Instruction/ maintenance manual of the product P-661HW ZyXEL Communications
P-661H/HW Series 802.11g Wireless ADSL2+ 4-port Security Gateway User’s Guide, Version 3.40, Edition 1, 5/2006.
Copyright
Copyright © 2006 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcr.
Certifications
Federal Communications Commission (FCC) Interference Statement
This device complies with Part 15 of FCC rules. Operation is subject to the following two conditions:
• This device may not cause harmful interference.
Safety Warnings
For your safety, be sure to read and follow all warning notices and instructions.
• Do NOT open the device or unit. Opening or removing covers can expose you to dangerous high voltage points or other risks.
ZyXEL Limited Warranty
ZyXEL warrants to the original end user (purchaser) that this product is free from any defects in materials or workmanship for a period of up to two years from the date of purchase.
Customer Support
Please have the following information ready when you contact customer support.
• Product model and serial number.
• Warranty Information.
• Date that you received your device.
POLAND: info@pl.zyxel.com, +48-22-5286603, www.pl.zyxel.com, ZyXEL Communications, ul.Emilli Plater 53, 00-113 Warszawa, Poland, +48-22-5206701
RUSSIA: http://zyxel.ru/support, +7-095-542-89-29, www.zyxel.ru, ZyXEL Russia, Ostrovityanova 37a Str.
Preface
Congratulations on your purchase of the ZyXEL Device series ADSL 2+ gateway. The ZyXEL Device has a 4-port switch that allows you to connect up to 4 computers to the ZyXEL Device without purchasing a switch/hub.
User Guide Feedback
Help us help you. E-mail all User Guide-related comments, questions or suggestions for improvement to techwriters@zyxel.com.tw or send regular mail to The Technical Writing Team, ZyXEL Communications Corp.
CHAPTER 1 Getting To Know Your ZyXEL Device
This chapter describes the key features and applications of your ZyXEL Device.
1.2 Features
High Speed Internet Access
Your ZyXEL Device ADSL/ADSL2/ADSL2+ router can support downstream transmission rates of up to 24Mbps and upstream transmission rates of 3.
Media Bandwidth Management
ZyXEL’s Media Bandwidth Management allows you to specify bandwidth classes based on an application and/or subnet. You can allocate specific amounts of bandwidth capacity (bandwidth budgets) to different bandwidth classes.
IP Alias
IP Alias allows you to partition a physical network into logical networks over the same Ethernet interface.
Both WPA and WPA2 improve data encryption by using Temporal Key Integrity Protocol (TKIP), Message Integrity Check (MIC) and IEEE 802.
Figure 1 Protected Internet Access Applications
1.3.2 LAN to LAN Application
You can use the ZyXEL Device to connect two geographically dispersed networks over the ADSL line.
The following table describes the LEDs.
1.5 Hardware Connection
Refer to the Quick Start Guide for information on hardware connection.
1.6 Splitters and Microfilters
This section describes how to connect ADSL splitters and microfilters.
1.6.1 Connecting a POTS Splitter
When you use the Full Rate (G.dmt) ADSL standard, you can use a POTS (Plain Old Telephone Service) splitter to separate the telephone and ADSL signals.
Figure 5 Connecting a Microfilter
CHAPTER 2 Introducing the Web Configurator
This chapter describes how to access and navigate the web configurator.
status only. Click Login to proceed to a screen asking you to change your password or click Cancel to revert to the default password.
Figure 6 Password Screen
6 If you entered the user password, skip the next two steps and refer to Section 2.
Figure 8 Select a Mode
Note: The management session automatically times out when the time period set in the Administrator Inactivity Timer field expires (default five minutes).
Figure 9 Web Configurator: Main Screen
Note: Click the icon (located in the top right corner of most screens) to view embedded help.
LAN IP: Use this screen to configure LAN TCP/IP settings, enable Any IP and other advanced properties.
VPN Setup: Use this screen to configure each VPN tunnel.
Monitor: Use this screen to look at the current status of each VPN tunnel.
VPN Global Setting: Use this screen to allow NetBIOS traffic through VPN tunnels.
2.4.2 Status Screen
The following summarizes how to navigate the web configurator from the Status screen. Some fields or links are not available if you entered the user password in the login password screen (see Figure 6 on page 46).
Default Gateway: This is the IP address of the default gateway, if applicable.
VPI/VCI: This is the Virtual Path Identifier and Virtual Channel Identifier that you entered in the Wizard or WAN screen.
2.4.3 Status: Any IP Table
Click the Any IP Table hyperlink in the Status screen.
2.4.4 Status: WLAN Status (Wireless devices only)
Click WLAN Status in the Status screen to open this screen. Use this screen to view the wireless stations that are currently associated to the ZyXEL Device.
Figure 13 Status: VPN Status
The following table describes the labels in this screen.
2.4.6 Status: Bandwidth Status
Select the Bandwidth Status hyperlink in the Status screen.
2.4.7 Status: Packet Statistics
Click the Packet Statistics hyperlink in the Status screen. Read-only information here includes port status and packet specific statistics.
2.4.8 Changing Login Password
It is highly recommended that you periodically change the password for accessing the ZyXEL Device.
Figure 16 System General
The following table describes the fields in this screen.
Table 9 System General: Password
LABEL: DESCRIPTION
Old Password: Type the default password or the existing password you use to access the system in this field.
CHAPTER 3 Wizards
Use these screens to configure Internet access or to configure basic bandwidth management.
3.1 Internet Setup Wizard
Use these screens to configure Internet access and wireless network settings (wireless devices only). To access this wizard, click INTERNET/WIRELESS SETUP in the wizard main screen.
3.1.2 Manual Configuration
The ZyXEL Device detected the DSL connection but not the Internet settings. You should specify the Internet settings manually.
3.1.2.1 Screen 1
Figure 20 Internet Setup Wizard: Manual Configuration
Click Back to return to the wizard main screen.
The following table describes the fields in this screen.
3.1.2.3 Screen 3
These screens let you enter the rest of the Internet settings, which depend on the encapsulation your Internet connection uses (and the mode you selected, for RFC1483).
The following table describes the fields in this screen.
This screen appears if your Internet connection uses PPPoE encapsulation.
The following table describes the fields in this screen.
This screen appears if your Internet connection uses RFC1483 encapsulation in routing mode.
Figure 24 Internet Setup Wizard: ISP Parameters (RFC1483 + Routing Mode)
The following table describes the fields in this screen.
Figure 25 Internet Setup Wizard: ISP Parameters (PPPoA)
The following table describes the fields in this screen.
No additional screen appears if your Internet connection uses RFC1483 encapsulation in bridge mode.
Figure 26 Internet Setup Wizard: No DSL Connection
Click Restart the Internet/Wireless Setup Wizard to return to the wizard main screen.
Figure 28 Wireless LAN Setup Wizard 1
The following table describes the labels in this screen.
3 Configure your wireless settings in this screen. Click Next.
Table 16 Wireless LAN Setup Wizard 1
LABEL: DESCRIPTION
Active: Select the check box to turn on the wireless LAN.
Figure 29 Wireless LAN Setup Wizard 2
The following table describes the labels in this screen.
Table 17 Wireless LAN Setup Wizard 2
LABEL: DESCRIPTION
Network Name(SSID): Enter a descriptive name (up to 32 printable 7-bit ASCII characters) for the wireless LAN.
Note: The wireless stations and ZyXEL Device must use the same SSID, channel ID and WEP encryption key (if WEP is enabled), WPA-PSK (if WPA-PSK is enabled) for wireless communication.
4 This screen varies depending on the security mode you selected in the previous screen.
Figure 31 Manually assign a WEP key
The following table describes the labels in this screen.
5 Click Apply to save your wireless LAN settings.
Table 19 Manually assign a WEP key
LABEL: DESCRIPTION
Key: The WEP keys are used to encrypt data.
Figure 32 Wireless LAN Setup: Apply
Figure 33 Internet Setup Wizard: Summary Screen
6 Use the read-only summary table to check whether what you have configured is correct. Click Finish to complete and save the wizard setup.
Launch your web browser and navigate to www.zyxel.com. Internet access is just the beginning. Refer to the rest of this guide for more detailed information on the complete range of ZyXEL Device features.
To access this wizard, open the web configurator (see Section 2.2 on page 45) and click BANDWIDTH MANAGEMENT SETUP in the wizard main screen.
3.3.1 Screen 1
Activate bandwidth management and select to allocate bandwidth to packets based on the services.
The following fields describe the label in this screen.
3.3.2 Screen 2
Use the second wizard screen to select the services that you want to apply bandwidth management, and select the priorities that you want to apply to the services listed.
The following table describes the labels in this screen.
3.3.3 Screen 3
Follow the on-screen instructions and click Finish to complete the wizard setup and save your configuration.
CHAPTER 4 WAN Setup
This chapter describes how to configure WAN settings.
4.1 WAN Overview
A WAN (Wide Area Network) is an outside connection to another network or the Internet.
4.1.1 Encapsulation
Be sure to use the encapsulation method required by your ISP.
By implementing PPPoE directly on the ZyXEL Device (rather than individual computers), the computers on the LAN do not need PPPoE software installed, since the ZyXEL Device does that part of the task.
4.1.4 IP Address Assignment
A static IP is a fixed IP that your ISP gives you. A dynamic IP is not fixed; the ISP assigns you a different one each time. The Single User Account feature can be enabled or disabled if you have either a dynamic or static IP.
4.2 Metric
The metric represents the "cost of transmission". A router determines the best route for transmission by choosing a path with the lowest "cost".
Maximum Burst Size (MBS) is the maximum number of cells that can be sent at the PCR. After MBS is reached, cell rates fall below SCR until cell rate averages to the SCR again. At this time, more cells (up to the MBS) can be sent at the PCR again.
