnel Transport Tunnel 22.7.6 VPN, NAT, and NAT Traversal NAT is incompatible with the AH protocol in both transport and tunnel mode. An IPSec VPN using the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet, but a NAT device between the IPSec endpoints rewrites the source or destination address.
  • Page 292: Id Type And Content

    Chapter 22 IPSec VPN Table 108 VPN and NAT SECURITY PROTOCOL MODE Transport Tunnel Y* - This is supported in the SBG3500-N Series if you enable NAT traversal. 22.7.7 ID Type and Content With aggressive negotiation mode (see Section 22.7.4 on page 290), the SBG3500-N Series identifies incoming SAs by ID type and content since this identifying information is not encrypted.
  • Page 293: Pre-Shared Key

    Chapter 22 IPSec VPN The two SBG3500-N Series in this example cannot complete their negotiation because SBG3500-N Series B’s Local ID type is IP, but SBG3500-N Series A’s Remote ID type is set to E-mail. An “ID mismatched” message displays in the IPSEC LOG. Table 111 Mismatching ID Type and Content Configuration Example SBG3500-N SERIES A SBG3500-N SERIES B...
  • Page 294: Pptp Vpn

    Chapter 23 PPTP VPN 23.1 Overview Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a VPN using TCP/IP-based networks. PPTP supports on-demand, multi-protocol and virtual private networking over public networks, such as the Internet.
  • Page 295: Pptp Vpn Setup

    Chapter 23 PPTP VPN 23.3 PPTP VPN Setup Use this screen to configure settings for a Point to Point Tunneling Protocol (PPTP) server. Click VPN > PPTP VPN to open the Setup screen as shown next. Figure 153 VPN > PPTP VPN > Setup This screen contains the following fields: Table 112 VPN >...
  • Page 296: The Pptp Vpn Monitor Screen

    Chapter 23 PPTP VPN Table 112 VPN > PPTP VPN > Setup (continued) LABEL DESCRIPTION Authentication Select how the SBG3500-N Series authenticates a remote user before allowing access Method to the PPTP VPN tunnel. The authentication method has the SBG3500-N Series check a user’s user name and password against the SBG3500-N Series’s local database, which is configured in the Maintenance >...
  • Page 297 Chapter 23 PPTP VPN TIP: This could be due to one of the following reasons: a. The client device is not connected to the Internet successfully. Action: Check the client device’s Internet connection. b. Incorrect server address configured on the client device. (1) If the Local WAN Interface is “Any”: From the SBG3500-N Series’s GUI, click Status.
  • Page 298 Chapter 23 PPTP VPN e. The SBG3500-N Series’s WAN interface on which the PPTP connection is established is disconnected. A PPTP client is connected successfully but cannot access the local host or server behind the SBG3500-N Series. Tip: This may be caused by one of the following: a.
  • Page 299: L2Tp Vpn

    Chapter 24 L2TP VPN 24.1 Overview The Layer 2 Tunneling Protocol (L2TP) works at layer 2 (the data link layer) to tunnel network traffic between two peers over another network (like the Internet). In L2TP VPN, an IPSec VPN tunnel (defined by the IPSec VPN rule Default_L2TPVPN, refer to Section 22.4.3 on page 285) is established first and then an L2TP tunnel is built inside it.
  • Page 300 Chapter 24 L2TP VPN Figure 156 VPN > L2TP VPN > Setup The following table describes the fields in this screen. Table 114 VPN > L2TP VPN > Setup LABEL DESCRIPTION Enable Select the checkbox to enable the SBG3500-N Series’s L2TP VPN function. VPN Connection This is the WAN interface where L2TP VPN listens for a client connection request.
  • Page 301: The L2Tp Vpn Monitor Screen

    Chapter 24 L2TP VPN Table 114 VPN > L2TP VPN > Setup (continued) LABEL DESCRIPTION WINS Server The WINS (Windows Internet Naming Service) server keeps a mapping table of the (Optional) computer names on your network and the IP addresses that they are currently using. Type the IP addresses of up to two WINS servers to assign to the remote users.
  • Page 302 Chapter 24 L2TP VPN From the SBG3500-N Series’s GUI, click Status. The client device should be configured with one of the WAN interface IP addresses. (2) If the Local Gateway Address for Default_L2TPVPN is an IP address: Use that IP address for the client device to connect. c.
  • Page 303 Chapter 24 L2TP VPN (1) Client has no activity for a period of time. (2) Client loses connectivity to the SBG3500-N Series for a period of time. (3) Any IPSec VPN configuration change is applied on the SBG3500-N Series. (4) Either Default_L2TPVPN IPSec configuration or L2TP VPN is disabled on the SBG3500-N Series. (5) When any one of these configuration changes is applied on the SBG3500-N Series: WAN Interface used for L2TP VPN, IP Address Pool, Access Group.
  • Page 304 Chapter 24 L2TP VPN Table 116 Phase 1 IPSec proposals provided by the built-in L2TP client in popular operating systems (Encryption/Authentication/Key Group) WINDOWS XP WINDOWS VISTA WINDOWS 7 IOS 5.1 ANDROID 4.1 3DES/SHA1/ 3DES/SHA1/ AES/SHA1/DH15 AES/SHA1/DH2 AES/SHA1/DH2 DH15 DH15 3DES/SHA1/DH2 3DES/SHA1/DH2 3DES/SHA1/ AES/MD5/DH2...
  • Page 305: Log

    Chapter 25 Log 25.1 Overview The web configurator allows you to choose which categories of events and/or alerts to have the SBG3500-N Series log and then display the logs or have the SBG3500-N Series send them to an administrator (as e-mail) or to a syslog server. 25.1.1 What You Can Do in this Chapter •...
  • Page 306: The System Log Screen

    Chapter 25 Log Table 118 Syslog Severity Levels CODE SEVERITY Notice: There is a normal but significant condition on the system. Informational: The syslog contains an informational message. Debug: The message is intended for debug-level purposes. 25.2 The System Log Screen Use the System Log screen to see the system logs.
  • Page 307 Chapter 25 Log Figure 159 System Monitor > Log > Security Log The following table describes the fields in this screen. Table 120 System Monitor > Log > Security Log LABEL DESCRIPTION Level Select a severity level from the drop-down list box. This filters search results according to the severity level you have selected.
  • Page 308: Network Status

