Summary of Contents for ZyXEL Communications ZyAIR
Page 1
ZyAIR Wireless Gateway Series User's Guide Version 3.50 July 2003...
Page 2
Trademarks ZyNOS (ZyXEL Network Operating System) is a registered trademark of ZyXEL Communications, Inc. Other trademarks mentioned in this publication are used for identification purposes only and may be properties of their respective owners.
Page 3
Federal Communications Commission (FCC) Interference Statement
This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:
• This device may not cause harmful interference.
• This device must accept any interference received, including interference that may cause undesired operations.
ZyXEL Limited Warranty
ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase. During the warranty period, and...
Customer Support
Please have the following information ready when you contact customer support.
• Product model and serial number.
• Warranty Information.
• Date that you received your device.
• Brief description of the problem and the steps you took to solve it.
Customer Support
List of Figures
List of Tables
Preface
OVERVIEW
Chapter 1 Getting to Know Your ZyAIR
Introducing the ZyAIR Wireless Gateway Series
ZyAIR Features
Application for the ZyAIR
1.3.1 Internet Access Application
Chapter 2 Introducing the Web Configurator...
Page 7
System Overview
Configuring General Setup
Dynamic DNS
4.3.1 DYNDNS Wildcard
Configuring Dynamic DNS
Configuring Password
Configuring Time Setting
Chapter 5 LAN Screens
LAN Overview
LANs and WANs
5.2.1 LANs, WANs and the ZyAIR...
Page 8
7.11 Configuring RADIUS
WAN
Chapter 8 WAN Screens
WAN Overview
Configuring WAN ISP
8.2.1 Ethernet Encapsulation
8.2.2 PPPoE Encapsulation
8.2.3 PPTP Encapsulation
TCP/IP Priority (Metric)
Configuring WAN IP
Configuring WAN MAC
SUA/NAT AND STATIC ROUTE...
Page 10
16.6.3 Back to Factory Defaults
SMT GETTING STARTED MENUS
Chapter 17 Introducing the SMT
17.1 Connect to your ZyAIR Using Telnet
17.2 Connect to Your ZyAIR Using the Console Port
17.2.1 Initial Screen
17.2.2 Entering Password
17.3 Changing the System Password
17.4 ZyAIR SMT Menu Overview Example...
Page 11
19.1.1 General Ethernet Port Filter Setup
19.2 TCP/IP Ethernet and DHCP Setup
19.3 IP Alias
19.3.1 IP Alias Setup
19.4 Wireless LAN Setup
19.4.1 Configuring MAC Address Filter
19.4.2 Configuring Roaming on the ZyAIR
Chapter 20 Internet Access...
Page 12
28.2.6 Backup Configuration Using TFTP
28.2.7 TFTP Command Example
28.2.8 GUI-based TFTP Clients
28.2.9 Backup Via Console Port (only for ZyAIR B-2000)
28.3 Restore Configuration
28.3.1 Restore Using FTP
28.3.2 Restore Using FTP Session Example
28.3.3 Restore Via Console Port (only for ZyAIR B-2000)...
Page 13
28.4.7 Uploading Via Console Port (only for ZyAIR B-2000)
28.4.8 Uploading Firmware File Via Console Port (only for ZyAIR B-2000)
28.4.9 Example Xmodem Firmware Upload Using HyperTerminal
28.4.10 Uploading Configuration File Via Console Port (only for ZyAIR B-2000)
28.4.11 Example Xmodem Configuration Upload Using HyperTerminal...
Page 14
Appendix E Wireless LAN With IEEE 802.1x
Appendix F Types of EAP Authentication
Appendix G Antenna Selection and Positioning Recommendation
Appendix H PPPoE
Appendix I PPTP
Appendix J IP Subnetting
Appendix K Command Interpreter...
Page 16
Figure 9-1 How NAT Works
Figure 9-2 NAT Application with IP Alias
Figure 9-3 Multiple Servers Behind NAT Example
Figure 9-4 SUA/NAT Setup
Figure 9-5 Address Mapping
Figure 9-6 Address Mapping Rule
Figure 10-1 Example of Static Routing Topology
Figure 10-2 IP Static Route Summary...
Page 17
Figure 17-2 Login Screen
Figure 17-3 Menu 23.1 System Security : Change Password
Figure 17-4 ZyAIR B-2000 v.2 SMT Menu Overview Example
Figure 17-5 ZyAIR B-2000 v.2 SMT Main Menu
Figure 18-1 Menu 1 General Setup
Figure 18-2 Menu 1.1 Configure Dynamic DNS
Page 18
Figure 23-4 Menu 15.1 Address Mapping Sets
Figure 23-5 Menu 15.1.255 SUA Address Mapping Rules
Figure 23-6 Menu 15.1.1 Address Mapping Rules
Figure 23-7 Menu 15.1.1.1 Address Mapping Rule
Figure 23-8 Menu 15.2 Port Forwarding Setup
Figure 23-9 NAT Example 1...
Page 19
Figure 27-3 Menu 24.2 System Information and Console Port Speed
Figure 27-4 Menu 24.2.1 System Maintenance : Information
Figure 27-5 Menu 24.2.2 System Maintenance : Change Console Port Speed
Figure 27-6 Menu 24.3 System Maintenance : Log and Trace
Features table in Chapter 1 of this user’s guide to see what features are specific to your ZyAIR model. This User’s Guide is designed to guide you through the configuration of your ZyAIR using the web configurator or the SMT.
Page 25
• The ZyAIR Wireless Gateway series may be referred to simply as the ZyAIR in the user’s guide.
User Guide Feedback
Help us help you. E-mail all User Guide-related comments, questions or suggestions for improvement to techwriters@zyxel.com.tw or send regular mail to The Technical Writing Team, ZyXEL Communications...
Part I: OVERVIEW
This part introduces the main features and applications of the ZyAIR and shows how to access the web configurator and use the Wizard to configure for Internet Access.
ZyAIR Features
The following sections describe the features of the ZyAIR Wireless Gateway series. Features vary by ZyAIR model. This table lists the differences between models; it does not include features that are common to all of the ZyAIR models.
A combination of switch and router makes your ZyAIR a cost-effective and viable network solution. You can connect up to four computers to the LAN ports on your ZyAIR without the cost of a hub.
10/100M Auto-negotiating Ethernet/Fast Ethernet Interface
This auto-negotiating feature allows the ZyAIR to detect the speed of incoming transmissions and adjust appropriately without manual intervention.
Page 31
ZyAIR LED
The blue ZyAIR LED (also known as the Breathing LED) is on when the ZyAIR is on and blinks (or breathes) when data is being transmitted to/from its wireless stations. You may use the web configurator to turn this LED off even when the ZyAIR is on and data is being transmitted/received.
ADSL. The PPPoE driver on the ZyAIR is transparent to the computers on the LAN, which see only Ethernet and are not aware of PPPoE, thus saving you from having to manage PPPoE clients on individual computers.
Page 33
It can assign IP addresses, an IP default gateway and DNS servers to DHCP clients. The ZyAIR also acts as a surrogate DHCP server (DHCP Relay) where it relays IP address assignment from the actual DHCP server to the clients.
Wireless LAN Channel Usage
The Wireless Channel Usage displays whether the radio channels are used by other wireless devices within the transmission range of the ZyAIR. This allows you to select the channel with minimum interference for your ZyAIR.
Application for the ZyAIR
Here is an application example of what you can do with your ZyAIR.
Web Configurator Overview
The web configurator makes it easy to configure and manage the ZyAIR. The screens you see in the web configurator may vary somewhat from the ones shown in this document due to differences between individual ZyAIR models or firmware versions.
If you forget your password or cannot access the ZyAIR, you will need to reload the factory-default configuration file or use the RESET button on the side panel of the ZyAIR. Uploading this configuration file replaces the current configuration file with the factory-default configuration file. This means that you will lose all configurations that you had previously and the speed of the console port will be reset to the default of 9600bps with 8 data bits, no parity, one stop bit and flow control set to none.
This method is only applicable to ZyAIR models with a console port, such as the ZyAIR B-2000.
Step 1. Download the default configuration file from the ZyAIR FTP site, unzip it and save it in a folder.
Step 2. Turn off the ZyAIR, begin a terminal emulation software session and turn on the ZyAIR again.
Navigating the ZyAIR Web Configurator
The following summarizes how to navigate the web configurator from the MAIN MENU screen. The screen may vary slightly between ZyAIR models. Follow the instructions you see in the MAIN MENU screen or click the icon (located in the top right corner of most screens) to view online help.
Wizard Setup
This chapter provides information on the Wizard Setup screens in the web configurator.
Wizard Setup Overview
The web configurator’s setup wizard helps you configure your ZyAIR for Internet access and set up wireless LAN.
3.1.1 Channel
The range of radio frequencies used by IEEE 802.11b wireless devices is called a “channel”. Channels available depend on your geographical area.
Wizard Setup: General Setup
General Setup contains administrative and system-related information.
Figure 3-1 Wizard 1: General Setup
The following table describes the labels in this screen.
Table 3-1 Wizard 1: General Setup
LABEL DESCRIPTION
System Name: It is recommended you type your computer's "Computer name". Some ISPs check this name, so you should enter your computer's "Computer Name". In Windows 95/98 click Start, Settings, Control Panel, Network. Click the Identification tab, note the entry for the Computer Name field and enter it as the System Name.
ESSID Enter a descriptive name (up to 32 printable 7-bit ASCII characters) for the wireless LAN. If you change this field on the ZyAIR, make sure all wireless stations use the same ESSID in order to access the network. Choose To manually set the ZyAIR to use a channel, select a channel from the drop-down list box.
Select this option to enter hexadecimal characters as the WEP keys. The preceding “0x” is entered automatically. Key 1 to Key 4 The WEP keys are used to encrypt data. Both the ZyAIR and the wireless stations must use the same WEP key for data transmission.
Figure 3-3 Wizard 3: Ethernet Encapsulation
The following table describes the labels in this screen.
Table 3-3 Wizard 3: Ethernet Encapsulation
LABEL DESCRIPTION
ISP Parameters for Internet Access
Encapsulation: You must choose the Ethernet option when the WAN port is used as a regular Ethernet.
Password: Type the password associated with the username above.
Login Server IP Address: The ZyAIR will find the Roadrunner Server IP if this field is left blank. If it does not, then you must enter the authentication server IP address.
Figure 3-4 Wizard 3: PPTP Encapsulation
The following table describes the labels in this screen.
Table 3-4 Wizard 3: PPTP Encapsulation
LABEL DESCRIPTION
ISP Parameters for Internet Access
Encapsulation: Select PPTP from the drop-down list box.
By implementing PPPoE directly on the ZyAIR (rather than individual computers), the computers on the LAN do not need PPPoE software installed, since the ZyAIR does that part of the task. Furthermore, with NAT, all of the LAN's computers will have Internet access.
Figure 3-5 Wizard 3: PPPoE Encapsulation
The following table describes the labels in this screen.
Table 3-5 Wizard 3: PPPoE Encapsulation
LABEL DESCRIPTION
ISP Parameter for Internet Access
Encapsulation: Choose an encapsulation method from the pull-down list box. PPPoE forms a dial-up connection.
Nailed Up Connection: Select Nailed Up Connection if you do not want the connection to time out.
Idle Timeout: Type the time in seconds that elapses before the ZyAIR automatically disconnects from the PPPoE server.
Next: Click Next to continue.
Once you have decided on the network number, pick an IP address that is easy to remember, for instance, 192.168.1.1, for your ZyAIR, but make sure that no other device on your network is using that IP address. The subnet mask specifies the network number portion of an IP address. Your ZyAIR will compute the subnet mask automatically based on the IP address that you entered.
ISP does not require MAC address authentication. Your ZyAIR WAN port is always set at half-duplex mode as most cable/DSL modems only support half-duplex mode. Make sure your modem is in half-duplex mode. Your ZyAIR supports full duplex mode on the LAN side.
Figure 3-6 Wizard 4: WAN and DNS
The following table describes the labels in this screen.
Table 3-8 Wizard 4: WAN and DNS
LABEL DESCRIPTION
WAN IP Address Assignment
Get automatically from Select this option if your ISP did not assign you a fixed IP address. This is the default selection.
Click Finish to complete and save the wizard setup. If you are currently using a wireless (LAN) adapter to access this ZyAIR and you made changes to the ESSID, then you will need to make the same changes to your wireless (LAN) adapter after you click the Finish button.
Figure 3-7 Setup Complete
Well done! You have successfully set up your ZyAIR to operate on your network and access the Internet.
Chapter 4 System Screens
This chapter provides information on the System screens.
System Overview
This section provides information on general system setup.
Configuring General Setup
Click ADVANCED and then SYSTEM to open the General screen.
System DNS Servers
First DNS Server, Second DNS: Select From ISP if your ISP dynamically assigns DNS server information (and the ZyAIR's WAN IP address). The field to the right displays the (read-only) DNS server IP address that the ISP assigns.
If you have a private WAN IP address, then you cannot use Dynamic DNS.
Configuring Dynamic DNS
To change your ZyAIR’s DDNS, click ADVANCED, SYSTEM and then the DDNS tab. The screen appears as shown.
Figure 4-2 DDNS...
The screen appears as shown. This screen allows you to change the ZyAIR’s password. If you forget your password (or the ZyAIR IP address), you will need to reset the ZyAIR or upload the default configuration file via console port (on ZyAIR B-2000 only). See the Resetting the ZyAIR section for details.
Configuring Time Setting
To change your ZyAIR’s time and date, click ADVANCED, SYSTEM and then the Time Setting tab. The screen appears as shown. Use this screen to configure the ZyAIR’s time based on your local time zone.
Select the time service protocol that your time server sends when you turn on the ZyAIR. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.
Page 65
(the default is tick.stdtime.gov.tw). Current Time This field displays the time of your ZyAIR. (hh:mm:ss) Each time you reload this page, the ZyAIR synchronizes the time with the time server. New Time This field displays the last updated time from the time server.
5.2.1 LANs, WANs and the ZyAIR
The actual physical connection determines whether the ZyAIR ports are LAN or WAN ports. There are two separate IP networks: one inside, the LAN network, and the other outside, the WAN network, as shown next:
Figure 5-1 LAN &...
DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the ZyAIR as a DHCP server or disable it. When configured as a server, the ZyAIR provides the TCP/IP configuration for the clients. If set to None, DHCP service will be disabled and you must have another DHCP server on your LAN, or else the computer must be manually configured.
(including gateways). All hosts must join the 224.0.0.1 group in order to participate in IGMP. The address 224.0.0.2 is assigned to the multicast routers group. The ZyAIR supports both IGMP version 1 (IGMP-v1) and IGMP version 2 (IGMP-v2). At start up, the ZyAIR queries all directly connected networks to gather group membership. After that, the ZyAIR periodically updates this information.
DHCP Setup (refer to your User's Guide for background information) DHCP Server Select this option to allow your ZyAIR to assign IP addresses, an IP default gateway and DNS servers to Windows 95, Windows NT and other systems that support the DHCP client.
Page 71
(read-only). The ZyAIR tells the DHCP clients on the LAN that the ZyAIR itself is the DNS server. When a computer on the LAN sends a DNS query to the ZyAIR, the ZyAIR forwards the query to the ZyAIR's system DNS server (configured in the SYSTEM General screen) and relays the response back to the computer.
Page 72
Table 5-1 IP
LABEL DESCRIPTION
Reset: Click Reset to reload the previous configuration for this screen.
Chapter 6 Wireless Configuration and Roaming
This chapter discusses how to configure the Wireless and Roaming screens on the ZyAIR.
Wireless LAN Overview
This section introduces the wireless LAN (WLAN) and some basic scenarios.
6.1.1 IBSS
An Independent Basic Service Set (IBSS), also called an Ad-hoc network, is the simplest WLAN configuration.
Figure 6-2 Basic Service set
6.1.3 ESS
An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS).
Figure 6-3 Extended Service Set
Wireless LAN Basics
Refer also to the Wizard Setup chapter for more background information on Wireless LAN features, such as channels.
6.2.1 RTS/CTS
A hidden node occurs when two stations are within range of the same access point, but are not within range of each other.
Figure 6-4 RTS/CTS When station A sends data to the ZyAIR, it might not know that station B is already using the channel. If these two stations send data at the same time, collisions may occur when both sets of data arrive at the AP at the same time, resulting in a loss of messages for both stations.
RTS/CTS size. Configuring Wireless If you are configuring the ZyAIR from a computer connected to the wireless LAN and you change the ZyAIR’s ESSID or WEP settings, you will lose your wireless connection when you press Apply to confirm. You must then change the wireless settings of your computer to match the ZyAIR’s new settings.
Figure 6-5 Wireless
The following table describes the general wireless LAN labels in this screen.
Table 6-1 Wireless
LABEL DESCRIPTION
Enable Wireless LAN: Click the check box to activate wireless LAN.
Set the operating frequency/channel depending on your particular region. Channel ID To manually set the ZyAIR to use a channel, select a channel from the drop-down list box. Click MAINTENANCE, WIRELESS and then the Channel Usage tab to open the Channel Usage screen to make sure the channel is not already used by another AP or independent peer-to-peer wireless network.
In a network environment with multiple access points, wireless stations are able to switch from one access point to another as they move between the coverage areas. This is roaming. As the wireless station moves from place to place, it is responsible for choosing the most appropriate access point depending on the signal strength, network utilization or other factors.
LABEL DESCRIPTION Active Select Yes from the drop-down list box to enable roaming on the ZyAIR if you have two or more ZyAIRs on the same subnet. All APs on the same subnet and the wireless stations must have the same ESSID to allow roaming.
Page 82
APs. The default is 16290. Make sure this port is not used by other services. Apply Click Apply to save your changes back to the ZyAIR. Reset Click Reset to reload the previous configuration for this screen.
WEP provides a mechanism for encrypting data using encryption keys. Both the AP and the wireless stations must use the same WEP key to encrypt and decrypt data. Your ZyAIR allows you to configure up to four 64-bit or 128-bit WEP keys, but only one key can be enabled at any one time.
7.2.2 Authentication
Three different methods can be used to authenticate wireless stations to the network: Open System, Shared Key, and Auto. The following figure illustrates the steps involved.
[Figure: authentication steps between the Access Point and the Wireless Station, beginning with Open System Authentication...]
The same is true for shared key authentication. However, when it is set to auto authentication, the ZyAIR will accept either type of authentication request and the ZyAIR will fall back to use open authentication if the shared key does not match.
Allowed Output Power Set the output power of the ZyAIR in this field. If there is a high density of APs within an area, decrease the output power of the ZyAIR to reduce interference with other APs. The options are 11dBm (50mW), 13dBm (32mW), 15dBm (20mW) or 17dBm (12.6mW).
Click Reset to reload the previous configuration for this screen. MAC Filter The MAC filter screen allows you to configure the ZyAIR to give exclusive access to up to 32 devices (Allow Association) or exclude up to 32 devices from accessing the ZyAIR (Deny Association). Every Ethernet device has a unique MAC (Media Access Control) address.
• Accounting: Keeps track of the client’s network activity.
RADIUS is a simple packet exchange in which your ZyAIR acts as a message relay between the wireless station and the network RADIUS server.
Types of RADIUS Messages
The following types of RADIUS messages are exchanged between the access point and the RADIUS server...
EAP-compatible RADIUS server, the access point helps a wireless station and a RADIUS server perform authentication. The type of authentication you use depends on the RADIUS server or the AP. The ZyAIR supports EAP-TLS, EAP-TTLS and DEAP with RADIUS. Refer to the Types of EAP Authentication appendix for descriptions on the four common types.
EAP-MD5 authentication steps, see the IEEE 802.1x appendix.
• The wireless station sends a “start” message to the ZyAIR.
• The ZyAIR sends a “request identity” message to the wireless station for identity information.
• The wireless station replies with identity information, including username and password.
•...
Introduction to Local User Database By storing user profiles locally on the ZyAIR, your ZyAIR is able to authenticate wireless users without interacting with a network RADIUS server. However, there is a limit on the number of users you may authenticate in this way.
RADIUS server has priority. Idle Timeout The ZyAIR automatically disconnects a wireless station from the wired network after a period of inactivity. The wireless station needs to enter the username and password again before access to the wired network is allowed.
Page 94
RADIUS server for a wireless station's username and password. Select Local first, then RADIUS to have the ZyAIR first check the user database on the ZyAIR for a wireless station's username and password. If the user name is not found, the ZyAIR then checks the user database on the specified RADIUS server.
ZyAIR for authentication. 7.10 Configuring Local User Database To change your ZyAIR’s local user database, click ADVANCED, WIRELESS and then the Local User Database tab. The screen appears as shown (some of the screen’s blank rows are not shown).
Type a password (up to 31 characters) for this user profile. Note that as you type a password, the screen displays a (*) for each character you type.
Apply: Click Apply to save your changes back to the ZyAIR.
Reset: Click Reset to reload the previous configuration for this screen.
7.11 Configuring RADIUS...
Enter a password (up to 31 alphanumeric characters) as the key to be shared between the external accounting server and the ZyAIR. The key must be the same on the external accounting server and your ZyAIR. The key is not sent over the network.
See the Wizard Setup chapter for more background information on most fields in the WAN screens. Background information on WAN fields not included in the Wizard is described here. Configuring WAN ISP To change your ZyAIR’s WAN ISP settings, click ADVANCED, WAN and then the ISP tab. The screen differs by the encapsulation.
RR-Manager (Roadrunner Manager authentication method), RR-Telstra or Telia Login. Choose a Roadrunner service type if your ISP is Time Warner's Roadrunner; otherwise choose Standard. Apply Click Apply to save your changes back to the ZyAIR. Reset Click Reset to begin configuring this screen afresh. Service Type The screen varies according to the service type you select.
Confirm field above was what you intended.
Login Server IP Address: The ZyAIR will find the Roadrunner Server IP address if this field is left blank. If it does not, then you must enter the authentication server IP address.
Login Server: Type the domain name of the Telia login server, for example "login1.telia.com".
DESCRIPTION ISP Parameters for Internet Access Encapsulation The PPP over Ethernet choice is for a dial-up connection using PPPoE. The ZyAIR supports PPPoE (Point-to-Point Protocol over Ethernet). Service Name Type the PPPoE service name provided to you. PPPoE uses a service name to identify and reach the PPPoE server.
Table 8-3 PPPoE Encapsulation LABEL DESCRIPTION Apply Click Apply to save your changes back to the ZyAIR. Reset Click Reset to begin configuring this screen afresh. 8.2.3 PPTP Encapsulation Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables secure transfer of data from a remote client to a private server, creating a Virtual Private Network (VPN) using TCP/IP-based networks.
"1" for directly connected networks. The number must be between "1" and "15"; a number greater than "15" means the link is down. The smaller the number, the lower the "cost". The metric sets the priority for the ZyAIR’s routes to the Internet. If any two of the default routes have the same metric.
Configuring WAN IP
To change your ZyAIR’s WAN IP settings, click ADVANCED, WAN and then the IP tab.
Figure 8-5 IP Setup
The following table describes the labels in this screen.
Table 8-5 IP Setup...
Page 108
Address: Enter the ZyAIR WAN IP address in this field if you selected Use Fixed IP Address.
My WAN IP Subnet Mask: Enter the ZyAIR WAN IP subnet mask (if your ISP gave you one) in this field if you selected Use Fixed IP Address.
Page 109
When set to Both or In Only, the ZyAIR will incorporate RIP information that it receives. When set to None, the ZyAIR will not send any RIP packets and will ignore any RIP packets received. By default, RIP Direction is set to Both.
Reset Click Reset to begin configuring this screen afresh. Configuring WAN MAC To change your ZyAIR’s WAN MAC settings, click ADVANCED, WAN and then the MAC tab. The screen appears as shown. Figure 8-6 MAC Setup The MAC address screen allows users to configure the WAN port's MAC address by either using the factory default or cloning the MAC address from a computer on your LAN.
IP address known within another network. 9.1.1 NAT Definitions Inside/outside denotes where a host is located relative to the ZyAIR. For example, the computers of your subscribers are the inside hosts, while the web servers on the Internet are the outside hosts.
Many-to-One and Many-to-Many Overload NAT mapping) in each packet and then forwards it to the Internet. The ZyAIR keeps track of the original addresses and port numbers so incoming reply packets can have their original values restored. The following figure illustrates this.
9.1.4 NAT Application The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyAIR can communicate with three distinct WAN networks. More examples follow at the end of this chapter. SUA/NAT...
NAT supports five types of IP/port mapping. They are: One to One: In One-to-One mode, the ZyAIR maps one local IP address to one global IP address. Many to One: In Many-to-One mode, the ZyAIR maps multiple local IP addresses to one global IP address.
SUA (Single User Account) is a ZyNOS implementation of a subset of NAT that supports two types of mapping, Many-to-One and Server. The ZyAIR also supports Full Feature NAT to map multiple global IP addresses to multiple private LAN IP addresses of clients or servers using mapping types. Select either SUA Only or Full Feature in WAN IP.
You may enter a single port number or a range of port numbers to be forwarded, and the local IP address of the desired server. The port number identifies a service; for example, web service is on port 80 and FTP on port 21.
Table 9-3 Services and Port Numbers
SERVICES PORT NUMBER POP3 (Post Office Protocol) NNTP (Network News Transport Protocol) SNMP (Simple Network Management Protocol) SNMP trap PPTP (Point-to-Point Tunneling Protocol) 1723
9.2.2 Configuring Servers Behind SUA (Example)
Let's say you want to assign ports 22-25 to one server, port 80 to another and assign a default server IP address of 192.168.1.35 as shown in the next figure.
ZyAIR Wireless Gateway Series User’s Guide If you do not assign a Default Server IP address, then all packets received for ports not specified in this screen will be discarded. Click ADVANCED and then SUA/NAT to open the SUA Server screen.
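The forwarding decision in the example above, modelled as an added example (not ZyXEL code): ports 22-25 go to one server, port 80 to another, and every other port falls through to the default server 192.168.1.35. The server addresses 192.168.1.33 and 192.168.1.34 are assumed, since the page gives only the default server's address; the exposure count shows what setting a default server means for that host.

```python
"""Model of an SUA server table with an optional default server (illustrative)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, Iterable, Optional

MAX_PORT = 65535


@dataclass(frozen=True)
class ServerEntry:
    start_port: int
    end_port: int
    server_ip: IPv4Address

    def __post_init__(self) -> None:
        if not 1 <= self.start_port <= self.end_port <= MAX_PORT:
            raise ValueError(f"bad port range {self.start_port}-{self.end_port}")

    @property
    def size(self) -> int:
        return self.end_port - self.start_port + 1

    def covers(self, port: int) -> bool:
        return self.start_port <= port <= self.end_port


class SuaServerTable:
    def __init__(self, entries: Iterable[ServerEntry],
                 default_server: Optional[str] = None) -> None:
        self.entries = list(entries)
        self.default_server = IPv4Address(default_server) if default_server else None
        # Assumption of this model: overlapping ranges are refused so that a
        # port resolves to exactly one server. The page does not say what the
        # device does with overlaps.
        ordered = sorted(self.entries, key=lambda e: e.start_port)
        for a, b in zip(ordered, ordered[1:]):
            if b.start_port <= a.end_port:
                raise ValueError(f"ranges overlap at port {b.start_port}")

    def resolve(self, dest_port: int) -> Optional[IPv4Address]:
        """Inside host that receives an inbound packet, or None if discarded."""
        for entry in self.entries:
            if entry.covers(dest_port):
                return entry.server_ip
        return self.default_server

    def exposure(self) -> Dict[IPv4Address, int]:
        """Number of inbound ports that reach each inside host."""
        counts: Dict[IPv4Address, int] = {}
        listed = 0
        for entry in self.entries:
            counts[entry.server_ip] = counts.get(entry.server_ip, 0) + entry.size
            listed += entry.size
        if self.default_server is not None:
            # Every port not listed above lands on the default server.
            counts[self.default_server] = (
                counts.get(self.default_server, 0) + MAX_PORT - listed)
        return counts


# Constructed configuration following the page's example.
ENTRIES = [
    ServerEntry(22, 25, IPv4Address("192.168.1.33")),  # assumed address
    ServerEntry(80, 80, IPv4Address("192.168.1.34")),  # assumed address
]
WITH_DEFAULT = SuaServerTable(ENTRIES, default_server="192.168.1.35")
WITHOUT_DEFAULT = SuaServerTable(ENTRIES)

if __name__ == "__main__":
    for port in (23, 80, 3389):
        print(port, WITH_DEFAULT.resolve(port), WITHOUT_DEFAULT.resolve(port))
    for host, n in WITH_DEFAULT.exposure().items():
        print(f"{host}: {n} inbound ports forwarded")
```

With the default server set, 192.168.1.35 receives 65530 ports; without it, only the five listed ports are forwarded at all.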
Click Reset to begin configuring this screen afresh.
Configuring Address Mapping
Ordering your rules is important because the ZyAIR applies the rules in the order that you specify. When a rule matches the current packet, the ZyAIR takes the corresponding action and the remaining rules are ignored.
Figure 9-5 Address Mapping
The following table describes the labels in this screen.
Table 9-5 Address Mapping
LABEL DESCRIPTION
This field displays the index number of the address mapping rule.
Local Start IP: This refers to the Inside Local Address (ILA), that is the starting local IP address. Local IP addresses are N/A for Server port mapping.
Insert: Click Insert to insert a new mapping rule before an existing one.
Edit: Click Edit to go to the Address Mapping Rule screen.
Delete: Click Delete to delete an address mapping rule.
This is the ending global IP address (IGA). This field is N/A for One-to-One, Many-to-One and Server mapping types.
Apply: Click Apply to save your changes back to the ZyAIR.
Cancel: Click Cancel to exit this screen without saving.
For instance, the ZyAIR knows about network N2 in the following figure through remote node Router 1. However, the ZyAIR is unable to route a packet to network N3 because it doesn't know that there is a route through the same remote node Router 1 (via gateway Router 2). The static routes are for you to tell the ZyAIR about the networks beyond the remote nodes.
IP address of one of the remote nodes.
Edit: To set up a static route on the ZyAIR, click the radio button next to the static route index number you want to configure, then click Edit to go to the Static Route - Edit screen.
Delete: To remove a static route on the ZyAIR, click the radio button next to the static route index number you want to remove, then click Delete.
10.2.1 Configuring Route Entry
Select a static route index number and click Edit. The screen shown next appears. Fill in the required information for each static route.
Address: Type the IP address of the gateway. The gateway is an immediate neighbor of your ZyAIR that will forward the packet to the destination. On the LAN, the gateway must be a router on the same segment as your ZyAIR;...
Part V: FIREWALL AND REMOTE MANAGEMENT
This part introduces firewalls in general and the ZyAIR firewall. It also explains custom ports and gives example firewall rules and information on Remote Management.
Chapter 11 Introduction to Firewalls
This chapter gives some background information on firewalls and introduces the ZyAIR firewall. This chapter is not applicable to the ZyAIR B-2000.
11.1 Firewall Overview
Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another.
The ZyAIR firewall is a stateful inspection firewall and is designed to protect against Denial of Service attacks when activated (in SMT menu 21.2 or in the web configurator). The ZyAIR’s purpose is to allow a private Local Area Network (LAN) to be securely connected to the Internet. The ZyAIR can be used to prevent theft, destruction and modification of data, as well as log events, which may be important to the security of your network.
Figure 11-1 ZyAIR Firewall Application
11.4.1 Basics
Computers share information over the Internet using a common language called TCP/IP. TCP/IP, in turn, is a set of application protocols that perform specific functions. An “extension number”, called the "TCP port" or "UDP port"...
Table 11-1 Common IP Ports
Telnet HTTP SMTP POP3
11.4.2 Types of DoS Attacks
There are four types of DoS attacks:
1. Those that exploit bugs in a TCP/IP implementation.
2. Those that exploit weaknesses in the TCP/IP specification.
Figure 11-2 Three-Way Handshake
Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment).
2-b In a LAND Attack, hackers flood SYN packets into the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself.
To engage in IP spoofing, a hacker must modify the packet headers so that it appears that the packets originate from a trusted host and should be allowed through the router or firewall. The ZyAIR blocks all IP Spoofing attempts.
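The two conditions described above, checked over constructed packets, as an added example (not ZyXEL's implementation; the page does not say how the ZyAIR detects them): a SYN whose source and destination addresses are identical is flagged as a LAND packet, and a source address that cannot belong to the interface it arrived on is flagged as spoofed. The LAN subnet 192.168.1.0/24, the WAN address 198.51.100.7 and the interface names "lan" and "wan" are assumptions.

```python
"""Flag LAND and spoofed-source packets from raw IPv4/TCP headers (illustrative)."""
import struct
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

LAN_NET = IPv4Network("192.168.1.0/24")  # assumed LAN subnet
PROTO_TCP = 6
TCP_SYN, TCP_ACK = 0x02, 0x10


def build_packet(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Constructed 20-byte IPv4 header plus 20-byte TCP header (checksums 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     PROTO_TCP, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + tcp


def parse(raw: bytes) -> Tuple[IPv4Address, IPv4Address, int, Optional[int]]:
    """Return (source, destination, protocol, TCP flags or None)."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes, options included
    if ihl < 20 or len(raw) < ihl:
        raise ValueError("bad IPv4 header length")
    flags = None
    if proto == PROTO_TCP:
        if len(raw) < ihl + 14:
            raise ValueError("truncated TCP header")
        flags = raw[ihl + 13]  # flag byte of the TCP header
    return IPv4Address(src), IPv4Address(dst), proto, flags


def classify(raw: bytes, in_iface: str) -> List[str]:
    """Findings for one packet received on in_iface ('lan' or 'wan')."""
    src, dst, proto, flags = parse(raw)
    findings = []
    # LAND: an initial SYN that claims to come from the host it is sent to.
    if (proto == PROTO_TCP and flags & TCP_SYN and not flags & TCP_ACK
            and src == dst):
        findings.append("land")
    # Spoofing: the source address does not fit the receiving interface.
    inside = src in LAN_NET
    if (in_iface == "wan" and inside) or (in_iface == "lan" and not inside):
        findings.append("spoofed-source")
    return findings


# Constructed sample traffic: (receiving interface, raw packet).
SAMPLES = [
    ("lan", build_packet("192.168.1.33", "203.0.113.10", 40000, 23, TCP_SYN)),
    ("wan", build_packet("203.0.113.10", "198.51.100.7", 23, 40000,
                         TCP_SYN | TCP_ACK)),
    ("wan", build_packet("198.51.100.7", "198.51.100.7", 80, 80, TCP_SYN)),
    ("wan", build_packet("192.168.1.35", "198.51.100.7", 1025, 80, TCP_SYN)),
    ("lan", build_packet("10.9.9.9", "203.0.113.10", 1026, 80, TCP_SYN)),
]


def scan(samples=SAMPLES) -> List[List[str]]:
    return [classify(raw, iface) for iface, raw in samples]


if __name__ == "__main__":
    for (iface, _), findings in zip(SAMPLES, scan()):
        print(iface, findings or "ok")
```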
Figure 11-5 Stateful Inspection
The previous figure shows the ZyAIR’s default firewall rules in action and demonstrates how stateful inspection works. User A can initiate a Telnet session from within the LAN and responses to this request are allowed.
Chapter 12 Firewall Screens
This chapter shows you how to configure your ZyAIR firewall. This chapter is not applicable to the ZyAIR B-2000.
12.1 Access Methods
The web configurator is, by far, the most comprehensive firewall configuration tool your ZyAIR has to offer.
If you configure firewall rules without a good understanding of how they work, you might inadvertently introduce security risks to the firewall and to the protected network. Make sure you test your rules after you configure them.
This section describes examples for firewall rules for connections going from LAN to WAN and from WAN to LAN. LAN to LAN/ZyAIR and WAN to WAN/ZyAIR rules apply to packets coming in on the associated interface (LAN or WAN respectively). LAN to LAN/ZyAIR means policies for LAN-to-ZyAIR (the policies for managing the ZyAIR through the LAN interface) and policies for LAN-to-LAN (the policies that control routing between two subnets on the LAN).
12.4.1 LAN to WAN Rules
The default rule for LAN to WAN traffic is that all users on the LAN are allowed non-restricted access to the WAN. When you configure a LAN to WAN rule, you in essence want to limit some or all users from accessing certain services on the WAN.
The firewall is automatically enabled when you configure blocked services. When you configure a remote management menu to allow access to the ZyAIR, a firewall rule (WAN-to-WAN) is automatically created. Click ADVANCED and FIREWALL to open the Settings screen. Enable (or activate) the firewall by selecting the Enable Firewall check box as seen in the following screen.
LABEL DESCRIPTION
Enable Firewall: Select this check box to activate the firewall. The ZyAIR performs access control and protects against Denial of Service (DoS) attacks when the firewall is activated.
LAN to WAN: To log packets related to firewall rules, make sure that Access Control under Log is selected in the Logs, Log Settings screen.
Active X components, Java applets and cookies. Finally you can schedule when the ZyAIR performs content filtering by day and time. Click ADVANCED, FIREWALL and then the Filter tab to open the Filter screen.
Figure 12-4 Firewall Filter
The following table describes the labels in this screen.
Table 12-2 Firewall Filter
LABEL DESCRIPTION
Restrict Web Features: Select the categories of web features that you want to restrict.
ActiveX: ActiveX is a tool for building dynamic and active Web pages and distributed object applications. When you visit an ActiveX Web site, ActiveX controls are downloaded to your browser, where they remain in case you visit the site again.
12.5.2 Configuring Firewall Services
Click ADVANCED, FIREWALL and then the Services tab to open the Services screen. Use this screen to enable service blocking, enter/delete/modify the services you want to block and the date/time you want to block them.
Table 12-3 Creating/Editing A Firewall Rule
LABEL DESCRIPTION
Enable Services Blocking: Select the check box to activate service blocking.
Available Services: This is a list of pre-defined services (ports) you may prohibit your LAN computers from using.
The Available Services list box in the Services screen (see Figure 12-5) displays all predefined services that the ZyAIR already supports. Next to the name of the service, two fields appear in brackets. The first field indicates the IP protocol type (TCP, UDP, or ICMP). The second field indicates the IP port number that defines the service.
Table 12-4 Predefined Services
SERVICE DESCRIPTION
NNTP(TCP:119): Network News Transport Protocol is the delivery mechanism for the USENET newsgroup service.
PING(ICMP:0): Packet INternet Groper is a protocol that sends out ICMP echo requests to test whether or not a remote host is reachable.
TFTP(UDP:69): Trivial File Transfer Protocol is an Internet file transfer protocol similar to FTP, but uses the UDP (User Datagram Protocol) rather than TCP (Transmission Control Protocol).
VDOLIVE(TCP:7000): Another videoconferencing solution.
ZyAIR B-2000.
13.1 Remote Management Overview
Remote management allows you to determine which services/protocols can access which ZyAIR interface (if any) from which computers. You can customize the service port, access interface and the secured client IP address to enhance security and flexibility.
There is a system timeout of five minutes (three hundred seconds) for either the console port or telnet/web/FTP connections. Your ZyAIR automatically logs you out if you do nothing in this timeout period, except when it is continuously updating the status in menu 24.1 or when sys stdio has been changed on the command line.
Select the interface(s) through which a computer may access the ZyAIR using this service.
Secured Client IP Address: A secured client is a “trusted” computer that is allowed to communicate with the ZyAIR using this service. Select All to allow any computer to access the ZyAIR using this service.
13.4 Configuring FTP
You can upload and download the ZyAIR’s firmware and configuration files using FTP. Please see the chapter on firmware and configuration file maintenance for details. To use this feature, your computer must have an FTP client.
Reset: Click Reset to begin configuring this screen afresh.
13.5 Configuring WWW
To change your ZyAIR’s World Wide Web settings, click ADVANCED, REMOTE MANAGEMENT and then the WWW tab. The screen appears as shown.
Figure 13-4 WWW
The following table describes the labels in this screen.
Simple Network Management Protocol is a protocol used for exchanging management information between network devices. SNMP is a member of the TCP/IP protocol suite. Your ZyAIR supports SNMP agent functionality, which allows a manager station to manage and monitor the ZyAIR through the network. The ZyAIR supports SNMP version one (SNMPv1) and version two c (SNMPv2c).
An SNMP managed network consists of two main types of component: agents and a manager. An agent is a management software module that resides in a managed device (the ZyAIR). An agent translates the local management information from the managed device into a form compatible with SNMP.
Trap - Used by the agent to inform the manager of some events.
13.6.1 Supported MIBs
The ZyAIR supports MIB II that is defined in RFC-1213 and RFC-1215. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance.
13.6.3 REMOTE MANAGEMENT: SNMP
To change your ZyAIR’s SNMP settings, click ADVANCED, REMOTE MANAGEMENT and then the SNMP tab. The screen appears as shown.
Figure 13-6 SNMP
The following table describes the labels in this screen.
Enter the Set community, which is the password for incoming Set requests from the management station.
Trusted Host: If you enter a trusted host, your ZyAIR will only respond to SNMP messages from this address. A blank (default) field means your ZyAIR will respond to all SNMP messages it receives, regardless of source.
Security tab. The screen appears as shown. If an outside user attempts to probe an unsupported port on your ZyAIR, an ICMP response packet is automatically returned. This allows the outside user to know the ZyAIR exists. The ZyAIR series support...
to requests for unauthorized: Select this option to prevent hackers from finding the ZyAIR by probing for unused ports. If you select this option, the ZyAIR will not send ICMP response packets to port request(s) for unused ports, thus leaving the unused ports and the ZyAIR unseen.
Chapter 14 UPnP Screen
This chapter introduces the Universal Plug and Play feature.
14.1 Universal Plug and Play Overview
Universal Plug and Play (UPnP) is a distributed, open networking standard that uses TCP/IP for simple peer-to-peer network connectivity between devices.
14.1.3 Cautions with UPnP
The automated nature of NAT traversal applications in establishing their own services and opening firewall ports may present network security issues. Network information and configuration may also be obtained and modified by users in some network environments.
and Play (UPnP) feature: Select this check box to activate UPnP. Be aware that anyone could use a UPnP application to open the web configurator's login screen without entering the ZyAIR's IP address (although you must still enter the password to access the web configurator).
Allow users to make...
LABEL DESCRIPTION
Allow UPnP to pass through Firewall: Select this check box to create a static LAN to LAN/ZyAIR rule that allows forwarding of ports 1900 and 80. Selecting this check box also creates a dynamic firewall rule every time a NAT forwarding port is reserved for UPnP.
Step 3. In the Communications window, select the Universal Plug and Play check box in the Components selection box.
Step 4. Click OK to go back to the Add/Remove Programs Properties window and click Next.
This section shows you how to use the UPnP feature in Windows XP. You must already have UPnP installed in Windows XP and UPnP activated on the ZyAIR. Make sure the computer is connected to a LAN port of the ZyAIR. Turn on your computer and the ZyAIR.
14.5.1 Auto-discover Your UPnP-enabled Network Device
Step 1.
Step 3. In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created.
Step 4. You may edit or delete the port mappings or click Add to manually add port mappings.
14.5.2 Web Configurator Easy Access
With UPnP, you can access the web-based configurator on the ZyAIR without finding out the IP address of the ZyAIR first. This is helpful if you do not know the IP address of the ZyAIR.
Step 1. Click start and then Control Panel.
Step 2. Double-click Network Connections.
Step 3. Select My Network Places under Other Places.
Step 4. An icon with the description for each UPnP-enabled device displays under Local Network.
Step 6. Right-click the icon for your ZyAIR and select Properties. A properties window displays with basic information about the ZyAIR.
15.1 Using the View Log Screen
The web configurator allows you to look at all of the ZyAIR’s logs in one location. Click ADVANCED and then LOGS to open the View Log screen. Use the View Log screen to see the logs for the categories that you selected in the Log Settings screen (see section 15.2).
Figure 15-1 View Log
The following table describes the labels in this screen.
Table 15-1 View Log
LABEL DESCRIPTION
Display: Select a log category from the drop down list box to display logs within the selected category.
Use the Log Settings screen to configure where the ZyAIR sends the logs, the schedule for sending them, and which logs and/or immediate alerts the ZyAIR sends.
The following table describes the labels in this screen.
Table 15-2 Log Settings
LABEL DESCRIPTION
Address Info
Mail Server: Enter the server name or the IP address of the mail server for the e-mail addresses specified below.
Click Reset to begin configuring this screen afresh.
15.3 Configuring Reports
To change your ZyAIR’s log reports, click ADVANCED, LOGS and then the Reports tab. The screen appears as shown. The Reports screen displays which computers on the LAN send and receive the most traffic, what kinds of traffic are used the most and which web sites are visited the most often.
The ZyAIR records web site hits by counting the HTTP GET packets. Many web sites include HTTP GET references to other web sites and the ZyAIR may count these as hits, thus the web hit count is not (yet) 100% accurate.
Hits
15.3.1 Viewing Protocol/Port
In the Reports screen, select Protocol/Port from the Report Type drop-down list box to have the ZyAIR record and display which protocols or service ports have been used the most and the amount of traffic for the most used protocols or service ports.
Protocol/Port: This column lists the protocols or service ports for which the most traffic has gone through the ZyAIR. The protocols or service ports are listed in descending order with the most used protocol or service port listed first.
Start Collection/...
In the Reports screen, select LAN IP Address from the Report Type drop-down list box to have the ZyAIR record and display the LAN IP addresses that the most traffic has been sent to and/or from and how much traffic has been sent to and/or from those IP addresses.
Table 15-5 LAN IP Address Report
LABEL DESCRIPTION
Start Collection/ Stop Collection: The button text shows Start Collection when the ZyAIR is not recording report data and Stop Collection when the ZyAIR is recording report data.
ZyAIR.
16.2 System Status Screen
Click MAINTENANCE to open the System Status screen, which you can use to monitor your ZyAIR. Note that these fields are READ-ONLY and are meant to be used for diagnostic purposes.
Figure 16-1 System Status
The following table describes the labels in this screen.
Version: This is the ZyNOS Firmware version and the date created. ZyNOS is ZyXEL's proprietary Network Operating System design.
Routing Protocols: This shows the routing protocol – IP for which the ZyAIR is configured.
WAN Port
IP Address: This is the WAN port IP address.
DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the ZyAIR as a DHCP server or disable it. When configured as a server, the ZyAIR provides the TCP/IP configuration for the clients. If set to None, DHCP service will be disabled and you must have another DHCP server on your LAN, or else the computer must be manually configured.
Refresh: Click Refresh to reload the DHCP table.
16.4 Wireless Screen
View the wireless stations that are currently associated to the ZyAIR in the Association List screen. Click MAINTENANCE and then WIRELESS to display the screen as shown next.
This is the index number of an associated wireless station.
MAC Address: This field displays the MAC address of an associated wireless station.
Association Time: This field displays the time a wireless station first associated with the ZyAIR.
Refresh: Click Refresh to reload the screen.
16.4.1 Channel Usage
The Channel Usage screen displays whether a channel is used by another wireless network or not.
Figure 16-5 Channel Usage (ZyAIR B-2000)
The following table describes the labels in this screen.
Table 16-5 Channel Usage (ZyAIR B-2000)
LABEL DESCRIPTION
Channel: This is the index number of the channel currently used by the associated AP in an Infrastructure wireless network or wireless station in an Ad-Hoc wireless network.
Figure 16-6 Channel Usage
The following table describes the labels in this screen.
Table 16-6 Channel Usage
LABEL DESCRIPTION
This is the Service Set IDentification name of the AP in an infrastructure wireless network or wireless station in an Ad-Hoc wireless network.
(usually) uses the system model name with a "*.bin" extension, e.g., "zyair.bin". The upload process uses HTTP (Hypertext Transfer Protocol) and may take up to two minutes. After a successful upload, the system will reboot. See the Firmware and Configuration File Maintenance chapter for upgrading firmware using FTP/TFTP commands.
After you see the Firmware Upload in Process screen, wait two minutes before logging into the device again.
Figure 16-8 Firmware Upload In Process
The ZyAIR automatically restarts in this time causing a temporary network disconnect. In some operating systems, you may see the following icon on your desktop.
Figure 16-9 Network Temporarily Disconnected...
16.6.1 Backup Configuration
Backup configuration allows you to back up (save) the current system (ZyAIR) configuration to your computer. Backup is highly recommended once your ZyAIR is functioning properly. Click Backup to save your current ZyAIR configuration to your computer.
Restore configuration replaces your ZyAIR's current configuration (content filters, firewall settings, etc.) with a previously saved configuration. Restore files (usually) have a .ROM extension, e.g., "zyair.rom". The system reboots automatically after the file transfer is complete and uses the configured values in the file.
If you uploaded the default configuration file you may need to change the IP address of your computer to be in the same subnet as that of the default ZyAIR IP address (192.168.1.1). See the appendix for details on how to set up your computer’s IP address.
16.6.3 Back to Factory Defaults
Clicking the Reset button in this section clears all user-entered configuration information and returns the ZyAIR to its factory defaults as shown on the screen. This will erase all configurations that you have applied. Click the Default tab to display the screen shown next.
Figure 16-17 Reset Warning Message
You can also press the RESET button on the side panel to reset the factory defaults of your ZyAIR. Refer to the Resetting the ZyAIR section for more information on the RESET button.
Part VIII: SMT GETTING STARTED MENUS
This part introduces the SMT (System Management Terminal) and discusses the “Getting Started” SMT menus. See the web configurator parts of this guide for background information on features configurable by web configurator and SMT.
The following procedure details how to telnet into your ZyAIR.
Step 1. Make sure your computer IP address and the ZyAIR IP address are on the same subnet. Refer to the Setting Up Your Computer IP Address appendix.
Step 2.
ZyAIR will automatically log you out.
17.2.1 Initial Screen
When you turn on your ZyAIR, it performs several internal tests as well as line initialization. After the initialization, the ZyAIR asks you to press [ENTER] to continue, as shown.
Note that as you type a password, the screen displays an asterisk “*” for each character you type.
17.4 ZyAIR SMT Menu Overview Example
We use the ZyAIR B-2000 v.2 SMT menus in this guide as an example. The SMT menus for your model may vary slightly for different ZyAIR wireless gateway models.
Figure 17-4 ZyAIR B-2000 v.2 SMT Menu Overview Example
17.5 Navigating the SMT Interface
Several operations that you should be familiar with before you attempt to modify the configuration are listed in the table below.
Table 17-1 Main Menu Commands
OPERATION KEYSTROKE DESCRIPTION...
Static Routing Setup: Use this menu to set up static routes.
Dial-in User Setup: Use this menu to set up local user profiles on the ZyAIR.
NAT Setup: Use this menu to specify inside servers when NAT is enabled.
Filter and Firewall Setup: Use this menu to set up filters and firewall to provide security, etc.
Table 17-2 Main Menu Summary
MENU TITLE DESCRIPTION
Exit: Use this to exit from SMT and return to a blank screen.
To use this service, you must register with the Dynamic DNS service provider. The Dynamic DNS service provider will give you a password or key. The ZyAIR supports www.dyndns.org. You can apply to this service provider for Dynamic DNS service.
Menu 1 - General Setup
System Name=
Domain Name= zyxel.com.tw
First System DNS Server= From ISP
IP Address= N/A
Second System DNS Server= From ISP
IP Address= N/A
Third System DNS Server= None
IP Address= N/A...
Table 18-1 Menu 1 General Setup
FIELD DESCRIPTION EXAMPLE
Edit Dynamic DNS: Press [SPACE BAR] to select Yes and press [ENTER] to configure Menu 1.1 – Configure Dynamic DNS (discussed next).
When you have completed this menu, press [ENTER] at the prompt “Press ENTER to Confirm…” to save your configuration, or press [ESC] at any time to cancel.
IP address of the host name(s) with the ZyAIR’s WAN IP address. DDNS does not work with a private IP address. When both fields are set to No, the ZyAIR must have a public WAN IP address in order for DDNS to work.
User Specified IP Address: IP address of the host name(s) to the IP address specified below. Only select Yes if the ZyAIR uses or is behind a static public IP address.
IP Address: Enter the static public IP address if you select Yes in the User Specified IP Addr field.
Table 18-3 Menu 2 WAN Setup
FIELD DESCRIPTION EXAMPLE
Assigned By: Press [SPACE BAR] to select Factory default and press [ENTER] to use the factory assigned MAC address. Select IP address attached on LAN and enter the IP address in the IP Address field below to clone the MAC address of the computer on the Ethernet. Example: Factory default
Chapter 19 LAN Setup
This chapter shows you how to configure the LAN on your ZyAIR.
19.1 LAN Setup
This section describes how to configure the Ethernet using Menu 3 – LAN Setup. From the main menu, enter 3 to display menu 3.
19.2 TCP/IP Ethernet and DHCP Setup
Use menu 3.2 to configure your ZyAIR for TCP/IP. To edit menu 3.2, enter 3 from the main menu to display Menu 3-Ethernet Setup. When menu 3 appears, press 2 and press [ENTER] to display Menu 3.2-TCP/IP and DHCP Ethernet Setup, as shown next...
(default) If set to None, the DHCP server will be disabled. If set to Relay, the ZyAIR acts as a surrogate DHCP server and relays DHCP requests and responses between the remote server and the clients. Enter the IP address of the actual, remote DHCP server in the Remote DHCP Server in this case.
IP Alias allows you to partition a physical network into different logical networks over the same Ethernet interface. The ZyAIR supports three logical LAN interfaces via its single physical Ethernet interface with the ZyAIR itself as the gateway for each LAN network.
19.3.1 IP Alias Setup
Use menu 3.2 to configure the first network. Move the cursor to Edit IP Alias field and press [SPACE BAR] to choose Yes and press [ENTER] to configure the second and third network.
19.4 Wireless LAN Setup
Use menu 3.5 to set up your ZyAIR as the wireless access point. To edit menu 3.5, enter 3 from the main menu to display Menu 3 – LAN Setup. When menu 3 appears, press 5 and then press [ENTER] to display Menu 3.5 –...
Select 64-bit WEP or 128-bit WEP to enable data encryption.
Default Key: Enter the key number (1 to 4) in this field. Only one key can be enabled at any one time. This key must be the same on the ZyAIR and the wireless stations to communicate.
[ESC] to cancel and go back to the previous screen.
19.4.1 Configuring MAC Address Filter
Your ZyAIR checks the MAC address of the wireless station device against a list of allowed or denied MAC addresses. However, intruders could fake allowed MAC addresses so MAC-based authentication is less secure than EAP authentication.
Define the filter action for the list of MAC addresses in the MAC address filter table. To deny access to the ZyAIR, press [SPACE BAR] to select Deny Association and press [ENTER]. MAC addresses not listed will be allowed to access the router.
19.4.2 Configuring Roaming on the ZyAIR
Enable the roaming feature if you have two or more ZyAIRs on the same subnet. Follow the steps below to allow roaming on your ZyAIR.
Step 1. From the main menu, enter 3 to display Menu 3 – LAN Setup.
FIELD DESCRIPTION
Active: Press [SPACE BAR] and then [ENTER] to select Yes to enable roaming on the ZyAIR if you have two or more ZyAIRs on the same subnet.
Port #: Enter the port number to communicate roaming information between access points. The port number must be the same on all access points.
Menu 4 allows you to enter the Internet Access information in one screen. Menu 4 is actually a simplified setup for one of the remote nodes that you can access in menu 11. Before you configure your ZyAIR for Internet access, you need to collect your Internet account information from your ISP and telephone company.
Network Address Translation= SUA Only
Press ENTER to Confirm or ESC to Cancel:
Figure 20-1 Menu 4 Internet Access Setup
The following table contains instructions on how to configure your ZyAIR for Internet access.
Table 20-2 Menu 4 Internet Access Setup
FIELD...
] at any time to cancel. If all your settings are correct your ZyAIR should connect automatically to the Internet. If the connection fails, note the error message that you receive on the screen and take the appropriate troubleshooting steps.
Part IX: SMT ADVANCED APPLICATION MENUS
This part shows how to configure Remote Node, Static Routing, Dial-in User and NAT.
The ZyAIR does two things when you specify a nailed-up connection. The first is that idle timeout is disabled. The second is that the ZyAIR will try to bring up the connection when turned on and whenever the connection is down. A nailed-up connection can be very expensive for obvious reasons.
ZyAIR Wireless Gateway Series User’s Guide Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Active= Yes Encapsulation= PPTP Edit IP= No Service Type= Standard Telco Option: Service Name= N/A Allocated Budget(min)= 0 Outgoing: Period(hr)= 0 My Login=...
Page 239
Table 21-1 Menu 11.1 Remote Node Profile FIELD DESCRIPTION EXAMPLE Outgoing: My Login Type the login name assigned by your ISP when the ZyAIR calls this remote node. My Password Type the password assigned by your ISP when the ZyAIR calls this remote node. Authen This field sets the authentication protocol used for outgoing calls.
Idle Timeout (sec) Type the number of seconds (0-9999) that can elapse when the ZyAIR is idle (there is no traffic going to the remote node), before (default) the ZyAIR automatically disconnects the remote node. 0 means that the session will not timeout.
IP network numbers for the WAN and LAN links and each end to have a unique address within the WAN network number. In that case, type the IP address assigned to the WAN port of your ZyAIR.
Use Menu 11.5 - Remote Node Filter to specify the filter set(s) to apply to the incoming and outgoing traffic between this remote node and the ZyAIR and also to prevent certain packets from triggering calls. You can specify up to 4 filter sets separated by comma, for example, 1, 5, 9, 12, in each filter field.
Each remote node specifies only the network to which the gateway is directly connected and the ZyAIR has no knowledge of the networks beyond. For instance, the ZyAIR knows about network N2 in the following figure through remote node Router 1.
Configuration Step 1. To configure an IP static route, use Menu 12 - Static Route Setup as shown next. Menu 12 - IP Static Route Setup 1. ________ 2. ________ 3. ________ 4. ________ 5.
Type the IP address of the gateway. The gateway is an immediate neighbor of your ZyAIR that will forward the packet to the destination. On the LAN, the gateway must be a router on the same segment as your ZyAIR; over WAN, the gateway must be the IP address of one of the remote nodes.
This chapter shows you how to create user accounts on the ZyAIR. 22.1 Dial-in User Setup By storing user profiles locally, your ZyAIR is able to authenticate wireless users without interacting with a network RADIUS server. Follow the steps below to set up user profiles on your ZyAIR.
Table 22-1 Menu 14.1- Edit Dial-in User FIELD DESCRIPTION User Name Enter a username up to 31 alphanumeric characters long for this user profile. This field is case sensitive. Active Press [SPACE BAR] to select Yes and press [ENTER] to enable the user profile.
Chapter 23 Network Address Translation (NAT) This chapter discusses how to configure NAT on the ZyAIR. 23.1 Introduction NAT (Network Address Translation, RFC 1631) is the translation of the IP address of a host in a packet, for example, the source address of an outgoing packet, used within one network to a different IP address known within another network.
Press [SPACE BAR] and then [ENTER] to select Full Feature if you Full Feature Address have multiple public WAN IP addresses for your ZyAIR. Mapping Select None to disable NAT. When you select SUA Only, the SMT uses Address Mapping Set 255 (menu 15.1 - see Section 23.2.1).
Menu 15 – NAT Setup 1. Address Mapping Sets 2. Port Forwarding Setup 3. Trigger Port Setup Enter Menu Selection Number: Figure 23-3 Menu 15 NAT Setup 23.2.1 Address Mapping Sets Enter 1 to bring up Menu 15.1 – Address Mapping Sets.
Menu 15.1.1 - Address Mapping Rules Set Name= SUA Local Start IP Local End IP Global Start IP Global End IP Type --------------- --------------- --------------- --------------- ------ 0.0.0.0 255.255.255.255 0.0.0.0 0.0.0.0 Server Figure 23-5 Menu 15.1.255 SUA Address Mapping Rules The following table explains the fields in this menu.
User-Defined Address Mapping Sets Now let’s look at option 1 in menu 15.1. Enter 1 to bring up this menu. We’ll just look at the differences from the previous menu. Note the extra Action and Select Rule fields mean you can configure rules in this screen.
You must press [ENTER] at the bottom of the screen to save the whole set. You must do this again if you make any changes to the set – including deleting a rule. No changes to the set take place until this action is taken.
Confirm…” to save your configuration, or press [ESC] to cancel. Ordering Your Rules Ordering your rules is important because the ZyAIR applies the rules in the order that you specify. When a rule matches the current packet, the ZyAIR takes the corresponding action and the remaining rules are ignored.
In addition to the servers for specified services, NAT supports a default server. A service request that does not have a server explicitly designated for it is forwarded to the default server. If the default is not defined, the service request is simply discarded.
Menu 15.2 – Port Forwarding Setup Rule Start Port No. End Port No. IP Address --------------------------------------------------- Default Default 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 Press ENTER to Confirm or ESC to Cancel: Figure 23-8 Menu 15.2 Port Forwarding Setup...
Figure 23-9 NAT Example 1 Menu 4 - Internet Access Setup ISP's Name= ChangeMe Encapsulation= Ethernet Service Type= Standard My Login= N/A My Password= N/A Login Server= N/A IP Address Assignment= Dynamic IP Address= N/A...
23.4.2 Example 2: Internet Access with an Inside Server Figure 23-11 NAT Example 2 In this case, you do exactly as above (use the convenient pre-configured SUA Only set) and then go to menu 15.2 to specify the Inside Server behind the NAT as shown in the next figure.
23.4.3 Example 3: Multiple Public IP Addresses With Inside Servers In this example, there are 3 IGAs from our ISP. There are many departments but two have their own FTP server. All departments share the same router. The example will reserve one IGA for each department with an FTP server and all departments use the other IGA.
Step 1. In this case you need to configure Address Mapping Set 1 from Menu 15.1 - Address Mapping Sets. Therefore you must choose the Full Feature option from the Network Address Translation field (in menu 4 or menu 11.3) as shown in the figure below.
Step 6. Repeat the previous step for rules 2 to 4 as outlined above. Step 7. When finished, menu 15.1.1 should look as shown next. Menu 15.1.1 - Address Mapping Rules Set Name= Eample3...
23.4.4 Example 4: NAT Unfriendly Application Programs Some applications do not support NAT Mapping using TCP or UDP port address translation. In this case it is better to use Many One-to-One mapping as port numbers do not change for Many One-to-One (and One-to-One) NAT mapping types.
23.5 Trigger Port Setup The ZyAIR records the IP address of a LAN computer that requests a service that you have defined as a “trigger port”. The response from the Internet can then be forwarded directly to the LAN computer. Trigger ports are transient;...
2. Port 7070 is a “trigger” port and causes the ZyAIR to record Jane’s computer IP address. The ZyAIR associates Jane's computer IP address with the "incoming" port range of 6970-7170. 3. The Real Audio server responds using a port number ranging between 6970-7170.
7170 Trigger The trigger port is a port (or a range of ports) that causes (or triggers) the ZyAIR to record the IP address of the LAN computer that sent the traffic to a server on the WAN. Start Port Enter a port number or the starting port number in a range of port numbers.
SMT Advanced Management Menus Part X: SMT ADVANCED MANAGEMENT MENUS This part discusses Filtering and Firewall setup, SNMP, System Security, System Information and Diagnosis, Firmware and Configuration File Maintenance, System Maintenance and Information, Call Scheduling and Remote Management.
24.1 About Filtering Your ZyAIR uses filters to decide whether or not to allow passage of a data packet and/or to make a call. There are two types of filter applications: data filtering and call filtering. Filters are subdivided into device and protocol filters, which are discussed later.
Two sets of factory filter rules have been configured in menu 21 to prevent NetBIOS traffic from triggering calls. A summary of their filter rules is shown in the figures that follow. The following figure illustrates the logic flow when executing a filter rule.
24 rules active for a single port. For incoming packets, your ZyAIR applies data filters only. Packets are processed depending on whether a match is found. The following sections describe how to configure filter sets.
Menu 21.1.1 - Filter Rules Summary
# A Type Filter Rules                                 M m n
- - ---- -------------------------------------------- - - -
1 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=137         N D N
2 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=138...
24.2.1 Filter Rules Summary Menus The following tables briefly describe the abbreviations used in menus 21.1.x. Table 24-1 Abbreviations Used in the Filter Rules Summary Menu FIELD DESCRIPTION The filter rule number: 1 to 6.
Menu 21.1.1.1 - TCP/IP Filter Rule Filter #: 1,1 Filter Type= TCP/IP Filter Rule Active= Yes IP Protocol= 6 IP Source Route= No Destination: IP Addr= 0.0.0.0 IP Mask= 0.0.0.0 Port #= 137 Port # Comp= Equal Source: IP Addr= 0.0.0.0...
Table 24-3 Menu 21.1.1 TCP/IP Filter Rule FIELD DESCRIPTION EXAMPLE IP Addr Type the destination IP address of the packet you want to filter. This field is ignored if it is 0.0.0.0. IP Mask Type the IP mask to apply to the Destination: IP Addr field.
Table 24-3 Menu 21.1.1 TCP/IP Filter Rule FIELD DESCRIPTION EXAMPLE Action Matched Select the action for a matching packet. Choices are Check Next Rule, Forward or Drop. (Example: Check Next Rule (default)) Action Not Matched Select the action for a packet not matching the rule.
[Flowchart: Packet into IP Filter; Filter Active?; Apply SrcAddrMask to Src Addr; Check Src IP Addr (Matched / Not Matched); Apply DestAddrMask to Dest Addr; Check Dest IP Addr (Matched / Not Matched); Check IP Protocol (Matched / Not Matched); Check Src &...]
For IP, it is generally easier to use the IP rules directly. For generic rules, the ZyAIR treats a packet as a byte stream as opposed to an IP packet. You specify the portion of the packet to check with the Offset (from 0) and the Length fields, both in bytes. The ZyAIR applies the Mask (bit-wise ANDing) to the data portion before comparing the result against the Value to determine a match.
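The Offset/Length/Mask/Value test for generic rules and the Action Matched / Action Not Matched chain, worked through as an added Python example (not ZyNOS code and not part of the original guide). The frames and the two-rule set are constructed samples, and forwarding a packet that reaches the end of the set without a verdict is an assumption.

```python
"""Generic (device) filter matching: Offset, Length, Mask, Value.

Added illustration only; class and function names are hypothetical.
"""
from dataclasses import dataclass

FORWARD, DROP, CHECK_NEXT = "Forward", "Drop", "Check Next Rule"


@dataclass(frozen=True)
class GenericRule:
    offset: int                    # first byte to inspect, counted from 0
    length: int                    # number of bytes to inspect
    mask: bytes                    # bit-wise ANDed with the inspected bytes
    value: bytes                   # compared against the masked bytes
    matched: str = DROP            # Action Matched
    not_matched: str = CHECK_NEXT  # Action Not Matched
    active: bool = True

    def __post_init__(self):
        if len(self.mask) != self.length or len(self.value) != self.length:
            raise ValueError("Mask and Value must both be Length bytes long")
        # A Value bit that lies outside the Mask cannot survive the AND, so
        # the rule would silently never match. Reject it when it is defined.
        if bytes(v & m for v, m in zip(self.value, self.mask)) != self.value:
            raise ValueError("Value has bits outside Mask; rule can never match")

    def matches(self, frame: bytes) -> bool:
        window = frame[self.offset:self.offset + self.length]
        if len(window) < self.length:   # frame too short to hold the field
            return False
        return bytes(b & m for b, m in zip(window, self.mask)) == self.value


def evaluate(rules, frame, default=FORWARD):
    """Apply rules in order; the first Forward/Drop verdict ends the walk.

    `default` (used when every rule said Check Next Rule) is an assumption.
    """
    for rule in rules:
        if not rule.active:
            continue
        action = rule.matched if rule.matches(frame) else rule.not_matched
        if action != CHECK_NEXT:
            return action
    return default


def eth_frame(dst, src, ethertype, payload=b"\x00" * 46):
    """Build a constructed Ethernet frame from hex strings."""
    return (bytes.fromhex(dst) + bytes.fromhex(src)
            + bytes.fromhex(ethertype) + payload)


# Constructed filter set. Rule 1 drops EtherType 0x8137 (bytes 12-13).
# Rule 2 drops any frame whose destination MAC has the group bit set,
# which needs the mask: only bit 0 of byte 0 takes part in the comparison.
FILTER_SET = [
    GenericRule(12, 2, b"\xff\xff", b"\x81\x37", DROP, CHECK_NEXT),
    GenericRule(0, 1, b"\x01", b"\x01", DROP, FORWARD),
]

# Constructed sample frames (all addresses are made up).
SAMPLES = {
    "unicast_ipv4": eth_frame("00a0c5010203", "001122334455", "0800"),
    "unicast_ipx": eth_frame("00a0c5010203", "001122334455", "8137"),
    "broadcast_arp": eth_frame("ffffffffffff", "001122334455", "0806"),
    "runt": bytes.fromhex("00a0c5010203") + b"\x00\x11",  # 8 bytes only
}


def run_samples(rules=FILTER_SET):
    return {name: evaluate(rules, frame) for name, frame in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:14} {verdict}")
```

Reversing the two rules forwards the 0x8137 frame, because the group-bit rule's Action Not Matched is Forward and ends the walk before the EtherType rule is reached.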
NAT for outgoing packets and after NAT for incoming packets. On the other hand, the generic (or device) filters are applied to the raw packets that appear on the wire. They are applied at the point where the ZyAIR...
The following figure illustrates this. Figure 24-10 Protocol and Device Filter Sets 24.5 Example Filter Let’s look at an example to block outside users from telnetting into the ZyAIR. Figure 24-11 Sample Telnet Filter Step 1. Enter 1 in menu 21 to open Menu 21.1 – Filter Set Configuration.
Step 4. Press [ENTER] at the message “Press ENTER to confirm or ESC to cancel” to open Menu 21.1.3.1 – TCP/IP Filter Rule. Step 5. Type 1 to configure the first filter rule. Make the entries in this menu as shown next.
See earlier in this chapter for information on filters. Output Filter Sets: Apply filters for traffic leaving the ZyAIR. You may apply filter rules for protocol or device filters. See earlier in this section for information on types of filters.
24.6.1 Ethernet Traffic You seldom need to filter Ethernet traffic; however, the filter sets may be useful to block certain packets, reduce traffic and prevent security breaches. Go to menu 3.1 (shown next) and type the number(s) of the filter set(s) that you want to apply as appropriate.
By default, when the firewall is activated, all incoming traffic from the WAN to the LAN is blocked unless it is initiated from the LAN. The ZyAIR firewall supports TCP/UDP inspection, DoS detection and prevention, real time alerts, reports and logs.
Trusted Host: If you enter a trusted host, your ZyAIR will only respond to SNMP messages from this address. A blank (default) field means your ZyAIR will respond to all SNMP messages it receives, regardless of source. (Example: 0.0.0.0)
Table 25-1 Menu 22 SNMP Configuration FIELD DESCRIPTION EXAMPLE Community Type the trap community, which is the password sent with each trap to the SNMP manager. (Example: public) Destination Type the IP address of the station to send your SNMP traps to.
You should change the default password. If you forget your password you have to restore the default configuration file. Refer to the section on changing the system password in the Introducing the SMT chapter and the section on resetting the ZyAIR in the Introducing the Web Configurator chapter. 26.1.2 Configuring External RADIUS Server Enter 23 in the main menu to display Menu 23 –...
The key is not sent over the network. This key must be the same on the external authentication server and ZyAIR. Accounting Server Active: Press [SPACE BAR] to select Yes and press [ENTER] to enable user authentication through an external accounting server.
The IEEE802.1x standards outline enhanced security methods for both the authentication of wireless stations and encryption key management. Follow the steps below to enable EAP authentication on your ZyAIR. Step 1. From the main menu, enter 23 to display Menu 23 – System Security.
1800 seconds (or 30 minutes). Idle Timeout The ZyAIR automatically disconnects a client from the wired network after a period of inactivity. The client needs to enter the username and password again before access to the wired network is allowed.
ZyAIR cannot reach the RADIUS server, the ZyAIR then checks the local user database on the ZyAIR. When the user name is not found or password does not match in the RADIUS server, the ZyAIR will not check the local user database and the authentication fails.
The first selection, System Status gives you information on the status and statistics of the ports, as shown in the next figure. System Status is a tool that can be used to monitor your ZyAIR. Specifically, it gives you information on your LAN and wireless LAN status, number of packets sent and received.
Menu 24.1 - System Maintenance - Status 00:47:45 Sat. Jan. 01, 2000 Port Status TxPkts RxPkts Cols Tx B/s Rx B/s Up Time Down 0:00:00 100M/Full 1252 3200 0:47:43 WLAN 0:47:43 Port Ethernet Address...
Table 27-1 Menu 24.1 System Maintenance : Status FIELD DESCRIPTION System Up Time This is the time the ZyAIR is up and running from the last reboot. 27.2 System Information To get to the System Information: Step 1. Enter 24 to display Menu 24 – System Maintenance.
Press ENTER to Confirm or ESC to Cancel: Figure 27-5 Menu 24.2.2 System Maintenance : Change Console Port Speed After you changed the console port speed on your ZyAIR, you must also make the same change to the console port speed parameter of your communication software.
27.3 Log and Trace There are two logging facilities in the ZyAIR. The first is the error logs and trace records that are stored locally. The second is the UNIX syslog facility for message logging.
27.3.2 UNIX Syslog The ZyAIR uses the UNIX syslog facility to log the CDR (Call Detail Record) and system messages to a syslog server. Syslog can be configured in Menu 24.3.2 – System Maintenance – UNIX Syslog, as shown next.
Equivalent information is available in menu 24.1 in hexadecimal format. 27.4 Diagnostic The diagnostic facility allows you to test the different aspects of your ZyAIR to determine if it is working properly. Menu 24.4 allows you to choose among various types of diagnostic tests to evaluate your system, as shown in the following figure.
Table 27-4 Menu 24.4 System Maintenance : Diagnostic FIELD DESCRIPTION DHCP Renewal Get a new IP address from the DHCP server. Internet Setup Use this option to test your Internet connection. Test Reboot System Reboot the ZyAIR.
The following table is a summary. Please note that the internal filename refers to the filename on the ZyAIR and the external filename refers to the filename not on the ZyAIR, that is, on your computer, local network or FTP site and so the name (but not the extension) may vary. After uploading new firmware, see the ZyNOS F/W Version field in Menu 24.2.1 –...
Telnet. Option 5 from Menu 24 – System Maintenance allows you to back up the current ZyAIR configuration to your computer. Backup is highly recommended once your ZyAIR is functioning properly. FTP is the preferred method for backing up your current configuration to your computer since it is faster.
Enter “bin” to set transfer mode to binary. Step 6. Use “get” to transfer files from the ZyAIR to the computer, for example, “get rom-0 config.rom” transfers the configuration file on the ZyAIR to your computer and renames it “config.rom”. See earlier in this chapter for more information on filename conventions.
28.2.3 Example of FTP Commands from the Command Line
331 Enter PASS command
Password:
230 Logged in
ftp> bin
200 Type I OK
ftp> get rom-0 zyxel.rom
200 Port command okay
150 Opening data connection for STOR ras
226 File received OK
ftp: 16384 bytes sent in 1.10Seconds 297.89Kbytes/sec.
Note that the telnet connection must be active and the SMT in CI mode before and during the TFTP transfer. For details on TFTP commands (see following example), please consult the documentation of your TFTP client program. For UNIX, use “get” to transfer from the ZyAIR to the computer and “binary” to set binary transfer mode.
Enter the IP address of the ZyAIR. 192.168.1.1 is the ZyAIR’s default IP address when shipped. Send/Fetch Use “Send” to upload the file to the ZyAIR and “Fetch” to back up the file on your computer. Local File Enter the path and name of the firmware file (*.bin extension) or configuration file (*.rom extension) on your computer.
FTP is the preferred method for restoring your current computer configuration to your ZyAIR since FTP is faster. Please note that you must wait for the system to automatically restart after the file transfer is complete.
Find the “rom” file (on your computer) that you want to restore to your ZyAIR. Step 7. Use “put” to transfer files from the computer to the ZyAIR, for example, “put config.rom rom-0” transfers the configuration file “config.rom” on your computer to the ZyAIR. See earlier in this chapter for more information on filename conventions.
Figure 28-8 Restore Using FTP Session Example Refer to section 28.2.5 to read about configurations that disallow TFTP and FTP over WAN. 28.3.3 Restore Via Console Port (only for ZyAIR B-2000) Restore configuration via console port by following the HyperTerminal procedure shown next. Procedures using other serial communications programs should be similar.
FTP is the preferred method for uploading the firmware and configuration. To use this feature, your computer must have an FTP client. When you telnet into the ZyAIR, you will see the following screens for uploading firmware and the configuration file using FTP.
Menu 24.7.1 - System Maintenance - Upload System Firmware To upload the system firmware, follow the procedure below: 1. Launch the FTP client on your workstation. 2. Type "open" and the IP address of your system.
Enter “bin” to set transfer mode to binary. Step 6. Use “put” to transfer files from the computer to the ZyAIR, for example, “put firmware.bin ras” transfers the firmware on your computer (firmware.bin) to the ZyAIR and renames it “ras”.
The file name for the firmware is “ras”. Note that the telnet connection must be active and the ZyAIR in CI mode before and during the TFTP transfer. For details on TFTP commands (see following example), please consult the documentation of your TFTP client program.
Type the firmware file’s location, or click Browse to look for it. Choose the Xmodem protocol. Then click Send. Figure 28-17 Example Xmodem Upload After the firmware upload process has completed, the ZyAIR will automatically restart.
28.4.10 Uploading Configuration File Via Console Port (only for ZyAIR B-2000) Step 1. Select 2 from Menu 24.7 – System Maintenance – Upload Firmware to display Menu 24.7.2 – System Maintenance – Upload System Configuration File. Follow the instructions as shown in the next screen.
Type the configuration file’s location, or click Browse to search for it. Choose the Xmodem protocol. Then click Send. Figure 28-19 Example Xmodem Upload After the configuration upload process has completed, restart the ZyAIR by entering “atgo”.
Command Interpreter Mode Call Control 10. Time and Date Setting 11. Remote Management Setup Enter Menu Selection Number: Figure 29-1 Menu 24 System Maintenance Copyright (c) 1994 - 2003 ZyXEL Communications Corp. ras> ? Valid commands are: exit device ether...
Encapsulation is set to PPPoE or PPTP in menu 4 or menu 11.1. The budget management function allows you to set a limit on the total outgoing call time of the ZyAIR within certain times. When the total outgoing call time exceeds the limit, the current call will be dropped and any future outgoing calls will be blocked.
After each period, the total budget is reset. The default for the total budget is 0 minutes and the period is 0 hours, meaning no budget control. You can reset the accumulated connection time in this menu by entering the index of a remote node.
Enter the time service protocol that your time server sends when you turn on the ZyAIR. Not all time servers support all protocols, so you may have to check with your ISP/network administrator or use trial and error to find a protocol that works.
You can configure your ZyAIR for remote Telnet access as shown next. Figure 30-1 Telnet Configuration on a TCP/IP Network 30.2 FTP You can upload and download ZyAIR firmware and configuration files using FTP. To use this feature, your computer must have an FTP client. 30.3 Web You can use the ZyAIR’s embedded web configurator for configuration and file management.
Remote management setup is for managing Telnet, FTP and Web services. You can customize the service port, access interface and the secured client IP address to enhance security and flexibility. You may manage your ZyAIR from a remote location via: the Internet (WAN only), the LAN only, All (LAN and WAN) or Disable (neither).
The default 0.0.0.0 allows any client to use this service to remotely manage the ZyAIR. Enter an IP address to restrict access to a client with a matching IP address. (Example: 0.0.0.0) Once you have filled in this menu, press [ENTER] at the message "Press ENTER to Confirm or ESC to Cancel"...
Use the ZyAIR’s LAN IP address when configuring from the LAN. 30.6 System Timeout There is a system timeout of five minutes (300 seconds) for Telnet/web/FTP connections. Your ZyAIR will automatically log you out if you do nothing in this timeout period, except when it is continuously updating the status in menu 24.1 or when sys stdio has been changed on the command line.
1, 2, 3 and 4 are applied in the remote node then set 1 will take precedence over set 2, 3 and 4 as the ZyAIR, by default, applies the lowest numbered set first. Set 2 will take precedence over set 3 and 4, and so on.
Figure 31-2 Menu 26.1 Schedule Set Setup If a connection has been already established, your ZyAIR will not drop it. Once the connection is dropped manually or it times out, then that remote node can't be triggered up until the end of the Duration.
Table 31-1 Menu 26.1 Schedule Set Setup FIELD DESCRIPTION EXAMPLE Once: Date If you selected Once in the How Often field above, then enter the date the set should activate here in year-month-date format. (Example: 2000-01-01)
Menu 11.1 - Remote Node Profile Rem Node Name= ChangeMe Route= IP Active= Yes Encapsulation= PPTP Edit IP= No Service Type= Standard Telco Option: Service Name= N/A Allocated Budget(min)= 0 Outgoing: Period(hr)= 0 Apply your schedule sets...
Appendices Part XI: APPENDICES This part contains troubleshooting and additional background information on setting up your computer’s IP address, wireless LAN, 802.1x, PPPoE, PPTP and IP subnetting. It also provides information on the command interpreter interface, NetBIOS commands and logs.
Use the RESET button on the side panel of the ZyAIR to restore the factory default configuration file (hold this button in for more than five seconds). This will restore all of the factory defaults including the password.
Check for faulty Ethernet cables. Make sure the computer’s Ethernet adapter is installed and working properly. Verify that the IP addresses and the subnet masks of the ZyAIR and the computer are on the same subnet. I cannot ping any If all of the LAN LEDs on the front panel are off, check the Ethernet cable connection between your ZyAIR and the computer connected to the LAN port.
Internet Access chapter (SMT). Make sure you entered the correct user name and password. For wireless stations, check that both the ZyAIR and wireless station(s) are using the same ESSID, channel and WEP keys (if WEP encryption is activated). Internet connection If you use PPTP or PPPoE encapsulation, check the idle time-out setting.
Chart A-7 Troubleshooting the WLAN Interface PROBLEM CORRECTIVE ACTION I cannot ping any Make sure the wireless card is properly inserted in the ZyAIR and the WLAN LED is computer on the WLAN. Make sure the wireless adapter on the wireless station is working properly.
Appendix B Brute-Force Password Guessing Protection The following describes the commands for enabling, disabling and configuring the brute-force password guessing protection mechanism for the password. See the Command Interpreter appendix for information on the command structure.
"communicate" with your network. If you manually assign IP information instead of using dynamic assignment, make sure that your computers have IP addresses that place them in the same subnet as the ZyAIR's LAN port. Windows 95/98/Me Click Start, Settings, Control Panel and double-click the Network icon to open the Network window.
If you need the adapter: In the Network window, click Add. Select Adapter and then click Add. Select the manufacturer and model of your network adapter and then click OK. If you need TCP/IP: In the Network window, click Add.
Click the IP Address tab. -If your IP address is dynamic, select Obtain an IP address automatically. -If you have a static IP address, select Specify an IP address and type your information into the IP Address and Subnet Mask fields.
Click OK to save and close the TCP/IP Properties window. Click OK to close the Network window. Insert the Windows CD if prompted. Turn on your ZyAIR and restart your computer when prompted. Verifying Your Computer’s IP Address Click Start and then Run.
For Windows XP, click start, Control Panel. In Windows 2000/NT, click Start, Settings, Control Panel. For Windows XP, click Network Right-click Local Area Connection and Connections. For Windows 2000/NT, click then click Properties. Network and Dial-up Connections.
Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and click Properties. The Internet Protocol TCP/IP Properties window opens (the General tab in Windows XP). -If you have a dynamic IP address click Obtain an IP address automatically.
-If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK. Do one or more of the following if you want to configure additional IP addresses: -In the IP Settings tab, in IP addresses, click Add.
Click OK to close the Internet Protocol (TCP/IP) Properties window. Click OK to close the Local Area Connection Properties window. 10. Turn on your ZyAIR and restart your computer (if prompted). Verifying Your Computer’s IP Address Click Start, All Programs, Accessories and then Command Prompt.
Click the Apple menu, Control Panel and double-click TCP/IP to open the TCP/IP Control Panel. Select Ethernet built-in from the Connect via list. For dynamically assigned settings, select Using DHCP Server from the Configure: list.
-Type your IP address in the IP Address box. -Type your subnet mask in the Subnet mask box. -Type the IP address of your ZyAIR in the Router address box. Close the TCP/IP Control Panel. Click Save if prompted, to save changes to your configuration.
-Type your IP address in the IP Address box. -Type your subnet mask in the Subnet mask box. -Type the IP address of your ZyAIR in the Router address box. Click Apply Now and close the window. Turn on your ZyAIR and restart your computer (if prompted).
Appendix D Wireless LAN and IEEE 802.11 A wireless LAN (WLAN) provides a flexible data communications system that you can use to access various services (navigating the Internet, email, printer services, etc.) without the use of a cabled connection.
Spread Spectrum (DSSS) and Frequency-Hopping Spread Spectrum (FHSS), in the 2.4 to 2.4825 GHz unlicensed ISM (Industrial, Scientific and Medical) band. The third method is infrared technology, using very high frequencies, just below visible light in the electromagnetic spectrum to carry data.
points can provide wireless coverage for an entire building or campus. All communications between stations or between a station and a wired network client go through the access point. The Extended Service Set (ESS) shown in the next figure consists of a series of overlapping BSSs (each containing an Access Point) connected together by means of a Distribution System (DS).
Appendix E Wireless LAN With IEEE 802.1x As wireless networks become popular for both portable computing and corporate networks, security is now a priority. Security Flaws with IEEE 802.11 Wireless networks based on the original IEEE 802.11 have a poor reputation for safety. The IEEE 802.11b wireless access standard, first published in 1999, was based on the MAC address.
RADIUS Server Authentication Sequence The following figure depicts a typical wireless network with a remote RADIUS server for user authentication using EAPOL (EAP Over LAN). Client computer access authorized. Client computer access not authorized.
Appendix F Types of EAP Authentication This appendix discusses the four popular EAP authentication types: EAP-MD5, EAP-TLS, EAP-TTLS and PEAP. The type of authentication you use depends on the RADIUS server or the AP. Consult your network administrator for more information.
hiding client identity. However, PEAP only supports EAP methods, such as EAP-MD5 and EAP-MSCHAPv2, for client authentication. For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption. They are often deployed in corporate environments, but for public deployment, a simple user name and password pair is more practical.
Appendix G Antenna Selection and Positioning Recommendation
An antenna couples RF signals onto air. A transmitter within a wireless device sends an RF signal to the antenna, which propagates the signal through the air. The antenna also operates in reverse by capturing RF signals from the air.
For directional antennas, point the antenna in the direction of the desired coverage area.
Connector Type
The ZyAIR is equipped with a reverse polarity SMA jack, so it will work with any 2.4 GHz wireless antenna with a reverse polarity SMA plug.
Appendix H PPPoE
PPPoE in Action
An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your PC to an ATM PVC (Permanent Virtual Circuit), which connects to a DSL Access Concentrator where the PPP session terminates (see the next figure).
ZyAIR as a PPPoE Client
When using the ZyAIR as a PPPoE client, the PCs on the LAN see only Ethernet and are not aware of PPPoE. This relieves the administrator from having to manage the PPPoE clients on the individual PCs.
NT clients to an NT server in a remote location. The pass-through feature allows users on the network to access a different remote server using the ZyAIR's Internet connection. In NAT mode, the ZyAIR is able to pass the PPTP packets to the internal PPTP server (i.e. NT server) behind the NAT. Users need to forward PPTP packets to port 1723 by configuring the server in Menu 15.2 - Server Set Setup.
Microsoft includes PPTP as a part of the Windows OS. In Microsoft’s implementation, the PC, and hence the ZyAIR, is the PNS that requests the PAC (the ANT) to place an outgoing call over AAL5 to an RFC 2364 server.
Diagram I-3 Example Message Exchange between PC and an ANT
PPP Data Connection
The PPP frames are tunneled between the PNS and PAC over GRE (General Routing Encapsulation, RFC 1701, 1702). The individual calls within a tunnel are distinguished using the Call ID field in the GRE header.
Appendix J IP Subnetting
IP Addressing
Routers “route” based on the network number. The router that delivers the data packet to the correct destination host uses the host ID.
IP Classes
An IP address is made up of four octets (eight bits), written in dotted decimal notation, for example, 192.168.1.1.
A class “A” address (24 host bits) can have 2^24 – 2 hosts (approximately 16 million hosts). Since the first octet of a class “A” IP address must contain a “0”, the first octet of a class “A” address can have a value of 0 to 127.
sequence of ones beginning from the leftmost bit of the mask, followed by a continuous sequence of zeros, for a total number of 32 bits. Since the mask is always a continuous number of ones beginning from the left, followed by a continuous number of zeros for the remainder of the 32-bit mask, you can simply specify the number of ones instead of writing the value of each octet.
Divide the network 192.168.1.0 into two separate subnets by converting one of the host ID bits of the IP address to a network number bit. The “borrowed” host ID bit can be either “0” or “1” thus giving two subnets;...
to an actual host for the first subnet is 192.168.1.1 and the highest is 192.168.1.126. Similarly the host ID range for the second subnet is 192.168.1.129 to 192.168.1.254.
Example: Four Subnets
The above example illustrated using a 25-bit subnet mask to divide a class “C” address space into two subnets.
Chart J-12 Class C Subnet Planning
NO. “BORROWED” HOST BITS / SUBNET MASK / NO. SUBNETS / NO. HOSTS PER SUBNET
255.255.255.128 (/25)
255.255.255.192 (/26)
255.255.255.224 (/27)
255.255.255.240 (/28)
255.255.255.248 (/29)
255.255.255.252 (/30)
255.255.255.254 (/31)
Subnetting With Class A and Class B Networks.
Appendix K Command Interpreter
The following describes how to use the command interpreter. Enter 24 in the main menu to bring up the system maintenance menu. Enter 8 to go to Menu 24.8 - Command Interpreter Mode. See the included disk or zyxel.com for more detailed information on these commands.
Allow or disallow NetBIOS packets to initiate calls.
Display NetBIOS Filter Settings
Syntax: sys filter netbios disp
This command gives a read-only list of the current NetBIOS filter modes for a ZyAIR.
=============== NetBIOS Filter Status ===============
LAN to WAN: Forward...
Chart L-1 NetBIOS Filter Default Settings
NAME / DESCRIPTION / EXAMPLE
WAN to LAN / This field displays whether NetBIOS packets are blocked or forwarded from the WAN to the LAN. / Forward
IPSec / This field displays whether NetBIOS packets sent through a VPN...
The BootModule AT commands execute from within the router’s bootup software, when debug mode is selected before the main router firmware (ZyNOS) is started. When you start up your ZyAIR, you are given a choice to go into debug mode by pressing a key at the prompt shown in the following screen. In debug...
just answer OK
ATHE          print help
ATBAx         change baudrate. 1:38.4k, 2:19.2k, 3:9.6k 4:57.6k 5:115.2k
ATENx,(y)     set BootExtension Debug Flag (y=password)
ATSE          show the seed of password generator
ATTI(h,m,s)   change system time to hour:min:sec or show current time...
Appendix N Log Descriptions
Chart N-1 System Error Logs
LOG MESSAGE / DESCRIPTION
%s exceeds the max. / This attempt to create a NAT session exceeds the maximum number of NAT session table entries allowed to be created per host.
Chart N-2 System Maintenance Logs
LOG MESSAGE / DESCRIPTION
FTP Login Successfully / Someone has logged on to the router via FTP.
FTP Login Fail / Someone has failed to log on to the router via FTP.
Chart N-4 ICMP Notes
TYPE / CODE / DESCRIPTION
A gateway may discard internet datagrams if it does not have the buffer space needed to queue the datagrams for output to the next network on the route to the destination network.
Use the sys logs clear command to erase all of the ZyAIR’s logs.
Log Command Example
This example shows how to set the ZyAIR to record the error logs and alerts and then view the results.
ras> sys logs load
ras>...
Appendix O Power Adaptor Specifications
NORTH AMERICAN PLUG STANDARDS
AC Power Adaptor Model: AD48-1201200DUY
Input Power: AC120Volts/60Hz/0.25A
Output Power: DC12Volts/1.2A
Power Consumption: 10 W
Safety Standards: UL, CUL (UL 1950, CSA C22.2 No.234-M90)
NORTH AMERICAN PLUG STANDARDS...
JAPAN PLUG STANDARDS
AC Power Adaptor Model: JOD-48-1124
Input Power: AC100Volts/ 50/60Hz/ 27VA
Output Power: DC12Volts/1.2A
Power Consumption: 10 W
Safety Standards: T-Mark (Japan Dentori)
AUSTRALIA AND NEW ZEALAND PLUG STANDARDS
AC Power Adaptor Model...