The VBR-nRT (non real-time Variable Bit Rate) type is used with bursty connections that do not require closely controlled delay and delay variation. It is commonly used for "bursty" traffic typical on LANs.
Figure 38 Internet Connection (PPPoE)
The following table describes the labels in this screen.
Table 24 Internet Connection
LABEL: DESCRIPTION
General
Name: Enter the name of your Internet Service Provider, e.
4.5.1 Configuring Advanced Internet Connection
To edit your ZyXEL Device's advanced WAN settings, click the Advanced Setup button in the Internet Connection screen. The screen appears as shown.
Figure 39 Advanced Internet Connection
The following table describes the labels in this screen.
Table 25 Advanced Internet Connection
LABEL DESC.
4.6 Configuring More Connections
This section describes the protocol-independent parameters for a remote network. They are required for placing calls to a remote gateway and the network behind it across a WAN connection.
Figure 40 More Connections
The following table describes the labels in this screen.
4.6.1 More Connections Edit
Click the edit icon in the More Connections screen to configure a connection.
Table 26 More Connections
LABEL: DESCRIPTION
#: This is the index number of a connection.
Figure 41 More Connections Edit
The following table describes the labels in this screen.
Table 27 More Connections Edit
LABEL: DESCRIPTION
Active: Select the check box to activate or clear the check box to deactivate this connection.
User Name (PPPoA and PPPoE encapsulation only): Enter the user name exactly as your ISP assigned. If assigned a name in the form user@domain where domain identifies a service name, then enter both components exactly as given.
4.6.2 Configuring More Connections Advanced Setup
To edit your ZyXEL Device's advanced WAN settings, click the Advanced Setup button in the More Connections Edit screen. The screen appears as shown.
4.7 Traffic Redirect
Traffic redirect forwards traffic to a backup gateway when the ZyXEL Device cannot connect to the Internet.
Figure 44 Traffic Redirect LAN Setup
4.8 Configuring WAN Backup
To change your ZyXEL Device’s WAN backup settings, click WAN > WAN Backup Setup.
Figure 45 WAN Backup Setup
The following table describes the labels in this screen.
Table 29 WAN Backup Setup
LABEL: DESCRIPTION
Backup Type: Select the method that the ZyXEL Device uses to check the DSL connection.
Traffic Redirect: Traffic redirect forwards traffic to a backup gateway when the ZyXEL Device cannot connect to the Internet.
Active Traffic Redirect: Select this check box to have the ZyXEL Device use traffic redirect if the normal WAN connection goes down.
CHAPTER 5 LAN Setup
This chapter describes how to configure LAN settings.
5.1 LAN Overview
A Local Area Network (LAN) is a shared communication system to which many computers are attached.
5.1.2 DHCP Setup
DHCP (Dynamic Host Configuration Protocol, RFC 2131 and RFC 2132) allows individual clients to obtain TCP/IP configuration at start-up from a server. You can configure the ZyXEL Device as a DHCP server or disable it.
5.1.4 DNS Server Address Assignment
Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa. The DNS server is extremely important because without it, you must know the IP address of a computer before you can access it.
5.2.1.1 Private IP Addresses
Every machine on the Internet must have a unique address. If your networks are isolated from the Internet, for example, only between your two branch offices, you can assign any IP addresses to the hosts without problems.
5.2.3 Multicast
Traditionally, IP packets are transmitted in one of either two ways - Unicast (1 sender - 1 recipient) or Broadcast (1 sender - everybody on the network). Multicast delivers IP packets to a group of hosts on the network - not everybody and not just 1.
Figure 47 Any IP Example
The Any IP feature does not apply to a computer using either a dynamic IP address or a static IP address that is in the same subnet as the ZyXEL Device’s IP address.
5.3 Configuring LAN IP
Click LAN to open the IP screen. See Section 5.1 on page 95 for background information.
Figure 49 Advanced LAN Setup
The following table describes the labels in this screen.
Table 31 Advanced LAN Setup
LABEL: DESCRIPTION
RIP & M.
5.4 DHCP Setup
Use this screen to configure the DNS server information that the ZyXEL Device sends to the DHCP client devices on the LAN.
The following table describes the labels in this screen.
5.5 LAN Client List
This table allows you to assign IP addresses on the LAN to specific individual computers based on their MAC Addresses.
Figure 51 LAN Client List
The following table describes the labels in this screen.
Table 33 LAN Client List
LABEL: DESCRIPTION
IP Address: Enter the IP address that you want to assign to the computer on your LAN with the MAC address specified below.
5.6 LAN IP Alias
IP alias allows you to partition a physical network into different logical networks over the same Ethernet interface.
The following table describes the labels in this screen.
Table 34 LAN IP Alias
LABEL: DESCRIPTION
IP Alias 1, 2: Select the check box to configure another LAN network for the ZyXEL Device.
IP Address: Enter the IP address of your ZyXEL Device in dotted decimal notation.
CHAPTER 6 Wireless LAN
This chapter discusses how to configure the wireless network settings in your device (wireless devices only). See the appendices for more detailed information about wireless networks.
• Every device in the same wireless network must use security compatible with the ZyXEL Device. Security stops unauthorized devices from using the wireless network. It can also protect the information that is sent in the wireless network.
For wireless networks, user names and passwords can be stored in a RADIUS server. This is a server used in businesses more than in homes. If you do not have a RADIUS server, you cannot set up user names and passwords for your users.
When you select WPA2 or WPA2-PSK in your ZyXEL Device, you can also select an option (WPA compatible) to support WPA as well.
Figure 54 Wireless LAN: General
The following table describes the general wireless LAN labels in this screen.
6.4.1 No Security
Select No Security to allow wireless clients to communicate with the access points without any data encryption.
Note: If you do not enable any wireless security on your ZyXEL Device, your network is accessible to any wireless networking device that is within range.
Figure 56 Wireless: Static WEP Encryption
The following table describes the wireless LAN security labels in this screen.
6.4.3 WPA-PSK/WPA2-PSK
In order to configure and enable WPA(2)-PSK authentication; click Network > Wireless LAN to display the General screen.
Figure 57 Wireless: WPA-PSK/WPA2-PSK
The following table describes the wireless LAN security labels in this screen.
Table 39 Wireless: WPA-PSK/WPA2-PSK
LABEL: DESCRIPTION
Security Mode: Choose WPA-PSK or WPA2-PSK from the drop-down list box.
6.4.4 WPA/WPA2
In order to configure and enable WPA/WPA2; click the Wireless LAN link under Network to display the General screen.
The following table describes the wireless LAN security labels in this screen.
Table 40 Wireless: WPA/WPA2
LABEL: DESCRIPTION
WPA Compatible: This check box is available only when you select WPA2-PSK or WPA2 in the Security Mode field.
6.4.5 Wireless LAN Advanced Setup
To configure advanced wireless settings, click the Advanced Setup button in the General screen. The screen appears as shown.
Figure 59 Wireless LAN: Advanced
The following table describes the labels in this screen.
6.5 OTIST
In a wireless network, the wireless clients must have the same SSID and security settings as the access point (AP) or wireless router (we will refer to both as “AP” here) in order to associate with it.
Note: The AP and wireless client(s) MUST use the same Setup key.
6.5.1.1 AP
You can enable OTIST using the RESET button or the web configurator.
The following table describes the labels in this screen.
6.5.1.2 Wireless Client
On your wireless client, start the ZyXEL utility and click the Adapter tab. Select the OTIST check box, enter the same Setup Key as your AP’s and click Save.
6.5.2 Starting OTIST
Note: You must click Start in the AP OTIST web configurator screen and in the wireless client(s) Adapter screen all within three minutes (at the time of writing).
Figure 66 Start OTIST?
2 If an OTIST-enabled wireless client loses its wireless connection for more than ten seconds, it will search for an OTIST-enabled AP for up to one minute.
P-661H/HW Series User’s Guide Chapter 6 Wireless LAN 125 Figure 67 MAC Addres s Filter The following table describes the labels in this menu. Table 43 MAC Address F ilter LABEL DESCRIPTION Active MAC Filter Select the check box to enable MAC ad dress filtering.
P-661H/HW Series User’s Guide 126 Chapter 6 Wireless LAN 6.7 WMM QoS WMM (W i-Fi MultiMedia) QoS (Quality of Service) allows you to prioritize wireless traf fic according to the delivery requirements of individual services. WMM is a part of the IEEE 802.
P-661H/HW Series User’s Guide Chapter 6 Wireless LAN 127 6.7.3 Services The commonly used services and port numbers ar e shown in the following table. Please refer to RFC 1700 for further information about port numbers. Next to the name of the service, two fields appear in brackets.
P-661H/HW Series User’s Guide 128 Chapter 6 Wireless LAN 6.8 QoS Screen The QoS screen by default allows you to au tomatically give a service a priority level according to the T oS value in the IP header of the packets it sends.
P-661H/HW Series User’s Guide Chapter 6 Wireless LAN 129 6.8.1 T oS (T ype of Service) and WMM QoS T oS defines the DS (Differentiated Service) fiel d in the IP packet header . The T oS value of outgoing packe ts is between 0 and 255. 0 is the lowest priority .
P-661H/HW Series User’s Guide 130 Chapter 6 Wireless LAN 6.8.2 Application Priority Configuration To edit a WMM QoS application entry, click the edit icon under Modify. The following screen displays. Figure 69 Application Priority Configuration The following table describes the fields in this screen.
P-661H/HW Series User’s Guide Chapter 6 Wireless LAN 131 Service The following is a description of the applications you can prioritize with WMM QoS. Select a service from the drop-down list box. • FTP File Transfer Program enables fast transfer of files, including large files that may not be possible by e-mail.