    Chapter 26 Network Status 26.1 Overview Use the Network Status screens to look at the network status and statistics of the WAN and LAN interfaces. 26.1.1 What You Can Do in this Chapter • Use the WAN screen to view the WAN traffic statistics (Section 26.2 on page 308).
  • Page 309: The Lan Status Screen

    Chapter 26 Network Status Table 121 System Monitor > Network Status > WAN (continued) LABEL DESCRIPTION Error This indicates the number of frames with errors received on this interface. Drop This indicates the number of received packets dropped on this interface. 26.3 The LAN Status Screen Click System Monitor >...
  • Page 310 Chapter 26 Network Status Table 123 System Monitor > Network Status > LAN LABEL DESCRIPTION Device Name This displays the system name of the device on the SBG3500-N Series. IP Address This displays the IP address of the device on the SBG3500-N Series.
  • Page 311: Arp Table

    Chapter 27 ARP Table 27.1 Overview Address Resolution Protocol (ARP) is a protocol for mapping an Internet Protocol address (IP address) to a physical machine address, also known as a Media Access Control or MAC address, on the local area network. An IP (version 4) address is 32 bits long.
  • Page 312 Chapter 27 ARP Table Table 124 System Monitor > ARP Table (continued) LABEL DESCRIPTION MAC Address This is the MAC address of the device with the listed IP address. Device This is the type of interface used by the device. You can click on the device type to go to its configuration screen.
  • Page 313: Routing Table

    Chapter 28 Routing Table 28.1 Overview Routing is based on the destination address only and the SBG3500-N Series takes the shortest path to forward a packet. 28.2 The Routing Table Screen Click System Monitor > Routing Table to open the following screen. Figure 163 System Monitor >...
  • Page 314 Chapter 28 Routing Table Table 125 System Monitor > Routing Table (continued) LABEL DESCRIPTION Service This indicates the name of the service used to forward the route. Interface This indicates the name of the interface through which the route is forwarded. br0 indicates the LAN interface.
  • Page 315: Igmp Status

    Chapter 29 IGMP Status 29.1 Overview Use the IGMP Status screens to look at IGMP group status and traffic statistics. 29.2 The IGMP Group Status Screen Use this screen to look at the current list of multicast groups the SBG3500-N Series has joined and which ports have joined it.
  • Page 316: Xdsl Statistics

    Chapter 30 xDSL Statistics 30.1 The xDSL Statistics Screen Use this screen to view detailed DSL statistics. Click System Monitor > xDSL Statistics to open the following screen. Figure 165 System Monitor > xDSL Statistics
  • Page 317 Chapter 30 xDSL Statistics The following table describes the labels in this screen. Table 127 System Monitor > xDSL Statistics LABEL DESCRIPTION Refresh Interval Select the time interval for refreshing statistics. xDSL Training This displays the current state of setting up the DSL connection. Status Mode This displays the ITU standard used for this connection.
  • Page 318 Chapter 30 xDSL Statistics Table 127 System Monitor > xDSL Statistics (continued) LABEL DESCRIPTION Downstream These are the statistics for the traffic direction coming into the port from the service provider. Upstream These are the statistics for the traffic direction going out from the port to the service provider.
  • Page 319: Ap Monitor

    Chapter 31 AP Monitor 31.1 Overview Use the AP Monitor screens to check status and information on the APs that are connected to the SBG3500-N Series. 31.1.1 What You Can Do in this Chapter • The AP List screen (Section 31.2 on page 319) displays which APs are currently connected to the SBG3500-N Series.
  • Page 320: Radio List Screen

    Chapter 31 AP Monitor Table 128 System Monitor > AP Monitor > AP List (continued) LABEL DESCRIPTION This field indicates the AP’s IP address. This field indicates the AP’s MAC address. Model This field indicates the AP’s model number. AC/AP Mgmt This field indicates the Access Controller (the SBG3500-N Series) management VLAN ID VLAN setting for the AP and the runtime management VLAN ID setting on the AP.
  • Page 321: Station List Screen

    Chapter 31 AP Monitor The following table describes the labels in this screen. Table 130 System Monitor > AP Monitor > Radio List LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific profile. Loading This indicates the AP’s load balance status (UnderLoad or OverLoad) when load balancing is enabled on the AP.
  • Page 322 Chapter 31 AP Monitor The following table describes the labels in this screen. Table 132 System Monitor > AP Monitor > Station List LABEL DESCRIPTION This field is a sequential value, and it is not associated with a specific profile. MAC Address This field indicates the station’s MAC address.
  • Page 323: Myzyxel

    Chapter 32 MyZyXEL 32.1 MyZyXEL Overview MyZyXEL.com is ZyXEL’s online services center where you can register your SBG3500-N Series and manage subscription services available for the SBG3500-N Series. To use a subscription service, you have to register the SBG3500-N Series and activate the corresponding service at myZyXEL.com (through the SBG3500-N Series).
  • Page 324 Chapter 32 MyZyXEL Figure 169 Maintenance > MyZyXEL > License Status The following table describes the fields in this screen. Table 133 Maintenance > MyZyXEL > License Status LABEL DESCRIPTION License Status This is the entry’s position in the list. Service This lists the services that are available on the SBG3500-N Series.
  • Page 325: User Account

    Chapter 33 User Account 33.1 Overview Use the User Account screen to manage user accounts, which includes configuring the username, password, retry times, file sharing, captive portal, and customizing the login message. 33.2 The User Account Screen Click Maintenance > User Account to open the following screen. Figure 170 Maintenance >...
  • Page 326: Add/Edit A User Account

    Chapter 33 User Account Table 134 Maintenance > User Account (continued) LABEL DESCRIPTION Lock Period This field indicates the number of minutes for the lockout period. A user cannot log into the SBG3500-N Series during the lockout period, even if he/she enters correct account information.
  • Page 327 Chapter 33 User Account The following table describes the labels in this screen. Table 135 User Account: Add/Edit LABEL DESCRIPTION User Name This field is read-only if you are editing the user account. Enter a descriptive name for the user account. The user name can be up to 15 alphanumeric characters (0-9, A-Z, a-z, -, _ with no spaces).
  • Page 328: Remote Management

    Chapter 34 Remote Management 34.1 Overview Remote Management allows you to manage your SBG3500-N Series from a remote location through the following interfaces: • LAN • WAN • Trust Domain Note: The SBG3500-N Series is managed using the Web Configurator. 34.2 The Remote MGMT Screen Use this screen to configure through which interface(s) users can use which service(s) to manage the SBG3500-N Series.
  • Page 329 Chapter 34 Remote Management The following table describes the fields in this screen. Table 136 Maintenance > Remote MGMT LABEL DESCRIPTION Trust Domain Status This field displays whether the Trust Domain is active or not. IP Address Enter the Trust Domain IP address. Click Add to add an IP address which the computer is allowed to access and manage the SBG3500-N Series.
  • Page 330: Client

    Chapter 35 TR-069 Client 35.1 Overview This chapter explains how to configure the SBG3500-N Series’s TR-069 auto-configuration settings. 35.2 The TR-069 Client Screen TR-069 defines how Customer Premise Equipment (CPE), for example your SBG3500-N Series, can be managed over the WAN by an Auto Configuration Server (ACS). TR-069 is based on sending Remote Procedure Calls (RPCs) between an ACS and a client device.
  • Page 331 Chapter 35 TR-069 Client The following table describes the fields in this screen. Table 137 Maintenance > TR-069 Client LABEL DESCRIPTION Inform Select Enable for the SBG3500-N Series to send periodic inform via TR-069 on the WAN. Otherwise, select Disable. Inform Interval Enter the time interval (in seconds) at which the SBG3500-N Series sends information to the auto-configuration server.
  • Page 332: Snmp

    Chapter 36 SNMP 36.1 The SNMP Agent Screen Simple Network Management Protocol is a protocol used for exchanging management information between network devices. Your SBG3500-N Series supports SNMP agent functionality, which allows a manager station to manage and monitor the SBG3500-N Series through the network. The SBG3500-N Series supports SNMP version one (SNMPv1) and version two (SNMPv2c).
  • Page 333 Chapter 36 SNMP • Get - Allows the manager to retrieve an object variable from the agent. • GetNext - Allows the manager to retrieve the next object variable from a table or list within an agent. In SNMPv1, when a manager wants to retrieve all elements of a table from an agent, it initiates a Get operation, followed by a series of GetNext operations.
  • Page 334: Time

    Chapter 37 Time 37.1 Overview This chapter shows you how to configure system related settings, such as system time, password, name, the domain name and the inactivity timeout interval. 37.2 The Time Screen To change your SBG3500-N Series’s time and date, click Maintenance > Time. The screen appears as shown.
  • Page 335 Chapter 37 Time Figure 176 Maintenance > Time The following table describes the fields in this screen. Table 139 Maintenance > Time LABEL DESCRIPTION Current Date/Time Current Time This field displays the time of your SBG3500-N Series. Each time you reload this page, the SBG3500-N Series synchronizes the time with the time server.
  • Page 336 Chapter 37 Time Table 139 Maintenance > Time (continued) LABEL DESCRIPTION Time zone offset Choose the time zone of your location. This will set the time difference between your time zone and Greenwich Mean Time (GMT). Daylight Saving Daylight Saving Time is a period from late spring to early fall when many countries set their clocks ahead of normal local time by one hour to give more daytime light in the evening.
  • Page 337: E-Mail Notification

    Chapter 38 E-mail Notification 38.1 Overview A mail server is an application or a computer that runs such an application to receive, forward and deliver e-mail messages. To have the SBG3500-N Series send reports, logs or notifications via e-mail, you must specify an e-mail server and the e-mail addresses of the sender and receiver.
  • Page 338 Chapter 38 E-mail Notification Figure 178 Email Notification > Add The following table describes the labels in this screen. Table 141 Email Notification > Add LABEL DESCRIPTION Mail Server Address Enter the server name or the IP address of the mail server for the e-mail address specified in the Account Email Address field.
  • Page 339: Logs Setting

    Chapter 39 Logs Setting 39.1 Overview You can configure where the SBG3500-N Series sends logs and which logs and/or immediate alerts the SBG3500-N Series records in the Logs Setting screen. 39.2 The Log Setting Screen To change your SBG3500-N Series’s log settings, click Maintenance > Logs Setting. The screen appears as shown.
  • Page 340: Example E-Mail Log

    Chapter 39 Logs Setting The following table describes the fields in this screen. Table 142 Maintenance > Logs Setting LABEL DESCRIPTION Syslog Setting Syslog Logging The SBG3500-N Series sends a log to an external syslog server. Select Enable to enable syslog logging. Mode Select the syslog destination from the drop-down list box.
  • Page 341 Chapter 39 Logs Setting • The date format here is Day-Month-Year. • The date format here is Month-Day-Year. The time format is Hour-Minute-Second. • "End of Log" message shows that a complete log has been sent. Figure 180 E-mail Log Example Subject: Firewall Alert From Date:...
  • Page 342: Firmware Upgrade

    Chapter 40 Firmware Upgrade 40.1 Overview This chapter explains how to upload new firmware to your SBG3500-N Series. You can download new firmware releases from your nearest ZyXEL FTP site (or www.zyxel.com) to use to upgrade your device’s performance. Only use firmware for your device’s specific model. Refer to the label on the bottom of your SBG3500-N Series.
  • Page 343 Chapter 40 Firmware Upgrade After you see the firmware updating screen, wait two minutes before logging into the SBG3500-N Series again. Figure 182 Firmware Uploading The SBG3500-N Series automatically restarts in this time causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop. Figure 183 Network Temporarily Disconnected After two minutes, log in again and check your new firmware version in the Status screen.
  • Page 344: Configuration