P-661H/HW Series User’s Guide Chapter 7 Network Address Translation (NAT) Screens 133 CHAPTER 7 Network Address Translation (NAT) Screens This chapter discusses how to configure NAT on the ZyXEL Device.
P-661H/HW Series User’s Guide 134 Chapter 7 Network Address Translation (NAT) Screens 7.1.2 What NAT Does In the simplest form, NAT changes the source IP address in a packet received from a subscriber (the inside local address) to another (the inside global address) before forwarding the packet to the WAN side.
P-661H/HW Series User’s Guide Chapter 7 Network Address Translation (NAT) Screens 135 7.1.4 NAT Application The following figure illustrates a possible NAT application, where three inside LANs (logical LANs using IP Alias) behind the ZyXEL Device can communicate with three distinct WAN networks.
P-661H/HW Series User’s Guide 136 Chapter 7 Network Address Translation (NAT) Screens Port numbers do NOT change for One-to-One and Many-to-Many No Overload NAT mapping types.
P-661H/HW Series User’s Guide Chapter 7 Network Address Translation (NAT) Screens 137 Figure 72 NAT General The following table describes the labels in this screen.
P-661H/HW Series User’s Guide 138 Chapter 7 Network Address Translation (NAT) Screens 7.4.1 Default Server IP Address In addition to the servers for specified services, NAT supports a default server IP address. A default server receives packets from ports that are not specified in this screen.
P-661H/HW Series User’s Guide Chapter 7 Network Address Translation (NAT) Screens 139 Figure 73 Multiple Servers Behind NAT Example 7.5 Configuring Port Forwarding Note: The Port Forwarding screen is available only when you select SUA Only in the NAT > General screen.
P-661H/HW Series User’s Guide 140 Chapter 7 Network Address Translation (NAT) Screens The following table describes the fields in this screen. 7.5.1 Port Forwarding Rule Edit To edit a port forwarding rule, click the rule’s edit icon in the Port Forwarding screen to display the screen shown next.
P-661H/HW Series User’s Guide Chapter 7 Network Address Translation (NAT) Screens 141 The following table describes the fields in this screen. 7.6 Address Mapping Note: The Address Mapping screen is available only when you select Full Feature in the NAT > General screen.
P-661H/HW Series User’s Guide 142 Chapter 7 Network Address Translation (NAT) Screens Figure 76 Address Mapping Rules The following table describes the fields in this screen. Table 54 Address Mapping Rules LABEL DESCRIPTION # This is the rule index number.
P-661H/HW Series User’s Guide Chapter 7 Network Address Translation (NAT) Screens 143 7.6.1 Address Mapping Rule Edit To edit an address mapping rule, click the rule’s edit icon in the Address Mapping screen to display the screen shown next. Figure 77 Edit Address Mapping Rule The following table describes the fields in this screen.
P-661H/HW Series User’s Guide 144 Chapter 7 Network Address Translation (NAT) Screens Back Click Back to return to the previous screen. Apply Click Apply to save your changes back to the ZyXEL Device. Cancel Click Cancel to begin configuring this screen afresh.
P-661H/HW Series User’s Guide Chapter 8 Firewalls 145 CHAPTER 8 Firewalls This chapter gives some background information on firewalls and introduces the ZyXEL Device firewall. 8.1 Firewall Overview Originally, the term firewall referred to a construction technique designed to prevent the spread of fire from one room to another.
P-661H/HW Series User’s Guide 146 Chapter 8 Firewalls 8.2.2 Application-level Firewalls Application-level firewalls restrict access by serving as proxies for external servers. Since they use programs written for specific Internet services, such as HTTP, FTP and telnet, they can evaluate network packets for valid application-specific data.
P-661H/HW Series User’s Guide Chapter 8 Firewalls 147 • The LAN (Local Area Network) port attaches to a network of computers, which needs security from the outside world. These computers will have access to Internet services such as e-mail, FTP, and the World Wide Web.
P-661H/HW Series User’s Guide 148 Chapter 8 Firewalls 8.4.2 Types of DoS Attacks There are four types of DoS attacks: 1 Those that exploit bugs in a TCP/IP implementation. 2 Those that exploit weaknesses in the TCP/IP specification. 3 Brute-force attacks that flood a network with useless data.
P-661H/HW Series User’s Guide Chapter 8 Firewalls 149 Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment).
P-661H/HW Series User’s Guide 150 Chapter 8 Firewalls Figure 81 Smurf Attack 8.4.2.1 ICMP Vulnerability ICMP is an error-reporting protocol that works in concert with IP. The following ICMP types trigger an alert: 8.4.2.2 Illegal Commands (NetBIOS and SMTP) The only legal NetBIOS commands are the following - all others are illegal.
P-661H/HW Series User’s Guide Chapter 8 Firewalls 151 8.4.2.3 Traceroute Traceroute is a utility used to determine the path a packet takes between two endpoints. Sometimes when a packet filter firewall is configured incorrectly an attacker can traceroute the firewall gaining knowledge of the network topology inside the firewall.
P-661H/HW Series User’s Guide 152 Chapter 8 Firewalls The previous figure shows the ZyXEL Device’s default firewall rules in action as well as demonstrates how stateful inspection works. User A can initiate a Telnet session from within the LAN and responses to this request are allowed.
P-661H/HW Series User’s Guide Chapter 8 Firewalls 153 • Allow certain types of traffic from the Internet to specific hosts on the LAN. • Allow access to a Web server to everyone but competitors. • Restrict use of certain protocols, such as Telnet, to authorized users on the LAN.
P-661H/HW Series User’s Guide 154 Chapter 8 Firewalls A similar situation exists for ICMP, except that the ZyXEL Device is even more restrictive. Specifically, only outgoing echoes will allow in c.
P-661H/HW Series User’s Guide Chapter 8 Firewalls 155 • Encourage your company or organization to develop a comprehensive security plan. Good network administration takes into account what hackers can do and prepares against attacks. The best defense against hackers and crackers is information.
P-661H/HW Series User’s Guide 156 Chapter 8 Firewalls 8.7.1.1 When To Use Filtering • To block/allow LAN packets by their MAC addresses. • To block/allow special IP packets which are neither TCP nor UDP, nor ICMP packets.
P-661H/HW Series User’s Guide Chapter 9 Firewall Configuration 157 CHAPTER 9 Firewall Configuration This chapter shows you how to enable and configure the ZyXEL Device firewall. 9.1 Access Methods The web configurator is, by far, the most comprehensive firewall configuration tool your ZyXEL Device has to offer.
P-661H/HW Series User’s Guide 158 Chapter 9 Firewall Configuration Note: If you configure firewall rules without a good understanding of how they work, you might inadvertently introduce security risks to the firewall and to the protected network.
P-661H/HW Series User’s Guide Chapter 9 Firewall Configuration 159 4 Does a rule that allows Internet users access to resources on the LAN create a security vulnerability? For example, if FTP ports (TCP 20, 21) are allowed from the Internet to the LAN, Internet users may be able to connect to computers with running FTP servers.
P-661H/HW Series User’s Guide 160 Chapter 9 Firewall Configuration 9.4.1 LAN to WAN Rules The default rule for LAN to WAN traffic is that all users on the LAN are allowed non-restricted access to the WAN. When you configure a LAN to WAN rule, you in essence want to limit some or all users from accessing certain services on the WAN.
P-661H/HW Series User’s Guide Chapter 9 Firewall Configuration 161 As a result, the ZyXEL Device resets the connection, as the connection has not been acknowledged. Figure 84 “Triangle Route” Problem 9.5.2 Solving the “Triangle Route” Problem You can have the ZyXEL Device allow triangle route sessions.
P-661H/HW Series User’s Guide 162 Chapter 9 Firewall Configuration 9.6 General Firewall Policy Click Security > Firewall to display the following screen. Activate the firewall by selecting the Active Firewall check box as seen in the following screen.
P-661H/HW Series User’s Guide Chapter 9 Firewall Configuration 163 9.7 Firewall Rules Summary Note: The ordering of your rules is very important as rules are applied in turn. Refer to Section 8.1 on page 145 for more information. Click Security > Firewall > Rules to bring up the following screen.
P-661H/HW Series User’s Guide 164 Chapter 9 Firewall Configuration The following table describes the labels in this screen. 9.7.1 Configuring Firewall Rules Refer to Section 8.
P-661H/HW Series User’s Guide Chapter 9 Firewall Configuration 165 In the Rules screen, select an index number and click Add or click a rule’s Edit icon to display this screen and refer to the following table for information on the labels.
P-661H/HW Series User’s Guide 166 Chapter 9 Firewall Configuration The following table describes the labels in this screen. Table 62 Firewall: Edit Rule LABEL DESCRIPTION Active Select this option to enable this firewall rule.
P-661H/HW Series User’s Guide Chapter 9 Firewall Configuration 167 9.7.2 Customized Services Configure customized services and port numbers not predefined by the ZyXEL Device. For a comprehensive list of port numbers and services, visit the IANA (Internet Assigned Number Authority) web site.
P-661H/HW Series User’s Guide 168 Chapter 9 Firewall Configuration 9.7.3 Configuring A Customized Service Click a rule number in the Firewall Customized Services screen to create a new custom port or edit an existing one. This action displays the following screen.
P-661H/HW Series User’s Guide Chapter 9 Firewall Configuration 169 Figure 91 Firewall Example: Rules 3 In the Rules screen, select the index number after which you want to add the rule. For example, if you select “6”, your new rule becomes number 7 and the previous rule 7 (if there is one) becomes rule 8.
P-661H/HW Series User’s Guide 170 Chapter 9 Firewall Configuration Figure 93 Firewall Example: Edit Rule: Destination Address 9 Use the Add >> and Remove buttons between Available Services and Selected Services list boxes to configure it as follows.