    Chapter 41 Configuration 41.1 Overview The Configuration screen allows you to back up and restore device configurations. You can also reset your device settings back to the factory default. 41.2 The Configuration Screen Click Maintenance > Configuration. Information related to factory defaults, backup configuration, and restoring configuration appears in this screen, as shown next.
  • Page 345 Chapter 41 Configuration Restore Configuration Restore Configuration allows you to upload a new or previously saved configuration file from your computer to your SBG3500-N Series. Table 144 Restore Configuration LABEL DESCRIPTION File Path Type in the location of the file you want to upload in this field or click Browse ... to find it. Browse...
  • Page 346: The Reboot Screen

    Chapter 41 Configuration Figure 188 Reset Warning Message Figure 189 Reset In Process Message You can also press the RESET button on the rear panel to reset the factory defaults of your SBG3500-N Series. Refer to Section 1.6 on page 24 for more information on the RESET button.
  • Page 347: Diagnostic

    Chapter 42 Diagnostic 42.1 Overview The Diagnostic screens display information to help you identify problems with the SBG3500-N Series. The route between a CO VDSL switch and one of its CPE may go through switches owned by independent organizations. A connectivity fault point generally takes time to discover and impacts subscriber’s network access.
  • Page 348: Ping & Traceroute & Nslookup

    Chapter 42 Diagnostic 42.3 Ping & TraceRoute & NsLookup Use this screen to ping, traceroute, or nslookup an IP address. Click Maintenance > Diagnostic > Ping & TraceRoute & NsLookup to open the screen shown next. Figure 191 Maintenance > Diagnostic > Ping & TraceRoute & NsLookup The following table describes the fields in this screen.
  • Page 349: Oam Ping Test

    Chapter 42 Diagnostic Figure 192 Maintenance > Diagnostic > 802.1ag The following table describes the fields in this screen. Table 146 Maintenance > Diagnostic > 802.1ag LABEL DESCRIPTION 802.1ag Connectivity Fault Management Maintenance Select a level (0-7) under which you want to create an MA. Domain (MD) Level Destination MAC Enter the target device’s MAC address to which the SBG3500-N Series performs a CFM...
  • Page 350 Chapter 42 Diagnostic PVC. The SBG3500-N Series sends an OAM F4 or F5 packet to the DSLAM or ATM switch and then returns it to the SBG3500-N Series. The test result then displays in the text box. ATM sets up virtual circuits over which end systems communicate. The terminology for virtual circuits is as follows: •...
  • Page 351 Chapter 42 Diagnostic Figure 194 Maintenance > Diagnostic > OAM Ping Test The following table describes the fields in this screen. Table 147 Maintenance > Diagnostic > OAM Ping Test LABEL DESCRIPTION Select a PVC on which you want to perform the loopback test. F4 segment Press this to perform an OAM F4 segment loopback test.
  • Page 352: Troubleshooting

    Chapter 43 Troubleshooting This chapter offers some suggestions to solve problems you might encounter. The potential problems are divided into the following categories. • Power, Hardware Connections, and LEDs • SBG3500-N Series Access and Login • Internet Access • Wireless Internet Access •...
  • Page 353: Sbg3500-N Series Access And Login

    Chapter 43 Troubleshooting If the problem continues, contact the vendor. 43.2 SBG3500-N Series Access and Login I forgot the IP address for the SBG3500-N Series. The default LAN IP address is 192.168.1.1. If you changed the IP address and have forgotten it, you might get the IP address of the SBG3500-N Series by looking up the IP address of the default gateway for your computer.
  • Page 354 Chapter 43 Troubleshooting Reset the device to its factory defaults, and try to access the SBG3500-N Series with the default IP address. See Section 1.6 on page If the problem continues, contact the network administrator or vendor, or try one of the advanced suggestions.
  • Page 355: Internet Access

    Chapter 43 Troubleshooting 43.3 Internet Access I cannot access the Internet. Check the hardware connections, and make sure the LEDs are behaving as expected. See the Quick Start Guide and Section 1.3 on page Make sure you entered your ISP account information correctly in the Network Setting > Broadband screen.
  • Page 356: Wireless Internet Access

    Chapter 43 Troubleshooting Make sure you configured a proper Ethernet WAN interface (Network Setting > Broadband > Multi-WAN screen) with the Internet account information provided by your ISP and that it is enabled. Check that the WAN interface you are connected to is in the same interface group as the Ethernet connection (Network Setting >...
  • Page 357: USB Device Connection

    Chapter 43 Troubleshooting • Try closing some programs that use the Internet, especially peer-to-peer applications. If the wireless client is sending or receiving a lot of information, it may have too many programs open that use the Internet. What is a Server Set ID (SSID)? An SSID is a name that uniquely identifies a wireless network.
  • Page 358: UPnP

    Chapter 43 Troubleshooting Re-connect your USB device to the SBG3500-N Series. 43.6 UPnP When using UPnP and the SBG3500-N Series reboots, my computer cannot detect UPnP and refresh My Network Places > Local Network. Disconnect the Ethernet cable from the SBG3500-N Series’s LAN port or from your computer. Re-connect the Ethernet cable.
  • Page 359: Appendix A Setting Up Your Computer's IP Address