P-661H/HW Series User’s Guide Chapter 9 Firewall Configuration 171 Figure 94 Firewall Example: Edit Rule: Select Customized Services On completing the configuration procedure for this Internet firewall rule, the Rules screen should look like the following.
P-661H/HW Series User’s Guide 172 Chapter 9 Firewall Configuration Figure 95 Firewall Example: Rules: MyService 9.9 Predefined Services The Available Services list box in the Edit Rule screen (see Section 9.7.1 on page 164) displays all predefined services that the ZyXEL Device already supports.
P-661H/HW Series User’s Guide Chapter 9 Firewall Configuration 173 H.323(TCP:1720) Net Meeting uses this protocol. HTTP(TCP:80) Hyper Text Transfer Protocol - a client/server protocol for the world wide web. HTTPS HTTPS is a secured http session often used in e-commerce.
P-661H/HW Series User’s Guide 174 Chapter 9 Firewall Configuration 9.10 Anti-Probing If an outside user attempts to probe an unsupported port on your ZyXEL Device, an ICMP response packet is automatically returned. This allows the outside user to know the ZyXEL Device exists.
P-661H/HW Series User’s Guide Chapter 9 Firewall Configuration 175 The following table describes the labels in this screen. 9.11 DoS Thresholds For DoS attacks, the ZyXEL Device uses thresholds to determine when to drop sessions that do not become fully established.
P-661H/HW Series User’s Guide 176 Chapter 9 Firewall Configuration If your network is slower than average for any of these factors (especially if you have servers that are slow or handle many tasks and are often busy), then the default values should be reduced.
P-661H/HW Series User’s Guide Chapter 9 Firewall Configuration 177 9.11.3 Configuring Firewall Thresholds The ZyXEL Device also sends alerts whenever TCP Maximum Incomplete is exceeded. The global values specified for the threshold and timeout apply to all TCP connections.
P-661H/HW Series User’s Guide 178 Chapter 9 Firewall Configuration Maximum Incomplete Low This is the number of existing half-open sessions that causes the firewall to stop deleting half-open sessions.
P-661H/HW Series User’s Guide Chapter 10 Trend Micro Security Services 179 CHAPTER 10 Trend Micro Security Services This chapter contains information about configuring Trend Micro Security Services (TMSS).
P-661H/HW Series User’s Guide 180 Chapter 10 Trend Micro Security Services Figure 99 Download ActiveX to View TMSS Web Page 2 In the TMSS web page, click Service Summary. Figure 100 TMSS Web Page (Dashboard) 3 Click Activate My Services to begin a 3-step process to activate TMSS.
P-661H/HW Series User’s Guide Chapter 10 Trend Micro Security Services 181 Figure 102 TMSS 3 Steps 5 Fill in the registration form and submit it. Figure 103 TMSS Registration Form 6 After you submit the registration form, you will receive an e-mail with instructions for validating your e-mail address.
P-661H/HW Series User’s Guide 182 Chapter 10 Trend Micro Security Services Figure 104 Example TMSS Activated Service Summary Screen You need a Parental Control license to activate configure Parental Control categories on the ZyXEL Device (see Figure 110 on page 187).
P-661H/HW Series User’s Guide Chapter 10 Trend Micro Security Services 183 Figure 106 General TMSS Settings The following table describes the labels in this screen.
P-661H/HW Series User’s Guide 184 Chapter 10 Trend Micro Security Services 10.2.2 TMSS Exception List Use this screen to exempt computers from TMSS monitoring. Click Security > TMSS > Exception List to display the screen. Note: At the time of writing, TMSS may monitor up to 10 ZyXEL Device LAN computers with TMSS installed.
P-661H/HW Series User’s Guide Chapter 10 Trend Micro Security Services 185 10.3 TMSS Virus Protection Use this screen to look at the status of computers under TMSS monitoring. Click Security > TMSS > Virus Protection to display the screen.
P-661H/HW Series User’s Guide 186 Chapter 10 Trend Micro Security Services 10.4 Parental Controls Use this screen to schedule and block web pages based on pre-defined web site categories such as pornography, gambling, etc. Note: You need a Trend Micro Parental Control license in order to configure this screen.
P-661H/HW Series User’s Guide Chapter 10 Trend Micro Security Services 187 Figure 110 Parental Controls The following table describes the labels in this screen. Table 71 Parental Controls LABEL DESCRIPTION Restrict Web Features Select the web features you want to disable.
P-661H/HW Series User’s Guide 188 Chapter 10 Trend Micro Security Services 10.4.1 Parental Controls Statistics This screen displays a record of attempted entries to web pages or actual entries to web pages from a list of categories. Click Statistics in the Parental Controls screen to open it.
P-661H/HW Series User’s Guide Chapter 10 Trend Micro Security Services 189 Figure 111 Parental Controls Statistics The following table describes the labels in this screen. 10.5 ActiveX Controls in Internet Explorer If ActiveX is disabled, you will not be able to download ActiveX controls or to use Trend Micro Security Services.
P-661H/HW Series User’s Guide 190 Chapter 10 Trend Micro Security Services Figure 112 Internet Options Security 3 Scroll down to ActiveX controls and plug-ins. 4 Under Download signed ActiveX controls select the Prompt radio button. 5 Under Run ActiveX controls and plug-ins make sure the Enable radio button is selected.
P-661H/HW Series User’s Guide Chapter 10 Trend Micro Security Services 191 Figure 113 Security Setting ActiveX Controls.
P-661H/HW Series User’s Guide Chapter 11 Content Filtering 193 CHAPTER 11 Content Filtering This chapter covers how to configure content filtering. 11.1 Content Filtering Overview Internet content filtering allows you to create and enforce Internet access policies tailored to your needs.
P-661H/HW Series User’s Guide 194 Chapter 11 Content Filtering The following table describes the labels in this screen. 11.3 Configuring the Schedule To set the days and times for the ZyXEL Device to perform content filtering, click Security > Content Filter > Schedule.
P-661H/HW Series User’s Guide Chapter 11 Content Filtering 195 The following table describes the labels in this screen. 11.4 Configuring Trusted Computers To exclude a range of users on the LAN from content filtering on your ZyXEL Device, click Security > Content Filter > Trusted.
P-661H/HW Series User’s Guide Chapter 12 Introduction to IPSec 197 CHAPTER 12 Introduction to IPSec This chapter introduces the basics of IPSec VPNs. 12.1 VPN Overview A VPN (Virtual Private Network) provides secure communications between sites without the expense of leased site-to-site lines.
P-661H/HW Series User’s Guide 198 Chapter 12 Introduction to IPSec Figure 117 Encryption and Decryption 12.1.3.2 Data Confidentiality The IPSec sender can encrypt packets before transmitting them across a network.
P-661H/HW Series User’s Guide Chapter 12 Introduction to IPSec 199 12.2 IPSec Architecture The overall IPSec architecture is shown as follows. Figure 118 IPSec Architecture 12.
P-661H/HW Series User’s Guide 200 Chapter 12 Introduction to IPSec Figure 119 Transport and Tunnel Mode IPSec Encapsulation 12.3.1 Transport Mode Transport mode is used to protect upper layer protocols and only affects the data in the IP packet.
P-661H/HW Series User’s Guide Chapter 12 Introduction to IPSec 201 NAT is incompatible with the AH protocol in both Transport and Tunnel mode. An IPSec VPN using the AH protocol digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet.
P-661H/HW Series User’s Guide Chapter 13 VPN Screens 203 CHAPTER 13 VPN Screens This chapter introduces the VPN screens. See the Logs chapter for information on viewing logs and the appendix for IPSec log descriptions.
P-661H/HW Series User’s Guide 204 Chapter 13 VPN Screens 13.3 My IP Address My IP Address is the WAN IP address of the ZyXEL Device. The ZyXEL Device has to rebuild the VPN tunnel if the My IP Address changes after setup. The following applies if this field is configured as 0.
P-661H/HW Series User’s Guide Chapter 13 VPN Screens 205 13.4 Secure Gateway Address Secure Gateway Address is the WAN IP address or domain name of the remote IPSec router (secure gateway). If the remote secure gateway has a static WAN IP address, enter it in the Secure Gateway Address field.
P-661H/HW Series User’s Guide 206 Chapter 13 VPN Screens Figure 121 VPN Setup The following table describes the fields in this screen. Table 78 VPN Setup LABEL DESCRIPTION No. This is the VPN policy index number. Click a number to edit VPN policies.
P-661H/HW Series User’s Guide Chapter 13 VPN Screens 207 13.6 Keep Alive When you initiate an IPSec tunnel with keep alive enabled, the ZyXEL Device automatically renegotiates the tunnel when the IPSec SA lifetime period expires (see Section 13.12 on page 216 for more on the IPSec SA lifetime).
P-661H/HW Series User’s Guide 208 Chapter 13 VPN Screens Figure 122 NAT Router Between IPSec Routers Normally you cannot set up an IKE SA with a NAT router between the two IPSec routers because the NAT router changes the header of the IPSec packet.
P-661H/HW Series User’s Guide Chapter 13 VPN Screens 209 The following figure depicts an example where three VPN tunnels are created from ZyXEL Device A; one to branch office 2, one to branch office 3 and another to headquarters.
P-661H/HW Series User’s Guide 210 Chapter 13 VPN Screens The type of ID can be a domain name, an IP address or an e-mail address. The content is the IP address, domain name, or e-mail address. 13.9.1 ID Type and Content Examples Two IPSec routers must have matching ID type and content configuration in order to set up a VPN tunnel.