    Appendix A Setting up Your Computer’s IP Address All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed. Windows 95/98/Me/NT/2000/XP/Vista, Macintosh OS 7 and later operating systems and all versions of UNIX/LINUX include the software components you need to install and use TCP/IP on your computer.
  • Page 360 Appendix A Setting up Your Computer’s IP Address Installing Components The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks. If you need the adapter: In the Network window, click Add. Select Adapter and then click Add.
  • Page 361 Appendix A Setting up Your Computer’s IP Address Figure 196 Windows 95/98/Me: TCP/IP Properties: IP Address Click the DNS Configuration tab. • If you do not know your DNS information, select Disable DNS. • If you know your DNS information, select Enable DNS and type the information in the fields below (you may not need to fill them all in).
  • Page 362 Appendix A Setting up Your Computer’s IP Address • If you do not know your gateway’s IP address, remove previously installed gateways. • If you have a gateway IP address, type it in the New gateway field and click Add. Click OK to save and close the TCP/IP Properties window.
  • Page 363 Appendix A Setting up Your Computer’s IP Address Figure 199 Windows XP: Control Panel Right-click Local Area Connection and then click Properties. Figure 200 Windows XP: Control Panel: Network Connections: Properties Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and then click Properties. SBG3500-N Series User’s Guide...
  • Page 364 Appendix A Setting up Your Computer’s IP Address Figure 201 Windows XP: Local Area Connection Properties The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP). • If you have a dynamic IP address click Obtain an IP address automatically. •...
  • Page 365 Appendix A Setting up Your Computer’s IP Address If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK. Do one or more of the following if you want to configure additional IP addresses: •...
  • Page 366 Appendix A Setting up Your Computer’s IP Address Figure 204 Windows XP: Internet Protocol (TCP/IP) Properties Click OK to close the Internet Protocol (TCP/IP) Properties window. Click Close (OK in Windows 2000/NT) to close the Local Area Connection Properties window. Close the Network Connections window (Network and Dial-up Connections in Windows 2000/NT).
  • Page 367 Appendix A Setting up Your Computer’s IP Address Figure 205 Windows Vista: Start Menu In the Control Panel, double-click Network and Internet. Figure 206 Windows Vista: Control Panel Click Network and Sharing Center. Figure 207 Windows Vista: Network And Internet Click Manage network connections.
  • Page 368 Appendix A Setting up Your Computer’s IP Address Right-click Local Area Connection and then click Properties. Note: During this procedure, click Continue whenever Windows displays a screen saying that it needs your permission to continue. Figure 209 Windows Vista: Network and Sharing Center Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.
  • Page 369 Appendix A Setting up Your Computer’s IP Address • If you have a static IP address click Use the following IP address and fill in the IP address, Subnet mask, and Default gateway fields. • Click Advanced. Figure 211 Windows Vista: Internet Protocol Version 4 (TCP/IPv4) Properties If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK.
  • Page 370 Appendix A Setting up Your Computer’s IP Address Figure 212 Windows Vista: Advanced TCP/IP Properties In the Internet Protocol Version 4 (TCP/IPv4) Properties window, (the General tab): • Click Obtain DNS server address automatically if you do not know your DNS server IP address(es).
  • Page 371 Appendix A Setting up Your Computer’s IP Address Figure 213 Windows Vista: Internet Protocol Version 4 (TCP/IPv4) Properties 10 Click OK to close the Internet Protocol Version 4 (TCP/IPv4) Properties window. 11 Click Close to close the Local Area Connection Properties window. Close the Network Connections window.
  • Page 372 Appendix A Setting up Your Computer’s IP Address Figure 214 Macintosh OS 8/9: Apple Menu Select Ethernet built-in from the Connect via list. Figure 215 Macintosh OS 8/9: TCP/IP For dynamically assigned settings, select Using DHCP Server from the Configure: list. For statically assigned settings, do the following:
  • Page 373 Appendix A Setting up Your Computer’s IP Address • From the Configure box, select Manually. • Type your IP address in the IP Address box. • Type your subnet mask in the Subnet mask box. • Type the IP address of your SBG3500-N Series in the Router address box. Close the TCP/IP Control Panel.
  • Page 374 Appendix A Setting up Your Computer’s IP Address Figure 217 Macintosh OS X: Network For statically assigned settings, do the following: • From the Configure box, select Manually. • Type your IP address in the IP Address box. • Type your subnet mask in the Subnet mask box. •...
  • Page 375 Appendix A Setting up Your Computer’s IP Address Using the K Desktop Environment (KDE) Follow the steps below to configure your computer IP address using the KDE. Click the Red Hat button (located on the bottom left corner), select System Setting and click Network.
  • Page 376 Appendix A Setting up Your Computer’s IP Address If you know your DNS server IP address(es), click the DNS tab in the Network Configuration screen. Enter the DNS server information in the fields provided. Figure 220 Red Hat 9.0: KDE: Network Configuration: DNS Click the Devices tab.
  • Page 377: Verifying Settings

    Appendix A Setting up Your Computer’s IP Address Figure 222 Red Hat 9.0: Dynamic IP Address Setting in ifconfig-eth0 DEVICE=eth0 ONBOOT=yes BOOTPROTO=dhcp USERCTL=no PEERDNS=yes TYPE=Ethernet • If you have a static IP address, enter static in the BOOTPROTO= field. Type IPADDR= followed by the IP address (in dotted decimal notation) and type NETMASK= followed by the subnet mask.
  • Page 378 Appendix A Setting up Your Computer’s IP Address Figure 226 Red Hat 9.0: Checking TCP/IP Properties [root@localhost]# ifconfig eth0 Link encap:Ethernet HWaddr 00:50:BA:72:5B:44 inet addr:172.23.19.129 Bcast:172.23.19.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:717 errors:0 dropped:0 overruns:0 frame:0 TX packets:13 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:730412 (713.2 Kb) TX bytes:1570 (1.5 Kb)
  • Page 379: Appendix B IP Addresses And Subnetting

    Appendix B IP Addresses and Subnetting This appendix introduces IP addresses and subnet masks. IP addresses identify individual devices on a network. Every networking device (including computers, servers, routers, printers, etc.) needs an IP address to communicate across the network.
  • Page 380: Subnet Masks

    Appendix B IP Addresses and Subnetting Figure 227 Network Number and Host ID How much of the IP address is the network number and how much is the host ID varies according to the subnet mask. Subnet Masks A subnet mask is used to determine which bits are part of the network number, and which bits are part of the host ID (using a logical AND operation).
  • Page 381 Appendix B IP Addresses and Subnetting Subnet masks are expressed in dotted decimal notation just like IP addresses. The following examples show the binary and decimal notation for 8-bit, 16-bit, 24-bit and 29-bit subnet masks. Table 149 Subnet Masks BINARY DECIMAL 4TH OCTET OCTET...
  • Page 382 Appendix B IP Addresses and Subnetting Table 151 Alternative Subnet Mask Notation (continued) ALTERNATIVE LAST OCTET LAST OCTET SUBNET MASK NOTATION (BINARY) (DECIMAL) 255.255.255.224 1110 0000 255.255.255.240 1111 0000 255.255.255.248 1111 1000 255.255.255.252 1111 1100 Subnetting You can use subnetting to divide one network into multiple sub-networks. In the following example a network administrator creates two sub-networks to isolate a group of servers from the rest of the company network for security reasons.
  • Page 383 Appendix B IP Addresses and Subnetting Figure 229 Subnetting Example: After Subnetting In a 25-bit subnet the host ID has 7 bits, so each sub-network has a maximum of 2^7 – 2 or 126 possible hosts (a host ID of all zeroes is the subnet’s address itself, all ones is the subnet’s broadcast address).
  • Page 384 Appendix B IP Addresses and Subnetting Table 153 Subnet 2 LAST OCTET BIT IP/SUBNET MASK NETWORK NUMBER VALUE IP Address 192.168.1. IP Address (Binary) 11000000.10101000.00000001. 01000000 Subnet Mask (Binary) 11111111.11111111.11111111. 11000000 Subnet Address: 192.168.1.64 Lowest Host ID: 192.168.1.65 Broadcast Address: 192.168.1.127 Highest Host ID: 192.168.1.126 Table 154 Subnet 3...
  • Page 385 Appendix B IP Addresses and Subnetting Subnet Planning The following table is a summary for subnet planning on a network with a 24-bit network number. Table 157 24-bit Network Number Subnet Planning NO. “BORROWED” NO. HOSTS PER SUBNET MASK NO. SUBNETS HOST BITS SUBNET 255.255.255.128 (/25)
  • Page 386 Appendix B IP Addresses and Subnetting Once you have decided on the network number, pick an IP address for your SBG3500-N Series that is easy to remember (for instance, 192.168.1.1) but make sure that no other device on your network is using that IP address. The subnet mask specifies the network number portion of an IP address.
  • Page 387: Appendix C Pop-Up Windows, JavaScript And Java Permissions

    Appendix C Pop-up Windows, JavaScript and Java Permissions In order to use the web configurator you need to allow: • Web browser pop-up windows from your device. • JavaScript (enabled by default). • Java permissions (enabled by default). Note: Internet Explorer 6 screens are used here.
  • Page 388 Appendix C Pop-up Windows, JavaScript and Java Permissions Figure 231 Internet Options: Privacy Click Apply to save this setting. Enable Pop-up Blockers with Exceptions Alternatively, if you only want to allow pop-up windows from your device, see the following steps. In Internet Explorer, select Tools, Internet Options and then the Privacy tab.
  • Page 389 Appendix C Pop-up Windows, JavaScript and Java Permissions Figure 232 Internet Options: Privacy Type the IP address of your device (the web page that you do not want to have blocked) with the prefix “http://”. For example, http://192.168.167.1. Click Add to move the IP address to the list of Allowed sites. Figure 233 Pop-up Blocker Settings SBG3500-N Series User’s Guide...
  • Page 390 Appendix C Pop-up Windows, JavaScript and Java Permissions Click Close to return to the Privacy screen. Click Apply to save this setting. JavaScript If pages of the web configurator do not display properly in Internet Explorer, check that JavaScript is allowed. In Internet Explorer, click Tools, Internet Options and then the Security tab.
  • Page 391 Appendix C Pop-up Windows, JavaScript and Java Permissions Figure 235 Security Settings - Java Scripting Java Permissions From Internet Explorer, click Tools, Internet Options and then the Security tab. Click the Custom Level... button. Scroll down to Microsoft VM. Under Java permissions make sure that a safety level is selected. Click OK to close the window.
  • Page 392 Appendix C Pop-up Windows, JavaScript and Java Permissions Figure 236 Security Settings - Java JAVA (Sun) From Internet Explorer, click Tools, Internet Options and then the Advanced tab. Make sure that Use Java 2 for <applet> under Java (Sun) is selected. Click OK to close the window.
  • Page 393 Appendix C Pop-up Windows, JavaScript and Java Permissions Mozilla Firefox Mozilla Firefox 2.0 screens are used here. Screens for other versions may vary. You can enable Java, Javascript and pop-ups in one screen. Click Tools, then click Options in the screen that appears.
  • Page 394: Appendix D Wireless LANs

    Appendix D Wireless LANs Wireless LAN Topologies This section discusses ad-hoc and infrastructure wireless LAN topologies. Ad-hoc Wireless LAN Configuration The simplest WLAN configuration is an independent (Ad-hoc) WLAN that connects a set of computers with wireless adapters (A, B, C). Any time two or more wireless adapters are within range of each other, they can set up an independent network, which is commonly referred to as an ad-hoc network or Independent Basic Service Set (IBSS).
  • Page 395 Appendix D Wireless LANs Figure 241 Basic Service Set An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS). This type of wireless LAN topology is called an Infrastructure WLAN.
  • Page 396 Appendix D Wireless LANs Figure 242 Infrastructure WLAN Channel A channel is the radio frequency(ies) used by wireless devices to transmit and receive data. Channels available depend on your geographical area. You may have a choice of channels (for your region) so you should use a channel different from an adjacent AP (access point) to reduce interference.
  • Page 397 Appendix D Wireless LANs RTS/CTS Figure 243 When station A sends data to the AP, it might not know that the station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations.
  • Page 398 Appendix D Wireless LANs IEEE 802.11g Wireless LAN IEEE 802.11g is fully compatible with the IEEE 802.11b standard. This means an IEEE 802.11b adapter can interface directly with an IEEE 802.11g access point (and vice versa) at 11 Mbps or lower depending on range.
  • Page 399 Appendix D Wireless LANs • User based identification that allows for roaming. • Support for RADIUS (Remote Authentication Dial In User Service, RFC 2138, 2139) for centralized user profile and accounting management on a network RADIUS server. • Support for EAP (Extensible Authentication Protocol, RFC 2486) that allows additional authentication methods to be deployed with no changes to the access point or the wireless clients.
  • Page 400 Appendix D Wireless LANs In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password, they both know. The key is not sent over the network. In addition to the shared key, password information exchanged is also encrypted to protect the network from unauthorized access.
  • Page 401 Appendix D Wireless LANs authentication, EAP-TTLS supports EAP methods and legacy authentication methods such as PAP, CHAP, MS-CHAP and MS-CHAP v2. PEAP (Protected EAP) Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection, then use simple username and password methods through the secured connection to authenticate the clients, thus hiding client identity.
  • Page 402 Appendix D Wireless LANs If both an AP and the wireless clients support WPA2 and you have an external RADIUS server, use WPA2 for stronger data encryption. If you don't have an external RADIUS server, you should use WPA2-PSK (WPA2-Pre-Shared Key) that only requires a single (identical) password entered into each access point, wireless gateway and wireless client.
  • Page 403 Appendix D Wireless LANs messages from six to four (CCMP 4-way handshake) and shortens the time required to connect to a network. Other WPA2 authentication features that are different from WPA include key caching and pre-authentication. These two features are optional and may not be supported in all wireless devices.
  • Page 404 Appendix D Wireless LANs Figure 244 WPA(2) with RADIUS Application Example WPA(2)-PSK Application Example A WPA(2)-PSK application looks as follows. First enter identical passwords into the AP and all wireless clients. The Pre-Shared Key (PSK) must consist of between 8 and 63 ASCII characters or 64 hexadecimal characters (including spaces and symbols).
  • Page 405 Appendix D Wireless LANs Security Parameters Summary Refer to this table to see what other security parameters you should configure for each authentication method or key management protocol type. MAC address filters are not dependent on how you configure these security features. Table 162 Wireless Security Relational Matrix AUTHENTICATION ENCRYPTIO...
  • Page 406 Appendix D Wireless LANs 2.5%. For an unobstructed outdoor site, each 1dB increase in gain results in a range increase of approximately 5%. Actual results may vary depending on the network environment. Antenna gain is sometimes specified in dBi, which is how much the antenna increases the signal power compared to using an isotropic antenna.
  • Page 407: Appendix E IPv6