P-661H/HW Series User’s Guide Chapter 13 VPN Screens 211 The two ZyXEL Devices in this example cannot complete their negotiation because ZyXEL Device B’s Local ID type is IP, but ZyXEL Device A’s Peer ID type is set to E-mail. An “ID mismatched” message displays in the IPSEC LOG.
P-661H/HW Series User’s Guide 212 Chapter 13 VPN Screens Figure 124 Edit VPN Policies The following table describes the fields in this screen. Table 84 Edit VPN Policies LABEL DESCRIPTION IPSec Setup Active Select this check box to activate this VPN policy.
P-661H/HW Series User’s Guide Chapter 13 VPN Screens 213 NAT Traversal This function is available if the VPN protocol is ESP. Select this check box if you want to set up a VPN tunnel when there are NAT routers between the ZyXEL Device and remote IPSec router.
P-661H/HW Series User’s Guide 214 Chapter 13 VPN Screens Remote Remote IP addresses must be static and correspond to the remote IPSec router's configured local IP addresses. The remote fields do not apply when the Secure Gateway IP Address field is configured to 0.
P-661H/HW Series User’s Guide Chapter 13 VPN Screens 215 Peer ID Type Select IP to identify the remote IPSec router by its IP address. Select DNS to identify the remote IPSec router by a domain name. Select E-mail to identify the remote IPSec router by an e-mail address.
P-661H/HW Series User’s Guide 216 Chapter 13 VPN Screens 13.12 IKE Phases There are two phases to every IKE (Internet Key Exchange) negotiation – phase 1 (Authentication) and phase 2 (Key Exchange). A phase 1 exchange establishes an IKE SA and the second one uses that SA to negotiate SAs for IPSec.
P-661H/HW Series User’s Guide Chapter 13 VPN Screens 217 • Choose an authentication algorithm. • Choose a Diffie-Hellman public-key cryptography key group (DH1 or DH2). • Set the IKE SA lifetime. This field allows you to determine how long an IKE SA should stay up before it times out.
P-661H/HW Series User’s Guide 218 Chapter 13 VPN Screens 13.12.2 Diffie-Hellman (DH) Key Groups Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communications channel.
P-661H/HW Series User’s Guide Chapter 13 VPN Screens 219 Figure 126 Advanced VPN Policies The following table describes the fields in this screen. Table 85 Advanced VPN Policies LABEL DESCRIPTION VPN - IKE Protocol Enter 1 for ICMP, 6 for TCP, 17 for UDP, etc.
P-661H/HW Series User’s Guide 220 Chapter 13 VPN Screens Negotiation Mode Select Main or Aggressive from the drop-down list box. Multiple SAs connecting through a secure gateway must have the same negotiation mode. Pre-Shared Key Type your pre-shared key in this field.
P-661H/HW Series User’s Guide Chapter 13 VPN Screens 221 13.14 Manual Key Setup Manual key management is useful if you have problems with IKE key management. 13.14.1 Security Parameter Index (SPI) An SPI is used to distinguish different SAs terminating at the same destination and using the same IPSec protocol.
P-661H/HW Series User’s Guide 222 Chapter 13 VPN Screens Figure 127 VPN: Manual Key The following table describes the fields in this screen. Table 86 VPN: Manual Key LABEL DESCRIPTION IPSec Setup Active Select this check box to activate this VPN policy.
P-661H/HW Series User’s Guide Chapter 13 VPN Screens 223 DNS Server (for IPSec VPN) If there is a private DNS server that services the VPN, type its IP address here. The ZyXEL Device assigns this additional DNS server to the ZyXEL Device's DHCP clients that have IP addresses in this IPSec rule's range of local addresses.
P-661H/HW Series User’s Guide 224 Chapter 13 VPN Screens 13.16 Viewing SA Monitor Click Security, VPN and Monitor to open the SA Monitor screen as shown. Use this screen to display and manage active VPN connections. A Security Association (SA) is the group of security settings related to a specific VPN tunnel.
P-661H/HW Series User’s Guide Chapter 13 VPN Screens 225 When there is outbound traffic but no inbound traffic, the SA times out automatically after two minutes. A tunnel with no outbound or inbound traffic is "idle" and does not timeout until the SA lifetime period expires.
P-661H/HW Series User’s Guide 226 Chapter 13 VPN Screens Figure 129 VPN: Global Setting The following table describes the fields in this screen. 13.18 Telecommuter VPN/IPSec Examples The following examples show how multiple telecommuters can make VPN connections to a single ZyXEL Device at headquarters.
P-661H/HW Series User’s Guide Chapter 13 VPN Screens 227 Figure 130 Telecommuters Sharing One VPN Rule Example 13.18.2 Telecommuters Using Unique VPN Rules Example In this example the telecommuters (A, B and C in the figure) use IPSec routers with domain names that are mapped to their dynamic WAN IP addresses (use Dynamic DNS to do this).
P-661H/HW Series User’s Guide 228 Chapter 13 VPN Screens Figure 131 Telecommuters Using Unique VPN Rules Example Table 90 Telecommuters Using Unique VPN Rules Example TELECOMMUTERS HEADQUARTERS All Telecommuter Rules: All Headquarters Rules: My IP Address 0.
P-661H/HW Series User’s Guide Chapter 13 VPN Screens 229 13.19 VPN and Remote Management If a VPN tunnel uses Telnet, FTP, WWW, then you should configure remote management (Remote Management) to allow access for that service.
P-661H/HW Series User’s Guide Chapter 14 Static Route 231 CHAPTER 14 Static Route This chapter shows you how to configure static routes for your ZyXEL Device. 14.1 Static Route Each remote node specifies only the network to which the gateway is directly connected, and the ZyXEL Device has no knowledge of the networks beyond.
P-661H/HW Series User’s Guide 232 Chapter 14 Static Route Figure 133 Static Route The following table describes the labels in this screen. 14.2.1 Static Route Edit Select a static route index number and click Edit. The screen shown next appears.
P-661H/HW Series User’s Guide Chapter 14 Static Route 233 Figure 134 Static Route Edit The following table describes the labels in this screen. Table 92 Static Route Edit LABEL DESCRIPTION Active This field allows you to activate/deactivate this static route.
P-661H/HW Series User’s Guide Chapter 15 Bandwidth Management 235 CHAPTER 15 Bandwidth Management This chapter contains information about configuring bandwidth management, editing rules and viewing the ZyXEL Device’s bandwidth management logs.
P-661H/HW Series User’s Guide 236 Chapter 15 Bandwidth Management Figure 135 Subnet-based Bandwidth Management Example 15.4 Application and Subnet-based Bandwidth Management You could also create bandwidth classes based on a combination of a subnet and an application.
P-661H/HW Series User’s Guide Chapter 15 Bandwidth Management 237 15.5.2 Fairness-based Scheduler The ZyXEL Device divides bandwidth equally among bandwidth classes when using the fairness-based scheduler; thus preventing one bandwidth class from using all of the interface’s bandwidth.
P-661H/HW Series User’s Guide 238 Chapter 15 Bandwidth Management 15.6.2 Maximize Bandwidth Usage Example Here is an example of a ZyXEL Device that has maximize bandwidth usage enabled on an interface. The following table shows each bandwidth class’s bandwidth budget.
P-661H/HW Series User’s Guide Chapter 15 Bandwidth Management 239 • Research requires more bandwidth but only gets its budgeted 2048 kbps because all of the unbudgeted and unused bandwidth goes to the higher priority sales and marketing classes.
P-661H/HW Series User’s Guide 240 Chapter 15 Bandwidth Management 15.6.4 Bandwidth Management Priorities The following table describes the priorities that you can apply to traffic that the ZyXEL Device forwards out through an interface. 15.7 Configuring Summary Click Advanced > Bandwidth MGMT to open the screen as shown next.
P-661H/HW Series User’s Guide Chapter 15 Bandwidth Management 241 15.8 Bandwidth Management Rule Setup You must use the Bandwidth Management Summary screen to enable bandwidth management on an interface before you can configure rules for that interface.
P-661H/HW Series User’s Guide 242 Chapter 15 Bandwidth Management Figure 137 Bandwidth Management: Rule Setup The following table describes the labels in this screen. Table 100 Bandwidth Management: Rule Setup LABEL DESCRIPTION Direction Select the direction of traffic to which you want to apply bandwidth management.
P-661H/HW Series User’s Guide Chapter 15 Bandwidth Management 243 15.8.1 Rule Configuration Click the Edit icon or select User define in the Service field to configure a bandwidth management rule. Use bandwidth rules to allocate specific amounts of bandwidth capacity (bandwidth budgets) to specific applications and/or subnets.
P-661H/HW Series User’s Guide 244 Chapter 15 Bandwidth Management Use All Managed Bandwidth Select this option to allow a rule to borrow unused bandwidth on the interface. Bandwidth borrowing is governed by the priority of the rules. That is, a rule with the highest priority is the first to borrow bandwidth.
P-661H/HW Series User’s Guide Chapter 15 Bandwidth Management 245 15.9 Bandwidth Monitor To view the ZyXEL Device’s bandwidth usage and allotments, click Advanced > Bandwidth MGMT > Monitor. The screen appears as shown. Select an interface from the drop-down list box to view the bandwidth usage of its bandwidth rules.
P-661H/HW Series User’s Guide Chapter 16 Dynamic DNS Setup 247 C HAPTER 16 Dynamic DNS Setup This chapter discusses how to configure your ZyXEL Device to use Dynamic DNS.
P-661H/HW Series User’s Guide 248 Chapter 16 Dynamic DNS Setup Figure 140 Dynamic DNS The following table describes the fields in this screen. Table 103 Dynamic DNS LABEL DESCRIPTION Dynamic DNS Setup Active Dynamic DNS Select this check box to use dynamic DNS.