    Appendix E IPv6 Overview IPv6 (Internet Protocol version 6), is designed to enhance IP address size and features. The increase in IPv6 address size to 128 bits (from the 32-bit IPv4 address) allows up to 3.4 x 10^38 addresses.
  • Page 408 Appendix E IPv6 Global Address A global address uniquely identifies a device on the Internet. It is similar to a “public IP address” in IPv4. A global unicast address starts with a 2 or 3. Unspecified Address An unspecified address (0:0:0:0:0:0:0:0 or ::) is used as the source address when a device does not have its own address.
  • Page 409 Appendix E IPv6 Table 165 Reserved Multicast Address (continued) MULTICAST ADDRESS FF08:0:0:0:0:0:0:0 FF09:0:0:0:0:0:0:0 FF0A:0:0:0:0:0:0:0 FF0B:0:0:0:0:0:0:0 FF0C:0:0:0:0:0:0:0 FF0D:0:0:0:0:0:0:0 FF0E:0:0:0:0:0:0:0 FF0F:0:0:0:0:0:0:0 Subnet Masking Both an IPv6 address and an IPv6 subnet mask are composed of 128-bit binary digits, which are divided into eight 16-bit blocks and written in hexadecimal notation. Hexadecimal uses four bits for each character (1 ~ 10, A ~ F).
  • Page 410 Appendix E IPv6 the time T2 is reached and the server does not respond, the client sends a Rebind message to any available server (S2). For an IA_TA, the client may send a Renew or Rebind message at the client's discretion.
  • Page 411 Appendix E IPv6 • Neighbor advertisement: A response from a node to announce its link-layer address. • Router solicitation: A request from a host to locate a router that can act as the default router and forward packets. • Router advertisement: A response to a router solicitation or a periodical multicast advertisement from a router to advertise its presence and other parameters.
  • Page 412 Appendix E IPv6 sends a group-specific query to the port on which the Done message is received to determine if other devices connected to this port should remain in the group. Example - Enabling IPv6 on Windows XP/2003/Vista By default, Windows XP and Windows 2003 support IPv6. This example shows you how to use the ipv6 install command on Windows XP/2003 to enable IPv6.
  • Page 413 Appendix E IPv6 Click Start and then OK. Now your computer can obtain an IPv6 address from a DHCPv6 server. Example - Enabling IPv6 on Windows 7 Windows 7 supports IPv6 by default. DHCPv6 is also enabled when you enable IPv6 on a Windows 7 computer.
  • Page 414 Appendix E IPv6 Click Close to exit the Local Area Connection Status screen. Select Start > All Programs > Accessories > Command Prompt. Use the ipconfig command to check your dynamic IPv6 address. This example shows a global address (2001:b021:2d::1000) obtained from a DHCP server. C:\>ipconfig Windows IP Configuration Ethernet adapter Local Area Connection:...
  • Page 415: Appendix F Services

    Appendix F Services The following table lists some commonly-used services and their associated protocols and port numbers. • Name: This is a short, descriptive name for the service. You can use this one or create a different one, if you like.
  • Page 416 Appendix F Services Table 166 Examples of Services NAME PROTOCOL PORT(S) DESCRIPTION AH (IPSEC_TUNNEL) User-Defined The IPSEC AH (Authentication Header) tunneling protocol uses this service. 5190 AOL’s Internet Messenger service. AUTH Authentication protocol used by some servers. Border Gateway Protocol. BOOTP_CLIENT DHCP Client.
  • Page 417 Appendix F Services Table 166 Examples of Services (continued) NAME PROTOCOL PORT(S) DESCRIPTION NEW-ICQ 5190 An Internet chat program. NEWS A protocol for news groups. 2049 Network File System - NFS is a client/ server distributed file service that provides transparent file sharing for network environments.
  • Page 418 Appendix F Services Table 166 Examples of Services (continued) NAME PROTOCOL PORT(S) DESCRIPTION SQL-NET 1521 Structured Query Language is an interface to access data on many different types of database systems, including mainframes, midrange systems, UNIX systems and network servers. SSDP 1900 The Simple Service Discovery Protocol...
  • Page 419: Appendix G Legal Information

    The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation. Published by ZyXEL Communications Corporation. All rights reserved.
  • Page 420: ZyXEL Limited Warranty

    Appendix G Legal Information ZyXEL Limited Warranty ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, ZyXEL will, at its discretion, repair or replace the defective products or components without charge for either parts or labor, and to whatever extent it shall deem necessary to restore the product or components to proper operating condition.
  • Page 421 Appendix G Legal Information [Slovak] ZyXEL týmto vyhlasuje, že zariadenia spĺňa základné požiadavky a všetky príslušné ustanovenia Smernice 2012/19/ [Finnish] ZyXEL vakuuttaa täten että laitteet tyyppinen laite on direktiivin 2012/19/EY oleellisten vaatimusten ja sitä koskevien direktiivin muiden ehtojen mukainen. [Swedish] Härmed intygar ZyXEL att denna utrustning står I överensstämmelse med de väsentliga egenskapskrav och övriga relevanta bestämmelser som framgår av direktiv 2012/19/UE.
  • Page 422: Safety Warnings

    Appendix G Legal Information 1. Although Norway, Switzerland and Liechtenstein are not EU member states, the EU Directive 2012/19/UE has also been implemented in those countries. 2. The regulatory limits for maximum output power are specified in EIRP. The EIRP level (in dBm) of a device can be calculated by adding the gain of the antenna used (specified in dBi) to the output power available at the connector (specified in dBm).
  • Page 424: Appendix H Customer Support

    • Brief description of the problem and the steps you took to solve it. Corporate Headquarters (Worldwide) Taiwan • ZyXEL Communications Corporation • http://www.zyxel.com Asia China • ZyXEL Communications (Shanghai) Corp. ZyXEL Communications (Beijing) Corp. ZyXEL Communications (Tianjin) Corp. • http://www.zyxel.cn India • ZyXEL Technology India Pvt Ltd • http://www.zyxel.in Kazakhstan •...
  • Page 425 • ZyXEL Singapore Pte Ltd. • http://www.zyxel.com.sg Taiwan • ZyXEL Communications Corporation • http://www.zyxel.com Thailand • ZyXEL Thailand Co., Ltd • http://www.zyxel.co.th Vietnam • ZyXEL Communications Corporation-Vietnam Office • http://www.zyxel.com/vn/vi Europe Austria • ZyXEL Deutschland GmbH • http://www.zyxel.de
  • Page 426 • ZyXEL BY • http://www.zyxel.by Belgium • ZyXEL Communications B.V. • http://www.zyxel.com/be/nl/ Bulgaria • ZyXEL България • http://www.zyxel.com/bg/bg/ Czech • ZyXEL Communications Czech s.r.o • http://www.zyxel.cz Denmark • ZyXEL Communications A/S • http://www.zyxel.dk Estonia • ZyXEL Estonia • http://www.zyxel.com/ee/et/ Finland •...
  • Page 427 • ZyXEL Communications Poland • http://www.zyxel.pl Romania • ZyXEL Romania • http://www.zyxel.com/ro/ro Russia • ZyXEL Russia • http://www.zyxel.ru Slovakia • ZyXEL Communications Czech s.r.o. organizacna zlozka • http://www.zyxel.sk Spain • ZyXEL Spain • http://www.zyxel.es Sweden • ZyXEL Communications • http://www.zyxel.se Switzerland •...
  • Page 428 Ecuador • ZyXEL Communication Corporation • http://www.zyxel.com/ec/es/ Middle East Egypt • ZyXEL Communication Corporation • http://www.zyxel.com/homepage.shtml Middle East • ZyXEL Communication Corporation • http://www.zyxel.com/homepage.shtml North America • ZyXEL Communications, Inc. - North America Headquarters • http://www.us.zyxel.com/
  • Page 429 Appendix H Customer Support Oceania Australia • ZyXEL Communications Corporation • http://www.zyxel.com/au/en/ Africa South Africa • Nology (Pty) Ltd. • http://www.zyxel.co.za
  • Page 430: Index

    Index Index ACL rule 269, 400 Canonical Format Indicator See CFI activation CCMs firewalls certificate SIP ALG factory default SSID Certificate Authority Address Resolution Protocol See CA. administrator password certificates authentication algorithms creating alternative subnet mask notation public key antenna replacing directional storage space...
  • Page 431 Index copyright CoS technologies EAP Authentication creating certificates ECHO CTS (Clear to Send) e-mail log example CTS threshold 145, 148 Encapsulation customer support PPP over Ethernet encapsulation 101, 288 encryption 150, 402 data fragment threshold 145, 148 DDoS Extended Service Set IDentification 133, 140, 228 default server address Extended Service Set, See ESS...
  • Page 432 Index NAT applications IPSec algorithms hidden node architecture HTTP IPSec. See also VPN. IPv6 102, 407 addressing 102, 128, 407 EUI-64 IANA global address Internet Assigned Numbers Authority interface ID see IANA link-local address Neighbor Discovery Protocol IBSS ping ID type and content prefix 103, 128, 407 IEEE 802.11g...
  • Page 433 Index Loop Back Response, see LBR services SIP ALG loopback activation traversal NAT example negotiation mode Network Address Translation see NAT Network Address Translation, see NAT Network Map MAC address 141, 166 NNTP filter 141, 149 MAC authentication Mac filter Maintenance Association, see MA Maintenance Domain, see MD other documentation...
  • Page 434 Index private IP address RTS (Request To Send) threshold product registration 396, 397 RTS threshold protocol 145, 148 push button Push Button Configuration, see PBC push button, WPS security wireless LAN security associations. See VPN. Security Log Security Parameter Index, see SPI 185, 198 service access control marking...
  • Page 435 Index wireless LAN status indicators unicast subnet Universal Plug and Play, see UPnP subnet mask 160, 177, 380 upgrading firmware subnetting UPnP SYN attack cautions example syslog installation protocol NAT traversal severity levels USB features system firmware version passwords 25, 26 reset status Virtual Local Area Network See VLAN...
  • Page 436 Index passwords WPA2 25, 26 228, 401 user authentication vs WPA2-PSK WEP (Wired Equivalent Privacy) wireless client supplicant WEP Encryption 135, 136 with RADIUS application example WEP encryption WPA2-Pre-Shared Key WEP key WPA2-PSK Wi-Fi Protected Access 228, 401 application example wireless client WPA supplicants WPA-PSK 150, 402...

This manual is also suitable for:

SBG3500-NB00