P-661H/HW Series User’s Guide Chapter 16 Dynamic DNS Setup 249 Dynamic DNS server auto detect IP Address Select this option only when there are one or more NAT routers between the ZyXEL Device and the DDNS server. This feature has the DDNS server automatically detect and use the IP address of the NAT router that has a public IP address.
P-661H/HW Series User’s Guide Chapter 17 Remote Management Configuration 251 CHAPTER 17 Remote Management Configuration This chapter provides information on configuring remote management.
P-661H/HW Series User’s Guide 252 Chapter 17 Remote Ma nagement Configuration • The IP address in the Secured Client IP field does not match th e client IP address. If it does not match, the ZyXEL Device will disconnect the session immediately . • There is already another rem ote management session with an equal or higher priority running.
P-661H/HW Series User’s Guide Chapter 17 Remote M anagement Configuration 253 The following table describes the labels in this screen. 17.3 T elnet Y ou can configure your ZyXEL Device for remote T elnet access as shown next. The administrator uses T elnet from a computer on a remote network to access the ZyXEL Device.
P-661H/HW Series User’s Guide 254 Chapter 17 Remote Ma nagement Configuration Figure 143 Remote Mana gement: T elnet The following table describes the labels in this screen.
P-661H/HW Series User’s Guide Chapter 17 Remote M anagement Configuration 255 Figure 144 Remote Mana gement: FTP The following table describes the labels in this screen. 17.6 SNMP Simple Network Management Protocol (SNM P) i s a protocol u sed for exchanging management information b etween network devices.
P-661H/HW Series User’s Guide 256 Chapter 17 Remote Ma nagement Configuration Figure 145 SNMP Managemen t Model An SNMP managed network consis ts of two main types of comp onent: agen ts and a manager . An agent is a management software module that resi des in a managed device (the ZyXEL Device).
P-661H/HW Series User’s Guide Chapter 17 Remote Management Configuration 257 17.6.2 SNMP Traps The ZyXEL Device will send traps to the SNMP manager when any one of the following events occurs: 17.6.3 Configuring SNMP To change your ZyXEL Device’s SNMP settings, click Advanced > Remote MGMT > SNMP.
P-661H/HW Series User’s Guide 258 Chapter 17 Remote Management Configuration Figure 146 Remote Management: SNMP The following table describes the labels in this screen.
P-661H/HW Series User’s Guide Chapter 17 Remote Management Configuration 259 17.7 Configuring DNS Use DNS (Domain Name System) to map a domain name to its corresponding IP address and vice versa. Refer to the chapter on LAN for background information.
P-661H/HW Series User’s Guide 260 Chapter 17 Remote Management Configuration If an outside user attempts to probe an unsupported port on your ZyXEL Device, an ICMP response packet is automatically returned. This allows the outside user to know the ZyXEL Device exists.
P-661H/HW Series User’s Guide Chapter 17 Remote Management Configuration 261 17.9 TR-069 (P-661H Only) TR-069 is a protocol that defines how your ZyXEL Device can be managed via a management server such as ZyXEL’s Vantage CNM Access.
P-661H/HW Series User’s Guide 262 Chapter 17 Remote Management Configuration periodicEnable [0:Disable/ 1:Enable] Whether or not the device must periodically send information to CNM Access. It is recommended to set this value to 1 in order for the ZyXEL Device to send information to CNM Access.
P-661H/HW Series User’s Guide Chapter 18 Universal Plug-and-Play (UPnP) 263 CHAPTER 18 Universal Plug-and-Play (UPnP) This chapter introduces the UPnP feature in the web configurator.
P-661H/HW Series User’s Guide 264 Chapter 18 Universal Plug-and-Play (UPnP) 18.1.3 Cautions with UPnP The automated nature of NAT traversal applications in establishing their own services and opening firewall ports may present network security issues.
P-661H/HW Series User’s Guide Chapter 18 Universal Plug-and-Play (UPnP) 265 The following table describes the fields in this screen. 18.3 Installing UPnP in Windows Example This section shows how to install UPnP in Windows Me and Windows XP. Installing UPnP in Windows Me Follow the steps below to install the UPnP in Windows Me.
P-661H/HW Series User’s Guide 266 Chapter 18 Universal Plug-and-Play (UPnP) Figure 151 Add/Remove Programs: Windows Setup: Communication 3 In the Communications window, select the Universal Plug and Play check box in the Components selection box.
P-661H/HW Series User’s Guide Chapter 18 Universal Plug-and-Play (UPnP) 267 Installing UPnP in Windows XP Follow the steps below to install the UPnP in Windows XP.
P-661H/HW Series User’s Guide 268 Chapter 18 Universal Plug-and-Play (UPnP) 5 In the Networking Services window, select the Universal Plug and Play check box. Figure 155 Networking Services 6 Click OK to go back to the Windows Optional Networking Component Wizard window and click Next.
P-661H/HW Series User’s Guide Chapter 18 Universal Plug-and-Play (UPnP) 269 Figure 156 Network Connections 3 In the Internet Connection Properties window, click Settings to see the port mappings that were automatically created.
P-661H/HW Series User’s Guide 270 Chapter 18 Universal Plug-and-Play (UPnP) Figure 157 Internet Connection Properties 4 You may edit or delete the port mappings or click Add to manually add port mappings.
P-661H/HW Series User’s Guide Chapter 18 Universal Plug-and-Play (UPnP) 271 Figure 158 Internet Connection Properties: Advanced Settings Figure 159 Internet Connection Properties: Advanced Settings: Add 5 When the UPnP-enabled device is disconnected from your computer, all port mappings will be deleted automatically.
P-661H/HW Series User’s Guide 272 Chapter 18 Universal Plug-and-Play (UPnP) Figure 160 System Tray Icon 7 Double-click on the icon to display your current Internet connection status.
P-661H/HW Series User’s Guide Chapter 18 Universal Plug-and-Play (UPnP) 273 Figure 162 Network Connections 4 An icon with the description for each UPnP-enabled device displays under Local Network. 5 Right-click on the icon for your ZyXEL Device and select Invoke.
P-661H/HW Series User’s Guide 274 Chapter 18 Universal Plug-and-Play (UPnP) Figure 163 Network Connections: My Network Places 6 Right-click on the icon for your ZyXEL Device and select Properties. A properties window displays with basic information about the ZyXEL Device.
P-661H/HW Series User’s Guide Chapter 19 System 275 CHAPTER 19 System Use this screen to configure the ZyXEL Device’s time and date settings. 19.1 General Setup 19.1.1 General Setup and System Name General Setup contains administrative and system-related information.
P-661H/HW Series User’s Guide 276 Chapter 19 System Figure 165 System General Setup The following table describes the labels in this screen. Table 114 System General Setup LABEL DESCRIPTION General Setup System Name Choose a descriptive name for identification purposes.
P-661H/HW Series User’s Guide Chapter 19 System 277 19.2 Time Setting To change your ZyXEL Device’s time and date, click Maintenance > System > Time Setting. The screen appears as shown. Use this screen to configure the ZyXEL Device’s time based on your local time zone.
P-661H/HW Series User’s Guide 278 Chapter 19 System The following table describes the fields in this screen. Table 115 System Time Setting LABEL DESCRIPTION Current Time and Date Current Time This field displays the time of your ZyXEL Device. Each time you reload this page, the ZyXEL Device synchronizes the time with the time server.
P-661H/HW Series User’s Guide Chapter 19 System 279 Start Date Configure the day and time when Daylight Saving Time starts if you selected Enable Daylight Saving. The o'clock field uses the 24 hour format. Here are a couple of examples: Daylight Saving Time starts in most parts of the United States on the first Sunday of April.
P-661H/HW Series User’s Guide Chapter 20 Logs 281 CHAPTER 20 Logs This chapter contains information about configuring general log settings and viewing the ZyXEL Device’s logs.
P-661H/HW Series User’s Guide 282 Chapter 20 Logs The following table describes the fields in this screen. 20.3 Configuring Log Settings Use the Log Settings screen to configure to where the ZyXEL.
P-661H/HW Series User’s Guide Chapter 20 Logs 283 Figure 168 Log Settings The following table describes the fields in this screen. Table 117 Log Settings LABEL DESCRIPTION E-mail Log Settings Mail Server Enter the server name or the IP address of the mail server for the e-mail addresses specified below.
P-661H/HW Series User’s Guide 284 Chapter 20 Logs Enable SMTP Authentication SMTP (Simple Mail Transfer Protocol) is the message-exchange standard for the Internet. SMTP enables you to move messages from one e-mail server to another. Select the check box to activate SMTP authentication.
P-661H/HW Series User’s Guide Chapter 21 Tools 285 CHAPTER 21 Tools This chapter covers uploading new firmware, managing configuration and restarting your ZyXEL Device. 21.1 Firmware Upgrade Find firmware at www.zyxel.com in a file that (usually) uses the system model name with a .
P-661H/HW Series User’s Guide 286 Chapter 21 Tools Note: Do NOT turn off the ZyXEL Device while firmware upload is in progress! After you see the Firmware Upload in Progress screen, wait two minutes before logging into the ZyXEL Device again.
P-661H/HW Series User’s Guide Chapter 21 Tools 287 Figure 172 Error Message 21.2 Configuration Use this screen to back up or restore the configuration of the ZyXEL Device. You can also use this screen to reset the ZyXEL Device to the factory default settings.
P-661H/HW Series User’s Guide 288 Chapter 21 Tools Note: Do not turn off the device while configuration file upload is in progress. When the ZyXEL Device has finished restoring the selected configuration file, the following screen appears. Figure 174 Configuration Upload Successful The device now automatically restarts.
P-661H/HW Series User’s Guide Chapter 21 Tools 289 Figure 175 Network Temporarily Disconnected If the ZyXEL Device’s IP address is different in the configuration file you selected, you may need to change the IP address of your computer to be in the same subnet as that of the default management IP address (192.
P-661H/HW Series User’s Guide Chapter 22 Diagnostic 291 CHAPTER 22 Diagnostic These read-only screens display information to help you identify problems with the ZyXEL Device. 22.1 General Diagnostic Click Maintenance > Diagnostic to open the screen shown next.
P-661H/HW Series User’s Guide 292 Chapter 22 Diagnostic 22.2 DSL Line Diagnostic Click Maintenance > Diagnostic > DSL Line to open the screen shown next. Figure 179 Diagnostic: DSL Line The following table describes the fields in this screen.
P-661H/HW Series User’s Guide Chapter 23 Troubleshooting 293 CHAPTER 23 Troubleshooting This chapter covers potential problems and the corresponding remedies.
P-661H/HW Series User’s Guide 294 Chapter 23 Troubleshooting 23.3 Problems with the WAN Table 124 Troubleshooting the WAN PROBLEM CORRECTIVE ACTION The DSL LED is off. Check the telephone wire and connections between the ZyXEL Device DSL port and the wall jack.
P-661H/HW Series User’s Guide Chapter 23 Troubleshooting 295 23.4 Problems Accessing the ZyXEL Device Table 125 Troubleshooting Accessing the ZyXEL Device PROBLEM CORRECTIVE ACTION I cannot access the ZyXEL Device. The default user password is “user” and admin password is “1234”.
P-661H/HW Series User’s Guide Appendix A 297 Appendix A Product Specifications See also the Introduction chapter for a general overview of the key features. Specification Tables Table 126 Device Default IP Address 192.168.1.1 Default Subnet Mask 255.
P-661H/HW Series User’s Guide 298 Appendix A Table 127 Firmware ADSL Standards Multi-Mode standard (ANSI T1.413, Issue 2; G.dmt(G.992.1); G.lite(G992.
P-661H/HW Series User’s Guide Appendix A 299 Firewall Stateful Packet Inspection. Prevent Denial of Service attacks such as Ping of Death, SYN Flood, LAND, Smurf etc.
P-661H/HW Series User’s Guide Appendix B 301 Appendix B About ADSL Introduction to DSL DSL (Digital Subscriber Line) technology enhances the data capacity of the existing twisted-pair wire that runs between the local telephone company switching offices and most homes and offices.
P-661H/HW Series User’s Guide 302 Appendix B cable modems, transmission speeds drop significantly as more users go on-line because the line is shared.
P-661H/HW Series User’s Guide Appendix C 303 APPENDIX C Wall-mounting Instructions Do the following to hang your ZyXEL Device on a wall. Note: See the product specifications appendix for the size of screws to use and how far apart to place them.
P-661H/HW Series User’s Guide 305 Appendix D Setting up Your Computer’s IP Address All computers must have a 10M or 100M Ethernet adapter card and TCP/IP installed.
P-661H/HW Series User’s Guide 306 Figure 181 Windows 95/98/Me: Network: Configuration Installing Components The Network window Configuration tab displays a list of installed components. You need a network adapter, the TCP/IP protocol and Client for Microsoft Networks.
P-661H/HW Series User’s Guide 307 3 Select Microsoft from the list of manufacturers. 4 Select Client for Microsoft Networks from the list of network clients and then click OK.
P-661H/HW Series User’s Guide 308 Figure 183 Windows 95/98/Me: TCP/IP Properties: DNS Configuration 4 Click the Gateway tab. • If you do not know your gateway’s IP address, remove previously installed gateways. • If you have a gateway IP address, type it in the New gateway field and click Add.
P-661H/HW Series User’s Guide 309 Figure 184 Windows XP: Start Menu 2 In the Control Panel, double-click Network Connections (Network and Dial-up Connections in Windows 2000/NT). Figure 185 Windows XP: Control Panel 3 Right-click Local Area Connection and then click Properties.
P-661H/HW Series User’s Guide 310 Figure 186 Windows XP: Control Panel: Network Connections: Properties 4 Select Internet Protocol (TCP/IP) (under the General tab in Win XP) and then click Properties.
P-661H/HW Series User’s Guide 311 • Click Advanced. Figure 188 Windows XP: Internet Protocol (TCP/IP) Properties 6 If you do not know your gateway's IP address, remove any previously installed gateways in the IP Settings tab and click OK.
P-661H/HW Series User’s Guide 312 Figure 189 Windows XP: Advanced TCP/IP Properties 7 In the Internet Protocol TCP/IP Properties window (the General tab in Windows XP): • Click Obtain DNS server address automatically if you do not know your DNS server IP address(es).
P-661H/HW Series User’s Guide 313 Figure 190 Windows XP: Internet Protocol (TCP/IP) Properties 8 Click OK to close the Internet Protocol (TCP/IP) Properties window. 9 Click Close (OK in Windows 2000/NT) to close the Local Area Connection Properties window.
P-661H/HW Series User’s Guide 314 Figure 191 Macintosh OS X: Apple Menu 2 Click Network in the icon bar. • Select Automatic from the Location list. • Select Built-in Ethernet from the Show list. • Click the TCP/IP tab. 3 For dynamically assigned settings, select Using DHCP from the Configure list.
P-661H/HW Series User’s Guide 315 6 Restart your computer (if prompted). Verifying Settings Check your TCP/IP properties in the Network window. Linux This section shows you how to configure your computer’s TCP/IP settings in Red Hat Linux 9.
P-661H/HW Series User’s Guide 316 Figure 194 Red Hat 9.0: KDE: Ethernet Device: General • If you have a dynamic IP address, click Automatically obtain IP address settings with and select dhcp from the drop down list.
P-661H/HW Series User’s Guide 317 Figure 196 Red Hat 9.0: KDE: Network Configuration: Activate 7 After the network card restart process is complete, make sure the Status is Active in the Network Configuration screen. Using Configuration Files Follow the steps below to edit the network configuration files and set your computer IP address.
P-661H/HW Series User’s Guide 318 Figure 198 Red Hat 9.0: Static IP Address Setting in ifconfig-eth0 2 If you know your DNS server IP address(es), enter the DNS server information in the resolv.conf file in the /etc directory. The following figure shows an example where two DNS server IP addresses are specified.
P-661H/HW Series User’s Guide Appendix E 319 Appendix E IP Subnetting IP Addressing Routers “route” based on the network number. The router that delivers the data packet to the correct destination host uses the host ID. IP Classes An IP address is made up of four octets (eight bits), written in dotted decimal notation, for example, 192.
P-661H/HW Series User’s Guide 320 Appendix E Since the first octet of a class “A” IP address must contain a “0”, the first octet of a class “A” address can have a value of 0 to 127.
P-661H/HW Series User’s Guide Appendix E 321 Since the mask is always a continuous number of ones beginning from the left, followed by a continuous number of zeros for the remainder of the 32 bit mask, you can simply specify the number of ones instead of writing the value of each octet.
P-661H/HW Series User’s Guide 322 Appendix E Note: In the following charts, shaded/bolded last octet bit values indicate host ID bits “borrowed” to form network ID bits. The number of “borrowed” host ID bits determines the number of subnets you can have.
P-661H/HW Series User’s Guide Appendix E 323 Example: Four Subnets The above example illustrated using a 25-bit subnet mask to divide a class “C” address space into two subnets. Similarly to divide a class “C” address into four subnets, you need to “borrow” two host ID bits to give four possible combinations of 00, 01, 10 and 11.
P-661H/HW Series User’s Guide 324 Appendix E Example Eight Subnets Similarly use a 27-bit mask to create 8 subnets (001, 010, 011, 100, 101, 110). The following table shows class C IP address last octet values for each subnet. The following table is a summary for class “C” subnet planning.
P-661H/HW Series User’s Guide Appendix E 325 Subnetting With Class A and Class B Networks. For class “A” and class “B” addresses the subnet mask also determines which bits are part of the network number and which are part of the host ID.
P-661H/HW Series User’s Guide Appendix F 327 Appendix F Command Interpreter The following describes how to use the command interpreter. You can use telnet to access the CLI (Command Line Interface) commands. See the included disk or zyxel.com for more detailed information on these commands.
P-661H/HW Series User’s Guide Appendix G 329 Appendix G Firewall Commands The following describes the firewall commands. Table 142 Firewall Commands FUNCTION COMMAND DESCRIPTION Firewall SetUp config edit firewall active <yes | no> This command turns the firewall on or off.
P-661H/HW Series User’s Guide 330 Appendix G config edit firewall e-mail return-addr <e-mail address> This command sets the source e-mail address of the firewall e-mails. config edit firewall e-mail email-to <e-mail address> This command sets the e-mail address to which the firewall e-mails are sent.
P-661H/HW Series User’s Guide Appendix G 331 config edit firewall attack minute-low <0-255> This command sets the threshold of half-open sessions where the ZyXEL Device stops deleting half-opened sessions.
P-661H/HW Series User’s Guide 332 Appendix G Config edit firewall set <set #> log <yes | no> This command sets whether or not the ZyXEL Device creates logs for packets that match the firewall’s default rule set.
P-661H/HW Series User’s Guide Appendix G 333 config edit firewall set <set #> rule <rule #> destaddr-subnet <ip address> <subnet mask> This command sets a rule to have the ZyXEL Device check for traffic with a particular subnet destination (defined by IP address and subnet mask).
P-661H/HW Series User’s Guide Appendix H 335 Appendix H NetBIOS Filter Commands The following describes the NetBIOS packet filter commands. Introduction NetBIOS (Network Basic Input/Output System) are TCP or UDP broadcast packets that enable a computer to connect to and communicate with a LAN.
P-661H/HW Series User’s Guide 336 Appendix H The filter types and their default settings are as follows. NetBIOS Filter Configuration Syntax: sys filter netbios config <type> <on|off> w.
P-661H/HW Series User’s Guide Appendix I 337 Appendix I PPPoE PPPoE in Action An ADSL modem bridges a PPP session over Ethernet (PPP over Ethernet, RFC 2516) from your computer to an ATM PVC (Permanent Virtual Circuit) which connects to a DSL Access Concentrator where the PPP session terminates (see Figure 202 on page 338).
P-661H/HW Series User’s Guide 338 Appendix I Figure 202 Single-Computer per Router Hardware Configuration How PPPoE Works The PPPoE driver makes the Ethernet appear as a serial link to the computer and the computer runs PPP over it, while the modem bridges the Ethernet frames to the Access Concentrator (AC).
P-661H/HW Series User’s Guide Appendix J 339 Appendix J Log Descriptions This appendix provides descriptions of example log messages. Table 144 System Maintenance Logs LOG MESSAGE DESCRIPTION Time calibration is successful The router has adjusted its time based on information from the time server.
P-661H/HW Series User’s Guide 340 Appendix J Successful HTTPS login Someone has logged on to the router's web configurator interface using HTTPS protocol. HTTPS login failed Someone has failed to log on to the router's web configurator interface using HTTPS protocol.
P-661H/HW Series User’s Guide Appendix J 341 Table 147 TCP Reset Logs LOG MESSAGE DESCRIPTION Under SYN flood attack, sent TCP RST The router sent a TCP reset packet when a host was under a SYN flood attack (the TCP incomplete count is per destination host.
P-661H/HW Series User’s Guide 342 Appendix J Table 149 ICMP Logs LOG MESSAGE DESCRIPTION Firewall default policy: ICMP <Packet Direction>, <type:%d>, <code:%d> ICMP access matched the default policy and was blocked or forwarded according to the user's setting.
P-661H/HW Series User’s Guide Appendix J 343 ppp:LCP Closing The PPP connection’s Link Control Protocol stage is closing. ppp:IPCP Closing The PPP connection’s Internet Protocol Control Protocol stage is closing. Table 152 UPnP Logs LOG MESSAGE DESCRIPTION UPnP pass through Firewall UPnP packets can pass through the firewall.
P-661H/HW Series User’s Guide 344 Appendix J Connecting to content filter server fail The connection to the external content filtering server failed.
P-661H/HW Series User’s Guide Appendix J 345 Table 155 IPSec Logs LOG MESSAGE DESCRIPTION Discard REPLAY packet The router received and discarded a packet with an incorrect sequence number. Inbound packet authentication failed The router received a packet that has been altered.
P-661H/HW Series User’s Guide 346 Appendix J Cannot resolve Secure Gateway Addr for rule <%d> The router couldn’t resolve the IP address from the domain name that was used for the secure gateway address.
P-661H/HW Series User’s Guide Appendix J 347 XAUTH fail! Username: <Username> The router was not able to use extended authentication to authenticate the listed username. Rule[%d] Phase 1 negotiation mode mismatch The listed rule’s IKE phase 1 negotiation mode did not match between the router and the peer.
P-661H/HW Series User’s Guide 348 Appendix J Rule [%d] phase 2 mismatch The listed rule’s IKE phase 2 did not match between the router and the peer. Rule [%d] Phase 2 key length mismatch The listed rule’s IKE phase 2 key lengths (with the AES encryption algorithm) did not match between the router and the peer.
P-661H/HW Series User’s Guide Appendix J 349 Rcvd data <size> too large! Max size allowed: <max size> The router received directory data that was too large (the size is listed) from the LDAP server whose address and port are recorded in the Source field.
P-661H/HW Series User’s Guide 350 Appendix J 26 Database method failed. 27 Path was not verified. 28 Maximum path length reached. Table 159 802.1X Logs LOG MESSAGE DESCRIPTION Local User Database accepts user. A user was authenticated by the local user database.
P-661H/HW Series User’s Guide Appendix J 351 Table 160 ACL Setting Notes PACKET DIRECTION DIRECTION DESCRIPTION (L to W) LAN to WAN ACL set for packets traveling from the LAN to the WAN. (W to L) WAN to LAN ACL set for packets traveling from the WAN to the LAN.
P-661H/HW Series User’s Guide 352 Appendix J The following table shows RFC-2408 ISAKMP payload types that the log displays. Please refer to the RFC for detailed information on each type.
P-661H/HW Series User’s Guide Appendix J 353 Log Commands Go to the command interpreter interface. Configuring What You Want the ZyXEL Device to Log 1 Use the sys logs load command to load the log setting buffer that allows you to configure which logs the ZyXEL Device is to record.
P-661H/HW Series User’s Guide 354 Appendix J • Use the sys logs clear command to erase all of the ZyXEL Device’s logs. Log Command Example This example shows how to set the ZyXEL Device to record the access logs and alerts and then view the results.
P-661H/HW Series User’s Guide Appendix K 355 APPENDIX K Wireless LANs (wireless devices only) Wireless LAN Topologies This section discusses ad-hoc and infrastructure wireless LAN topologies.
P-661H/HW Series User’s Guide 356 Appendix K Figure 207 Basic Service Set ESS An Extended Service Set (ESS) consists of a series of overlapping BSSs, each containing an access point, with each access point connected together by a wired network. This wired connection between APs is called a Distribution System (DS).
P-661H/HW Series User’s Guide Appendix K 357 Figure 208 Infrastructure WLAN Channel A channel is the radio frequency(ies) used by IEEE 802.11a/b/g wireless devices.
P-661H/HW Series User’s Guide 358 Appendix K Figure 209 RTS/CTS When station A sends data to the AP, it might not know that the station B is already using the channel.
P-661H/HW Series User’s Guide Appendix K 359 A large Fragmentation Threshold is recommended for networks not prone to interference while you should set a smaller threshold for busy networks or networks that are prone to interference.
P-661H/HW Series User’s Guide 360 Appendix K Wireless Security Overview Wireless security is vital to your network to protect wireless communication between wireless clients, access points and the wired network.
P-661H/HW Series User’s Guide Appendix K 361 RADIUS RADIUS is based on a client-server model that supports authentication, authorization and accounting. The access point is the client and the server is the RADIUS server. The RADIUS server handles the following tasks: • Authentication Determines the identity of the users.
P-661H/HW Series User’s Guide 362 Appendix K In order to ensure network security, the access point and the RADIUS server use a shared secret key, which is a password, they both know.
P-661H/HW Series User’s Guide Appendix K 363 PEAP (Protected EAP) Like EAP-TTLS, server-side certificate authentication is used to establish a secure connection, then use simple username and password methods through the secured connection to authenticate the clients, thus hiding client identity.
P-661H/HW Series User’s Guide 364 Appendix K WPA and WPA2 Wi-Fi Protected Access (WPA) is a subset of the IEEE 802.11i standard. WPA2 (IEEE 802.11i) is a wireless security standard that defines stronger encryption, authentication and key management than WPA.
P-661H/HW Series User’s Guide Appendix K 365 By generating unique data encryption keys for every data packet and by creating an integrity checking mechanism (MIC), with TKIP and AES it is more difficult to decrypt data on a Wi-Fi network than WEP and difficult for an intruder to break into the network.
P-661H/HW Series User’s Guide 366 Appendix K 3 The RADIUS server distributes a Pairwise Master Key (PMK) key to the AP that then sets up a key hierarchy and management system, using the pair-wi.
P-661H/HW Series User’s Guide Appendix K 367 Figure 211 WPA(2)-PSK Authentication Security Parameters Summary Refer to this table to see what other security parameters you should configure for each Authentication Method/ key management protocol type.
P-661H/HW Series User’s Guide 369 APPENDIX L Pop-up Windows, JavaScripts and Java Permissions In order to use the web configurator you need to allow: • Web browser pop-up windows from your device. • JavaScripts (enabled by default). • Java permissions (enabled by default).
P-661H/HW Series User’s Guide 370 Figure 213 Internet Options 3 Click Apply to save this setting. Enable pop-up Blockers with Exceptions Alternatively, if you only want to allow pop-up windows from your device, see the following steps. 1 In Internet Explorer, select Tools, Internet Options and then the Privacy tab.
P-661H/HW Series User’s Guide 371 Figure 214 Internet Options 3 Type the IP address of your device (the web page that you do not want to have blocked) with the prefix “http://”. For example, http://192.168.1.1. 4 Click Add to move the IP address to the list of Allowed sites.
P-661H/HW Series User’s Guide 372 Figure 215 Pop-up Blocker Settings 5 Click Close to return to the Privacy screen. 6 Click Apply to save this setting. JavaScripts If pages of the web configurator do not display properly in Internet Explorer, check that JavaScripts are allowed.
P-661H/HW Series User’s Guide 373 Figure 216 Internet Options 2 Click the Custom Level... button. 3 Scroll down to Scripting. 4 Under Active scripting make sure that Enable is selected (the default). 5 Under Scripting of Java applets make sure that Enable is selected (the default).
P-661H/HW Series User’s Guide 374 Figure 217 Security Settings - Java Scripting Java Permissions 1 From Internet Explorer, click Tools, Internet Options and then the Security tab. 2 Click the Custom Level... button. 3 Scroll down to Microsoft VM.
P-661H/HW Series User’s Guide 375 Figure 218 Security Settings - Java JAVA (Sun) 1 From Internet Explorer, click Tools, Internet Options and then the Advanced tab. 2 Make sure that Use Java 2 for <applet> under Java (Sun) is selected. 3 Click OK to close the window.
P-661H/HW Series User’s Guide 376 Figure 219 Java (Sun).